I had a big Microsoft Event Viewer log file and I wanted specific information from the log file. At first I was thinking about using Microsoft Excel to do some filtering, but that didn’t really help. In the end Linux did the trick: I used Cygwin under Windows to extract the specific information. The raw log file had the following format:
2/22/2010:1:14:46 PM:IAS:Information:None:1:N/A:BOOCHES01:User rene was granted access.
2/22/2010:1:09:15 PM:IAS:Information:None:1:N/A:BOOCHES01:User rene was granted access.
2/22/2010:12:19:58 PM:IAS:Information:None:1:N/A:BOOCHES01:User BOOCHES\test was granted access.
2/22/2010:12:03:24 PM:IAS:Information:None:1:N/A:BOOCHES01:User booches was granted access.
2/22/2010:11:58:54 AM:IAS:Information:None:1:N/A:BOOCHES01:User testuser was granted access.
2/22/2010:11:58:13 AM:IAS:Information:None:1:N/A:BOOCHES01:User booches was granted access.
2/22/2010:11:58:07 AM:IAS:Information:None:1:N/A:BOOCHES01:User BOOCHES\test was granted access.
2/22/2010:11:17:13 AM:IAS:Information:None:1:N/A:BOOCHES01:User testuser1 was granted access.
I needed to extract only the unique users. Playing a little with Linux gave me the following output.
User test was granted access.
User booches was granted access.
User rene was granted access.
User testuser was granted access.
User testuser1 was granted access.
It isn’t perfect, but it is good enough for me. The original log file is called log.txt and the output is written to a file called users.txt. I used the following command to accomplish the output above.
cat log.txt | cut -d: -f11 | sed 's/BOOCHES\\//g' | sort | uniq >> users.txt
cat prints the file log.txt to standard output, which is piped into the next command. The -d parameter of cut sets the delimiter (here the colon) and -f selects the field to print; field 11 is the message text, because the time stamp itself contains colons. With sed I search for the string “BOOCHES\” and replace it with nothing (the empty replacement between the two slashes). Everything is sorted with sort, all duplicate entries are removed with uniq, and the output is appended to the file users.txt.
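As an added example (not the original post's one-liner), the same extraction written as a small POSIX shell script. It keeps the post's cut -d: approach but takes field 11 to the end of the line so a message containing a colon is not truncated, strips any DOMAIN\ prefix generically instead of only "BOOCHES\", and also counts how often each user was granted access. The sample log is constructed to match the format above; the "denied access" line is made up to show that only "granted" events are counted.

```shell
#!/bin/sh
# Added example, not the original post's command: extract unique user names
# from IAS event-log lines in the format shown in the post.
# SAMPLE_LOG is constructed test data in that format (the denied line is made up).

SAMPLE_LOG='2/22/2010:1:14:46 PM:IAS:Information:None:1:N/A:BOOCHES01:User rene was granted access.
2/22/2010:12:19:58 PM:IAS:Information:None:1:N/A:BOOCHES01:User BOOCHES\test was granted access.
2/22/2010:12:03:24 PM:IAS:Information:None:1:N/A:BOOCHES01:User booches was granted access.
2/22/2010:11:58:54 AM:IAS:Information:None:1:N/A:BOOCHES01:User testuser was granted access.
2/22/2010:11:58:13 AM:IAS:Information:None:1:N/A:BOOCHES01:User booches was granted access.
2/22/2010:11:58:07 AM:IAS:Information:None:1:N/A:BOOCHES01:User BOOCHES\test was granted access.
2/22/2010:11:50:02 AM:IAS:Warning:None:2:N/A:BOOCHES01:User guest was denied access.'

# granted_users: reads log lines on stdin and prints the bare user name of every
# "granted access" event, one per line, with any DOMAIN\ prefix removed.
granted_users() {
    grep 'was granted access\.$' |
    # field 11 to the end of the line: the message text, even if it contains a colon
    cut -d: -f11- |
    sed -e 's/^User //' \
        -e 's/ was granted access\.$//' \
        -e 's/^.*\\//'
    # the last expression drops everything up to and including a backslash
}

# unique_users: sorted list of distinct users (the post's sort | uniq in one step)
unique_users() {
    granted_users | sort -u
}

# grants_per_user: "count user" per line, so unusual volumes stand out
grants_per_user() {
    granted_users | sort | uniq -c | sed 's/^ *//'
}

# count_users: number of distinct users seen in the log on stdin
count_users() {
    unique_users | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | unique_users
printf '%s\n' "$SAMPLE_LOG" | grants_per_user
```

Run it against the real file with `unique_users < log.txt > users.txt`; using `>` instead of the post's `>>` overwrites users.txt rather than appending to whatever was already there.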
Simple and effective!!!
A friend of mine works for a well known auditing and penetration testing company in the Netherlands. Recently we were talking about how he starts looking for flaws in network infrastructures. My friend told me that the first thing he does is simply start Wireshark and look at all the packets he receives.
By default, packets like DTP (Dynamic Trunking Protocol), CDP (Cisco Discovery Protocol) and HSRP (Hot Standby Router Protocol) are sent out of all the edge ports of a switch. Tools like Yersinia can be used by hackers to exploit these packets.
Normally when I configure a switch I always stop the sending of DTP and CDP on normal edge ports, at least where possible, since CDP is often needed on ports with IP phones. I prevent the sending of DTP and CDP with the following commands:
no cdp enable
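As an added example, not configuration from the original post, a complete edge-port configuration with both protocols switched off. The interface names and VLAN numbers are assumptions; `switchport nonegotiate` is the standard IOS command that stops DTP on a port whose mode is fixed to access or trunk, and `no cdp enable` is the post's command for CDP. The second port shows the exception mentioned above, where CDP stays on for an IP phone.

```cisco
! Added example, not from the original post. Interface names and VLAN ids are assumptions.
!
! Plain workstation port: fixed access mode, no DTP, no CDP.
interface GigabitEthernet1/0/10
 description Edge port - user workstation (constructed example)
 switchport mode access
 switchport access vlan 10
 ! DTP is only sent on dynamic ports; nonegotiate stops it once the mode is fixed
 switchport nonegotiate
 ! the post's command: no more CDP frames out of this port
 no cdp enable
!
! IP phone port: the phone uses CDP for its voice VLAN, so CDP stays on
! and only DTP is disabled.
interface GigabitEthernet1/0/11
 description Edge port - IP phone (constructed example)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
```

The difference between the two ports is the whole point: disable what the attached device does not need, and leave CDP only where a phone actually depends on it.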
To be honest, I never thought about the sending of HSRP packets. I created a simple test environment with one Cisco Catalyst 3750G switch and configured VLAN 1 with HSRP, as shown below.
ip address 10.10.10.2 255.255.255.0
standby 1 ip 10.10.10.1
standby 1 priority 150
standby 1 preempt
This is the most basic way of configuring HSRP. By using a tool like Yersinia, somebody could take over the role of active HSRP router by spoofing HSRP packets with a higher priority than the current active HSRP router. So I added a simple authentication text string to the configuration with the following command:
standby 1 authentication HSRP@ICT
This does not help much, because when I start Wireshark the authentication string is visible in clear text. The picture below shows an example:
In recent software versions you can protect HSRP by using MD5 authentication. MD5 authentication provides greater security than plain text authentication. This feature allows each HSRP group member to use a secret key to generate a keyed MD5 hash of the packet, which is carried as part of the outgoing packet. For an incoming packet a keyed hash is generated in the same way, and if the generated hash does not match the hash within the incoming packet, the packet is ignored.
To configure MD5 authentication in the previous example, I added the following configuration to interface VLAN 1:
standby 1 authentication md5 key-string hsrp@ictivity=secure,Ihope timeout 60
Now, when looking at the Wireshark output, only the keyed MD5 hash is visible instead of the key-string itself, so it cannot be easily read by a hacker.
The timeout option is important when rolling out a new key-string to all the members of an HSRP group. The timeout value is the period of time that the old key string will still be accepted, to allow configuration of all routers in a group with the new key.
So HSRP MD5 authentication is another way of making our network components and network infrastructure more secure against “evil” attacks and hackers.
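As an added example that ties the MD5 configuration and the timeout paragraph together (not configuration from the original post), here is the post's VLAN 1 group on two routers, both authenticating with MD5, followed by the key rollover that the timeout option is meant for. The second router (address 10.10.10.3, priority 100) is an assumption, since the post's test environment had a single switch, and the key-strings are placeholders to be replaced with real secrets.

```cisco
! Added example, not from the original post. Router B and the key values are assumptions;
! REPLACE-WITH-... are placeholders, not real keys.
!
! Router A: the post's configuration, intended active (priority 150), now with MD5.
interface Vlan1
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.1
 standby 1 priority 150
 standby 1 preempt
 standby 1 authentication md5 key-string REPLACE-WITH-STRONG-KEY timeout 60
!
! Router B: same group and virtual IP, lower priority, same key-string.
interface Vlan1
 ip address 10.10.10.3 255.255.255.0
 standby 1 ip 10.10.10.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string REPLACE-WITH-STRONG-KEY timeout 60
!
! Key rollover. After the new key-string is entered on a router, that router keeps
! accepting digests made with the old key for the timeout period (60 seconds here),
! which is the window in which the other group members get the same new key.
! Router A
interface Vlan1
 standby 1 authentication md5 key-string REPLACE-WITH-NEW-KEY timeout 60
! Router B, within the 60 seconds
interface Vlan1
 standby 1 authentication md5 key-string REPLACE-WITH-NEW-KEY timeout 60
```

After the change, `show standby` on each router reports the authentication mode of the group, and a capture of the VLAN 1 hellos in Wireshark should show the MD5 authentication data rather than the readable string from the plain text example.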