Thursday, April 9, 2015

Wireless Packet Capture on an iOS Device

Normally when you have a network problem with a wireless device you would fire up Wireshark and take a packet capture. On a Mac you can even capture in "Monitor" mode and look at the 802.11 management frames.

But on an iOS device there isn't an app for that! Luckily Apple does provide a way to capture wireless network traffic from an iOS device. The Apple KB article "Getting a Packet Trace" explains how to do wireless packet capture on an iOS device.

The document is aimed at developers and has a lot of information that a network engineer isn't interested in. Here is an easy-to-follow summary of the steps needed to do the capture.

Determine the UDID of the iOS device

To find the UDID, connect the iOS device to a MacBook, click the Apple icon at the top left, select "About This Mac" and click "System Report". When it opens, click "USB" on the left. The UDID is listed as the Serial Number. In this case it is 6bbed03e410f0523d88a50664060b34ad07fe3b9.

Start the Remote Virtual Interface on the iOS Device

Now that we have an iOS device and its UDID we can start the remote virtual interface for the device. With the iOS device still connected to the Mac, open a Terminal window and enter:

$ rvictl -s 6bbed03e410f0523d88a50664060b34ad07fe3b9

Starting device 6bbed03e410f0523d88a50664060b34ad07fe3b9 [SUCCEEDED]

Use ifconfig to list the interfaces; the new rvi0 interface appears at the end:

$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0

If you are using Wireshark select rvi0 as the capture interface.

Using tcpdump to capture the traffic

You can use Wireshark to capture and display the traffic. If you just need to capture traffic for later analysis you can use tcpdump, which is built into the Mac:

sudo tcpdump -i rvi0 -w iPhone.pcap

To stop the capture, press Ctrl+C.
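The rvictl and tcpdump steps above, wrapped into one script that checks each step and always removes the virtual interface again. This is an added example, not code from the original post; it assumes a Mac with Xcode's rvictl installed, the device attached over USB, and a hypothetical file name of rvi-capture.sh.

```shell
#!/bin/bash
# Added example (not from the original post): the rvictl / tcpdump steps
# above as one script that verifies each step. Assumes a Mac with Xcode's
# rvictl installed and the device attached over USB; rvi-capture.sh is a
# hypothetical file name.
set -eu

# Print the first remote virtual interface (rvi0, rvi1, ...) found in an
# `ifconfig -l` listing, or fail if none appeared.
find_rvi_iface() {
    for ifname in $1; do
        case "$ifname" in
            rvi[0-9]*) printf '%s\n' "$ifname"; return 0 ;;
        esac
    done
    return 1
}

# Accept the 40-hex-digit UDID shown in this post, or the newer
# 8-hex "-" 16-hex form that later Apple devices report (assumption).
valid_udid() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{40}|[0-9A-F]{8}-[0-9A-F]{16})$'
}

# Start the interface, capture to a pcap, and always tear the interface
# down again. $1 = UDID, $2 = output file, $3 = packet count (0 = no limit).
capture_from_device() {
    udid=$1; outfile=$2; count=${3:-0}
    valid_udid "$udid" || { echo "not a UDID: $udid" >&2; return 2; }
    rvictl -s "$udid"
    trap 'rvictl -x "$udid"' EXIT   # also runs when tcpdump is stopped with Ctrl-C
    iface=$(find_rvi_iface "$(ifconfig -l)") ||
        { echo "no rvi interface appeared after rvictl -s" >&2; return 1; }
    if [ "$count" -gt 0 ]; then
        sudo tcpdump -i "$iface" -c "$count" -w "$outfile"
    else
        sudo tcpdump -i "$iface" -w "$outfile"
    fi
}

# Usage: ./rvi-capture.sh <UDID> <out.pcap> [packet-count]
if [ "$#" -ge 2 ]; then
    capture_from_device "$@"
fi
```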

iOS 7 and later breaks Wireshark, but here is a workaround

The Wireshark forum has a thread, "Mavericks cannot capture from iPhone using rvi".

From the thread:
As others mentioned, the workaround is to enable the DLT_USER protocol #149 in Wireshark. From my experience the actual header and protocol is different depending whether your device is connected using wifi or radio:

* when connected with radio (3G): set header length to 112, and protocol to ip
* when connected with wifi: set header length to 108, and protocol to eth

This is just to confirm that the above approach (set header length to 108, and protocol to eth) works for me. I can capture live and see all the info about my SIP packets during capture.

Resources

Enterprise Best Practices for Apple Mobile Devices on Cisco Wireless LANs

Tuesday, April 7, 2015

Using Secure Copy (SCP) to Transfer Files

Secure Copy or SCP uses SSH for data transfer and uses the SSH mechanisms for authentication, thereby ensuring the authenticity and confidentiality of the data in transit.

On Cisco network equipment you can enable SCP and use it instead of TFTP for most file transfers. This has the advantage of not having to set up a TFTP server on your computer, and the file transfers are encrypted. Encryption should (arguably must) be used if you are copying files over an insecure link like the Internet.

On Windows you can use the PuTTY companion program pscp. You can download pscp here: PSCP.

Configuration

SSH and "aaa new-model" with exec authorization have to be enabled, or a local username/password with privilege level 15. In other words, when you log in over SSH you must end up at a # (privileged EXEC) prompt. See the Cisco Support forum article "Privilege denied message" in the Resources section below if you get a "Privilege denied" message.

aaa new-model
aaa authentication login default local
aaa authorization exec default local

Enable the SCP server:
ip scp server enable

For this example:
Cisco device IP - 192.168.10.100
Username - cisco
Password - cisco1
My workstation - 192.168.10.50

Copy files from flash:
pscp -scp -pw cisco1 cisco@192.168.10.100:flash:test.pcap test.pcap
test.pcap             | 30 kB |  30.6 kB/s | ETA: 00:00:00 | 100%

Copy files to flash:
pscp -scp -pw cisco1 C:\tftp-root\firmware.bin cisco@192.168.10.100:flash:firmware.bin

Using the Archive command with SCP

The free SolarWinds SFTP/SCP server can be used on Windows as an SCP server. Once you have downloaded and installed the server, use this syntax on the network device:

archive download-sw scp://mhubbard@192.168.10.50/c3750-ipbaselmk9-tar.122-55.SE10.tar

On the server you will see the authentication and then the file transfer.

On Mac or Linux

SCP is built into Mac OS X and most Linux/Unix distributions.
To copy a file from the network device to the host the syntax is:

scp user@host:flash:filename filename

Note: Make sure you have permission to save files in the directory you run the command from. If not, you will see "Operation not supported / Closing Connection".

Here’s an example:
1s1k:~ mhubbard$ scp cisco@192.168.10.50:flash:config.text config.text
Password:
config.text                                       100% 7267     7.1KB/s   00:00

To copy a file from the host to the network device the syntax is:

scp file user@host:flash:file

Here’s an example:
1s1k:~ mhubbard$ scp a.txt cisco@192.168.10.50:flash:a.txt
Password:
a.txt                                                         100% 7267     7.1KB/s   00:00

Copy files to flash from the network device's CLI
In this example the file is in my Downloads folder on the workstation, so the absolute path is /home/mhubbard/Downloads.

copy scp://mhubbard@192.168.10.50//home/mhubbard/Downloads/cat3k_caa-universalk9.SPA.03.06.06.E.152-2.E6.bin flash:

NOTE: there are two slashes (//) after the IP address, followed by the full path to the file.

Using a Password with an @ Symbol 

Just like an SNMP Community string can't contain an @ symbol, neither can the password used for SCP. Here is an example: 

C:\TFTP-Root>pscp -scp -pw b@w0rk@7 c:\tftp-root\nxos.7.0.3.I2.2d.bin admin@172.16.40.5:flash:nxos.7.0.3.I2.2d.bin
PuTTY Secure Copy client
Release 0.64

w0rk@7' is not recognized as an internal or external command, operable program or batch file.

Notice that it took the "b", terminated on the @ symbol and returned the rest of the password as an error. The user was doing the copy with WinSCP, which popped up a dialog saying it had received invalid data.

I switched to PuTTY SCP and it was immediately clear what the problem was. I created a new user with a valid password and the SCP transfer succeeded:

C:\TFTP-Root>pscp -scp -pw 9x3kaqq! c:\tftp-root\nxos.7.0.3.I2.2d.bin mhubbard@172.16.40.5:flash:nxos.7.0.3.I2.2d.bin
nxos.7.0.3.I2.2d.bin | 315980 kB | 381.2 kB/s | 
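The two gotchas from the sections above, the double slash in the IOS "copy scp://" URL and the directory-permission failure of scp on the host, plus the rule that the credentials in that URL must not contain an @, as an added shell example (not code from the original post). It assumes a Cisco IOS device reachable as user@host:flash:<file>, OpenSSH 9 or later on the workstation, and placeholder usernames and hosts.

```shell
#!/bin/sh
# Added example (not from the original post): builds the IOS "copy scp://"
# URL with the double slash the post points out, and wraps the host-side scp
# pull with the directory-permission check it warns about. Assumes a Cisco
# IOS device reachable as user@host:flash:<file> and OpenSSH 9 or later.
set -eu

# Print the URL for "copy scp://... flash:" run on the device. A path after a
# single slash is relative to the SCP user's home directory on the server, so
# an absolute path needs the second slash. '@' is the URL's credential
# separator, so a username containing it is rejected; the password is not
# embedded at all because IOS prompts for it.
ios_scp_url() {
    user=$1; host=$2; path=$3
    case "$user" in
        *@*) echo "username must not contain '@': $user" >&2; return 2 ;;
    esac
    case "$path" in
        /*) printf 'scp://%s@%s/%s\n' "$user" "$host" "$path" ;;
        *)  echo "path must be absolute: $path" >&2; return 2 ;;
    esac
}

# Copy <file> from the device's flash: into <destdir> (default: current
# directory). Checks that the directory is writable first, since otherwise
# scp only reports "Operation not supported / Closing Connection".
pull_from_flash() {
    user=$1; host=$2; file=$3; destdir=${4:-.}
    if [ ! -d "$destdir" ] || [ ! -w "$destdir" ]; then
        echo "cannot write to directory: $destdir" >&2; return 2
    fi
    # -O: OpenSSH 9+ scp speaks SFTP by default, which a classic IOS SCP
    #     server does not; -O forces the SCP protocol.
    # StrictHostKeyChecking=yes: refuse a device whose host key is unknown
    #     or has changed instead of silently accepting it.
    scp -O -o StrictHostKeyChecking=yes \
        "$user@$host:flash:$file" "$destdir/$file"
}

# Usage: pull_from_flash cisco 192.168.10.100 config.text ./backups
```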

Troubleshooting

OpenSSH dropped support for SSH V1 in mid-2017. I recently went to scp a file to a 3850 switch and received this on the switch (IP 10.42.250.40):

%Error opening scp://*@10.42.52.172/cat3k_caa-universalk9.16.03.07.SPA.bin (Undefined error)

On the laptop I ran:

systemctl status sshd
 
ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-12-12 21:31:56 PST; 21h ago
Process: 19309 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 19305 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 2184 (sshd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/ssh.service
└─2184 /usr/sbin/sshd -D

Dec 13 18:46:11 1S1K-G5-5587 sshd[19813]: Protocol major versions differ for 10.40.250.40 port 23825: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1 vs. SSH-

I remembered that support for SSH V1 had been dropped. I ran
ip ssh version 2
on the switch and it resolved the issue.
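A small detection script for the symptom above: it scans sshd log lines for the "Protocol major versions differ" message and lists each peer with the banner it sent, so the devices still on SSH V1 can be found and fixed with "ip ssh version 2". This is an added example, not code from the original post; the log lines inside it are constructed, and this-script.sh is a hypothetical file name.

```shell
#!/bin/sh
# Added example (not from the original post): scans sshd log lines for the
# "Protocol major versions differ" message seen above and reports each peer
# together with the banner it sent. Feed it journalctl -u ssh or
# /var/log/auth.log on stdin; the sample lines below are constructed.
set -eu

# stdin: sshd log lines. stdout: "<peer-ip> <peer-banner>", one line per peer.
# In OpenSSH's message the banner before "vs." is the local server's and the
# one after it is what the remote side announced.
ssh_version_mismatches() {
    sed -n 's/.*Protocol major versions differ for \([^ ]*\) port [0-9]*: .* vs\. \(SSH-[^ ]*\).*/\1 \2/p' |
        sort -u
}

# Constructed sample: two attempts from one switch still speaking SSH V1
# (SSH-1.5-Cisco-1.25 is the banner classic IOS sends) and one normal login.
SAMPLE_LOG='Dec 13 18:46:11 lab-host sshd[19813]: Protocol major versions differ for 192.0.2.40 port 23825: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1 vs. SSH-1.5-Cisco-1.25
Dec 13 18:47:02 lab-host sshd[19820]: Accepted password for mhubbard from 192.0.2.41 port 40122 ssh2
Dec 13 18:48:10 lab-host sshd[19831]: Protocol major versions differ for 192.0.2.40 port 23826: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1 vs. SSH-1.5-Cisco-1.25'

# Run the parser over the constructed sample.
sample_mismatches() {
    printf '%s\n' "$SAMPLE_LOG" | ssh_version_mismatches
}

# Usage on a real host:  journalctl -u ssh --no-pager | sh this-script.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    ssh_version_mismatches
fi
```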

Resources
Solarwinds SFTP/SCP
SCP Copy - Cisco Support Forums
Privilege denied message

Saturday, April 4, 2015

Using MiniLock to encrypt files (safely email configuration files)

Minilock is a simple, easy-to-use file encryption extension for the Chrome browser. It was written by Nadim Kobeissi, who also wrote Cryptocat. The code has been audited and reviewed by the penetration testing company Cure53 with support from the Open Technology Fund. See the reference links below for more information about Minilock's design and a review by Steve Gibson on Security Now.

To get started with Minilock all you do is install the extension from the Chrome app store, start the app and enter your email address and a passphrase. Minilock will do an entropy check on your passphrase and, if it isn't strong enough, will offer one. I took the offered passphrase, which was long and there was no way I would remember it, but I use LastPass to store my passphrases so I didn't care. Minilock is a Trust No One (TNO) application: if you forget your passphrase it CANNOT be recovered.

Minilock takes the email address and the passphrase to create a private/public key pair. The beauty of Minilock is that it uses Daniel J. Bernstein's Curve25519 crypto, so the public key is very short. You can easily tweet it to someone who needs to share an encrypted file with you. It's easy enough to use that there is no longer a reason to send a configuration file or password list unencrypted in an email.
(Screenshot: Apps icon)

After the extension is installed, click the Google Apps icon. You can right-click on the icon and create a shortcut for future use. After you enter the email and passphrase, click the arrow. Minilock will create the key pair and display your public key. Minilock calls the public key your "Minilock ID". You can save the Minilock ID, but Minilock displays it every time you start the app.

You can tweet the Minilock ID, put it in your email signature, on a business card, etc., because it's the public part of the public/private key pair. This is the beauty of Public Key Infrastructure (PKI) crypto: you can create secure communications over an untrusted medium using a public key.

To encrypt a file, start the app and enter your email and passphrase. Minilock will display a link you can click to browse for a file, or you can drag and drop a file onto it. Your Minilock ID is displayed so that you can copy it and send it to someone else.
(Screenshot: File selection dialog)

Once you drag and drop or open a file, it will be encrypted (and authenticated) and saved with a .minilock extension in the Downloads folder. Minilock will display a new dialog asking you to enter the Minilock IDs of the people who are allowed to decrypt the file.

You can add several IDs at once. The file size barely grows as you add more IDs. One nice feature of Minilock is that none of the recipients gets any information about the other users who are allowed to open the file.

From the Minilock design document "Another feature is that analyzing a miniLock-encrypted file does not yield the miniLock IDs or identities of the sender or the recipient(s). Upon decryption, a legitimate recipient will be able to know and verify the identity of the sender, but will still be unable to determine the identity of other potential recipients."

(Screenshot: Add "Allowed Users" dialog)
Once you have added the Minilock IDs of the recipients, click the arrow. The file will be encrypted and a new dialog will appear. Click the arrow to save the file to the Downloads folder.

Now you can email the file without worrying about it being intercepted and compromised.

Chrome has become the number one browser, and Minilock is easy enough to use that you should seriously consider it any time you have to email a file containing sensitive data.

References

Minilock Design Document
Security Now 501 Show Notes - includes a review of Minilock
My Minilock ID - 22LXKQertj4op8vCjpWNmGJyaGPryp3BEFv8d2y4rTzG4Q