iBeacons <3 Cisco Meraki

What I have noticed is that when companies buy network devices like firewalls, switches and access points, they don't use all the features implemented in those devices.

I don't know whether the problem is sales or technical people, but I think companies don't know how to use their hardware and get everything out of what they have already bought.

The situation is like this: you buy a new car and then you don't use the lights, because you don't know how to use them or nobody has told you that your car has lights.

Because of this, I decided to write this little program and release it for PoC purposes, so companies that have Cisco Meraki APs with Bluetooth can get some ideas of what they can do with it.

First of all, if you don't know what an iBeacon is, go to https://en.wikipedia.org/wiki/IBeacon and check it out. In short, it is a protocol developed by Apple, based on Bluetooth Low Energy (BLE) technology.

What is also great is that if you don't have Meraki APs, you can use Linux hcitool or Mac mbeacon to test it. Do some googling (when I was "young", AltaVista was the search engine) and check it out.

Now let's stop talking and get to the technical stuff.

Note: you need to have Xcode installed on your Mac and you need to know how to use it. You also need an iPhone. I tested this code on iOS 14.0.1 and Xcode 12.0.1 (12A7300).

First you need to enable iBeacons on your AP.

Go to Wireless > Configure > IoT radio settings.

Then scroll down to Beaconing and set Advertising to On.

Advertising > On.

Now you need to generate a UUID for your BLE iBeacon advertising. This is the UUID your app tries to find.

Click Generate new UUID.

After this you need to choose whether to use unique Major and Minor numbers for each AP in the whole network, or whether all APs should share the same Major and Minor numbers. This depends on your use case.

Unique or Non-unique Major and Minor numbers.

If you have a larger area and want a different trigger when the Major or Minor changes, use Unique. If you only need one Major and Minor, choose Non-unique.

If you have multiple APs in your test bench, you can set them individually using the API or use the defaults.

Different Major and Minor numbers based on AP.
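To make the UUID / Major / Minor discussion concrete, here is an added Python example (not code from the My iBeacons app or from Meraki) that decodes the 25-byte iBeacon manufacturer data an AP advertises, applies the "find my UUID, optionally pin Major/Minor" filter, and turns RSSI into the rough distance the app displays. The UUID, Major and Minor values are constructed for the sample frame.

```python
import struct
import uuid

# iBeacon payload inside the BLE manufacturer-specific AD structure (type 0xFF):
# Apple company ID 0x004C (little-endian), sub-type 0x02, length 0x15, 16-byte
# proximity UUID, 2-byte Major, 2-byte Minor (big-endian) and a signed 1-byte
# calibrated RSSI measured at 1 m ("measured power").
APPLE_COMPANY_ID = 0x004C
IBEACON_SUBTYPE = 0x02
IBEACON_LEN = 0x15

def build_ibeacon(uuid_str: str, major: int, minor: int, tx_power: int) -> bytes:
    """Encode the 25-byte manufacturer data an AP advertises (used here to make test frames)."""
    header = struct.pack("<HBB", APPLE_COMPANY_ID, IBEACON_SUBTYPE, IBEACON_LEN)
    return header + uuid.UUID(uuid_str).bytes + struct.pack(">HHb", major, minor, tx_power)

def parse_ibeacon(mfg_data: bytes):
    """Return {'uuid','major','minor','tx_power'} or None if this is not an iBeacon frame."""
    if len(mfg_data) != 25:
        return None
    company, subtype, length = struct.unpack_from("<HBB", mfg_data, 0)
    if (company, subtype, length) != (APPLE_COMPANY_ID, IBEACON_SUBTYPE, IBEACON_LEN):
        return None
    major, minor, tx_power = struct.unpack_from(">HHb", mfg_data, 20)
    return {"uuid": str(uuid.UUID(bytes=mfg_data[4:20])), "major": major,
            "minor": minor, "tx_power": tx_power}

def matches(beacon, wanted_uuid: str, major=None, minor=None) -> bool:
    """The UUID is the network-wide filter; Major/Minor are only checked when given
    (Non-unique mode: filter on UUID alone; Unique mode: also pin Major/Minor)."""
    if beacon is None or beacon["uuid"] != wanted_uuid.lower():
        return False
    return (major is None or beacon["major"] == major) and \
           (minor is None or beacon["minor"] == minor)

def estimate_distance_m(rssi: int, tx_power: int, path_loss_n: float = 2.0) -> float:
    """Log-distance path-loss model: d = 10^((tx_power - rssi) / (10 n)).
    n = 2 is free space; indoors n is usually higher, so treat the result as a proximity class."""
    return 10 ** ((tx_power - rssi) / (10 * path_loss_n))

# Constructed sample: the frame an AP with this UUID, Major 100, Minor 7 would send.
SAMPLE_UUID = "12345678-1234-5678-1234-56789abcdef0"
SAMPLE_FRAME = build_ibeacon(SAMPLE_UUID, 100, 7, -59)

if __name__ == "__main__":
    b = parse_ibeacon(SAMPLE_FRAME)
    print(b, matches(b, SAMPLE_UUID, major=100), round(estimate_distance_m(-79, -59), 2))
```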

I suggest you copy your UUID into a file and upload it to your phone's notes.

After this you need to install the My iBeacons app on your phone; you can download the source code here: https://github.com/hrleinonen/iBeacon

After Xcode has finished the installation, your phone will ask some questions.

Choose Allow While Using App.
Choose Allow.

After this, tap Configuration.

Choose Configuration.

Now you need to insert your UUID, Major and Minor numbers. The Name field is not yet implemented.

Enter the UUID, Major and Minor numbers. After that, tap Save and Back.

Now you should see your distance to your AP.

iBeacon fully functional.

If you want to use a Mac and the mbeacon application, check this site: https://github.com/watr/mbeacon

And if you want to use your RPi as an iBeacon sender, go here: http://www.wadewegner.com/2014/05/create-an-ibeacon-transmitter-with-the-raspberry-pi/

Happy iBeaconing.

Regards,

Ville

Ubuntu (and maybe others) OpenLDAP 2.4+ and schema extension

I needed to integrate Cisco ISE (Identity Services Engine) and OpenLDAP. It was an easy task, but after a couple of weeks I realized that I needed more fields. I didn't find good fields for ISE SGTs and some other uses, so I decided to create my own LDAP schema.

There is a lot of discussion about how to generate your own schema, but only a couple of the guides worked for me. In this blog post I pull that information together so you don't need to do so much googling, ducking, binging etc.

First install Apache Directory Studio. You can find it here: https://directory.apache.org/studio/

After Directory Studio has started, open the Apache Directory Studio Schema Editor.

Schema Editor Icon.

Choose File > New.

File > New.

Select Schema Editor > New Schema Project and click Next.

New Schema Project.

Give the project a name and click Next.

Project name.

Choose Server Type OpenLDAP and click Finish. You have now created a new project where you can add your own OpenLDAP schema.

Server Type.

Choose File > New.

File > New.

Select Schema Editor > New Schema and click Next.

Give the schema a name and click Finish.

Schema name.

Under Cisco > Object Classes, choose New > New Object Class.

New Object Class.

Give a new OID (you can find instructions on how to get a private OID here: https://pen.iana.org/pen/PenApplication.page, and the current assignments here: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers), a new unique name in the Aliases field, and a description. After this click Next.

New Object Type OID.

Choose Class type Auxiliary and click Finish.

Class Type.

Under Cisco > Attribute Types, choose New > New Attribute Type.

New Attribute Type.

Give a new OID (you can find instructions on how to get a private OID here: https://pen.iana.org/pen/PenApplication.page, and the current assignments here: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers), a new unique name for the attribute, and a description. After this click Next.

New attribute type.

Choose the syntax, length and properties.

Attribute Type Content.

Choose matching rules and click Finish.

Matching Rules.

Choose the object class CiscoSchemaExtension and look at Optional attributes. Click Add…

Optional attributes.

Find your attribute and click Choose.

Object attributes.

Choose File > Save.

You have now created your own OpenLDAP schema extension.

Now choose Cisco > Export > Schemas as OpenLDAP files.

Schema Export.

Choose what to export and click Finish.

Schema export.

Log in to your Linux server and create a directory.

mkdir /tmp/ldapschema && cd /tmp/ldapschema

Copy your exported schema file (cisco.schema) to the directory /etc/ldap/schema.

Create a file called ldap.conf (use plain double quotes, not typographic ones):

echo "include /etc/ldap/schema/cisco.schema" > ldap.conf

Now generate the LDIF files that you will import into your OpenLDAP server. Give the command slaptest -f ldap.conf -F .

slaptest -f ldap.conf -F .

As you can see there is a new directory in /tmp/ldapschema.

New file and directory.

Go to the directory cn=config/cn=schema.

Directory cn=config/cn=schema

Edit the file called cn={0}cisco.ldif.

Remove the bottom lines.

Removed lines in bottom.

Edit the top lines.

Original lines.
Edited lines.

Now you can add your new schema to your OpenLDAP server. Use the command ldapadd -Y EXTERNAL -H ldapi:/// -f cn\=\{0\}cisco.ldif

If everything goes fine you get "adding new entry …".

Now restart slapd (service slapd restart) and start using your new schema.
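The "edit the top lines, remove the bottom lines" step above is the standard fix-up of slaptest's output before ldapadd: the dn and cn lose their {0} ordering index and gain the cn=schema,cn=config suffix, and the operational attributes slapd appended are dropped. This is an added Python example, not part of the original post; the sample LDIF is constructed in the shape of slaptest output and 1.3.6.1.4.1.99999 is a placeholder OID arc, not a registered PEN.

```python
import re

# Operational attributes slaptest appends to the generated entry; ldapadd must not
# receive them because slapd generates them itself for the new entry.
OPERATIONAL_ATTRS = {"structuralObjectClass", "entryUUID", "creatorsName",
                     "createTimestamp", "entryCSN", "modifiersName", "modifyTimestamp"}

def convert_schema_ldif(text: str, schema_name: str) -> str:
    """Rewrite slaptest's cn={N}<name>.ldif into an entry ldapadd accepts under cn=schema,cn=config."""
    out, dropping = [], False
    dn_re = re.compile(r"^dn: cn=\{\d+\}" + re.escape(schema_name) + r"$")
    cn_re = re.compile(r"^cn: \{\d+\}" + re.escape(schema_name) + r"$")
    for line in text.splitlines():
        if line.startswith(" "):            # LDIF continuation line belongs to the previous attribute
            if not dropping:
                out.append(line)
            continue
        dropping = False
        if line.startswith("#"):            # slaptest's "AUTO-GENERATED" / CRC header
            continue
        if dn_re.match(line):               # top lines: dn and cn lose the {N} ordering index
            out.append(f"dn: cn={schema_name},cn=schema,cn=config")
        elif cn_re.match(line):
            out.append(f"cn: {schema_name}")
        elif line.split(":", 1)[0] in OPERATIONAL_ATTRS:   # bottom lines
            dropping = True
        else:
            out.append(line)                # olcAttributeTypes / olcObjectClasses keep their {N} prefix
    return "\n".join(out) + "\n"

# Constructed sample in the shape of slaptest output (placeholder OIDs and timestamps).
SAMPLE_LDIF = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 deadbeef
dn: cn={0}cisco
objectClass: olcSchemaConfig
cn: {0}cisco
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'ciscoSgtName' DESC 'placehol
 der attribute' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.2.1 NAME 'CiscoSchemaExtension' AUXILIAR
 Y MAY ciscoSgtName )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20200101000000Z
entryCSN: 20200101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200101000000Z
"""

if __name__ == "__main__":
    print(convert_schema_ldif(SAMPLE_LDIF, "cisco"))
```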

Cisco Meraki MX and Graylog3 Part 4

This parser/content pack is used to log Meraki MX security events.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called "Cisco_Meraki_MX_Appliance_Security.json" is for MX appliance security events. It adds a couple of new search fields in Graylog3.

New fields are:

  • DISPOSITION = Disposition (e.g. malicious)
  • ACTION = Action (e.g. block)
  • SHA256 = SHA256 of the file (e.g. 2546dcffc5ad854d4d…)
  • NAME = Malware name (e.g. Win.Ransomware.Eicar::95.sbx.tg)
  • SRCIP = Source IP address (e.g. 10.10.101.101)
  • SRCPORT = Source port (e.g. 23434)
  • DSTIP = Destination IP address (e.g. 193.166.3.7)
  • DSTPORT = Destination port (e.g. 443)

Upload the file to Graylog3 using the instructions from my blog: https://www.hacknetwork.org/?p=167

Action report example.

Malware name example.

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the section called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5556 and choose the Appliance event log role. Click Save after this. Now you should see traffic on your Graylog input.

Cisco Meraki MX and Graylog3 Part 3

This parser/content pack is used to log Meraki MX URL events.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called "Cisco_Meraki_MX_Appliance_URLs.json" is for MX appliance URL events. It adds a couple of new search fields in Graylog3.

New fields are:

  • AGENT = Browser agent (e.g. Mozilla Firefox)
  • REQUEST = HTTP request (e.g. POST)
  • SRCIP = Source IP address (e.g. 10.10.101.101)
  • SRCPORT = Source port (e.g. 23434)
  • DSTIP = Destination IP address (e.g. 193.166.3.7)
  • DSTPORT = Destination port (e.g. 443)

Map based on destination IP addresses.
Example fields.

Upload the file to Graylog3 using the instructions from my blog: https://www.hacknetwork.org/?p=167

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the section called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5555 and choose the Appliance event log role. Click Save after this. Now you should see traffic on your Graylog input.

Cisco Meraki MX and Graylog3 Part 2

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

The file called "Cisco_Meraki_MX_Appliance_Events.json" is for MX appliance events. It adds a couple of new search fields in Graylog3.

New fields are:

  • EVENT_TYPE = Event type (e.g. IDS, content_filtering_block or dhcp)
  • SPI = Security Parameter Index (e.g. 53afbb30231007)
  • URL_CATEGORY = Category the blocked site belongs to (e.g. Malware)

Top 10 values for event type.
Top 5 blocked URL categories.

Upload the file to Graylog3 using the instructions from my blog: https://www.hacknetwork.org/?p=167

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the section called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5557 and choose the Appliance event log role. Click Save after this. Now you should see traffic on your Graylog input.

Cisco Meraki MX and Graylog3

I really like the Meraki cloud concept. It includes a complete network stack: firewalls/SD-WAN, WLAN, switches and security cameras (also MDM). The only problem (if we don't count the missing AnyConnect) is logs and querying them. Because I use Graylog for my other projects, I decided to use Graylog3 as my log storage. There are no ready-made parsers or dashboards in the Graylog marketplace, so I started to make my own.

Here comes a parser (GROK based) for MX flow records; enjoy.

First download the content pack from my GitHub: https://github.com/hrleinonen/graylog-meraki

There are a couple of roles in Meraki MX that you use to send syslog. I chose to send every role to a different port, so I can choose which extractor to use.

The file called "Cisco_Meraki_Flow_Content_Pack.json" is for MX flow events. It adds a couple of new search fields in Graylog3.

New fields are:

  • DSTIP = Destination IP address (e.g. 208.67.222.222)
  • DSTPORT = Destination port (e.g. 53)
  • FLOW_TYPE = Flow start or end (e.g. ip_flow_end)
  • PROTOCOL = Protocol (e.g. tcp)
  • SRCIP = Source IP address (e.g. 172.16.0.10)
  • SRCPORT = Source port (e.g. 1007)
  • TRANSLATED_DST_IP = Translated destination IP address (e.g. 1.2.3.4)
  • TRANSLATED_PORT = Translated port (e.g. 55)
  • TRANSLATED_SRC_IP = Translated source IP address (e.g. 81.3.4.1)

Example of the new search fields (btw. this is demo-generated data, not my inside network).

Now, when you have downloaded the JSON file, you must upload it to Graylog3. Choose System > Content Packs; the Content Packs page opens. Click Upload (green box) in the upper left corner. Choose the content pack file and upload it.

There is now a new content pack called Cisco Meraki Flow; click Install. After this you have a new input and dashboard.

Go to the inputs page, System > Inputs. There is an input called MERAKI_LOGS_FLOWS. The input listens on RAW/plaintext UDP port 5558 (there are some problems with the standard Syslog UDP input). If the input is not started, you must start it.

Now open the Meraki dashboard and choose the correct network.

Choose Network-wide > Configure > General.

Find the section called Reporting.

Cisco Meraki Syslog-server configuration.

Add your Graylog server IP address, port 5558 and choose the Flows role. Click Save after this. Now you should see traffic on your Graylog input.

Click System > Inputs, find MERAKI_LOGS_FLOWS and choose Show Received Messages.

There is also a new dashboard called "Meraki MX Flow Records". Go to Dashboards > Meraki MX Flow Records.

Example flow dashboard.
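The flow, URL, appliance-event and security-event fields listed in Parts 1 to 4 above all come out of the same key=value syslog shape, which is what the GROK extractors in the content packs pick apart. As an added Python example (not the content packs' own GROK patterns), this maps sample lines onto the same upper-case field names; the sample lines are constructed in the shape of Meraki MX syslog, not captures, and the MX84 hostname, addresses and hash are made up.

```python
import re

# Constructed sample lines (not captures) in the shape of Meraki MX syslog:
# "<epoch> <hostname> <role> key=value ... [request|pattern|message: free text]".
SAMPLE_LINES = [
    "1600000000.123456789 MX84 ip_flow_end src=172.16.0.10 dst=208.67.222.222 "
    "protocol=udp sport=1007 dport=53 translated_src_ip=81.3.4.1 translated_port=55",
    "1600000001.000000000 MX84 urls src=10.10.101.101:23434 dst=193.166.3.7:443 "
    "mac=00:11:22:33:44:55 agent='Mozilla/5.0 Firefox' request: POST https://example.invalid/up",
    "1600000002.000000000 MX84 security_event security_filtering_file_scanned "
    "src=10.10.101.101:23434 dst=193.166.3.7:443 name='Win.Ransomware.Eicar::95.sbx.tg' "
    "sha256=" + "ab" * 32 + " disposition=malicious action=block",
]

KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")          # values may be single-quoted (agent, name)
TAIL_RE = re.compile(r" (request|pattern|message): (.*)$")
COPY_KEYS = ("protocol", "agent", "name", "sha256", "disposition", "action",
             "translated_src_ip", "translated_dst_ip", "translated_port")

def parse_meraki(line: str) -> dict:
    """Map one MX syslog line onto the upper-case field names the content packs use."""
    ts, host, role, rest = line.split(" ", 3)
    fields = {"TIMESTAMP": ts, "HOST": host, "ROLE": role}
    if role in ("ip_flow_start", "ip_flow_end"):
        fields["FLOW_TYPE"] = role
    tail = TAIL_RE.search(rest)
    if tail:                                          # free-text tail is not key=value
        rest = rest[: tail.start()]
        if tail.group(1) == "request":                # "POST https://..." -> REQUEST + URL
            fields["REQUEST"], _, fields["URL"] = tail.group(2).partition(" ")
        else:
            fields[tail.group(1).upper()] = tail.group(2)
    head = rest.split(" ", 1)[0]
    if "=" not in head:                               # sub-type word, e.g. security_filtering_file_scanned
        fields["EVENT_TYPE"] = head
    raw = {k: v.strip("'") for k, v in KV_RE.findall(rest)}
    for side, port_key in (("src", "sport"), ("dst", "dport")):
        ip, _, port = raw.get(side, "").partition(":")   # urls/security lines carry ip:port
        if ip:
            fields[side.upper() + "IP"] = ip
        port = port or raw.get(port_key, "")
        if port:
            fields[side.upper() + "PORT"] = port
    for key in COPY_KEYS:
        if key in raw:
            fields[key.upper()] = raw[key]
    return fields

def parse_all(lines) -> list:
    return [parse_meraki(line) for line in lines]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(rec)
```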

Facedancer21 – Test your USB interface against unwanted devices.

The USB interface: that small, useful, hard-to-protect multifunctional port in your PC, phone, digibox (set-top box) and other devices.

In this article I don't try to crash my system or get inside the OS; I just want to protect my Linux devices against unwanted USB devices. This blog post can be divided into three parts:

  1. Limit the types of devices that can be connected to the box.
  2. Reject all devices that were not connected to the box at boot time.
  3. A combination of both.

This method is tested on Debian and RedHat/CentOS setups. There is a small difference between the two distributions.

First, you need the Facedancer21 USB device emulator hardware (you can order it here: https://store.hackaday.com/products/facedancer21)


Facedancer21 board.

Second, you need Linux (or Mac OS X; I use both) with Python 3 installed.

Third, you need to download NCC Group's USB host security assessment tool. I recommend using both tools:

Original umap: https://github.com/nccgroup/umap

Version 2 umap: https://github.com/nccgroup/umap2

What I have noticed is that they work in different scenarios, and version 2 is still limited (e.g. missing printer and OS detection support), but version 2 is more accurate when you are testing audio-based USB devices. Version 1 has a feature called "Start network server", but it's not working for me.

Fourth, you need a target. In this picture it's a Raspberry Pi running Raspbian (OK, I had too much time in the hotel room).

Facedancer21 setup. Laptop, facedancer21 and target.

Scenario 1.

You can use the -h option when you start the umap.py Python script. It shows the umap help options.

NCC umap.py options.

As you can see there are lots of options, including for fuzzing, but that's another story.

Connect your Facedancer21 to the target's USB port and run the command "sudo python3 umap.py -P /dev/tty.usbserial-AH039TWN -O". Check your logs for the correct device; mine was tty.usbserial-AH039TWN. Option -O scans your target and gives its best guess for the operating system.

It may not recognise all embedded TVs etc., but it is still a quite useful feature if you don't know what OS your target is running.

Next we need to figure out which USB devices your target supports. Run the command "sudo python3 umap.py -P /dev/tty.usbserial-AH039TWN -i". Option -i scans your target and lists all supported USB devices. You should do this also with umap2: run the command "umap2scan -P fd:/dev/ttyUSB0"; on my Kali box the FD2 is ttyUSB0.

Scan made by umap.

As you can see there are lots of supported USB devices in the default settings.

Scan made by umap2.

The NCC umap2 version looks prettier, but seems to find the same devices.

Next we try some hardening, so that we can limit the device types that can be connected to the USB port. Run the command "lsmod" and see what kernel modules are loaded after the first scan.

Output for lsmod.

As you can see there is lots of stuff loaded.

Go to the /etc/modprobe.d directory and create a new file. On Debian-based systems you put the values in this way:

blacklist snd_usb_audio
...
...

And on RedHat/CentOS in this way:

install usb-storage /bin/true
...
...

in that file. You can also use the command "lsusb -t" to find the loaded drivers. After this, reboot your system and run the umap scan again.

Scan for original umap.

Scan for umap2.

As you can see the original umap reports that audio is still supported, but version 2 says it is not supported. Actually the OS cannot load the correct drivers, but it still detects that someone is trying to connect a headset to the USB port.

Scenario 2.

Now we know how to filter USB devices. What if we need to filter all devices off? This is quite easy, but there is a downside: whenever you need to connect a device to the USB port, you need to reboot the device.

On Debian-based distributions open the file /etc/rc.local and put the line echo 0 > /sys/bus/usb/devices/usb1/authorized_default before the line exit 0. You can check how many USB hubs your system has by running "ls -l" in the /sys/bus/usb/devices/ directory.

On RedHat/CentOS-based systems create a file called e.g. lockusb.sh and put it in the /etc directory. Edit the file and put this in it:

#!/bin/bash
# USB lock
# Ville Leinonen/Atea Finland
echo 0 > /sys/bus/usb/devices/usb1/authorized_default
echo 0 > /sys/bus/usb/devices/usb2/authorized_default
echo 0 > /sys/bus/usb/devices/usb3/authorized_default
echo 0 > /sys/bus/usb/devices/usb4/authorized_default

Remember to check the directory. Now create a systemd unit file called e.g. lockusb.service and put it in the /etc/systemd/system/ directory. chmod +x the script and edit the unit file:

# Location /etc/systemd/system/lockusb.service
# Ville Leinonen/Atea Finland Oy
[Unit]
Description=Lock USB in the boot
After=sshd.service

[Service]
Type=simple
ExecStart=/etc/lockusb.sh

[Install]
WantedBy=multi-user.target

Remember to enable the service so the script runs when the system starts.

Now remove all the devices, reboot the system and scan it again.
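Scenarios 1 and 2 above, as an added Python example that is not part of the original post: it generates the /etc/modprobe.d fragment in the Debian or RedHat style and applies authorized_default=0 to however many root hubs the machine has (the thing the post tells you to check with ls). A constructed stand-in for /sys/bus/usb/devices lets the locking logic run offline; on a real host lock_usb() runs as root from rc.local or a systemd unit.

```python
import glob
import os
import tempfile

# Root hubs appear as usb1, usb2, ... under /sys/bus/usb/devices; the count is
# machine specific, which is why the post says to check the directory first.
def root_hubs(sysfs_root: str = "/sys/bus/usb/devices") -> list:
    return sorted(glob.glob(os.path.join(sysfs_root, "usb[0-9]*")))

def lock_usb(sysfs_root: str = "/sys/bus/usb/devices") -> dict:
    """Set authorized_default=0 on every root hub; return {hub: value read back}.
    Devices already enumerated at boot keep working; anything plugged in later is refused."""
    state = {}
    for hub in root_hubs(sysfs_root):
        path = os.path.join(hub, "authorized_default")
        if not os.path.exists(path):
            continue
        with open(path, "w") as f:
            f.write("0")
        with open(path) as f:
            state[os.path.basename(hub)] = f.read().strip()
    return state

def modprobe_fragment(modules, family: str) -> str:
    """Scenario 1 config for a file in /etc/modprobe.d. 'blacklist' only stops
    alias-based autoloading; 'install <mod> /bin/true' also defeats an explicit modprobe."""
    if family == "debian":
        return "".join(f"blacklist {m}\n" for m in modules)
    if family == "redhat":
        return "".join(f"install {m} /bin/true\n" for m in modules)
    raise ValueError(f"unknown family: {family}")

def make_fake_sysfs(hub_count: int = 3) -> str:
    """Constructed stand-in for /sys/bus/usb/devices so lock_usb can be exercised offline."""
    root = tempfile.mkdtemp()
    for i in range(1, hub_count + 1):
        os.makedirs(os.path.join(root, f"usb{i}"))
        with open(os.path.join(root, f"usb{i}", "authorized_default"), "w") as f:
            f.write("1\n")
    os.makedirs(os.path.join(root, "1-1"))   # a plugged-in device dir, not a root hub
    return root

if __name__ == "__main__":
    print(modprobe_fragment(["snd_usb_audio", "usb-storage"], "redhat"))
    print(lock_usb(make_fake_sysfs()))       # real use: lock_usb() as root at boot
```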

Original umap scan.

Original umap2 scan.

Now you see that there are no supported USB devices anymore.

Scenario 3.

Now you need to connect e.g. a memory stick to the device. Insert a USB memory stick into the port and run the command "lsusb -t".

Command lsusb -t output.

As you can see there is no mass-storage device in the list. Now reboot the device.

Command lsusb -t output.

After boot you see that the usb-storage driver is loaded. Now if you run the umap scan, you can see that mass storage is again reported as not supported.

Scan after mass-storage insert and boot.

Now if you remove the mass-storage device and insert it again, it won't work. So you are still protected against unwanted USB devices.

If you need to scan some specific USB class, you can use the -c option, e.g. sudo python3 umap.py -P /dev/tty.usbserial-AH039TWN -c 08:06:50; this will scan only the mass-storage class.

That's all for this time. See you next month.