Posts

SSH Client as a Quick and Dirty Port Scanner

by on Jul.22, 2022, under Posts

Since the ssh client is pretty ubiquitous and has been included with Windows 10 installations for the past couple of years, I’ve discovered it can be a useful TCP port scanner if you use the verbose flag:

For Windows:

ssh -p 80 google.com -v 2>&1 | findstr Connect

ssh -p 80 -o ConnectTimeout=1 www.google.com -v 2>&1 | findstr Connect
debug1: Connecting to www.google.com [142.250.191.228] port 80.
debug1: Connection established.
kex_exchange_identification: Connection closed by remote host

As for your *nix systems, just use grep instead of findstr. I hope someone else finds this useful!
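The same trick, wrapped so the result is a single word instead of debug output to eyeball. This is an added example rather than code from the post: it keeps the post's ssh -v / ConnectTimeout idea and only adds options that stop ssh from prompting or writing to known_hosts, plus a classifier over OpenSSH's connect messages ("Connection established", "Connection refused", "timed out"). The classifier runs on any text, so it can be checked against the post's own sample output without a network.

```shell
#!/bin/sh
# Added example (not from the original post): turn the ssh -v trick into a
# one-word reachability check. Assumes the OpenSSH client; the strings
# matched below are OpenSSH's own connect-phase messages.

# classify_ssh_output: read ssh -v output on stdin and print one word:
#   open      TCP connect succeeded (ssh may still fail afterwards, e.g. an
#             HTTP server on the port closes the connection; that is fine)
#   closed    the host answered with a RST
#   filtered  ConnectTimeout expired with no answer (dropped by a firewall)
#   unknown   anything else, e.g. a DNS failure
# "Connection established" is tested first because ssh keeps printing other
# errors after a successful connect.
classify_ssh_output() {
    out=$(cat)
    case "$out" in
        *"Connection established"*) echo open ;;
        *"Connection refused"*)     echo closed ;;
        *"timed out"*)              echo filtered ;;
        *)                          echo unknown ;;
    esac
}

# ssh_port_check HOST PORT [TIMEOUT_SECONDS]
# Only a TCP connect is of interest, so:
#   -F /dev/null              ignore the user's ~/.ssh/config
#   BatchMode=yes             never prompt for a password/passphrase
#   StrictHostKeyChecking=no  never prompt about an unknown host key
#   UserKnownHostsFile=/dev/null  and never record that key anywhere
ssh_port_check() {
    host=$1; port=$2; timeout=${3:-2}
    ssh -v -F /dev/null -p "$port" \
        -o ConnectTimeout="$timeout" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile=/dev/null \
        "$host" 2>&1 </dev/null | classify_ssh_output
}

# Usage (the post's own example): ssh_port_check www.google.com 80   -> open
```

One caveat: an open port whose service never sends anything (and never closes) keeps ssh waiting for an SSH banner, so for unknown services wrap the call in a timeout of your own. The check is handy for confirming that a firewall rule really drops (filtered) rather than rejects (closed) traffic from a given host.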

 


Domain Controller/Active directory over Meraki VPN fix

by on May.03, 2022, under Posts

If you have a Meraki setup that has Umbrella tied into it, and you can’t communicate properly with your *.local domain controller over the Meraki VPN, I have a potential fix for you. In my scenario, VPN clients could see the domain controllers, and the DC IP addresses were specified as DNS servers, which were properly assigned to VPN clients. VPN clients could query the DCs for external DNS names without any issues, but any *.local communications or gpupdate-related commands would fail. I troubleshot it to the nth degree and discovered this fix:

Go to Security & SD-WAN, then Configure, then Threat protection. Scroll down to the Umbrella protection section and specify your local domain name (mydomain.local) as an exception so that it is not routed to Umbrella. Save your changes and hopefully this resolves your issue.

If you continue to have issues, double-check your VPN clients and see which DNS servers are being assigned. Some individuals had to change the interface metric (hint: a lower number wins; use route print to find the metrics of your adapters).


Cisco Meraki security is kind of a joke…

by on Dec.11, 2021, under Posts

Recently I wanted to test Meraki’s ‘Threat Protection’ system and see if it was really up to snuff. First, I set up an up-to-date Windows 10 virtual machine and disabled the anti-virus on it. In this environment there isn’t any SSL inspection being done by Meraki, and to my understanding Cisco really doesn’t advocate using SSL inspection through Meraki. In my opinion, you are already at a disadvantage with the lack of SSL inspection, because most threats that need to be seriously considered will use encryption for evasion. Metasploit’s meterpreter payload has supported SSL and encryption for years. Plus, you can set up legitimate certs for free if needed.

With that said, I thought I would throw a softball at Meraki and see whether it would do some sort of detection over HTTP. I tried downloading the benign EICAR test file over HTTP and Meraki blocked it:

However, if you download the same file over HTTPS, Meraki does not block it (no surprise there). I then decided to step my game up and generate a payload using msfvenom and host it on a python3 HTTP server (python3 -m http.server):
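The HTTP-versus-HTTPS comparison above is worth keeping as a repeatable check, so here it is as an added example (not code from the post): fetch the harmless EICAR test file once over plain HTTP and once over HTTPS and report, per transport, whether something in the path delivered it, blocked it, or made the host unreachable. The two download URLs are assumed defaults and can be overridden through the environment; the body is only inspected for the test file's name, never written to disk or run.

```shell
#!/bin/sh
# Added example, not from the original post: a repeatable version of the
# EICAR-over-HTTP vs EICAR-over-HTTPS comparison. The URLs are assumed
# defaults (override with EICAR_HTTP_URL / EICAR_HTTPS_URL).

EICAR_HTTP_URL=${EICAR_HTTP_URL:-http://www.eicar.org/download/eicar.com}
EICAR_HTTPS_URL=${EICAR_HTTPS_URL:-https://secure.eicar.org/eicar.com}
# Only the name embedded in the test file is matched, not the full signature.
EICAR_MARKER='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

# classify_fetch CURL_EXIT BODY -> delivered | blocked | unreachable
#   delivered    the body is the test file: nothing in the path stopped it
#   blocked      a substitute page came back (curl exit 0 but no marker, e.g.
#                a 403 block page) or the transfer was reset/interfered with
#   unreachable  DNS (6) or TCP connect (7) failed: either a DNS-layer block
#                such as a sinkhole answer, or simply no network
classify_fetch() {
    curl_exit=$1; body=$2
    case "$body" in
        *"$EICAR_MARKER"*) echo delivered; return ;;
    esac
    case "$curl_exit" in
        0)   echo blocked ;;
        6|7) echo unreachable ;;
        *)   echo blocked ;;
    esac
}

# check_eicar_url URL -> classification for one transport.
# No --fail: an HTTP 403 block page must be captured as a body, not an error.
check_eicar_url() {
    body=$(curl -s --max-time 15 "$1"); rc=$?
    classify_fetch "$rc" "$body"
}

# run_eicar_check: one line per transport, e.g.
#   HTTP   http://...   blocked
#   HTTPS  https://...  delivered      <- the inspection gap described above
run_eicar_check() {
    printf 'HTTP   %-45s %s\n' "$EICAR_HTTP_URL"  "$(check_eicar_url "$EICAR_HTTP_URL")"
    printf 'HTTPS  %-45s %s\n' "$EICAR_HTTPS_URL" "$(check_eicar_url "$EICAR_HTTPS_URL")"
}
```

Run it from the protected segment (run_eicar_check) after a change to the threat-protection or SSL-inspection settings; "delivered" on the HTTPS line is the expected result for a setup without SSL inspection and is the gap to document, not a bug in the check. "unreachable" on both lines usually means the test host itself has no connectivity, so confirm with a plain fetch of a known-good site before reading anything into it.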

I was able to download the payload using PowerShell on the victim VM:

I was then able to run the payload on the victim system and have a session:

Meraki did not detect the payload or the session. Here’s the VirusTotal report for this payload:

https://www.virustotal.com/gui/file/f7f301b9bb52a23efb1c6e5ee4f2bb6adeebda2882a60c9f98ca582100b78908/detection

This payload was not made in any special way; it’s a pretty standard payload that I believe ALL IDS/IPS systems should be able to detect or block. However, I will give credit where credit is due: later on I did receive an alert that this payload had slipped through:

Additionally, this Meraki configuration does not have Cisco’s Umbrella integrated yet. Would Umbrella have blocked it? I honestly don’t know, but I’m willing to test it.

I would like to add that the majority of events I’ve seen under Security Center have been false positives. There is already enough noise in the information coming out of a network; Meraki generating more of it just adds unnecessary noise and can hamper investigations, in my humble opinion.

I’m still thoroughly disappointed with this discovery, because people are paying Cisco a lot of money for a false sense of security. Meraki should have blocked this threat right away. At the end of the day, I believe having well-trained employees and thorough AV/EDR systems on endpoints is what matters most.

#Update 12/24/2021

I have set up the Umbrella client on the victim VM. Meraki blocked the known helpme.exe file; however, if you simply use the shikata_ga_nai encoder to make a new file called helpme2.exe, that payload slipped through Meraki and Umbrella.

Here is the VirusTotal report for the file:

https://www.virustotal.com/gui/file/19cf577ac24452bfb715f421a6bdabadd0f2d043f60cbbf600e44e34dc14738f

I feel like I can confidently say that Meraki/Umbrella security is a joke.


Portable virtual lab that fits in your pocket

by on Sep.19, 2020, under Code, Posts

[Image: Samsung USB 3.1 Flash Drive BAR Plus 256GB, Titan Gray (MUF-256BE4/AM)]

Storage continues to get cheaper and cheaper. Above is a picture of a SAMSUNG BAR Plus flash drive. I was able to find one used on eBay for about $30 which has 256GB storage capacity.

My goal was to have a portable Linux distro that’s persistent on a larger-capacity flash drive, which I can use to run virtual machines and containers. While I’m not opposed to *BSD derivatives and even took some time to test out NomadBSD, I wanted an operating system that is more flexible and has more hardware support. I decided to go with Linux Mint XFCE. This means the flash drive can work in legacy BIOS systems and UEFI systems (provided Secure Boot is disabled). To make the persistent Linux USB drive, I used this guide: https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/ .

A majority of computers from the past 20 years support virtualization. Granted, there are some rare systems that don’t. (You can still install VirtualBox and run 32-bit guest operating systems on them.) My love of and interest in type 1 hypervisors has led me to experiment with hypervisors from different vendors. Linux KVM, which has been around for 13 years, has become reliable and stable enough for production environments. To get Linux KVM up and running on my flash drive under Linux Mint, I simply used this tutorial: https://community.linuxmint.com/tutorial/view/1727. Then, to have a nice web-based GUI for working with Linux KVM, I installed Cockpit ( https://www.hiroom2.com/2018/08/02/linuxmint-19-cockpit-en/ ).

The next evolution of virtualization, in my humble opinion, is container-based systems such as Docker. While containers may not always be ideal or meet true isolation security requirements, Docker adoption and usage has skyrocketed. One of the most useful things I use Docker for is a quick, disposable, isolated environment for testing software. Need to brush up on MariaDB programming? Awesome, spin up a container. Have a package you need that installs libraries which break other things, or even your package manager? Docker to the rescue. There are some CUI/GUI-based tools that help you with Docker as well if you’re not a big fan of typing commands. (Check out dockly and https://www.portainer.io/ . Cockpit can be used for managing containers as well.)

Installing Docker on my persistent flash drive was no problem (see this guide: https://linuxhint.com/install_docker_linux_mint/). However, getting it up and running was a bit more of a pain on a persistent Linux Mint flash drive. You can’t use the default storage driver, overlay2; you have to use the VFS storage driver (see https://docs.docker.com/storage/storagedriver/vfs-driver/ ). Once you have done this, you can test Docker by simply running: docker run hello-world.
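The storage-driver switch above as a small script, added here as an example and not taken from the post or from Docker's documentation. It looks at which filesystem backs Docker's data root (on a persistent live USB the root is itself an overlayfs, which overlay2 cannot stack on), writes the documented /etc/docker/daemon.json "storage-driver" setting accordingly, restarts the daemon and reads the effective driver back with docker info. The stat -f output names and the systemd unit name are GNU/Debian-family conventions and are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pick vfs when overlay2 cannot
# work on the filesystem under Docker's data root, write daemon.json, and
# verify. Must run as root to apply; the detection parts need no privileges.
# Assumes GNU stat (-f -c %T) and a systemd unit named "docker".

DOCKER_ROOT=${DOCKER_ROOT:-/var/lib/docker}
DAEMON_JSON=${DAEMON_JSON:-/etc/docker/daemon.json}

# needs_vfs FSTYPE -> 0 when overlay2 cannot be used on top of that filesystem:
# overlay2 cannot be stacked on another overlay (the live-USB root) and does
# not support FAT ("msdos" in GNU stat's naming).
needs_vfs() {
    case "$1" in
        overlay|overlayfs|vfat|msdos) return 0 ;;
        *) return 1 ;;
    esac
}

# fs_type_of DIR -> filesystem type name; walks up to the nearest existing
# parent when the data root has not been created yet (fresh install).
fs_type_of() {
    dir=$1
    while [ ! -d "$dir" ]; do dir=$(dirname "$dir"); done
    stat -f -c %T "$dir"
}

# render_daemon_json DRIVER -> contents of daemon.json. Nothing is merged with
# an existing file; this matches the fresh-install situation in the post.
render_daemon_json() {
    printf '{\n  "storage-driver": "%s"\n}\n' "$1"
}

# configure_storage_driver: detect, write, restart, verify.
configure_storage_driver() {
    fstype=$(fs_type_of "$DOCKER_ROOT")
    if needs_vfs "$fstype"; then driver=vfs; else driver=overlay2; fi
    echo "data root is on $fstype -> storage driver $driver"
    render_daemon_json "$driver" > "$DAEMON_JSON"
    systemctl restart docker
    # The effective driver must now match. Changing drivers hides images
    # pulled under the old one (each driver keeps its own subtree), so do this
    # before the first `docker run hello-world`, not after.
    effective=$(docker info --format '{{.Driver}}')
    [ "$effective" = "$driver" ] && echo "ok: $effective" || { echo "driver is $effective" >&2; return 1; }
}
```

vfs does no copy-on-write: every image layer is a full copy on the drive, so pulls are slow and disk use is much higher than with overlay2. That is acceptable for a lab stick, but it is the reason to keep the detection in place rather than hard-coding vfs everywhere.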

I also wanted to have secure remote access to the system running my persistent flash drive. I stumbled upon Tailscale and fell in love. Once you have tailscale up and running, you’ll have a tailscale0 interface. You can now ssh into your persistent flash drive from other places on the internet as long as you have tailscale configured on the client system. Tailscale can traverse NAT!

This persistent flash drive that I have is not without its issues. I have not been able to upgrade the kernel or upgrade to a new version of Linux Mint. Additionally, the mint user password does not persist after reboot (though the root password persists). To access ssh on my flash drive I had to enable root login for ssh, which I know is not ideal or very secure. Caveats aside, this has been a fun learning experience that I would recommend to any other computer enthusiast.
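The root-login compromise mentioned above can be narrowed considerably with a few sshd settings. This is an added example, not the post's configuration: it renders an sshd drop-in that listens only on the Tailscale address (so nothing on the LAN or Internet can reach the daemon), allows root with a key only, and disables password authentication altogether (which also makes the non-persisting mint password irrelevant). The drop-in directory /etc/ssh/sshd_config.d/ and the "ssh" systemd unit name are assumptions that hold on Ubuntu 20.04-based Mint; tailscale ip -4 is the real Tailscale CLI call.

```shell
#!/bin/sh
# Added example, not from the original post: restrict sshd to the tailnet
# and key-only root instead of plain "PermitRootLogin yes".
# Assumes /etc/ssh/sshd_config contains "Include /etc/ssh/sshd_config.d/*.conf"
# (Ubuntu 20.04+/Mint 20+) and that the sshd unit is called "ssh".

DROPIN=${DROPIN:-/etc/ssh/sshd_config.d/10-tailscale-only.conf}

# render_sshd_dropin TAILSCALE_IP -> sshd_config fragment:
#   ListenAddress            bind only the tailnet address, not 0.0.0.0
#   PermitRootLogin          prohibit-password = root via key only
#   PasswordAuthentication   no passwords for anyone, root or mint
#   ChallengeResponseAuthentication  no keyboard-interactive fallback either
render_sshd_dropin() {
    printf 'ListenAddress %s\nPermitRootLogin prohibit-password\nPasswordAuthentication no\nChallengeResponseAuthentication no\nPubkeyAuthentication yes\n' "$1"
}

# is_tailscale_ip ADDR -> 0 when ADDR is inside 100.64.0.0/10, the CGNAT
# range Tailscale assigns from; guards against binding to a LAN address by
# mistake if the tailscale command printed something unexpected.
is_tailscale_ip() {
    case "$1" in
        100.*)
            o2=${1#100.}; o2=${o2%%.*}
            [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
            ;;
        *) return 1 ;;
    esac
}

# apply_sshd_dropin: query the tailnet address, write the drop-in, validate
# the merged configuration with sshd -t before restarting (a bad fragment
# would otherwise leave the box without ssh at all).
apply_sshd_dropin() {
    ip=$(tailscale ip -4) || { echo "tailscale is not up" >&2; return 1; }
    is_tailscale_ip "$ip" || { echo "unexpected address: $ip" >&2; return 1; }
    render_sshd_dropin "$ip" > "$DROPIN"
    sshd -t && systemctl restart ssh
}
```

Because sshd now binds to a specific address, it must start after tailscale0 is up; if sshd fails at boot with a bind error, add an After=tailscaled.service ordering to the ssh unit or let it restart on failure. Root's authorized_keys must be in place before applying this, since no password path remains.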

 


command-not-found.com script

by on Apr.30, 2020, under Code, Posts

I’m a big fan of command-not-found.com and decided to write a simple script that can be used from the command line:

command:

cnf whois 

results:

Command-not-found.com results:
Install

All systems
curl cmd.cat/whois.sh

Debian
apt-get install whois

Ubuntu
apt-get install whois

[alpine.png] Alpine
apk add whois

Arch Linux
pacman -S whois

image/svg+xml Kali Linux
apt-get install whois

CentOS
yum install whois

Fedora
dnf install whois

OS X
brew install whois

Raspbian
apt-get install whois

Docker
docker run cmd.cat/whois whois powered by [8]Commando

The script is available here:

http://zitstif.com/cnf.txt

It’s a quick and dirty script but it gets the job done.
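A small companion to that output, added here as an example and not part of the cnf script itself: given the results text in the format shown above, print only the install line for the distro you are on, instead of reading the whole list. The heading names are the ones the site prints (with the stray image tokens such as "[alpine.png]" tolerated), the /etc/os-release IDs are the standard ones, and the sample text is a constructed copy of the whois results above.

```shell
#!/bin/sh
# Added example, not part of the linked cnf script: pick the install command
# for the running distro out of command-not-found.com results text.

# Constructed sample, copied from the output format shown on the page.
CNF_SAMPLE=$(cat <<'EOF'
Command-not-found.com results:
Install

All systems
curl cmd.cat/whois.sh

Debian
apt-get install whois

Ubuntu
apt-get install whois

[alpine.png] Alpine
apk add whois

Arch Linux
pacman -S whois

image/svg+xml Kali Linux
apt-get install whois

CentOS
yum install whois

Fedora
dnf install whois

OS X
brew install whois

Raspbian
apt-get install whois
EOF
)

# distro_heading -> the results heading for this system, from /etc/os-release.
# Mint is Ubuntu-based, so it maps to the Ubuntu line; RHEL clones to CentOS.
distro_heading() {
    id=$(. /etc/os-release 2>/dev/null && echo "$ID")
    case "$id" in
        debian)                      echo Debian ;;
        ubuntu|linuxmint)            echo Ubuntu ;;
        alpine)                      echo Alpine ;;
        arch)                        echo "Arch Linux" ;;
        kali)                        echo "Kali Linux" ;;
        centos|rhel|rocky|almalinux) echo CentOS ;;
        fedora)                      echo Fedora ;;
        raspbian)                    echo Raspbian ;;
        *)                           echo "All systems" ;;
    esac
}

# pick_install_cmd HEADING  (results text on stdin)
# Prints the line that follows the heading. Headings may carry a leftover
# image token ("[alpine.png] Alpine"), so a heading matches either exactly
# or as the trailing words of the line. Prints nothing for an unknown heading.
pick_install_cmd() {
    awk -v name="$1" '
        found { print; exit }
        $0 == name || $0 ~ ("[[:space:]]" name "$") { found = 1 }'
}

# cnf_install_line: the line for this machine, from the sample text.
cnf_install_line() {
    printf '%s\n' "$CNF_SAMPLE" | pick_install_cmd "$(distro_heading)"
}
```

Use printf '%s\n' "$CNF_SAMPLE" | pick_install_cmd Fedora to see it select "dnf install whois". One thing worth noticing in that output: the "All systems" fallback is a curl-a-script-and-run-it line, which hands an unknown remote script the same privileges as you; prefer the package-manager line for your distro, which is exactly what this selector does.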

