Firewall/Router Attack – BlackNurse

SOURCE: blacknurse.dk

The BlackNurse attack causes high CPU load on the target device.

REQUIREMENT:
-Kali Linux

Attack (flood better)
# hping3 -1 -C 3 -K 3 -i u20

# hping3 -1 -C 3 -K 3 --flood

RESULTS:
-Mikrotik v6.37.1 CPU utilization before attack 4%, after attack 44%
-Fortigate 5.2 CPU utilization before attack idle 99%, after attack idle 70%

This attack was from only one source. It could do more damage if I used more attack sources.

LIST OF REPORTED AFFECTED PRODUCTS:
-Cisco ASA 5505, 5506, 5515, 5525, 5540 (default settings)
-Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface – 100% CPU load
-Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
-Cisco Router 897 – Can be mitigated – The current code from https://www.cymru.com/Documents/secure-ios-template.html will make evil worse.
-Fortinet v5.4.1 – One CPU consumed
-Fortigate units 60c and 100D (even with drop ICMP on) – RESPONSE FROM FORTINET
-Some unverified Palo Alto – SEE ANSWER FROM PALO ALTO
-Palo Alto 5050 Firewalls with firmware 7.1.4-h2
-SonicWall – Misconfiguration can be changed and mitigated (Enable Anti-DDOS)
-Zyxel NWA3560-N (Wireless attack from LAN Side)
-Zyxel Zywall USG50

NOT AFFECTED:
-AVM Fritz!Box 7360 (common ADSL router in Germany)
-Check Point Security Gateways – Checkpoint response!
-Cisco ISR4321 Router IOS XE – Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
-GigaVUE HC-Serie (Gigamon)
-Iptables
-Juniper SRX
-Mikrotik CCR1036-12G-4S firmware: 3.27 (250 Mbit/s) and no problem && RouterOS 5.4 on Mikrotik RB750
-OpenBSD 6.0 and current
-pfSense
-Ubiquiti Networks – EdgeRouter Lite CPU 60-70% load but still going
-Windows Firewalls
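The attack above is an ICMP type 3 code 3 (destination unreachable, port unreachable) flood, which is exactly what the hping3 flags -C 3 -K 3 send. As an added detection example (not from blacknurse.dk or these notes), the Python below counts such packets per source and second in netfilter LOG lines and lists the sources that exceed a rate threshold, so they can be rate-limited or dropped at the edge; the log lines are constructed, and the LOG prefix and the 1000 pps threshold are assumptions.

```python
import re
from collections import Counter

# netfilter LOG line in syslog format. Assumption: a LOG rule for incoming ICMP exists
# (here with prefix "ICMP-IN:"); only the timestamp, SRC, PROTO, TYPE and CODE are used.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?\bSRC=(?P<src>[\d.]+)\s.*?"
    r"PROTO=ICMP\sTYPE=(?P<type>\d+)\sCODE=(?P<code>\d+)"
)

def icmp_unreach_counts(lines):
    """Count ICMP type 3 code 3 packets per (source, second); other ICMP is ignored."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("type") == "3" and m.group("code") == "3":
            counts[(m.group("src"), m.group("ts"))] += 1
    return counts

def flag_sources(lines, pps_threshold=1000):
    """Sources whose type 3 code 3 rate exceeded the threshold in at least one second.
    The threshold is an assumption; the published attack runs at tens of thousands of pps."""
    counts = icmp_unreach_counts(lines)
    return sorted({src for (src, _), n in counts.items() if n > pps_threshold})

def log_line(ts, src, icmp_type, icmp_code):
    """Constructed sample line in netfilter LOG layout (trailing fields abbreviated)."""
    return (f"{ts} fw kernel: ICMP-IN: IN=eth0 OUT= SRC={src} DST=192.0.2.1 LEN=56 "
            f"TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE={icmp_type} CODE={icmp_code}")

# Constructed log: one flooding source, one host sending a handful of legitimate
# port-unreachables (closed-port replies, UDP traceroute), and one echo-request flood
# that must not be counted because it is a different ICMP type.
SAMPLE_LOG = (
    [log_line("Nov 10 12:00:00", "198.51.100.7", 3, 3) for _ in range(1500)]
    + [log_line("Nov 10 12:00:00", "203.0.113.9", 3, 3) for _ in range(3)]
    + [log_line("Nov 10 12:00:00", "198.51.100.8", 8, 0) for _ in range(1500)]
)

if __name__ == "__main__":
    for src in flag_sources(SAMPLE_LOG):
        print(f"{src}: ICMP type 3 code 3 flood, candidate for rate-limit/drop at the edge")
```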

How to disable SIP ALG

SOURCE:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG

Many of today’s commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems, the fact is that many routers’ ALG implementations are wrong and break SIP.
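Before disabling SIP ALG on a given router it helps to confirm it is actually the thing mangling SIP. As an added example (not from voip-info.org or these notes), the Python below compares the INVITE a phone sent with the copy the proxy received and reports rewritten Via/Contact hosts and a Content-Length that no longer matches the SDP body, the typical symptom of a broken ALG; both messages are constructed, and the assumption is that a capture on each side of the router is available.

```python
import re

# Assumption: both copies of the same INVITE are available, the one the phone sent
# (capture on the LAN) and the one the proxy received (capture on the WAN side).

def parse_sip(msg):
    """Split a SIP message into (start line, {lowercase header: [values]}, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

# Host part of "Via: SIP/2.0/UDP host:port;..." or "Contact: <sip:user@host:port>"
HOST_RE = re.compile(r"(?:SIP/2\.0/\w+\s+|sip:(?:[^@>;\s]+@)?)([\w.\-]+)")

def alg_report(sent, received):
    """Return what changed in transit; an empty list means nothing rewrote the message."""
    _, sh, _ = parse_sip(sent)
    _, rh, rbody = parse_sip(received)
    findings = []
    for h in ("via", "contact"):
        s_host = HOST_RE.search(sh[h][0]).group(1)
        r_host = HOST_RE.search(rh[h][0]).group(1)
        if s_host != r_host:
            findings.append(f"{h} host rewritten {s_host} -> {r_host}")
    # An ALG that edits the SDP (c= line) but leaves Content-Length alone makes the
    # receiver read a truncated or over-long body: the classic one-way-audio symptom.
    declared = int(rh.get("content-length", ["0"])[0])
    actual = len(rbody.encode("utf-8"))
    if declared != actual:
        findings.append(f"content-length {declared} but body is {actual} bytes")
    return findings

def invite(host, content_length=None):
    """Constructed INVITE with SDP; content_length overrides the correct value on purpose."""
    body = f"v=0\r\no=alice 1 1 IN IP4 {host}\r\nc=IN IP4 {host}\r\nm=audio 8000 RTP/AVP 0\r\n"
    cl = len(body) if content_length is None else content_length
    return ("INVITE sip:bob@sip.example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK776\r\n"
            f"Contact: <sip:alice@{host}:5060>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {cl}\r\n\r\n{body}")

SENT = invite("192.168.1.20")                                   # as the phone sent it
MANGLED = invite("198.51.100.123", len(parse_sip(SENT)[2]))     # broken ALG: IPs rewritten, length stale

if __name__ == "__main__":
    for finding in alg_report(SENT, MANGLED):
        print(finding)
```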

CheckPoint
login to Smart Dashboard
click Smart Defence tab
expand Application Intelligence
expand VoIP
disable all features on H.323

Cisco
(config)# no ip nat service sip tcp port 5060
(config)# no ip nat service sip udp port 5060

ASA
(config)# policy-map global_policy
(config)# no inspect sip

Cyberoam
> cyberoam system_modules sip unload

D-Link
Open a browser and enter the router’s IP address in the address bar. Go to “Firewall Settings” under the “Advanced” item.
Uncheck the box to disable SPI – usually, directly below this item are options for “NAT Endpoint Filtering” that must be changed to “Endpoint Independent” for both TCP and UDP.
Next, find the “Application Level Gateway (ALG) Configuration” area and uncheck the box for SIP.
Save these settings and reboot the device if requested.

FortiGate
disable SIP ALG
# config system settings
# set sip-helper disable
# set sip-nat-trace disable
# end
verify
# show full-configuration system settings
delete sip
# config system session-helper
(session-helper) # show
config system session-helper
edit 1
set name pptp
set protocol 6
set port 1723
next
edit 2
set name h323
set protocol 6
set port 1720
next
edit 3
set name ras
set protocol 17
set port 1719
next
edit 4
set name tns
set protocol 6
set port 1521
next
edit 5
set name tftp
set protocol 17
set port 69
next
edit 6
set name rtsp
set protocol 6
set port 554
next
edit 7
set name rtsp
set protocol 6
set port 7070
next
edit 8
set name rtsp
set protocol 6
set port 8554
next
edit 9
set name ftp
set protocol 6
set port 21
next
edit 10
set name mms
set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
set name rsh
set protocol 6
set port 514
next
edit 16
set name rsh
set protocol 6
set port 512
next
edit 17
set name dcerpc
set protocol 6
set port 135
next
edit 18
set name dcerpc
set protocol 17
set port 135
next
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
end
(session-helper) # delete 13
(session-helper) # end

Juniper
https://kb.juniper.net/InfoCenter/index?page=content&id=KB7078&actp=search
# set security alg sip disable
# commit and quit

Mikrotik
> ip firewall service-port set sip disabled=yes

Netgear
From Wan Setup Menu, NAT Filtering, uncheck the box next to “Disable SIP ALG”

PaloAlto
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Disable-SIP-ALG/ta-p/60637
# set shared alg-override application sip alg-disabled yes

Peplink
go to http://<router.LAN.IP>/cgi-bin/MANGA/support.cgi
Click the “Disable” button under “SIP ALG Support”

SonicWall
in GUI, go to VOIP>Settings>General Settings
tick Enable consistent NAT
untick Enable SIP Transformations

SpeedTouch
telnet router
> connection unbind application=SIP port=5060
> saveall

Zyxel
telnet router
Menu option “24. System Maintenance”.
Menu option “8. Command Interpreter Mode”.
ip nat service sip active 0

NTP Server

CISCO
NTP MASTER
(config)#ip name-server 8.8.8.8
(config)#ntp server id.pool.ntp.org
(config)#clock timezone WIB 7
(config)#ntp update-calendar
#show clock detail
#show calendar

NTP CLIENT
(config)#clock timezone WIB 7
(config)#ntp server 12.12.12.1
# show ntp associations
# show ntp status
#show clock detail

FORTIGATE
using console, login as admin
config system global
    set fgd-alert-subscription advisory latest-threat
    set hostname "FGT1"
    set timezone 53
end
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 360
    config ntpserver
        edit 1
            set server "id.pool.ntp.org"
        next
    end
    set server-mode enable
    set interface "port1"
end

FGT1 # exe date
current date is: 2016-09-17
FGT1 # exe time
current time is: 19:28:04

JUNIPER
NTP MASTER
R1# show
system {
    host-name R1;
    domain-name poc.com;
    time-zone Asia/Jakarta;
    root-authentication {
        encrypted-password "$1$k1Iyv6h7$zpP9XotU3WcLUU2Kf9baC."; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    ntp {
        boot-server 202.162.32.12;
        server 103.28.56.14;
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 10.0.10.151/24;
            }
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 12.12.12.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.10.1;
    }
}

# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ns1.matrixgloba 203.123.48.219   2 -   22  512  377   19.156  2995.28 1137.12

NTP CLIENT
R2# show
system {
    host-name R2;
    domain-name poc.com;
    time-zone Asia/Jakarta;
    root-authentication {
        encrypted-password "$1$ZyPyDk7D$KjTrKc1c61UuNszJ/HplX."; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
    }
    ntp {
        boot-server 12.12.12.1;
        server 12.12.12.1;
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 12.12.12.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 12.12.12.1;
    }
}

> show ntp status
> run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*12.12.12.1     103.28.56.14     3 -   32   64   77    1.786  1088.36 599.222
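As an added check (not part of the original notes), the Python below parses the two association tables shown above for R1 and R2 and flags what a practitioner should look at: no '*' system peer selected, polls missed (reach below 377), and an offset above 128 ms, which is ntpd's step threshold; the 128 ms limit is an assumption you can tune.

```python
# Parses "show ntp associations" (Junos/IOS) or "ntpq -p" output; samples are from this page.
TALLY = "*+-x#.o"   # selection code in column 1; blank means not (yet) selected

def parse_ntp_associations(output):
    """Return one dict per peer line; header and separator lines are skipped."""
    peers = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 10 or parts[0] == "remote" or not parts[2].isdigit():
            continue
        tally = line[0] if line[0] in TALLY else " "
        remote = parts[0][1:] if tally != " " else parts[0]
        peers.append({
            "tally": tally,
            "remote": remote,
            "refid": parts[1],
            "stratum": int(parts[2]),
            "reach": int(parts[6], 8),     # octal shift register of the last 8 polls
            "offset_ms": float(parts[8]),
            "jitter_ms": float(parts[9]),
        })
    return peers

def ntp_health(peers, max_offset_ms=128.0):
    """Problems to look at; empty list means healthy. 128 ms is ntpd's step threshold:
    above it the clock is stepped rather than slewed, which shows up in log timestamps."""
    problems = []
    if not any(p["tally"] == "*" for p in peers):
        problems.append("no system peer selected (no '*' tally)")
    for p in peers:
        missed = 8 - bin(p["reach"]).count("1")
        if missed:
            problems.append(f"{p['remote']}: {missed} of last 8 polls unanswered (reach {p['reach']:o})")
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append(f"{p['remote']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
    return problems

R1_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ns1.matrixgloba 203.123.48.219   2 -   22  512  377   19.156  2995.28 1137.12
"""
R2_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*12.12.12.1     103.28.56.14     3 -   32   64   77    1.786  1088.36 599.222
"""
```

Run ntp_health(parse_ntp_associations(R1_OUTPUT)) to see R1 has no system peer and a 3 s offset, while R2 has a peer but missed two polls and is still 1 s off.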

 

MIKROTIK
-download and install the NTP server package from "Extra packages" at http://www.mikrotik.com/download

-check your LAN ip address
> ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     10.0.46.1/24       10.0.46.0       bridge-local

-set your Mikrotik time zone
> /system clock print
                  time: 17:25:06
                  date: sep/12/2016
  time-zone-autodetect: yes
        time-zone-name: Asia/Jakarta
            gmt-offset: +07:00
            dst-active: no

-set your NTP server
> system ntp server print
              enabled: yes
            broadcast: no
            multicast: no
             manycast: yes
  broadcast-addresses:

-set your Mikrotik to sync its time with id.pool.ntp.org
> system ntp client print
          enabled: yes
             mode: unicast
      primary-ntp: 202.162.32.12
    secondary-ntp: 0.0.0.0
  dynamic-servers:
           status: synchronized

-configure firewall to allow ntp traffic
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no
      log-prefix=""
 1    ;;; NTP
      chain=srcnat action=src-nat to-addresses=10.0.46.1 protocol=udp
      src-port=123

-verify current clock
> system clock print
                  time: 17:38:10
                  date: sep/12/2016
  time-zone-autodetect: yes
        time-zone-name: Asia/Jakarta
            gmt-offset: +07:00
            dst-active: no

Time zone reset on every reboot

The Mikrotik doesn't have a battery, so it won't keep the time zone upon reboot.

SOLUTION
/system scheduler
add name=startup on-event=ntp policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
/system script
add name=ntp owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":delay 15\r\
\n/system clock set time-zone-name=Asia/Jakarta\r\
\n/system ntp client set enabled=yes primary-ntp=203.89.31.13\r\
\n"

Mikrotik Hotspot

HW INFO:
-Mikrotik SXTG-2HNd
WAN IP: 10.0.10.229/24
WIFI IP: 192.168.88.1/24
> ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.0.10.229/24     10.0.10.0       ether1
 1   192.168.88.1/24    192.168.88.0    wlan1
/ip route
add distance=1 gateway=10.0.10.1
/system ntp client
set enabled=yes primary-ntp=203.160.128.59
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

click IP/Hotspot/Servers
click Hotspot Setup
click IP/Hotspot/Servers/hotspot1
click IP/Hotspot/Server Profiles/hsprof1/
click + on IP/Hotspot/User Profiles
create hotspot user
click + on IP/Hotspot/Users

To enable self-signed certificate
> ip service print
Flags: X - disabled, I - invalid
 #   NAME        PORT ADDRESS                                          CERTIFICATE
 0 XI telnet        23
 1   ftp           21
 2   www           80
 3   ssh           22
 4 XI www-ssl      443                                                  none
 5   api         8728
 6   winbox      8291
 7   api-ssl     8729                                                  none
> ip service disable 0
> ip service disable 1
> ip service enable 4

create self-signed
# openssl genrsa -des3 -out hotspot.key 1024
Enter pass phrase for hotspot.key: password
Verifying - Enter pass phrase for hotspot.key: password

# openssl req -new -key hotspot.key -out hotspot.csr
Enter pass phrase for hotspot.key: password
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ID
State or Province Name (full name) [Some-State]:JKT
Locality Name (eg, city) []:Jakarta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NGTrain
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:hs.ngtrain.com
Email Address []:support@ngtrain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:

# openssl x509 -req -days 10000 -in hotspot.csr -signkey hotspot.key -out hotspot.crt
Signature ok
subject=/C=ID/ST=JKT/L=Jakarta/O=NGTrain/OU=IT/CN=hs.ngtrain.com/emailAddress=support@ngtrain.com
Getting Private key
Enter pass phrase for hotspot.key: password

-scp hotspot.crt hotspot.key into mikrotik /hotspot
> /certificate import file-name=hotspot/hotspot.crt
passphrase: ********
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
> /certificate import file-name=hotspot/hotspot.key
passphrase: ********
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

/ip service set www-ssl certificate=hotspot.crt_0

-if you don’t have your own dns server, you can add static dns address for hs.ngtrain.com into your mikrotik
> ip dns static add name=hs.ngtrain.com address=192.168.88.1
verify using this command
> ip dns cache print

-modify IP/Hotspot/Server Profiles/hsprof1/

Port Mirroring

In Wireshark set
Interface: Ethernet
Filter: ip.addr == 10.0.10.115 (your WWW server ip address)

Cisco
to start
(config)# monitor session 1 source interface Fa2/0/1
(config)# monitor session 1 destination interface Fa2/0/2
(config)# monitor session 2 source vlan 10

to verify
# show monitor 1

to stop
(config)# no monitor session 1

HP
to start
(config)# mirror-port 2
(config)# int 1 monitor
(config)# vlan 10 monitor

to verify
(config)# show monitor
 Network Monitoring Port
  Mirror Port: 2
  Monitoring sources
  ------------------
  1

to stop
(config)# no mirror-port
(config)# no int 1 monitor
(config)# no vlan 10 monitor

Juniper
# show
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members default;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/47 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                native-vlan-id default;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.0.10.241/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.10.1;
    }
}
ethernet-switching-options {
    analyzer monitor1 {
        input {
            ingress {
                interface ge-0/0/0.0;
            }
        }
        output {
            interface {
                ge-0/0/1.0;
            }
        }
    }
    storm-control {
        interface all;
    }
}

to verify
# run show analyzer
Analyzer name                    : monitor1
  Output interface               : ge-0/0/1.0
  Mirror ratio                   : 1
  Loss priority                  : Low
  Ingress monitored interfaces   : ge-0/0/0.0

to stop
# delete ethernet-switching-options analyzer monitor1
# commit

Mikrotik
to start
/interface ethernet switch set mirror-source=ether1 mirror-target=ether4
NOTE: this must be done on a physical RouterBoard; it can't be done in Unetlab

Blocking Browsec Chrome Extension

Browsec is a VPN browser extension similar to ZenMate.

CheckPoint:

Cisco ASA:

Cyberoam:

Fortigate:

Juniper:

Mikrotik:

/ip firewall address-list
add address=12.12.12.0/24 list=LAN
/ip firewall layer7-protocol
add name=browsec regexp="^.+(postls.com).*\$"
/ip firewall filter
add action=drop chain=forward layer7-protocol=browsec src-address-list=LAN

PaloAlto:

SonicWall: