pskl.us

Tutorials

Integrate your SafeConnect NAC with a Palo Alto Firewall

by on Jun.29, 2012, under Code, Tutorials

The following script allows you to export Username:IP Address pairings from your SafeConnect NAC appliance into your Palo Alto firewall.  This allows for super-fast identification of misbehaving clients and infected machines on your network.

Requirements:

  • A Palo Alto firewall and a SafeConnect NAC box (obviously)
  • MySQL database, configured to receive logging from your SafeConnect Appliance (SafeConnect support can help with the log export configuration on your appliance)
  • A Linux box to run this script.   I suggest using the same box as your MySQL DB, but that’s up to you.
  • Two Windows servers.  If you’re an AD shop, just install these on any member server.

Setup:

1) Install the Palo Alto UserID Agent (download from the Palo Alto support site) on two member servers in your domain.  The account you provide to the agent needs permission to read the event logs on the Domain Controllers.  It must also have local administrator access to the box where it is installed.

2) Configure the Palo Alto UserID agent to accept incoming XML connections (Setup -> Edit -> Agent Service)

3) Configure the Access Control List of the PA User-ID Agent program to permit connections from your Linux box and your Palo Alto Firewalls. (Setup -> Access Control List -> Add).  Be sure to permit ports 5006/TCP and 5007/TCP through any applicable firewalls as well.

4) Configure your Palo Alto firewalls to communicate with the UserID Agents.  (From the WebUI, Device -> User Identification -> User-ID Agents).  The port number is 5007.

5) Install MySQL on your Linux box, and configure the SafeConnect appliance for MySQL export to your server.  (The MySQL setup is beyond the scope of this document).  SafeConnect support can assist you with the appliance-side configuration.  Create a MySQL user with permission to read the “clienthist” table from the Linux box where you’ll be running the script.

6) Install the PAN::API Perl Module on your Linux box.  On RHEL, you can drop it into /usr/lib/perl5/site_perl.  The module is available for download from https://live.paloaltonetworks.com/docs/DOC-1662

7) Copy the pa-uid-safeconnect.pl script to your Linux box:

#!/usr/bin/perl
#
# pa-uid-safeconnect.pl
# Revision 0.2
#
# Collects username:IP pairings from your Impulse Point SafeConnect NAC box and loads the data
# into the Palo Alto Firewall's UserID agents.  The Palo Alto UserID agent runs on a Windows server;  you'll
# need two UserID agent boxes to use this script as-written.
#
# Requires the PAN::API and DBI PERL modules.   You'll also need to set up MySQL log export from your appliance
# to a MySQL database which is maintained on a separate server.  Ask your SafeConnect support rep for
# assistance in setting up the "BackupDB" export.
#
# This script was written for, and tested under, Red Hat Linux.
#
# NOTE:  The PAN::API module does not have proper error handling, and will die if an attempt is made to
# connect to a Palo Alto UserID agent box that is not responding.
#
# eric@pskl.us 06.27.12
#
#
use strict;
use warnings;

# Configuration Section #################################

# Your Palo Alto User-ID Agent boxes:

my $server1="pa-uid-agent-1.pskl.us";
my $server2="pa-uid-agent-2.pskl.us";

# Your BackupDB MySQL host and user; the specified user needs read access to the "clienthist" table.

my $mysql_server="mysqlbox-14.pskl.us";
my $mysql_username="MySQL_username";
my $mysql_password="MySQL_password";

# How often do you require users to re-authenticate to SafeConnect, in days?
my $safeconnect_reauth_time=7;

# Maximum number of submissions to the PA UID Agent per session (100 seems to work well).
my $XMLSize=100;

# Enable debugging (yes/no).  Generates a lot of output, use with caution.

my $debug="yes";

#### End of Configuration Section ####

use DBI();
use PAN::API;

# Create PAN::API Objects

my $pa_uid_agent_1=PAN::API::UID->new($server1);
my $pa_uid_agent_2=PAN::API::UID->new($server2);

# Connection to your SafeConnect BackupDB instance

my $dbobject = DBI->connect("DBI:mysql:database=backupDB;host=$mysql_server",
    $mysql_username, $mysql_password, {'RaiseError' => 1});

# MySQL query string.  Pulls the last $safeconnect_reauth_time days of data.
# Rows come back oldest-first, so the most recent pairing seen for an IP wins below.

my $query=<<EOF;
SELECT transDate,currentIpAddress,principal from clienthist where
DATE_SUB(CURDATE(), INTERVAL $safeconnect_reauth_time DAY) <= transDate order by transDate asc;
EOF

my $queryobject = $dbobject->prepare($query);

$queryobject->execute();

my %ipdb;

while (my @row = $queryobject->fetchrow_array()) {

    # Only process those entries with a username present..

    if ( $row[2] ) {
        # principal is stored as "username,groups"; keep only the username
        my ($username, $groups)=split(",", $row[2]);
        $ipdb{$row[1]}=$username;
        if ( $debug eq "yes" ) {
            print "Found pairing:  $row[0] $row[1] --> $username \n";
        }
    }
}

# Close the connection to the BackupDB

$queryobject->finish();

$dbobject->disconnect();

# Process collected data

my $count=0;

foreach my $ip ( keys %ipdb ) {

    if ( $ipdb{$ip} eq "null" ) {

        # ignore "null" entries - indicates user has policy key installed but has
        # not logged in through the web interface

    } else {

        if ( $debug eq "yes" ) {
            print "Processing $ip --> $ipdb{$ip}\n";
        }

        # Create the XML entries for this IP:Username pair
        $pa_uid_agent_1->add('login',$ipdb{$ip},$ip);
        $pa_uid_agent_2->add('login',$ipdb{$ip},$ip);
        $count++;

        if ( $count == $XMLSize ) {
            # Submit data to the agent in batches of $XMLSize
            $count=0;

            if ( $debug eq "yes" ) {
                print ">> Submitting batch to $server1\n";
            }

            $pa_uid_agent_1->submit();

            if ( $debug eq "yes" ) {
                print ">> Submitting batch to $server2\n";
            }

            $pa_uid_agent_2->submit();

        }
    }
}

# Submit any remaining entries

if ( $debug eq "yes" ) {
    print ">> Submitting final batch to $server1\n";
}

$pa_uid_agent_1->submit();

if ( $debug eq "yes" ) {
    print ">> Submitting final batch to $server2\n";
}

$pa_uid_agent_2->submit();

# Done
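As an added example (not part of the original post and not the script above), here is the script's row-handling logic expressed in Python over a handful of constructed clienthist rows, so two subtleties are visible before you run it against a real BackupDB: rows are consumed in transDate order and later rows overwrite earlier ones for the same IP, and a later "null" row (policy key installed, no web login) hides an earlier real login on that IP because "null" is only filtered at submit time. The row values, dates and usernames are made up; `today` is passed in as a string so the example runs offline.

```python
from datetime import datetime, timedelta

# Constructed sample rows in the shape the clienthist query returns:
# (transDate, currentIpAddress, principal). principal is "username,groups",
# may be empty, or may literally be "null".
SAMPLE_ROWS = [
    ("2012-06-21 23:59:00", "18.42.124.194", "olduser,students"),  # older than the 7-day window
    ("2012-06-29 09:18:24", "18.42.124.194", "jdoe01,students"),
    ("2012-06-29 09:18:26", "18.42.124.194", "jdoe01,students"),
    ("2012-06-29 09:19:18", "18.42.97.119",  "jdoe02,students"),
    ("2012-06-29 09:19:24", "18.42.97.119",  "jdoe07,staff"),     # IP reused: jdoe07 wins
    ("2012-06-29 09:00:00", "18.42.201.219", "jdoe99,students"),
    ("2012-06-29 09:20:19", "18.42.201.219", "null"),             # later "null" hides jdoe99
    ("2012-06-29 09:21:00", "18.42.201.220", ""),                 # no principal at all
    ("2012-06-29 09:22:00", "18.42.201.221", "jdoe31"),           # no group list
]


def _ts(s):
    """Parse a clienthist transDate value."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_ip_map(rows, today, reauth_days):
    """Return {ip: username} exactly as the Perl script would submit it.

    today: "YYYY-MM-DD" (stands in for CURDATE()); reauth_days: $safeconnect_reauth_time.
    """
    # WHERE DATE_SUB(CURDATE(), INTERVAL n DAY) <= transDate
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=reauth_days)
    pairs = {}
    # ORDER BY transDate ASC: process oldest first so the newest pairing overwrites
    for trans_date, ip, principal in sorted(rows, key=lambda r: _ts(r[0])):
        if _ts(trans_date) < cutoff:
            continue
        if not principal:                      # if ( $row[2] ) ... skip empty principal
            continue
        username = principal.split(",", 1)[0]  # ($username, $groups) = split(",", ...)
        pairs[ip] = username                   # $ipdb{$row[1]} = $username (overwrites)
    # "null" entries are skipped at submit time, not at collection time
    return {ip: user for ip, user in pairs.items() if user != "null"}


if __name__ == "__main__":
    for ip, user in sorted(build_ip_map(SAMPLE_ROWS, "2012-06-29", 7).items()):
        print(f"Processing {ip} --> {user}")
```

If you would rather keep the last real login when a "null" row follows it, skip "null" inside the loop instead of after it; the version above deliberately mirrors the script's behaviour so you can see the difference on the sample data.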

8) Run the script.  If everything is configured properly, you’ll see username:IP pairings being retrieved from your database and transmitted to the Palo Alto UserID agent boxes:

Found pairing:  2012-06-29 09:18:24 18.42.124.194 --> jdoe01
Found pairing:  2012-06-29 09:18:26 18.42.124.194 --> jdoe01
Found pairing:  2012-06-29 09:19:18 18.42.97.119 --> jdoe02
Found pairing:  2012-06-29 09:19:19 18.42.97.119 --> jdoe02
Found pairing:  2012-06-29 09:19:24 18.42.97.119 --> jdoe07
Found pairing:  2012-06-29 09:20:09 18.42.124.239 --> jdoe02
Found pairing:  2012-06-29 09:20:10 18.42.124.239 --> jdoe07
Found pairing:  2012-06-29 09:20:19 18.42.201.219 --> jdoe31
>> Submitting batch to pa-uid-agent-1.pskl.us
>> Submitting batch to pa-uid-agent-2.pskl.us

9) Check the Palo Alto UserID agent’s GUI.  Under the “Monitoring” tab, you’ll see the new entries appear.

10) Configure your Linux box to run the pa-uid-safeconnect.pl script periodically.  Once every four hours seems about right for an environment where users must re-authenticate once every seven days.  Adjust accordingly.

11) WIN!  Your Palo Alto firewall will now tag any applicable log entries with the corresponding username.

I hope this has been helpful.  Please leave any questions or comments in the forum below.


Integrate your Aruba Wireless User Data with your Palo Alto Firewall

by on Jun.27, 2012, under Code, Tutorials

The following script allows you to export Username:IP Address pairings from your Aruba Wireless Controller into your Palo Alto firewall.  This allows for super-fast identification of misbehaving clients and infected machines on your network.

Requirements:

  • A Palo Alto firewall and an Aruba Wireless controller (obviously)
  • A Linux box to run this script.
  • Two Windows servers.  If you’re an AD shop, just install these on any member server.

Setup:

1) Install the Palo Alto UserID Agent (download from the Palo Alto support site) on two member servers in your domain. The account you provide to the agent needs permission to read the event logs on the Domain Controllers. It must also have local administrator access to the box where it is installed.

2) Configure the Palo Alto UserID agent to accept incoming XML connections (Setup -> Edit -> Agent Service)

3) Configure the Access Control List of the PA User-ID Agent program to permit connections from your Linux box and your Palo Alto Firewalls. (Setup -> Access Control List -> Add). Be sure to permit ports 5006/TCP and 5007/TCP through any applicable firewalls as well.

4) Configure your Palo Alto firewalls to communicate with the UserID Agents. (From the WebUI, Device -> User Identification -> User-ID Agents). The port number is 5007.


5) Install the PAN::API Perl Module on your Linux box. On RHEL, you can drop it into /usr/lib/perl5/site_perl. The module is available for download from https://live.paloaltonetworks.com/docs/DOC-1662

6)  Copy the pa-uid-aruba.pl script to your Linux box:

#!/usr/bin/perl
#
# pa-uid-aruba.pl
# Rev 0.1
#
# Rev 0.2 - 7/2/12 - Removed double-backslash from posted usernames
#
# Collects username:IP pairings from your Aruba wireless controller(s) and loads the data
# into the Palo Alto Firewall's UserID agents.
#
# Requires the PAN::API PERL module and the snmpwalk binaries.
#
# NOTE:  The PAN::API module does not have proper error handling, and will die if an attempt is made to
# connect to a Palo Alto UserID agent box that is not responding.
#
# This script uses plain-text SNMP to extract data from your Aruba controller.  Be sure to
# use a secure, dedicated link between your management box and your controllers for this application.
#
# eric@pskl.us 06.27.12
#
#
use strict;
use warnings;

# Configuration Section #################################

# Aruba boxes
my @ArubaControllers=("aruba-master", "aruba-local");

# Credentials
my $ArubaCommunity="indiapaleale";

# Palo Alto Agents.

my $PA_UID_Agent_1="auth-1.bucknell.edu";
my $PA_UID_Agent_2="auth-2.bucknell.edu";

# Maximum number of submissions per session (100 seems to work well).
my $XMLSize=100;

# Set to 0 if you do not want debugging output.
my $debug=1;

# End of Configuration Section ###########################

use PAN::API;

my %users;
my $ArubaCount=0;

foreach my $switch ( @ArubaControllers ) {

    # Walk the user table on this controller; each returned line ends its OID with the
    # client's IP address and carries the username as a quoted STRING value.
    my @ArubaUsers=`/usr/bin/snmpwalk -v 2c -c $ArubaCommunity $switch 1.3.6.1.4.1.14823.2.2.1.4.1.2.1.3`;

    foreach my $line ( @ArubaUsers ) {

        if ( $line=~/\.(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) = STRING: "(.+)"/ ) {
            $users{$1}=$2;
            if ( $debug ) { print "From Aruba controller $switch:  $1 >> $2\n" };
            $ArubaCount++;
        }
    }

}

if ( $debug ) { print "Found $ArubaCount IP:Username pairings.\n" };

my $auth1=PAN::API::UID->new($PA_UID_Agent_1);
my $auth2=PAN::API::UID->new($PA_UID_Agent_2);

my $count=0;

foreach my $ip ( keys %users ) {

    # Collapse doubled backslashes in domain-style usernames (DOMAIN\\user -> DOMAIN\user)
    $users{$ip}=~s/\\\\/\\/g;
    $auth1->add('login',"$users{$ip}","$ip");
    $auth2->add('login',"$users{$ip}","$ip");

    $count++;

    if ( $count == $XMLSize ) {
        $count=0;

        if ( $debug ) {
            print "Submitting $XMLSize entries to the PA-UID Agent boxes\n"; }

        $auth1->submit();
        $auth2->submit();
    }

}

if ( $debug ) {
    print "Submitting the balance of the entries to the PA-UID Agent boxes\n"; }

$auth1->submit();
$auth2->submit();

# Fin
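An added example, not from the original post: the snmpwalk line matching and the batch-counting logic of the script above, written in Python and run over a few constructed snmpwalk lines so you can check what the regex keeps and drops without a controller in front of you. The OID prefix, IPs and usernames are made up to look like the script's expected input (including a domain-style username with the doubled backslash that Rev 0.2 collapses, and an empty STRING that the regex will not match). `plan_submissions` counts submits the same way the script does, which is why the sample run below shows five batches of 100 and then the balance, and why a final submit goes out even when the balance is zero.

```python
import re

# Constructed snmpwalk output in the form the script expects: the OID index ends
# in the client IP, and the value is the username as a quoted SNMP STRING.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.123.212 = STRING: "archer"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.101.12 = STRING: "CORP\\\\lana"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.122.47 = STRING: "carol"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.122.47 = STRING: "cheryl"
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.122.99 = STRING: ""
SNMPv2-SMI::enterprises.14823.2.2.1.4.1.2.1.3.10.6.116.131 = STRING: "seamus"
"""

# Same pattern as the Perl script: four dotted octets directly before " = STRING:",
# then at least one character between the quotes.
PAIR_RE = re.compile(r'\.(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) = STRING: "(.+)"')


def parse_walk(text):
    """Return {ip: username} from snmpwalk output, last match for an IP winning."""
    users = {}
    for line in text.splitlines():
        m = PAIR_RE.search(line)
        if not m:
            continue  # empty usernames, non-STRING values and other noise are skipped
        ip, user = m.group(1), m.group(2)
        user = user.replace("\\\\", "\\")  # s/\\\\/\\/g : DOMAIN\\user -> DOMAIN\user
        users[ip] = user                   # later rows overwrite earlier ones
    return users


def plan_submissions(pairs, batch_size):
    """List the size of each submit() the script would make for these pairs.

    Mirrors the loop: submit every batch_size adds, then one final submit for the
    balance, which happens even when nothing is left to send.
    """
    sizes = []
    count = 0
    for _ in pairs:
        count += 1
        if count == batch_size:
            sizes.append(count)
            count = 0
    sizes.append(count)  # "Submitting the balance of the entries"
    return sizes


if __name__ == "__main__":
    users = parse_walk(SAMPLE_WALK)
    for ip, user in users.items():
        print(f"From Aruba controller aruba-master:  {ip} >> {user}")
    print(f"Found {len(users)} IP:Username pairings.")
    print("Submission sizes:", plan_submissions(users.items(), 3))
```

Note that the script's `$ArubaCount` counts matched lines, not distinct IPs, so with the sample above it would report five pairings while only four reach the agents (10.6.122.47 is reported once, as cheryl).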

8) Run the script.  If everything is configured properly, you’ll see username:IP pairings being retrieved from your Aruba controllers and transmitted to the Palo Alto UserID agent boxes:

From Aruba controller aruba1:  10.6.123.212 >> archer
From Aruba controller aruba1:  10.6.101.12 >> lana

From Aruba controller aruba1:  10.6.122.47 >> carol
From Aruba controller aruba1:  10.6.122.47 >> cheryl
From Aruba controller aruba1:  10.6.122.61 >> cyril
From Aruba controller aruba1:  10.6.116.131 >> seamus
Found 548 IP:Username pairings.
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting 100 entries to the PA-UID Agent boxes
Submitting the balance of the entries to the PA-UID Agent boxes

9) Check the Palo Alto UserID agent’s GUI.  Under the “Monitoring” tab, you’ll see the new entries appear.

10) Configure your Linux box to run the pa-uid-aruba.pl script periodically.  Once every 30-60 minutes works well.

11) WIN!  Your Palo Alto firewall will now tag any applicable log entries with the corresponding username.

I hope this has been helpful.  Please leave any questions or comments in the forum below.


Dual Booting Windows 7 w/Bitlocker and BackTrack Linux 5. (You SAID WHAT?)

by on Apr.05, 2012, under Security, Tutorials, Whining

Recently, due to laptop thefts at work and the risk of Personally Identifiable Information (PII) loss, I had to make the difficult choice to start a project to force encrypt our user laptops.  So, due to “what do we already own?” , I chose Microsoft Bitlocker for the Windows 7 computers, and FileVault for the Macintosh OSX 10.7 computers.

That seems fine; however, one “snag”…   I use a dual-boot Backtrack 5 and Windows 7 machine DAILY at work.  So, being the kind of guy who lives by the rule “Don’t give an order that you’re not willing to follow yourself”, I had to figure out how to encrypt my Windows side and still boot Backtrack 5.

I got it to work.  It was painful.

Take a second to re-read that.  Yes, it works, and yes, it caused me pain to make it work.

So, here are the steps I used to make this work:

Step 1: Wipe the drive.  (you should have backed it up if you needed to save something…  I shouldn’t have to tell you that.)

Step 2: Create a partition for the Win7 to be housed.  Make it the first partition.  Leave unallocated space for BackTrack.  (I left 30 gigs for backtrack…  you probably want more, I have a lot of scripts that always put captured data on something external that I mount and encrypt with Truecrypt…)

Step 3: Install Windows7 (or dump your standard image) to that partition.  Mine created a 100MB boot thing before the windows 7 partition, let it do whatever it wants to do, except use that unallocated space you already saved for Backtrack.

Step 4: Boot Windows 7 and test.   Make sure Windows 7 works first! (Well, functions as well as one could expect for Windows)

Step 5: In Windows, run this command from a command prompt: "%windir%\System32\BdeHdCfg.exe" -target default  (this command preps the drive for Bitlocker.)

Step 6: Encrypt the drive via Bitlocker with your pin.  (record the recovery key.  this is the single most important long string of numbers you’ll ever deal with in Windows. Preserve it, protect it.  This key is your life, young padawan…)

Step 7: When it’s done, Boot Windows 7 and test.   Make sure Windows 7 still works!  (Well, functions as well as one could expect for Windows)

Step 8: Pause Bitlocker.   I turned it off.  (this seems to make no sense, but I had a problem testing this that if I tried to encrypt the drive after installing Linux, forget it, it died.)

Step 9: Boot Backtrack 5 DVD/USB key.

Step 10: Install backtrack 5 to that new unallocated partition.   I configured /dev/sda3 as my /boot partition and /dev/sda5 as my root and /dev/sda6 as my swap.  /dev/sda1 was the windows 7 boot partition and /dev/sda2 was my windows 7 system partition)

Step 11: make sure when you install grub, you install it to /dev/sda3.   DO NOT PUT IT IN THE MBR or /dev/sda or /dev/sda1.  If you do, you just screwed yourself.

Step 12: This will only boot to Windows 7 still.   Grab BCDEDIT for windows, and add a boot option to boot linux on /dev/sda3.

Step 13:  Boot Windows 7 and test.   Make sure Windows 7 still works! (Well, functions as well as one could expect for Windows)

Step 14: Boot Backtrack 5 from the windows boot menu.  it should shell to grub, boot it.  Make sure Backtrack 5 works.

Step 15: Boot Windows 7 and turn Bitlocker back on.   (record the recovery key.  this is the single most important long string of numbers you’ll ever deal with in Windows. Preserve it, protect it.  This key is your life, young padawan…)

Step 16: It should present you the windows 7 boot menu, where option 1 is Windows 7 and option 2 is Backtrack Linux then it should now prompt you for your Bitlocker pin.

I can’t stress two things enough: #1) this took me weeks of wiping the drive to figure out.  Don’t be shocked if you have to tweak the steps for your specific situation.  #2) that recovery key is the most important thing in this process…

a few notes: (things that make you go Hmmmm…)
1) It asks you to pick which OS first, then prompts you to enter your Bitlocker pin…   You can’t boot linux unless you unlock bitlocker first.  Not sure why, but I’ll call it an “added feature!”  Remember, the linux side is NOT ENCRYPTED!   That means don’t be an *idiot* what you store there, assume it’s accessible if someone takes your laptop.
2) After you update-grub, plan on having your recovery password around for Bitlocker…  it always keeps asking me for it after I update grub, even though it’s installed to the /boot partition. (/dev/sda3 in my case)  Don’t leave your recovery key in your laptop bag, because that defeats the purpose of encrypting it, duh. I can’t stress that enough. The whole “point” is to protect the windows side in case anyone takes your laptop from getting any useful info off it….  Don’t forget the goal while you’re having so much fun messing with this nightmare.

–Bill (General Major Webelo Captain Zapp Brannigan)


Harbor Freight Auto-Darkening Solar Welding Helmet Repair

by on Sep.26, 2011, under Tutorials

A little over a year ago, I purchased one of Harbor Freight’s auto-darkening welding helmets.  For $50, it’s a great deal.


Unfortunately, after less than a year of use, it simply stopped working.  Somewhat ironically, the way you find out that your helmet has stopped working is by getting a flash burn in your eyes when you weld using a broken helmet.

One of the guys in my welding class mentioned that there are batteries in the helmet which can go bad over time.  Batteries in a solar-powered helmet?  Clearly this guy was nuts — but I thought I’d check it out anyway.

Turns out, he wasn’t crazy.  There are two CR2330 coin cells soldered directly to the main circuit board inside of the unit:

Checking the batteries with my voltmeter, I quickly discovered that one of them was completely dead.  The other battery was still putting out a solid 3VDC.

Since soldering in batteries every time they go dead is not exactly a user-friendly solution, I decided to replace them with AAA’s.  Here’s the procedure.

1)  Remove the darkness adjustment knob by gently prying it off with a screwdriver.  Un-screw the plastic nut which holds the unit in place.

2)  Remove the clear plastic shield from the front of the helmet, and then gently remove the electronics assembly by unhooking the retaining spring.

3)  Use a utility knife to pop open one corner of the enclosure.  Work your way around the circumference with a screwdriver, breaking apart the plastic weld, until the cover can be removed.

4) Mark the locations of the (+) and (-) of each coin cell.  Using your desoldering braid, remove the coin cells.

5)  Go to Radio Shack and buy two AAA battery holders.  I used these:


6)  Solder one AAA holder in place of each of the coin cells that you removed.  Be sure to observe polarity.


7)  Using the shaft of your soldering iron, melt a hole in the side of the enclosure so that the wires from the battery holders can exit.  You’ll also want to melt a corresponding hole in the cover.

8)  Mix up some 2-part epoxy, and epoxy the wires to the enclosure.  This step probably is not necessary, but I don’t want to burn my eyeballs again.


9) Wait for the epoxy to dry.  Take this opportunity to clean all the viewing windows with Windex and a lint-free cloth, then  reassemble the unit.  There are four friction pins which seem to hold everything together just fine.


10)   Re-install the electronics housing into the helmet.  Re-attach the darkness adjustment dial.

11)  Glue the two AAA holders to the inside of the helmet.  I initially used the same epoxy that I used to hold the wires in place, but it didn’t bond to either the plastic of the helmet or the plastic in the battery holders.  I ended up using my hot glue gun, which worked very well.


12)   Install four AAA batteries, and then test your helmet.  I found – quite by accident – that the helmet will darken when you look at a halogen light bulb.

13)  Go weld stuff.

Good luck with your repair!

~Eric


Backtrack 5 is out! Do you get a kernel panic when you startx? The FIX is here!

by on May.18, 2011, under Hardware, Security, Tutorials, Whining

So, being someone who uses Backtrack daily for my career, I routinely make sure I’m current with Backtrack.  So Backtrack 5 is out, I went and grabbed the x64 KDE version, backed up my PSKL directory on BT4R2, and blew it away…

First thing, startx didn’t load from the DVD until I removed some cache files…
rm /root/.kde/cache-root/icon-cache.kcache
rm /root/.kde/cache-root/plasma_theme_Volatile.kcache
rm /root/.kde/cache-bt/icon-cache.kcache
rm /root/.kde/cache-bt/plasma_theme_Volatile.kcache

So finally startx loaded and I was able to use the graphical installer to install it to my hard drive on my laptop.

When I rebooted, I did startx, and got a kernel panic (blinking caps lock light).   So I’m like, “M’kay, x64 kde is borked…” so I grabbed x64 gnome, repeat process, same things, x32 gnome, repeat process, same thing.  ok, it’s NOT borked, I’m just not doing it right.

so I searched and searched, found nothing immediately useful.  (I could bore the heck out of anyone with some of the searches I did to get at this one…)

Finally, I found this kernel parameter: i915.modeset=1

they should rename that to “setbrokentofixed=1”

So, put that at the end of your GRUB_CMDLINE_LINUX_DEFAULT in your /etc/default/grub and update-grub!

Boom, I appended that and now startx works and I can enjoy the BT5 goodness…   Now I just gotta configure my metasploit account on there and put my pskl directory back with all our awesome scripts.

Enjoy BackTrack 5!

Update (June 15th 2011): Talking with a few others, including the great comments here, you might need this line in your /etc/default/grub.
Alternative line from Daveonator:
GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791 i915.modeset=1"
then update-grub.

Try it, and let us know.
