Saturday, June 27, 2015

Hashing Algorithms

I managed to pass the CompTIA Security+ a couple of days ago and got excited to check out the CompTIA certification portal the following day, but my info wasn't updated yet. It was reflected when I checked today, and I was able to make some updates in order to activate the shipment of my hard copy cert. I downloaded my PDF cert and also noticed that my Security+ logo had a "ce" on it, which designates Continuing Education (CE). This means I have to go through their renewal program (every 3 years) in order to extend my cert. CompTIA changed its Good for Life (GFL) certification policy in January 2011.



CompTIA's CE is similar to Cisco's 3-year cert policy but with a twist. The major difference is that CompTIA allows you to pay an annual fee (USD 49), or pay 3x the amount in order to obtain a 3-year extension, plus you'll need to obtain a minimum number of CE points by earning non-CompTIA certs (Cisco, Juniper, EC-Council, etc.), teaching, or attending seminars and conferences. The number of CE points required varies and depends on which cert you're trying to renew.


This is what the CompTIA certification portal looks like when they've updated your certification history.





Below is one of the cryptography topics, followed by a practical example using a file published on an IT vendor's website.

The hashes used to store data, such as hash tables, are very different from cryptographic hashes. In cryptography, a hash function must have three characteristics:

* It must be one-way. This means that it is not reversible. Once you hash something, you cannot unhash it.

* Variable-length input produces fixed-length output. This means that whether you hash two characters or two million, the hash size is the same.

* The algorithm must have few or no collisions. This means that hashing two different inputs does not give the same output.

The following is a list of hashing algorithms:

Secure Hash Algorithm - The Secure Hash Algorithm (SHA) was designed to ensure the integrity of a message. SHA is a one-way hash that provides a hash value that can be used with an encryption protocol. This algorithm produces a 160-bit hash value. SHA-2 has several sizes: 224, 256, 334, and 512 bit. SHA-2 is the most widely used, but SHA-3 has been released. Although SHA-3 is now standard, there simply are no known issues with SHA-2, so it is still the most widely used and recommended hashing algorithm. The SHA-3 algorithm was originally named Keccak and was designed by Guido Bertoni, Joan Daemen, Michael Peeters and Gilles Van Assche.

Message Digest Algorithm - The Message Digest Algorithm (MD) also creates a hash value and uses a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2. MD4 was used by NTLM (discussed in a moment) to compute the NT Hash.

MD5 is the newest version of the algorithm. It produces a 128-bit hash, but the algorithm is more complex than its predecessors and offers greater security. Its biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use. SHA (1 or 2) are the recommended alternatives.

RIPEMD - The RACE Integrity Primitives Evaluation Message Digest (RIPEMD) algorithm was based on MD4. There were questions regarding its security, and it has been replaced by RIPEMD-160, which uses 160 bits. There are versions in existence that use 256 and 320 bits (RIPEMD-256 and RIPEMD-320, respectively), but all versions of RIPEMD remain.

GOST - GOST is a symmetric cipher developed in the old Soviet Union that has been modified to work as a hash function. GOST processes a variable-length message into a fixed-length output of 256 bits.

LANMAN - Prior to the release of Windows NT, Microsoft's operating systems used the LANMAN protocol for authentication. While functioning only as an authentication protocol, LANMAN used LM Hash and two DES keys. It was replaced by the NT LAN Manager (NTLM) with the release of Windows NT.

NTLM - Microsoft replaced the LANMAN protocol with NTLM (NT LAN Manager) with the release of Windows NT. NTLM uses MD4/MD5 hashing algorithms. Several versions of this protocol exist (NTLMv1, NTLMv2), and it is still in widespread use despite the fact that Microsoft has pointed to Kerberos as being its preferred authentication protocol. Although LANMAN and NTLM both employ hashing, they are used primarily for the purpose of authentication.

The file's MD5 checksum (or hash), 5312e73d73c3accd99d2c1ee13d2448d, which is publicly published on Cisco's website (as it is by most software vendors), is the same as the one generated by the online MD5 hash generator. This means the file wasn't modified or altered during transit (or download).




If we change the length or add some characters, the generated hash is completely different.
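As an added example (my own code, not from the study guide or from Cisco), the following Python shows the three properties above and the checksum check just described: it hashes constructed sample inputs in place of the ASA image, confirms the digest length is the same for a two-byte and a two-megabyte input, counts how much of the digest changes when a single byte changes, compares a computed digest against a vendor-published value in constant time, and reports the output size of each SHA-2 variant. Function names and the sample inputs are my own. One practitioner's caveat: a hash published on the same page as the download only catches corruption in transit; someone able to replace the file on the server can usually replace the hash too, so a vendor signature or a hash obtained out of band is the stronger check.

```python
import hashlib
import hmac

# Constructed sample inputs standing in for downloaded files of very different
# sizes (the real ASA image is not reproduced here).
SAMPLES = {
    "two-bytes": b"ab",
    "short": b"abc",
    "two-megabytes": b"A" * 2_000_000,
}

CHUNK = 1 << 20  # hash in 1 MiB pieces so the same code handles large files


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string using any hashlib algorithm."""
    h = hashlib.new(algorithm)
    for start in range(0, len(data), CHUNK):
        h.update(data[start:start + CHUNK])
    return h.hexdigest()


def digest_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file on disk, read in chunks (for real downloads)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the computed digest with a vendor-published one.

    compare_digest avoids leaking, through timing, how many leading characters
    matched; case and surrounding whitespace in the published value are ignored.
    """
    computed = digest_hex(data, algorithm)
    return hmac.compare_digest(computed, published_hex.strip().lower())


def output_lengths(algorithm: str) -> set:
    """Fixed-length output: the set of hex-digest lengths over all samples."""
    return {len(digest_hex(d, algorithm)) for d in SAMPLES.values()}


def changed_hex_positions(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """How many hex positions differ between the digests of two inputs."""
    da, db = digest_hex(a, algorithm), digest_hex(b, algorithm)
    return sum(x != y for x, y in zip(da, db))


def sha2_output_bits() -> dict:
    """Output size in bits of each SHA-2 variant available in hashlib."""
    return {name: hashlib.new(name).digest_size * 8
            for name in ("sha224", "sha256", "sha384", "sha512")}


if __name__ == "__main__":
    print("md5 digest lengths:", output_lengths("md5"))
    print("sha256 digest lengths:", output_lengths("sha256"))
    print("md5 of 'abc':", digest_hex(b"abc", "md5"))
    print("hex positions changed, 'abc' -> 'abd' (sha256):",
          changed_hex_positions(b"abc", b"abd"))
    print("SHA-2 output sizes:", sha2_output_bits())
```

For a real image, call digest_file("path/to/asa-image.bin", "md5") and compare the result with the value on the vendor's download page using verify_download's compare_digest logic; a single differing byte in the file, as with the extra characters in the screenshot above, changes roughly half of the digest.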



Saturday, June 20, 2015

Host Software Baselining

I appreciate the topics in CompTIA Security+ to the point that every time I deal with a computer network, security is always on my mind. The course outlines all the best practices from end hosts (i.e. servers and mobile devices), through the network layer devices (routers and firewalls), up to the application level. There's a line in the book that says, "The entire network is only as strong as the weakest host." The focus is on keeping every host's OS and patches updated in terms of malware protection and baseline.

One of the first steps in developing a secure environment is to develop a baseline of the minimum security needs of your organization. A security baseline defines the level of security that will be implemented and maintained. You can choose to set a low baseline by implementing next to no security, or a high baseline that doesn't allow users to make any changes at all to the network or their systems. In practice, most implementations fall somewhere between these two extremes; you must determine what is best for your organization.

A security baseline, which can also be called a performance baseline, provides the input needed to design, implement, and support a secure network. Developing the baseline includes gathering data on the specific security implementation of the system with which you'll be working. Microsoft Baseline Security Analyzer is a free tool that can be downloaded and run on Windows to create security reports and scan for errors.

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
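As an added example of what "gathering data on the system and comparing it with the baseline" looks like in code (my own illustration, not MBSA output and not from the study guide), the Python below holds a small constructed baseline of minimum settings and two constructed host snapshots, then reports every deviation per host. The setting names, dates and service names are made up for the illustration; an unreadable setting is deliberately reported as a finding rather than silently passed.

```python
from datetime import date

# Constructed security baseline: the minimum the organization will accept.
# Keys and values are illustrative, not a real vendor benchmark.
BASELINE = {
    "min_patch_date": date(2015, 6, 1),        # newest approved update level
    "required_settings": {
        "firewall_enabled": True,
        "automatic_updates": True,
        "guest_account_enabled": False,
        "min_password_length": 12,             # numeric settings are minimums
    },
    "forbidden_services": {"telnet", "ftp"},   # cleartext services not allowed
}

# Constructed host snapshots, shaped like what an inventory tool might collect.
HOSTS = {
    "fileserver01": {
        "last_patch_date": date(2015, 6, 10),
        "settings": {
            "firewall_enabled": True,
            "automatic_updates": True,
            "guest_account_enabled": False,
            "min_password_length": 14,
        },
        "services": {"smb", "rdp"},
    },
    "laptop07": {
        "last_patch_date": date(2015, 3, 15),
        "settings": {
            "firewall_enabled": False,
            "automatic_updates": True,
            # guest_account_enabled is missing: the collector could not read it
            "min_password_length": 8,
        },
        "services": {"smb", "telnet"},
    },
}


def check_host(snapshot: dict, baseline: dict) -> list:
    """Return a list of finding strings; an empty list means the host complies."""
    findings = []
    if snapshot["last_patch_date"] < baseline["min_patch_date"]:
        findings.append(
            f"patch level {snapshot['last_patch_date']} is older than baseline "
            f"{baseline['min_patch_date']}")
    for key, required in baseline["required_settings"].items():
        actual = snapshot["settings"].get(key)
        if actual is None:
            # Unknown is not compliant: report settings the collector could not read.
            findings.append(f"setting {key} could not be read")
        elif isinstance(required, bool):   # bool check first, since bool is an int
            if actual != required:
                findings.append(f"setting {key} is {actual}, baseline requires {required}")
        elif actual < required:
            findings.append(f"setting {key} is {actual}, baseline minimum is {required}")
    for svc in sorted(snapshot["services"] & baseline["forbidden_services"]):
        findings.append(f"forbidden service {svc} is running")
    return findings


def assess(hosts: dict, baseline: dict) -> dict:
    """Map each host name to its list of findings."""
    return {name: check_host(snap, baseline) for name, snap in hosts.items()}


if __name__ == "__main__":
    for host, findings in assess(HOSTS, BASELINE).items():
        status = "COMPLIANT" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

The report is only as good as the snapshot: the numbers here are typed in by hand, whereas a real baseline process feeds in the output of a scanner such as MBSA or a configuration-management agent, and the "could not be read" branch is what keeps a collection failure from being mistaken for compliance.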








Saturday, June 13, 2015

Everything About CompTIA Security+ (SY0-401)

I took yet another detour from my CCNP Security journey and recently completed the CompTIA Security+ course. I missed learning in a classroom-type environment and interacting with the instructor and classmates who are also working in the IT field. The last time I enrolled in an IT course was exactly 10 years ago, when I took the Cisco Networking Academy Program (CNAP) for my CCNA R/S.


The CompTIA Security+ is a vendor-neutral certification and generally focuses on IT security concepts and best practices. It also gives a good foundation and introduction for Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP). A more detailed introduction and the course objectives/syllabus are found at this link. Previously you could be Good-for-Life (GFL) A+, Network+ or Security+ certified, but now you'll need to re-certify by passing the current version/exam, or by paying an annual fee (around USD 49), enrolling in their Continuing Education (CE) program and earning at least 50 points. Taking Security+ renews your Network+, but not the other way around.

Everything about Security+ SY0-401 is summed up here and in this video. I've already finished reading both the study guides from Dulaney/Easttom and Gibson and have scheduled the exam after getting the exam voucher, which is bundled together with my course (it saved me a whopping SGD 485 / USD 302 exam fee). Creating the CompTIA exam account (when you choose Create account) on the Pearson VUE website will tag it to your Cisco exam profile if you have one. It will take the Cisco ID as your username. You'll also get a unique CompTIA ID after several days (it will initially show as Pending), and then you can proceed to schedule the exam afterwards.


The CompTIA profile on the Pearson VUE portal is different from the one on the actual CompTIA website. The CompTIA certification profile on its website helps track your exam history, and it's the portal where you give your shipping address to get the actual cert. Just click on Never logged in before and provide the email address for CompTIA to send a link with further instructions. You'll need a CompTIA ID before proceeding.


Monday, June 1, 2015

ASA File System and bootvar Command

I was preparing a brand new Cisco ASA 5525-X firewall for one of our clients. The first thing I always check is the preloaded ASA image on the device. We've had prior ASAs with 8.6 code, but now we're getting 9.1. When I checked the 9.1(2) code, there were reviews (which are great, by the way) on Cisco's download site saying there were bugs found in this code, so I proceeded to download a more stable release, 9.1(6).



Instead of configuring a /30 IP address on the ASA and my PC and doing the usual TFTP (or FTP) transfer, I conveniently took out my USB flash drive, copied the new image to it and inserted it into the ASA's USB slot. There are 2 USB slots below the MGMT port and right beside the CONSOLE port. I used the copy command to transfer the image to disk0:, then pointed the ASA at the new code with the boot system command and removed the old 9.1(2) entry, so that only the new image remains in the BOOT variable. I finally saved the configuration and reloaded the ASA for the new code to take effect.


ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)

ciscoasa# dir ?

  /all             List all files
  /recursive       List files recursively
  all-filesystems  List files on all filesystems
  disk0:           Directory or file name      // a.k.a FLASH
  flash:           Directory or file name
  system:          Directory or file name
  <cr>
ciscoasa# dir ?

  /all             List all files
  /recursive       List files recursively
  all-filesystems  List files on all filesystems
  disk0:           Directory or file name
  disk1:           Directory or file name     // USB SLOT 1
  flash:           Directory or file name
  system:          Directory or file name
  <cr>
ciscoasa# dir disk1:

Directory of disk1:/

142    -rwx  62682268     12:04:58 Mar 29 2012  c2900-universalk9-mz.SPA.150-1.M4.bin
143    -rwx  21890692     13:15:44 May 26 2012  c870-advipservicesk9-mz.124-24.T4.bin
144    -rwx  310347344    12:52:10 Feb 04 2015  cat3k_caa-universalk9.SPA.03.07.00.E.152-3.E.bin
145    -rwx  38172672     10:01:48 May 21 2015  asa916-4-smp-k8.bin

2013200384 bytes total (1192165376 bytes free)
ciscoasa# copy ?

  /noconfirm      Do not prompt for confirmation
  /pcap           Raw packet capture dump
  capture:        Copyout capture buffer
  cluster_trace:  Copy from cluster_trace: file system
  disk0:          Copy from disk0: file system
  disk1:          Copy from disk1: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  http:           Copy from http: file system
  https:          Copy from https: file system
  running-config  Copy from current system configuration
  smb:            Copy from smb: file system
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tftp:           Copy from tftp: file system
ciscoasa# copy disk1:asa916-4-smp-k8.bin ?

  cluster:        Copy to cluster: file system
  disk0:          Copy to disk0: file system
  disk1:          Copy to disk1: file system
  flash:          Copy to flash: file system
  ftp:            Copy to ftp: file system
  running-config  Update (merge with) current system configuration
  smb:            Copy to smb: file system
  startup-config  Copy to startup configuration
  system:         Copy to system: file system
  tftp:           Copy to tftp: file system

ciscoasa# copy disk1:asa916-4-smp-k8.bin disk0:

Source filename [asa916-4-smp-k8.bin]?

Destination filename [asa916-4-smp-k8.bin]?

Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

<OUTPUT TRUNCATED>

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

CCCC
Writing file disk0:/asa916-4-smp-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!
38172672 bytes copied in 19.430 secs (2009088 bytes/sec)

ciscoasa# dir flash:

Directory of disk0:/

10     drwx  4096         08:09:48 Apr 14 2015  log
20     drwx  4096         08:10:14 Apr 14 2015  crypto_archive
21     drwx  4096         08:10:24 Apr 14 2015  coredumpinfo
108    -rwx  38191104     08:13:30 Apr 14 2015  asa912-smp-k8.bin
109    -rwx  18097844     08:15:36 Apr 14 2015  asdm-713.bin
149    -rwx  38172672     19:12:25 May 20 2015  asa916-4-smp-k8.bin  
110    -rwx  12998641     08:20:18 Apr 14 2015  csd_3.5.2008-k9.pkg
111    drwx  4096         08:20:18 Apr 14 2015  sdesktop
112    -rwx  6487517      08:20:20 Apr 14 2015  anyconnect-macosx-i386-2.5.2014-k9.pkg
113    -rwx  6689498      08:20:22 Apr 14 2015  anyconnect-linux-2.5.2014-k9.pkg
114    -rwx  4678691      08:20:24 Apr 14 2015  anyconnect-win-2.5.2014-k9.pkg

8238202880 bytes total (8112111616 bytes free)

ciscoasa# show bootvar

BOOT variable = disk0:/asa912-smp-k8.bin
Current BOOT variable = disk0:/asa912-smp-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =

ciscoasa# configure terminal
ciscoasa(config)# boot system disk0:/asa916-4-smp-k8.bin
ciscoasa(config)# show bootvar

BOOT variable = disk0:/asa912-smp-k8.bin
Current BOOT variable = disk0:/asa912-smp-k8.bin;disk0:/asa916-4-smp-k8.bin   // REMOVE 9.1(2)
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa(config)# no boot system disk0:/asa912-smp-k8.bin
ciscoasa(config)# show bootvar

BOOT variable = disk0:/asa912-smp-k8.bin
Current BOOT variable = disk0:/asa916-4-smp-k8.bin  
CONFIG_FILE variable =
Current CONFIG_FILE variable =

ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 1b4d1965 442beae6 63ff0698 b826c1f3

3000 bytes copied in 0.660 secs
[OK]
ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down License Controller
Shutting down File system



***
*** --- SHUTDOWN NOW ---
Process shutdown finished


<OUTPUT TRUNCATED>


ciscoasa> show version       

Cisco Adaptive Security Appliance Software Version 9.1(6)4  
Device Manager Version 7.1(3)