Archive

Posts Tagged ‘work’

Interacting With the Cisco ASA CLI Using the HTTPS Interface

December 5th, 2012

Most people are familiar with pulling captures off an ASA over HTTPS, but every CLI mode is available through a browser. There are plenty of handy practical situations where you’d want to do this, including simply avoiding a steaming pile of Java. Below is the simplest way both to show off how this works and to demonstrate one of the better use cases:

https://x.x.x.x:port/exec/show run

Just drop in the IP address and port you’d normally use to access HTTPS/ASDM on your ASA. Leave the spaces in the command; the browser will %20-encode them and the ASA decodes them on the other end. An HTTP basic auth prompt will pop up. Enter the credentials you’d normally use for HTTPS/ASDM access (they are protected only by the TLS session, which is one more reason not to click through certificate warnings on management connections). You will be greeted by a web page containing nothing but the “show run” output. This is even more useful with incredibly verbose things like “show conn” or “show tech”. No more ASCII transfers in SecureCRT, or worrying about a right-click auto-pasting the whole output back into PuTTY by mistake. It saves a ton of time if you’re like me and use screen or tmux with pretty much every session, since getting verbose output out of a tmux/screen session can be awful. Another great use:

https://x.x.x.x:port/exec/packet-tracer input inside icmp 192.168.254.254 8 0 8.8.8.8 detail

The above came up recently in IRC, and I find it to be a particularly good use case for direct HTTPS interaction. With packet-tracer, especially with detailed output, I tend to need to correlate different parts of the output, and a web browser is a much more convenient place to Ctrl+F or scroll around than a terminal.

As I mentioned up top, every CLI mode I can think of is available via the HTTPS interface, including config mode. Let’s say you’re on a machine in a freshly provisioned DMZ, and you need to get into the ASA and tweak some ACL settings or something, but the ticket monkeys forgot to include SSH access in your change request. Assuming you’re cool enough not to have to wait for a new change request to go through, you could do this:

https://x.x.x.x:port/exec/ssh 192.168.254.254 255.255.255.255 DMZ1

Note that “exec” is still there; it doesn’t change to “config” like you might expect. The flip side is worth remembering: anyone who can authenticate to ASDM can change the configuration from a browser, so the “http <address> <mask> <interface>” statements that restrict HTTPS management access deserve the same scrutiny as the “ssh” ones. Using config mode this way will obviously be a corner case, but it can come in handy nonetheless. I’ve used it a few times to enable telnet temporarily when I hit the “it says I’ve used all 5 SSH connections but none are actually in use” bug, where SSH sessions become orphaned until none are available for actual use (CSCts72188 I believe, but I could be wrong; bug details on that ID are currently unavailable).

There are a couple of caveats. Normally you type the command exactly as you would at the CLI. But sub-config modes and commands that contain a slash work a little differently over HTTPS, because the slash is the URL path delimiter. To enter a sub-config mode such as interface configuration, separate the CLI lines with a slash in the address bar instead of a space (one path segment per CLI line), and to send a literal slash, write “%2F” instead:

https://x.x.x.x:port/exec/interface Ethernet0%2F0/security-level 100

So, the above is the equivalent of issuing the following at the actual CLI:

interface Ethernet0/0
security-level 100

One of the coolest uses for accessing the CLI over HTTPS is scripting. You can use it from a Linux shell or in scripts to pull periodic output from something like “show perfmon”, or from cron jobs to grab output from the box without fumbling with expect scripts. Note that in this case you’ll probably have to specify the credentials inline, which is irresponsible: anything on the command line lands in your shell history and is visible in ps output to every user on the box while the command runs. Storing them in a script keeps them out of your history file, but not out of the process list while lynx runs. So be careful which systems you run scripts like this from.

lynx -auth=username:password --source "https://x.x.x.x:port/exec/show ver"

Using “--source” here allows for use of CLI pipes and redirects, or inclusion in loops:

while true ; do lynx -auth=username:password --source "https://x.x.x.x:port/exec/show perfmon" ; sleep 1 ; done

It’s probably safest to store auth creds in a script under /root/scripts/ or somewhere similar, with permissions (mode 0700, say) that keep the unwashed public from reading it without first pwning the box. A simple script like the one below will do the trick in most cases, using $1 to let you specify the command you want to run as a command line argument:

#!/bin/bash
# Run one ASA CLI command over HTTPS; $1 is the command (a literal slash still has to be written as %2F)
lynx -auth=username:password --source "https://x.x.x.x:port/exec/$1"

Used as such:

[0][root@iggmcp:/root/scriptss]# ./asa_https.sh "show int ip brief"
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 X.X.X.X YES CONFIG up up
Ethernet0/1 unassigned YES unset up up
---SNIP---

Still have to use %2F in place of the slash character:

[0][root@iggmcp:/root/scriptss]# ./asa_https.sh "show int eth0%2F0"
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
---SNIP---
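Pulling the scripting idea and the slash/%2F rule together, here is an added example (mine, not code from the original post or from Cisco) of a small POSIX shell script that builds the URL path for you: each argument is one CLI line, every byte outside the URL-unreserved set is percent-encoded (so a literal slash becomes %2F and a space becomes %20), and the lines are joined with “/” to step into sub-config modes the way the post describes. It fetches with curl instead of lynx so the credentials can come from a mode-0600 netrc file rather than the command line, and it verifies the ASA’s certificate against a saved copy instead of ignoring it. The ASA_HOST, ASA_PORT, ASA_NETRC and ASA_CACERT variables and the asa_* function names are this example’s own assumptions; the /exec/ path and the %2F behaviour are from the post.

```shell
#!/bin/sh
# Added example: drive the ASA's HTTPS /exec/ interface from a script without
# putting credentials on the command line. Not Cisco's code and not the post's.
# Assumed environment (names are this example's own):
#   ASA_HOST   IP/hostname used for ASDM         (required to actually send)
#   ASA_PORT   HTTPS port, default 443
#   ASA_NETRC  mode-0600 file: "machine <ASA_HOST> login <user> password <pass>"
#   ASA_CACERT PEM copy of the ASA's certificate, so curl can verify it
LC_ALL=C
export LC_ALL

# Percent-encode one CLI line: every byte outside RFC 3986 "unreserved"
# (A-Z a-z 0-9 - . _ ~) becomes %XX. A literal "/" therefore becomes %2F,
# which is what the ASA needs, since "/" in the path separates CLI lines.
asa_encode_line() {
    enc_in=$1
    enc_out=''
    while [ -n "$enc_in" ]; do
        enc_rest=${enc_in#?}               # everything after the first char
        enc_c=${enc_in%"$enc_rest"}        # the first char itself
        case $enc_c in
            [A-Za-z0-9._~-]) enc_out="$enc_out$enc_c" ;;
            *) enc_out="$enc_out$(printf '%%%02X' "'$enc_c")" ;;
        esac
        enc_in=$enc_rest
    done
    printf '%s\n' "$enc_out"
}

# Build the URL path: one argument per CLI line, joined with "/", so that
#   asa_build_path 'interface Ethernet0/0' 'security-level 100'
# yields exec/interface%20Ethernet0%2F0/security-level%20100
asa_build_path() {
    bp_path=''
    for bp_line in "$@"; do
        bp_enc=$(asa_encode_line "$bp_line")
        if [ -z "$bp_path" ]; then
            bp_path=$bp_enc
        else
            bp_path="$bp_path/$bp_enc"
        fi
    done
    printf 'exec/%s\n' "$bp_path"
}

# Send the command(s). Credentials come from the netrc file, so they never
# appear in shell history or in ps output; the ASA's (usually self-signed)
# certificate is verified against a saved copy instead of being ignored.
asa_run() {
    run_path=$(asa_build_path "$@")
    curl --silent --show-error --fail \
         --netrc-file "${ASA_NETRC:-$HOME/.asa_netrc}" \
         --cacert "${ASA_CACERT:-$HOME/.asa_cert.pem}" \
         "https://$ASA_HOST:${ASA_PORT:-443}/$run_path"
}

# Only talk to a firewall when a target is configured and commands were given,
# e.g.  ASA_HOST=192.0.2.1 ./asa_https.sh 'show int eth0/0'
if [ -n "${ASA_HOST:-}" ] && [ "$#" -gt 0 ]; then
    asa_run "$@"
fi
```

The netrc “machine” field has to match ASA_HOST exactly (curl matches on the host name, without the port), and the file is only as private as its mode and the root account on the box, so the post’s warning about which systems you run this from still stands. Encoding spaces ourselves rather than leaving them in the URL simply does explicitly what the browser did implicitly in the earlier examples.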

Credit here goes to Magnus Mortensen via the Cisco TAC Security Podcast, episode 18, which is surprisingly good for a vendor podcast. I recommend it for those awful moments when you realize you’re caught up on Packet Pushers but still need more audio nerd-kibble to keep your brain going.

Crossposted from my article at Packet Pushers


Attn – Media, unwashed masses: Stop saying “cyber”

October 24th, 2011

As the title says, please stop saying “cyber”. It means nothing. More specifically, what it does mean is “blah blah networks and/or security”, which in the industry is so non-specific that it essentially means nothing anyway.

As a security engineer, I get pretty sick of seeing/hearing the term “cyber” thrown around to describe pretty much anything I do. Cyber security, cyber attack, cyber defense. Our team doesn’t sit down in a conference room discussing “how are the cyber defenses on company X holding up?”, or “company Y has been experiencing a higher number of cyber-threats recently”. Nobody says crap like that in real life. I decided to see how little the term actually gets thrown around. I know we never use it verbally except while making “air quotes” with our fingers and making fun of the sorts of people who DO actually say it. But I thought I should at least check my email to see if it ever sneaks its way in unnoticed.

I have 9001 emails in my inbox from the last six months or so, since I last hit the “I can’t send email anymore because I have too much crap in my inbox” button. 102 matched the search term “cyber”.

– A little more than half was vendor spam from companies I deal with, promoting new products, services, and whatnot else.
– A little less than half was internal emails from our global or pre-sales groups, discussing news or vendor spam.
– To my surprise there was in fact a single legitimate ticket email in the last 6 months with the term “cyber” in it.

I had to look into that one ticket to find out what the deal was. It was a ticket for a BlueCoat issue, and nowhere did the term “cyber” seem to appear. However, there was a sysinfo attached (like a “show tech” for BlueCoat boxen), and tucked in there was a reference to a Russian domain name containing the word “cyber”. That’s what had matched.

Close call, but in the end I was right. Nobody in my workplace actually uses the term “cyber” in reference to what goes on in the realm of network security.

Thanksgiving is coming…

November 14th, 2009

The turkeys are back at work. Careful guys, Thanksgiving is getting pretty close.

Originally published at The IggBlog. You can comment here or there.


Big money

June 11th, 2009

So I’m back from Vegas. Some months ago I decided it’d be cool to see Vegas before I turned 30. Probably after watching CSI or something. So Emily took it upon herself to be awesome and make it happen. She got us plane tickets and a room for relatively cheap on Orbitz or something like that. It’s pretty much exactly what I needed.

I’d been coming to work angry for the last few weeks just due to frustration… There’s a hiring freeze on engineers so I’m stuck in an operator position for now. It’s fine, I like my company but the waiting was getting to me. There hasn’t been much to do except push trash at work recently. I thrive off solving challenging problems, and spending hours troubleshooting something complex that I’ve never touched before. But recently it’s been all boring standardized notification type stuff.

Vegas was impressive. We stayed at Circus Circus, mostly because it was possible to get a big room on the strip for dirt cheap. It’s the place with the massive motherfucking creepy clown outside. It took a day or so to really take it all in. Sure it’s all artificial but the novelty, and sheer density of that novelty, was what was really cool to see. As with most people I didn’t net any wins. Emily and I played a bunch of slots… We’d find the loudest and most ADD/obnoxious machine we could find and we’d rock it for a few hours. All while sucking down free booze of course. I won a little at blackjack, but nothing worth mention. On the last day I got to visit a cousin of mine in the area and his GF. We wound down the vacation with a little BBQ, and leeched a ride to the airport. It was everything I thought it would be and more, and did exactly what I wanted it to. We left Thursday and came back Tuesday, and I returned to work calm and relaxed for once. I even got to do some really fun events at work on Wednesday.

That’s my story. That place is good times, looking forward to going back sometime.



Booty is booty

April 9th, 2009

Saw this the other day on TV. Yes, it’s a legit commercial. I’d completely forgotten about it, but a coworker passed the link around the NOC. I think it might be a bit much for kids, but then I’ve only seen it aired late-ish on TV. It’s pretty awesome, especially if you’re ancient like me and you remember the original vid when it came out. Funny how controversial for one generation is commercial stock for another.



Breakfast of Kings

April 9th, 2009

Due to a combination of taunts and dares, my breakfast turned out to be…

That’s right: a Pop-Tart and brownie sandwich. Clicky for a full-force pic of it. It was a little messier than I’d planned on, but totally worth it. Also, fuck you Korey.



T.W.A. -what?

March 19th, 2009

The name of the department I work in right now is insite. It’s probably just some corporate goon’s idea of a trendy spelling of “insight”. When our updated systems get rolled out, the new name for my group will be RIM, for “remote infrastructure management”. Because… I mean… everyone loves acronyms, right? This means my job title will be “RIM operator”. I think people need to be a little more careful with acronyms, though. We’re already calling each other rim jockeys, and we’re just waiting for someone to come walking in with a résumé asking for details on the RIM job. At least they didn’t go with “automated network usage support”. It’s a bit of a stretch, but you get the idea.

In related news, I’ve come to find out one of my coworkers almost got a medal for his time served over in the Middle East. The acronym on the medal would have been for “the war on terror”, signifying his diligence in the fight against TWAT for his time served.


It lives

January 29th, 2009

I decided to go against the grain and actually post something. Not much to update just yet, although good stuff is in the works.

News: Finally got my CCNA. I have yet to be reimbursed for the test costs, but it’s good to get that under my belt.
Not news: Still working in the same position, but we have a couple of massive contracts pending. If they go through they’ll be needing more engineers, and I’m first in line.
Random: Music video about Russian culture:

A++, would buy again.

I’ll try to write more often. Not because I think I have anything interesting to say, mostly just because I like hearing myself say it.



Protected: More like fail-out

October 8th, 2008



Crying wolf

July 3rd, 2008

They’ve been “testing” the fire alarm system for a week and change here, for some reason. I asked a friend who works at the company that owns the building we lease space from, and he has no idea why they’ve been doing it. Basically the alarm will sound and strobes will go off, then abruptly stop. This will happen a half dozen times, then someone will come on the loudspeaker and state that they will be performing testing. Yeah, makes as much sense to me too. This has been going on all day, every day, for nearly two weeks. The thought had crossed my mind: “what if there was a real fire?” Sure enough, a few days ago there were fire engines and stuff outside. Apparently there was a for-reals fire somewhere in the building and they were evacuating. We only found out about it when a coworker came into the ops center and told us that people were collecting in the mini-park out front. The general consensus was that at this point we were going to stay in the building out of spite, and jump out a window if we ended up actually having to leave.

