Trusk

Hey all, first allow me to thank you for taking a look at this. After a couple of weeks of investigating, I am at a loss on the behavior I'm seeing, so I thought I'd bring it to the minds of r/networking.

tl;dr
- ASA5505-BUN-K9 (Sanitized config shown at the bottom)
- Code in use when the anomaly was discovered: 9.2(4), 7.5(2)
- Current code: 9.2(4)14, 7.6(2) – Anomaly persists after a flash rewrite

While examining the syslog I discovered what appears to be anomalous activity associated with the ASDM log-in sequence. Starting with the buffer log, I captured the TCP handshake and respective AAA output for the ASDM log-in sequence approximately 20 times. Each capture reveals what appears to be a unique, not-so-random and non-RFC1918 IP address showing up within Syslog Message %ASA-6-611101.

Cisco's explanation of syslog message ASA-6-611101 (below) is confusing to me because on one hand it indicates that authentication succeeded and later in the same message there is verbiage indicating failed user authentication.

Error Message: %ASA-6-611101: User authentication succeeded: IP, IP address : Uname: user

Explanation: User authentication succeeded when accessing the ASA. The username is hidden when invalid or unknown, but appears when valid or the no logging hide username command has been configured.

IP address — The IP address of the client that failed user authentication
user — The user that authenticated

Recommended Action: None required.

5505 CAPTURE (sanitized)

May 01 2017 16:20:00: %ASA-6-302013: Built inbound TCP connection 53 for INSIDE:x.x.x.4/50006 (x.x.x.4/50006) to identity:X.X.X.128/10101 (X.X.X.128/10101)
May 01 2017 16:20:00: %ASA-6-725001: Starting SSL handshake with client INSIDE:x.x.x.4/50006 for TLS session.
May 01 2017 16:20:00: %ASA-6-725003: SSL client INSIDE:x.x.x.4/50006 request to resume previous session.
May 01 2017 16:20:00: %ASA-6-725002: Device completed SSL handshake with client INSIDE:x.x.x.4/50006
May 01 2017 16:20:00: %ASA-6-113012: AAA user authentication Successful : local database : user = murphy
May 01 2017 16:20:00: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = murphy
May 01 2017 16:20:00: %ASA-6-113008: AAA transaction status ACCEPT : user = murphy
May 01 2017 16:20:00: %ASA-6-611101: User authentication succeeded: IP address: invalid-addr–933175856-128.51.219.204, Uname: murphy
May 04 2017 16:20:00: %ASA-6-605005: Login permitted from x.x.x.4/50006 to INSIDE:X.X.X.128/10101 for user "murphy"

To further the investigation I patched in a switch between the ASA and ISP to sniff with Wireshark. While I continued to see unique IPs appearing in syslog message %ASA-6-611101 with every ASDM authentication (that I performed locally), I did not see these IPs as corresponding traffic in Wireshark. Not sure what to make of this…

Below is the list of IPs that I pulled from the logs and WHOISd – take note of the fourth octet and how it varies only slightly from .200, .203, .204

ANYBODY KNOW WHAT TO MAKE OF THIS?

128.51.219.204 – US – NATIONAL SECURITY ADMINISTRATION (NSA)
160.192.227.204 – JP – YASUDA WOMEN'S UNIVERSITY YASUDA WOMEN'S JUNIOR COLLEGE
120.235.231.204 – CN – CHINA MOBILE COMMUNICATIONS CORPORATION
112.11.50.204 – CN – CHINA MOBILE COMMUNICATIONS CORPORATION
48.236.231.204 – US – THE PRUDENTIAL INSURANCE COMPANY OF AMERICA
232.134.91.200 – MULTICAST
0.156.67.200 – BROADCAST RFC-1700
64.119.91.200 – US – MST ACQUISITION GROUP MST
32.77.208.204 – US – AT&T GLOBAL NETWORK SERVICES
184.148.211.204 – CA – BELL CANADA
80.0.203.203 – UK – VIRGIN MEDIA LTD
24.1.231.203 – US – COMCAST CABLE COMMUNICATIONS
184.25.212.204 – US – AKAMAI TECHNOLOGIES
120.15.211.204 – CN – CHINA UNICOM HEIBEI PROVINCE NETWORK
128.192.211.204 – US – UNIVERSITY OF GEORGIA
152.17.215.204 – US – WAKE FOREST UNIVERSITY
48.142.202.204 – US – THE PRUDENTIAL INSURANCE COMPANY OF AMERICA
224.124.208.204 – MULTICAST
152.122.210.204 – US – US DEPARTMENT OF TRANSPORTATION
200.106.231.204 – HN – HONDURAS SULA AMNET DATOS SAN PEDRO SULA
72.80.234.204 – US – MCI COMMUNICATIONS SERVICES
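As an added example (not part of the original post), a small Python check for the behaviour described in the capture and the WHOIS list above: it pulls the IP field out of each %ASA-6-611101 event, notes the "invalid-addr" marker the ASA itself prints in front of the quad, classifies the quad the way the WHOIS list does (multicast, 0/8, global), and compares it with the source address in the matching %ASA-6-605005 "Login permitted" line. The log sample is constructed from the capture format shown; the 192.0.2.x addresses (RFC 5737) stand in for the sanitized x.x.x.4 and X.X.X.128.

```python
import ipaddress
import re

# Constructed sample modelled on the buffer-log capture in the post: 192.0.2.x (RFC 5737)
# stands in for the sanitized x.x.x.4 / X.X.X.128; the 611101 IP field is copied from the post.
SAMPLE_LOG = """\
May 01 2017 16:20:00: %ASA-6-113008: AAA transaction status ACCEPT : user = murphy
May 01 2017 16:20:00: %ASA-6-611101: User authentication succeeded: IP address: invalid-addr-933175856-128.51.219.204, Uname: murphy
May 01 2017 16:20:00: %ASA-6-605005: Login permitted from 192.0.2.4/50006 to INSIDE:192.0.2.128/10101 for user "murphy"
"""

RE_611101 = re.compile(r"%ASA-6-611101: .*IP address: (?P<field>\S+?),\s*Uname: (?P<user>\S+)")
RE_605005 = re.compile(r'%ASA-6-605005: Login permitted from (?P<ip>[\d.]+)/\d+ .* for user "(?P<user>[^"]+)"')
QUAD = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$")  # trailing dotted quad inside the 611101 field

def classify_ip(ip):
    """Coarse class for a quad, in the spirit of the post's WHOIS notes (multicast, 0/8, ...)."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    if addr in ipaddress.ip_network("0.0.0.0/8"):
        return "this-network (0/8)"
    return "global" if addr.is_global else "private/special-use"

def reconcile(log_text):
    """Pair each 611101 event with the 605005 login for the same user; is the logged IP the real login source?"""
    events, logins = [], {}
    for line in log_text.splitlines():
        login = RE_605005.search(line)
        if login:
            logins[login.group("user")] = login.group("ip")
            continue
        event = RE_611101.search(line)
        if event:
            events.append(event)
    findings = []
    for event in events:
        field, user = event.group("field"), event.group("user")
        quad = QUAD.search(field)
        ip = quad.group(1) if quad else None
        findings.append({
            "user": user,
            "ip": ip,
            # The ASA's own formatter tagged the field as invalid; flag that instead of treating the quad as a peer.
            "invalid_marker": field.lower().startswith("invalid-addr"),
            "ip_class": classify_ip(ip) if ip else None,
            "actual_login_ip": logins.get(user),
            "matches_login": ip is not None and ip == logins.get(user),
        })
    return findings
```

A 611101 address that carries the invalid-addr marker and does not match the 605005 source is a logging artefact to raise with the vendor, not a peer to hunt for in packet captures.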

5505 CONFIG

CISCOBOX# more system:run
: Saved
:
: Serial Number: xxxxxxxxxxxx
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by murphy at 16:20:00.000 CDT Mon May 1 2017
!
ASA Version 9.2(4)14
!
hostname CISCOBOX
domain-name xxxxxx.xxxxxx
enable password zxzxzxzxzxzxzxzxz
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
no names
dns-guard
!
interface Ethernet0/0
switchport access vlan A
!
interface Ethernet0/1
switchport access vlan B
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface VlanA
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
interface VlanB
nameif INSIDE
security-level 100
ip address B.B.B.128 B.B.B.B
!
banner exec You have logged in to $(hostname).$(domain)
banner motd **********************************
banner motd * UNAUTHORIZED ACCESS PROHIBITED *
banner motd **********************************
boot system disk0:/asa924-14-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
dns server-group DefaultDNS
domain-name xxxxxx.xxxxxx
object network vLANB
subnet B.B.B.B B.B.B.B
pager lines 24
logging enable
logging timestamp
logging buffer-size 32768
logging asdm-buffer-size 512
logging buffered debugging
logging asdm notifications
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply OUTSIDE
icmp deny any OUTSIDE
asdm image disk0:/asdm-762.bin
asdm history enable
arp timeout 300
no arp permit-nonconnected
!
object network vLANB
nat (INSIDE,OUTSIDE) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable 10101
http server idle-timeout 30
http B.B.B.B B.B.B.B INSIDE
no snmp-server location
no snmp-server contact
sysopt noproxyarp OUTSIDE
sysopt noproxyarp INSIDE
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh B.B.B.B B.B.B.B INSIDE
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
dhcpd dns L.L.L.L
dhcpd domain xxxxxx.xxxxxx
!
dhcpd address B.B.B.B B.B.B.B INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server N.N.N.N prefer
ntp server T.T.T.T
ntp server P.P.P.P
username murphy password zxzxzxzxzxzxzxz encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyzxyz
: end
