
Juniper : Netscreen/ScreenOS to HTML (ns2html) + audit your firewall config (nipper)

A short while ago, I came across 2 really nice tools that will help

– visualizing screenos configs into html pages

– auditing firewall configs

 

Converting screenos to html

The first tool, called ns2html, was developed by Rodrigo Pace de Barros and can be found at http://ns2html.sourceforge.net/

It is written in perl and both the .pl and the compiled version are part of the download package.

After downloading and extracting the zip file (I’m using the Windows version), you need to edit the config file, which can be found in the etc folder (ns2html.cfg).

Verify the “PUBLISH” and “BROWSER” paths and save the file.

Next, launch the ns2html.exe file (under bin).


Select your ScreenOS config file and verify the output directory. Tick “open rulebase in browser after generation?” and click generate.

Note : if you have previously converted a config file from the same firewall and are saving the files in the same folder, you will be prompted to overwrite the files in the small command-line window that sits behind the dialog. When the process is complete, you’ll get a subfolder (named after the firewall) that contains a couple of html files and images. When you open the index page (index.html), the rulebase is displayed in your browser.


Life doesn’t get much easier than this… I wish there were more awesome tools like this. This is really a great tool for people who are looking to save their rulesets in a very user-friendly & readable format.

 

Audit your ruleset

A second tool I would like to talk about is “nipper”. This utility was written by Ian Ventura-Whiting and can be found at http://nipper.titania.co.uk . It is a Network Infrastructure Parser (hence the name NIPper) and produces a friendly, readable security audit report from your config file.

The tool supports a whole range of devices : Bay Networks, Cisco IOS, Cisco ASA, Juniper Netscreen, Nortel Passport, Nokia, SonicWall, …

After downloading and extracting the “all in one” package, you will see these files :


Edit the nipper.ini file with wordpad or notepad++ and go to the Report section. Set a Company Name and save the file.

When you run nipper /? or nipper --help, you’ll get a short help text :

                     _                           ____
               _ __ (_)_ __  _ __   ___ _ __    / ->/|
              | '_ \| | '_ \| '_ \ / _ \ '__|  /<-_/ |
              | | | | | |_) | |_) |  __/ |     |   | /
              |_| |_|_| .__/| .__/ \___|_|     |___|/
                      |_|   |_|

                         CLI Version 0.12.0
                    http://nipper.titania.co.uk
            Copyright (C) 2006-2008 Ian Ventura-Whiting

Nipper is a  Network Infrastructure  Configuration Parser.  Nipper takes
a network infrastructure  device configuration,  processes the  file and
produces  a report  which can  include detailed a  security audit  and a
configuration report.

By default, input is retrieved from stdin and is output (in HTML format)
to stdout.

Command:
    nipper [Options]

General Options:
    --input=
    Specifies a  device configuration  file to  process.  For CheckPoint
    Firewall-1  configurations,  the  input should be the conf directory
    (or the database directory).

    --output= | --report=
    Specified an output file for the report.

    --version
    Displays the program version.

Example:
    The  example   below  will   process  a   Cisco   IOS-based   router
    configuration file called ios.conf  and output  the report to a file
    called report.html.

    nipper --ios-router --input=ios.conf --output=report.html

For additional help:
    --help[=]
    Show  the  online help  or show  the  additional  help on  the topic
    specified.  The help  topics  are;  GENERAL,  DEVICES,  DEVICES-ADV,
    SNMP,  REPORT, REPORT-ADV,  REPORT-SECT, REPORT-HTML,  REPORT-LATEX,
    AUDIT-ACL, AUDIT-PASS, AUDIT-ADV or CONFIG-FILE.

Copy the screenos (or other compatible) config file into the folder and run

nipper --input=yourconfigfile.cfg --output=firewallaudit.html

If the tool has difficulties determining the type of device, you can specify the device using one of the following parameters :

    CMD Option       Device Type
    ====================================================
    --auto           Auto-Detect Device (Default)
    --3com-firewall  3Com SuperStack 3 Firewall
    --accelar        Bay Networks Accelar
    --cp-firewall    CheckPoint Firewall Module
    --cp-management  CheckPoint Management Module
    --ios-router     Cisco IOS-based Router
    --ios-catalyst   Cisco IOS-based Catalyst Switch
    --pix            Cisco PIX-based Firewall
    --asa            Cisco ASA-based Firewall
    --fwsm           Cisco FWSM-based Router
    --catos          Cisco CatOS-based Catalyst
    --nmp            Cisco NMP-based Catalyst
    --css            Cisco Content Services Switch
    --procurve       HP ProCurve Switches
    --screenos       Juniper NetScreen Firewall
    --nokiaip        Nokia IP Firewall
    --passport       Nortel Passport Device
    --nortel-switch  Nortel Ethernet Routing Switch 8300
    --sonicos        SonicWall SonicOS Firewall
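To show what the two tools do under the hood (ns2html turning policy lines into an HTML rulebase, nipper’s AUDIT-ACL checks flagging weak rules), here is a small added example of my own; it is not code from ns2html or nipper. It assumes the usual ScreenOS `set policy id ... from "zone" to "zone" "src" "dst" "service" permit|deny [log]` line format and works on a constructed sample config, not a real firewall.

```python
import re
from html import escape

# Constructed sample ScreenOS config (not taken from a real firewall).
SAMPLE_CONFIG = """\
set policy id 1 from "trust" to "untrust" "Any" "Any" "ANY" permit log
set policy id 2 name "web" from "untrust" to "dmz" "Any" "web-srv" "HTTP" permit
set policy id 3 from "dmz" to "trust" "Any" "Any" "ANY" deny log
set policy id 4 from "untrust" to "trust" "Any" "Any" "ANY" permit
"""

# Assumed ScreenOS policy line layout; lines that do not match are ignored.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "(?P<name>[^"]*)")? '
    r'from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" '
    r'(?P<action>permit|deny|reject)(?P<log> log)?\s*$'
)

def parse_policies(config_text):
    """Return one dict per 'set policy id' line, in config order."""
    rules = []
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["log"] = d["log"] is not None
            rules.append(d)
    return rules

def audit(rules):
    """Flag what a ruleset audit would question: any/any/ANY permits and unlogged permits."""
    findings = []
    for r in rules:
        if r["action"] == "permit" and (r["src"], r["dst"], r["svc"]) == ("Any", "Any", "ANY"):
            findings.append((r["id"], "permits any source to any destination on any service"))
        if r["action"] == "permit" and not r["log"]:
            findings.append((r["id"], "permit rule without logging"))
    return findings

def to_html(rules):
    """Render the rulebase as an HTML table; config strings are escaped before output."""
    cols = ["id", "name", "src_zone", "dst_zone", "src", "dst", "svc", "action", "log"]
    rows = ["<tr>" + "".join(f"<th>{c}</th>" for c in cols) + "</tr>"]
    for r in rules:
        rows.append("<tr>" + "".join(f"<td>{escape(str(r[c] or ''))}</td>" for c in cols) + "</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"
```

Running `audit(parse_policies(SAMPLE_CONFIG))` reports policies 1 and 4 as any/any/ANY permits and policies 2 and 4 as permits without logging; `to_html` gives the table ns2html would render far more nicely.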

 

Try it – you’ll love it.

© 2009 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
