
Juniper : Netscreen/ScreenOS to HTML (ns2html) + audit your firewall config (nipper)

A short while ago, I came across 2 really nice tools that will help

– visualizing screenos configs into html pages

– auditing firewall configs

Converting screenos to html

The first tool, called ns2html, was developed by Rodrigo Pace de Barros and can be found at http://ns2html.sourceforge.net/

It is written in perl and both the .pl and the compiled version are part of the download package.

After downloading and extracting the zip file (I’m using the Windows version), you need to edit the config file, which can be found in the etc folder (ns2html.cfg).

Verify the “PUBLISH” and “BROWSER” paths and save the file.

Next, launch the ns2html.exe file (under bin).

image

Select your screenos config file and verify the output directory. Tick “open rulebase in browser after generation?” and click generate.

Note : if you have previously converted a config file from the same firewall and are saving the files in the same folder, you will be prompted to overwrite the files in the small command-line window that sits behind the dialog window. When the process is complete, you’ll get a subfolder (named after the firewall) that contains a couple of html files and images. When you open the index page (index.html), you’ll get this

image

Life doesn’t get much easier than this… I wish there were more awesome tools like this. This is really a great tool for people who are looking to save their rulesets in a very user-friendly & readable format.

Audit your ruleset

A second tool I would like to talk about is “nipper”. This utility was written by Ian Ventura-Whiting and can be found at http://nipper.titania.co.uk. It is a Network Infrastructure Parser (hence the name NIPper) and will produce a friendly, readable report containing a security audit of your config file.

The tool supports a whole range of devices : Bay Networks, Cisco IOS, Cisco ASA, Juniper Netscreen, Nortel Passport, Nokia, SonicWall, …

After downloading and extracting the “all in one” package, you will see these files :

image

Edit the nipper.ini file with wordpad or notepad++ and go to the Report section. Set a Company Name and save the file.

When you run nipper /? or nipper --help, you’ll get a short help text :

                     _                           ____
               _ __ (_)_ __  _ __   ___ _ __    / ->/|
              | '_ \| | '_ \| '_ \ / _ \ '__|  /<-_/ |
              | | | | | |_) | |_) |  __/ |     |   | /
              |_| |_|_| .__/| .__/ \___|_|     |___|/
                      |_|   |_|

                         CLI Version 0.12.0
                    http://nipper.titania.co.uk
            Copyright (C) 2006-2008 Ian Ventura-Whiting

Nipper is a  Network Infrastructure  Configuration Parser.  Nipper takes
a network infrastructure  device configuration,  processes the  file and
produces  a report  which can  include detailed a  security audit  and a
configuration report.

By default, input is retrieved from stdin and is output (in HTML format)
to stdout.

Command:
    nipper [Options]

General Options:
    --input=
    Specifies a  device configuration  file to  process.  For CheckPoint
    Firewall-1  configurations,  the  input should be the conf directory
    (or the database directory).

    --output= | --report=
    Specified an output file for the report.

    --version
    Displays the program version.

Example:
    The  example   below  will   process  a   Cisco   IOS-based   router
    configuration file called ios.conf  and output  the report to a file
    called report.html.

    nipper --ios-router --input=ios.conf --output=report.html

For additional help:
    --help[=]
    Show  the  online help  or show  the  additional  help on  the topic
    specified.  The help  topics  are;  GENERAL,  DEVICES,  DEVICES-ADV,
    SNMP,  REPORT, REPORT-ADV,  REPORT-SECT, REPORT-HTML,  REPORT-LATEX,
    AUDIT-ACL, AUDIT-PASS, AUDIT-ADV or CONFIG-FILE.

Copy the screenos (or other compatible) config file into the folder and run

nipper --input=yourconfigfile.cfg --output=firewallaudit.html
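To give an idea of the kind of check nipper’s audit performs on a ScreenOS ruleset, here is an added example (not part of the original post, nor nipper’s or ns2html’s own code) that parses “set policy” lines and flags permit-any rules and rules without logging. The policy lines are constructed sample data and assume the usual ScreenOS syntax shown in the string.

```python
import re
from dataclasses import dataclass

# Constructed sample ScreenOS config lines (not taken from a real firewall).
# Assumed syntax: set policy id N from "SrcZone" to "DstZone" "src" "dst" "svc" action [log]
SAMPLE_CONFIG = """\
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "DMZ" "Any" "web-server" "HTTP" permit
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 4 from "DMZ" to "Trust" "web-server" "db-server" "MS-SQL" permit
set interface ethernet0/0 zone Untrust
"""

POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject)(.*)$'
)

@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str
    logged: bool

def parse_policies(config: str) -> list[Policy]:
    """Extract the "set policy" lines; all other config lines are ignored."""
    policies = []
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            pid, sz, dz, src, dst, svc, action, rest = m.groups()
            policies.append(Policy(int(pid), sz, dz, src, dst, svc, action,
                                   "log" in rest.split()))
    return policies

def audit(policies: list[Policy]) -> list[str]:
    """Return findings: any/any/ANY permits and policies that do not log."""
    findings = []
    for p in policies:
        if p.action == "permit" and (p.src, p.dst, p.service) == ("Any", "Any", "ANY"):
            findings.append(f"policy {p.pid}: permits any source to any destination "
                            f"on any service ({p.src_zone} -> {p.dst_zone})")
        if not p.logged:
            findings.append(f"policy {p.pid}: logging not enabled")
    return findings
```

Running audit(parse_policies(SAMPLE_CONFIG)) reports policy 1 as an any/any permit and policies 2 and 4 as unlogged; policy 3 is a deny and is not flagged as permissive.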

If the tool has difficulties determining the type of device, you can specify the device using one of the following parameters :

    CMD Option       Device Type
    ====================================================
    --auto           Auto-Detect Device (Default)
    --3com-firewall  3Com SuperStack 3 Firewall
    --accelar        Bay Networks Accelar
    --cp-firewall    CheckPoint Firewall Module
    --cp-management  CheckPoint Management Module
    --ios-router     Cisco IOS-based Router
    --ios-catalyst   Cisco IOS-based Catalyst Switch
    --pix            Cisco PIX-based Firewall
    --asa            Cisco ASA-based Firewall
    --fwsm           Cisco FWSM-based Router
    --catos          Cisco CatOS-based Catalyst
    --nmp            Cisco NMP-based Catalyst
    --css            Cisco Content Services Switch
    --procurve       HP ProCurve Switches
    --screenos       Juniper NetScreen Firewall
    --nokiaip        Nokia IP Firewall
    --passport       Nortel Passport Device
    --nortel-switch  Nortel Ethernet Routing Switch 8300
    --sonicos        SonicWall SonicOS Firewall

Try it – you’ll love it.

2009 – 2015, Corelan Team (corelanc0d3r). All rights reserved.
