Virtualizing JunOS on VMware

Often, when working on a client network or on our own, we need to test, document and validate certain network configurations in a test environment. Sadly, not many have the money for a lab in which to test different scenarios and gauge the impact that changes might have on the production network. For the majority of configuration work involving system settings and routing, a virtualized environment can be of great help; sadly, it cannot help with anything ASIC- or hardware-specific. In this blog post I will cover how to virtualize the JunOS operating system to aid with testing and validation. I did this for a friend who needed to migrate the configuration of several of his Juniper routers to a newer version of the OS and hardware, and who also asked me for recommendations for hardening the routers. I do have to say I really like JunOS, especially since it has a full FreeBSD subsystem underneath to which the user has access.

Requirements

Software required to install JunOS on VMware:

  • FreeBSD 4.11 mini ISO, downloaded from the FreeBSD FTP site
  • M Series router jinstall Domestic signed tgz file (the Export version does not provide SSH)
  • Jweb tgz file for the version of JunOS being installed

NOTE: Do not ask for Juniper images; I will ignore those messages. You need a valid contract to obtain them.

Settings for Workstation 7.x

  • On VMware Workstation:
  • Create a New Virtual Machine.
  • Select the FreeBSD ISO image as the installer image.
  • Ensure that FreeBSD is selected as the operating system type.
  • Make sure the HDD is 4GB or higher and of type IDE for versions 9.x and 10.x; for version 11.x use 6GB or higher.
  • For memory, set 512MB initially for 9.x; after installation of jweb it can be changed to 256MB. For 10.x and 11.x set the initial value to 1024MB, and 512MB after install.
  • After creating the VM and before installation, open the VMX file and make sure that the SCSI device presence setting is set to FALSE: scsi0.present = "FALSE"

Settings for VMware ESX 4.x

On VMware ESX and ESXi:

  • Create a New Virtual Machine with Operating System Other -> FreeBSD 32-bits
  • Make sure the HDD is 4GB or higher and of type IDE for versions 9.x and 10.x; for version 11.x use 6GB or higher.
  • Select the "Edit Virtual Machine Settings Before Completion" check box.
  • Change the SCSI Controller to LSI Logic SAS
  • For memory, set 512MB initially for 9.x; after installation of jweb it can be changed to 256MB. For 10.x and 11.x set the initial value to 1024MB, and 512MB after install.
  • Set the FreeBSD 4.11 ISO in the CD-ROM drive and make sure that it is connected before saving.

FreeBSD Installation

  • Skip the kernel configuration and choose the standard installation.
  • When prompted to use fdisk select OK.
  • When you get to partitioning, first allocate the whole disk to BSD.
  • Press c then OK for the other prompts and finish by selecting q.
  • Select BootMgr as the boot manager.
  • Create the disk slices as shown in the table below:

    Slice     Mount point   Size
    ad0s1a    /             2000M
    ad0s1b    Swap          1024M
    ad0s1e    /config       64M
    ad0s1f    /var          Remaining space

  • / has to be a reasonable size or else you’ll run out of space on /mnt.
  • Choose the ‘Minimal’ installation type and skip installing ports.
  • After the base is installed, the installer will ask whether you want to configure Ethernet settings. Select yes and use DHCP to configure your NIC (em0). Write down the IP given by DHCP and set a hostname for the server. This allows us to scp the jinstall file after the reboot.
  • Except for DHCP on interface em0, choose "no" for everything else (IPv6, Linux compatibility, NFS, FTP, Inetd, TimeZone, etc.).
  • When asked to create a user, create one called junos, set a password for it and add it to the group wheel. Make sure to set a password for the root account.
  • After the installer completes it will reboot. Make sure that you have disconnected the CD so that the VM will not boot into the CD again.
  • scp only the jinstall file to /var/tmp on the VM. Do not copy the jweb file yet, since during installation the file system will be formatted and changed.
    $ scp jinstall-<version>-domestic-signed.tgz junos@<ip>:/var/tmp
  • Once the file is there, SSH in to the server and use the su command to gain root privileges:
    $ su -

    JunOS 9.6R1

    Unpack the different parts of the installer and remove hash files used to validate the installer:

    # cd /var/tmp/
    # mkdir jinst
    # cd jinst
    # tar xvzf ../jinstall-9.6R1.13-domestic-signed.tgz
    # rm *.md5 *.sha1 *.sig
    # mkdir domestic
    # cd domestic/
    # tar xvzf ../jinstall-9.6R1.13-domestic.tgz
    # mkdir pkgtools
    # cd pkgtools
    # ls
    # tar xvzf ../pkgtools.tgz

    Make sure that the hardware check always returns true by replacing the checkpic command:

    # cp /usr/bin/true bin/checkpic

    Repackage the installer:

    # tar cvzf ../pkgtools.tgz *
    # cd ..
    # rm -rf pkgtools
    # tar cvzf ../jinstall-9.6R1.13-domestic.tgz *
    # cd ..
    # rm -rf domestic/
    # tar cvzf ../jinstall-9.6R1.13-domestic-signed.tgz *
    # cd ..
    # rm -rf jinst/

    Install the package using pkg_add:

    # pkg_add jinstall-9.6R1.13-domestic-signed.tgz
    Adding jinstall...
    sysctl: unknown oid 'hw.product.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'

    WARNING:     This package will load JUNOS 9.6R1.13 software.
    WARNING:     It will save JUNOS configuration files, and SSH keys
    WARNING:     (if configured), but erase all other files and information
    WARNING:     stored on this machine.  It will attempt to preserve dumps
    WARNING:     and log files, but this can not be guaranteed.  This is the
    WARNING:     pre-installation stage and all the software is loaded when
    WARNING:     you reboot the system.

    Saving the config files ...
    Installing the bootstrap installer ...

    WARNING:     A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
    WARNING:     'request system reboot' command when software installation is
    WARNING:     complete. To abort the installation, do not reboot your system,
    WARNING:     instead use the 'request system software delete jinstall'
    WARNING:     command as soon as this operation completes.

    DO NOT REBOOT yet. First ensure you can interact with JunOS on the VM console:

    # chmod +w /boot/loader.conf
    # vi /boot/loader.conf

    Add this line to the file:

    console="vidconsole"

    Reboot the device by entering the reboot command. The installation process will take several minutes and the router will reboot twice.
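The unpack step above deletes the .md5, .sha1 and .sig files, after which the image can no longer be checked against the digests it shipped with. The script below is an added example, not part of the original post, that checks the digest sidecars first; the function names and the sidecar naming and format (`<file>.md5` / `<file>.sha1` holding the hex digest) are assumptions, and the .sig file is not checked.

```shell
#!/bin/sh
# Added example, not from the original post: check the .md5/.sha1 sidecar
# files against the files they describe BEFORE they are deleted.
# Assumption: a sidecar is named <file>.md5 or <file>.sha1 and contains the
# hex digest of <file> somewhere in its text (bare or "MD5 (f) = ..." style).

# digest ALGO FILE: print the lowercase hex digest (GNU tools, else BSD tools).
digest() {
    case "$1" in
        md5)  if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | cut -d' ' -f1
              else md5 -q "$2"; fi ;;
        sha1) if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2" | cut -d' ' -f1
              else sha1 -q "$2"; fi ;;
        *)    return 2 ;;
    esac
}

# verify_sidecars DIR: succeed only if at least one sidecar was found and
# every sidecar matches its target file.
verify_sidecars() {
    dir=$1; checked=0; failed=0
    for side in "$dir"/*.md5 "$dir"/*.sha1; do
        [ -f "$side" ] || continue            # glob matched nothing
        algo=${side##*.}                      # md5 or sha1
        target=${side%.*}                     # sidecar name minus its suffix
        checked=$((checked + 1))
        if [ ! -f "$target" ]; then
            echo "MISSING  $target"; failed=1; continue
        fi
        case "$algo" in md5) len=32 ;; sha1) len=40 ;; esac
        # First standalone hex string of the right length in the sidecar.
        want=$(tr 'A-F' 'a-f' < "$side" | grep -Eow "[0-9a-f]{$len}" | head -n 1)
        have=$(digest "$algo" "$target")
        if [ -n "$want" ] && [ "$want" = "$have" ]; then
            echo "OK       $algo $target"
        else
            echo "MISMATCH $algo $target"; failed=1
        fi
    done
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Stand-alone use: sh verify.sh /var/tmp/jinst   (before running rm *.md5 ...)
if [ $# -gt 0 ]; then verify_sidecars "$1"; fi
```

Run it in the unpack directory after the first `tar xvzf` and before the `rm`; a non-zero exit means a digest did not match or no sidecars were found.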

     

    JunOS 10.4R1 and JunOS 11.1R1

    This process is the same for 10.x and 11.x. Unpack the different parts of the installer and remove hash files used to validate the installer:

    # cd /var/tmp/
    # mkdir jinst
    # cd jinst
    # tar xvzf ../jinstall-10.4R1.9-domestic-signed.tgz
    # rm *.md5 *.sha1 *.sig

    Open the +INSTALL file in vi:

    # vi ./+INSTALL

    Modify the variable re_name in the check_arch_compatibility() function as shown below. Inside vi you can type :/check_arch<enter> to go directly to it.

    check_arch_compatibility()
    {
        #re_name=`/sbin/sysctl -n hw.re.name 2>/dev/null`
        re_name='olive'
        if [ -z "$re_name" ]; then
            Error "hw.re.name sysctl not supported."
        fi

    Continue unpacking the next level of the package:

    # mkdir domestic
    # cd domestic/
    # tar xvzf ../jinstall-10.4R1.9-domestic.tgz

    Open +INSTALL and +REQUIRE with vi and modify the variable re_name in the check_arch_compatibility() function as done before. Then unpack the pkgtools.tgz file and make the checkpic file always return true:

    # mkdir pkgtools
    # cd pkgtools
    # tar xvzf ../pkgtools.tgz
    # cp /usr/bin/true bin/checkpic

    Repackage the installer:

    # tar cvzf ../pkgtools.tgz *
    # cd ..
    # rm -rf pkgtools
    # tar cvzf ../jinstall-10.4R1.9-domestic.tgz *
    # cd ..
    # rm -rf domestic
    # tar cvzf ../jinstall-10.4R1.9-domestic-signed.tgz *
    # cd ..
    # rm -rf jinst

    Install the package:

    # pkg_add jinstall-10.4R1.9-domestic-signed.tgz
    Adding jinstall...
    sysctl: unknown oid 'hw.product.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'
    sysctl: unknown oid 'hw.re.model'

    WARNING:     This package will load JUNOS 10.4R1.9 software.
    WARNING:     It will save JUNOS configuration files, and SSH keys
    WARNING:     (if configured), but erase all other files and information
    WARNING:     stored on this machine.  It will attempt to preserve dumps
    WARNING:     and log files, but this can not be guaranteed.  This is the
    WARNING:     pre-installation stage and all the software is loaded when
    WARNING:     you reboot the system.

    Saving the config files ...
    Installing the bootstrap installer ...

    WARNING:     A REBOOT IS REQUIRED TO LOAD THIS SOFTWARE CORRECTLY. Use the
    WARNING:     'request system reboot' command when software installation is
    WARNING:     complete. To abort the installation, do not reboot your system,
    WARNING:     instead use the 'request system software delete jinstall'
    WARNING:     command as soon as this operation completes.

    Ensure you can interact with JunOS on the VM console. This step is not needed with version 10.4, but it is recommended in case there is a change in any other 10.x package:

    # chmod +w /boot/loader.conf
    # vi /boot/loader.conf

    Add this line to the file:

    console="vidconsole"

    Reboot the device by entering the reboot command. The installation process will take several minutes and the router will reboot twice.
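The vi edit of re_name in +INSTALL and +REQUIRE described above can be scripted so that lab rebuilds are repeatable and a changed installer layout is caught rather than silently mis-edited. This is an added example, not part of the original post; the function name patch_re_name is hypothetical, and it assumes the unmodified assignment reads as the line shown commented out in the listing.

```shell
#!/bin/sh
# Added example, not from the original post: scripted form of the vi edit.
# Assumption: the unmodified line is
#     re_name=`/sbin/sysctl -n hw.re.name 2>/dev/null`
# as shown (commented out) in the post's listing.

# patch_re_name FILE: comment out the sysctl lookup and set re_name='olive'.
patch_re_name() {
    f=$1
    # Already patched: nothing to do, so the script can be re-run safely.
    if grep -q "^[[:space:]]*re_name='olive'" "$f"; then
        echo "$f: already patched"
        return 0
    fi
    # Refuse to edit unless exactly one assignment matches; a different count
    # means this release's script differs from the one the post describes.
    n=$(grep -c '^[[:space:]]*re_name=`/sbin/sysctl -n hw\.re\.name' "$f") || true
    if [ "$n" != "1" ]; then
        echo "$f: expected 1 re_name assignment, found ${n:-none}" >&2
        return 1
    fi
    # Edit through a temporary copy so FILE keeps its mode and ownership, and
    # remove the copy so it is not swept into the repackaged tarball by "*".
    cp -p "$f" "$f.tmp"
    sed 's|^\([[:space:]]*\)\(re_name=`/sbin/sysctl -n hw\.re\.name.*\)$|\1#\2\
\1re_name='"'olive'"'|' "$f.tmp" > "$f"
    rm -f "$f.tmp"
    echo "$f: patched"
}

# Stand-alone use, from the directory holding the unpacked files:
#   sh patch.sh ./+INSTALL ./+REQUIRE
if [ $# -gt 0 ]; then
    for file in "$@"; do patch_re_name "$file" || exit 1; done
fi
```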

    Initial Configuration

    On the console, log in as root and press Enter at the password prompt. Type cli to enter the JunOS command line interface, then enter configuration mode:

    % cli
    > configure

    Set the hostname for the router:

    # set system host-name <router name>

    Set the root password:

    # set system root-authentication plain-text-password <enter>

    Create a secondary admin user to use for SSH:

    # set system login user <username> class super-user
    # set system login user <username> authentication plain-text-password <enter>

    Set an IP Address on the interface em0 so as to connect to the router:

    # set interfaces em0 unit 0 family inet address <ip/mask>

    Enable SSH and set the protocol version to use to version 2:

    # set system services ssh protocol-version v2

    Enable Telnet:

    # set system services telnet

    Enable FTPD:

    # set system services ftp

    Set the default gateway:

    # set routing-options static route 0.0.0.0/0 next-hop <Default Gateway IP>

    Set the DNS Server to use:

    # set system name-server <name server IP>

    Save the configuration:

    # commit

    To get full list of software installed and version without paging:

    > show version | no-more

    To get full configuration:

    > show configuration | no-more 

    To get full configuration in XML format:

    > show configuration | no-more | display xml

    Install the Web Interface

    Copy the jweb file to the router using scp and the secondary admin account created above:

    $ scp jweb-<version>-signed.tgz <username>@<ip>:/var/tmp

    SSH in to the router and run:

    > request system software add /var/tmp/jweb-<version>-signed.tgz

    After the installer finishes, reboot the router:

    > request system reboot
    Reboot the system ? [yes,no] (no) yes

    It will take a while for the router to reboot since it is setting up the files for the web interface. Once the router is back up, connect to it, enter configuration mode and enable the web management system on the interface you configured:

    # set system services web-management http interface em0.0
    # commit

    Carlos Perez

    Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.
