Friday, December 9, 2011

Producing IPv6 traceroute results in HTML format using NMAP

I looked for a way to publish IPv6 traceroute results on the web in an automated manner. There may be various PHP / Perl modules for this, but using the nmap traceroute option we can achieve something similar.

First, put the target hosts in a list file (TestList in the command below), separated by spaces:
nmap.org www.apnic.net he.net

The following command creates the XML output:
nmap -6 --traceroute -vv -iL TestList -sn -oX test.xml --stylesheet /usr/share/nmap/nmap.xsl
-6 enable IPv6
-vv increase the verbosity of the output
-iL read the targets from the list file
-sn no port scan (host discovery and traceroute only)
-oX write XML output
--stylesheet path of the XSL stylesheet used to translate the XML into HTML
Then convert the XML into HTML with xsltproc (it picks up the stylesheet referenced in the XML):
xsltproc test.xml --output test.html
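As an added example (not from the original post or from the nmap project), here is a small Python converter that does the same job as nmap.xsl for the traceroute part only. SAMPLE_XML is a constructed fragment in nmap's XML layout; the second hop's rDNS name is deliberately made of markup to show why every network-sourced value must be escaped before it is published.

```python
"""Turn the traceroute part of 'nmap -6 --traceroute -sn -oX test.xml' output into an HTML
table.  Added example; SAMPLE_XML is a constructed fragment in nmap's XML layout (nmaprun /
host / trace / hop), not a real scan."""
import html
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -6 --traceroute -vv -iL TestList -sn -oX test.xml">
<host><status state="up" reason="echo-reply"/>
<address addr="2001:db8:1::10" addrtype="ipv6"/>
<hostnames><hostname name="www.example.net" type="user"/></hostnames>
<trace proto="icmp">
<hop ttl="1" ipaddr="2001:db8:ffff::1" rtt="0.54" host="gw.example.net"/>
<hop ttl="2" ipaddr="2001:db8:ffff::2" rtt="3.10" host="&lt;b&gt;bogus&lt;/b&gt;"/>
<hop ttl="4" ipaddr="2001:db8:1::10" rtt="12.30" host="www.example.net"/>
</trace></host>
<host><status state="down" reason="no-response"/>
<address addr="2001:db8:2::5" addrtype="ipv6"/>
<hostnames><hostname name="dead.example.net" type="user"/></hostnames>
</host>
</nmaprun>"""


def parse_traces(xml_text):
    """One record per <host>: name, address, state and the hops ordered by TTL.
    nmap writes no <hop> for a TTL that did not answer, so such gaps become '*' rows."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        hostname = host.find("hostnames/hostname")
        name = hostname.get("name") if hostname is not None else addr
        state = host.find("status").get("state")
        hops = []
        trace = host.find("trace")
        if trace is not None:
            by_ttl = {int(h.get("ttl")): h for h in trace.findall("hop")}
            for ttl in range(1, max(by_ttl, default=0) + 1):
                hop = by_ttl.get(ttl)
                hops.append({
                    "ttl": ttl,
                    "ipaddr": hop.get("ipaddr") if hop is not None else "*",
                    "host": hop.get("host", "") if hop is not None else "",
                    "rtt": float(hop.get("rtt")) if hop is not None and hop.get("rtt") else None,
                })
        records.append({"name": name, "addr": addr, "state": state, "hops": hops})
    return records


def render_html(records):
    """Build the HTML table.  Target names, hop addresses and reverse-DNS names all come from
    the network (or from whoever controls the DNS), so each is escaped before it enters the page."""
    rows = ['<table border="1">',
            "<tr><th>Target</th><th>Hop</th><th>Address</th><th>Reverse DNS</th><th>RTT (ms)</th></tr>"]
    for rec in records:
        target = f"{html.escape(rec['name'])} ({html.escape(rec['addr'])})"
        if not rec["hops"]:
            rows.append(f'<tr><td>{target}</td><td colspan="4">host {html.escape(rec["state"])}, '
                        "no traceroute</td></tr>")
            continue
        for hop in rec["hops"]:
            rtt = "" if hop["rtt"] is None else f"{hop['rtt']:.2f}"
            rows.append("<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
                target, hop["ttl"], html.escape(hop["ipaddr"]), html.escape(hop["host"]), rtt))
    rows.append("</table>")
    return "\n".join(rows)


def convert(xml_text):
    """Full pipeline: nmap XML text in, HTML fragment out."""
    return render_html(parse_traces(xml_text))


if __name__ == "__main__":
    # Usage: python nmap_trace_html.py test.xml > test.html  (no argument: the constructed sample)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    print(convert(source))
```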

Saturday, November 26, 2011

PPTP Server as Cisco for Mikrotik Client

The following configuration sets up a Cisco router as the PPTP server and connects two sites.

This part enables VPDN and the default PPTP server:

vpdn enable
!
vpdn-group Mtik
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1

interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool IPPOOL1
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap pap

ip local pool IPPOOL1 192.168.150.10 192.168.150.224

A few more lines are needed so that the user always gets the same IP address; the AAA attribute list also pushes a route and an interface description:
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default local
!
aaa attribute list Gobi
 attribute type addr 192.168.150.13 service ppp protocol ip mandatory
 attribute type route "10.0.0.0 255.255.255.0 192.168.150.13"
 attribute type interface-config "description Gobi-test"

Finally apply the attribute list to the user:

username gobi password 0 test
username gobi aaa attribute list Gobi

Mikrotik configuration:
/interface pptp-client
add add-default-route=no allow=mschap2 connect-to=192.168.16.2 \
    dial-on-demand=no disabled=no max-mru=1500 max-mtu=1500 mrru=1500 name=\
    gobi password=test profile=default-encryption user=gobi

[admin@HOST1] > ip add print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.10.2/30    192.168.10.0    ether1
 1   192.168.16.1/30    192.168.16.0    ether2
 2   10.0.0.1/24        10.0.0.0        ether1
 3 D 192.168.150.13/32  192.168.150.1   gobi
The default route on the Mikrotik is placed as a static route pointing at the tunnel interface:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=gobi scope=30 \
    target-scope=10

1500-byte ping test with the DF bit set:
R1#ping 10.0.0.254 size 1500 df-bit

Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.0.0.254, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/124/152 ms

Saturday, November 19, 2011

l2tpv3 configuration reference

Reference: Comparing, Designing and Deploying VPNs, chapter 2:
L2TPv3 is the enhanced version of the L2TPv2 protocol. Mikrotik uses L2TPv2, I suppose, but it offers a similar tunneling mechanism in EoIP.
On Cisco, L2TPv3 provides pseudowire services to the customer. L2TPv3 only requires IP connectivity between the peers, yet it can transport Ethernet, 802.1Q, HDLC, PPP, Frame Relay, etc.

Its advantage over MPLS is that the customer keeps full control of their routing domain.

L2TP deployments have three topologies:
LAC - LNS, LNS - LNS, LAC - LAC

The following diagram explains a simple LAC - LAC L2TPv3 setup.

L2TPv3 uses two types of messages:
control connection messages - used for signaling between the LCCEs
session data messages - used to transport the layer 2 protocols and connections

The data channel message header carries a Session ID and a cookie so that each packet is correctly associated with its tunnel session.
Deploying a dynamic pseudowire session:
1) configure CEF - it is on by default in current IOS.
2) configure a loopback interface to use as the pseudowire endpoint (the peers need IP connectivity to it)
3) configure an L2TP class (optional)
   The L2TP class holds the control channel parameters:
   authentication, keepalive intervals, receive window size, retransmission parameters, timeouts
4) configure a pseudowire class
5) bind the attachment circuits to the pseudowires


R1:
l2tp-class digest_r1
 digest secret 7 096F673A3A2A hash SHA1
pseudowire-class R1toR2
 encapsulation l2tpv3
 sequencing both
 protocol l2tpv3 digest_r1
 ip local interface Loopback0
! syntax: xconnect <peer-address> <VCID> pw-class <name>   (the VCID should be unique)
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 xconnect 172.16.0.2 100 pw-class R1toR2 sequencing both



R2:
l2tp-class digest_r2
 digest secret 7 062526126F61 hash SHA1
pseudowire-class R2toR1
 encapsulation l2tpv3
 sequencing both
 protocol l2tpv3 digest_r2
 ip local interface Loopback0
interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 xconnect 172.16.0.1 100 pw-class R2toR1 sequencing both

Ping between the two attachment circuits:
R6#ping 192.168.20.2 size 1500 repeat 2 df-bit

Type escape sequence to abort.
Sending 2, 1500-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
Packet sent with the DF bit set
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 72/94/116 ms


CDP from the remote devices:
R6#show cdp neighbors detail  | inc Device|IP|Int
Device ID: R1
  IP address: 172.16.0.1
Interface: FastEthernet1/0,  Port ID (outgoing port): FastEthernet1/0
Device ID: R7
  IP address: 192.168.20.2
Interface: FastEthernet1/0,  Port ID (outgoing port): FastEthernet1/0

R1#show l2tun session all

L2TP Session Information Total tunnels 1 sessions 1

Session id 56564 is up, tunnel id 23863
  Remote session id is 61449, remote tunnel id 53859
  Remotely initiated session
Call serial number is 10785
Remote tunnel name is R2
  Internet address is 172.16.0.2
Local tunnel name is R1
  Internet address is 172.16.0.1
IP protocol 115
  Session is L2TP signaled
  Session state is established, time since change 00:58:25
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  UDP checksums are disabled
  FS cached header information:
    encap size = 28 bytes
    45000014 00000000 FF736353 AC100001
    AC100002 0000F009 00000000
    881 Packets sent, 881 received
    744359 Bytes sent, 744061 received
  Last clearing of counters never
  Counters, ignoring last clear:
    881 Packets sent, 881 received
    744359 Bytes sent, 744061 received
    Receive packets dropped:
      out-of-order:             0
      total:                    0
    Send packets dropped:
      exceeded session MTU:     0
      total:                    0
  Sequencing is on
    Ns 872, Nr 872, 0 out of order packets received
    Packets switched/dropped by secondary path: Tx 0, Rx 0
  Conditional debugging is disabled
  Unique ID is 1
Session Layer 2 circuit, type is Ethernet, name is FastEthernet1/0
  Session vcid is 100
  Circuit state is UP
    Local circuit state is UP
    Remote circuit state is UP
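The "FS cached header" dump above is the pre-built encapsulation R1 prepends to every frame it sends over the pseudowire. As an added example (not from the post or from Cisco), this Python decoder splits those 28 bytes into the IPv4 header and the L2TPv3 session ID, verifies the IP checksum, and checks the fields against what the session output reports; the meaning of the final zero word is an assumption noted in the code.

```python
"""Decode the 28-byte 'FS cached header' printed by 'show l2tun session all' for an
L2TPv3-over-IP session.  Added example; the hex words are copied from the R1 output above."""
import ipaddress
import struct

# The seven 32-bit words under 'FS cached header information' (encap size = 28 bytes).
CACHED_HEADER_HEX = "45000014 00000000 FF736353 AC100001 AC100002 0000F009 00000000"
L2TPV3_IP_PROTOCOL = 115  # 'IP protocol 115' in the session output


def ipv4_checksum(header20):
    """RFC 791 one's-complement sum over the 20-byte header; 0 when the embedded checksum is valid."""
    total = sum(struct.unpack("!10H", header20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_cached_header(hex_words):
    """Split the cached encapsulation into its IPv4 header and L2TPv3 data header fields."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    if len(raw) != 28:
        raise ValueError(f"expected 28 bytes of cached header, got {len(raw)}")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    # L2TPv3 over IP: the session ID follows the IPv4 header directly (no UDP header).
    # The receiver demultiplexes by this ID, so R1 writes the peer's ("remote") session id.
    # Assumption: the last word is the cookie / L2-specific sublayer slot; no cookie is
    # configured here and, with 'sequencing both', the sequence number is filled in per
    # packet, so the cached template holds zero.
    session_id, l2_specific = struct.unpack("!II", raw[20:28])
    return {
        "ip_version": ver_ihl >> 4,
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "tos": tos,                         # 'ToS value 0'
        "total_length": total_len,          # template value, rewritten per packet
        "df": bool(flags_frag & 0x4000),    # 'DF bit off'
        "ttl": ttl,                         # 'TTL value 255'
        "protocol": proto,                  # 115 = L2TPv3
        "checksum_ok": ipv4_checksum(raw[:20]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "session_id": session_id,
        "l2_specific_sublayer": l2_specific,
    }


def matches_session_output(decoded, remote_session_id=61449,
                           local_tunnel_ip="172.16.0.1", remote_tunnel_ip="172.16.0.2"):
    """Cross-check the decoded header against the fields 'show l2tun session all' reported."""
    return (decoded["protocol"] == L2TPV3_IP_PROTOCOL
            and decoded["src"] == local_tunnel_ip
            and decoded["dst"] == remote_tunnel_ip
            and decoded["session_id"] == remote_session_id
            and decoded["checksum_ok"])


if __name__ == "__main__":
    fields = decode_cached_header(CACHED_HEADER_HEX)
    for key, value in fields.items():
        print(f"{key:22} {value}")
    print("consistent with session output:", matches_session_output(fields))
```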

Still to try: the interoperability between Cisco and Mikrotik.

Friday, November 18, 2011

Modifying the Wireshark Column.

Basically I had a packet capture file where I needed to check the ICMP sequence numbers to find any packet drops. Going through each packet one by one and reading the sequence number is a tedious job, so I was looking for a way to add another column that displays the ICMP sequence number.
It's quite easy:
1) Go to Edit -> Preferences
2) Add a new column, select the field type Custom and give the field as icmp.seq

3) You can see the following result. We can modify the field type according to our requirements.

Thursday, July 21, 2011

Cost-effective 1-port RS232 terminal server using Mikrotik / 3G

Out-of-band management is critical for network operation. When searching for a solution for console access over RS232 and 3G, I came across the Mikrotik serial connection option. I haven't tested the 3G setup yet, but there are quite impressive options for RS232 access in a $79 Mikrotik router:
1st, set the baud rate and the other serial port settings:

[admin@Console_Tik] > port export            
# jan/02/1970 00:32:05 by RouterOS 5.5
# software id = WE49-11I9
#
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=serial0 parity=none \
stop-bits=1
/port firmware
set directory=firmware
[admin@Console_Tik] > 

2nd, if we are using the port for console access, we need to disable the Mikrotik's own console on that serial port, as follows (the X flag shows it disabled):
[admin@Console_Tik] > system console print 
Flags: X - disabled, U - used, F - free 
#   PORT                                   TERM                                 
0 X serial0                                vt102    

From the Mikrotik we can directly access the Cisco console port as follows:

[admin@Console_Tik] > system serial-terminal serial0    
[Ctrl-A is the prefix key]
TEST>


Or we can create a separate user account and send that user directly to the serial port:
1) create the separate user account:
[admin@Console_Tik] > user print 
Flags: X - disabled 
#   NAME         GROUP        ADDRESS                                           
0   ;;; system default user
admin        full       
1   terminal     full        

2) assign the user to the special-login option:
[admin@Console_Tik] > special-login print   
Flags: X - disabled 
#   USER                                      PORT                              
0   terminal                                  serial0   

If we telnet in with the special user account, we are redirected straight to the serial port:

MikroTik v5.5
Login: terminal
Password:

[Ctrl-A is the prefix key]



VOICE_TEST>

Monday, July 4, 2011

Shortening the MPLS IOS commands

When it comes to MPLS + VRF we run into some lengthy commands:

R3#show bgp vpnv4 unicast vrf CusA
BGP table version is 7, local router ID is 192.168.254.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:100 (default for vrf CusA)
*> 192.168.200.0    192.168.100.1            0             0 65100 i
*>i192.168.210.0    192.168.254.8            0    100      0 65101 i

To shorten these commands we can, as usual, use aliases, e.g.:

alias exec shbgpvrf show bgp vpnv4 unicast vrf

R3#shbgpvrf CusA
BGP table version is 7, local router ID is 192.168.254.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:100 (default for vrf CusA)
*> 192.168.200.0    192.168.100.1            0             0 65100 i
*>i192.168.210.0    192.168.254.8            0    100      0 65101 i

Second example:
alias exec shvrf show ip route vrf


R3#shvrf CusA

Routing Table: CusA
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/30 is directly connected, Ethernet0/0
L        192.168.100.2/32 is directly connected, Ethernet0/0
B     192.168.200.0/24 [20/0] via 192.168.100.1, 00:10:08
B     192.168.210.0/24 [200/0] via 192.168.254.8, 00:08:42

Friday, June 24, 2011

MPLS lab for experiments

This lab was prepared using L2IOU (http://tinyurl.com/69j77ju).


NETMAP :
1:0/0 3:0/0
1:0/1 4:0/0
2:0/0 3:0/1
2:0/1 4:0/1
3:0/2 5:0/0
4:0/2 5:0/1
5:0/3 6:0/0
5:0/2 7:0/1
6:0/1 7:0/0
7:0/2 8:0/0
7:0/3 9:0/0
8:0/1 10:0/0
9:0/1 11:0/0
root@box:/home/tc# cat labstart_mpls 
#!/bin/sh

if [ "`pgrep i86bi`" ]
then
 echo ""
 echo ""
 echo "The lab is already loaded"
 echo ""
 echo ""
else
 echo ""
 echo ""
 echo please wait for the Lab to be loaded..
 echo ""
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2001 -- -c configs/R1.cfg -e1 -s0 1 > /dev/null 2>&1 & sleep 5
 echo R1 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2002 -- -c configs/R2.cfg -e1 -s0 2 > /dev/null 2>&1 & sleep 5
 echo R2 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2003 -- -c configs/R3.cfg -e1 -s0  3 > /dev/null 2>&1 & sleep 5
 echo R3 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2004 -- -c configs/R4.cfg -e1 -s0 4 > /dev/null 2>&1 & sleep 5
 echo R4 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2005 -- -c configs/R5.cfg -e1 -s0 5 > /dev/null 2>&1 & sleep 5
 echo R5 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2006 -- -c configs/R6.cfg -e1 -s0 6 > /dev/null 2>&1 & sleep 5
 echo R6 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2007 -- -c configs/R7.cfg -e1 -s0 7 > /dev/null 2>&1 & sleep 5
 echo R7 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2008 -- -c configs/R8.cfg -e1 -s0 8 > /dev/null 2>&1 & sleep 5
 echo R8 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2009 -- -c configs/R9.cfg -e1 -s0 9 > /dev/null 2>&1 & sleep 5
 echo R9 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2010 -- -c configs/R10.cfg -e1 -s0 10 > /dev/null 2>&1 & sleep 5
 echo R10 loaded
 ./wrapper -m ./i86bi_linuxl2-upk9-ms.M -p 2011 -- -c configs/R11.cfg -e1 -s0 11 > /dev/null 2>&1 & sleep 5
 echo R11 loaded
 echo ""
 echo ""
 nohup -g -Fa `pgrep i86bi` > /dev/null 2>&1
fi


Router configuration :

Saturday, June 4, 2011

Can you run two AS numbers in a single router? - Local AS

In my experience we can't, but similar functionality is given by the local-as option. It lets the router present one AS to some neighbors and another AS to other neighbors.

R2 peers with R1 using remote-as 100, while R1 configures R2 with remote-as 2 rather than its real AS 300:
R2#
router bgp 300
 no synchronization
 bgp log-neighbor-changes
 network 200.200.200.0
 neighbor 192.168.100.1 remote-as 100
 neighbor 192.168.100.1 local-as 2
R1#router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.100.2 remote-as 2
 no auto-summary
But when the route is injected, R1 still sees the originating AS 300 in the path, behind the prepended local AS 2:
R1#show ip bgp 
BGP table version is 2, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 200.200.200.0    192.168.100.2            0             0 2 300 i

With the no-prepend keyword we can stop the local AS from being prepended to the routes received from this neighbor (note the path "100 i" instead of "2 100 i"):
R2#show ip bgp 
BGP table version is 3, local router ID is 192.168.100.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 100.100.100.0/24 192.168.100.1            0             0 100 i
*> 200.200.200.0    0.0.0.0                  0         32768 i
 
R2#router bgp 300
 no synchronization
 bgp log-neighbor-changes
 network 200.200.200.0
 neighbor 192.168.100.1 remote-as 100
 neighbor 192.168.100.1 local-as 2 no-prepend
 no auto-summary

Prefix deaggregation and inject-map - BGP Design & Implementation, Chapter 4

This lab is taken directly from BGP Design & Implementation, Chapter 4. The GNS3 configurations are attached below.
Summary -
If the border router injects the summary route as follows:
aggregate-address 172.16.0.0 255.255.0.0 as-set summary-only
the more-specific information behind the aggregate is lost downstream. To regain the best exit path we can regenerate the more-specific prefixes with an inject map:
bgp inject-map Map1 exist-map Map2
Map1 defines the prefixes to inject.
Map2 checks whether the aggregate is present; it needs at least two match statements, one for the route source and one for the aggregate prefix. Can you inject some unrelated prefix outside the aggregate (e.g. the aggregate is 172.16.0.0/16 but you try to inject 10.0.0.0/24)? As usual, you can't :)

The diagram is attached below.

R5 relevant configuration:
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 bgp inject-map AS200-Specific exist-map AS200-aggregate
 neighbor 192.168.12.2 remote-as 100
 neighbor 192.168.12.2 send-community
 neighbor 192.168.23.2 remote-as 100
 neighbor 192.168.23.2 send-community
 neighbor 192.168.24.1 remote-as 200
 neighbor 192.168.24.1 send-community
 no auto-summary
!
ip forward-protocol nd
!
ip bgp-community new-format
!
ip http server
no ip http secure-server
!
!
ip prefix-list AS200-R3 seq 5 permit 192.168.24.1/32
!
ip prefix-list Aggregate seq 5 permit 172.16.0.0/16
!
ip prefix-list Specific seq 5 permit 172.16.1.0/24

no cdp run
!
!
!
route-map AS200-Specific permit 10
 set ip address prefix-list Specific
 set community 100:200 no-export
!
route-map AS200-aggregate permit 10
 match ip address prefix-list Aggregate
 match ip route-source AS200-R3
!

R7#show ip bgp
BGP table version is 4, local router ID is 192.168.13.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i172.16.0.0       192.168.24.1             0    100      0 200 300 i
* i                 192.168.35.1             0    100      0 200 400 i
*>i172.16.1.0/24    192.168.24.1             0    100      0 ?
*>i172.16.2.0/24    192.168.35.1             0    100      0 ?

show ip route on R7 (OSPF carries the IGP routes inside AS 100):

R7#show ip route 
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/1
C    192.168.13.0/24 is directly connected, FastEthernet0/0
O E2 192.168.24.0/24 [110/20] via 192.168.12.1, 00:00:56, FastEthernet0/1
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
B       172.16.0.0/16 [200/0] via 192.168.24.1, 00:00:51
B       172.16.1.0/24 [200/0] via 192.168.24.1, 00:00:51
B       172.16.2.0/24 [200/0] via 192.168.35.1, 00:00:23
O    192.168.23.0/24 [110/20] via 192.168.13.2, 01:21:56, FastEthernet0/0
                     [110/20] via 192.168.12.1, 01:21:23, FastEthernet0/1
O E2 192.168.35.0/24 [110/20] via 192.168.13.2, 00:00:46, FastEthernet0/0

When the BGP peer between R3 and R5 goes down:
*Mar  1 01:25:37.511: %BGP-5-ADJCHANGE: neighbor 192.168.24.1 Down BGP Notification sent
*Mar  1 01:25:37.511: %BGP-3-NOTIFICATION: sent to neighbor 192.168.24.1 4/0 (hold time expired) 0 bytes 
*Mar  1 01:25:38.511: BGP(0): no valid path for 172.16.0.0/16
*Mar  1 01:25:38.511: BGP(0): no valid path for 172.16.1.0/24
*Mar  1 01:25:38.515: BGP(0): nettable_walker 172.16.0.0/16 no best path
*Mar  1 01:25:38.515: BGP(0): nettable_walker 172.16.1.0/24 no best path
*Mar  1 01:25:38.519: BGP(0): 192.168.12.2 send unreachable 172.16.1.0/24
*Mar  1 01:25:38.519: BGP(0): 192.168.12.2 send UPDATE 172.16.1.0/24 -- unreachable
*Mar  1 01:25:38.519: BGP(0): 192.168.12.2 send UPDATE 172.16.0.0/16 -- unreachable
*Mar  1 01:25:38.623: BGP(0): updgrp 3 - 192.168.12.2 updates replicated for neighbors: 192.168.23.2
*Mar  1 01:25:47.283: BGP(0): updating injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
*Mar  1 01:25:47.283: BGP(0): retaining injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16


When the BGP peer comes back up:
*Mar  1 01:27:06.899: %BGP-5-ADJCHANGE: neighbor 192.168.24.1 Up 
*Mar  1 01:27:06.947: BGP(0): 192.168.24.1 rcvd UPDATE w/ attr: nexthop 192.168.24.1, origin i, metric 0, aggregated by 200 192.168.46.2, path 200 300
*Mar  1 01:27:06.951: BGP(0): 192.168.24.1 rcvd 172.16.0.0/16
*Mar  1 01:27:06.955: BGP(0): Revise route installing 1 of 1 routes for 172.16.0.0/16 -> 192.168.24.1(main) to main IP table
*Mar  1 01:27:06.959: BGP(0): 192.168.12.2 NEXT_HOP is on same subnet as the bgp peer and set to 192.168.24.1 for net 172.16.0.0/16
*Mar  1 01:27:06.959: BGP(0): 192.168.12.2 send UPDATE (format) 172.16.0.0/16, next 192.168.24.1, metric 0, path 200 300
*Mar  1 01:27:06.963: BGP(0): updgrp 3 - 192.168.12.2 updates replicated for neighbors: 192.168.23.2
*Mar  1 01:27:47.331: BGP(0): creating injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
*Mar  1 01:27:47.331: BGP(0): updating injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
*Mar  1 01:27:47.335: BGP(0): retaining injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
*Mar  1 01:27:47.335: BGP(0): retaining injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
*Mar  1 01:27:48.063: BGP(0): Revise route installing 1 of 1 routes for 172.16.1.0/24 -> 192.168.24.1(main) to main IP table
*Mar  1 01:27:48.063: BGP(0): 192.168.12.2 NEXT_HOP is on same subnet as the bgp peer and set to 192.168.24.1 for net 172.16.1.0/24
*Mar  1 01:27:48.063: BGP(0): 192.168.12.2 send UPDATE (format) 172.16.1.0/24, next 192.168.24.1, metric 0, path Local
*Mar  1 01:27:48.163: BGP(0): updgrp 3 - 192.168.12.2 updates replicated for neighbors: 192.168.23.2
*Mar  1 01:28:47.355: BGP(0): updating injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
*Mar  1 01:28:47.359: BGP(0): updating injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
*Mar  1 01:28:47.359: BGP(0): retaining injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
*Mar  1 01:28:47.359: BGP(0): retaining injected prefix 172.16.1.0/24, from source prefix 172.16.0.0/16
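To make the inject-map / exist-map logic concrete, here is an added Python model (not the post's or Cisco's code) of R5's configuration. It reproduces the creating / retaining / "no valid path" behaviour of the debug output; the BGP table entries are constructed, and the route source of the second aggregate is assumed to be R5's iBGP neighbor 192.168.23.2.

```python
"""Model of 'bgp inject-map AS200-Specific exist-map AS200-aggregate' from the R5
configuration.  Added example with a constructed BGP table standing in for R5's
'show ip bgp'; not the page's or Cisco's code."""
import ipaddress

# From the R5 configuration above.
AGGREGATE = ipaddress.ip_network("172.16.0.0/16")     # ip prefix-list Aggregate
ROUTE_SOURCE = ipaddress.ip_address("192.168.24.1")   # ip prefix-list AS200-R3 (route-source)
SPECIFICS = ("172.16.1.0/24",)                        # ip prefix-list Specific (inject-map)
COMMUNITY = ("100:200", "no-export")                  # set community in AS200-Specific


def exist_map_matches(route, aggregate=AGGREGATE, route_source=ROUTE_SOURCE):
    """Route-map AND semantics: the aggregate must be present AND learned from the given peer."""
    return route["prefix"] == aggregate and route["source"] == route_source


def inject(table, specifics=SPECIFICS, aggregate=AGGREGATE, route_source=ROUTE_SOURCE):
    """Return the injected routes for the current BGP table.

    A prefix is only created when it is more specific than the aggregate it is derived
    from (the 10.0.0.0/24 question above: it is simply not created).  Injected routes
    inherit the aggregate's next hop and get origin '?' (incomplete), the 'Path ... ?'
    seen on R7."""
    injected = []
    for route in table:
        if not exist_map_matches(route, aggregate, route_source):
            continue
        for spec in specifics:
            prefix = ipaddress.ip_network(str(spec))
            if prefix == aggregate or not prefix.subnet_of(aggregate):
                continue  # outside the aggregate: nothing to deaggregate
            injected.append({
                "prefix": prefix,
                "next_hop": route["next_hop"],
                "origin": "?",
                "community": list(COMMUNITY),
                "source_prefix": route["prefix"],
            })
    return injected


def reconcile(previous, table):
    """One pass of the periodic scanner: the new injected set plus events worded like the
    debug lines above (creating / retaining / no valid path)."""
    current = inject(table)
    prev_prefixes = {r["prefix"] for r in previous}
    cur_prefixes = {r["prefix"] for r in current}
    events = []
    for r in current:
        verb = "retaining" if r["prefix"] in prev_prefixes else "creating"
        events.append(f"{verb} injected prefix {r['prefix']}, from source prefix {r['source_prefix']}")
    for prefix in sorted(prev_prefixes - cur_prefixes):
        events.append(f"no valid path for {prefix}")
    return current, events


def aggregate_route(next_hop, source, as_path):
    """Constructed aggregate entry as R5 holds it: next hop, the peer it was learned from, AS path."""
    return {"prefix": AGGREGATE, "next_hop": ipaddress.ip_address(next_hop),
            "source": ipaddress.ip_address(source), "as_path": list(as_path)}


def walkthrough():
    """R3 (192.168.24.1) up -> 172.16.1.0/24 injected; R3 down -> withdrawn, even though the
    same aggregate is still present via 192.168.35.1 (assumed learned from iBGP peer
    192.168.23.2), because the exist-map's route-source clause no longer matches."""
    both_up = [aggregate_route("192.168.24.1", "192.168.24.1", [200, 300]),
               aggregate_route("192.168.35.1", "192.168.23.2", [200, 400])]
    r3_down = both_up[1:]
    injected, events_up = reconcile([], both_up)
    _, events_steady = reconcile(injected, both_up)
    gone, events_down = reconcile(injected, r3_down)
    return injected, events_up, events_steady, gone, events_down


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```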

GNS3 Configurations

Saturday, May 21, 2011

show ip ospf route - undocumented command in IOS

I think this command was introduced in the NX-OS series, but IOS also supports it, although it seems undocumented.
I have checked it in the following version:
R2#show ver
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Not a supported command?? The parser help does not complete it, yet the full command runs:

R2#show ip ospf ro?  
% Unrecognized command
R2# show ip ospf route

            OSPF Router with ID (192.168.30.10) (Process ID 10)

    Area BACKBONE(0)

    Intra-area Route List
*   192.168.20.0/30, Intra, cost 64, area 0, Connected
      via 192.168.20.1, Serial0/1

    Intra-area Router Path List
i 192.168.20.2 [64] via 192.168.20.2, Serial0/1, ABR, Area 0, SPF 4

    Inter-area Route List
*>  192.168.10.64/26, Inter, cost 138, area 0
      via 192.168.20.2, Serial0/1
*>  192.168.10.32/28, Inter, cost 129, area 0
      via 192.168.20.2, Serial0/1
*>  192.168.10.0/27, Inter, cost 128, area 0
      via 192.168.20.2, Serial0/1

    Inter-area Router Path List
I 192.168.10.33 [128] via 192.168.20.2, Serial0/1, ASBR, Area 0, SPF 4

    Area 1

    Intra-area Route List
*>  192.168.30.0/29, Intra, cost 74, area 1
      via 192.168.30.9, Serial0/0
*   192.168.30.8/29, Intra, cost 64, area 1, Connected
      via 192.168.30.10, Serial0/0

    External Route List
*>  100.100.100.0/24, Ext2, cost 20, tag 0
      via 192.168.20.2, Serial0/1
This is similar to show ip route ospf but it has a nice per-area separation. It also lists the ABRs and ASBRs, so instead of checking "show ip ospf border-routers" you can read them from the
Intra-area Router Path List and Inter-area Router Path List.
Compare with:
R2#show ip route ospf
     192.168.30.0/29 is subnetted, 2 subnets
O       192.168.30.0 [110/74] via 192.168.30.9, 00:17:26, Serial0/0
     192.168.10.0/24 is variably subnetted, 3 subnets, 3 masks
O IA    192.168.10.64/26 [110/138] via 192.168.20.2, 00:08:30, Serial0/1
O IA    192.168.10.32/28 [110/129] via 192.168.20.2, 00:12:08, Serial0/1
O IA    192.168.10.0/27 [110/128] via 192.168.20.2, 00:16:10, Serial0/1

Sunday, May 8, 2011

Connecting Mikrotik in GNS3

Attaching Mikrotik x86 to GNS3.
It's quite easy. On Ubuntu you need the qemu multicast patch; you can download the qemu 0.13 patch (http://nchc.dl.sourceforge.net/project/gns-3/Qemu/qemu-0.13.0-patches.zip) and the Qemu source (http://wiki.qemu.org/download/qemu-0.13.0.tar.gz).
Please check the following post on how to patch qemu:
http://blog.gns3.net/2009/10/olive-juniper/2/

Installation requires the Mikrotik x86 ISO (http://download.mikrotik.com/mikrotik-5.2.iso) and a qemu disk image, which can be created as follows:

qemu-img create -f raw mtik.img 128M

In GNS3 please check whether qemuwrapper is working properly (you need to copy the 2 Python files distributed with GNS3):

-rwxr-xr-x 1 root root 868374 2011-05-08 09:22 pemubin.py
-rwxr-xr-x 1 root root 34162 2011-05-08 09:21 qemuwrapper.py

If everything is set up you can create the qemu host as follows.


If you want to connect through Winbox, follow this post to create the tap interface:

http://www.kbrandt.com/2009/01/how-to-setup-up-an-emulated-cisco-lab-using-gns3-in-ubuntu-part1.html

Then you can run Winbox (you need a Wine installation).



I followed these steps to connect Mikrotik 5.12 with GNS3 on Windows 7; they may be helpful.

First, create the image:
C:\Program Files\GNS3>qemu-img.exe create -f qcow2 mtik5-12.img 256M
Second, install the image from the ISO:
C:\Program Files\GNS3>qemu.exe mtik5-12.img -cdrom mikrotik-5.12.iso -boot d


Third, create the host in GNS3 (linking the image you created in the previous step). If you want multiple hosts, replicate the image and create multiple hosts.




Saturday, May 7, 2011

One drop while tracing - ICMP unreachable & traceroute

Have you ever noticed the * * while tracing to some destination?

Cochran#traceroute 192.168.16.1 probe 4

Type escape sequence to abort.
Tracing the route to 192.168.16.1

  1 172.20.15.5 4 msec 4 msec 0 msec 0 msec
  2 172.20.15.2 4 msec *  0 msec * 
Cochran#

When you ping, there are no drops at all:
Cochran#ping 192.168.16.1 repeat 4

Type escape sequence to abort.
Sending 4, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!
Success rate is 100 percent (4/4), round-trip min/avg/max = 4/5/8 ms
This behaviour is due to the ICMP unreachable rate-limit configuration: only the last hop needs to generate an ICMP unreachable, the other hops normally return their reply via TTL expired (remember how traceroute works). On the last-hop router:
Lindbergh#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down    
Serial0/0                  172.20.15.2     YES NVRAM  up                    up      
FastEthernet0/1            192.168.16.1    YES NVRAM  up                    up      

Lindbergh#show ip icmp rate-limit 

                           DF bit unreachables       All other unreachables   
Interval (millisecond)     500                       500                      

Interface                  # DF bit unreachables     # All other unreachables 
---------                  ---------------------     ------------------------ 
Serial0/0                  0                         16                       
FastEthernet0/1            0                         0                        

Greatest number of unreachables on Serial0/0
Check this document for more detail:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/hticmpun.html#wp1053877
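As an added example (not from the post), the following Python model shows why the rate limiter produces exactly the alternating pattern seen above: traceroute sends its probes one after another, so a probe dropped by the 500 ms limiter is followed by a timeout long enough for the next probe to get through. The 3 s per-probe timeout is an assumption (the IOS default); the 500 ms interval is the value from show ip icmp rate-limit and the 4 ms RTT is taken from the trace output.

```python
"""Model of the '4 msec * 0 msec *' pattern above: the last hop answers traceroute probes with
ICMP unreachables, which IOS rate-limits, while transit hops answer with ICMP time-exceeded
and ping's echo replies are never rate-limited.  Added example, not from the page."""


class IcmpUnreachableRateLimiter:
    """'ip icmp rate-limit unreachable <ms>': at most one unreachable per interval.
    interval_ms=0 models the limiter being switched off."""

    def __init__(self, interval_ms=500):
        self.interval_ms = interval_ms
        self.last_sent_ms = None
        self.suppressed = 0  # what the '# All other unreachables' column counts

    def allow(self, now_ms):
        """Return True if an unreachable may be sent at now_ms; otherwise count it as suppressed."""
        if (self.interval_ms == 0 or self.last_sent_ms is None
                or now_ms - self.last_sent_ms >= self.interval_ms):
            self.last_sent_ms = now_ms
            return True
        self.suppressed += 1
        return False


def traceroute_hop(probes=4, rtt_ms=4, timeout_ms=3000, is_last_hop=True, interval_ms=500):
    """Probe one hop the way IOS traceroute does: probes are sequential, the next one goes out
    when the previous is answered (after rtt_ms) or has timed out (timeout_ms, assumed 3 s).
    Transit hops answer with time-exceeded, which the unreachable limiter does not touch; the
    last hop answers with port-unreachable, which it does.  Returns the per-probe column as
    IOS prints it and the number of suppressed unreachables."""
    limiter = IcmpUnreachableRateLimiter(interval_ms)
    now_ms = 0
    column = []
    for _ in range(probes):
        answered = limiter.allow(now_ms) if is_last_hop else True
        if answered:
            column.append(f"{rtt_ms} msec")
            now_ms += rtt_ms
        else:
            column.append("*")
            now_ms += timeout_ms
    return column, limiter.suppressed


if __name__ == "__main__":
    print("last hop, 500 ms limiter :", traceroute_hop())
    print("transit hop              :", traceroute_hop(is_last_hop=False))
    print("last hop, limiter off    :", traceroute_hop(interval_ms=0))
```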

Friday, April 15, 2011

Exploring Cisco Network Address Translation (NAT) - Part I

Even though I have worked with NAT configuration, it is still troublesome to configure NAT on a Cisco router (I prefer the Mikrotik way of configuring it: simple but powerful).
First, in the Cisco NAT world we have to understand these 4 terms, taken directly from Cisco [1]:

• Inside local address—The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
• Inside global address—A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.
• Outside local address—The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
• Outside global address—The IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
The following diagram depicts the terms in the actual traffic flow.




As depicted, host1 and host2 are in the 192.168.100.0/24 range, and 192.168.100.1 is the virtual IP of HSRP group 10.
The simulated inside network has no access to the outside without NAT:

R2#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)

First, let's see what options are available for ip nat (7200 Software (C7200-ADVENTERPRISEK9-M)):

R1(config)#ip nat ?
Stateful           Stateful NAT configuration commands 
create             Create flow entries
inside             Inside address translation
log                NAT Logging
outside            Outside address translation
piggyback-support  NAT Piggybacking Support
pool               Define pool of addresses
portmap            Define portmap of portranges
service            Special translation for application using non-standard port
sip-sbc            SIP Session Border Controller commands
source             Source address translation
translation        NAT translation entry configuration

1) Stateful NAT (SNAT) works with HSRP, or independently, to let TCP sessions survive when the active/primary router fails [2]. This feature simply syncs the flow entries to the other router; over UDP it uses port 15555.

First, the HSRP configuration on R1:
R1# 
interface FastEthernet1/0
ip address 192.168.100.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby 10 ip 192.168.100.1
standby 10 priority 110
standby 10 name snat_hsrp

Second, we have to create the ip nat stateful configuration:

ip nat Stateful id 10 // the id should be unique for each router
redundancy snat_hsrp // identifies the HSRP group
mapping-id 100 // this id is mapped to the NAT rule below
protocol udp // either tcp or udp can be used

Then we have to create the NAT pool and tie the translation rule to the mapping-id:
ip nat pool TEST2 117.117.117.1 117.117.117.1 netmask 255.255.255.0
ip nat inside source list 105 pool TEST2 mapping-id 100 overload 
// check that the mapping-id matches the one in the stateful configuration

R8 is configured the same way:

R8#show run int fa2/0
Building configuration...

Current configuration : 192 bytes
!
interface FastEthernet2/0
ip address 192.168.100.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby 10 ip 192.168.100.1
standby 10 name snat_hsrp
// stateful configuration on R8


ip nat Stateful id 20 // id is different
redundancy snat_hsrp
mapping-id 100
protocol   udp
ip nat pool TEST2 117.117.117.1 117.117.117.1 prefix-length 24
ip nat inside source list 105 pool TEST2 mapping-id 100 overload

According to this configuration, if stateful NAT were not configured only R1 (HSRP priority 110, the active router) would hold the NAT flow entries. But if you check the NAT table on R8, the same entries are kept on R8:

R8#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 117.117.117.1:55833 192.168.100.100:55833 116.116.116.5:22 116.116.116.5:22
tcp 117.117.117.1:55834 192.168.100.100:55834 116.116.116.5:22 116.116.116.5:22


[2] "Scalability for Stateful NAT - Cisco Systems." [Online]. Available: http://www.cisco.com/en/US/docs/ios/12_4/12_4_mainline/snatsca.html. [Accessed: 15-Apr-2011].

Saturday, April 9, 2011

Wireless environment OSPF neighbor issue

This setup is a simple point-to-point link, but the physical transport medium is wireless.

When I enable OSPF the neighbor comes up, but the adjacency frequently goes up and down:
Apr 9 08:09:33.719 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from FULL to DOWN, Neighbor Down: Dead timer expired
Apr 9 08:09:33.731 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from LOADING to FULL, Loading Done
Apr 9 08:12:23.720 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from FULL to DOWN, Neighbor Down: Dead timer expired
Apr 9 08:12:33.735 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from LOADING to FULL, Loading Done
Apr 9 08:15:13.721 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from FULL to DOWN, Neighbor Down: Dead timer expired
Apr 9 08:15:23.737 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from LOADING to FULL, Loading Done
Apr 9 08:19:43.729 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from FULL to DOWN, Neighbor Down: Dead timer expired
Apr 9 08:19:53.740 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from LOADING to FULL, Loading Done

I've confirmed there is no link failure, but the hello packets are not received and the dead timer expires. I'm not sure where the problem is, but I assume it is multicast support on the wireless bridge devices. This can be fixed using unicast neighbor establishment.
Change the interface network type to NBMA:
#ip ospf network ?
broadcast Specify OSPF broadcast multi-access network
non-broadcast Specify OSPF NBMA network
point-to-multipoint Specify OSPF point-to-multipoint network
point-to-point Specify OSPF point-to-point network
and in the OSPF process define the neighbor statically; this makes the hellos unicast, which solves the problem.
(config-router)#neighbor ?
A.B.C.D Neighbor address
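To tell real link trouble from lost hellos, an added example (not from the post): a parser for the %OSPF-5-ADJCHG messages above that computes how long each outage lasted and how often the neighbor drops, plus a simple flap threshold a monitoring job could alert on. The sample is the post's log with one unrelated, constructed syslog line added to show it being skipped; the year is assumed because IOS does not log it.

```python
"""Quantify OSPF adjacency flaps from IOS syslog (%OSPF-5-ADJCHG) messages."""
import re
from datetime import datetime
from typing import Any, Dict, List

ASSUMED_YEAR = 2011  # IOS timestamps carry no year; assumed for the sample

ADJCHG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}) \S+: %OSPF-5-ADJCHG: "
    r"Process (?P<proc>\d+), Nbr (?P<nbr>[\d.]+) on (?P<intf>\S+) "
    r"from (?P<old>[A-Z]+) to (?P<new>[A-Z]+), (?P<reason>.+)$"
)

# The log lines from this post, plus one constructed unrelated message at the end.
SAMPLE_LOG = """\
Apr 9 08:09:33.719 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from FULL to DOWN, Neighbor Down: Dead timer expired
Apr 9 08:09:33.731 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from LOADING to FULL, Loading Done
Apr 9 08:12:23.720 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from FULL to DOWN, Neighbor Down: Dead timer expired
Apr 9 08:12:33.735 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from LOADING to FULL, Loading Done
Apr 9 08:15:13.721 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from FULL to DOWN, Neighbor Down: Dead timer expired
Apr 9 08:15:23.737 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from LOADING to FULL, Loading Done
Apr 9 08:19:43.729 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from FULL to DOWN, Neighbor Down: Dead timer expired
Apr 9 08:19:53.740 LKT: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.61.192 on Vlan2 from LOADING to FULL, Loading Done
Apr 9 08:20:00.000 LKT: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_adjchg(text: str) -> List[Dict[str, Any]]:
    """One dict per ADJCHG line; unrelated syslog lines are skipped."""
    events: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = ADJCHG.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append({"ts": ts, "nbr": m["nbr"], "intf": m["intf"],
                       "old": m["old"], "new": m["new"], "reason": m["reason"]})
    return events


def flap_summary(events: List[Dict[str, Any]],
                 dead_reason: str = "Dead timer expired") -> Dict[str, Dict[str, list]]:
    """Per neighbor: when it went DOWN on dead-timer expiry, how long each
    outage lasted (until the next FULL) and the gap between consecutive downs."""
    per: Dict[str, Dict[str, list]] = {}
    for ev in events:
        key = f"{ev['nbr']}@{ev['intf']}"
        s = per.setdefault(key, {"downs": [], "outages_s": [], "intervals_s": []})
        if ev["new"] == "DOWN" and dead_reason in ev["reason"]:
            if s["downs"]:
                s["intervals_s"].append((ev["ts"] - s["downs"][-1]).total_seconds())
            s["downs"].append(ev["ts"])
        elif ev["new"] == "FULL" and len(s["outages_s"]) < len(s["downs"]):
            s["outages_s"].append((ev["ts"] - s["downs"][-1]).total_seconds())
    return per


def is_flapping(stats: Dict[str, list], min_flaps: int = 3, window_s: int = 900) -> bool:
    """True if `min_flaps` dead-timer downs fall inside any `window_s` window."""
    downs = stats["downs"]
    for i in range(len(downs) - min_flaps + 1):
        if (downs[i + min_flaps - 1] - downs[i]).total_seconds() <= window_s:
            return True
    return False


if __name__ == "__main__":
    for nbr, stats in flap_summary(parse_adjchg(SAMPLE_LOG)).items():
        print(nbr, "downs:", len(stats["downs"]),
              "outages(s):", [round(x, 3) for x in stats["outages_s"]],
              "flapping:", is_flapping(stats))
```

Dead-timer expiries followed by recovery within seconds, with the link never reported down, are the signature of hellos being dropped in transit rather than a physical failure; the threshold in `is_flapping` is where an alert would fire before the unicast neighbor fix above is applied.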

Wednesday, March 16, 2011

Cisco packet switching order

In this lab setup I was trying to understand the Cisco packet switching order from Routing TCP/IP Vol. 1.



In this setup, if we enable debug ip packet on R1, do we see the packets transferred between Host 1 and Host 2? Let's ping from Host 2 to Host 1.
Except for some broadcast packets there is nothing in the debugging output. Why?

R1#debug ip packet
IP packet debugging is on
R1#
*Mar 1 00:15:00.823: IP: s=0.0.0.0 (FastEthernet0/0),
d=255.255.255.255, len 576, rcvd 2
R1#
*Mar 1 00:15:03.835: IP: s=0.0.0.0 (FastEthernet0/0),
d=255.255.255.255, len 576, rcvd 2
R1#
*Mar 1 00:15:06.839: IP: s=0.0.0.0 (FastEthernet0/0),
d=255.255.255.255, len 576, rcvd 2
R1#
*Mar 1 00:15:29.907: IP: s=0.0.0.0 (FastEthernet0/0),
d=255.255.255.255, len 576, rcvd 2
R1#
*Mar 1 00:15:32.911: IP: s=0.0.0.0 (FastEthernet0/0),
d=255.255.255.255, len 576, rcvd 2
R1#
*Mar 1 00:15:35.911: IP: s=0.0.0.0 (FastEthernet0/0),
d=255.255.255.255, len 576, rcvd 2


The answer is:
ip packet debugging only shows packets that are process switched; packets handled by CEF or fast switching never reach it.

Let's try further:
Let's change the switching to process switching on R1 fa0/0, which faces host 192.168.1.2. To disable CEF and fast switching we can use the following commands:


R1(config)#int fa0/0
R1(config-if)#no ip route-cache ?
cef Enable Cisco Express Forwarding
flow Enable Flow fast-switching cache
policy Enable fast-switching policy cache for outgoing packets
same-interface Enable fast-switching on the same interface
R1(config-if)#no ip route-cache cef
R1(config-if)#no ip route-cache

Let's try to ping from 192.168.3.2 to 192.168.3.1:


R1#
*Mar 1 00:36:30.131: IP: tableid=0, s=192.168.1.2 (FastEthernet0/0), d=192.168.3.2 (FastEthernet0/1), routed via FIB
*Mar 1 00:36:30.131: IP: s=192.168.1.2 (FastEthernet0/0), d=192.168.3.2 (FastEthernet0/1), g=192.168.2.2, len 84, forward
R1#
R1#
R1#
R1#


Only one packet is shown here; where are the others? The above output shows two behaviors:

When the inbound interface is process switching and the outbound is CEF / fast switching, the resulting switching method is fast switching. That is what the output shows: only the first packet is process switched, which is the expected behavior for fast switching (the first packet of a flow is process switched to populate the fast-switching cache, and the rest are switched from the cache).

No packet is shown with source 192.168.3.2, because at that stage the forwarding happens via CEF (if the inbound is CEF and the outbound is process / fast switching, the resulting method is CEF).

summary :

1) If the inbound is CEF switching method will be CEF
2) if the inbound is Process and the outbound is CEF / Fast resulting switching will be Fastswitching
3) if the inbound is Fast and outbound is CEF resulting will be Fast
4) if the inbound is Fast and outbound is Process resulting will be Process

There is an exception list we need to consider.

Reference: Table 3.1, Chapter 3, Routing TCP/IP Vol. 1, 2nd edition.

Sunday, March 6, 2011

Proxy ARP

In the above diagram, neither host has a default route, but both are in the same /16 subnet. When host1 tries to ping host2, will it succeed? Yes, and this behaviour is due to the proxy ARP feature.
Note: Cisco enables proxy ARP by default; you have to disable it manually.

Check the following debug messages ("debug arp") from the router.
When the ARP request for 192.168.20.101 is received on the router's Fa0/1, it replies with the MAC address of Fa0/1 itself (c200.03fc.0001), and vice versa:

*Mar 1 00:11:43.071: IP ARP: rcvd req src 192.168.12.154 00aa.00f4.6800, dst 192.168.20.101 FastEthernet0/1
*Mar 1 00:11:43.075: IP ARP: sent rep src 192.168.20.101 c200.03fc.0001,dst 192.168.12.154 00aa.00f4.6800 FastEthernet0/1

*Mar 1 00:13:13.067: IP ARP: rcvd req src 192.168.20.101 00aa.0041.1d00, dst 192.168.12.154 FastEthernet0/0
*Mar 1 00:13:13.067: IP ARP: sent rep src 192.168.12.154 c200.03fc.0000, dst 192.168.20.101 00aa.0041.1d00 FastEthernet0/0


The following per-interface command disables the proxy ARP feature:
# no ip proxy-arp



Saturday, March 5, 2011

Internet Protocol Control Protocol in PPP links.


In this post we will look at the PPP link's IP address / route negotiation.

In the above diagram there is no static routing or routing protocol implemented, just a serial interface with PPP encapsulation and the link brought up.
If you try to ping the R1 interface IP 192.168.100.1 from the R2 interface IP 192.168.1.1, will it succeed?


R2#ping 192.168.100.1
Let's check the router interfaces:
R1#show run int s1/0
Building configuration...
Current configuration : 160 bytes
!
interface Serial1/0
ip address 192.168.200.1 255.255.255.0 secondary
ip address 192.168.100.1 255.255.255.0
encapsulation ppp
serial restart-delay 0

R2#show run int s1/0
Building configuration...

Current configuration : 110 bytes
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.254
encapsulation ppp
serial restart-delay 0
end

The answer is yes, you can ping:
R2#ping 192.168.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/36/84 ms
R2#

Check the routing table: 192.168.100.1 is directly connected!

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Serial1/0
192.168.100.0/32 is subnetted, 1 subnets
C 192.168.100.1 is directly connected, Serial1/0

How it works:
The IP address is negotiated through IPCP as defined in RFC 1332:
“The IP Control Protocol (IPCP) is responsible for configuring, enabling, and disabling the IP protocol modules on both ends of the point-to-point link.“

I enabled debugging to see what is going on:
*Mar 1 00:31:48.207: Se1/0 PPP: I pkt type 0x8021, datagramsize 14 link[ip]
*Mar 1 00:31:48.211: Se1/0 IPCP: I CONFREQ [Open] id 3 len 10
*Mar 1 00:31:48.211: Se1/0 IPCP: Address 192.168.100.2 (0x0306C0A86402)
*Mar 1 00:31:48.215: Se1/0 IPCP: O CONFREQ [Open] id 3 len 10
*Mar 1 00:31:48.215: Se1/0 IPCP: Address 192.168.1.1 (0x0306C0A80101)
*Mar 1 00:31:48.215: Se1/0 IPCP: O CONFACK [Open] id 3 len 10
*Mar 1 00:31:48.219: Se1/0 IPCP: Address 192.168.100.2 (0x0306C0A86402)
*Mar 1 00:31:48.367: Se1/0 PPP: I pkt type 0x8021, datagramsize 14 link[ip]
*Mar 1 00:31:48.367: Se1/0 IPCP: I CONFACK [ACKsent] id 3 len 10
*Mar 1 00:31:48.371: Se1/0 IPCP: Address 192.168.1.1 (0x0306C0A80101)
Further Reading:
Internet Protocol Control Protocol in PPP links - http://tools.ietf.org/html/rfc1332
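To see what the debug lines carry on the wire, an added example (not from the post): a small decoder for IPCP packets and a simplified responder for the RFC 1332 IP-Address negotiation. The packet bytes are reconstructed from the fields the debug prints (CONFREQ, id 3, len 10 and the option bytes 0x0306C0A86402); the responder only handles option 3, and the address 192.168.100.9 it hands out is an arbitrary constructed value.

```python
"""Decode and answer IPCP (RFC 1332) packets like the ones in the debug above."""
import ipaddress
import struct
from typing import Dict, List, Tuple

IPCP_CODES = {1: "CONFREQ", 2: "CONFACK", 3: "CONFNAK", 4: "CONFREJ",
              5: "TERMREQ", 6: "TERMACK", 7: "CODEREJ"}
# Option 3 = IP-Address (RFC 1332); 129/131 = Primary/Secondary DNS (RFC 1877).
OPTION_NAMES = {2: "IP-Compression-Protocol", 3: "IP-Address",
                129: "Primary-DNS", 131: "Secondary-DNS"}
ADDRESS_OPTIONS = {3, 129, 131}   # options whose value is a single IPv4 address

# The incoming Configure-Request from the debug: "I CONFREQ id 3 len 10" with
# option bytes 0x0306C0A86402. Header reconstructed from those fields:
# code 1 (CONFREQ), id 3, length 10.
CONFREQ_FROM_LOG = bytes.fromhex("0103000a" "0306c0a86402")

Option = Tuple[int, bytes]


def parse_options(data: bytes) -> List[Option]:
    """Split the option area into (type, value) pairs; length covers the 2-byte header."""
    opts: List[Option] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad option length {length} at offset {i}")
        opts.append((typ, data[i + 2:i + length]))
        i += length
    return opts


def parse_ipcp(packet: bytes) -> Dict[str, object]:
    """Decode the IPCP header (code, id, length) and describe each option."""
    if len(packet) < 4:
        raise ValueError("short IPCP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(f"IPCP length {length} inconsistent with {len(packet)} bytes")
    described = []
    for typ, val in parse_options(packet[4:length]):
        name = OPTION_NAMES.get(typ, f"option-{typ}")
        if typ in ADDRESS_OPTIONS and len(val) == 4:
            described.append((name, str(ipaddress.IPv4Address(val))))
        else:
            described.append((name, val.hex()))
    return {"code": IPCP_CODES.get(code, f"code-{code}"), "id": ident,
            "length": length, "options": described}


def build_ipcp(code: int, ident: int, options: List[Option]) -> bytes:
    """Serialise an IPCP packet: 4-byte header followed by TLV options."""
    body = b"".join(bytes([typ, 2 + len(val)]) + val for typ, val in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def respond_to_confreq(packet: bytes, assign_addr: str) -> bytes:
    """Simplified responder for the IP-Address negotiation of RFC 1332.

    Only option 3 is supported, so anything else is Configure-Rejected; a
    request for 0.0.0.0 means "give me an address" and is Configure-Nak'd with
    `assign_addr`; any other address is Configure-Ack'd as offered.
    """
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("not a Configure-Request")
    opts = parse_options(packet[4:length])
    rejected = [(t, v) for t, v in opts if t != 3]
    if rejected:
        return build_ipcp(4, ident, rejected)
    naks = [(3, ipaddress.IPv4Address(assign_addr).packed)
            for t, v in opts if t == 3 and v == bytes(4)]
    if naks:
        return build_ipcp(3, ident, naks)
    return build_ipcp(2, ident, opts)


if __name__ == "__main__":
    print(parse_ipcp(CONFREQ_FROM_LOG))
    print(parse_ipcp(respond_to_confreq(CONFREQ_FROM_LOG, "192.168.100.9")))
```

The option bytes decode as type 3 (IP-Address), length 6, value C0A86402 = 192.168.100.2, which is what IOS prints next to them; the debug shows both ends sending a CONFREQ with their own address and answering the peer's with a CONFACK, and after that exchange the router installs the peer's address as the connected /32 seen in R2's routing table above.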


Friday, March 4, 2011

/31 point-to-point IP address configuration

Can we assign a /31 address on a point-to-point link and save 50% of the IP addresses?
The answer is yes.

R2(config)#int fa0/0
R2(config-if)#ip address 192.168.1.0 255.255.255.254
% Warning: use /31 mask on non point-to-point interface cautiously


R4(config)#int fa0/0
R4(config-if)#ip address 192.168.1.1 255.255.255.254
% Warning: use /31 mask on non point-to-point interface cautiously

Let’s try to ping :)

R4#ping 192.168.1.0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.0, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

OK, do we need privileged mode to ping? No.

R4> ping 192.168.1.0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.0, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Let’s check the ip route:

R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/31 is subnetted, 2 subnets
C 192.168.1.0 is directly connected, FastEthernet0/0
C 192.168.1.2 is directly connected, FastEthernet0/1

I tried to assign it the same way on 3550 and 3560 switches; there were no issues.

"I'm just wondering.... So what is the use of network and broadcast addresses anyway?":
First, if it's a real point-to-point interface (e.g. serial, PPP) we don't need to assign an IP address at all (unnumbered), or we could use /32 on both sides.
But when we use Ethernet as point-to-point we need to consider the broadcast addresses:

RFC 1812 says in section 4.2.3.1, IP Broadcast Addresses:
"(2) SHOULD silently discard on receipt (i.e., do not even deliver to applications in the router) any packet addressed to 0.0.0.0 or { <Network-prefix>, 0 }. If these packets are not silently discarded, they MUST be treated as IP broadcasts (see Section [5.3.5]). There MAY be a configuration option to allow receipt of these packets. This option SHOULD default to discarding them."

Broadcasts fall into two categories:

  • Limited broadcast (local)
    1. 0.0.0.0
    2. All ones - 255.255.255.255
  • Directed broadcast
    1. Network, <all zeros> - this is obsolete (reference: RFC 3021 section 2.2)
    2. Network, <all ones>

But our concern here is the directed broadcast; anything that needs to broadcast can still use the limited broadcast. We have to understand that the directed broadcast only affects the local router and the segment that is the point-to-point link. Further, routing protocols use multicast, limited broadcast or unicast addresses, which are not affected by the /31 addressing scheme.
Anyway, directed broadcasts are always filtered as best practice.
 

Further Reading:
http://www.faqs.org/rfcs/rfc3021.html
http://www.faqs.org/rfcs/rfc1812.html
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ft31addr.html

Thursday, February 17, 2011

Can we give our actual details to forums?

After the release of the whole rootkit.com MySQL database (http://stfu.cc/rootkit_com_mysqlbackup_02_06_11.gz), 85000 users' details (at least 50000 users if we remove the duplicates), I searched for my data and obviously it was listed there.. :( Anyway, I used to rotate my passwords and use lame passwords in forums, so I feel safe. But after the breach the owners could advise the users of the group; maybe they don't have the data now? Some of the hashes I could reverse. I searched some Sri Lankan users, around 30 users; I could reverse some of the users' passwords, obviously mine too as a reference ;).

Hopefully dedicated crackers could use large rainbow tables to reverse more of it; I don't want to waste my time.

Reverse hashing sites:
http://md5.thekaine.de/ ( if you have better sites please let me know)
http://md5.my-addr.com/md5_decrypt-md5_cracker_online/md5_decoder_tool.php
http://www.netmd5crack.com/cracker/
http://isc.sans.edu/tools/reversehash.html

1023 passwords are "123456" :)
384 - "password"
329 - "rootkit"
190 - "111111"
181 - "12345678"
174 - "qwerty"


Analysis about the attack:
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

jibberjabber :)

Wednesday, February 9, 2011

Mikrotik queue tree - per connection queuing

One of the cool features of Mikrotik queuing is Per Connection Queuing (PCQ): we can equally distribute the bandwidth among a number of users. [1]
This setup explores per connection queuing in a congestion situation and how to use the priority queuing features.


[Please note that in Mikrotik queues the lowest priority value has the highest priority, e.g. queue priority 7 traffic gets preference over queue priority 8.]
In this test setup 192.168.92.50 and 51 are given 512Kbps per connection queuing (PCQ) at priority 6; 192.168.52 and 54 are placed under 256Kbps PCQ (priority 8); and YouTube users are given 384Kbps irrespective of the queue they are currently placed in (FIFO).


1) Bridge setup - "Don't forget to enable the bridge firewall :)"
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=1522 \
max-message-age=20s mtu=1500 name=br_traffic_shaper priority=0x8000 protocol-mode=none transmit-hold-count=6

/interface bridge port
add bridge=br_traffic_shaper comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10 point-to-point=auto \
priority=0x80
add bridge=br_traffic_shaper comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 point-to-point=auto \
priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no


2) Place an address list to define the 512Kbps users:
/ip firewall address-list
add address=192.168.92.50 comment="" disabled=no list=specical
add address=192.168.92.54 comment="" disabled=no list=specical


All others are placed in 256Kbps by marking the whole subnet (/29); make sure passthrough is enabled on the connection-mark rules so the later rules still see the packets. YouTube traffic is simply matched on the packet content; the connection mark then matches the whole session's traffic.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="" content=youtube disabled=no  \
new-connection-mark=youtube passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=youtube disabled=no new-packet-mark=youtube-packet passthrough=no
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=special passthrough=yes src-address-list=specical
add action=mark-packet chain=prerouting comment="" connection-mark=special disabled=no new-packet-mark=special_pkt passthrough=no
add action=mark-connection chain=prerouting comment="" disabled=no dst-address=192.168.92.48/29 new-connection-mark=all_conn \
passthrough=yes
add action=mark-packet chain=prerouting comment="" connection-mark=all_conn disabled=no new-packet-mark=all_pkt \
passthrough=yes


3) Define the queue types:
/queue type
add kind=pcq name=256K_Users pcq-classifier=dst-address pcq-limit=50 pcq-rate=256000 pcq-total-limit=2000
add kind=pcq name=512K_Users pcq-classifier=dst-address pcq-limit=50 pcq-rate=512000 pcq-total-limit=2000


4) Define the Parent queue:
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1024k max-limit=1024k name=Test_Parent_Dwn parent=ether1 \
priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1024k max-limit=1024k name=Test_Parent_Up parent=ether2 \
priority=8


5) Define the sub queue tree based on the marking:
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=1024k name=256K_U packet-mark=all_pkt parent=\
Test_Parent_Dwn priority=8 queue=256K_Users
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=512k name=go packet-mark=special_pkt parent=\
Test_Parent_Dwn priority=6 queue=512K_Users
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=384k name=youtube packet-mark=youtube-packet parent=\
Test_Parent_Dwn priority=2 queue=default


We can see that if all the users download in this situation (except YouTube) the total goes to 1.5Mbps, but since the max-limit for the 512K users is 512Kbps they will share it equally at 256Kbps each; if one user is not downloading, the other user will get the full 512Kbps.
But if the max-limit is 768Kbps both users will divide that bandwidth equally, and at the same time the 256Kbps users will get 128Kbps each.

In this scenario (max-limit 512Kbps, and 384Kbps for YouTube), when 4 users are downloading and one user goes to YouTube, he will get 384Kbps and the remaining 640Kbps will be available for the other users.
Since 512Kbps goes to the priority 6 users, only 128Kbps is allocated to the 256K users apart from YouTube (there is a dependency on the packet-mark rule order in our setup).

If the total max-limit of the sub-queues with the highest priority (lowest number) exceeds the total bandwidth,
the lowest priority queues will starve (0Kbps will be allocated). Do some math before allocating bandwidth and priority.
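To do that math, an added example (not RouterOS code and not from the post): a simplified Python model of the queue tree above. It assumes limit-at is 0 everywhere (as in the post), so the parent is shared strictly in priority order with each child capped at its max-limit, and PCQ splits a child's share equally among active users up to pcq-rate; bursts are ignored. The user names and the 1000Kbps "wants everything" demands are constructed; the queue names, priorities, limits and pcq-rates are the post's.

```python
"""Model of RouterOS priority scheduling plus PCQ sharing for a congested parent."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Child:
    name: str
    priority: int                 # RouterOS: 1 is served first, 8 last
    max_limit: int                # kbps the child may take at most
    pcq_rate: int = 0             # kbps cap per user (PCQ); 0 = plain FIFO queue
    demands: Dict[str, int] = field(default_factory=dict)  # user -> kbps wanted


def allocate(parent_kbps: int, children: List[Child]) -> Dict[str, Dict[str, int]]:
    """Hand out the parent's bandwidth in priority order.

    Each child gets min(total capped demand, max-limit, what is left). Inside a
    child the share is split fairly among active users (water-filling), each
    user capped at its own demand and, for PCQ, at pcq-rate. limit-at is taken
    as 0 as in the post, so there are no guaranteed minimums.
    """
    remaining = parent_kbps
    result: Dict[str, Dict[str, int]] = {}
    for child in sorted(children, key=lambda c: c.priority):
        active = {u: d for u, d in child.demands.items() if d > 0}
        caps = {u: (min(d, child.pcq_rate) if child.pcq_rate else d)
                for u, d in active.items()}
        budget = min(sum(caps.values()), child.max_limit, remaining)
        share: Dict[str, int] = {}
        left = budget
        # smallest cap first, so a user who wants little does not hold a full share
        for idx, (user, cap) in enumerate(sorted(caps.items(), key=lambda kv: kv[1])):
            give = min(cap, left // (len(caps) - idx))
            share[user] = give
            left -= give
        remaining -= sum(share.values())
        result[child.name] = share
    return result


def starved(alloc: Dict[str, Dict[str, int]]) -> List[str]:
    """Queues that had demand but received nothing at all."""
    return [name for name, share in alloc.items() if share and not any(share.values())]


def post_setup(special_max: int = 512, youtube_demand: int = 0,
               special_users: Tuple[str, ...] = (".50", ".54")) -> List[Child]:
    """The queue tree from this post under a 1024k parent (user demands constructed)."""
    return [
        Child("youtube", priority=2, max_limit=384, demands={"yt-user": youtube_demand}),
        Child("go", priority=6, max_limit=special_max, pcq_rate=512,
              demands={u: 1000 for u in special_users}),
        Child("256K_U", priority=8, max_limit=1024, pcq_rate=256,
              demands={".51": 1000, ".52": 1000}),
    ]


if __name__ == "__main__":
    for label, tree in [("base", post_setup()),
                        ("special max 768", post_setup(special_max=768)),
                        ("youtube active", post_setup(youtube_demand=1000)),
                        ("youtube + 768", post_setup(special_max=768, youtube_demand=1000))]:
        alloc = allocate(1024, tree)
        print(label, alloc, "starved:", starved(alloc))
```

`allocate(1024, post_setup())` reproduces the 256/256 and 256/256 split described above; `special_max=768` gives 384/384 and 128/128; a YouTube user takes 384 and leaves 64 each for the 256K users; and with YouTube active while the special queue is allowed 768, the 256K queue gets nothing, which is the starvation case the last paragraph warns about.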

[1] Manual:Queues - PCQ - http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ

Tuesday, February 1, 2011

ANSI color codes: what to do with them in a Windows terminal

I was trying some telnet coding with Net::Telnet and received some text as the response from a Mikrotik router:
[m [36m/interface [m [m [36methernet
When you see such text in your Windows Notepad editor (?) (I thought to replace these unwanted characters :)), what would you do?

After some googling I found this is ANSI color code supported by Linux terminals; if you cat the file it will display correctly. For Windows there are some resources, but they seem to be outdated; has anyone found better resources?
http://www.andre-simon.de/zip/download.html#ansifilter
http://www.defacto2.net/nfo-files.cfm
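Rather than editing the codes out by hand, an added example (not from the post): a Python filter that strips ANSI escape sequences from captured output. The sample string is the post's Mikrotik export with the ESC bytes put back, since those are what Notepad does not display.

```python
"""Strip ANSI/VT100 colour codes from captured router output."""
import re

# CSI sequences (ESC [ parameters intermediates final-byte) and two-byte ESC forms.
ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[@-Z\\-_]")

# Constructed sample: the Mikrotik export from the post with the ESC (0x1b)
# bytes restored; Notepad drops them and shows only the "[36m" remainder.
SAMPLE = "\x1b[m \x1b[36m/interface \x1b[m \x1b[m \x1b[36methernet\x1b[m"


def strip_ansi(text: str) -> str:
    """Remove every escape sequence; the visible text is left untouched."""
    return ANSI_RE.sub("", text)


def clean_router_output(text: str) -> str:
    """Strip the codes and collapse the whitespace they leave behind."""
    return " ".join(strip_ansi(text).split())


def has_ansi(text: str) -> bool:
    """True if the text still carries any escape sequence."""
    return ANSI_RE.search(text) is not None


if __name__ == "__main__":
    print(repr(strip_ansi(SAMPLE)))
    print(clean_router_output(SAMPLE))
```

For scripted sessions the cleaner fix is to stop RouterOS sending the colours at all: appending +c to the login name (for example admin+c) disables console colours.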

Friday, January 28, 2011

Can you assign the same IP address to two interfaces?

On Cisco, if the interface type is point-to-point we don't need to assign an IP address, per RFC 1812 section 2.2.7.
Related to this, if the interface type is P2P we can assign the same IP address to two interfaces:

Serial1/0 192.168.1.1 YES manual up up
Serial1/1 192.168.1.1 YES manual up up


OK, if I ping 192.168.1.2 where will it go? Let's explore it.

Basic diagram

R2 (s1/0)--<(s1/1) R1 (s1/0)>--(s1/0) R3 -- LO 192.168.6.1/32


R1#show ip route 192.168.1.2
Routing entry for 192.168.1.0/30
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Serial1/0
Route metric is 0, traffic share count is 1
directly connected, via Serial1/1
Route metric is 0, traffic share count is 1

So basically load sharing :)
Furthermore,

R1#show ip cef 192.168.6.1
192.168.6.1/32
nexthop 192.168.1.2 Serial1/0
nexthop 192.168.1.2 Serial1/1


If I enable debug ip icmp and change the interface load-sharing mode to per-packet:

R1#ping 192.168.6.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.6.1, timeout is 2 seconds:
U!
*Jan 28 22:24:25.455: ICMP: dst (192.168.1.1) host unreachable rcv from 192.168.1.2
*Jan 28 22:24:25.555: ICMP: echo reply rcvd, src 192.168.6.1, dst 192.168.1.1.!U
Success rate is 40 percent (2/5), round-trip min/avg/max = 76/88/100 ms
R1#
*Jan 28 22:24:27.635: ICMP: echo reply rcvd, src 192.168.6.1, dst 192.168.1.1
*Jan 28 22:24:27.743: ICMP: dst (192.168.1.1) host unreachable rcv from 192.168.1.2


So we can assign the same IP address; if both interfaces connect to the same device there is no issue, otherwise it will be a problem.

XAMPP WebDAV Vulnerability

This vulnerability is basically that WebDAV can be accessed like an FTP server if you know the username and password. Since XAMPP ships a default username and password, and users don't restrict access to the XAMPP directory after installation, attackers can place their files and execute them remotely. They can use your PC to DDoS their targets.


Quite strange: my machine was generating 80Mbps of traffic towards one host.
As usual I searched through Process Explorer (Sysinternals) for any unwanted process or TCP connection; nothing suspicious. But the anti-virus logs pointed out httpd.exe trying to access IRC ports; httpd.exe is the XAMPP Apache server process.

1/21/2011 10:02:23 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 173.192.66.130:6666
1/21/2011 10:35:45 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6668
1/21/2011 10:37:04 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 199.27.134.100:6666
1/21/2011 10:39:36 AM Blocked by port blocking rule X:\xampplite\apache\bin\httpd.exe Anti-virus Standard Protection:Prevent IRC communication 74.53.201.162:6668

So I was suspicious of XAMPP and started to google around for XAMPP vulnerabilities, and found that XAMPP WebDAV has a default password: anybody can access it and place files in the folder, and through that they can access the whole server content.
Next step, the Apache logs.
The access log shows it too (watch the PUT):


50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "GET /webdav/ HTTP/1.1" 200 313 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - - [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 401 1369 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:35 +0530] "PUT /webdav/info.php HTTP/1.1" 201 332 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:36 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - - [18/Jan/2011:14:02:41 +0530] "GET /webdav/info.php HTTP/1.1" 200 105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "DELETE /webdav/info.php HTTP/1.1" 204 - "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:49 +0530] "PUT /webdav/x32.php HTTP/1.1" 201 331 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3174 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:50 +0530] "PUT /webdav/servconfig.php HTTP/1.1" 201 338 "-" "WEBDAV Client"
50.22.21.218 - wampp [18/Jan/2011:14:02:52 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 3958 "-" "WEBDAV Client"

Three files were placed by the attackers: leaf.php, servconfig.php and x32.php (no idea what leaf.php is; anybody have any idea? Here I've attached the PHP files):

01/22/2011 03:03 AM 1,107 leaf.php
01/21/2011 08:56 PM 3,775 servconfig.php
12/20/2009 12:00 AM 277 webdav.txt
01/18/2011 02:02 PM 1,975 x32.php

RAR file:
http://hotfile.com/dl/100076218/c618307/webdav.rar.html

x32.php gives a basic interface where the attacker enters a host and time duration for the attack. Sample attack requests (these may vary depending on the PHP / active content the attacker places):

91.121.2.103 - - [27/Jan/2011:15:09:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:14 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:10:51 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1133 "-" "-"
91.121.2.103 - - [27/Jan/2011:15:13:48 +0530] "GET /webdav/x32.php?act=phptools&host=76.105.134.136&time=120&port=3074 HTTP/1.1" 200 1134 "-" "-"

Workaround:
Change the default username and password of the WebDAV folder placed by XAMPP:
X:/xampp/security/webdav.htpasswd

Or delete the webdav folder. Search Google for "XAMPP WebDAV vulnerability" for more.
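A detection you would want on any server that exposes WebDAV, as an added example (not from the post and not XAMPP's own tooling): it runs over Apache access-log lines and flags successful WebDAV write methods under /webdav/, uploads of server-side script files, a later GET of a file that was just uploaded (the upload-then-execute pattern in the log above), and successful use of the shipped account name. The log lines are constructed after the post's, with a documentation IP address.

```python
"""Flag WebDAV abuse (upload-then-execute) in Apache access-log lines."""
import re
from collections import Counter
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

WEBDAV_WRITE = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
SCRIPT_EXT = (".php", ".phtml", ".php3", ".asp", ".aspx", ".jsp", ".cgi", ".pl")
DEFAULT_ACCOUNTS = {"wampp"}      # the XAMPP-shipped WebDAV user seen in the post's log
WATCHED_PREFIX = "/webdav/"

# Constructed sample modelled on the post's log, using a documentation address.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 401 1369 "-" "WEBDAV Client"
192.0.2.10 - wampp [18/Jan/2011:14:02:34 +0530] "PROPFIND /webdav/ HTTP/1.1" 207 2397 "-" "WEBDAV Client"
192.0.2.10 - wampp [18/Jan/2011:14:02:35 +0530] "PUT /webdav/info.php HTTP/1.1" 201 332 "-" "WEBDAV Client"
192.0.2.10 - - [18/Jan/2011:14:02:41 +0530] "GET /webdav/info.php HTTP/1.1" 200 105 "-" "Mozilla/5.0"
192.0.2.10 - wampp [18/Jan/2011:14:02:49 +0530] "DELETE /webdav/info.php HTTP/1.1" 204 - "-" "WEBDAV Client"
192.0.2.10 - wampp [18/Jan/2011:14:02:49 +0530] "PUT /webdav/x32.php HTTP/1.1" 201 331 "-" "WEBDAV Client"
192.0.2.20 - - [18/Jan/2011:14:05:00 +0530] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one common/combined-format access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Walk the log in order and emit alerts; only successful (2xx) requests count."""
    alerts: List[Dict[str, object]] = []
    uploaded = set()        # paths created by a successful PUT and not yet deleted
    seen_default = set()    # (ip, user) pairs already reported for default-account use

    def alert(kind: str, n: int, rec: Dict[str, str], **extra: object) -> None:
        alerts.append({"kind": kind, "line": n, "ip": rec["ip"],
                       "request": f'{rec["method"]} {rec["path"]}', **extra})

    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not 200 <= int(rec["status"]) < 300:
            continue
        if rec["method"] in WEBDAV_WRITE and path.startswith(WATCHED_PREFIX):
            alert("webdav_write", n, rec)
            if rec["method"] == "PUT":
                uploaded.add(path)
                if path.lower().endswith(SCRIPT_EXT):
                    alert("script_upload", n, rec)
            elif rec["method"] == "DELETE":
                uploaded.discard(path)
        elif rec["method"] == "GET" and path in uploaded:
            alert("uploaded_file_executed", n, rec)
        if rec["user"] in DEFAULT_ACCOUNTS and (rec["ip"], rec["user"]) not in seen_default:
            seen_default.add((rec["ip"], rec["user"]))
            alert("default_account", n, rec, user=rec["user"])
    return alerts


def alert_counts(lines: List[str]) -> Dict[str, int]:
    """How many alerts of each kind the log produced."""
    return dict(Counter(str(a["kind"]) for a in analyze(lines)))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a)
    print(alert_counts(SAMPLE_LOG.splitlines()))
```

The "script_upload" followed by "uploaded_file_executed" pair is the one worth paging on: a PUT of a .php file that is then fetched over GET is the whole incident above in two log lines, and it fires regardless of which default credentials let the write through.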