Blog

Special Use IPv4 Addresses – RFC5735

Address Block        Present Use                                    Reference
0.0.0.0/8            “This” Network                                 RFC 1122, Section 3.2.1.3
10.0.0.0/8           Private-Use Networks                           RFC 1918
127.0.0.0/8          Loopback                                       RFC 1122, Section 3.2.1.3
169.254.0.0/16       Link Local                                     RFC 3927
172.16.0.0/12        Private-Use Networks                           RFC 1918
192.0.0.0/24         IETF Protocol Assignments                      RFC 5736
192.0.2.0/24         TEST-NET-1                                     RFC 5737
192.88.99.0/24       6to4 Relay Anycast                             RFC 3068
192.168.0.0/16       Private-Use Networks                           RFC 1918
198.18.0.0/15        Network Interconnect Device Benchmark Testing  RFC 2544
198.51.100.0/24      TEST-NET-2                                     RFC 5737
203.0.113.0/24       TEST-NET-3                                     RFC 5737
224.0.0.0/4          Multicast                                      RFC 3171
240.0.0.0/4          Reserved for Future Use                        RFC 1112, Section 4
255.255.255.255/32   Limited Broadcast                              RFC 919, Section 7; RFC 922, Section 7
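A classifier built from the table above, added here as an example (not code from the original post): it returns the RFC 5735 "present use" for an address and scans constructed firewall log lines for sources that fall in special-use space, which on an Internet-facing interface means a spoofed or misrouted packet. The log format `src=A.B.C.D` is an assumption for the sample.

```python
"""RFC 5735 special-use IPv4 lookup and a bogon-source filter over constructed log lines."""
import ipaddress

# The RFC 5735 table as (block, present use) pairs.
SPECIAL_USE_V4 = [
    ("0.0.0.0/8", '"This" Network'),
    ("10.0.0.0/8", "Private-Use Networks"),
    ("127.0.0.0/8", "Loopback"),
    ("169.254.0.0/16", "Link Local"),
    ("172.16.0.0/12", "Private-Use Networks"),
    ("192.0.0.0/24", "IETF Protocol Assignments"),
    ("192.0.2.0/24", "TEST-NET-1"),
    ("192.88.99.0/24", "6to4 Relay Anycast"),
    ("192.168.0.0/16", "Private-Use Networks"),
    ("198.18.0.0/15", "Network Interconnect Device Benchmark Testing"),
    ("198.51.100.0/24", "TEST-NET-2"),
    ("203.0.113.0/24", "TEST-NET-3"),
    ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved for Future Use"),
    ("255.255.255.255/32", "Limited Broadcast"),
]
_BLOCKS = [(ipaddress.ip_network(block), use) for block, use in SPECIAL_USE_V4]

def special_use(addr):
    """Return the RFC 5735 present use for addr, or None for ordinary unicast space.
    The most specific block wins, so 255.255.255.255 reports Limited Broadcast
    rather than the enclosing 240.0.0.0/4 Reserved block."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, use) for net, use in _BLOCKS if ip in net]
    return max(matches)[1] if matches else None

def bogon_sources(log_lines):
    """Return (src, use) for every line whose src= address lies in a special-use block.
    Such a source cannot be a legitimate Internet peer; RFC 1918 space arriving on an
    outside interface is included on purpose."""
    found = []
    for line in log_lines:
        for field in line.split():
            if field.startswith("src="):
                src = field[len("src="):]
                use = special_use(src)
                if use is not None:
                    found.append((src, use))
    return found

# Constructed sample log lines (not from any real device).
SAMPLE_LOG = [
    "2013-12-30T10:00:01 src=203.0.113.7 dst=198.51.100.2 action=deny",
    "2013-12-30T10:00:02 src=8.8.8.8 dst=198.51.100.2 action=allow",
    "2013-12-30T10:00:03 src=10.1.2.3 dst=198.51.100.2 action=deny",
    "2013-12-30T10:00:04 src=224.0.0.251 dst=198.51.100.2 action=deny",
]

if __name__ == "__main__":
    for src, use in bogon_sources(SAMPLE_LOG):
        print(f"{src:16} {use}")
```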

By |December 30th, 2013|Uncategorized|0 Comments

Cisco ACS Initial Setup

localhost login: setup
Enter hostname[]: acs-server-1
Enter IP address[]: 209.165.200.225
Enter IP default netmask[]: 255.255.255.0
Enter IP default gateway[]: 209.165.200.1
Enter default DNS domain[]: mycompany.com
Enter Primary nameserver[]: 209.165.200.254
Add/Edit another nameserver? Y/N : n
Enter username [admin]: admin
Enter password:
Enter password again:
Pinging the gateway...
Pinging the primary nameserver...
Do not use `Ctrl-C' from this point on...
Appliance is configured
Installing applications...
Installing acs...
Generating configuration...
Rebooting...

After the ACS server is installed, the system reboots automatically. Verify that the application has been installed properly by entering show application. Check the release and ACS version installed by entering show application version acs. Check the status of the ACS processes at the system prompt by entering show application status acs.

Password Reset
– Power up the appliance.
– Insert the ACS 5.3 Recovery DVD. The console displays:

Welcome to Cisco Secure ACS 5.3 Recovery
To boot from hard disk press <Enter>.
Available boot options:
[1] Cisco Secure ACS 5.3 Installation (Keyboard/Monitor)
[2] Cisco Secure ACS 5.3 Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk

In my case I used option 4 since I was connected via console. The console displays:

-------------------------------------------------------------------------
------------------------ Admin Password Recovery ------------------------
-------------------------------------------------------------------------
This utility will reset the password for the specified admin username.
At most the first five admin usernames will be listed. Enter Ctrl-C
to abort without saving changes and reboot.
-------------------------------------------------------------------------
Admin Usernames :
[1] admin
Enter number of admin for password recovery: 1
Password:
Verify password:
Save changes and reboot? [y/n]: y

Source: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs.pdf

By |December 30th, 2013|Cisco, Security|0 Comments

IKE v1 vs. IKE v2

IKE Properties
– Negotiate SA attributes, determine transforms, hashing and more
– Generate and refresh keys using DH
– Authenticate peer devices using attributes like IP, FQDN, LDAP DN and more
– It has two phases: IKE v1 (Phase 1 and 2), IKE v2 (Init and Auth)
– Main mode & aggressive mode
– ISAKMP negotiates SA for IPSEC. Quick mode & sdoi mode

IKE v2 Advantages
– Simplifies the existing IKEv1
– Single RFC, including NAT-T, EAP and remote address acquisition
– Replaces the 8 initial exchanges with a single 4 message exchange
– Reduces the latency for the IPSEC SA setup and increases connection establishment speed
– Increases robustness against DOS attack
– Improves reliability through the use of sequence numbers, acknowledgements, and error correction
– Forward compatibility
– Simple cryptographic mechanisms
– Traffic selector negotiation: IKEv1: responder can just say yes/no. IKEv2: negotiation ability added
– Reliability: all messages are request/response. Initiator is responsible for retransmission if it doesn't receive a response

IKE v1 | IKE v2
-------|-------
Developed in 1998, based on RFC 4995 | Developed in 2006, based on RFC 5996
Pre-shared key and certificate for authentication | Pre-shared key, certificate and EAP variants. Supports asymmetric authentication: side A pre-shared key and side B certificates
No reliability | Reliable. Introduces retransmission and acknowledgement functions (acked and sequenced)
Phase 1 generates 6 messages (main mode) or 3 messages (aggressive mode) | Reduced bandwidth requirements: generates only 4 messages in all. When EAP is used in IKEv2, an additional 2 messages may be required
Negotiation of the first CHILD_SA requires 3 messages. Subsequent CHILD_SAs require 3 messages | Negotiation of the first CHILD_SA requires no messages since it is piggybacked onto the negotiation of the […]

By |December 30th, 2013|Cisco, Security|0 Comments

NMAP Cheat Sheet

Scan an IPv4 host/address
  nmap 192.168.1.1
Scan an IPv6 host/address
  nmap -6 2607:f8b0:4007:804::1009
  nmap -v -A -6 2607:f8b0:4007:804::1009
Scan FQDN
  nmap server1.cyberciti.biz
Scan a host name with more info
  nmap -v server1.cyberciti.biz
Scan a range of IP addresses
  nmap 192.168.1.1-20
  nmap 192.168.1.*
  nmap 192.168.1.0/24
  nmap 192.168.1.1,2,3
  nmap 192.168.1.1 192.168.1.2
Read list of hosts/networks from a file
  nmap -iL /tmp/test.txt
Excluding hosts/networks (IPv4)
  nmap 192.168.1.0/24 --exclude 192.168.1.5
  nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
  nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt
Turn on OS and version detection scanning script (IPv4)
  nmap -A 192.168.1.254
  nmap -v -A 192.168.1.1
  nmap -A -iL /tmp/scanlist.txt
Find out if a host/network is protected by a firewall
  nmap -sA 192.168.1.254
Scan a host when protected by the firewall
  nmap -PN 192.168.1.1
Scan a network and find out which servers and devices are up and running
  nmap -sP 192.168.1.0/24
Perform a fast scan
  nmap -F 192.168.1.1
Display the reason a port is in a particular state
  nmap --reason 192.168.1.1
Only show open (or possibly open) ports
  nmap --open 192.168.1.1
Show all packets sent and received
  nmap --packet-trace 192.168.1.1
Show host interfaces and routes (like netstat -nr)
  nmap --iflist
Scan specific ports
  nmap -p 80 192.168.1.1
  nmap -p 80,443 192.168.1.1
  nmap -p 80-200 192.168.1.1
  nmap -p T:80 192.168.1.1
  nmap -p U:53 192.168.1.1
  nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
  nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
  nmap --top-ports 5 192.168.1.1
Fastest way to scan all your devices/computers for open ports
  nmap -T5 192.168.1.0/24
Detect remote operating system
  nmap -O 192.168.1.1
  nmap -O --osscan-guess 192.168.1.1
  nmap -v -O --osscan-guess 192.168.1.1
Detect remote services (server / daemon) version numbers
  nmap -sV 192.168.1.1
Scan a host using TCP ACK (PA) and TCP SYN (PS) ping
  nmap -PS 192.168.1.1
  nmap -PS 80,21,443 192.168.1.1
  nmap -PA 192.168.1.1
  nmap […]

By |October 7th, 2013|Security|0 Comments

SNMP

Application-layer management protocol used for monitoring and administration. SNMP operates by sending information to Network Management Servers (NMS). The NMS learns about problems in the network by receiving traps or inform messages generated by the individual device running SNMP, more commonly called the managed device.

SNMP Operations
– Agents listen on UDP port 161 for messages sent by the NMS
– Responses are sent back to the originating NMS port from a dynamic port. Many agents use port 161 for this as well
– Traps are received on port 162 of an NMS

The first two variants of SNMP have pretty much the same protocol structure (V3 is shown below). This means that each of them will encapsulate the same general message format into a UDP packet. This message will be similar to this:

[Figure: SNMP Message Sequence Diagram]
[Figure: SNMP Message Diagram]
[Figure: Wireshark capture showing Version, String and PDU]

The SNMP Version field is an integer value; note that both the NMS and the agent must agree on the version of SNMP being used to communicate.

The SNMP community string is best described as a string value used as the password check for the NMS before the managed device will allow it to access or manipulate the agent process.

SNMP Protocol Data Unit (PDU). The actual communication of information in the SNMP protocol is performed through the exchange of SNMP messages. These messages are sometimes called protocol data units or PDUs. The PDU is the higher-layer data that SNMP encapsulates; the values applied to this field represent the various PDU types and formats.

See SNMP Versions for SNMP PDUs […]
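A minimal decoder for the v1/v2c message layout described above (SEQUENCE of Version INTEGER, community OCTET STRING, then the PDU), added here as an example and not code from the original post. It recovers the three fields the capture shows and flags the cleartext default community strings a defender should be hunting for; the packet bytes are constructed for this example.

```python
"""Decode the outer structure of an SNMPv1/v2c message: version, community string, PDU type."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest",
             0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}

def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos and return (tag, value_bytes, next_pos).
    Handles the short length form and the long form (first octet 0x81..0x84)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(msg):
    """Return {'version', 'community', 'pdu'} for a v1/v2c message.
    Layout: SEQUENCE { INTEGER version, OCTET STRING community, [context-specific] PDU }."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version field is not an INTEGER")
    version = int.from_bytes(ver, "big")
    if version == 3:                        # v3 carries a header block instead of a community string
        return {"version": "v3", "community": None, "pdu": None}
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community field is not an OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": VERSIONS.get(version, str(version)),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag))}

def uses_default_community(msg):
    """True when a v1/v2c message carries a well-known default community string in cleartext."""
    info = parse_snmp(msg)
    return info["version"] in ("v1", "v2c") and info["community"] in DEFAULT_COMMUNITIES

# Constructed sample: SNMPv1 GetRequest, community "public", for sysDescr.0 (1.3.6.1.2.1.1.1.0)
SAMPLE_GET = bytes.fromhex(
    "3026"                       # SEQUENCE, 38 bytes
    "020100"                     # INTEGER version = 0 (v1)
    "04067075626c6963"           # OCTET STRING "public"
    "a019"                       # GetRequest PDU, 25 bytes
    "020101" "020100" "020100"   # request-id 1, error-status 0, error-index 0
    "300e" "300c"                # VarBindList, VarBind
    "06082b06010201010100"       # OID 1.3.6.1.2.1.1.1.0
    "0500")                      # NULL value

if __name__ == "__main__":
    print(parse_snmp(SAMPLE_GET), uses_default_community(SAMPLE_GET))
```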

By |September 27th, 2013|CCIE, Cisco|0 Comments

Filtering Routes on IOS

Route filtering with RIP & RIPng
– Passive interface (passive-interface)
– Distribute-list (distribute-list 2 [in|out])
– Offset list (offset-list)
– Administrative distance (distance)

Route filtering with EIGRP & EIGRP v6
– Passive interface (passive-interface)
– Distribute-list [in|out] – IPv4 ACLs only
– Prefix-list (prefix prefix-list-name [in|out])
– Route-map (route-map map-tag [permit|deny] [sequence-number])
– Administrative distance (distance)

Route filtering with OSPF
– Stub area (area stub & area nssa)
– LSA Type 3 filtering (area filter-list) – IPv4 only
– Summarization (area range / summary-address [not-advertise])
– Redistribution (redistribute protocol route-map)

Route filtering with BGP & BGP for IPv6
– Prefix list (neighbor prefix-list [in|out])
– Distribute list (neighbor distribute-list [in|out])
– Filter list (neighbor filter-list [in|out])
– Route maps (neighbor route-map [in|out])

Regex characters on IOS
“.”      – match any character
“|”      – concatenates constructs; matches one of the characters or character patterns on either side of the vertical bar
“[]”     – matches any single character listed within the brackets
“[0-9]”  – match any single digit
“[a-z]”  – match any lower case letter
“[A-Z]”  – match any upper case letter
“_”      – replaces a long regular expression list by matching a comma (,), left brace ({), right brace (}), the beginning of the input string, the end of the input string, a space or the end of an AS path
“^”      – match the beginning of a string
“$”      – match the end of a string
“\”      – matches the character following the backslash and also escapes special characters

Regex Occurrence Modifiers on IOS
“?”      – means 0 or 1 times: matches zero or one occurrence of the pattern
“*”      – means 0 or any times: matches zero or more occurrences of the pattern
“+”      – means 1 or any times: matches one or more occurrences of the pattern

Source: IP Expert VOD; Cisco Doc: Additional and Legacy Protocols/Terminal Services Configuration Guide, Cisco IOS Release
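The IOS “_” shorthand above is the part of AS-path regex that most often surprises people, so here is an added example (not from the original post) that rewrites an IOS-style AS-path regex into a Python regex, expanding “_” to the delimiter class the list describes, and applies it to AS paths in the space-separated form `show ip bgp` prints. Assumes the other IOS metacharacters carry their usual meaning.

```python
"""Translate IOS AS-path regular expressions to Python and test them against AS paths."""
import re

# IOS "_" matches a comma, left brace, right brace, space, or the start/end of the path.
_UNDERSCORE = r"(?:^|$|[ ,{}])"

def ios_to_python(ios_regex):
    """Rewrite IOS regex syntax to Python. Only '_' needs expansion; '.', '|', '[]', '^',
    '$', '\\', '?', '*' and '+' already mean the same in both dialects. A backslash
    escape is passed through untouched, so '\\_' stays a literal underscore."""
    out, escaped = [], False
    for ch in ios_regex:
        if escaped:
            out.append("\\" + ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(_UNDERSCORE if ch == "_" else ch)
    return "".join(out)

def aspath_matches(ios_regex, as_path):
    """True when the AS path matches the IOS-style regex (a search, as IOS performs it)."""
    return re.search(ios_to_python(ios_regex), as_path) is not None

def filter_paths(ios_regex, as_paths):
    """Return the AS paths an 'ip as-path access-list N permit <regex>' rule would accept."""
    return [path for path in as_paths if aspath_matches(ios_regex, path)]

if __name__ == "__main__":
    # Constructed paths: the second shows why "_65002_" is safer than a bare "65002".
    paths = ["65001 65002 65003", "65001 650021 65003", "65001 {65003,65002}", ""]
    print(filter_paths("_65002_", paths))   # first and third only
    print(filter_paths("^$", paths))        # locally originated routes: the empty path
```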

By |September 27th, 2013|Cisco|0 Comments

Switching To Ubuntu

Table of Equivalent Commands

Below is a table of equivalent commands for package management on both Ubuntu/Debian and Red Hat/Fedora systems.

Adding, Removing and Upgrading Packages

Refresh list of available packages
    Red Hat/Fedora: Yum refreshes each time it's used
    Ubuntu:         apt-get update
Install a package from a repository
    Red Hat/Fedora: yum install package_name
    Ubuntu:         apt-get install package_name
Install a package file
    Red Hat/Fedora: yum install package.rpm / rpm -i package.rpm
    Ubuntu:         dpkg --install package.deb
Remove a package
    Red Hat/Fedora: rpm -e package_name
    Ubuntu:         apt-get remove package_name
Check for package upgrades
    Red Hat/Fedora: yum check-update
    Ubuntu:         apt-get -s upgrade / apt-get -s dist-upgrade
Upgrade packages
    Red Hat/Fedora: yum update / rpm -Uvh [args]
    Ubuntu:         apt-get upgrade
Upgrade the entire system
    Red Hat/Fedora: yum upgrade
    Ubuntu:         apt-get dist-upgrade

Package Information

Get information about an available package
    Red Hat/Fedora: yum search package_name
    Ubuntu:         apt-cache search package_name
Show available packages
    Red Hat/Fedora: yum list available
    Ubuntu:         apt-cache dumpavail
List all installed packages
    Red Hat/Fedora: yum list installed / rpm -qa
    Ubuntu:         dpkg --list
Get information about a package
    Red Hat/Fedora: yum info package_name
    Ubuntu:         apt-cache show package_name
Get information about an installed package
    Red Hat/Fedora: rpm -qi package_name
    Ubuntu:         dpkg --status package_name
List files in an installed package
    Red Hat/Fedora: rpm -ql package_name
    Ubuntu:         dpkg --listfiles package_name
List documentation files in an installed package
    Red Hat/Fedora: rpm -qd package_name
    Ubuntu:         –
List configuration files in an installed package
    Red Hat/Fedora: rpm -qc package_name
    Ubuntu:         dpkg-query --show -f '${Conffiles}\n' package_name
Show the packages a given package depends on
    Red Hat/Fedora: rpm -qR package_name
    Ubuntu:         apt-cache depends
Show other packages that depend on a given package (reverse dependency)
    Red Hat/Fedora: rpm -q --whatrequires [args]
    Ubuntu:         apt-cache rdepends

Package File Information

Get information about a package file
    Red Hat/Fedora: rpm -qpi package.rpm
    Ubuntu:         dpkg --info package.deb
List files in a package file
    Red Hat/Fedora: rpm -qpl package.rpm
    Ubuntu:         dpkg --contents package.deb
List documentation files in a package file
    Red Hat/Fedora: rpm -qpd package.rpm
    Ubuntu:         –
List configuration files in a package file
    Red Hat/Fedora: rpm -qpc package.rpm
    Ubuntu:         –
Extract files in a package
    Red Hat/Fedora: rpm2cpio package.rpm | […]

By |September 26th, 2013|Unix/Linux|0 Comments

RIP Authentication

RIPv1 does not support authentication. If you are sending and receiving RIP v2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface. Authentication, including default authentication, is performed on that interface only if a key chain is configured. Cisco supports two modes of authentication on an interface on which RIP is enabled: plain-text authentication and message digest algorithm 5 (MD5) authentication. Plain-text authentication is the default authentication in every RIPv2 packet. Do not use plain-text authentication in RIP packets for security purposes, because the unencrypted authentication key is sent in every RIPv2 packet. Use plain-text authentication only when security is not an issue; for example, you can use plain-text authentication to ensure that misconfigured hosts do not participate in routing.

Specifying a RIP Version and Enabling Authentication

Configuration example:

!
router rip
 version {1 | 2}
interface type number
 ip rip send version [1] [2]
 ip rip receive version [1] [2]
 ip rip authentication key-chain name-of-chain
 ip rip authentication mode {text | md5}
!

Note: a key chain needs to be configured for this to work.

Troubleshoot: debug ip rip

By |September 4th, 2013|CCIE, Cisco, Security|0 Comments

Cisco Key Chains

A key chain is needed to enable authentication for routing protocols. To enter key-chain configuration mode, use the `key chain` command in global configuration mode. Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains. It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid over time, based on the accept-lifetime and send-lifetime key chain key command settings. If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.

key chain command:

key chain name-of-chain
no key chain name-of-chain

Configuration example:

!
key chain MD5
 key 1
  key-string MD5HASH
  accept-lifetime 13:30:00 Jan 25 1996 duration 7200
  send-lifetime 14:00:00 Jan 25 1996 duration 3600
 exit
!
key chain TEXT
 key 1
  key-string CLEARTEXT
 key 2
  key-string KEY2
!

By |September 4th, 2013|CCIE, Cisco|0 Comments

TMUX

Shell CMDS – From any shell prompt:
start new:                    tmux
start new with session name:  tmux new -s myname
attach:                       tmux a  #  (or at, or attach)
attach to named:              tmux a -t myname
list sessions:                tmux ls
kill session:

TMUX CMDS – In tmux, hit the prefix ctrl+b and then:

Sessions
:new<CR>  new session
s         list sessions
$         name session

Windows (tabs)
c  new window
w  list windows
f  find window
,  name window
&  kill window

Panes (splits)
%  vertical split
"  horizontal split
o  swap panes
q  show pane numbers
x  kill pane
+  break pane into window (e.g. to select text by mouse to copy)
-  restore pane from window
⍽  space – toggle between layouts
PREFIX q  (show pane numbers; when the numbers show up, type the key to go to that pane)
PREFIX {  (move the current pane left)
PREFIX }  (move the current pane right)

Resizing Panes
You can also resize panes if you don't like the layout defaults. I use the mouse to resize.
PREFIX : resize-pane           (by default it resizes the current pane down)
PREFIX : resize-pane -U        (resizes the current pane upward)
PREFIX : resize-pane -L        (resizes the current pane left)
PREFIX : resize-pane -R        (resizes the current pane right)
PREFIX : resize-pane 20        (resizes the current pane down by 20 cells)
PREFIX : resize-pane -U 20     (resizes the current pane upward by 20 cells)
PREFIX : resize-pane -L 20     (resizes the current pane left by 20 cells)
PREFIX : resize-pane -R 20     (resizes the current pane right by 20 cells)
PREFIX : resize-pane -t 2 20   (resizes the pane with the id of 2 down by 20 cells)
PREFIX : resize-pane -t 2 -L 20 (resizes the pane with the id of 2 left by 20 cells)

Misc
d  detach
t  big clock
?  list shortcuts
:  prompt
z  zoom

How do I copy and paste when the mouse […]

By |August 16th, 2013|Unix/Linux|0 Comments