If you don’t want to see your TFTP file transfer crawling at 259 bytes/second between a Cisco ASA and your Windows XP workstation, don’t forget to close your Virtual PC machine.
Today I initiated a TFTP file transfer between a fresh out-of-the-box Cisco ASA and a SolarWinds TFTP server hosted on a Windows XP workstation. Traffic was very, very slow: show interface reported “5 minute output rate 0 pkts/sec, 259 bytes/sec”.
So what the fuck? I was very skeptical about this issue. I ran Wireshark and no interface was available except a generic dial-up one. And then the idea came to my brain: I’m running Debian in Virtual PC. No, it can’t be?? Yes it can, so don’t blame the network so early in your troubleshooting steps. VPC was the root problem :)
Click here to see the TFTP transfer speed changing over time!
Want to dream of QoS rate limiting without adding a single line of configuration? Run Virtual PC!
August 19th, 2008
When a networking geek finds a new feature, he’d love to implement it on his network perimeter (perhaps Benmoon will read my article).
But sometimes the super feature is not applicable to all sorts of production networks.
That’s the case for the L2PT (Layer 2 Protocol Tunneling) feature, which is especially useful for customers of VPLS (aka virtual LAN services based on Ethernet) service providers. The Cisco documentation is not very clear, and rather poor, about the usage of the L2PT feature, but CCIE hackers use it. The feature’s goal is to extend the Layer 2 network of multiple geographically remote sites over the WAN. I’ll try to add another dimension to the understanding of this feature.
First thing to know: when you hear L2PT you must think “big switch” or “big trunk” in Cisco terminology.
Second thing to know: L2PT tunnels Spanning Tree, CDP and VLANs (plus PAgP, LACP and UDLD).
Third thing to know: it does nothing except give you the possibility to extend the Layer 2 domain size.
Why do I need a big switch?
Increasing the Layer 2 domain size between Paris, London and Sydney:
- Single bridge domain (one VLAN)
- Single subnet
- Single SLA
- MAC address learning and forwarding
To make this work over a WAN, L2PT is mandatory.
Guys, I have a Wacom tablet so I’ll definitely try to use it for this article. As I used to say to my students, it’s best-effort drawing ;-)
L2PT big picture over an MPLS/VPLS backbone:

A switch as a CE (Customer Edge)?
It’s not because it’s Layer 2 stuff that a switch is absolutely required. You can have a switch and/or a router, i.e. anything that can do 802.1Q tunneling.
Who configures L2PT in IOS?
L2PT is configured on the ISP equipment (commands borrowed from packetlife). These lines need to be typed on the backbone routers where CDP, STP and VLAN frames will flow until they reach another site of the customer.
interface GigabitEthernet0/1
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
Limitations of L2PT
Don’t forget the MAC address limits and the VLAN number limit, which will require PBT (Provider Backbone Transport) or H-VPLS (Hierarchical VPLS) in order to work, and which break L2PT. Also, in the good-to-know part, keep in mind that a virtual switch operates like a conventional switch regarding flooding/forwarding, MAC learning/aging and loop prevention in unicast, broadcast and multicast environments, so always keep an eye on your Layer 2 perimeter (not the part owned by the ISP).
L2PT should only be used with small customer implementations.
And security?
One thing is sure: these technologies open massive leaking holes in network security. I will name the use of redundant multihomed connections (local traffic may be tunneled into the service provider backbone) and VLAN number mismatches: imagine VLAN 10 at the Sydney site is the Wi-Fi hotspot VLAN and VLAN 10 in Paris is the customer database one.
August 16th, 2008
Strange behavior in the pipe! Welcome!
I was working on a bug PoC thanks to an old-fashioned 2611 router when the problem began: packets can’t reach their destination from and to an Ethernet sub-interface when the physical interface is up and has no IP address.
I ping 192.168.0.23, which is linked to Ethernet0/0 by a crossover cable.
CDP can be exchanged, as it’s Layer 2 and uses the physical interface.
I’ve also tested with the 2611 linked to a 2500 router and to a 2900 switch.
Same behavior: I can’t ping from and to the sub-interface (192.168.0.100).
And of course, it works like a charm when I set it up on the physical interface.
Do you know a mystic trick to make this work, other than using other hardware or dynamips linked to the host computer interface?
Anyway, I really need to use the sub-interface, otherwise my bug PoC won’t be viable :)
Show command output:
hacking2600#sh ip int brief
*Mar 1 00:07:43.848: %SYS-5-CONFIG_I: Configured from console by console
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES manual up up
Ethernet0/0.1 192.168.0.100 YES manual up up
sh run
interface Ethernet0/0
no ip address
full-duplex
!
interface Ethernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.100 255.255.0.0
!
When I try to ping, debug ip packet says “encapsulation failed”.
There is nothing special in Wireshark: the PC responds to the ICMP requests, but it looks like the router drops the stuff.
Tried with 2 different versions of IOS.
Don’t get fucked by the network mask.
Debug ip packet detail output:
*Mar 1 00:44:38.907: IP: tableid=0, s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), routed via RIB
*Mar 1 00:44:38.907: IP: s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), len 100, sending
*Mar 1 00:44:38.907: ICMP type=8, code=0
*Mar 1 00:44:38.907: IP: s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), len 100, encapsulation failed
*Mar 1 00:44:38.911: ICMP type=8, code=0.
Success rate is 0 percent (0/5)
hacking2600#
*Mar 1 00:44:44.112: IP: s=192.168.0.100 (local), d=224.0.0.5 (Ethernet0/0.1), len 64, sending broad/multicast, proto=89
August 16th, 2008
In this funny video (yeah, I like the FBI even if I don’t know them), I will show you my IOS botnet proof of woot.
It’s for real, but I don’t want to be a security pr0nstar showing my 4ss at conferences, nor take the time to make the perfect proof of concept that everyone in the IT security field dreams about at least once in their career. Just have some fun with computers thanks to my poor programming skills in TCL.
So yeah, I’ve hacked 127.0.0.1 in order to leak my old hard disk for you.
Why now?
- IOS stuff has been breaking news for some months, so even the most stupid human can understand what I did (or not)
- Holidays: I would like fewer people to see this, in order to stop the blargz about it, and it has been mitigated by Cisco for a long time
- I’m clear with Cisco about it and helped their R&D reproduce the proof of concept
- Definitely not 0-day!
Click here to join #lol
Let one rip and you’ll feel better…
August 14th, 2008
From the logs I learned that the last time I booted my Juniper JunOS Olive VMware image was 1 year ago.
Not surprisingly, I forgot my password.
I tried the official password recovery methods and other stuff from Google, which led to an epic FAIL.
Well you know, Olive is just a hack. Luckily FreeBSD and UNIX commands are inside, and today is a creativity day :)
Here’s my unofficial method to recover the root password if you are really, really stuck:
fsck /dev/ad0s1e
mount -o rw /dev/ad0s1e /config
cd /config                      # not in the original listing, but implied by the "cd /" below: the relative paths assume you are inside /config
gunzip juniper.conf.gz
mv juniper.conf juniper.orig
cat -b juniper.orig             # numbered listing: locate the root password line (line 4 here)
export NEWROOTPWD="plain-text-password \"root\";"
sed "4s/.*/ ${NEWROOTPWD}/g" juniper.orig >> juniper.conf   # rewrite line 4 and write the new juniper.conf
gzip juniper.conf
rm juniper.orig
cd /
umount /dev/ad0s1e
reboot
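As an added example (my code, not the original post’s), here is the same line rewrite as a reusable sh function you can rehearse on a copy of juniper.conf.gz before running it against the mounted /config slice: it keeps a backup of the archive, escapes sed’s replacement metacharacters so a password line containing / or & or \ does not corrupt the config (the bare ${NEWROOTPWD} in the listing above would), and checks that only the chosen line changed. Line number 4 and the plain-text-password text come from the post; the function names, the temp-directory demo and the constructed Olive config are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite one line of a gzipped
# JunOS configuration (juniper.conf.gz) with a backup and a verification step.
# The directory is a parameter (assumption) so the function can be tried on a
# working copy first; on a real Olive it would be the mounted /config slice.
set -eu

# replace_config_line <dir> <lineno> <new-text>
# Rewrites line <lineno> of <dir>/juniper.conf.gz with <new-text>.
# Returns 0 on success; 1 if the archive is missing, the line number is out of
# range, or the rewritten file does not verify.
replace_config_line() {
    dir=$1; lineno=$2; newtext=$3
    conf="$dir/juniper.conf"
    [ -f "$conf.gz" ] || { echo "missing $conf.gz" >&2; return 1; }
    cp "$conf.gz" "$conf.gz.bak"              # untouched backup of the archive
    gunzip -c "$conf.gz" > "$conf.orig"       # like the post's gunzip, but keeps the .gz
    total=$(wc -l < "$conf.orig" | tr -d ' ')
    if [ "$lineno" -lt 1 ] || [ "$lineno" -gt "$total" ]; then
        echo "line $lineno out of range (1..$total)" >&2
        rm -f "$conf.orig"
        return 1
    fi
    # Escape / & \ in the replacement so sed inserts the text literally.
    esc=$(printf '%s' "$newtext" | sed 's|[/&\\]|\\&|g')
    sed "${lineno}s/.*/${esc}/" "$conf.orig" > "$conf"
    # Verify: the target line is exactly the new text and every other line is unchanged.
    sed "${lineno}d" "$conf" > "$conf.chk"
    if [ "$(sed -n "${lineno}p" "$conf")" != "$newtext" ] ||
       ! sed "${lineno}d" "$conf.orig" | cmp -s - "$conf.chk"; then
        echo "verification failed, original archive left in $conf.gz" >&2
        rm -f "$conf" "$conf.orig" "$conf.chk"
        return 1
    fi
    rm -f "$conf.orig" "$conf.chk"
    gzip -f "$conf"                           # replaces juniper.conf.gz
    return 0
}

# config_line <dir> <lineno>: print one line of <dir>/juniper.conf.gz.
config_line() {
    gunzip -c "$1/juniper.conf.gz" | sed -n "${2}p"
}

# Demo on a constructed fake Olive config in a temp directory (not a real /config).
demo_dir=$(mktemp -d)
printf '%s\n' 'system {' '    host-name olive;' '    root-authentication {' \
    '        encrypted-password "$1$old$hash"; ## SECRET-DATA' '    }' '}' \
    > "$demo_dir/juniper.conf"
gzip "$demo_dir/juniper.conf"
replace_config_line "$demo_dir" 4 '        plain-text-password "root";'
gunzip -c "$demo_dir/juniper.conf.gz"         # show the rewritten config
rm -rf "$demo_dir"
```

On the real box you would call replace_config_line /config 4 '...' between the mount and umount steps of the listing above; the .bak file it leaves next to juniper.conf.gz lets you put the old configuration back if the box does not boot.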
Hurrah! Your console access is back!
August 14th, 2008
Are you looking for bandwidth or latency stress tools?
I won’t tell you to look at Spirent or BreakingPoint because they cost tons of bucks.
Here is a list of free tools for Windows, Linux and BSD:
- iperf - tcp/udp/multicast - http://sourceforge.net/projects/iperf/
- tfgen - UDP - http://www.st.rim.or.jp/~yumo/pub/tfgen.html
- netcps - http://www.netchain.com/netcps/
- PCAUSA test tcp - http://www.pcausa.com/Utilities/ttcpdown1.htm
- OpenWebLoad - http://openwebload.sourceforge.net/
- SIPp - SIP voice signaling protocol - http://sipp.sourceforge.net/
- DPT - DNS protocol - Win32 - Linux - MacOSX
- TXDNS - multithreaded DNS testing - Win32
- tcpbench - tcp benchmarking and measurement - inside OpenBSD
- Ixia Qcheck - http://www.ixiacom.com/products/performance_applications/pa_display.php?skey=qcheck - Submitted by Joe
Feel free to add a comment in order to complete the list!
July 30th, 2008

This morning when I opened my mail inbox, I found this gem, and it’s too late for an April fool’s:
From: K…. P….. (k…….)
Sent: Tuesday, 29 July 2008 22:09
To: blarg-obfuscated (mailer list)
Subject: Reset router
I cannot log into to my router. What is the command to reset the router to factory default?
–
K…. P….., CISSP, CISA, GSNA, ITIL
Sr Systems Engineer
Security/ Compliance Specialist
Cisco Systems Inc.
13600 Dulles Technology Drive
Herndon Va 20171
Direct 7.. … ….
Mobile 7.. … ….
http://www.cisco.com/go/security
July 30th, 2008
Irina from Cisco Moscow told me yesterday that I am funny. Well, Windows XP is too.
Telnet.exe dislikes cat /dev/mem through socat :-/
Click here to view the Windows XP telnet.exe bug
July 28th, 2008
You would have to be disconnected from the Internet, on holiday in Corsica or a trainer at SUPINFO, too busy coding an SMTP exploit that will root the whole planet, or working at an ISP, not to have heard about this summer’s buzz: Dan Kaminsky, Paul Vixie and DNS.
The Internet is already polluted enough… and to stand out from the bloggers on the DNS flaw who all tell the same story, why not do a “yo mama” series on DNS?
- Yo mama forgot her brain so badly when she woke up that she still believes there are 13 physical DNS root servers
- Yo mama is so hopeful that she tells everyone AAAA is the future
- Yo mama understands so little about her network architecture that she doesn’t dare patch BIND
- Yo mama is so open that she caches powned.doxpara.com
- Yo mama is so ugly that Dan doesn’t dare brute-force her
- Yo mama has so little to do that she has time to read RFC 2181
- Yo mama is such a sucker that she still believes DNSSEC can be deployed in 6 minutes
- Yo mama wants to become a star so badly that she’s fuzzing additional RRs this summer
- Yo mama is so paranoid that she digs her MacBook Pro under Mac OS X
- Yo mama has read Theo’s autobiography so much that she believes the BIND on her OpenBSD is safe
Yeah!
July 24th, 2008
SecurityVibes is a web 2.0 site dedicated to IT security and organizational professionals, and as you know, I love web 2.0 and am convinced it’s the most accurate way to do business today, as I have been involved in such things (back to web 1.0) since 2001.
ACZ (Aurélien Cabezon), well known for vulnerabilite.com, launched SecurityVibes in beta-test two weeks or so ago.
At the time of writing, content and people are mostly French, but it will soon be open to the world.
The website is organized into some clearly defined parts: buzz, opinions and articles, groups (temporarily down) and events. All this base is shared between users.
Right now there are 18 users online… ACZ, I wish you the best with this new community!
I have some invitations if you are interested…
July 24th, 2008