Tuesday, September 29, 2009

Linux Varsiti @ Universiti Teknologi Malaysia 2009 - 5th Oct 2009

Linux Varsiti Edisi Selatan (Johor)

Linux Varsiti is a programme that aims to bring Open Source Software to tertiary education institutions in Malaysia.

Date: Monday, October 5, 2009
Time: 9:00am - 6:30pm
Location: Universiti Teknologi Malaysia
Street: Jalan Universiti
City/Town: Skudai, Malaysia

Tentative agenda:

1. Introduction to Open Source Software
2. Facebook Developer Garage Program
3. GIMP vs Photoshop
4. Basic Installation of Linux Distro
5. Career Opportunity in OSS

More information

http://groups.google.com/group/utm-oss

http://www.facebook.com/event.php?eid=111952749503

Join LinuxVarsiti on Facebook.

http://www.facebook.com/group.php?gid=94991914012

Saturday, September 26, 2009

The 2009 Virtual Conference on Information Security

Two days back, I attended "The 2009 Virtual Conference on Information Security", which was organised by Infosecurity Magazine. Indeed it was a brand new experience, as the conference was totally virtual and the whole involvement was done only in front of my desktop. There were several webinars at the Keynote Theatre, which were broadcast live for 7 hours, and I managed to catch a few.

One interesting point was that conference delegates may visit the Exhibit Hall. The virtual booths included Trend Micro, Sysbase, Overtis, LANDesk, Webroot, PGP, Check Point and Info Security. We may obtain some white papers, brochures and technical papers by just clicking the "save to briefcase" button. The resources are saved in our conference bag and we can download them afterwards.

Great experience! Unfortunately the recorded video sessions are not yet available to download for the moment. I hope they will be up soon.

Screenshots:
-Main hall
-The Exhibit Hall
-The Keynote Theater

Sunday, September 20, 2009

SANS webcast - Developing exploits

SEC709 Developing Exploits for Penetration Tester and Security

From Stephen Sims

Precompiled frameworks
-Metasploit
-Core Impact
-Immunity CANVAS
-sink

Code analysis
Code scanning tools: gcar, lcar
(I did not really catch the application names he mentioned, such as gcar and lcar)

Debugger: Immunity Debugger

OS monitoring tools
-ProcMon, RegMon, FileMon, RegShot

What happens during the crash?
-Analyse the status of each register
eg, a strange 0x41414141 if the input is 'A'
-Is the return pointer or the SEH chain overwritten?
Analyse the stack segment and monitor ESP/EBP
-Is the heap overwritten?
Analyse dynamic memory allocation

Tool: findjmp kernel32.dll edx
-gets a pop-pop-return address

Several protections

SafeSEH
-protects the SEH handler pointers against overwrite

ASLR
-randomises the location of libraries and memory segments

DEP
-prevents code execution on the stack and heap

Security cookies
-pushes unique values onto the stack and heap during allocations, which are checked upon exit or free
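The security-cookie item above, modelled in C as an added example (this is not code from the webcast or from any SANS material). A real compiler places the cookie between the local buffer and the saved return address; here the "frame" is an explicit struct so the demonstration is well-defined C rather than a real stack smash. The cookie value, the placeholder return address and the input lengths are all constructed. It also shows where the "strange 0x41414141" from the crash-analysis note comes from: an unchecked copy of 'A's runs over the cookie, and the epilogue check catches it, while a bounded copy refuses the oversized input outright.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 16

/* Explicit model of a stack frame protected by a /GS-style cookie. */
struct frame {
    char buf[BUF_LEN];    /* the overflowable local buffer */
    uint32_t cookie;      /* guard value, checked before "return" */
    uint32_t saved_ret;   /* stands in for the saved return address */
};

/* Constructed value; a real cookie is random per process/per module load. */
static const uint32_t COOKIE_VALUE = 0xA5C3E1F7u;

/* Prologue: zero the buffer and place the cookie above it. */
static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = COOKIE_VALUE;
    f->saved_ret = 0x00401000u;   /* constructed placeholder address */
}

/* Unchecked copy: models strcpy/memcpy with an attacker-controlled length.
 * Writes are clamped to the struct so the demo stays defined behaviour, but
 * anything past BUF_LEN lands on the cookie and then on saved_ret. */
static void copy_unchecked(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((char *)f, src, len);
}

/* Hardened copy: bounds check first; returns -1 and copies nothing if too long. */
static int copy_checked(struct frame *f, const char *src, size_t len) {
    if (len > BUF_LEN) return -1;
    memcpy(f->buf, src, len);
    return 0;
}

/* Epilogue check: 1 if the cookie is intact, 0 if it was overwritten
 * (a real implementation aborts the process here instead of returning). */
static int cookie_intact(const struct frame *f) {
    return f->cookie == COOKIE_VALUE;
}

/* Fill a constructed input of input_len bytes with 'A' (0x41), the classic pattern. */
static char *make_input(size_t input_len) {
    char *input = malloc(input_len ? input_len : 1);
    if (input) memset(input, 'A', input_len);
    return input;
}

/* Run the unchecked path; returns 1 if the cookie check detects the overflow, 0 if not, -1 on alloc failure. */
int unchecked_detects_overflow(size_t input_len) {
    struct frame f;
    char *input = make_input(input_len);
    if (!input) return -1;
    frame_init(&f);
    copy_unchecked(&f, input, input_len);
    free(input);
    return !cookie_intact(&f);
}

/* Run the unchecked path and return the cookie's value afterwards (0x41414141 once overrun). */
uint32_t cookie_after_overflow(size_t input_len) {
    struct frame f;
    char *input = make_input(input_len);
    if (!input) return 0;
    frame_init(&f);
    copy_unchecked(&f, input, input_len);
    free(input);
    return f.cookie;
}

/* Run the hardened path; returns 1 if the oversized input was rejected, 0 if it was accepted. */
int checked_rejects(size_t input_len) {
    struct frame f;
    char *input = make_input(input_len);
    if (!input) return -1;
    frame_init(&f);
    int rc = copy_checked(&f, input, input_len);
    free(input);
    return rc == -1;
}

int main(void) {
    printf("16 bytes unchecked: detected=%d\n", unchecked_detects_overflow(16));
    printf("24 bytes unchecked: detected=%d cookie=0x%08X\n",
           unchecked_detects_overflow(24), cookie_after_overflow(24));
    printf("24 bytes checked:   rejected=%d\n", checked_rejects(24));
    return 0;
}
```

The cookie only detects the corruption after the fact, at the epilogue; the bounds check in `copy_checked` is the fix that prevents it. That is why the course lists cookies alongside DEP and ASLR as mitigations, not as a substitute for safe code.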


Sunday, September 13, 2009

CCNA2 Chapter 5 - 6 note

Finished another 2 chapters.

My notes

/////////////////////

Chapter 5 RIPv1

RIP messages are encapsulated in a UDP segment, with source and destination ports of 520.

One RIP update can contain up to 25 route entries. The maximum datagram size is 512 bytes, not including the IP or UDP headers.
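A bounds-checked parser for the RIPv1 message format the notes describe, as an added example (it is not course material). It enforces the limits stated above: a 4-byte header, 20-byte route entries, at most 25 entries, and at most 512 bytes before the IP and UDP headers. The field layout follows RFC 1058; the sample packets are constructed by `rip_build_response`, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RIP_HDR_LEN      4
#define RIP_ENTRY_LEN    20
#define RIP_MAX_ENTRIES  25
#define RIP_MAX_LEN      512
#define RIP_INFINITY     16
#define RIP_CMD_REQUEST  1
#define RIP_CMD_RESPONSE 2
#define RIP_AFI_INET     2

struct rip_route {
    uint32_t network;  /* IPv4 network address, host byte order */
    uint32_t metric;   /* hop count 1..16; 16 means unreachable */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one RIPv1 UDP payload. Returns the number of route entries,
 * or -1 if the message violates the size limits or header fields. */
int rip_parse(const uint8_t *pkt, size_t len, struct rip_route *out, size_t out_cap) {
    if (len < RIP_HDR_LEN || len > RIP_MAX_LEN) return -1;
    if ((len - RIP_HDR_LEN) % RIP_ENTRY_LEN != 0) return -1;
    size_t n = (len - RIP_HDR_LEN) / RIP_ENTRY_LEN;
    if (n > RIP_MAX_ENTRIES || n > out_cap) return -1;

    uint8_t command = pkt[0], version = pkt[1];
    if (command != RIP_CMD_REQUEST && command != RIP_CMD_RESPONSE) return -1;
    if (version != 1) return -1;

    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = pkt + RIP_HDR_LEN + i * RIP_ENTRY_LEN;
        uint16_t afi = (uint16_t)((e[0] << 8) | e[1]);
        uint32_t metric = be32(e + 16);
        if (afi != RIP_AFI_INET) return -1;            /* RIPv1 carries IP routes only */
        if (metric < 1 || metric > RIP_INFINITY) return -1;
        out[i].network = be32(e + 4);                  /* bytes 8..15 are must-be-zero in v1 */
        out[i].metric = metric;
    }
    return (int)n;
}

/* Build a constructed RIPv1 response advertising `count` networks at metric 1. */
size_t rip_build_response(uint8_t *buf, size_t cap, const uint32_t *nets, size_t count) {
    size_t len = RIP_HDR_LEN + count * RIP_ENTRY_LEN;
    if (len > cap) return 0;
    memset(buf, 0, len);
    buf[0] = RIP_CMD_RESPONSE;
    buf[1] = 1;                                        /* version 1 */
    for (size_t i = 0; i < count; i++) {
        uint8_t *e = buf + RIP_HDR_LEN + i * RIP_ENTRY_LEN;
        e[1] = RIP_AFI_INET;
        e[4] = (uint8_t)(nets[i] >> 24); e[5] = (uint8_t)(nets[i] >> 16);
        e[6] = (uint8_t)(nets[i] >> 8);  e[7] = (uint8_t)nets[i];
        e[19] = 1;                                     /* metric = 1 hop */
    }
    return len;
}

/* Parse a well-formed two-route response (172.30.1.0 and 172.30.2.0); returns 2. */
int demo_parse_two_routes(struct rip_route *routes) {
    const uint32_t nets[2] = { 0xAC1E0100u, 0xAC1E0200u };
    uint8_t pkt[RIP_MAX_LEN];
    size_t len = rip_build_response(pkt, sizeof pkt, nets, 2);
    return rip_parse(pkt, len, routes, 2);
}

/* 26 entries make a 524-byte message, over the 512-byte limit; returns 1 if rejected. */
int demo_oversize_rejected(void) {
    uint32_t nets[26];
    for (size_t i = 0; i < 26; i++) nets[i] = 0x0A000000u + ((uint32_t)i << 16);
    uint8_t pkt[600];
    struct rip_route routes[26];
    size_t len = rip_build_response(pkt, sizeof pkt, nets, 26);
    return rip_parse(pkt, len, routes, 26) == -1;
}

int main(void) {
    struct rip_route routes[2];
    int n = demo_parse_two_routes(routes);
    printf("parsed %d routes, first 0x%08X metric %u\n", n, routes[0].network, routes[0].metric);
    printf("26-entry message rejected: %d\n", demo_oversize_rejected());
    return 0;
}
```

The length and entry-count checks come before any field is read, so a truncated or oversized datagram is dropped without touching memory past the buffer; the metric range check rejects the values RIP itself never sends.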

To enter the router configuration mode for RIP, enter 'router rip' at the global configuration prompt.

debug ip rip
undebug all

The correct solution is to use the passive-interface command, which prevents the transmission of routing updates through a router interface but still allows that network to be advertised to other routers. Enter the passive-interface command in router configuration mode.

Router(config-router)#passive-interface interface-type interface-number

This command stops routing updates out the specified interface. However, the network that the specified interface belongs to will still be advertised in routing updates that are sent out other interfaces.

RIP is a classful routing protocol that automatically summarizes classful networks across major network boundaries.

Classless routing protocols like RIPv2 allow the same major (classful) network to use different subnet masks on different subnets, better known as Variable Length Subnet Masking (VLSM).

How does R2 know that this subnet has a /24 (255.255.255.0) subnet mask?
R2 uses its own subnet mask on this interface and applies it to this and all other 172.30.0.0 subnets that it receives on this interface.

RIPv1 lacks support for discontiguous networks. It may end up load balancing between 2 discontiguous networks.

'default-information originate' - specify that this router is to originate default information, by propagating the static default route in RIP updates.

You can see that there is a candidate default route, as denoted by the R* code. The static default route on R2 has been propagated to R1 in a RIP update. R1 has connectivity to the LAN on R3 and any destination on the Internet.

////////////////////

Chapter 6 VLSM

CIDR uses Variable Length Subnet Masks (VLSM) to allocate IP addresses to subnets according to individual need rather than by class.

As you most likely recall, VLSM is simply subnetting a subnet. VLSM can be thought of as sub-subnetting.

As you previously learned, route summarization also known as route aggregation, is the process of advertising a contiguous set of addresses as a single address with a less-specific, shorter subnet mask. Remember that CIDR is a form of route summarization and is synonymous with the term supernetting.

CIDR allows for supernetting. A supernet is a group of major network addresses summarized as a single network address with a mask less than that of the default classful mask.

Supernetting refers to the ability to summarise networks with a mask shorter than the classful default mask.
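The two address-planning operations this chapter describes, VLSM ("subnetting a subnet") and route summarization into a supernet, computed in C as an added example (not course material). Addresses are 32-bit IPv4 values in host byte order; the example networks (192.168.0.0 to 192.168.7.0 summarised to one supernet, and 192.168.1.0/24 carved for LANs of 60, 28 and 12 hosts plus a 2-host serial link) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Network mask for a prefix length 0..32 (a shift by 32 is undefined in C, so /0 is special-cased). */
static uint32_t mask_for(int prefix) {
    return prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
}

/* Route summarization: the longest prefix shared by all n networks. Writes the
 * summary network and returns its prefix length, never longer than the shortest input. */
int summarize(const uint32_t *nets, const int *prefixes, size_t n, uint32_t *summary) {
    int plen = prefixes[0];
    for (size_t i = 1; i < n; i++) {
        if (prefixes[i] < plen) plen = prefixes[i];
        uint32_t diff = nets[0] ^ nets[i];            /* bits where the two networks differ */
        while (plen > 0 && (diff & mask_for(plen)) != 0) plen--;
    }
    *summary = nets[0] & mask_for(plen);
    return plen;
}

/* Smallest prefix whose block holds `hosts` usable addresses (+2 for network and broadcast). */
static int prefix_for_hosts(unsigned hosts) {
    unsigned need = hosts + 2, size = 1;
    int bits = 0;
    while (size < need) { size <<= 1; bits++; }
    return 32 - bits;
}

/* VLSM: carve block/block_prefix into subnets sized for each host count. Host counts
 * must be in descending order so every subnet starts on its own size boundary.
 * Returns the number allocated, or -1 if the block runs out of space. */
int vlsm_allocate(uint32_t block, int block_prefix, const unsigned *hosts, size_t n,
                  uint32_t *subnets, int *prefixes) {
    uint64_t next = block;
    uint64_t end = (uint64_t)block + (1ull << (32 - block_prefix));
    for (size_t i = 0; i < n; i++) {
        int p = prefix_for_hosts(hosts[i]);
        uint64_t size = 1ull << (32 - p);
        if (next + size > end) return -1;
        subnets[i] = (uint32_t)next;
        prefixes[i] = p;
        next += size;
    }
    return (int)n;
}

/* Eight /24s, 192.168.0.0 to 192.168.7.0, summarise to 192.168.0.0/21: a supernet,
 * since /21 is shorter than the classful /24. Returns the prefix, writes the network. */
int demo_supernet(uint32_t *summary) {
    uint32_t nets[8]; int prefixes[8];
    for (unsigned i = 0; i < 8; i++) { nets[i] = ip4(192, 168, i, 0); prefixes[i] = 24; }
    return summarize(nets, prefixes, 8, summary);
}

/* Subnet 192.168.1.0/24 for 60, 28 and 12 hosts plus a 2-host point-to-point link. */
int demo_vlsm(uint32_t *subnets, int *prefixes) {
    const unsigned hosts[4] = { 60, 28, 12, 2 };
    return vlsm_allocate(ip4(192, 168, 1, 0), 24, hosts, 4, subnets, prefixes);
}

static void print_net(uint32_t a, int p) {
    printf("%u.%u.%u.%u/%d\n", a >> 24, (a >> 16) & 255u, (a >> 8) & 255u, a & 255u, p);
}

int main(void) {
    uint32_t s; int p = demo_supernet(&s);
    printf("summary: "); print_net(s, p);
    uint32_t sub[4]; int pre[4];
    int n = demo_vlsm(sub, pre);
    for (int i = 0; i < n; i++) { printf("subnet:  "); print_net(sub[i], pre[i]); }
    return 0;
}
```

Expected allocation is 192.168.1.0/26, 192.168.1.64/27, 192.168.1.96/28 and 192.168.1.112/30, with 192.168.1.116 onwards left free; the descending-order requirement is what keeps each subnet aligned to its own block size.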

Saturday, September 12, 2009

CCNA2 Chapter 1 - 4 note

Notes:

Chapter 1 Introduction to Routing

NVRAM - startup config file
Flash - Cisco IOS

The enable password and the enable secret password need not exist together. If only the enable secret password is set, that is already enough.

R1(config-line)#login
Important: without this line, the user will be granted access to the line without entering a password.

Router#copy running-config startup-config

RIP (Routing Information Protocol)
IGRP (Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol)
OSPF (Open Shortest Path First)
IS-IS (Intermediate System-to-Intermediate System)
BGP (Border Gateway Protocol)

Note: RIP (versions 1 and 2), EIGRP, and OSPF are discussed in this course. EIGRP and OSPF are also explained in more detail in CCNP, along with IS-IS and BGP. IGRP is a legacy routing protocol and has been replaced by EIGRP. Both IGRP and EIGRP are Cisco proprietary routing protocols, whereas all other routing protocols listed are standard, non-proprietary protocols.

As a packet is forwarded from router to router, the Layer 3 source and destination IP addresses will not change; however, the Layer 2 source and destination data link addresses will change. This process will be examined more closely later in this section.

Best path for RIP - hop count
Best path for OSPF - bandwidth of the link

/////////////////////////////////////

Chapter 2 Static routing

Two types of cables can be used with Ethernet LAN interfaces:
A straight-through, or patch cable, with the order of the colored pins the same on each end of the cable
A crossover cable, with pin 1 connected to pin 3, and pin 2 connected to pin 6

Straight-through cables are used for:
Switch-to-router
Switch-to-PC
Hub-to-PC
Hub-to-server

Crossover cables are used for:
Switch-to-switch
PC-to-PC
Switch-to-hub
Hub-to-hub
Router-to-router
Router-to-server

#show ip interface brief
#show interface fastethernet 0/0

Typically, the router is the DTE device and is connected to a CSU/DSU, which is the DCE device. The CSU/DSU (DCE device) is used to convert the data from the router (DTE device) into a form acceptable to the WAN service provider.

Although Cisco serial interfaces are DTE devices by default, they can be configured as DCE devices.

To configure a router to be the DCE device:

1. Connect the DCE end of the cable to the serial interface.

2. Configure the clock signal on the serial interface using the clock rate command.


!!! Note: If a router's interface with a DTE cable is configured with the clock rate command, the IOS will disregard the command and there will be no ill effects.

A stub network is a network accessed by a single route.

R1(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.2

(This is entered at priv mode, not at line mode)

Recursive lookup
- We will see in the next section that static routes can be configured with an exit interface. This means that they do not need to be resolved using another route entry.
- If the static route's exit interface column shows an IP address, a recursive lookup must be done to get the exit interface.
- If the exit interface is 'fa 0/0' or 'serial 0/0/0', no recursive lookup is needed.

There is an advantage to utilizing exit interfaces in static routes for both serial point-to-point and Ethernet outbound networks. The routing table process only has to perform a single lookup to find the exit interface instead of a second lookup to resolve a next-hop address.

What are the most common metrics used in IP dynamic routing?
Hop count, bandwidth, delay and cost

Default route
The key to this configuration is the /0 mask.
Default routes are very common on routers.

The original static route must be removed before a replacement is added.

Exit interface is down
Let's consider what would happen if an exit interface goes down. For example, what would happen to R1's static route to 192.16.2.0/24 if its Serial 0/0/0 interface went down? If the static route cannot be resolved to an exit interface, in this case Serial 0/0/0, the static route is removed from the routing table.


The rate configured on the DCE determines the clock rate.

A static route that points to the next-hop IP has an administrative distance of 1 and a metric of 0.

/////////////////////////

Chapter 3 Intro to dynamic routing protocols

BGP is typically used between ISPs and sometimes between a company and an ISP.

Distance vector protocols work best in situations where:
The network is simple and flat and does not require a special hierarchical design.
The administrators do not have enough knowledge to configure and troubleshoot link-state protocols.
Specific types of networks, such as hub-and-spoke networks, are being implemented.
Worst-case convergence times in a network are not a concern.

In contrast to distance vector routing protocol operation, a router configured with a link-state routing protocol can create a "complete view" or topology of the network by gathering information from all of the other routers.

Link-state routing protocols do not use periodic updates. After the network has converged, a link-state update is only sent when there is a change in the topology.


Link-state protocols work best in situations where:
The network design is hierarchical, usually occurring in large networks.
The administrators have a good knowledge of the implemented link-state routing protocol.
Fast convergence of the network is crucial.

Classful routing protocols include RIPv1 and IGRP.

Classless routing protocols are RIPv2, EIGRP, OSPF, IS-IS, BGP.

Generally, RIP and IGRP are slow to converge, whereas EIGRP and OSPF are faster to converge.

Each routing protocol uses its own metric. For example, RIP uses hop count, IGRP and EIGRP use a combination of bandwidth and delay, and Cisco's implementation of OSPF uses bandwidth.

All the routing protocols discussed in this course are capable of automatically load balancing traffic for up to four equal-cost routes by default. EIGRP is also capable of load balancing across unequal-cost paths.

Administrative distance (AD) defines the preference of a routing source.
Only a directly connected network has an administrative distance of 0, which cannot be changed.
static route - AD 1

To see the AD value of a directly connected network, use the [route] option.

In 'show ip route', the bracketed value is [administrative distance/hop count].

An EIGRP internal route has the most trustworthy administrative distance by default.

How many equal cost paths can a dynamic routing protocol use for load balancing by default? 4

When do directly connected networks appear in the routing table? As soon as they are addressed and operational at layer 3.

AD
20 - eBGP
90 - EIGRP (internal)
110 - OSPF
115 - IS-IS
120 - RIP
170 - EIGRP (external)

//////////////////////////

Chapter 4 Distance Vector Routing Protocol

Periodic Updates are sent at regular intervals (30 seconds for RIP and 90 seconds for IGRP).

Distance vector routing protocols share certain characteristics:
periodic updates
broadcast updates
entire routing table updates

RIP :
invalid timer : 180s
flush timer : 240s
holddown timer : 180s


Holddown Timer. This timer stabilizes routing information and helps prevent routing loops during periods when the topology is converging on new information. Once a route is marked as unreachable, it must stay in holddown long enough for all routers in the topology to learn about the unreachable network. By default, the holddown timer is set for 180 seconds.

EIGRP uses updates that are:
Non-periodic because they are not sent out on a regular basis.
Partial updates sent only when there is a change in topology that influences routing information.
Bounded, meaning the propagation of partial updates are automatically bounded so that only those routers that need the information are updated.

Note: Collisions are only an issue with hubs and not with switches.

To prevent the synchronization of updates between routers, the Cisco IOS uses a random variable, called RIP_JITTER,

Distance vector routing protocols are simple in their operations. Their simplicity results in protocol drawbacks like routing loops.

There are a number of mechanisms available to eliminate routing loops, primarily with distance vector routing protocols. These mechanisms include:
Defining a maximum metric to prevent count to infinity
Holddown timers
Split horizon
Route poisoning or poison reverse
Triggered updates

Holddown timers are used to prevent regular update messages from inappropriately reinstating a route that may have gone bad.

Holddown timers also help prevent the count to infinity condition.

The split horizon rule says that a router should not advertise a network through the interface from which the update came.

Route poisoning is used to mark the route as unreachable in a routing update that is sent to other routers.

Route poisoning speeds up the convergence process as the information about 10.4.0.0 spreads through the network more quickly than waiting for the hop count to reach "infinity".

Note: Split horizon is enabled by default. However split horizon with poison reverse may not be the default on all IOS implementations.

Features of RIP:
Supports split horizon and split horizon with poison reverse to prevent loops.
Is capable of load balancing up to six equal cost paths. The default is four equal cost paths.

EIGRP features include:
Triggered updates (EIGRP has no periodic updates).
Use of a topology table to maintain all the routes received from neighbors (not only the best paths).
Establishment of adjacencies with neighboring routers using the EIGRP hello protocol.
Support for VLSM and manual route summarization. These allow EIGRP to create hierarchically structured large networks.

RIP and IGRP are distance vector routing protocols characterized by periodic updates that are broadcast to directly connected neighbours. The entire routing table is sent in the update.

Three routers running a distance-vector routing protocol lost all power, including the battery backups. When the routers reload, they will send updates that include only directly connected routes to their directly connected neighbours.


(All notes taken from CCNA2 Exploration)

Friday, September 11, 2009

First Nepenthes catch! Woo

An exciting day for me! For the past few months, this is the first time I have had a stable connection and admin privilege on the router. I managed to put my Ubuntu VM in the DMZ. When the application console kept showing different notice messages, I realised that Nepenthes was working!

Here are the results of a short 8-hour capture:

/var/log/nepenthes/logged_download

/var/log/nepenthes/logged_submission

/var/lib/nepenthes/binaries


Within 8 hours, Nepenthes managed to get 4 submissions. More to go!