Monday, November 30, 2009

Dionaea - Nepenthes successor

Nepenthes, the low interactive honeypot has implemented in the wild for several years. It is the versatile tool to collect malware, acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities.

Here come a next generation of the low interactive honeypot, Dionaea which is funded by Google Summer of Code 2009. It introduced several nice features to improve Nepenthes funtionality :

- embedding python as scripting language
- using libemu to detect shellcodes
- supporting ipv6 and tls

Full details about Dionaea can be found here.

And one interesting stuff that I just found out from the Nepenthesdev mailling list. Hugo González from the Mexican Chapter of the Honeynet created VirtualBox debian images which make it easier to install dionaea.

The image can be downloaded and import to virtualbox.

Monday, November 9, 2009

CCNA3 Chap 4-7 Note

Chapter 4 VTP

The switch can be configured in the role of a VTP server or a VTP client. VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005). Extended-range VLANs (IDs greater than 1005) are not supported by VTP.

VTP stores VLAN configurations in the VLAN database called vlan.dat.

A router or Layer 3 switch defines the boundary of each domain.

VTP Modes- A switch can be configured in one of three modes: server, client, or transparent.

VTP clients function the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.

VTP Transparent-Transparent switches forward VTP advertisements to VTP clients and VTP servers. Transparent switches do not participate in VTP. VLANs that are created, renamed, or deleted on transparent switches are local to that switch only.

VTP Pruning-VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them.

VTP server mode is the default mode for a cisco switch

A switch can be a member of only one VTP domain at a time. Until the VTP domain name is specified you cannot create or modify VLANs on a VTP server, and VLAN information is not propagated over the network.

a VTP frame is encapsulated as an 802.1Q frame

Each time a VLAN is added or removed, the configuration revision number is incremented.

Note: A VTP domain name change does not increment the revision number. Instead, it resets the revision number to zero.

Summary advertisements are sent:

Every 5 minutes by a VTP server or client to inform neighboring VTP-enabled switches of the current VTP configuration revision number for its VTP domain
Immediately after a configuration has been made

Request Advertisements

When a request advertisement is sent to a VTP server in the same VTP domain, the VTP server responds by sending a summary advertisement and then a subset advertisement.

Request advertisements are sent if:

-The VTP domain name has been changed
-The switch receives a summary advertisement with a higher configuration revision number than its own
-A subset advertisement message is missed for some reason
-The switch has been reset

Summary advertisements comprise the majority of VTP advertisement traffic.

You need to enable pruning on only one VTP server switch in the domain.

VTP server: Confirm that all of the switches you are going to configure have been set to their default settings.

As on the VTP server switch, confirm that the default settings are present.

Configure VTP client mode. Recall that the switch is not in VTP client mode by default. You have to configure this mode.


Chap 5 STP

Redundancy is the solution for achieving the necessary availability.

For broadcast frame,if there is more than one path for the frame to be forwarded out, it can result in an endless loop.

Network loops that are a result of accidental duplicate connections in the wiring closets are a common occurrence.

STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop.

If the path is ever needed to compensate for a network cable or switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active.

The switch with the lowest BID automatically becomes the root bridge for the STA calculations.

the BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

After a switch boots, it sends out BPDU frames containing the switch BID and the root ID every 2 seconds.

The root ID identifies the root bridge on the network. Initially, each switch identifies itself as the root bridge after bootup.

Although switch ports have a default port cost associated with them, the port cost is configurable.

spanning-tree cost value
spanning-tree cost 25

no spanning-tree cost //revert back

STP determines a root bridge for the spanning-tree instance by exchanging BPDUs.

This frame has a destination MAC address of 01:80:C2:00:00:00, which is a multicast address for the spanning-tree group.

When a switch first boots, the root ID is the same as the bridge ID. However, as the election process occurs, the lowest bridge ID replaces the local root ID to identify the root bridge switch

During BPDU process, root ID will change. But bridge ID wont change.

The default value for the priority of all Cisco switches is 32768. The priority range is between 1 and 65536; therefore, 1 is the highest priority.

When two switches are configured with the same priority and have the same extended system ID, the switch with the MAC address with the lowest hexadecimal value has the lower BID. Initially, all switches are configured with the same default priority value. The MAC address is then the deciding factor on which switch is going to become the root bridge.

The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge.

Only one root port is allowed per bridge.

For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed.

spanning-tree port-priority value

The port priority values range from 0 - 240, in increments of 16. The default port priority value is 128. As with bridge priority, lower port priority values give the port higher priority.

When two switches are connected to the same LAN segment, and root ports have already been defined, the two switches have to decide which port gets to be configured as a designated port and which one is left as the non-designated port

the switch with the lower BID has its port configured as a designated port, while the switch with the higher BID has its port configured as a non-designated port.

The port ID is appended to the port priority. For example, switch port F0/1 has a default port priority value of 128.1, where 128 is the configurable port priority value, and .1 is the port ID. Switch port F0/2 has a port priority value of 128.2, by default.

During a topology change, a port temporarily implements the listening and learning states for a specified period called the "forward delay interval."

switch diameter is the number of switches a frame has to traverse to travel from the two farthest points on the broadcast domain. A seven-switch diameter is the largest diameter that STP permits because of convergence times.

When a switch port configured with PortFast is configured as an access port, that port transitions from blocking to forwarding state immediately, bypassing the typical STP listening and learning states.

To understand the convergence process more thoroughly, it has been broken down into three distinct steps:

Step 1. Elect a root bridge

Step 2. Elect root ports

Step 3. Elect designated and non-designated ports

the show spanning-tree output for switch S1 reveals that it is the root bridge. You can see that the BID matches the root ID, confirming that S1 is the root bridge.

The max age delay of 20 seconds provides enough time for the seven-switch diameter with the 2-second hello timer between BPDU frame transmissions.

When a switch needs to signal a topology change, it starts to send TCNs on its root port. The TCN is a very simple BPDU that contains no information and is sent out at the hello time interval.

The receiving switch is called the designated bridge and it acknowledges the TCN by immediately sending back a normal BPDU with the topology change acknowledgement (TCA) bit set.

PVST+ a network can run an STP instance for each VLAN in the network. With PVST+, more than one trunk can block for a VLAN and load sharing can be implemented.

However, you can set the switch priority for the specified spanning-tree instance. This setting affects the likelihood that this switch is selected as the root switch. A lower value increases the probability that the switch is selected. The range is 0 to 61440 in increments of 4096. For example, a valid priority value is 4096x2 = 8192. All other values are rejected.

RSTP does not have a blocking port state. RSTP defines port states as discarding, learning, or forwarding.

RSTP speeds the recalculation of the spanning tree when the Layer 2 network topology changes.

Protocol information can be immediately aged on a port if hellos are not received for three consecutive hello times, 6 seconds by default, or if the max age timer expires.

An RSTP edge port is a switch port that is never intended to be connected to another switch device. It immediately transitions to the forwarding state when enabled.

Root ports, althernate and backup ports do not use the link type parameter. Designated ports make the most use of link

1 designed port per segment
1 root port per switch
1 root bridge per network

Althernate port
-present on non-designated switches and will make a transition to a designed port if the current designated path fails

Backup port
-redundant link to the segment

RSTP significantly speeds up the recalculation process after a topology change, because it converges on a link-by-link basis and does not rely on timers expiring before ports can transition. Rapid transition to the forwarding state can only be achieved on edge ports and point-to-point links.

Do not leave it up to the STP to decide which bridge is root.

STP Failure scenerio
Most spanning free algorithm failures occus due to excessive losses of BPDUs causing blocked ports to transition to forwarding mode. Broadcast sotrm occurring

BPDU guard disables a PortFast-configured port or interface if the

Using the original IEEE 802.1D spanning-tree protocol involves a convergence time of up to 50 seconds. RSTP reduces convergence time to approximately 6 seconds or less.port or interface receives a BPDU.

PVST - supprt ISL trunking and load balance
PVST+ -support RPDUguards
RSTP - incorporated into 802.1D; supports BackboneFast, Uplinkfast and PortFast
rapid PVST+ - based on IEEE802.1w


Chap 6 Inter-VLAN routing

"Router-on-a-stick" is a type of router configuration in which a single physical interface routes traffic between multiple VLANs on a network

Subinterfaces are multiple virtual interfaces, associated with one physical interface.

These subinterfaces are configured in software on a router that is independently configured with an IP address and VLAN assignment to operate on a specific VLAN.

Traditional routing requires routers to have multiple physical interfaces to facilitate inter-VLAN routing.

Functionally, the router-on-a-stick model for inter-VLAN routing is the same as using the traditional routing model, but instead of using the physical interfaces to perform the routing, subinterfaces of a single interface are used.

Subinterfaces require the switch port to be configured as a trunk port so that it can accept VLAN tagged traffic

To configure switch port F0/5 as a trunk port, execute the switchport mode trunk command in interface configuration mode on the F0/5 interface. You cannot use the switchport mode dynamic auto or switchport mode dynamic desirable commands because the router does not support dynamic trunking protocol.

1.verify vlan assigning in switch
2.verify switchport mode, (switch --> router must in trunk mode for subinterface to work)
3.wrong VLAN setting in router ( encapsulation bla bla)
4. ip adress and subnet mask

Each interface, or subinterface, needs to be assigned an IP address that corresponds to the subnet for which it is connected


Chap 7 Wireless

You should be aware that when a standard uses OFDM, it will have faster data rates.

The ITU-R regulates the allocation of the RF spectrum and satellite orbits.

The IEEE developed and maintains the standards for local and metropolitan area networks with the IEEE 802 LAN/MAN family of standards

The Wi-Fi Alliance is an association of vendors whose objective is to improve the interoperability of products that are based on the 802.11 standard by certifying vendors for conformance to industry norms and adherence to standards.

-ITU-R regulates allocation of RF bands.
-IEEE specifies how RF is modulated to carry information.
-Wi-Fi ensures that vendors make devices that are interoperable.

an access point converts the TCP/IP data packets from their 802.11 frame encapsulation format in the air to the 802.3 Ethernet frame format on the wired Ethernet network.

Imagine two client stations that both connect to the access point, but are at opposite sides of its reach. If they are at the maximum range to reach the access point, they will not be able to reach each other. This knowns as hidden nodes

One means of resolving the hidden node problem is a CSMA/CA feature called request to send/clear to send (RTS/CTS).

When RTS/CTS is enabled in a network, access points allocate the medium to the requesting station for as long as is required to complete the transmission.

The wireless network mode refers to the WLAN protocols: 802.11a, b, g, or n.

When a Linksys access point is configured to allow both 802.11b and 802.11g clients, it is operating in mixed mode.

A shared service set identifier (SSID) is a unique identifier that client devices use to distinguish between multiple wireless networks in the same vicinity. Several access points on a network can share an SSID

Beacons - Frames used by the WLAN network to advertise its presence. (advertised by access point)
Probes - Frames used by WLAN clients to find their networks.

The common distribution system allows multiple access points in an ESS to appear to be a single BSS.

The attacker, using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations. The access points, in turn, flood the BSS with simultaneous traffic, causing a constant stream of collisions.

This login process is managed by the Extensible Authentication Protocol (EAP). EAP is a framework for authenticating network access

SSID cloaking - Disable SSID broadcasts from access points
MAC address filtering - Tables are manually constructed on the access point to allow or disallow clients based on their physical hardware address
WLAN security implementation - WPA or WPA2

Various types of PSKs are as follows:

PSK or PSK2 with TKIP is the same as WPA
PSK or PSK2 with AES is the same as WPA2
PSK2, without an encryption method specified, is the same as WPA2

Multiple access points that share a service set identifier combine to form an extended service set.

wireless NIC - encodes a data stream onto a RF signal

Wednesday, November 4, 2009

CCNA3 Chap 1-3 Note

Chapter 1 LAN Design

In smaller networks, it is not unusual to implement a collapsed core model, where the distribution layer and core layer are combined into one layer.

Access layer switches can be configured with various port security options that provide control over which devices are allowed to connect to the network

Network diameter is the number of devices that a packet has to cross before it reaches its destination.

Link aggregation allows multiple switch port links to be combined so as to achieve higher throughput between switches.

Convergence is the process of combining voice and video communications on a data network.

User community analysis is the process of identifying various groupings of users and their impact on network performance.

Modular switches typically come with different sized chassis that allow for the installation of different numbers of modular line cards.

StackWise allows you to interconnect up to nine switches using fully redundant backplane connections.

Stackable switches are desirable where fault tolerance and bandwidth availability are critical and a modular switch is too costly to implement.

Forwarding rates define the processing capabilities of a switch by rating how much data the switch can process per second.

Link aggregation helps to reduce these bottlenecks of traffic by allowing up to eight switch ports to be bound together for data communications, providing up to 8 Gb/s of data throughput when Gigabit Ethernet ports are used.

Power over Ethernet (PoE) allows the switch to deliver power to a device over the existing Ethernet cabling.

Layer 3 switches are also known as multilayer switches.

PoE dramatically increases the overall price of the switch across all Cisco Catalyst switch product lines, so it should only be considered when voice convergence is required or wireless access points are being implemented, and power is difficult or expensive to run to the desired location.

Distribution layer switches are typically implemented in pairs to ensure availability. It is also recommended that distribution layer switches support multiple, hot swapable power supplies. Having more than one power supply allows the switch to continue operating even if one of the power supplies failed during operation


Chap 2 Basic switch


collision --> detect increase amplitude --> jamming signal --> backoff algorithm invoked -->stop transmitting for random time

An Ethernet MAC address is a two-part 48-bit binary value expressed as 12 hexadecimal digits. The address formats might be similar to 00-05-9A-3C-78-00,

auto - autonegotiation
full - full duplex
half - halp duplex

For Fast Ethernet and 10/100/1000 ports, the default is auto. For 100BASE-FX ports, the default is full.

Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature.

For example, if a 12-port switch has a device connected to each port, 12 collision domains are created.

Since Layer 2 data is present earlier in the frame structure than the Layer 3 data, switches can process the frame more quickly.

Even though the LAN switch reduces the size of collision domains, all hosts connected to the switch are still in the same broadcast domain.

The use of higher layer devices can also increase latency on a network

Cut-through switching
Because the switch does not have to wait for the entire frame to be completely buffered, and because the switch does not perform any error checking, cut-through switching is faster than store-and-forward switching. switching
2.fragment-free switching
the switch stores the first 64 bytes of the frame before is a compromise between the high latency and high integrity of store-and-forward switching,

Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck. - smoother network
-memory buffering

Routers are also capable of performing packet forwarding tasks not found on Layer 3 switches, such as establishing remote access connections to remote networks and devices.

AAA and TACACS are authentication protocols that can be used in networks to validate user credentials

You can change the aging time setting for MAC addresses. The default time is 300 seconds.

To create a static mapping in the MAC address table, use the mac-address-table static vlan {1-4096, ALL} interfaceinterface-id command.

If you want to remove the requirement to store all system passwords in an encrypted format, enter the no service password-encryption command from global configuration mode. Removing password encryption does not convert currently encrypted passwords back into readable text. However, all newly set passwords are stored in clear text format.

enable password recovery
-dir flash
-rename flash:config.text flash:config.text.old
-rename flash:config.text.old flash:config.text
-copy flash:config.text system:running-config
-configure terminal
-enable secret password
-copy running-config startup-config

The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The MOTD banner displays before the login banner if it is configured.

To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4).

the CLI-based session time-out value returns to the default of 10 minutes.

Specify the number of times that a client can re-authenticate to the server. The default is 3

//MAC flooding
MAC flooding can be performed using a network attack tool. The network intruder uses the attack tool to flood the switch with a large number of invalid source MAC addresses until the MAC address table fills up.

When the MAC address table is full, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the MAC address table. The switch, in essence, acts like a hub.

//DHCP starvation attack
causes all of the leases on the real DHCP server to be allocated, thus preventing the real users (DHCP clients) from obtaining an IP address.

to prevent DHCP attacks, use the DHCP snooping
Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages; untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.

Static secure MAC addresses
Dynamic secure MAC addresses:
Sticky secure MAC addresses:

If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

security violation modes
protect - drop packet, no notification
restrict - drop packet, got notification
shutdown - turn off port, default mode


Chap 3 - VLANs

A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network.

All switch ports become a member of the default VLAN after the initial boot up of the switch.

The Scavenger class is intended to provide less-than best-effort services to certain applications. . These include peer-to-peer media-sharing applications, gaming.

A dynamic port VLAN membership is configured using a special server called a VLAN Membership Policy Server (VMPS). With the VMPS, you assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port.

The configuration command mls qos trust cos ensures that voice traffic is identified as priority traffic.

switchport voice VLAN 150

The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you can not delete it.

It is a security best practice to change the default VLAN to a VLAN other than VLAN 1;

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).

SVI is a logical interface configured for a specific VLAN. By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration.You need to configure an SVI for a VLAN if you want to route between VLANs

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch

Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol

DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP.

Trunking modes
switchport mode trunk.
-Dynamic auto
switchport mode dynamic auto.
-Dynamic desirable
switchport mode dynamic desirable
-turn off DTP
switchport nonegotiate.

Note: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN.

Alternatively, the entire vlan.dat file can be deleted using the command delete flash:vlan.dat from privileged EXEC mode. After the switch is reloaded, the previously configured VLANs will no longer be present.

Common problem with trunks
-native VLAN mistmatches
the native VLAN set wrong
-trunk mode mismatches
ex. dynamic auto + dynamic auto = access
-allowed vlans on trunks

VLANs are used to segment broadcast domains in a switched LAN. This improves the performance and manageability of LANs. VLANs provides network administrators flexible control over traffic associated with devices in the LAN.

Routers or Layer 3 switches are required for inter-VLAN communication

IEEE802.1Q is standard trunkng protocol. It does not tag native VLAN traffic,which can result in problems when trunking is misconfigured.

One IP subnet to one VLAN