pello's network security

vmware and ubuntu kernel update

Sun, 15 Aug 2010 12:12:50 +0200

You just upgraded to the latest ubuntu kernel available and vmware stopped working. This time, running the vmware-config.pl script has not be sufficient. It worked but the job was done badly.

This patch solved my problems with the latest ubuntu 10.04 kernel: http://communities.vmware.com/thread/267682

Right after applying patches, re-run the vmware-config.pl script.

SPF DNS top domains report

Sat, 24 Jul 2010 12:58:00 +0200

As of 24th july: dig +short TXT -f top10 | grep spf | wc -l => 7 dig +short TXT -f top100 | grep spf | wc -l => 67 No ip6 filtering within the top100

Hacking mindmap

Sat, 19 Jun 2010 12:56:58 +0200

Hacking mindmap

ssl/ssh multiplexer

Wed, 16 Jun 2010 22:53:11 +0200

ssl/ssh multiplexer

Cisco Nexus troubleshooting notes

Mon, 14 Jun 2010 17:03:55 +0200

Some commands useful for troubleshooting the nexus platform:

show feature
show version
show system reset-reason
show logging onboard stack-trace
show logging nvram
show proc mem
show system internal kernel meminfo
show system internal flash
show system internal kernel malloc-stats
show system internal kernel memory global detail
show system internal kernel skb-stats
show system internal kernel messages
show system internal kernel nvram-trace
show hardware internal proc-info pcacheinfo
sh system internal mts sup sap 252 stats
sh system internal mts sup sap 252 description
sh system resource
sh system internal mts buffers details
sh system internal mts event-history msgs
sh system internal mts event-history errors
ethanalyzer local sniff-interface mgmt det limit-captured-frames 0
Never do a “show tech”

To be completed…

Google IPv6 Implementors Conference (since 2008)

Sat, 12 Jun 2010 20:08:10 +0200

Google IPv6 Implementors Conference (since 2008)

IEEE member card

Tue, 01 Jun 2010 19:04:57 +0200

IEEE member card

Old Version Downloads - OldApps.com

Tue, 01 Jun 2010 00:04:55 +0200

Old Version Downloads - OldApps.com

SixXS - IPv6 Deployment & Tunnel Broker :: IPv6 ULA (Unique Local ...

Wed, 26 May 2010 01:56:30 +0200

SixXS - IPv6 Deployment & Tunnel Broker :: IPv6 ULA (Unique Local ...

BGP strikes again? No… it’s just a change in the...

Fri, 21 May 2010 11:20:20 +0200

BGP strikes again? No… it’s just a change in the SNMP community name

Scapy and checksum calculation

Tue, 18 May 2010 10:00:00 +0200

Sometimes you have to (re)calculate a checksum when you modify packets or when you try to solve friends networking challenge like the following:

I’m 45000064000f0000fe013726c0a80108c0a8030b - a 20 bytes IP header.

What will be my checksum after the next hop? :-)

It’s easy with scapy … first, import the hex, modify the TTL, delete the checksum then apply show2() function. This one automatically recalculate the new checksum for you.

»> pownage=IP(import_hexcap())
0000 4500 0064 000f 0000 fe01 3726 c0a8 0108
0010 c0a8 030b
»> pownage.ttl = pownage.ttl - 1
»> del pownage.chksum
»> pownage.show2()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 100
id= 15
flags=
frag= 0L
ttl= 253
proto= icmp
chksum= 0x3826
src= 192.168.1.8
dst= 192.168.3.11
options= ”

OpenBSD 4.7 goodies and Cisco

Thu, 13 May 2010 15:06:00 +0200

Meat and goodies:

OpenBSD and Cizcoeee:

OpenBSD 4.7 official release date is 19th May of 2010 but already available as pre-order.

Leon’s ten rules for improved network security

Thu, 13 May 2010 13:58:38 +0200

Leon’s ten rules for improved network security

Big LAN and ARP broadcast

Tue, 11 May 2010 10:00:00 +0200

Sometimes the network suffers from a very BAD design (like large L2 domain).

In this situation, some (normal) network behavior are more visible than it should if the network had a better designer.

The reason of the bad design is often part of the history OR the hired consultant dislikes th company he works for and ship them with a bad design :D

One of the visible phenomenon occurs when many hosts are populated in ARP caches and the local table overflows. The default ARP cache on Linux (and every other OS) are not suited for the bad designed networks.

It results in broadcast storms that kills network performances. Another side effect that double the bad effect is when you have configured broadcast rate-limiter. This feature could kills ARP broadcast and make the packets dance … dance again and again through your L2 network.

To fix the network, you must go in two directions:

re-think your broadcast rate-limiter (in some network devices it’s done automatically without configuration! don’t trust the vendor pre-sales in his well-suited costume, trust the packets!
adjust ARP cache and garbage collector settings on your end hosts. And adjust CAM age entries on your transit L2 devices. For Linux, you can go with those parameters:

$ sudo echo ‘net.ipv4.neigh.default.gc_thresh3’ = 4096 » /etc/sysctl.conf

$ sudo echo ‘net.ipv4.neigh.default.gc_thresh2’ = 2048 » /etc/sysctl.conf

$ sudo echo ‘net.ipv4.neigh.default.gc_thresh1’ = 1024 » /etc/sysctl.conf

$ sudo sysctl -p

Et voilà!

Wireshark configuration for Check Point fw monitor

Sat, 08 May 2010 17:05:39 +0200

Here is how to set-up correctly wireshark in order to read fw monitor output friendly:

ctrl+shift+p
Protocols / Ethernet / Attempt to interpret as Firewall-1 monitor file
Protocols / FW-1 / Monitor file includes UUID and Interface list includes chain position
User Interface / Columns / Add : fw-1 chain|FW-1 monitor if/direction
Apply preferences
View / Coloring rules / New
preIn / fw1.direction==i
postIn / fw1.direction==I
preOut / fw1.direction==o
postOut / fw1.direction==O

Good luck!

802.3x prezo

Tue, 04 May 2010 20:17:16 +0200

Breaking the myth about 802.3x usage. Here is a public prezo I did for a customer.

Click here to download the prezo.

Table of contents:

Do you really know Flow Control?
802.3x standard
Places where you will find 802.3x
Pause frames were created to defeat non wirerates switches
Symetric vs Asymetric 802.3x
Asymetric speed connected to the same L2 device
Flow control on trunk/etherchannel impact
Where to use flow control
(some) Cisco switches behavior
Pause frames in wireshark
802.3x Black Hat
802.3x versus QoS
Datacenter
Ethernet over MPLS
Operational tips
Best practices summary

Enjoy …

Wireshark · OUI Lookup Tool

Sat, 01 May 2010 14:16:00 +0200

Wireshark · OUI Lookup Tool:

The Wireshark OUI lookup tool provides an easy way to look up OUIs and other MAC address prefixes. It uses the Wireshark manufacturer database, which is a list of OUIs and MAC addresses compiled from a number of sources.

Wireshark: extract HTTP objects from captured traffic

Sat, 01 May 2010 10:45:43 +0200

Looking for an elegant way to extract HTTP objects (images, javascript, …) from a pcap file?

Open the pcap file under wireshark then click on FILE => Export => Objects => HTTP.

802.3x blackhat pownage

Fri, 30 Apr 2010 22:48:00 +0200

Little leak from a future prezo for a customer:

802.3x flow control is a quick&dirty protocol. If you have physical access to install a hub anywhere on the network or already have a victim host under control it could lead to a massive Ethernet Denial of Service.

It’s very easy to kill a network at layer 2 if mitm is possible and flow control receive is on by replaying quanta 65535 pause frames.

Impact:

No new flows creation will be possible.

Existing connections breaks if DoS is longer than upper layers timeout.

Reply from 10.162.112.45: bytes=32 time<1ms TTL=255

Request timed out.

…

Request timed out.

Reply from 10.162.112.45: bytes=32 time=1729ms TTL=255 <— Attack stopped

Reply from 10.162.112.45: bytes=32 time<1ms TTL=255

2960_lab_test#sh int flow | inc (Fa0/48|Port)

Port Send FlowControl Receive FlowControl RxPause TxPause

Fa0/48 Unsupp. Unsupp. on on 385552 0

Haha received another inquiry from PHP.Hop willing users! yes! phphop rstack page is down. Pls look...

Wed, 21 Apr 2010 12:54:29 +0200

Haha received another inquiry from PHP.Hop willing users! yes! phphop rstack page is down. Pls look at HiHat or glastopf projects.