Category Archives: elguber

Perl programming

I am back again.

I have been thinking about a programming language that could be useful for a network guy, and I have finally settled on Perl. I don't know if it is the best one or not, but it reminds me of my student days. The language is quite similar to C.

The purpose of the script is to modify a given file. I wrote it because at work I was repeating the same task many times, so I decided to script it. Because we are doing more and more repetitive tasks, I will keep my Perl skills up to date. So, let's read a file with Perl 😉

#!/usr/bin/perl
use strict;
use warnings;

# initial file to read and modify
my $file = "file.txt";
# final file
my $final = "final.txt";
# text or characters deleted from the original
my $bin = "bin.txt";

my $line;
my $i = 0;

# check that the files can be opened or created (three-argument open, lexical handles)
open(my $FILE,  '<', $file)  or die "ERROR: File $file not found: $!\n";
open(my $FINAL, '>', $final) or die "ERROR: File $final cannot be created: $!\n";
open(my $BIN,   '>', $bin)   or die "ERROR: File $bin cannot be created: $!\n";

# read the file line by line
while ($line = <$FILE>) {
    if ($line =~ /COMMENT/) {      # if the line contains the string "COMMENT", send it to the bin file
        print $BIN $line;
    }
    elsif ($line =~ /\}/) {        # if the line contains the string "}", send it to the bin file
        print $BIN $line;
    }
    elsif ($line =~ /;$/) {        # if the line ends in ";" it is kept. $ matches the end of the line, before the trailing \n
        if ($line =~ /CHAIN/) {    # if the line contains the string "CHAIN",
            if ($i == 0) {         # counter added for formatting purposes
                print $FINAL "\n------\n";
                $i = $i + 1;
            }
            else { $i = 0; }       # reset to 0 because "CHAIN" appears twice in the file and the separator is only needed once
        }
        # substr takes the line from offset 1 (Perl offsets start at 0, so this skips the first
        # character) up to, but not including, the last 2 characters: "\n" and the ";" before it
        print $FINAL substr($line, 1, -2) . "\n";
    }
    # any other line is silently dropped
}

# close the files
close($FILE);
close($FINAL);
close($BIN);

An important function in the script is substr. You can use it like this:

print substr($line, 1, -2);

We are extracting a substring from another string. In our case we read the line ($line) and take from position "1" up to position "-2". With the negative sign we indicate that the position is counted from the end of the string, not from the start.

The basic syntax of substr is substr(EXPR, OFFSET, LENGTH):
EXPR – the string expression from which the substring will be extracted.
OFFSET – the index at which the extracted substring starts (the first character is at offset 0; a negative offset counts from the end).
LENGTH – the length of the substring to extract (a negative length leaves that many characters off the end of the string).


Back Track 5 r3 a BOx or a BOmb. The security suite.

Since it was started in 2006, Back Track has become one of the best security suites in the penetration testing market. Due to that fact, there has been a huge proliferation of this kind of software in the last few years.

In this article we are going to cover how a bunch of software can be as easy as pie, or a dangerous game that could get you into trouble. On one side, installation is pretty easy (even in a virtual machine you can easily run a security distribution). On the other side, managing and mastering it is in a completely different league.

We have in front of us a Linux OS with more than 300 penetration tools.

This article will help you to open the box. What can you do with a box? Not much, or maybe nothing. But with the content of the box you could probably do a lot of things, even more if we are talking about a big box with hundreds of boxes inside. I must tell you to be careful, because depending on the use, the content can be as bad as nitroglycerin. Needless to say, in some countries the use of these tools can be considered terrorism.

When used in the right way, we have a great security tool that can help in several different areas (wifi, forensics...). With the right knowledge in each area, the power multiplies 10 times.

If you use it wrongly, you can have serious problems. That said, it will be your own responsibility once you start BackTrack.

After you read this article, you will be able to run a security suite and use a couple of applications. My opinion is that the information displayed here is enough to get you hooked and hungry for knowledge. I think so mainly because I will give you a few tips to get information from the system you want to audit 😉. I say "a small part" because it is quite difficult to talk about more than the 300 tools that are part of Back Track. Within security there are also different fields that we could talk about, and talk a lot, by the way.

I still remember the time, several years ago, when I discovered this tool. It was Back Track 2 at that time. I was using a new DELL laptop with 2 GB of RAM, a 1.6 GHz Intel processor and an NVIDIA graphics card. It took me at least 3 days to sniff a simple packet because of my wifi chipset version, and another extra day to inject traffic. I didn't have internet at home because I was living abroad, and I had to go to a local cybercafe.

Let's start from the beginning. The current version is BackTrack 5 r3. I recommend downloading the ISO image from http://www.backtrack-linux.org/. Since this is a modified Ubuntu version (Ubuntu 4.4.3, to be more accurate), you can run it even on a smartphone.

Once the iso is in your hands, you have 3 options:

  • Install it on your hard drive. Highly recommended for professionals.
  • Install it on a USB stick or DVD (with the proliferation of USB devices the DVD does not make much sense, but it is a possibility) to run a live version. It is also a good option if you do not want to change anything on your computer. But I would recommend that, once you run your live image, you make your changes persistent on the USB, because otherwise the next time you run it you will have to redo the configuration. And that is not so funny.
  • Virtualization. The best and quickest option to play with. This option offers you the possibility to install, or even run the live ISO image in, a virtual machine. It is the easiest way to start using it. You could run many virtual machines with only one PC, depending on the features and characteristics of your equipment. With a computer and a couple of virtualized machines you can play at protecting one box and attacking the other. It is fun if you are into it, and you could spend lots of hours 🙂

First steps:

After booting the system, you can see the following message:

Figure 1 – Boot

Press Enter and you will enter the main boot menu. There are 3 different modes:

- Stealth

- Forensics

- Text (this one is the default option)

Figure 2 – Back Track menu

The main objective of this article is to speak only about the first boot option, "Text mode", so you can get to know it better. Let's say that I jump quickly into graphic mode, basically because that's the easiest way in most cases and because it is a friendlier environment. I must also say that to reach excellence in Back Track you need to be fairly good in text mode and know it very well. That is the same as saying "if you want to run, you should start by walking".

Following the instructions, once you press "BackTrackText" the screen will show:

Figure 3 – Login

When the "bt login" prompt appears, you are already in text mode. The following are the credentials to log into the system:

user: root
password: toor (the one used in the last Back Track distributions)

Figure 4 – Command line

When you type the default credentials, you will see the prompt shown above. From here the race begins! You can start to play now. At this point we have crossed the line. Everything is ready!

You can start applications in text mode (tcpdump, netcat, nmap...). Also, as in every Linux distribution, with Alt + function keys you can move between terminals.

To run the graphical environment, just type:

root@bt:~# startx

Once you are in the main window, go to Applications > BackTrack. You will now see all the areas that BackTrack covers:

Figure 5 – Back Track Xwindow

From now on, it depends on preferences. As you can see in the previous image, there are different areas to explore:

  • Information Gathering
  • Vulnerability Assessment
  • Exploitation Tools
  • Privilege Escalation
  • Maintaining Access
  • Reverse Engineering
  • RFID Tools
  • Stress Testing
  • Forensics
  • Reporting Tools
  • Services
  • Miscellaneous

As a good expert, before any attack you need to know your "victim", right? I believe it is sensible to start with the Information Gathering tools. You need to get as much information as possible to find the best attack vectors. Personally, one of my favourite tools for reconnaissance jobs is Maltego. The Paterva guys are doing a very good job in this area. With a graphical interface, they make it easy to start getting information from a simple domain record. With this tool you simplify your work, avoiding getting stuck in text mode and parsing output to draft the final report. It is quite complete, and there is even the possibility to add plugins.

Believe me, this tool is fantastic. Let me tell you that, as a security consultant, Maltego helps a lot. To be honest, as a consultant, the whole suite is a mandatory tool to have. It is like an all-in-one. I do not need to say that a good professional usually has every tool personalized, and this is also the case here. Back Track runs under a Linux distribution or, even better, it is a Linux distribution already modified for security experts. So, once you are provided with the ultimate Back Track tool, you may start to tune it to fulfil your own needs.

You also have Wine installed by default to run Windows applications on a Linux machine.

  • Let's talk now about Maltego. A previous version (version 2) comes to mind in which you were not asked to log in, as you are in this new one. This has probably been done to provide better features.

How can we use it then? Where should I start? Once you open it, the picture shown next (Figure 6) is the first screen you will see:

Figure 6 – Maltego

The first option that you should check is Manage > Manage Transforms. This is an important one and the real engine that sets how Maltego will work later on. A good transform will lead you to a better result.

Figure 7 – Transform manager

You can create your own transforms, personalized according to your needs, or you can modify the ones that are in the system by default. You also need to accept each transform's disclaimer, unless you want to accept it every time you run a transform. You can sort them by Status and accept the ones in "disclaimer not accepted" status. After you fine-tune your transforms, you are ready to start using Maltego.

There are several ways to view the information: Main View, Bubble View and Entity List View. By default, Main View is the one selected. The differences are in how the data is represented (with icons in the main view, with bubbles in the bubble view, and as a list). The default view starts as in Figure 6. Let's see the options. On the left side are the objects that you can drag and drop into the Main View. On the right side you see some other windows that will be empty until you select an icon. Starting from the left and selecting "Domain", for example, you already have the first piece of the game. I did a test with the default value, which is paterva.com. Of course you can change it to whatever domain name you want, and do the same for each object. Clicking on it, or even hovering the mouse over it, gives you a detailed view and also a property view on the right side of the main window. With a single object there is not much we can do. Let's go on! Now right-click on the domain, choose "Run Transform" -> "All transforms", and this is the result:

Figure 8 – Transformation finished

As you can see, there is a lot of "rubbish". In this case, if you visit paterva.com you will notice that at the bottom of the website there are some social network icons, and that is why you see Facebook, Twitter, YouTube... in your graph. The same happens with phones and some other objects. For that reason, discard all the icons that are not giving you any interesting information. You can then continue running transforms on each icon until you get the final picture.

When you click on "Running transforms", this is what Maltego is doing in the "background" to finally draw the picture:

Figure 9 – Transform output

The best idea is to check only the important transforms or, even better if you ask me, disable the ones not needed and create personalized ones. As I said before, the first clicks you should make after starting Maltego are Manage > Manage Transforms.

  • Another interesting tool that we can talk about is EtherApe. It is not under the BackTrack option in the main menu; you can find it under System Tools or Internet. This is a graphical network monitor with 5 different capture modes (Token Ring, FDDI, Ethernet, IP and TCP). You can see the connections from your host, the connections to your host, or both. This is, in my opinion, an easy and light tool with just a few options, but very useful.

Figure 10 – EtherApe – Preferences

You will surely be surprised if you run this tool after you type your favourite website. It is as if it were alive: every few seconds, a banner or another link in your browser creates a connection. I did a test with http://www.facebook.com. You can also see the IPs, traffic per node and traffic per protocol.

Figure 11 – EtherApe

An easy and quick example that you can try is typing the IP of your own router in your browser; you will see that only one connection is created between you and the router. But if you type, for example, http://www.amazon.com, you will see the much larger number of connections that are created.

Let's assume that you are a security guy who needs to audit a "secured system". The first action you may take is to change your MAC address, because you do not want to be discovered, or because you already know the physical address of a machine and you want to obfuscate yours. The tool used for that purpose is the one we are going to see next, macchanger.

  • Macchanger.

Figure 12 – Macchanger

As you can see in the previous screenshot of the help menu, this is an easy and useful tool, much like some of the previous ones. You could also do it with a virtual machine, but if you want to change the address many times, this tool is worth it.

The last application I will cover in this article is:

  • Metasploit. This application is an exploitation tool, so we will find it in the path below (see Figure 13):

Figure 13 – Metasploit path

Metasploit is a powerful framework that can be used in different fields. It is like a Back Track inside another Back Track. I would like to start by mentioning that an important task you should do before starting to play with it is to update the database. The real power of this tool is in the database, which is continuously updated. Metasploit "exploits" vulnerabilities, and if you don't have this database up to date it is like an anti-virus that has not been updated for 3 months. Maybe you intend to exploit a vulnerability that is already in the database and you do not want to update, but this is not usual, because vendors and software developers are also fixing the problems as soon as possible. There are some cases in which the time from day "0" to the moment the problem is patched is longer than expected.

To understand this better, let's think about a scenario: you are a system administrator for an important company and your web server is affected by an XSS. Due to this vulnerability, a user could get a copy of your user database, compromising the privacy of the employees. As a good administrator, you need to test that your application is not affected by the dangerous bug or, if it is affected, try to fix the problem. The most important thing for you is the system that you are administering. We need to know our infrastructure (software and hardware), and also the behaviour of a specific pattern.

Some concepts that should be familiar to you when using Metasploit are payload and exploit. A payload is the piece of software that allows you to take control of the computer affected by the vulnerability that the exploit is exploiting. The best-known payload is Meterpreter (we will see it in the example later on). An exploit is a program or piece of software designed to break into or crash a system through a known vulnerability.

What this software basically does is check a database for all kinds of bugs for different platforms, software... (that is why it is so important to update first). You can load a bug for a specific application and, once it is loaded, you can attack the application with that tool. Let's see it with an example:

1st – Update the database. As I mentioned before, this is an important step. Looking at Figure 13, we can see that there is an icon to update Metasploit. Click on it and prepare yourself a good coffee while you wait. It will take time.

Figure 14 – Updating Metasploit

2nd – Start Metasploit. You will get a random banner and at the end you will see: version, exploits, payloads...

Figure 15 – msf console

3rd – Find a bug in Metasploit and try to use it. Just type the "search" command plus a string to search for. In the example below we are searching for ms08 (command: "search ms08").

Figure 16 – Searching in modules

4th – Load the module. Once you have chosen the exploit, type "use" + module.

Figure 17 – Module loaded

Once you are in the ms08_067_netapi module, you need to investigate which options you can set.

Now you can define your parameters with the "set" command:

  • set rhost 192.168.1.61 (this is the IP of the remote host)
  • set lhost 192.168.1.59 (our local IP)

5th – Once it is loaded, run the attack to exploit the bug. When we have the parameters configured, we type the "exploit" command and WE ARE INSIDE!!

Figure 18 – Exploiting

Meterpreter is the payload. Invoking help, we will see the commands that can be executed on the remote host.

Figure 19 – Shell in remote host

This is only one module, and you could load hundreds of modules. We can also find hundreds of exploits.

To sum up, the commands used in this article for Metasploit are:

  • ./msfpro -> Start the program
  • search + "string" -> Search the big database; you need this command.
  • use + module -> Load the module
  • show options -> Options of the module that you previously loaded.
  • set + option -> Defines the values
  • exploit -> Starts the exploit

To cover in depth all the tools included in this distribution I would need to spend some months of my life, or even some years.

To summarize, we are standing in front of a Swiss army knife (a big one, by the way!).

I have given you the main steps to use one of the best security suites in the world. Now it is up to you. With that amount of tools in Back Track, you can choose the one that is your strong point, try to use it and do your best. Or you could even investigate other areas.

If you are an expert in networks, you can use BT. If you are a programmer, you can use BT. If you are a DDBB expert, you can use BT. If you are a security specialist, you can use BT. Even if you are not an IT expert, you can also use it to get information about any place, person or item 😉

About Eduardo Cuthbert:
I started in networking and security in 2004. Ever since I discovered the field of Security I have been passionate about it.

Having always lived and worked in a medium-sized city in Spain, I decided to try and take my chances abroad. Knowing that in other countries I could develop and research, I left and found a job in Switzerland, where I am currently living and working.

I have always worked in those two fields and I consider myself a committed and focused person, so researching and learning about new developments is something essential to me. That’s why I have always looked for better ways of improving.

Throughout my career I have obtained several certifications, such as CCNP and CCSP.

I am also a cycling enthusiast.

Text: Eduardo Cuthbert González

Proof reader: Desirée Suarez González

FreeBSD – Reset password

Three steps to change the root password in FreeBSD:

Step 1: Boot in single user mode

As the operating system is starting, it will display the following message:

Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [kernel] in 10 seconds…

You should now press the space bar, and you will see the following message:

Type '?' for a list of commands, or 'help' for more detailed help.
ok

Type

# boot -s

to start FreeBSD in single user mode. After the system boots, you should see the statement:

Enter full pathname of shell or RETURN for /bin/sh:

Press the Enter key and you will have a # prompt.

Step 2: Mount the filesystems

At the command prompt, issue the mount command. This command will mount all the filesystems listed in your /etc/fstab file.
# mount -t ufs -a

Step 3: Change the root password

Issue the passwd command and you will be prompted to enter a new password for the root account.

# passwd

New password:_
Retype new password:_
passwd: updating the database…
passwd: done

# exit

Wireshark

A new book in my particular library:
Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide

I have been following Laura Chappell closely, and after a hard day in the office I decided to buy this book.
I was fed up with seeing some of the options in a capture and using Wireshark at 10 or 20 % of its capacity.
I said to myself, this is not the right path to understand and analyze a network.
It is time to change and to try to understand this fantastic tool a bit more.

Who knows if this is my new certification challenge... Let's see. At the moment I have started with the chapter that explains all the options in the program.

If you are thinking of buying the book, you have some options:

http://www.wiresharkbook.com/
http://www.amazon.com/

tcpdump


tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -C file_size ] [ -G rotate_seconds ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,… ]
[ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
[ expression ]

Command Line Options
-A Print frame payload in ASCII
-c <count> Exit after capturing count packets
-D List available interfaces
-e Print link-level headers
-F <file> Use file as the filter expression
-G <n> Rotate the dump file every n seconds
-i <iface> Specifies the capture interface
-K Don’t verify TCP checksums
-L List data link types for the interface
-n Don’t convert addresses to names
-p Don’t capture in promiscuous mode
-q Quick output
-r <file> Read packets from file
-s <len> Capture up to len bytes per packet
-S Print absolute TCP sequence numbers
-t Don’t print timestamps
-v[v[v]] Print more verbose output
-w <file> Write captured packets to file
-x Print frame payload in hex
-X Print frame payload in hex and ASCII
-y <type> Specify the data link type
-Z <user> Drop privileges from root to user

EXAMPLES

To print all packets arriving at or departing from sundown:

tcpdump host sundown

To print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).

tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

To print IP packets longer than 576 bytes sent through gateway snup:

tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
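The last few filters above work on raw header bytes, and it is easy to misread what they compute. The following Python script is an added example (not part of the tcpdump manual or the original post): it constructs a few Ethernet/IPv4/TCP frames in memory (constructed sample data, no real capture) and re-implements three of the expressions above, so the arithmetic in ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), the tcpflags test and the ether[0] & 1 / ip[16] >= 224 check can be verified against known packets. The helper names (build_frame, tcp_payload_len, has_http_data, is_syn_or_fin, l3_multicast_without_l2_multicast) are this example's own.

```python
import struct

# Offsets in the tcpdump expressions: ether[n] is counted from the start of the
# frame, ip[n] from the start of the IPv4 header and tcp[n] from the start of
# the TCP header. ip[2:2] means "the 2 bytes at offset 2", read big-endian.
ETH_HDR_LEN = 14


def build_frame(payload=b"", tcp_flags=0x10, ip_options=b"", tcp_options=b"",
                dst_mac=bytes.fromhex("020000000001"), dst_ip="192.0.2.10"):
    """Construct an Ethernet/IPv4/TCP frame to port 80 (constructed sample
    data for this example, not a real capture). Options must be whole words."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4          # IP header length in 32-bit words
    data_off = 5 + len(tcp_options) // 4    # TCP header length in 32-bit words
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_off << 4,
                          tcp_flags, 65535, 0, 0) + tcp_options
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0, bytes([192, 0, 2, 1]),
                         bytes(int(o) for o in dst_ip.split("."))) + ip_options
    eth_hdr = dst_mac + bytes.fromhex("020000000002") + b"\x08\x00"  # EtherType IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def ip_byte(frame, n):
    """ip[n]: one byte at offset n of the IPv4 header."""
    return frame[ETH_HDR_LEN + n]


def ip_word(frame, n):
    """ip[n:2]: two bytes at offset n of the IPv4 header, big-endian."""
    return int.from_bytes(frame[ETH_HDR_LEN + n:ETH_HDR_LEN + n + 2], "big")


def tcp_byte(frame, n):
    """tcp[n]: tcpdump locates the TCP header using the IHL field, so do we."""
    ip_hdr_len = (ip_byte(frame, 0) & 0x0F) << 2          # (ip[0]&0xf)<<2
    return frame[ETH_HDR_LEN + ip_hdr_len + n]


def tcp_payload_len(frame):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2): IP total length
    minus IP header length minus TCP header length (data offset nibble * 4)."""
    return ((ip_word(frame, 2) - ((ip_byte(frame, 0) & 0x0F) << 2))
            - ((tcp_byte(frame, 12) & 0xF0) >> 2))


def has_http_data(frame):
    """'tcp port 80 and (... != 0)': port 80 on either side and a non-empty
    segment, which drops bare SYN/FIN/ACK packets."""
    sport = (tcp_byte(frame, 0) << 8) | tcp_byte(frame, 1)
    dport = (tcp_byte(frame, 2) << 8) | tcp_byte(frame, 3)
    return 80 in (sport, dport) and tcp_payload_len(frame) != 0


def is_syn_or_fin(frame):
    """tcp[tcpflags] & (tcp-syn|tcp-fin) != 0: tcpflags is TCP offset 13,
    tcp-fin is 0x01 and tcp-syn is 0x02."""
    return (tcp_byte(frame, 13) & (0x02 | 0x01)) != 0


def l3_multicast_without_l2_multicast(frame):
    """ether[0] & 1 = 0 and ip[16] >= 224: unicast destination MAC (group bit
    clear) carrying an IPv4 destination in 224.0.0.0 or above."""
    return (frame[0] & 1) == 0 and ip_byte(frame, 16) >= 224


if __name__ == "__main__":
    get = build_frame(payload=b"GET / HTTP/1.1\r\n", tcp_flags=0x18)  # PSH|ACK with data
    syn = build_frame(tcp_flags=0x02)                                  # bare SYN
    print("GET payload bytes:", tcp_payload_len(get), "http data:", has_http_data(get))
    print("SYN payload bytes:", tcp_payload_len(syn), "syn/fin:", is_syn_or_fin(syn))
    print("multicast IP on unicast MAC:",
          l3_multicast_without_l2_multicast(build_frame(dst_ip="224.0.0.1")))
```

The third frame in the test below carries both IP and TCP options, which is exactly the case the simpler "ip[2:2] - 40" shortcut gets wrong: the expression from the manual still reports the true payload length because it reads both header-length fields.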

Bigpipe vs TMSH

Important things to remember when examining commands in tmsh:

  • show (usually) provides just the statistical information, with configuration parameters present to provide a level of disambiguation.
  • list provides configuration information, but only the variations from the default. For example, "list /ltm nat 192.0.2.1" will only show the "originating-address" information.
  • all-properties extends a “list” command to show every configuration option, not just the variations from default.

DESCRIPTION

bigpipe command | tmsh command | Comment
b arp show | show /net arp all |
b arp all delete | tmsh delete /net arp all |
b class DATA-GROUP mode read | modify ltm data-group DATA-GROUP access-mode read-only |
b class show | show running-config /ltm data-group |
b cluster show | show /sys cluster all-properties |
b config load file.ucs | load /sys ucs file.ucs |
b config save file.ucs | save /sys ucs file.ucs |
b config sync | run /cm config-sync from-group/to-group DEVICEGROUPNAME |
b conn show | show /sys connection |
b conn show all | show /sys connection all-properties | Show all connection table properties
b conn ss server node-ip:node-port delete | delete /sys connection ss-server-addr node-ip ss-server-port node-port | Delete connection table entries for node-ip node-port
b daemon list | list /sys daemon-ha all-properties |
b db < key name > < value > | modify /sys db < key name > value < value > | Modify database values
b db Platform.PowerSupplyMonitor disable | tmsh modify sys db platform.powersupplymonitor value disable | Disables PSU alert if only one PSU in use on a dual PSU system
b db show | show running-config /sys db -hidden all-properties |
b export my.config.scf | save /sys scf my.config.scf | v10.x only
b export my.config.scf | save /sys config file my.config.scf tar-file my.config.tar | v11.0+
b failover standby | run /sys failover standby | v11+
b fo show | show /sys failover |
b fo standby | run /util bigpipe fo standby | v10+
b ha table | show /sys ha-status all-properties |
b hardware baud rate | modify /sys console baud-rate | v10: sol10621, v11: sol13325
b ha table show | show /sys ha-status all-properties |
b httpd list | list /sys httpd | To list the httpd configuration.
b import my.config.scf | load /sys scf my.config.scf | v10.x only
b import my.config.scf | load /sys config file my.config.scf tar-file my.config.tar | v11.0+
b interface show -j | show /net interface -hidden all-properties | -hidden is not tab completable, but should be shown in the command output on iHealth.
b load | load sys config partitions all |
b merge | load /sys config merge | Added in v11. In v10 use bigpipe
b merge /path/to/file.txt | tmsh load /sys config file /path/to/file.txt merge | Merge a file into the BIG-IP configuration. Added in v11. In v10, use bigpipe
b mgmt show | show running-config /sys management-ip |
b monitor show | show running-config /ltm monitor | (?)
b nat show | show /ltm nat all or list /ltm nat all-properties | The two tmsh commands are required here since b nat show lists the unit preference and ARP status. Statistical information is shown via "show" while configuration information is shown via "list".
b node all monitor show | list ltm node monitor |
b node show | show /ltm node |
b ntp servers 10.10.10.10 | modify sys ntp servers add { 10.10.10.10 } |
b packet filter all show | show /net packet-filter |
b partition | list auth partition | no "show" command yet, list will only show written partitions
b persist | tmsh show ltm persistence persist-records |
b platform | show /sys hardware |
b pool list | list /ltm pool |
b pool show | show /ltm pool members |
b profile access all stats | |
b profile auth all show all | show /ltm auth profile all | The tmsh auth command does not display the associated OCSP information shown by bigpipe.
b profile http ramcache show | show /ltm profile http |
b profile http stats | show /ltm profile http |
b profile ssl stats | show /ltm profile ssl |
b profile persist profile_name list all | tmsh list ltm persistence profile_name all-properties |
b profile tcp show | show /ltm profile tcp |
b profile tcp stats | show /ltm profile tcp |
b profile udp show | show /ltm profile udp |
b profile udp stats | show /ltm profile udp |
b profile xml show | show /ltm profile xml |
b reset | load / sys default-config | v10.x
b reset | load / sys config default | v11.x
b route show | show /net route all |
b rule < rule > show all | show /ltm rule < rule > |
b rule show | show /ltm rule all |
b rule stats reset | reset-stats /ltm rule < rule > |
b save | save sys config partitions all |
b self show | show running-config /net self |
b snat | show /ltm snat |
b snatpool show | show /ltm snatpool |
b software | show sys software |
b software desired | install sys software image NAME volume HDX.Y reboot |
b software desired | install sys software image NAME create-volume volume HDX.Y | v11.0+ : Creates the volume and installs the software. (Cannot create empty volumes in v11)
b software desired | install sys software hotfix NAME volume HDX.Y | Installs the desired hotfix to the specified volume.
b stp show | show running-config /net stp all-properties |
b syslog list all | list sys syslog all-properties |
b syslog remote server none | modify sys syslog remote-servers none |
b syslog remote server test-srv host 192.168.206.47 | modify sys syslog remote-servers add {test-srv{host 192.168.206.47}} | You can append "remote-port 517", for example, to the end of the command to specify the port
b syslog remote server test-srv local ip 172.28.72.90 | modify sys syslog remote-servers modify {test-srv{local-ip 172.28.72.90}} | The self IP must be non-floating
b system hostname | modify sys global-settings hostname NEWHOST.EXAMPLE.COM |
b trunk show -j | show /net trunk -hidden all |
b trunk all lacp show | show /net trunk detail |
b unit show | |
b verify load | load sys config verify |
b version | show /sys version | Takes grep (but not "head" as in "b version |head") – for example, grep on build: tmsh show sys version |grep -i build
b virtual address show | show /ltm virtual-address all-properties | "show" does not show the objects used by the virtual, and list does not show statistics.
b virtual all show all | show /ltm virtual all-properties or list /ltm virtual all-properties | "show" does not show the objects used by the virtual, and list does not show statistics.
b vlan all show all -j | show /net vlan -hidden |
b vlangroup all show all | show /net vlan-group all |
bigstart status|start|stop|restart SERVICE_NAME | show|start|stop|restart sys service SERVICE_NAME |
bpsh (?) | load sys config from-terminal merge | Merge config from the interactive shell. Paste or type the config objects you want to add, then type Ctrl+d to complete the submission or Ctrl+c to cancel the input. Added in v11.0.

Linux Commands (Commands only accessible from the CLI)

Linux Command | tmsh | Comment
arp -an | run /util bash -c "arp -an"
crontab -l | run /util bash -c "crontab -l"
date | run /util bash -c "date"
df -h | run /util bash -c "df -h"
df -i | run /util bash -c "df -i"
df -ik | run /util bash -c "df -ik"
eud_info (version) | run /util bash -c "eud_info (version)"
free | run /util bash -c "free"
grub default -d | run /util bash -c "grub default -d"
grub default -l | run /util bash -c "grub default -l"
halid | run /util bash -c "halid"
hsb snapshot (version) | run /util bash -c "hsb snapshot (version)"
ifconfig -a | run /util bash -c "ifconfig -a"
interrupts | run /util bash -c "interrupts"
ip -f dnet addr show | run /util bash -c "ip -f dnet addr show"
ip -f inet addr show | run /util bash -c "ip -f inet addr show"
ip -f inet link show | run /util bash -c "ip -f inet link show"
ip -f inet neigh show | run /util bash -c "ip -f inet neigh show"
ip -f inet route show | run /util bash -c "ip -f inet route show"
ip -f inet rule show | run /util bash -c "ip -f inet rule show"
ip -f inet tunnel show | run /util bash -c "ip -f inet tunnel show"
ip -f inet6 addr show | run /util bash -c "ip -f inet6 addr show"
ip -f inet6 link show | run /util bash -c "ip -f inet6 link show"
ip -f inet6 neigh show | run /util bash -c "ip -f inet6 neigh show"
ip -f inet6 route show | run /util bash -c "ip -f inet6 route show"
ip -f inet6 tunnel show | run /util bash -c "ip -f inet6 tunnel show"
ip -f ipx addr show | run /util bash -c "ip -f ipx addr show"
ip -f link addr show | run /util bash -c "ip -f link addr show"
ip -f link link show | run /util bash -c "ip -f link link show"
ip -f link neigh show | run /util bash -c "ip -f link neigh show"
ip -f link route show | run /util bash -c "ip -f link route show"
ls -las /var/local/ucs | run /util bash -c "ls -las /var/local/ucs"
ls -lasLR /dev/mprov/ | run /util bash -c "ls -lasLR /dev/mprov/"
ls -lasLR /var/core | run /util bash -c "ls -lasLR /var/core"
ls -lasR /boot | run /util bash -c "ls -lasR /boot"
ls -lasR /hotfix | run /util bash -c "ls -lasR /hotfix"
lsof -n | run /util bash -c "lsof -n"
meminfo | run /util bash -c "meminfo"
mount | run /util bash -c "mount"
netstat -nge | run /util bash -c "netstat -nge"
netstat -ni | run /util bash -c "netstat -ni"
netstat -pan | run /util bash -c "netstat -pan"
netstat -sa | run /util bash -c "netstat -sa"
ntpdc -n -c peer 127.0.0.1 | run /util bash -c "ntpdc -n -c peer 127.0.0.1"
ntpq -pn | run /util bash -c "ntpq -pn"
pci | run /util bash -c "pci"
pstree | run /util bash -c "pstree"
qkview | run /util qkview
rpm -qa | run /util bash -c "rpm -qa"
switchboot -l | run /util bash -c "switchboot -l" | Or use: /sys reboot volume <volume>
sysctl | run /util bash -c "sysctl"
top | run /util bash -c "top"
vmstat | run /util bash -c "vmstat"
who -aH | run /util bash -c "who -aH"

https://devcentral.f5.com/wiki/TMSH.BigpipeMappings.ashx

TCP State

A connection progresses through a series of states during its lifetime. The states are: LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, and the fictional state CLOSED. CLOSED is fictional because it represents the state when there is no TCB, and therefore no connection. Briefly, the meanings of the states are:

  • LISTEN represents waiting for a connection request from any remote TCP and port.
  • SYN-SENT represents waiting for a matching connection request after having sent a connection request.
  • SYN-RECEIVED represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
  • ESTABLISHED represents an open connection; data received can be delivered to the user. This is the normal state for the data transfer phase of the connection.
  • FIN-WAIT-1 represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
  • FIN-WAIT-2 represents waiting for a connection termination request from the remote TCP.
  • CLOSE-WAIT represents waiting for a connection termination request from the local user.
  • CLOSING represents waiting for a connection termination request acknowledgment from the remote TCP.
  • LAST-ACK represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
  • TIME-WAIT represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
  • CLOSED represents no connection state at all.

A TCP connection progresses from one state to another in response to events. The events are the user calls, OPEN, SEND, RECEIVE, CLOSE, ABORT, and STATUS; the incoming segments, particularly those containing the SYN, ACK, RST and FIN flags; and timeouts.

TCP/IP State Transition Diagram (RFC793)
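The state diagram described above, as an added example that is not part of the original post: the RFC 793 transitions as a lookup table, plus a small tracker that walks a connection through its states and rejects any event the diagram does not allow (the kind of check a stateful firewall or IDS makes when it sees a FIN on a socket that was never established). State names follow the list above; event names and the two sample event sequences are my own, and only the single RST edge on the diagram (SYN-RECEIVED back to LISTEN) is modelled.

```python
# Added example (not from the original post): RFC 793 state diagram as a table.
# Events: user calls (PASSIVE OPEN, ACTIVE OPEN, SEND, CLOSE), received segments
# named by flags (RX SYN, RX SYN+ACK, ...) and the 2*MSL TIMEOUT; no seq numbers.

TRANSITIONS = {  # (current state, event) -> next state
    ("CLOSED", "PASSIVE OPEN"): "LISTEN",
    ("CLOSED", "ACTIVE OPEN"): "SYN-SENT",        # sends SYN
    ("LISTEN", "RX SYN"): "SYN-RECEIVED",         # sends SYN+ACK
    ("LISTEN", "SEND"): "SYN-SENT",               # sends SYN
    ("LISTEN", "CLOSE"): "CLOSED",
    ("SYN-SENT", "RX SYN+ACK"): "ESTABLISHED",    # sends ACK
    ("SYN-SENT", "RX SYN"): "SYN-RECEIVED",       # simultaneous open
    ("SYN-SENT", "CLOSE"): "CLOSED",
    ("SYN-RECEIVED", "RX ACK"): "ESTABLISHED",
    ("SYN-RECEIVED", "RX RST"): "LISTEN",         # only RST edge on the diagram
    ("SYN-RECEIVED", "CLOSE"): "FIN-WAIT-1",      # sends FIN
    ("ESTABLISHED", "CLOSE"): "FIN-WAIT-1",       # active close, sends FIN
    ("ESTABLISHED", "RX FIN"): "CLOSE-WAIT",      # passive close, sends ACK
    ("FIN-WAIT-1", "RX ACK"): "FIN-WAIT-2",
    ("FIN-WAIT-1", "RX FIN"): "CLOSING",          # simultaneous close, sends ACK
    ("FIN-WAIT-1", "RX FIN+ACK"): "TIME-WAIT",    # sends ACK
    ("FIN-WAIT-2", "RX FIN"): "TIME-WAIT",        # sends ACK
    ("CLOSE-WAIT", "CLOSE"): "LAST-ACK",          # sends FIN
    ("CLOSING", "RX ACK"): "TIME-WAIT",
    ("LAST-ACK", "RX ACK"): "CLOSED",
    ("TIME-WAIT", "TIMEOUT"): "CLOSED",           # after 2*MSL
}

class InvalidTransition(Exception):
    """Raised for an event the diagram does not allow in the current state."""

def step(state, event):
    """Return the next state for (state, event) or raise InvalidTransition."""
    try:
        return TRANSITIONS[(state, event)]
    except KeyError:
        raise InvalidTransition(f"{event!r} not valid in {state}") from None

def trace(events, start="CLOSED"):
    """Apply events in order and return every state visited, start included."""
    states = [start]
    for event in events:
        states.append(step(states[-1], event))
    return states

# Constructed samples: a client doing an active open then an active close,
# and the server side that accepted the connection and closed passively.
CLIENT_EVENTS = ["ACTIVE OPEN", "RX SYN+ACK", "CLOSE", "RX ACK", "RX FIN", "TIMEOUT"]
SERVER_EVENTS = ["PASSIVE OPEN", "RX SYN", "RX ACK", "RX FIN", "CLOSE", "RX ACK"]
```

`trace(CLIENT_EVENTS)` walks CLOSED, SYN-SENT, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, TIME-WAIT, CLOSED; feeding an out-of-order event such as a FIN to a LISTEN socket raises InvalidTransition instead of silently moving on.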

Bigip LTM commands

I have been playing around with Bigip and I think that there are some interesting commands:

#Checking persistence


Security? No, please!

In the last couple of months I have been working in different scenarios, and I notice that people are not taking care of some basic security aspects.

For example:

  • We were working on a network issue. An engineer was asked to check a server log. After a few seconds this person wrote in a multi-chat conversation: “C0n$0le7” :S . To hide this big mistake, he wrote “fjkfslfadslfjsljf”. Because I'm just curious, I decided to check from my computer the access to this server. It was not so difficult to gain access. I made an appointment to try the day after, and this guy did not change the password, and 1 week later the password is still the same!!!!!
  • Another example. 01:00 am, another network incident. I was on-call and this was the situation:

PersonA: “We have a problem with this device, could you please help us?”

Me: “We are not supporting this device, could you please call the people in charge?”

PersonA: “Could you please help us anyway….?”

Me: “I don't have rights to access this device”

PersonA: “I already sent you an email with the root account”

Me: :S

PersonA: Please.

Me: Let me try…. 

      ……….

      After some checks…. done!

PersonA: Thank you. 

Me: No problem

I made an appointment to check this password some weeks later and….. babum!! it works!!

  • Scenario 3. During another issue, in which I was trying to explain to the engineer in charge of a server how to configure the server…. (yes, it is true!!), I asked him for a user and password to do some tests with a test user. This guy told me: “Use mine, but please don't share it with anyone”. This was 6 months ago and still today I can access this server!!!!!


Checkpoint command line

IPSO commands

Command | Description
newimage | Installs IPSO OS from the local machine
newpkg -m localhost | Check Point package install
clish | IPSO OS CLI
ipsctl -a | Displays all of the IPSO settings and values
ipsctl -a ifphys:eth-s5p1:errors|more | Display errors on eth-s5p1
ipsctl -w net:ip:tcp:default_mss 1460 | Change MSS to 1460
netstat 1 | Shows network stats every second
ipsofwd list | Displays IPSO properties (flowpath, etc.)
ipsofwd slowpath | Turns off flows (flowpath turns them back on)
fsck -fyb 32 | Check the file system on a flash-based Nokia (KB 1355433)

Bootmgr

Command | Description
printenv | Print environment variables
install | Install an image across the network
boot | Boot an image

clish commands

Command | Description
show useful-stats | Shows disk, VRRP, RAM summary
show package all | List all packages
show package active | List active packages
show package inactive | List inactive packages
show images | Show installed images
show image current | Show current image
delete image [name] | Delete image
set hostname testbox | Set hostname
set date timezone-city "Greenwich (GMT)" | Set timezone
set static-route default nexthop gateway address 192.168.29.2 priority 1 on | Set default gateway
set static-route 10.2.2.15/32 nexthop gateway address 192.168.0.1 on | Add static routes
hostname testbox | Set hostname
set package name name [on|off] | Set package name
add arpproxy address 192.168.1.1 macaddress 0:a0:1b:3e:33:f1 | Add proxy ARP
add ntp server 10.1.1.2 version 3 prefer yes | Add an NTP server
add package media local name [opt/packages/IPSO-3.9.tgz] | Add package
add host name testbox ipv4 192.168.29.54 | Set hostname assignment