Hard Drive Data Recovery

Posted: November 20, 2017 in Uncategorized

Awesome tool for Hard Drive Data Recovery.

testdisk – http://www.cgsecurity.org/wiki/TestDisk

Useful command to check that the disk is detected, showing its label, size, filesystem type and model:
lsblk -o name,label,size,fstype,model

Scapy

Posted: July 31, 2016 in Linux, Uncategorized

Scapy is an awesome packet manipulation tool that lets you craft packets layer by layer.  Great for testing network security.

tshark is run alongside to capture the packets scapy sends, so the outgoing traffic can be seen leaving the host
user@UbuntuDesktop02:~$ sudo tshark host 192.168.1.55

Start scapy
user@UbuntuDesktop01:~$ sudo scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>>

Send an ICMP packet from Scapy (the ICMP type is left at its default, echo-request, and the payload is the string OurPayload)
>>> send(IP(src="192.168.1.55",dst="10.0.0.204")/ICMP()/"OurPayload")
.
Sent 1 packets.

Send ICMP type=echo-reply 100 times
>>> send(IP(src="192.168.1.55",dst="192.168.1.1")/ICMP(type="echo-reply")/"OurPayload", count=100)
....................................................................................................
Sent 100 packets.

Create variables for Layer 2 (Ethernet), Layer 3 (IP) and Layer 4 (TCP)
>>> L2=Ether()
>>> L3=IP()
>>> L4=TCP()
>>> L2
<Ether |>
>>> L3
<IP |>
>>> L4
<TCP |>

List the default field values scapy has assigned to L2, L3 and L4 (fields shown as None are computed at send time)
>>> L2.show()
###[ Ethernet ]###
WARNING: Mac address to reach destination not found. Using broadcast.
dst= ff:ff:ff:ff:ff:ff
src= 00:00:00:00:00:00
type= 0x0

>>> L3.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\

>>> L4.show()
###[ TCP ]###
sport= ftp_data
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}

Set L2, L3 and L4 fields of a packet by passing them as keyword arguments when building each layer
>>> L2=Ether(src="01:23:45:67:89:ab")
>>> L2.show
<bound method Ether.show of <Ether src=01:23:45:67:89:ab |>>
>>> L2.show()
###[ Ethernet ]###
WARNING: Mac address to reach destination not found. Using broadcast.
dst= ff:ff:ff:ff:ff:ff
src= 01:23:45:67:89:ab
type= 0x0

>>> L3=IP(ttl=99, dst="10.0.0.1")
>>> L3.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 99
proto= hopopt
chksum= None
src= 10.0.0.204
dst= 10.0.0.1
\options\

>>> L4=TCP(sport=4001, dport=22, flags="A")
>>> L4.show()
###[ TCP ]###
sport= 4001
dport= ssh
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= A
window= 8192
chksum= None
urgptr= 0
options= {}

Send the crafted packets.  L2, L3 and L4 are stacked with the / operator and sent at once; sendp() is used because the packet starts at the Ethernet layer (send() is for layer 3 packets). Do not assign the result to a variable named send, as that would shadow scapy's send() function.
>>> sendp(L2/L3/L4, count=5)
.....
Sent 5 packets.

Scapy as a sniffer
>>> sniff(iface="eth0", prn=lambda x: x.show())

>>> sniff(iface="eth0", prn=lambda x: x.summary())

Sniffing for traffic to or from a single host using a BPF filter, stopping after 10 packets
>>> sniff(filter="host 10.0.0.204", count=10)
<Sniffed: TCP:2 UDP:8 ICMP:0 Other:0>

Now to display the output (in the interactive shell, _ holds the result of the last expression)
>>> output=_

>>> output.nsummary()
0000 Ether / IP / TCP 10.0.0.99:49765 > 10.0.0.204:ssh A / Padding
0001 Ether / IP / UDP / DNS Qry "ntp.ubuntu.com.sacklab.com."
0002 Ether / IP / UDP / DNS Qry "ntp.ubuntu.com.sacklab.com."
0003 Ether / IP / UDP / DNS Ans
0004 Ether / IP / UDP / DNS Ans
0005 Ether / IP / UDP / DNS Qry "ntp.ubuntu.com."
0006 Ether / IP / UDP / DNS Qry "ntp.ubuntu.com."
0007 Ether / IP / UDP / DNS Ans
0008 Ether / IP / UDP / DNS Ans
0009 Ether / IP / TCP 10.0.0.99:49444 > 10.0.0.204:ssh PA / Raw

>>> output[1]
<Ether dst=00:50:56:85:c4:b8 src=00:50:56:85:9d:8b type=0x800 |<IP version=4L ihl=5L tos=0x0 len=72 id=15777 flags=DF frag=0L ttl=64 proto=udp chksum=0xe7d3 src=10.0.0.204 dst=10.0.0.101 options=[] |<UDP sport=38876 dport=domain len=52 chksum=0x1576 |<DNS id=29227 qr=0L opcode=QUERY aa=0L tc=0L rd=1L ra=0L z=0L rcode=ok qdcount=1 ancount=0 nscount=0 arcount=0 qd=<DNSQR qname='ntp.ubuntu.com.sacklab.com.' qtype=A qclass=IN |> an=None ns=None ar=None |>>>>
>>>
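As an added example (not from the original post), the echo-reply packet sent above is serialized in plain Python without scapy, so the fields that show() reports as None (ihl, len and both checksums) are filled in explicitly, then decoded and re-verified the way a sniffer would. Only the standard library is used; the addresses and payload are the ones from the session above.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0  # the ICMP type="echo-reply" used in the send() above


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum that scapy computes when chksum=None."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_icmp(src, dst, icmp_type, payload, ttl=64, ip_id=1):
    """Serialize IP(src,dst)/ICMP(type)/payload as scapy does on send(): ihl, len and checksums filled in."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + payload  # type, code, chksum=0, id, seq
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ip_id, 0,
                         ttl, socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_ip_icmp(pkt):
    """Decode the packet again and re-verify both checksums (a checksum of 0 over the whole header means intact)."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _chk, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp = pkt[ihl:total_len]
    return {
        "version": ver_ihl >> 4, "ihl": ihl // 4, "len": total_len, "id": ip_id, "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ip_chksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "icmp_type": icmp[0], "icmp_chksum_ok": inet_checksum(icmp) == 0,
        "payload": icmp[8:],
    }


if __name__ == "__main__":
    pkt = build_ip_icmp("192.168.1.55", "192.168.1.1", ICMP_ECHO_REPLY, b"OurPayload")
    print(pkt.hex())
    print(parse_ip_icmp(pkt))
```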

Ubuntu Behind Proxy

Posted: July 30, 2016 in Linux, Uncategorized

Run a command behind an HTTP proxy by setting http_proxy in the environment for just that command.

sudo http_proxy='http://user:pass@proxy.example.com:8080/' apt-get install package-name

#
# This is an example of a script developed to connect to and back up Cisco device configs using Python
# (paramiko). Indentation restored and print statements converted to Python 3 syntax.
#
import paramiko
import time
import os


def disable_paging(remote_conn):
    '''Disable paging on a Cisco router'''
    remote_conn.send("terminal length 0\n")
    time.sleep(1)

    # Clear the buffer on the screen
    output = remote_conn.recv(1000)

    return output


if __name__ == '__main__':

    # VARIABLES THAT NEED CHANGED
    # ip = '10.18.113.16'
    ipaddress = open('list.txt')          # one device IP per line
    username = 'confbackup'
    password = 'SUPERepic@'               # credentials are hard-coded here, so keep this file's permissions tight

    for ip in ipaddress:

        # Remove the trailing newline from variable ip; required both for the SSH connect and for file creation
        ip = ip.strip(' \t\n\r')
        if not ip:
            continue

        # Create instance of SSHClient object
        remote_conn_pre = paramiko.SSHClient()

        # Automatically add untrusted hosts (make sure okay for security policy in your environment)
        remote_conn_pre.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        # initiate SSH connection
        remote_conn_pre.connect(ip, username=username, password=password)
        print('#################################################')
        print("SSH connection established to %s" % ip)

        # Use invoke_shell to establish an 'interactive session'
        remote_conn = remote_conn_pre.invoke_shell()
        # print("Interactive SSH session established")

        # Strip the initial router prompt
        output = remote_conn.recv(1000)

        # See what we have
        # print(output)

        # Turn off paging
        disable_paging(remote_conn)

        # Now let's try to send the router a command
        # remote_conn.send("\n")
        # remote_conn.send("show ip int brief\n")

        # These are only required if you need an enable password to login
        # remote_conn.send("en\n")
        # remote_conn.send("cisco\n")

        remote_conn.send("\n")
        remote_conn.send("show run\n")

        # Wait for the command to complete, then read everything the device sent (recv() returns bytes)
        time.sleep(2)
        output = b''
        while remote_conn.recv_ready():
            output += remote_conn.recv(65535)
            time.sleep(0.5)

        ##################
        # OUTPUT GENERATED FOR FILES
        ###########################
        mytime = time.strftime('%Y-%m-%d-%H-%M-%S')
        print()
        print(ip + ' config backup in place')
        print()
        # filename = 'tas_%s.txt' % str(ip)
        filename = "RC-" + mytime
        filepath = os.path.join('configs', ip, filename)

        if not os.path.exists(os.path.dirname(filepath)):
            os.makedirs(os.path.dirname(filepath))
        # output is bytes, so write the file in binary mode; the with block closes it
        with open(filepath, "wb") as f:
            f.write(output)

        # disconnect
        remote_conn.send("exit\n")
        remote_conn_pre.close()
        print("SSH connection closed to %s" % ip)
        print('#################################################')

    ipaddress.close()

Forcing add/remove vlan command

Posted: August 14, 2015 in Uncategorized

Found this post over at reddit.  Very handy for forcing users to use the add/remove keywords when adding or removing VLANs on a trunk, since the bare command replaces the whole allowed list instead of changing it.  With "skip yes" the matching command is dropped and the syslog message is shown instead.

!
event manager applet ALWAYS-ADD-VLANS
event cli pattern "^switchport trunk allowed vlan [0-9]+$" sync no skip yes
action 1.0 syslog priority informational msg "PLEASE USE SWITCHPORT TRUNK ALLOWED VLAN __ADD__ WHEN CONFIGURING TRUNK PORTS - COMMAND NOT RETAINED!"
!

Switch(config)#int fa 0/1
Switch(config-if)#switchport trunk allowed vlan 1
*Mar 1 19:43:41.870: %HA_EM-6-LOG: ALWAYS-ADD-VLANS: PLEASE USE SWITCHPORT TRUNK ALLOWED VLAN __ADD__ WHEN CONFIGURING TRUNK PORTS - COMMAND NOT RETAINED!

Switch(config-if)#do show run int fa 0/1
Building configuration...

Current configuration : 33 bytes
!
interface FastEthernet0/1
end

Switch(config-if)#
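As an added example (not part of the original post), a quick way to check which CLI lines the applet's regular expression would catch before deploying it. The original pattern only matches a single VLAN number; BROADER_PATTERN is an assumption of this example that also catches comma lists and ranges while still letting the add, remove, except, all and none forms through.

```python
import re

# Pattern exactly as used in the EEM applet above
ORIGINAL_PATTERN = r"^switchport trunk allowed vlan [0-9]+$"

# Assumed broader pattern (not from the post): single number, comma lists and ranges,
# e.g. "10", "10,20", "1-5", "1,3-5,7". Keywords such as add/remove/except/all/none do not match.
BROADER_PATTERN = r"^switchport trunk allowed vlan [0-9]+([,-][0-9]+)*$"


def eem_would_block(command, pattern=ORIGINAL_PATTERN):
    """True when the CLI line matches the 'event cli pattern' (with 'skip yes' the command is not executed)."""
    return re.search(pattern, command.strip()) is not None


def classify(commands, pattern=ORIGINAL_PATTERN):
    """Map each candidate command to whether the applet would intercept it."""
    return {c: eem_would_block(c, pattern) for c in commands}


if __name__ == "__main__":
    candidates = [
        "switchport trunk allowed vlan 1",
        "switchport trunk allowed vlan 10,20",
        "switchport trunk allowed vlan 1-5",
        "switchport trunk allowed vlan add 1",
        "switchport trunk allowed vlan remove 5",
        "switchport trunk allowed vlan none",
    ]
    for pattern_name, pattern in (("original", ORIGINAL_PATTERN), ("broader", BROADER_PATTERN)):
        print(pattern_name)
        for cmd, blocked in classify(candidates, pattern).items():
            print("  %-45s %s" % (cmd, "BLOCKED" if blocked else "allowed"))
```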

Unable to locate the SecureCRT Configuration Folder to backup and transfer my sessions.

All guides told me the path was

C:\Users\<username>\AppData\Roaming\VanDyke\Config

However, on Windows this directory did not exist.

The correct path was

C:\Users\<username>\AppData\Roaming\Thinstall\SecureCRT 6.6.1\%AppData%\VanDyke\Config\Sessions

Serial Console Access to Ubuntu – ESX VM

Posted: February 27, 2015 in Linux

These are quick instructions to allow serial console access to a Linux guest across the network.  Remember to allow access on the ESX server side too.

1) Create a file called /etc/init/ttyS0.conf containing the following:

# ttyS0 - getty
#
# This service maintains a getty on ttyS0 from the point the system is
# started until it is shut down again.

start on stopped rc or RUNLEVEL=[12345]
stop on runlevel [!12345]

respawn
exec /sbin/getty -L 115200 ttyS0 vt102

2) Ask upstart to start the getty

sudo start ttyS0

Full article here – https://help.ubuntu.com/community/SerialConsoleHowto

Pages of Interest

Posted: January 19, 2015 in Uncategorized

Pages of interest for future reading and reference…

IPv6
IPv6 Address Planning – Designing an Address Plan for the Future : By Tom Coffeen

Fibre Optic Cables
http://www.thefoa.org/tech/ref/index.html
http://www.cablek.com/technical-reference/fiber-optic-cable-types

nslookup script

Posted: December 9, 2014 in Uncategorized

Handy script found on GitHub to query the name server for every IP in a list (reverse lookups), printing the IP and the name it resolves to, or "Bad FQDNS" when the server can't find it.

#!/bin/sh
# Reverse-lookup every address in ./ips.txt and print "IP<TAB>name"
while read -r IP
do
    [ -z "$IP" ] && continue
    printf '%s\t' "$IP"
    LOOKUP_RES=$(nslookup "$IP" 2>&1)
    if printf '%s\n' "$LOOKUP_RES" | grep -q "server can't find"
    then
        NAME='Bad FQDNS'
    else
        # PTR answers look like "x.x.x.x.in-addr.arpa  name = host.example.com."
        NAME=$(printf '%s\n' "$LOOKUP_RES" | grep -v nameserver | grep 'name = ' | cut -f 2 -d '=' | sed 's/^ //')
    fi
    echo "$NAME"
done < ./ips.txt

Script to scan netflow data

Posted: December 8, 2014 in Linux

Basic script that goes through the previous week of NetFlow data for each address in a list, looking for TCP flows to a handful of management and web ports, and appends the results to the net_scan file.

#!/bin/bash

# Start with an empty report file
: > net_scan

ip_address=(
'list of ip addresses'
'list of ip addresses'
)

for item in "${ip_address[@]}"
do
    echo ................................................................................... >> net_scan
    echo . "$item" >> net_scan
    echo ................................................................................... >> net_scan
    echo >> net_scan
    # Aggregate by source IP and destination port over the previous week's nfcapd files
    nfdump -M /data/nfsen/profiles-data/live/switch1:switch2 -T -R 2014/12/01/nfcapd.201412011045:2014/12/08/nfcapd.201412081045 -a -A srcip,dstport -o line -c 10000 "dst ip $item AND proto TCP AND (dst port 22 or dst port 23 or dst port 80 or dst port 443 or dst port 17988 or dst port 9300)" >> net_scan
    echo >> net_scan
    echo >> net_scan
done

And the output

...................................................................................
. 10.18.0.110
...................................................................................

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2014-12-03 11:29:49.784 11874.134 TCP 192.168.10.1:48243 -> 10.18.0.110:22 548 50724 114
2014-12-05 13:04:18.133 0.000 TCP 192.168.10.5:52520 -> 10.18.0.110:23 1 46 1
2014-12-01 11:00:02.622 588284.916 TCP 192.168.20.10:63704 -> 10.18.0.110:443 3600 336148 234
2014-12-05 13:04:18.136 29.576 TCP 192.168.10.5:16886 -> 10.18.0.110:22 74 5806 23
2014-12-01 16:05:53.921 518415.958 TCP 192.168.30.4:59082 -> 10.18.0.110:80 77 4921 14
2014-12-03 11:29:51.385 11923.475 TCP 192.168.10.1:48243 -> 10.18.0.110:80 1767 125090 290
2014-12-05 13:04:18.133 32.140 TCP 192.168.10.5:16887 -> 10.18.0.110:80 98 7661 20
2014-12-03 11:29:51.513 11923.475 TCP 192.168.10.1:48243 -> 10.18.0.110:443 7559 550718 421
2014-12-03 11:29:49.782 10585.845 TCP 192.168.10.1:47987 -> 10.18.0.110:23 4 184 4
2014-12-05 13:04:18.134 37.320 TCP 192.168.10.5:16914 -> 10.18.0.110:443 383 37540 40
2014-12-05 13:04:18.134 24.968 TCP 192.168.10.5:16890 -> 10.18.0.110:17988 113 6509 27
2014-12-01 10:51:28.874 604774.400 TCP 192.168.30.4:65074 -> 10.18.0.110:443 36762 2.8 M 2049
2014-12-01 16:06:14.079 518419.544 TCP 192.168.30.4:59279 -> 10.18.0.110:22 189 21756 21
Summary: total flows: 3258, total bytes: 4.0 M, total packets: 51175, avg bps: 52, avg pps: 0, avg bpp: 77
Time window: 2014-12-01 10:51:28 - 2014-12-08 10:51:03
Total flows processed: 314141285, Blocks skipped: 0, Bytes read: 16335752408
Sys: 76.320s flows/second: 4116107.0 Wall: 229.979s flows/second: 1365953.1
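As an added example (not part of the original post), a parser for the "-o line" output above that totals bytes per destination port and lists which sources touched each port, so a line like the telnet (port 23) hits stands out. The sample lines are copied from the output above; the 1000-based scaling of the "2.8 M" byte column is an assumption of this example.

```python
import re

# Sample lines taken from the nfdump output above (constructed subset, same "-o line" format)
SAMPLE = """\
2014-12-03 11:29:49.784 11874.134 TCP 192.168.10.1:48243 -> 10.18.0.110:22 548 50724 114
2014-12-05 13:04:18.133 0.000 TCP 192.168.10.5:52520 -> 10.18.0.110:23 1 46 1
2014-12-01 10:51:28.874 604774.400 TCP 192.168.30.4:65074 -> 10.18.0.110:443 36762 2.8 M 2049
2014-12-03 11:29:49.782 10585.845 TCP 192.168.10.1:47987 -> 10.18.0.110:23 4 184 4
Summary: total flows: 3258, total bytes: 4.0 M, total packets: 51175, avg bps: 52, avg pps: 0, avg bpp: 77
"""

UNITS = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}  # assumed 1000-based scaling of the Bytes column
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>[\d.]+)(?:\s+(?P<unit>[KMG]))?\s+(?P<flows>\d+)$"
)


def parse_line(line):
    """Return a dict for one flow line, or None for headers, blank lines and the summary footer."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
        "packets": int(d["packets"]),
        "bytes": int(float(d["bytes"]) * UNITS[d["unit"] or ""]),
        "flows": int(d["flows"]),
    }


def summarize(text):
    """Total bytes per destination port and the set of source addresses seen on each port."""
    bytes_per_port, talkers = {}, {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bytes_per_port[rec["dport"]] = bytes_per_port.get(rec["dport"], 0) + rec["bytes"]
        talkers.setdefault(rec["dport"], set()).add(rec["src"])
    return bytes_per_port, talkers


def sources_hitting(talkers, port):
    """Sorted source addresses that reached the given port (e.g. 23, which should normally be closed)."""
    return sorted(talkers.get(port, ()))


if __name__ == "__main__":
    per_port, who = summarize(SAMPLE)
    for port in sorted(per_port):
        print("port %-5d %10d bytes  from %s" % (port, per_port[port], ", ".join(sources_hitting(who, port))))
```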