Saturday, 23 June 2012

Free wifi at Premier Inn

While staying at a premier inn I wanted some IP based communication to do my online biddings. The premier inn are all decked out with dozens of access points configured in channel groups 1,6,11 so there is good coverage throughout. When connected you are greeted with a portal page that allows you to pay for online time at a great cost. Happily they provide a one time 30min of free internet, once the 30min is up it logs you off and demands money.

Problem:
The only way you can be uniquely identified on a dynamically addressed network is by your mac address.

Solution:
To continue getting 30mins free internet you can change your mac address and as far as the portal is concerned you are a new user.

On windows this can be done with SMAC.

On linux either manually from the terminal with:
Ifconfig wlan0 down
ifconfig wlan0 hw ether 11:22:33:44:55:66
Ifconfig wlan0 up

On mac you will need to buy it a present. Then read this from osXdaily

Please check the laws in your area on modifying mac addresses.

Tuesday, 1 May 2012

quick and easy Dell fix

Brief:
The repair of a dell laptop. The title is a lie, it started as a quick fix but turned into something far greater than you can ever imagine, too extreme? It went smoothly.

So laptop arrived on my doorstep with a power supply and no explanation. The owner was a friend and unable to shed any light so I was left to draw my own conclusions.

Analysis:
Boot up........damn password protected, two options available to use from my usb bootable "katana". Since I knew it was running Windows XP I could either run "Ophcrack" and see if it can get the password with its rainbow tables or edit the SAM file in the windows directory to remove the password. I chose the latter as it would not disclose the private password and it could be reinstated after the job was finished.

Boot up......every thing seems fine, check the logs....good. Right well ill do some cleaning.

Fix:
  • Antivirus up to date
  • chkdsk -R
  • Defragmentation 
  • Antivirus full disk scan
  • Malware scan
My work here is done ill leave it on charge and return it later. Boot up.....what? There is no power, the power supply is switched on.

Analysis:
Ill start with the power supply.

IEC lead - plugged into another device. It works. plugged it back into the laptops block.
Power supply output - Multimeter on the power jack and receiving the correct voltage stated on the block.

This only leaves one area to test. The problem is going to be the power in jack or the charging circuit, either way access to the mainboard is needed which means the laptop needs to get naked.

Fix:
Getting to the mainboard was relatively simple, the dvd drive was removed, expansion slot covers and all screws on the underside except the hinges. The back then slips off. With the mainboard exposed i get the multimeter out and check for continuity from the jack connector to the board. It was found the center pin was faulty, visual inspection found there was a dry joint on the connector and some play. I got the solder iron out and fixed that. Before putting it back together i tested the continuity again and then plugged in the charger. Success, screw it back up and job done.

Additional:
The customer no longer wanted it so it was decided it would be a gift for my father so that I could Skype him. The box was running windows XP but was running dog slow, I wanted to put Linux mint on it as it is lightweight and I can tailor the services that it needs. Before Windows was wiped a full disk backup was done using my friend clonezilla which kindly transferred a compressed copy to my storage server. The Windows cd key was nowhere to be found and I used a tool on katana to grab that and keep it safe.


Stay dramatic

Wednesday, 25 April 2012

Dramatic Desktop support - return of the PIXEL

HP G61 laptop repair

Brief:
This job was close to home, my other half’s laptop. It all started when she reported that a file was clicked on and said some funny stuff that made her think it had a virus. I was away on a jobs when the call came in so I insisted that it was to be kept off the network and shutdown until I can look at it.

Problem:
suspicious behaviour.

Analysis:
The laptop was put into safe mode and scanned with its anti-virus software. A trojan was found and a few bits of malware.

Fix:
Removal of said evils claimed in the anti-virus software. Additionally a pre boot scan was done to look for rootkits and full disk scan.

Additionally:
The new family friend stig the cat then decided that he wanted to play on the keyboard and pulled off some keys. In trying to put the letter 'k' back on a metal tab failed and meant the key would not seat properly. The keyboard then acted strangely and would type random characters without been touched.

Fix:
First I removed the keyboard by removing the screws marked 'kbd' on the back of the laptop. Two screws visible from the back, one screw behind the battery, one screw behind the memory cover and one screw behind the wireless cover. Being careful with the tabs around the edge of the keyboard it comes out with ease. I removed the ribbon cable and looked for damage or dirt, after a shake for anything loose and clean I replaced it to see if the problem was still there. No luck, pricing for a new one was around £60 so I looked on ebay for a used on and found the right one, checking the spares number on the back of the keyboard, I picked one for £15 including shipping. It arrived a few days later and was immaculate with no sign of use, I attached the ribbon, booted the computer and it worked great, pushed the keyboard back in being careful not to pinch the ribbon, put the screws back in. Job done.

Sunday, 11 July 2010

MPLS the Superior WAN

Just when you thought fast switching was the best layer 3 could be.....a new player made a new layer, all the hardware layer 2 addressing mixed with routable layer 3 addressing and just to make it even better throw in the ports to be used, welcome to layer 2.5. I know its not new now but its still awesome. The challenge was given to me to add MPLS VPN technology to an existing network in order to provide secure links between four different sites. The initial network des ign is as below
The objectives are:
1: Provide two separate VPN links between Finance - Payroll and Research - Labs
2: Further secure the Finance - Payroll link with IPSEC
3: Users are currently using the network so equipment cannot be removed (equipment may be added).

I love MPLS its such a dream to work with and simple to understand, to make this work there are a few changes i implemented.

1: With PE1 where it is at the moment is not suitable for me as two separate links are needed which means two VRF's on two interfaces so they would have to be setup on HQ and then tunnelled to PE1 to be put into MP-BGP.This may be done by using sub interfaces and multi-VRF which seems more work than needed i think.I have pushed the MPLS cloud up to the HQ router to allow the VRF's to be kept in their separate instances from there.

2: IPSEC problem, with the Finance segment hanging directly off the HQ router means that the IPSEC tunnel would use the outbound interface towards the P router but since its routing is moved from the VRF to MP-BGP the outbound interface has no idea about the networks behind it so cannot bring up the tunnel. My solution was simply to put another router in for Finance so that its outbound interface would learn about the other side through MP-BGP and the fun may commence.


My new design can be seen in Fig 2 above.

Protocols: In the cloud all mpls interface use OSPF and are in area 0, this link state protocol has been used here for its low administrative overhead and fast convergence on topology changes, only updates are sent every 30 minutes if nothing happens to make sure that everything is still there.

MP-BGP is used to allow the VRF's to communicate.

RIP has been used for all departments except research, don't worry its version 2 to allow for my subnetting scheme. This has been used since they are stub networks they don't need an advanced protocol. The RIP routes are redistributed into BGP and a default route is sent to the departments as its their only way out anyway.

Research is hanging directly off the HQ interface so the route needs to be redistributed into BGP.

BASIC SECURITY:
Security measures should be implemented on the routers to secure them from being accessed illegally.

MOTD - This is important as it can be used to display a warning to anyone wanting to gain access to the equipment saying who owns the network and only authorized users may use it. This may be a deterrent and if you are able to trace and prosecute someone who accessed your network illegally it shows you done all you can to say they shouldn't have been there.

Enable secret - This is a password that is needed to get from user EXEC level to privileged EXEC. By using the command enable secret instead of enable password it hashes that password so that it cannot be seen by a show run or someone peering over your shoulder.

Console password - There needs to be a password on the console port so that anybody who gains physical access to the equipment can't get in without a password.

VTY login - The vty lines 0 - 4 used for remote access need a password to login. They should only allow SSH connections version 2 as telnet is susceptible to sniffing due to sending everything in plain text. As extra protection a access list was put on the vty lines to only allow certain ip addresses establish a connection.

CDP - This protocol is very useful for troubleshooting a network as it gives information about connected neighbours. when enabled it sends this information out of all ports, with a packet sniffer this would be picked up telling them ip addresses, names and ports. It should be disabled on LAN interfaces with the no cdp enable command on the interface.

stay dramatic,

marty

Thursday, 25 March 2010

wi-spy with my little eye

Inherent weakness in WiFi
The greatest thing about WiFi 802.11 is that its......wireless, data magically propagating through different mediums to network devices together. The problem with these waves moving through the air is that anyone who stands in there way can hear them

Management frames are send in plain sight at 1mb/s to enable all devices to see them. They can be seen by putting your wireless card into monitor mode and you will see in wireshark all the beacons from AP's . Your MAC address can be seen here which means your identity is not necessarily secret.

If you have set up security associations with a range of AP's when you turn wireless on in windows the first thing it does is probe to see who's there and if an AP they have connected to before is available and yes it sends this information for Mr hack in a box to see. A big risk of this is that if Mr hack knows that your computer is wanting to connect to "home" then they could set up a rogue AP with the ssid "home" and sit by you giving that the strongest signal and it would move onto that rogue AP. If the attacker sets up a route for the Internet which is a highly likely service, you wouldn't even know that you've changed connections! Now all your data and transactions can be looked at and saved yum yum yum.

Lets play a game
Why don't we use the fact that your wireless gives out its identity for a game of wireless hide and seek. You get a gaggle of friends to come over with their wireless devices and log their mac addresses and tell them to go hide around the city center. Use a laptop in monitor mode run wireshark or airodump, something that can make a record the data. Make a simple C program that can read through the messages and look for the logged MAC addresses and make a noise to say when its found one. Now run around town and wait for a beep! The rssi can be used to narrow the search. Happy hunting


The same technique could be used for any wireless goods that may have been stolen, assuming you know the MAC, and its powered on, and its not 300 miles away been swapped for some trainers.

Does anyone still use WEP!?
I would really like some feedback leave a comment, let me embrace your views. Why is WEP still around its security is as good as a padlock with the combination wrote on the back. When looking for wireless signal in various places I keep seeing it pop up, often with a default ssid. A few manufacturers and ISP's will give you an AP that is set up with WEP and the key wrote on the side so that average Joe can plug it in and away they go, brilliant it works their happy. The other use i see is often hotels and you either pay for the key or its given to you and pay to go through a tunnel.

WEP is week, it just hands out the IV in all its packets and as that's only 24bit its only a matter of time until it uses that same one again

I went to go visit a relative and noticed that he was using WEP(128bit) as part of a security audit. I tried to explain the weaknesses in this method and demonstrated how easy it is to crack.
  1. Booted up backtrack from usb (1 minute)
  2. Used airmon to put the card into monitor mode, airodump to cature data, aireplay to generate data, aircrack to crack the key (30 seconds)
  3. Aircrack looked at ~8000 IV's and gave me the WEP key (1 minute on the dot)
  4. Put the key in and started using his wifi
All security can be broke given the resources and time, the crucial decision is deciding what level of security is reasonable. I use WPA2-PSK which can be cracked, it could take a year but i could make it my policy to change the PSK monthly, i may not even live in the same house in a year.

Tip top tips - I'm sure nobody does, don't leave defaults on. Its reckless and an insult to professionals.

Monday, 22 March 2010

Queue them up, push them out

The latest lab expedition is to configure Class Based Weighted Fair Queuing to allow for different treatment of voice and http traffic. The way of testing this is by hosting a website on one end of a low bandwidth link that has two pictures in and you are able to match http traffic by key words! so the class maps are able to distinguish between LEFT and RIGHT giving different bandwidth to each. Even though the allotted bandwidth per class isn't greater than the total bandwidth it still uses the full bandwidth but as a ratio of the initial inputs. To get the web server ready you need to do a few things.

1) Grab a picture with a decent size (500k - 1M)
Here is one i prepared earlier for you to download
IMAGE, ALT
ADDITIONAL- I have just tried to download the image from within the lab and pictures are getting blocked by admin!
SOLUTION - Go through a proxy, or go ask admin if they will stop filtering pictures.
SECURITY - The above mentioned content filter happily gives out the information "powered by draytek". Know of any exploits for them....?

2) Make a copy of the image and rename it "right" and the original should be "left"

3) Copy this simple html text into notepad and save as index.html in the Apache htdocs folder and drop the two pictures into the folder as well


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>CBWFQ + LLQ </title>
<style type="text/css">
*{width:100%}
.picleft { float:left; width:45%; border-right:#FF0000 20px solid; margin-right:20px}
.picright { float:left; width:45%; border-left:#0000FF 20px solid}
</style>
</head>
<body>
<h1 align="center">Let the race begin!</h1>
<div class="picleft">
<img src="left.jpg" />
</div>
<div class="picright">
<img src="right.jpg" />
</div>
</body>
</html>


4) Sit back and enjoy watching an image crawl on screen just like the good old days
Bonus video
180's on the new ramp
GO

Saturday, 13 March 2010

Save The Switch, Save The Lab

In Cisco land (the networks lab) its a common sight to see the suicidal blink of the switches stat light as they whimper in ROM-monitor mode after a brutal assault from a student trying to do something too advanced. Maybe that's a bit cruel, the lab equipment is on 24/7 getting copy run start and reloads constantly throughout the day and the flash is taking a beating. The most common sight Ive seen is the IOS image disappearing or corrupt. There were some switches that i had seen had been in ROM mode for weeks missing an IOS without a tech fixing it, i took things into my own hands and fixed two 2960's, let me dispense this information now.....

From ROM mode you first need to initialise the flash file system and support

switch: flash_init
switch: load_helper

so now you have access to some commands and can look around the flash

switch: dir flash:

(example output)
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c3550-i5q3l2-mz-121-0.0.53
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
17 -rwx 27 Mar 01 1993 22:30:57 env_vars
5 -rwx 90 Mar 01 1993 22:30:57 system_env_vars
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat

the IOS .bin file is in the folder at the top, you can verify the image and attempt to boot manually

switch: boot flash: c3550-i5q3l2-mz-121-0.0.53/c3550-i5q3l2-mz-121-0.0.53.bin


if it returns an boot error than you know the image file is corrupt and need to put a new one on. In my case when i looked into the flash directory there wasn't even an image file there which leads me to believe a student put the wrong command in when trying to delete a file....

Retrieve an IOS image file from cisco or what i did since there are many of the same switches in the lab tftp one from there. set up a tftp server and connect it to the working switch in vlan1, give the switch an ip address on vlan 1 in the same segment as the tftp server. This command says copy from the flash TO tftp.

swalive# copy flash:c3550-i5q3l2-mz-121-0.0.53/c3550-i5q3l2-mz-121-0.0.53.bin tftp:192.168.1.1(server address)

OK the image is acquired now we need to get it onto the broken switch. Were going to use HyperTerminal to send the file through the console using XMODEM. This command says copy from xmodem TO flash

switch: copy xmodem: flash:c3550-i5q3l2-mz-121-0.0.53/c3550-i5q3l2-mz-121-0.0.53.bin

On HyperTerminal go to the TRANSFER tab at the top and select SEND FILE, use options XMODEM and point to the image file acquired. This needs to be done sharpish or the switch will timeout. The transfer will take a while since your limited by the speed of your console connection, the 4.8MB IOS i transferred took 1hr40 so ~8400b/s even though it was a 9600 connection......

All is sorted and issue the magic command to revive the almighty

switch: boot

For me this was not the end! Once booted i found that it had been given an enable secret, no worries ill try the usual suspects, cisco, Cisco, class, password, pass, slightly annoying.... how about iamatoolforlockingthisciscoswitchdownwithanonuniformpass. Damn i cant get in. What next you ask, lets get it back into ROM mode and change the config.text file.

reboot the switch while holding the mode button for a few seconds until it flashes and it will go into ROM mode.

switch: flash_init
switch: load_helper
switch: dir flash:(you will see there is a file called config.text)
switch: rename flash:config.text flash:config.old
switch: boot

The switch is looking for its startup config, config.text, unable to find it it loads with a fresh instance with no config. You can either copy flash:config.old running-config and change the password or start from scratch.

Tip: To speed up the xmodem copy increase the BAUD rate
switch: set BAUD 115200
restart the HyperTerminal session to match. Once finished change it back
switch: unset BAUD

Additional:

This Sunday i spent the weekend AIRSOFTING in a field near Duram using initiative and tactics to win the game and keep the team and myself alive. It was a really fun game and i was 1 of 2 medics looking after 15 team members proving very tiresome. In the first game i was using a kind of Distance vector protocol periodically running around checking everyone was ok while they provided covering fire. However this proved inefficient.....see where I'm going with this. I then moved onto a link state algorithm re converging the team upon shouts of MEDIC!! Some routes were blocked so i had a chat with a node who had build up a full topology of the field via his comms and legged it through the lowest cost path. There was a problem with my gun making a horrible whirring sound so when i took apart home to be inspected. This is what the gun should look like and what the faulty part should look like









And this is what they look like now. You can see the barrel just peaking out the sad bag. the pistons teeth have completely vanished resulting in a complete fail. there should be a soft rubber cushion on the end but it has evaporated! there is no sign of it. Rebuild when i get some free time.