stealth ideas to check egress rules on firewall

14 08 2012

To verify egress rules on firewall. we could
1. look at firewall policies
2. ask some employees to help in other words do social engineering
3. guess

The first two approaches are not what I would like to talk today instead I am focusing on guessing technique. A stager of Metasploit called reverse_tcp_allports is one of the nice ideas to do this.
However, if we need more stealth, create a server which responses to any TCP port like 65K Open TCP Ports and watch for our traffic.

“The quieter you become the more you can hear”





Voice VLAN

25 03 2012

1. Voice VLAN is not a trunk.
2. Voice VLAN is supported on an access port not a trunk port.
3. Even IP phones and workstations share the same physical ports, they are treated differently. IP phones’packets are tagged, but PC’s packets are untagged. This key role is played by CDP.
4. Voice VLAN is not on a trunk port, it is called as multi VLAN access port.
Group Study: Good Explanation of the Voice VLAN
5. DHCP could distribute IP address correctly after IP phones exchange CDP with the switch. DHCP on data VLAN and DHCP on Voice VLAN are different.

Cisco QOS
QoS Frequently Asked Questions
Configuring QOS





DHCP on Cisco Switch

10 10 2010

การคอนฟิก service DHCP บน Cisco Switch นั้นสามารถทำได้ไม่ยากเกินไปนัก admin สามารถทำการ configure บน switch ที่ต้องการแจก IP ได้เลยโดยทำการแจก IP แยกไปตาม VLAN ตามที่กำหนดไว้ใน pool ที่จะทำการสร้างโดยสามารถกำหนด range ที่จะ reserve หรือ bind MAC กับ IP ได้

To distribute IP address on cisco switch, follow these steps. I am going to set DHCP service over network 192.168.34.0/24.

1. set Network pool name
Router(config)# ip dhcp pool MyNet34
2. set network
Router(dhcp-config)# network 192.168.34.0 255.255.255.0
3. set domain name
Router(dhcp-config)# domain-name mycompany.net
4. set DNS
Router(dhcp-config)# dns-server 192.168.1.1 192.168.100.1
5. set default gateway
Router(dhcp-config)# default-router 192.168.34.1
6. set lease time(day,hours,minutes)
Router(dhcp-config)# lease 7

However, sometimes we need to fix IP address for a specific MAC address:
1.Go to that network
Router(config)# ip dhcp pool MyNet34
2.specify the IP address to be binded
Router(dhcp-config)# host 192.168.34.21 /24
3.bind MAC
Router(dhcp-config)# client-identifier aabb.ccdd.eeff
4.describe its name
Router(dhcp-config)# client-name Printer1

If we want to review our binding, just call
show ip dhcp binding
Finally, to reserve IP address range for a specific purpose, we need to call:
Router(config)# ip dhcp excluded-address 192.168.34.1 192.168.34.20
That would be enough for DHCP configuration on any cisco switch. Please
see Configuring DHCP for more details.





IP address and cmd

1 04 2010

When I had to set IP address and often changed it, it’s not fun and not convenient to configure all details with Window GUI. cmd /f is what I prefer.

Let’s display the interface’s details

C:\>netsh interface ip show address
Configuration for interface "Local Area Connection"
DHCP enabled: No
IP Address: 192.168.51.243
SubnetMask: 255.255.255.0
Default Gateway: 192.168.51.21
GatewayMetric: 1
InterfaceMetric: 0
C:\>netsh interface ip show config
Configuration for interface "Local Area Connection"
DHCP enabled: No
IP Address: 192.168.51.243
SubnetMask: 255.255.255.0
Default Gateway: 192.168.51.21
GatewayMetric: 1
InterfaceMetric: 0
Statically Configured DNS Servers: 192.168.3.1
Statically Configured WINS Servers: None
Register with which suffix: Primary only

Now, IP address setting is in our control.
C:\>netsh interface ip set address name="Local Area Connection" static 192.168.51.243 255.255.255.0 192.168.51.21 1
Ok.

Do you notice the number behind the gateway address?
That’s gateway metric. So we can set more gateway to our machine.

C:\>netsh interface ip set dns "Local Area Connection" static 192.168.3.1
Ok.

If IP address is distributed with DHCP, configuration is not much different.
C:\>netsh interface ip set address name="Local Area Connection" dhcp
Ok.
C:\>netsh interface ip set dns "Local Area Connection" dhcp
Ok.

With netsh command, IP address setting is more convenient.