EAPC TECH

Track down network problems with Wireshark

2010-01-18T20:33:00.002-06:00

Ethernet networks can run remarkably well for long periods of time, lulling IT admins into a false sense of security. Unfortunately, disaster can strike at anytime, and to the under-equipped, network issues can be downright debilitating.

Some of the most serious network problems can include broadcast storms, in which a defective or misconfigured network device floods the network with traffic. Broadcast storms tend to amplify themselves until they completely shut down your network, which is bad. Another common threat is a malware-infected computer, which can send a barrage of e-mail or attempt to replicate to computers on your LAN or across the internet. An infected computer can slow down internet traffic and put you on bad terms with your ISP.

More... Track down network problems with Wireshark

Blackberry Messenger Outage and Microsoft i4i

2009-12-22T21:01:00.001-06:00

Blackberry Messenger outage and Microsoft i4i are the major technology news today. The BBM outage and i4i have everyone talking. Let's check out the Blackberry Messenger outage then see what's happening with i41.

The BBM outage was all across North America this afternoon. Erictric reports the Blackberry Messenger outage affecting users throughout the continent coincides with the release of a new version of the Blackberry messaging service.

Today Research in Motion released version 5.0.0.57 after 5.0.0.55 and 5.0.0.56 were released last week. It seems RIM is trying to fix the bugs. Read more about the Blackberry Messenger outage and easy instructions on how to download the new messenger service at Erictric.

The second technology tidbit pertains to Microsoft losing the i4i appeal in the patent case. eWeek Microsoft Watch revealed Microsoft losing means they would have to pull Word 2003 and Word 2007 from stores within 60 days. Microsoft will also have to pay almost $300 million in fines.

Co-founder of i4i Michel Vulpe said in a December 22 statement they were "especially pleased with the court's decision to uphold the injunction, an important step in protecting the property rights of small inventors." To read more about the past, present and future of this interesting case, visiit eWeek Microsoft Watch.

Google offers free, public DNS server

2009-12-09T13:05:00.000-06:00

Google is planning on offering a free, public DNS server, adding yet another prong to its many-pronged attack on making the Web faster. With this move, anyone would be able to set up a browser to access Google's public DNS server, rather than using an Internet Service Provider or corporate DNS server.

To be sure, the Google Public DNS, announced on Thursday, is still in an experimental phase. But Google thinks that its DNS offering can not only make the Web faster (with improved caching for instance) but also safer. Google thinks it can do a better job of determining which Web sites have been compromised, which is being spoofed, trying to dupe users into visiting malicious Web sites.

Downside is ... wow, what a lot of control this gives Google. It already has the power to make a site a big hit or hard to find though its search engine. This would give it the power to determine which sites it deems safe enough for people to visit and should be blocked.

Google isn't the first to offer free public DNS ... small companies like OpenDNS have that honor. Indeed, OpenDNS could be badly hurt if Google's DNS takes off. Given how Google has behaved in other areas, is this a good idea? I'm not so sure. I think of Google offering free-text versions of news stories that the publishers of said news stories wanted to charge for, and its scanning of books in Google Books (practically grabbing by default the copyright to so-called Orphaned Books ... books not old enough to be in the public domain, but whose authors are not known).

Can Google really be trusted ... or are we looking at a wannabe Big Brother in the making?

Text Source: http://www.networkworld.com/community/node/48751

Reference: http://googleblog.blogspot.com/2009/12/introducing-google-public-dns.html

Google offers free, public DNS server

2009-12-09T13:01:00.000-06:00

Can Google really be trusted ... or are we looking at a wannabe Big Brother in the making?

Text Source: http://www.networkworld.com/community/node/48751

Reference: http://googleblog.blogspot.com/2009/12/introducing-google-public-dns.html

iPhone worm could be used to create botnets

2009-11-30T19:27:00.004-06:00

Clearly F-Secure has done a good job to dig this one up. To get to the basics, a Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software, but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.

So for the IPhone users out there, read this update carefully. Cheers...

A second iPhone exploit has been identified by security vendor F-Secure, which claims the new worm has botnet capability and is more threatening than its predecessor.The new worm affects the SSH protocol in jailbroken iPhones and is "much more serious" than the previous threat, as it may attempt to steal data, F-Secure warns.

Dealing with Heavy Loads on a Router's Interface

2009-11-02T13:29:00.004-06:00

If a router’s serial interface load increases heavily on point to point link, for example 220/255, you are probably maxing out the link, so the users depending on this link would be experiencing slowness in their applications, web browsing or even email downloading, all due to the congestion.

I will discuss some approaches which could be used to try and solve this issue.

1) Try turning on "ip accounting" on the interface, then run a "show ip accounting" to see who is using the link heavily, do this at the moment of congestion. The accounting is only on output packets, so you want to be putting it on the link that's sending the traffic. You may not see this on the counters because there is a 5 minute delaying average, so oftentimes you would miss the spikes. To avoid missing the spikes, you might want to put an SNMP monitor on the router and graph the usage so you can see it. Here is a neat tool called PRTG you can use for that http://www.paessler.com/download/prtg, this tool would show you what the bandwidth usage of the link in real time, the link is to download the tool at no cost, considering is the company’s freeware version and can only be configured with 10 sensors.

2) You should look at what type of queuing you're using on the interface. You can change the input and output queue values to squeeze a little more out of the interface, but that is a finite resource so you need to be careful how you do it. Do a "show controller t1 <number of the interface> and look at that as well.

3) You can turn on Netflow in your router, then use Netflow Analyzer to take a look into your WAN usage to see who's using all the bandwidth from a Windows workstation or server, or you can simply configure netflow with top-talker command in your router. ManageEngine Netflow Analyzer is very easy to setup and use.

http://www.manageengine.com/products/netflow/index.html

I would for sure add some more tips regarding this every day issue for you network techs out there if I remember any other. Cheers…

Keeping Network Attacks under the Radar

2009-10-20T17:40:00.001-06:00

PSAD (Port Scan Attack Detector Tool) is a tool that can detect not only port scans but also the OS of the machine that initiates the scan. It can also detect denial of service attacks and reuse the snort signature set to generate alerts. This tool integrates well enough into the normal system processes. Written in Perl & C, it is not hard to install. If you use Ubuntu (or Debian) just do a:

sudo apt-get install psad

You would have to also configure the syslogD to pass data to PSAD. You can do so by piping kernel info with the append:

kern.info | /var/lib/psad/psadfifo

Configuring PSAD is nothing out of the ordinary. Just edit the /etc/psad/psad.conf file with you favorite editor. You can configure email alerts, danger levels, enable_persistence and a few others options to make it more adjusted to your needs. Install and configusration could take around 30 minutes from a base level system.

For a rapid way to configure it, go to:

http://www.cipherdyne.org/LinuxFirewalls/ch05/

Copy and Paste the conf file. After editing both syslog and PSAD restart each process.

Use the command "psad -S" to confirm that everything is up and working. To test it just run a NMAP TCP and UDP scan against a couple servers.

nmap -sT -n 192.168.1.10 and nmap -sU -n 192.168.1.10

After applying the command above, you will notice that PSAD will detect the scan and alert over email (if you set it up). It will include the information regarding a reverse DNS lookup on the attacker and also find the OS of its workstation.

PSAD can be downloaded at: http://www.cipherdyne.org/psad/ as well as install and configuration guides.

Troubleshooting Web Apps Access

2009-10-20T17:37:00.001-06:00

When talking about the world of web applications, there is something important and very particular I want to share with you all. Remember that a web application should be accessed either internally or externally, but however it is that your company exposes it, you should know this procedure to at least know if a network issue is probably present or not.

Many of you network techs out there may be getting a call from a client to troubleshoot the access to a particular site that they are hosting. So, to make sure it is not a routing problem or any other network related issue, you can follow this procedure and if you get an HTML code response, that means you are on your way to determining if it might be a DNS issue, or some other sort of server related issue (load balancing, content, etc).

Here is the procedure:

1. Open a command shell
2. Use telnet to connect to the site with the problem, such as intranet.company.com using port 80. Depending on the service you are using you would use that port, for example it could be you are using HTTPS (port 443) or instead of port 80 for WWW you are using 8081, and so on.
3. Type in the following (even if the window is blank and you can't see what you are typing): GET / HTTP/1.0
4. Press the ENTER key twice.
5. Notice if you get an HTML formatted text returned.

After step 5, if you don’t get that HTML returned, then start troubleshooting the network as usual and see where the traffic is being dropped or blocked. I hope this helps, cheers…

Don't run after the Hackers, let them come to you

2009-10-20T12:20:00.001-06:00

If you ever watched police movies or so called action movies, you always see the good cops chasing after the bad thief. It’s not so easy anymore in this digital world we live in, with so many digital thieves or so called hackers / crackers out there doing a lot of damaged under anonymous names or leaving no tracks behind. So for those of you who are attracted to security, this is for you.

I came across this tool from a company named Dalmatech, it is called Nepenthes. This tool is for honeypotting, for those of you not aware of the term, honeypotting, in computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. It generally consists of a PC, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.

This tool from Dalmatech is very good for honeypotting, downloadable at no cost from their site at no cost http://www.dalmatech.com/downloads/Nepenthes.20.zip, this is a 520MB ISO image that runs as a VMWare appliance. Nepenthes is designed to emulate vulnerabilities that worms use to spread, and to capture these worms. As there are many possible ways for worms to spread, Nepenthes is modular. There are module interface to: resolve DNS asynchronous, emulate vulnerabilities, download files, submit the downloaded files, trigger events and shellcode handler.

To learn about honeypotting, this is a very nice and fast way to do so, even if you are looking into becoming a stronger security professional. I highly recommend that you use this as a tool, now go on and catch those thieves without even running an inch!

Testing for Open Relay Hosts

2009-10-19T20:29:00.001-06:00

By legal definition: Simple Mail Transfer Protocol (SMTP) relay is a feature that lets an SMTP client use an SMTP server to forward e-mail messages to a remote domain. As described in Request for Comments (RFC) 282, sections 2.1 and 3.7, SMTP was designed with the ability to relay e-mail messages.

Hey folks, this is old stuff and many of you know it. Nevertheless I hate to see SMBs out there not being careful when running older versions of MS Exchange (which is not deactivated by default) and even some newer versions.

So, what is the big deal?? If relay is not controlled, a malicious user might use relay to send bulk unsolicited e-mail messages. An uncontrolled host is known as an "open relay" host. By sending these unsolicited e-mail messages to the intermediate host, the malicious user can disguise his or her identity. This may also cause excessive resource use on the relay host and prevent the relay host from sending valid e-mail messages. In particular, a malicious user who sends unsolicited e-mail messages may send a single message to many recipients without using their own bandwidth.

With this simple test you should be good to at least know whether you are protected or not:

1. Open a command shell.
2. Determine the name of the email server in your domain, maybe
smtp.yourcompany.com
3. Use telnet to contact the email server using port 25 for email service.
4. The server responds by sending an identification line.
5. Enter the following text (or a reasonable variation). The server will
respond to each command. If you make a mistake, just try the line again.
HELO smtp.yourcompany.com (or the name of the mail server)
MAIL FROM: name@host.com (use a valid syntax for mail)
RCPT TO: yourname@yahoo.com (use your email address)
DATA
Type an email message. Multiple lines okay.
. (End with a period.)
QUIT
6. Verify that the connection was closed by the server.
7. Verify that the email was delivered to your email address.
Optional:
8. Repeat with multiple RCPT TO: lines.
9. Try with bogus MAIL FROM: names. Some servers require an address with
valid mail syntax, but not a real address.

If you get a “550 5.7.1 Relaying prohibited” after step 5 or so, this means you are probably fine and taken care of, if you are able to send emails, check your server configuration. Cheers…

Free Virtual Machine Software for the Tight Budgets

2009-10-19T20:13:00.002-06:00

I try to keep this site focused on Networking, so you may be asking yourself why through a Virtual Machine article into the mix. Well, let’s just imagine that you would need somehow to virtualize a desktop because you need to test one of your favorite network tools and don’t want to mess up your actual system environment. Ok, you got me, that is exactly what happened to me and since I always look for the open source / free stuff first, this is why I found it. I wish I could have known this before; this is why I want to share it with you.

I believe the Sun’s VirtualBox software to be a good option for you folks out there that have to run virtual machines for home or enterprise use. I tested it because I needed to install a fresh WinXP and a fresh Ubuntu for some geeky programming thing I was working on, and it worked great for me. Further more, it is open source, you can download it at no cost (http://www.virtualbox.org/wiki/Downloads) and like VMWare, it comes with its own set of integration tools which can be installed on the guest OSes to improve performance. VirtualBox also supports Virtual Machine formats of competitive products, such as Microsoft’s Virtual Server and VMWare. Be advised that if you do port one of your older VMs over, you’ll want to remove the “tools” (paravirtualized device drivers) from the guest OS install before running them in VirtualBox, or you will run into a number of compatibility problems.

FAQ for a few DOS commands useful for troubleshooting from the desktop side

2009-10-13T17:23:00.001-06:00

1)Which command do you use to list the number of ICMP messages that show
when the TTL value timed out?

Use the ping command.

Example:

C:\>ping www.yahoo.com -t -l 1472

Pinging www-real.wa1.b.yahoo.com [209.191.93.52] with 1472 bytes of data:
Reply from 209.191.93.52: bytes=1472 time=38ms TTL=51
Reply from 209.191.93.52: bytes=1472 time=24ms TTL=51
Reply from 209.191.93.52: bytes=1472 time=35ms TTL=51
Reply from 209.191.93.52: bytes=1472 time=24ms TTL=51

Ping statistics for 209.191.93.52:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 24ms, Maximum = 38ms, Average = 30ms

2)Which command do you use to see what applications are associated with
which ports?

Use the netstat -o command.

Example:

C:\>netstat -o
Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.1.4:54764 cpe-076-182-187-185:55039 ESTABLISHED
5496
TCP 192.168.1.4:54804 by2msg1010508:msnp ESTABLISHED 4036
TCP 192.168.1.4:59307 74.125.98.21:http ESTABLISHED 5920
TCP 192.168.1.4:60214 iw-in-f18:https ESTABLISHED 5920
TCP 192.168.1.4:60412 iw-in-f17:https ESTABLISHED 5920
TCP 192.168.1.4:61156 iw-in-f149:http CLOSE_WAIT 5920
TCP 192.168.1.4:61251 iw-in-f155:http CLOSE_WAIT 5920
TCP 192.168.1.4:61259 iy-in-f139:http CLOSE_WAIT 5920
TCP 192.168.1.4:61268 65.55.15.123:http TIME_WAIT 0
TCP 192.168.1.4:61270 69.18.50.51:nntp ESTABLISHED 2892

3)Which command do you use to see how many errors were detected at the
network interface?

Use the netstat -e command.

Example:

C:\>netstat -e

Interface Statistics

Received Sent
Bytes 4091961680 1521742152
Unicast packets 6321695 5755310
Non-unicast packets 91615 42220
Discards 0 0
Errors 0 0
Unknown protocols 0

4)Which command do you use to see the address of the default gateway?

Use the ipconfig command.

Example:

C:\>ipconfig
Windows IP Configuration
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4563:5a68:6ef1:64e3%11
IPv4 Address. . . . . . . . . . . : 192.168.1.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

5)Which command do you use to see the Address Resolution Protocol cache?

Use the arp -a command.

Example:

C:\>arp -a

Interface: 192.168.1.4 --- 0xb
Internet Address Physical Address Type
192.168.1.1 00-24-b2-0d-93-00 dynamic
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
255.255.255.255 ff-ff-ff-ff-ff-ff static

Interface: 169.254.165.13 --- 0x10
Internet Address Physical Address Type
169.254.255.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static

Port Mapping Lab

2009-09-30T11:01:00.001-06:00

Port mapping can be used to find computers on a network and to detect what applications are listening for connections. Port mapping has been used by hackers to probe the defenses of a computer, but it is also used by system administrators to verify that their computer systems are not vulnerable to attack. Follow this lab and gain some experience with a port mapper called nmap. Background reading is available at http://www.insecure.org/nmap/.

1. Download and install nmap by unpacking the nmap-393-win32.zip file to the C:\ directory.

2. Open a command shell - open the Start menu and select Run... and enter cmd in the Open text box.

3. Change directories into the C:\nmap-3.93-win32\nmap-3.93, assuming that you unpacked the compressed files there. If not, cd into the proper directory where nmap.exe is located.

4. Start by scanning the ports of a neighboring computer. Find the IP address of another computer in the lab - the command ipconfig is a quick way to find the IP address. Then run the nmap program as below (replace 10.10.21.9 with the IP number of the neighboring computer).
nmap -v -O 10.10.21.9
The -O option asks nmap to make a guess at the operating system.
The -v option asks nmap to show verbose output.

5. Broaden your investigation by scanning for the presence of all devices in a range:
nmap -sP 10.10.21.1-254
The -sP option performs a "ping scan" to find which nodes are responding in the specified range. You get a list of the devices that are online. Another way to scan for devices is below: nmap -sL 10.10.21.*

Use Telnet to Contact a Time Server

2009-09-30T09:11:00.002-06:00

Procedure (Time-of-day server)

1. Open a command shell - open the Start menu and select Run... and enter cmd in the Open text box.

2. Run telnet to connect with a time of day server to get the current time. Here is an example:
telnet time-A.timefreq.bldrdoc.gov 13

3. Verify that the host responded by displaying a line like this:
54108 07-01-08 17:41:57 00 0 0 233.1 UTC(NIST) *
Note that the connection was closed automatically.

For more information, read about the Daytime Protocol at http://tf.nist.gov/service/its.htm to interpret the response.