Sunday, December 28, 2008

Lab 3 VLAN Configuration

Lab Section: Router and Switch

Lab Title: VLAN Configuration

Purpose:

1. Understand how to set up a VLAN.

Preparation:

1. Basic commands of the switch: enable, config terminal, hostname, banner, exit, end, show, no, etc.

2. Three ways to create a VLAN: Privileged EXEC mode (vlan database); Global Configuration mode (vlan vlanid); Interface Configuration mode (config-if).

Topology


Requirements

1. Technical Support Team: VLAN name Tech, VLAN ID 100, description "For Technical Support team"

2. Accountant Department: VLAN name Account, VLAN ID 200, description "For Accountant department"

3. Customer Service Department: VLAN name Customer, VLAN ID 300, description "For Customer Service Department"

Procedure:

1. Set up the hostname, banner and passwords:

Switch>en

Switch#conf t

Switch(config)#hostname SW1

SW1(config)#banner motd $

Enter TEXT message. End with the character '$'.

Welcome to Valute IT Virtual Lab$

SW1(config)#enable password cisco

SW1(config)#enable secret cisco12345

SW1(config)#exit

2. Create a VLAN in Privileged EXEC mode:

SW1#vlan database

SW1(vlan)#vlan 100 name Tech

SW1(vlan)#exit

SW1#show vlan

3. Create a VLAN in Global Configuration mode:

SW1#conf t

SW1(config)#vlan 200

SW1(config-vlan)#name Account

SW1(config-vlan)#end

SW1#show vlan

4. Create a VLAN in Interface Configuration mode:

SW1#conf t

SW1(config)#interface f0/3

SW1(config-if)#switchport mode access

SW1(config-if)#switchport access vlan 300

% Access VLAN does not exist. Creating vlan 300

SW1(config-if)#no shutdown

SW1(config-if)#end

SW1#show vlan

5. Set up the VLAN descriptions:

SW1#conf t

SW1(config)#interface vlan 100

SW1(config-if)#description ?

SW1(config-if)#description For Technical Support team

SW1(config-if)#no shutdown

SW1(config-if)#exit

SW1(config)#interface vlan 200

SW1(config-if)#description For Accountant department

SW1(config-if)#no shutdown

SW1(config-if)#exit

SW1(config)#interface vlan 300

SW1(config-if)#description For Customer Service Department

SW1(config-if)#exit

6. Change a VLAN name:

SW1(config)#vlan 300

SW1(config-vlan)#name Customer

SW1(config-vlan)#end

SW1#show vlan

7. Assign switch ports to VLANs:

SW1#conf t

SW1(config)#interface fastEthernet 0/1

SW1(config-if)#switchport mode access

SW1(config-if)#switchport access vlan 100

SW1(config-if)#no shutdown

SW1(config-if)#exit

SW1(config)#interface fastEthernet 0/2

SW1(config-if)#switchport mode access

SW1(config-if)#switchport access vlan 200

SW1(config-if)#no shutdown

SW1(config-if)#exit

8. Set up the trunk port; this port is used to connect to the other switch:

SW1(config)#interface f0/24

SW1(config-if)#switchport mode trunk

SW1(config-if)#no shutdown

SW1(config-if)#end

SW1#show running-config

9. Do exactly the same steps on Switch 2 (except the hostname).

10. Set up the PCs' IP addresses (refer to the topology diagram above).

11. Use "ping" to verify the isolation between VLANs.
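The lab verifies each step with "show vlan"; the following added example (my own code, not part of the lab) automates that check. It parses the "show vlan brief" table of a Catalyst switch and compares it with the three requirements above: the VLANs exist with the right names and are active, and Fa0/1, Fa0/2 and Fa0/3 sit in VLANs 100, 200 and 300. The two "show vlan brief" samples are constructed from the lab's steps, not captured from the lab switch; the column layout assumed is the standard Catalyst IOS one, with wrapped port lists indented on continuation lines.

```python
import re

# Constructed sample of "show vlan brief" on SW1 after all the steps above
# (not captured from the lab switch).
SHOW_VLAN_AFTER = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
100  Tech                             active    Fa0/1
200  Account                          active    Fa0/2
300  Customer                         active    Fa0/3
1002 fddi-default                     act/unsup
"""

# Constructed sample of the same switch before step 4: VLAN 300 does not exist
# yet and Fa0/3 is still in the default VLAN.
SHOW_VLAN_BEFORE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
100  Tech                             active    Fa0/1
200  Account                          active    Fa0/2
"""

# The lab requirements, encoded as the expected end state.
REQUIRED_VLANS = {100: "Tech", 200: "Account", 300: "Customer"}
REQUIRED_PORTS = {"Fa0/1": 100, "Fa0/2": 200, "Fa0/3": 300}


def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [str]}}.

    Lines starting with whitespace are continuation lines that extend the
    previous VLAN's port list.
    """
    vlans = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("VLAN ") or line.startswith("----"):
            continue
        if line[0].isspace():  # wrapped port list
            if current is not None:
                vlans[current]["ports"].extend(
                    p.strip() for p in line.split(",") if p.strip())
            continue
        m = re.match(r"(\d+)\s+(\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        vid, name, status, ports = m.groups()
        current = int(vid)
        vlans[current] = {
            "name": name,
            "status": status,
            "ports": [p.strip() for p in ports.split(",") if p.strip()],
        }
    return vlans


def check_vlans(text):
    """Compare parsed output with the requirements; return a list of findings."""
    vlans = parse_show_vlan_brief(text)
    findings = []
    for vid, name in REQUIRED_VLANS.items():
        if vid not in vlans:
            findings.append(f"VLAN {vid} missing")
            continue
        if vlans[vid]["name"] != name:
            findings.append(f"VLAN {vid} is named {vlans[vid]['name']!r}, expected {name!r}")
        if vlans[vid]["status"] != "active":
            findings.append(f"VLAN {vid} status is {vlans[vid]['status']}")
    # A port left in VLAN 1 silently shares the default broadcast domain, so
    # each required port must be in exactly the VLAN the requirement gives it.
    port_to_vlan = {p: vid for vid, v in vlans.items() for p in v["ports"]}
    for port, vid in REQUIRED_PORTS.items():
        actual = port_to_vlan.get(port)
        if actual != vid:
            findings.append(f"{port} is in VLAN {actual}, expected {vid}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SHOW_VLAN_BEFORE), ("after", SHOW_VLAN_AFTER)):
        print(label + ":", check_vlans(sample) or "OK")
```

Trunk ports (Fa0/24 in step 8) are not listed in "show vlan brief"; verify them separately with "show interfaces trunk". On the credentials from step 1: "enable password" is stored in clear text in the configuration (reversibly obscured at best with service password-encryption), while "enable secret" is stored as a hash and takes precedence whenever both are set, so the clear-text one can simply be removed.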

Further:


*******************************************************************************

1. For more information, please visit my blog http://jhuang8.blogspot.com/.

2. Video demo is located in http://www.valit.ca/lab/.

Lab 2 Reset Password of Router and Switch

Lab Section:  Router and Switch

Lab Title: Reset Password

 

Purpose:

1. Understand how to reset the password of a Cisco router.

2. Understand how to reset the password of a Cisco switch.

 

Preparation:

1. Switches and routers are usually given very complex passwords, and a password can be forgotten for many reasons; when the startup-config cannot simply be deleted, we need to reset the password while keeping the startup-config.

2. The password reset method for the Cisco 2600 series and 3600 series is the same; the 2500 series differs slightly from the 2600/3600.

3. For a switch, we need to get into the "switch:" prompt to reset the password: while restarting the switch, hold the "mode" button (located on the front panel of the switch).

 

Topology

 

Procedure:

Reset 2600 series router password (same as 3600 series)

1. Power on the router and, while it boots, press Ctrl+Break.

2. rommon>confreg 0x2142

-- Change the configuration register to 0x2142; this tells the router to ignore the saved configuration in NVRAM and load the factory default configuration on the next start-up.

3. rommon>reset

-- Restart the router.

4. router#copy startup-config running-config

-- Now we can enter Privileged EXEC mode. We need to copy the old startup-config, which was saved in NVRAM, into the current running-config; remember, we don't want to lose the old configuration, only the password.

5. router#config t

6. router(config)#enable password cisco

-- When we copied the old startup-config, we also copied the old password, so we need to change it to a new one (if the old configuration also contains an enable secret, change that too, since the secret takes precedence over the enable password).

7. router(config)#exit

8. router#copy running-config startup-config

-- Save the current running-config, which contains the new password, to NVRAM.

9. router#conf t

10. router(config)#config-register 0x2102

-- Restore the register value to 0x2102, which means the router will load the configuration from NVRAM on the next start-up.

11. router(config)#exit

12. router#reload

-- Restart the router to check the password.

 

*********************************************************************

Reset 2500 series router password:

1. Power on the router and, while it boots, press Ctrl+Break.

2. rommon>o/r 0x2142

-- Change the configuration register to 0x2142; this tells the router to ignore the saved configuration in NVRAM and load the factory default configuration on the next start-up.

3. rommon>i

-- Restart the router.

The remaining steps are the same as for the 2600 router.
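Both router procedures hinge on the configuration register: 0x2142 is 0x2102 with bit 6 (0x0040, "ignore NVRAM contents") set, which is why the router comes up without its saved configuration. Forgetting step 10 leaves that bit set, and the router will keep discarding its startup-config on every reload. The added example below (my own code, not part of the lab) decodes the register bits and audits the "Configuration register is ..." line that "show version" prints, flagging a next-reload value that skips NVRAM. The two "show version" fragments are constructed, not captured from the lab router; the "(will be 0x2102 at next reload)" suffix is the form IOS prints when the register has been changed but the router has not reloaded yet.

```python
import re

# Configuration-register bits used in the procedure above (Cisco IOS routers
# such as the 2500/2600/3600 series).
BOOT_FIELD = 0x000F      # bits 0-3: 0x0 = stay in ROM monitor, 0x1 = boot image in ROM,
                         #           0x2-0xF = normal boot from flash / boot system commands
IGNORE_NVRAM = 0x0040    # bit 6: ignore the startup-config in NVRAM (0x2142 = 0x2102 | 0x0040)
BREAK_DISABLED = 0x0100  # bit 8: console Break is ignored once IOS is running

# Constructed "show version" tails (not captured from the lab router).
SHOW_VERSION_RESTORED = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
SHOW_VERSION_LEFT_OPEN = "Configuration register is 0x2142\n"


def decode_confreg(value):
    """Split a register value into the fields the recovery procedure relies on."""
    return {
        "boot_field": value & BOOT_FIELD,
        "ignores_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def audit_config_register(show_version_text):
    """Parse the register line of "show version"; return None if it is absent.

    The result carries the current value, the value that applies at the next
    reload, and findings about that next value.
    """
    m = re.search(
        r"Configuration register is (0x[0-9A-Fa-f]+)"
        r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?",
        show_version_text,
    )
    if m is None:
        return None
    current = int(m.group(1), 16)
    next_boot = int(m.group(2), 16) if m.group(2) else current
    fields = decode_confreg(next_boot)
    findings = []
    if fields["ignores_nvram"]:
        findings.append(
            f"register {next_boot:#06x} ignores NVRAM: the saved startup-config will "
            "not load on the next reload; set config-register 0x2102 (step 10)")
    if fields["boot_field"] == 0:
        findings.append("boot field 0x0: the router will stop in ROM monitor on reload")
    return {"current": current, "next": next_boot, "findings": findings}


if __name__ == "__main__":
    for sample in (SHOW_VERSION_RESTORED, SHOW_VERSION_LEFT_OPEN):
        print(sample.strip(), "->", audit_config_register(sample))
```

Running "show version" after step 10 and before step 12 should give the first form (current 0x2142, next 0x2102, no findings); the second form is what a router looks like when the register was never restored.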

 

**********************************************************************

Reset Catalyst 2900 series switch password:

1. Turn on the switch and, at the same time, hold the "mode" button located on the front panel.

2. At the "switch:" prompt, back up and rename the startup configuration.

3. switch: dir flash:  ;check the current files in flash and back them up if necessary.

4. switch: rename flash:config.text flash:config_old.txt  ;rename the configuration file; the switch will use the factory default settings if this file is missing.

5. switch: reset  ;restart the switch

6. Would you like to enter the initial configuration dialog? [yes/no]: n

7. Enter Privileged EXEC mode.

8. Switch# copy config_old.txt running-config  ;copy the old configuration settings into the running-config so we don't lose the old settings.

9. Switch# conf t

10. Switch(config)#enable password cisco  ;set up a new password

11. Switch(config)#enable secret cisco12345

12. Switch(config)#exit

13. Switch#write  ;save the new password to the startup-config

14. Switch# reload  ;restart the switch

 

-------------------------------------------

1. For more information, please visit my blog http://jhuang8.blogspot.com/.

2. Video demo is located in http://www.valit.ca/lab/.

 

Lab 1 Router Basic commands

Lab Section: Router and Routing Protocol
Lab Title: Router Basic commands

Purpose:
1. Understand the basic commands of Cisco Router.
Preparation:
1. What are User EXEC mode, Privileged EXEC mode and Global Configuration mode?
2. The difference between running-config and startup-config.
3. ROM, RAM, Flash and NVRAM.
4. The difference between "exit" and "end".
5. Commands: enable, configure, exit, end, show, ?, copy, hostname, banner, interface, line console, line vty, no, etc.

Procedure:
1. Task 1: Connect Router to PC through RS232.


2. Task 2: Commands: enable, show, clock:
1) Router>enable
2) Router# show version
3) Router# show clock
4) Router# clock set 10:11:00 Dec 22 2008
5) Router# show clock

3. Task 3: Set up hostname and banner:
1) Router# config terminal
2) Router(config)# enable password cisco
3) Router(config)# enable secret cisco12345
4) Router(config)# hostname R2600
5) R2600(config)# banner ?
6) R2600(config)# banner motd $ Welcome to Value IT virtual Lab$
7) R2600(config)# exit

4. Task 4: Set up interfaces:
1) R2600# show running-config
2) R2600# conf t
3) R2600(config)# interface fastEthernet 0/0
4) R2600(config-if)# description Management
5) R2600(config-if)# no shutdown
6) R2600(config-if)# exit
7) R2600(config)# interface FastEthernet 0/1
8) R2600(config-if)# description IT Security
9) R2600(config-if)# no shutdown
10) R2600(config-if)# end

5. Task 5: Setup Console:
1) R2600# conf t
2) R2600(config)# line console 0
3) R2600(config-line)# login
4) R2600(config-line)# password cisco
5) R2600(config-line)# exec-timeout 0 0
6) R2600(config-line)# logging synchronous
7) R2600(config-line)# end

6. Task 6: Copy current config to start config, and verify the banner and password
1) R2600# copy running-config startup-config
2) R2600# exit
3) Press the Enter key to re-enter the router and check the banner; you'll need the password to get into user EXEC mode.


-------------------------------------------
1. For more information, please visit my blog http://jhuang8.blogspot.com/.
2. Video demo is located in http://www.valit.ca/lab/.

Sunday, November 30, 2008

Code review – what functions cause problems?

You never have enough time to do a code review if you try to walk through every function; instead, we can focus on the "high risk" functions that attackers have been known to take advantage of in web applications.

The common potential problem areas are:
1. User input;
2. Third-party input from other untrusted sources, such as an external database;
3. The output. For example, an error message may reveal too much information, or a poorly coded application may insert tainted SQL data into a database, which your application could later use.

Here is the list of "high risk" functions (copied from a PDF file and some websites; I also added some):
1. Buffer overflow
When a particular function/operation writes more data into a variable than the variable was designed to hold, the result is a buffer overflow. Fortunately, this only occurs in languages that must predeclare their variable storage size, such as C and C++. ASP, Perl, and Python all have dynamic variable allocation, which means the interpreter itself handles the variable size.
For C/C++, the "high risk" functions are:
(1) str* family: strcpy(), strcat(), strcadd(), strccpy(), streadd(), strecpy(), strtrns(). We should avoid using these functions.
(2) strn* family: strncpy(), strncat(), and so on. This is a safer alternative to the str* family. The strn* family is essentially the same as the str* family except that it allows you to specify a maximum length, so we only need to make sure that the specified maximum is less than or equal to the destination variable size (note that strncpy() does not NUL-terminate the destination when the source is truncated, so the result must be terminated explicitly, and that for strncat() the limit is the space remaining after the existing string, not the whole buffer).
(3) memcpy(), bcopy(), memccpy(), memmove().
(4) sprintf(), snprintf(), vsprintf(), vsnprintf(), swprintf(), vswprintf().
(5) gets(), fgets().
(6) getc(), fgetc(), getchar(), read().

2. Cross-Site Scripting (XSS)
XSS is in fact a subset of HTML injection. It allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, insert hostile content, conduct phishing, etc.
Looking for XSS vulnerabilities is tough; the best place to start is with the common output functions used by the language:
(1)    C/C++: printf(), fprintf(), output streams, and so on.
(2)    Java: Don’t use
(3)    .NET: the better way is to use the Microsoft Anti-XSS Library freely available from MSDN.
(4)    ASP: Response.Write, Response.BinaryWrite,
(5)    Perl: print, printf, syswrite.
(6)    PHP: print, printf, echo.
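The review question at each of the output calls above is whether untrusted data reaches the response unescaped. The added example below (my own, not from the book or the post) shows the two forms side by side in Python: a raw write that mirrors an unescaped print/echo/Response.Write, and an output function that HTML-escapes every substituted value, in both element-body and attribute context. Names, the template format and the sample inputs are my own constructions.

```python
import html
import io


def write_raw(stream, text):
    # The risky form: whatever arrives is written straight into the response,
    # exactly like an unescaped print/echo/Response.Write of user data.
    stream.write(text)


def write_html(stream, template, **values):
    """Escaped replacement for the raw output call.

    Every substituted value is HTML-escaped; quote=True also escapes " and ',
    so a value placed inside an attribute cannot terminate that attribute.
    The template itself is trusted, fixed markup; only the values are untrusted.
    """
    escaped = {k: html.escape(str(v), quote=True) for k, v in values.items()}
    stream.write(template.format(**escaped))


def render_profile(name, city, escape_output=True):
    """Build a small profile fragment; name and city are untrusted input."""
    out = io.StringIO()
    if escape_output:
        write_html(out, "<p>Name: {name}</p>", name=name)
        write_html(out, '<input value="{city}">', city=city)
    else:
        write_raw(out, "<p>Name: " + name + "</p>")
        write_raw(out, '<input value="' + city + '">')
    return out.getvalue()


if __name__ == "__main__":
    # Constructed inputs containing markup and a quote character.
    print(render_profile("<i>x</i>", 'Lon"don', escape_output=False))
    print(render_profile("<i>x</i>", 'Lon"don'))
```

With escaping on, the tag in the name is rendered as literal text and the quote in the city cannot close the value attribute; the same discipline (escape at the point of output) is what the per-language output functions listed above should be checked for.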

3. Information Disclosure
This is not purely a technical problem: it is quite possible that the application provides some information that can be used by attackers. For example, a developer may insert some output for debugging purposes and forget to delete it.
We need to review all the output functions of the language for:
(1) Printing sensitive information (passwords, credit card numbers) in full.
(2) Displaying application configuration, server configuration information, environment variables, and so on.
(3) Revealing too much information in error messages. For example, failed database connections typically spit out connection details that include the database host address, authentication details and target tables; a failed file inclusion may disclose file paths, which allows attackers to determine the layout of the application.
(4) Use of public debugging mechanisms in production applications. The better way is to write debugging information to a log on the application server.

4. File system access/interaction
We need to check where, when and how a web application accesses the local file system on the server; the danger lies in using filenames that may contain tainted data.
(1) C/C++: open(), fopen(), creat(), mknod(), catopen(), dbm_open(), opendir(), unlink(), link(), chmod(), stat(), lstat(), mkdir(), readlink(), rename(), rmdir(), symlink(), chdir(), chroot(), utime(), truncate(), glob().
(2) ASP: Server.CreateObject() calls that create Scripting.FileSystemObject objects.
(3) Perl: chmod, chown, link, lstat, mkdir, readlink, rename, rmdir, stat, symlink, truncate, unlink, utime, chdir, chroot, dbmopen, open, sysopen, opendir, glob.
(4) PHP: opendir(), chdir(), dir(), chgrp(), chmod(), chown(), copy(), file(), fopen(), get_meta_tags(), link(), mkdir(), readfile(), rename(), rmdir(), symlink(), unlink(), gzfile(), gzopen(), readgzfile(), fdf_add_template(), fdf_open(), fdf_save().
(5) Java: java.io.*, java.util.zip.*, java.util.jar.*
(6) JSP: <%@ include file="filename" %>
(7) ColdFusion: CFFile, CFInclude tags.

5. Calling External Programs
Calling external programs is dangerous: if tainted user data is included within the call, an attacker could trick the command processor into executing additional commands, or into changing the intended command.
(1) C/C++: exec* family: exec(), execv(), execve(), and so on.
(2) Perl: exec, `` (backticks), qx//, and <> (the globbing operator).
(3) PHP: fopen(), popen(), exec(), passthru(), system().
(4) Python: os.exec* family: os.exec, os.execve, os.execle, os.execlp, os.execvp, os.execvpe; os.popen, os.system.
(5) Java: Runtime.exec().
(6) ColdFusion: CFExecute, CFServlet tags.

6. Dynamic code execution
Some languages contain mechanisms to interpret and run native scripting code. The advantage is that this allows the program to "build" a subprogram dynamically, and a user can supply a fragment of script code. However, it opens a door to an attacker, who may insert his own script code to be compiled and executed.
(1) Perl: the eval function, do, and any regex operation with the e modifier.
(2) Python: exec, compile, eval, execfile, input.
(3) ASP: Eval, Execute, ExecuteGlobal.

7. External objects/Libraries
Including or loading libraries is helpful in making the design of a program easier. However, you need to make sure that none of the external library loading routines use any sort of tainted data; otherwise an attacker could coerce your program into loading an alternate library, which could give him an advantage.
(1) Perl: import, require, use, do.
(2) Python: import, __import__.
(3) ASP: Server.CreateObject(), the <object> tag in global.asa.
(4) JSP: jsp:useBean.
(5) Java: URLClassLoader, JarURLConnection from the java.net package; ClassLoader, Runtime.load, Runtime.loadLibrary, System.load, and System.loadLibrary from the java.lang package.
(6) ColdFusion: CFObject.

 

8. Structured Query Language/Database Queries

The two problem areas are:

(1) Connection setup: the connection usually contains authentication information, such as user name, password, database server, etc. This information should be considered sensitive and needs to be well protected.

(2) Tampering with queries: when data is inserted into a SQL query, an attacker could submit data that tricks the database server into executing a different query than the one intended.

The following list of functions and commands could lead you to these potential problems:

(1) PHP: ifx_connect(), ifx_pconnect(), ifx_prepare(), ifx_query(), msql_connect(), msql_pconnect(), msql_db_query(), msql_query(), mysql_connect(), mysql_db_query(), mysql_pconnect(), mysql_query(), odbc_exec(), odbc_pconnect(), odbc_prepare(), ora_logon(), ora_open(), ora_parse(), ora_plogon(), OCILogon(), OCIParse(), OCIPLogon(), pg_connect(), pg_exec(), pg_pconnect(), Sybase_connect(), Sybase_pconnect(), Sybase_query().

(2) ASP: ADODB.* objects.

(3) Java: the createStatement() and execute() methods in the java.sql package.

(4) Perl: DB::* modules.

(5) ColdFusion: CFInsert, CFQuery, CFUpdate tags.
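What the reviewer is looking for at each of the query functions above is whether the statement text is assembled from tainted data. The added example below (my own, not from the book or the post) puts the two forms side by side using Python's built-in sqlite3 module: a query built by string concatenation and the same query parameterized. The user store is a constructed in-memory table; the input "O'Brien" is an ordinary name whose apostrophe is enough to change the SQL the engine parses, which is the mechanism behind query tampering. For a real database server the point (1) above also applies: the connection credentials belong outside the source, for example in an environment variable or a protected configuration file, never hard-coded next to these calls.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "staff")])
    return conn


def find_role_unsafe(conn, name):
    # Tainted data is spliced into the statement text, so characters in the
    # data (here the apostrophe) become part of the SQL the engine parses.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_role_safe(conn, name):
    # Parameterized query: the value travels separately from the SQL text and
    # is never parsed as SQL, whatever characters it contains.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name):
    """Run both forms on the same input and report what each one did."""
    conn = make_db()
    result = {"safe": find_role_safe(conn, name)}
    try:
        result["unsafe"] = find_role_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        # The concatenated statement is no longer the SQL the developer wrote.
        result["unsafe"] = "SQL error: " + str(exc)
    return result


if __name__ == "__main__":
    for name in ("alice", "O'Brien"):
        print(name, "->", compare(name))
```

For "alice" both forms agree; for "O'Brien" only the parameterized query returns the row, while the concatenated one fails with a parse error because the data has rewritten the statement. The fix at every function in the PHP/ASP/Java/Perl/ColdFusion lists above is the same: bind values as parameters (or use the platform's prepared statement API) instead of building the query text from input.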

 

9. Networking and communication streams

The outgoing and incoming network connections and communication streams used by the program are potential security holes. For example, your application may make an FTP connection to a particular server to retrieve a file, or may set up a listening server process to answer incoming network connections. It is very important to make sure that a remote attacker cannot use these to compromise the server.

The following list of functions allows your application to establish or use network and communication streams:

(1) Perl and C/C++: connect, accept.

(2) PHP: imap_open, imap_popen, ldap_connect, ldap_add, mcal_open, fsockopen, pfsockopen, ftp_connect, ftp_login, mail.

(3) Python: socket.*, urllib.*, ftplib.* modules.

(4) ASP: CDONTS.* objects, CDONTS.Attachment, CDONTS.NewMail, AttachFile and AttachURL methods.

(5) Java: ServerSocket in java.net.*, java.rmi.*.

(6) ColdFusion: CFFTP, CFHTTP, CFLDAP, CFMail, CFPOP tags.
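The whole post is a grep list for a code review, so here is that grep as an added example (my own code, not from the book or the post): a small scanner that takes a subset of the functions from sections 1, 4, 5, 6 and 8 above, keyed by language and category, and reports every call site with its line number so the reviewer can trace whether tainted data reaches it. The three source snippets it runs over are constructed for the example; the tables are mine and are meant to be extended from the lists above. A hit is a review prompt, not proof of a bug.

```python
import re
from pathlib import Path

# Subset of the "high risk" functions from the lists above, keyed by language
# and category. Extend these tables from the post's lists as needed.
HIGH_RISK = {
    "c": {
        "buffer overflow": ["strcpy", "strcat", "sprintf", "vsprintf", "gets", "memcpy", "bcopy"],
        "external program": ["execv", "execve", "execl", "execvp", "system", "popen"],
        "file system": ["open", "fopen", "creat", "unlink", "rename", "chmod", "mkdir"],
    },
    "php": {
        "external program": ["exec", "passthru", "system", "popen"],
        "database query": ["mysql_query", "mysql_db_query", "pg_exec", "odbc_exec", "msql_query"],
        "file system": ["fopen", "readfile", "unlink", "rename", "file", "gzopen"],
    },
    "python": {
        "dynamic code": ["exec", "eval", "compile", "execfile", "__import__", "input"],
        "external program": ["os.system", "os.popen", "os.execv", "os.execve", "os.execvp"],
    },
}

EXTENSIONS = {".c": "c", ".h": "c", ".cpp": "c", ".php": "php", ".py": "python"}


def scan_source(text, lang):
    """Return [(line_no, category, function, source_line)] for one file's text.

    The pattern requires the name to be followed by "(" and not preceded by a
    word character or ".", so strcpy does not match strncpy and "file" does
    not match readfile. Hits inside comments are reported too; the reviewer
    decides.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, names in HIGH_RISK.get(lang, {}).items():
            for name in names:
                if re.search(r"(?<![\w.])" + re.escape(name) + r"\s*\(", line):
                    findings.append((line_no, category, name, line.strip()))
    return findings


def scan_tree(root):
    """Walk a source tree; return {path: findings} for files that have hits."""
    report = {}
    for path in Path(root).rglob("*"):
        lang = EXTENSIONS.get(path.suffix.lower())
        if lang and path.is_file():
            hits = scan_source(path.read_text(errors="replace"), lang)
            if hits:
                report[str(path)] = hits
    return report


# Constructed snippets (not real project code) to exercise the scanner.
SAMPLE_C = """\
#include <string.h>
void greet(const char *who) {
    char buf[32];
    strcpy(buf, who);
    strncpy(buf, who, sizeof buf - 1);
    buf[sizeof buf - 1] = 0;
}
"""

SAMPLE_PHP = """\
<?php
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id = $id");
$out = system("ls " . $dir);
"""

SAMPLE_PY = """\
import os
def run(cmd, expr):
    os.system("echo " + cmd)
    return eval(expr)
"""


if __name__ == "__main__":
    for lang, sample in (("c", SAMPLE_C), ("php", SAMPLE_PHP), ("python", SAMPLE_PY)):
        for line_no, category, name, src in scan_source(sample, lang):
            print(f"{lang}:{line_no}: [{category}] {name}: {src}")
```

Point scan_tree() at a checkout to get the same report per file. The strncpy() line in the C snippet is deliberately not reported, which is the str*/strn* distinction from section 1; whether the reported strcpy(), mysql_query(), system(), os.system() and eval() calls are actually reachable with tainted data is the part of the review the tool cannot do.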

 

References:

1. Michael Cross, "Developer's Guide to Web Application Security", ISBN-10 1-59749-061-X.

2. OWASP Top 10, 2007, http://www.owasp.org

 

Saturday, November 22, 2008

Make your own Windows XP SP3 plus IE7 and WMP11 installation CD


Recently I needed to reinstall Windows XP. I knew it would take some time to install the service packs, IE7, Windows Media Player, etc. Is it possible to make a CD that includes these things, so I won't be bothered with installing them after finishing the Windows XP installation?

Preparation:

a. My original Win XP CD and product key;

b. Nlite 1.4.9.1 (http://www.nliteos.com/)

c. Windows Media Player 11 Slipstreamer (http://www.boooggy.org/slipstreamer/)

d. IE7 installer and service packs:

  • IE7-WindowsXP-KB938127-v2-x86-ENU.exe
  • IE7-WindowsXP-KB956390-x86-ENU.exe

e. Windows Media Player 11 installer and service packs:

  • WindowsMedia11-KB929399-v2-x86-INTL.exe
  • WindowsMedia11-KB936782-x86-ENU.exe
  • WindowsMedia11-KB939683-x86-ENU.exe
  • WindowsMedia11-KB954154-x86-ENU.exe

f. Windows XP sp3 and the latest service pack(before Nov 21st, 2008):

  • WindowsXP-KB936929-SP3-x86-ENU.exe
  • WindowsXP-KB938464-x86-ENU.exe
  • WindowsXP-KB941569-x86-ENU.EXE
  • WindowsXP-KB944043-v3-x86-ENU.exe
  • WindowsXP-KB946648-x86-ENU.exe
  • WindowsXP-KB950582-x86-ENU.exe
  • WindowsXP-KB950760-x86-ENU.exe
  • WindowsXP-KB950762-x86-ENU.exe
  • WindowsXP-KB950974-x86-ENU.exe
  • WindowsXP-KB951066-x86-ENU.exe
  • WindowsXP-KB951072-v2-x86-ENU.exe
  • WindowsXP-KB951376-v2-x86-ENU.exe
  • WindowsXP-KB951698-x86-ENU.exe
  • WindowsXP-KB951748-x86-ENU.exe
  • WindowsXP-KB951830-x86-ENU.exe
  • WindowsXP-KB951978-x86-ENU.exe
  • WindowsXP-KB952287-x86-ENU.exe
  • WindowsXP-KB952954-x86-ENU.exe
  • WindowsXP-KB953155-x86-ENU.exe
  • WindowsXP-KB953839-x86-ENU.exe
  • WindowsXP-KB954459-x86-ENU.exe
  • WindowsXP-KB955069-x86-ENU.exe
  • WindowsXP-KB956391-x86-ENU.exe
  • WindowsXP-KB956803-x86-ENU.exe
  • WindowsXP-KB957095-x86-ENU.exe
  • WindowsXP-KB957097-x86-ENU.exe
  • WindowsXP-KB958644-x86-ENU.exe

Here’s what I’ve done:

1. Install Nlite and the WMP11 slipstreamer; you may need to install .NET Framework 2.0 first.

2. Copy all the files from your Win XP CD to a folder; let's assume it is c:\winxpSp3.

3. Run Nlite and, on the welcome page, select the language.

4. Locate the XP distribution folder (in this example, c:\winxpSp3); Nlite will detect the language, service pack, and version of your Win XP.

5. In the "Presets" window, use one of the previous settings (if you have any) or just click the "Next" button.

6. In the "Task Selection" window, click the "All" button, then click the "Drivers" button to deselect it, which means I don't integrate particular drivers into this CD, because I may use this CD to install my uncle's computer, which has a different video card and sound card.





7. In the "Service Pack" window, select the SP3 file "WindowsXP-KB936929-SP3-x86-ENU.exe"; Nlite will automatically extract and integrate SP3 into the XP distribution folder (c:\winxpSp3).

After the integration, the version number has changed.

8. In the "Hotfixes, Add-ons" window, insert all the hotfixes. Be careful with the sequence of the hotfixes; I failed several times because of this. You should put the IE7 installer first, then IE7's two hotfixes, smaller number first: KB938127, then KB956390 (it may cause problems if KB956390 is ahead). Use the small green buttons on the right side to adjust the sequence; then add Windows Media Player and its hotfixes, and all the XP updates listed above, checking the sequence as well. Finally, you should get something like this:



9. In the "Components" window, I simply selected "Movie Maker" and "Music Samples" for removal because I never use them. You can remove more unused components if you want to.

10. In the "Unattended" window, you can provide answers to all of the questions that XP normally asks during the installation.
In the "General" tab, enter the product key. I also turned off the firewall and Hibernate, because I have the Symantec firewall and I think Hibernate is useless.

11. In the "RunOnce" tab, you can add some commands, and they will be executed on first user logon. Think about this: if I put a Trojan horse here and release this combined CD on the Internet, and someone downloads and installs it, what happens? Haha, you're under my control.

12. In the "Users" tab, enter a password for Administrator. I also added a user for daily use; it is not good to log on as administrator all the time.

13. In the "Regional" tab, select the time zone.

14. Work through all the tabs and make adjustments if needed.

15. In the "Options" window, I only changed the "TCP/IP patch" to 100; it will certainly speed up my eMule and BT.

16. In the "Tweaks" window, I selected showing the "My Documents" icon and "My Computer" icon on the desktop; there are so many items you can select.

17. After finishing all the settings, Nlite will start the process.

18. When the process reaches the Windows Media Player installer, Nlite will automatically run the WMP11 slipstreamer to extract and integrate WMP11 into the distribution folder.

19. The next window is for making the bootable ISO; you can either create an image or burn it directly. I suggest creating an image, and then you can test it using VMware or Virtual PC. Enter a label name, click "Make ISO", and select the location of the ISO file.

20. Now you have a bootable ISO image of Windows XP SP3+IE7+WMP11! Before you burn a CD with this image, you'd better test it with VMware or Virtual PC, because exceptions are not predictable: install it in a virtual machine and see if it runs well.