
Sunday, August 22, 2010

Have you ever used /, + and – IOS commands in a router?

These commands are similar to last week’s | command, but they can be applied repeatedly to the output of a single show command. This is very handy when you have to find a particular portion of text in a lengthy output.

/ : displays the output starting from the next occurrence of the search text

+ : displays only the output lines that contain the search text

- : displays only the output lines that do not contain the search text

Examples

sh run --> /bgp : output starting from “bgp”

sh run --> +interface : output lines containing “interface”

sh run --> -line : output lines without “line”



As usual, keep in touch with ‘Asiri’s Blog’ for more cool tutorials and tips like this. Do not forget to follow this using your Google account and comment as well.

Monday, August 16, 2010

Bill Gates' Last Day at Microsoft

This time it is well known Bill Gates. May this become a tribute for the great man who spent his last full time day at Microsoft Corporation on 27 June, 2008. Now he serves as 'non-executive' chairman while Steve Ballmer acts as CEO since January 2000. [1,2]



References

[1] Bill Gates, Wikipedia, viewed 16 Aug 2010, <http://en.wikipedia.org/wiki/Bill_Gates>

[2] Steve Ballmer, Wikipedia, viewed 16 Aug 2010, <http://en.wikipedia.org/wiki/Steve_Ballmer>

As always, stay tuned with Asiri's Blog and feel free to comment on any post which you find interesting ...

Wi-Fi Myth Busters Series – Episode 2

Figure 1

Myth # 5 : Even with 802.11i (WPA2), a VPN is still needed to provide enterprise-level security to a wireless network.

IPSec and SSL VPNs are well-known solutions for protecting networks linked over WAN connections, so people may choose the same to protect their wireless networks too. WPA fixed the flaws of WEP by introducing TKIP together with 802.1X/EAP or WPA-PSK as the authentication methods. Unfortunately, TKIP is based on the same cipher as WEP (RC4). When WPA2 was released it came with CCMP (Counter Mode CBC-MAC Protocol) encryption. The cipher used in CCMP is AES, which is considered the strongest of the ciphers used by IPSec VPNs. The end result is that WPA2 provides the same strong encryption as IPSec VPNs.

Surprisingly, though, both WPA-PSK and 802.1X/EAP-LEAP authentication are vulnerable to brute force attacks. Even though vulnerable WPA2 authentication methods do exist, secure methods exist too, such as EAP-TLS, EAP-TTLS or PEAP, which keep the credentials secure inside an SSL-like tunnel. That is what satisfies the WPA2 Enterprise standard. WPA2 Enterprise secures the wireless link at Layer 2; if a Layer 3 technology such as IPSec were added on top to protect it as well, the deployment would become less scalable and manageable.

So this myth, too, can be taken as partially correct.

References

Miller, B & Hill, G 2006, ‘Eleven Myths about 802.11 Wi-Fi Networks’, Expert Reference Series of White Papers, 18 August, pp. 4-5, Global Knowledge Training LLC., viewed 15 August 2010

‘Figure 1’ [image] in 2009, ‘The second day of the School on Low Cost Wireless’, school2009, viewed 15 Aug 2010, http://wireless.ictp.it/groups/school2009/wiki/8d8fe/Group_Two's_-_Day_Two.html

The previous episode of this series was posted on 8th Aug 2010 and can be found easily in this blog. To be continued…

Sunday, August 15, 2010

Have you ever used | (Pipe) IOS command in a router?

This is a really cool way to filter the text output of show commands on Cisco routers. Please note that the expressions you type after | are case sensitive (typing serial0/1 instead of Serial0/1 will not work). A Cisco 3640 router has been used in this tutorial. Some | commands are not available on some routers, depending on the IOS version and model.

Type ‘show run | ?’ to see the available commands. Refer to figure 1.

Figure 1

The following ‘show run’ output is used to explain the commands ‘append, begin, redirect, section and tee’. Refer to figure 2.

Figure 2

Append

This command appends the output of a show command to an existing file somewhere (e.g. on an FTP server or in NVRAM). Give the command ‘sh run | append ?’ to see the supported destinations, then issue ‘sh run | append <path to existing file>’. Refer to figure 3.

Figure 3

Begin

This command displays the output starting from the first line that matches the given expression. As an example, if you want to display all lines from ‘Serial’ onwards in the show run output, issue ‘sh run | begin Serial’. Again, remember that expressions are case sensitive. Refer to figure 4.

Figure 4

Tee

This command is similar to the ‘append’ command, but it creates a new file at the given destination. Give the command ‘sh run | tee ?’ to see the supported destinations, then issue ‘sh run | tee <path to new file>’. The output is also displayed on the console at the same time. Refer to figure 5.

Figure 5

Redirect

This command is similar to the ‘tee’ command, but the output is not displayed on the console. Give the command ‘sh run | redirect ?’ to see the supported destinations, then issue ‘sh run | redirect <path to new file>’. Refer to figure 6.

Figure 6

Section

This command displays a particular section of a show command’s output. As an example, the section relevant to one interface in the show run output can be viewed with ‘sh run | section <interface name>’. Refer to figure 7.

Figure 7

The following ‘show ip route’ output is used to explain the commands ‘include and exclude’. Please note that there are 2 ‘BGP’ routes and 3 ‘Connected’ routes in figure 8.

Figure 8

Include

This command displays only the lines that include the given expression. As an example, ‘sh ip ro | include B’ filters the output down to the BGP routes. Again, remember that expressions are case sensitive. The expression can also be numeric, such as an IP address. Refer to figure 9.

Figure 9

Exclude

This command displays only the lines that do not include (i.e. it excludes) the given expression. As an example, ‘sh ip ro | exclude B’ displays all routes except the BGP routes. Again, remember that expressions are case sensitive. Refer to figure 10.

Figure 10

Hope you learned something new and valuable today. Make sure you practise these commands so that you learn where each one applies.
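The | filters in this post and the /, + and - search keys in the post above share the same begin/include/exclude semantics, so the following is an added Python model of them (example code written for this page, not from the original post or from Cisco), run over a constructed ‘show run’ and ‘show ip route’ excerpt. The ‘section’ rule used here (a matching line plus the more-indented lines below it) is an assumption about IOS behaviour and is worth checking on your own platform.

```python
import re
# Constructed 'show run' excerpt (not captured from a real router; RFC 5737 addresses).
SHOW_RUN = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
interface Serial0/1
 ip address 198.51.100.1 255.255.255.252
 encapsulation ppp
!
router bgp 65001
 neighbor 198.51.100.2 remote-as 65002
!
"""
# Constructed 'show ip route' excerpt: 3 connected (C) and 2 BGP (B) routes, as in figure 8.
SHOW_IP_ROUTE = """\
C    192.0.2.0/24 is directly connected, FastEthernet0/0
C    198.51.100.0/30 is directly connected, Serial0/1
C    203.0.113.0/24 is directly connected, Loopback0
B    10.10.0.0/16 [20/0] via 198.51.100.2, 00:12:31
B    10.20.0.0/16 [20/0] via 198.51.100.2, 00:12:31
"""

def ios_begin(text, expr):
    """'| begin expr' (or '/expr' while paging): output from the first matching line on."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.search(expr, line):          # IOS filter expressions are case-sensitive regexes
            return lines[i:]
    return []                              # no match: IOS prints nothing

def ios_include(text, expr, negate=False):
    """'| include expr' (or '+expr'); negate=True gives '| exclude expr' (or '-expr')."""
    return [l for l in text.splitlines() if bool(re.search(expr, l)) != negate]

def ios_section(text, expr):
    """'| section expr' (assumed rule): each matching line plus the more-indented lines under it."""
    out, depth = [], None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(' '))
        if depth is not None and indent > depth:
            out.append(line)               # still inside the matched block
            continue
        depth = None                       # block ended (or none was open)
        if re.search(expr, line):
            out.append(line)
            depth = indent
    return out
```

Note that ‘include B’ matches a capital B anywhere on the line, so anchoring the expression as ‘^B’ restricts it to the route-code column.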

As usual, keep in touch with ‘Asiri’s Blog’ for more cool tutorials and tips like this. Do not forget to follow this using your Google account and Twitter as well.

Sunday, August 8, 2010

"Geek Rap" of the week - 2

This time only one intern. Really funny and creative !



Stay tuned.......!!!

Wi-Fi Myth Busters Series – Episode 1

Figure 1

Myth # 1 : Wi-Fi stations are vulnerable to attacks just by leaving their Wi-Fi adapters enabled.

It is partially correct. Unknown Wi-Fi device drivers may be present that lead to such attacks. And if the end user is careless enough, it is possible as well (the common factor in any kind of attack: user unawareness).

But to communicate with another machine, Data Link (Layer 2) connectivity must be operational. So it is impossible for an attacker to gain peer-to-peer access without first establishing Layer 2 connectivity.

Myth # 2 : Isolated stations are vulnerable to “Rogue Access Points”, and already associated stations are secretly hijacked by “Rogue Access Points”.

Both cases are partially correct. Specifically, unassociated stations that are controlled by client-side Wi-Fi utilities and maintain a ‘Preferred Networks List’ are vulnerable. If the attacker sets up an AP (Access Point) with a non-encrypted SSID that is in the station’s ‘Preferred Networks List’, the station will connect to that attacker.

Asiri’s Experience : This Rogue Access Points topic was a hot topic during my master’s final group project period. If I may add something more to the above paragraph, an already associated station is vulnerable if the RAP’s (Rogue Access Point) signal strength is higher than the legitimate AP’s signal strength. And also, to attack successfully, the end station’s Wi-Fi adapter should be restarted and re-associated with its preferred network in the list, which leads it to connect with the RAP. It was tested by my team (Asiri, Roger, Sharan, Prashanth, and Prasad), and the viable solution we came up with can be seen on my ‘LinkedIn’ profile by its registered users.

Other solutions against hijacking attacks:

  • Removing all non-encrypted SSIDs from the preferred list would work, but it is not practical, because the utility saves such poor configurations automatically whenever the user connects to such a network.
  • A simple but practical solution is to disable the wireless adapter when it is not in use.
  • The user’s wireless station can be disconnected automatically when it is connected to a wired network by using applications such as “NetOaats”. It can be configured to work the other way around as well (wired --> wireless).
  • Another state-of-the-art solution is to use wireless client isolation security protocols such as Cisco’s PSPF (Public Secure Packet Forwarding). It prevents clients connected to the same AP from accessing each other directly. It is recommended to implement such protocols in free public Wi-Fi hot spots.

Figure 2

Myth # 3 : Stations get connected to ad-hoc (peer-to-peer) Wi-Fi networks that have the same SSID as an Access Point.

It is also partially correct. Beacon frames always indicate whether the network is AP based (BSS) or ad-hoc (IBSS) based. So it is impossible to connect in that way.

Asiri’s Experience : But my project team demonstrated that it is ‘possible’ to make a peer-to-peer-like association with another laptop running Ubuntu with the wireless card’s mode set to “Master mode”. So the laptop itself acted as a rogue “AP”, which appeared as a real access point (BSS) in the victim’s visible wireless networks list. So it is possible as well. Our solution was smart enough to detect such vulnerabilities as well.

Myth # 4 : Stations connect to any access point in the vicinity if their Wi-Fi adapter is left enabled.

Some legacy client utilities had that flaw, but modern utilities are smart enough to connect to SSIDs that are configured with secure parameters in the preferred networks list.

Conclusion

Users are vulnerable if the following conditions are met:

Figure 3

References

Miller, B & Hill, G 2006, ‘Eleven Myths about 802.11 Wi-Fi Networks’, Expert Reference Series of White Papers, 18 August, pp. 2-4, Global Knowledge Training LLC., viewed 8 August 2010

‘Figure 1’ [image] in 2009, ‘The second day of the School on Low Cost Wireless’, school2009, viewed 8 Aug 2010, http://wireless.ictp.it/groups/school2009/wiki/8d8fe/Group_Two's_-_Day_Two.html

‘Figure 2’ [image] in Ironic1 2008, ‘Geek Prom - WiFi Ready?’, perfectduluthday, viewed 8 Aug 2010, http://archive.perfectduluthday.com/2008/03/

To be continued… Stay tuned with Asiri’s Blog