The Certified Geek

October 28, 2009

Cisco Quickie: Locating a Cisco Access Point physically using flashing LED

Imagine you have a number of Cisco wireless access points, say 10 spread across your office as a wireless mesh. You need to replace an access point (AP) that is causing problems on the wireless infrastructure, but you have no documentation of which AP is mounted where on the ceiling, and nothing is labelled. So how do you work out which physical device it is?

Cisco IOS has a command that makes the AP's LEDs blink so it can be picked out from the pack:

ap#led flash ?
<1-3600> number of sec to flash
disable stop flashing the LEDs

ap#sh led flash
LED Flash is disabled

ap#led flash
ap#sh led flash
LED Flash is enabled

With this command you can find the right AP on the ceiling. Run led flash disable (or let the timer you gave it expire) once you have it, so the next person does not chase a blinking LED.

September 24, 2009

Iptables loop script for Samba

Sometimes a Linux administrator wants to restrict access to a Samba server to specific IP addresses because user authentication is not enabled (for whatever reason). Here is a bash script that uses iptables, with a loop, to allow only specific hosts.


#!/bin/bash
# Define the interface where Samba listens
IF_INT=eth0
# Define the list of hosts allowed to connect, separated by spaces; note the /32 (single host) suffix
HOSTS="192.168.1.100/32 192.168.1.200/32 192.168.1.201/32"

# Accept the SMB and NetBIOS ports from each allowed host
for SOURCE in $HOSTS; do
    iptables -A INPUT -i "$IF_INT" -s "$SOURCE" -p tcp --dport 445 -j ACCEPT
    iptables -A INPUT -i "$IF_INT" -s "$SOURCE" -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -i "$IF_INT" -s "$SOURCE" -p udp --dport 137 -j ACCEPT
    iptables -A INPUT -i "$IF_INT" -s "$SOURCE" -p udp --dport 138 -j ACCEPT
done

# Drop the same ports from everyone else. Without these (or a DROP policy on
# INPUT) the ACCEPT rules above restrict nothing, since unmatched traffic
# falls through to the chain policy.
iptables -A INPUT -i "$IF_INT" -p tcp --dport 445 -j DROP
iptables -A INPUT -i "$IF_INT" -p tcp --dport 139 -j DROP
iptables -A INPUT -i "$IF_INT" -p udp --dport 137 -j DROP
iptables -A INPUT -i "$IF_INT" -p udp --dport 138 -j DROP

Add this to your existing iptables script and you're good to go. Two things to check: rules are appended in order, so an earlier rule that already accepts everything on the interface makes the allow list pointless; and every run of the script appends another copy of the rules, so flush the chain (or check for the rule) before re-running it.
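The script above appends rules blindly. The following is an added example, not the original post's script, that does the same job a little more carefully: it validates every host entry before it is handed to iptables, emits the allow rules followed by the catch-all DROP rules for the four Samba ports, and appends a rule only if iptables -C reports it missing, so re-running the script does not pile up duplicates. The function names (valid_cidr, samba_rules, apply_rules) and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply an
# allow-list for Samba with validation, catch-all DROP rules and
# idempotent insertion. POSIX sh, no bashisms.
set -eu

# protocol:port pairs Samba listens on (SMB over TCP, NetBIOS name/datagram)
SAMBA_PORTS="tcp:445 tcp:139 udp:137 udp:138"

# valid_cidr A.B.C.D[/N]: four octets in 0-255 and a prefix in 0-32;
# a bare address is treated as /32 (a single host).
valid_cidr() {
  ip=${1%/*}
  pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o; do [ "$o" -le 255 ] || return 1; done
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ]
}

# samba_rules IFACE "HOST HOST ...": print one rule per line (everything
# that follows the word iptables). ACCEPTs for the listed hosts come first,
# then DROPs for the same ports from any other source. Fails on a bad entry
# rather than passing it to iptables.
samba_rules() {
  iface=$1; hosts=$2
  for src in $hosts; do
    valid_cidr "$src" || { echo "samba_rules: bad host entry '$src'" >&2; return 1; }
    for pp in $SAMBA_PORTS; do
      printf '%s\n' "-A INPUT -i $iface -s $src -p ${pp%:*} --dport ${pp#*:} -j ACCEPT"
    done
  done
  for pp in $SAMBA_PORTS; do
    printf '%s\n' "-A INPUT -i $iface -p ${pp%:*} --dport ${pp#*:} -j DROP"
  done
}

# apply_rules: read rules on stdin and append each one only if
# "iptables -C" says it is not already in the chain. With DRY_RUN=1 it
# prints the commands instead of running them (no root needed).
apply_rules() {
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'iptables %s\n' "$rule"
      continue
    fi
    # shellcheck disable=SC2086   # word splitting of $rule is intended
    if ! iptables -C ${rule#-A } >/dev/null 2>&1; then
      iptables $rule
    fi
  done
}

# Usage (run as root to actually change the firewall):
#   samba_rules eth0 "192.168.1.100/32 192.168.1.200/32" | apply_rules
```

Because samba_rules only prints, you can review the generated rules (or diff them against iptables -S INPUT) before apply_rules touches anything; the DRY_RUN switch gives the same view from a non-root shell.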

September 14, 2009

Sudo and Environment Variables

I have always scratched my head whenever I used sudo and the environment variables kept changing. In my case I learned there are two ways to keep the environment, or part of it, when moving into a privileged shell (sudo -s).

First method: run

#sudo -s -E

where the -E option asks sudo to preserve the caller's environment. Whether sudo honours it depends on the sudoers policy: with the default env_reset in effect, -E is only accepted when your rule carries the SETENV tag (or the setenv option is set), and sudo refuses the command otherwise.

Second method: put the variables you need, as exports, in the current (non-root) user's shell profile (for bash, ~/.bashrc).

#vi ~/.bashrc
export param1=value1
export param2=value2
#

That's all there is to it. One caveat before carrying your environment into a root shell: the whole point of sudo's env_reset is that a user-controlled environment (PATH, shell start-up files, anything your scripts read) is a classic way to influence what root executes, so preserve only what you actually need. Variables that steer the dynamic linker, such as LD_PRELOAD, are removed by the loader before the setuid sudo binary even starts, so -E cannot bring those along in any case.

October 13, 2008

Cisco Quickie: Promoting a switch into a master in switch stack

Filed under: Cisco Quickie

In a normal switch stack of Cisco Catalyst 3750s (several switches connected to each other and functioning as one virtual switch), one switch makes itself the master (the one that controls the operations of the stack). To make a particular switch win that election, give it the highest priority number in the stack.

Here we have a switch with priority 1:

Switch#show switch
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 0023.344b.de80 1 0 Ready

We need to increase its priority in order to force it to become the master when it joins the stack:

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#switch 1 ?
priority Set the priority of the specified switch
provision Configure Switch provision / offline config
renumber Renumber the specified switch number

Switch(config)#switch 1 priority ?
<1-15> Switch Priority

Switch(config)#switch 1 priority 15
Changing the Switch Priority of Switch Number 1 to 15
Do you want to continue?[confirm]
New Priority has been set successfully

From here we can check the switch status and see the priority now set to 15:

Switch#sh switch
Switch/Stack Mac Address : 0023.344b.de80
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 0023.344b.de80 15 0 Ready

When this switch joins a stack it will elect itself as the stack master (check the Master LED after it boots). Priority 15 is the top of the 1-15 range, so no other member can outrank it; a 3750 stack holds at most nine switches, so there is plenty of room to give each member a distinct value. The only remaining problem is if somebody sets another switch to priority 15 too; we will look at that later :)

June 24, 2008

How to brick a Cisco Wireless (AP1131AG) A.K.A Downgrading from lightweight mode to autonomous mode

It has been a while since I managed to write anything new, given the new job I am dealing with, but here is the first post for this year :)

We just bought some Cisco wireless access points (model 1131AG), but unfortunately they are already in lightweight mode. In this mode you need a Wireless LAN Controller to use them. There is Cisco documentation on how to upgrade an autonomous Cisco Aironet access point to lightweight mode, but only a small section discusses reversing the process. This post describes how I managed to brick, errm, reverse the process, which Cisco does not recommend.

1. Download the appropriate Cisco IOS image from the Cisco website (you need a valid Cisco account to do this :) )

For this I downloaded c1130-rcvk9w8-tar.124-10b.JA3

2. Install a TFTP server (I recommend the free SolarWinds TFTP server)

3. Rename the image to c1130-k9w7-tar.default and place it in the TFTP server's root directory

4. Set the IP address of the TFTP server to any address between 10.0.0.2 and 10.0.0.30 (I used 10.0.0.2 on the laptop running the TFTP service)

5. Connect the access point to the same switch as the TFTP server. Note: make sure no DHCP service is running on this network segment, or the AP may not pick up the expected 10.0.0.x address.

6. Hold down the mode button of the access point while plugging in the power (about 20-25 seconds). Wait for one of the LEDs to turn red (one of them turns amber first), then release the mode button.

If everything goes well, the process takes around 10 to 15 minutes.

Here are the screenshots from the access point's console, the sniffer on my laptop and the TFTP server activity.

The final outcome: the access point now runs in autonomous mode with a full IOS image, so it can function on its own.

Enjoy!

November 2, 2007

Hackvertor

While updating my knowledge of security tools I stumbled upon "Hackvertor". It sounds like a convertor, in more hacker-ish terms.

To appreciate it, try doing the challenge from the Spanner manually first. Then watch the video to see how it is done with Hackvertor. Enjoy!


October 31, 2007

Free Cisco Webcasts

Interested in watching FREE webcasts from Cisco? Check out their featured webcasts. I know some of you might be put off because these are vendor-centric webcasts, but we can't deny Cisco has been, and will be, around setting the trends in networking and security... well, for the latter I might think twice :D

October 30, 2007

Remote Desktop support without the hassle

Ever wondered how to provide remote desktop support to one of your non-techie friends who has a problem with their computer? If they are directly connected to the Internet, meaning they have a public IP address, this should be a cinch: we have Windows Remote Desktop and a plethora of VNC programs for it.

But what if they are on an internal network that uses private addresses and NATs them before reaching the Internet? Some ISPs out there still put users in private address space too. How do you support them when they need your help? Their network administrator and security people will not give those machines any special treatment for access from the Internet. Now we have a bit of a problem.

Not long ago, programs were developed to address this. Without disturbing the existing infrastructure, clients can be remotely accessed and controlled by users outside the network. One program I have recently used and liked is TeamViewer.

One good thing about this program is that it is free for non-commercial use, meaning normal users like you and me can use it to provide remote desktop support for free. Downloading and installing it is straightforward. There is also a light version called TeamViewer QuickSupport which needs no installation and can simply be run to let someone connect to the user's desktop.

Once the program is installed, running it shows the main interface:


On the main interface you can see the "Your Details" section with the ID and (numeric) password. These are the credentials you pass to the person who will take remote control of this machine, for example over IM or a voice call. The TeamViewer mode below it sets what kind of access the remote user gets. The "Partner Details" section is where you enter the ID of the remote client when this host is the one making the connection. Nifty, ain't it :D

The reason this works from inside an internal network is a small program called DynGate that runs in the background and handles the connectivity for the remote desktop session. It only needs outbound access on port 80 to an external IP address, which almost every host that is allowed to browse the Internet already has. Using tcpview we can see how the program connects to the Internet:


They state in their terms that once the connection between the hosts is established the session runs over an encrypted channel and TeamViewer's own systems cannot decipher the traffic. Some people will raise security and privacy concerns about this, and note that the same outbound-port-80 trick that gets it past your friend's firewall is exactly what makes it invisible to the administrators there. Since it is free and I only use it on certain occasions it is not an issue for me; I just terminate the program once I'm done.

Windows Shell Environment

While playing around with my Windows XP machine, I went looking for alternatives to the crude CMD.EXE command prompt. I tried several, hoping for the same flexibility I get from a *nix shell on my *nix platform. In the end I narrowed my choice to two Windows shell environments: Cygwin and Windows PowerShell.

Next time I will post a detailed comparison of the two. Here are some screenshots from my machine:

Cygwin

PowerShell

July 16, 2006

One good quote

Filed under: Life Does Matter

"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Quote attributed to Albert Einstein