Thursday, June 2, 2011

Shorty: aggregate CIDR blocks with a perl script

I feel compelled to point out a perl script I found while researching a recent event.

The issue: I wanted to find all subnets for a particular region, then express them in the fewest CIDR blocks.

After finding the subnets, I needed to reduce them to the fewest CIDR blocks possible. While this can be done mentally, I was dealing with a list of hundreds of subnets, few of which were contiguous (and this happens often).

Cue the perl script. Call it against a text file containing the subnets:
'perl CIDR.pl subnets.txt'

Contents of the infile, subnets.txt:
192.168.2.0/23
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24
192.168.6.0/23
192.168.7.0/24
192.168.8.0/25
192.168.8.128/25
192.168.10.0/24
192.168.11.0/24
172.16.4.0/24
172.16.5.0/24
127.16.6.0/23

Output, outfile.txt:
127.16.6.0/23
172.16.4.0/23
192.168.2.0/23
192.168.4.0/22
192.168.8.0/24
192.168.10.0/23

There are multiple instances where this can be useful: route summarization, fewer and tidier ACL entries, etc. One caveat: the script only merges blocks that really are adjacent or nested, so a typo in the input passes straight through. Look at 127.16.6.0/23 above (presumably meant to be 172.16.6.0/23): as typed it lands in 127.0.0.0/8 and stays on its own, whereas 172.16.6.0/23 would have folded the three 172.16 entries into 172.16.4.0/22. Sanity-check the input list before you trust the summary, especially if it ends up in an ACL. The script can be found here: http://www.uq.edu.au/~suter/software/aggregate-cidr-addresses/
  
As always, YMMV and check the hashes. The script has definitely helped me. Thank you Mark Suter.
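For anyone who would rather not depend on a perl script fetched from a university page, here is the same aggregation in Python, added as an example and not the script linked above. It implements the merge itself (drop blocks contained in a larger one, then fold sibling pairs into their parent until nothing changes), then cross-checks its answer against the standard library's ipaddress.collapse_addresses() and confirms every input block is still covered, which is the "YMMV" check done for you. The embedded list is a copy of the subnets.txt above; run it with a filename to use your own.

```python
import ipaddress
import sys

# Constructed copy of the subnets.txt listing shown above, including the
# 127.16.6.0/23 line exactly as it appears there.
SAMPLE_INPUT = """\
192.168.2.0/23
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24
192.168.6.0/23
192.168.7.0/24
192.168.8.0/25
192.168.8.128/25
192.168.10.0/24
192.168.11.0/24
172.16.4.0/24
172.16.5.0/24
127.16.6.0/23
"""


def parse_networks(text):
    """Parse one CIDR block per line; blank lines and '#' comments are ignored.

    ipaddress.ip_network() is strict by default: an entry with host bits set
    (e.g. 192.168.3.5/24) raises ValueError instead of being silently widened,
    which is what you want when the list was typed by hand.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            networks.append(ipaddress.ip_network(line))
    return networks


def aggregate(networks):
    """Return the minimal list of CIDR blocks covering exactly the same addresses.

    Two passes: drop blocks contained in a larger one, then repeatedly merge
    sibling pairs (same prefix length, same parent, lower half first) into
    their parent until nothing changes. Input must be a single IP version.
    """
    if len({n.version for n in networks}) > 1:
        raise ValueError("mix of IPv4 and IPv6 networks; aggregate them separately")
    ordered = sorted(set(networks),
                     key=lambda n: (int(n.network_address), n.prefixlen))
    # Pass 1: after sorting, any block inside an earlier block is inside the
    # last block we kept (CIDR blocks are either nested or disjoint).
    kept = []
    for net in ordered:
        if kept and net.subnet_of(kept[-1]):
            continue
        kept.append(net)
    # Pass 2: merge adjacent siblings; each merge yields exactly their union,
    # so the list stays sorted and no new containment can appear.
    merged = True
    while merged:
        merged = False
        out = []
        i = 0
        while i < len(kept):
            a = kept[i]
            if i + 1 < len(kept) and a.prefixlen > 0:
                b = kept[i + 1]
                parent = a.supernet()
                if (b.prefixlen == a.prefixlen
                        and a.network_address == parent.network_address
                        and b.subnet_of(parent)):
                    out.append(parent)
                    i += 2
                    merged = True
                    continue
            out.append(a)
            i += 1
        kept = out
    return kept


def covers(original, aggregated):
    """Sanity check: every input block lies inside some output block."""
    return all(any(o.subnet_of(a) for a in aggregated) for o in original)


def matches_stdlib(original, aggregated):
    """Cross-check against the standard library's own implementation."""
    return list(ipaddress.collapse_addresses(original)) == aggregated


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_INPUT
    nets = parse_networks(text)
    agg = aggregate(nets)
    if not (covers(nets, agg) and matches_stdlib(nets, agg)):
        sys.exit("aggregation check failed; do not trust this output")
    print("\n".join(str(n) for n in agg))


if __name__ == "__main__":
    main(sys.argv)
```

With the sample list it prints the six blocks shown in outfile.txt above; change the 127.16.6.0/23 line to 172.16.6.0/23 and the 172.16 entries collapse into 172.16.4.0/22, which is how a typo in the input shows up as one block too many in the output.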

CLI: simple 'for loops'

If you're like me (most people aren't), you occasionally receive notices or bulletins with details of "interesting data" that you're advised to look further into (we'll leave it at that).

Quite often the "interesting data" contains domains, IP addresses, and...other stuff. To get as much info as possible, I'll dive further into the data: internet and log searches for related strings, whois information, geolocation, domain reputations, etc.

A simple technique that I use from the command line to find some of this data is the basic 'for loop'. I'll show you an example on two different OSes and let you work from there.

Linux (choose your flavor):
'for variable in 1 2 3 4; do command $variable; done'
Pretty boring, huh? This simple line cuts down the time spent gathering details, though.

An example that I use quite regularly:
'for A in badguy1.com badguy2.com; do dig $A; done'
In the previous line, we declare a loop variable 'A' that takes each domain in turn (badguy1.com, then badguy2.com), run dig against it, and leave the loop when the list is exhausted. The output is a plain dig of each domain.

"Bah! How boring" you say. Well, the sky's the limit on modding the loop and before you know it you'll have more than you can easily type into a terminal (a script is born).

Example 2:
'for A in badguy1.com badguy2.com; do geoiplookup $A && dig $A && whois $A; done >> outfile.txt'
-- tell me the country involved, dig and whois info for the domains/IPs and append it all to a file. One caveat: '&&' only runs the next command if the previous one exited successfully, so for any item where geoiplookup fails you get no dig and no whois output either. If you want every lookup attempted regardless, separate them with ';' instead of '&&'.

"Bah! I have a huge list! Typing sucks!" you say. Yeah, I hear you. Put all the info in a file (one item per line in this example) and feed the file into the loop.

'while read -r A; do geoiplookup "$A" && nslookup "$A" && whois "$A"; done < ./blah.txt >> outfile.txt'

Two small habits worth keeping here: 'read -r' stops the shell from eating backslashes in the list, and quoting "$A" keeps a stray space or glob character in a line from being expanded. The list came from someone else's bulletin, so treat it as untrusted input; an entry beginning with '-' would be handed to these tools as an option, so eyeball the file before running it.
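A file-driven version of the loop above in Python, added here as an example and not part of the original post. It runs the tools without a shell (so there is no quoting to get wrong), drops and reports entries that do not look like a hostname or address, gives each tool a timeout so a hung whois does not stall the run, and keeps going when one tool fails instead of skipping the rest as an '&&' chain would. The tool list, the sample indicator file and the stand-in echo tool are assumptions for illustration.

```python
import re
import subprocess
import sys

# Constructed sample of the kind of list a bulletin hands you (not from the page):
# comments, blank lines, and two entries that should never reach a lookup tool.
SAMPLE_LIST = """\
# indicators of interest (constructed sample)
badguy1.com   # C2 domain
badguy2.com

-h
$(evil)
203.0.113.10
"""

# Hostnames and IPv4/IPv6 literals only; anything else is rejected, including
# a leading '-', which a tool would otherwise parse as an option.
INDICATOR_RE = re.compile(r"^[A-Za-z0-9:][A-Za-z0-9._:-]*$")

# Real tools for the hunt (assumed to be installed) and a stand-in that just
# echoes its argument, so the script can be exercised offline.
DEFAULT_TOOLS = [["geoiplookup"], ["dig", "+short"], ["whois"]]
ECHO_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[-1])"]


def read_indicators(text):
    """Split the list into (accepted, rejected); '#' comments and blank lines are dropped."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        item = raw.split("#", 1)[0].strip()
        if not item:
            continue
        (accepted if INDICATOR_RE.match(item) else rejected).append(item)
    return accepted, rejected


def run_tool(argv_prefix, indicator, timeout=30):
    """Run one tool on one indicator; returns (exit code or None, combined output).

    The tool is exec'd directly with an argument list, never through a shell,
    and its stdin is /dev/null so it cannot swallow anything. A missing tool or
    a hang is reported as text so the loop carries on with the next item.
    """
    try:
        proc = subprocess.run([*argv_prefix, indicator], capture_output=True,
                              text=True, timeout=timeout, stdin=subprocess.DEVNULL)
        return proc.returncode, proc.stdout + proc.stderr
    except FileNotFoundError:
        return None, f"{argv_prefix[0]}: not installed\n"
    except subprocess.TimeoutExpired:
        return None, f"{argv_prefix[0]}: no answer after {timeout}s\n"


def enrich(indicators, tools, timeout=30):
    """Run every tool against every indicator; one failure never skips the others."""
    return {ioc: {tool[0]: run_tool(tool, ioc, timeout) for tool in tools}
            for ioc in indicators}


def main(argv):
    # usage: python enrich.py indicators.txt >> outfile.txt   (no argument: offline demo)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LIST
    tools = DEFAULT_TOOLS if len(argv) > 1 else [ECHO_TOOL]
    accepted, rejected = read_indicators(text)
    for item in rejected:
        print(f"skipping suspicious entry: {item!r}", file=sys.stderr)
    for ioc, results in enrich(accepted, tools).items():
        print(f"===== {ioc} =====")
        for name, (rc, output) in results.items():
            print(f"--- {name} (rc={rc})\n{output}", end="")


if __name__ == "__main__":
    main(sys.argv)
```

Rejected entries go to stderr rather than into the report, so the outfile stays clean and the junk lines are still visible on the terminal.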

Windows (cmd.exe):
'for %A in (1 2 3 4) do command %A'
To feed it a file, use '/F': 'for /F %A in (blah.txt) do command %A'. Inside a batch file the variable is written '%%A'. I'd go into details here, but it's more of the same.

"Bah! I hate cucumbers!" you say.

You get the idea. Now, go forth and conquer.

Tuesday, March 1, 2011

Shorty: latest curiosities

The latest curiosities.


- persistent data connections in logs; connections "that don't belong".
- data trending and anomalies.
- reverse shells and how to find them.
- malware analysis.

Where'd this come from? Oh, *sigh*, I don't know. I happened upon my sad, forgotten blog and figured that I would add something current (at least to me).

Thursday, July 8, 2010

Notes - Cabling Specifications

RDP, who's connected?

It happens to the best of us. Drudging along with our usual admin duties, RDPing to various servers and ultimately leaving a Terminal Services (TS) session disconnected. That leaves one fewer TS session available and can lock other admins out of that particular server. While this result can be desirable, it can also annoy. The timeout for TS sessions can be managed with Group Policy, but how do we get immediate satisfaction? By using two little-known commands in Windows.

We will use the 'qwinsta' and 'rwinsta' commands (think Query WINdows STAtion and Reset WINdows STAtion).


I tried connecting to one of our servers and was presented with the "Maximum Terminal server connections exceeded" message. I could connect via the console session using 'mstsc /console' or 'mstsc /admin' (depending on the version of the Remote Desktop Client), but I can also check for disconnected sessions hanging around preventing me from logging in and reset them.


First we'll use 'qwinsta' to query the target machine for sessions. Note: these commands should be run from an account that has at minimum local administrator rights on the target machine.


C:\>qwinsta /?
Display information about Terminal Sessions.

QUERY SESSION [sessionname | username | sessionid]
              [/SERVER:servername] [/MODE] [/FLOW] [/CONNECT] [/COUNTER]

  sessionname         Identifies the session named sessionname.
  username            Identifies the session with user username.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server to be queried (default is current).
  /MODE               Display current line settings.
  /FLOW               Display current flow control settings.
  /CONNECT            Display current connect settings.
  /COUNTER            Display current Terminal Services counters information.

C:\>qwinsta /SERVER:SantaPoco        (SantaPoco is my target)
SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
                                            0  Disc    rdpwd
rdp-tcp                                 65536  Listen  rdpwd
console                                     2  Conn    wdcon
                  ElGuapo                   4  Disc    rdpwd
rdp-tcp#46        DustyB                   1  Active  rdpwd
 
Here we see that 'ElGuapo' is disconnected but is still consuming a terminal server session. Let's boot him (FYI: it's always good to check with someone to see if they have some process/application running in their profile before kicking them off, since a reset ends the session and everything running in it; however, knowing the temperament of El Guapo and his disregard for villagers, we'll simply kick him off...he's so smug).


C:\>rwinsta /?
Reset the session subsystem hardware and software to known initial values.

RESET SESSION {sessionname | sessionid} [/SERVER:servername] [/V]

  sessionname         Identifies the session with name sessionname.
  sessionid           Identifies the session with ID sessionid.
  /SERVER:servername  The server containing the session (default is current).
  /V                  Display additional information.

Session 4 was being used by 'ElGuapo' as shown above, so that is the one we reset. (We could also use 'C:\>RESET SESSION 4 /SERVER:SantaPoco /V'.)

C:\>rwinsta /server:SantaPoco 4 /V
Resetting session ID 4
Session ID 4 has been reset

C:\>qwinsta /SERVER:SantaPoco
SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
                                            0  Disc    rdpwd
rdp-tcp                                 65536  Listen  rdpwd
console                                     2  Conn    wdcon
rdp-tcp#46        DustyB                   1  Active  rdpwd
You should now be able to RDP to the target, assist DustyB and rescue Carmen.
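The same hunt as a script, added here as an example and not part of the original post: it runs qwinsta against the target, parses the fixed-width output (the empty SESSIONNAME column of a disconnected session is what trips up naive whitespace splitting), picks out disconnected sessions that actually belong to a user, and prints the rwinsta command for each, only running it when asked. The embedded listing is a copy of the SantaPoco output above, used as offline sample input; the script assumes qwinsta/rwinsta are on PATH and that you hold administrator rights on the target, as the post says.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed copy of the qwinsta /SERVER:SantaPoco listing shown above, used as
# offline sample input for parse_qwinsta().
SAMPLE_QWINSTA = """\
SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
                                            0  Disc    rdpwd
rdp-tcp                                 65536  Listen  rdpwd
console                                     2  Conn    wdcon
                  ElGuapo                   4  Disc    rdpwd
rdp-tcp#46        DustyB                   1  Active   rdpwd
"""

# Session states qwinsta reports; a line whose state is not one of these is not a session row.
STATES = {"Active", "Disc", "Conn", "ConnQ", "Listen", "Shadow", "Down", "Init"}

# Everything before the numeric ID is the (optional) session name and the
# (optional) user name; where one ends and the other begins comes from the
# header's USERNAME column offset, not from counting whitespace-separated fields.
ROW_RE = re.compile(r"^(?P<prefix>.*?)\s+(?P<id>\d+)\s+(?P<state>[A-Za-z]+)\b\s*(?P<rest>.*)$")


@dataclass
class Session:
    session_name: str
    user_name: str
    session_id: int
    state: str
    session_type: str


def parse_qwinsta(text):
    """Turn qwinsta's fixed-width table into Session records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    user_col = lines[0].index("USERNAME")
    sessions = []
    for line in lines[1:]:
        m = ROW_RE.match(line)
        if not m or m.group("state") not in STATES:
            continue
        prefix = m.group("prefix").ljust(user_col)
        rest = m.group("rest").split()
        sessions.append(Session(
            session_name=prefix[:user_col].strip(),
            user_name=prefix[user_col:].strip(),
            session_id=int(m.group("id")),
            state=m.group("state"),
            session_type=rest[0] if rest else "",
        ))
    return sessions


def stale_sessions(sessions):
    """Disconnected sessions that belong to a real user.

    Session 0 shows as 'Disc' with no user on older servers (it is the services
    session) and the rdp-tcp listener is never a target, so both are left alone.
    """
    return [s for s in sessions if s.state == "Disc" and s.user_name]


def reset_command(server, session_id):
    # Argument order as in 'rwinsta /?': the session id, then /SERVER and /V.
    return ["rwinsta", str(session_id), f"/server:{server}", "/V"]


def query_server(server):
    out = subprocess.run(["qwinsta", f"/server:{server}"],
                         capture_output=True, text=True, check=True).stdout
    return parse_qwinsta(out)


def main(argv):
    if len(argv) < 2:
        sys.exit("usage: stale_rdp.py SERVER [--reset]")
    server, do_reset = argv[1], "--reset" in argv[2:]
    for s in stale_sessions(query_server(server)):
        cmd = reset_command(server, s.session_id)
        print(f"{s.user_name} is disconnected in session {s.session_id}: {' '.join(cmd)}")
        if do_reset:  # check with the owner first; this ends their processes
            subprocess.run(cmd, check=False)


if __name__ == "__main__":
    main(sys.argv)
```

Run 'python stale_rdp.py SantaPoco' to list the candidates; add --reset only after you have checked with the session's owner, since a reset ends everything running in that session, exactly as the manual rwinsta above does.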
 
The idea for this post was gleaned from: http://weblogs.asp.net/owscott/archive/2003/12/30/Managing-Terminal-Services-Sessions-Remotely.aspx. We thank you greatly and so does our village.

Wednesday, July 7, 2010

Notes - CCNP SWITCH/BCMSN

Occasionally, notes will be posted on various topics, much to the chagrin of this site's blogger. While a good deal of the content seems obscure, it is useful for some.
  • What is multilayer switching (MLS)? - Switching at layers 2 through 4. It is hardware based and at wire speed.
  • What is a collision domain, and where does it exist in a switched LAN? - A collision domain exists on shared media (think hub). In today's networks, where switches rule, each switchport is its own collision domain.
  • What is a broadcast domain and where is it located in a LAN? - First of all, we should consider what a broadcast is. A broadcast is traffic addressed to every host on the segment. Think of it as a message sent over a PA system; everyone within earshot gets it. So, again, what is a broadcast domain? The part of the network through which broadcast frames propagate. The domain ends at the Layer 3 boundary, and it is common to all switchports in a VLAN.
  • What is a VLAN, and why is it used? - Think “virtual LAN”. It is a group of switchports that communicate as if they were on the same shared media segment. As mentioned earlier, it is a broadcast domain. VLANs allow for network segmentation.
  • What is network segmentation? Why do I care? - Segmentation is dividing the network into smaller, more manageable broadcast domains. You should care about segmentation because bandwidth can be managed more efficiently through segmentation. As mentioned earlier, a broadcast reaches every host in its domain, but why do we want to limit the amount of broadcast traffic?
(Cue obscure example): Well, for example, think of each broadcast message as a coworker talking loudly on a cellphone (yes, you read that correctly); we'll call him Herbert. If you were trying to have a face-to-face conversation with another coworker, Mitch, more than likely Herbert's conversation won't bother you. But what happens when ten other coworkers simultaneously start talking loudly on their cellphones? You might not be able to communicate with Mitch, let alone think. Wouldn't it be nice to tell the coworkers to close the office doors or go somewhere else? Enter segmentation. With segmentation, and with VLANs containing broadcast traffic, we could place our coworkers (switchports) into separate offices (networks/VLANs). After this, your conversation with Mitch should go more smoothly.

  • How exactly are broadcasts sent? Can traffic simply be sent to the broadcast address in an IPv4 network? How does the switch handle the traffic? - An IPv4 broadcast (the subnet's all-ones host address, e.g. 192.168.1.255 on a /24, or 255.255.255.255) is carried in a frame whose destination MAC is ff:ff:ff:ff:ff:ff. The switch learns its CAM table from source addresses, and nothing ever sends from the broadcast address, so that address is never in the table. A destination the switch cannot look up is flooded out every port in the VLAN except the port it arrived on (think split horizon). Looking in the CAM table would never find it, hence the flooding.
  • How can you provide redundancy at the switch and core block layers? - Redundancy at the switchblock level consists of having dual distribution switches and access switches being cabled to each distro switch. At the core layer, a dual-core design should be used if possible with dual uplinks from each distro switch to different core switches.
  • So, you would like to build a campus network. What are the pieces involved in the design? - To start on a basic level, the switch block and its sizing should be considered. Always factor in redundancy (dual distribution switches in each switch block). These blocks are then connected into the core block. Other building blocks can include: server farm, network management, and enterprise edge. The service provider edge block lives outside of your network (unless you work for an ISP), but this block interfaces with your enterprise edge block.
  • What are the two types of core? Collapsed and dual-core.
  • When sizing a switch block, what considerations should be taken? - Traffic patterns, capacity, and size of workgroups should be considered when sizing switch blocks. Also consider the amount of inter-VLAN traffic: can the L3 device handle it? Incorrect sizing of the switch block can lead to traffic bottlenecks and high CPU/memory utilization on L3 devices. Can the distribution switches process the traffic fast enough even when access lists are applied? Are the ACLs limiting the throughput?
  • What are the signs of an oversize switchblock? Smoke and heavy grunting.
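To make the CAM-table point concrete, here is a toy learning switch in Python, added as an example and not part of these notes: it learns only from source addresses, so the broadcast MAC never enters the table, and anything it cannot look up is flooded to the other ports of the same VLAN and nowhere else. Port numbers, VLAN assignments and MAC addresses are made up for the walk-through.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy model of a layer-2 switch: one CAM table, each port in one access VLAN.

    Entries are learned from *source* addresses only. Nothing ever sends from
    ff:ff:ff:ff:ff:ff, so the broadcast address can never be in the table and
    a broadcast is always handled like an unknown destination: flooded.
    """

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port number -> access VLAN
        self.cam = {}                        # (vlan, mac) -> port

    def forward(self, in_port, src, dst):
        """Return the egress ports for a frame from src to dst that arrived on in_port."""
        vlan = self.port_vlans[in_port]
        self.cam[(vlan, src)] = in_port      # learn (or refresh) where src lives
        known = self.cam.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            # Known unicast goes out exactly one port; if that is the port it
            # came in on, both hosts share that segment and the switch drops it.
            return [] if known == in_port else [known]
        # Broadcast or unknown unicast: flood to every port in the same VLAN
        # except the ingress port. The VLAN membership is the broadcast domain.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)


def demo():
    """Walk through an ARP-style exchange on a switch with two VLANs."""
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    host_a = "00:00:5e:00:53:0a"   # port 1, VLAN 10
    host_b = "00:00:5e:00:53:0b"   # port 3, VLAN 10
    host_c = "00:00:5e:00:53:0c"   # port 4, VLAN 20
    arp_request = sw.forward(1, host_a, BROADCAST)   # floods VLAN 10 only: [2, 3]
    arp_reply = sw.forward(3, host_b, host_a)        # A was learned from the request: [1]
    data = sw.forward(1, host_a, host_b)             # B was learned from the reply: [3]
    other_vlan = sw.forward(4, host_c, BROADCAST)    # VLAN 20 never sees VLAN 10: [5]
    return arp_request, arp_reply, data, other_vlan, (10, BROADCAST) in sw.cam
```

The last value returned by demo() is always False: however many broadcasts cross the switch, the broadcast address is never learned, which is the reason the flood happens every time rather than only the first time.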
Well, it came to this. I was tired of constantly writing my notes to internal wiki servers and filling notebooks (well, maybe not filling). So, enter this blog. It will be, for the most part, related to technology that I work on/with: routing, switching, security, operating systems, Active Directory and whatever else comes to mind.