Archive for the ‘Network’ Category

Network Notepad

December 3, 2008

Network Notepad

November 26, 2008

CIDR

November 26, 2008

Tech Info – IP Subnets and Stuff

CIDR

Classless Inter-Domain Routing (CIDR) essentially removes the idea of Class from IP addresses and allows administrators to allocate and route any valid subnet from any convenient base IP irrespective of its Class. The idea is that if you want a group of 128 IP addresses, whether you take them from a Class C address or from a Class B address is NOT important: you simply want 128 IP addresses. The table below shows two 32-address subnets, one from a nominal Class B range and the other from a nominal Class C range – spot the difference!

Class   Network          Netmask
B       172.28.227.192   255.255.255.224
C       192.168.15.64    255.255.255.224

In short the key factors in a CIDR world become the Network (base) IP address and the Netmask.
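As an added illustration of that point (example code, not part of the original post): the two subnets from the table run through Python's standard-library ipaddress module, which only ever looks at base address and netmask. The legacy_class helper reports what the first octet would have implied before CIDR; carve, is_valid_base and the 172.28.227.0/24 base range used at the end are constructed for this example.

```python
# Added example (not part of the original post): CIDR arithmetic with Python's
# standard-library ipaddress module. The two subnets are the ones in the table
# above; the /24 carved up at the end is a constructed sample range.
import ipaddress
import math


def legacy_class(addr: str) -> str:
    """Return the pre-CIDR class letter implied by the first octet."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def describe(network: str, netmask: str) -> dict:
    """Describe a subnet given as base address plus dotted-decimal netmask.

    strict=True makes ipaddress reject a base address with host bits set,
    which is exactly the 'valid subnet from a valid base' rule CIDR imposes.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    return {
        "cidr": str(net),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "legacy_class": legacy_class(network),  # irrelevant to routing
        "addresses": net.num_addresses,
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def is_valid_base(network: str, netmask: str) -> bool:
    """True if `network` is a legal base address for `netmask` (no host bits set)."""
    try:
        ipaddress.ip_network(f"{network}/{netmask}", strict=True)
        return True
    except ValueError:
        return False


def carve(base_cidr: str, block_size: int) -> list:
    """Split a range into blocks of `block_size` addresses regardless of class.

    128 addresses is a /25; in general the prefix length is 32 - log2(size).
    """
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    new_prefix = 32 - int(math.log2(block_size))
    base = ipaddress.ip_network(base_cidr, strict=True)
    if new_prefix < base.prefixlen:
        raise ValueError("block is larger than the base range")
    return [str(n) for n in base.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for net, mask in (("172.28.227.192", "255.255.255.224"),
                      ("192.168.15.64", "255.255.255.224")):
        print(describe(net, mask))
    print(carve("172.28.227.0/24", 128))
```

Both table rows come back as a /27 with 32 addresses; the only field that differs is the legacy class letter, which nothing in the routing decision uses.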

Block a country

November 18, 2008

List of the IP addresses used in Iran:

http://blockacountry.com/htaccess.php

Changing the physical (MAC) address of a network card

November 17, 2008

Using this software:

http://tmac.technitium.com/tmac/index.html

How Does It Work ?

This software just writes a value into the Windows registry. When the network adapter device is enabled, Windows searches for the registry value ‘NetworkAddress’ in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\[ID of NIC, e.g. 0001]. If the value is present, Windows uses it as the MAC address; if not, Windows uses the hard-coded MAC address provided by the manufacturer. Simple? Some network adapter drivers have this facility built in; it can be found on the Advanced settings tab of the network adapter’s device properties in Windows Device Manager.

Network tools

November 17, 2008

http://www.rawlogic.com/netbrute/

http://www.radmin.com/products/utilities/

http://www.networknotepad.com/download.html

http://www.purenetworks.com/download/

NetBIOS 1

November 3, 2008

Entering the World of Hacking – Part One

Author: محمد رضا حیدر پور فرد (Mohammad Reza Heidarpour Fard)

NetBIOS stands for Network Basic Input/Output System. NetBIOS is a facility that lets us share resources; we can use this protocol to share files or a printer. The important point is that NetBIOS only has meaning on the Windows operating system (although tools such as Samba on Linux can emulate it, our topic is the NetBIOS protocol itself). When NetBIOS is enabled in Windows, three ports are opened for use right away. The main and most important one is TCP port 139, which NetBIOS is also known by. The other two are UDP ports: port 137 for the name service and port 139 for the datagram service. When a Windows system is going to be hacked (especially if it is a client), one of the first things that comes to mind is using NetBIOS.

Now let's see what sharing means in the case of files and printers.

Sharing files means placing a number of files on a particular computer so that other computers can access and use them. Sharing a printer means configuring the printer attached to one computer so that other computers can use it too. Since NetBIOS is enabled by default on Windows operating systems, it is possible to access a number of files and folders on a number of computers on the network and to read the files, even copy or delete them.

◊ How do we talk to port 139?
1- The first thing we do is port-scan for port 139 to find the IPs on which port 139 is open. I do this with nmap. Suppose I test the IP 217.218.84.29 and get the following result:

Interesting ports on HOME-TU6U0AV86Y (217.218.84.29):

Port State Service

139/tcp open netbios-ssn

Remote operating system guess: Windows Millenn… (Me), Win 2000, or WinXP

This output says port 139 is open, so this IP can be used.

2- Now I want to communicate with this port. Normally I would use telnet or nc, as before, but for port 139 the way of connecting is different. I open a command prompt and type:

nbtstat -A 217.218.84.29

The nbtstat command is a special tool for working with NetBIOS. Note that I used the -A parameter followed by the IP in question. (nbtstat has many parameters; to see them all, type nbtstat and press Enter.)
Now, what does this command do and what does its output look like?
It connects to the IP in question and asks it to list the resources it has shared. Two things can happen:
a) I get a Host not found message. This means it cannot get the resource list from that computer (i.e. NetBIOS is disabled): although port 139 is open, it cannot be used.
b) The connection is made and the list of shared resources is shown:

NetBIOS Remote Machine Name Table

Name Type Status

———————————————

HOME-TU6U0AV86Y UNIQUE Registered

MSHOME GROUP Registered

HOME-TU6U0AV86Y UNIQUE Registered

MSHOME GROUP Registered

MAC Address = 00-53-45-00-00-00

3- The useful thing in these results is the row that has it. If it isn't there, you cannot use file sharing (in plain words: forget this computer!). In this example we had that row, so we continue. Now I type:

net view \\217.218.84.29

Now, guess what happens? Right! Two things can happen:
a) You get the message

System error 5 has occurred.

Access is denied.

This means you cannot continue; in other words, stop! But there is one thing you can do: establish a null session with that computer. This works on the Windows NT family. You type:

net use \\217.218.84.29\IPC$ "" /user:""

Why is it called a null session? Because I have established a connection with that IP without a username and without a password. Now, if this command succeeds, I can repeat the net view \\217.218.84.29 command.
b) The command may succeed and reply with something like:

Shared resources at \\217.218.84.29

Share name Type Used as Comment

————————————————

Printer Print Acrobat PDFWriter

Printer2 Print Acrobat Distiller

SharedDocs Disk

The command completed successfully.

Great. Notice that on this computer a Disk share named SharedDocs is exposed (the other two are printers). Now that I have this name, I type the last command.

4- Now it is time to actually use the share. For this you need to pick a drive letter. You surely know what a drive is: when you double-click My Computer, you see a set of icons, each with a name, for example A: for the floppy, and so on until you reach the CD-ROM, which has the last letter. Suppose it is K:. Now you must choose a drive letter for the share; use the next letter of the alphabet. Since K: was the last one on my computer, I pick the next letter, L:, and type the following command:

net use L: \\217.218.84.29\SharedDocs

Note the drive letter, the IP and the share name, SharedDocs. Since I am connecting as a null session, it may not work, but if it does I get the reply:

The command completed successfully.

Fantastic!!! Now open My Computer and see that the new drive has been added to the list of drives; you can work with it like a normal drive, copy files and so on.

5- When you are done you can remove the drive. Right-click the drive and choose Disconnect, or use the following command:

net use /delete L:

◊ How do we enable or disable NetBIOS on our own computer?

There are different ways to disable NetBIOS in Windows depending on the version. The table below was put together for exactly this:

Win 2000 | Win XP Home | Win XP Professional

Start > Programs > Administrative Tools > Local Security Settings > Local Policies > Security Options > Additional restrictions of anonymous connections > Local policy setting > “No access without explicit anonymous permissions” > Ok

Start > Programs > Administrative Tools > Local Security Settings > Local Policies >
1) Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled
2) Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

Start > Run > regedit > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > LSA > RestrictAnonymous=2

You can block the following ports with a firewall or router:

Port   Protocol   Service
135    TCP        DCE/RPC Portmapper
137    TCP/UDP    NetBIOS Name Service
138    TCP/UDP    NetBIOS Datagram Service
139    TCP        NetBIOS Session Service
445    TCP        Microsoft-DS (Windows 2000 CIFS/SMB)

1- Once you close port 139 you can no longer use NetBIOS (unless you enable the port again). So when you want to hack someone, you need to re-enable the port for a short while.

2- You can see that for Windows 2000, for example, there are three ways to do it; you only need to apply one of the methods in this table.

3- If you want to enable it again after disabling it, at the last step of each method above choose the opposite of the option given in the table; for example, where the table says Enabled, choose Disabled.
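Two of the settings described on this page live in the registry: the NetworkAddress value under the network-adapter class key from the MAC-address post above, and the LSA RestrictAnonymous value from the table in this post. Both can be audited from a regedit export without touching the live registry. The script below is an added example, not part of either post; SAMPLE_REG is a constructed export, the function names are my own, and a real .reg export is UTF-16 text that must be decoded before it is passed to parse_reg.

```python
# Added example (not part of the original posts): audit a regedit .reg export
# for a NetworkAddress override under the network-adapter class key (a MAC
# taken from the registry instead of the hardware) and for the LSA
# RestrictAnonymous value. SAMPLE_REG is constructed for this example.
import re

NET_CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E972-E325-11CE-BFC1-08002BE10318}")
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001]
"DriverDesc"="Sample Ethernet Adapter"
"NetworkAddress"="0053450000AA"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002]
"DriverDesc"="Sample Wireless Adapter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg(text: str) -> dict:
    """Parse the subset of .reg syntax used here: [key] sections holding
    "name"="string" and "name"=dword:hex values. Returns {key: {name: value}}."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        raw = m.group("val")
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            value = raw  # hex:/expand-string values are kept as written
        reg[current][m.group("name")] = value
    return reg


def format_mac(hexstr: str) -> str:
    """Normalise '0053450000AA' or '00-53-45-00-00-AA' to colon notation."""
    h = hexstr.replace("-", "").replace(":", "").upper()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def mac_overrides(reg: dict) -> list:
    """NIC instances whose key carries NetworkAddress, i.e. whose MAC Windows
    will take from the registry rather than from the hardware."""
    found = []
    for key, values in reg.items():
        if not key.upper().startswith(NET_CLASS_KEY.upper() + "\\"):
            continue
        if "NetworkAddress" in values:
            nic_id = key.rsplit("\\", 1)[1]
            found.append((nic_id, values.get("DriverDesc", "?"),
                          format_mac(values["NetworkAddress"])))
    return found


def restrict_anonymous(reg: dict):
    """The LSA RestrictAnonymous DWORD, or None if it is not set."""
    for key, values in reg.items():
        if key.upper() == LSA_KEY.upper():
            return values.get("RestrictAnonymous")
    return None


def audit(text: str) -> dict:
    reg = parse_reg(text)
    value = restrict_anonymous(reg)
    return {
        "mac_overrides": mac_overrides(reg),
        "restrict_anonymous": value,
        # 2 is the value the table above sets for Windows 2000
        "anonymous_restricted": value == 2,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

On the constructed export the first adapter is reported with a registry-supplied MAC and RestrictAnonymous comes back as 0, so the audit flags both; changing the DWORD to 2 clears the second finding.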

◊ How can these sharing facilities be used to run a trojan on the victim's computer?

The method is this: suppose I have just managed to map a drive from a computer with the open port. Now I upload the trojan file (the trojan server) to that computer and give it a name that tempts the other party into running the file. A mistake some people make is that after copying the trojan to the target computer, the hacker double-clicks the file himself; in that case the trojan runs on our own (the hacker's) computer, not the victim's. So we only send the file and wait for the other party to run it.

Firewall test

November 2, 2008

www.hackerwatch.org/probe/hitmap.asp

Chapter 10: Virtual LAN Concepts

August 2, 2008

A virtual LAN (VLAN) is a broadcast domain created by one or more switches:

  • To group users by department, or by groups that work together, instead of by physical location
  • To reduce overhead by limiting the size of each broadcast domain
  • To enforce better security by keeping sensitive devices on a separate VLAN
  • To separate specialized traffic from mainstream traffic—for example, putting IP telephones on a separate VLAN from user PCs

  • Port-based VLANs, the typical choice for configuring VLANs in a switch, can be done very easily, without needing to know the MAC address of the device. However, you need good documentation to make sure that you cable the right devices into the right switch port, thereby putting them in the right VLANs.
  • A rarely used alternative for creating VLANs is to group devices into a VLAN based on MAC address. The engineer would discover all the MAC addresses of all the devices and then would configure the MAC addresses in the various switches, associating each MAC address with a VLAN. When a device moves to a different switch port and sends a frame, the device stays in the same VLAN.

When using VLANs in networks that have multiple interconnected switches, you need to use VLAN trunking between the switches. When sending a frame to another switch, the switches need a way to identify the VLAN from which the frame was sent. With VLAN trunking, the switches tag each frame sent between switches so that the receiving switch knows which VLAN the frame belongs to.

Trunking protocols:

  • Inter-Switch Link (ISL)
  • IEEE 802.1q.

with the encapsulated original Ethernet frame being unchanged.

Because the original header is now longer, 802.1q encapsulation forces a recalculation of the original FCS field in the Ethernet trailer, because the FCS is based on the contents of the entire frame.

Both allow the use of a 12-bit-long VLAN ID field.

Both support a separate instance of spanning tree for each VLAN.

802.1q did not support multiple spanning trees:
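Added example (not from the chapter notes): building an untagged Ethernet frame, inserting an 802.1Q tag after the source MAC the way a trunk port does, and recomputing the FCS. The MAC addresses and payload are constructed; zlib.crc32 is used because the Ethernet FCS is the same CRC-32, transmitted least-significant byte first. The 12-bit VLAN ID limit from the text is enforced in tag_frame.

```python
# Added example (not part of the chapter notes): 802.1Q tag insertion with
# FCS recalculation. Addresses and payload are constructed samples.
import struct
import zlib

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything from destination MAC to the end of
    the payload (zlib.crc32 uses the same polynomial), sent least-significant
    byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    if len(payload) < 46:  # minimum Ethernet payload: pad with zeros
        payload = payload + bytes(46 - len(payload))
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC and recompute the FCS.
    The original destination, source, type and payload are left untouched."""
    if not 0 <= vlan_id <= 0xFFF:
        raise ValueError("VLAN ID is a 12-bit field (0-4095)")
    if not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("priority is 3 bits, DEI is 1 bit")
    body, old_fcs = frame[:-4], frame[-4:]
    if fcs(body) != old_fcs:
        raise ValueError("incoming frame has a bad FCS")
    tci = (priority << 13) | (dei << 12) | vlan_id
    tag = struct.pack("!HH", TPID_8021Q, tci)
    new_body = body[:12] + tag + body[12:]   # header grew by 4 bytes ...
    return new_body + fcs(new_body)          # ... so the FCS must change


def parse_frame(frame: bytes) -> dict:
    """Decode either an untagged or a single-tagged frame."""
    body, trailer = frame[:-4], frame[-4:]
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[14:16])[0]
        priority, vlan_id = tci >> 13, tci & 0xFFF
        ethertype = struct.unpack("!H", body[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "priority": priority,
            "ethertype": ethertype, "payload": body[offset:],
            "fcs_ok": fcs(body) == trailer}


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag (what an access port does on egress) and recompute the FCS."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return frame
    new_body = body[:12] + body[16:]
    return new_body + fcs(new_body)


if __name__ == "__main__":
    untagged = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("005345000001"),
                           ETHERTYPE_IPV4, b"sample payload")
    tagged = tag_frame(untagged, vlan_id=10, priority=5)
    print(len(untagged), len(tagged), parse_frame(tagged)["vlan_id"])
```

Tagging and then untagging returns the original bytes exactly, including the original FCS, which is the "encapsulated frame unchanged" property the text describes.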


 

Although the concept of a VLAN and a subnet are indeed different concepts, they have a one-to-one relationship.


You might be thinking that using three interfaces on the router in Figure 10-7 seems wasteful—and it is. Alternately, you can use a router with a Fast Ethernet port that supports trunking and use a single physical connection from the router to the switch (trunking is not supported on 10 Mbps Ethernet interfaces).


The only difference between routing using a router and using a Layer 3 switch lies in the internal processing. Outwardly, nothing is different.

The switch ASICs (Application Specific Integrated Circuits) on an L3 switch have been built

Layer 4 Switching

The term Layer 4 switches (L4 switches) refers to a type of switching in which the switch considers the information in the Layer 4 headers when forwarding the packet. In some cases, the forwarding decision is based upon information inside the Layer 4 headers. In other cases, L3 forwarding is used, but the switch does accounting based on the Layer 4 headers. Both are considered to be Layer 4 switching.

it can also simply keep track of the numbers of packets and bytes sent per TCP port number, while still performing Layer 3 forwarding.


L4 switching does not always imply a change in how packets are forwarded. A switch can perform accounting to track the volumes of traffic per TCP and UDP port number but still make the decisions based on L3 switching logic. With Cisco switches, you can enable a feature called NetFlow switching, which performs the accounting based on Layer 4 information while forwarding traffic like a Layer 3 switch.

Layer 5-7 switching typically falls into a category of features and products that Cisco calls Content Delivery Networks (CDN).


Chapter 7

July 15, 2008

IOS supplies network services to computers that use networked applications.

The cable from the console to a PC requires a special eight-wire cable, called a rollover cable, in which pin 1 connects to pin 8 on the other end of the cable, pin 2 connects to pin 7, and so on.

The login command actually tells the router to display a password prompt.

Several concurrent Telnet connections to a router are allowed. The line vty 0 4 command signifies that this configuration applies to vtys (virtual teletypes/terminals) 0 through 4. Originally, IOS allowed for only these five vtys, unless the router was also a dial access server, such as a Cisco AS5300. At IOS Version 12.2, 16 vtys are allowed by default on all models of routers. Regardless, all the configured vtys typically have the same password, which is handy because users connecting to the router through Telnet cannot choose which vty they get. User exec mode is one of two command exec modes in the IOS user interface. Enable mode (also known as privileged mode or privileged exec mode) is the other. Enable mode is so named because the enable command is used to reach this mode, as shown in Figure 7-2; privileged mode earns its name because powerful, or privileged, commands can be executed there.


The key sequences in Table 7-4 are part of what Cisco calls enhanced editing mode. IOS enables enhanced editing mode by default and has for a long time. However, you can turn off these keystrokes with the no terminal editing exec command, and turn them back on with the terminal editing command. Why would you bother? Well, occasionally you might be using a scripting language to run commands automatically on the router through a Telnet session, and enhanced editing mode sometimes can interfere with the scripts. For the exam, just remember that you can enable and disable enhanced editing mode.

The debug command actually tells the router to spend some CPU cycles to do things besides its normal functions…

When you use the debug command, IOS creates messages when different events occur and, by default, sends them to the console. These messages are called syslog messages. If you have used the console of a router for any length of time, you likely have noticed these messages—and when they are frequent, you probably became a little frustrated. You can view these same messages when you have Telnetted to a router by using the terminal monitor command.

  • Be aware that some debug options create so many messages that the IOS cannot process them all, possibly crashing the IOS. You might want to check the current router CPU utilization with the show process command before issuing any debug command. You also should know that the no debug all command disables all debugs. Before enabling an unfamiliar debug command option, issue a no debug all and then issue the debug that you want to use; then quickly retrieve the no debug all command using the up arrow or Ctrl-p key sequence. If the debug quickly degrades router performance, press Enter immediately, executing the no debug all command, to try to prevent the router from crashing.

The banner motd (motd stands for “message of the day”) command causes a text banner to display when someone accesses the router from the console, Telnet, or an auxiliary port.

RAM—Sometimes called DRAM for dynamic random-access memory, RAM is used by the router just as it is used by any other computer: for working storage. The running or active configuration file is stored here.

ROM—This type of memory (read-only memory) stores a bootable IOS image, which typically is not used for normal operation. ROM contains the code that is used to boot the router until the router knows where to get the full IOS image or as a backup bootable image, in case there are problems.

Flash memory—Either an EEPROM or a PCMCIA card, Flash memory stores fully functional IOS images and is the default location where the router gets its IOS at boot time. Flash memory also can be used to store any other files, including configuration files.

NVRAM—Nonvolatile RAM stores the initial or startup configuration file.



copy {tftp | running-config | startup-config} {tftp | running-config | startup-config}

The copy command always replaces the existing file when the file is copied into NVRAM or into a TFTP server. In other words, it acts like the destination file was erased and the new file completely replaced the old one.

When the copy command copies a configuration file into RAM, the configuration file in RAM is not replaced. Effectively, any copy into RAM works just as if you typed the commands in the “from” configuration file in the order listed in the config file. In other words, it works as if the RAM configuration file and the newly copied files were merged.
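The merge-versus-replace distinction just described, as an added simulation that is not part of the chapter notes: a copy whose destination is running-config is applied line by line on top of what is already in RAM, while a copy into startup-config or to TFTP replaces the file outright. The SINGLE_INSTANCE list (commands that can exist only once, so a later one overwrites an earlier one) and the two sample configs are constructed simplifications of how IOS applies commands.

```python
# Added example (not part of the chapter notes): simulate what the copy
# command does to a configuration so the merge-versus-replace rule is visible.
# SINGLE_INSTANCE and the sample configs are constructed simplifications.
SINGLE_INSTANCE = ("hostname", "enable secret", "banner motd")


def _key(cmd: str) -> str:
    """Commands like 'hostname X' exist only once, so a later one replaces an
    earlier one; everything else (ip route, access-list lines ...) accumulates."""
    for prefix in SINGLE_INSTANCE:
        if cmd.startswith(prefix + " "):
            return prefix
    return cmd


def parse_config(text: str) -> list:
    """Split config text into command lines, dropping blanks and '!' comments."""
    lines = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def merge(into: list, source: list) -> list:
    """copy <x> running-config: apply each source line on top of the current
    running config, exactly as if it had been typed. Nothing already in RAM
    is removed, which is why a 'copy startup-config running-config' does not
    undo commands added since the last save."""
    result = list(into)
    for cmd in source:
        k = _key(cmd)
        for i, existing in enumerate(result):
            if _key(existing) == k:
                result[i] = cmd      # same single-instance command: overwrite
                break
        else:
            result.append(cmd)       # new command: add it
    return result


def copy_config(source: list, destination: list, dest_name: str) -> list:
    """Return the destination file after 'copy <source> <dest_name>'."""
    if dest_name == "running-config":
        return merge(destination, source)
    if dest_name in ("startup-config", "tftp"):
        return list(source)          # NVRAM and TFTP copies replace the file wholesale
    raise ValueError(f"unknown destination {dest_name}")


if __name__ == "__main__":
    running = parse_config("hostname R1\nenable secret alpha\n"
                           "ip route 10.0.0.0 255.0.0.0 192.168.1.1\n")
    startup = parse_config("hostname Router\n"
                           "ip route 172.16.0.0 255.255.0.0 192.168.1.2\n")
    print(copy_config(startup, running, "running-config"))
    print(copy_config(running, startup, "startup-config"))
```

In the sample, copying startup into running changes the hostname but keeps the enable secret and the 10.0.0.0 route that only existed in RAM, and adds the 172.16.0.0 route; copying running into startup simply makes NVRAM identical to RAM.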

 

Three key commands can be used to erase the contents of NVRAM. The write erase and erase startup-config commands are older, whereas the erase nvram: command is the more recent,

The show flash command then can be used to verify the contents of Flash memory.

In some cases, Flash memory can be in read-only mode. That is the case when a router loads only part of the IOS into RAM, to conserve RAM. Other parts of the IOS file are kept in Flash memory (Flash memory access time is much slower than RAM’s). In this case, if Flash memory must be erased to make room for a new image, the IOS could not continue to run. So, if the router is running from a portion of IOS in Flash memory, the router must be booted using IOS in ROM. Then the Flash memory is in read/write mode and the erase and copy processes can be accomplished. The copy tftp flash command in later releases of the IOS actually performs the entire process for you. In earlier releases, you had to boot the router from ROM and then issue the copy tftp flash command.

When using the limited-function IOS in ROM, the router is in a mode called Rxboot mode. Routers cannot route packets while in Rxboot mode, but they can send and receive IP packets like an IP host. So, one of two things must be true for the router to be capable of sending packets to the TFTP server. First, the TFTP server could reside on the same subnet as one of the interfaces on the router. Alternately, you could configure a default route on the router, pointing to another router that is on one of the same subnets as the router in Rxboot mode.