Thursday, December 27, 2018

Default TTL (Time To Live) Values of Different OS

https://subinsb.com/default-device-ttl-values/

TTL (Time To Live) is a timer value included in packets sent over networks that tells the recipient how long to hold or use the packet before discarding and expiring the data (packet). TTL values are different for different Operating Systems. So, you can determine the OS based on the TTL value. You can get the TTL value by pinging an address. Here is the output got by pinging "subinsb.com" on my system :

PING subinsb.com (108.162.199.61) 56(84) bytes of data.
64 bytes from 108.162.199.61: icmp_seq=1 ttl=57 time=503 ms
64 bytes from 108.162.199.61: icmp_seq=2 ttl=57 time=416 ms

As you can see from the output, you got the TTL value. Since this website is hosted on a Red Hat system, it returned 57 which is close to 64 (TTL default value of Linux system). So, from this we can understand the OS of the remote system. Here are the default TTL values of different devices / Operating Systems :

Device / OS	Version	Protocol	TTL
AIX		TCP	60
AIX		UDP	30
AIX	3.2, 4.1	ICMP	255
BSDI	BSD/OS 3.1 and 4.0	ICMP	255
Compa	Tru64 v5.0	ICMP	64
Cisco		ICMP	254
DEC Pathworks	V5	TCP and UDP	30
Foundry		ICMP	64
FreeBSD	2.1R	TCP and UDP	64
FreeBSD	3.4, 4.0	ICMP	255
FreeBSD	5	ICMP	64
HP-UX	9.0x	TCP and UDP	30
HP-UX	10.01	TCP and UDP	64
HP-UX	10.2	ICMP	255
HP-UX	11	ICMP	255
HP-UX	11	TCP	64
Irix	5.3	TCP and UDP	60
Irix	6.x	TCP and UDP	60
Irix	6.5.3, 6.5.8	ICMP	255
juniper		ICMP	64
MPE/IX (HP)		ICMP	200
Linux	2.0.x kernel	ICMP	64
Linux	2.2.14 kernel	ICMP	255
Linux	2.4 kernel	ICMP	255
Linux	Red Hat 9	ICMP and TCP	64
MacOS/MacTCP	2.0.x	TCP and UDP	60
MacOS/MacTCP	X (10.5.6)	ICMP/TCP/UDP	64
NetBSD		ICMP	255
Netgear FVG318		ICMP and UDP	64
OpenBSD	2.6 & 2.7	ICMP	255
OpenVMS	07.01.2002	ICMP	255
OS/2	TCP/IP 3.0		64
OSF/1	V3.2A	TCP	60
OSF/1	V3.2A	UDP	30
Solaris	2.5.1, 2.6, 2.7, 2.8	ICMP	255
Solaris	2.8	TCP	64
Stratus	TCP_OS	ICMP	255
Stratus	TCP_OS (14.2-)	TCP and UDP	30
Stratus	TCP_OS (14.3+)	TCP and UDP	64
Stratus	STCP	ICMP/TCP/UDP	60
SunOS	4.1.3/4.1.4	TCP and UDP	60
SunOS	5.7	ICMP and TCP	255
Ultrix	V4.1/V4.2A	TCP	60
Ultrix	V4.1/V4.2A	UDP	30
Ultrix	V4.2 – 4.5	ICMP	255
VMS/Multinet		TCP and UDP	64
VMS/TCPware		TCP	60
VMS/TCPware		UDP	64
VMS/Wollongong	1.1.1.1	TCP	128
VMS/Wollongong	1.1.1.1	UDP	30
VMS/UCX		TCP and UDP	128
Windows	for Workgroups	TCP and UDP	32
Windows	95	TCP and UDP	32
Windows	98	ICMP	32
Windows	98, 98 SE	ICMP	128
Windows	98	TCP	128
Windows	NT 3.51	TCP and UDP	32
Windows	NT 4.0	TCP and UDP	128
Windows	NT 4.0 SP5-		32
Windows	NT 4.0 SP6+		128
Windows	NT 4 WRKS SP 3, SP 6a	ICMP	128
Windows	NT 4 Server SP4	ICMP	128
Windows	ME	ICMP	128
Windows	2000 pro	ICMP/TCP/UDP	128
Windows	2000 family	ICMP	128
Windows	Server 2003		128
Windows	XP	ICMP/TCP/UDP	128
Windows	Vista	ICMP/TCP/UDP	128
Windows	7	ICMP/TCP/UDP	128
Windows	Server 2008	ICMP/TCP/UDP	128
Windows	10	ICMP/TCP/UDP	128

I will update this table in the future when there’s a release of new important OS whenever I get the time. You can get the short version of default TTL values by this table :

Device / OS	TTL
*nix (Linux/Unix)	64
Windows	128
Solaris/AIX	254

You can find it yourself by pinging localhost as mentioned by Gurubaran :

ping -4 localhost

Tuesday, December 11, 2018

CCNA Security – ASA 5505

1, Reset to factory defaults:

enable
configure terminal
configure factory-default
reload save-config noconfirm

2, Minimal configuration

a, Configure hostname ‘ASA01’
configure terminal
hostname ASA01

b, Set password ‘cisco’
enable password cisco

c, Configure SSH
! create user ‘root’ with password ‘toor’
username root password toor
aaa authentication ssh console LOCAL
! generate RSA key pair
crypto key generate rsa modulus 1024
! enable 192.168.10.2 to use ssh on ASA
ssh 192.168.10.2 255.255.255.255 inside

d, Configure interfaces
Each interface has a security level, between 0 and 100. Traffic is permitted from higher to lower security level. ACL can disable traffic from higher to lower security level, and can permit from lower to higher security level.
ASA01

interface vlan 100
nameif outside
security-level 0
ip address 172.16.10.1 255.255.255.0
no shutdown
exit
interface vlan 200
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
interface vlan 300
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
no shutdown
exit
interface e0/0
switchport access vlan 100
no shutdown
exit
interface e0/1
switchport access vlan 200
no shutdown
exit
interface e0/2
switchport access vlan 300
no shutdown
exit

In case of higher than 5505, use this syntax:
interface g0/0
nameif outside
security-level 0
ip address 172.16.10.1 255.255.255.0
no shutdown
exit

e, Configure default route
! default route toward 172.16.10.2, f0/0 interface of R2 router
route outside 0.0.0.0 0.0.0.0 172.16.10.2

If the outside interface gets the IP address through DHCP, then the syntax is:
ip address dhcp setroute

In this case setroute configures the given IP address as a default route.

Hint: Configure the routers and test the connectivity with: telnet <IP_address>

3, Configure NAT

Detailed description can be found here.

a, Static Object NAT
Let us say, that R3 is a web server with IP address 10.1.1.2. NAT will make it accessible from outside as 172.16.10.3.
object network WEB_SERVER
host 10.1.1.2
nat (dmz,outside) static 172.16.10.3
In this case an ACL is also necessary as dmz has higher security level than outside.
access-list OUTSIDE_ACCESS extended permit tcp any object WEB_SERVER eq www
access-group OUTSIDE_ACCESS in interface outside
‘Public Server’ option in ASDM can do all these things in one step.

b, Static Object NAT with port translation
This is similar to the previous one, but the inside web server port number is 8080, which can be seen as 80 from outside.
object network WEB_SERVER
host 10.1.1.2
nat (dmz,outside) static 172.16.10.3 service tcp 8080 www
It is possible to translate another port to the same IP address. 10.1.1.3 is an FTP server:
object network WEB_SERVER
host 10.1.1.3
nat (dmz,outside) static 172.16.10.3 service tcp ftp ftp

c, Dynamic NAT
Translates the inside subnet into 172.16.10.10-20 range.
object network NATPOOL
range 172.16.10.10 172.16.10.20
object network INSIDE_NET
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic NATPOOL

d, Dynamic PAT
Translates the inside subnet into 172.16.10.10.
object network INSIDE_NET
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic 172.16.10.10
Translates the inside subnet into the outside interface. This is useful if the IP address of the outside interface is given through DHCP.
object network INSIDE_NET
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface

e, Identity NAT
Identity NAT maps an IP address to itself. It is useful if we want to exclude an IP from NAT, for example in case of VPN.
object network IDENTITY_NAT
host 10.1.1.10
nat (inside,outside) static 10.1.1.10

f, Monitoring NAT
show nat
show nat pool
show running-config nat
show xlate

4, Access Control Lists

ACLs can be standard, extended and global. There are no wildcard masks on ASA, just normal masks.

a, ACLs overwrite the security level restrictions.
access-list ACL1 permit tcp any object WEB_SERVER eq http
access-group ACL1 in interface outside

b, Network object groups represent more than one network objects.
object-group network DMZ_SERVERS
network-object host 10.1.1.2
network-object host 10.1.1.3
network-object host 10.1.1.4
Service object groups represent more than one service objects.
object-group network DMZ_SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
ACL with network and service object group groups servers together (easier management).
access-list ACL1 extended permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES

c, Check ACLs
show conn
show conn details

5, Modular Policy Framework

MPF can be used to configure QoS, send traffic to IPS to inspection, configure application traffic stateful inspection with dynamic port allocation, limit maximum TCP connections to a server, and generally to create more granular configuration of inspection.
Class-map identifies the traffic. Policy-map identifies the action, that should be taken for the specific traffic (class-map). Service-policy enables policy on an interface or globally.

a, Configure Class-map
class-map CLASS_MAP1
match access-list ACL_NAME
match port [tcp | udp] [eq TCP_PORT_NUM | range PORT1 PORT2]
match any
match default-inspection-traffic

b, Configure Policy-map
The ASA supports only one Policy-map per interface and one global Policy-map. Thus more than one Class-map and the required actions can be assigned to a Policy-map. Actions can be:

CSC, send the traffic through Content Security and Control module
IPS, send the traffic through Intrusion Prevention System module
set connection, enforce connection limits
inspect, apply protocol inspection
police, apply rate limit for traffic
priority, apply priority for voice traffic

Class-map for a web-server (192.168.10.10) can be created the following way:
! ACL for the traffic
access-list ACL_WEB_TRAFFIC permit tcp any host 192.168.10.10 eq 80
! Class-map which identifies the traffic
class-map CLASS_MAP_WEB_TRAFFIC
match access-list ACL_WEB_TRAFFIC

Let us say we have two Class-maps: CLASS_MAP_WEB_TRAFFIC and CLASS_MAP_SMTP_TRAFFIC.
Then this Policy-map will send the traffic trough the CSC module:
policy-map GLOBAL_POLICY_MAP
class CLASS_MAP_WEB_TRAFFIC
csc [fail-open|fail-close]
exit
class CLASS_MAP_SMTP_TRAFFIC
csc [fail-open|fail-close]
exit

! set global policy-map
service-policy GLOBAL_POLICY_MAP global
! set policy-map on an interface (outside)
service-policy POLICY_MAP interface outside

fail-open: traffic will be forwarded if the CSC module fails
fail-close: traffic will be dropped if the CSC module fails

c, Check configuration
show run class-map
show run policy-map
show run service-policy
show conn
show conn detail

Transparent mode

In transparent mode ASA works like a switch. The interfaces do not have IP address but they are placed into a bridge-group. ASA inspects the traffic, which goes through the device. By default ICMP, broadcast and multicast are not inspected. BVI (Bridge Virtual Interface) is the management IP address.

! clear all configuration
clear config all
! check firewall mode
show firewall
! switch into transparent mode
firewall transparent
! configure BVI
interface BVI 1
ip address 192.168.1.1
exit
! enable management
http server enable
http 0 0 inside
! configure vlans
interface vlan 100
nameif outside
security-level 0
no shutdown
exit
interface vlan 200
nameif inside
security-level 100
no shutdown
exit
! configure interfaces
interface e0/0
switchport access vlan 100
bridge-group 1
no shutdown
exit
interface e0/1
switchport access vlan 200
bridge-group 1
no shutdown
exit

CCNA R&S config

General configuration

config t
hostname S1
enable secret
line console 0
logging synchronous
password console
login
line vty 0 4
password telnet
login
exit
no ip domain-lookup
ip default-gateway 192.168.10.1
banner motd # Welcome #

Configure DHCP

config t
ip dhcp excluded-address 192.168.10.1
ip dhcp pool NET1
ip dhcp network 192.168.10.0 255.255.255.0
ip dhcp default-router 192.168.10.1
ip dhcp name-server 8.8.8.8

SSH setup

config t
hostname R1
ip domain-name home.com
username root password toor
crypto key generate rsa
ip ssh version 2
line vty 0 4
transport input ssh
login local

Disable CDP globally and on an interface

config t
no cdp run
int f0/0
no cdp enable

Build a host table

ip host HOST1 192.168.10.10
show hosts

Static NAT (192.168.10.10 will be visible as 123.45.67.89 from outside)

config t
int f0/0
ip nat inside
int f0/1
ip nat outside
exit
ip nat inside source static 192.168.10.10 123.45.67.89

Dynamic NAT (inside IP is transformed into another IP from a pool)

config t
int f0/0
ip nat inside
int f0/1
ip nat outside
exit
ip access-list standard NAT_INSIDE
permit 192.168.10.0 0.0.0.255
exit
ip nat pool NAT_OUTSIDE 170.168.2.3 170.168.2.254 netmask 255.255.255.0
ip nat inside source list NAT_INSIDE pool NAT_OUSIDE

config t
int f0/0
ip nat inside
int f0/1
ip nat outside
exit
ip access-list standard NAT_INSIDE
permit 192.168.10.0 0.0.0.255
exit
ip nat inside source list NAT_INSIDE interface f0/1 overload

Configure access port

config t
int f0/0
switchport mode access
switchport access vlan 10

Configure trunk port

config t
int f0/0
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,2,3
switchport trunk native vlan 1

Configure router-on-a-stick

config t
int f0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
int f0/0.10
encapsulation dot1q 10
ip address 192.168.20.1 255.255.255.0
int f0/0.20
encapsulation dot1q 20
ip address 192.168.30.1 255.255.255.0

Configure port security

config t
int f0/0
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security mac-address aaaa.bbbb.cccc

Configure PPP with pap

On Router1:
config t
hostname R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication pap
On Router2:
config t
hostname R2
int s0/0
encapsulation ppp
ppp pap sent-username R2 password cisco

Configure PPP with chap

On Router1:
config t
hostname R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication chap
On Router2:
config t
hostname R2
username R1 password cisco
int s0/0
encapsulation ppp

Configure frame-relay

config t
int s0/0
encapsulation frame-relay
int s0/0.102 point-to-point
ip address 172.16.10.1 255.255.255.252
frame-relay interface-dlci 102
int s0/0
no shutdown

Configure frame-relay switch

config t
hostname ISP
frame-relay switching
int s0/0
encapsulation frame-relay
frame intf-type dce
clock rate 64000
frame-relay route 102 interface s0/1 201

GRE tunnel

On Router1:
config t
int f0/0
ip address 192.168.10.1 255.255.255.0
no shutdown
int tunnel 1
ip address 10.1.1.1 255.255.255.252
tunnel source f0/0
tunnel destination 192.168.20.1
On Router2:
config t
int f0/0
ip address 192.168.20.1 255.255.255.0
no shutdown
int tunnel 1
ip address 10.1.1.2 255.255.255.252
tunnel source f0/0
tunnel destination 192.168.10.1

Password recovery

show version
config t
config-register 0x2142
reload
config t
config-register 0x2102

Copy IOS image to flash from TFTP (TFTP and CISCO device should be connected with crosslink cable)

set IP_Address=1.1.1.1
set IP_SUBNET_MASK=255.0.0.0
set DEFAULT_GATEWAY=1.1.1.2
set TFTP_SERVER=1.1.1.2
set TFTP_FILE=flash:c2800nm-advipservicesk9-mz.124-12.bin
tftpdnld

Crack code2