Archives for : text

    No need to bypass security with a boot disk – 17 year old Windows exploit found

    The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

    The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by the The H’s associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

    The workaround requires users to start the group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer ConfigurationAdministrative TemplatesWindows ComponentsApplication Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don’t cause any major compatibility problems for most users while no 16-bit applications are being used.

    Update – The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat with a D-Word value of VDMDissallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

    Windows Registry Editor Version 5.00



    into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).

    Update 2 - Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.

    See Also:

    REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.

    The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.

    16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086’ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.

    The transition requires (subsequent to authentication) restoring the context and the call stack from the faulting trap frame. But the authentication process is flawed, relying as it does on three incorrect assumptions.

    • Setting up a VDM context requires SeTcbPrivilege.The barrier to getting a VDM context can be subverted by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem. The VDM subsystem already has the necessary flag set.
    • Ring 3 (unprivileged) code cannot install arbitrary code segment selectors.Using the two least significant bits of CS/SS to calculate the privilege of a task doesn’t work when it comes to Virtual-8086 mode. The 20-bit addressing (by adding CS << 4 to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, then the privilege calculation can be circumvented.
    • Ring 3 (unprivileged) code cannot forge a trap frame.Returns to user mode are through IRET. An invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. And even with address randomisation it’s trivial to use NtQuerySystemInformation() to obtain the address of the second stage BIOS handler.

    Affected Systems

    This bug dates back 17 years and affects all systems released since 27 July 1993 – Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. See the links below for further details.

    See Also
    MITRE: CVE-2010-0232
    Windows plagued by 17-year-old privilege escalation bug
    NEOPHASIS: Trap Handler Allows Users to Switch Kernel Stack

    SSLv3 / TLS Man in the Middle vulnerability

    Recently I have been looking into the vulnerabilities in the TLS negotiation process discovered late last year.

    There are a range of experts debating the exploit methods, tools and how it may be fixed (server or client site or both). From what I have seen so far this may prompt a change to the TLS standard to introduce an extension to the protocol to validate sessions (session hand off and certificate validity).

    I’m also trying to find some tools which may assist in testing for this. It looks like the exploit relies on an ARP poison or similar and then inserting plain text into the negotiation process.

    Could be something that can be fixed over time as servers and clients are patched.

    Ham Radio Links

    Amateur Packet Radio Australian

    Aussiewide Packet Radio Network


    Queensland APRS Users Group

    VK2KFJ’s Packet Radio Links page


    VK5 AX25 Packet Network Map (VK5AH)




    Amateur Packet Radio Gateways

    Amateur Packet Radio, net 44, and AMPR.ORG `

    American Febo Enterprises







    G4JKQ TCP/IP Telnet listing

    G7JJF TNC Driver Support (WINTNC)

    High speed packet

    High Speed Packet radio

    High-speed Packet Radio


    K4ABT (home page)

    Linux® / Amateur Radio Information

    Linux AX25-HOWTO


    Packet Info and Downloads

    Packet Links

    Packet Net (VK5 packet map)

    Packet Net (FBB software)

    PAcket Digital Amateur Network (PADAN)

    Radio-TNC Wiring Diagrams


    Slovenian ATV/Packet

    Sound Card Packet




    TNOS Central


    WA4DSY 56k RF Modem

    Yet Another 9k6 Modem


    Sound Card Packet

    Sound Card Buddy

    Soundcard Interfacing

    Sound Card Packet AGWPE (KC2RLM)

    Sound Card Interface with Tone Keyer (WA8LMF)

    QDG sound card interface

    Return to Top


    Winlink! 2000

    Aussie Winlink

    Pactor Communications Australia


    Winpack home page

    Winpack info


    TNC information


    Setting Your TNC’s Audio Drive Level

    TNC and Radio mods


    MFJ-1278B Care and maintenance


    AEA radio and TNC mods

    Other suppliers


    Fox Delta



    The DXZone Digital and Packet Radio



    TNC-X – The Expandable TNC


    Amateur Packet Radio Gateways


    The Gateways Home Page


    High-Speed Digital Networks and Multimedia (Amateur)

    North Texas High Speed MultiMedia group

    Also take a look at the wireless LAN pages


    Aus APRS




    APRS in Adelaide


    APRS in the UK





    BYONICS (Electronics Projects for Amateur Radio)


    Dansk APRS Gruppe

    France APRS

    Kansas City APRS Working Group


    Live Australian APRS data maps


    Queensland APRS Users Group

    Tri-State APRS Working Group

    Other Digital Modes




    Morse Code

    CW Operators’ QRP Club Inc.

    Fists Down Under

    LEARN MORSE CODE in one minute !

    MRX morse code

    Not Morse Code, Slow Scan , Packet or APRS

    HamDream by HB9TLK (digital radio)

    JE3HHT, Makoto (Mako) Mori

    PSK31 and other PC Magic

    WSJT ACTIVITY IN AU (follow link)

    Amateur Digital Radio

    AR Digital Voice Communications

    Australian National D-Star

    Ham Radio digital info

    ICOM America digital

    Temple University Digital Voice Project

    Temple University Vocoder Redux

    WinDRM – HF Digital Radio Mondiale



    Australian D-Star information

    D-Star wikipedia

    ICOM America D-Star Forums


    Software Defined Radio

    FlexRadio Systems Software Defined Radios

    Rocky software for SoftRock-40 hardware

    SDRadio – a Software Defined Radio

    SoftRock-40 Software Defined Radio

    The Weaksignals pages og Alberto I2PHD (software)

    Digital Radio

    BBC digital Radio

    Digital Audio Broadcasting

    Digital Radio Broadcasting

    Digital Radio


    DRM – Digitaler Rundfunk unter 30 MHz


    Amateur Radio Direction Finding

    Amateur Radio Direction Finding and Orienteering

    Amateur Radio Direction Finding Webring

    Homing In


    Victorian ARDF Group Inc.

    Repeater Linking

    There are currently There are 5 internet linking projects that I know of :-

    IRLP,  iPHONE, iLINK, eCHOLINK and WIN SYSTEM (May 2005)


    Hamlink (K1RFD)

    KWARC (live audio)

    Internet Linking


    IRLP status



    G4CDY-L Internet Gateway



    VK2JTP iLINK gateway

    WB2REM & G4CDY’S  iLINK boards



    laser diodes

    A R Laser Communications

    Australian Optical DX Group

    Driver Enhancements

    European Laser Communications


    Amateur Radio Licence


    Worldwide Information on Licensing for Radio Amateurs by OH2MCN

    Amateur Radio Clubs and Organisations

    Also see ATV link page

    and VHF link page


    Adelaide Hills Amateur Radio Society

    Amateur Radio Victoria

    Barossa Amateur Radio Club VK5BRC

    Brisbane Amateur Radio Club

    Brisbane VHF Group

    Central Coast Amateur Radio Club

    Central Goldfields A R Club


    Coffs Harbour & District Amateur Radio Club

    CW Operators’ QRP Club Inc.

    Eastern and Mountain District Radio Club

    Gold Coast AR Society

    Healesville Amateur Radio Group

    Historical Wireless Society of South East Queensland

    Ipswich Metro Radio Group

    Lockyer Valley Radio and Electronic Club Inc

    Manly-Warringah Radio Society


    QRP Amateur Radio Club International

    Queensland APRS Users Group

    RADAR Club Inc

    Radio Amateurs Old Timers Club Australia Inc

    Radio Sport

    Radio and Electronics Association of Southern Tasmania

    Riverland Amateur Radio Club

    South Australian Packet User Group Inc. (SAPUG)


    South Coast AMATEUR RADIO Club


    Sunshine Coast Amateur Radio Club

    VK Young Amateur Radio Operator’s Net


    VK3BEZ (WIA Eastern Zone Amateur Radio Club)


    West Australia Repeater Group


    WIA VK4 Qld



    WICEN Australia

    WICEN Brisbane Qld

    New Zealand


    Papakura Radio Club

    Wanganui Amateur Radio Society Inc.

    Wellington VHF Group


    American QRP Club


    Clear Lake Amateur Radio Club





    K2MFF Amateur Radio club

    North TeXas Repeater Association


    The Repeater Builders Technical Information Page

    Richardson Wireless Klub




    Submarine Veterans Amateur Radio

    Southgate AR club


    The 500 KC Experimental Group for Amateur Radio

    Tucson Amateur Packet Radio

    W6DEK 435 Los Angeles

    Amateur Radio


    Australian AR Repeater Map



    Ham Radio in Australia with VK1DA

    HF Radio Antenna Tuners

    Queensland AR Repeater listings

    Radioactive Networks: Ham

    Tony Hunt VK5AH (Home of Adelaides 10m Repeater)

    VK1DA’s Amateur Radio Web Directory



    VK2BA (AM radio)




    VK3YE’s Gateway to AR










    New Zealand

    Micro Controller Projects for Radio Amateurs and Hobbyists

    Precision Frequency Transmission and Reception



    AC6V’s AR & DX Reference

    Amateur radio with Knoppix

    Amateur Radio Soundblaster Software Collection


    AMRAD Low Frequency Web Page


    Direction finding

    DSP Links




    eQSL (electronic QSL)


    Felix Meyer



    Gateway to Amateur Radio

    Grid Square Locator


    G4KLX (The [ON/]G4KLX Page)




    Hamview DSP software

    Homebrew RF Test Equipment And Software

    KB4VOL   link site



    KU4AY ham radio directory



    K1TTT Technical Reference


    K3TZ Ham Radio Experimentation

    K6XC (links)

    Lighthouses (International Lighthouse/ Lightship Weekend)



    Michael Todd Computers & Communications



    NW7US   (Amateur and Shortwave Radio)

    N3EYR’s Radio Links


    PI6ATV (ATV, Antenna, software, info)

    Radio Links

    Radio Corner (forum)

    Ray Vaughan


    streaming radio programs

    The Elmer HAMlet (information)

    VE1XYL and VE1ALQ

    WB6VUB (links)



    XE1BEF  (DX, mods, links and more)

    Communications Equipment


    Andrews Communication Systems





    Hamak (RM Products Italy)


    KENWOOD Australia

    Kyle Communications

    ICOM Australia



    Radio-Data (links)

    Radio Specialists (equipment connectors and antenna)



    Townsville CB& Communications

    TTS Systems

    VK4-ICE Communications

    WiNRADiO (PC based receivers)



    Vertex Standard


    Z Communications Company (repair of old radio equipment)

    See also Kits and components

    Radio mods, cables, connection info

    batlabs (Motorola radio connection, cable info)

    Hall Electronics

    Radio Mods (mods info and more)

    W4RP IC-2720H Page

    XE1BEF  (DX, mods, links and more)

    Please also look at manufacture’s sites

    Lightning Protection (video and links)

    K9WK Amateur Radio

    Lightning Protection Institute

    Marine Grounding Systems

    Moonraker boat lightning information



    RFI Lightning protection


    Amateur Spread Spectrum

    Spread Spectrum Scene

    Spread spectrum

    SS Info

    Call-sign finders

    The DX Notebook



    Equipment suppliers and manufacturers

    Easy-radio (your DNS server may have problems finding this site)

    Kits and Components

    Australian and selected international suppliers




    Antique Electronic Supply

    Antenna Systems and Supplies Inc. (sm)



    Clarke & Severn Electronics

    Cliff Electronics (Aus) Pty. Ltd


    David Hall Electronics

    Dick Smith Electronics


    Dominion Electronics


    Elliott Sound Products


    Fox Delta (ATV and more)

    Hammond Mfg

    Hy-Q International

    IRH Components


    Microwave Dynamics

    MicroZed Computers



    Mouser Electronics


    Oatley electronics

    Ocean State Electronics


    pacific DATACOM


    Prime Electronics

    Radio Parts

    R.C.S. Radio (circuit boards)

    RF Modules Australia (ZigBee) http:\

    RFShop (Brisbane)

    Rockby Electronics and Computers

    RS Components



    Silvertone Electronics

    South Island Component Centre (New Zealand)

    Surplus Sales of Nebraska

    Surplustronics (New Zealand)

    Tandy (Australia)


    TTS Systems

    WB9ANQ’s Surplus Store


    Worldwide Electronic Components http:/

    Also look at the ATV links

    PCB layout and schematic programs baas electronics LAYo1 PCB


    Electronics WORKBENCH Industries McCAD OrCAD TARGET 3001! Tech5 TinyCAD VEGO ABACOM

    Amateur Satellites and space



    AMSAT-ZL (kiwisat)

    CSXT Civilian Space eXploration Team



    ISS fan club

    SATSCAPE   (free satellite tracking program)

    Satellite tracking software





    IPS Radio and Space Services


    Near-Real-Time MUF Map

    Radio Mobile (path prediction)

    VK4ZU (Propagation)


    Satellite TV



    KRISTAL electronics


    Nationwide Antenna Systems


    SAT TV


    Radio and Scanning


    Brisbane Radio Scanner

    Extreme Worldwide Scanner Radio

    Newcastle Area Radio Frequency Guide


    New Zealand

    Kiwi Radio


    Wellington Scanner Frequencies


    ZL3TMB (Christchurch NZ)


    Frequency guide

    Incident Broadcast Network (including Australian feeds)

    Radio H.F.  (some ham stuff)

    Amateur Radio DX and Contest

    DX Cluster

    AA1V’s DX Info-Page

    AC6V’s AR & DX Reference

    Australian contesting

    Buckmaster callsign database

    DX Greyline

    DX Summit

    DX 425 News


    EI8IC Global Overlay Mapper

    eQSL (electronic QSL)

    German DX Foundation-GDXF

    GlobalTuners (provides access to remotely controlled radio receivers all over the world)

    Ham Atlas by SP6NVK

    Kiwi DX List

    Oceania Amateur Radio DX Group Incorporated

    Oceania DX Contest


    The AM Window

    The Daily DX

    IARU QSL Bureaus

    International DX Association

    Internet Ham Atlas


    IOTA groups and Reference


    IOTA 425

    Island Radio Expedition Fondation

    LA9HW HF Contest page

    NG3K Contest/DX Page

    Northern California DX Foundation

    Simple phrases in European Languages

    SUMMITS on the AIR

    Telnet Access to DX Packet Clusters

    The DX Notebook

    VE6OA’s DX Links Contest Club

    World of DK4KQ

    XE1BEF  DX and links

    Logging Software

    VK Contest Log (VKCL)

    VK/ZL Logger

    WinRD+ logging program




    CLX Home page

    DX CLUSTER programs




    DX PacketCluster Sites on the Internet

    DXSpider – DX cluster system is written in perl

    Packet Cluster user manual

    The DXSpider User Manual

    VE7CC-1 Dx Spider Cluster


    Short Wave DX


    Electronic DX Press (HF, MW and VHF)

    CQ World Wide DX Contest


    Longwave Club of America (also Ham)

    NIST time stations

    OK1RR DX & Contesting Page

    Prime Time Shortwave

    Radio Interval Signals


    SM3CER Contest Service

    The British DX Club

    Yankee Clipper Contest Club


    Radio Scouting

    Scouts Australia JOTA/JOTI

    The history of the Jamboree On The Air history.htm

    World Organization of the Scout Movement

    Australian Regulator


    International Regulator


    Electronic Information and technical reference

    AC6V’s Technical Reference

    Chip directory

    Circuit Sage

    CommLinx Solutions Pty Ltd

    Computer Power Supply Mods

    Discover Circuits

    Electronic Information

    Electronics Links and Resources

    Epanorama (lots of links)

    Electronics Tutorials

    Electronic Theory

    Fox Delta


    Hobby Projects (electronic resource)


    Information site

    ISO Date / Time

    Latitude/Longitude Conversion utility – 3 formats

    New Wave Instruments (check out SS Resources)

    Paul Falstad (how electronic circuits work)

    PINOUTS.RU (Handbook of hardware pinouts)



    RF Cafe

    RF Globalnet

    RHR Laboratories


    RS232 Connections, and wiring up serial devices

    RF Power Table

    Science Lobby (electronic links)

    Tech FAQ (technical information for mobile electronics installers)

    Electronic service

    Repair of TV Sets

    Sci.Electrinic.Repair FAQ

    Service engineers Forum


    Cable Data




    Coaxial cable data

    Coaxial Cable Page




    NESS Engineering

    RF Industries cables


    Times Microwave


    W4ZT Antenna cable chart

    50 W Coaxial Cable Information

    75 W Coaxial Cable Information

    Antique Radio

    Antique Electronic Supply

    Alan Lord

    Antique Radio

    Apex Jr

    Archives of Boatanchors

    Australian Vintage Radio MK II

    Australian Wireless (OZ-Wireless) Email List

    AWA and Fisk Radiola

    Crystal Radio


    Hammond Museum of Radio

    Historical Radio Society of Australia Inc.

    JMH’s Virtual Valve Museum

    John Rose’s Vintage Radio Home

    Klausmobile Russian Tube Directory


    Kurrajong Radio Museum

    Links to Vintage Radios (Amateur)

    Mike’s Electric Stuff

    Nostalgiar Air

    Phil’s Old Radios

    Radio A’s Vintage Radio Page

    Radio Era

    Rap ‘n Tap

    Replacing Capacitors

    Savoy Hill Publications

    South East Qld Group of the HRSA

    SEQG of the HRSA Crystal comp

    SEQG One Tube Radio comp


    The Vintage Radio Emporium

    The Wireless Works

    Triode Tube Data Tubesworld  (Valve Audio and Valve data)

    Vintage Radio

    Vintage Radio Times

    Vintage Radios and programs

    Vintage Radios UK

    Vintage Radio and Test Equipment Site

    Vintage Radio World

    Vintage Radio and Audio Pages



    Ye Olde Hurdy Gurdy Museum of Vintage Radio

    Valve Audio and Valve data Ake’e Tube Data CVC

    Data Sheet Locator


    Frank’s Electron tube Pages

    Hammond  Manufacturing

    House of Tubes

    High Voltage Tube Archive


    Industrial Valve Data


    NJ7P Tube Data Search

    RCA-R10 Data

    SAS Audio Labs

    Sowter Audio Transformers

    Spice Valves



    Tube datasheets

    Vacuum Tube Links

    Valves and Tubes

    Valve Data Links

    Valve Data

    Valves Unlimited

    Valve and Tube Supplies


    Audio Calculators and Links Calculators & References Links.htm


    Car Audio Australia

    DIY Audio

    Duncan’s Amp Pages

    Elliott Sound Products


    Norman Koren


    The Self Site

    The Class-A Amplifier Site


    DUBUS (VHF magazine)

    Elektor Electronics

    Harlan Technologies (Amateur Television Quarterly)

    Radio & Communications Monitoring Monthly


    VHF Communications Mag



    SETI Australia

    World Clock

    I thought this was cool. It may come in handy for Ham Radio.

    Nmap Examples

    Some Nmap examples I thought I would post.

    Scanning past Watchguard Firewalls: nmap -sS -iL targetlist.txt -P0 -sV -T4

    Verbose Scan: nmap -v

    This option scans all reserved TCP ports on the target machine. The -v option enables verbose mode.

    nmap -sS -O /24

    Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

    nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

    Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

    nmap -v -iR 100000 -PN -p 80

    Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

    nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap

    This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

    Instead of limiting ourselves to scanning just one target., let’s broaden our horizon’s to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our “community”. At the command line type the following (substituting a valid address of your choice of course):

    nmap -sT -O

    What this does is instruct nmap to scan every host between the IP addresses of and If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:

    To create a human readable output file issue the -oN command into your nmap string so that it would look similar to this:

    nmap -sT -O -oN sample.txt

    Rather have a machine parsable file? Enter the -oM to pipe the output into a machine parsable file:

    nmap -sT -O -oM sample.txt

    *Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.

    -I This is a handy little call that activates nmap’s TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let’s take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:

    -iR Use this command to instruct nmap to scan random hosts for you.

    -p Port range option allows you to pick what port or ports you wish nmap to scan against.

    -v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.

    -h Displays a quick reference of nmap’s calls

    Now that we have looked at nmap’s three basic usage types and some of it’s other options, let’s mix and match them.

    nmap -v -v -sS -O

    This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses and This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let’s log our results into a human readable file for future reference:

    nmap -v -v -sS -O -oN sample.txt

    Now let’s make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of and Once again we will log the output (I’m a log junkie) for future reference into a human readable file called ftphttpscan.txt:

    nmap -sS -p 23,80 -oN ftphttpscan.txt

    Remember the -iR option mentioned previously? Let’s use it to take a random sampling of Internet web servers using the verbatim example from nmap’s man page:

    nmap -sS -iR -p 80

    Last but certainly not least, while gleaning information, don’t forget to nmap yourself. Just type at the command line: nmap This is especially useful and recommended if you’re a newcomer to Linux and connected to the Internet via DSL or cable modem.

    Detect promiscuous network devices or sniffers on a network

    Old versions       nmap –script=promiscuous

    New Versions     nmap -sV –script=sniffer-detect

    Google Helps Find Webcam’s

    The below lines can be placed into Google to find hidden cams on the net.”ViewerFrame?Mode= 2400 video server”Live View / – AXIS” | inurl:view/view.shtml^ (motion-JPEG)”live view” intitle:axis”Network Camera NetworkCamera” intitle:”video server” inurl:LvAppl”EvoCam” inurl:”webcam.html””Live NetSnap Cam-Server feed””Live View / – AXIS””Live View / – AXIS 206M””Live View / – AXIS 206W””Live View / – AXIS 210″ Axis”MultiCameraFrame?Mode=Motion” inurl:cgistart”WJ-NT104 Main Page””MOBOTIX M1″ intext:”Open Menu””MOBOTIX M10″ intext:”Open Menu””MOBOTIX D10″ intext:”Open Menu” inurl:home/ inurl:home/ inurl:home/”sony network camera snc-p1″”sony network camera snc-m1″”Toshiba Network Camera” user login”netcam live image””i-Catcher Console – Web Monitor” changing room index/shtml/home’your frame?mode=motion’”viewframe?mode=refresh” inurl:/view/shtml hacks“inurl:”view from?mode=refresh””nurl:viewerframe?mode=refresh””viewerframe?mode=” naked adult”viewerframe? mode= refresh” inurl”viewframe?mode=refresh””viewerframe?mode=” live webcams”view/index.shtml mobotix camera view school”refresh porn“inurl: /shtml””viewerframe?mode motion” motion

    A link to others

    DUKPT Overview and Transaction notes


    I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link


    I will come back at some stage and expand on this when I get time.

    Transaction Process narrative:

    The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805’) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

    A good explanation of DUKPT can also be found at Wikipedia.


    Diagram of the flow


    DUKPT transaction flow - terminal to bank

    DUKPT transaction flow - terminal to bank


    Background notes:

    • The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
    • the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
    • In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3rd protecting the PIN.
    • When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
    • This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
    • This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
    • The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
    • The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
    • The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
    • When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
    • This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

    The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

    When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

    When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

    HSM-8000-User Guide V2.2

    Secure Application Development links


    I have been putting some secure application development documents together recently and have found some good general tutorials and guidelines which I thought I would post here.

    Best Practices

    Other Resources

    Cisco Command Cheat Sheet

    I found a list of useful Cisco commands which I though I would post here.


    • Config# terminal editing – allows for enhanced editing commands
    • Config# terminal monitor – shows output on telnet session
    • Config# terminal ip netmask-format hexadecimal|bit-count|decimal – changes the format of subnet masks


    • Config# hostname ROUTER_NAME


    • Config# banner motd # TYPE MESSAGE HERE # – # can be substituted for any character, must start and finish the message


    • Config# description THIS IS THE SOUTH ROUTER – can be entered at the Config-if level


    • Config# clock timezone Central -6
      # clock set hh:mm:ss dd month yyyy – Example: clock set 14:13:00 25 August 2003


    • Config# config-register 0x2100 – ROM Monitor Mode
    • Config# config-register 0x2101 – ROM boot
    • Config# config-register 0x2102 – Boot from NVRAM


    • Config# boot system tftp FILENAME SERVER_IP – Example: boot system tftp 2600_ios.bin
    • Config# boot system ROM
    • Config# boot system flash – Then – Config# reload


    • Config# cdp run – Turns CDP on
    • Config# cdp holdtime 180 – Sets the time that a device remains. Default is 180
    • Config# cdp timer 30 – Sets the update timer.The default is 60
    • Config# int Ethernet 0
    • Config-if# cdp enable – Enables cdp on the interface
    • Config-if# no cdp enable – Disables CDP on the interface
    • Config# no cdp run – Turns CDP off


    • Config# ip host ROUTER_NAME INT_Address – Example: ip host lab-a
    • Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 – Example: ip host lab-a – (for e0, s0, s1)


    • Config# ip domain-lookup – Tell router to lookup domain names
    • Config# ip name-server – Location of DNS server
    • Config# ip domain-name – Domain to append to end of names


    • # clear interface Ethernet 0 – Clears counters on the specified interface
    • # clear counters – Clears all interface counters
    • # clear cdp counters – Clears CDP counters


    • Config# ip route Net_Add SN_Mask Next_Hop_Add – Example: ip route
    • Config# ip route Next_Hop_Add – Default route
    • Config# ip default-network Net_Add – Gateway LAN network


    • Config# ip routing – Enabled by default
    • Config# router rip
    • Config# router igrp 100
    • Config# interface Ethernet 0
    • Config-if# ip address
    • Config-if# no shutdown


    • Config# ipx routing
    • Config# interface Ethernet 0
    • Config# ipx maximum-paths 2 – Maximum equal metric paths used
    • Config-if# ipx network 222 encapsulation sap – Also Novell-Ether, SNAP, ARPA on Ethernet. Encapsulation HDLC on serial
    • Config-if# no shutdown


    IP Standard1-99
    IP Extended100-199
    IPX Standard800-899
    IPX Extended900-999
    IPX SAP Filters1000-1099


    • Config# access-list 10 permit – allow all src ip’s on network
    • Config# access-list 10 permit host – specifies a specific host
    • Config# access-list 10 permit any – allows any address
    • Config# int Ethernet 0
    • Config-if# ip access-group 10 in – also available: out


    • Config# access-list 101 permit tcp eq telnet
      -protocols: tcp, udp, icmp, ip (no sockets then), among others
      -source then destination address
      -eq, gt, lt for comparison
      -sockets can be numeric or name (23 or telnet, 21 or ftp, etc)
    • Config# access-list 101 deny tcp any host eq www


    • Config# access-list 101 permit ip any any
    • Config# interface Ethernet 0
    • Config-if# ip access-group 101 outIPX STANDARD:
    • Config# access-list 801 permit 233 AA3 – source network/host then destination network/host


    • Config# access-list 801 permit -1 -1 – “-1” is the same as “any” with network/host addresses
    • Config# interface Ethernet 0
    • Config-if# ipx access-group 801 outIPX EXTENDED:
    • Config# access-list 901 permit sap 4AA all 4BB all
      – Permit protocol src_add socket dest_add socket
      -“all” includes all sockets, or can use socket numbers


    • Config# access-list 901 permit any any all any all
      -Permits any protocol with any address on any socket to go anywhere
    • Config# interface Ethernet 0
    • Config-if# ipx access-group 901 inIPX SAP FILTER:
    • Config# access-list 1000 permit 4aa 3 – “3” is the service type


    • Config# access-list 1000 permit 4aa 0 – service type of “0” matches all services
    • Config# interface Ethernet 0
    • Config-if# ipx input-sap-filter 1000 – filter applied to incoming packets


    • Config-if# ipx output-sap-filter 1000 – filter applied to outgoing packets


    • Config# ip access-list standard LISTNAME
      -can be ip or ipx, standard or extended
      -followed by the permit or deny list
    • Config# permit any
    • Config-if# ip access-group LISTNAME in
      -use the list name instead of a list number
      -allows for a larger amount of access-lists


    • Config-if# encapsulation ppp
    • Config-if# ppp authentication chap pap
      -order in which they will be used
      -only attempted with the authentification listed
      -if one fails, then connection is terminated
    • Config-if# exit
    • Config# username Lab-b password 123456
      -username is the router that will be connecting to this one
      -only specified routers can connect


    • Config-if# ppp chap hostname ROUTER
    • Config-if# ppp chap password 123456
      -if this is set on all routers, then any of them can connect to any other
      -set same on all for easy configuration


    • Config# isdn switch-type basic-5ess – determined by telecom
    • Config# interface serial 0
    • Config-if# isdn spid1 2705554564 – isdn “phonenumber” of line 1
    • Config-if# isdn spid2 2705554565 – isdn “phonenumber” of line 2
    • Config-if# encapsulation PPP – or HDLC, LAPD

    DDR – 4 Steps to setting up ISDN with DDR Configure switch type

    1. Config# isdn switch-type basic-5ess – can be done at interface config

    2. Configure static routes
    Config# ip route – sends traffic destined for to
    Config# ip route bri0 – specifies how to get to network (through bri0)

    3. Configure Interface
    Config-if# ip address
    Config-if# no shutdown
    Config-if# encapsulation ppp
    Config-if# dialer-group 1 – applies dialer-list to this interface
    Config-if# dialer map ip name Lab-b 5551212
    connect to lab-b at 5551212 with ip if there is interesting traffic
    can also use “dialer string 5551212” instead if there is only one router to connect to

    4. Specify interesting traffic
    Config# dialer-list 1 ip permit any
    Config# dialer-list 1 ip list 101 – use the access-list 101 as the dialer list

    5. Other Options
    Config-if# hold-queue 75 – queue 75 packets before dialing
    Config-if# dialer load-threshold 125 either
    -load needed before second line is brought up
    -“125” is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
    -can check by in, out, or either

    Config-if# dialer idle-timeout 180
    -determines how long to stay idle before terminating the session
    -default is 120


    • Config# interface serial 0
    • Config-if# encapsulation frame-relay – cisco by default, can change to ietf
    • Config-if# frame-relay lmi-type cisco – cisco by default, also ansi, q933a
    • Config-if# bandwidth 56
    • Config-if# interface serial 0.100 point-to-point – subinterface
    • Config-if# ip address
    • Config-if# frame-relay interface-dlci 100
      -maps the dlci to the interface
      -can add BROADCAST and/or IETF at the end
    • Config-if# interface serial 1.100 multipoint
    • Config-if# no inverse-arp – turns IARP off; good to do
    • Config-if# frame-relay map ip 48 ietf broadcast
      -maps an IP to a dlci (48 in this case)
      -required if IARP is turned off
      -ietf and broadcast are optional
    • Config-if# frame-relay map ip 54 broadcast


    • Show access-lists – all access lists on the router
    • Show cdp – cdp timer and holdtime frequency
    • Show cdp entry * – same as next
    • Show cdp neighbors detail – details of neighbor with ip add and ios version
    • Show cdp neighbors – id, local interface, holdtime, capability, platform portid
    • Show cdp interface – int’s running cdp and their encapsulation
    • Show cdp traffic – cdp packets sent and received
    • Show controllers serial 0 – DTE or DCE status
    • Show dialer – number of times dialer string has been reached, other stats
    • Show flash – files in flash
    • Show frame-relay lmi – lmi stats
    • Show frame-relay map – static and dynamic maps for PVC’s
    • Show frame-relay pvc – pvc’s and dlci’s
    • Show history – commands entered
    • Show hosts – contents of host table
    • Show int f0/26 – stats of f0/26
    • Show interface Ethernet 0 – show stats of Ethernet 0
    • Show ip – ip config of switch
    • Show ip access-lists – ip access-lists on switch
    • Show ip interface – ip config of interface
    • Show ip protocols – routing protocols and timers
    • Show ip route – Displays IP routing table
    • Show ipx access-lists – same, only ipx
    • Show ipx interfaces – RIP and SAP info being sent and received, IPX addresses
    • Show ipx route – ipx routes in the table
    • Show ipx servers – SAP table
    • Show ipx traffic – RIP and SAP info
    • Show isdn active – number with active status
    • Show isdn status – shows if SPIDs are valid, if connected
    • Show mac-address-table – contents of the dynamic table
    • Show protocols – routed protocols and net_addresses of interfaces
    • Show running-config – dram config file
    • Show sessions – connections via telnet to remote device
    • Show startup-config – nvram config file
    • Show terminal – shows history size
    • Show trunk a/b – trunk stat of port 26/27
    • Show version – ios info, uptime, address of switch
    • Show vlan – all configured vlan’s
    • Show vlan-membership – vlan assignments
    • Show vtp – vtp configs

    For Native IOS – Not CatOS


    • Config# ip address
    • Config# ip default-gateway MODE:
    • Config# interface Ethernet 0/5 – “fastethernet” for 100 Mbps ports
    • Config-if# duplex full – also, half | auto | full-flow-control


    • Config# switching-mode store-and-forward – also, fragment-free


    • Config# mac-address-table permanent aaab.000f.ffef e0/2 – only this mac will work on this port
    • Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
      -port 3 can only send data out port 2 with that mac
      -very restrictive security
    • Config-if# port secure max-mac-count 5 – allows only 5 mac addresses mapped to this port


    • Config# vlan 10 name FINANCE
    • Config# interface Ethernet 0/3
    • Config-if# vlan-membership static 10TRUNK LINKS:
    • Config-if# trunk on – also, off | auto | desirable | nonegotiate
    • Config-if# no trunk-vlan 2
      -removes vlan 2 from the trunk port
      -by default, all vlans are set on a trunk port



    • Config# delete vtp – should be done prior to adding to a network
    • Config# vtp server – the default is server, also client and transparent
    • Config# vtp domain Camp – name doesn’t matter, just so all switches use the same
    • Config# vtp password 1234 – limited security
    • Config# vtp pruning enable – limits vtp broadcasts to only switches affected
    • Config# vtp pruning disableFLASH UPGRADE:
    • Config# copy tftp:// opcode – “opcode” for ios upgrade, “nvram” for startup config


    • Config# delete nvram


    • show ip bgp – Displays entries in the BGP routing table.
    • show ip bgp injected-paths – Displays paths in the BGP routing table that were conditionally injected.
    • show ip bgp neighbors – Displays information about the TCP and BGP connections to neighbors.

    BGP Conditional Route Injection:

    Step 1 Router(config)# router bgp as-number
    -  Places the router in router configuration mode, and configures the router to run a BGP process.

    Step 2 Router(config-router)# bgp inject-map ORIGINATE exist-map LEARNED_PATH
    -  Configures the inject-map named ORIGINATE and the exist-map named LEARNED_PATH for conditional route injection.

    Step 3 Router(config-router)# exit
    -Exits router configuration mode, and enters global configuration mode.

    Step 4 Router(config)# route-map LEARNED_PATH permit sequence-number
    – Configures the route map named LEARNED_PATH.

    Step 5 Router(config-route-map)# match ip address prefix-list ROUTE
    – Specifies the aggregate route to which a more specific route will be injected.

    Step 6 Router(config-route-map# match ip route-source prefix-list ROUTE_SOURCE
    – Configures the prefix list named ROUTE_SOURCE to redistribute the source of the route.
    Note The route source is the neighbor address that is configured with the neighbor remote-as command. The tracked prefix must come from this neighbor in order for conditional route injection to occur.

    Step 7 Router(config-route-map)# exit
    – Exits route-map configuration mode, and enters global configuration mode.

    Step 8
    Router(config)# route-map ORIGINATE permit 10
    – Configures the route map named ORIGINATE.

    Step 9 Router(config-route-map)# set ip address prefix-list ORIGINATED_ROUTES
    – Specifies the routes to be injected.

    Step 10 Router(config-route-map)# set community community-attribute additive
    – Configures the community attribute of the injected routes.

    Step 11 Router(config-route-map)# exit
    – Exits route-map configuration mode, and enters global configuration mode.

    Step 12
    Router(config)# ip prefix-list ROUTE permit
    – Configures the prefix list named ROUTE to permit routes from network

    Step 13 Router(config)# ip prefix-list ORIGINATED_ROUTES permit
    – Configures the prefix list named ORIGINATED_ROUTES to permit routes from network

    Step 14 Router(config)# ip prefix-list ORIGINATED_ROUTES permit
    – Configures the prefix list named ORIGINATED_ROUTES to permit routes from network

    Step 15 Router(config)# ip prefix-list ROUTE_SOURCE permit
    – Configures the prefix list named ROUTE_SOURCE to permit routes from network
    Note The route source prefix list must be configured with a /32 mask in order for conditional route injection to occur.


    Step 1 (config)# interface ethernet0/0
    (config-if)#ip address
    (config-if)# no shutdown
    – Configure an IP address on the router’s Ethernet port, and bring up the interface. (On an existing router, you would have already done this.)

    Step 2 (config)# ip dhcp pool mypool
    – Create a DHCP IP address pool for the IP addresses you want to use.

    Step 3 (dhcp-config)# network /8
    – Specify the network and subnet for the addresses you want to use from the pool.

    Step 4 (dhcp-config)#domain-name
    – Specify the DNS domain name for the clients.

    Step 5 (dhcp-config)#dns-server
    – Specify the primary and secondary DNS servers.

    Step 6 (dhcp-config)#default-router
    – Specify the default router (i.e., default gateway).

    Step 7 (dhcp-config)#lease 7
    – Specify the lease duration for the addresses you’re using from the pool.

    Step 8 (dhcp-config)#exit
    – Exit Pool Configuration Mode.

    This takes you back to the global configuration prompt.

    Next, exclude any addresses in the pool range that you don’t want to hand out.

    For example, let’s say that you’ve decided that all IP addresses up to .100 will be for static IP devices such as servers and printers. All IP addresses above .100 will be available in the pool for DHCP clients.

    Here’s an example of how to exclude IP addresses .100 and below:

    Optional (config)#ip dhcp excluded-address

    The full DHCP reference can be found on the CISCO site.

    Common Commands and Troubleshooting

    • Set a password on the console line:
      • configure terminal
      • line console 0
      • password ‘cisco’
      • login
    • Passwords are case sensitive.
    • You must configure a password on the VTY lines, without one no one will be able to telnet to the switch/router.
    • The default mode when logging into a switch/router via telnet or SSH is user exec mode, which is indicated by the ‘>’ prompt.
    • To configure the switch/router you need to use the privileged EXEC mode. To do this you enter the enable command in user EXEC mode. The prompt is indicated with ‘#’.
    • If both enable secret and enable password are set, the enable secret will be used.
    • The enable secret is encrypted (by default) where as the enable password is in clear text.
    • In a config containing an enable secret 5 ‘hash’ the 5 refers to the level of encryption being used.
    • If no enable password/secret has been set when someone telnets to the device, they will get a ‘%No password set’ message. Someone with physical access must set the password.
    • To place all telnet users directly into enable mode:
      • configure terminal
      • line vty 0 4
      • privilege level 15
    • To put a specific user directly into privileged EXEC mode (enable mode)
      • username superman privilege 15 password louise
    • Telnet sends all data including passwords in clear text which can be intercepted.
    • SSH encrypts all data preventing an attacker from intercepting it.
    • Setting up a local user/password login database for use with telnet:
      • configure terminal
      • line vty 0 4
      • login local
      • exit
      • username telnetuser1 password secretpass
    • To set up SSH you need to create the local user database, the domain name must be specified with the ip domain-name command and a crypto key must be created with the crypto key generate rsa command. To enable SSH on the VTY lines, use the command transport input ssh.
    • If you connect two Cisco switches together and the lights don’t go amber then green, but instead stays off. A straight through cable has been used instead of a crossover cable.
    • The term ‘a switches management interface’ normally refers to VLAN1.
    • Assign a default gateway using the ip default-gateway ipaddress command.
    • You can use the command interface range fasterthernet 0/1 – 12 to select a range of interfaces to configure at once.
    • MOTD banner appears before login prompt.
    • The login banner appears before the login prompt but after the MOTD banner.
    • The banner exec appears after a successful logon.
    • line con 0 – configuring the logging synchronous on the console port stops the router from displaying messages (like an interface state change) until it detects no input from the keyboard and not other output from the router, such as a show commands output.
    • exec-timeout x y (x=minutes, y=seconds) – the default is 5 minutes. Can be disabled by setting x=0 y=0
    • Shortcut commands
      • Up Arrow – will show you the last command you entered. Control+P does the same thing.
      • Down Arrow – will bring you one command up in the command history. Control+N does the same thing.
      • CTRL+A takes the cursor to the start of the current command.
      • CTRL+E takes the cursor to the end of the current command.
      • Left arrow or CTRL+B moves backwards (towards the start) of the command one character at a time.
      • Right arrow or CTRL+P moves forwards (towards the end) of the command one character at a time.
      • CTRL+D deletes one character (the same as backspace).
      • ESC+B moves back one word in the current command.
      • ESC+F moves forward one word in the current command.
    • show history command will show the last 10 commands run by default.
    • the history size can be increased individually on the console port and on the VTY lines with the history size x command.
    • Config modes
      • config t R1<config> is the global configuration mode.
      • line vty 0 4 R1<config-line> is the line config mode.
      • interface fastethernet 0/1 R1<config-if> interface config mode.
    • Cisco Discovery Protocol (CDP) runs by default on Cisco routers and switches. It runs globally and on a per-interface level.
    • CDP discovers basic information about neighboring switches and routers.
    • On media that supports multicasts at the data link layer, CDP uses multicast frames. on other media, CDP sends a copy of the CDP update to any known data-link addresses.
    • The show cdp command shows CDP settings.
    • CDP can be disabled globally using the command no cdp run and re-enable using cdp run.
    • CDP can be disabled at an interface level using the no cdp enable command at the sub-interface level.
    • The command show cdp neighbor – lists one summary line of information about each neighbor. Including:
      • Device ID – the remote devices hostname.
      • Local Interface – the local switch/router interface connected to the remote host.
      • Holdtime – is the number of seconds the local device will retain the contents of the last CDP advertisement received from the remote host.
      • Capability – shows you the type of device the remote host is.
      • Platform – is the remote devices hardware platform.
      • Port ID – is the remote interface on the direct connection.
    • The command show cdp neighbor detail – lists one large set (approx 15 lines) of information, one set for every neighbor. Including:
      • The IOS version.
      • VTP management domain.
      • Management addresses.
    • show cdp entry name – lists the same information as the show cdp neighbors detail command, but only for the named neighbor (case sensitive).
    • show cdp – states whether CDP is enabled globally, and lists the default update and holdtime timers.
    • show cdp traffic – lists global statistics for the number of CDP advertisements sent and received.
    • show cdp interface type number – states whether CDP is enabled on each interface or a single interface if the interface is listed, and states the update and holdtime timers on those interfaces.
    • CDP should be disabled on interfaces it is not needed to limit risk of an attacker learning details about each switch or router. Use the no cdp enable interface subcommand to disable CDP and the cdp enable interface subcommand to re-enable it.
    • The command show cdp interface shows the CDP settings for every interface.
    • Interface status messages:
      • Interface status is down/down – this indicates a physical problem, most likely a loose or unplugged cable.
      • Line protocol is down, up/down – this indicates a problem at the logical level, most likely an encapsulation mismatch or a missing clock rate.
      • Administratively down – this indicates the interface has been shutdown and needs to be manually opened with the sub interface command no shutdown.
    • The command show mac-address-table shows the mac address table. show mac-address-table dynamic sows the dynamically learned entries only.
    • Most problems on a switch are caused by human error – misconfiguration.
    • The command show debugging shows all the currently running debugs.
    • undebug all – will turn all debugging off.
    • The command show vlan brief shows a switches VLAN configuration.
    • If pinging fails on a pc, there is a problem with the local PC, most likely a bad install of TCP/IP.
    • On a pc the command netstat -rn shows the pc’s routing table.
    • Additional Telnet commands:
      • show sessions shows information about each telnet session, the where command does the same thing.
      • resume x, x being the session number is used to resume a telnet session.
      • To suspend a session use the command CTRL+ALT+6.
      • To disconnect an open session use the command disconnect x, x being the session number.
    • Ping result codes:
      • !!!!! – IP connectivity to the destination is ok.
      • ….. – IP connectivity to the destination does not exist.
      • U.U.U – the local router has a route to the destination, but a downstream router does not.
    • debug ip packet – can help troubleshooting the above ping results.
    • When using traceroute or extended ping the Escape Sequence is: CTRL+SHIFT+6.
    • Extended ping can only be run from enable mode.
    • If a routing table contains multiple routes to the same destination with multiple next hops and the prefixes are different, the most specific (longest) prefix route will be used. If all of the prefix lengths are the same the Administrative Distance will be used. [AD/Metric].
    • Administrative Distance is a measure of a routes believability, with a lower AD being more believable than a route with a higher AD. AD only comes into play if the prefix lengths are the same.
    • You can set the Administrative Distance on a static route with the command ip route 150, you would do this to set a backup route if a dynamic route fails/is not available in the routing table.

    Cisco NX-OS/IOS BGP (Advanced) Comparison

    These may also assist: Undocumented Cisco Commands