Archives

All posts for the month May, 2009

Network monitoring with ngrep

Published May 22, 2009 by Siva
Constant monitoring and troubleshooting are key to maintaining a network’s availability. With ngrep, you can analyze network traffic much as you would with other network sniffers. Unlike its brethren, however, ngrep can match regular expressions against the packet payloads. Using that string matching on specified ports, ngrep can pick out the usernames and passwords crossing the network in the clear, as well as every Telnet attempt to a server.

Ngrep uses the libpcap library, and can also take hexadecimal expressions for which to capture network traffic. It supports TCP, UDP, ICMP, IGMP, and Raw protocols across Ethernet, PPP, SLIP, FDDI, Token Ring, 802.11, and null interfaces. In addition to listening to live traffic, ngrep can also filter previous tcpdump grabs.

Author Jordan Ritter says that ngrep has traditionally been used to debug plaintext protocol interactions such as HTTP, SMTP, and FTP; to identify and analyze anomalous network communications, such as those between worms, viruses, and zombies; and to store, read, and reprocess pcap dump files while looking for specific data patterns.

You can also use ngrep to do the more mundane plaintext credential collection, as with HTTP basic authentication or FTP or POP3 authentication. Like all tools, it can be useful in the right hands and damaging if used by those with less than admirable intentions.

Before installing the 400-odd KB utility, make sure you have the libpcap library; if you use tcpdump, you already have it. Download ngrep, unpack it, and build and install it as root with ./configure && make && make install.

Start sniffing

Live capture needs root (raw access to the interface); reading a saved capture with -I, shown later, does not. If you invoke ngrep without any options, it listens to all traffic on the default interface. That’s no fun, so let’s see who’s searching Google by specifying a keyword to look for, along with a port. While all the examples below are valid and will work, real-life situations will likely require more complex patterns. Keep in mind that ngrep’s command line is always options, then the match expression, then an optional BPF filter.

# ngrep google port 80
interface: wlan0 (192.168.0.0/255.255.255.0)
filter: ip and ( port 80 )
match: google
#########################
T 192.168.0.100:33020 -> 216.239.39.99:80 [AP]
GET / HTTP/1.1..Host: google.com..User-Agent: Mozilla/5.0 (X11; U; Linux i6
86; en-US; rv:1.7.6) Gecko/20050419 OpenLX/1.7.6-1.olx..Accept: text/xml,ap
plication/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/
png,*/*;q=0.5..Accept-Language: en-us,en;q=0.5..Accept-Encoding: gzip,defla
te..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..Keep-Alive: 300..Connec
tion: keep-alive..Cookie: PREF=ID=6bfa2ae9c8bf1894:CR=1:TM=1118348709:LM=11
18400738:GM=1:S=NWBKfMYi55QzWD_y....

Each # is a packet that passed the BPF filter (port 80) but whose payload did not match the pattern; the -q option suppresses them.

Now let’s look for people misusing bandwidth:

# ngrep -i 'game*|chat|recipe' -W byline > bad_user.txt

Pipes (|) separate the alternatives, just as in grep -E. Note that * is a regular-expression quantifier, not a shell wildcard: game* matches gam followed by any number of e’s (gam, game, gamee), so to match both game and games you would write games?. -i makes the search case-insensitive, and -W byline breaks the payload at line feeds so the report, sent to a file here, is easier to read. Because no BPF filter is given, every packet on the interface is inspected. Here’s how it looks:

interface: wlan0 (192.168.0.0/255.255.255.0)
match: game*|chat|recipe
###############################
T 192.168.0.100:33035 -> 66.249.85.104:80 [AP]
GET /search?hl=en&safe=off&q=online+games&btnG=Search&meta= HTTP/1.1.
Host: www.google.co.in.
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050419 OpenLX/1.7.6-1.olx.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5.
Accept-Language: en-us,en;q=0.5.
Accept-Encoding: gzip,deflate.
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7.
Keep-Alive: 300.
Connection: keep-alive.
Referer: http://www.google.co.in/search?hl=en&q=hello&btnG=Google+Search&meta=.
Cookie: PREF=ID=7c5bf916f28d16c7:FF=4:LD=en:NR=10:TM=1118348709:LM=1118348731:S=20ZkQG0YsMDDsXsW.

To monitor current email transactions and print the addresses:

# ngrep -i 'rcpt to|mail from' tcp port smtp
interface: wlan0 (192.168.0.0/255.255.255.0)
filter: ip and ( tcp port smtp )
match: rcpt to|mail from
T 192.168.0.100:1043 -> 200.40.174.30:25 [AP]
MAIL From: SIZE=192..
T 192.168.0.100:1043 -> 200.40.174.30:25 [AP]
RCPT To:..

It is libpcap’s filter compiler that resolves the service name through the /etc/services file, so tcp port smtp is equivalent to tcp port 25.

You can also timestamp the grabs:

# ngrep -q -t -wi "login" port 23

This command watches Telnet traffic on port 23 for the word “login”: -i makes the match case-insensitive, -w requires it to match a whole word, -t prefixes each match with a timestamp in YYYY/MM/DD HH:MM:SS.UUUUUU format, and -q suppresses the # markers for non-matching packets. Expect to see the server’s login: prompt rather than the username itself: a Telnet client normally sends each keystroke in its own packet, so a name typed by the user rarely appears whole in a single payload.

Let’s record all traffic on port 53 (DNS) on every interface (if the box has several) to a pcap file, specified by the -O switch, for later inspection:

# ngrep -O ~/logs/traffic.dump -d any -T '' port 53

The first non-option argument is always the match expression, so the empty pattern '' is needed to match every packet and leave port 53 as the BPF filter. -d any listens on all interfaces, -T prints each match with the time elapsed since the previous one (use -t for absolute timestamps), and -O writes the matching packets themselves, not the printed text, to the file.

We use the -I switch to instruct ngrep to match the pattern against a saved file rather than live traffic. To look for every lookup that does not involve a .net name:

# ngrep -tv '\.net' -I ~/logs/traffic.dump

The -v switch inverts the match, so we get every packet whose payload does not contain .net, printed with timestamps because of the -t switch. The dot is escaped because the pattern is a regular expression: an unescaped .net would also match, say, xnet, and a leading * does not mean “anything” the way it does in a shell glob.

Conclusion

For a network administrator familiar with pattern matching with grep, ngrep requires a minimum of training. Wrapping ngrep up in Perl scripts and running them from a cron job can produce, say, a 5:00 p.m. daily system check report. For an example, see hack #60 in O’Reilly’s “Linux Server Hacks” book.
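As an added example (not code from the article or from ngrep), here is the kind of glue the paragraph above has in mind, in Python rather than Perl: it reads ngrep -W byline output, splits it into packet records on the “T src:port -> dst:port [flags]” header lines, and pulls out HTTP requests, SMTP envelope addresses and the plaintext credentials mentioned earlier in the post (FTP USER/PASS and HTTP Basic). The sample text is constructed in the shape of the captures shown above; its hosts, addresses and passwords are made up.

```python
"""Turn ngrep -W byline output into a short daily report.

Added example, not from the article or from ngrep.  SAMPLE below is
constructed text in the shape of the captures above; every host,
address and password in it is made up.
"""
import base64
import re
from collections import defaultdict

# "T 192.168.0.100:33035 -> 66.249.85.104:80 [AP]", optionally with a -t timestamp
HEADER = re.compile(r"^([TU]) (?:\S+ \S+ )?(\S+):(\d+) -> (\S+):(\d+) \[(\w*)\]$")
REQUEST = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/")
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*(.*)$", re.I)
ADDRESS = re.compile(r"<?([^\s<>:]+@[^\s<>]+)>?")
FTP_CRED = re.compile(r"^(USER|PASS) (\S+)$")
BASIC = re.compile(r"^Authorization: Basic (\S+)$", re.I)


def parse_records(text):
    """Group byline output into records: one header line plus its payload lines."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"src": m[2], "sport": int(m[3]), "dst": m[4],
                       "dport": int(m[5]), "lines": []}
            records.append(current)
        # skip blank lines and runs of '#' (non-matching packet markers)
        elif current is not None and line.strip() and set(line.strip()) != {"#"}:
            # byline mode prints the CR of each CRLF as a trailing dot; drop it
            current["lines"].append(line[:-1] if line.endswith(".") else line)
    return records


def summarize(records):
    """Per source address: HTTP requests, SMTP envelope lines and credentials seen."""
    report = defaultdict(lambda: {"http": [], "smtp": [], "creds": []})
    for rec in records:
        entry = report[rec["src"]]
        server = f"{rec['dst']}:{rec['dport']}"
        host = next((ln.split(":", 1)[1].strip() for ln in rec["lines"]
                     if ln.lower().startswith("host:")), rec["dst"])
        for line in rec["lines"]:
            if m := REQUEST.match(line):
                entry["http"].append(host + m[2])
            elif m := ENVELOPE.match(line):
                addr = ADDRESS.search(m[2])
                entry["smtp"].append(f"{m[1].upper()} {addr[1] if addr else m[2]}")
            elif m := FTP_CRED.match(line):
                entry["creds"].append(f"{m[1]} {m[2]} -> {server}")
            elif m := BASIC.match(line):
                try:
                    decoded = base64.b64decode(m[1], validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    decoded = "<undecodable>"
                entry["creds"].append(f"basic {decoded} -> {server}")
    return dict(report)


def format_report(report):
    """Plain-text report, one block per source host, suitable for mailing from cron."""
    out = []
    for src in sorted(report):
        out.append(f"== {src} ==")
        for kind in ("http", "smtp", "creds"):
            for item in report[src][kind]:
                out.append(f"  {kind:5} {item}")
    return "\n".join(out)


# Constructed sample in the shape of `ngrep -W byline` output (not a real capture)
SAMPLE = """\
interface: wlan0 (192.168.0.0/255.255.255.0)
match: .
####
T 192.168.0.100:33035 -> 66.249.85.104:80 [AP]
GET /search?q=online+games HTTP/1.1.
Host: www.google.co.in.
User-Agent: Mozilla/5.0.

T 192.168.0.100:1043 -> 200.40.174.30:25 [AP]
MAIL FROM:<alice@example.com> SIZE=192.

T 192.168.0.100:1043 -> 200.40.174.30:25 [AP]
RCPT TO:<bob@example.net>.
##
T 192.168.0.100:1060 -> 192.168.0.5:21 [AP]
USER ftpuser.

T 192.168.0.100:1060 -> 192.168.0.5:21 [AP]
PASS hunter2.

T 192.168.0.100:1071 -> 192.168.0.9:80 [AP]
GET /admin/ HTTP/1.1.
Host: intranet.example.
Authorization: Basic YWRtaW46czNjcjN0.
"""

if __name__ == "__main__":
    print(format_report(summarize(parse_records(SAMPLE))))
```

In a cron job you would feed it the file produced by something like ngrep -q -W byline -I today.pcap instead of SAMPLE; the header regex accepts both plain and -t timestamped header lines.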

Ngrep can match a pattern only within a single packet. If you need to detect a string that is split across several small packets, you need something that reassembles TCP streams, such as Snort.
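To make that per-packet limitation concrete, and to show what ngrep’s libpcap front end does with a saved tcpdump grab (the file format mentioned near the top of the post), here is an added Python example; it is not code from the article or from ngrep. It builds a small pcap in memory containing an HTTP request whose Host header is split across two TCP segments, matches a regex per packet as ngrep does, and then matches again after reassembling each flow by sequence number. The addresses and payloads are constructed.

```python
"""Per-packet vs. reassembled payload matching over a pcap file.

Added example, not code from the article or from ngrep: a minimal
pure-Python stand-in for what ngrep does with a saved capture (parse the
libpcap file, walk Ethernet/IPv4/TCP, regex the payload), followed by the
stream reassembly that ngrep does not do.  All packets are constructed
in-line; the addresses and payloads are made up.
"""
import re
import struct
from collections import defaultdict

ETH_IPV4 = b"\x08\x00"


def build_pcap(packets):
    """Wrap raw Ethernet frames into a little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def build_tcp_frame(src, sport, dst, dport, seq, payload, flags=0x18):
    """Ethernet + IPv4 + TCP frame carrying payload; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x66\x77\x88\x99\xaa\xbb" + b"\x00\x11\x22\x33\x44\x55" + ETH_IPV4
    return eth + ip + tcp


def iter_tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP packet in the file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                         # protocol field: not TCP
            continue
        total_len, = struct.unpack_from("!H", ip, 2)
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, sport, dst, dport, seq, tcp[data_off:]


def printable(data):
    """ngrep-style rendering: every non-printable byte becomes a dot."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def grep_packets(pcap, pattern):
    """Match the pattern against each packet's payload on its own, as ngrep does."""
    rx = re.compile(pattern.encode(), re.I)
    hits = []
    for src, sport, dst, dport, _seq, payload in iter_tcp_segments(pcap):
        if payload and rx.search(payload):
            hits.append(f"T {src}:{sport} -> {dst}:{dport} [AP]\n{printable(payload)}")
    return hits


def grep_streams(pcap, pattern):
    """Reassemble each one-way TCP flow in sequence-number order, then match."""
    rx = re.compile(pattern.encode(), re.I)
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in iter_tcp_segments(pcap):
        if payload:
            flows[(src, sport, dst, dport)].append((seq, payload))
    hits = []
    for (src, sport, dst, dport), segments in flows.items():
        stream = b"".join(payload for _seq, payload in sorted(segments))
        if rx.search(stream):
            hits.append(f"T {src}:{sport} -> {dst}:{dport} [stream]\n{printable(stream)}")
    return hits


# Constructed sample: "Host: google.com" is split between two segments of one
# HTTP request, plus an unrelated SMTP packet on another connection.
_FIRST = b"GET / HTTP/1.1\r\nHost: goo"
SAMPLE_PCAP = build_pcap([
    (1243000000, build_tcp_frame("192.168.0.100", 33020, "216.239.39.99", 80, 1000, _FIRST)),
    (1243000001, build_tcp_frame("192.168.0.100", 33020, "216.239.39.99", 80, 1000 + len(_FIRST),
                                 b"gle.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")),
    (1243000002, build_tcp_frame("192.168.0.100", 33021, "10.0.0.25", 25, 5000,
                                 b"MAIL FROM:<alice@example.com> SIZE=192\r\n")),
])

if __name__ == "__main__":
    print("per-packet 'google':", grep_packets(SAMPLE_PCAP, "google"))   # [] : split across packets
    print("\n".join(grep_streams(SAMPLE_PCAP, "google")))                # found after reassembly
    print("\n".join(grep_packets(SAMPLE_PCAP, "mail from")))
```

The per-packet search for google finds nothing, exactly as ngrep would, while the same regex over the reassembled stream does; the SMTP keyword sits inside one packet and is found either way. Real reassembly also has to handle retransmissions, overlaps and both directions of a connection, which is what makes Snort the right tool rather than a few more lines here.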

Source: http://www.linux.com/archive/articles/46268c


How to Rename Windows Server 2008 Domain Controller

Published May 22, 2009 by Siva

If you want to rename your Windows Server 2008 domain controller after a server migration, you can do it with the netdom.exe utility, which is built into Windows Server 2008. Make sure the domain has at least one additional domain controller before you proceed.

Note: a domain controller that runs Microsoft Certificate Services (a CA) cannot be renamed.

Procedure to Follow

Open a command prompt (Start > Run > cmd) and type the following command:

netdom computername CurrentComputerName /add:NewComputerName

This command adds the new name as an alternate name: it updates the service principal name (SPN) attributes of the computer account in Active Directory and registers DNS resource records for the new name. The SPN values must replicate to all domain controllers in the domain, and the DNS records for the new name must reach every DNS server authoritative for the domain, before the old name is removed; otherwise some clients may be unable to locate the computer by either name.

Once the computer account updates and DNS registrations have completed (netdom computername CurrentComputerName /verify checks both), type

netdom computername CurrentComputerName /makeprimary:NewComputerName

Restart the server.

Open a command prompt again (Start > Run > cmd) and type:

netdom computername NewComputerName /remove:OldComputerName

Options in Detail

CurrentComputerName: the current (primary) name or IP address of the computer being renamed.

NewComputerName: the new name for the computer, which must be a fully qualified domain name (FQDN).

OldComputerName: the old name of the renamed computer.

Source:  http://www.windowsreference.com/windows-server-2008/how-to-rename-windows-server-2008-domain-controller/

Adding Logon Script For Active Directory Users

Published May 18, 2009 by Siva

Logon scripts can be useful tools for configuring desktop environments for users. Some of the things such scripts can be used for include mapping network drives, connecting to shared printers, gathering system information, synchronizing system clocks, and so on. In fact, just about anything you can do from the command-line can be done using a logon script.

Step 1:
Create the script in the scripts folder of SYSVOL, which is shared as NETLOGON and replicated to every domain controller:

%systemroot%\sysvol\sysvol\<domain_DNS_name>\scripts\logon.bat

@echo off
echo *************************************************************************
echo *                                                                       *
echo *  Please wait while Computer and User Settings are getting applied.    *
echo *                      This will take approx 5 Sec                      *
echo *                      Thank you for your patience                      *
echo *                Script Written by sivakumar.e@gmail.com                *
echo *                                                                       *
echo *************************************************************************
echo.
rem ---------------------------------------------------------------------
rem Map drive H: to the shared folder (fill in the server and share name)

net use H: \\Server<ip>\<ShareFolderName>

exit

Step 2:

In Administrative Tools, open Active Directory Users and Computers.

Open the user’s Properties, select the Profile tab, and enter logon.bat in the Logon script field. The field is relative to the NETLOGON share, so the file name alone is enough.

It Should Work Now…

For further clarification mail me..

Have a Nice Day..

How can I uninstall the BrowseControl Client?

Published May 16, 2009 by Siva


The BrowseControl Client can be uninstalled from the BrowseControl Server by right-clicking the Client and selecting Service/Uninstall.

If the Client is not connected to the Server, or does not appear on the Console, follow these steps to uninstall it at the client PC: click Start > Run and enter cwClient.exe –pv Admin (Admin is the default password and is case sensitive; if you changed the password during the client installation, use that password instead. Since this password is all that stops someone at the keyboard from removing the client, do not leave it at the default.)

  1. You will be presented with the Client interface. Click the Services tab and then the Uninstall button.
  2. Reboot the PC.
  3. Repeat these steps on every client PC.

How can I uninstall the BrowseControl Console?

To uninstall the BrowseControl Console, use the Windows Control Panel “Add/Remove Programs” utility.

How can I uninstall the BrowseControl Server?

To uninstall the BrowseControl Server, use the Windows Control Panel “Add/Remove Programs” utility.

NOTE: Please make sure to exit BrowseControl before starting the uninstall operation

Installing Internet Explorer in any Linux Flavor.

Published May 15, 2009 by Siva

Install wine and cabextract as root:

yum -y install 'wine*'
yum -y install cabextract

Install IEs4Linux as a normal user; do not run this part as root:

wget http://www.tatanka.com.br/ies4linux/downloads/ies4linux-latest.tar.gz
tar zxvf ies4linux-latest.tar.gz
cd ies4linux-*
./ies4linux

Disable Adobe Flash when the installer asks; with it enabled, the installer reports a bug while installing IE.

For further details, please contact sivakumar.e@gmail.com