Lets explain the basic configuration of the routers.

R1

R1(config)#int fa0/0
R1(config-if)#ip add 192.168.0.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int s0/0/0
R1(config-if)#ip add 1.1.1.1 255.255.255.252
R1(config-if)#no sh
R1(config)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0

R2

R2(config)#int fa0/0
R2(config-if)#ip add 192.168.0.3 255.255.255.0
R2(config-if)#no sh
R2(config-if)#int s0/0/0
R2(config-if)#ip add 2.2.2.1 255.255.255.252
R2(config-if)#no sh
R2(config)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0

Nothing difficult to understand. You can see that there will be a static route for the internet traffic on both R1 and R2.

Now let’s configure R3 and R4. In my lab both R3 and R4 on their f0/1 interfaces will get IP addresses from the DHCP server on my LAN (which will also provide internet connection).
NAT with overload (PAT) will also be configured on both R3 and R4 for the internet connectivity on PC1

R3

R3(config)#int f0/1
R3(config-if)#ip add dhcp
R3(config-if)#ip nat outside
R3(config-if)#no sh
R3(config-if)#int s0/0/1
R3(config-if)#ip add 1.1.1.2 255.255.255.252
R3(config-if)#ip nat inside
R3(config-if)#no sh
R3(config-if)#exit
R3(config)#ip route 192.168.0.0 255.255.255.0 serial 0/0/1
R3(config)#access-list 1 permit any
R3(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload

R4

R4(config)#int f0/1
R4(config-if)#ip add dhcp
R4(config-if)#ip nat outside
R4(config-if)#no sh
R4(config-if)#int s0/0/1
R4(config-if)#ip add 2.2.2.2 255.255.255.252
R4(config-if)#ip nat inside
R4(config-if)#no sh
R4(config-if)#exit
R4(config)#ip route 192.168.0.0 255.255.255.0 serial 0/0/1
R4(config)#access-list 1 permit any
R4(config)#ip nat inside source list 1 interface fastEthernet 0/1 overload

Don’t forget the route for the LAN network (192.168.0.0)
Now all is set.

If we want to configure PC1, we can set for example:
IP ADDRESS> 192.168.0.60
NETMASK> 255.255.255.0
GATEWAY> 192.168.0.2 or 192.168.0.3
DNS SERVER> 10.19.40.1 //this is my LAN DNS server.

Sweet it’s working, now we can configure our redundancy. The principle here is simple, we will assign a virtual IP address on both R1 and R2. And this virutal IP address will be the gateway for PC1
R1

R1(config)#int f0/0
R1(config-if)#standby 1 ip 192.168.0.1
R1(config-if)#standby 1 preempt
R1(config-if)#standby 1 priority 105
R1(config-if)#standby 1 track serial 0/0/0

R2

R2(config)#int f0/0
R2(config-if)#standby 1 ip 192.168.0.1
R2(config-if)#standby 1 preempt
R2(config-if)#standby 1 priority 100
R2(config-if)#standby 1 track serial 0/0/0

Explanations:
standby 1 ip 192.168.0.1
The number 1 is the hsrp group. The IP address 192.168.0.1 will be the virtual one, this will be PC1’s gateway.

standby 1 preempt
This is needed for the router to become the Active Router instead of the Standby Router. When it sees that the Active router is down or when its priority has becomed higher thant the Active router’s one.

standby 1 priority 100
that’s the priority, if we have 2 routers, the one with the biggest priority will become the Active Router, the other one will be the Standby Router.
By default the priority is set to 100 (From 1 to 255). If the 2 routers have the same priority, the one with the biggest IP address will become the Active Router.

standby 1 track serial 0/0/0
Let say R1 is the Active router, everything is fine except the serial link between R1 and R3, so the internet connection is down, but R1 will still remain the Active router.
That’s why this command is so important, it will check the serial link, and if it goes down, it will decrement from 10 the priority. Then R2 will have a higher priority (100 > 95) and R2 will become the Active Router, thanks to the preempt command that allows to automatically let R2 become the Active router when it sees its priority bigger thant R1’s priority.

Verifications
Now let’s go on tests.
PC1 is configured this way:
IP ADDRESS> 192.168.0.60
NETMASK> 255.255.255.0
GATEWAY> 192.168.0.1
DNS SERVER> 10.19.40.1 //this is my LAN DNS server.

You can see when i use the tracert command on my DNS server, I am using the link between R1 and R3.

I just can’t explain why the name in front of [192.168.0.2] is thinklabs.esi-supinfo.com … It seems to be a host in the LAN (the LAN that provides internet connectivity to f0/1 on both R3 and R4)

Now I will ping google and then unplug a wire on R1

As you can see we have 2 timeout then the connection is up again

Another tracert now

Still the same bug (?) with the name of the router.
But We can see that now we are using the link between R2 and R4 !

Now let’s go on PC1 and see the ARP cache.

The MAC address of a virtual IP Address with hsrp will always be:
00-00-0c-07-ac-**
** will be the HSRP group number.

For security reasons, you will may want to set a secure password between your routers for the protocol HSRP to work.
You will just need to set this command on the interface configuration mode.

Router(config-if)#standby 1 authentication md5 key-string toto

You also can set the password in clear text mode…

En image le petit logo visible en ouvrant le chassis, Big Fuckin Router in da place

The script, when reduced to its minimal needs, has 18 lines …

Here is the video.

All the datas captured are stored in a file: Client-Source IP - Server-Destination IP

The script does not manage very well when several telnet connections are launched to the same Telnet server by a unique host.

Here’s the video of my new tool written with Scapy. The aim is to capture file configuration exported from cisco devices and walking on the wire in plain text.

I assume that you already are connected to the ASA with the console port.

Restart the ASA (manually you can switch ON/OFF).

Then, when prompted press ESCAPE to enter ROMMON mode.


We want to bypass the startup-config on the next restart of the ASA, so we will change the value of the configuration register.

We need to use the confreg command. By using this command, we enter in a wizzard which will ask us some questions.



We answer yes at the first question, we want to change the value. (At this point you should store the configuration register value).

We will use the default values for all settings, except for “disable system configuration?” which is the option that will permit to bypass the startup-config. So we answer y.

rommon #0> confreg

Current Configuration Register: 0x00000001
Configuration Summary:
  boot default image from Flash

Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000040
Configuration Summary:
  boot ROMMON
  ignore system configuration

Update Config Register (0x40) in NVRAM...

rommon #1> boot

We can now reload the ASA with the boot command.

Once the ASA has been reloaded, we can enter privileged mode without any password (the startup-config has been bypassed).

ciscoasa> en
Password: [enter]
ciscoasa#

Now we load the startup-config in the running-config

ciscoasa# copy startup-config running-config

Destination filename [running-config]?

Cryptochecksum (unchanged): ab580f48 aeed7459 2da4751b b0061ac3

1726 bytes copied in 0.50 secs
MadRouterASA#

We enter global configuration mode and change the password.

MadRouterASA# conf t
MadRouterASA(config)# enable password Cisco

We change back the configuration register value.

MadRouterASA(config)# config-register 0x00000001

Now You can save your running-config.

MadRouterASA# copy running-config startup-config

That’s it.. !

Suivez les étapes suivantes :

1ère étape :

Récupérez le .dmg contenant dynagen et dynamips pour Leopard. Monter le et copier le contenu dans votre dossier /Applications

2ème étape :

Faites un lien symbolique du binaire de dynamips

sudo ln -s /Applications/Dynagen/dynamips /usr/sbin/dynamips

3ème étape :

Faites un lien symbolique du binaire de dynagen

sudo ln -s /Applications/Dynagen/Dynagen.app/Contents/Resources/dynagen
/usr/sbin/dynagen

4ème étape :

Lancez le serveur depuis votre terminal

Last login: Thu Apr 10 00:57:57 on ttys000
madrouter:~ alex$sudo dynamips -H 7200

5ème étape :

Lancez votre topologie en ciblant le fichier .net avec dynagen depuis un autre terminal

Last login: Thu Apr 10 00:57:57 on ttys000
madrouter:~ alex$sudo dynagen /Users/alex/IOS/test.net

( Attention : avec cette méthode vous devrez à coup sûr killer dynamips qui se transformera en zombie lorsque vous fermerez votre shell )

Dans ces cas la, la commande ultime reste et restera sh ip int br (A savoir show ip interface brief).
Mais même réduite à sa plus petite taille cette commande si on doit la répéter 20 fois en 10min, et bien ca reste quand même plutôt long …
Il y a donc un moyen simple de réduire encore la taille de cette commande avec un ALIAS §§!!

Il faudra certes inclure cette commande dans ce que les étudiants devront faire, mais une fois fait, c’est que du bonheur.

On se place en mode de configuration globale:

madRouter(config)# alias <mode> <alias> <real command>

La commande à utiliser sera donc

madRouter(config)# alias exec s show ip interface brief

On pourra créer des alias pour les commandes les plus usitées.

alias exec sir sh ip route
alias exec sr show running-config
alias exec c conf t
alias exec sinc sh run | inc

Avec la dernière commande vous pourrez afficher uniquement les lignes dans la running-config qui contiennent ce qu’il y aura en paramètre après sinc.

Router#sinc ma
boot-start-marker
boot-end-marker
username madrouter password 7 14021C1B050A393B2B3D21212D1A0B130E005A50561D

On pourra aussi créer des alias pour les commandes du mode de configuration globale comme par exemple

madRouter(config)# alias configure rr router rip
madRouter(config)# alias configure ro router ospf
madRouter(config)# ro 12
madRouter(config-router)#

Mais attention, car vous pouvez réécrire une commande ios, exemple

madRouter(config)# alias exec logout sh run

Et vous ne pourrez plus vous deloguer avec la commande logout
Usez et abusez des alias

Apres avoir effectué la commande show run sur le routeur R1 vous obtenez ceci:

!
ip route 10.0.0.0 255.0.0.0 100.100.100.1
ip route 10.0.0.0 255.0.0.0 interface serial 1
!

La question est simple, quel chemin sera sélectionné par le routeur R1 pour joindre le réseau 10.0.0.0/8 ?
… Et pourquoi ?

edit: Réponse en comment.

Ton ACL observe attentivement les entêtes… tu perds en performance et en plus de cela ton routeur recrache de l’ICMP Unreachables à la source pourrissant ainsi le traffic et pouvant être utilisé comme une reconnaissance!

D’où ici… la double possible attaque DoS…. on blinde en rêquete sur le réseau filtré en spoofant l’adresse source… le routeur monte en charge et un péon de ton réseau reçois de l’icmp à ne pas savoir quoi en faire!

Et là, le black hole routing intervient…

Le black hole routing, ce n’est ni plus ni moins que du routage statique vers l’interface logiciel null0 autrement dis “on drop ” . De cette façon aucune ACL n’est nécessaire, aucune perte de performance vu qu’il s’agit juste de routage ( merci CEF ) et aucun renvoi de paquets ICMP ! Le h4ck3r ne sait même pas que son paquet a été filtré !

2 commandes nécessaire !

MadRouter(config)#interface null0
MadRouter(config-if)#no ip unreachables

Empêche ici l’envoi d’icmp unreachables pour indiquer que la route est filtré…

Et ensuite

MadRouter(config)#ip route 10.0.1.0 255.255.255.0 null0

Redirige tout les paquets à destination de 10.0.1.0 /24 vers null0 ( kicked xD )