A technology scientist. Humans live a biologically driven existence, through which I like to find ways the non-biological machines can help us live more meaningful lives; stated in my complex of words and imagination.
One issue I had with Gobuster, and with any of the site brute-forcing tools like DirBuster/dirb, is that they only take one list at a time per command, so running several lists through them is extremely tedious.
I instead opted to create a wrapper script in Python to call gobuster on multiple lists for me. I used the lists that come with the newer Kali upgrades/distros; they make a good start when attacking boxes for practice in labs or CTFs.
In case it isn't installed, the only non-standard Python module needed is "sh".
Administratively down – the shutdown command was issued on the interface
down – one of: no cable; bad cable; wrong cable pinouts; speed mismatch; neighbor device is off; error-disabled by port security
Protocol Status
up – interface is working
down – one of: shutdown command issued; cable issue; speed mismatch; neighbor is off
down (err-disabled) – port security put the port in the err-disabled state
Interface Status
disabled – shutdown command was issued
notconnect – bad cable; speed mismatch; no neighbor device
connected – interface is working
err-disabled – disabled by port security
Duplex
a-half – half duplex; the "a-" prefix means the duplex was auto-negotiated
INTERFACE CODES/COUNTERS
- Seen in the "show interfaces fa0/0" command
- Most of these counters increment during half-duplex operation; late collisions in particular point to a duplex mismatch
Input Errors – a total of many counters, including runts, giants, no buffer, CRC, frame, overrun and ignored counts
Runts – frames that don't meet the minimum frame size of 64 bytes (including the 18 bytes of destination MAC, source MAC and FCS). Can be caused by collisions
Giants – frames that exceed the maximum frame size of 1518 bytes (including the 18 bytes of destination/source MACs and FCS)
CRC – frames that fail the FCS check; likely caused by collisions or interference
frame – frames received with an illegal format, e.g. a partial byte; likely caused by collisions
Packets Output – total number of frames forwarded out of the interface
Output Errors – total number of frames the port tried to transmit but had some problem with
collisions – count of all collisions that occurred while the interface was transmitting a frame
late collisions – collisions that happen after the 64th byte has been transmitted. Very likely point to a duplex mismatch and increment on the switch side using half duplex
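As an added example (not part of the original notes), a small Python parser that pulls these status fields and counters out of show interfaces text and maps them onto the causes listed above; the SAMPLE block is constructed to look like IOS output, and the counter names are the ones IOS prints:

```python
"""Classify the 'show interfaces' fields described in the notes above.

Added example, not part of the original notes. SAMPLE is a constructed
block in the shape of IOS 'show interfaces fa0/0' output.
"""
import re

SAMPLE = """FastEthernet0/0 is up, line protocol is up
  Half-duplex, 100Mb/s, media type is RJ45
     0 runts, 0 giants, 0 throttles
     1523 input errors, 412 CRC, 0 frame, 0 overrun, 0 ignored
     48211 packets output, 3127744 bytes, 0 underruns
     97 output errors, 6610 collisions, 2 interface resets
     0 babbles, 88 late collision, 0 deferred
"""

# Counters the notes call out; IOS prints each as "<number> <name>".
COUNTERS = ("runts", "giants", "input errors", "CRC", "frame",
            "packets output", "output errors", "collisions", "late collision")


def parse_interface(text):
    """Return line status, protocol status, duplex and the named counters."""
    head = re.search(r"^(\S+) is (.+?), line protocol is (\S+)", text, re.M)
    dup = re.search(r"\b(Full|Half|Auto)-duplex", text)
    counters = {}
    for name in COUNTERS:
        hit = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        counters[name] = int(hit.group(1)) if hit else 0
    return {"interface": head.group(1), "line": head.group(2),
            "protocol": head.group(3), "counters": counters,
            "duplex": dup.group(1).lower() if dup else None}


def diagnose(text):
    """Map the parsed fields onto the likely causes listed in the notes."""
    info = parse_interface(text)
    c, findings = info["counters"], []
    if info["line"] == "administratively down":
        findings.append("shutdown was issued on the interface")
    elif info["line"] != "up" or info["protocol"] != "up":
        findings.append("cable, pinout, speed mismatch or neighbor down")
    if c["late collision"]:
        # Collisions after byte 64 point to a duplex mismatch and show up
        # on the side running half duplex.
        findings.append("late collisions: probable duplex mismatch")
    if c["runts"] or c["CRC"] or c["frame"]:
        findings.append("runts/CRC/frame errors: collisions or interference")
    if c["giants"]:
        findings.append("giants: frames larger than 1518 bytes")
    if info["duplex"] == "half" and c["collisions"] and not c["late collision"]:
        findings.append("collisions on a half-duplex port: normal CSMA/CD")
    info["findings"] = findings
    return info
```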
This article is part of the CCNA course material I use for study. It covers everything needed to know about IPv6 as a layer 3 protocol to help pass the CCNA v3 exam, and is also a final consolidation of my notes on the subject, with a full video and lab demonstration link provided to help the reader and myself understand it better. It will be updated as new information comes in.
Why IPv6
IPv6 is the next-generation protocol that solves the IPv4 exhaustion problem currently being held together by CIDR and NAT, as discussed in the IPv4 article. IPv6 has many similarities to IPv4 but also many new features, such as new address types that allow for enhanced network communication. For example, IPv6 clients can auto-generate a link-local address and begin talking to each other on the network without admin intervention. With 128 bits of address, roughly 3.4×10^38 (340 undecillion) addresses are available to IPv6; this is like giving every atom on planet Earth its own IP address three times over. The points needed to know everything for the CCNA are summed up below.
Who made it
Registration with IANA > RIR (ARIN) > ISP > your company must be made before using a routable IPv6 address/subnet. Otherwise the traffic will be dropped at some point in the routing process, likely by the ISP or a higher authority.
Characteristics
128 bits > 32 hexadecimal digits > 8 sets of 4 hex digits (quartets) > 4 bits per digit > 16 bits per set
e.g. 11aa:22bb:33cc:44dd:55ee:66ff:7777:8888
Rules for ease of use:
Abbreviate leading 0s, NOT trailing 0s, e.g. FE00:0000:0000:0001:0000:0000:0000:0056 = FE00:0:0:1:0:0:0:56
Abbreviate consecutive quartets of 0s with a double colon, but only once, e.g. FE00:0:0:1::56
Review of Hex Numbering
Hex  Binary    Hex     Binary
0    0000      8       1000
1    0001      9       1001
2    0010      A (10)  1010
3    0011      B (11)  1011
4    0100      C (12)  1100
5    0101      D (13)  1101
6    0110      E (14)  1110
7    0111      F (15)  1111
IPv6 Header:
4 bytes: version; class; flow label; payload length; next header; hop limit
32 bytes: source address (16 bytes); destination address (16 bytes)
How it Works on Cisco Routers
When enabled on the router and on an interface (see below for commands), it:
- enables routing of IPv6 packets
- defines the IPv6 prefix that will be used on that interface
- adds a connected route to the routing table when the interface is up/up
- Interfaces can have IPv6 link-local and global addresses configured and in use via the special ipv6 enable command in interface subcommand mode; they don't necessarily need IPv6 routing enabled on the router
Dual Stack: the term used when routers run both IPv4 and IPv6 routing and keep a separate routing table for each
Address Types
Global Routing Prefix:
The closest thing to IPv4's classful networks, except that the company is locked to the network mask assigned by the IPv6 authorities, so there are really no classes: the address block assigned to a company is also the block used to reach that company. The prefix should let the company assign as many addresses as it needs, and so provides for that many.
e.g. Host: 2001:0DB8:1111:0001:0000:0000:0000:0001/64 – this allows for 2^64 = 18446744073709551616 hosts
Prefix ID: 2001:DB8:1111:1::/64 – keep in mind that 16 bits are used to represent the subnet ID, allowing for 2^16 = 65536 subnets
Next prefix ID: 2001:DB8:1111:2:: – this goes on until all 4 hex digits of the 16-bit subnet field reach the maximum hex digit F (15)
Final prefix ID: 2001:DB8:1111:FFFF::
Prefix ID (same as subnet ID):
e.g. a /64 is the first 16 hex characters of the 128-bit/32-hex address
e.g. 2000:1234:5678:9ABC::/64 is the prefix ID of 2000:1234:5678:9ABC:1234:5678:9ABC:1111/64
Global Unicast Address:
Originally began with 2 or 3.
Any unicast addresses not specifically reserved are considered global unicast.
Registered with IANA; allow an organization to assign all their hosts public addresses
EUI-64 (Extended Unique Identifier): a method to generate a unique interface ID after the prefix has been chosen
- Inserts the hex digits FFFE directly between the two halves of the interface's 12-hex-digit MAC address to make a unique 64-bit/16-hex-digit interface ID
- Finally, the 7th bit of the new interface ID (in the second hex digit, reading left to right) is inverted: if it's 1 make it 0, if it's 0 make it 1
- For serial interfaces without MAC addresses the router uses the MAC of the lowest-numbered interface that has one
Unique Local Unicast Address:
Begins with FD (8 bits) > the next 48 bits (10 hex) are the global prefix (can be randomly generated) > the next 16 bits are the subnet field > finally 64 bits for the hosts
RFC 4193 requests that the 8th bit be 1, so FC00::/7 is what IANA originally reserved
Assign a global ID and prefix ID (in this case everything is under the engineer's control except the first 8 bits, which must be FD)
Not registered; can be used by any organization
Like IPv4 private addresses, they don't need registration
Link Local:
Begins with FE8, FE9, FEA or FEB
- First 10 bits must match FE80::/10
- Next 54 bits must be binary 0s, e.g. FE80:0000:0000:0000::/64
- Next 64 bits can be auto-generated with the EUI-64 method, entered manually, or generated with Microsoft's algorithm
Used for overhead protocols and for routing, e.g. NDP uses this type of address
Unicast address
Not forwarded by routers, so it only stays within the local subnet
Also used as a next-hop address by routers in the same subnet and as the default gateway for hosts
Automatically generated using EUI-64 when an interface is configured with any other IPv6 unicast address
Site Local Addresses:
No longer part of the IPv6 standard; began with FEC, FED, FEE or FEF
Multicast Addresses:
Configured when a corresponding protocol is enabled
Begin with:
FF02::1 – all IPv6 interfaces on the subnet
FF02::2 – all IPv6 router interfaces on the subnet
FF02::5 – all OSPFv3 routers on the subnet
FF02::6 – all OSPFv3 DR routers on the subnet
FF02::9 – all RIPng routers on the subnet
FF02::A – all EIGRPv6 routers on the subnet
FF02::1:2 – all DHCPv6 relay agent routers on the subnet
Solicited-Node Multicast Addresses
- The first 104 bits are FF02:0000:0000:0000:0000:0001:FF, also written FF02::1:FF
- The last 6 hex digits / 24 bits of the IPv6 unicast address assigned to a host fill the last 24 bits of the address
- Some nodes may end up with the same solicited-node address and overlap on it
- All hosts listen for packets sent to this address
- Used to address the overlapping hosts that share the same solicited-node address
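The abbreviation rules, the /64 prefix ID, EUI-64 interface IDs, link-local addresses and the solicited-node mapping described above, worked through in Python as an added example (not code from the original notes). The MAC address used in the checks is constructed, and 2001:DB8::/32 is the documentation prefix:

```python
"""IPv6 address mechanics from the notes: abbreviation, prefix ID, EUI-64,
link-local and the solicited-node multicast address.

Added example, not from the original notes. MAC addresses used here are
constructed; 2001:DB8::/32 is the documentation prefix.
"""
import ipaddress


def abbreviate(addr):
    """Drop leading zeros per quartet; collapse the longest run of zero
    quartets into '::' once (ipaddress applies exactly those two rules)."""
    return str(ipaddress.IPv6Address(addr))


def prefix_id(addr_with_len):
    """The /64 prefix ID is the first 16 hex digits of the address."""
    return str(ipaddress.IPv6Network(addr_with_len, strict=False))


def eui64_interface_id(mac):
    """Build the 64-bit interface ID from a 48-bit MAC.

    Insert FFFE between the two halves of the MAC, then invert the 7th bit
    of the first byte (reading left to right), i.e. XOR with 0x02.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix, mac):
    """What 'ipv6 address <prefix>/64 eui-64' produces: prefix + EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8]
                                     + eui64_interface_id(mac)))


def link_local(mac):
    """FE80::/10 with the next 54 bits zero and an EUI-64 interface ID."""
    return eui64_address("FE80::/64", mac)


def solicited_node(addr):
    """FF02::1:FF followed by the low 24 bits (last 6 hex digits) of addr."""
    low = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low))
```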
Anycast Addresses
Begin with: any unicast address; must use a host mask of /128 and be specified as an anycast address in the IOS
Provide a service that may be spread among different routers/devices; a host calling on the service reaches the nearest device
Subnet Router Anycast Addresses:
Used by routers to send packets to any other router on the subnet
Contains the same prefix and all binary 0s for the interface ID
Unknown/unspecified Address:
:: or all 0s
Used as the source IP address when a host doesn't know its own address, e.g. when using DHCP
Loopback address:
::1 (like 127 in IPv4)
Used to test the IPv6 stack
IOS Commands
ipv6 unicast-routing – global configuration mode; ACTUALLY ENABLES IPv6 ROUTING (forwarding of IPv6 packets). Without this command the router will still act as an IPv6 host on its interfaces but won't route IPv6 packets
int <type> <#/#> – choose the interface to configure; the commands below are entered from interface subcommand mode
ipv6 enable – simply enables IPv6 on the interface and generates its link-local address. Good for simple WAN links, since they only need link-local addresses to route packets across them
ipv6 address 2001:0db8:1111:0002:0000:0000:0000:0001/64 – example IPv6 address written out completely
ipv6 address 2001:0:1:1::1/64 – example of an abbreviated assigned address (DON'T forget the double-colon syntax; also feel free to remove leading 0s). This also automatically assigns a link-local address
ipv6 address 2001:DB8:1111:1::/64 eui-64 – example of the EUI-64 method, which takes the MAC, inserts FFFE in the middle and inverts the 7th bit to create the 64-bit host ID
ipv6 address <address> link-local – manually assigns the link-local address
In a home environment I have always used and been able to rely upon Trinity Rescue Kit. If you're working in an enterprise environment this won't work on domain accounts, but if for some reason you have no access at all to the PC you can at least reset the administrator's password and get in. If I don't need to get in to retrieve any information I would just re-image the PC and not bother, but in case you need something, here is the tool.
You will get an ISO image; just burn it to CD, since your PC most likely has a CD drive. If not, you will have to make a bootable USB drive with it and boot from USB. This tutorial is for the CD version, but if you need to make a bootable USB drive I like using a little tool called YUMI.
Boot into your TRK disc, choose the Interactive WinPass option, then choose option 1 to select your Windows installation and list its users.
Type in the name of the user you want to clear a password for and you're done! (See video for details)
So we like playing music in the car, or wherever we are, from our phone using YouTube. Let's instead download our music beforehand and not use our phone's costly bandwidth! On top of this we just want to download the audio, since it is a much smaller file and takes up little room.
Tool Needed:
Back to my favorite online video downloader: youtube-dl. This is the simple command-line tool we will run in the command prompt to grab our videos. I have written a previous post on how to use it; please check that out to see how it works.
This is a quick blogged guide for administrators who need to delete an email from their organization for one reason or another. In my case this was due to an outbreak of a CryptoLocker-like virus called Cerber.
The Task: find the emails and delete them from the system to prevent further incidents from popping up and making more work for us, because we always have to re-image, and in some cases physically replace, the machines, not to mention user downtime.
First Step:
First we want to locate and identify the emails targeted for deletion. In my case we received the payload from this address: [email protected] (first, just want to say .ru is Russian!). We should never open emails like this, but users will still go for it. There are several ways to find where the emails went, who read them and so on, and this is what we will do going off this address.
Options for Searching: Exchange PowerShell OR the Exchange e-Discovery GUI
I'll normally use both. In many cases, if the search involves gathering emails, it is easiest for me to run an e-Discovery search and export them into a PST file. For deletions, though, we want to use PowerShell, since it is the only way I currently know of to delete emails from the system and from user mailboxes in bulk.
- This command first grabs all mailboxes within the organization, then pipes them to our search function using the "|" symbol. In the search operation, "Search-Mailbox -SearchQuery" lets us specify the "From:" text to find our matching address. The command then follows up with a target mailbox and folder to receive a report of the results; in my case I'm sending it to my admin user's mailbox under the "SearchAndDeleteLog" folder I created for it.
Here is a guide to other parameters I might use when running the search. We can use things like the subject line or dates and get fairly specific. Keep in mind it uses KQL, which is the same syntax used in e-Discovery. Use this guide for an idea of what search parameters you can use for -SearchQuery: https://technet.microsoft.com/en-us/library/ms.o365.cc.searchquerylearnmore.aspx#emailproperties
Once you have results you are happy with, you can move on to delete them with the following command:
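As an added example (not the post's own commands, which are not reproduced here), the log-only search step and the delete step written out for the Exchange Management Shell; `<sender-address>` is a placeholder for the sender found in the message, while `adminuser` and `SearchAndDeleteLog` are the target mailbox and folder named in the post:

```powershell
# Added example, not the post's own command. Run in the Exchange Management Shell.
# Search-Mailbox needs the Discovery Management role; -DeleteContent additionally
# needs the "Mailbox Import Export" role assigned to the admin account.
# <sender-address> is a placeholder for the phishing sender's address.

$query = 'From:"<sender-address>"'   # KQL; append e.g. ' AND Subject:"invoice"' to narrow it

# Step 1: search every mailbox and only log the hits into the admin mailbox.
# -LogOnly copies and deletes nothing; the report lands in SearchAndDeleteLog.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query `
        -TargetMailbox "adminuser" -TargetFolder "SearchAndDeleteLog" `
        -LogOnly -LogLevel Full

# Step 2: once the log shows only the intended messages, re-run with -DeleteContent.
# With a target mailbox still given, each deleted message is copied there first,
# so a copy is preserved for the incident record.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query `
        -TargetMailbox "adminuser" -TargetFolder "SearchAndDeleteLog" `
        -LogLevel Full -DeleteContent -Force
```

This form applies to on-premises Exchange; in Exchange Online, Search-Mailbox has since been deprecated in favour of New-ComplianceSearch followed by New-ComplianceSearchAction -Purge.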
I was concerned that it would also infect file shares, but from what I can see it doesn't touch them. After a user infected a computer on our network, it looks like nothing else has been touched, but all the files on her computer display messages like this:
Every file basically encrypted until you pay the son of a guns.
Basic steps on handling this type of problem:
Verify none of your other networked file shares have been infected and run a full virus scan of the shares just to be safe. So far I haven't heard of Cerber jumping to any networked shares, so it keeps things local to the machine, which means it is mainly targeting end users. Here is a snip of code from the above link that leads me to believe it keeps things local, since it's the only reference to any directories it makes:
  "folders": [ ":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\boot\\", ":\\drivers\\", ":\\program files\\", ":\\program files (x86)\\", ":\\programdata\\", ":\\users\\all users\\", ":\\windows\\", "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\", "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\", "\\tor browser\\
Next step is to burn the infected machine (just re-image it). Users might ask for the files, in which case they can pay the ransom if it's that important: something like 2 bitcoins, or $500 if you pay up before it doubles on you every week. One other thing users have asked me is whether they can at least see the files they lost, in which case you're going to be taking a picture of the computer screen, because there's no safe bet I would take making any kind of digital bridge to that computer (i.e. plugging in a USB stick, or taking a snapshot to transfer to a USB stick).
Final step is to replace the user's PC and restore their files. That is, if you back them up!
UPDATE:
Confirmed with the Talos Security group that this is not decryptable as of yet
So if you have ever had to do this, you will first have to deal with the legal side of the software. With Adobe you can order a device or user license.
User licenses are the easiest to deal with because you don't really manage anything other than giving a user the license.
With a device license, however, we need to create a package using Adobe's Creative Cloud Packager, through which we download the software we want, e.g. Premiere, Photoshop, etc. We can then create an MSI file from that to distribute in SCCM 2012.
So check it out, I have a video for this :)
- Sorry for the blurred parts, for security purposes
- If there are questions, post in the comments and I'll reply.
Download Creative Cloud Packager to the local HD
Run CC Packager and select the option to create a package for Teams and Educational licenses (otherwise you won't get the Device License option)
Use the program to download and create a package of the Adobe programs you want
Import it into SCCM as an application
Distribute it to your device collection as needed. The applications should afterwards run without requiring the device to sign into the Cloud