Thursday, February 25, 2010

VMware IP Address Already Assigned to Another Adapter

I got the following message when I was attempting to change the DNS address on a few of  my VMware Servers today.

The IP address XXX.XXX.XXX.XXX you have entered for this network adapter is already assigned to another adapter Name of adapter. Name of adapter is hidden from the network and Dial-up Connections folder because it is not physically in the computer or is a legacy adapter that is not working. If the same address is assigned to both adapters and they become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to enter a different IP address for this adapter in the list of IP addresses in the advanced dialog box?
In this message, XXX.XXX.XXX.XXX is an IP address that you are trying to set and Name of adapter is the name of a network adapter that is present in the registry but hidden in Device Manager.



I tried  Microsoft's suggestion in this article "http://support.microsoft.com/?kbid=269155" however it didn't work for me. I had to create a "system environment variable" and give it the value of "1". Once that was completed I was able to follow the rest of the article. I removed all hidden adapters except for the "RAS Adapter" and I was then able to add the new IP address.

How to create a system variable:

On a Windows machine right click "My Computer" --> Properties --> Advanced tab--> Environment Variables--> System variables -->Click new --> Specify a "Variable name" (devmgr_show_nonpresent_devices)  and the "Variable value" which is 1



Enjoy now you can rest easy!

Reference Links:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1179

http://support.microsoft.com/?kbid=269155

Wednesday, February 24, 2010

Troubleshooting VMware ESX Networking


Troubleshooting ESX 4.0 Networking Issues

Phase one: Verification


If you installed the ESX software and you are unable to ping the host after installation try the following steps.

1. Verify that the required network interface cards are up and the switch port is up and configure correctly.
ESX Command to check network cards:
 esxcfg-nics –l 
Once you confirmed that your NICS are up verify the duplex setting on both your network switch and your ESX host.

ESX Command to set the speed to 1 Gig / Full duplex to full for NIC 0
esxcfg-nics –s 1000 –d full vmnic0
2. Verify that you have the  correct network addressing configuration:
less /etc/sysconfig/network
3.       Verify your vSwitch configuration.
esxcfg-vswitch –l
This command is also use to create and update a virtual machine (vswitch) network settings as you will see later one.
Here you can see that NIC 0 and 2 are both assigned to vSwitch0



Verify your service console network setting.
esxcfg-vswif –l

This command is also used to create and update the service console network settings. This command is used if you cannot manage the ESX Server host through the VI Client because of network configuration issues

                   
      You can also use this command to create and update the virtual machine (vswitch) network settings.

If you are still unable to establish connectivity to the hosts, by this time, you can use the following commands to delete and recreate the vSwitch.

Phase two: Changes
At this point if after verifying the following settings you don’t see anything unusual, you would take note of the above settings, delete them and recreate it.

esxcfg-vswitch  –d vSwitch0 --> To remove virtual switch
esxcfg-vswitch  –a vSwitch0 --> To re-add a virtual switch
esxcfg-vswitch -L vmnic0 vSwitch0 --> To assign physical nic0  (repeat and add additional nics)
esxcfg-vswif  -d vswif0 --> To remove the service console network.

esxcfg-vswif -a vswif0 -p "Service Console" -i 10.100.0.114 -n 255.255.255.128 --> Add a Service Console (vswif0)
esxcfg-vswitch -v 69 -p "Service Console" vSwitch0 --> Add Vlan 69 to service console on vSwitch0


After these steps its important to restart the network service with the "service network restart" command.



Sunday, February 14, 2010

Metadata analysis is cewl!

The idea of this post came about while using the program "cewl" that was created by Robin Wood aka @digininja. I initially started using this application to harvest the email addresses on my company's website so I can compare to a know list of exchange public folders and correct any discrepancy. If you would like to give cewl a try you can find a nice install guide over at @joswr1ght website.
However after utilizing some of cewl's functions to download documents while analyzing the email addresses, I then went a step further and used Larry's paper as a guide to analyze some of those documents and the results were shocking. This brought on the realization that a lot of companies just post PDF's/ Word documents online without thinking about sanitizing them first, and thats just making it easy for the bad guys. I am not going to get into all the details of my findings but I would say if you haven't used cewl or read Larry's paper you are doing yourself a great injustice.

Now before you start panicking the are a few things you can do to limit the exposure of personal data your company might inadvertently leak on the internet. The National Security Agency published a paper back in 2008 which I believe is still very useful today. You can use this paper as a guide for sanitizing your PDF's and other documents before publishing them online.
I decided to do something new this time, and ask both Authors a few questions:

Robin Wood Q&A:

What prompted you to create cewl?
Cewl is based on a blog post by Larry "HaxorTheMatrix" Pesce from http://www.pauldotcom.com/. He used command line tools,and I put it all in one place.

Do you think that the area of metadata research is not getting a lot of attention?
I think there is a bit of research going on, Larry does some and foca is a great app. It is defense that is lacking.

What was the main usage you had in mind for this tool and is that goal being meet?
The main usage was creating dictionaries for dictionary attacks and it seems to be working from the feedback I've been getting.

What other meta data analysis tools are you working on?
I'm currently not working on any meta data projects at the moment, however I tend to be a spur of the moment developer so if I have an idea you might see a tool the next day.

How can someone contribute or help out with this tools or any other of your projects?
If anyone wants to contribute they can mail me ideas or send code patches. I'm always happy to listen to ideas.

Where can people follow your work and find out more about what you are doing?
For more details on my projects visit http://www.digininja.org/ or follow me on twitter @digininja.

Larry Pesce Q&A:

What made you decided to focus your research and write a paper on the evils of meta data?
It started with they myspace 1.6 gig picture leak, I wanted to see if any of the images contained GPS info so that I could tie the picture to a location.

Do you think everyone is doing their part to bring awareness to this issue?
I think that folks are just starting to come around on the whole "detailed recon" aspect of a test and are starting to educate themselves.

Would you say every company that publishes documents on the web should have a policy in place that addresses sanitizing documents?
I would not say that every company needs to have a policy on it.I know shocking! For some, the effort put forth to sanitize the public documents has no reward in reducing risk. But I think that if you do the analysis, any mid sized or larger company can easily and adequately address the risk that it introduces.

Since the paper have you done any additional work or research in this area?
I have done some, such as looking at some other common stuff for information gathering and recon. I have looked at simcards, and other document types; such as streaming video, stuff like YouTube for GPS tagged videos, and of course automating a lot of the work.

Do you think that more people should be doing research in this field?
Yes, in as much as the attackers are doing the same thing. I think that most of us don't realize how much info is out there with a little bit of digging

I would like to end with a quote which I am sure I have picked up from the PDC crew “no need for a zero day, when all your personal information is in the wild".

Reference links:

http://www.digininja.org/
http://pauldotcom.com/wiki/index.php/Episode129
http://pentestit.com/2009/05/16/foca-fingerprinting-organisation-collected-archives/
http://www.sans.org/reading_room/whitepapers/privacy/document_metadata_the_silent_killer_32974
http://www.willhackforsushi.com/?p=410
http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf
http://www.nsa.gov/ia/_files/app/pdf_risks.pdf

Friday, February 5, 2010

Configuring a NetMRI Appliance



I am currently in the middle of working on a project that involves configuring a NetMRI appliance and a accompanying event collector. So far I am finish configuring the appliance along with a test switch "Cisco 3560".This blog posting will briefly go over some of the steps I took to accomplish this task.

What is NetMRI?
NetMRI enables organizations to take control of network configurations and changes–making it easy to identify hard-to-find configuration problems that are lurking in the network and meet internal standards and external compliance requirements. Instead of just logging changes, NetMRI utilizes built-in subject matter expertise to audit, analyze and automate network change.


Prior to starting the configuration process for the NetMRI appliance you need to install an SSH client and have a cross over cable, or a switch with the correct VLAN configured. NetMRI always listens on the private IP address 169.254.1.1,with subnet 255.255.255.0. Simply configure your machine to 169.254.1.3 or any address in that range within this range that’s lower than .254 with a subnet of 255.255.255.0.
Once you are finish try to ping 169.254.1.1 if you are able to communicate with the appliance you can use your favorite SSH client and connect to the appliance on port 22 using  the following credentials admin/admin and from there run the “configure server” command.
During this process you will be asked several questions:
·         Network , Server and Domain name
·         Two DNS address
·         Time server/ time zone
·         Management port IP address and gateway
·         Scanning port IP address an gateway if you choose to use both ports

Once you are finish you can now login into the appliance using the newly assigned IP address that was selected during the setup above. Ex http://172.29.19.4


Select next to continue. 
Step 1:   Chose a new admin password.
Choose a difficult password, since the username cant be changed its advisable to use a password that's not easily guessed.

Step 2: License file
Browse to the location on your computer where you have the file and click next.
 Step 3: IP Addresses/CIDR Blocks
You can either add a whole subnet or individual IP addresses using a /32 at the end of the IP address.


Setp 4: Community Strings
Here is where you will enter the string that you will be configuring on your router and switches.

Step 5: CLI Credentials
Here is where you need to enter the user name and password that the NetMRI appliance is going to be using to access your infrastructure devices; you will also need to enter your Enable password here to. 
Once you are done click finish.
After the NetMRI setup process has been completed, review the Network Explorer tab > Inventory tab > Devices / Interfaces section > Devices page. If the Default Gateway, CIDR blocks, SNMP credentials and Telnet/SSH credentials were entered correctly, you should start to see devices listed in this table within a few minutes. Periodically refresh your browser to see the progress of the discovery process.

Troubleshooting

If you don’t see any devices within a few minutes, you should verify the accuracy of the network information added during the configuration process as follows:

1. In the NetMRI header panel, click the Settings button. In the menu along the right side of the Settings window, click the Setup section, then click Discovery Settings. Ensure that the given CIDR blocks cover the desired parts of your network. Also, ensure that the Default Gateway is covered by one of the Included CIDR blocks, but not by one of the Excluded CIDR blocks.

2. In the menu along the right side of the Settings window, click Collectors and Groups (just above Discovery Settings). Ensure that SNMP collection is Enabled. In the Settings window, click SNMP Credentials and verify that the community strings for your network devices are entered properly (e.g., check spelling and case-sensitivity).

3. If NetMRI was configured using a crossover Ethernet cable and NetMRI was not on the network following completion of the configuration process, then NetMRI may not have been successful in its initial probes of the network. Navigate to Settings > Settings section > Discovery Settings page and click the Reset Discovery Counters button (below the table) to kick off the initial network probes again, then continue to monitor the discovery process as before.
Any changes made using the forms described above will be automatically used by the discovery process. If the new information is correct, you should start to see devices appearing in the table at Network Explorer tab > Inventory tab > Devices / Interfaces section > Devices
  
Cisco Device Configuration

Create Username on the Cisco 3560 switch
======================================
username mriuser password 7
aaa new-model
aaa authentication login default local

Configure SNMP Cisco Catalysis 3560
===================================
config t
snmp-server group nmri v2c read mrigp
snmp-server community mr131 RO
snmp-server user mriuser nmri v2c
snmp-server enable traps syslog

Doing an SNMP Walk


In order to do a SNMP walk you need to replace the Root OID system with 1.3.6.1.2.1.1.
Reference links: