Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at http://www.chappellseminars.com/.


Wednesday, October 7, 2009

SNMP Snooping


Summit 09 Bonus: Licensed NetScanTools Pro - a $249 Value

All Summit 09 attendees will receive a full licensed copy of NetScanTools Pro - a $249 value.

One of the labs for Summit 09 deals with SNMP snooping - locating information about a device by taking advantage of available MIB (Management Information Base) data through SNMP walking.
Networks abound with SNMP-based devices - we can use the Port Scanner tool to generate a simple UDP scan for port 161 to discover those SNMP devices.

In NetScanTools, I discovered a few network printers supporting SNMP. I entered the IP address of one of the printers and selected the WALK action for the Object ID (OID) .iso.org.dod.internet. I left the community string at the default as I was certain no one had changed it since the printer was plugged in.

The result - a 24-page document filled with information about that printer and the other devices on the wired and wireless networks. The standard printer information was puked out as expected, but this SNMP snoop yielded loads more information:
  • ARP table listing devices on the wired and wireless network
  • MAC layer In/Out statistics (including errors)
  • TCP In/Out statistics (including errors)
  • UDP In/Out statistics (including errors)
  • ICMP In/Out statistics (including errors)
  • Routing table
  • List of all received/transmitted ICMP packets
  • SSIDs, channel numbers and signal strength of local WLANs - not just the WLAN that the printer was on and not just on the channel the printer was on
As I started playing a bit more and finding other unique SNMP devices, I realized I needed to load some new MIBs - a MIB is a database of objects. I found hundreds of MIBs available online at www.oidview.com/mibs/detail.html.

One of the coolest features in NetScanTools' SNMP tool is the ability to determine listening ports on the target without using a port scan. By generating udpLocalPort and tcpConnState queries, I could get the list of open UDP and TCP ports directly from the source.
Using NetScanTools we can discover SNMP devices on the network, load an unlimited number of additional MIBs and perform a dictionary attack to identify the community string used by SNMP devices.
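To see at a glance what such a walk gives away, here is a small Python parser (an added example, not NetScanTools code or anything from the original post) that reads net-snmp style walk output and pulls out the same items described above: listening TCP ports from tcpConnState, bound UDP ports from udpLocalPort, and the ARP cache from ipNetToMediaPhysAddress. The walk text is a constructed sample; the object names and index layouts are the standard TCP-MIB, UDP-MIB and IP-MIB ones.

```python
import re

# Constructed sample of net-snmp style walk output from a printer (not a real capture).
# Each line is OBJECT.index = TYPE: value, as snmpwalk prints it.
SAMPLE_WALK = """\
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.9100.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.10.1.1.5.515.10.1.1.20.49152 = INTEGER: established(5)
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.5353 = INTEGER: 5353
IP-MIB::ipNetToMediaPhysAddress.1.10.1.1.1 = STRING: 0:aa:bb:cc:dd:ee
IP-MIB::ipNetToMediaPhysAddress.1.10.1.1.20 = STRING: 0:11:22:33:44:55
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# tcpConnTable index: localAddr.localPort.remAddr.remPort
TCP_RE = re.compile(rf"tcpConnState\.{IP}\.(\d+)\.{IP}\.(\d+) = INTEGER: (\w+)")
# udpTable index: localAddr.localPort
UDP_RE = re.compile(rf"udpLocalPort\.{IP}\.(\d+) = INTEGER: \d+")
# ipNetToMediaTable index: ifIndex.ipAddr
ARP_RE = re.compile(rf"ipNetToMediaPhysAddress\.\d+\.{IP} = STRING: (\S+)")

def parse_walk(text):
    """Collect listening TCP ports, bound UDP ports, live TCP peers and the ARP cache."""
    found = {"tcp_listen": set(), "udp_ports": set(), "tcp_peers": set(), "arp": {}}
    for line in text.splitlines():
        if m := TCP_RE.search(line):
            _laddr, lport, raddr, rport, state = m.groups()
            if state == "listen":
                found["tcp_listen"].add(int(lport))
            elif state == "established":
                found["tcp_peers"].add((raddr, int(rport)))
        elif m := UDP_RE.search(line):
            found["udp_ports"].add(int(m.group(2)))
        elif m := ARP_RE.search(line):
            found["arp"][m.group(1)] = m.group(2)
    return found

def report(found):
    """One line per finding, the way an audit note would list them."""
    lines = [f"TCP listening: {sorted(found['tcp_listen'])}",
             f"UDP bound: {sorted(found['udp_ports'])}",
             f"Hosts disclosed via ARP cache: {len(found['arp'])}"]
    if 161 in found["udp_ports"]:
        lines.append("SNMP agent reachable on UDP/161: review community strings and ACLs")
    return lines

if __name__ == "__main__":
    print("\n".join(report(parse_walk(SAMPLE_WALK))))
```

Feed it the saved output of a walk against your own printer and the report shows exactly what anyone with the community string can read.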

Join us at Summit 09 on December 7-9th! You'll get a copy of NetScanTools Pro and 3 full days of hands-on individual and group labs focused on troubleshooting and security. Don't miss it!
Download the Summit Information Guide from www.chappellU.com. All Access Pass members receive a 50% discount to Chappell Summit 09.

Enjoy life one bit at a time!

Laura

Wednesday, September 23, 2009

Summit 09 Registration Opens


It's a Geekfest Training Event! Last year's Summit was a great success with a room full of folks hunched over their laptops for three days of labs and training. Since that time I've been researching and developing new materials - they are ready to go into Summit 09. Summit 09 will be another BYOL (Bring Your Own Laptop) event - filled with hands-on labs. This time around we will offer both individual and group labs.



Hot Tools and Key Tasks
We will focus on which tools are best for each task, such as the following:
  • traffic redirection and interception
  • IP address sanitizing
  • locating firewalled hosts
  • throughput testing
  • jitter measurement
  • identifying blocked/filtered ports
  • WLAN RF analysis

Troubleshooting Hot Spots and Testing

On day two, we will delve into a corporate network that is consistently garnering complaints. Working from the network diagram, we'll devise a plan to isolate the cause of network problems and perform proactive throughput testing and live RF analysis. We'll address both wired and wireless network problems.


Security and Forensics

On the third and final day, we focus on security. Starting with the TCP vulnerabilities and the SMB2 vulnerability announced this month, we will dissect the key issues and build a malicious/suspicious traffic profile. This profile will save you lots of time and help you spot security flaws on the network.


During the Summit you will be working on network diagrams to pinpoint where to capture traffic and follow the path of communications. The schedule is packed with the latest techniques for catching network problems, identifying suspicious traffic, testing network throughput, analyzing WLAN traffic and discovering network devices and services.


Download the Summit Information Guide. All Access Pass members receive a 50% discount to Chappell Summit 09.

Enjoy life one bit at a time.

Laura

Tuesday, September 8, 2009

Do You Know Where Your Throughput is Today?

iPerf Might Scream "This Stinks!"

Last night I was laughing and crying at the same time while reading a local small town newspaper and the dissertation on bandwidth problems at the local library. They actually shut off half the computers to alleviate the problem. One quote really grabbed me - "We don't notice the bandwidth problem when no one is using the computers." Hunh?

There were a few puzzling comments in the article such as the comment that the bandwidth problem "started 3 weeks ago." That sudden onset of the problem feels like something else to me. It feels like a device along the path that is causing the problems. A quick look at the traffic would validate that.

The article tied in nicely to the iPerf Throughput Testing materials I am finishing up. The reaction to the live iPerf testing done during the Analyze and Improve Throughput course and numerous requests for more information on iPerf prompted me to start developing a course that shows how to perform a series of throughput tests for UDP and TCP traffic.

iPerf is simple and complex at the same time. The one application can be run either in client mode or server mode.

Tests can be run in one direction (from the client to the server, which is the default) or bi-directionally. Here is one of my favorite tests for iPerf:

Client: iperf -c 10.1.1.1 -u -t 60 -i 5
Server: iperf -s -u -i 5

This test enables me to locate jitter and packet loss along a path using a UDP stream sent over a 60-second period with results displayed every five seconds at both the server and the client. As you can see from the screenshot above, the path suffers packet loss reaching 39%. We were sending a steady stream at 1.05 Mbit/second specifically to identify packet loss. Well... we found it. Running the test for a full 24 hours would help us identify specific times of the day when packet loss is at its highest.
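As an added example (not from the post and not part of iperf), a short Python script that parses the interval lines of an iperf 2 UDP server report and flags intervals whose loss or jitter crosses a threshold, the sort of thing you would run over a 24-hour log to find the bad times of day. The report text is a constructed sample in iperf 2's column layout; the thresholds are assumptions.

```python
import re

# Constructed iperf 2 UDP server report (not the screenshot from the post).
# Columns: ID, interval, transfer, bandwidth, jitter, lost/total datagrams.
SAMPLE_REPORT = """\
[ ID] Interval       Transfer     Bandwidth        Jitter   Lost/Total Datagrams
[  3]  0.0- 5.0 sec   641 KBytes  1.05 Mbits/sec   0.312 ms    0/  446 (0%)
[  3]  5.0-10.0 sec   641 KBytes  1.05 Mbits/sec   4.871 ms  174/  446 (39%)
[  3] 10.0-15.0 sec   641 KBytes  1.05 Mbits/sec   0.298 ms    2/  446 (0.45%)
"""

LINE_RE = re.compile(
    r"\[\s*\d+\]\s+([\d.]+)-\s*([\d.]+) sec\s+[\d.]+ \w+\s+([\d.]+) ([KMG]?)bits/sec"
    r"\s+([\d.]+) ms\s+(\d+)/\s*(\d+)"
)

def parse_udp_report(text):
    """Turn each interval line into a dict; the header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        start, end, bw, unit, jitter, lost, total = m.groups()
        scale = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}[unit]
        rows.append({
            "start": float(start), "end": float(end),
            "bps": float(bw) * scale,
            "jitter_ms": float(jitter),
            "lost": int(lost), "total": int(total),
            "loss_pct": 100.0 * int(lost) / int(total) if int(total) else 0.0,
        })
    return rows

def flag_intervals(rows, max_loss_pct=1.0, max_jitter_ms=2.0):
    """(start, end) of every interval over the loss or jitter threshold (assumed defaults)."""
    return [(r["start"], r["end"]) for r in rows
            if r["loss_pct"] > max_loss_pct or r["jitter_ms"] > max_jitter_ms]

def worst_interval(rows):
    """The interval with the highest loss, i.e. the time slot to investigate first."""
    return max(rows, key=lambda r: r["loss_pct"], default=None)

if __name__ == "__main__":
    rows = parse_udp_report(SAMPLE_REPORT)
    for start, end in flag_intervals(rows):
        print(f"problem interval {start}-{end} sec")
    print("worst:", worst_interval(rows))
```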

I hope to get into the local library and run Wireshark and iPerf on the network soon. I have no idea if the systems are locked down - a slight problem that might require some workaround. Meanwhile I'll peruse the shelves for those network troubleshooting books.

The "iPerf Throughput Testing" modules will be included in the Summit 09 course in December (www.chappellseminars.com/summit09.html) - the "Analyze and Improve Throughput" course is available now at www.chappellseminars.com.

Enjoy life one bit at a time.
Laura

Wednesday, November 12, 2008

Summit08 Wraps!


Puff, puff... It's a heck of a lot of work putting on a conference - hats off to the folks who do it year in and year out and actually smile through the process (they must have some strong meds). You are a sick lot, you know! Anyone care to guess how many pieces of bacon, sodas and beers were downed during the two-day Troubleshooting and Security Summit08 conference (November 4-5)? Me neither.

One of the highlights of the conference was having Gerald Combs (creator of Wireshark) join us to talk about capturing traffic in a virtual environment and Tom Quilty (BD Investigations) talking about the steps to take before and after a network breach occurs. Who ya gonna call?

It was great sitting around a table at the vendor party with those two as well as Ron Nutter from Network World as we swapped geeky war stories and shared some of the inside scoop on cybercrime events and Wireshark development (which are mutually exclusive topics, by the way). He he...
For those of you who didn't join us, you missed a great time. We played with VoIP reassembly, some ugly WLAN communications, loads of ugly file transfers caused by packet loss/high latency, a DHCP server gone awry, nasty SNMP traffic (that we configured to see using the MIB printer configuration), problems with autonegotiation, SMB2 protocol negotiation during a Vista client/Server 2008 connection, lost packets, totally pathetic websites, evidence of a "DNS walking" application, a redirector infection, SNMP scanning host and traffic hidden through port swapping.

Two nights before the conference I added a set of trace files taken at a client and a server - I really wanted to show how to alter the timestamps because one analyzer was off on the timesync and then merge the two traces together, colorizing the two sets to differentiate them. I love this stuff!

Now my days are spent building the Summit 08 Wrap-Up site - if you attended Summit 08 you will receive your login credentials by the end of the week. I've put together four videos covering the MS08-067 vulnerability, the trace file merging process, building and sending custom packets and the Summit 08 Wrap-Up Checklist. In addition, I have a discount code for NetScanTools Pro and Pilot/Pilot+AirPcap EX3 bundle also going up on your Wrap-Up site (you already should have the code for 50% off the Wireshark University self-paced courses - good through December 31st).

So... would we ever do the conference again? Absolutely! We've already started planning based on the feedback we received. Register for notification at http://www.chappellsummit.com/ and I'll send you an email when Summit 09 registration opens and details on the Early Bird Special pricing. Alumnae will get special discounted pricing on Summit 09.

Now... just a couple more days until I head off to Portugal for the Vantagem conference. After that, it's the ATT Live conferences in Salt Lake City and then... well... then it's 2009 and time to start development on Summit 09!

Laura
[off to the Wrath of the Lich King launch party... 2 hours and counting...]