IT Trenches


December 22, 2009  12:31 AM

Thank you ITKE Community!



Posted by: Troy Tate
blogging

I want to thank the ITKE Community for nominating me and selecting me as the winner of the flatscreen contest. It is an honor to be recognized in this manner by peers.

I also want to take this opportunity to thank the readers of IT-Trenches and those that submit and answer the outstanding questions. It is you folks that keep things interesting and fresh!

Keep up the good work and hope to see you in 2010! Merry Christmas and Happy New Year to all!

December 18, 2009  8:33 PM

Broadcast traffic told me the network was contaminated



Posted by: Troy Tate
broadcast, network analysis, packet capture, protocol analysis, troubleshooting

If you don’t know what’s broadcasting on your network, you don’t know your network! I recently discovered a rogue network cross-connection on a network. The cross connect was from an unmanaged internet connection to a private LAN. The way I discovered this was using Wireshark and listening for all traffic not from the private LAN IP range. I used a capture filter of “not 172.16.88.0/24″. This showed all non-IP traffic and especially all broadcast traffic on the network. Lo and behold, a device was doing broadcasts on a network starting with 221.x.x.x. Hmmm… a device is either misconfigured or there is a cross-connect that no one knows about or isn’t telling anyone about. The Wireshark screen is shown below highlighting just one example ARP packet showing the traffic in question.

The display filter I have in the box removes spanning tree protocol (STP) and AppleTalk ZIP broadcasts.

This is definitely unexpected and unwelcome traffic. I asked the person to immediately find and remove this rogue connection.

So, I recommend every now and then putting up Wireshark and listening to broadcasts on your network. It’s talking to you!

Has your network told you anything interesting lately? Tell me and other ITKE readers about it. Thanks for reading and let’s be good network citizens!


December 18, 2009  7:58 PM

Search engine for telnet, ftp, ssh and http brings hackers closer to your doorstep



Posted by: Troy Tate
ftp, http, information security, infosec, malware, network, network protection, reconnaisance, scanning, search, search engine, ssh, telnet, web

Google is obviously a great tool for everyone including hackers. If you have never heard of Google Hacking, then I highly recommend you take a look at what might be exposed and found through a Google search. This Google Hacking tutorial might help get you started. It is important that you understand the threats against computer security and be prepared to appropriately handle the risks.

A new search engine recently came to my attention that every network person needs to be made aware of. This search engine is called Shodan – a computer search engine. This search engine will allow a user to search for various strings returned when connecting to ports like ftp, ssh, telnet and http. This means I could put in a search string like “cisco country:us port:23“. This would return search results that show any device returning a banner on port 23 (telnet) that has the word “cisco“.

This is scary stuff! This is similar to doing a network scan using nmap and grabbing banners from ports, but this search engine makes scanning individual hosts obsolete.

Here’s an interesting blog post about Shodan: Is SHODAN really controversial? The author followed it up with Taking SHODAN for a spin. Check out the results from this Google search for “Shodan computer search“. If some of those threads don’t scare you, then… maybe you are not an IT person!

Looks like I need to spend some time visiting Shodan to see if there’s some tightening up I need to do on systems I manage! Have you tried Shodan or anything similar? Share your experiences with other ITKE readers.

Thanks for reading and let’s continue to be good network citizens.


December 18, 2009  7:28 PM

Using PsExec to fight malware



Posted by: Troy Tate
antivirus, malicious software, malware, Microsoft, Microsoft Sysinternals, psexec, remote administration, Sysinternals

The excellent Sysinternals Windows tools have been around for many years (since 1996!). Microsoft now has these tools available and they are all FREE! They are also available in a “live” way such that you do not need to have previously downloaded the tools to use them. Simply browse to:

http://live.sysinternals.com/toolname.exe

and run the tool from a web browser. This means that you always have access to the latest valid version and can use the tool anywhere you are that has internet access.

One of the tools I most frequently use is the PsExec tool. PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications’ output to the local system so that these applications appear to be running locally. There are several command-line options on this tool so please read the documentation carefully to understand how to use this powerful tool.

The following is an example of how to use PsExec to remotely fight a system infected by malware. Note that this access works ONLY if you have administrative access on the remote Windows host. Continued »


December 15, 2009  9:38 PM

Use NMap to quickly scan a large subnet for MAC or IP addresses – even firewalled systems!



Posted by: Troy Tate
ARP, arp scan, education, network scan, network tool, nmap, ping, tool, utility

One of my favorite tools to manage a population of network hosts is the excellent tool NMap. It can easily and quickly be used to scan a large subnet for live hosts. I recently scanned a /16 or 65,535 hosts subnet in about 30 minutes with NMap detecting most common running services on the hosts discovered (note that the network was not very populated, so a densely populated network will take longer to scan than a sparsely populated network). This is a very fast and useful tool. I was particularly interested in MAC addresses as I was seeing some unusual ARP traffic and wanted to see what IP address might be assigned to the device.

The command I used to scan the subnet was:

nmap -PR -oN nmap-arpscan.txt 192.168.0.0/16

This scanned the entire 192.168.0.0/16 network and logged the results to a text file called nmap-arpscan.txt for later review.

One reason to do an ARP sweep on a network is that this will find even firewalled hosts as a system on an IP network may have ICMP filtered but ARP is practically a necessity to participate in network communications. So, this scan will find even firewalled hosts!

You can get more information about NMap from some of my previous blog postings:

Online Nmap video training – scan your network

Nmap v5 released – nearly 600 changes!

What other NMap scans do you do? Share your tips with other ITKE readers!

Thanks for reading and let’s continue to be good network citizens.


December 4, 2009  1:22 PM

Generating and tracking passwords: Put javascript to work for you



Posted by: Troy Tate
complex password, information security, Password, password security, password tool, strong password, tool, utility

I recently came across this interesting website that uses javascript and SHA-1 hashes to generate passwords. The thing to remember about this tool is that the generated passwords are just numbers and letters. There are no special characters. So, the passwords should not be considered strong or complex. You can add special characters to meet passwords complexity requirements.

What I like about this website is that you can simply save the entire page to a local drive or a USB stick for portability. All of the necessary code is in the page. Simply browse to the page and use the page or file save browser feature to save a local copy of the file to the desired location. You can then modify the code as needed to strengthen the generated passwords.

This method of password generation is a good tool in that nothing is stored and the password generation process is repeatable. Simply enter a master password, the site (or host) name and click the generate button. The javascript under the page generates a SHA-1 hash based on the combination of the master password and the site (host) name. So, this means that each site (host) has a different password. This will permit you to not use the same password on multiple sites, but will enhance your ability to generate a strong password for the sites you do use and recover it easily.

What password generation and tracking tools do you use? Share your suggestions with other ITKE readers. Thanks for reading & let’s continue to be good network citizens.


December 3, 2009  7:02 PM

CERT ALERT:H1N1 Malware Campaign Circulating



Posted by: Troy Tate
alert, botnet, bulletin, CERT, cert alert, education, government, information security, information security awareness, malicious software, malware, us-cert, user education, warning

The US-CERT released an alert yesterday about a currently circulating malware threat with the H1N1 virus as the subject matter.

US-CERT is aware of public reports of a malware campaign circulating. This campaign is circulating via email messages offering information regarding the H1N1 vaccination. This email messages contain a link to a bogus Centers for Disease Control and Prevention website. Users who click on this link may become infected with malware. Public reports indicate that these email messages are noted as having subject lines such as: “Governmental registration program on the H1N1 vaccination” and “Your personal vaccination profile.” Please note that subject lines may change at any time.

US-CERT encourages users to take the following precautions to help mitigate the risks:

  • Install antivirus software, and keep the signature files up to date.
  • Do not follow unsolicited links and do not open unsolicited email messages.
  • Use caution when visiting untrusted websites.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on avoiding social engineering attacks.

The suggestions offered match very well with the topic of my blog posting yesterday 10 Tips: Holiday greeting cards, holiday shopping and computer security awareness. Thanks for reading and let’s continue to be good network citizens! Please feel free to include your thoughts to help out other ITKE readers with reducing threats through keeping users informed about issues like this.


December 2, 2009  9:33 PM

10 Tips: Holiday greeting cards, holiday shopping and computer security awareness



Posted by: Troy Tate
antispyware, antivirus, hoaxes, information security, internet security, phishing, Security, security awareness, shopping

It is that time of year again when folks send electronic holiday greeting cards to one another. Some of the greetings may also be games that bear holiday messages. It is also a time when malicious software spreads using these same types of messages and software. You should also be cautious when doing any holiday shopping online or at stores. It is important that you and those you communicate with understand these risks. Your finances and identity are always at risk in today’s technology environment, but you may be less attentive during the holiday season. The following 10 tips are meant to remind you of some important security precautions. Continued »


November 30, 2009  7:16 PM

Microsoft releases File Server Capacity Tool 1.0



Posted by: Troy Tate
capacity planning, CIFS, client performance testing, client-server, file server capacity testing, Microsoft planning tool, Microsoft Windows, performance monitoring, server performance measurement, server performance testing, server testing, SMB

Microsoft has released the File Server Capacity Tool (32-bit) v1.0 (64-bit here). This command line tool (no user GUI is available) is for testing server capacity and identifying performance bottlenecks. This is NOT a beginner tool and should be used in a test lab environment. The tool will format the data test volume without asking for confirmation Be sure to read the step-by-step documentation included with the tool and understand the options before running.

One of the differences between this tool and previous capacity testing tools is that this tool has increased flexibility to permit the tester to build automated test scenarios. The test scenario included with v1.0 is the HomeFolders workload. This simulates users accessing a server used primarily as storage for home folders. The tool will also capture specified performance monitoring counters.

For additional support on the FSCT, visit the Microsoft forum on FCST.

Let other ITKE readers know if this tool is useful and how you used it to do your job.

Thanks for reading & let’s continue to be good network citizens.


November 30, 2009  6:25 PM

Windows Technology Deep Dive: Understanding and Troubleshooting Memory Problems



Posted by: Troy Tate
advanced training, advanced troubleshooting, memory management, Microsoft Windows, program development, RAM, technology training, troubleshooting, Windows

David Soloman – Understanding and Troubleshooting Memory Problems

This webcast is the *best* memory troubleshooting presentation I have ever seen.This should be standard advanced training for everyone in the Windows industry. It’s a 97 minute presentation

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=64

* Requires a Live ID login.

Did you know that you do not gain performance by having or not having a page file?

Did you know that sizing of the page file(s) has nothing  to do with the amount of physical memory on the computer?

Did you know the more RAM you have the smaller page file you need?

Did you know that the page file(s) never contain data that can be found elsewhere on the disk?

Did you know that the x64 virtual address space is really 17 *billion* gigabytes in size, but limited to 16 terabytes for now?

Did you know that a high number of hard page faults does not directly mean low on memory?

Did you know that so-called “memory optimizer” third-party applications make memory optimization worse?

Did you know that if you minimized all of your running applications and let the computer run idle that all of your running applications would be paged out to the page file eventually?

Thanks for reading & let’s continue to be good network citizens!


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: