Which command enables you to search a specific location for files and directories that adhere to some search criteria?

Troubleshooting Connection Problems

Routers are basically used to connect multiple networks. Sometimes the router itself may be online but you will experience connection problems. The router may not be able to communicate with various networks or devices. Cisco offers a few User Exec level commands to troubleshoot these connection issues.

■

PING – You can use the PING command to send test packets to a particular device. If you get a response back, you know there is a physical connection between the two devices. If no response is returned, this could indicate a problem with the physical connection.

Traceroute – The traceroute command is used to determine the path between two connections. Often a connection to another device will have to go through multiple routers. The traceroute command will return the names or IP addresses of all the routers between two devices. This also allows you to see where a packet may be misguided.

Solving Boot Problems

A less common, but more serious set of problems revolve around booting the router. If the router does not boot properly, it is basically useless. It is critical that administrators understand what can be done if their router does not boot properly. Therefore, it's also critical that you understand this for the exam.

Firmware Upgrade

The firmware running on your Cisco device is the Cisco IOS. There will come a time when you will need to upgrade this firmware. This may be necessary in order to get bug fixes or to enable new router features.

The Cisco IOS is basically a file that gets loaded at device initialization. If you want to upgrade your IOS, you simply have to replace this file with a newer file. Cisco developed the Cisco IFS (Cisco IOS File System), to help you manage files on your router. You can use the Cisco IFS to copy the new IOS image to your router.

EXERCISE 4.4

Upgrade Your Router Firmware

Here we will be upgrading your router firmware. This requires us to access the flash memory in your router.

At the IOS prompt, type dir. This will list out the contents of your flash memory.

Type copy tftp://<ipaddress>//ios-image-name flash:/ios-image-name

Confirm the source filename. Press Enter.

Confirm the destination filename. Press Enter.

Type sh file information flash:ios-image-name to verify the new image was copied and is runnable.

Reload the router.

CONFIGURING AND IMPLEMENTING…

So, Do You Really Think You Know Who Is Scanning You?

Are you interested in knowing how good penetration testers keep their addresses hidden for as long as possible? It's a matter of hiding among the other IP addresses which are present, and spoofing an IP address. Two cool ways that you can obfuscate your IP address as the source of scanning activity involve using the decoys function and spoofing your Media Access Control (MAC) address.

Here we have chosen to designate a few extra decoys along with our scan to make the scans appear as though they are coming from a number of systems, rather than just ours. (Remember the age-old rule of safety in numbers!)

Here is an example of this technique sending ACK flags to port 80 at Captain Insaneo-speed:

#nmap –n –PA –p 80 –T5 –D 10.1.1.1,10.1.2.1,66.1.2.6,ME,202.3.192.1 <target>

As far as MAC address spoofing is concerned, today it is easy to spoof the source MAC address of the interface Nmap is using, and you don't even have to look it up. Say, for instance, that you visit an art studio with an Alienware system as your vulnerability assessment computer, and all your targets are Macintosh systems. If you run an Nmap scan without making a change to obscure your system's identity, your system is going to stick out like a sore thumb. So, you conjure up some “lucky charms” and use a particular MAC address vendor—and throw the security officer for a loop as he goes around looking for an HP Compaq system. Here is the Nmap command you would pass in this case:

#nmap –n –PA –p 870 –T5 –spoof-mac HP <target>

If you wanted him to think that a Linksys router was involved, try this:

#nmap –n –PA –p 870 –T5 –spoof-mac Linksys <target>

Good times!

24.10.1 ping

The ping command was described in Chapter 23. It works essentially the same under Windows and UNIX. Enter “ping” and another computer’s name or IP address. The format of both ping commands is shown here. Ping will determine if the destination is reachable. If ping continues to display output lines you can press Ctrl-C to kill it:

ping computer-name

ping IP-address

If you get an error message saying the ping command is not found then try entering ping as follows:

/usr/sbin/ping computer-name

There are two potential shortcomings to using the ping command. The first is that if you enter the name of the remote computer it’s possible that your DNS (Domain Name System) server is translating the server name you entered to the wrong IP address. If an inaccurate IP address is being provided, this could be the source of your problem. To determine whether or not this might be the problem you should compare the IP address returned by a “ping computer-name” command with your documentation that identifies the IP address of the remote computer. If the IP address returned by the ping-by-name doesn’t match your records, then a problem exists in the DNS area. Contact your network team and work with them while they resolve it.

You should also execute a ping command and specify the IP address of the remote computer. This will help you determine whether the remote computer can be accessed if an accurate IP address is being used.

The previous advice assumes that you have a “landscape” document or other documentation that shows the name and correct IP address for all of the organization’s computers. If this documentation doesn’t exist, then now would be a very good time to create it.

The second potential problem with a ping command is that some servers have been configured to ignore ping commands. This is done as a security measure to help protect them from DOS (denial of service) attacks. If you get the result “Request Timed Out” every time you ping a particular server, then this probably means it has been set to ignore ping commands.

24.10.2 Database connectivity

If your connectivity problem appears to be related to the database, then you should see if the database server can be accessed from the application server. There may be a tool on the application server that enables you to initiate a database session. For example, if the database being used is Oracle, then SQL*Plus has likely been loaded onto the application server. Open a SQL*Plus session with the database using a command like the following:

sqlplus username/[email protected]

If the session established, it proves that connectivity with the database server exists. If the SQL*Plus command fails, then a problem exists. The next step would be to work with the DBA team to confirm that the database engine is running. If it is, then you might need to work with the network team to verify that the application server can communicate with the database server.

24.10.3 Traceroute

If the ping-by-name and the ping-by-IP were unsuccessful, then you need to find out where along the path between your server and the destination it failed. You need to know if your computer is able to communicate with the Internet or other networks. Your organization has a device called a gateway router that acts as a gateway between your network and all other networks. Run the “traceroute” command to determine whether your communication attempts are getting out the door so to speak. If the results indicate that your traceroute attempt didn’t make it past your gateway router, then you need to contact your organization’s network team to resolve the problem.

traceroute, like ping, confirms whether or not connectivity to the destination computer can be established. The output from traceroute indicates how many servers or hops it takes a packet to get from your server to the destination computer. The format of the traceroute command is:

traceroute destination

where destination can be either a name or an IP address.

This command can be very informative if communications with another computer are extremely slow. It can tell you either that the packets are taking an excessive number of hops taken along the path or that a specific computer in the path is taking longer than expected to communicate. If either of these is the case these, the problem isn’t with your server.

24.10.4 tnsping

tnsping is a utility provided by Oracle that determines if connectivity to the Oracle database server can be established. If your application uses an Oracle database, then you can use tnsping to determine if the application server can communicate with the Oracle database server. The format of the command is:

tnsping service-name

If you don’t know the value of the service name you can find it in the tnsnames.ora file within the Oracle Client software subdirectory.

24.10.5 netstat

netstat displays the following network communications related information:

Active ports—running netstat with the—an option displays a list of all active ports. This means a list of incoming and outgoing network connections that are currently open on the server. It also lists the process that opened each port, whether the port is open for input or output and what protocol is being used.

Routing tables—the routing table holds the list of computers that can be directly communicated with. It might be a surprise to you, but your server isn’t aware of every server on the Internet. It is aware of a few other computers which are aware of a few more computers which are aware of still more computers, etc. To view only routing table information include the –r option when calling netstat.

Statistics by protocol can be obtained by running netstat with the –s option displays a list of statistics for each of the protocols (tcp, udp, ip, icmp, igmp) that are supported. Some of the stats that are displayed are: packets sent, packets received, connection requests, connection accepts, connections established, and timeouts.

24.10.6 ruptime

ruptime, remote uptime, shows the status of all machines on the network. It also provides information on how long each computer has been up and what its recent load level is. The formation of ruptime is as follows:

ruptime

24.10.7 rwho

rwho, remote who, lists who is logged onto all machines in network. Be aware that rwho isn’t available on all networks due to security concerns. If you need to know who is logged into another computer and “rwho” doesn’t work, then you’ll have to remote to that machine and run “who” on it. The format of this command is:

rwho

24.10.8 nslookup

If your users or application is no longer able to connect to a server, the problem could be that the local name server has out of date or otherwise inaccurate information. The nslookup command allows you to query the Domain Name System (DNS) to gather information on domain names it contains. Using it you can learn the name and IP address of the name server that is being used. You can also obtain the IP addresses of machines that the name server is maintaining information on.

Figure 24.8 shows the results of an nslookup call to get the details on server “dr005.” The nslookup command has other available parameters which can be seen on the man page for it.

24.10.9 Firewall problems

It’s possible that your organization’s firewall is causing the connectivity problems. It’s not uncommon for a change in a firewall’s configuration to cause problems connecting to a server that was working just fine yesterday. Depending on your level of expertise you could investigate this yourself or contact the organization’s team that administers the firewall. A word of warning is definitely in order here: be very careful not to cause problems or make unapproved changes of the firewall. Doing so could cause extremely serious problems for you, your users, other applications, and their users.

If you’re knowledge about the organization’s firewall, you might consider checking the firewall configuration or its logs to see if there are any clues about the problem. Two commands that might provide some insight are:

24.10.10 Network analysis tools

There are a number of network analysis tools that can be acquired to provide detailed information on the communications between your server and other machines. Providing an in-depth description of any of them is beyond the scope of this book, but a brief description of some tools that are available is provided.

Secure Troubleshooting

One thing you want to make sure of when troubleshooting your firewall is that you don't compromise your security during the troubleshooting process. If you're using HTTP (Hypertext Transfer Protocol) or Telnet to access your firewall, someone may be able to sniff your packets while you're working to solve the problems.

The WebUI can be encrypted with SSL (Secure Sockets Layer) or tunneled through a VPN. It is recommended that this connection be secured at all times. The certificate can be self-signed by the Juniper firewall, so no certificate has to be purchased.

The command-line interface can be encrypted by using SSH (Secure Shell) to log in to your firewall. Telnet should be disabled so it cannot be used by anyone. If Telnet access is required for some reason, be sure to encrypt the packets using a VPN tunnel. Serial console access requires physical access to the firewall. You can disable all CLI access if you wish and require serial access to manage the box, but this measure might be a bit extreme.

Ping

Ping is probably the most well-known network troubleshooting utility in existence. The ping command is used to test for network connectivity. Every network operating system has a version of it preinstalled. It was written in December, 1983 by Mike Muuss for BSD Unix. The BSD Unix network stack has been ported to many operating systems, including every version of Microsoft Windows. Although the name was originally derived from a sonar analogy, it is now referred to as an acronym for Packet InterNet Groper.

The functionality is simple: send an ICMP (Internet Control Message Protocol) echo-request and wait for an ICMP echo-reply. The code shown in Figure 13.1 is an example of sending a ping to IP address 192.168.0.1, and getting four replies in return. This is a connectivity check from a Windows machine to a router.

By default, the NetScreen device will send five ICMP echo requests of 100 bytes each with a two-second timeout. Advanced settings can also be included on the command line:

You may also set all of the options manually by entering only the command ping and pressing Enter. At this point, you will be prompted for each one of the options to build the command you wish to execute, specifying target IP, the number of requests, the datagram size, and so on.

Figure 13.2 shows an example of using the ping command in ScreenOS 5.

Keep in mind that the results of the ping command may not always be accurate. Some network traffic does not pass ping traffic and could possibly change the results of the command.

You can also ping from a specific interface with the ping command ping <ipaddress> from <interfacename> (see Figure 13.3)

traceroute

The traceroute command is useful in troubleshooting multihop routing. traceroute uses the TTL (Time to Live) field of the IP protocol to get an ICMP TIME_EXCEEDED response from each gateway the packet goes through to reach the destination. Figure 13.4 shows an example of traceroute in ScreenOS.

Figure 13.4. traceroute in ScreenOS

traceroute results should also be taken with a grain of salt. Since traceroute uses TTL fields in the packets, any devices that do not respond to that field will not return valid data.

Get Session

The get session command will show all current established sessions going through the Juniper firewall. If an entry exists in the session table, the connection has passed through the routing table and the policy successfully.

Each session entry has three lines of information. The first line contains the policy rule number, which can be viewed by the get policy command. The time entry shows idle time and resets every time traffic goes through the firewall. Figure 13.5 illustrates these points.

The output from the get session command can seem a bit overwhelming at first, but it isn't really that bad once you break it down. First, the command specifies how many sessions are currently allocated (in the preceding case, it is 64 with a maximum number of 128064). This command also specifies how many sessions failed to be allocated (both regular and DI sessions) and how many multicast sessions are allocated. It also provides statistics for the memory and sessions pools. The next part of the command that you really should be concerned with is the information about the source IP address, source port, traffic direction, destination address, and destination port. The first entry in Figure 13.5 is: 218.172.211.178/18772->123.49.20.57/1024. This stands for a source address of 218.172.211.178, with a source port of 18772 going outbound to destination 123.49.20.57 port 1024. It will be using route 0, which you can verify with the get route command and compare that against the route ID value in the output. Traffic with the <- symbol designates the inbound (return) traffic. The return traffic may also show the NAT'd value of the packet, and the subsequent route which may be taken to reach the destination. You can also see which policy (in this case 320000) is being matched for this session.

Get Policy

The get policy command displays the current NetScreen policy. This command is useful as a reference to see which policy ID is assigned to each rule. Pay attention to the From and To fields. These indicate which zones each policy crosses, as shown in Figure 13.6.

Get Route

The get route command shows the current NetScreen routing table. There is a separate routing table for each virtual router. In the example in Figure 13.7, there are no routes for the untrust-vr, which is the default configuration. Make sure you differentiate which routes are static and which are added by a routing protocol.

Remember that the * next to a route designates that it is the active route in the routing table, and the ID is the value that is also referenced in other troubleshooting commands such as the get session command. This output shows you that route 12 is active over the same route (different next hop) route 13. They are both Static routes with a preference of 20, and a metric of 1. It is not immediately clear in this case why route 12 is valued higher than 13, but the reason could be because ethernet0/1 is physically down.

Get Interface

The get interface command shows detailed interface statistics. This command (shown in Figure 13.8) is useful to see which zone an interface is in and which hardware MAC (Media Access Control) address is assigned to each interface. You can also see the IP address, VLAN, and what state the interface is currently in (U for Up, D for Down.)

Get ARP

The ARP (Address Resolution Protocol) table of the Juniper firewall can be viewed by using the get arp command. This can be useful when troubleshooting OSI layer 1 and layer 2 issues. Figure 13.9 shows the ARP table of the Juniper firewall.

We can see in this example that the MAC address for 218.172.211.177 is invalid (000000000000.) It also specifies what interface this will try to learn the MAC address on, which will be whatever interface has an IP address in the same subnet as the IP address that you are ARPing for. This can be very useful to troubleshoot layer 2 issues, especially when devices are connected directly to your firewall.

TIP

Please remember that if you are replacing one network gateway device with another (such as the SSG), the MAC address will change because there will be a new hardware interface in place of the old one (assuming you are keeping the same IP address). This will mean that other devices may not recognize this new MAC address until either their ARP cache times out (often 10 minutes on most systems), or you can manually clear it, such as issuing the clear arp on the Juniper firewall, or arp –d on Windows.

Get System

The get system command gives you several important pieces of information. Use this command to get an overview of your firewall and the setting for each interface. On an unknown firewall, this should be the first command you use.

▪

Serial Number This can be used to reset the device to the factory defaults. Use the serial number as the username and password when logging in on the serial interface. Be aware that this will also wipe out any configuration changes you have made. The serial number is used to generate the license keys for your device as well.

Software Version The software version of the ScreenOS device in running memory.

Date and Time Returns the date and time on the NetScreen device.

Total Device Resets Tracks the total number of asset recovery resets. This number counts the number of times the system has been reset to the factory defaults.

User Name The username of the current user.

Debug

The debug utility in ScreenOS is a powerful troubleshooting tool that allows you to track sessions going through the Juniper firewall. The firewall has a memory buffer set aside for the debug system, and packets can be captured in this memory for inspection. The following outlines various uses of the debug system:

Set any filters necessary for the debug. This is optional, but it might help consolidate the results. Optionally, you might also want to clear the buffer of old debugs so that you get a better snapshot.

Issue the Debug Command.

Issue the get db str command to get the output stored in the memory buffer from the debug.

Stop the debug with the undebug all command which will halt any debugs. Alternatively you can keep issuing the get db str command to keep getting output from the debug.

Clear the memory buffer with the clear db command.

WARNING

You must be mindful that issuing debug commands can increase the load on the firewall. Althought it is not as crippling as debugs on other platforms (historically,) it can cause problems if you are not careful. It is best to use flow filters, and turn the debugs off as soon as possible.

Snoop

Snoop is a full packet sniffer. The output of snoop goes into the same memory buffer that debug sends to. The biggest difference between debug and snoop is that snoop can dump the actual contents of the packets to the memory buffer. snoop output is more difficult to read than debug output and is typically used when the contents of the packets need to be analyzed. The following are the commands for using snoop:

snoop Starts the snoop capture.

snoop info Displays current snoop status.

snoop detail Enables full packet logging. This logs the full contents of the packets.

snoop off Turns off the snoop capture.

snoop filter Allows you to filter what gets captured. Employs syntax similar to that used for debug filtering.

clear db Clears the debug memory buffer.

get dbuf stream Displays the output for analysis.

Firewall Session Analyzer (FSA)

Juniper has created a new Web-based tool called Firewall Session Analyzer (FSA) to help make sense of the torrent of information that can come from running a get session command. As discussed earlier, this command shows all current established sessions going through the NetScreen device, and this can seem a little daunting when viewed in the console.

After uploading a log of the get session command output to the FSA (located at http://tools.juniper.net/fsa/), it will generate the following seven reports.

▪

Rank based on destination IP address

Rank based on destination port

Rank based on source IP address

Rank based on source port

Rank based on protocol

Rank based on Virtual System Device (VSD)

Rank based on source IP with protocol and destination port information

In order to use the tool, you need to log the command output to a file on a TFTP server by using the following command.

SSG550-> get session > tftp <server ip> <filename>

You may also choose to capture the screen output to a file and upload it to the analyzer in the same manner as the file stored on the TFTP server. Once you have the log file, generating the FSA reports is simple.

1.

Go to http://tools.juniper.net/fsa/ using your Web browser.

Browse to your get session .log or .txt file, first making sure the file does not exceed 10MB.

Choose the version of ScreenOS the file was captured from (ScreenOS v4 or v5).

Click Submit. After several seconds, your results will be viewable in a new screen.

The top 10 results for each of the seven previous reports will be viewable on one page (see Figure 13.10), at which point you can download each complete report as an individual csv file by selecting the link for the report you desire. This information will be available for you to view for one hour following the execution of the analyzer. After one hour, the information processed by the tool, and the corresponding reports, will be deleted from the Juniper site for security reasons.

Putting It All Together

When troubleshooting the Juniper firewall, use any of the previous commands necessary to resolve the issue. When a packet arrives at an interface of the firewall, the following things happen.

1.

The packet goes through a “sanity check” to make sure it isn't corrupt.

A session lookup is performed. If the packet is part of an existing session, it follows the rest of the packets in the same session.

The packet is routed, based on the routing table and zones.

The packet is checked against the firewall policy.

The ARP cache is referenced.

A session is created if one does not exist, and the packet is forwarded.

Notice that the session is not created until the packet passes through the routing table and the firewall policy.