Wireshark to the rescue !!!

So we had a massive increase in logging from our campus firewall.

Jan 25 2018 11:50:32: %ASA-1-106021: Deny UDP reverse path check from 172.16.160.29 to 172.16.70.1 on interface campus

What's the big deal? Well we send our logs to a centralized syslog server and we only pay for 20GB of volume per day and this increase was tipping us over that threshold which basically locks us out if we go over 5 times in a sliding 30 day window.  There were roughly 103,000 of these messages every minute, so in a day that equaled about 148,320,000 a day.  To put it in perspective, we normally log about 10GB a day and we were now logging over 40GB a day.  I need to figure out what was going on, and fast.

The source and destination always stayed the same, but the problem was those aren't private addresses that we used on our network anywhere. 


So to try to get a handle on what the traffic really was I figured a good old packet capture might help a bit.  So I started up a capture with the source address from above, and sure enough, the packets started filling up my capture.

So I still had no idea what the traffic really was, but hey at least now I know that it was some MPEG TS stream.  Hmm that would be really cool if you could have wireshark reassemble the packets into a visual stream for me to look at…  I mean I know you can do it with un-encrypted audio, and if you have SNMP v3 credentials you can dissect the traffic and actually read it.

I headed off to goo goo land and found the mpeg_dump.lua script !!! • https://wiki.wireshark.org/mpeg_dump.lua

Basically install the script to your wireshark main directory and then edit some init.lua file and tell it to load the script.  See the above link for a more detailed description.  Once you restart your wireshark you will find it under Tools -> Dump MPEG TS Packets and then tell it where you want to dump the packets in their MPEG file.

After waiting, while it worked it's magic, I had to use VLC to actually see the traffic (no built in windows apps knew what to do with it), and there you have it… PBS stream.

"Hey what were those guys installing the other day in our data center for our TV system ?" I asked my boss.  "It was a PBS channel for our analog TV system" he said.

Well we now had a scapegoat, and after contacting their support they connected to their equipment and admitted to the newly installed device being misconfigured to send that out to the destination address from the log message.

PROBLEM SOLVED !!! Thanks Wireshark !!!

Here are some of my recent paracord key chain fobs...

Here is one I added to a flashlight (Coast G10) with a split keyring loop.

Here is one I added to the pocket clip of my every day carry knife (Kershaw 3655 Volt SS)

USB Keyboard Foot Pedal Button

A friend of mine was saying that he would love a foot pedal to use while playing W.O.W. to control his chat application (Vent).  I told him that would be super easy and whipped this out the next day for him.   Here is how I ended up doing it...

Parts List:
- USB keyboard
- Dremmel with plastic cutting disk
- Project enclosure (optional; you could probably figure out a way to use the case from the keyboard of you think long enough about it)
- Multimeter (optional but sure helps a lot and makes things go faster when decoding the key matrix)
- Drill for drilling hole in project enclosure
- Momentary push button switch
- Some hook up wire
- Soldering and some solder
- Xacto knife
- Screw driver
- Hot glue gun

Start by taking all the screws out of the bottom of the keyboard and put them aside encase you need to use any of them again later. Figure out what key you are trying to find, if you have a multimeter it's time to bust it out. Set it to the continuity tester function. Hold one probe on the location of the key you are looking for and then start poking at the pins across the top that would connect to the pcb. Even though continuity normally beeps but watch the output since most of the runs are too long but the reading willl change, it's just not high enough for the beepy beep. Now do it again foe the second layer cor the same button pad. When you are done you' should have found 2 pins on the pcb. All the ksyboards that I have ever used have a weird black coating over the pads on the pcb which must be conductive but it doesn't lend itself to soldering to it, so I just use a xacto knife and scrape that black stuff off. When you are done you should have some shinny pads you can solder your hook up wire to for you button. Now that you have that black stuff scrapped off time to make sure you have the right ones. Plug the keyboard into a computer, open notepad or any other text editor applicaion, and take a wire and bridge the 2 pads. Your desired character should appear, if it doesn't then double check all your traces. Disconnect the keyboard from the computer and solder your leads from your button on to these pads. Reconnect and make sure you still get the desired character, and if you do box that bad boy up and you're ready to go.

Turn Outlets On & Off via SNMP

APC makes a line of switched rack PDUs that is very popular amongst home network labs.  These PDUs have the ability to selectively turn individual outlets on and off.  The units also have a display on them that shows the current AMP usage flowing though the PDU.
The PDU has a RJ-45 network interface that allows you to connect to the web interface where you can configure the unit as well as interact with it to turn outlets on and off.
While it is possible to do it from the web interface, I prefer to turn the outlets on and off via a snmp script.
You need some kind of SNMP client capable of sending snmpset commands

• Net-SNMP is a good client, they have a version for Windows so I’m down with that one

If you are installing on Windows you will also need to install the following items:

• Visual C++ 2008 Redistributes
• OPENSSL

So after you get all that setup, you need to configure your PDU to allow SNMP ( I’m using SNMP v 2c in tis example… ).  Then make a batch file and add this stuff, obviously change it to cd where every you have snmpset is installed.

@echo off
cd C:\tools\usr\bin
snmpset -v 2c -c <COMMUNITYSTRING> <PDU-IPADDRESS> 1.3.6.1.4.1.318.1.1.4.4.2.1.3.1 integer 1
snmpset -v 2c -c <COMMUNITYSTRING> <PDU-IPADDRESS> 1.3.6.1.4.1.318.1.1.4.4.2.1.3.2 integer 1
snmpset -v 2c -c <COMMUNITYSTRING> <PDU-IPADDRESS> 1.3.6.1.4.1.318.1.1.4.4.2.1.3.3 integer 1
snmpset -v 2c -c <COMMUNITYSTRING> <PDU-IPADDRESS> 1.3.6.1.4.1.318.1.1.4.4.2.1.3.4 integer 1
snmpset -v 2c -c <COMMUNITYSTRING> <PDU-IPADDRESS> 1.3.6.1.4.1.318.1.1.4.4.2.1.3.5 integer 1
snmpset -v 2c -c <COMMUNITYSTRING> <PDU-IPADDRESS> 1.3.6.1.4.1.318.1.1.4.4.2.1.3.6 integer 1
snmpset -v 2c -c <COMMUNITYSTRING> <PDU-IPADDRESS> 1.3.6.1.4.1.318.1.1.4.4.2.1.3.7 integer 1
snmpset -v 2c -c <COMMUNITYSTRING> <PDU-IPADDRESS> 1.3.6.1.4.1.318.1.1.4.4.2.1.3.8 integer 1
exit

This script above will shutoff the ports on the 8 port pdu, if you have the 16 port PDU instead just double all those statements and change the last number in the OID to the port numbers.  If you want to turn off the ports instead change the integer to 2.  Now you can turn your lab on or off with the click of a file instead of logging on and all that other who-ha to get them on.  I have have added it to a lab startup script that launches that script and then loads some other stuff after a while after things have booted up.

Try it out, it makes a fun sound… click click boom !!!! OK no boom but it’s pretty cool.

Hack a Cisco Console Cable

If you’re a network admin (of Cisco Networks) you probably have these scattered all over the place; I have a few at home, one in my car, and normally always have one in what ever bag I’m carrying all my junk in.  It seems that whenever you need to pull out one of the bad boys out in a data closet there is no where with in reach of that cable to sit down.  I used to carry that cable along with a 10 foot serial cable that I found to work between my USB -> serial adapter and my good ol’ Cisco console cable.  Problem is that i started to just have too much stuff with me and I was getting sick of hauling around a bag full of cables; then in walked the 5-in-1 network cable website.

I’m still in the process of trying to get things working using the suggestions on that site but started to think about another alternative.

I took a serial to RJ-45 Cisco console cable and chopped most of it off and wired a network jack on the end of it so I could then just have that and use the Cat5e cable, that I would normally be carrying anyway with my gear, to connect to the console port on whatever I was working on.

 

T568-B Standard	Cisco Console Cable
Orange/White <===>	Black
Orange             <===>	Brown
Green/White   <===>	Orange
Blue                  <===>	Red
Blue/White      <===>	Yellow
Green                <===>	Green
Brown/White   <===>	Blue
Brown               <===>	Gray

 

A buddy of mine, who also does this kind of stuff for a job, said, “Same as Console Cable + RJ-45 coupler + Cat5 cable. Cool though!”.  Yes he is right, but I am always loosing my couplers, or using them on jobs when jerkoffs don’t install things where you tell them and you have to string 2 cables together to reach an access point while offsite in a stinky farm building.

After my buddy made that comment, I made another one that was just and RJ-45 end crimped on an inch from the serial connector. So now I can use the precious coupler as well, either way it has reduced some of the stuff I have to carry, now I just stash one of these in the spots I used to stash regular Cisco console cables.

 

 

 Well that’s about it… Have a good one…