Monthly Archives: December 2008

//December

Simple POP3 Communication HOWTO

POP3 is an incredibly simple protocol, and with the most basic commands, you can access your POP3 server ‘by hand’ with this POP3 HOWTO without the need for a client. You can find the entire POP3 RFC here http://www.ietf.org/rfc/rfc1939.txt Now, down to business. I have created a temporary test account:  test@iodigitalsec.com – please don’t try and access this as by the time you see this, it’s already been removed! I’ll use telnet to access the service, and send simple plain text commands. I’ve sent myself a test email, which I will also retrieve and then delete. Conversation as follows, I have highlighted my own commands in bold: […]

By | December 16th, 2008|Internetworking & Routing, Technology|1 Comment

Some simple filtering and sniffing with tcpdump

tcpdump is one of the best network debugging tools available. In it’s most basic form, it will print network traffic in terms of a source and destination address to the console, more advanced uses include printing out captured ASCII and simple but powerful filtering. tcpdump -ieth0 -n # Start tcpdump listening on interface eth0, and do not attempt to resolve IP addresses to hostnames ( -n ). What we see is: 20:51:40.848211 IP 217.10.X.X.22 > 93.97.Y.Y.52381: P 76216:76364(148) ack 261 win 8576 20:51:40.853726 IP 93.97.Y.Y.52381 > 217.10.X.X.22: . ack 59548 win 16848 And this is repeated over and over. Now this is a feedback loop. As we are connected via port 22 (SSH), this loop will continue, and we must therefore filter it out: tcpdump -ieth0 -n tcp port not 22 Now we can cleanly monitor traffic. What happens though if we want to view SSH traffic, but not our own? tcpdump -ieth0 -n tcp port not 22 and host not 93.97.Y.Y We can build this filter up as much as we wish. Let’s start watching HTTP (tcp port 80) traffic only: tcpdump -ieth0 -n tcp port 80 Finally, let’s set the ‘snaplen’ to 1500 bytes, and print out the captured data in ASCII: tcpdump -ieth0 -n tcp port 80 -A -s1500 20:56:25.260143 IP 217.10.X.X.80 > 88.110.Y.Y.51171: P 1:550(549) ack 172 win 1728 E..Mn @.@..w. ..Xn!..P….’@…P…3…HTTP/1.1 404 Not Found Date: Mon, 15 Dec 2008 21:05:17 GMT Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Content-Length: 313 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /favicon.ico was not found on this server.</p> <hr> <address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.[HIDDEN].com Port 80</address> </body></html> And from this we can see all HTTP traffic. As you can see, it’s that easy to capture and decode plaintext traffic. We can do the same on port 110 (POP3): […]

By | December 15th, 2008|Technology|2 Comments

A BIND9 zonefile and commentary

I’m often asked for a copy of various zone files for Bind, that other users may use as a template. Here’s the zonefile for www.adampalmer.me/iodigitalsec: $TTL 604 @ IN SOA iodigitalsec.com. root.iodigitalsec.com. ( 2008101023 ; Serial 172800 ; Refresh 900 ; Retry 1209600 ; Expire 3600 ) ; Negative Cache TTL ; IN NS ns3.apnichosting.com. IN NS ns2.apnichosting.com. IN MX 10 mail3.sasdataservices.com. IN MX 100 mail2.sasdataservices.com. IN MX 1000 backup-0.l3.iodigitalsec.com. IN A 217.10.156.197 * CNAME iodigitalsec.com. I’ll now cover each type of record briefly, and explain the ellusive decimal point. The SOA or “start of authority” record indicates the domain name “iodigitalsec.com” and the email address of the domain administrator “root@iodigitalsec.com”, replacing the at symbol with a decimal point (this decimal point does not have the same meaning as those later on). There is only one SOA record allowed per domain. Contained within the SOA record is also a serial number, refresh, retry, expiry and TTL. The serial number is the ‘version’ of the zone. This is generally incremented each time the zone is updated. The refresh is used by the slave or secondary DNS server as an instruction on how often to update in seconds. The ‘retry’ is the length in seconds that the slave DNS server should wait before retrying to contact an unreachable primary DNS server. The expiry specifies how long until the slave DNS server stops responding to requests for this domain name, should the primary DNS server remain unreachable. If the primary DNS server becomes available again, the timer is reset. Lastly, the Negative TTL or ‘time to live’ value indicates how long the server will cache a NAME ERROR (NXDOMAIN) record. The longest permitted is 3h (10800 seconds). On to the more simple records… […]

By | December 15th, 2008|Internetworking & Routing, Technology|2 Comments

Debian Lovers – Why I love Voyage Linux

For those Debian lovers I have finally found a great embedded distro. I’ve always stayed away from the multitude of distros available, each with their own package manager or lack of, each with their own preinstalled software or again, lack of, and each with their own caveats. I began my jorney into Linux with SuSE about 11 years ago at the time of writing, and have also given RedHat a fair chance in the past. In my first employment I was forced to battle against Slackware for two years, and about 7 years ago, discovered Debian. […]

By | December 14th, 2008|Linux, Technology|0 Comments