Cisco routers can be rebooted with the reload command. The reload command also lets you schedule the reboot a number of minutes out, for example
reload in 5
to reload in 5 minutes. We can also reload at a specific time. For instance
reload at 13:30
will reload the router at 1:30 PM.
For a Cisco config to remain permanent, we have to “write”, i.e. save, the config. By default, changes such as a new IP address on an interface are wiped on a reboot or reload.
We can take advantage of this behavior to “test” changes on a Cisco router.
Example:
Run the command “reload in 10” to reboot the router in 10 minutes. The plan is to cancel the reload after making sure our changes work.
Make the needed changes to the router.
After verifying that everything is working, run the “reload cancel” command to cancel the pending reload.
Now we can run “write” to save our new config.
To recap: reload in 10 will reload the router in 10 minutes. If we lose access to the router while making changes, the router will reload once the 10 minutes have expired, returning it to the last known working state. The reload cancel command cancels the pending reload. write makes our config persistent across reboots/reloads.
Setting up OSPF between Mikrotik routers is not too difficult. The following commands should work with RouterOS version 7+. Run these commands on each Mikrotik, changing the router-id each time.
Create a Loopback Interface
First it would be a good idea to create a loopback interface that will always stay up. We’ll use its address as the router-id, which must be unique per router.
Next we’ll create the OSPF instance, using the loopback address above as the router-id. Technically you can use whatever id you want as long as it is a 32-bit “address” and is unique.
IMPORTANT NOTE: If this router is also the default gateway, you’ll need to specify the “originate-default=always” option to advertise the default route over OSPF to the other routers. You don’t have to do this if you don’t want to share the default route.
Create OSPF Area
Now we can create an OSPF area. For a simple OSPF setup, we’ll just use the default 0.0.0.0 area.
Now we can add an instance. This is responsible for what networks get shared with OSPF. If you want to share all the addresses on the router, use 0.0.0.0/0. If you only want specific networks, add an entry for every network, changing 0.0.0.0/0 to the network of interest.
After that we can check to make sure things worked.
/routing/ospf/neighbor/print
You should see at least one neighbor. It can take a little while for neighbors to show up.
You can also check the routes on the router.
/ip/route/print
OSPF has a default distance of 110, so checking the routes is a quick way to verify that they are getting updated. Do note that a static route with a lower distance will take precedence over the OSPF route.
The following are some helpful tips from the post.
Search log by email address
You can search for specific addresses with exigrep. Replace email@address with the email address of interest.
exigrep email@address /var/log/exim_mainlog
Message Direction
Looking at entries in the main log, many messages carry one of the indicators from the following table, which tells us the status of the message and/or where it came from or went.
<=  Indicates the arrival of a message to Exim for handling
=>  Shows a normal message delivery
->  Additional address for the same delivery, i.e. an email forwarder
>>  Cutthrough delivery. From the Exim manual: cutthrough is a router precondition. This option requests that delivery be attempted while the item is being received. It is usable in the RCPT ACL and valid only for single-recipient mails forwarded from one SMTP connection to another. If a recipient-verify callout connection is requested in the same ACL it is held open and used for the data, otherwise one is made after the ACL completes.
*>  Delivery suppressed by -N
**  Delivery failed; address bounced
==  Delivery deferred; temporary problem
<>  The empty (null) sender address. From the Exim manual: a bounce message is shown with the sender address “<>”, and if it is locally generated, this is followed by an item of the form R=<message id>. You will often find this on bounce lines.
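As an added example that is not from the post, here is a small Python parser that applies the indicator table above to exim_mainlog lines and offers an exigrep-style search by address. The sample log lines, message IDs and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Direction indicators used in exim_mainlog, as listed in the table above.
FLAGS = {
    "<=": "arrival",
    "=>": "normal delivery",
    "->": "additional address for the same delivery (forwarder)",
    ">>": "cutthrough delivery",
    "*>": "delivery suppressed by -N",
    "**": "delivery failed; address bounced",
    "==": "delivery deferred; temporary problem",
}
# date time message-id flag address rest-of-line
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S{6}-\S{6}-\S{2}) "
    r"(?P<flag><=|=>|->|>>|\*>|\*\*|==) (?P<addr>\S+)(?P<rest>.*)$"
)

# Constructed sample lines in the main log's layout (not a real log).
SAMPLE_LOG = """\
2024-05-01 09:15:01 1s2Abc-0001aB-Xy <= alice@example.com H=mail.example.com [192.0.2.10] P=esmtp S=2048
2024-05-01 09:15:02 1s2Abc-0001aB-Xy => bob@example.net R=dnslookup T=remote_smtp
2024-05-01 09:15:02 1s2Abc-0001aB-Xy -> carol@example.net R=dnslookup T=remote_smtp
2024-05-01 09:15:02 1s2Abc-0001aB-Xy Completed
2024-05-01 09:20:11 1s2Abd-0001aC-Zq <= dave@example.org H=smtp.example.org [192.0.2.20] P=esmtp S=1500
2024-05-01 09:20:12 1s2Abd-0001aC-Zq == erin@example.com R=dnslookup T=remote_smtp defer (-53): retry time not reached
2024-05-01 09:25:30 1s2Abe-0001aD-Qr <= <> R=1s2Abd-0001aC-Zq U=mail P=local S=3000
2024-05-01 09:25:31 1s2Abe-0001aD-Qr ** frank@example.com R=dnslookup T=remote_smtp: SMTP error
""".splitlines()

def parse_line(line):
    """Return (message id, flag, address, meaning), or None for lines with no direction flag."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["id"], m["flag"], m["addr"], FLAGS[m["flag"]]

def grep_address(lines, address):
    """exigrep-style search: every line of every message that mentions the address."""
    by_id = defaultdict(list)
    for line in lines:
        fields = line.split(" ", 3)        # date, time, message id, remainder
        if len(fields) == 4:
            by_id[fields[2]].append(line)
    return [line for ls in by_id.values() if any(address in l for l in ls) for line in ls]
```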
Some other posts that may be helpful while troubleshooting mail deliveries.
If you have installed the hardened Linux Kernel on Fedora, you may have encountered the following error when trying to launch Flatpak applications.
bwrap: No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.
error: Failed to sync with dbus proxy
The issue looks to arise from the fact that the hardened Linux kernel disables unprivileged user namespaces, and Fedora does not set the setuid bit on the bubblewrap executable by default.
Enabling setuid on bubblewrap
You can set the setuid permission on the bubblewrap executable with
sudo chmod u+s /usr/bin/bwrap
Allow Unprivileged User Namespaces (Alternative Workaround)
You could also allow unprivileged user namespaces by running
sysctl kernel.unprivileged_userns_clone=1
Note that setting the setuid bit seems to be the safer/recommended option: using a setuid bubblewrap binary looks preferable to enabling unprivileged user namespaces.
It’s fairly easy to send a message to a Telegram channel using curl. Copy and paste the following command, replacing API_TOKEN, chat_id, and test_message with the appropriate values.
The short answer is no, at least on some of the newer Dell PowerEdge servers. There are some places online where it sounds like it may work with certain servers.
If you are running on 120v and then plug a 240v line into the second PSU, the PSU light flashes 3 times and then stays off.
From the iDRAC we can see that one PSU Input Line Type is Low line (120v) and the other is High line (240v).
As a side note, the Input Wattage is different because we can pull more watts from a 240v line. Watts = Amps × Volts, so halving the voltage halves the total wattage.
Looking through the Lifecycle Log we see the following entry saying that the PSU is disabled because of an input voltage mismatch.
Ran across an email that had an attachment named Payment.htm. This kind of phishing attack isn’t anything new, but the htm file had some interesting obfuscation inside it.
Opening the file in a Kali virtual machine starts to load what appears to be a Microsoft SharePoint site. Notice the URL is the local file. It’s set up to pull the images from the web; since the VM had no internet access, the images never loaded.
After spinning for a second, it loads the “log on page”, already populated with our email address. Note that I changed the email address before taking the screenshot.
Typing in a random password and hitting Sign in triggers the sign-in page.
Notice the ipinfo.io network connection.
Going to https://ipinfo.io/json gives a good bit of info about our IP address, location, etc. It looks like this information is requested and then sent to the attackers.
Since there was no internet connection, the malicious htm page never received the IP information and so didn’t continue on to the next stage; it just sat there loading. It should be possible to set up a fake local server and feed it the information to continue on to the next stage. Or we can just do some static code analysis.
Base64, Base64 and more Base64
Opening the file in a text editor shows tons of Base64 encoded data. The file is only about 20 lines long, but the individual lines are extremely long.
This first section of Base64 encoded data is by far the shortest. atob is a JavaScript function that decodes Base64 data. The atob calls are nested, meaning that to actually get the data we’ll need to decode it multiple times. Or we can just copy out the nested atob calls and run them directly in Node.js to get the output.
This is fairly easy to do: run nodejs from the command line, set the variable, and print it to the console.
# nodejs
> let b64 = atob(atob(etc...etc...etc...))
> console.log(b64)
Unfortunately, the next few lines are too large to handle the way we just did. What we can do is duplicate the file, then delete all non-JavaScript text. Next we can replace the beginning of the lines where it says “document.head……atob” with
console.log(atob(atob(atob(.....))));
After we have cleaned up the file and made those changes, we save it, and now run it as a javascript file.
nodejs ./Payment.htm
If we want to, we can pipe the output into another file with the > operator
nodejs ./Payment.htm > Decoded_Payment.js
Deobfuscating the important stuff
Looking at the decoded code shows that there is still some obfuscated stuff in that last line.
The var _0x8378= array contains a lot of human-unreadable text.
Fortunately, this is not hard to decode at all. In a terminal, launch nodejs again, copy the whole array as a variable, and then just print the whole array.
The last URL is the ipinfo.io one we saw in the browser developer tools. Some of the variables from the above variable also seem to map to the return info from ipinfo.
Windows 11 introduced “Suggested Actions”. When you copy a date, time, or phone number, you will get this little pop up asking if you want to “Create event” or “Call number”.
While this can be helpful, it can also be slightly annoying and get in the way. Fortunately, there is a simple way to turn it off. Hit the little down arrow, then click “Go to clipboard settings”.
Once in the System settings, turn “Suggested actions” off.
atob() is a JavaScript function that decodes base64 encoded text; btoa() is the encoding function. We can use Node.js to decode atob() calls. For instance, we can launch nodejs with
nodejs
and decode the string SGVsbG8gV29ybGQgIQ==
console.log(atob("SGVsbG8gV29ybGQgIQ=="));
If we wanted to break that down into a couple of variables, we can do something like the following.
> var b64 = atob("SGVsbG8gV29ybGQgIQ==")
> console.log(b64);
You can also create a javascript file and then run the file with nodejs.
var b64 = atob(atob("U0dWc2JHOGdWMjl5YkdRZ0lRPT0="))
console.log(b64);
We can then run the file with
nodejs ./file.js
In the file the string “Hello World !” is double encoded, so we process it twice with atob(atob(base64)).
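As an added example that is not part of either post, the following Python decodes nested atob() chains like the ones in the Payment.htm file and in the Hello World sample above statically, i.e. without ever executing the attacker’s JavaScript in Node.js; it also resolves \x and \u escapes in a string array. The multi-stage sample it builds is constructed here: the array name _0x8378 is the one from the post, but its contents are invented, as is the assumption that the array uses escape sequences.

```python
import base64
import re
# One or more nested atob( ... ) wrappers around one string literal, e.g. atob(atob("U0dW...")).
ATOB_CHAIN = re.compile(r'((?:atob\(\s*)+)([\'"])([A-Za-z0-9+/=\s]*)\2')
JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")

def atob(data):
    """Python equivalent of the browser's atob(): base64 -> one character per byte."""
    data = re.sub(r"\s+", "", data)          # atob() ignores whitespace in its input
    data += "=" * (-len(data) % 4)          # tolerate missing padding, as browsers do
    return base64.b64decode(data, validate=True).decode("latin-1")

def btoa(text):
    """Python equivalent of btoa(); used here only to build the sample."""
    return base64.b64encode(text.encode("latin-1")).decode("ascii")

def decode_atob_chain(js):
    """Decode the first nested atob("...") chain in the text without running any JavaScript."""
    m = ATOB_CHAIN.search(js)
    if not m:
        return None
    data = m.group(3)
    for _ in range(m.group(1).count("atob(")):  # one base64 decode per wrapper
        data = atob(data)
    return data

def peel(js, max_rounds=20):
    """Keep decoding while each decoded stage itself hides another atob chain."""
    for _ in range(max_rounds):
        inner = decode_atob_chain(js)
        if inner is None:
            return js
        js = inner
    return js

def unescape_js(s):
    """Resolve \\xNN and \\uNNNN escapes in a JS string literal statically."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def string_array(js, name):
    """Extract and unescape the string literals of `var <name>=[...]`."""
    m = re.search(re.escape(name) + r"\s*=\s*\[(.*?)\]", js, re.S)
    return [unescape_js(a or b) for a, b in re.findall(r"'([^']*)'|\"([^\"]*)\"", m.group(1))] if m else []

def build_sample():
    """Constructed stand-in for the loader: two base64 stages ending in an escaped string array."""
    final = r'var _0x8378=["\x68\x74\x74\x70\x73\x3a\x2f\x2f\x69\x70\x69\x6e\x66\x6f\x2e\x69\x6f\x2f\x6a\x73\x6f\x6e","\u0063\u0069\u0074\u0079"];'
    stage1 = 'document.write(atob("%s"));' % btoa(final)
    return 'document.head.innerHTML = atob(atob("%s"));' % btoa(btoa(stage1)), final
```

peel() returns only the innermost decoded payload, which is what the console.log(atob(atob(...))) trick above prints; the surrounding loader code is discarded.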
There is more info available at the following links