know-how:usefull_commands

Differences

This page shows the differences between two versions of the page.

know-how:usefull_commands [2024/02/26 10:29] cc
know-how:usefull_commands [2024/03/28 13:55] – [List /scan wireless access points hostapd/wpad] cc
Zeile 94: Zeile 94:
 </code> </code>
  
 +
 +  * Bridges ausschließlich mit iproute2 (thanks https://unix.stackexchange.com/a/255489)
 +
 +<code>
 +ip link add name br0 type bridge
 +ip link set dev br0 up
 +ip link set dev lan0 master br0
 +ip link set dev lan1 master br0
 +
 +#remove interface from bridge
 +ip link set dev lan0 nomaster
 +
 +#remove bridge
 +ip link del br0
 +
 +</code>
 ====== bonding ====== ====== bonding ======
   * Debian Buster working **LACP**   * Debian Buster working **LACP**
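Review bot: the bridge recipe only brings br0 up (`ip link set dev br0 up`) and never sets the member links up, so lan0 and lan1 will not forward anything until they are up as well; add `ip link set dev lan0 up` and `ip link set dev lan1 up` after the `master br0` lines. A one-line warning would also help: `master br0` puts the interface into the same layer-2 domain as every other bridge member, and any IP address the host needs on that segment belongs on br0, not on lan0/lan1.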
Zeile 1527: Zeile 1543:
 <code> <code>
 iw dev wlan0 station dump iw dev wlan0 station dump
 +</code>
 +
 +====== List wireless hardware capabilities hostapd/wpad ======
 +
 +<code>
 +iw list
 +
 +root@ilo:~# iw list
 +Wiphy phy1
 + wiphy index: 1
 + max # scan SSIDs: 4
 + max scan IEs length: 2257 bytes
 + max # sched scan SSIDs: 0
 + max # match sets: 0
 + Retry short limit: 7
 + Retry long limit: 4
 + Coverage class: 0 (up to 0m)
 + Device supports AP-side u-APSD.
 + Device supports T-DLS.
 + Available Antennas: TX 0x7 RX 0x7
 + Configured Antennas: TX 0x7 RX 0x7
 + Supported interface modes:
 + * IBSS
 + * managed
 + * AP
 + * AP/VLAN
 + * monitor
 + * mesh point
 + * P2P-client
 + * P2P-GO
 + * outside context of a BSS
 + Band 1:
 + Capabilities: 0x11ee
 + HT20/HT40
 + SM Power Save disabled
 + RX HT20 SGI
 + RX HT40 SGI
 + TX STBC
 + RX STBC 1-stream
 + Max AMSDU length: 3839 bytes
 + DSSS/CCK HT40
 + Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
 + Minimum RX AMPDU time spacing: 8 usec (0x06)
 + HT TX/RX MCS rate indexes supported: 0-23
 + Frequencies:
 + * 2412 MHz [1] (24.0 dBm)
 + * 2417 MHz [2] (24.0 dBm)
 + * 2422 MHz [3] (24.0 dBm)
 + * 2427 MHz [4] (24.0 dBm)
 + * 2432 MHz [5] (24.0 dBm)
 + * 2437 MHz [6] (24.0 dBm)
 + * 2442 MHz [7] (24.0 dBm)
 + * 2447 MHz [8] (24.0 dBm)
 + * 2452 MHz [9] (24.0 dBm)
 + * 2457 MHz [10] (24.0 dBm)
 + * 2462 MHz [11] (24.0 dBm)
 + * 2467 MHz [12] (disabled)
 + * 2472 MHz [13] (disabled)
 + * 2484 MHz [14] (disabled)
 + valid interface combinations:
 + * #{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1, #{ IBSS } <= 1,
 +    total <= 2048, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz }
 +
 + HT Capability overrides:
 + * MCS: ff ff ff ff ff ff ff ff ff ff
 + * maximum A-MSDU length
 + * supported channel width
 + * short GI for 40 MHz
 + * max A-MPDU length exponent
 + * min MPDU start spacing
 + max # scan plans: 1
 + max scan plan interval: -1
 + max scan plan iterations: 0
 + Supported extended features:
 + * [ RRM ]: RRM
 + * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
 + * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
 + * [ TXQS ]: FQ-CoDel-enabled intermediate TXQs
 + * [ AIRTIME_FAIRNESS ]: airtime fairness scheduling
 + * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
 + * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
 + * [ CAN_REPLACE_PTK0 ]: can safely replace PTK 0 when rekeying
 + * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
 + * [ DEL_IBSS_STA ]: deletion of IBSS station support
 + * [ MULTICAST_REGISTRATIONS ]: mgmt frame registration for multicast
 + * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
 + * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support
 +Wiphy phy0
 + wiphy index: 0
 + max # scan SSIDs: 16
 + max scan IEs length: 199 bytes
 + max # sched scan SSIDs: 0
 + max # match sets: 0
 + Retry short limit: 7
 + Retry long limit: 4
 + Coverage class: 0 (up to 0m)
 + Device supports AP-side u-APSD.
 + Available Antennas: TX 0x7 RX 0x7
 + Configured Antennas: TX 0x7 RX 0x7
 + Supported interface modes:
 + * IBSS
 + * managed
 + * AP
 + * AP/VLAN
 + * monitor
 + * mesh point
 + * P2P-client
 + * P2P-GO
 + * P2P-device
 + Band 2:
 + Capabilities: 0x19ef
 + RX LDPC
 + HT20/HT40
 + SM Power Save disabled
 + RX HT20 SGI
 + RX HT40 SGI
 + TX STBC
 + RX STBC 1-stream
 + Max AMSDU length: 7935 bytes
 + DSSS/CCK HT40
 + Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
 + Minimum RX AMPDU time spacing: 8 usec (0x06)
 + HT TX/RX MCS rate indexes supported: 0-23
 + VHT Capabilities (0x338001b2):
 + Max MPDU length: 11454
 + Supported Channel Width: neither 160 nor 80+80
 + RX LDPC
 + short GI (80 MHz)
 + TX STBC
 + RX antenna pattern consistency
 + TX antenna pattern consistency
 + VHT RX MCS set:
 + 1 streams: MCS 0-9
 + 2 streams: MCS 0-9
 + 3 streams: MCS 0-9
 + 4 streams: not supported
 + 5 streams: not supported
 + 6 streams: not supported
 + 7 streams: not supported
 + 8 streams: not supported
 + VHT RX highest supported: 0 Mbps
 + VHT TX MCS set:
 + 1 streams: MCS 0-9
 + 2 streams: MCS 0-9
 + 3 streams: MCS 0-9
 + 4 streams: not supported
 + 5 streams: not supported
 + 6 streams: not supported
 + 7 streams: not supported
 + 8 streams: not supported
 + VHT TX highest supported: 0 Mbps
 + Frequencies:
 + * 5180 MHz [36] (23.0 dBm)
 + * 5200 MHz [40] (23.0 dBm)
 + * 5220 MHz [44] (23.0 dBm)
 + * 5240 MHz [48] (23.0 dBm)
 + * 5260 MHz [52] (23.0 dBm) (radar detection)
 + * 5280 MHz [56] (23.0 dBm) (radar detection)
 + * 5300 MHz [60] (23.0 dBm) (radar detection)
 + * 5320 MHz [64] (23.0 dBm) (radar detection)
 + * 5500 MHz [100] (23.0 dBm) (radar detection)
 + * 5520 MHz [104] (23.0 dBm) (radar detection)
 + * 5540 MHz [108] (23.0 dBm) (radar detection)
 + * 5560 MHz [112] (23.0 dBm) (radar detection)
 + * 5580 MHz [116] (23.0 dBm) (radar detection)
 + * 5600 MHz [120] (23.0 dBm) (radar detection)
 + * 5620 MHz [124] (23.0 dBm) (radar detection)
 + * 5640 MHz [128] (23.0 dBm) (radar detection)
 + * 5660 MHz [132] (23.0 dBm) (radar detection)
 + * 5680 MHz [136] (23.0 dBm) (radar detection)
 + * 5700 MHz [140] (23.0 dBm) (radar detection)
 + * 5720 MHz [144] (23.0 dBm) (radar detection)
 + * 5745 MHz [149] (30.0 dBm)
 + * 5765 MHz [153] (30.0 dBm)
 + * 5785 MHz [157] (30.0 dBm)
 + * 5805 MHz [161] (30.0 dBm)
 + * 5825 MHz [165] (30.0 dBm)
 + * 5845 MHz [169] (27.0 dBm) (no IR)
 + * 5865 MHz [173] (27.0 dBm) (no IR)
 + valid interface combinations:
 + * #{ managed, P2P-client } <= 16, #{ P2P-GO } <= 3, #{ AP } <= 16, #{ IBSS } <= 1,
 +    total <= 16, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 80+80 MHz, 160 MHz }
 +
 + HT Capability overrides:
 + * MCS: ff ff ff ff ff ff ff ff ff ff
 + * maximum A-MSDU length
 + * supported channel width
 + * short GI for 40 MHz
 + * max A-MPDU length exponent
 + * min MPDU start spacing
 + max # scan plans: 1
 + max scan plan interval: -1
 + max scan plan iterations: 0
 + Maximum associated stations in AP mode: 0
 + Supported extended features:
 + * [ VHT_IBSS ]: VHT-IBSS
 + * [ RRM ]: RRM
 + * [ SET_SCAN_DWELL ]: scan dwell setting
 + * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
 + * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
 + * [ TXQS ]: FQ-CoDel-enabled intermediate TXQs
 + * [ AIRTIME_FAIRNESS ]: airtime fairness scheduling
 + * [ AQL ]: Airtime Queue Limits (AQL)
 + * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
 + * [ DEL_IBSS_STA ]: deletion of IBSS station support
 + * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
 + * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support
 +
 +
 +</code>
 +====== List/scan wireless access points hostapd/wpad ======
 +  * WLANs anzeigen cli
 +
 +<code>
 +ggf. ip li set dev wlanxx up
 +iw dev wlanxx scan
 </code> </code>
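Review bot: the pasted `iw list` dump runs to about 200 lines for two radios and buries the command; either trim it to the lines that decide whether a radio can serve as a hostapd AP (`Supported interface modes` containing `* AP`, the `valid interface combinations` line and the `Frequencies` list) or add a sentence saying what to look for. The frequency flags deserve that sentence in any case: channels 52 to 144 of phy0 are marked `(radar detection)`, so hostapd must complete DFS radar detection (channel availability check) before it may transmit there, and channels 169/173 are `(no IR)`, meaning the device may not initiate transmissions on them and cannot run an AP there. For the scan section, `iw dev wlanxx scan` needs root and an interface that is up (hence the preceding `ip li set dev wlanxx up`).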
  
Zeile 2454: Zeile 2686:
  
 the way, when you do init=/bin/sh (or bash), it isn't strictly necessary to reboot afterwards (well, depending on what you change I suppose), you can just do an 'exec /sbin/init' to continue the boot process. Make sure the state of the system is as it would normally be though (e.g. umount /usr, make / readonly again etc). the way, when you do init=/bin/sh (or bash), it isn't strictly necessary to reboot afterwards (well, depending on what you change I suppose), you can just do an 'exec /sbin/init' to continue the boot process. Make sure the state of the system is as it would normally be though (e.g. umount /usr, make / readonly again etc).
 +</code>
 +====== cryptsetup ======
 +  * Interesting read **argon2id**: https://mjg59.dreamwidth.org/66429.html?thread=2120573 , https://dys2p.com/en/2023-05-luks-security.html  , https://neilzone.co.uk/2023/04/updating-the-luks-key-derivation-function-on-debian/  , https://www.linkedin.com/pulse/how-utilize-argon2-kdf-configuration-secure-things-know-chung-mba#:~:text=%23Argon2id%20is%20much%20more%20modern,for%20CPU%20and%20RAM%20usage 
 +
 +  * Getestet auf Debian Bookworm / ursprünglich **argon2i** / Stand der Technik (2024-03-11): **argon2id** / erfolgreicher **reboot** :)
 +<code>
 +root@mrWhiteGhost:/home/urnilxfgbez# cryptsetup luksHeaderBackup /dev/crypted_partition_info  --header-backup-file /tmp/header_backup_crypted_partition_info.img
 +
 +root@mrWhiteGhost:/home/urnilxfgbez# file /tmp/header_backup_crypted_partition_info.img
 +/tmp/header_backup_crypted_partition_info.img: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x9838482c38d968d1..., UUID: 123-123-123, crc 0xff.....
 +
 +root@mrWhiteGhost:/home/urnilxfgbez# cryptsetup luksDump /dev/nvme0n1p3
 +LUKS header information
 +Version:        2
 +Epoch:          3
 +Metadata area: 16384 [bytes]
 +Keyslots area: 16744448 [bytes]
 +UUID:          123-123-123
 +Label:          (no label)
 +Subsystem:      (no subsystem)
 +Flags:        (no flags)
 +
 +Data segments:
 +  0: crypt
 + offset: 16777216 [bytes]
 + length: (whole device)
 + cipher: aes-xts-plain64
 + sector: 512 [bytes]
 +
 +Keyslots:
 +  0: luks2
 + Key:        512 bits
 + Priority:   normal
 + Cipher:     aes-xts-plain64
 + Cipher key: 512 bits
 + PBKDF:      argon2i
 + Time cost:  4
 + Memory:     966868
 + Threads:    4
 + AF stripes: 4000
 + AF hash:    sha256
 + Area offset:32768 [bytes]
 + Area length:258048 [bytes]
 + Digest ID:  0
 +Tokens:
 +Digests:
 +  0: pbkdf2
 + Hash:       sha256
 + Iterations: 85780
 +
 +root@mrWhiteGhost:/home/urnilxfgbez# cryptsetup luksConvertKey /dev/nvme0n1p3 --pbkdf argon2id
 +Enter passphrase for keyslot to be converted: 
 +root@mrWhiteGhost:/home/urnilxfgbez# echo $?
 +0
 +root@mrWhiteGhost:/home/urnilxfgbez# cryptsetup luksDump /dev/nvme0n1p3
 +LUKS header information
 +Version:        2
 +Epoch:          5
 +Metadata area: 16384 [bytes]
 +Keyslots area: 16744448 [bytes]
 +UUID:          123-123-123
 +Label:          (no label)
 +Subsystem:      (no subsystem)
 +Flags:        (no flags)
 +
 +Data segments:
 +  0: crypt
 + offset: 16777216 [bytes]
 + length: (whole device)
 + cipher: aes-xts-plain64
 + sector: 512 [bytes]
 +
 +Keyslots:
 +  0: luks2
 + Key:        512 bits
 + Priority:   normal
 + Cipher:     aes-xts-plain64
 + Cipher key: 512 bits
 + PBKDF:      argon2id
 + Time cost:  5
 + Memory:     1048576
 + Threads:    4
 + AF stripes: 4000
 + AF hash:    sha256
 + Area offset:290816 [bytes]
 + Area length:258048 [bytes]
 + Digest ID:  0
 +Tokens:
 +Digests:
 +  0: pbkdf2
 + Hash:       sha256
 + Iterations: 85780
 +
 </code> </code>
 ====== encrypted zip ====== ====== encrypted zip ======
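Review bot: the header backup is written to `/tmp/header_backup_crypted_partition_info.img`; a LUKS2 header backup contains the complete keyslot area, so anyone who obtains that file can attack the passphrase offline, and it keeps the old argon2i keyslot unlockable with the passphrase that was valid at backup time even after the on-disk slot has been converted or the passphrase changed. Move it to encrypted offline storage and delete the copy in /tmp once the conversion is verified (the second luksDump confirms it: `PBKDF: argon2id`, Epoch 3 to 5). Two smaller points: the backup is taken from `/dev/crypted_partition_info` while dump and convert run against `/dev/nvme0n1p3`, which reads like a placeholder that should be made consistent, and `luksConvertKey` converts one keyslot per run, so on a volume with more than the single keyslot 0 shown here it has to be repeated per slot (`--key-slot N`). `Digests: 0: pbkdf2` staying pbkdf2 is expected; the digest only verifies the unlocked volume key and is not what protects the passphrase.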
Zeile 2636: Zeile 2961:
  
 ====== cisco land ====== ====== cisco land ======
 +===== Basics =====
 +
 <code> <code>
 -User-Exec-Modus (>)-> Privileged Exec Modus (#) mit enable -User-Exec-Modus (>)-> Privileged Exec Modus (#) mit enable
Zeile 2687: Zeile 3014:
 foo# foo#
 </code> </code>
 +===== IP Assignment =====
   * Basic IP Assignment Interfaces:   * Basic IP Assignment Interfaces:
  
Zeile 2722: Zeile 3050:
  ip default-gateway ip-address in global configuration  ip default-gateway ip-address in global configuration
 </code> </code>
 +  * Routing: ** ip route ** {{ :know-how:ip_route_commands.pdf |}} (https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/ip_route_commands.pdf)
 +  * IPV6 enable: ipv6 unicast-routing
 +<code>
 +ip route
 +To establish static routes, use the ip route command in switch configuration mode. To remove static routes,
 +use the no form of this command.
 +ip route prefix mask ip-address [metric-value]
 +no ip route prefix mask ip-address
 +Syntax Description Specifies the IP route prefix for the destination.prefix
 +Specifies the prefix mask for the destination.mask
 +Specifies the IP address of the next hop that can be used to reach that network.ip-address
 +Specifies the metric of the route. The default metric is 6. Valid range is from 1–255
 +</code>
 +  * Differences between svi and routed port (https://learningnetwork.cisco.com/s/question/0D53i00000KsoxbCAB/switching-routed-ports-and-switched-virtual-interfaces-svis)
 +<code>
 +SVI's support both routing and switching protocols, while routed ports do not support any layer 2 protocols (STP). An SVI is created by the interface VLAN command while a routed port by using the no switchport command in interface configuration mode.
 +</code>
 +
 +===== SSH Server aktivieren =====
 +  * 1024 bit Key / Username **Bob** mit passwort **cisco** / FIXME Public Keys akzeptieren , Passwort Login deaktivieren 
 +<code>
 +Router# configure terminal
 +Router(config)# hostname R1
 +R1(config)# ip domain name span.com
 +R1(config)# crypto key generate rsa general-keys modulus 1024
 +The name for the keys will be: Rl.span.com % The key modulus size is 1024 bits
 +% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
 +Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
 +R1(config)#
 +R1(config)# username Bob secret cisco
 +R1(config)# line vty 0 4
 +R1(config-line)# login local
 +R1(config-line)# transport input ssh
 +R1(config-line)# exit
 +R1(config)#
 +</code>
 +
 +===== netstat / Dienste deaktivieren =====
 +  * **Achtung** Quote von Cisco
 +<code>
 +Router# show ip ports all
 +Proto Local Address               Foreign Address             State       PID/Program Name
 +TCB       Local Address               Foreign Address             (state)
 +tcp   :::443                     :::                       LISTEN      309/[IOS]HTTP CORE
 +tcp   *:443                      *:*                         LISTEN      309/[IOS]HTTP CORE
 +udp   *:67                        0.0.0.0:                              387/[IOS]DHCPD Receive
 +Router#
 +
 +IOS versions prior to IOS-XE use the show control-plane host open-ports command. We mention this command because you may see it on older devices. The output is similar. However, notice that this older router has an insecure HTTP server and Telnet running. Both of these services should be disabled. As shown in the example, disable HTTP with the no ip http server global configuration command. Disable Telnet by specifying only SSH in the line configuration command, transport input ssh.
 +
 +Router# show control-plane host open-ports 
 +Active internet connections (servers and established)
 +Prot        Local Address      Foreign Address                  Service    State
 + tcp                 *:23                  *:0                   Telnet   LISTEN
 + tcp                 *:80                  *:0                HTTP CORE   LISTEN
 + udp                 *:67                  *:0            DHCPD Receive   LISTEN
 +Router# configure terminal
 +Router(config)# no ip http server
 +Router(config)# line vty 0 15
 +Router(config-line)# transport input ssh
 +</code>
 +
 +===== show / infos anzeigen =====
 +
 +<code>
 +show running-config
 +To verify the current configuration and settings
 +
 +
 +show interfaces
 +To verify the interface status and see if there are any error messages
 +
 +show ip interface
 +To verify the Layer 3 information of an interface
 +
 +show arp
 +To verify the list of known hosts on the local Ethernet LANs
 +
 +show ip route
 +To verify the Layer 3 routing information
 +
 +show protocols
 +To verify which protocols are operational
 +
 +show version
 +To verify the memory, interfaces, and licences of the device
 +</code>
 +
 ====== sed ====== ====== sed ======
   * Regex Search and Replace alle matches e.g.   * Regex Search and Replace alle matches e.g.
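Review bot: the SSH recipe leaves two gaps that the log line `%SSH-5-ENABLED: SSH 1.99 has been enabled` and the vty ranges make visible. `SSH 1.99` means the router still negotiates SSH v1 as well as v2; add `ip ssh version 2` so only v2 is accepted. `transport input ssh` is applied to `line vty 0 4` in the SSH section but to `line vty 0 15` in the netstat section; on a device with 16 vty lines the first form keeps Telnet open on vty 5 to 15, so use the full vty range consistently. `crypto key generate rsa general-keys modulus 1024` is also below what current IOS releases and SSH clients expect; 2048 or larger is the usual minimum today. For the FIXME on public-key login, the IOS feature to look at is `ip ssh pubkey-chain`, after which `login local` with password users can be retired.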
know-how/usefull_commands.txt · Last modified: 2024/03/28 13:56 by cc