know-how:usefull_commands

know-how:usefull_commands [2024/02/27 09:31] – [cisco land] cc
know-how:usefull_commands [2024/03/28 13:56] (current) – [List wireless hardware capabilities hostapd/wpad] cc
Zeile 1543: Zeile 1543:
 <code> <code>
 iw dev wlan0 station dump iw dev wlan0 station dump
 +</code>
 +
 +====== List wireless hardware capabilities hostapd/wpad ======
 +
 +<code>
 +-> iw list
 +
 +root@foo:~# iw list
 +Wiphy phy1
 + wiphy index: 1
 + max # scan SSIDs: 4
 + max scan IEs length: 2257 bytes
 + max # sched scan SSIDs: 0
 + max # match sets: 0
 + Retry short limit: 7
 + Retry long limit: 4
 + ....
 +Wiphy phy0
 + wiphy index: 0
 + max # scan SSIDs: 16
 + max scan IEs length: 199 bytes
 + max # sched scan SSIDs: 0
 +...
 +
 +
 +</code>
 +====== List/scan wireless access points hostapd/wpad ======
 +  * WLANs anzeigen cli
 +
 +<code>
 +ggf. ip li set dev wlanxx up
 +iw dev wlanxx scan
 </code> </code>
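Review bot: the new block under "List wireless hardware capabilities hostapd/wpad" opens with both `-> iw list` and `root@foo:~# iw list`, so the command appears twice before its output; keep one of them. The heading names hostapd/wpad but no hostapd command appears, so one sentence saying that the `iw list` capability output (HT/VHT support, supported channels and bands) is what the hostapd/wpad radio configuration is derived from would make the link explicit. In the scan block, `ggf. ip li set dev wlanxx up` is needed because `iw dev wlanxx scan` refuses to run on a down interface and requires CAP_NET_ADMIN (hence the root prompt in the block above); spelling out "ggf." as "if needed" and marking `wlanxx` as a placeholder would help readers who copy the lines.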
  
Zeile 2470: Zeile 2502:
  
 the way, when you do init=/bin/sh (or bash), it isn't strictly necessary to reboot afterwards (well, depending on what you change I suppose), you can just do an 'exec /sbin/init' to continue the boot process. Make sure the state of the system is as it would normally be though (e.g. umount /usr, make / readonly again etc). the way, when you do init=/bin/sh (or bash), it isn't strictly necessary to reboot afterwards (well, depending on what you change I suppose), you can just do an 'exec /sbin/init' to continue the boot process. Make sure the state of the system is as it would normally be though (e.g. umount /usr, make / readonly again etc).
 +</code>
 +====== cryptsetup ======
 +  * Interesting read **argon2id**: https://mjg59.dreamwidth.org/66429.html?thread=2120573 , https://dys2p.com/en/2023-05-luks-security.html  , https://neilzone.co.uk/2023/04/updating-the-luks-key-derivation-function-on-debian/  , https://www.linkedin.com/pulse/how-utilize-argon2-kdf-configuration-secure-things-know-chung-mba#:~:text=%23Argon2id%20is%20much%20more%20modern,for%20CPU%20and%20RAM%20usage 
 +
 +  * Getestet auf Debian Bookworm / ursprünglich **argon2i** / Stand der Technik (2024-03-11): **argon2id** / erfolgreicher **reboot** :)
 +<code>
 +root@mrWhiteGhost:/home/urnilxfgbez# cryptsetup luksHeaderBackup /dev/crypted_partition_info  --header-backup-file /tmp/header_backup_crypted_partition_info.img
 +
 +root@mrWhiteGhost:/home/urnilxfgbez# file /tmp/header_backup_crypted_partition_info.img
 +/tmp/header_backup_crypted_partition_info.img: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x9838482c38d968d1..., UUID: 123-123-123, crc 0xff.....
 +
 +root@mrWhiteGhost:/home/urnilxfgbez# cryptsetup luksDump /dev/nvme0n1p3
 +LUKS header information
 +Version:        2
 +Epoch:          3
 +Metadata area: 16384 [bytes]
 +Keyslots area: 16744448 [bytes]
 +UUID:          123-123-123
 +Label:          (no label)
 +Subsystem:      (no subsystem)
 +Flags:        (no flags)
 +
 +Data segments:
 +  0: crypt
 + offset: 16777216 [bytes]
 + length: (whole device)
 + cipher: aes-xts-plain64
 + sector: 512 [bytes]
 +
 +Keyslots:
 +  0: luks2
 + Key:        512 bits
 + Priority:   normal
 + Cipher:     aes-xts-plain64
 + Cipher key: 512 bits
 + PBKDF:      argon2i
 + Time cost:  4
 + Memory:     966868
 + Threads:    4
 + AF stripes: 4000
 + AF hash:    sha256
 + Area offset:32768 [bytes]
 + Area length:258048 [bytes]
 + Digest ID:  0
 +Tokens:
 +Digests:
 +  0: pbkdf2
 + Hash:       sha256
 + Iterations: 85780
 +
 +root@mrWhiteGhost:/home/urnilxfgbez# cryptsetup luksConvertKey /dev/nvme0n1p3 --pbkdf argon2id
 +Enter passphrase for keyslot to be converted: 
 +root@mrWhiteGhost:/home/urnilxfgbez# echo $?
 +0
 +root@mrWhiteGhost:/home/urnilxfgbez# cryptsetup luksDump /dev/nvme0n1p3
 +LUKS header information
 +Version:        2
 +Epoch:          5
 +Metadata area: 16384 [bytes]
 +Keyslots area: 16744448 [bytes]
 +UUID:          123-123-123
 +Label:          (no label)
 +Subsystem:      (no subsystem)
 +Flags:        (no flags)
 +
 +Data segments:
 +  0: crypt
 + offset: 16777216 [bytes]
 + length: (whole device)
 + cipher: aes-xts-plain64
 + sector: 512 [bytes]
 +
 +Keyslots:
 +  0: luks2
 + Key:        512 bits
 + Priority:   normal
 + Cipher:     aes-xts-plain64
 + Cipher key: 512 bits
 + PBKDF:      argon2id
 + Time cost:  5
 + Memory:     1048576
 + Threads:    4
 + AF stripes: 4000
 + AF hash:    sha256
 + Area offset:290816 [bytes]
 + Area length:258048 [bytes]
 + Digest ID:  0
 +Tokens:
 +Digests:
 +  0: pbkdf2
 + Hash:       sha256
 + Iterations: 85780
 +
 </code> </code>
 ====== encrypted zip ====== ====== encrypted zip ======
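Review bot: the header backup at the top of the new cryptsetup block is taken from `/dev/crypted_partition_info`, while every later command operates on `/dev/nvme0n1p3`; use one device name (or label the first as a placeholder) so the backup demonstrably belongs to the volume being converted. Storing that backup under `/tmp` deserves a caveat: the file contains the complete keyslot area, so it is exactly as sensitive as the on-disk header, it keeps any passphrase that was valid at backup time usable even after a later luksChangeKey, and on a tmpfs it is gone at the next reboot, which defeats the purpose of taking it before `luksConvertKey`. A pre-check is also missing: if /boot lives on this volume, the boot loader must be able to unlock argon2id keyslots (upstream GRUB 2.06 cannot), and the "erfolgreicher reboot" bullet only records the outcome, not that this was verified. The before/after luksDump output itself is clear and shows the re-benchmarked parameters (time cost 4 to 5, memory 966868 to 1048576) well; the unchanged `Digests` section with its pbkdf2 entry is expected, since luksConvertKey only touches the keyslot PBKDF.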
Zeile 2742: Zeile 2867:
 </code> </code>
   * Routing: ** ip route ** {{ :know-how:ip_route_commands.pdf |}} (https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/ip_route_commands.pdf)   * Routing: ** ip route ** {{ :know-how:ip_route_commands.pdf |}} (https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/ip_route_commands.pdf)
 +  * IPV6 enable: ipv6 unicast-routing
 <code> <code>
 ip route ip route
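Review bot: the added bullet "IPV6 enable: ipv6 unicast-routing" names the command without saying what it does or where it is entered, whereas the `ip route` bullet above it carries a reference. A short note that this is a global configuration command which switches on IPv6 forwarding between all IPv6-enabled interfaces, and that the existing IPv4 access lists do not filter IPv6 traffic so a matching `ipv6 access-list` has to be added alongside it, would make the entry usable. The spelling should be "IPv6".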
Zeile 2757: Zeile 2883:
 SVI's support both routing and switching protocols, while routed ports do not support any layer 2 protocols (STP). An SVI is created by the interface VLAN command while a routed port by using the no switchport command in interface configuration mode. SVI's support both routing and switching protocols, while routed ports do not support any layer 2 protocols (STP). An SVI is created by the interface VLAN command while a routed port by using the no switchport command in interface configuration mode.
 </code> </code>
 +
 +===== SSH Server aktivieren =====
 +  * 1024 bit Key / Username **Bob** mit passwort **cisco** / FIXME Public Keys akzeptieren , Passwort Login deaktivieren 
 +<code>
 +Router# configure terminal
 +Router(config)# hostname R1
 +R1(config)# ip domain name span.com
 +R1(config)# crypto key generate rsa general-keys modulus 1024
 +The name for the keys will be: Rl.span.com % The key modulus size is 1024 bits
 +% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
 +Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
 +R1(config)#
 +R1(config)# username Bob secret cisco
 +R1(config)# line vty 0 4
 +R1(config-line)# login local
 +R1(config-line)# transport input ssh
 +R1(config-line)# exit
 +R1(config)#
 +</code>
 +
 +===== netstat / Dienste deaktivieren =====
 +  * **Achtung** Quote von Cisco
 +<code>
 +Router# show ip ports all
 +Proto Local Address               Foreign Address             State       PID/Program Name
 +TCB       Local Address               Foreign Address             (state)
 +tcp   :::443                     :::                       LISTEN      309/[IOS]HTTP CORE
 +tcp   *:443                      *:*                         LISTEN      309/[IOS]HTTP CORE
 +udp   *:67                        0.0.0.0:                              387/[IOS]DHCPD Receive
 +Router#
 +
 +IOS versions prior to IOS-XE use the show control-plane host open-ports command. We mention this command because you may see it on older devices. The output is similar. However, notice that this older router has an insecure HTTP server and Telnet running. Both of these services should be disabled. As shown in the example, disable HTTP with the no ip http server global configuration command. Disable Telnet by specifying only SSH in the line configuration command, transport input ssh.
 +
 +Router# show control-plane host open-ports 
 +Active internet connections (servers and established)
 +Prot        Local Address      Foreign Address                  Service    State
 + tcp                 *:23                  *:0                   Telnet   LISTEN
 + tcp                 *:80                  *:0                HTTP CORE   LISTEN
 + udp                 *:67                  *:0            DHCPD Receive   LISTEN
 +Router# configure terminal
 +Router(config)# no ip http server
 +Router(config)# line vty 0 15
 +Router(config-line)# transport input ssh
 +</code>
 +
 +===== show / infos anzeigen =====
 +
 +<code>
 +show running-config
 +To verify the current configuration and settings
 +
 +
 +show interfaces
 +To verify the interface status and see if there are any error messages
 +
 +show ip interface
 +To verify the Layer 3 information of an interface
 +
 +show arp
 +To verify the list of known hosts on the local Ethernet LANs
 +
 +show ip route
 +To verify the Layer 3 routing information
 +
 +show protocols
 +To verify which protocols are operational
 +
 +show version
 +To verify the memory, interfaces, and licences of the device
 +</code>
 +
 ====== sed ====== ====== sed ======
   * Regex Search and Replace alle matches e.g.   * Regex Search and Replace alle matches e.g.
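Review bot: in the new "SSH Server aktivieren" block, `crypto key generate rsa general-keys modulus 1024` produces a 1024-bit RSA key, which is below current minimums; the bullet should recommend a modulus of at least 2048 bits, and since the log line reads "SSH 1.99 has been enabled" (both protocol versions), `ip ssh version 2` belongs in the same block. The block restricts `line vty 0 4` only, while the netstat section further down uses `line vty 0 15`; on a device that has vty lines 5 to 15 the first variant leaves them on the default transport, so the two sections should agree. The FIXME about accepting public keys and disabling password login could point at `ip ssh pubkey-chain`, which is where per-user keys are configured on IOS. The pasted output line "The name for the keys will be: Rl.span.com" looks like a transcription of "R1.span.com" and is worth correcting. In the "netstat / Dienste deaktivieren" block, the explanatory paragraph starting "IOS versions prior to IOS-XE use..." sits inside the `<code>` element between two command transcripts; moving it out of the code block and marking it as the Cisco quotation that the "Achtung" bullet announces keeps the transcripts copy-pasteable. The "show / infos anzeigen" list is fine as a quick reference.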
know-how/usefull_commands.1709022679.txt.gz · Last modified: 2024/02/27 09:31 by cc