
A look into the looking-glass

A great example of network solidarity is the many looking-glass services that let you look behind the scenes of so many large and small networks around the world. In today's world, hidden behind hundreds of security systems, it is amazing that you can simply go and execute commands on routers, which are among the most critical devices in the entire data transmission infrastructure.

looking-glass version6


You just enter an IP address or prefix in the field and get back the routing table, a trace, or the results of the ping utility. So when you realize that you can enter not only addresses but also other characters that form meaningful commands, and receive meaningful results, you are stunned. I want to run and shout from every corner: "This must be banned immediately, what kind of absurdity is this?" These are all consequences of recent years, when security is placed above openness and convenience, and there are undoubtedly reasons for that.

This post is about the very popular looking-glass implementation from version6.net and what can be obtained from that service.

If you find it normal that a looking-glass interface lets you enter something other than an IP address, then you probably belong to the "old school" or do not read the news. It seemed unusual to me, especially since other implementations of this service do not allow it.


Since it was unusual to me, I even began warning service owners about it, but then I looked into the code and realized that it is meant to be this way: a feature, not a bug. On the version6.net site, which for some reason is currently unavailable, the functionality is honestly described: "all BGP show commands, ping and traceroute".

Open lg.cgi, which is hard to read, and Perl does not help at all:

 my %FORM = &cgi_decode($incoming);
 ...
 # ping/trace: cut the parameter at the first whitespace
 $FORM{addr} =~ s/\s.*// if (($FORM{query} eq "ping") || ($FORM{query} eq "trace"));
 # drop every character outside the allowed class
 $FORM{addr} =~ s/[^\s\d\.:\w\-_\/\$]//g;

The command is passed in the $addr variable, from which all characters are deleted except whitespace (including tabs, via \s), letters, digits and the symbols "-", "_", "/", "$", "." and ":".

The condition for ping is much stricter: as far as I can see, everything after the first whitespace is cut off. So adding something extra to the ping and traceroute commands is much harder.

 my $command = sprintf($query_cmd, $FORM{addr});
 ...
 if ($FORM{addr} !~ /^[\w\.\^\$\-\/ ]*$/) {
     if ($FORM{addr} =~ /^[\w\.\^\$\-\:\/ ]*$/) {
         ...
     } else {
         &print_error("Illegal characters in parameter string");
     }
 }

Then the command for direct execution is formed from the $query_cmd template, and a check is made that the input belongs to a slightly different set of characters: tabs are excluded, because only the space character is listed explicitly; "_" remains allowed because it falls under \w together with letters and digits; and "^" appears. An additional check allows ":", which only occurs when working with IPv6.

That's all; the remaining checks only test for an empty parameter in some modes of operation. The command for execution was already formed earlier, and it goes to the device unchanged:

 $FORM{addr} = "" if ($FORM{addr} =~ /^[ ]*$/);
 ...
 if ($query_cmd =~ /%s/) {
     &print_error("Parameter missing") if ($FORM{addr} eq "");
 } else {
     &print_warning("No parameter needed") if ($FORM{addr} ne "");
 }
 ...
 &run_command($FORM{router}, $router_list{$FORM{router}}, $command);

What can we do? Of the useful characters we have lost quotes, the symbols "|" and "?", and all brackets. But a great deal remains. The command-forming template looks like this (for Cisco):

 my %valid_query = (
     "ios" => {
         "ipv4" => {
             "bgp"               => "show ip bgp %s",
             "advertised-routes" => "show ip bgp neighbors %s advertised-routes",
             "summary"           => "show ip bgp summary",
             "ping"              => "ping %s",
             "trace"             => "traceroute %s"
         },
 ...

The basic commands are show ip bgp, ping and traceroute. Obviously, show ip bgp summary and show ip bgp neighbors %s advertised-routes can be formed from show ip bgp %s.
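To make the difference between the two approaches concrete, here is an added example, not code from lg.cgi or from version6.net, that re-implements the three regular expressions quoted above in Python beside a strict allowlist check that only accepts what a looking-glass actually needs: an IP address, or a prefix for the plain BGP lookup. The query names and templates come from the %valid_query excerpt; the sample inputs are constructed, and the function names original_filter, strict_filter and compare are my own.

```python
import ipaddress
import re

# Character-class filters reconstructed from the lg.cgi excerpts quoted above.
# Perl's [^\s\d\.:\w\-_\/\$], /^[\w\.\^\$\-\/ ]*$/ and the IPv6 variant have
# the same meaning in Python's re module for ASCII input.
STRIP_RE = re.compile(r"[^\s\d\.:\w\-_/\$]")
CHARS_V4_RE = re.compile(r"^[\w\.\^\$\-/ ]*$")
CHARS_V6_RE = re.compile(r"^[\w\.\^\$\-:/ ]*$")

# Command templates, as in the "ios" -> "ipv4" branch of %valid_query.
VALID_QUERY = {
    "bgp": "show ip bgp %s",
    "advertised-routes": "show ip bgp neighbors %s advertised-routes",
    "summary": "show ip bgp summary",
    "ping": "ping %s",
    "trace": "traceroute %s",
}


def original_filter(query, addr):
    """Mirror of the lg.cgi checks: returns the command the router would
    receive, or None where lg.cgi prints an error and stops."""
    if query in ("ping", "trace"):
        addr = re.sub(r"\s.*", "", addr)   # ping/trace: cut at the first whitespace
    addr = STRIP_RE.sub("", addr)          # blocklist: drop characters outside the class
    if not CHARS_V4_RE.match(addr) and not CHARS_V6_RE.match(addr):
        return None                        # "Illegal characters in parameter string"
    if re.fullmatch(r"[ ]*", addr):
        addr = ""
    template = VALID_QUERY[query]
    if "%s" in template:
        if addr == "":
            return None                    # "Parameter missing"
        return template % addr
    return template                        # only warns "No parameter needed"


def strict_filter(query, addr):
    """Allowlist alternative (hypothetical, not from lg.cgi): the parameter must
    parse as an IP address, or for the plain BGP lookup as a prefix; anything
    else is rejected and the command is rebuilt from the parsed value."""
    template = VALID_QUERY[query]
    addr = addr.strip()
    if "%s" not in template:
        return template if addr == "" else None
    try:
        if "/" in addr:
            if query != "bgp":
                return None                # ping/trace/neighbors take a host, not a prefix
            value = str(ipaddress.ip_network(addr, strict=False))
        else:
            value = str(ipaddress.ip_address(addr))
    except ValueError:
        return None
    return template % value


# Constructed inputs: the first two are addresses taken from this post's own
# output listings, the rest are the kinds of parameter the post shows slipping
# through the character filter.
SAMPLES = [
    ("bgp", "10.255.0.2"),
    ("bgp", "5.45.192.0/18"),
    ("bgp", "regexp $ 13238"),
    ("bgp", "summary"),
    ("bgp", "10.255.0.2 | include x"),
    ("ping", "8.8.8.8 size 1200"),
    ("ping", "5.45.192.0/18"),
    ("summary", ""),
]


def compare(samples=SAMPLES):
    """Return [(query, addr, lg.cgi result, strict result), ...]."""
    return [(q, a, original_filter(q, a), strict_filter(q, a)) for q, a in samples]


if __name__ == "__main__":
    for query, addr, orig, strict in compare():
        print(f"{query:18} {addr!r:28} lg.cgi={orig!r:45} strict={strict!r}")
```

The point is in the comparison: the character blocklist passes anything built from letters, digits, spaces and "$", so "regexp $ 13238" and "summary" reach the router unchanged (only the "|" is silently dropped), while the allowlist rejects both and still serves every legitimate lookup the interface promises. Parsing the parameter with ipaddress and rebuilding the command from the parsed value also normalizes the input, so the router only ever sees a canonical address or prefix.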

show ip bgp


This is our bread and butter. Note that different sites still add extra filtering, or adaptations for systems other than the standard ones, so it is not always possible to enter arbitrary characters. More precisely, it is possible, but executing the resulting commands leads to errors. However, if what we have are the basic devices from the original code, we can enter a wide range of commands. Cisco's site (we will stick to one vendor) offers many options. Some useful ones, for example.

show ip bgp regexp


Shows all routes whose AS-PATH matches a given regexp. For example, all Yandex networks as seen from Stockholm via TTK (a GET request takes you directly to the query results):

show ip bgp regexp $ 13238
  Router: sgm01rb
  Command: show bgp regexp $ 13238


 Sat Dec 19 16:30:21.141 UTC
 BGP router identifier 10.146.0.1, local AS number 20485
 BGP generic scan interval 60 secs
 BGP table state: Active
 Table ID: 0x0   RD version: 0
 BGP main routing table version 2995757495
 BGP scan interval 60 secs

 Status codes: s suppressed, d damped, h history, * valid, > best
               i - internal, r RIB-failure, S stale, N Nexthop-discard
 Origin codes: i - IGP, e - EGP, ? - incomplete
    Network            Next Hop            Metric LocPrf Weight Path
 Route Distinguisher: 20485:1 (default for vrf internet)
 *>i5.45.192.0/18      10.78.0.6             1000     70      0 13238 i
 * i                   10.99.0.8             1000     70      0 13238 i
 *                     149.6.168.201         1000     70      0 174 13238 i
 *                     166.63.220.185        1000     70      0 1273 9002 13238 i
 *                     212.73.250.153        1000     60      0 3356 13238 i
 *                     213.248.99.221        1000     70      0 1299 13238 i
 *>i5.45.194.0/24      10.78.0.6             1000     70      0 13238 i
 * i                   10.99.0.8             1000     70      0 13238 i
 *                     212.73.250.153        1000     60      0 3356 13238 i
 *                     213.248.99.221        1000     70      0 1299 13238 i
 *>i5.45.196.0/24      10.78.0.6             1000     70      0 13238 i
 * i                   10.99.0.8             1000     70      0 13238 i
 *                     149.6.168.201         1000     70      0 174 13238 i
 *                     166.63.220.185        1000     70      0 1273 9002 13238 i
 *                     212.73.250.153        1000     60      0 3356 13238 i
 *                     213.248.99.221        1000     70      0 1299 13238 i
 *>i5.45.202.0/24      10.78.0.6             1000     70      0 13238 i
 * i                   10.99.0.8             1000     70      0 13238 i
 *                     212.73.250.153        1000     60      0 3356 13238 i
 *                     213.248.99.221        1000     70      0 1299 13238 i
 ...

show ip bgp neighbors


Detailed information about established neighbor sessions. The command is sometimes indirectly available in the highlighted output of other commands. For example, detailed information about one of Beeline's neighbors in Stavropol:

show ip bgp neighbors 10.255.0.2
 Router: len244-bb.stv
 Command: show ip bgp neigh


 BGP neighbor is 10.255.0.2, remote AS 3216, external link
   BGP version 4, remote router ID 79.104.32.226
   BGP state = Established, up for 1y5w
   Last read 00:00:40, last write 00:00:14, hold time is 180, keepalive interval is 60 seconds
   Neighbor sessions:
     1 active, is not multisession capable
   Neighbor capabilities:
     Route refresh: advertised and received (new)
     Four-octets ASN Capability: advertised and received
     Address family IPv4 Unicast: advertised and received
     Multisession Capability: advertised
   Message statistics:
     InQ depth is 0
     OutQ depth is 0
                          Sent       Rcvd
     Opens:                  1          1
     Notifications:          0          0
     Updates:                1        352
     Keepalives:        631466     635532
     Route Refresh:          0          0
     Total:             631468     635885
   Default minimum time between advertisement runs is 30 seconds

  For address family: IPv4 Unicast
   Session: 10.255.0.2
   BGP table version 182470946, neighbor version 182470946/0
   Output queue size: 0
   Index 77
   77 update-group member
   Incoming update prefix filter list is B2B-BRAS-IN
   Outgoing update prefix filter list is DENY-ALL
   Slow-peer detection is disabled
   Slow-peer split-update-group dynamic is disabled
                                  Sent       Rcvd
   Prefix activity:               ----       ----
     Prefixes Current:               0          1 (Consumes 52 bytes)
     Prefixes Total:                 0        176
     Implicit Withdraw:              0          0
     Explicit Withdraw:              0        175
     Used as bestpath:             n/a          1
     Used as multipath:            n/a          0

                                    Outbound    Inbound
   Local Policy Denied Prefixes:    --------    -------
     prefix-list                       16426          0
     Well-known Community:         126392327        n/a
     Bestpath from this peer:            347        n/a
     Suppressed due to dampening:      15381        n/a
     Invalid Path:                   2886275        n/a
     Total:                        129310756          0
   Maximum prefixes allowed 500
   Threshold for warning message 75%, restart interval 3 min
   Number of NLRIs in the update sent: max 0, min 0
   Last detected as dynamic slow peer: never
   Dynamic slow peer recovered: never

 Datagrams (max data segment is 1460 bytes):
 Rcvd: 1268112 (out of order: 0), with data: 635885, total data bytes: 12089768
 Sent: 1265174 (retransmit: 1 fastretransmit: 0), with data: 631468, total data bytes: 11997935

 ...

This can be extended to advertised-routes to see which routes are announced towards a particular neighbor; that option is often present directly in the interface.

show ip bgp summary


The command is not always available directly, so you can try to get around that. For example, for RTCOMM:

show ip bgp summary
 BGP router identifier 81.176.81.18, local AS number 8342
 RIB entries 1052472, using 64 MiB of memory
 Peers 2, using 5024 bytes of memory
 Peer groups 1, using 16 bytes of memory

 Neighbor        V    AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
 195.161.1.10    4  8342 42323357    15458       0    0     0  01w3d17h        574623
 195.161.1.155   4  8342 43105981    15458       0    0     0  01w3d17h        574623

 Total number of neighbors 2

Ping and traceroute


These commands can be extended too: increase the packet size, turn off fragmentation. But this is harder to do, because the filtering code is stricter. Examples can still be found, though; Starnet, by the way, running Juniper here:

ping count 5 detail do-not-fragment size 1200 8.8.8.8
 Router: MSK-IX MX480
 Command: ping count 5 detail do-not-fragment size 1200 8.8.8.8


 PING 8.8.8.8 (8.8.8.8): 1200 data bytes
 1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=0 ttl=60 time=1.041 ms
 1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=1 ttl=60 time=0.964 ms
 1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=2 ttl=60 time=0.959 ms
 1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=3 ttl=60 time=32.190 ms
 1208 bytes from 8.8.8.8 via xe-3/3/0.0: icmp_seq=4 ttl=60 time=1.038 ms

 --- 8.8.8.8 ping statistics ---
 5 packets transmitted, 5 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 0.959/7.238/32.190/12.476 ms
 ...

Looking-glass is a wonderful tool, an excellent one even, that solves many problems and unites networking professionals around the world; it is a very clear sign of a company's maturity. Having mentioned several different companies, in my own I have not yet decided to expose such a service to the outside.

You can experiment for a long time: there are many LG services around the world, and a sufficient number of them are built on the version offered by version6.net. But any tool must be predictable; some of the unfiltered commands are terribly resource-intensive, and some reveal a little more than can be allowed in the modern world. Take a look at your code and tighten it to what you actually need. Be considerate of each other: mutual assistance and openness allowed the Internet to be built; let us not destroy it.

Source: https://habr.com/ru/post/273517/

