Justin Rummel . com

Configuring IPv6 DNS on Mac OS X Server

Justin Rummel — Tue, 24 Jan 2012 13:50:41 +0000

What are you bitching about and IPv6?

Over the past several months, my company has been dealing with AD/OD integrations with Lion 10.7.2 and the customer’s environment is using “.local”. If you are not familiar with the history between “.local” and Apple computers simply put: they don’t mix. PERIOD. It all stems from Apple OS X Clients using the naming convention of “ComputerName.local” as its address for Bonjour services. When an Active Directory (AD) environment uses something like “company.local”, Lion doesn’t know if you are talking DNS or Bonjour… so it just tries everything, thus giving you delayed authentication (login) against your AD controllers.

With the release of OS X Lion, Apple stepped up the complexity notch and introduced IPv6 in its broadcast for resolving names, thus now you have four sets of timeouts to compete with:

IPv4 DNS
IPv4 Bonjour
IPv6 DNS
IPv6 Bonjour

Normally, if we can’t get DNS working from the customer on their Windows AD domain controller, we’ll utilize Apple’s DNS service to place GOOD values until the customer can work out the “fun” of Windows DNS (hint, the more domains and the more domain controllers… it seems difficult in keeping records versus AD replication making things automagically disappear). One issue, Server Admin doesn’t allow for creating IPv6 records (a.k.a AAAA records) so we’re going to crank these out by hand!

Configuring Mac OS X DNS for IPv6 Records

Before we go any farther, I’m warning you now… modifying BIND configuration files by hand could will cause you grief later. You have just committed yourself to the rest of your life on hand modification of DNS records because once you start using Server Admin again… it may (and most likely) remove anything it doesn’t understand. That’s the joys of Apple’s Server Admin tool.

If you have never looked at creating and/or adjusting BIND records on an Apple Server, I would first HIGHLY recommend you pick up a copy of Ed Marczak’s Mac OS X Advanced System Administration v10.5. It explains a lot about DNS and configuring BIND from command line starting at page 89 – 104. I’m not going to over the intricacies, I’m going for the dirty nibbles of IPv6 and what files you will adjust or create.

Test Environment

In my test environment I have four domains:

justinrummel.net
apple.edu
exmaple.prv
newco.prv

All of these domains live in my lab network of 192.168.1.1/24 subnet, meaning all machines have 192.168.1.x IP address. Some machines may have multiple records within multiple zones; for instance my Software Update Server (SUS) is always “sus.zone.tld” so: sus.justinrummel.net, sus.apple.edu, sus.example.prv, sus.newco.prv all point to my one SUS server who’s IP address is 192.168.1.111.

In order for Apple machines to fully work, you also need reverse DNS entries, which reverse zones. Reverse zones are displayed in a reverse IP structure, thus in my environment with every machine having a 192.168.1.x IP address, we’re using 1.168.192 reverse name, plus “in-addr.arpa” as a suffix per ARPA naming conventions.

Each of these zones (forward and reverse) are listed in the /etc/named.conf file, which points to the zone files that reside within your /var/named directory.

Before we go any further, it is best practice to stop your DNS service prior to modifying any files so be sure to run sudo serveradmin stop dns before you change any files.

/var/named
I’m going to focus my examples on ONE domain “newco.prv” to make things easy to understand, however, this could be applied to any of the domains that I host within my lab. Also, at this point I assume you have already read my article “Working With IPv6 and Mac OS X” and know how to find your IPv6 address.

We are going to start with the easy files that we want to adjust to make IPv6 work in our environment. When you are thinking about DNS services on your Apple server, you are most likely thinking “How does a FQDN get translated to this IP address”. The files that make this magic happen are located in your /var/named/ directory. You are going to have a file for each zone that starts with “db” (example db.newco.prv), which is the forwarding zone file. You will also have a “db.reverse.IP.in-addr.arpa” which is the IPv4 reverse zone file. There are two files that are “named.ca” and “named.local” that you can ignore as this is used for listing DNS root servers and your localhost environment respectively.

Inside my db.newco.prv zone I have three DNS entries with their associated IP address:

ldap.newco.prv is linked to IP address 192.168.1.150
jss.newco.prv is linked to IP address 192.168.1.151
cp.newco.prv is linked to IP address 192.168.1.152

If I wanted my ldap.newco.prv server to link to an IPv6 address, we need to update our db.newco.prv by duplicating the line that references ldap, jss, cp; and substitute our IPv4 address with our IPv6 address, PLUS make sure that the “A” record is now references as “AAAA”. My updated db.newco.prv zone would look like this (this is not the full db.newco.prv zone file, just the snippet that was updated):

ldap.newco.prv.                       10800 IN A        192.168.1.150
ldap.newco.prv.                       10800 IN AAAA     fe80::20c:29ff:fe21:28a9
jss.newco.prv.                        10800 IN A        192.168.1.151
jss.newco.prv.                        10800 IN AAAA     fe80::20c:29ff:fe39:d6c
cp.newco.prv.                         10800 IN A        192.168.1.152
cp.newco.prv.                         10800 IN AAAA     fe80::20c:29ff:fed0:c01

Notice that all of my IPv6 records start with “fe80″. These are known as “link-local” IPv6 address and are treated the same way as 192.168.0.0/16, 172.16-32.0.0/16, and 10.0.0.0/8 in that they are not internet routable, they are only for your local network.

Now for the reverse record.

Just like IPv4 we need to reverse your IPv6 record, however, it seems like it’s not as simple as making things backwards to be in compliance with ARPA needed structure to “lookup” your IPv6 address and find the associated DNS record. I found a great utility called ipv6calc that I was able to download, tar -xvzf; ./compile; make; sudo make install that will spit out the reverse IPv6 ARPA name.

justinrummel@jrummel-mbp:~$ ipv6calc --in ipv6addr --out revnibbles.arpa fe80::20c:29ff:fe21:28a9
9.a.8.2.1.2.e.f.f.f.9.2.c.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
justinrummel@jrummel-mbp:~$ ipv6calc --in ipv6addr --out revnibbles.arpa fe80::20c:29ff:fe39:d6c
c.6.d.0.9.3.e.f.f.f.9.2.c.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
justinrummel@jrummel-mbp:~$ ipv6calc --in ipv6addr --out revnibbles.arpa fe80::20c:29ff:fed0:c01
1.0.c.0.0.d.e.f.f.f.9.2.c.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.

Since these are link-local, you can see that at a certain point the numbers become repetitive. Lets make things easy by cutting the “last half” of the string (minus the “.ipv6.arpa.” at the end) and this will become our reverse zone (later in this article), and in for our reverse zone file’s “$ORIGIN” section.

justinrummel@jrummel-mbp:~$ ipv6calc --in ipv6addr --out revnibbles.arpa fe80::20c:29ff:fed0:c01 | sed 's/.ip6.arpa.//' | cut -c 33-64
0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f

Now it’s time to create our new reverse IPv6 DNS zone file so we can translate our ARPA values to DNS names. Lets name the file “reverse-v6-fe80-64.IP6.ARPA” as this tells us it’s the reverse IPv6 file for link-local (fe80) addresses. There is really no good way to do this other than copy/paste my example below and adjust your own values.

$TTL 3d	; Default TTL (bind 8 needs this, bind 9 ignores it)
@ 	IN SOA 0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.      helpdeskEmail.newco.prv. (
		201201210  	; Serial number (YYYYMMdd)
		24h		; Refresh time
		30m		; Retry time
		2d		; Expire time
		3d		; Default TTL (bind 8 ignores this, bind 9 needs it)
)

                                ; Name server entries
                                IN     NS     dns1.newco.prv.
                                IN     NS     dns2.newco.prv.

$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
9.a.8.2.1.2.e.f.f.f.9.2.c.0.2.0         IN      PTR     ldap.newco.prv.
c.6.d.0.9.3.e.f.f.f.9.2.c.0.2.0         IN      PTR     jss.newco.prv.
1.0.c.0.0.d.e.f.f.f.9.2.c.0.2.0         IN      PTR     cp.newco.prv.

Notice our bits 33-64 (which is what we received from the above sed / cut one liner) from our link-local values in the “$ORIGIN” section and bits 1-31 is only being references for our IPv6 to DNS name value. Now that we have our DNS forward and reverse zones files updated and created, we need to set the BIND configuration file to use our new IPv6 records.

/etc/named.conf

Your named.conf file is going to list each of your DNS zones that your server provides along with security settings and environment records for replication between multiple DNS servers. Think of your named.conf file as a configuration file that points to the “real data” versus housing any true information. In my test environment’s /etc/named.conf file I have five forwarding zones (the for domains I host plus “localhost”).

The good news is we don’t need to add an IPv6 forwarding zone because we just updated our forward zone file “db.newco.prv” with the new AAAA records. However, we need to add a new zone to the named.conf file so it can find our reverse IPv6 zone as that was just created.

A zone file is constructed of these sections:

Its type
The zone file name
If you can transfer the zone information (to a slave DNS that you control)
If the slave can update the zone files

To make things easy, open your /etc/named.conf file and find the line with view “com.apple.ServerAdmin.DNS.public” and add this information below:

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa" {
		type master;
		file "reverse-v6-fe80-64.IP6.ARPA";
		allow-transfer {
			com.apple.ServerAdmin.DNS.public;
		};
		allow-update {
			none;
		};
	};

What this is doing is adding the reverse zone “0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f” which was created from bits 33-64 in our IPv6 to ARPA conversion. It’s also stating that this is the master DNS record, and information can be propagated to any DNS slaves that may be running in my house (if you don’t have a DNS slave, use “none”). Notice I’m not allowing any updates by my slave as this is best practice. Lastly, there is a file setting that uses the same name that we gave our file within /var/named/ of “reverse-v6-fe80-64.IP6.ARPA”.

Test

There you go, everything is now configured time to test. Don’t forget, we did this all when DNS was stopped, we need to run sudo serveradmin start dns and we can watch our logs by doing a “tail -F /Library/Logs/named.log” to make sure we don’t see any “errors” or “ignore” warnings. Once you are confident in that DNS is running again, start checking your DNS entries by using the host and ping6 commands.

justinrummel@jrummel-mbp:~$ host cp.newco.prv
ldap.newco.prv has address 192.168.1.152
ldap.newco.prv has IPv6 address fe80::20c:29ff:fed0:c01

justinrummel@jrummel-mbp:~$ host 192.168.1.152
150.1.168.192.in-addr.arpa domain name pointer cp.newco.prv.

justinrummel@jrummel-mbp:~$ host fe80::20c:29ff:fed0:c01
1.0.c.0.0.d.e.f.f.f.9.2.c.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa domain name pointer cp.newco.prv.

justinrummel@jrummel-mbp:~$ ping6 -I en0 -c 1 jss.newco.prv
PING6(56=40+8+8 bytes) fe80::225:bcff:fedc:9924%en0 --> fe80::20c:29ff:fe39:d6c
16 bytes from fe80::20c:29ff:fe39:d6c%en0, icmp_seq=0 hlim=255 time=0.618 ms

--- jss.newco.prv ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.618/0.618/0.618/0.000 ms
justinrummel@jrummel-mbp:~$

Conclusion

Hopefully Apple will soon give us the capabilities of setting IPv6 records within Server Admin sometime in the near future as it will become important as operating systems and networks progress and fully utilize IPv6. And don’t forget on June 6th 2012 we’ll be celebrating World IPv6 Launch: this time it’s for real

If you have any troubles with your IPv6 values not returning, my guess there is something minor such as one to many zeros in your IPv6 ARPA zone name and/or you have a simple typo. I’ll try to help as much as I can if there are any questions.

Sources

Mac OS X Advanced System Administration v10.5: http://www.amazon.com/Apple-Training-Advanced-System-Administration/dp/032156314X
ipv6calc: http://mirrors.bieringer.de/www.deepspace6.net/projects/ipv6calc.html#id1506183
IPv6 Converter: http://ipv6-literal.com/
IPv6 Reverse DNS Zone Builder: http://www.fpsn.net/tools&tool=ipv6-inaddr
IPv6 REVERSE ZONE BUILDER: http://captaingeek.net/ipv6-zone-builder/

Working With IPv6 and Mac OS X

Justin Rummel — Mon, 23 Jan 2012 17:00:46 +0000

What is IPv6?

I don’t feel that anyone reading this in 2012 has never heard of IPv6. The easiest way to put it it’s a combinations of HEX values to make a big ugly “thing” that represents your computer. IPv4 was simple; four octets made up of a value from 0-255; thus 192.168.1.111. IPv6 takes this to a new other level. From Wikipedia:

IPv6 addresses have two logical parts: a 64-bit network prefix, and a 64-bit host address part. (The host address is often automatically generated from the interface MAC address.[37]) An IPv6 address is represented by 8 groups of 16-bit hexadecimal values separated by colons (:) shown as follows:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
The hexadecimal digits are case-insensitive.

The 128-bit IPv6 address can be abbreviated with the following rules:
Rule one: Leading zeroes within a 16-bit value may be omitted. For example, the address
fe80:0000:0000:0000:0202:b3ff:fe1e:8329
may be written as
fe80:0:0:0:202:b3ff:fe1e:8329
Rule two: One group of consecutive zeroes within an address may be replaced by a double colon. For example,
fe80:0:0:0:202:b3ff:fe1e:8329
becomes
fe80::202:b3ff:fe1e:8329
A single IPv6 address can be represented in several different ways, such as 2001:db8::1:0:0:1 and 2001:0DB8:0:0:1::1. RFC 5952 recommends a canonical textual representation

How do I get an IPv6 Address on Lion

You most likely already have one! If you navigate to System Preferences => Network and click on the “Advance…” button on your Ethernet settings, you should see “Configure IPv6″ and it’s set to automatic. You’re DONE!

Now, finding is your IPv6 address is another story. The best way to discover your IPv6 address is running the following command in Terminal:

ifconfig en0

You should get back something like the following:

justinrummel@jrummel-mbp:~$ ifconfig en0
en0: flags=8863 mtu 1500
	options=27
	ether 00:25:bc:dc:99:24
	inet6 fe80::225:bcff:fedc:9924%en0 prefixlen 64 scopeid 0x4
	inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255
	media: autoselect (1000baseT )
	status: active

You can see the inet6 value that starts with the hex values “fe80″, that is my IPv6 address. Notice at the end of that string is “%en0″, you don’t need that part. An easy way only to get the IPv6 Address in one line could be:

ifconfig en0 | grep inet6 | awk -F " " '{print $2}' | sed 's/%en0//'

How to test IPv6 on your local network

Normally to test if a computer is on your network you would initiate a “ping” to the IP address of your target machine. IPv6 has the same capabilities, however, the function is not embedded into the “ping” command… it’s now “ping6″!

The interesting part of ping6 is that you have to declare the interface you are using to send the command. So on a standard Mac machine (and non-MB Air), you have two interfaces to choose from:

Ethernet: en0
WiFi (f.k.a AirPort): en1

So if I wanted to ping from my laptop to a target machine IPv6 address of “fe80::c62c:3ff:fe21:cc0e”, I would perform a ping6 the following:

justinrummel@jrummel-mbp:~$ ping6 -I en0 -c 1 fe80::c62c:3ff:fe21:cc0e
PING6(56=40+8+8 bytes) fe80::225:bcff:fedc:9924%en0 --> fe80::c62c:3ff:fe21:cc0e
16 bytes from fe80::c62c:3ff:fe21:cc0e%en0, icmp_seq=0 hlim=64 time=0.406 ms

--- fe80::c62c:3ff:fe21:cc0e ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.406/0.406/0.406/0.000 ms

Sources

http://en.wikipedia.org/wiki/IPv6#Address_Format – Wikipedia IPv6
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/ping6.8.html – ping6 man page

IT851: How Lion Has Changed Mac OS X: Services, Features & Capabilities

Justin Rummel — Sat, 21 Jan 2012 15:00:19 +0000

MacIT® Conference

Friday, January 27, 2012 (10:20am – 11:05am)

Overview
This discussion will review the major changes between Snow Leopard and Lion, and what it takes to configure these services. There are many changes in Lion–some subtle, and some no so subtle. In either case, though, an admin needs to be aware of the changes and how it impacts them. There are changes in Directory Services, Kerberos, Database Services, Server Control, Machine Management and more. Lion is growing to be a major change vs. little differences that was experienced from Leopard to Snow Leopard. It will be easier to grasp seeing what was once performed is now accomplished by “this new process”.

Kiana and Buckland Alaska

Justin Rummel — Wed, 30 Nov 2011 20:05:15 +0000

During the week of November 14th, 2011, through the combination of Qivliq Village Partnerships and the NANA BWISE program I was able to visited two villages within the Northwest Arctic: Kiana and Buckland.

I really do enjoy these trips to the Northwest Arctic, even when the “high” temperature is about zero degrees, with the coldest always around 7am which hit -25 degrees (just another day in paradise). During this time several items were achieved:

A short 1hr discussion with several middle school and hight school classes on Technology Jobs (which included: Helpdesk, Call Center Staff, System Administrator, Integrator, Instructor, Developer, and Subject Matter Expert.) Included in this discussion were key items when a business is hiring that ranged from Higher Education, industry standard Certificates, and portraying NANA values during interviews (Respect for Others, Hard Work, and Hunter Success).
A Presentation Skills all-day training session was provided that took students from start to finish on collecting, outlining, creating and presenting a presentation to others. This year, our training focused on teaching parents and elders a “Macintosh Computers: a first time experience) assuming they have either a) never touch a Mac, or b) never touched a computer.
Lastly, during both the short 1hr discussions and at the end of the Macintosh Computers presentation; I was able to remind people to watch nana.com for Jobs, Scholarships, and for Internship announcements in January. We were also able to guide a few parents for their first time experience with Powerschool (an online real-time grade and attendance record keeping that is used throughout the school district).

MacTech Conference 2011

Justin Rummel — Wed, 30 Nov 2011 19:54:59 +0000

Wow… I’ve been slacking off on writing posts. I know I’m highly overdue on S/MIME on iOS, I’ll be working on that soon… just finding a few snags and using MDM deployments. For now here are several sets of pictures I’ve been taking over the past month.

Compared to last year’s collection, these are weak except for the landscape pictures I was able to take out of the airplane window traveling to CA and returning home to DC. MacTech was an awesome conference and I hope to present again next year!

Apple’s Built-in Anti-Virus: XProtect

Justin Rummel — Tue, 01 Nov 2011 16:17:43 +0000

Today, Intego announced of a new trojan designed for the Mac dubbed “DevilRobber”.

You can read Intego’s site (or many other sites posting about this trojan), but I wanted to remind everyone that there is a built-in anti-virus software within updated versions of Snow Leopard (version 10.6.7 with Security Update 2011-003 OR greater) and Lion called XProtect.

Xprotect is enabled by going to System Preferences => Security => General tab and check the “Automatically update safe downloads list”. If you ever want to update your list, just uncheck / recheck the option.

(Notice, my settings may look different from yours as I have FileVault enabled along with other MCX settings. The safe downloads list is what’s important for this article.)

However, let’s get a little more information from Xprotect.

If we run to following command “today” (11/1/2011 @ 11am Eastern), we get the following results:

/usr/libexec/PlistBuddy -c "print LastModification" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
Tue, 11 Oct 2011 16:20:51 GMT

This tells us that our anti-virus dictionary file has not been updated since Oct 11th of 2011. In order to update your dictionary, you can use the above check / recheck method or:

/usr/libexec/XProtectUpdater

You will notice that as of right now the XPotect meta file timestamp has not change. I assume Apple will soon update this file to protect Mac users from DevilRobber, or any other future trojan/virus that gets created. We’re just dependent on Apple to update their dictionary just the same as Intego / Sophos / etc users are dependent on their paid software to update their dictionary file. Once the file is updated, you should get a similar result for MacDefender.

cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist | grep MacDefender

### Update
XProtect.plist file has been updated as of Nov 1st, 2011, and if you grep for “Devil” you will get a response of “OSX.DevilRobber.A”. Pretty quick (and automatically done) as the announcement was on Nov 1st.

Niagara Falls

Justin Rummel — Wed, 05 Oct 2011 20:47:05 +0000

For the past couple of weeks, I’ve been in Niagara Falls, NY for a client. I have never seen the falls or have been to Canada, so it was fun to check both of those items off my life’s to-do list, and in the process took some pictures.

For the pictures I knew I wanted to get the long exposure for the water coming down the falls, however, it was harder at night to get the right balance between getting enough light to even see the falls vs. washing out everything. In the end I used a high ISO of 1600 and half second shutter speed. I would have preferred to use ISO 200 (or 100 if possible) to reduce the noise in the pictures. For future note, these pictures are from the US side of the falls, the Canadian side is better for viewing the falls (just haven’t been there at night… not yet at least).

Check www.niagaraparks.com/attractions/falls-illumination.html for the light’s schedule.

Remove Diginotar CA Certificate

Justin Rummel — Wed, 31 Aug 2011 12:32:31 +0000

First, I want to say thanks to Edward Marczak for his original post on how to remove the Diginotar CA Certificate, and his forward thinking about how to do this from a System Admin perspective. I wanted to add a few more bits of info to his post to better explain the security command.

In Ed’s post, he states to run this command:

sudo /usr/bin/security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain

So the “-Z” flag is telling they system to search based on the SHA-1 has value of the certificate. How do you know this is the correct certificate? By using the find-certificate operation.

/usr/bin/security find-certificate -Z -e "info@diginotar.nl" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA | awk -F ": " '{print $2}'

In the command above, I’m asking the security command to find the certificate with the email address with the “-e” flag. The “-Z” flag in this command states to print out the SHA-1 has value. At the end I’m using “grep” to filter all the other information that comes with displaying your certificate information via Terminal then “awk” to only return the hash value. This way you can have some logic to ensure that you system find the correct certificate to delete vs. taking information from a website and fully trusting the instructions (no offense to Ed, it is just a good practice to perform sanity checks).

#!/bin/sh
BADDIGI=$(/usr/bin/security find-certificate -Z -e "info@diginotar.nl" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA | awk -F ": " '{print $2}')
echo "Going to delete: $BADDIGI\n"
sudo /usr/bin/security delete-certificate -Z "$BADDIGI" /System/Library/Keychains/SystemRootCertificates.keychain

So the obvious question from the above command is “How do I know info@diginotar.nl was the correct email”? Simple, I checked Keychain Access.

If you open Keychain Access (located in /Applications/Utilities/), do a search for Diginotar (you will get one value in return as seen below). Right click the certificate and select “Get Info”.

Built-in Hidden Command Line Tools: Stroke and Airport

Justin Rummel — Wed, 03 Aug 2011 15:22:06 +0000

These tools are nothing new as they were available in Snow Leopard (and I believe Leopard, just can’t check), but they are fun little tools just in case you don’t have Apple’s Xcode [iTunes link] installed or MacPorts available on your computer.

Port Scanning with stroke

So you want to perform a port scan, but you are missing the more powerful nmap command that can be installed via MacPorts or compiled from insecure.org. In order to use the command, open Terminal and cd to the /Applications/Utilities/Network\ Utility.app/Contents/Resources/ directory, then type ./stoke

justinrummel@JRummel-MBP:Resources$ ./stroke
2011-08-02 12:46:09.315 stroke[45023:707] stroke address startPort endPort

The help information for stoke is very short, mostly because this is a one trick pony. You can enter your address (IP or FQDN), a starting port number, and end port number, then off you go! A good port to start with is 20 and end somewhere around 10000. Yes you can go higher to 65535, but it will just take longer. So for example:

justinrummel@JRummel-MBP:Resources$ ./stroke 192.168.1.111 20 10000
Port Scanning host: 192.168.1.111
     Open TCP Port: 22 ssh
     Open TCP Port: 25 smtp
     Open TCP Port: 53 domain
     Open TCP Port: 80 http
     Open TCP Port: 88 kerberos
     Open TCP Port: 106 3com-tsmux
     Open TCP Port: 143 imap
     Open TCP Port: 311 asip-webadmin
     Open TCP Port: 389 ldap
     Open TCP Port: 443 https
     Open TCP Port: 464 kpasswd
     Open TCP Port: 587 submission
     Open TCP Port: 625 dec_dlm
     Open TCP Port: 749 kerberos-adm
     Open TCP Port: 993 imaps
     Open TCP Port: 2000 callbook
     Open TCP Port: 2336 appleugcontrol
     Open TCP Port: 3659 apple-sasl
     Open TCP Port: 4190 sieve
     Open TCP Port: 5204
     Open TCP Port: 5220
     Open TCP Port: 5268
     Open TCP Port: 5900 rfb
     Open TCP Port: 8088 radan-http

Things you can’t do for people who use nmap include fingerprinting, service information, comma separated for a select ports to scan vs. the whole spectrum. If you find a port number and are not sure what it’s used for, check the Apple kbase article Well known TCP and UDP ports used by Apple software products.

Wireless discovery with airport

The airport command is more powerful than stroke as you are able to use this for preferences setting, network scanning, or packet capturing! First lets find the command by cd to the /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/ directory, then type ./airport

If you just typed that out… you’ll notice a long list of options for this command. More than I want to copy and paste for this post, and much more than stroke!

If you need to capture the available wireless networks that are at your current location, we’ll use the “-s” flag for scanning available Wi-Fi networks.

justinrummel@JRummel-MBP:Resources$ ./airport -s
SSID    BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
hhonors 00:1a:a2:82:2d:90 -90     4    N -- NONE
hhonors 00:16:46:2c:41:40 -89    11    N -- NONE
hhonors 00:16:46:2c:43:00 -78     6    N -- NONE
hhonors 00:1a:a2:82:30:10 -50     6    N -- NONE
hhonors 00:16:46:2c:42:60 -83     1    N -- NONE
hhonors 00:16:46:2c:42:20 -63     1    N -- NONE
hhonors 00:1b:2a:95:52:70 -75    11    N -- NONE

From my Hilton hotel, you can see there are 7 Access Points (AP) that are near my room, all with the SSID of “hhonors”. We can also see that there is one bad AP that is running on channel 4. If you were not aware, enjoy this 802.11 101 lesson only use channels 1, 6, and 11 for “g” service (“n” has more channels and are higher numbers, but that discussion is for another post. So if I connect to the “hhonors” network, how do I know which AP I really connected to. My guess would be the one with RSSI value of -50 because that is the strongs single. Think of RSSI as golf; the lower the better.

If you need to see information about your current wireless network, you can use the “-I” flag.

justinrummel@JRummel-MBP:Resources$ ./airport -I
     agrCtlRSSI: -51
     agrExtRSSI: 0
    agrCtlNoise: -90
    agrExtNoise: 0
          state: running
        op mode: station
     lastTxRate: 54
        maxRate: 54
lastAssocStatus: 0
    802.11 auth: open
      link auth: none
          BSSID: 0:1a:a2:82:30:10
           SSID: hhonors
            MCS: -1
        channel: 6

Once connected to “hhonors”, the “-I” flag gave me the BSSID of “0:1a:a2:82:30:10″ which matches the previous command results using the “-s” flag who’s RSSI of -50.

What else can you do with the airport command? How about this awesome list:

DisconnectOnLogout
Automatic Joining
Remembering Recent Networks
Requiring an Admin account to make changes

These options should look somewhat familiar as if you check out the System Preferences => Network => Wi-Fi you would see the same checkboxes. This gives you the option of changing your settings by SSH or a script later in time.

Wi-Fi Network Settings

Wi-Fi Network Options

MacTech Conference 2011 – How Lion Has Changed Mac OS X: Services, Features, and Capabilities

Justin Rummel — Sat, 30 Jul 2011 16:53:49 +0000

I’ll be speaking at MacTech Conference 2011 which runs November 2-4 in Los Angeles with Randy Saeks!

This discussion will review the major changes between Snow Leopard and Lion, and what it takes to configure these services. There are many changes in Lion–some subtle, and some no so subtle. In either case, though, an admin needs to be aware of the changes and how it impacts them. There are changes in Directory Services, Kerberos, Database Services, Server Control, Machine Management and more. Lion is growing to be a major change vs. little differences that was experienced from Leopard to Snow Leopard. It will be easier to grasp seeing what was once performed is now accomplished by “this new process”.

You can see the entire list of speakers at http://www.mactech.com/conference/sessions