
Windows XP Admin Tips ~ network ~ 1

Windows XP Admin Tips


- network -

1. Avoiding APIPA

• Created on Jul 27, 2006.
• Last Modified on Nov 07, 2006.
• Last Modified by Mitch Tulloch.

How to avoid problems arising from APIPA

Windows XP computers can be assigned IP addresses in two ways: manually using static
addresses or automatically using DHCP. If your computer is configured to use DHCP,
however, a problem can occur if the DHCP server is down when your computer needs to
renew its lease. This typically happens if you reboot your computer while the DHCP server
is unavailable; in this case Windows XP uses Automatic IP Address Allocation
(APIPA) to automatically assign itself an address of the form 169.254.x.y. Once your
computer has this address, however, it typically can't communicate on the network
anymore.

To prevent this kind of situation, you can assign your computer an alternate IP address
to fall back on when it can't contact a DHCP server to lease an address. This is done
on the Alternate Configuration tab of the TCP/IP properties for your computer's Local
Area Connection. A typical case is a laptop that uses DHCP at home to obtain an IP
address from your ISP. If you sometimes take the laptop to work and your workplace is a
small business that uses static addressing instead of DHCP, you can assign your computer
a static address on the Alternate Configuration tab so that it can participate in your
work network when present at work. Note that the Alternate Configuration tab is only
visible when you've selected Obtain An IP Address Automatically on the General tab of
your TCP/IP Properties.

2. Using XP as a router

• Created on Mar 01, 2006.
• Last Modified on Mar 29, 2006.
• Last Modified by Mitch Tulloch.

A cheap and easy way of using an XP box as a router.

A cheap and easy way of adding a router to your network is to use a surplus PC with
Windows XP Professional installed on it. Just install an additional network card in the
box and then configure the registry setting below and Presto! Your XP box becomes able
to route (forward) IP packets from one interface to another.

Today is the best day to learn new things, try hard as much as u can.

Open Regedit and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Find the following registry value:

IPEnableRouter

Set this value to 1 to enable IP routing on the box.

After doing this, reboot the machine. You may also need to disable Windows Firewall on
the machine.

3. Reliable File and Folder Sharing in Windows XP

• Created on Aug 13, 2005.
• Last Modified on Sep 01, 2005.
• Last Modified by Varun Sud.

Explains how to share files and folders in Windows XP over a network. It was written
specifically because users in our college network had unpredictable results in sharing
files over LAN on Windows XP.

This tip is on sharing files and folders on a local network in Windows XP. It has been
tested on Windows XP Professional (with and without SP2).

Many users of WinXP have experienced difficulty in sharing files and folders over our
college network whether or not simple file sharing is enabled. The approach that I have
found to work consistently is:

1. Disable simple file sharing from My Computer --> Tools menu --> Folder Options -->
View tab --> Advanced Settings

2. Open Control Panel --> Administrative Tools --> Services. Enable the Server service
by setting its startup type to Automatic or Manual. This is a standard service needed for
sharing files and folders under WinXP.

3. Open Control Panel --> Administrative Tools --> Computer Management. Scroll to
System Tools --> Shared Folders --> Shares. From Action menu, select 'Add share' and
follow the instructions.

4. You may also want to add users to Administrator or other groups for shared folder
access. Under Computer Management, scroll to Local Users and Groups. To add a user to the
Administrator group, select the group name and choose Add from the Action menu. This can
also be used to add domain users as local admins.

Sharing files on computers directly connected to the Internet is not recommended. However,
restricting access to specific users using the above procedure mitigates security risks.

4. Map Your Network For Better Protection and Incident Response

• Created on Mar 07, 2005.
• Last Modified on Apr 01, 2005.
• Last Modified by Tony Bradley.

It is difficult to protect devices that you don't even know exist. In larger enterprises it is
very easy to lose track of the asset inventory which leads to complacency about rogue
devices. In order to effectively protect the network and to respond to incidents efficiently,
an updated asset inventory and network map should always be handy.

In an enterprise network with thousands or even tens of thousands of devices, it seems
like assets are constantly coming and going. When a site or department administrator sees
a new device they are likely to be complacent and simply assume that it belongs to
someone else in the enterprise rather than being suspicious of the rogue device.

Rogue or unknown devices that are added to the network are often missed in patch and
security update deployments and they can be a constant source of headaches when it
comes to trying to proactively protect and defend a large enterprise network.

If a security incident does occur, an updated and logically organized asset inventory,
combined with a current and accurate network map, will make response and forensic
investigation that much simpler. If a third party or law enforcement agencies are involved,
they will need an overview of the network architecture and environment in order to
conduct an investigation.

Policies should be written to define how new assets are added to the inventory and the
steps that must be taken to include them on the asset inventory and network map prior to
joining the network. But, no matter how foolproof that policy may be, it is virtually
inevitable that new, rogue devices will eventually appear on the network.

To detect the rogue devices and fight to enforce the policy and ward off complacency,
you can run periodic scans of the network using any of a wide variety of tools that can
scan and report back information regarding the network and the devices attached. Many
of the tools will report the IP address, MAC address, type of device or operating system
and more. Below are a few tools you can consider for network mapping:

• LANSurveyor from Neon Software
• Visio from Microsoft
• What's Up Gold from Ipswitch
• SuperScan from Foundstone
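
An added example (not part of the original tip): the reconciliation step behind such a periodic scan, comparing scan results against the asset inventory by MAC address. The CSV layouts, column names and sample rows are constructed assumptions, not the export format of any tool listed above.

```python
"""Reconcile a network scan against the asset inventory to surface rogue devices."""
import csv
import io
import re

# Constructed sample data; the column names are assumptions, not a real tool's export.
INVENTORY_CSV = """mac,owner,hostname
00:11:22:33:44:55,Finance,fin-ws-01
00:11:22:33:44:66,IT,it-print-01
00:11:22:33:44:77,Sales,sales-lt-03
"""

SCAN_CSV = """ip,mac,os_guess
10.10.10.21,00-11-22-33-44-55,Windows XP
10.10.10.30,0011.2233.4466,HP JetDirect
10.10.10.31,00:11:22:33:44:66,HP JetDirect
10.10.10.99,DE:AD:BE:EF:00:01,Linux 2.6
"""


def normalize_mac(raw):
    """Reduce 00:11:.., 00-11-.. and 0011.2233.4455 notations to 12 hex digits."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % raw)
    return digits


def load_rows(text):
    """Read CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_rows, scan_rows):
    """Return rogue devices, inventory entries not seen, and MACs seen at several IPs."""
    known = {normalize_mac(r["mac"]): r for r in inventory_rows}
    seen = {}
    for row in scan_rows:
        seen.setdefault(normalize_mac(row["mac"]), []).append(row)

    # On the wire but not in the inventory: candidates for investigation.
    rogue = [r for mac in sorted(seen) if mac not in known for r in seen[mac]]
    # In the inventory but silent: powered off, removed, or a stale record.
    not_seen = [known[mac]["hostname"] for mac in sorted(known) if mac not in seen]
    # One MAC answering at several addresses: multihomed, re-leased, or cloned.
    multi_ip = {
        (known[mac]["hostname"] if mac in known else mac): sorted(r["ip"] for r in rows)
        for mac, rows in seen.items()
        if len({r["ip"] for r in rows}) > 1
    }
    return {"rogue": rogue, "not_seen": not_seen, "multi_ip": multi_ip}


if __name__ == "__main__":
    result = reconcile(load_rows(INVENTORY_CSV), load_rows(SCAN_CSV))
    for r in result["rogue"]:
        print("ROGUE     %s %s (%s)" % (r["ip"], r["mac"], r["os_guess"]))
    for host in result["not_seen"]:
        print("NOT SEEN  %s" % host)
    for host, ips in result["multi_ip"].items():
        print("MULTI-IP  %s at %s" % (host, ", ".join(ips)))
```

A MAC address can be changed by whoever controls the device, so a match against the inventory is a starting point for the map, not proof of identity.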

Tony Bradley is a consultant and writer with a focus on network security, antivirus and
incident response. He is the About.com Guide for Internet / Network Security
(http://netsecurity.about.com), providing a broad range of information security tips,
advice, reviews and information. Tony also contributes frequently to other industry
publications. For a complete list of his freelance contributions you can visit Essential
Computer Security (http://www.tonybradley.com).

5. Shared printer separator page for Windows 2000 and Windows XP

• Created on Mar 23, 2004.
• Last Modified on Dec 17, 2004.
• Last Modified by Wayne Maples.

If you are in a SOHO or company environment with shared printers, users may have
trouble separating their print jobs if several of them print in a row. The standard solution
is to use separator pages for shared printers. Windows 2000 and Windows XP include 4
pre-defined separator pages in the winnt\system32 directory:

• pcl.sep
Changes the printer to PCL mode and prints the separator page
• pscript.sep
Changes the printer to PostScript mode but does not print a separator page
• sysprint.sep
Changes the printer to PostScript mode and prints a separator page
• sysprtj.sep
variant of sysprint.sep but uses Japanese fonts if available

You implement a separator page by:

• Right-clicking the shared printer you want to add a separator page to
• Clicking Properties
• On the Advanced tab, clicking the "Separator Page" button
• Browsing to or entering the name of the separator page file

If you want to modify a .sep control file, the first line must be a single character which
defines the delimiter character (any character can be the delimiter). The following is pcl.sep:

\
\H1B\L%-12345X@PJL ENTER LANGUAGE=PCL
\H1B\L&l1T\0
\M\B\S\N\U
\U\LJob : \I
\U\LDate: \D
\U\LTime: \T
\E

The codes are (continuing to use \ as the delimiter):
\N : prints name of person submitting print job
\I : prints job number
\D : prints date (in format defined by Regional option of Control Panel)
\T : prints time (in format defined by Regional option of Control Panel)
\L : prints chars between code and next delimiter
\Ffqfn : prints contents of file specified by fqfn
\Hnn : prints printer specific control code where nn is in hex, \H1B is HP esc char
\Wnn : sets max width of separator page
\B\S : prints single-width block chars
\B\M : prints double-width block chars
\U : turns off block-char printing
\E : ejects current page
\n : skips n lines. Legal values are 0-9

6. Control default internet programs

• Created on Mar 22, 2004.
• Last Modified on Apr 20, 2004.
• Last Modified by Wayne Maples.

Do you have IE and Netscape installed? Both browsers check whether they are the
default browser. That is, if you click on a link in an application, let's say email, then the
default browser will start up even if the other browser is already running. If you want
Netscape to be the default browser and you want Internet Explorer to stop checking if it's
the default browser, you do that from Internet Options within the Control Panel. Open the
Programs tab and you will see the checkbox for "Internet browser should check to see
whether it is the default browser".

The Internet Options Programs tab also lets you select which programs Windows will use as
the default:

• HTML editor
• E-mail program
• Newsgroup program
• Internet call program
• Calendar
• Contact tool

When you check the pulldowns, there will be nothing there but the defaults unless you
have installed a program which registers itself for the task. For example, if you install the
full Outlook, it will show up in the pulldowns for email and newsgroup programs. I
installed Ultraedit and it set itself as my default editor. The pulldown then had the options
of Notepad and Ultraedit. After installing Outlook 2000, I had pulldown options of
Outlook and Outlook Express for email and newsgroup. After installing Freeagent,
which is the best newsgroup reader around, I had the options of Agent and Outlook.

There is a "Reset Web Settings" button to return Windows to its original defaults:

• HTML editor : Notepad
• E-mail program : Outlook Express
• Newsgroup program : Outlook Express
• Internet call program : Netmeeting
• Calendar : none
• Contact tool : Address Book

This should work in all versions of Windows including Windows 95, Windows 98,
Windows ME, Windows NT, Windows 2000 and Windows XP.

7. Give XP ability to search Active Directory

• Created on Mar 23, 2004.
• Last Modified on Apr 20, 2004.
• Last Modified by Wayne Maples.

Out of the box, Windows XP Pro does not have Windows 2000's capability to search the
Active Directory. To put it back: create a shortcut icon on the desktop to run the
following command: rundll32 dsquery,OpenQueryWindow .

Rundll32.exe is an application included with Windows that executes functions in
dynamic link libraries (DLLs). Most applications (and Windows) use DLLs to share code
between multiple applications or multiple modules within a single application. There are
lots of other tasks you can accomplish with Rundll32.exe. You can execute these
commands from a console or incorporate them into scripts or batch files to help you
quickly access certain features in the user interface for configuring the operating system
or hardware.

The following command starts the Add Printer Wizard:
Rundll32.exe printui.dll,PrintUIEntry /il

If you want to add a standard TCP/IP port for printing, use this command:
Rundll32.exe tcpmonui.dll,LocalAddPortUI

You can easily create new shared folders through the New Share dialog box. Use this
command to open it:
Rundll32.exe ntlanui.dll,ShareCreate

Another function you can access through Ntlanui.dll is the Shared Directories dialog box.
Here's how to open it:
Rundll32.exe ntlanui.dll,ShareManage

Note:
This Windows XP tip applies only when you are running Windows Explorer in Classic
Mode. If you go Tools --> Folder Options --> General tab and select "Show common
tasks in Windows" then you'll see a link called "Search Active Directory" under
Network Tasks. Clicking on this link will then bring up the familiar Active Directory
search interface.

8. Do it yourself WHOIS command

• Created on Mar 17, 2004.
• Last Modified on Apr 20, 2004.
• Last Modified by Wayne Maples.

If you have your own web site with a registered name, you should be familiar with the
WHOIS utility. You can search by web address, NIC handle, or IP address. whois is
available as a command-line utility in Unix. There are also web versions:

• Networksolutions
• Whois.net

Although NT does not come with whois, you can create your own version using a batch
file:

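Contents of WHOIS.cmd:

@echo off
rem Open the Network Solutions whois lookup for the name given as the first argument
start http://www.networksolutions.com/cgi-bin/mcwho/whois?STRING=%1

-or-

@echo off
rem Open the Whois.net lookup for the name given as the first argument
start http://www.whois.net/search.cgi2?str=%1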

The first version uses the whois lookup from Networksolutions whereas the second
version uses the whois lookup from Whois.net. Copy the batch file to somewhere in your
path, for example, the %systemroot%\system32 folder. Because I have a lot of these
small scripts and batch files, I created a %systemroot%\bin folder and placed it in the
path. To look up the whois info for microsoft.com, use the command line:

whois microsoft.com

The results are:

Registrant:
Microsoft Corporation (MICROSOFT-DOM)
1 microsoft way
redmond, WA 98052
US

Domain Name: MICROSOFT.COM

Administrative Contact:
Microsoft Hostmaster (MH37-ORG) msnhst@MICROSOFT.COM
Microsoft Corp
One Microsoft Way
Redmond, WA 98052
US
425 882 8080
Fax- - - .: 206 703 2641
Technical Contact:
MSN NOC (MN5-ORG) msnnoc@MICROSOFT.COM
Microsoft Corp
One Microsoft Way
Redmond, WA 98052
US
425 882 8080
Fax- PATH
Billing Contact:
idNames, Accounting (IA90-ORG) accounting@IDNAMES.COM
idNames from Network Solutions, Inc
440 Benmar
Suite #3325
Houston, TX 77060
US
703-742-4777
Fax 281-447-1160

Record last updated on 19-Mar-2001.
Record expires on 03-May-2010.
Record created on 02-May-1991.
Database last updated on 23-Apr-2001 10:05:00 EDT.

Domain servers in listed order:

DNS4.CP.MSFT.NET 207.46.138.11
DNS5.CP.MSFT.NET 207.46.138.12
DNS2.TK.MSFT.NET 207.46.232.38
DNS1.TK.MSFT.NET 207.46.232.37
DNS3.UK.MSFT.NET 213.199.144.151

9. DNSLint can verify DNS records

• Created on Mar 23, 2004.
• Last Modified on Apr 20, 2004.
• Last Modified by Wayne Maples.

DNSLint is a command-line Microsoft utility designed to help you diagnose common
DNS name resolution issues. DNSLint can be downloaded from the Microsoft Download
Center. DNSLint has three functions that verify Domain Name System (DNS) records
and generate an HTML report. The three functions are:

• dnslint /d: This diagnoses potential causes of "lame delegation" and other related
DNS problems.
• dnslint /ql: This verifies a user-defined set of DNS records on multiple DNS
servers.
• dnslint /ad: This verifies DNS records specifically used for Active Directory
replication.

DNSLint syntax is:

dnslint /d domain_name | /ad [LDAP_IP_address] | /ql input_file
[/c [smtp,pop,imap]] [/no_open] [/r report_name]
[/t] [/test_tcp] [/s DNS_IP_address] [/v] [/y]

10. Change the Logon Window and the Shutdown Preferences in Windows XP

• Created on Mar 23, 2004.
• Last Modified on Apr 20, 2004.
• Last Modified by Wayne Maples.

INTRODUCTION
The Windows Setup program configures Microsoft Windows XP to use the friendly
Welcome logon screen and the shutdown buttons if your computer is installed as a home
computer. A home computer is a computer that does not specify a network domain.

This article describes how to use the classic logon screen that Windows XP-based
computers use when they are joined to a domain. The classic logon screen looks similar
to the following example:
Log On to Windows
User name: _____________
Password: _____________

MORE INFORMATION

Use the classic logon screen

To temporarily use the classic logon screen, press CTRL+ALT+DEL two times on the
Welcome logon screen.

To configure Windows XP to use the classic logon and shutdown screens for every logon
session, follow these steps:
1. Click Start, and then click Control Panel.
2. Double-click User Accounts.
3. Click Change the way users log on or off.
4. Clear the Use the Welcome screen check box.
Note If you turn off the Welcome logon screen, you also turn off the Fast User
Switching option.

Require users to press CTRL+ALT+DEL before the classic logon screen appears

Warning If you use Registry Editor incorrectly, you may cause serious problems that
may require you to reinstall your operating system. Microsoft cannot guarantee that you
can solve problems that result from using Registry Editor incorrectly. Use Registry Editor
at your own risk.

If you want users to have to press CTRL+ALT+DEL before the classic logon appears,
as on a Windows XP-based computer that is joined to a domain, follow these steps:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Click the Winlogon subkey at the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Click Edit, click New, and then click DWORD value.
4. To change the value name, type DisableCAD, and then press ENTER.
5. Keep the data value set to 0. The data value appears as 0x00000000(0).

11. HOW TO: Change the Logon Screen Saver in Windows

SUMMARY
Warning Serious problems might occur if you modify the registry incorrectly by using
Registry Editor or by using another method. These problems might require that you
reinstall your operating system. Microsoft cannot guarantee that these problems can be
solved. Modify the registry at your own risk.

This step-by-step article describes how to change the default logon screen saver. When
you start Windows, a Begin Logon dialog box prompts you to press CTRL+ALT+DEL to log
on. By default, if you do not press a key for 15 minutes, the Windows logon screen saver
(Logon.scr) starts.

Change the logon screen saver

1. Click Start, click Run, type regedt32, and click OK.
2. Locate the following registry key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
3. In the Details pane, double-click the SCRNSAVE.EXE string value item.
4. In the Value data box, type the path and name of the screen saver, and then click OK.
Important Make sure that you specify the path correctly to the screen saver. If the
screen saver is located in %SystemRoot%\System32, the explicit path is not required.

You have now changed the logon screen saver.

Change the logon screen saver timeout time

You can also change the amount of time that elapses before the logon screen saver starts.
The default is 900 seconds (15 minutes).

To change the length of time before the logon screen saver starts, follow these steps:
1. Click Start, click Run, type regedt32, and then click OK.
2. Locate the following registry key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
3. In the Details pane, double-click the ScreenSaveTimeOut string value item.
4. In the Value data box, type the number of seconds, and then click OK.

You have now changed the length of time that elapses before the logon screen saver
starts.

Disable the logon screen saver

To disable the logon screen saver, follow these steps:
1. Click Start, click Run, type regedt32, and then click OK.
2. Locate the following registry key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
3. In the Details pane, double-click the ScreenSaveActive string value item.
4. In the Value data box, replace the number 1 with the number 0, and then click OK.

You have now disabled the logon screen saver.

APPLIES TO
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Professional Edition
• Microsoft Windows 2000 Datacenter Server

12. Toggle XP logon to Windows 2000 logon mode

Windows XP Logon sports a new look and feel. If you prefer the Windows 2000 Logon,
you can toggle to the W2K/NT logon style screen:

• Press and hold the Alt + Ctrl keys
• Press the Delete key twice

You can flip back by pressing the Esc key.

13. Manage the DNS resolver cache with IPCONFIG

W2K and XP's workstation DNS client resolves host names to support web browsers,
mail clients, and other apps where you use a host name rather than an IP address. The
Windows DNS resolver caches the results of DNS queries, including queries that fail to
resolve. Each DNS record has a time-to-live (TTL) value that determines when the record
should be refreshed with another query. Until the TTL expires, Windows will respond
with the cached result rather than perform a new query.

What this means is that when you're troubleshooting connection and DNS problems, it's
important to flush the DNS cache and force Windows to generate a new query. ipconfig
can be used to view and/or clear the resolver cache, among other things. The following
command displays the contents of the resolver cache:

E:\Documents and Settings\Wayne>ipconfig /displaydns

Windows IP Configuration

Record Name . . . . . : udns1.ultradns.net
Record Type . . . . . : 1
Time To Live . . . . : 37577
Data Length . . . . . : 4
Section . . . . . . . : Additional
A (Host) Record . . . : 204.69.234.1

Record Name . . . . . : udns2.ultradns.net
Record Type . . . . . : 1
Time To Live . . . . : 37577
Data Length . . . . . : 4
Section . . . . . . . : Additional
A (Host) Record . . . : 204.74.101.1

dns.sprintip.com
----------------------------------------
Record Name . . . . . : dns.sprintip.com
Record Type . . . . . : 1
Time To Live . . . . : 230
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 208.25.104.7

dnsla.carsdirect.com
----------------------------------------
Record Name . . . . . : dnsla.carsdirect.com
Record Type . . . . . : 1
Time To Live . . . . : 1719
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 12.129.202.53

ns2.cts-bv.com
----------------------------------------
Record Name . . . . . : ns2.cts-bv.com
Record Type . . . . . : 1
Time To Live . . . . : 1194
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 193.173.159.212

1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 83255
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost

www.eastminsterdallas.org
----------------------------------------
Record Name . . . . . : www.eastminsterdallas.org
Record Type . . . . . : 1
Time To Live . . . . : 2083
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 207.70.181.116

stats.cts-bv.nl
----------------------------------------
Record Name . . . . . : stats.cts-bv.nl
Record Type . . . . . : 1
Time To Live . . . . : 1194
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 193.173.159.197

www.lynchwiles.com
----------------------------------------
Record Name . . . . . : www.lynchwiles.com
Record Type . . . . . : 1
Time To Live . . . . : 420
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 203.15.67.163

auth00.ns.uu.net
----------------------------------------
Record Name . . . . . : auth00.ns.uu.net
Record Type . . . . . : 1
Time To Live . . . . : 1961
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 198.6.1.65

ns-3.amazon.com
----------------------------------------
Record Name . . . . . : ns-3.amazon.com
Record Type . . . . . : 1
Time To Live . . . . : 1961
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 207.171.171.132

ns1.wdc.pnap.net
----------------------------------------
Record Name . . . . . : NS1.WDC.PNAP.NET
Record Type . . . . . : 1
Time To Live . . . . : 859
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 216.52.126.1

www.is-it-true.org
----------------------------------------
Record Name . . . . . : www.is-it-true.org
Record Type . . . . . : 1
Time To Live . . . . : 27814
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 66.34.10.74

Section . . . . . . . : Additional
A (Host) Record . . . : 216.221.160.10

Use this command to flush the resolver cache:

ipconfig /flushdns
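
An added example (not part of the original tip): /flushdns discards the cache, so anyone who wants the cached names as a record of what the machine resolved has to save the /displaydns output first. The Python code below parses saved output in the layout shown above and checks the names against a watch list; the sample text, the watch-list domain and the function names are constructed, and the "Name does not exist." line for a cached failed lookup is an assumption about how the resolver prints negative entries.

```python
"""Parse saved `ipconfig /displaydns` output and check names against a watch list."""
import re

# "Label . . . . : value" lines as printed by ipconfig /displaydns.
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z() ]+?)(?:\s\.)+\s*:\s*(?P<val>.*)$")
RULE = re.compile(r"^\s*-{10,}\s*$")          # the dashed line under each entry name
TYPE_NAMES = {1: "A", 5: "CNAME", 12: "PTR"}  # numeric record types seen in the output

# Constructed sample in the layout shown above (reserved example names and addresses).
SAMPLE = """\
Windows IP Configuration

   www.example.com
   ----------------------------------------
   Record Name . . . . . : www.example.com
   Record Type . . . . . : 1
   Time To Live  . . . . : 230
   Data Length . . . . . : 4
   Section . . . . . . . : Answer
   A (Host) Record . . . : 192.0.2.10

   update.badhost.example.net
   ----------------------------------------
   Record Name . . . . . : update.badhost.example.net
   Record Type . . . . . : 1
   Time To Live  . . . . : 41
   Data Length . . . . . : 4
   Section . . . . . . . : Answer
   A (Host) Record . . . : 198.51.100.7

   typo.example.org
   ----------------------------------------
   Name does not exist.

   1.0.0.127.in-addr.arpa
   ----------------------------------------
   Record Name . . . . . : 1.0.0.127.in-addr.arpa.
   Record Type . . . . . : 12
   Time To Live  . . . . : 83255
   Data Length . . . . . : 4
   Section . . . . . . . : Answer
   PTR Record  . . . . . : localhost
"""


def parse_displaydns(text):
    """Return one dict per cached record; failed lookups get negative=True."""
    records, current, header, last_text = [], None, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if RULE.match(line):
            # The entry name is the last plain text line before the dashes.
            header, current = last_text, None
            continue
        m = FIELD.match(line)
        if m is None:
            if header and stripped.lower().startswith("name does not exist"):
                records.append({"name": header.rstrip(".").lower(), "negative": True})
            last_text = stripped
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "Record Name":
            current = {"name": val.rstrip(".").lower(), "negative": False}
            records.append(current)
        elif current is not None:
            if key == "Record Type":
                current["type"] = TYPE_NAMES.get(int(val), val) if val.isdigit() else val
            elif key == "Time To Live":
                current["ttl"] = int(val) if val.isdigit() else val
            elif key == "Section":
                current["section"] = val
            elif key.endswith("Record"):      # "A (Host) Record", "PTR Record", ...
                current["data"] = val
    return records


def watchlist_hits(records, suffixes):
    """Records whose name is a watched domain or a subdomain of one."""
    return [r for r in records
            if any(r["name"] == s or r["name"].endswith("." + s) for s in suffixes)]


if __name__ == "__main__":
    for rec in watchlist_hits(parse_displaydns(SAMPLE), ["badhost.example.net"]):
        print("cached: %(name)s -> %(data)s (ttl %(ttl)s)" % rec)
```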

To check out all the options:

E:\Documents and Settings\Wayne>ipconfig /?

USAGE:
ipconfig [/? | /all | /renew [adapter] | /release [adapter] |
/flushdns | /displaydns | /registerdns |
/showclassid adapter |
/setclassid adapter [classid] ]

where
adapter Connection name
(wildcard characters * and ? allowed, see examples)

Options:
/? Display this help message
/all Display full configuration information.
/release Release the IP address for the specified adapter.
/renew Renew the IP address for the specified adapter.
/flushdns Purges the DNS Resolver cache.
/registerdns Refreshes all DHCP leases and re-registers DNS
names
/displaydns Display the contents of the DNS Resolver Cache.
/showclassid Displays all the dhcp class IDs allowed for
adapter.
/setclassid Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid, if no ClassId is specified, then the ClassId is removed.

Examples:
> ipconfig ... Show information.
> ipconfig /all ... Show detailed information
> ipconfig /renew ... renew all adapters
> ipconfig /renew EL* ... renew any connection that has its
name starting with EL
> ipconfig /release *Con* ... release all matching connections,
eg. "Local Area Connection 1" or
"Local Area Connection 2"

14. nslookup and DNS Zone Transfers

Want to get a list of all the ip addresses as well as aliases assigned within a domain? You
can grab that information if the DNS server allows zone transfers. The zone transfer is the
method a secondary DNS server uses to update its information from the primary DNS
server. DNS servers within a domain are organized using a master-slave method where
the slaves get updated DNS information from the master DNS. One should configure the
master DNS server to allow zone transfers only from secondary (slave) DNS servers but
this is often not implemented.

You do not have to have a DNS server to request a zone transfer. You can issue a zone
transfer request using the nslookup client, which is a standard part of Unix, NT,
Windows 2000 and XP. To dump the DNS records from your current domain, let's say it's
wayne.net:

Type nslookup at the command line (NT example). This starts nslookup in interactive
mode. It will respond with the name and IP address of your default DNS server:

Default Server: dns01.wayne.net
Address: 10.10.10.1
>

To get a list of commands available, type set all. For the more important set options:

set d2 : puts nslookup in debug mode, so you can examine query and response packets
between the resolver and server
set domain= : tells the resolver which domain name to append to queries not FQDN
set timeout= : for slow links
set type= : which type of records to search for ( A, PTR, SRV, or ALL)

You can get help at the nslookup command prompt by typing:

> help

To dump all available records, assuming zone transfers are enabled, issue the following
commands:

> set type=any
> ls -d wayne.net > dns.wayne.net
> exit

The ls -d wayne.net command requested all records for the domain be dumped in a file
named "dns.wayne.net". Open up dns.wayne.net and see what goodies you can find. If
dns1 is not authoritative for the domain, you can change which DNS server you wish to
dump records using the command:

> server 10.10.10.2

Default Server: dns02.wayne.net
Address: 10.10.10.2
>

If successful, the dump file will have lines such as:

> ls -d wayne.net
[dns1.wayne.net]
wayne.net. SOA dns04.wayne.net wayne.dns04.wayne.net. (3301 10800 3600 604800 86400)
wayne.net. NS dns04.wayne.net
wayne.net. NS dns02.wayne.net
wayne.net. NS dns01.wayne.net
wayne.net. NS dns05.wayne.net
wayne.net. MX 10 email.wayne.net
rsmithpc TXT "smith, robert payments 214-389-xxxx"
rsmithpc A 10.10.10.21
wmaplespc TXT "Waynes PC"
wmaplespc A 10.10.10.10
wayne CNAME wmaplespc.wayne.net

You can see from the bits above that there are multiple DNS servers, that there is an email
POP3 server, what my IP address is, ...

Lots of goodies, particularly if the DNS admins put in "good" comments. Might be useful
info for social engineering if the comments include phone numbers.

The ls -d command emulates a zone transfer. You can also use ls -t
to get a list of the members of a domain.
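
An added example (not part of the original tip): run against a dump of your own zone, this Python code reports what an unrestricted zone transfer would hand to anyone who asks, namely internal addresses and free-text comments such as phone numbers. The sample dump, domain name, phone number and finding labels are constructed; the line layout follows the dump shown above.

```python
"""Audit a saved `ls -d` zone dump for details an open zone transfer would disclose."""
import ipaddress
import re

PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
RTYPES = {"SOA", "NS", "MX", "A", "TXT", "CNAME", "PTR", "SRV", "HINFO"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample dump in the layout shown above (fictional zone and number).
SAMPLE_DUMP = '''\
> ls -d corp.example
[dns1.corp.example]
 corp.example.  SOA   dns1.corp.example hostmaster.corp.example. (3301 10800 3600 604800
 86400)
 corp.example.  NS    dns1.corp.example
 corp.example.  MX    10 mail.corp.example
 jdoepc         TXT   "doe, jane payments 214-555-0100"
 jdoepc         A     10.10.10.21
 labpc          TXT   "Lab PC"
 labpc          A     172.20.1.5
 www            A     192.0.2.80
 intranet       CNAME jdoepc.corp.example
'''


def parse_zone_dump(text):
    """Return (owner, type, rdata) tuples; rejoins records wrapped inside parentheses."""
    records, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">", "[")):
            continue                      # nslookup prompt echo and server banner
        pending = (pending + " " + line).strip()
        if pending.count("(") > pending.count(")"):
            continue                      # SOA values continue on the next line
        parts = pending.split(None, 2)
        pending = ""
        if len(parts) == 3 and parts[1].upper() in RTYPES:
            owner = parts[0].rstrip(".").lower()
            records.append((owner, parts[1].upper(), parts[2].strip()))
    return records


def audit(records):
    """Return (owner, finding, detail) tuples for records that leak internal detail."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "A":
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue
            if any(addr in net for net in RFC1918):
                findings.append((owner, "internal address exposed", rdata))
        elif rtype == "TXT":
            text = rdata.strip('"')
            if PHONE.search(text):
                findings.append((owner, "phone number in TXT comment", text))
            elif not text.lower().startswith("v="):   # skip SPF-style policy strings
                findings.append((owner, "free-text TXT comment", text))
    return findings


if __name__ == "__main__":
    for owner, finding, detail in audit(parse_zone_dump(SAMPLE_DUMP)):
        print("%-10s %-30s %s" % (owner, finding, detail))
```

Findings of this kind are an argument for the restriction described earlier: allow zone transfers only to the secondary DNS servers.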

For DNS info see The DNS Place.

15. IIS Web Server Resources and Tips

One of my jobs is webmaster in the sense of system support, not the common
misconception of graphics designer. I recently started supporting IIS (a shift from
Netscape web servers which were essentially problem free). As such I need tips and
resources for Microsoft's Internet Information Server (IIS). As I find useful information I
will use this page as an index for the IIS info. Please let me know if you know of an IIS
tip or site I should add to this IIS resource page: Wayne Maples.

Microsoft has released another IIS Rollup patch to date as of October 30, 2002. This
patch applies to IIS versions 4.0, 5.0 and 5.1:
Cumulative Patch for Internet Information Service (Q327696)

Tips

• Backing Up and Restoring IIS Servers
• IIS 4.0 Recommended Installation Procedure
• IIS 5.0 Features
• IIS 5 New Features
• Differences in default behavior and settings between IIS 4.0 and IIS 5.0
• IIS Metabase Registry
• Securing IIS 4
• Securing IIS 5
• Securing IIS : 10 STEPS TO BETTER IIS SECURITY
• Start / Stop IIS related services using NET START/STOP
• Gotcha! Microsoft IIS 4 Versus Netscape Communicator 4.7
• SecureIIS Application Firewall
• Security : How to Use the IIS Security "What If" Tool
• Using Windows Security with IIS and SQL Server 2000

Resources

• 15seconds : IIS support site
• How to Use WebDAV
• How to troubleshoot HTTP connections using Wfetch
free utility
• How to View HTTP Data Frames Using Network Monitor
• IIS Administrator Newsletter
• Microsoft's Internet Information Server 4 Baseline Security Checklist
• Microsoft's IIS 5.0 Baseline Security Checklist
• Microsoft's Secure Internet Information Services 5 Checklist
• Microsoft's Windows 2000 IIS 5.0 Hotfix Checking Tool
• Microsoft Technet's Windows Web Services (IIS)
• IIS and ISAPI
• ASP Barcode Server Component for IIS Manual

FAQs

• www.iisfaq.com
• iisadministrator IIS FAQ
• windows2000faq.com IIS FAQ
• Perl on IIS 4

16. AD admins should be running Windows XP Pro

Background : AD differences between XP and W2K. Summary :

• An updated Adminpak.msi must be installed because the one shipped with
Windows 2000 is not compatible with Windows XP.
• There are over 200 new group-policy settings in Windows XP.
• Windows XP specific group policy settings are ignored when applied to Windows
2000 systems.
• Windows 2000 applies GPOs synchronously, while Windows XP applies GPOs
asynchronously

Source: Managing Windows XP in a Windows 2000 Server Environment

You can add Windows XP Pro workstations to your AD domains and they will respond
to existing GPOs just like Windows 2000 Pro. That is a significant bit of information.
Much more important though is that if you update Windows 2000 Active Directory with
the new security templates that shipped with Windows XP Pro, significant new
functionality becomes available to the AD administrator using XP Pro as the admin
console. For this reason, Windows XP Pro is now the preferred management console for
Windows 2000 Active Directory.

Windows XP Pro ships with more than 200 new policies in addition to the 421 policies
still supported from Windows 2000. Windows XP specific policies will be ignored by
Windows 2000 machines. Managing policy is made easier with a new user interface
available to XP Pro containing descriptive text and OS requirements for each policy. New
Help files dedicated to policy settings let you search for specific policies by keyword. XP
ships with Resultant Set of Policy (RSoP). New tools let administrators check policy
settings in effect for any machine or user in a domain. Users can verify their own policy
settings on their computer with a user-friendly report accessible from the Help and
Support Center.

It is now clear that GPO best practices are:

• exclusively use an XP Pro workstation as the AD management console when
working with GPOs
• use the same policy settings for both XP and W2K Pro IF you now or will ever
support roaming users who will be using both XP and W2K Pro workstations.

See the full Microsoft document for details but the process to update the security
templates is simple. Be sure you can get back to your starting point should the sh*t hit the
fan when you do this. It has been reported to me that in certain circumstances, this will
set domain policies to defaults. Ouch, to say the least:

• Copy all .ADM files from the WINNT/INF directory on a Windows XP Pro
workstation to a file share on the network.
• From a Windows 2000 based computer, open a GPO in the Group-Policy console.
• Right click on Administrative Templates and then select Add/Remove Templates.
• From the Add/Remove Templates window, remove the old Windows 2000 .ADM
files and add the new Windows XP .ADM files.
• You will need to repeat this for each of your Group Policy Objects.

A brief list of the most important new Group Policy settings available to clients running
Windows XP workstations:

• XP clients support software restriction policies, which allow one to protect XP
workstations from untrusted code by identifying and specifying which
applications are allowed to run.
• XP Terminal Services enhancements
• XP workstations support more granular configuration of the Start menu and
Taskbar, so XP can be more easily locked down than W2K if you need a
kiosk or a restrictive user environment. Or you are a control freak.
• XP supports very fine control over MMC snap-ins when compared to W2K.

OK I admit it. There are reasons for at least administrators to upgrade from Windows
2000 to Windows XP. And if you want the capability of tighter desktop control, your
users should be on Windows XP Pro. I have had many discussions about the value of XP
Pro vs W2K. My interest is from a business perspective. These new capabilities are real
considerations.

Additional resources:

• Group Policy Object Settings
105K Excel spreadsheet : This spreadsheet lists the settings exactly as they appear
in the Group Policy snap-in tree, including the changes contained in Microsoft®
Windows® XP Professional.
• Upgrading Windows 2000 Group Policy for Windows XP (Q307900)
• Windows XP supports an enhanced Group Policy infrastructure that uses
Windows Management Instrumentation (WMI)
• A Description of the Group Policy Update Utility (Q298444)
• Administering Windows XP Professional

17. netcat ( nc ) utility resources

netcat is the swiss army knife utility for hackers and should be in the armory for all
network support personnel. This is my list of netcat resources. If you have links that
should be here, please let me know. For hacking uses see the "Hacking Exposed Books".

• Cloning Operating Systems : Wonders of 'dd' and 'netcat'
for additional info on dd, check out my dd resources
• Cat data to a network host and port using Netcat
• Cryptcat : Netcat with encryption
• Example Uses
• fpipe and netcat
• How to use Netcat with the Axis 540 Print Server and SCO Unix
• Gaining Root Access to Apache web server via PHP.exe
need a reason to apply security patches? Read on! and you thought only IIS was
insecure.
• Netcat Overview : Netcat rules the net
• netcat6
• Print Server Port Numbers for Netcat
• versions / sources :
o Unix versions
o Debian source
o OpenBSD source
o Netcat 6 : netcat clone with IPv6 support

18. NetOp Remote Control for Windows

PCAnywhere is not the only remote control software. CrossTec's NetOp Remote for
Windows is a very feature rich product. The NetOp Remote Control 7.0 Guest module
offers full functionality for Windows XP, Windows 2000, Terminal Services, NT 4.0,
NT3.51, ME, Win98, Win95, and remote control functionality for Windows CE, Linux
and ActiveX (e.g. in Internet Explorer). The NetOp Remote Control 7.0 Host module
offers full functionality for Windows 2000, Terminal Services, NT 4.0, NT 3.51, ME,
Win98 and Win95.

Related tips:

• Freeware VNC: Virtual Network Computing

19. TCP/IP resources

I will use this tip to collect TCP/IP related tips with a flavor of, or useful in, penetration testing.
If there is a site that should be listed here or if a link goes dead, please let me know.

• AckCmd : remote command prompt using only TCP ACK segments to pass
firewalls W2K , free
• ARP Poisoning
• ARP0c connection interceptor
• ArpWatch
tool that monitors ethernet activity and keeps a database of ethernet/ip address
pairings. It also reports certain changes via email. Arpwatch uses libpcap, a
system-independent interface for user-level packet capture. Platforms: AIX,
BSDI, DG-UX, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, SCO,
Solaris, SunOS, True64 UNIX, Ultrix, UNIX
• Ethernet Bridge
This is a small utility (driver and console application) for MAC level bridging
TCPIP bound network interfaces. It can be used as an example for bridging wireless
and wired Ethernet when IP address space can't be divided into subnets. Jan 2002
• Ethereal : network protocol analyzer for Unix and Windows freeware
• Hunt : TCP hijacking
• Hping: Create custom ICMP/UDP/TCP packets
• IP:
o IP Insecurity ComputerWorld article
o IP spoofing Department of Computer Science, Princeton University
o IP spoofing Demystified ==Phrack Magazine==
o IP Spoofing : A Mammoth Description
o IP Subnetter Free Utility
calculates subnets, subnet mask, binary hosts, binary masks, broadcast
address, host range, and more
• ISN Initial Sequence Number Vulnerability
• Monitor network activities
• Netcat: TCP/IP Swiss Army knife tool
• Ngrep:
Grep for the network layer linux
• NICs:
o Diagram to build a read-only Ethernet cable
o PromiScan W2K Pro; searches for promiscuous nodes on the local net
• Nmap:
o Fastest port scanner linux
o NDiff compares two nmap scans and outputs differences. Automate
change analysis.
• Probing TCP implementations
• Source routing : Loose Source Routing, why is it still here?
• tcpdump / libpcap
• tcpdump and tcp/ip pocket reference
• tcpdump : tools of the trade
• tcpflow : A TCP Flow Recorder
captures data transmitted as part of TCP connections (flows), and stores the data
in a way that is convenient for protocol analysis or debugging
• TCP/IP Subnetting Tables
• TCP Wrappers:
o tcp wrappers : Network monitoring, access control & booby traps
o TCP WRAPPERS—What are they??
• Traceroute, Tracing the Traceroute: A White Paper by Ankit Fadia

21. Group Policy XPerience

You can do more with Group Policy in Windows XP than in Windows 2000
Professional. Here’s a guide to the changes.

by Jeremy Moskowitz - November 2002

ARE YOU REAPING the benefits of Group Policy yet? Are you finding that you’re able
to roll out a consistent environment for all your Windows 2000 users? Are your users
happily getting the software you deployed and happily saving their files to their “My
Documents” folder (with you knowing their data is secretly saved on the server)?

Or, will your perfect Win2K Group Policy utopia all fall apart when you introduce your
first Windows XP Professional client machine?

If you’re happily deploying Group Policy to Win2K clients, then you’ll be well poised to
also deploy it to your XP clients. However, you should be aware of differences, additions
and pitfalls with XP in order to maintain a working Group Policy implementation.

New! Improved!
XP has some additional features that can be set through Group Policy. However, it takes
hoop-jumping to enable these features, so stay with me here. It’s likely today that you
administer the Group Policy settings of your machines in one of two ways: either you run
Active Directory Users and Computers directly on a server (or via Terminal Services) or
you run it on your local Win2K Pro box using the MMC snap-in tools contained within
Adminpak.msi, which ships with Win2K.

When you upgrade your desktop to XP, you’ll find the tools inside the Adminpak.msi
won’t work. This is because the tools inside the Adminpak.msi that comes with Win2K
Pro are incompatible with XP. This means you need to get the right version of the
Adminpak.msi containing the new administrative snap-in tools compatible with XP.
These tools expose some new features, particularly in regard to Group Policy. Download
the right version, which is called the “Windows .NET Server RC1 Adminpak.exe,” from
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q304718. Note that the
Adminpak currently ships as an EXE but upon release will be delivered back as the
familiar MSI file type.

Just What You Need—200 More Group Policy Settings
Since XP has more features than Win2K Pro, it stands to reason there’s more “stuff” that
can be controlled using Group Policy. For instance, two new XP Group Policies allow
you to disable the use of the Internet Connection Firewall and the Network Bridge
features. In all, there are about 200 new Group Policy settings, one of which is seen in
Figure 1. Some affect just XP, others affect both XP and Win2K systems. Note that when
you manipulate AD Group Policies from your XP machine (with the tools contained
within the new Adminpak), you get an additional benefit of seeing which policies support
which clients. If you don’t manage your domain’s Group Policy on an XP client with the
new Adminpak, you won’t know if the policy affects or doesn’t affect specific clients.

Figure 1. The latest version of Group Policy tells you what policies can be applied to
various OSs.

The good news is that if you apply a policy meant for XP on a Win2K Pro machine, the
policy is simply ignored. The bad news is that in order to properly manage all your
systems (Win2K and XP), you need to be religious about manipulating your GPOs only
from an XP system (that has the proper Adminpak loaded).

Recall that Win2K Group Policies are initially applied at startup (for Computer policies)
and at logon (for User policies). Both Computer and User policies are then independently
refreshed periodically at intervals in the background. The background refresh happens
about every 90 minutes with a 30-minute randomization factor thrown in there so every
client doesn’t “ask” the server at once for updates.

This is important depending on the type of policy delivered. For instance, if you use
Group Policy to change the desktop wallpaper for a gaggle of users in an OU, each user’s
desktop wallpaper will respond when, individually, the background refresh next hits its
cycle. Conversely, when you use Group Policy to distribute software, it doesn’t show up
(or get removed) when the background refresh hits. Rather, Software Distribution (and
Folder Redirection) policies are only applied at Startup or Logon. This is a good thing, as
you wouldn’t want your users to suddenly not have DogFoodMaker 7.0 while right in the
middle of using it.

Out of Synch
Win2K, by default, applies policies synchronously. This means that upon startup, a
Win2K computer waits for the network interface to initialize, locates a domain controller,
downloads the applicable Computer GPOs (site, domain, and each nested OU) and
applies them—all before presenting the Ctrl-Alt-Del prompt to the user. When the user
logs on, the User GPOs are downloaded and applied before the desktop and Start menu
appear.

XP, however, processes GPOs asynchronously. This means that upon startup, the
computer doesn’t wait for the network interface to initialize before starting to process
Computer GPOs. Rather, XP processes previously cached Computer GPOs while it
presents the Ctrl-Alt-Del prompt to the user. At the same time, it downloads any new
GPOs. These new GPOs don’t get applied until a bit later. Similarly, when a user logs on,
the desktop and Start menu appear while the system processes any cached User GPOs.
New GPOs are downloaded but processing is deferred.

Once the computer has started, the user has logged on and any cached Computer and
User GPOs have been applied, newly downloaded policies are then processed in the
background. This ensures that the latest Security Settings and Administrative Templates
(Registry updates) are applied soon after logon.

This results in a faster boot time (when processing Computer policies) as well as faster
logon time (when processing User Policies.) Microsoft calls this XP behavior “fast boot.”
For some environments, it does speed things up a bit—at a cost.

The Dark Side of Faster Booting
The downside to this new approach is that, potentially, a user at an XP desktop could be
logged on but not quite have all the GPOs processed. Then, after that person has been
working for a while—pop! A setting takes effect out of the blue. This is because not all
GPOs were processed before the user was presented with the desktop and Start menu.
Your network would have to be slow for this scenario to occur, but it’s certainly possible.

The next major downside to this updated approach is that some features, potentially, can
take an XP client several additional logons or reboots to have the changes applied. This
strange behavior becomes understandable when we take a step back and think about how
certain policies are processed on Win2K. Specifically, we need to direct our attention to
Software Distribution and Folder Redirection policies.

I’ve already stated that on Win2K, these two types of policies must be processed in the
foreground to prevent data corruption and unhappy users. But if XP doesn’t do
synchronous processing, how are these policies handled? XP fakes it and tags the machine
when a Software Package is targeted for an XP client. The next time the user logs on, the
Group Policy engine sees that the machine is tagged for Software Distribution and then
switches, for this one time, back into synchronous mode. The net result: XP typically
requires two logons (or reboots) to get a software distribution package when Win2K Pro
only requires one.

This problem is worse for Folder Redirection. Basic Folder Redirection with XP is like
Software Distribution, in that it now generally takes two logons to take effect. However,
the use of Advanced Folder Redirection (which checks which security groups the user is
in) takes a whopping three logons to take effect. The first one tags the system for a Folder
Redirection change; the second one figures out the user’s security group membership,
and the third actually performs the new Folder Redirection.

Predictability=Good; Unpredictability=Bad
If you want your XP users to log on a bit faster, then, by all means, leave fast boot on. If
you’re doing some “no-no’s” in Group Policy like cross-domain links of Group Policy or
lots of site-based GPOs, then leaving this on will likely make each and every logon a bit
faster.

If, however, you want your XP machines to act just like Win2K Pro machines, you need
to set a Group Policy that reverts them back to the old behavior. Sure, it’s a bit slower to
log on. It’s also a heck of a lot more predictable. Besides, your Win2K machines already
act this way, and it probably would be good practice to have all machines in your
environment react as similarly as possible—even if they’re different OSs.

To revert XP back to the Win2K “synchronous” behavior, set a Group Policy (preferably
at the domain level) to enable the “Always wait for the network at computer startup and
logon” policy which can be found in the Computer Configuration | Administrative
Templates | System | Logon branch of Group Policy.

http://mcpmag.com/features/article.asp?EditorialsID=309

22. Wireless penetration testing resources

• Created on Mar 17, 2004.
• Last Modified on Apr 20, 2004.
• Last Modified by Wayne Maples.

Wireless is a hot topic. Unfortunately lots of wireless LANs have been put in without any
consideration of security. If you have a wireless LAN or are considering one, read the whitepapers
and check for yourself using a commercial or shareware analyzer. If there is a site that
should be listed here or if a link goes dead, please let me know.

• Books
o Building Wireless Community Networks, 2nd Edition
o 802.11 Security
o Wireless Hacks
o Wireless Security: Models, Threats, and Solutions
o 802.11 Wireless Networks: The Definitive Guide (O'Reilly Networking)
o Hack Proofing Your Wireless Network
o Wireless Communications: Principles and Practice (2nd Edition)
o Wireless LANs (2nd Edition)
o Wireless Lan Standards and Applications
o Wireless and Mobile Network Architectures
o IEEE 802.11 Handbook: A Designer's Companion
o Essential Guide to Wireless Communications Applications (2nd Edition)
o 802.11 Demystified: Wi-Fi Made Easy
• Whitepapers / Tech docs / FAQ
o Accessing wireless security with AiroPeek
o Ars Technica: Wireless Security Blackpaper
o Bluetooth Basics
o Building a Cisco Wireless LAN - Chapter 8: Cisco Wireless Security
o Choosing between 802.11a and 802.11b
o FAQ Wireless LAN Security by Christopher W. Klaus of Internet Security
Systems (ISS)
o Firewall : Wireless Firewall Gateway White Paper
o ISS Wireless LAN Security : 802.11b and corporate networks
o Linux Wireless LAN Howto
o Microsoft Solution for Securing Wireless LANs
o Networking Handbook 802.11 (Wi-Fi) - Chapter 9: Wireless LANs in the
Enterprise
o NIST : Wireless network security - 802.11, Bluetooth, and Handheld
Devices
o Securing The Maginot Line Of Wireless LANs
o Security of 802.11 Wireless Networks for Automated Data Collection
o WEP Wired Equivalency Protocol
▪ 802.11 WEP: Concepts and Vulnerability
▪ (In)Security of the WEP algorithm
▪ Intercepting mobile communications: Insecurity of 802.11
▪ Unsafe at any key size: An analysis of the WEP encapsulation
▪ WildPackets' Guide to Wireless LAN Analysis
▪ SANS has a large # of wireless access articles
• Tools / Utilities
o Aerosol : Wireless Tool for Windows
o AirDefense : WLAN Intrusion Protection & Management System
commercial
o AirMagnet Handheld Analyzer
o AiroPeek : commercial packet analyzer for IEEE 802.11b wireless LANs
Windows comprehensive packet analyzer for IEEE 802.11b wireless
LANs, supporting all higher level network protocols such as TCP/IP,
AppleTalk, NetBEUI and IPX.
o AirSnort : collect encryption keys
Linux tool that passively monitors transmissions, computing the
encryption key when enough packets have been gathered
o AirTraf: wireless 802.11b network analyzer
Linux
o AP Scanner : Mac 802.11 scanner
Macintosh-only application that will detect all in-range open 802.11
wireless network access points.
o bsd-airtools : complete toolset for wireless 802.11b auditing
contains a bsd-based wep cracking application, dweputils; kernel patches
for NetBSD, OpenBSD, and FreeBSD; a curses based ap detection
application similar to netstumbler (dstumbler) to detect wireless access
points and connected nodes, view signal to noise graphs, and interactively
scroll through scanned ap's and view statistics for each; other tools to
provide a complete toolset for making use of all 14 of the prism2 debug
modes as well as do basic analysis of the hardware-based link-layer
protocols provided by prism2's monitor debug mode.
o Fake AP : hide in plain sight
Black Alchemy's Fake AP generates thousands of counterfeit 802.11b
access points. Hide in plain sight amongst Fake AP's cacophony of beacon
frames. As part of a honeypot or as an instrument of your site security
plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and
other undesirables. Fake AP is a proof of concept released under the GPL.
Linux compatible.
o Grasshopper : commercial handheld
wireless receiver for sweeping and optimizing Local Area Networks
o Isomair : wireless lan security package
commercial
o ISS' Wireless Scanner : commercial wireless penetration tool
o Kismet : Linux 802.11b wireless network sniffer
capable of sniffing using almost any wireless card supported in Linux,
including Prism2 based cards supported by the Wlan-NG project (Linksys,
Dlink, Rangelan, etc), cards which support standard packet capture via
libpcap (Cisco), and limited support for cards without RF Monitor support.
o MacStumbler : Wireless scanning tool for the Apple Airport
only works with airport wireless cards
o Mognet: open source wireless ethernet sniffer/analyzer written in Java
o NetStumbler : Windows utility for 802.11b based wireless network
auditing
o Prism2 : Linux AP driver for Intersil Prism2/2.5/3
o Prism2dump : part of BSD-Airtools package
puts Prism2Card into promiscuous mode
o PrismStumbler : scans for beaconframes from accesspoints
operates by constantly switching channels and monitors any frames received
on the currently selected channel C & perl
o Sniffer Wireless : commercial wireless sniffer
o ssidsniff : discover access points and save captured traffic
comes with a configure script and supports Cisco Aironet and random
prism2 based cards.
o StumbVerter : NetStumbler support tool
standalone application which allows you to import Network Stumbler's
summary files into Microsoft's MapPoint 2002 maps.
o wavemon : ncurses-based monitoring application for wireless network
Linux
o WaveRunner : Linux-powered HP iPAQ Pocket PC that verifies 802.11b
deployments
detects rogue access points and clients
o WaveStumbler : 802.11 network mapper for Linux
o WEPCrack: perl utility that cracks 802.11 WEP encryption keys using
weakness of RC4 key scheduling.
o Wellenreiter : wireless penetration tool ( gtkperl )
Linux
o witools : small collection of utilities to aid in the exploration of 802.11
wireless networks
FreeBSD compatible

23. IPSec Tips and Resources

• Created on Mar 23, 2004.
• Last Modified on Apr 20, 2004.
• Last Modified by Wayne Maples.

I will use this page to collect IPsec tips and resources. If there is a good resource on the
net which is not here, please let us know:

• Encapsulating Security Payload:
o IP Encapsulating Security Payload ( RFC2406 )
o ESP CBC-Mode Cipher Algorithms ( RFC2451 )
o ESP DES-CBC Transform ( RFC1829 )
o ESP DES-CBC Cipher Algorithm With Explicit IV ( RFC2405 )
o Use of HMAC-MD5-96 within ESP and AH ( RFC2403 )
o Use of HMAC-RIPEMD-160-96 within ESP and AH( RFC2857 )
o Use of HMAC-SHA-1-96 within ESP and AH ( RFC2404 )
• GRE, Configuring IPSec with EIGRP and IPX Using GRE Tunneling
• Firewall, How to Enable IPSec Traffic Through a Firewall (Q233256)
• HMAC:
o HMAC: Keyed-Hashing for Message Authentication ( RFC2104 )
o HMAC-MD5 IP Authentication with Replay Prevention ( RFC2085 )
• IKE: The Internet Key Exchange ( RFC2409 )
• IP Authentication Header ( RFC2402 )
• IP Authentication using Keyed MD5 ( RFC1828 )
• IPSec Charter
• TechNet Webcast: IPsec and NAT-T—Finally in Harmony?
• IP Security Document Roadmap ( RFC2411 )
• ISAKMP
o Internet Security Association and Key Management Protocol ( RFC2408 )
o Internet IP Security Domain of Interpretation for ISAKMP ( RFC2407 )
• Limitations, Traffic That Can, and Cannot Be Secured by IPSec (Q253169)
• Microsoft L2TP/IPSec VPN Client for Win98, ME and NT
• Microsoft L2TP/IPSec VPN Client for Windows 2000 and XP
• MPLS : A comparison between IPsec and Multiprotocol Label Switching VPNs
• NAT, IPSec/GRE with NAT : Cisco sample configuration
• NULL Encryption Algorithm and Its Use With IPsec ( RFC2410 )
• OAKLEY Key Determination Protocol ( RFC2412 )
• Security Architecture for the Internet Protocol ( RFC2401 )
• Server : Using IPSec to Lock Down a Server
• Windows2000 / XP :
o Client-to-Domain Controller and Domain Controller-to-Domain
Controller IPSec Support
o Configuring IPSec Between a W2K Server and a Cisco Device
o Configuring IPSec to Handle Trusted and Untrusted Domain
Authentication
o How to Configure IPSec Tunneling in Windows 2000
o How to Enable IPSec Traffic Through a Firewall
o Microsoft L2TP/IPSec VPN Client for Windows 2000 and XP
o Step-by-Step Guide to Internet Protocol Security (IPSec)
o Traffic That Can--and Cannot--Be Secured by IPSec
o Using IPSec in Windows 2000 and XP, Part 1
o Using IPSec in Windows 2000 and XP, Part 2
o Using IPSec in Windows 2000 and XP, Part 3

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Network/IPSecTipsandResources.html

24. FAQ IPv6 Protocol for Windows XP

http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx?pf=true

There is also an eBook named FAQ IPv6 Protocol for Windows XP.

25. Configuring IPSec to Handle Trusted and Untrusted Domain Authentication

SUMMARY
Computers that need to use IP Security Protocol (IPSec) for secure communications must
authenticate themselves before establishing an IPSec session. If the computers are part of
a Windows 2000-based domain, you can use Kerberos authentication, which is the
default authentication protocol.

If the computers belong to different domains in the same forest, you can still use
Kerberos if there is a trust established between the domains. If there is no trust between
the domains, you should use certificates to authenticate the computers.


MORE INFORMATION
Although it is possible to configure a computer to use more than one IPSec authentication
method (for example, Kerberos, certificate, and pre-shared key) by adding the appropriate
method in the Authentication Methods section of a rule's properties in an IPSec Policy,
having each side configured with all possible methods may not be the best configuration.
This is because both sides (the initiator and the responder) agree on an authentication
method to use; if the chosen method does not work, Windows 2000 does not attempt to
negotiate any other configured method. The list of authentication methods is defined so
that a Windows 2000-based host can propose different methods when it is negotiating
which method to use with another host. The list is not used for failover options. The
Internet Key Exchange (IKE) RFC 2409 does not specify if an implementation should--or
how to--retry negotiations if the chosen authentication method does not work.

When you are using multiple authentication methods, you should configure first the
method that is most commonly used--or the one that most commonly works. The
precedence order of the authentication methods follows the order in which they are
configured. The initiator proposes them in its configured order, and the responder finds
the one that it likes best based on its configured precedence order.

The following two scenarios are presented as examples.

Scenario 1: Clients Connecting to Servers in Different Domains


If clients need to establish IPSec sessions with servers in a different (or untrusted)
domain and also with servers in the same (or trusted) domain, this is a possible
configuration option:

• Add Certificate and Kerberos to the clients' Authentication Methods list, listing
Certificate first.
• Configure the servers in the different (or untrusted) domain to use Certificate only.
Or, if the server needs also to use Kerberos for its domain clients, add Kerberos but
list Certificate first (so that Certificate authentication is chosen).
• Configure the servers in the same (or trusted) domain to use Kerberos only if you
want them to choose Kerberos as the authentication method, or add Certificate if you
need to support Certificate authentication.

Scenario 2: Servers Service Clients Located Within and Outside the Corporate Network/Domain

• Configure the servers with all of the authentication methods they accept (for
example, Kerberos and Certificate).
• Then, configure the clients located within the corporate network to use Kerberos
only, unless you also want to use Certificate authentication.
• Configure the clients located outside the corporate network to use Certificate
authentication only (so that Kerberos authentication is never chosen).

Computers that trust only systems in their own (or trusted) domain should use only
Kerberos as the authentication method.
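
The selection behaviour described above can be modelled in a few lines. The following Python is an added example, not Microsoft code and not an IKE implementation: it assumes, as the article states, that the responder takes the first method in its own order that the initiator proposed and that a failed method is never retried. The names select_method, negotiate and the working set (methods that can actually succeed between the two hosts) are hypothetical.

```python
"""Model of IPSec authentication-method selection as the article describes it.

Added illustration only: this is not Windows code and does not speak IKE.
All names below are hypothetical.
"""

KERBEROS = "Kerberos"
CERTIFICATE = "Certificate"


def select_method(initiator_methods, responder_methods):
    """The initiator proposes its list; the responder takes the first method
    in its OWN configured order that appears in the proposal."""
    proposed = set(initiator_methods)
    for method in responder_methods:
        if method in proposed:
            return method
    return None


def negotiate(initiator_methods, responder_methods, working):
    """Return (chosen, established).

    `working` is the set of methods that can really succeed between the two
    hosts (for example, Kerberos only works when a domain trust exists).
    One method is selected; if it fails there is no second attempt.
    """
    chosen = select_method(initiator_methods, responder_methods)
    return chosen, (chosen is not None and chosen in working)


# Which methods can succeed for each relationship (assumption for the model).
TRUSTED = {KERBEROS, CERTIFICATE}
UNTRUSTED = {CERTIFICATE}          # no trust, so Kerberos cannot complete


def scenario_results():
    client = [CERTIFICATE, KERBEROS]   # Scenario 1 client: Certificate listed first
    both = [KERBEROS, CERTIFICATE]     # Scenario 2 server: accepts both methods
    return {
        # Scenario 1
        "s1 client -> untrusted server (Certificate only)":
            negotiate(client, [CERTIFICATE], UNTRUSTED),
        "s1 client -> untrusted server (Certificate, Kerberos)":
            negotiate(client, [CERTIFICATE, KERBEROS], UNTRUSTED),
        "s1 client -> trusted server (Kerberos only)":
            negotiate(client, [KERBEROS], TRUSTED),
        # Scenario 2
        "s2 inside client (Kerberos only)":
            negotiate([KERBEROS], both, TRUSTED),
        "s2 outside client (Certificate only)":
            negotiate([CERTIFICATE], both, UNTRUSTED),
        # Misconfiguration the article warns about: every method on both sides
        "s2 outside client (Kerberos, Certificate)":
            negotiate([KERBEROS, CERTIFICATE], both, UNTRUSTED),
    }


if __name__ == "__main__":
    for label, (chosen, ok) in scenario_results().items():
        outcome = "established" if ok else "FAILS, no fallback"
        print(f"{label:55} -> {str(chosen):12} {outcome}")
```

The last case is the one to look for when reviewing a policy: both sides list Certificate, yet the session fails because Kerberos is selected first and nothing else is tried.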


APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition

26. Display the Sharing Tab in XP Folder Properties

In Windows NT and Windows 2000, you could share a folder by right-clicking it in
Explorer or My Computer and using the Sharing tab. Not so in Windows XP: that simple
functionality is turned off by default. To turn it back on:

• Click Start
• Click My Computer
• Click Tools menu option
• Click Folder Options
• Click View tab
• In Advanced settings dialog, at the bottom:
• Uncheck Use simple file sharing (Recommended)

Now when you right-click a folder in Windows XP, you will see a Sharing option.
Windows XP Home Edition supports only Simple File Sharing. Windows XP
Professional supports both sharing models.

27. Disable Windows NT/W2K/XP Hidden Administrative Shares

The system automatically creates hidden "administrative shares" for its logical drives
C:, D:, and so forth, which it names C$, D$ and so forth. It also creates the admin$
hidden share for the \winnt folder. These shares are designed for remote access support
by domain administrators. By default, if you delete these admin shares, they will be
recreated when you reboot. To disable them permanently so they will not be recreated on
the next reboot, use the following Windows NT / Windows 2000 / Windows XP registry
hack:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer for servers
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 0

For background: Q156365. For details on disabling in Windows XP, see Q314984. In
Windows 2000 and Windows XP, you disable the shares via

• Start
• Settings
• Control Panel
• System Tools panel
• Shared Folders
• Double-click the Shared Folders branch to expand it
• Click Shares
• In the Shared Folder column, right-click the share you want to disable
• Click Stop sharing
• Click OK.

NOTE: If you disable an administrative share that you have created, it will not be
automatically enabled after you restart your computer, and you will need to recreate the
share.

Perhaps the best approach to protect hard drive resources on workstations is to disable the
server service if you can. There are a few workstation applications that need server
service running, in particular, some SNA emulation packages.

28. How to create and delete hidden or administrative shares on client computers

INTRODUCTION
This step-by-step article describes how to create and delete hidden or administrative
shares on Microsoft Windows XP Professional-based, Windows 2000 Professional-based,
and Windows NT 4.0 Workstation-based computers.

MORE INFORMATION
A hidden share is identified by a dollar sign ($) at the end of the share name. Hidden
shares are not listed when you look through the shares on a computer or use the net view
command. The versions of Windows that are listed in the "Applies to" section create
hidden administrative shares that administrators, programs, and services can use to
manage the computer environment on the network. By default, Windows can enable the
following hidden administrative shares:
• Root partitions or volumes
• The system root folder
• The FAX$ share
• The IPC$ share
• The PRINT$ share

Root partitions and volumes are shared as the drive letter name appended with the $ sign.
For example, drive letters C and D are shared as C$ and D$.

The system root folder (%SYSTEMROOT%) is shared as ADMIN$. This is your Windows
folder, and the administrative share provides administrators easy access to the
system root folder hierarchy over the network.

The FAX$ share is used by fax clients to send a fax. This shared folder caches files and
accesses cover pages that are stored on a file server.

The IPC$ share is used with temporary connections between clients and servers by using
named pipes for communication among network programs. It is primarily used to
remotely administer network servers.

The PRINT$ share is used to remotely administer printers.

Hidden administrative shares that are created by the computer (such as ADMIN$ and C$)
can be deleted, but the computer re-creates them after you stop and restart the Server
service or restart your computer. Hidden shares that are created by users can be deleted,
and they are not re-created after you restart your computer. Microsoft Windows XP
Home Edition does not create hidden administrative shares.
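
The distinction drawn above between shares Windows creates and hidden shares created by users can be checked mechanically from net share output. The following Python is an added example, not Microsoft's code: it assumes the usual three-column layout of net share output, runs on a constructed sample, and the function names and the autoshare_disabled flag (set it when AutoShareServer or AutoShareWks is expected to be 0) are hypothetical.

```python
import re

# Hidden shares the article lists as created by Windows itself.
FIXED_DEFAULTS = {"ADMIN$", "IPC$", "PRINT$", "FAX$"}
DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")      # C$, D$, ...


def _row(name, resource="", remark=""):
    """Format one line in the assumed `net share` column layout."""
    return "{:<13}{:<32}{}".format(name, resource, remark).rstrip()


# Constructed sample output (not captured from a real machine).
SAMPLE = "\n".join([
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("C$", "C:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\WINDOWS", "Remote Admin"),
    _row("Public", "C:\\Shared"),
    _row("payroll$", "D:\\Finance\\Payroll"),
    "EngineeringArchive$",             # assumed: a long name wraps onto its own line
    _row("", "D:\\Eng\\Archive"),
    "The command completed successfully.",
])


def parse_net_share(text):
    """Return a list of {'name', 'resource', 'remark'} dicts."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("Share name"))
    res_col = lines[start].index("Resource")   # column offsets come from the header
    rem_col = lines[start].index("Remark")
    shares = []
    for line in lines[start + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue
        if line.startswith("The command completed"):
            break
        resource = line[res_col:rem_col].strip()
        remark = line[rem_col:].strip()
        if line[0].isspace() and shares:
            # continuation line that follows a wrapped long share name
            shares[-1].update(resource=resource, remark=remark)
        elif len(line) > res_col and line[res_col - 1] != " ":
            # name overflowed the first column; its resource is on the next line
            shares.append({"name": line.strip(), "resource": "", "remark": ""})
        else:
            shares.append({"name": line[:res_col].strip(),
                           "resource": resource, "remark": remark})
    return shares


def classify(name):
    """'visible', 'default-admin' (created by Windows) or 'user-hidden'."""
    if not name.endswith("$"):
        return "visible"
    if name.upper() in FIXED_DEFAULTS or DRIVE_SHARE.match(name):
        return "default-admin"
    return "user-hidden"


def audit(text, autoshare_disabled=False):
    """Return (share, reason) pairs that deserve a second look."""
    findings = []
    for share in parse_net_share(text):
        name = share["name"]
        if classify(name) == "user-hidden":
            findings.append((name, "hidden share not created by Windows; "
                                   "confirm owner and permissions"))
        elif autoshare_disabled and (DRIVE_SHARE.match(name)
                                     or name.upper() == "ADMIN$"):
            findings.append((name, "present although AutoShare* is expected to be 0"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE, autoshare_disabled=True):
        print(f"{name:22} {reason}")
```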

Create a hidden share


To create a hidden share, follow these steps:
1. In Control Panel, double-click Administrative Tools, and then double-click
Computer Management.
2. Expand Shared Folders, right-click Shares, and then click New File Share.
3. In the Folder to share box, type the path of the folder that you want to share, or
click Browse to locate the folder.
4. Type the share name that you want to use followed by a dollar sign, and then click
Next.
5. To make the share accessible to administrators only, select the Administrators have
full control; other users have no access check box, and then click Finish.
6. Click Yes to create another share, or click No to return to the Computer Management
console.

Delete a hidden share


To delete a hidden share, follow these steps:
1. In Control Panel, double-click Administrative Tools, and then double-click
Computer Management.
2. Expand Shared Folders, and then click Shares.
3. In the Shared Folder column, right-click the share that you want to delete, click
Stop sharing, and then click OK.

Troubleshooting

Test the functionality of your programs and services after you disable the default
administrative shares. Some Windows services depend on the existence of these shares.
Additionally, some third-party programs may require that some of the administrative
shares exist. For example, some backup programs may require these shares.

APPLIES TO
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition 2002
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional for Itanium-based systems
Microsoft Windows 2000 Professional Edition
Microsoft Windows NT Workstation 4.0 Developer Edition

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q314984

29. Hidden Shares Are Not Available After You Use the System Policy Editor

SYMPTOMS
Hidden shares are no longer available after you save changes with System Policy Editor
in registry mode.

CAUSE
The value for the AutoShareServer parameter was replaced with the setting in System
Policy Editor\Windows NT Network\Sharing\Create Hidden Drive Shares (server).

RESOLUTION
To resolve this problem you can edit the WINNT.ADM file or obtain Service Pack 3.
POLICY !!WorkstationShareAutoCreate
VALUENAME "AutoShareWks"
VALUEOFF NUMERIC 0
---->VALUEON NUMERIC 1 <----
PART !!ShareWks_Tip1 TEXT END PART
PART !!ShareWks_Tip2 TEXT END PART
END POLICY

POLICY !!ServerShareAutoCreate
VALUENAME "AutoShareServer"
VALUEOFF NUMERIC 0
---->VALUEON NUMERIC 1 <----
PART !!ShareServer_Tip1 TEXT END PART
PART !!ShareServer_Tip2 TEXT END PART
END POLICY


and for BeepEnabled, add the indicated line:


POLICY !!Beep_Enabled
VALUENAME BeepEnabled
VALUEOFF NUMERIC 0
---->VALUEON NUMERIC 1 <----
PART !!Beep_Tip1 TEXT END PART
PART !!Beep_Tip2 TEXT END PART
END POLICY

Add the lines surrounded by, ----> <----, but leave those characters out.

-OR-

To correct this problem, manually set the following Local Computer Properties in System
Policy Editor before saving changes to the registry:

Windows NT Network
Sharing
Create hidden drive shares (workstation)
Create hidden drive shares (server)

Windows NT Printers
Beep for error enabled

NOTE: You must manually set the Local Computer Properties mentioned above each
time you save changes to the registry. Their check boxes will be blank (clear) each time
you start System Policy Editor, unless you edit the WINNT.ADM file or obtain SP3.

STATUS
Microsoft has confirmed this to be a problem in Windows NT Server version 4.0. This
problem was corrected in the latest U.S. Service Pack for Windows NT version 4.0. For
information on obtaining the Service Pack, query on the following word in the Microsoft
Knowledge Base (without the spaces):
SERVPACK

APPLIES TO
Microsoft Windows NT Workstation 3.5
Microsoft Windows NT Workstation 3.51
Microsoft Windows NT Workstation 4.0 Developer Edition
Microsoft Windows NT Server 3.51
Microsoft Windows NT Server 4.0 Standard Edition

http://support.microsoft.com/kb/q156365/


30. Sharing files and folders overview

You can share the files and folders stored on your computer, on a network, and on the
Web. The method you choose depends on whom you want to share files with, and what
computer they will use to access the files.

If you both use the same computer

You can put the files you want to share in the Shared Documents folder. Files stored in
the Shared Documents folder or its subfolders are always available to other users on your
computer.

To share files and folders on your computer

1. Open My Documents
2. Click the file or folder you want to share.
3. Drag the file or folder to Shared Documents in Other Places.

Note

• To open My Documents, click Start, and then click My Documents.
• If you are connected to a network domain, the Shared Documents, Shared Pictures, and
Shared Music folders are not available.
• If the file or folder you want to share is not located in My Documents or its
subfolders, use Search to find it. To open Search, click Start, and then click Search.
• Moving or copying a file or folder to Shared Documents makes it available to everyone
who uses your computer.


If both computers are on the same network

You can share a folder or drive on your computer with others on the network. You can
also control whether the files in the shared folder can be modified by other users.

If your computer is connected to a network domain, use this procedure:

To share a folder or drive

Using Shared Folders

1. Open Computer Management (Local)
2. In the console tree, click Shares.

Where?

Computer Management > System Tools > Shared Folders > Shares

3. On the Action menu, click New File Share.
4. Follow the steps in Create Shared Folder.

You will be prompted to select a folder or drive, type a new share name and description
of the shared resource, and set permissions. After you provide this information, click
Finish.

Note
• To open Computer Management, click Start, and then click Control Panel. Click
Performance and Maintenance, click Administrative Tools, and then double-click
Computer Management.
• You must be a member of the Administrators or Power Users group to use Shared
Folders.

Using Windows Explorer

Open Windows Explorer, and then locate the shared folder or drive to which you want to
add a new share name.

If you are logged on to a domain, do the following:

1. Right-click the shared folder or drive, and then click Sharing and Security.
2. Click Share this folder.
3. Set any other options that you want, and then click OK.

If you are not logged on to a domain or if you are running Windows XP Home Edition,
do the following:

1. Right-click the shared folder or drive, and then click Properties.
2. On the Sharing tab, click Share this folder on the network.
3. Set any other options that you want, and then click OK.

Note
• To open Windows Explorer, click Start, point to All Programs, point to Accessories,
and then click Windows Explorer.

Using a command line

1. Open Command Prompt
2. Type: net share sharename=drive:path

Value                   Description
net share               Creates, deletes, or displays shared resources.
sharename=drive:path    The network name of the shared resource and the absolute
                        path of its location.

Note
• To open command prompt, click Start, point to All Programs, point to Accessories,
and then click Command Prompt.
• To view the complete syntax for this command, at a command prompt, type:

net help share

Note
• You can use Shared Folders to manage shared resources on both local and remote
computers. Windows Explorer and the command line allow you to manage shared
resources on your local computer only.
• You can hide the shared resource from users by typing $ as the last character of the
shared resource name. Users can map a drive to this shared resource, but they cannot see
the shared resource when they browse to it in Windows Explorer or in My Computer, or
when they use the net view command on the remote computer. For more information
about this command, see Net view.
• You must have the appropriate permissions to complete this procedure.

If your computer is connected to a workgroup, use this procedure:

To share a drive or folder on the network

1. Open Windows Explorer, and then locate the drive or folder you want to share.
2. Right-click the drive or folder, and then click Sharing and Security.

• If you are sharing a drive, on the Sharing tab, click If you understand the risk
but still want to share the root of the drive, click here.
• If you are sharing a folder, go to the next step.

3. Do one of the following:

If the Share this folder on the network check box is available, select the check box.

If the Share this folder on the network check box is unavailable, this computer is not
on a network. If you would like to set up a home or small office network, click the
Network Setup Wizard link and follow the instructions to turn on file sharing. Once
file sharing is enabled, begin this procedure again.


Note

• To open Windows Explorer, click Start, point to All Programs, point to Accessories,
and then click Windows Explorer.
• To change the name of your folder on the network, type a new name for your folder in
the Share name text box. This will not change the name of the folder on your computer.
• To allow other users to change the files in your shared folder, select the Allow other
users to change my files check box.
• If you are logged on as a Guest, you cannot create a shared folder.
• The Sharing option is not available for the Documents and Settings, Program Files, and
WINDOWS system folders. In addition, you cannot share folders in other users' profiles.

If you want to share your files online

You can publish pictures and documents on the Web using the Web Publishing Wizard.
The files will be stored in a private, online folder that you manage.

To publish a file or folder to the Web

1. Open My Computer
2. Double-click a drive or folder.
3. Click the file or folder you want to publish to the Web.
4. Under File and Folder Tasks:

click Publish this folder to the Web

-or-

click Publish this file to the Web.

5. Follow the instructions in the Web Publishing Wizard.

Note

• To open My Computer, click Start, and then click My Computer.


• During the Web publishing process, you may be asked to obtain a .NET Passport.
A passport provides personalized access to passport-enabled services and Web
sites by using your e-mail address.
• After you publish a file or folder to the Web, a shortcut to that site is placed in
your Web browser's favorites items.
• Publishing a folder to the Web copies the folder to a Web server or a network
location, such as a shared folder or an FTP site.

If you don't want others to access your files

You can prevent other users from accessing your folders and the files they contain. When
your computer is connected to a domain, this is called setting permissions for your file or
folder. When your computer is connected to a workgroup, this is called making your
folders private.

If your computer is connected to a network domain, use this procedure:

• To allow or deny a permission, in the Permissions for User or Group box, select
the Allow or Deny check box.
• To remove the group or user from the Group or user names box, click Remove.

Important
• If you are not joined to a domain and want to view the Security tab, see To display the
Security tab.

Note

• To open Windows Explorer, click Start, point to All Programs, point to Accessories,
and then click Windows Explorer.
• In Windows XP Professional, the Everyone group no longer includes Anonymous
Logon.
• You can set file and folder permissions only on drives formatted to use NTFS.
• To change permissions, you must be the owner or have been granted permission to do so
by the owner.
• Groups or users granted Full Control for a folder can delete files and subfolders within
that folder regardless of the permissions protecting the files and subfolders.
• If the check boxes under Permissions for user or group are shaded or if the Remove
button is unavailable, then the file or folder has inherited permissions from the parent
folder. For more information on how inheritance affects files and folders, see Related
Topics.
• When adding a new user or group, by default, this user or group will have Read &
Execute, List Folder Contents, and Read permissions.

31. IPconfig displays Windows NT/W2K/XP ip information

To find out what your IP address is, at the command line type:

ipconfig

You will see the default display: your IP address, network mask and gateway address for
your NIC and RAS modem. Win9x had a nice GUI version, winipcfg, but Microsoft did
not include it in the Windows NT / Windows 2000 / Windows XP line. Instead you must
use the command-line ipconfig. To get all the options for ipconfig, at the command line,
type:

ipconfig /?

USAGE:
ipconfig [/? | /all | /renew [adapter] | /release [adapter] |
/flushdns | /displaydns | /registerdns |
/showclassid adapter |
/setclassid adapter [classid] ]

where
adapter Connection name
(wildcard characters * and ? allowed, see examples)

Options:
/?           Display this help message
/all         Display full configuration information.
/release     Release the IP address for the specified adapter.
/renew       Renew the IP address for the specified adapter.
/flushdns    Purges the DNS Resolver cache.
/registerdns Refreshes all DHCP leases and re-registers DNS names
/displaydns  Display the contents of the DNS Resolver Cache.
/showclassid Displays all the dhcp class IDs allowed for adapter.
/setclassid  Modifies the dhcp class id.

The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid, if no ClassId is specified, then the ClassId is removed.

Examples:
> ipconfig ... Show information.
> ipconfig /all ... Show detailed information
> ipconfig /renew ... renew all adapters
> ipconfig /renew EL* ... renew any connection that has its
name starting with EL
> ipconfig /release *Con* ... release all matching connections,
eg. "Local Area Connection 1" or
"Local Area Connection 2"

IP Refresh - Ipconfig and DHCP Client diagnostic Tool is a commercial utility with
support for more complex situations.

A winipcfg-like command, wntipcfg.exe, is in the netmgmt.cab file of the Windows 2000
Server Resource Kit.


The results of issuing ipconfig /displaydns on my home Windows 2000 box:

Windows IP Configuration

www.techrepublic.com
----------------------------------------
Record Name . . . . . : www.techrepublic.com
Record Type . . . . . : 1
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 208.50.157.239

Record Name . . . . . : techrepublic.com
Record Type . . . . . : 2
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Authority
NS Record . . . . . : DNS-SNV.techrepublic.com

Record Name . . . . . : techrepublic.com
Record Type . . . . . : 2
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Authority
NS Record . . . . . : DNS-LOU.techrepublic.com

Record Name . . . . . : techrepublic.com
Record Type . . . . . : 2
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Authority
NS Record . . . . . : DNS-BTF.techrepublic.com

Record Name . . . . . : DNS-SNV.techrepublic.com
Record Type . . . . . : 1
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Additional
A (Host) Record . . . : 208.50.157.213

Record Name . . . . . : DNS-LOU.techrepublic.com
Record Type . . . . . : 1
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Additional
A (Host) Record . . . : 12.43.21.240


Record Name . . . . . : DNS-BTF.techrepublic.com
Record Type . . . . . : 1
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Additional
A (Host) Record . . . : 12.43.21.13

ns1.canuck.gen.nz
----------------------------------------
Record Name . . . . . : ns1.canuck.gen.nz
Record Type . . . . . : 1
Time To Live . . . . : 2145
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 206.40.46.70

ns1.realnames.com
----------------------------------------
Record Name . . . . . : ns1.realnames.com
Record Type . . . . . : 1
Time To Live . . . . : 80038
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 216.86.229.5

ns2.sourcefire.com
----------------------------------------
Record Name . . . . . : ns2.sourcefire.com
Record Type . . . . . : 1
Time To Live . . . . : 44872
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 151.196.107.165

hobbes.auburn.net
----------------------------------------
Record Name . . . . . : hobbes.auburn.net
Record Type . . . . . : 1
Time To Live . . . . : 35205
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 209.16.236.10

dns2.dc.msft.net
----------------------------------------
Record Name . . . . . : DNS2.DC.MSFT.NET
Record Type . . . . . : 1
Time To Live . . . . : 23278
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 207.68.128.152


nsjersey.realnames.com
----------------------------------------
Record Name . . . . . : nsjersey.realnames.com
Record Type . . . . . : 1
Time To Live . . . . : 79515
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 209.185.190.204

ns7.flycast.com
----------------------------------------
Record Name . . . . . : ns7.flycast.com
Record Type . . . . . : 1
Time To Live . . . . : 12469
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 216.52.6.21

ns3.europe.yahoo.com
----------------------------------------
Record Name . . . . . : ns3.europe.yahoo.com
Record Type . . . . . : 1
Time To Live . . . . : 9861
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 217.12.4.71

ze.akadns.net
----------------------------------------
Section . . . . . . . : Answer
A (Host) Record . . . : 12.47.217.11

Section . . . . . . . : Answer
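
An added example, not part of the original tip: a parser for the ipconfig /displaydns listing above, which turns the cache dump into records that can be searched when reviewing what names a host has resolved. The function names are choices made for this example, and SAMPLE is an excerpt cut down from the listing above, including its truncated last entry, to show how incomplete records are handled.

```python
import re

# DNS record type numbers as printed in the "Record Type" field.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 28: "AAAA"}

# "Record Name . . . . . : value"  ->  ("Record Name", "value")
FIELD = re.compile(r"^\s*([A-Za-z() ]+?)[ .]*:\s*(.*)$")

# Excerpt of the listing above (shortened for the example).
SAMPLE = """\
Windows IP Configuration

www.techrepublic.com
----------------------------------------
Record Name . . . . . : www.techrepublic.com
Record Type . . . . . : 1
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 208.50.157.239

Record Name . . . . . : techrepublic.com
Record Type . . . . . : 2
Time To Live . . . . : 1834
Data Length . . . . . : 4
Section . . . . . . . : Authority
NS Record . . . . . : DNS-SNV.techrepublic.com

ze.akadns.net
----------------------------------------
Section . . . . . . . : Answer
A (Host) Record . . . : 12.47.217.11

Section . . . . . . . : Answer
"""


def parse_displaydns(text):
    """Return one dict per resource record found in the cache dump.

    Each dict has 'entry' (the cache-entry heading), 'name', and whichever of
    'type', 'ttl', 'section', 'data' were present, plus 'complete', which is
    False when the record stops before its data line.
    """
    records, entry, cur, prev = [], None, None, ""

    def flush():
        nonlocal cur
        if cur is not None:
            cur["complete"] = "data" in cur
            records.append(cur)
            cur = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:              # rule printed under an entry heading
            flush()
            entry = prev
        else:
            m = FIELD.match(line)
            if m:
                key, value = m.group(1).strip(), m.group(2).strip()
                if key == "Record Name":
                    flush()
                    cur = {"entry": entry, "name": value}
                else:
                    # A field with no preceding Record Name (or a second
                    # Section) starts a record named after the entry heading.
                    if cur is None or (key == "Section" and "section" in cur):
                        flush()
                        cur = {"entry": entry, "name": entry}
                    if key == "Record Type":
                        cur["type"] = (RR_TYPES.get(int(value), value)
                                       if value.isdigit() else value)
                    elif key == "Time To Live":
                        cur["ttl"] = int(value) if value.isdigit() else None
                    elif key == "Section":
                        cur["section"] = value
                    elif key.endswith("Record"):   # "A (Host) Record", "NS Record", ...
                        cur["data"] = value
                        flush()
        prev = line
    flush()
    return records


def answers_by_entry(records):
    """Map each cache entry to the data of its Answer-section records."""
    out = {}
    for rec in records:
        if rec.get("section") == "Answer" and rec.get("data"):
            out.setdefault(rec["entry"], []).append(rec["data"])
    return out


if __name__ == "__main__":
    for rec in parse_displaydns(SAMPLE):
        print(rec)
```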

32. L2TP/IPsec NAT-T update for Windows XP and Windows 2000

SUMMARY
Microsoft has released an update package to enhance the current functionality of Layer
Two Tunneling Protocol (L2TP) and Internet Protocol security (IPsec) on computers that
run Microsoft Windows 2000, Microsoft Windows XP without service packs installed,
and Windows XP with Service Pack 1 (SP1). This functionality is included in Windows
XP Service Pack 2 (SP2). Computers that run Windows XP with a service pack do not
have to install this update package.

This update includes improvements to IPsec to better support virtual private network
(VPN) clients that are behind network address translation (NAT) devices. If you apply
this update to a computer that is running Windows XP, and if the IPsec service
encounters a runtime error and cannot start for any reason, the IPsec driver operates in
block mode because it cannot secure network traffic.

Note The IPsec service appears as "IPSEC services" in the list of system services.

For more information about the latest service pack for Windows XP, click the following
article number to view the article in the Microsoft Knowledge Base:

New IPsec features and Management and Monitor snap-ins


• After you install this update, Windows 2000 and Windows XP-based L2TP/IPsec
clients can create IPsec connections from behind a NAT device. The new IPsec
NAT-T functionality is based on the IETF Requests for Comments (RFC) 3193
and version 2 of the original IETF IPsec NAT-T Internet drafts. Windows XP
clients that have SP2 also have this enhanced connectivity option. IPsec NAT-T is
currently specified in RFCs 3947 and 3948.
• The updated IPsec Monitor snap-in can view computers that are running
Windows XP, but only if the Windows XP-based computer has SP2 installed.
• The updated IPsec Monitor snap-in can view computers that are running
Microsoft Windows Server 2003. Similarly, Windows Server 2003 can monitor
Windows XP-based computers that have SP2 installed.
• Computers that are running Windows 2000 cannot be monitored with this snap-in.
• The new IPsec Management snap-in switches to read-only mode when it
encounters policy objects that contain advanced features that were created in
Windows Server 2003 (for example, DH2048, Certificate Mapping, or dynamic
filters). This behavior causes the snap-in objects (for example, rules, filter lists, or
main mode offerings) to become uneditable if they contain references to these
new settings. The IPsec Management snap-in switches to read-only mode so that
it cannot accidentally remove critical advanced features.
• The updated IPsec services on Windows XP-based computers can expose most of
the new features that are provided in a Windows Server 2003 policy.

Note Certificate Mapping is not available.


• If an earlier version of the IPseccmd tool is installed on a Windows XP-based
computer (this tool is not available in Windows 2000), an updated IPseccmd is
installed in the drive:\Program Files\Support Tools folder.

The updated IPseccmd has the following features:

o It dynamically turns Internet Key Exchange (IKE) logging on and off.
o It displays information about a currently assigned policy.
o It lets you create a persistent IPsec policy.

Note The earlier version of IPseccmd does not work on updated computers, and the
updated IPseccmd does not work on computers that are not updated.

33. SmbRelay captures NTLM hashes

Smbrelay and Smbrelay2 collect NTLM password hashes and write them to hashes.txt in
a format usable by L0phtcrack so the passwords can be cracked later. It is an SMB
man-in-the-middle attack.

SMBRelay takes advantage of the Server Message Block (SMB) file sharing protocol.
SMB is layered onto NetBIOS, the networking application interface first created by IBM
and adopted by Microsoft for DOS. When you share a Windows directory or drive over a
local area network, you are most likely utilizing SMB over NetBIOS over NetBEUI, IPX,
or TCP/IP. So, one might ask, what does DOS have to do with a modern network
exploit?

Microsoft has maintained backward compatibility with its older "dialects." This
backward compatibility means that when a SMB session is initiated, a more primitive
"plain text" level of authentication can often be negotiated that provides for maximum
exposure of the password data. Because SMB was developed to facilitate file and print
sharing on local networks, a Windows client will automatically attempt to log onto an
SMB server. In the process, the host and client will exchange password hashes. These
pairs of password hashes, the challenge from the host plus the response from the client,
can be sniffed and saved for later cracking by L0phtcrack.

The only effective way to block SMB hijacking is to use SMB signing. Unfortunately
there is a performance hit. See Registry Tip #206: SMB Signing for the implementation
details. If your concern is hackers coming across the firewall and using SMB session
hijacking, you can block that by not allowing UDP ports 137 and 138 as well as TCP
ports 139 and 445 from coming through the firewall.
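One way to check whether a host actually enforces SMB signing, as an added example that is not part of the original tip or of Registry Tip #206: it reads an exported .reg file and reports each side that still accepts unsigned sessions. EnableSecuritySignature and RequireSecuritySignature under LanmanServer and LanmanWorkstation are the standard Windows value names; the sample export, the function names and the simplified negotiation model are constructed for illustration.

```python
import re

SERVER_KEY = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
CLIENT_KEY = r"hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters"

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export (already decoded to text; real exports are UTF-16).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000
"""


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def signing_flags(keys, key_path):
    """(enabled, required) for one side; None where a value was not exported."""
    values = keys.get(key_path, {})

    def flag(name):
        value = values.get(name)
        return None if value is None else bool(value)

    return flag("enablesecuritysignature"), flag("requiresecuritysignature")


def negotiate(client, server):
    """Outcome of a session setup for two (enabled, required) pairs."""
    c_en, c_req = client
    s_en, s_req = server
    # Simplification of this example: a side that requires signing also offers it.
    c_en, s_en = c_en or c_req, s_en or s_req
    if (c_req and not s_en) or (s_req and not c_en):
        return "refused"
    return "signed" if (c_en and s_en) else "unsigned"


def audit(text):
    """List (role, finding) for every side that does not require signing."""
    keys = parse_reg_export(text)
    findings = []
    for role, path in (("server", SERVER_KEY), ("client", CLIENT_KEY)):
        enabled, required = signing_flags(keys, path)
        if required is None:
            findings.append((role, "unknown"))    # value missing from the export
        elif not required:
            # Without "required", the peer can simply decline to sign.
            findings.append((role, "optional" if enabled else "disabled"))
    return findings


if __name__ == "__main__":
    for role, finding in audit(SAMPLE_REG):
        print(f"{role}: signing {finding}, unsigned sessions are accepted")
```

An empty result from audit() means both the server and the workstation side require signing; anything else leaves the host open to sessions that are never signed.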

Sir Dystic's SMBRelay automates the process by functioning first as a data relay between
the client and host, sending on all but the authentication data. Then the attacker
disconnects the client and binds the host to a new IP relay address that the attacker can
log on to, all the while maintaining the original client's host privileges. At the same time
NTLM password hashes exchanged by the client and host are collected and saved to a
text file.

SmbRelay is set up so that when it receives a connection on port 139, it connects back
to the connecting computer's port 139, and relays the packets between the client and
server of the connecting Windows machine, making modifications to these packets when
necessary. After connecting and authenticating, it disconnects the target's client and binds
to port 139 on a new IP address. This IP address (the relay address) can then be
connected to directly from Windows using "net use \\192.1.1.1" and then used by all of
the networking built into Windows. It relays all the SMB traffic, except for the
negotiation and authentication. You can disconnect from and reconnect to this virtual IP
as long as the target host stays connected. SMBRelay is multi-threaded and handles
multiple connections simultaneously. It will create new IP addresses sequentially,
removing them when the target host disconnects. It will not allow the same IP address to
connect twice, unless a successful connection to that target was achieved and
disconnected. If this happens, it may use the same relay address again for another
connection.

34. XP: speed up access to network shares

I have seen reports that Windows XP is slow when accessing network shares. I use XP
daily on my local home network and a corporate LAN. I haven't noticed the network
slowness. But if you do, there are reports that deleting a particular registry key resolved
the problem. It certainly works for Windows 2000. You can give it a try in XP. I would
back up the key first.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace\{D6277990-4C6A-11CF-8D87-00AA0060F5BF}

To back up and delete the key, navigate to the NameSpace key in the regedt32 registry
editor:

• Right-click {D6277990-4C6A-11CF-8D87-00AA0060F5BF}
• Click Export. In the Export Registry File dialog box, in the File Name text box:
• Type the file name of your choice, for example restoreshare
• Click Save
This saves the file, named restoreshare.reg in my example, to the My Documents
folder. It's now safe to delete the key.
• Right-click {D6277990-4C6A-11CF-8D87-00AA0060F5BF}
• Click Delete
• Click Yes in the Confirm Key Delete dialog box.

If your system is unstable or weird after deleting this key, you can restore the key. In
Explorer, double-click on your reg file. This will restore the deleted registry key.

35. How to reset Internet Protocol (TCP/IP) in Windows XP

INTRODUCTION
In Microsoft Windows XP, the TCP/IP stack is considered to be a core component of the
operating system, and you cannot remove TCP/IP. Therefore, when you view the list of
components for a network interface, you may notice that the Uninstall button is disabled
when Internet Protocol (TCP/IP) is selected. In extreme cases, the best solution for this
issue may be to reinstall the Internet Protocol stack. But with the NetShell utility, you can
reset the TCP/IP stack to restore it to the state that existed when the operating system was
installed. This article describes how to use the NetShell utility for this purpose.

MORE INFORMATION
Manual method to reset TCP/IP
The NetShell utility (netsh) is a command-line scripting interface for configuring and
monitoring Windows XP networking. This tool provides an interactive network shell
interface to the user.

In Windows XP, a reset command is available in the IP context of the NetShell utility.
When you run the reset command, it rewrites pertinent registry keys that are used by the
Internet Protocol (TCP/IP) stack to reach the same result as the removal and the
reinstallation of the protocol.

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
SYSTEM\CurrentControlSet\Services\DHCP\Parameters\

Command usage
netsh int ip reset [log_file_name]
To manually run the command successfully, you must specify a file name for the log
where actions that are taken by netsh will be recorded. For example, at a command
prompt, type either of the samples that are listed in the "Command samples" section. The
TCP/IP stack will then be reset on a system, and the actions that were taken will be
recorded in the log file, Resetlog.txt. The first sample creates the log file in the current
directory, while the second sample creates a path where the log will reside. In either case,
where the specified log file already exists, the new log will be appended to the end of the
existing file.

Warning Programs that access or monitor the Internet such as antivirus, firewall or proxy
clients may be negatively affected when you run the netsh winsock reset command. If
you have a program that no longer functions correctly after you use this resolution,
reinstall the program to restore functionality.

Command samples
netsh int ip reset resetlog.txt
netsh int ip reset c:\resetlog.txt

Sample Log File for NETSH INT IP RESET


The following is a sample of the log file that is generated by netsh when an IP reset
command is issued. The actual log file may vary depending on the configuration of the
system where the command is issued. When the TCP/IP registry keys have not been
altered from their original configuration, there may be no actions logged in the file.

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
    old REG_MULTI_SZ =
        SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
        SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\NetbiosOptions
added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{BAA9D128-54BB-43F6-8922-313D537BE03E}\NetbiosOptions
reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\NameServerList
    old REG_MULTI_SZ =
        10.1.1.2

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\DefaultGatewayMetric
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\DontAddDefaultGateway
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\EnableDhcp
    old REG_DWORD = 0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\NameServer
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\RawIpAllowedProtocols
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\TcpAllowedPorts
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\UdpAllowedPorts
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\DisableDynamicUpdate

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\EnableDhcp
    old REG_DWORD = 0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\IpAddress
    old REG_MULTI_SZ =
        12.12.12.12

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\RawIpAllowedProtocols
    old REG_MULTI_SZ =
        0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\SubnetMask
    old REG_MULTI_SZ =
        255.255.255.0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\TcpAllowedPorts
    old REG_MULTI_SZ =
        0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\UdpAllowedPorts
    old REG_MULTI_SZ =
        0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\DefaultGatewayMetric
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\DontAddDefaultGateway

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\EnableDhcp
    old REG_DWORD = 0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\NameServer
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\RawIpAllowedProtocols
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\TcpAllowedPorts
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\UdpAllowedPorts
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\DefaultGateway
    old REG_MULTI_SZ =
        10.1.1.2

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\DefaultGatewayMetric
    old REG_MULTI_SZ =
        0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\DisableDynamicUpdate
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\EnableDhcp
    old REG_DWORD = 0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAddress
    old REG_MULTI_SZ =
        10.1.1.1

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAutoconfigurationSeed

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\NameServer
    old REG_SZ = 10.1.1.2,10.1.1.3

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\RawIpAllowedProtocols
    old REG_MULTI_SZ =
        0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\SubnetMask
    old REG_MULTI_SZ =
        255.255.255.0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\TcpAllowedPorts
    old REG_MULTI_SZ =
        0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\UdpAllowedPorts
    old REG_MULTI_SZ =
        0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
<completed>
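
A parser for this log format, added here as an example and not part of the original article: it recovers the per-interface settings that the reset overwrote (useful for putting a static configuration back) and lists the TCP/IP filtering and ICMP-redirect values the reset touched. It assumes the on-disk layout with each action and its registry path on one line; the function names and the choice of values to flag are this example's own.

```python
import re

ENTRY_RE = re.compile(r"^(reset|added|deleted)\s+(.+)$")
OLD_RE = re.compile(r"^old\s+(REG_[A-Z_]+)\s*=\s*(.*)$")
GUID_RE = re.compile(r"\\Interfaces\\(?:Tcpip_)?(\{[0-9A-Fa-f-]{36}\})\\")

# Values that hold TCP/IP filtering and ICMP-redirect settings. The selection
# is this example's assumption; every name appears in the sample log.
FILTER_VALUES = {"EnableSecurityFilters", "TcpAllowedPorts", "UdpAllowedPorts",
                 "RawIpAllowedProtocols", "EnableIcmpRedirect"}

# Entries taken from the article's sample log, rejoined one per line.
SAMPLE_LOG = r"""
reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\NameServerList
    old REG_MULTI_SZ =
        10.1.1.2

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\TcpAllowedPorts
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\DefaultGateway
    old REG_MULTI_SZ =
        10.1.1.2

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\EnableDhcp
    old REG_DWORD = 0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAddress
    old REG_MULTI_SZ =
        10.1.1.1

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\NameServer
    old REG_SZ = 10.1.1.2,10.1.1.3

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\SubnetMask
    old REG_MULTI_SZ =
        255.255.255.0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\TcpAllowedPorts
    old REG_MULTI_SZ =
        0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters
<completed>
"""


def parse_reset_log(text):
    """Return one dict per log entry, in file order."""
    entries, current, collecting = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "<completed>":
            break
        m = ENTRY_RE.match(line)
        if m:
            key = m.group(2)
            guid = GUID_RE.search(key)
            current = {"action": m.group(1), "key": key,
                       "value": key.rsplit("\\", 1)[-1],
                       "interface": guid.group(1) if guid else None,
                       "old_type": None, "old": []}
            entries.append(current)
            collecting = False
            continue
        if current is None:
            continue
        m = OLD_RE.match(line)
        if m:
            current["old_type"] = m.group(1)
            if m.group(2):                  # single-line value (REG_DWORD, REG_SZ)
                current["old"].append(m.group(2))
            collecting = not m.group(2)     # REG_MULTI_SZ values follow on later lines
        elif not line:
            collecting = False              # a blank line ends a multi-line value
        elif collecting:
            current["old"].append(line)
    return entries


def previous_settings(entries):
    """Old values of Tcpip interface settings that the reset overwrote."""
    settings = {}
    for e in entries:
        if (e["action"] == "reset" and e["interface"]
                and "\\Tcpip\\Parameters\\" in e["key"]):
            settings.setdefault(e["interface"], {})[e["value"]] = e["old"]
    return settings


def filtering_changes(entries):
    """(action, value name, interface) for each filtering-related value touched."""
    return [(e["action"], e["value"], e["interface"])
            for e in entries if e["value"] in FILTER_VALUES]


if __name__ == "__main__":
    parsed = parse_reset_log(SAMPLE_LOG)
    for iface, values in previous_settings(parsed).items():
        print(iface, values)
    for change in filtering_changes(parsed):
        print("filtering:", change)
```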

REFERENCES
For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
314067 (http://support.microsoft.com/kb/314067/) How to troubleshoot TCP/IP
connectivity with Windows XP
For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:
811259 (http://support.microsoft.com/kb/811259/) How to determine and recover from
Winsock2 corruption

36. How to troubleshoot TCP/IP connectivity with Windows XP

INTRODUCTION
There are tools that can provide useful information when you are trying to determine the
cause of TCP/IP networking problems under Microsoft Windows XP. This article lists
recommendations for using these tools to diagnose network problems. Although this list
is not complete, the list does provide examples that show how you can use these tools to
track down problems on the network.

MORE INFORMATION
TCP/IP troubleshooting tools
The following list shows some of the TCP/IP diagnostic tools that are included with
Windows XP:

Basic tools
• Network Diagnostics in Help and Support
Contains detailed information about the network configuration and the results of
automated tests.
• Network Connections folder
Contains information and configuration for all network connections on the
computer. To locate the Network Connections folder, click Start, click Control
Panel, and then click Network and Internet Connections.
• IPConfig command
Displays current TCP/IP network configuration values; updates or releases
Dynamic Host Configuration Protocol (DHCP) allocated leases; and displays,
registers, or flushes Domain Name System (DNS) names.
• Ping command
Sends ICMP Echo Request messages to verify that TCP/IP is configured correctly
and that a TCP/IP host is available.

Advanced tools
• Hostname command
Displays the name of the host computer.
• Nbtstat command
Displays the status of current NetBIOS over TCP/IP connections, updates the
NetBIOS name cache, and displays the registered names and scope ID.
• PathPing command
Displays a path of a TCP/IP host and packet losses at each router along the way.
• Route command
Displays the IP routing table and adds or deletes IP routes.
• Tracert command
Displays the path of a TCP/IP host.

To view the correct command syntax to use with each of these tools, type -? at a
command prompt after the name of the tool.

Windows XP Professional tools


Windows XP Professional contains the following additional tools:
• Event viewer
Records system errors and events.
• Computer Management
Changes network interface drivers and other components.

Troubleshooting
The procedure that you use to troubleshoot TCP/IP issues depends on the type of network
connection that you are using and the connectivity problem that you are experiencing.

Automated troubleshooting
For most issues that involve Internet connectivity, start by using the Network Diagnostics
tool to identify the source of the issue. To use Network Diagnostics, follow these steps:

1. Click Start, and then click Help and Support.
2. Click the link to Use Tools to view your computer information and diagnose
problems, and then click Network Diagnostics in the list on the left.
3. When you click Scan your system, Network Diagnostics gathers configuration
information and performs automated troubleshooting of the network connection.
4. When the process is completed, look for any items that are marked "FAILED" in
red, expand those categories, and then view the additional details about what the
testing showed.

You can either use that information to resolve the issue or you can provide the
information to a network support professional for help. If you compare the tests that
failed with the documentation in the Manual Troubleshooting section later in this article,
you may be able to determine the source of the issue. To interpret the results for TCP/IP,
expand the Network Adapters section of the results, and then expand the network adapter
that failed the testing.

You can also start the Network Diagnostics interface directly by using the following
command:
netsh diag gui

Manual troubleshooting

To manually troubleshoot your TCP/IP connectivity, use the following methods in the
order that they appear:

Method 1: Use the IPConfig tool to verify the configuration

To use the IPConfig tool to verify the TCP/IP configuration on the computer that is
experiencing the problem, click Start, click Run, and then type cmd. You can now use
the ipconfig command to determine the host computer configuration information,
including the IP address, the subnet mask, and the default gateway.

The /all parameter for IPConfig generates a detailed configuration report for all
interfaces, including any remote access adapters. You can redirect IPConfig output to a
file to paste the output into other documents. To do this, type:

ipconfig > \folder_name\file_name

The output receives the specified file name and is stored in the specified folder.

You can review the IPConfig output to identify issues that exist in the computer network
configuration. For example, if a computer is manually configured with an IP address that
duplicates an existing IP address that is already detected, the subnet mask appears as
0.0.0.0.

If your local IP address is returned as 169.254.y.z with a subnet mask of 255.255.0.0, the
IP address was assigned by the Automatic Private IP Addressing (APIPA) feature of
Windows XP Professional. This assignment means that TCP/IP is configured for
automatic configuration, that no DHCP server was found, and that no alternative
configuration is specified. This configuration has no default gateway for the interface.

If your local IP address is returned as 0.0.0.0, the DHCP Media Sensing feature override
is turned on because the network adapter detected its lack of connection to a network, or
TCP/IP detected an IP address that duplicates a manually configured IP address.

If you do not identify any issues in the TCP/IP configuration, go to Method 2.

Method 2: Use the Ping tool to test your connectivity

If you do not identify any issues in the TCP/IP configuration, determine whether the
computer can connect to other host computers on the TCP/IP network. To do this, use the
Ping tool.

The Ping tool helps you verify IP-level connectivity. The ping command sends an ICMP
Echo Request message to a destination host. Use Ping whenever you want to verify that a
host computer can send IP packets to a destination host. You can also use Ping to isolate
network hardware problems and incompatible configurations.

Note If you ran the ipconfig /all command, and the IP configuration appeared, you do not
have to ping the loopback address and your own IP address. IPConfig has already
performed these tasks to display the configuration. When you troubleshoot, verify that a
route exists between the local computer and a network host. To do this, use the following
command:

ping IP address

Note IP address is the IP address of the network host that you want to connect to.

To use the ping command, follow these steps:

1. Ping the loopback address to verify that TCP/IP is installed and correctly
configured on the local computer. To do this, type the following command:
ping 127.0.0.1
If the loopback test fails, the IP stack is not responding. This problem may occur
if any one or more of the following conditions is true:
o The TCP drivers are corrupted.
o The network adapter is not working.
o Another service is interfering with IP.

2. Ping the IP address of the local computer to verify that the computer was correctly
added to the network. If the routing table is correct, this procedure just forwards
the packet to the loopback address of 127.0.0.1. To do this, type the following
command:

ping IP address of local host

If the loopback test succeeds but you cannot ping the local IP address, there may
be an issue with the routing table or with the network adapter driver.

3. Ping the IP address of the default gateway to verify that the default gateway is
working and that you can communicate with a local host on the local network. To
do this, type the following command:

ping IP address of default gateway

If the ping fails, you may have an issue with the network adapter, the router or
gateway device, the cabling, or other connectivity hardware.
4. Ping the IP address of a remote host to verify that you can communicate through a
router. To do this, type the following command:

ping IP address of remote host

If the ping fails, the remote host may not be responding, or there may be a
problem with the network hardware between computers. To rule out an
unresponsive remote host, use Ping again to a different remote host.

5. Ping the host name of a remote host to verify that you can resolve a remote host
name. To do this, type the following command:

ping Host name of remote host

Ping uses name resolution to resolve a computer name into an IP address.
Therefore, if you successfully ping an IP address but you cannot ping a computer
name, there is a problem with host name resolution, not with network
connectivity. Verify that DNS server addresses are configured for the computer,
either manually in the properties of TCP/IP, or by automatic assignment. If DNS
server addresses are listed when you type the ipconfig /all command, try to ping
the server addresses to make sure that they are accessible.

If you cannot use Ping successfully at any point, verify the following configurations:

• Make sure that the local computer's IP address is valid and that it is correct on the
General tab of the Internet Protocol (TCP/IP) Properties dialog box or when it is
used with the Ipconfig tool.

• Make sure that a default gateway is configured and that the link between the host and
the default gateway is working. For troubleshooting purposes, make sure that only
one default gateway is configured. Although you can configure more than one default
gateway, gateways after the first gateway are used only if the IP stack determines that
the original gateway is not working. The purpose of troubleshooting is to determine
the status of the first configured gateway. Therefore, you can delete all the other
gateways to simplify your task.

• Make sure that Internet Protocol security (IPSec) is not turned on. Depending on the
IPSec policy, Ping packets may be blocked or may require security. For more
information about IPSec, go to Method 7: Verify Internet Protocol security (IPSec).

Important If the remote computer that you are pinging is across a high-delay link such
as a satellite link, response may take longer. You can use the -w (wait) parameter to
specify a longer timeout period than the default timeout of four seconds.

Method 3: Use the PathPing tool to verify a route

The PathPing tool detects packet loss over multiple-hop paths. Run a PathPing analysis to
a remote host to verify that the routers on the way to the destination are operating
correctly. To do this, type the following command:
pathping IP address of remote host

Method 4: Use the Arp tool to clear the ARP cache

If you can ping both the loopback address (127.0.0.1) and your IP address but you cannot
ping any other IP addresses, use the Arp tool to clear out the Address Resolution Protocol
(ARP) cache. To view the cache entries, type any one of the following commands:
arp -a

arp -g
To delete the entries, type the following command:
arp -d IP address
To flush the ARP cache, type the following command:
netsh interface ip delete arpcache

Method 5: Verify the default gateway

The gateway address must be on the same network as the local host. Otherwise, messages
from the host computer cannot be forwarded outside the local network. If the gateway
address is on the same network as the local host, make sure that the default gateway
address is correct. Make sure that the default gateway is a router, not just a host. And
make sure that the router is enabled to forward IP datagrams.
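
The configuration checks from Method 1 (an APIPA address, an address of 0.0.0.0, a subnet mask of 0.0.0.0) and the same-network rule for the default gateway from Method 5, applied to saved ipconfig output; this is an added example, not part of the original article. The sample text is constructed in the layout of XP's ipconfig /all, and the function names and finding labels are this example's own.

```python
import ipaddress
import re

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")   # "Subnet Mask . . . : 255.255.0.0"

# What each finding means, in the article's terms.
MEANING = {
    "apipa": "APIPA address: automatic configuration, no DHCP server found, "
             "no alternate configuration",
    "duplicate-address": "subnet mask 0.0.0.0: the manually configured address "
                         "duplicates one already detected",
    "no-link-or-duplicate": "address 0.0.0.0: media sensing found no network "
                            "connection, or a duplicate address was detected",
    "no-default-gateway": "no default gateway for the interface",
    "gateway-off-subnet": "default gateway is not on the same network as the host",
    "no-address": "no IP address or subnet mask listed for this adapter",
    "ok": "no configuration issue found; go to Method 2",
}

# Constructed sample (not captured output).
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-lab-01

Ethernet adapter Office LAN:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.23.7
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Lab LAN:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.1.1
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Test LAN:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.1.1.9
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.2.2

Ethernet adapter Home LAN:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
"""


def parse_ipconfig(text):
    """Return {adapter heading: {field name: value}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headings start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return adapters


def diagnose(fields):
    """Apply the Method 1 and Method 5 checks to one adapter's fields."""
    ip_text = fields.get("IP Address") or fields.get("Autoconfiguration IP Address")
    mask_text = fields.get("Subnet Mask")
    gateway_text = fields.get("Default Gateway", "")
    if not ip_text or not mask_text:
        return ["no-address"]
    ip = ipaddress.ip_address(ip_text)
    if ip == ipaddress.ip_address("0.0.0.0"):
        return ["no-link-or-duplicate"]
    if mask_text == "0.0.0.0":
        return ["duplicate-address"]
    findings = []
    if ip in APIPA_NET:
        findings.append("apipa")
    if not gateway_text:
        findings.append("no-default-gateway")
    else:
        network = ipaddress.ip_network(f"{ip_text}/{mask_text}", strict=False)
        if ipaddress.ip_address(gateway_text) not in network:
            findings.append("gateway-off-subnet")
    return findings or ["ok"]


def report(text):
    return {name: diagnose(fields) for name, fields in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_IPCONFIG).items():
        for finding in findings:
            print(f"{name}: {MEANING[finding]}")
```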

Method 6: Use the Tracert tool or the Route tool to verify communications

If the default gateway responds correctly, ping a remote host to make sure that network-
to-network communications are working correctly. If communications are not working
correctly, use the Tracert tool to trace the path of the destination. For IP routers that are
Microsoft Windows 2000-based or Microsoft Windows NT 4.0-based computers, use the
Route tool or the Routing and Remote Access snap-in to view the IP routing table. For
other IP routers, use the vendor-designated appropriate tool or facility to examine the IP
routing table.

Most frequently, you receive the following four error messages when you use Ping during
troubleshooting:

TTL Expired in Transit

This error message means that the number of required hops exceeds the Time to Live
(TTL). To increase the TTL, use the ping -i command. A routing loop may exist. Use the
Tracert command to determine whether misconfigured routers have caused a routing
loop.

Destination Host Unreachable

This error message means that no local or remote route exists for a destination host at the
sending host or at a router. Troubleshoot the local host or the router's routing table.

Request Timed Out

This error message means that the Echo Reply messages were not received in the
designated timeout period. By default, the designated timeout period is four seconds. Use
the ping -w command to increase the timeout.

Ping request could not find host

This error message means that the destination host name cannot be resolved. Verify the
name and the availability of DNS or WINS servers.

Method 7: Verify Internet Protocol security (IPSec)

IPSec can improve security on a network, but it can make changing network configurations or
troubleshooting problems more difficult. Sometimes, IPSec policies require secured
communication on a Windows XP Professional-based computer. These requirements can
make it difficult to connect to a remote host. If IPSec is implemented locally, you can
turn off the IPSEC Services service in the Services snap-in.

If the difficulties end when you stop the IPSec services, IPSec policies are either blocking
the traffic or requiring security for the traffic. Ask the security administrator to modify
the IPSec policy.

Method 8: Verify packet filtering


Because of mistakes in packet filtering, address resolution or connectivity may not work.
To determine whether packet filtering is the source of a network problem, turn off
TCP/IP packet filtering. To do this, follow these steps:

1. Click Start, click Control Panel, click Network and Internet Connections, and
then click Network Connections.
2. Right-click the local area connection that you want to modify, and then click
Properties.
3. On the General tab, in the This connection uses the following items list, click
Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the Options tab.
5. In the Optional Settings dialog box, click TCP/IP Filtering, and then click the
Properties tab.
6. Click to clear the Enable TCP/IP Filtering (All adapters) check box, and then
click OK.

To ping an address, use its DNS name, its NetBIOS computer name, or its IP address. If
the ping succeeds, the packet filtering options may be misconfigured or too restrictive.
For example, the filtering can allow the computer to act as a Web server, but, to do this,
the filtering may turn off tools such as remote administration. To restore a wider range of
permissible filtering options, change the permitted values for the TCP port, the UDP port,
and the IP protocol.

Method 9: Verify the connection to a specific server

To determine the cause of connectivity problems when you are trying to connect to a
specific server through NetBIOS-based connections, use the nbtstat -n command on the
server to determine what name the server registered on the network.

The nbtstat -n command output lists several names that the computer has registered.
The list will include a name that looks similar to the computer's name that is configured
on the Computer Name tab under System in Control Panel. If not, try one of the other
unique names that the nbtstat command displays.

The Nbtstat tool can also display the cached entries for remote computers from #PRE
entries in the Lmhosts file or from recently resolved names. If the name that the remote
computers are using for the server is the same, and the other computers are on a remote
subnet, make sure that the other computers have the computer's name-to-address mapping
in their Lmhosts files or WINS servers.

Method 10: Verify remote connections

To determine why a TCP/IP connection to a remote computer stops responding, use the
netstat -a command to show the status of all activity for TCP and UDP ports on the local
computer.

Typically, a good TCP connection shows 0 bytes in the Sent and Received queues. If
data is blocked in either queue or the state of the queues is irregular, the connection may
be faulty. If data is not blocked, and the state of the queues is typical, you may be
experiencing network or program delay.

Method 11: Use the Route tool to examine the routing table

For two hosts to exchange IP datagrams, both hosts must have a route to each other, or
they must use default gateways that have a route. To view the routing table on a
Windows XP-based host, type the following command:

route print

Method 12: Use the Tracert tool to examine paths

Tracert sends ICMP Echo Request messages that have incrementally higher values in the
IP header TTL field to determine the path from one host to another through a network.
Then Tracert analyzes the ICMP messages that are returned. With Tracert, you can track
the path from router to router for up to 30 hops. If a router has failed, or the packet is
routed into a loop, Tracert reveals the problem. After you locate the problem router, you
can contact the router administrator if the router is offsite, or you can restore the router to
fully functional status if the router is under your control.

Method 13: Troubleshoot gateways

If you receive the following error message during configuration, determine whether the
default gateway is located on the same logical network as the computer's network
adapter:

Your default gateway does not belong to one of the configured interfaces

Compare the network ID part of the default gateway IP address with the network IDs of
the computer's network adapters. Specifically, verify that the bitwise logical AND of the
IP address and the subnet mask equals the bitwise logical AND of the default gateway
and the subnet mask.

For example, a computer that has a single network adapter that is configured with an IP
address of 172.16.27.139 and a subnet mask of 255.255.0.0 must use a default gateway of
the form 172.16.y.z. The network ID for this IP interface is 172.16.0.0.
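
The check described above, carried out with explicit bitwise AND operations. This is an added example, not part of the original article; the second adapter and the gateway values tried at the bottom are constructed, and the function names are hypothetical.

```python
import ipaddress

def network_id(address, mask):
    """Bitwise AND of a dotted-quad address and subnet mask, as a dotted quad."""
    addr = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(addr & m))

def mask_is_contiguous(mask):
    """A usable subnet mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def interfaces_for_gateway(gateway, interfaces):
    """Return the names of the interfaces whose network ID matches the gateway's.

    interfaces is a list of (name, ip, mask) tuples. An empty result is the
    condition behind the "does not belong to one of the configured
    interfaces" message.
    """
    matches = []
    for name, ip, mask in interfaces:
        if not mask_is_contiguous(mask):
            raise ValueError(f"{name}: {mask} is not a valid subnet mask")
        # Same comparison as in the text: (IP AND mask) == (gateway AND mask)
        if network_id(ip, mask) == network_id(gateway, mask):
            matches.append(name)
    return matches

# Constructed sample: the first adapter uses the address and mask from the
# text; the second adapter is an assumption added for illustration.
ADAPTERS = [
    ("Local Area Connection", "172.16.27.139", "255.255.0.0"),
    ("Local Area Connection 2", "192.168.1.20", "255.255.255.0"),
]

if __name__ == "__main__":
    for gw in ("172.16.0.1", "172.17.0.1", "192.168.1.1"):
        found = interfaces_for_gateway(gw, ADAPTERS)
        print(gw, "->", found or "no matching interface")
```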

Additional resources
The following resources contain additional information about how to troubleshoot
Microsoft TCP/IP:

See the "Configuring TCP/IP" topic in the documentation for the Microsoft Windows XP
Professional Resource Kit.

See "Introduction to TCP/IP" in the TCP/IP Core Networking Guide of the Microsoft
Windows 2000 Server Resource Kit for general information about the TCP/IP protocol
suite.

See "Unicast Routing Overview" in the Internetworking Guide of the Microsoft Windows
2000 Server Resource Kit for more information about routing principles.

See "TCP/IP Troubleshooting" in the TCP/IP Core Networking Guide of the Microsoft
Windows 2000 Server Resource Kit for more information about IP packet filtering.

37. How to determine and recover from Winsock2 corruption

Important This article contains information about how to modify the registry. Make sure
to back up the registry before you modify it. Make sure that you know how to restore the
registry if a problem occurs. For more information about how to back up, restore, and
modify the registry, click the following article number to view the article in the Microsoft
Knowledge Base:

SYMPTOMS
When you try to release and renew the IP address by using the Ipconfig program
(Ipconfig.exe), you may receive one of the following error messages.
Message 1
An error occurred while renewing interface 'Internet': An operation was
attempted on something that is not a socket.
Message 2
An error occurred while renewing interface Local Area Connection: the
requested service provider could not be loaded or initialized.
When you start Internet Explorer, you may receive the following error message:
The page cannot be displayed
When you use your computer, you may receive the following error message:
Initialization function INITHELPERDLL in IPMONTR.DLL failed to start
with error code 10107
Additionally, you may have no IP address or no Automatic Private IP Addressing
(APIPA) address, and you may be receiving IP packets but not sending them.

When you use the ipconfig /renew command, you may receive the following error
messages.

Message 1
An error occurred while renewing interface local area connection: an
operation was attempted on something that is not a socket. Unable to contact
driver Error code 2.
Message 2
The operation failed since no adapter is in the state permissible for this
operation.
Message 3
The attempted operation is not supported for the type of object referenced.

In Device Manager, when you click Show Hidden Devices, the TCP/IP Protocol Driver
is listed as disabled under Non-Plug and Play drivers, and you receive error code 24.

When you create a dial-up connection, you may receive the following error message:
Error 720: No PPP Control Protocols Configured

RESOLUTION
Manual steps to determine whether the Winsock2 key is corrupted
To determine if the symptoms are caused by a problem with the Winsock2 key, use one
of the following methods.

Method 1: Use the Netdiag tool


To use the Netdiag tool, you must install the Microsoft Windows XP Support Tools. To
do so, follow these steps.

Notes

• If you already have Support Tools installed, go to the second procedure in this
section.
• If you do not have Support Tools installed and you do not have the Windows XP
Setup CD, go to Method 2.

1. Insert your Windows XP Setup CD, and then locate the Support\Tools folder.
2. Double-click the Setup.exe file.
3. Follow the steps on the screen until you reach the Select An Installation Type
screen.
4. On the Select An Installation Type screen, click Complete, and then click Next.

When the installation is complete, follow these steps:


1. Click Start, click Run, type Command, and then click OK.
2. Type netdiag /test:winsock, and then press ENTER.

The Netdiag tool will return the test results for several network components, including
the Winsock. For more details about the test, use /v at the end of the netdiag command:
netdiag /test:winsock /v

Method 2: Use the Msinfo32 program


Note Use this method only if you do not have a Windows XP Setup CD and you do not
have Support Tools installed.

1. Click Start, click Run, type Msinfo32, and then click OK.
2. Expand Components, expand Network, and then click Protocol.
3. You will have ten sections under Protocol. The section headings will include the
following names if the Winsock2 key is undamaged:
• MSAFD Tcpip [TCP/IP]
• MSAFD Tcpip [UDP/IP]
• RSVP UDP Service Provider
• RSVP TCP Service Provider
• MSAFD NetBIOS [\Device\NetBT_Tcpip...
• MSAFD NetBIOS [\Device\NetBT_Tcpip...
• MSAFD NetBIOS [\Device\NetBT_Tcpip...
• MSAFD NetBIOS [\Device\NetBT_Tcpip...
• MSAFD NetBIOS [\Device\NetBT_Tcpip...
• MSAFD NetBIOS [\Device\NetBT_Tcpip...

If the names are anything different from those in this list, the Winsock2 key is corrupted,
or you have a third-party add-on, such as proxy software, installed.

If you have a third-party add-on installed, the name of the add-on will replace the letters
"MSAFD" in the list.

If there are more than ten sections in the list, you have third-party additions installed.

If there are fewer than ten sections, there is information missing.

Note These entries represent an installation with only the TCP/IP protocol installed. You
can have a working Winsock and see additional entries if another protocol is installed.
For example, if you install NWLink IPX/SPX, you will see 7 additional sections, for a
total of 17. Below is an example heading of one of the new sections:

MSAFD nwlnkipx [IPX]

Also, each of the new sections that are created by installing NWLink IPX/SPX starts with
"MSAFD." Therefore, there are still only two sections that do not start with those letters.
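
The Msinfo32 rules above, applied to a list of Protocol section headings so that every entry an administrator cannot account for is named. This is an added example, not part of the original article; the sample lists are constructed, "ExampleProxy" is a hypothetical add-on name, and the function name is an assumption.

```python
# Rules taken from the text: a TCP/IP-only installation shows ten sections,
# and only the two RSVP providers do not start with "MSAFD".
BASELINE_COUNT = 10
EXPECTED_NON_MSAFD = {"RSVP UDP Service Provider", "RSVP TCP Service Provider"}
BASELINE_MSAFD = BASELINE_COUNT - len(EXPECTED_NON_MSAFD)

def assess_protocol_sections(headings):
    """Classify Msinfo32 Protocol section headings using the rules above."""
    names = [h.strip() for h in headings if h.strip()]
    non_msafd = [n for n in names if not n.startswith("MSAFD")]
    unexpected = [n for n in non_msafd if n not in EXPECTED_NON_MSAFD]
    missing = sorted(EXPECTED_NON_MSAFD - set(names))
    findings = []
    if len(names) < BASELINE_COUNT:
        findings.append(f"{len(names)} sections, fewer than {BASELINE_COUNT}: "
                        "information is missing")
    if missing:
        findings.append("expected provider not listed: " + ", ".join(missing))
    if unexpected:
        findings.append("third-party add-on or corrupted entry: "
                        + ", ".join(unexpected))
    # Extra MSAFD sections are what another protocol such as NWLink adds.
    extra_msafd = max(0, len(names) - len(non_msafd) - BASELINE_MSAFD)
    return {"count": len(names), "unexpected": unexpected,
            "extra_msafd": extra_msafd, "findings": findings,
            "needs_review": bool(findings)}

# Constructed sample input. The NetBIOS heading is kept truncated exactly
# as the page shows it.
NETBIOS = "MSAFD NetBIOS [\\Device\\NetBT_Tcpip..."
CLEAN = ["MSAFD Tcpip [TCP/IP]", "MSAFD Tcpip [UDP/IP]",
         "RSVP UDP Service Provider", "RSVP TCP Service Provider"] + [NETBIOS] * 6
# Hypothetical add-on name standing in for "MSAFD" on two entries.
WITH_ADDON = ["ExampleProxy Tcpip [TCP/IP]",
              "ExampleProxy Tcpip [UDP/IP]"] + CLEAN[2:]
TRUNCATED = CLEAN[:7]

if __name__ == "__main__":
    samples = (("clean", CLEAN), ("add-on", WITH_ADDON), ("truncated", TRUNCATED))
    for label, sample in samples:
        result = assess_protocol_sections(sample)
        print(label, result["count"], result["findings"] or "matches the baseline")
```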

If the Netdiag test fails, or if you determined that there is Winsock corruption by looking
at Msinfo32, you must repair the Winsock2 key by using the steps in the next section.

Manual steps to recover from Winsock2 corruption

Windows XP with Service Pack 2 instructions


To repair Winsock if you have Windows XP Service Pack 2 (SP2) installed, type netsh
winsock reset at the command prompt, and then press ENTER.

Note Restart the computer after you run this command. Additionally, for computers that
are running Windows XP SP2, there is a new netsh command that can rebuild the
Winsock key. For more information, visit the following Web site:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx

Warning Programs that access or monitor the Internet such as antivirus, firewall, or
proxy clients may be negatively affected when you run the netsh winsock reset
command. If you have a program that no longer functions correctly after you use this
resolution, reinstall the program to restore functionality.

Note If these steps do not resolve the problem, follow the steps in the next section.

Windows XP without Service Pack 2 instructions


To repair Winsock if you do not have Windows XP SP2 installed, delete the corrupted
registry keys, and then reinstall the TCP/IP protocol.

Step 1: Delete the corrupted registry keys

Warning Serious problems might occur if you modify the registry incorrectly by using
Registry Editor or by using another method. These problems might require that you
reinstall your operating system. Microsoft cannot guarantee that these problems can be
solved. Modify the registry at your own risk.

For more information about how to back up the registry, click the following article
number to view the article in the Microsoft Knowledge Base:

322756 How to back up, edit, and restore the registry in Windows XP and Windows
Server 2003

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. In Registry Editor, locate the following keys, right-click each key, and then click
Delete:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
4. When you are prompted to confirm the deletion, click Yes.

Note Restart the computer after you delete the Winsock keys. Doing so causes the
Windows XP operating system to create new shell entries for those two keys. If you do
not restart the computer after you delete the Winsock keys, the next step does not work
correctly.

Step 2: Install TCP/IP

1. Right-click the network connection, and then click Properties.
2. Click Install.
3. Click Protocol, and then click Add.
4. Click Have Disk.
5. Type C:\Windows\inf, and then click OK.
6. On the list of available protocols, click Internet Protocol (TCP/IP), and then
click OK.

If Internet Protocol (TCP/IP) does not appear, follow these steps:


a. Click Start, and then click Search.
b. In the Search Companion pane, click More advanced options.
c. Click to select the following three check boxes:
• Search system folders
• Search hidden files and folders
• Search subfolders
d. In the All or part of the file name box, type nettcpip.inf, and then click
Search.
e. In the results pane, right-click Nettcpip.inf, and then click Install.
7. Restart the computer.

APPLIES TO
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
