1.4 Network Tools

Upload: nishasaiyed2304

Post on 02-Apr-2018


  • 7/27/2019 1.4.Network Tools

    1/51

    Network Tools

    ifconfig
    arp
    ping
    route
    traceroute
    netcat
    tcpdump
    Wireshark

  • 2/51

    Ifconfig

    Network configuration and status

    ifconfig                      status of all network interfaces
    ifconfig eth0                 status of ethernet 0 connection
    ifconfig eth0 down            shuts ethernet 0 down
    ifconfig eth0 up              starts ethernet 0
    ifconfig eth0 172.16.13.97    assigns IP address to ethernet 0
    man ifconfig                  more info

  • 3/51

    ifconfig output

    eth1      Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
              inet addr:140.211.110.121  Bcast:140.211.110.255  Mask:255.255.255.0
              inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
              TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
              collisions:11 txqueuelen:1000
              RX bytes:1329231 (1.2 MiB)  TX bytes:45872 (44.7 KiB)
              Interrupt:3 Base address:0x100

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:157 errors:0 dropped:0 overruns:0 frame:0
              TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)

  • 4/51

    ipconfig (Win)

    Network configuration and status

    ipconfig          brief status of all network interfaces
    ipconfig -All     complete status of all network interfaces
    ipconfig -?       more info

  • 5/51

    ipconfig (Win)

  • 6/51

    ipconfig Output (Win)

  • 7/51

    arp

    Modify or extract arp cache


  • 8/51

    Arp Example

    arp

    Address             HWtype  HWaddress           Flags Mask  Iface
    BBCisco-91.sou.edu  ether   00:30:F2:C9:A0:B8   C           eth0

  • 9/51

    Arp (Win)

  • 10/51

    Arp Example (Win)

  • 11/51

    ping

    Sends ICMP echo request
      Type = 8 echo request, 0 echo reply
      Code = 0
      Payload: as sent by the requester, returned by the reply

    Linux: an echo request is sent after each reply until terminated with ctrl-c;
    summary statistics are then calculated

  • 12/51

    ping options

    Options:

    -c xx Number of requests to send

    -Q x Type of service

    -s xxx Size of payload

    -b Broadcast

    -t xxx Set ttl to xxx

  • 13/51

    Ping Example

    Used to test network connections

    Used to test network speeds

    Used in DDoS attacks

    [squirrel@somewhere]# ping 172.16.13.50 -c 5 -s 1000
    PING 172.16.13.50 (172.16.13.50) from 140.211.91.82 : 1000(1024) bytes of data.
    1008 bytes from 172.16.13.50: icmp_seq=1 ttl=255 time=0.459 ms
    1008 bytes from 172.16.13.50: icmp_seq=2 ttl=255 time=0.441 ms
    1008 bytes from 172.16.13.50: icmp_seq=3 ttl=255 time=0.432 ms
    1008 bytes from 172.16.13.50: icmp_seq=4 ttl=255 time=0.402 ms
    1008 bytes from 172.16.13.50: icmp_seq=5 ttl=255 time=0.388 ms

    --- 172.16.13.50 ping statistics ---
    5 packets transmitted, 5 received, 0% loss, time 4000ms
    rtt min/avg/max/mdev = 0.388/0.424/0.459/0.031 ms

  • 14/51

    ping options (Win)

  • 15/51

    ping Example (Win)

  • 16/51

    route

    Configure or report status of host's routing table

    route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

  • 17/51

    route Options(Win)

  • 18/51

    route Options (Win) (continued)

  • 19/51

    route Example (Win)

  • 20/51

    traceroute host_name

    Determines connectivity to a remote host
    Uses UDP

    Options
    -f  set initial ttl
    -F  set don't fragment bit
    -I  use ICMP echo request instead of UDP
    -t  set type of service
    -v  verbose output

  • 21/51

    traceroute Example

    traceroute www.f-prot.com

     1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
     2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
     3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
     4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
     5  corv-car1-gw.nero.net (207.98.64.193)  20.046 ms  20.204 ms  21.661 ms
     6  ptld-core1-gw.nero.net (207.98.64.21)  21.631 ms  18.890 ms  31.521 ms
     7  ptld-core2-gw.nero.net (207.98.64.177)  18.932 ms  28.446 ms  23.135 ms
     8  ptck-core1-gw.nero.net (207.98.64.10)  19.978 ms  18.329 ms  30.266 ms
     9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
    10  ge-4-0-1.mp1.Seattle1.level3.net (209.247.9.61)  25.033 ms  28.164 ms  28.482 ms
    11  gig11-1.hsa1.Seattle1.level3.net (209.247.9.46)  19.209 ms  44.756 ms  22.834 ms
    12  core1.Seattle.Teleglobe.net (209.0.227.142)  54.156 ms  62.715 ms  34.783 ms
    13  if-13-0.core2.Sacramento.Teleglobe.net (64.86.83.193)  45.352 ms  50.686 ms  47.254 ms
    14  if-1-0.core2.Sacramento.Teleglobe.net (64.86.83.222)  46.497 ms  62.374 ms  75.823 ms
    15  if-9-0.core2.Chicago3.Teleglobe.net (64.86.83.137)  98.147 ms  98.298 ms  103.634 ms
    16  if-2-0.core3.NewYork.Teleglobe.net (64.86.83.218)  97.669 ms  103.466 ms  100.087 ms
    17  if-10-0.core1.NewYork.Teleglobe.net (66.110.8.133)  97.588 ms  103.310 ms  100.475 ms
    18  if-5-0-0.bb6.NewYork.teleglobe.net (207.45.221.104)  179.906 ms  101.384 ms  187.031 ms
    19  ix-1-0-1.bb6.NewYork.Teleglobe.net (207.45.205.114)  163.676 ms  162.706 ms  165.844 ms
    20  MultiGigabit-13.backbone-hofdab1.linanet.is (62.145.129.187)  166.070 ms  164.363 ms  176.033 ms
    21  gigabit-1-1.skulagata.linanet.is (213.220.64.7)  167.057 ms  180.174 ms  191.346 ms
    22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  *  163.602 ms !X

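The lab at the end of the deck asks for the route and the latency added by the major routers. The following parser is an added example, not code from the slides: it reads traceroute output of the form shown above, copes with the two irregular lines the example contains (hop 4, answered by two different router addresses, and hop 22, with a lost probe "*" and "!X" annotations), and reports the mean RTT increase from one answering hop to the next. The sample text is a constructed, abridged copy of the slide's output.

```python
import re
from statistics import mean

# Constructed sample: hops from the traceroute on the slide (abridged), keeping
# the two awkward cases it shows: a hop answered by two different routers
# (hop 4) and a hop with a lost probe ("*") and "!X" annotations (hop 22).
SAMPLE_TRACEROUTE = """\
 1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
 2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
 3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
 4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
 5  corv-car1-gw.nero.net (207.98.64.193)  20.046 ms  20.204 ms  21.661 ms
 9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  *  163.602 ms !X
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")
ANNOT_RE = re.compile(r"!\w+")   # e.g. !X (administratively prohibited), !H (host unreachable)


def parse_traceroute(text: str) -> list:
    """One dict per hop: number, responding hosts, RTTs, lost probes, annotations, mean RTT."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(body)]
        hops.append({
            "hop": int(m.group(1)),
            "hosts": [f"{name} ({ip})" for name, ip in HOST_RE.findall(body)],
            "rtts_ms": rtts,
            "lost": body.split().count("*"),
            "annotations": sorted(set(ANNOT_RE.findall(body))),
            "avg_ms": mean(rtts) if rtts else None,   # None when every probe was lost
        })
    return hops


def hop_deltas(hops: list) -> list:
    """(hop, mean RTT increase over the previous answering hop) in ms: the latency
    attributable to each router. Hops that answered nothing are skipped."""
    deltas, prev = [], None
    for h in hops:
        if h["avg_ms"] is None:
            continue
        if prev is not None:
            deltas.append((h["hop"], round(h["avg_ms"] - prev, 3)))
        prev = h["avg_ms"]
    return deltas


if __name__ == "__main__":
    for hop, delta in hop_deltas(parse_traceroute(SAMPLE_TRACEROUTE)):
        print(f"hop {hop:2d}: {delta:+8.3f} ms over previous hop")
```

Per-hop deltas can be negative (hop 2 above answers faster than hop 1), which is normal: each hop's RTT is measured by separate probes, and routers often de-prioritise the ICMP replies they generate themselves.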
  • 22/51

    tracert Usage (Win)

  • 23/51

    tracert Example (Win)

  • 25/51

    whois Usage (Win)

    Whois IP [Address] - Also works

  • 26/51

    whois Example (Win)

  • 27/51

    netstat Example

    Show the status of all network connections

    Shows all listening ports

  • 28/51

    Netstat - linux

  • 29/51

    netstat Example

  • 30/51

    netstat (Win)

  • 31/51

    netstat Example (Win)

  • 32/51

    tcpdump

    Packet sniffer

    Installed with Linux; commonly used

    Its capture files are often used as the data source for GUI front ends such as Wireshark

  • 33/51

    tcpdump Syntax

    Syntax: tcpdump [options] -i <interface> -w <dump file>

    tcpdump -c 1000 -i eth0 -w eth0.dmp

  • 34/51

    tcpdump Options

    -n            do not convert host addresses to names
    -nn           do not convert protocols and ports to names
    -i ethn       listen on interface eth0, eth1, eth2 ...
    -c xx         exit after xx packets
    -e            print link level info
    -r file_name  read packets from file file_name
    -v            slightly verbose
    -vv           verbose
    -vvv          very verbose
    -w file_name  write packets to file file_name
    -x            write packets in hex
    -X            write packets in hex and ASCII
    -S            write absolute sequence and acknowledgment numbers

  • 35/51

    tcpdump Example

    16:31:47.114550 172.16.13.3.1127 > 172.16.13.50.21: S [tcp sum ok] 10580321:10580321(0) win 8192 (DF) (ttl 128, id 6487, len 48)
    0x0000 4500 0030 1957 4000 8006 6f1b ac10 0d03  E..0.W@...o.....
    0x0010 ac10 0d32 0467 0015 00a1 7161 0000 0000  ...2.g....qa....
    0x0020 7002 2000 7a4b 0000 0204 05b4 0101 0402  p...zK..........
    16:31:47.114784 172.16.13.50.21 > 172.16.13.3.1127: S [tcp sum ok] 378086426:378086426(0) ack 10580322 win 32120 (DF) (ttl 64, id 4418, len 48)
    0x0000 4500 0030 1142 4000 4006 b730 ac10 0d32  E..0.B@.@..0...2
    0x0010 ac10 0d03 0015 0467 1689 241a 00a1 7162  .......g..$...qb
    0x0020 7012 7d78 e21e 0000 0204 05b4 0101 0402  p.}x............
    16:31:47.114932 172.16.13.3.1127 > 172.16.13.50.21: . [tcp sum ok] ack 378086427 win 8760 (DF) (ttl 128, id 6743, len 40)
    0x0000 4500 0028 1a57 4000 8006 6e23 ac10 0d03  E..(.W@...n#....
    0x0010 ac10 0d32 0467 0015 00a1 7162 1689 241b  ...2.g....qb..$.
    0x0020 5010 2238 6a23 0000 0000 0000 0000       P."8j#........
    16:31:50.144368 172.16.13.50.21 > 172.16.13.3.1127: P 378086427:378086510(83) ack 10580322 win 32120 (DF) [tos 0x10] (ttl 64, id 4443, len 123)
    0x0000 4510 007b 115b 4000 4006 b6bc ac10 0d32  E..{.[@.@......2
    0x0010 ac10 0d03 0015 0467 1689 241b 00a1 7162  .......g..$...qb
    0x0020 5018 7d78 f978 0000 3232 3020 5369 7379  P.}x.x..220.Sisy
    0x0030 7068 7573 2046 5450 2073 6572 7665 7220  phus.FTP.server.
    0x0040 2856 6572 7369 6f6e 2077 752d 322e 362e  (Version.wu-2.6.
    0x0050 3028                                     0(

  • 36/51

    tcpdump Output

    16:32:01.569837 172.16.13.50.21 > 172.16.13.3.1127: F [tcp sum ok] 378086579:378086579(0) ack 10580352 win 32120 (DF) [tos 0x10] (ttl 64, id 4449, len 40)

    Field by field:
    16:32:01.569837            time of packet
    172.16.13.50.21            source IP address.port
    172.16.13.3.1127           destination IP address.port
    F                          TCP flags
    [tcp sum ok]               protocol checksum
    378086579:378086579(0)     sequence number, beginning:ending (difference)
    ack 10580352               acknowledgment number
    win 32120                  window
    (DF)                       don't fragment
    [tos 0x10]                 type of service
    (ttl 64, id 4449, len 40)  IP datagram ttl, id and length

  • 37/51

    Wireshark

    User-friendly GUI front end for tcpdump

  • 47/51

    netcat

    Read & write UDP/TCP data (http://www.atstake.com/research/tools/)

    Useful to test networks and performance

  • 48/51

    netcat

    Copies data across network connections.

    Uses UDP or TCP.

    Reliable and robust.

    Used directly at the command level.

    Can be driven by other programs and scripts.

    Very useful in forensic capture of a live system.

    Simple paradigm:
      On the remote collecting system open a listening port.
      On the current/compromised system pipe data to the remote system.
      Connection is closed automatically after data transfer has completed.

  • 49/51

    netcat Usage

    Remote logging system:
    # nc -l -p 8888 > date_started
      -l  listen mode
      -p  port number
      Pipes the data from the connection to the file date_started

    Possibly compromised system:
    F:\> tools\date.exe | tools\nc.exe 192.168.1.100 8888 -w 3
      -w 3  times out in 3 seconds
      Uses the uncorrupted date binary from the forensics USB/CD-ROM.
      Uses the uncorrupted nc binary from the forensics USB/CD-ROM.
      Sends the output to 192.168.1.100 port 8888

  • 50/51

    netcat Usage

    Log the start of the data collection.
    (Remote)   C:\> Case\nc.exe -l -p 8888 > date_started
    (Corrupt)  F:\> tools\date | tools\nc.exe 192.168.1.100 8888 -w 3

    Get network status.
    (Remote)   C:\> Case\nc.exe -l -p 8888 > netstat.doc
    (Corrupt)  F:\> tools\netstat | tools\nc.exe 192.168.1.100 8888 -w 3
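The collection paradigm on the three netcat slides above (listener on the remote system writes to a file; the suspect system pipes a command's output into a connection that closes when the data is done) can be reproduced with plain sockets. The following is an added example, not the slides' or netcat's code: the listener plays the part of "nc -l -p PORT > file", the sender plays "command | nc HOST PORT -w 3", and both run on the loopback interface so the round trip works offline. As a defender's addition the listener records the SHA-256 of the bytes it received, so the evidence file can later be shown to be the same data that arrived. The "date" output being sent is a constructed stand-in, not real command output.

```python
import hashlib
import socket
import tempfile
import threading
from pathlib import Path

FAKE_DATE_OUTPUT = b"Sat Jul 27 16:31:47 PDT 2019\r\n"   # constructed stand-in for date.exe output


def start_listener(out_path: Path, timeout: float = 5.0):
    """Equivalent of 'nc -l -p PORT > out_path' on 127.0.0.1.
    Returns (port, thread, result); result is filled in when the transfer ends."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: the OS picks a free port
    srv.listen(1)
    srv.settimeout(timeout)
    result = {}

    def run():
        try:
            conn, _peer = srv.accept()
        except socket.timeout:
            result["error"] = "no connection within timeout"
            return
        finally:
            srv.close()               # one connection only, like nc -l
        digest = hashlib.sha256()
        with conn, out_path.open("wb") as fh:
            conn.settimeout(timeout)
            while True:
                chunk = conn.recv(4096)
                if not chunk:         # peer closed its side: data transfer complete
                    break
                fh.write(chunk)
                digest.update(chunk)
        result["sha256"] = digest.hexdigest()
        result["bytes"] = out_path.stat().st_size

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, result


def send_output(host: str, port: int, data: bytes, timeout: float = 3.0) -> int:
    """Equivalent of 'command | nc HOST PORT -w 3': stream the bytes, then close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)    # end of data, as nc does when its stdin closes
    return len(data)


def collect(data: bytes, filename: str = "date_started") -> dict:
    """One listener/sender round trip; returns what the listener recorded plus a
    comparison of its hash against the hash of the bytes that were sent."""
    out = Path(tempfile.mkdtemp()) / filename
    port, thread, result = start_listener(out)
    result["sent"] = send_output("127.0.0.1", port, data)
    thread.join(10)
    result["matches_local_hash"] = result.get("sha256") == hashlib.sha256(data).hexdigest()
    result["path"] = str(out)
    return result


if __name__ == "__main__":
    print(collect(FAKE_DATE_OUTPUT))
```

The hash computed on the collecting side is the value to write into the case notes: the suspect machine cannot be trusted to hash anything, so the integrity record is produced where the data lands, not where it originates.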

  • 51/51

    Computer Security II: Lab 2

    Use traceroute to trace a connection to either www.f-prot.com or www.fsecure.com. Describe the route and calculate some of the latencies through the major routers.

    Using the host command find the owner of ftp.osuosl.org. Are there any other IP addresses that belong to Apple?

    Set up Wireshark to capture only packets to and from your workstation. Set it in capture mode. In a terminal window connect to ftp.osuosl.org:

    ftp
    open ftp.osuosl.org
    User name: password
    Password:
    ls
    close
    quit

    Using the Wireshark capture function draw a diagram of the connection packets together with the sequence and acknowledge numbers. Check the arithmetic to make sure the connections are correct.

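The last lab step, checking that the sequence and acknowledgment numbers of a captured connection add up, is mechanical enough to script. The following checker is an added example, not part of the lab handout: each segment is a (source, destination, flags, seq, payload length, ack) tuple, and the checker confirms that every acknowledgment equals the peer's last sequence number plus the bytes it sent, counting SYN and FIN as one byte each. The sample segments are the handshake and first data segment from the tcpdump example earlier in the deck; the deliberately wrong segment in the usage check is constructed.

```python
# Taken from the tcpdump example on the slides: SYN, SYN/ACK, ACK, then the
# server's 83-byte FTP banner. (src, dst, flags, seq, payload_len, ack); ack is
# None when the ACK bit is not set.
HANDSHAKE = [
    ("172.16.13.3.1127", "172.16.13.50.21", "S", 10580321, 0, None),
    ("172.16.13.50.21", "172.16.13.3.1127", "S", 378086426, 0, 10580322),
    ("172.16.13.3.1127", "172.16.13.50.21", ".", 10580322, 0, 378086427),
    ("172.16.13.50.21", "172.16.13.3.1127", "P", 378086427, 83, 10580322),
]


def next_expected(segments: list) -> dict:
    """Per sender, the sequence number the peer must acknowledge next:
    seq + payload bytes, plus one for SYN and one for FIN."""
    nxt = {}
    for src, _dst, flags, seq, plen, _ack in segments:
        nxt[src] = seq + plen + ("S" in flags) + ("F" in flags)
    return nxt


def check_sequence(segments: list) -> list:
    """Return (index, field, expected, observed) for every inconsistency; [] when the trace adds up."""
    nxt, problems = {}, []
    for i, (src, dst, flags, seq, plen, ack) in enumerate(segments):
        if src in nxt and seq != nxt[src]:            # sender skipped or repeated bytes
            problems.append((i, "seq", nxt[src], seq))
        if ack is not None and ack != nxt.get(dst):   # ack must match what the peer has sent
            problems.append((i, "ack", nxt.get(dst), ack))
        nxt[src] = seq + plen + ("S" in flags) + ("F" in flags)
    return problems


def ladder(segments: list) -> str:
    """Text form of the diagram the lab asks for: client on the left, server on the right."""
    client = segments[0][0]
    rows = []
    for src, _dst, flags, seq, plen, ack in segments:
        arrow = "--->" if src == client else "<---"
        ack_txt = f" ack {ack}" if ack is not None else ""
        rows.append(f"{arrow} {flags} {seq}:{seq + plen}({plen}){ack_txt}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(ladder(HANDSHAKE))
    print("problems:", check_sequence(HANDSHAKE))
    # Constructed bad segment: the client acknowledges one byte short of the banner.
    print("problems:", check_sequence(HANDSHAKE + [
        ("172.16.13.3.1127", "172.16.13.50.21", ".", 10580322, 0, 378086509)]))
```

Retransmissions and out-of-order delivery show up as "seq" problems rather than "ack" problems, so a capture of a lossy link will not come out clean even when the endpoints are behaving; the checker's job is to point at the first segment whose numbers need explaining.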