1.4 Network Tools
-
7/27/2019 1.4.Network Tools
1/51
Network Tools
ifconfig
arp
ping
route
traceroute
netcat
tcpdump
Wireshark
-
ifconfig
Network configuration and status
ifconfig                       status of all network interfaces
ifconfig eth0                  status of the ethernet 0 connection
ifconfig eth0 down             shuts ethernet 0 down
ifconfig eth0 up               starts ethernet 0
ifconfig eth0 172.16.13.97     assigns an IP address to ethernet 0
man ifconfig                   more info
-
ifconfig output
eth1      Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
          inet addr:140.211.110.121  Bcast:140.211.110.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11 txqueuelen:1000
          RX bytes:1329231 (1.2 MiB)  TX bytes:45872 (44.7 KiB)
          Interrupt:3 Base address:0x100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)
-
ipconfig (Win)
Network configuration and status
ipconfig          brief status of all network interfaces
ipconfig -All     complete status of all network interfaces
ipconfig -?       more info
-
ipconfig (Win)
-
ipconfig Output (Win)
-
arp
Modify or extract the ARP cache
arp
Address               HWtype  HWaddress           Flags Mask  Iface
BBCisco-91.sou.edu    ether   00:30:F2:C9:A0:B8   C           eth0
-
Arp (Win)
-
Arp Example (Win)
-
ping
Sends an ICMP echo request
  Type = 8   echo request
  Type = 0   echo reply
  Code = 0
  Payload: as sent by the requester, returned unchanged by the reply
Linux: an echo request is sent after each reply until terminated with Ctrl-C; summary statistics are then calculated.
-
ping options
Options:
-c xx Number of requests to send
-Q x Type of service
-s xxx Size of payload
-b Broadcast
-t xxx Set ttl to xxx
-
Ping Example
Used to test network connections
Used to test network speeds
Used in DDoS attacks
[squirrel@somewhere]# ping 172.16.13.50 -c 5 -s 1000
PING 172.16.13.50 (172.16.13.50) from 140.211.91.82 : 1000(1024) bytes of data.
1008 bytes from 172.16.13.50: icmp_seq=1 ttl=255 time=0.459 ms
1008 bytes from 172.16.13.50: icmp_seq=2 ttl=255 time=0.441 ms
1008 bytes from 172.16.13.50: icmp_seq=3 ttl=255 time=0.432 ms
1008 bytes from 172.16.13.50: icmp_seq=4 ttl=255 time=0.402 ms
1008 bytes from 172.16.13.50: icmp_seq=5 ttl=255 time=0.388 ms

--- 172.16.13.50 ping statistics ---
5 packets transmitted, 5 received, 0% loss, time 4000ms
rtt min/avg/max/mdev = 0.388/0.424/0.459/0.031 ms
-
ping options (Win)
-
ping Example (Win)
-
route
Configure or report the status of the host's routing table
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
-
route Options(Win)
-
route Options(Win)(continued)
-
route Example (Win)
-
traceroute host_name
Determines connectivity to a remote host
Uses UDP
Options:
  -f   set initial ttl
  -F   set the don't fragment bit
  -I   use ICMP echo request instead of UDP
  -t   set type of service
  -v   verbose output
-
traceroute Example
traceroute www.f-prot.com
 1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
 2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
 3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
 4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
 5  corv-car1-gw.nero.net (207.98.64.193)  20.046 ms  20.204 ms  21.661 ms
 6  ptld-core1-gw.nero.net (207.98.64.21)  21.631 ms  18.890 ms  31.521 ms
 7  ptld-core2-gw.nero.net (207.98.64.177)  18.932 ms  28.446 ms  23.135 ms
 8  ptck-core1-gw.nero.net (207.98.64.10)  19.978 ms  18.329 ms  30.266 ms
 9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
10  ge-4-0-1.mp1.Seattle1.level3.net (209.247.9.61)  25.033 ms  28.164 ms  28.482 ms
11  gig11-1.hsa1.Seattle1.level3.net (209.247.9.46)  19.209 ms  44.756 ms  22.834 ms
12  core1.Seattle.Teleglobe.net (209.0.227.142)  54.156 ms  62.715 ms  34.783 ms
13  if-13-0.core2.Sacramento.Teleglobe.net (64.86.83.193)  45.352 ms  50.686 ms  47.254 ms
14  if-1-0.core2.Sacramento.Teleglobe.net (64.86.83.222)  46.497 ms  62.374 ms  75.823 ms
15  if-9-0.core2.Chicago3.Teleglobe.net (64.86.83.137)  98.147 ms  98.298 ms  103.634 ms
16  if-2-0.core3.NewYork.Teleglobe.net (64.86.83.218)  97.669 ms  103.466 ms  100.087 ms
17  if-10-0.core1.NewYork.Teleglobe.net (66.110.8.133)  97.588 ms  103.310 ms  100.475 ms
18  if-5-0-0.bb6.NewYork.teleglobe.net (207.45.221.104)  179.906 ms  101.384 ms  187.031 ms
19  ix-1-0-1.bb6.NewYork.Teleglobe.net (207.45.205.114)  163.676 ms  162.706 ms  165.844 ms
20  MultiGigabit-13.backbone-hofdab1.linanet.is (62.145.129.187)  166.070 ms  164.363 ms  176.033 ms
21  gigabit-1-1.skulagata.linanet.is (213.220.64.7)  167.057 ms  180.174 ms  191.346 ms
22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  *  163.602 ms !X
-
tracert Usage (Win)
-
tracert Example (Win)
-
whois Usage (Win)
whois [IP address] also works
-
whois Example (Win)
-
netstat Example
Show the status of all network connections
Shows all listening ports
-
Netstat - linux
-
netstat Example
-
netstat (Win)
-
netstat Example (Win)
-
tcpdump
Packet sniffer
Installed with Linux; commonly used
Its dump files are often used as the data file for GUI backends
-
tcpdump Syntax
Syntax: tcpdump [options] -i <interface> -w <dump file>
tcpdump -c 1000 -i eth0 -w eth0.dmp
-
tcpdump Options
-n             do not convert host addresses to names
-nn            do not convert protocols and ports to names
-i ethn        listen on interface eth0, eth1, eth2, ...
-c xx          exit after xx packets
-e             print link-level info
-r file_name   read packets from file file_name
-v             slightly verbose
-vv            verbose
-vvv           very verbose
-w file_name   write packets to file file_name
-x             print packets in hex
-X             print packets in hex and ASCII
-S             print absolute sequence and acknowledgment numbers
-
tcpdump Example
16:31:47.114550 172.16.13.3.1127 > 172.16.13.50.21: S [tcp sum ok] 10580321:10580321(0) win 8192 (DF) (ttl 128, id 6487, len 48)
0x0000   4500 0030 1957 4000 8006 6f1b ac10 0d03   E..0.W@..o......
0x0010   ac10 0d32 0467 0015 00a1 7161 0000 0000   ...2.g....qa....
0x0020   7002 2000 7a4b 0000 0204 05b4 0101 0402   p...zK..........
16:31:47.114784 172.16.13.50.21 > 172.16.13.3.1127: S [tcp sum ok] 378086426:378086426(0) ack 10580322 win 32120 (DF) (ttl 64, id 4418, len 48)
0x0000   4500 0030 1142 4000 4006 b730 ac10 0d32   E..0.B@.@..0...2
0x0010   ac10 0d03 0015 0467 1689 241a 00a1 7162   .......g..$...qb
0x0020   7012 7d78 e21e 0000 0204 05b4 0101 0402   p.}x............
16:31:47.114932 172.16.13.3.1127 > 172.16.13.50.21: . [tcp sum ok] ack 378086427 win 8760 (DF) (ttl 128, id 6743, len 40)
0x0000   4500 0028 1a57 4000 8006 6e23 ac10 0d03   E..(.W@...n#....
0x0010   ac10 0d32 0467 0015 00a1 7162 1689 241b   ...2.g....qb..$.
0x0020   5010 2238 6a23 0000 0000 0000 0000        P."8j#........
16:31:50.144368 172.16.13.50.21 > 172.16.13.3.1127: P 378086427:378086510(83) ack 10580322 win 32120 (DF) [tos 0x10] (ttl 64, id 4443, len 123)
0x0000   4510 007b 115b 4000 4006 b6bc ac10 0d32   E..{.[@.@......2
0x0010   ac10 0d03 0015 0467 1689 241b 00a1 7162   .......g..$...qb
0x0020   5018 7d78 f978 0000 3232 3020 5369 7379   P.}x.x..220.Sisy
0x0030   7068 7573 2046 5450 2073 6572 7665 7220   phus.FTP.server.
0x0040   2856 6572 7369 6f6e 2077 752d 322e 362e   (Version.wu-2.6.
0x0050   3028                                      0(
-
tcpdump Output
16:32:01.569837 172.16.13.50.21 > 172.16.13.3.1127: F [tcp sum ok] 378086579:378086579(0) ack 10580352 win 32120 (DF) [tos 0x10] (ttl 64, id 4449, len 40)
  16:32:01.569837            time of packet
  172.16.13.50.21            source IP address.port
  172.16.13.3.1127           destination IP address.port
  F                          flags
  [tcp sum ok]               protocol checksum
  378086579:378086579(0)     sequence number, beginning:ending (difference = bytes of data)
  ack 10580352               acknowledgment number
  win 32120                  window
  (DF)                       don't fragment
  [tos 0x10]                 type of service
  (ttl 64, id 4449, len 40)  IP datagram ttl, id and length
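As an added example (editor's code, not from the slides), the following Python decodes the raw IP/TCP headers behind the summary line above and performs the sequence/acknowledgment check that Lab 2 asks for, using the three handshake packets transcribed from the tcpdump example slide as constructed input. Function names are the editor's own.

```python
import struct

# Constructed input: the three handshake packets from the tcpdump example slide,
# transcribed from its hex columns (trailing zeros on the third are Ethernet padding).
HANDSHAKE_HEX = [
    "4500 0030 1957 4000 8006 6f1b ac10 0d03 ac10 0d32 0467 0015 00a1 7161 0000 0000"
    " 7002 2000 7a4b 0000 0204 05b4 0101 0402",
    "4500 0030 1142 4000 4006 b730 ac10 0d32 ac10 0d03 0015 0467 1689 241a 00a1 7162"
    " 7012 7d78 e21e 0000 0204 05b4 0101 0402",
    "4500 0028 1a57 4000 8006 6e23 ac10 0d03 ac10 0d32 0467 0015 00a1 7162 1689 241b"
    " 5010 2238 6a23 0000 0000 0000 0000",
]

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; a header carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_tcp(raw: bytes) -> dict:
    """Decode the IP and TCP header fields that tcpdump's summary line prints."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4
    return {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "sport": sport, "dport": dport, "ttl": ttl, "id": ident, "len": total_len,
            "tos": tos, "df": bool(frag & 0x4000), "win": win, "seq": seq, "ack": ack,
            "syn": bool(off_flags & 0x02), "ack_flag": bool(off_flags & 0x10),
            "payload_len": total_len - ihl - data_off,
            "ip_csum_ok": ones_complement_sum(raw[:ihl]) == 0}

def check_handshake(hex_packets) -> dict:
    """Verify the seq/ack arithmetic of a SYN, SYN-ACK, ACK exchange (the lab's check)."""
    syn, synack, ack = [parse_ipv4_tcp(bytes.fromhex(h)) for h in hex_packets]
    m = 0xFFFFFFFF  # sequence numbers wrap modulo 2**32
    valid = (all(p["ip_csum_ok"] and p["payload_len"] == 0 for p in (syn, synack, ack))
             and syn["syn"] and not syn["ack_flag"]
             and synack["syn"] and synack["ack_flag"]
             and synack["ack"] == (syn["seq"] + 1) & m  # a SYN consumes one sequence number
             and (synack["src"], synack["sport"]) == (syn["dst"], syn["dport"])
             and ack["ack_flag"] and not ack["syn"]
             and ack["seq"] == (syn["seq"] + 1) & m and ack["ack"] == (synack["seq"] + 1) & m)
    return {"client_isn": syn["seq"], "server_isn": synack["seq"], "valid": valid}
```

The decoded values (ttl 128, id 6487, win 8192, seq 10580321, server seq 378086426) are the same numbers tcpdump printed in its summary lines.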
-
Wireshark
User-friendly GUI backend for tcpdump
-
netcat
Read & write UDP/TCP data
http://www.atstake.com/research/tools/
Useful to test networks and performance
-
netcat
Copies data across network connections.
Uses UDP or TCP.
Reliable and robust.
Used directly at the command level.
Can be driven by other programs and scripts.
Very useful in forensic capture of a live system.
Simple paradigm:
  On the remote collecting system, open a listening port.
  On the current/compromised system, pipe data to the remote system.
  The connection is closed automatically after the data transfer has completed.
-
netcat Usage
Remote logging system:
# nc -l -p 8888 > date_started
  -l   listen mode
  -p   port number
  Pipes the data from the connection to the file date_started
Possibly compromised system:
F:\>tools\date.exe | tools\nc.exe 192.168.1.100 8888 -w 3
  -w 3   times out after 3 seconds
  Uses the uncorrupted date binary from the forensics USB/CDROM.
  Uses the uncorrupted nc binary from the forensics USB/CDROM.
  Sends the output to 192.168.1.100 port 8888
-
netcat Usage
Log the start of the data collection:
  (Remote)   C:\>Case\nc.exe -l -p 8888 > date_started
  (Corrupt)  F:\>tools\date | tools\nc.exe 192.168.1.100 8888 -w 3
Get network status:
  (Remote)   C:\>Case\nc.exe -l -p 8888 > netstat.doc
  (Corrupt)  F:\>tools\netstat | tools\nc.exe 192.168.1.100 8888 -w 3
-
Computer Security II: Lab 2
Use traceroute to trace a connection to either www.f-prot.com or www.fsecure.com. Describe the route and calculate some of the latencies through the major routers.
Using the host command, find the owner of ftp.osuosl.org. Are there any other IP addresses that belong to Apple?
Set up Wireshark to capture only packets to and from your workstation. Set it in capture mode. In a terminal window connect to ftp.osuosl.org:
  ftp
  open ftp.osuosl.org
  User name: password
  Password:
  ls
  close
  quit
Using the Wireshark capture function, draw a diagram of the connection packets together with the sequence and acknowledgment numbers. Check the arithmetic to make sure the connections are correct.