Ifconfig
arp
ping
route
traceroute
netcat
tcpdump
Wireshark
Ifconfig
Network configuration and status

ifconfig                      status of all network interfaces
ifconfig eth0                 status of the ethernet 0 connection
ifconfig eth0 down            shuts ethernet 0 down
ifconfig eth0 up              starts ethernet 0
ifconfig eth0 172.16.13.97    assigns an IP address to ethernet 0
man ifconfig                  more info

ifconfig output
(Slide shows sample ifconfig output for the eth1 and lo interfaces; the listing itself was not captured.)
ipconfig (Win)
Network configuration and status

ipconfig         brief status of all network interfaces
ipconfig -All    complete status of all network interfaces
ipconfig -?      more info

ipconfig (Win)
Ipconfig Output (Win)
(Slides show sample ipconfig output; the listing itself was not captured.)
arp
Modify or extract arp cache

arp
Address              HWtype  HWaddress          Flags Mask   Iface
BBCisco-91.sou.edu   ether   00:30:F2:C9:A0:B8  C                 eth0

Arp Example
(Repeats the arp output shown above.)

Arp (Win)
(Slide shows arp output on Windows; the listing itself was not captured.)
ping
Sends ICMP echo request
Type = 8 echo request
       0 echo reply
Code = 0
Payload - as sent by the requester, returned by the reply

ping options
Options:
-c xx
-Q x
-s xxx
-b
-t xxx
Ping Example
Used to test network connections
Used to test network speeds
Used in DDoS attacks

[quirrel@somewhere]# ping 172.16.13.50 -c 5 -s 1000
PING
1008
1008
1008
1008
1008
--- 172.16.13.50 ping statistics ---
5 packets transmitted, 5 received, 0% loss, time 4000ms
rtt min/avg/max/mdev = 0.388/0.424/0.459/0.031 ms

(The five reply lines were truncated on the slide; only the reply size survived. 1008 is the 1000-byte payload requested with -s plus the 8-byte ICMP header.)
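The echo exchange described on the ping slides (type 8 request, type 0 reply, code 0, payload echoed back unchanged), worked as an added Python example; this is not code from the slides. It builds the request that ping -s 1000 would send, builds the reply the target returns, and performs the match ping does before counting a reply, including rejecting a reply whose checksum no longer verifies. The identifier 0x1234 and the byte pattern in the payload are constructed values.

```python
import struct

ICMP_ECHO_REQUEST = 8   # Type = 8
ICMP_ECHO_REPLY = 0     # Type = 0
ICMP_HEADER_LEN = 8     # type, code, checksum, identifier, sequence number


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload):
    """What `ping -s N` sends: an 8-byte header followed by an N-byte payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(msg):
    """Split an ICMP message into its fields. checksum_ok is True when the
    checksum computed over the whole message (checksum field included) is zero."""
    if len(msg) < ICMP_HEADER_LEN:
        raise ValueError("short ICMP message")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:ICMP_HEADER_LEN])
    return {"type": typ, "code": code, "checksum": csum, "ident": ident,
            "seq": seq, "payload": msg[ICMP_HEADER_LEN:],
            "checksum_ok": inet_checksum(msg) == 0}


def build_echo_reply(request):
    """What the target host does: type 8 becomes type 0; code, identifier,
    sequence number and payload are sent back unchanged, checksum recomputed."""
    msg = parse_icmp(request)
    if msg["type"] != ICMP_ECHO_REQUEST or msg["code"] != 0:
        raise ValueError("not an echo request")
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, msg["ident"], msg["seq"])
    csum = inet_checksum(header + msg["payload"])
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, msg["ident"], msg["seq"]) + msg["payload"]


def reply_matches(request, reply):
    """The check ping makes before counting a reply: valid checksum, type 0,
    code 0, and the same identifier, sequence number and payload as the request."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["checksum_ok"] and rep["type"] == ICMP_ECHO_REPLY and rep["code"] == 0
            and (rep["ident"], rep["seq"], rep["payload"])
            == (req["ident"], req["seq"], req["payload"]))


if __name__ == "__main__":
    # Constructed payload: the 1000 bytes that `ping -s 1000` would carry.
    payload = bytes(i % 256 for i in range(1000))
    req = build_echo_request(ident=0x1234, seq=1, payload=payload)
    rep = build_echo_reply(req)
    print(len(req), "bytes on the wire: 1000 payload + 8 header")
    print("reply matches request:", reply_matches(req, rep))
```

Only the type byte and the checksum differ between request and reply, which is why a reply is matched on identifier, sequence number and payload rather than on anything the network adds.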
route
Configure or report status of host's routing table

route -n
Kernel IP routing table
Destination     Gateway         Genmask           Use Iface
192.168.0.0     0.0.0.0         255.255.255.0       0 vmnet8
127.0.0.0       0.0.0.0         255.0.0.0           0 lo
(The Flags, Metric and Ref columns of the listing were not captured.)

route Options (Win)
route Options (Win) (continued)
traceroute host_name
Determines connectivity to a remote host
Uses UDP
Options
-f
-F
-I
-t
-v

traceroute Example
traceroute www.f-prot.com
(The slide lists 22 hops; only the hop numbers 1 to 22 survived extraction, the router names and latencies did not.)
host
Forward and reverse DNS lookups

host www.f-prot.com
www.f-prot.com has address 213.220.100.1
www.f-prot.com has address 213.220.100.2
www.f-prot.com has address 213.220.100.3

host 213.220.100.3
3.100.220.213.in-addr.arpa domain name pointer aula.frisk-software.com.

whois Example (Win)
(Slide shows sample whois output; the listing itself was not captured.)
netstat Example
Show the status of all network connections
Shows all listening ports

Netstat - linux
(Slide shows sample Linux netstat output; the listing itself was not captured.)

netstat (Win)
(Slide shows sample Windows netstat output; the listing itself was not captured.)
tcpdump
Packet sniffer
Installed with Linux
Commonly used
Often used as the data file for GUI backends

tcpdump Syntax
Syntax:
tcpdump [options] -i <interface> -w <dump file>
tcpdump -c 1000 -i eth0 -w etho.dmp
tcpdump Options
-n
-nn
-i ethn
-c xx
-e
-f file_name
-v
-vv
-vvv
-w file_name
-x
-X
-S
tcpdump Example
16:31:47.114550 172.16.13.3.1127 > 172.16.13.50.21: S [tcp sum ok] 10580321:10580321(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 6487, len 48)
0x0000 4500 0030 1957 4000 8006 6f1b ac10 0d03    E..0.W@...o.....
0x0010 ac10 0d32 0467 0015 00a1 7161 0000 0000    ...2.g....qa....
0x0020 7002 2000 7a4b 0000 0204 05b4 0101 0402    p...zK..........
16:31:47.114784 172.16.13.50.21 > 172.16.13.3.1127: S [tcp sum ok] 378086426:378086426(0) ack 10580322 win 32120 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 4418, len 48)
0x0000 4500 0030 1142 4000 4006 b730 ac10 0d32    E..0.B@.@..0...2
0x0010 ac10 0d03 0015 0467 1689 241a 00a1 7162    .......g..$...qb
0x0020 7012 7d78 e21e 0000 0204 05b4 0101 0402    p.}x............
16:31:47.114932 172.16.13.3.1127 > 172.16.13.50.21: . [tcp sum ok] ack 378086427 win 8760 (DF) (ttl 128, id 6743, len 40)
0x0000 4500 0028 1a57 4000 8006 6e23 ac10 0d03    E..(.W@...n#....
0x0010 ac10 0d32 0467 0015 00a1 7162 1689 241b    ...2.g....qb..$.
0x0020 5010 2238 6a23 0000 0000 0000 0000         P."8j#........
16:31:50.144368 172.16.13.50.21 > 172.16.13.3.1127: P 378086427:378086510(83) ack 10580322 win 32120 (DF) [tos 0x10] (ttl 64, id 4443, len 123)
0x0000 4510 007b 115b 4000 4006 b6bc ac10 0d32    E..{.[@.@......2
0x0010 ac10 0d03 0015 0467 1689 241b 00a1 7162    .......g..$...qb
0x0020 5018 7d78 f978 0000 3232 3020 5369 7379    P.}x.x..220.Sisy
0x0030 7068 7573 2046 5450 2073 6572 7665 7220    phus.FTP.server.
0x0040 2856 6572 7369 6f6e 2077 752d 322e 362e    (Version.wu-2.6.
0x0050 3028                                       0(
tcpdump Output
[tcp sum ok]    TCP checksum verified (printed when tcpdump is run with -vv)
[tos 0x10]      Type of service
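To show what is inside the hex dump above, and to do by program the sequence-number arithmetic the last exercise on this page asks for, here is an added Python decoder; it is not code from the slides. The hex lines are copied from the tcpdump listing (the ASCII column is dropped). It decodes the IPv4 and TCP headers, verifies the IP header checksum and the TCP checksum over the pseudo-header, handles the two irregularities in the capture (packet 3 carries 6 bytes of Ethernet padding past its stated length of 40, and packet 4 was printed only up to byte 0x51 of 123, so its TCP checksum cannot be verified), and checks that SYN, SYN-ACK and ACK agree.

```python
import socket
import struct

# Constructed sample: the hex lines of the four packets in the tcpdump -x listing above.
# A new packet starts at each "0x0000" line.
HEX_DUMP = """
0x0000 4500 0030 1957 4000 8006 6f1b ac10 0d03
0x0010 ac10 0d32 0467 0015 00a1 7161 0000 0000
0x0020 7002 2000 7a4b 0000 0204 05b4 0101 0402
0x0000 4500 0030 1142 4000 4006 b730 ac10 0d32
0x0010 ac10 0d03 0015 0467 1689 241a 00a1 7162
0x0020 7012 7d78 e21e 0000 0204 05b4 0101 0402
0x0000 4500 0028 1a57 4000 8006 6e23 ac10 0d03
0x0010 ac10 0d32 0467 0015 00a1 7162 1689 241b
0x0020 5010 2238 6a23 0000 0000 0000 0000
0x0000 4510 007b 115b 4000 4006 b6bc ac10 0d32
0x0010 ac10 0d03 0015 0467 1689 241b 00a1 7162
0x0020 5018 7d78 f978 0000 3232 3020 5369 7379
0x0030 7068 7573 2046 5450 2073 6572 7665 7220
0x0040 2856 6572 7369 6f6e 2077 752d 322e 362e
0x0050 3028
"""

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_hexdump(text):
    """Turn tcpdump -x lines into a list of raw packets (bytes), one per 0x0000 line."""
    packets = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue  # summary or ASCII line, not part of the hex dump
        if fields[0] == "0x0000":
            packets.append(bytearray())
        packets[-1] += bytes.fromhex("".join(fields[1:]))
    return [bytes(p) for p in packets]


def ones_complement_sum(data):
    """RFC 1071 checksum arithmetic: sum 16-bit words, fold carries into 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_ok(data):
    # A block that already contains its own checksum field sums to 0xFFFF when intact.
    return ones_complement_sum(data) == 0xFFFF


def decode(pkt):
    """Decode the IPv4 and TCP headers of one packet and verify both checksums."""
    (ver_ihl, tos, total_len, ident, _frag, ttl, proto, _ipcsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    seg = pkt[ihl:total_len]          # drop anything past the IP total length (Ethernet padding)
    truncated = len(pkt) < total_len  # tcpdump printed fewer bytes than the packet holds
    sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4
    flags = ",".join(name for bit, name in TCP_FLAGS if off_flags & bit)
    if truncated:
        tcp_ok = None  # cannot verify a checksum over bytes that were not captured
    else:
        pseudo = src + dst + struct.pack("!BBH", 0, proto, len(seg))
        tcp_ok = checksum_ok(pseudo + seg)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "tos": tos, "ttl": ttl, "id": ident, "len": total_len,
            "ip_ok": checksum_ok(pkt[:ihl]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "win": win, "tcp_ok": tcp_ok,
            "payload": bytes(seg[doff:])}


def handshake_ok(syn, synack, ack):
    """SYN-ACK acknowledges seq+1 of the SYN; the final ACK carries that number
    as its own seq and acknowledges seq+1 of the SYN-ACK."""
    return (synack["ack"] == syn["seq"] + 1
            and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)


if __name__ == "__main__":
    pkts = [decode(p) for p in parse_hexdump(HEX_DUMP)]
    for p in pkts:
        print(f'{p["src"]}.{p["sport"]} > {p["dst"]}.{p["dport"]}: {p["flags"]} '
              f'seq {p["seq"]} ack {p["ack"]} win {p["win"]} ip_ok={p["ip_ok"]} tcp_ok={p["tcp_ok"]}')
    print("handshake ok:", handshake_ok(*pkts[:3]))
```

Every value printed by the decoder (ports 1127 and 21, seq 10580321, ack 10580322, seq 378086426, ack 378086427, windows 8192, 32120 and 8760, ttl 128 and 64, tos 0x10, the 83-byte FTP banner) can be matched against the summary lines tcpdump printed above, which is the same cross-check the exercise asks you to perform on a Wireshark capture.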
Wireshark
User friendly GUI backend for tcpdump
netcat
Read & write UDP/TCP data
http://www.atstake.com/research/tools/
netcat
Copies data across network connections.
Uses UDP or TCP.
Reliable and robust.
Used directly at the command level.
Can be driven by other programs and scripts.
Very useful in forensic capture of a live system.
Simple paradigm
On the remote collecting system open a listening port.
On current/compromised system pipe data to remote system.
netcat Usage
Remote logging system:
# nc -l -p 8888 > date_started
-l listen mode
-p port number
Pipes the data from the connection to the file date_started

Possibly compromised system:
F:\>tools\date.exe | tools\nc.exe 192.168.1.100 8888 -w 3
-w 3 times out in 3 seconds
Uses the uncorrupted date binary from the forensics USB/CDROM.
Uses the uncorrupted nc binary from the forensics USB/CDROM.
Sends the output to 192.168.1.100 port 8888

netcat Usage
Log the start of the data collection.
(Remote)   C:\>Case\nc.exe -l -p 8888 > date_started
(Corrupt)  F:\>tools\date | tools\nc.exe 192.168.1.100 8888 -w 3
Get network status.
(Remote)   C:\>Case\nc.exe -l -p 8888 > netstat.doc
(Corrupt)  F:\>tools\netstat | tools\nc.exe 192.168.1.100 8888 -w 3
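The two halves of the netcat paradigm above (a listener on the collecting system that writes the connection to a file, and a sender on the examined system that pipes a command's output in with a timeout), as an added Python example; this is not code from the slides and it is not netcat itself. Both halves run over loopback so it can be exercised offline. It also hashes the evidence as it lands, which is the usual next step once the file exists. The date string is a constructed sample of what the date command might print.

```python
import hashlib
import socket
import tempfile
import threading

# Constructed sample: output of `date` on the examined machine.
SAMPLE_DATE_OUTPUT = b"Tue 03/04/2008 10:15:32\r\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def collector(srv, out_path, digests):
    """Collecting system, the role of `nc -l -p PORT > file`: accept one
    connection and write everything it sends to out_path, hashing on the way."""
    sha = hashlib.sha256()
    conn, _peer = srv.accept()
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break  # sender closed its side: end of this evidence stream
            out.write(chunk)
            sha.update(chunk)
    digests.append(sha.hexdigest())


def send_output(host, port, data, timeout=3.0):
    """Examined system, the role of `command | nc HOST PORT -w 3`: connect with
    a timeout, push the bytes, then half-close so the listener sees EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def collect(data, out_path=None, timeout=3.0):
    """Run listener and sender over loopback. Returns (bytes written, sha256 hex)."""
    if out_path is None:
        out_path = tempfile.mkstemp(prefix="evidence_")[1]
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    digests = []
    worker = threading.Thread(target=collector, args=(srv, out_path, digests))
    worker.start()
    try:
        send_output("127.0.0.1", port, data, timeout)
        worker.join(timeout)
    finally:
        srv.close()
    with open(out_path, "rb") as f:
        written = f.read()
    return written, (digests[0] if digests else None)


if __name__ == "__main__":
    written, digest = collect(SAMPLE_DATE_OUTPUT)
    print(written.decode(errors="replace").strip())
    print("sha256:", digest)
```

The listener stops when the sender half-closes, which is the same end-of-stream signal netcat relies on; the timeout on the sending side bounds how long the examined system waits if the collector is unreachable, just as -w 3 does.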
1. Use traceroute to trace a connection to either www.f-prot.com or www.fsecure.com. Describe the route and calculate some of the latencies through the major routers.

2. Using the host command find the owner of ftp.osuosl.org. Are there any other IP addresses that belong to Apple?

3. Setup Wireshark to capture only packets to and from your workstation. Set it in capture mode. In a terminal window connect to ftp.osuosl.org.
   ftp
   Open ftp.osuosl.org
   User name: password
   Password:
   ls
   close
   quit

4. Using the Wireshark capture function draw a diagram of the connection packets together with the sequence and acknowledge numbers. Check the arithmetic to make sure the connections are correct.