Title: Network Tools

Network Tools
- ifconfig
- arp
- ping
- route
- traceroute
- netcat
- tcpdump
- Wireshark

ifconfig
- Network configuration and status
- ifconfig                    status of all network interfaces
- ifconfig eth0               status of the ethernet 0 interface
- ifconfig eth0 down          shuts ethernet 0 down
- ifconfig eth0 up            starts ethernet 0
- ifconfig eth0 172.16.13.97  assigns an IP address to ethernet 0
- man ifconfig                more info

ifconfig Output
  eth1      Link encap:Ethernet  HWaddr 00:0A:B7:FE:36:DB
            inet addr:140.211.110.121  Bcast:140.211.110.255  Mask:255.255.255.0
            inet6 addr: fe80::20a:b7ff:fefe:36db/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:5024 errors:1246 dropped:0 overruns:0 frame:1246
            TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
            collisions:11 txqueuelen:1000
            RX bytes:1329231 (1.2 MiB)  TX bytes:45872 (44.7 KiB)
            Interrupt:3 Base address:0x100

  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:157 errors:0 dropped:0 overruns:0 frame:0
            TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:43623 (42.6 KiB)  TX bytes:43623 (42.6 KiB)

ipconfig (Win)
- Network configuration and status
- ipconfig       brief status of all network interfaces
- ipconfig -All  complete status of all network interfaces
- ipconfig -?    more info

ipconfig (Win)

ipconfig Output (Win)

arp
- Modify or extract the ARP cache

arp Example
  $ arp
  Address             HWtype  HWaddress          Flags Mask  Iface
  BBCisco-91.sou.edu  ether   00:30:F2:C9:A0:B8  C           eth0

arp (Win)

arp Example (Win)

ping
- Sends an ICMP echo request
- Type 8: echo request
- Type 0: echo reply
- Code 0
- Payload: as sent by the requester, returned unchanged by the reply
- Linux: a new echo request is sent after each reply until terminated with Ctrl-C
- Summary statistics are calculated

ping Options
- -c xx   number of requests to send
- -Q x    type of service
- -s xxx  size of payload
- -b      broadcast
- -t xxx  set ttl to xxx
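
The echo request and reply format described above, as an added example that is not part of the original slides: it builds a type 8, code 0 echo request with the RFC 1071 checksum the way ping does, simulates the reply, and checks what ping checks before it prints a "bytes from" line. The identifier value and the 1000-byte payload (ping -s 1000, which gives the 1008 ICMP bytes shown on the example slide) are constructed.

```python
import os
import struct

# Added example (not from the slides): ICMP echo as ping uses it.
ICMP_ECHO_REQUEST = 8   # type 8: echo request
ICMP_ECHO_REPLY = 0     # type 0: echo reply
ICMP_CODE = 0           # code 0 for both


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """8-byte header: type, code, checksum, identifier, sequence; then the payload."""
    header = struct.pack("!BBHHH", icmp_type, ICMP_CODE, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, ICMP_CODE, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> tuple:
    """Return (type, code, ident, seq, payload); a valid packet re-sums to zero."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP length or checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]


def make_reply(request: bytes) -> bytes:
    """What the target does: send the same id, seq and payload back as type 0."""
    _t, _c, ident, seq, payload = parse_icmp(request)
    return build_echo(ICMP_ECHO_REPLY, ident, seq, payload)


def reply_matches(request: bytes, reply: bytes) -> bool:
    """What ping checks: type 0, code 0, matching identifier and sequence,
    checksum valid, and the payload returned unchanged."""
    try:
        rt, rc, rid, rseq, rdata = parse_icmp(request)
        pt, pc, pid, pseq, pdata = parse_icmp(reply)
    except ValueError:
        return False
    return ((rt, pt, rc, pc) == (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY, ICMP_CODE, ICMP_CODE)
            and (rid, rseq, rdata) == (pid, pseq, pdata))


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, os.getpid() & 0xFFFF, 1, b"A" * 1000)  # ping -s 1000
    print(len(req), reply_matches(req, make_reply(req)))  # 1008 bytes, as on the slide
```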

ping Example
- Used to test network connections
- Used to test network speeds
- Used in DDoS attacks

  quirrel@somewhere$ ping 172.16.13.50 -c 5 -s 1000
  PING 172.16.13.50 (172.16.13.50) from 140.211.91.82 : 1000(1024) bytes of data.
  1008 bytes from 172.16.13.50: icmp_seq=1 ttl=255 time=0.459 ms
  1008 bytes from 172.16.13.50: icmp_seq=2 ttl=255 time=0.441 ms
  1008 bytes from 172.16.13.50: icmp_seq=3 ttl=255 time=0.432 ms
  1008 bytes from 172.16.13.50: icmp_seq=4 ttl=255 time=0.402 ms
  1008 bytes from 172.16.13.50: icmp_seq=5 ttl=255 time=0.388 ms

  --- 172.16.13.50 ping statistics ---
  5 packets transmitted, 5 received, 0% loss, time 4000ms
  rtt min/avg/max/mdev = 0.388/0.424/0.459/0.031 ms

ping Options (Win)

ping Example (Win)

route
- Configure or report the status of the host's routing table

  $ route -n
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
  127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

route Options (Win)

route Options (Win) (continued)

route Example (Win)

traceroute host_name
- Determines connectivity to a remote host
- Uses UDP
- Options
  - -f  set initial ttl
  - -F  set the don't-fragment bit
  - -I  use ICMP echo request instead of UDP
  - -t  set type of service
  - -v  verbose output

traceroute Example
  $ traceroute www.f-prot.com
   1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
   2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
   3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
   4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
   5  corv-car1-gw.nero.net (207.98.64.193)  20.046 ms  20.204 ms  21.661 ms
   6  ptld-core1-gw.nero.net (207.98.64.21)  21.631 ms  18.890 ms  31.521 ms
   7  ptld-core2-gw.nero.net (207.98.64.177)  18.932 ms  28.446 ms  23.135 ms
   8  ptck-core1-gw.nero.net (207.98.64.10)  19.978 ms  18.329 ms  30.266 ms
   9  POS6-1.hsipaccess2.Seattle1.Level3.net (63.211.200.245)  26.382 ms  31.671 ms  21.383 ms
  10  ge-4-0-1.mp1.Seattle1.level3.net (209.247.9.61)  25.033 ms  28.164 ms  28.482 ms
  11  gig11-1.hsa1.Seattle1.level3.net (209.247.9.46)  19.209 ms  44.756 ms  22.834 ms
  12  core1.Seattle.Teleglobe.net (209.0.227.142)  54.156 ms  62.715 ms  34.783 ms
  13  if-13-0.core2.Sacramento.Teleglobe.net (64.86.83.193)  45.352 ms  50.686 ms  47.254 ms
  14  if-1-0.core2.Sacramento.Teleglobe.net (64.86.83.222)  46.497 ms  62.374 ms  75.823 ms
  15  if-9-0.core2.Chicago3.Teleglobe.net (64.86.83.137)  98.147 ms  98.298 ms  103.634 ms
  16  if-2-0.core3.NewYork.Teleglobe.net (64.86.83.218)  97.669 ms  103.466 ms  100.087 ms
  17  if-10-0.core1.NewYork.Teleglobe.net (66.110.8.133)  97.588 ms  103.310 ms  100.475 ms
  18  if-5-0-0.bb6.NewYork.teleglobe.net (207.45.221.104)  179.906 ms  101.384 ms  187.031 ms
  19  ix-1-0-1.bb6.NewYork.Teleglobe.net (207.45.205.114)  163.676 ms  162.706 ms  165.844 ms
  20  MultiGigabit-13.backbone-hofdab1.linanet.is (62.145.129.187)  166.070 ms  164.363 ms  176.033 ms
  21  gigabit-1-1.skulagata.linanet.is (213.220.64.7)  167.057 ms  180.174 ms  191.346 ms
  22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  163.602 ms !X
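
The lab at the end of these slides asks for latencies through the major routers on a trace like the one above. As an added example (not code from the slides), the following parses lines in traceroute's output format, keeps every probe RTT per hop, notes annotations such as !X (communication administratively prohibited), and reports how much the minimum RTT grows from one listed hop to the next. The input rows are copied from the slide (hops 1 to 4 and 22).

```python
import re

# Added example, not from the slides: per-hop RTT figures from traceroute output.
TRACE = """\
 1  BBCisco-91.sou.edu (140.211.91.1)  0.654 ms  0.544 ms  0.504 ms
 2  scrubber.sou.edu (140.211.102.34)  0.416 ms  0.386 ms  0.522 ms
 3  sou-pop.nero.net (140.211.4.1)  1.638 ms  1.598 ms  1.561 ms
 4  corv-car2-gw.nero.net (140.211.1.25)  15.474 ms  24.891 ms corv-car2-gw.nero.net (140.211.0.185)  22.227 ms
22  customer-gigabit-1-123.skulagata.linanet.is (62.145.130.150)  171.756 ms !X  163.602 ms !X
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+(?:\.\d+){3})\)")
PROBE_RE = re.compile(r"(\d+\.\d+) ms(?: (![A-Za-z0-9<>]+))?")


def parse_traceroute(text: str) -> list:
    """One dict per hop: ttl, first host/IP listed, all probe RTTs, the minimum,
    and any probe annotations such as !X."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        probes = PROBE_RE.findall(line)
        if not m or not probes:
            continue  # '* * *' timeouts and non-hop lines carry no RTT
        rtts = [float(rtt) for rtt, _ in probes]
        hops.append({"ttl": int(m.group(1)), "host": m.group(2), "ip": m.group(3),
                     "rtts": rtts, "min": min(rtts),
                     "notes": sorted({n for _, n in probes if n})})
    return hops


def hop_deltas(hops: list) -> list:
    """Growth of the minimum RTT between consecutive listed hops, in ms. A negative
    value is normal: each hop's reply comes from a different router over its own
    return path, so these are round-trip differences, not per-link latencies."""
    return [round(b["min"] - a["min"], 3) for a, b in zip(hops, hops[1:])]


if __name__ == "__main__":
    hops = parse_traceroute(TRACE)
    for hop, delta in zip(hops[1:], hop_deltas(hops)):
        print(f"{hop['ttl']:>2} {hop['host']:<45} min {hop['min']:8.3f} ms  {delta:+9.3f}")
```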

tracert Usage (Win)

tracert Example (Win)

host
- Forward and reverse DNS lookups

  $ host www.f-prot.com
  www.f-prot.com has address 213.220.100.1
  www.f-prot.com has address 213.220.100.2
  www.f-prot.com has address 213.220.100.3

  $ host 213.220.100.3
  3.100.220.213.in-addr.arpa domain name pointer aula.frisk-software.com.

whois Usage (Win)
- whois <IP address> also works

whois Example (Win)

netstat Example
- Shows the status of all network connections
- Shows all listening ports

netstat (Linux)

netstat Example

netstat (Win)

netstat Example (Win)

tcpdump
- Packet sniffer
- Installed with Linux
- Commonly used
- Its dump files are often used as the data file for GUI backends

tcpdump Syntax
  tcpdump [options] -i <interface> -w <dump file>
  tcpdump -c 1000 -i eth0 -w etho.dmp

tcpdump Options
- -n            do not convert host addresses to names
- -nn           do not convert protocols and ports to names
- -i ethn       listen on interface eth0, eth1, eth2, ...
- -c xx         exit after xx packets
- -e            print link-level info
- -f file_name  read packets from file file_name (note: current tcpdump reads a saved file with -r; its -f option prints foreign IPv4 addresses numerically)
- -v            slightly verbose
- -vv           verbose
- -vvv          very verbose
- -w file_name  write packets to file file_name
- -x            write packets in hex
- -X            write packets in hex and ASCII
- -S            write absolute sequence and acknowledgment numbers

tcpdump Example
  16:31:47.114550 172.16.13.3.1127 > 172.16.13.50.21: S [tcp sum ok] 10580321:10580321(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 6487, len 48)
  0x0000  4500 0030 1957 4000 8006 6f1b ac10 0d03  E..0.W@...o.....
  0x0010  ac10 0d32 0467 0015 00a1 7161 0000 0000  ...2.g....qa....
  0x0020  7002 2000 7a4b 0000 0204 05b4 0101 0402  p...zK..........
  16:31:47.114784 172.16.13.50.21 > 172.16.13.3.1127: S [tcp sum ok] 378086426:378086426(0) ack 10580322 win 32120 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 4418, len 48)
  0x0000  4500 0030 1142 4000 4006 b730 ac10 0d32  E..0.B@.@..0...2
  0x0010  ac10 0d03 0015 0467 1689 241a 00a1 7162  .......g..$...qb
  0x0020  7012 7d78 e21e 0000 0204 05b4 0101 0402  p.}x............
  16:31:47.114932 172.16.13.3.1127 > 172.16.13.50.21: . [tcp sum ok] ack 378086427 win 8760 (DF) (ttl 128, id 6743, len 40)
  0x0000  4500 0028 1a57 4000 8006 6e23 ac10 0d03  E..(.W@...n#....
  0x0010  ac10 0d32 0467 0015 00a1 7162 1689 241b  ...2.g....qb..$.
  0x0020  5010 2238 6a23 0000 0000 0000 0000       P."8j#........
  16:31:50.144368 172.16.13.50.21 > 172.16.13.3.1127: P 378086427:378086510(83) ack 10580322 win 32120 (DF) [tos 0x10] (ttl 64, id 4443, len 123)
  0x0000  4510 007b 115b 4000 4006 b6bc ac10 0d32  E..{.[@.@......2
  0x0010  ac10 0d03 0015 0467 1689 241b 00a1 7162  .......g..$...qb
  0x0020  5018 7d78 f978 0000 3232 3020 5369 7379  P.}x.x..220.Sisy
  0x0030  7068 7573 2046 5450 2073 6572 7665 7220  phus.FTP.server.
  0x0040  2856 6572 7369 6f6e 2077 752d 322e 362e  (Version.wu-2.6.
  0x0050  3028                                     0(

tcpdump Output
  16:32:01.569837 172.16.13.50.21 > 172.16.13.3.1127: F [tcp sum ok] 378086579:378086579(0) ack 10580352 win 32120 (DF) [tos 0x10] (ttl 64, id 4449, len 40)

  Field by field:
  - 16:32:01.569837            time of packet
  - 172.16.13.50.21            source IP address.port
  - 172.16.13.3.1127           destination IP address.port
  - F                          TCP flags
  - [tcp sum ok]               protocol checksum
  - 378086579:378086579(0)     sequence numbers: beginning:ending(difference)
  - ack 10580352               acknowledgment number
  - win 32120                  window
  - (DF)                       don't fragment
  - [tos 0x10]                 type of service
  - (ttl 64, id 4449, len 40)  IP datagram: ttl, id, length
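
The fields labelled above can be read straight out of the hex rows tcpdump -x printed. As an added example (not code from the slides), the following decodes the hex rows of packet 4 from the tcpdump Example slide (the FTP banner from 172.16.13.50.21) into those fields, rebuilds the summary line, and checks the sequence/acknowledgment arithmetic against the two initial sequence numbers from packets 1 and 2. Hex rows and both ISNs are copied from the slides; the decoder assumes an IPv4 header with no options when locating the addresses.

```python
import struct

# Added example (not the slides' own code): decode tcpdump -x hex rows into the
# fields of the summary line. HEX_ROWS and both ISNs are copied from the slides.
HEX_ROWS = """
0x0000 4510 007b 115b 4000 4006 b6bc ac10 0d32
0x0010 ac10 0d03 0015 0467 1689 241b 00a1 7162
0x0020 5018 7d78 f978 0000 3232 3020 5369 7379
0x0030 7068 7573 2046 5450 2073 6572 7665 7220
0x0040 2856 6572 7369 6f6e 2077 752d 322e 362e
0x0050 3028
"""
CLIENT_ISN = 10580321   # packet 1: SYN from 172.16.13.3.1127
SERVER_ISN = 378086426  # packet 2: SYN from 172.16.13.50.21
FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"))


def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the 0xNNNN offset column and join the 16-bit hex words."""
    return bytes.fromhex("".join(w for ln in dump.splitlines() for w in ln.split()[1:]))


def decode(raw: bytes) -> dict:
    """Parse the IPv4 and TCP headers the way tcpdump's summary line reports them."""
    ver_ihl, tos, total_len, ip_id, frag, ttl, _proto = struct.unpack("!BBHHHBB", raw[:10])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = (".".join(str(b) for b in raw[o:o + 4]) for o in (12, 16))
    sport, dport, seq, ack, doff_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    doff = (doff_flags >> 12) * 4
    flags = doff_flags & 0x3F
    data_len = total_len - ihl - doff  # the (83) in 378086427:378086510(83)
    return {"src": f"{src}.{sport}", "dst": f"{dst}.{dport}",
            "flags": "".join(l for bit, l in FLAG_LETTERS if flags & bit) or ".",
            "seq": seq, "seq_end": seq + data_len, "len": data_len,
            "ack": ack if flags & 0x10 else None, "win": win, "df": bool(frag & 0x4000),
            "tos": tos, "ttl": ttl, "id": ip_id, "ip_len": total_len,
            "payload": raw[ihl + doff:].decode("ascii", "replace")}  # captured part only


def summary(p: dict) -> str:
    """Rebuild tcpdump's one-line summary from the decoded fields."""
    return (f"{p['src']} > {p['dst']}: {p['flags']} {p['seq']}:{p['seq_end']}({p['len']}) "
            f"ack {p['ack']} win {p['win']}{' (DF)' if p['df'] else ''} "
            f"[tos 0x{p['tos']:x}] (ttl {p['ttl']}, id {p['id']}, len {p['ip_len']})")


def handshake_consistent(p: dict) -> bool:
    """The arithmetic the lab asks for: the first data byte each way is ISN + 1."""
    return p["seq"] == SERVER_ISN + 1 and p["ack"] == CLIENT_ISN + 1


if __name__ == "__main__":
    pkt = decode(hexdump_to_bytes(HEX_ROWS))
    print(summary(pkt), repr(pkt["payload"]), handshake_consistent(pkt))
```

Only 42 of the 83 payload bytes appear in the dump because of tcpdump's default snapshot length, so the decoder takes the (83) from the IP total length and returns just the captured text.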

Wireshark
- User-friendly GUI backend for tcpdump

netcat
- Read and write UDP/TCP data
- http://www.atstake.com/research/tools/
- Useful to test networks and performance

netcat
Copies data across network connections using UDP or TCP. Reliable and robust. Used directly at the command line, and can be driven by other programs and scripts. Very useful for forensic capture of a live system. Simple paradigm: on the remote collecting system, open a listening port; on the current (possibly compromised) system, pipe the data to the remote system. The connection is closed automatically after the data transfer has completed.

netcat Usage
  Remote logging system:
    nc -l -p 8888 > date_started
      -l              listen mode
      -p              port number
      > date_started  pipes the data from the connection to the file date_started
  Possibly compromised system:
    F:\>tools\date.exe | F:\>tools\nc.exe 192.168.1.100 8888 -w 3
      -w 3  times out in 3 seconds
      Uses the uncorrupted date binary from the forensics USB/CD-ROM.
      Uses the uncorrupted nc binary from the forensics USB/CD-ROM.
      Sends the output to 192.168.1.100 port 8888.

netcat Usage
- Log the start of the data collection.
  - (Remote)  C:\>Case\nc.exe -l -p 8888 > date_started
  - (Corrupt) F:\>tools\date | F:\>tools\nc.exe 192.168.1.100 8888 -w 3
- Get network status.
  - (Remote)  C:\>Case\nc.exe -l -p 8888 > netstat.doc
  - (Corrupt) F:\>tools\netstat | F:\>tools\nc.exe 192.168.1.100 8888 -w 3

Computer Security II Lab 2
- Use traceroute to trace a connection to either www.f-prot.com or www.fsecure.com. Describe the route and calculate some of the latencies through the major routers.
- Using the host command, find the owner of ftp.osuosl.org. Are there any other IP addresses that belong to Apple?
- Set up Wireshark to capture only packets to and from your workstation. Set it in capture mode. In a terminal window, connect to ftp.osuosl.org:
  - ftp
  - open
  - ftp.osuosl.org
  - User name password
  - Password
  - ls
  - close
  - quit
- Using the Wireshark capture function, draw a diagram of the connection packets together with the sequence and acknowledgment numbers. Check the arithmetic to make sure the connections are correct.