Network Tools
Outline
• ethereal (now wireshark)
• nmap
• netstat, sockstat
• tracert or traceroute
• nslookup or host
• Knoppix
Ethereal
• http://www.ethereal.com
• Captures packets from a live network connection
• Capture filters / display filters
• Dissects 700+ protocols
• Statistics
Nmap
• http://www.insecure.org/nmap/
• "Network Mapper"
• What hosts are available
• What services/applications are available
• What operating system
• What type of packet filters/firewalls
• Port scanning mechanism
• c:\> nmap -v -A www.gatech.edu
• "nmap" without options will show a short list of options. Linux or Unix: use "man nmap".
# nmap -v -sT -p 20-25,80,110,123,443,3306 www.gatech.edu
Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-10-18 16:32 EDT
Initiating Connect Scan against www.gatech.edu (130.207.165.120) [11 ports] 16:32
Discovered open port 80/tcp on 130.207.165.120
The Connect() Scan took 11.25s to scan 11 total ports.
Host tlweb.gatech.edu (130.207.165.120) appears to be up ... good.
Interesting ports on tlweb.gatech.edu (130.207.165.120):
PORT     STATE    SERVICE
20/tcp   closed   ftp-data
21/tcp   filtered ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
24/tcp   closed   priv-mail
25/tcp   closed   smtp
80/tcp   open     http
110/tcp  closed   pop3
123/tcp  closed   ntp
443/tcp  closed   https
3306/tcp filtered mysql
Nmap finished: 1 IP address (1 host up) scanned in 11.981 seconds
Raw packets sent: 2 (68B) | Rcvd: 1 (46B)
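An added example (not part of the original slides) that turns the port table above into an exposure summary. It parses nmap's text output, groups ports by state, and flags "filtered" results, which tell the defender a packet filter is dropping probes rather than the host answering with a RST. The sample input is constructed from the scan shown on the slide.

```python
import re
from collections import defaultdict

# Constructed sample: nmap 3.x connect-scan output in the format shown on the slide.
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on tlweb.gatech.edu (130.207.165.120):
PORT     STATE    SERVICE
20/tcp   closed   ftp-data
21/tcp   filtered ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
24/tcp   closed   priv-mail
25/tcp   closed   smtp
80/tcp   open     http
110/tcp  closed   pop3
123/tcp  closed   ntp
443/tcp  closed   https
3306/tcp filtered mysql
Nmap finished: 1 IP address (1 host up) scanned in 11.981 seconds
"""

# One row of the port table: "<port>/<proto> <state> <service>"
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap_ports(text):
    """Return (port, proto, state, service) tuples from nmap's port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return ports


def summarize_exposure(ports):
    """Group ports by state.
    open     = a service accepted the connection (exposed to the scanner)
    closed   = host replied with RST: reachable, but nothing listening
    filtered = no reply at all: a firewall/ACL dropped the probe"""
    by_state = defaultdict(list)
    for port, proto, state, service in ports:
        by_state[state].append((port, proto, service))
    return dict(by_state)


def filter_detected(ports):
    """True if any port is 'filtered': evidence of a packet filter in the path."""
    return any(state == "filtered" for _, _, state, _ in ports)
```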
Netstat
• Displays active ports, network connections, routing tables, interface statistics, masquerade connections, multicast memberships, etc.
• The listening sockets show which services a PC exposes to the network, a quick measure of its attack surface
• c:\> netstat -b
• c:\> netstat -e -s
• Linux or UNIX: try "%netstat -a" and "netstat -o"
• %netstat -r   # shows the routing table, like Linux "%route"
• %man netstat  to find the appropriate options
# netstat -b
Active Internet connections
Proto Recv-Q Send-Q  Local Address           Foreign Address         (state)
tcp4       0      0  localhost.49769         localhost.ipp           CLOSE_WAIT
tcp4       0      0  localhost.49768         localhost.ipp           CLOSE_WAIT
tcp4       0      0  localhost.49718         localhost.ipp           CLOSE_WAIT
tcp4       0      0  localhost.49717         localhost.ipp           CLOSE_WAIT
tcp4       0      0  localhost.netinfo-loca  localhost.945           ESTABLISHED
tcp4       0      0  localhost.945           localhost.netinfo-loca  ESTABLISHED
udp4       0      0  *.49413                 *.*
udp4       0      0  *.9912                  *.*
udp4       0      0  localhost.49399         localhost.49399
udp4       0      0  *.ipp                   *.*
udp4       0      0  localhost.49156         localhost.1022
udp4       0      0  localhost.49155         localhost.1022
udp4       0      0  localhost.1022          *.*
udp4       0      0  localhost.49152         localhost.1023
udp4       0      0  localhost.1023          *.*
udp4       0      0  *.mdns                  *.*
udp4       0      0  localhost.netinfo-loca  *.*
udp4       0      0  *.syslog                *.*
udp6       0      0  *.514                   *.*
Active LOCAL (UNIX) domain sockets
Address  Type   Recv-Q Send-Q  Inode  Conn     Refs  Nextref  Addr
1f7b188  stream      0      0      0  1f7b2d8     0        0  /tmp/.pgp-agent-copeland-501
(many other internal socket connections)
root# netstat -e -s
netstat: illegal option -- e          [OPTIONS DIFFER FOR OS's]
usage: netstat [-Aan] [-f address_family] [-M core] [-N system]
       netstat [-bdghimnrs] [-f address_family] [-M core] [-N system]
       netstat [-bdn] [-I interface] [-M core] [-N system] [-w wait]
       netstat -m [-M core] [-N system]
pb2:/ root# netstat -s                ["-s" is for statistics]
tcp:
        88515 packets sent
                30786 data packets (11438091 bytes)
                33 data packets (24237 bytes) retransmitted
                0 resends initiated by MTU discovery
                12554 ack-only packets (2124 delayed)
                38594 window update packets
                6548 control packets
        141942 packets received
                22731 acks (for 11441627 bytes)
                2955 duplicate acks
                127378 packets (137974213 bytes) received in-sequence
                104 completely duplicate packets (134299 bytes)
                7 old duplicate packets
                0 packets with some dup. data (0 bytes duped)
                1836 out-of-order packets (2266419 bytes)
                79 window update packets
                23 packets received after close
                2 discarded for bad checksums
        2284 connection requests
        2011 connection accepts
        4 bad connection attempts
sockstat shows the user and application that opened each socket
copeland% sockstat -4
USER     COMMAND   PID   FD PROTO  LOCAL ADDRESS      FOREIGN ADDRESS
copeland LaunchCF  26267 39 tcp4   127.0.0.1:50456    127.0.0.1:631
copeland firefox-  26234 19 tcp4   127.0.0.1:50532    127.0.0.1:631
copeland firefox-  26234 28 tcp4   127.0.0.1:50531    127.0.0.1:631
copeland mozilla-  1017  25 tcp4   127.0.0.1:5180     *:*
copeland mozilla-  1017  26 udp4   127.0.0.1:49399    127.0.0.1:49399
copeland TextEdit  1000  9  tcp4   127.0.0.1:49768    127.0.0.1:631
copeland TextEdit  1000  10 tcp4   127.0.0.1:49769    127.0.0.1:631
root     AppleFil  371   30 tcp4   *:548              *:*
root     cupsd     330   0  tcp4   127.0.0.1:631      *:*
root     cupsd     330   2  udp4   *:631              *:*
root     ntpd      325   5  udp4   *:123              *:*
root     ntpd      325   6  udp4   127.0.0.1:123      *:*
root     ntpd      325   7  udp4   192.168.1.133:123  *:*
root     automoun  324   7  udp4   127.0.0.1:1022     *:*
root     Director  308   6  tcp4   127.0.0.1:945      127.0.0.1:1033
root     automoun  306   7  udp4   127.0.0.1:1023     *:*
nobody   mDNSResp  170   4  udp4   *:5353             *:*
root     netinfod  125   6  udp4   127.0.0.1:1033     *:*
root     netinfod  125   7  tcp4   127.0.0.1:1033     *:*
root     netinfod  125   8  tcp4   127.0.0.1:1033     127.0.0.1:945
root     syslogd   81    5  udp4   *:514              *:*
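An added example (not from the original slides) that applies the "how exposed is this PC" question from the netstat slide to the sockstat listing above: it parses the rows, keeps only listening sockets (foreign address *:*), and separates loopback-only listeners from those bound to all interfaces or to a LAN address. The sample input is a constructed subset of the slide's output.

```python
# Constructed sample: a subset of the `sockstat -4` rows shown on the slide.
SAMPLE_SOCKSTAT = """\
USER     COMMAND   PID   FD PROTO  LOCAL ADDRESS      FOREIGN ADDRESS
copeland firefox-  26234 19 tcp4   127.0.0.1:50532    127.0.0.1:631
copeland mozilla-  1017  25 tcp4   127.0.0.1:5180     *:*
root     AppleFil  371   30 tcp4   *:548              *:*
root     cupsd     330   0  tcp4   127.0.0.1:631      *:*
root     cupsd     330   2  udp4   *:631              *:*
root     ntpd      325   5  udp4   *:123              *:*
root     ntpd      325   6  udp4   127.0.0.1:123      *:*
root     ntpd      325   7  udp4   192.168.1.133:123  *:*
nobody   mDNSResp  170   4  udp4   *:5353             *:*
root     syslogd   81    5  udp4   *:514              *:*
"""


def parse_sockstat(text):
    """Parse sockstat rows into dicts; the header has 9 tokens and is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        user, command, pid, fd, proto, local, foreign = parts
        host, _, port = local.rpartition(":")   # "*:548" -> ("*", "548")
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "host": host, "port": int(port),
                     "foreign": foreign})
    return rows


def listening_sockets(rows):
    """Unconnected sockets: TCP listeners and bound UDP sockets have foreign *:*."""
    return [r for r in rows if r["foreign"] == "*:*"]


def classify_listener(row):
    """Where a listener can be reached from: only this host, or the network."""
    if row["host"] == "*":
        return "all-interfaces"
    if row["host"].startswith("127."):
        return "loopback-only"
    return "specific-interface"


def network_exposed(rows):
    """Listeners reachable from other hosts: the part of the table to review."""
    return [r for r in listening_sockets(rows)
            if classify_listener(r) != "loopback-only"]
```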
tracert (traceroute)
• Lists the intermediate routers in the path to a destination
• Sends probe packets with incrementing IP Time-To-Live (TTL) values toward the destination; each router that decrements the TTL to zero returns an ICMP Time Exceeded message, which identifies that hop
• Windows tracert uses ICMP echo requests as probes; Unix traceroute sends UDP probes by default (ICMP with -I)
• c:\> tracert www.gatech.edu
• (on Linux %traceroute www.gatech.edu)
• Alternatives: pathping (Windows) also reports per-hop packet loss
# traceroute www.gatech.edu
traceroute to www.gatech.edu (130.207.165.120), 30 hops max, 40 byte pkts
 1  10.240.218.1 (10.240.218.1)  1012.12 ms  10.256 ms  9.427 ms
 2  10.240.218.1 (10.240.218.1)  9.912 ms  10.5 ms  11.346 ms
 3  68.86.110.17 (68.86.110.17)  9.731 ms  8.884 ms  38.159 ms
 4  68.86.106.133 (68.86.106.133)  10.817 ms  10.317 ms  10.187 ms
 5  68.86.106.129 (68.86.106.129)  10.705 ms  9.236 ms  9.193 ms
 6  68.86.106.125 (68.86.106.125)  12.139 ms  10.837 ms  33.716 ms
 7  68.86.106.13 (68.86.106.13)  10.551 ms  9.956 ms  9.46 ms
 8  68.86.106.9 (68.86.106.9)  37.252 ms  9.095 ms  11.282 ms
 9  68.86.107.9 (68.86.107.9)  33.98 ms  10.516 ms  10.92 ms
10  c-66-56-22-162.hsd1.ga.comcast.net (66.56.22.162)  10.861 ms  13.678 ms  11.162 ms
11  gw2-sox.sox.gatech.edu (199.77.194.6)  18.354 ms  12.827 ms  13.145 ms
12  campus2-rtr.gatech.edu (130.207.254.118)  12.128 ms  14.005 ms  10.287 ms
13  tlweb.gatech.edu (130.207.165.120)  12.754 ms  12.484 ms  15.765 ms
14  tlweb.gatech.edu (130.207.165.120)  11.034 ms  42.625 ms  10.954 ms
nslookup (also 'host' and 'dig')
• NSLOOKUP is a tool used for troubleshooting and checking DNS entries
• A DNS server must translate the domain name into its corresponding IP address
• Lookup types:
  • IP address, canonical name for an alias, host info, mail exchanger records, nameserver record, all records (a, cname, hinfo, mx, ns, any)
• c:\>nslookup
  >set type=mx
  >gatech.edu
Find the mail server for addresses ending in "gatech.edu"
# nslookup -t=mx gatech.edu
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         68.87.96.3
Address:        68.87.96.3#53

Non-authoritative answer:
Name:   gatech.edu
Address: 130.207.244.244
Note that the answer is the A (address) record, not the MX records: the "-t=mx" spelling was not recognised, so the default lookup type was used. Spell the option "-type=mx" (or "-query=mx"), or use "dig gatech.edu mx" / "host -t mx gatech.edu", to get the mail exchangers.
knoppix-std (now 'std')
• http://www.s-t-d.org/
• Linux distribution that runs from a bootable CD in memory without changing the native operating system of the host computer
• Open source security tools
Other Things
• Ping
• Snort
• http://www.honeynet.org/index.html
• http://www.sectools.org/