
Network Tools (screen shots added)

Learn about useful network tools such as Ethereal (Wireshark), Nmap, Netstat, and Tracert. Capture and analyze network packets, scan for open ports, view active connections, and trace network routes.



  1. Network Tools (screen shots added)
     ECE-6612, October 14, 2005
     Cherita Corbett, John Copeland

  2. Outline
     • ethereal (now wireshark)
     • nmap
     • netstat, sockstat
     • tracert or traceroute
     • nslookup or host
     • Knoppix

  3. Ethereal
     • http://www.ethereal.com
     • Captures packets from a live network connection
     • Capture filters / display filters
     • Dissects 700+ protocols
     • Statistics

  4. Ethereal (screen shot)

  5. Nmap
     • http://www.insecure.org/nmap/
     • "Network Mapper"
     • What hosts are available
     • What services/applications are available
     • What operating system
     • What type of packet filters/firewalls
     • Port scanning mechanism
     • c:\> nmap -v -A www.gatech.edu
     • "nmap" without options will show a short list of options. Linux or Unix: use "man nmap".

  6. # nmap
     Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] <host or net list>
     Some Common Scan Types ('*' options require root privileges)
     * -sS TCP SYN stealth port scan (default if privileged (root))
       -sT TCP connect() port scan (default for unprivileged users)
     * -sU UDP port scan
       -sP ping scan (Find any reachable machines)
     * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
       -sV Version scan probes open ports determining service & app names/versions
       -sR RPC scan (use with other scan types)
     Some Common Options (none are required, most can be combined):
     * -O Use TCP/IP fingerprinting to guess remote operating system
       -p <range> ports to scan.  Example range: 1-1024,1080,6666,31337
       -F Only scans ports listed in nmap-services
       -v Verbose. Its use is recommended.  Use twice for greater effect.
       -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
     * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
       -6 scans via IPv6 rather than IPv4
       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
       -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
       -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
       -iL <inputfile> Get targets from file; Use '-' for stdin
     * -S <your_IP>/-e <devicename> Specify source address or network interface
       --interactive Go into interactive mode (then press h for help)
     Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'

  7. # nmap -v -sT -p 20-25,80,110,123,443,3306 www.gatech.edu
     Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-10-18 16:32 EDT
     Initiating Connect Scan against www.gatech.edu (130.207.165.120) [11 ports] at 16:32
     Discovered open port 80/tcp on 130.207.165.120
     The Connect() Scan took 11.25s to scan 11 total ports.
     Host tlweb.gatech.edu (130.207.165.120) appears to be up ... good.
     Interesting ports on tlweb.gatech.edu (130.207.165.120):
     PORT     STATE    SERVICE
     20/tcp   closed   ftp-data
     21/tcp   filtered ftp
     22/tcp   closed   ssh
     23/tcp   closed   telnet
     24/tcp   closed   priv-mail
     25/tcp   closed   smtp
     80/tcp   open     http
     110/tcp  closed   pop3
     123/tcp  closed   ntp
     443/tcp  closed   https
     3306/tcp filtered mysql
     Nmap finished: 1 IP address (1 host up) scanned in 11.981 seconds
     Raw packets sent: 2 (68B) | Rcvd: 1 (46B)
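The scan above is most useful when its port table is compared with what the host is supposed to serve. The following is an added example, not from the slides: it parses the "PORT STATE SERVICE" table that nmap prints in its normal output, counts ports per state, and reports every open or filtered port that is missing from an allow-list for the host. The input is the slide's scan re-typed as a constructed string; the allow-list (80/tcp and 443/tcp for a web server) is an assumption.

```python
"""Summarise an nmap port table and flag ports exposed outside an allow-list.

Added example (not part of the slides). Works on the normal (-oN style)
output shown on the slide; the sample below is that scan, re-typed here
as a constructed string.
"""
import re
from collections import Counter

# Constructed sample: the tlweb.gatech.edu scan from the slide.
NMAP_OUTPUT = """\
Interesting ports on tlweb.gatech.edu (130.207.165.120):
PORT     STATE    SERVICE
20/tcp   closed   ftp-data
21/tcp   filtered ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
24/tcp   closed   priv-mail
25/tcp   closed   smtp
80/tcp   open     http
110/tcp  closed   pop3
123/tcp  closed   ntp
443/tcp  closed   https
3306/tcp filtered mysql
Nmap finished: 1 IP address (1 host up) scanned in 11.981 seconds
"""

# One table row: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text):
    """Return (port, proto, state, service) tuples, in the order nmap printed them."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports.append((int(port), proto, state, service))
    return ports


def state_counts(ports):
    """Count ports per state, e.g. {'closed': 8, 'filtered': 2, 'open': 1}."""
    return dict(Counter(p[2] for p in ports))


def unexpected_exposure(ports, allowed):
    """Open or filtered ports that are not in `allowed` (a set of (port, proto)).

    'filtered' is reported as well as 'open': it means something between the
    scanner and the host answers differently for that port, usually a firewall
    rule, which is worth knowing about when nobody planned it.
    """
    return [(port, proto, state) for port, proto, state, _ in ports
            if state in ("open", "filtered") and (port, proto) not in allowed]


if __name__ == "__main__":
    found = parse_ports(NMAP_OUTPUT)
    print(state_counts(found))
    # Assumption: this host is a web server and should expose only 80 and 443.
    for item in unexpected_exposure(found, {(80, "tcp"), (443, "tcp")}):
        print("unexpected:", item)
```

Run against the slide's scan, the only open port (80/tcp) is on the allow-list, and the two filtered ports (21/tcp ftp and 3306/tcp mysql) are reported for follow-up.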

  8. Netstat
     • Displays active ports, network connections, routing tables, interface statistics, masquerade connections, multicast memberships, etc.
     • Shows which ports are listening, and so indicates how exposed a PC is to attack
     • c:\> netstat -b
       c:\> netstat -e -s
     • Linux or UNIX: try "% netstat -a" and "netstat -o"
       % netstat -r    # will show routing like Linux "% route"
       % man netstat   to find appropriate options

  9. # netstat -b
     Active Internet connections
     Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
     tcp4       0      0  localhost.49769        localhost.ipp          CLOSE_WAIT
     tcp4       0      0  localhost.49768        localhost.ipp          CLOSE_WAIT
     tcp4       0      0  localhost.49718        localhost.ipp          CLOSE_WAIT
     tcp4       0      0  localhost.49717        localhost.ipp          CLOSE_WAIT
     tcp4       0      0  localhost.netinfo-loca localhost.945          ESTABLISHED
     tcp4       0      0  localhost.945          localhost.netinfo-loca ESTABLISHED
     udp4       0      0  *.49413                *.*
     udp4       0      0  *.9912                 *.*
     udp4       0      0  localhost.49399        localhost.49399
     udp4       0      0  *.ipp                  *.*
     udp4       0      0  localhost.49156        localhost.1022
     udp4       0      0  localhost.49155        localhost.1022
     udp4       0      0  localhost.1022         *.*
     udp4       0      0  localhost.49152        localhost.1023
     udp4       0      0  localhost.1023         *.*
     udp4       0      0  *.mdns                 *.*
     udp4       0      0  localhost.netinfo-loca *.*
     udp4       0      0  *.syslog               *.*
     udp6       0      0  *.514                  *.*
     Active LOCAL (UNIX) domain sockets
     Address  Type   Recv-Q Send-Q  Inode    Conn Refs Nextref Addr
     1f7b188  stream      0      0      0 1f7b2d8    0       0 /tmp/.pgp-agent-copeland-501
     (many other internal socket connections)

  10. root# netstat -e -s
      netstat: illegal option -- e        [OPTIONS DIFFER FOR OS's]
      usage: netstat [-Aan] [-f address_family] [-M core] [-N system]
             netstat [-bdghimnrs] [-f address_family] [-M core] [-N system]
             netstat [-bdn] [-I interface] [-M core] [-N system] [-w wait]
             netstat -m [-M core] [-N system]
      pb2:/ root# netstat -s              ["-s" is for statistics]
      tcp:
          88515 packets sent
              30786 data packets (11438091 bytes)
              33 data packets (24237 bytes) retransmitted
              0 resends initiated by MTU discovery
              12554 ack-only packets (2124 delayed)
              38594 window update packets
              6548 control packets
          141942 packets received
              22731 acks (for 11441627 bytes)
              2955 duplicate acks
              127378 packets (137974213 bytes) received in-sequence
              104 completely duplicate packets (134299 bytes)
              7 old duplicate packets
              0 packets with some dup. data (0 bytes duped)
              1836 out-of-order packets (2266419 bytes)
              79 window update packets
              23 packets received after close
              2 discarded for bad checksums
          2284 connection requests
          2011 connection accepts
          4 bad connection attempts

  11. sockstat shows the user and application that opened each socket
      copeland% sockstat -4
      USER     COMMAND  PID   FD PROTO LOCAL ADDRESS      FOREIGN ADDRESS
      copeland LaunchCF 26267 39 tcp4  127.0.0.1:50456    127.0.0.1:631
      copeland firefox- 26234 19 tcp4  127.0.0.1:50532    127.0.0.1:631
      copeland firefox- 26234 28 tcp4  127.0.0.1:50531    127.0.0.1:631
      copeland mozilla- 1017  25 tcp4  127.0.0.1:5180     *:*
      copeland mozilla- 1017  26 udp4  127.0.0.1:49399    127.0.0.1:49399
      copeland TextEdit 1000  9  tcp4  127.0.0.1:49768    127.0.0.1:631
      copeland TextEdit 1000  10 tcp4  127.0.0.1:49769    127.0.0.1:631
      root     AppleFil 371   30 tcp4  *:548              *:*
      root     cupsd    330   0  tcp4  127.0.0.1:631      *:*
      root     cupsd    330   2  udp4  *:631              *:*
      root     ntpd     325   5  udp4  *:123              *:*
      root     ntpd     325   6  udp4  127.0.0.1:123      *:*
      root     ntpd     325   7  udp4  192.168.1.133:123  *:*
      root     automoun 324   7  udp4  127.0.0.1:1022     *:*
      root     Director 308   6  tcp4  127.0.0.1:945      127.0.0.1:1033
      root     automoun 306   7  udp4  127.0.0.1:1023     *:*
      nobody   mDNSResp 170   4  udp4  *:5353             *:*
      root     netinfod 125   6  udp4  127.0.0.1:1033     *:*
      root     netinfod 125   7  tcp4  127.0.0.1:1033     *:*
      root     netinfod 125   8  tcp4  127.0.0.1:1033     127.0.0.1:945
      root     syslogd  81    5  udp4  *:514              *:*
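The value of sockstat over netstat is that each socket comes with its owning user and process, so a listing like the one above can be turned directly into an inventory of services reachable from the network. The following is an added example, not from the slides: it parses `sockstat -4` output, keeps the sockets that are listening (foreign address `*:*`), and separates those bound to the loopback address from those bound to all interfaces or to a real address. The sample is a subset of the slide's output re-typed as a constructed string.

```python
"""Audit listening sockets from `sockstat -4` output.

Added example (not part of the slides). A socket whose foreign address is
"*:*" is waiting for connections; whether that matters depends on the local
address it is bound to: 127.0.0.1 is reachable only from the machine itself,
"*" or a real interface address is reachable from the network.
"""

# Constructed sample: rows taken from the slide's sockstat listing.
SOCKSTAT_OUTPUT = """\
USER     COMMAND  PID   FD PROTO LOCAL ADDRESS      FOREIGN ADDRESS
copeland LaunchCF 26267 39 tcp4  127.0.0.1:50456    127.0.0.1:631
copeland mozilla- 1017  25 tcp4  127.0.0.1:5180     *:*
root     AppleFil 371   30 tcp4  *:548              *:*
root     cupsd    330   0  tcp4  127.0.0.1:631      *:*
root     cupsd    330   2  udp4  *:631              *:*
root     ntpd     325   5  udp4  *:123              *:*
root     ntpd     325   7  udp4  192.168.1.133:123  *:*
nobody   mDNSResp 170   4  udp4  *:5353             *:*
root     syslogd  81    5  udp4  *:514              *:*
"""


def parse_sockstat(text):
    """Return one dict per socket row; the header (9 tokens) is skipped automatically."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:          # data rows have exactly 7 whitespace-separated fields
            continue
        user, command, pid, fd, proto, local, foreign = parts
        host, _, port = local.rpartition(":")   # "192.168.1.133:123" -> host, port
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "fd": int(fd), "proto": proto, "host": host,
                     "port": int(port), "foreign": foreign})
    return rows


def exposure(host):
    """Classify the address a socket is bound to."""
    if host == "*":
        return "all-interfaces"
    if host.startswith("127."):
        return "loopback"
    return "specific-address"


def listeners(rows):
    """Sockets that are waiting for peers rather than connected to one."""
    return [r for r in rows if r["foreign"] == "*:*"]


def network_reachable(rows):
    """Listeners a remote host could reach, as sorted (proto, port, command, user) tuples."""
    return sorted((r["proto"], r["port"], r["command"], r["user"])
                  for r in listeners(rows) if exposure(r["host"]) != "loopback")


if __name__ == "__main__":
    for proto, port, command, user in network_reachable(parse_sockstat(SOCKSTAT_OUTPUT)):
        print(f"{proto:5} {port:5} {command:10} ({user})")
```

On the slide's data this lists AppleFileServer on 548/tcp, CUPS on 631/udp, ntpd on 123/udp, mDNSResponder on 5353/udp and syslogd on 514/udp as reachable from the network; the CUPS TCP listener and the mozilla listener stay local because they are bound to 127.0.0.1. A syslogd accepting UDP on every interface is the kind of entry this listing is meant to surface, since it is a root process taking unauthenticated input from the network.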

  12. tracert (traceroute)
      • Lists the intermediate routers in the path to the destination
      • Sends Internet Control Message Protocol (ICMP) echo packets with incrementing IP Time-To-Live (TTL) values to the destination
      • c:\> tracert www.gatech.edu
      • (on Linux: % traceroute www.gatech.edu)
      • Alternatives: pathping (reports packet loss)

  13. # traceroute www.gatech.edu
      traceroute to www.gatech.edu (130.207.165.120), 30 hops max, 40 byte pkts
       1  10.240.218.1 (10.240.218.1)  1012.12 ms  10.256 ms  9.427 ms
       2  10.240.218.1 (10.240.218.1)  9.912 ms  10.5 ms  11.346 ms
       3  68.86.110.17 (68.86.110.17)  9.731 ms  8.884 ms  38.159 ms
       4  68.86.106.133 (68.86.106.133)  10.817 ms  10.317 ms  10.187 ms
       5  68.86.106.129 (68.86.106.129)  10.705 ms  9.236 ms  9.193 ms
       6  68.86.106.125 (68.86.106.125)  12.139 ms  10.837 ms  33.716 ms
       7  68.86.106.13 (68.86.106.13)  10.551 ms  9.956 ms  9.46 ms
       8  68.86.106.9 (68.86.106.9)  37.252 ms  9.095 ms  11.282 ms
       9  68.86.107.9 (68.86.107.9)  33.98 ms  10.516 ms  10.92 ms
      10  c-66-56-22-162.hsd1.ga.comcast.net (66.56.22.162)  10.861 ms  13.678 ms  11.162 ms
      11  gw2-sox.sox.gatech.edu (199.77.194.6)  18.354 ms  12.827 ms  13.145 ms
      12  campus2-rtr.gatech.edu (130.207.254.118)  12.128 ms  14.005 ms  10.287 ms
      13  tlweb.gatech.edu (130.207.165.120)  12.754 ms  12.484 ms  15.765 ms
      14  tlweb.gatech.edu (130.207.165.120)  11.034 ms  42.625 ms  10.954 ms
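The previous slide states the mechanism behind the listing above: each probe is sent with a TTL one larger than the last, and whichever router decrements the TTL to zero sends back an ICMP "time exceeded" error, revealing its address. The following is an added example, not from the slides: a small model of that exchange, with a chain of routers that decrement the TTL, a destination that answers the probe itself, and one router that stays silent so the listing shows `*` for that hop, as the real tool does. The addresses are constructed (documentation ranges), and the model ignores timing and retries.

```python
"""Model of traceroute's TTL-incrementing probe sequence.

Added example (not part of the slides). Each Router represents one hop;
forward() sends a single probe along the path and returns who answered and
with what ICMP message; traceroute() runs probes with TTL 1, 2, 3, ... until
the destination itself replies or max_hops is reached.
"""

TIME_EXCEEDED = "time-exceeded"   # ICMP error a router returns when TTL hits 0
ECHO_REPLY = "echo-reply"         # what the destination returns to the probe


class Router:
    def __init__(self, addr, silent=False):
        self.addr = addr
        self.silent = silent      # models a hop that drops or rate-limits ICMP errors


def forward(path, dest, ttl):
    """Send one probe with the given TTL through `path` toward `dest`.

    Returns (replier_address, message), or (None, None) when nothing comes back.
    """
    for router in path:
        ttl -= 1                                   # every router decrements the TTL
        if ttl == 0:
            if router.silent:
                return None, None                  # probe dropped, no error sent
            return router.addr, TIME_EXCEEDED      # this hop reveals itself
    return dest, ECHO_REPLY                        # TTL survived all the way


def traceroute(path, dest, max_hops=30):
    """Return [(ttl, address_or_star), ...] in the order the tool would print them."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replier, msg = forward(path, dest, ttl)
        hops.append((ttl, replier if replier is not None else "*"))
        if msg == ECHO_REPLY:                      # destination reached: stop probing
            break
    return hops


if __name__ == "__main__":
    # Constructed topology using documentation address ranges.
    network = [Router("192.0.2.1"), Router("192.0.2.2", silent=True), Router("192.0.2.3")]
    for ttl, addr in traceroute(network, "198.51.100.9"):
        print(f"{ttl:2}  {addr}")
```

Windows tracert uses ICMP echo probes as the slide says; Unix traceroute sends UDP probes to high ports by default (ICMP with `-I`), but the TTL mechanism, and therefore the listing, is the same. The model also shows why a `*` line does not mean the path is broken: the packet passed through that hop, the hop just declined to report it.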

  14. nslookup (also 'host' and 'dig')
      • NSLOOKUP is a tool used for troubleshooting and checking DNS entries
      • A DNS server must translate the domain name into its corresponding IP address
      • Lookup types: IP address, canonical name for an alias, host info, mail exchanger records, nameserver record, all records (a, cname, hinfo, mx, ns, any)
      • c:\> nslookup
        > set type=mx
        > gatech.edu

  15. Find the Mail Server for addresses ending in "gatech.edu"
      # nslookup -t=mx gatech.edu
      Note: nslookup is deprecated and may be removed from future releases.
      Consider using the `dig' or `host' programs instead. Run nslookup with
      the `-sil[ent]' option to prevent this message from appearing.
      Server:   68.87.96.3
      Address:  68.87.96.3#53
      Non-authoritative answer:
      Name:     gatech.edu
      Address:  130.207.244.244
      Note that the answer shown is an A (address) record, not an MX record: this nslookup did not treat "-t=mx" as a query-type option, so it ran the default address lookup. Use "-type=mx" (or "-query=mx") on the command line, or "set type=mx" in interactive mode as on the previous slide, to get the mail exchangers.

  16. knoppix-std (now 'std')
      • http://www.s-t-d.org/
      • Linux distribution that runs from a bootable CD in memory without changing the native operating system of the host computer
      • Open source security tools

  17. Other Things
      • Ping
      • Snort
      • http://www.honeynet.org/index.html
      • http://www.sectools.org/

  18. http://www.honeynet.org/scans/index.html

  19. http://www.knoppix-std.org/
