Hands-On Network Security: Practical Tools & Methods
Security Training Course
Dr. Charles J. Antonelli
The University of Michigan
2012

Hands-On Network Security
Module 1: Fundamental Tools
Roadmap
• Review of generally useful tools
  Linux (Unix) centric
• General overview
  Several tools revisited later
• There are many, many other useful tools
  Some introduced in course modules
  Most freely available on the Internet
04/12 cja 2012 3
Tool Basics
• less, man
• su, sudo
• ifconfig
• netstat
• tcpdump
• wireshark, tshark
• tcpreplay
• traceroute
• tcptraceroute
• nmap/zenmap
• netcat
• ps
• top
• vmstat
• lsof
• /proc
• whois
• nslookup, dig
• Accounting
• Miscellany
less, man
• less
  Standard paginating tool for Unix/Linux
• man
  Standard manual page tool for Unix/Linux
su
• su id
  Change to user id
  If no id is given, change to the superuser (root)
  Authenticate by giving the new user's password
  Starts a command shell with the new user's privileges
• Invocation
  su
  su -
    Like su, but executes a login shell, which gets the correct command search paths
sudo
• sudo command
  Run commands as root
  Authenticate by giving your own password
  Runs command with root's privileges
  Convenience & control
    Control who may sudo and what commands they can run
    Log operations performed under sudo
    Config file /etc/sudoers
• Invocation
  sudo service network restart
    Runs the service command with root privileges
  sudo -s
    Executes a command shell with root privileges
  sudo -i
    Like su -, this executes a login shell with root privileges
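A sudoers fragment, added here as an example and not from the course, that applies the three controls listed above (who may sudo, which commands, and logging) to the slide's own invocation; the group name netops, the /sbin/service path and the drop-in location are assumptions, so edit it only through visudo:

```sudoers
# Constructed example for /etc/sudoers (or a drop-in under /etc/sudoers.d,
# if that directory is included); always edit with visudo.
# Only the commands in NETCTL may be run by members of group netops, as root.
Cmnd_Alias NETCTL = /sbin/service network restart

# Log every sudo invocation to a dedicated file, and record the session's
# input/output so it can be reviewed later with sudoreplay.
Defaults   logfile=/var/log/sudo.log
Defaults   log_input, log_output

# who          where  as whom  what
%netops        ALL=   (root)   NETCTL
```

With this entry a sudo -s or sudo -i by a netops member is refused, since no shell appears in NETCTL, and the refusal is logged as well.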
ifconfig
• Get (and set) network interface configuration
  IP address and mask
  Hardware address
  Bytes sent/received/dropped/overrun/…
• /sbin/ifconfig [interface] [options]
• Useful to discover host's IP address(es) and interface status
netstat
• Displays network-related status
  Network connections
  Routing tables
  Interface statistics
  Multicast memberships

netstat
• /bin/netstat
  w/o args, displays open sockets
  -a  display listening sockets also
  -t  show active TCP sockets
  -u  show active UDP sockets
  -p  show PID and process name
  -r  display routing tables
  -n  don't convert host addresses to names
libpcap
• Packet capture library
• Obtains packets from host platform
• Created at LBL
• Maintained at www.tcpdump.org
  Sources, no binaries
  Version 1.2.1 released January 1, 2012
tcpdump
• Full-content packet capture and display
• Packet input
  Directly from network interface
  From libpcap-format file
• Packet output
  To screen
  To libpcap-format file
• Packet filtering
• Version 4.2.1 released January 1, 2012 at www.tcpdump.org

tcpdump
• /usr/sbin/tcpdump
  -i in   listen on interface in
  -n      don't convert host addresses to names
  -X      dump packet in hex and ASCII
  -e      dump Ethernet header also
  -r fn   read from pcap-format file fn
  -w fn   write out pcap-format file fn
• Documentation at www.tcpdump.org
wireshark, tshark
• Full-content packet capture and display
• Built-in protocol dissectors
  1,170 protocols and counting (version 1.6.7, released April 6, 2012)
• Packet input
  Directly from network interface
  From libpcap-format file, and many other formats
• Packet output
  Interactive, screen-oriented
• Packet filtering
  On capture
  On display

wireshark, tshark
• Other features
  capinfos
  dumpcap
  editcap
  mergecap
  text2pcap
• http://www.wireshark.org/
tcpreplay
• Sends stored packets to network
  Useful for presenting fixed inputs to IDSs
• Packet input
  From libpcap-format file
• Packet output
  To network interface
• Features
  tcpprep     determine client/server packets and prepare cache
  tcpreplay   replay pcap files at user-determined speeds
  tcprewrite  edit TCP, IP, Layer 2 headers on the fly
  tcpbridge   bridge network segments with tcprewrite
  tcpcapinfo  pcap file decoder
tcpreplay
• Canonical invocation
  tcpreplay -i eth0 sample.pcap
• Options:
  -t        as fast as possible
  -M rate   send at this rate (Mbps)
  -p #      send this number of packets per second
  -x m      send m times as fast
  …
• http://tcpreplay.synfin.net/
• Some packets are not meant to be replayed
traceroute
• Uses TTL field in IP packet to map a network packet's path from source to destination host
• Generates a serial list of routers between source and destination
• Depends on ICMP messages
  If ICMP is blocked at the border, this won't work
• Maintained at http://www-nrg.ee.lbl.gov/ftp.html
tcptraceroute
• Uses TCP SYN packets instead of ICMP or UDP echo
  Originally developed & maintained at http://michael.toren.net/code/tcptraceroute/
  Now inactive
  Better to use a modern traceroute's -T option
nmap/zenmap
• Network mapping tool
  Version 5.50 released January, 2011
• Really a network scanner
• Swiss army knife
• Two-step process
  Identifies hosts on specified network segment(s)
  Scans specified ports on each host
• Read the man page thoroughly
  Especially for limitations …
• Zenmap is a GUI for nmap
• Generally under-appreciated
nmap
• nmap subnet   e.g. 141.211.244.0/26
  -n        don't map addresses to names
  -sS       TCP SYN port scan
  -sT       TCP connect port scan
  -sU       UDP port scan
  -sV       detect service versions
  -s…       several more advanced scans
  -O        use fingerprinting to guess remote OS
  -T        manually set scan rate
  -p range  range of ports to scan
  … many more
• Maintained at http://www.insecure.org/nmap/
netcat
• TCP/UDP utility
  http://nc110.sourceforge.net/ … the original, from 1996
  http://netcat.sourceforge.net/ … the portable version
• Another, older, Swiss army knife
• Features
  Send and receive TCP/UDP
  Listen on arbitrary ports
  TCP proxies
  Shell-script clients & servers
• Read the man page thoroughly
• Generally under-appreciated
ps
• Process status utility
• Features
  Standard & custom process status listings
  Resource utilization summaries
• Read the man page thoroughly

ps
• ps
  (none)  show your processes
  ax      show all processes
  l       show your processes, long format
  u       show your processes, user format
  v       show your processes, virtual memory format
  -l      show your processes, long format
  -f      show your processes, full format
  -F      show your processes, extra full format
  -H      show your processes, tree format
  -Lm     show all processes, with threads
  … many more
top
• Display Linux tasks
• Features
  Dynamic process listings
  Ordered by specified resource
  System utilization summaries
  An interactive interface for process manipulation
  An extensive interactive interface for configuration
• Read the man page thoroughly

top
• top
  (none)   show summary and process stats, updated every 3 secs
  -d n     … every n secs
  -u user  … stats for user user only
• Interactive commands
  1  toggle between aggregate and individual CPU stats
  k  kill a process
  O  change sort order
  r  renice a process
  u  show stats for specified user
  h  interactive help
  … many more
vmstat
• Report virtual memory statistics
• Reports
  Processes running
  Physical memory usage
  Swap space I/O
  Block I/O
  System interrupts and context switches
  CPU utilization
  … all in 80 characters

vmstat
• vmstat
  (none)  show status
  n       show status every n seconds
  -a      show active/inactive instead of buffered/cached
  -f      # fork() system calls since boot
  -m      show kernel memory management stats (slabinfo)
lsof
• List open files
  Created for UNIX to find running processes preventing filesystem unmounts
  Many additional Linux features
• For each process, shows
  Root and current directories
  Mapped shared memory libraries
  Open file names, descriptors, major/minor/inode numbers
  Open sockets, states, peer names

lsof
• lsof
  (none)      shows open files for all devices for all processes
  -p pid      shows open files for process pid
  -u user     shows open files for user name or uid user
  /dev/sdx    shows open files for device /dev/sdx
  /path/file  shows processes that have /path/file open
  -i @host    shows processes connected to host host
  … many more
/proc
• File-system view of userland
• Features
  Global system status
  Per-process status
• Much more detail than e.g. ps
• Official interface for system information
• Addresses a long-standing need in UNIX
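To show what "much more detail than ps" means in practice, here is an added example (not from the course slides) that rebuilds the netstat -tlnp view described earlier purely from /proc: it decodes the hex address fields of /proc/net/tcp and resolves each listening socket's inode to a PID through the socket:[inode] links under /proc/<pid>/fd. Function and variable names are the example's own; the embedded table is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example, not from the course slides: list LISTEN-state TCP sockets
# from /proc/net/tcp and map each to its PID via the socket:[inode] links
# under /proc/<pid>/fd (what "netstat -tlnp" shows). Linux, IPv4 only.
# Decode "0100007F:0016" into dotted-quad:port. The kernel prints the IPv4
# address as 8 hex digits in host byte order (little-endian on x86), so
# the four bytes come out reversed.
decode_addr() {
    hexip=${1%%:*}; hexport=${1##*:}
    t=${hexip%????}; b2=${t#??}      # hex digits 3-4
    t=${hexip%??};   b3=${t#????}    # hex digits 5-6
    printf '%d.%d.%d.%d:%d' "$((0x${hexip#??????}))" "$((0x$b3))" \
        "$((0x$b2))" "$((0x${hexip%??????}))" "$((0x$hexport))"
}

# PID whose fd table holds socket inode $1; "-" if none is visible
# (other users' processes need root, or /proc is not live).
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            p=${fd#/proc/}; printf '%s' "${p%%/*}"; return 0
        fi
    done
    printf '%s' '-'
}

# Print "local_addr:port inode pid" for each row in state 0A (TCP_LISTEN).
# $1 is the table file; defaults to the live kernel table.
listening_sockets() {
    # columns: sl local rem st txq:rxq tr:when retrnsmt uid timeout inode
    while read -r sl laddr raddr st q tm rt uid to inode rest; do
        [ "$st" = "0A" ] || continue
        printf '%s %s %s\n' "$(decode_addr "$laddr")" "$inode" \
            "$(pid_for_inode "$inode")"
    done < "${1:-/proc/net/tcp}"
}

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# one listener on 127.0.0.1:22 and one ESTABLISHED (01) client connection.
write_sample_table() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99991 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A3E2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 99992 1 0000000000000000 20 4 30 10 -1
EOF
}

# Use the live table when readable, otherwise the constructed sample.
if [ -r /proc/net/tcp ]; then listening_sockets /proc/net/tcp
else f=$(mktemp); write_sample_table "$f"; listening_sockets "$f"; rm -f "$f"; fi
```

The same decoding applies to /proc/net/udp (state 07 for unconnected sockets), which is the data behind netstat -u.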