
Hands-On Network Security: Practical Tools & Methods



  1. Hands-On Network Security: Practical Tools & Methods
  Security Training Course
  Dr. Charles J. Antonelli
  The University of Michigan
  2012

  2. Hands-On Network Security
  Module 1: Fundamental Tools

  3. Roadmap
  • Review of generally useful tools
    ◦ Linux (Unix) centric
  • General overview
    ◦ Several tools revisited later
  • There are many, many other useful tools
    ◦ Some introduced in course modules
    ◦ Most freely available on the Internet
  04/12 cja 2012 3

  4. Tool Basics
  • less, man
  • su, sudo
  • ifconfig
  • netstat
  • tcpdump
  • wireshark, tshark
  • tcpreplay
  • traceroute
  • tcptraceroute
  • nmap/zenmap
  • netcat
  • ps
  • top
  • vmstat
  • lsof
  • /proc
  • whois
  • nslookup, dig
  • Accounting
  • Miscellany

  5. less, man
  • less
    ◦ Standard paginating tool for Unix/Linux
  • man
    ◦ Standard manual page tool for Unix/Linux

  6. su
  • su id
    ◦ Change to user id
    ◦ If no id, change to the superuser (root)
    ◦ Authenticate by giving the new user's password
    ◦ Starts a command shell with the new user's privileges
  • Invocation
    ◦ su
    ◦ su -
      ▪ Like su, but executes a login shell, which gets the correct command search paths

  7. sudo
  • sudo command
    ◦ Run commands as root
    ◦ Authenticate by giving your own password
    ◦ Runs command with root's privileges
    ◦ Convenience & control
      ▪ Control who may sudo and what commands they can run
      ▪ Log operations performed under sudo
      ▪ Config file /etc/sudoers
  • Invocation
    ◦ sudo service network restart
      ▪ Runs the service command with root privileges
    ◦ sudo -s
      ▪ Executes a command shell with root privileges
    ◦ sudo -i
      ▪ Like su -, this executes a login shell with root privileges

  8. ifconfig
  • Get (and set) network interface configuration
    ◦ IP address and mask
    ◦ Hardware address
    ◦ Bytes sent/received/dropped/overrun/…
  • /sbin/ifconfig [interface] [options]
  • Useful to discover the host's IP address(es) and interface status

  9. netstat
  • Displays network-related status
    ◦ Network connections
    ◦ Routing tables
    ◦ Interface statistics
    ◦ Multicast memberships

  10. netstat
  • /bin/netstat
    ◦ w/o args, displays open sockets
    ◦ -a  display listening sockets also
    ◦ -t  show active TCP sockets
    ◦ -u  show active UDP sockets
    ◦ -p  show PID and process name
    ◦ -r  display routing tables
    ◦ -n  don't convert host addresses to names

  11. libpcap
  • Packet capture library
  • Obtains packets from host platform
  • Created at LBL
  • Maintained at www.tcpdump.org
    ◦ Sources, no binaries
    ◦ Version 1.2.1 released January 1, 2012

  12. tcpdump
  • Full-content packet capture and display
  • Packet input
    ◦ Directly from network interface
    ◦ From libpcap-format file
  • Packet output
    ◦ To screen
    ◦ To libpcap-format file
  • Packet filtering
  • Version 4.2.1 released January 1, 2012 at www.tcpdump.org

  13. tcpdump
  • /usr/sbin/tcpdump
    ◦ -i in  listen on interface in
    ◦ -n  don't convert host addresses to names
    ◦ -X  dump packet in hex and ASCII
    ◦ -e  dump Ethernet header also
    ◦ -r fn  read from pcap-format file fn
    ◦ -w fn  write out pcap-format file fn
  • Documentation at www.tcpdump.org
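The libpcap file layout that tcpdump -w writes and -r reads, as an added example (not from the course slides): a small Python reader that uses the magic number to pick the byte order, bounds each record's incl_len against snaplen before slicing, and splits the Ethernet header the way -e displays it. The two-record capture inside is constructed, with the MAC addresses and timestamps chosen for the example.

```python
"""Reader for the libpcap file format that tcpdump -w writes and tcpdump -r reads.
Added example for this page; not from the course slides."""
import struct
from typing import List, NamedTuple, Tuple
# First four bytes of the file, read big-endian -> (struct byte-order char, ticks per second)
MAGIC = {0xA1B2C3D4: (">", 10**6), 0xD4C3B2A1: ("<", 10**6),      # microsecond stamps
         0xA1B23C4D: (">", 10**9), 0x4D3CB2A1: ("<", 10**9)}      # nanosecond stamps

class Packet(NamedTuple):
    ts: float       # capture time, seconds since the epoch
    caplen: int     # bytes stored in the file (cut off at snaplen)
    origlen: int    # bytes seen on the wire
    data: bytes

def parse_pcap(buf: bytes) -> Tuple[int, int, List[Packet]]:
    """Return (linktype, snaplen, packets); raise ValueError on a malformed file."""
    if len(buf) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack_from(">I", buf, 0)[0]
    if magic not in MAGIC:
        raise ValueError("not a libpcap file: magic 0x%08x" % magic)
    e, ticks = MAGIC[magic]
    snaplen, linktype = struct.unpack_from(e + "HHiIII", buf, 4)[4:6]
    pkts, off = [], 24
    while off < len(buf):
        if len(buf) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl, orig = struct.unpack_from(e + "IIII", buf, off)
        off += 16
        # incl_len comes from the file: bound it before slicing, a foreign capture may lie
        if incl > snaplen or incl > orig or off + incl > len(buf):
            raise ValueError("bad record length %d at offset %d" % (incl, off - 16))
        pkts.append(Packet(sec + frac / ticks, incl, orig, buf[off:off + incl]))
        off += incl
    return linktype, snaplen, pkts

def ethernet_header(data: bytes) -> Tuple[str, str, int]:
    """Split a link-type 1 frame into (dst MAC, src MAC, EtherType), what tcpdump -e prints."""
    if len(data) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    mac = lambda b: ":".join("%02x" % x for x in b)
    return mac(data[0:6]), mac(data[6:12]), struct.unpack_from(">H", data, 12)[0]

def sample_capture() -> bytes:
    """Constructed two-record capture, little-endian as tcpdump writes it on x86."""
    frame = bytes.fromhex("ffffffffffff001122334455" "0806") + b"\x00" * 28   # 42-byte ARP-shaped frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)          # snaplen 65535, Ethernet
    rec = lambda sec, usec, f: struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return hdr + rec(1334000000, 500000, frame) + rec(1334000001, 0, frame[:20])
```

Feed parse_pcap the bytes of a real tcpdump -w file to walk its records; a capture cut short mid-record is reported instead of silently truncated.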

  14. wireshark, tshark
  • Full-content packet capture and display
  • Built-in protocol dissectors
    ◦ 1,170 protocols and counting (version 1.6.7, released April 6, 2012)
  • Packet input
    ◦ Directly from network interface
    ◦ From libpcap-format file, and many other formats
  • Packet output
    ◦ Interactive, screen-oriented
  • Packet filtering
    ◦ On capture
    ◦ On display

  15. wireshark, tshark
  • Other features
    ◦ capinfos
    ◦ dumpcap
    ◦ editcap
    ◦ mergecap
    ◦ text2pcap
  • http://www.wireshark.org/

  16. tcpreplay
  • Sends stored packets to network
    ◦ Useful for presenting fixed inputs to IDSs
  • Packet input
    ◦ From libpcap-format file
  • Packet output
    ◦ To network interface
  • Features
    ◦ tcpprep – determine client/server packets and prepare cache
    ◦ tcpreplay – replay pcap files at user-determined speeds
    ◦ tcprewrite – edit TCP, IP, Layer 2 headers on the fly
    ◦ tcpbridge – bridge network segments with tcprewrite
    ◦ tcpcapinfo – pcap file decoder

  17. tcpreplay
  • Canonical invocation
    ◦ tcpreplay -i eth0 sample.pcap
  • Options:
    ◦ -t  as fast as possible
    ◦ -M rate  send at this rate (Mbps)
    ◦ -p #  send this number of packets per second
    ◦ -x m  send m times as fast
    ◦ …
  • http://tcpreplay.synfin.net/
  • Some packets are not meant to be replayed

  18. traceroute
  • Uses the TTL field in the IP packet to map a network packet's path from source to destination host
  • Generates a serial list of routers between source and destination
  • Depends on ICMP messages
    ◦ If ICMP is blocked at the border, this won't work
  • Maintained at http://www-nrg.ee.lbl.gov/ftp.html

  19. tcptraceroute
  • Uses TCP SYN packets instead of ICMP or UDP echo
    ◦ Originally developed & maintained at http://michael.toren.net/code/tcptraceroute/
    ◦ Now inactive
    ◦ Better to use a modern traceroute's -T option

  20. nmap/zenmap
  • Network mapping tool
    ◦ Version 5.50 released January, 2011
  • Really a network scanner
  • Swiss army knife
  • Two-step process
    ◦ Identifies hosts on specified network segment(s)
    ◦ Scans specified ports on each host
  • Read the man page thoroughly
    ◦ Especially for limitations …
  • Zenmap is a GUI for nmap
  • Generally under-appreciated

  21. nmap
  • nmap
    ◦ subnet  e.g. 141.211.244.0/26
    ◦ -n  don't map addresses to names
    ◦ -sS  TCP SYN port scan
    ◦ -sT  TCP connect port scan
    ◦ -sU  UDP port scan
    ◦ -sV  detect service versions
    ◦ -s…  several more advanced scans
    ◦ -O  use fingerprinting to guess remote OS
    ◦ -T  manually set scan rate
    ◦ -p range  range of ports to scan
    ◦ … many more
  • Maintained at http://www.insecure.org/nmap/

  22. netcat
  • TCP/UDP utility
    ◦ http://nc110.sourceforge.net/ … the original, from 1996
    ◦ http://netcat.sourceforge.net/ … the portable version
  • Another, older, Swiss army knife
  • Features
    ◦ Send and receive TCP/UDP
    ◦ Listen on arbitrary ports
    ◦ TCP proxies
    ◦ Shell-script clients & servers
  • Read the man page thoroughly
  • Generally under-appreciated

  23. ps
  • Process status utility
  • Features
    ◦ Standard & custom process status listings
    ◦ Resource utilization summaries
  • Read the man page thoroughly

  24. ps
  • ps
    ◦ (none)  show your processes
    ◦ ax  show all processes
    ◦ l  show your processes, long format
    ◦ u  show your processes, user format
    ◦ v  show your processes, virtual memory format
    ◦ -l  show your processes, long format
    ◦ -f  show your processes, full format
    ◦ -F  show your processes, extra full format
    ◦ -H  show your processes, tree format
    ◦ -Lm  show all processes, with threads
    ◦ … many more

  25. top
  • Display Linux tasks
  • Features
    ◦ Dynamic process listings
    ◦ Ordered by specified resource
    ◦ System utilization summaries
    ◦ An interactive interface for process manipulation
    ◦ An extensive interactive interface for configuration
  • Read the man page thoroughly

  26. top
  • top
    ◦ (none)  show summary and process stats, updated every 3 secs
    ◦ -d n  … every n secs
    ◦ -u user  … stats for user user only
  • Interactive commands
    ◦ 1  toggle between aggregate and individual CPU stats
    ◦ k  kill a process
    ◦ O  change sort order
    ◦ r  renice a process
    ◦ u  show stats for specified user
    ◦ h  interactive help
    ◦ … many more

  27. vmstat
  • Report virtual memory statistics
  • Reports
    ◦ Processes running
    ◦ Physical memory usage
    ◦ Swap space I/O
    ◦ Block I/O
    ◦ System interrupts and context switches
    ◦ CPU utilization
    ◦ … all in 80 characters

  28. vmstat
  • vmstat
    ◦ (none)  show status
    ◦ n  show status every n seconds
    ◦ -a  show active/inactive instead of buffered/cached
    ◦ -f  # fork() system calls since boot
    ◦ -m  show kernel memory management stats (slabinfo)

  29. lsof
  • List open files
    ◦ Created for UNIX to find running processes preventing filesystem unmounts
    ◦ Many additional Linux features
  • For each process, shows
    ◦ Root and current directories
    ◦ Mapped shared memory libraries
    ◦ Open file names, descriptors, major/minor/inode numbers
    ◦ Open sockets, states, peer names

  30. lsof
  • lsof
    ◦ (none)  shows open files for all devices for all processes
    ◦ -p pid  shows open files for process pid
    ◦ -u user  shows open files for user name or uid user
    ◦ /dev/sdx  shows open files for device /dev/sdx
    ◦ /path/file  shows processes that have /path/file open
    ◦ -i @host  shows processes connected to host host
    ◦ … many more

  31. /proc
  • File-system view of userland
  • Features
    ◦ Global system status
    ◦ Per-process status
  • Much more detail than e.g. ps
  • Official interface for system information
  • Addresses a long-standing need in UNIX
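What netstat -tln and lsof -i read under the hood, as an added example that is not part of the slides: a Python parser for the /proc/net/tcp table that decodes the hex endpoints and state codes and flags listeners bound to every interface. The sample table is constructed, and the decoder assumes a little-endian host, where the kernel prints IPv4 addresses in host byte order.

```python
"""Parser for /proc/net/tcp, the table behind netstat -tn and lsof -i.
Added example for this page; not from the course slides."""
import socket
import struct
from typing import List, NamedTuple

# Kernel TCP state codes as printed in the st column (include/net/tcp_states.h)
TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
              0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
              0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING"}

Sock = NamedTuple("Sock", [("laddr", str), ("lport", int), ("raddr", str), ("rport", int),
                           ("state", str), ("uid", int), ("inode", int)])

def _endpoint(field: str):
    """'0100007F:0016' -> ('127.0.0.1', 22).  The address is hex in host byte order
    (little-endian assumed here, as on x86); the port is hex in network byte order."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text: str) -> List[Sock]:
    """Decode every row of /proc/net/tcp; the first line is the column header."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:          # blank or truncated row
            continue
        laddr, lport = _endpoint(f[1])
        raddr, rport = _endpoint(f[2])
        state = TCP_STATES.get(int(f[3], 16), f[3])
        socks.append(Sock(laddr, lport, raddr, rport, state, int(f[7]), int(f[9])))
    return socks

def exposed_listeners(socks: List[Sock]) -> List[Sock]:
    """Listeners bound to 0.0.0.0 answer on every interface, unlike a loopback-only bind;
    the inode column is what netstat -p and lsof match against /proc/<pid>/fd to name the owner."""
    return [s for s in socks if s.state == "LISTEN" and s.laddr == "0.0.0.0"]

# Constructed sample: sshd on all interfaces, a loopback-only MySQL, one outbound HTTPS session
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18462 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20417 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:DF68 0A0010AC:01BB 01 00000000:00000000 02:00000A1F 00000000  1000        0 31250 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for s in exposed_listeners(parse_proc_net_tcp(SAMPLE)):
        print("listening on all interfaces: port %d (uid %d, inode %d)" % (s.lport, s.uid, s.inode))
```

On a live Linux host, pass the contents of /proc/net/tcp to parse_proc_net_tcp and compare the result with netstat -tlnp to see the two agree on the listener set.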
