1) ARP - Address Resolution Protocol
arp -a
(lists the hostname, IP address and MAC address of every neighbour currently in
this host's ARP cache. Entries are learned from ARP replies seen on the local
segment, so a forged reply can rewrite one of them: if the gateway's IP suddenly
maps to a different MAC, suspect ARP poisoning before suspecting a hardware swap)
=====OUTPUT========
lenovo.inca.infoblox.com (10.32.0.115) at 00:1a:6b:cd:b5:06 [ether] on eth0
loaner-it-lx.inca.infoblox.com (10.32.0.101) at 00:1c:c0:2f:89:25 [ether] on eth0
eng_gw.inca.infoblox.com (10.32.0.1) at 00:04:96:10:8d:e0 [ether] on eth0
=============
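An added example, not from the original post: a small POSIX shell script that parses `arp -a` output and reports the two symptoms of ARP poisoning a defender looks for, an IP whose MAC changed between two snapshots and a MAC that has appeared behind more than one IP. The two snapshots are constructed sample data in the same format as the output above (the hostnames are invented); on a live host you would feed it `arp -a` taken a few seconds apart.

```shell
#!/bin/sh
# Added example: compare two `arp -a` snapshots for signs of ARP poisoning.
# Sample data is constructed; hostnames are invented, the format is Linux arp -a.

BEFORE='lenovo.example.com (10.32.0.115) at 00:1a:6b:cd:b5:06 [ether] on eth0
loaner-it-lx.example.com (10.32.0.101) at 00:1c:c0:2f:89:25 [ether] on eth0
eng_gw.example.com (10.32.0.1) at 00:04:96:10:8d:e0 [ether] on eth0'

# In the second snapshot the gateway's IP now resolves to the MAC of 10.32.0.101,
# and a neighbour that never answered shows up as <incomplete>.
AFTER='lenovo.example.com (10.32.0.115) at 00:1a:6b:cd:b5:06 [ether] on eth0
loaner-it-lx.example.com (10.32.0.101) at 00:1c:c0:2f:89:25 [ether] on eth0
eng_gw.example.com (10.32.0.1) at 00:1c:c0:2f:89:25 [ether] on eth0
? (10.32.0.200) at <incomplete> on eth0'

# arp_table: read `arp -a` lines on stdin, print "ip mac" per resolved entry.
# Unresolved (<incomplete>) entries carry no MAC and are skipped.
arp_table() {
    awk '/ at [0-9a-fA-F:]+ / { ip = $2; gsub(/[()]/, "", ip); print ip, tolower($4) }'
}

# arp_changed BEFORE AFTER: print "ip old_mac new_mac" for every IP whose MAC
# differs between the snapshots. A changed gateway MAC is the classic
# man-in-the-middle symptom.
arp_changed() {
    {
        printf '%s\n' "$1" | arp_table | sed 's/^/B /'
        printf '%s\n' "$2" | arp_table | sed 's/^/A /'
    } | awk '
        $1 == "B" { old[$2] = $3 }
        $1 == "A" && ($2 in old) && old[$2] != $3 { print $2, old[$2], $3 }'
}

# arp_shared_macs SNAPSHOT: print "mac ip1 ip2 ..." for every MAC that sits
# behind more than one IP. Legitimate on a router with several addresses,
# suspicious when one of the IPs is the gateway and another a workstation.
arp_shared_macs() {
    printf '%s\n' "$1" | arp_table | awk '
        { n[$2]++; ips[$2] = ips[$2] " " $1 }
        END { for (m in n) if (n[m] > 1) print m ips[m] }'
}

echo "MAC changes between snapshots:"
arp_changed "$BEFORE" "$AFTER"
echo "MACs claimed by several IPs in the second snapshot:"
arp_shared_macs "$AFTER"
```

`ip neigh` prints the cache in a different column layout, so only the `arp_table` parser would need adjusting to use it; the comparison functions work on the normalised "ip mac" pairs.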
2) traceroute - Traces the route a packet takes to reach the destination and lists every router it crosses (by default with UDP probes; hops that drop or rate-limit ICMP time-exceeded replies show up as *)
traceroute 10.34.90.110
====OUTPUT======
traceroute to 10.34.90.110 (10.34.90.110), 30 hops max, 60 byte packets
1 eng_gw.inca.info.com (10.32.0.1) 1.121 ms 1.155 ms 1.193 ms
2 eng-switch.inca.info.com (10.255.34.2) 88.346 ms 88.535 ms 88.717 ms
3 scmserver1 (10.34.90.110) 75.210 ms 75.315 ms 75.423 ms
==========
3) ping - Basic way to check whether a host on the network is reachable. No reply does not prove the host is down, since hosts and firewalls commonly drop ICMP echo requests. A (DUP!) reply, as in the output below, means one request was answered more than once; on a segment where that is not expected it is worth investigating.
=====OUTPUT======
ping 10.34.90.110
PING 10.34.90.110 (10.34.90.110) 56(84) bytes of data.
64 bytes from 10.34.90.110: icmp_req=1 ttl=62 time=9.63 ms
64 bytes from 10.34.90.110: icmp_req=1 ttl=62 time=9.85 ms (DUP!)
=================
a) ping -c 3 10.34.90.110
ping only three times
4) lsof - list open files
Can be used to check whether a port is in use, by how many sockets and by which process (PID). In the example below, 80 is the port number for http. Without root, lsof only shows the current user's own processes.
=====OUTPUT======
[amurugan@amurugan-lx ~]$ lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firefox-b 469 amurugan 67u IPv4 50922854 0t0 TCP amurugan-lx.inca.info.com:54066->solint3.sols.com:http (ESTABLISHED)
firefox-b 469 amurugan 81u IPv4 65637618 0t0 TCP amurugan-lx.inca.info.com:37499->phx1-dw-xw-lb.cnet.com:http (ESTABLISHED)
===============
b) To list the IPv4 sockets with numeric ports, hosts and UIDs (no name lookups; +M also reports portmapper registrations), enter:
# lsof -Pnl +M -i4
c) To list the IPv6 sockets, enter:
# lsof -Pnl +M -i6
5) dmesg - print or control the kernel ring buffer
Can be used to figure out which devices were attached to USB, since the kernel logs every driver bind. On current kernels an unprivileged user may need root to read it (kernel.dmesg_restrict=1).
=========OUTPUT======
[3288265.502041] pl2303 ttyUSB0: pl2303 converter now connected to ttyUSB0
======================
6) ifconfig - Check if your interface is configured
=======OUTPUT========
ifconfig
eth0 Link encap:Ethernet HWaddr 00:60:08:93:0E:05
inet addr:128.42.14.176 Bcast:128.42.14.255 Mask:255.255.255.0
EtherTalk Phase 2 addr:49600/201
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33933225 errors:0 dropped:0 overruns:0 frame:0
TX packets:38375051 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
EtherTalk Phase 2 addr:0/0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:3527806 errors:0 dropped:0 overruns:0 frame:0
TX packets:3527806 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
====================
a) To set up an interface, issue the following command (requires root)
ifconfig eth0 128.42.14.176 netmask 255.255.255.0 up
b) deactivate eth0
ifdown eth0
c) activate eth0
ifup eth0
7) route
Routing is just a set of rules that control how network traffic is directed. The -n flag prints addresses numerically instead of resolving them.
=======OUTPUT============
[amurugan@amurugan-lx ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.32.0.0 0.0.0.0 255.255.0.0 U 1 0 0 eth0
0.0.0.0 10.32.0.1 0.0.0.0 UG 0 0 0 eth0
=========================
a) route add -net <naddr> netmask <maddr> gw <gaddr> eth0
b) route add default gw <gaddr> eth0
or
ip route add default via <gaddr> dev eth0
c) route add -host 10.0.0.1 gw 192.168.1.254 eth0
If you want to add a route to an individual server, use the "-host" switch with no netmask value (route then knows the mask should be 255.255.255.255).
d) The same with iproute2, which replaces route on current distributions:
ip route show
ip route add 192.168.1.0/24 dev eth0
ip route delete 192.168.1.0/24 dev eth0
All of these change the kernel table immediately and require root; they do not survive a reboot unless also placed in the distribution's network configuration.
8) Name resolution
This is the part of networking that maps www.yahoo.com onto an IP address. Three files are involved: /etc/host.conf, /etc/hosts, /etc/resolv.conf. Respectively, they should contain:
/etc/host.conf:
order hosts,bind
multi on
/etc/hosts:
127.0.0.1 localhost loopback
<yaddr> this.host.name
If you don't have a hostname, you can leave off the second line.
/etc/resolv.conf:
domain yourdept.yourcompany.com
search yourdept.yourcompany.com yourcompany.com
nameserver <daddr>
You can add additional 'nameserver <daddr>' lines if you have a secondary (or tertiary) DNS. The search line is just a list of domains to be searched when you type an incomplete hostname; the domain line is the domain you belong to (domain and search are mutually exclusive in resolv.conf, and when both are present the last one wins). On glibc systems the lookup order actually comes from the hosts: line of /etc/nsswitch.conf (host.conf is legacy). Because /etc/hosts is consulted before DNS, an entry added there silently redirects a name; check it first when a host resolves to something unexpected.
9) TCPDUMP
a) tcpdump -i eth0 tcp port 80
This will monitor the interface eth0 for all traffic being sent to or from port 80
b) tcpdump -i eth0 tcp dst port 80 and src host 10.32.2.56
only shows traffic from 10.32.2.56 to port 80, i.e. that host's outbound HTTP requests; the replies (source port 80) are not matched
c) tcpdump -q -i eth0 tcp dst port 22 and src host 10.32.2.56
-q (quiet) prints less protocol detail per packet, for when you don't need all the extraneous information and just want to see the connections directly
d) To capture all the packets related to dhcp, issue the below command
tcpdump -i any port bootps or port bootpc
or
tcpdump -i any port 67 or port 68
e) To split a large pcap file into smaller 10 MB files
tcpdump -r old_file -w new_files -C 10
The "-C" option gives the size at which to start a new file, in units of 1,000,000 bytes (not 1,048,576). In the above case the new files (new_files, new_files1, new_files2, ...) will be 10 million bytes each.
10) netstat
a) The netstat -nr command prints the contents of the routing table. Networks with a gateway of 0.0.0.0 are directly connected to the interface: no gateway is needed to reach your own directly connected subnet, so 0.0.0.0 is the natural value. The route with a destination address of 0.0.0.0 is your default gateway.
]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 40 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 wlan0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 192.168.1.1 0.0.0.0 UG 40 0 0 wlan0
b) To list only the listening sockets
]# netstat -ntl | grep <port number>
or
]# netstat -l | grep http
c) To show the program and PID to which each listening socket belongs (root is needed to see other users' processes)
]# netstat -ntlp | grep 389
# netstat -tulpn | grep :80
d) ss is used to dump socket statistics and replaces netstat on current distributions; the same flags apply
ss -ntlp | grep synergy
LISTEN 0 3 *:24800 *:* users:(("synergys",2697,6))
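An added example, not from the original post: a shell function that parses `ss -ntlp` output into address/port/process triples and reports every listener missing from an expected baseline, which is the check an incident responder runs on a host suspected of carrying a bind shell or an unsanctioned service. The ss output is constructed sample data that mixes the older `users:(("synergys",2697,6))` format shown above with the current `pid=` format, and the baseline list is an assumption made for the example.

```shell
#!/bin/sh
# Added example: find listening sockets that are not in a known-good baseline.
# The ss output and the baseline below are constructed sample data.

SS_OUT='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      3      *:24800              *:*               users:(("synergys",2697,6))
LISTEN 0      128    127.0.0.1:631        0.0.0.0:*         users:(("cupsd",pid=901,fd=7))
LISTEN 0      10     0.0.0.0:4444         0.0.0.0:*         users:(("nc",pid=4120,fd=3))'

# Baseline: "port process" pairs this host is expected to listen on (assumed).
BASELINE='22 sshd
631 cupsd'

# ss_listeners: read `ss -ntlp` output on stdin, print "addr port process" for
# each LISTEN line. The port is everything after the last ":" so IPv6 forms like
# [::]:22 parse correctly; the process is the first quoted name in the users:()
# field, or "-" when ss could not show it (no -p, or not root).
ss_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        proc = "-"
        if (match($6, /"[^"]*"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
        print addr, port, proc
    }'
}

# unexpected_listeners BASELINE SS_OUTPUT: print "addr port process" for every
# listener whose port/process pair is not in the baseline. A known port served
# by an unknown process (e.g. 22 by something other than sshd) is reported too.
unexpected_listeners() {
    {
        printf '%s\n' "$1" | sed 's/^/B /'
        printf '%s\n' "$2" | ss_listeners | sed 's/^/S /'
    } | awk '
        $1 == "B" { ok[$2 " " $3] = 1 }
        $1 == "S" && !(($3 " " $4) in ok) { print $2, $3, $4 }'
}

echo "Listeners not in baseline:"
unexpected_listeners "$BASELINE" "$SS_OUT"
```

On a live host replace the constructed `SS_OUT` with `$(ss -ntlp)` run as root, and keep the baseline under version control so a diff of its history explains every approved change.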
11) snoop - coming soon
12) wireshark tips
a) To see all the packets related to dhcp in wireshark GUI, apply the filter
bootp
(on Wireshark 3.0 and later the dissector was renamed, so the filter is dhcp)
b) tcpdump -i any port bootps or port bootpc
or
tcpdump -i any port 67 or port 68
c) Filters for wireshark GUI,
ip.src == 10.35.2.74
ip.dst == 10.32.1.171
ip.addr == 10.35.2.74
ip.src != 10.1.2.3 or ip.dst != 10.4.5.6
tcp.port == 25
tcp.dstport == 25
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
smb || nbns || dcerpc || nbss || dns
ip.src == 10.43.54.65 or ip.dst == 10.43.54.65
! ( ip.addr == 10.43.54.65 )
To filter based on MAC address (eth.addr matches either direction and eth.src/eth.dst one direction, so the first term below is implied by the second; the last term keeps only broadcast frames)
eth.addr==00:30:48:bc:96:0f and eth.src==00:30:48:bc:96:0f and eth.dst==ff:ff:ff:ff:ff:ff
d) To filter based on dhcp option type number:
bootp.option.type==118
(dhcp.option.type==118 on Wireshark 3.0 and later)
e) Tip: you don't need to remember all the filters. The easy way is to select the particular field you want to filter in the packet details pane, right-click, choose "Apply as Filter" and click "Selected".
13) nmap - Network exploration tool and security / port scanner
a) To do a simple host discovery sweep of a network (no port scan)
nmap -sP 10.35.0.0/24 <= Ping Scan
nmap -sP 192.168.0.1-255 <= Ping Scan
(-sP is the old name; current nmap calls it -sn and still accepts -sP. Run as root it uses ARP on the local segment and TCP/ICMP probes elsewhere, so it also finds hosts that drop plain ICMP echo.)
b) nmap -sT 192.168.0.1
Simplest form of port scanning: it completes a full TCP connect() to each scanned port (the 1000 most common by default) and lists which ones are open. It needs no raw-socket privilege, but every connection is visible in the target's logs; the half-open SYN scan (-sS) is quieter and is what nmap uses by default when run as root.
c) nmap -O -v 10.x.x.x
OS detection (-O, root only) with verbose output, if you need more information about the host you are scanning.
14) arp-scan - The ARP scanner
arp-scan --interface=eth0 192.168.0.0/24
Sends an ARP request for every address in the range and lists who answers, with MAC and vendor. It needs root (raw sockets) and only works on the directly attached segment, but since every IP host must answer ARP it finds hosts that drop ICMP and TCP probes.
15) Netfilter - IP tables rules
a) List all rules
iptables -L
b) Flush all rules (this empties the chains but leaves the chain policies unchanged)
iptables -F
c) Set the default policy of the INPUT/OUTPUT/FORWARD chains to DROP, so anything not explicitly accepted is discarded
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
On a remote machine run these only after the ACCEPT rules below are in place, or the SSH session is cut off as well.
d) Allow traffic only from a particular source (and replies back to it). In the OUTPUT chain the interface match is -o, not -i (iptables rejects -i there), and the peer is the destination, -d:
iptables -A INPUT -i eth0 -s 10.32.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.32.1.171 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 10.32.0.0/16 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 10.32.1.171 -j ACCEPT
These rules are stateless; a usable allowlist also accepts loopback and ESTABLISHED,RELATED traffic before them.
e) Block outgoing traffic
# block outgoing traffic to ip 1.2.3.4
iptables -A OUTPUT -d 1.2.3.4 -j DROP
# block outgoing traffic to port 5678
iptables -A OUTPUT -p tcp --dport 5678 -j DROP
# block outgoing traffic to 1.2.3.4:5678
iptables -A OUTPUT -p tcp -d 1.2.3.4 --dport 5678 -j DROP
f) To save and restore iptables
i) saves the current iptables rules to a file
iptables-save > rules.txt
ii) To restore the iptables rules from a file
iptables-restore < rules.txt
Note:
-A: Append to the INPUT/OUTPUT/FORWARD chain (-I inserts at the top; order matters, the first matching rule wins)
-i : input interface (INPUT/FORWARD); -o : output interface (OUTPUT/FORWARD)
-s: Source address (Layer 3)
-d: Destination address (Layer 3)
-j : Jump or Target ACCEPT/DROP/REJECT/LOG (DENY was an ipchains target and does not exist in iptables; REJECT answers with an ICMP error or TCP RST, DROP answers with nothing)
[Layer4] --sport(source port), --dport(destination port), valid only after -p tcp or -p udp
-p (protocol tcp/udp/icmp)
Anatomy of an iptables command
1. the action on a chain (-A append / -I insert / -R replace / -D delete) and the chain name (INPUT, OUTPUT, FORWARD or a user-defined chain)
2. the table (-t filter, the default, or nat/mangle/raw)
3. the layer 3 match: source/destination address, -s/-d
4. optionally a layer 4 match: protocol and ports, -p, --sport/--dport
5. the target, -j: ACCEPT/DROP/REJECT/LOG or a user-defined chain
============================
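An added example, not from the original post: a shell script that writes the allowlist from d) above as an iptables-restore ruleset and lints it for the remote lock-out mistake (policy DROP with no ESTABLISHED,RELATED accept). Loading a whole file with `iptables-restore` is atomic, so the ACCEPT rules and the DROP policies take effect together instead of in the order they are typed. The interface and addresses are the ones used in this section; the generator only prints the ruleset and nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example: generate an iptables-restore allowlist and lint it for the
# "policy DROP but nothing accepts established traffic" lock-out mistake.
# Intended use (as root):
#   gen_allowlist_rules eth0 10.32.0.0/16 10.32.1.171 > rules.txt
#   iptables-restore < rules.txt        # loads the whole file atomically

# gen_allowlist_rules IFACE PEER...: print a filter-table ruleset that accepts
# loopback, replies to existing connections and traffic to/from each PEER on
# IFACE, logs what INPUT drops, and drops everything else by policy.
gen_allowlist_rules() {
    iface=$1
    shift
    printf '%s\n' '*filter'
    # Policies are part of the same atomic load as the ACCEPT rules below.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Stateful accept first: without these, the DROP policy cuts off the SSH
    # session that loaded the rules and every reply to outbound connections.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for peer in "$@"; do
        # INPUT matches the peer as source on the input interface (-i, -s);
        # OUTPUT matches it as destination on the output interface (-o, -d).
        printf '%s\n' "-A INPUT -i $iface -s $peer -j ACCEPT"
        printf '%s\n' "-A OUTPUT -o $iface -d $peer -j ACCEPT"
    done
    # Log (rate-limited) what the policy is about to drop, for troubleshooting.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# lint_rules: read an iptables-restore file on stdin; exit 1 (with a message)
# for any chain whose policy is DROP without an ESTABLISHED accept rule.
lint_rules() {
    awk '
        /^:INPUT DROP/                               { drop["INPUT"] = 1 }
        /^:OUTPUT DROP/                              { drop["OUTPUT"] = 1 }
        /^-A INPUT .*--ctstate [A-Z,]*ESTABLISHED/   { est["INPUT"] = 1 }
        /^-A OUTPUT .*--ctstate [A-Z,]*ESTABLISHED/  { est["OUTPUT"] = 1 }
        END {
            bad = 0
            for (c in drop) if (!(c in est)) {
                print "lock-out risk: " c " policy DROP without ESTABLISHED,RELATED accept"
                bad = 1
            }
            exit bad
        }'
}

RULES=$(gen_allowlist_rules eth0 10.32.0.0/16 10.32.1.171)
printf '%s\n' "$RULES"
printf '%s\n' "$RULES" | lint_rules && echo "lint: no lock-out risk found"
```

The lint is deliberately narrow: it catches the one mistake that locks an administrator out, not every possible error. For a full dry run, `iptables-restore --test < rules.txt` parses the file without loading it.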
16) vmstat
1. Execute vmstat, refreshing every second until interrupted
# vmstat 1
2. Execute vmstat every 'X' seconds, 'N' times (here every 2 seconds, 6 times)
# vmstat 2 6
3. Vmstat with timestamps
vmstat command with -t parameter shows timestamps with every line printed as shown below.
]$ vmstat -t 1 5
4. Summary of various counters
vmstat with the -s switch displays a summary of event counters and memory statistics accumulated since boot.
]$ vmstat -s
1030800 total memory
524656 used memory
277784 active memory
185920 inactive memory
506144 free memory
26864 buffer memory
5. Disk statistics
vmstat with the -d option displays statistics for all disks.
[tecmint@tecmint ~]$ vmstat -d
disk- ------------reads------------ ------------writes----------- -----IO------
total merged sectors ms total merged sectors ms cur sec
ram0 0 0 0 0 0 0 0 0 0 0
ram1 0 0 0 0 0 0 0 0 0 0
6. Display statistics in megabytes
vmstat displays in megabytes with the parameters -S M (the unit letter is k, K, m or M). By default vmstat displays statistics in kilobytes.
[root@tecmint ~]# vmstat -S M 1 5
7. Display CPU and I/O statistics
iostat without arguments displays CPU utilisation and I/O statistics for all block devices, averaged since boot, as shown below.
[root@tecmint ~]# iostat
Linux 2.6.32-279.el6.i686 (tecmint.com) 09/03/2012 _i686_ (1 CPU)
avg-cpu: %user %nice %system %iowait %steal %idle
0.12 0.01 1.54 2.08 0.00 96.24
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
sda 3.59 161.02 13.48 1086002 90882
dm-0 5.76 159.71 13.47 1077154 90864
dm-1 0.05 0.38 0.00 2576 0
8. Show only CPU statistics
iostat with the -c argument displays only CPU statistics as shown below.
[root@tecmint ~]# iostat -c
9. Show only disk I/O statistics
iostat with the -d argument displays only the I/O statistics of all devices as shown.
[root@tecmint ~]# iostat -d
10. Show I/O statistics of a single device only
By default it displays statistics for all devices; with -p and a device name it displays only that device and its partitions, as shown.
[root@tecmint ~]# iostat -p sda
11. Display LVM statistics
With -N (uppercase) iostat prints the registered device-mapper names (the LVM logical volume names) instead of dm-0, dm-1, as shown.
[root@tecmint ~]# iostat -N
12. iostat version.
With -V (Uppercase) parameter displays version of iostat as shown.
[root@tecmint ~]# iostat -V
=================================================