Linux Networking
Basics
netcat Commands
# Connect
nc -zv <ip> <port>
# Listen
nc -l -p <port> # Listen on port
nc -w3 <ip> <port> # Connect to IP on port with a 3-second timeout
# Search banners
echo | nc -v -n -w1 <ip> <port min>-<port max>
# Port scan
nc -v -n -z -w1 <ip> <port>
Telnet loop
#!/bin/bash
for i in $(cat ips); do
echo quit | timeout --signal=9 3 telnet "$i" 443
done
DNS
Resolve own IP
dig +short myip.opendns.com @resolver1.opendns.com
Resolve a name via nsswitch
getent hosts <host name>
CloudShark: Sharing network traces
DNS Lookup
dig <domain>
dig <domain> +noall +answer
dig <domain> +short
dig MX <domain>
dig NS <domain>
dig ANY <domain>
dig -x <IP>
dig -x <IP> +short
dig @8.8.8.8 <domain>
dig -f input.txt +noall +answer
DNS RR wrapsrv: CLI wrapper for DNS RR connections
apt-get install -y wrapsrv netcat
export eval $(wrapsrv <DNS name> "netcat -z %h %p && echo http_proxy=http://%h:%p")
DNSSEC - Verisign Online Tester: https://dnssec-debugger.verisignlabs.com/
DNS - CAA Support: Providers and Tools
DNS Servers
- Bind
- PowerDNS
- NSD
- ldns
DNS over TLS/HTTPS resolvers
DNS over TLS servers
Configuration
ethtool - Usage
ethtool eth0 # Print general info on eth0
ethtool -i eth0 # Print kernel module info
ethtool -S eth0 # Print eth0 traffic statistics
ethtool -a eth0 # Print RX, TX and auto-negotiation settings
ethtool -p eth0 # Blink LED
# Changing NIC settings...
ethtool -s eth0 speed 100
ethtool -s eth0 autoneg off
ethtool -s eth0 duplex full
ethtool -s eth0 wol g # Turn on wake-on-LAN
Do not forget to make changes permanent in e.g. /etc/network/interfaces.
ip - Usage
ip link show
ip link set eth0 up
ip addr show
ip neigh show
mii-tool - Show Link Info
# mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
product info: vendor 00:07:32, model 17 rev 4
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
link partner: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
Enable Jumbo Frames
ifconfig eth1 mtu 9000
Allow binding IP that does not exist
sysctl -w net.ipv4.ip_nonlocal_bind=1
NFS - Tuning Secrets: SGI Slides on NFS Performance
Troubleshooting
Black Hole Route: To block IPs create route on loopback
route add -net 91.65.16.0/24 gw 127.0.0.1 lo # for a subnet
route add 91.65.16.4 gw 127.0.0.1 lo # for a single IP
Quick Access Log IP Top List
tail -100000 access.log | awk '{print $1}' | sort | uniq -c |sort -nr|head -25
Find out if IP is used before configuring it
arping <IP>
Traceroute with AS and network name lookup
lft -AN www.google.de
dailychanges.com: Tracks DNS changes
Tuning network settings
Measuring
vnstat - Short term measurement bytes/packets min/avg/max:
vnstat -l # Live listing until Ctrl-C and summary
vnstat -tr # 5s automatic traffic sample
vnstat - Long term statistics:
vnstat -h # last hours (including ASCII graph)
vnstat -d # last days
vnstat -w # last weeks
vnstat -m # last months
vnstat -t # top 10 days
Benchmarks
Using curl metrics
You can use curl to measure resolving, time to connect, time to first byte and total time like this:
Issue sequential requests (each with new connection)
while true; do
curl -w "$(date +%FT%T) dns %{time_namelookup} connect %{time_connect} firstbyte %{time_starttransfer} total %{time_total} HTTP %{http_code}\n" -o /dev/null -s "https://example.com"
sleep 1
done
Issue sequential HTTP/1.1 requests on 1 connection
curl -w "$(date +%FT%T) dns %{time_namelookup} connect %{time_connect} firstbyte %{time_starttransfer} total %{time_total} HTTP %{http_code}\n" --keepalive -K <(printf 'url="https://example.com/"\n%.0s' {1..10000})
Discovery
LLDP
lldpctl
lldpctl eth0
nmap commands
Scan a Single Host or an IP Address
Scan a Single IP Address:
nmap 192.168.1.1
Scan a Host Name:
nmap server.shellhacks.com
Increase Verbosity Level:
nmap -v server.shellhacks.com
nmap -vv server.shellhacks.com
Scan Multiple IP Addresses
Scan Multiple IP Addresses:
nmap 192.168.1.1 192.168.1.2 192.168.1.3
nmap 192.168.1.1,2,3
Scan a Subnet:
nmap 192.168.1.0/24
nmap 192.168.1.*
Scan a Range of IP Addresses (192.168.1.0 – 192.168.1.200):
nmap 192.168.1.0-200
Scan Network for Active Computers
Scan for Active Hosts on a network:
nmap -sn 192.168.1.0/24
Scan a List of Hosts From Input File
Scan hosts/networks from the Input File:
nmap -iL input.txt
Format of the input file:
# Entries can be in any of the formats accepted by Nmap on the command line
# (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated
# by one or more spaces, tabs, or newlines.
$ cat input.txt
server.shellhacks.com
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200
Exclude IP/Hosts/Networks From Nmap Scan
Exclude Targets from Nmap scan:
nmap 192.168.1.0/24 --exclude 192.168.1.1
nmap 192.168.1.0/24 --exclude 192.168.1.1 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3
Exclude List of hosts from a file:
nmap 192.168.1.0/24 --excludefile exclude.txt
Format of the exclude file is the same as format of the input file shown above.
Scan For Specific Ports
Scan for a Single Port:
nmap -p 80 192.168.1.1
Scan for Several Ports:
nmap -p 80,443 192.168.1.1
Scan for a Port Range:
nmap -p 80-1000 192.168.1.1
Scan for All Ports:
nmap -p "*" 192.168.1.1
Scan for top most Common Ports:
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1
Determine Supported IP Protocols
Determine which IP Protocols (TCP, UDP, ICMP, etc.) are supported by target host:
nmap -sO 192.168.1.1
Scan For TCP/UDP Ports
Scan for All TCP Ports:
nmap -sT 192.168.1.1
Scan for Particular TCP Ports:
nmap -p T:80 192.168.1.1
Scan for All UDP Ports:
nmap -sU 192.168.1.1
Scan for Particular UDP Ports:
nmap -p U:53 192.168.1.1
Combine scanning of different ports:
nmap -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1
Perform a Fast Scan
Enable Fast Mode:
nmap -F 192.168.1.1
Scan fewer ports than the default scan.
Display the Reason a Port is in a Particular State
Display the Reason why Nmap thinks that a port is in a particular state:
nmap --reason 192.168.1.1
Show Only Open Ports
Show Only Open Ports (or possibly open):
nmap --open 192.168.1.1
OS Detection
One of Nmap’s best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.
After performing dozens of tests, Nmap compares the results to its database and prints out the OS details if there is a match.
Turn on OS Detection:
nmap -O 192.168.1.1
Service Version Detection
Turn on Version Detection:
nmap -sV 192.168.1.1
Discover what version of software is running on a remote host.
Firewall Detection
Find out if a host is protected by any Packet Filters or Firewall:
nmap -sA 192.168.1.1
MAC Address Spoofing
Spoof your MAC Address:
nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
Spoof your MAC Address with a Random MAC:
nmap --spoof-mac 0 192.168.1.1
Scan a Firewall For Security Vulnerabilities
These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. When scanning systems compliant with this RFC, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open.
As long as none of those three bits is included, any combination of the other three (FIN, PSH, and URG) is OK.
TCP Null Scan:
nmap -sN 192.168.1.1
Don’t set any bits (TCP flag header is 0).
TCP Fin Scan:
nmap -sF 192.168.1.1
Set just the TCP FIN bit.
TCP Xmas Scan:
nmap -sX 192.168.1.1
Set the FIN, PSH and URG flags (lighting the packet up like a Christmas tree).
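Seen from the defending side, the rule above is also a detection rule: ordinary TCP traffic almost always carries SYN, RST or ACK, so packets with none of those bits stand out in a capture. The following is an added example, not part of the original cheat sheet; the function names and the sample capture lines are constructed, and it assumes the flag letters printed by `tcpdump -nn tcp` (F, S, R, P, `.` for ACK, U, and `none`).

```shell
#!/bin/sh
# Constructed sample of `tcpdump -nn tcp` text output (not a real capture).
sample_capture() {
  cat <<'EOF'
12:00:01.000001 IP 10.0.0.5.40000 > 192.168.1.1.22: Flags [none], win 1024, length 0
12:00:01.000214 IP 192.168.1.1.22 > 10.0.0.5.40000: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:02.000001 IP 10.0.0.5.40001 > 192.168.1.1.80: Flags [F], seq 1, win 1024, length 0
12:00:03.000001 IP 10.0.0.5.40002 > 192.168.1.1.443: Flags [FPU], seq 1, win 1024, urg 0, length 0
12:00:04.000001 IP 10.0.0.9.51000 > 192.168.1.1.80: Flags [S], seq 100, win 64240, length 0
12:00:04.100001 IP 10.0.0.9.51000 > 192.168.1.1.80: Flags [F.], seq 200, ack 1, win 501, length 0
EOF
}

# Read tcpdump text on stdin; print "<kind> <source IP> <dest.port>" for every
# packet whose flag set contains none of SYN (S), RST (R) or ACK (.).
classify_probes() {
  awk '
    match($0, /Flags \[[^]]*\]/) {
      flags = substr($0, RSTART + 7, RLENGTH - 8)   # text between the brackets
      if (flags == "none") flags = ""
      if (flags ~ /[SR.]/) next                     # ordinary traffic, skip
      if (flags == "")         kind = "NULL"
      else if (flags == "F")   kind = "FIN"
      else if (flags == "FPU") kind = "XMAS"
      else                     kind = "ODD(" flags ")"
      src = $3; sub(/\.[0-9]+$/, "", src)           # drop the source port
      dst = $5; sub(/:$/, "", dst)                  # drop the trailing colon
      print kind, src, dst
    }'
}

# Count flagged packets per source IP and probe kind.
summarize_probes() {
  classify_probes |
    awk '{ n[$2 " " $1]++ } END { for (k in n) print k, n[k] }' | sort
}

sample_capture | summarize_probes
```

A normal connection teardown sends FIN together with ACK (`[F.]`), so it is not flagged; only the bare FIN is.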
Stealthy Scan
TCP SYN Scan:
nmap -sS 192.168.0.1
Also known as half-open scanning, as it doesn’t open a full TCP connection.
Disable Host Discovery (No Ping)
Don’t ping host before scanning:
nmap -Pn 192.168.1.1
Disable DNS Resolution
Never do reverse DNS Resolution on the active IP addresses it finds:
nmap -n 192.168.1.1
Save Output of Nmap Scan to a File
Save output of Nmap scan to a TEXT File:
nmap 192.168.1.1 > output.txt
nmap -oN output.txt 192.168.1.1
Save output of Nmap scan to an XML File:
nmap -oX output.xml 192.168.1.1
# Network scan
nmap -sP 192.168.0.0/24
# Host scan
nmap <ip>
nmap -F <ip> # fast
nmap -O <ip> # detect OS
nmap -sV <ip> # detect services and versions
nmap -sU <ip> # detect UDP services
# Alternative host discovery
nmap -PS <ip> # TCP SYN ping
nmap -PA <ip> # TCP ACK ping
nmap -PO <ip> # IP protocol ping
nmap -PU <ip> # UDP ping
# Alternative service discovery
nmap -sS <ip>
nmap -sT <ip>
nmap -sA <ip>
nmap -sW <ip>
# Checking firewalls
nmap -sN <ip>
nmap -sF <ip>
nmap -sX <ip>
Debugging
X-Trace - Multi-protocol tracing framework
iptraf - Real-time statistics in ncurses interfaces
mtr - Debug routing/packet loss issues
netstat - The different modes
# Typically used modes
netstat -rn # List routes
netstat -tlnp # List listening TCP sockets with owning process
netstat -tlnpc # Continuously do the above
netstat -tulpen # Extended connection view
netstat -a # List all sockets
# And more rarely used
netstat -s # List per protocol statistics
netstat -su # List UDP statistics
netstat -M # List masqueraded connections
netstat -i # List interfaces and counters
netstat -o # Watch time/wait handling
nttcp - TCP performance testing
# On sending host
nttcp -t -s
# On receiving host
nttcp -r -s
List Kernel Settings
sysctl net
SNMP - Dump all MIBs: When you need to find the MIB for an object known only by name try
snmpwalk -c public -v 1 -O s <myhost> .iso | grep <search string>
Hurricane Electric - BGP Tools: Statistics on all AS as well as links to their looking glasses.
darkstat - libpcap monitoring