Hands-On Network Security: Practical Tools & Methods (PowerPoint PPT Presentation)



SLIDE 1

Hands-On Network Security: Practical Tools & Methods

Security Training Course

Dr. Charles J. Antonelli
The University of Michigan, 2012

SLIDE 2

Hands-On Network Security

Module 1: Fundamental Tools

SLIDE 3

Roadmap

  • Review of generally useful tools
      • Linux (Unix) centric
      • General overview
      • Several tools revisited later
  • There are many, many other useful tools
      • Some introduced in course modules
      • Most freely available on the Internet

04/12

cja 2012

SLIDE 4

Tool Basics

  • less, man
  • su, sudo
  • ifconfig
  • netstat
  • tcpdump
  • wireshark, tshark
  • tcpreplay
  • traceroute
  • tcptraceroute
  • nmap/zenmap
  • netcat
  • ps
  • top
  • vmstat
  • lsof
  • /proc
  • whois
  • nslookup, dig
  • Accounting
  • Miscellany


SLIDE 5

less, man

  • less
      • Standard paginating tool for Unix/Linux
  • man
      • Standard manual page tool for Unix/Linux

SLIDE 6

su

  • su id
      • Change to user id
      • If no id is given, change to the superuser (root)
      • Authenticate by giving the new user’s password
      • Starts a command shell with the new user’s privileges
  • Invocation
      • su
      • su -
          • Like su, but executes a login shell, which gets the correct command search paths

SLIDE 7

sudo

  • sudo command
      • Run commands as root
      • Authenticate by giving your own password
      • Runs the command with root’s privileges
  • Convenience & control
      • Control who may sudo and what commands they can run
      • Log operations performed under sudo
      • Config file /etc/sudoers
  • Invocation
      • sudo service network restart
          • Runs the service command with root privileges
      • sudo -s
          • Executes a command shell with root privileges
      • sudo -i
          • Like su -, this executes a login shell with root privileges
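As an added illustration of the control /etc/sudoers gives (not a fragment from the course), here is the blanket grant beside a least-privilege rule that lets a hypothetical group netadmin run only the network-restart command from the slide as root, plus a Defaults line that logs every invocation to its own file:

```text
# /etc/sudoers fragment (added example; edit only with visudo, which syntax-checks the file)

# Blanket grant: alice may run any command as any user. Convenient, but no control.
alice     ALL=(ALL) ALL

# Least privilege: members of the hypothetical group netadmin may run exactly one
# command as root, the one from the slide. Anything else is refused, and the refusal is logged.
%netadmin ALL=(root) /sbin/service network restart

# In addition to syslog, keep a dedicated log of every sudo invocation
Defaults  logfile=/var/log/sudo.log
```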

SLIDE 8

ifconfig

  • Get (and set) network interface configuration
      • IP address and mask
      • Hardware address
      • Bytes sent/received/dropped/overrun/…
  • /sbin/ifconfig [interface] [options]
  • Useful to discover a host’s IP address(es) and interface status

SLIDE 9

netstat

  • Displays network-related status
      • Network connections
      • Routing tables
      • Interface statistics
      • Multicast memberships

SLIDE 10

netstat

  • /bin/netstat
      • Without arguments, displays open sockets
      • -a    display listening sockets also
      • -t    show active TCP sockets
      • -u    show active UDP sockets
      • -p    show PID and process name
      • -r    display routing tables
      • -n    don’t convert host addresses to names

SLIDE 11

libpcap

  • Packet capture library
      • Obtains packets from host platform
  • Created at LBL
  • Maintained at www.tcpdump.org
      • Sources, no binaries
  • Version 1.2.1 released January 1, 2012

SLIDE 12

tcpdump

  • Full-content packet capture and display
  • Packet input
      • Directly from network interface
      • From libpcap-format file
  • Packet output
      • To screen
      • To libpcap-format file
  • Packet filtering
  • Version 4.2.1 released January 1, 2012 at www.tcpdump.org

SLIDE 13

tcpdump

  • /usr/sbin/tcpdump
      • -i in    listen on interface in
      • -n       don’t convert host addresses to names
      • -X       dump packet in hex and ASCII
      • -e       dump Ethernet header also
      • -r fn    read from pcap-format file fn
      • -w fn    write out pcap-format file fn
  • Documentation at www.tcpdump.org
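The libpcap file format that -r reads and -w writes is simple enough to build by hand. The following Python is an added example, not course code: it produces a one-packet pcap (an ARP request, chosen because it carries no checksum) and parses the global and per-record headers back out; the MAC, the IP addresses and the timestamp are constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap; stored in host (here little-endian) order
LINKTYPE_ETHERNET = 1          # what tcpdump -i eth0 -w records


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # 24 bytes: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts_sec, ts_usec=0):
    # 16-byte per-packet header: timestamp, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def arp_request(sender_mac, sender_ip, target_ip):
    """Broadcast Ethernet frame carrying an ARP who-has (14 + 28 bytes, no checksum)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # htype, ptype, hlen, plen, op=request
    return eth + arp + sender_mac + sender_ip + b"\x00" * 6 + target_ip


def build_pcap(frames, ts_sec=1333670400):
    """Bytes of a complete pcap file; frames get consecutive microsecond timestamps (constructed)."""
    out = pcap_global_header()
    for i, frame in enumerate(frames):
        out += pcap_record(frame, ts_sec, i)
    return out


def parse_pcap(data):
    """Reverse of build_pcap: (linktype, [(ts_sec, ts_usec, frame), ...]) from file bytes."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file, magic %#x" % magic)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        packets.append((ts_sec, ts_usec, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, packets


if __name__ == "__main__":
    # Constructed sample: host 192.168.0.1 asks who has 192.168.0.2
    frame = arp_request(bytes.fromhex("0200c0a80001"), bytes([192, 168, 0, 1]), bytes([192, 168, 0, 2]))
    with open("sample.pcap", "wb") as f:
        f.write(build_pcap([frame]))
    print(parse_pcap(build_pcap([frame])))    # then: tcpdump -n -e -r sample.pcap
```

The file it writes opens in wireshark and tcpreplay as well, since both take the same libpcap format as input.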

SLIDE 14

wireshark, tshark

  • Full-content packet capture and display
  • Built-in protocol dissectors
      • 1,170 protocols and counting (version 1.6.7, released April 6, 2012)
  • Packet input
      • Directly from network interface
      • From libpcap-format file, and many other formats
  • Packet output
      • Interactive, screen-oriented
  • Packet filtering
      • On capture
      • On display

SLIDE 15

wireshark, tshark

  • Other features
      • capinfos
      • dumpcap
      • editcap
      • mergecap
      • text2pcap
  • http://www.wireshark.org/

SLIDE 16

tcpreplay

  • Sends stored packets to network
      • Useful for presenting fixed inputs to IDSs
  • Packet input
      • From libpcap-format file
  • Packet output
      • To network interface
  • Features
      • tcpprep – determine client/server packets and prepare cache
      • tcpreplay – replay pcap files at user-determined speeds
      • tcprewrite – edit TCP, IP, Layer 2 headers on the fly
      • tcpbridge – bridge network segments with tcprewrite
      • tcpcapinfo – pcap file decoder

SLIDE 17

tcpreplay

  • Canonical invocation
      • tcpreplay -i eth0 sample.pcap
  • Options:
      • -t         as fast as possible
      • -M rate    send at this rate (Mbps)
      • -p #       send this number of packets per second
      • -x m       send m times as fast
  • http://tcpreplay.synfin.net/
  • Some packets are not meant to be replayed

SLIDE 18

traceroute

  • Uses the TTL field in the IP packet to map a packet’s path from source to destination host
  • Generates a serial list of routers between source and destination
  • Depends on ICMP messages
      • If ICMP is blocked at the border, this won’t work
  • Maintained at http://www-nrg.ee.lbl.gov/ftp.html

SLIDE 19

tcptraceroute

  • Uses TCP SYN packets instead of ICMP or UDP echo
  • Originally developed & maintained at http://michael.toren.net/code/tcptraceroute/
      • Now inactive
  • Better to use a modern traceroute’s -T option

SLIDE 20

nmap/zenmap

  • Network mapping tool
      • Version 5.50 released January, 2011
  • Really a network scanner
      • Swiss army knife
  • Two-step process
      • Identifies hosts on specified network segment(s)
      • Scans specified ports on each host
  • Read the man page thoroughly
      • Especially for limitations …
  • Zenmap is a GUI for nmap
      • Generally under-appreciated

SLIDE 21

nmap

  • nmap
      • subnet      e.g. 141.211.244.0/26
      • -n          don’t map addresses to names
      • -sS         TCP SYN port scan
      • -sT         TCP connect port scan
      • -sU         UDP port scan
      • -sV         detect service versions
      • -s…         several more advanced scans
      • -O          use fingerprinting to guess remote OS
      • -T          manually set scan rate
      • -p range    range of ports to scan
      • many more
  • Maintained at http://www.insecure.org/nmap/

SLIDE 22

netcat

  • TCP/UDP utility
      • http://nc110.sourceforge.net/ … the original, from 1996
      • http://netcat.sourceforge.net/ … the portable version
  • Another, older, Swiss army knife
  • Features
      • Send and receive TCP/UDP
      • Listen on arbitrary ports
      • TCP proxies
      • Shell-script clients & servers
  • Read the man page thoroughly
  • Generally under-appreciated

SLIDE 23

ps

  • Process status utility
  • Features
      • Standard & custom process status listings
      • Resource utilization summaries
  • Read the man page thoroughly

SLIDE 24

ps

  • ps
      • (none)    show your processes
      • ax        show all processes
      • l         show your processes, long format
      • u         show your processes, user format
      • v         show your processes, virtual memory format
      • -l        show your processes, long format
      • -f        show your processes, full format
      • -F        show your processes, extra full format
      • -H        show your processes, tree format
      • -Lm       show all processes, with threads
      • many more

SLIDE 25

top

  • Display Linux tasks
  • Features
      • Dynamic process listings
      • Ordered by specified resource
      • System utilization summaries
      • An interactive interface for process manipulation
      • An extensive interactive interface for configuration
  • Read the man page thoroughly

SLIDE 26

top

  • top
      • (none)     show summary and process stats, updated every 3 secs
      • -d n       … every n secs
      • -u user    … stats for user user only
  • Interactive commands
      • 1    toggle between aggregate and individual CPU stats
      • k    kill a process
      • O    change sort order
      • r    renice a process
      • u    show stats for specified user
      • h    interactive help
      • many more

SLIDE 27

vmstat

  • Report virtual memory statistics
  • Reports
      • Processes running
      • Physical memory usage
      • Swap space I/O
      • Block I/O
      • System interrupts and context switches
      • CPU utilization
      • … all in 80 characters

SLIDE 28

vmstat

  • vmstat
      • (none)    show status
      • n         show status every n seconds
      • -a        show active/inactive instead of buffered/cached
      • -f        number of fork() system calls since boot
      • -m        show kernel memory management stats (slabinfo)

SLIDE 29

lsof

  • List open files
  • Created for UNIX to find running processes preventing filesystem unmounts
  • Many additional Linux features
  • For each process, shows
      • Root and current directories
      • Mapped shared memory libraries
      • Open file names, descriptors, major/minor/inode numbers
      • Open sockets, states, peer names

SLIDE 30

lsof

  • lsof
      • (none)        shows open files for all devices for all processes
      • -p pid        shows open files for process pid
      • -u user       shows open files for user name or uid user
      • /dev/sdx      shows open files for device /dev/sdx
      • /path/file    shows processes that have /path/file open
      • -i @host      shows processes connected to host host
      • many more

SLIDE 31

/proc

  • File-system view of userland
  • Features
      • Global system status
      • Per-process status
      • Much more detail than e.g. ps
  • Official interface for system information
      • Addresses a long-standing need in UNIX
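One place where /proc gives more detail than the tool built on it: the netstat listing of slide 10 (-t, -a, -n) is a formatting of /proc/net/tcp. The decoder below is an added example, not course material; it runs on a constructed four-line copy of that file, assumes a little-endian (x86) host, where the kernel writes the IPv4 address bytes back to front, and flags listeners bound on every interface whose port is outside a hypothetical allowlist.

```python
import socket
import struct

# TCP socket states as numbered by the kernel (the "st" column, in hex)
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

# Constructed sample of /proc/net/tcp from a little-endian host (not a real capture)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18411 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:BDC4 5DB8D9AC:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 24091 1 0000000000000000 20 4 30 10 -1
   3: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 26710 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field):
    """'0100007F:0019' -> ('127.0.0.1', 25). The address is a host-order u32, so on
    little-endian hardware its hex digits read back to front; the port is plain hex."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket line, carrying what 'netstat -tan' would print for it."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def exposed_listeners(rows, allowed_ports):
    """Listeners bound to 0.0.0.0 (reachable on any interface) on ports outside the baseline."""
    return [r for r in rows if r["state"] == "LISTEN"
            and r["local"][0] == "0.0.0.0" and r["local"][1] not in allowed_ports]


if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for r in rows:
        print("%s:%d\t%s:%d\t%s\tuid=%d\tinode=%d" % (r["local"] + r["remote"]
              + (r["state"], r["uid"], r["inode"])))
    for r in exposed_listeners(rows, {22, 80}):     # hypothetical expected-service baseline
        print("unexpected listener on port %d (uid %d)" % (r["local"][1], r["uid"]))
```

The inode column is what netstat -p and lsof match against the socket links under /proc/<pid>/fd to name the owning process, which is why those options need root to cover other users' processes.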

SLIDE 32

whois

  • Looks up information stored in various Network Information Centers (NICs) for several Top Level Domains (TLDs)
      • .edu, .com, .net, .org
  • Useful for finding remote domain administrators

SLIDE 33

nslookup, dig

  • Tools for querying DNS name servers
  • Useful for turning IP addresses into names
      • And vice versa
  • Can retrieve all DNS RRs, e.g. MX, …
  • nslookup superseded by dig

SLIDE 34

Accounting

  • Linux process accounting
      • Writes an accounting record each time a process finishes
  • Commands
      • sudo accton -on     turn accounting on
      • sudo accton -off    turn accounting off
      • sa                  show accounting information
      • lastcomm            show last command executed by users
  • Caveat
      • Notoriously inaccurate
          • To whom should the op-complete interrupt processing be charged?

SLIDE 35

Miscellany

  • strings
      • Useful for extracting text from arbitrary files
  • nice
      • Used to lower (or raise, if root) the scheduling priority of a process
  • dstat
      • Unified, one line, customizable system status