Hands-On Network Security: Practical Tools & Methods

Security Training Course

Dr. Charles J. Antonelli, The University of Michigan

2012


Hands-On Network Security

Module 1 Fundamental Tools


Roadmap

• Review of generally useful tools
  - Linux (Unix) centric

• General overview
  - Several tools are revisited later in the course

• There are many, many other useful tools
  - Some are introduced in later course modules
  - Most are freely available on the Internet

04/12 cja 2012


Tool Basics

• less, man
• su, sudo
• ifconfig
• netstat
• tcpdump
• wireshark, tshark
• tcpreplay
• traceroute
• tcptraceroute
• nmap/zenmap
• netcat
• ps
• top
• vmstat
• lsof
• /proc
• whois
• nslookup, dig
• Accounting
• Miscellany



less, man

• less
  - Standard paginating tool (pager) for Unix/Linux

• man
  - Standard manual page tool for Unix/Linux



su

• su [user]
  - Change to user user; with no argument, change to the superuser (root)
  - Authenticate by giving the target user's password
  - Starts a command shell with the target user's privileges

• Invocation
  - su
  - su -
    Like su, but executes a login shell, which gets the target user's environment and the correct command search path



sudo

• sudo command
  - Run a command as root (or, with -u user, as another user)
  - Authenticate by giving your own password, not root's
  - Runs the command with root's privileges
  - Convenience & control
    - Control who may sudo and which commands they may run
    - Log operations performed under sudo (sent to syslog; look in the auth/authpriv log)
    - Config file /etc/sudoers; edit it with visudo, which syntax-checks the file before saving, since a broken sudoers can lock everyone out

• Invocation
  - sudo service network restart
    Runs the service command with root privileges
  - sudo -s
    Executes a command shell with root privileges
  - sudo -i
    Like su -, this executes a login shell with root privileges
  - sudo -l
    Lists the commands the invoking user is allowed to run



ifconfig

• Get (and set) network interface configuration
  - IP address and netmask
  - Hardware (MAC) address
  - Bytes and packets sent/received/dropped/overrun/...

• /sbin/ifconfig [interface] [options]
  - With no arguments, shows only interfaces that are up; ifconfig -a shows them all

• Useful to discover a host's IP address(es) and interface status

• On current Linux distributions ifconfig (net-tools) is deprecated in favor of ip addr and ip link from iproute2, which show the same information



netstat

• Displays network-related status
  - Network connections
  - Routing tables
  - Interface statistics
  - Multicast memberships



• /bin/netstat
  - w/o args, displays open (connected) sockets
  - -a display listening sockets also
  - -l display listening sockets only
  - -t show TCP sockets
  - -u show UDP sockets
  - -p show PID and process name (other users' processes are shown only when run as root)
  - -r display routing tables
  - -n don't convert host addresses (or ports) to names
  - A common audit invocation is netstat -tulpn: every listening TCP and UDP socket with its owning process, numerically

• On current Linux distributions netstat (net-tools) is deprecated in favor of ss from iproute2; ss -tulpn gives the same view
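
As an added example (not part of the course slides), a small POSIX shell script that does the check a practitioner runs after netstat -tulpn on a host: parse the output and report every listener that is not on an allowlist of expected services. The netstat output, the allowlist and the names SAMPLE_NETSTAT and ALLOWED are constructed for this example; on a real host the sample would be replaced with the output of netstat -tulpn or ss -tulpn and the allowlist with what that host is supposed to serve.

```shell
#!/bin/sh
# Added example (not from the course): audit the listening sockets reported by
# `netstat -tulpn` against an allowlist of expected services. The netstat
# output below is constructed sample data for a hypothetical host.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1044/master
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2931/nc
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp        0      0 0.0.0.0:31337           0.0.0.0:*                           2931/nc'

# Assumed allowlist of "proto:port" pairs this host is supposed to serve.
ALLOWED="tcp:22 tcp:25 tcp:80 udp:68"

# listening_sockets: "proto port pid/program" for every listening socket.
# TCP rows carry a State column (LISTEN); UDP rows have none, so the
# PID/Program field is one column earlier. Handle both.
listening_sockets() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print "tcp", a[n], $7 }
        $1 ~ /^udp/                  { n = split($4, a, ":"); print "udp", a[n], $6 }
    '
}

# unexpected_listeners: listening sockets whose proto:port is not allowlisted.
unexpected_listeners() {
    listening_sockets | while read -r proto port prog; do
        case " $ALLOWED " in
            *" $proto:$port "*) ;;                              # expected service
            *) printf '%s %s %s\n' "$proto" "$port" "$prog" ;;  # investigate
        esac
    done
}

unexpected_listeners
```

The awk splits the Local Address column on its last colon so that IPv6 wildcard addresses such as :::80 are handled the same way as 0.0.0.0:22. On the sample the script reports the two nc listeners (tcp 4444 and udp 31337) and nothing else.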



libpcap

• Packet capture library
• Obtains packets from the host platform (on Linux, through packet sockets)
• Created at LBL (Lawrence Berkeley Laboratory)
• Maintained at www.tcpdump.org
  - Sources only, no binaries
  - Version 1.2.1 released January 1, 2012



tcpdump

• Full-content packet capture and display
• Packet input
  - Directly from a network interface
  - From a libpcap-format file

• Packet output
  - To screen
  - To a libpcap-format file

• Packet filtering (BPF filter expressions, e.g. tcp port 22)
• Version 4.2.1 released January 1, 2012 at www.tcpdump.org



• /usr/sbin/tcpdump
  - -i in listen on interface in
  - -n don't convert host addresses to names (-nn also leaves port numbers numeric)
  - -X dump packet in hex and ASCII
  - -e dump Ethernet header also
  - -r fn read from pcap-format file fn
  - -w fn write out pcap-format file fn
  - -s len capture at most len bytes per packet; -s 0 captures whole packets (older versions defaulted to 68 bytes, which truncates payloads)

• Capturing from an interface needs root (or CAP_NET_RAW); capture files hold full content, including any cleartext credentials, so protect them as carefully as the traffic itself

• Documentation at www.tcpdump.org



wireshark, tshark

• Full-content packet capture and display
• Built-in protocol dissectors
  - 1,170 protocols and counting (version 1.6.7, released April 6, 2012)
  - Dissectors parse untrusted input, and most Wireshark security advisories are dissector bugs: keep it current, and capture with dumpcap as root while running wireshark itself as an unprivileged user

• Packet input
  - Directly from a network interface
  - From a libpcap-format file, and many other formats

• Packet output
  - Interactive, screen-oriented (wireshark); text on the terminal (tshark)

• Packet filtering
  - On capture (BPF syntax, as in tcpdump)
  - On display (Wireshark's own filter syntax, e.g. tcp.port == 22)



• Other command-line tools shipped with Wireshark
  - capinfos: prints summary information about a capture file
  - dumpcap: the capture engine; captures to a file with no dissection
  - editcap: edits, splits, and converts capture files
  - mergecap: merges several capture files into one
  - text2pcap: converts a hex dump into a pcap file

• http://www.wireshark.org/



tcpreplay

• Sends stored packets to the network
  - Useful for presenting fixed inputs to IDSs

• Packet input
  - From a libpcap-format file

• Packet output
  - To a network interface

• Features
  - tcpprep: determine client/server packets and prepare a cache file
  - tcpreplay: replay pcap files at user-determined speeds
  - tcprewrite: edit TCP, IP, and Layer 2 headers on the fly
  - tcpbridge: bridge network segments with tcprewrite
  - tcpcapinfo: pcap file decoder



• Canonical invocation
  - tcpreplay -i eth0 sample.pcap

• Options
  - -t send as fast as possible
  - -M rate send at this rate (Mbps)
  - -p # send this number of packets per second
  - -x m send m times as fast as the original capture
  - ...

• http://tcpreplay.synfin.net/

• Some packets are not meant to be replayed
  - A capture that contains an attack replays the attack; replayed packets carry their original addresses and can confuse hosts and switches on the segment, so replay only on an isolated test network



traceroute

• Uses the TTL field in the IP header to map a packet's path from source to destination host
  - Sends probes with TTL 1, 2, 3, ...; the router that decrements a probe's TTL to zero discards it and returns an ICMP Time Exceeded message, revealing its address

• Generates a serial list of routers between source and destination

• Depends on ICMP messages
  - Linux traceroute sends UDP probes to high ports by default (-I uses ICMP Echo instead); the replies are always ICMP
  - If ICMP is blocked at a border, hops beyond it show as * * * and the trace won't complete

• Maintained at http://www-nrg.ee.lbl.gov/ftp.html



tcptraceroute

• Uses TCP SYN packets instead of ICMP Echo or UDP probes
  - Gets through filters that drop ICMP and UDP but must admit TCP to an open port (e.g. port 80 of a web server)

• Originally developed & maintained at http://michael.toren.net/code/tcptraceroute/
  - Now inactive
  - Better to use a modern traceroute's -T option, which does the same thing



nmap/zenmap

• Network mapping tool
  - Version 5.50 released January, 2011

• Really a network scanner
• Swiss army knife
• Two-step process
  - Identifies live hosts on the specified network segment(s) (host discovery)
  - Scans specified ports on each host

• Read the man page thoroughly
  - Especially for limitations ...
  - Scanning is noisy and shows up in the target's logs and IDS; scan only networks you are authorized to scan

• Zenmap is a GUI for nmap
• Generally under-appreciated



• nmap [options] target
  - target e.g. the subnet 141.211.244.0/26
  - -n don't map addresses to names
  - -sS TCP SYN (half-open) port scan; needs root
  - -sT TCP connect port scan; works unprivileged, but completes the handshake, so the target service logs it
  - -sU UDP port scan
  - -sV detect service versions
  - -s... several more advanced scans
  - -O use fingerprinting to guess the remote OS
  - -T0..5 timing template, from paranoid to insane
  - -p range range of ports to scan
  - -oG fn / -oX fn write grepable / XML output to fn for later processing
  - ... many more

• Maintained at http://www.insecure.org/nmap/ (now http://nmap.org/)
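
Added example, not from the slides: nmap's grepable output (-oG) exists for exactly this kind of processing. The script below parses two -oG results for the same segment and reports ports that are open now but were not open in a baseline scan, which is how a periodic scan becomes a change alert. Both scan results, and the names BASELINE and NEW_SCAN, are constructed for the example (192.0.2.0/29 is documentation address space); on real scans the two variables would be read from the files written by -oG.

```shell
#!/bin/sh
# Added example (not from the course): diff two nmap grepable (-oG) scans of
# one segment and report newly opened ports. Both scans below are constructed
# sample output, not real scan data; 192.0.2.0/29 is documentation address space.

tab=$(printf '\t')   # -oG separates the fields of a Host: line with tabs

BASELINE="# Nmap 5.50 scan initiated Mon Jan  9 10:00:00 2012 as: nmap -sS -n -oG base.gnmap 192.0.2.0/29
Host: 192.0.2.1 ()${tab}Status: Up
Host: 192.0.2.1 ()${tab}Ports: 22/open/tcp//ssh///, 443/open/tcp//https///${tab}Ignored State: closed (998)
Host: 192.0.2.2 ()${tab}Status: Up
Host: 192.0.2.2 ()${tab}Ports: 80/open/tcp//http///, 3306/filtered/tcp//mysql///${tab}Ignored State: closed (998)
# Nmap done at Mon Jan  9 10:00:05 2012 -- 8 IP addresses (2 hosts up) scanned in 4.90 seconds"

NEW_SCAN="# Nmap 5.50 scan initiated Tue Jan 10 10:00:00 2012 as: nmap -sS -n -oG now.gnmap 192.0.2.0/29
Host: 192.0.2.1 ()${tab}Status: Up
Host: 192.0.2.1 ()${tab}Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///${tab}Ignored State: closed (997)
Host: 192.0.2.2 ()${tab}Status: Up
Host: 192.0.2.2 ()${tab}Ports: 80/open/tcp//http///, 3306/open/tcp//mysql///${tab}Ignored State: closed (998)
Host: 192.0.2.3 ()${tab}Status: Up
Host: 192.0.2.3 ()${tab}Ports: 23/open/tcp//telnet///${tab}Ignored State: closed (999)
# Nmap done at Tue Jan 10 10:00:05 2012 -- 8 IP addresses (3 hosts up) scanned in 5.10 seconds"

# open_ports SCAN: one "host proto port service" line per open port.
# Each entry in a Ports: field is port/state/proto/owner/service/rpc/version.
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
        $1 ~ /^Host: / && $2 ~ /^Ports: / {
            split($1, h, " "); host = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, p, /, */)
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open") print host, f[3], f[1], f[5]
            }
        }' | sort
}

# new_open_ports: open ports in NEW_SCAN that the BASELINE did not have.
# A filtered->open transition (3306 here) counts: the service became reachable.
new_open_ports() {
    base=$(open_ports "$BASELINE")
    open_ports "$NEW_SCAN" | while read -r line; do
        printf '%s\n' "$base" | grep -qxF "$line" || printf '%s\n' "$line"
    done
}

new_open_ports
```

On the sample the script reports three changes: 8080/tcp on 192.0.2.1, 3306/tcp on 192.0.2.2 (previously filtered), and a new host 192.0.2.3 with telnet open. Ports that closed are deliberately not reported; swapping the two arguments gives that list.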



netcat

• TCP/UDP utility
  - http://nc110.sourceforge.net/ ... the original, from 1996
  - http://netcat.sourceforge.net/ ... the portable version

• Another, older, swiss army knife
• Features
  - Send and receive TCP/UDP
  - Listen on arbitrary ports
  - TCP proxies
  - Shell-script clients & servers

• Several incompatible implementations exist (original, GNU, OpenBSD, and ncat from the nmap project); their options differ, and -e (run a program on connection) is present only in some builds, which is why hardened hosts often remove netcat altogether

• Read the man page thoroughly
• Generally under-appreciated



ps

• Process status utility
• Features
  - Standard & custom process status listings
  - Resource utilization summaries

• Read the man page thoroughly



• ps
  - (none) show your processes on this terminal
  - ax show all processes (BSD style)
  - l show your processes, long format
  - u show your processes, user format
  - v show your processes, virtual memory format
  - -l show your processes, long format
  - -f show your processes, full format
  - -F show your processes, extra full format
  - -H show your processes as a tree (process hierarchy)
  - -Lm show all processes, with threads
  - -o fmt choose the columns, e.g. ps -eo pid,ppid,user,comm,args
  - ... many more
  - The usual "show everything" listings are ps aux (BSD style) and ps -ef (UNIX style)
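
As an added example, not part of the course slides, a detection pass over the output of ps -eo pid,ppid,user,comm,args. It applies two checks a responder makes by eye when reading a process list: a shell whose parent is a web-server process (the shape of a webshell or reverse shell), and a process whose executable runs from a world-writable directory such as /tmp. The process listing, the server and shell name lists, and the names SAMPLE_PS, WEB_SERVERS and SHELLS are constructed for the example; on a real host the sample would be the actual ps output.

```shell
#!/bin/sh
# Added example (not from the course): a detection pass over
# `ps -eo pid,ppid,user,comm,args` output. It flags (1) shells whose parent is
# a web-server process, the shape of a webshell or reverse shell, and
# (2) processes whose executable lives in a world-writable directory.
# The process list below is constructed sample output, not a real host.

SAMPLE_PS='  PID  PPID USER     COMMAND         COMMAND
    1     0 root     init            /sbin/init
  812     1 root     sshd            /usr/sbin/sshd -D
 1201     1 root     apache2         /usr/sbin/apache2 -k start
 1310  1201 www-data apache2         /usr/sbin/apache2 -k start
 2931  1310 www-data sh              sh -c /bin/bash -i
 2933  2931 www-data bash            /bin/bash -i
 3002  1201 www-data perl            /usr/bin/perl /var/www/cgi-bin/report.pl
 3100     1 nobody   .x              /tmp/.x -p 31337'

WEB_SERVERS="apache2 httpd nginx php-fpm"   # assumed list of server comm names
SHELLS="sh bash dash zsh"                   # assumed list of shell comm names

# is_in WORD LIST: true if WORD is one of the space-separated words in LIST.
is_in() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# parent_comm PID: command name (comm column) of PID in the sample listing.
parent_comm() {
    printf '%s\n' "$SAMPLE_PS" | awk -v pid="$1" '$1 == pid { print $4 }'
}

# suspicious_processes: one "pid reason detail" line per finding.
suspicious_processes() {
    printf '%s\n' "$SAMPLE_PS" | tail -n +2 | while read -r pid ppid user comm args; do
        if is_in "$comm" "$SHELLS" && is_in "$(parent_comm "$ppid")" "$WEB_SERVERS"; then
            printf '%s shell-under-webserver %s\n' "$pid" "$args"
        fi
        exe=${args%% *}                     # first word of args: the executable path
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) printf '%s exec-from-tmp %s\n' "$pid" "$exe" ;;
        esac
    done
}

suspicious_processes
```

On the sample, PID 2931 (sh spawned by an apache2 worker) and PID 3100 (running from /tmp) are reported; the perl CGI under apache2 is not, because it is not a shell, and the bash under PID 2931 is not, because its parent is the already-flagged shell. The args column is attacker-controlled (a process can rewrite its own argv), so the comm column and /proc/PID/exe are the better evidence when a finding is followed up.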



top

• Display Linux tasks
• Features
  - Dynamic process listings
  - Ordered by a specified resource
  - System utilization summaries
  - An interactive interface for process manipulation
  - An extensive interactive interface for configuration

• Read the man page thoroughly



• top
  - (none) show summary and process stats, updated every 3 secs
  - -d n ... every n secs
  - -u user ... stats for user user only
  - -b batch mode (no screen handling), for logging to a file or piping

• Interactive commands
  - 1 toggle between aggregate and individual CPU stats
  - k kill a process
  - O change sort order
  - r renice a process
  - u show stats for a specified user
  - h interactive help
  - ... many more



vmstat

• Report virtual memory statistics
• Reports
  - Processes running and blocked
  - Physical memory usage
  - Swap space I/O
  - Block I/O
  - System interrupts and context switches
  - CPU utilization
  - ... all in 80 characters



• vmstat
  - (none) show status
  - n show status every n seconds
  - -a show active/inactive instead of buffered/cached
  - -f number of fork() system calls since boot
  - -m show kernel memory management stats (slabinfo)
  - The first line of output is the average since boot; only the following lines reflect current activity



lsof

• List open files
  - Created for UNIX to find the running processes preventing filesystem unmounts
  - Many additional Linux features

• For each process, shows
  - Root and current directories
  - Mapped shared libraries
  - Open file names, descriptors, major/minor/inode numbers
  - Open sockets, states, peer names



• lsof
  - (none) shows open files for all devices for all processes
  - -p pid shows open files for process pid
  - -u user shows open files for user name or uid user
  - /dev/sdx shows open files for device /dev/sdx
  - /path/file shows processes that have /path/file open
  - -i shows all Internet sockets; -i :port narrows to a port, -i @host to processes connected to host host
  - -nP don't convert addresses (-n) or ports (-P) to names; faster, and avoids DNS lookups that would reveal the investigation to whoever runs the resolver
  - +L1 lists open files that have been unlinked ("deleted"): a running binary whose file was removed, or a log an intruder deleted while a process still holds it open
  - ... many more



/proc

• File-system view of kernel and process state
• Features
  - Global system status (e.g. /proc/net/tcp, /proc/modules, /proc/mounts)
  - Per-process status under /proc/PID (cmdline, exe, cwd, fd/, maps, environ, status)

• Much more detail than e.g. ps, which itself reads /proc
• Official interface for system information
• Addresses a long-standing need in UNIX
• /proc/PID/exe still links to the running executable after it has been deleted from disk, and /proc/PID/fd lists every open file and socket; both are useful when a process hides from, or has replaced, the usual tools
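
Added example, not from the slides: the socket table that netstat, ss and lsof -i all read is /proc/net/tcp, and decoding it by hand shows what those tools do and gives a way to check their output when a rootkit has replaced them. The rows below are constructed sample data; on a real host the variable SAMPLE_PROC_NET_TCP would be replaced by the contents of /proc/net/tcp (the decoder assumes a little-endian host, as x86 is, and handles IPv4 only; /proc/net/tcp6 uses 32-hex-digit addresses).

```shell
#!/bin/sh
# Added example (not from the course): decode /proc/net/tcp, the kernel's own
# socket table that netstat, ss and lsof -i read. Addresses are hex in host
# byte order, so on a little-endian (x86) host 0100007F:0016 is 127.0.0.1:22.
# The rows below are constructed sample data, not read from a live system.

SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18211 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22507 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 6400A8C0:D3F1 01 00000000:00000000 02:00012D9E 00000000     0        0 19044 2 0000000000000000 20 4 29 10 -1'

# State codes from the kernel's include/net/tcp_states.h.
tcp_state_name() {
    case "$1" in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "UNKNOWN($1)" ;;
    esac
}

# hex_to_ipv4_port ADDR:PORT -> dotted-quad:port.
# The four address bytes are stored little-endian (assumed x86 host), so the
# first octet is the last hex pair; the port is big-endian as written.
hex_to_ipv4_port() {
    addr=${1%%:*}; port=${1##*:}
    b4=${addr%??????}                 # first pair  -> fourth octet
    b3=${addr#??}; b3=${b3%????}      # second pair -> third octet
    b2=${addr#????}; b2=${b2%??}      # third pair  -> second octet
    b1=${addr#??????}                 # last pair   -> first octet
    printf '%d.%d.%d.%d:%d\n' "0x$b1" "0x$b2" "0x$b3" "0x$b4" "0x$port"
}

# decode_tcp_table: "local remote STATE uid=U inode=I" per socket. The inode
# is the key to the owning process: it appears as socket:[I] among the
# symlinks in /proc/PID/fd/, which is how lsof and netstat -p find the PID.
decode_tcp_table() {
    printf '%s\n' "$SAMPLE_PROC_NET_TCP" | tail -n +2 |
    while read -r sl laddr raddr st rest; do
        set -- $rest   # tx:rx tr:when retrnsmt uid timeout inode ...
        printf '%s %s %s uid=%s inode=%s\n' \
            "$(hex_to_ipv4_port "$laddr")" "$(hex_to_ipv4_port "$raddr")" \
            "$(tcp_state_name "$st")" "$4" "$6"
    done
}

decode_tcp_table
```

The sample decodes to sshd listening on 127.0.0.1:22, an unprivileged user's listener on 0.0.0.0:8080, and an established session from 192.168.0.100 to port 22. To tie a row to a process, search for its inode with ls -l /proc/*/fd 2>/dev/null | grep 'socket:\[18211\]', which is exactly the join netstat -p performs.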



whois

• Looks up information stored in various Network Information Centers (NICs) for several Top Level Domains (TLDs)
  - .edu, .com, .net, .org

• Given an IP address rather than a name, queries the Regional Internet Registries (ARIN, RIPE, APNIC, ...) and returns the owner of the address block

• Useful for finding remote domain administrators and abuse contacts



nslookup, dig

• Tools for querying DNS name servers
• Useful for turning IP addresses into names
  - And vice versa (reverse lookup, e.g. dig -x 141.211.244.1)
  - Can retrieve all DNS RRs, e.g. MX, NS, TXT, ...
  - Can ask a specific server (dig @server name type), which is how you compare what different resolvers answer

• nslookup superseded by dig



Accounting

• Linux process accounting
  - Writes an accounting record each time a process finishes

• Commands
  - sudo accton on turn accounting on (older versions take the path of the accounting file instead of on)
  - sudo accton off turn accounting off
  - sa show accounting information
  - lastcomm show the last commands executed by users

• Caveat
  - Notoriously inaccurate
    To whom should I/O-completion interrupt processing be charged?
  - Records only the command name, not its arguments, and only for processes that have exited



Miscellany

• strings
  - Useful for extracting text (runs of printable characters) from arbitrary files, e.g. URLs, paths, and messages embedded in a suspect binary

• nice
  - Used to lower (or raise, if root) the scheduling priority of a process

• dstat
  - Unified, one-line, customizable system status
