Hands-On Network Security: Practical Tools & Methods
Security Training Course
Dr. Charles J. Antonelli The University of Michigan
2012
Hands-On Network Security
Module 1 Fundamental Tools
Roadmap
• Review of generally useful tools
    Linux (Unix) centric
• General overview
    Several tools revisited later
• There are many, many other useful tools
    Some introduced in course modules
    Most freely available on the Internet
04/12 cja 2012
Tool Basics
• less, man
• su, sudo
• ifconfig
• netstat
• tcpdump
• wireshark, tshark
• tcpreplay
• traceroute
• tcptraceroute
• nmap/zenmap
• netcat
• ps
• top
• vmstat
• lsof
• /proc
• whois
• nslookup, dig
• Accounting
• Miscellany
less, man
• less
    Standard paginating tool for Unix/Linux
• man
    Standard manual page tool for Unix/Linux
su
• su id
    Change to user id
    If no id, change to the superuser (root)
    Authenticate by giving the new user’s password
    Starts a command shell with the new user’s privileges
• Invocation
    su
    su -
        Like su, but executes a login shell, which gets the correct command search paths
sudo
• sudo command
    Run commands as root
    Authenticate by giving your own password
    Runs command with root’s privileges
• Convenience & control
    Control who may sudo and what commands they can run
    Log operations performed under sudo
    Config file /etc/sudoers
• Invocation
    sudo service network restart
        Runs the service command with root privileges
    sudo -s
        Executes a command shell with root privileges
    sudo -i
        Like su -, this executes a login shell with root privileges
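The slide leaves the content of /etc/sudoers to the reader. The script below is an added example, not part of the course material: it reads a sudoers-style file and reports user specifications whose command list is the bare keyword ALL, marking the ones that also carry the NOPASSWD tag as critical, since those grant an unauthenticated root shell to anyone who can run commands as that user. The sample sudoers content is constructed for the demonstration, and the parsing covers plain user specifications only (Defaults, alias and #include lines are skipped).

```shell
#!/bin/sh
# Added example (not from the course slides): flag over-broad grants in a
# sudoers-style file. User specifications have the form
#   user  hosts=(runas)  [NOPASSWD:] command, command, ...
# A line whose command list contains the bare keyword ALL is reported as WARN;
# one that combines NOPASSWD with ALL is reported as CRITICAL.
# Comments, #include directives, Defaults lines and *_Alias lines are skipped.
sudoers_audit() {
    awk '
        /^[[:space:]]*#/ { next }                          # comments, #include
        /^[[:space:]]*$/ { next }                          # blank lines
        /^[[:space:]]*(Defaults|[A-Za-z_]+_Alias)/ { next } # options, aliases
        {
            # Drop the "user hosts=(runas)" prefix; the command list follows.
            line = $0
            sub(/^[^=]*=[[:space:]]*(\([^)]*\))?[[:space:]]*/, "", line)
            nopw = (line ~ /NOPASSWD:/)
            gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):[[:space:]]*/, "", line)
            # Split the comma-separated command list and look for bare ALL.
            n = split(line, cmds, /[[:space:]]*,[[:space:]]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmds[i])
                if (cmds[i] == "ALL") {
                    printf "%s %s: %s\n", (nopw ? "CRITICAL" : "WARN"), $1, $0
                    break
                }
            }
        }' "$1"
}

# Constructed sample for the demonstration; not any real system's sudoers.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# /etc/sudoers (constructed sample)
Defaults env_reset
Cmnd_Alias NETWORK = /usr/sbin/service network restart
%wheel  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: NETWORK
bob     ALL=(ALL) NOPASSWD: ALL
carol   ALL=(ALL) /bin/ls, ALL
EOF
}

# Usage on a real host (the file is mode 0440, so run as root):
#   sudoers_audit /etc/sudoers
# On the sample above this prints one WARN line each for %wheel and carol and
# a CRITICAL line for bob; alice's rule, limited to one aliased command, is silent.
```

The audit is deliberately a grep-level check. It does not expand aliases or evaluate host lists, so a rule that reaches ALL only through a Cmnd_Alias is not caught; `visudo -c` remains the authority on syntax, and this script only points at the rules a reviewer should read first.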
ifconfig
• Get (and set) network interface configuration
    IP address and mask
    Hardware address
    Bytes sent/received/dropped/overrun/…
• /sbin/ifconfig [interface] [options]
• Useful to discover host’s IP address(es) and interface status
netstat
• Displays network-related status
    Network connections
    Routing tables
    Interface statistics
    Multicast memberships
netstat
• /bin/netstat
    w/o args, displays open sockets
    -a  display listening sockets also
    -t  show active TCP sockets
    -u  show active UDP sockets
    -p  show PID and process name
    -r  display routing tables
    -n  don’t convert host addresses to names
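The options above are usually combined as `netstat -tulpn` when checking what a host exposes. The script below is an added example, not from the slides: it parses netstat text of that shape and reports the listening sockets bound to every interface (0.0.0.0 or ::), then compares them against a list of ports the administrator expects. The netstat output it reads is a constructed sample; on a real host, pipe `netstat -tulpn` into the functions instead.

```shell
#!/bin/sh
# Added example (not from the course slides): find network-reachable listeners
# in "netstat -tulpn" output read from stdin. The local address is field 4 and
# PID/Program is always the last field; UDP rows have no State column, so the
# last field is used rather than a fixed column number.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last ":"
            host = addr; sub(/:[^:]*$/, "", host)    # text before it
            if (host == "0.0.0.0" || host == "::" || host == "*")
                printf "%s %s %s\n", $1, port, $NF   # proto port PID/Program
        }'
}

# Report exposed listeners whose port is not in the space-separated allow list
# given as $1, e.g. unexpected_listeners "22 80 123".
unexpected_listeners() {
    allowed=" $1 "
    exposed_listeners | while read -r proto port prog; do
        case "$allowed" in
            *" $port "*) ;;
            *) printf '%s %s %s\n' "$proto" "$port" "$prog" ;;
        esac
    done
}

# Constructed sample in the layout of "netstat -tulpn"; not a real capture.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2311/python
tcp6       0      0 :::80                   :::*                    LISTEN      990/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           701/ntpd
EOF
}

# On a live host: netstat -tulpn | unexpected_listeners "22 80 123"
# On the sample this reports only "tcp 8080 2311/python"; mysqld is bound to
# loopback and is therefore not listed at all.
```

The PID/Program column shows `-` for sockets owned by other users unless netstat runs as root, so the check belongs in a privileged cron job or configuration audit rather than an unprivileged shell.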
libpcap
• Packet capture library
• Obtains packets from host platform
• Created at LBL
• Maintained at www.tcpdump.org
    Sources, no binaries
    Version 1.2.1 released January 1, 2012
tcpdump
• Full-content packet capture and display
• Packet input
    Directly from network interface
    From libpcap-format file
• Packet output
    To screen
    To libpcap-format file
• Packet filtering
• Version 4.2.1 released January 1, 2012 at www.tcpdump.org
tcpdump
• /usr/sbin/tcpdump
    -i in  listen on interface in
    -n     don’t convert host addresses to names
    -X     dump packet in hex and ascii
    -e     dump Ethernet header also
    -r fn  read from pcap-format file
    -w fn  write out pcap-format file
• Documentation at www.tcpdump.org
wireshark, tshark
• Full-content packet capture and display
• Built-in protocol dissectors
    1,170 protocols and counting (version 1.6.7, released April 6, 2012)
• Packet input
    Directly from network interface
    From libpcap-format file, and many other formats
• Packet output
    Interactive, screen-oriented
• Packet filtering
    On capture
    On display
wireshark, tshark
• Other features
    capinfos
    dumpcap
    editcap
    mergecap
    text2pcap
• http://www.wireshark.org/
tcpreplay
• Sends stored packets to network
    Useful for presenting fixed inputs to IDSs
• Packet input
    From libpcap-format file
• Packet output
    To network interface
• Features
    tcpprep – determine client/server packets and prepare cache
    tcpreplay – replay pcap files at user-determined speeds
    tcprewrite – edit TCP, IP, Layer 2 headers on the fly
    tcpbridge – bridge network segments with tcprewrite
    tcpcapinfo – pcap file decoder
tcpreplay
• Canonical invocation
    tcpreplay -i eth0 sample.pcap
• Options:
    -t       as fast as possible
    -M rate  send at this rate (Mbps)
    -p #     send this number of packets per second
    -x m     send m times as fast
    …
• http://tcpreplay.synfin.net/
• Some packets are not meant to be replayed
traceroute
• Uses TTL field in IP packet to map a network packet’s path from source to destination host
• Generates a serial list of routers between source and destination
• Depends on ICMP messages
    If ICMP is blocked at the border, this won’t work
• Maintained at http://www-nrg.ee.lbl.gov/ftp.html
tcptraceroute
• Uses TCP SYN packets instead of ICMP or UDP echo
• Originally developed & maintained at http://michael.toren.net/code/tcptraceroute/
    Now inactive
• Better to use a modern traceroute’s -T option
nmap/zenmap
• Network mapping tool
    Version 5.50 released January, 2011
• Really a network scanner
• Swiss army knife
• Two-step process
    Identifies hosts on specified network segment(s)
    Scans specified ports on each host
• Read the man page thoroughly
    Especially for limitations …
• Zenmap is a GUI for nmap
• Generally under-appreciated
nmap
• nmap subnet
    e.g. 141.211.244.0/26
    -n        don’t map addresses to names
    -sS       TCP SYN port scan
    -sT       TCP connect port scan
    -sU       UDP port scan
    -sV       detect service versions
    -s…       several more advanced scans
    -O        use fingerprinting to guess remote OS
    -T        manually set scan rate
    -p range  range of ports to scan
    … many more
• Maintained at http://www.insecure.org/nmap/
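The tcpdump and nmap slides fit together from the defender's side: a SYN scan of the kind `-sS` performs shows up on the wire as one source sending SYNs (without ACK) to many ports on a host, and `tcpdump -n` prints each of those as a `Flags [S],` line. The script below is an added example, not from the slides: it reads `tcpdump -n` text and lists sources that sent SYNs to at least a threshold number of distinct destination ports. The packet lines it reads are constructed samples in tcpdump's usual text layout; tcpdump's exact formatting varies a little between versions, so check the field positions against your own output before relying on it.

```shell
#!/bin/sh
# Added example (not from the course slides): count, per source address, the
# distinct (destination host, port) pairs that received a bare SYN, using the
# text that "tcpdump -n" prints. Fields in such a line:
#   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 dst.port:  $6 "Flags"  $7 "[S],"
# "[S]," is a SYN without ACK; "[S.]," would be the SYN-ACK reply, which is
# ignored. IPv6 lines ("IP6") are skipped by this parser.
syn_scan_sources() {
    threshold=${1:-5}
    awk -v thr="$threshold" '
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)       # drop the source port
            dst = $5; sub(/:$/, "", dst)              # drop the trailing colon
            port = dst; sub(/.*\./, "", port)         # destination port
            host = dst; sub(/\.[0-9]+$/, "", host)    # destination address
            key = src SUBSEP host SUBSEP port
            if (!(key in seen)) { seen[key] = 1; targets[src]++ }
        }
        END {
            for (s in targets)
                if (targets[s] >= thr) printf "%s %d\n", s, targets[s]
        }'
}

# Constructed sample in the layout of "tcpdump -n"; not a real capture.
# 10.0.0.5 probes five ports on 10.0.0.9; 10.0.0.7 completes one normal handshake.
sample_tcpdump() {
    cat <<'EOF'
10:15:01.000001 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
10:15:01.000002 IP 10.0.0.5.40002 > 10.0.0.9.80: Flags [S], seq 1, win 1024, length 0
10:15:01.000003 IP 10.0.0.5.40003 > 10.0.0.9.443: Flags [S], seq 1, win 1024, length 0
10:15:01.000004 IP 10.0.0.5.40004 > 10.0.0.9.3306: Flags [S], seq 1, win 1024, length 0
10:15:01.000005 IP 10.0.0.5.40005 > 10.0.0.9.8080: Flags [S], seq 1, win 1024, length 0
10:15:02.000001 IP 10.0.0.7.51000 > 10.0.0.9.22: Flags [S], seq 99, win 65535, length 0
10:15:02.000002 IP 10.0.0.9.22 > 10.0.0.7.51000: Flags [S.], seq 5, ack 100, win 65535, length 0
10:15:02.000003 IP 10.0.0.7.51000 > 10.0.0.9.22: Flags [.], ack 6, win 65535, length 0
EOF
}

# Live use, reading a saved capture with the -r option from the tcpdump slide:
#   tcpdump -n -r capture.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_scan_sources 20
# On the sample with the default threshold of 5 this prints "10.0.0.5 5".
```

The threshold is the whole policy: a busy client legitimately opens a handful of ports on one server, so tune it to the traffic you actually see, and treat the output as a list of sources to look at in the full capture rather than as a verdict.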
netcat
• TCP/UDP utility
    http://nc110.sourceforge.net/ … the original, from 1996
    http://netcat.sourceforge.net/ … the portable version
• Another, older, swiss army knife
• Features
    Send and receive TCP/UDP
    Listen on arbitrary ports
    TCP proxies
    Shell-script clients & servers
• Read the man page thoroughly
• Generally under-appreciated
ps
• Process status utility
• Features
    Standard & custom process status listings
    Resource utilization summaries
• Read the man page thoroughly
ps
• ps
    (none)  show your processes
    ax      show all processes
    l       show your processes, long format
    u       show your processes, user format
    v       show your processes, virtual memory format
    -l      show your processes, long format
    -f      show your processes, full format
    -F      show your processes, extra full format
    -H      show your processes, tree format
    -Lm     show all processes, with threads
    … many more
top
• Display Linux tasks
• Features
    Dynamic process listings
    Ordered by specified resource
    System utilization summaries
    An interactive interface for process manipulation
    An extensive interactive interface for configuration
• Read the man page thoroughly
top
• top
    (none)   show summary and process stats, updated every 3 secs
    -d n     … every n secs
    -u user  … stats for user user only
• Interactive commands
    1  toggle between aggregate and individual CPU stats
    k  kill a process
    O  change sort order
    r  renice a process
    u  show stats for specified user
    h  interactive help
    … many more
vmstat
• Report virtual memory statistics
• Reports
    Processes running
    Physical memory usage
    Swap space I/O
    Block I/O
    System interrupts and context switches
    CPU utilization
    … all in 80 characters
vmstat
• vmstat
    (none)  show status
    n       show status every n seconds
    -a      show active/inactive instead of buffered/cached
    -f      # fork() system calls since boot
    -m      show kernel memory management stats (slabinfo)
lsof
• List open files
    Created for UNIX to find running processes preventing filesystem unmounts
    Many additional Linux features
• For each process, shows
    Root and current directories
    Mapped shared memory libraries
    Open file names, descriptors, major/minor/inode numbers
    Open sockets, states, peer names
lsof
• lsof
    (none)      shows open files for all devices for all processes
    -p pid      shows open files for process pid
    -u user     shows open files for user name or uid user
    /dev/sdx    shows open files for device /dev/sdx
    /path/file  shows processes that have /path/file open
    -i @host    shows processes connected to host host
    … many more
/proc
• File-system view of userland
• Features
    Global system status
    Per-process status
• Much more detail than e.g. ps
• Official interface for system information
• Addresses a long-standing need in UNIX
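The claim that /proc carries more detail than ps is easiest to see by reading it directly, which is what ps does underneath. The script below is an added example, not from the slides: it walks the numeric directories under a proc root, takes the process name and parent PID from each `status` file and the command line from `cmdline`, and derives the parent/child relation that `ps -H` displays. The proc root defaults to /proc; the sample tree it is tested against is constructed in a temporary directory so the example also runs where /proc is absent.

```shell
#!/bin/sh
# Added example (not from the course slides): a minimal ps built from /proc.
# For each numeric directory under the proc root ($1, default /proc):
#   status   holds "Name:<TAB>name" and "PPid:<TAB>parent" lines
#   cmdline  holds argv separated by NUL bytes (empty for kernel threads)
# Output is one tab-separated line per process: pid, ppid, name, command.
proc_ps() {
    procroot=${1:-/proc}
    for dir in "$procroot"/[0-9]*; do
        [ -r "$dir/status" ] || continue   # also skips an unmatched glob
        pid=${dir##*/}
        name=$(awk -F'\t' '$1 == "Name:" { print $2 }' "$dir/status")
        ppid=$(awk -F'\t' '$1 == "PPid:" { print $2 }' "$dir/status")
        cmd=""
        if [ -r "$dir/cmdline" ]; then
            cmd=$(tr '\000' ' ' < "$dir/cmdline" | sed 's/ $//')
        fi
        # Kernel threads have no command line; ps shows their name in brackets.
        [ -n "$cmd" ] || cmd="[$name]"
        printf '%s\t%s\t%s\t%s\n' "$pid" "$ppid" "$name" "$cmd"
    done
}

# PIDs whose parent is $2, from the PPid column: the relation behind ps -H.
proc_children() {
    proc_ps "$1" | awk -F'\t' -v p="$2" '$2 == p { print $1 }'
}

# Constructed three-process tree in /proc layout, for demonstration only.
make_sample_proc() {
    sample=$1
    mkdir -p "$sample/1" "$sample/2" "$sample/314"
    printf 'Name:\tinit\nPPid:\t0\n' > "$sample/1/status"
    printf '/sbin/init\000' > "$sample/1/cmdline"
    printf 'Name:\tkthreadd\nPPid:\t0\n' > "$sample/2/status"
    : > "$sample/2/cmdline"
    printf 'Name:\tsshd\nPPid:\t1\n' > "$sample/314/status"
    printf '/usr/sbin/sshd\000-D\000' > "$sample/314/cmdline"
}

# Live use on Linux:  proc_ps | sort -n      or      proc_children /proc 1
# On the sample tree, proc_ps prints init, kthreadd (as "[kthreadd]") and
# "sshd /usr/sbin/sshd -D", and proc_children <root> 1 prints 314.
```

Reading /proc directly is also the usual cross-check when a userland ps is not trusted: a process present under /proc but missing from `ps` output is worth a closer look, and the per-process `status`, `maps` and `fd/` entries go well beyond the columns any ps format exposes.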
whois
• Looks up information stored in various Network Information Centers (NICs) for several Top Level Domains (TLDs)
    .edu, .com, .net, .org
• Useful for finding remote domain administrators
nslookup, dig
• Tools for querying DNS name servers
• Useful for turning IP addresses into names
    And vice versa
    Can retrieve all DNS RRs, e.g. MX, …
• nslookup superseded by dig
Accounting
• Linux process accounting
    Writes an accounting record each time a process finishes
• Commands
    sudo accton on   turn accounting on
    sudo accton off  turn accounting off
    sa               show accounting information
    lastcomm         show last command executed by users
• Caveat
    Notoriously inaccurate
    To whom should the op-complete interrupt processing be charged?
Miscellany
• strings
    Useful for extracting text from arbitrary files
• nice
    Used to lower (or raise, if root) the scheduling priority of a process
• dstat
    Unified, one line, customizable system status