Network Tools screen shots added - PowerPoint PPT Presentation


1
Network Tools (screen shots added)
  • ECE-6612
  • October 14, 2005
  • Cherita Corbett, John Copeland

2
Outline
  • ethereal (now wireshark)
  • nmap
  • netstat, sockstat
  • tracert or traceroute
  • nslookup or host
  • Knoppix

3
Ethereal
  • http://www.ethereal.com
  • Captures packets from a live network connection
  • Capture Filters / display filters
  • Dissects 700 protocols
  • Statistics

4
Ethereal
5
Nmap
  • http://www.insecure.org/nmap/
  • Network Mapper
  • What hosts are available
  • What services/applications are available
  • What operating system
  • What type of packet filters/firewalls
  • Port scanning mechanism
  • C:\> nmap v a www.gatech.edu
  • "nmap" without options will show a short list of
    options. On Linux or Unix use "man nmap".

6
nmap
Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service & app names/versions
  -sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan.  Example range: 1-1024,1080,6666,31337
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended.  Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -6 scans via IPv6 rather than IPv4
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy

7
nmap -v -sT -p 20-25,80,110,123,443,3306 www.gatech.edu
Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-10-18 16:32 EDT
Initiating Connect() Scan against www.gatech.edu (130.207.165.120) [11 ports] at 16:32
Discovered open port 80/tcp on 130.207.165.120
The Connect() Scan took 11.25s to scan 11 total ports.
Host tlweb.gatech.edu (130.207.165.120) appears to be up ... good.
Interesting ports on tlweb.gatech.edu (130.207.165.120):
PORT     STATE    SERVICE
20/tcp   closed   ftp-data
21/tcp   filtered ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
24/tcp   closed   priv-mail
25/tcp   closed   smtp
80/tcp   open     http
110/tcp  closed   pop3
123/tcp  closed   ntp
443/tcp  closed   https
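A check a server owner can run over output like the one above, added here as an example (it is not from the slides): it parses nmap's normal-output port table and reports any open port that is not on an allow-list for that host, so a repeated scan of one's own server flags newly exposed services. The sample text is a constructed copy of the slide's port table; the allow-list is an assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# One port line of nmap's normal output, e.g. "80/tcp   open     http".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")

# Constructed sample: the port table from the nmap 3.93 run shown above.
SAMPLE_OUTPUT = """\
Interesting ports on tlweb.gatech.edu (130.207.165.120):
PORT     STATE    SERVICE
20/tcp   closed   ftp-data
21/tcp   filtered ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
25/tcp   closed   smtp
80/tcp   open     http
110/tcp  closed   pop3
443/tcp  closed   https
"""

Port = Tuple[int, str]   # (port number, protocol)

def parse_ports(text: str) -> Dict[Port, Tuple[str, str]]:
    """Map each scanned (port, proto) to its (state, service)."""
    result: Dict[Port, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            result[(int(port), proto)] = (state, service)
    return result

def open_ports(text: str) -> List[Port]:
    return sorted(p for p, (state, _) in parse_ports(text).items() if state == "open")

def unexpected_open(text: str, allowed: Set[Port]) -> List[Port]:
    """Open ports missing from the allow-list: services the owner did not expect."""
    return [p for p in open_ports(text) if p not in allowed]

def filtered_ports(text: str) -> List[Port]:
    """'filtered' means a packet filter dropped the probe; nmap reports it separately."""
    return sorted(p for p, (state, _) in parse_ports(text).items() if state == "filtered")

if __name__ == "__main__":
    # tlweb is a web server: 80/tcp is expected, anything else open would be news
    print(unexpected_open(SAMPLE_OUTPUT, {(80, "tcp"), (443, "tcp")}))
```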

8
Netstat
  • Displays active ports, network connections,
    routing tables, interface statistics, masquerade
    connections, multicast memberships, etc.
  • Indicates how exposed a PC is to attack (which
    ports are listening)
  • C:\> netstat -b
  • C:\> netstat -e -s
  • On Linux or UNIX try "netstat -a" and "netstat -o"
  • netstat -r will show routing, like the Linux
    "route" command
  • man netstat to find the appropriate options

9
netstat -b
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  localhost.49769        localhost.ipp          CLOSE_WAIT
tcp4       0      0  localhost.49768        localhost.ipp          CLOSE_WAIT
tcp4       0      0  localhost.49718        localhost.ipp          CLOSE_WAIT
tcp4       0      0  localhost.49717        localhost.ipp          CLOSE_WAIT
tcp4       0      0  localhost.netinfo-loca localhost.945          ESTABLISHED
tcp4       0      0  localhost.945          localhost.netinfo-loca ESTABLISHED
udp4       0      0  *.49413                *.*
udp4       0      0  *.9912                 *.*
udp4       0      0  localhost.49399        localhost.49399
udp4       0      0  *.ipp                  *.*
udp4       0      0  localhost.49156        localhost.1022
udp4       0      0  localhost.49155        localhost.1022
udp4       0      0  localhost.1022         *.*
udp4       0      0  localhost.49152        localhost.1023
udp4       0      0  localhost.1023         *.*
udp4       0      0  *.mdns                 *.*
udp4       0      0  localhost.netinfo-loca *.*
udp4       0      0  *.syslog               *.*
udp6       0      0  *.514                  *.*
Active LOCAL (UNIX) domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
1f7b188  stream      0      0        0  1f7b2d8        0        0 /tmp/.pgp-agent-copeland-501
(many other internal socket connections)
10
root# netstat -e -s
netstat: illegal option -- e                 (OPTIONS DIFFER FOR OS's)
usage: netstat [-Aan] [-f address_family] [-M core] [-N system]
       netstat [-bdghimnrs] [-f address_family] [-M core] [-N system]
       netstat [-bdn] [-I interface] [-M core] [-N system] [-w wait]
       netstat -m [-M core] [-N system]
pb2:/ root# netstat -s                       ("-s" is for statistics)
tcp:
        88515 packets sent
                30786 data packets (11438091 bytes)
                33 data packets (24237 bytes) retransmitted
                0 resends initiated by MTU discovery
                12554 ack-only packets (2124 delayed)
                38594 window update packets
                6548 control packets
        141942 packets received
                22731 acks (for 11441627 bytes)
                2955 duplicate acks
                127378 packets (137974213 bytes) received in-sequence
                104 completely duplicate packets (134299 bytes)
                7 old duplicate packets
                0 packets with some dup. data (0 bytes duped)
                1836 out-of-order packets (2266419 bytes)
                79 window update packets
                23 packets received after close
                2 discarded for bad checksums
        2284 connection requests
        2011 connection accepts
        4 bad connection attempts
11
sockstat shows the user and application that opened each socket
copeland$ sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
copeland LaunchCF 26267   39 tcp4   127.0.0.1:50456       127.0.0.1:631
copeland firefox- 26234   19 tcp4   127.0.0.1:50532       127.0.0.1:631
copeland firefox- 26234   28 tcp4   127.0.0.1:50531       127.0.0.1:631
copeland mozilla-  1017   25 tcp4   127.0.0.1:5180        *:*
copeland mozilla-  1017   26 udp4   127.0.0.1:49399       127.0.0.1:49399
copeland TextEdit  1000    9 tcp4   127.0.0.1:49768       127.0.0.1:631
copeland TextEdit  1000   10 tcp4   127.0.0.1:49769       127.0.0.1:631
root     AppleFil   371   30 tcp4   *:548                 *:*
root     cupsd      330    0 tcp4   127.0.0.1:631         *:*
root     cupsd      330    2 udp4   *:631                 *:*
root     ntpd       325    5 udp4   *:123                 *:*
root     ntpd       325    6 udp4   127.0.0.1:123         *:*
root     ntpd       325    7 udp4   192.168.1.133:123     *:*
root     automoun   324    7 udp4   127.0.0.1:1022        *:*
root     Director   308    6 tcp4   127.0.0.1:945         127.0.0.1:1033
root     automoun   306    7 udp4   127.0.0.1:1023        *:*
nobody   mDNSResp   170    4 udp4   *:5353                *:*
root     netinfod   125    6 udp4   127.0.0.1:1033        *:*
root     netinfod   125    7 tcp4   127.0.0.1:1033        *:*
root     netinfod   125    8 tcp4   127.0.0.1:1033        127.0.0.1:945
root     syslogd     81    5 udp4   *:514                 *:*
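The exposure check the netstat and sockstat slides point at, as an added example that is not part of the slides: it reads sockstat -4 output in the format above (a constructed subset of that listing is embedded), keeps the listening sockets bound to a wildcard or interface address rather than loopback, and names the process and user behind each one.

```python
from typing import List, NamedTuple

class Sock(NamedTuple):
    user: str
    command: str
    pid: int
    proto: str
    local: str
    foreign: str

# Constructed sample: a subset of the sockstat -4 listing shown above.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
copeland firefox- 26234   19 tcp4   127.0.0.1:50532       127.0.0.1:631
copeland mozilla-  1017   25 tcp4   127.0.0.1:5180        *:*
root     AppleFil   371   30 tcp4   *:548                 *:*
root     cupsd      330    0 tcp4   127.0.0.1:631         *:*
root     cupsd      330    2 udp4   *:631                 *:*
root     ntpd       325    5 udp4   *:123                 *:*
root     ntpd       325    7 udp4   192.168.1.133:123     *:*
nobody   mDNSResp   170    4 udp4   *:5353                *:*
root     syslogd     81    5 udp4   *:514                 *:*
"""

def parse_sockstat(text: str) -> List[Sock]:
    socks = []
    for line in text.splitlines()[1:]:      # first line is the column header
        f = line.split()
        if len(f) < 7:
            continue                        # skip blank or truncated lines
        socks.append(Sock(f[0], f[1], int(f[2]), f[4], f[5], f[6]))
    return socks

def is_listening(s: Sock) -> bool:
    """sockstat prints '*:*' as the foreign address of an unconnected (listening) socket."""
    return s.foreign == "*:*"

def is_network_reachable(s: Sock) -> bool:
    """Bound to every interface ('*') or to a real interface address, not loopback."""
    host = s.local.rsplit(":", 1)[0]
    return host == "*" or not host.startswith("127.")

def exposed_listeners(text: str) -> List[Sock]:
    """Listening sockets remote hosts can reach: this machine's network attack surface."""
    return [s for s in parse_sockstat(text) if is_listening(s) and is_network_reachable(s)]

def exposure_report(text: str) -> List[str]:
    return [f"{s.proto} {s.local} <- {s.command} (pid {s.pid}, user {s.user})"
            for s in exposed_listeners(text)]
```

Loopback-only listeners such as cupsd on 127.0.0.1:631 are dropped; the wildcard syslogd, ntpd, mDNS and AFP sockets are what a remote host could actually reach.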

12
tracert (traceroute)
  • Lists the intermediate routers on the path to the destination
  • Sends Internet Control Message Protocol (ICMP)
    echo packets with incrementing IP Time-To-Live
    (TTL) values to the destination
  • C:\> tracert www.gatech.edu
  • (on Linux: traceroute www.gatech.edu)
  • Alternative: pathping (reports packet loss)

13
traceroute www.gatech.edu
traceroute to www.gatech.edu (130.207.165.120), 30 hops max, 40 byte pkts
 1  10.240.218.1 (10.240.218.1)  1012.12 ms  10.256 ms  9.427 ms
 2  10.240.218.1 (10.240.218.1)  9.912 ms  10.5 ms  11.346 ms
 3  68.86.110.17 (68.86.110.17)  9.731 ms  8.884 ms  38.159 ms
 4  68.86.106.133 (68.86.106.133)  10.817 ms  10.317 ms  10.187 ms
 5  68.86.106.129 (68.86.106.129)  10.705 ms  9.236 ms  9.193 ms
 6  68.86.106.125 (68.86.106.125)  12.139 ms  10.837 ms  33.716 ms
 7  68.86.106.13 (68.86.106.13)  10.551 ms  9.956 ms  9.46 ms
 8  68.86.106.9 (68.86.106.9)  37.252 ms  9.095 ms  11.282 ms
 9  68.86.107.9 (68.86.107.9)  33.98 ms  10.516 ms  10.92 ms
10  c-66-56-22-162.hsd1.ga.comcast.net (66.56.22.162)  10.861 ms  13.678 ms  11.162 ms
11  gw2-sox.sox.gatech.edu (199.77.194.6)  18.354 ms  12.827 ms  13.145 ms
12  campus2-rtr.gatech.edu (130.207.254.118)  12.128 ms  14.005 ms  10.287 ms
13  tlweb.gatech.edu (130.207.165.120)  12.754 ms  12.484 ms  15.765 ms
14  tlweb.gatech.edu (130.207.165.120)  11.034 ms  42.625 ms  10.954 ms
14
nslookup (also 'host' and 'dig')
  • NSLOOKUP is a tool used for troubleshooting and
    checking DNS entries
  • A DNS server must translate the domain name into
    its corresponding IP address
  • Lookup types: IP address, canonical name for an
    alias, host info, mail exchanger records,
    nameserver record, all records
    (a, cname, hinfo, mx, ns, any)
  • C:\> nslookup
  • > set type=mx
  • > gatech.edu

15
Find the Mail Server for addresses ending in "gatech.edu"
nslookup -tmx gatech.edu
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-silent' option to prevent this message from appearing.
Server:         68.87.96.3
Address:        68.87.96.3#53

Non-authoritative answer:
Name:   gatech.edu
Address: 130.207.244.244
16
knoppix-std
  • http://www.s-t-d.org/
  • Linux distribution that runs from a bootable CD
    in memory without changing the native operating
    system of the host computer
  • Open source security tools

17
  • Snort IDS http://www.snort.org/
  • http://www.honeynet.org/index.html
  • 100 tools -
  • http://www.sectools.org/
  • Exploits
  • http://www.metasploit.com/

18
http://www.honeynet.org/scans/index.html
19
http://www.knoppix-std.org/
20
SSH Login without a password
ct5138-02:~ copeland$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/copeland/.ssh/id_rsa): [ENTER]
Enter passphrase (empty for no passphrase): [ENTER]      ([ENTER] = Enter key)
Enter same passphrase again: [ENTER]
Your identification has been saved in /Users/copeland/.ssh/id_rsa.
Your public key has been saved in /Users/copeland/.ssh/id_rsa.pub.
The key fingerprint is:
99:e6:61:f7:76:cb:33:c8:99:e1:2d:96:40:1c:b3:59 copeland@ct5138-02.ece.gatech.edu

ct5138-02:~ copeland$ scp .ssh/id_rsa.pub yamsrv1.ece.gatech.edu:.ssh/authorized_keys   (see NOTE 1)
The authenticity of host 'yamsrv1.ece.gatech.edu (130.207.232.12)' can't be established.
RSA key fingerprint is 9c:07:e8:1d:6a:fa:fb:5b:40:35:e3:2a:1d:d3:95:76.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'yamsrv1.ece.gatech.edu,130.207.232.12' (RSA) to the list of known hosts.
copeland@yamsrv1.ece.gatech.edu's password: YOUR PASSWORD
id_rsa.pub                                    100%  243     0.2KB/s   00:00

NOTE 1: This will delete any public keys already in ".ssh/authorized_keys".
If you are adding a key, send the file to .ssh/X. Then log on to yamserv1
and do "cat .ssh/X >> .ssh/authorized_keys". You should now be able to
"ssh" or "scp" log onto "yamserv1" without a password.
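The server-side step from NOTE 1 done carefully, as an added example rather than the slide's own commands: append a public key to ~/.ssh/authorized_keys without replacing the keys already there, skip it if the same key is present, and leave the file and directory modes sshd's StrictModes check requires. It works on a local path (run it on the server, or on a copy of the file); the key strings in demo() are constructed placeholders, not real keys.

```python
import os
import tempfile
from pathlib import Path

def key_identity(line: str):
    """(key type, base64 blob) of an authorized_keys line, ignoring the comment."""
    parts = line.split()
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    # a line may start with options such as from="..."; the key type follows them
    for i in range(len(parts) - 1):
        if parts[i].startswith(("ssh-", "ecdsa-", "sk-")):
            return (parts[i], parts[i + 1])
    return None

def add_authorized_key(ssh_dir: Path, pubkey_line: str) -> bool:
    """Append one public key to ssh_dir/authorized_keys. True if it was added."""
    new_id = key_identity(pubkey_line.strip())
    if new_id is None:
        raise ValueError("not a public key line")
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    ak = ssh_dir / "authorized_keys"
    data = ak.read_text() if ak.exists() else ""
    if any(key_identity(l) == new_id for l in data.splitlines()):
        return False                        # already authorized: leave the file alone
    with ak.open("a") as fh:                # append; scp to this path would replace it
        if data and not data.endswith("\n"):
            fh.write("\n")
        fh.write(pubkey_line.strip() + "\n")
    os.chmod(ak, 0o600)                     # sshd rejects group/world-writable key files
    os.chmod(ssh_dir, 0o700)
    return True

def demo():
    """Self-check: constructed (not real) key added to a temp dir holding one other key."""
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedNOTAREALKEY copeland@ct5138-02"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / ".ssh"
        d.mkdir()
        (d / "authorized_keys").write_text("ssh-rsa AAAAconstructedOLDKEY other@host")
        first = add_authorized_key(d, key)          # appended after the existing key
        second = add_authorized_key(d, key + "\n")  # duplicate: not added again
        lines = (d / "authorized_keys").read_text().splitlines()
        mode = (d / "authorized_keys").stat().st_mode & 0o777
    return first, second, lines, mode

if __name__ == "__main__":
    print(demo())
```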