Network Tools (screen shots added)

Author: Arnold Harper

1 Network Tools (screen shots added)
ECE-6612, October 14, 2005
Cherita Corbett, John Copeland

2 Outline
ethereal (now wireshark)
nmap
netstat, sockstat
tracert or traceroute
nslookup or host
Knoppix

3 Ethereal
http://www.ethereal.com
Captures packets from a live network connection
Capture filters / display filters
Dissects 700+ protocols
Statistics

4 Ethereal

5 Nmap
http://www.insecure.org/nmap/ "Network Mapper"
What hosts are available
What services/applications are available
What operating system
What type of packet filters/firewalls
Port scanning mechanism
c:\> nmap -v -a
"nmap" without options will show a short list of options.
Linux or unix: use "man nmap".

6 # nmap
Nmap 3.93 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service & app names/versions
  -sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p ports to scan. Example range: ,1080,6666,31337
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -6 scans via IPv6 rather than IPv4
  -T General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG Output normal/XML/grepable scan logs to
  -iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O /16 ' *.*'

7 # nmap -v -sT -p 20-25,80,110,123,443,3306 www.gatech.edu
Starting nmap 3.93 ( ) at :32 EDT
Initiating Connect Scan against ( ) [11 ports] 16:32
Discovered open port 80/tcp on
The Connect() Scan took 11.25s to scan 11 total ports.
Host tlweb.gatech.edu ( ) appears to be up ... good.
Interesting ports on tlweb.gatech.edu ( ):
PORT     STATE    SERVICE
20/tcp   closed   ftp-data
21/tcp   filtered ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
24/tcp   closed   priv-mail
25/tcp   closed   smtp
80/tcp   open     http
110/tcp  closed   pop3
123/tcp  closed   ntp
443/tcp  closed   https
3306/tcp filtered mysql
Nmap finished: 1 IP address (1 host up) scanned in seconds
Raw packets sent: 2 (68B) | Rcvd: 1 (46B)
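The scan above is most useful when its result is compared against what the host is supposed to expose. The following is an added example, not code from the slides or from the nmap project: it parses the PORT/STATE/SERVICE table of nmap's normal output and reports open ports that are not on an allowlist, plus ports a packet filter is silently dropping ("filtered"). The sample text is a re-typed copy of the slide's table; the IP address in it is a documentation placeholder, not the real one.

```python
"""Parse nmap's normal-output port table and audit it against an
expected-exposure baseline (added example; not part of the slides)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the port table from the slide's "nmap -v -sT" run,
# re-typed so the example runs offline (192.0.2.10 is a placeholder address).
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on tlweb.gatech.edu (192.0.2.10):
PORT     STATE    SERVICE
20/tcp   closed   ftp-data
21/tcp   filtered ftp
22/tcp   closed   ssh
23/tcp   closed   telnet
24/tcp   closed   priv-mail
25/tcp   closed   smtp
80/tcp   open     http
110/tcp  closed   pop3
123/tcp  closed   ntp
443/tcp  closed   https
3306/tcp filtered mysql
"""

# One row of the table. Compound states are listed first so that
# "open|filtered" is not cut short at "open".
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|unfiltered|filtered|open|closed)\s+"
    r"(\S+)"
)

# States that mean a packet filter swallowed the probe (no RST, no SYN/ACK).
FILTERED_STATES = {"filtered", "open|filtered", "closed|filtered"}


def parse_port_table(text: str) -> List[Dict]:
    """Return one dict per port line; non-matching lines are ignored."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4)})
    return ports


def open_ports(ports: List[Dict]) -> List[int]:
    return sorted(p["port"] for p in ports if p["state"] == "open")


def audit_exposure(ports: List[Dict],
                   allowed_open: Set[Tuple[int, str]]) -> Dict[str, List[int]]:
    """Open ports not in the allowlist, and ports a firewall is filtering."""
    unexpected = sorted(p["port"] for p in ports
                        if p["state"] == "open"
                        and (p["port"], p["proto"]) not in allowed_open)
    filtered = sorted(p["port"] for p in ports if p["state"] in FILTERED_STATES)
    return {"unexpected_open": unexpected, "filtered": filtered}


if __name__ == "__main__":
    table = parse_port_table(SAMPLE_NMAP_OUTPUT)
    print("open:", open_ports(table))
    # Baseline for a web server: only 80/tcp is supposed to be reachable.
    print(audit_exposure(table, {(80, "tcp")}))
```

Feeding it a real run is a matter of `parse_port_table(open("scan.txt").read())`; the same allowlist check works on the grepable `-oG` format only after its own parser, since that format puts all ports on one line.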

8 Netstat
Displays active ports, network connections, routing tables, interface statistics, masquerade connections, multicast memberships, etc.
Indicates how vulnerable a PC is to attacks
c:\> netstat -b
c:\> netstat -e -s
Linux or UNIX: try "%netstat -a" and "netstat -o"
%netstat -r  # will show routing like Linux "%route"
%man netstat to find appropriate options

9 # netstat -b
Active Internet connections
Proto Recv-Q Send-Q Local Address           Foreign Address         (state)
tcp                 localhost               localhost.ipp           CLOSE_WAIT
tcp                 localhost               localhost.ipp           CLOSE_WAIT
tcp                 localhost               localhost.ipp           CLOSE_WAIT
tcp                 localhost               localhost.ipp           CLOSE_WAIT
tcp                 localhost.netinfo-loca  localhost               ESTABLISHED
tcp                 localhost               localhost.netinfo-loca  ESTABLISHED
udp                 *                       *.*
udp                 *                       *.*
udp                 localhost               localhost.49399
udp                 *.ipp                   *.*
udp                 localhost               localhost.1022
udp                 localhost               localhost.1022
udp                 localhost               *.*
udp                 localhost               localhost.1023
udp                 localhost               *.*
udp                 *.mdns                  *.*
udp                 localhost.netinfo-loca  *.*
udp                 *.syslog                *.*
udp                 *                       *.*
Active LOCAL (UNIX) domain sockets
Address  Type   Recv-Q Send-Q Inode Conn  Refs Nextref Addr
1f7b188  stream                     f7b2d              /tmp/.pgp-agent-copeland-501
(many other internal socket connections)

10 root# netstat -e -s
netstat: illegal option -- e   [OPTIONS DIFFER FOR OS's]
usage: netstat [-Aan] [-f address_family] [-M core] [-N system]
       netstat [-bdghimnrs] [-f address_family] [-M core] [-N system]
       netstat [-bdn] [-I interface] [-M core] [-N system] [-w wait]
       netstat -m [-M core] [-N system]
pb2:/ root# netstat -s   ["-s" is for statistics]
tcp:
    88515 packets sent
        30786 data packets ( bytes)
        33 data packets (24237 bytes) retransmitted
        0 resends initiated by MTU discovery
        12554 ack-only packets (2124 delayed)
        38594 window update packets
        6548 control packets
    packets received
        22731 acks (for bytes)
        2955 duplicate acks
        packets ( bytes) received in-sequence
        104 completely duplicate packets ( bytes)
        7 old duplicate packets
        0 packets with some dup. data (0 bytes duped)
        1836 out-of-order packets ( bytes)
        79 window update packets
        23 packets received after close
        2 discarded for bad checksums
    2284 connection requests
    2011 connection accepts
    4 bad connection attempts

11 sockstat
shows the user, application that opened each socket
copeland% sockstat -4
USER     COMMAND  PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
copeland LaunchCF        tcp   :             :631
copeland firefox         tcp   :             :631
copeland firefox         tcp   :             :631
copeland mozilla         tcp   :             *:*
copeland mozilla         udp   :             :49399
copeland TextEdit        tcp   :             :631
copeland TextEdit        tcp   :             :631
root     AppleFil        tcp4  *:            *:*
root     cupsd           tcp   :             *:*
root     cupsd           udp4  *:            *:*
root     ntpd            udp4  *:            *:*
root     ntpd            udp   :             *:*
root     ntpd            udp   :             *:*
root     automoun        udp   :             *:*
root     Director        tcp   :             :1033
root     automoun        udp   :             *:*
nobody   mDNSResp        udp4  *:            *:*
root     netinfod        udp   :             *:*
root     netinfod        tcp   :             *:*
root     netinfod        tcp   :             :945
root     syslogd         udp4  *:            *:*
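What makes the netstat and sockstat listings above useful for judging exposure is the distinction between sockets bound to the loopback address (reachable only from the machine itself) and sockets bound to `*` (reachable from any interface), together with the user and program that own them. The following is an added example, not code from the slides or from the sockstat tool: it parses text in the layout of `sockstat -4` and lists the listening sockets that are reachable from the network with their owner. The PIDs, FDs and addresses in the sample are constructed; the command names mirror the slide.

```python
"""Classify sockets from a sockstat -4 listing by owner and reachability
(added example; not part of the slides)."""
from typing import Dict, List, Tuple

# Constructed sample in the layout of BSD/macOS "sockstat -4". PIDs, FDs
# and addresses are made up for the example.
SAMPLE_SOCKSTAT = """\
USER     COMMAND  PID   FD PROTO LOCAL ADDRESS     FOREIGN ADDRESS
root     sshd     412    3 tcp4  *:22              *:*
root     cupsd    501    4 tcp4  127.0.0.1:631     *:*
copeland firefox  733   21 tcp4  127.0.0.1:49152   127.0.0.1:631
root     ntpd     388   20 udp4  *:123             *:*
nobody   mDNSResp 390    7 udp4  *:5353            *:*
copeland mozilla  740   12 udp4  127.0.0.1:49399   *:*
"""


def parse_sockstat(text: str) -> List[Dict]:
    """One dict per socket line; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = parts[:7]
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "fd": int(fd), "proto": proto, "local": local,
                     "foreign": foreign})
    return rows


def split_addr(addr: str) -> Tuple[str, str]:
    """'*:22' -> ('*', '22'); '127.0.0.1:631' -> ('127.0.0.1', '631')."""
    host, _, port = addr.rpartition(":")
    return host, port


def is_listener(row: Dict) -> bool:
    # No peer address: a TCP socket in LISTEN, or an unconnected UDP socket
    # that will accept datagrams from anyone.
    return row["foreign"] == "*:*"


def exposure(row: Dict) -> str:
    host, _ = split_addr(row["local"])
    if host in ("*", "0.0.0.0"):
        return "all-interfaces"
    if host.startswith("127."):
        return "loopback-only"
    return "specific-interface"


def exposed_listeners(rows: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """(proto, port, user, command) for every socket a remote host can reach."""
    return [(r["proto"], split_addr(r["local"])[1], r["user"], r["command"])
            for r in rows if is_listener(r) and exposure(r) != "loopback-only"]


if __name__ == "__main__":
    for entry in exposed_listeners(parse_sockstat(SAMPLE_SOCKSTAT)):
        print("%s/%s owned by %s (%s)" % entry)
```

In the sample, cupsd's socket on 127.0.0.1:631 is correctly left out of the report, while sshd, ntpd and mDNSResponder show up because they bind to `*`. Only IPv4 is handled here, which matches the `-4` flag on the slide; IPv6 addresses would need a parser that understands bracketed or colon-heavy forms.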

12 tracert (traceroute)
List intermediate routers in path to destination
Sends Internet Control Message Protocol (ICMP) echo packets with incrementing IP Time-To-Live (TTL) values to the destination
c:\> tracert   (on Linux: %traceroute )
Alternatives: pathping - report packet loss

13 # traceroute www.gatech.edu
traceroute to ( ), 30 hops max, 40 byte pkts
 1  ( ) ms ms ms
 2  ( ) ms ms ms
 3  ( ) ms ms ms
 4  ( ) ms ms ms
 5  ( ) ms ms ms
 6  ( ) ms ms ms
 7  ( ) ms ms ms
 8  ( ) ms ms ms
 9  ( ) ms ms ms
10  c hsd1.ga.comcast.net ( ) ms ms ms
11  gw2-sox.sox.gatech.edu ( ) ms ms ms
12  campus2-rtr.gatech.edu ( ) ms ms ms
13  tlweb.gatech.edu ( ) ms ms ms
14  tlweb.gatech.edu ( ) ms ms ms
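Each line of the output above is the router whose ICMP Time Exceeded reply came back for a given TTL, with three probe round-trip times; a `*` means no reply arrived before the timeout, either because that router does not send Time Exceeded or because a filter dropped it. (Windows tracert uses ICMP echo probes as the slide says; Unix traceroute sends UDP probes to high ports by default, but both rely on the same TTL-expiry mechanism.) The following is an added example, not code from the slides: a parser for traceroute output that handles the `*` case and reports silent hops and where latency jumps. The sample path and addresses are constructed.

```python
"""Parse traceroute output, including timed-out probes, and summarise
per-hop loss and latency (added example; not part of the slides)."""
import re
from typing import Dict, List, Optional

# Constructed sample; hostnames and addresses are placeholders.
SAMPLE_TRACEROUTE = """\
traceroute to www.example.edu (192.0.2.10), 30 hops max, 40 byte pkts
 1  gw.example.net (192.0.2.1)  1.2 ms  0.9 ms  1.1 ms
 2  * * *
 3  core1.example.net (198.51.100.5)  12.4 ms  11.8 ms  13.0 ms
 4  edge.example.net (198.51.100.9)  25.1 ms  *  24.7 ms
 5  www.example.edu (192.0.2.10)  31.0 ms  30.6 ms  30.9 ms
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")        # "<ttl>  <rest>"
HOST_RE = re.compile(r"^(\S+)\s+\(([^)]+)\)")      # "name (address)"
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms|\*")  # "12.4 ms" or "*"


def parse_traceroute(text: str) -> List[Dict]:
    """One dict per hop: ttl, host, ip and a list of RTTs (None = timeout)."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                      # the "traceroute to ..." banner
        rest = m.group(2)
        h = HOST_RE.match(rest)
        host, ip = (h.group(1), h.group(2)) if h else (None, None)
        rtts: List[Optional[float]] = [
            float(p.group(1)) if p.group(1) else None
            for p in PROBE_RE.finditer(rest)
        ]
        hops.append({"ttl": int(m.group(1)), "host": host, "ip": ip, "rtts": rtts})
    return hops


def hop_loss(hops: List[Dict]) -> Dict[int, int]:
    """Number of probes per TTL that got no Time Exceeded reply."""
    return {h["ttl"]: sum(r is None for r in h["rtts"]) for h in hops}


def silent_hops(hops: List[Dict]) -> List[int]:
    """TTLs where every probe timed out (a router that stays quiet)."""
    return [h["ttl"] for h in hops
            if h["rtts"] and all(r is None for r in h["rtts"])]


def latency_jumps(hops: List[Dict], threshold_ms: float = 10.0) -> List[int]:
    """TTLs where the best RTT rose by more than threshold_ms over the
    previous responding hop (a long link or a congested router)."""
    jumps, prev = [], None
    for h in hops:
        vals = [r for r in h["rtts"] if r is not None]
        if not vals:
            continue
        best = min(vals)
        if prev is not None and best - prev > threshold_ms:
            jumps.append(h["ttl"])
        prev = best
    return jumps


if __name__ == "__main__":
    path = parse_traceroute(SAMPLE_TRACEROUTE)
    print("silent hops:", silent_hops(path))
    print("loss per hop:", hop_loss(path))
    print("latency jumps at:", latency_jumps(path))
```

A silent hop in the middle of a path that still reaches the destination is normal (many routers rate-limit or suppress ICMP); a silent run that continues to the last TTL means the destination or a filter in front of it is dropping the probes.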

14 nslookup (also 'host' and 'dig')
NSLOOKUP is a tool that is used for troubleshooting and checking DNS entries
A DNS server must translate the domain name into its corresponding IP address
Lookup types: IP address, canonical name for an alias, host info, mail exchanger records, nameserver record, all records (a, cname, hinfo, mx, ns, any)
c:\>nslookup
>set type=mx
>gatech.edu

15 Find the Mail Server for addresses ending in "gatech.edu"
# nslookup -t=mx gatech.edu
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:
Address: #53
Non-authoritative answer:
Name: gatech.edu
Address:
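Behind `set type=mx` is a small UDP exchange: the client sends a query with QTYPE 15 (MX) and the server answers with preference/exchange pairs, usually compressing repeated domain names with pointers back into the question. The following is an added example, not code from the slides or from nslookup/dig: it builds that query with the standard library only, parses the reply (including compression pointers and the transaction-id check), and includes a constructed server reply for example.com so the parser can be exercised offline. `query_mx` sends the real query to whatever resolver address the caller supplies and is not run here.

```python
"""Build a DNS MX query and parse the reply, stdlib only (added example;
not part of the slides)."""
import random
import socket
import struct
from typing import List, Optional, Tuple

QTYPE_MX = 15
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'gatech.edu' -> b'\\x06gatech\\x03edu\\x00' (uncompressed wire form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_MX, txid: int = 0x1234) -> bytes:
    # Header: ID, flags (only RD set), QDCOUNT=1, AN/NS/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                  # name ends after the pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_mx_response(msg: bytes, expected_id: Optional[int] = None) -> List[Tuple[int, str]]:
    """Return sorted (preference, exchange) pairs from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch")   # reply is not ours
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                               # skip question section
        _, off = read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_MX and rclass == QCLASS_IN:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            exchange, _ = read_name(msg, off + 2)
            records.append((pref, exchange))
        off += rdlen
    return sorted(records)


def build_mx_response(txid: int, qname: str, mx_list: List[Tuple[int, str]], ttl: int = 3600) -> bytes:
    """Constructed server reply used to test the parser offline. Exchange
    names under qname are written with a pointer to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(mx_list), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_MX, QCLASS_IN)
    answers = b""
    for pref, exchange in mx_list:
        if exchange.endswith("." + qname):
            prefix = exchange[:-(len(qname) + 1)]
            rdname = b"".join(bytes([len(l)]) + l.encode("ascii")
                              for l in prefix.split(".")) + b"\xc0\x0c"
        else:
            rdname = encode_name(exchange)
        rdata = struct.pack("!H", pref) + rdname
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def query_mx(name: str, server: str, timeout: float = 3.0) -> List[Tuple[int, str]]:
    """Send the query over UDP to 'server' (a resolver address you supply)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_mx_response(data, expected_id=txid)
```

The transaction-id check and the hop limit in `read_name` are the two places a careless parser gets into trouble: accepting a reply whose id does not match means accepting an answer you did not ask for, and following compression pointers without a bound lets a malformed reply spin the parser forever.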

16 knoppix-std (now 'std')
http://www.s-t-d.org/
Linux distribution that runs from a bootable CD in memory without changing the native operating system of the host computer
Open source security tools

17 Other Things
http://www.honeynet.org/index.html
Ping
Snort
