The Basics
Ping/pathping/telnet/dig/traceroute/whois/netstat/nslookup.
While there are many whiz-bang high-tech tools out there to assist in security
auditing, don't forget about the basics! Everyone should be very familiar with these
tools as they come with most operating systems (Windows omits whois and dig, and calls traceroute tracert).
They can be very handy in a pinch, although for more advanced usage you may be
better off with Hping2 and Netc…
To establish if there is network connectivity to a host:
·
ping ipaddress/nameofhost
No reply does not prove the host is down: many hosts and firewalls silently drop ICMP Echo Requests, so confirm with a TCP probe (telnet to a port, or nmap, both below) before concluding anything.
Pathping
Pathping displays information for the destination computer and all routers along the way.
For example, to display the information of all router paths to yahoo.com, use
the command pathping yahoo.com.
·
pathping ipaddress/nameofhost
After running pathping, you first see the route as it is
tested for problems. This is the same path as that shown by the tracert command. The pathping
command then displays a busy message for the next few minutes (325 seconds in the original example; the time varies
with the hop count, because by default pathping sends 100 queries per hop at 250 ms intervals, i.e. about 25 seconds per hop; the -q and -p options shorten this). During this time, pathping gathers
information from all the routers previously listed and from the links among
them. At the end of this period, it displays the test results.
The Node/Link, Lost/Sent=Pct
and Address columns provide the most useful information. A hop where Lost/Sent jumps and stays high for every hop after it is where the loss is really being introduced; loss reported for a single router only, with clean hops after it, usually just means that router rate-limits its own ICMP replies and is not a real problem.
Telnet
"a
terminal emulation program for TCP/IP networks such as the Internet. The Telnet
program runs on your computer and connects your PC to a server on the network.
You can then enter commands through the Telnet program and they will be
executed as if you were entering them directly on the server console. This
enables you to control the server and communicate with other servers on the
network. To start a Telnet session, you must log in to a server by entering a
valid username and password. Telnet is a common way to remotely control Web
servers."
-www.frognet.net
·
telnet ipaddress/nameofhost
·
telnet ipaddress/nameofhost port
The second form is the more useful one for auditing: connecting to an arbitrary TCP port tells you whether that port is reachable (an immediate "connection refused" means closed, a hang until timeout usually means a firewall is dropping the packets) and often shows the service banner. Telnet itself sends everything, including the login password, in clear text; use SSH to administer servers and treat a listening telnet service as a finding.
Tracert
“Tracert is
a Windows based command-line tool that you can use to trace the path that an
Internet Protocol (IP) packet takes to its destination from a source. Tracert will determine the path taken to a destination. It
does this by sending Internet Control Message Protocol (ICMP) Echo Request
messages to the destination. When sending traffic to the destination, it will
incrementally increase the Time to Live (TTL) field values to aid in finding
the path taken to that destination address. The path is outlined from this
process.”
-www.windowsnetworking.com
·
tracert ipaddress/nameofhost
The output is a list of the routers used along the way, with three round-trip times in ms and the IP address/hostname of each hop. A hop shown as * * * did not answer within the timeout (commonly a router or firewall that drops or rate-limits ICMP); the trace normally continues past it.
Default number of hops is 30. To change this (in this case to 50):
·
tracert -h 50 ipaddress/nameofhost
On Linux the equivalent is traceroute, which by default sends UDP probes to high-numbered ports rather than ICMP Echo Requests (traceroute -I uses ICMP), so the two can give different results through a firewall.
The per-hop times tracert prints are single samples, and it does not measure packet loss at all. To trace a path and get
network latency and packet loss statistics for each router and link in the path, use the pathping command.
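To make the mechanism in the tracert quote concrete, here is an added example (not from the original page, and not a real tracert) that simulates the TTL trick on a constructed path: every router decrements the TTL, the one where it hits zero discards the probe and answers with ICMP Time Exceeded, and the sender raises the TTL by one per round until the destination itself replies or the -h limit is reached. The router addresses, RTTs and the silent second hop are all made up for the demonstration; a real tracert sends three probes per TTL, and Windows tracert uses ICMP Echo while Linux traceroute defaults to UDP.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    addr: str
    rtt_ms: float
    answers_icmp: bool = True   # False: drops ICMP Time Exceeded, shows up as "*"


@dataclass
class Hop:
    ttl: int
    addr: str                   # "*" when nothing came back before the timeout
    rtt_ms: Optional[float]


def forward_probe(path: List[Router], dest: Router, ttl: int) -> Tuple[Optional[str], Optional[float]]:
    """Carry one probe along `path` toward `dest` with the given initial TTL.

    Each router decrements the TTL before forwarding.  The router at which it
    reaches zero discards the packet and (normally) sends back an ICMP Time
    Exceeded from its own address; that reply is what reveals the hop.
    Returns (replying address, rtt) or (None, None) on timeout.
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            return (router.addr, router.rtt_ms) if router.answers_icmp else (None, None)
    # TTL survived every router: the destination receives the probe and
    # answers it (ICMP Echo Reply for tracert's ICMP Echo probes).
    return dest.addr, dest.rtt_ms


def trace(path: List[Router], dest: Router, max_hops: int = 30) -> List[Hop]:
    """tracert's loop: TTL 1, 2, 3, ... until the destination answers or
    max_hops (tracert -h) is exhausted."""
    hops: List[Hop] = []
    for ttl in range(1, max_hops + 1):
        addr, rtt = forward_probe(path, dest, ttl)
        hops.append(Hop(ttl, addr or "*", rtt))
        if addr == dest.addr:
            break
    return hops


def reached(hops: List[Hop], dest: Router) -> bool:
    """True when the last line of the trace is the destination itself."""
    return bool(hops) and hops[-1].addr == dest.addr


# Constructed path (not a real network): three routers, the second of which
# never sends ICMP Time Exceeded, so it appears as "*" in the trace.
PATH = [
    Router("192.168.1.1", 1.0),
    Router("10.0.0.1", 8.0, answers_icmp=False),
    Router("203.0.113.1", 15.0),
]
DEST = Router("198.51.100.10", 22.0)

if __name__ == "__main__":
    for hop in trace(PATH, DEST):
        rtt = f"{hop.rtt_ms:.0f} ms" if hop.rtt_ms is not None else "*"
        print(f"{hop.ttl:3d}  {rtt:>8}  {hop.addr}")
```

Running it prints four lines, with hop 2 as "*": the trace continues past a silent router because the next TTL simply reaches the router after it. With max_hops=2 the loop ends before the destination answers, which is what a tracert that stops at "Trace complete" without showing the target looks like when -h is too small.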
Whois
Every domain registered for use on the internet (through an ICANN-accredited registrar, or the relevant country-code registry) has a WHOIS database
entry; by checking the WHOIS database, you can learn about the ownership and
related details of other sites.
Useful to find out about who sent you that spam, who runs a competitor's
website, etc. For an IP address rather than a domain, the record comes from the regional registry that allocated the block (ARIN, RIPE NCC, APNIC, LACNIC or AfriNIC) and tells you which ISP or organisation holds it, which is usually the abuse contact you want.
On Linux/UNIX the command itself is:
·
whois domainname
·
whois -h whois.arin.net ipaddress
Retrieving a WHOIS record for .com, .net, .org, .info, .biz, and .us domains is as easy as
dropping by whois.sc and entering the domain name in the query box on the front page. The official
WHOIS service is actually run by InterNIC, but I find whois.sc
more useful, as it provides additional data which InterNIC
does not. Similar search services are available for other top-level domains,
such as Nominet for .uk.
The results will provide all the basic information included in the WHOIS database, such as
the details of the registrant, registrar, administrative and technical
contacts; the nameservers which provide information
on where traffic for that domain should be routed; and the dates of creation
and next renewal for the domain. The results from whois.sc
(but not InterNIC) also include additional data such
as the site's description and keywords, whether it has an SSL certificate, where it
is listed in DMOZ,
the specifics of the server software, the IP address and location, and more.
Treat the contact details with care: many registrants use a privacy or proxy service, and nothing stops a spammer registering a domain with false details, so the record tells you where to send an abuse complaint more reliably than who is really behind the site.
My order of preference:
·
http://www.networksolutions.com/whois/index.jsp
And for .uk:
·
http://www.nic.uk/other/whois/contract/
And Global:
·
http://www.infobear.com/whois.shtml
Netstat
Netstat is a TCP/IP tool that comes with most versions of Windows and UNIX. It's the
quickest way to check what TCP and UDP ports are in use on a computer. Best of
all, because it's a built-in utility, it's available on most computers; you
don't need to download anything. After you use Netstat
to get a list of ports in use, you can check whether all of them
should indeed be in use. The output from the netstat
command can also point you to the programs listening on your
computer that may present a vulnerability: on Windows, netstat -ano adds the owning process ID to every line (match it up with tasklist), and on Linux netstat -tulpn (or ss -tulpn) shows the PID and program name of each listener. In addition, you can use Netstat to list all current connections that your computer
has established to other computers, as well as what incoming connections exist.
You get results about both open connections and listening ports by using the -a option, as in netstat -a.
Because Netstat is most likely included with your
operating system, you can use it directly from a command line. Add -n to skip the reverse DNS lookups; it is much faster and does not stall when DNS is slow.
To show all active/current connections on your PC:
·
netstat
The results show the protocol (TCP or UDP), the local address (your IP address and port), the
foreign address (the remote IP address and port), and the connection state (LISTENING, ESTABLISHED, TIME_WAIT, etc.; UDP sockets have no state).
To show the same as above plus listening ports:
·
netstat -a
To see if packets are flowing in/out of the machine (on Windows, -e shows the Ethernet interface statistics):
·
netstat -e
To see packets in/out categorised according to their protocols:
·
netstat -e -s
One of the biggest concepts in TCP/IP networking is routing. NETSTAT allows you to examine a
computer's routing tables by following the NETSTAT command with the -r
parameter. For each active route, NETSTAT will display the destination address,
the net mask, the gateway, the interface, and the metric. Beneath this
information, NETSTAT will display persistent routes separately;
NETSTAT also differentiates between the routes associated with each network
interface on multihomed machines:
·
netstat -r
Remember that netstat only reports what the running kernel tells it, so a kernel-level rootkit can hide a listener from it. Cross-check the list against a port scan of the machine from a second host (see Nmap below): a port that is open on the wire but absent from netstat is a serious finding.
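The "check whether all of them should indeed be in use" step above is easy to do by eye on one machine and tedious on twenty. The following is an added example, not code from the original page: it parses output in the layout of Windows "netstat -ano" and reports every listening socket that is not on an expected-ports baseline, together with the owning PID. The sample output and the baseline are constructed for the demonstration; a real baseline should come from a known-good build of the same machine type.

```python
import re
from typing import List, Set, Tuple

# Constructed sample in the layout of Windows "netstat -ano" (not captured
# from a real machine).  UDP lines carry no State column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1260
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3172
  TCP    192.168.1.20:49731     203.0.113.9:443        ESTABLISHED     2044
  TCP    [::]:135               [::]:0                 LISTENING       948
  UDP    0.0.0.0:123            *:*                                    1100
  UDP    0.0.0.0:5353           *:*                                    3172
"""

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

Listener = Tuple[str, int, str, int]   # (proto, port, local address, pid)


def listeners(netstat_output: str) -> List[Listener]:
    """Every socket that accepts traffic: TCP in LISTENING (Windows) / LISTEN
    (Linux) state, plus every bound UDP socket (UDP has no connection state)."""
    found: List[Listener] = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # headers, blank lines
        if m["proto"] == "TCP" and m["state"] not in ("LISTENING", "LISTEN"):
            continue                                   # established, time_wait, ...
        addr, port = m["local"].rsplit(":", 1)          # also copes with [::]:135
        found.append((m["proto"], int(port), addr, int(m["pid"])))
    return found


# Baseline of ports this host is supposed to expose (constructed example:
# RPC endpoint mapper, SMB, RDP and NTP).
EXPECTED: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}


def unexpected_listeners(netstat_output: str, expected=EXPECTED) -> List[Listener]:
    """Listeners not in the baseline.  Each one needs a PID lookup
    (tasklist /fi "pid eq N" on Windows) to decide whether it is legitimate."""
    return [l for l in listeners(netstat_output) if (l[0], l[1]) not in expected]


if __name__ == "__main__":
    for proto, port, addr, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port} owned by PID {pid}")
```

On the sample this flags TCP 4444 and UDP 5353, both owned by PID 3172; the established connection on port 49731 is ignored because it is not a listener. The same approach works on Linux by feeding it "netstat -tulpn" output once the regular expression is adjusted for the extra Recv-Q/Send-Q columns and the PID/Program name field.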
Nslookup
To check that a DNS server can resolve external names, and to see which mail servers a domain uses:
·
At a command prompt, type nslookup, and then press ENTER (this shows the local DNS server in use and enters interactive mode).
OR
·
At a command prompt, type nslookup domain name, and then press ENTER (to resolve that name with the default server and see its records).
THEN, in interactive mode:
·
Type server <IP address>, where IP address is the IP address of the DNS server you want to query (for example your external DNS server), and then press ENTER.
·
Type set q=MX, and then press ENTER.
·
Type <domain name>, where domain name is the name of an external mail domain, and then press ENTER. The results show the records retrieved from the selected DNS server.
The mail exchanger (MX) resource records for the domain that you entered should be displayed. If no MX
record is displayed, either the server you selected cannot resolve external domain
names (check again with a domain that certainly has MX records), or the domain genuinely publishes none.
On Linux/UNIX, dig does the same in one line and prints the raw answer section, which is easier to read and to script:
·
dig @<IP address> <domain name> MX
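What the three interactive nslookup steps above actually do is build one UDP DNS query (type MX, class IN) for the chosen server and decode the answer section of the reply. The following added example, not code from the original page, does the same with nothing but the Python standard library: it builds the query packet, decodes a reply including compressed names, and keeps only the MX records. query_mx needs a reachable resolver; the parser is exercised offline on a reply that is constructed by hand for the demonstration (it is not a capture from a real server).

```python
import socket
import struct
from typing import List, Tuple

TYPE_MX, CLASS_IN = 15, 1


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_MX, txid: int = 0x1234) -> bytes:
    """Header (id, flags RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at `off`; return (name, next offset).
    A byte with the top two bits set is a pointer to an earlier copy of the
    rest of the name (RFC 1035 message compression)."""
    labels, jumped, next_off = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                next_off = off + 2          # the pointer itself is 2 bytes long
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        next_off = off
    return ".".join(labels), next_off


def parse_mx_response(msg: bytes, txid: int = 0x1234) -> List[Tuple[int, str]]:
    """Return [(preference, exchange), ...] sorted by preference."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not an answer to our query")
    if flags & 0xF:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                # skip the echoed question
        _, off = read_name(msg, off)
        off += 4                            # qtype + qclass
    records = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            exchange, _ = read_name(msg, off + 2)
            records.append((pref, exchange))
        off += rdlen
    return sorted(records)


def query_mx(name: str, server: str, timeout: float = 3.0) -> List[Tuple[int, str]]:
    """The 'server X / set q=MX / name' sequence as one UDP exchange (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_mx_response(data)


def constructed_response() -> bytes:
    """A hand-built reply for 'example.com MX' for the offline demo: two
    answers whose owner name is a pointer (0xC00C) back to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_MX, CLASS_IN)

    def rr(pref: int, host: str) -> bytes:
        rdata = struct.pack("!H", pref) + encode_name(host)
        return struct.pack("!HHHIH", 0xC00C, TYPE_MX, CLASS_IN, 3600, len(rdata)) + rdata

    return header + question + rr(20, "mx2.example.com") + rr(10, "mx1.example.com")


if __name__ == "__main__":
    print(parse_mx_response(constructed_response()))
```

The transaction-id check is the bare minimum a resolver must do: a reply whose id does not match ours is either stray or forged and must be discarded, although a 16-bit id on its own is far too weak to rely on against an attacker who can flood spoofed answers (source-port randomisation and DNSSEC exist for that reason).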
For most commands, typing <command> /? (Windows)
or <command> --help and man <command> (Linux) will show the relevant help. For nslookup, start it by typing nslookup, then type ? (or help) at the prompt.
Nmap
“Nmap ("Network Mapper") is a free open
source utility for network exploration or security auditing. It was designed to
rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what
hosts are available on the network, what services (application name and
version) those hosts are offering, what operating systems (and OS versions)
they are running, what type of packet filters/firewalls are in use, and dozens
of other characteristics. Nmap runs on most types of
computers and both console and graphical versions are available. Nmap is free and open source.”
- http://insecure.org/nmap
“Linux is far and away the most popular platform for running
Nmap. In one user survey, 86% said that Linux was at
least one of the platforms on which they run Nmap.
Linux users can choose between a source code install or using binary packages provided by their distribution. The
binary packages are generally quicker and easier to install, and are often
slightly customized to use the distribution's standard directory paths and
such. These packages also allow for consistent management in terms of
upgrading, removing, or surveying software on the system. A downside is that
packages created by the distributions are necessarily behind the Insecure.Org
source releases. Most Linux distributions (particularly Debian
and Gentoo) keep their Nmap
package relatively current, though a few are way out of date. Choosing the
source install allows for more flexibility in determining how Nmap is built and optimized for your system. To build Nmap from source, see the section
called “UNIX Compilation and installation from source code”. Here are
simple package instructions for the most common distributions.”
- http://insecure.org/nmap
“While Nmap was once a UNIX-only tool,
a Windows version was released in 2000 and has since become the second most
popular Nmap platform (behind Linux). Because of this
popularity and the fact that many Windows users do not have a compiler, binary
executables are distributed for each major Nmap
release. While it has improved dramatically, the Windows port is not quite as
efficient or stable as on UNIX. Here are some known limitations:
·
You cannot generally scan your own
machine from itself (using a loopback IP such as
127.0.0.1 or any of its registered IP addresses). This is a Windows limitation
that we haven't found a way around. If you really want to do this, use a TCP
connect scan without pinging (-sT -P0)
as that uses the high level socket API rather than sending raw packets.
·
Nmap only supports Ethernet interfaces (including many 802.11 wireless
cards) unless you use the -sT -P0
options. RAS connections (such as PPP dialups) are not supported. This support
was dropped when Microsoft removed raw TCP/IP socket support in Windows XP SP2.
Now Nmap must send lower-level ethernet
frames instead.
·
Version detection cannot use SSL
scan-through”
- http://insecure.org/nmap
Nmap is a command line tool. However you can install NmapFE on top of Nmap, which gives Nmap a GUI. NmapFE only works in Linux, not Windows; its successor Zenmap, shipped with current Nmap releases, runs on Windows as well.
Nmap Commands
There are a lot of nmap commands. Included here are some of the
basic commands that any user of nmap must know.
(Ideally run as root in Linux: SYN scans, OS detection and the raw-packet host discovery probes all need raw socket access. As an unprivileged user nmap silently falls back to a TCP connect scan.)
First initial scans of network (host discovery)…
To scan a range/list of hosts:
·
nmap 192.168.1.0-255
This shows a list of all hosts that are up, together with their open ports (from nmap's default port set). Very useful!
To see a list of machines (can be UP or DOWN):
·
nmap -sL 192.168.1.0-100 (List Scan)
This sends no packets to the targets at all; it only lists the addresses and their reverse-DNS names, so it is safe to run when you must not touch the hosts.
To see a list of machines that are UP:
·
nmap -sP 192.168.1.0-100 (Ping Scan)
This shows a simple list of machines that are up and a few details for each one. (In current versions the option is spelled -sn; -sP still works as an alias.)
To skip the procedure for establishing if each host is up, and go on to scan each machine
to show more detail (this will show open ports/services for each
machine):
·
nmap -P0 192.168.1.0-100
Why would a user do this? Sometimes pings are blocked and a host seems down when it isn't.
The -P0 option (now spelled -Pn) treats all hosts as up, doesn't try to ascertain if they're
available, and goes ahead with port probing. Against a range with many unused addresses it makes the scan much slower, because every address gets a full port scan.
To do a TCP connect scan (it completes the full three-way handshake through the operating system's socket API, so it needs no root privileges and is the only scan type that works on Windows against the machine itself; for IPv6 targets add the -6 option):
·
nmap -sT 192.168.1.0-100
From
personal experience it seems that this shows more open ports than other nmap commands for scanning a network. Obviously it can scan
IPv6 and shows any that are available.
To find 'interesting' ports, plus the MAC addresses (and NIC vendors) of hosts on the same Ethernet segment:
·
nmap -sS 192.168.1.0-100
This is the SYN ("half-open") scan: nmap sends a SYN and judges the port from the SYN/ACK or RST that comes back without ever completing the handshake, so it is faster and less likely to be logged by the application than -sT, and it is the default when running as root. Machine names come from reverse DNS whatever the scan type.
To find out what OS each machine is running:
·
nmap -O 192.168.1.0-100
OS detection needs at least one open and one closed TCP port on the target to give a reliable answer.
After scanning the network to establish which machines are available, we can select a specific machine to scan in more
depth (to find open ports, etc)…
To scan a specific domain/host for open ports:
·
nmap www.domainhostname.co.uk
This scans one host on nmap's default port set: older versions scanned every port up to 1024 plus the higher numbered ports listed in the
services file, while current versions scan the 1000 most commonly used ports. Neither is everything; use -p- to scan all 65535 ports, or -p with an explicit list.
To scan specific ports:
·
nmap -sU -sT -p U:53,T:21-25 www.domainhostname.co.uk
…will scan just UDP port 53 and TCP ports 21 to 25. The U: part of the list is only probed if a UDP scan (-sU) is requested alongside a TCP scan type.
Once you discover a machine's visible ports, you need to know which services are running on them in order to inventory them or determine which exploits the machine may be vulnerable to. The -sV option enables version detection: nmap connects to each open port and matches the banner and probe responses against its signature database. The -A option enables OS detection and version detection together (and, in current versions, the default scripts and a traceroute as well); it is the most informative single option but also the noisiest and slowest, so use -sV on its own where you want to keep the scan light.
·
nmap -sV hostdomainname.co.uk (shows services)
·
nmap -A hostdomainname.co.uk (shows services AND OS)
Nmap output states: open = an application is accepting connections on the port. closed = the port is reachable (the host answered with RST) but nothing is listening on it. filtered = no answer, or an ICMP error, came back, so nmap cannot tell whether the port is open; usually an intervening firewall. Nmap also reports unfiltered (reachable but state unknown; ACK scan only) and the combined open|filtered and closed|filtered when the scan type cannot distinguish the two, which is common with UDP scans because an open UDP port often just stays silent.
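The open/closed/filtered distinction is easiest to understand by doing a connect scan by hand. This is an added example, not code from the original page or from the Nmap project: it classifies ports exactly the way nmap's -sT does, from the result of the operating system's connect() call, and demonstrates it offline by listening on one loopback port and leaving a neighbouring port closed. The only real network it touches is 127.0.0.1; "filtered" cannot be shown on loopback, so that branch is explained in the comments instead.

```python
import socket
from typing import Dict, List


def connect_scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """Classify ports the way nmap -sT does, via the OS socket API (no raw packets).

    open     : connect() completed the three-way handshake, something is listening
    closed   : the host answered the SYN with RST (connection refused)
    filtered : nothing came back before the timeout, or an ICMP error arrived;
               typically a firewall dropping the probe
    """
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:          # RST received
                results[port] = "closed"
            except (socket.timeout, OSError):        # silence or ICMP unreachable
                results[port] = "filtered"
    return results


def _unused_loopback_port() -> int:
    """Ask the kernel for a free port, then release it so it is closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    """Offline demonstration on loopback: one listening port and one closed
    port, scanned together.  The kernel completes the handshake for a
    listening socket even before accept() is called, which is exactly why a
    connect scan leaves a full connection (and usually a log entry) on the
    target while a SYN scan (-sS) does not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                 # port 0: kernel picks a free one
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = _unused_loopback_port()
    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "result": result}


if __name__ == "__main__":
    d = demo()
    for port in sorted(d["result"]):
        print(f"{port}/tcp {d['result'][port]}")
```

Against a real target, point connect_scan at the host and a port list; a port that takes the full timeout to come back as "filtered" is the tell-tale of a firewall dropping SYNs rather than rejecting them, and the reason a scan of a firewalled host is so much slower than a scan of an open one.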
Nmap is an in-depth tool and these are just some of the basic commands that are typically
used. For more information, type nmap -h at the prompt, or read man nmap.
Nessus
Nessus is one of the best free network vulnerability scanners available,
and the best to run on UNIX at any price. It is constantly updated, with more
than 11,000 plugins for the free (but registration
and EULA-acceptance required) feed. Key features include remote and local
(authenticated) security checks, a client/server
architecture with a GTK graphical interface, and an embedded scripting language
for writing your own plugins or understanding the
existing ones. Nessus 3 is now
closed source, but is still free-of-cost unless you want the very newest plugins.
But I haven’t (as yet) used it! So no
instructions!
SamSpade (1.14)
“Sam Spade is one of the
most comprehensive network investigation tools in existence. It acts as a
sleuth that finds as much public information about an IP address or DNS address
as you can imagine. Suppose that your logs show that someone tried to scan your
network for open ports and the log lists the potential intruder's IP address.
No problem — Sam Spade to the rescue.
You can use Sam Spade to find more information about the IP
address, such as who the address is registered to and
the route between your computer and the computer at the remote IP address. Then
you can query the registration records for this IP address and find out the
Internet Service Provider (ISP) who owns the IP address, including the contact
information. This is just one example of the many tools included that you can
use to track down information.”
- Publishers Description
Sam Spade
provides a consistent GUI and implementation for many handy network query
tasks. It was designed with tracking down spammers in mind, but can be useful
for many other network exploration, administration, and security tasks. It
includes tools such as ping, nslookup, whois, dig, traceroute, finger,
raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and
more. Non-Windows users can enjoy online versions of many of their tools.
Installation
Website is
currently down (8/July/2007), but Samspade (For
Windows) can be downloaded from:
·
http://static.samspade.org/ssw/spade114.exe
Examples of Using Samspade…
Decoding a URL:
In a phishing case, you first check the message for phishing characteristics by viewing the message's HTML
source code. In the source code, you find a spoofed link to the bank web site.
These days, many phishing attacks obfuscate the URL
to make it more difficult to identify a spoofed link. Sam Spade includes a
feature to decode a URL. Although this feature doesn't unravel an obfuscated
source, it does return the alias and IP addresses associated with a URL on the
Internet.
For example, if you use Sam
Spade's Decode URL tool to look up the URL http://www.microsoft.com, the tool
confirms the canonical name as www.microsoft.com and returns the associated IP
addresses. In fact, you'll see quite a few addresses, which is appropriate
given Microsoft's size and
business model. However, suppose the message allegedly from Microsoft contains
a link to http://www.micros0ft.com. If you enter this URL in Decode URL, the
tool confirms the alias because someone registered it as a domain name. But the
tool returns only one IP address—which should set off alarm bells, because a
large company likely has multiple Web gateways. Note that, as with any
investigation, you need to use the tool's output together with your own
experience and intuition to determine whether you're looking at legitimate or
malicious activity.
Now, you can right-click the IP address Sam Spade returned
to access a context-aware set of commands you can run against the address.
Select IP block, and Sam Spade will tell you
that the IP address associated with www.micros0ft.com is registered to Verizon Internet Services. It's doubtful that a company as
large as Microsoft would use an ISP that serves residential and small business
customers, adding to the evidence that micros0ft.com is a misleading Web site
related to a phishing scam.
Analyzing Email Headers:
Every email message includes Internet headers, which Sam Spade can parse to
help you separate legitimate email from spam or phishing
attacks. To use Microsoft Outlook to find the raw Internet headers, open an
email message, select the View menu, then click
Options. Next, select and copy the Internet headers. Switch to Sam Spade, click
the Tools menu, then click Parse Email Headers. Paste
the copied data into the dialog box that appears, and click the Parse button.
Sam Spade opens two new
windows. The first window contains a colour-coded analysis of the headers, which
highlights useful information such as sender email address and domain and the
IP address of the originating server. The second
window is an email message containing a copy of the header, which you can send
to an ISP abuse address. Sam Spade looks up the abuse email address (available
from the ISP via its domain information records) and creates an email message
for you; the tool even includes a set of predefined abuse email templates you
can choose from, including Webhosting, clickthrough, dialup, dropbox,
relay, and dns. You need only edit the email message
and click Send.
A phishing
message often spoofs the From address of a well-known
domain. For example, some email senders route messages through their own domain
or maybe their ISP's domain. Other companies hire third parties to send their
email. But spoofing the IP address of the sending computer is much more
difficult. Even if the phishing perpetrator uses a
mail relay, the relay won't match the IP address associated with the domain in
the email message's From address. Using email Internet
header information, you can right-click the sending IP address (or resolved
name) and select the Whois tool to perform additional
analysis, as Figure
1 shows. (Note that the IP addresses in Figure 1
are whited out for privacy reasons.)
I used this feature, for
example, to analyze an email message I received from eTrade,
which came from a mail server named
eppsuiron1.adp-ics.com. Sam Spade identified the server owner as ADP-BPS. I
then searched for ADP-BPS and ADP-ICS in Google and found that ADP-ICS stands for
Automatic Data Processing Investor Communication Services, a division of ADP's
Brokerage Services Group. Everything checked out.
Sam Spade's most helpful
feature is its context awareness. It can recognize Fully Qualified Domain Names
(FQDNs) and IP addresses from any of its output
windows. To investigate further, just right-click one of these objects and
select from the several additional tasks. For example, after you parse the
email headers, you can right-click the sender IP address and select IP block
to learn more about the network owner of that IP address. All the tools in
Sam Spade have context-aware menus, making it easier and quicker to investigate
by using the bundled suite than by using each tool individually.
DNS and IP Lookup:
I use Sam Spade predominately for its IP address lookup and DNS reverse lookup
features. In the tool suite, right-click an FQDN or enter it into the main
field, then click the Whois tool. Sam Spade returns
reverse DNS lookup information from one of a variety of Whois
sites. The tool bundle also includes the DNS lookup tools Dig and Nslookup.
Sam Spade colour-codes its output, letting you easily scan for relevant
information, such as organization name and host country. The tool also gives
you information about a net-block (a block of consecutive IP addresses, aka a subnet) so that you can see whether the ISP
is, for example, a large provider for a DSL or cable service or a provider for
a single company. In addition, Sam Spade includes a rudimentary port scanner, an SMTP relay
test tool, a blackhole lookup tool, and a Web site
fetching tool similar to Wget.
On the Case:
Sam Spade lets you easily run multiple commands to look for different pieces of
information and further analyze the results by using the tool's context-aware
menus. You can even configure the suite's logging to save all the interesting
information you find during your investigations and copy it to another program
or write it to a text file. Although spam, phishing,
and other email threats continue to grow, you probably won't analyze even a
fraction of the total email you receive. But when you do need to investigate a
suspicious email message, Sam Spade is on the case.
- Most of
the above is from
http://www.windowsitpro.com/Windows/Articles/ArticleID/50635/pg/2/2.html
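The header analysis the article describes (find the IP address that really delivered the message and compare it with the domain in the From address) can be scripted without Sam Spade. The following is an added example, not code from the page or from Sam Spade: it parses the Received: chain of a constructed phishing-style message, walks it newest-first to find the ingress IP at our own trusted relays, and reports whether that host's reverse DNS belongs to the From domain. The message, the relay names in TRUSTED_RELAYS and all addresses are made up for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Set, Tuple

# Constructed phishing-style message (not a real capture).  The From: header
# claims to be a bank; the Received: chain says who really connected to us.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.com with ESMTP id abc123; Mon, 9 Jul 2007 10:00:05 +0100
Received: from smtp.bigbank.example (dsl-198-51-100-23.isp.example [198.51.100.23])
    by mx.example.org with ESMTP id def456; Mon, 9 Jul 2007 10:00:01 +0100
Received: from bigbank-internal (10.0.0.5) by smtp.bigbank.example; Mon, 9 Jul 2007 09:59:58 +0100
From: "BigBank Security" <security@bigbank.example>
To: victim@example.com
Subject: Verify your account

Please verify your account at http://www.bigbank-secure.example/login
"""

# Mail servers we operate: only Received: lines they wrote can be believed.
TRUSTED_RELAYS = {"mail.example.com", "mx.example.org"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                       # name the peer announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"  # what the receiver observed
    r".*?\bby\s+(?P<by>[^\s;]+)",                                 # the server that wrote the line
    re.DOTALL,
)


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Parse every Received: header, newest first (each relay prepends its own)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops


def ingress_ip(raw: str, trusted: Set[str] = TRUSTED_RELAYS) -> Tuple[Optional[str], Optional[str]]:
    """(ip, reverse DNS) of the machine that handed the message to our first
    trusted relay.  The first line written by one of our relays whose peer is
    not another of our relays is the ingress point; every Received: line
    below it was supplied by the sender and may be forged."""
    for hop in received_hops(raw):
        ours = hop["by"] in trusted
        peer_is_ours = hop["helo"] in trusted or (hop["rdns"] or "") in trusted
        if ours and hop["ip"] and not peer_is_ours:
            return hop["ip"], hop["rdns"]
    return None, None


def from_domain(raw: str) -> str:
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def check_sender(raw: str, trusted: Set[str] = TRUSTED_RELAYS) -> Dict[str, object]:
    """Does the host that delivered the mail belong to the domain in From:?
    A mismatch is not proof of phishing (third-party bulk senders are common,
    as the eTrade/ADP example above shows) but it is where to start digging:
    whois the ingress IP and look at who owns the netblock."""
    ip, rdns = ingress_ip(raw, trusted)
    dom = from_domain(raw)
    name = (rdns or "").lower()
    matches = bool(name) and (name == dom or name.endswith("." + dom))
    return {"from_domain": dom, "ingress_ip": ip, "ingress_rdns": rdns, "matches": matches}


if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

On the sample the ingress host is 198.51.100.23, a DSL address at an unrelated ISP, even though it announced itself as smtp.bigbank.example in HELO and the bottom Received: line (which it wrote itself) claims an internal bank relay. The HELO name and anything below the ingress line are under the sender's control; the IP in square brackets was recorded by our own relay and is the one fact worth feeding to whois.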
Ntop
Ntop shows network usage in a way similar to what top does for processes. Ntop runs its own small Web server and can use HTTPS, so
you don't need to run Apache or another Web server to take advantage of the
graphical interface. If that weren't enough, it readily interfaces with
scripting languages like Perl and PHP. It can also store persistent network
data in a database, such as MySQL, for later analysis.
The use of:
…make ntop easy to use and suitable for monitoring various kinds of networks.
Installation:
I have used Ntop in Ubuntu and it is installed easily via apt-get/synaptic.
After installation type sudo ntop to start it. It will ask for a password.
From here you can access the ntop service from any browser on the LAN by typing:
Ntop's web interface listens on TCP port 3000 by default (-w changes the port and the address it binds to). It exposes everything ntop has learned about your network, so restrict who can reach that port, or bind it to the loopback address and reach it over an SSH tunnel.
What is Ntop used for?
Network Optimisation and Planning…
·
Passive network mapping: identification of routers and Internet servers (DNS, proxy).
·
Traffic distribution (local vs. remote).
·
Service mapping: service usage (DNS, routing).
·
Network traffic map (Graphviz).
Network Inventory…
·
Identification of routers and internet servers (DNS, NFS, proxy).
·
Resource (hardware manufacturer), services and OS inventory.
·
Unhealthy hosts.
And More…
Integrating ntop into your network:
Configuration:
Ntop's performance varies according to the way ntop is deployed. Below you can
find simple scenarios where you can deploy your ntop instance.
1. Simple Host
This is probably the most common scenario: you install
ntop on your PC that's part of a LAN you use for your
daily tasks. In this case you will probably see only a portion of the traffic (on a switched LAN, just broadcasts and the traffic to/from your own PC),
so don't complain if ntop can't tell you all about your network.
2. Border Gateway
In this case you'll see only the traffic from/to your LAN. As your ntop will probably need to analyse a great many packets, you
should consider options such as -b (disable the protocol decoders), -n (don't resolve IP addresses to names) and -z (disable TCP session tracking) in order to reduce the amount of
work needed to analyse all the traffic.
3. Mirror Line
In this case (a switch SPAN/mirror port or a network tap) you will see packets that were not supposed to be received by the
PC where ntop runs. Because of this, ntop
(usually) cannot trust MAC addresses but just IPs.
Hence do not forget to use -o, otherwise you'll see some strange traffic figures. Also tell ntop which address ranges count as "local" with -m, otherwise it assumes only the capturing interface's own subnet is local and classifies the mirrored traffic accordingly.
Bottom line:
All this information can be accessed using any standard web browser. To have enough
information to work on, you may wish to run NTOP for at least a couple of days
(non-stop) in a production environment. (This may vary depending on the size of
your network. For a medium departmental LAN, a couple of days should be fine.)
Some Ntop Options:
'CONNECTION MATRIX':
·
Shows which station is talking to what server and the amount of traffic being exchanged.
·
Monitoring of the most intensive bandwidth senders and receivers. Heavy traffic is not
only caused by physical media but also by other system intensive actions (e.g.
users downloading large files). This can cause severe bottlenecks to your LAN.
TRAFFIC MEASUREMENT:
·
Traffic measurement consists in measuring the usage of relevant traffic activities.
·
Ntop tracks network usage, generating a series of statistics for each host in the local
subnet and for the subnet as a whole. The needed information is collected by the host.
RUNNING NTOP BY SIMPLY OBSERVING THE
TRAFFIC ON THE NETWORK:
·
This
arrangement offloads the processing requirements from operational nodes to the ntop host. All packets in the subnet are captured and
associated with a sender/receiver pair. In this way, it is possible to track
all traffic activities of a particular host.
The following shows the information
registered by ntop for each host
connected to the (broadcast) network…
DATA
SENT/RECEIVED:
·
The
total traffic (volume and packets) generated or received by the host.
Classified according to network protocol (IP, IPX, AppleTalk, etc.) and IP
protocol (FTP, HTTP, NFS, etc.)
USED
BANDWIDTH:
·
Actual,
average and peak bandwidth usage.
IP
MULTICAST:
·
Total
amount of multicast traffic generated or received by the host.
TCP
SESSIONS HISTORY:
·
Currently
active TCP sessions established/accepted by the host and associated traffic
statistics.
UDP
TRAFFIC:
·
Total
amount of UDP traffic sorted by port.
TCP/UDP
USED SERVICES:
·
List
of IP-based services (e.g. open and active ports) provided by the host with the
list of the last five hosts that used them.
TRAFFIC
DISTRIBUTION:
·
Local
traffic, local to remote traffic, remote to local traffic (local hosts are
attached to the broadcast network).
IP TRAFFIC
DISTRIBUTION:
·
UDP
vs. TCP traffic, relative distribution of the IP protocols according to the
host name.
Ntop also reports global traffic
statistics, including:
TRAFFIC
DISTRIBUTION:
·
Local
(subnet) traffic, local vs. remote (outside specified/local subnet), remote vs.
local.
PACKETS
DISTRIBUTION:
·
Total
number of packets sorted by packet size, unicast vs.
broadcast vs. multicast and IP vs. non-IP traffic.
USED
BANDWIDTH:
·
Actual,
average and peak bandwidth usage.
PROTOCOL
UTILIZATION AND DISTRIBUTION:
·
Distribution
of the observed traffic according to both protocol and source/destination
(local vs. remote).
LOCAL
SUBNET TRAFFIC MATRIX:
·
Monitored
traffic between each pair of hosts in the subnet.
NETWORK
FLOWS:
·
Traffic
statistics for user-defined flows (traffic of particular interest to the user)
- Most of the above is taken from:
http://www.ntop.org/ntop-overview.pdf
Don't forget to 'Shutdown' ntop when finished monitoring!
Ntop is an in-depth application. Indeed there are
courses held just to train network admins to use it.
As can be imagined I have only given the briefest guide.
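The traffic distribution, data sent/received and local subnet traffic matrix figures in the list above all rest on one decision: which side of the "local" subnet (ntop's -m option) each address falls on. The following added example, not code from the page or from ntop, shows that classification on a handful of constructed packet records, including a transit packet between two remote hosts of the kind a mirror-port deployment sees. The addresses and byte counts are made up for the demonstration.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed packet records (source, destination, bytes): a stand-in for
# what ntop captures off the wire, not real traffic.
PACKETS: List[Tuple[str, str, int]] = [
    ("192.168.1.10", "192.168.1.20", 1500),
    ("192.168.1.20", "192.168.1.10", 200),
    ("192.168.1.10", "203.0.113.5", 600),
    ("203.0.113.5", "192.168.1.10", 48000),
    ("198.51.100.7", "192.168.1.30", 800),
    ("192.168.1.30", "192.168.1.255", 100),
    ("203.0.113.9", "198.51.100.7", 300),   # transit seen on a mirror port, neither end is ours
]

# The address ranges ntop should treat as local (what you would pass with -m).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def is_local(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in LOCAL_NETS)


def traffic_distribution(packets) -> Dict[str, int]:
    """Bytes in each of ntop's four classes, decided purely by which side
    of the local subnet each address falls on."""
    names = {(True, True): "local", (True, False): "local_to_remote",
             (False, True): "remote_to_local", (False, False): "remote_to_remote"}
    dist: Counter = Counter()
    for src, dst, size in packets:
        dist[names[(is_local(src), is_local(dst))]] += size
    return dict(dist)


def per_host(packets) -> Tuple[Counter, Counter]:
    """Bytes sent and received per host (ntop's Data Sent/Received)."""
    sent: Counter = Counter()
    received: Counter = Counter()
    for src, dst, size in packets:
        sent[src] += size
        received[dst] += size
    return sent, received


def top_talkers(packets, n: int = 3) -> List[Tuple[str, int]]:
    """Hosts ranked by total bytes in either direction: the first place to
    look when the LAN is slow."""
    sent, received = per_host(packets)
    return (sent + received).most_common(n)


def local_matrix(packets) -> Dict[Tuple[str, str], int]:
    """ntop's local subnet traffic matrix: bytes between each local pair."""
    matrix: Dict[Tuple[str, str], int] = defaultdict(int)
    for src, dst, size in packets:
        if is_local(src) and is_local(dst):
            matrix[(src, dst)] += size
    return dict(matrix)


if __name__ == "__main__":
    print(traffic_distribution(PACKETS))
    print(top_talkers(PACKETS))
```

On the sample the remote-to-remote class is non-zero only because of the transit packet; if LOCAL_NETS were left empty (the equivalent of forgetting -m on a mirror line) every packet would land in that class and the per-host figures would be meaningless, which is the "strange traffic figures" the deployment notes warn about.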
There are LOTS of network/security/scanning applications out there, and I have only outlined the
ones that I've used. If you want to scan wireless networks, have a look at:
Kismet, Netstumbler, and Aircrack.
A popular lightweight network intrusion detection application is Snort.
And lastly…
A popular Linux distro containing LOTS of
network/scanning/vulnerability/exploit/wireless applications is the Backtrack live distro.
Enjoy!