Linux_Networking

Wireshark -- Spy on the line.
Nmap -- Great scanning tool.
Tcpdump -- The humble wire watcher.
git - everybodies friendly repo

linux networking ss iproute2 netstat

ss is a utility to investigate network ports and is part of the iproute2 package. It has a similar functionality to the deprecated netstat utility. See ss(8), Common usage includes:

cmds	Discription
`ss -at`	Display all TCP Sockets w/ service names
`ss -atn`	Display all TCP Sockets w/ port numbers
`ss -au`	Display all UDP Sockets

scanning bugbounty hack nmap

Nmap has a shodan plugin: nmap --script=shodan-api --script-args='shodan-api.apikey=XXXXXX' google.com

tac	Discription
-sn	Disable Port Scan
-Pn	Skip host discovery, don't ping the host
-n	Skip DNS Resolution

namp will realize it has nothing left to do and will run the shodan-api script. You could also set the api-key directly into the nse script too.

wget download website

Download entire website: wget -m -p -E -k www.example.com

Explained:

Option	Discription
`-m, --mirror`	Infinite recursion & time-stamp, keep FTP dir list.
`-p, --page-requisites`	Get all images, etc. needed to display HTML page.
`-E, --adjust-extension`	Save HTML/CSS files with .html/.css extensions.
`-k, --convert-links`	Make links in downloaded HTML point to local files.

Alternatively:

wget \
    --recursive \
    --no-clobber \
    --page-requisites \
    --html-extension \
    --convert-links \
    --restrict-file-names=windows \
    --domains website.org \
    --no-parent \
        www.website.org/tutorials/html/

dhcp access_point wifi ap hostapd

Note: Debian 10, look at /etc/default/isc-dhcp-server, make sure you have added all the interfaces you want dhcp server to be on, also Hostapd need to make sure you unmask first:

systemctl unmask
systemctl enable
systemctl start hostapd

Note: Ubuntu, look at /etc/ufw/sysctl.conf make sure you have uncommented net/ipv4/ip_forward=1.

Note: Here is an example of an /etc/network/interfaces in Debian:

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto eth0
  iface eth0 inet dhcp
  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

#wireless access point
auto wlan0
iface wlan0 inet static
  address 10.4.0.14
  netmask 255.255.255.240
#  gateway 10.4.0.14
  wireless-mode Master
  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

#auto eth1
#iface eth1 inet static
#  address 10.0.0.1
#  netmask 255.255.255.0
#iface eth1 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
  #post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

Note: To stop Network Manager from messing with the internal interfaces, we added the keyfile and the mac addresses of the NICs and WIFIs that it is not suppose to manage.

[main]
plugins=ifupdown,keyfile,ofono
dns=dnsmasq

[ifupdown]
managed=false

[keyfile]
unmanaged-devices=mac:00:50:ba:d7:fe:b6;mac:00:1c:26:1b:ea:fa

Note: If you want to use dnsmasq in Debian then look at /etc/defaults/dnsmasq file, make sure ENABLE is set:

# by setting DNSMASQ_OPTS to --conf-file=<file>
DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
# Whether or not to run the dnsmasq daemon; set to 0 to disable.
ENABLED=1

Note: Here's an example simple configuration for dnsmasq, the file could be /etc/dnsmasq.alt:

no-resolv
bind-interfaces
interface=wlan0
dhcp-range=10.4.0.1,10.4.0.13,4h
# opendns nameervers
server=208.67.222.222
server=208.67.220.220
# nameservers from google
#server=8.8.8.8
#server=8.8.4.4
log-dhcp

Note: Enable hostapd, in /etc/defaults:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Note: Here's a simple hostapd.conf configuration:

interface=wlan0
driver=nl80211
ssid=**************************
logger_syslog=-1
logger_syslog_level=1
hw_mode=g
#wmm_enabled=1
#nl80211=1
channel=8
macaddr_acl=0
#auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=*****************
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

This I have not tested fully, but it's something to try out in the future. Dnsmasq combined with dnscrypt-proxy provide caching, encryption and server-side authentication. Said to be useful to protect a laptop from potentially hostile networks.

apt-get install dnsmasq dnscrypt-proxy

Configure /etc/resolv.conf to use dnsmasq:

nameserver 127.0.0.1

Configure /etc/dnsmasq.conf

# ignore resolv.conf
no-resolv
# Listen only on localhost
listen-address=127.0.0.1
# dnscrypt is on port 40
server=127.0.0.1#40

Configure /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket with the following 5 lines if you are using systemd

[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40

Then, restart both daemons!

Look at the examples: man tcpdump | less -Ip examples

Tcpdump filter for HTTP GET: sudo tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

Filter for HTTP POST: sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

Monitor HTTP traffic including request and response headers and message body: https://sites.google.com/site/jimmyxu101/testing/use-tcpdump-to-monitor-http-traffic

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

For more information on the bit-twiddling in the TCP headers see: http://www.wireshark.org/tools/string-cf.html

Always try to use iptables-save and iptables-restore
use iptables-restore --test to test if it comes back.
if dealing with WIFI make sure you use rfkill list to see if interface is blocking at all.

-t filter --the default if none given--

INPUT (for packets destined to local sockets) FORWARD (for packets being routed through the box) OUTPUT (for locally-generated packets)

-t nat --as of 3.7--

PREROUTING (for altering packets as soon as they come in) OUTPUT (for altering locally-genrated packets before routering) POSTROUTING (for altering packets as they are about to go out)

-t mangle

--until 2.4.17-- PREROUTING (for alitering incoming packets before routing) OUTPUT (for altering locally-generated packets before routing) --as of 2.4.18-- INPUT (for packets coming into the box itself) FORWARD (for altering packets being routed through the box) POSTROUTING (for altering packets as they are about to go out)

-t raw

Note: used to configure exemptions from connection tracking, in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

-t security

Note: used for MAC (Mandatory Access Control from SELinux) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. The security table is called after the filter table, allowing any DAC (Discretionary Access Control) rules in filter table to take effect before MAC rules. INPUT (for packets comming into the box itself) OUTPUT (for altering locally-generated packets before routing) FORWARD (for altering packets being routed through the box.

There are 3 types of options. Commands, Parameters, Other Options.

-A, --append

chain rule-specification

-C, --check

chain rule-specification

-D, --delete

chain rule-specification

-D, --delete

chain rulenum

-I, --insert chain [rulenum] rule-specificaation

Note: Insert rule(s) at rulenum, the default is 1 (at the head/top)

-R, --replace chain rulenum rule-specification

Note: Rules are numbered starting at 1

-L, --list [chain]

Note: list all rules or one chain. Like every other iptable command, it applies to the specified table (filter is the default), so NAT rules get listed by: iptables -t nat -n -L note: it is offen used with the -n option to avoid long DNS lookups. note: The exact rules are suppressed until you use: iptables -L -v

-S, --list-rules [chain]

note: like all other commands, applies to a table (filter is the default).

-F, --flush [chain]

Flush selected chain (all chains in the table if none is given).

-Z, --zero [chain [rulenum]]

Zero out the packet and byte counters in all chains. Its legal to specify -L, --list as well, to see the counters immediately before they are cleared. (See above).

-N, --new-chain chain

Create a new user-defined chain by the given name. (can not pre-exist)

-X, --delete-chain chain

Delete a user created chain, must remove all the rules and references to this chain first. if chain name is not supplied, it will try to delete any chain it can.

-P, --policy chain target

Set ppolicy for a built-in chain to the given target.

-E, --rename-chain old-chain new-chain

The parameters make up a rule specification.

-4, --ipv4 -6, --ipv6

Only used to mix rules in one ip(6)tables-retore command.

[!] -p, --protocol protocol

The protocol of a rule or a packet to check. Can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the special keyword "all", or a numeric value. A protocol name from /etc/protocols is also allowed. 0 is equivlent to all. all will match with all protocols and is taken as default when this option is omitted.

[!] -s, --source address[/mask][,...]

Source address can either be a network name, a host name, a network IP address (with /mask), or a plain IP address. note: Specifying any name to be resolved with a remote query such as DNS is a really bad idea!

[!] -d, --destination address[/mask][,...]

Destination address, see source address above.

-m, --match match

Speifies a match of extension modul that tests for a property. Matches are in the order giving on the command line. If one extension yields false, evaluation will stop.

-j, --jump target

This Specifies the target rule (ie. what to do if the packet matches). Target can be user defined chain, a built-in (which decides the fate of the packet immediately), or an extension. note: if this option is omitted, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented. (unles there is a --goto)

-g, --goto chain

This specifies that the processing should continue in a user specifed chain. Unlike --jump option return will not continue processing in this chain but instead in the chain that called us via --jump

[!] -i, --in-interface name

Name of an interface via which a packet was recieved (only for packets entering the INPUT, FORWARD and PREROUTING chains). note: if interface name ends in a "+", then any interface which begins with this name will match. note: If this option is omitted, any interface name will match.

[!] -o, --out-interface name

Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). Same notes as above.

[!] -f, --fragment

Only for ipv4. Rule refers to the second and further IPv4 fragments of fragmented packets.

-c, --set-counters packets bytes

This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).

-v, --verbose

^- DO use this!! all the time!!!

-w, --wait

wait for the xtables lock.

-n, --numeric

Don't display hostnames do numerical ip.

-x, --exact

display exact numbers instead of with K's M's and G's

--line-numbers

only used with -L, --list to display line numbers.

--modprobe=command

when adding or inserting rules use this modprobe cmd.

Make sure ip_forwarding is turned on in sysctl.conf
These lines are an example:

iptables -A FORWARD -i eth0 -o eth2 -s 10.0.0.1/24 -d 10.20.0.1/24 -j ACCEPT iptables -A FORWARD -i eth2 -o eth0 -s 10.20.0.1/24 -d 10.0.0.1/24 -j ACCEPT

how to let out DHCP:

iptables -A OUTPUT -o wlan0 -p udp -m udp --dport 68 -j ACCEPT

scapy -- Mess with packets.
Apache2 -- The daddy of all webservers.
Namecheap -- Configuring dynamic IP for DNS.
Virtualization -- Virtualization of machines.

Libvirt Networking Handbook:

https://jamielinux.com/docs/libvirt-networking-handbook/bridged-network.html

Wake up on LAN:
- sudo nmcli connection modify "Wired connection 1" 802-3-ethernet.wake-on-lan magic

MAKE SURE you installed rfkill.

echo 1 > "/proc/sys/net/ipv4/ip_forward"

Libvirt Networking Handbook:

https://jamielinux.com/docs/libvirt-networking-handbook/bridged-network.html

Wake up on LAN:
- sudo nmcli connection modify "Wired connection 1" 802-3-ethernet.wake-on-lan magic

MAKE SURE you installed rfkill.

echo 1 > "/proc/sys/net/ipv4/ip_forward"

## eth0 is INTERNET, wlan0 is LAN. sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

NB: forward in from the tun0 out to virbr0

iptables -I FORWARD 1 -i tun0 -o virbr0 -j ACCEPT

To connect to VM's with virt-viewer:

Make sure you have virsh -c qemu:///system list --all showing them
You might have to start them.
make sure sshd is open and running.
$ virt-viewer -f --connect qemu+ssh://[email protected]/system <NAME>

firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.124.48

success

This forwards the port 2222/tcp to 192.168.124.48:22 (for SSHing to a VM)

create bridge with ovs-vsctl add-br br0
Add a port to the bridge for the NIC that you want your guests to communicate over (e.g. eth0): ovs-vsctl add-port br0 eth0

ToDo:

read the code for the simpler dissectors.
they are in the epan/dissectors directory.
under packets-[protocolname].c

Questions:

How do I filter for just one port say 'port 3030'?

Some Notes:

Realtime log, along with a pcap capture.
I should know exactly my MACs, all of my MACs.

Tips:

Also use Follow The TCP Stream!
Use Statistics-Packet Lengths.. Chapter 8:
Use:
- Statistics->Protocol Hierarchy Look under UDP on DNS: The end pakets N, tells you how many packets there are, query and responce, presume dividing that by 2 to get just queries.
- Then can apply this filter for the queries: 'dns.flags == 0x0100' to view all the sites that your web app is trying.
Statistics->HTTP->Requests, click on Create Stat.
Statistics->Summery <- shows how long the process takes.

Question:

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=tree

at this website, how to I browse the code for the version that I have?

Protocol Issues: -Connection initiation -Negotiation of connection characteristcs -Data formatting -Error detection and correction -connection termination

mount -o bind /dev /mnt/openwrt/dev mount -t proc none /mnt/openwrt/proc

put /var on the HDD, for logs
- logging more is better.

This is a logging box.

dnsmasq runs dhcp [and caching dns ?]

have to add ddns for freedns.afraid.org

--background --dyndns_system [email protected] -u guest -p guest -a wooowooo.mooo.com,M2xIc25pOWVqMlFJU044QjBSZWZnenIzOjE0NDEzNjcz --update_period_sec 600 --forced_update_period 864000 --log_file /tmp/ddns/ddns.log --cache_dir /tmp/ddns --exec ddns_success ^ this is probably a cronjob. ^ maybe its called inadyn, this is from inadyn.conf

trying to install dnsmasq, got this: Job for dnsmasq.service failed because the control prcess exited with err code. "systemctl status dnsmsaq.service" and "journalctl -xe" for details

invoke-rc.d: initscript dnsmasq, action "start" failed

#!/bin/bash
#Initial wifi interface configuration
ifconfig $1 up 10.0.0.1 netmask 255.255.255.0
sleep 2
###########Start DHCP, comment out / add relevant section##########
#Thanks to Panji
#Doesn't try to run dhcpd when already running
if [ "$(ps -e | grep dhcpd)" == "" ]; then
dhcpd $1 &
fi
###########
#Enable NAT
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface $2 -j MASQUERADE
iptables --append FORWARD --in-interface $1 -j ACCEPT

#Thanks to lorenzo
#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

sysctl -w net.ipv4.ip_forward=1
#start hostapd
hostapd /etc/hostapd/hostapd.conf 1>/dev/null
killall dhcpd

# disables dnsmasq reading any other files like /etc/resolv.conf for nameservers
no-resolv
# Interface to bind to
interface=wlan0
# Specify starting_range,end_range,lease_time
dhcp-range=10.0.0.3,10.0.0.20,12h
# dns addresses to send to the clients
server=8.8.8.8
server=8.8.4.4

###########Start dnsmasq, modify if required##########
if [ -z "$(ps -e | grep dnsmasq)" ]
then
 dnsmasq
fi
###########

#Enable NAT
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface $2 -j MASQUERADE
iptables --append FORWARD --in-interface $1 -j ACCEPT

#Thanks to lorenzo
#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

sysctl -w net.ipv4.ip_forward=1

#start hostapd
hostapd /etc/hostapd/hostapd.conf 1> /dev/null
killall dnsmasq

Make sure the link is up.

# ip link set dev wlan0_ap up

Had to add this to /etc/NetworkManager/NetworkManager.conf

[keyfile] unmanaged-devices=mac:<hwaddr>

a> dnsmasq was not setup.. b> AND MORE!!! the IP address was wrong after I got dnsmasq to do dhcp c> I had to log in with another computer (maybe I should have 2 wifi's)

Moral: NEVER TEST 1 laptop and/or WIFI card, if its not working!!!

Note: its kind of funny how disconnected things are.

if you kill -9 hostapd, still the links wlan stays up! after Auths.

Note: on MarioCoin

edited /etc/sysctl.ctl to enable forward, and turned on a bunch of the security features. If something is weird in the networking check this file again for clues about it.

It was super easy to setup a new service's Let's Encrypt TLS cert with Apache2 and the command certbot. it was install certbot via apt then run it, this is what I ran:

sudo apt install apache2 certbot
sudo certbot --apache -d pong.securityrabbit.com

And it did everything! then setup a systemd timer.

The command that renews the cert, I set up to run every Wed. /usr/bin/certbot renew and this renews all the certs for this account.

Find WPS wifi APs in the area $ sudo airmon-ng start wlan0 $ wash -i mon0

One of the goals is to get the bssid of the AP. $ airodump-ng mon0 <channel>

Used for capture and showing what wifi is in the area
To show what wifi is in the area:

To monitor one AP: $ airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0

this is to focus on one AP.
also the -w writes out to a file.

Test to see if packet inject will work. $ sudo aireplay-ng --test -e HelloKitty08 -a C0:56:27:0B:EB:89 wlan4mon

a score of 100% is great.
-a == access point MAC

To inject [untested]: $ aireplay-ng -1 0 -e HelloKitty08 -a C0:56:27:0B:EB:89 -h <SOURCE> mon0

This creates a fake-auth
SOURCE is a client use what thats connected to the AP, NOT yours!
Issues:
- If this: "Denied (code 12), wrong ESSID or WPA ?" means that you have the run ESSID, check spelling.
- If not "channel 1" then airmon-ng start wlan4 6 for channel 6.

Gets the password from the WPS of the AP. $ reaver -i mon0 -b XX:XX:XX:XX:XX:XX

Use the -vv option to see everything thats going on (Recommended)
This may take some hours, hopefully less than 3.

Know Issues:

As in the pic above, you saw the first line read "Switching wlan0 to channel 6". (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching interfaces forever.
Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
Sometimes it never associates with the target AP.
Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed.

In most cases, such errors suggest:

Something wrong with wireless card.
AP is very choosy, won't let you associate.
The AP does not use WPS.
You are very far from the AP.

$ sqlmap --tor --tor-type=SOCKS5 -u \

"http://www.hackable.org/view_section.php?id=10" \ --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

This uses Tor on port 9050 as http proxy then makes also changes the

useragent.