205.2. Advanced Network Configuration and Troubleshooting

Weight: 4

Description: Candidates should be able to configure a network device to implement various network authentication schemes. This objective includes configuring a multi-homed network device and resolving communication problems.

Key Knowledge Areas:

  • Utilities to manipulate routing tables

  • Utilities to configure and manipulate ethernet network interfaces

  • Utilities to analyze the status of the network devices

  • Utilities to monitor and analyze the TCP/IP traffic

Terms and Utilities:

  • ip

  • ifconfig

  • route

  • arp

  • ss

  • netstat

  • lsof

  • ping, ping6

  • nc

  • tcpdump

  • nmap

In this lesson we discuss about some other Network tools which help up in network trouble shooting.

What is socket?

In computer networking, and more definitely in software terms, a port is a logical entity which acts as a endpoint of communication to identify a given application or process on an Linux operating system. It is a 16-bit number (0 to 65535) which differentiates one application from another on end systems. Different categories of ports are:

  • 0-1023 – the Well Known Ports, also referred to as System Ports.

  • 1024-49151 – the Registered Ports, also known as User Ports.

  • 49152-65535 – the Dynamic Ports, also referred to as the Private Ports.

The two most popular Internet transport protocols, Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) and other less known protocols use port numbers for communication sessions.

A combination of an IP address, port and protocol such as TCP/UDP is known as a socket, and every service must have a unique socket.

netstat

netstat (network statistics)outputs network connections form local host perspective, routing, interface statistics, connections and multicast information. so its pretty handy.

netstat it self give us a log list of network information which might not be useful, so lets try some useful switches:

useful netstat command switches

Description

-s , --statistics

gives summary by protocol type and message type

-i , --interfaces

Display a table of all network interfaces

-r , --route

shows routing table information

-a , --all

Show both listening and non-listening sockets

-t , --tcp

Enabales listening of tcp ports

-u , --udp

Enables listening of udp ports

-l , --listening

Prints only listening sockets

-p , --program

Shows PID and the name of associated program

-e , --extend

Shows additional information, use twice for more info

-n , --numeric

Shows numerical addresses

netstat supports ipv6.

ss

The ss command is capable of showing more information than the netstat and is faster. The netstat command reads various /proc files to gather information. However this approach falls weak when there are lots of connections to display. This makes it slower.

The ss command gets its information directly from kernel space. The options used with the ss commands are very similar to netstat making it an easy replacement.

If we use the ss command without any arguments or options, it will return a complete list of TCP sockets with established connections:

useful ss command

Description

-l , --listening

Display only listening sockets

-4

for IPv4

-6

for IPv6

-a , --all

Display both listening and non-listening (for TCP this means established connections) sockets

-t , --tcp

Shows established or CONNECTED tcp connections

-u , --udp

Shows established or CONNECTED tcp connections

-s , --summary

Print summary statistics.

-o , --options

time information of each connection would be displayed

-n , --numeric

Do not try to resoleve service names

lsof

To get a list of files which are opened by users and associated processes with them we use lsof (LiSt Open Files).

lsof useful commmands

Description

lsof -n

Do not tries to resolve IP Addresses to DNS

lsof /var/log/syslog

Shows which processes have opened specific file

lsof +D /var/log

List opened files under a Directory

lsof /home

List processes using a mount point

lsof -u payam

List files opened by a specific user

lsof -p 1357

all open files by specific process

lsof -c ssh

List opened files based on process names starting with ...

lsof -t /var/log/syslog

list process id of a process which opened /var/log/syslog

lsof -i

list all network connections

ping

PING (Packet INternet Groper) command is the best way to test connectivity between two nodes. Whether it is Local Area Network (LAN) or Wide Area Network (WAN).

How does ping work? Ping use ICMP (Internet Control Message Protocol) to communicate to other devices.When a user pings a host on the Internet, a series of ICMP packets are sent to the host, which responds by sending packets in return. The user’s client is then able to compute the round trip time between two points on the Internet.

You can ping host name or ip address :

In Linux ping command keep executing until we interrupt.

useful ping switches

Description

-v

verbose mode

-V

Show version and exit

-c 5

Stop after sending 5 ECHO_REQUEST packets.

-i 0.9

Increase / decrease pint time interval

-O

Report outstanding ECHO REPLAY before sending next packet

- w 10

Specify a timeout, in seconds, before ping exits regardless of how many packets have been sent or received

-s 100

Change the default packet size from 56 to 100

-R

Record and print route of how ECHO_REQUEST sent and ECHO_REPLY received

-a

Audible ping: Give beep when the peer is reachable

ping6

Regular ping command only works with IPv4 address. Use ping6 command to send ICMPv6 ECHO_REQUEST packets to network hosts from a host or gateway. Try to set IPv6 gateway and test:

nc

Netcat (also known as ‘nc’ or ‘Swiss Army knife’) is a networking utility used for reading or writing from TCP and UDP sockets using an easy interface. Netcat is used by Administrators, Developers and pen testers because of its features.

With netcat (nc) we can setup kind of client server connection over a specific port. For demo lets start chatting between two servers, server1 starts listening on port 12345:

send text stream from server2 to server1:

and see the result on server1:

netcat useful switches

Description

-4

Forces nc to use IP v4 only

-6

Forces nc to use IP v6 only

-v

Give more verbose output

-n

Do not DNS Lookup for IP Addresses, Host Name or ports

-k

allow server to continue listening after client disconnect

-u

use udp

-w

setting up time out

also we can use nc for prt scanning although netcat is not the best tool for the job:

-z says that nc should just scan for listening daemons, without sending any data to them. can not be used with -l option.

tcpdump

tcpdump is command-line packet sniffers and analyzer tool which is used to capture or filter TCP/IP packets which recieved or transfered over a network on a specific interface.

tcpdump also give us a option to save captured packets in a file in a pcap format. It is very useful for future analysis and also file can be viewed by tcpdump command or a open source GUI based tool like Wireshark.

watch some usefull tcpdum commands:

useful tcpdump command

Description

tcpdump -D

Display available interfaces

tcpdum -i ens33

Capture Packets from specific interface

tcpdump -c 10 -i ens33

Capture only N neumber of packets

tcpdump -w myfile.pcap -i ens33

Capture and save packets in a file

tcpdump -r myfile.pcap

Read captured packets file

tcpdump -n -i ens33

Capture IP address Packets

tcpdum -i ens33 tcp

Only TCP Packets are captured

tcpdump -i ens33 port 22

Capture packets from specific port

tcpdump -i eth0 src 192.168.10.150

Capture packets from source IP

tcpdump -i eth0 dst 209.85.144.139

Capture packets from destination IP

tcpdump -i ens33 ipv6

Sniffing for IPv6

nmap

nmap (Network Mapper) is a security scanner.It is used to discover hosts and services on a computer network, whith the goal of building a "map" of the network. To accomplish it, Nmap sends specially designed packets to the target host(s) and then analyzes the responses. Nmap can adapt to network conditions including latency and congestion during a scan. The Nmap user community continues to develop and refine the tool.

Nmap was originally written for Linux, but it has been ported to major operating systems, such as Windows, Solaris, HP-UX, etc. There is even a free and open source GUI called Zenmap.

Although usually used for port scanning, Nmap offers many additional features:

  • host discovery.

  • operating system detection.

  • service version detection.

  • network information about targets, such as DNS names, device types, and MAC addresses.

  • ability to scan for well-known vulnerabilities.

    nmap is not installed by default on most of linux distros and we need to install it:

Before start scanning please note that Port scanning without authorization is sometimes against the provider's acceptable use policy (AUP).

Till the end of war Its better to test it on your own network and do not take the risk. nmap command with no option just prints its long list of switches and options. For our demonstartion we scan scanme.nmap.org :

The -v option enables verbose mode.

nmap Target selection

Description

nmap 192.168.10.151

scan a single IP

nmap scanme.nmap.org

scan a host

nmap 192.168.10.150-155

scan a range of IPs

nmap 192.168.10.0/24

scan a subnet

nmap -iL myserverlist.txt

scan targets from a text file

nmap -6 [IP-V6-HERE]

enables IP v6 scanning

okey and ports:

nmap port selection

Dedscription

nmap -p 22 192.168.10.151

scan a single port

nmap -p 1-100 192.168.10.151

scan a range of port

nmap -F 192.168.10.151

Fast-scan 100 most common ports

nmap -p- 192.168.10.151

scan all 65535 ports

Hmm. nmap has different techniques for scanning. But before explaining them we review some fundamentals.

TCP 3-Way Handshake Diagram

Below is a very simplified diagram of the TCP 3-way handshake process. Have a look at the diagram on the right as you examine the list of events on the left.

Event

Diagram

after this small review we can talk about nmap different methods of scanning:

  • TCP SYN Scan (-sS)

It is a basic scan, and it is also called half-open scanning because this technique allows Nmap to get information from the remote host without the complete TCP handshake process, Nmap sends SYN packets to the destination, but it does not create any sessions, As a result, the target computer can’t create any log of the interaction because no session was initiated, making this feature an advantage of the TCP SYN scan.nmap -sT 192.168.10.151

  • TCP connect() scan (-sT)

This the default scanning technique used, if and only if the SYN scan is not an option, because the SYN scan requires root privilege. Unlike the TCP SYN scan, it completes the normal TCP three way handshake process and requires the system to call connect(), which is a part of the operating system. Keep in mind that this technique is only applicable to find out the TCP ports, not the UDP ports. nmap -sT 192.168.10.151

  • UDP Scan (-sU)

As the name suggests, this technique is used to find an open UDP port of the target machine. It does not require any SYN packet to be sent because it is targeting the UDP ports. But we can make the scanning more effective by using -sS along with –sU. UDP scans send the UDP packets to the target machine, and waits for a response—if an error message arrives saying the ICMP is unreachable, then it means that the port is closed; but if it gets an appropriate response, then it means that the port is open.

nmap -sU 192.168.10.151

  • FIN Scan (-sF)

Sometimes a normal TCP SYN scan is not the best solution because of the firewall. IDS and IPS scans might be deployed on the target machine, but a firewall will usually block the SYN packets. A FIN scan sends the packet only set with a FIN flag, so it is not required to complete the TCP handshaking.

The target computer is not able to create a log of this scan (again, an advantage of FIN). Just like a FIN scan, we can perform an xmas scan (-sX) and Null scan (-sN). The idea is same but there is a difference between each type of scan.

  • Ping Scan (-sP)

Ping scanning is unlike the other scan techniques because it is only used to find out whether the host is alive or not, it is not used to discover open ports. Ping scans require root access s ICMP packets can be sent, but if the user does not have administrator privilege, then the ping scan uses connect() call. nmap -sP 192.168.10.151

  • Version Detection (-sV)

Version detection is the right technique that is used to find out what software version is running on the target computer and on the respective ports. It is unlike the other scanning techniques because it is not used to detect the open ports, but it requires the information from open ports to detect the software version. In the first step of this scan technique, version detection uses the TCP SYN scan to find out which ports are open. nmap -sV 192.168.10.151

  • Idle Scan (-sI)

Idle scan is one of my favorite techniques, and it is an advance scan that provides complete anonymity while scanning. In idle scan, Nmap doesn’t send the packets from your real IP address—instead of generating the packets from the attacker machine, Nmap uses another host from the target network to send the packets. ex: nmap -sI 192.168.1.6 192.168.1.1

The idle scan technique (as mentioned above) is used to discover the open ports on 192.168.1.1 while it uses the zombie_host (192.168.1.6) to communicate with the target host. So this is an ideal technique to scan a target computer anonymously.

There are many other scanning techniques are available like FTP bounce, fragmentation scan, ... but that is enough for LPIC exam.

Previous205.1. Basic networking configurationNext205.3 Troubleshooting Network Issues

Last updated