LPIC3 Exam Guide

334.1 Network Hardening

Topic 334: Network Security

Weight: 4
Description: Candidates should be able to secure networks against common threats. This includes analyzing network traffic of specific nodes and protocols.
Key Knowledge Areas:
  • Understand wireless networks security mechanisms
  • Configure FreeRADIUS to authenticate network nodes
  • Use Wireshark and tcpdump to analyze network traffic, including filters and statistics
  • Use Kismet to analyze wireless networks and capture wireless network traffic
  • Identify and deal with rogue router advertisements and DHCP messages
  • Awareness of aircrack-ng and bettercap
The following is a partial list of the used files, terms and utilities:
  • radiusd
  • radmin
  • radtest
  • radclient
  • radlast
  • radwho
  • radiusd.conf
  • /etc/raddb/*
  • wireshark
  • tshark
  • tcpdump
  • kismet
  • ndpmon


What is the RADIUS Protocol?

Remote Authentication Dial-In User Service or RADIUS is a networking protocol that offers centralized Authentication, Authorization and Accounting (AAA) management for users who connect and network service.
  • Authentication is the process of determining whether the client (user, device, or process) is a genuine user of the system.
  • Authorization is the process of determining what the client is allowed to do on the network.
  • Accounting is the process of monitoring the client’s activity on the network and providing the information necessary to calculate the cost for services.
You don't have to use all three of the AAA protocols, but only the ones you need. For example, you may not need accounting but only client authentication, or perhaps all you want is accounting, and client authorization is managed by something else.
It is extremely efficient and manages thousands of requests on modest hardware. Of course it works for all network protocols and not just dialup, but the name remains the same.


FreeRADIUS is the open source RADIUS implementation, and is the most widely-used RADIUS server.

Install Freeradius

[[email protected] ~]# dnf install freeradius freeradius-utils freeradius-mysql freeradius-perl

Start Freeradius Service

[[email protected] ~]# systemctl enable radiusd --now
Created symlink /etc/systemd/system/multi-user.target.wants/radiusd.service → /usr/lib/systemd/system/radiusd.service.
[[email protected] ~]# systemctl status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2022-09-08 11:44:19 +0430; 2s ago
Process: 863414 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
Process: 863411 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
Process: 863372 ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap (code=exited, status=0/SUCCESS)
Process: 863370 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
Main PID: 863417 (radiusd)
Tasks: 6 (limit: 12245)
Memory: 78.6M
CGroup: /system.slice/radiusd.service
└─863417 /usr/sbin/radiusd -d /etc/raddb
Sep 08 11:44:18 rocky8 sh[863372]: URI:http://www.example.com/example_ca.crl
Sep 08 11:44:18 rocky8 sh[863372]: Certificate is to be certified until Nov 7 07:14:18 2022 GMT (60 days)
Sep 08 11:44:18 rocky8 sh[863372]: Write out database with 1 new entries
Sep 08 11:44:18 rocky8 sh[863372]: Data Base Updated
Sep 08 11:44:18 rocky8 sh[863372]: openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:'whatever' -passout pass:'w>
Sep 08 11:44:18 rocky8 sh[863372]: chmod g+r client.p12
Sep 08 11:44:18 rocky8 sh[863372]: openssl pkcs12 -in client.p12 -out client.pem -passin pass:'whatever' -passout pass:'whatever'
Sep 08 11:44:18 rocky8 sh[863372]: chmod g+r client.pem
Sep 08 11:44:18 rocky8 sh[863372]: cp client.pem '[email protected]'.pem
Sep 08 11:44:19 rocky8 systemd[1]: Started FreeRADIUS high performance RADIUS server..


For every part of FreeRADIUS, in the configuration directory (/etc/raddb, /etc/freeradius or similar) there is a fully commented example file included, that explains what it does, and how to use it. Read those sample files too!
Again, many of the configuration files are ONLY documented in the comments included in the files.
Reading the configuration files is REQUIRED to fully understand how to create complex configurations of the server.

Main configuration files


radmin - FreeRADIUS Administration tool, is a FreeRADIUS Server administration tool that connects to the control socket of a running server, and gives a command-line interface to it.
At this time, only a few commands are supported. Please type "help" at the command prompt for detailed information about the supported commands.
radmin [-d config_directory] [-D dictionary_directory] [-e command] [-E] [-f socket_file] [-h] [-i input_file] [-n name] [-q]


The security protections offered by this command are limited to the permissions on the Unix domain socket, and the server configuration. If someone can connect to the Unix domain socket, they have a substantial amount of control over the server.
The following command-line options are accepted by the program.
-d config directory
Defaults to /etc/raddb. radmin looks here for the server configuration files to find the "listen" section that defines the control socket filename.
-D dictionary directory
Set main dictionary directory. Defaults to /usr/share/freeradius.
-e command
Run command and exit.
-E Echo commands as they are being executed.
-f socket_file
Specify the socket filename directly. The radiusd.conf file is not read.
-h Print usage help information.
-i input_file
Reads input from the specified file. If not specified, stdin is used. This also sets "-q".
-n mname
Read raddb/name.conf instead of raddb/radiusd.conf.
-q Quiet mode.
The commands implemented by the command-line interface are almost completely controlled by the server. There are a few commands interpreted locally by radmin:
Reconnect to the server.
quit Exit from radmin.
exit Exit from radmin.
The other commands are implemented by the server. Type "help" at the prompt for more information.
debug file /var/log/radius/bob.log
Set debug logs to /var/log/radius/bob.log. There is very little checking of this filename. Rogue administrators may be able use this command to over-write almost any
file on the system. If those administrators have write access to "radius.conf", they can do the same thing without radmin, too.
debug condition '(User-Name == "bob")'
Enable debugging output for all requests that match the condition. Any "unlang" condition is valid here. The condition is parsed as a string, so it must be enclosed in
single or double quotes. Strings enclosed in double-quotes must have back-slashes and the quotation marks escaped inside of the string.
Only one debug condition can be active at a time.
debug condition '((User-Name == "bob") || (Packet-Src-IP-Address =='
A more complex condition that enables debugging output for requests containing User-Name "bob", or requests that originate from source IP address
debug condition
Disable debug conditionals.
radmin have a long list of commands, read it man page, this was only a part of that!

Basic Configuration

Always start with the "default" configuration. It will work everywhere, and do almost everything you need. The only change you will need to make is to define users and passwords.
Making a lot of changes to the configuration files is the best way to break the server. Don't do that.

Define a Client IP

For initial testing from localhost with radtest(see in this lesson), the server comes with a default definition for and ::1
For testing from external machines, edit /etc/raddb/clients.conf and add an entry. There are many examples and the syntax is easy:
client NAME {
ipaddr = IPADDRESS
secret = SECRET

Define a User and Password

Edit /etc/raddb/users and create an example user account as the first entry. i.e. at the top of the file, such as:
testing Cleartext-Password := "password"

Start the server in debugging mode

At this point you should be able to manually start radiusd. You should do this with the debugging enabled so that you can see what happens:
$ radiusd -X
The location and the name of the FreeRADIUS server executable may vary, for example it could be /usr/sbin/freeradius. But the -X parameter is essential, always use it!
Lots of output will scroll by, and it will eventually say:
Read to process requests.
Sometimes people want to change default port to run on 1645, the old RADIUS port (the new one is 1812), if replacing a legacy RADIUS server. Other than that, it's possible that the EAP Module initial setup will fail.


Once the FreeRADIUS server is operational, you can use radtest to test an account from the command line,command format:
radtest {username} {password} {hostname} 0 {radius_secret}
[[email protected] ~]# radtest -h
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
-d RADIUS_DIR Set radius directory
-t <type> Set authentication method
type can be pap, chap, mschap, or eap-md5
-P protocol Select udp (default) or tcp
-x Enable debug output
-4 Use IPv4 for the NAS address (default)
-6 Use IPv6 for the NAS address
our example:
$ radtest testing password localhost 0 testing123
Where testing is the user name configured above, and password is the password for the user. These can be real user names and passwords, of course.
You should see output like:
Sending Access-Request of id 226 to
User-Name = 'testing'
User-Password = 'password'
NAS-IP-Address = radius.domain.com
NAS-Port = 10
rad_recv : Access-Accept packet from host,id=226, length=56
Framed-IP-Address =
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-Compression = Van-Jacobson-TCP-IP
Framed-IP- Netmask =
The key is to get an 'Access Accept' response.
At this point you should have text-file authentication working in FreeRADIUS. Also based on the default settings, the authentication methods now work for the testing user
  • PAP
  • CHAP
  • MS-CHAPv1
  • MS-CHAPv2
  • PEAP
  • EAP-MD5.
If you made changes to the default configuration, odds are that one or more of these authentication methods will stop working.
The next step is to add more users, and/or to configure directories and databases.


radclient is a radius client program included as part of FreeRADIUS. It can send arbitrary RADIUS packets to a RADIUS server, then shows the reply. It can be used to test changes you made in the configuration of the radius server, or it can be used to monitor if a radius server is up.
radclient reads radius attribute/value pairs from it standard input, or from a file specified on the command line. It then encodes these attribute/value pairs using the dictionary, and sends them to the remote server.
The User-Password and CHAP-Password attributes are automatically encrypted before the packet is sent to the server.
[[email protected] ~]# radclient -h
Usage: radclient [options] server[:port] <command> [<secret>]
<command> One of auth, acct, status, coa, disconnect or auto.
-4 Use IPv4 address of server
-6 Use IPv6 address of server.
-c <count> Send each packet 'count' times.
-d <raddb> Set user dictionary directory (defaults to /etc/raddb).
-D <dictdir> Set main dictionary directory (defaults to /usr/share/freeradius).
-f <file>[:<file>] Read packets from file, not stdin.
If a second file is provided, it will be used to verify responses
-F Print the file name, packet number and reply code.
-h Print usage help information.
-n <num> Send N requests/s
-p <num> Send 'num' packets from a file in parallel.
-q Do not print anything out.
-r <retries> If timeout, retry sending the packet 'retries' times.
-s Print out summary information of auth results.
-S <file> read secret from file, not command line.
-t <timeout> Wait 'timeout' seconds before retrying (may be a floating point number).
-v Show program version information.
-x Debugging mode.
-P <proto> Use proto (tcp or udp) for transport.
echo "User-Name = test" | /usr/local/bin/radclient localhost:1812 auth s3cr3t
echo "User-Name=test,User-Password=mypass,Framed-Protocol=PPP " | /usr/local/bin/radclient localhost:1812 auth s3cr3t
echo "Message-Authenticator = 0x00" | /usr/local/bin/radclient localhost:1812 auth s3cr3t


The FreeRADIUS server can write an accounting log in the wtmp format of the local system. radlast is a frontend for the systems last command ( it just calls last with the -f path_to_radwtmp_file argument, and passes all options on the command line to the system last command.)
[[email protected] ~]# radlast -h
last [options] [<username>...] [<tty>...]
Show a listing of last logged in users.
-<number> how many lines to show
-a, --hostlast display hostnames in the last column
-d, --dns translate the IP number back into a hostname
-f, --file <file> use a specific file instead of /var/log/wtmp
-F, --fulltimes print full login and logout times and dates
-i, --ip display IP numbers in numbers-and-dots notation
-n, --limit <number> how many lines to show
-R, --nohostname don't display the hostname field
-s, --since <time> display the lines since the specified time
-t, --until <time> display the lines until the specified time
-p, --present <time> display who were present at the specified time
-w, --fullnames display full user and domain names
-x, --system display system shutdown entries and run level changes
--time-format <format> show timestamps in the specified <format>:
-h, --help display this help
-V, --version display version
For more details see last(1).


The FreeRADIUS server can be configured to maintain an active session database in a file called radutmp. This utility shows the content of that session database.
[[email protected] ~]# radwho -h
radwho: invalid option -- 'h'
Usage: radwho [-d raddb] [-cfihnprRsSZ] [-N nas] [-P nas_port] [-u user] [-U user]
-c Show caller ID, if available.
-d Set the raddb directory (default is /etc/raddb).
-F <file> Use radutmp <file>.
-i Show session ID.
-n No full name.
-N <nas-ip-address> Show entries matching the given NAS IP address.
-p Show port type.
-P <port> Show entries matching the given nas port.
-r Print output as raw comma-delimited data.
-R Print output as RADIUS attributes and values.
includes ALL information from the radutmp record.
-s Show full name.
-S Hide shell users from radius.
-u <user> Show entries matching the given user.
-U <user> Like -u, but case-sensitive.
-Z Include accounting stop information in radius output. Requires -R.
For example,
$ radwho -ZRN | radclient -f - radius.example.net acct testing123
will result in all an Accounting-Request packet being sent to the RADIUS server, which tells the server that the NAS rebooted. i.e. It "zaps" all of the users on that NAS.
To "zap" one user, specify NAS, username, and NAS port:
$ radwho -ZRN -u user -P 10 | radclient -f - radius.example.net acct testing123
Other combinations are also possible.

Network Utilities


tcpdump is a packet sniffing and packet analyzing tool for a System Administrator to troubleshoot connectivity issues in Linux. It is used to capture, filter, and analyze network traffic such as TCP/IP packets going through your system. It is many times used as a security tool as well. tcpdump also give us a option to save the captured information in a pcap file, these pcap files can then be opened through Wireshark or through the command tool itself.
[[email protected] ~]# tcpdump port 22 -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
22:22:31.564185 IP rocky8.ssh > Flags [P.], seq 1291099877:1291100053, ack 3488420628, win 1432, length 176
22:22:31.614585 IP > rocky8.ssh: Flags [.], ack 176, win 4103, length 0
22:22:31.748273 IP rocky8.ssh > Flags [P.], seq 176:288, ack 1, win 1432, length 112
22:22:31.749019 IP rocky8.ssh > Flags [P.], seq 288:368, ack 1, win 1432, length 80
22:22:31.749953 IP > rocky8.ssh: Flags [.], ack 368, win 4102, length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel
Tcpdump continues to capture packets until it receives an interrupt signal. You can interrupt capturing by pressing Ctrl+C. In this case, since I am connected to this server using ssh, tcpdump captured all these packets. To limit the number of packets captured and stop tcpdump, i have used the -c (for count) option.
By default, tcpdump resolves IP addresses and ports into names, as shown in the previous example. When troubleshooting network issues, it is often easier to use the IP addresses and port numbers; disable name resolution by using the option -n and port resolution with -nn:
[[email protected] ~]# tcpdump port 22 -c5 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
22:47:27.536043 IP > Flags [P.], seq 1291106181:1291106229, ack 3488423124, win 1432, length 48
22:47:27.537150 IP > Flags [P.], seq 48:160, ack 1, win 1432, length 112
22:47:27.537386 IP > Flags [P.], seq 160:240, ack 1, win 1432, length 80
22:47:27.537523 IP > Flags [.], ack 240, win 4105, length 0
22:47:27.537602 IP > Flags [P.], seq 240:304, ack 1, win 1432, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
some use full tcpdump commands:
tcpdump command
tcpdump -D
Display available interfaces
tcpdum -i ens33
Capture Packets from specific interface
tcpdump -c 10 -i ens33
Capture only N neumber of packets
tcpdump -w myfile.pcap -i ens33
Capture and save packets in a file
tcpdump -r myfile.pcap
Read captured packets file
tcpdump -n -i ens33
Capture IP address Packets
tcpdum -i ens33 tcp
Only TCP Packets are captured
tcpdump -i ens33 port 22
Capture packets from specific port
tcpdump -i eth0 src
Capture packets from source IP
tcpdump -i eth0 dst
Capture packets from destination IP
tcpdump -i ens33 ipv6
Sniffing for IPv6

What is PCAP?

Packet Capture or PCAP (also known as libpcap) is an application programming interface (API) that captures live network packet data from OSI model Layers 2-7. Network analyzers like Wireshark create .pcap files to collect and record packet data from a network. PCAP comes in a range of formats including Libpcap, WinPcap, and PCAPng.
These PCAP files can be used to view TCP/IP and UDP network packets. If you want to record network traffic then you need to create a .pcapfile. You can create a .pcapfile by using a network analyzer or packet sniffing tool like Wireshark or tcpdump.
to get familiar with pcap-filters try man pcap-filter. The most important filters to know for the exam are:
• host IP
• port PORT
• portrange PORT-PORT
• tcp portrange PORT-PORT


Wireshark is a popular open source graphical user interface (GUI) tool for analyzing packets. However, it also provides a powerful command-line utility called TShark for people who prefer to work on the Linux command line.


tshark. The terminal version of Wireshark supports similar options and is a lot useful when a Graphical User Interface (GUI) isn’t available.
[[email protected] ~]# tshark
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens160'
1 0.000000000 → TCP 60 63368 → 22 [ACK] Seq=1 Ack=1 Win=4104 Len=0
2 0.502419349 → SSH 118 Server: Encrypted packet (len=64)
3 0.560927325 → TCP 60 63368 → 22 [ACK] Seq=1 Ack=65 Win=4104 Len=0
^C 4 1.021169855 → SSH 150 Server: Encrypted packet (len=96)
5 1.072133101 → TCP 60 63368 → 22 [ACK] Seq=1 Ack=161 Win=4103 Len=0
5 packets captured
tshark examples:
tshark Command
tshark -D
get a list of the available network interfaces
tshark -i enp0s3
capture specific network interface traffic
tshark -i enp0s3 -c 5
capture 5 number of packets
tshark -i enp0s3 -i usbmon1 -i lo
capture multiple interfaces traffic
tshark -i enp0s3 -f "port 80 or port 53" -c 3
only capture packets from ports 80 or 53
tshark -i enp0s3 -w /tmp/test_capture.pcap
Saving Captured Traffic to a File
tshark -i enp0s3 -a duration:120 -w /tmp/test_capture.pcap
auto stop after 120 sec
tshark -i enp0s3 -a filesize:50 -w /tmp/test_capture.pcap
auto stop after 50K file size
tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a files:2 -w /tmp/test_capture.pcap
use “-b” with a filesize flag to save each file of size 15 Kb, maximum number of files=2
tshark -r /tmp/test_capture.pcap | head
reading .pacap files
tshark -r /tmp/test_capture.pcap -T fields -e frame.number -e ip.src -e ip.dst | head
Selecting Fields to Output via -T fields
tshark -i enp0s3 -c 1 -V host
show entire packets


• Neighbor Discovery Protocol Monitor
• Compiled versions available for BSD, OSX, and Debian
• Used for monitoring ICMPv6 packets
• Writes output to syslog


Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. Kismet works with Wi-Fi interfaces, Bluetooth interfaces, some SDR (software defined radio) hardware like the RTLSDR, and other specialized capture hardware.


[email protected]:~# kismet_client -h
Usage: kismet_client [OPTION]
*** Generic Options ***
-h, --help The obvious


[email protected]:~# kismet_drone -h
Usage: kismet_drone [OPTION]
Nearly all of these options are run-time overrides for values in the
kismet.conf configuration file. Permanent changes should be made to
the configuration file.
*** Generic Options ***
-f, --config-file Use alternate configuration file
--no-line-wrap Turn of linewrapping of output
(for grep, speed, etc)
-s, --silent Turn off stdout output after setup phase
--daemonize Spawn detatched in the background
*** Kismet Remote Drone Options ***
--drone-listen Override Kismet drone listen options
*** Packet Capture Source Options ***
-c, --capture-source Specify a new packet capture source
(Identical syntax to the config file)
-C, --enable-capture-sources Enable capture sources (comma-separated
list of names or interfaces)

kismet_server Usage Example

Start the Kismet server, using the wireless interface as the capture source (-c wlan0) and use the external GPSD option (–use-gpsd-gps):
[email protected]:~# kismet_server -c wlan0 --use-gpsd-gps
ERROR: Kismet was started as root, NOT launching external control binary.
This is NOT the preferred method of starting Kismet as Kismet will
continue to run as root the entire time. Please read the README
file section about Installation & Security and be sure this is what
you want to do.
INFO: Reading from config file /etc/kismet/kismet.conf
INFO: No 'dronelisten' config line and no command line drone-listen
argument given, Kismet drone server will not be enabled.
INFO: Created alert tracker...
INFO: Creating device tracker...
INFO: Registered 80211 PHY as id


Aircrack-ng is a complete suite of tools to assess WiFi network security.
It focuses on different areas of WiFi security:
  • Monitoring: Packet capture and export of data to text files for further processing by third party tools
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
  • Testing: Checking WiFi cards and driver capabilities (capture and injection)
  • Cracking: WEP and WPA PSK (WPA 1 and 2)
All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily on Linux but also Windows, macOS, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.


The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.
bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.

Network Threads

Rogue Router Advertisements

• This is a problem on IPv6 networks where malicious router advertisements may be used to hijack traffic on unsecured networks.
• It can be mitigated by adjusting your kernel to not accept router advertisements:
  • /proc/sys/net/ipv6/conf//forwarding
  • /proc/sys/net/ipv6/conf//accept_ra

Rouge DHCP Messages

• This is an issue that is best dealt with at the switch level.
• DHCP traffic should be restricted to solely the switch port running the DHCP server that is trusted.
• This is done using DHCP snooping.