
Saturday, February 21, 2009

TCPDUMP

TCPdump is a very powerful command line packet sniffer. It must be launched as root or with superuser rights because it puts the network device into promiscuous mode, and because reading raw packets from a network device or socket requires sufficient privileges. Wireshark (formerly Ethereal) can be used as an alternative to TCPdump, with a GUI. Wireshark can also read the capture files written by TCPdump.
1. TCPDUMP DOWNLOAD
2. TCPDUMP USE


1. TCPDUMP DOWNLOAD

To download and install TCPdump:

#apt-get install tcpdump
To see the TCPdump dependencies:
#apt-cache depends tcpdump
tcpdump
  Depends: libc6
  Depends: libpcap0.8
  Depends: libssl0.9.8
To see the installed TCPdump version:
#apt-cache policy tcpdump
tcpdump:
  Installed: 3.9.4-2ubuntu0.1
  Candidate: 3.9.4-2ubuntu0.1
  Version table:
 *** 3.9.4-2ubuntu0.1 0
        500 http://security.ubuntu.com dapper-security/main Packages
        100 /var/lib/dpkg/status
     3.9.4-2 0
        500 http://ch.archive.ubuntu.com dapper/main Packages


2. TCPDUMP USE

To display the standard TCPdump output:

#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1
21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)
21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
To display the verbose output:
#tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
To list the network interfaces available for the capture:
#tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
To display numerical addresses rather than symbolic (DNS) addresses:
#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1
22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11
22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535
To display the quick output:
#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
To capture the traffic of a particular interface:
#tcpdump -i eth0
To capture the UDP traffic:
#tcpdump udp
To capture the TCP port 80 traffic:
#tcpdump port http
To capture the traffic from a filter stored in a file:
#tcpdump -F file_name
To create the file containing the filter (here TCP port 80):
#vim file_name
port 80
To stop the capture after 20 packets:
#tcpdump -c 20
To send the capture output in a file instead of directly on the screen:
#tcpdump -w capture.log
To read a capture file:
#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)
09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win 86
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527
The captured data isn't stored in plain text, so you cannot read it with a text editor; you have to use a dedicated tool such as TCPdump (see above) or Wireshark (formerly Ethereal), which provides a graphical interface. The capture.log file is opened with Wireshark.
To display the packets having "www.openmaniak.com" as their source or destination address:
#tcpdump host www.openmaniak.com
To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:
#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
To display the packets content:
#tcpdump -A
Packets captured during an FTP connection. The FTP password can easily be intercepted because it is sent in clear text to the server.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
....g.................... ............
20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183
....g.I@............. ........
20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183
....g.I@.......8..... ......EN
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
....g.I@......`$..... ...=..ENUSER teddybear
20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183
....h.I@............. ...>..E^
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c..... ......E^PASS wakeup
20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183
....h.I@.,........... ......Ez
20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
....h.I@.,........... ......EzSYST
20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183
....h.I@.?.....j..... ......Ez
20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
....h.I@.?........... ......EzQUIT
20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183
....h.I@.g........... ......E.
20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
....h.I@.h.....e..... ......E.
We see in this capture the FTP username (teddybear) and password (wakeup).
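The cleartext-credential problem shown above is also something a defender can detect automatically in a capture. The script below is an added example, not part of the original post: it parses the "time IP src > dst:" header lines that tcpdump prints and the ASCII payload that -A adds, and reports every source/destination flow in which an FTP USER and PASS were sent in the clear. The sample capture is constructed from the packets shown above; the alert records only the username and the password length, so the finding can be forwarded without re-exposing the secret.

```python
import re

# Constructed sample of `tcpdump -A` output, modelled on the FTP capture in the
# post (same hosts, ports and credentials); it is not live traffic.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
....g.................... ............
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
....g.I@......`$..... ...=..ENUSER teddybear
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c..... ......E^PASS wakeup
20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
....h.I@.,........... ......EzSYST
20:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1
20:58:00.100000 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
"""

# "<time> IP <src> > <dst>: ..." is the header tcpdump prints for every IP packet
HEADER = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ')
# FTP commands that carry credentials, wherever they sit in the ASCII payload
FTP_CRED = re.compile(r'(USER|PASS) (\S+)\s*$')


def parse_header(line):
    """Return {'ts', 'src', 'dst'} for an IP packet line, else None (arp, payload, banners)."""
    m = HEADER.match(line)
    return m.groupdict() if m else None


def find_cleartext_ftp_logins(capture_text):
    """Report each src->dst flow that sent USER and PASS in the clear.

    Payload lines are attributed to the most recent packet header, so the
    function works whether the payload follows on the same line or the next.
    Only the username and the password *length* are kept."""
    flows, current = {}, None
    for line in capture_text.splitlines():
        hdr = parse_header(line)
        if hdr:
            current = (hdr['src'], hdr['dst'])
            flows.setdefault(current, {'src': hdr['src'], 'dst': hdr['dst'],
                                       'first_seen': hdr['ts'],
                                       'user': None, 'password_len': 0})
        m = FTP_CRED.search(line)
        if m and current:
            if m.group(1) == 'USER':
                flows[current]['user'] = m.group(2)
            else:
                flows[current]['password_len'] = len(m.group(2))
    return [f for f in flows.values() if f['user'] and f['password_len']]


if __name__ == '__main__':
    for f in find_cleartext_ftp_logins(SAMPLE_CAPTURE):
        print("cleartext FTP login %s -> %s user=%s (password of %d chars) at %s"
              % (f['src'], f['dst'], f['user'], f['password_len'], f['first_seen']))
```

Run the script against the output of "tcpdump -A -r capture.log" to check an existing capture; a hit means the service should be moved to FTPS/SFTP rather than the capture being kept around.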

Thursday, February 12, 2009

IP Address Range Function in Python

# Python 3 version; the original used Python 2's print statement and list-returning map()
def ipAddrRange(startAddr, endAddr):
    def incrAddr(addrList):
        # add one to the last octet and carry into the higher octets
        addrList[3] += 1
        for i in (3, 2, 1):
            if addrList[i] == 256:
                addrList[i] = 0
                addrList[i-1] += 1
    def asString(addrList):
        return ".".join(map(str, addrList))
    startAddrList = list(map(int, startAddr.split(".")))
    endAddrList = list(map(int, endAddr.split(".")))
    curAddrList = startAddrList[:]
    yield asString(curAddrList)
    # lists compare lexicographically, octet by octet, so this walks every
    # address up to and including endAddr (the original per-octet loop could
    # overshoot the end when a lower octet of the start was larger than the end's)
    while curAddrList < endAddrList:
        incrAddr(curAddrList)
        yield asString(curAddrList)

for addr in ipAddrRange("10.255.255.250", "11.0.0.20"):
    print(addr)
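The same range can be produced with the standard library's ipaddress module, which also validates the input and can collapse the range into CIDR blocks (handy when the list feeds a firewall or ACL rule). This is an added example, not from the post; the function names addr_range, to_cidrs and count are my own.

```python
import ipaddress

LAST_IPV4 = ipaddress.IPv4Address("255.255.255.255")


def addr_range(start, end):
    """Yield every IPv4 address from start to end inclusive.

    Both inputs are validated by IPv4Address (bad octets raise ValueError),
    and a start after end is rejected instead of silently yielding nothing."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if a > b:
        raise ValueError("start %s is after end %s" % (a, b))
    cur = a
    while cur <= b:
        yield str(cur)
        if cur == LAST_IPV4:      # adding 1 here would overflow the address space
            break
        cur += 1


def to_cidrs(start, end):
    """Smallest list of CIDR blocks covering the range, as strings."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(net) for net in ipaddress.summarize_address_range(a, b)]


def count(start, end):
    """Number of addresses in the inclusive range, without enumerating them."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


if __name__ == "__main__":
    for addr in addr_range("10.255.255.250", "11.0.0.20"):
        print(addr)
    print(to_cidrs("10.255.255.250", "11.0.0.20"))
```

to_cidrs is the useful part for rule writing: a range that crosses an octet boundary like this one cannot be expressed as one prefix, and the summarised list is what an ACL actually needs.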


E-mail Alert on Root SSH Login

Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the super user account. We recommend that you use an email address not hosted on the server you're sending the alert from.

So let's get started!

  • Login to your server and su to root.
  • vim /root/.bashrc
  • Scroll to the end of the file then add the following:
echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com
  • Replace YourServerName with the handle for your actual server
  • Replace you@yourdomain.com with your actual email address
  • Now log out of SSH, close the connection and log back in! You should receive an email with the root login alert a few minutes afterwards.

Note: This is a great tool for servers that have multiple admins or if you give someone SSH access for whatever reason, although you should give out the root password to as few people as humanly possible and be sure to change it often.

This will not magically alert you when a hacker runs the latest kernel exploit on your server and logs into SSH because they will create their own SSH/telnet connection. You should keep your system up to date, install a firewall and follow the latest security releases.
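The .bashrc trick only fires when an interactive shell starts. sshd itself logs every accepted session (password or key, with or without a shell) as an "Accepted ... for USER from IP" line in the auth log, so watching that log covers the cases the note above mentions. The following is an added example, not part of the post: it scans constructed auth.log lines for successful logins by root and builds the same kind of alert subject the one-liner sends. The function names and the sample lines are mine; plug the subject into your mail command of choice.

```python
import re

# Constructed sample auth.log lines (documentation IP ranges, invented host/PIDs).
SAMPLE_AUTH_LOG = """\
Feb 21 09:14:02 srv1 sshd[2311]: Accepted password for root from 198.51.100.7 port 51234 ssh2
Feb 21 09:14:05 srv1 sshd[2320]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Feb 21 09:15:11 srv1 sshd[2340]: Failed password for root from 203.0.113.9 port 3391 ssh2
Feb 21 09:16:40 srv1 sshd[2355]: Accepted publickey for root from 192.0.2.10 port 40100 ssh2
"""

# Matches only successful sshd authentications; failures are a different message.
ACCEPTED = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')


def root_logins(lines, watched=("root",)):
    """Return one dict (ts, host, method, user, ip, port) per accepted login
    for any account in `watched`, in log order."""
    events = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m and m.group('user') in watched:
            events.append(m.groupdict())
    return events


def alert_subject(event):
    """Subject line in the spirit of the post's mail -s argument."""
    return "Alert: %s login on %s from %s (%s)" % (
        event['user'], event['host'], event['ip'], event['method'])


if __name__ == "__main__":
    for ev in root_logins(SAMPLE_AUTH_LOG.splitlines()):
        print(alert_subject(ev))
```

Feed it "tail -F /var/log/auth.log" (or the journal) instead of the sample and send the subject with the same mail command as above; because it keys on sshd's own record rather than on the shell startup file, an attacker who edits /root/.bashrc does not silence it.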

Tuesday, February 10, 2009

How To Tail (View) Multiple Files on UNIX / Linux Console

tail is one of the best tools for viewing log files in real time (tail -f /path/to/log.file). The program MultiTail lets you view one or more files like the original tail program. The difference is that it creates multiple windows on your console (with ncurses). This is a dream-come-true program for UNIX sysadmin work. You can browse through several log files at once and do various operations such as searching for errors and much more.

Install MultiTail

Type the following commands under Debian / Ubuntu Linux:
$ sudo apt-get update
$ sudo apt-get install multitail
If you are using FreeBSD, enter:
# portsnap fetch update
# cd /usr/ports/sysutils/multitail
# make install clean

How To View Multiple Files Like tail Command

To view /var/log/messages and /var/log/auth.log, enter:
# multitail /var/log/messages /var/log/auth.log
Sample output:

How do I run a command and view a log file?

Simply use the command as follows:
# multitail /var/log/iptables.log -l "ping server.nixcraft.in"
OR
# multitail /var/log/httpd.log -l "netstat -nat"
The -l option runs a command in its own window. Do not forget the quotes if the external command needs parameters (e.g. -l "ping host").

How do I display 3 logfiles in 2 columns?

To see all 3 files related to the mail server gateway, enter:
# multitail -s 2 /var/log/maillog /var/log/FuzzyOcr.log /var/log/antivirus.log
multitail has many other useful options. Please read the man page for further details:
man multitail

Regular Expression

Regular expressions are really cool; everyone should know them ;) Initially you might feel they are too complex, but once you get into them you find that they only look complex and are actually easy to use. They complete a big task in a few lines... Really great ;) Below is my first function in Python, which I wrote to search for a string using '*' as a wildcard. Cheers, Python B)

import re

def SearchString(pattern, string):
    # each '*' in the pattern stands for any run of word characters or '-'
    ulist = pattern.split('*')
    if len(ulist) > 1:
        k = '^' + ulist[0] + r'[\w\-]*' + ''.join([i + r'[\w\-]*' for i in ulist[1:-1]]) + ulist[-1] + '$'
        print(k)
        if re.search(k, string) is not None:
            return "Found"
        else:
            return "Not Found"
    elif pattern == string:
        return "Found"
    else:
        return "Not Found"

>>> SearchString('vin*jda*is','vinojdavis')
^vin[\w\-]*jda[\w\-]*is$
'Found'
>>> SearchString('vi**jda*is','vinojdavis')
^vi[\w\-]*[\w\-]*jda[\w\-]*is$
'Found'
>>> SearchString('vin*jda*is','viojdavis')
^vin[\w\-]*jda[\w\-]*is$
'Not Found'
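The function above drops the literal parts of the pattern straight into the regular expression, so a '.' or '+' in the pattern is treated as a regex operator instead of a character to match. The following added example (mine, not from the post) shows the general wildcard-to-regex translation: '*' and '?' become regex constructs, everything else goes through re.escape(), and a naive variant is kept beside it to show the difference on a pattern that contains a dot.

```python
import re


def glob_to_regex(pattern):
    """Translate a wildcard pattern into an anchored regular expression.

    '*' matches any run of characters and '?' exactly one character; every
    other character is passed through re.escape(), so '.', '+', '(' and the
    like in the pattern match themselves rather than acting as operators."""
    parts = []
    for ch in pattern:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return '^' + ''.join(parts) + '$'


def wildcard_match(pattern, string):
    """True when the whole string matches the wildcard pattern."""
    return re.fullmatch(glob_to_regex(pattern), string) is not None


def naive_match(pattern, string):
    """The unescaped variant: pattern text is used as regex text verbatim,
    so metacharacters in it change the meaning of the match."""
    return re.fullmatch('^' + pattern.replace('*', '.*') + '$', string) is not None


if __name__ == "__main__":
    print(glob_to_regex('vin*jda*is'))
    print(wildcard_match('web.log', 'webXlog'), naive_match('web.log', 'webXlog'))
```

The contrast on 'web.log' is the point: the escaped version only matches the literal file name, while the naive one also accepts 'webXlog'. Whenever a pattern comes from user input, escaping the literal parts is what keeps the match meaning what the user wrote.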

Tuesday, February 3, 2009

Kill process in Linux or terminate a process in UNIX or Linux systems

Q. How do I kill process in Linux?

A. Linux and all other UNIX-like OSes come with the kill command. The kill command sends the specified signal (such as the kill signal) to the specified process or process group. If no signal is specified, the TERM signal is sent.

Kill process using kill command under Linux/UNIX

kill command works under both Linux and UNIX/BSD like operating systems.

Step #1: First, you need to find out process PID (process id)

Use the ps command or the pidof command to find out the process ID (PID). Syntax:
ps aux | grep processname
pidof processname

For example, if the process name is lighttpd, you can use either of the following commands to obtain its process ID:
# ps aux | grep lighttpd
Output:

lighttpd  3486  0.0  0.1   4248  1432 ?        S    Jul31   0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
lighttpd  3492  0.0  0.5  13752  3936 ?        Ss   Jul31   0:00 /usr/bin/php5-cg

OR use the pidof command, which finds the process ID of a running program:
# pidof lighttpd
Output:

3486

Step #2: kill process using PID (process id)

The above command tells you the PID (3486) of the lighttpd process. Now kill the process using this PID:
# kill 3486
OR
# kill -9 3486
Where,

  • -9 is the KILL signal, which forcibly kills the process.

killall command examples

DO NOT USE the killall command on UNIX systems (it is a Linux-only command). On Linux you can also use the killall command. The killall command kills processes by name (no need to find the PID):
# killall -9 lighttpd
Kill the Firefox process:
# killall -9 firefox-bin
As I said earlier, killall on UNIX systems does something else: it kills all processes, not just a specific process. Do not use killall on UNIX systems (use kill -9).
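The difference between plain kill and kill -9 is easy to see from a process's point of view: TERM can be caught so the program can shut down cleanly, KILL cannot. The following is an added example, not from the post: it starts a small constructed child program that installs a SIGTERM handler, sends it the signal the way kill does (os.kill on the PID) and reports the exit status. A pidof-style lookup via /proc is included for Linux.

```python
import os
import signal
import subprocess
import sys

# Constructed child program standing in for a daemon: it catches SIGTERM, runs
# its "cleanup" and exits with status 3. SIGKILL cannot be caught at all.
CHILD_PROGRAM = r"""
import signal, sys, time
def on_term(signum, frame):
    sys.exit(3)          # orderly shutdown path
signal.signal(signal.SIGTERM, on_term)
print("ready", flush=True)
while True:
    time.sleep(0.1)
"""


def signal_child(signame):
    """Start the child, wait until its handler is installed, send the named
    signal to its PID (what `kill <pid>` / `kill -9 <pid>` do) and return the
    exit status. A negative status means 'terminated by that signal number'."""
    sig = getattr(signal, "SIG" + signame)
    proc = subprocess.Popen([sys.executable, "-c", CHILD_PROGRAM],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()            # blocks until the child prints "ready"
    os.kill(proc.pid, sig)
    status = proc.wait(timeout=10)
    proc.stdout.close()
    return status


def pids_by_name(name):
    """Rough stand-in for pidof: PIDs whose /proc/<pid>/comm equals name (Linux only)."""
    if not os.path.isdir('/proc'):
        return []
    found = []
    for entry in os.listdir('/proc'):
        if entry.isdigit():
            try:
                with open('/proc/%s/comm' % entry) as fh:
                    if fh.read().strip() == name:
                        found.append(int(entry))
            except OSError:           # process vanished while we were looking
                pass
    return found


if __name__ == "__main__":
    print("TERM -> exit status", signal_child("TERM"))   # handler ran: 3
    print("KILL -> exit status", signal_child("KILL"))   # no handler possible: -9
```

Try TERM first and fall back to -9 only when the process does not exit; a KILLed process never gets to flush buffers, remove lock files or close connections, which is why the default signal is TERM.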

Sunday, February 1, 2009

Variable Datatypes & Range in C

Variable Types:
There are a number of ‘built-in’ data types in C. These are listed below. Where a
shorter version of the type name exists, this is given in brackets; essentially the base
type int is implicit whenever short , long, or unsigned are used.
  1. short int (short)
  2. unsigned short int (unsigned short )
  3. char
  4. unsigned char
  5. signed char
  6. int
  7. unsigned int (unsigned )
  8. long int (long)
  9. unsigned long int (unsigned long )
  10. float
  11. double
  12. long double
The range of values that can be stored in variables of these types will depend on the
compiler and computer that you are using, but on an IBM PC with the Borland Turbo
C compiler the ranges are:
  • short int: -128 to 127 (1 byte)
  • unsigned short int: 0 to 255 (1 byte)
  • char: 0 to 255 or -128 to +127 (1 byte)
  • unsigned char: 0 to 255 (1 byte)
  • signed char: -128 to 127 (1 byte)
  • int: -32,768 to +32,767 (2 bytes)
  • unsigned int: 0 to +65,535 (2 bytes)
  • long int: -2,147,483,648 to +2,147,483,647 (4 bytes)
  • unsigned long int: 0 to 4,294,967,295 (4 bytes)
  • float: single precision floating point (4 bytes)
  • double: double precision floating point (8 bytes)
  • long double: extended precision floating point (10 bytes)
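The integer ranges in the table follow directly from the byte width: a signed two's-complement type of n bytes holds -2^(8n-1) to 2^(8n-1)-1 and an unsigned one 0 to 2^(8n)-1. The example below is added here and is not from the post; it derives those ranges from the width, and goes one step beyond the table by showing what value is actually stored when an assignment exceeds the range (the value wraps modulo 2^bits, which is the root of integer-overflow bugs). The width table TURBO_C_16BIT is constructed from the entries above for which the width is certain.

```python
def c_int_range(nbytes, signed):
    """(min, max) for a two's-complement integer type that is nbytes wide."""
    bits = 8 * nbytes
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1


def fits(value, nbytes, signed):
    """True when value is representable without wrapping."""
    lo, hi = c_int_range(nbytes, signed)
    return lo <= value <= hi


def c_store(value, nbytes, signed):
    """Value a C assignment leaves in the variable when `value` is out of range.

    Unsigned conversion is defined by the C standard as reduction modulo 2**bits;
    signed conversion is implementation-defined, and two's-complement compilers
    reinterpret the same low bits with the top bit as the sign."""
    bits = 8 * nbytes
    v = value & ((1 << bits) - 1)           # keep only the low `bits` bits
    if signed and v >= (1 << (bits - 1)):   # top bit set: negative in two's complement
        v -= 1 << bits
    return v


def range_table(widths):
    """widths: {type name: (bytes, signed)} -> {type name: (min, max, bytes)}."""
    return {name: c_int_range(n, s) + (n,) for name, (n, s) in widths.items()}


# Constructed from the 16-bit Turbo C entries above (int 2 bytes, long 4 bytes).
TURBO_C_16BIT = {
    "signed char": (1, True),
    "unsigned char": (1, False),
    "int": (2, True),
    "unsigned int": (2, False),
    "long int": (4, True),
    "unsigned long int": (4, False),
}


if __name__ == "__main__":
    for name, (lo, hi, n) in range_table(TURBO_C_16BIT).items():
        print("%-18s %d bytes: %d to %d" % (name, n, lo, hi))
    print("int i = 32768; stores", c_store(32768, 2, True))      # -32768
    print("unsigned int u = -1; stores", c_store(-1, 2, False))  # 65535
```

The two lines at the end are the practical lesson behind the table: a length or counter that crosses the top of its type does not fail loudly, it silently becomes a different (often negative or tiny) number, so checks like fits() belong wherever an untrusted value is converted to a fixed-width integer.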