
last update: 2020-09-20 at 22:00:23 CEST

Networking

Find a Duplicate IP Address in your Network

Assuming your IP is 10.200.127.56 on eth0, arping will send an ARP who-has query to the specified IP address.

Note

If -d is given, arping will exit with -1 if two different MAC addresses answer (and that's exactly what we want).

sudo arping -d -I eth0 -c 2 10.200.127.56
echo $?

Capture Traffic

Capture network traffic with tcpdump. The snaplen (-s) is set to 64k so that packets are captured in full, up to the maximum IP packet size. SSH traffic on the default port 22 is not captured.

tcpdump -nni eth0 -w packet.dump -s 65535 not port 22

Visualize Network Traffic

Tools to visualize network traffic: wireshark, tnv, afterglow, INAV, tcpdump, tcpick

  • tcpick is a tcp stream sniffer and connection tracker

To view the dump on the console use:

tcpdump -ttttnnr traffic.dump

or:

tcpdump -qns 0 -A -r traffic.dump

or:

tcpick -C -yP -r traffic.dump

Get the IP from ifconfig (sed version)

Replace eth0 with the interface you are interested in. If it is omitted, the IPs of all interfaces are listed.

/sbin/ifconfig eth0 | sed -rn 's/.*inet addr:([^ ]+) .*/\1/p'
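The sed above only matches the older net-tools output ("inet addr:10.0.0.1"); newer ifconfig versions print "inet 10.0.0.1  netmask ..." and the expression prints nothing. The following is an added example, not from the original page: ifconfig_ips handles both layouts, and ip_addrs does the same job with iproute2, which most current distributions ship instead of ifconfig. The function names and the sample output are my own; the sample is constructed to mix both styles so the script runs offline.

```shell
#!/bin/sh
# Extract IPv4 addresses from ifconfig output, whatever the net-tools version.
# Old net-tools:  "inet addr:10.200.127.56  Bcast:..."
# New net-tools:  "inet 10.200.127.56  netmask 255.255.255.0  ..."
# IPv6 lines start with "inet6" (no space after "inet") and are skipped.
ifconfig_ips() {
    sed -En 's/.*inet (addr:)?([0-9.]+) .*/\2/p'
}

# Same job with iproute2, which replaces ifconfig on current systems.
# "-o" prints one line per address, so the address is always field 4 ("addr/prefix").
ip_addrs() {
    # $1 = interface name (optional; every interface is listed if omitted)
    ip -o -4 addr show ${1:+dev "$1"} | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# Constructed sample (not real output of any host), one interface per style.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.200.127.56  Bcast:10.200.127.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.150  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>'

# Prints 10.200.127.56 and 192.168.1.150, one per line.
printf '%s\n' "$SAMPLE_IFCONFIG" | ifconfig_ips
```

sed -E is the POSIX spelling of GNU's -r, so the function also works on BSD and macOS sed.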

Simulate Network Impairments

Adding Delay

The following command uses the kernel traffic shaper (tc) to add an artificial RTT on the localhost interface; the second command deletes the rule again. lo is the loopback interface, replace it with eth0 if needed. add adds a queueing discipline (qdisc), del deletes it, change modifies it.

sudo tc qdisc add dev lo root netem delay 500ms
sudo tc qdisc del dev lo root netem delay 500ms
$ ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=1000 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=1000 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=1000 ms

Using a non-uniform distribution: a delay of 50ms with 20ms variation, drawn from a normal distribution.

sudo tc qdisc add dev lo root netem delay 50ms 20ms distribution normal

Adding Loss

sudo tc qdisc add dev lo root netem loss 0.1%
sudo tc qdisc del dev lo root netem loss 0.1%

Delay and Loss

Here we use an RTT of 100ms (50ms delay in each direction on lo) and drop 1 of every 1000 packets.

tc qdisc add dev lo root netem delay 50ms loss 0.1%

Emulate packet burst losses

This will cause 0.3% of packets to be lost, and each successive loss probability depends by a quarter (25% correlation) on the previous one.

sudo tc qdisc add dev eth0 root netem loss 0.3% 25%

(Prob_n = 0.25 * Prob_(n-1) + 0.75 * Random)

Show Current Disciplines

tc qdisc show
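Every add above needs a matching del, and a forgotten qdisc keeps impairing the interface (and everything else using it) long after the test is over. The helper below is an added example, not from the original page: with_netem applies a netem rule, runs a command, and removes the rule again even if the command is interrupted with Ctrl-C. The TC variable, the function name and the NETEM_DEMO switch are my own; set TC=echo to print the tc invocations instead of applying them.

```shell
#!/bin/sh
# with_netem: apply a netem impairment, run a command, always clean up.
# Usage: with_netem <dev> "<netem parameters>" <command> [args...]
# TC can be overridden (TC=echo) to dry-run without touching the interface.
TC=${TC:-"sudo tc"}

with_netem() {
    dev=$1
    params=$2
    shift 2
    # Only one root qdisc can exist; a leftover rule makes "add" fail, so stop
    # here rather than silently measuring with somebody else's settings.
    # $params is intentionally unquoted so "delay 50ms loss 0.1%" splits into words.
    $TC qdisc add dev "$dev" root netem $params || return 1
    # Remove the rule on any exit path, including Ctrl-C (INT) and kill (TERM).
    trap '$TC qdisc del dev "$dev" root netem' EXIT
    trap 'exit 130' INT TERM
    "$@"
    status=$?
    trap - EXIT INT TERM
    $TC qdisc del dev "$dev" root netem
    return $status
}

# Demo, guarded by NETEM_DEMO=1: 100 ms RTT on loopback (50 ms each way)
# plus 0.1% loss, as in the "Delay and Loss" example, while pinging.
if [ "${NETEM_DEMO:-0}" = 1 ]; then
    with_netem lo "delay 50ms loss 0.1%" ping -c 3 localhost
fi
```

Run it as NETEM_DEMO=1 sh with_netem.sh for the real thing, or NETEM_DEMO=1 TC=echo sh with_netem.sh to see the two tc commands it would issue; the exit status of the wrapped command is passed through, so the helper fits into test scripts.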

Create Custom Packets

hping2 usage examples

Often considered a complementary tool to Nmap, hping is used for network scanning as well as for crafting TCP/IP packets. Note that, because of the raw packet crafting involved, if you are running as root and still get an error saying the operation is not permitted, a host firewall may be the cause.

Send TCP SYN packets to port 0 on host example.com (note that hping will increment the source port by 1 for each packet sent):

hping example.com -S -V

Send TCP SYN packets to port 443 on host example.com:

hping example.com -S -V -p 443

Send TCP packets to port 443 on host example.com with the SYN + ACK flags set:

hping example.com -S -A -V -p 443

Send TCP packets to port 443 on host example.com with the SYN + ACK + FIN flags set:

hping example.com -S -A -F -V -p 443

Send TCP SYN packets every 5 seconds to port 443 on host example.com:

hping example.com -S -V -p 443 -i 5

Send TCP SYN packets every 100,000 microseconds (i.e. every 0.1 second or 10 per second) to port 443 on host example.com. Note that verbose has been removed:

hping example.com -S -p 443 -i u100000

Send TCP SYN packets every 10,000 microseconds (i.e. every 0.01 second or 100 per second) to port 443 on host example.com:

hping example.com -S -p 443 -i u10000

Send TCP SYN packets every 10,000 microseconds (i.e. every 0.01 second or 100 per second) to port 443 on host example.com, stopping after 500 packets:

hping example.com -S -p 443 -i u10000 -c 500

Send UDP packets to port 111 on host example.com (argument --udp can be substituted with -2):

hping example.com --udp -V -p 111

Send ICMP echo request packets to host example.com (argument --icmp can be substituted with -1):

hping example.com --icmp -V

Send ICMP timestamp request packets to host example.com:

hping example.com --icmp --icmp-ts -V

Portscan TCP ports 100 to 110 on host example.com (argument --scan can be substituted with -8):

hping example.com -V --scan 100-110

Send UDP packets spoofed to be from source host 192.168.1.150 to host example.com

hping example.com --udp --spoof 192.168.1.150

Send UDP packets spoofed to be from various random source IP addresses to host example.com

hping example.com --udp --rand-source

Send UDP packets with the data portion padded with 100 bytes to host example.com

hping example.com -V --udp --data 100

Send UDP packets with the data portion padded with 100 bytes but containing the contents of payload.txt to host example.com (the payload will be truncated if it is smaller than what is specified by the --data argument)

hping example.com -V --udp --file payload.txt --data 100
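From the receiving side, the packets above show up in a capture like the one from the tcpdump section, and a host sending 100 SYNs per second from incrementing source ports stands out in even a short dump. The script below is an added example, not from the original page: syn_sources reads the text output of tcpdump -nn (live, or from -r packet.dump) on stdin and prints every source address that sent at least the given number of SYN-only segments. The function name and the sample lines are my own; the sample is constructed in tcpdump's default layout and includes one SYN-ACK reply and one ordinary handshake that must not be counted.

```shell
#!/bin/sh
# syn_sources: per-source count of TCP SYN-only segments in tcpdump text output.
# Usage: tcpdump -nnr packet.dump 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_sources 100
# The tcpdump filter is optional; the awk below only counts "Flags [S]," lines anyway,
# so SYN-ACKs ("Flags [S.]") and data segments are ignored.
syn_sources() {
    # $1 = minimum SYN count for a source to be reported
    awk -v limit="$1" '
        / Flags \[S\],/ {
            # The source is the field right after "IP" or "IP6", written as addr.port
            for (i = 1; i < NF; i++)
                if ($i == "IP" || $i == "IP6") { src = $(i + 1); break }
            sub(/\.[0-9]+$/, "", src)       # drop the port, keep the address
            count[src]++
        }
        END {
            for (s in count)
                if (count[s] >= limit) printf "%s %d\n", s, count[s]
        }' | sort
}

# Constructed sample (not a real capture): three SYNs from one host on
# consecutive source ports, the server's SYN-ACK, and one normal client.
SAMPLE_DUMP='21:55:01.000001 IP 192.168.1.150.1025 > 10.200.127.56.443: Flags [S], seq 1, win 512, length 0
21:55:01.010001 IP 192.168.1.150.1026 > 10.200.127.56.443: Flags [S], seq 1, win 512, length 0
21:55:01.020001 IP 192.168.1.150.1027 > 10.200.127.56.443: Flags [S], seq 1, win 512, length 0
21:55:01.030001 IP 10.200.127.56.443 > 192.168.1.150.1025: Flags [S.], seq 5, ack 2, win 64240, length 0
21:55:01.040001 IP 10.200.127.9.51002 > 10.200.127.56.443: Flags [S], seq 9, win 64240, options [mss 1460], length 0
21:55:01.050001 IP 10.200.127.9.51002 > 10.200.127.56.443: Flags [.], ack 1, win 502, length 0'

# Prints "192.168.1.150 3": the ordinary client sent a single SYN and stays below the limit.
printf '%s\n' "$SAMPLE_DUMP" | syn_sources 3
```

Because the counting is done per address rather than per port, the incrementing source port that hping uses does not split the count across many keys; in a real investigation the threshold should be set against the dump's duration.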

IPtables Firewall

Disable iptables

-F flushes all rules, -X deletes a chain, -P sets a new policy for a chain, -t specifies the table to operate on (without a table the filter table is used).

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT