CSCI 251 Systems and Networks
Lab 6 - Network Exploration Tools
Mar 03, 2010
Warning
This lab discusses several software tools that should be used with
extreme care. Although they belong in the toolset of a sysadmin, they
are also used by 'blackhats'. Intrusion Detection Systems often go on
alert when they detect an external agent probing their systems with
such tools.
We'll keep our use of these tools at a somewhat local level,
usually restricting use to our local subnet. There are many such
tools and rather than attempting a broad survey, we'll select just a
few to examine.
Note: Keep a log/record of your activities along with supporting
printouts. This will constitute essential input for your documentation
of this lab. You may find use of the tee command with appropriate file
names useful. Examples of using tee are given in Task #2 and in
Task #4 (section 4.2), but it would be generally useful.
Objectives
- Investigate these utilities and learn to use them
  - traceroute
  - nmap, zenmap
  - netstat
  - tcpdump
- Make use of man pages to become more independent
Preparation
Check that the following utilities are installed on your host system (if not, report to the instructor):
- traceroute
- nmap
- netstat (likely already installed)
If not already installed on your vbx, install the following:
- traceroute
- nmap, zenmap
- netstat (likely already installed)
- tcpdump
Some of these tools have more capabilities if used as root. Tcpdump
requires that you be root to use it at all. Although you have root
privileges in the vbx, it is enclosed within a host system for which
you only have user privileges. Consequently, any Internet exploration
we do looking outside the host machine will be somewhat hampered, one
way or the other. In each case, we'll specify whether to use your vbx
or the host system.
Task #1: From the man pages
The utilities listed above are just four among the many sysadmin
tools available to us. Look at the man page for each of the above and
give a short description (in your own words) of each utility which
describes
- what the utility can do
- how it differs from the other three utilities
Task #2: Investigate the host system
Note: All commands in this section are
to be performed as a user in a terminal on the host system.
2.1 traceroute
From your OS251 terminal, try
traceroute www.debian.org | tee task2.1.txt
Explain what the result tells us. What machine appears to be the
gateway from inside our lan?
Now try entering
/sbin/route
Does the result (when the truncated name is extended) corroborate that
from traceroute? Explain.
Finally try
/sbin/ifconfig eth0
What netmask ('Mask') is reported? What does that mean?
2.2 nmap
2.2.1 Do a ping scan of our LAN
i.e. don't change the first 24 bits, but investigate the rest:
nmap -sP 192.168.18.0/24
How does the command notation relate to the netmask reported in 2.1? Explain what the above command
does (in detail) and give a summary of
the results in your own words.
2.2.2 Do a TCP connect scan
Pick another student's machine in this lab and do a TCP connect scan
with -A (to enable OS fingerprinting and OS version detection):
nmap -sT -A 192.168.18.x
where 'x' designates the machine being investigated.
Explain what the above command does (in detail) and give a summary of
the results in your own words.
2.2.3 Try a TCP SYN scan
nmap -sS -P0 -A -v 192.168.18.x
Was it successful?
2.2.4 Do this scan on the suspected OS251 gateway found in 2.1.
nmap -sT -A -sV 192.168.18.y
where 'y' designates the machine being investigated. Explain what the
suggested command does (in detail) and give a summary of
the results in your own words.
Task #3: Investigate your vbx
Note: In almost all cases, commands in
this section are to be performed as root in a vbx terminal. Exceptions
will be indicated.
3.1 traceroute
From your vbx terminal, try
traceroute www.debian.org
Terminate the command once you start seeing asterisks on the screen.
Explain what the result tells us. What machine appears to be the
gateway from inside our lan? Also try the -T option.
Now try entering
/sbin/route
Does the result (when the truncated name is extended) corroborate that
from traceroute? Explain.
Finally try
/sbin/ifconfig eth0
What netmask is reported? What does that mean?
3.2 nmap/zenmap
3.2.1 From your vbx terminal, do a ping scan of our LAN,
i.e. don't change the first 24 bits, but investigate the rest:
nmap -sP 10.0.2.0/24
How does the command notation relate to the netmask reported in 3.1? Explain what the above command
does (in detail) and give a summary of
the results in your own words. What new machine is present?
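The relation between the /24 in the nmap target and the 'Mask' that ifconfig reports, which both 2.2.1 and 3.2.1 ask about, worked through in a short shell script. This is an added example, not part of the lab handout; the interface address 192.168.18.37 is invented for illustration (10.0.2.15 is the vbx address used elsewhere in Task 3).

```shell
#!/bin/sh
# Added example (not part of the lab handout): relate the dotted "Mask" that
# ifconfig prints to the /24 prefix in the nmap command, and derive the block
# a ping scan covers from an interface address and its mask.

# mask_to_prefix DOTTED_MASK -> prefix length, e.g. 255.255.255.0 -> 24.
# The prefix length is simply the number of one-bits in the mask.
mask_to_prefix() {
    echo "$1" | awk -F'[.]' '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            o = $i
            while (o > 0) { bits += o % 2; o = int(o / 2) }
        }
        print bits
    }'
}

# network_of ADDRESS DOTTED_MASK -> CIDR block the scan should target,
# e.g. 192.168.18.37 255.255.255.0 -> 192.168.18.0/24
network_of() {
    base=$(echo "$1 $2" | awk '{
        split($1, a, "[.]"); split($2, m, "[.]")
        out = ""
        for (i = 1; i <= 4; i++) {
            # For a contiguous mask octet m, 256 - m is the block size, so
            # (a AND m) == a - (a mod (256 - m)).  POSIX awk has no and().
            out = out (i > 1 ? "." : "") (a[i] - a[i] % (256 - m[i]))
        }
        print out
    }')
    echo "$base/$(mask_to_prefix "$2")"
}

# scan_size PREFIX -> number of addresses "nmap -sP" sweeps, e.g. 24 -> 256
# (nmap includes the network and broadcast addresses in the sweep).
scan_size() {
    echo $(( 1 << (32 - $1) ))
}

# Stand-alone demonstration with the lab's two subnets.
network_of 192.168.18.37 255.255.255.0
network_of 10.0.2.15 255.255.255.0
scan_size "$(mask_to_prefix 255.255.255.0)"
```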
3.2.2 Do a TCP connect scan to that new machine
nmap -sT -A 10.0.2.x
where 'x' designates the machine being investigated. Give a summary of
the results in your own words and make a guess at the purpose of the
new machine.
3.2.3 Try a TCP SYN scan on your vbx machine
nmap -sS -P0 -A -v 10.0.2.15
Was it successful? Compare to the result from 2.2.3.
3.2.4 Do this scan on the suspected vbx gateway found in 3.1.
nmap -sT -O -sV 10.0.2.y
where 'y' designates the machine being investigated. Explain what the
suggested command does (in detail) and give a summary of
the results in your own words.
3.2.5 Try zenmap to scan the same machine as in 3.2.4, above. Try it
again as user instead of root and note the differences. Describe the
difference in usability between nmap and zenmap in your own words.
Task #4: netstat [Note: Use the man page freely for this Task.]
Note: All commands in this section are
to be performed as a user in a terminal on the host.
4.1 Active services
With your browser closed, enter:
netstat --inet -a
If not much is going on you might just see services listening, awaiting
incoming requests e.g.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:2208          *:*                     LISTEN
tcp        0      0 localhost:59720         *:*                     LISTEN
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
Now start the browser, and once again enter
netstat --inet -a
and note what differences you see.
4.2 Continuous capture
To catch some activity leading to established connections, make an ssh
connection (even to localhost) and redirect a continuous netstat
capture to a text file as follows:
netstat --inet -a -c | tee task4.2.txt
and, immediately after hitting the enter key for the previous line,
start some ssh activity. After a short time (e.g. 20 seconds), switch
back to the console and stop netstat with CTRL-C. Then examine the
task4.2.txt file and compare it to the results observed in 4.1,
explaining the differences between the results.
Then respond to these specific questions:
- What do the differences in the State column mean?
- Looking at the examples above (based on browser activity) we see
  that some of the rows with ESTABLISHED States are connecting via www,
  yet we see above in the 4th line of the table that www is in a LISTEN
  State. What does that mean?
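To work through a saved capture such as task4.2.txt, here is an added shell script (not part of the lab handout) that counts the State column and breaks the ESTABLISHED rows down by the port on the foreign side. The embedded capture is constructed to resemble the table in 4.1 plus an ssh session to localhost and some browser traffic; the host names in it are invented.

```shell
#!/bin/sh
# Added example (not part of the lab handout): summarise a saved
# "netstat --inet -a" capture.  The sample below is constructed; on real
# output replace "sample_capture |" with "cat task4.2.txt |".

sample_capture() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost:ssh           localhost:45210         ESTABLISHED
tcp        0      0 localhost:45210         localhost:ssh           ESTABLISHED
tcp        0      0 host.example:52114      www.debian.org:www      ESTABLISHED
tcp        0      0 host.example:52116      www.debian.org:www      ESTABLISHED
tcp        0      0 host.example:52115      www.debian.org:www      TIME_WAIT
udp        0      0 *:bootpc                *:*
EOF
}

# count_states: one "STATE count" line per TCP state, e.g. "LISTEN 2".
# Only tcp rows carry a State column ($6), so udp rows are skipped.
count_states() {
    awk '$1 == "tcp" { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# established_by_foreign_port: count ESTABLISHED rows by the port on the
# *foreign* side ($5).  "www 2" here is the browser talking to a remote web
# server; it is a different socket from the local "*:www LISTEN" row, whose
# Foreign Address is "*:*" because that server socket has accepted nothing.
# The ssh session to localhost shows up twice: once from each end.
established_by_foreign_port() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        n = split($5, f, ":"); c[f[n]]++
    }
    END { for (p in c) print p, c[p] }' | sort
}

# state_count STATE: the count for one state from stdin, 0 if absent.
state_count() {
    count_states | awk -v s="$1" 'BEGIN { c = 0 } $1 == s { c = $2 } END { print c }'
}

# Stand-alone demonstration on the constructed capture.
sample_capture | count_states
sample_capture | established_by_foreign_port
```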
4.3 Other options
Try these options:
netstat -i
netstat -r
Explain their output.
Investigate at least one other option and explain its output.
Task #5: tcpdump
Note: In all cases, commands in this
section are to be performed as root in a vbx terminal.
TCPDump (http://www.tcpdump.org) is the premier packet sniffer of the
'nix world. An extremely powerful (and potentially complex) tool,
TCPDump can monitor, capture, and decode all packets crossing a given
interface. While not very fun to watch, it is indispensable when it
comes to troubleshooting connections.
TCPDump is generally configured from the command line at run time.
There are many options. Here are examples for you to try:
5.1 Capture all traffic involving host 10.0.2.15
tcpdump host 10.0.2.15
To get some modest activity going for capture, open a second vbx
terminal and ssh into your OS251. Do you see any arp activity?
Explain what the above command does (in detail) and give a summary of
the results in your own words.
5.2 Capture HTTP packets on eth0 (catch some browser activity):
Start your vbx browser and try
tcpdump -i eth0 port 80 and tcp
Access www.debian.org with your browser to create some activity.
Explain what the above command does (in detail) and give a summary of
the results in your own words.
5.3 Again capture packets on eth0, but now decode packets in ASCII with:
tcpdump -Ai eth0 port 22 and host 10.0.2.15 and tcp
Explain what the above command does (in detail) and give a summary of
the results (compare to the prior result) in your own words. Note that
the ability to decode into ASCII, by hand or automatically, makes
anything transferred by plain text dangerous. For example, this is one
of the reasons that telnet
disappeared in favor of ssh.
Passwords were transferred in plain text by telnet.
5.4 Try the same capture, but of traffic to your gateway. With the
following running:
tcpdump -Ai eth0 port 22 and host 10.0.2.2 and tcp
try to get an ssh connection with the gateway. Can you see the ssh
connection attempt?
Note that here we are connecting to a machine that is not our vbx host,
so we can examine other traffic that goes by.
Task #6
Submit your report for this assignment to the instructor by email
per the following specification:
Report Specification
- Submit as an email attachment with this file name format:
  <username_on_host>-lab6.txt
  e.g. jayeward-lab6.txt
- as a single file produced by concatenating any files generated
  from the tasks above, but interject separators as appropriate.
- The file must be plain ASCII (e.g. not a MS Word document, not
  pdf, etc.).
To receive credit, the properly configured email (with
attachment) must be received by 8 AM, Monday, March 8, 2010.