Network/security investigation commands/tools etc.
Hello.
I am Kawa from the System Solutions Department and my collarbone is critical.
Recently it has become mainstream to move everything to the cloud, but every so often I am reminded that technology built for physical networks is still taken for granted, even in cloud environments.
For example, when working out the range of a subnet, when a server does not answer ping, or when you want to check whether a port is open, the parts that a cloud service lets you configure without thinking about them still require network knowledge.
So this time, I would like to introduce some commands and tools that can be used for network investigations.
Operating environment
OS used: Ubuntu 18.04
*The following tools have also been confirmed to work on CentOS 7.9; read "apt" as "yum" when installing there.
Communication confirmation, network test tool “hping3”
apt install hping3
A well-known command-line network investigation/testing tool.
It can send not only ICMP but also TCP/UDP packets with arbitrary flags set, a specified data size and so on, so it can be used for network tests. Of course, misuse is strictly prohibited.
■Command example
▼ Send a single packet without specifying anything (by default hping3 sends a TCP packet with no flags set rather than an ICMP echo, which is why the output says "NO FLAGS are set")
hping3 -c 1 1.1.1.1
HPING 1.1.1.1 (ens33 1.1.1.1): NO FLAGS are set, 40 headers + 0 data bytes

--- 1.1.1.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
▼Send one SYN packet to TCP/443 on the default gateway, with the source port set to TCP/8080 (traceroute mode, verbose)
hping3 --traceroute -V -S -c 1 -p 443 -s 8080 10.0.0.1
using ens33, addr: 10.0.0.10, MTU: 1500
HPING 10.0.0.1 (ens33 10.0.0.10): S set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=10.0.0.2 name=_gateway
hop=1 hoprtt=4.0 ms

--- 10.0.0.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.0/4.0/4.0 ms
You can see that there was a response from port 443.
▼It can also be used as a security check. In the example below, a SYN scan of TCP ports 1-100 is run against 10.0.0.1.
hping3 -S -8 1-100 10.0.0.1
Scanning 10.0.0.1 (10.0.0.1), port 1-100
100 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   22 ssh        : .S..A... 128 13078 64240    46
   80 http       : .S..A... 128 13590 64240    46
All replies received. Done.
Not responding ports: (1 tcpmux) (2 nbp) (3 ) (4 echo) (5 ) (6 zip) (7 echo) (8 ) (9 discard) (10 ) (11 systat) (12 ) (13 daytime) (14 ) (15 netstat) (16 ) (17 qotd) (18 msp) (19 chargen) (20 ftp-data) (21 ftp) (23 telnet) (24 ) (25 smtp) (26 ) (27 ) (28 ) (29 ) (30 ) (31 ) (32 ) (33 ) (34 ) (35 ) (36 ) (37 time) (38 ) (39 rlp) (40 ) (41 ) (42 nameserver) (43 whois) (44 ) (45 ) (46 ) (47 ) (48 ) (49 tacacs) (50 re-mail-ck) (51 ) (52 ) (53 domain) (54 ) (55 ) (56 ) (57 ) (58 ) (59 ) (60 ) (61 ) (62 ) (63 ) (64 ) (65 tacacs-ds) (66 ) (67 bootps) (68 bootpc) (69 tftp) (70 gopher) (71 ) (72 ) (73 ) (74 ) (75 ) (76 ) (77 ) (78 ) (79 finger) (81 ) (82 ) (83 ) (84 ) (85 ) (86 ) (87 link) (88 kerberos) (89 ) (90 ) (91 ) (92 ) (93 ) (94 ) (95 supdup) (96 ) (97 ) (98 linuxconf) (99 ) (100 )
You can see that the ports which responded (SSH, HTTP) answered with SYN-ACK. This lets you check whether unnecessary ports are open, and so on.
A slightly stronger version of traceroute “mtr”
An evolved version of traceroute, used for investigating routes.
apt install mtr
▼Basic form. Unlike normal traceroute, the average/best/worst response time for each hop along the route is also displayed, which is useful for troubleshooting. The send interval can be changed with the "-i" option (default 1 second).
mtr -t 1.1.1.1
hostname (10.0.0.10)
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                      Packets               Pings
 Host                               Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. _gateway                         0.0%    17    0.4   0.5   0.4   1.0   0.1
 ...
10. one.one.one.one                  0.0%    16   14.6  13.8  12.1  16.1   1.2
▼You can also use "-T" to send TCP packets and "-u" to send UDP packets.
mtr -T -t 1.1.1.1
mtr -u -t 1.1.1.1
▼ With the "-r" (report) option, mtr runs non-interactively and prints only the final results.
mtr -r beyondjapan.com
Start: 2022-10-11T14:15:33+0900
HOST: hostname                    Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- _gateway                   0.0%    10    0.5   0.5   0.4   0.6   0.1
  2.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
Here the packets were lost partway along the route (100% loss from the second hop on).
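The report format above is easy to post-process. The following is an added example, not code from the original article: a small shell function that reads an "mtr -r" report and lists every hop whose Loss% is at or above a threshold, so that a lossy hop can be picked out of a long route automatically. The report text is constructed here to mirror the article's output (hop addresses other than the article's own are made up); in real use, pipe the real report in with `mtr -r <host> | mtr_lossy_hops 20`.

```shell
#!/bin/sh
# Added example, not from the original article: flag hops in an "mtr -r"
# report whose Loss% reaches a threshold. The report below is constructed
# to mirror the article's output; the 203.0.113.1 hop is made up.

MTR_SAMPLE='Start: 2022-10-11T14:15:33+0900
HOST: hostname                    Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- _gateway                   0.0%    10    0.5   0.5   0.4   0.6   0.1
  2.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
  3.|-- 203.0.113.1               40.0%    10   12.1  13.0  11.9  15.2   1.1
  4.|-- one.one.one.one            0.0%    10   14.6  13.8  12.1  16.1   1.2'

# mtr_lossy_hops THRESHOLD   (reads an "mtr -r" report on stdin)
# Prints "hop host loss" for every hop whose loss is at or above THRESHOLD
# percent. The loss column may or may not carry a trailing "%" (the article's
# own output shows "100.0" without one), so the sign is stripped if present.
mtr_lossy_hops() {
    awk -v thr="$1" '
        $1 ~ /^[0-9]+\.[|]--$/ {          # hop lines start with "N.|--"
            hop = $1;  sub(/\.[|]--$/, "", hop)
            loss = $3; sub(/%$/, "", loss)
            if (loss + 0 >= thr + 0) print hop, $2, loss
        }'
}

# Stand-alone run over the constructed report. Note that loss at a middle hop
# which later hops do not show (hop 2 here) usually means that router simply
# rate-limits or ignores TTL-expired probes; loss that persists to the final
# hop is the one that matters.
printf '%s\n' "$MTR_SAMPLE" | mtr_lossy_hops 20
```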
A slightly useful ARP command "arp-scan"
apt install arp-scan
The arp command is often used on physical networks to check which hosts are on the same network segment and list them together with their MAC addresses. arp-scan is handy because it also shows the vendor of each MAC address.
arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:15:5d:e1:28:70, IPv4: 192.168.80.77
Starting arp-scan 1.9.7 with 4096 hosts (https://github.com/royhills/arp-scan)
192.168.80.1    00:15:5d:8f:b3:18    Microsoft Corporation
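One practical use of that listing is to compare it against an inventory of the devices that are supposed to be on the segment and report anything else. The following is an added example, not code from the original article: a shell function that takes an inventory of known MAC addresses and reads "arp-scan -l" output on stdin. arp-scan prints one tab-separated "IP, MAC, vendor" line per responding host, which is what the parser keys on. The inventory and the scan output are constructed here (the second host's MAC is made up); in real use run `arp-scan -l | arp_unknown_hosts "$(cat inventory.tsv)"`.

```shell
#!/bin/sh
# Added example, not from the original article: report hosts seen by
# "arp-scan -l" whose MAC address is not in a known-device inventory.
# Both inputs are constructed; aa:bb:cc:dd:ee:01 is a made-up MAC.

# Inventory: one "MAC<TAB>description" per line.
ARP_INVENTORY=$(printf '00:15:5d:8f:b3:18\trouter\n00:15:5d:e1:28:70\tthis host\n')

# arp-scan output in its real layout: header lines, then "IP<TAB>MAC<TAB>vendor"
# per host, then summary lines that the parser must ignore.
ARP_SAMPLE=$({
    printf 'Interface: eth0, type: EN10MB, MAC: 00:15:5d:e1:28:70, IPv4: 192.168.80.77\n'
    printf 'Starting arp-scan 1.9.7 with 4096 hosts (https://github.com/royhills/arp-scan)\n'
    printf '192.168.80.1\t00:15:5d:8f:b3:18\tMicrosoft Corporation\n'
    printf '192.168.80.23\taa:bb:cc:dd:ee:01\t(Unknown)\n'
    printf '\n2 packets received by filter, 0 packets dropped by kernel\n'
})

# arp_unknown_hosts INVENTORY_TEXT   (reads arp-scan output on stdin)
# Prints "IP MAC vendor" for each responding host whose MAC is not in the
# inventory. MACs are compared case-insensitively.
arp_unknown_hosts() {
    awk -F'\t' -v inv="$1" '
        BEGIN {
            n = split(inv, rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, "\t")
                if (f[1] != "") known[tolower(f[1])] = 1
            }
        }
        # host rows only: dotted IPv4 address, then a colon-separated MAC
        NF >= 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^[0-9a-fA-F:]+$/ {
            if (!(tolower($2) in known)) print $1, $2, $3
        }'
}

# Stand-alone run over the constructed scan: prints the one unknown host.
printf '%s\n' "$ARP_SAMPLE" | arp_unknown_hosts "$ARP_INVENTORY"
```

Keying the inventory on MAC rather than IP is deliberate: a DHCP client keeps its MAC across leases, so the check survives address changes, while a device that changes its MAC shows up as new, which is exactly what you want to notice.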
Network/security tool "nmap"
nmap is mainly used for port scanning, and it can be used to find unnecessary open ports. Open ports are not much of a problem on internal hosts, but on a server exposed to the outside they can become a security hole, so checking with a tool like this helps improve security (of course, misuse is strictly prohibited).
apt install nmap
▼Check whether TCP/80 is open
nmap -p 80 10.0.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2022-10-11 14:32 JST
Nmap scan report for 10.0.0.1
Host is up (0.00042s latency).

PORT   STATE    SERVICE
80/tcp filtered http
...
Since the STATE is "filtered" rather than "open", TCP/80 is not reachable from here; nmap reports "filtered" when a firewall or other filter blocks its probes so that it cannot tell whether the port is open or closed.
By specifying a range with a hyphen in the port number part, you can check multiple ports at once. Since stealth scanning is performed, use against third-party resources is strictly prohibited.
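Both the hping3 SYN scan earlier and the nmap check here produce a list of answering ports, and the question a defender actually wants answered is "is anything listening that should not be?". The following is an added example, not code from the original article: a shell function that reads either hping3 "-8" scan output or nmap normal output on stdin, extracts the ports that answered (SYN-ACK rows for hping3, "open" rows for nmap), and reports those that are not on an allowlist. The scan outputs and the allowlist are constructed here in the article's output formats; in real use pipe the scanner's output in, e.g. `nmap -p 1-1024 <host> | unexpected_ports "22 443"`.

```shell
#!/bin/sh
# Added example, not from the original article: audit hping3 or nmap scan
# output against an allowlist of ports that are meant to be reachable.
# Sample outputs and the allowlist are constructed.

ALLOWED_PORTS="22 443"

# hping3 -S -8 1-100 output: a table row per replying port, flags column with
# S and A set for SYN-ACK.
HPING_SAMPLE='Scanning 10.0.0.1 (10.0.0.1), port 1-100
100 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   22 ssh        : .S..A... 128 13078 64240    46
   80 http       : .S..A... 128 13590 64240    46
All replies received. Done.
Not responding ports: (1 tcpmux) (2 nbp) (3 ) (4 echo)'

# nmap normal output: "<port>/tcp <state> <service>" rows.
NMAP_SAMPLE='Nmap scan report for 10.0.0.1
Host is up (0.00042s latency).

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp filtered http-proxy'

# responding_ports   (reads scan output on stdin)
# Prints one port number per line for every port that answered:
#   nmap rows   "<port>/tcp open ..."  -> state must be exactly "open"
#   hping3 rows "<port> [name] : <flags> ..." -> flags must contain S and A
# The service-name column in hping3 output can be empty, so the flags field is
# located by finding the ":" separator rather than by a fixed column.
responding_ports() {
    awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); print p[1]; next }
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i < NF; i++)
                if ($i == ":") { if ($(i+1) ~ /S/ && $(i+1) ~ /A/) print $1; break }
        }'
}

# unexpected_ports ALLOWLIST   (reads scan output on stdin)
# Prints the responding ports that are not in the space-separated ALLOWLIST.
unexpected_ports() {
    allow=" $1 "
    responding_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;                 # expected to be open
            *) printf '%s\n' "$port" ;;     # not on the allowlist
        esac
    done
}

# Stand-alone run: both scans show TCP/80 answering although only 22 and 443
# are on the allowlist.
printf '%s\n' "$HPING_SAMPLE" | unexpected_ports "$ALLOWED_PORTS"
printf '%s\n' "$NMAP_SAMPLE" | unexpected_ports "$ALLOWED_PORTS"
```

A port reported as "filtered" (8080 in the nmap sample) is deliberately not treated as answering: it tells you a filter is in the way, not that a service is listening, so it belongs in a separate "check the firewall rules" pile rather than in the unexpected-open list.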
Packet capture tool "tcpdump", a must-have for network engineers
A standard packet capture tool.
If you load the output file into Wireshark, you can view the captured packets in a GUI. Since the contents of unencrypted packets are visible, use it only in local environments.
apt install tcpdump
▼Basically, specify and capture a specific interface or host. This time, specify the interface "ens33" and output to the file "captured.pcap".
tcpdump -i ens33 -w captured.pcap
After stopping the capture, you can check the contents with the "-r" option:
tcpdump -r captured.pcap
14:46:33.494124 ARP, Request who-has ... tell 10.0.0.1
... > 239.255.255.250.1900: UDP, length 175
14:46:34.588083 IP 10.0.0.1.54475 > 239.255.255.250.1900: UDP, length 175
If you copy the file off the host and open it in Wireshark, the packets are colour-coded and much easier to read, and sorting is easy too (I would like to write an article about Wireshark someday).
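Before a capture goes into Wireshark, a quick text-level summary often answers the first question ("who is talking to whom, and how much?"). The following is an added example, not code from the original article: a shell function that reads the text output of `tcpdump -r captured.pcap` on stdin and prints packet counts per unidirectional IP flow, busiest first. The capture lines are constructed in tcpdump's `-n` output format (IPv4 addresses with the port appended as a fifth dotted component; 203.0.113.5 is documentation address space standing in for an external server); in real use run `tcpdump -nr captured.pcap | flow_summary`, where `-n` keeps tcpdump from resolving names so the parser sees raw addresses.

```shell
#!/bin/sh
# Added example, not from the original article: per-flow packet counts from
# "tcpdump -nr <file>" text output. The capture lines are constructed.

TCPDUMP_SAMPLE='14:46:33.494124 ARP, Request who-has 10.0.0.1 tell 10.0.0.10, length 28
14:46:34.588083 IP 10.0.0.1.54475 > 239.255.255.250.1900: UDP, length 175
14:46:35.102334 IP 10.0.0.1.54475 > 239.255.255.250.1900: UDP, length 175
14:46:35.900122 IP 10.0.0.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
14:46:35.900800 IP 203.0.113.5.443 > 10.0.0.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
14:46:36.000000 IP 10.0.0.1.54475 > 239.255.255.250.1900: UDP, length 175'

# flow_summary   (reads tcpdump text output on stdin)
# Prints "count proto src dst" for each unidirectional IP flow, busiest first.
# Non-IP lines (ARP etc.) are skipped. tcpdump writes TCP packets as
# "Flags [..]" and other protocols by name ("UDP,", "ICMP"), so the word
# "Flags" is mapped to TCP and a trailing comma is stripped from the rest.
flow_summary() {
    awk '
        $2 == "IP" && $4 == ">" {
            dst = $5;   sub(/:$/, "", dst)
            proto = $6; sub(/,$/, "", proto)
            if (proto == "Flags") proto = "TCP"
            count[proto " " $3 " " dst]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run: the SSDP multicast chatter to 239.255.255.250:1900 tops the list.
printf '%s\n' "$TCPDUMP_SAMPLE" | flow_summary
```

On a capture from a quiet segment the top of this list is usually broadcast and multicast background noise like the SSDP traffic in the article's own output; anything unfamiliar near the top is where to start in Wireshark.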
Summary
This is an introduction to network/security related tools.
At Beyond we mainly work with cloud environments, so I don't get that much hands-on time with these, but there are areas that cannot be moved to the cloud, or are hard to move completely, such as internal networks, remote-work environments, guest Wi-Fi for visiting customers, and internal security. The tools introduced here are also genuinely useful for troubleshooting cloud environments, so I think it makes for a refreshing change of pace to learn them by using them :)