2. Networking and scripting
- ifconfig vs ip a
┌──(kali㉿kali)-[~] └─$ ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.246.131 netmask 255.255.255.0 broadcast 192.168.246.255 inet6 fe80::20c:29ff:fef5:a0ed prefixlen 64 scopeid 0x20<link> ether 00:0c:29:f5:a0:ed txqueuelen 1000 (Ethernet) RX packets 3631 bytes 4431820 (4.2 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 1174 bytes 132518 (129.4 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 90 bytes 32957 (32.1 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 90 bytes 32957 (32.1 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ┌──(kali㉿kali)-[~] └─$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:f5:a0:ed brd ff:ff:ff:ff:ff:ff inet 192.168.246.131/24 brd 192.168.246.255 scope global dynamic noprefixroute eth0 valid_lft 1181sec preferred_lft 1181sec inet6 fe80::20c:29ff:fef5:a0ed/64 scope link noprefixroute valid_lft forever preferred_lft forever - eth0
- inet = IPv4 address
- netmask
- inet6 = IPv6 addreess
- ether = MAC address
- IPv4 is in decimal notation
- IPv6 is in hexadecimal notation
- IP addresses communicate over layer 3 over a router
- 128 64 32 16 8 4 2 1
- 1 1 1 1 1 1 1 1
- MAC addresses communicate over layer 2 over switches
- first 3 items are the manufacturer
OSI Layers¶
- Layer 3 - Network layer
- IP addresses communicate over Layer 3
- Router
- Layer 2 - Data link Layer
- MAC addresses communicate over Layer 2
- Switches
- Layer 4 - Transport Layer
- TCP - Transmission Control Protocol
- Conmection orieneted
- High reliability
- need to make a connection
- website, http, https
- ssh, ftp
- most commonly scanned protocol
- 3 way handshake
- SYN > SYN ACK > ACK
- UDP - User Datagram Protocol
- Connectionless
- steaming service
- DNS, VOIP
- TCP - Transmission Control Protocol
Common Ports and protocols¶
- **TCP **
- FTP 21
- File Transfer Protocol - placing and retrieving files on a machine
- SSH 22, Telnet 23
- both do similar things when connecting
- SSH encrypts traffic
- Telnet sends data in clear text
- SMTP 25
- DNS 53
- Domain naming service
- translates IP addresses to Name
- HTTP 80 , HTTPS 44
- HTTP sends in clear text
- HTTPS does not
- POP3 110
- SMB 139 + 445
- one of the most common port on a pentest
- IMAP 143
- RDP 3389
- Remote Desktop Protocol
- FTP 21
- UDP
- *DNS 53
-
- Domain naming service*
- translates IP addresses to Name
- DHCP 67, 68
- way to assign IP addresses to devices
- TFTP 69
- Trivial File Transfer protocol
- Uses UDP instead of TCP
- SNMP 161
- Simple Network Management Protocol
- Provides information disclosure
OSI model¶
All People Seem To Need Data Processing - 7 Application - HTTP, SMTP - Grill - 6 Presentation - WMV, JPEG, MOV - Hood - 5 Session - Session Management - Dashboard - 4 Transport - TCP / UDP - Seats - 3 Network - Routing, IP Addresses - Roof - 2 Data Link - Switching, MAC Addresses - Truck - 1 Physical- data cables, cat6 - Tires
ping - machine that I'm talking to, Are you there?
┌──(kali㉿kali)-[~]
└─$ ping 192.168.246.131
PING 192.168.246.131 (192.168.246.131) 56(84) bytes of data.
64 bytes from 192.168.246.131: icmp_seq=1 ttl=64 time=0.015 ms
64 bytes from 192.168.246.131: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 192.168.246.131: icmp_seq=3 ttl=64 time=0.024 ms
64 bytes from 192.168.246.131: icmp_seq=4 ttl=64 time=0.023 ms
^C
--- 192.168.246.131 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3057ms
rtt min/avg/max/mdev = 0.015/0.025/0.041/0.009 ms
arp and ip n - ties the ip and MAC addresses together
┌──(kali㉿kali)-[~]
└─$ arp -a
? (192.168.246.2) at 00:50:56:ed:e4:07 [ether] on eth0
? (192.168.246.254) at 00:50:56:e5:ab:47 [ether] on eth0
┌──(kali㉿kali)-[~]
└─$ ip n
192.168.246.2 dev eth0 lladdr 00:50:56:ed:e4:07 STALE
192.168.246.254 dev eth0 lladdr 00:50:56:e5:ab:47 STALE
netstat -shows open and active connections to your computer
route or ip r - shows the IP routing table
┌──(kali㉿kali)-[~]
└─$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.246.2 0.0.0.0 UG 100 0 0 eth0
192.168.246.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
┌──(kali㉿kali)-[~]
└─$ ip r
default via 192.168.246.2 dev eth0 proto dhcp metric 100
192.168.246.0/24 dev eth0 proto kernel scope link src 192.168.246.131 metric 100
- ping data info
-if 64 bytes returned we know that ip is alive
┌──(kali㉿kali)-[~] └─$ ping 192.168.0.27 130 ⨯ PING 192.168.0.27 (192.168.0.27) 56(84) bytes of data. 64 bytes from 192.168.0.27: icmp_seq=1 ttl=128 time=0.765 ms 64 bytes from 192.168.0.27: icmp_seq=2 ttl=128 time=1.80 ms 6 --- 192.168.0.27 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 7074ms rtt min/avg/max/mdev = 0.675/1.236/1.817/0.501 ms┌──(kali㉿kali)-[~] └─$ ping 192.168.0.27 -c 1 > ip.txt ┌──(kali㉿kali)-[~] └─$ cat ip.txt PING 192.168.0.27 (192.168.0.27) 56(84) bytes of data. 64 bytes from 192.168.0.27: icmp_seq=1 ttl=128 time=0.639 ms --- 192.168.0.27 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.639/0.639/0.639/0.000 ms ┌──(kali㉿kali)-[~] └─$ cat ip.txt | grep "64 bytes" 64 bytes from 192.168.0.27: icmp_seq=1 ttl=128 time=0.639 ms - we can send our ping to a text file with >
- then grep 64 bytes to pull out the ping string with 64 bytes with grep "64 bytes"
- then we can pull out just the IP address withcut at -delimter space, 4th field with cut -d " " -f 4
-
then we can pull just the IP address and lose the : with translate -delete ":" with tr -d ":"
-
Creating a script to scan for live IPs within the range of the last octet of the ip
-
mousepad ipsweep.sh
#!/bin/bash for ip in `seq 1 254`; do ping -c 1 192.168.0.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" done -
more robust version instead of hard coding the first 3 octets of the ip
#!/bin/bash for ip in `seq 1 254`; do ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" done #./ipsweep.sh 192.168.0-add conditional statement to prevent breakage from no ip input at CLI┌──(kali㉿kali)-[~] └─$ ./ipsweep.sh 192.168.0 192.168.0.1 192.168.0.3 192.168.0.5 192.168.0.6 192.168.0.8#!/bin/bash if [ "$1" == "" ] then echo "You forgot an IP address" echo "Syntax: ./ipsweep.sh ?.?.?" else for ip in `seq 1 254`; do ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" done fi
-using script in a one-liner nmap scan of multiple IPs - what nmap looks like for one scan
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.0.27
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 06:35 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
for ip in $(cat ips.txt); do nmap $ip; done
┌──(kali㉿kali)-[~]
└─$ for ip in $(cat ips.txt); do nmap $ip; done
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 06:39 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 06:39 EDT
Nmap scan report for 192.168.0.3
Host is up (0.0068s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 23.42 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 06:40 EDT