Networking

Network Connection

Status

netstat

# -t: tcp, -u: udp, -l: listen, -p: programs, -n: don't resolve names
netstat -lnptu
# -r: route
netstat -rn

Connectivity of Hosts

ping <target-ip>

# Stop after 5 times
ping -c 5 <target-ip>

# No DNS resolution
ping -n 3 <target-ip>

Trace Route Path Between Two Nodes

traceroute <target-ip>

Investigate Packets/Traffic

• ICMP

  Check the status of network connections between nodes.

  1. Start Tcpdump

     To start analyzing, start tcpdump. Here we use eth0 interface.

     sudo tcpdump -i eth0 icmp
     
     # For Wireshark
     sudo tcpdump -i eth0 icmp -w /tmp/tcpdump.pcap

  2. Send Packets to Target

     For example, send 5 packets to target.

     sudo ping -c 5 <target-ip>

  3. Check Results of Tcpdump

     To check the details, use Wireshark.

     wireshark /tmp/tcpdump.pcap

DNS Resolver

Check the condition of the name resolution

ping example.com

If you cannot ping the target website, the DNS resolver is not working. To change the DNS resolver, update the original nameserver to the new one in /etc/resolv.conf. For example:

...
# nameserver x.x.x.x
nameserver 8.8.8.8
...

Below are some representative DNS servers.

• Google - 8.8.8.8 & 8.8.4.4

• Quad9 - 9.9.9.9 & 149.112.112.112

• OpenDNS - 208.67.222.222 & 208.67.220.220

• Cloudflare - 1.1.1.1 & 1.0.0.1

After updating /etc/resolv.conf, restart the name resolution service.

sudo systemctl restart systemd-resolved.service

Send Packet with MAC/IP Spoofing

1. IP Spoofing

   sudo ./run_scapy
   
   >>> spoof_example = IP(src='172.1.1.20', dst='172.1.1.40')
   >>> send(spoof_example)

2. MAC and IP Spoofing

   sudo ./run_scapy
   
   >>> spoofed_MAC_and_IP = Ether(src='00:0c:29:1a:2b:3c', dst='00:0c:29:bd:da:cf', type=0x0800)/IP(src='172.1.1.24', dst='172.1.1.40')