1
00:00:00,000 --> 00:00:12,120
On Linux, you will find different useful utilities that allow you to analyze networking, including

2
00:00:12,120 --> 00:00:19,840
tcpdump and nmap, which are amazing to analyze network traffic as well as open ports.

3
00:00:19,840 --> 00:00:22,240
So let's talk about tcpdump.

4
00:00:22,240 --> 00:00:25,920
tcpdump is dumping network traffic.

5
00:00:25,920 --> 00:00:29,080
And here on the slide, you can see a couple of examples.

6
00:00:29,080 --> 00:00:31,520
Let me demonstrate.

7
00:00:31,520 --> 00:00:37,799
So if you just use tcpdump, then it's going to listen on all network interfaces.

8
00:00:37,799 --> 00:00:40,759
And as you can see, it's quite busy.

9
00:00:40,759 --> 00:00:45,840
And it's showing what is coming in and what type of traffic was detected.

10
00:00:45,840 --> 00:00:52,360
Like here, an ARP request. ARP requests play a very fundamental role in TCP/IP

11
00:00:52,360 --> 00:00:53,360
communication.

12
00:00:53,360 --> 00:00:54,360
Look at that.

13
00:00:54,360 --> 00:01:00,320
This is a Canon scanner, apparently scanner and printer, we can even see the model name

14
00:01:00,320 --> 00:01:01,320
of it.

15
00:01:01,320 --> 00:01:04,279
Here we can see some DNS traffic.

16
00:01:04,279 --> 00:01:08,160
So it's requesting a pointer, and no such domain.

17
00:01:08,160 --> 00:01:10,360
And that can be quite useful.

18
00:01:10,360 --> 00:01:17,360
Now if you want to do tcpdump efficiently, you might want to add the name of the interface.

19
00:01:17,360 --> 00:01:28,599
So tcpdump -i ens160 is only going to dump what was found on interface ens160.

20
00:01:28,599 --> 00:01:35,080
That can be convenient, particularly if you have multiple network interfaces.

21
00:01:35,080 --> 00:01:41,320
Adding the option -A to show packets in ASCII format makes it a little bit more readable.

22
00:01:41,320 --> 00:01:47,879
Well, that is assuming that the packet is in a readable format.

23
00:01:47,879 --> 00:02:01,720
You can also use tcpdump -w, let's call it dump.pcap, well, /tmp/dump.pcap.

24
00:02:01,720 --> 00:02:04,639
And that is creating a packet capture file.

25
00:02:04,639 --> 00:02:10,000
And this packet capture file is convenient, because it allows you to later analyze what

26
00:02:10,000 --> 00:02:11,919
is going on.

27
00:02:11,919 --> 00:02:17,919
That's probably a little bit nicer if I am going to generate some traffic.

28
00:02:17,919 --> 00:02:21,839
So ping nu.nl.

29
00:02:21,839 --> 00:02:22,839
And what else?

30
00:02:22,839 --> 00:02:24,240
Well, that should be enough.

31
00:02:24,240 --> 00:02:30,880
Just a ping request from a network perspective should be interesting.

32
00:02:30,880 --> 00:02:36,320
Now if you are interested in what is going on on a specific port, you can also add more

33
00:02:36,320 --> 00:02:37,320
filtering.

34
00:02:37,320 --> 00:02:44,679
So tcpdump port 22 for SSH traffic only.

35
00:02:44,679 --> 00:02:46,160
So here we go.

36
00:02:46,160 --> 00:02:55,279
I'm opening a new window, and I'm going to use SSH to 192.168.29.142.

37
00:02:55,279 --> 00:02:56,720
And oh, look at that.

38
00:02:56,720 --> 00:03:00,279
SSH traffic is dumped right here.

39
00:03:00,279 --> 00:03:06,600
And if you want to filter a little bit more, you can add a source.

40
00:03:06,880 --> 00:03:15,880
Because on many occasions, the result of utilities like tcpdump tends to be overwhelming.

41
00:03:15,880 --> 00:03:20,520
Okay, I have used tcpdump to dump some packets.

42
00:03:20,520 --> 00:03:24,199
Now I am going to check if we have Wireshark.

43
00:03:24,199 --> 00:03:30,119
So dnf search Wireshark, yeah, we do.

44
00:03:30,119 --> 00:03:36,759
So I'm going to use dnf install on Wireshark.

45
00:03:36,759 --> 00:03:37,759
And that is good enough.

46
00:03:37,759 --> 00:03:38,759
I don't need the CLI.

47
00:03:38,759 --> 00:03:46,520
CLI is command line, and the nice thing about Wireshark is that it is a graphical utility.

48
00:03:46,520 --> 00:03:51,160
It allows you to perfectly visualize what is going on.

49
00:03:51,160 --> 00:03:58,520
Now in order to do this, I need chmod 644 on /tmp/dump.pcap.

50
00:03:58,520 --> 00:04:00,919
That's a packet capture file.

51
00:04:00,919 --> 00:04:06,679
Because these are files that you can analyze in an amazing way using Wireshark.

52
00:04:06,679 --> 00:04:08,679
So here is Wireshark.

53
00:04:08,679 --> 00:04:13,960
And in Wireshark, you can do a live packet capture.

54
00:04:13,960 --> 00:04:20,519
So in the live packet capture, you can filter what exactly you want to do.

55
00:04:20,519 --> 00:04:23,260
And then you start capturing packets.

56
00:04:23,260 --> 00:04:26,279
So you can identify what you want to do.

57
00:04:26,600 --> 00:04:30,600
I don't want to do a Cisco remote packet capture.

58
00:04:30,600 --> 00:04:34,920
I want to show you what is in this file that we created.

59
00:04:35,640 --> 00:04:39,000
So I need to navigate to the tmp directory.

60
00:04:39,720 --> 00:04:44,600
And in the tmp directory, there is the dump.pcap.

61
00:04:45,239 --> 00:04:48,359
pcap is the standard format for a packet capture.

62
00:04:48,359 --> 00:04:50,519
And here you can see what it looks like.

63
00:04:51,160 --> 00:04:53,239
Now this is a little bit boring.

64
00:04:53,239 --> 00:04:58,679
But we have the information about the ping request.

65
00:04:59,239 --> 00:05:01,720
So it starts with the DNS request.

66
00:05:01,720 --> 00:05:04,200
And in the DNS request, open it.

67
00:05:04,200 --> 00:05:09,640
And you can analyze exactly what is going on in your packet information.

68
00:05:10,200 --> 00:05:13,799
And that's a quick introduction to tcpdump as well as Wireshark.

69
00:05:13,799 --> 00:05:16,679
These are really very amazing utilities.

70
00:05:17,399 --> 00:05:21,480
Let's get back to the slides because I want to tell you about something else.

71
00:05:21,480 --> 00:05:22,760
It's called Nmap.

72
00:05:23,480 --> 00:05:26,040
So Nmap is a very powerful utility.

73
00:05:26,040 --> 00:05:27,959
Some consider it a hacking utility.

74
00:05:27,959 --> 00:05:34,760
And for that reason, you should never ever use Nmap without authorization by the target host owner.

75
00:05:35,720 --> 00:05:40,119
If you do, you risk getting blocked from the network where you are using it.

76
00:05:40,920 --> 00:05:45,799
Now the nice thing about Nmap is that you can use it for analyzing networks and ports.

77
00:05:45,799 --> 00:05:48,839
It will show you ports that are open on remote hosts.

78
00:05:49,720 --> 00:05:55,559
And it will do that in different ways, allowing you to get beyond the firewall.

79
00:05:55,559 --> 00:05:59,880
Because how are you going to sniff for ports on a host that has a firewall running?

80
00:05:59,880 --> 00:06:02,040
Well, Nmap can help you with that.

81
00:06:02,040 --> 00:06:07,000
I'm going to show you a couple of examples about this fantastic utility.

82
00:06:07,959 --> 00:06:09,640
To start with, I need to install it.

83
00:06:09,640 --> 00:06:13,720
So dnf install -y nmap.

84
00:06:14,600 --> 00:06:19,320
And then I'm going to use it on, let me use IP addresses.

85
00:06:19,320 --> 00:06:24,760
Be very, very careful using Nmap on the internet, or better, don't do it at all.

86
00:06:24,760 --> 00:06:29,480
So I'm going to use it on 192.168.29.142.

87
00:06:29,480 --> 00:06:32,920
I know that that's an IP address that is open on my system.

88
00:06:32,920 --> 00:06:38,359
And now there we can see that this is only using SSH.

89
00:06:38,359 --> 00:06:40,200
You see that port SSH?

90
00:06:41,160 --> 00:06:45,880
It has detected that it's a VMware brand network card.

91
00:06:45,880 --> 00:06:51,000
Now, if I use -O, -O is for operating system detection.

92
00:06:51,000 --> 00:06:53,880
And that should tell me which operating system it has found.

93
00:06:54,519 --> 00:07:01,239
And as you can see, it has found Linux kernel 4.x, 5.x.

94
00:07:01,239 --> 00:07:05,239
So this is the kernel range that it has detected.

95
00:07:05,799 --> 00:07:11,640
Based on the specifics in the protocol headers that Nmap encounters,

96
00:07:11,640 --> 00:07:15,480
it can tell you pretty precisely what it has found.

97
00:07:15,480 --> 00:07:20,519
What I also like is nmap -sn.

98
00:07:20,519 --> 00:07:22,040
That's for scan network.

99
00:07:22,040 --> 00:07:24,760
And I'm going to scan it on my local network.

100
00:07:24,760 --> 00:07:31,399
It's an easy way to figure out if there are any IP addresses available that I wasn't aware of.

101
00:07:31,399 --> 00:07:35,399
So as you can see, it all starts with the IP address.

102
00:07:35,399 --> 00:07:37,559
And there we can see some more information.

103
00:07:38,279 --> 00:07:43,399
So we have this 146, for instance, or 124.

104
00:07:43,399 --> 00:07:46,040
I have no idea what 124 is.

105
00:07:46,040 --> 00:07:53,720
So I'm going to use nmap -sA on 192.168.29.124.

106
00:07:54,359 --> 00:08:00,519
The -sA is checking if a firewall is available.

107
00:08:01,480 --> 00:08:06,359
Maybe I should do it on 142 because the result is a little bit disappointing.

108
00:08:06,359 --> 00:08:08,920
And we don't see anything cool right here.

109
00:08:09,480 --> 00:08:12,600
Okay, let's do an nmap -sV.

110
00:08:13,799 --> 00:08:17,239
Because if you have services that are running,

111
00:08:18,200 --> 00:08:22,519
you might be interested in finding the version of the service.

112
00:08:22,519 --> 00:08:24,920
So here we can see the version of the service.

113
00:08:24,920 --> 00:08:26,440
Why is that interesting?

114
00:08:26,440 --> 00:08:29,079
Well, some versions have vulnerabilities.

115
00:08:29,079 --> 00:08:31,239
And this allows you to figure it out.

116
00:08:32,119 --> 00:08:41,320
Now, nmap -p 80,443,22 on a specific host.

117
00:08:42,119 --> 00:08:46,599
And I'm including 22 because I know for sure that that one is listening.

118
00:08:46,599 --> 00:08:49,159
It's just scanning on these specific ports.

119
00:08:49,159 --> 00:08:51,880
I made a typo, by the way, in port 442.

120
00:08:51,880 --> 00:08:53,320
That doesn't really matter.

121
00:08:53,320 --> 00:08:56,599
What matters is that it allows you to scan on specific ports.

122
00:08:57,159 --> 00:08:59,479
Now, if ever you encounter a machine,

123
00:08:59,479 --> 00:09:02,359
and you think, hey, some heavy firewalling is going on,

124
00:09:03,000 --> 00:09:05,559
you might be in for a stealth scan.

125
00:09:05,559 --> 00:09:10,039
So the stealth scan is going to listen to your servers

126
00:09:10,039 --> 00:09:14,200
and is trying to detect what exactly is going on.

127
00:09:14,200 --> 00:09:16,440
And oh boy, even with the stealth scan,

128
00:09:16,440 --> 00:09:21,239
it's done pretty fast on this 192.168.29.2,

129
00:09:21,239 --> 00:09:22,440
which is my router,

130
00:09:22,440 --> 00:09:26,840
which apparently has no further ports that are active.

131
00:09:27,960 --> 00:09:30,919
Be prepared for a long wait in some cases

132
00:09:30,919 --> 00:09:32,919
where you are using a stealth scan.

