enlaces:utilidades_de_red

Differences

Shows the differences between two versions of the page.

enlaces:utilidades_de_red [2012/08/07 14:38] – [Force ethernet mode] cayu
enlaces:utilidades_de_red [2019/01/22 15:34] (current) – [NMap output parser and formatter] cayu
Línea 348: Línea 348:
  
 http://es.wikipedia.org/wiki/Tipos_de_Sniffer http://es.wikipedia.org/wiki/Tipos_de_Sniffer
- 
-==== Network Grep - ngrep ==== 
- 
-Muestra y busca paquetes. Ngrep se esfuerza por proveer de la mayoría de características comunes del "grep" de GNU, aplicándolas a la capa de network ({"network layer"} del modelo de referencia OSI). ngrep es consciente de la presencia de pcap y permite usar expresiones regulares que concuerden con el "payload" ( o sea la carga, el cuerpo, y _no_ los encabezados) de los paquetes. Actualmente reconoce TCP, UDP, e ICMP sobre Ethernet, PPP, SLIP e interfaces nulas {"null interfaces"}, y comprende la lógica de un filtro "bpf" de la misma manera que herramientas más comunes de sniffing como tcpdump y snoop. 
- 
- 
-Usage examples: 
- 
-<code> 
-ngrep '' udp (print all UDP packets) 
- 
-ngrep '' icmp (print all ICMP packets) 
- 
-ngrep '' port 53 (print TCP or UDP port 53 packets) 
- 
-ngrep '' tcp port 23 (print TCP port 23 packets) 
- 
-ngrep 'LILWORD' port 138 (print Microsoft browsing traffic for NT domain LILWORLD) 
- 
-ngrep -iq 'rcpt to|mail from' tcp port 25 (monitor current delivery and print sender and recipients) 
- 
-ngrep 'user' port 110 (monitor POP3) 
- 
-ngrep -q 'abcd' icmp (Microsoft operating systems fill the ICMP payload with the alphabet; is the "pinging" host running a  
-Microsoft operating system?) 
- 
-ngrep -iq 'user-agent' tcp port 80 (determine client application that client host is running) 
- 
-ngrep '220' port 21 (determine version of FTP server) 
- 
-ngrep 'SSH' port 22 (investigate Secure Shell) 
- 
-ngrep -v '' port 23 (see all traffic but telnet) 
- 
-ngrep -d le0 '' (listen to le0) 
-</code> 
- 
- 
-Useful flags: 
- 
-<code> 
--A n (prints out "n" packets after the match) 
- 
--l (pipe the output of ngrep to another program for more processing) 
- 
--v (print all lines not matching the expression) 
- 
--d (specify the device you want to monitor) 
-</code> 
- 
- 
-http://ngrep.sourceforge.net/ 
- 
- 
-Un posteo interesante en un blog : http://seguridadyredes.nireblog.com/post/2010/02/24/esas-pequenas-utilidades-ngrep 
- 
  
  
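Review bot: the ngrep section removed at line 348 takes its two reference links with it and leaves no pointer; if the notes were moved rather than dropped, a one-line link here would keep the ngrep entry findable. If the usage block is ever restored, do not carry it over unchanged: `ngrep 'LILWORD' port 138` does not match the `LILWORLD` domain its own comment names, and the flag note describes `-l` as piping output to another program, whereas in ngrep `-l` only makes stdout line-buffered (which is what you want when piping to another program, but is not the pipe itself).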
Línea 469: Línea 413:
  
  
-==== Netcat ==== 
  
- Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. 
-It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. 
- 
-It provides access to the following main features: 
- 
-    * Outbound and inbound connections, TCP or UDP, to or from any ports. 
-    * Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel. 
-    * Built-in port-scanning capabilities, with randomizer. 
-    * Advanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of trasmitted and received data. 
-    * Optional RFC854 telnet codes parser and responder.  
- 
- 
-The GNU Netcat is distributed freely under the GNU General Public License (GPL).  
- 
-<code bash> 
-echo  -e "GET / HTTP/1.0\r\n" | nc 192.168.1.1 80 
-</code> 
- 
-Para pasar un archivo de un equipo a otros podemos ejecutar 
- 
-Desde el servidor 
-<code> 
-cat backup.iso | nc -l 3333 
-</code> 
-Desde el cliente 
-<code> 
-nc 192.168.0.1 3333 > backup.iso 
-</code> 
-Si queremos poner un contador 
-<code> 
-nc 192.168.0.1 3333 | pv -b > backup.iso 
-</code> 
- 
-Otro ejemplo 
- 
-Desde el servidor 
-<code> 
-dd if=/dev/hdb5 | gzip -9 | nc -l 3333 
-</code> 
-Desde el cliente 
-<code> 
-nc 192.168.0.1 3333 | pv -b > myhdb5partition.img.gz 
-</code> 
- 
-Referencias : 
- 
-http://netcat.sourceforge.net/ 
- 
- 
-Tutorial con ejemplos prácticos : http://crysol.org/node/28 
- 
-Mas ejemplos : http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples/ 
- 
-==== MSN Dump ==== 
- 
-Sniffea eh interpreta lo que va por el puerto 1863 :p 
- 
-<code perl> 
-#!/usr/bin/perl -w 
-# quick dirty msn sniffer 
-# http://miscname.com/ 
-# $Id: msndump.pl,v 1.3 2004/11/17 10:00:33 meh Exp $ 
- 
-#To capture live traffic from device eth0 run: 
-#msndump.pl -i eth0 
- 
-#To capture from tcpdump traffic.pcap file run: 
-#msndump.pl -r traffic.pcap 
- 
-# you need Net::Pcap and Net::Packet 
-# use cpan or get manually 
-# http://search.cpan.org/CPAN/authors/id/A/AT/ATRAK/NetPacket-0.04.tar.gz 
-# http://search.cpan.org/CPAN/authors/id/K/KC/KCARNUT/Net-Pcap-0.05.tar.gz 
- 
-my $lowuid='1001'; 
-my $lowgid='1001'; 
- 
-my $filter = 'tcp and port 1863'; 
- 
-# no modify below 
-use Getopt::Std; 
-use Net::Pcap; 
-use NetPacket::IP; 
-use NetPacket::Ethernet qw (:strip); 
-use Fcntl; 
-$|=1; 
-my $flags |= O_NONBLOCK; 
- 
-my %opts; 
-getopt("wicr",\%opts); 
-if ( (!($opts{i})) && (!($opts{r})) ) { 
-print "[ msndump - miscname.com ]\n Usage:\n\t-i rl0 || -r file.pcap\n\t-c X - capture X packets\n\t-w freshIMz.txt\n\n"; 
-exit; 
-} 
- 
-if ((!$opts{r}) && ($> != '0')) { 
-die ("you need uid 0\n"); 
-} 
- 
-# main loop 
-my $exitvar = '0'; 
-while ($exitvar == '0') { 
- 
-# create pcap 
-my $pcap = &cap_pkt; 
-if (!($pcap)) { 
-  die ("cant capture\n"); 
-} 
- 
-# drop privs 
-my $GID="$lowgid"; 
-my $UID="$lowuid"; 
-my $EGID="$lowgid $lowgid"; 
- 
-# -w if set 
-if ($opts{w}) { 
-  open (FILEOUT,">$opts{w}") || die ("cant open $opts{w} ($!)\n"); 
-  fcntl(FILEOUT, F_SETFL, $flags) or die ("couldn't set nonblock for $opts{w} ($!)\n"); 
-} 
- 
-# capture loop 
-if (($opts{c}) && ($opts{c} =~ /(\d+)/)) { 
-  print "stopping after $1 packets\n"; 
-         Net::Pcap::loop($pcap, $1, \&proc_pkt, 0); 
-  $exitvar = '1'; 
-} else { 
-         Net::Pcap::loop($pcap, -1, \&proc_pkt, 0); 
-  my %stats; 
-  Net::Pcap::stats($pcap, \%stats); 
-  print "saw $stats{ps_recv} packets, dropped $stats{ps_drop}\n"; 
-} 
- 
-# free it 
-print "cleaning up\n"; 
-Net::Pcap::close($pcap); 
-# close fh 
-if ($opts{w}) { 
-  print "wrote $opts{w}.\n"; 
-  close FILEOUT; 
-} 
-} 
- 
-# sub procs below 
-sub cap_pkt { 
- 
-my ($pcap,$dev,$err,$mask,$net,$filter2); 
-my $snaplen = 14096; # seen some big im's :( 
-my $promisc = 1; # promisc of course 
-my $timeout = 0; # timeout 
- 
-# file.pcap? 
-if ($opts{r}) { 
-  print "reading from '$opts{r}'\n"; 
-  $pcap = Net::Pcap::open_offline($opts{r}, \$err); 
-  if (!($pcap)) { 
-   die("error opening $opts{r} ($err)\n"); 
-      } 
-} else { 
- 
-  # set dev from cmdline 
-  $dev = $opts{i}; 
-  print "dumping on '$opts{i}'\n"; 
- 
-  # get netmask for filter 
-  if ((Net::Pcap::lookupnet($dev, \$net, \$mask, \$err)) == -1 ) { 
-          die ("Net::Pcap::lookupnet failed ($err)\n"); 
-      } 
-     
-  # open it 
-  $pcap = Net::Pcap::open_live($dev, $snaplen, $promisc, $timeout, \$err); 
-  if (!($pcap)) { 
-   die ("can't create packet fd ($err)\n"); 
-  } 
-} 
-    
-# sanity check 
-if (!($pcap)) { 
-  die ("sanity check failed - \$pcap null\n"); 
-} elsif (!($mask)) { 
-  $mask = '0'; # for open_offline 
-} 
- 
-# make filter struct 
-if (Net::Pcap::compile($pcap, \$filter2, $filter, 1, $mask) != '0') { 
-   die ("broken filter ($filter)\n"); 
-} 
-# apply 
-Net::Pcap::setfilter($pcap, $filter2); 
- 
-return $pcap; 
-} 
- 
-sub proc_pkt { 
- 
-my($user_data, $hdr, $pkt) = @_; 
-my ($user,$msg); 
- 
-my $ip_obj = NetPacket::IP->decode(eth_strip($pkt)); 
-#my $ip_obj = NetPacket::IP::strip($pkt); 
- 
-# check if its a message (or a p2p file transfer) 
-# if your reading this, include 'P2P-Dest:' in your message body to avoid sniffer ;) 
-if (($ip_obj->{data} !~ /MSG/m) || ($ip_obj->{data} =~ /P2P-Dest:/m)) { 
-  ; 
-} else { 
-  print $ip_obj->{data}; 
-  # extract goodies 
-  if ( (($ip_obj->{data} =~ /MSG (.*)\@(.*)/)) || (($ip_obj->{data} =~ /P4-Context: (.*)/)) ) { 
-   $user = "$1\@$2"; 
-  } 
- 
-  if ($ip_obj->{data} =~ /X-MMS-IM-Format:\s.*\r(.*)/s) { #\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;(.*)/m) { 
-   $msg = $1; 
-  } 
- 
-  # display if we have both 
-  if (($user) || ($msg)) 
-  { 
-   if(!$user) 
-   { 
-    $user = "unknown user"; 
-   } 
-   if (!($opts{w})) { 
-    print "\n----------------------------------------------------\n"; 
-    print "src_ip($ip_obj->{src_ip}) dst_ip($ip_obj->{dest_ip})\n"; 
-    print "TO/FROM: $user\nMESSAGE:\n$msg\n"; 
-   } else { 
-    print FILEOUT "\n----------------------------------------------------\n"; 
-    print FILEOUT "src_ip($ip_obj->{src_ip}) dst_ip($ip_obj->{dest_ip})\n"; 
-    print FILEOUT "TO/FROM: $user\nMESSAGE: \n$msg\n\n"; 
-   } 
-  } 
-} 
-} 
-</code> 
  
 ==== Python Proxy ==== ==== Python Proxy ====
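Review bot: dropping the MSN Dump script at line 469 is the right call, and the reason is worth recording: its `# drop privs` block assigns to lexical `my $GID`, `$UID` and `$EGID` instead of Perl's `$(`, `$<` and `$)`, so the capture loop keeps running as uid 0 for the whole session, and `my $flags |= O_NONBLOCK` operates on an undefined value. For the Netcat part of the same hunk, the prose describes GNU Netcat but the listen examples (`cat backup.iso | nc -l 3333`, `dd if=/dev/hdb5 | gzip -9 | nc -l 3333`) use the OpenBSD netcat form; GNU Netcat needs `nc -l -p 3333`. If those transfer examples are restored elsewhere, give both forms and note that the transfer is unauthenticated plaintext, so it belongs on a trusted LAN only.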
Línea 793: Línea 501:
 } }
 </code> </code>
 +
 +==== hping3 ====
 +**hping3** is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in a very short time.
 +
 +Like most tools used in computer security, hping3 is useful to security experts.
 +
 +hping3 should be used to… *Traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. *Perform the idle scan (now implemented in nmap with an easy user interface). *Test firewalling rules. *Test IDSes. *Perform DDOS attack *Exploit known vulnerabilties of TCP/IP stacks. *Networking research. *Learn TCP/IP (hping was used in networking courses). *Write real applications related to TCP/IP testing and security. *Automated firewalling tests. *Proof of concept exploits. *Networking and security research when there is the need to emulate complex TCP/IP behaviour. *Prototype IDS systems.
 +
 +== Few commands ==
 +Finding Hping3
 +<code>
 +hping3 –h
 +</code>
 +hping3 Default
 +<code>
 +hping3 -S 192.168.1.105 -p 80
 +</code>
 +Fragment Packets with hping3
 +<code>
 +hping3 -f 192.168.1.105 -p 80
 +</code>
 +Sending Data with hping3
 +<code>
 +hping3 -f 192.168.1.105 -p 80 -d 10 -E malware
 +</code>
 +Traceroute with hping3
 +<code>
 +hping3 -z -t 1 -S google.com -p 80
 +</code>
 +Predicting Sequence Numbers with hping3
 +<code>
 +hping3 -Q -S google.com -p 80
 +</code>
 +hping3 for Uptime
 +<code>
 +hping3 --tcp-timestamp -S google.com -p 80
 +</code>
 +
 +Ref.: @cyberhawksecurity 
 +
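Review bot: `hping3 –h` under "Finding Hping3" uses an en dash (U+2013) rather than a hyphen, so the shell passes `–h` and hping3 will not treat it as the help flag; check the rest of the block for the same character, since the text looks pasted from a formatted source. The "hping3 should be used to…" list is one run-on line of `*` items, which DokuWiki will not render as a list: each item needs its own line, indented with two spaces before the `*`. "Sending Data with hping3" repeats the `-f` fragmentation flag from the previous example and passes `-E malware`, where `-E` expects the path of a file whose contents fill the payload; name it as a placeholder file so readers do not go looking for a file called `malware`. The traceroute, sequence-number and uptime examples target `google.com`; point them at a lab host you control, as the earlier examples do with `192.168.1.105`. Typo: "vulnerabilties".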
enlaces/utilidades_de_red.1344350311.txt.gz · Last modified: 2012/08/07 14:38 by cayu