Recent Posts

Linux
19 June 2011 0 Comments

Extracting a .tar.gz File With a Single Command

This will extract the contents of files.tar.gz to the current directory:

tar -xzf files.tar.gz

I find that a good mnemonic for this is the “angry German ordering you to extract an archive” mnemonic:
Xtract Ze Files!!

Linux
18 June 2011 1 Comment

Packet Crafting on Linux Using Scapy

Introduction

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It is written in Python, and is installed by default on Backtrack 4+. On Ubuntu it can be installed using this command:

sudo apt-get install scapy

The official scapy documentation is located here, and you may also need a Python Cheat Sheet.

Scapy Basics

Execute scapy at the command-line to run the Python interpreter with the scapy libraries loaded.

Start up scapy and run the ls() command. This will list all supported packet types.

$ scapy
Welcome to Scapy (2.0.0.5 beta)
>>> ls()
ARP        : ARP
ASN1_Packet : None
BOOTP      : BOOTP
CookedLinux : cooked linux
DHCP       : DHCP options
...more

List all available functions using lsc():

>>> lsc()
 sr               : Send and receive packets at layer 3
 sr1              : Send packets at layer 3 and return only the first answer
 srp              : Send and receive packets at layer 2
 srp1             : Send and receive packets at layer 2 and return only the first answer
 srloop           : Send a packet at layer 3 in loop and print the answer each time

The ls() command can do much more. Show the contents of the IP structure with ls(IP).

Networking
18 June 2011 0 Comments

An Introduction to ARP Cache Poisoning

Other posts in the ARP series: The ARP protocol explained, Viewing and manipulating the ARP cache on Windows and Linux

Remember that each network interface maintains a table of (IP->MAC) mappings in its ARP cache. The ARP protocol packet has the following structure:

Structure of an ARP packet

There are two types of ARP packets: request and reply. The type is determined by the Operation Code field. The steps below show a scenario of normal operation:

  • Host A sends an ARP request looking for the MAC address of Host B
  • Host B responds with an ARP reply.

This ARP packet is encapsulated in an Ethernet frame with the following values:

Normally an ARP request is sent because the sender wants to talk to a given IP address and needs to find out the associated MAC address. But sometimes the sender generates an ARP packet to inform the receivers about some information, instead of asking for information. This is called gratuitous ARP and is commonly used in the following situations:

  • Duplicate address detection
  • Change of MAC address
  • Virtual IP

Routers and other network hardware may cache routing information gained from multiple gratuitous ARP packets. Read this page for more information. For gratuitous…

Networking
18 June 2011 0 Comments

Viewing and Manipulating the ARP Cache on Windows and Linux

Other posts in the ARP series: The ARP protocol explained and An introduction to ARP cache poisoning.

Both Windows and Linux have a tool called arp. I tested this with Windows 7 and Linux kernel 2.6.31, but this information should be true for just about every OS version since the dawn of TCP/IP.

Command Overview

Be aware that there is one ARP cache (table) per interface, as opposed to the routing table, which is global for the system.

Windows: arp.exe

Open an elevated command prompt (you need administrator rights). Now you can type arp to execute the Windows ARP cache manager.

Display the current ARP entries for each interface with arp -a:

C:\>arp -a

Interface: 232.19.232.231 --- 0xb
Internet Address      Physical Address      Type
232.19.232.2          22-22-2c-27-ac-22     dynamic
232.19.232.22         22-21-f3-23-3e-23     dynamic
232.19.232.32         22-29-33-c1-c2-24     dynamic
232.19.232.91         22-2d-29-a9-33-17     dynamic
232.19.232.231        22-22-29-c2-22-b7     dynamic
232.19.232.242       …

Networking
17 June 2011 3 Comments

The ARP Protocol Explained

Introduction

The Address Resolution Protocol, or ARP, is used for resolution of network-layer addresses (IP) to link-layer addresses (MAC). This post describes the basics of the ARP protocol; viewing and manipulating your ARP cache is discussed in the next post.

Other posts on the ARP protocol are available here:

ARP Basics

When a system wants to send data to another computer, it prepares an IP packet with the appropriate destination IP. This packet is passed down to the link-layer (usually Ethernet). This layer needs to encapsulate the IP packet in an Ethernet frame before it can be sent.

An Ethernet frame must be addressed to a destination hardware address (MAC address). But which MAC address corresponds with the destination IP address? This is looked up in the ARP cache. The ARP cache contains mappings of the form (IP - MAC).

Source and Destination Hosts on the Same Local Network

The sending host will first look up the destination IP address in its routing table. If the destination IP is on the same physical network (subnet) then there are no routers between the host…

Security
16 June 2011 0 Comments

A Useful Nmap Scan

Nmap is without a doubt the best free network security scanner. An nmap command that is very useful for mapping out all hosts on a subnet is displayed below:

nmap -sS -sV -O 192.168.0.0/24

The meaning of the options is:

  • -sS. This tells nmap to use a SYN scan on host ports.

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.

  • -sV. This switch tells Nmap to attempt to find the service and version information of the ports it finds open.

After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS

Linux
16 June 2011 0 Comments

Getting your Network Connection Up And Running on Backtrack

By default, networking is disabled in Backtrack 4. The reason for this is that stealth is an important factor in penetration testing, so a system that starts sending out noisy DHCP requests after booting can be a bad thing.

Enabling networking

The easiest way to enable networking is to use the init script:

/etc/init.d/networking start

This will attempt to start the network interfaces in the file /etc/network/interfaces. Generally you don’t need to worry about the file’s contents; all relevant network interfaces will be enabled automatically and a DHCP lookup will start. If you are not using a wireless network card this is probably all you need to do. The rest of this page describes tools for a more manual approach.

Usually, your physical network card will be called eth0, and your wireless network card will be called wlan0.

ifconfig

Ifconfig is used to configure network interfaces. Without arguments, ifconfig shows the currently active interfaces:

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:40:A4:b1:92
          inet addr:120.89.168.243  Bcast:120.89.175.255  Mask:255.255.240.0
          inet6 addr: 2001:610:1948:8000:211:50ff:fd34:b192/64 Scope:Global
          inet6

General
10 June 2011 1 Comment

A Summary of IP Addressing Types

This is a summary of IP addressing types. We look at unicast, broadcast, multicast and anycast addressing of IP packets, and also describe the destination MAC addresses for each case. Some of the text and all of the images are courtesy of Wikipedia; I just added my comments.

There are four forms of IP addressing, each with its own unique properties:

Unicast

Available in: IPv4 and IPv6.


The most common addressing scheme of an IP address is unicast addressing – available in both IPv4 and IPv6. It normally refers to a single sender or a single receiver, and can be used for both sending and receiving. Usually, a unicast address is associated with a single device or host, but it is not a one-to-one correspondence. Some individual PCs have several distinct unicast addresses, each for its own distinct purpose. Sending the same data to multiple unicast addresses requires the sender to send all the data many times over, once for each recipient.

  • Most browsing traffic from your Internet router to your computer will be unicast TCP or UDP traffic; if you do a search at google.com the search results are sent only to your computer.
  • Any application that uses TCP must use unicast IP addressing,

Windows
13 May 2011 0 Comments

Which Windows Process is Using Which TCP Connection?

Say you have identified – through Wireshark or other means – that your computer is communicating with a certain IP. If you suspect this might be a rogue process or a virus ‘phoning home’ then you might want to dig a little deeper.

The oldest trick in the book is to use netstat. A post on Techrepublic describes this method in depth, but I will describe the important elements here. With the command below you get a list of all TCP and UDP sockets and their associated process IDs:

netstat -noa

The image below is courtesy of Techrepublic.

Now you can use the process ID (PID) to find the name of the process. The default Windows task manager does not display them, but they are easily enabled through View -> Select Columns. Check the PID box, see the image below.

Of course, if you are using Process Explorer (as you should) then the PIDs are at your disposal already. With other tools in the brilliant Sysinternals suite you can make life even easier. The TCPView tool was specifically built for the problem we are trying to solve:

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and

Linux
3 April 2011 0 Comments

Finding Package Files on Ubuntu After ‘apt-get’ Installation

On Ubuntu, after you use apt-get install <packagename> you usually have no idea which files were installed and where. To see all files belonging to any package use the dpkg tool:

$ dpkg -L apache2
/.
/usr
/usr/share
/usr/share/doc
/usr/share/bug
/usr/share/bug/apache2
/usr/share/bug/apache2/control
/usr/share/doc/apache2
/usr/share/bug/apache2/script

You can also list all installed packages using dpkg --list:

$ dpkg --list
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                      Version                                 Description
+++-=========================================-=======================================-============================================
ii  acpid                                     1.0.6-9ubuntu8