Monday, April 18, 2005

book: Red Hat Linux Network Management Tools

4/18/05

Red Hat Linux Network Management Tools

Core System Utilities and Tools
> arp, ifconfig, netstat, ping, tcpdump, traceroute

Additional System Utilities and Tools
> arpwatch, ethereal, fping, nmap, xtraceroute

*** Chap 2

MIB Browsers are great for probing an agent for specific information or learning the structure and format of new MIBs

1.3.6            iso.org.dod
1.3.6.1.2        iso.org.dod.internet.mgmt (mib-2 is 1.3.6.1.2.1)
1.3.6.1.4.1.9    iso.org.dod.internet.private.enterprises.cisco
1.3.6.1.4.1.42   iso.org.dod.internet.private.enterprises.sun

Using a packet capture tool, the entire SNMP packet can be decoded, including the community string, which v1 and v2c send in cleartext

SNMPv1 specifies collection of MIB objects known as MIB-II

SNMPv1 problems:
1) weak security - the community string is the only credential and travels in cleartext, so set operations are usually disabled or restricted
2) slow - one object per get/getnext round trip
3) agents play a single, simplistic role of accepting commands

SNMPv2:
1) expanded data types, 64bit counters
2) fast - getbulk PDU
3) more efficient row creation and deletion

SNMPv3:
1) user-based security model (USM): HMAC-MD5/SHA authentication, DES privacy
2) view-based access control model (VACM)

SNMPv1 message format
3 pieces - Version, Comm Name, SNMP PDU

PDUs can be one of five different types
1) getrequest
2) getnextrequest
3) setrequest
4) getresponse
5) trap

SNMP v2 defines
1) getbulkrequest
2) inform request

GetRequest(sysDescr, sysUpTime)

GetRequest message format
5 fields
PDU type, Request ID, Error Status (always 0), Error Index (always 0), Variable Bindings

RMON monitor
this device collects network performance and packet contents for later analysis and reporting

GetResponse - each of the SNMP operations, with the exception of trap, receives a GetResponse. Includes the following fields:
PDU type, Request ID, Error Status, Error Index, Var Bindings

Trap fields
PDU Type
Enterprise
Agent Addr
Generic Trap - one of predefined traps
Specific Trap - usually zero, unless generic=6
Time Stamp
Var bindings

predefined traps
coldstart(0)
warmstart(1)
linkdown(2)
linkup(3)
authfailure(4)
egpneighborlost(5)
enterprisespecific(6)

SNMPv1 error-status codes (returned in the GetResponse)
noError(0)
tooBig(1) - returned by the agent if the response would not fit in one message
noSuchName(2) - a requested object does not exist (or, on set, is not settable); Error Index points at the offending varbind
badValue(3) - set with a value of the wrong type, length or range
readOnly(4) - set on a read-only object
genErr(5) - PDU fails for a reason other than the above

transmission of an SNMP message
1) basic PDU constructed
2) protocol layer wraps it with the version and community string
3) entire message encoded using ASN.1 BER and sent over UDP (agent port 161, traps to port 162)
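The message format, PDU types, GetRequest/GetResponse fields and error-status codes above, worked through as an added example (not code from the book or from this page). It hand-rolls just enough ASN.1 BER to build a v1 GetRequest for sysDescr.0 and sysUpTime.0, then decodes it and a constructed agent reply back into the fields the notes list; the reply is made up here, not captured from a device, and the helper names are this example's own.

```python
"""SNMPv1 GetRequest/GetResponse encoder and decoder with hand-rolled BER.
Added example, not code from the book or this page. It assumes only the RFC 1157
layout the notes describe (Version, community, PDU; the PDU carrying PDU type,
request-id, error-status, error-index and varbinds). The reply in demo() is constructed."""
# BER tags used by SNMPv1 (RFC 1155/1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, TIMETICKS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x43
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName",
                3: "badValue", 4: "readOnly", 5: "genErr"}
SYS_DESCR, SYS_UPTIME = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"

def _tlv(tag, payload):
    """Tag/length/value; long-form length once the payload reaches 128 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def enc_int(v, tag=INTEGER):
    """Minimal two's-complement integer; TimeTicks reuse it with tag 0x43."""
    return _tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(dotted):
    """X.690 OID: first two arcs fold into one byte, the rest are base-128 groups."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        group = [a & 0x7F]
        while a >> 7:
            a >>= 7
            group.append(0x80 | (a & 0x7F))
        out.extend(reversed(group))
    return _tlv(OID, bytes(out))

def dec_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element) for buf[pos:]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                              # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _message(community, pdu_type, request_id, error_status, error_index, varbinds):
    """Three-piece v1 message: version(0), community string, five-field PDU."""
    pdu = _tlv(pdu_type, enc_int(request_id) + enc_int(error_status)
               + enc_int(error_index) + _tlv(SEQUENCE, varbinds))
    return _tlv(SEQUENCE, enc_int(0) + _tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_request(community, oids, request_id, pdu_type=GET_REQUEST):
    """Get/GetNext: error-status and error-index are 0 and every value is NULL."""
    vb = b"".join(_tlv(SEQUENCE, enc_oid(o) + _tlv(NULL, b"")) for o in oids)
    return _message(community, pdu_type, request_id, 0, 0, vb)

def build_get_response(community, request_id, bindings, error_status=0, error_index=0):
    """bindings: [(oid, (tag, raw value))]; error_index names the failing varbind, 1-based."""
    vb = b"".join(_tlv(SEQUENCE, enc_oid(o) + _tlv(t, v)) for o, (t, v) in bindings)
    return _message(community, GET_RESPONSE, request_id, error_status, error_index, vb)

def parse_message(raw):
    """Decode a v1 Get/GetNext/Set/Response message into its fields."""
    tag, body, _ = _read_tlv(raw, 0)
    assert tag == SEQUENCE, "not an SNMP message"
    _, ver, p = _read_tlv(body, 0)
    _, comm, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    fields, q = [], 0
    for _i in range(4):                       # request-id, error-status, error-index, varbind list
        _, val, q = _read_tlv(pdu, q)
        fields.append(val)
    rid, est, eidx, vbl = fields
    bindings, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_b, r = _read_tlv(vb, 0)
        vtag, vval, _ = _read_tlv(vb, r)
        if vtag in (INTEGER, TIMETICKS):
            value = int.from_bytes(vval, "big", signed=(vtag == INTEGER))
        elif vtag == OCTET_STRING:
            value = vval.decode(errors="replace")
        else:
            value = None                      # NULL placeholder in a request
        bindings.append((dec_oid(oid_b), value))
    return {"version": int.from_bytes(ver, "big"), "pdu_type": pdu_tag,
            "community": comm.decode(errors="replace"),   # cleartext on the wire
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": ERROR_STATUS.get(int.from_bytes(est, "big"), "unknown"),
            "error_index": int.from_bytes(eidx, "big"), "varbinds": bindings}

def demo():
    """GetRequest(sysDescr.0, sysUpTime.0) and the decoded (constructed) GetResponse."""
    req = build_get_request("public", [SYS_DESCR, SYS_UPTIME], request_id=42)
    resp = build_get_response("public", 42, [(SYS_DESCR, (OCTET_STRING, b"Linux host 2.4.20 i686")),
                                             (SYS_UPTIME, (TIMETICKS, (123456).to_bytes(4, "big")))])
    return parse_message(req), parse_message(resp)
```

Feeding `build_get_request("public", [SYS_DESCR], 1)` to a hex dumper shows why the notes flag v1 security: the community string is a plain OCTET STRING a few bytes into the datagram, which is exactly what `snmpget -d` or a tcpdump hex dump reveals.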

*** Chap3

ICMP message types (echo request/reply are informational; the rest are error messages)
Echo request/reply
dest unreachable
source quench
redirect
time exceeded

ARP, OUI codes
http://standards.ieee.org/regauth/oui/oui.txt

netstat -t # display current TCP connections

Table 4.8 Linux agent MIB objects that map to netstat -i output
RX-OK  ifInUcastPkts + ifInNUcastPkts
RX-ERR ifInErrors
RX-DRP ifInDiscards
TX-OK  ifOutUcastPkts + ifOutNUcastPkts
TX-ERR ifOutErrors
TX-DRP If

ping -f # flood

tcpdump
promiscuous mode, as used by RMON probes
ethereal - GUI based
tcpdump -i le1 -x tcp and port 21
-i selects the interface (-d would only dump the compiled filter program); -x hex dump of each packet; -e adds the link-level header, i.e. source and dest MAC

traceroute display codes
*   No response to probe packet within the timeout
!   TTL in the received packet is <= 1
!H  Dest host is unreachable
!N  Dest net is unreachable
!P  Dest proto is unreachable
!S  source route option has failed, should not happen
!F  fragmentation needed for probe packet, should not happen
!X  blocked: communication administratively prohibited (filtering)
!<N> other ICMP unreachable code, where N is that number

traceroute on a multi-homed host selects the first interface it encounters; -i picks another
traceroute, by default, sends UDP probes starting at port 33434 (incrementing per probe)
traceroute -I uses ICMP echo probes instead


Chap 4

Arpwatch: one of its most useful options is -i, which selects the interface. Reports it sends:
- new station: IP/Ethernet pair never seen before; excellent way to know when new stuff is hooked to the network
- changed Ethernet address: an IP now answers from a different MAC (new Ethernet card, or someone spoofing it)
- flip flop: the address flipped back to a previously seen MAC
- new activity: a known pair reappears after a long idle period
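The four arpwatch reports above, reproduced as an added example that is not arpwatch's own code: a constructed stream of (timestamp, IP, MAC) sightings, as an ARP sniffer would produce them, is run through the same bookkeeping arpwatch keeps per IP. The sample data and the idle threshold are assumptions of this example.

```python
"""Arpwatch-style station tracker. Added example, not arpwatch's own code.
Replays a constructed list of (timestamp, ip, mac) observations through the
bookkeeping arpwatch keeps and emits its report types: new station, changed
ethernet address, flip flop and new activity. The sample is made up and the
idle threshold is this example's assumption, not arpwatch's exact value."""

NEW_ACTIVITY_AFTER = 6 * 30 * 86400     # assumed: a known pair silent ~6 months counts as new activity

def track(observations, idle=NEW_ACTIVITY_AFTER):
    """Return [(report, ts, ip, mac, previous_mac)] for a stream of (ts, ip, mac)."""
    current = {}        # ip -> MAC it currently answers from
    last_seen = {}      # (ip, mac) -> timestamp of the last sighting of that pair
    reports = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        pair = (ip, mac)
        if ip not in current:
            reports.append(("new station", ts, ip, mac, None))
        elif current[ip] != mac:
            # a MAC already seen for this IP is a flip flop; otherwise a genuine change
            kind = "flip flop" if pair in last_seen else "changed ethernet address"
            reports.append((kind, ts, ip, mac, current[ip]))
        elif ts - last_seen[pair] > idle:
            reports.append(("new activity", ts, ip, mac, None))
        current[ip] = mac
        last_seen[pair] = ts
    return reports

# Constructed ARP sightings (epoch seconds, IP, MAC); not a real capture
SAMPLE = [
    (0,        "10.0.0.5", "00:0C:29:AA:BB:01"),   # first time .5 is seen
    (60,       "10.0.0.5", "00:0c:29:aa:bb:01"),   # steady state, nothing to report
    (120,      "10.0.0.9", "00:50:56:00:00:10"),   # another new station
    (300,      "10.0.0.5", "00:11:22:33:44:55"),   # .5 answers from a new MAC: NIC swap or spoofing
    (360,      "10.0.0.5", "00:0c:29:aa:bb:01"),   # and back again: flip flop, the ARP-spoof pattern
    (20000000, "10.0.0.9", "00:50:56:00:00:10"),   # .9 returns after a long silence
]

def demo():
    return track(SAMPLE)
```

A burst of flip flops for one IP within seconds, rather than one change when a card is replaced, is the signature worth alerting on: it is what an ARP-spoofing host and the real owner look like while they fight over the address.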

Ethereal

Fping
Nmap by default scans ports 1-1024 plus those listed in nmap-services
-O flag, for TCP/IP stack fingerprinting
-sS TCP SYN, scans TCP ports using half-open connects
-sF stealth FIN scan
nmap-os-fingerprints, /usr/local/lib/nmap
-sU UDP scan
-sT TCP connect scan
-sP ping sweep
nmap -p 161 -sU -o results 10.0.0.0/24 # find SNMP agents; -o is the old log flag, -oN in current nmap

Xtraceroute - latitude, longitude

### CHAP 6 - Overview of MIB II
at group - address translation: mapping from net addr to phys addr (deprecated in MIB-II in favor of ipNetToMediaTable)
dot3 group - low-level data-link (Ethernet) statistics for each of the defined interfaces

### Chap 7 - Using SNMP Agents
Linux, UCD agent, supports SNMP v1, v2c, v3
getbulk, inform
and USM, the user-based security model
agent: snmpd

Sun, agent snmpdx provides master/subagent

Linux agent
supports MIB-II, SNMPv2 MIBs, SMUX MIB, Host Resources MIB, UCD-SNMP MIBs
located in /usr/local/share/snmp/mibs
- monitor disk-space usage
-monitor system processes
-monitor system load
-invoke UNIX commands
-monitor agent information and status
-provide access to key MIB Objects


### Chap 8 - SNMP Tools
monitoring admin functions
- SNMP system heartbeat, get-request, sysUpTime
- system up/down messages, traps
- protocol statistics, MIBII, IP, ICMP, TCP, SNMP
-interface performance measurements, MIB II-
-system process activity, UCD agent
-routing,
-performance statistics

commands
- snmpdelta
- snmpget -d # cool, HEX/Ascii dump
- snmpgetnext
- snmpnetstat
- snmpset
- snmpstatus
- snmptable
- snmptest
- snmptranslate # cool
- snmptrap
- snmptrapd
- snmpwalk
- snmpbulkwalk # cool
- tkmib # cool

-m/-M: -m names the MIB modules to load, -M the directories to search for them

snmpdelta - very useful in tracking networking errors
snmpdelta -R remote-gw public ifInDiscards.1
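What snmpdelta computes between two polls of a counter like ifInDiscards, as an added example (not net-snmp's code): the Counter32 delta with wraparound handled, divided by the elapsed sysUpTime. The samples are constructed (sysUpTime ticks, counter) pairs; one crosses the 32-bit boundary and one follows an agent restart, the two cases a naive subtraction gets wrong.

```python
"""Counter32 delta and rate calculation of the kind snmpdelta performs. Added
example, not net-snmp's code. SAMPLES are constructed (sysUpTime in TimeTicks,
ifInDiscards) readings as a poller would take them from an agent; the fourth
wraps the 32-bit counter and the last follows an agent restart (sysUpTime goes
backwards), so the counter has been reset and no delta is valid."""

COUNTER32 = 2 ** 32

def counter_delta(prev, cur, width=COUNTER32):
    """Increase between two readings, correct across one wraparound of the counter."""
    return (cur - prev) % width

def rates(samples, width=COUNTER32):
    """samples: [(sysUpTime ticks, counter)] -> per interval (delta, per_second),
    or None when sysUpTime went backwards (agent restart: counters reset)."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            out.append(None)
            continue
        d = counter_delta(c0, c1, width)
        out.append((d, d / ((t1 - t0) / 100.0)))   # TimeTicks are hundredths of a second
    return out

# Constructed polls of ifInDiscards.1: every 10 s (1000 ticks), then 5 s, then after a restart
SAMPLES = [(100, 4294967000), (1100, 4294967200), (2100, 4294967290),
           (3100, 94), (3600, 100), (50, 3)]

def demo():
    return rates(SAMPLES)
```

Polling sysUpTime alongside the counter is what makes the restart detectable; a poller that only reads the counter will report a huge bogus delta (or a negative one) when the agent comes back with zeroed counters.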

snmpset
- disabling/enabling network IF
- updating device, ie. sysContact
- resetting traffic counters
- restarting agent
- modifying some config pararm

snmptranslate system.sysDescr
.1.3.6.1.2.1.1.1
-d # dump all info from RFC1213-MIB.txt

snmpbulkwalk -v 2c cisco-gw1 public # current net-snmp syntax: snmpbulkwalk -v 2c -c public cisco-gw1

snmpconf - provides ability to configure devices using snmpset

tkMib - front end to snmpget, getnext, walk, snmptable

[root@localhost ~]# tkmib

ERROR: You don't have the SNMP perl module installed. Please obtain this by
getting the latest source release of the net-snmp toolkit from
http://www.net-snmp.org/download/ . The perl module is contained in
the perl/SNMP directory. See the INSTALL file there for
instructions.

ERROR: You don't have the Tk module installed. You should be able to
install this by running (as root):

perl -MCPAN -e 'install Tk'

Sunday, April 17, 2005

3 security tools: snort swatch portsentry

4/17/05

3 security tools

snort swatch portsentry


My Checklist
1. NMAP the offender.

2. NSLookup, Whois, etc. I even go so far as to use GeoIP to get city, state, ISP, etc. Get email addresses to send to.

3. Look for open proxies on the address in the case of SPAM. If so, just drop the search there.

4. Nessus check for potential vulns that might have been exploited by common/known worms. Essentially, find how they were exploited, and if there is no known reason, assume they are malicious.

5. Take necessary actions to blacklist or block the IP on the offending protocol, or in some rare cases, kill the IP altogether. (rarer cases, the subnet)

6. Google. You'd be amazed at what I can do here. I put in the direct IP, I put in email addresses I've collected to find out where the person posts, etc. I get to know the individual, who they are, and further deduce if they are malicious. I used to even go so far as to imitate someone of the opposite sex their age and talk to them on their favorite IM and ask them if they are a h4x0r and can help me "get back at my brother, the bully at school, the girl that stole my boyfriend" etc. (never assume the gender of a /. poster)

7. Email at a minimum 5 people, including Incident Response (https://forms.us-cert.gov/report/), the offending ISP, any emails off of the website of the IP in question, etc. Half the emails I CC just so that the individuals take the email seriously. Occasionally these will contain logs, IM logs, who the person is, what they do in their spare time, what forums they visit, their picture (if any) and etc. I do this from a TOR-accessed Hushmail account, so no one knows who the hell it is. One time I sent the email to the offender's mother. He sure thanked me with some profanities on that one (which were subsequently forwarded to his mother).

There are ways of "attacking back" in such a way that script kiddies die out, but you have to totally overwhelm them with your sheer capability to outsmart them.

Let's face it, we're all guilty of being lax in our network activity and leave IP trails on logs that Google indexes. It makes no sense to sit back and complain about script kiddies when it's quite obvious that we're unwilling to take them to task when they probe. The information is there, you just gotta do some digging and learn how to use Google's Advanced features. It's important to make your response to their actions overwhelming, so they are never tempted to turn back to random probing again.
