
Wednesday, August 16, 2017

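Blocking ping responses on a Linux system

You can do this with the following iptables command. Because the target is REJECT, the host still answers each echo request with an ICMP error (port unreachable by default) instead of an echo reply; the DROP target discards the request without answering at all.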

iptables -I INPUT -p icmp --icmp-type echo-request -j REJECT

Sunday, July 23, 2017

ssh based vpn solution: xiringuito

SSH-based "VPN for poors"
VPN made easy! No configuration. No VPN servers. No hassle. Just plug and use!
This is the "VPN without VPN" software done using nice built-in capabilities of SSH.

Sunday, December 18, 2016

The 10 best network monitoring solutions you can use for free




  1. monit
  2. ganglia
  3. munin
  4. cacti
  5. nagios
  6. zabbix
  7. observium
  8. zenoss
  9. collectd
  10. argus

Source:

sixrevisions.com/tools/10-free-server-network-monitoring-tools-that-kick-ass


Certification roadmap for network administrators




Source:

http://www.itcareerfinder.com/brain-food/blog/entry/it-certification-path-network-administrator.html

Thursday, October 8, 2015

Linux: how to optimize ethernet adapter settings

Platform:

Red Hat Enterprise Linux Server release 6.5 (Santiago)

how to learn ethernet device driver details



ethtool -i eth1

# ethtool -i eth1
driver: igb
version: 5.2.5
firmware-version: 2.1.0
bus-info: 0000:01:00.1
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no


# lspci -v | grep -A 14 '01:00.1'
01:00.1 Ethernet controller: Intel Corporation 82575EB Gigabit Network Connection (rev 02)
Subsystem: Intel Corporation Device 34de
Flags: bus master, fast devsel, latency 0, IRQ 28
Memory at b1a00000 (32-bit, non-prefetchable) [size=128K]
I/O ports at 1000 [size=32]
Memory at b1a40000 (32-bit, non-prefetchable) [size=16K]
Capabilities: [40] Power Management version 2
Capabilities: [50] MSI: Enable- Count=1/1 Maskable- 64bit+
Capabilities: [60] MSI-X: Enable+ Count=10 Masked-
Capabilities: [a0] Express Endpoint, MSI 00
Capabilities: [100] Advanced Error Reporting
Capabilities: [140] Device Serial Number 00-1e-67-ff-ff-0c-9a-29
Kernel driver in use: igb
Kernel modules: igb

how to list ethernet adapters

[root@server~]# lspci | grep Ethernet
01:00.0 Ethernet controller: Intel Corporation 82575EB Gigabit Network Connection (rev 02)
01:00.1 Ethernet controller: Intel Corporation 82575EB Gigabit Network Connection (rev 02)
02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
02:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

how to learn supported RX / TX ring buffer settings of an ethernet adapter

# ethtool -g eth1
Ring parameters for eth1:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 256
RX Mini: 0
RX Jumbo: 0
TX: 256

how to change ethernet adapter rx tx ring buffer settings

# ethtool -G eth1 rx 4096 tx 4096
# ethtool -g eth1
Ring parameters for eth1:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096

how to change ethernet features to increase IDS/IPS packet processing performance

disable RX checksumming
# ethtool -K eth1 rx off


disable TX checksumming
# ethtool -K eth1 tx off

disable TCP segmentation offload
# ethtool -K eth1 tso off

disable generic receive offload
# ethtool -K eth1 gro off

disable generic segmentation offload
# ethtool -K eth1 gso off


disable scatter-gather
# ethtool -K eth1 sg off

how to show features of ethernet adapter



# ethtool -k eth1
Features for eth1:
rx-checksumming: on
tx-checksumming: on
tx-checksum-ipv4: on
tx-checksum-ip-generic: off [fixed]
tx-checksum-ipv6: on
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
scatter-gather: on
tx-scatter-gather: on
tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
tx-tcp-segmentation: on
tx-tcp-ecn-segmentation: off [fixed]
tx-tcp6-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: on
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
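
With segmentation and receive offloads enabled, an IDS capturing on the interface sees merged or not-yet-segmented packets rather than what was on the wire, so it helps to check which of the six offloads disabled above are still on. The following is an added example, not part of the original post: the function name offload_fixups and the sample text are constructed for illustration, and it prints the matching ethtool -K command for every listed feature that is on and not marked [fixed].

```shell
#!/bin/sh
# Constructed sample: a few lines in the format `ethtool -k` prints.
SAMPLE_FEATURES='Features for eth1:
rx-checksumming: off
tx-checksumming: on
tx-checksum-ipv4: on
scatter-gather: on
tcp-segmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# offload_fixups (hypothetical helper name)
#   $1    = interface name
#   stdin = output of `ethtool -k <iface>`
# Prints one "ethtool -K" command per offload from the list above that is
# still "on". Features marked [fixed] cannot be changed and are skipped;
# sub-features such as tx-checksum-ipv4 follow their parent and are ignored.
offload_fixups() {
  awk -v dev="$1" '
    BEGIN {
      flag["rx-checksumming"]              = "rx"
      flag["tx-checksumming"]              = "tx"
      flag["scatter-gather"]               = "sg"
      flag["tcp-segmentation-offload"]     = "tso"
      flag["generic-segmentation-offload"] = "gso"
      flag["generic-receive-offload"]      = "gro"
    }
    {
      name = $1
      sub(/:$/, "", name)              # "generic-receive-offload:" -> name
      if ((name in flag) && $2 == "on" && $3 != "[fixed]")
        printf "ethtool -K %s %s off\n", dev, flag[name]
    }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_FEATURES" | offload_fixups eth1
```

On a live sensor the same function can be fed directly: ethtool -k eth1 | offload_fixups eth1.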


Keywords: eth0 overrun problem, eth0 drop problem, packet processing, ips, ids, suricata, snort, bro network security monitor, packet drop


2015-10-08 - Ali Okan Yuksel - yukselao@yandex.com




Friday, July 24, 2015

Connection tests with netcat

Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.

It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

TCP server:
# nc -k -l 23

UDP server:
# nc -k -u -l 23

TCP client:
# nc -w0 172.16.41.82 23 <<< "tcp client example"

UDP client:
# nc -w0 -u 172.16.41.82 23 <<< "udp client example"

-w: timeout
-k: stay listening for another connection after the current one is completed
-l: listen

 Syntax

nc [-46bCDdhklnrStUuvZz] [-I length] [-i interval] [-O length]
   [-P proxy_username] [-p source_port] [-q seconds] [-s source]
   [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
   [-x proxy_address[:port]] [destination] [port]

Options


-4    Forces nc to use IPv4 addresses only.
-6    Forces nc to use IPv6 addresses only.
-b    Allow broadcast.
-C    Send CRLF as line-ending.
-D    Enable debugging on the socket.
-d    Do not attempt to read from stdin.
-h    Prints out nc help.
-I length    Specifies the size of the TCP receive buffer.
-i interval    Specifies a delay time interval between lines of text sent and received. Also causes a delay time between connections to multiple ports.
-k    Forces nc to stay listening for another connection after its current connection is completed. It is an error to use this option without the -l option.
-l    Used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host. It is an error to use this option in conjunction with the -p, -s, or -z options. Additionally, any timeouts specified with the -w option are ignored.
-n    Do not do any DNS or service lookups on any specified addresses, hostnames or ports.
-O length    Specifies the size of the TCP send buffer.
-P proxy_username    Specifies a username to present to a proxy server that requires authentication. If no username is specified then authentication will not be attempted. Proxy authentication is only supported for HTTP CONNECT proxies at present.
-p source_port    Specifies the source port nc should use, subject to privilege restrictions and availability.
-q seconds    After EOF on stdin, wait the specified number of seconds and then quit. If seconds is negative, wait forever.
-r    Specifies that source and/or destination ports should be chosen randomly instead of sequentially within a range or in the order that the system assigns them.
-S    Enables the RFC 2385 TCP MD5 signature option.
-s source    Specifies the IP of the interface which is used to send the packets. For UNIX-domain datagram sockets, specifies the local temporary socket file to create and use so that datagrams can be received. It is an error to use this option in conjunction with the -l option.
-T toskeyword    Change IPv4 TOS value. toskeyword may be one of critical, inetcontrol, lowcost, lowdelay, netcontrol, throughput, reliability, or one of the DiffServ Code Points: ef, af11 ... af43, cs0 ... cs7; or a number in either hex or decimal.
-t    Causes nc to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. This makes it possible to use nc to script telnet sessions.
-U    Specifies to use UNIX-domain sockets.
-u    Use UDP instead of the default option of TCP. For UNIX-domain sockets, use a datagram socket instead of a stream socket. If a UNIX-domain socket is used, a temporary receiving socket is created in /tmp unless the -s flag is given.
-V rtable    Set the routing table to be used. The default is 0.
-v    Have nc give more verbose output.
-w timeout    Connections which cannot be established or are idle timeout after timeout seconds. The -w flag has no effect on the -l option, i.e. nc will listen forever for a connection, with or without the -w flag. The default is no timeout.
-X proxy_protocol    Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are "4" (SOCKS v.4), "5" (SOCKS v.5) and "connect" (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.
-x proxy_address[:port]    Requests that nc should connect to destination using a proxy at proxy_address and port. If port is not specified, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS).
-Z    DCCP mode.
-z    Specifies that nc should just scan for listening daemons, without sending any data to them. It is an error to use this option in conjunction with the -l option.

Tuesday, July 7, 2015

"hacking team" hacked

Someone hacked the cyberweapons arms manufacturer Hacking Team and posted 400 GB of internal company data.

Hacking Team is a pretty sleazy company, selling surveillance software to all sorts of authoritarian governments around the world. Reporters Without Borders calls it one of the enemies of the Internet. Citizen Lab has published many reports about their activities.
...
Source: https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html

Slashdot thread. Hacker News thread.

Tixati bittorrent client http://www.tixati.com/

Thursday, June 4, 2015

moongen: fully scriptable high-speed packet generator

MoonGen is a fully scriptable high-speed packet generator built on DPDK and LuaJIT. It can saturate a 10 GBit connection with 64 byte packets on a single CPU core while executing user-provided Lua scripts for each packet.




Multi-core support allows for even higher rates. It also features precise and accurate timestamping and rate control.

https://www.kernel.org/doc/Documentation/vm/hugetlbpage.txt

echo 128 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
mkdir /mnt/huge
mount -t hugetlbfs nodev /mnt/huge


Installation steps

  1.  Install the dependencies (see below)
  2.  git submodule update --init
  3.  ./build.sh
  4.  ./setup-hugetlbfs.sh
  5.  Run MoonGen from the build directory

Dependencies

  • gcc
  • make
  • cmake
  • kernel headers (for the DPDK igb-uio driver)


Platform:

root@aliokan-xubuntu:/usr/src/MoonGen/build# uname -a
Linux aliokan-xubuntu 3.13.0-53-generic #89-Ubuntu SMP Wed May 20 10:34:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 

root@aliokan-xubuntu:/usr/src/MoonGen/build# lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:    14.04
Codename:    t


# ./MoonGen quality-of-service-test.lua
EAL: Detected lcore 0 as core 0 on socket 0
EAL: Detected lcore 1 as core 1 on socket 0
EAL: Detected lcore 2 as core 2 on socket 0
EAL: Detected lcore 3 as core 3 on socket 0
EAL: Support maximum 64 logical core(s) by configuration.
EAL: Detected 4 lcore(s)
EAL: No free hugepages reported in hugepages-2048kB
PANIC in rte_eal_init():
Cannot get hugepage information
11: [./MoonGen() [0x416c23]]
10: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fb133556ec5]]
9: [./MoonGen(main+0x7c) [0x41693c]]
8: [/usr/src/MoonGen/deps/luajit/usr/local/lib/libluajit-5.1.so.2(lua_pcall+0x2d) [0x7fb1344570cd]]
7: [/usr/src/MoonGen/deps/luajit/usr/local/lib/libluajit-5.1.so.2(+0xa5d3) [0x7fb1344485d3]]
6: [/usr/src/MoonGen/deps/luajit/usr/local/lib/libluajit-5.1.so.2(+0x5ce66) [0x7fb13449ae66]]
5: [/usr/src/MoonGen/deps/luajit/usr/local/lib/libluajit-5.1.so.2(+0x49084) [0x7fb134487084]]
4: [/usr/src/MoonGen/deps/luajit/usr/local/lib/libluajit-5.1.so.2(+0xc6d0) [0x7fb13444a6d0]]
3: [./MoonGen(rte_eal_init+0xf83) [0x427173]]
2: [./MoonGen(__rte_panic+0xc9) [0x4167a9]]
1: [./MoonGen(rte_dump_


Solution:

root@aliokan-xubuntu:/usr/src/MoonGen/build# grep Huge /proc/meminfo
AnonHugePages:    223232 kB
HugePages_Total:       0
HugePages_Free:        0

HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 k


root@aliokan-xubuntu:/usr/src/MoonGen/build# echo 20 > /proc/sys/vm/nr_hugepages

root@aliokan-xubuntu:/usr/src/MoonGen/build# grep Huge /proc/meminfo
AnonHugePages:    223232 kB
HugePages_Total:      20
HugePages_Free:       20

HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB


logs: https://gist.github.com/anonymous/e517b7ccd8c6a0d6f682

http://www.cnblogs.com/zzqcn/p/4024205.html 

Wednesday, May 20, 2015

pentest: plecost

What's Plecost?

Plecost is a vulnerability fingerprinting and vulnerability finding tool for the WordPress blog engine.

Installation

Installing Plecost is easy:
$ python3 -m pip install plecost
Scanning a web site is just as simple:
$ plecost http://SITE.com

pentest: mz - mausezahn

Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet. It is mainly used to test VoIP or multicast networks but also for security audits to check whether your systems are hardened enough for specific attacks.

Mausezahn can be used for example:
  • As traffic generator (e. g. to stress multicast networks)
  • To precisely measure jitter (delay variations) between two hosts (e. g. for VoIP-SLA verification)
  • As didactical tool during a datacom lecture or for lab exercises
  • For penetration testing of firewalls and IDS
  • For DoS attacks on networks (for audit purposes of course)
  • To find bugs in network software or appliances
  • For reconnaissance attacks using ping sweeps and port scans
  • To test network behaviour under strange circumstances (stress test, malformed packets, ...)

As of version 0.38, Mausezahn supports the following protocols:
  • ARP
  • BPDU or PVST
  • CDP
  • LLDP
  • IP
  • IGMP
  • UDP
  • TCP (stateless)
  • ICMP (partly)
  • DNS
  • RTP optionally RX-mode for jitter measurements
  • Syslog

multicast test traffic:
# mz eth1 -c 0 -d 0 -A rand -a rand -B 226.1.1.1 -t udp dp=123 -P "Multicast test packet"


Linux: dropped packet stats

ifconfig

 ... 
 RX packets:522 errors:0 dropped:0 overruns:0 frame:0
 TX packets:406 errors:0 dropped:0 overruns:0 frame:0
 ...

cat /proc/net/dev

Inter-| Receive ... 
 face | bytes packets errs drop fifo frame ... 
 eth0:  87689 785 0 0 0 0 ...
 ...

cat /proc/net/udp

 so local_address rem_address ... drops
 277: 00000000:0044 00000000:0000 ... 0 
 ...

cat /proc/net/snmp

...
Tcp: ...
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 453 0 0 452 0 0
...
You can also see this on a per-process basis using:

cat /proc/<pid>/net/{udp,dev,snmp}
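
The counters above are cumulative since boot, so what matters on a capture interface is whether they are still growing. The following is an added example, not part of the original post: the function name rx_drop_delta and both snapshots are constructed for illustration, and it compares two /proc/net/dev snapshots and reports interfaces whose RX drop or fifo counter (the fifo column is what ifconfig shows as overruns) increased.

```shell
#!/bin/sh
# Constructed samples in /proc/net/dev format, taken "before" and "after".
SNAP_T0='Inter-|   Receive                                   |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
  eth0: 87689 785 0 0 0 0 0 0 51200 406 0 0 0 0 0 0
  eth1:900000 9000 0 12 3 0 0 0 0 0 0 0 0 0 0 0'
SNAP_T1='Inter-|   Receive                                   |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
  eth0: 90000 800 0 0 0 0 0 0 52000 410 0 0 0 0 0 0
  eth1:990000 9900 0 40 5 0 0 0 0 0 0 0 0 0 0 0'

# rx_drop_delta (hypothetical helper name)
#   $1 = earlier snapshot text, $2 = later snapshot text
# Prints "<iface> rx_drop+N rx_fifo+M" for every interface whose RX drop
# or RX fifo counter grew between the two snapshots; prints nothing if
# no counter moved.
rx_drop_delta() {
  printf '%s\n@@\n%s\n' "$1" "$2" | awk '
    index($0, "|") { next }              # the two header lines
    $0 == "@@"     { later = 1; next }   # separator between snapshots
                   { sub(/:/, " ") }     # "eth1:900000" has no space
    NF < 6         { next }
    !later         { drop[$1] = $5; fifo[$1] = $6; next }
    ($1 in drop) {
      dd = $5 - drop[$1]; df = $6 - fifo[$1]
      if (dd > 0 || df > 0)
        printf "%s rx_drop+%d rx_fifo+%d\n", $1, dd, df
    }'
}

# Stand-alone demo on the constructed snapshots.
rx_drop_delta "$SNAP_T0" "$SNAP_T1"
```

On a live host, take the snapshots with a=$(cat /proc/net/dev), wait, b=$(cat /proc/net/dev), then call rx_drop_delta "$a" "$b".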

Wednesday, April 15, 2015

Set file format of the output capture file (.pcap)

editcap - Edit and/or translate the format of capture files
Editcap is a program that reads some or all of the captured packets from the infile, optionally converts them in various ways and writes the resulting packets to the capture outfile (or outfiles).


Example:

# editcap -F libpcap radius_00002_20150324120131.pcap  rad2.pcap

Saturday, December 20, 2014

netmap - high speed packet I/O

project home: http://info.iet.unipi.it/~luigi/netmap/


netmap / VALE is a framework for high speed packet I/O. Implemented as a kernel module for FreeBSD and Linux, it supports access to network cards (NICs), host stack, virtual ports (the "VALE" switch), and "netmap pipes". netmap can easily do line rate on 10G NICs (14.88 Mpps), moves over 20 Mpps on VALE ports, and over 100 Mpps on netmap pipes.