Network Analysis

Use lft to trace hops in the network

sudo lft <IP:PORT>
  • If you suspect that a VM or Docker container is being served on a different port, run lft against both ports and compare the results: a different path or hop count suggests that port is answered by a different host.

Find the processes associated with a port

lsof -nP -i :<port_number>

Show TCP sockets in the LISTEN state

lsof -wnP -iTCP -sTCP:LISTEN
ip
Bring an interface up
sudo ip link set eth0 up
Display the routing table
ip route show
Add a route
sudo ip route add 192.168.2.0/24 via 192.168.1.254
Delete a route
sudo ip route del 192.168.2.0/24
Add a default gateway
sudo ip route add default via 192.168.1.1
ping

Ping and TCPdump Network Analysis for RCE Detection

  • Ping your own host, either by running the command directly or as the payload of a script:

ping -c 1 10.10.14.6
  • And catch it with tcpdump:

sudo tcpdump -ni <interface> icmp

TTL Values and OS Fingerprinting

  • The TTL in a ping reply starts at an OS-specific initial value and is decremented by one at each hop the packet traverses, so the value you observe is the initial value minus the hop count. Typical initial values differ between operating systems:

  • Linux/Unix -> 64

  • Windows -> 128

  • Cisco -> 255

Send 4 packets
ping -c 4 example.com
  • ping sends ICMP Echo Request packets to the target and waits for ICMP Echo Reply packets in return.

Output Example
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.123 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.120 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.122 ms
  • TTL (Time to Live): The maximum number of hops a packet can traverse before being discarded.

  • Time: The round-trip time (RTT) for the packet to reach the destination and return.
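Reading the ttl= field from ping replies and mapping it back to the table above gives a quick passive OS guess plus an estimate of the hop distance. The following is an added example, not from the original page, run on constructed sample replies rather than a live capture; the inferred OS and hop count assume the 64/128/255 initial values listed above and are a heuristic only, since hosts can change their default TTL.

```shell
#!/bin/sh
# Added example (not from the original page): infer the probable initial
# TTL and hop distance from ping reply lines, using the 64/128/255 table above.
# The sample replies below are constructed, not captured from a live host.

# Round an observed TTL up to the nearest common initial value (64, 128 or 255).
guess_initial_ttl() {
  if [ "$1" -le 64 ]; then echo 64
  elif [ "$1" -le 128 ]; then echo 128
  else echo 255
  fi
}

# Map an initial TTL to the OS family from the table above (a heuristic only).
os_for_initial_ttl() {
  case "$1" in
    64)  echo "Linux/Unix" ;;
    128) echo "Windows" ;;
    255) echo "Cisco/network device" ;;
  esac
}

# Extract the ttl=N field from one ping reply line; prints nothing if absent.
ttl_from_line() {
  printf '%s\n' "$1" | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p'
}

# Print "<initial TTL> <hops> <OS guess>" for a reply line; return 1 if no ttl= field.
classify_reply() {
  ttl=$(ttl_from_line "$1")
  [ -n "$ttl" ] || return 1
  initial=$(guess_initial_ttl "$ttl")
  echo "$initial $((initial - ttl)) $(os_for_initial_ttl "$initial")"
}

# Constructed sample: a local Linux host, a Windows host 3 hops away,
# a Cisco device 2 hops away, and a header line that carries no ttl.
SAMPLE='64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.123 ms
64 bytes from 10.0.0.20: icmp_seq=1 ttl=125 time=4.1 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=253 time=1.2 ms
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
  classify_reply "$line" || true
done
```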

ss
Listening ports & services
ss -tuln
Listening ports + owning process (root is needed to see processes of other users)
sudo ss -tulnp | grep <PID>
Trace the network path
traceroute example.com
tripwire
Initialize the Tripwire database
sudo tripwire --init
Check the integrity of the system
sudo tripwire --check
Update the database from the last check report (the check itself writes the report)
sudo tripwire --update