Netstat

In [1]:
netstat --interfaces  # per-interface RX/TX packet, error and drop counters
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
enp3s0     1500 0    555086      0      0 0        563301      0      0      0 BMRU
lo        65536 0    197296      0      0 0        197296      0      0      0 LRU
In [11]:
netstat --route --numeric  # kernel IP routing table, addresses kept numeric (no reverse DNS)
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp3s0
In [8]:
traceroute 8.8.4.4 | head -n 2  # header line plus the first hop only
traceroute to 8.8.4.4 (8.8.4.4), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.444 ms  0.486 ms  0.551 ms
In [23]:
netstat --tcp --udp | head -n 4 | tail -n 2  # lines 3-4: skip the two header lines, show two connected sockets
tcp        0      0 localhost:46209         localhost:49724         ESTABLISHED
tcp        0      0 localhost:46209         localhost:42836         ESTABLISHED
In [21]:
netstat --all --tcp --udp | grep -i listen | head -n 4  # -a adds listening sockets; without it only connected ones (ESTABLISHED, TIME_WAIT, ...) are listed
tcp        0      0 localhost:43820         *:*                     LISTEN     
tcp        0      0 localhost:37554         *:*                     LISTEN     
tcp        0      0 localhost:48466         *:*                     LISTEN     
tcp        0      0 localhost:36696         *:*                     LISTEN     
In [34]:
netstat --all --tcp --udp --extend  # -e adds the User and Inode columns
In [35]:
netstat --extend --listening --tcp | head -n 4  # listening TCP sockets only, with owner info
In [42]:
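netstat -tn | grep ':22 '  # trailing space anchors the port so :220, :2222 and similar do not match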
tcp        0      0 192.168.56.1:50076      192.168.56.12:22        ESTABLISHED
In [46]:
netstat --tcp | grep -i ssh  # without -n ports are shown as service names, so port 22 appears as ssh
tcp        0      0 192.168.56.1:50076      192.168.56.12:ssh       ESTABLISHED
In [48]:
netstat --statistics  # per-protocol counter summary
In [56]:
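netstat -plt | grep --color=no 'python' | head -n 2  # -p adds PID/program; the old '| tail -2' after a 2-line head was a no-op. Non-root sees only its own processes (hence the warning below)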
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 localhost:43820         *:*                     LISTEN      13525/python3   
tcp        0      0 localhost:37554         *:*                     LISTEN      13525/python3   
In [ ]:
# "peanut" is the mnemonic: -p program, -e extended, -a all, -n numeric, -u udp, -t tcp
sudo netstat -p -e -a -n -u -t

SS

In [7]:
ss --tcp --numeric | head -n 3  # header plus the first two TCP sockets
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
ESTAB      0      0      127.0.0.1:42658              127.0.0.1:51951              
ESTAB      0      0      127.0.0.1:43614              127.0.0.1:53910              
In [12]:
ss --udp --listening --numeric --all  # UDP has no connections, hence every entry is UNCONN
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
UNCONN     0      0      127.0.0.1:53                       *:*                  
UNCONN     0      0            *:68                       *:*                  
In [43]:
ss --numeric --tcp '( dport = :80 or dport = :443 )' src 192.168.1.0/24 dst 54.229.110.0/24  # filter: web-port flows from the LAN towards that /24
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
ESTAB      0      0      192.168.1.102:47372              54.229.110.205:443                
In [5]:
ss --listening --numeric --udp sport = :domain  # UDP listeners bound to the DNS port
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
UNCONN     0      0      127.0.0.1:53                       *:*                  
In [17]:
ss --listening --processes | grep python | head -n 1  # -p adds the owning process/pid/fd; non-root may only see its own processes
tcp    LISTEN     0      100    127.0.0.1:37774                 *:*                     users:(("python3",pid=6821,fd=23))
In [10]:
ss --listening --udp --processes  # UDP listeners with their owning process
State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port                
UNCONN     0      0      127.0.0.1:domain                   *:*                    
UNCONN     0      0          *:bootpc                   *:*                    

Nmap

In [68]:
nmap 192.168.0.1  # single host, nmap defaults
In [69]:
nmap 192.168.0.0-3  # the same four hosts as 192.168.0.0/30; other target forms: 192.168.0.*, 192.168.0.0-80, --exclude 192.168.1.100
# nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt   (targets and exclusions read from files)
In [ ]:
nmap --excludefile ./excludeLst -iL ./listToScan  # targets from a file, minus the hosts in the exclude file
In [ ]:
nmap -p80 192.168.0.1  # a single port
In [ ]:
nmap -p 80-800 192.168.0.1  # a port range
In [77]:
nmap -sV -p 80,443,22,23,20-21 192.168.0.1 | head -n 10 | tail -n 6  # -sV probes each open port for service/version; the pipe keeps lines 5-10 (the port table)
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd 2.0.8 or later
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  closed http
In [ ]:
sudo nmap 192.168.0.1 -O  # OS detection; sends raw packets, hence sudo
In [78]:
nmap 192.168.1.1 -p 80  # port 80 on one host
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-21 02:14 IRST
Nmap scan report for 192.168.1.1
Host is up (0.00052s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
In [9]:
nmap -F --reason 192.168.1.1  # -F: fast mode (fewer ports); --reason: show the evidence behind each port state
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-24 02:10 IRDT
Nmap scan report for 192.168.1.1
Host is up, received syn-ack (0.0083s latency).
Not shown: 98 closed ports
Reason: 98 conn-refused
PORT   STATE SERVICE REASON
53/tcp open  domain  syn-ack
80/tcp open  http    syn-ack

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
In [26]:
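nmap -sn 192.168.1.1,100,102  # host discovery only, no port scan; -sn is the current spelling of the older -sP (still accepted). Targets may also be /24 or 0-20 style ranges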
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-24 02:23 IRDT
Nmap scan report for 192.168.1.1
Host is up (0.00064s latency).
Nmap scan report for 192.168.1.102
Host is up (0.00013s latency).
Nmap done: 3 IP addresses (2 hosts up) scanned in 1.20 seconds
In [16]:
nmap -vvv -p 80 192.168.1.1  # very verbose output
In [24]:
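nmap --iflist | grep 'vbox.*1$'  # interfaces and routes; pattern quoted so the shell cannot glob-expand the '*' against files in the cwd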
vboxnet1 (vboxnet1) (none)/0                    ethernet down 1500  0A:00:27:00:00:01
In [42]:
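sudo nmap -sT -sU 127.0.0.1 -p T:8888,U:53 | grep open  # -sT tcp connect, -sU udp; the udp scan sends raw packets and nmap refuses it unprivileged, which '| grep open' would hide — run it with sudo like the -sU example further down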
8888/tcp open  sun-answerbook
In [68]:
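nmap --top-ports 5 192.168.1.1 | grep -E 'open|close'  # grep -E replaces the deprecated egrep spelling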
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp closed https
In [70]:
nmap 127.0.0.1 -f  # split probes into tiny IP fragments; a raw-packet option, so expect it to need root like the sudo examples on this page
In [72]:
nmap 127.0.0.1 --spoof-mac 0 | grep Spo  # 0 = random MAC; only the "Spoofing MAC address" line is kept
Spoofing MAC address 9F:E3:A6:2F:EC:13 (No registered vendor)
In [ ]:
sudo nmap -n --spoof-mac 0 -D 127.0.0.1,127.0.0.2,127.0.0.3 192.x.x.1  # -n: no reverse DNS; -D: decoy source list; 192.x.x.1 is a placeholder target
In [ ]:
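nmap -PU TARGET  # TARGET is a placeholder (host or range) — without one nmap only prints its usage. -PU does host discovery with UDP probes, for hosts whose ICMP/TCP pings are filtered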

nc / netcat

The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets.
It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.

In [19]:
nc -z -v 192.168.1.1 53 80  # -z: connect and close without sending data; -v: report the result per port
Connection to 192.168.1.1 53 port [tcp/domain] succeeded!
Connection to 192.168.1.1 80 port [tcp/http] succeeded!
In [23]:
nc -v -z 192.168.1.1 53-80 2>&1 | grep -v -i ref  # nc reports on stderr, so merge it into stdout before dropping the refused ports
Connection to 192.168.1.1 53 port [tcp/domain] succeeded!
Connection to 192.168.1.1 80 port [tcp/http] succeeded!
In [ ]:
nc towel.blinkenlights.nl telnet  # star wars; the service name "telnet" resolves to port 23
In [1]:

nc: getaddrinfo: Temporary failure in name resolution

In [ ]:
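# simple chat: both ends must use the same port (the original listened on 6030 but connected to 6033; 6033 is what the later cells use)
nc -l 6033        # srv: listen on 6033
nc 127.0.0.1 6033 # client: connect to it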
In [25]:
# before the file transfer below, check that nothing is already bound to 6033 (an empty table is what we want)
ss sport = 6033
Netid  State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port                
In [ ]:
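pv slackware.iso | nc -l 6033            # srv: pv reads the file and shows progress; the extra cat was redundant
nc 127.0.0.1 6033 > slackware-copy.iso   # client: write to a different name — on the same host '>' would truncate the file being served
sha256sum slackware.iso slackware-copy.iso  # nc neither authenticates the peer nor checks integrity, so compare digests after the transfer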
In [2]:
nc -u -l -4 8080  # -u: udp instead of the default tcp; -l: listen; -4: ipv4 only
In [5]:
ss --listening --udp src 127.0.0.1 sport = http-alt  # http-alt = 8080
State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port                
UNCONN     0      0      127.0.0.1:http-alt                 *:*                    

ncat

In [ ]:
ncat --listen --telnet --keep-open 127.0.0.1 40601  # -k keeps accepting after a client disconnects (nc -k does the same); -t answers telnet negotiation
In [49]:
nmap -p40601 127.0.0.1 | grep open  # confirm the ncat listener is reachable
40601/tcp open  unknown
In [50]:
ss --tcp --listening sport = 40601  # the same listener seen from the socket table
State      Recv-Q Send-Q Local Address:Port                 Peer Address:Port                
LISTEN     0      10     127.0.0.1:40601                    *:*                    
In [ ]:
ncat --listen --keep-open --udp 127.0.0.1 40401 --exec /bin/bash --allow 127.0.0.1 --max-conns 2  # --exec hands /bin/bash to every peer ncat accepts; binding 127.0.0.1 plus --allow 127.0.0.1 confine that to this host, --max-conns 2 caps concurrent clients
In [60]:
netstat --listening --udp --all --numeric | grep 40401  # the UDP socket ncat bound
udp        0      0 127.0.0.1:40401         0.0.0.0:*                          
In [65]:
sudo nmap --reason -sU -p 40401 127.0.0.1  # udp scan of the port ncat bound; --reason shows the evidence for the reported state

In [ ]:
Resources:

man netstat
man nmap
man ss
man netcat (nc is the same tool)
man ncat

Lecture notes

License

Creative Commons License

Linux Notes by Milad As (Ravexina) is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


ravexina's gitlab

ravexina's github