Shashikant shah

Sunday, 4 November 2012

LSOF (List Open File)


It is a command line utility which is used to list the information about the files that are opened by various processes. In linux, everything is a file, ( pipes, sockets, directories, devices, etc.). So by using lsof, you can get the information about any opened files.

COMMAND - process name.

PID - process ID

USER - Username

FD – Represents the file descriptor

  1. cwd – Current Working Directory
  2. txt – Text file
  3. mem – Memory mapped file
  4. mmap – Memory mapped device
  5. NUMBER – Represent the actual file descriptor. The character after the number i.e ’1u’, represents the mode in which the file is opened. r for read, w for write, u for read and write
TYPE – Specifies the type of the file.
  1. REG – Regular File
  2. DIR – Directory
  3. FIFO – First In First Out
  4. CHR – Character special file
DEVICE - device number

SIZE - file size

NODE - node number

NAME - full path of the name

  1. /proc/PID/cmdline : process arguments
  2. /proc/PID/cwd : process current working directory (symlink)
  3. /proc/PID/exe : path to actual process executable file (symlink)
  4. /proc/PID/environ : environment used by process
  5. /proc/PID/root : the root path as seen by the process. For most processes this will be a link to / unless the process is running in a chroot jail.
  6. /proc/PID/status : basic information about a process including its run state and memory usage.
  7. /proc/PID/task : hard links to any tasks that have been started by this (the parent) process.


Install lsof service.

Yum install lsof*

1.List processes which opened a specific file

# lsof /var/log/syslog


2.List opened files under a directory

# lsof +D /var/log/

3.List opened files based on process names starting with

# lsof -c ssh -c init

4.List processes using a mount point

# lsof /home

5.List files opened by a specific user

# lsof -u username

6.Sometimes you may want to list files opened by all users, expect some 1 or 2. In that case you can use the ‘^’ to exclude only the particular user as follows

# lsof -u ^username

7.List all open files by a specific process

# lsof -p PID

8.List all the users who are using a particular file

# lsof /bin/vi

9.Lists all processes that use the bash shell

# lsof /bin/bash

10.Lists all opened files that are not opened by the given user

# lsof -u ^user

11.Process list a la ps aux

# lsof -d txt

12.Lists all deleted files,that are still opened and use up disk space(files with less than one link)
# lsof +L1

Finding Network Connection


1.List all network connections (You can also use ‘-i4′ or ‘-i6′ to list only)

# lsof -i

2.List all network files in use by a specific process

# lsof -i -a -p 234
OR
# lsof -i -a -c ssh

3.List processes which are listening on a particular port

# lsof -i :25

4.List all TCP or UDP connections

# lsof -i tcp; lsof -i udp;

5.List all Network File System ( NFS ) files

# lsof -N -u username -a

6.Lists all network files opened by the user www-data (boolean and with -a)

# lsof -a -i -u www-data

7.Lists all active connections

# lsof -i|grep '\->'





Install NMAP (Network Mapper) and Zenmap




Mmap is a powerfull scanner available in Linux system. We can findout, all the ways a computer communicates with other computers on a network.

Features of Nmap :-

1. Flexible :- advanced techniques for mapping out networks filled with IP filters, firewalls, routers.
This includes many port scanning TCP and UDP, and OS detection, version detection.

2. Powerful :- Nmap has been used to scan huge networks of literally hundreds of thousands of
machines.

3. Portable :- Most operating systems are supported, including Linux, Microsoft Windows,
FreeBSD, OpenBSD, Solaris, Mac OS X, HP-UX, NetBSD, Sun OS.

4. Easy :- Easy to operting Nmap .E.g – <nmap – A -V target>. You can used Zenmap is a GUI.

5. free :- It is a free Nmap.

6. Popular :- Thousands of people download Nmap every day. and it is included with many
operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc).


Advantage of Nmap :-

1. Find computers on a network.

2. Find open ports on those computers.

3. Find out, what services are using those ports.

4. Find out, what operating system is on the computers.

5. Find out, detection application name and version number.

6. Raw Socket (sending) :- The system API for sending custom packets is called raw sockets.
Unfortunately this sockets can't be used to listen for raw packets on the wire.

7. NSE :- Let a programmer choose what to do with the services it finds. The programmer can write
Nmap Scripting Engine programs in the Lua Programming language.

8. Three way handshake on tcp/ip.

a) SYN (Synchronous) :- The active open is performed by the client sending a SYN to the server.
the client sets the segment's sequence number to a random value A.

b) SYN-ACK (acknowledgment) :- In response, the server replies with a SYN-ACK. The
acknowledgment number is set to one more than the received sequence
number (A + 1), and the sequence number that the server chooses for the
packet is another random number, B.

c) ACK (acknowledgment) :- Finally, the client sends an ACK back to the server. The sequence
number is set to the received acknowledgement value i.e. A + 1, and the
acknowledgement number is set to one more than the received sequence
number i.e. B + 1.

9. Graphical interface Nmap.

Zenmap used.

Syntax :-
 
nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
-iL
Input from list of hosts/networks
-iR
Choose random targets
--exclude <host1[,host2][,host3],...>
Exclude hosts/networks
--excludefile <exclude_file>
Exclude list from file

HOST DISCOVERY:
-sL
List Scan - list targets to scan
-sP
Ping Scan - go no further than determining if host is online
-P0
Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]
TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM
ICMP echo, timestamp, and netmask request discovery probes
-n/-R
Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>
Specify custom DNS servers
--system-dns
Use OS's DNS resolver


SCAN TECHNIQUES:
-sS/sT/sA/sW/sM
TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX
TCP Null, FIN, and Xmas scans
--scanflags <flags>
Customize TCP scan flags
-sI <zombie host[:probeport]>
Idlescan
-sO
IP protocol scan
-b <ftp relay host>
FTP bounce scan


PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>
Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F
Fast - Scan only the ports listed in the nmap-services file)
-r
Scan ports consecutively - don't randomize


SERVICE/VERSION DETECTION:
-sV
Probe open ports to determine service/version info
--version-intensity <level>
Set from 0 (light) to 9 (try all probes)
--version-light
Limit to most likely probes (intensity 2)
--version-all
Try every single probe (intensity 9)
--version-trace
Show detailed version scan activity (for debugging)


OS DETECTION:
-O
Enable OS detection
--osscan-limit
Limit OS detection to promising targets
--osscan-guess
Guess OS more aggressively


TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5]
Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>
Parallel host scan group sizes
--min-parallelism/max-parallelism <time>
Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>
Specifies probe round trip time.
--max-retries <tries>
Caps number of port scan probe retransmissions.
--host-timeout <time>
Give up on target after this long
--scan-delay/--max-scan-delay <time>
Adjust delay between probes


FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>
fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>
Cloak a scan with decoys
-S <IP_Address>
Spoof source address
-e <iface>
Use specified interface
-g/--source-port <portnum>
Use given port number
--data-length <num>
Append random data to sent packets
--ttl <val>
Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>
Spoof your MAC address
--badsum
Send packets with a bogus TCP/UDP checksum


OUTPUT:
-oN/-oX/-oS/-oG <file>
Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA <basename>
Output in the three major formats at once
-v
Increase verbosity level (use twice for more effect)
-d[level]
Set or increase debugging level (Up to 9 is meaningful)
--packet-trace
Show all packets sent and received
--iflist
Print host interfaces and routes (for debugging)
--log-errors
Log errors/warnings to the normal-format output file
--append-output
Append to rather than clobber specified output files
--resume <filename>
Resume an aborted scan
--stylesheet <path/URL>
XSL stylesheet to transform XML output to HTML
--webxml
Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet
Prevent associating of XSL stylesheet w/XML output

MISC:
-6
Enable IPv6 scanning
-A
Enables OS detection and Version detection
--datadir <dirname>
Specify custom Nmap data file location
--send-eth/--send-ip
Send using raw ethernet frames or IP packets
--privileged
Assume that the user is fully privileged
-V
Print version number


1.IP Scanning with range

# nmap -sP 192.168.0.0/24

# nmap -sP 192.168.0.1-254

2.Port Scanning with range port 100 – port 200

# nmap 192.168.0.11 -p100-200

# nmap -p21,22,80 192.168.0.123

3.Scanning Operating system on target IP

# nmap -O 192.168.0.11

4.nmap Faster Execution faster scan, use -T4

# nmap -A -T4 192.168.0.11

5.Version detection

# nmap -A -T4 -F 192.168.0.123

# nmap -A -T4 192.168.0.123

6.Choose between TCP and UDP protocol

# nmap -p T:3000-4000 192.168.0.123

7.Chek Only UDP

# nmap -sU 192.168.0.123

8.check Only TCP SYN (half-open) scanning

# nmap -sS 192.168.0.123
# nmap -sS 192.168.0.0/24


9.nmap TCP FIN scanning

# nmap -v -sF 192.168.0.0/24

10.nmap TCP Xmas tree scanning
Useful to see if firewall protecting against this kind of attack or not:

# nmap -v -sX 192.168.0.0/24

11.nmap TCP Windows scanning

# nmap -v -sW 192.168.0.0/24

12.nmap TCP RPC scanning

# nmap -v -sR 192.168.0.0/24

13.nmap remote software version scanning

# nmap -v -sV 192.168.0.0/24


-: Graphical interface :-

Application -> SystemTools -> NmapFE

OR

Same version nmap and zenmap.

# wget nmap.org/dist/zenmap-6.01-1.noarch.rpm

rpm -ivh zenamp-6.01-1.noarch.rpm