Power of the Linux ip, netstat, and route Utilities
These tools form the heart of UNIX routing configuration and observation. However, they provide far more features than can be discussed in this text. For details and operating system variations beyond the most important facilities, consult the manual pages. We will heavily rely on these tools and introduce features as we proceed.

Linux provides a new approach to unified administration via the iproute2 facility (see Example 7-10). The command itself is called ip. You can get help for the ip tool by typing ip help. This also works at sublevels. Example 7-10 prints the interface statistics equivalent to ifconfig, the link status, the routing table, and its neighbors from a MAC point of view.

Example 7-10. Linux ip Facility

[root@callisto:~#] ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
where  OBJECT := { link | addr | route | rule | neigh | tunnel |
                   maddr | mroute | monitor }
       OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] |
                    -f[amily] { inet | inet6 | ipx | dnet | link } | -o[neline] }

[root@callisto:~#] ip -s addr
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:d7:93:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.14.1/24 brd 192.168.14.255 scope global eth0
3: eth1: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 52:54:05:e3:51:87 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1

[root@callisto:~#] ip -s link
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    4834       66       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    4834       66       0       0       0       0
2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:d7:93:60 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    21850      265      0       0       0       0
3: eth1: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 52:54:05:e3:51:87 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    3246131    5550     0       0       0       151
    TX: bytes  packets  errors  dropped carrier collsns
    609700     5029     0       0       0       78

[root@callisto:~#] ip -s route
192.168.1.0/24 dev eth1 scope link
192.168.14.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.254 dev eth1

[root@callisto:~#] ip -s neigh
192.168.1.2 dev eth1 lladdr 08:00:46:64:74:1b ref 1 used 19/0/18 nud reachable
192.168.1.254 dev eth1 lladdr 48:54:e8:8c:0a:3f ref 13 used 193/220/325 nud stale

Example 7-11 demonstrates several different ways of printing the routing table. Examples 7-11 through 7-18 present various examples of the netstat and route utilities and explain the abbreviations used in the UNIX routing tables (collected from different man pages). As usual, consult the command's manual pages for further details.

Example 7-11. Linux netstat and route in Action

[root@callisto:~#] netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
192.168.14.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG       40 0          0 eth1

[root@callisto:~#] route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.14.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1

[root@callisto:~#] route -een
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1     40 0      0
192.168.14.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0     40 0      0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo       40 0      0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1     40 0      0

Example 7-12. Possible Routing Table Flags (Linux)

U  route is up
H  target is a host
G  use gateway
R  reinstate route for dynamic routing
D  dynamically installed by daemon or redirect
M  modified from routing daemon or redirect
A  installed by addrconf
C  cache entry
!  reject route

Example 7-13. Possible Routing Table Flags (FreeBSD)

1  RTF_PROTO1      Protocol specific routing flag #1
2  RTF_PROTO2      Protocol specific routing flag #2
3  RTF_PROTO3      Protocol specific routing flag #3
B  RTF_BLACKHOLE   Just discard pkts (during updates)
b  RTF_BROADCAST   The route represents a broadcast address
C  RTF_CLONING     Generate new routes on use
c  RTF_PRCLONING   Protocol-specified generate new routes on use
D  RTF_DYNAMIC     Created dynamically (by redirect)
G  RTF_GATEWAY     Destination requires forwarding by intermediary
H  RTF_HOST        Host entry (net otherwise)
L  RTF_LLINFO      Valid protocol to link address translation
M  RTF_MODIFIED    Modified dynamically (by redirect)
R  RTF_REJECT      Host or net unreachable
S  RTF_STATIC      Manually added
U  RTF_UP          Route usable
W  RTF_WASCLONED   Route was generated as a result of cloning
X  RTF_XRESOLVE    External daemon translates proto to link address

Example 7-14. Possible Routing Table Flags (OpenBSD)

1  RTF_PROTO1      Protocol specific routing flag #1.
2  RTF_PROTO2      Protocol specific routing flag #2.
3  RTF_PROTO3      Protocol specific routing flag #3.
B  RTF_BLACKHOLE   Just discard pkts (during updates).
C  RTF_CLONING     Generate new routes on use.
D  RTF_DYNAMIC     Created dynamically (by redirect).
G  RTF_GATEWAY     Destination requires forwarding by intermediary.
H  RTF_HOST        Host entry (net otherwise).
L  RTF_LLINFO      Valid protocol to link address translation.
M  RTF_MODIFIED    Modified dynamically (by redirect).
R  RTF_REJECT      Host or net unreachable.
S  RTF_STATIC      Manually added.
U  RTF_UP          Route usable.
X  RTF_XRESOLVE    External daemon translates proto to link address.

Example 7-15. OpenBSD route in Action

[root@ganymed:~#] route -nv show
Routing tables

Internet:
Destination        Gateway              Flags
default            111.11.117.1         UG
127.0.0.0          127.0.0.1            UG
127.0.0.1          127.0.0.1            UH
192.168.1.0        link#1               U
192.168.1.1        52:54:5:e3:51:87     UH
192.168.1.2        8:0:46:64:74:1b      UH
192.168.2.0        link#2               U
192.168.2.7        0:10:5a:c4:2c:4      UH
192.168.44.1       192.168.44.1         UH
192.168.45.0       link#1               U
111.11.117.0       link#3               U
111.11.117.1       0:5:9a:5b:23:fc      UH
111.11.117.206     127.0.0.1            UGH

Example 7-16. OpenBSD netstat

[root@ganymed:~#] netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway              Flags   Refs   Use   Mtu   Interface
default            111.11.117.1         UGS        3  7564  1500   ne5
127/8              127.0.0.1            UGRS       0     0 33224   lo0
127.0.0.1          127.0.0.1            UH         2     0 33224   lo0
192.168.1/24       link#1               UC         0     0  1500   ne3
192.168.1.1        52:54:5:e3:51:87     UHL        0  5450  1500   ne3
192.168.1.2        8:0:46:64:74:1b      UHL        1  2840  1500   ne3
192.168.2/24       link#2               UC         0     0  1500   ne4
192.168.2.7        0:10:5a:c4:2c:4      UHL        0   652  1500   ne4
192.168.44.1       192.168.44.1         UH         0     0 33224   lo1
192.168.45/24      link#1               UC         0     0  1500   ne3
111.11.117/24      link#3               UC         0     0  1500   ne5
111.11.117.1       0:5:9a:5b:23:fc      UHL        1     0  1500   ne5
111.11.117.206     127.0.0.1            UGHS       0     0 33224   lo0

Example 7-17. FreeBSD netstat

[root@castor:~#] netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway              Flags   Refs   Use   Netif Expire
default            192.168.2.254        UGSc       4  1064   xl0
127.0.0.1          127.0.0.1            UH         0     0   lo0
192.168.2          link#1               UC         1     0   xl0
192.168.2.254      52:54:05:e3:e4:2f    UHLW       5    27   xl0    603
192.168.7          link#2               UC         1     0   ed0
192.168.7.254      00:00:0c:1a:a9:a8    UHLW       1    28   ed0    396

Example 7-18. Effect of Interfaces/Line Protocols Going Down

[root@callisto:~#] ifconfig eth0 down
[root@callisto:~#] route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1

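As an added Python example (not from the book), the following parses the Linux `route -n` tables of Examples 7-11 and 7-18 and performs the longest-prefix lookup the kernel does, which shows why traffic for 192.168.14.0/24 silently falls back to the default gateway on eth1 once eth0 is down; the flag names are those of Example 7-12, and the function and variable names are this example's own.

```python
import ipaddress

# Flag letters as listed in Example 7-12 (Linux).
ROUTE_FLAGS = {"U": "route is up", "H": "target is a host", "G": "use gateway",
               "R": "reinstate route for dynamic routing",
               "D": "dynamically installed by daemon or redirect",
               "M": "modified from routing daemon or redirect",
               "A": "installed by addrconf", "C": "cache entry", "!": "reject route"}

# `route -n` output from Example 7-11, and the same table after
# `ifconfig eth0 down` (Example 7-18), re-typed here as test input.
ROUTES_UP = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.14.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1
"""
ROUTES_ETH0_DOWN = "\n".join(l for l in ROUTES_UP.splitlines() if "eth0" not in l)

def parse_route_n(text):
    """Parse Linux `route -n` / `netstat -rn` / `route -een` output.
    In all three layouts Iface is the eighth column (index 7)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():   # skip title and header lines
            continue
        routes.append({"net": ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False),
                       "gw": None if f[1] == "0.0.0.0" else f[1],
                       "flags": f[3], "dev": f[7]})
    return routes

def lookup(routes, destination):
    """Longest-prefix match: the most specific route whose network contains
    `destination` wins, which is how the kernel selects a route."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r["net"].prefixlen)
    return {"via": best["gw"], "dev": best["dev"],
            "flags": [ROUTE_FLAGS[c] for c in best["flags"] if c in ROUTE_FLAGS]}
```

`lookup(parse_route_n(ROUTES_UP), "192.168.14.5")` selects eth0 directly, while the same call on `ROUTES_ETH0_DOWN` returns the default route via 192.168.1.254 on eth1.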

ARP-Related Tools
ARP is an important protocol both from a networking and a security point of view. From a practical point of view, it often becomes an issue when changing network adapters, dealing with HSRP/VRRP (Hot Standby Router Protocol/Virtual Router Redundancy Protocol), and dealing with static NAT entries of firewalls. Modern ARP sniffers and spoofing utilities can cause havoc even in switched environments. Note that due to the lack of security within the ARP protocol, ARP replies are generally accepted without hesitation.

Among the most interesting tools are iptraf (see Figure 7-1) and ettercap (Figure 7-2). iptraf includes a LAN station (MAC) monitor, traffic statistics, and helpful statistics about protocol families (TCP/UDP/IP/ICMP) and packet sizes. ettercap is a versatile tool in switched and nonswitched environments. You can use it for ARP poisoning, man-in-the-middle attacks, OS fingerprinting, sniffing, and other tasks.

Other interesting standard command-line utilities are discussed in the following list and demonstrated in Example 7-19.

arpwatch/arpmonitor

arpoison

arpspoof (part of the dsniff package)

arping

arp-sk

For details, consult the man pages. Example 7-19 presents the arping tool, which combines the well-known ping behavior with ARP information. arp-sk is a flexible and versatile tool to dig deep into ARP statistics and ARP simulation. Finally, arpwatch and arpmonitor turn your workstation into a monitoring station for ARP traffic.

Example 7-19. Some Examples of ARP Monitoring

[root@callisto:~#] arping
Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
  -f : quit on first reply
  -q : be quiet
  -b : keep broadcasting, don't go unicast
  -D : duplicate address detection mode
  -U : Unsolicited ARP mode, update your neighbours
  -A : ARP answer mode, update your neighbours
  -V : print version and exit
  -c count : how many packets to send
  -w timeout : how long to wait for a reply
  -I device : which ethernet device to use (eth0)
  -s source : source ip address
  destination : ask for what ip address

[root@callisto:~#] arping -I eth1 192.168.1.254
ARPING 192.168.1.254 from 192.168.1.1 eth1
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.941ms
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.871ms
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.882ms
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.889ms
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.877ms
Sent 5 probes (1 broadcast(s))
Received 5 response(s)

[root@callisto:~#] arp-sk
arp-sk version 0.0.15 (Sun Dec 1 18:35:24 CET 2002)
Author: Frederic Raynal

Usage: arp-sk
  -w --who-has          send a ARP Who-has
  -r --reply            send a ARP Reply
  -p --arping           (bad) RARP emulation (NOT YET IMPLEMANTED)
  -m --arpmim           Man in the Middle (NOT YET IMPLEMANTED)

  -d --dst              dst in link layer ()
  -s --src              dst in link layer ()
     --rand-hwa         set random addresses in link header
     --rand-hwa-dst     set random dst in link header
     --rand-hwa-src     set random src in link header

  -D --arp-dst          dst in ARP message ([hostname | hostip][:MAC])
  -S --arp-src          dst in ARP message ([hostname | hostip][:MAC])
     --rand-arp         set random addresses in ARP message
     --rand-arp-dst     set random dst addresses in ARP message
     --rand-arp-src     set random src addresses in ARP message
     --rand-arp-hwa-dst set random dst MAC address in ARP message
     --rand-arp-log-dst set random dst IP address in ARP message
     --rand-arp-hwa-src set random src MAC address in ARP message
     --rand-arp-log-src set random src IP address in ARP message

  -i --interface        specify interface (eth0)
  -c --count            # of packets to send (infinity)
  -t --time             wait the specified number of seconds between sending \
                        each packet (or X micro seconds with -t uX)
     --rand-time        randomize the sending period of the packets
     --beep             beeps for each packet sent
  -a --addr-spaces      addresses to use in the ARP packet (eth/ip)
  -n --network          broadcast address to use for icmp-timestamp
     --use-ts           an icmp-timestamp is sent to resolve MAC to IP
  -N --call-dns         force address resolution in outputs (default is off)
  -V --version          print version and exit
  -h --help             this help :)

[root@callisto:~#] arp-sk -i eth1 192.168.1.254
- Warning: no mode given, using default.
+ Running mode "reply"
+ Ifname: eth1
+ Source MAC: 52:54:05:e3:51:87
+ Source ARP MAC: 52:54:05:e3:51:87
+ Source ARP IP : 192.168.1.1
+ Target MAC: ff:ff:ff:ff:ff:ff
+ Target ARP MAC: ff:ff:ff:ff:ff:ff
+ Target ARP IP : 255.255.255.255

--- Start classical sending ---
TS: 18:48:45.447550
To: ff:ff:ff:ff:ff:ff From: 52:54:05:e3:51:87 0x0806
    ARP For 255.255.255.255 (ff:ff:ff:ff:ff:ff):
        192.168.1.1 is at 52:54:05:e3:51:87

TS: 18:48:50.445497
To: ff:ff:ff:ff:ff:ff From: 52:54:05:e3:51:87 0x0806
    ARP For 255.255.255.255 (ff:ff:ff:ff:ff:ff):
        192.168.1.1 is at 52:54:05:e3:51:87

--- 255.255.255.255 (ff:ff:ff:ff:ff:ff) statistic ---
To: ff:ff:ff:ff:ff:ff From: 52:54:05:e3:51:87 0x0806
    ARP For 255.255.255.255 (ff:ff:ff:ff:ff:ff):
        192.168.1.1 is at 52:54:05:e3:51:87
Total time: 10 sec

[root@callisto:~#] arpwatch -?
Version 2.1a11
usage: arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file]

###### arpwatch running in debug mode without detaching from terminal ######

[root@callisto:~#] arpwatch -i eth1 -d

From: arpwatch (Arpwatch)
To: root
Subject: new station (callisto)

            hostname: callisto
          ip address: 192.168.1.1
    ethernet address: 52:54:5:e3:51:87
     ethernet vendor:
           timestamp: Saturday, January 31, 2004 19:02:40 +0100

[root@callisto:~#] arpmonitor
-i ????
Usage mode:
./arpmonitor -i -s|e -p
  -i , interface to check
  -s or -e , output: yslog or stdrr - default: syslog
  -p setup promisc mode (auto clean on ctrl-C) - default: no promisc mode

[root@callisto:~#] arpmonitor -i eth1 -e
eth1ArpMonitor: Initializing...
ArpMonitor: HW address: 52:54:05:E3:51:87
ArpMonitor: IP address: 192.168.1.1
ArpMonitor: Netmask : 255.255.255.0
ArpMonitor: Broadcast : 192.168.1.255
ArpMonitor: received SIGINT, giving up

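The arpwatch-style monitoring just shown can be reproduced from the kernel's own neighbor table. As an added Python example (not from the book or any of the tools above), the following compares two `ip -s neigh` snapshots in the format of Example 7-10 and reports the events arpwatch mails about (new station, changed ethernet address) plus one MAC answering for several IPs; the second snapshot is constructed for illustration, and all function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Matches one `ip neigh` / `ip -s neigh` line that carries a link-layer
# address; INCOMPLETE/FAILED entries have no lladdr and are ignored.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)

# Snapshot 1: the two neighbors printed in Example 7-10.
SNAP_1 = """\
192.168.1.2 dev eth1 lladdr 08:00:46:64:74:1b ref 1 used 19/0/18 nud reachable
192.168.1.254 dev eth1 lladdr 48:54:e8:8c:0a:3f ref 13 used 193/220/325 nud stale
"""
# Snapshot 2 (constructed, not from the book): the gateway entry now carries
# the MAC of host 192.168.1.2, a new host appeared, and one lookup failed.
SNAP_2 = """\
192.168.1.2 dev eth1 lladdr 08:00:46:64:74:1b ref 1 used 2/0/1 nud reachable
192.168.1.254 dev eth1 lladdr 08:00:46:64:74:1b ref 13 used 1/0/1 nud reachable
192.168.1.7 dev eth1 lladdr 00:11:22:33:44:55 ref 1 used 5/5/5 nud reachable
192.168.1.9 dev eth1  FAILED
"""

def parse_neigh(text):
    """Return {ip: (mac, dev)} for every neighbor that has a lladdr."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = (m.group(3).lower(), m.group(2))
    return table

def arp_events(previous, current):
    """Compare two neighbor snapshots and report arpwatch-style events."""
    events = []
    for ip, (mac, _dev) in sorted(current.items()):
        if ip not in previous:
            events.append(("new station", ip, mac))
        elif previous[ip][0] != mac:
            events.append(("changed ethernet address", ip,
                           f"{previous[ip][0]} -> {mac}"))
    # One MAC answering for several IPs is what a poisoned cache looks like
    # from the victim's side: the gateway and a host share a hardware address.
    by_mac = defaultdict(list)
    for ip, (mac, _dev) in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            events.append(("duplicate mac", mac, ",".join(sorted(ips))))
    return events
```

`arp_events(parse_neigh(SNAP_1), parse_neigh(SNAP_2))` yields one changed-address event for the gateway, one new-station event for 192.168.1.7 and one duplicate-MAC event; running it periodically against live `ip -s neigh` output gives a minimal arpwatch without promiscuous capture.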
Lab 7-1: ARP Security Issues
This lab's task is to experiment with networking and security issues of the various manifestations of the ARP protocol. As already mentioned, this book pretty much excludes security discussions and has a different focus. However, every aspect of networking and systems administration has related security aspects as well. Equipped with tools such as ettercap, arping, arp-sk, and the toolbox of Chapter 6, try to get a feeling of how easy or difficult it is to do the following:

MAC spoofing

ARP spoofing

ARP cache poisoning

MAC-based DoS (denial of service)

Man-in-the-middle attacks

Proxying and hijacking

Study networking aspects such as the proxy ARP behavior of your operating system and derive a security policy to cope with threats and weaknesses originating from the ARP suite of protocols. For hints, inspiration, and guidance, look at the sources mentioned in the "Recommended Reading" section at the end of this chapter.
