Network Utility Programs

1-28-2015
For this class, there will be homework exercises requiring the use of:

   nmap, ping, traceroute, tcpdump, wireshark, nslookup (or "host" or "dig"), whois (installed with dig), ssh, and telnet.

The best way to run network utilities is under UNIX (Linux, or Mac OS X in "Terminal" or "X11").  The most useful are installed with the OS (traceroute, ping, netstat, nslookup, dig, whois, tcpdump, ...).  "wireshark" can be selected as a network utility during a Linux install.  Instructions on use can be obtained from the "man" pages (for manual) by typing "man program-name" at the command line.

Wireshark - Network monitor program, can be installed on Linux, Mac or Windows - http://wireshark.org

nmap, a port-scanning tool (http://www.insecure.org/nmap/) (Windows also)

GnuPG - GNU Privacy Guard - open source programs for using PGP -  www.gnupg.org,
http://www.csc.gatech.edu/copeland/jac/6612/pgp/2011_gpg_Macintosh.html,
http://www.csc.gatech.edu/copeland/jac/6612/pgp/2011_gpg_Windows.html

C Compiler
- gcc is standard in UNIX, Linux, and MacOS. On Windows, install cygwin (http://cygwin.com).

For Mac

To install additional UNIX applications, install MacPorts, www.macports.org , then use MacPorts to install apps (e.g., in Terminal: >sudo port install nmap).  If "sudo" does not work, do "su", root password, then >port install nmap.  You may have to first  Enable Root User (in Finder, click on Help, type "Root User" in the search box, click on "Enable Root User").  ">" indicates the Terminal prompt (which may differ and which you do not type).

Host-Based Firewall - for servers use the "Sharing" panel in "System Preferences ...".  This will allow specific open server ports, but with no restriction on incoming IP addresses.  The "/etc/hosts.allow" file appears to be recognized by the sshd server, and perhaps other servers, but only lines like "all : 130.207." or "all : 130.207.0.0/255.255.0.0" can be used (no per-server (daemon) specification, and no /16-style netmask shorthand).

The application "Little Snitch" ($25, http://www.obdev.at/products/littlesnitch/download.html) works like the Vista firewall, limiting network connections by application, ports, and IP ranges.  The rule table is built up by selections in a pop-up box whenever a new connection is attempted.  You can manually edit the rules (e.g., change 130.207.225.12 to a subnet like 130.207.0.0/16). 

I highly recommend "RBrowser" ($29, http://www.rbrowser.com/) for transferring files between Macs and/or UNIX systems, and synchronizing remote folders. It is easier than remote mounting Mac disks, and works with any remote host running an ssh server. Good GUI interface.

For Windows


Windows has ping, nslookup, telnet, and "tracert" available from the "Command Prompt"  terminal window (cmd.exe).

"Command Prompt" (terminal): Start -> Run -> type "CMD".  The program is %systemroot%\windows32\cmd.exe

Windows - UNIX environment - cygwin - http://www.cygwin.com/  When you run "setup.exe", on the "Select Packages" screen, select the optional installs of "gcc-compiler" under "development utils" to get the gcc C compiler, and "openssh" under "Net" to install the ssh terminal and ssh-keygen.  You can run "setup.exe" again later to add other UNIX programs.

cygwin will provide a good ssh terminal to access a UNIX system, but if you really want the power of a UNIX computer where you can be "root", I recommend installing the Ubuntu variant of Linux (http://www.ubuntu.com, http://www.sobell.com) as a dual-boot or virtual machine (http://www.parallels.com) on your PC. This will give you a nice GUI - desktop and windowing.

MSDNAA Website, which has Visual Studio versions 2003, 2005, and 2008: http://msdn02.e-academy.com/git_ece  You can download these for use at home, as long as you are a registered student of GA Tech.  The site requires a user name and password obtained from msdnaa-help@ece-help.gatech.edu.

"dig" and "whois" - http://members.shaw.ca/nicholas.fong/dig/  "whois" is installed when "dig" is installed.

"notepad++" for true text file editing of .bat and .conf files.  http://sourceforge.net/projects/notepad-plus/ or Google for it. Windows "Notepad" may add problematic control characters, and Wordpad and Word definitely will.

   Wireshark - Network monitor program - http://wireshark.org

   WinSCP - a SFTP and SCP client for Windows using SSH. Its main function is secure copying of files between a local and a remote computer - http://sourceforge.net/projects/winscp/

   SSH Server for Windows - sshd.  FreeSSHd - http://www.freesshd.com/ and SSHwindows - http://sourceforge.net/projects/sshwindows/

   PuTTY - a telnet and ssh client for Windows - http://www.chiark.greenend.org.uk/~sgtatham/putty/

   PingPlotter - A Windows XP program that does pings and traceroutes - http://www.pingplotter.com


You need a remote server to practice doing things over the network.  You probably already have an account on the ECE UNIX servers.


Try logging on (with SSH) to ecelinsrva.ece.gatech.edu.  See http://www.ece-help.gatech.edu/unix/index.html

Look at the tutorial: http://www.ece-help.gatech.edu/unix/tutorial/index.html

To ease logging on, look at http://www.csc.gatech.edu/copeland/jac/6612/info/SSH-No-Password-Login.txt


You can capture network traffic by saving the file from a Wireshark capture, or by capturing directly from the command line with tcpdump: http://www.tcpdump.org/.  A standard UNIX utility program, tcpdump uses the same capture filter syntax as Wireshark (both are built on libpcap). To write your own analysis programs, you need the format of these capture files: http://wiki.wireshark.org/Development/LibpcapFileFormat.
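As an added illustration of that file format (this is not code from these course notes, nor from tcpdump or Wireshark), here is a minimal Python parser for the pcap global header and the per-packet record headers, run on a constructed two-packet capture. It reads the byte order and timestamp resolution from the magic number and rejects truncated or inconsistent files, which is the first thing an analysis program should check before trusting a capture handed to it.

```python
import struct

# Magic numbers from the libpcap file format. The byte order of the magic tells you
# the byte order of every other field; the 0xa1b23c4d variant means nanosecond
# timestamps instead of microseconds.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def parse_pcap(data):
    """Parse a pcap byte string into (global header dict, list of record dicts)."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    if data[:4] not in MAGICS:
        raise ValueError("not a libpcap file: bad magic %r" % data[:4])
    endian, ts_div = MAGICS[data[:4]]
    # Global header after the magic: version_major, version_minor, thiszone,
    # sigfigs, snaplen (max bytes saved per packet), network (link-layer type).
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        # Record header: ts_sec, ts_usec (or ts_nsec), incl_len (bytes saved), orig_len (on the wire)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError("corrupt record header at offset %d" % off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append({"ts": ts_sec + ts_frac / ts_div, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return header, records

def build_sample():
    """Constructed sample capture (not a real trace): little-endian, microsecond
    timestamps, linktype 1 (Ethernet), two records, the second cut short by snaplen."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 64, 1)
    frame1 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"A" * 28  # 42-byte ARP-sized frame
    frame2 = b"\x00" * 14 + b"B" * 86                                            # 100 bytes on the wire
    rec1 = struct.pack("<IIII", 1422403200, 500000, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack("<IIII", 1422403201, 0, 64, len(frame2)) + frame2[:64]    # only snaplen bytes saved
    return hdr + rec1 + rec2
```

The same two header layouts are what tcpdump -r and Wireshark read; a record whose incl_len is smaller than its orig_len is one the capturing snaplen truncated, so the payload you analyze is incomplete.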



Up to Date Information

SANS Institute

Computer Emergency Response Taskforce (CERT)

Cisco - Security Advisories

   Cisco "Internet Protocol Journal" http://www.cisco.com/ipj/

    Example - "Handling IP Addresses" - http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-1/ip_addresses.html

IEEE Computer Society

IEEE CS Technical Committee on Security and Privacy

Slashdot

Linux Security - linuxsecurity.com, Patches at www.linuxsecurity.com/advisories/

Government Organizations

U.S. Dept. of Justice - Cyber Crime

U.S. FBI - Cyber Crime

Secure Sockets Layer (SSL) for Web data transfer

Recent Attack Information.  Netcraft.

Add SSL to a socket (e.g., add TLS to email):

socat - (http://www.dest-unreach.org/socat/)

Stunnel - (http://www.stunnel.org/)

Hacker Information

2600 magazine

Security Products

Test your Windows Configuration - Shields Up

See What Your Computer tells every Web Site you Access

Georgia Tech Security Info (free anti-virus for GT students)

Writing Secure Software

Learn Unix Commands in 10 Minutes  - ECE UNIX Tutorial

Secure Programming for Linux and Unix HOWTO

The Network Time Protocol, NTP (need accurate time for forensics)

The Official U.S. Government Time


Odds and Ends (old notes)

The best way to run network utilities is under UNIX (Linux or Mac OS X).  The most useful are installed with the OS (traceroute, ping, netstat, nslookup, dig, whois, tcpdump, ...).  "wireshark" can be selected as a network utility during a Linux install.  Instructions on use can be obtained from the "man" pages (for manual) by typing "man program-name" at the command line.

Windows has ping, nslookup, telnet, and "tracert" available in the Command Prompt terminal window.  You can "redirect" the output into a text (.txt) file (e.g., tracert www.cnn.com > C:\mystuff\trace.txt) and then edit the file in "Notepad" or "Wordpad".

   Ethereal (now "wireshark") - Network monitor program, can be installed on Linux, Mac (see info/Install-wireshark-on-MacOS.html), Windows - http://wireshark.org

   WinSCP - a SFTP and SCP client for Windows using SSH. Its main function is secure copying of files between a local and a remote computer - http://sourceforge.net/projects/winscp/

   OpenSSH for Windows - ssh client and server - http://www.networksimplicity.com/openssh/

   PuTTY - a telnet and ssh client for Windows - http://www.chiark.greenend.org.uk/~sgtatham/putty/

   PingPlotter - A Windows XP program that does pings and traceroutes - http://www.pingplotter.com

   dig - similar to "nslookup", does automatic iterative name resolution with the "+trace" option.  A good version for Windows is from http://members.shaw.ca/nicholas.fong/dig/ (includes "whois").

"whois" gives information about the owner and operator of a subnet.

A different approach to downloading programs into Windows is to boot up Linux from a CD that already has the utilities installed.  These CDs will do just that, without affecting your hard disk or the Windows OS on it.

   Knoppix - Boot disc creates a Linux OS in RAM - http://knoppix.org/ (German - click on the flag for English)

   STD - Boot disc creates an (old) Linux OS in RAM with many network security tools - http://s-t-d.org/

Some things can be done from certain Web sites.  I like the Geek Tools "whois" lookup, but the "whois" utility in Linux and MacOS now also does a good job of selecting the right registrar based on the IP address.

   Geek Tools - A Web site that does pings, traceroutes, whois, ... - http://www.geektools.com

   Ditto - look at http://lg.he.com and get the Hurricane Electric "HE" app for smartphones.