One of the strengths of Linux is its rich set of networking tools and utilities, which is not a big surprise, since the Internet is its native land. While learning networking technologies, for example as a CCNA candidate, we can make use of many of them. In this article I try to collect some tools that can help in various situations: some are for testing, some demonstrate network vulnerabilities, and some help in understanding protocols and technologies more deeply. Each of them cooperates smoothly with Cisco devices, so we can use them in our CCNA studies. I try to follow the OSI model, starting with utilities used at the lower layers and moving up to the application layer; the underlying technology throughout will be Ethernet.
The first utility is used by hackers (or crackers, more precisely) to break switched environments. As we know, switches maintain a MAC address table in which they store which MAC addresses are reachable through which port. The switch fills this table dynamically, and of course it has a finite capacity (for example, a 3725 router with a 16ESW module can store 8192 MAC addresses). The goal is to keep this table as small as possible, since the switch has to search it for every frame. What happens when the address table is full? It depends on the switch model: some start to slow down, and some start working as a hub. Why is this dangerous? Because a hacker sniffing on a switch port normally cannot see the traffic of other ports, but in hub mode all traffic is seen on all ports. And what can a hacker do to fill the MAC table of a switch? Use the tool named "macof."
macof is part of the package called "dsniff" (which contains other tools as well, and can be installed with the command apt-get install dsniff). Its sole purpose is to flood the network with bogus MAC addresses and fill the MAC table of the switch. Usage is really simple: the -i parameter defines the interface on which to send traffic. In the topology attached to this article, use the macof -i eth0 command. The screen shows the outgoing traffic, and when we issue the show mac-address-table count command on SW1, we soon observe that the number of table entries is close to the maximum of 8192. Although the switch doesn't start working as a hub, we can observe a slowdown. When we stop the flooding by pressing CTRL-C, the switch soon ages out the fake entries and everything returns to normal.
How do we protect our switches from this kind of attack? We use port security: it restricts the number of MAC addresses allowed on a port (the default is 1), so the attack is unsuccessful. Unfortunately the switch module in GNS3 doesn't support port security, so we need to use a real device (or practice with Packet Tracer).
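Where port security is not available, a monitoring host can at least notice the flood. The script below is an added example (not code from the original article or from dsniff): it counts the distinct source MAC addresses seen on a link within a sliding one-second window, the churn that macof produces, over constructed lines in the format of tcpdump -e -n.

```python
import re
from collections import deque

# Matches the start of a "tcpdump -e -n" line: timestamp, source MAC, destination MAC.
FRAME_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) ([0-9a-f:]{17}) > ([0-9a-f:]{17}),")

def parse_frame(line):
    """Return (seconds_since_midnight, src_mac) for a tcpdump -e line, or None."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    h, mi, s, us, src, _dst = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6, src

def detect_mac_flood(lines, window=1.0, threshold=50):
    """Return (timestamp, distinct_sources) for every frame after which more than
    `threshold` distinct source MACs were seen within the last `window` seconds.
    A healthy access port shows a handful of sources; a flood shows thousands."""
    recent = deque()   # (timestamp, src) pairs still inside the window
    active = {}        # src -> number of frames inside the window
    alerts = []
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        ts, src = parsed
        recent.append((ts, src))
        active[src] = active.get(src, 0) + 1
        while recent and ts - recent[0][0] > window:   # expire frames older than the window
            _old_ts, old_src = recent.popleft()
            active[old_src] -= 1
            if active[old_src] == 0:
                del active[old_src]
        if len(active) > threshold:
            alerts.append((ts, len(active)))
    return alerts

def constructed_capture():
    """Constructed sample: five normal ARP frames from one host, then 80 frames
    within one second, each carrying a different (forged) source MAC."""
    lines = [f"10:00:0{i}.000000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
             "length 42: Request who-has 10.1.1.30 tell 10.1.1.20" for i in range(5)]
    for i in range(80):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        lines.append(f"10:00:06.{i * 1000:06d} {mac} > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: ...")
    return lines

if __name__ == "__main__":
    for ts, n in detect_mac_flood(constructed_capture())[:3]:
        print(f"t={ts:.3f}s: {n} distinct source MACs in the last second")
```

The threshold is deliberately conservative; on a real trunk, tune it to the number of hosts you expect behind the port.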
Cisco Discovery Protocol (CDP) is a Layer 2 protocol that is useful when we need some information about neighboring devices. There are protocols with a similar purpose on the market, LLDP or EDP for example. Although CDP seems to be a Cisco-only protocol, that's not the case: Linux has utilities that take advantage of CDP.
First of all, look at "cdpr," the CDP message reporter, which is primarily used to gather information from a neighboring Cisco device. Install it with apt-get install cdpr, then run it with the following command: cdpr -d eth0 -v. The first parameter defines the interface to listen on, the second increases verbosity. The program starts and soon displays the data (if you don't want to wait too long, issue the cdp timer 5 command on SW1; this sets the CDP sending interval to 5 seconds instead of the default 60 seconds).
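To see what cdpr actually decodes, here is an added example (not from the article or the cdpr project) that builds a constructed CDP payload with the TLV layout a Cisco device sends and parses it back. The Device ID, Port ID, Software version and Platform fields are exactly the information a neighbor learns about a device, which is why CDP is usually disabled on ports facing untrusted hosts. The device strings are made up for the sample.

```python
import struct

# CDP TLV type codes for the fields we decode (version, TTL and checksum precede the TLVs)
TLV_NAMES = {0x0001: "Device ID", 0x0003: "Port ID", 0x0005: "Software version", 0x0006: "Platform"}

def build_cdp(device_id, port_id, version, platform, ttl=180):
    """Constructed CDP v2 payload (everything after the SNAP header). The checksum
    is left as zero because this sample is only parsed locally, never transmitted."""
    body = b""
    for tlv_type, text in ((0x0001, device_id), (0x0003, port_id),
                           (0x0005, version), (0x0006, platform)):
        value = text.encode("ascii")
        body += struct.pack("!HH", tlv_type, 4 + len(value)) + value   # length covers the 4-byte TLV header
    return struct.pack("!BBH", 2, ttl, 0) + body

def parse_cdp(payload):
    """Walk the TLVs of a CDP payload and return the decoded fields.
    The length checks stop a truncated or malformed TLV from reading past the buffer."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    fields = {"version": version, "ttl": ttl}
    offset = 4
    while offset < len(payload):
        if offset + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!HH", payload[offset:offset + 4])
        if length < 4 or offset + length > len(payload):
            raise ValueError(f"bad TLV length {length} at offset {offset}")
        value = payload[offset + 4:offset + length]
        if tlv_type in TLV_NAMES:
            fields[TLV_NAMES[tlv_type]] = value.decode("ascii", "replace")
        offset += length   # unknown TLV types (addresses, capabilities, ...) are skipped
    return fields

# Constructed sample: the kind of announcement a lab switch like SW1 would send
SAMPLE = build_cdp("SW1", "FastEthernet1/0", "Cisco IOS Software (constructed sample)", "cisco 3725")

if __name__ == "__main__":
    for name, value in parse_cdp(SAMPLE).items():
        print(f"{name}: {value}")
```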
When we want to advertise CDP messages to our neighbors, we can use the LADVD (Link Advertising Daemon) package. This software supports LLDP (Link Layer Discovery Protocol) out of the box, and in addition we can enable CDP, Extreme Discovery Protocol (EDP), Foundry Discovery Protocol (FDP) and Nortel Discovery Protocol (NDP). After we install it with apt-get install ladvd, the daemon starts and automatically enables the supported protocols based on the packet types it receives. If we watch the syslog messages with the tail -f /var/log/syslog command, we can observe the following:
The CDP neighbor also appears on the Cisco device:
Another similar tool is "lldpd." Install it with apt-get install lldpd (first remove ladvd with apt-get remove ladvd). Locate the file /etc/default/lldpd, then uncomment and modify the DAEMON_ARGS line to the following:
This enables CDP as well. After restarting with the service lldpd restart command, we can check the operation on the Cisco device again.
Address Resolution Protocol (ARP) is important at Layer 2 and Layer 3 alike, as it maps IP addresses to MAC addresses. The operation of ARP is simple, and if we want to observe it, we install a sniffer like Wireshark, or a simpler one: "tcpdump". Issue the following command in one terminal window: tcpdump -i eth0 'arp or icmp', then ping 10.1.1.10 from another terminal. Soon we see the following:
The first two lines with timestamps are the ARP request and the reply, followed by some ICMP echo-request/echo-reply messages. We can display the ARP cache with arp -a or alternatively with the ip neighbor show command.
Now we will demonstrate the weakness of ARP: we can easily spoof a MAC address and establish a man-in-the-middle attack. The logic is that gratuitous ARP messages are used to notify hosts about a MAC address change, but a hacker can use them to lie to a client about the MAC address of the default gateway; from that point on the client talks to the hacker's machine instead of the real gateway. For the demonstration, let's suppose that R2 uses R3 as its default gateway, and our Linux host is the attacker. From R2, ping R3, then display the ARP table with the show ip arp command:
Note the MAC address of the 10.1.1.30 host.
Now we'll use the "arpspoof" tool, which is part of the "dsniff" package. Issue the following command (the parameters are: the interface to use, the MAC to restore after spoofing, the target host and the gateway):
arpspoof -i eth0 -c own -t 10.1.1.20 10.1.1.30
We can see that our Linux host continuously sends fake gratuitous ARPs about the gateway's address to the target host; if we issue the show ip arp command on R2 again, the MAC address has changed, and it is now the address of the Linux host. From now on, when R2 wants to reach R3 it uses this MAC with the IP address 10.1.1.30. By default, Linux doesn't forward packets between its interfaces, so we need to enable IP forwarding. A temporary method is to set the appropriate kernel value with the following command (think of it like switching a Registry key in Windows):
echo 1 > /proc/sys/net/ipv4/ip_forward
Now start a tcpdump session again (if we stopped the previous one by pressing CTRL-C), and ping R3 from R2. Under normal circumstances we wouldn't see any traffic on Linux, since we are in a switched network, but this time it works and we can easily capture traffic between two hosts on other switch ports: a successful man-in-the-middle attack! If we want to hide our traces, press CTRL-C in arpspoof, and it restores the original MACs, so the hosts won't notice anything suspicious. There is another tool called Ettercap, which has a GUI, so even a script kiddie can use it. Fortunately, we can protect our network from this with various methods. The simplest one is to use static ARP entries; you can find more information in the reference at the end of this article.
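Detecting the binding change described above is the core of what tools like arpwatch do. The added example below (not part of the original article) implements that check over constructed lines in the format of tcpdump -n 'arp': it reports every change in a learned IP-to-MAC binding and, for a pinned gateway entry (the equivalent of a static ARP entry), every reply that contradicts it. All MACs in the sample are made up.

```python
import re

# Matches the reply form printed by "tcpdump -n 'arp'", e.g.
# "10:02:01.000000 ARP, Reply 10.1.1.30 is-at c2:03:1b:2c:00:00, length 28"
ARP_REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})")

def watch_arp(lines, pinned=None):
    """Return a list of (time, ip, expected_mac, seen_mac) findings.
    `pinned` holds IP -> MAC bindings that must never change; every reply
    contradicting one is reported. Other IPs are learned on first sight and
    reported only when their MAC changes (including when it changes back)."""
    pinned = pinned or {}
    learned = {}
    findings = []
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if not m:
            continue   # requests and non-ARP lines carry no binding
        ts, ip, mac = m.groups()
        if ip in pinned:
            if mac != pinned[ip]:
                findings.append((ts, ip, pinned[ip], mac))
            continue
        previous = learned.setdefault(ip, mac)
        if previous != mac:
            findings.append((ts, ip, previous, mac))
            learned[ip] = mac
    return findings

# Constructed capture: the real gateway answers, a spoofer then claims 10.1.1.30
# three times, and finally the genuine binding reappears after the spoofer stops.
GATEWAY_MAC = "c2:03:1b:2c:00:00"
ATTACKER_MAC = "08:00:27:aa:bb:cc"
SAMPLE_CAPTURE = [
    "10:02:00.000000 ARP, Request who-has 10.1.1.30 tell 10.1.1.20, length 28",
    f"10:02:00.000400 ARP, Reply 10.1.1.30 is-at {GATEWAY_MAC}, length 28",
    "10:02:05.000000 ARP, Reply 10.1.1.10 is-at 00:0c:29:12:34:56, length 28",
    f"10:02:30.000000 ARP, Reply 10.1.1.30 is-at {ATTACKER_MAC}, length 28",
    f"10:02:32.000000 ARP, Reply 10.1.1.30 is-at {ATTACKER_MAC}, length 28",
    f"10:02:34.000000 ARP, Reply 10.1.1.30 is-at {ATTACKER_MAC}, length 28",
    f"10:02:40.000000 ARP, Reply 10.1.1.30 is-at {GATEWAY_MAC}, length 28",
]

if __name__ == "__main__":
    for ts, ip, expected, seen in watch_arp(SAMPLE_CAPTURE, pinned={"10.1.1.30": GATEWAY_MAC}):
        print(f"{ts} {ip}: expected {expected}, saw {seen}")
```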
In the network layer we have well-known tools to test connectivity: ping and traceroute (tracert in Windows). Ping is almost the same, except that it runs continuously until we press CTRL-C. Traceroute is a bit more sophisticated than its Windows counterpart. tracert sends ICMP echo-request packets to the destination with a starting TTL value of 1 in the IP header. Because the first router (the first hop) decreases the TTL by one, it becomes zero and the router drops the packet, sending back an ICMP "Time to live exceeded" error message. The source host then sends another packet with TTL=2, which is dropped by the second hop towards the destination, and this process repeats until the destination host replies with an echo-reply. But there is another way to determine whether we have reached the destination: sending UDP or TCP packets to an invalid destination port. When we get a "Port unreachable" error message instead of an echo-reply at the end, we know that we're there. traceroute in Linux can use the -I, -U and -T switches for the ICMP, UDP and TCP methods, respectively. Why is this useful? Because some admins block ICMP traffic on their firewalls and our trace fails, but when we use UDP or TCP, we still have a chance to reach the destination.
There's a tool that combines ping and traceroute: its name is "mtr." After installing it with apt-get install mtr, start the program by issuing mtr -t google.com. The output on my machine is the following:
As we can see, mtr lets us easily discover the bottlenecks of the network. In my case, the router with IP address 220.127.116.11 drops a lot of packets for some reason. The other statistics also help to find the nodes causing problems.
IP addressing, subnetting and supernetting are hard topics for many CCNA candidates. There are a lot of utilities in the category of IP/Subnet/VLSM/CIDR calculators, which help to easily calculate subnet masks, addresses and the other information needed for proper addressing. One of them is "ipcalc." Let's use this utility to solve the following problem:
We have the 192.168.10.0/26 network. What is the decimal netmask and the first/last usable address on this subnet?
The solution is really simple: type ipcalc 192.168.10.0/26, and the output is:
Another problem: divide the 192.168.1.0/24 network into subnets with 120, 60 and 10 hosts, respectively (this is a VLSM problem). The solution is to use the split function:
ipcalc -s 120 60 10 192.168.1.0/24
The output shows all the three subnets. Here’s the third one:
Third example: what are the parameters of the network that the 192.168.1.77/28 address belongs to? The solution is to simply give this address to ipcalc and it tells you everything you want to know. One last usage tip: if we have to compute wildcard masks, for ACLs or OSPF for example, ipcalc is our friend as well.
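The three problems above can also be solved with Python's standard ipaddress module. This added example (not from the article or from ipcalc) answers each of them and implements the largest-first carving that the split function performs, including the failure case where the requested hosts don't fit into the block.

```python
import ipaddress
import math

def subnet_facts(cidr):
    """Netmask, wildcard and usable host range of the network containing `cidr`.
    strict=False lets a host address such as 192.168.1.77/28 be given directly."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),   # the form ACL and OSPF network statements need
        "broadcast": str(net.broadcast_address),
        "first": str(hosts[0]),
        "last": str(hosts[-1]),
        "usable": len(hosts),
    }

def vlsm_split(cidr, host_counts):
    """Carve `cidr` into subnets for the requested host counts, largest first, the
    way ipcalc -s does. Returns [(hosts_requested, 'subnet/prefix'), ...]."""
    block = ipaddress.ip_network(cidr)
    cursor = block.network_address
    result = []
    for need in sorted(host_counts, reverse=True):
        host_bits = math.ceil(math.log2(need + 2))   # +2 for network and broadcast
        # Sizes are powers of two and allocated in descending order, so cursor is
        # always aligned to the size of the next subnet.
        subnet = ipaddress.ip_network((cursor, 32 - host_bits))
        if not subnet.subnet_of(block):
            raise ValueError(f"{need} hosts do not fit into the remainder of {cidr}")
        result.append((need, str(subnet)))
        cursor = subnet.broadcast_address + 1
    return result

if __name__ == "__main__":
    print(subnet_facts("192.168.10.0/26"))
    print(vlsm_split("192.168.1.0/24", [120, 60, 10]))
    print(subnet_facts("192.168.1.77/28"))
```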
To help with supernetting, that is, aggregating separate networks into one bigger network, "aggregate" computes the summarized address. We just have to enter the networks with their CIDR prefixes, press CTRL-D at the end and see the result. For example (the result is marked in red):
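The same summarization can be done with the ipaddress module. This added example (not the aggregate tool's code) returns the single prefix covering a list of networks and, because a summary may advertise more space than you actually hold, also reports how many addresses it covers beyond the inputs; a lossless merge is shown beside it for contrast. Networks are read from standard input until CTRL-D, just like aggregate.

```python
import ipaddress
import sys

def summarize(cidrs):
    """Return (summary_network, extra_addresses): the shortest single prefix that
    covers every input, plus how many addresses it advertises that are not in
    the inputs. A non-zero extra means the summary route also attracts traffic
    for space you don't own."""
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    # Shorten the prefix from /32 downward until one block spans both ends
    for prefix in range(32, -1, -1):
        candidate = ipaddress.ip_network((low, prefix), strict=False)
        if high in candidate:
            owned = sum(n.num_addresses for n in nets)
            return candidate, candidate.num_addresses - owned

def exact_collapse(cidrs):
    """Lossless alternative: merge only neighbours that form a complete larger block."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)]

if __name__ == "__main__":
    # Same interaction as the aggregate tool: one network per line, CTRL-D to finish
    entered = [line.strip() for line in sys.stdin if line.strip()]
    summary, extra = summarize(entered)
    print(f"summary: {summary} (covers {extra} addresses beyond the inputs)")
    print("lossless:", ", ".join(exact_collapse(entered)))
```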
On our way up we have arrived at the transport layer, where TCP and UDP are the most important protocols. There are typical utilities at this layer too; the most important is netstat. Its main purpose is to display the state of network connections, but it can also show the routing table with the "-r" switch. Although the command is the same as in Windows, the parameters differ a bit in Linux. For example, if we want to see all TCP connections without DNS resolution, use the following form:
If we want to see the process that uses a given port, add the "-p" switch, and for UDP use "-u" instead of "-t"; these are the most frequently used command-line switches. The CCNA material doesn't cover a similar command on a router, but try this: set up telnet on R2 and connect to it from Linux, then issue the show tcp brief command on the router. On routers with IOS version 12.4(x)T or 15, there's a better way: use the show control-plane host open-ports command.
Let's close this part with a rather famous hacker tool that is also related to ports: "nmap." This program discovers many parameters of a given host: open ports, the software that uses them and the OS version. The software even appears in a lot of films; just check the webpage listed below for details. If we don't want to use it like a CLI ninja, we can install the Zenmap GUI. We can use predefined profiles: just choose a target and a profile, click on the Scan button and wait. Below is the output of scanning nmap.org (a case of the hangman being hanged):
I hope that you find some useful information in this article. Experiment with the tools mentioned, and soon we'll continue with more.
ARP spoofing and mitigation: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html
Online version of ipcalc: http://jodies.de/ipcalc
NMAP in movies: http://nmap.org/movies/