
wildweaselmi

Members
  • Posts

    2,015
  • Joined

  • Last visited

Recent Profile Visitors

3,255 profile views


  1. wildweaselmi

    Animated Images

    some funny animated images
  2. Version 1.0.0

    1 download

    providing a google chrome RPM
  3. This is a quick tutorial to help find information quickly using tcpdump. I'm not going to get into explaining everything, just some quick commands to find what you are looking for.

    Capture HTTPS Traffic

        tcpdump -nnSX port 443

    NOTE: You can use the same command to capture any traffic, just change the port.

        21:57:41.587391 IP 10.11.24.11.60394 > 146.88.138.28.443: Flags [S], seq 2618307083, win 29200, options [mss 1460,sackOK,TS val 1261029685 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c fb3e 4000 4006 00f3 0a0b 180b  E..<.>@.@.......
        0x0010:  9258 8a1c ebea 01bb 9c10 320b 0000 0000  .X........2.....
        0x0020:  a002 7210 3eb9 0000 0204 05b4 0402 080a  ..r.>...........
        0x0030:  4b29 c935 0000 0000 0103 0307            K).5........

    Shows some HTTPS traffic, with hex display (encrypted).

    Check out what tcpdump sees as available interfaces

        tcpdump -D

    This will list all your available interfaces; on my machine it shows the following:

        1.virbr0
        2.nflog (Linux netfilter log (NFLOG) interface)
        3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
        4.ens160
        5.ens192
        6.any (Pseudo-device that captures on all interfaces)
        7.lo [Loopback]

    Show everything hitting any interface

        tcpdump -i any

    Show everything hitting a certain interface

        tcpdump -i ens192

    Show all traffic related to an IP address (use host)

        tcpdump host 10.11.24.11

    An example of the output is here from a ping:

        22:07:50.840177 ARP, Request who-has usdet1lvdwb001.mwg.com tell netweb.mwg.com, length 46
        22:07:50.840226 ARP, Reply usdet1lvdwb001.mwg.com is-at 00:50:56:97:af:fd (oui Unknown), length 28
        22:07:50.840494 IP netweb.mwg.com > usdet1lvdwb001.mwg.com: ICMP echo request, id 23003, seq 1, length 64
        22:07:50.840522 IP usdet1lvdwb001.mwg.com > netweb.mwg.com: ICMP echo reply, id 23003, seq 1, length 64
        22:07:51.840121 IP netweb.mwg.com > usdet1lvdwb001.mwg.com: ICMP echo request, id 23003, seq 2, length 64
        22:07:51.840161 IP usdet1lvdwb001.mwg.com > netweb.mwg.com: ICMP echo reply, id 23003, seq 2, length 64

    Filter by Source and/or Destination

        tcpdump src 10.11.24.11
        tcpdump dst 10.11.24.20

    Find packets by a certain Network/Subnet

        tcpdump net 10.11.24.0/24
  4. wildweaselmi

    general images

    some linux focused images
  5. In the environment I work in we have multiple firewalls in a path, so the likelihood of your traffic being blocked is high. Most of us used to troubleshoot using telnet, which has many, many flaws and is not a great method of testing, but it was all we had. Here is an example of testing using telnet:

        telnet 10.11.24.11:80
        telnet: 10.11.24.11:80: Name or service not known
        10.11.24.11:80: Unknown host

    The telnet results don't really give you anything to tell you if it's successful or not. Then I discovered at a young age the power of nmap (which is probably why it was quickly blocked in most companies). Here is an example of testing using nmap:

        nmap -p 80 10.11.24.11
        Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 10:58 EDT
        Nmap scan report for wildweaselmi.thezah.com (10.11.24.11)
        Host is up (0.000053s latency).
        PORT   STATE SERVICE
        80/tcp open  http
        Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

    Just so you can see what it looks like to see a closed port:

        nmap -p 443 10.11.24.11
        Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 11:04 EDT
        Nmap scan report for wildweaselmi.thezah.com (10.11.24.11)
        Host is up (0.000047s latency).
        PORT    STATE  SERVICE
        443/tcp closed https
        Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

    nmap is super quick and very easy to use to get accurate results, but it was quickly blocked by corporate security and is no longer an acceptable tool. In researching I discovered what most people use, which is netcat. Here is an example of the same test using netcat:

        nc -zv 10.11.24.11 80
        Connection to 10.11.24.11 80 port [tcp/http] succeeded!

    It's very clear that port 80 is open on 10.11.24.11. And for clarity's sake, here is an example testing a closed port using netcat:

        nc -zv 10.11.24.11 443
        nc: connect to 10.11.24.11 port 443 (tcp) failed: Connection refused

    Yet again, it's very clear that port 443 is not open on 10.11.24.11, or it's being blocked along the path by a firewall or some other device.

    As with just about any corporation, you find tools that work and they get taken away. Our company is now blocking the use of netcat due to security risks associated with the tool but not offering any other tool as a replacement. Now I can use bash as a testing tool, and here is that example:

        cat < /dev/tcp/127.0.0.1/22
        SSH-2.0-OpenSSH_7.7

    Here is a test using bash for the successful connection shown above. It just comes back to the command line with no messages, which means success:

        cat < /dev/tcp/10.11.24.11/80

    Here is the other test we did above with netcat that failed, so you can see the message bash will show:

        cat < /dev/tcp/10.11.24.11/443
        -bash: connect: Connection refused
        -bash: /dev/tcp/10.11.24.11/443: Connection refused

    NOTE: using bash is very slow and not always reliable, but it appears to be more reliable than telnet, though not as good as netcat.

    I'm having to now test using tcpdump, which is a very, very painful way for me to test, but security doesn't give a dang about how easy or difficult it is for you or me. As a test scenario I can open a port up on a destination box using netcat while we still have it by running:

        nc -l 5678

    Now on my source box I'll confirm that 5678 is open for testing:

        nc -zv 10.11.24.11 5678

    Before we just jump into troubleshooting connection issues with tcpdump, it's important to understand the three-way handshake needed for communication (SYN, SYN/ACK, ACK). As long as the ports your client is trying to communicate on are turned on and listening on the server, it's very easy and not complicated. Below you will see two examples of the above, the client being 10.11.24.12 and the server being 10.11.24.11.

    First, tcpdump is capturing the open port 80 on the server. You can see the entire SYN, SYN/ACK, ACK cycle in this successful communication.

    Now let's look at a scenario where the port is just not turned on (or listening) on the server. In this case 10.11.24.11 does not have 443 on, so what do we capture if we attempt to communicate to that port?

    You can see you don't have the complete 3-way handshake. You see the SYN coming from the client, but you don't get a SYN/ACK back; instead you get a RST/ACK from the server telling you that the port isn't listening.

    Now let's try the same test but to a different server that is behind a firewall (10.47.208.46) using the same client (10.11.24.12). First you can see a successful capture going through the firewall over port 443.

    Now here is a capture of the same client to the same server over 9300, which is on the server and listening, which you can confirm by logging onto the server and running a quick netstat command:

        netstat -anp | grep "9300"

    Now we perform a capture and see the communication doesn't get any further than a SYN, RST/ACK (no different than above without a firewall). Hope this helps you.
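As an added example (not from the post), here is a small Python parser that applies the handshake reasoning above to `tcpdump -nn` output: every client SYN is classified as open (SYN/ACK came back), closed (RST/ACK came back) or filtered (nothing came back). The capture lines are constructed for the demo; the only assumption is that tcpdump was run with `-nn` so endpoints are numeric.

```python
import re
from collections import OrderedDict

# Start of a "tcpdump -nn" TCP line: timestamp, src.port > dst.port, and the TCP flags.
# Hostnames (the default without -nn) would not match; run tcpdump with -nn.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, None for ARP/ICMP/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def classify_attempts(lines):
    """Classify each connection attempt (a client SYN) by how the server side answered.

    open     -> SYN answered with SYN/ACK ("S."): the 3-way handshake completes
    closed   -> SYN answered with RST or RST/ACK ("R", "R."): nothing listening, or a
                firewall that rejects rather than drops (looks identical on the wire)
    filtered -> SYN never answered, only retransmitted: dropped somewhere on the path
    """
    attempts = OrderedDict()  # (client, cport, server, sport) -> status
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        if flags == "S":
            # First SYN creates the entry; a retransmitted SYN keeps whatever we know so far.
            attempts.setdefault((src, sport, dst, dport), "filtered")
            continue
        key = (dst, dport, src, sport)  # a reply has the endpoints swapped
        if key not in attempts:
            continue
        if flags == "S.":
            attempts[key] = "open"
        elif flags in ("R", "R."):
            attempts[key] = "closed"
    return {f"{c}:{cp} -> {s}:{sp}": status for (c, cp, s, sp), status in attempts.items()}

# Constructed capture lines (not from the post): one open port, one closed port, one
# port where the SYN is silently dropped, plus an ARP line that the parser must ignore.
SAMPLE_CAPTURE = """\
21:57:41.587391 IP 10.11.24.12.51234 > 10.11.24.11.80: Flags [S], seq 2618307083, win 29200, length 0
21:57:41.587450 IP 10.11.24.11.80 > 10.11.24.12.51234: Flags [S.], seq 4011, ack 2618307084, win 28960, length 0
21:57:41.587480 IP 10.11.24.12.51234 > 10.11.24.11.80: Flags [.], ack 4012, win 229, length 0
21:58:02.100000 IP 10.11.24.12.51235 > 10.11.24.11.443: Flags [S], seq 9000, win 29200, length 0
21:58:02.100050 IP 10.11.24.11.443 > 10.11.24.12.51235: Flags [R.], seq 0, ack 9001, win 0, length 0
21:58:30.000000 IP 10.11.24.12.51236 > 10.47.208.46.8443: Flags [S], seq 7000, win 29200, length 0
21:58:31.000000 IP 10.11.24.12.51236 > 10.47.208.46.8443: Flags [S], seq 7000, win 29200, length 0
22:07:50.840177 ARP, Request who-has 10.11.24.11 tell 10.11.24.12, length 46
"""

def demo():
    return classify_attempts(SAMPLE_CAPTURE.splitlines())

if __name__ == "__main__":
    for attempt, status in demo().items():
        print(f"{status:8s} {attempt}")
```

Feed it a real capture with `tcpdump -nn -i any tcp > cap.txt` and `classify_attempts(open("cap.txt"))`; a "closed" verdict cannot by itself distinguish a port that is not listening from a firewall that sends RST, which is exactly the 9300 case above.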
  6. Yea yea, I know this title is very generic and yes, we all like to bag on Microsoft, but this is more of a very high-level side by side with Microsoft's product, Windows. Why is Wordpress like Windows? They both are slow over time. The more you add, the slower it gets. The more software and plugins you add, the slower it gets. They are both very insecure and require a separate security package. Here is my experience with Wordpress, since this is all just a learning experiment. I built a community on Joomla using Kunena as a forum, EasyBlog as my blog and eDocman as my File Management, and I forget what I used for my Media. The site was quick but again, security was a big hole. First I noticed tons of issues with Kunena, so I moved to phpBB3, which was and is a fantastic forum package, but it's 3rd party so you need to use a bridge to integrate into your Joomla site, and that takes resources and you would occasionally get a sync error between Joomla and phpBB3. When you are using software that isn't fully integrated, you discover issues like the search plugin doesn't search everything. So I did some research, and Wordpress is the most used web software, just like Microsoft Windows is the most used operating system, but what they most have in common is price. Windows is cheap in comparison and likewise Wordpress is free. So obviously free typically attracts tons of people. Now Joomla is also free, but with both Wordpress and Joomla what isn't free are all the addons needed to make it a usable site, and now you depend on the developers of those addons to keep them up to date and supported. In my experience some addon companies were better than others for both Joomla and Wordpress addons. I like the Wordpress plugin manager way better, with the reviews and easy search for the type of plugin, where Joomla is more like a Sears catalog where you have to find the category and hope you pick the right one.

    Most addons are free to install, but if you want any real functionality you have to pay for the upgrade, and the payment is a yearly subscription. No longer are the days where you buy a plugin and you own it. Now you subscribe for a pretty hefty price and you keep paying "the man" or you will get infected. So as you see I settled on a web software that has all those addons (files, calendar, blog, etc.) included. Yes, I have to pay $210/year for the software, but that includes all the updates to maintain the software and very quick response for support. If you go for a free solution like Wordpress or Joomla, be prepared to pay way more than $210 for less functionality. Let me share some examples so you know I'm not just blowing smoke.

    Gallery
        IPB: included
        Wordpress: rtMedia ($499) or MediaPress ($ )
        Joomla:
    File Management/Downloads
        IPB: included
        Wordpress: WPDM ($199)
        Joomla:
    Blog
        IPB: included
        Wordpress: included
        Joomla: EasyBlog ($ )
    Recipes
        IPB: included
        Wordpress:
        Joomla:
    Calendar/Events
        IPB: included
        Wordpress: EventON ($215)
        Joomla:
    Project Management
        IPB: doesn't offer anything
        Wordpress: WeDevs WP Project Management ($249)
        Joomla:
    Articles
        IPB: included
        Wordpress:
        Joomla: included
    Support Tickets
        IPB: included
        Wordpress:
        Joomla:
    Forms
        IPB: limited
        Wordpress: Gravity Forms (workflow is awesome)
        Joomla:
    Link Library
        IPB: none
        Wordpress: Link Library
        Joomla:
    Security
        IPB: built in
        Wordpress: iThemes ($ )
        Joomla:
    Groups
        IPB: included
        Wordpress: BuddyBoss
        Joomla: community builder or
    Forums
        IPB: included
        Wordpress: bbpress (tools)
        Joomla: Kunena or phpBB3 bridge
    Backup System
        IPB: none
        Wordpress: Updraft or Backupbuddy ($ )
        Joomla:
  7. Sometimes your Linux box has been running for such a long time you may have forgotten what the heck you are running. The quickest and easiest way to identify what you have is to run the following command:

        lsb_release -a

    example:

    If that doesn't work for one reason or another, try this command instead:

        cat /etc/*-release

    example:

    You may also want to know what kernel version you are running:

        uname -a
        or
        uname -mrs

    example:

        Linux = Kernel name
        3.2.0-35-generic-pae = Kernel version number
        i686 = Machine hardware name

    Finally you can see what kernel and gcc version with the following command:

        cat /proc/version

    example:
  8. There are several commands to show how much memory is being used or how much is free or what process is taking how much memory. What command can you run to show the percentage of what is free? Would be helpful to compare to reporting tools to see if they match.
  9. NAME
           vmstat - Report virtual memory statistics

    SYNOPSIS
           vmstat [-a] [-n] [delay [ count]]
           vmstat [-f] [-s] [-m]
           vmstat [-S unit]
           vmstat [-d]
           vmstat [-p disk partition]
           vmstat [-V]

    DESCRIPTION
           vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity.

           The first report produced gives averages since the last reboot. Additional reports give information on a sampling period of length delay. The process and memory reports are instantaneous in either case.

       Options
           The -a switch displays active/inactive memory, given a 2.5.41 kernel or better.
           The -f switch displays the number of forks since boot. This includes the fork, vfork, and clone system calls, and is equivalent to the total number of tasks created. Each process is represented by one or more tasks, depending on thread usage. This display does not repeat.
           The -m displays slabinfo.
           The -n switch causes the header to be displayed only once rather than periodically.
           The -s switch displays a table of various event counters and memory statistics. This display does not repeat.
           delay is the delay between updates in seconds. If no delay is specified, only one report is printed with the average values since boot.
           count is the number of updates. If no count is specified and delay is defined, count defaults to infinity.
           The -d reports disk statistics (2.5.70 or above required)
           The -p followed by some partition name for detailed statistics (2.5.70 or above required)
           The -S followed by k or K or m or M switches outputs between 1000, 1024, 1000000, or 1048576 bytes
           The -V switch results in displaying version information.

    FIELD DESCRIPTION FOR VM MODE
       Procs
           r: The number of processes waiting for run time.
           b: The number of processes in uninterruptible sleep.
       Memory
           swpd: the amount of virtual memory used.
           free: the amount of idle memory.
           buff: the amount of memory used as buffers.
           cache: the amount of memory used as cache.
           inact: the amount of inactive memory. (-a option)
           active: the amount of active memory. (-a option)
       Swap
           si: Amount of memory swapped in from disk (/s).
           so: Amount of memory swapped to disk (/s).
       IO
           bi: Blocks received from a block device (blocks/s).
           bo: Blocks sent to a block device (blocks/s).
       System
           in: The number of interrupts per second, including the clock.
           cs: The number of context switches per second.
       CPU
           These are percentages of total CPU time.
           us: Time spent running non-kernel code. (user time, including nice time)
           sy: Time spent running kernel code. (system time)
           id: Time spent idle. Prior to Linux 2.5.41, this includes IO-wait time.
           wa: Time spent waiting for IO. Prior to Linux 2.5.41, shown as zero.

    FIELD DESCRIPTION FOR DISK MODE
       Reads
           total: Total reads completed successfully
           merged: grouped reads (resulting in one I/O)
           sectors: Sectors read successfully
           ms: milliseconds spent reading
       Writes
           total: Total writes completed successfully
           merged: grouped writes (resulting in one I/O)
           sectors: Sectors written successfully
           ms: milliseconds spent writing
       IO
           cur: I/O in progress
           s: seconds spent for I/O

    FIELD DESCRIPTION FOR DISK PARTITION MODE
           reads: Total number of reads issued to this partition
           read sectors: Total read sectors for partition
           writes: Total number of writes issued to this partition
           requested writes: Total number of write requests made for partition

    FIELD DESCRIPTION FOR SLAB MODE
           cache: Cache name
           num: Number of currently active objects
           total: Total number of available objects
           size: Size of each object
           pages: Number of pages with at least one active object
           totpages: Total number of allocated pages
           pslab: Number of pages per slab

    NOTES
           vmstat does not require special permissions.
           These reports are intended to help identify system bottlenecks. Linux vmstat does not count itself as a running process.
           All linux blocks are currently 1024 bytes. Old kernels may report blocks as 512 bytes, 2048 bytes, or 4096 bytes.
           Since procps 3.1.9, vmstat lets you choose units (k, K, m, M) default is K (1024 bytes) in the default mode
           vmstat uses slabinfo 1.1 FIXME

    FILES
           /proc/meminfo
           /proc/stat
           /proc/*/stat

    SEE ALSO
           iostat(1), sar(1), mpstat(1), ps(1), top(1), free(1)

    BUGS
           Does not tabulate the block io per device or count the number of system calls.

    AUTHORS
           Written by Henry Ware ;.
           Fabian Frédérick ; (diskstat, slab, partitions...)
  10. Sometimes it's helpful to know what ports on your Mac are in LISTENING status. So here are a few commands that I found helpful in my quest to find what ports are open.

        $ netstat -atp tcp | grep -i "listen"
        tcp4  0  0  *.irdmi          *.*  LISTEN
        tcp4  0  0  localhost.49155  *.*  LISTEN
        tcp4  0  0  localhost.49154  *.*  LISTEN
        tcp4  0  0  localhost.49153  *.*  LISTEN
        tcp4  0  0  localhost.49152  *.*  LISTEN
        tcp4  0  0  *.kerberos       *.*  LISTEN
        tcp6  0  0  *.kerberos       *.*  LISTEN
        tcp4  0  0  *.ssh            *.*  LISTEN
        tcp6  0  0  *.ssh            *.*  LISTEN
        tcp4  0  0  localhost.ipp    *.*  LISTEN
        tcp6  0  0  localhost.ipp    *.*  LISTEN
        tcp4  0  0  *.rfb            *.*  LISTEN
        tcp6  0  0  *.rfb            *.*  LISTEN

    And also I used

        $ sudo lsof -i -P | grep -i "listen"
        Password:
        launchd    1 root 26u IPv6 0x6a234a812945c29f 0t0 TCP *:5900 (LISTEN)
        launchd    1 root 28u IPv4 0x6a234a81294621ef 0t0 TCP *:5900 (LISTEN)
        launchd    1 root 30u IPv6 0x6a234a812945c29f 0t0 TCP *:5900 (LISTEN)
        launchd    1 root 31u IPv4 0x6a234a81294621ef 0t0 TCP *:5900 (LISTEN)
        launchd    1 root 43u IPv6 0x6a234a812945b89f 0t0 TCP *:22 (LISTEN)
        launchd    1 root 46u IPv4 0x6a234a812946104f 0t0 TCP *:22 (LISTEN)
        launchd    1 root 52u IPv4 0x6a234a812946191f 0t0 TCP localhost:631 (LISTEN)
        launchd    1 root 53u IPv6 0x6a234a812945bd9f 0t0 TCP localhost:631 (LISTEN)
        launchd    1 root 54u IPv6 0x6a234a812945bd9f 0t0 TCP localhost:631 (LISTEN)
        launchd    1 root 55u IPv6 0x6a234a812945b89f 0t0 TCP *:22 (LISTEN)
        launchd    1 root 56u IPv4 0x6a234a812946104f 0t0 TCP *:22 (LISTEN)
        launchd    1 root 59u IPv4 0x6a234a812946191f 0t0 TCP localhost:631 (LISTEN)
        pma_agent 70 root 19u IPv4 0x6a234a812945db6f 0t0 TCP *:8000 (LISTEN)
        bcua-serv 76 root 16u IPv4 0x6a234a812945e43f 0t0 TCP localhost:49154 (LISTEN)
        bcua-serv 76 root 19u IPv4 0x6a234a812945feaf 0t0 TCP localhost:49155 (LISTEN)
        mtmfs     79 root  4u IPv4 0x6a234a812945f5df 0t0 TCP localhost:49152 (LISTEN)
        mtmfs     79 root  6u IPv4 0x6a234a812945ed0f 0t0 TCP localhost:49153 (LISTEN)
        kdc       96 root  6u IPv6 0x6a234a812945b39f 0t0 TCP *:88 (LISTEN)
        kdc       96 root  8u IPv4 0x6a234a812946077f 0t0 TCP *:88 (LISTEN)
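As an added example (not from the post), this Python script reduces `lsof -i -P` output like the above to one row per listening port and flags the ports bound to every interface (`*`) as opposed to localhost only, which is the question a defender actually wants answered by such a listing. The sample lines are a subset copied from the post's output, with the `Password:` prompt left in to show that non-matching lines are skipped.

```python
import re

# One "sudo lsof -i -P | grep -i listen" line (macOS or Linux), e.g.
#   launchd 1 root 26u IPv6 0x6a234a812945c29f 0t0 TCP *:5900 (LISTEN)
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
# Assumption: the COMMAND column contains no spaces (lsof would need -F otherwise).
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<family>IPv[46])"
    r"\s+\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<name>\S+)\s+\(LISTEN\)\s*$"
)

def parse_lsof_listen(line):
    """Return a dict for one LISTEN line, or None for prompts, headers and other noise."""
    m = LSOF_RE.match(line.strip())
    if not m:
        return None
    bind_addr, port = m["name"].rsplit(":", 1)   # "localhost:631" -> ("localhost", "631")
    return {"cmd": m["cmd"], "pid": int(m["pid"]), "user": m["user"],
            "family": m["family"], "proto": m["proto"],
            "bind": bind_addr, "port": int(port)}

def summarize_listeners(lines):
    """Collapse duplicate file descriptors into one row per (proto, port), sorted by port.

    A row is marked exposed when at least one descriptor is bound to "*" (all interfaces);
    a port that only appears with a localhost bind is reachable from the machine itself only.
    """
    rows = {}
    for line in lines:
        rec = parse_lsof_listen(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["port"])
        row = rows.setdefault(key, {"proto": rec["proto"], "port": rec["port"],
                                    "procs": set(), "binds": set(), "families": set()})
        row["procs"].add(f'{rec["cmd"]}[{rec["pid"]}]')
        row["binds"].add(rec["bind"])
        row["families"].add(rec["family"])
    out = []
    for key in sorted(rows):
        row = rows[key]
        row["exposed"] = "*" in row["binds"]
        out.append(row)
    return out

def exposed_ports(lines):
    """Just the port numbers that are listening on all interfaces."""
    return sorted(r["port"] for r in summarize_listeners(lines) if r["exposed"])

# Subset of the lsof output from the post above (the "Password:" line is sudo's prompt).
SAMPLE_LSOF = """\
Password:
launchd 1 root 26u IPv6 0x6a234a812945c29f 0t0 TCP *:5900 (LISTEN)
launchd 1 root 28u IPv4 0x6a234a81294621ef 0t0 TCP *:5900 (LISTEN)
launchd 1 root 43u IPv6 0x6a234a812945b89f 0t0 TCP *:22 (LISTEN)
launchd 1 root 46u IPv4 0x6a234a812946104f 0t0 TCP *:22 (LISTEN)
launchd 1 root 52u IPv4 0x6a234a812946191f 0t0 TCP localhost:631 (LISTEN)
launchd 1 root 53u IPv6 0x6a234a812945bd9f 0t0 TCP localhost:631 (LISTEN)
pma_agent 70 root 19u IPv4 0x6a234a812945db6f 0t0 TCP *:8000 (LISTEN)
bcua-serv 76 root 16u IPv4 0x6a234a812945e43f 0t0 TCP localhost:49154 (LISTEN)
mtmfs 79 root 4u IPv4 0x6a234a812945f5df 0t0 TCP localhost:49152 (LISTEN)
kdc 96 root 6u IPv6 0x6a234a812945b39f 0t0 TCP *:88 (LISTEN)
"""

if __name__ == "__main__":
    for row in summarize_listeners(SAMPLE_LSOF.splitlines()):
        scope = "ALL-INTERFACES" if row["exposed"] else "localhost-only"
        print(f'{row["proto"]}/{row["port"]:<6} {scope:15} {", ".join(sorted(row["procs"]))}')
```

Pipe the real thing in with `sudo lsof -i -P | grep -i listen | python3 listeners.py` after swapping `SAMPLE_LSOF.splitlines()` for `sys.stdin`; the rows marked ALL-INTERFACES are the ones worth reconciling against what the host firewall is expected to permit.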
  11. We may deploy several servers and we need an easy, quick way to see if they are now responding. I found fping to work best. Throw all your IPs in a text file (for example pinglist.txt) and run it:

        sudo fping -a -r 0 -f pinglist.txt
  12. On my Ubuntu installation I found the installation at:

        ls -l /usr/local/nagios/etc/
        -rw-rw-r-- 1 nagios nagios 12270 Aug  4 07:09 cgi.cfg
        -rw-rw-r-- 1 nagios nagios 12270 Aug  3 15:05 cgi.cfg~
        -rw-r--r-- 1 root   root      50 Aug  3 15:07 htpasswd.users
        -rw-rw-r-- 1 nagios nagios 44904 Nov  2 08:22 nagios.cfg
        -rw-rw-r-- 1 nagios nagios 44833 Aug  4 06:58 nagios.cfg~
        drwxrwxr-x 2 nagios nagios  4096 Nov  2 08:44 objects
        -rw-rw---- 1 nagios nagios  1315 Aug  4 07:09 resource.cfg
        -rw-rw---- 1 nagios nagios  1315 Aug  3 15:05 resource.cfg~
        drwxr-xr-x 2 root   root    4096 Nov  2 09:42 servers

        ls -l /usr/local/nagios/etc/objects
        -rw-r--r-- 1 root   root    7473 Sep 11 10:30 1
        -rw-rw-r-- 1 nagios nagios  7890 Nov  2 08:44 commands.cfg
        -rw-rw-r-- 1 nagios nagios  7707 Aug  3 15:05 commands.cfg~
        -rw-rw-r-- 1 nagios nagios  2138 Aug  4 07:09 contacts.cfg
        -rw-rw-r-- 1 nagios nagios  2144 Aug  4 06:59 contacts.cfg~
        -rw-r--r-- 1 root   root     157 Nov  2 08:39 custom-servicegroups.cfg
        -rw-rw-r-- 1 nagios nagios  5375 Aug  4 07:09 localhost.cfg
        -rw-rw-r-- 1 nagios nagios  5375 Aug  3 15:05 localhost.cfg~
        -rw-rw-r-- 1 nagios nagios  3096 Aug  4 07:09 printer.cfg
        -rw-rw-r-- 1 nagios nagios  3096 Aug  3 15:05 printer.cfg~
        -rw-rw-r-- 1 nagios nagios  3265 Aug  4 07:09 switch.cfg
        -rw-rw-r-- 1 nagios nagios  3265 Aug  3 15:05 switch.cfg~
        -rw-rw-r-- 1 nagios nagios 10621 Aug  4 07:09 templates.cfg
        -rw-rw-r-- 1 nagios nagios 10621 Aug  3 15:05 templates.cfg~
        -rw-rw-r-- 1 nagios nagios  3180 Aug  4 07:09 timeperiods.cfg
        -rw-rw-r-- 1 nagios nagios  3180 Aug  3 15:05 timeperiods.cfg~
        -rw-rw-r-- 1 nagios nagios  3991 Aug  4 07:09 windows.cfg
        -rw-rw-r-- 1 nagios nagios  3991 Aug  3 15:05 windows.cfg~

        ls -l /usr/local/nagios/etc/servers
        -rw-r--r-- 1 root root 6867 Nov  2 09:30 dfw1oapdn101.cfg
        -rw-r--r-- 1 root root 6867 Nov  2 09:31 dfw1oapdn102.cfg
        -rw-r--r-- 1 root root 6885 Nov  2 09:29 dfw1oapdn103.cfg
        -rw-r--r-- 1 root root 6432 Nov  2 09:41 gridtest.cfg
        -rw-r--r-- 1 root root  642 Nov  2 07:24 hostgroup.cfg
        -rw-r--r-- 1 root root 6930 Nov  2 09:37 lab1oapdn101.cfg
        -rw-r--r-- 1 root root 6211 Nov  2 09:42 lab1oapdn102.cfg
        -rw-r--r-- 1 root root 6856 Nov  2 09:26 sat1oapdn101.cfg
        -rw-r--r-- 1 root root 7189 Nov  2 09:25 sat1oapdn102.cfg
        -rw-r--r-- 1 root root 6868 Nov  2 09:27 sat1oapdn103.cfg
  13. It helps, sometimes, to know what the last commands issued by a user on a Linux box were. I found this helpful for troubleshooting, or to help learning, and it's just sometimes good to know. The easiest way I found is to issue the following command to identify what commands have been issued by a certain user on your Linux operating system:

        sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
  14. There comes a time that the DNS server(s) do not have the name to address resolution you need, so just add it to your local hosts file.

    Mac OS X 10.2 or later

    Edit the /private/etc/hosts file. For more information on how to use the hosts file, open Terminal and type:

        man hosts

    Note: Editing this file requires root privileges. I suggest typing, while in Terminal:

        sudo nano /private/etc/hosts

    It may be a good idea to flush the DNS cache that is running by then typing the following after you save the hosts file:

        dscacheutil -flushcache
  15. Switching operating systems is a scary, and can be an exciting, adventure. It can also be a major pain in the butt. I am not the author of any book but hope I can help fill in some blanks. If you want a recommendation on a book, for beginners I strongly recommend a book called Teach Yourself VISUALLY Mac OS X Leopard. It has proven itself to people of all ages on getting up and going with their move from Windows to Mac. Here are some basic things you may or may not know.

    Open Applications...
        In Windows you click the Start button - Click on Programs - Select Your Application
        In Mac OS X you click the Finder (looks like a smiley face) - Click on Applications - Select Your Application

    Check Email without having to purchase any additional application...
        In Windows you click on Outlook Express
        In Mac you click on Apple Mail (both are equal in functionality; Apple Mail seems to handle a large amount of mail quite a bit quicker, to include searching)

    Check Email with purchase of additional application... (mostly for us business people that need to connect to Outlook Exchange servers)
        In Windows you open Microsoft Outlook
        In Mac you open Microsoft Entourage (Microsoft Outlook is better but not by a whole lot. Entourage syncs with Outlook Exchange server to include Mail and Calendar without any issues)

    Word Processor included with operating system
        In Windows you click Start - Programs - Accessories - either Notepad or Wordpad
        In Mac OS X you click the Finder (looks like a smiley face) - Click on Applications - TextEdit (note that all Mac Applications are found in the exact same place... Finder - Applications unless you move them somewhere else)

    (I'll keep adding to this article so it will probably never be finished)