Common Tasks

Contents

Common Tasks#

Common Tasks#

Inventory interfaces and addresses, what the box thinks it is on the network.

$ ip -br address
$ ip -br link
$ ip -4 route; ip -6 route
$ resolvectl status 2>/dev/null || cat /etc/resolv.conf

Map listening services, the local attack surface.

$ sudo ss -tulnp
$ sudo ss -tlnp | awk 'NR>1{print $5,$7}'
$ sudo lsof -iTCP -sTCP:LISTEN -P -n

Snapshot established connections, who is talking to whom.

$ ss -tnp state established | head -30
$ ss -tunp | sort -u
$ sudo lsof -i -P -n | grep ESTABLISHED

Inspect firewall state, what is allowed in or out.

$ sudo nft list ruleset 2>/dev/null
$ sudo iptables -S; sudo iptables -t nat -S
$ sudo ufw status verbose 2>/dev/null
$ sudo firewall-cmd --list-all 2>/dev/null

Probe reachability and path, where does traffic go.

$ ping -c 3 1.1.1.1
$ mtr -wbzc 10 1.1.1.1
$ tracepath example.com
$ dig +short example.com; dig +trace example.com

Capture traffic on the wire, when log inference is not enough.

$ sudo tcpdump -i any -nn -s0 -c 200 'port not 22' -w /tmp/cap.pcap
$ sudo tshark -i any -Y 'http.request' -c 50

Hunt for tunnels and proxies, VPNs, SSH, SOCKS, custom listeners.

$ ip -d link | grep -E 'tun|tap|wg|ppp'
$ ss -tnp | grep -E '127\.0\.0\.1:[0-9]+ '
$ env | grep -i -E 'proxy'

Bring an interface up or down, renumber, refresh, recover.

$ sudo ip link set eth0 up
$ sudo ip link set eth0 down
$ sudo ip addr flush dev eth0
$ sudo dhclient -r eth0; sudo dhclient eth0

Set a static address and route, transient (no reboot).

$ sudo ip addr add 10.0.0.42/24 dev eth0
$ sudo ip route add default via 10.0.0.1 dev eth0
$ sudo ip route del default
$ sudo ip neigh show

Configure DNS, check resolver, override temporarily.

$ resolvectl status; resolvectl query example.com
$ sudo resolvectl dns eth0 1.1.1.1 9.9.9.9
$ getent hosts example.com
$ sudo systemctl restart systemd-resolved

Open or close a port, ufw / firewalld / nft, the everyday verbs.

$ sudo ufw allow 443/tcp; sudo ufw delete allow 443/tcp
$ sudo firewall-cmd --add-port=443/tcp --permanent; sudo firewall-cmd --reload
$ sudo nft add rule inet filter input tcp dport 443 accept
$ sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT

Test a port from the outside, did the firewall change take.

$ nc -vz example.com 443
$ curl -v https://example.com/ -o /dev/null
$ nmap -Pn -p 443 example.com
$ openssl s_client -connect example.com:443 -servername example.com </dev/null

Forward a port over SSH, pivot, expose, tunnel.

$ ssh -L 8080:localhost:80 user@host          # local forward
$ ssh -R 9000:localhost:22 user@host          # remote forward
$ ssh -D 1080 user@host                       # SOCKS proxy
$ ss -tnp | grep ssh

Measure throughput and latency, saturate the pipe, time the RTT.

$ iperf3 -s                                   # server
$ iperf3 -c <server> -t 10                    # client
$ ping -c 100 -i 0.2 <host> | tail -3
$ curl -w '%{time_namelookup} %{time_connect} %{time_total}\n' -o /dev/null -s https://example.com