diff --git a/cheatsheets/iptables b/cheatsheets/iptables
new file mode 100644
index 0000000..badc271
--- /dev/null
+++ b/cheatsheets/iptables
@@ -0,0 +1,18 @@
+# Show hit for rules with auto refresh
+watch --interval 0 'iptables -nvL | grep -v "0 0"'
+
+# Show hit for rule with auto refresh and highlight any changes since the last refresh
+watch -d -n 2 iptables -nvL
+
+# Block the port 902 and we hide this port from nmap.
+iptables -A INPUT -i eth0 -p tcp --dport 902 -j REJECT --reject-with icmp-port-unreachable
+
+# Note, --reject-with accept:
+# icmp-net-unreachable
+# icmp-host-unreachable
+# icmp-port-unreachable <- Hide a port to nmap
+# icmp-proto-unreachable
+# icmp-net-prohibited
+# icmp-host-prohibited or
+# icmp-admin-prohibited
+# tcp-reset
diff --git a/cheatsheets/tcpdump b/cheatsheets/tcpdump
new file mode 100644
index 0000000..0011635
--- /dev/null
+++ b/cheatsheets/tcpdump
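Review bot: The comment on the REJECT rule, and the `<- Hide a port to nmap` annotation in the list below it, overstate what `icmp-port-unreachable` does: a TCP probe answered with an ICMP port-unreachable is reported by port scanners as "filtered", which reveals that a firewall is in front of the port rather than hiding it, whereas `tcp-reset` makes the port indistinguishable from one that is simply closed and `-j DROP` sends no reply at all. Suggest rewording to `# Reject connections to port 902; scanners will report the port as filtered (use --reject-with tcp-reset to make it look closed, or -j DROP for no reply at all)`. Also, `-A` appends to INPUT, so the rule only takes effect if no earlier rule already accepts port 902; `-I INPUT` would place it first. Minor: `--reject-with accept:` should read `accepts:`.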
@@ -0,0 +1,63 @@
+# TCPDump is a packet analyzer. It allows the user to intercept and display TCP/IP
+# and other packets being transmitted or received over a network. (cf Wikipedia).
+# Note: 173.194.40.120 => google.com
+
+# Intercepts all packets on eth0
+tcpdump -i eth0
+
+# Intercepts all packets from/to 173.194.40.120
+tcpdump host 173.194.40.120
+
+# Intercepts all packets on all interfaces from / to 173.194.40.120 port 80
+# -nn => Disables name resolution for IP addresses and port numbers.
+tcpdump -nn -i any host 173.194.40.120 and port 80
+
+# Make a grep on tcpdump (ASCII)
+# -A => Show only ASCII in packets.
+# -s0 => By default, tcpdump only captures 68 bytes.
+tcpdump -i -A any host 173.194.40.120 and port 80 | grep 'User-Agent'
+
+# With ngrep
+# -d eth0 => To force eth0 (else ngrep work on all interfaces)
+# -s0 => force ngrep to look at the entire packet. (Default snaplen: 65536 bytes)
+ngrep 'User-Agent' host 173.194.40.120 and port 80
+
+# Intercepts all packets on all interfaces from / to 8.8.8.8 or 173.194.40.127 on port 80
+tcpdump 'host ( 8.8.8.8 or 173.194.40.127 ) and port 80' -i any
+
+# Intercepts all packets SYN and FIN of each TCP session.
+tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
+
+# To display SYN and FIN packets of each TCP session to a host that is not on our network
+tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net local_addr'
+
+# To display all IPv4 HTTP packets that come or arrive on port 80 and that contain only data (no SYN, FIN no, no packet containing an ACK)
+tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
+
+# Saving captured data
+tcpdump -w file.cap
+
+# Reading from capture file
+tcpdump -r file.cap
+
+# Show content in hexa
+# Change -x to -xx => show extra header (ethernet).
+tcpdump -x
+
+# Show content in hexa and ASCII
+# Change -X to -XX => show extra header (ethernet).
+tcpdump -X
+
+# Note on packet maching:
+# Port matching:
+# - portrange 22-23
+# - not port 22
+# - port ssh
+# - dst port 22
+# - src port 22
+#
+# Host matching:
+# - dst host 8.8.8.8
+# - not dst host 8.8.8.8
+# - src net 67.207.148.0 mask 255.255.255.0
+# - src net 67.207.148.0/24
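Review bot: The ASCII grep example, `tcpdump -i -A any host 173.194.40.120 and port 80 | grep 'User-Agent'`, passes `-A` as the argument of `-i`, so tcpdump tries to open an interface named `-A` and `any` is left as the first word of the filter expression, which will most likely fail to parse; the comment above it also documents `-s0` but the command never uses it, so the intended line is `tcpdump -A -s0 -i any host 173.194.40.120 and port 80 | grep 'User-Agent'`. The ngrep example has the same drift: its comment explains `-d eth0` and `-s0` while the command passes neither. The claim that tcpdump captures only 68 bytes by default describes older releases; recent versions default to a much larger snaplen, so that comment is worth hedging or updating. Minor: `packet maching` in the notes section should read `packet matching`.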