Mac Network Commands Cheat Sheet

After writing up the presentation for MacSysAdmin in Sweden, I decided to go ahead and throw these into a quick cheat sheet for anyone who’d like to have them all in one place. Good luck out there, and stay salty.

Get an IP address for en0:
    ipconfig getifaddr en0

Same thing, but setting and echoing a variable:
    ip=`ipconfig getifaddr en0` ; echo $ip

View the subnet mask of en0:
    ipconfig getoption en0 subnet_mask

View the DNS server for en0:
    ipconfig getoption en0 domain_name_server

Get information about how en0 got its DHCP on:
    ipconfig getpacket en0

View some network info:
    ifconfig en0

Set en0 to have an IP address of 10.10.10.10 and a subnet mask of 255.255.255.0:
    ifconfig en0 inet 10.10.10.10 netmask 255.255.255.0

Show a list of locations on the computer:
    networksetup -listlocations

Obtain the active location the system is using:
    networksetup -getcurrentlocation

Create a network location called Work and populate it with information from the active network connection:
    networksetup -createlocation Work populate

Delete a network location called Work:
    networksetup -deletelocation Work

Switch the active location to a location called Work:
    networksetup -switchlocation Work

Switch the active location to a location called Work, but also show the GUID of that location so we can make scripties with it laters:
    scselect Work

List all of the network interfaces on the system:
    networksetup -listallnetworkservices

Rename the network service called Ethernet to the word Wired:
    networksetup -renamenetworkservice Ethernet Wired

Disable a network interface (the service name, Wi-Fi here, is just an example):
    networksetup -setnetworkserviceenabled Wi-Fi off

Change the order of your network services:
    networksetup -ordernetworkservices "Wi-Fi" "USB Ethernet"

Set the interface called Wi-Fi to obtain its address via DHCP, if it isn’t already:
    networksetup -setdhcp Wi-Fi

Renew DHCP leases:
    ipconfig set en1 BOOTP && ipconfig set en1 DHCP
    ifconfig en1 down && ifconfig en1 up

Renew a DHCP lease in a script:
    echo "add State:/Network/Interface/en0/RefreshConfiguration temporary" | sudo scutil

Configure a manual static IP address:
    networksetup -setmanual Wi-Fi 10.0.0.2 255.255.255.0 10.0.0.1

Configure the DNS servers for a given network interface:
    networksetup -setdnsservers Wi-Fi 10.0.0.2 10.0.0.3

Obtain the DNS servers used on the Wi-Fi interface:
    networksetup -getdnsservers Wi-Fi

Stop the application layer firewall:
    launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
    launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

Start the application layer firewall:
    launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist
    launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist

Allow an app to communicate outside the system through the application layer firewall:
    socketfilterfw -t "/Applications/FileMaker Pro/FileMaker Pro.app/Contents/MacOS/FileMaker Pro"

See the routing table of a Mac:
    netstat -nr

Add a route so that traffic for 10.0.0.0/32 communicates over the 10.0.9.2 network interface:
    route -n add 10.0.0.0/32 10.0.9.2

Log Bonjour traffic at the packet level:
    sudo killall -USR2 mDNSResponder

Stop Bonjour:
    launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Start Bonjour:
    launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Put a delay in your pings:
    ping -i 5 192.168.210.1

Ping the hostname 5 times and then stop the ping:
    ping -c 5 google.com

Flood ping the host:
    ping -f localhost

Set the packet size during your ping:
    ping -s 100 google.com

Customize the source IP during your ping:
    ping -S 10.10.10.11 google.com

View disk performance:
    iostat -d disk0

Get information about the airport connection on your system:
    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I

Scan the available wireless networks:
    /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s

Trace the path packets go through:
    traceroute google.com

Trace the routes without looking up names:
    traceroute -n google.com

Trace a route in debug mode:
    traceroute -d google.com

View information on all sockets:
    netstat -at

View network information for IPv6:
    netstat -lt

View per protocol network statistics:
    netstat -s

View the statistics for a specific network protocol:
    netstat -p igmp

Show statistics for network interfaces:
    netstat -i

View network information as it happens (requires ntop to be installed):
    ntop

Scan port 80 of www.google.com:
    /System/Library/CoreServices/Applications/Network\ Utility.app/Contents/Resources/stroke www.google.com 80 80

Port scan krypted.com stealthily:
    nmap -sS -O krypted.com/24

Establish a network connection with www.apple.com:
    nc -v www.apple.com 80

Establish a network connection with gateway.push.apple.com over port 2195:
    /usr/bin/nc -v -w 15 gateway.push.apple.com 2195

Establish a network connection with feedback.push.apple.com only allowing IPv4:
    /usr/bin/nc -v -4 feedback.push.apple.com 2196

Set up a network listener on port 2196 for testing:
    /usr/bin/nc -l 2196

Capture some packets:
    tcpdump -nS

Capture all the packets:
    tcpdump -nnvvXS

Capture the packets for a given port (548 here):
    tcpdump -nnvvXS port 548

Capture all the packets for a given port going to a given destination of 10.0.0.48:
    tcpdump -nnvvXS port 548 and dst 10.0.0.48

Capture the packets as above but dump to a pcap file:
    tcpdump -nnvvXS -w /tmp/myfile.pcap port 548 and dst 10.0.0.48

Read tcpdump (cap) files and try to make them human readable:
    tcpdump -qns 0 -A -r /var/tmp/capture.pcap

What binaries have what ports and in what states are those ports:
    lsof -n -i4TCP

Make an alias for looking at what has a listener open, called ports:
    alias ports='lsof -n -i4TCP | grep LISTEN'

Report back the name of the system:
    hostname

Flush the DNS cache:
    dscacheutil -flushcache

Clear your ARP cache:
    arp -ad

View how the Server app interprets your network settings:
    serveradmin settings network

Whitelist the IP address 10.10.10.2:
    /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 10.10.10.2

Finally, the script network_info.sh shows information about a Mac’s network configuration. Both active and inactive network interfaces are listed, in the order that they are used by the OS and with a lot of details (MAC address, interface name, router, subnet mask etc.).

Quick nmap Hacks

The nmap application is a pretty easy-to-use tool that can be used to port scan objects in a network environment. To obtain nmap in an easy-to-use package installer for OS X, check out the download page at http://nmap.org/download.html#macosx (use the same page to grab it for Windows or *nix as well). Once downloaded, run the package/rpm/whatever. Before I scan a system, I like to pull the routing table and eth info to determine how scans are being run, which can be done by using the nmap command along with the --iflist option:
    nmap --iflist

Basic Scanning

To then scan a computer, just use the nmap command followed by the host name or even throw a -v option in there to see more information (you can use a hostname or an IP):
    nmap -v www.apple.com

Use the -6 option if scanning via IPv6:
    nmap -v -6 8a33:1a2c::83::1a

You can drop the -v for less info on these, but I usually like more than less. The output shows ports, states, services (for the ports) and a MAC address for each IP being scanned.

You can also scan a range of IPs. I usually take the lazy way for this, by using a wildcard. I can replace an octet to scan all objects in that octet. For example, to scan all systems running on the 192.168.210 class B:
    nmap 192.168.210.*

You can scan a subnet, which can cover more or less than one octet worth of IPs, by including the net mask:
    nmap 192.168.210.0/24

You can also just list a range, which is much easier in some cases, using the --exclude option to remove an address that will be angry if port scanned:
    nmap 192.168.210.1-100 --exclude 192.168.210.25

Or to do a few hosts within that range:
    nmap 192.168.210.1,10,254

Or you can even use the following to read in a list of addresses and subnets where each is on its own line:
    nmap -iL ~/nmaplist.txt

By default, nmap is scanning all ports. However, if you know what you’re looking for, scans can be processed much faster if you constrain it to a port or range of ports. Use the -p option to identify a port and then T: for only TCP or U: for only UDP, or neither to do both. Additionally, you can scan a range of ports or separate ports using the same syntax used for identifying multiple hosts. For example, here we’ll scan 53, 80, 110, 443 and 143:
    nmap -p 53,80,110,143,443 www.apple.com

Do OS detection using the -A option:
    nmap -A www.apple.com

For true remote OS detection, use -O with --osscan-guess:
    nmap -v -O --osscan-guess mail.krypted.com

We can also output to a text file, using the -o option (or of course > filename but -o is more elegant here unless you’re parsing elsewhere in the line):
    nmap -v -o ~/Desktop/nmapresults.txt -O --osscan-guess mail.krypted.com

Firewalls

Next, we’ll look at trying to bypass pesky annoyances like stateful packet inspection on firewalls. First, check whether there is actually a firewall using -sA:
    nmap -sA www.apple.com

Scan even if the host is protected by a firewall:
    nmap -PN www.apple.com

Just check to see if some devices are up even if behind a firewall:
    nmap -sP 192.168.210.10-20

To run a scan using SYN and ACK scans, run nmap along with either the -PS or -PA option (shown respectively; the port follows the option with no space):
    nmap -PS443 www.apple.com
    nmap -PA443 www.apple.com

Try to determine why ports are in a specific state:
    nmap --reason www.apple.com

Show all sent/recvd packets:
    nmap --packet-trace www.apple.com

Try to read the header of remote ports to determine a version number of the software:
    nmap -sV www.apple.com

Security Scanning

Next, we can look at actually using nmap to test the attacking waters a little bit. First, we’ll try and spoof another MAC address, using the --spoof-mac option. We’ll use the 0 position after that option to indicate that we’re randomly generating a MAC, although we could use a real MAC in place of the 0:
    nmap -v -sT --spoof-mac 0 www.apple.com

Next, let’s try to add a decoy, which allows us to spoof some IPs and use them as decoys so our target doesn’t suspect our IP as one that’s actually scanning them (note that the IP we’re testing from is 192.168.210.210):
    nmap -n -D 192.168.210.1,192.168.210.10,192.168.210.210,192.168.210.254 www.apple.com

Then, send some crazy packets (not an official term like magic packets, just my own term for throwing a curve ball at things and testing for the viability of syn-flood or Xmas packet attacking):
    nmap -sX www.apple.com

Configure a custom MTU:
    nmap --mtu 64 www.apple.com

Fragment your packets:
    nmap -f www.apple.com

Note: None of Apple’s servers were damaged in the writing of this article. I did a find/replace at the end, when I realized I didn’t want all of you hitting www.krypted.com.

More Information About DHCP Leases in OS X

You can obtain a pretty decent amount of information about leases your OS X computer gets just by looking in the Network System Preference pane, for each interface. However, you can get a lot more information, as with most things, from the command line. First, we’re going to take a look at en0 on our host and see what the MAC address is:
    ifconfig en0 ether

Now, we can look in the /var/db/dhcpclient/leases directory to see a list of all of the leases we have running on our system. Based on the MAC address of our computer, we should see a file there that starts with the name of our interface and finishes with our MAC address. Let’s cat this file:
    cat en0-1\,84\:38\:35\:63\:87\:2e

The output is similar to the following (a standard plist):

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>IPAddress</key>
        <string>192.168.210.144</string>
        <key>LeaseLength</key>
        <integer>86400</integer>
        <key>LeaseStartDate</key>
        <date>2013-10-03T02:43:36Z</date>
        <key>PacketData</key>
        <data>
        AgEGAPSEH9QAAAAAAAAAAMCo0pAAAAAAAAAAAIQ4NWOHLgAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqNIBAQT///8A
        MwQAAVGAAwTAqNIBBggEAgICzg0cDP8=
        </data>
        <key>RouterHardwareAddress</key>
        <data>
        ABfFg9DO
        </data>
        <key>RouterIPAddress</key>
        <string>192.168.210.1</string>
    </dict>
    </plist>

This shows us the amount of time our lease is valid for, when the lease was provided to us, what IP was provided and the IP of our router. We can then key off of that information as needed (e.g. for other scripts/tools).
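
The PacketData value in a lease file is the raw DHCP reply, so the options the server handed out (DNS servers, router, server identifier) can be read back and compared against what you expect on that network. The following is an added example, not code from the original post: it parses a lease plist and its DHCP options in Python. The function names are my own, and the sample lease is constructed with documentation addresses rather than taken from the output above.

```python
import ipaddress
import plistlib
from datetime import datetime, timedelta

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the BOOTP header
IP_OPTS = {1: "subnet_mask", 3: "router", 6: "dns", 54: "server_id"}  # RFC 2132

def parse_dhcp_options(packet):
    """Walk the code/length/value options after the 236-byte BOOTP header."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 marks the end of options
        code = packet[i]
        if code == 0:                             # 0 is a one-byte pad
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if code in IP_OPTS and length % 4 == 0:   # one or more IPv4 addresses
            opts[IP_OPTS[code]] = [str(ipaddress.IPv4Address(value[n:n + 4]))
                                   for n in range(0, length, 4)]
        elif code == 51 and length == 4:          # lease time in seconds
            opts["lease_seconds"] = int.from_bytes(value, "big")
        i += 2 + length
    return opts

def summarize_lease(plist_bytes):
    """Combine the plist keys with the options carried inside PacketData."""
    lease = plistlib.loads(plist_bytes)
    info = parse_dhcp_options(lease["PacketData"])
    info["ip"] = lease["IPAddress"]
    info["expires"] = lease["LeaseStartDate"] + timedelta(seconds=lease["LeaseLength"])
    info["router_mac"] = lease["RouterHardwareAddress"].hex(":")
    return info

def sample_lease():
    """Constructed lease (documentation addresses), not a capture from the page."""
    # op/htype/hlen/hops, xid..ciaddr, yiaddr, siaddr+giaddr, MAC, chaddr pad+sname+file
    header = (bytes([2, 1, 6, 0]) + bytes(12) + bytes([192, 0, 2, 50]) + bytes(8)
              + bytes.fromhex("020000000001") + bytes(202))
    options = bytes.fromhex("350105" "3604c0000201" "0104ffffff00" "330400015180"
                            "0304c0000201" "0608c0000235c0000236" "ff")
    return plistlib.dumps({"IPAddress": "192.0.2.50", "LeaseLength": 86400,
                           "LeaseStartDate": datetime(2013, 10, 3, 2, 43, 36),
                           "PacketData": header + MAGIC + options,
                           "RouterHardwareAddress": bytes.fromhex("020000000002")})
```

On a Mac, pass the bytes of a file from /var/db/dhcpclient/leases to summarize_lease() instead of sample_lease().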

Setting Up Multiple IPs in Ubuntu

A standard network interface will look similar to the following in /etc/network/interfaces:

    auto eth0
    iface eth0 inet static
        address 192.168.210.100
        netmask 255.255.255.0
        broadcast 192.168.210.255
        gateway 192.168.210.1

Adding more IP addresses to those interfaces is as simple as creating an alias, done by duplicating the information for the initial interface and appending a colon followed by 0, 1, 2, 3, etc. according to how many aliases are needed, minus the gateway (the initial IP’s gateway will be used):

    auto eth0:0
    iface eth0:0 inet static
        address 192.168.210.101
        netmask 255.255.255.0
        broadcast 192.168.210.255

    auto eth0:1
    iface eth0:1 inet static
        address 192.168.210.102
        netmask 255.255.255.0
        broadcast 192.168.210.255

When finished, run an ifconfig to verify that the new interfaces are up and then ping them from a client system.