When running a DNS/BIND server on Linux or macOS, you can check the version number by running a simple named command with the -v option.
The output is as follows:
BIND 9.9.7-P3 (Extended Support Version)
The cd command has lots of fun little shortcuts. One I use frequently is the -. The ~ always takes you to your home directory, but using cd – will take you to the last directory you were in. For example, if you do the following on a Mac:
Then you do .. (which is a shortcut for the directory above the one you’re in):
Then pwd will show that you’re in /Users. But, if you cd to – again:
Now you’re back in your home folder. The – expands to OLDPWD. Quick tip. Nothing more to see here.
The wc command is used to count words, characters and lines. Here, we’ll run it a few different ways. -l shows the number of lines in a file. For example, in my home directory, I can use it to see how many lines are in my .gitconfig file:
wc -l .gitconfig
This would output something like the following:
Or count the number of characters with -c:
wc -c .gitconfig
Or check the number of words:
wc -w .gitconfig
You can also run it against multiple files. For example, here I’ll check the number of lines in both my .gitconfig file and my .gitignore_global files:
wc -l .gitconfig .gitignore_global
Let’s say I have a list of numbers and I want to take an average of them. I can use this to quickly figure out how many numbers I have (and so will divide by) before tallying them up.
The free command in Linux is used to show memory utilization. When run without any options, you can see the used and available space of swap and physical memory. By default, the option is displayed in kilobytes but when run with a -b option it is shown in bytes or -m will show in megabytes or -g in gigabytes or -t in terabytes. So to see the free space in bytes run the following:
The -o option shows the output adjusted for the buffer. The -t option also adds a total column as well as a line for total that shows swap and physical, combined. The -s will update the output and is followed by a number of seconds. To see the number of times it happened, use the -c option. So to see the output every 60 seconds:
free -cs 60
The low and high stats are shown using the -l option:
As with many commands, you can see the version of the command using the -V option:
Finally, use the –help option to see the available options, no matter the version or OS.
You can do some pretty simple testing of ports and network communications using strategies I’ve outlined in the past with tcpdump, trace route, telnet, curl, stroke and of course ping. However, netcat has a few interesting things you can do with it; namely actually run a port super-quickly to test traffic between subnets, forcing scans of ipv6 traffic, debugging sockets, keeping connections alive, parodying through SOCKS 4 and 5 and just checking for daemons that are listening rather than actually sending data to them.
In this first example, we’re going to just check that Apple’s web server is accessible (adding -v for verbose output):
/usr/bin/nc -v www.apple.com 80
The result would be pretty verbose
found 0 associations
found 1 connections:
src 10.10.20.176 port 50575
dst 18.104.22.168 port 80
rank info not available
TCP aux info available
Connection to www.apple.com port 80 [tcp/http] succeeded!
HTTP/1.0 408 Request Time-out
Date: Tue, 29 Jul 2014 15:41:34 GMT
Expires: Tue, 29 Jul 2014 15:41:34 GMT
The server timed out while waiting for the browser’s request.<P>
If we added a -w to timeout we’ll cut out all the cruft (but wouldn’t know that the server’s at Akamai). Next, we’ll get a little more specific and fire up a test to check Apple’s push gateway at, using port 2195:
/usr/bin/nc -v -w 15 gateway.push.apple.com 2195
But, I want the cruft for the purposes of this article. Next, we can add a -4 to force connections over IPv4 and check the Apple feedback server and port 2196, also required for APNs functionality:
/usr/bin/nc -v -4 feedback.push.apple.com 2196
Right about now, something is probably happening at Apple where they’re getting sick of me sending all this data their direction, so let’s add a -z option, to just scan for daemons, without actually sending any data their way:
/usr/bin/nc -vz -4 feedback.push.apple.com 2196
Because of how NAT works, you might notice that the src port keeps changing (incrementing actually). Here’s the thing, we’re gonna’ go ahead and force our source port to stay the same as our destination port using the -p option:
/usr/bin/nc -vz -4 -p 2196 feedback.push.apple.com 2196
Now, what if this is failing? Well, let’s spin up a listener. I like to start on my own subnet, then move to another subnet on the same network and ultimately to another network so I’m checking zone-by-zone so-to-speak, for such a failure. So, we can spin up a listener with netcat in a few seconds using the -l option on another host:
/usr/bin/nc -l 2196
Then I can scan myself:
/usr/bin/nc 127.0.0.1 2196
I could also do this as a range if I forgot which port I used per host:
/usr/bin/nc 127.0.0.1 2195-2196
Now, as is often the case, if our connection problem is because data isn’t parodying, we can also use nc to check that using the -x operator followed by an IP and then : and a port. For example:
/usr/bin/nc -vz -4 -w 10 -p 2196 -x 10.0.0.2:8080 feedback.push.apple.com 2195-2196
Fun times with push notifications. Enjoy.
The nmap application is a pretty easy-to-use tool that can be used to port scan objects in a network environment. To obtain mmap in an easy-to-use package installer, for OS X check out the download page at http://nmap.org/download.html#macosx (use the same page to grab it for Windows or *nix as well). Once downloaded run the package/rpm/whatever.
Before I scan a system, I like to pull the routing table and eth info to determine how scans are being run, which can be run by using the mmap command anong with the —iflist option:
To then scan a computer, just use the mmap command followed by the host name or even throw a -v option in there to see more information (you can use a hostname or an IP):
nmap -v www.apple.com
Use the -6 option if scanning via IPv6:
nmap -v -6 8a33:1a2c::83::1a
Can drop the -v for less info on these, but I usually like more than less. Shows ports, states, services (for the ports) and a MAC address for each IP being scanned.
You can also scan a range of IPs. I usually take the lazy way for this, by using a wildcard. I can replace an octet to scan all objects in that octet. For example, to scan all systems running on the 192.168.210 class B:
You can scan a subnet, which can cover more or less than one octet worth of IPs, by including the net mask:
You can also just list a range, which is much easier in some cases, using the —exclude option to remove an address that will be angry if port scanned:
nmap 192.168.210.1-100 —exclude 192.168.210.25
Or to do a few hosts within that range:
Of you can even use the following to read in a list of addresses and subnets where each is on its own line:
nmap -iL ~/nmaplist.txt
By default, mmap is scanning all ports. However, if you know what you’re looking for, scans can be processed much faster if you constrain it to a port or range of ports. Use the -p option to identify a port and then T: for only TCP or U: for only UDP, or neither to do both. Additionally, you can scan a range of ports or separate ports using the same syntax used for identifying multiple hosts. For example, here we’ll scan 53, 80, 110, 443 and 143:
nmap -p 53,80,110,143,443
DO OS detection using the -A option:
nmap -A www.apple.com
For true remote OS detection, use -O with —osscan-guess:
mmap -v -O —osscan-guess mail.krypted.com
We can also output to a text file, using the -o option (or of course > filename but -o is more elegant here unless you’re parsing elsewhere in the line):
mmap -v -o ~/Desktop/nmapresults.txt -O —osscan-guess mail.krypted.com
Next, we’ll look at trying to bypass pesky annoyances like stageful packet inspection on firewalls. First, check whether there is actually a firewall using -s:
nmap -sA www.apple.com
Scan even if the host is protected by a firewall:
nmap -PN www.apple.com
Just check to see if some devices are up even if behind a firewall:
nmap -sP 192.168.210.10-20
Run a scan using Syn and ACK scans, run mmap along with the either -PS or -PA options (shown respectively):
nmap -PS 443 www.apple.com
nmap -PA 443 www.apple.com
Try to determine why ports are in a specific state:
nmap —reason www.apple.com
Show all sent/recvd packets:
nmap —packet-trace www.apple.com
Try to read the header of remote ports to determine a version number of the software:
nmap -sV www.apple.com
Next, we can look at actually using nmap to test the attacking waters a little bit. First, we’ll try and spoof another MAC address, using the —spoof-mac options. We’ll use the 0 position after that option to indicate that we’re randomly generating a Mac, although we could use a real MAC in place of the 0:
nmap -v -sT —spoof-mac 0 www.apple.com
Next, let’s try to add a decoy, which allows us to spoof some IPs and use that as decoys so our target doesn’t suspect our IP as one that’s actually scanning them (note that our IP we’re testing from is 192.168.210.210):
nmap -n -192.168.210.1,192.168.210.10,192.168.210.210,192.168.210.254
Then, send some crazy packets (not an official term like magic packets, just my own term for throwing a curve ball at things and testing for the viability of syn-flood or Xmas packet attacking):
nmap -sX www.apple.com
Configure a custom mtu:
nmap —mtu 64 www.apple.com
Fragment your packets:
nmap -f www.apple.com
Note: None of Apple’s servers were damaged in the writing of this article. I did a find/replace at the end, when I realized I didn’t want all of you hitting www.krypted.com.
The Southern California Linux Expo Call For Papers is open for SCALE 2009:
I recently read an article that Solaris is a dead OS (or will be rather shortly). I beg to differ, proveded the hardware support is there. Solaris can still multithread better than anyone. Solaris’ ZFS is still the most superior file system available (although before the ReiserFS founder got put in prison for wasting his wife it looked poised for greatness) and the Sun hardware is still best of breed. Sun as a company is also going to be building tighter integration into MySQL, which should help boost numbers.
But the pony-tail-laden chief of Sun definitely has his work cut out for him. There are certain acquisitions that have not been smooth (cough – tape libraries) and still need to get finished up. There’s also the need to find a really good synergy between MySQL and Sun, where the Open Source community can continue to love and leverage MySQL without being forced into Sun products, but still provide a value-add from using Sun products. Hard thing to do. There’s also Java and all the services surrounding it and of course OpenSolaris, which is picking up new converts all the time – but which still lacks the trend setting aspects of Fedora and Ubuntu.
To me it seems that what Sun really needs is an identity. It really seems that there’s a lack of a cohesive vision that encompasses all of the products they have. Take NetApp as an example. They’re a storage vendor. Same with EMC – although EMC has purchased a lot of other companies, those purchases are geared towards driving storage sales. Sun just seems to be blowing around in the winds of a certain economy and IT market, both should be rectified if they are to retain their position in the IT community.
In short, Sun needs to circle the wagons, perhaps divest assets that do not work with the core and reinvest heavily into the core with the increased cash position that would provide. Sun has some of the most talented engineers in the world. They need to retain them and allow them to innovate – in much the same way that Google has allowed their engineers to innovate. Sun also needs to rebuild their sales channel from the ground up, getting away from the monolithic sales strategy and zeroing in on what helps their core – hard to do without really telling the world what your core is. I wish them all the luck, ’cause I love their products (a love that goes back to my Sparc20 days). I don’t think it’s too late, but they need to do something soon or they will end up not surviving.
No, this isn’t the new version of my wife (although there is a new version out and it’s awesome;). Instead, LISA’08 is the 22nd year of the Large Installation System Administration conference in San Diego California. LISA runs from November 9 to November 14th of 2008 and looks to be a conference those who do mass deployment might not want to miss. The biggee this year is virtualization: ESX, ESX 3i, Xen, etc. But there are alos talks on security, forensics, the Linux Kernel, Performance tools for Solaris and Linux, Perl mods, network performance tuning, wireshark, diskless Linux, SELinux, mass deployment of database servers, disk-to-disk backups for Unix, cfengine, directory services, incident response and documentation. Way more stuff too, but what is oddly missing is even a cursory mention of Mac OS X. I suppose the mass deployments that we’re all working on in the Mac world just don’t matter. We did talk about doing something down there, but it doesn’t seem as though the LISA coordinators think there’s much interest in the Mac. Hmmmm… Either way, if you’re a Mac guy, you’re sure to pick up lots of great *nix and network skillz there, so you might as well head down if you can.