Differences
This shows you the differences between two versions of the page.
|
ep:labs:04:contents:tasks:ex2 [2021/10/05 12:58] radu.mantu [02. [??p] Network Exploration] |
ep:labs:04:contents:tasks:ex2 [2025/02/11 23:36] (current) cezar.craciunoiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ==== 02. [??p] Network Exploration ==== | + | ==== 02. [20p] Swap space ==== |
| - | === [??p] Task A - ARP vs ICMP === | + | <note warning> |
| + | Before starting this task, call the assistant to show him your progress. If you manage to freeze your PC, it might prove tricky to do so afterwards. | ||
| + | </note> | ||
| - | The [[https://datatracker.ietf.org/doc/html/rfc826|Address Resolution Protocol (ARP)]] resolves layer 2 addresses (MAC) from layer 3 addresses (e.g.: IP). Normally, all hosts are compelled to reply to ARP requests, but this can be fiddled with using tools such as **arptables**. You can show the currently known neighbors using **iproute2**. | + | === [10p] Task A - Swap File === |
| - | <code bash> | + | First, let us check what swap devices we have enabled. Check the //NAME// and //SIZE// columns of the following command: |
| - | $ ip -c neigh show | + | <code> |
| + | $ swapon --show | ||
| </code> | </code> | ||
| + | No output means that there are no swap devices available. | ||
| - | <note tip> | + | If you ever installed a Linux distro, you may remember creating a separate //swap partition//. This, however, is only one method of creating swap space. The other is by adding a //swap file//. Run the following commands: |
| - | //Pro tip #2//: yes, **ip** can also generate color output. Most people don't know this and still use **ifconfig**, even though it's already deprecated at this point. Add this as an alias to your //.bashrc// or //.zshrc// and source it. | + | <code> |
| + | $ sudo swapoff -a | ||
| + | $ sudo dd if=/dev/zero of=/swapfile bs=1024 count=$((4 * 1024 * 1024)) | ||
| + | $ sudo chmod 600 /swapfile | ||
| + | $ sudo mkswap /swapfile | ||
| + | $ sudo swapon /swapfile | ||
| - | <code bash> | + | $ swapon --show |
| - | # alias for iproute2 color output | + | |
| - | alias ip='ip -c' | + | |
| </code> | </code> | ||
| - | </note> | ||
| - | The [[https://datatracker.ietf.org/doc/html/rfc792|Internet Control Message Protocol (ICMP)]] is an ancillary protocol meant mainly to report errors between hosts. Sometimes it can also be used to perform measurements (**ping**) or to inform network participants of better routes ([[https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html|Redirect Messages]]). There are many ICMP functionalities, most of which are now deprecated. Note that some network equipment may not be capable of understanding new and officially recognized protocols, while other may not even recognize experimental ICMP codepoints (i.e.: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml|type=253,254]]) and simply drop the packet. Because ICMP can be used to stage attacks in a network, some operating systems (e.g.: Windows ≥7) went so far as to disable Echo Replies by default. | + | Just to clarify what we did: |
| + | * disabled all swap devices | ||
| + | * created a 4Gb zero-initialized file | ||
| + | * set the permission to the file so only //root// can edit it | ||
| + | * created a swap area from the file using **mkswap** (works on devices too) | ||
| + | * activated the swap area | ||
| - | == The Task(s) == | + | The new swap area is temporary and will not survive a reboot. To make it permanent, we need to register it in [[https://en.wikipedia.org/wiki/Fstab|/etc/fstab]] by adding a line such as this: |
| - | Use **arp-scan** to scan your //local// network while monitoring ARP traffic with **wireshark** to get a sense of what's going on. | + | <code> |
| - | After that, use the following script to identify hosts discoverable via ARP but not ICMP. | + | /swapfile swap swap defaults 0 0 |
| + | </code> | ||
| - | <spoiler> | + | === [10p] Task B - Does it work? === |
| - | //Hint: click on the file name to download the snippet below.// | + | |
| - | <file bash localnet-ping.sh> | + | In one terminal run **vmstat** and look at the //swpd// and //free// columns. |
| - | #!/bin/bash | + | <code> |
| + | $ vmstat -w 1 | ||
| + | </code> | ||
| - | # localnet-ping.sh - performs differential ARP / ICMP scan | + | In another terminal, open a python shell and allocate a bit more memory than the available RAM. Identify the moment when the newly created swap space is being used. |
| - | # $1 : [required] interface name | + | |
| - | if [ "$#" -ne 1 ]; then | + | One thing you might notice is that the value in **vmstat**'s //free// column is lower than before. This does not mean that you have less available RAM after creating the swap file. Remember using the **dd** command to create a 4GB file? A big chunk of RAM was used to buffer the data that was written to disk. If //free// drops to unacceptable levels, the kernel will make sure to reclaim some of this buffer/cache memory. To get a clear view of how much available memory you actually have, try running the following command: |
| - | echo "Usage: ./localnet-ping.sh <interface>" | + | |
| - | exit 1 | + | |
| - | fi | + | |
| - | # generate list of IPs and hostnames in local network for given interface | ||
| - | localnet_hosts=$(sudo arp-scan \ | ||
| - | --interface=$1 `# scanned network` \ | ||
| - | --localnet `# only local network` \ | ||
| - | | head -n -3 `# hide footer lines` \ | ||
| - | | tail -n +3 `# hide header lines` \ | ||
| - | | awk '{$2=""; print $0}' `# hide MAC address` \ | ||
| - | ) | ||
| - | |||
| - | # process generated list, one item at a time | ||
| - | while read -r it; do | ||
| - | # separate IP from hostname | ||
| - | current_ip=$(awk '{print $1}' <<< $it) | ||
| - | current_host=$(awk '{$1=""; print $0}' <<< $it) | ||
| - | |||
| - | printf '\033[1;33m%15s %-35s \033[0;33m==> \033[0m' \ | ||
| - | $current_ip "$current_host" | ||
| - | |||
| - | # ping current host | ||
| - | ping -c 1 `# only one ping` \ | ||
| - | -W 1 `# 1s timeout` \ | ||
| - | $current_ip `# target host` \ | ||
| - | 1>/dev/null 2>&1 | ||
| - | |||
| - | # evaluate ping success | ||
| - | if [ $? -eq 0 ]; then | ||
| - | printf '\033[1;32mok\n\033[0m' | ||
| - | else | ||
| - | printf '\033[1;31mfail\n\033[0m' | ||
| - | fi | ||
| - | done <<< "$localnet_hosts" | ||
| - | </file> | ||
| - | </spoiler> | ||
| - | |||
| - | <solution -hidden> | ||
| <code bash> | <code bash> | ||
| - | $ sudo arp-scan --interface eth0 --localnet | + | $ free -h |
| </code> | </code> | ||
| - | </solution> | ||
| - | === [??p] Task B - nmap vs traceroute === | + | Observe that once you close the python shell and the memory is freed, //swpd// still displays a non-zero value. Why? There simply isn't a reason to clear the data from the swap area. If you really want to clean up the used swap space, try the following: |
| - | + | <code> | |
| - | **nmap** is a network exploration tool and a port scanner. Today, we will look only at a specific functionality that it shares with the **traceroute** utility. | + | $ vmstat |
| - | + | $ sudo swapoff -a && sudo swapon -a | |
| - | Route discovery is simple in principle: IPv4 packets have a **Time to Live (TTL)** field that is decremented by 1 with each hop, thus ensuring a limited packet lifespan (imagine routing loops without TTL). Even if the TTL is 0, the layer 3 network equipment //must// process the received packet (the destination host can accept a packet with TTL=0). Routers //may// check the TTL field only if they are to forward the packet. If the TTL is already 0, the packet is dropped and a //ICMP Time-To-Live Exceeded// message is issued to the source IP. By sending packets with incrementally larger TTL values, it is possible to obtain the IP of each router on the path (at least in theory). | + | $ vmstat |
| - | + | ||
| - | == The Task(s) == | + | |
| - | + | ||
| - | With 8.8.8.8 as a target, use **wireshark** to view the traffic generated by both **nmap** and **traceroute**. What differences can you find in their default mode of operation? | + | |
| - | + | ||
| - | <code bash> | + | |
| - | $ sudo nmap \ | + | |
| - | -sn `# disable port scan` \ | + | |
| - | -Pn `# disable host discovery` \ | + | |
| - | -tr `# perform traceroute` \ | + | |
| - | 8.8.8.8 | + | |
| - | $ traceroute 8.8.8.8 | + | |
| </code> | </code> | ||
| <solution -hidden> | <solution -hidden> | ||
| - | **traceroute**: | + | Output here: |
| - | * increments TTL starting from 1 | + | |
| - | * uses UDP by default (can also use ICMP and TCP if specified) | + | |
| - | **nmap**: | + | |
| - | * starts off with a high TTL value and decrements it | + | |
| - | * uses ICMP because we didn't perform a port scan first | + | |
| - | </solution> | + | |
| - | If we do allow for a port scan by removing ''-sn'' (default is a TCP-based scan; use ''-sU'' for a UDP scan), this will take place //before// the actual traceroute. What changes does this bring? | + | {{ :ep:labs:ep2017_l2_ex05.png?550 |}} |
| - | <solution -hidden> | + | Free memory goes down, swap usage goes up. |
| - | **nmap** has collected information about open ports, so it uses the same protocol (i.e.: TCP, UDP respectively) since it knows that the packets will reach the destination. If OS detection is enabled, it should be able to guess the distance (in number of hops) and start off with a proper TTL value. Otherwise, it starts from 10, decreasing to 1 and then increasing from 11 to 30 until the destination host is actually reached. This is done for the sake of its internal caching algorithm that presumably requires 5 less packets per experiment than **traceroute**. | + | |
| </solution> | </solution> | ||
| + | Create two swap files. Set their priorities to 10 and 20, respectively. \\ | ||
| + | Include the commands (copy+paste) or a screenshot of the terminal. \\ | ||
| + | Also add 2 advantages and disadvantages when using a //swap file// comparing with a //swap partition//. | ||
