Network management: Difference between revisions

From Han Wiki
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Defense =
== Block all packets from a 1.2.3.0/24 ==
<source lang="console">
$ sudo iptables -I INPUT -s 117.25.128.0/24 -j DROP
</source>
= Tray =
== Making a samba share ==
== Making a samba share ==
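Review bot: the added heading "Block all packets from a 1.2.3.0/24" names a different network from the command under it, which drops 117.25.128.0/24. Use the same network in both, and drop the stray "a" before the CIDR, so a reader copying the line can see which value to substitute.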


Line 5: Line 17:
at the end of <span class="shell">/etc/samba/smb.conf</span> add a share config.
at the end of <span class="shell">/etc/samba/smb.conf</span> add a share config.


<syntaxhighlight lang="properties">
<source lang="properties">
[ea]
[ea]
         comment = pistis - echo admin
         comment = pistis - echo admin
Line 12: Line 24:
         read only = No
         read only = No
         create mask = 0755
         create mask = 0755
</syntaxhighlight>
</source>


then add the Samba account.
then add the Samba account.


<syntaxhighlight lang="bash">
<source lang="bash">
$ sudo smbpasswd -a mhan
$ sudo smbpasswd -a mhan
</syntaxhighlight>
</source>


then restart samba
then restart samba


<syntaxhighlight lang="bash">
<source lang="bash">
$ sudo systemctl restart smbd.service nmbd.service
$ sudo systemctl restart smbd.service nmbd.service
</syntaxhighlight>
</source>


then on Windows execute the following. For the username, you may have to enter it in the form <span class="package">mhan@pistis</span> or <span class="package">pistis\mhan</span>. Enter the password you used when you added the Samba account for the user.
then on Windows execute the following. For the username, you may have to enter it in the form <span class="package">mhan@pistis</span> or <span class="package">pistis\mhan</span>. Enter the password you used when you added the Samba account for the user.


<syntaxhighlight lang="doscon">
<source lang="doscon">
C:\>net use Z: \\pistis\ea /savecred /persistent:yes
C:\>net use Z: \\pistis\ea /savecred /persistent:yes
</syntaxhighlight>
</source>
 


== Checking the accessibility of a port through the network ==
== Checking the accessibility of a port through the network ==
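Review bot: the changed tag pairs in this hunk replace <syntaxhighlight lang="..."> with <source lang="...">, which is the deprecated alias of the same SyntaxHighlight tag. Keep <syntaxhighlight> for these blocks and use it for the newly added sections too, so the page does not mix the two forms.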
Line 45: Line 58:
<source lang="bash">
<source lang="bash">
$ traceroute pisteo.example.com
$ traceroute pisteo.example.com
</source>
== Get public IP address from CLI ==
<source lang="console">
$ dig +short myip.opendns.com @resolver1.opendns.com // this one doesn't seem to work
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'
$ wget -qO- http://ipecho.net/plain | xargs echo
</source>
== Query DNS record ==
<source lang="console">
$ dig +short -t txt _acme-challenge.domain.com
"kjg8gWocWWlJXrQIVYsxT1b7JkPsQoI2iJlsaetnOAU"
$ host -t txt _acme-challenge.domain.com
_acme-challenge.domain.com descriptive text "kjg8gWocWWlJXrQIVYsxT1b7JkPsQoI2iJlsaetnOAU"
</source>
== Get local IP address from CLI ==
<source lang="console">
$ hostname -I | awk '{print $1}'
192.168.86.21
</source>
== Get server certificate fingerprint ==
<source lang="console">
$ gnutls-cli --insecure vpn.server.edu
Processed 0 CA certificate(s).
Resolving 'vpn.server.edu'...
Connecting to '129.24.220.45:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=US,postalCode=12331,ST=VA,L=Springfield,street=1 University of Muchakan,O=University of Muchakan,OU=IT,CN=vpn.server.edu', issuer `C=US,ST=MI,L=Ann Arbor,O=Internet2,OU=InCommon,CN=InCommon RSA Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-04 00:00:00 UTC', expires `2020-04-03 23:59:59 UTC', SHA-1 fingerprint `9521c4b9db51e376a9527ca38d46925e09e171f1'
        Public Key ID:
                4390f7806426e1db181442a4b31dfe2887fb5b33
        Public key's random art:
                +--[ RSA 2048]----+
                | o+ =+=o        |
                | . + +o.o        |
                |o . o  ..o      |
                | = . = .  .      |
                |. o o . S        |
                | . o    .      |
                |o o o            |
                | + oE            |
                |..o...          |
                +-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
- Description: (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)
- Session ID: BB:02:45:FF:1D:DB:E9:D3:25:FF:BA:80:8B:45:01:FF:27:04:26:41:50:A8:9D:9A:E6:62:C8:0F:50:4D:85:9B
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed
- Simple Client Mode:
^C
$
</source>
== Network tracing using tools built in to Windows ==
<source lang="dos">
c:\files> netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=no traceFile=C:\Temp\NetTrace.etl
</source>
</source>
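Review bot: in the added "Get server certificate fingerprint" block, gnutls-cli is run with --insecure and the pasted output itself says "The certificate is NOT trusted", so the SHA-1 fingerprint shown proves nothing until it is compared with a value obtained from the server operator over another channel; add a sentence saying so. Separately, the "// this one doesn't seem to work" text on the first dig line sits inside the console block and would be passed to dig as extra arguments if pasted; make it a # comment or move it into prose.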

Latest revision as of 17:45, 24 March 2021

Defense

Block all packets from a /24 subnet (here 117.25.128.0/24)

$ sudo iptables -I INPUT -s 117.25.128.0/24 -j DROP


Tray

Making a samba share

  • Last tested on Ubuntu 16.04 LTS (xenial) & Windows 10.0.10586

At the end of /etc/samba/smb.conf, add a share config.

[ea]
        comment = pistis - echo admin
        path = /var/www/ea
        admin users = mhan
        read only = No
        create mask = 0755

Then add the Samba account.

$ sudo smbpasswd -a mhan

Then restart Samba.

$ sudo systemctl restart smbd.service nmbd.service

Then, on Windows, run the following. For the username, you may have to enter it in the form mhan@pistis or pistis\mhan. Enter the password you used when you added the Samba account for the user.

C:\>net use Z: \\pistis\ea /savecred /persistent:yes
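
The share above relies on "admin users", which makes the listed account do all file operations as root on that share, and it has no "valid users" line. As an added example (not part of the original page), this script audits an smb.conf for those two conditions; the function names and the [global] stanza in the sample are assumptions.

```bash
#!/usr/bin/env bash
# Constructed sample: the [ea] share from this page under a minimal [global].
sample_smb_conf() {
cat <<'EOF'
[global]
        workgroup = WORKGROUP
[ea]
        comment = pistis - echo admin
        path = /var/www/ea
        admin users = mhan
        read only = No
        create mask = 0755
EOF
}

# audit_shares: read an smb.conf on stdin and print one line per finding.
# (Hypothetical helper; it only inspects "admin users" and "valid users".)
audit_shares() {
  awk '
    function report() {
      if (share == "" || share == "global") return
      if (admin != "")
        print share ": admin users (" admin ") do all file operations as root"
      if (!valid)
        print share ": no valid users list, any authenticated account may connect"
    }
    /^[ \t]*([#;]|$)/ { next }                      # comments and blank lines
    /^[ \t]*\[.*\]/ {                               # start of a new [section]
      report()
      share = tolower($0); gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
      admin = ""; valid = 0; next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(substr($0, 1, eq - 1))          # keys are case-insensitive
      gsub(/[ \t]+/, " ", key); gsub(/^ | $/, "", key)
      val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "admin users" && val != "") admin = val
      if (key == "valid users" && val != "") valid = 1
    }
    END { report() }
  '
}

sample_smb_conf | audit_shares
```

A share that sets "valid users = mhan" and "write list = mhan" in place of "admin users" produces no findings.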


Checking the accessibility of a port through the network

Checking if port 8080 is accessible on pisteo.example.com

$ sudo hping3 -T -t 1 -p 8080 pisteo.example.com


Tracing a route

$ traceroute pisteo.example.com

Get public IP address from CLI

$ dig +short myip.opendns.com @resolver1.opendns.com   # this one doesn't seem to work

$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'

$ wget -qO- http://ipecho.net/plain | xargs echo


Query DNS record

$ dig +short -t txt _acme-challenge.domain.com
"kjg8gWocWWlJXrQIVYsxT1b7JkPsQoI2iJlsaetnOAU"
$ host -t txt _acme-challenge.domain.com
_acme-challenge.domain.com descriptive text "kjg8gWocWWlJXrQIVYsxT1b7JkPsQoI2iJlsaetnOAU"


Get local IP address from CLI

$ hostname -I | awk '{print $1}'
192.168.86.21


Get server certificate fingerprint

$ gnutls-cli --insecure vpn.server.edu
Processed 0 CA certificate(s).
Resolving 'vpn.server.edu'...
Connecting to '129.24.220.45:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `C=US,postalCode=12331,ST=VA,L=Springfield,street=1 University of Muchakan,O=University of Muchakan,OU=IT,CN=vpn.server.edu', issuer `C=US,ST=MI,L=Ann Arbor,O=Internet2,OU=InCommon,CN=InCommon RSA Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-04 00:00:00 UTC', expires `2020-04-03 23:59:59 UTC', SHA-1 fingerprint `9521c4b9db51e376a9527ca38d46925e09e171f1'
        Public Key ID:
                4390f7806426e1db181442a4b31dfe2887fb5b33
        Public key's random art:
                +--[ RSA 2048]----+
                | o+ =+=o         |
                | . + +o.o        |
                |o . o  ..o       |
                | = . = .  .      |
                |. o o . S        |
                | . o     .       |
                |o o o            |
                | + oE            |
                |..o...           |
                +-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
- Description: (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)
- Session ID: BB:02:45:FF:1D:DB:E9:D3:25:FF:BA:80:8B:45:01:FF:27:04:26:41:50:A8:9D:9A:E6:62:C8:0F:50:4D:85:9B
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:


^C
$
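
Because --insecure skips chain validation, the fingerprint in that output is only useful when compared with a value obtained from the server operator out of band. As an added example (not part of the original page), this script parses gnutls-cli output, compares the SHA-1 fingerprint with a pinned value and checks the expiry date; the function names are assumptions and the sample is the page's output with subject and issuer shortened.

```bash
#!/usr/bin/env bash
# Constructed sample: the Certificate[0] lines from the gnutls-cli output on
# this page, with the subject and issuer shortened.
sample_output() {
cat <<'EOF'
- Certificate[0] info:
 - subject `CN=vpn.server.edu', issuer `CN=InCommon RSA Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-04 00:00:00 UTC', expires `2020-04-03 23:59:59 UTC', SHA-1 fingerprint `9521c4b9db51e376a9527ca38d46925e09e171f1'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
EOF
}

# Print the first certificate's fingerprint (lowercase hex) from stdin.
leaf_fingerprint() {
  sed -n "s/.*SHA-1 fingerprint \`\([0-9a-fA-F]\{40\}\)'.*/\1/p" |
    head -n 1 | tr 'A-F' 'a-f'
}

# Print the first certificate's "expires" timestamp from stdin.
leaf_expiry() {
  sed -n "s/.*expires \`\([^']*\)'.*/\1/p" | head -n 1
}

# verify_pin PINNED [NOW_EPOCH]: read gnutls-cli output on stdin.
# Returns 0 = pin matches and cert is current, 1 = mismatch, 2 = expired,
# 3 = no fingerprint or date could be parsed. Assumes GNU or BusyBox date.
verify_pin() {
  local pinned now out fp exp exp_epoch
  pinned=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
  now=${2:-$(date +%s)}
  out=$(cat)
  fp=$(printf '%s\n' "$out" | leaf_fingerprint)
  [ -n "$fp" ] || return 3
  [ "$fp" = "$pinned" ] || return 1
  exp=$(printf '%s\n' "$out" | leaf_expiry)
  [ -n "$exp" ] || return 3
  exp_epoch=$(date -u -d "${exp% UTC}" +%s 2>/dev/null) || return 3
  [ "$now" -lt "$exp_epoch" ] || return 2
}

# Live use (PINNED comes from the server operator, not from this connection):
#   gnutls-cli --insecure vpn.server.edu </dev/null | verify_pin "$PINNED"
```

The pinned value may be given with or without colons and in either case; the optional second argument fixes "now" so the expiry check can be reproduced.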


Network tracing using tools built in to Windows

c:\files> netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=no traceFile=C:\Temp\NetTrace.etl