Merge pull request #153 from ImmortalPC/master

[IPTABLES,TCPDUMP] Add cheats for iptables and tcpdump
2014-03-30 10:04:22 -04:00 · 2014-03-30 10:04:22 -04:00 · a858032d60
parent 0ab7dcdcc9 65c50bc5b3
commit a858032d60
3 changed files with 84 additions and 0 deletions
--- a/cheatsheets/iptables
+++ b/cheatsheets/iptables
@ -0,0 +1,18 @@
 # Show hit for rules with auto refresh
 watch --interval 0 'iptables -nvL | grep -v "0     0"'
 # Show hit for rule with auto refresh and highlight any changes since the last refresh
 watch -d -n 2 iptables -nvL
 # Block the port 902 and we hide this port from nmap.
 iptables -A INPUT -i eth0 -p tcp --dport 902 -j REJECT --reject-with icmp-port-unreachable
 # Note, --reject-with accept:
 #	icmp-net-unreachable
 #	icmp-host-unreachable
 #	icmp-port-unreachable <- Hide a port to nmap
 #	icmp-proto-unreachable
 #	icmp-net-prohibited
 #	icmp-host-prohibited or
 #	icmp-admin-prohibited
 #	tcp-reset
--- a/cheatsheets/ssh
+++ b/cheatsheets/ssh
@ -16,5 +16,8 @@ ssh -X -t user@example.com 'chromium-browser'
 # To create a SOCKS proxy on localhost and port 9999
 ssh -D 9999 user@example.com
 # -X use an xsession, -C compress data, "-c blowfish" use the encryption blowfish
 ssh user@example.com -C -c blowfish -X
 # For more information, see:
 # http://unix.stackexchange.com/q/12755/44856
--- a/cheatsheets/tcpdump
+++ b/cheatsheets/tcpdump
@ -0,0 +1,63 @@
 # TCPDump is a packet analyzer. It allows the user to intercept and display TCP/IP
 # and other packets being transmitted or received over a network. (cf Wikipedia).
 # Note: 173.194.40.120 => google.com
 # Intercepts all packets on eth0
 tcpdump -i eth0
 # Intercepts all packets from/to 173.194.40.120
 tcpdump host 173.194.40.120
 # Intercepts all packets on all interfaces from / to 173.194.40.120 port 80
 # -nn => Disables name resolution for IP addresses and port numbers.
 tcpdump -nn -i any host 173.194.40.120 and port 80
 # Make a grep on tcpdump (ASCII)
 # -A  => Show only ASCII in packets.
 # -s0 => By default, tcpdump only captures 68 bytes.
 tcpdump -i -A any host 173.194.40.120 and port 80 | grep 'User-Agent'
 # With ngrep
 # -d eth0 => To force eth0 (else ngrep work on all interfaces)
 # -s0 => force ngrep to look at the entire packet. (Default snaplen: 65536 bytes)
 ngrep 'User-Agent' host 173.194.40.120 and port 80
 # Intercepts all packets on all interfaces from / to 8.8.8.8 or 173.194.40.127 on port 80
 tcpdump 'host ( 8.8.8.8 or 173.194.40.127 ) and port 80' -i any
 # Intercepts all packets SYN and FIN of each TCP session.
 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
 # To display SYN and FIN packets of each TCP session to a host that is not on our network
 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net local_addr'
 # To display all IPv4 HTTP packets that come or arrive on port 80 and that contain only data (no SYN, FIN no, no packet containing an ACK)
 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
 # Saving captured data
 tcpdump -w file.cap
 # Reading from capture file
 tcpdump -r file.cap
 # Show content in hexa
 # Change -x to -xx => show extra header (ethernet).
 tcpdump -x
 # Show content in hexa and ASCII
 # Change -X to -XX => show extra header (ethernet).
 tcpdump -X
 # Note on packet maching:
 # Port matching:
 # - portrange 22-23
 # - not port 22
 # - port ssh
 # - dst port 22
 # - src port 22
 #
 # Host matching:
 # - dst host 8.8.8.8
 # - not dst host 8.8.8.8
 # - src net 67.207.148.0 mask 255.255.255.0
 # - src net 67.207.148.0/24