mirror of
https://github.com/cheat/cheat.git
synced 2024-12-18 18:55:06 +01:00
[IPTABLES,TCPDUMP] Add cheats for iptables and tcpdump
This commit is contained in:
parent
0ab7dcdcc9
commit
b4c5b7f2f9
18
cheatsheets/iptables
Normal file
18
cheatsheets/iptables
Normal file
@ -0,0 +1,18 @@
|
||||
# Show hit for rules with auto refresh
|
||||
watch --interval 0 'iptables -nvL | grep -v "0 0"'
|
||||
|
||||
# Show hit for rule with auto refresh and highlight any changes since the last refresh
|
||||
watch -d -n 2 iptables -nvL
|
||||
|
||||
# Block the port 902 and we hide this port from nmap.
|
||||
iptables -A INPUT -i eth0 -p tcp --dport 902 -j REJECT --reject-with icmp-port-unreachable
|
||||
|
||||
# Note, --reject-with accept:
|
||||
# icmp-net-unreachable
|
||||
# icmp-host-unreachable
|
||||
# icmp-port-unreachable <- Hide a port to nmap
|
||||
# icmp-proto-unreachable
|
||||
# icmp-net-prohibited
|
||||
# icmp-host-prohibited or
|
||||
# icmp-admin-prohibited
|
||||
# tcp-reset
|
63
cheatsheets/tcpdump
Normal file
63
cheatsheets/tcpdump
Normal file
@ -0,0 +1,63 @@
|
||||
# TCPDump is a packet analyzer. It allows the user to intercept and display TCP/IP
|
||||
# and other packets being transmitted or received over a network. (cf Wikipedia).
|
||||
# Note: 173.194.40.120 => google.com
|
||||
|
||||
# Intercepts all packets on eth0
|
||||
tcpdump -i eth0
|
||||
|
||||
# Intercepts all packets from/to 173.194.40.120
|
||||
tcpdump host 173.194.40.120
|
||||
|
||||
# Intercepts all packets on all interfaces from / to 173.194.40.120 port 80
|
||||
# -nn => Disables name resolution for IP addresses and port numbers.
|
||||
tcpdump -nn -i any host 173.194.40.120 and port 80
|
||||
|
||||
# Make a grep on tcpdump (ASCII)
|
||||
# -A => Show only ASCII in packets.
|
||||
# -s0 => By default, tcpdump only captures 68 bytes.
|
||||
tcpdump -i -A any host 173.194.40.120 and port 80 | grep 'User-Agent'
|
||||
|
||||
# With ngrep
|
||||
# -d eth0 => To force eth0 (else ngrep work on all interfaces)
|
||||
# -s0 => force ngrep to look at the entire packet. (Default snaplen: 65536 bytes)
|
||||
ngrep 'User-Agent' host 173.194.40.120 and port 80
|
||||
|
||||
# Intercepts all packets on all interfaces from / to 8.8.8.8 or 173.194.40.127 on port 80
|
||||
tcpdump 'host ( 8.8.8.8 or 173.194.40.127 ) and port 80' -i any
|
||||
|
||||
# Intercepts all packets SYN and FIN of each TCP session.
|
||||
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
|
||||
|
||||
# To display SYN and FIN packets of each TCP session to a host that is not on our network
|
||||
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net local_addr'
|
||||
|
||||
# To display all IPv4 HTTP packets that come or arrive on port 80 and that contain only data (no SYN, FIN no, no packet containing an ACK)
|
||||
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
|
||||
|
||||
# Saving captured data
|
||||
tcpdump -w file.cap
|
||||
|
||||
# Reading from capture file
|
||||
tcpdump -r file.cap
|
||||
|
||||
# Show content in hexa
|
||||
# Change -x to -xx => show extra header (ethernet).
|
||||
tcpdump -x
|
||||
|
||||
# Show content in hexa and ASCII
|
||||
# Change -X to -XX => show extra header (ethernet).
|
||||
tcpdump -X
|
||||
|
||||
# Note on packet maching:
|
||||
# Port matching:
|
||||
# - portrange 22-23
|
||||
# - not port 22
|
||||
# - port ssh
|
||||
# - dst port 22
|
||||
# - src port 22
|
||||
#
|
||||
# Host matching:
|
||||
# - dst host 8.8.8.8
|
||||
# - not dst host 8.8.8.8
|
||||
# - src net 67.207.148.0 mask 255.255.255.0
|
||||
# - src net 67.207.148.0/24
|
Loading…
Reference in New Issue
Block a user