Monday, October 26, 2020

Basic ASA Security Policy

LAB Task

1) Configure the IP addresses, security names, host names and security levels according to the given topology.

2) Configure static routing.

3) Configure object-groups for the networks (hosts) and services (protocols):

a. MGMT-HOSTS (2.2.2.2, 4.4.4.4)

b. TELNET-and-SSH (telnet, ssh)

4) Allow only hosts 2.2.2.2 and 4.4.4.4 to reach host 1.1.1.1 with the telnet and ssh services.

LAB Configuration

#############################################################################
R1>
hostname R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
 ip address 10.1.101.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.101.10
line vty 0 4
 password cisco
 login    
 transport input telnet
R1>
#################################################################################
R2>
hostname R2      
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Ethernet0/0
 ip address 10.1.102.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.102.10
line vty 0 4
 password cisco
 login    
 transport input telnet
R2>
################################################################################
R4>
hostname R4
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Ethernet0/0
 ip address 10.1.104.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.104.10
line vty 0 4
 password cisco
 login    
 transport input telnet
R4>
#################################################################################
ASA-FW(config)# 
hostname ASA-FW
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.102.10 255.255.255.0 
interface Ethernet1
 nameif inside
 security-level 80
 ip address 10.1.101.10 255.255.255.0 
interface Ethernet2
 nameif DMZ   
 security-level 50
 ip address 10.1.104.10 255.255.255.0 
object-group network MGMT-HOSTS
 network-object host 2.2.2.2
 network-object host 4.4.4.4
object-group service TELNET-and-SSH tcp
 port-object eq telnet
 port-object eq ssh
access-list OUTSIDE_IN extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH 
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list DMZ_IN extended permit icmp any any echo-reply 
access-list DMZ_IN extended permit tcp object-group MGMT-HOSTS host 1.1.1.1 object-group TELNET-and-SSH 
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.1.102.20 1 
route inside 1.1.1.1 255.255.255.255 10.1.101.20 1 
route DMZ 4.4.4.4 255.255.255.255 10.1.104.20 1 
ASA-FW(config)#
##################################################################################

Thanks

Thursday, October 22, 2020

Basic ASA Configuration

LAB Task

1) Configure all the basic configuration according to the topology: the ASA inside interface has security level 80, the DMZ security level 50 and the outside network security level 0.

2) Configure routing: for the inside and DMZ (data center) zones we use static routes (known networks), and for the outside we use a default route (unknown networks).

Addressing:

Device   Interface        IP Address
R1       Loopback 0       1.1.1.1/32
         E0/0             10.1.101.1/24
R2       Loopback 0       2.2.2.2/32
         E0/0             10.1.102.2/24
R4       Loopback 0       4.4.4.4/32
         E0/0             10.1.104.4/24
AAA      DMZ: Eth1        10.1.101.10/24
         inside: Eth2     10.1.104.10/24
         outside: Eth0    10.1.102.10/24


LAB Solution 

#Inside Zone#####################################################################
R1#
hostname R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
 ip address 10.1.101.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.101.10
R1#
#Outside Zone####################################################################
R2#
hostname R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Ethernet0/0
 ip address 10.1.102.2 255.255.255.0
! default route via the ASA outside interface, which is on R2's own subnet
ip route 0.0.0.0 0.0.0.0 10.1.102.10
R2#
#DMZ Zone###################################################################
R4(config)#
hostname R4
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Ethernet0/0
 ip address 10.1.104.4 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.104.10
R4(config)#
#ASA Firewall################################################################
AAA(config)#
hostname AAA
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.102.10 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 80
 ip address 10.1.101.10 255.255.255.0
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 10.1.104.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.102.2 1
route inside 1.1.1.1 255.255.255.255 10.1.101.1 1
route DMZ 4.4.4.4 255.255.255.255 10.1.104.4 1
AAA(config)#
################################################################################

Thanks 

Wednesday, October 21, 2020

LAB Gateway Load Balancing Protocol

LAB Task

1) Assign IPv4 addresses on all interfaces according to the given topology.

2) Configure the Gateway Load Balancing Protocol according to the given topology: the GLBP group number is 111 and the gateway address is 150.1.1.254. Configure key-chain authentication for GLBP with key chain name "GLBP" and key-string "CCNP".

3) Configure dynamic NAT on routers R1, R2 and R4, where 150.1.1.0/24 is the inside network and the networks 10.0.0.4/30, 10.0.0.8/30 and 10.0.0.12/30 are the outside networks.

4) Configure dynamic routing according to the given topology and member interfaces.

5) Configure the default route and NAT on R3, where the networks 10.0.0.4/30, 10.0.0.8/30 and 10.0.0.12/30 are the inside networks and 150.3.3.3 is the outside interface.


LAB Solution 

##############################################################################
R3>
hostname R3
interface Ethernet0/0
 ip address 10.0.0.6 255.255.255.252
 ip nat inside
interface Ethernet0/1
 ip address 10.0.0.10 255.255.255.252
 ip nat inside
interface Ethernet0/2
 ip address 10.0.0.13 255.255.255.252
 ip nat inside
interface Ethernet0/3
 ip address 150.3.3.3 255.255.255.0
 ip nat outside
router eigrp 254
 network 10.0.0.0
ip nat inside source list 1 interface Ethernet0/3 overload
access-list 1 permit 10.0.0.4 0.0.0.3
access-list 1 permit 10.0.0.8 0.0.0.3
access-list 1 permit 10.0.0.12 0.0.0.3
R3#
############################################################################
R1>
hostname R1
key chain GLBP
 key 1
  key-string CCNP
  cryptographic-algorithm md5
interface Ethernet0/0
 ip address 150.1.1.1 255.255.255.0
 ip nat inside
 glbp 111 ip 150.1.1.254
 glbp 111 priority 10
 glbp 111 preempt
 glbp 111 authentication md5 key-chain GLBP
interface Ethernet0/1
 ip address 10.0.0.5 255.255.255.252
 ip nat outside
router eigrp 254
 network 10.0.0.0
ip nat inside source list 1 interface Ethernet0/1 overload
access-list 1 permit 150.1.1.0 0.0.0.255
R1#
################################################################################
R2>
hostname R2
key chain GLBP
 key 1
  key-string CCNP
  cryptographic-algorithm md5
interface Ethernet0/0
 ip address 150.1.1.2 255.255.255.0
 ip nat inside
 glbp 111 ip 150.1.1.254
 glbp 111 priority 20
 glbp 111 preempt
 glbp 111 authentication md5 key-chain GLBP
interface Ethernet0/1
 ip address 10.0.0.9 255.255.255.252
 ip nat outside
router eigrp 254
 network 10.0.0.0
ip nat inside source list 1 interface Ethernet0/1 overload
access-list 1 permit 150.1.1.0 0.0.0.255
R2(config)#
#################################################################################
R4>
hostname R4
key chain GLBP
 key 1
  key-string CCNP
  cryptographic-algorithm md5
interface Ethernet0/0
 ip address 150.1.1.4 255.255.255.0
 ip nat inside
 glbp 111 ip 150.1.1.254
 glbp 111 priority 30
 glbp 111 preempt
 glbp 111 authentication md5 key-chain GLBP
interface Ethernet0/1
 ip address 10.0.0.14 255.255.255.252
 ip nat outside
router eigrp 254
 network 10.0.0.0
ip nat inside source list 1 interface Ethernet0/1 overload
access-list 1 permit 150.1.1.0 0.0.0.255
R4#
##############################################################################
VPCS> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
VPCS1  150.1.1.10/24        150.1.1.254       00:50:79:66:68:16
VPCS>
#############################################################################
VPCS> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
VPCS1  150.1.1.20/24        150.1.1.254       00:50:79:66:68:15
VPCS>
############################################################################
VPCS> show ip all
NAME   IP/MASK              GATEWAY           MAC                DNS
VPCS1  150.1.1.30/24        150.1.1.254       00:50:79:66:68:17
VPCS>

Thanks

Monday, October 19, 2020

Cisco Router Booting Process


1) As we know, ROM stands for Read Only Memory. It stores four components: POST, the bootstrap program, ROMMON mode and Mini IOS.

2) POST stands for Power On Self Test. It is a low-level diagnostic utility that performs various tests on the hardware components and verifies that all necessary components are present and operational.

3) The bootstrap program is the second utility in the booting sequence. It controls the search for and loading of the IOS: it is responsible for finding the IOS in all possible locations and loading it into RAM.

4) ROMMON is a portable IOS program that allows us to perform various diagnostic tests. It is also used for the password recovery procedure and has its own mode, known as ROMMON mode. If the bootstrap succeeds in finding and loading the IOS, the boot sequence does not enter this mode; it enters it automatically only if it fails to load the IOS into RAM from all possible locations. You can also enter this mode manually for diagnostic purposes: run the reload command from privileged mode to reboot the router, then press the Ctrl+C key combination (Ctrl key with C key) within the first 60 seconds of the boot sequence.

5) Mini-IOS is a fallback utility that contains a stripped-down version of the IOS. It is used in critical situations where no IOS image is found in flash. Mini-IOS contains only IP code, which allows you to load an IOS from other resources such as a TFTP server. The IOS mode used by this stripped-down utility is known as RXBOOT mode.

6) Flash is a non-volatile memory: data stored in flash is not lost when you turn off the router.

7) NVRAM is another permanent memory in the router; data stored in NVRAM also remains safe across a power-off. The router uses NVRAM to store configuration files.

8) RAM is a temporary memory: information stored in RAM does not survive a power-off, and everything in RAM is erased when you turn off the router. RAM is the fastest of these memories.

A. The IOS is decompressed into RAM during the boot process.

B. During the boot process the configuration is also copied from NVRAM into RAM as the running configuration.

C. RAM stores the ARP, CDP, routing and neighbor tables.

D. Interface input and output buffers are also stored in RAM.

The configuration register is a special register that controls the booting process. You can check the current configuration register value with the "show version" command from exec mode.

A. A setting of 0x2100 always boots the router into ROMMON mode.

B. A setting of 0x2101 always boots the router into RXBOOT mode.

C. A setting from 0x2102 to 0x210F always loads the first valid IOS from flash.

D. A setting of 0x2142 causes the router to ignore the startup-config file in NVRAM and proceed without a configuration; this is why 0x2142 is used in the router password recovery process.

[1] The router is powered on.

[2] The power-on self test (POST) is performed to check the hardware components, including memory and interfaces.

[3] The bootstrap program is loaded and executed.

[4] The bootstrap reads the configuration register value to determine how the router will boot up.

[5] Depending on the value of the configuration register, the bootstrap program finds and loads the IOS image.

[6] If the bootstrap fails to load the IOS from all possible locations, it drops the boot sequence into ROMMON mode for troubleshooting.

[7] If the IOS is loaded, the IOS tries to find and load the configuration.

[8] If no configuration is present, the system configuration dialog is launched.

[9] If the configuration is loaded, you are presented with the CLI.
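To make the configuration register settings listed above concrete, here is an added example (not from the original post) that decodes the boot field and the ignore-NVRAM bit of a configuration register and flags the 0x2142 setting in "show version" output, which is the check a defender runs to find routers that will come up without their saved configuration. The bit positions used (boot field in bits 0-3, bit 6 = ignore startup-config, bit 8 = Break disabled) are standard Cisco values; the sample "show version" text is constructed.

```python
"""Decode Cisco configuration register values into the boot behaviour
described in the post, and audit 'show version' output for 0x2142.
Added example for this post, not Cisco code; sample output is constructed."""
import re
from typing import Dict, List, Optional

# Boot field: the low four bits select where the bootstrap looks for an image.
BOOT_FIELD = {0x0: "ROMMON", 0x1: "RXBOOT"}   # 0x2-0xF: first valid IOS in flash


def decode_config_register(value: int) -> Dict[str, object]:
    """Return the boot behaviour encoded in a 16-bit configuration register."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0x000F
    return {
        "value": f"0x{value:04X}",
        "boot": BOOT_FIELD.get(boot_field, "flash"),
        # bit 6 (0x0040): ignore NVRAM, i.e. skip startup-config (0x2142 = 0x2102 | 0x0040)
        "ignore_startup_config": bool(value & 0x0040),
        # bit 8 (0x0100): Break key disabled once the IOS is running (set in 0x2102)
        "break_disabled": bool(value & 0x0100),
    }


# 'show version' prints the current register and, if changed, the next-reload value.
SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def parse_show_version(text: str) -> Optional[Dict[str, int]]:
    """Extract the current and next-reload register values from show version."""
    m = SHOW_VERSION_RE.search(text)
    if not m:
        return None
    current = int(m.group(1), 16)
    nxt = int(m.group(2), 16) if m.group(2) else current
    return {"current": current, "next": nxt}


def audit_show_version(text: str) -> List[str]:
    """Report register settings a defender wants to know about on a production router."""
    regs = parse_show_version(text)
    if regs is None:
        return ["no configuration register line found"]
    findings = []
    for label, val in regs.items():
        d = decode_config_register(val)
        if d["ignore_startup_config"]:
            findings.append(f"{label} {d['value']}: startup-config ignored at boot "
                            "(password-recovery setting)")
        if d["boot"] != "flash":
            findings.append(f"{label} {d['value']}: boots to {d['boot']} instead of the IOS in flash")
    return findings


# Constructed sample: register changed for password recovery, reset for the next reload.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software (constructed sample output)
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

if __name__ == "__main__":
    for v in (0x2100, 0x2101, 0x2102, 0x210F, 0x2142):
        print(decode_config_register(v))
    for finding in audit_show_version(SAMPLE_SHOW_VERSION):
        print(finding)
```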

Friday, October 16, 2020

Cisco ASA Packet Process Algo

Here is a diagram of how the Cisco ASA processes a packet that it receives:

A: The packet arrives at the ingress interface.

B: Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
#show interface

C: ASA first looks at its internal connection table details in order to verify if this is a current connection. If the packet flow matches a current connection, then the Access Control List (ACL) check is bypassed and the packet is moved forward.
#show conn

Syslog message when there is no connection entry:
%ASA-6-106015: Deny TCP (no connection) from IP_address/port to
 IP_address/port flags tcp_flags on interface interface_name

D: If the packet flow does not match a current connection, the TCP state is verified. If it is a SYN packet or a UDP (User Datagram Protocol) packet, the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.
#show access-list

Syslog message when the packet is denied by an ACL:
%ASA-4-106023: Deny protocol src [interface_name:source_address/source_port]
 dst interface_name:dest_address/dest_port by access_group acl_ID

E: The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count is incremented by one when the packet matches the ACL entry.

F: The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow and the packet moves forward. Otherwise, the packet is dropped and the information is logged.
#show xlate

Syslog message when there is no translation rule found:
%ASA-3-305005: No translation group found for protocol src interface_name:
 source_address/source_port dst interface_name:dest_address/dest_port

G: The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionality. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.
#show service-policy inspect

Syslog message when a packet is denied by Security Inspection:
%ASA-4-405104: H225 message received from outside_address/outside_port to
 inside_address/inside_port before SETUP

H: Additional security checks will be implemented if a Content Security (CSC) module is involved.
#show run static

I: The IP header information is translated as per the Network Address Translation / Port Address Translation (NAT/PAT) rule and the checksums are updated accordingly. When an AIP module is involved, the packet is forwarded to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) for IPS-related security checks.
#show run nat

J: The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on the global route lookup.
#show run global

K: On the egress interface, the interface route lookup is performed. Remember that the translation rule takes priority in determining the egress interface.
#show nat

L: Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. The Layer 2 rewrite of the MAC header happens at this stage.
#show route
#show arp

Syslog message when there is no route information:
%ASA-6-110003: Routing failed to locate next-hop for protocol from src
 interface:src IP/src port to dest interface:dest IP/dest port

M: The packet is transmitted on the wire, and interface counters increment on the egress interface.
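As an added example (not part of the lab or of Cisco's documentation), the following Python models steps B through F above against the OUTSIDE_IN access list from the Basic ASA Security Policy lab: the connection-table lookup that bypasses the ACL, the SYN check for new TCP flows, in-order ACL evaluation with hit counts, and the two syslog messages those drops generate. The Packet, Ace and AsaInterface names are my own; the lab's object-groups and ACL entries are re-typed here as data, and NAT and inspection (steps F onwards) are omitted because the lab defines no translation rules.

```python
"""Model of the ASA ingress path (steps B-F) applied to the lab's OUTSIDE_IN
policy. Added example for this page, not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Object groups copied from the lab configuration
MGMT_HOSTS = {ip_network("2.2.2.2/32"), ip_network("4.4.4.4/32")}
TELNET_AND_SSH = {23, 22}
ANY = {ip_network("0.0.0.0/0")}
ECHO_REPLY = 0   # ICMP type 0; for icmp packets the dport field carries the ICMP type


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int              # TCP/UDP port, or ICMP type for icmp
    syn_only: bool = True   # TCP: SYN set without ACK, i.e. a new connection attempt


@dataclass
class Ace:
    """One access-list entry: permit PROTO SRC-GROUP DST-GROUP [PORT-GROUP]."""
    proto: str
    src: Set[IPv4Network]
    dst: Set[IPv4Network]
    ports: Optional[Set[int]] = None   # None means any port / any ICMP type
    hits: int = 0

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if not any(ip_address(p.src) in n for n in self.src):
            return False
        if not any(ip_address(p.dst) in n for n in self.dst):
            return False
        return self.ports is None or p.dport in self.ports


ConnKey = Tuple[str, str, int, str, int]


@dataclass
class AsaInterface:
    name: str
    acl_name: str
    acl: List[Ace]
    conns: Set[ConnKey] = field(default_factory=set)
    syslog: List[str] = field(default_factory=list)

    def process(self, p: Packet) -> str:
        key: ConnKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        # Step C: a packet of an existing connection bypasses the ACL entirely
        if key in self.conns:
            return "forward-existing"
        # Step D: a new TCP flow must begin with a SYN; anything else is dropped
        if p.proto == "tcp" and not p.syn_only:
            self.syslog.append(
                f"%ASA-6-106015: Deny TCP (no connection) from {p.src}/{p.sport} "
                f"to {p.dst}/{p.dport} flags ACK on interface {self.name}")
            return "drop-no-connection"
        # Step E: entries are checked in order, first match wins, implicit deny at the end
        for ace in self.acl:
            if ace.matches(p):
                ace.hits += 1
                self.conns.add(key)      # Step F: flow admitted, connection entry created
                return "forward-new"
        # In the lab, host 1.1.1.1 sits behind the 'inside' interface.
        self.syslog.append(
            f"%ASA-4-106023: Deny {p.proto} src {self.name}:{p.src}/{p.sport} "
            f"dst inside:{p.dst}/{p.dport} by access_group {self.acl_name}")
        return "drop-acl"


def lab_outside_interface() -> AsaInterface:
    """access-list OUTSIDE_IN from the lab, applied inbound on 'outside'."""
    return AsaInterface("outside", "OUTSIDE_IN", [
        Ace("tcp", MGMT_HOSTS, {ip_network("1.1.1.1/32")}, TELNET_AND_SSH),
        Ace("icmp", ANY, ANY, {ECHO_REPLY}),
    ])


if __name__ == "__main__":
    outside = lab_outside_interface()
    for pkt in (Packet("tcp", "2.2.2.2", 40000, "1.1.1.1", 22),
                Packet("tcp", "2.2.2.2", 40000, "1.1.1.1", 22, syn_only=False),
                Packet("tcp", "3.3.3.3", 40001, "1.1.1.1", 23),
                Packet("icmp", "2.2.2.2", 0, "1.1.1.1", 8)):
        print(pkt.src, "->", pkt.dst, pkt.dport, outside.process(pkt))
    print("\n".join(outside.syslog))
```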

Thanks

Thursday, October 15, 2020

Iperf Point to Point Performance

Iperf is a widely used tool for network performance measurement and tuning. It is significant as a cross-platform tool that can produce standardized performance measurements for any network. Iperf has client and server functionality, and can create data streams to measure the throughput between the two ends in one or both directions. Typical iperf output contains a time-stamped report of the amount of data transferred and the throughput measured.

UDP: When used for testing UDP capacity, iperf allows the user to specify the datagram size and provides results for the datagram throughput and the packet loss.

TCP: When used for testing TCP capacity, iperf measures the throughput of the payload. Iperf uses 1024 × 1024 for mebibytes and 1000 × 1000 for megabytes.

Step 1: Install Iperf

Link : https://iperf.fr/iperf-download.php

Step 2: Use the higher-specification machine as the server and execute the command shown in the screenshot.

Now your node A is ready to serve.

 iperf -s

Step 3: Now install iperf on the client and execute the command shown in the screenshot.

 iperf -c <Node A server IP>

---------------------------------------------------------------------------------------------------------------------------
Note that many OSes and hosts have upper limits on the TCP window size.
nodeA> iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 60.0 KByte (default)
------------------------------------------------------------
[  4] local <IP Addr node2> port 5001 connected with <IP Addr node1> port 2357
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.1 sec   6.5 MBytes   5.2 Mbits/sec
nodeB> iperf -c node2
------------------------------------------------------------
Client connecting to node1, TCP port 5001
TCP window size: 59.9 KByte (default)
------------------------------------------------------------
[  3] local <IP Addr node1> port 2357 connected with <IP Addr node2> port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   6.5 MBytes   5.2 Mbits/sec

-------------------------------------------------------------------------------------------------------------------------
nodeA> iperf -s -w 130k
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size:  130 KByte
------------------------------------------------------------
[  4] local <IP Addr node 2> port 5001 connected with <IP Addr node 1> port 2530
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.1 sec  19.7 MBytes  15.7 Mbits/sec
nodeB> iperf -c node2 -w 130k
------------------------------------------------------------
Client connecting to node2, TCP port 5001
TCP window size:  129 KByte (WARNING: requested  130 KByte)
------------------------------------------------------------
[  3] local <IP Addr node1> port 2530 connected with <IP Addr node2> port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  19.7 MBytes  15.8 Mbits/sec

--------------------------------------------------------------------------------------------------------------------------
Another test to do is run parallel TCP streams.
nodeA> iperf -s -w 300k
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size:  300 KByte
------------------------------------------------------------
[  4] local <IP Addr node2> port 5001 connected with <IP Addr node1> port 6902
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.2 sec  20.9 MBytes  16.5 Mbits/sec
[  4] local <IP Addr node2> port 5001 connected with <IP Addr node1> port 6911
[  5] local <IP Addr node2> port 5001 connected with <IP Addr node2> port 6912
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.1 sec  21.0 MBytes  16.7 Mbits/sec
[  4]  0.0-10.3 sec  12.0 MBytes   9.4 Mbits/sec
nodeB> ./iperf -c node2 -w 300k
------------------------------------------------------------
Client connecting to node2, TCP port 5001
TCP window size:  299 KByte (WARNING: requested  300 KByte)
------------------------------------------------------------
[  3] local <IP Addr node2> port 6902 connected with <IP Addr node1> port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.2 sec  20.9 MBytes  16.4 Mbits/sec
nodeB> iperf -c node2 -w 300k -P 2
------------------------------------------------------------
Client connecting to node2, TCP port 5001
TCP window size:  299 KByte (WARNING: requested  300 KByte)
------------------------------------------------------------
[  4] local <IP Addr node2> port 6912 connected with <IP Addr node1> port 5001
[  3] local <IP Addr node2> port 6911 connected with <IP Addr node1> port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.1 sec  21.0 MBytes  16.6 Mbits/sec
[  3]  0.0-10.2 sec  12.0 MBytes   9.4 Mbits/sec

---------------------------------------------------------------------------------------------------------------------------
A secondary tuning issue for TCP is the maximum transmission unit (MTU). 
nodeA> iperf -s -m
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 60.0 KByte (default)
------------------------------------------------------------
[  4] local <IP Addr node3> port 5001 connected with <IP Addr node4> port 1096
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 2.0 sec   1.8 MBytes   6.9 Mbits/sec
[  4] MSS size 1448 bytes (MTU 1500 bytes, ethernet)
[  4] Read lengths occurring in more than 5% of reads:
[  4]   952 bytes read   219 times (16.2%)
[  4]  1448 bytes read  1128 times (83.6%)
Here is a host that doesn't support Path MTU Discovery. It will only send and receive small 576 byte packets.
nodeA> iperf -s -m
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 32.0 KByte (default)
------------------------------------------------------------
[  4] local <IP Addr node4> port 5001 connected with <IP Addr node3> port 13914
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 2.3 sec   632 KBytes   2.1 Mbits/sec
WARNING: Path MTU Discovery may not be enabled.
[  4] MSS size 536 bytes (MTU 576 bytes, minimum)
[  4] Read lengths occurring in more than 5% of reads:
[  4]   536 bytes read   308 times (58.4%)
[  4]  1072 bytes read    91 times (17.3%)
[  4]  1608 bytes read    29 times (5.5%)

--------------------------------------------------------------------------------------------------------------------------
iPerf creates a constant bit rate UDP stream.
nodeA> iperf -s -u -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size: 60.0 KByte (default)
------------------------------------------------------------

nodeB> iperf -c node2 -u -b 10m
------------------------------------------------------------
Client connecting to node2, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 60.0 KByte (default)
------------------------------------------------------------


----------------------------------------------------------------------------------------------------------------------------
To test multicast, run several servers with the bind option (-B, --bind) set to the multicast group address. 
nodeB> iperf -c 224.0.67.67 -u --ttl 5 -t 5
------------------------------------------------------------
Client connecting to 224.0.67.67, UDP port 5001
Sending 1470 byte datagrams
Setting multicast TTL to 5
UDP buffer size: 32.0 KByte (default)
------------------------------------------------------------

nodeA> iperf -s -u -B 224.0.67.67 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Binding to local address 224.0.67.67
Joining multicast group  224.0.67.67
Receiving 1470 byte datagrams
UDP buffer size: 32.0 KByte (default)
------------------------------------------------------------

nodeA> iperf -s -u -B 224.0.67.67 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Binding to local address 224.0.67.67
Joining multicast group  224.0.67.67
Receiving 1470 byte datagrams
UDP buffer size: 60.0 KByte (default)
------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------------
IPv6 Mode
Get the IPv6 address of the node using the 'ifconfig' command.
Server side:
$ iperf -s -V
Client side:
$ iperf -c <Server IPv6 Address> -V

Using Representative Streams to measure bandwidth
Use the -F or -I option. If you want to test how your network performs with compressed / uncompressed streams, just create representative streams and use the -F option to test it.
The -F option is for file input.
The -I option is for input from stdin.


Client: $ iperf -c <server address> -F <file-name>
Client: $ iperf -c <server address> -I

Thanks
Himanshu

Host Traffic Filter (Wireshark)

Some useful Wireshark display filters for hosts.

Now apply them as follows:

Ethernet Address
eth.dst == ff:ff:ff:ff:ff:ff
eth.dst == ff-ff-ff-ff-ff-ff
eth.dst == ffff.ffff.ffff

IPv4 Address
ip.addr == 192.168.0.1
ip.addr == 129.111.0.0/16

IPv6 Address
ipv6.addr == ::1

Text String
http.request.uri == "https://www.google.com/"

Filtering DNS Traffic
dns.qry.name == "www.petenetlive.com"

HTTP or DNS
Sets a filter to display all HTTP and DNS traffic.
http or dns

TCP Packet
tcp.port==xxx

Sets filters to display all TCP resets
tcp.flags.reset==1

TCP Stream
tcp.stream eq X

Sequence Number
tcp.seq == x

Filters all HTTP GET and POST requests
http.request

For more filters, see Wireshark.

Thanks 

Wednesday, October 14, 2020

Host Information Gathering(Nmap)

Network Mapper

Nmap is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

Software Installation

NMAP is open-source software and is easy to download and install.

Note: WinPcap is required for installation. WinPcap has been recognized as the industry-standard tool for link-layer network access in Windows environments, allowing applications to capture and transmit network packets bypassing the protocol stack, and including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

Type of Access in NMAP

There are two types of access in NMAP.

1) GUI Access of  Nmap

2) CLI Access of  Nmap

GUI Access of NMAP


CLI Access of NMAP

1. Scan a system by hostname or IP address- the Nmap tool offers various ways to specify a target.

A: Scan using a hostname

[root@uconfigit ~]# nmap google.com

B: Scan using an IP address

[root@uconfigit ~]# nmap 192.168.0.101

2. Scan using the “-v” option- “-v” gives more detailed information about the remote machine.

[root@uconfigit ~]# nmap -v google.com

3. Scan multiple hosts- you can scan multiple hosts by simply writing their IP addresses or hostnames after nmap.

[root@uconfigit ~]# nmap 192.168.0.1 192.168.0.2 192.168.0.3

4. Scan a whole subnet- you can scan a whole subnet or IP range with Nmap by using the * wildcard.

[root@uconfigit ~]# nmap 192.168.0.*

5. Scan multiple servers using the last octet of the IP address- you can scan multiple IP addresses by specifying only their last octets. For example, here I scan the IP addresses 192.168.0.101, 192.168.0.102 and 192.168.0.103.

[root@uconfigit ~]# nmap 192.168.0.101,102,103

6. Scan a list of hosts from a file- create a text file called “nmaptest.txt” and list all the IP addresses or hostnames of the servers that you want to scan.

[root@uconfigit ~]# cat > nmaptest.txt
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
192.168.0.6
192.168.0.7
192.168.0.8
192.168.0.9
192.168.0.10

[root@uconfigit ~]# nmap -iL nmaptest.txt

7. Scan an IP address range- you can specify an IP range when scanning with Nmap.

[root@uconfigit ~]# nmap 192.168.0.1-100

8. Scan a network excluding remote hosts- you can exclude some hosts from a full network scan or a wildcard scan with the “--exclude” option.

[root@uconfigit ~]# nmap 192.168.0.* --exclude 192.168.0.10

9. Scan OS information and traceroute- to enable OS and version detection, script scanning and traceroute, use the “-A” option.

[root@uconfigit ~]# nmap -A 192.168.0.1

10. Enable OS detection with Nmap- use the “-O” option; “--osscan-guess” also helps to discover OS information.

[root@uconfigit ~]# nmap -O google.com

11. Scan a host to detect a firewall- the command below scans a remote host to detect whether any packet filter or firewall is used by the host.

[root@uconfigit ~]# nmap -sA 192.168.0.1

12. Scan a host to check whether it is protected by a firewall- scans a host to check if it is protected by packet filtering software or a firewall.

[root@uconfigit ~]# nmap -PN 192.168.0.1

13. Find live hosts in a network- with the “-sP” option we can simply check which hosts are live and up in the network; with this option nmap skips port detection and other checks.

[root@uconfigit ~]# nmap -sP 192.168.0.*

14. Perform a fast scan- the “-F” option scans only the ports listed in the nmap-services file and leaves out all other ports.

[root@uconfigit ~]# nmap -F 192.168.0.1

15. Find the Nmap version- you can find out which Nmap version you are running with the “-V” option.

[root@uconfigit ~]# nmap -V

16. Scan ports consecutively- use the “-r” flag to not randomize the port order.

[root@uconfigit ~]# nmap -r 192.168.0.1

17. Print host interfaces and routes- you can find out host interface and route information with the “--iflist” option.

[root@uconfigit ~]# nmap --iflist

18. Scan a specific port- there are various options to discover ports on a remote machine. You can specify the port you want nmap to scan with the “-p” option; by default nmap scans only TCP ports.

[root@uconfigit ~]# nmap -p 80 google.com

19. Scan a TCP port- you can also specify port types together with port numbers.

[root@uconfigit ~]# nmap -p T:8888,80 google.com

20. Scan a UDP port

[root@uconfigit ~]# nmap -sU -p 53 google.com

21. Scan multiple ports- you can also scan several ports at once with the “-p” option.

[root@uconfigit ~]# nmap -p 80,443 192.168.0.1

22. Scan a port range- you can scan ports by range using range expressions.

[root@uconfigit ~]# nmap -p 80-160 192.168.0.1

23. Find host service version numbers- we can find out the versions of the services running on remote hosts with the “-sV” option.

[root@uconfigit ~]# nmap -sV 192.168.0.1

24. Scan remote hosts using TCP ACK (PA) and TCP SYN (PS)- sometimes packet filtering firewalls block standard ICMP ping requests; in that case we can use TCP ACK and TCP SYN probes to discover remote hosts.

[root@uconfigit ~]# nmap -PS 192.168.0.1

25. Scan a remote host for specific ports with TCP ACK

[root@uconfigit ~]# nmap -PA -p 22,80 192.168.0.1

26. Scan a remote host for specific ports with TCP SYN

[root@server1 ~]# nmap -PS -p 22,80 192.168.0.1

27. Perform a stealthy scan

[root@server1 ~]# nmap -sS 192.168.0.1

28. Check the most commonly used ports with TCP SYN

[root@server1 ~]# nmap -sT 192.168.0.1

29. Perform a TCP null scan to fool a firewall

[root@server1 ~]# nmap -sN 192.168.0.1

Thanks

Himanshu