radin/my-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

removed space from dir names

Browse Source
This commit is contained in:
radinpirouz
2026-04-10 23:46:40 +03:30
parent d14e844a38
commit 9c419f72c4
25 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
Security-Networking/CronJob/CronJob.md Executable file
View File

@@ -0,0 +1,40 @@
```txt
.---------------- minute (0 - 59)
| .------------- hour (0 - 23)
| | .---------- day of month (1 - 31)
| | | .------- month (1 - 12) OR jan,feb,mar,apr ...
| | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
| | | | |
* * * * * user-name command to be executed
```
Here are some examples to illustrate different cron job schedules:
### Example 1: Run at 12:55 every day
```
55 12 * * * root hi
```
This command runs `hi` as the `root` user every day at 12:55.
### Example 2: Run every minute
```
*/1 * * * * root hi
```
This command runs `hi` as the `root` user every minute.
### Example 3: Run every 2 minutes
```
*/2 * * * * root hi
```
This command runs `hi` as the `root` user every 2 minutes.
### Example 4: Run at specific minutes
```
10,20,30 10 * * * root hi
```
This command runs `hi` as the `root` user at 10:10, 10:20, and 10:30.
### Example 5: Run after every reboot
```
@reboot root hi
```
This command runs `hi` as the `root` user after system reboot.

75
Security-Networking/FileSharing/smb.md Executable file
View File

@@ -0,0 +1,75 @@
# آموزش نصب و تنظیم SMB در لینوکس
یا Server Message Block پروتکلی جهت به اشتراک گذاری فایل ها، چاپگرها و پورتهای سریال است. از این پروتکل می توان بر روی پروتکل TCP/IP یا بر روی دیگر پروتکل های شبکه استفاده کرد.
**این آموزش فقط روی Ubuntu 22.04 LTS آزمایش و تست شده است. اگر می خواهید روی Ubuntu Server از این آموزش استفاده کنید. به جای gedit از nano یا vim استفاده کنید**
## مرحله اول: نصب Samba
پروتکل SMB در لینوکس با Samba پیاده سازی می شود برای نصب Samba از دستور زیر استفاده کنید
sudo apt update
sudo apt install samba
**اختیاری:** با استفاده از دستور زیر از نصب بودن Samba اطمینان پیدا کنید
whereis samba
## مرحله دوم: تنظیمات Samba
نخست یک پوشه با نام و مسیر دلخواه که می خواهید آن را به اشتراک بگذارید بسازید یا انتخاب کنید. من با دستور زیر پوشه ای برای این پروژه می سازم
mkdir /home/mahdiyar/smbshare
**نکته: به جای Mahdiyar ُ نام کاربری خود را جایگزین کنید**
فایل تنظیمات **Samba** را با دستور زیر باز کنید
sudo gedit /etc/samba/smb.conf
۵ خط کد زیر را به آخر فایل اضافه کنید
[sambashare]
comment = Mahdiyar XPS File Share
path = /home/mahdiyar/smbshare
read only = no
browsable = yes
**نکته مهم:** به جای `/home/mahdiyar/smbshare` آدرس پوشه ای را که برای اشتراک گذاری انتخاب کردید قرار دهید
**نکته مهم:** به جای `Mahdiyar XPS File Share` متنی دلخواه که پوشه شما را توصیف می کند قرار دهید
با دستور زیر Smaba را Restart کرده و اطمینان پیدا کنید که به درستی کار می کند
sudo service smbd restart
sudo service smbd status
اگر از فایروال استفاده می کنید با دستور زیر Samba را به فایروال اضافه کنید
sudo ufw allow samba
با دستور زیر رمز عبوری برای Samba مشخص کنید
sudo smbpasswd -a username
**نکته مهم: username حتما باید نام کاربری شما در Ubuntu باشد**
## مرحله سوم: استفاده از SMB
حالا که سرور را آماده کردیم نوبت به استفاده از فولدری که به اشتراک گذاشتیم رسیده است
با دستور زیر در لینوکس IP سرور خود را مشخص می کنیم
ifconfig
### استفاده در ویندوز
با وارد کردن `//linuxserverip/sambashare` در منوی جستجو ویندوز می توان به پوشه که به اشتراک گذاشتیم دسترسی پیدا کرد
### استفاده در سیستم عامل های دیگر
[استفاده از SMB در اندروید](https://www.techrepublic.com/article/how-to-connect-to-an-smb-share-from-your-android-device/)
[استفاده از SMB در iPhone/iPad](https://osxdaily.com/2019/11/04/how-connect-smb-share-iphone-ipad-files-app/)
[استفاده از SMB در لینوکس (گنوم)](https://www.zdnet.com/article/how-to-connect-to-a-network-share-from-the-gnome-desktop/#:~:text=At%20the%20bottom%20of%20the,the%20computer%20hosting%20the%20sare%29.)

258
Security-Networking/Iptables/iptables.md Executable file
View File

@@ -0,0 +1,258 @@
# 🛡️ Iptables & Netfilter Guide
## 🌐 Overview
**iptables** works with **Netfilter** to manage and control network traffic on Linux systems.
---
## 🔗 Connection Types
1. **NEW** A new connection being initiated
2. **ESTABLISHED** An existing, ongoing connection
3. **RELATED** A new connection related to an existing one
---
## 🧰 iptables-persistent
Install iptables and save the rules to a file for persistence across reboots.
---
## 📂 Default Path
```plaintext
/etc/iptables
```
---
## ⚙️ Command Format
```bash
iptables -t <table-name> <option> <chain-name> <match> -j <action>
```
---
## 🏷️ Table Names
| Table Name | Purpose |
| ---------- | -------------------------------- |
| filter | Default Filtering Packets |
| nat | Network Address Translation |
| mangle | Packet alteration/editing |
| raw | Pre-processing packets before OS |
---
## 🔄 Chains
| Table | Chains |
| ------ | ----------------------------------------------- |
| filter | INPUT, OUTPUT, FORWARD |
| nat | PREROUTING, OUTPUT, POSTROUTING |
| mangle | PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING |
| raw | PREROUTING, OUTPUT |
---
## 🚦 Chain Functions
| Chain | Description |
| ----------- | -------------------------------------------------------- |
| INPUT | Incoming connections to the server |
| OUTPUT | Outgoing packets from the server |
| FORWARD | Packets routed through the server to other destinations |
| PREROUTING | Edit packets before routing |
| POSTROUTING | Edit packets after routing and before exiting the server |
---
## 🔧 Options
| Option | Meaning |
| ------ | ----------- |
| `-A` | Append rule |
| `-I` | Insert rule |
| `-D` | Delete rule |
---
## 🎯 Actions
| Action | Description |
| ---------- | -------------------------------------------- |
| ACCEPT | Accept the packet |
| DROP | Drop the packet silently (no response) |
| REJECT | Drop the packet and send a rejection message |
| LOG | Log the packet details |
| MASQUERADE | Perform NAT masquerading |
---
## 🧩 iptables Command Examples & Explanations
---
### 1⃣ Save Current Rules to a File
```bash
iptables-save >> <file_path>
```
💾 **Explanation:**
This command saves the current iptables rules to a file (`<file_path>`). Useful for backing up or persisting your firewall rules.
---
### 2⃣ List Rules in Default Filter Table
```bash
iptables -nL
```
📜 **Explanation:**
Lists all rules in the default `filter` table, showing rules without resolving IPs to names (`-n` speeds it up).
---
### 3⃣ List Rules in NAT Table
```bash
iptables -t nat -nL
```
🔄 **Explanation:**
Lists all NAT table rules. NAT is used for modifying packets, like translating IP addresses.
---
### 4⃣ Allow Traffic from a Specific IP (Insert Rule)
```bash
iptables -t filter -I INPUT -s 192.168.1.100 -j ACCEPT
```
**Explanation:**
Inserts (`-I`) a rule at the top of the `INPUT` chain to ACCEPT all packets coming from IP `192.168.1.100`.
---
### 5⃣ Drop All Incoming Packets (Insert Rule)
```bash
iptables -t filter -I INPUT -j DROP
```
**Explanation:**
Inserts a rule to DROP all incoming packets on the `INPUT` chain, effectively blocking all new inbound traffic.
---
### 6⃣ Append Drop Rule at End of INPUT Chain
```bash
iptables -t filter -A INPUT -j DROP
```
**Explanation:**
Appends (`-A`) a rule at the end of the `INPUT` chain to drop packets that dont match previous ACCEPT rules.
---
### 7⃣ Allow Incoming TCP Traffic on Port 22 (SSH)
```bash
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
🔓 **Explanation:**
Allows incoming TCP traffic on port 22, which is commonly used for SSH connections.
---
### 8⃣ Drop Incoming TCP Traffic on Port 22 (SSH)
```bash
iptables -I INPUT -p tcp --dport 22 -j DROP
```
🚫 **Explanation:**
Inserts a rule to DROP all incoming TCP traffic destined for port 22, blocking SSH access.
---
### 9⃣ Drop TCP Traffic From a Specific IP
```bash
iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP
```
📵 **Explanation:**
Drops all incoming TCP packets coming from IP `192.168.1.100`.
---
### 🔟 Allow Incoming TCP Traffic on Port 443 (HTTPS)
```bash
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
```
🔐 **Explanation:**
Allows incoming TCP traffic on port 443, used for secure HTTPS connections.
---
### 1⃣1⃣ Allow Multiple Ports Using Multiport Module
```bash
iptables -A INPUT -p tcp -m multiport --dports 22,443,80,3306 -j ACCEPT
```
🎯 **Explanation:**
Accepts incoming TCP traffic on multiple ports at once: SSH (22), HTTPS (443), HTTP (80), and MySQL (3306).
---
### 1⃣2⃣ Allow Multiple Ports From a Specific Subnet
```bash
iptables -A INPUT -p tcp -m multiport --dports 22,443,80,3306 -s 192.168.10.0/24 -j ACCEPT
```
🏠 **Explanation:**
Allows TCP traffic on ports 22, 443, 80, and 3306 but only if it originates from the subnet `192.168.10.0/24`.
---
### 1⃣3⃣ Limit Incoming Connections on Port 80
```bash
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
```
🚦 **Explanation:**
Limits HTTP (port 80) incoming connections to 100 per minute with a burst of 200, helping prevent DoS attacks.
---
### 1⃣4⃣ Redirect HTTP Traffic to HTTPS on Interface `ens33`
```bash
iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 443
```
🔄 **Explanation:**
In the `nat` table's PREROUTING chain, this redirects all HTTP traffic (port 80) arriving on interface `ens33` to HTTPS port 443.
## 🎉 Summary
* **iptables** is a powerful Linux firewall tool
* Works by managing **tables**, **chains**, and **rules**
* Supports filtering, NAT, packet mangling, and raw processing
* Persistence through `iptables-persistent` package
* Flexible commands for network security and traffic control

248
Security-Networking/hping3/01-Information.md Normal file
View File

@@ -0,0 +1,248 @@
# 01. Information What is `hping3`?
## Overview
`hping3` is a powerful network tool used primarily for:
- Crafting and sending custom TCP/IP packets
- Testing firewalls and intrusion detection systems (IDS/IPS)
- Network scanning, mapping, and discovery
- Performance and connectivity testing (latency, MTU, path issues)
From a DevOps/SRE perspective, `hping3` is like a “Swiss Army knife” for lowlevel network troubleshooting and securityoriented testing. It allows you to send packets with very precise control over headers and flags, which goes far beyond what tools like `ping` or `traceroute` can do.
> Note: `hping3` should be used only on networks and systems you are authorized to test. It can easily be mistaken for malicious traffic.
---
## Key Capabilities
### 1. Custom Packet Crafting
`hping3` lets you build packets with specific parameters:
- **IP layer**:
- Source/destination IP
- TTL, fragmentation, IP ID
- **TCP layer**:
- Source/destination port
- Flags (SYN, ACK, FIN, RST, PSH, URG)
- Sequence/ack numbers
- **UDP & ICMP**:
- Custom payloads
- Port selection (UDP)
- ICMP type and code
This is useful for:
- Reproducing odd traffic patterns seen in logs
- Simulating client behavior at the packet level
- Testing how devices and middleboxes handle specific combinations of flags
---
### 2. Stateful Firewall & IDS Testing
Because `hping3` can manipulate flags and headers, it is commonly used to test:
- Firewall rules (ingress/egress)
- NAT behavior
- IDS/IPS detection and blocking
Examples of what you can validate:
- Whether SYN packets to certain ports are correctly blocked or allowed
- How a firewall responds to fragmented packets
- Whether “stealth” scans are detected by security tooling
---
### 3. Port Scanning and Host Discovery
`hping3` can act as a flexible port scanner:
- TCP SYN scans on specific ports or ranges
- FIN/XMAS/NULL scans to observe firewall behavior
- Host discovery based on custom probes (TCP/UDP/ICMP)
While tools like `nmap` are more convenient for general scanning, `hping3` is useful when you need precise control over how probes are sent or you want to emulate specific traffic patterns.
---
### 4. Network Performance & Path Testing
`hping3` can be used to measure:
- Round-trip time (RTT) for various protocols and ports
- Packet loss and jitter under different conditions
- MTU/path issues with fragmentation control
Typical use cases:
- Measuring latency to a specific TCP port (e.g., 443) instead of relying on ICMP `ping`
- Determining whether ICMP is blocked and testing alternative paths with TCP/UDP
- Debugging connectivity problems through stateful devices that treat ICMP differently from TCP
---
### 5. Traceroute-like Functionality
`hping3` can perform traceroutestyle path discovery, but using TCP or UDP instead of ICMP:
- Helps when ICMP is filtered or rate-limited
- Shows how TCP packets to specific ports traverse the network
This is useful when:
- ICMP-based `traceroute` doesnt give meaningful results
- You need path information for application ports (e.g., 80, 443, 5432)
---
## Why DevOps/SRE Engineers Care
In modern environments (cloud, containers, microservices), networking problems often involve:
- Security groups, NACLs, firewalls
- Load balancers and proxies
- Overlay networks (e.g., Kubernetes CNI)
- Complex routing or NAT
`hping3` helps you:
- Validate security rules (e.g., between Kubernetes nodes, across VPCs/VNETs)
- Troubleshoot weird connectivity issues that dont show up with `ping`
- Investigate asymmetrical routing or stateful filtering
- Reproduce network conditions reported by applications or logs
It is especially valuable when standard utilities (`ping`, `curl`, `telnet`, `nc`) arent enough to reveal how packets are handled in transit.
---
## TCP Flags & Special Packets (FIN, URG, RST, XMAS) and Flooding
`hping3` gives you direct control over TCP flags. Understanding these is crucial for using it correctly and interpreting responses.
### FIN (Finish) flag / FIN packet
- **What it is**:
The FIN flag indicates that the sender has finished sending data and wants to gracefully close the TCP connection.
- **Normal use**:
Used at the end of a TCP session as part of the connection teardown (FIN/ACK, ACK).
- **In scanning/testing**:
- A **FIN scan** sends packets with only the FIN flag set to a port.
- On a **closed port**, the target should respond with `RST`.
- On an **open port**, many TCP/IP stacks ignore the packet (no response).
This behavior is used to infer whether ports are open/filtered without sending SYN packets that might be logged more aggressively.
### URG (Urgent) flag / URG packet
- **What it is**:
URG marks that some of the data in the TCP segment is “urgent” and should be prioritized by the receiving host.
- **Normal use**:
Rarely used in modern applications. Historically used for things like interrupt signals.
- **In scanning/testing**:
Setting the URG flag along with other flags can:
- Stress or test how TCP stacks handle unusual or rarely seen combinations
- Help detect middleboxes that mishandle or log such packets
Tools like `hping3` can create URG packets to see how targets or firewalls react.
### RST (Reset) flag / RST packet
- **What it is**:
The RST flag instructs the receiver to immediately terminate the TCP connection.
- **Normal use**:
- Sent when a packet arrives for a port where no service is listening.
- Used to abort a connection abruptly (e.g., when a process crashes or refuses a connection).
- **In scanning/testing**:
- When you send a SYN to a **closed** port, a typical response is a `RST` packet.
- Tools use the presence or absence of RST to determine whether a port is open or closed.
- You can also send RST packets to tear down existing connections (for testing, in controlled environments).
### XMAS packet
- **What it is**:
A “XMAS” (Christmas tree) packet is a TCP packet with multiple flags set at once, commonly: **FIN, PSH, URG**.
- **Why the name**:
Its called a “Christmas tree” packet because many flags are “lit up” at the same time, like lights on a tree.
- **In scanning/testing**:
- Used for **XMAS scans**.
- Similar to FIN scans:
- On **closed** ports, the host often responds with `RST`.
- On **open** ports, many stacks send no reply.
- Some older or non-standard TCP/IP stacks respond differently, leaking information about OS type or configuration.
- **Firewall/IDS behavior**:
XMAS packets are unusual and often treated as suspicious, so many devices log or drop them, which can be useful for testing detection.
---
## What is a Flood?
In the context of `hping3` and network testing, a **flood** means sending a very high rate of packets to a target, typically as fast as possible.
- **Purpose in legitimate testing**:
- Stress-test network devices (firewalls, load balancers, routers).
- Identify bottlenecks or performance limits in network paths.
- Observe how systems behave under heavy packet load (Do they drop packets? Do they rate-limit?).
- **Types of floods (conceptually)**:
- **SYN flood**: flood of TCP SYN packets to a port.
- **ICMP flood**: flood of ICMP echo requests.
- **UDP flood**: flood of UDP packets.
- **Use in `hping3`**:
- `hping3` can send packets in “flood mode” (no delays between packets).
- This is powerful and potentially disruptive: packet floods can consume bandwidth and CPU, degrade service, or trigger protective mechanisms.
- **Operational considerations**:
- Only perform flood tests on infrastructure you control and where such testing is explicitly allowed.
- Coordinate with network and security teams.
- Monitor carefully (CPU, memory, bandwidth, and logs) during tests to avoid unintended outages.
---
## Typical Usage Contexts
- **On-prem / data center**:
Test firewalls, routers, and IDS, validate segmentation between environments (e.g., prod vs. nonprod).
- **Cloud environments (AWS/Azure/GCP/etc.)**:
- Verify security group/NACL behavior at the packet level.
- Test connectivity between VPCs/VNETs, onprem VPNs, and cloud workloads.
- **Kubernetes & containerized apps**:
- Validate node-to-node or pod-to-pod connectivity.
- Test ingress/egress rules in CNIs and service meshes.
- Debug why a service is reachable via one path but not another.
---
## Limitations & Considerations
- Requires appropriate privileges (often root) to craft raw packets.
- Can generate traffic patterns similar to port scans or attacks, so:
- Always get proper authorization.
- Coordinate with security teams to avoid false alarms.
- Not designed as a full replacement for higher-level tools (e.g., `nmap`, `iperf`, `traceroute`), but as a complementary low-level tool.
- Behavior may differ slightly across OSes and network stacks.
---
## Installation (High-Level)
Availability varies by distribution, but generally:
- **Debian/Ubuntu**: via `apt` (package usually named `hping3`)
- **RHEL/CentOS/Fedora**: via `yum`/`dnf` or EPEL
- **macOS**: via Homebrew (if available) or compile from source
- **Others**: typically built from source from the official repository
(Installation instructions can be detailed in a separate document.)
---
## Summary
`hping3` is a low-level TCP/IP packet crafting and analysis tool used by DevOps/SRE and security engineers to:
- Test and validate firewall and network security policies
- Perform targeted port scans (including FIN/XMAS-style scans) and host discovery
- Troubleshoot complex connectivity and performance issues
- Generate controlled floods for stress tests (in authorized environments)

252
Security-Networking/hping3/02-Commands.md Normal file
View File

@@ -0,0 +1,252 @@
# 02. Commands Practical `hping3` Usage
This document explains common `hping3` commands and what they do at a packet/protocol level.
Replace `<target>` with an IP or hostname, and `<port>` with a TCP/UDP port number.
> Use these commands only on systems and networks you are authorized to test.
---
## 1. ICMP “Normal Ping”
```bash
hping3 -1 <target>
```
- `-1`: Use **ICMP mode** (type 8 echo request), similar to the standard `ping` command.
- Behavior:
- Sends ICMP echo request packets to `<target>`.
- Measures round-trip time (RTT) and indicates packet loss.
- Use case:
- Basic connectivity check when you want to use `hping3` instead of `ping`.
- Helpful if you want later to switch to more advanced testing without changing tools.
---
## 2. Send TCP ACK Packets
```bash
hping3 -A <target>
```
- `-A`: Set the **ACK** flag in TCP packets.
- Behavior:
- Sends TCP packets with the ACK flag set to the default port (0 unless `-p` is specified).
- Use case:
- Test firewall rules related to **established** connections (many firewalls allow ACK packets but block SYN).
- Map which hosts respond to unsolicited ACK packets and how (RST/no response).
To target a specific port (for example, 80):
```bash
hping3 -A <target> -p 80
```
---
## 3. Send TCP SYN Packets
```bash
hping3 -S <target>
```
- `-S`: Set the **SYN** flag in TCP packets.
- Behavior:
- Sends SYN packets to the default port (0 unless `-p` is specified).
- Use case:
- Test how the target responds to connection attempts.
- When combined with `-p`, this becomes a basic SYN scan for that port.
With a specific port:
```bash
hping3 -S <target> -p <port>
```
---
## 4. Send TCP FIN Packets
```bash
hping3 -F <target>
```
- `-F`: Set the **FIN** flag in TCP packets.
- Behavior:
- Sends packets that look like “finish” requests for a connection.
- Use case:
- Perform **FIN scans** (when combined with `-p`) to check firewall behavior:
- Closed ports typically respond with `RST`.
- Open ports often send no response.
- Useful for testing how devices treat non-SYN traffic.
Example with a port:
```bash
hping3 -F <target> -p 80
```
---
## 5. Send TCP RST (Reset) Packets
```bash
hping3 -R <target>
```
- `-R`: Set the **RST** flag in TCP packets.
- Behavior:
- Sends packets that instruct the receiver to immediately terminate a connection.
- Use case:
- Observe how the target or firewall handles unexpected RST packets.
- In controlled tests, can be used to tear down test connections.
With a specific port:
```bash
hping3 -R <target> -p 80
```
---
## 6. Send TCP URG (Urgent) Packets
```bash
hping3 -U <target>
```
- `-U`: Set the **URG** flag in TCP packets.
- Behavior:
- Marks data as “urgent” (though most modern applications rarely use it).
- Use case:
- Test how TCP stacks and firewalls handle **uncommon flags**.
- Validate logging/alerting for rare or suspicious traffic patterns.
Example with a port:
```bash
hping3 -U <target> -p 80
```
---
## 7. Send XMAS Packets
```bash
hping3 -X <target>
```
- `-X`: Send **XMAS** packets (commonly FIN + PSH + URG flags set).
- Behavior:
- Creates “Christmas tree” packets with multiple flags lit.
- Use case:
- **XMAS scans**:
- Closed ports usually respond with `RST`.
- Open ports often do not respond.
- Test firewall/IDS handling of obviously suspicious packets.
Example with a port:
```bash
hping3 -X <target> -p 80
```
---
## 8. Send SYN Packet to a Destination Port
```bash
hping3 -S <target> -p <port>
```
- `-S`: SYN flag.
- `-p <port>`: Destination port.
- Behavior:
- Sends a TCP SYN packet to the specified `<port>` on `<target>`.
- Use case:
- Simple port check:
- Open port: typically responds with SYN/ACK.
- Closed port: typically responds with RST.
- Validate firewall rules for a specific service port.
---
## 9. Send SYN Packets with Random Source Address
```bash
hping3 -S <target> --rand-source
```
- `-S`: SYN flag.
- `--rand-source`: Randomize the **source IP address** for each packet.
- Behavior:
- Target sees SYN packets as if they are coming from many different IPs.
- Use case (legitimate, controlled testing):
- Test how firewalls, load balancers, or DDoS protection handle **spoofed** or distributed-looking traffic.
- Validate rate-limiting or connection limiting across “different” clients.
Note: Because of IP spoofing, responses will not come back to you; this is for observing target-side behavior/logs.
---
## 10. SYN Flood with Random Source
```bash
hping3 -S <target> --rand-source --flood
```
- `-S`: SYN flag.
- `--rand-source`: Randomize source IP per packet.
- `--flood`: Send packets as fast as possible, no output per packet.
- Behavior:
- High-rate SYN traffic with spoofed source IPs.
- Use case:
- **Stress testing** and **capacity testing** of firewalls/load balancers/IPS in a lab or authorized environment.
- Warning:
- This can severely impact services and look like a SYN flood attack.
- Use only with explicit permission and monitoring in place.
---
## 11. ICMP Flood with Spoofed Source Address
```bash
hping3 -1 <target> -a <src-address> --flood
```
> Note: Your original example used `-i`, but for ICMP mode it should be `-1`.
- `-1`: ICMP mode (echo requests).
- `-a <src-address>`: Spoof **source IP** as `<src-address>`.
- `--flood`: Send packets as fast as possible.
- Behavior:
- Sends a high-rate ICMP echo request flood to `<target>` with a fake source IP.
- Use case:
- Test how devices handle **ICMP flood** conditions and spoofed traffic (in a controlled environment).
- Warning:
- Can consume bandwidth and trigger DDoS protections or rate limits.
- Only for authorized stress testing.
If you really meant `-i` (interval), that changes send rate instead of protocol:
```bash
hping3 -1 <target> -a <src-address> --flood
# or with custom interval (e.g., 10 ms):
hping3 -1 <target> -a <src-address> -i u10000
```
---
## 12. Check If Port 22 (SSH) Is Open
```bash
hping3 -S <target> -p 22 -c 1
```
- `-S`: SYN flag (start of TCP handshake).
- `-p 22`: Destination port 22 (typically SSH).
- `-c 1`: Send only **one** packet.
- Behavior:
- Sends a single SYN to port 22 on `<target>`.
- How to interpret:
- If you see a **SYN/ACK** response, port 22 is likely open and reachable.
- If you see a **RST**, port 22 is closed or actively refused.
- If there is **no response**, the port may be filtered by a firewall or silently dropped.
---
## Summary
- `-1`: ICMP mode (ping-like).
- `-S`, `-A`, `-F`, `-R`, `-U`, `-X`: Control which TCP flags are set (SYN, ACK, FIN, RST, URG, XMAS).
- `-p <port>`: Target a specific port.
- `--rand-source`: Spoof/randomize source IPs.
- `-a <src-address>`: Spoof a specific source IP.
- `--flood`: Send packets as fast as possible (for stress testing).
- `-c <count>`: Limit number of packets sent.

144
Security-Networking/nmap/Nmap.md Executable file
View File

@@ -0,0 +1,144 @@
### How to Install Nmap and Use Nmap for Scanning
1. **Update your system:**
```bash
sudo apt-get update
```
2. **Install Nmap:**
```bash
sudo apt install nmap
```
3. **Scan a single IP address:**
```bash
nmap [your_IP]
```
4. **Scan multiple IP addresses:**
```bash
nmap [your_IP1,your_IP2]
```
5. **Scan a range of IP addresses:**
```bash
nmap [your_IP1-your_IP100]
```
6. **Scan targets from a text file:**
```bash
nmap -iL filename.txt
```
7. **Check for live systems:**
```bash
nmap -sn [your_IP]
```
8. **Ping sweep:**
```bash
nmap -sP [your_IP]
```
9. **If ICMP is blocked:**
```bash
nmap -PN [your_IP]
```
10. **Scan specific port:**
```bash
nmap -p [your_port] [your_IP]
```
If ICMP is blocked:
```bash
nmap -PN [your_IP] -p [your_port]
```
11. **Scan multiple ports:**
```bash
nmap -p [port1,port2,port3-port6] [your_IP]
```
12. **Specify protocol:**
```bash
nmap -p http,https,ftp [your_IP]
```
13. **Scan TCP ports:**
```bash
nmap -p T:[port,port2] [your_IP]
```
14. **Get more information:**
```bash
nmap -p [your_port] -sV [your_IP]
```
15. **Detect operating system:**
```bash
nmap -O [your_IP] -p [your_port]
```
16. **Fast scan (top 100 ports):**
```bash
nmap -F [your_IP]
```
17. **Aggressive scan:**
```bash
nmap -A [your_IP] -p [your_port]
```
18. **Whois lookup:**
```bash
nmap -p [your_port] --script whois-ip [your_IP_or_domain]
```
19. **IP geolocation:**
```bash
nmap -p [your_port] --script ip-geolocation-* [IP]
```
20. **Detect Web Application Firewall (WAF):**
```bash
nmap -p [your_port] --script http-waf-detect [your_domain]
```
21. **Save results to a text file:**
```bash
nmap -Pn -p [your_port] [your_IP] -oN your_filename.txt
```
22. **Save results to an XML file:**
```bash
nmap -Pn -p [your_port] [your_IP] -oX filename.xml
```
23. **Save results to a grepable file:**
```bash
nmap -Pn -p [your_port] [your_IP] -oG filename.gnmap
```
24. **Save results to all formats:**
```bash
nmap -Pn -p [your_port] [your_IP] -oA filename
```
25. **Scan top ports:**
```bash
nmap --top-ports [number] [your_domain]
```
26. **Scan top ports and show open ones:**
```bash
nmap --top-ports [number] [your_domain] --open
```
27. **Check for open ports using different scan types:**
```bash
nmap -sT [your_IP] # TCP Scan
nmap -sS [your_IP] # SYN Scan
nmap -sX [your_IP] # XMAS Scan
nmap -sF [your_IP] # FIN Scan
nmap -sN [your_IP] # Null Scan
```

352
Security-Networking/tcpdump/main.md Normal file
View File

@@ -0,0 +1,352 @@
# tcpdump
## Overview
`tcpdump` is a powerful command-line packet analyzer used to capture and inspect network traffic in real time. It is widely used by DevOps engineers, network administrators, and security professionals for troubleshooting, monitoring, and debugging network-related issues.
It works by intercepting packets flowing through a network interface and displaying them based on defined filters.
---
## How tcpdump Works
### Packet Capture Mechanism
`tcpdump` relies on the **libpcap** library to capture packets. The process involves:
1. **Network Interface Access**
- tcpdump attaches to a network interface (e.g., `eth0`, `ens33`, `wlan0`).
2. **Promiscuous Mode**
- By default, tcpdump can enable promiscuous mode, allowing it to capture all packets on the network segment, not just those addressed to the host.
3. **Kernel-Level Filtering**
- Uses Berkeley Packet Filter (BPF) to filter packets efficiently in the kernel space before sending them to user space.
4. **Packet Decoding**
- Captured packets are decoded and printed in a human-readable format.
---
## Installation
### Linux (Debian/Ubuntu)
```bash
sudo apt update
sudo apt install tcpdump
````
### Linux (RHEL/CentOS)
```bash
sudo yum install tcpdump
```
### macOS
```bash
brew install tcpdump
```
---
## Basic Syntax
```bash
tcpdump [options] [filter expression]
```
---
## Common Options
| Option | Description |
| ------------------- | ------------------------------------- |
| `-i <interface>` | Specify network interface |
| `-c <count>` | Capture a specific number of packets |
| `-n` | Disable hostname resolution |
| `-nn` | Disable hostname and port resolution |
| `-v`, `-vv`, `-vvv` | Increase verbosity |
| `-X` | Show packet contents in hex and ASCII |
| `-A` | Display packet contents in ASCII |
| `-w <file>` | Write output to file |
| `-r <file>` | Read packets from file |
| `-s <snaplen>` | Set capture size |
| `-D` | List available interfaces |
---
## Common Use Cases
### 1. Capture Packets on an Interface
```bash
tcpdump -i eth0
```
### 2. Capture a Limited Number of Packets
```bash
tcpdump -i eth0 -c 10
```
### 3. Disable Name Resolution (Faster Output)
```bash
tcpdump -nn -i eth0
```
### 4. Capture and Save to File
```bash
tcpdump -i eth0 -w capture.pcap
```
### 5. Read from a Capture File
```bash
tcpdump -r capture.pcap
```
---
## Filtering with BPF (Berkeley Packet Filter)
Filters are the most powerful feature of tcpdump.
### Basic Structure
```bash
tcpdump [options] 'filter expression'
```
### Filter Types
#### Host Filter
```bash
tcpdump host 192.168.1.1
```
#### Source/Destination Filter
```bash
tcpdump src 192.168.1.1
tcpdump dst 192.168.1.1
```
#### Port Filter
```bash
tcpdump port 80
tcpdump src port 443
tcpdump dst port 22
```
#### Protocol Filter
```bash
tcpdump tcp
tcpdump udp
tcpdump icmp
```
#### Network Filter
```bash
tcpdump net 192.168.1.0/24
```
---
## Combining Filters
### Logical Operators
| Operator | Meaning |
| -------- | -------------------------- |
| `and` | Both conditions must match |
| `or` | Either condition matches |
| `not` | Negates the condition |
### Examples
```bash
tcpdump tcp and port 80
tcpdump host 192.168.1.1 and port 22
tcpdump not port 22
tcpdump tcp and (port 80 or port 443)
```
---
## Packet Output Interpretation
Example output:
```
14:32:10.123456 IP 192.168.1.10.54321 > 93.184.216.34.80: Flags [S], seq 123456, win 65535
```
### Breakdown
| Field | Description |
| ----------- | ------------------------------- |
| Timestamp | Packet capture time |
| Protocol | IP, ARP, etc. |
| Source | Source IP and port |
| Destination | Destination IP and port |
| Flags | TCP flags (SYN, ACK, FIN, etc.) |
| seq | Sequence number |
| win | Window size |
---
## TCP Flags
| Flag | Meaning |
| ---- | ---------------------- |
| SYN | Connection initiation |
| ACK | Acknowledgment |
| FIN | Connection termination |
| RST | Reset connection |
| PSH | Push data immediately |
| URG | Urgent data |
---
## Advanced Usage
### 1. Capture HTTP Traffic
```bash
tcpdump -i eth0 -A port 80
```
### 2. Capture HTTPS Traffic (Metadata Only)
```bash
tcpdump -i eth0 port 443
```
### 3. Capture DNS Queries
```bash
tcpdump -i eth0 port 53
```
### 4. Capture Traffic Between Two Hosts
```bash
tcpdump host 192.168.1.1 and 192.168.1.2
```
### 5. Capture Large Packets Fully
```bash
tcpdump -i eth0 -s 0
```
---
## Writing and Analyzing PCAP Files
### Capture to File
```bash
tcpdump -i eth0 -w traffic.pcap
```
### Analyze with tcpdump
```bash
tcpdump -r traffic.pcap
```
### Integration with Wireshark
* Export `.pcap` files and analyze using GUI tools like Wireshark.
---
## Performance Considerations
* Use `-n` or `-nn` to reduce DNS lookups.
* Apply filters to minimize captured data.
* Avoid capturing full packets unless necessary (`-s 0`).
* Use `-c` to limit capture size.
---
## Security and Permissions
* Requires root or sudo privileges:
```bash
sudo tcpdump -i eth0
```
* Be cautious when capturing sensitive data (credentials, tokens).
---
## Troubleshooting Scenarios
### 1. Debugging Connectivity Issues
```bash
tcpdump -i eth0 host <target-ip>
```
### 2. Checking Open Ports
```bash
tcpdump -i eth0 tcp port 22
```
### 3. Investigating Packet Loss
* Look for retransmissions and duplicate ACKs.
### 4. Diagnosing DNS Problems
```bash
tcpdump -i eth0 port 53
```
---
## Best Practices
* Always filter traffic to reduce noise.
* Capture only what is necessary.
* Store captures securely.
* Use rotation when capturing long sessions:
```bash
tcpdump -i eth0 -w file_%Y%m%d%H%M%S.pcap
```
---
## Limitations
* Cannot decrypt encrypted traffic (e.g., HTTPS).
* High traffic environments may drop packets.
* Output can become overwhelming without filters.
---
## Alternatives and Complementary Tools
* `tshark` (CLI version of Wireshark)
* `wireshark` (GUI packet analyzer)
* `ngrep` (network grep tool)
* `iftop` / `nload` (bandwidth monitoring)
---
## Summary
`tcpdump` is an essential tool in a DevOps engineers toolkit for low-level network inspection. Mastery of filtering, efficient capture strategies, and output interpretation enables effective debugging and monitoring of complex distributed systems.