Test6

Connect Wireless using terminal in linux or backtrack

For example, A wifi network with essid "MWM", with key "1234567890", and I want to connect to it
using an static IP:
IP: 192.168.1.5
MASK: 255.255.255.0
IP Gateway: 192.168.1.1
Step :

1. Check the interface with ifconfig to see the wireless

(usb) already up or not
2. iwconfig essid MWM key 1234567890
3. ifconfig <interface> 192.168.1.5 netmask 255.255.255.0 up
4. route add default gw 192.168.1.1

TCP DUMP
(http://www.computersecuritystudent.com/SECURITY_TOOLS/SNIFFER/lesson1/)
Tcpdump is a really useful program for capturing packets that are on the wire. It can be used to view
packets going through your own interface, on a network with a hub, or on a switched network (arpcache poisoning or mirrored switch ports).
The output from tcpdump can either be sent to the screen, written to a raw file using -w and viewed
with tcpdump (using -r) or the capture files can be read with a tool such as Wireshark.
Tcpdump is a tool that anyone who is interested in networks should be familiar with. It will help you
understand what normal traffic looks like on your network at a packet level so you can quickly
identify abnormal traffic.
The purpose of this blog post is to get a few of the commands documented to familierize myself with
tool so i can quickly apply filters when needed.
For the Windows users there is a very good port of tcpdump called Windump, the syntax is very
similar if not identical.

Using Tcpdump
When first running tcpdump without any filters the output can be overwhelming. Don't worry about
this, as you begin to get familiar with the filters you can quickly get to the information you want.

If you have multiple interfaces that are up you may need to use the -i {interface} switch.
tcpdump -i eth1
The command can be terminated with ctrl+c.
I recommend using the -n switch to prevent name resolution whilst you are performing the capture.
The name resolution can always be performed later.
tcpdump -i eth1 -n
You can also cut down the amount of data you capture by using the quiet option (-q)
tcpdump -q
Or to really cut down on what i can see I could use the following which would just display the from
and to, the protocol and the packet size:
tcpdump -qt
As previously mentioned the output of tcpdump can be sent to a file using the -w switch or straight
to a text file using the redirect >
I recommend writing the output to libpcap format using a command such as:
tcpdump -i eth1 -n -w capture.lpc
However, you may want to view the output on the screen as you write it to a file, this can be done
by using the -l switch and piping through tee into the file:
tcpdump -l | tee mydump

You can also limit the capture to a certain amount of packets using the -c switch. To only collect 100
packets:
tcpdump -c 100

The -c switch can also be used when reading from a packet capture file:
tcpdump -n -s 1514 -r capture.lpc -c 5 tcp
The command above will read the first 5 tcp packets from the capture.lpc file.

Collecting Packets Based on Size

Usually tcpdump does not collect the entire packet. Use the snaplen option -s 0 to force it to do so:
tcpdump -s 0
Or to only collect the first 1514 bytes of a packet:
tcpdump -s 1514
1514 bytes will capture the ethernet portion without VLAN tagging. To capture the VLAN tagging
information an additional 4 bytes will need to be added.

To only collect packets from a particular host:

tcpdump -i eth 1 -n -w capture.lpc host 208.68.234.113

Name Resolution
As mentioned earlier, by default tcpump will resolve network addresses into names. To disable this
use the -n switch. And to disable port resolution use -nn:
tcpdump -nn
Use -f to prevent remote name resolution.

If you are on a local LAN and want to capture only traffic based on a MAC address use:
tcpdump ether host 11:22:33:44:55:66:77:00
Or if you want the Ethernet header in the output use the -e option:
tcpdump -i eth1 -e -n -s 1514-w capture.lpc
To restrict the capture to a network use:
tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1
or

tcpdump -i eth1 -n -w capture.lpc -s 1514 net 192.168.1.0 mask 255.255.255.0

Using Keywords
Keywords alow you to easily filter traffic. The Keywords that can be used are ip, tcp, udp, icmp and
igmp.
As an example of using keywords, to capture all IP traffic use keywords:
tcpdump -i eth1 -n -w capture.lpc -s 1514 ip
or to capture just TCP traffic:
tcpdump -i eth1 -n -w capture.lpc -s 1514 tcp
Other traffic types without keywords can be captured using the "ip proto" option:
tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto l2tp
or by its protocalnumber as found in the /etc/protocols file:
tcpdump -i eth1 -n -w capture.lpc -s 1514 ip proto 115

To capture traffic based on it's application from further up the stack such as ftp traffic specify the
port:
tcpdump -i eth1 -n -w capture.lpc -s 1514 port 21
And to capture the data portion of the FTP traffic as well you could add port 20:
tcpdump -i eth1 -n -w capture.lpc -s 1514 port 21 && port 20
This could have been specified by name as detailed in the /etc/services file.
tcpdump -i eth1 -n -w capture.lpc -s 1514 port ftp && port ftp-data
In the examples above I have used && to add 2 filters together. I could have used the word 'and'
instead. You can also use 'or' to idicate that i want one filter to apply or another filter to apply. ||
means the same as 'or' also.
tcpdump -i eth1 -n -w capture.lpc -s 1514 port http or https
tcpdump -i eth1 -n -w capture.lpc -s 1514 port 80 || 443

The above filters will capture the same data.

Filtering by Packet Size

You could create a filter to capture packets that are larger than a certain size (in bytes):
tcpdump -i eth1 -n -w capture.lpc -s 1514 greater 250
This type of filter can be useful if you are trying to locate certain types of packet based on attributes
from further up the stack.

We can also tell tcpdump to leave out certain types of traffic, in this example we don't want http or
https traffic but we want everything else:
tcpdump -i eth1 -n -w capture.lpc -s 1514 " (not tcp port http and not tcp port https)"

To view the output in output in ascii use -X (the verbose -v is optional):

tcpdump -i eth1 -n -w capture.lpc -s 1514 -X -v
To dump the whole packet in hex use:
tcpdump -i eth1 -n -w capture.lpc -s 1514 -x -v

Further Examples
To display a list of visited sites:
tcpdump -w dumpfile
tcpdump -r dumpfile > textfile
cat textfile /usr/bin/cut -f 8 -d ' ' /bin/grep -i www*

Looking at ICMP
Although you can capture all ICMP traffic, you could actually capture only particular types of ICMP
based on attributes of the protocol. For example, if i wanted to capture just ICMP echo requests

knowing that an ICMP echo request is a Type 8 i might use:

tcpdump -e -x "icmp[0]=8"
To capture just ICMP repies (Type 0) i might use:
tcpdump -e -x "icmp[0]=0"

Wireless Stuff
If i was curious about what networks wireless clients are probing for I could set my card into
promiscuous mode (ifconfig -i eth1 promisc), configure my wireless settings to monitor (iwconfig
eth1 mode monitor) and issue the following command:
tcpdump -i eth1 -s0 -nn -vv -t | grep -i request
This would reduce the output to just display probe requests from nearby wireless clients.

horst
horst is a small, lightweight IEEE802.11 wireless LAN analyzer with a text interface. Its basic
function is similar to tcpdump, Wireshark or Kismet, but its much smaller and shows different,
aggregated information which is not easily available from other tools. It is mainly targeted at
debugging wireless LANs with a focus on ad-hoc (IBSS) mode in larger mesh networks. It can be
useful to get a quick overview of whats going on on all wireless LAN channels and to identify
problems.
Shows signal/noise values per station
Calculates channel utilization (usage) by adding up the amount of time the packets actually occupy
the medium
Spectrum Analyzer shows signal levels and usage per channel
Graphical packet history, with signal/noise, packet type and physical rate
Shows all stations per ESSID and the live TSF per node as it is counting
Detects IBSS splits (same ESSID but different BSSID this is a common driver problem)
Statistics of packets/bytes per physical rate and per packet type
Has some support for mesh protocols (OLSR and batman)
Can filter specific packet types source addresses or BSSIDs

Client/server support for monitoring on remote nodes

horst is a Linux program and can be used on any wireless LAN monitor interface. The latest git
version can also be compiled and used on Mac OSX.

Usage notes
With all recent wireless drivers you can put the card into monitor mode and start horst on the
default interface (wlan0):
iwconfig wlan0 mode monitor channel X
horst
Or with newer mac80211 drivers you can use the modern way, using iw to add a monitor
interface while you can continue to use the existing interface:
iw dev wlan0 interface add mon0 type monitor
horst -i mon0
To use the client/server mode you can start a server (-q without a user interface) with
horst -i wlan0 -C -q
and connect a client with
horst -c IP
Only one client is allowed at a time.
To go straight into Spectrum Analyzer mode (changing channels) you can start horst with -s:
horst -s