选题: 4 Tools for Network Snooping on Linux

sources/tech/20180104 4 Tools for Network Snooping on Linux.md

@@ -0,0 +1,197 @@
+4 Tools for Network Snooping on Linux
+======
+Computer networking data has to be exposed, because packets can't travel blindfolded, so join us as we use `whois`, `dig`, `nmcli`, and `nmap` to snoop networks.
+
+Do be polite and don't run `nmap` on any network but your own, because probing other people's networks can be interpreted as a hostile act.
+
+### Thin and Thick whois
+
+You may have noticed that our beloved old `whois` command doesn't seem to give the level of detail that it used to. Check out this example for Linux.com:
+```
+$ whois linux.com
+Domain Name: LINUX.COM
+Registry Domain ID: 4245540_DOMAIN_COM-VRSN
+Registrar WHOIS Server: whois.namecheap.com
+Registrar URL: http://www.namecheap.com
+Updated Date: 2018-01-10T12:26:50Z
+Creation Date: 1994-06-02T04:00:00Z
+Registry Expiry Date: 2018-06-01T04:00:00Z
+Registrar: NameCheap Inc.
+Registrar IANA ID: 1068
+Registrar Abuse Contact Email: abuse@namecheap.com
+Registrar Abuse Contact Phone: +1.6613102107
+Domain Status: ok https://icann.org/epp#ok
+Name Server: NS5.DNSMADEEASY.COM
+Name Server: NS6.DNSMADEEASY.COM
+Name Server: NS7.DNSMADEEASY.COM
+DNSSEC: unsigned
+[...]
+
+```
+
+There is quite a bit more, mainly annoying legalese. But where is the contact information? It is sitting on whois.namecheap.com (see the third line of output above):
+```
+$ whois -h whois.namecheap.com linux.com
+
+```
+
+I won't print the output here, as it is very long, containing the Registrant, Admin, and Tech contact information. So what's the deal, Lucille? Some registries, such as .com and .net are "thin" registries, storing a limited subset of domain data. To get complete information use the `-h`, or `--host` option, to get the complete dump from the domain's `Registrar WHOIS Server`.
+
+Most of the other top-level domains are thick registries, such as .info. Try `whois blockchain.info` to see an example.
+
+Want to get rid of the obnoxious legalese? Use the `-H` option.
+
+### Digging DNS
+
+Use the `dig` command to compare the results from different name servers to check for stale entries. DNS records are cached all over the place, and different servers have different refresh intervals. This is the simplest usage:
+```
+$ dig linux.com
+<<>> DiG 9.10.3-P4-Ubuntu <<>> linux.com
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<<- opcode: QUERY, status: NOERROR, id: 13694
+;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 1440
+;; QUESTION SECTION:
+;linux.com. IN A
+
+;; ANSWER SECTION:
+linux.com. 10800 IN A 151.101.129.5
+linux.com. 10800 IN A 151.101.65.5
+linux.com. 10800 IN A 151.101.1.5
+linux.com. 10800 IN A 151.101.193.5
+
+;; Query time: 92 msec
+;; SERVER: 127.0.1.1#53(127.0.1.1)
+;; WHEN: Tue Jan 16 15:17:04 PST 2018
+;; MSG SIZE rcvd: 102
+
+```
+
+Take notice of the SERVER: 127.0.1.1#53(127.0.1.1) line near the end of the output. This is your default caching resolver. When the address is localhost, that means there is a DNS server installed on your machine. In my case that is Dnsmasq, which is being used by Network Manager:
+```
+$ ps ax|grep dnsmasq
+2842 ? S 0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground
+--no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid
+--listen-address=127.0.1.1
+
+```
+
+The `dig` default is to return A records, which define the domain name. IPv6 has AAAA records:
+```
+$ $ dig linux.com AAAA
+[...]
+;; ANSWER SECTION:
+linux.com. 60 IN AAAA 64:ff9b::9765:105
+linux.com. 60 IN AAAA 64:ff9b::9765:4105
+linux.com. 60 IN AAAA 64:ff9b::9765:8105
+linux.com. 60 IN AAAA 64:ff9b::9765:c105
+[...]
+
+```
+
+Checkitout, Linux.com has IPv6 addresses. Very good! If your Internet service provider supports IPv6 then you can connect over IPv6. (Sadly, my overpriced mobile broadband does not.)
+
+Suppose you make some DNS changes to your domain, or you're seeing `dig` results that don't look right. Try querying with a public DNS service, like OpenNIC:
+```
+$ dig @69.195.152.204 linux.com
+[...]
+;; Query time: 231 msec
+;; SERVER: 69.195.152.204#53(69.195.152.204)
+
+```
+
+`dig` confirms that you're getting your lookup from 69.195.152.204. You can query all kinds of servers and compare results.
+
+### Upstream Name Servers
+
+I want to know what my upstream name servers are. To find this, I first look in `/etc/resolv/conf`:
+```
+$ cat /etc/resolv.conf
+# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+nameserver 127.0.1.1
+
+```
+
+Thanks, but I already knew that. Your Linux distribution may be configured differently, and you'll see your upstream servers. Let's try `nmcli`, the Network Manager command-line tool:
+```
+$ nmcli dev show | grep DNS
+IP4.DNS[1]: 192.168.1.1
+
+```
+
+Now we're getting somewhere, as that is the address of my mobile hotspot, and I should have thought of that myself. I can log in to its weird little Web admin panel to see its upstream servers. A lot of consumer Internet gateways don't let you view or change these settings, so try an external service such as [What's my DNS server?][1]
+
+### List IPv4 Addresses on your Network
+
+Which IPv4 addresses are up and in use on your network?
+```
+$ nmap -sn 192.168.1.0/24
+Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-14 14:03 PST
+Nmap scan report for Mobile.Hotspot (192.168.1.1)
+Host is up (0.011s latency).
+Nmap scan report for studio (192.168.1.2)
+Host is up (0.000071s latency).
+Nmap scan report for nellybly (192.168.1.3)
+Host is up (0.015s latency)
+Nmap done: 256 IP addresses (2 hosts up) scanned in 2.23 seconds
+
+```
+
+Everyone wants to scan their network for open ports. This example looks for services and their versions:
+```
+$ nmap -sV 192.168.1.1/24
+
+Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-14 16:46 PST
+Nmap scan report for Mobile.Hotspot (192.168.1.1)
+Host is up (0.0071s latency).
+Not shown: 997 closed ports
+PORT STATE SERVICE VERSION
+22/tcp filtered ssh
+53/tcp open domain dnsmasq 2.55
+80/tcp open http GoAhead WebServer 2.5.0
+
+Nmap scan report for studio (192.168.1.102)
+Host is up (0.000087s latency).
+Not shown: 998 closed ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
+631/tcp open ipp CUPS 2.1
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 256 IP addresses (2 hosts up) scanned in 11.65 seconds
+
+```
+
+These are interesting results. Let's try the same run from a different Internet account, to see if any of these services are exposed to big bad Internet. You have a second network if you have a smartphone. There are probably apps you can download, or use your phone as a hotspot to your faithful Linux computer. Fetch the WAN IP address from the hotspot control panel and try again:
+```
+$ nmap -sV 12.34.56.78
+
+Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-14 17:05 PST
+Nmap scan report for 12.34.56.78
+Host is up (0.0061s latency).
+All 1000 scanned ports on 12.34.56.78 are closed
+
+```
+
+That's what I like to see. Consult the fine man pages for these commands to learn more fun snooping techniques.
+
+Learn more about Linux through the free ["Introduction to Linux" ][2]course from The Linux Foundation and edX.
+
+--------------------------------------------------------------------------------
+
+via: https://www.linux.com/learn/intro-to-linux/2018/1/4-tools-network-snooping-linux
+
+作者：[Carla Schroder][a]
+译者：[译者ID](https://github.com/译者ID)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]:https://www.linux.com/users/cschroder
+[1]:http://www.whatsmydnsserver.com/
+[2]:https://training.linuxfoundation.org/linux-courses/system-administration-training/introduction-to-linux