Linux Networking Commands


Investigate sockets

ss is a utility to investigate network ports and is part of the iproute2 package. It has a similar functionality to the deprecated netstat utility. See ss(8), Common usage includes:

cmds Discription
ss -at Display all TCP Sockets w/ service names
ss -atn Display all TCP Sockets w/ port numbers
ss -au Display all UDP Sockets

Scanning Targets

Nmap has a shodan plugin: nmap --script=shodan-api --script-args='shodan-api.apikey=XXXXXX'

tac Discription
-sn Disable Port Scan
-Pn Skip host discovery, don't ping the host
-n Skip DNS Resolution

namp will realize it has nothing left to do and will run the shodan-api script. You could also set the api-key directly into the nse script too.


Download entire website: wget -m -p -E -k


Option Discription
-m, --mirror Infinite recursion & time-stamp, keep FTP dir list.
-p, --page-requisites Get all images, etc. needed to display HTML page.
-E, --adjust-extension Save HTML/CSS files with .html/.css extensions.
-k, --convert-links Make links in downloaded HTML point to local files.


wget \
    --recursive \
    --no-clobber \
    --page-requisites \
    --html-extension \
    --convert-links \
    --restrict-file-names=windows \
    --domains \
    --no-parent \

Access Point

Note: Debian 10, look at /etc/default/isc-dhcp-server, make sure you have added all the interfaces you want dhcp server to be on, also Hostapd need to make sure you unmask first:

systemctl unmask
systemctl enable
systemctl start hostapd

Note: Ubuntu, look at /etc/ufw/sysctl.conf make sure you have uncommented net/ipv4/ip_forward=1.

Note: Here is an example of an /etc/network/interfaces in Debian:

# loopback network interface
auto lo
iface lo inet loopback

# Management network interface
auto eth0
  iface eth0 inet dhcp
  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

#wireless access point
auto wlan0
iface wlan0 inet static
#  gateway
  wireless-mode Master
  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

#auto eth1
#iface eth1 inet static
#  address
#  netmask
#iface eth1 inet manual
#  up ip link set $IFACE promisc on arp off up
#  down ip link set $IFACE promisc off down
#  post-up ethtool -G $IFACE rx ; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
  #post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

Note: To stop Network Manager from messing with the internal interfaces, we added the keyfile and the mac addresses of the NICs and WIFIs that it is not suppose to manage.




Note: If you want to use dnsmasq in Debian then look at /etc/defaults/dnsmasq file, make sure ENABLE is set:

# by setting DNSMASQ_OPTS to --conf-file=<file>
# Whether or not to run the dnsmasq daemon; set to 0 to disable.

Note: Here's an example simple configuration for dnsmasq, the file could be /etc/dnsmasq.alt:

# opendns nameervers
# nameservers from google

Note: Enable hostapd, in /etc/defaults:


Note: Here's a simple hostapd.conf configuration:


dnsmasq with dnscrypt-proxy

This I have not tested fully, but it's something to try out in the future. Dnsmasq combined with dnscrypt-proxy provide caching, encryption and server-side authentication. Said to be useful to protect a laptop from potentially hostile networks.

apt-get install dnsmasq dnscrypt-proxy

Configure /etc/resolv.conf to use dnsmasq:


Configure /etc/dnsmasq.conf

# ignore resolv.conf
# Listen only on localhost
# dnscrypt is on port 40

Configure /etc/systemd/system/ with the following 5 lines if you are using systemd


Then, restart both daemons!


Look at the examples: man tcpdump | less -Ip examples

Tcpdump filter for HTTP GET: sudo tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

Filter for HTTP POST: sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

Monitor HTTP traffic including request and response headers and message body:

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

For more information on the bit-twiddling in the TCP headers see:




-t filter --the default if none given--

INPUT (for packets destined to local sockets) FORWARD (for packets being routed through the box) OUTPUT (for locally-generated packets)

-t nat --as of 3.7--

PREROUTING (for altering packets as soon as they come in) OUTPUT (for altering locally-genrated packets before routering) POSTROUTING (for altering packets as they are about to go out)

-t mangle

--until 2.4.17-- PREROUTING (for alitering incoming packets before routing) OUTPUT (for altering locally-generated packets before routing) --as of 2.4.18-- INPUT (for packets coming into the box itself) FORWARD (for altering packets being routed through the box) POSTROUTING (for altering packets as they are about to go out)

-t raw

Note: used to configure exemptions from connection tracking, in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

-t security

Note: used for MAC (Mandatory Access Control from SELinux) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. The security table is called after the filter table, allowing any DAC (Discretionary Access Control) rules in filter table to take effect before MAC rules. INPUT (for packets comming into the box itself) OUTPUT (for altering locally-generated packets before routing) FORWARD (for altering packets being routed through the box.


There are 3 types of options. Commands, Parameters, Other Options.


-A, --append

chain rule-specification

-C, --check

chain rule-specification

-D, --delete

chain rule-specification

-D, --delete

chain rulenum

-I, --insert chain [rulenum] rule-specificaation

Note: Insert rule(s) at rulenum, the default is 1 (at the head/top)

-R, --replace chain rulenum rule-specification

Note: Rules are numbered starting at 1

-L, --list [chain]

Note: list all rules or one chain. Like every other iptable command, it applies to the specified table (filter is the default), so NAT rules get listed by: iptables -t nat -n -L note: it is offen used with the -n option to avoid long DNS lookups. note: The exact rules are suppressed until you use: iptables -L -v

-S, --list-rules [chain]

note: like all other commands, applies to a table (filter is the default).

-F, --flush [chain]

Flush selected chain (all chains in the table if none is given).

-Z, --zero [chain [rulenum]]

Zero out the packet and byte counters in all chains. Its legal to specify -L, --list as well, to see the counters immediately before they are cleared. (See above).

-N, --new-chain chain

Create a new user-defined chain by the given name. (can not pre-exist)

-X, --delete-chain chain

Delete a user created chain, must remove all the rules and references to this chain first. if chain name is not supplied, it will try to delete any chain it can.

-P, --policy chain target

Set ppolicy for a built-in chain to the given target.

-E, --rename-chain old-chain new-chain


The parameters make up a rule specification.

-4, --ipv4 -6, --ipv6

Only used to mix rules in one ip(6)tables-retore command.

[!] -p, --protocol protocol

The protocol of a rule or a packet to check. Can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the special keyword "all", or a numeric value. A protocol name from /etc/protocols is also allowed. 0 is equivlent to all. all will match with all protocols and is taken as default when this option is omitted.

[!] -s, --source address[/mask][,...]

Source address can either be a network name, a host name, a network IP address (with /mask), or a plain IP address. note: Specifying any name to be resolved with a remote query such as DNS is a really bad idea!

[!] -d, --destination address[/mask][,...]

Destination address, see source address above.

-m, --match match

Speifies a match of extension modul that tests for a property. Matches are in the order giving on the command line. If one extension yields false, evaluation will stop.

-j, --jump target

This Specifies the target rule (ie. what to do if the packet matches). Target can be user defined chain, a built-in (which decides the fate of the packet immediately), or an extension. note: if this option is omitted, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented. (unles there is a --goto)

-g, --goto chain

This specifies that the processing should continue in a user specifed chain. Unlike --jump option return will not continue processing in this chain but instead in the chain that called us via --jump

[!] -i, --in-interface name

Name of an interface via which a packet was recieved (only for packets entering the INPUT, FORWARD and PREROUTING chains). note: if interface name ends in a "+", then any interface which begins with this name will match. note: If this option is omitted, any interface name will match.

[!] -o, --out-interface name

Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). Same notes as above.

[!] -f, --fragment

Only for ipv4. Rule refers to the second and further IPv4 fragments of fragmented packets.

-c, --set-counters packets bytes

This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).

Other Options

-v, --verbose

^- DO use this!! all the time!!!

-w, --wait

wait for the xtables lock.

-n, --numeric

Don't display hostnames do numerical ip.

-x, --exact

display exact numbers instead of with K's M's and G's


only used with -L, --list to display line numbers.


when adding or inserting rules use this modprobe cmd.

Tips and Tricks

Connecting to subnets together

iptables -A FORWARD -i eth0 -o eth2 -s -d -j ACCEPT iptables -A FORWARD -i eth2 -o eth0 -s -d -j ACCEPT

iptables -A OUTPUT -o wlan0 -p udp -m udp --dport 68 -j ACCEPT

Other Interesting Networking Docs

Below is Older Unformated Stuff

Access Point Tip

HOWTO: Port Forward in linux

echo 1 > "/proc/sys/net/ipv4/ip_forward"

Access Point Tip

HOWTO: Port Forward in linux

echo 1 > "/proc/sys/net/ipv4/ip_forward"

HOWTO: Quick Dirty MASQ

## eth0 is INTERNET, wlan0 is LAN. sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Access VM's thru OpenVPN

NB: forward in from the tun0 out to virbr0

  1. iptables -I FORWARD 1 -i tun0 -o virbr0 -j ACCEPT

To connect to VM's with virt-viewer:

  1. Make sure you have virsh -c qemu:///system list --all showing them
  2. You might have to start them.
  3. make sure sshd is open and running.
  4. $ virt-viewer -f --connect qemu+ssh://kreator@ <NAME>

Fedora 26 way of Firewall

  1. firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=



HOWTO: Wireshark



Some Notes:



form a book?

Protocol Issues: -Connection initiation -Negotiation of connection characteristcs -Data formatting -Error detection and correction -connection termination

Router Stuff

mount -o bind /dev /mnt/openwrt/dev mount -t proc none /mnt/openwrt/proc

--background --dyndns_system -u guest -p guest -a,M2xIc25pOWVqMlFJU044QjBSZWZnenIzOjE0NDEzNjcz --update_period_sec 600 --forced_update_period 864000 --log_file /tmp/ddns/ddns.log --cache_dir /tmp/ddns --exec ddns_success ^ this is probably a cronjob. ^ maybe its called inadyn, this is from inadyn.conf

More Router Stuff

Notes on systemd

trying to install dnsmasq, got this: Job for dnsmasq.service failed because the control prcess exited with err code. "systemctl status dnsmsaq.service" and "journalctl -xe" for details

invoke-rc.d: initscript dnsmasq, action "start" failed

A BASH script for the NATing

#Initial wifi interface configuration
ifconfig $1 up netmask
sleep 2
###########Start DHCP, comment out / add relevant section##########
#Thanks to Panji
#Doesn't try to run dhcpd when already running
if [ "$(ps -e | grep dhcpd)" == "" ]; then
dhcpd $1 &
#Enable NAT
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface $2 -j MASQUERADE
iptables --append FORWARD --in-interface $1 -j ACCEPT

#Thanks to lorenzo
#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

sysctl -w net.ipv4.ip_forward=1
#start hostapd
hostapd /etc/hostapd/hostapd.conf 1>/dev/null
killall dhcpd

a simple /etc/dnsmasq.conf

# disables dnsmasq reading any other files like /etc/resolv.conf for nameservers
# Interface to bind to
# Specify starting_range,end_range,lease_time
# dns addresses to send to the clients

Another NATing Script

###########Start dnsmasq, modify if required##########
if [ -z "$(ps -e | grep dnsmasq)" ]

#Enable NAT
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface $2 -j MASQUERADE
iptables --append FORWARD --in-interface $1 -j ACCEPT

#Thanks to lorenzo
#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

sysctl -w net.ipv4.ip_forward=1

#start hostapd
hostapd /etc/hostapd/hostapd.conf 1> /dev/null
killall dnsmasq

Make sure the link is up.

# ip link set dev wlan0_ap up

Had to add this to /etc/NetworkManager/NetworkManager.conf

[keyfile] unmanaged-devices=mac:<hwaddr>

What The Hell The Solution Is

a> dnsmasq was not setup.. b> AND MORE!!! the IP address was wrong after I got dnsmasq to do dhcp c> I had to log in with another computer (maybe I should have 2 wifi's)

Note: its kind of funny how disconnected things are.

Note: on MarioCoin

certbot ACMEv2 and Lets Encrypt

It was super easy to setup a new service's Let's Encrypt TLS cert with Apache2 and the command certbot. it was install certbot via apt then run it, this is what I ran:

sudo apt install apache2 certbot
sudo certbot --apache -d

And it did everything! then setup a systemd timer.

The command that renews the cert, I set up to run every Wed. /usr/bin/certbot renew and this renews all the certs for this account.


Find WPS wifi APs in the area $ sudo airmon-ng start wlan0 $ wash -i mon0

airodump-ng mon0

One of the goals is to get the bssid of the AP. $ airodump-ng mon0 <channel>

To monitor one AP: $ airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0


Test to see if packet inject will work. $ sudo aireplay-ng --test -e HelloKitty08 -a C0:56:27:0B:EB:89 wlan4mon

To inject [untested]: $ aireplay-ng -1 0 -e HelloKitty08 -a C0:56:27:0B:EB:89 -h <SOURCE> mon0


Gets the password from the WPS of the AP. $ reaver -i mon0 -b XX:XX:XX:XX:XX:XX

Know Issues:

  1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6". (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching interfaces forever.
  2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
  3. Sometimes it never associates with the target AP.
  4. Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed.

In most cases, such errors suggest:

  1. Something wrong with wireless card.
  2. AP is very choosy, won't let you associate.
  3. The AP does not use WPS.
  4. You are very far from the AP.


$ sqlmap --tor --tor-type=SOCKS5 -u \

"" \ --user-agent="Googlebot (compatible; Googlebot/2.1; +"
  1. This uses Tor on port 9050 as http proxy then makes also changes the