ubuntu


Ubuntu: Headless wireshark (or wireshark from terminal)

Recently, we wanted to use wireshark on an Ubuntu through ssh and no X-Server forwarding enabled.
After a quick search we found tshark.

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark's native capture file format is pcap format, which is also the format used by tcpdump and various other tools.
Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet.
TShark is able to detect, read and write the same capture files that are supported by Wireshark.

From: man tshark

Install tshark on Ubuntu


sudo apt-get install tshark -y;

Using tshark to capture all traffic on eth0 to a pcap file


sudo tshark -i eth0 -w something.pcap;

Note: If you just want to capture network traffic on a network interface and do not need the additional features Wireshark has to offer, you can also use tcpdump as follows:


#The following command will create a file that has the current date and time in its name, using the date command.
sudo tcpdump -i eth0 -w "data.`date +%Y-%m-%d\ %H.%M`.pcap";
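As an added example that is not part of the original post, the following POSIX shell wrapper puts the same tshark commands to work for unattended, headless captures: it builds a timestamped file name without the space that the date format above produces, bounds a live capture by time and packet count so it cannot fill the disk of a box you only reach over ssh, and reads a saved file back with a display filter. It assumes tshark is installed as above and a Linux /sys/class/net layout; the function names are our own.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps tshark for headless
# captures; assumes tshark is installed and a Linux /sys/class/net layout.

# Build a capture file name such as data.2017-03-06_17.21.pcap. The post's
# `date +%Y-%m-%d\ %H.%M` puts a space in the name, which is awkward to pass
# to other tools, so an underscore is used here instead. The optional second
# argument overrides the timestamp (used by the tests).
pcap_name() {
    prefix=$1
    stamp=${2:-$(date +%Y-%m-%d_%H.%M)}
    printf '%s.%s.pcap\n' "$prefix" "$stamp"
}

# Capture on interface $1 for at most $2 seconds or $3 packets, whichever
# comes first, writing pcap output to $4. The autostop limits (-a, -c) keep
# an unattended capture from filling the disk on a headless machine.
# Returns 2 if tshark is missing and 3 if the interface does not exist.
capture() {
    iface=$1; secs=$2; pkts=$3; out=$4
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 2; }
    [ -e "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 3; }
    sudo tshark -i "$iface" -a "duration:$secs" -c "$pkts" -w "$out"
}

# Read a saved capture back and print one summary line per packet, optionally
# restricted by a Wireshark display filter such as 'tcp.port == 3306'.
summarize() {
    file=$1; filter=${2:-}
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 2; }
    if [ -n "$filter" ]; then
        tshark -r "$file" -Y "$filter"
    else
        tshark -r "$file"
    fi
}

# Typical use (commented out so the file can be sourced without capturing):
# out=$(pcap_name data); capture eth0 60 10000 "$out" && summarize "$out" 'tcp.port == 3306'
```

The capture function still needs root (or membership in the wireshark group that the package can set up), exactly as the commands above do; the limits are what make it safe to leave running in a detached ssh session.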


Ubuntu server 16.04+ MySQL port is only accessible from localhost (127.0.0.1)

Recently, we got access to an Ubuntu 16.04 LTS server that had MySQL server installed on it but was not accessible to our external servers.
The service was accessible when testing from localhost but it was not when testing from any other machine.
Executing nmap from another machine would return the value 3306/tcp closed mysql   conn-refused as below.

[bytefreaks@fedora ~]$ nmap -vv -p 3306 192.168.10.11
 Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-06 17:21 EET
 Initiating Ping Scan at 17:21
 Scanning 192.168.10.11 [2 ports]
 Completed Ping Scan at 17:21, 0.06s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 17:21
 Completed Parallel DNS resolution of 1 host. at 17:21, 0.00s elapsed
 Initiating Connect Scan at 17:21
 Scanning 192.168.10.11 [1 port]
 Completed Connect Scan at 17:21, 0.06s elapsed (1 total ports)
 Nmap scan report for 46.101.137.70
 Host is up, received syn-ack (0.061s latency).
 Scanned at 2017-03-06 17:21:31 EET for 1s
 PORT     STATE  SERVICE REASON
 3306/tcp closed mysql   conn-refused
 
 Read data files from: /usr/bin/../share/nmap
 Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

The problem was with the default configuration of mysqld that is found in the file /etc/mysql/mysql.conf.d/mysqld.cnf.
At line 41 we got the following snippet:

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address            = 127.0.0.1

What the line bind-address            = 127.0.0.1 says is that the service will only listen on localhost (the loopback interface), so connections from any other machine are refused.
At this stage there are two solutions that you can apply using your favorite text editor (e.g. sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf):

Solution A:

Completely remove the line bind-address            = 127.0.0.1 or comment it out by adding a # in front of it as follows #bind-address            = 127.0.0.1.

Solution B:

Replace 127.0.0.1 with the IP that you want mysql service to be available to. In our case the line became bind-address            = 192.168.10.11.

After you are done with the change, you need to restart the service for the change to take place:

bytefreaks@OSUbuntu:~$ sudo /etc/init.d/mysql restart
 [ ok ] Restarting mysql (via systemctl): mysql.service.

From an external machine you can verify that the configuration was applied correctly using nmap as below:

[bytefreaks@fedora ~]$ nmap -vv -p 3306 192.168.10.11
 Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-06 17:24 EET
 Initiating Ping Scan at 17:24
 Scanning 192.168.10.11 [2 ports]
 Completed Ping Scan at 17:24, 0.06s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 17:24
 Completed Parallel DNS resolution of 1 host. at 17:24, 0.00s elapsed
 Initiating Connect Scan at 17:24
 Scanning 192.168.10.11 [1 port]
 Discovered open port 3306/tcp on 46.101.137.70
 Completed Connect Scan at 17:24, 0.06s elapsed (1 total ports)
 Nmap scan report for 46.101.137.70
 Host is up, received syn-ack (0.061s latency).
 Scanned at 2017-03-06 17:24:30 EET for 0s
 PORT     STATE SERVICE REASON
 3306/tcp open  mysql   syn-ack
 Read data files from: /usr/bin/../share/nmap
 Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

You should get the value 3306/tcp open  mysql   syn-ack.
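The two solutions differ in how much they expose: with the line removed or commented out (Solution A) mysqld listens on every interface, while Solution B limits it to one address. As an added example that is not part of the original post, the following POSIX shell functions read the effective bind-address from a mysqld.cnf-style file, classify the exposure it implies, and show the live listener with ss, which is the local counterpart of the nmap check from another machine. The function names are our own, and the configuration files used in the test are constructed to match the snippet above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit which address mysqld
# is configured to listen on. Function names are our own.

# Print the last active bind-address (or bind_address) in the [mysqld]
# section of the file $1. Lines starting with # are comments and are
# skipped, just as mysqld skips them, so a commented-out line counts as
# "not set". Other sections such as [mysqldump] are ignored.
effective_bind_address() {
    awk '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); next }
        sect == "mysqld" && /^[ \t]*bind[-_]address[ \t]*=/ {
            addr = $0
            sub(/^[^=]*=[ \t]*/, "", addr)   # keep what follows the "="
            sub(/[ \t#].*$/, "", addr)       # drop trailing spaces or comments
        }
        END { print addr }
    ' "$1"
}

# Classify the exposure implied by the configuration in $1:
#   loopback-only           only 127.0.0.1 / ::1 / localhost (the default)
#   all-interfaces          no bind-address at all, 0.0.0.0, :: or * (Solution A)
#   single-address <addr>   one specific interface address (Solution B)
bind_exposure() {
    addr=$(effective_bind_address "$1")
    case "$addr" in
        ""|"0.0.0.0"|"::"|"*") echo "all-interfaces" ;;
        "127.0.0.1"|"::1"|"localhost") echo "loopback-only" ;;
        *) echo "single-address $addr" ;;
    esac
}

# Show what mysqld is actually listening on right now (needs iproute2's ss).
# Compare the Local Address column with what bind_exposure reports.
live_mysql_listener() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available" >&2; return 2; }
    ss -ltn 'sport = :3306'
}

# Typical use after editing the file and restarting the service:
# bind_exposure /etc/mysql/mysql.conf.d/mysqld.cnf; live_mysql_listener
```

If bind_exposure reports all-interfaces, the port is reachable from every network the server is attached to, so pair Solution A with a firewall rule or keep the MySQL user accounts restricted to the client hosts that need them.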


Building SnoopSnitch on Ubuntu 16.10 64bit

Step A: Update the system and install all necessary packages

sudo dpkg --add-architecture i386;
sudo apt-get update;
sudo apt-get upgrade -y;
sudo apt-get install git openjdk-8-jdk dh-autoreconf ant libncurses5:i386 libstdc++6:i386 zlib1g:i386 -y;
cd ~/;
mkdir Android;
cd Android;

Step B: Download the Android SDK and install all required packages

We got the following download link from this page: https://developer.android.com/studio/

wget https://dl.google.com/android/android-sdk_r24.4.1-linux.tgz;
tar -xf android-sdk_r24.4.1-linux.tgz;
cd android-sdk-linux/tools;
#To list all available packages, including the obsolete extra-android-support
#./android list sdk --all --extended;
./android update sdk --no-ui --all --filter extra-android-support,tools,platform-tools,build-tools-19.1.0,android-19;

You will get a prompt for a license agreement; you need to type Y to proceed:

November 20, 2015
Do you accept the license 'android-sdk-license-c81a61d9' [y/n]: y

cd ../..;
export ANDROID_HOME=`pwd`/android-sdk-linux;

Step C: Once the installation is complete, we need to install the Android NDK.

We got the following link from https://developer.android.com/ndk/downloads/

wget https://dl.google.com/android/repository/android-ndk-r13b-linux-x86_64.zip;
unzip -q android-ndk-r13b-linux-x86_64.zip;
export NDK_DIR=`pwd`/android-ndk-r13b;
#If we do not update the PATH we will get the following error: ../libtool: line 1719: arm-linux-androideabi-ranlib: command not found
PATH=$PATH:`pwd`/android-ndk-r13b/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin;
mkdir Projects;
cd Projects;

Step D: Afterwards, we can download SnoopSnitch and all of the git submodules of it using the following command.

git clone --recursive https://opensource.srlabs.de/git/snoopsnitch.git;

Step E: Then we need to compile two separate parts of the project.

We will start by compiling the contrib/ projects, which are the supplementary projects SnoopSnitch needs in order to get data.

cd snoopsnitch/contrib/;
./compile.sh -t android -u;
cd ..;

Step F: Finally, we can proceed to compile the android project of SnoopSnitch.

cd ./SnoopSnitch;

We need to update Application.mk and add APP_ABI := armeabi to it.
We do this to make sure that we compile diag-helper.c only for armeabi, as the rest of the packages will be available only on that architecture.
If we do not do this and we have a processor that supports armeabi-v7a (or another ABI), then it will only install diag-helper.so and ignore the rest, which will of course cause the application to fail.

echo "APP_ABI := armeabi" >> jni/Application.mk;
ant debug;
~/Android/android-sdk-linux/platform-tools/adb start-server

Once the compilation is complete, we can upload our apk to a device using the following commands:

#First we make sure that the adb server is running
$ANDROID_HOME/platform-tools/adb start-server;
#Then we check that our device is visible to the adb
$ANDROID_HOME/platform-tools/adb devices;
#Finally, we install the application to the device.
$ANDROID_HOME/platform-tools/adb install bin/SnoopSnitch-debug.apk;
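Two details of steps C and F bite on a second run of this guide: the NDK toolchain directory is only added to PATH for the current shell, so ant fails with the libtool ranlib error quoted above if you come back later, and echo >> appends another APP_ABI line every time it runs. As an added example that is not part of the original post or of the SnoopSnitch project, the following shell functions check the build environment and set APP_ABI idempotently; the function names are our own, and the variables assumed (ANDROID_HOME, NDK_DIR) are the ones exported above.

```shell
#!/bin/sh
# Added example, not part of the original post or the SnoopSnitch project.
# Preflight checks for the build above; assumes the ANDROID_HOME and NDK_DIR
# variables exported in steps B and C. Function names are our own.

# Set "APP_ABI := <abi>" in the Application.mk given as $1, replacing an
# existing APP_ABI line instead of appending a duplicate on every run.
set_app_abi() {
    mk=$1; abi=$2
    [ -f "$mk" ] || : > "$mk"
    if grep -q '^APP_ABI[[:space:]]*:=' "$mk"; then
        tmp=$(mktemp)
        sed "s/^APP_ABI[[:space:]]*:=.*/APP_ABI := $abi/" "$mk" > "$tmp" && mv "$tmp" "$mk"
    else
        printf 'APP_ABI := %s\n' "$abi" >> "$mk"
    fi
}

# Print the name of everything missing from the build environment, one per
# line, and return 1 if anything is missing. The ranlib check catches the
# "arm-linux-androideabi-ranlib: command not found" failure quoted above
# before ant gets half way through the build.
check_build_env() {
    missing=0
    [ -n "${ANDROID_HOME:-}" ] || { echo "ANDROID_HOME"; missing=1; }
    [ -n "${NDK_DIR:-}" ] || { echo "NDK_DIR"; missing=1; }
    for tool in ant arm-linux-androideabi-ranlib; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool"; missing=1; }
    done
    return $missing
}

# Typical use from the SnoopSnitch directory (step F):
# check_build_env && set_app_abi jni/Application.mk armeabi && ant debug
```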

This guide was tested on freshly installed Ubuntu 16.10 64bit.



Ubuntu/Bash: Get the IP of eth0

The following is a small snippet that prints the IP of eth0 on Ubuntu (both server and desktop versions).
As you will see, it is not a very sound solution, as it depends on the structure of the output of ifconfig eth0.

Nevertheless, it works (for Ubuntu at least)! 🙂

ifconfig eth0 | grep "inet addr" | cut -d ':' -f 2 | cut -d ' ' -f 1

What this line does is: first it prints the configuration information for eth0, then it finds the line that contains inet addr, then it uses cut to take the second column after splitting that line on the : symbol. At this point the pipe holds something similar to 192.168.1.37 Bcast, so we need to filter out the last part as well. We do that final filtering with cut again, this time taking the first column while using the space character as the delimiter.

The Ubuntu version that was used for this tutorial is

$lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.4 LTS
Release:	14.04
Codename:	trusty

The version of ifconfig for this tutorial is

$ifconfig --version
net-tools 1.60
ifconfig 1.42 (2001-04-13)

In case you want to assign the IP of eth0 to a variable, you can easily do as follows

ETH0=`ifconfig eth0 | grep "inet addr" | cut -d ':' -f 2 | cut -d ' ' -f 1`;
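As the post says, the snippet depends on the exact output layout of ifconfig from net-tools 1.60, and that layout changed in later net-tools releases (the address line became "inet 192.168.1.37  netmask ..." instead of "inet addr:192.168.1.37  Bcast:..."); newer Ubuntu releases also ship ip from iproute2 rather than ifconfig by default. As an added example that is not part of the original post, and going beyond it, the following shell functions parse both ifconfig layouts and the ip -4 -o addr output, and iface_ipv4 tries ip first and falls back to ifconfig. The function names are our own; the sample outputs in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Extract the IPv4 address of
# an interface from either ifconfig layout or from iproute2's ip. Function
# names are our own.

# Read ifconfig output on stdin and print the first IPv4 address. Handles
# the net-tools 1.60 layout ("inet addr:192.168.1.37  Bcast:...") used in
# the post and the net-tools 2.x layout ("inet 192.168.1.37  netmask ...").
# Only lines whose first field is exactly "inet" are considered, so the
# "inet6" line is skipped, and the value is checked to look like IPv4.
parse_ifconfig_ipv4() {
    awk '$1 == "inet" {
        a = $2
        sub(/^addr:/, "", a)
        if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print a; exit }
    }'
}

# Read "ip -4 -o addr show dev <iface>" output on stdin and print the
# address without its prefix length ("192.168.1.37/24" -> "192.168.1.37").
parse_ip_ipv4() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Print the IPv4 address of interface $1, preferring ip (iproute2) and
# falling back to ifconfig (net-tools). Returns 1 if neither tool is present
# or no address was found for that interface.
iface_ipv4() {
    iface=$1
    if command -v ip >/dev/null 2>&1; then
        addr=$(ip -4 -o addr show dev "$iface" 2>/dev/null | parse_ip_ipv4)
    elif command -v ifconfig >/dev/null 2>&1; then
        addr=$(ifconfig "$iface" 2>/dev/null | parse_ifconfig_ipv4)
    else
        addr=
    fi
    [ -n "$addr" ] && echo "$addr"
}

# Same as the post's ETH0 assignment, but via the portable helper:
# ETH0=$(iface_ipv4 eth0)
```

Because iface_ipv4 returns non-zero when nothing was found, a script can write `ETH0=$(iface_ipv4 eth0) || exit 1` instead of silently continuing with an empty variable.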