Get Started with Your Favorite Security Tools

by dual_parallel

http://www.oldskoolphreak.com

This article is meant to give someone new to tcpdump, nmap, and/or snort a jump-start for getting good data. The tools discussed in this article should be standard fare on any hacker's *nix box. I'll introduce a tool, show a general command for that tool, and describe each part of the command in English. All three need root (or the equivalent capability) to put an interface into promiscuous mode or to send raw packets.

The first tool is tcpdump. Tcpdump is a libpcap-based sniffer. There are lots of options, so read the man page, or better yet, read RFC 793 (the TCP specification) so you know what the fields in the dump mean. To start sniffing, use this:

    tcpdump -i eth0 -e -t -x > sniff.txt

tcpdump starts the sniffer; -i eth0 specifies the interface to listen on; -e prints the link-level (Ethernet) headers; -t does NOT print a timestamp (for cleaner data); and -x prints each packet in hex, minus the link-level header, so you get the IP and TCP headers as well as the payload (just in case you want the data). Output is redirected to the file sniff.txt. If you want a capture you can replay or feed to another tool later, write it with -w sniff.pcap instead of the redirect and read it back with -r sniff.pcap; the text output cannot be turned back into packets. On a switched network you will only see your own traffic plus broadcasts unless you are on a hub or a span port.

The next tool is nmap. Nmap is a port scanner that can also fingerprint the remote operating system from the way its TCP/IP stack answers crafted probes (initial sequence number generation, TTL, window size, option ordering and so on), not from sequence numbers alone. For the quietest scans, use a FIN, XMAS, or NULL scan. These rely on RFC 793 behaviour: a closed port answers the probe with a RST, and an open port silently drops it. But if you want to find win32 machines (like home broadband users), you can't use these scans, because Microsoft's stack does not follow the standard: it answers every FIN, XMAS or NULL probe with a RST whether the port is open or not, so every port shows up closed. You'll have to use a SYN scan instead:

    nmap -sS -P0 -v -O -o /root/win_scan.txt 123.45.67.1-254

nmap begins the scan; -sS is a SYN (half-open) scan; -P0 skips the ping sweep that would otherwise decide which targets are up (many hosts and firewalls drop ICMP echo, so those targets would be skipped); -v is verbose (recommended); -O enables OS fingerprinting; -o logs the scan to the given file; and finally the network segment to scan - boxes 1 through 254 on 123.45.67 (0 being the network address and 255 the broadcast address). In current nmap releases these two options are spelled -Pn and -oN. Keep in mind that "stealth" only means the target's applications never see a completed connection to log; any NIDS watching the wire, Snort included, flags these probes just fine.

Snort is one of my favorite tools. Snort is a sniffer and a Network Intrusion Detection System (NIDS). Once you get the hang of it, you can spend hours writing your own rules. Make sure you download the Snort Users Manual PDF with the tool.
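Before getting into Snort's options, here is an added example that ties the tcpdump and nmap sections above together: what tcpdump writes to sniff.txt is exactly what an nmap probe looks like on the wire. The script below is my own code, not from the article, tcpdump or nmap. It decodes one packet pasted from tcpdump -e -t -x output (the SAMPLE packet is constructed by hand: a SYN from 192.168.1.10 to port 80 on 192.168.1.1 with valid checksums), verifies the IP and TCP checksums, names the flags per RFC 793, says which nmap scan type sends a probe shaped like that, and models how an RFC 793 stack versus a Windows stack answers each probe type, which is the reason the text gives for using -sS against win32 hosts. All function and variable names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Decode one packet from `tcpdump -e -t -x` output and classify it as an
nmap probe.  Added example, not code from the article, tcpdump or nmap.
SAMPLE is constructed by hand; every name below is our own."""
import re
import socket
import struct

# Constructed sample: a Linux-style SYN from 192.168.1.10:54321 to
# 192.168.1.1:80, as tcpdump -e -t -x prints it (summary line, then the
# packet minus its 14-byte Ethernet header, in hex).  Checksums are valid.
SAMPLE = """\
00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: \
192.168.1.10.54321 > 192.168.1.1.80: Flags [S], seq 305419896, win 64240, \
options [mss 1460,sackOK,TS val 123456 ecr 0,nop,wscale 7], length 0
\t0x0000:  4500 003c 1a2b 4000 4006 9d35 c0a8 010a
\t0x0010:  c0a8 0101 d431 0050 1234 5678 0000 0000
\t0x0020:  a002 faf0 aa43 0000 0204 05b4 0402 080a
\t0x0030:  0001 e240 0000 0000 0103 0307
"""

# A hex line: optional "0xNNNN:" offset (older tcpdump omits it), then groups
# of hex digits and nothing else.  The summary line never matches.
HEX_LINE = re.compile(r"^\s*(?:0x[0-9a-fA-F]+:)?\s*((?:[0-9a-fA-F]{2,4}\s*)+)$")

# TCP flag bits in header order (RFC 793 plus the ECN bits from RFC 3168).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Flag byte of the single probe each nmap scan type sends to a port.
PROBES = {"SYN": 0x02, "FIN": 0x01, "NULL": 0x00, "XMAS": 0x01 | 0x08 | 0x20}


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when `data` verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hexdump_to_bytes(text):
    """Collect the hex columns of a tcpdump -x dump into raw packet bytes."""
    digits = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            digits.append(re.sub(r"\s+", "", m.group(1)))
    return bytes.fromhex("".join(digits))


def parse_packet(text):
    """Decode the IPv4 and TCP headers of one dumped packet into a dict."""
    pkt = hexdump_to_bytes(text)
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _ipsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # IP options, if any, are inside ihl
    pkt = pkt[:total_len]               # drop Ethernet padding past the IP length
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto,
            "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0}
    if proto != 6:                      # not TCP: stop at the IP layer
        return info
    sport, dport, seq, ack, off_flags, win, _tsum, _urg = struct.unpack(
        "!HHIIHHHH", pkt[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4    # TCP header length incl. options
    flags = off_flags & 0xFF
    # TCP checksum covers a pseudo-header of src, dst, proto and TCP length.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, total_len - ihl)
    info.update({
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "payload_len": total_len - ihl - data_off,
        "tcp_checksum_ok": inet_checksum(pseudo + pkt[ihl:]) == 0,
    })
    return info


def classify_probe(flag_names):
    """Name the nmap scan whose lone probe carries exactly these flags."""
    bits = sum(bit for bit, name in TCP_FLAGS if name in flag_names)
    for scan, probe in PROBES.items():
        if bits == probe:
            return scan
    return None


def expected_response(scan, port_open, stack="rfc793"):
    """Model of how a target answers one probe.  RFC 793: a closed port
    answers any probe with RST; an open port answers a SYN with SYN/ACK and
    silently drops a FIN, NULL or XMAS probe.  The Windows stack answers
    those three with RST regardless of port state (assumed model)."""
    if scan == "SYN":
        return "SYN/ACK" if port_open else "RST"
    if stack == "windows" or not port_open:
        return "RST"
    return None


def infer_state(scan, response):
    """nmap's reading of that answer (silence may also mean a firewall)."""
    if scan == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    return "closed" if response == "RST" else "open|filtered"


if __name__ == "__main__":
    pkt = parse_packet(SAMPLE)
    print(pkt)
    scan = classify_probe(pkt["flags"])
    print("looks like an nmap %s probe" % scan if scan else "not a lone probe")
    for stack in ("rfc793", "windows"):
        for scan in PROBES:
            resp = expected_response(scan, True, stack)
            print("%-8s %-5s open port -> %-8s read as %s"
                  % (stack, scan, resp, infer_state(scan, resp)))
```

Run it as a script to see the decoded fields and the response table; to decode your own traffic, paste one packet from sniff.txt in place of SAMPLE. The table is the whole argument of the nmap section in miniature: against an RFC 793 stack the FIN, NULL and XMAS probes leave an open port silent, while against the Windows model every port reads as closed, so only the SYN probe finds the open one. If tcpdump's snaplen cut the packet short, the TCP checksum will not verify; capture with -s 0 (or a modern default) to get whole packets.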
When using Snort as a NIDS:

    snort -e -h 192.168.1.0/24 -l /var/log/snort -c snort.conf

snort starts the tool; -e prints the link-level headers; -h 192.168.1.0/24 is the home network, with /24 being the CIDR prefix length that designates the 256 addresses (254 usable hosts) of your class C; -l names the directory that alerts and packet logs are written to (it takes a directory, not a file; if you leave it out, snort defaults to /var/log/snort); and -c designates the configuration file, which sets HOME_NET and the rest of the variables and pulls in the rule files with include lines. When using Snort as a sniffer (snort -v -d -e, with no -c), -v prints the decoded headers to the screen and -d adds the payload. This should get you started after ./configure, make, make install.
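Since the point of -c is the rule set, here is an added example rule file for the probes nmap sends, written for this article rather than taken from it or from the Snort distribution. It assumes the $HOME_NET and $EXTERNAL_NET variables that the stock snort.conf defines, sid numbers in the 1000000+ range reserved for local rules, and Snort 2.8.5 or later for the detection_filter keyword in the last rule. Save it beside snort.conf and add an include line for it.

```snort
# local.rules - constructed example rules for the scan types discussed above.
# Snort 2 syntax; $HOME_NET / $EXTERNAL_NET come from snort.conf; sids are in
# the local range (>= 1000000).

# XMAS probe: FIN, PSH and URG set.  The ,12 mask ignores the two ECN bits so
# a stack that sets them does not dodge the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS probe"; flags:FPU,12; flow:stateless; sid:1000001; rev:1;)

# NULL probe: no flags at all.  No legitimate TCP segment looks like this.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap NULL probe"; flags:0; flow:stateless; sid:1000002; rev:1;)

# FIN probe: FIN alone.  A real teardown carries FIN/ACK, so a bare FIN with
# no prior handshake is a probe; stateless so it matches without a stream.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap FIN probe"; flags:F,12; flow:stateless; sid:1000003; rev:1;)

# SYN scan: each probe is an ordinary SYN, so only the rate gives it away.
# Fire once a single source has sent 30 SYNs into the home net in 10 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN possible SYN sweep"; flags:S,12; flow:stateless; detection_filter:track by_src, count 30, seconds 10; sid:1000004; rev:1;)
```

These rules fire on the probes themselves, not on the target's answer, so they catch a FIN, NULL or XMAS scan whether the host behind it is a *nix box or a win32 box that answers every probe with a RST. The SYN rule is the noisy one: tune the count and seconds to your network, because a busy web server sees plenty of real SYNs from one source.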