Linux Admins: Discover, Map and Store

http://www.enterprisenetworkingplanet.com/netos/article.php/3650131
December 19, 2006 By Carla Schroder

At the cost of great exertion and mental prowess, I have collected just for you an astounding assortment of useful commands and tools for performing amazing feats like network host discovery and mapping your network, mapping IP addresses to their physical locations, spying on everyone who is logged into a computer and even better, faster, securer remote file access.

Discovering Who's On Your Network

Even small networks can pick up some surprise guests that slip in when you're not looking. Or maybe, as your network has grown, you haven't been very diligent about keeping track of IP addresses, so you want to make a list. You don't have to run around to every network host, but can perform host discovery from the comfort of your network administrator lair. There are a lot of ways to do this. One way is to use nmap. This example queries DNS for IP addresses and hostnames:

# nmap -sL 192.168.1.* | grep (
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-18 18:37 PST
Host phineasfreak.alrac.net (192.168.1.25) not scanned
Host freewheelinfranklin.alrac.net (192.168.1.26) not scanned
Host fatfreddy.alrac.net (192.168.1.50) not scanned
Nmap finished: 256 IP addresses (0 hosts up) scanned in 8.248 seconds

This command pings the network to see who is up, and reports IP addresses, hostnames, and MAC addresses and names:

# nmap -sP 192.168.1.*
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-18 18:42 PST
Host freewheelinfranklin.alrac.net (192.168.1.26) appears to be up.
MAC Address: 00:00:24:C1:1D:F0 (Connect AS)
Host fatfreddy.alrac.net (192.168.1.50) appears to be up.
MAC Address: 00:0D:B9:05:25:B4 (PC Engines GmbH)
Nmap finished: 256 IP addresses (5 hosts up) scanned in 4.657 seconds

Plain old nmap with no options finks off hosts that are up and what services are running:

# nmap 192.168.1.*
Interesting ports on fatfreddy.alrac.net (192.168.1.50):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
631/tcp open  ipp
MAC Address: 00:0D:B9:05:25:B4 (PC Engines GmbH)

You can even have nmap perform its famous operating system detection with nmap -sS -O 192.168.1.*. This shows everything that the previous nmap commands report plus the operating system running on each host. This is a slow scan, so take advantage to go take a healthy break.

Network Mapping With Cheops-ng

Cheops-ng is a GTK-based front end to nmap that draws nice diagrams of your network. You have to run it as root– using sudo doesn't work because it doesn't know how to handle the sudo password. Start it up like this:

# cheops-agent & 
# cheops-ng 

Enter 127.0.0.1 in the dialog box. First it runs an "enqueueing scan" at startup to discover your network hosts, then runs a detailed scan on each host in turn. This can take awhile– this is the command that it runs on each host:

nmap -oX - -n -sT -T Normal -O -sR -I -F -P0 [IP address]

When it is finished it stops itself, leaving behind a nice map of your network. This won't be entirely accurate if you have dumb switches– it won't see them because they are not ping-able, so it will look like the machine you are running the scan from is a switch<!---->.

You can configure different types of scans, save your maps and drag the images on the maps around. Right-clicking on the images of your hosts lets you see all the information that Cheops-ng collected.

Whowatch

whowatch monitors logins in real time, so you can see all users accessing your system as they come and go <!---->.

The display is similar to the finger command, except it continually updates like the top command. There are no command options, just toggle keys to use while it's running. You can see the process trees for each user, what process they used to log in, and even kill processes and users.

Finding IP Addresses on a Map

Go to ip-adress.com. The first thing you see will be your own location on a map, complete with latitude, longitude, name of your service provider, and a pin stuck right through your house. Once the shock of being discovered has passed, use this to spy on other people.

Easy Secure Remote File Editing With sshfs

We all have our favorite methods of using SSH for secure remote access. SSH is slick, quick, and operates well over slow links. The one downside is you have to transfer files to your local PC to edit them, then transfer them back. This isn't too bad, but there is an alternative for folks who want an easier way. With sshfs you can mount any remote filesystem to your local PC, and access it just like any local filesystem. This magic happens thanks to FUSE– Filesystem In Userspace.

If your system is already set up with FUSE and sshfs, and you have a local directory for the mountpoint, this command will do the job:

carla@xena:~$ sshfs stinkpad: temp/
carla@stinkpad's password:
carla@xena:~$

Open your favorite file manager to the mountpoint, and there are your remote files. If it doesn't work, follow these steps:

• Install sshfs and fuse-utils
• Create a mountpoint that you have permission to access. FUSE operates in userspace, so a subdirectory in your home directory works fine
• Create the fuse group and add yourself to it
• Log completely out, then log back in again
• Load the fuse kernel module (modprobe fuse)

Now run the sshfs command again. If it doesn't work again, take your error to message to Google, and take a look at the links in Resources. Most modern distributions have FUSE support in the kernel, so all you need to do is load the module. Look for CONFIG_FUSE_FS=m in your /boot/config-[version] file.

Unmount it like this:

carla@xena:~$ fusermount -u temp/sshfs 

Users who are new to sshfs always ask these questions:

1. Why not just run X over SSH?
2. Why not just use NFS?

The answer is do what you want, no one cares. Some things to consider: It's faster and more secure than running X over SSH, it's a heck of a lot easier to set up than NFS, and a zillion times more secure.

Resources

• Nmap
  
• Cheops-ng
  
• Whowatch
  
• sshfs
  
• FUSE