Cheatsheet

From Network Security Wiki
Jump to navigation Jump to search



ARP vs MAC Table vs CAM Table

   Ambox notice.png     Need to confirm if MAC Table is same as CAM table
ARP Table MAC Table (or CAM Table) CAM Table
Layer3 address to Layer2 address resolution Layer2 address to Interface binding
Matches IP addresses to MAC addresses Maps Ports to MAC addresses
Needed to forward packets at layer 3 Used to Switch frames to the right output interface
Kept by L3 devices Kept only by L2 devices
No entry for dest IP address, machine will send ARP request If no entry, switch will flood the frame
Default timeout is 4 hours Default timeout is 5 minutes
Filled by each ARP reply Filled by source MAC of each frame passing through switch


Fragmentation

Before fragmentation
Original IP Datagram
Sequence Identifier Total Length DF Flag MF Flag Fragment offset
0 345 5140 0 0 0
After fragmentation
IP Fragments(ethernet)
Sequence Identifier Total Length DF Flag MF Flag Fragment offset
0-0 345 1500 0 1 0
0-1 345 1500 0 1 185
0-2 345 1500 0 1 370
0-3 345 700 0 0 555

Headers

IPv4 Header Format
Version HLEN DSCP ECN Total Length
Identification Flags(DF,MF) Fragment Offset
Time To Live Protocol Header Checksum
Source IP Address
Destination IP Address
Options (if HLEN > 5)



TCP Header
Source port Destination port
Sequence number
Acknowledgment number (if ACK set)
Data offset Reserved
0 0 0
N
S
C
W
R
E
C
E
U
R
G
A
C
K
P
S
H
R
S
T
S
Y
N
F
I
N
Window Size
Checksum Urgent pointer (if URG set)
Options (if data offset > 5. Padded at the end with "0" bytes if necessary.)
...


UDP Header
Source port Destination port
Length Checksum



DNS Headers
Identification QR Opcode A
A
T
C
R
D
R
A
Z A
D
C
D
RCode
Total Questions Total Answers
Total Authority Resource Records Total Additional Resource Records


  • AD Authentic Data
  • CD Checking Disabled
ARP Headers
Hardware type (Ethernet = 1)
Protocol type (IPv4 = 0x0800)
Hardware address length (Ethernet size is 6) Protocol address length (IPv4 size is 4.)
Operation ( 1 for request; 2 for reply)
Source MAC
Source IP
Dest MAC
Dest IP


GARP
GARP.png


  • ICMP Header
Code 
Checksum 
Rest of Header 


DNS

Record Types
A 	Address record 	 	 	 	Returns a 32-bit IPv4 address,
AAAA 	IPv6 address record 	
CNAME 	Canonical name record 	 	 	Alias of one name to another, DNS lookup will continue by retrying the lookup with the new name.
LOC 	Location record 	 	 	Specifies a geographical location associated with a domain name
MX 	Mail exchange record 	 	 	Maps a domain name to a list of message transfer agents for that domain
NS 	Name server record 	 	 	Delegates a DNS zone to use the given authoritative name servers
PTR 	Pointer record 	 	 	 	Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse 
                                                DNS lookups.
SOA 	Start of [a zone of] authority record 	Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial
                                                number,etc
SRV 	Service locator 	 	 	Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
TXT 	Text record 	 	 	 	Originally for arbitrary human-readable text in a DNS record. Now more often carries machine-readable data, opportunistic encryption, Sender Policy
                                                Framework, etc.
* 	All cached records 	 	 	Returns all cached records of all types known to the name server. If the name server does not have any information on the name, the request will be 
                                                forwarded on.
AXFR 	Authoritative Zone Transfer 	 	Transfer entire zone file from the master name server to secondary name servers.
IXFR 	Incremental Zone Transfer 	 	Requests a zone transfer of the given zone but only differences from a previous serial number.


Glue Record
  • A glue record is a term for a record that's served by a DNS server that's not authoritative for the zone, to avoid a condition of impossible dependencies for a DNS zone.
  • What glue records do is to allow the TLD's servers to send extra information in their response to the query for the example.com zone - to send the IP address that's configured for the name servers.
  • It's not authoritative, but it's a pointer to the authoritative servers, allowing for the loop to be resolved.

TCP

  • Parameters determined during Handshake:
MSS  (default is 536)
WSF
SACK Permitted

  • MTU vs MSS
Mtu mss.png
  • RTO: Four ACKs acknowledging the same packet, which are not piggybacked on data and do not change the receiver's advertised window.
  • Fast Retransmission
- If RTO has a larger value
- If sender receives four acknowledgments with same value (three duplicates)
- Segment expected by all of these Ack is resent immediately
  • Fast Recovery:
-
-
  • Congestion Control
Slow Start - Exponential Increase
- Sender starts with cwnd = 1 MSS, Size increases 1 MSS each time one Ack arrives, Increases the rate exponentially(1,2,4,8....) until a threshold is reached
Congestion Avoidance - Additive Increase
- Increases the cwnd Additively, When a “window” is Ack cwnd is increased by 1, Window = No of segments transmitted during RTT
- The increase is based on RTT, not on the number of arrived ACKs, Congestion window increases additively until congestion is detected
Congestion Detection - Multiplicative Decrease
- If congestion occurs, Window size must be decreased, Sender knows about congestion via RTO or 3 Dup Acks received, Size of Threshold is dropped to half
  • Tahoe
- If RTO occured, TCP Reacts Strongly
- Reduces cwnd back to 1 Segment, starts the slow start phase again
  • Reno
- If 3 Duplicate ACKs are received, TCP has a Weaker Reaction
- Starts the Congestion Avoidance phase
- This is called fast transmission and fast recovery

  • Both consider RTO and Duplicate ACKs as packet loss events.
  • Behavior of Tahoe and Reno differ primarily in how they react to duplicate ACKs.
Event Tahoe Reno
3 Dup Acks Performs a fast retransmit
Sets the slow start threshold to half of the current congestion window
Reduces the congestion window to 1 MSS
Resets to slow start state
Perform a fast retransmit
Skip the slow start phase by instead halving the congestion window
(instead of setting it to 1 MSS like Tahoe)
Setting the slow start threshold equal to the new congestion window
Enter a phase called fast recovery.
RTO (Ack time out) Slow start is used
Reduce congestion window to 1 MSS
Slow start is used
Reduce congestion window to 1 MSS
  • Silly Window Syndrome: Sender creates data slowly or Receiver consumes slowly or both.

Syndrome due to Sender:

- Nagle’s Algorithm: Send data initially, accumulate data in output buffer, Wait for Ack or till 1 MSS Data in Buffer

Syndrome due to Receiver:

- Clark’s Solution: Announce window size 0 till 1) enough space for 1 MSS in Buffer or Half Receive buffer is empty
- Delayed Acknowledgment: Segment not acknowledged immediately, Sender TCP does not slide its window, reduces traffic, sender may unnecessarily retransmit, Not delay more than 500 ms.


  • Persistence Timer
- Issue of Deadlock created by Lost Ack, used to reset Window size 0 advertized earlier, is resolved by this timer
- Sending TCP sends a special segment(1 byte of new data) called Probe, causes the receiving TCP to resend Ack
- If no reply, another probe is sent and value of persistence timer is doubled and reset 
- Sender continues sending probes, doubling, resetting value of persistence timer until it reaches a threshold(generally 60s)
- After that the sender sends one probe segment every 60s until the window is reopened

VPN Messages

  • Phase 1 - Main Mode
Cookie,Proposal List
Cookie,Accepted Proposal
DH Key,Nonce
DH Key,Nonce
ID,ID Hash
ID,ID Hash
  • Phase 1 - Aggressive Mode
ID,Proposal List,DH Key,Nonce
ID,Accepted Proposal,DH Key,Nonce,ID Hash
ID Hash




  • Phase 2 - Quick Mode
Ph1 Hash,Message ID,Proposal List,Nonce, DH Key,Proxy-ID 
Ph1 Hash,Message ID,Accepted Proposal,Nonce,DH Key,Proxy-ID 
Ph1 Hash,Message ID,Nonce 






HTTP

HTTP Error Codes
Category Type Code
1XX Informational 100 = Continue
2XX Successful 200 = OK
201 = Created (URL)
202 = Accepted (request accepted but not acted upon immediately)
203 = Non-authoritative Information(info in header is from local or third-party copy, not from original server)
204 = No Content (in body)
3XX Re-directional 301 = Moved Permanently
302 = Found (temporary redirect)
304 = Not Modified
305 = Use Proxy (URL must be accessed through the proxy mentioned in the Location header)
307 = Temporary Redirect (requested page has moved temporarily to a new url)
4XX Client Error 400 = Bad Request
401 = Unauthorized
402 = Payment Required
403 = Forbidden
404 = Not Found
405 = Method Not Allowed
5XX Server Error 500 = Internal Server Error
501 = Not Implememted
502 = Bad Gateway or Proxy
503 = Service Unavailable
504 = Gateway or Proxy Timeout
505 = HTTP Version Not Supported
HTTP1.0 vs HTTP1.1

HTTP/1.0:

  • Uses a new connection for each request/response exchange
  • Closed connections after every request.
  • Supports GET, POST, HEAD request methods

HTTP/1.1:

  • Connection may be used for one or more request/response exchanges
  • Uses persistent connections, save bandwidth & reduces latency as it does not require to do TCP Handshake again for every file download (like images, css, etc.)
  • HTTP Pipeline feature in which client sends multiple requests before waiting for each response.
  • Supports OPTIONS, PUT, DELETE, TRACE, CONNECT request methods


HTTP Request Methods
GET:       Retrieve Data
HEAD:      Header only without Response Body
POST:      Submits Data to DB, web forum, etc
PUT:       Replaces target resource with the uploaded content
DELETE:    Removes target resource given by URI
CONNECT:   Used when the client wants to establish a transparent connection to a remote host, usually to facilitate SSL-encrypted communication (HTTPS) through an HTTP proxy
OPTIONS:   Returns the HTTP methods that the server supports for the specified URL
TRACE:     Performs a message loop back test to see what (if any) changes or additions have been made by intermediate servers
PATCH:     Applies partial modifications to a resource.
PUT vs PATCH
PUT method only allows a complete replacement of a document. 
PATCH is used to make changes to part of the resource at a location.

Cookie

  • Session cookie
  • Persistent cookie
  • Secure cookie
  • Http-only cookie
  • Same-site cookie
  • Third-party cookie
  • Supercookie
Other uses
  • Zombie cookie

FTP

Active-Passive FTP.JPG

SSL Handshake

SSL Handshake.png
--> Client Hello
<-- Server Hello, Certificate, Server Hello Done
--> Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message(Finished)
<-- Change Cipher Spec, Encrypted Handshake Message(Finished)
--> Application Data(GET)
<-- Encrypted Handshake Message(Hello Request)


  1. Client sends the supported parameters
  2. Server chooses the parameters; Sends the certificate; And first half of the Diffie-Hellman key exchange
  3. Client sends the second half of the Diffie-Hellman exchange, Computes the session keys; Switches to encrypted communication
  4. Server computes the session keys; Switches to encrypted communication.

NetScaler

  • LB Methods:
Least Connection     = Service with fewest active connections
Round Robin          = Rotates a list of services
Least Response time  = Fewest active connections & lowest average response time
Least Bandwidth      = Service serving least amount of traffic measured in mbps
Least Packets        = Service that received fewest packets
Source IP Hash       =
Destination IP Hash  =
  • Persistence Methods:
SOURCE IP      =
COOKIE Insert  = Connections having same HTTP Cookie inserted by Set-Cookie directive from server belong to same persistence session.
SSL Session    = Connections having same SSL session ID
RULE           = All connection matching a user defined rule
URL Passive    = requests having same server ID(Hexadecimal of Server IP & Port) of service to which request is to be fwded
Dest IP        =
SRC IP DST IP  =
CALL ID        = Same Caller ID in SIP Header
  • What is Stateful & Stateless Persistence? Which one is more scalable/Efficient?
Stateless Session Persistence: Cookie inserted by ADC is more efficient because no need to create a table, NS will insert cookie & forget, with reply, it will read cookie value, decrypt it & fwd request.
State-full Session Persistence: Server will insert cookie, NS will hash it & fwd based on Hash value but will need to keep a table in memory with all hashes & IP Addresses.
Same is true for Source IP based Persistence, Also inefficient behind NAT
Using Set-cookie-header = by Server - insert Name & Value Fields
Client sends cookie in Cookie Header
Who ever generates cookie, will be able to read it

OSPF

  • States
Down  
Attempt
Init      Hello sent out all int
2-Way     Hello rcvd cont own RID in ngbr list
ExStart   Determine master slave
Exchange  Master sends DBD first, then Slave
Loading   Comp DBDs, send LSR for missing LSAs
Full      LSDB of ngbr are fully syncd
  • LSA Type
Type 1 - Router LSAs          Sent from router to other routers in the same area, has info reg router's int in the same area, int IPs, adjacent routers
Type 2 - Network LSAs         Generated by the DR on a multi access segment, similar to LSA Type 1
Type 3 - Network Summary LSA  Generated by ABRs, contain the subnets & costs 
Type 4 - ASBR summary LSA     Same as summary LSA except the destination advertised by ABR is ASBR, ABR in same area as the ASBR will originate the Type 4 LSA.
Type 5 - AS external LSA      Generated by ASBRs, Flooded throughout the AS to advertise a route external to OSPF
Type 7 - NSSA External LSA    Generated by the ASBR in an NSSA area, Converted into a type 5 LSA by the ABR when leaving the area
  • Packet Types
Type 1 - Hello 
Type 2 - Database Description (DBD) 
Type 3 - Link-State request (LSR) 
Type 4 - LSU (Contain LSAs)
Type 5 - LSAck
  • Neighbor Requirements:
Same area
Same authentication config
Same subnet
Same hello/dead interval
Matching stub flags
  • LSA Details
OSFF LSA 2.png
  • OSPF path selection: O > O*IA > O*E1 > O*E2.
  • “area range” summarize type 3 LSA’.
  • “summary-address” summarize type 5 & 7 LSA’s.
  • Auto-cost reference BW (Default = 100mb), formula = 100000000/Int-Bw.

BGP

  • Route Selection Criteria
Attribute Which is better Direction
Next Hop reachable Route cannot be used if next hop is unreachable
Weight Bigger
Local Preference Bigger
Locally Injected Locally injected is better than iBGP/eBGP learned
AS Path Length Smaller
Origin Prefer I over E & E over Unknown
MED Smaller
Neighbor Type Prefer eBGP over iBGP
IGP Metric to Next Hop Smaller



  • BGP States
Idle
Active         Attempting to connect
Connect        TCP session established
OpenSent       Open message sent
OpenConfirm    Response received
Established    Adjacency established
  • BGP Messages
Open
Update 
Keepalive       Sent every 60 seconds
Notification    Always indicate something is wrong


  • Directions
Aspath prepend:  Applied outwardly.
                 Impacts incoming path.
                 Shorter the as-path length higher the preference
                 As-path prepend is the way to add AS number to the list of subnet u want to advertise. 
                 This is a way to route poisoning. 
                 Tell the outside world not to follow the path.
Local preference:  Applied while the traffic coming inside.  
                   Impacts traffic while going out.  
                   Non transitive. 
                   Propagates within the same as-path.
                   Higher the local preference value higher the preference
MED:  Multiexitdescriptor
      When your router has connection with two other routers with same AS. 
      Let's say you have 2 subnets behind your router.  
      You can use MED value to mention which networks should be accessed through which links. 
      It is advertised outwards. 
      Impacts the incoming traffic. 
      Semi transitive. 
      Propagates to one AS.
      Lower the MED value higher the preference.
      MED should be used carefully as it reduces network resiliency.

VPN Monitor vs DPD vs IKE Heartbeat


VPN Monitor DPD IKE Heartbeat
Juniper Proprietary RFC Standard Juniper Proprietary
Work with Non Juniper Work with Non Juniper Cannot work with Non Juniper
Uses ICMP Uses ICMP(encrypted IKE Phase 1 message(R-U-THERE)) --
Goes inside the Phase 2 Tunnel Goes through Phase 1 Tunnel --
Implies VPN is UP Implies peer is up and responding Enhancement to detect tunnel availability
Works if supported by one peer only -- Both ends must support
Configured in Phase 2 Configured in Phase 1 Configured in Phase 1


SRX Architecture

First Path
Screens
Static NAT | Dest NAT
Route ==> Forwarding Lookup
Zones
Policy
Reverse Static NAT | Source NAT
Service ALG
Session
Fast Path
Screens
TCP
NAT
Service ALG




ScreenOS

  • ScreenOS Flow order
Sanity Check 
Screening
Session lookup 
Route Lookup 
Policy lookup
Session creation 
ARP lookup 
  • Route preference order
Policy Based Routing 
Source Interface Based Routing 
Source Routing 
Destination Routing 



  • NAT Preference order
Mapped IP 
Virtual IP 
Policy Based NAT (NAT-Src & NAT-Dst) 
Interface Based NAT 



SYN Flood Protection

Threshold = Proxy connections above this limit
If Syn-cookie is enabled, no sessions established between client & firewall or firewall & server directly
Alarm Threshold = Alarm/Alert (to log)
Queue Size = The number of proxied connections held in queue
After this the firewall starts rejecting new connection requests
Timeout Value is maximum time before a half-completed connection is dropped from the queue
The range is 0–50s; default is 20s

Flows

  • Complete Flow of PC opening a Website:
  1. Check NW config
  2. DHCP if not configured
  3. Check Domain name in Browser Cache
  4. Check Domain name in OS Cache
  5. Check if an entry exists in Hosts File
  6. If not Found in any cache, Prepare to send UDP DNS query to DNS Server
  7. If DNS Server configured is in same Network Check MAC address in ARP Table
  8. If not found, send ARP for MAC Address
  9. Forward DNS Query to DNS Server and wait for reply containing IP address of Website
  10. If DNS server configured is not in same subnet, check Gateway config(IP & MAC address)
  11. If MAC address not found in ARP Table, send ARP request
  12. After getting reply, fwd the DNS query to gateway
  13. After getting DNS response, start TCP 3-way handshake S-SA-A.
  14. Start SSL Handshake if SSL/TLS configured
  15. Send GET Request
  16. Client sends ACK [200 OK] & Body containing HTML Data
  17. If HTTP 1.0, Server sends FIN & CLoses connection
  18. Client send FIN-ACK
  19. Server sends Ack


  • Complete Flow of DNS Traffic
  1. Check NW config
  2. DHCP if not configured
  3. Check Domain name in Browser Cache
  4. Check Domain name in OS Cache
  5. Check if an entry exists in Hosts File
  6. If not Found in any cache, Prepare to send UDP DNS query to DNS Server
  7. If DNS Server configured is in same Network Check MAC address in ARP Table
  8. If not found, send ARP for MAC Address
  9. Forward DNS Query to DNS Server and wait for reply containing IP address of Website
  10. If DNS server configured is not in same subnet, check Gateway config(IP & MAC address)
  11. If MAC address not found in ARP Table, send ARP request
  12. After getting reply, fwd the DNS query to gateway
  13. DNS Server ??
  14. DNS Server ?? Iterative? Recursive? TLD? Authoritative
  15. DNS Server ??
  16. After getting DNS response, start TCP 3-way handshake S-SA-A.



  • Complete Flow of Traffic passing through below scenario:
[PC1]-----[Hub]-----[Switch]-----[Router]------[Router]------[PC2]
  1. Check NW config
  2. DHCP if not configured
  3. Check if PC2 in same Subnet(not in this scenario as routers present)
  4. If in Same Subnet, check if MAC address is there in ARP Table
  5. Else send ARP Request
  6. Once MAC address is known, directly send Packet to PC2
  7. If PC2 is in Different Subnet(True for above scenario), Check Gateway IP address & MAC address
  8. If MAC address is not known, send an ARP request.
  9. Hub is directly connected, will receive & Flood packet on all Ports.
  10. Switch will receive packet and check its CAM Table for the MAC to Port bindings
  11. If MAC entry is not found in CAM table, Switch will Flood the ARP packet on all ports.
  12. Other destinations will drop the ARP Request packet as they do not have the IP address requested in ARP Header.
  13. Only Router will accept the packet as it has the requested IP address matching its own MAC address.
  14. It will reply with an ARP Reply message.
  15. Switch will add an entry of this MAC address & port number in its CAM Table once the reply packet pass through it.
  16. Hub will flood the packet through all ports.
  17. ARP Reply will reach PC1, it will add entry to its ARP Table
  18. Then send a packet destined to PC2 with destintion MAC address as Router's Interface's MAC address received in ARP reply.


Linux

Linux Booting

Source: technochords.com

The following are the 6 high level stages of a typical Linux boot process:

  1. BIOS
  2. MBR
  3. GRUB
  4. Kernel
  5. Init
  6. Runlevel programs
BIOS(Basic Input/Output System) - loads and executes the MBR boot loader.
  • Performs some system integrity checks (POST-Power On Self Test)
  • Searches, loads, and executes the boot loader program.
  • It looks for boot loader in floppy, cd-rom, or hard drive.
  • You can press a key (typically F12 of F2, but it depends on your system) during the BIOS startup to change the boot sequence.
  • Once the boot loader program is detected and loaded into the memory, BIOS gives the control to it.
MBR (Master Boot Record) - loads and executes the GRUB boot loader.
  • It is located in the 1st sector of the bootable disk.
  • Typically /dev/hda, or /dev/sda
  • MBR is less than 512 bytes in size.
  • This has three components:
  1. primary boot loader info in 1st 446 bytes,
  2. partition table info in next 64 bytes(16,16,16,16) 4 partitions,
  3. magic numbers as mbr validation check in last 2 bytes.
  • It contains information about GRUB (or LILO in old systems).
GRUB (Grand Unified Bootloader) - loads and executes Kernel and initrd images.
  • It is a Multiboot boot loader.
  • If you have multiple kernel images installed on your system, you can choose which one to be executed.
  • GRUB displays a splash screen, waits for few seconds, if you don’t enter anything, it loads the default kernel image as specified in the grub configuration file.
  • GRUB has the knowledge of the filesystem (the older Linux loader LILO didn’t understand filesystem).
  • Grub configuration file is /boot/grub/grub.conf (/etc/grub.conf is a link to this).
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-194.el5PAE)
          root (hd0,0)
          kernel /boot/vmlinuz-2.6.18-194.el5PAE ro root=LABEL=/
          initrd /boot/initrd-2.6.18-194.el5PAE.img
  • As you notice from the above info, it contains kernel and initrd image.
Kernel
  • Once the control is given to kernel which is the central part of all your OS and act as a mediator between hardware and software.
  • Kernel once loaded into to RAM it always resides on RAM until the machine is shutdown.
  • Once the Kernel starts its operations the first thing it do is executing INIT process.
Init (initialization)
  • Looks at the /etc/inittab file to decide the Linux run level.
  • Following are the available run levels
0 – halt
1 – Single user mode
2 – Multiuser, without NFS
3 – Full multiuser mode
4 – unused
5 – X11
6 – reboot
  • Init identifies the default initlevel from /etc/inittab and uses that to load all appropriate program.
  • Execute ‘grep initdefault /etc/inittab’ on your system to identify the default run level
  • Typically you would set the default run level to either 3 or 5.
Runlevel programs
  • When the Linux system is booting up, you might see various services getting started.
  • For example, it might say “starting sendmail …. OK”.
  • Those are the runlevel programs, executed from the run level directory as defined by your run level.
  • Depending on your default init level setting, the system will execute the programs from one of the following directories.
Run level 0 – /etc/rc.d/rc0.d/
Run level 1 – /etc/rc.d/rc1.d/
Run level 2 – /etc/rc.d/rc2.d/
Run level 3 – /etc/rc.d/rc3.d/
Run level 4 – /etc/rc.d/rc4.d/
Run level 5 – /etc/rc.d/rc5.d/
Run level 6 – /etc/rc.d/rc6.d/
  • Please note that there are also symbolic links available for these directory under /etc directly.
  • So, /etc/rc0.d is linked to /etc/rc.d/rc0.d.
  • Under the /etc/rc.d/rc*.d/ directories, you would see programs that start with S and K.
  1. Programs starts with S are used during startup. S for startup.
  2. Programs starts with K are used during shutdown. K for kill.
  3. There are numbers right next to S and K in the program names.
  4. Those are the sequence number in which the programs should be started or killed.
  5. For example, S12syslog is to start the syslog deamon, which has the sequence number of 12.
  6. S80sendmail is to start the sendmail daemon, which has the sequence number of 80.
  7. So, syslog program will be started before sendmail.

Manually Boot using Grub

  • Locate where the vmlinuz and initrd.* files are located:
grub> ls
(hd0) (hd0,msdos5) (hd1) (hd1,msdos0)
  • Boot the system:
grub> linux (hd1,msdos1)/install/vmlinuz root=/dev/sdb1
grub> initrd (hd1,msdos1)/install/initrd.gz
grub> boot

File system layout

/           – The Root Directory
/bin        – Essential command binaries
/boot       – Boot loader files
/dev        – Device Files
/etc        – Configuration Files
/home       – Home Directory
/lib        – Essential Libraries
/lost+found – Recovering Files
/media      – Removable Media Devices
/mnt        – Temporarily mounted filesystems
/opt        – Optional software packages
/proc       – Kernel & Process Information
/root       – Root Home Directory
/sbin       – System binaries
/selinux    – Security-Enhanced Linux
/srv        – Service Data
/sys        – virtual filesystem
/tmp        – Temporary files
/usr        – binaries, documentation, source code, libraries
/var        – Variable Files


CURL

curl -I http://domain.com                                   Get HTTP header information
curl -i http://domain.com                                   Get HTTP header + Body information
curl -L http://domain.com                                   Handle URL redirects
curl -v http://domain.com                                   Debug level details 		 		
curl -x proxy.sr.com:3128 http://domain.com                 Using proxy to download a file  		
curl -k https://domain.com                                  Ignoring the ssl certificate warning   		
curl -A "Mozilla/5.0" http://domain.com                     Spoofing user agent:
curl -L -H "user-agent: Mozilla/5.0" https://aman.info.tm   Custom Headers
curl smtp://example.com:2525
curl ftp://example.com
curl example.com:21
curl example.com:7822                                         Troubleshooting SSH:   SSH-2.0-OpenSSH_5.3
time curl google.com
curl -i https://site1.lab.com --cert /root/ca/domains/ubnsrv01-cert.pem --key /root/ca/domains/ubnsrv01-key.pem 
curl -v -X OPTIONS https://site3.lab.com
curl -v -X TRACE https://site3.lab.com
curl --sslv2 https://yoururl.com
curl --tlsv1 https://yoururl.com
curl -H 'X-My-Custom-Header: 123' https://httpbin.org/get   Using httpbin tool; shows header info
curl -e google.com yoururl.com                                Referrer
curl --data "name=bool&last=word" https://httpbin.org/post  Post data
curl -X POST https://httpbin.org/post                       Empty Post Request
curl -H 'Host: aman.info.tm' 128.199.139.216                If Server using Virtual Hosting


Post Json Data

curl --data '{"email":"test@example.com", "name": ["Boolean", "World"]}' -H 'Content-Type: application/json' https://httpbin.org/post

Time Breakdown

curl https://www.booleanworld.com/ -sSo /dev/null -w 'namelookup:\t%{time_namelookup}\nconnect:\t%{time_connect}\nappconnect:\t%{time_appconnect}\npretransfer:\t%{time_pretransfer}\nredirect:\t%{time_redirect}\nstarttransfer:\t%{time_starttransfer}\ntotal:\t\t%{time_total}\n'

IPtables

iptables -L                           ==>  List rules
iptables -F                           ==>  Stop iptables
iptables -nvL                         ==>  Check Stats
iptables --flush MYCHAIN              ==>  Flush Chain
iptables -X MYCHAIN                   ==>  Delete Empty Chain
iptables -A INPUT -p tcp --dport ssh -j ACCEPT           ==>  Allow SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT            ==>  Allow incoming web traffic
iptables -A INPUT -j DROP                                ==>  Blocking Traffic
iptables -A INPUT -i ens160 -s 10.140.198.7  -j DROP     ==>  Blocking Traffic
iptables -I INPUT 1 -i lo -j ACCEPT                      ==>  Allow loopback
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7   ==> Logging


TCPDump

sudo tcpdump -s 0 -i ens160 host 10.1.1.1 -v -w /tmp/packet_capture.cap
sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and port 22 -v -w /tmp/packet_capture.cap
sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and port not 22 and port not 80 -v -w /tmp/packet_capture.cap
sudo tcpdump -s 0 -i ens160 host 10.1.1.1 and tcp port not 22 and tcp port not 80 -v -w /tmp/packet_capture.cap
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tcpdump -r $i '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445' ; echo -e "\n"; done


MTR

Provides the functionality of both the ping and traceroute commands.
Prints information about the entire route.
mtr google.com
mtr -g google.com           Display Numeric IP addresses
mtr -b google.com           Both hostnames and numeric IP addresses
mtr --tcp google.com        Use TCP SYN packets
mtr --udp google.com        UDP datagrams

Traceroute

traceroute 4.2.2.2             ==> Uses UDP 
traceroute -n 4.2.2.2          ==> Do not resolve hostnames  
sudo traceroute -nI 4.2.2.2    ==> Use ICMP Packets
sudo traceroute -nT 4.2.2.2    ==> Use TCP Syn (Port 80)

Netstat

netstat -s
netstat -a     Listing all ports (both TCP and UDP) 
netstat -at    Listing TCP Ports connections
netstat -au    Listing UDP Ports connections
netstat -l     Listing all LISTENING Connections
netstat -lt    Listing all TCP Listening Ports
netstat -s     Showing Statistics by Protocol
netstat -st    Showing Statistics by TCP Protocol
netstat -tp    Displaying Service name with PID
netstat -r     Displaying Kernel IP routing
netstat -anp
netstat -ant

PS

ps -aux                                              Display all processes in BSD format
ps -eo pid,ppid,user,cmd
ps -e --forest                                       Print Process Tree
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem | head
ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head

LS

Append a character to each file name indicating the file type:

ls -F or ls --classify
   *   Executable files
   /   Directories
   @   Symbolic links
   |   FIFOs
   =   Sockets
   >   Doors
   Nothing for Regular Files

List Symoblic Links:

ls -la
lrwxrwxrwx   1 root       root                    11 Sep 13 14:57 mounts -> self/mounts
dr-xr-xr-x   3 root       root                     0 Sep 13 14:57 mpt
-rw-r--r--   1 root       root                     0 Sep 13 14:57 mtrr

Redirect Stderr

0   stdin  – Use to get input (keyboard)
1   stdout – Use to write information (screen)    1>    >
2   stderr – Use to write error message (screen)  2> 

Redirect Stderr into Stdout:

2>&1
ls > file.log 2>&1  OR  ls &> file.log
ls > file.log 2> /dev/null

Sorting Algorithms

Quicksort is a good default choice. 
                It tends to be fast in practice
                with some small tweaks its dreaded O(n2)O(n^2)O(n2) worst-case time complexity becomes very unlikely. 
                A tried and true favorite.
Heapsort is a good choice if you can't tolerate a worst-case time complexity of O(n2)O(n^2)O(n2) or need low space costs. 
               The Linux kernel uses heapsort instead of quicksort for both of those reasons.
Merge sort is a good choice if you want a stable sorting algorithm.
                 can easily be extended to handle data sets that can't fit in RAM
                 where the bottleneck cost is reading and writing the input on disk, not comparing and swapping individual items.
Radix sort looks fast, with its O(n)O(n)O(n) worst-case time complexity. 
                 if you're using it to sort binary numbers, then there's a hidden constant factor that's usually 32 or 64 (depending on how many bits your numbers are).
                 That's often way bigger than O(lg⁡(n))O(\lg(n))O(lg(n)), meaning radix sort tends to be slow in practice.
Counting sort is a good choice in scenarios where there are small number of distinct values to be sorted. 
                    This is pretty rare in practice, and counting sort doesn't get much use.
  • Which sorting algorithm has best asymptotic run time complexity?