
Miscellaneous Network Hacks

Random Collection Of Network Hacks I Picked Up

3 min read · Sep 3, 2017

Private network file-sharing with python simple server

Share files between hosts on the same private network with Python's SimpleHTTPServer. On the host with the files, run `ifconfig` and grep for `en0` to find its private IP address on the network.

Find the private IP address of the hosting computer on the private network.

Now run the Python simple HTTP server in the directory with the files we want to share.

Every file in the `files_to_share` directory can be accessed by devices on the private network.

Now any other device on the private network can access these files by visiting 192.168.128.117:8000.

Fast file-sharing without email attachments or Dropbox.

Because the hosts are on the same private network, downloads should be much faster than email attachments or Dropbox.
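As an added example (not code from the original post), here is the same workflow as a small shell script: it extracts the `en0` IPv4 address from `ifconfig` output with awk, and starts the Python 3 equivalent of SimpleHTTPServer (`python3 -m http.server`) bound to that address only, so the listener is not also exposed on every other interface the machine has. The `ifconfig` text inside the block is a constructed sample, and the function names `lan_ip_from_ifconfig` and `share_dir` are mine.

```shell
#!/bin/sh
# Added example, not from the original post: find the LAN address and serve one
# directory over HTTP on that address only.

# Constructed sample of `ifconfig` output (macOS style; Linux ifconfig uses the
# same "name:" header line and indented "inet" line, so the parser works there too).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::1c2b:3d4e:5f60:7a8b%en0 prefixlen 64 secured scopeid 0x4
    inet 192.168.128.117 netmask 0xffffff00 broadcast 192.168.128.255
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255'

# Print the IPv4 address of one interface from ifconfig-style text.
# Usage: lan_ip_from_ifconfig "$(ifconfig)" en0
lan_ip_from_ifconfig() {
  printf '%s\n' "$1" | awk -v iface="$2" '
    BEGIN { target = iface ":" }
    /^[A-Za-z0-9]+:/ { in_iface = ($1 == target) }   # unindented line starts a new interface block
    in_iface && $1 == "inet" { print $2; exit }      # first IPv4 line inside the wanted block
  '
}

# Serve DIR on ADDR:PORT with Python 3's built-in server, bound to the LAN address
# rather than 0.0.0.0. Everything under DIR is readable by anyone on that network:
# there is no authentication and no TLS, so keep the directory dedicated to the
# files you mean to share. (--bind needs Python 3.4+, --directory needs 3.7+.)
share_dir() {
  dir=$1
  addr=$2
  port=${3:-8000}
  python3 -m http.server "$port" --bind "$addr" --directory "$dir"
}

# Offline demo on the constructed sample. On a real host:
#   share_dir ./files_to_share "$(lan_ip_from_ifconfig "$(ifconfig)" en0)" 8000
ip=$(lan_ip_from_ifconfig "$SAMPLE_IFCONFIG" en0)
echo "sample en0 address is $ip; would serve files at http://$ip:8000/"
```

Binding to the LAN address matters on a laptop that is also attached to a VPN or a second network: the default `python -m SimpleHTTPServer` listens on all interfaces, so the directory would be reachable from every one of them.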

See running network processes with `lsof`

`lsof` is a *nix command-line tool that lists open files and the processes that opened them. Those open files include disk files but also network sockets. The `-i` flag restricts the listing to open files that correspond to internet addresses, i.e. network sockets.

`lsof -i` shows the files opened by network processes. Here we display only some of the columns with an `awk` print statement and collapse duplicate lines with `uniq`.

We see that all the open files associated with networked processes belong to the Spotify application, and that it uses ports 4370 and 4380 for its networking.

You can also use `netstat` to get more or less the same information.
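The column-trimming with awk and uniq shown in the screenshot can be turned into a reusable check. The block below is an added example, not code from the post: `listeners` reduces `lsof -i` output to one line per listening socket, and `unexpected_listeners` flags any listening port that is not on a list you expect, which is the question a defender actually asks of this output. The `lsof` text is a constructed sample and both function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: reduce `lsof -i` output to
# "what is listening, and did I expect it?".

# Constructed sample of `lsof -i` output (not a real capture). Columns:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Spotify  4711 steven   42u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:4370 (LISTEN)
Spotify  4711 steven   43u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP *:4380 (LISTEN)
Spotify  4711 steven   44u  IPv4 0x1a2b3c4d5e6f7083      0t0  UDP *:57621
Spotify  4711 steven   51u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP 192.168.128.117:52344->203.0.113.10:https (ESTABLISHED)
python3  9023 steven    3u  IPv4 0x1a2b3c4d5e6f7085      0t0  TCP *:8000 (LISTEN)
python3  9023 steven    4u  IPv6 0x1a2b3c4d5e6f7086      0t0  TCP [::1]:8000 (LISTEN)'

# One line per listening socket: COMMAND PID PROTO PORT, duplicates collapsed.
# On a live box: listeners "$(lsof -i -P -n)"   (-P -n keep ports and hosts numeric)
listeners() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $10 == "(LISTEN)" {
      n = split($9, addr, ":")   # "*:4370" or "[::1]:8000": the port is the last piece
      print $1, $2, $8, addr[n]
    }' | sort -u
}

# Listening ports that are not on the space-separated allow-list you pass in.
unexpected_listeners() {
  listeners "$1" | awk -v allow=" $2 " 'index(allow, " " $4 " ") == 0'
}

echo "listening sockets in the sample:"
listeners "$SAMPLE_LSOF"
echo "not on the allow-list '4370 4380':"
unexpected_listeners "$SAMPLE_LSOF" "4370 4380"
```

Only `(LISTEN)` sockets are reported; the established Spotify connection and the UDP socket in the sample are ignored, which is what you want when the question is "what did this machine start accepting connections on?".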

See live network traffic with `tcpdump`

`tcpdump` shows live packets as they cross an interface. It's the command-line counterpart to Wireshark.

A web server is running on port 8080 and a request was made from the browser to localhost:8080. We can use `tcpdump` to inspect the raw HTTP request the server processes. The `-A` flag prints each packet's payload in ASCII. `-i lo0` captures on the loopback interface, i.e. localhost-to-localhost traffic, which is where our request to localhost:8080 travels; it would not be needed if a remote client made the request.

You can also restrict the capture to specific ports with a filter expression, e.g. `tcpdump -A 'port 80'`.

Inspect raw server HTTP responses with `telnet`

`telnet` is an ancient tool (1969) for logging into a remote host. It's the precursor to `ssh`. We can use it today to make requests to web servers and view the raw HTTP responses, among other things.

We use telnet to connect to a Google web server. Because it's an HTTP server, its port 80 should be open, hence the successful connection. We make a raw HTTP request by typing `GET / HTTP/1.1`, the command-line analog of opening your web browser and typing www.google.com in the address bar. We see the raw HTTP response from Google, which is what your browser sees before interpreting and parsing it into a UI-friendly web page.

Sending and listening for TCP and UDP connections with `nc`

`netcat` (`nc`) is a utility for sending to and listening on TCP/UDP connections. We can use `nc` to see raw HTTP requests and responses.

Use netcat to make a raw HTTP request to Google and see the raw HTTP response, similar to the previous telnet example. Note that we did not need to specify `Host: google.com` as a request header, since they probably aren't sharing their servers with other domains.

Use netcat to listen on port 3000 and make a request to localhost:3000 in the browser to see the raw HTTP request.
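Both the telnet session and the first netcat session type the same thing: a request line, optional headers, and an empty line, each terminated by CRLF. The block below is an added example (not the post's code) that builds that request with the line endings spelled out, sends it through `nc` (the `raw_get` function), and parses the status and headers out of a raw response. The response inside the block is a constructed sample, not a captured Google reply, and the function names are mine. It includes the `Host` header because HTTP/1.1 requires it (RFC 7230 section 5.4), even though, as noted above, Google answered without one.

```shell
#!/bin/sh
# Added example, not from the original post: the raw HTTP/1.1 exchange that the
# telnet/nc sessions perform by hand, with explicit CRLF line endings.

# Build a minimal GET. The request line and every header end in CRLF, and an
# empty line ends the header block; that empty line is what the server waits
# for. Host is mandatory in HTTP/1.1; "Connection: close" tells the server to
# hang up after the response so an interactive session does not sit waiting.
raw_get_request() {
  host=$1
  path=${2:-/}
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
}

# Send the request with nc and print the raw response. -w 5 is a 5 s timeout;
# this is cleartext only, so it is for plain-http (port 80) endpoints.
# Usage: raw_get www.example.com 80 /
raw_get() {
  raw_get_request "$1" "${3:-/}" | nc -w 5 "$1" "${2:-80}"
}

# Status code from a raw response ("HTTP/1.1 301 Moved Permanently" -> 301).
http_status() {
  printf '%s\n' "$1" | awk 'NR == 1 { sub(/\r$/, ""); print $2; exit }'
}

# Value of one response header, matched case-insensitively, taken from the
# header block only (everything before the first empty line).
http_header() {
  printf '%s\n' "$1" | awk -v want="$2" '
    { sub(/\r$/, "") }                    # drop the CR of each CRLF
    /^$/ { exit }                         # empty line: end of headers
    NR > 1 {
      i = index($0, ":")                  # split on the first colon only,
      name = substr($0, 1, i - 1)         # so URLs in the value survive
      value = substr($0, i + 1)
      sub(/^[ \t]+/, "", value)
      if (tolower(name) == tolower(want)) { print value; exit }
    }'
}

# Constructed sample response (not a captured reply), as nc would print it.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.example.com/\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 50\r\n\r\n<HTML><HEAD><TITLE>301 Moved</TITLE></HEAD></HTML>')

echo "bytes of the request for www.example.com (note the \\r \\n pairs):"
raw_get_request www.example.com / | od -c | head -n 5
echo "sample response: status $(http_status "$SAMPLE_RESPONSE"), Location $(http_header "$SAMPLE_RESPONSE" location)"
```

Plain telnet and nc only speak cleartext, so this works for http on port 80; for an https endpoint the equivalent interactive session is `openssl s_client -connect host:443`, after which the same request text is typed.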

Hackers can also use nc to scan for ports. nmap is another port-scanning tool.

The `-z` option means netcat will check for daemons listening on these ports without sending any data to them (i.e. nothing shows up in the server logs). `1–80` is a range of ports to scan, but we can also supply just a single port.

Testing APIs With Curl

You’re building an API but the client hasn’t been developed yet. You can still use curl to sanity-check your API.

A GET request with authorization headers using the -H flag. The -v flag stands for verbose, since why not.

curl -v \
-H "Accept: application/json" \
-H "Cookie: remember_user_token=MxaQFJIiIkMmEkMTAkU1czUVVaMlN" \
-H "App-Client-Id: Whitelisted-App-123" \
localhost:13000/api/teemo/shrooms

A POST request. Note that `-d` stands for data; supplying it automatically makes this a POST request.

curl \
-d "name=Teemo&weapon=shrooms" \
localhost:13000/api/champions

However, we can be explicit that it's a POST request by using the `-X` flag, which can also be used to specify HEAD, PUT or DELETE requests. Here is a POST request with a JSON payload.

curl \
-H "Content-Type: application/json" \
-X POST \
-d '{"name":"Teemo", "weapon":"shrooms"}' \
localhost:13000/api/champions

We’re basically using the command-line version of Postman, except more L33T.

Written by Steven Li

Writing About Rails, React, Web Application Technology, Databases, and Software Engineering