Process and network connection monitoring

Process and Network Monitoring (Linux)

I use this to monitor established connections on a machine whether my Kali, target machine or pivot machine.
This is to know new/established connections as well as lost ones
It will also let me know if certain traffic/connections is coming other people on the box (In case of CTF boxes)
I consider this improper and there are much better and more efficient ways of doing this

Connection check to VPN or network

Simple way that can be done in most Linux OS (ICMP)

Uses nping (from nmap) for TCP Ping

To know if you have:

been blocked by WAF, IPS, NAC
been disconnected from your VPN (i.e. ovpn)
oversaturated your connection (Lessen your threads)
TCP Ping for second verification or if host does not respond to ICMP

Make sure to change:

$hostORdomain
$destPort

Bash

cd ~
echo 'alias con_check_icmp="ping $hostORdomain |cut -d \"=\" -f 2,4"' >> .bashrc
echo "alias con_check_tcp=\"sudo nping --tcp --delay 1s -c 0 -H -p $destPort $hostORdomain | awk '/mss/ {print \\\$7,\\\$10,\\\$13,\\\$14}'\"" >> .bashrc
source .bashrc

ZSH

cd ~
echo 'alias con_check_icmp="ping $hostORdomain |cut -d \"=\" -f 2,4"' >> .zshrc
echo "alias con_check_tcp=\"sudo nping --tcp --delay 1s -c 0 -H -p $destPort $hostORdomain | awk '/mss/ {print \\\$7,\\\$10,\\\$13,\\\$14}'\"" >> .zshrc
source .zshrc

To Execute

# For ICMP
con_check_icmp
# For TCP
con_check_tcp
# On terminator "Watch for silence"

Monitor Network

Monitor newly opened/lost/closed connections

while true; do sleep 1 && sudo netstat -punt > /dev/shm/current && diff --old-line-format="[+] %L" --new-line-format="[-] %L" --unchanged-line-format="" /dev/shm/current /dev/shm/before;mv /dev/shm/current /dev/shm/before;done

Monitor if there are new listening connections
- Only difference is in the netstat command

while true; do sleep 1 && sudo netstat -plunt > /dev/shm/current && diff --old-line-format="[+] %L" --new-line-format="[-] %L" --unchanged-line-format="" /dev/shm/current /dev/shm/before;mv /dev/shm/current /dev/shm/before;done

* Remove known processes you do not want to see * Difference is the grep command after netstat. Make sure to change the s

while true; do sleep 1 && sudo netstat -punt|grep -v -e <PID> -e <PID> -e <PID> > /dev/shm/current && diff --old-line-format="[+] %L" --new-line-format="[-] %L" --unchanged-line-format="" /dev/shm/current /dev/shm/before;mv /dev/shm/current /dev/shm/before;done

Monitor new processes

journalctl -f

Tip

Use Terminator and its plugin InactivityWatch to watch if it stops pinging