Commands Flashcards
netstat
-a all active connections and listening ports
-b show the executable that opened each connection (Windows; needs an elevated prompt)
-n do not resolve names (numeric IPs and ports only; faster, and sends no DNS queries)
-r show the routing table
shows network status and protocol statistics: TCP and UDP endpoints in table form, routing table information, and interface information. On modern Linux, ss (e.g. ss -tunap) is the replacement.
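Added example (not part of the flashcards): triage a `netstat -ant` style listing for listeners exposed on every interface and for established sessions to external peers. The netstat text below is constructed, with documentation ranges standing in for Internet hosts, and the "internal" ranges are an assumption.

```python
"""Triage a `netstat -ant` style listing (constructed sample, not a real host)."""
import ipaddress

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 10.0.0.5:50122          203.0.113.7:443         ESTABLISHED
tcp        0      0 10.0.0.5:50123          10.0.0.9:22             ESTABLISHED
tcp        0      0 10.0.0.5:50124          198.51.100.20:4444      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# RFC 1918 plus loopback (assumed "internal"). ipaddress.is_private would also
# count the documentation ranges as private, so a hand-made list is used.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def split_endpoint(endpoint):
    """'host:port' -> (host, port); netstat prints ':::80' for the IPv6 any-address."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))

def parse_netstat(text):
    """One dict per socket line; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        lhost, lport = split_endpoint(fields[3])
        rhost, rport = split_endpoint(fields[4])
        state = fields[5] if len(fields) > 5 else ""   # UDP lines have no State column
        rows.append({"proto": fields[0], "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state})
    return rows

def exposed_listeners(rows):
    """Listeners bound to 0.0.0.0 or :: are reachable from the network;
    127.0.0.1 binds are local only and are not reported."""
    return sorted((r["proto"], r["lport"]) for r in rows
                  if r["state"] == "LISTEN" and r["lhost"] in ("0.0.0.0", "::"))

def external_sessions(rows):
    """ESTABLISHED sessions whose peer is outside the internal ranges."""
    found = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(r["rhost"])
        if not any(peer in net for net in INTERNAL_NETS):
            found.append((r["rhost"], r["rport"]))
    return found

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("exposed listeners:", exposed_listeners(rows))
    print("external sessions:", external_sessions(rows))
```

Run it on real output with `netstat -ant | python3 triage.py` after swapping the sample for `sys.stdin.read()`; the point of `-n` is that the parser never has to deal with resolved names.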
traceroute/tracert
trace the path packets take from this host to a destination, one hop at a time
Uses TTL and ICMP: each probe is sent with an increasing TTL (1, 2, 3, ...); the router where the TTL reaches zero replies with ICMP Time Exceeded, which reveals that hop. Windows tracert probes with ICMP Echo; Linux traceroute uses UDP by default (-I for ICMP). Hops that filter ICMP show up as * * *
pathping
Windows; combines traceroute and ping
first traces the route, then pings every hop for a period of time and reports per-hop packet loss and latency, which is more accurate than traceroute's single round of probes
arp -a
IP address to MAC address mappings for hosts on the local segment that are currently in the local ARP cache (only hosts this machine has recently talked to)
one MAC listed for several IPs, or a changed MAC for the default gateway, is a classic sign of ARP spoofing/poisoning
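Added example (not part of the flashcards): parse `arp -a` output and flag the two ARP-spoofing indicators, a MAC that answers for several IPs and a gateway MAC that no longer matches a recorded baseline. The parser accepts the Linux form ("host (10.0.0.1) at 00:11:... [ether] on eth0") and the Windows form ("10.0.0.1  00-11-...  dynamic"). The sample table and the baseline gateway MAC are constructed.

```python
"""ARP-spoofing indicators from `arp -a` output (constructed sample data)."""
import re
from collections import defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
ENTRY = re.compile(IPV4 + r".*?" + MAC)      # an IP followed (eventually) by a MAC

SAMPLE_ARP = """\
_gateway (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.9) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (10.0.0.23) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.40) at aa:bb:cc:dd:ee:40 [ether] on eth0
"""

GATEWAY_IP = "10.0.0.1"
# Assumed baseline: the router's real MAC, recorded earlier from its label or the switch CAM table.
KNOWN_GATEWAY_MAC = "d4:01:29:aa:bb:01"

def normalise_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Return {ip: mac}; lines without an IP/MAC pair (headers, incomplete entries) are ignored."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group(1)] = normalise_mac(m.group(2))
    return table

def shared_macs(table):
    """MACs that answer for more than one IP. Legitimate on a router doing proxy ARP;
    otherwise a strong hint that one host is impersonating others."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_mac_changed(table, gateway_ip, known_mac):
    """True when the cached gateway MAC differs from the recorded baseline."""
    current = table.get(gateway_ip)
    return current is not None and current != normalise_mac(known_mac)

if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    print("shared MACs:", shared_macs(table))
    print("gateway MAC changed:", gateway_mac_changed(table, GATEWAY_IP, KNOWN_GATEWAY_MAC))
```

The cache only contains hosts this machine has recently exchanged traffic with, so an empty result is not proof of a clean segment; a baseline MAC for the gateway is what makes the second check meaningful.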
dig/nslookup
query DNS servers for records (A, AAAA, MX, NS, TXT, ...)
map names to IP addresses and back (dig gives more detail: full answer and authority sections, TTLs, and which server answered)
route print/netstat -r
view the device's routing table (route print on Windows; netstat -r or ip route on Linux)
Find out which way packets will go: the most specific (longest prefix) matching route wins, and the default route (0.0.0.0/0) is used only when nothing else matches
allows you to make manual entries in the routing table with route add (and remove them with route delete)
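Added example (not part of the flashcards): parse a `netstat -rn` / `route -n` style table and resolve which route a destination takes using longest-prefix match, then add a manual entry the way `route add` does and watch it override the default route. The routing table is constructed.

```python
"""Which way will the packet go? Longest-prefix lookup over a constructed routing table."""
import ipaddress

SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.0.0       10.0.0.254      255.255.0.0     UG        0 0          0 eth0
10.10.5.0       10.0.0.253      255.255.255.0   UG        0 0          0 eth0
192.168.56.0    0.0.0.0         255.255.255.0   U         0 0          0 vboxnet0
"""

def parse_routes(text):
    """Return a list of (network, gateway, iface); non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        except ValueError:          # the header line: "Destination/Genmask" is not a network
            continue
        routes.append((net, f[1], f[7]))
    return routes

def add_route(routes, destination, netmask, gateway, iface):
    """Equivalent of `route add <dest> mask <mask> <gw>` (Windows) or
    `route add -net <dest> netmask <mask> gw <gw>` (Linux)."""
    routes.append((ipaddress.ip_network(f"{destination}/{netmask}", strict=False), gateway, iface))

def lookup(routes, destination):
    """Longest-prefix match: among routes containing the address, the longest mask
    wins; 0.0.0.0/0 contains everything, so it only wins when nothing else matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None                 # no default route: the destination is unroutable
    net, gw, iface = best
    return {"route": str(net), "via": None if gw == "0.0.0.0" else gw, "iface": iface}

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("10.0.0.42", "10.10.9.1", "10.10.5.77", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    # A /32 host route beats the default: one destination changes path, everything else looks normal.
    add_route(table, "203.0.113.53", "255.255.255.255", "10.0.0.66", "eth0")
    print("203.0.113.53 ->", lookup(table, "203.0.113.53"))
```

A "via" of None means the network is directly connected (gateway 0.0.0.0 in the table), so the host ARPs for the destination itself instead of for a router.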
hping
ping that can send almost anything
can craft TCP, UDP, ICMP and raw IP packets and set the ports, flags, TTL, source address and payload
Easy to accidentally flood a target (--flood) and cause a DoS; use only against systems you are authorized to test
used to send large volumes of TCP traffic at a target while spoofing the source IP address, making it appear random (--rand-source) or originate from a specific user-defined source (-a)
nmap
learn about network devices
port scan to identify open ports
OS detection (-O) and service/version detection (-sV) to discover what is running on a device without logging in
Can run additional scripts with the Nmap Scripting Engine (NSE, --script)
scanless
runs a port scan from a different host: it submits the scan to public online port-scanning websites, so the target sees their address rather than yours (like scanning through a proxy)
dnsenum
finds host names in DNS for a domain (name servers, MX records, subdomains via wordlist brute force, zone transfer attempts)
also does reverse lookups on the discovered IP ranges to find all hostnames associated with those addresses
Cuckoo
automated malware analysis: runs a file in an isolated virtual machine (sandbox)
records the file's behaviour (processes, files, registry, network traffic) to evaluate whether it is malware
Nessus
Industry leader in vulnerability scanning
(application with a web interface, not a command-line tool)
Reports discovered vulnerabilities with severity scores and suggested resolutions
Wireshark
Graphical packet analyzer
Captures network traffic and stores it (pcap/pcapng) for offline analysis; display filters narrow the capture down
Captures Ethernet, Bluetooth, wireless (IEEE 802.11), etc.
tcpdump
Displays packets on screen as they are captured
command-line version of Wireshark (same libpcap capture filters); -w saves a capture file that Wireshark can open
tcpreplay
replays previously captured packets (pcap) onto a network interface
useful to check whether security controls (IDS/IPS, firewall rules) would catch particular packets
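Added example covering the three capture cards above (Wireshark, tcpdump, tcpreplay); it is not code from the flashcards or from those projects. It builds a tiny classic pcap from constructed Ethernet/IPv4/TCP frames (checksums left at zero), reads it back the way a capture tool does, prints tcpdump-style one-liners, and runs one toy detection rule over it, which is what you would test for real by replaying the file with tcpreplay in front of an IDS. The watched port and the frames are assumptions.

```python
"""Minimal classic-pcap reader with tcpdump-style output and a toy detection rule."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
# tcpdump's flag letters, in the order it prints them
TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))

def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet + IPv4 + TCP header with no payload (constructed test data, zero checksums)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp

def write_pcap(frames):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec, usec = divmod(int(round(ts * 1_000_000)), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap in either byte order.
    pcapng (Wireshark's default save format) begins with 0x0A0D0D0A and is not handled."""
    for endian in ("<", ">"):
        if data[:4] == struct.pack(endian + "I", PCAP_MAGIC):
            break
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record")      # capture was cut off mid-packet
        off += incl_len
        yield sec + usec / 1_000_000, frame

def decode(frame):
    """Ethernet -> IPv4 -> TCP header fields; None for anything that is not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "sport": sport, "dport": dport, "flags": flags, "ttl": ttl}

def tcpdump_line(pkt):
    flags = "".join(name for bit, name in TCP_FLAGS if pkt["flags"] & bit) or "none"
    return f"IP {pkt['src']}.{pkt['sport']} > {pkt['dst']}.{pkt['dport']}: Flags [{flags}]"

def summarize(data):
    lines = []
    for _, frame in read_pcap(data):
        pkt = decode(frame)
        if pkt:
            lines.append(tcpdump_line(pkt))
    return lines

def syn_to_watched_ports(data, ports):
    """Toy IDS rule: a SYN (without ACK) toward a port policy says nobody should contact."""
    hits = []
    for _, frame in read_pcap(data):
        p = decode(frame)
        if p and p["flags"] & 0x02 and not p["flags"] & 0x10 and p["dport"] in ports:
            hits.append((p["src"], p["dst"], p["dport"]))
    return hits

# Constructed capture: the start of an HTTPS handshake, then a SYN to port 4444.
SAMPLE_PCAP = write_pcap([
    (1.0, tcp_frame("10.0.0.5", "203.0.113.7", 50122, 443, 0x02)),
    (1.5, tcp_frame("203.0.113.7", "10.0.0.5", 443, 50122, 0x12)),
    (2.25, tcp_frame("10.0.0.5", "10.0.0.9", 50124, 4444, 0x02)),
])

if __name__ == "__main__":
    for line in summarize(SAMPLE_PCAP):
        print(line)
    print("alerts:", syn_to_watched_ports(SAMPLE_PCAP, {4444}))
```

Feed a real `tcpdump -w out.pcap` file to `read_pcap` and the same functions apply; a file saved by Wireshark must be exported as "pcap" rather than the default pcapng for this reader.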
dd
Linux/Unix
creates a bit-by-bit copy of a drive, partition or file (e.g. dd if=/dev/sdb of=disk.img bs=4M); not for directories, which are copied with tar or rsync
hash the source and the image (sha256sum) and use a write blocker so the evidence is provably unchanged
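Added example (not part of the flashcards): a dd-style block copy with the verification step a forensic examiner wants, hashing the source stream during the copy and then re-hashing source and image independently, with a short image detected as a failure. A temporary file with constructed contents stands in for the device; the block size is an assumption.

```python
"""Byte-for-byte imaging with hash verification (constructed source, no real device)."""
import hashlib
import os
import tempfile

def sha256_of_file(path, block_size=4 * 1024 * 1024):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()

def image_device(src_path, dst_path, block_size=4 * 1024 * 1024):
    """Like `dd if=src of=dst bs=4M`, hashing the source stream as it is read.
    Returns (bytes copied, sha256 of the stream)."""
    h = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())      # the image must really be on disk before it is hashed
    return copied, h.hexdigest()

def verify_image(src_path, dst_path, expected_bytes, stream_hash):
    """Re-read both files independently: sizes must match the byte count and the
    source hash, image hash and stream hash must all agree (like a second sha256sum run)."""
    size_ok = os.path.getsize(src_path) == expected_bytes == os.path.getsize(dst_path)
    src_hash = sha256_of_file(src_path)
    img_hash = sha256_of_file(dst_path)
    return {"size_ok": size_ok, "source_sha256": src_hash, "image_sha256": img_hash,
            "verified": size_ok and src_hash == img_hash == stream_hash}

def demo(size=3 * 1024 * 1024 + 17, truncate=0):
    """Image a constructed 'device' (repeating byte pattern, odd length so the last
    block is partial). truncate=N chops N bytes off the image to simulate a short write."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "fake_device")
        img = os.path.join(tmp, "evidence.dd")
        pattern = bytes(range(256))
        with open(src, "wb") as f:
            f.write((pattern * (size // 256 + 1))[:size])
        copied, stream_hash = image_device(src, img, block_size=1024 * 1024)
        if truncate:
            with open(img, "r+b") as f:
                f.truncate(copied - truncate)
        report = verify_image(src, img, copied, stream_hash)
        report["bytes"] = copied
        return report

if __name__ == "__main__":
    print(demo())
    print(demo(truncate=1))
```

On a real drive the source is hashed before and after imaging as well, because a matching image hash proves nothing if the source itself was written to during acquisition; that is what the write blocker is for.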
memdump
dumps the contents of physical memory (RAM) to a file or stdout for forensic analysis (running processes, keys, network state that never touch the disk)
WinHex
hex editor for Windows: view and edit files, disks and RAM in hexadecimal
useful for disk cloning, data recovery and secure disk wiping
FTK Imager
Windows forensic imaging tool (AccessData): creates bit-level images of drives (raw/dd, E01) and previews files on a drive without modifying the source
Autopsy
open-source digital forensics platform (GUI front end for The Sleuth Kit)
view and recover data from storage devices and disk images (deleted files, timelines, keyword search)
MITRE (ATT&CK)
Framework and knowledge base of adversary tactics and techniques observed in real attacks
for each technique gives the tactic it serves, examples of use, detection ideas and mitigations
Diamond model
Diamond Model of Intrusion Analysis, developed for the US government (DoD)
Used after an attack: each event is described by four vertices (adversary, capability, infrastructure, victim) to identify the parts of the attack and how to prevent it in the future
Cyber Kill Chain
Lockheed Martin model that defines the phases of a cyber attack from the attacker's point of view
reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives; breaking any link stops the attack
Logs
Network, System, Application, Security, Web, DNS, Authentication, Dump files, VoIP and call managers, SIP traffic
Network- events from network devices (updates, auth issues, link changes, etc.)
System- OS events: service starts and stops, auth details, application monitoring, file changes; high volume, usually needs filtering
Application- specific to the application
Security- blocked and allowed traffic flows, exploit attempts, blocked URLs, DNS sinkhole traffic, events from security devices
Web- web server and web application firewall info: client IP addresses, auth issues, server activity, attacks on the application
DNS- queries with client IP address and hostname; useful to spot lookups of known malware sites
Authentication- who logged in, who failed to, and from where; repeated failures followed by a success from the same source is a classic brute-force indicator
Dump files- memory and application crash dumps; binary, read with a debugger or memory-analysis tool rather than a text viewer
VoIP- inbound and outbound call info, auth, audit trail
Session Initiation Protocol (SIP)- setup and teardown of VoIP calls, inbound and outbound; alert on unusual numbers or country codes (toll fraud)
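Added example (not part of the flashcards): two detections over constructed log lines, the brute-force pattern the Authentication card describes (repeated failures, then a success from the same source) run over sshd-style syslog lines, and the unusual-country-code alert the SIP/VoIP cards describe run over a call-manager export. The log lines, thresholds, call-export format and country-code allowlist are all assumptions to tune for a real environment.

```python
"""Brute-force and toll-fraud detections over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_LOG = """\
Jan 10 03:14:01 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.20 port 51022 ssh2
Jan 10 03:14:03 bastion sshd[2102]: Failed password for root from 198.51.100.20 port 51023 ssh2
Jan 10 03:14:04 bastion sshd[2103]: Failed password for root from 198.51.100.20 port 51024 ssh2
Jan 10 03:14:06 bastion sshd[2104]: Failed password for root from 198.51.100.20 port 51025 ssh2
Jan 10 03:14:09 bastion sshd[2105]: Accepted publickey for deploy from 10.0.0.9 port 40211 ssh2
Jan 10 03:20:45 bastion sshd[2110]: Failed password for root from 203.0.113.7 port 31000 ssh2
Jan 10 03:31:01 bastion sshd[2111]: Accepted password for root from 198.51.100.20 port 51030 ssh2
"""

AUTH_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
                     r"from (?P<src>\S+) port \d+")

def parse_auth(text, year=2024):
    """Syslog lines carry no year, so one is supplied to make timestamps comparable."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def brute_force_sources(events, threshold=4, window=timedelta(minutes=5)):
    """Sources with >= threshold failures inside a sliding window.
    Returns {src: time of the failure that crossed the threshold}."""
    failures = defaultdict(list)
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "Failed":
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window] + [e["ts"]]
        failures[e["src"]] = recent
        if len(recent) >= threshold and e["src"] not in alerts:
            alerts[e["src"]] = e["ts"]
    return alerts

def success_after_brute_force(events, **kw):
    """Higher-severity signal: a successful login from a source already flagged
    for brute forcing, after the flag was raised (the guessing probably worked)."""
    flagged = brute_force_sources(events, **kw)
    return [(e["src"], e["user"], e["ts"]) for e in events
            if e["result"] == "Accepted" and e["src"] in flagged and e["ts"] >= flagged[e["src"]]]

# Constructed call-manager export: time, extension, dialled number (E.164), seconds
CALL_LOG = """\
2024-01-10T03:15:00,2001,+15551230100,120
2024-01-10T03:16:30,2001,+442071234567,45
2024-01-10T03:17:10,2001,+2331234567890,610
2024-01-10T03:18:00,2003,+15551230199,10
2024-01-10T03:19:00,2003,+881612345678,30
"""
ALLOWED_COUNTRY_CODES = {"1", "44"}   # assumption: the business only calls +1 and +44 numbers

def country_code(number, known=ALLOWED_COUNTRY_CODES):
    """E.164 country codes are 1 to 3 digits: try the longest known prefix first;
    for an unknown code return the first three digits so the alert shows the prefix."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in known:
            return digits[:length]
    return digits[:3]

def unusual_calls(text, allowed=ALLOWED_COUNTRY_CODES):
    """Outbound calls whose country code is not on the allowlist."""
    hits = []
    for line in text.splitlines():
        _ts, ext, number, _secs = line.split(",")
        cc = country_code(number, allowed)
        if cc not in allowed:
            hits.append((ext, number, cc))
    return hits

if __name__ == "__main__":
    events = parse_auth(AUTH_LOG)
    print("brute force:", brute_force_sources(events))
    print("success after brute force:", success_after_brute_force(events))
    print("unusual calls:", unusual_calls(CALL_LOG))
```

The single failure from 203.0.113.7 stays below the threshold, which is the point of the window: one typo is noise, four failures in five seconds followed by an accepted password for root is an incident.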