Network Tools Flashcards
The purpose of this lesson is to introduce some of the basic command-line tools used for networking and how to use these both as troubleshooting tools and how to use them in the context of cybersecurity. Helpful commands for both Windows and Linux will be highlighted, although only examples for the Linux commands will be shown.
Command Line Tools: IP and ipconfig
IP and ipconfig
The ip command on Linux, or ipconfig on Windows, is a command-line tool that shows the current network configuration of the device you are on. This includes information such as the device's current private IP address, the gateway address, and the DNS server. This tool is often used when a system is having connectivity issues and is a good place to start diagnosing them.
Some common examples of IP commands include:
ip a - Shows the IP addresses on the device
ip r list - Displays the current routing table on the device
ip link set dev [Device Name] [up|down] - Sets the named network interface to either up (enabled) or down (disabled)
Command Line Tools: Tracert and Traceroute
Traceroute and Tracert
Traceroute, or tracert on Windows, is a command-line tool that allows you to see the path that network packets take when going from one host to another. This tool is often used to troubleshoot routing issues between two systems.
Some common examples of traceroute commands include:
traceroute [url] - Runs the basic traceroute to see the path it takes to get to a specified address
traceroute [url] -p [port number] - Allows the trace to be run with a specific port
Command Line Tools: Dig and Nslookup
Dig and Nslookup
Dig, or nslookup on Windows (and Linux), is a command-line tool used to query DNS servers for information about a specific domain. This tool is often helpful when you need to quickly look up the IP address of a malicious domain or find out which mail server a domain routes its email through.
Some common examples of dig commands include:
dig [domain name] - Queries the DNS server for the A record for the specified domain
dig [domain name] MX - Queries the DNS server for mail (MX) records for the specified domain
dig [domain name] ANY +nocomments +noauthority +noadditional +nostats - Queries the DNS server for all DNS records for the specified domain and removes the extra information provided by dig
Network Tools: Netstat
Netstat
Netstat is a Linux and Windows command-line tool that shows the TCP and UDP connections on your host system. It is often used for application troubleshooting, or, if a computer is suspected of containing malware, to see whether the system has open connections to remote servers, which could be a sign that it is being controlled by a C2 server.
Some common examples of netstat commands include:
netstat -a - Displays all of the current connections and listening ports on the system
netstat -a -b (Windows) - Displays all of the current connections and listening ports on the system, along with the executable responsible for each
netstat -s -p tcp -f (Windows) - Displays the statistics for all connections using TCP and shows remote addresses as fully qualified domain names (FQDN)
Tool: Nmap
Nmap, or Network Mapper, is most often the tool of choice for performing Network Discovery. It is capable of revealing ports, discovering devices on a network, revealing running services, identifying operating systems, and many other functions. All of these capabilities make Nmap an effective, easy-to-use, and versatile tool. Nmap is an open-source tool that comes pre-installed on the Kali operating system, among various other Linux distributions. However, there are also Windows, Mac OS, and other operating system versions on their website.
The syntax for Nmap commands is fairly simple: nmap [Scan Type] [Options] {target specification}
There are multiple options that you can use with the Nmap tool.
If you would like more information on different commands, you can use these Nmap cheatsheets from SANS and StationX.
Nmap also has scripting capabilities through the Nmap Scripting Engine (NSE). This allows quick and easy scripting so that tasks such as network discovery, version detection, vulnerability detection, backdoor detection, and vulnerability exploitation can be carried out more efficiently. However, the NSE is out of scope for this lesson and BTL1; if you would like to learn more about NSE, you can go to its official chapter on the Nmap website.
Port Scanning Example
To demonstrate how ports and services function, we have conducted a port scan against “scanme.nmap.org”. It is important to mention that you should not scan any website or IP address unless you have express permission to do so. The founders behind Nmap have stated that you are legally allowed to scan “scanme.nmap.org”, so feel free to practice against this site.
For this example, we used the following Nmap command to conduct a TCP Connect scan on scanme.nmap.org: nmap -v -sT -sV scanme.nmap.org
In the Network Fundamentals lesson we covered the TCP three-way handshake. In this case, we send a SYN packet to ports on the web server (step 1), the server sends us back SYN-ACK packets (step 2), and then we send an ACK packet (step 3), allowing us to connect and perform “banner grabbing”, the process of collecting information about running services from a system.
In the screenshot below you can see the output from Nmap, with a PORT column, a STATE column, and a SERVICE column.
PORT - The port number that is open and has a service running.
STATE - Whether Nmap was able to connect to the port (open) or not able to connect (filtered).
SERVICE - The service (program) that is running on that specific port number.
We can see that port 80 TCP is open, running the HTTP service (Hypertext Transfer Protocol). This is why we are able to view a web page if we go to www.scanme.nmap.org. Because we conducted a service version scan using Nmap, we can also see that this specific web server is running Apache. Port 22 TCP is also open, which is the standard port for Secure Shell (SSH), allowing remote sessions on the system.