Section 4: Tools of the Trade Flashcards
What is “ping”?
A DNS tool. It resolves web addresses to an IP address.
> ping www.website.com
How do you check IPv4 with ping?
> ping www.google.com -4
Use the -4 flag
How do you check if you have an intermittent connection?
> ping -t www.google.com
Windows only! You do not need the -t flag on Linux systems.
What is netstat?
Shows what hosts you are currently connected to.
> netstat -n
Shows what you are connected to currently. Shows each tab you have open in a browser; addresses ending in 443 are HTTPS.
What does this command do?
> netstat -a
Shows all open ports, so you can see which ports are listening. Port 80 is okay!
What is “tracert”?
Trace route: see which routers are being hit.
> tracert www.google.com
E.g.
First line is the internal router.
Second is the Comcast router.
If you can't trace route to someone, you can confirm the issue is internal if it fails on the first 2 lines.
What is “arp”?
ARP - Address Resolution Protocol
Can see if something is going wrong with switches. Can resolve an Ethernet MAC address from an IP address.
> arp -a
Shows the ARP cache: dynamic and static addresses. Look out for an "ARP poisoner". Can easily see if a NIC is wrong.
What is “ipconfig”?
ipconfig (Windows), ip (Linux)
Shows IPv6 and IPv4 addresses on the Ethernet adapter.
> ipconfig -all
Windows command with a bunch of info; also shows the MAC address.
> ip addr
Linux version of ipconfig; shows the MAC address.
What is "nslookup"?
> nslookup www.google.com
Helps with DNS issues. Use it to query a DNS server and check things. Shows the IP address for the queried website.
How do you change the DNS server temporarily?
> nslookup
Enters interactive mode.
> server 8.8.8.8
Use the 8.8.8.8 server and see if the issue goes away.
What is “dig”?
Linux only. Shows any cached info too.
> dig www.google.com
Can also change the server:
> dig @8.8.8.8
How do you get an MX record?
> dig MX www.google.com
What is netcat?
Linux only. Can open and listen on ports AND act as a client; good for pen testing and vulnerability assessment.
E.g. Open up port 231:
> sudo netcat -l 231
What is a Network Scanner?
Useful to see open ports on all systems on your network.
What is nmap?
> nmap -v -sn subnetmask
> nmap -v -A scanme.nmap.org
Useful for hardware inventory.
"-A" shows the operating systems and which ports are open.
What is zenmap?
GUI of nmap
What is Advanced Port Scanner?
GUI. Scans IPs and looks at the ports that are open.
What is wireshark SB Network Inventory?
Useful for finding all devices on the network (iPhones etc.).
What is Wireshark?
A protocol analyser!
Uses a sniffer and an analyzer. Great for filtering data by service or protocol, e.g. DHCP/HTTP traffic.
What's a sniffer?
“pcap” “winpcap”
Software that grabs all the data that goes through a particular interface. The data can go either to a log or to a protocol analyzer.
What is Wireshark good for?
Finding a broadcast storm, or isolating a rogue server.
What's a downside to Wireshark?
Sometimes misses incoming and outgoing packets. Instead use tcpdump, a better sniffer.
What is an SNMP network?
Simple Network Management Protocol: used to administer and manage network devices from a single source.
What is an SNMP network printer? How does it work?
A printer that has an AGENT that talks to the SNMP network. Uses UDP 161 or TLS 10161 (encrypted).
Becomes a MANAGED DEVICE.
Make one device the SNMP manager to communicate with all the devices. UDP 162 or TLS 10162 (encrypted).
NMS
Network Management Station
MIB
Management Information Base: kind of the SDK for each device.
What are the standard commands for SNMP?
GET - regular query.
TRAP - set on the managed device; info is sent to the NMS when there is an issue (e.g. printer on fire).
WALK - a batch of GETs.
SNMP Versions
SNMPv1 is unencrypted.
SNMPv2 has basic encryption.
SNMPv3 is best and uses TLS encryption. It is common to have different versions of SNMP in a network.
> snmp-server community totalhome RO
Command to turn on SNMP on a managed device.
Community - the organization of managed devices.
RO - read only; RW - read write.
Non-network event logs
- Host starting, shutdown, OS updates, application installs/stalls/starts/stops
- Security: system logons (failures/successes)
Each has the following info:
- date
- time
- process id/source
- account
- event number
- event description
Network event logs
- Things that happen to applications on a network
- Remote logins
- Activity on a firewall
Which is best: decentralized or centralized logging?
Decentralized is fine for small systems, but centralized is better.
Best to use SNMP to centralize logs.
Common to use third-party MaaS.