Section 4: Tools of the Trade

Question 1

What is “ping”?

Answer 1

A dns tool. It resolves web addresses to an IP address.

> ping www.website.com

Question 2

How do you check IPV4 with ping?

Answer 2

> ping www.google.com -4

Use the -4 flag

Question 3

How do you check if you have an intermittent connection?

Answer 3

> ping -t www.google.com

Windows only!! You do not need the -t flag for linux systems

Question 4

What is netstat?

Answer 4

Shows what hosts you are currently connected to.

> netstat -n

Shows what you are connected to currently. Shows each tab you have open on a browser - addresses ending 443 are https.

Question 5

What does this command do?

> netstat -a

Answer 5

Shows all open ports to see what ports are listening. Port 80 is okay!

Question 6

What is “tracert”?

Answer 6

Trace Route - see what routers are being hit.

> tracert www.google.com

E.g.
First line is the internal router
Second is the comcast router.

If you can’t trace route someone you can confirm if the issue is internal if the issue fails on the first 2 lines.

Question 7

What is “arp”?

Answer 7

ARP - Address Resolution Protocol

Can see if something is going wrong with switches. Can resolve an ethernet mac address from an IP address.

Question 8

> arp -a

Answer 8

Shows the arp cache - dynamic and static addresses. Looking out for an “arp poisoner”. Can easily see if a nic is wrong.

Question 9

What is “ipconfig”?

Answer 9

ipconfig (windows), ip (linux)

Shows IPV6 and IPV4 addresses on the Ethernet Adapter.

Question 10

> ipconfig -all

Answer 10

Windows command with a bunch of info and shows the MAC Address.

Question 11

> ip addr

Answer 11

Linux version of ipconfig - shows MAC Address

Question 12

> nslookup www.google.com

Answer 12

Helps with dns issues. Use to query dns server and check things. Shows IP address for the queried website.

Question 13

How do you change the dns server temporarily?

Answer 13

> nslookup

To enter the interactive mode

> server 8.8.8.8

Use the 8.8.8.8 server and see if the issue goes away.

Question 14

What is “dig”?

Answer 14

Linux only. Shows any cached info too.
> dig www.google.com

Can also change the server
> dig @8.8.8.8

Question 15

How to get an MX record?

Answer 15

> dig MX www.google.com

Question 16

What is netcat?

Answer 16

Linux only. Can open and listen on ports AND act as a client - good for pen testing and vulnerability assessment.

E.g. Open up port 231:

> sudo netcat -l 231

Question 17

What is a Network Scanner?

Answer 17

Useful to see open ports on all systems on your network.

Question 18

What is nmap?
> nmap -v -sn subnetmask
> nmap -v -A scanme.nmap.org

Answer 18

Useful for hardware inventory.

“-A” shows the operating systems and what ports are open

Question 19

What is zenmap?

Answer 19

GUI of nmap

Question 20

What is Advanced Port Scanner?

Answer 20

GUI - Scans IPs and looks at the ports that are open.

Question 21

What is wireshark SB Network Inventory?

Answer 21

Useful for looking for all devices on the network - iphones etc.

Question 22

What is WireShark?

Answer 22

A protocol analyser!

Uses a sniffer and analyzer. Great to filter data by services or protocols. E.g. DHCP/http traffic.

Question 23

What’s a sniffer?

Answer 23

“pcap” “winpcap”

Software that grabs all the data that goes through a particular interface. Can either go to a log or to a protocol analyzer.

Question 24

What is wireshark good for?

Answer 24

A broadcast storm, or to isolate a rogue server.

Question 25

Whats a downside to wireshark?

Answer 25

Sometimes misses incoming and outgoing packets. Instead use TCP dump - a better sniffer.

Question 26

What is SNMP network?

Answer 26

Simple Network Management Protocol - used to administer and manage networks devices form a single source.

Question 27

What is an SNMP network printer? How does it work?

Answer 27

A printer that has an AGENT that talks to the SNMP network. Uses UDP 161 or TLS 10161 (encrypted).
Becomes a MANAGED DEVICE.

Make one device an SNMP Manager, to communicate with all the devices. UDP 162 or TLS 10162 (encrypted).

Question 28

NMS

Answer 28

Network Management Station

Question 29

MIB

Answer 29

Management Information Base - kinda the SDK for each device.

Question 30

What are the standard commands for SNMP?

Answer 30

GET - regular query.

TRAP - on the managed device and info is sent to NMS when there is an issue - printer on fire.

WALK - batch of GETS.

Question 31

SNMP Versions

Answer 31

SNMPv1 is unencrypted
SNMPv2 has basic encrption
SNMPv3 is best and uses TLS encryption. Common to have different versions of SNMP in a network.

Question 32

> snmp-server community totalhome RO

Answer 32

Command to turn on SNMP on a managed device.

Community - the organization of managed devices.

RO - read only or RW - read write

Question 33

Non-network Events

Answer 33

Host starting, shutdown, OS updates, application installs/stalls/starts/stops
Security - system logons - failures/success

Each has the following info:
date time and process id/source, account, event number, event description

Question 34

Non-network event logs

Answer 34

Host starting, shutdown, OS updates, application installs/stalls/starts/stops
Security - system logons - failures/success

Question 35

Network event logs

Answer 35

• Things that happen to applications on a network
• Remote logins
• Activity on a firewall

Question 36

Which is best - decentralized or centralized logging?

Answer 36

Decentralized is fine for small systems.
But centralized is better.
Best to use SNMP to centralize logs.
Common to use 3rd parties MaaS.

Question 37

What is generally in a log

Answer 37

Each has the following info:

• date
• time
• process id/source
• account
• event number
• event description