Network security

4 network utilities every security pro should know: Video walkthrough

February 6, 2023 by Bianca Gonzalez

Some command-line utilities are so ubiquitous that it can be challenging for beginners to identify the best scenarios to use them. Learn how and when you should use these four well-known command-line utilities in this episode of Cyber Work Applied with Infosec Skills author Mike Meyers.

Popular network command-line utilities

When can a certain network utility do the most good for you? Learn how and when you can use Ping, Netstat, Traceroute and ARP in this video.

Network utilities demo and walkthrough

Below is the edited transcript of Mike’s network utilities demo and walkthrough, along with a portion of the code he uses.

Common command-line utilities and scenarios

(0:00-0:21) This episode is dedicated to going through well-known command-line utilities. We're going to be going through these utilities, but what we're really going to be doing is talking about scenarios more than anything else. We've got a lot of utilities to cover here, so let's go ahead and dive right in — and let's start with Ping.

How to use Ping for DNS

(0:22-1:26) Ping is a classic utility and hopefully one that you're already familiar with. What I want to do here is talk about the scenarios where we use Ping. The funny part is we use Ping so ubiquitously that a lot of times people don't think about what is the scenario that's causing me to turn to that tool. They're usually pretty simple scenarios. Let's run through a few right now.

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

So, you can see I've got my command line up, and I'm going to do one of my absolute favorites. Is DNS working? People never think about this with Ping.

C:\Users\Mike>ping www.totalsem.com

As you can see, I'm just typing Ping and then some arbitrary website: my own. Now, you'll notice that it's resolved www.totalsem.com. It says reply from 75.126 whatever it might be.

A lot of times, people will run a Ping, and they forget that it's a wonderful little quick and dirty DNS tool. It resolved, so whether I even get a good reply or not, the fact that it's resolving tells me my DNS is up and cooking.

Use Ping to test IPv4 and IPv6 connection

(1:27-2:26) The next thing I'm going to do is, can I connect to somebody? And this is really where we use Ping more than anything else. All I'm doing is typing Ping, and I want to connect. I want to see if I am getting to one person or another. I'm going to type in Ping. Let's do somebody who's always up, google.com.

C:\Users\Mike>ping www.google.com

Now, you can see that I'm getting a response. If you look really closely, you're going to see that I'm getting IPv6. So that's another thing we can do that's a lot of fun. I can Ping www.google.com just fine on IPv6, but what if I want to do it only with IPv4?

I can use a switch like -4, and you'll see that everything has changed over.

C:\Users\Mike>ping www.google.com -4

Now I'm getting a good response back, but this time I'm forcing it to use IPv4.

Use Ping to test intermittent connection

(2:27-3:22) A lot of problems we run into in the security world have to do with layer three issues, and what people aren't thinking about is IPv4 or IPv6. The Security+ exam is going to assume that you're comfortable with that, and Ping is a great way to separate those two.

The next thing I want to do is see if I have an intermittent connection. If you look at the screen again, you'll see that we've always got our time in milliseconds in terms of response. And that's a helpful tool, but a lot of times, especially if we're talking about a serious hardware intermittent issue in the Windows world, we have to do something a little bit funny. So, what I'm going to do is I'm going to Ping -t and again, let's pick somebody who's always up.

C:\Users\Mike>ping -t www.google.com

And now I want you to watch very, very closely. You'll see before we always had just four responses. In the Windows world, by running Ping with the -t, what we're giving ourselves is the ability to say, just keep running.

What is netstat?

(3:23-3:44) If you need to know what sessions a particular host is running at any given moment, your go-to tool is netstat. Netstat can be absolutely terrifying in terms of the information that it gives you. When I go to netstat, there are two big questions, two scenarios that I'm always looking for and counting on netstat to help me out with.

Use Netstat to see who I'm connecting to

(3:45-5:57) The first and most obvious question is, who am I talking to? I'm going to run a netstat real quick here, and I almost never run netstat by itself. I will invariably run -n.

C:\Users\Mike>netstat -n

The problem is I'm so familiar with port numbers now that it's actually hard for me to look at output where it says stuff like HTTP and HTTPS. Just the numbers, please. So, let me run this, and we can see what we're connecting to right now.

If you take a close look — first of all, this is a Windows 10 system, and Windows 10 is notorious for this loopback 127.0.0.1 with these really ephemeral port numbers, 53,200 and something. These are just the telemetry of Windows 10 phoning home, and there are things we can do about it. I don't worry about that too much. What I'm more interested in is when we get below that.

You can see that on this particular test network, my internal network ID for this host is 192.168.4.34. And you can see I've got one, two, three, four, five connections on IPv4, and then I've got an IPv6 connection. They're all on 443s. So I instantly know that I'm talking on HTTPS.

Well, that's great. And I also know why they're there. That's primarily because I've got my web browser open and these are all the different individual tabs and what those connections are for. So, in this particular situation, I'm happy with what I see.

What makes me nervous is when I have, for example, all of my web browsers closed, and I'm still connecting on 443 — something's connected in there that I'm not authorizing. That's a classic sign of malware or something else.

In fact, I have an NVIDIA driver that actually connects and phones home on port 443. Now, NVIDIA looks at that as a feature. It scares me a little bit, but I had to do some research and figure out where it was. When I'm looking for scenarios where I'm not sure who's talking out of this particular host, NETSTAT with the -n option is the way to go.

Use Netstat to see who's connecting to me

(5:58-8:07) The other one is the exact opposite. Not so much who am I talking to, but who's trying to talk to me? In this particular situation, am I a server for something? What I'll do here is I'll run netstat. But what I'm going to do is I'm going to do netstat -a.

C:\Users\Mike>netstat -a

-a says, show me all open ports, including those I'm not connected to. So, if I have a web server on here and I'm not connected to anybody, netstat normally wouldn't show that. With -a, I'm saying I don't care whether you're actually connected or not; if you're listening, show it. We should get quite a bit of information here.

Okay. As we scroll through here, what I'm looking for is on this side: what am I listening on? In this particular case, look right there, do you see that?

TCP [::]:80

Right there shows that I'm listening on port 80. This system right here is running a web server. Now, again, that could be a good thing.

A lot of times, little phone home utilities will use port 80 and be like their own little web server for driver updates and stuff. We're not doing as much as we used to, but what's important is I can take a look here, and I can quickly see that I'm a server. Do I want to be a server?

Now, something like port 80 is fairly innocuous. But because I know my port numbers well, certain other things would terrify me. If I saw open port 25 for email or something like that, I would start to panic a little bit.

The other problem as we look through this list is that there are a lot of listening ports. Do you see, it all says listening and listening there? If you don't know your ports, you're going to have to be doing a little bit of research here. Things like 135 and 443. I'm more familiar with those because they will be part of the Windows operating system. But I'm still going to take a moment to do some research.

Netstat is great for scenarios where you're worried about who you're talking to, or who's trying to talk to you.
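The two netstat questions above, "who am I talking to?" and "who's trying to talk to me?", can be answered from saved `netstat -an` output without reading the whole table by eye. The script below is an editor's added example, not code from the walkthrough or from Mike; the netstat output and the port allowlist in it are constructed for illustration.

```python
"""Answer the two netstat questions from the walkthrough ("who am I talking
to?" and "who's trying to talk to me?") by parsing Windows `netstat -an`
output. Editor's added example; the sample output below is constructed."""
import re
from collections import Counter

# Constructed sample in the layout of Windows `netstat -an` (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:53210        127.0.0.1:53211        ESTABLISHED
  TCP    192.168.4.34:51022     203.0.113.7:443        ESTABLISHED
  TCP    192.168.4.34:51023     203.0.113.7:443        ESTABLISHED
  TCP    192.168.4.34:51030     198.51.100.9:443       ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    [2001:db8::34]:51040   [2001:db8::1]:443      ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port); '*' ports become None."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_ip": lip, "local_port": lport,
                     "foreign_ip": fip, "foreign_port": fport,
                     "state": state or ""})
    return rows


def is_loopback(ip):
    return ip == "::1" or ip.startswith("127.")


def listening_sockets(rows):
    """'Who's connecting to me?': distinct (proto, port) the host accepts on.
    TCP listeners carry LISTENING; a bound UDP socket has no state at all,
    and the IPv4 and IPv6 wildcard listeners on one port collapse to one entry."""
    found = set()
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "LISTENING":
            found.add(("TCP", r["local_port"]))
        elif r["proto"] == "UDP":
            found.add(("UDP", r["local_port"]))
    return sorted(found)


def unexpected_listeners(rows, expected):
    """Listeners not on the allowlist: the 'do I want to be a server?' check."""
    return [s for s in listening_sockets(rows) if s not in expected]


def remote_peers(rows):
    """'Who am I talking to?': established, non-loopback peers with a count of
    sessions to each, so Windows' own 127.0.0.1 chatter is left out."""
    peers = Counter()
    for r in rows:
        if r["state"] == "ESTABLISHED" and not is_loopback(r["foreign_ip"]):
            peers[(r["foreign_ip"], r["foreign_port"])] += 1
    return peers


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    # Assumed allowlist for this host (constructed): Windows RPC/SMB ports and mDNS.
    allowed = {("TCP", 135), ("TCP", 445), ("UDP", 5353)}
    print("listening:", listening_sockets(rows))
    print("unexpected listeners:", unexpected_listeners(rows, allowed))
    for (ip, port), n in remote_peers(rows).most_common():
        print(f"talking to {ip}:{port} ({n} session(s))")
```

Run against a saved `netstat -an > before.txt` taken with every browser closed, as the walkthrough suggests, and anything that shows up in `remote_peers` is a session you did not open; the allowlist for `unexpected_listeners` is whatever research into your own host's ports establishes as normal.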

How does Traceroute work?

(8:08-10:16) Traceroute is a very interesting utility. The challenge that I run into with most people who say they don't like traceroute is that they don't think about scenarios where traceroute is going to do them the most good.

The bottom line is if you can't Ping somebody, going ahead and tracerouting them is questionable, with one exception.

Let me give you an example right here. I'm going to run traceroute. And let's again, pick good ol' Google because they never go down.

C:\Users\Mike>tracert www.google.com

What I want you to do is watch this very, very closely. As we're moving along here, it's going to take a few clicks before it gets to Google. What's not terribly important to me is all the gobbledygook past the first two lines.

If you take a look at those first two lines, that is my internal router and the next line after that is my in-house interface to Comcast itself. As you can see, I'm running Comcast. What that's telling me is that I know the first two routers between my network and the rest of the world.

And this is where traceroute could come up in different scenarios that'll help you out. Let's say you can't traceroute somebody. If that traceroute fails on either the first or the second line, I now know I've got an in-house problem, and I'm going to grab a screwdriver and check my router or ISP interface.

If it happens three or four levels down, well that's Comcast's problem or somebody else's, and there's nothing I'm going to be able to do about it. So, the trick to traceroute is knowing your infrastructure. And if you get a failure on traceroute, know, is that something you can fix? Or are you going to have to make a phone call to your ISP?

That's the big secret. And those are the scenarios that are going to work best for you when it comes to traceroute.
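The triage rule above (a trace that dies at hop one or two is your problem; deeper is the ISP's) is easy to encode so that a saved `tracert` output can be classified without reading it line by line. This is an editor's added example, not code from the walkthrough; the three tracert outputs are constructed, and the assumption that the first two hops are in-house comes from Mike's own network, so the `in_house_hops` parameter is there to change it for yours.

```python
"""Triage a Windows `tracert` result the way the walkthrough describes:
a trace that dies at hop 1 or 2 points at your own router or ISP interface;
anything deeper is upstream and needs a call to the ISP.
Editor's added example; all three tracert outputs are constructed."""
import re

# Constructed outputs in the layout Windows tracert prints (not real captures).
TRACE_OK = """
Tracing route to www.example.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.4.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    20 ms    19 ms    21 ms  198.51.100.1
  5    24 ms    23 ms    24 ms  203.0.113.10

Trace complete.
"""

TRACE_IN_HOUSE = """
Tracing route to www.example.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.4.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
"""

TRACE_UPSTREAM = """
Tracing route to www.example.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.4.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3    18 ms    18 ms    19 ms  198.51.100.1
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
"""

# A hop line starts with the hop number; header and footer lines do not.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_tracert(text):
    """Return [(hop_number, answered)] for every hop line in the output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), "Request timed out" not in m.group(2)))
    return hops


def first_failed_hop(hops):
    """Hop where the final run of timeouts begins, or None if the last hop
    answered. A single silent router in the middle (hop 3 in TRACE_OK) is
    common and is not treated as a failure."""
    if not hops or hops[-1][1]:
        return None
    i = len(hops) - 1
    while i > 0 and not hops[i - 1][1]:
        i -= 1
    return hops[i][0]


def classify(text, in_house_hops=2):
    """'reachable', 'in-house' (fix it yourself) or 'upstream' (call the ISP).
    in_house_hops is how many leading hops you own; the walkthrough's network
    has two, the internal router and the ISP interface."""
    hop = first_failed_hop(parse_tracert(text))
    if hop is None:
        return "reachable"
    return "in-house" if hop <= in_house_hops else "upstream"


if __name__ == "__main__":
    for name, trace in [("ok", TRACE_OK), ("in-house", TRACE_IN_HOUSE),
                        ("upstream", TRACE_UPSTREAM)]:
        print(f"{name}: {classify(trace)}")
```

The one design point worth noting is `first_failed_hop`: it only counts a run of timeouts that reaches the end of the trace, because a router that drops ICMP in the middle of an otherwise complete trace is normal and tells you nothing about where a real outage is.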

What does the ARP command do?

(10:17-13:04) I seriously hope that you don't run into a scenario where you need to be running the ARP command. The main reason you're going to be running ARP (Address Resolution Protocol) is that you're afraid that somebody is doing something naughty within the world of your switches.

For those who don't recall, ARP, or Address Resolution Protocol, is a tool by which we can resolve an Ethernet MAC address from an IP address. So what I'm going to do is I'm just going to run ARP. Now, ARP by itself doesn't do anything. But what we normally do is we're going to run ARP -a.

C:\Users\Mike>arp -a

What you're looking at right here is the ARP cache. This is what your system picks up over time. Now, this is Windows. ARP on Linux and Macs is a little bit different, but you get the same basic result. Let's take a look at what we got here. Now, in this particular case, I've got two interfaces.

I want to concentrate on the one that you see here that says 192.168.4.34. That is my actual ethernet connection on this system. So as we take a look at this, you can see that we have both dynamic and we also have static addresses.

Windows generates static ARP cache entries that never change. If you take a look at what they are, it will make some sense to you. These are broadcast addresses. These are multicast addresses, and there is no reason for those to ever change.

Dynamic, on the other hand, are addresses that will change based on ARP commands that this host is picking up. Now, what you're panicking about in this type of scenario is that somebody has put in, for example, an ARP poisoner. And these can be incredibly difficult to diagnose.

Now, if you look at Total Seminars, you can see all of these different physical NICs I have here. And if you look at the first six letters, you can see they're all different for different ones. That's because we buy lots of different brands of NICs. But one of the things you'll see a lot of organizations do, is they're like, we will always buy Intel NICs. And the reason they're doing that is not that they're particularly hooked on Intel, although they usually are.

But what they're doing is making sure that all of their NICs are always going to start with those first six values, because they're all Intel OEM IDs. That way, if an ARP poisoner sneaks in, unless it's a very good ARP poisoner who even knows how to mimic an Intel, which most of them don't, it's really easy to look at this list and suddenly see an entry whose first six numbers are different from what they've established and are counting on. And that can often be a clue that you've got an ARP poisoner out there.

ARP poisoners are a big problem. Now, good intrusion detection should catch this stuff. But if you need to see who's being the bad guy, you are reduced to running ARP and trying to find MAC addresses that you don't trust.
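The "we only buy one vendor's NICs" heuristic above is a check on the first six hex digits of each dynamic entry, which a short script can apply to saved `arp -a` output. The code below is an editor's added example, not part of the walkthrough; the ARP cache in it is constructed, the "trusted" OUI is an assumed site value rather than a vendor lookup, and the second check (one MAC answering for several IPs on the same interface) goes beyond what the walkthrough describes.

```python
"""Screen a Windows `arp -a` cache for entries that don't belong, using the
heuristic from the walkthrough: if every NIC on your network comes from one
vendor, a dynamic entry whose OUI (first three octets of the MAC) differs
stands out. Editor's added example; it also flags one MAC answering for
several IPs, which goes beyond the walkthrough. The cache and the trusted
OUI are constructed; no vendor database is consulted."""
import re
from collections import defaultdict

# Constructed sample in the layout Windows `arp -a` prints (not a real capture).
SAMPLE_ARP = """
Interface: 192.168.4.34 --- 0xb
  Internet Address      Physical Address      Type
  192.168.4.1           08-00-27-de-ad-be     dynamic
  192.168.4.20          00-1b-21-11-22-33     dynamic
  192.168.4.21          00-1b-21-44-55-66     dynamic
  192.168.4.55          08-00-27-de-ad-be     dynamic
  192.168.4.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

IFACE_RE = re.compile(r"^Interface:\s+(\S+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE)


def parse_arp(text):
    """Return one dict per cache entry, tagged with the interface it belongs to."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append({"iface": iface, "ip": ip, "mac": mac.lower(),
                            "type": kind.lower()})
    return entries


def oui(mac):
    """First three octets of a MAC in Windows 'xx-xx-xx' form: the vendor's OUI."""
    return mac.lower()[:8]


def untrusted_dynamic(entries, trusted_ouis):
    """Dynamic entries whose OUI is not on the allowlist. Static entries
    (broadcast, multicast) are skipped: Windows generates them itself."""
    trusted = {o.lower() for o in trusted_ouis}
    return [e for e in entries
            if e["type"] == "dynamic" and oui(e["mac"]) not in trusted]


def shared_macs(entries):
    """Dynamic MACs that answer for more than one IP on the same interface.
    A normal host owns one IP; a spoofer answering for both the gateway and a
    victim does not (added check, beyond the walkthrough's OUI heuristic)."""
    seen = defaultdict(list)
    for e in entries:
        if e["type"] == "dynamic":
            seen[(e["iface"], e["mac"])].append(e["ip"])
    return {mac: ips for (_, mac), ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP)
    # Assumed allowlist (constructed): the one OUI this site's NICs are bought with.
    site_ouis = {"00-1b-21"}
    for e in untrusted_dynamic(entries, site_ouis):
        print(f"untrusted OUI: {e['ip']} -> {e['mac']} on {e['iface']}")
    for mac, ips in shared_macs(entries).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

In the constructed cache the gateway, 192.168.4.1, has the same MAC as 192.168.4.55, and neither carries the site OUI, so both checks fire on the same two entries; on a real cache either finding alone is the cue to go look at the switch, and as the walkthrough notes, an intrusion detection system should be raising it before you have to.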

More cybersecurity training resources

Want more free cybersecurity resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.

Cyber Work listeners also get other free training resources. Check out the latest free cybersecurity courses and resources to keep learning!

Bianca Gonzalez

Bianca Gonzalez is a writer, researcher and queer Latina brain cancer survivor who specializes in inclusive B2B insights and multicultural marketing. She completed over 400 hours of community service as a college student.