CompTIA Security+ (SY0-501) Study Notes

Security+ Course – 2.6 Security Assessment Tools

2.6.1 Protocol Analysers

Protocol analysers let administrators capture the packets travelling on a network and inspect them in deep detail. This is very useful when troubleshooting network issues or investigating security incidents. Wireshark intercepts traffic and decodes the raw binary packets into a human-readable form, making it easy to identify what traffic is crossing your network, how much of it there is, how frequently it occurs, how much latency there is between certain hops, and so forth.

Wireshark is a graphical protocol analyser / packet sniffer. It gives in-depth detail about the traffic on the network, decoding each layer of a packet (Ethernet, IP, TCP/UDP, application protocol) into named fields.

tcpdump is a command-line packet sniffer with the same kind of capture engine but text output (for example, tcpdump -i eth0 -nn port 22 captures SSH traffic on eth0 without resolving names).

Wireshark and tcpdump are both built on the libpcap packet-capture library (Npcap, formerly WinPcap, on Windows). Capturing needs administrator/root privileges, and on a switched network an interface in promiscuous mode still only sees its own traffic plus broadcasts: to see other hosts' traffic you need a mirror (SPAN) port, a network tap, or to be on the path.
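To make concrete what Wireshark and tcpdump do with the bytes they capture, here is a small added example (not code from the page or from either tool) that dissects a constructed Ethernet/IPv4/TCP frame with Python's struct module and prints a tcpdump-style summary line. The frame bytes, addresses and port numbers are made up for the demonstration; real captures would come from libpcap (e.g. via the scapy or pyshark libraries), and this decoder handles only IPv4 over Ethernet with a TCP payload.

```python
import struct

# Constructed sample frame (not a real capture): an Ethernet II frame carrying an
# IPv4 packet with a TCP SYN from 192.168.1.13:2257 to 40.90.189.152:443.
# IP and TCP checksums are left as zero; a real capture would have them filled in.
SAMPLE_FRAME = bytes.fromhex(
    "849fb557f247"  # Ethernet: destination MAC 84-9f-b5-57-f2-47
    "b02a4357c364"  # Ethernet: source MAC b0-2a-43-57-c3-64
    "0800"          # Ethernet: EtherType 0x0800 = IPv4
    "45" "00" "0028" "1c46" "4000" "40" "06" "0000"  # IPv4: ver 4/IHL 5, TOS, total len 40, ID, DF, TTL 64, proto 6 (TCP), checksum
    "c0a8010d" "285abd98"                            # IPv4: src 192.168.1.13, dst 40.90.189.152
    "08d1" "01bb" "00000001" "00000000"              # TCP: sport 2257, dport 443, seq 1, ack 0
    "5002" "7210" "0000" "0000"                      # TCP: data offset 5, flags SYN, window 29200, checksum, urgent ptr
)

# (flag bit, tcpdump letter, long name)
TCP_FLAGS = [(0x02, "S", "SYN"), (0x10, ".", "ACK"), (0x01, "F", "FIN"),
             (0x04, "R", "RST"), (0x08, "P", "PSH"), (0x20, "U", "URG")]


def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def dissect(frame):
    """Decode Ethernet -> IPv4 -> TCP headers into a dict, the way a protocol analyser does."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"eth": {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "type": ethertype}}
    if ethertype != 0x0800:          # only IPv4 is decoded here
        return result

    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    result["ip"] = {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20]),
                    "ttl": ttl, "proto": proto, "len": total_len}

    payload = ip[ihl:total_len]
    if proto == 6 and len(payload) >= 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", payload[:16])
        data_off = (off_flags >> 12) * 4     # TCP header length in bytes
        bits = off_flags & 0x1FF             # the 9 flag bits
        result["tcp"] = {
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [name for bit, _, name in TCP_FLAGS if bits & bit],
            "payload_len": max(0, len(payload) - data_off),
        }
    return result


def summarize(frame):
    """One tcpdump-style line, e.g. 'IP 192.168.1.13.2257 > 40.90.189.152.443: Flags [S], ...'."""
    d = dissect(frame)
    if "tcp" not in d:
        return f"ETH {d['eth']['src']} > {d['eth']['dst']} type 0x{d['eth']['type']:04x}"
    ip, tcp = d["ip"], d["tcp"]
    letters = "".join(letter for _, letter, name in TCP_FLAGS if name in tcp["flags"])
    return (f"IP {ip['src']}.{tcp['sport']} > {ip['dst']}.{tcp['dport']}: "
            f"Flags [{letters}], seq {tcp['seq']}, win {tcp['window']}, length {tcp['payload_len']}")


if __name__ == "__main__":
    print(summarize(SAMPLE_FRAME))
```

The same decoding applied to every frame in a capture file is all that separates the raw bytes on the wire from the columns you see in Wireshark; the value of the tool is that it already knows hundreds of protocols, not that any one of them is hard to parse.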


2.6.2 Network Scanning

Network scanning is used to discover the active systems on a network and the services they expose.

Network Mapping

This provides an important glimpse of network activity and is particularly useful for detecting rogue systems. One of the most popular network mapping tools is Nmap (short for Network Mapper), a free download from nmap.org.

Nmap can scan your network and find a lot of information, such as:

  • Live hosts and their device/host names
  • Operating system version (OS fingerprinting, nmap -O)
  • Open ports and the services and versions behind them (nmap -sV)

Exam tip: get some hands-on experience with Nmap. A plain TCP connect scan is nmap -sT target; the default SYN scan (nmap -sS) is faster and stealthier but needs root/administrator privileges to craft raw packets.
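As an added illustration of what a port scan actually does at the socket level (this is example code, not part of the notes or of Nmap), the script below implements a TCP connect scan, the same technique as nmap -sT, and runs it against a throwaway service started on 127.0.0.1 so that it works offline. The service, its banner and the port numbers are constructed for the demo. It distinguishes open (handshake completes), closed (RST, seen as connection refused) and filtered (no answer at all, typical of a firewall that drops SYNs), and reads the banner from open ports, a crude form of what nmap -sV does.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_fake_service(banner):
    """Stand-in target: a throwaway TCP listener on 127.0.0.1 that greets each client with a banner.
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0 = let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener closed, stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Reserve a port and release it again, so we have a port that is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """TCP connect probe, the technique behind nmap -sT: complete the three-way handshake,
    then read whatever banner the service volunteers. RST -> closed, silence -> filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:          # must come before the generic OSError
            return port, "closed", b""
        except (socket.timeout, OSError):
            return port, "filtered", b""
        try:
            banner = s.recv(256)
        except (socket.timeout, OSError):
            banner = b""
        return port, "open", banner


def connect_scan(host, ports, workers=32):
    """Scan a list of ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: (state, banner) for port, state, banner in results}


if __name__ == "__main__":
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_8.9 (constructed banner)\r\n")
    closed_port = free_port()
    for port, (state, banner) in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{port}/tcp {state} {banner.decode(errors='replace').strip()}")
    srv.close()
```

Because every probe completes a full handshake, a connect scan shows up in the target's application logs as a connection that opened and closed without doing anything, which is exactly why Nmap prefers the half-open SYN scan when it has the privileges for it.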


2.6.3 Exploitation frameworks

These are like a hacker's Swiss army knife: a framework bundling the tools used to find and test vulnerabilities (scanners, exploit modules, payloads and post-exploitation tools). They can be used for both attack and authorised testing.

Metasploit https://www.metasploit.com/

This is one of the most common exploitation frameworks. It began as an open-source project and was later purchased by the security firm Rapid7. The open-source Metasploit Framework is still free; Metasploit Pro is a commercial product with extra features.

With this software you can scan your network for devices, and it reports what services are running and on which ports, for example SSH on port 22. You can then search Metasploit for an SSH module; one option is a login attack (the auxiliary/scanner/ssh/ssh_login module), which takes a list of usernames and passwords and loops through them trying to authenticate. Even the failures can return useful information, such as whether a username actually exists on the system, and from there a full brute-force attack could be carried out. Note that every attempt is logged by the target's SSH daemon, so this kind of attack is noisy and easy to detect.

Metasploit has a large library of modules for many different services and programs.

Exam tip: get some hands-on experience with Metasploit.
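The login attack described above leaves a very recognisable trail on the target. As an added example (not part of the original notes or of Metasploit), the following script parses sshd log lines and flags a source IP that fails to log in repeatedly within a short window, reporting the usernames it tried and whether a login from that IP succeeded afterwards. The log lines are constructed for the demonstration; the threshold, window and year are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in classic syslog format (not taken from a real host).
# A credential-guessing run from 192.168.1.55 ends with a successful login as "deploy";
# 192.168.1.20 is an ordinary user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 192.168.1.55 port 51234 ssh2
Mar  3 10:15:02 web1 sshd[2203]: Failed password for invalid user test from 192.168.1.55 port 51236 ssh2
Mar  3 10:15:02 web1 sshd[2205]: Failed password for root from 192.168.1.55 port 51238 ssh2
Mar  3 10:15:03 web1 sshd[2207]: Failed password for root from 192.168.1.55 port 51240 ssh2
Mar  3 10:15:03 web1 sshd[2209]: Failed password for deploy from 192.168.1.55 port 51242 ssh2
Mar  3 10:15:04 web1 sshd[2211]: Accepted password for deploy from 192.168.1.55 port 51244 ssh2
Mar  3 10:20:11 web1 sshd[2290]: Failed password for alice from 192.168.1.20 port 40011 ssh2
Mar  3 10:20:19 web1 sshd[2292]: Accepted publickey for alice from 192.168.1.20 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2024):
    """Yield one event dict per sshd login line. Syslog lines carry no year, so one is supplied (assumed)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "result": m["result"], "method": m["method"], "user": m["user"],
            "ip": m["ip"], "invalid_user": m["invalid"] is not None,
        }


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on any source IP with >= threshold failed logins inside a sliding window, and report
    which usernames were tried and whether a login from that IP succeeded after the burst."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1]["ts"]
            later_success = [e["user"] for e in evs if e["result"] == "Accepted" and e["ts"] >= last_fail]
            alerts.append({
                "ip": ip, "failures": len(burst),
                "start": burst[0]["ts"], "end": last_fail,
                "users": sorted({f["user"] for f in burst}),
                "invalid_users": sorted({f["user"] for f in burst if f["invalid_user"]}),
                "success_after": later_success,          # a success right after a burst is the real alarm
            })
            break  # one alert per IP is enough for a first pass
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The "invalid user" marker is the same username-enumeration signal the attacker is looking for, seen from the other side: sshd tells you which guessed accounts do not exist, and a burst of them from one address is rarely anything but a scanner.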


2.6.4 Command Line Network Tools

These are quick and easy ways to view network configuration and troubleshooting information.

ICMP and Ping

Ping checks whether another system is reachable. It uses the Internet Control Message Protocol (ICMP), specifically the Echo Request (type 8) and Echo Reply (type 0) messages.

The system that initiates the ping sends an “Are you there?” message (Echo Request). If the destination system is reachable and allowed to answer, it sends back a “Yes, I am here” response (Echo Reply), and ping reports the round-trip time.

Troubleshooting with Ping

Ping can be very useful for troubleshooting. For example, if you are having trouble reaching a web server, you can:

  1. Ping the web server itself
  2. Ping another server on the internet, which tells you whether you can reach the internet at all
  3. Ping a system on your local network, which tells you whether your local connection works
  4. Try the same pings from a different computer, which tells you whether the problem is specific to your machine

NOTE: some systems block ping at the firewall. This is worth remembering, because if a system doesn't reply it doesn't necessarily mean it's offline; it may just not be responding to ICMP. In that case try the actual service port instead (for a web server, a TCP connection to port 80 or 443).

Trace Route

This command traces the path between two hosts on the network. It works by sending probes with an increasing TTL (time to live) starting at 1: each router that decrements the TTL to zero discards the probe and sends back an ICMP Time Exceeded message, which reveals that router's address. Windows tracert uses ICMP Echo Request probes; Linux traceroute uses UDP probes by default (traceroute -I switches to ICMP).

On Linux the command is: traceroute
On Windows the command is: tracert

Example of tracert on Windows:
tracert lynda.com
Tracing route to lynda.com [8.39.42.106]
over a maximum of 30 hops:

1 2 ms 1 ms 2 ms 192-168-1-1.tpgi.com.au [192.168.1.1]
2 12 ms 10 ms 9 ms syd-sot-ken2-bras5-lo-20.tpgi.com.au [10.20.22.62]
3 10 ms 12 ms 11 ms nme-sot-dry-wgw1-be-10.tpgi.com.au [203.219.155.8]
4 51 ms 26 ms 22 ms nme-sot-dry-crt1-be-50.tpgi.com.au [203.219.107.237]
5 24 ms 22 ms 23 ms nme-apt-bur-crt1-be-30.tpgi.com.au [202.7.173.21]
6 28 ms 30 ms 22 ms syd-gls-har-crt1-be-10.tpgi.com.au [202.7.171.173]
7 25 ms 22 ms 22 ms syd-gls-har-int2-be200.tpgi.com.au [203.221.3.68]
8 176 ms 177 ms 177 ms equinix-ix.sjc1.us.voxel.net [206.223.116.4]
9 219 ms 219 ms 225 ms bbr1.inapbb-dal-sje-1-2-4-6.dal006.pnap.net [64.95.158.182]
10 221 ms 222 ms 220 ms bbr2.ae7.dal006.pnap.net [64.95.158.202]
11 252 ms 254 ms 251 ms bbr1.xe-0-0-1.inapbb-wdc-dal-7.wdc002.pnap.net [64.95.158.210]
12 259 ms 258 ms 259 ms core2.be-3.inapvox-9.wdc002.pnap.net [64.95.158.245]
13 236 ms 238 ms 236 ms border12.xe-1-1-bbnet2.wdc002.pnap.net [216.52.127.67]
14 236 ms 236 ms 236 ms lynda-3.border11.wdc002.pnap.net [69.25.40.38]
15 239 ms 236 ms 241 ms 45-42-65-4.fwd.lynda.com [45.42.65.4]
16 236 ms 237 ms 237 ms www.lynda.com [8.39.42.106]

Trace complete.

You get a line for each hop on the way with three round-trip times. If you get stars (*) it means that hop did not reply within the timeout; routers often rate-limit or drop ICMP, so a silent hop does not mean the path is broken there. Reading the trace above, latency stays around 22 ms inside the ISP's Australian network (hops 1 to 7) and jumps to about 176 ms at hop 8, where the path crosses to equinix-ix.sjc1.us.voxel.net in the US; that jump is the long-haul link, not a fault.
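Reading a traceroute by eye works for one trace, but a few lines of code make the pattern (where the latency jumps, which hops stay silent) explicit. The following is an added example, not part of the original notes or of the tracert tool: it parses Windows tracert output, averages the three probes per hop, lists the hops that never answered and finds the largest latency jump between consecutive responding hops. The sample reuses hops 1 to 8 and 16 from the trace above; hop 9 is a constructed "Request timed out." line added to exercise the non-responding case, so the intermediate hops 10 to 15 are deliberately absent.

```python
import re

# Sample input: hops 1-8 and 16 are from the tracert output above; hop 9 is a constructed
# "Request timed out." line, and hops 10-15 have been left out on purpose.
SAMPLE_TRACERT = """\
Tracing route to lynda.com [8.39.42.106]
over a maximum of 30 hops:

1 2 ms 1 ms 2 ms 192-168-1-1.tpgi.com.au [192.168.1.1]
2 12 ms 10 ms 9 ms syd-sot-ken2-bras5-lo-20.tpgi.com.au [10.20.22.62]
3 10 ms 12 ms 11 ms nme-sot-dry-wgw1-be-10.tpgi.com.au [203.219.155.8]
4 51 ms 26 ms 22 ms nme-sot-dry-crt1-be-50.tpgi.com.au [203.219.107.237]
5 24 ms 22 ms 23 ms nme-apt-bur-crt1-be-30.tpgi.com.au [202.7.173.21]
6 28 ms 30 ms 22 ms syd-gls-har-crt1-be-10.tpgi.com.au [202.7.171.173]
7 25 ms 22 ms 22 ms syd-gls-har-int2-be200.tpgi.com.au [203.221.3.68]
8 176 ms 177 ms 177 ms equinix-ix.sjc1.us.voxel.net [206.223.116.4]
9 * * * Request timed out.
16 236 ms 237 ms 237 ms www.lynda.com [8.39.42.106]

Trace complete.
"""

# hop number, exactly three probe results ("N ms", "<1 ms" or "*"), then the target text
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})(?P<target>.*\S)?\s*$")
TARGET_RE = re.compile(r"^(?:(?P<host>\S+)\s+)?\[(?P<ip>[^\]]+)\]$")   # "host [ip]" or "[ip]"
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")                       # bare IP, no reverse name


def parse_rtt(token):
    """'12 ms' -> 12.0; '<1 ms' -> 0.5 (Windows prints <1 for sub-millisecond); '*' -> None."""
    if token == "*":
        return None
    num = token[:-3]            # strip " ms"
    return float(num[1:]) / 2 if num.startswith("<") else float(num)


def parse_tracert(text):
    """Return one dict per hop line: hop, rtts, host, ip, avg_ms (None if no reply), loss (0-3)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [parse_rtt(t) for t in re.findall(r"<?\d+ ms|\*", m["rtts"])]
        target = (m["target"] or "").strip()
        host = ip = None
        tm = TARGET_RE.match(target)
        if tm:
            host, ip = tm["host"], tm["ip"]
        elif IP_RE.match(target):
            ip = target
        replies = [r for r in rtts if r is not None]
        hops.append({"hop": int(m["hop"]), "rtts": rtts, "host": host, "ip": ip,
                     "avg_ms": sum(replies) / len(replies) if replies else None,
                     "loss": rtts.count(None)})
    return hops


def silent_hops(hops):
    """Hops that never answered. Usually ICMP filtering, not an outage, if later hops still reply."""
    return [h["hop"] for h in hops if h["avg_ms"] is None]


def biggest_jump(hops):
    """Largest increase in average RTT between consecutive responding hops: (from_hop, to_hop, delta_ms).
    Silent hops are skipped so that one filtered router does not hide the real jump."""
    responding = [h for h in hops if h["avg_ms"] is not None]
    best = None
    for prev, cur in zip(responding, responding[1:]):
        delta = cur["avg_ms"] - prev["avg_ms"]
        if best is None or delta > best[2]:
            best = (prev["hop"], cur["hop"], delta)
    return best


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    for h in hops:
        avg = "no reply" if h["avg_ms"] is None else f"{h['avg_ms']:.1f} ms"
        print(f"hop {h['hop']:>2}: {avg:>10}  {h['host'] or ''} {h['ip'] or ''}")
    print("silent hops:", silent_hops(hops))
    print("biggest jump:", biggest_jump(hops))
```

Per-hop averages are only indicative: each probe may take a different path, and a router's reply time says nothing about how fast it forwards traffic, so a high RTT at one hop followed by lower RTTs further on is normal and not a problem.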

IP Configuration

This gives information about the network interface configuration on the local computer: MAC address, IP address, subnet mask, default gateway, and so on (ipconfig /all on Windows also shows the DNS servers and DHCP lease details).

Windows: ipconfig
Linux and Mac: ifconfig (on current Linux distributions ifconfig is deprecated and often not installed; ip addr gives the same information)

You select a single interface by naming it, e.g. ifconfig en0 on a Mac or ifconfig eth0 on Linux.

These commands can also modify the IP configuration (ipconfig /release and /renew for the DHCP lease; ifconfig and ip with root privileges), but we don't need to know this for the exam.

ARP (Address Resolution Protocol)

ARP maps IP addresses used at the network layer to MAC addresses used at the Ethernet (data link) layer. Every host on an IPv4 Ethernet network keeps an ARP cache. Each time a host needs a MAC address to send a frame to another host on the LAN, it first checks its cache; if the IP to MAC mapping is already there, no new ARP request is needed. If it is not, the host broadcasts an ARP request (“who has 192.168.1.1?”), the owner of that IP replies with its MAC, and the answer is cached. ARP has no authentication: any host on the segment can send forged replies (ARP spoofing or poisoning) so that traffic meant for the gateway or another host is delivered to it instead. A gateway entry whose MAC suddenly changes, or one MAC claiming several IPs, is the classic sign.

You can view the system's ARP cache using the arp command (arp -a on Windows and Mac; ip neigh on modern Linux). Dynamic entries were learned from ARP traffic and expire; static entries are fixed, such as the broadcast and multicast mappings below, which are derived from the address itself and need no ARP.

>arp -a

Interface: 192.168.1.13 --- 0x9
Internet Address Physical Address Type
192.168.1.1 84-9f-b5-57-f2-47 dynamic
192.168.1.2 b0-2a-43-57-c3-64 dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
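Because a poisoned ARP cache looks perfectly normal unless you know what the entries should be, the practical check is to compare snapshots over time and to look for one MAC answering for several IPs. The code below is an added example (not from the notes or from the arp tool) that parses arp -a output and does both. The first snapshot is the table above; the second is constructed to show the indicators, with the gateway's MAC changed and a new host sharing it. The hypothetical attacker MAC de-ad-be-ef-00-01 and host 192.168.1.50 are made up.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Snapshot 1 is the arp -a output shown above. Snapshot 2 is a constructed follow-up in which
# the gateway's entry now points at a different MAC and a new host 192.168.1.50 shares that MAC:
# the picture you would expect if 192.168.1.50 were poisoning the cache to impersonate the gateway.
ARP_BEFORE = """\
Interface: 192.168.1.13 --- 0x9
  Internet Address      Physical Address      Type
  192.168.1.1           84-9f-b5-57-f2-47     dynamic
  192.168.1.2           b0-2a-43-57-c3-64     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ARP_AFTER = """\
Interface: 192.168.1.13 --- 0x9
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-01     dynamic
  192.168.1.2           b0-2a-43-57-c3-64     dynamic
  192.168.1.50          de-ad-be-ef-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(?P<type>dynamic|static)\b",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {ip: (mac, type)} from Windows-style arp -a output (colon-separated MACs accepted too)."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m["ip"]] = (m["mac"].lower().replace(":", "-"), m["type"].lower())
    return table


def is_group_mac(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set; they never belong to one host."""
    return int(mac[:2], 16) & 0x01 == 1


def find_shared_macs(table):
    """MACs that several IPs resolve to, excluding broadcast/multicast. This can be legitimate
    (a router with several addresses), but it is also what ARP spoofing looks like in one snapshot."""
    owners = defaultdict(list)
    for ip, (mac, _kind) in table.items():
        if not is_group_mac(mac):
            owners[mac].append(ip)
    return {mac: sorted(ips, key=ip_address) for mac, ips in owners.items() if len(ips) > 1}


def diff_snapshots(before, after):
    """IPs whose MAC changed between two snapshots: [(ip, old_mac, new_mac)].
    A changed MAC for the default gateway is the classic ARP-poisoning indicator."""
    changes = []
    for ip in sorted(set(before) & set(after), key=ip_address):
        old, new = before[ip][0], after[ip][0]
        if old != new:
            changes.append((ip, old, new))
    return changes


if __name__ == "__main__":
    before, after = parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)
    print("shared MACs now:", find_shared_macs(after))
    print("MAC changes:   ", diff_snapshots(before, after))
```

A legitimate gateway replacement also produces a MAC change, so treat the output as a prompt to check the gateway's real hardware address (from the router itself or the switch's MAC table), not as proof of an attack.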

Netstat

This displays network statistics on Windows, Mac and Linux. It shows you which connections are open, which ports are in use, the remote (foreign) address and port, and the connection state (ESTABLISHED, LISTENING, CLOSE_WAIT, and so on). Useful switches: netstat -a also shows listening ports, -n keeps addresses and ports numeric instead of resolving names, and on Windows -o adds the owning process ID (-b adds the program name but needs an elevated prompt). Unexpected listening ports, or established connections to hosts you do not recognise, are the things worth chasing down to a process.

An example output:

>netstat

Active Connections

Proto Local Address Foreign Address State
TCP 192.168.1.13:2257 40.90.189.152:https ESTABLISHED
TCP 192.168.1.13:2293 52.109.116.4:https ESTABLISHED
TCP 192.168.1.13:2317 40.90.189.152:https ESTABLISHED
TCP 192.168.1.13:2321 172.217.194.188:5228 ESTABLISHED
TCP 192.168.1.13:2326 192-168-1-2:8009 ESTABLISHED
TCP 192.168.1.13:2404 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2405 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2406 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2411 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2412 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2413 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2414 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2415 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2416 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2417 nme-sot-dry-ak1-136:https CLOSE_WAIT
TCP 192.168.1.13:2418 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2419 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2420 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2426 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2427 mia04-011:http ESTABLISHED
TCP 192.168.1.13:2441 52.109.116.4:https ESTABLISHED
TCP 192.168.1.13:2577 151.101.80.133:https ESTABLISHED
TCP 192.168.1.13:2588 syd09s14-in-f14:https ESTABLISHED
TCP 192.168.1.13:2592 syd09s17-in-f10:https ESTABLISHED
TCP 192.168.1.13:2594 sin01s16-in-f4:https ESTABLISHED
TCP 192.168.1.13:2600 52.98.4.82:https ESTABLISHED
TCP 192.168.1.13:2609 syd09s13-in-f14:https ESTABLISHED
TCP 192.168.1.13:2610 syd15s01-in-f14:https ESTABLISHED
TCP 192.168.1.13:2611 syd15s03-in-f14:https ESTABLISHED
TCP 192.168.1.13:2612 syd15s06-in-f14:https ESTABLISHED
TCP 192.168.1.13:2613 searchsites:https ESTABLISHED
TCP 192.168.1.13:2615 syd15s02-in-f10:https ESTABLISHED
TCP 192.168.1.13:2618 server-52-85-45-50:https ESTABLISHED
TCP 192.168.1.13:2621 syd15s06-in-f3:https ESTABLISHED
TCP 192.168.1.13:2629 52.109.112.47:https ESTABLISHED
TCP 192.168.1.13:2630 52.109.112.47:https ESTABLISHED
TCP 192.168.1.13:2631 52.109.112.47:https ESTABLISHED
TCP 192.168.1.13:2635 r-57-41-234-77:http FIN_WAIT_1
TCP 192.168.1.13:2636 li1462-250:https ESTABLISHED

On modern Linux distributions netstat belongs to the deprecated net-tools package; use ss instead (ss -tunap lists TCP and UDP sockets numerically, including listeners, with the owning processes).

nc (netcat)

This command lets you send and receive raw text (or any bytes) over a TCP or UDP connection on Mac and Linux. It is handy for troubleshooting (is the port open? what banner does the service return?), but the same tool lets an attacker talk directly to a service and send it raw, possibly malicious, commands.

You can open a connection to a server by giving the host and the port:

nc lynda.com 80

Then you type the protocol commands yourself, for example a minimal HTTP request followed by an empty line (press Enter twice):

GET / HTTP/1.0

This requests the root document; the server answers with its HTTP status line and headers followed by the HTML (or a redirect to HTTPS). Because nc speaks plain TCP it cannot talk to an HTTPS port directly; openssl s_client -connect lynda.com:443 gives you the same raw interaction over TLS.

Windows has no built-in nc, but ncat (shipped with Nmap) provides the same functionality, and PowerShell's Test-NetConnection can at least check whether a port is open.
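To show exactly what happens when you type an HTTP request into nc, here is an added example (not from the notes or from netcat) in Python. raw_exchange does what nc does once connected: it sends the bytes you give it and returns whatever comes back until the peer closes. http_get wraps it with a correctly formed HTTP/1.0 request and splits the reply into status, headers and body. So that it runs offline, the remote web server is replaced by a small constructed server on 127.0.0.1 that echoes back the request line it received; in real use you would point raw_exchange at a real host and port.

```python
import socket
import threading


def start_demo_http_server():
    """Stand-in for the remote web server: answers any request on 127.0.0.1 with a small constructed
    page that quotes the request line it received. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            request = b""
            while b"\r\n\r\n" not in request and len(request) < 4096:   # read until end of headers
                chunk = conn.recv(1024)
                if not chunk:
                    break
                request += chunk
            request_line = request.split(b"\r\n", 1)[0].decode(errors="replace")
            body = f"<html><body><p>Constructed demo page. You sent: {request_line}</p></body></html>".encode()
            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: demo\r\nContent-Type: text/html\r\n"
                         + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)
        # leaving the 'with' closes the connection, as an HTTP/1.0 server does after one response

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def raw_exchange(host, port, payload, timeout=2.0):
    """What 'nc host port' does once you type: open a TCP connection, send the bytes exactly as given,
    then return everything the peer sends back until it closes the connection (or goes quiet)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def http_get(host, port, path="/"):
    """The request you would type into nc, sent programmatically; returns (status_code, headers, body)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = raw_exchange(host, port, request)
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    status = int(lines[0].split()[1])                  # "HTTP/1.0 200 OK" -> 200
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return status, headers, body


if __name__ == "__main__":
    srv, port = start_demo_http_server()
    status, headers, body = http_get("127.0.0.1", port)
    print(status, headers)
    print(body.decode())
    srv.close()
```

Nothing in raw_exchange knows about HTTP: the same function will happily deliver an SMTP conversation, a malformed request to see how a server copes, or the first bytes of a binary protocol, which is both why netcat is so useful for troubleshooting and why defenders watch for it on hosts where it has no business being.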


2.6.5 DNS Harvesting

The Domain Name System (DNS) translates between domain names and IP addresses. Querying it is a cheap way to learn about a target: the A record gives the IP address, MX records the mail servers, NS records the name servers, and so on.

Dig command

dig is the primary DNS lookup command on Mac and Linux, e.g. dig lynda.com A, dig lynda.com MX, or dig @8.8.8.8 lynda.com to ask a specific resolver.

NSLOOKUP

nslookup is the Windows equivalent of dig; it works on Mac and Linux too.

nslookup lynda.com
Server: UnKnown
Address: fe80::1

Non-authoritative answer:
Name: lynda.com
Address: 8.39.42.106

The first two lines identify the resolver that answered (here the link-local IPv6 address of the home router; “UnKnown” just means nslookup could not reverse-resolve that address to a name). “Non-authoritative answer” means the result came from the resolver's cache or a recursive lookup rather than directly from lynda.com's own authoritative name servers.
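What nslookup and dig do under the hood is build a small binary query, send it over UDP port 53 and decode the reply. The following added example (not from the notes or from either tool) builds the wire-format query for lynda.com and parses a DNS response; the response bytes are constructed by hand to carry the A record shown above, including the name-compression pointer (c0 0c) that real responses use. The resolve() function performs a live lookup against a resolver you name and is included for completeness; the offline demonstration only uses the constructed packet. Matching the 16-bit transaction ID (together with the source port) to the outstanding query is the client's main defence against a spoofed answer, so parse_response rejects a mismatched ID.

```python
import os
import socket
import struct

# Constructed DNS response (not captured from a real resolver) answering "lynda.com A?" with
# 8.39.42.106, the address nslookup returned above. ID 0x1234; flags 0x8180 = response,
# recursion desired + recursion available, AA clear (a non-authoritative answer).
SAMPLE_RESPONSE = bytes.fromhex(
    "1234" "8180" "0001" "0001" "0000" "0000"   # header: ID, flags, QDCOUNT 1, ANCOUNT 1, NSCOUNT 0, ARCOUNT 0
    "056c796e646103636f6d00" "0001" "0001"      # question: 5"lynda" 3"com" 0, QTYPE A, QCLASS IN
    "c00c" "0001" "0001" "0000012c" "0004"      # answer: name = pointer to offset 12, type A, class IN, TTL 300, RDLENGTH 4
    "08272a6a"                                  # RDATA: 8.39.42.106
)

QTYPE_A = 1


def encode_name(name):
    """'lynda.com' -> b'\\x05lynda\\x03com\\x00' (length-prefixed labels, terminated by a zero length)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Build the wire-format query nslookup/dig send. Returns (txid, packet). The random 16-bit ID
    is what the client later matches against the answer; a spoofed reply has to guess it."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD (recursion desired)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN


def read_name(data, offset, depth=0):
    """Decode a possibly compressed name starting at offset; returns (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                          # compression pointer (RFC 1035 4.1.4)
            if depth > 10:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            target, _ = read_name(data, pointer, depth + 1)
            labels.append(target)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data, expected_id=None):
    """Parse the header, skip the question section, return the answer RRs as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction ID mismatch: not the answer to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "authoritative": bool(flags & 0x0400), "answers": answers}


def resolve(name, server, port=53, timeout=3.0):
    """Live lookup over UDP (needs network; not used by the offline demo): send our query, parse the reply."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data, expected_id=txid)


if __name__ == "__main__":
    txid, packet = build_query("lynda.com", txid=0x1234)
    print("query bytes:", packet.hex())
    print("parsed reply:", parse_response(SAMPLE_RESPONSE, expected_id=txid))
```

The "authoritative" flag in the parsed result is the AA bit, which is exactly what nslookup is reporting when it prints "Non-authoritative answer": the resolver answered from its cache rather than being the domain's own name server.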

Whois Lookup

The whois utility reports the registration details of domain names and IP addresses. It is available as a command (whois lynda.com on Mac and Linux) and through many websites, for example http://whois.domaintools.com/ Looking up a domain name returns information such as:

  • The registrar
  • How old it is (creation, update and expiry dates)
  • IP address
  • Name servers
  • IP location
  • Domain status
  • Server type
  • And more

You can also use a whois lookup on an IP address, which returns the owning organisation and netblock from the regional internet registry (ARIN, RIPE, APNIC and so on). Note that since 2018 many registrars redact registrant contact details, so a domain lookup may show only the registrar, dates and name servers.

Reverse Whois

https://viewdns.info/reversewhois/
With this you can enter an email address (or a registrant name) and it returns the domains linked to it. For example, if you enter hostmaster@linkedin.com it pulls up all the domains that list this address as the owner/contact.

