- 2.6.1 Protocol Analysers
- 2.6.2 Network Scanning
- 2.6.3 Exploitation frameworks
- 2.6.4 Command Line Network Tools
- ARP (Address Resolution Protocol)
- 2.6.5 DNS Harvesting
2.6.1 Protocol Analysers
Protocol Analysers allow administrators to peer into the packets travelling on a network and inspect them in deep detail. This is very useful when trying to troubleshoot network issues or investigate security incidents. Wireshark intercepts traffic and converts that binary traffic into human-readable format. This makes it easy to identify what traffic is crossing your network, how much of it, how frequently, how much latency there is between certain hops, and so forth.
Wireshark is a protocol analyser/packet sniffer. It can be used to get in depth detail about the traffic on the network.
TCPDUMP is a command line packet sniffer.
Wireshark and TCPDUMP and both built on the libcap library
2.6.2 Network Scanning
Network scanning is used to detect active systems on the network.
This provides an important glimpse of network activity. It is particularly useful at detecting rogue systems. One of the most popular network mapping tools is NMAP (short for network mapper). It is a free download from nmap.org.
NMAP can scan your network and find a lot information such a
- Device names
- OS version
- Open ports
EXAM TIPS: get some hands on experience with NMAP
2.6.3 Exploitation frameworks
These are like hackers Swiss army knives. They contain the tools used to test vulnerabilities. They can be used for both evil and good.
This is one of the most common Exploitation Frameworks. It began as an open source project but was purchased the security firm Rapid 7. The Metasploit Community Edition is free, but the Pro version is a commercial product with some extra features.
With This software you can scan your network for devices. It will then give you information about these. It will tell you what services are running and on what port. An example might be SSH running on port 22. You can then search Metasploit for a “SSH exploit” module, this could be a login attack. You give it a list of usernames and passwords and it loops through them trying to connect. This can return some useful information like if a username actually exists on the system. From there you could carry out a bruteforce attack.
The system has lots of different modules for many different services and programs.
Exam TIP: get some hands on experience with Metasploit
2.6.4 Command Line Network Tools
These are quick and easy way to view network configuration and troubleshooting information.
ICMP and Ping
Ping helps you check if another system is accessible. It uses the Internet Control Message Protocol (ICMP).
The system that initiates the ping sends an “Are you there?” message. If the destination system is accessible it will send an “Yes I am here” response.
Troubleshooting with Ping
Ping can be very useful for troubleshooting. EG: say you are having trouble hitting a web server. With you can:
- Try pinging the web server
- Try pinging another server on the internet. This will tell you if you can access the internet
- Ping a system on your local network
- Try the ping from a different computer
NOTE: some systems have ping blocked on the firewall. This is worth noting because if a system doesn’t reply it doesn’t mean its offline, it just might not be responding to pings.
This command allow you to trace the path between two hosts on the network.
On Linux the command is: traceroute
On Windows the command is: tracert
Example of trace route on Windows:
Tracing route to lynda.com [188.8.131.52]
over a maximum of 30 hops:
1 2 ms 1 ms 2 ms 192-168-1-1.tpgi.com.au [192.168.1.1]
2 12 ms 10 ms 9 ms syd-sot-ken2-bras5-lo-20.tpgi.com.au [10.20.22.62]
3 10 ms 12 ms 11 ms nme-sot-dry-wgw1-be-10.tpgi.com.au [184.108.40.206]
4 51 ms 26 ms 22 ms nme-sot-dry-crt1-be-50.tpgi.com.au [220.127.116.11]
5 24 ms 22 ms 23 ms nme-apt-bur-crt1-be-30.tpgi.com.au [18.104.22.168]
6 28 ms 30 ms 22 ms syd-gls-har-crt1-be-10.tpgi.com.au [22.214.171.124]
7 25 ms 22 ms 22 ms syd-gls-har-int2-be200.tpgi.com.au [126.96.36.199]
8 176 ms 177 ms 177 ms equinix-ix.sjc1.us.voxel.net [188.8.131.52]
9 219 ms 219 ms 225 ms bbr1.inapbb-dal-sje-1-2-4-6.dal006.pnap.net [184.108.40.206]
10 221 ms 222 ms 220 ms bbr2.ae7.dal006.pnap.net [220.127.116.11]
11 252 ms 254 ms 251 ms bbr1.xe-0-0-1.inapbb-wdc-dal-7.wdc002.pnap.net [18.104.22.168]
12 259 ms 258 ms 259 ms core2.be-3.inapvox-9.wdc002.pnap.net [22.214.171.124]
13 236 ms 238 ms 236 ms border12.xe-1-1-bbnet2.wdc002.pnap.net [126.96.36.199]
14 236 ms 236 ms 236 ms lynda-3.border11.wdc002.pnap.net [188.8.131.52]
15 239 ms 236 ms 241 ms 45-42-65-4.fwd.lynda.com [184.108.40.206]
16 236 ms 237 ms 237 ms www.lynda.com [220.127.116.11]
You get a line for each system it hits on the way. If you get stars *** it means that system is not responding with information about itself.
This gives information about the network interface configuration on the local computer. It gives you MAC address, ip, subnet, gateway etc…
Linux and Mac: ifconfig
You select a single interface by using the command ifconfig en0
These commands can also modify the IP configuration, but we don’t need to know this for the exam.
ARP (Address Resolution Protocol)
This translates IP addresses used at the network layer and MAC addresses used at the ethernet layer. All operating systems in an IPv4 Ethernet network keep an ARP cache. Every time a host requests a MAC address in order to send a packet to another host in the LAN, it checks its ARP cache to see if the IP to MAC address translation already exists. If it does, then a new ARP request is unnecessary. If the translation does not already exist, then the request for network addresses is sent and ARP is performed.
You can view the systems ARP cache using the arp command.
Interface: 192.168.1.13 — 0x9
Internet Address Physical Address Type
192.168.1.1 84-9f-b5-57-f2-47 dynamic
192.168.1.2 b0-2a-43-57-c3-64 dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
18.104.22.168 01-00-5e-00-00-16 static
22.214.171.124 01-00-5e-00-00-fb static
126.96.36.199 01-00-5e-00-00-fc static
188.8.131.52 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
This displays network statistic on Mac and Windows. It shows you what connections are open, what ports are being used, destination, state etc…
An example output:
Proto Local Address Foreign Address State
TCP 192.168.1.13:2257 184.108.40.206:https ESTABLISHED
TCP 192.168.1.13:2293 220.127.116.11:https ESTABLISHED
TCP 192.168.1.13:2317 18.104.22.168:https ESTABLISHED
TCP 192.168.1.13:2321 22.214.171.124:5228 ESTABLISHED
TCP 192.168.1.13:2326 192-168-1-2:8009 ESTABLISHED
TCP 192.168.1.13:2404 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2405 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2406 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2411 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2412 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2413 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2414 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2415 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2416 a23-202-162-124:http CLOSE_WAIT
TCP 192.168.1.13:2417 nme-sot-dry-ak1-136:https CLOSE_WAIT
TCP 192.168.1.13:2418 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2419 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2420 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2426 a184-26-33-55:https CLOSE_WAIT
TCP 192.168.1.13:2427 mia04-011:http ESTABLISHED
TCP 192.168.1.13:2441 126.96.36.199:https ESTABLISHED
TCP 192.168.1.13:2577 188.8.131.52:https ESTABLISHED
TCP 192.168.1.13:2588 syd09s14-in-f14:https ESTABLISHED
TCP 192.168.1.13:2592 syd09s17-in-f10:https ESTABLISHED
TCP 192.168.1.13:2594 sin01s16-in-f4:https ESTABLISHED
TCP 192.168.1.13:2600 184.108.40.206:https ESTABLISHED
TCP 192.168.1.13:2609 syd09s13-in-f14:https ESTABLISHED
TCP 192.168.1.13:2610 syd15s01-in-f14:https ESTABLISHED
TCP 192.168.1.13:2611 syd15s03-in-f14:https ESTABLISHED
TCP 192.168.1.13:2612 syd15s06-in-f14:https ESTABLISHED
TCP 192.168.1.13:2613 searchsites:https ESTABLISHED
TCP 192.168.1.13:2615 syd15s02-in-f10:https ESTABLISHED
TCP 192.168.1.13:2618 server-52-85-45-50:https ESTABLISHED
TCP 192.168.1.13:2621 syd15s06-in-f3:https ESTABLISHED
TCP 192.168.1.13:2629 220.127.116.11:https ESTABLISHED
TCP 192.168.1.13:2630 18.104.22.168:https ESTABLISHED
TCP 192.168.1.13:2631 22.214.171.124:https ESTABLISHED
TCP 192.168.1.13:2635 r-57-41-234-77:http FIN_WAIT_1
TCP 192.168.1.13:2636 li1462-250:https ESTABLISHED
On Linux you use SS to get this information
NC (Net Cap)
This command allows you to send and receive raw text on a network connection on Mac and Linux. This can be useful for troubleshooting, but can also be used by attackers to send raw malicious commands to a server.
You can open a connection to a server by doing the following:
Then you can send commands:
This will get the root and try and display the html
There is no NC equivalent on Windows.
2.6.5 DNS Harvesting
Doman Name Service translates between domain names and IP addresses.
This is the primary command for looking up DNS on Mac and Linux systems.
This is the Windows version of the dig command. It works on Mac and Linux too.
The Whois utility can help you learn more about the ownership of domain names and IP addresses. There are many websites that offer Whois Lookups. An example is http://whois.domaintools.com/ You can lookup a domain name here and it will give you lots of information like:
- The registrar
- How old it is
- IP address
- Name Servers
- IP Location
- Domain status
- Server type
- And more
You can also use Whois Lookup for an IP address.
With this you can enter an email address and it will return which domains are linked to this address. EG: if you put in email@example.com it pulls up all the domains that have this address as the owner/contact.