CHAPTER 23
Tools and Utilities

Network administrators must be armed with a wide variety of software tools to monitor, diagnose, and control the network around them. In this chapter, you will learn the basic tools of this arsenal. Certain tools are known by slightly different names in different operating systems but essentially accomplish the same tasks. In this chapter, you will learn to:

  • Apply different tools and utilities to various cybersecurity situations
  • Identify commonly used network monitoring tools
  • Use a software packet sniffer to examine different types of network traffic

Using Basic Tools

There are certain basic administrative, troubleshooting, and monitoring tools and utilities that every cybersecurity specialist should have in their toolbox. The following sections describe some prominent versions of the basic tools required. Some are tools already available through the installed operating system, while others are third-party tools for download or purchase.

ifconfig/ipconfig

The first tool you need to be familiar with is either ifconfig or ipconfig, depending on your operating system. The former is used on Unix/Linux systems, while ipconfig accomplishes the same function on Windows systems.

This tool is used at the command line and presents you with the local system’s IP address and other basic network-configuration information. This tool is your first stop when you want to know the gateway’s IP address, where the system sends DNS queries, whether the system was served its IP address by DHCP or it was assigned statically, along with other useful information.

Whois

Frequently, you will need to know some information about a domain. As shown in Figure 23.1, you can go to the website of virtually any domain registrar and use their Whois search tool to find information concerning ownership, administrative and technical responsibility, and the name of the server responsible for providing host information. Whois is also a command-line utility in some operating systems.


FIGURE 23.1 Whois Tool

These days many registrations are private, which means you can’t learn anything about ownership, administrative, or technical contacts; you can only obtain information about the name server. This information is subject to ICANN rules but may not always be accurate. Still, this can be a great place to learn something about a domain.

Many websites offer this service and all Unix-like operating systems offer this command-line tool. Not all Whois tools will access information for every top-level domain, however. In some instances, you may have to go to a specific registrar to fully query a particular top-level domain.

Nslookup

The nslookup command is a command-line DNS query tool that is typically the first tool used to gain DNS information about a website. The basic nslookup command returns the IP address information associated with a specified domain name.

The basic command can be modified by adding specific parameters to obtain other types of information, such as Name servers or Mail exchanges.

Although nslookup is a great tool for troubleshooting DNS hostname resolution problems, it is also one of the most commonly used tools in the information-gathering process of the enumeration phase of a cyber attack.

PING

PING is a software utility used to evaluate the ability to reach any other IP host. The PING command measures the round-trip time for packets sent from the originating host to the target host. The PING utility sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for a response, measuring the trip time and any packet loss.

PING and ping6 (for IPv6 hosts) are available as command-line tools in many operating systems, and a variety of software products also offer this capability, often packaged with traceroute features.

The PING command can be a great way to determine if a host is alive, as well as the quality of the connection between your network and a host. However, ICMP traffic is generally considered low-priority traffic; therefore, busy networks may ignore it. In addition, because it is possible to flood a network with PING requests (referred to as a ping flood), ICMP traffic is often blocked. Most firewall devices can be used to block ICMP traffic completely.

Some options available with the PING utility, such as adjusting the packet size or sending without waiting for a reply, can be used to create a ping flood that results in a denial-of-service (DoS) attack. Such a ping flood would certainly consume incoming bandwidth. However, if the network replies to the ICMP requests, then outgoing bandwidth will be consumed as well.

Sadly, it is also possible to send malformed PING packets maliciously. Older systems, for example, could not handle a packet larger than 65,535 bytes, and any packet larger than that would crash the computer. Modern routers should examine these packets for size and fragmentation and enforce rules that prevent any problems from a “ping of death.”

While it is typically good practice to allow ICMP traffic on public networks for a variety of reasons, it is critical that your firewall be able to block ICMP traffic, and for most networks you may even want to set the firewall not to reply to these requests itself. A PING request should look something like the one depicted in Figure 23.2:


FIGURE 23.2 PING
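The following example, added here and not part of the original chapter, builds the two ICMP messages that make up one ping (an echo request, type 8, and its echo reply, type 0), verifies the RFC 1071 checksum the way a protocol analyzer does, and pairs replies with requests by their identifier and sequence number. The 32-byte payload is a constructed sample in the pattern the Windows ping client uses; no raw sockets are needed, so it runs offline.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Constructed 32-byte payload in the style of the Windows ping client.
SAMPLE_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data to 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (type 8) or echo reply (type 0): 8-byte header + payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the fields Wireshark shows in its Packet Details pane; reject corrupt messages."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # A message whose checksum is intact sums to zero when the checksum itself is included.
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def pair_echoes(packets):
    """Match echo replies to echo requests by (id, seq), as you would by eye under an 'icmp' filter.

    Returns (pairs, unanswered): pairs is a list of (seq, request, reply) dicts,
    unanswered is the sorted list of (id, seq) keys that never received a reply.
    """
    pending = {}
    pairs = []
    for raw in packets:
        msg = parse_icmp(raw)
        key = (msg["id"], msg["seq"])
        if msg["type"] == ICMP_ECHO_REQUEST:
            pending[key] = msg
        elif msg["type"] == ICMP_ECHO_REPLY and key in pending:
            request = pending.pop(key)
            if request["payload"] == msg["payload"]:   # a real reply echoes the data back
                pairs.append((msg["seq"], request, msg))
    return pairs, sorted(pending)


if __name__ == "__main__":
    request = build_echo(ICMP_ECHO_REQUEST, 1, 7, SAMPLE_PAYLOAD)
    reply = build_echo(ICMP_ECHO_REPLY, 1, 7, SAMPLE_PAYLOAD)
    matched, lost = pair_echoes([request, reply])
    print("matched pairs:", [seq for seq, _, _ in matched], "unanswered:", lost)
```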

Traceroute

A TRACEROUTE utility will display the route (path) that packets will travel from one IP to another. As with PING, the round-trip time of the ICMP packets (also known as latency) is measured; however, with traceroute this time is measured between each successive host in the route.

Each segment of the route is known as a hop. Traceroute will send three packets and measure the time required to complete each hop. The cumulative latency at each hop is recorded, usually in milliseconds, along with the IP and host name (acquired through a reverse lookup) of each node.

This can be a great way to look at latency issues between hosts and evaluate the connection to determine where excessive latency exists or a route fails.

Traceroute is available in most operating system command-line interfaces. Windows uses the TRACERT utility. Some utilities, such as tcptraceroute, may use TCP packets.

A typical traceroute operation should look something like the one shown in Figure 23.3.


FIGURE 23.3 Traceroute Operation

Telnet

Telnet is an application-layer client-server protocol; Telnet client software establishes a connection between a computer (or device) and a remote Telnet server, which typically listens on port 23. This is very much a text-based command-line interface that allows the remote user to perform operations as if they had logged into the server locally, as shown in Figure 23.4.


FIGURE 23.4 Telnet Operation

Many types of Telnet emulations are available via custom client software, but most have no encryption available; therefore, there is no guarantee that your communication will not be intercepted while in transit. Some older network devices may only support Telnet, but whenever possible you should use SSH instead.

Secure Shell

Secure Shell (SSH) is an encrypted network protocol for secure client-server connections. Designed to replace nonsecure shell protocols—such as Telnet—SSH employs public-key cryptographic authentication. Users can authenticate with a password as with Telnet, or they can use key pairs—or both. Administrators responsible for SSH connections should be well versed in SSH key management.

File transfer is also possible using the associated SSH File Transfer Protocol (SFTP) or Secure Copy Protocol (SCP). SSH supports tunneling and port forwarding, so it can be an important tool in some network security schemes. SSH is included in all Unix-like distributions but not with Windows, although you can obtain versions for most versions of Windows.

Even if you aren’t administering an SSH server, you will most likely use an SSH client at some point. Despite rumors of the NSA decrypting SSH connections and some past vulnerabilities, SSH is considered to be a secure and reliable protocol that all but eliminates potential eavesdropping on your network traffic.

Monitoring Tools and Software

To truly secure a network, you must have some way of monitoring and testing it. Over time, increasingly powerful network monitoring tools and services have become available. These tools can be used to ensure that servers (or even specific services on those servers) are up and running, or they can be used to simply monitor data flow.

Typically, server- or service-monitoring products will send requests to that service (such as an HTTP request to a web server) and measure the response. If the request yields no reply or the reply is too slow, then a message may be sent to a network administrator via email, SMS, or some other alert methodology. It is important to have at least one monitor that is independent of the network being monitored to ensure that an alert will be generated when the network is down.
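The check described above, written out as an added example (not code from the chapter or from any of the products named later): one HTTP probe with a timeout, classified as up, slow, or down, plus the alert text an administrator would receive. The local web server, the /slow path, and the latency threshold are constructed for the demonstration so that it runs offline.

```python
import http.server
import socket
import threading
import time


def probe_http(host: str, port: int, path: str = "/", timeout: float = 2.0,
               slow_ms: int = 500) -> tuple:
    """Send one HTTP/1.0 GET and classify the service as 'up', 'slow', or 'down'.

    Returns (state, latency_ms, detail). A refused connection, a timeout, or a
    non-200 status line is 'down'; a 200 that took longer than slow_ms is 'slow'.
    """
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = b""
            while b"\r\n" not in data:            # only the status line is needed
                chunk = sock.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:                         # ConnectionRefusedError, TimeoutError, ...
        return "down", int((time.monotonic() - started) * 1000), type(exc).__name__
    latency_ms = int((time.monotonic() - started) * 1000)
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if not status_line.startswith("HTTP/") or status_line.split(" ")[1:2] != ["200"]:
        return "down", latency_ms, status_line or "empty reply"
    return ("slow" if latency_ms > slow_ms else "up"), latency_ms, status_line


def format_alert(service: str, result: tuple) -> str:
    """Message to send by email or SMS; an empty string means no alert is needed."""
    state, latency_ms, detail = result
    if state == "up":
        return ""
    return f"ALERT {service}: {state} after {latency_ms} ms ({detail})"


# --- constructed local web server so the probe can be exercised without a network ---
class _DemoHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/slow":
            time.sleep(0.8)                        # simulate an overloaded server
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):                  # keep the demo quiet
        pass


def start_demo_server():
    """Start the constructed server on an ephemeral localhost port; returns the server object."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def free_port() -> int:
    """Pick a localhost port nothing listens on, to demonstrate the 'down' path."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_demo_server()
    port = srv.server_address[1]
    for name, path in (("web", "/"), ("web-slow", "/slow")):
        result = probe_http("127.0.0.1", port, path)
        print(name, result, format_alert(name, result) or "no alert")
    print("dead", format_alert("dead", probe_http("127.0.0.1", free_port())))
    srv.shutdown()
```

Run the probe from a host outside the monitored network as well; a monitor that sits behind the same outage cannot raise the alert.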

Much of this monitoring requires nothing more than sifting through logs to find errors or other issues, which can be a more-than-daunting task for network administrators. Software tools that summarize or even graph this log data can be tremendous productivity aids.

Network monitoring tools can be divided into two main types:

  • Uptime and performance monitoring utilities
  • Packet analyzers

Just about any protocol can be monitored for uptime and performance, and the period that it is tested can be adjusted to match the importance of that service. From a single network location, you can monitor all local services and even remote services such as a distant web server or mail server.

A packet analyzer is typically inserted into the network so that network traffic flows through it, allowing packets to be captured in real time, as shown in Figure 23.5. As the network traffic passes through the analyzer, it “sniffs” the packets looking for malicious activity, or it simply logs what’s going on.


FIGURE 23.5 A Packet Analyzer Tool

Normally, only network traffic intended for a specific system is viewable on that system; therefore, to be able to view all traffic, the analyzing system is set to “promiscuous” mode in order to view traffic flowing on the attached network.

Packet and protocol analyzers require two network interfaces so they can examine the network activity as it flows through them.

Because they do not require tremendous CPU resources, an older laptop that can support two Ethernet interfaces can be ideal. Performance monitoring products can run on older hardware as well, and they can be a great way to use unwanted, aging computer hardware.

There are a number of free and commercial products, as well as a growing service industry, ready to provide these monitoring services. Free products are a great place to start because they are fairly easy to set up and don’t require a lot of resources.

The following sections discuss just a few of these products for you to consider. Using these and other network testing tools will enable you to more easily audit a network in order to understand its resources, evaluate its risks, assess its vulnerabilities, and create a plan for mitigating these risks and vulnerabilities.

Nagios

Nagios is probably the most well-known network monitoring tool that still has a free version; however, it has grown and offers a full-featured commercial enterprise version as well. A fork of this project, Icinga, is an interesting open-source alternative that is more full-featured than the free version of Nagios. Both products have plenty of monitoring, reporting, and notification options that are best suited to uptime monitoring but can monitor performance as well.

SolarWinds

SolarWinds offers an incredibly powerful commercial network-performance-monitoring product. While this product is somewhat expensive, it is immensely powerful and can monitor uptime, performance, traffic flow, and utilization. It also offers a plethora of reporting, graphing, and notification options.

Microsoft Network Monitor

Microsoft Network Monitor is a packet analyzer that can help you view your traffic flows and troubleshoot network problems. As you might expect, this product does a wonderful job interacting with proprietary Microsoft protocols, but most common public protocols are supported as well.

Wireshark

Wireshark is a mature, open-source, and cross-platform network protocol analyzer. It is probably the most well-known protocol analyzer, and it supports just about every protocol and runs on nearly any platform. For more information about Wireshark, visit www.wireshark.org.

Wireshark, shown in Figure 23.6, is a valuable tool for capturing and subsequently analyzing traffic to discover, as well as for troubleshooting network issues. It can be used to learn more about the protocols used on a given network. This tool is easy to employ, but it requires experience and practice to accurately analyze the results it produces. However, every network admin should have this product in their arsenal.


FIGURE 23.6 Wireshark

Snort

Snort is an open-source, cross-platform intrusion-detection system that provides real-time traffic analysis, packet logging, and protocol analysis as well as active detection for worms, port scans, and vulnerability exploit attempts. This, of course, is useful in monitoring the network in real time. It is well suited to identifying probes and attacks, but it can act as a network sniffer as well. Snort, shown in Figure 23.7, is an excellent product for networks that feature public services. For more information about Snort, visit www.snort.org.


FIGURE 23.7 Snort

Perhaps more than any other tool listed here, Snort has many complementary products with which it can be used to extend its detecting and reporting capabilities.

As with any intrusion-detection/prevention system, Snort is effective only if properly “tuned” to the network on which it is being used. Without due diligence in tuning an IDS/IPS, administrators will battle both too many false positives (wrongly accused alerts) and too many false negatives (missed real concerns).

Nmap

Nmap, shown in Figure 23.8, is an open-source and cross-platform network-mapper utility for network discovery and security auditing; it is also used for network inventory, monitoring, and upgrade scheduling. This is a highly flexible tool used to examine, profile, and assess the systems in any network. It is particularly useful for discovering open ports and service versions. For more information about Nmap, visit www.nmap.org.


FIGURE 23.8 Nmap Utility

As shown in Figure 23.8, Nmap can be used with both a command-line and a GUI interface.

Nikto

Nikto is an open-source web server scanner that can identify issues on a web server. For more information about Nikto, visit cirt.net/nikto2.

OpenVAS

OpenVAS is an open-source vulnerability scanner for Linux and Windows that is a fork of the last free version of the now-commercial Nessus. Built as a full vulnerability-management solution, this tool uses SCAP and can perform a number of network vulnerability tests (NVT); it can look for common vulnerabilities and exposures (CVE). This product has a bit of a learning curve, but it is a well-respected and powerful tool worth considering. For more information about OpenVAS, visit openvas.org.

Metasploit

Metasploit is one of the most popular open-source penetration-testing frameworks available. It is available for both Windows and Linux environments. It is commonly used to identify and validate network vulnerabilities, including simulating attacks that prey on human vulnerabilities, as shown in Figure 23.9. Metasploit can also be used to prioritize responses to any network vulnerabilities that are discovered. For more information about Metasploit, visit www.metasploit.com.


FIGURE 23.9 Metasploit Operation

Metasploit is normally a command-line-based tool. However, as portrayed in Figure 23.9, there are also commercial tools that provide a GUI front end.

The Browser Exploitation Framework (BeEF)

The Browser Exploitation Framework (BeEF) is another notable open-source penetration-testing tool, but it focuses on web-borne attacks through a web browser. BeEF is available for MacOS, Windows, and Linux. For more information about BeEF, visit www.beefproject.com.

Other Products

Some other security products that are worth evaluating include Nessus, Core Impact, and Nexpose. There are also dedicated hardware solutions, such as Netscout from nGenius, that offer serious solutions for monitoring network services and performance. Every network should have some sort of monitoring enabled at all times, and every network administrator should have access to a dependable packet-sniffing tool as well.

Hands-On Exercises

Objectives

  • Initiate a Wireshark Capture application on the wired Ethernet interface.
  • Examine various protocols and traffic.
  • Capture and analyze a PING sequence.
  • Describe the ways in which analyzing packets could help detect malicious activity.

Resources

  • Customer-supplied desktop/laptop hardware system
  • Windows 10 Professional installed
  • Wireshark packet analyzer installed
  • An account with administrative access

Discussion

Packet analyzers are devices or software tools that can capture (intercept and log) data as it moves through a digital network. These tools are also known as packet sniffers, network analyzers, and protocol analyzers. As the analyzer examines the traffic moving through it, it unpacks the traffic into packets (such as the TCP/IP packets that move across an Ethernet network) so that they can be analyzed.

These tools have a wide range of applications in a networked environment. They are routinely used to diagnose network problems, identify configuration issues, and resolve network bottlenecks. Security specialists can also use packet analyzers to monitor networks for vulnerabilities, misuse, and attempted cyber attacks. Pentesters (legal, or white-hat, hackers) and hackers (illegal, or black-hat, hackers) also use packet analyzers to sniff networks in an attempt to steal unencrypted data moving through a network, such as login credentials, financial information, or email messages. They may also use these tools to perform reconnaissance for setting up future attacks.

Wireshark is a network-packet analysis tool that is commonly used to capture packets as they move across a network and display them in as much detail as possible. Wireshark is a free and open-source program that is used for troubleshooting, analysis, debugging protocol implementations, and examining security concerns.

Procedures

In this procedure, you will explore the uses of Wireshark as it applies to cybersecurity. Analyzing traffic can give you great insight into the activity on your network. Wireshark is one of many tools you should employ to secure your network.

Launching Wireshark

You will begin by launching Wireshark and becoming familiar with the interface.

  1. Power on your machine.
  2. Log on using an account with administrative privileges.
  3. Locate the Wireshark shortcut icon on your desktop. Right-click the icon and select Run As Administrator. Wireshark will launch, as shown in Figure 23.10.

    FIGURE 23.10 Wireshark Interface

You should see that the NetGroup Packet Filter Driver service started successfully. You will need to restart Wireshark.

Generally, you should not run Wireshark with an administrative account. For this scenario, however, it will be fine; but in normal environments, you should run it with a lower-privileged account and escalate when prompted.

  1. Explore your options by reading each heading and subheading. Many configuration options are available.
  2. To begin capturing live packets, click on the network device appropriate for your particular network configuration. The device you choose will most likely be either Ethernet or Wi-Fi, depending on how you connect your computer to the Internet, as highlighted in Figure 23.11.

    FIGURE 23.11 Starting to Capture Packet Traffic


    FIGURE 23.12 Wireshark Capture Window

  3. Click the red square icon, located in the top-left corner of the window, to stop the running live capture.

The Capture window is divided into three main sections. The top-most section lists the captured packets in sequence, with the capture number and time associated with the packet in the left columns. This section is known as the Packet List pane.

The middle section, also known as the Packet Details pane, shows the analysis of the highlighted packet.

The bottom section, known as the Packet Bytes pane, provides the packet in its transmitted hexadecimal form.

  1. Examine the interface and see if you can decipher the information on the screen. Select various packets in the top Packet List pane; and in the Packet Details and Packet Bytes panes, examine the information associated with those packets.
  2. In Table 23.1, record the defining columns in the top Packet List pane.

TABLE 23.1 Defining Columns

No.    Time    Source    Destination    Protocol    Length    Info

By locating the Protocol column, you can get a general idea of what the packet contains. By looking at Figure 23.12, you can determine that the protocols include:

  • ARP: Address Resolution Protocol
  • CLDAP: Connectionless Lightweight Directory Access Protocol
  • DNS: Domain Name System
  • NBNS: NetBIOS Name Service
  • SMB: Server Message Block

  1. In the Packet List pane, locate one IP address that is not your own and record it on the following line:

Capturing a PING

For this exercise, you will ping another IP address and attempt to locate its packet while running Wireshark.

  1. Click on the search bar on your desktop taskbar.
  2. Type cmd and press Enter. The command prompt will launch.
  3. Using the IP address recorded earlier, type ping [IP address], but do not press Enter. This will produce a screen like the one shown in Figure 23.13.

    FIGURE 23.13 Sending a PING Request

  4. Return to the Wireshark window. In the top-left corner of the window, you will notice a bright-green shark fin (Start icon). Click on it to Start a new live capture.
  5. You will be prompted to save your captured packets. Select Continue Without Saving.
  6. After the capture has begun, return to the command prompt and press Enter to initiate the PING process depicted in Figure 23.14.

    FIGURE 23.14 Ping

  7. When the PING process has completed, return to Wireshark and stop the live capture by selecting the red square located near the top-left corner of the window.

You will notice at least one new protocol present on the list. The ICMP protocol should be listed, as depicted in Figure 23.15. (You may have to scroll up depending on how much traffic your network is pushing.)


FIGURE 23.15 Wireshark Capture Window with ICMP Packets

  1. Select the Filter: field box. Type icmp and press Enter.

This filters all the traffic to that of only the ICMP protocol. Here you can view the PING much more easily, as illustrated in Figure 23.16.


FIGURE 23.16 Viewing the PING

Exploring Attacks in Wireshark

Starting an attack just so that you can view the traffic in Wireshark would be unwise. Performing an attack at this stage could render your local machine unusable. Therefore, you will have to examine previously captured traffic that represents different attacks.

You can download some example attacks at: https://wiki.wireshark.org/SampleCaptures. Store them in a Wireshark Examples folder on your desktop.

For the purposes of this lab, locate and download arp-storm.pcap and teardrop.cap.

  1. Locate the folder labeled Wireshark Examples on your desktop. Double-click to open the folder and view its contents, as shown in Figure 23.17.

    FIGURE 23.17 Wireshark Examples Folder Contents

  2. Double-click arp-storm.pcap. Find and select Wireshark to open this file if prompted. Figure 23.18 shows the open file.

    FIGURE 23.18 Arp-Storm Example

When broadcast or multicast traffic overwhelms a network, it is known as a broadcast storm or a network storm. Because broadcast traffic is rebroadcast by every network device, continuous traffic can quickly overload switches and routers if they are not up to the task.

As with DoS attacks, it is important to monitor networks for broadcast storms. However, it is also important to make sure the network is properly configured and that it has hardware robust enough to move data quickly and learn routes fast enough to meet organizational needs.

  1. Examine the traffic by scrolling through the Packets List pane. See if you can discover any important information.
  2. After you are finished examining the arp-storm example, close the Wireshark window by clicking the X in the top-right corner of the window.
  3. Return to the Wireshark Examples folder and double-click teardrop.cap.

A teardrop attack is another type of DoS attack that involves sending fragmented packets to a targeted machine. The fragments are built so that they overlap one another, the targeted machine is unable to reassemble packets of this nature, and the result can eventually crash the targeted network device.
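As an added illustration (not part of the chapter or of Wireshark), the following replays IP fragment reassembly for one datagram and reports the two anomalies this chapter describes: fragments that overlap data already delivered (the teardrop pattern) and fragments that would push the reassembled datagram past the 65,535-byte limit (the ping-of-death pattern from the PING section). The fragment lists are constructed samples; the teardrop one mirrors the description of Packets 8 and 9 below (a 36-byte first fragment, then one claiming to start at offset 24).

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # the IP total-length field is 16 bits, so nothing may reassemble larger


@dataclass
class Fragment:
    ident: int    # IP Identification field, shared by every fragment of one datagram
    offset: int   # Fragment Offset converted to bytes (header field value * 8)
    length: int   # bytes of payload carried by this fragment
    more: bool    # More Fragments (MF) flag


def check_fragments(fragments) -> list:
    """Replay reassembly of one datagram's fragments; return a list of findings (empty = clean)."""
    findings = []
    if not fragments:
        return findings
    if len({f.ident for f in fragments}) != 1:
        raise ValueError("fragments belong to more than one datagram")
    ordered = sorted(fragments, key=lambda f: f.offset)
    covered_end = 0                                # highest byte delivered so far
    for frag in ordered:
        frag_end = frag.offset + frag.length
        if frag.offset % 8:
            findings.append(f"offset {frag.offset} is not a multiple of 8")
        if frag.more and frag.length % 8:
            findings.append(f"non-final fragment at offset {frag.offset} carries "
                            f"{frag.length} bytes, not a multiple of 8")
        if frag.offset < covered_end:
            findings.append(f"fragment at offset {frag.offset} overlaps data already "
                            f"covered up to byte {covered_end} (teardrop pattern)")
        if frag_end > MAX_IP_DATAGRAM:
            findings.append(f"fragment ends at byte {frag_end}, beyond the "
                            f"{MAX_IP_DATAGRAM}-byte limit (ping-of-death pattern)")
        covered_end = max(covered_end, frag_end)
    return findings


# Constructed samples. Only the fragments that matter for each pattern are listed.
TEARDROP = [Fragment(242, 0, 36, True),        # "setup": 36 bytes starting at offset 0
            Fragment(242, 24, 4, False)]       # "hit": claims offset 24, inside the first fragment
PING_OF_DEATH = [Fragment(1, 0, 1480, True),   # first of many 1480-byte fragments
                 Fragment(1, 65528, 120, False)]  # final fragment overruns 65535 bytes
NORMAL = [Fragment(7, 0, 1480, True),          # benign: 2000-byte payload over a 1500-byte MTU
          Fragment(7, 1480, 520, False)]


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping-of-death", PING_OF_DEATH)):
        print(name, check_fragments(frags) or ["no anomalies"])
```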

  1. Examine the traffic, specifically Packets 8 and 9, as illustrated in Figure 23.19, by using the middle pane (Packet Details). Packet 8 is considered to be the setup, while Packet 9 is the overlapping hit. In this example, the difference is subtle; however, Packet 8 is 36 bytes and Packet 9 starts at offset 24, thereby causing the attack.

    FIGURE 23.19 Teardrop Attack Example

  2. Close out any remaining Wireshark windows. If prompted to save before quitting, select Quit Without Saving.
  3. Close the Command Prompt window, along with the Wireshark Examples folder.
  4. Shut down the computer.

Wireshark is a powerful and popular tool for analyzing traffic. This exercise was only an introduction to its basics; it has many more options, including I/O graphs, advanced filtering, and the ability to analyze traffic captured elsewhere. For more information, visit wireshark.org.

Lab Questions

  1. What three panes are in the Wireshark Capture window?
  2. How many packets are involved with a PING?
  3. Should you run Wireshark with an administrative account?

Lab Answers

  1. What three panes are in the Wireshark Capture window?

    The Packet List pane, the Packet Details pane, and the Packet Bytes pane.

  2. How many packets are involved with a PING?

    For every one PING, you will see two ICMP-related packets: an Echo (ping) request and an Echo (ping) reply.

  3. Should you run Wireshark with an administrative account?

    It is not generally recommended. Instead, run Wireshark with a lower-privileged account and escalate when prompted.
