Network administrators must be armed with a wide variety of software tools to monitor, diagnose, and control the network around them. In this chapter, you will learn the basic tools of this arsenal. Certain tools are known by slightly different names in different operating systems but essentially accomplish the same tasks. In this chapter, you will learn to:
There are certain basic administrative, troubleshooting, and monitoring tools and utilities that every cybersecurity specialist should have in their toolbox. The following sections describe some prominent versions of these basic tools. Some are already available through the installed operating system, while others are third-party tools available for download or purchase.
The first tool you need to be familiar with is either ifconfig or ipconfig, depending on your operating system. The former is used on Unix/Linux systems, while ipconfig accomplishes the same function on Windows systems.
This tool is used at the command line and presents you with the local system’s IP address and other basic network-configuration information. It is your first stop when you want to know the gateway’s IP address, where the system sends DNS queries, and whether the system’s IP address was served by DHCP or assigned statically, along with other useful information.
Frequently, you will need to know some information about a domain. As shown in Figure 23.1, you can go to the website of virtually any domain registrar and use their Whois search tool to find information concerning ownership, administrative and technical responsibility, and the name of the server responsible for providing host information. Whois is also a command-line utility in some operating systems.
These days many registrations are private, which means you can’t learn anything about ownership, administrative, or technical contacts; you can only obtain information about the name server. This information is subject to ICANN rules but may not always be accurate. Still, this can be a great place to learn something about a domain.
Many websites offer this service and all Unix-like operating systems offer this command-line tool. Not all Whois tools will access information for every top-level domain, however. In some instances, you may have to go to a specific registrar to fully query a particular top-level domain.
The nslookup command is a command-line DNS query tool that is typically the first tool used to gain DNS information about a website. The basic nslookup command returns the IP address information associated with a specified domain name.
The basic command can be modified by adding specific parameters to obtain other types of information, such as name server or mail exchanger records.
Although nslookup is a great tool for troubleshooting DNS hostname resolution problems, it is also one of the most commonly used tools in the information-gathering process of the enumeration phase of a cyber attack.
PING is a software utility used to evaluate the ability to reach any other IP host. The PING command measures the round-trip time for packets sent from the originating host to the target host. The PING utility sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for a response, measuring the round-trip time and any packet loss.
PING (and ping6 for IPv6 hosts) is available as a command-line tool in many operating systems, and a variety of software products also offer this capability, often packaged with traceroute features.
The PING command can be a great way to determine if a host is alive, as well as the quality of the connection between your network and a host. However, ICMP traffic is generally considered low-priority traffic; therefore, busy networks may ignore it. In addition, because it is possible to flood a network with PING requests (referred to as a ping flood), ICMP traffic is often blocked. Most firewall devices can be used to block ICMP traffic completely.
Some options available with the PING utility, such as adjusting the packet size or sending without waiting for a reply, can be used to create a ping flood that results in a denial-of-service (DoS) attack. Such a ping flood would certainly consume incoming bandwidth. However, if the network replies to the ICMP requests, then outgoing bandwidth will be consumed as well.
Sadly, it is also possible to send malformed PING packets maliciously. Older systems, for example, could not handle a packet larger than 65,535 bytes, and any packet larger than that would crash the computer. Modern routers should examine these packets for size and fragmentation and enforce rules that prevent any problems from a “ping of death.”
While it is typically good practice to allow ICMP traffic on public networks for a variety of reasons, it is critical that your firewall block ICMP traffic, and for most networks you may even want to configure the firewall not to reply to these requests itself. A PING request should look something like the one depicted in Figure 23.2:
ping www.google.com
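The ICMP exchange described above, as an added example that is not part of the chapter: it builds echo requests with the RFC 1071 checksum, parses the echo replies a host would return, and computes round-trip time and packet loss the way ping reports them. The timestamps and the dropped sequence number are constructed, not measured.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type values for echo request / echo reply

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo header is type(1) code(1) checksum(2) identifier(2) sequence(2)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes) -> dict:
    """Decode an echo packet; a correctly checksummed packet sums to zero under the check."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": internet_checksum(packet) == 0}

def reply_for(request: bytes) -> bytes:
    """What the target host returns: type 0 with the same id, sequence and payload."""
    req = parse_echo(request)
    return build_echo(ECHO_REPLY, req["id"], req["seq"], req["payload"])

def ping_stats(sent: dict, received: dict) -> dict:
    """sent/received map sequence number -> timestamp (s); unanswered sequences are loss."""
    rtts_ms = [(received[s] - sent[s]) * 1000 for s in sent if s in received]
    lost = len(sent) - len(rtts_ms)
    return {"transmitted": len(sent), "received": len(rtts_ms),
            "loss_pct": 100.0 * lost / len(sent),
            "min_ms": min(rtts_ms, default=None),
            "avg_ms": sum(rtts_ms) / len(rtts_ms) if rtts_ms else None,
            "max_ms": max(rtts_ms, default=None)}

def simulate_ping(count: int = 4, drop_seq=(3,), ident: int = 0x1234) -> dict:
    """Constructed exchange: requests seq 1..count, replies for all but drop_seq.
    Send times are 1 s apart and each reply arrives 10 ms * seq later (constructed values)."""
    sent, received = {}, {}
    for seq in range(1, count + 1):
        request = build_echo(ECHO_REQUEST, ident, seq, b"abcdefgh")
        sent[seq] = float(seq)
        if seq in drop_seq:
            continue                         # the reply never arrives: counted as loss
        reply = parse_echo(reply_for(request))
        if reply["type"] == ECHO_REPLY and reply["id"] == ident and reply["checksum_ok"]:
            received[reply["seq"]] = sent[seq] + 0.010 * seq
    return ping_stats(sent, received)

if __name__ == "__main__":
    print(simulate_ping())
```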
A TRACEROUTE utility will display the route (path) that packets will travel from one IP address to another. As with PING, the round-trip time of the ICMP packets (also known as latency) is measured; however, with traceroute this time is measured between each successive host in the route.
Each segment of the route is known as a hop. Traceroute will send three packets and measure the time required to complete each hop. The cumulative latency at each hop is recorded, usually in milliseconds, along with the IP and host name (acquired through a reverse lookup) of each node.
This can be a great way to look at latency issues between hosts and evaluate the connection to determine where excessive latency exists or a route fails.
Traceroute is available in most operating system command-line interfaces. Windows uses the TRACERT utility. Some utilities, such as tcptraceroute, may use TCP packets.
A typical traceroute operation should look something like the one shown in Figure 23.3.
Telnet is a client-server application protocol: Telnet client software establishes a connection between a computer (or device) and a remote Telnet server, which typically listens on port 23. This is very much a text-based command-line interface that allows the remote user to perform operations as if they had logged into the server locally, as shown in Figure 23.4.
Many types of Telnet emulations are available via custom client software, but most have no encryption available; therefore, there is no guarantee that your communication will not be intercepted while in transit. Some older network devices may only support Telnet, but whenever possible you should use SSH instead.
Secure Shell (SSH) is an encrypted network protocol for secure client-server connections. Designed to replace nonsecure shell protocols—such as Telnet—SSH employs public-key cryptographic authentication. Users can authenticate with a password as with Telnet, or they can use key pairs—or both. Administrators responsible for SSH connections should be well versed in SSH key management.
File transfer is also possible using the associated SSH File Transfer Protocol (SFTP) or Secure Copy Protocol (SCP). SSH supports tunneling and port forwarding, so it can be an important tool in some network security schemes. SSH is included in all Unix-like distributions but not with Windows, although you can obtain versions for most versions of Windows.
Even if you aren’t administering an SSH server, you will most likely use an SSH client at some point. Despite rumors of the NSA decrypting SSH connections and some past vulnerabilities, SSH is considered to be a secure and reliable protocol that all but eliminates potential eavesdropping on your network traffic.
To truly secure a network, you must have some way of monitoring and testing it. Over time, increasingly powerful network monitoring tools and services have become available. These tools can be used to ensure that servers (or even specific services on those servers) are up and running, or they can be used to simply monitor data flow.
Typically, server- or service-monitoring products will send requests to that service (such as an HTTP request to a web server) and measure the response. If the request yields no reply or the reply is too slow, then a message may be sent to a network administrator via email, SMS, or some other alert methodology. It is important to have at least one monitor that is independent of the network being monitored to ensure that an alert will be generated when the network is down.
Much of this monitoring requires nothing more than sifting through logs to find errors or other issues, which can be a more-than-daunting task for network administrators. Software tools that summarize or even graph this log data can be tremendous productivity aids.
Network monitoring tools can be divided into two main types:
Just about any protocol can be monitored for uptime and performance, and the period that it is tested can be adjusted to match the importance of that service. From a single network location, you can monitor all local services and even remote services such as a distant web server or mail server.
A packet analyzer is typically inserted into the network so that network traffic flows through it, allowing packets to be captured in real time, as shown in Figure 23.5. As the network traffic passes through the analyzer, it “sniffs” the packets looking for malicious activity, or it simply logs what’s going on.
Normally, only network traffic intended for a specific system is viewable on that system; therefore, to be able to view all traffic flowing on the attached network, the analyzing system’s interface is set to “promiscuous” mode.
Packet and protocol analyzers require two network interfaces so they can examine the network activity as it flows through them.
Because they do not require tremendous CPU resources, an older laptop that can support two Ethernet interfaces can be ideal. Performance monitoring products can run on older hardware as well, and they can be a great way to use unwanted, aging computer hardware.
There are a number of free and commercial products, as well as a growing service industry, ready to provide these monitoring services. Free products are a great place to start because they are fairly easy to set up and don’t require a lot of resources.
The following sections discuss just a few of these products for you to consider. Using these and other network testing tools will enable you to more easily audit a network in order to understand its resources, evaluate its risks, assess its vulnerabilities, and create a plan for mitigating these risks and vulnerabilities.
Nagios is probably the most well-known network monitoring tool that still has a free version; however, it has grown and offers a full-featured commercial enterprise version as well. A fork of this project, Icinga, is an interesting open-source alternative that is more full-featured than the free version of Nagios. Both products have plenty of monitoring, reporting, and notification options that are best suited to uptime monitoring but can monitor performance as well.
SolarWinds offers an incredibly powerful commercial network-performance-monitoring product. While this product is somewhat expensive, it is immensely powerful and can monitor uptime, performance, traffic flow, and utilization. It also offers a plethora of reporting, graphing, and notification options.
Microsoft Network Monitor is a packet analyzer that can help you view your traffic flows and troubleshoot network problems. As you might expect, this product does a wonderful job interacting with proprietary Microsoft protocols, but most common public protocols are supported as well.
Wireshark is a mature, open-source, and cross-platform network protocol analyzer. It is probably the most well-known protocol analyzer, and it supports just about every protocol and runs on nearly any platform. For more information about Wireshark, visit www.wireshark.org.
Wireshark, shown in Figure 23.6, is a valuable tool for capturing and subsequently analyzing traffic, both for discovery and for troubleshooting network issues. It can be used to learn more about the protocols used on a given network. This tool is easy to employ, but it requires experience and practice to accurately analyze the results it produces. However, every network admin should have this product in their arsenal.
Snort is an open-source, cross-platform intrusion-detection system that provides real-time traffic analysis, packet logging, and protocol analysis as well as active detection for worms, port scans, and vulnerability exploit attempts. This, of course, is useful in monitoring the network in real time. It is well suited to identifying probes and attacks, but it can act as a network sniffer as well. Snort, shown in Figure 23.7, is an excellent product for networks that feature public services. For more information about Snort, visit www.snort.org.
Perhaps more than any other tool listed here, Snort has many complementary products with which it can be used to extend its detecting and reporting capabilities.
As with any intrusion-detection/prevention system, Snort is effective only if properly “tuned” to the network on which it is being used. Without due diligence in tuning an IDS/IPS, administrators will battle both too many false positives (alerts on activity that is actually benign) and too many false negatives (real concerns that go unnoticed).
Nmap, shown in Figure 23.8, is an open-source and cross-platform network-mapper utility for network discovery and security auditing; it is also used for network inventory, monitoring, and upgrade scheduling. This is a highly flexible tool used to examine, profile, and assess the systems in any network. It is particularly useful for discovering open ports and service versions. For more information about Nmap, visit www.nmap.org.
As shown in Figure 23.8, Nmap can be used with both a command-line and a GUI interface.
Nikto is an open-source web server scanner that can identify issues on a web server. For more information about Nikto, visit cirt.net/nikto2.
OpenVAS is an open-source vulnerability scanner for Linux and Windows that is a fork of the last free version of the now-commercial Nessus. Built as a full vulnerability-management solution, this tool uses SCAP and can perform a number of network vulnerability tests (NVTs); it can look for common vulnerabilities and exposures (CVEs). This product has a bit of a learning curve, but it is a well-respected and powerful tool worth considering. For more information about OpenVAS, visit openvas.org.
Metasploit is one of the most popular open-source penetration-testing frameworks available. It is available for both Windows and Linux environments. It is commonly used to identify and validate network vulnerabilities, including simulating attacks that prey on human vulnerabilities, as shown in Figure 23.9. Metasploit can also be used to prioritize responses to any network vulnerabilities that are discovered. For more information about Metasploit, visit www.metasploit.com.
Metasploit is normally a command-line-based tool. However, as portrayed in Figure 23.9, there are also commercial tools that provide a GUI front end.
The Browser Exploitation Framework (BeEF) is another notable open-source penetration-testing tool, but it focuses on web-borne attacks through a web browser. BeEF is available for macOS, Windows, and Linux. For more information about BeEF, visit www.beefproject.com.
Some other security products that are worth evaluating include Nessus, Core Impact, and Nexpose. There are also dedicated hardware solutions, such as Netscout from nGenius, that offer serious solutions for monitoring network services and performance. Every network should have some sort of monitoring enabled at all times, and every network administrator should have access to a dependable packet-sniffing tool as well.
Packet analyzers are devices or software tools that can capture (intercept and log) data as it moves through a digital network. These tools are also known as packet sniffers, network analyzers, and protocol analyzers. As the analyzer examines the traffic moving through it, it unpacks the traffic into packets (such as the TCP/IP packets that move across an Ethernet network) so that they can be analyzed. These tools have a wide range of applications in a networked environment. They are routinely used to diagnose network problems, identify configuration issues, and resolve network bottlenecks. Security specialists can also use packet analyzers to monitor networks for vulnerabilities, misuse, and attempted cyber attacks. Pentesters (legal or white hat hackers) and hackers (illegal or black hat hackers) also use packet analyzers to sniff networks, trying to steal unencrypted data moving through a network, such as login credentials, financial information, or email messages. They may also use these tools to perform reconnaissance for setting up future attacks. Wireshark is a network-packet analysis tool that is commonly used to capture packets as they move across a network and display them in as much detail as possible. Wireshark is a free and open-source program that is used for troubleshooting, analysis, debugging protocol implementations, and examining security concerns.
In this procedure, you will explore the uses of Wireshark as it applies to cybersecurity. Analyzing traffic can give you great insight into the activity on your network. Wireshark is one of many tools you should employ to secure your network.
You will begin by launching Wireshark and becoming familiar with the interface.
You should see that the NetGroup Packet Filter Driver service started successfully. You will need to restart Wireshark.
Generally, you should not run Wireshark with an administrative account. For this scenario, however, it will be fine; but in normal environments, you should run it with a lower-privileged account and escalate when prompted.
The Capture window is divided into three main sections. The top-most section lists the captured packets in sequence, with the capture number and time associated with the packet in the left columns. This section is known as the Packet List pane.
The middle section, also known as the Packet Details pane, shows the analysis of the highlighted packet.
The bottom section, known as the Packet Bytes pane, provides the packet in its transmitted hexadecimal form.
TABLE 23.1 Defining Columns: No., Time, Source, Destination, Protocol, Length, Info
By locating the Protocol column, you can get a general idea of what the packet contains. By looking at Figure 23.12, you can determine that the protocols include:
For this exercise, you will ping another IP address and attempt to locate its packet while running Wireshark.
ping [IP address], but do not press Enter. This will produce a screen like the one shown in Figure 23.13.
PING process depicted in Figure 23.14.
PING process has completed, return to Wireshark and stop the live capture by selecting the red square located near the top-left corner of the window.
You will notice at least one new protocol present on the list. The ICMP protocol should be listed, as depicted in Figure 23.15. (You may have to scroll up depending on how much traffic your network is pushing.)
This filters the displayed traffic down to the ICMP protocol only. Here you can view the PING much more easily, as illustrated in Figure 23.16.
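To see what Wireshark does to produce the Packet List columns of Table 23.1 from the raw bytes in the Packet Bytes pane, here is an added example (not part of the chapter, and not Wireshark's own code) that decodes three constructed Ethernet/IPv4 frames, a ping request, its reply and a DNS query, into those columns and applies the same icmp display filter. The MAC and IP addresses, timestamps and frame contents are all constructed.

```python
import struct
from ipaddress import IPv4Address

# Constructed capture, (timestamp s, raw Ethernet frame): a ping to 8.8.8.8 and a DNS query.
CAPTURE = [
    (10.000000, bytes.fromhex(
        "aabbccddee01 001122334455 0800"                        # Ethernet: dst MAC, src MAC, IPv4
        "4500 0024 1234 0000 4001 96e3 c0a8010a 08080808"       # IPv4: len 36, ttl 64, proto 1
        "0800 6668 0001 0001 6162636465666768")),               # ICMP echo request id=1 seq=1
    (10.012345, bytes.fromhex(
        "001122334455 aabbccddee01 0800"
        "4500 0024 abcd 0000 3901 044a 08080808 c0a8010a"       # IPv4: ttl 57, proto 1
        "0000 6e68 0001 0001 6162636465666768")),               # ICMP echo reply id=1 seq=1
    (10.500000, bytes.fromhex(
        "aabbccddee01 001122334455 0800"
        "4500 0028 0101 0000 4011 f668 c0a8010a c0a80101"       # IPv4: len 40, proto 17 (UDP)
        "d0a4 0035 0014 0000 1a2b 0100 0001 0000 0000 0000")),  # UDP 53412 -> 53, DNS header
]
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(frame: bytes) -> dict:
    """Unpack the Ethernet and IPv4 headers (the Packet Details view) into summary fields."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                  # non-IP frame: show MAC addresses instead
        name = "ARP" if ethertype == 0x0806 else f"0x{ethertype:04x}"
        return {"proto": name, "src": mac(frame[6:12]), "dst": mac(frame[0:6]), "info": ""}
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    ttl, proto = frame[22], frame[23]
    src, dst = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
    payload = frame[14 + ihl:]
    info = ""
    if proto == 1:
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
        kind = {8: "Echo (ping) request", 0: "Echo (ping) reply"}.get(icmp_type, f"type {icmp_type}")
        info = f"{kind} id=0x{ident:04x}, seq={seq}, ttl={ttl}"
    elif proto in (6, 17):                   # TCP and UDP both start with src/dst port
        sport, dport = struct.unpack("!HH", payload[:4])
        info = f"{sport} -> {dport}"
    return {"proto": PROTO_NAMES.get(proto, str(proto)), "src": str(src), "dst": str(dst), "info": info}

def packet_list(capture, display_filter: str = "") -> list:
    """Build Packet List rows; display_filter is a protocol name such as 'icmp'.
    Time is relative to the first captured packet, as in Wireshark's default setting."""
    rows, t0 = [], capture[0][0]
    for number, (ts, frame) in enumerate(capture, start=1):
        d = decode_frame(frame)
        if display_filter and d["proto"].lower() != display_filter.lower():
            continue                         # hidden by the filter; numbering is unchanged
        rows.append({"No.": number, "Time": round(ts - t0, 6), "Source": d["src"],
                     "Destination": d["dst"], "Protocol": d["proto"],
                     "Length": len(frame), "Info": d["info"]})
    return rows

if __name__ == "__main__":
    for row in packet_list(CAPTURE, "icmp"):
        print(row)
```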
Starting an attack just so that you can view the traffic in Wireshark would be unwise. Performing an attack at this stage could render your local machine unusable. Therefore, you will have to examine previously captured traffic that represents different attacks.
You can download some example attacks at: https://wiki.wireshark.org/SampleCaptures. Store them in a Wireshark Examples folder on your desktop.
For the purposes of this lab, locate and download the following:
arp-storm.pcap (https://wiki.wireshark.org/SampleCaptures#ARP.2FRARP)
teardrop.cap (https://wiki.wireshark.org/SampleCaptures#Crack_Traces)
arp-storm.pcap. Find and select Wireshark to open this file if prompted. Figure 23.18 shows the open file.
When broadcast or multicast traffic overwhelms a network, it is known as a broadcast storm or a network storm. Because broadcast traffic is rebroadcast by every network device, continuous traffic can quickly overload switches and routers if they are not up to the task.
As with DoS attacks, it is important to monitor networks for broadcast storms. However, it is also important to make sure the network is properly configured and that it has hardware robust enough to move data quickly and learn routes fast enough to meet organizational needs.
teardrop.cap.
A teardrop attack is another type of DoS attack that involves sending fragmented packets to a targeted machine. The targeted machine will not be able to reassemble packets of this nature. This will cause packets to overlap one another and eventually crash the targeted network device.
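As an added example (not part of the chapter), the two conditions the sample captures illustrate can be flagged automatically from decoded packet records: an ARP request rate far above normal for a broadcast storm, and IP fragments whose byte ranges overlap for a teardrop. The records, the rate threshold and the fragment offsets are constructed for this example, not taken from the real capture files.

```python
from collections import defaultdict

# Record shapes a packet decoder would emit (constructed for this example):
#   ("ARP", time_s, sender_ip, target_ip)                          one broadcast ARP request
#   ("IP", time_s, src_ip, ip_id, frag_offset_bytes, payload_len, more_fragments_flag)

def arp_storm_windows(records, window_s: float = 1.0, threshold: int = 100) -> list:
    """Return the window indexes in which ARP requests exceed `threshold`.
    A count far above the segment's normal rate is the signature of a broadcast storm."""
    counts = defaultdict(int)
    for rec in records:
        if rec[0] == "ARP":
            counts[int(rec[1] // window_s)] += 1
    return sorted(w for w, n in counts.items() if n > threshold)

def overlapping_fragments(records) -> list:
    """Group IPv4 fragments by (src, ip_id) and report pairs where a fragment's byte range
    begins before the previous fragment ends, the overlap a teardrop series relies on."""
    groups = defaultdict(list)
    for rec in records:
        if rec[0] == "IP":
            _, _ts, src, ip_id, offset, length, _more = rec
            groups[(src, ip_id)].append((offset, offset + length))
    flagged = []
    for key, frags in groups.items():
        frags.sort()                         # order by starting offset
        for (a_start, a_end), (b_start, b_end) in zip(frags, frags[1:]):
            if b_start < a_end:              # overlap: reassembly is ambiguous
                flagged.append((key, (a_start, a_end), (b_start, b_end)))
    return flagged

def constructed_records() -> list:
    """Constructed sample resembling the two capture files: a little normal ARP, an ARP
    storm, a correctly fragmented datagram, and a teardrop-style overlapping pair."""
    recs = [("ARP", 0.1 * i, "10.0.0.5", f"10.0.0.{i + 10}") for i in range(5)]
    recs += [("ARP", 3.0 + i / 400, "10.0.0.77", f"10.0.0.{i % 254 + 1}") for i in range(400)]
    recs += [("IP", 5.000, "10.0.0.8", 0x4242, 0, 1480, True),     # bytes 0-1480
             ("IP", 5.001, "10.0.0.8", 0x4242, 1480, 200, False)]  # bytes 1480-1680, no overlap
    recs += [("IP", 6.000, "10.0.0.9", 0x0242, 0, 36, True),       # bytes 0-36
             ("IP", 6.001, "10.0.0.9", 0x0242, 24, 4, False)]      # bytes 24-28 overlap the first
    return recs

if __name__ == "__main__":
    recs = constructed_records()
    print("ARP storm windows:", arp_storm_windows(recs))
    print("Overlapping fragments:", overlapping_fragments(recs))
```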
Wireshark is a powerful and popular tool for analyzing traffic. This exercise was only an introduction to its basics; it has many more options, including I/O graphs, advanced filtering, and the ability to analyze traffic captured elsewhere. For more information, visit wireshark.org.
PING?
The Packet List pane, the Packet Details pane, and the Packet Bytes pane.
PING?
For every one PING, you will see two ICMP-related packets: an Echo (PING) request and an Echo (PING) reply.
It is not generally recommended. Instead, run Wireshark with a lower privileged account and escalate when prompted.