The Security+ exam really hits on a lot of classic command-line utilities, not so much to test whether you know them or not, because the Security+ kind of assumes that you do. More importantly, it generates scenarios where you need to know what type of command-line tool to use to be able to make some determination about a network. So this episode is dedicated to going through what are, hopefully for you, a lot of well-known command-line utilities. We're going to be going through these utilities, but what we're going to be doing is talking about scenarios more than anything else. So we've got a lot of utilities to cover here.
So let's go ahead and dive right in, and let's start with ping. Ping is a classic utility and hopefully one that you're already familiar with. So what I want to do here is talk about the scenarios where we use ping. The funny part is we use ping so ubiquitously that a lot of times people don't think about what scenario is causing them to turn to that tool. They're usually pretty simple scenarios.
So let's run through a few right now. You can see I've got my command line up. One of my absolute favorites is: is DNS working? People never think about this with ping. As you can see, I'm just typing ping and then some arbitrary website, my own. Now, what you're looking at here is that it's resolved the www dot total seven.com. It actually says reply from 75.126, whatever it might be. A lot of times, people will run a ping.
And they don't think about that. It's actually a wonderful little quick-and-dirty DNS tool: it resolved. So whether I even get a good reply or not, the fact that it's resolving tells me my DNS is up and cooking. Now the next thing I want to ask is, can I connect to somebody? This is really where we use ping more than anything else. So all I'm doing is typing ping, and I want to see, am I getting to one person or another?
So what I'm going to do is type in ping, and let's do somebody who's always up: google.com. Now, you can see that I'm getting a response. If you look really, really closely, you're going to see that I'm getting IPv6. So another thing we can do, that's actually a lot of fun, is I can say, okay, I can ping www.google.com just fine on IPv6, but what if I want to do it only with IPv4? I can use a switch like -4, and you'll see that everything has changed over. So now I'm getting a good response back, but this time I'm forcing it to use IPv4.
A lot of the problems that we run into in the security world have to do with layer 3 issues, and people aren't thinking about whether it's IPv4 or IPv6. Security+ is going to assume that you're comfortable with that, and ping is a great way to be able to separate those two. Now the next thing I want to ask is, do I have an intermittent connection? If you take a look at the screen again, you'll see that we've always got our time in milliseconds in terms of response, and that's a helpful tool. But a lot of times, especially if we're talking about a serious, in particular hardware, intermittent issue in the Windows world, we kind of have to do something a little bit funny. So what I'm going to do is a ping -t. Again, let's pick somebody who's always up, and I want you to watch very, very closely there. You'll see that before, we always had just four responses in the Windows world.
By running ping with the -t, what we're giving ourselves is the ability to say, just keep running. Now, this is actually kind of funny for you Linux people out there; you're like, well, that is the default behavior. And the Security+ is actually going to challenge you and remind you: do I need to use -t with a Linux system? The answer is simply no. Okay, so that was fun.
And everybody loves ping, but I think we should switch over to something even more common. Let's do, oh, I don't know, how about netstat. If you need to know what sessions a particular host is running at any given moment, your go-to tool is netstat. Netstat can be absolutely terrifying in terms of the information that it gives you. So when I go to netstat, there are two big questions, two scenarios that I'm always looking for and counting on netstat to help me out with. The first one, and the pretty obvious one, is: who am I talking to?
So I'm going to run a netstat real quick here. Now, I almost never run netstat by itself; I will invariably run it with -n. The problem is, I'm so familiar with port numbers now that it's actually hard for me to look at output where it says stuff like HTTP and HTTPS. Just the numbers, please. So let me run this, and we can see what we're connecting to right now. Now, if you take a closer look, first of all, this is a Windows 10 system. And Windows 10 is notorious for these loopback 127.0.0.1 entries with these really big, fearful port numbers, 53,200-and-something.
These are just the telemetry of Windows 10 phoning home. There are things we can do about it, but I don't worry about that too much. What I'm more interested in is when we get below that. You can see that on this particular test network, my internal network ID for this host is 192.168.4.34. And you can see I've got one, two, three, four, five connections on IPv4, and then I've got an IPv6 connection. They're all on 443.
So I instantaneously know that I'm talking on HTTPS. Well, that's great. And I also know why they're there: primarily because I've got my web browser open, and these are all the different individual tabs and what those connections are for. So in this particular situation, I'm happy with what I see.
What makes me nervous is when I have, for example, all of my web browsers closed and I'm still connected on 443. Something's connected in there that I'm not authorizing. That's a classic sign of malware or something else. In fact, in a lot of places I have an Nvidia driver that actually connects and phones home on port 443. Now, Nvidia looks at that as a feature. It scares me a little bit, but I had to do some research and figure out where it was.
But when I'm looking at scenarios where I'm not sure who's talking out of this particular host, netstat with the -n option is the way to go. Now, the other one is the exact opposite: not so much who am I talking to, but who's trying to talk to me? In this particular situation, am I a server for something? So what I'll do here is run netstat, but this time netstat -a. The -a says, show me all open ports, including the ones that I'm not actually connected to.
So if I have a web server on here and I'm not connected to anybody, netstat normally wouldn't show that. But by putting in the -a, I'm saying, I don't care whether you're actually connected or not; if you're listening, show it. I should get quite a bit of information here. Okay. Now, as we scroll through here, what I'm looking for in this case is, on this side, what am I listening on? So in this particular case, look right there.
Do you see that? Right there shows that I'm listening on port 80. This system right here is running a web server. Now, again, that could be a good thing. A lot of times, little phone-home utilities will actually use port 80 and be like their own little web server for driver updates and stuff. We're not doing that as much as we used to.
But what's important is I can take a look here and quickly see: hey, I'm a server. Do I want to be a server? Now, something like port 80 is fairly innocuous. But because I know my port numbers well, certain other things would terrify me. If I saw an open port 25 for email or something like that, now I would start to panic a little bit. The other problem as we look through this list is that there are a lot of listening ports. Do you see how it all says LISTENING, LISTENING there? If you don't know your ports, you're going to have to be doing a little bit of research here.
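The two netstat questions above (who am I talking to, and who can talk to me) can both be answered from one `netstat -an` listing. The following Python sketch is an added example, not part of the original episode; the sample output is constructed, and `EXPECTED_LISTENERS` is an assumed baseline of ports this host is supposed to serve.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:53201        127.0.0.1:53202        ESTABLISHED
  TCP    192.168.4.34:50112     203.0.113.10:443       ESTABLISHED
  TCP    192.168.4.34:50113     203.0.113.11:443       ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [2001:db8::34]:50120   [2001:db8::1]:443      ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

EXPECTED_LISTENERS = {135}  # assumption: ports this host is approved to listen on


def split_endpoint(endpoint):
    """Split '1.2.3.4:80' or '[2001:db8::1]:80' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def review(netstat_output, expected=EXPECTED_LISTENERS):
    """Answer both questions: what am I listening on, and who am I talking to?"""
    listening, talking_to = set(), []
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP rows have four columns; UDP rows carry no State and are skipped here.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        _, local, foreign, state = fields
        if state == "LISTENING":
            listening.add(split_endpoint(local)[1])
        elif state == "ESTABLISHED":
            host, port = split_endpoint(foreign)
            # Loopback sessions never leave the host, so leave them out of the list.
            if not ipaddress.ip_address(host).is_loopback:
                talking_to.append((host, port))
    return {
        "listening": sorted(listening),
        "unexpected_listeners": sorted(listening - set(expected)),
        "talking_to": talking_to,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(key, value)
```

Any port reported under `unexpected_listeners` is the "do I want to be a server?" question; any remote endpoint under `talking_to` that remains after the browser is closed is the one to research.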
Things like 135 and 443, I'm more familiar with, because those are going to be part of the Windows operating system. But I'm still going to be taking a moment to do a little research. Netstat is great for scenarios where you're worried about who you're talking to, or who's trying to talk to you.
Let's talk about traceroute for a minute. Now, traceroute is a very, very interesting utility. The challenge that I run into with most people who say they don't like traceroute is that they don't think about the scenarios where traceroute is going to do them the most good.
Look, the bottom line is, if you can't ping somebody, going ahead and tracerouting them is a questionable thing to do, with one exception. Let me give you an example right here. I'm going to run traceroute, and let's again pick good old Google, because they never go down, knock on wood. Let me type in the three W's.
All right. Now what I want you to do is watch this very, very closely as we're moving along here. It's going to take a few clicks before it gets to Google. But what's actually not terribly important to me is all the Google stuff past the first two lines. If you take a look at those first two lines, that is my internal router, and the next line after that is my in-house interface to, as you can see I'm running Comcast, Comcast itself. What that's telling me is that I know the first two routers between my network and the rest of the world.
And this is where traceroute can really come up in different scenarios that will help you out. Let's say you can't traceroute somebody. If that traceroute fails on either the first or the second line, I now know that I've got an in-house problem, and I'm going to grab a screwdriver and go check my router or my ISP interface. Now, if it happens three or four levels down, well, that's Comcast's problem or somebody else's, and there's nothing I'm going to be able to do about it. So the trick to traceroute is knowing your infrastructure. And if you get a failure on traceroute, know: is it something you can fix, or are you going to have to make a phone call to your ISP? That's the big secret, and those are the scenarios that are going to work best for you when it comes to traceroute.
Now, traceroute's a lot of fun, but let's go ahead and do one that's even more interesting to me: good old ARP. I seriously hope that you don't run into a scenario where you need to be running the ARP command. The main reason you're going to be running ARP is because you're afraid that somebody is doing something naughty within the world of your switches.
Now, for those of you who don't recall, ARP, or Address Resolution Protocol, is the tool by which we can resolve an Ethernet MAC address from an IP address. So what I'm going to do is just run arp. Now, arp by itself doesn't do anything, so what we normally do is run arp -a. What you're looking at right here is the ARP cache. This is what your system picks up over time.
Now, this is Windows; those on Linux and Macs are a little bit different, but you get the same basic result. So let's take a look at what we've got here. In this particular case, I've got two interfaces. I want to concentrate on the one that you see here that says 192.168.4.34. That is my actual Ethernet connection on this system. As we take a look at this, you can see that we have both dynamic and static addresses.
Windows generates static ARP cache entries that never change. If you take a look at what they are, it will make some sense to you: these are broadcast addresses, these are multicast addresses, and there is no reason for those to ever change. Dynamic, on the other hand, are addresses that will change based on ARP commands that this host is picking up.
Now, what you're panicking about in this type of scenario is that somebody has put in, for example, an ARP poisoner, and these can be incredibly difficult to diagnose. If you take a look here at Total Seminars, you can see all of these different physical NICs that I have here. And if you look at the first six letters, you can see they're all different for different ones. That's because we buy lots of different brands of NICs. But one of the things you'll see a lot of organizations do is say, we will always buy Intel NICs. The reason they're doing that is not because they're particularly hooked on Intel, although they usually are.
What they're doing is making sure that all of their NICs are always going to start with those same first six values, because they're all Intel OEM IDs. That way, if an ARP poisoner sneaks in, unless it's a very good ARP poisoner who even knows how to mimic an Intel, which most of them don't, it's really easy to look down this list and suddenly see an entry where the first six values are different from what you've established and count on. And that can often be a clue that you've got an ARP poisoner out there. ARP poisoners are a big problem now. Good intrusion detection should catch this stuff. But if you really need to see who's been the bad guy, you are reduced to running arp and trying to find MAC addresses that you don't trust.
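The check described above, scanning the ARP cache for MAC prefixes that don't match what the site standardizes on, can be automated over `arp -a` output. This Python sketch is an added example, not part of the original episode; the sample cache is constructed, `APPROVED_OUIS` is a placeholder for the site's own prefix, and it goes one step beyond the episode by also reporting any MAC address that answers for more than one IP.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real network).
SAMPLE = """\
Interface: 192.168.4.34 --- 0xb
  Internet Address      Physical Address      Type
  192.168.4.1           02-42-ac-11-00-02     dynamic
  192.168.4.20          00-1b-21-aa-10-14     dynamic
  192.168.4.51          00-1b-21-aa-10-33     dynamic
  192.168.4.77          02-42-ac-11-00-02     dynamic
  192.168.4.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

APPROVED_OUIS = {"00-1b-21"}  # assumption: placeholder for the site's standard NIC prefix

ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(dynamic|static)\s*$",
    re.I,
)


def parse_arp(output):
    """Yield (ip, mac, type) for each cache row in `arp -a` output."""
    for line in output.splitlines():
        match = ROW.match(line)
        if match:
            yield match.group(1), match.group(2).lower(), match.group(3).lower()


def audit(output, approved=APPROVED_OUIS):
    """Flag dynamic entries with an unapproved prefix or a MAC shared by several IPs."""
    by_mac = defaultdict(list)
    unknown_vendor = []
    for ip, mac, kind in parse_arp(output):
        if kind != "dynamic":  # static rows here are the broadcast/multicast entries
            continue
        by_mac[mac].append(ip)
        if mac[:8] not in approved:  # first six hex digits, e.g. "00-1b-21"
            unknown_vendor.append((ip, mac))
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return {"unknown_vendor": unknown_vendor, "shared_mac": shared}


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("unapproved prefix:", report["unknown_vendor"])
    print("one MAC, several IPs:", report["shared_mac"])
```

A shared MAC is not proof on its own, since some devices legitimately answer for several addresses, but a gateway IP that suddenly maps to the same MAC as another host is the entry to investigate first.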
Okay, so we've gone through quite a few different OS utilities in this episode, but we've got a bunch more. So go ahead, make sure you're comfortable with these, and watch for other episodes that cover even more OS utilities.