Tools & Random Stuff

Question 1

ipconfig

Answer 1

ipconfig
Windows - config of NW interfaces

Things it can do:

• List of all network interfaces with IP info
• DHCP config and DNS server of interfaces

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : lmms.lmco.com
Link-local IPv6 Address . . . . . : fe80::50b0:902a:5a9f:d0cd%18
IPv4 Address. . . . . . . . . . . : 129.197.99.159
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 129.197.99.254

Question 2

ifconfig or ip

Answer 2

ifconfig or ip
linux - view and manipulate config of NW interfaces. Allows promiscuous mode

Some things it can do:

• Displays active interfaces
• activate/deactivate an interface
• Assign an IP address to an interface

eth0 Link encap:Ethernet HWaddr 09:00:12:90:e3:e5
inet addr:192.168.1.29 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe70:e3f5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:54071 errors:1 dropped:0 overruns:0 frame:0
TX packets:48515 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22009423 (20.9 MiB) TX bytes:25690847 (24.5 MiB)
Interrupt:10 Base address:0xd020
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:83 errors:0 dropped:0 overruns:0 frame:0
TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7766 (7.5 KiB) TX bytes:7766 (7.5 KiB)

Question 3

netstat

Answer 3

netstat

• stats for TCP/IP
• shows incoming/outgoing connections
• programs making connections
• how much data is being transmitted
• identifies listening ports

Switches

• a: Show connections
• n: addresses/ports of connections
• b: executable that created connectionTCP 127.0.0.1:7766 127.0.0.1:50050 ESTABLISHED
  TCP 127.0.0.1:50050 127.0.0.1:7766 ESTABLISHED
  TCP 127.0.0.1:50094 0.0.0.0:0 LISTENING

Question 4

tracert

Answer 4

tracert
lists routers (hops) between two systems; verify path has not changed
• Takes advantage of ICMP Time to Live Exceeded error
message
• The time in TTL refers to hops, not seconds or minutes
• TTL=1 is the first router, TTL=2 is the second router, etc.

Question 5

arp

Answer 5

arp

view and manipulate ARP cache

Question 6

dig

Answer 6

dig
Domain Information Groper
-Reverse lookup of IP address to determine owner

Question 7

Nmap

Answer 7

Nmap
-banner grabbing
• Network scanner
• Find and learn more about network devices
• Port scan
• Find devices and identify open ports
• Operating system scan
• Discover the OS without logging in to a device
• Service scan
• What service is available on a device?
Name, version, details
• Additional scripts
• Nmap Scripting Engine (NSE)
• Extend capabilities, vulnerability scans

Question 8

netcat (nc)

Answer 8

netcat
-banner grabbimg
• “Read” or “write” to the network
• Open a port and send or receive some traffic
• Listen on a port number
• Transfer data
• Port scan 
-send data to a port
• Become a backdoor
• Run a shell from a remote device
• Other alternatives and OSes - Ncat

Question 9

nslookup

Answer 9

nslookup
-Lookup DNS info
• Lookup names and IP addresses
-Microsoft
• Deprecated (use dig instead)

Question 10

CER

Answer 10

CER
Crossover Error Rate
-Biometrics
-False Alarm Rate (FAR) = False Rejection Rate (FRR)
-The smaller the better

Question 11

Incident Response Process

Answer 11

Incident Response Process

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Question 12

Volatility Of Data

Answer 12

Volatility Of Data

• CPU registers, CPU cache
• Router table, ARP cache, process table, kernel statistics, memory
• Temporary file system
• Disk
• Remote logging
• Physical configuration, network topology
• Archival media

Question 13

telnet

Answer 13

telnet

-banner grabbing