2.2.14 Security Command Line Tools

ping
1. Verifies IP connectivity to another TCP/IP computer by sending ICMP echo Request messages.
2. If successful, the receipt of corresponding ICMP echo Reply messages are displayed, along with round-trip times.
3. ping is the primary TCP/IP command used to troubleshoot connectivity, reachability, and name resolution.
4. Used without parameters, ping displays help.
5. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ping
netstat
1. Displays the following network information:
  1. Active TCP Connections
  2. Listening TCP/IP Ports
  3. IPv4/IPv6 TCP/IP Protocol Stack Statistics:
    1. TCP(v6)
    2. UDP(v6)
    3. IP(v6)
    4. ICMP(v6)
  4. Ethernet Statistics
  5. The IP Routing Table
2. Used without parameters, netstat displays active TCP connections.
3. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
tracert
1. Determines the path taken to a destination by sending ICMP echo Request or ICMPv6 messages to the destination with incrementally increasing TTL field values.
2. The path displayed is the list of near/side router interfaces of the routers in the path between a source host and a destination.
3. The near/side interface is the interface of the router that is closest to the sending host in the path.
4. Used without parameters, tracert displays help.
5. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tracert
nslookup/dig
1. nslookup:
  1. Displays information that you can use to diagnose Domain Name System (DNS) infrastructure.
  2. Before using this tool, you should be familiar with how DNS works.
  3. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup
2. dig:
  1. dig (domain information groper) is a Unix-like network administration command-line tool for querying Domain Name System (DNS) servers.
  2. dig is useful for network troubleshooting and for educational purposes.
arp
1. Displays and modifies entries in the Address Resolution Protocol (arp) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses.
2. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer.
3. Used without parameters, arp displays help.
4. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/arp
ipconfig/ip/ifconfig
1. Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings.
2. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.
3. The command used is dependent upon the Operating System (OS):
  1. Windows:
    1. ipconfig
  2. Linux/UNIX:
    1. ifconfig
    2. ip
      1. A newer variant that acts as a swiss-army knife network configuration command line tool.
      2. The ip command, along with proper appended keyword arguments, can perform basic functions of nslookup, arp, ifconfig, and other common commands.
4. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ipconfig
tcpdump
1. dump traffic on a network
2. Syntax:
  1. Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight.
  2. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface.
  3. It can also be run with the -V flag, which causes it to read a list of saved packet files.
  4. In all cases, only packets that match expression will be processed by tcpdump.
  5. Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.
3. When tcpdump finishes capturing packets, it will report counts of:
  1. Packets captured
  2. Packets received
  3. Packets dropped
4. http://www.tcpdump.org/manpages/tcpdump.1.html
nmap
1. Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
2. Uses:
  1. network discovery
  2. security auditing
  3. network inventory
  4. managing service upgrade schedules
  5. monitoring host or service uptime
3. Variants:
  1. Nmap:
    1. The classic command-line executable tool
  2. Zenmap:
    1. An advanced GUI and results viewer
  3. Ncat:
    1. A flexible data transfer, redirection, and debugging tool
  4. Ndiff:
    1. A utility for comparing scan results
  5. Nping:
    1. A packet generation and response analysis tool
4. https://nmap.org/docs.html
netcat
1. nc — arbitrary TCP and UDP connections and listens
2. The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets.
3. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.
4. Unlike telnet, nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet does with some.
5. Common uses include:
  1. simple TCP proxies
  2. shell-script based HTTP clients and servers
  3. network daemon testing
  4. a SOCKS or HTTP ProxyCommand for ssh(1)
  5. and much, much more
6. https://man.openbsd.org/nc