Tools and Techniques

Ping command

Netstat

The netstat command lets you view statistics for the TCP/IP protocols on a system. Many attacks establish connections from an infected computer to a remote computer. If you suspect this, you can often identify these connections with netstat.

Windows:

netstat /? --> Get help
netstat -a --> All TCP/UDP ports that a system is listening on.
netstat -e --> Display details on network statistics, including how many bytes the system sent and received
netstat -s --> Display statistics of packets sent and received for specific protocols such as IP, ICMP, TCP and UDP
netstat -n --> Display addresses and port numbers in numerical order.
netstat -p protocol --> Statistics for a specific protocol. 'netstat -p tcp' shows only TCP statistics
netstat -b --> Displays the executable involved in creating each connection or listening port.
netstat -o --> Displays the process ID (PID) that owns each connection or listening port.

🧠 Imagine you want to see all the TCP connections with the port IDs and process IDs.

netstat -ponb tcp

You can see all the ESTABLISHED connections simply by piping its output:
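As an added example (not from these notes), the following Python script parses a constructed netstat -ano listing, keeps only the ESTABLISHED TCP sessions that go to a non-loopback peer, and groups those peers by the owning PID (the -o column) so each process's remote connections can be reviewed; the sample output, addresses and PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real host);
# the peers are RFC 5737 documentation addresses and the PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     4120
  TCP    192.168.1.20:49810     203.0.113.7:443        ESTABLISHED     4120
  TCP    192.168.1.20:49811     198.51.100.9:4444      ESTABLISHED     7332
  TCP    192.168.1.20:49812     198.51.100.9:4444      TIME_WAIT       0
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1480
"""

# One table row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def split_endpoint(endpoint):
    """'192.168.1.20:49810' -> ('192.168.1.20', '49810'); handles '[::]:445' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text):
    """Parse the -ano table into dicts, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": split_endpoint(local),
                         "foreign": split_endpoint(foreign),
                         "state": state or "", "pid": int(pid)})
    return rows

def established_remote(rows):
    """ESTABLISHED TCP sessions to a non-loopback peer: the ones to triage first."""
    return [r for r in rows if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not (r["foreign"][0].startswith("127.") or r["foreign"][0] == "::1")]

def by_pid(rows):
    """Group remote peers by owning PID (the -o column) for review per process."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["pid"]].append("%s:%s" % r["foreign"])
    return dict(groups)
```

The PID can then be matched against the executable shown by netstat -b or Task Manager to decide whether the connection is expected.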

Tracert

The tracert command lists the routers between two systems. In this context, each router is referred to as a hop. Tracert identifies the IP address and sometimes the host name of each hop, in addition to the round-trip times (RTTs) for each hop.

Windows -> tracert

Linux -> traceroute

Scenario 1: Network administrators typically use tracert to identify faulty routers on the network. Ping tells them if they can reach a distant server. If the ping fails, they can use tracert to identify where the traffic stops. Some of the hops will succeed, but at some point, tracert will identify where packets are lost, giving them insight into where the problem has occurred. Other times, they will see where the RTTs increase as traffic is routed around a faulty router. Tracing a path is especially valuable when troubleshooting issues through a wide area network (WAN).

Scenario 2: From a security perspective, you can use tracert to identify modified paths. As an example, consider Figure 1.5. Users within the internal network normally access the Internet directly through Router 1. However, what if an attacker installed an unauthorized router between Router 1 and the Internet?

Tracing a path with tracert

Traffic will still go back and forth to the users. However, the attacker could capture the traffic with a protocol analyzer and view any data sent in clear-text.