IT-IAS02: Information Assurance and Security 2

This document provides an overview of various networking tools used for information assurance and security including ping, ipconfig, ifconfig, arp, netstat, DNS tools like nslookup and dig, network scanners, protocol analyzers like Wireshark, and network monitoring. It describes the basic functions and usage of each tool to verify connectivity, view network configuration and status, lookup IP addresses and DNS records, inventory networks, analyze network traffic, and monitor networks on an ongoing basis.

Uploaded by

Don Tiburcio

IT-IAS02

INFORMATION ASSURANCE AND SECURITY 2


LEARNING OBJECTIVES
• At the end of the lesson, the students should be able to:

1. Learn how to use the tracert, netcat, arp, ip, ifconfig, DHCP and DNS tools.
OPERATING SYSTEM UTILITIES
Ping
If you want to know whether two TCP/IP systems share the same network, the go-to
tool is ping.

The ping utility takes advantage of the fact that, by design, all TCP/IP hosts
respond to ICMP echo requests. When one system successfully pings another host,
you automatically know that the other system is connected and is properly IP
addressed.
In Windows, ping runs four times and stops automatically. In Linux, ping runs
continuously until you press Ctrl-C. To get ping to run continuously in Windows,
use the -t switch.
The ping utility has uses beyond simply verifying connectivity. Running ping
using a DNS name, for example, is a great way to verify you have a good DNS
server. Look at Figure 4-3. Note that the ping is unsuccessful, but ping
successfully resolves the DNS name to an IP address.
The ping utility offers many more features that IT security
professionals use all the time. Here is a list of some of the more
useful switches:
• -a Resolve addresses to hostnames
• -f Set the Don’t Fragment flag in the packet (IPv4 only)
• -4 Force using IPv4
• -6 Force using IPv6
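The difference the text points out between a ping that fails to resolve the name and one that resolves it but gets no reply is worth automating when you check many hosts. The following Python is an added example, not code from the lesson or from the textbook it draws on: it classifies the text printed by a ping run on Windows or Linux into three verdicts. The sample outputs are constructed, and the patterns match the stock English ping messages, which is an assumption; a localized Windows ping prints different text.

```python
import re

# First line of a run, on either platform; the bracketed address is absent
# when the target was given as a literal IP, so that group is optional:
#   Windows: "Pinging www.example.com [93.184.216.34] with 32 bytes of data:"
#   Linux:   "PING www.example.com (93.184.216.34) 56(84) bytes of data."
_TARGET = re.compile(
    r"^(?:Pinging|PING)\s+(?P<name>\S+)"
    r"(?:\s+[\[(](?P<addr>[0-9A-Fa-f.:]+)[\])])?", re.M)
# A reply line: "Reply from ..." on Windows, "64 bytes from ..." on Linux.
_REPLY = re.compile(r"^(?:Reply from|\d+ bytes from)\s")
# How each platform reports that the name could not be resolved.
_DNS_FAIL = re.compile(
    r"could not find host|Name or service not known|failure in name resolution",
    re.I)


def classify_ping(output):
    """Summarize one ping run as a dict whose 'verdict' is one of
    'dns-failed', 'resolved-unreachable' or 'reachable'."""
    target = _TARGET.search(output)
    if target is None or _DNS_FAIL.search(output):
        return {"name": None, "address": None, "replies": 0,
                "verdict": "dns-failed"}
    name = target.group("name")
    address = target.group("addr") or name   # literal IP: no lookup happened
    # "Reply from 192.168.1.1: Destination host unreachable." is a Windows
    # reply line that actually reports failure, so it must not count.
    replies = sum(1 for line in output.splitlines()
                  if _REPLY.match(line) and "unreachable" not in line.lower())
    return {"name": name, "address": address, "replies": replies,
            "verdict": "reachable" if replies else "resolved-unreachable"}


# Constructed sample outputs (not real captures).
WINDOWS_NAME_RESOLVED_NO_REPLY = """\
Pinging www.example.com [93.184.216.34] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 93.184.216.34:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""
WINDOWS_NAME_NOT_RESOLVED = ("Ping request could not find host nosuch.example. "
                             "Please check the name and try again.\n")
LINUX_REACHABLE = """\
PING www.example.com (93.184.216.34) 56(84) bytes of data.
64 bytes from 93.184.216.34: icmp_seq=1 ttl=56 time=11.2 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=56 time=11.0 ms

--- www.example.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
"""

if __name__ == "__main__":
    for sample in (WINDOWS_NAME_RESOLVED_NO_REPLY, WINDOWS_NAME_NOT_RESOLVED,
                   LINUX_REACHABLE):
        print(classify_ping(sample))
```

The middle verdict is the Figure 4-3 case: name resolution worked, so the DNS server is fine, and the problem lies on the path to the host or on the host itself.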
Ipconfig
The ipconfig command is the Windows-only reporting utility that shows
the current status of the network settings for a host system.

Typing ipconfig by itself gives some basic, but important, information.

ipconfig has six switches that are particularly useful, including the
following. Typing ipconfig /all, for example, lists virtually every IP
and Ethernet setting on the system.
• /all Exhaustive listing of virtually every IP and Ethernet setting
• /release Releases the DHCP IP address lease (see “About DHCP” later
in this module)
• /renew Renews the DHCP IP address lease
• /flushdns Clears the host’s DNS cache
• /displaydns Displays the host’s DNS cache
Ifconfig (LINUX operating system)
The ifconfig command is the functional equivalent to ipconfig for
UNIX/Linux operating systems. Figure 4-5 shows ifconfig running in
Ubuntu Linux. Unlike ipconfig, ifconfig goes beyond basic reporting,
enabling you to configure a system. The following example sets the IP
address and the subnet mask for the Ethernet NIC eth0:

sudo ifconfig eth0 192.168.0.1 netmask 255.255.255.0


IP
If you are looking to do anything serious in terms of IP and Ethernet
information on a Linux system, the cool kid is the ip command. The ip
command replaces ifconfig, doing many of the same tasks, such as
viewing IP information on a system, checking the status of network
connections, managing routing, and starting or stopping an Ethernet
interface.

The syntax differs from ipconfig and ifconfig, dropping a lot of the extra
non-alphanumeric characters and shortening switch names. To see all
the Ethernet and IP information for a system, for example, just type this:

ip a
arp
Every host on a network keeps a cache of mapped IP-to-Ethernet
addresses for the local network. The arp command enables you to
observe and administer this cache. Interestingly, both the Windows
version and the Linux version use almost the same switches. If you
want to see the current cache, type the command as follows (Windows
version):

C:\>arp -a

Interface: 192.168.1.75 --- 0x2
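Observing the cache by eye works for one host; for a LAN it helps to parse the arp -a output and compare it with what the network inventory says. The following is an added example, not code from the lesson: it reads the Windows and Linux line formats into one table, reports entries that disagree with a recorded baseline, and lists any physical address that answers for several IP addresses. The sample cache and the BASELINE dictionary are constructed for the example, and the assumption is that the site keeps such a baseline of known IP-to-MAC pairs.

```python
import re

# One cache entry per line on each platform (stock formats):
#   Windows:  "  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic"
#   Linux:    "? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0"
_WIN_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(?P<type>\w+)")
_LINUX_ROW = re.compile(
    r"^\S+\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def parse_arp(output):
    """Map IPv4 address -> MAC (lowercase, colon-separated) from `arp -a` text.
    Header lines and incomplete Linux entries ("at <incomplete>") are skipped."""
    cache = {}
    for line in output.splitlines():
        m = _WIN_ROW.match(line) or _LINUX_ROW.match(line)
        if m:
            cache[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return cache


def _is_group_address(mac):
    # Broadcast and IPv4 multicast entries belong to no single host.
    return mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e")


def audit_arp(cache, baseline):
    """Compare a parsed cache with a baseline of known IP -> MAC pairs.
    Returns readable findings; an empty list means nothing to review."""
    findings = []
    for ip, expected in sorted(baseline.items()):
        seen = cache.get(ip)
        if seen is not None and seen != expected:
            findings.append(f"{ip}: cache has {seen}, baseline says {expected}")
    by_mac = {}
    for ip, mac in cache.items():
        if not _is_group_address(mac):
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} answers for {len(ips)} addresses: "
                            + ", ".join(sorted(ips)))
    return findings


# Constructed sample: a Windows cache, a Linux line, and the baseline recorded
# for this (hypothetical) LAN, where 192.168.1.1 is the inventoried gateway.
SAMPLE_WINDOWS_ARP = """\
Interface: 192.168.1.75 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.40          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""
SAMPLE_LINUX_ARP = "? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0\n"
BASELINE = {"192.168.1.1": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for finding in audit_arp(parse_arp(SAMPLE_WINDOWS_ARP), BASELINE):
        print(finding)
```

Both findings in the sample point at the same thing: the gateway's address no longer matches the inventory and is shared with another host. That is a prompt to look at the switch port and the device, not a conclusion in itself.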
netstat
The netstat command is the go-to tool in Windows and Linux to get
any information you might need on the host system’s TCP and UDP
connections, the status of all open and listening ports, and a few other
items such as the host’s routing table.
The preceding netstat output shows the open connections on this
system, mainly HTTPS connections for Web pages. In the State column on
the right, ESTABLISHED identifies active connections and CLOSE_WAIT
indicates connections that are closing.
Typing netstat in Linux gives the same information, but in a slightly
different format. At the very bottom are the associated UNIX sockets. A
socket is an endpoint for connections. This data is very long and not very
useful. Figure 4-6 shows just the first few lines.
Typing netstat -a in Windows or Linux shows the same information as
netstat alone, but adds listening ports. This is a very powerful tool for finding
hidden servers or malware on a host. Look carefully at the following
command. Notice that HTTP port 80 and HTTPS port 443 are listening. This
instantly tells you that the host is an HTTP/HTTPS server. You must then
answer the question: “Should this system be running a Web server?”

C:\Users\Mike>netstat -a
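Answering “should this system be running a Web server?” across a fleet means comparing each host's listening ports with what its role allows. This added example, not code from the lesson, parses netstat -a output in the Windows format (and the Linux format, which carries Recv-Q/Send-Q columns), lists the listening TCP ports, flags those outside an allowlist, and counts the connection states the text mentions. The sample output and the WORKSTATION_ALLOWED set are constructed assumptions, not real captures or a real policy.

```python
import re

# One connection row on either platform. Linux rows have Recv-Q/Send-Q
# counters between the protocol and the local address; Windows rows do not.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP|tcp6?|udp6?)\s+(?:\d+\s+\d+\s+)?"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$")
_LISTEN_STATES = ("LISTENING", "LISTEN")


def parse_netstat(output):
    """Turn `netstat -a` text into dicts with proto, port, remote and state."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                       # banner, header and blank lines
        rows.append({
            "proto": m.group("proto").lower().rstrip("6"),
            # local address is "addr:port" or "[v6addr]:port"; port comes last
            "port": m.group("local").rsplit(":", 1)[-1],
            "remote": m.group("remote"),
            "state": m.group("state") or "",     # UDP rows carry no state
        })
    return rows


def _port_key(port):
    # Numeric ports sort numerically; service names (Linux without -n) after.
    return (not port.isdigit(), int(port) if port.isdigit() else 0, port)


def listening_ports(rows):
    """TCP ports the host is accepting connections on."""
    return sorted({r["port"] for r in rows
                   if r["proto"] == "tcp" and r["state"] in _LISTEN_STATES},
                  key=_port_key)


def unexpected_listeners(rows, allowed):
    """Listening ports outside the allowlist for this host's role."""
    return [p for p in listening_ports(rows) if p not in allowed]


def connection_summary(rows):
    """Count the non-listening TCP states (ESTABLISHED, CLOSE_WAIT, ...)."""
    counts = {}
    for r in rows:
        if r["proto"] == "tcp" and r["state"] and r["state"] not in _LISTEN_STATES:
            counts[r["state"]] = counts.get(r["state"], 0) + 1
    return counts


# Constructed sample in the Windows output format, and the ports a
# workstation in this hypothetical environment is allowed to listen on.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             DESKTOP:0              LISTENING
  TCP    0.0.0.0:135            DESKTOP:0              LISTENING
  TCP    0.0.0.0:443            DESKTOP:0              LISTENING
  TCP    192.168.1.75:49712     203.0.113.10:https     ESTABLISHED
  TCP    192.168.1.75:49720     198.51.100.22:https    CLOSE_WAIT
  UDP    0.0.0.0:5353           *:*
"""
WORKSTATION_ALLOWED = {"135", "139", "445"}

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    print("unexpected:", unexpected_listeners(rows, WORKSTATION_ALLOWED))
    print("states:", connection_summary(rows))
```

On the sample the unexpected list is exactly the pair the text calls out, ports 80 and 443, which is the cue to find out which process owns them (netstat -b on Windows or netstat -p on Linux shows that) before deciding whether the server belongs there.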
DNS TOOLS
DNS security issues can create huge problems for IT security
professionals. Techniques such as spoofing or replacing a host’s DNS
server setting give an attacker tremendous insight into whom the host
is communicating with. There are two tools used to diagnose DNS
issues: nslookup and dig.
nslookup
The nslookup tool, built into both Windows and Linux, has one
function: if you give nslookup a DNS server name or a DNS server’s IP
address, nslookup will query that DNS server and (assuming the DNS
server is configured to respond) return incredibly detailed
information about any DNS domain. For example, you can run
nslookup to ask a DNS server for all the NS (name server) records for
any domain.
This power of nslookup has been used for evil, so few DNS servers
today support nslookup for anything but the simplest queries. But there
are still good reasons to use nslookup.
NETWORK SCANNERS
Network scanners use protocols on a network, almost always a LAN,
to determine as much information about the LAN as possible. In
essence, a scanner is an inventory tool. There is no single standard or
type of network scanner. Different network scanners use a variety of
protocols, standards, and methods to query the hosts on the LAN.
Given that virtually every network in existence uses the TCP/IP
protocol stack, it might be more accurate to use the term TCP/IP
network scanner when describing these tools.
SCANNING METHODS
Every scanner scans differently, but they try to find certain common
data. Here is a short list of some of the important items every network
scanner will inventory:
• Topology
• MAC addresses
• IP addresses
• Open ports
• Protocol information on open ports
• Operating system
SCANNING TARGETS
Think of a baseline as a verification of the network assets. Security
professionals run baselines to make sure of exactly what is on the
network. This is a great time to build an “official” inventory that defines
and details every computer, server, printer, router, switch, and WAP in
the network infrastructure.
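Turning a scan into a baseline and then verifying the network against it is the process this section describes. The following is an added example, not code from the lesson: it loads two inventories from a simple CSV layout assumed for the example (ip,mac,os,ports, with ';' between port numbers; no particular scanner's export format) and reports hosts that appeared or disappeared, ports that opened or closed, and changes in the identified operating system. Both CSV samples are constructed.

```python
import csv
import io


def load_inventory(text):
    """Read a scan export in the CSV layout assumed for this example into
    {ip: {"mac", "os", "ports"}}; ports become a set of integers."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        inventory[row["ip"]] = {
            "mac": row["mac"].lower(),
            "os": row["os"],
            "ports": {int(p) for p in row["ports"].split(";") if p},
        }
    return inventory


def diff_inventory(baseline, current):
    """Everything that differs between the official baseline and a fresh scan."""
    base_ips, cur_ips = set(baseline), set(current)
    report = {
        "new_hosts": sorted(cur_ips - base_ips),      # not in the official inventory
        "missing_hosts": sorted(base_ips - cur_ips),  # inventoried but silent now
        "opened_ports": {},
        "closed_ports": {},
        "changed_os": {},
    }
    for ip in sorted(base_ips & cur_ips):
        before, after = baseline[ip], current[ip]
        opened = sorted(after["ports"] - before["ports"])
        closed = sorted(before["ports"] - after["ports"])
        if opened:
            report["opened_ports"][ip] = opened
        if closed:
            report["closed_ports"][ip] = closed
        if before["os"] != after["os"]:
            report["changed_os"][ip] = (before["os"], after["os"])
    return report


def needs_review(report):
    """New hosts, newly opened ports and OS changes are the findings someone
    should check against the asset before the baseline is updated."""
    return bool(report["new_hosts"] or report["opened_ports"] or report["changed_os"])


# Constructed inventories: the recorded baseline and a later scan of the same LAN.
BASELINE_CSV = """\
ip,mac,os,ports
192.168.1.1,00:11:22:33:44:55,Linux,22;80;443
192.168.1.10,00:11:22:33:44:66,Windows Server,135;445;3389
192.168.1.20,00:11:22:33:44:77,Linux,22
"""
CURRENT_CSV = """\
ip,mac,os,ports
192.168.1.1,00:11:22:33:44:55,Linux,22;80;443
192.168.1.10,00:11:22:33:44:66,Windows Server,135;445;3389;8080
192.168.1.35,00:11:22:33:44:99,Linux,22;80
"""

if __name__ == "__main__":
    report = diff_inventory(load_inventory(BASELINE_CSV), load_inventory(CURRENT_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("needs review:", needs_review(report))
```

A missing host is usually an operational matter (powered off, moved), while a new host or a newly opened port is the inventory question the section raises: either the official inventory is updated because the change was planned, or someone finds out why it is there.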
SCANNER TYPES
Network scanners tend to fit into one of two categories: simple or
powerful. Simple scanners make quick, basic scans. They require little
or no skill and only provide essential information. Powerful network
scanners use many protocols to drill deeply into a network and return
an outrageous amount of information.
Simple Network Scanner
Simple scanners are easy to use and invariably have pretty graphical
user interfaces (GUIs) to improve usability. The free and surprisingly
powerful Angry IP Scanner from Anton Keks (http://angryip.org) does a
good job using simple protocols, mainly ping, to query a single IP
address or an address range. If you just want to count the systems
in a simple LAN and you have confidence that your internal network is
not blocking ICMP messages, Angry IP Scanner
Protocol Analyzer
If network scanners collect and inventory the hosts on a network, then
it is the job of the protocol analyzer to collect and inventory the network
traffic on a network. The CompTIA Security+ exam uses the term
protocol analyzer, but that’s a fairly broad term. The IT industry defines
a protocol analyzer as any type of hardware or software that analyzes any
form of communication. In IP networks, all data transmits via Ethernet
frames or IP packets contained in those frames, so the better term is
packet analyzer (Figure 4-20).
Wireshark
Wireshark is the Grand Old Man of packet analyzers, with an original
development team that keeps this venerable tool sharp with a huge
number of updates. Wireshark is not only powerful but completely free
and works on all major operating systems (and quite a few not so
common ones as well). Its default GUI is so common that even a few
competing protocol analyzers copy it for theirs.
Let’s start with that interface, as shown in Figure 4-22. The interface has
three main panes. At the top are all of the frames currently captured.
(Wireshark shows each Ethernet frame, a feature that few other
protocol analyzers provide.) In the middle are the gritty details of the
frame currently selected in the top pane. At the bottom is the raw
frame data in hexadecimal.
Wireshark is just the protocol analyzer; it requires a sniffer for
capture. Capturing is handled by libpcap in Linux or WinPcap on Windows
systems. Wireshark will install the proper sniffer during the installation
of Wireshark and will also start it up when you start Wireshark.
In a situation in which a tech wants to capture all HTTP traffic
between 12 a.m. and 4 a.m. on a specific server, instead of running
Wireshark all night, he or she will turn to a capture-only tool such as
Tshark, which saves the capture in a format called pcap that can be loaded into
Wireshark the next day for analysis.
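The pcap format that Tshark writes and Wireshark loads is simple enough to read directly, which helps when a capture will not open or when you want to count frames before loading a night's worth of traffic. This added example, not code from the lesson or from the Wireshark project, builds a two-frame pcap image in memory from constructed Ethernet frames and parses it back: the 24-byte global header, the 16-byte record header before each frame (with byte order and timestamp resolution taken from the magic number), and the Ethernet header of each frame. Only the Ethernet link type is handled; that is a deliberate limit of the example.

```python
import struct

# Magic numbers as they read in little-endian order, mapped to the writer's
# byte order and the units of the second timestamp field.
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),        # little-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),    # little-endian, nanoseconds
    0xD4C3B2A1: (">", 1_000_000),        # big-endian, microseconds
    0x4D3CB2A1: (">", 1_000_000_000),    # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1
_GLOBAL_HDR = "IHHiIII"    # magic, major, minor, tz offset, sigfigs, snaplen, linktype
_RECORD_HDR = "IIII"       # ts_sec, ts_frac, captured length, original length


def build_pcap(frames, snaplen=65535):
    """Serialize (timestamp, ethernet_frame) pairs as a little-endian,
    microsecond pcap image. Used here only to construct sample input."""
    out = bytearray(struct.pack("<" + _GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]            # snaplen truncates, orig_len keeps the size
        out += struct.pack("<" + _RECORD_HDR, sec, usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data):
    """Walk a pcap image and return one dict per record: time, captured and
    original length, and the Ethernet addresses and EtherType when present."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"unrecognized pcap magic {magic:#x}")
    order, frac_units = _MAGICS[magic]
    linktype = struct.unpack(order + _GLOBAL_HDR, data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(order + _RECORD_HDR, data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        if len(frame) != incl:
            raise ValueError(f"record at offset {off - 16} is truncated")
        off += incl
        rec = {"time": sec + frac / frac_units, "captured": incl, "original": orig,
               "dst": None, "src": None, "ethertype": None}
        if incl >= 14:                       # enough bytes for an Ethernet header
            rec["dst"] = _mac(frame[0:6])
            rec["src"] = _mac(frame[6:12])
            rec["ethertype"] = struct.unpack("!H", frame[12:14])[0]  # network order
        records.append(rec)
    return records


def ethertype_counts(records):
    counts = {}
    for r in records:
        counts[r["ethertype"]] = counts.get(r["ethertype"], 0) + 1
    return counts


def is_well_formed(data):
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


# Constructed frames: a broadcast ARP request and an IPv4 frame, payloads zeroed.
_ARP_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
              + b"\x08\x06" + bytes(28))
_IPV4_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
               + b"\x08\x00" + bytes(40))
SAMPLE_FRAMES = [(1700000000.25, _ARP_FRAME), (1700000000.5, _IPV4_FRAME)]

if __name__ == "__main__":
    for rec in parse_pcap(build_pcap(SAMPLE_FRAMES)):
        print(rec)
```

The truncation check matters in practice: a capture-only tool that is killed mid-write leaves a final record whose header promises more bytes than follow, and that is the usual reason a pcap from an overnight run reports an error on load.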
Monitoring Network
Every organization with proper security includes continuous network
monitoring to recognize and address performance and security events. This
monitoring manifests as the collection of data from a wide variety of sources,
one being the standard device and system logs inherent to every operating system.
Another source is data from devices running protocols designed specifically for
network monitoring, such as the Simple Network Management Protocol
(SNMP). SNMP data collected for network monitoring includes intrusion
detection/prevention system alerts, firewall alerts and logs, and real-time
network monitoring. Real-time network monitoring involves protocol and traffic
monitoring (also known as sniffing) using a protocol analyzer, so that the data
may be collected and stored for later analysis.
Log File Manager
Device and system logs are basically the files, or audit trails, that
exist on the device and are generated through a logging service or facility
on the host.
Decentralized vs. Centralized Log
Management
In environments such as very small networks that do not have large
infrastructures, or in isolated network segments, decentralized log
management is usually the norm. This means that administrators
usually must visit every network host, collecting the logs manually and
reviewing them either there at the host or by manually offloading them
to a centralized storage area for later analysis.

Centralized log management means that the log files from different
machines are automatically sent to a centralized logging facility or
server, such as a syslog server.
Security Information and Event Management
The traditional way to manage logging and monitoring in a network
was to sit down at a system and look at the log files generated by the
system, reviewing them for the events of interest. This is not the most
efficient way to manage network monitoring and analysis activities.
Log Types

Event logs: as in the case of the Microsoft Windows operating system.

Linux systems refer to them as syslogs or system logs.

Audit logs: Operating systems also store their log files in various locations
and in various formats, some of which are not. In any event, security
personnel often refer to these logs as security or audit logs, or
sometimes as audit trails.
Log analysis
Log analysis usually means reviewing logs and looking for specific
information in the log files, such as security events, and then
correlating those individual events with an overall problem or issue
comprising a series of related events over a specific time frame.
Security events
Security events reveal potentially unauthorized activities or data access
happening on the network, and they can take a wide variety of forms.
Log and event anomalies can provide a wealth of information for the
security professional; in such scenarios, you can fix many network
flaws.
QUESTIONS
1. What does nslookup do?
A. Retrieves the name space for the network
B. Queries DNS for the IP address of the supplied host name
C. Performs a reverse IP lookup
D. Lists the currently running network services on the local host
2. What is Wireshark?
A. Protocol analyser
B. Packet sniffer
C. Packet analyzer
D. All of the above
3. One of your users calls you with a complaint that he cannot reach the
site www.google.com. You try to access the site and discover you
cannot connect either, but you can ping the site with its IP address.
A. The workgroup switch is down.
B. Google is down.
C. The gateway is down.
D. The DNS server is down.
4. What command do you use to see the DNS
cache on a Windows system?
A. ping/showdns
B. Ipconfig/showdns
C. Ipconfig/displaydns
D. ping/displaydns
5. Which of the following display the correct
syntax to eliminate the DNS cache?
A. ipconfig
B. Ipconfig/all
C. Ipconfig/dns
D. Ipconfig/flushdns
6. Which tool enables you to query the
functions of a DNS server?
A. ipconfig
B. nslookup
C. ping
D. xdns
7. The Windows tracert fails sometimes
because many routers block _____ packets.
A. ping
B. TCP
C. UDP
D. ICMP
8. Which tool can you (and hackers) use to
find open ports on your network? (Choose three.)
A. Port scanner
B. Nmap
C. Angry IP Scanner
D. hostname
9. Which tools are used explicitly to monitor
and diagnose problems with DNS?
A. Nmap or Wireshark
B. Nslookup or dig
C. Ping or pathping
D. Tracert or pathping
10. Your manager wants you to institute log management and analysis on a small group of
workstations and servers that are not connected to the larger enterprise network for data sensitivity
reasons. Based upon the level of routine usage and logging, you decide not to implement a
management console but intend to examine each log separately on the individual hosts. What type
of log management are you using in this scenario?
A. Centralized log management
B. Enterprise-level log management
C. Decentralized log management
D. Workgroup-level log management
