Networking Tools

Tools
There are a number of tools available to you for diagnosing and treating network issues.
These tools may be built into the computer's operating system, shipped as standalone software
applications, or exist as hardware tools that you can use to troubleshoot a network. The
common ones include:
• ping — A TCP/IP utility that sends a datagram to the host named in the command. If the
network is functioning properly, the receiving host answers with a reply datagram.
• tracert/traceroute — A TCP/IP utility that determines the route data takes to reach a
particular destination. It can help you determine where packets are being lost in the
network, helping to pinpoint the problem.
• nslookup — A DNS utility that displays the IP address of a hostname or vice versa. This
tool is useful for identifying problems involving DNS name resolution.
• ipconfig — A Windows TCP/IP utility that verifies network settings and connections. It
can tell you a host’s IP address, subnet mask and default gateway, alongside other
important network information.
• ifconfig — A Linux or UNIX TCP/IP utility that displays the current network interface
configuration and enables you to assign an IP address to a network interface. Like
ipconfig on Windows, this command will tell you vital information about the network
and its status.
• iptables — A Linux firewall program that protects a network. You can use this tool if you
suspect that your firewall may be too restrictive or too lenient.
• netstat — A utility that shows the status of each active network connection.
This tool is useful for finding out what services are running on a particular
system.
• tcpdump — A packet-capture utility that prints the packets seen on a network
interface, optionally limited to those matching a filter expression. It is available
for free on Linux and can also be downloaded as a command-line tool for Windows.
• pathping — A TCP/IP command that provides information about latency and
packet loss on a network. It can help you troubleshoot issues related to
network packet loss.
• nmap — A utility that can scan the entire network for various ports and the
services that are running on them. You can use it to monitor remote network
connections and get specific information about the network.
• route — A command that enables manual updating of the routing table. It can
be used to troubleshoot static routing problems in a network.
• arp — A utility that supports the Address Resolution Protocol (ARP) service of
the TCP/IP protocol suite. It lets the network admin view the ARP cache and
add or delete cache entries. It can be used to address problems having to do
with specific connections between a workstation and a host.
• dig — A Linux or UNIX command-line tool that will display name server
Ping
• Ping sends ICMP echo requests and waits for ICMP echo responses from a host.
• Some hosts may choose not to reply because of security policy. Silence does
not necessarily mean they are down.
• Ping is used for troubleshooting: testing network connectivity, measuring
network response time (latency, or round-trip time (RTT)) and checking host
availability.
• Multiple requests, typically four or five, are sent and the results are
displayed.
• General ping syntax is ping ipaddress|domainname
Ping example
The display includes the host IP address, the number of packets sent and received, each
packet's size, each packet's RTT and the average RTT, and TTL details.
Request timed out: indicates no response, which can have many different causes; the most
common include network congestion, failure of the ICMP request, packet filtering, a
routing error, or a silent discard.
Destination host unreachable: means the host does not exist (a wrong or non-existent IP
address was used), there is a routing problem, or the route is blocked for security
reasons.
IPCONFIG
• Aka Internet Protocol configuration (IPCONFIG)
• A Windows command that displays information about network configuration
and refreshes DHCP and DNS settings (ifconfig is the ipconfig equivalent
for UNIX operating systems)
• The basic IPCONFIG command displays the connected network's configuration
(IP address, subnet mask and default gateway); with switches it also
refreshes DHCP and DNS settings
• In addition, IPCONFIG with the /all switch displays the hostname, MAC
address, DNS server address and much more information
• IPCONFIG is used to view IP information, troubleshoot, fix DNS and IP
issues, and more
Uses of IPCONFIG
• Monitor network performance by displaying information about IP addresses and
other network settings. This helps identify network bottlenecks, detect
connectivity issues and troublesome trends and patterns, and troubleshoot
other network-related problems
• Ipconfig works in scripts to automate network configuration tasks or to
gather information about network settings, especially in large networks
• Ipconfig can be used to view the IP addresses and other network settings
of a computer while it is connected to a virtual private network (VPN)
• Ipconfig helps diagnose (troubleshoot) connectivity issues. If a computer
can't connect to the Internet or other network resources, use ipconfig to
view the IP configuration and ensure that the correct IP addresses and
default gateway are being used
• It can replace an expired address or help if your current IP assignment is
causing problems (it can renew DHCP leases).
• Frequently visited names are stored in the DNS cache; when their IP
addresses change, the stale entries cause errors (and the cache takes up
space, making DNS slow). You can use ipconfig to solve this problem by
flushing the DNS cache. Clearing the cache resolves the error and improves
connectivity
Common ipconfig commands and switches
• Ipconfig offers several options and switches that customize the
information displayed or change the actions performed. The basic syntax
of the ipconfig command is "ipconfig [options]", where "options" are the
optional parameters used to modify the command's output. Some of the most
used options include:
• ipconfig /all: Displays detailed information about all adapters,
including the IP address, subnet mask, default gateway, DHCP server,
and DNS servers
• ipconfig /release: Releases the DHCP lease for the specified adapter
• ipconfig /renew: Requests a new DHCP lease for the specified adapter
• ipconfig /flushdns: Clears the DNS cache on the computer
• ipconfig /? or /help: Displays all the available options for the ipconfig
command
NSLOOKUP
• Nslookup stands for "name server lookup" and is one of the best ways to
find a host's IP address or domain name.
• With the nslookup command, you can get fundamental DNS information much
more quickly. You can easily check whether a domain name is resolving
correctly to an IP address, troubleshoot network issues, and verify the
correctness of your DNS configuration
• The above example is called non-interactive mode, where users enter the
name server lookup command and the desired parameters on one line, making
it easier for beginners getting to know the commands
• Interactive mode works better for more advanced users. The parameters for
the lookup are entered separately, one at a time, rather than on the
command line
Tracert/Traceroute
• The Traceroute command (Tracert on Windows) is a small network
diagnostic utility built into devices and servers for tracing the route,
hop by hop, to a target
• It gives the full route the packets take to their destination (each
hop's domain name or IP address) and the latency, the time it takes for
each device to receive and resend the data
• The command works by manipulating the packet's time-to-live (TTL) value.
The TTL is the number of times the packet can be forwarded by the next
host encountered on the network, i.e. the number of hops it may traverse
• Tracert can show the gateway that discards data, so the fault can be
located and fixed
• The list of devices and information created can be helpful for a
penetration tester when determining what devices are on a network
How tracert Works
• When executed, tracert sends an IP packet containing the source and
destination addresses and a time to live (TTL) value, increasing the TTL
by one for each hop it wants to reveal.
• The TTL in a packet decreases by one at each hop. This is how IP avoids
packets circulating forever in routing loops.
• When the TTL reaches zero, the packet expires and is discarded.
• When this occurs, the router that discarded the packet returns an ICMP
Time Exceeded message to the sender.
• Because small TTL settings cause packets to expire quickly, tracert forces
every router in a packet's path, one after another, to produce the ICMP
message that identifies it.
After running the tracert command, you'll be presented with a list of hops, each showing the
time taken for your data to travel.
• IP Addresses: the series of numbers represents the routers your data passes through.
• Response Times: the time displayed (in milliseconds) indicates how long it took for your data
to reach each router. Higher times might indicate network congestion or other issues
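The TTL mechanism above, simulated in Python as an added example (not code from the original slides): a constructed path of routers, one of which is configured not to send Time Exceeded, is probed with TTL 1, 2, 3, ... and the replies are assembled into the hop list tracert prints. The addresses and delays are made up for the simulation.

```python
# Constructed path for the simulation (documentation addresses, not real
# hosts). Each entry is (router address, delay in ms seen from the sender);
# a None address is a router that silently discards expired probes.
PATH = [("192.0.2.1", 1), ("198.51.100.7", 8), (None, 15), ("203.0.113.9", 22)]
TARGET = ("203.0.113.10", 25)
MAX_HOPS = 30

def probe(ttl, path=PATH, target=TARGET):
    """One probe with a fixed TTL. Every router decrements the TTL; the router
    that sees it reach zero discards the packet and, unless policy suppresses
    it, returns ICMP Time Exceeded, which reveals that router's address.
    A TTL larger than the path length reaches the target itself."""
    for router, delay in path:
        ttl -= 1
        if ttl == 0:
            return "time_exceeded", router, delay
    return "reached", target[0], target[1]

def trace(path=PATH, target=TARGET, max_hops=MAX_HOPS):
    """Probe with TTL 1, 2, 3, ... until the target answers. Returns
    (hop number, address or '*' for no reply, RTT in ms or None)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, who, rtt = probe(ttl, path, target)
        hops.append((ttl, who or "*", rtt if who else None))
        if kind == "reached":
            break
    return hops

def largest_rtt_jump(hops):
    """Hop where the RTT grew most over the previous answering hop; a big
    jump points at congestion or a slow link on that segment."""
    prev, worst_gain, worst_hop = None, 0, None
    for hop, _addr, rtt in hops:
        if rtt is None:
            continue
        if prev is not None and rtt - prev > worst_gain:
            worst_gain, worst_hop = rtt - prev, hop
        prev = rtt
    return worst_hop

if __name__ == "__main__":
    for hop, addr, rtt in trace():
        print(f"{hop:3d}  {'*' if rtt is None else str(rtt) + ' ms':>8}  {addr}")
```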
nmap and Ethical Hacking
• nmap, or network mapper, is the most widely used network scanner tool.
Other scanning tools include nikto, Advanced IP Scanner and Intruder.
• It is used to scan IP addresses and ports in a network and to detect
installed applications.
• Nmap allows network administrators, ethical hackers and network security
auditors to find which devices are running on their network, discover
open ports and services, and detect vulnerabilities.
Nmap Features
• Nmap helps to quickly map out a network without sophisticated
commands or configurations. It also supports simple commands (for
example, to check if a host is up) and complex scripting through the
Nmap scripting engine.
• Ability to quickly recognize all the devices, including servers, routers,
switches, mobile devices, etc., on single or multiple networks.
• Helps identify services running on a system including web servers, DNS
servers, and other common applications. Nmap can also detect
application versions with reasonable accuracy to help detect existing
vulnerabilities.
• Nmap can find information about the operating system running on
devices. It can provide detailed information like OS versions, making it
easier to plan additional approaches during penetration testing.
• During security auditing and vulnerability scanning, you can use Nmap to
attack systems using existing scripts from the Nmap Scripting Engine.
• Nmap has a graphical user interface called Zenmap. It helps you develop
visual mappings of a network for better usability and reporting.
Ethical Hacking Phases
• Reconnaissance: also called footprinting, this phase gathers information
about the target before launching an attack. The hacker discovers useful
information such as old passwords, the names of key employees and
necessary network data during this stage.
• Scanning: during this stage, hackers are likely looking for information
such as hostnames, IP addresses and login credentials. They use dialers,
port scanners and network mappers to scan for data.
• Gaining Access: after exposing vulnerabilities in the first and second
rounds, ethical hackers try to exploit them for administrator access
through attacks such as spoofing, phishing, MITM, brute force and DoS,
sent to the application through the network, a subnetwork or a connected
device, to gain system access.
• Maintaining Access: an ethical hacker keeps testing the system for new
flaws and increasing access to see how much power attackers may get once
beyond security clearance. One method of eliminating traces of an assault
is to create a backdoor for future access.
• Clear Tracks: after gaining access and increasing privileges, the hacker
tries to hide the modifications. This includes deleting sent emails,
server logs and temporary files. Also, the hacker would check for alerts
from the email provider for possibly unauthorized logins under their
account.
Nmap scanning
• E.g. scan nmap.org
• Port status is reported as open, closed or filtered
The 3 way TCP handshake
During communication with a TCP service, a single connection is established with
the TCP 3-way handshake. This involves a SYN sent to an open TCP port that has a
service bound to it; typical examples are HTTP (port 80), SMTP (port 25), POP3
(port 110) or SSH (port 22).
The server side sees the SYN and responds with SYN ACK, and the client answers
the SYN ACK with an ACK. This completes the setup, and the data of the service
protocol can now be exchanged.

In this example, the firewall passes the traffic to the web server (HTTP -> 80) and
the web server responds with the acknowledgement.
In all these examples a firewall could be a separate hardware device, or it could be
a local software firewall on the host computer.
Open Ports
The open service could be a publicly accessible service that is, by its
nature, supposed to be accessible. It may also be a back-end service that
does not need to be publicly accessible and therefore should be blocked by
a firewall.
An interesting thing to notice in the Wireshark capture is the RST packet
sent after accepting the SYN ACK from the web server. The RST is sent by
Nmap because the state of the port (open) has already been determined by
the SYN ACK. If we were looking for further information, such as the HTTP
service version or the page itself, the RST would not be sent; a full
connection would be established instead.
Closed Port
• Closed ports most commonly indicate that there is no service running on
the port, but that the firewall has allowed the connection through to the
server. It can also mean no firewall is present at all.
• Note that while we are discussing the most common scenarios, it is
possible to configure a firewall to reject packets rather than drop them.
Packets hitting the firewall would then be seen as closed (the firewall
responds with RST ACK).
• Pictured below is a case where a firewall rule allows the packet on
port 81 through even though there is no service listening on the port.
This is most likely because the firewall is poorly configured
Filtered Ports
• The job of a firewall is to protect a system from unwanted packets that
could harm the system. In this simple example, the port scan is conducted
against port 81; as there is no service running on this port, using a
firewall to block access to it is best practice.
A filtered port result from Nmap indicates that the port has not responded
at all: the SYN packet has simply been dropped by the firewall. See the
following Wireshark packet capture, which shows the initial packet with no
response
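Added example (not from the original slides): the three outcomes above, open, closed and filtered, classified in Python from a constructed packet list shaped like the Wireshark captures discussed, plus the defender's counterpart, spotting the half-open flows (SYN, SYN/ACK, RST with no ACK) that a SYN scan leaves behind in a capture or firewall log. Addresses and ports are constructed.

```python
# Constructed packet records in the spirit of a Wireshark capture (not a
# real capture; documentation addresses). Fields: src, dst, sport, dport,
# TCP flags (S=SYN, A=ACK, R=RST).
SCANNER, SERVER = "192.0.2.50", "203.0.113.10"
CAPTURE = [
    # port 80: a service is listening -> SYN/ACK; Nmap then tears down with RST
    (SCANNER, SERVER, 40001, 80, "S"),
    (SERVER, SCANNER, 80, 40001, "SA"),
    (SCANNER, SERVER, 40001, 80, "R"),
    # port 81: nothing listening, firewall lets the probe through -> RST/ACK
    (SCANNER, SERVER, 40002, 81, "S"),
    (SERVER, SCANNER, 81, 40002, "RA"),
    # port 22: probe silently dropped by the firewall -> no reply at all
    (SCANNER, SERVER, 40003, 22, "S"),
    # port 443: an ordinary client completing the handshake (SYN, SYN/ACK, ACK)
    (SCANNER, SERVER, 40004, 443, "S"),
    (SERVER, SCANNER, 443, 40004, "SA"),
    (SCANNER, SERVER, 40004, 443, "A"),
]

def port_states(packets, scanner, target):
    """Nmap-style state of each probed port on `target`, from what answered the SYN:
    SYN/ACK -> open, RST(/ACK) -> closed, nothing -> filtered."""
    reply = {}
    for src, dst, sport, dport, flags in packets:
        if src == scanner and dst == target and flags == "S":
            reply.setdefault(dport, None)
        elif src == target and dst == scanner and sport in reply:
            reply[sport] = flags
    return {p: "open" if f == "SA" else "closed" if f in ("RA", "R") else "filtered"
            for p, f in reply.items()}

def half_open_probes(packets):
    """Defender's view: client flows that got SYN/ACK but answered RST instead of
    ACK never carried data. Many such flows from one source are the signature
    of a SYN scan. Returns the probed destination ports."""
    flows = {}
    for src, dst, sport, dport, flags in packets:
        if flags == "S":                              # client SYN opens a flow
            flows[(src, sport, dst, dport)] = ["S"]
        elif (dst, dport, src, sport) in flows:       # reply from the server
            flows[(dst, dport, src, sport)].append(flags)
        elif (src, sport, dst, dport) in flows:       # next packet from client
            flows[(src, sport, dst, dport)].append(flags)
    return sorted(key[3] for key, seq in flows.items() if seq == ["S", "SA", "R"])
```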
Comparing network troubleshooting tools
• Ping, a command-line utility that tests connectivity to a remote
host by sending ICMP echo request packets and waiting for a
response
• Tracert, a command-line utility that displays the path taken by
packets across an IP network
• Netstat, a command-line utility that displays active TCP/IP
connections and their status, including the local and remote IP
addresses and ports
• Netsh, a command-line utility that's used to update network
configuration settings
• Nslookup, a command-line utility that displays information about
a domain name, such as the IP address and the name servers
• Event Viewer, a graphical tool that displays system and
application log data, which then can be used to troubleshoot
issues related to network connectivity or other problems
