If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of common commands that you can run on your primary computer or within a virtual machine. The CompTIA Security+ objectives list several command-line tools that you should know to help you assess the security posture of an organization.
For example, can you answer this question?
Q. You are considering rebooting a database server and want to identify if it has any active network connections. Which of the following commands will list active network connections?
A. arp
B. ipconfig
C. ping
D. netstat
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Ipconfig, ifconfig, and ip
The ipconfig command (short for Internet Protocol configuration) shows the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for a system. This includes items such as the computer’s IP address, subnet mask, default gateway, MAC address, and the address of a Domain Name System (DNS) server. The command shows the configuration information for all network interface cards (NICs) on a system, including both wired and wireless NICs. Technicians often use ipconfig as a first step when troubleshooting network problems.
Linux-based systems use ifconfig (short for interface configuration) instead of ipconfig. A benefit is that ifconfig has more capabilities than ipconfig, allowing you to use it to configure the NIC in addition to listing the properties of the NIC.
The following list shows some common commands:
• ipconfig. Entered by itself, the command provides basic information about the NIC, such as the IP address, subnet mask, and default gateway.
• ipconfig /all. This command shows a comprehensive listing of TCP/IP configuration information for each NIC. It includes the media access control (MAC) address, the address of assigned DNS servers, and the address of a Dynamic Host Configuration Protocol (DHCP) server if the system is a DHCP client. You can use ifconfig -a on Linux systems.
• ipconfig /displaydns. Each time a system queries DNS to resolve a host name to an IP address, it stores the result in the DNS cache, and this command shows the contents of the DNS cache. It also shows any host name to IP address mappings included in the hosts file.
• ipconfig /flushdns. You can erase the contents of the DNS cache with this command. Use this when the cache has incorrect information and you want to ensure that DNS is queried for up-to-date information.
The following commands are unique to Linux systems:
• ifconfig eth0. This command shows the configuration of the first Ethernet interface (NIC) on a Linux system. If the system has multiple NICs, you can use eth1, eth2, and so on. You can also use wlan0 to view information on the first wireless interface.
• ifconfig eth0 promisc. This command enables promiscuous mode on the first Ethernet interface. Promiscuous mode allows a NIC to process all traffic it receives. Normally, a NIC is in non-promiscuous mode and it ignores all packets not addressed to it. You can disable promiscuous mode with this command: ifconfig eth0 -promisc.
• ifconfig eth0 allmulti. This command enables multicast mode on the NIC. This allows the NIC to process all multicast traffic received by the NIC. Normally, a NIC will only process multicast traffic for multicast groups that it has joined. You can disable multicast mode with this command: ifconfig eth0 -allmulti.
Normally, a NIC uses non-promiscuous mode and only processes packets addressed directly to its IP address. However, when you put it in promiscuous mode, it processes all packets regardless of the IP address. This allows a protocol analyzer running on the system to capture all packets that reach the NIC.
The ifconfig command was deprecated in 2009 in Debian distributions of Linux. Deprecated means that its use is discouraged but tolerated. The ifconfig command is part of the net-tools package, and Debian developers are no longer maintaining that package. However, you’ll still see ifconfig and other tools in the net-tools package on most Linux systems, including Kali Linux.
Linux developers recommend that you use ip instead of ifconfig. Although the ip command can display information and configure network interfaces, it doesn’t use the same syntax or have the same abilities. For example, it doesn’t have a command you can use to enable promiscuous mode on a NIC. Here are a few commands that you can use with ip:
• ip link show. Shows the interfaces along with some details on them
• ip link set eth0 up. Enables a network interface
• ip -s link. Shows statistics on the network interfaces
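An interface that someone has switched into promiscuous mode shows a PROMISC flag in the flag list that ip link show prints, so a defender can audit a host for sniffing-capable interfaces by reading that output. The script below is an added example, not code from the original post; it parses a constructed ip link show sample (not captured from a real host) and reports which interfaces carry the flag, and the audit_live_promisc wrapper assumes the iproute2 ip binary is installed.

```shell
#!/bin/sh
# Constructed sample of `ip link show` output (not captured from a real host).
# eth0 carries the PROMISC flag; lo and wlan0 do not.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 0a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff'

# Print the name of every interface whose flag list contains PROMISC.
# Reads `ip link show` style text from stdin. Interface header lines look like
# "2: eth0: <FLAG,FLAG,...> ..." so $2 is the name and $3 is the flag list.
promisc_interfaces() {
    awk '/^[0-9]+: / {
        name = $2
        sub(/:$/, "", name)
        if ($3 ~ /[<,]PROMISC[,>]/) print name
    }'
}

# Number of promiscuous interfaces in the constructed sample.
count_promisc_sample() {
    printf '%s\n' "$SAMPLE_IP_LINK" | promisc_interfaces | wc -l | tr -d ' '
}

# Audit the running host (assumes the iproute2 `ip` command is available).
# Any name printed here deserves a look: legitimate sniffers are rare on servers.
audit_live_promisc() {
    ip link show | promisc_interfaces
}

# Run stand-alone: list promiscuous interfaces found in the sample.
printf '%s\n' "$SAMPLE_IP_LINK" | promisc_interfaces
```

The same check works against a saved copy of ip link show output from a host you are investigating, since promisc_interfaces only reads stdin.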
Netstat
The netstat command (short for network statistics) allows you to view statistics for TCP/IP protocols on a system. It also gives you the ability to view active TCP/IP network connections. Many attacks establish connections from an infected computer to a remote computer. If you suspect this, you can often identify these connections with netstat.
Some of the common commands you can use with netstat are:
• netstat. Displays a listing of all open TCP connections.
• netstat -a. Displays a listing of all TCP and User Datagram Protocol (UDP) ports that a system is listening on, in addition to all open connections. This listing includes the IP address followed by a colon and the port number, and you can use the port number to identify protocols. As an example, if you see an IP address followed by :80, it indicates the system is listening on the default port of 80 for HTTP. This indicates this system is likely a web server.
• netstat -r. Displays the routing table.
• netstat -e. Displays details on network statistics, including how many bytes the system sent and received.
• netstat -s. Displays statistics of packets sent or received for specific protocols, such as IP, ICMP, TCP, and UDP.
• netstat -n. Displays addresses and port numbers in numerical order. This can be useful if you’re looking for information related to a specific IP address or a specific port.
• netstat -p protocol. Shows statistics on a specific protocol, such as TCP or UDP. For example, you could use netstat -p tcp to show only TCP statistics.
You can combine many of the netstat switches to show different types of information. For example, if you want to show a listing of ports that the system is listening on (-a), listed in numerical order (-n), for only the TCP protocol (-p tcp), you could use this command:
netstat -anp tcp
Netstat displays the state of a connection, such as ESTABLISHED to indicate an active connection. RFC 793 (https://tools.ietf.org/rfc/rfc793.txt) formally defines these states.
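The exam question at the top of this post asks how to find a database server's active connections before rebooting it; in practice you would run netstat, then filter its output by the state column. The script below is an added example and not code from the original post: it works over a constructed Linux netstat -ant listing (not captured from a real host) in which the server listens on ports 22 and 3306, and it reports the ESTABLISHED sessions, the listening ports, and which clients are connected to a given port.

```shell
#!/bin/sh
# Constructed sample of Linux `netstat -ant` output (not captured from a real host).
# Scenario from the question: a database server checked before a reboot.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:3306           10.0.0.21:51234         ESTABLISHED
tcp        0      0 10.0.0.5:3306           10.0.0.33:51980         ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.7:60022          ESTABLISHED
tcp        0      0 10.0.0.5:3306           10.0.0.40:52001         TIME_WAIT'

# Print "local foreign" for every TCP line in the state given as $1
# (ESTABLISHED, LISTEN, TIME_WAIT, ...). Reads netstat-style text from stdin;
# the state is always the last field, which keeps this tolerant of column widths.
connections_in_state() {
    awk -v want="$1" '$1 ~ /^tcp/ && $NF == want { print $4, $5 }'
}

# Count sample connections in the given state.
sample_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | connections_in_state "$1" | wc -l | tr -d ' '
}

# Local port numbers the host listens on, one per line, sorted numerically.
# The port is the text after the last colon of the local address.
listening_ports() {
    connections_in_state LISTEN | awk '{ n = split($1, a, ":"); print a[n] }' | sort -n
}

# Foreign addresses with an ESTABLISHED session to local port $1 (e.g. 3306 for MySQL).
clients_on_port() {
    connections_in_state ESTABLISHED | awk -v port="$1" '{
        n = split($1, a, ":")
        if (a[n] == port) print $2
    }'
}

# Number of clients in the sample connected to local port $1.
sample_clients_on_port() {
    printf '%s\n' "$SAMPLE_NETSTAT" | clients_on_port "$1" | wc -l | tr -d ' '
}

# Run stand-alone: summarise the sample the way you would before a reboot.
echo "Listening ports:"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
echo "Established sessions:"
printf '%s\n' "$SAMPLE_NETSTAT" | connections_in_state ESTABLISHED
echo "Clients on 3306:"
printf '%s\n' "$SAMPLE_NETSTAT" | clients_on_port 3306
```

On a live Linux host, pipe netstat -ant into connections_in_state ESTABLISHED instead of the sample; the TIME_WAIT line in the sample is deliberately excluded from the count because it is a closing connection, not an active session a reboot would interrupt.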
Q. You are considering rebooting a database server and want to identify if it has any active network connections. Which of the following commands will list active network connections?
A. arp
B. ipconfig
C. ping
D. netstat
Answer is D. The netstat command displays active connections on a system.
Arp displays information related to media access control (MAC) addresses.
Ipconfig displays TCP/IP configuration information for wired and wireless network interface cards.
Ping checks connectivity with remote systems.
See Chapter 1 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on using command-line tools.