If you’re planning to take the SY0-601 version of the Security+ exam, you should understand how several command-line tools can help you assess organizational security. Administrators (and attackers) use many commands for network reconnaissance and discovery. Administrators use them for legitimate purposes, such as when troubleshooting. Attackers use them to gain more information about a network and individual hosts as they try to extend their foothold in an attack.
For example, can you answer this practice test question?
Q. You suspect that traffic in your network is being rerouted to an unauthorized router within your network. Which of the following command-line tools would help you narrow down the problem?
A. ping
B. tracert
C. ipconfig
D. netstat
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Ping
Ping is a basic command used to test connectivity with remote systems. You can also use it to verify that a system can resolve valid hostnames to IP addresses (ping a hostname and check that it is translated to the expected address), test the local TCP/IP stack and NIC (ping 127.0.0.1 or the system’s own address), and assess organizational security, for example by checking whether a firewall blocks ICMP echo requests from outside the network as intended.
The ping command checks connectivity by sending Internet Control Message Protocol (ICMP) echo request packets. Remote systems answer with ICMP echo reply packets, and if you receive echo replies, you know that the remote system is operational. The reverse is not true: if you receive no reply, the system isn’t necessarily down, because many hosts and firewalls simply drop ICMP echo requests. A failed ping only tells you the host didn’t answer. As a simple example, the following command verifies that your computer can connect with another computer on your network, assuming the other computer has the IP address of 192.168.1.1:
ping 192.168.1.1
On Windows systems, ping sends out four ICMP echo requests by default. Systems that receive the ICMP echo requests respond with ICMP echo replies. On Linux-based systems, ping continues until you press the Ctrl + C keys to stop it. You can mimic this behavior on Windows systems by using the -t switch like this:
ping -t 192.168.1.1
Similarly, you can mimic the behavior of a Windows ping on a Linux system using the -c switch (for count) like this (the equivalent count switch on Windows is -n, as in ping -n 4 192.168.1.1):
ping -c 4 192.168.1.1
This example tested connectivity with an IP address in a local network, but you can just as easily test connectivity with any system. For example, if you knew the IP address of a system hosting a website on the Internet, you could ping its IP address.
Ipconfig and ifconfig
The ipconfig command (short for Internet Protocol configuration) shows the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration information for a Windows system. By itself, ipconfig lists the IP address, subnet mask, and default gateway for each network interface card (NIC), including wired and wireless NICs; ipconfig /all adds the MAC (physical) address, the DHCP status and server, and the addresses of the Domain Name System (DNS) servers. Technicians often use ipconfig as a first step when troubleshooting network problems. From a security perspective, a default gateway or DNS server address you don’t recognize in this output is worth investigating, because a rogue DHCP server can hand out exactly those values to redirect traffic.
Linux-based systems traditionally use ifconfig (short for interface configuration) instead of ipconfig. Beyond listing the properties of each NIC, ifconfig can also configure the NIC, such as assigning an IP address or changing interface flags, which ipconfig cannot do. Note that ifconfig comes from the older net-tools package and is deprecated; many current distributions don’t install it by default and use the ip command from iproute2 instead (ip addr show lists addresses, and ip link show lists interfaces and their flags).
Normally, a NIC runs in non-promiscuous mode and passes up to the operating system only the frames addressed to its own MAC address, plus broadcast and multicast frames; everything else that reaches the NIC is discarded. However, there are times when you want the system to process all traffic that reaches the NIC. As an example, if you’re using a protocol analyzer application on a system, you would typically want to see all the traffic. Putting the NIC in promiscuous mode (for example, ifconfig eth0 promisc, or ip link set dev eth0 promisc on with the newer ip command) shows all the frames the NIC receives in the protocol analyzer application. Keep in mind that on a switched network the switch only forwards frames destined for your port, so promiscuous mode alone won’t show you traffic between other hosts; that requires a mirror (SPAN) port or a network tap. ipconfig has no equivalent option; on Windows, capture tools such as Wireshark rely on the Npcap driver to enable promiscuous mode.
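The flip side of the promiscuous-mode discussion is detection: a NIC in promiscuous mode on a workstation that has no business capturing traffic usually means a sniffer is running. The following is an added example (not code from the original post) that parses the one-line-per-interface output of ip -o link show and reports interfaces whose link flags include PROMISC. The sample output is constructed, not captured from a real host; live_promiscuous_interfaces() runs the real command on a Linux system.

```python
"""Find Linux interfaces running in promiscuous mode.

Added example, not code from the original post. It parses `ip -o link show`
(iproute2, one interface per line) and reports interfaces whose link flags
include PROMISC. The sample output below is constructed, not captured.
"""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample of `ip -o link show` output. eth0 has been put into
# promiscuous mode (e.g. `ip link set dev eth0 promisc on` or the older
# `ifconfig eth0 promisc`); lo and wlan0 have not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000\\    link/ether 0a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff
"""

# Each line looks like "2: eth0: <FLAG,FLAG,...> mtu ...". VLAN and veth
# interfaces print as "eth0.10@eth0:", so anything after '@' is not part
# of the name.
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def parse_ip_link(output: str) -> Dict[str, Set[str]]:
    """Map each interface name to its set of link flags."""
    interfaces: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if m:
            interfaces[m.group("name")] = {f for f in m.group("flags").split(",") if f}
    return interfaces


def promiscuous_interfaces(output: str) -> List[str]:
    """Sorted names of interfaces whose flags include PROMISC."""
    return sorted(name for name, flags in parse_ip_link(output).items() if "PROMISC" in flags)


def live_promiscuous_interfaces() -> List[str]:
    """Run `ip -o link show` on this Linux host and report PROMISC interfaces."""
    out = subprocess.run(["ip", "-o", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    return promiscuous_interfaces(out)


if __name__ == "__main__":
    # On a host that should not be capturing traffic, any name printed here
    # deserves a look: a sniffer is the usual reason a NIC is in this mode.
    print("PROMISC in sample:", promiscuous_interfaces(SAMPLE_IP_LINK))
```

The PROMISC flag is set whether the mode was enabled by hand or by a capture tool opening the interface, so this check catches both. The kernel also logs the transition (a "device eth0 entered promiscuous mode" line in dmesg or the system journal), which makes a good alert source when you cannot poll every host.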
Tracert and traceroute
The tracert command lists all the routers between two systems. In this context, each router is referred to as a hop. Tracert identifies the IP address and sometimes the hostname of each hop in addition to the round-trip times (RTTs) for each hop. It does this by sending probes with increasing time-to-live (TTL) values: the first probe has a TTL of 1, so the first router decrements it to zero, discards it, and returns an ICMP Time Exceeded message that reveals the router’s address; the next probe uses a TTL of 2, and so on until the destination itself replies. Windows-based systems use tracert and Linux-based systems use traceroute, and they function similarly, although the probes differ: tracert sends ICMP echo requests, while traceroute sends UDP packets to high-numbered ports by default (traceroute -I switches it to ICMP), so a firewall may treat the two differently. I’m using the command name tracert in this section for simplicity, but this section applies to both equally.
Network administrators typically use tracert to identify faulty routers on the network. Ping tells them if they can reach a distant server. If the ping fails, they can use tracert to identify where the traffic stops. Some of the hops will succeed, but at some point, tracert will identify where packets are lost, giving them insight into where the problem has occurred. Be aware that a hop that shows only asterisks (* * *) isn’t necessarily faulty; many routers and firewalls simply don’t send ICMP Time Exceeded messages, so a silent hop followed by responsive hops is normal. Other times, they will see where the RTTs increase as traffic is routed around a faulty router. From a security perspective, you can use tracert to identify modified paths. As an example, consider the figure below. Users within the internal network normally access the Internet directly through Router 1. However, what if an attacker installed an unauthorized router between Router 1 and the Internet?

Tracing a path with tracert
Traffic will still go back and forth to the users, so they may not notice anything. However, the attacker’s router is now on the path (an on-path, or man-in-the-middle, position), so the attacker could capture the traffic with a protocol analyzer and view any data sent in cleartext. The attacker may also launch other attacks, such as some of the attacks discussed in Chapter 7, “Protecting Against Advanced Attacks.” A tracert from an internal host reveals the change as an extra hop between Router 1 and the first Internet router, which is why comparing today’s trace with a known-good trace is so useful.
From another perspective, you can identify if Internet paths have been modified. Imagine that you often connect to a server in New York from a New York location. Today, the connection seems abnormally slow. You could use tracert to verify the path. If you notice that traffic is now going through IP addresses in foreign countries, it indicates a problem.
Give it a try. Launch a command prompt and use the following commands to see some common uses and outputs from the tracert command:
- Type in tracert blogs.getcertifiedgetahead.com and press Enter. Identify how many hops are between your system and this web server. Identify if any RTTs are significantly longer than others.
- Type in tracert -d blogs.getcertifiedgetahead.com and press Enter. Notice that the -d switch forces tracert to not resolve IP addresses to hostnames, allowing the command to finish quicker.
Note that some of the switches are different between tracert and traceroute. As an example, to force traceroute to not resolve IP addresses to hostnames, you use the -n switch as in traceroute -n blogs.getcertifiedgetahead.com.
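Spotting an inserted router by eye works for one trace, but the practical approach is to keep a known-good baseline and compare against it. The following is an added example (not code from the original post) that parses both Windows tracert and Linux traceroute -n output and reports hops that were inserted, hops that went missing, hops that stayed silent, and whether the first hop is still the expected default gateway. The hop listings are constructed with RFC 5737 documentation addresses rather than captured from a real network, and the baseline path and expected gateway (Router 1 in the figure) are assumptions for the example; only IPv4 traces are handled.

```python
"""Compare a tracert/traceroute path against a known-good baseline.

Added example, not code from the original post. Hop listings are constructed
(RFC 5737 addresses); BASELINE_PATH and EXPECTED_GATEWAY are assumptions.
Handles Windows tracert and Linux `traceroute -n` output (IPv4 only).
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: Router 1 from the figure is the default gateway, and these are
# the hops normally seen from the internal network to the server 192.0.2.80.
EXPECTED_GATEWAY = "192.168.1.1"
BASELINE_PATH = ["192.168.1.1", "203.0.113.1", "198.51.100.9", "192.0.2.80"]

# Constructed Windows tracert output for the normal path.
NORMAL_TRACERT = """\
Tracing route to 192.0.2.80 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     8 ms     7 ms     9 ms  203.0.113.1
  3    12 ms    11 ms    12 ms  198.51.100.9
  4    14 ms    13 ms    14 ms  192.0.2.80

Trace complete.
"""

# Constructed output after an unauthorized router (203.0.113.77) is inserted
# between Router 1 and the Internet, as in the figure: one extra hop appears.
REROUTED_TRACERT = """\
Tracing route to 192.0.2.80 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  203.0.113.77
  3     9 ms     8 ms     9 ms  203.0.113.1
  4    13 ms    12 ms    12 ms  198.51.100.9
  5    15 ms    14 ms    15 ms  192.0.2.80

Trace complete.
"""

# Constructed Linux `traceroute -n` output where hop 3 stays silent. A silent
# hop is not evidence of rerouting: many routers drop or rate-limit the ICMP
# Time Exceeded replies that traceroute depends on.
LINUX_TRACEROUTE = """\
traceroute to 192.0.2.80 (192.0.2.80), 30 hops max, 60 byte packets
 1  192.168.1.1  0.512 ms  0.498 ms  0.471 ms
 2  203.0.113.1  8.131 ms  8.002 ms  7.988 ms
 3  * * *
 4  192.0.2.80  14.210 ms  13.980 ms  14.001 ms
"""

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")  # hop lines start with a number
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_hops(output: str) -> List[Tuple[int, Optional[str]]]:
    """(hop number, address) per hop line; address is None for '* * *' hops.

    Header/trailer lines ("Tracing route to", "Trace complete.", "traceroute
    to") don't begin with a hop number and are skipped. RTT values such as
    "0.512" never have four octets, so the first IPv4 match is the hop address.
    """
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            ip = IPV4_RE.search(m.group("rest"))
            hops.append((int(m.group("hop")), ip.group(1) if ip else None))
    return hops


def compare_path(output: str, baseline: List[str], gateway: str) -> Dict[str, object]:
    """Report how an observed trace differs from the baseline path.

    inserted:     responding hops not in the baseline (an extra router)
    missing:      baseline hops not seen (rerouting, or just a silent hop)
    unresponsive: hop numbers that printed no address
    first_hop_ok: first responding hop is the configured default gateway;
                  a rogue DHCP server or ARP spoofing changes this
    """
    hops = parse_hops(output)
    seen = [ip for _, ip in hops if ip is not None]
    return {
        "hop_count": len(hops),
        "first_hop_ok": bool(seen) and seen[0] == gateway,
        "inserted": [ip for ip in seen if ip not in baseline],
        "missing": [ip for ip in baseline if ip not in seen],
        "unresponsive": [n for n, ip in hops if ip is None],
    }


def path_is_suspicious(report: Dict[str, object]) -> bool:
    """True if an unexpected router appears or the first hop isn't the gateway.

    A missing baseline hop counts only when no hop was silent; otherwise the
    trace is inconclusive and should simply be repeated.
    """
    if report["inserted"] or not report["first_hop_ok"]:
        return True
    return bool(report["missing"]) and not report["unresponsive"]
```

Run tracert -d (or traceroute -n) so the output contains bare addresses, feed the text to compare_path, and keep the baseline per site and destination, since legitimate path changes happen whenever the ISP reroutes. The first-hop check covers the other common way an attacker inserts a router, namely becoming the gateway through rogue DHCP or ARP spoofing, which the figure’s scenario doesn’t show but which ipconfig would also reveal as an unfamiliar default gateway.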
Q. You suspect that traffic in your network is being rerouted to an unauthorized router within your network. Which of the following command-line tools would help you narrow down the problem?
A. ping
B. tracert
C. ipconfig
D. netstat
Answer is B. Tracert (or traceroute on Linux) lists every hop between your system and the destination. If an extra router has been inserted into the path, it appears as an additional hop that isn’t in the normal path, so comparing the trace with a known-good trace narrows down where the rerouting occurs.
You can use ping to check connectivity with a remote system, but it doesn’t show the route.
The ipconfig command shows the network settings on a Windows computer, but it doesn’t show the path traffic takes through the network.
Netstat shows active connections and other network statistics on a local system, but it doesn’t identify network paths.
See Chapter 1 of the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide for more information on using command-line tools.