Chapter 16 - 02 - Learn Troubleshooting Basic Network Issues using Utilities and Tools - 04_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

= speedtest.net

The website speedtest.net is used to determine the available bandwidth for a host at a
point of time. It provides free analysis of Internet access performance metrics. For
example, it provides metrics such as the connection data rate (speed) and latency
(connection delay). For enhanced test accuracy, it uses TCP sockets and a custom
protocol for communication between servers and users.
The time taken to upload and download a file can also be determined using this website.
All the tests performed by speedtest.net measure the data rate in the download
direction (from the server to the user) and that in the upload direction (the user to the
server).

Result IlI () RESULTS SETTINGS

3 BI04 RTAT,
VA 54219
%
& PING ms (®
(¥ DOWNLOAD Mbps (*) UPLOAD Mbps

ACT Fibernet
@

Figure 16.80: Working of “Speedtest.net”

= pathping
Source: https://docs.microsoft.com
The pathping utility provides detailed information about the path characteristics from a
specific host to a specific destination in a single picture by taking advantage of the ping
and tracert/traceroute commands. It helps diagnose packet loss and slow speed faults.
Initially, running pathping traces the route to a destination address and launches a 25-s
test for each hop to show the pathping statistics on the data loss to each hop.
pathping [/n] [/h ] [/g ] [/p ]
[/q
[/g [/w ] [/i ] [/4 ] [/6
] []

Options Description

/n Prevents the resolving of an IP address to a host name

Defines the maximum number of hops for reaching the target (30
/hh

/ HIATROPSZ | by default)
by default)
Defines a loose source route through a specified hostlist in the IP
/g
/g. gy
v header (maximum allowed list is 9)

Module 16 Page 1997 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

/p Defines the wait time between pings (mostly in milliseconds)

/q Defines the number of ICMP queries for each hop (100 by default)

/w Defines the wait time for each ICMP reply (3000 ms, i.e., 3 s, by
default)
/i Defines the source address

/4 Forces pathping to use only IPv4

/6 Forces pathping to use only IPv6

Defines the target or destination address that can be identified by

the host name or IP address

/? Displays all the available options on the command-line interface

Table 16.3: pathping command options

Steps to Use pathping for Networking Troubleshooting

o Run the command pathping in Command Prompt. Interrupt
pathping at any time by holding down ctrl + C.

¥ Command Prompt - pathping £.8.2.2 — (| x
C:\ 1Ijpathping 8.8.8.8

Tracing route to dns.google [8.8.8
over a maximum of 3@ hops:
Windows1e [1©.10.10.10]
10.10.10.2
192.168.1.1
100.64.63.254
192.168.34.201
192.168.48.6
192.168.48.2
192.168.48.49
nsg-corporate-229.104.185.122.airtel.in [122.185.104.229]
182.79.198.6
72.14.208.234
1©8.170©.234.3
142.251.55.227
dns.google [8.8.8.8]

Computing statistics for 325 seconds...

Figure 16.81: Running the command “pathping”

Module 16 Page 1998 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

o Use the command pathping -n to show numeric IP numbers instead of DNS host
names.

B Command Prompt - pathping -n www.googl... — O x
C:\u Trmimtandpathping -n www. 5

Tracing route to www.google.com [172.
over a maximum of 3© hops:
o 1©.106.10.10
1
2 192.1
3 100.
4 192.16
= 192.
6 192.16
7 192.:
8 122.1
9 182.
72.14.216.192
216.239.54.67
74.125.252.91
172.217.162.164

325 seconds...

Figure 16.82: Displaying IP numbers instead of domain names

route
Source: https://docs.microsoft.com
The route utility is used to show the ongoing status of and modifications to the routing
table on the Windows host. It is useful when the host has multiple IPs and multiple
hosts. Netmasks, network destinations, and gateways are displayed in the active routes
section of the route utility. In Unix/Linux, the route command can be used without any
command-line switches. The command shows similar outputs for both Windows and
Unix/Linux.
route [/f] [/p] [ [] [mask ]
[] [metric ]] [if ]]

Options Description

/£ Wipes off all entries in the routing table

/p Initializes the new routing table by adding a new route to the registry

Defines the command to run (e.g., add, change, delete, or run)

Defines the destination or target of the route

mask Defines the subnet masks associated with the target

Defines the next hop address or transmission

metric | Defines the integer cost metric for the route (between 0 and 9999)

Module 16 Page 1999 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

if Defines the interface index for reaching the destination

/? Displays all the available options

Table 16.4: route command options

Steps to Use the route Command for Network Troubleshooting
o In Windows, use the command route print to view the routing table (IPv4 and IPv6).

‘ Select Command Prompt - [} x

Intel(R) 82574L Gigabit Network Connection
Ipcap Loopback Adapter
Software Loopback Interface !
00 00 00 ¢ 00 e® Microsoft ISATAP Adapter. 00 00 00 00 e® Teredo Tunneling Pseudo-Interface
00 00 00 00 00 e0® Microsoft ISATAP Adapter #2

IPv4 Route Table

Active Rou
Network De Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.10.10.2 10.10.10.10
10.10.10.0. Oon-1link 10.10.10.10
10,10.10.10 25 Oon-link 10.10.10.10
10.10.10,255 :.2.. 25 On-link 10.10.10.,10
127. o € Oon-1link 127. 0.1
5 Oon-link 127.0.0.1
Oon-link 127.0.0.1
Oon-link E.178.123
On-link 5 3.123
on-link 169. 78.123
On-link.0.0.1 3
224.0.0.0 240.0.0.0 Oon-1link 169.254,. 3 266
224. 240.0.0.0 On-1link 10.10.10.10 266
On-link.0.1 306
Oon-1link 169.254.178.123 266
Oon-1link.10.10.10 266

Active Rout
If Metric Netw < Destination
12 306 ::/ On-link 306 ::1/128 On-link
12 306 2001::/32 On-1link

Figure 16.83: Viewing the routing table

o To add, delete, or change a route entry, use the following command:
route [/p] command dest [mask subnet] gateway [if interface]

Example:
C:\>route /p add 192.168.5.0 mask 255.255.255.0 192.168.1.500
C:\>route change 192.168.5.0 mask 255.255.255.0 192.168.1.542
C:\>route delete 192.168.5.0

Nmap

Source: https://nmap.org
Nmap (“Network Mapper”) is a security scanner for network exploration and hacking. It
allows the discovery of hosts, ports, and services on a computer network, thus creating
a “map” of the network. It sends specially crafted packets to the target host and then
analyzes the responses to accomplish its goal. It scans vast networks of hundreds of

Module 16 Page 2000 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

thousands of machines. Nmap includes many mechanisms for port scanning (TCP and
UDP), OS detection, version detection, ping sweeps, and so on.
Either a network administrator or an attacker can use this tool for their specific needs.
Network administrators can use Nmap for maintaining network inventory, managing
service upgrade schedules, and monitoring host or service uptime. Nmap can also be
used to extract information such as live hosts on the network, open ports, services
(application name and version), type of packet filters/firewalls, MAC details, and OSes,
along with their versions.

Syntax: # nmap

Host Discovery

o Perform an ARP ping scan for discovering live hosts in the network. Use the -PR
option to perform an ARP ping scan.
# nmap -sn -PR

“® Zenmaj

Scan Tools Profile Help

Target: | 10.10.10.13 ~ | Profile: ~ Scan Cancel

Command: Inmap -sn -PR 10.10.10.13I

Services_‘ Nmap Output Ports
/ Hosts Topology Host Details Scans

0S 4 Host ~ |nmap-sn-PR10.10.10.13 ~ Details
#4 10.10.10.13 Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-28 12:27
Standard Time
map _scan _report for 10.10.10.13
(o.ees latency).
MAC
Address: ©00:0C:29:EB:CD:AF (VMware)
Nmap done: 1 IP address (1 host up) scanned in ©.61 seconds
Filter Hosts

Figure 16.84: Screenshot of Nmap host discovery using an ARP ping scan

o 0 Use the -PE option to perform the ICMP ECHO ping scan. Active hosts are
displayed as “Host is up,” as shown in screenshot.
# nmap -sn -PE

< Zenmag

Scan Tools Profile Help

Target: | 10.10.10.13 ‘.v Profile: \.v ‘ Scan Cancel

Command: [nmap -sn -PE 10.10.10.13 I

Services | Nmap Output Ports
/ Hosts Topology Host Details Scans

0S 4 Host - nmap -sn -PE 10.10.10.13 ~ Details
® 10.10.10.13 Starting Nmap 7.8@ ( https://nmap.org ) at 2021-06-28 12:31
Standard Time
Nmap scan report for 10.10.10.13
[Host
1z up](0.00s latency).
MAC
Address: ©00:0C:29:EB:CD:AF (VMware)
v

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Filter Hosts

Figure 16.85: Screenshot of Nmap host discovery using an ICMP ECHO ping scan

Module 16 Page 2001 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

o Use the -PE option with a list of IP addresses to perform an ICMP ECHO ping sweep.
# nmap -sn -PR

< Zenmap - 0 x
Scan Tools Profile Help

Target: | 10.10.10.0-15 ~ | profite: ~| [Scan] |cancel
Command: [nmap -sn -PE 10.10.10.0-15I

Services Nmap Output Ports
/ Hosts Topology Host Details Scans
0S 4 Host ~ nmap -sn-PE 10.10.10.0-15 ~] Details
® 10.10.10.1 Starting Nmap 7.8@ ( https://nmap.org ) at 2021-06-28 12:37
e Standard Time
fes 10.10.10.2 map an_report for 10.10.10.1
® 10.10.10.10 (e.00s latency).
- MAC
_Address: ©0:50:56:C0:00:08 (VMware)
10.10.10.13 Nmap _scan report for 10.10.10.2
(e.ees latency).
MAC
Address: ©0:50:56:FC:26:81 (VMware)
Nmap scan report for 10.10.10.13
(e.00s latency).
MAC Add i ©0:©C:29:EB:CD:AF (VMware)
Nmap scan report for 10.10.10.10
Host is up.
Nmap done: 16 IP addresses (4 hosts up) scanned in 8.80©
seconds.
Filter Hosts

Figure 16.86: Screenshot of Nmap host discovery using an ICMP ECHO ping sweep

o To scan the given subnet, use the following command without any switches. This
command works similarly to the ping command in that it sends TCP ACK packets for
the ports 80 and 443 to check whether the target host is alive. It also performs an
ARP scan and neighbor discovery scan; if it finds that any host is alive, it starts
performing port scanning to detect running services.
# nmap

Service and Version Discovery
o Use the -p option to scan for specified ports numbers or a port range.
# nmap -p

- Zenmap - - x
Scan JTools Profile Help

Target: | 10.10.10.10 ~ | Profile: ~ Scan Cancel

Command: I nmap -p 80 10.10.10.1(1

Services Nmap Output Ports
/ Hosts Topology Host Details Scans
0S 4 Host - nmap-p 80 10.10.10.10 Vi | Details
#4 10.10.10.10 Starting Nmap 7.8@ ( https://nmap.org ) at 2021-06-28
12:49 Standard Time
4 10.10.10.13 Nmap scan report for 10.10.10.10
Host is up (€.€31s latency).

PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in ©.25
seconds

Filter Hosts

Figure 16.87: Screenshot of Nmap service discovery using a scan for a specified port number

Module 16 Page 2002 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

o Use the -sT option to scan for only TCP ports.
# nmap -sT

¥
- Zenmap it
- (=)
a x

Scan Jcols Profile Help

Torget: | 10.10.10.16 ~ | Profile:
~| ~| [scan] |cancel
Command: |nmap -sT -v 10.10.10.16 |
: Services Nmap Output Ports / Hosts Topology Host Details Scans

0S ¢4 iost
08 [Host ~-~ |nmop-sT-v 10101076
|nmop-sT-v102101076 ~| & [Details
12:59 Imim Standard Time ~
Initiating ARP Ping Scan at 12:59
Scanning 10.10.10.16 [1 port)
Completed ARP Ping Scan at 12:59, ©.06s elapsed (1
total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:59
Completed Parallel DNS resolution of 1 host. at 12:59,
©.05s elapsed
Initiating Connect Scan at 12:59
Scanning 10.10.10.16 [1000 ports]
Discovered open port 80/tcp
80@/tcp on 10.10.10.16
Discovered open port 139/tcp on 10.10.10.16
Discovered open port 135/tcp on 10.10.10.16
Discovered
Dizcovered open port 3389/tcp on 10.10.10.16
Dizcovered open port 111/tcp on 10.10.10.16
Discovered open port 445/tcp on 10.10.10.16
Discovered open port S53/tcp on 10.10.10.16
53/tcp
Discovered open port 1069/tcp on 10.10.10.16
Discovered open port 1072/tcp on 10.10.10.16
;i About 15.60% done; ETC: 13:02
(©:02:48 remaining)
Discovered open port 88/tcp on 10.10.10.16
Discovered open port 636/tcp on 10.10.10.16
: About 30.50% done; ETC: 13:02
(0:02:19 remaining)
Discovered open port 2103/tcp on 10.10.10.16
- Discovered open port 389/tcp on 10.10.10.16 v
Filter Hosts -o C * weoo *®
*@ co co oo

Figure 16.88: Screenshot of Nmap service discovery using a TCP scan

“¥- Zenmap -_
— (] x

Scan Jools Profile Help

Torget: | 10.10.10.16 ~| Profite: '~| [scan]| [Concel
Command: Inmap -sT -v 10.10.10.16 ]

_ Services Nmap Output Ports
/ Hosts Topology Host Details Scans
05 ¢ Blost
0% Blogt ~ | nmap
nmap -sT -v 10.10.10.16 ~] Details.
® 10.10.10.16 PORT STATE SERVICE ~
S53/tcp open domain
B8O/tcp
BO/tcp open http
http
B88/tcp
B88/tcp open
open kerberos-sec
kerberos-sec
111/tcp open rpcbing
135/tcp open msrpc
139/tcp open netbios-ssn|
389/tcp open ldap
44S5/tcp open microsoft-ds
464/tcp open kpasswdS
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1061/tcp open kiosk
1069/tcp open cognex-insight
1072/tcp open cardax
1801/tcp open msmq
2049/tcp open nfs
2103/tcp open zephyr-clt
2105/tcp open cklogin
2107/tcp open msmq-mgmt
2968/tcp open enpp
3268/tcp open globalcatLDAP
3269/tcp open globalcatlDAPssl
3389/tc ms-wbt -server
VMware)

i C:\Program Files (x86)\Nmap
i 1 IP address (1 host up) scanned in 228.66
Filter H seconds v

Figure 16.89: Screenshot of Nmap service discovery using a TCP scan

Module 16 Page 2003 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

o Use the -sU option to scan for only UDP ports.

“¥
“* Zenmap = O >
Scan
Scan Jools
Jools Profile
Profile Help
Help

Target: || 10.10.10.10 ~|
| Profite:
Profile: | i~ [se Cancel
Command: [nmap 10.10.10.10 |
-sU -v 10.10.10.10]

\
1 Services | Nmap Output Ports / Hosts Topology Host Details Scans

OS 4¢ Host ~ nmap -sU -v 10.10.10.10 ~| ¢ |Details|
#4 10.10.10.10 Initiating Parallel DNS resolution of 1 host. at 13:27 A
Completed Parallel DNS resolution of 1 host. at 13:27,
©.42s elapsed
Initiating UDP Scan at 13:27
Scanning 10.10.10.10 [1e€@
[1ee@ ports]
Discovered open port 137/udp on 10.10.10.10
Completed UDP Scan at 13:27, 6.16s elapsed (10
(100 total
ports)
Nmap scan report for 10.10.10.10
Host is up (©.€0s
(@.€@s latency).

PORT STATE SERVICE
137 /udp open netbios-ns
138/udp
138/udp open|filtered netbios-dgm
50e/udp
See/udp open|filtered isakmp
19e@/udp
1900/udp open|filtered upnp
3389/udp
3389/udp open|filtered ms-wbt-server
ms-wbt-server
3702/udp open|filtered ws-discovery
4500/udp open|filtered nat-t-ike
5353/udp
$353/udp open|filtered zeroconf
$355/udp open|filtered llmnr
49173/udp open|filtered unknown

;: C:\Program Files (x86)\Nmap
: 1 IP address (1 host up) scanned in 6.72
seconds
Raw packets sent: 1319 (39.013KB) | Rcvd:
2363 (97.926KB)

Filter Hosts

Figure 16.90: Screenshot of Nmap service discovery using a UDP scan

Module 16 Page 2004 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

o Use the -ss option to perform a stealth scan/TCP half-open scan.
# nmap -sS