Troubleshooting Basic Network Issues using Utilities and Tools 212-82 PDF
Summary
This document is a chapter on troubleshooting basic network issues using various utilities and tools. It explores different techniques for diagnosing and resolving network problems. The document also covers ICMP scanning and ACK scanning for probing firewalls.
Certified Cybersecurity Technician Exam 212-82 Network Troubleshooting

ICMP Scanning

A ping sweep, or Internet Control Message Protocol (ICMP) scan, is the process of sending an ICMP echo request (ping) to every host on the network to determine which ones are up.

[Figure 16.99: ICMP scanning using hping. Terminal screenshot of hping3 -1 10.10.10.10: each probe is answered by 10.10.10.10 (ttl=128) with icmp_seq 0 through 8; 9 packets transmitted, 9 packets received, 0% packet loss, round-trip min/avg/max = 2.2/5.2/9.1 ms]

Operating systems, routers, switches, and other IP-based devices use this protocol through the ping command (echo request and echo reply) as a connectivity test between hosts.

ACK Scanning on Port 80

This scanning technique can be used to probe for the existence of a firewall and its rule set. A simple packet filter lets packets that look like part of an established connection (packets with the ACK bit set) through, whereas a sophisticated stateful firewall does not allow such a connection to be established.
[Figure 16.100: ACK scanning on port 80 using hping. Terminal screenshot of hping3 -A 10.10.10.10 -p 80: every probe is answered from sport=80 with flags=R win=0; 9 packets transmitted, 9 packets received, 0% packet loss, round-trip min/avg/max = 2.0/5.1/8.4 ms]

Module 16 Page 2012 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Hping Commands

The various Hping commands are as follows:

o ICMP ping
Ex. hping3 -1 10.0.0.25
Hping performs an ICMP ping scan when the argument -1 is given on the command line; --icmp and -1 are equivalent. With the above command, hping sends an ICMP echo request to 10.0.0.25 and receives an ICMP echo reply, much like the ping utility.

o ACK scan on port 80
Ex. hping3 -A 10.0.0.25 -p 80
Hping performs an ACK scan when the argument -A is given; this sets the ACK flag in the probe packets. Use this scan when a host does not respond to a ping request: Hping checks whether the host is alive on the network, and if it finds a live host and an open port, the host returns an RST response.

o UDP scan on port 80
Ex. hping3 -2 10.0.0.25 -p 80
Hping uses TCP as its default protocol. The argument -2 switches Hping to UDP mode; --udp and -2 are equivalent. With the above command, Hping sends UDP packets to port 80 on the host (10.0.0.25). It returns an ICMP port unreachable message if the port is closed and returns nothing if the port is open.

o Collecting Initial Sequence Number
Ex. hping3 192.168.1.103 -Q -p 139 -s
With the argument -Q, Hping collects all the TCP sequence numbers generated by the target host (192.168.1.103).

o Firewalls and Timestamps
Ex. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Many firewalls drop TCP packets that do not have the TCP Timestamp option set. Adding --tcp-timestamp enables the TCP timestamp option in Hping and lets you try to guess the timestamp update frequency and the uptime of the target host (72.14.207.99).

o SYN scan on ports 50-60
Ex. hping3 -8 50-60 -S 10.0.0.25 -V
The argument -8 (or --scan) puts Hping in scan mode to scan a range of ports on the target host, and -S makes the probes SYN packets. The above command therefore performs a SYN scan on ports 50-60 of the target host.

o FIN, PUSH and URG scan on port 80
Ex. hping3 -F -P -U 10.0.0.25 -p 80
The arguments -F, -P, and -U set the FIN, PUSH, and URG flags in the probe packets, so this command performs a FIN, PUSH, and URG scan of port 80 on the target host (10.0.0.25). If port 80 is open, you will not receive a response; if it is closed, Hping will return an RST response.
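The response rules given above for the ACK, UDP and FIN/PUSH/URG probes can be applied mechanically to hping3 output. The following Python is an added example, not part of the course material or of hping itself; the three output samples are constructed to mirror the reply, ICMP-unreachable and statistic lines hping3 prints, and the "or filtered" outcomes note the case the rules above leave open.

```python
import re
from collections import Counter

# hping3 prints reply lines (len=46 ip=... flags=R ...), "ICMP Port Unreachable from ip=..." in UDP mode, and a summary
REPLY_RE = re.compile(r"\bip=(\S+).*?\bflags=(\S+)")
STAT_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")
UNREACH_RE = re.compile(r"ICMP Port Unreachable", re.IGNORECASE)

def parse_hping(output):
    """Return (sent, received, Counter of TCP flag strings, ICMP-unreachable count) for one hping3 run."""
    sent = received = unreach = 0
    flags = Counter()
    for line in output.splitlines():
        if UNREACH_RE.search(line):
            unreach += 1
        elif (m := REPLY_RE.search(line)):
            flags[m.group(2)] += 1
        elif (m := STAT_RE.search(line)):
            sent, received = int(m.group(1)), int(m.group(2))
    return sent, received, flags, unreach

def classify(mode, output):
    """Interpret one hping3 run using the chapter's rules; mode is icmp, ack, udp or fin."""
    sent, received, flags, unreach = parse_hping(output)
    if sent == 0:
        return "no hping statistic line found"
    got_rst = any("R" in f for f in flags)
    if mode == "icmp":
        return "host up" if received else "no echo reply: host down or ICMP blocked"
    if mode == "ack":  # RST to an unsolicited ACK: host is up and the port is not behind a stateful filter
        return "host up, port unfiltered" if got_rst else "no reply: stateful firewall or host down"
    if mode == "udp":  # closed UDP ports answer with ICMP port unreachable, open ones stay silent
        return "port closed" if unreach else "port open or filtered (no reply)"
    if mode == "fin":  # closed ports answer FIN/PUSH/URG probes with RST, open ones stay silent
        return "port closed" if got_rst else "port open (no reply) or filtered"
    raise ValueError(f"unknown mode {mode!r}")

# Constructed samples modelled on the figures' output (not captured from a real host)
ACK_SAMPLE = """HPING 10.10.10.10 (eth0 10.10.10.10): A set, 40 headers + 0 data bytes
len=46 ip=10.10.10.10 ttl=128 id=46786 sport=80 flags=R seq=0 win=0 rtt=4.0 ms
len=46 ip=10.10.10.10 ttl=128 id=46787 sport=80 flags=R seq=1 win=0 rtt=3.9 ms
2 packets transmitted, 2 packets received, 0% packet loss
"""
UDP_SAMPLE = """HPING 10.0.0.25 (eth0 10.0.0.25): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.0.0.25 name=UNKNOWN
1 packets transmitted, 1 packets received, 0% packet loss
"""
SILENT_SAMPLE = """HPING 10.0.0.25 (eth0 10.0.0.25): FPU set, 40 headers + 0 data bytes
3 packets transmitted, 0 packets received, 100% packet loss
"""
```

Call classify("ack", ACK_SAMPLE), classify("udp", UDP_SAMPLE) and classify("fin", SILENT_SAMPLE) to see the three verdicts.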
o Scan entire subnet for live hosts
Ex. hping3 -1 10.0.1.x --rand-dest -I eth0
With this command, Hping performs an ICMP ping scan of the entire 10.0.1.x subnet: it sends ICMP echo requests in random order (--rand-dest) to every host from 10.0.1.0 to 10.0.1.255 reachable through interface eth0. Hosts whose ports are open respond with an ICMP reply. No port is set here, so Hping sends packets to port 0 on every IP address by default.

o Intercept all traffic containing an HTTP signature
Ex. hping3 -9 HTTP -I eth0
The argument -9 puts Hping in listen mode. With -9 HTTP, Hping listens on port 0 of interface eth0 (that is, on all devices on the network reachable through eth0), intercepts every packet containing the HTTP signature, and dumps the data from the end of the signature to the end of the packet. For example, after issuing hping2 -9 HTTP, if Hping reads a packet containing the data 234-09sdf1kjs45-HTTPhello world, it displays hello world.

o SYN flooding a victim
Ex. hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
TCP SYN flooding with spoofed source addresses can be used to perform a DoS attack against a target system for testing purposes.

= netcat

netcat is a network utility used for testing network connections on both Windows- and Linux-based systems. It provides various commands that allow thorough monitoring of traffic flow across a network. netcat can be used to establish and analyze TCP and UDP connections. It can also be used as a backdoor to read and write raw data over network connections. It provides features such as port scanning, OS fingerprinting, file transfer, DNS checking, and source routing.
netcat commands for network troubleshooting

o Test the connectivity with a remote host using the following command:
nc -w3 -4 -v <host> <port>

[Figure 16.101: Screenshot of netcat. Running nc -w3 -4 -v www.google.com 80 prints: Connection to www.google.com 80 port [tcp/http] succeeded!]

o Perform port scanning on a given IP address or host name using the following command:
nc -v -n <ip address> <port>

[Figure 16.102: Screenshot of netcat performing a port scan. Running nc -v -n 10.10.10.10 21 prints: Connection to 10.10.10.10 21 port [tcp/*] succeeded! followed by the service banner 220 Microsoft FTP Service]

o Perform a scan on a single port or a given set of port numbers using the following command:
nc -zv <host> <port range>

o Create a listener on a specified port number using the following command:
nc -l -p <port number>

o Connect to a listening server using the following command:
nc <host> <port number>

o Create a proxy to redirect traffic destined to a host using the following command:
nc -l <port number> | nc <host> <port number>

= dig

dig, which stands for "Domain Information Groper," is used by network administrators for troubleshooting networks and DNS name servers. It is a command-line tool that queries a DNS server directly to retrieve any type of DNS record and to check whether the records differ when queried from different locations. It is part of the BIND software suite. On Linux-based systems, the dig command queries DNS name servers and retrieves information about a target's host addresses, name servers, mail exchangers, and so on.

dig commands

o Query any name server to retrieve DNS records using the following command:
dig <domain>
[Figure 16.103: Screenshot of dig retrieving DNS records. Running dig google.com (DiG 9.11.5-P1-1ubuntu2.6-Ubuntu) returns the A record for google.com. in the ANSWER SECTION; Query time: 57 msec, SERVER: 127.0.0.53#53(127.0.0.53), WHEN: Mon Jun 28 04:59:24 PDT 2021, MSG SIZE rcvd: 55]

o Retrieve a specific type of DNS record of a domain using the following command:
dig <record type> <domain>

[Screenshot: dig ns certifiedhacker.com (DiG 9.11.5-P1-1ubuntu2.6-Ubuntu) returning the NS records of certifiedhacker.com]

[Figure 16.108: Screenshot of tcpdump capturing network packets. The output ends with a reverse lookup, PTR? 2.10.10.10.in-addr.arpa., followed by the capture statistics (packets captured, received by filter, and dropped by kernel)]

o Disable name and port number resolution in the captured network packets using the following command:
tcpdump -i <interface> -c 10 -nn

= tcpreplay

tcpreplay is a GPLv3-licensed utility for Unix-like OSes that modifies and replays traffic previously captured with tools such as Wireshark and tcpdump. It replays .pcap files onto a monitoring interface behind firewalls, NIDS, or IPSes to identify suspicious traffic patterns and malicious activity in the pcap. It also allows the pcap file to be modified to make it suitable for analysis.

tcpreplay commands

o Replay a pcap file to an interface using the following command:
tcpreplay -i eth0 sample.pcap
Here, -i specifies the interface to replay onto, followed by the .pcap file name.
Figure 16.109: Screenshot of tcpreplay replaying network packets. Running tcpreplay -i eth0 mySample.pcapng produced the following output:

    Warning in send_packets.c:send_packets() line 644: Unable to send packet: Error with PF_PACKET send(): Message too long (errno = 90)
    Actual: 42 packets (9244 bytes) sent in 12.40 seconds
    Rated: 744.9 Bps, 0.005 Mbps, 3.38 pps
    Statistics for network device: eth0
    Successful packets: 42
    Failed packets: 1
    Truncated packets: 0
    Retried packets (ENOBUFS): 0
    Retried packets (EAGAIN): 0

o Replay the same pcap file 10 times on the specified interface using the following command:
tcpreplay --loop=10 -i eth0 sample.pcap
Here, --loop specifies how many times the capture is to be replayed.

o Replay the pcap file continuously until it is interrupted by pressing Ctrl + C:
tcpreplay --loop=0 -i eth0 sample.pcap
Here, --loop=0 indicates continuous replay.

= dnsenum

Source: https://github.com

dnsenum is a Perl script that enumerates the DNS information of a domain to discover noncontiguous IP blocks.
This tool performs the following operations:
o Obtain the host's address (A record)
o Obtain the name servers (threaded)
o Obtain the MX record (threaded)
o Perform axfr queries on name servers and obtain BIND VERSION (threaded)
o Obtain extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain")
o Brute-force subdomains from a file and perform recursion on a subdomain that has NS records (all threaded)
o Calculate C class domain network ranges and perform Whois queries on them (threaded)
o Perform reverse lookups on net ranges (C class or/and Whois net ranges) (threaded)
o Write ip-blocks to the domain_ips.txt file

dnsenum commands

o Display DNS records including name servers, IP addresses, and email records using the following command:
dnsenum <domain>

o Display additional details about the site using the following command. It will also attempt to collect Whois information and use Google to discover whether any subdomains are available.
dnsenum --enum <domain>
[Figure 16.110: Screenshot of dnsenum. Running dnsenum --enum google.com (dnsenum VERSION:1.2.4) first warns "Smartmatch is experimental at /usr/bin/dnsenum line 698", "can't load Net::Whois::IP module, whois queries disabled" and "can't load WWW::Mechanize module, Google scraping disabled"; it then lists the google.com name servers and aspmx mail exchangers with their addresses, reports for each of ns1 through ns4 "Trying Zone Transfer for google.com ... AXFR record query failed: corrupt packet", and ends with "brute force file not specified, bay."]

o Conduct brute forcing with a custom text file to enumerate all the subdomains:
dnsenum -f subdomain.txt -r <domain>
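Two of the dnsenum operations listed above, calculating the class C network ranges behind a domain's addresses and writing ip-blocks to domain_ips.txt, worked through in Python. This is an added example and not dnsenum's own code; the hostnames and addresses are constructed sample data drawn from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: hostnames a dnsenum-style run might resolve for a fictional domain
SAMPLE_RECORDS = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.25",
    "alt1.mx.example.test": "198.51.100.7",
    "alt2.mx.example.test": "198.51.100.200",
    "cdn.example.test": "192.0.2.44",
    "legacy.example.test": "198.51.101.3",
}

def c_class_ranges(records):
    """Group each resolved address into its class C (/24) network: {network: set of hostnames}."""
    blocks = defaultdict(set)
    for host, addr in records.items():
        # strict=False accepts a host address and masks it down to its /24 network
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        blocks[net].add(host)
    return dict(blocks)

def merge_contiguous(nets):
    """Collapse adjacent /24s into (first_ip, last_ip) ranges; a gap between two ranges
    is what the chapter calls a noncontiguous IP block."""
    ranges = []
    for net in sorted(nets, key=lambda n: int(n.network_address)):
        if ranges and int(ranges[-1][1].broadcast_address) + 1 == int(net.network_address):
            ranges[-1][1] = net  # this /24 directly follows the previous one: extend the range
        else:
            ranges.append([net, net])
    return [(a.network_address, b.broadcast_address) for a, b in ranges]

def ip_blocks_lines(records):
    """Render one line per block, in the spirit of dnsenum's domain_ips.txt: the range, then its hosts."""
    blocks = c_class_ranges(records)
    lines = []
    for first, last in merge_contiguous(blocks):
        hosts = sorted(h for net, hs in blocks.items()
                       if first <= net.network_address <= last for h in hs)
        lines.append(f"{first}-{last}  {' '.join(hosts)}")
    return lines

def write_domain_ips(records, path="domain_ips.txt"):
    """Write the blocks to domain_ips.txt (the file name dnsenum uses) and return the lines written."""
    lines = ip_blocks_lines(records)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines
```

With the sample data the two adjacent /24s 198.51.100.0 and 198.51.101.0 merge into one range, while 192.0.2.0/24 and 203.0.113.0/24 stay separate blocks.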