Troubleshooting Basic Network Issues using Utilities and Tools 212-82 PDF

Summary

This document is a chapter on troubleshooting basic network issues using various utilities and tools. It explores different techniques for diagnosing and resolving network problems. The document also covers ICMP scanning and ACK scanning for probing firewalls.

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

ICMP Scanning

A ping sweep or Internet Control Message Protocol (ICMP) scanning is a process of
sending an ICMP request or ping to all the hosts on the network to determine the ones
that are up.

o0 Parrot Terminal
File Edit View Search Terminal Help

t@parrot — /-1
#hping3 -1 10.10.10.10
HPING 10.10.10.10 (ethO 10.10.10.10): icmp mode set, 28 headers + 0 data bytes
ip=10.10.10.10 ttl=128 id=46777 icmp_seq=0 rtt=4. ms

HOMFMFEFNKFHWNW
ip=10.10.10.10 ttl=128 id=46778 icmp seq=1 rtt=4. ms
ip=10.10.10.10 ttl=128 id=46779 icmp_seq=2 rtt=3. ms
ip=10.10.10.10 ttl=128 id=46780 icmp seq=3 rtt=3. ms
ip=10.10.10.10 ttl=128 id=46781 icmp seq=4 rtt=2. ms
ip=10.10.10.10 tt1=128 id=46782 icmp_seq=5 rtt=9. ms
ip=10.10.10.10 tt1=128 id=46783 icmp seq=6 rtt=8. ms
ip=10.10.10.10 ttl=128 id=46784 icmp_seq=7 rtt=8. ms
ip=10.10.10.10 ttl1=128 id=46785 icmp seq=8 rtt=4. ms.10.10.10 hping statistic ---
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 2.2/5.2/9.1 ms
@parrot

Figure 16.99: ICMP scanning using hping

The OS, router, switch, and IP-based devices use this protocol via the ping command for
echo request and echo response as a connectivity tester between different hosts.
ACK Scanning on Port 80

This scanning technique can be used to probe the existence of a firewall and its rule
sets. Simple packet filtering allows the establishment of a connection (packets with the
ACK bit set), whereas a sophisticated stateful firewall does not allow the establishment
of a connection.

o0 Parrot Terminal
File Edit View Search Terminal Help
@parrot
#hping3 -A 10.10.10.10 -p 80|
HPING 10.10.10.10 (eth® 10.10.10.10): A set, 40 headers + 0 data bytes
len=46 ip=10.10.10.10 ttl=128 1d=46786 sport=80 flags=R seq=0 win=0
ONOUVWONVY

len=46 ip=10.10.10.10 ttl=128 id=46787 sport=80 flags=R seq=1 win=0
len=46 ip=10.10.10.10 ttl=128 1d=46788 sport=80 flags=R seq=2 win=0
len=46 ip=10.10.10.10 ttl=128 1d=46789 sport=80 flags=R seq=3 win=0
ip=10.10.10.10 ttl=128 id=46790 sport=80 flags=R seq=4 win=0
ip=10.10.10.10 ttl=128 1d=46791 sport=80 flags=R seq=5 win=0
ip=10.10.10.10 ttl=128 1d=46792 sport=80 flags=R seq=6 win=0
ip=10.10.10.10 ttl=128 1d=46793 sport=80 flags=R seq=7 win=0
ip=10.10.10.10 ttl=128 1d=46794 sport=80 flags=R seq=8 win=0
S.10.10.10 hping statistic ---
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 2.0/5.1/8.4 ms
@parrot |-~

Figure 16.100: ACK scanning on port 80 using hping

Module 16 Page 2012 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

Hping Commands
The various Hping commands are as follows:

(0] ICMP ping

Ex. hping3 -1 10.0.0.25

Hping performs an ICMP ping scan by specifying the argument -1 in the command
line. You may use --ICMP or -1 as the argument in the command line. By issuing the
above command, hping sends an ICMP echo request to 10.0.0.25 and receives an
ICMP reply similarly to a ping utility.
ACK scan on port 80

Ex. hping3 -A 10.0.0.25 -p 80

Hping can be configured to perform an ACK scan by specifying the argument -A in
the command line. Here, you set the ACK flag in the probe packets and perform the
scan. You perform this scan when a host does not respond to a ping request. By
issuing this command, Hping checks if a host is alive on a network. If it finds a live
host and an open port, it returns an RST response.

o UDP scan on port 80
EX. hping3 -2 10.0.0.25 -p 80
Hping uses TCP as its default protocol. Using the argument -2 in the command line
specifies that Hping operates in the UDP mode. You may use either --udp or -2 as the
argument in the command line.

By issuing the above command, Hping sends UDP packets to port 80 on the host
(10.0.0.25). It returns an ICMP port unreachable message if it finds the port closed
and does not return a message if the port is open.
o Collecting Initial Sequence Number
Ex. hping3 192.168.1.103 -Q -p 139 -s
Using the argument -Q in the command line, Hping collects all the TCP sequence
numbers generated by the target host (192.168.1.103).

o Firewalls and Timestamps

EX. hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Many firewalls drop those TCP packets that do not have the TCP Timestamp option
set. By adding the --tcp-timestamp argument in the command line, you can enable
the TCP timestamp option in Hping and try to guess the timestamp update frequency
and uptime of the target host (72.14.207.99).

o SYN scan on port 50-60
EX. hping3 -8 50-60 -S 10.0.0.25 -V

Module 16 Page 2013 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

Using the argument -8 or --scan in the command line, you are operating Hping in the
scan mode to scan a range of ports on the target host. Adding the argument -S
allows you to perform a SYN scan.
Therefore, the above command performs a SYN scan on ports 50-60 on the target
host.

o FIN, PUSH and URG scan on port 80

Ex. hping3 -F -P -U 10.0.0.25 -p 80

By adding the arguments —F, =P, and —U in the command line, you are setting FIN,
PUSH, and URG packets in the probe packets. By issuing this command, you are
performing FIN, PUSH, and URG scans on port 80 on the target host (10.0.0.25). If
port 80 is open, you will not receive a response. If the port is closed, Hping will
return an RST response.

o Scan entire subnet for live host

Ex. hping3 -1 10.0.1.x --rand-dest —-I ethO

By issuing this command, Hping performs an ICMP ping scan on the entire subnet
10.0.1.x; in other words, it sends an ICMP echo request randomly (--rand-dest) to all
the hosts from 10.0.1.0 to 10.0.1.255 that are connected to the interface ethO. The
hosts whose ports are open will respond with an ICMP reply. In this case, you have
not set a port; hence, Hping sends packets to port 0 on all IP addresses by default.
o Intercept all traffic containing HTTP signature
Ex. hping3 -9 HTTP -I ethO

The argument -9 will set the Hping to the listen mode. Hence, by issuing the
command -9 HTTP, Hping starts listening on port 0 (of all the devices connected in
the network to interface eth0), intercepts all the packets containing the HTTP
signature, and dumps from the signature end to the packet's end.
For example, on issuing the command hping2 -9 HTTP, if Hping reads a packet
that contains data 234-09sdf1kjs45-HTTPhello
world, it will display the result
ashello_world.

o SYN flooding a victim

Ex. hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

TCP SYN flooding techniques using spoofed IP addresses can be adopted to perform
a DosS attack for testing the target system.
= netcat

netcat is a network utility used for testing network connections on both Windows- and
Linux-based systems. It provides various commands that allow the thorough monitoring
of traffic flow across a network. netcat can be used to establish and analyze TCP/UDP
connections. Moreover, it can be used as a backdoor to read and write raw data over

Module 16 Page 2014 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

network connections. It provides features such as port scanning, OS fingerprinting, file
transferring, DNS checking, and source routing.

netcat commands for network troubleshooting
o Test the connectivity with a remote host using the following command:
nc -w3 -4 -v

Q ubuntu@ubuntu: ~ [+1

:~$ nc -w3 -4 -v www.google.com 80
Connection to www.google.com 80 port [tcp/http] succeeded!
=S

Figure 16.101: Screenshot of netcat

o Perform port scanning on a given IP address or host name using the following
command:
nc -v -n

Q ubuntu@ubuntu:~ M =

Snc -v -n 10.10.10.10 21
Connection to 10.10.10.10 21 port [tcp/*] succeeded
220 Microsoft FTP Service

Figure 16.102: Screenshot of netcat performing a port scan

o Perform scan on a single port or given set of port numbers using the following
command:
nc -zv

o Create a listener on a specified port number using the following command:
nc -1 -p

o Connect to a listening server using the following command:
nc

o Create a proxy to redirect traffic destined to a host using the following command:
nc -1 | nc < port number>

= dig
dig, which stands for “Domain Information Groper,” is used by the network
administrators for troubleshooting networks and DNS name servers. It is a command-
line tool used to query a DNS server directly to retrieve any type of DNS record
information and to check whether the records are different when querying from
different locations. It is a part of the BIND software suite. The dig command can be used

Module 16 Page 2015 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
212-82
Network
Network Troubleshooting

on Linux-based systems to query DNS name servers and retrieve information about the
target host addresses, name servers, mail exchanges, etc.
dig commands
o Query any nameserver to retrieve DNS records using the following command:
dig

ubuntu@ubuntu: ~

9 google.con
dig |
; D1G
DG 9.11.5-P1-1ubuntu2.6-Ubuntu google.com
;; global options: +cmd
;3
; Got answer:
; ->>HEADER ANSWER SECTION:
google.com. 142.2560.182.14

;3
;5 Query time: 57 msec
33 SERVER: 127.0.0.53#53(127.0.0.53)
;5
5> WHEN: Mon Jun 28 04:59:24 PDT 2021
;3 MSG SIZE rcvd: 55

ui~$ I
:~S I

Figure 16.103: Screenshot of dig retrieving DNS records

o Retrieve a specific type of DNS record of aa domain using the following command:
dig

Q ubuntu®@ubuntu: ~
ubuntu@ubuntu:

:~$| dig
:~$|/ ns certifiedhacker.conm

; D1G 9.11.5-P1-1ubuntu2.6-Ubuntu ns certifiedhacker.com
;3 ; global options: +cmd
;; ; Got answer:
; ->>HEADER _gateway.domain: 59922+ [1au
] PTR? 2.10.10.10.in-addr.arpa.
2.10.10.10.1in-addr.arpa. (52)
3 packets captured
P9 packets received by filter
19 packets dropped by kernel
oot@ubuntu: /home/ubuntu# l.

Figure 16.108: Screenshot of tcpdump capturing network packets

o Disable the name and port numbers from the captured network packets using the
following command:
tcpdump -i -c 10 -nn

= tcpreplay

tcpreplay is a GPLv3 licensed utility that supports Unix-like OSes for modifying and
replaying previously sniffed traffic from tools such as Wireshark and tcpdump. It replays
the.pcaps files to a monitoring interface containing firewalls, NIDS, or IPSes to identify
any suspicious network traffic patterns and malicious activities in the pcap. It also allows
performing modifications in the pcap file to make it suitable for analysis.
tcpreplay commands

o Replay a pcap file to an interface using the following command:
tcpreplay -i ethO sample.pcap

Here, -i specifies the interface to replay followed by the.pcap file name.

[ X J Parrot Terminal
Terminal
File Edit View Search Terminal Help

Il
1= @parrot!—I~/ _|
#tcpreplay -i ethO mySample.pcapng
Warning 1n send_packets.c:send_packets() line 644:
Unable to send packet: Error with PF_PACKET send() : Message
too long (errno = 90)
Actual: 42 packets (9244 bytes) sent in 12.40 seconds
Rated: 744.9 Bps, 0.005 Mbps, 3.38 pps
Statistics for network device: eth®
Successful packets: 42
Failed packets: 1
Truncated packets: 0
Retried packets (ENOBUFS): ©
Retried packets (EAGAIN): ©

Figure 16.109: Screenshot of tcpreplay replaying network packets

Module 16 Page 2019 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

(@] Replay the same pcap file 10 times on the specified interface using the following
command:
tcpreplay --loop=10 -i eth0 sample.pcap

Here, --1oop specifies how many times the packet has to be replayed.

Replay the pcap file continuously until it is interrupted by pressing Ctrl + c.
tcpreplay --loop=0 -i eth(0 sample.pcap

Here, --1oop=0 indicates continuous replay.
= dnsenum

Source: https://github.com
dnsenum is a Perl script that enumerates the DNS information of a domain to discover
noncontiguous IP blocks. This tool performs the following operations:

o Obtain the host’s address (A record)

o Obtain the name servers (threaded)

(@] Obtain the MX record (threaded)
Perform axfr queries on name servers and obtain BIND VERSION (threaded)

Obtain extra names and subdomains via Google scraping (Google query = “allinurl: -
www site:domain”)

Brute-force subdomains from a file and perform recursion on a subdomain that has
NS records (all threaded)

Calculate C class domain network ranges and perform Whois queries on them
(threaded)

o Perform reverse lookups on net ranges (C class or/and Whois net ranges) (threaded)

o Write to the domain_ips.txt file ip-blocks
dnsenum commands

o Display DNS records including name servers, IP addresses, and email records using
the following command:
dnsenum

o Display additional details about the site using the following command. It will also
attempt to collect Whois information and employ Google to discover if any
subdomains are available.
dnsenum --enum

Module 16 Page 2020 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
 Techn ician
Certified Cybersecurity Technician Exam 212-82
Network Troubleshooting

[N ) Parrot Terminal
Terminal

File Edit View Search Terminal Help
@Aparrot
gdnsenum
¥dnsenum --en
--enum google,com

Smartmatch is experimental
experim ental at /usr/bin/dnsenum line 698.
Smartmatch is experim ental
experimental at /usr/bin/dnsenum line 698.
G698.
insenum VERSION:1.2.4
Warning: can't load N et::Whois::IP
Net::Whois::IP module, whois queries disabled.
Warning: can't W Wvi: :Mechanize
load Www::Mechanize module, Google scraping desabled..193.174.193.174}

1s2.google.. 21414

OV w
w W ww
NNNN.google.
1sl.google. A 10366
4.google.
1s4.google.. 21599
1s3.google.
1s3.google. 3 21599

altd.aspmx 292 64.233.171.27
NNNNN

alt3.aspmx 292 142.2560.115.27
altl.aspmx.
altl.aspmx.l.google. 292 173.194.202.27
yspmx.1. google.com,
yspmx.l.google.com. 292 74.125.200.27
alt2.aspmx,l.google. 292 142.250.141.27

Trying Zone Transfer for google.com on ns2.google
ns2,
AXFR record query fai led:
failed: corrupt packet

Trying Zone Transfer for google.com on nsd4.google
ns4,
AXFR record query failed:
fai led: corrupt packet

Trying Zone Transfer for google.com on nsl.
AXFR record query fai led: corrupt packet
failed:

Trying Zone Transfer for google.com on ns3.
AXFR record query failed:
fai led: corrupt packet

prute force file not specified, bay.
@parrot

Figure 16.110: Screenshot of dnsenum

o Conduct brute forcing along with a custom text file to enumerate all the
subdomains.
dnsenum —-f subdomain.txt —-r

Module 16 Page 2021 Cybersecurity Technician Copyright © by
Certified Cybersecurity by EG-Gouncil
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.