Security+ Commands and Tools for Linux/Windows I. Networking Windows Linux tracert traceroute nslookup nslookup/dig ipconfig ifconfig ipconfig /all ifconfig -a Displays possible routes and measuring transit delays of packets. Determines the IP address associated with a domain name, obtain the mail server settings for a domain Displays all the network configurations of the currently connected network devices and cna modify the DHCP and DNS settings Shows comprehensive listing of TCP/IP configuration information for each NIC ipconfig /displaydns Each time a system queries DNS to resolve a hostname to an IP address, it stores the result in the DNS cache, and this command shows the contents of the DNS cache. Also shows any hostname to IP address mappings included in the hosts file ipconfig /flushdns You can erase the contents of the DNS cache with this command, use when the cache has incorrect information and want to ensure that the system queries DNS for up-to-date information ifconfig eth0 Shows the configuration of the first Ethernet interface (NIC) on a Linux system, if system has multiple NICS you can use eth1, eth2, etc. ifconfig eth0 promisc Enables promiscuous mode on the first Ethernet interface. Promiscuous mode allows a NIC to process all traffic it receives. Normally a NIC is in non-promiscuous mode and ignores all packets not addressed to it. Disable with ifconfig eth0 -promisc ifconfig eth0 allmulti Enables multicast mode on the NIC, allows the NIC to process all multicast traffic received by the NIC. Normally a NIC only processes multicast traffic for multicast groups that it has joined. Disable with ifconfig eth0 -allmulti nmap nmap Open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses ping ping pathping Tests connectivity for remote systems Used to determine if a host is reachable, combines functions of ping and tracert hping hping Open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks netstat netstat Displays network connections for TCP, routing tables, and a number of network interface and network protocol stats netstat -a netstat -r Displays a listing of all TCP and UDP ports a system is listening on along with all open connections netstat -r Displays the routing table netstat -e Displays details on network statistics (like how many bytes the system has sent and received) netstat -s Displays statistics of packets sent or received for specific protocols such as IP, ICMP, TCP, and UDP netstat -n Displays addresses and port numbers in numerical order, useful if looking for information related to a specific IP address netstat -p protocol Shows statistics on a specific protocol, such as TCP or UDP. For example, use netstat -p tcp to show only TCP statistics netstat -anp tcp Combine the netstat switches to show different types of information This command shows a listing of the ports the system is listening on (-a), in numerical order (-n), for only the TCP protocol (-p tcp) netcat For reading from and writing to network connections using TCP or UDP which is dependable back-end that can be used directly or easily driven by other programs and scripts arp arp Utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server arp -a arp Shows the ARP cache route route Used to view and manipulate the IP routing tables on a host or server curl curl Tool to transfer data to or from a server, using any of the supported protocol (HTTP, FTP. IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP, or FILE) the harvester the harvester Python script that is used to gather emails, subdomains, hosts, employee, names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN database sn1per sn1per an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabi‐ lities across a network scanless scanless used to create an exploitation website that can perform open port scans in a more stealth-like manner dnsenum dnsenum used for DNS enumeration to locate all DNS servers and DNS entries for a given organization II. Nessus Nessus proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities Cuckoo Cuckoo open source software for automating analysis of suspicious files File Manipulation Linux head command-line utility for outputting the first ten lines of a file provided tail command-line utility for outputting the last ten lines of a file provided to it cat command-line utility for outputting the content of a file to the screen grep command-line utility for searching plain-text data sets for lines that match a regular expression or pattern chmod command-line utility used tochange the access permissions of file system objects journalctl logger III. IV. queries the Linux system logging utility and displays log entries from seversal sources, command by itself will display all journal entries utility that provides an easy way to add messages to the /var/log/syslog files from the command line or from other files Packet Capture Windows Linux windump tcpdump Wireshark Wireshark Exploitaiton A suite of free open source utilities for editing and replaying previously captured network traffic Network analysis tool to capture network packets and display them at a granular level for real-time or offline analysis Windows Linux Metasploit (msfco­nsole) Metasploit (msfco­nsole) A computer security tool that offers inform­ation about software vulner­abi­lities, IDS signature develo­pment, and improves penetr­ation test Browser Exploi­tation Framework (BeEF) Browser Exploi­tation Framework (BeEF) A tool that can hook one or more browsers and can use them as a beachhead of launching various direct commands and further attack against the system from within the browser Cain and Abel (cain) Cain and Abel A password recovery tool that can be used through (cain) sniffing the network, cracking encrypted passwords using dictio­nary, brute-­force and crypta­nalysis attack, recording VoIP conver­sat­ions, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols John the Ripper (john) John the Ripper (john) V. An open source password security auditing and password recovery tool available for many operating systems Shells and Scripts Windows Linux SSH SSH Powershell utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connectons a task automation and config­uration management framework from Microsoft, consisting of a comman­d-line shell and the associated scripting language Python Python OpenSSL OpenSSL An interp­reted, high-level and genera­l-p­urpose progra­mming language a software library for applic­ation that secure commun­ica­tions over computer networks against eavesd­ropping or need to identify the party at the other end VI. Forensics Windows FTK Imager VII. Linux dd a command line utility to copy disk images using a bit by bit copying process FTK Imager a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed memdump a command line utility to dump system memory to the standard output stream by skipping over holes in memory maps WinHex WinHex a commercial disk editor and universal hexade­cimal editor used for recovery and digital forensics Autopsy Autopsy a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics Notes A. Netstat displays the state of connection, such as ESTABLISHED to indicate an active connection, some common states are: ○ ESTABLISHED ■ normal state for the data transfer phase of a connection, indicates an active and open connection ○ LISTEN ■ indicates the system is waiting for a connection request, the well-known port a system is listening on indicates the protocol ○ CLOSE_WAIT ■ indicates the system is waiting for a connection termination request ○ TIME_WAIT ■ indicates the system is waiting for enough time to pass to be suere the remote system received a TCP-based acknowledgement of the connection ○ SYN_SENT ■ indicates the system sent a TCP SYN packet as the first part of the SYN (synchronize), SYN-ACK (synchronize-acknowledge), ACK (acknowledge) handshake process and is waiting for the SYN-ACK response ○ SYN_RECEIVED ■ indicates the system sent a TCP SYN-ACK packet after receiving a SYN packet as the first part of the SYN, SYN-ACK, ACK handshake process. It is waiting for the ACK response to establish the connection. An excessive number of SYN_RECEIVED states indicate a SYN attack with the attacker flooding a system with SYN packets buy never finalizes the connection with ACK packets