WEBVTT

00:00.760 --> 00:06.290
The Security+ exam really hits on a lot of classic command line utilities.

00:06.290 --> 00:12.050
Not so much to test whether you know them or not, because the Security+ kind of assumes that you

00:12.050 --> 00:12.320
do.

00:12.320 --> 00:19.100
But more importantly it generates scenarios where you would need to know what type of command line tool

00:19.100 --> 00:23.110
to use to be able to make some determination about a network.

00:23.120 --> 00:30.370
So this episode is dedicated to going through, hopefully for you, a lot of well known command line utilities,

00:30.740 --> 00:32.310
and we're going to be going through these utilities.

00:32.330 --> 00:36.730
But what we're going to be doing is more talking about scenarios than anything else.

00:36.830 --> 00:41.090
So we've got a lot of utilities to cover here so let's go ahead and dive right in and let's start with

00:41.330 --> 00:46.400
ping. Ping is a classic utility and hopefully one you're already familiar with.

00:46.400 --> 00:51.720
So what I want to do here is talk about the scenarios where we use ping.

00:51.740 --> 00:57.020
The funny part is we use ping so ubiquitously that a lot of times people don't think about what is

00:57.020 --> 01:00.210
the scenario that's causing me to turn to that tool.

01:00.230 --> 01:02.170
So usually pretty simple scenarios.

01:02.210 --> 01:07.010
So let's run through a few right now. I've got my command line up here and I'm going to do one

01:07.010 --> 01:14.740
of my absolute favorites: is DNS working? People never think about this with ping.

01:15.200 --> 01:20.350
So as you can see I'm just typing ping and then some arbitrary Web site my own.

01:20.360 --> 01:27.450
Now what you're looking at here is you'll notice that it's resolved www.totalsem.com.

01:27.500 --> 01:31.380
So it actually says reply from 75.126, whatever it might be.

01:31.490 --> 01:38.420
A lot of times people will run a ping and they don't think about that it's actually a wonderful little

01:38.420 --> 01:41.330
quick and dirty DNS tool. That resolved.

01:41.330 --> 01:47.490
So whether I even get a good reply or not, the fact that it's resolving tells me my DNS is up and cooking.

01:47.570 --> 01:54.020
Now the next thing I'm going to do is: can I connect to somebody? And this is really where we use ping

01:54.020 --> 01:55.570
more than anything else.

01:55.580 --> 02:02.150
So all I'm doing is I'm typing ping, and I want to connect. I want to see, am I getting to one person or

02:02.150 --> 02:02.630
another.

02:02.630 --> 02:05.320
So what I'm going to do is I'm going to type in ping.

02:05.330 --> 02:07.510
Let's do somebody who's always up.

02:07.820 --> 02:09.480
google.com.

02:09.770 --> 02:11.500
You can see that I'm getting a response.

02:11.500 --> 02:16.380
Now if you look really, really closely you're going to see that I'm getting IPv6.

02:16.400 --> 02:24.350
So another thing we can do that's actually a lot of fun is I can say OK I can ping www.youtube.com just

02:24.350 --> 02:31.920
fine on IPv6. But what if I want to do it only with IPv4? So I can use a switch like -4,

02:32.810 --> 02:37.790
and you'll see that everything has changed over so now I'm getting a good response back but this time

02:37.820 --> 02:45.080
I'm forcing it to use IPv4. A lot of problems that we run into in the security world have to do with

02:45.080 --> 02:52.100
Layer 3 issues and people aren't thinking about: is it IPv4 or IPv6? And Security+ is going to assume

02:52.400 --> 02:57.380
that you're comfortable with that, and ping is a great way to be able to separate those two.

02:57.410 --> 03:02.470
Now the next thing I want to do is: do I have an intermittent connection?

03:02.540 --> 03:08.360
Now if you take a look at the screen again you'll see that we've always got our time in milliseconds

03:08.360 --> 03:11.480
in terms of response and that's a helpful tool.

03:11.540 --> 03:15.530
But a lot of times, especially if we're talking about a serious, and in particular a hardware, intermittent

03:15.530 --> 03:20.020
issue in the Windows world we kind of have to do something a little bit funny.

03:20.020 --> 03:23.520
So what I'm going to do is I'm going to do a ping -t.

03:23.660 --> 03:25.490
And again let's pick somebody who's always up,

03:28.570 --> 03:31.260
and now I want you to watch very, very closely.

03:31.330 --> 03:38.110
You'll see before we always had just four responses. In the Windows world, by running ping with the

03:38.110 --> 03:43.260
-t, what we're getting ourselves is the ability to say: just keep running.

03:43.270 --> 03:47.650
Now this is actually kind of funny. For you Linux people out there you're like, well, that is the default

03:47.650 --> 03:52.150
behavior, and the Security+ is actually going to challenge you and remind you.

03:52.150 --> 03:55.350
Do I need to use a -t with a Linux system?

03:55.350 --> 03:57.340
The answer is simply no.

03:57.670 --> 03:58.120
OK.

03:58.120 --> 04:00.710
So that was fun and everybody loves ping.

04:00.880 --> 04:04.060
I think we should switch over to something even more common.

04:04.060 --> 04:04.640
Let's do.

04:04.690 --> 04:05.490
Oh I don't know.

04:05.530 --> 04:06.350
How about that

04:11.200 --> 04:18.970
If you need to know what sessions a particular host is running at any given moment, your go-to tool is

04:19.150 --> 04:25.240
netstat. netstat can be absolutely terrifying in terms of the information that it gives you.

04:25.240 --> 04:28.210
So when I go to netstat there are two big questions.

04:28.210 --> 04:35.110
Two scenarios that I'm always looking for and counting on netstat to help me out with. The first one, and

04:35.230 --> 04:37.800
the pretty obvious one, is: who am I talking to?

04:37.800 --> 04:40.820
So I'm going to run a netstat real quick here.

04:41.120 --> 04:44.240
Now I almost never run netstat by itself.

04:44.240 --> 04:47.810
I will invariably run -n.

04:47.920 --> 04:54.140
The problem is I'm so familiar with port numbers now that it's actually hard for me to look

04:54.200 --> 04:57.630
at output where it says stuff like HTTP and HTTPS.

04:57.920 --> 05:00.100
Just the numbers please. So let me run this.

05:00.350 --> 05:01.760
And what we can take a look at.

05:01.760 --> 05:05.000
We can see what we're connecting to right now.

05:05.000 --> 05:10.640
Now if you take a close look, first of all this is a Windows 10 system, and Windows 10 is notorious for

05:10.640 --> 05:18.050
these loopback 127.0.0.1 with these really big weird port numbers, fifty three thousand two hundred

05:18.060 --> 05:19.280
and something.

05:19.370 --> 05:26.160
These are just the telemetry of Windows 10 phoning home and there are things we can do about it.

05:26.160 --> 05:31.490
I don't worry about that too much. What I'm more interested in is when we get below that you can see

05:31.670 --> 05:40.310
that on this particular test network my internal network ID for this host is 192.168.4.34 and you can

05:40.310 --> 05:46.120
see I've got one, two, three, four, five connections on IPv4.

05:46.130 --> 05:50.020
And I've got an IPv6 connection. They're all on 443.

05:50.030 --> 05:54.430
So I instantaneously know that I'm talking on HTTPS.

05:54.830 --> 05:56.230
Well that's great.

05:56.600 --> 06:02.060
And I also know why they're there and that's primarily because I've got my web browser open and these

06:02.060 --> 06:05.710
are all the different individual tabs and what those connections are for.

06:05.900 --> 06:08.870
So in this particular situation I'm happy with what I see.

06:09.020 --> 06:16.400
What makes me nervous is when I have, for example, all of my web browsers closed and I'm still connecting

06:16.400 --> 06:23.450
on 443. Something's connecting in there that I'm not authorizing. That's a classic sign of malware or

06:23.450 --> 06:24.080
something else.

06:24.080 --> 06:32.480
In fact, in a lot of places I have an Nvidia driver that actually connects and phones home on port 443. Nvidia

06:32.630 --> 06:34.250
looks at that as a feature.

06:34.250 --> 06:38.080
It scares me a little bit, but I had to do some research and figure out where it was.

06:38.240 --> 06:43.940
But when I'm looking for scenarios where I'm not sure who's talking out of this particular host,

06:43.940 --> 06:47.360
netstat with the -n option is the way to go.

06:47.360 --> 06:49.930
Now the other one is the exact opposite.

06:49.940 --> 06:53.870
Not so much who am I talking to, but who's trying to talk to me?

06:53.870 --> 06:58.190
So in this particular situation, am I a server or something?

06:58.190 --> 07:01.130
So what I'll do here is I'll run netstat.

07:01.370 --> 07:03.080
But what I'm going to do is I'm going to do.

07:03.080 --> 07:11.240
netstat -a. -a says show me all open ports, including the ones that I'm not actually connected

07:11.240 --> 07:11.690
to.

07:11.840 --> 07:17.240
So if I have a web server on here and I'm not connected to anybody, that normally wouldn't show

07:17.240 --> 07:17.800
that.

07:17.870 --> 07:22.220
But by putting in the -a, I'm like, I don't care whether you're actually connected or not, if

07:22.220 --> 07:25.600
you're listening, show it. We should get quite a bit of information here.

07:25.700 --> 07:26.480
OK.

07:26.870 --> 07:33.620
Now as we scroll through here, what I'm looking for in this case is, on this side, what am I listening

07:33.620 --> 07:34.230
on?

07:35.030 --> 07:43.890
So in this particular case look right there, and you see that right there shows that I'm listening on

07:43.890 --> 07:49.100
port 80. This system right here is running a web server.

07:49.210 --> 07:51.690
Now again that could be a good thing.

07:51.720 --> 07:57.390
A lot of times little phone home utilities will actually use port 80 and be like their own little web

07:57.390 --> 07:59.830
server for driver update and stuff.

07:59.910 --> 08:01.780
We're not doing as much as we used to.

08:01.830 --> 08:06.930
But what's important is I can take a look here and I can quickly see hey I'm a server.

08:06.930 --> 08:08.830
Do I want to be a server now?

08:08.890 --> 08:14.910
Something like port 80 is fairly innocuous, but because I know my port numbers well, certain other things

08:14.910 --> 08:20.820
would terrify me if I saw open port 25 for e-mail or something like that.

08:20.850 --> 08:22.980
Now I would start to panic a little bit.

08:22.980 --> 08:28.260
The other problem as we look through this list is that there are a lot of listening ports. You see

08:28.340 --> 08:30.300
they all say listening and listening there.

08:30.570 --> 08:34.750
If you don't know your ports you're going to have to be doing a little bit of research here.

08:34.800 --> 08:42.210
Things like 135 and 443, I'm more familiar with those because those are going to be part of the Windows

08:42.210 --> 08:43.410
operating system.

08:43.680 --> 08:47.860
But I'm still going to be taking a moment to do a little research.

08:48.000 --> 08:55.140
netstat is great for scenarios where you're worried about who you're talking to or who's trying to

08:55.140 --> 08:56.300
talk to you.

09:00.620 --> 09:02.500
Let's talk about traceroute for a minute.

09:03.270 --> 09:07.080
Now traceroute is a very, very interesting utility.

09:07.080 --> 09:12.510
The challenge that I run into with most people who say they don't like traceroute is because they don't

09:12.510 --> 09:17.690
think about scenarios where traceroute is going to do them the most good.

09:17.760 --> 09:24.900
Look, the bottom line is if you can't ping somebody, going ahead and tracerouting them is a questionable

09:24.900 --> 09:27.380
thing to do with one exception.

09:27.390 --> 09:28.710
Let me give you an example right here.

09:28.710 --> 09:29.880
I'm going to run traceroute

09:34.880 --> 09:37.970
and let's again pick good old Google because they never go down.

09:38.240 --> 09:43.050
Knock on wood. And I type in three W's.

09:43.360 --> 09:43.660
All right.

09:43.690 --> 09:48.110
Now what I want you to do is watch this very, very closely as we're moving along here.

09:49.400 --> 09:52.940
It's going to take a few clicks before it gets to Google.

09:53.000 --> 09:59.220
But what's actually not terribly important to me is all the gobbledygook that's past the first two lines.

09:59.340 --> 10:06.240
If you take a look at those first two lines, that is my internal router, and the next line after that

10:06.540 --> 10:13.280
is my in-house interface too. As you can see I'm running Comcast, to Comcast itself.

10:14.120 --> 10:21.580
What that's telling me is that I know the first two routers between my network and the rest of the world.

10:21.860 --> 10:26.460
And this is where trace route can really come up in different scenarios that will help you out.

10:26.870 --> 10:34.490
Let's say you can't traceroute somebody. If that traceroute fails on either the first or the second

10:34.490 --> 10:35.300
line.

10:35.300 --> 10:40.790
I now know that I've got an in-house problem and I'm going to grab a screwdriver and go check my router

10:40.970 --> 10:42.920
or my ISP interface.

10:42.920 --> 10:45.610
Now if it happens three or four levels down.

10:45.920 --> 10:47.940
Well, that's Comcast's problem or somebody else's.

10:47.960 --> 10:50.500
And there's nothing I'm going to be able to do about it.

10:50.510 --> 10:55.960
So the trick to traceroute is knowing your infrastructure, and if you get a failure on traceroute,

10:55.970 --> 10:56.570
know:

10:56.600 --> 11:00.750
Is it something you can fix, or are you going to have to make a phone call to your ISP?

11:00.770 --> 11:01.860
That's the big secret.

11:01.880 --> 11:06.540
And those are the scenarios that are going to work best for you when it comes to traceroute.

11:06.680 --> 11:11.930
Now traceroute's a lot of fun, but let's go ahead and do one that's even more interesting to me.

11:11.960 --> 11:12.990
Good old arp.

11:18.460 --> 11:24.570
I seriously hope that you don't run into a scenario where you need to be running the arp command.

11:24.580 --> 11:30.880
The main reason you're going to be running ARP is because you're afraid that somebody is doing something

11:30.880 --> 11:33.570
naughty within the world of your switches.

11:33.600 --> 11:41.740
Now for those of you who don't recall, ARP, or address resolution protocol, is a tool by which we can resolve

11:42.070 --> 11:45.100
an Ethernet MAC address from an IP address.

11:45.110 --> 11:50.970
So what I'm going to do is I'm just going to run arp. arp by itself doesn't do anything, but what we normally

11:50.970 --> 11:56.970
do is we're going to run arp -a. What you're looking at right here is the ARP cache.

11:56.970 --> 11:59.340
So this is what your system picks up over time.

11:59.340 --> 12:05.360
Now this is Windows arp. On Linux and Macs it's a little bit different, but you get the same basic result.

12:05.370 --> 12:07.290
So let's take a look at what we got here.

12:07.290 --> 12:11.910
Now in this particular case I've got two interfaces. I want to concentrate on the one that you see here

12:11.910 --> 12:17.550
that says 192.168.4.34.

12:17.670 --> 12:22.800
That is my actual Ethernet connection on this system, so as we take a look at this you can see that we

12:22.800 --> 12:26.490
have both dynamic and we also have static addresses.

12:26.610 --> 12:31.790
Windows generates static ARP cache entries that never change.

12:31.860 --> 12:34.640
If you take a look at what they are it will make some sense to you.

12:34.830 --> 12:36.960
So these are broadcast addresses.

12:37.080 --> 12:39.130
These are multicast addresses.

12:39.360 --> 12:43.230
And there is no reason for those to ever change. Dynamic,

12:43.230 --> 12:49.440
on the other hand, are addresses that will change based on ARP commands that this host is picking up.

12:49.440 --> 12:57.720
Now what you're panicking about in this type of scenario is that somebody has put in, for example, an

12:57.780 --> 12:59.250
ARP poisoner.

12:59.310 --> 13:02.780
And these can be incredibly difficult to diagnose.

13:02.790 --> 13:06.810
Now if you take a look here at Total Seminars you can see all of these different physical NICs that

13:06.810 --> 13:07.690
I have here.

13:07.800 --> 13:12.230
And if you look at the first six letters you can see they're all different for different ones.

13:12.480 --> 13:15.840
That's because we buy lots of different brands of NICs.

13:15.840 --> 13:21.330
But one of the things you'll see a lot of organizations do is they're like, we will always buy Intel

13:21.330 --> 13:22.130
NICs.

13:22.160 --> 13:25.980
The reason they're doing that is not because they're particularly hooked on Intel, although they usually

13:25.980 --> 13:26.580
are.

13:26.670 --> 13:31.560
But what they're doing is that they always know that all of their NICs are always going to start with

13:31.560 --> 13:35.680
those first six values because they're all Intel OEM IDs.

13:35.930 --> 13:40.470
And that way if an ARP poisoner sneaks in, unless it's a very good ARP poisoner who even knows how to

13:40.470 --> 13:43.240
mimic an Intel, which most of them don't,

13:43.500 --> 13:49.080
they will make it really easy to look on this list and suddenly see a number in there where the first

13:49.080 --> 13:53.130
six numbers are different from what they've usually established and are counting on.

13:53.220 --> 13:56.820
And that can often be a clue that you've got an ARP poisoner out there.

13:57.030 --> 14:00.030
ARP poisoners are a big problem now.

14:00.030 --> 14:02.580
Good intrusion detection should catch this stuff.

14:02.730 --> 14:08.250
But if you really need to see who's being the bad guy you are reduced to running ARP and trying to find

14:08.250 --> 14:10.760
MAC addresses that you don't trust.

14:11.040 --> 14:18.630
OK, so we've gone through quite a few different OS utilities in this episode, but we've got a bunch more,

14:18.630 --> 14:24.000
so go ahead, make sure you're comfortable with these, and watch for other episodes that cover even more

14:24.170 --> 14:39.910
OS utilities.
