WEBVTT

00:00.580 --> 00:04.320
We had so much fun in the other episode talking about OS utilities.

00:04.330 --> 00:06.490
I'm like, why don't we just keep going?

00:06.490 --> 00:13.890
Now keep in mind I am going through the utilities that are specified in the CompTIA Security+

00:13.900 --> 00:19.630
SY0-501, so I'm not saying this is all there is but these are definitely on the exam.

00:19.690 --> 00:26.350
So the next thing I think we should be talking about is really not just one utility but a bunch of different

00:26.350 --> 00:28.600
utilities that kind of work the same way.

00:28.600 --> 00:35.990
So I'm just going to call this ipconfig.

00:36.030 --> 00:42.060
There's a lot of scenarios in the I.T. security world where you have to answer one basic question: who

00:42.060 --> 00:44.310
am I and how am I configured?

00:44.350 --> 00:49.200
So what I want to talk about real quick are really three different commands to do the same thing: ipconfig,

00:49.200 --> 00:55.040
the ip command and the deprecated ifconfig.

00:55.040 --> 01:00.870
So actually I'm just going to talk about two commands: ipconfig, which is a Windows tool, and ip, which

01:00.870 --> 01:01.840
is a Linux tool.

01:02.070 --> 01:07.680
ifconfig is, like I said, deprecated, although there are ways if you actually want to install it and

01:07.680 --> 01:09.300
use it you still can.

01:09.300 --> 01:14.130
The important thing is that the ip command does everything the ifconfig command does and a little

01:14.130 --> 01:15.900
bit more, so we'll just stick with that one.

01:16.020 --> 01:18.360
So let's go in and start with ipconfig.

01:18.390 --> 01:21.910
So I'm just going to go ahead and run ipconfig here on my Windows system.

01:21.930 --> 01:25.130
Now if I run it by itself it gives me a lot of great information.

01:25.260 --> 01:28.900
In particular I've got my IPv6 address.

01:28.920 --> 01:31.710
Now notice these temporary IPv6 addresses.

01:31.710 --> 01:34.010
So those change very very quickly.

01:34.050 --> 01:40.450
I've got my link-local IPv6 address, I've got my IP address, my subnet mask and my default gateway.

01:40.590 --> 01:45.960
The big deal here is not that ipconfig is that unique of a command.

01:45.960 --> 01:52.140
What gets people in trouble is that you have to know your network for the ipconfig command to do you

01:52.140 --> 01:53.040
any good.

01:53.040 --> 01:58.660
For example, the network ID that I'm doing this video shoot on is 192.168.4.

01:58.730 --> 02:04.670
And if we take a look up here we'll see that I have a 192.168.4 address, so life is good.

02:04.680 --> 02:10.230
Now I've also got a couple, I've got a virtual machine on here, and this is the Teredo Tunneling adapter which

02:10.230 --> 02:11.930
you'll still see in Windows 10.

02:11.940 --> 02:16.110
The only thing I'm really interested in right here is my Ethernet adapter.

02:16.330 --> 02:22.500
So ipconfig by itself is handy, but if you really want to get some good information do an ipconfig

02:22.650 --> 02:29.640
/all and this is going to give you a lot of really detailed information. I need to warn you, Security

02:29.640 --> 02:36.420
plus, well, CompTIA is a little bit notorious for taking questions from other types of certification and plopping

02:36.420 --> 02:43.290
them in one certification, so a great example would be right here where you might see an A+ type question

02:43.290 --> 02:47.530
where it's like, gee, how can you determine what your MAC address is?

02:47.610 --> 02:51.240
And the answer is that you have to type ipconfig /all.

02:51.240 --> 02:57.030
And if you look right there, there's my MAC address, so any type of scenario where you need to ask the question

02:57.060 --> 03:01.230
who am I, ipconfig is going to be your go-to tool.

03:01.230 --> 03:06.030
Now the other thing I need to stress is that if you know your network you can get great information

03:06.030 --> 03:12.070
here, like for example here's my IP address and it's 192.168.4.34.

03:12.200 --> 03:14.820
What if it suddenly became 169.254?

03:14.940 --> 03:17.780
Well now you know I've got a DHCP problem. Or, one,

03:17.790 --> 03:21.380
heaven forbid, it becomes 10.11.13 or something like that.

03:21.520 --> 03:27.150
I'd have a rogue DHCP server. So the power of ipconfig is knowing your network and being able to take

03:27.150 --> 03:31.470
a quick snapshot and look for situations that might be causing problems.

03:31.470 --> 03:37.470
So what I want to do now is let's do this all over again, except this time let's use the Linux ip command.

03:37.470 --> 03:45.660
So I'm going to type the most famous version of the ip command: ip addr.

03:45.860 --> 03:49.890
And when I type this you can see we've got a lot of great information and now you'll notice I've got

03:49.890 --> 03:51.130
two adapters on here.

03:51.300 --> 03:58.790
One of them is just the loopback, lo, and right here is my actual Ethernet right here.

03:59.190 --> 03:59.990
So we take a look.

03:59.990 --> 04:03.020
We've got, for example, our MAC address here.

04:03.090 --> 04:04.620
We've got our IP address.

04:04.620 --> 04:07.290
We've got our subnet mask as well, /24.

04:07.290 --> 04:08.850
We can see it's dynamic.

04:08.850 --> 04:10.380
There's a ton of information in here.

04:10.380 --> 04:14.000
Here is our link-local address for IPv6.

04:14.070 --> 04:20.460
So I can go in here and get a quick snapshot of what's going on with my system in particular my MAC

04:20.460 --> 04:22.710
address, my IP configuration.

04:22.710 --> 04:26.820
So that's why we put ipconfig and the ip command together.

04:26.940 --> 04:30.890
It's different operating systems but they really do the same thing.

04:31.380 --> 04:36.000
OK that was fun but I think it's time to start moving into the world of DNS.

04:36.060 --> 04:38.250
Anybody feeling like a little nslookup?

04:43.800 --> 04:46.970
DNS problems can drive you absolutely bonkers.

04:47.070 --> 04:52.260
And that's when we turn to tools like good old nslookup and the slightly better dig.

04:52.260 --> 04:58.200
Now before I get started here I need to warn you DNS has been a problem now for years in terms of bad

04:58.200 --> 04:59.500
guys doing things.

04:59.640 --> 05:06.020
So a lot of the query tools that we use like nslookup and dig have been kind of, well, shut down.

05:06.030 --> 05:11.790
It's not that the tools don't know how to query, it's just that DNS servers have learned not to make responses

05:11.790 --> 05:13.440
to these types of tools.

05:13.440 --> 05:18.320
So a lot of the things we used to be able to do with nslookup and dig are kind of gone.

05:18.330 --> 05:24.540
However, if you need to make queries to DNS servers there are some things we can still do with these tools,

05:24.810 --> 05:29.000
and probably the most important one is: what is my DNS server?

05:29.010 --> 05:29.340
You know what?

05:29.360 --> 05:34.590
Let's make it the most important too: what is my DNS server? And then the other question you could ask

05:34.590 --> 05:38.240
is, is this particular system a DNS server?

05:38.400 --> 05:42.290
So let's say you've got a scenario where your DNS simply isn't working.

05:42.350 --> 05:47.620
nslookup is going to be the tool to turn to to query your DNS server and check things.

05:47.640 --> 05:53.700
Now I'm going to be using nslookup in Windows, but keep in mind that nslookup also works just

05:53.700 --> 05:55.240
fine in Linux as well.

05:55.590 --> 06:01.470
So nslookup, now you can type it by itself and put it into interactive mode.

06:01.470 --> 06:09.400
I personally don't like that, so I'm going to do stuff like this: I can do nslookup

06:09.400 --> 06:11.360
www.totalsem.com.

06:11.410 --> 06:19.890
So what I'm doing right here is I've made a query and I want to know what server am I using for DNS.

06:19.930 --> 06:23.520
And then what is the IP address for www.totalsem.com?

06:23.620 --> 06:29.170
And if you take a look here you'll see that my DNS server is currently this machine called

06:29.170 --> 06:30.870
totalhomedc2.totalhome.

06:31.000 --> 06:35.450
And then the address is an internal address so I know that I've got an internal DNS server.

06:35.530 --> 06:38.810
I'm just not using my Comcast DNS or whatever it might be.

06:38.950 --> 06:42.260
And it does a query for me and it tells me the IP address.

06:42.280 --> 06:45.160
Now that's handy but we can do a couple of other things too.

06:45.160 --> 06:48.220
For example I am going to go into interactive mode.

06:49.360 --> 06:50.760
Now watch what happens.

06:50.770 --> 06:54.790
So it's just going to sit here like this and I'm going to change my DNS server.

06:57.600 --> 07:01.880
So what I've done is I've said I don't care what my DNS server normally is.

07:01.950 --> 07:07.410
I want you to try a different one. When you run into scenarios where you're worried that your DNS server

07:07.410 --> 07:09.800
might be the problem, run nslookup.

07:09.810 --> 07:14.310
And just quickly, just making a change, you go, well, let's try this server, and we can go ahead and see

07:14.310 --> 07:15.590
if things work better.

07:15.670 --> 07:23.340
Now I have famous public DNS servers like 8.8.8.8 memorized, but I can go ahead and just do little

07:23.340 --> 07:26.490
queries right here and see if anything comes up.

07:26.510 --> 07:30.600
So.

07:30.770 --> 07:34.540
So you can see what I've done is I've queried totalsem.com again.

07:34.640 --> 07:39.020
I got the same IP address as I should, but you'll see that I'm using a different DNS server.

07:39.380 --> 07:41.300
nslookup is a great way.

07:41.420 --> 07:46.100
Instead of going into your system and actually changing your DNS settings you can just use nslookup

07:46.100 --> 07:48.590
and go, look, my DNS server isn't working.

07:48.590 --> 07:51.750
Let me try another one and see if everything starts to suddenly work.

07:51.770 --> 07:53.930
So it does a really good job with that.

07:53.930 --> 07:59.150
Now nslookup used to be able to do a lot more, but it's been pretty much shut down. The DNS servers

07:59.150 --> 08:02.740
don't allow the types of queries that nslookup does.

08:02.750 --> 08:07.990
However, there is one tool that's a little bit better than nslookup, and that tool's called dig.

08:08.000 --> 08:13.520
Now there is not a native Windows version of dig that I know of. There's third-party tools that actually

08:13.520 --> 08:14.140
work great.

08:14.180 --> 08:15.610
Even some graphical ones.

08:15.770 --> 08:20.610
But if you really want to get into dig we've got to go head over to Linux.

08:20.610 --> 08:24.930
All right, so here I am in a Linux system and I'm just going to run a couple of dig commands and get

08:24.930 --> 08:27.000
some idea of some of the power you can do.

08:27.000 --> 08:29.210
Now dig will work like nslookup.

08:29.370 --> 08:35.450
So if I've got a scenario where I'm worried about a particular system I can go ahead and run dig and

08:35.460 --> 08:37.850
then whatever domain I want.

08:37.860 --> 08:39.690
Now there's a couple of things that are interesting here.

08:39.720 --> 08:43.800
You can see that it resolves totalsem.com just fine right here.

08:44.010 --> 08:45.530
But notice what its server is.

08:45.540 --> 08:47.360
It's a local server.

08:47.400 --> 08:53.310
It's simply telling us that there's a cache on this; the system has been asking about

08:53.310 --> 08:57.670
www.totalsem.com so much that it had it locally and it's ready to rock and roll.

08:57.690 --> 09:03.540
So just like with nslookup, if we want to change the DNS server it's no big deal.

09:03.540 --> 09:10.160
All we do is we type in an at sign and then the IP address of whatever server we want to use.

09:12.880 --> 09:18.150
And you'll see that I get the same response as I should, but notice down here you'll see that the server

09:18.150 --> 09:21.940
has changed to reflect that I'm using a different box.

09:22.030 --> 09:26.220
Now there are a few small things you can do with dig that you cannot do with nslookup.

09:26.320 --> 09:31.420
One of the things that's kind of interesting is that you can query certain records, for example start

09:31.420 --> 09:33.240
of authority or MX records.

09:33.250 --> 09:34.900
So, you're looking for a mail server.

09:34.960 --> 09:38.520
You can actually query a domain to determine things like that.

09:38.530 --> 09:48.250
So let's just do one example where I'm going to query totalsem.com and find out what the mail server is.

09:48.540 --> 09:56.200
So I'll type dig and then MX and then whatever I'm interested in, and you'll see what's happened here

09:56.380 --> 10:03.580
is that I now see the MX record. Hey, looks like Total Seminars is using Office 365.

10:03.590 --> 10:09.100
It says outlook.com, so you can see dig has a little bit more power than nslookup in that it

10:09.100 --> 10:15.430
can query more public records like start of authority, name server, MX records, things like that, but you're

10:15.430 --> 10:23.380
not going to be able to use dig to query things like A records where suddenly it discovers every host

10:23.380 --> 10:29.120
in your network because all your records pop up. That stuff has been pretty well blocked off.

10:29.150 --> 10:29.690
All right.

10:29.830 --> 10:31.210
That stuff was fun.

10:31.330 --> 10:34.200
But I've got one more very, very interesting tool.

10:34.210 --> 10:41.270
I want to show you netcat.

10:41.370 --> 10:50.220
I wish I could talk for two hours about this one utility, netcat. netcat is the Swiss Army knife,

10:50.220 --> 10:56.310
does-anything utility that runs on Linux systems that gives you the opportunity to do stuff

10:56.310 --> 10:59.490
that's actually kind of fascinating.

10:59.490 --> 11:05.340
netcat, because it's a Swiss Army knife, does so very many things that it's almost hard to wrap it up.

11:05.370 --> 11:07.370
But let me get you through the Security+.

11:07.720 --> 11:15.870
Basically netcat can open and listen on ports and it can also open and act as a client on just about

11:15.900 --> 11:17.190
any port you want.

11:17.190 --> 11:19.760
So let me give you a quick example here.

11:24.190 --> 11:29.170
So I'm going to type sudo netcat, I'm going to type in -l, and then I can just type in any arbitrary

11:29.170 --> 11:29.890
port that I want.

11:29.890 --> 11:37.360
Let's use something that's rare and weird, and what I've just done is I've opened up port 231 on this

11:37.360 --> 11:39.910
system as a listening port.

11:39.910 --> 11:42.810
So what I'm going to need to do is open up another terminal here

11:47.160 --> 11:52.290
and on this terminal I'm going to just run netstat just so we can see the results of this

11:55.380 --> 11:57.210
get back up towards the top.

11:57.440 --> 12:03.430
And if you see right there, you can see that this system is now listening on port 231.

12:03.680 --> 12:06.860
Now the downside to this is that it's just an open port.

12:06.890 --> 12:14.630
So if I open up a listening port on port 80, for example, I would take input from clients who were querying

12:14.630 --> 12:15.050
it.

12:15.050 --> 12:18.740
Now it's not a real web server so it wouldn't be able to respond.

12:18.770 --> 12:23.240
But the important thing is that with netcat, this is the other part of netcat that's fun,

12:23.330 --> 12:30.110
I can open a port as a client, and by opening as a client I can just take a text file that's got all kinds

12:30.110 --> 12:38.260
of evil testing stuff and start attacking a particular web server or I can do all kinds of strange queries.

12:38.330 --> 12:39.910
I can do all kinds of stuff.

12:40.100 --> 12:43.090
netcat is a tool for aggressive action.

12:43.160 --> 12:48.290
You're using netcat because you're doing a vulnerability assessment or you're doing some form of pen

12:48.290 --> 12:52.340
testing, and you want to do what's known as banner grabbing, where you're just trying to get a server

12:52.340 --> 12:57.360
to respond, to go, oh hi, I am the HTTP server, and these types of situations.

12:57.380 --> 13:01.920
It gives you the ability to be able to do stuff like if you opened up a web browser.

13:02.120 --> 13:07.490
I mean, things like Chrome, they're not going to let you type naughty things in because Google likes their

13:07.490 --> 13:12.530
product, but with netcat you can do stuff like that. netcat can be used for so much more and I'm just

13:12.530 --> 13:13.780
barely touching those.

13:13.790 --> 13:15.400
You can do file transfer with it.

13:15.400 --> 13:20.630
You can do just about anything, but remember the most important thing about netcat is it is a tool for

13:20.690 --> 13:21.740
aggressive use.

13:21.740 --> 13:26.450
It's not something that your administrator is going to be running on a daily basis.

13:26.450 --> 13:26.890
All right.

13:26.910 --> 13:32.240
Well, I think we have finally covered all of the different OS utilities that you're going to be seeing on

13:32.240 --> 13:38.780
the CompTIA Security+ exam. Take some time, play with these tools, and most importantly understand the

13:38.780 --> 13:59.660
scenarios where you're going to be applying them because you're going to see it on the exam.
