A practical handbook to cybersecurity for both tech and non-tech professionals. As reports of major data breaches fill the headlines, it has become impossible for any business, large or small, to ignore the importance of cybersecurity. Most books on the subject, however, are either too specialized for the non-technical professional or too general for positions in the IT trenches. Thanks to author Nadean Tanner's wide array of experience, from teaching at a university to working for the Department of Defense, the Cybersecurity Blue Team Toolkit strikes the right balance of substantive and accessible, making it equally useful to those in IT or management positions across a variety of industries. This handy guide takes a simple and strategic look at best practices and tools available to both cybersecurity management and hands-on professionals, whether they are new to the field or looking to expand their expertise. Tanner gives comprehensive coverage to such crucial topics as security assessment and configuration, strategies for protection and defense, offensive measures, and remediation, while aligning each concept with the right tool using the CIS Controls version 7 as a guide. Readers will learn why and how to use fundamental open source and free tools such as ping, tracert, PuTTY, pathping, Sysinternals, Nmap, OpenVAS, Nexpose Community, OSSEC, Hamachi, inSSIDer, Wireshark, SolarWinds Kiwi Syslog Server, Metasploit, Burp, Clonezilla and many more.
Up-to-date and practical cybersecurity instruction, applicable to both management and technical positions * Straightforward explanations of the theory behind cybersecurity best practices * Designed to be an easily navigated tool for daily use * Includes training appendix on Linux, how to build a virtual lab and glossary of key terms The Cybersecurity Blue Team Toolkit is an excellent resource for anyone working in digital policy as well as IT security professionals, technical analysts, program managers, and Chief Information and Technology Officers. This is one handbook that won't gather dust on the shelf, but remain a valuable reference at any career level, from student to executive.
Page count: 373
Year of publication: 2019
Cover
Foreword
Introduction
CHAPTER 1: Fundamental Networking and Security Tools
Ping
IPConfig
NSLookup
Tracert
NetStat
PuTTY
CHAPTER 2: Troubleshooting Microsoft Windows
RELI
PSR
PathPing
MTR
Sysinternals
The Legendary God Mode
CHAPTER 3: Nmap—The Network Mapper
Network Mapping
Port Scanning
Services Running
Operating Systems
Zenmap
CHAPTER 4: Vulnerability Management
Managing Vulnerabilities
OpenVAS
Nexpose Community
CHAPTER 5: Monitoring with OSSEC
Log‐Based Intrusion Detection Systems
Agents
Log Analysis
CHAPTER 6: Protecting Wireless Communication
802.11
inSSIDer
Wireless Network Watcher
Hamachi
Tor
CHAPTER 7: Wireshark
Wireshark
OSI Model
Capture
Filters and Colors
Inspection
CHAPTER 8: Access Management
AAA
Least Privilege
Single Sign‐On
JumpCloud
CHAPTER 9: Managing Logs
Windows Event Viewer
Windows PowerShell
BareTail
Syslog
SolarWinds Kiwi
CHAPTER 10: Metasploit
Reconnaissance
Installation
Gaining Access
Metasploitable2
Vulnerable Web Services
Meterpreter
CHAPTER 11: Web Application Security
Web Development
Information Gathering
DNS
Defense in Depth
Burp Suite
CHAPTER 12: Patch and Configuration Management
Patch Management
Configuration Management
Clonezilla Live
CHAPTER 13: Securing OSI Layer 8
Human Nature
Human Attacks
Education
The Social Engineer Toolkit
CHAPTER 14: Kali Linux
Virtualization
Optimizing Kali Linux
Using Kali Linux Tools
CHAPTER 15: CISv7 Controls and Best Practices
CIS Basic Controls—The Top Six
In Conclusion
Index
End User License Agreement
Chapter 1
Table 1.1: ping command syntax
Chapter 3
Table 3.1: Top Ports Defined
Chapter 4
Table 4.1: CVSS v3.0 Ratings
Chapter 6
Table 6.1: IEEE 802.11 standards
Table 6.2: Wireless Network Watcher command‐line options
Chapter 7
Table 7.1: Keyboard shortcuts for Wireshark
Table 7.2: Filter operators
Table 7.3: Expert Info severity levels
Chapter 9
Table 9.1: Ports used by Kiwi Syslog Server
Chapter 14
Table 14.1: Resource requirements for Windows 10, Ubuntu, and Kali Linux
Chapter 1
Figure 1.1: Running a ping against a URL and IP address
Figure 1.2: Pinging a loopback address
Figure 1.3: Using ipconfig /all
Figure 1.4: Using nslookup
Figure 1.5: Using nslookup on a URL
Figure 1.6: Using nslookup with ‐querytype=mx
Figure 1.7: Using tracert, counting hops
Figure 1.8: NetStat finding active connections
Figure 1.9: NetStat statistics
Figure 1.10: PuTTY Configuration window
Figure 1.11: PuTTY security alert
Chapter 2
Figure 2.1: Reliability Monitor graph
Figure 2.2: Steps Recorder menu
Figure 2.3: PathPing combining both traceroute and statistics of each hop
Figure 2.4: WinMTR combining ping with traceroute
Figure 2.5: Microsoft Sysinternals suite download
Figure 2.6: List of all Sysinternals tools
Figure 2.7: Sysinternals Process Explorer
Figure 2.8: God mode folder
Figure 2.9: Just a few of the 260+ tools in God mode
Chapter 3
Figure 3.1: nmap command
Figure 3.2: Nmap SYN scan
Figure 3.3: Nmap scan report
Figure 3.4: nmap -O
Figure 3.5: Zenmap GUI scan
Figure 3.6: Zenmap host details
Figure 3.7: Downloading nmap-7.70-setup.exe
Chapter 4
Figure 4.1: The vulnerability management lifecycle
Figure 4.2: The Greenbone Security Assistant login for OpenVAS
Figure 4.3: Greenbone Security Assistant welcome screen for OpenVAS
Figure 4.4: The default Localhost setup for launching a scan
Figure 4.5: Workflow for a scan of assets for vulnerabilities
Figure 4.6: Summary results of an asset
Figure 4.7: Installing Nexpose Community GUI
Figure 4.8: Nexpose Community Menu
Figure 4.9: List of Vulnerabilities found in Nexpose Community sorted by seve...
Figure 4.10: Document report menu in Nexpose Community
Figure 4.11: Top Remediations
Chapter 5
Figure 5.1: The collection of data from agents analyzed and possibly generati...
Figure 5.2: The OSSEC appliance
Figure 5.3: An OSSEC 1002 alert
Figure 5.4: The OSSEC dashboard
Figure 5.5: OSSEC agent manager
Figure 5.6: An example of a representative agent name
Figure 5.7: OSSEC individual agent alert
Figure 5.8: Kibana dashboard
Chapter 6
Figure 6.1: Simple star wireless topology
Figure 6.2: inSSIDer capture of Wi‐Fi
Figure 6.3: Wireless Network Watcher capture
Figure 6.4: Securing the transmission of data using a VPN
Figure 6.5: Hamachi VPN management console
Figure 6.6: Hamachi network type options
Figure 6.7: LogMeIn Hamachi client menu
Figure 6.8: Creating a new client network
Figure 6.9: Creating a managed network
Figure 6.10: Selecting the hub for your network
Figure 6.11: Adding users to your computer, granting access to files and fold...
Figure 6.12: Chrome in Incognito mode
Figure 6.13: Tor routing data for anonymity
Figure 6.14: DuckDuckGo browser
Chapter 7
Figure 7.1: Choosing a network interface card for capture
Figure 7.2: The OSI model sending and receiving data
Figure 7.3: Wireshark acknowledgment traffic
Figure 7.4: Showing conversation relationships
Figure 7.5: Right‐clicking a packet
Figure 7.6: Hexadecimal representation
Figure 7.7: Sorting packet capture based on TCP traffic
Figure 7.8: Wireshark conversations sorted by IPv4 protocol
Figure 7.9: Expert Info tool color‐coded “hints”
Figure 7.10: Graphing all packets versus just TCP errors
Chapter 8
Figure 8.1: CIA triad
Figure 8.2: Evaluating users' needs in your network
Figure 8.3: How to create a user in JumpCloud
Figure 8.4: The New User dialog box
Figure 8.5: Download the Windows Agent and use the connect key to complete th...
Figure 8.6: Configuring Windows policies
Figure 8.7: Windows Lock Screen policy
Chapter 9
Figure 9.1: Windows Event Viewer displaying logs
Figure 9.2: Security logs on a Windows machine
Figure 9.3: Critical warning on a Windows machine
Figure 9.4: Getting a list in PowerShell of available locations of logs
Figure 9.5: Retrieving the index, time, type, source, and message of the last...
Figure 9.6: Disk errors and warnings in system logs
Figure 9.7: Elevated command prompt turning on security audit logs
Figure 9.8: Opening a file location to view the log
Figure 9.9: Applying a filter to nse.log to find “vulnerable” assets
Figure 9.10: Choosing a service or application operating mode with Kiwi Syslo...
Figure 9.11: Successful test message on Kiwi Syslog Server
Figure 9.12: Anatomy of a syslog message
Figure 9.13: Syslog message being filtered by rules
Figure 9.14: Syslog message being filtered by rules and initiating an action ...
Figure 9.15: Creating a filter in Kiwi Syslog Server
Chapter 10
Figure 10.1: Select the correct version of Metasploit Community for your plat...
Figure 10.2: You must disable the antivirus function, or the install process ...
Figure 10.3: Waiting for Metasploit to start
Figure 10.4: Metasploit Community splash screen
Figure 10.5: Activating the Metasploit Community license
Figure 10.6: Exploring the default project in Metasploit Community
Figure 10.7: List of projects in Metasploit Community
Figure 10.8: Metasploit Community project overview
Figure 10.9: Task pane of the initial scan of MC1 completed with 7 new hosts ...
Figure 10.10: Overview after discovery of assets and services on a network
Figure 10.11: Finding open ports in the network
Figure 10.12: List of possible exploits to be launched sorted by starred rank...
Figure 10.13: Configuring a Metasploit auxiliary module for possible exploita...
Figure 10.14: Failure of an auxiliary module
Figure 10.15: Windows server, auxiliary, and post‐exploitation exploits...
Figure 10.16: VMware Workstation Pro download—Windows or Linux
Figure 10.17: Opening Metasploitable.vmx in VMware
Figure 10.18: Metasploitable2 welcome screen
Figure 10.19: ifconfig on the Metasploitable2 box
Figure 10.20: Successful Metasploitable2 scan
Figure 10.21: Using information acquired in Metasploit Community to use PuTTY...
Figure 10.22: Metasploitable2 web application home page
Figure 10.23: Purposefully vulnerable scripts of OWASP Top 10
Figure 10.24: DVWA home page
Chapter 11
Figure 11.1: The original Facebook.com in 2000 called AboutFace.com
Figure 11.2: The software development lifecycle with security functions embed...
Figure 11.3: ICANN WHOIS for domain lookup
Figure 11.4: ICANN WHOIS domain lookup results for www.example.com
Figure 11.5: DNS server reconnaissance and researching domains including host...
Figure 11.6: Top countries, services, and organizations that have a publicly ...
Figure 11.7: The domain namespace of example.com
Figure 11.8: PortSwigger Web Security page for downloading Burp Suite Communi...
Figure 11.9: Creating a new project in Burp Suite
Figure 11.10: Configuring Burp Suite Community
Figure 11.11: Configuring your browser to listen for traffic over the Interne...
Figure 11.12: Mozilla Firefox settings for a Burp Suite network proxy
Figure 11.13: http://burp
Figure 11.14: Loading the CA certificate into Firefox Preferences located und...
Figure 11.15: Web traffic captured over 127.0.0.1:8080 in the header view
Figure 11.16: The channels you can take in analyzing individual HTTP requests...
Chapter 12
Figure 12.1: The patch management lifecycle
Figure 12.2: Log in to DesktopCentral through a browser.
Figure 12.3: Patch management processes in DesktopCentral
Figure 12.4: Scope Of Management page in DesktopCentral
Figure 12.5: Downloading and installing the agent manually to a Windows syste...
Figure 12.6: The Dashboard page of Patch Management in Desktop Central
Figure 12.7: Install/Uninstall Windows Patch configuration
Figure 12.8: Deployment execution status for patch management of a Java vulne...
Figure 12.9: Building the Security Configuration And Analysis MMC
Figure 12.10: Saving the SecurityConfig MMC for future use
Figure 12.11: Configuring the test security template's Maximum Password Age p...
Figure 12.12: Microsoft explanation of password‐policy best practices
Figure 12.13: Opening or creating a new database
Figure 12.14: Opening the template created in Lab 12.3 with modifications
Figure 12.15: Microsoft Security Compliance Toolkit 1.0
Figure 12.16: Configuring Rufus with the Clonezilla .iso
Figure 12.17: Clonezilla Live boot menu
Figure 12.18: Preparing the Clonezilla Live environment
Figure 12.19: Assigning where the Clonezilla image will be saved or read from...
Figure 12.20: Saving the current disk to an image
Chapter 13
Figure 13.1: Creating unique credentials for web accounts
Figure 13.2: 70.22 percent of the planet runs Microsoft Windows.
Figure 13.3: Turning on the Windows feature of the Windows subsystem for Linu...
Figure 13.4: Finding Ubuntu 18.04 on Windows WSL
Figure 13.5: Details of Ubuntu 18.04 LTS
Figure 13.6: Ubuntu 18.04 successfully installed
Figure 13.7: Creating credentials on Ubuntu 18.04
Figure 13.8: Cloning SET to your set folder
Figure 13.9: SET welcome screen
Figure 13.10: Social engineering attacks
Figure 13.11: Phishing with SET
Chapter 14
Figure 14.1: Download VM Workstation Player page
Figure 14.2: VMware UAC
Figure 14.3: Installing VMware Workstation 15 Player page
Figure 14.4: Accepting the free noncommercial license
Figure 14.5: VMware Workstation Player software updates
Figure 14.6: Downloading Kali Linux
Figure 14.7: Downloading and installing 7‐Zip
Figure 14.8: Opening Kali Linux VM
Figure 14.9: Editing VM settings
Figure 14.10: Default configuration for Kali Linux
Figure 14.11: Disabling shared folders
Figure 14.12: Running Kali Linux in Unity mode
Figure 14.13: Logging into Kali Linux
Figure 14.14: Kali Linux desktop
Figure 14.15: Updating Kali Linux through a terminal
Figure 14.16: Adding a nonroot username and password
Figure 14.17: Turning off the Blank screen saver
Figure 14.18: Configuring Automatic Screen Lock
Figure 14.19: Kali Favorites menu
Figure 14.20: Starting Maltego CE in Kali Linux
Figure 14.21: Data sources of Paterva, the owner of Maltego
Figure 14.22: Recon‐ng welcome prompt
Figure 14.23: Defining parameters in Sparta
Figure 14.24: Sparta data collected while running a scan
Figure 14.25: Spoofing your MAC address
Figure 14.26: Nikto vulnerability scanning of http://webscantest.com
Figure 14.27: Kismet server options
Figure 14.28: WiFite options
Figure 14.29: John the Ripper password cracker
Figure 14.30: Hashcat wordlists
Figure 14.31: Hashes collected on Kali Linux
Figure 14.32: Kali Linux using Encrypt_Method SHA512
Chapter 15
Figure 15.1: Creating a restore point in Windows
Figure 15.2: Configuring system protection
Figure 15.3: Configuring File Explorer Options
Figure 15.4: Configuring file properties
Figure 15.5: Configuring system properties
Figure 15.6: Setting default application settings
Figure 15.7: Turning on Windows Defender
Figure 15.8: Removing unwanted programs
Figure 15.9: Turning off Location settings
Figure 15.10: Logging cheat sheets
Figure 15.11: CIS Controls
Nadean H. Tanner
The year was 2012, and I took a big leap in my own career to move across the country. I filled a role to lead a three-person team providing information technology and security training to Department of Defense personnel. This leadership role was new to me, having worked for the past eight years in the intelligence and information security world, for the most part as a trainer. While building out the team in the fall of 2012, I interviewed a wonderful candidate from Louisiana named Nadean Tanner. She was full of personality, charisma, knowledge, and most importantly, she had the ability to train. She proved this as part of her training demonstration in the interview process. I knew she was the right candidate and hired her almost immediately. Hiring Nadean is still one of the best decisions I made, and she is one of the greatest trainers I know. My philosophy is that a great trainer does not simply regurgitate what they know. Rather, they have the ability to explain a topic in different ways so that each learner can comprehend. Nadean embodies this philosophy.
Nadean has trained thousands of learners on topics from hardware to advanced security. In each class, she takes the time and effort to ensure every learner gets what they need. Whether learning a product for performing their job, building out their professional development, or advancing their career with a certification, Nadean covers it all. If you had the opportunity to attend one of her training classes, consider yourself blessed by a great trainer. If you have not, you picked up this book, which is the next best thing. I am glad to see her move to authorship, allowing everyone to experience her ability to explain complicated topics in simple ways.
In the world of cybersecurity we are constantly bombarded with new products, new tools, and new attack techniques. We are pulled daily in multiple directions on what to secure and how to secure it. In this book, Nadean will break down fundamental tools available to you. This includes general IT tools used for troubleshooting, but ones that can also help the security team understand the environment. She will cover tools attackers use, but also empower you and your team to use them to be proactive in your security. Specifically, you as the reader get to enjoy not only Nadean's ability to impart knowledge but her uncanny ability to explain why. Rather than being technical documentation focusing on the how, Nadean will delve into why to use the tools and the specific use cases. For many users fresh to the cybersecurity world, this should be considered a getting started guide. For those in the middle of or more senior in their careers, this book will serve as a reference guide you want to have on your desk. It is not a book that makes it to your shelf and collects dust.
Throughout the years I have been Nadean's manager, colleague, peer, and most importantly dear friend. We have shared stories about how we learned, what we learned, and how we passed the information along to our learners. As the owner of this book, you are well on your way to enjoying Nadean's simple yet thorough explanations of advanced security topics. Rather than spending more of your time on reading this foreword, jump into the book to learn, refresh, or hone your cybersecurity skills.
Ryan Hendricks, CISSP
Training Manager, CarbonBlack
“The more you know, the more you know you don't know.”
—Aristotle
“If you can't explain it simply, you don't understand it well enough.”
—Einstein
If you have ever been a fisherman or been friends with or related to a fisherman, you know one of their favorite things is their tackle box … and telling stories. If you ask a question about anything in that tackle box, be prepared to be entertained while you listen to stories of past fishing expeditions, how big was the one that got away, the one that did get caught, and future plans to use certain hooks, feathers, and wiggly things. A great fisherman learns to adapt to the situation they are in, and it takes special knowledge of all the fun things in that tackle box—when and where and how to use them—to be successful in their endeavor.
In cybersecurity, we have our own form of a tackle box. We have our own versions of wiggly things. To be successful, we have to learn when and where and how to use our tools and adapt to the technical situation we find ourselves in. It can take time to develop the expertise to know which tool to use when, and which product to reach for to find vulnerabilities, fix them, and, when necessary, catch the bad guys.
There are so many philosophies, frameworks, compliance regimes, and vendors. How do you know when to use which wiggly thing? Once you know which wiggly thing to use, how do you use it? This book will teach you how to apply best-practice cybersecurity strategies and scenarios in a multitude of situations and which open source tools are most beneficial to protect our dynamic and multifaceted environments.
This book will take a simple and strategic look at best practices and readily available tools that are accessible to both cybersecurity management and hands‐on professionals—whether they be new to the industry or simply are looking to gain expertise.
WHAT YOU WILL LEARN IN THIS CHAPTER:
Ping
IPConfig
Tracert
NSLookup
NetStat
PuTTY
Before heading off to the cybersecurity conference Black Hat in Las Vegas, a friend of mine, Douglas Brush, posted on his LinkedIn page a warning for other InfoSec professionals. He said, “Don't go to these events to buy curtains for the house when you don't have the concrete for the foundation poured yet.”
Too many times in the many years I've been in information technology (IT), I have seen people forget they need the basics in place before they try to use their shiny new tools. Before you can use any new tool, you must have a foundation to build upon. In IT, the tools in this chapter are that foundation. Anyone working as a computer, InfoSec, or security analyst professional must know how to use them and when. It's also rather impressive when a manager you assumed was nontechnical asks you to ping that asset, run a tracert, and discover the physical and logical addresses of the web server that is down. Sometimes they do speak your language!
Ping will make you think one of two things. If it makes you think of irons and drivers and 18 holes of beautiful green fairway, then you are definitely CIO/CEO/CISO material. If it makes you think of submarines or bats, then you're probably geekier like me.
Ping, often expanded as Packet InterNet Groper (a backronym; the tool was actually named after the sound of sonar), is a networking utility. It is used to test whether a host is “alive” on an Internet Protocol (IP) network. A host is a computer or other device that is connected to a network. Ping measures the time it takes for a message sent from one host to reach another and echo back to the original host. Bats are able to use echolocation, or biosonar, to locate and identify objects. We do the same in our networked environments.
Ping sends an Internet Control Message Protocol (ICMP) echo request to the target and waits for a reply. If the asset has a heartbeat, ping reports the round-trip time and any packet loss. If it does not, you get a timeout or an ICMP error such as Destination Host Unreachable. The command-line tool is easy to use on any operating system and comes with options such as the size of the packet, how many requests to send, and the time to live (TTL). Despite its name, TTL is a hop limit rather than a time: every router that forwards the packet decrements the field by 1 and discards the packet when it reaches 0, so a packet needs a TTL at least as large as the number of routers it must cross. Once a connection is made between the two systems, this tool can test the latency, or the delay, between them.
Figure 1.1 shows a running ping on a Windows operating system sending four echo requests to www.google.com using both IPv4 and IPv6.
Figure 1.1: Running a ping against a URL and IP address
What this figure translates to is that my computer can reach through the network and touch a Google server. The www.google.com part of the request is a hostname (a fully qualified domain name). A uniform resource locator (URL) such as https://www.google.com/ wraps that hostname with a scheme and a path; ping uses only the hostname part. The numbers you see next to the name are its IP address. Every device on a network must have a unique IP address. If you are attempting to echo-locate another host, you can type the IP address instead of the hostname www.google.com. We will do a deeper dive on IPv4 and IPv6 in Chapter 9, Log Management.
There are more granular ping commands. If you type ping along with an option or switch, you can troubleshoot issues that might be occurring in your network. Sometimes these issues are naturally occurring problems. Sometimes they could signal some type of attack.
Table 1.1 shows different options you can add to the base command ping.
Table 1.1: ping command syntax

OPTION      MEANING
/?          Lists command syntax options.
-t          Pings the specified host until stopped with Ctrl+C. This is a plain continuous ping and is not the “ping of death”; that 1990s attack sent an echo request fragmented so that it reassembled to more than the 65,535-byte IP maximum, which crashed early IP stacks, and current operating systems discard such packets. A flood of ordinary echo requests can still be used as a crude denial-of-service (DoS) attack against a small link.
-a          Resolves the address to a hostname if possible.
-n count    How many echo requests to send, from 1 to about 4.2 billion. (In Windows operating systems, 4 is the default.)
-l size     Size of the data portion of each request, in bytes (Windows sends 32 by default).
-r count    Records the route for count hops (IPv4 only). The maximum is 9, so if you need more than 9 hops, tracert (covered later in the chapter) works better.
-s count    Timestamp for count hops (IPv4 only).
-i TTL      Time to live; the maximum is 255.
Did you know that you could ping yourself? Figure 1.2 shows that 127.0.0.1 is a special reserved IP address. It is traditionally called a loopback address. When you ping this IP address, you are testing your own system's TCP/IP stack to make sure it is working properly; the packet never leaves the host, so the network card, its driver, and the cable are not exercised. If this IP doesn't return an appropriate response, you know the problem is with your system, not the network, the Internet service provider (ISP), or your target URL.
Figure 1.2: Pinging a loopback address
If you are experiencing network difficulties, this is the first tool to pull out of your toolkit. Go ping yourself and make sure everything is working as it should (see Lab 1.1).
Open a command prompt or a terminal window.
Type ping -t www.example.com and then press Enter. (You can use another URL or hostname of your choice.)
After a few seconds, hold the Ctrl button and press C (abbreviated as Ctrl+C in subsequent instructions in this book).
When the command prompt returns, type ping -a 127.0.0.1 and press Enter.
What is the name of your host? As you can see in Figure 1.2, mine is DESKTOP-OU8N7VK. A hostname consists of alphanumeric characters and possibly a hyphen. There may be times in the future when you know an IP address but not the hostname, or you know a hostname but not the IP address. For certain troubleshooting steps, you will need to be able to resolve between the two on a single machine.
The command ipconfig is usually the next tool you will pull out of your toolbox when you're networking a system. A lot of valuable knowledge can be gleaned from this tool.
Internet Protocol is a set of rules that govern how data is sent over the Internet or another network. This routing function essentially creates the Internet we know and love.
IP has the function of taking packets from the source host and delivering them to the proper destination host based solely on the IP addresses in a packet. The datagram that is being sent has two parts: a header and a payload. The header has the information needed to get the information where it should go. The payload is the stuff you want the other host to have.
In Lab 1.2, you'll use the ipconfig command.
Open a command prompt or a terminal window.
Type ipconfig and press Enter if you are on a Windows system. If you are on Linux, try ip addr (older distributions still ship ifconfig, but it is deprecated and missing from many current images).
Scroll through your adapters and note the ones that are for Ethernet or Wi-Fi or Bluetooth.
With the preceding steps, you can answer the following questions: Which adapters are connected with an IP address? Which ones are disconnected?
At the command prompt, type ipconfig /all and press Enter.
Now you have a wealth of information to begin your troubleshooting hypothesis. In Figure 1.3, you see the IP addresses and default gateways for each network adapter on the machine.
Figure 1.3: Using ipconfig /all
To find your router's private IP address, look for the default gateway. Think of this machine as a literal gateway that you will use to access the Internet or another network. What tool would you use to make sure that the router is alive? Why, ping of course!
The Internet is down.
You ping yourself at 127.0.0.1, and everything is fine on your machine. You ping www.google.com, and it times out. You do an ipconfig /all on your host machine. What can you assume if the default gateway is listed as 0.0.0.0 or is blank, especially when the IPv4 address starts with 169.254 (an address Windows assigns itself when no DHCP server answers)? Your host never received a usable configuration from the router!
As an experienced IT person will tell you, the best thing to do is turn any device off and on again—first your host and then the router. Still not working? Expand your hypothesis to another host on your network—can it reach the Internet or the router? Does it pull an IP address from the router? When you are troubleshooting, it is all about the scientific method. Form a hypothesis, test, modify, and form a new hypothesis.
Here are two more acronyms to add to your IT vernacular: DHCP and DNS. DHCP stands for Dynamic Host Configuration Protocol. Let's isolate each word.
Dynamic: Ever-changing, fluid
Host: Asset on a network
Configuration: How the asset is supposed to work
Protocol: Rules that allow two or more assets to talk
DHCP is a network management tool. This is the tool that dynamically assigns an IP address to a host on a network that lets it talk to other hosts. Most simply, a router or a gateway can be used to act as a DHCP server. Most residential routers will get their unique public IP address from their ISP. This is who you write the check to each month.
In a large enterprise, DHCP is configured on servers to handle large networks' IP addressing. DHCP decides which machine gets what IP address and for how long. If your machine is using DHCP, did you notice in your ipconfig /all command how long your lease was? If there is no lease, you are either using a static IP address or, if the address begins with 169.254, DHCP failed and Windows assigned itself an autoconfiguration address that will not reach the Internet.
Here are two more commands for you to use if you want a new IP address:
ipconfig /release: This releases the IPv4 addresses leased from DHCP on all adapters.
ipconfig /renew: This requests a new lease, which may take a few moments.
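The triage above (loopback fine, Internet down, now read ipconfig /all) and the lease check in the DHCP discussion can be turned into a repeatable routine. The following is an added example, not code from the book: it parses text in the layout Windows prints for ipconfig /all and classifies each adapter as disconnected, self-assigned (169.254.x.x, so DHCP never answered), lacking a gateway, leased, or static, then names the next command to run. The sample output is constructed for the example; adapter names, addresses, and dates are made up.

```python
"""Parse `ipconfig /all` output and say what to check next (added example, not from the book)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the Windows `ipconfig /all` layout; adapter names, addresses
# and dates are made up for this example.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAB-PC
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   DHCP Enabled. . . . . . . . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : lan
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, March 5, 2019 8:02:11 AM
   Lease Expires . . . . . . . . . . : Wednesday, March 6, 2019 8:02:11 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Ethernet 2:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.83.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
"""


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Adapter headers are unindented lines ending in ':'; the dotted field lines
    below each header become key/value pairs (dots and '(Preferred)' stripped)."""
    adapters: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.strip().rstrip(":")
            adapters[current] = {}
            continue
        if current is None:                      # lines under "Windows IP Configuration"
            continue
        key, sep, value = raw.partition(":")     # keys never contain ':'; IPv6 values do
        if sep:
            key = re.sub(r"[\s.]+$", "", key.strip())
            adapters[current][key] = value.strip().replace("(Preferred)", "")
    return adapters


def diagnose(fields: Dict[str, str]) -> str:
    """Order matters: no link beats no lease, which beats no gateway."""
    if fields.get("Media State", "").lower().startswith("media disconnected"):
        return "disconnected"
    if "Autoconfiguration IPv4 Address" in fields:
        return "apipa"          # self-assigned 169.254.x.x: the DHCP request went unanswered
    if fields.get("Default Gateway", "") in ("", "0.0.0.0"):
        return "no-gateway"     # has an address but nowhere to send off-subnet traffic
    if fields.get("DHCP Enabled") == "Yes":
        return "dhcp-lease"
    return "static"


NEXT_STEP = {
    "disconnected": "reseat the cable or re-enable the adapter, then run ipconfig again",
    "apipa": "ipconfig /release then ipconfig /renew; if it stays 169.254.x.x, suspect the router or DHCP server",
    "no-gateway": "check the DHCP scope or the static settings; nothing beyond the local subnet will work",
    "dhcp-lease": "ping {gateway} (the router); if that fails, the problem is between you and the router",
    "static": "ping {gateway}; confirm the static address is inside the gateway's subnet",
}


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(adapter, verdict, what to do next) for every adapter in the output."""
    report = []
    for name, fields in parse_ipconfig(text).items():
        verdict = diagnose(fields)
        step = NEXT_STEP[verdict].format(gateway=fields.get("Default Gateway", "?"))
        report.append((name, verdict, step))
    return report


if __name__ == "__main__":
    for name, verdict, step in triage(SAMPLE):
        print(f"{name}: {verdict} -> {step}")
```

To run it against a real machine, pipe the live output in (for example, ipconfig /all redirected to a file and read into triage) rather than the constructed SAMPLE; the parser keys only on the dotted-label layout, so localized Windows builds with translated field names would need the key strings adjusted.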
DNS is an acronym for Domain Name System. This is a naming system for all hosts that are connected to the Internet or your private network. As you do what you do on the Internet or in a private network, DNS will remember domain names. It will store this data in something we call a cache (pronounced “cash”). This is done to speed up subsequent requests to the same host. Sometimes your DNS cache can get all wonky—sometimes by accident, sometimes by a hacker.
Cache poisoning—sometimes called DNS spoofing—is an attack where a malicious party corrupts the DNS cache or table, causing the nameserver to return an incorrect IP address and network traffic to be diverted.
Here are two more commands to try:
ipconfig /displaydns: This may scroll for a while because it is the host's cache of every domain name it has recently resolved, together with the IP addresses returned and the seconds left before each entry expires.
ipconfig /flushdns: If a site that you know has moved still resolves to its old address, or a name stops resolving at all, flush the cache clean. This forces your host to query its nameservers again for the latest information. (An HTTP 404 is not a DNS symptom: it means the web server was reached and reported that the page does not exist.)
The main use of nslookup is to help with any DNS issues you may have. You can use it to find the IP address of a host, find the domain name of an IP address, or find mail servers on a domain. This tool can be used in an interactive and a noninteractive mode. In Lab 1.3, you'll use nslookup.
Open a command prompt or a terminal window.
To work in interactive mode, type
nslookup
at the prompt and press Enter. You will get an
nslookup
prompt, as you see in
Figure 1.4
. To escape the prompt, press Ctrl+C.
Figure 1.4: Using nslookup
To work in noninteractive mode, type nslookup www.example.com at the prompt to acquire DNS information for the specific site, as in Figure 1.5.
Figure 1.5: Using nslookup on a URL
Now try nslookup with one of the IP addresses displayed in your terminal window attributed to www.wiley.com. This will do a reverse lookup for the IP address and resolve it to a domain name.
To find specific types of assets, you can use nslookup -querytype=mx www.example.com. In Figure 1.6, you see the result of using querytype=mx.
Figure 1.6: Using nslookup with -querytype=mx
Instead of -querytype=mx, you can use any of the following:
HINFO: Specifies a computer's CPU and type of operating system
UINFO: Specifies the user information
MB: Specifies a mailbox domain name
MG: Specifies an email group member
MX: Specifies the email server
So, now you know that all machines that are on a network need to have an IP address. I live in Denver, Colorado, and one of my best friends, Ryan, lives in Albuquerque, New Mexico. When I send him a message, it does not travel from my house through the wires directly to his house. It goes through “hops” (and not the beer kind, unfortunately for him). These hops are the routers between us.
Tracert is a cool diagnostic utility. It will determine the route the message takes from Denver to Albuquerque by using ICMP echo packets sent to the destination. You've seen ICMP in action before—with the ping command.
ICMP is one of the Internet's original protocols used by network devices to send operational information or error messages. ICMP is not usually used to send data between computers, with the exception of ping and traceroute. It is used to report errors in the processing of datagrams.
Each router along the path decrements the packet's TTL value by 1 and forwards the packet; the router that takes the TTL to zero discards the packet and sends a reply back, which is how tracert learns the address and response time of each intermediate router between you and the destination. Tracert will print the trace of the packet's travels, one line per hop.
Why is this an important part of your toolkit? This is how you find out where a packet gets stopped or blocked on the enterprise network. There may be a router with a configuration issue. Firewalls can be configured to filter packets. Perhaps your website is responding slowly. If packets are being dropped, this will be displayed in the tracert as an asterisk.
This is a good tool when you have many paths that lead to the same destination but several intermediary routers are involved.
One caveat before Lab 1.4: As I mentioned previously, most of my strengths lie in Windows machines. If you are on a Linux or Mac/Unix‐type operating system (OS), then you will want to use the tool traceroute. The commands tracert and traceroute are basically the same thing. The difference lies in which OS you are troubleshooting. If you want to get supremely technical, in Linux the command sends a UDP packet. In Windows, it sends an ICMP echo request.
Open a command prompt or a terminal window.
At the command prompt, type tracert 8.8.8.8 and press Enter.
In Figure 1.7, you can see the hops my machine takes to reach that public Google DNS server. How many hops does yours take?
Figure 1.7: Using tracert, counting hops
Now try tracert -d 8.8.4.4. This is another public Google DNS server, but now tracert will not try to resolve DNS names while counting the hops.
For fun, try tracert 127.0.0.1. Why is it only one hop?
Mathematical statistics is the collection, organization, and presentation of data to be used in solving problems. When you analyze statistics, you are going to use probability to fix issues. For example, in a room of 23 people, there is a 50 percent probability that two of those people share the same birthday. In cybersecurity, a birthday attack is a type of cryptographic attack that exploits the math behind the birthday statistic. This attack can be used to find collisions in a hash function. In our world of networking, learning your network statistics can be quite valuable.
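The birthday statistic above, carried through as an added Python example (not from the book) that computes the exact collision probability for 23 people and then generalizes it to brute-force collision search against an n-bit hash, where the expected work is about 2^(n/2) rather than 2^n.

```python
import math


def collision_probability(samples, space):
    """Exact probability that at least two of `samples` values drawn uniformly from
    `space` possibilities coincide (birthdays: space=365; an n-bit hash: space=2**n)."""
    p_all_distinct = 1.0
    for i in range(samples):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def samples_for_collision(space, target=0.5):
    """Approximate number of draws needed to reach collision probability `target`,
    from the standard approximation n ~ sqrt(2 * space * ln(1 / (1 - target)))."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - target))))


def hash_birthday_bound(bits, target=0.5):
    """Hash evaluations needed to find a collision in a `bits`-bit hash by luck alone:
    roughly 2**(bits/2), which is why a hash needs twice the output length of the
    security level it is supposed to provide."""
    return samples_for_collision(2 ** bits, target)


if __name__ == "__main__":
    print(f"23 people: {collision_probability(23, 365):.4f}")   # just over 0.5
    print(f"draws for 50% with 365 birthdays: {samples_for_collision(365)}")
    print(f"32-bit hash collision work: about {hash_birthday_bound(32)} evaluations")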
NetStat is a network utility tool that displays networking connections (incoming and outgoing), routing tables, and some other details such as protocol statistics. It will help you gauge the amount of network traffic and diagnose slow network speeds. Sounds simple, yes? From a cybersecurity standpoint, how quickly can you tell which ports are open for incoming connections? What ports are currently in use? What is the current state of connections that already exist?
The output from the netstat command is used to display the current state of all the connections on the device. This is an important part of configuration and troubleshooting. NetStat also has many parameters to choose from to answer the questions presented in the previous paragraph. One thing to remember about the parameters discussed next is that when you type them into your cmd shell, you can literally squish them together. For example, when I am teaching my Metasploit Pro class, we launch a proxy pivot via a Meterpreter shell and scan another network segment. (That might sound like gibberish now, but just finish the book.) How do you know what is actually transpiring on the compromised system? Using the netstat command and the options -a for all and -n for addresses and ports, you will have a list of all active network conversations this machine is having, as shown in Figure 1.8.
Figure 1.8: NetStat finding active connections
To translate the figure, when running netstat on your host, you may see both 0.0.0.0 and 127.0.0.1 in this list. You already know what a loopback address is. A loopback address is accessible only from the machine you're running netstat on. The 0.0.0.0 is basically a “no particular address” placeholder. What you see after the 0.0.0.0 is called a port.
One of my favorite explanations of ports is that you have 65,536 windows and doors in your network ranging from 0 to 65,535. Computers start counting at 0. Network admins are constantly yelling, “Shut the windows and close the doors—you're letting the data out!” Ports can be TCP or UDP. Simply put, TCP means there is a connection made between the host and the destination. UDP doesn't worry about whether there is a connection made. Both TCP and UDP have 65,535 ports available to them. This was the highest number that could be represented by a 16‐bit, or 2‐byte, number. You may see this represented mathematically as 2^16 – 1.
The Internet Assigned Numbers Authority (IANA) maintains an official assignment of port numbers for specific uses. Sometimes this list becomes antiquated at the same time new technologies are becoming available. Some of the most common ones you might see are the “well‐known” ports, which are 0–1023. Looking at the list in the previous figure, you see this machine is listening on port 135. Port 135 is traditionally used for a service called epmap/loc‐srv. That should tell you, among other things in Figure 1.8, that this is a Windows host. When a Windows host wants to connect to an RPC service on a remote machine, it checks for port 135.
The next port that is listening is 443. Most IT professionals memorize this port early in their career. Port 443 is Hypertext Transfer Protocol over TLS/SSL—better known as HTTPS. HTTPS authenticates the website that is being accessed and protects the confidentiality of the data being exchanged. Ports from 1023 all the way up to 49151 are “registered” ports. Above that, you have dynamic or private ports.
NetStat is an abbreviation for “network statistics.” If a host is not listening on the correct port for a specific service, then no communication can occur. Take another step along your network path: a port may be listening, but that does not mean a firewall is allowing the traffic to reach the device. To test that hypothesis, you can temporarily disable the host‐based firewall you suspect is causing the networking issue.
Among my favorite netstat commands are the statistics options shown in Figure 1.9. In Lab 1.5, you'll use the netstat command.
Figure 1.9: NetStat statistics
Open a command prompt or a terminal window.
At the command prompt, type netstat -help.
When the prompt is available, use netstat -an -p TCP.
Next try netstat -sp TCP.
You're sitting in your office, putting the final touches on a presentation that you're giving in an hour on cybersecurity trends that your specific industry is experiencing to the C‐level employees at your company. You're feeling confident with your data. You are hitting the Save button after every major change. You're concentrating on the agenda in your presentation when a balloon in your task pane from your antivirus software pops up and notifies you that an IP address will be blocked for 600 seconds.
As most end users do, you click the X with no hesitation and continue building your presentation. Then you notice you have mail in your inbox from your firewall. It is an alert notification. You start to worry less about your presentation and start thinking a possible breach is being attempted against your host.
You open a command shell and drop a netstat -nao. Not only will this give you the protocol, local/foreign address, and state but also the process identifier (PID) associated with that communication. You can easily get overwhelmed by the data displayed, but check your taskbar. Are there any network‐centric applications running? Close your browsers and try netstat -nao again.
Did anything change? Are there any foreign addresses or odd port numbers that you've never seen before?
Two ports to be wary of are 4444 and 31337. Port 4444 is the default listening port that Metasploit uses. Port 31337 spells eleet.
Leet speak originated in the 1980s when message boards discouraged the discussion of hacking. The purposeful misspelling of words and substitution of letters for numbers was a way to indicate you were knowledgeable about hackers and circumvent the message board police. When we substitute letters with numbers to enhance our passwords, we are using leet speak for good.
If either of these two ports shows up in your NetStat statistics, it's time for a procedure that has been previously agreed upon to kick in. Either pull the network cable on this machine or alert your incident response (IR) team so they can triage the situation and make the best decision on how to stop the attack. My own personal recommendation is that if you have an IR team, use it. If you pull the plug on an attacker, you lose valuable forensic information.
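The netstat -nao triage walked through in Lab 1.5 and the scenario above, as an added Python example that is not part of the book: it parses the output format netstat prints on Windows, lists which ports are open for incoming connections (and whether they are bound to loopback only or to 0.0.0.0), and pulls out the rows, with their PIDs, whose local or foreign port is 4444 or 31337. The sample output below is constructed; addresses and PIDs are made up.

```python
# Constructed sample of `netstat -nao` output (addresses and PIDs are made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49670        0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.10:49812     203.0.113.5:4444       ESTABLISHED     5120
  TCP    [::]:31337             [::]:0                 LISTENING       6301
  UDP    0.0.0.0:5353           *:*                                    2200
"""

WATCHLIST_PORTS = {4444, 31337}  # the two ports the text singles out


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, '[v6]:port' or '*:*') into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -nao output into dicts; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner, header and blank lines
        proto, local, foreign = fields[:3]
        state = fields[3] if proto == "TCP" else ""
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "fhost": fhost, "fport": fport, "state": state,
                      "pid": int(fields[-1])})
    return conns


def listening_ports(conns):
    """(port, bound address, PID) for every socket open to incoming traffic:
    TCP sockets in LISTENING state and every UDP socket. A bound address of
    127.0.0.1 is reachable only from this host; 0.0.0.0 or [::] means any interface."""
    return sorted((c["lport"], c["lhost"], c["pid"]) for c in conns
                  if c["state"] == "LISTENING" or c["proto"] == "UDP")


def flag_watchlist(conns, watch=WATCHLIST_PORTS):
    """Rows whose local or foreign port is on the watch list; the PID is what
    you hand to the IR team so they can identify the owning process."""
    return [c for c in conns if c["lport"] in watch or c["fport"] in watch]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for port, host, pid in listening_ports(rows):
        print(f"listening {host}:{port} pid={pid}")
    for c in flag_watchlist(rows):
        print(f"WATCH {c['proto']} {c['lhost']}:{c['lport']} -> {c['fhost']}:{c['fport']} pid={c['pid']}")
```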
Up until now, all the tools discussed are embedded in your operating systems. This tool will require a little more effort on your part. PuTTY is a free, open‐source terminal emulation, serial console, and network file transfer program. Originally written for Windows, it has evolved to be used with other operating systems. PuTTY is an amazingly versatile tool that allows you to gain secure remote access to another computer and is most likely the most highly used SSH client for the Microsoft Windows platform.
I believe that many IT professionals who have been in the industry for a while lose track of where we have been. We keep adding knowledge and experience and expertise to our repertoire and think, “Everyone should know that.” As an educator, I am not allowed to do that. It's my job to show you how to use all these new shiny things in your toolbox. I can hear some people saying, “You had me until SSH!”
Secure Shell (SSH) is a network protocol for creating an encrypted channel over an unencrypted network. The Internet is way