Hands-On

Cards (20)

  • Ping:
    • The ping command is used when we want to test whether a connection to a remote resource is possible. Usually this will be a website on the internet, but it could also be for a computer on your home network if you want to check if it's configured correctly. Ping works using the ICMP protocol. The ICMP protocol works on the Network layer of the OSI Model, and thus the Internet layer of the TCP/IP model. The basic syntax for ping is ping <target>. In this example we are using ping to test whether a network connection to Google is possible:
  • Ping:
    • Notice that the ping command actually returned the IP address for the Google server that it connected to, rather than the URL that was requested. This is a handy secondary application for ping, as it can be used to determine the IP address of the server hosting a website. One of the big advantages of ping is that it's pretty much ubiquitous to any network-enabled device. All operating systems support it out of the box, and even most embedded devices can use ping!
    • Any questions about syntax can be answered using the man page for ping (man ping on Linux).
  • Ping Command Flags:
    • -c count : Send a specified number of ping requests.
    • -F flowlabel : Set the flow label for IPv6 packets.
    • -i interval : Specify the interval between ping requests.
    • -I interface : Use a specific network interface for sending pings.
    • -l preload : Specify the number of packets to send in preload mode.
    • -m mark : Tag the packets with a specific mark for tracking.
    • -M pmtudisc_option : Set Path MTU Discovery options.
    • -N nodeinfo_option : Set ICMP Node Information options.
    • -w deadline : Specify a timeout deadline for ping requests.
  • Ping Command Flags:
    • -W timeout : Set the maximum time to wait for a response.
    • -p pattern : Specify a data pattern for payload in packets.
    • -Q tos : Set the Type of Service (TOS) for outgoing packets.
    • -s packetsize : Set the size of the packets to be sent.
    • -S sndbuf : Set the socket send buffer size.
    • -t ttl : Set the Time to Live (TTL) for the packet.
    • -T timestamp option : Set the ICMP timestamp option.
  • traceroute:
    • Traceroute can be used to map the path your request takes as it heads to the target machine.
    • The internet is made up of many, many different servers and end-points, all networked up to each other. This means that, in order to get to the content you actually want, you first need to go through a bunch of other servers.
    • Traceroute allows you to see each of these connections -- it allows you to see every intermediate step between your computer and the resource that you requested. The basic syntax for traceroute on Linux is this: traceroute <destination>
  • traceroute:
    • By default, the Windows traceroute utility (tracert) operates using the same ICMP protocol that ping utilises, and the Unix equivalent operates over UDP. This can be altered with switches in both instances.
    • As before, all questions about switches can be answered with the man page for traceroute (man traceroute).
  • traceroute flags:
    • -I: Use ICMP echo requests instead of UDP datagrams. This is useful when UDP packets are blocked. $ traceroute -I www.example.com
    • -U: Use UDP datagrams instead of ICMP echo requests. Some systems may not respond to ICMP, but they might respond to UDP. $ traceroute -U www.example.com
    • -n: Do not resolve IP addresses to hostnames. This speeds up the traceroute process by skipping DNS lookups. $ traceroute -n www.example.com
    • -q: Set the number of queries per hop. This allows you to specify how many times to probe each hop. $ traceroute -q 3 www.example.com
  • traceroute flags:
    • -m: Set the maximum TTL (Time To Live). This determines the maximum number of hops the traceroute will attempt. $ traceroute -m 15 www.example.com
    • -w: Set the timeout for receiving a reply. This controls how long traceroute waits for a response from each hop. $ traceroute -w 2 www.example.com
    • -p: Specify the destination port for UDP packets. This can be useful to bypass firewalls that allow specific ports. $ traceroute -U -p 80 www.example.com
    • -i: Specify the network interface. $ traceroute -i eth0 www.example.com
  • traceroute flags:
    • -T: Specify the use of TCP SYN requests. $ traceroute -T www.example.com
    • -f: Set the initial TTL (Time To Live). This allows you to start the trace from a specific hop. $ traceroute -f 5 www.example.com
    • -s: Use a specific source address. This can be useful in multi-homed environments. $ traceroute -s 192.168.1.2 www.example.com
  • traceroute flags:
    • -A: Print AS (Autonomous System) numbers in the output. $ traceroute -A www.example.com
    • -a: Print both the hostname and IP address in the output. $ traceroute -a www.example.com
    • --sport: Specify the source port for UDP or TCP traceroute. $ traceroute --sport 1234 www.example.com
    • --mtu: Print the MTU (Maximum Transmission Unit) along with the hop information. $ traceroute --mtu www.example.com
  • WHOIS
    • Whois essentially allows you to query who a domain name is registered to. In Europe personal details are redacted; however, elsewhere you can potentially get a great deal of information from a whois search.
    • Note: You may need to install whois before using it. On Debian based systems this can be done with sudo apt update && sudo apt-get install whois
    • Whois lookups are very easy to perform. Just use whois <domain> to get a list of available information about the domain registration:
  • DNS:
    • You make a request to a website. The first thing that your computer does is check its local "Hosts File" to see if an explicit IP->Domain mapping has been created. This is an older system than DNS and much less commonly used in modern environments; however, it still takes precedence in the search order of most operating systems. If no mapping has been manually created, the computer then checks its local DNS cache to see if it already has an IP address stored for the website; if it does, great. If not, it goes to the next stage of the process.
  • DNS:
    • Assuming the address hasn't already been found, your computer will then send a request to what is known as a recursive DNS server. These will automatically be known to the router on your network. Many Internet Service Providers (ISPs) maintain their own recursive servers, but companies such as Google and OpenDNS also control recursive servers. This is how your computer automatically knows where to send the request for information.
  • DNS:
    • Details for a recursive DNS server are stored in your router or computer. This server will also maintain a cache of results for popular domains; however, if the website you've requested isn't stored in the cache, the recursive server will pass the request on to a root name server.
  • DNS:
    • There are 13 root name DNS servers in the world. These days there are many more physical servers; however, they are still accessible using the same 13 IP addresses assigned to the original servers (balanced so that you get the closest server when you make a request). The root name servers essentially keep track of the DNS servers in the next level down, choosing an appropriate one to redirect your request to. These lower-level servers are called Top-Level Domain servers.
  • DNS:
    • Top-Level Domain (TLD) servers are split up into extensions. So, for example, if you were searching for tryhackme.com your request would be redirected to a TLD server that handled .com domains. If you were searching for bbc.co.uk your request would be redirected to a TLD server that handles .co.uk domains. As with root name servers, TLD servers keep track of the next level down: Authoritative name servers. When a TLD server receives your request for information, the server passes it down to an appropriate Authoritative name server.
  • DNS:
    • Authoritative name servers are used to store DNS records for domains directly. In other words, every domain in the world will have its DNS records stored on an Authoritative name server somewhere or another; they are the source of the information. When your request reaches the authoritative name server for the domain you're querying, it will send the relevant information back to you, allowing your computer to connect to the IP address behind the domain you requested.
  • DNS Request Flow:
  • Dig:
    • Dig allows us to manually query recursive DNS servers of our choice for information about domains: dig <domain> @<dns-server-ip>
    • In summary, that information is telling us that we sent it one query and successfully (i.e. No Errors) received one full answer -- which, as expected, contains the IP address for the domain name that we queried.
  • Dig:
    • Another interesting piece of information that dig gives us is the TTL (Time To Live) of the queried DNS record. As mentioned previously, when your computer queries a domain name, it stores the results in its local cache. The TTL of the record tells your computer when to stop considering the record as being valid -- i.e. when it should request the data again, rather than relying on the cached copy.