Helpful commands for networks

Networks and ports are probably the first elements hackers enumerate. Let's see useful commands to analyze the situation.

netstat

netstat shows open ports and connections (network statistics):

netstat -ano

With the above command, you can list active connections, state of the sockets, IP addresses, process IDs. It's available on Windows too.

nmap

The ultimate enumerator and probably the most popular: light, powerful, Swiss knife. The only inconvenience is the extensive range of options and modes that can be overwhelming for beginners, but there are lots of blog posts and documentations available:

nmap -O -sS TARGETED_MACHINE

• -O will determine the operating system, which is often needed during analysis
• -sS is for TCP SYN Scan

arp

The command dumps the ARP cache, a dynamic list of IP and MAC addresses of the routers your computer communicated with recently:

arp -a

This cache is used by your machine to store information and prevent useless queries every time you communicate with other devices in the same network or external devices.

nslookup

nslookup can query a domain server and resolve associated IP addresses:

nslookup wikipedia.org

ssh

OpenSSH ssh allows you to connect to a remote host. It's said to be way more secure than the old telnet that transmits all information in plain text.

It checks if the target host is up and encrypts communications. It's quite straightforward:

ssh user@IP

If your SSH keys (ls ~/.ssh) are authorized on the remote host (cat ~/.ssh/authorized_keys), you can connect without your password:

ssh -i ~/.ssh/YOUR_PRIVATE_KEY user@IP

ping

ping uses ICMP (Internet Control Message Protocol) to send packets to a host and see if it replies:

ping -6 github.com 

The above ping command will ping github.com and force IPv6 instead of IPv4.

traceroute

traceroute is helpful to retrieve the whole path to a source server. It will also list all routers, also known as "hops," on the way.

Unlike ping, the purpose of traceroute is not to send a message to get an echo reply that confirms the host is up. Indeed, it's usually the command you use if ping fails and to determine where packets are lost.

In a security perspective, it can spot anomalies such as unauthorized routers installed by hackers:

traceroute mozilla.org

N.B: tracert is the equivalent in Windows.