1
00:00:00,000 --> 00:00:17,760
Hey guys and welcome back. So in the previous nugget we talked about port scanning and in

2
00:00:17,760 --> 00:00:22,960
this nugget we're going to explore some additional tools that we can use with respect to our

3
00:00:22,960 --> 00:00:29,719
network settings and configurations. Now when you want to be able to view and monitor the

4
00:00:29,719 --> 00:00:35,960
activity within your local area network there are some very useful commands that you can use.

5
00:00:35,960 --> 00:00:42,000
The first one is the netstat command. Now netstat happens to be one of those commands that are

6
00:00:42,000 --> 00:00:48,239
now deprecated, but we do have to be aware of it. It has since been replaced by the ss command.

7
00:00:48,239 --> 00:00:54,920
Another command which is useful is the netcat command, otherwise known as nc, as well as the

8
00:00:55,240 --> 00:01:02,079
lsof command. So how about we do a little bit of exploration into these commands and see what

9
00:01:02,079 --> 00:01:07,240
they can actually bring us. So let's first begin with the netstat command and so what we will do

10
00:01:07,240 --> 00:01:15,200
here is use the dash s flag, which allows us to see a summary of all the packets traversing our network

11
00:01:15,200 --> 00:01:21,520
and have that sorted by the actual protocol in play. So if I hit enter check this out we can

12
00:01:21,560 --> 00:01:27,479
actually see information per protocol say for example here we have UDP we can see we have

13
00:01:27,479 --> 00:01:35,159
339 UDP packets received 40 packets to an unknown port and we can see information relating to the

14
00:01:35,159 --> 00:01:40,599
errors. If I scroll on up we can see the same thing for TCP we can see we have two active

15
00:01:40,599 --> 00:01:46,120
connection openings as well as a whole bunch of other information things like the segments

16
00:01:46,120 --> 00:01:51,399
received and the segments sent out. Scrolling up further we can see information relating to ICMP

17
00:01:51,440 --> 00:01:57,800
which is what we use for our ping commands, as well as our general IP packet information. So this

18
00:01:57,800 --> 00:02:02,480
information can be very very useful when we want to be able to neatly sort out our network

19
00:02:02,480 --> 00:02:08,960
traffic and view it on a per protocol basis try to remember this flag. Now if I happen to say

20
00:02:08,960 --> 00:02:17,280
netstat dash l we can see all of the listening sockets here. Remember a socket being an endpoint,

21
00:02:17,400 --> 00:02:22,680
that is an IP address with a particular port number and as we can see here with respect to all

22
00:02:22,680 --> 00:02:29,800
of our data everything here is in the listening state as specified by that dash L flag. Now as

23
00:02:29,800 --> 00:02:35,960
opposed to seeing information such as SSH if you want to be able to see the numeric port value

24
00:02:35,960 --> 00:02:41,319
that is being used here, what I could do here is actually change this and say dash n. If I scroll

25
00:02:41,439 --> 00:02:48,280
on up now instead we actually see port 22 for our SSH session and again this is an established

26
00:02:48,280 --> 00:02:54,039
connection. Similarly if we just want to be able to see particular information relating to maybe

27
00:02:54,039 --> 00:03:01,120
say TCP, we can say dash at to display only the TCP port information, and you'll notice on the left

28
00:03:01,120 --> 00:03:10,120
hand side the protocol: every one is TCP or TCP6. Similarly, if we change this to au for UDP, now

29
00:03:10,120 --> 00:03:15,920
we're only seeing information relating to our UDP connections. Now just like the route command, which

30
00:03:15,920 --> 00:03:20,879
was deprecated which we can use to see the kernel IP routing table you can also retrieve this

31
00:03:20,879 --> 00:03:26,759
information directly via the netstat command by saying netstat dash r. If we hit enter we get the

32
00:03:26,759 --> 00:03:33,360
exact same information the kernel IP routing table just via a different tool. Now like I say the

33
00:03:33,360 --> 00:03:39,640
netstat command has been replaced by the ss command. The ss command, if we go into the man page here,

34
00:03:39,959 --> 00:03:45,879
we can see this is for socket statistics and again if we scroll on down we can see all of the

35
00:03:45,879 --> 00:03:51,959
different options that we have available to us, a lot of similar information: dash t for TCP sockets

36
00:03:51,959 --> 00:03:59,560
or dash dash tcp, and so on and so forth. So we could say ss dash t; here are our established TCP connections,

37
00:03:59,560 --> 00:04:06,839
again the server connecting on the SSH port and here is my Windows machine connecting in with its

38
00:04:06,840 --> 00:04:14,360
socket IP and port number. We can also do dash s for a summary of our connections, one of which is

39
00:04:14,360 --> 00:04:20,759
established; this is my current SSH session. So really the ss command and the netstat command are going to

40
00:04:20,759 --> 00:04:26,519
give you very similar pieces of information relating to your network and socket statistics.

41
00:04:26,519 --> 00:04:32,920
Now another command we can use is the lsof command. If I just use the command on its own this is going

42
00:04:33,000 --> 00:04:39,240
to give you an absolute ton of information this is ultimately going to list all of the open files

43
00:04:39,240 --> 00:04:45,000
on your system now the reality is this is pretty much too verbose to have any real meaningful

44
00:04:45,000 --> 00:04:49,400
use you really have to be able to understand the different options available with this command

45
00:04:49,400 --> 00:04:55,160
to really yield any benefits so what I could do to shorten the output I could list the files

46
00:04:55,160 --> 00:05:02,200
opened by processes that belong to a specific user, and I can do this using the dash u flag,

47
00:05:02,279 --> 00:05:11,560
so I can say lsof dash u and my username is ipv0. If I hit enter now we just see processes relating to

48
00:05:11,560 --> 00:05:20,360
ipv0, as we can see here in this column every one is ipv0. If I happen to specify the root user, now we

49
00:05:20,360 --> 00:05:27,079
just see files that are opened by processes related to the root user now you happen to see here

50
00:05:27,079 --> 00:05:31,800
that when trying to open this directory we have permission denied, so we may perhaps want to do

51
00:05:31,800 --> 00:05:40,199
sudo lsof dash u root, and now once I type in my password and hit enter this information has

52
00:05:40,199 --> 00:05:45,720
been revealed so we can see here at the bottom a lot of these shared object files if I scroll on up

53
00:05:45,720 --> 00:05:51,080
notice that every one belongs to the root user. Now for the purposes of the LPIC-2 examination

54
00:05:51,080 --> 00:05:55,639
you don't have to be an expert in this output ultimately you just want to be aware of what

55
00:05:55,639 --> 00:06:01,240
this command is actually going to do for you, i.e. it can list the open files on the system and you

56
00:06:01,240 --> 00:06:06,680
have the ability to control this output with particular filters such as the dash u flag

57
00:06:06,680 --> 00:06:14,120
to specify a particular user. What I could also do is I could say lsof dash u and then if I use the

58
00:06:14,120 --> 00:06:21,879
caret, this ultimately inverts the logic, so I can say not root, i.e. show me all the open files

59
00:06:21,879 --> 00:06:27,160
belonging to everyone except for the root user so I could hit enter now we're going to see all of

60
00:06:27,160 --> 00:06:33,640
these ipv0 processes now again the only user on the system happens to be ipv0 and the root user

61
00:06:33,640 --> 00:06:38,439
so all we're seeing here is ipv0 and on the right hand side the actual information that is being

62
00:06:38,439 --> 00:06:43,720
opened but if we happen to have multiple users on the system using this type of filtering can be

63
00:06:43,720 --> 00:06:49,320
very very useful so you can target a particular user or you could say for example exclude a

64
00:06:49,320 --> 00:06:55,320
particular user as well as combining this information if you want with the grep commands

65
00:06:55,319 --> 00:07:00,680
so what I could say is maybe you know grep for the word home so now we're actually filtering this

66
00:07:00,680 --> 00:07:06,920
output a little bit further: we're now seeing users that are not the root user, i.e. in my case ipv0, but

67
00:07:06,920 --> 00:07:13,480
we're also filtering on open files associated with the home directory here if we scroll on up this

68
00:07:13,480 --> 00:07:19,639
is all home directory related and again you can just keep chaining this information together now

69
00:07:19,719 --> 00:07:25,560
one of the best tools that you could use to test and investigate issues relating to your network

70
00:07:25,560 --> 00:07:33,479
is the nc command. If I say man nc it says nc, otherwise known as netcat, as we can see here,

71
00:07:33,479 --> 00:07:41,319
is used for pretty much everything relating to TCP, UDP or Unix based sockets. So we can see here a

72
00:07:41,319 --> 00:07:47,000
nice little summary the common uses with this command is we can create simple tcp proxies we

73
00:07:47,000 --> 00:07:53,079
can create shell script based HTTP clients and servers, we can test our network daemons, as well as

74
00:07:53,079 --> 00:08:00,759
a whole bunch of other stuff now let's say that you wanted to test if a particular port was accessible

75
00:08:00,759 --> 00:08:05,720
maybe there was an issue with the firewall who knows where it may be well what you can do is you

76
00:08:05,720 --> 00:08:12,759
can set up a socket to listen on that particular port so you could say nc dash l for listen and then

77
00:08:12,759 --> 00:08:18,920
we can test the port, so let's just try the port, I don't know, 4567, and if I hit enter

78
00:08:18,920 --> 00:08:25,000
we are now just listening on that particular port so if we happen to actually engage this port from

79
00:08:25,000 --> 00:08:30,360
another computer we would be able to test if the connection has been allowed say for example through

80
00:08:30,360 --> 00:08:35,319
the firewall. So what I have here is another Linux machine, effectively this is the Windows

81
00:08:35,400 --> 00:08:44,040
Subsystem for Linux. If I do an ip addr and I grep for 192.168.0 and hit enter, we can see here

82
00:08:44,040 --> 00:08:50,840
the IP address of this machine here is 0.39. So what I'll do is I'll try to ping my machine, so I'll

83
00:08:50,840 --> 00:08:58,360
ping 0.65. We have connectivity. Let's now see if we can get through any supposed firewall and see if

84
00:08:58,360 --> 00:09:04,759
we can connect to this particular port here, 4567. So on this machine here I will say

85
00:09:04,759 --> 00:09:13,080
nc and I'll just type in the IP address 192.168.0.65, and then I'll do a space and specify the port I

86
00:09:13,080 --> 00:09:18,600
want to connect to, so say 4567, and I hit enter, and now I should have an established

87
00:09:18,600 --> 00:09:23,159
connection with this machine. So what I could do is I could just say testing this connection

88
00:09:23,240 --> 00:09:29,079
and hit enter. If I go and check my other machine here, look what's actually happened: the text has

89
00:09:29,079 --> 00:09:35,319
ultimately come through, and we're able to shuttle this information through this open port. So from my

90
00:09:35,319 --> 00:09:40,600
Xubuntu machine I will send a message to the other computer and say looking good here. In fact let me

91
00:09:40,600 --> 00:09:47,240
move this over so we can see the two machines at the same time. Let me send one to you and hit enter;

92
00:09:47,240 --> 00:09:53,079
look at the left hand side we can see here that indeed we have been able to establish a connection

93
00:09:53,160 --> 00:09:58,840
open up a socket and we do have this communication channel so we can see here indeed there is no

94
00:09:58,840 --> 00:10:05,000
firewall issues relating to being able to reach port 4567 on our local machine, and we're

95
00:10:05,000 --> 00:10:11,480
able to easily test this by spinning up a socket using netcat. Now honestly there is no way to cover

96
00:10:11,480 --> 00:10:17,480
all the things that we could actually possibly do with netcat; it is a massive tool, and if you happen

97
00:10:17,480 --> 00:10:23,240
to, if I just press Control-Z, if you go into man nc and run through the actual man page you

98
00:10:23,240 --> 00:10:27,480
will be able to see all the different potential options that you can use with this command but

99
00:10:27,480 --> 00:10:33,879
really for the purposes of the examination just understand that nc or netcat is going to allow

100
00:10:33,879 --> 00:10:40,279
you to open TCP connections, send UDP packets, it's going to allow you to listen on particular ports

101
00:10:40,279 --> 00:10:46,200
to test connections it can even also do port scanning just like you can do with nmap albeit

102
00:10:46,200 --> 00:10:51,160
not quite as advanced as nmap can. So honestly we do have a lot of various

103
00:10:51,160 --> 00:10:55,240
utilities that we can use with respect to our network connections. Like I say, we have the netstat

104
00:10:55,240 --> 00:11:01,160
command, which was replaced by the ss command; both do similar things. If we want to list our open

105
00:11:01,160 --> 00:11:07,720
files, this can also reveal to us open network connections via sockets, since everything on Linux

106
00:11:07,720 --> 00:11:13,879
is ultimately a file. And we can see here with the nc command, otherwise known as the netcat command,

107
00:11:13,879 --> 00:11:21,559
we have massive control and the ability to manipulate TCP, UDP and Unix based sockets. So really for

108
00:11:21,559 --> 00:11:26,600
the examination do not be overwhelmed or bogged down by all the details of these commands they are

109
00:11:26,600 --> 00:11:32,600
very expansive, and 99 percent of what these commands can do is outwith the scope of the

110
00:11:32,600 --> 00:11:39,159
examination just be able to identify these tools and have a good general awareness of their purpose

111
00:11:39,159 --> 00:11:44,759
and utility. Okay folks, I hope this has been informative for you, and I'd like to thank you for viewing.

