Lab 2

The document provides an overview of network monitoring tools, specifically the `netstat` command and Nmap Security Scanner, detailing their functionalities and commonly used flags for network analysis. It explains how these tools can help identify active connections, troubleshoot network issues, and detect potential security threats. Additionally, it briefly mentions TCP host discovery methods and includes a homework question regarding stateful and stateless firewalls.
Copyright: © All Rights Reserved

Cybersecurity Attacks and Detection

Lab 2
Netstat

• It can show a lot of information about the current state of your host's networking subsystem, such as routing-table entries, active connections, ports and protocols, or statistics for the active network interfaces.
In Windows, the `netstat` command has several flags that you can use to get information about network connections and listening ports. Here are some commonly used flags and their implications:
1. `-a`: Displays all connections and listening ports (both established and non-established connections).
2. `-n`: Displays addresses and port numbers in numerical form instead of attempting to determine host names.
3. `-o`: Displays the process ID (PID) associated with each connection or listening port.
4. `-b`: Displays the executable name or process name associated with each connection or listening port.
5. `-e`: Displays Ethernet statistics. This can be used in combination with the `-s` flag to display protocol statistics.
6. `-r`: Displays the routing table.
7. `-s`: Displays per-protocol statistics. This can be used in combination with the `-p` flag to display statistics for a specific protocol.
8. `-p`: Displays connections for the protocol specified by `proto`, where `proto` can be TCP, UDP, TCPv6, or UDPv6. This can be used in combination with the `-s` flag to display statistics for a specific protocol.
Here are some common combinations of flags and their implications:
• `netstat -an`: Displays all connections and listening ports in numerical form.
• `netstat -ano`: Displays all connections and listening ports in numerical form, along with the associated process ID (PID).
• `netstat -anob`: Displays all connections and listening ports in numerical form, along with the associated process ID (PID) and the executable name or process name.
• `netstat -anp TCP`: Displays all TCP connections and listening ports in numerical form.
• `netstat -sp TCP`: Displays per-protocol statistics for the TCP protocol.
• `netstat -anp UDP`: Displays all UDP connections and listening ports in numerical form.
• `netstat -s`: Displays per-protocol statistics for all protocols.
• `netstat -sp UDP`: Displays per-protocol statistics for the UDP protocol.
• `netstat -r`: Displays the routing table.
These combinations can help you identify which applications or services are using specific ports, detect potential security issues (like unexpected open ports), troubleshoot network connectivity problems, and analyze network traffic statistics.
netstat -aon
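A worked example of the "unexpected open ports" check described above, added here and not part of the lab slides: it parses `netstat -ano` output and groups any listener outside an expected-port baseline by PID, so the PID can then be matched against `-b` output or Task Manager. The netstat sample is constructed, and `EXPECTED_LISTEN_PORTS` is an assumed baseline.

```python
# Added example: parse `netstat -ano` and flag listeners outside an assumed baseline.
# SAMPLE_NETSTAT_ANO is constructed output; EXPECTED_LISTEN_PORTS is an assumed baseline.
import re
from collections import defaultdict

SAMPLE_NETSTAT_ANO = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.10:49672     203.0.113.5:443        ESTABLISHED     3376
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2240
"""

# Assumed baseline: ports this host is expected to listen on (RPC endpoint mapper, SMB).
EXPECTED_LISTEN_PORTS = {135, 445}

# UDP rows have no State column on Windows, so the state group is optional.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

def parse_netstat_ano(text):
    """Return one dict per connection/listener row; title and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        # The port follows the last ':' so that IPv6 forms such as [::]:135 parse too.
        row["port"] = int(row["local"].rsplit(":", 1)[1])
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows

def unexpected_listeners(rows, expected=EXPECTED_LISTEN_PORTS):
    """Map PID -> {(proto, port)} for TCP LISTENING rows and UDP binds not in the baseline."""
    found = defaultdict(set)
    for r in rows:
        is_listener = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if is_listener and r["port"] not in expected:
            found[r["pid"]].add((r["proto"], r["port"]))
    return dict(found)
```

Established outbound connections are not flagged, only sockets accepting traffic; each flagged PID is the value to look up with `netstat -anob` or `tasklist`.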
Nmap
The Nmap Security Scanner is a free and open-source utility used by millions of people for network discovery, administration, inventory, and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what services (application name and version) those hosts are offering, what operating systems they are running, what type of packet filters or firewalls are in use, and more. Nmap was named "Information Security Product of the Year" by Linux Journal and InfoWorld. It was also used by hackers in seven movies, including The Matrix Reloaded, Die Hard 4, and The Bourne Ultimatum. Nmap runs on all major computer operating systems, plus the Amiga. A traditional command-line interface and the Zenmap GUI are included.
• `-sn`: Ping Scan - Determines which hosts on a network are up and responding to ICMP echo requests.
• `-sP`: TCP Ping - Determines which hosts on a network are up and responding to TCP packets.
• `-sV`: Version Detection - Probes open ports to determine service/version information.
• `-sC`: Default Script Scan - Runs a collection of Nmap scripts to gather more information about targets.
• `-p-`: Scan all ports - Scans all 65,535 TCP ports on the target.
• `-p <port ranges>`: Scan specific ports - Scans only the specified port ranges (e.g., `-p 22,80,443`).
• `-sU`: UDP Scan - Scans for open UDP ports.
• `-sS`: SYN Scan - Performs a stealthy TCP SYN scan.
• `-sT`: TCP Connect Scan - Performs a full TCP connection scan.
• `-O`: OS Detection - Attempts to determine the operating system of the target.
• `-A`: Aggressive Scan - Enables OS detection, version detection, script scanning, and traceroute.
• `-v`: Verbose - Increases the level of output detail.
TCP Host Discovery Methods (PS, PA)
• SYN packet discovery (PS)
– Best against stateful firewalls
• ACK packet discovery (PA)
– Best against stateless firewalls
• Both the `-PS` and `-PA` flags are used for host discovery and can be combined with other flags to gather more information about the target systems. For example:
• `nmap -PS22,80,443 192.168.1.0/24`
• This command will perform a TCP SYN ping scan on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) across the IP range 192.168.1.0/24 to discover which hosts are alive.
• `nmap -PA -sV 192.168.1.10`
• This command will perform a TCP ACK ping scan on the host 192.168.1.10 and then perform version detection on any open ports that are discovered.

These flags are particularly useful when you want to be stealthy and avoid leaving a full TCP connection footprint on the target systems.
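To see why the slides pair SYN discovery (`-PS`) with stateful firewalls and ACK discovery (`-PA`) with stateless ones, here is a small model added for this lab (not from the slides or from Nmap) of both firewall kinds enforcing the same intended policy, "new inbound connections to web ports only, plus return traffic". The target's open ports, the policy and the one-port connection key are constructed simplifications; host replies follow RFC 793. The same model is a concrete handle on the homework question below.

```python
# Added example, not from the slides or from Nmap: a toy model of how a SYN probe (-PS)
# and an ACK probe (-PA) fare against a stateful versus a stateless firewall.
# Open ports, policy and the one-port connection key are constructed simplifications.

OPEN_PORTS = {80, 443}       # constructed target: a web server
ALLOWED_INBOUND = {80, 443}  # intended policy: new inbound connections to web ports only

def host_reply(flags, port):
    """RFC 793 behaviour of the target once a segment actually reaches it."""
    if flags == "SYN":
        return "SYN/ACK" if port in OPEN_PORTS else "RST"
    if flags == "ACK":
        return "RST"             # an ACK with no matching connection is answered with RST
    return None

def stateless_firewall(flags, port):
    """Stateless ACL: permit SYN to allowed ports and, because it cannot tell
    return traffic from an unsolicited segment, permit anything carrying ACK."""
    return flags == "ACK" or port in ALLOWED_INBOUND

class StatefulFirewall:
    """Connection-tracking firewall: a SYN to an allowed port creates state,
    after which only segments matching that state are let through."""
    def __init__(self):
        self.tracked = set()     # simplification: connections keyed by port only
    def allow(self, flags, port):
        if flags == "SYN":
            if port in ALLOWED_INBOUND:
                self.tracked.add(port)
                return True
            return False
        return port in self.tracked

def probe(firewall_allows, flags, port):
    """Send one probe through a firewall; None means no reply came back."""
    if not firewall_allows(flags, port):
        return None
    return host_reply(flags, port)

def host_is_up(firewall_allows, flags, port):
    """Nmap's host-discovery rule: any reply, SYN/ACK or RST, means the host is up."""
    return probe(firewall_allows, flags, port) is not None

def which_probe_works(port):
    """For a fresh firewall of each kind: does a SYN or ACK probe to `port` reveal the host?"""
    return {
        "stateful": {f: host_is_up(StatefulFirewall().allow, f, port) for f in ("SYN", "ACK")},
        "stateless": {f: host_is_up(stateless_firewall, f, port) for f in ("SYN", "ACK")},
    }
```

Against the stateless ACL an ACK probe draws an RST from any port, because the ACL cannot distinguish it from return traffic, while the stateful firewall answers only a SYN to a permitted port; the stateful firewall's extra cost is the connection table it must keep.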
Homework

Explain the differences between stateful and stateless firewalls in your own words.
