Ay yo!

Last week we looked into how to open the Windows Command Prompt, how to launch it as an administrator and then we dove into some pretty neat tricks with PING and ARP.

If you missed that training session check it out here:

Understanding the Windows Command Prompt Basics

Today we're going to round out our series with:

• ipconfig including ipconfig /all, ipconfig /displaydns and ipconfig /flushdns.
• netstat including the awesome -naob flag.
• tracert
• BONUS! pathping

Alright, let's get into it.

Windows Command Prompt: ipconfig

Everyone knows what ipconfig is right? I think it was the first command I ever learned.

Let's open PowerShell and give it a whirl.

To open PowerShell in Windows 10 just hit the Windows Key and type:

powershell

The neat thing about Powershell is that all the normal Windows commands run just fine as well as the super leet Cmdlets which I'll share with you in a future lesson.

So let's type in ipconfig.  Type:

ipconfig

Look at the output:

We can see my IP address is 10.1.1.10, my subnet mask is 255.255.255.0 and my default gateway is 10.1.1.1

Don't worry if you're not sure what a subnet mask is or the default gateway. I promise you we will dig into all that in detail later.  For now I just want you to see that the output of ipconfig is identical to the output you see in your Network Connection Details.

For example, if you right click the little network connection icon in the bottom right corner of the screen and click "Open Network & Internet Settings" you can find your Wireless Adapter there.

I pick Wi-Fi, since I'm connected to Wi-Fi right now.

And then if you scroll down a little you'll see "Change adapter options"

When you click that you'll see your Wireless Adapter show up in Windows.  Now all you need to do is right-click that, go to Status and choose the "Details" button to see your IP address and all that other stuff we saw with ipconfig.

If we want to see more information we can use the mighty /all switch like this:

ipconfig /all

Now we can see the hostname, the domain my computer is joined to, as well as my network interface card name, MAC Address (that's the Physical Address shown below) and even my DNS Server.  I'm using 8.8.8.8 which is Google's free DNS server. (We'll talk about how DNS works and all that jazz in a future training)

If we want to see all the DNS answers that have been cached on the client (meaning, my local machine at 10.1.1.10) I can type:

ipconfig /displaydns

To flush everything from the cache I can type:

ipconfig /flushdns

Sometimes you'll want to do that if you're having problems browsing websites but other network aware applications work such as ping.  For example, if you can't visit securitypluspro.com but you can ping 8.8.8.8 then you most likely have a DNS issue.  The name isn't being resolved to an IP address and that might be because the DNS cache contains an invalid entry.

Getting nasty with netstat

Netstat shows network statistics.  I guess that's why it's called netstat haha.

Anyway, if we just type netstat by itself we'll see all the connections to and from our localhost.

netstat

Filtering netstat like a pro

I like to filter netstat to only show me the most important information.

By using the -anob flag I'm telling netstat to:

• a: display all connections and ports
• n: don't display the hostnames, just show me IP addresses.
• o: display the process ID responsible for the connection
• b: display the binary name associated with the initiating process ID.  For example, chrome.exe.

This is the pimped way to use netstat.

As an extra tough I pipe the output through the findstr command so I can only display "ESTABLISHED" connections.  These are the most interesting (and possibly worrisome).

Here's the full command:

netstat -anob | findstr "ESTABLISHED"

You can see I've got a ton of connections here!

The first column shows the protocol, TCP is being used.  

The next column shows the source IP and port.  10.1.1.10 is my source IP and that 49844 port number, in fact, all those 50,000 ish numbers after the IP are the ephemeral source ports.  These are numbers the operating system generated on demand so the connected resource knows how to send data back to my machine.

The next column shows the destination IP and port. I'm seeing a lot of stuff like this:

8.253.68.14:80

So this means I have an established connection to some sever at 8.253.68.14 over port 80 (which is the default port for HTTP, so it's probably a web browser - but doesn't have to be - it could be malware using port 80 as a communication channel so don't make assumptions so quickly!)

Then that last column shows the process ID: 1160.

To see the actually application mapped to that process ID I could type this:

tasklist /FI "PID eq 1160

Shhh... that's a secret not a lot of geeks know about.  Keep that one in your backpocket bro.

And one more thing: to get a full list of all the netstat options use the /? switch:

netstat /?

Tracert 

The last command we'll go over is tracert.

This shows you all the humble routers between your computer and host you want to trace a connection to.

For example, we can trace the route to google.com like so:

tracert google.com

You can see the first router I hit was 10.1.1.1 which is my Cisco router.  From there it hit 192.168.122.1 which is another router I have on my network. 

And it just keeps hopping along like a cute little packet bunny until it gets to the final destination.

If you see a * on some hops that's probably because you hit a firewall that's not responding to ICMP messages. 

We'll talk about all that jazz in a future training lesson.

Oh and one more thing: you can also use pathping to do the same thing as tracert.  It's a more modern alternative to tracert that actually combines ping and tracert to produce results that neither tool provides on its own.

pathping google.com

Use pathping /? to get more details there.

Coming Up

Alright, so that's all I have for your today.  As always you can watch a step-by-step video training on everything we covered on the SecurityPlusPro Youtube channel.  Check out the video below:

Next week you'll learn about the top Linux commands you need to know for the CompTIA Security+ exam.  It's going to be a lot of fun!

And if you enjoyed this  video don't forget to take the next step and join our mailing list.  You'll get more freebies, more downloads, more awesome stuff sent directly to your inbox so you can pass the exam.

See ya next week!