Thursday, October 6, 2022

Basics

What are the basic commands every NetSec practitioner should know? If you ask ten analysts, you might get ten different lists, but here's mine, based on what I've used the most in my career.

1. tcpdump
2. nmap
3. dig
4. host
5. grep


That's a small list, and knowing just the basic syntax of each of those commands will help your work as an analyst. There are many, many others, of course, and every analyst could probably make a list of their top twenty-five. tcpdump has a Windows version, as does nmap, but at some point along the way you'll need to go beyond Windows to use tools that don't run there or have never been ported. Whether that's Linux or macOS, either will serve you well; the vast majority of commands are the same on both platforms.

Friday, August 12, 2022

Threat Hunting

Threat hunting in a nutshell: there is no big red Easy button. It is not something that can be automated and not something ML can do, regardless of what vendor xyz tells you. It needs analysts, trained analysts. It has some similarities to law enforcement work. Sometimes discoveries come on a hunch: something just doesn't look "right" even though it doesn't trigger any alerts, and the analyst draws on institutional knowledge, experience, and a lot of familiarity with both normal activity and malicious activity.

IMO it's the most exciting silo of network/information security, because success is based on training and experience and not on how much money is available to throw at a security vendor. Ask what the current threat environment tells you an attacker who is already inside your network would do. Form a working hypothesis and go hunting for evidence, trying to disprove it. Even when you do disprove it, the things you discover about what is really going on in your environment will improve your security posture every time you write up a threat hunt report.

There is no bird's-eye view here; this is the view from inside, and automation can't know what is anomalous because no one can write an engine, policies and rules that exactly fit your environment and the things your users, or an attacker presented with your environment, would do.


(Photo: SANS FOR572 Courseware. Phil Hagen, author)

Wednesday, April 20, 2022

Nmap Basics Part 3

One of the most powerful aspects of nmap is the library of scripts written to extend its functionality. These scripts have an .nse extension, meaning they run in the Nmap Scripting Engine. The default location for nmap scripts on a Linux install is /usr/share/nmap/scripts, alongside the script.db index nmap uses to look them up by name and category.

Using them you can do a rather thorough vulnerability assessment with nothing more than nmap. Script names are prefixed with the protocol or service they target, such as http-, dns- or smb-, which makes them easy to search for or tab-complete in bash. A wildcard selects every script sharing a prefix: --script=http* (quote the glob, as in --script "http-*", so the shell doesn't expand it against files in the current directory). Separately from the name prefix, every script belongs to one or more categories such as default, safe, discovery, vuln and intrusive, and a bare category name selects all of them: --script vuln. To use one script, use --script=<script_name>. If the script takes any arguments, pass them as --script-args=<name=value,name2=value2>. After adding or removing scripts, run nmap --script-updatedb to rebuild the script.db index; note that this does not download new scripts, which arrive with nmap releases.
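The difference between a name glob and a category is easy to get wrong, so here is a small added example (not nmap's own code) that resolves --script selectors the way nmap does against a constructed inventory. The script bodies are stand-ins for the metadata header at the top of real .nse files; the script names other than http-title, dns-brute and smb-os-discovery are made up for the example.

```python
"""Resolve nmap --script selectors against a script directory.

Added example, not nmap's own code. The script bodies below are constructed
stand-ins for the metadata header found at the top of real .nse files; real
scripts declare `categories = {"...", ...}` as a Lua table in this form.
"""
import fnmatch
import re

# Constructed inventory: filename -> metadata excerpt (not real script content).
SAMPLE_SCRIPTS = {
    "http-title.nse":       'categories = {"default", "discovery", "safe"}',
    "http-vuln-sample.nse": 'categories = {"vuln", "intrusive"}',   # made-up name
    "dns-brute.nse":        'categories = {"intrusive", "discovery"}',
    "smb-os-discovery.nse": 'categories = {"default", "discovery", "safe"}',
}

_CATEGORIES_RE = re.compile(r'categories\s*=\s*\{([^}]*)\}')


def parse_categories(source):
    """Return the set of categories declared in an NSE script's source."""
    match = _CATEGORIES_RE.search(source)
    if not match:
        return set()
    return set(re.findall(r'"([^"]+)"', match.group(1)))


def select_scripts(scripts, selector):
    """Mimic how nmap resolves one --script selector.

    A selector containing a glob character matches script *filenames*
    (without the .nse suffix), so "http*" and "http-*" pick scripts by
    name prefix.  A bare word such as "vuln" or "safe" is a *category*
    and picks every script that lists it, whatever its name.
    """
    if any(ch in selector for ch in "*?["):
        return sorted(name for name in scripts
                      if fnmatch.fnmatchcase(name[:-len(".nse")], selector))
    return sorted(name for name in scripts
                  if selector in parse_categories(scripts[name]))


def resolve(scripts, expr):
    """Handle a comma-separated --script list such as "http*,dns-brute".

    An entry naming one script exactly (with or without .nse) is taken as-is;
    anything else goes through glob/category selection.
    """
    chosen = set()
    for sel in expr.split(","):
        sel = sel.strip()
        if sel in scripts:
            chosen.add(sel)
        elif sel + ".nse" in scripts:
            chosen.add(sel + ".nse")
        else:
            chosen.update(select_scripts(scripts, sel))
    return sorted(chosen)
```

Note that "safe" pulls in http-title and smb-os-discovery even though their names share no prefix, while "http*" pulls in the intrusive vuln script as well as the safe one; decide which of the two you mean before pointing the scan at production.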

Tuesday, March 1, 2022

Wireshark as a Teaching Tool

Wireshark is a nice tool for keeping your packet-dissecting knowledge fresh and finding things you didn't know were there. You can play with the colorization settings and click through the fields in the packet dump to see which bytes in the headers and payloads they correspond to. Below I have the start of the IP header selected, which shows us that the first nibble is the IP version field and the other half of the first byte is the Internet Header Length (IHL). We see the IP version is 4. Whatever value is in the second nibble, multiply it by four to get the number of bytes in the header, because the IHL counts 32-bit words. So a value of five means the header is twenty bytes, the minimum length of an IP header, which also means there are no IP options. IP options are (relatively) rare and almost always suspicious if not malicious, whereas TCP options are common, with things like padding (NOP), maximum segment size, window scaling and selective acknowledgment being represented. TCP uses the same trick: the data offset nibble in byte 12 of the TCP header, times four, gives the TCP header length, and anything beyond twenty bytes is options.
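To make the nibble arithmetic concrete, here is an added example (not from the original post and not Wireshark code) that decodes the version/IHL byte, flags the presence of IP options, verifies the header checksum, and applies the same data-offset rule to a TCP header. All three byte strings are constructed headers, not captured traffic.

```python
"""Decode the version/IHL nibble and the TCP data offset the post describes.

Added example, not from the original post or from Wireshark. The byte strings
are constructed headers, not captured traffic.
"""
import struct

# Constructed IPv4 header, IHL=5 (20 bytes, no options), protocol 17 (UDP),
# 192.168.0.1 -> 192.168.0.199, with a correct header checksum.
IP_NO_OPTIONS = bytes.fromhex(
    "45 00 00 73 00 00 40 00 40 11 b8 61 c0 a8 00 01 c0 a8 00 c7"
)
# Same header with IHL=6: a 4-byte Router Alert option (type 0x94) appended,
# checksum recomputed for the longer header.
IP_WITH_OPTIONS = bytes.fromhex(
    "46 00 00 77 00 00 40 00 40 11 23 59 c0 a8 00 01 c0 a8 00 c7 94 04 00 00"
)
# Constructed TCP SYN header, data offset 8 (32 bytes): MSS, NOP, NOP,
# SACK-permitted, NOP, window scale 7.
TCP_SYN = bytes.fromhex(
    "cc 1e 00 50 00 00 00 01 00 00 00 00 80 02 ff ff 00 00 00 00"
    "02 04 05 b4 01 01 04 02 01 03 03 07"
)


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw):
    """Split the first byte into version (high nibble) and IHL (low nibble);
    header length is IHL * 4 bytes, so anything over 20 bytes means options."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    version, ihl = raw[0] >> 4, raw[0] & 0x0F
    if version != 4:
        raise ValueError("not IPv4: version nibble is %d" % version)
    header_len = ihl * 4
    if header_len < 20:
        raise ValueError("IHL %d is below the legal minimum of 5" % ihl)
    if len(raw) < header_len:
        raise ValueError("header claims %d bytes, only %d present" % (header_len, len(raw)))
    total_len, = struct.unpack("!H", raw[2:4])
    stored_sum, = struct.unpack("!H", raw[10:12])
    zeroed = raw[:10] + b"\x00\x00" + raw[12:header_len]
    return {
        "version": version,
        "ihl": ihl,
        "header_len": header_len,
        "total_len": total_len,
        "protocol": raw[9],
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "options": raw[20:header_len],   # empty when IHL == 5
        "checksum_ok": ipv4_checksum(zeroed) == stored_sum,
    }


def parse_tcp_options(raw):
    """Same trick for TCP: the high nibble of byte 12 is the data offset in
    32-bit words, header length is offset * 4, and options follow byte 20.
    Returns (header_len, [option kinds in order])."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for a TCP header")
    data_offset = raw[12] >> 4
    header_len = data_offset * 4
    if header_len < 20 or len(raw) < header_len:
        raise ValueError("bad data offset %d" % data_offset)
    kinds, i = [], 20
    while i < header_len:
        kind = raw[i]
        kinds.append(kind)
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP: one byte, used as padding
            i += 1
            continue
        if i + 1 >= header_len or raw[i + 1] < 2:
            raise ValueError("malformed TCP option at offset %d" % i)
        i += raw[i + 1]          # kind, length, value...
    return header_len, kinds
```

The option kinds 2, 4 and 3 returned for the SYN are MSS, SACK-permitted and window scale, the ordinary contents of a modern SYN; the IP header with IHL 6, by contrast, is exactly the kind of packet the post says deserves a second look.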



Note: In my haste, I switched the value and multiplier in the second nibble when I originally posted this. Sorry..

Sunday, February 27, 2022

Nmap Basics Part 2



Targets

Nmap accepts a variety of target specifications. CIDR notation is supported, as in 12.30.2.0/24, which covers all 256 addresses from 12.30.2.0 through 12.30.2.255, network and broadcast addresses included.

You can also specify a range within an octet, like 12.30.2.1-64, and a range can appear in any octet, so 10.0.0-3.1-64 is valid too.

You can mix and match specifications, so 12.30.2.0/24 12.30.3.1-128 would be valid as well. 

You can also feed nmap a file of targets with -iL <file>, mixing IPs, CIDR blocks, ranges and hostnames.

Entries must be separated by spaces, tabs or newlines. I suggest the common one-entry-per-line format for easy readability, for anyone looking at the scan later and needing to see what the scope was.


nmap has six built-in timing templates, from paranoid (-T0) to insane (-T5). The default is -T3 (normal). Using -T4 (aggressive) should be acceptable if you have a fast, reliable network connection between you and the target.

-T0 and -T1 are very stealthy and therefore very, very slow: they send probes one at a time and wait between them (five minutes per probe at -T0, fifteen seconds at -T1). Seeing as most organizations don't have the bandwidth to even investigate port scanning, this level of IDS evasion probably isn't worth using. Running your scan through Tor is also usually effective unless the target has geo-blocking in place for whatever exit node you come from; bear in mind that Tor only carries TCP, so only a connect scan (-sT) with host discovery disabled (-Pn) actually goes through it. -T5 is almost certain to get you noticed and, unless your connection is very solid, runs the risk of dropped packets and missed ports.
