1. “netstat” Command
The netstat command displays network status and protocol statistics: the status of
TCP and UDP endpoints in table format, routing table information, and interface
information.
Which data netstat shows depends on the command-line option selected. The displays
below are the most useful for system administration. The syntax for this form is:
netstat [-m] [-n] [-s] [-i | -r] [-f address family]
The most frequently used options for determining network status are -s, -r, and -i.
• The -s option displays per-protocol statistics for the UDP, TCP, ICMP, and IP protocols.
• The -i option shows the state of the network interfaces configured on the machine where you ran
the command.
• The -r option displays the IP routing table.
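The endpoint table is the part of netstat output an administrator reads most often, and it is easier to reason about once it is parsed into records. The following is an added example, not code from the original page: it parses a constructed sample of Windows-style `netstat -n` output (the sample is made up, not captured from a real host) and summarises TCP states, listening ports and which foreign hosts currently hold established sessions.

```python
"""Summarise netstat endpoint output (added example; sample data is constructed)."""
import re
from collections import Counter

# Constructed sample of `netstat -n` output in the Windows column layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:49702         203.0.113.10:443       ESTABLISHED
  TCP    10.0.0.5:49703         203.0.113.10:443       ESTABLISHED
  TCP    10.0.0.5:49710         198.51.100.7:4444      ESTABLISHED
  TCP    10.0.0.5:135           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49720         203.0.113.22:80        TIME_WAIT
  UDP    0.0.0.0:123            *:*
"""

# One endpoint line: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per endpoint line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "proto": m.group("proto"),
            "local": m.group("local"),
            "foreign": m.group("foreign"),
            "state": m.group("state") or "",
        })
    return rows


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals are not mangled."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def summarise(rows):
    """Count TCP states, established peers, and local listening ports."""
    states = Counter(r["state"] for r in rows if r["proto"] == "TCP")
    peers = Counter(split_endpoint(r["foreign"])[0] for r in rows
                    if r["proto"] == "TCP" and r["state"] == "ESTABLISHED")
    listening = sorted(split_endpoint(r["local"])[1] for r in rows
                       if r["state"] == "LISTENING")
    return {"states": dict(states), "peers": dict(peers), "listening_ports": listening}


if __name__ == "__main__":
    for key, value in summarise(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"{key}: {value}")
```

On a real host, feed the function the captured output of `netstat -n` instead of the constructed sample; a foreign host that appears with an unexpected number of established sessions, or a listening port nobody can account for, is the kind of entry worth a closer look.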
2. “arp” Command
The arp command is used to view, display, or modify the entries in the
ARP table/cache.
The ARP cache or table holds a dynamic list of the IP and MAC addresses of
the devices on the local network with which your computer has communicated
recently. The purpose of maintaining an ARP table is that when you want to
communicate with another device, your device does not need to send an ARP
request for that device's MAC address again.
The arp command also helps to find duplicate IP addresses and invalid
entries in the ARP table/cache.
Some arp commands are:
• arp -a: This command displays the ARP table entry for a particular IP address, or, with no
address given, all the entries of the ARP cache or table.
• arp -g: This command works the same as the arp -a command.
• arp -d: This command deletes an entry from the ARP table for a particular interface. To delete an
entry, run arp -d at a command prompt followed by the IP address of the entry you want to delete.
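Reading `arp -a` output by eye does not scale past a few dozen entries, so the check for duplicates and invalid entries mentioned above is worth automating. The following is an added example, not code from the original page: it parses a constructed Windows-style `arp -a` listing (made-up addresses) and reports entries with the all-zero MAC as invalid and any unicast MAC that claims more than one IP address as a duplicate, the usual symptom of an IP conflict or a poisoned cache. Broadcast and IPv4 multicast mappings are skipped because they legitimately share address patterns.

```python
"""Audit an ARP table listing for invalid and duplicate entries (added example)."""
import re
from collections import defaultdict

# Constructed sample of `arp -a` output; addresses are made up.
SAMPLE_ARP = """\
Interface: 10.0.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.7              00-11-22-33-44-55     dynamic
  10.0.0.9              00-00-00-00-00-00     static
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: dotted-quad IP, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(?P<type>\w+)\s*$"
)

ZERO_MAC = "00-00-00-00-00-00"
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"
IPV4_MULTICAST_PREFIX = "01-00-5e"   # IEEE OUI range used for IPv4 multicast


def parse_arp(text):
    """Return (ip, mac, type) tuples for every table row; header lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["type"]))
    return entries


def audit_arp(entries):
    """Return human-readable findings: invalid entries first, then duplicates."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, _type in entries:
        if mac == ZERO_MAC:
            findings.append(f"invalid entry: {ip} maps to the all-zero MAC")
            continue
        if mac == BROADCAST_MAC or mac.startswith(IPV4_MULTICAST_PREFIX):
            continue  # expected shared mappings, not a conflict
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"duplicate: MAC {mac} claimed by {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in audit_arp(parse_arp(SAMPLE_ARP)):
        print(finding)
```

A single MAC legitimately answering for two IPs does happen (a router with a secondary address, a host running a virtual IP), so treat a duplicate finding as a prompt to verify the device rather than as proof of a problem.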
3. “ping” Command
Ping is a command-line utility, available on virtually any operating system with network connectivity, that
acts as a test to see if a networked device is reachable.
The ping command sends a request over the network to a specific device. A successful ping results in a
response from the computer that was pinged back to the originating computer.
What does Ping stand for?
According to the author, the name Ping comes from sonar terminology. In sonar, a ping is an audible
sound wave sent out to find an object. If the sound hits the object, the sound waves will reflect, or echo,
back to the source. The distance and location of the object can be determined by measuring the time and
direction of the returning sound wave.
Similarly, the ping command sends out an echo request. If it finds the target system, the remote host
sends back an echo reply. The distance (number of hops) to the remote system can be determined from
the reply, as well as the conditions in-between (packet loss and time to respond). While the author of the
ping utility said the name of the program was simply based on the sound of sonar, others sometimes say
that Ping is an acronym for Packet InterNet Groper.
4. “pathping” Command
This command sends multiple echo Request messages to each
router between a source and destination, over a period of time,
and then computes results based on the packets returned from
each router. Because this command displays the degree of
packet loss at any given router or link, you can determine which
routers or subnets might be having network problems. Used
without parameters, this command displays help.
Note:-
• This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component
in the properties of a network adapter in Network Connections.
• Additionally, this command identifies which routers are on the path, the same as the tracert
command does. However, this command also sends pings periodically to all of the routers over a
specified time period and computes statistics based on the number returned from each.
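The statistics block that pathping prints has two loss columns per hop: "Source to Here" (cumulative) and "This Node/Link", with the link leading into each hop reported on a separate line ending in "|". The following is an added example, not code from the original page: it parses a constructed pathping report (made-up addresses and counts) into per-hop records and picks out the node or link that loses the most packets, which is how you locate the router or subnet the text says might be having problems.

```python
"""Locate the lossiest hop or link in a pathping report (added example)."""
import re

# Constructed sample of pathping output; addresses and counts are made up.
SAMPLE_PATHPING = """\
Tracing route to 10.10.0.50 over a maximum of 30 hops
  0  corp-pc [192.168.1.10]
  1  192.168.1.1
  2  10.10.0.1
  3  10.10.0.50

Computing statistics for 100 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           corp-pc [192.168.1.10]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.168.1.1
                               12/ 100 = 12%   |
  2   18ms    12/ 100 = 12%     0/ 100 =  0%  10.10.0.1
                                0/ 100 =  0%   |
  3   21ms    12/ 100 = 12%     0/ 100 =  0%  10.10.0.50

Trace complete.
"""

RATIO = r"(\d+)/\s*(\d+)\s*=\s*(\d+)%"            # lost/sent = pct
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d+)ms\s+" + RATIO + r"\s+" + RATIO + r"\s+(\S+)")
LINK_RE = re.compile(r"^\s+" + RATIO + r"\s+\|\s*$")   # the "|" line for the inbound link


def parse_pathping(text):
    """Return per-hop records; hop 0 (the source) has no RTT line and is omitted."""
    hops = []
    pending_link = None           # loss on the link leading to the next hop line
    for line in text.splitlines():
        lm = LINK_RE.match(line)
        if lm:
            pending_link = (int(lm[1]), int(lm[2]))
            continue
        hm = HOP_RE.match(line)
        if hm:
            hops.append({
                "hop": int(hm[1]),
                "rtt_ms": int(hm[2]),
                "address": hm[9],
                "end_to_end_loss": int(hm[3]) / int(hm[4]),
                "node_loss": int(hm[6]) / int(hm[7]),
                "link_loss": pending_link[0] / pending_link[1] if pending_link else 0.0,
            })
            pending_link = None
    return hops


def worst_segment(hops):
    """Return the hop whose own node or inbound link drops the largest share of packets."""
    return max(hops, key=lambda h: max(h["node_loss"], h["link_loss"]))


if __name__ == "__main__":
    hops = parse_pathping(SAMPLE_PATHPING)
    w = worst_segment(hops)
    print(f"hop {w['hop']} ({w['address']}): node loss {w['node_loss']:.0%}, "
          f"inbound link loss {w['link_loss']:.0%}")
```

In the constructed sample the cumulative column stays at 12% from hop 2 onward while every node column is 0%, so the loss sits on the link between hop 1 and hop 2, not on any router itself; reading the two columns together is what tells those cases apart.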
5. “tracert” Command
The Traceroute command (tracert) is a utility designed for
displaying the time it takes for a packet of information to travel
between a local computer and a destination IP address or
domain. After running a traceroute command, the results
displayed are a list of the 'hops' that data packets take along
their path to the designated IP address or domain. This
command is commonly associated with the troubleshooting of
connection issues.
6. “lookup” Command
Use the lookup command to enrich your source data with related
information that is in a lookup dataset. Field-value pairs in your
source data are matched with field-value pairs in a lookup dataset.
You can either append to or replace the values in the source data
with the values in the lookup dataset.
7. “nslookup” Command
The nslookup command queries internet domain name servers in
two modes. Interactive mode allows you to query name servers for
information about various hosts and domains, or to print a list of
the hosts in a domain. In noninteractive mode, the names and
requested information are printed for a specified host or domain.
8. “route” Command
The route command allows you to make manual entries into the network
routing tables. The route command distinguishes between routes to hosts
and routes to networks by interpreting the network address of
the Destination variable, which can be specified either by symbolic name
or numeric address. The route command resolves all symbolic names into
addresses, using either the /etc/hosts file or the network name server.
9. “hostname” Command
The /usr/bin/hostname command displays the name of the
current host system. Only users with root user authority can
set the host name. The mkdev command and
the chdev commands also set the host name permanently.
Use the mkdev command when you are defining the TCP/IP
instance for the first time.
10. “getmac” Command
getmac is a Windows command used to display the
Media Access Control (MAC) addresses for each
network adapter in the computer. These activities will
show you how to use the getmac command to
display MAC addresses.
11. “tasklist” Command
Displays a list of currently running processes on the local computer
or on a remote computer. Tasklist replaces the tlist tool.
12. “taskkill” Command
Ends one or more tasks or processes. Processes can be ended by process
ID or image name. You can use the tasklist command to determine the
process ID (PID) of the process to be ended.
Note:- This command replaces the kill tool.
13. “wmic” Command
The Windows Management Instrumentation (WMI) Command-Line Utility (WMIC) is a command-
line utility that allows users to perform WMI operations from a command prompt. WMI is an interface
providing a variety of Windows management functions. Applications and WMI scripts can be deployed
to automate administrative tasks on remote computers or interface with other Windows tools like
System Center Operations Manager (SCCM) or Windows Remote Management (WinRM).
Unfortunately for defenders, default WMIC logging is minimal and primarily runs directly in memory
without writing any files to disk. Due to WMI’s built-in capabilities and small forensic surface area,
attackers often weaponize WMI for all facets of the post-exploit attack chain.
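Because WMIC itself leaves little on disk, the practical defensive control is to log process creation with command lines (Windows Security event 4688 with command-line auditing enabled, or Sysmon event ID 1) and review every wmic.exe launch. The following is an added example, not code from the original page, of that review: it runs over a handful of constructed process-creation records (the `ProcEvent` shape and all values are made up for the example, not real telemetry), reports each wmic.exe execution, and raises the severity when the real `/node:` switch points the command at a host other than the local machine, since remote administration is the use the text describes and the one a defender most wants to account for.

```python
"""Triage wmic.exe launches from process-creation telemetry (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record; shape is constructed for this example."""
    image: str
    command_line: str
    parent_image: str
    user: str


# Constructed sample events; hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption",
              r"C:\Windows\System32\cmd.exe", "CORP\\admin1"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic /node:"fileserver01" /user:CORP\\svc process list brief',
              r"C:\Windows\System32\cmd.exe", "CORP\\admin1"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt",
              r"C:\Windows\explorer.exe", "CORP\\user7"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic /node:127.0.0.1 bios get serialnumber",
              r"C:\Windows\System32\cmd.exe", "CORP\\user7"),
]

NODE_RE = re.compile(r"/node:(?P<target>\S+)", re.IGNORECASE)
LOCAL_TARGETS = {"127.0.0.1", "localhost", "."}   # spellings that mean "this machine"


def classify_wmic(ev):
    """Return None for non-wmic processes, else (severity, reason)."""
    if not ev.image.lower().endswith("\\wmic.exe"):
        return None
    m = NODE_RE.search(ev.command_line)
    if m:
        target = m["target"].strip('"').lower()
        if target not in LOCAL_TARGETS:
            return ("high", f"wmic targeted remote host {target} as {ev.user} "
                            f"(parent {ev.parent_image})")
    return ("info", f"local wmic use by {ev.user}: {ev.command_line}")


def triage(events):
    """Return (index, severity, reason) for every wmic execution in the batch."""
    results = []
    for i, ev in enumerate(events):
        verdict = classify_wmic(ev)
        if verdict:
            results.append((i, verdict[0], verdict[1]))
    return results


if __name__ == "__main__":
    for idx, sev, reason in triage(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {reason}")
```

Tune the "info" tier against your own baseline: on a host where administrators never run WMIC interactively, even a local launch deserves a look, while on a management workstation the remote-target finding is the one that needs an owner.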