Objective 3.2

Question 1

What is the primary function of the ping command?

Answer 1

ping is used to test the reachability of a host on an IP network.

It sends ICMP (Internet Control Message Protocol) “echo request” packets to a target host and waits for an ICMP “echo reply”.

On the Job: This is your fundamental “Is it on? Can I reach it?” tool.

It provides four key pieces of information:

1. Success/Failure: Whether the remote host is reachable.
2. Round-Trip Time (RTT): How long the request/reply took (measures latency).
3. TTL (Time to Live): Gives a rough idea of how many router hops are between you and the target.
4. Packet Loss: If some packets don’t return, it indicates a problem on the path.

Question 2

What do the ping options -t, -n, -f, and -l do in Windows?

Answer 2

• -t: “Ping continuously” until stopped with Ctrl+C. Useful for monitoring a connection over time.
• -n count: Specifies the number of echo requests to send (default is 4).
• -f: “Set Don’t Fragment flag” in the packet. This can be used to discover the MTU (Maximum Transmission Unit) of a path.
• -l size: “Set buffer size” of the packet. This allows you to send a larger or smaller packet than the default.

Question 3

What is the purpose of the tracert (Windows) or traceroute (Linux/macOS) command?

Answer 3

These commands map the path a packet takes through the network from your computer to a destination host.

It lists all the routers (hops) in between and measures the latency to each hop.

On the Job: When ping fails or is slow, tracert/traceroute is your next step.

It tells you where the connection is failing or slowing down.

If the trace stops at a particular router, you’ve found the source of the problem.

Question 4

What is the function of the nslookup and dig commands?

Answer 4

Both are command-line tools used to query the Domain Name System (DNS) to resolve hostnames to IP addresses and vice-versa.

• nslookup: Available on both Windows and Linux, but considered older or “deprecated” on Linux.
• dig (Domain Information Groper): The preferred, more powerful tool on Linux/macOS. Provides more detailed output.

On the Job: When you can ping an IP address (e.g., 8.8.8.8) but not a domain name (e.g., google.com), it points to a DNS problem.

You use these tools to check if the DNS server is working and returning the correct records (A, AAAA, MX, CNAME, etc.).

Question 5

What are the ipconfig, ifconfig, and ip commands used for?

Answer 5

These commands are used to view and manage the IP configuration of a host’s network interfaces.

• ipconfig (Windows): Displays the IP address, subnet mask, and default gateway. Use ipconfig /all for more detail, including MAC address and DNS servers. Use ipconfig /release and /renew to get a new IP from DHCP.
• ifconfig (older Linux/macOS): Displays and configures network interface details.
• ip (modern Linux): The current standard for showing and manipulating routing, devices, and interfaces. E.g., ip addr show.

Question 6

What is the purpose of the arp command?

Answer 6

The arp command is used to view and manipulate the** Address Resolution Protocol (ARP) cache**.

This cache maps known IP addresses (Layer 3) to their corresponding MAC addresses (Layer 2) for devices on the local network segment.

On the Job: If two devices on the same subnet can’t communicate despite correct IP settings, you can check the ARP cache with arp -a.

A missing or incorrect entry can indicate a connectivity problem.

This is a crucial tool for troubleshooting local network issues.

Question 7

What information does the netstat command provide?

Answer 7

netstat (network statistics) is a command-line tool that displays active network connections (both incoming and outgoing), routing tables, listening ports, and network interface statistics.

On the Job: As a SOC analyst, netstat -ano (on Windows) is invaluable.

It shows you all connections and listening ports (-a), displays addresses and port numbers numerically (-n), and shows the process ID (-o) responsible for each connection.

This is critical for finding malware or unauthorized services running on a machine.

Question 8

What is the function of the route command?

Answer 8

The route command is used to view and manipulate the local IP routing table on a host.

You can use route print (Windows) or route -n (Linux) to see exactly where your computer will send packets destined for different networks.

On the Job: While most hosts have a simple routing table (send everything to the default gateway), this command is essential for diagnosing complex routing issues on hosts with multiple network cards or VPN connections.

You can see if traffic is being sent down the wrong path.

Question 9

Compare and contrast telnet and ssh.

Answer 9

Both are protocols used for remote command-line access to a device.

• telnet: Insecure. Transmits all data, including usernames and passwords, in clear text.
• ssh (Secure Shell): Secure. Encrypts the entire session, protecting credentials and data from eavesdropping.

On the Job: You should never manage a device with Telnet. It is a massive security risk.

However, the telnet client is still sometimes used as a quick and easy tool to test if a specific TCP port is open on a remote server (e.g., telnet webserver.com 80).

SSH is the standard for all remote administration.

Question 10

What is nmap?

Answer 10

nmap (Network Mapper) is an extremely powerful, open-source command-line tool for network exploration and security auditing.

On the Job: Nmap is a cornerstone tool for both network administrators and security professionals (including ethical hackers).

Its primary uses for the exam include:

• Host Discovery: Finding live hosts on a network.
• Port Scanning: Identifying open TCP and UDP ports on those hosts.
• Service & Version Detection: Determining what software and version is running on an open port.
• OS Detection: Attempting to identify the operating system of the target host.

Question 11

What is the general purpose of a “network scanner”?

Answer 11

A network scanner is a tool designed to automatically discover all active devices on a network and gather information about them.

They are used to create an inventory of network assets and identify potential security vulnerabilities.

On the Job: Network scanners (like Nmap or commercial tools like Nessus) are used to perform vulnerability assessments.

As a SOC analyst, you would review scan reports to identify systems with open, vulnerable ports or unpatched software that an attacker could exploit.