At first I thought this was a joke. You know dude please show me how to be l33t. But then after a little bit of clarification our junior admin Adam in PA is troubleshooting a connectivity issue across his VPN to a single server and intermittently the network. Adam wants to do so from the command line.
Now doesn't that sound better already?
So we jump on a windows machine and hit the command prompt. Start - Run - 'CMD'
Ping, Tracert, and Netstat are three commands I use on a daily basis. They help me pinpoint problems. When these tools are coupled with a sniffer log file or some sort of jump off point for your issue and a little old fashioned network admin know how.
In other words find the IP Address of the effected equipment. In this case Adam couldn't get to a remote server over your VPN. He needs to find out the IP of the server, the VPN router and the default gateway on the other side. You know everything in between the equipment and the equipment itself. You should keep these addresses readily available in a excel or text file for easy referencing.
Now lets use ping to hit the server, or try to at least. From the command prompt we type:
'ping servername'
We Get Back:
Ping request could not find host hostname. Please check the name and try again.
'ping ip'
We Get Back:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for (ip):
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
tracert server name
We get back:
Tracing route to google.com [64.233.187.99]
over a maximum of 30 hops:
Hmmm its resolving the name to an address thats a good start. So we know DNS is still up.
Now we can see it is failing after the packets get into the remote network. Hmmm. Now we need to see if we can connect to a machine on that side of the VPN. I have a windows 2003 box there so I hit up
MSTC.exe to see if I can open a remote desktop to the machine.
Then boom I'm in. A little lag.
A lot of lag...Slow screen drawing and my processes are at 90%. This is very abnormal I usually let my machines idle around 5% and during heavy crunch time they are no higher than 69%. when they hit 70% its time to upgrade.
Next I was off to the command prompt on that server and Netstat -a and see hundreds of connections pending disconnecting. I terminate a few process running high with the TaskKill command and then use this technique to search the PC for all modified files in the last 48 hours.
What are these small text files? Scripts and folder upon folder in my ftp directories??!?
Shit we have been compromised.
I hit my McAfee EPO server and lock everything down on that side of the VPN. As a final precautionary measure I disable the NIC on the effected machine after dialing in through the modem and RAS.
Once I'm in I try to delete the directories and porn torrents in French.
Damn I hate the French!It feels like we are war. This is the second time in 4 years!
Some of the directories were fucked with and I could not delete the files normally using del.
Directories telling me that they are not empty files that show up - don't exist???
Time to hit up RD /s or in a more extreme situation DELTREE.
I stop the Utorrent service using Net Stop and delete the application. I then find the executables downloaded on the machine to do their installs. This was in a folder called AMERICAN_SUCKS - very subtle eh?
I connect the machine back to the network watching the processes through task manager.
Mother flucker.... Another process pops up and spawns two more. TaskKill it - delete the files. Hit my user manager with AddUsers.exe to get a list... I can't believe it they were able to add a local administrator! But after disabling him also from addusers I noticed that they couldn't touch the domain.
I give thanks for the small things. I then deleted the user, emptied the recycle bin and killed the restore files.
I removed the "Locked Down" Status from my EPO and scanned the whole network.
Clean as a whistle. And now you have some new commands to play with. PING, TRACERT, NETSTAT, TSKill, AddUsers.exe, RD and DelTree.
In case you didn't understand what they did in the above examples... Here it goes real simple like:
Ping (Hostname or IP Address) - hits the specified computers nic 5 times and returns the results. Use -t for continual pinging. Ping 192.168.1.1 -t
Test a network connection - if successful, ping returns the ip address.
Syntax
PING [options] destination_host
Options
-w timeout Timeout in milliseconds to wait for each reply.
-i TTL Time To Live.
-v TOS Type Of Service.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-t Ping the destination host until interrupted.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host_list Loose source route along host_list.
-k host_list Strict source route along host_list.
destination_host The name of the remote host
Tracert (hostname or IP address) - shows you the path from a to b and the ping statistics along the way.
Syntax
TRACERT [options] target_name
Key
target_name The HTTP or UNC name of the host
Options:
-d Do not resolve addresses to hostnames.
(avoids performing a DNS lookup)
-h max_hops Maximum number of hops to search for target.(default=30)
-j host-list Trace route along given host-list.
up to 9 hosts in dotted decimal notation, separated by spaces.
-w timeout Wait timeout milliseconds for each reply.
Netstat When used with -a Shows what connections are opened, pending open or closing on your machine. Displays remote ip and local ip and status.
Display current TCP/IP network connections and protocol statistics.
Syntax
NETSTAT [options] [-p protocol] [interval]
Key
-a Display All connections and listening ports.
-e Display Ethernet statistics. (may be combined with -s)
-n Display addresses and port numbers in Numerical form.
-r Display the Routing table.
-o Display the Owning process ID associated with each connection.
-b Display the exe involved in creating each connection or listening port.*
-v Verbose - use in conjunction with -b, to display the sequence of
components involved for all executables.
-p protocol
Show only connections for the protocol specified;
may be any of: TCP, UDP, TCPv6 or UDPv6.
If used with the -s option then the following protocols
may also be specified: IP, IPv6, ICMP,or ICMPv6.
-s Display per-protocol statistics. By default, statistics are
shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
(The v6 protocols are not available under 2k and NT4)
The -p option may be used to display just a subset of these.
interval Redisplay statistics, pausing interval seconds between
each display. (default=once only) Press CTRL+C to stop.
TaskKill - Kills a running task.
The syntax for the command is
TSKILL processid | processname [/SERVER:servername] [/ID:sessionid | /A] [/V]RD - Remove Directory
Delete folder(s)
SyntaxPlace any long pathnames in double quotes.
RD pathname
RD /S pathname
RD /S /Q pathname
Key
/S : Delete all files and subfolders
in addition to the folder itself.
Use this to remove an entire folder tree.
/Q : Quiet - do not display YN confirmation
RD does not support wildcards but you can remove several folders in one command by listing the pathname to each.
Deltree - Deletes a directory and all the files and subdirectories that are in it.
SyntaxAddUsers.exe - Add or remove workgroup or domain users.
DELTREE [/Y] [drive:]path [[drive:]path[...]]
Parameter
drive:path
Specifies the name of the directory you want to delete. The DELTREE
command will delete all the files contained in the directory you
specify, as well as all subdirectories and files in the subdirectories
subordinate to this directory. You can specify more than one directory.
Switch
/Y
Carries out the DELTREE command without first prompting you to confirm
the deletion.
DDUSERS - Automate the creation of a large number of users
Syntax
Create Users:
AddUsers /c filename [/s:x] [/?] Domain Password_options
Dump to file:
AddUsers /d{:u} filename [/s:x] [/?] Domain Password_options
Erase Users:
AddUsers /e filename [/s:x] [/?] Domain Password_options
key
the command line!
