Network Analysis

Identify Private IP addresses

• Reserved ranges are defined in RFC 1918 for use in private networks.

• These addresses are not routable on the public internet.

• A quick way to recognize private IPv4 addresses is to just look at the first octets:

10.x.x.x	Large private networks
172.16 – 172.31.x.x	Medium-sized networks
192.168.x.x	Home/small office networks

ip

Bring interface up

sudo ip link set eth0 up

Display the Routing Table

ip route show

Add a route

sudo ip route add 192.168.2.0/24 via 192.168.1.254

Delete a Route

sudo ip route del 192.168.2.0/24

Add a Default Gateway

sudo ip route add default via 192.168.1.1

Use lft to trace hops in the network

sudo lft <IP:PORT>

• If you suspect that there is a VM or docker being hosted in a different port you can use lft and check if there are differences in the results.

Find the processes associated with a port

lsof -i -n -P <port_number>

Shows TCP open connections in the Listen state

lsof -wnP -iTCP -sTCP:LISTEN

Listening ports & services

ss -tuln

Listening ports + PID

ss -tulnp | grep PID

TTL Values and OS Fingerprinting

The TTL value in the ping response is a starting value decremented by one for each hop the packet takes; Values differ between operating systems:

• Linux/Unix -> 64

• Windows -> 128

• Cisco -> 255

ping -c 4 example.com

• It sends ICMP Echo Request packets to a target and waits for ICMP Echo Reply packets in return.

Output Example

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.123 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.120 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.122 ms

• TTL (Time to Live): The maximum number of hops a packet can traverse before being discarded.

• Time: The round-trip time (RTT) for the packet to reach the destination and return.

Trace the network path

traceroute example.com