Pre-Flight Checklist

Before any engagement, whether it be a CTF, penetration test or red team activity, it is important to run a pre-flight checklist. A pre-flight checklist is a set of information-gathering commands that help ascertain:

  • Who you are on the network.
  • Where you are on the network.
  • Basic information of how the network is structured.
  • What other devices are on the network.

Date

It’s always good practice to date your work.

date

date returns the system’s date and time, e.g.

Tue Aug 22 06:26:45 AM EDT 2023

Network Commands

You can use the ifconfig command to assign an address to a network interface and to configure or display the current network interface configuration information. 

ifconfig

This command tells you which interface you are connected to the network on, as well as your IP address and the network’s broadcast address.

Example Output

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.175  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::74ed:ccde:2e9a:29b  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:b1:9d:67  txqueuelen 1000  (Ethernet)
        RX packets 5  bytes 396 (396.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21  bytes 2728 (2.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 240 (240.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 240 (240.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

However, ifconfig is now deprecated, and it is advised to use the ip command instead.

The ip command is used to assign an address to a network interface and/or configure network interface parameters on Linux operating systems. 

To use the ip command you will need to supply it with an object (subcommand). For the pre-flight check, two are required.

ip r # short for "ip route": tells you your default route/gateway.
ip a # short for "ip addr": tells you your IP information.

Example Output

┌──(kali㉿kali)-[~]
└─$ ip r
default via 10.0.0.254 dev eth0 proto static metric 100 
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.175 metric 100 
                                                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:b1:9d:67 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.175/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::74ed:ccde:2e9a:29b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

From the output we can see that the IP address of the default route/gateway for the network connected via eth0 is 10.0.0.254.

From the output we can also see that my host machine’s IP address is 10.0.0.175.

DNS Commands

The /etc/resolv.conf file defines how the system uses DNS to resolve host names and IP addresses. This file usually contains a line specifying the search domains and up to three lines that specify the IP addresses of DNS servers. The following entries from /etc/resolv.conf configure two search domains and three DNS servers:

search us.mydomain.com mydomain.com
nameserver 192.168.154.3
nameserver 192.168.154.4
nameserver 10.216.106.3

If the system obtains its IP address from a DHCP server, it is usual for the system to populate this file with information also obtained via DHCP. We can use this to our advantage by simply cat-ing the resolv.conf file:

cat /etc/resolv.conf

This returns our resolv.conf file, containing the IP address(es) of the DNS server(s).

The nslookup command is a tool used for querying DNS (Domain Name System) servers to obtain information about domain names, IP addresses, and other DNS-related information.

For our purposes, we need to confirm that DNS is working, so we pass a hostname to resolve followed by the IP address of the DNS server to query.

For example:

nslookup openai.org 8.8.8.8

Server:  dns.google
Address:  8.8.8.8

Name:    openai.org
Addresses:  69.171.224.37
          69.171.224.13

By performing an nslookup query with a DNS server’s IP address, you’re essentially testing whether the DNS server responds and provides DNS information correctly. This can be a simple way to check if your DNS server is operational and capable of resolving domain names.

Pinging Default Gateway

To ensure that the default gateway is alive/accessible, ping the default gateway IP address.

ping DEFAULT_GATEWAY_ADDRESS

Example Output:

ping 143.117.204.1

Pinging 143.117.204.1 with 32 bytes of data:
Reply from 143.117.204.1: bytes=32 time=1ms TTL=255
Reply from 143.117.204.1: bytes=32 time<1ms TTL=255
Reply from 143.117.204.1: bytes=32 time<1ms TTL=255
Reply from 143.117.204.1: bytes=32 time=1ms TTL=255

Ping statistics for 143.117.204.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

Here we can see that the gateway 143.117.204.1 is alive.

An interesting tidbit about the ping command is that you can often tell the operating system (OS) of the device you’re pinging from the Time to Live (TTL) value:

Windows has an initial TTL value of 128 whilst Linux has an initial TTL value of 64. Each router hop between you and the target decrements the TTL by one, so the value you observe is the initial value minus the hop count; a TTL of 255, as in the example above, is typical of network devices such as routers.

NMap Ping Sweep

We will cover Nmap in more detail in a later post. For now, I will explain the most essential command(s) for this stage.

In order to ascertain what other devices are on the network, we will perform an NMap ping sweep.

nmap -sn 10.0.0.0/24 -oA Filename

The -sn flag tells Nmap to perform a “Ping Scan” only, also described as “No Port Scan”: hosts are discovered but their ports are not probed.

The -oA flag (output All) saves the scan results in three different formats simultaneously: normal, XML, and grepable.

However, some devices may have ICMP responses turned off, so it is also important to do a sanity check and run a SYN scan as well.

nmap -sS 10.0.0.0/24 --top-ports 50 --open -oA Filename

The -sS flag in Nmap stands for “SYN Scan”.

The --top-ports flag specifies how many of the most commonly used ports we want to scan. The higher the number, the more thorough, but the longer the scan.

The --open flag returns only open ports. We don’t care about closed ports.

Summary

It’s important to SAVE ALL OUTPUT(S) OF COMMANDS TO FILES, for accountability purposes.

# Pre-flight Checklist
# Verify System Date
date # Outputs the current system date and time.

# Network Commands
# Display Network Interface Information
ifconfig # Displays network interface configuration (deprecated; prefer ip).

# ip Command (Alternative to ifconfig)
ip r # Shows the default route/gateway.
ip a # Displays IP address information.

# DNS Commands
# View DNS Configuration
cat /etc/resolv.conf # Displays DNS server IP addresses.

# Test DNS Resolution
nslookup openai.org 8.8.8.8 # Resolves a hostname via the given DNS server.

# Pinging Default Gateway
ping DEFAULT_GATEWAY_ADDRESS # Pings the default gateway to check accessibility.

# NMap Ping Sweep
# Ping Sweep to Discover Active Hosts
nmap -sn 10.0.0.0/24 -oA Filename # Conducts a ping sweep to find active hosts.

# Sanity Check with SYN Scan
nmap -sS 10.0.0.0/24 --top-ports 50 --open -oA Filename # Uses a SYN scan to check for open ports.

# Note: Always save output for reference and accountability.
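Putting the checklist together, the following script is an added example (not part of the original post) that runs the commands above, saves every output to a dated directory as the summary recommends, derives the gateway and sweep range from the ip r output instead of hard-coding them, and classifies the ping TTL discussed earlier. The function names, the output directory layout, the TTL ranges and the embedded sample route output are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight helper that parses
# the command outputs shown above and saves every result to a dated directory.
# Parsers read from stdin so they also work on previously saved output files.

# Default gateway from `ip r` ("default via 10.0.0.254 dev eth0 ...").
gateway_from_route() { awk '$1 == "default" && $2 == "via" { print $3; exit }'; }

# Connected subnet from `ip r` ("10.0.0.0/24 dev eth0 proto kernel ..."),
# used as the nmap sweep target instead of a hard-coded range.
subnet_from_route() { awk '/proto kernel/ && $1 ~ /\// { print $1; exit }'; }

# First global IPv4 address from `ip a` ("inet 10.0.0.175/24 ... scope global").
host_ip_from_addr() { awk '$1 == "inet" && /scope global/ { sub(/\/.*/, "", $2); print $2; exit }'; }

# Nameserver addresses from /etc/resolv.conf, one per line.
nameservers_from_resolv() { awk '$1 == "nameserver" { print $2 }'; }

# Heuristic OS guess from an observed ping TTL: initial values are 64 (Linux/Unix),
# 128 (Windows) and 255 (many network devices), and every router hop subtracts one,
# so classify by range rather than exact match (assumes fewer than 64 hops).
os_from_ttl() {
    if [ "$1" -le 64 ]; then echo "linux/unix"
    elif [ "$1" -le 128 ]; then echo "windows"
    else echo "network-device"; fi
}

# Constructed sample of `ip r` output (matches the post's example) for offline use.
SAMPLE_ROUTE='default via 10.0.0.254 dev eth0 proto static metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.175 metric 100'

# Run the full checklist; every output is tee'd into $out for accountability.
# The SYN scan needs root, so invoke as: sudo sh preflight.sh run
run_preflight() {
    out="preflight-$(date +%Y%m%d-%H%M%S)"; mkdir -p "$out"
    date | tee "$out/date.txt"
    ip r | tee "$out/ip_route.txt"
    ip a | tee "$out/ip_addr.txt"
    cat /etc/resolv.conf | tee "$out/resolv.conf.txt"
    gw=$(gateway_from_route < "$out/ip_route.txt")
    net=$(subnet_from_route < "$out/ip_route.txt")
    ping -c 4 "$gw" | tee "$out/ping_gateway.txt"
    nmap -sn "$net" -oA "$out/ping_sweep" | tee "$out/ping_sweep.txt"
    nmap -sS "$net" --top-ports 50 --open -oA "$out/syn_top50" | tee "$out/syn_top50.txt"
}

if [ "${1:-}" = "run" ]; then run_preflight
else printf '%s\n' "$SAMPLE_ROUTE" | gateway_from_route   # prints 10.0.0.254
fi
```

Without the run argument the script only demonstrates the parser on the embedded sample, so it can be checked safely before being pointed at a live engagement network.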
