Posts tagged Troubleshooting

At first I thought this was a joke. You know dude please show me how to be l33t. But then after a little bit of clarification our junior admin Adam in PA is troubleshooting a connectivity issue across his VPN to a single server and intermittently the network. Adam wants to do so from the command line.

Now doesn’t that sound better already?

So we jump on a windows machine and hit the command prompt. Start – Run – ‘CMD’

Ping, Tracert, and Netstat are three commands I use on a daily basis. They help me pinpoint problems. When these tools are coupled with a sniffer log file or some sort of jump off point for your issue and a little old fashioned network admin know how.

In other words find the IP Address of the effected equipment. In this case Adam couldn’t get to a remote server over your VPN. He needs to find out the IP of the server, the VPN router and the default gateway on the other side. You know everything in between the equipment and the equipment itself. You should keep these addresses readily available in a excel or text file for easy referencing.

Now lets use ping to hit the server, or try to at least. From the command prompt we type:

‘ping servername’

We Get Back:
Ping request could not find host hostname. Please check the name and try again.

‘ping ip’

We Get Back:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for (ip):
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

tracert server name

We get back:
Tracing route to google.com [64.233.187.99]
over a maximum of 30 hops:

Hmmm its resolving the name to an address thats a good start. So we know DNS is still up.
Now we can see it is failing after the packets get into the remote network. Hmmm. Now we need to see if we can connect to a machine on that side of the VPN. I have a windows 2003 box there so I hit up

MSTC.exe to see if I can open a remote desktop to the machine.

Then boom I’m in. A little lag.

A lot of lag…Slow screen drawing and my processes are at 90%. This is very abnormal I usually let my machines idle around 5% and during heavy crunch time they are no higher than 69%. when they hit 70% its time to upgrade.

Next I was off to the command prompt on that server and Netstat -a and see hundreds of connections pending disconnecting. I terminate a few process running high with the TaskKill command and then use this technique to search the PC for all modified files in the last 48 hours.

What are these small text files? Scripts and folder upon folder in my ftp directories??!?

Shit we have been compromised.

I hit my McAfee EPO server and lock everything down on that side of the VPN. As a final precautionary measure I disable the NIC on the effected machine after dialing in through the modem and RAS.

Once I’m in I try to delete the directories and porn torrents in French.

Damn I hate the French!It feels like we are war. This is the second time in 4 years!

Some of the directories were fucked with and I could not delete the files normally using del.

Directories telling me that they are not empty files that show up – don’t exist???

Time to hit up RD /s or in a more extreme situation DELTREE.

I stop the Utorrent service using Net Stop and delete the application. I then find the executables downloaded on the machine to do their installs. This was in a folder called AMERICAN_SUCKS – very subtle eh?

I connect the machine back to the network watching the processes through task manager.

Mother flucker…. Another process pops up and spawns two more. TaskKill it – delete the files. Hit my user manager with AddUsers.exe to get a list… I can’t believe it they were able to add a local administrator! But after disabling him also from addusers I noticed that they couldn’t touch the domain.

I give thanks for the small things. I then deleted the user, emptied the recycle bin and killed the restore files.

I removed the “Locked Down” Status from my EPO and scanned the whole network.

Clean as a whistle. And now you have some new commands to play with. PING, TRACERT, NETSTAT, TSKill, AddUsers.exe, RD and DelTree.

In case you didn’t understand what they did in the above examples… Here it goes real simple like:

Ping (Hostname or IP Address) – hits the specified computers nic 5 times and returns the results. Use -t for continual pinging. Ping 192.168.1.1 -t

Test a network connection – if successful, ping returns the ip address.

Syntax  PING [options] destination_host

Options-w timeout     Timeout in milliseconds to wait for each reply.-i TTL         Time To Live.-v TOS         Type Of Service.-a             Resolve addresses to hostnames.-n count       Number of echo requests to send.-t             Ping the destination host until interrupted.-l size        Send buffer size.-f             Set Don't Fragment flag in packet.-r count       Record route for count hops.-s count       Timestamp for count hops.-j host_list   Loose source route along host_list.-k host_list   Strict source route along host_list.destination_host  The name of the remote host

Tracert (hostname or IP address) – shows you the path from a to b and the ping statistics along the way.

Syntax

      TRACERT [options] target_name

Keytarget_name     The HTTP or UNC name of the host

Options:-d             Do not resolve addresses to hostnames.               (avoids performing a DNS lookup)

-h max_hops    Maximum number of hops to search for target.(default=30)

-j host-list   Trace route along given host-list.               up to 9 hosts in dotted decimal notation, separated by spaces.

-w timeout     Wait timeout milliseconds for each reply.

Netstat When used with -a Shows what connections are opened, pending open or closing on your machine. Displays remote ip and local ip and status.

Display current TCP/IP network connections and protocol statistics.

SyntaxNETSTAT [options] [-p protocol] [interval]

Key-a   Display All connections and listening ports.-e   Display Ethernet statistics. (may be combined with -s)-n   Display addresses and port numbers in Numerical form.-r   Display the Routing table.-o   Display the Owning process ID associated with each connection.

-b   Display the exe involved in creating each connection or listening port.*-v   Verbose - use in conjunction with -b, to display the sequence of    components involved for all executables.

-p protocol    Show only connections for the protocol specified;    may be any of: TCP, UDP, TCPv6 or UDPv6.    If used with the -s option then the following protocols    may also be specified: IP, IPv6, ICMP,or ICMPv6.

-s   Display per-protocol statistics.  By default, statistics are    shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;    (The v6 protocols are not available under 2k and NT4)    The -p option may be used to display just a subset of these.

interval     Redisplay statistics, pausing interval seconds between            each display. (default=once only) Press CTRL+C to stop.

TaskKill – Kills a running task.

The syntax for the command is TSKILL processid | processname [/SERVER:servername] [/ID:sessionid | /A] [/V]

RD – Remove Directory

Delete folder(s)

Syntax  RD pathname  RD /S pathname  RD /S /Q pathname

Key/S  : Delete all files and subfolders     in addition to the folder itself.     Use this to remove an entire folder tree.

/Q  : Quiet - do not display YN confirmation

Place any long pathnames in double quotes.

RD does not support wildcards but you can remove several folders in one command by listing the pathname to each.

Deltree – Deletes a directory and all the files and subdirectories that are in it.

Syntax

DELTREE [/Y] [drive:]path [[drive:]path[...]]

Parameter

drive:pathSpecifies the name of the directory you want to delete. The DELTREEcommand will delete all the files contained in the directory youspecify, as well as all subdirectories and files in the subdirectoriessubordinate to this directory. You can specify more than one directory.

Switch

/YCarries out the DELTREE command without first prompting you to confirmthe deletion.

AddUsers.exe – Add or remove workgroup or domain users.

DDUSERS – Automate the creation of a large number of users

Syntax

Create Users:        AddUsers /c filename [/s:x] [/?] Domain Password_optionsDump to file:        AddUsers /d{:u} filename [/s:x] [/?] Domain Password_optionsErase Users:        AddUsers /e filename [/s:x] [/?] Domain Password_optionskey

_TheCommandLineAdmiN_