We might sometimes need to manually configure the routes in the routing table. To get a better understanding of the capabilities of the ROUTE command, it's best to start with its documentation. Running the route command without any parameters prints its syntax and documentation, as can be seen from the screenshot and the examples below

Examples:
> route PRINT
> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
where the parameters above refer to
destination, mask, gateway, metric, interface
If IF is not given, it tries to find the best interface for a given gateway
> route PRINT
> route PRINT 157* .... Only prints those matching 157*
> route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2
CHANGE is used to modify gateway and/or metric only.
> route PRINT
> route DELETE 157.0.0.0
> route PRINT
To get started, we will print the current routing table

The output of the route PRINT command above first displays the list of interfaces present on the local system, along with the type and manufacturer of each interface. Below that, the Active and Persistent routes are listed. We can see that the IP address 123.236.4.217 is our local system's IP address and the IP address 123.236.4.1 is the default gateway
Let us add an active route to the list of routes. We type the command
route ADD 123.17.17.0 MASK 255.255.255.0 123.236.4.1 METRIC 33 IF 196610
Note: 196610 is the decimal form of the hex value 0x30002, which is the interface identifier of our Local Area Network
To verify that the route has been added with the dummy metric of 33, let's run a route PRINT

We see that the route has been added as can be viewed from the screenshot (red arrow)
The problem here is that when we reboot the PC, the route to the network 123.17.17.0 will not persist and will be removed. If we want the route to survive a reboot, we need to type in something like
route -p ADD 123.18.18.0 MASK 255.255.255.0 123.236.4.1 METRIC 44 IF 196610

The persistent route has been added (green arrow)
If we made an error and wanted to change the metric for this persistent route, we could run the command
route -p CHANGE 123.18.18.0 MASK 255.255.255.0 123.236.4.1 METRIC 55 IF 196610
The change in metric has been carried out below (yellow arrow)

To delete the persistent route we just added, we can run the command
route -p DELETE 123.18.18.0 MASK 255.255.255.0 123.236.4.1 METRIC 55 IF 196610
All symbolic names used for destination are looked up in the network database file NETWORKS. The symbolic names for gateway are looked up in the host name database file HOSTS
Let's take a better look at the default hosts file (the file doesn’t have an extension and needs to be opened in Notepad)
Location: C:\WINDOWS\system32\drivers\etc\hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ‘#’ symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
This file contains a list of all the hosts in the system. Let us add lines for a dummy host and a dummy gateway; the lines would look like
64.4.8.147 gotothebingwebsite
123.19.19.1 123dummygateway
To test if our newly added host is working, we can do a few things
1. Type the URL http://gotothebingwebsite in any browser and this should redirect us to the IP address 64.4.8.147 which is nothing but www.bing.com
2. Pinging the host gotothebingwebsite sends a ping to 64.4.8.147, as can be seen from the output below
C:\>ping gotothebingwebsite
Pinging gotothebingwebsite [64.4.8.147] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.4.8.147:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
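Because entries like the two added above change how names resolve on this machine, the hosts file is worth comparing against a known-good baseline. The following Python script is an added example, not part of the original article: it parses the format described in the file's own comments and reports mappings outside the baseline. The sample content, the baseline and the function names are constructed for illustration.

```python
import ipaddress

# Constructed hosts file: the default localhost entry, the two lines added in
# the article, and one malformed line to show how parse errors are reported.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
64.4.8.147      gotothebingwebsite
123.19.19.1     123dummygateway   # gateway alias
gotothebingwebsite 64.4.8.147
"""

# Assumed known-good baseline for this machine: only the default entry.
BASELINE = {("127.0.0.1", "localhost")}

def parse_hosts(text):
    """Return ([(ip, name), ...], [(line_no, raw_line), ...]) for valid and malformed lines."""
    entries, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not body:
            continue  # blank or comment-only line
        try:
            ip = str(ipaddress.ip_address(body[0]))  # first column must be an IP
        except ValueError:
            malformed.append((line_no, raw))
            continue
        if len(body) < 2:
            malformed.append((line_no, raw))  # address with no host name
            continue
        # Host names are case-insensitive; one line may carry several names.
        entries.extend((ip, name.lower()) for name in body[1:])
    return entries, malformed

def unexpected_entries(entries, baseline=BASELINE):
    """Mappings that are not part of the known-good baseline."""
    return [e for e in entries if e not in baseline]

if __name__ == "__main__":
    entries, malformed = parse_hosts(SAMPLE_HOSTS)
    for ip, name in unexpected_entries(entries):
        print(f"REVIEW  {name} -> {ip}")
    for line_no, raw in malformed:
        print(f"MALFORMED line {line_no}: {raw}")
```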
Similarly, let's look at the default networks file
C:\WINDOWS\system32\drivers\etc\networks
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This file contains network name/network number mappings for
# local networks. Network numbers are recognized in dotted decimal form.
#
# Format:
#
# <network name> <network number> [aliases...] [#<comment>]
#
# For example:
#
# loopback 127
# campus 284.122.107
# london 284.122.108

loopback 127
The networks file as of now only contains a single network which is the localhost network starting with network number 127. Let us add another network starting with network number 123.19.19.0
Let us take a scenario where all traffic destined for the 123.19.19.0 network should be routed to the gateway we created earlier, called 123dummygateway
To do that, we go back to the command prompt and type the command
C:\>route ADD 123.19.0.0 MASK 255.255.254.0 123dummygateway METRIC 7
Symbolic names are useful when adding many entries to the routing table, where the networks and IP addresses would otherwise have to be typed many times
We can also selectively print the output that we want instead of displaying the entire routing table. For example, the command below only displays routes starting with 123.18
route PRINT 123.18.*
Wildcards supported are * and ? where, the ‘*’ matches any string, and ‘?’ matches any one character
The last option is the -F option which is used to clear the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.
To summarize, we need to understand the route command and how its output is interpreted because it helps us identify entries that are not supposed to be there or that have been maliciously added to redirect traffic to specific interfaces. For example, if a malicious user is able to install a router/gateway with an IP address belonging to the same network that a company is running on, and then makes an entry in a PC’s routing table (via a shell script, etc.), the attacker can redirect traffic that is destined for another gateway to the gateway he runs. This creates a Man in the Middle (MIM) type attack in which all the traffic of the victim passes through the attacker's gateway. This can have security implications and also hamper performance.
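One way to put this review into practice, as an added example that is not part of the original article: the Python script below parses route PRINT output in the older layout used throughout this page and reports active or persistent routes whose gateway is not on an allow-list. The sample output, the gateway 123.236.4.66 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `route PRINT` output in the XP-style layout; not captured
# from a real host. 123.236.4.66 is a made-up gateway the baseline does not know.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      123.236.4.1   123.236.4.217      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      123.17.17.0    255.255.255.0      123.236.4.1   123.236.4.217      33
      123.20.20.0    255.255.255.0     123.236.4.66   123.236.4.217       1
      123.236.4.0    255.255.255.0    123.236.4.217   123.236.4.217      20
Default Gateway:       123.236.4.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      123.18.18.0    255.255.255.0      123.236.4.1      44
      123.21.21.0    255.255.255.0     123.236.4.66       1
"""

def parse_routes(text):
    """Return one dict per row of the Active and Persistent route sections."""
    routes, section = [], None
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            section = "active"
        elif line.startswith("Persistent Routes"):
            section = "persistent"
        fields = line.split()
        try:  # data rows begin with destination, netmask and gateway addresses
            dest, mask, gw = (str(ipaddress.IPv4Address(f)) for f in fields[:3])
        except ValueError:
            continue  # header, separator or summary line
        if section:
            routes.append({"section": section, "dest": dest, "mask": mask,
                           "gateway": gw, "metric": fields[-1]})
    return routes

def unexpected_gateways(routes, approved, local_addrs):
    """Routes whose gateway is not approved, local to this host, or loopback."""
    known = set(approved) | set(local_addrs) | {"127.0.0.1"}
    return [r for r in routes if r["gateway"] not in known]

if __name__ == "__main__":
    routes = parse_routes(SAMPLE)
    for r in unexpected_gateways(routes, {"123.236.4.1"}, {"123.236.4.217"}):
        print(f"REVIEW {r['section']:<10} {r['dest']}/{r['mask']} via {r['gateway']}")
```

Persistent rows deserve particular attention in the report, since those routes survive a reboot.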

I had forgotten about the ROUTE command, good refresher