ipconfig / ip / ifconfig

Native commands to inspect and configure host network interfaces.

Tags: Network Recon & Monitoring · Built-in OS CLI · Practiced in lab · Windows · Linux · macOS

Description

The interface inspection family:

  • ipconfig (Windows) — IP, mask, gateway, DNS per adapter; ipconfig /all shows MAC and DHCP lease.
  • ip (modern Linux, from iproute2) — unified tool: ip addr, ip route, ip neigh, ip link.
  • ifconfig — legacy BSD/Linux/macOS, still common.

During DFIR these commands confirm the host's identity (IP, MAC) and its routing decisions, and help detect attacker-added secondary IPs or altered default routes.

Use cases

  • Documenting host identity at start of an incident
  • Spotting attacker-added IP aliases or routes
  • Verifying DHCP lease and DNS configuration

Example

ipconfig /all
ip addr show
ip route show
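As an added example (not part of the original card), a POSIX sh script that compares a baseline snapshot of `ip -brief addr show` and `ip route show` taken at the start of an incident against a later one, flagging added addresses and a changed default gateway. The snapshot text is constructed sample data and the function names are my own.

```shell
#!/bin/sh
# Constructed snapshots in the format of `ip -brief addr show` and `ip route show`
# (sample data, not captured from a real host). In practice the baseline is the
# output saved at incident start and the current snapshot a later re-run.
BASE_ADDR='lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             10.0.2.15/24 fe80::a00:27ff:fe4e:66a1/64'
CUR_ADDR='lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             10.0.2.15/24 10.0.2.99/24 fe80::a00:27ff:fe4e:66a1/64'
BASE_ROUTE='default via 10.0.2.2 dev eth0 proto dhcp metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15'
CUR_ROUTE='default via 10.0.2.66 dev eth0 metric 50
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15'

# Flatten `ip -brief addr` output into one "iface address" pair per line:
# column 1 is the interface, column 2 its state, every further column an address.
addr_pairs() {
    printf '%s\n' "$1" | awk '{ for (i = 3; i <= NF; i++) print $1, $i }'
}

# Print "iface address" pairs present in the current snapshot but not in the baseline.
new_addrs() {
    { addr_pairs "$1" | sed 's/^/B /'; addr_pairs "$2" | sed 's/^/C /'; } |
        awk '$1 == "B" { seen[$2 " " $3] = 1; next }
             $1 == "C" && !(($2 " " $3) in seen) { print $2, $3 }'
}

# Extract the next hop of the default route from `ip route show` output.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }'
}

# Report differences between baseline and current snapshots; returns 1 if anything changed.
compare_snapshots() {
    changed=0
    added=$(new_addrs "$1" "$2")
    if [ -n "$added" ]; then
        printf 'new address(es) since baseline:\n%s\n' "$added"
        changed=1
    fi
    base_gw=$(default_gw "$3"); cur_gw=$(default_gw "$4")
    if [ "$base_gw" != "$cur_gw" ]; then
        printf 'default gateway changed: %s -> %s\n' "$base_gw" "$cur_gw"
        changed=1
    fi
    return $changed
}

if compare_snapshots "$BASE_ADDR" "$CUR_ADDR" "$BASE_ROUTE" "$CUR_ROUTE"; then
    echo "no interface or default-route changes"
else
    echo "changes detected, review against change records"
fi
```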