
Analysis of networks and their management is a necessary component of the field of information security and network administration. Linux provides a rich set of tools and resources to accomplish these tasks. It has powerful utilities that allow you to analyze network traffic, detect vulnerabilities, configure network settings, and much more. One of the key aspects of network analysis is the collection and analysis of packets. Linux provides tools such as tcpdump and Wireshark that allow you to capture and analyze network traffic. You will be able to identify potential threats, analyze protocols and determine the cause of network problems. Network management is also an important task for Linux users.
You can configure network settings, configure network interfaces, configure routing, and control access to network resources. Tools such as ifconfig, ip, iptables, and others allow powerful command-line network management. Linux Network Analysis and Management provides comprehensive information on various aspects of Linux network analysis and management. You will learn about networking basics, monitoring tools, traffic analysis tools, configuring network interfaces, configuring routing, and much more. In addition, we provide practical examples and tips for implementing these skills in real-world scenarios. Gain the skills you need to effectively analyze and manage networks in Linux. Network Analysis and Management in Linux is your key to successfully mastering these important skills. Start learning Linux network analysis and management today and become a master in the field.
The ifconfig command is one of the most basic tools for studying and interacting with active network interfaces. You can use it to query your active network connections by simply typing ifconfig in a terminal. Try it yourself and you’ll see a result similar to Listing 31.
kali >ifconfig
➊ eth0 Link encap:Ethernet HWaddr 00:0c:29:ba:82:0f
   ➋ inet addr:192.168.181.131 ➌ Bcast:192.168.181.255 ➍ Mask:255.255.255.0
snip
➎ lo Link encap:Local Loopback
   inet addr:127.0.0.1 Mask:255.0.0.0
snip
➏ wlan0 Link encap:Ethernet HWaddr 00:c0:ca:3f:ee:02

Listing 31: Using ifconfig to get network information
As you can see, the ifconfig command shows some useful information about the active network interfaces on the system. At the top of the output is the name of the first interface detected, eth0 ➊, short for Ethernet0 (Linux starts counting from 0, not 1). This is the first wired connection to the network. If there were more wired Ethernet interfaces, they would appear in the output in the same format (eth1, eth2, etc.).
Next is the type of network used (Ethernet), followed by HWaddr and an address; this is the globally unique address stamped on each piece of network equipment (in this case, a network interface card, or NIC), commonly referred to as a MAC address.
The second line contains information about the IP address currently assigned to this network interface (in this case, 192.168.181.131 ➋); Bcast ➌, or broadcast address, which is the address used to send information to all IP addresses on the subnet; and finally the netmask (Mask ➍), which is used to determine which part of the IP address identifies the local network. You’ll also find more technical information in this section of the output, but that’s beyond the scope of this section on Linux networking basics.
The next section of output shows another network connection called lo ➎, which is short for loopback address and is sometimes called localhost. This is a special software address that connects you to your own system. Software and services not running on your system cannot use it. You would use lo to test something on your system, such as your own web server. Localhost is usually represented by the IP address 127.0.0.1.
The third connection is the wlan0 interface ➏. This only appears if you have a wireless interface or adapter like I do here. Note that it also displays the MAC address of that device (HWaddr).
This information from ifconfig allows you to connect to and manipulate local area network (LAN) settings, an essential hacking skill.
If you have a wireless adapter, you can use the iwconfig command to collect important information for wireless hacking, such as the adapter’s IP address, its MAC address, operating mode, etc. The information you can get from this command is especially important when you use wireless cracking tools like aircrack-ng.
Using the terminal, let’s look at some wireless devices with iwconfig.
kali >iwconfig
wlan0 IEEE 802.11bg ESSID:off/any
      Mode:Managed Access Point: Not Associated TxPower=20 dBm
snip
lo no wireless extensions
eth0 no wireless extensions

Listing 32: Using iwconfig to get information on wireless adapters
The output here tells us that the only network interface with wireless extensions is wlan0, which is what we expect. Neither lo nor eth0 have wireless extensions.
For wlan0, we find out what 802.11 IEEE wireless standards our device is capable of: b and g, two early wireless standards. Most wireless devices now also include n (n is the latest standard).
We also learn from iwconfig the wireless extension mode (in this case, Mode:Managed, as opposed to monitor or promiscuous mode). We will need promiscuous mode to crack wireless passwords.
Next, we see that the wireless adapter is not connected (not associated) to the access point (AP) and that its power is 20 dBm, which represents the signal strength. We will spend more time on this information in Chapter 14.
Being able to change your IP address and other network information is a useful skill because it helps you gain access to other networks by appearing as a trusted device on those networks. For example, during a Denial of Service (DoS) attack, you can spoof your IP address to make the attack appear to originate from a different source, helping you evade capture of your IP address during forensic analysis. This is a relatively simple task in Linux and is done using the ifconfig command.
To change your IP address, type ifconfig, the interface you want to reassign, and the new IP address you want to assign to that interface. For example, to assign the IP address 192.168.181.115 to the eth0 interface, you would enter the following:
kali >ifconfig eth0 192.168.181.115
kali >
When you do it right, Linux will just return the command prompt and say nothing. This is a good thing! Then, when you check your network connections again with ifconfig, you should see that your IP address has changed to the new IP address you just assigned.
You can also change the netmask (netmask) and broadcast address using the ifconfig command. For example, if you want to assign the same eth0 interface with a netmask of 255.255.0.0 and a broadcast address of 192.168.1.255, you would enter the following:
kali >ifconfig eth0 192.168.181.115 netmask 255.255.0.0 broadcast 192.168.1.255
kali >
Again, if you did everything right, Linux responds with a new command prompt. Now type ifconfig again to make sure each of the parameters has been changed accordingly.
You can also use ifconfig to change the MAC address (or HWaddr). A MAC address is globally unique and is often used as a security measure to keep hackers out of networks or to trace them. Changing the MAC address to spoof another MAC address is almost trivial and neutralizes these security measures. As such, it is a very useful technique for bypassing network access controls.
To spoof your MAC address, simply use the down option of the ifconfig command to take down the interface (eth0 in this case). Then enter the ifconfig command followed by the interface name, hw (for hardware), ether (for Ethernet), and the new fake MAC address.
Finally, refresh the interface using the up option for the changes to take effect.
Here is an example:
kali >ifconfig eth0 down
kali >ifconfig eth0 hw ether 00:11:22:33:44:55
kali >ifconfig eth0 up
Now when you check your settings with ifconfig, you should see that the HWaddr has changed to your new spoofed MAC address!
Linux has a Dynamic Host Configuration Protocol (DHCP) server that runs a daemon—a process that runs in the background—called dhcpd, or the dhcp daemon. A DHCP server assigns IP addresses to all systems on a subnet and keeps log files of which IP address is assigned to which machine at any given time. This makes it a great resource for forensics analysts to track down hackers after an attack. For this reason, it is useful to understand how a DHCP server works.
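How a defender can use those DHCP logs against the MAC change shown earlier, as an added example that is not part of the original article: it parses DHCPACK lines in the ISC dhcpd syslog style and flags a hostname or IP address that was acknowledged for more than one MAC. The log lines, the gateway name gw, the second host and the function names are constructed assumptions; the two MAC addresses and the hostname kali are the ones used above.

```python
import re
from collections import defaultdict

# Constructed sample lines in ISC dhcpd syslog style; MACs and hostname reuse the values above.
SAMPLE_LOG = """\
Mar 13 09:14:02 gw dhcpd[812]: DHCPACK on 192.168.181.131 to 00:0c:29:ba:82:0f (kali) via eth0
Mar 13 09:20:41 gw dhcpd[812]: DHCPACK on 192.168.181.140 to 00:c0:ca:3f:ee:02 (laptop7) via eth0
Mar 13 10:02:17 gw dhcpd[812]: DHCPACK on 192.168.181.131 to 00:11:22:33:44:55 (kali) via eth0
Mar 13 10:30:55 gw dhcpd[812]: DHCPACK on 192.168.181.140 to 00:c0:ca:3f:ee:02 (laptop7) via eth0
"""

ACK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via ",
    re.IGNORECASE,
)

def parse_acks(log_text):
    """Return (timestamp, ip, mac, hostname) for every DHCPACK line."""
    out = []
    for line in log_text.splitlines():
        m = ACK.search(line)
        if m:
            out.append((m["ts"], m["ip"], m["mac"].lower(), m["host"] or ""))
    return out

def mac_changes(acks):
    """Flag hostnames and IPs that were acknowledged for more than one MAC."""
    by_host, by_ip = defaultdict(list), defaultdict(list)
    for _ts, ip, mac, host in acks:
        for key, table in ((host, by_host), (ip, by_ip)):
            if key and mac not in table[key]:
                table[key].append(mac)
    findings = []
    for kind, table in (("hostname", by_host), ("ip", by_ip)):
        for key, macs in sorted(table.items()):
            if len(macs) > 1:
                findings.append((kind, key, macs))
    return findings

def holder_of(acks, ip):
    """Most recent MAC acknowledged for an IP (log lines are in time order)."""
    held = [mac for _ts, addr, mac, _host in acks if addr == ip]
    return held[-1] if held else None
```

The hostname in a DHCPACK line is supplied by the client, so a host that also changes its name escapes the hostname check; the per-IP check still records the reassignment.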
Normally, to connect to the Internet from a local network, you must have a DHCP-assigned IP address. Therefore, after setting a static IP address, you must return and get a new DHCP-assigned IP address. You can always reboot your system to do this, but I’ll show you how to get a new DHCP-assigned address without having to shut down and reboot your system.
To request an IP address from DHCP, simply call the DHCP server with the dhclient command followed by the interface to which you want to assign an address. Different Linux distributions use different DHCP clients, but Kali is built on Debian, which uses dhclient.
Therefore, you can assign a new address as follows:
kali > dhclient eth0
The dhclient command sends a DHCPDISCOVER request from the specified network interface (here, eth0). It then receives an offer (DHCPOFFER) from the DHCP server (in this case 192.168.181.131) and confirms the IP assignment to the DHCP server with a DHCP request.
kali >ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:ba:82:0f
     inet addr:192.168.181.131 Bcast:192.168.181.131 Mask:255.255.255.0
Depending on the configuration of the DHCP server, the IP address assigned in each case may differ.
Now, when you type ifconfig, you should see that the DHCP server has assigned a new IP address, a new broadcast address, and a new netmask to your eth0 network interface.
Hackers can find a treasure trove of information about a target in their Domain Name System (DNS). DNS is a critical component of the Internet, and while it is designed to translate domain names to IP addresses, a hacker can use it to gather information about a target.
DNS is a service that translates a domain name, such as hackersarise.com, to a corresponding IP address; that way, your system knows how to get to it. Without DNS, we’d all have to remember thousands of IP addresses for our favorite websites—no small task, even for a savant.
One of the most useful commands for a novice hacker is dig, which provides a way to gather DNS information about a target domain. Cached DNS information can be a key piece of early intelligence to obtain before an attack. This information may include the IP address of the target’s name server (the server that translates the target’s name into an IP address), the target’s email server, and possibly any subdomains and IP addresses.
For example, type dig hackers-arise.com and add the ns parameter (short for nameserver).
The name server for hackersarise.com appears in the ANSWER SECTION of Listing 33.
kali >dig hackers-arise.com ns
snip
;; QUESTION SECTION:
;hackersarise.com. IN NS
;; ANSWER SECTION:
hackersarise.com. 5 IN NS ns7.wixdns.net.
hackersarise.com. 5 IN NS ns6.wixdns.net.
;; ADDITIONAL SECTION:
ns6.wixdns.net. 5 IN A 216.239.32.100
snip

Listing 33: Using dig and its ns option to get information on a domain nameserver
Also note in the ADDITIONAL section that this dig query reveals the IP address (216.239.32.100) of the DNS server serving hackersarise.com.
You can also use the dig command to get information about email servers connected to a domain by adding the mx parameter (mx is short for mail exchange server). This information is critical for attacks on email systems.
For example, information about www.hackersarise.com email servers appears in the AUTHORITY SECTION of Listing 34.
kali >dig hackers-arise.com mx
snip
;; QUESTION SECTION:
;hackersarise.com. IN MX
;; AUTHORITY SECTION:
hackersarise.com. 5 IN SOA ns6.wixdns.net. support.wix.com 2016052216 10800 3600 604800 3600
snip

Listing 34: Using dig and its mx option to get information on a domain mail exchange server
The most common Linux DNS server is Berkeley Internet Name Domain (BIND). In some cases, Linux users will refer to DNS as BIND, but don’t get confused: DNS and BIND both map individual domain names to IP addresses.
In some cases, you may need to use a different DNS server. To do this, you will edit a plaintext file named /etc/resolv.conf on the system. Open this file in a text editor; I use Leafpad. At the command line, enter the exact name of the editor followed by the file location and the file name.
Example:
kali >leafpad /etc/resolv.conf
This opens the resolv.conf file in the /etc directory in the specified graphical text editor, Leafpad.
The file should look something like Figure 31.
As you can see in line 3, my nameserver is set to the local DNS server at 192.168.181.2. This works fine, but if I want to add or replace this DNS server with, say, Google’s public DNS server at 8.8.8.8, I would add the following line to the /etc/resolv.conf file to specify the name server:
nameserver 8.8.8.8
Then I would just need to save the file. However, you can achieve the same result exclusively from the command line by entering the following:
kali >echo "nameserver 8.8.8.8" > /etc/resolv.conf
This command echoes the string nameserver 8.8.8.8 and redirects it (>) to the /etc/resolv.conf file, replacing the current contents. Your /etc/resolv.conf file should now look like Figure 32.
If you open the /etc/resolv.conf file now, you’ll see that it directs DNS queries to Google’s DNS server instead of your local DNS server. Your system will now access Google’s public DNS server to resolve domain names to IP addresses. This may mean that it takes a bit longer (probably milliseconds) to resolve domain names. So to keep the speed but still be able to use the public server, you can keep the local DNS server in the resolv.conf file and follow it with a public DNS server. The operating system queries each DNS server listed in the order it appears in /etc/resolv.conf, so the system will only refer to the public DNS server if the domain name cannot be found on the local DNS server.
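The difference between overwriting the file and keeping the local resolver first, as an added example that is not part of the original article: it parses resolv.conf text, labels each resolver against an approved list, and reports which resolvers a change removed or added. The function names and the approved list are assumptions; 192.168.181.2 and 8.8.8.8 are the addresses used above.

```python
import ipaddress

MAXNS = 3  # resolv.conf(5): at most three nameserver entries are used

# Constructed file contents based on the addresses in the text above.
LOCAL_ONLY = "nameserver 192.168.181.2\n"   # before the change
OVERWRITTEN = "nameserver 8.8.8.8\n"        # after: echo "nameserver 8.8.8.8" > /etc/resolv.conf
LOCAL_FIRST = """\
# local resolver first, public resolver second
nameserver 192.168.181.2
nameserver 8.8.8.8
"""

def nameservers(text):
    """Return nameserver addresses in file order, skipping comments and bad lines."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            try:
                found.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # second field is not an IP address
    return found

def audit(text, approved):
    """Label each resolver: approved, unapproved, or ignored (beyond MAXNS)."""
    report = []
    for position, addr in enumerate(nameservers(text)):
        if position >= MAXNS:
            status = "ignored"
        else:
            status = "approved" if addr in approved else "unapproved"
        report.append((addr, status))
    return report

def resolver_drift(before, after):
    """Return (removed, added) resolvers between two versions of the file."""
    old, new = nameservers(before), nameservers(after)
    return [a for a in old if a not in new], [a for a in new if a not in old]
```

Run against the two versions, resolver_drift shows that the single `>` redirect removed the local resolver entirely, which is the change a configuration-monitoring check would want to alert on.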
A special file on your system called the hosts file also performs domain name to IP address translation. The hosts file is located at /etc/hosts and, as with DNS, you can use it to specify your own IP address and domain name mapping. In other words, you can determine which IP address your browser goes to when you type www.microsoft.com (or any other domain) into the browser, rather than letting the DNS server decide. As a hacker, this can be useful for hijacking a TCP connection on your local network to direct traffic to a malicious web server using a tool like dnsspoof.
In the command line, enter the following command (you can substitute your preferred text editor for leafpad):
kali >leafpad /etc/hosts
You should now see a hosts file that looks something like Figure 33.
By default, the hosts file only contains a mapping for your localhost, at 127.0.0.1, and the hostname of your system (in this case, kali, at 127.0.1.1). But you can add any IP address mapped to any domain you want. As an example of how this could be used, you could map www.bankofamerica.com to your local website at 192.168.181.131.
127.0.0.1 localhost
127.0.1.1 kali
192.168.181.131 bankofamerica.com
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6localhost ip6loopback
ff02::1 ip6allnodes
ff02::2 ip6allrouters
Be sure to press the tab key between the IP address and the domain key, not the spacebar.
As you get more involved in your hacking endeavors and learn about tools like dnsspoof and Ettercap, you can use the hosts file to direct any traffic on your local network that visits www.bankofamerica.com to your web server at 192.168.181.131. Pretty easy, right?
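A check for the kind of hosts-file entry described above, as an added example that is not part of the original article: it parses hosts-file text and reports every domain name the file pins to an address, marking whether that address is local or external. The sample file is constructed from the one shown above (with an extra www alias), and the function names and the list of expected names are assumptions.

```python
import ipaddress

# Constructed sample modelled on the hosts file above; tabs and spaces are mixed on purpose.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost
127.0.1.1\tkali
192.168.181.131 bankofamerica.com www.bankofamerica.com
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

# Names a default Debian-style hosts file is expected to carry.
EXPECTED = {"localhost", "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

def parse_hosts(text):
    """Yield (line number, address, names). hosts(5) accepts blanks or tabs between fields."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield lineno, addr, [n.lower().rstrip(".") for n in fields[1:]]

def suspicious_overrides(text, own_hostnames=("kali",)):
    """Return (line, address, name, scope) for every domain name pinned in the file."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        local = addr.is_private or addr.is_loopback or addr.is_link_local
        for name in names:
            if name in EXPECTED or name in own_hostnames or "." not in name:
                continue  # expected entry or single-label host name
            findings.append((lineno, str(addr), name, "local" if local else "external"))
    return findings

if __name__ == "__main__":
    for line, addr, name, scope in suspicious_overrides(SAMPLE_HOSTS):
        print("hosts override: line %d maps %s -> %s (%s address)" % (line, name, addr, scope))
```

Any finding means name resolution for that domain bypasses DNS on this machine, so each one should be traceable to a known administrative change.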
Any hacker needs basic Linux networking skills to connect, analyze and manage networks. As you progress, these skills will become increasingly useful for spying, tampering, and connecting to target systems.
We used materials from the book “LINUX BASICS FOR HACKERS” written by William Pollock