3
ANALYZING AND MANAGING NETWORKS


Understanding networking is crucial for any aspiring hacker. In many situations, you’ll be hacking something over a network, and a good hacker needs to know how to connect to and interact with that network. For example, you may need to connect to a computer with your Internet Protocol (IP) address hidden from view, or you may need to redirect a target’s Domain Name System (DNS) queries to your system; these kinds of tasks are relatively simple but require a little Linux network know-how. This chapter shows you some essential Linux tools for analyzing and managing networks during your network-hacking adventures.

Analyzing Networks with ifconfig

The ifconfig command is one of the most basic tools for examining and interacting with active network interfaces. You can use it to query your active network connections by simply entering ifconfig in the terminal. Try it yourself, and you should see output similar to Listing 3-1.

kali >ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ba:82:0f
          inet addr:192.168.181.131  Bcast:192.168.181.255  Mask:255.255.255.0
--snip--
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
--snip--
wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:3f:ee:02

Listing 3-1: Using ifconfig to get network information

As you can see, the command ifconfig shows some useful information about the active network interfaces on the system. At the top of the output is the name of the first detected interface, eth0, which is short for Ethernet0 (Linux starts counting at 0 rather than 1). This is the first wired network connection. If there were more wired Ethernet interfaces, they would show up in the output using the same format (eth1, eth2, and so on).

The type of network being used (Ethernet) is listed next, followed by HWaddr and an address; this is the globally unique address stamped on every piece of network hardware—in this case, the network interface card (NIC), usually referred to as the media access control (MAC) address.

The second line contains information on the IP address currently assigned to that network interface (in this case, 192.168.181.131); the Bcast, or broadcast address, which is the address used to send out information to all IPs on the subnet; and finally the network mask (Mask), which is used to determine what part of the IP address is connected to the local network. You’ll also find more technical info in this section of the output, but it’s beyond the scope of this Linux networking basics chapter.

The next section of the output shows another network connection called lo, which is short for loopback address and is sometimes called localhost. This is a special software address that connects you to your own system. Software and services not running on your system can’t use it. You would use lo to test something on your system, such as your own web server. The localhost is generally represented with the IP address 127.0.0.1.

The third connection is the interface wlan0. This appears only if you have a wireless interface or adapter, as I do here. Note that it also displays the MAC address of that device (HWaddr).

This information from ifconfig enables you to connect to and manipulate your local area network (LAN) settings, an essential skill for hacking.

Checking Wireless Network Devices with iwconfig

If you have a wireless adapter, you can use the iwconfig command to gather crucial information for wireless hacking such as the adapter’s IP address, its MAC address, what mode it’s in, and more. The information you can glean from this command is particularly important when you’re using wireless hacking tools like aircrack-ng.

Using the terminal, let’s take a look at some wireless devices with iwconfig (see Listing 3-2).

kali >iwconfig
wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not Associated Tx-Power=20 dBm
--snip--
lo    no wireless extensions

eth0  no wireless extensions

Listing 3-2: Using iwconfig to get information on wireless adapters

The output here tells us that the only network interface with wireless extensions is wlan0, which is what we would expect. Neither lo nor eth0 has any wireless extensions.

For wlan0, we learn what 802.11 IEEE wireless standards our device is capable of: b and g, two early wireless communication standards. Most wireless devices now include n as well (n is the latest standard).

We also learn from iwconfig the mode of the wireless extension (in this case, Mode:Managed, in contrast to monitor or promiscuous mode). We’ll need promiscuous mode for cracking wireless passwords.

Next, we can see that the wireless adapter is not connected (Not Associated) to an access point (AP) and that its transmit power (Tx-Power) is 20 dBm, which represents the strength of the signal it sends. We’ll spend more time with this information in Chapter 14.

Changing Your Network Information

Being able to change your IP address and other network information is a useful skill because it will help you access other networks while appearing as a trusted device on those networks. For example, in a denial-of-service (DoS) attack, you can spoof your IP so that the attack appears to come from another source, thus helping you evade IP capture during forensic analysis. This is a relatively simple task in Linux, and it’s done with the ifconfig command.

Changing Your IP Address

To change your IP address, enter ifconfig followed by the interface you want to reassign and the new IP address you want assigned to that interface. For example, to assign the IP address 192.168.181.115 to interface eth0, you would enter the following:

kali >ifconfig eth0 192.168.181.115
kali >

When you do this correctly, Linux will simply return the command prompt and say nothing. This is a good thing!

Then, when you again check your network connections with ifconfig, you should see that your IP address has changed to the new IP address you just assigned.

Changing Your Network Mask and Broadcast Address

You can also change your network mask (netmask) and broadcast address with the ifconfig command. For instance, if you want to assign that same eth0 interface with a netmask of 255.255.0.0 and a broadcast address of 192.168.1.255, you would enter the following:

kali >ifconfig eth0 192.168.181.115 netmask 255.255.0.0 broadcast 192.168.1.255
kali >

Once again, if you’ve done everything correctly, Linux responds with a new command prompt. Now enter ifconfig again to verify that each of the parameters has been changed accordingly.
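Here is an added example (my own code, not from the book) that shows what ifconfig is reporting and what the values you hand it mean: a small Python parser for output in the Listing 3-1 format, plus a check that a configured broadcast address agrees with the one the IP address and netmask imply. The interface text is constructed to mirror Listing 3-1, and the checked values are the ones entered in the two sections above.

```python
import ipaddress
import re

# Constructed interface text modelled on Listing 3-1 (not a real capture).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ba:82:0f
          inet addr:192.168.181.131  Bcast:192.168.181.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:3f:ee:02
"""

# The four fields the chapter walks through, in the order ifconfig prints them.
FIELD = re.compile(r"(HWaddr|inet addr:|Bcast:|Mask:)\s*(\S+)")
NAMES = {"HWaddr": "mac", "inet addr:": "ip", "Bcast:": "bcast", "Mask:": "mask"}

def parse_ifconfig(text):
    """Return {iface: {'mac':..., 'ip':..., 'bcast':..., 'mask':...}}.
    A key is present only if that interface printed the field."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = new interface
            current = line.split()[0]
            ifaces[current] = {}
        if current is not None:
            for key, value in FIELD.findall(line):
                ifaces[current][NAMES[key]] = value
    return ifaces

def derive(ip, mask):
    """Network and broadcast addresses implied by an IP and its netmask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def broadcast_matches(ip, mask, bcast):
    """True if a configured broadcast address is the one the mask implies;
    a mismatch means broadcasts will not reach the rest of the subnet."""
    return derive(ip, mask)[1] == bcast

if __name__ == "__main__":
    for name, fields in parse_ifconfig(SAMPLE_IFCONFIG).items():
        print(name, fields)
    # The values given to ifconfig in the section above, checked for consistency.
    print(derive("192.168.181.115", "255.255.0.0"))
    print(broadcast_matches("192.168.181.115", "255.255.0.0", "192.168.1.255"))
```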

Spoofing Your MAC Address

You can also use ifconfig to change your MAC address (or HWaddr). The MAC address is globally unique and is often used as a security measure to keep hackers out of networks—or to trace them. Changing your MAC address to spoof a different MAC address is almost trivial and neutralizes those security measures. Thus, it’s a very useful technique for bypassing network access controls.

To spoof your MAC address, first use the ifconfig command’s down option to take down the interface (eth0 in this case). Then enter the ifconfig command followed by the interface name, the keywords hw ether (hw for hardware, ether for Ethernet), and the new spoofed MAC address. Finally, bring the interface back up with the up option for the change to take effect. Here’s an example:

kali >ifconfig eth0 down
kali >ifconfig eth0 hw ether 00:11:22:33:44:55
kali >ifconfig eth0 up

Now, when you check your settings with ifconfig, you should see that HWaddr has changed to your new spoofed MAC address!

Assigning New IP Addresses from the DHCP Server

Linux has a Dynamic Host Configuration Protocol (DHCP) server that runs a daemon—a process that runs in the background—called dhcpd, or the dhcp daemon. The DHCP server assigns IP addresses to all the systems on the subnet and keeps log files of which IP address is allocated to which machine at any one time. This makes it a great resource for forensic analysts to trace hackers with after an attack. For that reason, it’s useful to understand how the DHCP server works.

Usually, to connect to the internet from a LAN, you must have a DHCP-assigned IP. Therefore, after setting a static IP address, you must return and get a new DHCP-assigned IP address. To do this, you can always reboot your system, but I’ll show you how to retrieve a new DHCP-assigned address without having to shut your system down and restart it.

To request an IP address from DHCP, simply call the DHCP server with the command dhclient followed by the interface you want the address assigned to. Different Linux distributions use different DHCP clients, but Kali is built on Debian, which uses dhclient. Therefore, you can assign a new address like this:

kali >dhclient eth0

The dhclient command sends a DHCPDISCOVER request from the network interface specified (here, eth0). It then receives an offer (DHCPOFFER) from the DHCP server (192.168.181.131 in this case) and confirms the IP assignment to the DHCP server with a DHCPREQUEST.

kali >ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ba:82:0f
          inet addr:192.168.181.131  Bcast:192.168.181.131  Mask:255.255.255.0

Depending on the configuration of the DHCP server, the IP address assigned in each case might be different.

Now when you enter ifconfig, you should see that the DHCP server has assigned a new IP address, a new broadcast address, and new netmask to your network interface eth0.
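To make the DISCOVER, OFFER, REQUEST, ACK sequence concrete, here is an added example (my own code, not from the book or from dhclient) that models both sides of that exchange as in-memory messages, including the lease log the text mentions. The server address 192.168.181.2 and the two-address pool are constructed; the MAC is the one from Listing 3-1, and nothing is sent on the wire.

```python
# Added example (not from the book): the DHCPDISCOVER / DHCPOFFER /
# DHCPREQUEST / DHCPACK exchange that dhclient performs, modelled as
# in-memory messages. Addresses and the pool are constructed; nothing is sent.

class DhcpServer:
    """Hands out leases from a small pool and keeps the lease log (MAC -> IP)
    that the text describes as a resource for forensic analysts."""
    def __init__(self, address, pool):
        self.address = address
        self.free = list(pool)      # addresses not yet leased
        self.offered = {}           # mac -> ip offered but not yet confirmed
        self.leases = {}            # mac -> ip confirmed with DHCPACK

    def handle(self, msg):
        kind, mac = msg["type"], msg["mac"]
        if kind == "DHCPDISCOVER":
            ip = self.leases.get(mac) or self.offered.get(mac)   # known client?
            if ip is None:
                if not self.free:
                    return None     # pool exhausted: a real server stays silent
                ip = self.free.pop(0)
            self.offered[mac] = ip
            return {"type": "DHCPOFFER", "mac": mac, "ip": ip, "server": self.address}
        if kind == "DHCPREQUEST":
            # Only confirm what this server offered to this MAC.
            if msg["server"] != self.address or self.offered.get(mac) != msg["ip"]:
                return {"type": "DHCPNAK", "mac": mac, "server": self.address}
            self.leases[mac] = self.offered.pop(mac)
            return {"type": "DHCPACK", "mac": mac, "ip": self.leases[mac],
                    "server": self.address}
        raise ValueError(f"unexpected message type {kind}")

def dhclient(mac, server):
    """Client side: returns (leased IP or None, list of message types seen)."""
    discover = {"type": "DHCPDISCOVER", "mac": mac}
    offer = server.handle(discover)
    if offer is None:
        return None, ["DHCPDISCOVER", "(no offer)"]
    request = {"type": "DHCPREQUEST", "mac": mac,
               "ip": offer["ip"], "server": offer["server"]}
    ack = server.handle(request)
    seen = [m["type"] for m in (discover, offer, request, ack)]
    return (ack["ip"] if ack["type"] == "DHCPACK" else None), seen

if __name__ == "__main__":
    # Constructed: server at 192.168.181.2, a two-address pool, MAC from Listing 3-1.
    srv = DhcpServer("192.168.181.2", ["192.168.181.131", "192.168.181.132"])
    print(dhclient("00:0c:29:ba:82:0f", srv))
    print(srv.leases)           # the lease log an analyst would consult
```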

Manipulating the Domain Name System

Hackers can find a treasure trove of information on a target in its Domain Name System (DNS). DNS is a critical component of the internet, and although it’s designed to translate domain names to IP addresses, a hacker can use it to garner information on the target.

Examining DNS with dig

DNS is the service that translates a domain name like hackers-arise.com to the appropriate IP address; that way, your system knows how to get to it. Without DNS, we would all have to remember thousands of IP addresses for our favorite websites—no small task even for a savant.

One of the most useful commands for the aspiring hacker is dig, which offers a way to gather DNS information about a target domain. The stored DNS information can be a key piece of early reconnaissance to obtain before attacking. This information could include the IP address of the target’s nameserver (the server that translates the target’s name to an IP address), the target’s email server, and potentially any subdomains and IP addresses.

For instance, enter dig hackers-arise.com and add the ns option (short for nameserver). The nameserver for hackers-arise.com is displayed in the ANSWER SECTION of Listing 3-3.

kali >dig hackers-arise.com ns
--snip--
;; QUESTION SECTION:
;hackers-arise.com.    IN   NS

;; ANSWER SECTION:
hackers-arise.com.  5  IN   NS   ns7.wixdns.net.
hackers-arise.com.  5  IN   NS   ns6.wixdns.net.

;; ADDITIONAL SECTION:
ns6.wixdns.net.     5  IN   A   216.239.32.100
--snip--

Listing 3-3: Using dig and its ns option to get information on a domain nameserver

Also note in the ADDITIONAL SECTION that this dig query reveals the IP address (216.239.32.100) of the DNS server serving hackers-arise.com.

You can also use the dig command to get information on email servers connected to a domain by adding the mx option (mx is short for mail exchange server). This information is critical for attacks on email systems. For example, info on the www.hackers-arise.com email servers is shown in the AUTHORITY SECTION of Listing 3-4.

kali >dig hackers-arise.com mx
--snip--
;; QUESTION SECTION:
;hackers-arise.com.    IN   MX

;; AUTHORITY SECTION:
hackers-arise.com.  5  IN   SOA   ns6.wixdns.net. support.wix.com 2016052216 10800 3600 604800 3600
--snip--

Listing 3-4: Using dig and its mx option to get information on a domain mail exchange server

The most common Linux DNS server is the Berkeley Internet Name Domain (BIND). In some cases, Linux users will refer to DNS as BIND, but don’t be confused: DNS and BIND both map individual domain names to IP addresses.

Changing Your DNS Server

In some cases, you may want to use another DNS server. To do so, you’ll edit a plaintext file named /etc/resolv.conf on the system. Open that file in a text editor—I’m using Leafpad. Then, on your command line, enter the precise name of your editor followed by the location of the file and the filename. For example,

kali >leafpad /etc/resolv.conf

will open the resolv.conf file in the /etc directory in my specified graphical text editor, Leafpad. The file should look something like Figure 3-1.


Figure 3-1: A typical resolv.conf file in a text editor

As you can see on line 3, my nameserver is set to a local DNS server at 192.168.181.2. That works fine, but if I want to add or replace that DNS server with, say, Google’s public DNS server at 8.8.8.8, I’d add the following line in the /etc/resolv.conf file to specify the nameserver:

nameserver  8.8.8.8

Then I would just need to save the file. However, you can also achieve the same result exclusively from the command line by entering the following:

kali >echo "nameserver 8.8.8.8" > /etc/resolv.conf

This command echoes the string nameserver 8.8.8.8 and redirects it (>) to the file /etc/resolv.conf, replacing the current content. Your /etc/resolv.conf file should now look like Figure 3-2.


Figure 3-2: Changing the resolv.conf file to specify Google’s DNS server

If you open the /etc/resolv.conf file now, you should see that it points the DNS requests to Google’s DNS server rather than your local DNS server. Your system will now go out to the Google public DNS server to resolve domain names to IP addresses. This can mean domain names take a little longer to resolve (probably milliseconds). Therefore, to maintain speed but keep the option of using a public server, you might want to retain the local DNS server in the resolv.conf file and follow it with a public DNS server. The operating system queries each DNS server listed in the order it appears in /etc/resolv.conf, so the system will only refer to the public DNS server if the domain name can’t be found in the local DNS server.

NOTE

If you’re using a DHCP address and the DHCP server provides a DNS setting, the DHCP server will replace the contents of the file when it renews the DHCP address.
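The echo command above overwrites the whole file. As an added example (my own code, not from the book), here is a small Python helper that works on the text of resolv.conf and adds a public nameserver after the existing local one, or in front of it, without dropping the file’s other lines; the sample file is constructed to resemble Figure 3-1.

```python
# Added example (not from the book): edit resolv.conf text so a public
# nameserver is added once, after (or before) the existing local one,
# instead of clobbering the file the way `echo ... > /etc/resolv.conf` does.
# It works on the file's text, so it can be tested without touching /etc.

def nameservers(text):
    """Nameserver addresses in the order the resolver will try them."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in out:
            out.append(parts[1])
    return out

def add_nameserver(text, ip, first=False):
    """Return new resolv.conf text with `ip` added once. Other directives
    (search, options, comments) are kept exactly where they were."""
    if ip in nameservers(text):
        return text
    lines = text.splitlines()
    idx = [i for i, l in enumerate(lines) if l.split()[:1] == ["nameserver"]]
    if first and idx:
        pos = idx[0]                      # ahead of the local server
    else:
        pos = idx[-1] + 1 if idx else len(lines)   # after the last one
    lines.insert(pos, f"nameserver {ip}")
    return "\n".join(lines) + "\n"

def replace_nameservers(text, ips):
    """The effect of the echo redirect, but keeping non-nameserver lines."""
    keep = [l for l in text.splitlines() if l.split()[:1] != ["nameserver"]]
    return "\n".join(keep + [f"nameserver {ip}" for ip in ips]) + "\n"

# Constructed sample modelled on Figure 3-1 (a DHCP-written resolv.conf).
SAMPLE_RESOLV = "# Generated by NetworkManager\nsearch localdomain\nnameserver 192.168.181.2\n"

if __name__ == "__main__":
    print(add_nameserver(SAMPLE_RESOLV, "8.8.8.8"), end="")
```

Keep the list short: the glibc resolver consults only the first three nameserver lines in the file.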

Mapping Your Own IP Addresses

A special file on your system called the hosts file also performs domain name–IP address translation. The hosts file is located at /etc/hosts, and much as with DNS, you can use it to specify your own IP address–domain name mapping. In other words, you can determine which IP address your browser goes to when you enter www.microsoft.com (or any other domain) into the browser, rather than let the DNS server decide. As a hacker, this can be useful for hijacking a TCP connection on your local area network to direct traffic to a malicious web server with a tool such as dnsspoof.

From the command line, type in the following command (you can substitute your preferred text editor for leafpad):

kali >leafpad /etc/hosts

You should now see your hosts file, which will look something like Figure 3-3.


Figure 3-3: A default Kali Linux hosts file

By default, the hosts file contains only a mapping for your localhost, at 127.0.0.1, and your system’s hostname (in this case, Kali, at 127.0.1.1). But you can add any IP address mapped to any domain you’d like. As an example of how this might be used, you could map www.bankofamerica.com to your local website, at 192.168.181.131.

127.0.0.1       localhost
127.0.1.1       kali
192.168.181.131 bankofamerica.com

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Make certain you press TAB between the IP address and the domain name—not the spacebar.

As you get more involved in your hacking endeavors and learn about tools like dnsspoof and Ettercap, you’ll be able to use the hosts file to direct any traffic on your LAN that visits www.bankofamerica.com to your web server at 192.168.181.131.

Pretty easy, right?
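To see how the resolver reads this file, and how an administrator would spot an entry like the one just added, here is an added example (my own code, not from the book): a parser for the hosts file format shown above, a first-match lookup, and a check that lists names mapped to routable addresses. The sample file is constructed to match the edited hosts file in the text.

```python
# Added example (not from the book): parse a hosts file in the format shown
# above, resolve a name the way the resolver does (first exact match), and
# flag entries that send a non-local name to a routable address.
import ipaddress

LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback",
               "ip6-allnodes", "ip6-allrouters"}

def parse_hosts(text):
    """Return [(ip_address, [names]), ...]; comments and blank lines are
    skipped, and any run of spaces or tabs separates the fields."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ipaddress.ip_address(ip), names))
    return entries

def lookup(text, name):
    """First entry whose name list contains `name` exactly, else None."""
    for ip, names in parse_hosts(text):
        if name in names:
            return str(ip)
    return None

def suspicious_overrides(text, hostname):
    """Names that are neither this machine's hostname nor a standard local
    name, yet map to a routable (non-loopback, non-link-local, non-multicast)
    address. On a workstation these are worth a second look."""
    found = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_link_local or ip.is_multicast:
            continue
        found += [(n, str(ip)) for n in names
                  if n != hostname and n not in LOCAL_NAMES]
    return found

# Constructed sample matching the edited hosts file shown in the text.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       kali
192.168.181.131 bankofamerica.com

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

if __name__ == "__main__":
    print(lookup(SAMPLE_HOSTS, "bankofamerica.com"))
    print(suspicious_overrides(SAMPLE_HOSTS, "kali"))
```

Matching is by exact name, so an entry for bankofamerica.com does not cover www.bankofamerica.com; each name you want redirected needs its own entry.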

Summary

Any hacker needs some basic Linux networking skills to connect, analyze, and manage networks. As you progress, these skills will become more and more useful for doing reconnaissance, spoofing, and connecting to target systems.