From working with thousands of aspiring hackers, I have found that very often the greatest hurdle to getting started in hacking is unfamiliarity with Linux. After years of working with the GUI's of MAC and Windows, newbies in this field get scared away by the command line and Linux. Overcoming that hurdle is primary motivation for this series, to make aspiring hackers familiar, comfortable and proficient in Linux.
As a hacker, networking is critical. We need to manage and manipulate our ability to connect with other computers to optimize our ability to compromise another machine. In some cases, you will need to connect, but hide your IP address and other information. In this tutorial, I will attempt to show you the basics of networking in Linux.
Step 1: Analyzing Networks and network Interfaces
The most basic Linux command for analyzing networks is ifconfig. It's very similar to the Windows command, ipconfig. Let's take a look at it.
kali > ifconfig
As you can see in this screenshot, ifconfig conveys a significant amount of information to the user. In the very first line, we see to the far left eth0. This is the first wired network connection, Ethernet 0 (Linux usually starts counting at 0 rather than 1. Get used to it, if you are using Linux).
Following this, we see the type of network being used (Ethernet) and the Hwaddr (this is the globally unique address stamped on every piece of network hardware, in this case the network interface card or NIC). As you know, this is usually referred as the MAC address.
The second line then contains information of the IP address, in this case, 192.168.181.131, the broadcast address (the address to send out information to all IPs on the subnet), and finally the network mask (this is the info on what part of the IP address is network and which part is hosts). There is a lot more technical info there, but it's beyond the scope of a Linux basics tutorial.
If we look down below to what appears to be a second stanza or paragraph, we see the start of another paragraph with lo to the far left. This is the loopback address or localhost. This is the address of the machine you're working on. You would use it, if you simply wanted to test something like your own web server. It generally is represented with the IP address 127.0.0.1.
Finally, in the third paragraph or stanza, we see and interface wlan0. This will only appear if you have a wireless interface or network adapter. In my case here, I obviously have a wireless adapter. Note that it also displays the MAC address of that device (Hwaddr).
When we have a wireless adapter, we can gather information on it with the command, iwconfig. This will be particularly important in wireless hacking.
Let's take a look at our wireless devices with iwconfig.
As you can see above, this command gives considerable information on our wireless devices. The only network interface with wireless extensions, as we would expect, is wlan0. Within that paragraph we learn what 801.11 standard our device is capable of (bg), that it is in Mode:Magaged (this contrasts with a monitor or promiscous mode we will need for most wireless hacks), that it is Not-Associated with an Access Point(AP) and it's power is 20dBm. We will spend more time with this information in the wireless hacking section.
Network interfaces can be activated or de-activated by using the ifup (activate) and the ifdown (de-activate) command. These commands are simply followed by the name of the interface we want to activate/deactivate, such as;
kali > ifdown eth0
When we deactivate the eth0 interface and then type the ifconfig command, we can see that the eth0 is no longer active and does not appear.
Step 2: Changing IP Addresses
Changing IP addresses can be fairly simple in Linux, I think must simpler than in the Windows GUI that requires multiple clicks.. Remember that in most cases, you're going to have a dynamically assigned address from a DHCP server (see below in section 3). In some cases, you may need to reassign the address, especially if you're hacking. This can be useful in spoofing your IP address--making network forensics more challenging--but certainly not impossible.
We can do this by using the ifconfig command again with the interface we want to assign the IP to and the new IP address we want to assign to the interface. Such as:
kali > ifconfig eth0 192.168.181.115
Now, when we type ifconfig, we can see that our IP address has changed to the new IP address.
We can also change the netmask and broadcast address, if necessary, such as:
kali > ifconfig eth0 192.168.181.115 netmask 255.255.0.0 broadcast 192.168.1.255
Step 3: DHCP (Dynamic Host Configuration Server)
Linux has a DHCP server that runs a daemon (daemon is simply a process that runs in the background in Linux) called dhcpd or dhcp daemon. It's this DHCP server that assigns IP addresses to all the systems on the subnet. It also keeps logs files of which machines had which IP addresses at which time. It's this log that is often used to trace hackers in a forensic analysis after an attack.
When I want my machine to be assigned a new address from the DHCP server, I can simply call the server with the command dhclient followed by the interface (different Linux distros use different DHCP clients, but Kali is built on Ubuntu which uses dhclient), like this:
kali > dhclient eth0
The dhclient command sends out DHCPDISCOVER request from the default NIC. It then gets an offer (DHCPOFFER) of 192.168.181.131 from the DHCP server, then confirms the IP assignment to the DHCP server. Now, if we type ifconfig, we can see that the DHCP server has assigned a new IP address.
Step 4: DNS (Domain Name Service)
DNS, or Domain Name Services, is the service that enables us to type in a domain name like hackers-arise.com, which it then translates to the appropriate IP address. Without it, we would all have to remember thousands of IP addresses of our favorite websites (no small task even for a savant).
One of the most useful commands for the aspiring hacker is dig, which is the equivalent of nslookup in Windows, but offers us much more information on the domain. For instance, if we dig hackers-arise.com and by adding the ns option, it will display the nameserver for hackers-arise.com.
kali > dig hackers-arise.com ns
By using the dig command with the mx option, we can get info on www.hackers-arise.com email servers.
kali > dig hackers-arise.com mx
As a hacker, the dig command and using DNS to obtain information on our potential target can be key piece of early reconnaissance before attacking.
The most common Linux DNS server is the Berkeley Internet Name Domain, or BIND. In some cases, Linux users will often refer to DNS as BIND, so don't be confused. DNS or BIND simply maps individual domain names to IP addresses.
On our Kali system, we can point our DNS services to a local DNS server or a public DNS server. This pointing takes place in the a plain text file named /etc/resolv.conf file. Let's open it with leafpad:
As you can see in Line 3, the nameserver is set to a local DNS server at 192.168.181.2. That works fine, but if I wanted to add or replace that DNS server with say Google's public DNS server at 220.127.116.11, we can either add a line in the /etc/resolv.conf to read;
Maybe more simply, we can use the command line to do the same by typing;
kali > echo "nameserver 18.104.22.168" > /etc/resolv.conf
As you can see above, our /etc/resolv.conf file points our DNS requests to Google's DNS server now
With this change, your system will now go out to the Google public DNS server to resolve domain names to IP addresses, rather than our local DNS server. This might take a bit more time, so to remedy this, you might keep your local DNS server followed by a public DNS server and the system will only go to the public DNS server, if the domain name can not be found in the local DNS server.
In addition to the DNS servers, there is hosts file in your Linux operating system. This hosts file enables us to put in our own IP address-domain name mapping, kind of like a static DNS service. In other words, we can determine where our browser/system goes when we type in Microsoft.com (or any other domain) rather the DNS server. This can be useful as a hacker if we want to hijack a TCP connection on our local area network to direct traffic to our malicious web server with a tool such as dnspoof.
By default, this file only has our localhost at 127.0.0.1 and Kali at 127.0.1.1. We can add any IP/domain mapping we would like. For instance in my dnsspoof tutorial we mapped the bankofamerica.com to our local website, say 192.168.181.131. This would then direct our traffic intended for bankofamerica.com to our web server, and if we are using dnspoof, it would direct anyone on our LAN to our web server at 192.168.181.131.
In my next Linux tutorial, we will look at adding and removing software, so keep coming back. If you haven't already, make sure to check out the first three parts of this series.
For more on using Linux for hacking, check out my book "Linux Basics for Hackers" now available here on Amazon.