
Linux Client Configuration

In document Principles of Computer Security (Page 32-37)


Lab 1.1l: Linux Client Configuration

You will need the following:

BackTrack

Metasploitable

Chapter 1: Workstation Network Configuration and Connectivity 12

Lab Manual / Principles of Computer Security CompTIA Security+ and Beyond Lab Manual, Second Edition / Nestler / 174856-3 / Chapter 1

Lab Steps at a Glance

Step 1: Start the BackTrack and Metasploitable PCs. Only log on to the BackTrack PC.

Step 2: View the network card configuration using ifconfig.

Step 3: Use the cat command to view the file resolv.conf to determine the DNS address.

Step 4: Use the netstat -nr command to determine the gateway router address.

Step 5: Use the ifconfig command to change the network configuration for a machine.

Step 6: View the ARP table.

Step 7: Ping the Metasploitable machine by IP address and view the cache.

Step 8: Modify the ARP cache and view the ARP cache again.

Step 9: Log off from the BackTrack PC.

Lab Steps

Step 1: Start the BackTrack and Metasploitable PCs. Only log on to the BackTrack PC.

To log on to the BackTrack PC:

1. At the login prompt, type root and press enter.

2. At the password prompt, type toor and press enter.

Note

You will not see any characters as you type the password.

Step 2: View the network card configuration using ifconfig.

1. At the command line, type ifconfig -h and press enter. (The information may scroll off the screen. To see the text, hold the shift key down and press pageup.)

2. Observe how this command was used.

Tip

For many commands in Linux, you can type the command and the -h option (help) to get information about the command. To get more detailed information, you can use the manual command by typing man and pressing enter. To get out of the man program, type q.

Let us examine how we can utilize this command:

3. At the command line, type man ifconfig and press enter.

4. Use the up arrow and down arrow keys to scroll through the man page.

5. When you are done looking at the man page, press q to exit.

Tip

When you need to type the same command several times with only slight changes, pressing the up arrow key will show the previous command you just typed. You can then modify the command easily with the new options.

6. At the command line, type ifconfig and press enter.

a. Observe the information displayed.

b. How does Linux refer to the IP address? What is your IP address?

c. How does Linux refer to the subnet mask? What is your subnet mask?

Step 3: Use the cat command to view the file resolv.conf to determine the DNS address.

At the command line, type cat /etc/resolv.conf and press enter.

a. Observe the information displayed.

b. What is your DNS server (Domain Name Service) address?

Step 4: Use the netstat -nr command to determine the gateway router address.

At the command line, type netstat -nr and press enter.

a. Observe the information displayed.

b. Note that a default gateway is not configured.

Step 5: Use the ifconfig command to change the network configuration for a machine.

1. At the command line, type ifconfig eth0 192.168.100.210 and press enter.

2. At the command line, type ifconfig and press enter.


3. At the command line, type ifconfig eth0 192.168.100.201 and press enter.

4. At the command line, type ifconfig and press enter.

a. Did your IP address change?

b. What did you just do?

Step 6: View the ARP table.

Working at the BackTrack machine, you are now going to view the ARP table, using the arp utility.

1. At the command line, type arp -h and press enter.

2. Observe the options for this command.

3. At the command line, type arp -an and press enter.

a. What do the options a and n do?

b. Do you have any entries?

Step 7: Ping the Metasploitable machine by IP address and view the cache.

From the BackTrack PC, you are going to use the ping utility to communicate with the Metasploitable server machine.

1. At the command line, type ping 192.168.100.202 and press enter.

a. Notice that the ping replies will continue until you stop them. Press ctrl-c to stop the replies, as shown in Figure 1-5.

b. Observe the information displayed.

c. What is icmp_seq?

d. Notice the time the first reply took compared with the rest of the replies. Was there a significant difference? If so, why?

e. How can you be sure that this response is actually coming from the correct computer?

2. At the command line, type arp -an and press enter.

3. Observe the entry. Notice that the MAC address for the Metasploitable machine is listed.

Step 8: Modify the ARP cache and view the ARP cache again.

1. At the command line, type arp -d 192.168.100.202 and press enter.

2. Observe the entries. (If you do not see an entry, do not worry; we are simply deleting what is in the ARP cache.)

3. At the command line, type arp -an and press enter, as shown in Figure 1-6.

4. Observe that the ARP cache now has no MAC addresses.

5. At the command line, type ping 192.168.100.202 and press enter. Press ctrl-c to stop the replies.

6. At the command line, type arp -an and press enter.

a. Observe the entry. Notice that the MAC address is once again listed.

b. How does pinging the machine cause its MAC address to be populated in the ARP cache? (This is explored in “Lab 2.1, Network Communication Analysis,” in the next chapter.)

c. How can you be sure that this is actually the correct MAC address for the computer?

Step 9: Log off from the BackTrack PC.

At the command line, type exit and press enter.

Figure 1-5 The ping command in Linux

Figure 1-6 The arp command in Linux


Note

ARP, as a protocol and as implemented, is built on simple trust. This makes it easy to implement but creates a serious weakness: ARP trusts completely and believes whatever it is told, even information it never requested.
