Network:Workshop

From Juneday education

Preparations

Study the following material


Install required software

nmap

To install nmap follow the instructions for your OS:

  • Windows: Go to nmap's download page and click the link Latest stable release self-installer: nmap-7.70-setup.exe (the version may have changed; choose the latest)
  • MacOS
    • Homebrew: brew install nmap
    • MacPorts: sudo port install nmap
  • GNU/Linux
    • Fedora and RedHat: sudo dnf install nmap
    • Debian and Ubuntu: sudo apt-get install nmap

traceroute

To use (or fake) traceroute follow the instructions for your OS:

  • Windows: Create an alias like this in bash: alias traceroute='tracert'
  • MacOS: no action required
  • GNU/Linux
    • Fedora and RedHat: sudo dnf install traceroute
    • Debian and Ubuntu: sudo apt-get install traceroute

dig

  • Windows: install the cygwin package called bind

Misc fixes

  • Windows:
    • Create an alias like this in bash: alias ifconfig='ipconfig'

Workshop 1 - network tools

IP of a host

Let's find the IP address of some sites using nslookup and dig.

nslookup

$ nslookup www.sunet.se
Server:		130.241.151.41
Address:	130.241.151.41#53

Non-authoritative answer:
www.sunet.se	canonical name = webc.sunet.se.
Name:	webc.sunet.se
Address: 192.36.171.231
Name:	webc.sunet.se
Address: 2001:6b0:8:2::232
Name:	webc.sunet.se
Address: 2001:6b0:8:2::233

dig

$ dig www.sunet.se

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-3.P2.fc27 <<>> www.sunet.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 31045
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e8d214601b944f76 (echoed)
;; QUESTION SECTION:
;www.sunet.se.			IN	A

;; Query time: 0 msec
;; SERVER: 130.241.151.41#53(130.241.151.41)
;; WHEN: Thu Dec 13 13:25:05 CET 2018
;; MSG SIZE  rcvd: 53

Mail server of a domain

Let's use Google's DNS (8.8.8.8) to find the mail server(s) of Gothenburg University (gu.se):

$ dig @8.8.8.8 gu.se MX

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-3.P2.fc27 <<>> @8.8.8.8 gu.se MX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38951
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gu.se.				IN	MX

;; ANSWER SECTION:
gu.se.			899	IN	MX	11 e-mailfilter04.sunet.se.
gu.se.			899	IN	MX	10 v-mailfilter03.sunet.se.
gu.se.			899	IN	MX	11 e-mailfilter03.sunet.se.

;; Query time: 41 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 13 13:30:58 CET 2018
;; MSG SIZE  rcvd: 133

So the university uses 3 mail servers (if one goes down, two are up ...).
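The first dig reply above came back with status FORMERR and no answers, while the MX query returned NOERROR with three records. As an added example (not part of the original page), this shell sketch checks a reply's status before reading it and lists MX hosts with the lowest preference value, which is tried first, on top; the function names are illustrative and both samples are trimmed copies of the outputs above.

```shell
#!/bin/sh
# Added example: decide whether a dig reply can be trusted before reading it.
# Both samples are trimmed copies of the outputs above (constructed input).
DIG_A=';; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 31045
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;www.sunet.se. IN A'

DIG_MX=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38951
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;gu.se. IN MX
gu.se. 899 IN MX 11 e-mailfilter04.sunet.se.
gu.se. 899 IN MX 10 v-mailfilter03.sunet.se.
gu.se. 899 IN MX 11 e-mailfilter03.sunet.se.'

# dig_status: print the response code from the HEADER line (NOERROR, FORMERR, ...).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*HEADER.*status: \([A-Z]*\),.*/\1/p'
}

# answer_count: print the number of records in the ANSWER section.
answer_count() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p'
}

# lookup_ok: succeed only for NOERROR with at least one answer record.
lookup_ok() {
    n=$(answer_count "$1")
    [ "$(dig_status "$1")" = "NOERROR" ] && [ "${n:-0}" -gt 0 ]
}

# mx_hosts: print "preference host", lowest preference (tried first) on top.
mx_hosts() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^;/ && $3 == "IN" && $4 == "MX" { print $5, $6 }' |
        LC_ALL=C sort -k1,1n -k2,2
}

for reply in "$DIG_A" "$DIG_MX"; do
    if lookup_ok "$reply"; then
        echo "usable reply:"; mx_hosts "$reply"
    else
        echo "unusable reply: status=$(dig_status "$reply") answers=$(answer_count "$reply")"
    fi
done
```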

My IP

What's your IP address?

$ ifconfig 
eno1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 94:c6:91:19:bc:4c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xdc300000-dc320000  

enp0s20f0u4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 130.241.23.146  netmask 255.255.255.192  broadcast 130.241.23.191
        inet6 fe80::e7e:1882:ee32:4254  prefixlen 64  scopeid 0x20<link>
        ether 00:50:b6:5c:43:75  txqueuelen 1000  (Ethernet)
        RX packets 24689352  bytes 21655307616 (20.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8187351  bytes 1547942704 (1.4 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 229896  bytes 137355907 (130.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 229896  bytes 137355907 (130.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

What IP does a web server on the internet see when I access it? Point your browser to whatsmyip. Did it differ? Why?

Is a host alive

Even though some sites/hosts block ping we can still give it a try. Let's ping www.sunet.se. To interrupt the program you need to press Ctrl-c.

$ ping www.sunet.se
PING webc.sunet.se (192.36.171.231) 56(84) bytes of data.
64 bytes from webc.sunet.se (192.36.171.231): icmp_seq=1 ttl=55 time=8.27 ms
64 bytes from webc.sunet.se (192.36.171.231): icmp_seq=2 ttl=55 time=8.22 ms
64 bytes from webc.sunet.se (192.36.171.231): icmp_seq=3 ttl=55 time=8.21 ms
64 bytes from webc.sunet.se (192.36.171.231): icmp_seq=4 ttl=55 time=10.2 ms
64 bytes from webc.sunet.se (192.36.171.231): icmp_seq=5 ttl=55 time=8.25 ms
64 bytes from webc.sunet.se (192.36.171.231): icmp_seq=6 ttl=55 time=8.24 ms
^C
--- webc.sunet.se ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 8.212/8.567/10.202/0.735 ms

How do I get from here to there?

Using traceroute we can find out how a packet travels from your computer to a host. Even though some sites/hosts block traceroute (ICMP packets) we can still give it a try. Let's traceroute www.sunet.se. If it takes ages to finish, press Ctrl-c to interrupt the program. Let's traceroute GNU's homepage (www.gnu.org):

$ traceroute www.gnu.org
traceroute to www.gnu.org (208.118.235.148), 30 hops max, 60 byte packets
 1  gu23c-gw.gu.se (130.241.23.129)  0.692 ms  0.556 ms  0.481 ms
 2  gu-sunetc-lyk-gw.net.gu.se (130.241.1.145)  0.413 ms  0.462 ms  0.418 ms
 3  gbg7-r2-gu-r2.net.gu.se (130.241.1.164)  2.696 ms  2.625 ms  2.560 ms
 4  goteborg-gbg7-r1.sunet.se (130.242.4.44)  0.843 ms  0.774 ms  0.706 ms
 5  halmstad-hsd1-r1.sunet.se (130.242.4.49)  2.550 ms  2.444 ms  2.368 ms
 6  lund-lnd88-r1.sunet.se (130.242.4.73)  4.222 ms  4.167 ms  4.122 ms
 7  malmo-mcen1-r1.sunet.se (130.242.4.71)  4.500 ms  4.435 ms  4.404 ms
 8  dk-ore.nordu.net (109.105.102.122)  15.778 ms  10.958 ms  10.774 ms
 9  kbn-b4-link.telia.net (62.115.11.77)  17.121 ms  17.041 ms  16.901 ms
10  kbn-bb3-link.telia.net (62.115.123.176)  17.240 ms kbn-bb4-link.telia.net (62.115.123.194)  17.157 ms kbn-bb3-link.telia.net (62.115.123.174)  17.081 ms
11  hbg-bb1-link.telia.net (213.155.130.100)  16.998 ms  16.806 ms  16.692 ms
12  ffm-bb3-link.telia.net (62.115.123.76)  23.695 ms  23.495 ms ffm-bb4-link.telia.net (62.115.138.172)  24.590 ms
13  ffm-b4-link.telia.net (62.115.120.6)  23.037 ms ffm-b4-link.telia.net (62.115.120.0)  25.373 ms ffm-b4-link.telia.net (62.115.120.6)  23.367 ms
14  ntt-ic-323130-ffm-b4.c.telia.net (62.115.147.65)  23.880 ms  23.393 ms  24.385 ms
15  ae-4.r25.frnkge08.de.bb.gin.ntt.net (129.250.5.144)  25.379 ms  26.320 ms  25.298 ms
16  ae-8.r22.asbnva02.us.bb.gin.ntt.net (129.250.4.96)  111.823 ms  111.751 ms  110.141 ms
17  ae-1.r05.asbnva02.us.bb.gin.ntt.net (129.250.2.20)  104.747 ms  102.690 ms  102.051 ms
18  192.80.17.94 (192.80.17.94)  110.776 ms  107.312 ms  110.948 ms
19  * * *
20  wildebeest.gnu.org (208.118.235.148)  111.440 ms  114.073 ms  111.163 ms

Ports

In the networking introduction material we mentioned ports. Let's explore some of them using the command telnet.

25:mail server

Let's connect to gu.se's mail server (currently v-mailfilter03.sunet.se). The commands you need to type are highlighted. We end the "session" by pressing Ctrl-d:

$ nc v-mailfilter03.sunet.se 25
220 v-mailfilter3.sunet.se ESMTP CanIt-Appliance
EHLO www.tmp.com
250-v-mailfilter3.sunet.se Hello dhcp146.itit.gu.se [130.241.23.146], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 52428800
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP

By typing EHLO www.tmp.com we're saying we are from www.tmp.com and would like to enter a deep and fruitful conversation with the email server.
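The lines the server sends back after EHLO are its capability list, and the nc session itself is unencrypted. As an added example (not part of the original page), this shell sketch reads a captured reply and reports whether STARTTLS is offered and which AUTH mechanisms are advertised; the function names are illustrative and the sample is copied from the session above.

```shell
#!/bin/sh
# Added example: read the security-relevant capabilities out of an EHLO reply.
# Sample reply copied from the session above (constructed input, runs offline).
EHLO_REPLY='250-v-mailfilter3.sunet.se Hello dhcp146.itit.gu.se [130.241.23.146], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 52428800
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP'

# ehlo_caps: print one capability per line, keyword first.
# "250-" means more lines follow, "250 " marks the last line; the first
# line is the greeting rather than a capability, so it is skipped.
ehlo_caps() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'NR > 1 && /^250[- ]/ { print toupper(substr($0, 5)) }'
}

# has_cap: succeed if capability keyword $2 is advertised in reply $1.
has_cap() {
    ehlo_caps "$1" |
        awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# auth_mechs: print the advertised SASL mechanisms, space separated.
auth_mechs() {
    ehlo_caps "$1" | awk '$1 == "AUTH" { sub(/^AUTH[ =]*/, ""); print }'
}

# report: one-line summary of what the reply means for a client.
report() {
    if has_cap "$1" STARTTLS; then
        echo "STARTTLS offered; AUTH mechanisms: $(auth_mechs "$1")"
    else
        echo "no STARTTLS: anything sent, credentials included, is cleartext"
    fi
}

report "$EHLO_REPLY"
```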

How about trying to send an email? Let's do that ;)

$ nc v-mailfilter03.sunet.se 25
220 v-mailfilter5.sunet.se ESMTP CanIt-Appliance
EHLO www.tmp.com
250-v-mailfilter5.sunet.se Hello dhcp146.itit.gu.se [130.241.23.146], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 52428800
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
mail from: username@example.com
250 2.1.0 username@example.com... Sender ok
rcpt to: user@gu.se
550 5.1.1 user@gu.se... User unknown

Ah ok, so the user is unknown. Try entering a valid email address at a mail server you know (don't use gu.se). If you get further in the discussion with the mail server you can try to enter the following commands:

data
Subject: My very first email from nc

Hello, it's me. Really this is me


.

quit

What ports are open on a host

We can use nmap to check a computer for open ports (a port with a service listening). Using nmap is not something you should do on a computer you don't know - chances are you're going to be blocked for a while or forever.

bloch.juneday.se

$ nmap -sT bloch.juneday.se

Starting Nmap 7.60 ( https://nmap.org ) at 2018-12-13 14:14 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.07 seconds

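No open ports are reported. Note that nmap treated the host as down because its ping probes went unanswered, so no ports were actually scanned.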

wiki.juneday.se

[hesa@scarlatti ~]$ nmap -sT wiki.juneday.se

Starting Nmap 7.60 ( https://nmap.org ) at 2018-12-13 14:15 CET
Nmap scan report for wiki.juneday.se (130.241.135.117)
Host is up (0.0019s latency).
rDNS record for 130.241.135.117: juneday.ait.gu.se
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds

Ok, two ports are open. 22 is the standard port for the ssh protocol. More on ssh later on. Port 80 is the web port (actually nowadays port 443 is used .... and juneday staff need to make their wiki use a proper certificate).
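The two scans above give very different kinds of result: one lists open ports, the other never got past host discovery. As an added example (not part of the original page), this shell sketch reads an nmap report, separates "host did not respond" from "ports were scanned", and flags open ports that are not on an expected list; the function names and the allowlists are assumptions for illustration, and the samples are copied from the scans above.

```shell
#!/bin/sh
# Added example: audit an nmap report against the ports a host should expose.
# Both samples are copied from the scans above (constructed input).
SCAN_WIKI='Nmap scan report for wiki.juneday.se (130.241.135.117)
Host is up (0.0019s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds'

SCAN_BLOCH='Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.07 seconds'

# host_state: "up", or "no-response" when host discovery failed and nmap
# therefore never probed any port (which is not the same as "all closed").
host_state() {
    case "$1" in
        *"Host is up"*)      echo "up" ;;
        *"Host seems down"*) echo "no-response" ;;
        *)                   echo "unknown" ;;
    esac
}

# open_ports: print "port/proto service" for every port in state open.
open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports: open ports missing from the space-separated allowlist $2.
unexpected_ports() {
    open_ports "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print }'
}

# audit: summary line; the allowlist is an assumption supplied by the caller.
audit() {
    if [ "$(host_state "$1")" != "up" ]; then
        echo "inconclusive: $(host_state "$1")"; return 0
    fi
    extra=$(unexpected_ports "$1" "$2" | awk '{ printf "%s%s", s, $0; s = ", " }')
    echo "open: $(open_ports "$1" | wc -l | tr -d ' ') unexpected: ${extra:-none}"
}

audit "$SCAN_WIKI" "22/tcp 443/tcp"
audit "$SCAN_BLOCH" "22/tcp"
```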

What OS is running on a host

We could try to find this out using nmap and the -A option. We need to have root privileges to do this (hence sudo):

$ sudo nmap -A4  bloch.juneday.se

Starting Nmap 7.60 ( https://nmap.org ) at 2018-12-13 14:23 CET
Nmap scan report for bloch.juneday.se (130.241.23.147)
Host is up (0.00047s latency).
rDNS record for 130.241.23.147: remote.juneday.se
Not shown: 847 closed ports, 152 filtered ports
PORT   STATE SERVICE VERSION
26/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey: 
|   2048 04:a8:dc:80:28:53:72:f4:21:7c:f0:d6:93:74:be:d9 (RSA)
|   256 c9:20:d1:5d:c4:98:c3:04:44:2e:86:c8:18:b9:b0:3b (ECDSA)
|_  256 25:f6:1d:51:8c:30:b6:5e:16:ba:6f:c5:b3:90:f9:cf (EdDSA)
MAC Address: B8:AE:ED:75:D1:F9 (Elitegroup Computer Systems)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms remote.juneday.se (130.241.23.147)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.04 seconds

Workshop 2 - internal network

  • nmap
  • winstone.jar
  • DOS attack

DOS attack the systemet server

Find the IP of the server and store this in an environment variable called SERVER. If the IP is 192.168.0.1 then you should type like this (in bash):

$ SERVER="192.168.0.1"

.. and then execute a query:

$ curl "http://$SERVER:8080/search/products/all?product_name=Zubr&min_price=5&max_price=15"

Note: do not forget to quote the URL with two ". This should give you a list of Zubr (nice beer by the way!). Let's increase the tension a bit and fire away more requests.

$ while (true); do curl "http://$SERVER:8080/search/products/all?product_name=Zubr&min_price=5&max_price=15"; done

This fires away queries one by one (in sequence). What if we were to fire them away as quickly as we can, using & to put the command in the background and execute the next command without waiting for the previous one to finish? But let's limit the number of queries to send to 100.

$ for i in $(seq 1 100) ; do eval "curl \"http://$SERVER:8080/search/products/all?product_name=Zubr&min_price=5&max_price=15\" &" ; done

If we want to go bananas we can all squeeze up the limit to 10000 instead. Shall we give it a try?

Workshop 3 - Remote logins and more

SSH

Let's log in to another machine using SSH with a password. We have prepared an account for you on a RaspberryPI. Here's the information about the server:

  • hostname: bloch.juneday.se
  • ssh port: 22101
  • user: tig167
  • password: no we will not show it here ;)

Log in

So an SSH command line to login to the server will look like:

$ ssh -p 22101 tig167@bloch.juneday.se
student@bloch.juneday.se's password:

Now enter the password (and press Enter) and you should see something like this:

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 13 22:11:28 2018 from 10.0.2.2

student@raspberrypi:~ $

Execute a command

Now you can execute commands on the remote machine (the RaspberryPi). If you want to try the command uname (with some options) you'd write:

$ uname -a
Linux raspberrypi 4.4.34+ #3 Thu Dec 1 14:44:23 IST 2016 armv6l GNU/Linux

Try the same command in bash on your own computer - not logged in to the RaspberryPi. Should give you a different printout, unless you're sitting on a RaspberryPI of course.

Execute a command non interactively

First of all we need you to log out of the RaspberryPI. To do this type exit (and press Enter) or type Ctrl-d.

Now, log in again on the remote machine (the RaspberryPi) AND execute the uname command:

$ ssh -p 22101 student@bloch.juneday.se uname -a
student@bloch.juneday.se's password: 
Linux raspberrypi 4.4.34+ #3 Thu Dec 1 14:44:23 IST 2016 armv6l GNU/Linux
$

You should now "be" back on your own computer. Verify this by typing hostname and make sure that the name of your computer is printed.

Log in using keys

If you don't have any SSH keys, follow the instructions here: Create a key pair.

Transfer the public key to the remote host (RaspberryPI):

$ ssh-copy-id -p 22101 student@bloch.juneday.se
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 2 key(s) remain to be installed -- if you are prompted now it is to install the new keys
student@bloch.juneday.se's password: 
Permission denied, please try again.
student@bloch.juneday.se's password: 

Number of key(s) added: 2

Now try logging into the machine, with:   "ssh -p '22101' 'student@bloch.juneday.se'"
and check to make sure that only the key(s) you wanted were added.

Your public key should now have been copied. Verify this by logging in again and make sure you don't have to supply the password.

$ ssh -p 22101 student@bloch.juneday.se

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 13 22:55:21 2018 from .....

Execute a command non interactively

First of all we need you to log out of the RaspberryPI. To do this type exit (and press Enter) or type Ctrl-d.

Now, log in again on the remote machine (the RaspberryPi) AND execute the uname command:

$ ssh -p 22101 student@bloch.juneday.se uname -a
Linux raspberrypi 4.4.34+ #3 Thu Dec 1 14:44:23 IST 2016 armv6l GNU/Linux
$

You should now "be" back on your own computer. Verify this by typing hostname and make sure that the name of your computer is printed. Did you notice that you didn't have to supply the password?

Using keys like this can ease up tasks on a remote machine a LOT, to say the least.

Compiling and cross compiling

  • file on your computer
  • file on the remote host
  • compile a program written in c
    • run it on your computer
    • run it on the RaspberryPi
  • cross compile (for RaspberryPi, linux) a program written in c
    • run it on your computer
    • run it on the RaspberryPi
  • compile a program written in Java
    • run it on your computer
    • run it on the RaspberryPi

OPTIONAL | Crack password