Teaching Cyber Security (Part 15)

in linux •  2 years ago  (edited)

This is the 15th post of a series for teaching cyber-security in a coding-club. Read [part 14].

Host & whois

Information gathering

When hackers want to attack a target they will have an initial phase of information gathering. For example:

  • Who owns the website?
  • Where are the servers? (Country, IP Address)
  • What technology does it use?
  • How do the owners log into it?
  • Does it have good protection and security?

As security experts we need to make sure that only the minimal information is exposed and that only authorized users can enter the server.

Finding a server

Let's start with this website. Could we find out the IP behind our website? Of course, there is a command for it:

host steemit.com

If it doesn't work straight away you may need to install the host software with sudo apt install bind9-host (the Debian/Ubuntu package that provides the host command).

Note that it is perfectly legal and allowed to ask for the IP of a website. This is public information and anybody can ask for it.

Who owns the server?

Another useful command is whois. Remember whoami? This is similar, but for a website on the internet. For example:

whois nytimes.com

Was that too much information? Let's keep only the first 10 lines, which include the Registrar, the company which manages the domain registration. We'll use the command head, which prints only the first 10 lines.

whois nytimes.com | head

(remember we are using a pipe to give head all the information, and then head prints only the first 10 lines).

Can you do the same for google.com? twitter.com?
Does this give any interesting information?

It is also legal to ask for the whois information for a website. This is public information.

whois google.com | head -n 20

What do you think the option -n 20 does? Experiment with other numbers to find out.

Traceroute

Hop, hop, hop

When you visit a website, send a ping or ask for host information, your request jumps from one computer to another until it reaches the destination. The answer then jumps back from computer to computer until it gets to you.

Could we look under the hood and see this process in real time? Of course we can! We are at the powerful shell!

The command is called traceroute, which simply means: track the route taken by this information. Let's try it out:

traceroute web.mit.edu

The output was the list of all the computers you had to hop over between your own computer and the MIT website. Let's tidy up the output a little. Try:

traceroute -n web.mit.edu | awk 'NR>1 { print $2 }'

Try it and don't worry too much about awk. It is just cleaning up the output so it's easier to read.

Isn't it fascinating? Try other places, like websites in Japan or Spain. If you see stars (* * *), that hop did not answer in time: many routers and firewalls simply don't reply to traceroute's probes, so the route carries on past them.

But where in the world are all these computers? Glad you asked! For this we have another amazing command called geoiplookup. First let's install the necessary tools:

sudo apt install geoip-bin

Let's pipe the output (list of IPs) to the geoiplookup:

traceroute -n elpais.es | awk 'NR>1 { print $2 }' | xargs -n 1 geoiplookup

This is already a pretty advanced command. Don't worry if you don't understand most of it. You won't need to build commands as complex as this. In essence, it says: Which computers do I need to jump through to get to elpais.es > keep only the IPs in that list > check the country of each of those IPs.

Try websites in different countries and find out what other countries your pings jump through before you get the website.

Secure shell

Connecting to a server

WARNING: The commands you are about to learn can ONLY be used if you are EXPLICITLY authorized to do so. Using them without permission could mean breaking the law and could have very serious consequences.

Once we know the IP of a server, how do we get in?

Typically we use a Secure Shell. This establishes a connection between our shell here and the shell on the server we want to access. Once connected we can control that computer remotely.

We will access a remote computer like this:

ssh [email protected]

Where ssh means Secure Shell. Another format is:

ssh [email protected]

and the connection is made. This can only be done if we have been invited to use the IP address or the server. ANY OTHER USE IS ILLEGAL.

Fortunately, there is a server which provides free access for learners. We are going to establish a connection with it, create a user and do stuff on that computer. Once inside, it will ask for your details (don't give any identifying information, just write some fake details). Following that, I would like you to:

  • Create a new directory with mkdir
  • create a file with touch
  • list the files in that server, and cat the content of the files
  • logout with the exit command.

Ok, let's connect to that server:

ssh [email protected]

Did it work? You can ask in the comments if it didn't.

Conclusion

What have we learnt?

________________________________________
/ write down all the information you may \
\ need about the XYZ secret server       /
 ----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Here's what we have learnt:

  • ping (to test if a website is up and running)
  • ifconfig (to find our own IP)
  • host (to find the IP of a website)
  • whois (to find who owns/manages a website)
  • traceroute & geoiplookup (to track information traveling through the internet)

And last but not least, how to get inside and control a remote server with ssh. This tool is used all the time by software developers to manage their websites and apps. However it can only be used if we are allowed inside the server.

To learn more about ssh and small shell programs, visit [Part 16]
