
Just what the heck is Knoppix STD anyway?

Knoppix is a slimmed-down version of Linux that has incorporated a bunch of security tools (hence the comedic name STD: Security Tools Distribution). Linux started about 15 years or so ago although it doesn’t seem like that long ago. Linus Benedict Torvalds was not too keen on the free operating systems available in the early 1990’s so he wrote one himself: Linux.

This operating system was designed with a much better stock “kernel” (think of it like the brain of the operating system) to place other applications and programs on top of (think of those like the senses and extremities) than the existing ones of the day. But, unlike other operating systems, he decided to put only the bare minimum requirements into the operating system. Users could then later customize their systems to contain exactly what they needed. This made for a more stable operating system and fewer, or even no, “blue screens of death.” Later on an even better advantage surfaced: Linux was immune to the viruses of the day.

From this kernel spawned many versions, also known as “flavors”, of the Linux operating system: Red Hat, Caldera, Mandrake and others. Each one has different abilities and functions. Recently a new flavor has been added called Knoppix and its more customized version “STD.” A difference here is that STD can be self-contained on a CD-ROM and placed into any machine, rebooted, and the Knoppix/STD operating system comes up on the machine. When the machine is rebooted to the hard drive the next time, the regular operating system comes back. No harm, no foul.

To use Knoppix STD you need at least a 486 CPU with a minimum of 20 MB of RAM. You can probably find these everywhere in garage sales and thrift shops. I do, however, recommend using 128 MB of RAM to get the full range of tools in graphic mode. To load Knoppix STD first switch your BIOS settings to boot from CD. Don’t know how to do this? Ask your instructor or go look it up in your books or on the web.

Get used to not knowing how to do things in the computer world…you just have to take one step at a time and do not get discouraged. There are other ways to boot up Knoppix like using a floppy disk/CD combination. Look out on the web for how to do that. Once you get Knoppix up you should see the desktop (and maybe an internet window):

Yeah, I know, it really, really looks similar to Windows, but believe me it does not work like Windows. Along the bottom you will see a taskbar with a bunch of options:

Programs and menus
Open Windows
Dates and Times

Now let’s look at each of the programs and menus separately.

This represents the “Start Applications.” It is similar to the “Start” button in Windows. Why a K? No, not directly to represent Knoppix but the KDE or “Kool Desktop Environment.” Clicking on this gives you the bulk of the stuff in Knoppix.

We’ll come back to that in a bit.

This icon represents “window list.” It does just what it sounds like…it gives you a listing of all open windows in the KDE.

This will show you the desktop…which you can already see. Use it later to toggle back and forth between windows.

This is the “home icon.” Clicking on it will bring up file://home/knoppix. Then you will see the home directory, the desktop, GNUstep, a folder for the tmp directory and some other stuff. Not much to worry about right now.

This icon will bring up the KDE control center. From here you can make all your settings and stuff. Think of this as being similar to the control panel in Windows.

This is the Konsole Shell. Think of this as similar to the DOS prompt in Windows. From here you will do several labs with Knoppix STD.

The first thing you should do is click on the “Start Applications” button and just explore:

Lots of good stuff here to explore and play with. Later I will point out some more useful stuff for you to use in Knoppix STD during your Cisco studies. Notice the little “help” icon that looks like a life buoy. Hmmm…you might want to look at that.

Good reading (I hope the links stay good for you)

http://www.knoppix.net (you can download Knoppix here too) or

http://www.knoppix.net/docs/index.php/KnoppixForNewbies

From the above document:

“With Knoppix you have an ideal introductory package which includes the most of the best known applications (in Linux)…Knoppix is also ideal for other reasons. Trying out Knoppix is a zero investment and zero risk proposition: you do not need any dedicated computers and you cannot, no matter how hard you try, crash your computer or lose data by playing around with Knoppix.” (p.1)

DOS-like Stuff in Knoppix Konsole

Objective:

This lab is designed to help you become familiar with various commands in the Knoppix Konsole screen.

Tools and Materials:

Windows-based computer
Knoppix STD CD

Step-by-Step Instructions:

1. Re-boot the machine into the Knoppix environment from the CD. Boot to a user mode, not the root mode.

2. Open a Konsole session. Along the bottom taskbar you will see a picture of a monitor with a yellow shell superimposed on it.

Click on the Konsole Shell icon.

There is a command called host that you can use to find out a bunch of information. Let’s start off with looking at the help for host:

knoppix@star10616121:~$ host
Usage: host [-v] [-a] [-t querytype] [options] name [server]
Listing: host [-v] [-a] [-t querytype] [options] -l zone [server]
Hostcount: host [-v] [options] -H [-D] [-E] [-G] zone
Check soa: host [-v] [options] -C zone
Addrcheck: host [-v] [options] -A host
Listing options: [-L level] [-S] [-A] [-p] [-P prefserver]
Special options: [-O srcaddr] [-j minport] [-J maxport]
Extended usage: [-x [name ...]] [-X server [name ...]]

You can verify your hostname with the command hostname.

knoppix@star10616121:~$ hostname
star10616121

3. Next let’s look at the tcp/ip settings on your workstation. As you will see we have considerably more commands and options in Knoppix than we did under Windows and DOS (remember using ipconfig and winipcfg from the command prompt?). First, just for the heck of it, let’s type in ip:

knoppix@star10616121:~$ ip

So, let’s go ahead and pick the object equal to addr for address information:

knoppix@star10616121:~$ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:4f:14:39:04 brd ff:ff:ff:ff:ff:ff
    inet 192.168.151.60/24 brd 192.168.151.255 scope global eth0

Keep in mind I highlighted some stuff to illustrate the step. In the above output we can see the ip address of the workstation I used is 192.168.151.60 with a subnet mask of 255.255.255.0 (aka “/24”). But, unlike in Windows/DOS, we also have the MAC address of 00:c0:4f:14:39:04 and a broadcast address of ff:ff:ff:ff:ff:ff. But wait! We are seeing that things may look the same but we have differences. We can use another command that is similar to ipconfig in DOS. In Knoppix we can use the ifconfig command.

4. Ok, so now we know who we are, let’s find out our path to the Internet. Just a few more options here than we had in DOS. For example, if we had more than one NIC we could specify from which interface (iface) we wanted to start our traceroute. Let’s take a guess, based upon the ip address we already found, that the gateway for 192.168.151.60 is 192.168.151.1 and double-check it with traceroute:

knoppix@star10616121:~$ traceroute 192.168.151.1

traceroute to 192.168.151.1 (192.168.151.1), 30 hops max, 38 byte packets

1 192.168.151.1 (192.168.151.1) 0.905 ms 0.863 ms 0.841 ms

From this we can see our default traceroute packet size is 38 bytes and our gateway is only one hop away. We can also see traceroute will only work up to 30 hops maximum. We have good evidence that 192.168.151.1 is our gateway, but we can be really sure by using traceroute to hit something on the Internet, like yahoo.com (I took out some spaces to make this read better):

knoppix@star10616121:~$ traceroute www.yahoo.com
traceroute: Warning: www.yahoo.com has multiple addresses; using 216.109.118.76
traceroute to www.yahoo.akadns.net (216.109.118.76), 30 hops max, 38 byte packets
 1 192.168.151.1 (192.168.151.1) 0.952 ms 0.913 ms 0.918 ms
 2 192.168.154.1 (192.168.154.1) 4.197 ms 3.984 ms 3.982 ms
 3 do-esr5000 (172.23.1.1) 4.039 ms 3.911 ms 3.892 ms
 4 192.168.100.27 (192.168.100.27) 4.787 ms 4.564 ms 4.542 ms
 5 192.168.255.4 (192.168.255.4) 5.644 ms 5.261 ms 5.173 ms
 6 66.194.104.14 (66.194.104.14) 5.797 ms 6.124 ms 6.019 ms
 7 64-132-156-189.gen.twtelecom.net (64.132.156.189) 8.253 ms 7.829 ms 8.340 ms
 8 64-132-156-225.gen.twtelecom.net (64.132.156.225) 7.716 ms 26.618 ms 8.976 ms
 9 66.192.243.224 (66.192.243.224) 8.064 ms 8.107 ms 7.885 ms
10 dist-02-ge-2-3-0-0.tamq.twtelecom.net (66.192.243.102) 9.296 ms 20.089 ms 8.348 ms
11 dist-01-so-0-0-0-0.mtld.twtelecom.net (66.192.243.6) 23.822 ms 12.032 ms 11.627 ms
12 dist-02-ge-3-3-0-0.mtld.twtelecom.net (66.192.243.130) 11.597 ms 11.604 ms 14.049 ms
13 66.192.243.14 (66.192.243.14) 20.470 ms 21.330 ms 21.074 ms
14 core-01-so-0-0-0-0.asbn.twtelecom.net (66.192.255.27) 35.953 ms 38.449 ms 36.380 ms
15 66.192.255.229 (66.192.255.229) 110.49 ms 35.555 ms 35.515 ms
16 g2-12-bas2.dce.yahoo.com (206.223.115.2) 35.732 ms 36.434 ms 36.207 ms
17 vlan201-msr1.dcn.yahoo.com (216.115.96.163) 37.052 ms 36.930 ms 36.045 ms
18 vl30.bas1-m.dcn.yahoo.com (216.109.120.142) 36.136 ms vl47.bas1-m.dcn.yahoo.com (216.109.120.218) 39.633 ms vl30.bas1-m.dcn.yahoo.com (216.109.120.142) 37.084 ms
19 p13.www.dcn.yahoo.com (216.109.118.76) 37.740 ms 36.807 ms 38.488 ms

Here we can see some distinctive differences between DOS tracert and Knoppix traceroute. First and foremost Knoppix is way quicker than DOS. This is because it does not have to wade through tons of stuff on its way out of the machine, and ditto on the return trip. Next, if you are comparing this to the DOS output earlier, you will also see that most of the packets did not time out and we actually got the information back on the actual routes used. With knowledge comes power (Scientia es gravis), but that will be covered a bit more in the Script Kiddie Cookbook and what to do with this information. So, once again, we have found really good evidence that our gateway is 192.168.151.1, but you would think that Knoppix would have an iron-clad way of letting us know this information, right? Right! I was just stalling a bit. We have a command for address resolution that will not only tell us the gateway, but the MAC address of it as well:

knoppix@star10616121:~$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.151.1            ether   08:00:02:1D:FC:B7   C                     eth0

Ok, so now we have found out a bunch of stuff about our own ip address, MAC address, gateway ip address, and gateway MAC address. Let’s turn next to some other icmp-related commands. One last tool for us is to “see” a routing table for the workstation. Yeah, I said it…a routing table for the workstation. Here we can see the same information, only this time we see our subnet mask of 24 bits too:

knoppix@star10616121:~$ route
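The last few steps pulled the workstation’s ip address, MAC address, gateway and gateway MAC out of ip addr and arp by eye. As an added example (my code, not part of the original lab), here is the same extraction done with awk so it can be scripted. Each function reads its input on stdin, so on a live box you would pipe the real command into it (ip addr | iface_ipv4 eth0); the sample output below is constructed from the values shown above. The last function is the defender’s use of that arp row: record the gateway’s hardware address once and have a script tell you if it ever reads differently.

```shell
#!/bin/sh
# Added example, not part of the original lab: pull the workstation's identity
# out of "ip addr" and "arp" output with awk. Each function reads stdin, so on
# a live system you would run e.g.   ip addr | iface_ipv4 eth0

# Constructed sample output, using the lab's own values.
IP_ADDR_SAMPLE='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:4f:14:39:04 brd ff:ff:ff:ff:ff:ff
    inet 192.168.151.60/24 brd 192.168.151.255 scope global eth0'

ARP_SAMPLE='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.151.1            ether   08:00:02:1D:FC:B7   C                     eth0'

# iface_ipv4 IFACE: first IPv4 address (with /prefix) on IFACE
iface_ipv4() {
    awk -v want="$1" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
        iface == want && $1 == "inet" { print $2; exit }'
}

# iface_mac IFACE: hardware address of IFACE
iface_mac() {
    awk -v want="$1" '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
        iface == want && $1 == "link/ether" { print $2; exit }'
}

# gateway_mac GW_IP: hardware address the arp table holds for GW_IP
# (empty if the gateway has not been resolved yet; ping it once and retry)
gateway_mac() {
    awk -v gw="$1" '$1 == gw && $2 == "ether" { print $3; exit }'
}

# check_gateway_mac GW_IP EXPECTED: succeed only if the arp entry for the
# gateway matches the address you recorded earlier (case-insensitive, since
# arp prints upper case and ip addr prints lower case). A mismatch means the
# gateway hardware changed or something else is answering for its address;
# either way it is worth a look before trusting the path out.
check_gateway_mac() {
    seen=$(gateway_mac "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$seen" ] && [ "$seen" = "$want" ]
}

# identity_summary IFACE GW_IP: one line "iface ip mac gw gwmac" from the samples
identity_summary() {
    ip=$(printf '%s\n' "$IP_ADDR_SAMPLE" | iface_ipv4 "$1")
    mac=$(printf '%s\n' "$IP_ADDR_SAMPLE" | iface_mac "$1")
    gwmac=$(printf '%s\n' "$ARP_SAMPLE" | gateway_mac "$2")
    printf '%s %s %s %s %s\n' "$1" "$ip" "$mac" "$2" "${gwmac:-unresolved}"
}

identity_summary eth0 192.168.151.1
```

The awk programs key on the interface header lines (“2: eth0:”) so that the inet and link/ether lines that follow are attributed to the right interface; that is what keeps lo’s 127.0.0.1 from being reported for eth0.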

5. Let’s first look at the icmp implementation, better known as ping, and its options in Knoppix (notice how Knoppix uses 64 bytes instead of the 32 in DOS):

knoppix@star10616121:~$ ping
usage: ping [-LRdfnqrv] [-c count] [-i wait] [-l preload]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface address] host

You will have to use the break sequence (Control+C) to stop the icmp onslaught.

By default Knoppix uses a continuous ping (so does Linux). In DOS you had to add the -t option to do that. You can see here I only let it run for three packets.

This too is much quicker than in DOS under Windows. Take a second and play with those options if you wish.

6. We have seen many similarities between Knoppix and the DOS commands that you used under Windows. One distinct difference that you will find in Knoppix and not in DOS is the ability to get help on, or find commands related to, other commands. Let’s burn up a few pages on getting “manuals” in Knoppix for commands. First, in case you cannot remember the specific Knoppix command, you can just rely on the old DOS standby and ask for help:

knoppix@star10616121:~$ help arp
bash: help: no help topics match `arp'. Try `help help' or `man -k arp' or `info arp'.

So I went ahead and did the man -k arp command just like it said to (aren’t computers great…they don’t do anything you don’t tell them to…see also the “Hacker Manifesto” for more details):

dmassagevendor (8) - convert the ethernet vendor codes master list to arpwatch format
in.telnetd (8) - DARPA telnet protocol server
massagevendor (8) - convert the ethernet vendor codes master list to arpwatch format
nemesis-arp (1) - ARP/RARP Protocol (The Nemesis Project)
portmap (8) - DARPA port to RPC program number mapper

This gives us the arp-related commands that can be used and a brief description of each. Unfortunately most of these arp-related commands don’t work with Knoppix.

Let’s move on to looking at another manual for a command:

knoppix@star10616121:~$ man -k ifconfig

ifconfig (8) - configure a network interface

Nice. Simple and to the point. Not much confusion there. Another one:

knoppix@star10616121:~$ man -k traceroute
paratrace (1) - Parasitic Traceroute via Established TCP Flows & IPID Hopcount
traceroute (8) - print the route packets take to network host
traceroute.lbl (8) - print the route packets take to network host

knoppix@star10616121:~$ man -k ping
con2fbmap (8) - hows and set mapping between consoles and framebuffer devices.
devdump (8) - Utility programs for dumping and verifying iso9660 images.
getkeycodes (8) - print kernel scancode-to-keycode mapping table
setkeycodes (8) - load kernel scancode-to-keycode mapping table entries
normalized device coordinates to window coordinates
glGetClipPlane (3x) - return the coefficients of the specified clipping plane
XChangeDeviceKeyMapping (3x) - query or change device key mappings
XChangeKeyboardMapping (3x) - manipulate keyboard encoding and keyboard encoding structure
XGetDeviceButtonMapping (3x) - query or change device button mappings
XGetDeviceKeyMapping (3x) - query or change device key mappings
XGetDeviceModifierMapping (3x) - query or change device modifier mappings
XGetKeyboardMapping (3x) - manipulate keyboard encoding and keyboard encoding structure
XGetModifierMapping (3x) - manipulate keyboard encoding and keyboard encoding structure
XGetPointerMapping (3x) - manipulate pointer settings
XMapEvent (3x) - MapNotify and MappingNotify event
XRefreshKeyboardMapping (3x) - handle keyboard input events in Latin-1
XSetDeviceButtonMapping (3x) - query or change device button mappings
XSetDeviceModifierMapping (3x) - query or change device modifier mappings
XSetModifierMapping (3x) - manipulate keyboard encoding and keyboard encoding structure
XSetPointerMapping (3x) - manipulate pointer settings
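The man -k ping listing runs long because the keyword also matches inside words like “mapping”, and most of those hits are X and OpenGL library calls in section 3x rather than commands. As an added example (my code, not from the lab), this sh filter keeps only the manual sections that hold commands (1 for user commands, 8 for administration commands) and tidies the uneven “name(8)-description” spacing seen in the listings above. The sample lines are constructed from those listings.

```shell
#!/bin/sh
# Added example, not part of the original lab: trim "man -k" output to the
# sections that hold commands. On a live system:  man -k ping | man_sections "1 8"

# Constructed sample, in the uneven spacing the lab's listings show.
MAN_K_SAMPLE='paratrace (1)- Parasitic Traceroute via Established TCP Flows & IPID Hopcount
traceroute (8) - print the route packets take to network host
traceroute.lbl(8)-print the route packets take to network host
glGetClipPlane (3x) - return the coefficients of the specified clipping plane
XGetPointerMapping (3x) - manipulate pointer settings'

# man_sections LIST: keep stdin lines whose "(section)" is in the space-separated
# LIST, re-emitting each as "name (section) - description" so they line up.
man_sections() {
    awk -v list="$1" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) keep[want[i]] = 1 }
        match($0, /\([0-9][0-9a-z]*\)/) {
            name = substr($0, 1, RSTART - 1); sub(/[ \t]+$/, "", name)
            sec  = substr($0, RSTART + 1, RLENGTH - 2)
            desc = substr($0, RSTART + RLENGTH); sub(/^[ \t]*-?[ \t]*/, "", desc)
            if (sec in keep) printf "%s (%s) - %s\n", name, sec, desc
        }'
}

# count_commands LIST: how many entries survive the filter
count_commands() { man_sections "$1" | wc -l | tr -d ' '; }

printf '%s\n' "$MAN_K_SAMPLE" | man_sections "1 8"
```

Recent man-db versions can do the section restriction themselves with apropos -s 1,8 ping; the awk version works on any system that has man -k, including a live CD.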

Let’s finish off this lab with some DHCP with Knoppix. You will need to know how to do this if you keep using Knoppix with the Cisco labs. First, open up a Konsole Shell session and look at your current settings:

Now in DOS we did the ipconfig /release and ipconfig /renew commands to release and renew dynamic ip addresses. In Knoppix we just need to shut down the interface and bring it back up to do the same thing (you may have to change to superuser first before bringing it down):

knoppix@star10616121:~$ ifconfig eth0 down
knoppix@star10616121:~$ ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:123769 errors: dropped:0 overruns:0 frame:0
          TX packets:123769 errors: dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:34349148 (32.7 MiB)  TX bytes:34349148 (32.7 MiB)
knoppix@star10616121:~$

Notice how the eth0 interface has disappeared from our ifconfig output. Now that the ip address is gone we need to statically add one in (or if you want to get technical we could revert to dynamic again, but what is the point at this time?).

knoppix@star10616121:~$ ifconfig eth0 192.168.151.169 netmask 255.255.255.0
knoppix@star10616121:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:C0:4F:14:39:04
          inet addr:192.168.151.169  Bcast:192.168.151.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:73817 errors: dropped:0 overruns:0 frame:0
          TX packets:25193 errors: dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:9538284 (9.0 MiB)  TX bytes:21162759 (20.1 MiB)

You will also notice that even though we did not put in the broadcast address, Knoppix figured it out for us from our netmask and ip address.

Now, to get our ip address back to automatic addressing we just need to take the interface down again (which essentially wipes out the static address for the moment), and re-enable dhcp:

knoppix@star10616121:~$ ifdown eth0
knoppix@star10616121:~$ ifup eth0

I know it looks silly but it makes sense in Knoppix language. This all refers to a file you can look at in /etc/network/interfaces (notice it is plural)…if you want to look at that file the easiest way (and most reliable) is to type this at the Konsole prompt:

knoppix@star10616121:~$ kwrite /etc/network/interfaces

This will bring up the default script file for your interface configuration. It is this one that is used for your dhcp and other settings when the machine boots up.

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

The pound sign (#) in front of the lines is ignored by the computer and just signifies a “remark” or “comment” that is inserted by the programmer for ease of reading and understanding later. You get a lot more out of this file than you would if this was the file:

auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp

So, these little comments are great. We can double-check to see if our dhcp is working correctly by going back to the Konsole shell, typing ifconfig again and seeing if it went back to the original ip address of 192.168.151.68. Sometimes that ip address may have been handed out to another machine that requested a dhcp address during its period of non-use, so if it doesn’t come back exactly then you know why. Most of the time you should get it back though.

knoppix@star10616121:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:C0:4F:14:39:04
          inet addr:192.168.151.68  Bcast:192.168.151.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:73817 errors: dropped:0 overruns:0 frame:0
          TX packets:25193 errors: dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:9538284 (9.0 MiB)  TX bytes:21162759 (20.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:123769 errors: dropped:0 overruns:0 frame:0
          TX packets:123769 errors: dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:34349148 (32.7 MiB)  TX bytes:34349148 (32.7 MiB)
knoppix@star10616121:~$
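Two things in the static/dhcp exercise deserve a closer look: why “/24” and 255.255.255.0 are the same mask, and how ifconfig can fill in Bcast:192.168.151.255 when we only gave it an address and a netmask. As an added example (my code, not part of the original lab), the sh functions below do that arithmetic with nothing but shell integer math, reject a netmask that is not a run of ones followed by zeros, and wrap the lab’s ifconfig-down / static / ifdown-ifup sequence as two functions that need root and are not run here.

```shell
#!/bin/sh
# Added example, not part of the original lab: the subnet arithmetic behind
# "/24 aka 255.255.255.0" and behind ifconfig filling in Bcast: on its own,
# plus the lab's static-then-dhcp sequence wrapped as functions (root only).

ALL_ONES=4294967295   # 0xFFFFFFFF, in decimal so every POSIX sh accepts it

# ip_to_int 192.168.151.169 -> 3232274345
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232274345 -> 192.168.151.169
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask 24 -> 255.255.255.0
prefix_to_mask() {
    int_to_ip $(( (ALL_ONES << (32 - $1)) & ALL_ONES ))
}

# mask_to_prefix 255.255.255.0 -> 24; fails on a broken mask such as 255.0.255.0
mask_to_prefix() {
    bits=$(ip_to_int "$1"); n=0
    while [ "$bits" -ne 0 ]; do       # count the one bits
        n=$(( n + (bits & 1) )); bits=$(( bits >> 1 ))
    done
    # a netmask must be a run of ones followed by zeros; anything else is a typo
    [ "$(prefix_to_mask "$n")" = "$1" ] || return 1
    echo "$n"
}

# network_addr IP MASK and broadcast_addr IP MASK: what ifconfig derives for you
network_addr()   { int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }
broadcast_addr() { int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & ALL_ONES) )); }

# The lab's sequence, for root on a box where eth0 is the NIC. Not run here.
set_static_eth0() {
    ifconfig eth0 down
    ifconfig eth0 "$1" netmask "$2"
    echo "ifconfig should now show Bcast:$(broadcast_addr "$1" "$2") Mask:$2"
}
restore_dhcp_eth0() { ifdown eth0 && ifup eth0; }   # back to /etc/network/interfaces

broadcast_addr 192.168.151.169 255.255.255.0   # 192.168.151.255
```

The broadcast address is the ip address with every host bit set to one, which is what the OR with the inverted mask does; the network address is the same bits set to zero. That is the whole of what ifconfig “figured out for us”.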

Are you enjoying the materials? Well, be on the lookout for some other manuals and textbooks on http://www.lulu.com/learningbydoing and http://www.spcollege.edu/star/cisco
