Assignment 1.3 - Linux Networking and Command Line Tools-2

This document provides instructions for an assignment on Linux networking and command line tools. Students are asked to use various Linux commands like hostname, ifconfig, ip, nmap and grep to scan their local network, determine their IP address and network size, and save and filter the nmap scan results. The overall goal is to expand students' understanding of Linux terminal tools and how they can be used together for tasks like network scanning.

Uploaded by

Denis Osanya

ITP 270 – Programming for Cybersecurity

Term: Spring 2023

Assignment 1.3 – Linux Networking and Command Line Tools

Due Date: Check Canvas


Points Possible: 100

1. Overview

This laboratory exercise will expand your understanding of the Linux Terminal (sometimes called the “shell”, command-line, or CLI [1]) and introduce a powerful set of tools all cyber security professionals should fully embrace. Linux and UN*X based operating systems are comprised of thousands of “many small tools that do one thing well,” as the saying goes – a realization that only more seasoned experts fully appreciate. This “many small tools” concept is the foundation of the UN*X philosophy, and if fully embraced, greatly amplifies the user's ability to perform very complex operations. It represents much of the hidden power Linux users have access to.

For the purposes of this lab, we will be focusing on learning more Linux command line tools and how
they work together to provide simple yet powerful functionality.

2. Resources required

We recommend using the latest Cyber Range: Cyber Basics environment, or at the very least, a Kali Linux environment with multiple machines to scan (e.g. target.example.com).

3. Initial Setup

This exercise requires a Kali Linux VM running in the Cyber Range. Log in to your Kali Linux virtual machine (this assumes you are using the latest Cyber Basics environment).

Once logged in to the Kali desktop, open a terminal window. You can launch a terminal window by
accessing it through the Applications menu at the top left and selecting Terminal Emulator.

[1] Wikipedia “Command-Line Interface” - https://en.wikipedia.org/wiki/Command-line_interface


“Command-line interfaces are often preferred by more advanced computer users, as they often provide a more concise and
powerful means to control a program or operating system.”

© 2023 Virginia Cyber Range. Created by T.Weeks (CC BY-NC-SA 4.0)



4. Tasks

Task 1: Some basics of networking, IPv4 addresses and subnet masks

When working in network security, graphical/mouse/window or “GUI” apps can't always accomplish
everything you need, and the power of text-based command-line tools is often required, especially if
you have very specific technical needs or the graphical application you need is not, or cannot be,
installed.

For example, before you can scan your local network, you need to be able to tell what network you are
on and how large it is. You can quickly get your network card's public IP address with the hostname,
ifconfig or ip command-line tools. Getting your main public IP address is most easily done using the
hostname command:

$ hostname -I
172.31.107.239

QUESTION-1.1: What is your IPv4 IP address (four numbers separated by a “.”)?

That last command provided your machine's primary (non-localhost) IP address; however, before you
can scan your network, you still need to know how large (how many IPs) are on your local area network
(i.e. where to start and stop scanning). This information is defined by your LAN (Local Area Network)
netmask number (e.g. 255.255.255.0) or CIDR (/24) network mask size. The ifconfig or ip
commands can show you the size of your network.

Run the following commands and write down your eth0 device's LAN size in netmask (255 or VLSM) notation and in CIDR (or “slash”) notation:

$ ifconfig eth0 # look for the number starting with 255
$ ip addr show eth0 # look for the 1-2 digit number after the “/”

DEEP DIVE: Understanding subnets is important in the network security profession. IPv4 addressing offers 32 bits (2^32), or 4.2 billion+ addressable IPs on the planet, represented by four 8-bit numbers (e.g. your IP). Each 8-bit section, or octet, of an IP is represented by a number between 0-255. Your network's netmask number (that 255 number) and “/” CIDR notation mask off, or break out, your LAN or subnet's network size from that 32-bit global address space, like a phone area code. Since each octet of your IP address represents 8 bits of address space, a netmask of 255.255.255.0 masks off your 8-bit (or 255 IPs) network size. In CIDR notation, this is represented as /24 (32 - 24 yields 8 bits of IPs). Thus, a network mask of 255.255.255.0 or /24 = 8 free bits (or 2^8) of IP space, or 255 possible addresses on such a network.

For more information on subnets and CIDR addressing, see https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

QUESTION-1.2: What is your eth0 netmask size (the 255 number)?


QUESTION-1.3: What is your eth0 CIDR notation (/ number) size?

EXTRA CREDIT: Calculate the number of IPs your network can handle.
EXTRA CREDIT HINT: calculate 2^(32 – your CIDR number)

Commands/concepts: hostname, ifconfig, ip, netmask & CIDR notation.
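The arithmetic behind Task 1 and the extra credit, as an added example that is not part of this handout: POSIX sh functions (names are my own) that convert between the dotted netmask ifconfig prints and the prefix length ip addr prints, and compute 2^(32 - prefix). Note that for /24 this yields 256 addresses, of which the first (network) and last (broadcast) are not assignable to hosts, which is why practitioners quote 254 usable hosts.

```shell
#!/bin/sh
# Added example, not part of the lab handout: the subnet arithmetic behind
# Task 1, written as POSIX sh functions so it runs in any Kali terminal.
# Addresses in a block with prefix P are 2^(32 - P); the first (network) and
# last (broadcast) of those are not assignable to hosts.

# Reject anything that is not a decimal prefix length between 0 and 32.
valid_prefix() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ]
}

# Total addresses in the block: 2^(32 - prefix), e.g. /20 -> 4096, /24 -> 256.
cidr_to_count() {
    valid_prefix "$1" || return 1
    echo $(( 1 << (32 - $1) ))
}

# Convert a prefix length to a dotted netmask: /20 -> 255.255.240.0.
cidr_to_netmask() {
    valid_prefix "$1" || return 1
    mask=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

# Convert a dotted netmask to a prefix length: 255.255.240.0 -> 20.
# A real netmask is a run of 1 bits followed by 0 bits; anything else
# (e.g. 255.0.255.0) is rejected rather than silently miscounted.
netmask_to_cidr() {
    oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    value=0
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        value=$(( (value << 8) | octet ))
    done
    bits=0; n=$value
    while [ "$n" -gt 0 ]; do
        bits=$(( bits + (n & 1) )); n=$(( n >> 1 ))
    done
    [ "$value" -eq $(( (4294967295 << (32 - bits)) & 4294967295 )) ] || return 1
    echo "$bits"
}

# Stand-alone run with the handout's /20 example.
echo "/20 holds $(cidr_to_count 20) addresses, netmask $(cidr_to_netmask 20)"
echo "255.255.240.0 is a /$(netmask_to_cidr 255.255.240.0)"
```

Paste the functions into your shell and run cidr_to_count with the number after the “/” from ip addr show eth0, or netmask_to_cidr with the 255 number from ifconfig eth0; the two tools show the same mask in different notations.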

Task 2: Using Nmap scanning, file redirection and piped output

Now that you have your IP address, and your “/” CIDR network size, you can correctly use the nmap
command to ping-scan (-sP) your local network.

Run the following command where IP is the IP address of your machine and CIDR is the network size
you previously found when you executed the ip addr show eth0 command in the above
example:

$ nmap -sP IP/CIDR

On my network, my IP address is 172.31.107.239 and my network size is 20, so I get this when I run the following:

$ nmap -sP 172.31.107.239/20

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-02 22:23 UTC
Nmap scan report for ip-172-31-102-150.ec2.internal (172.31.102.150)
Host is up (0.00077s latency).
Nmap scan report for ip-172-31-107-82.ec2.internal (172.31.107.82)
Host is up (0.00084s latency).
Nmap scan report for ip-172-31-107-239.ec2.internal (172.31.107.239)
Host is up (0.00024s latency).
Nmap scan report for ip-172-31-110-8.ec2.internal (172.31.110.8)
Host is up (0.00048s latency).
Nmap done: 4096 IP addresses (4 hosts up) scanned in 62.29 seconds
$

It will take a minute or so to scan every IP on your network. Be patient.

NOTE: You may see only one IP address (yourself), a couple of IPs (you and one other machine) or a
number of IPs (four in the example above). In this example, my machine is on a /20 sized network (4096
IPs max) along with three other machines, i.e. it tells me there are four (4) hosts up.

WARNING: Ping or port scanning is often used by hackers to enumerate all the machines on a network, and as such can be seen as a prelude to an attack. So, if it's not your network, always ask the network admin, system or network owner if it's okay before doing something as potentially provocative as a network host scan.

QUESTION-2.1: Including yourself, how many IPs did your scan find?

If you wanted to harvest and record this information for auditing or later use, you can easily record this
info to a file called network-scan.txt by using the command line file re-direction “>” operator, like this:

$ nmap -sP 172.31.107.239/20 > network-scan.txt

LINUX TIP: If nmap or any other command-line process locks up or gets stuck, use CTRL-C to
break out of most command-line processes.

This command line file re-direction “>” operator sends the standard output (called stdout) of nmap
into the .txt file. Now you can examine this information over and over using cat (short for
concatenate), which just prints a file to the screen's standard output (stdout):

$ cat network-scan.txt
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-02 22:23 UTC
Nmap scan report for ip-172-31-102-150.ec2.internal (172.31.102.150)
Host is up (0.00077s latency).
Nmap scan report for ip-172-31-107-82.ec2.internal (172.31.107.82)
Host is up (0.00084s latency).
Nmap scan report for ip-172-31-107-239.ec2.internal (172.31.107.239)
Host is up (0.00024s latency).
Nmap scan report for ip-172-31-110-8.ec2.internal (172.31.110.8)
Host is up (0.00048s latency).
Nmap done: 4096 IP addresses (4 hosts up) scanned in 62.29 seconds

To filter this information down to something more useful, you can pipe the stdout using the pipe “|” operator (see below) to direct the stdout of cat into another program (grep) to get back, or filter out, only what we're interested in. The program called grep (global regular expression print) filters the output to look for patterns and filters out everything else, as shown below:

$ cat network-scan.txt | grep "^Nmap scan"


Nmap scan report for ip-172-31-102-150.ec2.internal (172.31.102.150)
Nmap scan report for ip-172-31-107-82.ec2.internal (172.31.107.82)
Nmap scan report for ip-172-31-107-239.ec2.internal (172.31.107.239)
Nmap scan report for ip-172-31-110-8.ec2.internal (172.31.110.8)

In this example, grep filtered down to only the lines that start (“^”) with "Nmap scan". When you pipe (using “|”), one command's standard output is channeled into the next command's standard input (or stdin), and the output of the first command serves as the data input to the second. In the above example, the output from cat serves as the input to the grep command. The ^ is just a “regular expression” anchor that tells grep it should only match starting from the beginning of each line.

NOTE: The grep command is a very powerful Linux command line tool that only does one thing. It
searches for strings in a stdout stream (or within a file name, if provided). Combined with other single-
purpose tools, the command line becomes very simple and elegantly powerful.


Once you have “grepped” the information you're looking for (just the lines starting with “Nmap”, for example), you could even try piping that output through to the command line email program called mail, like this:

$ cat network-scan.txt | grep "^Nmap scan" \
    | mail -s "nmap scan from $HOST on $(date +%Y-%m-%d)" \
    me@example.com

NOTE: This command “one liner” (with the “mail” tool) may not work in the Cyber Range, as the range
prevents you from sending data out of the range except via http/https web traffic.

This will pipe the output of your command and email it to the email address me@example.com.

Dissecting that last command:

grep "^..." — grep pattern “^” begins matching from the start of the line

\ — Putting \ as the last character of a line allows you to hit the Enter key to keep typing very long commands (not required; if you keep typing, the command will wrap to the next line)

mail -s — send an email from standard input (normally from the keyboard) or piped from the previous command, with the “-s”ubject of the “stuff in quotes” to the email address at the end of this command.

$HOST — the OS environment variable for your hostname. (try typing the command echo $HOSTNAME )

$(date…) — Any command put in the $(command) structure will substitute that command's output within our command line.
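The redirection, anchored grep and $(command) substitution from Task 2, as an added example that is not part of this handout. It works on a constructed copy of the sample report so nothing has to be scanned, saves it under a date-stamped name with “>”, pulls out the per-host lines, and cross-checks them against nmap's own “(N hosts up)” summary; function names are my own. Two practical notes: grep can read the file directly (cat | grep is a convenience), and bash exports HOSTNAME while zsh sets HOST, so the subject-line function uses uname -n, which works in either shell.

```shell
#!/bin/sh
# Added example, not part of the lab handout: saving a scan report with ">",
# pulling out the per-host lines with an anchored grep, and building a
# date-stamped name/subject with $(command) substitution. SAMPLE_SCAN is a
# constructed copy of the handout's sample output so nothing has to be scanned.

SAMPLE_SCAN='Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-02 22:23 UTC
Nmap scan report for ip-172-31-102-150.ec2.internal (172.31.102.150)
Host is up (0.00077s latency).
Nmap scan report for ip-172-31-107-82.ec2.internal (172.31.107.82)
Host is up (0.00084s latency).
Nmap scan report for ip-172-31-107-239.ec2.internal (172.31.107.239)
Host is up (0.00024s latency).
Nmap scan report for ip-172-31-110-8.ec2.internal (172.31.110.8)
Host is up (0.00048s latency).
Nmap done: 4096 IP addresses (4 hosts up) scanned in 62.29 seconds'

# Write report text ($1) into directory $2 (default .) under a date-stamped
# name and print the path. ">" sends stdout into the file; "$(date ...)" is
# replaced by the command's output before the redirection happens.
save_report() {
    dir=${2:-.}
    out="$dir/network-scan-$(date +%Y-%m-%d).txt"
    printf '%s\n' "$1" > "$out"
    echo "$out"
}

# One "Nmap scan report" line per discovered host. The ^ anchor keeps grep from
# matching those words elsewhere on a line. grep reads the file itself; the
# handout's "cat file | grep" gives the same result with one extra process.
scan_report_lines() { grep "^Nmap scan" "$1"; }

# -c counts matching lines instead of printing them.
count_hosts_up() { grep -c "^Nmap scan" "$1"; }

# Defensive check: the number of per-host lines should agree with the
# "(N hosts up)" figure nmap prints in its summary line.
check_summary() {
    found=$(count_hosts_up "$1")
    claimed=$(sed -n 's/.*(\([0-9]*\) hosts up).*/\1/p' "$1")
    [ "$found" = "$claimed" ]
}

# Subject line like the handout's mail example. bash exports HOSTNAME and zsh
# sets HOST; uname -n prints the same name in either shell, so it is used here.
report_subject() { echo "nmap scan from $(uname -n) on $(date +%Y-%m-%d)"; }

# Stand-alone run: save the sample, list the hosts, and print the subject line.
report=$(save_report "$SAMPLE_SCAN" "${TMPDIR:-/tmp}")
scan_report_lines "$report"
echo "$(count_hosts_up "$report") host(s) up; subject: $(report_subject)"
```

The check_summary function is the kind of sanity check worth keeping when a report is going to be audited later: if someone edits the saved file, the per-host lines and the summary line stop agreeing.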

QUESTION-2.2: What do you get when you type the following command (do not type question mark):

echo "Today's date is $(date +%Y-%m-%d)" ?

See the man date command for more date output format options.

NOTE: You cannot actually send email from a Cyber Range VM, as you are walled off from the Internet,
except for web traffic through our web proxy. Try using the set command and piping it through grep
looking for the string PROXY to discover our proxy URL. Could you find it?

This illustrates that you can really do a lot of very powerful things from the command line and just piping
commands together. Just imagine how complicated writing a graphical tool or “App” to do a network
scan, filter down the output, and then email it to you would be. Learning and embracing this UN*X
philosophy of “many small tools that do one thing well” (and work together) puts a ton of power at your
fingertips, if you're willing to learn even just a dozen or so common command line interface (CLI)
commands.


QUESTION-2.3: Instead of using “>” to re-direct nmap's output to a text file, and then using cat to print
into | grep … | mail …, what one-liner command could have done the nmap + grep + mail
command all at once without going out to a text file first?

Commands/concepts: nmap, grep, mail, stdout, $HOST, $(embedded commands).

Task 3: Fine tuning your command line skills

Extracting even more useful actionable output from tools like nmap requires a bit of automated
copying/pasting. In the command-line world there are several ways to auto copy more targeted, useful
data out of stdout data streams. One popular, easy-to-use tool is the cut command. From the nmap
man page, we find that using the “-oG -” option will give us “greppable” output to stdout like this:

$ nmap -sP -oG - 172.31.107.239/20

# Nmap 7.70 scan initiated Fri Aug 3 20:16:45 2018 as: nmap -sP -oG - 172.31.107.239/20
Host: 172.31.102.150 (ip-172-31-102-150.ec2.internal) Status: Up
Host: 172.31.107.82 (ip-172-31-107-82.ec2.internal) Status: Up
Host: 172.31.107.239 (ip-172-31-107-239.ec2.internal) Status: Up
Host: 172.31.110.8 (ip-172-31-110-8.ec2.internal) Status: Up
# Nmap done at Fri Aug 3 20:17:39 2018 -- 4096 IP addresses (4 hosts up) scanned in 54.43 seconds

NOTE: nmap's output format options are:

-oN <file> # Normal formatted output to <file> + normal output to stdout
-oX <file> # XML formatted output to <file> + normal output to stdout
-oS <file> # s|<rIpt kIddi3 (hacker speak) output to <file> + normal output to stdout
-oG <file> # Greppable format output to <file> + normal output to stdout
-oG - # Greppable format output to stdout (console), no file written

This -oG - or “greppable” formatted stdout output is much more useful for shell scripting (as we'll see in a moment), while -oX is well suited to more formal programming in languages like Python or Ruby (parsing the XML, or converting XML to JSON), and -oS is great for impressing friends with your “mad hacker skills.”

QUESTION-3.1: Using the -oG (greppable) output with nmap, but focusing only on the grep part, if we want to grab just the lines of output that contain IP addresses, what would we need to grep for?

$ nmap -sP -oG - … | grep

HINT: If all you want are lines with usable IP addresses, then one way to get this info might be to
only return lines that begin with the string “Host:”.

Assuming you answered the previous question, your output should look something like this:

Host: 172.31.102.150 (ip-172-31-102-150.ec2.internal) Status: Up
Host: 172.31.107.82 (ip-172-31-107-82.ec2.internal) Status: Up
Host: 172.31.107.239 (ip-172-31-107-239.ec2.internal) Status: Up
Host: 172.31.110.8 (ip-172-31-110-8.ec2.internal) Status: Up

Now that we've grepped the more useful lines, the cut command allows you to treat the stdout stream
kind of like a spreadsheet, where you tell cut what the “field delimiters” (or special characters that
separate fields or cells) are.

For example, piping that last grep command's stdout into …| cut -f3 -d":", would cut out “field
3” with a “:” delimiter, resulting in the following output:

Up
Up
Up
Up

NOTE: In many raw text data files, delimiters are usually commas, tab characters, or spaces. Which “field” and “delimiter” settings should we probably use to cut out only the IPs from those “Host:” output lines?

QUESTION-3.2: What x & y values for the -fx and -d"y" will return only the list of target IP addresses
from the nmap IP scan? Use the man cut manual if needed. What's the full nmap …| grep …|cut
… command you would use?

If you got that last question, then your output should look something like this:

172.31.102.150
172.31.107.82
172.31.107.239
172.31.110.8

The nmap | grep | mail … and nmap | grep | cut … usage patterns are very useful, but there are even more powerful things you can do here. Once you have a list of machine IPs on your network, you can feed that list of IP addresses into all sorts of automation scripts that act on those IPs:

$ nmap … | grep … | cut … | virus-scan.sh

$ nmap … | grep … | cut … | reboot-servers.sh

$ nmap … | grep … | cut … | server-backup.sh

NOTE: In the examples above, for these to work assumes that someone provided you the *.sh
script files, and that you have login access to and administrative permissions on those machine
IPs on your network.
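The cut discussion above and the automation idea in the NOTE, as one added example that is not part of this handout. It takes a constructed copy of the greppable output, shows cut's field/delimiter idea on the hostname and status fields (the IP field is Question 3.2, so it is left for you), and adds the check a practitioner wants before any scan output reaches virus-scan.sh or a reboot script: every address is validated as a dotted-quad IPv4 address first, and anything malformed is reported rather than passed on. Function names and the TAMPERED sample are my own; awk's $2 is used to pull the address column for the validator.

```shell
#!/bin/sh
# Added example, not part of the lab handout: carving fields out of nmap's
# greppable (-oG -) output with cut, then validating each address before any
# automation script is allowed to see it. GREPPABLE is a constructed copy of the
# handout's sample; TAMPERED is a constructed input with one bad address.

GREPPABLE='# Nmap 7.70 scan initiated Fri Aug 3 20:16:45 2018 as: nmap -sP -oG - 172.31.107.239/20
Host: 172.31.102.150 (ip-172-31-102-150.ec2.internal) Status: Up
Host: 172.31.107.82 (ip-172-31-107-82.ec2.internal) Status: Up
Host: 172.31.107.239 (ip-172-31-107-239.ec2.internal) Status: Up
Host: 172.31.110.8 (ip-172-31-110-8.ec2.internal) Status: Up
# Nmap done at Fri Aug 3 20:17:39 2018 -- 4096 IP addresses (4 hosts up) scanned in 54.43 seconds'

TAMPERED='Host: 172.31.102.150 (ip-172-31-102-150.ec2.internal) Status: Up
Host: 300.1.1.1 (bogus-entry) Status: Up'

# Only "Host:" lines carry an address; the "#" lines are nmap's own header/footer.
host_lines() { printf '%s\n' "$1" | grep "^Host:"; }

# cut splits each line at the -d delimiter and prints field -f. Using "(" and
# then ")" as delimiters isolates the reverse-DNS name between the parentheses.
host_names() { host_lines "$1" | cut -d"(" -f2 | cut -d")" -f1; }

# The handout's cut -f3 -d":" example: field 3 is " Up" with a leading space,
# because the space after the second ":" is part of the field; sed trims it.
host_status() { host_lines "$1" | cut -d":" -f3 | sed 's/^ *//'; }

# True only for a well-formed dotted quad: four decimal octets, each 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Addresses to hand to a downstream script (the handout's virus-scan.sh and
# friends). awk's $2 is the whitespace-separated field after "Host:"; every
# value is validated first, and rejects go to stderr instead of the pipeline.
validated_ips() {
    printf '%s\n' "$1" | awk '/^Host:/ { print $2 }' | while read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'skipping malformed address: %s\n' "$ip" >&2
        fi
    done
}

# Stand-alone run: hostnames, then the validated address list.
host_names "$GREPPABLE"
validated_ips "$GREPPABLE"
```

Replace GREPPABLE with real nmap -sP -oG - output on your own network and validated_ips becomes the safe front end for the nmap … | grep … | cut … | script.sh pipelines above: the script only ever receives lines that look like addresses.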

While the examples above are beyond the scope of this exercise, you can see how, building on the 3-4 little command line tools you just learned, the output of your commands can pass your network's desktop and server IP addresses into automation scripts such as virus scanners, server reboot scripts, or even network backup scripts, which is very powerful. All this power comes from just learning a handful of command line commands.

As you can see, using standard output and piping one command's output into another small command's input, you can do a great many powerful things to systems all across your network, all without getting out of your chair, or even touching a mouse.

Commands/concepts: nmap -oG, scripting automation

QUESTIONS:

1.1 What is your IPv4 IP address (four numbers separated by a “.”)?

1.2 What is your eth0 netmask size (the 255 number)?

1.3 What is your eth0 CIDR notation (/ number) size?

Extra Credit: Calculate the number of IPs your network can handle.

2.1 Including yourself, how many IPs did your scan find?

2.2 What do you get when you type the command echo "Today's date is $(date +%Y-%m-%d)" ?

2.3 Instead of using “>” to send nmap's output to a text file, and then using cat to print it into | grep … | mail …, what single piped command could have done it all at once without going out to a text file first?

3.1 Focusing only on the grep part of the one-liner, if we want to grep out just the lines of output that
contain IP addresses, what would we need to grep for?
nmap -sP -oG - … | grep _________

3.2 Building on the last nmap … | grep … command, what x & y values for the -fx and -d"y" will return
only the list of target IP addresses from the nmap IP scan? Use the man cut manual if needed. What's
the full nmap …| grep …|cut … command you would use?

5. References

[1] Wikipedia “Command-Line Interface” - https://en.wikipedia.org/wiki/Command-line_interface
