Linux Basic Network Management

Linux administration commands to manage network interfaces, analyze sockets using tools like ifconfig, ip, systemctl.

Krit Karnjanakrajang

Krit Karnjanakrajang

|
Krit Karnjanakrajang

Krit Karnjanakrajang

Founder

A visionary leader with a passion for technology, He expertise in Business Analyst and AI integration helps the team deliver exceptional results on time, he leads the team towards transformative results.

Learn Linux Basic Network Management
#Fundamental Concepts #Cybersecurity #Ethical Hacking #Network Interface #Linux Commands

Linux Basic Network Management

As a pentester (or aspiring pentester), you’ll often find yourself working with Linux systems in various capacities. Whether you’re targeting them during an engagement, or simply using them as your main operating system for offensive security tools, a firm grasp of basic Linux administration skills is crucial. Understanding how to manage network interfaces, inspect connections, and control services ensures you can both configure your testing environment properly and identify potential vulnerabilities or misconfigurations in a target system. Let’s dive in.

1. Network Interface Management

1.1 ifconfig and ip Usage

Historically, the ifconfig command was the go-to tool for network interface configuration and management on Unix-like systems. Although ifconfig is still present on many distributions, the newer ip command has largely replaced it. Pentesters should become familiar with both, because you may encounter older systems that rely on ifconfig, and newer ones that favor ip.

ifconfig

  • Syntax: ifconfig [interface] [options]

  • Example:

# View information for all interfaces 
ifconfig 

# View information for a specific interface 
ifconfig eth0 

# Assign an IP address and netmask to eth0 
sudo ifconfig eth0 192.168.1.10 netmask 255.255.255.0 

# Bring an interface up or down 
sudo ifconfig eth0 up
sudo ifconfig eth0 down

When you run ifconfig without any arguments, it lists all active interfaces and displays their corresponding IP addresses, netmasks, and other details. When you specify an interface (like eth0 or wlan0), you can inspect or modify its configuration.

ip

  • Syntax: ip [object] [command]

  • Example:

# Show all network interfaces and their IP addresses 
ip addr show 

# Assign an IP address to an interface 
sudo ip addr add 192.168.1.10/24 dev eth0 

# Bring an interface up or down 
sudo ip link  set eth0 up
sudo ip link  set eth0 down 

# Show routing table 
ip route show

The ip command is more modern and flexible. Unlike ifconfig, it splits responsibilities into objects like addr, link, and route. For pentesters, one advantage of using ip is its ability to handle multiple IP addresses on a single interface, which can be useful in certain engagement scenarios where you might simulate multiple hosts from a single machine.

1.2 Viewing and Configuring IP Addresses, Network Masks, and Gateways

  • Viewing IPs:

    • With ifconfig, simply type ifconfig.

    • With ip, type ip addr show.

  • Configuring IP and Netmask:

    • Using ifconfig:
    sudo ifconfig eth0 192.168.1.10 netmask 255.255.255.0
    • Using ip:
    sudo ip addr add 192.168.1.10/24 dev eth0

    Note that /24 denotes a netmask of 255.255.255.0.

  • Configuring Gateways (Default Routes):

    • With ifconfig and route:
    sudo route add default gw 192.168.1.1
    • With ip:
    sudo ip route add default via 192.168.1.1

Ensuring you have the correct gateway is critical—without it, your system won’t know how to send traffic beyond your local subnet. This is often relevant in internal pentests where you need to pivot through different network segments.

1.3 Verifying Network Connectivity

After configuring your interface, you’ll want to verify network connectivity. The most common tools for this are:

  • ping: Tests reachability by sending ICMP echo requests. For example:

    ping 8.8.8.8

    If you see replies, it generally means you can reach that IP address. Lack of a reply might indicate a network or firewall issue.

  • traceroute (or tracepath): Diagnoses path to a specific host. It shows each hop your packet goes through. Example:

    traceroute 8.8.8.8

    This can reveal potential routing issues or identify network segments blocking traffic.

  • curl or wget: Tests HTTP connectivity to a specific URL. For instance:

    curl https://example.com

    This is often helpful if you suspect only certain ports/protocols are allowed on a network.

2 Network Socket and Connection Analysis

2.1 netstat vs. ss Commands

Knowing which ports are open and how data flows in and out of your system can be crucial for pentesters. Historically, netstat was the standard command-line tool for examining active connections, listening ports, and more. However, ss (socket statistics) is a newer, faster, and more powerful tool that replaces netstat on many modern systems.

netstat

  • Common Usage:

    netstat -tulpn

    This command displays:

    • -t: TCP ports

    • -u: UDP ports

    • -l: Listening sockets

    • -p: Process name/PID

    • -n: Numeric output (rather than resolving hostnames)

  • What You Learn:

    • The port numbers in use

    • The processes (by PID) that opened the ports

    • Whether those ports are listening or in active use

ss

  • Common Usage:

    ss -tulpn

    ss uses a similar syntax to netstat but is typically faster and offers more robust filtering options. For example, if you want to see only listening TCP sockets on port 80, you could do:

    ss -tln sport = :80

While netstat remains widely used and recognized, many modern Linux distributions recommend ss for lower overhead and better performance. As a pentester, being proficient in both helps you adapt to whichever tool is installed on the target system.

2.2 Checking Open Ports and Listening Services

Open ports are essential in pentesting: they are entry points to a system. You might use external tools like nmap to scan targets, but if you’re on the system itself (e.g., after a successful SSH login to a box you’re testing), you can use netstat or ss to determine what the system is exposing.

For instance:

ss -tulpn

will reveal a list of listening TCP and UDP sockets, along with the processes bound to them. This information can help you spot services you might not expect—like a hidden web server or a random database instance.

2.3 Diagnosing Suspicious Connections or Unusual Traffic

Once you have a baseline understanding of what’s normally running on a system, you can spot anomalies—perhaps an unexpected process is listening on a high-numbered port, or there are inbound connections from unknown IP ranges. When you see something suspicious:

  1. Check the process: Use a combination of ps aux, top, or htop to see what the process is doing.

  2. Examine configuration files: If it’s an HTTP-based service, examine its config to see if it’s serving hidden endpoints.

  3. Analyze traffic: Use tools like tcpdump or wireshark for deeper packet-level analysis. You might discover malicious traffic or data exfiltration attempts.

3 Service and Process Control

3.1 systemctl Basics (start, stop, enable, disable Services)

Modern Linux distributions rely heavily on systemd, which manages services via systemctl. If you’re on an older system, you might deal with SysV init scripts (using commands like service and chkconfig), but for most current distributions, systemctl is the standard.

  • Check status:

    systemctl status sshd

    This shows whether sshd (the OpenSSH daemon) is running, enabled, or inactive.

  • Start a service:

    sudo systemctl start sshd

  • Stop a service:

    sudo systemctl stop sshd

  • Enable (auto-start on boot):

    sudo systemctl enable sshd

  • Disable (no auto-start on boot):

    sudo systemctl disable sshd

3.2 Common Linux Services (e.g., sshd, apache2)

Some of the most common services you’ll interact with on Linux include:

  • sshd: The SSH server daemon. Allows remote shell login using the SSH protocol. If you’re pentesting a machine, you may attempt to brute force or guess credentials for SSH if it’s exposed. As an admin, you might need to manage SSH availability or configuration for security (e.g., disabling root login).

  • apache2 or httpd: The Apache web server. Common in hosting environments. As a pentester, you’ll want to check what version is running, search for known vulnerabilities, or attempt to exploit misconfigurations. As an admin, you might tune its modules or secure the configuration file (e.g., remove default pages, disable directory listing).

  • mysql or mariadb: Common database services. Again, from a pentester standpoint, open database ports can be a goldmine for vulnerabilities or misconfigurations, especially if remote root logins are allowed without proper access controls.

  • cron: While not exactly a “service” in the typical sense, it’s a background job scheduler. Malicious cron entries can be used for persistence by attackers, and from a pentest perspective, you might add or modify cron jobs as part of post-exploitation. As an admin, you should regularly review cron jobs to ensure they’re legitimate.

3.3 Security Considerations (Ensuring Minimal Necessary Services Are Running)

From a pentester’s perspective, every open port is a potential doorway. Therefore, you want to enforce the principle of least privilege and minimal services:

  1. Disable or uninstall what you don’t need: If you’re not serving web pages, you probably don’t need Apache running.

  2. Restrict service usage: If a service must run, configure it to listen only on the necessary interfaces. For example, if you only need local DB access, configure the database to listen on 127.0.0.1 (localhost) instead of 0.0.0.0.

  3. Keep services up to date: Old versions of services can be riddled with known exploits. Regular patching helps avoid easy compromises.

Suggested Learning Path

  1. Start with Admin Commands: As recommended, begin by mastering commands like ifconfig, ip, netstat, ss, and systemctl. These will form your foundational skill set for any pentesting activities on Linux.

  2. Deep Dive into Networking: Practice configuring multiple IPs on a single interface, route traffic through a custom gateway, and experiment with bridging or NAT setups if you have access to advanced lab environments. Understanding how traffic is routed and how to manipulate it will be invaluable when pivoting across multiple network segments during a pentest.

  3. Service Hardening: Once comfortable with managing processes and services, explore how to harden them:

    • Configure firewalls (e.g., ufw or iptables).

    • Use SSH key-based authentication instead of passwords.

    • Disable unnecessary services and remove default configurations.

  4. Monitoring and Logging: Learn to use log files (e.g., /var/log/syslog, /var/log/auth.log) to detect suspicious behavior. Tools like journalctl (for systemd-based systems) allow you to filter logs for specific services or time ranges.

  5. Scripting for Automation: As your final step, start integrating what you’ve learned into simple Bash scripts to automate tasks like scanning open ports on your local machine, archiving log files, or quickly configuring new interfaces. Automation skills free up time for more advanced pentesting tasks (like vulnerability research or exploit development).

Putting It All Together in a Pentesting Context

Let’s imagine a scenario where you’ve gained shell access to a Linux target during an internal penetration test. Your next steps might involve:

  1. Check Network Configuration:

    • ip addr show or ifconfig to see which interface(s) you have access to. Maybe you discover a second interface on a private range—this could be gold for lateral movement.

  2. Analyze Running Services:

    • ss -tulpn or netstat -tulpn to list active connections. Possibly you’ll find an instance of mysql listening on a private IP. If it’s older or misconfigured, that’s a potential pivot point or data exfiltration channel.

  3. Control Services:

    • If you have root or sudo privileges, you might start, stop, or reconfigure certain services for privilege escalation or to maintain persistence. For instance, you could enable remote root login in sshd_config if you’re simulating advanced persistent threat (APT)-style activity.

  4. Lock Down Unnecessary Services:

    • As a consultant who also provides recommendations, you might advise the client to stop or disable services that shouldn’t be running. For example, if ftp is installed and listening but not actively in use, disabling it helps minimize the attack surface.

These real-world applications underscore why it’s important to not just memorize commands, but to understand when and why to use them in different scenarios.

Conclusion

A solid understanding of Linux administration commands is indispensable for any pentester. Whether it’s reconnoitering a newly compromised box, securely configuring your own testing environment, or advising a client on best practices, these tools form the backbone of your day-to-day operations. By learning to configure network interfaces, inspect sockets, manage services, and maintain minimal exposure, you’re building the skill set that lets you tackle more advanced pentesting tasks with confidence.

Here’s a quick recap:

  • Network Interface Management: Use ifconfig or the more modern ip to view and configure IP addresses. Always verify connectivity with ping or curl.

  • Network Socket & Connection Analysis: netstat and ss help you discover open ports, listening services, and suspicious traffic patterns.

  • Service & Process Control: systemctl is the modern way to start, stop, enable, or disable services. Tightly controlling which services run is a key part of securing (and pentesting) any Linux machine.

  • Security Mindset: In pentesting, every open port or running service is a possible entry vector. Minimize services, patch them, and keep configurations tight.

By starting with these fundamentals and then layering in further knowledge (automation, advanced networking, logging, etc.), you’ll be on a clear path to becoming both a competent Linux administrator and an effective penetration tester.

The ability to quickly inspect and secure systems—or compromise them if you have permission—depends on how well you understand these core administration concepts.

Test Your Knowledge

  • Why is it important for pentesters to know which services are running on a system?

  • After gaining shell access to a target, which command would best help identify potentially vulnerable services running?

  • You find that the mysql service is listening on 0.0.0.0:3306. What does this indicate?

  • You want to check if a suspicious external IP is maintaining a persistent connection to the server. What command is most appropriate?

  • If a Linux system is only used for local scripting and testing, what’s a good security hardening step?
Share:
Tweet or X? Share on Facebook Share via WhatsApp Share via Telegram Share via email

← Previous Post

Linux Basics for Penetration Testing

Latest Posts

See all posts