Unix Comp-145 LECTURE 11: UNIX'S NETWORKING TOOLS
BASED ON: S. DAS, "YOUR UNIX: THE ULTIMATE GUIDE", 2ND EDITION, MCGRAW HILL, 2006, CHAPT 14
12/09/2009 rwj BROOKDALE COMMUNITY COLLEGE

NETWORKING TOOLS
• INTRO TO TCP/IP
• MAPPING DOMAIN NAMES TO IP ADDRESSES: /etc/hosts & DNS
• COMMUNICATION ACROSS SYSTEMS: CLIENT/SERVER
• TESTING CONNECTIVITY USING ping
• USE OF telnet FOR REMOTE LOGIN
• USE OF SECURE SHELL (ssh) FOR REMOTE LOGIN
• WHY NEED CRYPTOGRAPHY?
• USE AND LIMITS OF ftp

Intro to TCP/IP
• TRANSMISSION CONTROL PROTOCOL OVER INTERNET PROTOCOL
  – INITIALLY DEVELOPED ON AND FOR THE UNIX PLATFORM
  – AROUND SINCE 1983
  – A PACKET SWITCHING SYSTEM: NO DEDICATED CONNECTION BETWEEN SENDER AND RECEIVER
  – TCP'S STANDARD = IETF'S RFC 793 (+RFC 1323, RFC 2581, ETC.)
  – IP'S STANDARD = IETF'S RFC 791 (+RFC 1826, 1853, 2549, 3768, ETC.)
• PACKETS
  – EACH PACKET CONTAINS A PACKET SEQUENCE NUMBER, A CHECKSUM, PLUS A HEADER THAT CONTAINS AT LEAST A SENDER ADDRESS & ONE OR MORE RECIPIENT ADDRESSES.
  – TRANSFERRED THROUGH THE NETWORK VIA ROUTERS: INTELLIGENT DEVICES THAT INSPECT EACH PACKET AND DECIDE WHAT TO DO NEXT (DELIVER THE PACKET LOCALLY OR FORWARD IT TO ANOTHER ROUTER).

Intro to TCP/IP (Cont'd)
• HOST NAMES AND IP ADDRESSES
  – HOST = COMPUTER IN A NETWORK
  – HOST IDENTIFIED BY ITS hostname VALUE
  – 2 FORMS OF HOST NAME:
    o SIMPLE: sodapop
    o FULLY QUALIFIED DOMAIN NAME (FQDN): sodapop.brookdalecc.edu
  – THE hostname COMMAND REVEALS THE HOST NAME OF THE COMPUTER

Intro to TCP/IP (Cont'd)
• HOST NAMES AND IP ADDRESSES (CONT'D)
  – EACH NETWORKED HOST IS ASSIGNED A NETWORK-UNIQUE IP ADDRESS.
    o SET OF 4 DOT-DELIMITED OCTETS, I.E., EACH OCTET REPRESENTS A SEQUENCE OF 8 BITS OR 1 BYTE.
    o MAX VALUE OF EACH OCTET IS 255
    o FOR ROUTING EFFICIENCY, EACH IP ADDRESS IS DIVIDED INTO A PREFIX AND A SUFFIX:
      THE PREFIX IDENTIFIES THE NETWORK TO WHICH THE COMPUTER IS ATTACHED
      THE SUFFIX IDENTIFIES THE COMPUTER WITHIN THAT NETWORK

Intro to TCP/IP (Cont'd)
• HOST NAMES AND IP ADDRESSES (CONT'D)
  – LIKE FQDNS, AN IP ADDRESS IS HIERARCHICAL
  – ONLY IP ADDRESSES ARE CONSIDERED ROUTABLE.
  – FULLY QUALIFIED DOMAIN NAMES MUST BE CONVERTED TO IP ADDRESSES FOR A ROUTER TO EVALUATE THEM.
  – RESOLUTION OF FQDNS TO IP ADDRESSES IS PERFORMED BY THE "RESOLVER"

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
• /etc/hosts
  – HOLDS NAME-TO-ADDRESS MAPPINGS IN SMALL NETWORKS.
  – FILE OFTEN CALLED THE HOSTS FILE.
  – SYNTAX: IP_ADDRESS HOSTNAME [ALIASES]
    $ cat /etc/hosts
    ::1        localhost localhost.brookdalecc.edu
    127.0.0.1  localhost localhost.brookdalecc.edu
  – 127.0.0.1 = LOCAL (LOOP-BACK) ADDRESS.
    • SOMETIMES USED BY SYSTEM ADMINISTRATORS TO STOP SITES THAT ATTEMPT TO REDIRECT THEIR REQUESTS.
    • CONSIDERED A DEAD-END ADDRESS, BUT SOME MALICIOUS CODE CAN RUN SERVICES ON THE LOOPBACK ADDRESS.

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
• DNS: DOMAIN NAME SYSTEM
  – USED IN LARGER NETWORKS; A DB THAT PROVIDES A NAME-TO-ADDRESS MAPPING SERVICE.
  – HOSTNAMES ARE ORGANIZED HIERARCHICALLY.
  – DISTRIBUTED DB COMPRISED OF VARIOUS HOSTS ON THE INTERNET AND VARIOUS DOMAINS
  – DELEGATION OF AUTHORITY AT INDIVIDUAL LEVELS IN THE HIERARCHY.
  – THREE MAIN COMPONENTS OF DNS
    • RESOLVER (MAPS A NAME TO AN IP ADDRESS)
    • NAME SERVER
    • DATABASE OF RESOURCE RECORDS (RRS)

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
[Figure: partial DNS hierarchy; only the top-level domain labels "int" and "fr" survive from the diagram.]

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
• DOMAINS EXPLAINED
  – TOP LEVEL DOMAINS: IMMEDIATELY SUBORDINATE TO THE "." ROOT DOMAIN.
  – A DOMAIN IS A LABEL OF THE DNS TREE.
  – EACH NODE ON THE DNS TREE REPRESENTS A DOMAIN.
  – A DOMAIN NAME REPRESENTS AN ENTITY'S POSITION WITHIN THE STRUCTURE OF THE DNS HIERARCHY
  – DOMAINS UNDER THE TOP-LEVEL DOMAINS REPRESENT INDIVIDUAL ORGANIZATIONS OR ENTITIES

MAPPING DOMAIN NAMES TO/FROM IP ADDRESSES
• DOMAINS EXPLAINED
  – DELEGATION OF AUTHORITY TO INDIVIDUAL LEVELS IN THE HIERARCHY FALLS TO THE ORGANIZATION'S NETWORK ADMIN.
  – ZONE = GROUP OF DOMAINS AND SUB-DOMAINS FOR WHICH AN ORGANIZATION HAS AUTHORITY

COMMUNICATION ACROSS SYSTEMS
• CLIENT-SERVER PARADIGM
  – ONE ENTITY MAKES A REQUEST, ANOTHER PARTY SERVICES THE REQUEST
  [Figure: the Client sends a Request to the Server; the Server returns a Response.]

COMMUNICATION ACROSS SYSTEMS
• CLIENT-SERVER PARADIGM IN UNIX
  – SERVER PROGRAMS IN UNIX ARE CALLED DAEMONS.
    • RUN IN THE BACKGROUND
    • LISTEN FOR INPUT FROM CLIENTS
    • EXAMPLES:
      – httpd – LISTENS FOR REQUESTS FOR WEB PAGES
      – sendmail – HANDLES E-MAIL
      – inetd – HANDLES FTP AND TELNET REQUESTS
      – ping – DOES NOT NEED A SERVER.

COMMUNICATION ACROSS SYSTEMS (cont'd)
• SERVERS COMMUNICATE VIA PORTS
  o PORT IDs (NUMBERS) ARE DIVIDED INTO 3 RANGES:
    FROM 0 THROUGH 1023 = WELL KNOWN PORTS
    FROM 1024 THROUGH 49151 = REGISTERED PORTS
    FROM 49152 THROUGH 65535 = DYNAMIC AND/OR PRIVATE PORTS
  o "PORTS ARE USED IN THE TCP [RFC793] TO NAME THE ENDS OF LOGICAL CONNECTIONS WHICH CARRY LONG TERM CONVERSATIONS. FOR THE PURPOSE OF PROVIDING SERVICES TO UNKNOWN CALLERS, A SERVICE CONTACT PORT IS DEFINED." THE LIST PUBLISHED BY IANA "SPECIFIES THE PORT USED BY THE SERVER PROCESS AS ITS CONTACT PORT.
    THE CONTACT PORT IS SOMETIMES CALLED THE "WELL-KNOWN PORT"." [1]
  o PORT TYPES: TCP AND UDP (USER DATAGRAM PROTOCOL)
  [1]: HTTP://WWW.IANA.ORG/ASSIGNMENTS/PORT-NUMBERS, LAST UPDATED 12/8/09

COMMUNICATION ACROSS SYSTEMS (cont'd)
• "WELL-KNOWN" SERVER PORTS

  SERVICE  CLIENT PROGRAM                                  SERVER PORT #
  FTP      ftp                                             21
  SSH      ssh, scp, sftp, slogin                          22
  TELNET   telnet                                          23
  SMTP     mailx, netscape                                 25
  HTTP     netscape, mozilla, firefox, opera, konqueror    80
  POP3     fetchmail                                       110

  A COMPLETE LIST OF THE PORTS THAT UNIX LISTENS ON IS FOUND IN /etc/services

COMMUNICATION ACROSS SYSTEMS (cont'd)
• A HOST CONNECTS TO THE NETWORK VIA A NIC (NETWORK INTERFACE CARD) – OFTEN CALLED A "NIC CARD"
• THE CARD IS ASSIGNED AN IP ADDRESS.

TESTING CONNECTIVITY USING ping (cont'd)
• USED TO TEST CONNECTIVITY
• ping SENDS 56-BYTE PACKETS TO A REMOTE HOST, WHOSE NIC CARD ANSWERS BACK
    $ ping sodapop
    PING sodapop: 56 data bytes
    64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=0. time=0. ms
    64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
    64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
    64 bytes from sodapop.brookdalecc.edu (172.17.1.243): icmp_seq=. time=0. ms
    ^C
    --- sodapop PING statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round trip (ms) min/avg/max/stddev = 0.010/0.031/0.006

USE OF telnet FOR REMOTE LOGIN
• LOG IN TO A REMOTE MACHINE OVER AN IP NETWORK [telnet <ip_address>]
• USER ID AND PASSWORD ARE TRANSMITTED IN CLEAR TEXT
• THE LOCAL MACHINE ACTS LIKE A DUMB TERMINAL: IT ECHOES TO THE TERMINAL WHAT IS SENT AND WHAT IS RECEIVED.
• "ESC_KEY" OR "CTL ]" – TEMPORARILY TRANSFERS THE USER TO THE LOCAL MACHINE. THE PROMPT CHANGES TO telnet>
    $ telnet 127.0.0.1
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Trying SRA secure login:
    User (rjesmajian):

USE OF telnet FOR REMOTE LOGIN (cont'd)
• "esc_key" OR "ctl +]" – TEMPORARILY ENABLES THE USER TO RUN COMMANDS ON THE LOCAL MACHINE. THE PROMPT CHANGES TO telnet>
• USE "!" TO RUN COMMANDS ON THE LOCAL SYSTEM
    telnet> !ls -l *.sh

USE OF telnet FOR REMOTE LOGIN (cont'd)
• Microsoft telnet>
    Microsoft Telnet> ctl+]
    Welcome to Microsoft Telnet Client
    Escape Character is 'CTRL+]'
    Microsoft Telnet> ?/help
    Commands may be abbreviated. Supported commands are:
    c    - close                    close current connection
    d    - display                  display operating parameters
    o    - open hostname [port]     connect to hostname (default port 23).
    q    - quit                     exit telnet
    set  - set                      set options (type 'set ?' for a list)
    sen  - send                     send strings to server
    st   - status                   print status information
    u    - unset                    unset options (type 'unset ?' for a list)
    ?/h  - help                     print help information
    Microsoft Telnet> !ls -l ~/*.sh

USE OF SECURE SHELL (ssh) FOR REMOTE LOGIN
• SECURELY LOG IN TO A REMOTE MACHINE OVER AN IP NETWORK [ssh <RemoteMachineName>]
• DEVELOPED TO REPLACE telnet
• USES PUBLIC KEY (ASYMMETRIC) CRYPTOGRAPHIC ALGORITHMS TO GENERATE A MATHEMATICALLY RELATED PUBLIC-PRIVATE KEY PAIR
• THE KEY PAIR IS USED TO
  – ESTABLISH TRUST, I.E., AUTHENTICATE USER & HOST
  – ENCRYPT/DECRYPT PASSWORDS & DATA.

WHY NEED CRYPTOGRAPHY?
• ENCRYPTION/DECRYPTION PROVIDES DATA CONFIDENTIALITY AND DATA INTEGRITY OVER AN INSECURE NETWORK
  o DATA EXCHANGED IS ENCRYPTED BY THE SENDER AND DECRYPTED BY THE RECIPIENT USING A SESSION KEY.
• MESSAGES & TRANSACTIONS CAN BE DIGITALLY SIGNED BY THE ORIGINATOR TO PROVIDE DATA INTEGRITY AND AUTHENTICATION
  o POPULAR ALGORITHMS USED TO GENERATE DIGITAL SIGNATURES:
    RSA (INVENTED BY RIVEST, SHAMIR AND ADLEMAN)
    DSA (DIGITAL SIGNATURE ALGORITHM)

WHY NEED CRYPTOGRAPHY?
(cont'd)
• 2 FORMS OF CRYPTOGRAPHY
  o SYMMETRIC – 1 SECRET KEY
    ADVANTAGE: SIMPLE MATHEMATICAL ALGORITHM; KEY DETERMINED BETWEEN THE 2 PARTIES
    DISADVANTAGE: KEY MANAGEMENT
    USE: MILITARY AND MOST MAJOR FIRMS FOR INTERNAL COMMUNICATIONS
  o ASYMMETRIC – 1 PUBLIC KEY AND 1 PRIVATE KEY
    ADVANTAGE: KEY MANAGEMENT
    DISADVANTAGE: COMPLEX MATHEMATICAL ALGORITHM; MUST SUBSCRIBE TO A PUBLIC KEY ADMINISTRATOR SERVICE
    USE: TELECOMS AND MOST MAJOR FIRMS FOR EXTERNAL COMMUNICATIONS

WHY NEED CRYPTOGRAPHY? (SYMMETRIC CRYPTOGRAPHY)
• DATA PROTECTION (VIA SYMMETRIC ENCRYPTION).
  [Figure: the same Sender's Secret Key is used to encrypt the data and to decrypt it.]

WHY NEED CRYPTOGRAPHY? (ASYMMETRIC CRYPTOGRAPHY)
• DATA PROTECTION (VIA ASYMMETRIC ENCRYPTION). THE RECIPIENT'S SECRET KEY IS THE MATHEMATICAL INVERSE FUNCTION OF THE SENDER'S PUBLIC KEY.

WHY NEED CRYPTOGRAPHY? (DIGITAL SIGNATURES) (cont'd)
• MESSAGE AUTHENTICATION (VIA DIGITAL SIGNATURE).

WHY NEED CRYPTOGRAPHY? (DIGITAL SIGNATURES) (cont'd)
• ORIGINATING A DIGITAL SIGNATURE
  o A MESSAGE DIGEST (MD) IS GENERATED FROM THE MESSAGE USING AN MD CREATION ALGORITHM, I.E., A HASHING ALGORITHM; THE SENDER'S PRIVATE KEY IS THEN APPLIED TO THE DIGEST (NEXT STEP).
    • MESSAGE DIGEST = "SUMMARY" OF THE MESSAGE TO BE TRANSMITTED.
    • MD'S MAIN PROPERTIES:
      1. ALWAYS SMALLER THAN THE MESSAGE ITSELF
      2. THE SLIGHTEST CHANGE IN THE MESSAGE PRODUCES A DIFFERENT DIGEST.
    • THE MESSAGE DIGEST IS ENCRYPTED USING THE SENDER'S ASYMMETRIC PRIVATE KEY. THE RESULTING ENCRYPTED MD = THE DIGITAL SIGNATURE.
  o ATTACH THE COMPUTED DIGITAL SIGNATURE TO THE MESSAGE & SEND.

WHY NEED CRYPTOGRAPHY? (DIGITAL SIGNATURES) (cont'd)
• VALIDATING A DIGITAL SIGNATURE ON RECEIPT
  o USE THE SENDER'S PUBLIC KEY TO DECRYPT THE DIGITAL SIGNATURE TO OBTAIN THE RECEIVED MD, ASSUMED TO HAVE BEEN GENERATED BY THE KNOWN SENDER.
  o USE THE SAME MD ALGORITHM USED BY THE SENDER TO GENERATE YOUR OWN MD OF THE RECEIVED MESSAGE.
  o COMPARE THE 2 MDs:
    1. IF EQUAL, THEN THE MESSAGE IS UNALTERED & NOT FROM AN IMPOSTER.
    2. IF NOT EQUAL, DISCARD THE MESSAGE AS UNTRUSTWORTHY: THE MESSAGE HAS BEEN TAMPERED WITH BY A THIRD PARTY.

FILE TRANSFER PROTOCOL (FTP)
• LOG IN TO A REMOTE MACHINE OVER AN IP NETWORK TO TRANSFER FILES [ftp <remoteMachineName>]
• AUTHORIZED REMOTE USER (USER'S SIGN-ON CREDENTIALS (USERID/PWD) KNOWN BY THE REMOTE SYSTEM)
• ANONYMOUS USER (USERID = anonymous, PWD = USER'S E-MAIL ADDRESS)

FILE TRANSFER PROTOCOL (FTP)
• UPLOADS & DOWNLOADS 2 TYPES OF FILES: ASCII (TEXT) & BINARY (ALL OTHER FILE ENCODINGS)
    ftp> binary
    200 Type set to I
    ftp> put photo1.gif
• PREFACE COMMANDS WITH "!" TO RUN THE COMMAND ON THE LOCAL MACHINE
    ftp> !pwd

FILE TRANSFER PROTOCOL (FTP) (CONT'D)
• FTP COMMANDS FOR USE ON THE REMOTE SYSTEM (IN ALPHABETICAL ORDER):
    ! $ account append ascii bell binary bye case cd cdup chmod close cr debug
    delete dir disconnect edit epsv4 exit features fget form ftp gate get glob
    hash help idle image lcd less lpage lpwd ls macdef mdelete mdir mget mkdir
    mls mlsd mlst mode modtime more mput mreget msend newer nlist nmap ntrans
    open page passive pdir pls pmlsd preserve progress prompt proxy put pwd quit
    quote rate rcvbuf recv reget remopts rename reset restart rhelp rmdir rstatus
    runique send sendport set site size sndbuf status struct sunique system tenex
    throttle trace type umask unset usage user verbose xferbuf ?

FILE TRANSFER PROTOCOL (FTP) (CONT'D)
• TO UPLOAD FILES ONTO THE REMOTE SYSTEM USE put OR mput
  o put – UPLOADS ONE FILE AT A TIME
    ftp> binary
    200 Type set to I.
    ftp> put photo1.gif
  o mput – UPLOADS ONE OR MORE FILES AT A TIME
    ftp> binary
    200 Type set to I.
    ftp> mput photo*.gif
    ftp> ascii
    200 Type set to A.
    ftp> mput mo*.sh

FILE TRANSFER PROTOCOL (FTP) (CONT'D)
• TO DOWNLOAD FILES FROM A REMOTE SYSTEM USE get OR mget.
  o THE get COMMAND DOWNLOADS ONE FILE AT A TIME
    ftp> binary
    200 Type set to I.
    ftp> get photo1.gif
  o mget DOWNLOADS ONE OR MORE FILES AT A TIME
    ftp> binary
    200 Type set to I.
    ftp> mget photo*.gif

FILE TRANSFER PROTOCOL (FTP) (CONT'D)
• NORMALLY, prompt AND hash ARE INVOKED IMMEDIATELY BEFORE get AND mget
  o prompt MAKES get AND mget BEHAVE NON-INTERACTIVELY, IF INTERACTIVE MODE WAS ACTIVE.
    ftp> prompt
    Interactive mode off.
    ftp>
  o hash CAUSES A "#" TO BE PRINTED EACH TIME A BLOCK OF DATA IS TRANSFERRED.
    ftp> hash
    Hash mark printed on (1024 bytes/hash mark).
    ftp>
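The hash-then-sign procedure from the digital signature slides above (originating: compute the MD, apply the sender's private key, attach; validating: apply the sender's public key, recompute the MD, compare), as an added example in Python that is not part of the lecture or the textbook. It assumes textbook RSA with toy 256-bit primes and SHA-256 as the MD algorithm, and omits the padding that real signature schemes use, so it illustrates the mechanism only.

```python
import hashlib
import secrets
# Added example (not from the lecture): hash-then-sign with textbook RSA and a
# SHA-256 message digest. Toy key sizes, no padding: for illustration only.
def is_probable_prime(n, rounds=32):
    # Miller-Rabin test; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # found a witness: n is composite
    return True

def generate_keypair(bits=256):
    # returns ((n, e), (n, d)); n has ~2*bits bits (toy size; real keys use 2048+)
    e = 65537
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p != q and is_probable_prime(p) and is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % e:                                    # gcd(e, phi) == 1
                return (p * q, e), (p * q, pow(e, -1, phi))

def message_digest(message: bytes) -> int:
    # the "summary": fixed size, and any change to the message changes it
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    n, d = private_key
    return pow(message_digest(message), d, n)   # MD "encrypted" with private key

def verify(message: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    # recover the sender's MD with the public key and compare with our own MD
    return pow(signature, e, n) == message_digest(message)

if __name__ == "__main__":
    pub, priv = generate_keypair()
    sig = sign(b"pay 100", priv)                          # constructed sample
    print(verify(b"pay 100", sig, pub), verify(b"pay 900", sig, pub))  # True False
```

The second verify call fails because the tampered message hashes to a different MD than the one recovered from the signature, which is the step 2 outcome on the validation slide.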