Configuring the Network

5.1. Configuring the Network

5.1.1. On the Desktop with NetworkManager

In a typical desktop installation, you'll have NetworkManager already installed and it can be controlled and configured through GNOME's control center and through the top-right menu as shown in Figure 5.1, "Network Configuration Screen".

Figure 5.1. Network Configuration Screen

The default network configuration relies on DHCP to obtain an IP address, DNS server, and gateway, but you can use the gear icon in the lower-left corner to alter the configuration in many ways (for example: set the MAC address, switch to a static setup, enable or disable IPv6, and add additional routes). You can create profiles to save multiple wired network configurations and easily switch between them. For wireless networks, their settings are automatically tied to their public identifier (SSID).

NetworkManager also handles connections by mobile broadband (Wireless Wide Area Network, WWAN) and by modems using point-to-point protocol over Ethernet (PPPoE). Last but not least, it provides integration with many types of virtual private networks (VPN) through dedicated plugins: SSH, OpenVPN, Cisco's VPNC, PPTP, Strongswan. Check out the network-manager-* packages; most of them are not installed by default.

5.1.2. On the Command Line with Ifupdown

Alternatively, when you prefer not to use (or don't have access to) a graphical desktop, you can configure the network with the already-installed ifupdown package, which includes the ifup and ifdown tools. These tools read definitions from the /etc/network/interfaces configuration file and are at the heart of the /etc/init.d/networking init script that configures the network at boot time.

Using sudo to access Administrative Privileges

The sudo (super user do) command allows privileged users to run commands with administrative permissions. This gives full access to items that may be restricted to only the root user, such as programs in /sbin/ or access to network options that are useful for common penetration testing tools.

The command takes as its argument the command that will be run with administrative permissions. One useful case when dealing with services is to elevate to the root user account. To elevate to the root user, we will use the su (substitute user) command to create a shell under the root user. The su command takes a user account as an argument. Additionally, su has a useful flag (--login, -l, or -) to use the substituted user's login environment. Multiple commands in the following chapter require the use of sudo, so we will elevate to the root user to execute these commands seamlessly.

$ sudo su --login
[sudo] password for kali:

Each network device managed by ifupdown can be deconfigured at any time with ifdown network-device. You can then modify /etc/network/interfaces and bring the network back up (with the new configuration) with ifup network-device.

Let's take a look at what we can put in ifupdown's configuration file. There are two main directives: auto network-device, which tells ifupdown to automatically configure the network interface once it is available, and iface network-device inet/inet6 type to configure a given interface. For example, a plain DHCP configuration looks like this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

Note that the special configuration for the loopback device should always be present in this file. For a fixed IP address configuration, you have to provide more details such as the IP address, the network, and the IP of the gateway:

auto eth0
iface eth0 inet static

For wireless interfaces, you must have the wpasupplicant package (included in Kali by default), which provides many wpa-* options that can be used in /etc/network/interfaces. Have a look at /usr/share/doc/wpasupplicant/README.Debian.gz for examples and explanations. The most common options are wpa-ssid (which defines the name of the wireless network to join) and wpa-psk (which defines the passphrase or the key protecting the network).

iface wlan0 inet dhcp
wpa-ssid MyNetWork
wpa-psk plaintextsecret
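
The wpa-psk line above stores the passphrase in clear text, and /etc/network/interfaces is typically mode 644, so any local account can read it. The check below is an added example, not part of the original text; the function name audit_wpa_psk and the sample file are constructed, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: flag Wi-Fi secrets exposed in an ifupdown-style file.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on error.
audit_wpa_psk() {
    file=$1
    [ -r "$file" ] || return 2
    findings=$(
        # Only files that actually carry a key are of interest.
        grep -Eq '^[[:space:]]*wpa-psk[[:space:]]' "$file" || exit 0
        # GNU stat prints the octal mode; any read bit for group or others
        # exposes the key to other local accounts.
        mode=$(stat -c '%a' "$file")
        case $mode in
            (*[4-7]?|*[4-7]) echo "mode $mode: key readable by group or others" ;;
        esac
        # 64 hex digits is a derived key (as printed by wpa_passphrase);
        # any other value is the passphrase itself.
        awk '$1 == "wpa-psk" {
            v = $0
            sub(/^[ \t]*wpa-psk[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            if (!(length(v) == 64 && v ~ /^[0-9A-Fa-f]+$/))
                print "line " NR ": plaintext passphrase"
        }' "$file"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample mirroring the stanza above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
iface wlan0 inet dhcp
    wpa-ssid MyNetWork
    wpa-psk plaintextsecret
EOF
chmod 644 "$sample"
audit_wpa_psk "$sample" || true
```

Restricting the file with chmod 600 and replacing the passphrase with the 64-digit key printed by wpa_passphrase clears both findings; the derived key still joins that network but does not reveal the passphrase itself.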

5.1.3. On the Command Line with systemd-networkd

While ifupdown is the historical tool used by Debian and Kali, and while it is still the default for minimal installations, there is a newer tool worth considering: systemd-networkd. Its integration with the systemd init system makes it a very attractive choice. It is not specific to Debian-based distributions (contrary to ifupdown) and has been designed to be very small, efficient, and relatively easy to configure if you understand the syntax of systemd unit files. This is an especially attractive choice if you consider NetworkManager bloated and hard to configure.

You configure systemd-networkd by placing .network files into the /etc/systemd/network/ directory. Alternatively, you can use /lib/systemd/network/ for packaged files or /run/systemd/network/ for files generated at run-time. The format of those files is documented in systemd.network(5) (see Section 6.1.1, “Manual Pages”). The [Match] section indicates the network interfaces the configuration applies to. You can specify the interface in many ways, including by media access control (MAC) address or device type. The [Network] section defines the network configuration.

Example 5.1. Static Configuration in /etc/systemd/network/



Example 5.2. DHCP-based Configuration in /etc/systemd/network/



Note that systemd-networkd is disabled by default, so if you want to use it, you should enable it. It also depends on systemd-resolved for proper integration of DNS resolution, which in turn requires you to replace /etc/resolv.conf with a symlink to /run/systemd/resolve/resolv.conf, which is managed by systemd-resolved.

systemctl enable systemd-networkd
systemctl enable systemd-resolved
systemctl start systemd-networkd
systemctl start systemd-resolved
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
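
To tie the [Match]/[Network] layout to the steps above, here is an added example (not from the original text) that builds a scratch tree with a static and a DHCP profile and checks it. The function name networkd_check, the file names, and the 192.0.2.0/24 documentation addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ROOT lets the check run against a scratch tree;
# pass / to inspect the live system.
networkd_check() {
    root=${1%/}
    findings=$(
        for f in "$root"/etc/systemd/network/*.network; do
            [ -e "$f" ] || { echo "no .network files found"; break; }
            # Sanity check: each file should say which interfaces it applies to.
            grep -q '^\[Match\]' "$f" || echo "${f##*/}: no [Match] section"
        done
        # systemd-resolved integration: resolv.conf must be the symlink
        # created in the last step above.
        target=$(readlink "$root/etc/resolv.conf" 2>/dev/null || true)
        [ "$target" = /run/systemd/resolve/resolv.conf ] ||
            echo "resolv.conf: not a symlink to /run/systemd/resolve/resolv.conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed scratch tree (file names and addresses are illustrative).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/systemd/network"
cat > "$demo_root/etc/systemd/network/50-static.network" <<'EOF'
[Match]
Name=eth0

[Network]
Address=192.0.2.10/24
Gateway=192.0.2.1
DNS=192.0.2.53
EOF
cat > "$demo_root/etc/systemd/network/80-dhcp.network" <<'EOF'
[Match]
Name=en*

[Network]
DHCP=yes
EOF
ln -sf /run/systemd/resolve/resolv.conf "$demo_root/etc/resolv.conf"
networkd_check "$demo_root" && echo "networkd setup looks consistent"
```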

Although systemd-networkd suffers from some limitations, like the lack of integrated support for wireless networks, you can rely on a pre-existing external wpa_supplicant configuration for wireless support. However, it is particularly useful in containers and virtual machines, and was originally developed for environments in which a container's network configuration depended on its host's network configuration. In this scenario, systemd-networkd makes it easier to manage both sides in a consistent manner while still supporting all sorts of virtual network devices that you might need in this type of scenario (see systemd.netdev(5) in Section 6.1.1, “Manual Pages”).