# You Check how your computer connects to the net: > ip address show ``` 1: lo: mtu 65536 qdisc noqueue state UP group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 3: wlp3s0: mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 84:3a:4b:ca:5c:24 brd ff:ff:ff:ff:ff:ff inet 192.168.0.13/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0 valid_lft 199143sec preferred_lft 172143sec inet6 fe80::22:5eb9:8a3a:95b2/64 scope link valid_lft forever preferred_lft forever 4: wwp0s20u4i6: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether fa:cd:4d:28:ec:dc brd ff:ff:ff:ff:ff:ff inet 169.254.104.159/16 brd 169.254.255.255 scope global noprefixroute wwp0s20u4i6 valid_lft forever preferred_lft forever inet6 fe80::e9d3:506c:c0a9:6679/64 scope link valid_lft forever preferred_lft forever ``` That's too much output to read, so try: > ip address show | grep inet ``` inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host inet 192.168.0.13/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp3s0 inet6 fe80::22:5eb9:8a3a:95b2/64 scope link inet 169.254.104.159/16 brd 169.254.255.255 scope global noprefixroute wwp0s20u4i6 inet6 fe80::e9d3:506c:c0a9:6679/64 scope link ``` The starting numbers tell you about the address. You just have to memorize the meanings: | Address Prefix | Meaning | |:---:|:---:| | 127.X | The computer's name for itself, for when you want to ssh into your own machine | | ::1/128 | Same thing, with ipv6 | | 192.168.X | A small network address, given by a DHCP server (possibly your router) | | 169.X | The interface to the internet wasn't given an ip address, so it's made up its own | # `arp-scan` Look around your local network with `arp-scan`. > sudo arp-scan -l ``` Interface: wlp3s0, type: EN10MB, MAC: 84:3a:4b:ca:5c:24, IPv4: 192.168.0.13 Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.0.1 0c:02:27:bc:aa:a1 Technicolor CH USA Inc. 192.168.0.15 b8:27:eb:4a:cd:d9 Raspberry Pi Foundation 192.168.0.10 dc:0b:34:94:5c:c4 LG Electronics (Mobile Communications) 3 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.9.7: 256 hosts scanned in 1.937 seconds (132.16 hosts/sec). 3 responded ``` The interface here was `wlp3s0`. It starts with 'w', so it's a wifi card. Each internet adapter has a name, called a 'MAC address' in order to identify itself to outsiders. The first three parts of a MAC address are given by the manufacturer (like a family name), and the rest are just for that one device. The '192.168.0.1' address ends in '.1', so it's probably a router. The manufacturer is 'Technicolor' (`arp-scan` has identified this from the first digits of the MAC: '0c:02:27'). Next is 192.168.0.15, which is labelled as a 'raspberry pi'. Finally, the '.10' address is a mobille phone. Mac addresses are easy to fake, so don't trust this output to keep you safe. # `nmap` Look around your entire network from 192.168.0.1 to 192.168.0.255: > sudo nmap -F 192.168.0.1/24 The `-F` means 'do this fast, by only scanning normal traffic' (ports below 1000). ``` Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-09 13:52 CET Nmap scan report for 192.168.0.1 Host is up (0.011s latency). Not shown: 99 closed ports PORT STATE SERVICE 80/tcp open http MAC Address: 0C:02:27:BC:AA:A1 (Technicolor CH USA) Nmap scan report for 192.168.0.10 Host is up (0.0040s latency). All 100 scanned ports on 192.168.0.10 are closed MAC Address: DC:0B:34:94:7C:C4 (LG Electronics (Mobile Communications)) Nmap scan report for belgradecats (192.168.0.15) Host is up (0.0096s latency). Not shown: 98 closed ports PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain MAC Address: B8:27:EB:4A:CD:D9 (Raspberry Pi Foundation) Nmap scan report for 192.168.0.13 Host is up (0.0000080s latency). Not shown: 99 closed ports PORT STATE SERVICE 22/tcp open ssh Nmap done: 256 IP addresses (4 hosts up) scanned in 5.34 seconds ``` Network traffic is split into different types of information. Each one gets a number called a 'port'. Most of this information is dead, so only a few ports are used nowadays. The first one shows port 80, so you can visit it on a web browser. The next shows 53 (so it's handing out names of local computers) and 22 (so you can access it via ssh). You can scan outside addresses with: > sudo nmap facebook.com However, when you scan something, that machine will see you, and you may set off alerts, which then have to bother whoever's looking after that address. So if you want to try out nmap from outside, find a place you have permission to scan (like your own external IP address), or try: > sudo nmap hack.me The hack.me website doesn't mind people scanning.