Network Services and Protocols Part III: Understanding Remote Access Configurations

source: cybrary.it

What are we doing?

Part III of this lab consists of 6 exercises that guides us through the configuration of sharing files, of monitoring network-attached devices, as well as configuration of remote access through our network. We’ll first go through a remote access method called FTP, then move onto a monitoring process called SNMP. Next we’ll progress to a remote access method called telnet before moving onto SMB. Finally, we’ll conclude our lab by configuring more modern and secure processes for remote access, called VNC and SSH.

Why would we want to do this?

The tools we’ve learned in Part I and Part II of this lab have been great, but sometimes we need to access devices within our network remotely in order to handle any issues that might arise and can’t be handled locally.

Remember, this lab helps us better understand how we can better utilize the tools readily available for us to use, and sometimes remote access is our most effective approach at accomplishing our task.

Who would use this?

Before, I stated in Part I and Part II of this lab that these tools should be understood and utilized by just about anyone with basic knowledge in computer use. Part III of this lab, however, should not be utilized by everyone but should at least be understood at a basic level.

Reasons for this is that allowing your computer to have remote access enabled can be dangerous and promotes itself to staying vulnerable to cyber attacks. So, these tools should be used only by those who are confident in knowing what they’re doing — or at least have a safe and isolated environment to experiment with.

Thoughts?

Most of these tools seem out of date and should no longer be used, I don’t know maybe I’m crazy, you tell me.

• Telnet, for one, was made back in the 60’s and there’s just no way a tool like Telnet could handle such complex network infrastructures in common use today, especially since nothing is encrypted when using Telnet.
• Although SNMP is still used today, I’m not sure it’s a widely accepted tool for modern networks. Sure there’s SNMPv3 that can authenticate and encrypt but it seems like SNMP as a tool has little use in cloud network infrastructure. Even John Lawitzke has something to say about this:

SNMP did its job a long time ago, but it isn’t really relevant today except for legacy systems that were designed around it. Network monitoring professionals are looking at streaming telemetry as the future of their networks. This is just another reason why we can say SNMP is dead and has no future.¹

• FTP is just not secure and when it comes to sharing files, using FTP instead of SFTP just feels irresponsible.
• And with RDP and VNC, an open port always needs to be open through the firewall in order to function, which isn’t something I would ever recommend. (Maybe we could place a VPN in front of an RDP gateway and hopefully solve this vulnerability issue?)
• SMB, and SSH seem to be the only tools we could still somewhat safely use in today’s network infrastructure and that’s only because SMBv1 is fully decommissioned and can no longer be used.² I understand RDP is a great tool that seems to work really well with Windows servers(managers) and computers(agents), but it still seems really limited in compatibility of more diverse networks and doesn’t seem be a secure tool without the aide of other tools.

Note (Primarily applies to administrators and techs):

In 2017, the US National Security Agency (NSA) found a vulnerability in the SMBv1 protocol. It allowed an attacker to execute their code without the user noticing anything. When just one of the devices got infected, the hacker could gain access to the whole network and every device connected to it.³

So, ensure your network isn’t using any network-attached devices designed for SMBv1 only and ensure that every device is enabled for SMBv3.1.1. If just one device is still using SMBv1, having SMBv3 on every other device would make no difference — an attacker can still access your entire network. We need to continually update our infrastructure in order to stay protected.

Vendor

Practice Labs

Lab

1.6 — Network Services and Protocols Part III

Learning Outcomes

• Exercise 1 — Configuring Port 21 for FTP
• Exercise 2 — Configuring Port 161 for SNMP
• Exercise 3 — Configuring Port 23 for Telnet
• Exercise 4 — Configuring Port 445 for SMB
• Exercise 5 — Configuring Port 3389 for RDP
• Exercise 6 — Using VNC and SSH

After completing this lab, we will be able to:

• Configure port 21 for FTP
• Configure port 161 for SNMP
• Configure port 23 for Telnet
• Configure port 445 for SMB
• Configure port 3389 for RDP
• Configure VNC and SSH

CompTIA Network+ Exam Objectives

N10–007 1.1 — Explain the purposes and uses of ports and protocols:

• SSH 22
• SNMP 161
• FTP 20/21
• TELNET 23
• RDP 3389
• SMB 445

N10–007 3.3 — Explain common scanning, monitoring, and patching processes and summarize their expected output (SNMP monitors, MIB)

N10–007 3.4 — Given a scenario, use remote access methods:

• VPN, RDP
• VPN, SSH
• VPN, VNC
• VPN, Telnet
• Remote file access, FTP/FTPS

N10–007 5.2 — Given a scenario, use the appropriate tool (Command line: ifconfig, Command line: netstat)

Source: Practice Labs

Exercise 1

Configuring Port 21 for FTP

The File Transfer Protocol (FTP) is a way to transfer computer files from a server to a computer/client,⁴ and uses port 20 for data transfer and port 21(also known as the command and control center) for communication.

Go ahead and scan through this useful Wikipedia page to get a little more insight on how FTP uses two different modes of transfer:

File Transfer Protocol

Learning objective

Know how to configure port 21 for FTP within our network

Task 1 — Install Web Server (IIS) Role

In this task, we’ll install a Web Server (IIS) Role with an FTP feature and confirm that it’s using port 21 on our network.

Step 1: Connect to the PLABSA01 device. On the Server Manager interface, click Add roles and features.

Step 2: On the Before You Begin page, read the information and click Next. On the Select installation type page, click Next. On the Select destination server page, click Next.

Step 3: On the Select Server Roles page, select Web Server (IIS) from the Roles list. When the Add features that are required for Web Server (IIS) box appears, click Add Features.

Step 4: On the Select server roles page, click Next. On the Select features page, click Next. On the Web Server Role (IIS) page, click Next.

Step 5: On the Select Role Services page, keep the default selections. Scroll down to select the FTP Server option at the bottom of the list.

Select the FTP Server option. Make sure that both the FTP service and the FTP Extensibility sub-options are selected as well.

(Sub-options for the individual roles are given to enable you to select individual server roles if required)

Click Next.

Step 6: On the Confirm Installation Selections page, check the specifications for installation and click Install.

The Installation Progress page displays the progress of installation of the Web Server (IIS) role.

Once the installation is complete, click Close.

Task 1 Complete!

Task 2 — Setup an FTP Site

We need to setup an FTP Site in order to start an FTP session. In this task, we’ll configure one of our systems to act as an FTP Server so that we can have our FTP Site

Step 1: On the PLABSA01 device, click Start and find the Windows Administrative Tools folder. Click on it and find the Internet Information Services (IIS) Manager. Click on this item.

Step 2: Expand the PLABSA01 (PLABSA01\Administrator) option from the console tree under Connections pane on the left. Right-click Sites and select the Add FTP Site option.

Step 3: On the Site Information page, specify the following information:

• FTP site name: plabsftp
• Physical path: C: \Inetpub\ftproot

click Next

Step 4: On the Bindings and SSL Settings page, go to SSL section and select No SSL.

Notice that the default port assigned for FTP is port 21. Click Next.

Step 5: On the Authentication and Authorization Information page, use these settings:

• Authentication: Select the Anonymous and Basic check boxes.
• Authorization: Set to All Users
• Permissions: Enable the Read and Write check boxes.

Click Finish.

Step 6: On the Internet Information Services (IIS) Manager window, click Sites item.

Find plabsftp listed as an FTP site. In addition, notice that under the Bindings column, port 21 is listed for FTP.

Step 7: Launch the File Explorer from the taskbar. Expand This PC. Navigate to Local Disk C > inetpub > ftproot folder.

Right-click the details pane and choose New > Text Document. Name newly created text document “memo”

Step 8: Click the Reboot button under the PLABSA01 device in the Practice Labs application.

The Device will reboot. Please wait for the device to show as on again before continuing.

Note: After installing FTP service on Windows Server 2019, the machine needs to be restarted to fix an FTP connection issue.

Task 2 Complete!

We now officially have an FTP Site on our network!

Task 3 — Verify FTP access from PLABWIN10

In this task, we’ll attempt to access the FTP site from our Windows 10 workstation.

Step 1: Connect to PLABWIN10 and open the Command Prompt terminal

Step 2: On the Command Prompt window, input the following to access our FTP server:

ftp

open PLABSA01

anonymous

For the password, enter:

Passw0rd

The screen shows that the FTP user anonymous is now signed in.

Step 3: Let’s see if the text file we created earlier, memo.txt, is listed by entering:

ls

Step 4: Let’s download the file:

get memo.txt

The system indicates that a successful transfer occurred.

Step 6: To log out of the FTP server, input:

bye

Exercise 1 Complete!

Now we know how to setup and run a real basic FTP environment and can confirm its port 21 usage within our network!

Exercise 2

Configuring port 161 for SNMP

The Simple Network Management Protocol (SNMP) is a network management tool meant to monitor the health and status of each network-attached device. For example, with SNMP, the administrator can be alerted if the router fails or be alerted when disk space on a server is running out.⁵

SNMP operates in the application layer (Layer 4/Layer 7), uses UDP port 161, and utilizes a client-server model:

• Managers (servers) collects and processes the data
• Agents (clients) are any type of device or device component connected to the network⁶

To get more familiar with SNMP and its use of MIB data trees, give Dana Oros’s article a read:

Network Basics: What is SNMP and how does it work?

Learning Objective

Know how to configure port 161 for SNMP within our network

Task 1 — Install SNMP agent

In this task, we’ll configure SNMP on a Server 2019 device. To configure SNMP, we must first activate the feature. To activate and configure SNMP, perform the following steps.

Step 1: Connect to the PLABSA01 device.

On Server Manager and click Add roles and features

Step 2:On the Before you begin page click Next. On the Installation Type Accept the defaults and click Next. On the Server Selection Accept defaults and click Next. On the Server Roles page click Next.

Step 3:On the Features page scroll down and click SNMP Service and click Add Features.

Click Install.

Once the installation has completed click Close.

Task 1 Complete!

Task 2 — Configure SNMP Properties

In this task, we’ll configure the host and network specifications for an SNMP agent on our Windows Server 2019 device.

Step 1: In PLABSA01, click Start, and start typing Computer Management. When the Computer Management app appears, click it.

Step 2: Expand the Services and Applications option under Computer Management (Local) in the left pane. Select Services.

Step 3: On the Services pane, scroll down the list and locate SNMP Service.

Right-click on SNMP Service and select Properties.

Note: Make sure not to accidentally click on the SNMP Trap service.

Step 4: The SNMP Service Properties (Local Computer) dialog box appears.

On the Agent tab, add the following information:

• Contact: Admin
• Location: London, UK

Keep the other default selections.

Step 5: Click Apply then go to Security tab.

On the Security tab, click Add in the Accepted community names panel.

Step 6:The SNMP Service Configuration dialog box appears.

Add the Community Name as ROC. Keep the Community rights as READ ONLY.

Click Add.

Step 7:We’re navigated back to the SNMP Service Properties (Local Computer) dialog box.

Notice that ROC appears as an accepted community name, with the READ ONLY rights.

Click Add on the Accept SNMP packets from these hosts radio button-panel.

Step 8: The SNMP Service Configuration dialog box appears.

Type the IP address: 192.168.0.3

Click Add…

Step 9: We’re navigated back to the SNMP Service Properties (Local Computer) dialog box.

Notice that 192.168.0.3 appears in the Accept SNMP packets from these hosts panel.

Click Apply and then click OK.

The SNMP service is now activated on our machine. The SNMP agent receives requests on port 161, by default.

An SNMP Management software is required, though. This will act as the administrator console for monitoring the status of different devices that have the SNMP agent installed.

Exercise 2 Complete!

Now we know how to configure port 161 for SNMP on our network!

Exercise 3

Configuring port 23 for Telnet

I feel like this excerpt from ssh.com sums up Telnet better than I could explain it:

Telnet is one of the earliest remote login protocols on the Internet. It was initially released in the early days of IP networking in 1969, and was for a long time the default way to access remote networked computers. It is a client-server protocol that provides the user a terminal session to the remote host from the telnet client application. Since the protocol provides no built-in security measures, it suffers from serious security issues that have limited its usefulness in environments where the network cannot be fully trusted. The use of Telnet over the public Internet should be avoided due to the risk of eavesdropping.⁷

Learning Objective

Know how to configure port 23 for Telnet within our network

Alert: In this exercise, we will be accessing a Linux device. If we are accessing the labs using the Java client, we will not be able to connect to the device directly. It is recommended that we use the HTML client to complete this exercise, as the content has been written using this client.

Task 1 — Install Telnet Client in PLABWIN10

In this task, we’ll configure Telnet client on our Windows 10 device. To configure Telnet on our Windows 10 device, we must first activate this feature.

Step 1: From PLABWIN10 device, ensure that Control Panel is displayed.

Select Programs.

Step 2: On the Programs window, select the Turn Windows features on or off option under the Programs and Features section.

The Windows Features dialog box appears.

Scroll down to check Telnet Client box and click OK.

A Windows Features dialog box appears confirming that Windows is configuring the selected service on the machine.

The Windows Features window will indicate once the configuration is complete. Click Close.

Close the Programs window to return to the desktop.

Task 1 Complete!

Task 2 — Install Telnet Server on PLABRTR01

In this task, we’ll install the Telnet Server on our Ubuntu Linux device(PLABRTR01) to allow it to be remotely administered with a command line interface from PLABWIN10 via Telnet.

Note that the Ubuntu Linux device is the one labeled as PLABRTR01. Its primary purpose in the labs is to function as a router, however, in this lab, it will also function as a Telnet server.

Step 1: Connect to PLABRTR01.

Click on the Terminal icon on the left to open a terminal window.

Step 2: In the terminal window, type the following command to install the Telnet server on this device:

sudo apt-get install xinetd telnetd

When prompted enter the following password and press Enter:

Passw0rd

As the installation process continues, we are informed of the actions being taken. Once it is complete, we’ll be presented with a command prompt once again.

Step 3: The Telnet server has been successfully installed. To make sure that it is running, we can reload the service by entering the following command:

sudo /etc/init.d/xinetd restart

Task 2 Complete!

Task 3 — Use Telnet Client to remote administer PLABRTR01

In this task, we’ll verify that our Telnet client is running on our Windows 10 device(PLABWIN10)

Step 1: Connect once again to our PLABWIN10 device. Ensure that the Command Prompt window is displayed.

To start a Telnet session with PLABRTR01, input at the Command Prompt:

telnet plabrtr01 23

Note: Telnet servers listen on TCP port 23 for incoming connections.

Step 3: The Ubuntu Telnet prompt is displayed, and we are asked for login information. Input administrator at the login prompt.

Remember: we’re connecting to a Linux server, and unlike Windows, the username is case sensitive.

Enter the following password and press Enter.

Passw0rd

Note: if we take longer than 60 seconds to input username and password information, the system will close the connection, and we’ll have to reconnect.

Once we have successfully logged in, we’re given information about our Telnet server, including documentation and support information from the developer. We’re then provided with a prompt identical to that provided by the terminal window on our PLABRTR01 device.

Note: we may see an error message indicating a failure to connect to a Ubuntu resource. We can safely ignore this message.

Step 4: From this command prompt, we’re able to initiate any commands that you would if you were connected to a Terminal window on the desktop of our PLABRTR01 device.

Type the following command and see the results in the output:

ifconfig

Note: The network card information of the PLABRTR01 device is displayed. Try typing the same command on the Terminal window on the desktop of the device and compare the output. The output is exactly the same.

Step 5: To log out of the Telnet session, type exit. The session exits and we are once again given the command prompt of the local computer.

Exercise 3 Complete!

Now we know how to configure port 23 for Telnet on our network!

Exercise 4

Configuring 445 for SMB

The Server Message Block (SMB) is a tool that allows users on a network to communicate remotely and use each other’s resources and files. I like to consider SMB as the precursor to cloud storage as SMB and cloud storage both use a server/client model allowing data to appear as if it were stored locally on every device on the network:

Imagine your team is working on a large project that involves a lot of back and forth. You might want to be able to share and edit files that are stored in one place. The SMB protocol will allow your team members to use these shared files as if they were on their own hard drives. Even if one of them is on a business trip half a world away, they can still access and use the data.³

Some might argue that SMB does more than what most cloud infrastructures can provide, given that SMB can allow someone to even access any printer connected to the LAN they’re remotely connecting to, but it appears cloud networks can even do that as well now:

Introducing Google Cloud Print

And it also seems like the most recent version of SMB (SMBv3.1.1) has become just as vulnerable to cyber attacks as it’s precursors:

Microsoft Issues Security Advisory on ‘Critical’ SMB 3 Flaw in Windows Systems

Which makes me wonder if the SMB protocol should be discontinued entirely… for any matter, let’s move onto the lab and setup an SMB on our network

Learning Objective

Know how to configure port 445 for SMB on our network

Task 1 — Share a Folder from PLABDC01

In this task, we’ll share a folder using SMB on a Windows Server 2016 device.

Step 1: Connect to PLABDC01 and click the File Explorer on the taskbar.

Navigate to the Local Disk C and create a folder called CompanyData.

Step 2: Right-click CompanyData and select Properties.

Step 3: The CompanyData Properties dialog box appears.

On the Sharing tab of the dialog box, click the Advanced Sharing button on the Advanced Sharing panel.

Step 4: On the Advanced Sharing dialog box, check the Share this folder checkbox.

Notice that CompanyData appears as the name of the folder to share.

Keep the other default values and click Permissions.

Step 5: On the Permissions for CompanyData dialog box, review the default settings. Keep these settings and click OK.

On the Advanced Sharing dialog box, click OK to save the changes.

On the CompanyData Properties dialog box, notice that the sharing status of the CompanyData folder is now changed to Shared.

Close the dialog box.

Task 1 Complete!

Task 2 — Authenticate the SMB Share

In this task, we’ll authenticate our connection to the SMB share.

Step 1: Connect to our PLABWIN10 device. Launch the File Explorer from the taskbar.

Right-click on This PC and choose Map Network Drive…

Step 2: In the Folder box, type:

\\plabdc01\companydata

Keep the default selection of Z: as the drive letter and of Reconnect at sign-in. In addition, check Connect using different credentials and click Finish.

Step 3: The Windows Security dialog box is displayed. Use the following credentials:

• Username: Administrator
• Password: Passw0rd

The companydata (\\plabdc01)(Z:) window appears.

SMB is now setup and functioning on the device, and it uses authentication to add security. SMB uses port 445 by default.

Close the companydata (\\plabdc01)(Z:) window.

Notice that a new Network Location item has appeared under the This PC selection in the File Explorer. The folder that you created in the PLABDC01 device is being perceived by the PLABWIN10 device as a network drive with the drive letter Z: Any files placed in this drive will appear in the folder on PLABDC01.

Exercise 4 complete!

Now we know how to set up port 445 for SMB on our network!

Exercise 5

Configuring port 3389 for RDP

The Remote Desktop Protocol (RDP) allows users to control their remote Windows machine as if they were working on it locally.⁸ RDP works exclusively with Windows operating systems.

Go ahead and give one of Shaked Reiner’s articles a read in order to get a more in depth overview of RDP:

Explain Like I’m 5: Remote Desktop Protocol (RDP)

Learning Objective

Know how to configure port 3389 for RDP on our network

Task 1 — Configure Remote Desktop Protocol properties

In this task, we’ll configure an RDP connection on a Windows 2016 server.

Step 1: Connect to our PLABSA01 device and open the File Explorer from the Taskbar.

Right click on This PC and click Properties.

Step 2: On the System window, select the Remote tab on the left side.

The System Properties dialog box is displayed.

Step 3: Select Allow connections only from computer running Remote Desktop with Network Level Authentication (recommended) on the Remote Desktop panel.

Click Select Users.

Step 4: On the Remote Desktop Users dialog box, click Add.

Note: Just for this lab example, we allowed everyone to sign on to PLABSA01 via RDP. In a production environment, we should limit the users that have access to RDP on specific devices.

Clicking on Check Names validates the name of the object and gives it the complete path reference.

Click OK.

We are brought back to the Remote Desktop Users dialog box.

Click OK.

Close the System and File Explorer windows.

Step 5: Click Start and begin to type Computer Management. When the Computer Management app appears in the menu, click it.

Expand Local Users and Groups and click Users.

Right-click on Guest and choose Set password….

Note: The Guest user account has a blank password by default.

Click Proceed when warned about making this password change.

Step 6: Type the following in the New password and Confirm password boxes:

Passw0rd

Click OK.

You are informed that the password has been set. Click OK.

Step 7: We need to enable the Guest account so it can be used for logging in.

Right-click on Guest and choose Properties.

From Guest Properties dialogue box in the General tab, clear Account is disabled.

Click OK.

Close the Computer Management window.

Task 1 Complete!

Task 2 — Setup an RDP Connection

Now we need to setup an RDP connection from our PLABWIN10 device

Step 1: Connect to PLABWIN10R, and open Remote Desktop Connection.

Step 2: When the Remote Desktop Connection dialog box is displayed, input plabsa01 in the Computer text box and click the Show Options down arrow.

Step 3: In the Logon settings panel, type guest as the User name and click the Allow me to save credentials checkbox.

Click Connect.

Step 4: For the password, input:

Passw0rd

Press Enter.

You get a message that the identity of the remote computer could not be identified.

Click Yes to continue.

Wait several seconds while Remote Desktop Connection displays the progress of the connection.

Note: It may take over a minute for the connection to be fully established. During this time we may see a black screen. We’ll just be patient.

Once the connection is established, the PLABSA01 remote desktop is displayed.

Note: The desktop of the PLABSA01 device that we connect to remotely will not be the same as that seen on the desktop of the PLABSA01. Because we have logged in with a different username, a new instance of a desktop is created with its own background, icons, and selections.

Exercise 5 Complete!

Now we know how to set up port 3389 for RDP on our network!

Exercise 6

Using VNC and SSH

The Virtual Network Client (VNC) is basically the non-Windows version of RDP that can be implemented on UNIX systems like Linux and MacOS, although some are optimized for Windows as well. The main difference between the two, though, is that RDP tends to work in the background of the remotely accessed machine when VNC tends to just take over the machine entirely. VNC uses port 5900 as its default, but can sometimes be using port 5800.

Many VNC variants are available for free public download, and for this exercise, we’ll be using TightVNC⁹ for our VNC Server and TigerVNC¹⁰ for our VNC Client.

Note that the VNC server and viewer are from two different providers. However, VNC is an open protocol, and this allows for the seamless interoperation between software packages of different vendors.

Secure Shell Protocol (SSH) is our go-to weapon for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It’s the secure alternative to the non-protected login protocols (such as Telnet, rlogin) and insecure file transfer methods (such as FTP).¹¹

There are several free SSH clients out there, but for this lab, we’ll be using a free client called PuTTY to administer the PLABDC01 and the PLABRTR01 devices respectively remotely.

Alert! (For Lab Purposes Only) Before beginning this exercise, we must reset all devices to their default settings. In order to do this, click on the rotating arrow icon at the bottom of the device bar.

Task 1 — Configure the VNC Server on PLABDC01

In this task, we’ll configure our VNC server on our PLABDC01 device to receive connection requests and to serve them appropriately.

Step 1: Connect to our PLABDC01 device. At the far right of the taskbar, click the up arrow beside the Network status icon. You will see the TightVNC icon.

Right click on this icon and choose Configuration…

Step 2: On the TightVNC Control Authentication window, enter the following password and click OK:

Passw0rd

Step 3: The TightVNC Service Configuration window appears. Let’s verify the following settings:

• The Accept incoming connections checkbox is checked
• The Main server port is set to 5900
• The Require VNC authentication checkbox is checked

Once verified, click on the Change… button in the Primary password… section.

Step 4: In the Enter new password and Re-type password for verification fields, enter the following and click OK:

Passw0rd

Step 5: On the TightVNC Service Configuration dialog box, click OK

At the far right of the taskbar, click the up arrow beside the Network status icon once again. You will see the TightVNC icon. Hover the mouse over the icon and verify that the service is running. If a note pops up indicating the IP address of the server, the service has been enabled successfully.

Task 1 Complete!

Task 2 — Connect to the PLABDC01 server using VNC

In this task, we’ll connect to PLABDC01 from our PLABWIN10 device using TigerVNC as our VNC client.

Step 1: Connect to PLABWIN10. Click the TigerVNC Viewer on the taskbar to open the VNC client.

Step 2: The VNC Viewer: Connection Details window appears. Enter the following in the VNC Server field:

plabdc01

Click Connect.

Step 3: You are then prompted for a password. Enter the following and click OK:

Passw0rd

A new window opens within which the login screen of the PLABDC01 device is being displayed. In order to log in, we’ll have to send a Ctrl+Alt+Delete command.

However, if you do so, the PLABWIN10 device will intercept it and give you the Windows lock options menu.

Step 5: In order to send a Ctrl+Alt+Delete sequence to the PLABDC01 device, first press F8. The TigerVNC shortcut menu appears.

When we press F8, make sure the TigerVNC window is in focus, or active. To make sure it is active, just click on it before pressing F8. Otherwise, the F8 command will be ignored.

Find the Send Ctrl-Alt-Del menu item and click it.

Step 6: The password field appears. Enter the following password and press Enter.

Passw0rd

We have successfully logged in to the PLABDC01 device using VNC!

Step 7: Open the Internet Explorer web browser on the PLABDC01 device via VNC.

Go to the “real” desktop of PLABDC01. Notice that the browser window that you opened is also open on this device.

Note: Unlike RDP, VNC provides a remote desktop connection to the current active user environment on the PLABDC01 device in real-time. RDP, on the other hand, provides a separate instance of a desktop that does not affect what the local user sees. This is a fundamental difference between RDP and VNC.

Step 8: At the far right of the taskbar, click the up arrow beside the Network status icon. You will see the TightVNC icon once again. However, it has a different color. This indicates that someone is currently connected to this computer via VNC.

Task 2 Complete!

Task 3 — Verify the Details of the VNC Session

In this task, we’ll examine and verify the details of the VNC session in progress between PLABDC01 and PLABWIN10.

Step 1: Return our PLABWIN10 device and minimize the VNC window connected to PLABDC01.

Click Start and type cmd. Once the Command Prompt appears in the menu, click it.

Step 2: Using the command netstat, we’ll generate a text file which indicates all of the active Transport Layer sessions on our PLABWIN10 device. To create this text file, input the following command:

netstat -a -o -n > ports1.txt

Step 3: To view the output of the command found in the ports1.txt file, input the following command:

notepad ports1.txt

Press Enter.

A Notepad window appears with the contents of the ports1.txt file.

Step 4: On the Foreign address column, locate the instance of 5900. This instance indicates the VNC session established between PLABDC01 and PLABWIN10. 5900 is the default port for VNC.

Corresponding to this entry, locate 192.168.0.5:xxxxx entry under the Local Address column. Here 192.168.0.5 is the PLABWIN10 IP address.

The xxxxx is the dynamic port number (any unused port number) assigned to the VNC session to enable the server to connect to the PLABDC01 device. This entry gives the details of the VNC session setup among the two servers.

Close the Notepad and the command prompt windows.

Task 3 Complete!

Now we know how to set up a VNC Server and a VNC Client on our network!

Task 4 — Verify that SSH is running on PLABRTR01

To setup an SSH session, we first need to ensure SSH is running as a service on our PLABRTR01 device.

Note: Ubuntu devices usually have SSH enabled by default.

Step 1: Connect to PLABRTR01 and click the Terminal icon on the left to open a Terminal window.

Step 2: Input the following command to determine which servers are running and on which ports these services are listening for incoming sessions:

netstat -at

Notice in the output that there is an entry with the port number 3389 — the Remote Desktop access port. Notice that this port is in the LISTEN state. This means that the RDP is currently active and is listening on the default port for incoming sessions.

Task 4 Complete!

Task 5 — Initiate an RDP session

To initiate an RDP session, an RDP client must be used on the host initiating the session.

In this task, we’ll use PuTTY as our RDP client to setup an SSH session between PLABSA01 and the PLABRTR01 Ubuntu device.

Step 1: Connect to the PLABSA01 device. Minimize the Server Manager and double-click the Putty icon on the desktop.

Step 2: The Putty Configuration dialog box appears.

In the Host Name (or IP address) field type the following:

plabrtr01

Make sure that the Connection type is set to SSH. Notice that the port indicated is 22 which is the default port for SSH.

Click Open.

Step 3: A PuTTY Security Alert appears. This alert shows up the first time that we connect via SSH. It gives the opportunity for the server to send the encryption key to the client and have it saved for future use (this exchange is necessary for the encrypted communication between the two devices).

Click Yes to accept the key.

Note: All subsequent connections to this device will not ask for the key again since it has been saved into PuTTY’s cache.

Step 4: The remote device now asks for login credentials. Enter administrator as the username and press Enter.

Remember: we’re connecting to a Linux server and unlike Windows, the username is case sensitive.

Wait for a couple of seconds to allow the password prompt to appear.

Step 5: For the password, input:

Passw0rd

Note: We won’t see the password being typed as characters are masked. We cannot forget to press Enter after we finish typing the password.

When we log in successfully, we’ll be provided with a command prompt.

Note: this is the same command prompt that we would see on the PLABRTR01 device if we connected directly to a Terminal window.

Task 5 Complete!

Now we know how to setup an SSH Client on our network!

Task 6 — Perform basic administrative work via SSH

In this task, it will be demonstrated how administration tasks can be implemented on a remote device as if we were directly connected to the Terminal window on the desktop.

To do this, we’ll create a user and a group, and we’ll make the user a member of this group. Please note that commands in Linux are case-sensitive. Therefore, be on the lookout for the proper case of the commands.

Note: In order to implement these tasks, we’ll need administrator privileges. For this reason, we’ll precede each command with the command sudo. Whenever necessary, the system will ask for the administrator password.

Step 1:While in the Putty window, to create a user and create the user’s home directory, type:

sudo useradd -m johnsmith

When asked to enter a password, input the following:

Passw0rd

Step 2: The user johnsmith is now created.

Note that in the previous step and even in the next ones, when a Linux command is successfully executed, we won’t get a confirmation. The next prompt simply appears. However, if a command is not recognized or is inputted incorrectly, an error message will be displayed.

To set johnsmith’s password, input:

sudo passwd johnsmith

Step 3: When asked for johnsmith’s new password, type:

Passw0rd

When asked to retype new password, type:

Passw0rd

Note that if the passwords entered do not match, you will be given an error message and no new password will have been set. In order to try again, enter the same command.

Step 4: User johnsmith’s password has been successfully set.

To give John Smith the capability to install the software we need to add him to the sudo group.

Input:

sudo usermod -a -G sudo johnsmith

Here’s an explanation of the format used for this command:

• -a means to append the user to target security group.
• -G indicates the name of the target security group
• sudo (sometimes called SuperUser Do) is a security group that has rights to add or install programs in Linux. This also refers to an application for Unix-like operating systems that allows users to run programs with security privileges of a superuser.

Step 5: The command to add johnsmith to the sudo group is successfully implemented.

To create a security group called Helpdesk, input:

sudo groupadd Helpdesk

The group Helpdesk is successfully created.

Step 6: To add johnsmith as a member of Helpdesk security group, input:

sudo usermod -a -G sudo johsmith

Step 7: In a later task, we’ll test johnsmith’s user account by attempting to login to the PLABRTR01 device, but first, we’ll need to change the login shell or interface of the johnsmith user. To do this input:

sudo chsh -s /bin/bash johnsmith

This indicates the following:

• -s means shell
• /bin/bash is the path to the shell

Step 8: To sign out of the user, type

logout

Press Enter. The Putty window closes automatically.

Task 6 Complete!

Task 7 — Login as another user

To login as johnsmith, the user we created earlier, follow these steps:

Step 1: Double-click the Putty icon on the desktop.

The Putty Configuration dialog box appears.

In the Host Name (or IP address) field type the following:

plabrtr01

Make sure that the Connection type is set to SSH. Notice that the port indicated is 22 which is the default port for SSH.

Click Open.

Step 2: The remote device now asks for login credentials. Enter johnsmith as the username and press Enter.

When password prompt appears, input:

Passw0rd

User johnsmith has been successfully logged in when we see the johnsmith@PLABRTR01:~$ prompt.

Step 3: To verify the identity of the currently logged in user, input:

whoami

Step 4: Notice that johnsmith is the logged in user.

To find out the users available on this computer, input:

users

Step 5: Notice that user johnsmith is listed.

To find out the groups on this computer, input:

groups

Notice the groups johnsmith, sudo and Helpdesk are now available.

Task 7 Complete!

Task 8 — Switch to root account

root is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user, and the superuser.

To switch to the root account while logged in as johnsmith, follow these steps:

Step 1: Input the following command:

sudo su -

Step 2: On the [sudo] password for johnsmith prompt, input:

Passw0rd

Notice that the prompt has changed to root@PLABRTR01:~#

Step 3: To sign out, input:

logout

We are now logged out of the root account. We are still logged in however as johnsmith. To log out as johnsmith, input:

logout

Exercise 6 Complete!

Now we know how to use SSH to add a member to our existing sudo group, as well as create a new group called Helpdesk!

[1]: Is SNMP Dead? 2020

Is SNMP Dead? Network Programmability Proves It Is.

[2]: Long Live SMB 2020

SMB is Dead, Long Live SMB!

[3]: What is SMB 2020

What is SMB and how does it work?

[4]: Wiki: FTP

File Transfer Protocol - Wikipedia

[5]: Practice Labs 1.6 Part III 2021

Practice Labs | Hands-on Learning for Digital & IT Skills

[6]: What is SNMP 2016

What is SNMP? Explained in Less Than 5 Minutes | Auvik

[7]: Telnet

Countering Password Stealing Attacks - Replace telnet with SSH.

[8]: RDP — Explain Like I’m a 5 Year Old

Explain Like I'm 5: Remote Desktop Protocol (RDP)

[9]: TightVNC

TightVNC: VNC-Compatible Free Remote Control / Remote Desktop Software

[10]: TigerVNC

TigerVNC

[11]: SSH Protocol

SSH protocol is the standard for strong authentication, secure connection, and encrypted file…