Post on 18-Nov-2014
Hands-On Ethical Hacking and Network Defense
Chapter 2
TCP/IP Concepts Review

Objectives
- Describe the TCP/IP protocol stack
- Explain the basic concepts of IP addressing
- Explain the binary, octal, and hexadecimal numbering system

Overview of TCP/IP
- Protocol
  - Common language used by computers for speaking
- Transmission Control Protocol/Internet Protocol (TCP/IP)
  - Most widely used protocol
- TCP/IP stack
  - Contains four different layers
    - Network
    - Internet
    - Transport
    - Application

The Application Layer
- Front end to the lower-layer protocols
- What you can see and touch – closest to the user at the keyboard
- HTTP, FTP, SMTP, SNMP, SSH, IRC and TELNET all operate in the Application Layer

The Transport Layer
- Encapsulates data into segments
- Segments can use TCP or UDP to reach a destination host
- TCP is a connection-oriented protocol
- TCP three-way handshake
  - Computer A sends a SYN packet
  - Computer B replies with a SYN-ACK packet
  - Computer A replies with an ACK packet

TCP Header Format

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TCP Segment Headers
- Critical components:
  - TCP flags
  - Initial Sequence Number (ISN)
  - Source and destination port
- Abused by hackers finding vulnerabilities

TCP Flags
- Each flag occupies one bit
- Can be set to 0 (off) or 1 (on)
- Six flags
  - SYN: synchronize (not synthesis) flag
  - ACK: acknowledge flag
  - PSH: push flag
  - URG: urgent flag
  - RST: reset flag
  - FIN: finish flag
- Error in textbook on page 22: SYNchronize, not SYNthesis (link Ch 2a, RFC 793)

Initial Sequence Number (ISN)
- 32-bit number
- Tracks packets received
- Enables reassembly of large packets
- Sent on steps 1 and 2 of the TCP three-way handshake
- By guessing ISN values, a hacker can hijack a TCP session, gaining access to a server without logging in
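
The header fields named on the slides above (ports, sequence number, flags), decoded from raw bytes for the three handshake segments. This is an added example, not part of the original slides; the port numbers and ISN values are constructed, and the checksum is left at zero.

```python
import struct

# Flag bits in the order of the RFC 793 header diagram (low 6 bits of byte 13).
FLAG_BITS = [("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def build_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header with no options (checksum left at 0)."""
    bits = sum(bit for name, bit in FLAG_BITS if name in flags)
    offset_and_flags = (5 << 12) | bits  # data offset = 5 words (20 bytes)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_header(segment):
    """Decode the fixed part of a TCP header; reject malformed input."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header: need at least 20 bytes")
    (src, dst, seq, ack, off_flags,
     window, _checksum, _urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4  # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset: %d bytes" % header_len)
    flags = [name for name, bit in FLAG_BITS if off_flags & bit]
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window}


def constructed_handshake():
    """Three constructed segments: A (port 49152) connects to B (port 80)."""
    isn_a, isn_b = 1000, 5000  # constructed ISNs; real stacks randomize them
    return [
        build_header(49152, 80, isn_a, 0, {"SYN"}),                 # step 1
        build_header(80, 49152, isn_b, isn_a + 1, {"SYN", "ACK"}),  # step 2
        build_header(49152, 80, isn_a + 1, isn_b + 1, {"ACK"}),     # step 3
    ]


if __name__ == "__main__":
    for raw in constructed_handshake():
        h = parse_header(raw)
        print(h["src_port"], "->", h["dst_port"], "/".join(h["flags"]),
              "seq=%d ack=%d" % (h["seq"], h["ack"]))
```

Each side acknowledges the other's ISN plus one, which is why the ISN only appears in steps 1 and 2.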

TCP Ports
- Port
  - Logical, not physical, component of a TCP connection
  - Identifies the service that is running
  - Example: HTTP uses port 80
- A 16-bit number – 65,536 ports
- Each TCP packet has a source and destination port

Blocking Ports
- Helps you stop or disable services that are not needed
  - Open ports are an invitation for an attack
- You can’t block all the ports
  - That would stop all networking
  - At a minimum, ports 25 and 80 are usually open on a server, so it can send out Email and Web pages

TCP Ports (continued)
- Only the first 1023 ports are considered well-known
- List of well-known ports
  - Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)
- Ports 20 and 21
  - File Transfer Protocol (FTP)
  - Use for sharing files over the Internet
  - Requires a logon name and password
  - More secure than Trivial File Transfer Protocol (TFTP)

TCP Ports (continued)
- Port 25
  - Simple Mail Transfer Protocol (SMTP)
  - E-mail servers listen on this port
- Port 53
  - Domain Name Service (DNS)
  - Helps users connect to Web sites using URLs instead of IP addresses
- Port 69
  - Trivial File Transfer Protocol
  - Used for transferring router configurations

TCP Ports (continued)
- Port 80
  - Hypertext Transfer Protocol (HTTP)
  - Used when connecting to a Web server
- Port 110
  - Post Office Protocol 3 (POP3)
  - Used for retrieving e-mail
- Port 119
  - Network News Transfer Protocol
  - For use with newsgroups

TCP Ports (continued)
- Port 135
  - Remote Procedure Call (RPC)
  - Critical for the operation of Microsoft Exchange Server and Active Directory
- Port 139
  - NetBIOS
  - Used by Microsoft’s NetBIOS Session Service
  - File and printer sharing

TCP Ports (continued)
- Port 143
  - Internet Message Access Protocol 4 (IMAP4)
  - Used for retrieving e-mail
  - More features than POP3

Demonstration
- Telnet to hills.ccsf.edu and netstat to see the connections
  - Port 23 (usual Telnet)
  - Port 25 blocked off campus, but 110 connects
  - Port 21 works, but needs a username and password

Demonstration
- Wireshark Packet Sniffer
  - TCP Handshake: SYN, SYN/ACK, ACK
  - TCP Ports
  - TCP Status Flags

User Datagram Protocol (UDP)
- Fast but unreliable protocol
- Operates on transport layer
- Does not need to verify whether the receiver is listening
- Higher layers of the TCP/IP stack handle reliability problems
- Connectionless protocol

The Internet Layer
- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- IP addressing packet delivery is connectionless

Internet Control Message Protocol (ICMP)
- Operates in the Internet layer of the TCP/IP stack
- Used to send messages related to network operations
- Helps in troubleshooting a network
- Some commands include
  - Ping
  - Traceroute

ICMP Type Codes

Wireshark Capture of a PING

Warriors of the Net
- Network+ Movie
- Warriorsofthe.net (link Ch 2d)

IP Addressing
- Consists of four bytes, like 147.144.20.1
- Two components
  - Network address
  - Host address
- Neither portion may be all 1s or all 0s
- Classes
  - Class A
  - Class B
  - Class C

IP Addressing (continued)
- Class A
  - First byte is reserved for network address
  - Last three bytes are for host address
  - Supports more than 16 million host computers
  - Limited number of Class A networks
  - Reserved for large corporations and governments (see link Ch 2b)
  - Format: network.node.node.node

IP Addressing (continued)
- Class B
  - First two bytes are reserved for network address
  - Last two bytes are for host address
  - Supports more than 65,000 host computers
  - Assigned to large corporations and Internet Service Providers (ISPs)
  - Format: network.network.node.node
  - CCSF has 147.144.0.0 – 147.144.255.255

IP Addressing (continued)
- Class C
  - First three bytes are reserved for network address
  - Last byte is for host address
  - Supports up to 254 host computers
  - Usually available for small business and home networks
  - Format: network.network.network.node

IP Addressing (continued)
- Subnetting
  - Each network can be assigned a subnet mask
    - Helps identify the network address bits from the host address bits
  - Class A uses a subnet mask of 255.0.0.0
    - Also called /8
  - Class B uses a subnet mask of 255.255.0.0
    - Also called /16
  - Class C uses a subnet mask of 255.255.255.0
    - Also called /24

Planning IP Address Assignments
- Each network segment must have a unique network address
- Address cannot contain all 0s or all 1s
- To access computers on other networks
  - Each computer needs IP address of gateway

Planning IP Address Assignments
- TCP/IP uses subnet mask to determine if the destination computer is on the same network or a different network
  - If destination is on a different network, it relays packet to gateway
  - Gateway forwards packet to its next destination (routing)
  - Packet eventually reaches destination

In-Class Exercises
- These aren’t in the handout, but you can practice them by doing project X1 for extra credit.

Good Network
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.1.101    255.255.255.0     192.168.1.1
  Middle    192.168.1.102    255.255.255.0     192.168.1.1
  Right     192.168.1.103    255.255.255.0     192.168.1.1
  Top       192.168.1.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Duplicate IP Address
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.1.101    255.255.255.0     192.168.1.1
  Middle    192.168.1.101    255.255.255.0     192.168.1.1
  Right     192.168.1.103    255.255.255.0     192.168.1.1
  Top       192.168.1.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

IP Address Outside Subnet
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.1.101    255.255.255.0     192.168.1.1
  Middle    192.168.2.102    255.255.255.0     192.168.1.1
  Right     192.168.1.103    255.255.255.0     192.168.1.1
  Top       192.168.1.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Wrong Subnet Mask
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.1.101    255.255.255.0     192.168.1.1
  Middle    192.168.1.102    255.255.0.0       192.168.1.1
  Right     192.168.1.103    255.255.255.0     192.168.1.1
  Top       192.168.1.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Wrong Default Gateway
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.1.101    255.255.255.0     192.168.1.1
  Middle    192.168.1.102    255.255.255.0     192.168.1.101
  Right     192.168.1.103    255.255.255.0     192.168.1.1
  Top       192.168.1.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Find the Problem #1
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.2.101    255.255.255.0     192.168.2.1
  Middle    192.168.2.102    255.255.255.0     192.168.2.1
  Right     192.169.2.103    255.255.255.0     192.168.2.1
  Top       192.168.2.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Find the Problem #2
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.1.101    255.255.255.255   192.168.1.1
  Middle    192.168.1.102    255.255.255.0     192.168.1.1
  Right     192.168.1.103    255.255.255.0     192.168.1.1
  Top       192.168.1.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Find the Problem #3
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.2.101    255.255.255.0     192.168.2.1
  Middle    192.168.2.102    255.255.255.0     192.168.2.1
  Right     192.168.2.102    255.255.255.0     192.168.2.1
  Top       192.168.2.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Find the Problem #4
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.0.101    255.255.255.0     192.168.2.1
  Middle    192.168.0.102    255.255.255.0     192.168.0.1
  Right     192.168.0.103    255.255.255.0     192.168.0.1
  Top       192.168.0.1      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Find the Problem #5
  Machine   IP Address       Subnet Mask       Default Gateway
  Left      192.168.1.101    255.255.255.0     192.168.1.1
  Middle    192.168.1.102    255.255.255.0     192.168.1.1
  Right     192.168.1.103    255.255.255.0     192.168.1.1
  Top       192.168.1.4      255.255.255.0     147.144.51.1
  Diagram labels: Hub; To the Internet

Answers
- #1: IP address out of subnet on rightmost machine
- #2: Bad subnet mask on leftmost machine
- #3: Duplicate IP address on rightmost machine
- #4: Bad default gateway on leftmost machine
- #5: All the default gateways are wrong (or the top machine’s IP address is wrong)
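
The checks behind the exercises (duplicate address, address outside the subnet, wrong mask, wrong gateway), run over the five "Find the Problem" networks. This is an added example, not part of the original slides; the function name `diagnose` and the position name "middle" are assumptions, and the top machine is treated as the segment's gateway.

```python
import ipaddress
from collections import Counter

MASK = "255.255.255.0"

# The five "Find the Problem" networks, copied from the slides above as
# (top machine's IP, {position: (IP address, subnet mask, default gateway)}).
# The "middle" position name is an assumption; the answer key names the rest.
PROBLEMS = {
    1: ("192.168.2.1", {"left": ("192.168.2.101", MASK, "192.168.2.1"),
                        "middle": ("192.168.2.102", MASK, "192.168.2.1"),
                        "right": ("192.169.2.103", MASK, "192.168.2.1")}),
    2: ("192.168.1.1", {"left": ("192.168.1.101", "255.255.255.255", "192.168.1.1"),
                        "middle": ("192.168.1.102", MASK, "192.168.1.1"),
                        "right": ("192.168.1.103", MASK, "192.168.1.1")}),
    3: ("192.168.2.1", {"left": ("192.168.2.101", MASK, "192.168.2.1"),
                        "middle": ("192.168.2.102", MASK, "192.168.2.1"),
                        "right": ("192.168.2.102", MASK, "192.168.2.1")}),
    4: ("192.168.0.1", {"left": ("192.168.0.101", MASK, "192.168.2.1"),
                        "middle": ("192.168.0.102", MASK, "192.168.0.1"),
                        "right": ("192.168.0.103", MASK, "192.168.0.1")}),
    5: ("192.168.1.4", {"left": ("192.168.1.101", MASK, "192.168.1.1"),
                        "middle": ("192.168.1.102", MASK, "192.168.1.1"),
                        "right": ("192.168.1.103", MASK, "192.168.1.1")}),
}


def diagnose(router_ip, hosts, router_mask=MASK):
    """Return a list of (position, problem) for one hub-connected segment."""
    lan = ipaddress.ip_interface(f"{router_ip}/{router_mask}").network
    seen = Counter(ip for ip, _, _ in hosts.values())
    seen[router_ip] += 1  # a host must not reuse the gateway's address either
    findings = []
    for position, (ip, mask, gateway) in hosts.items():
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        if seen[ip] > 1:
            findings.append((position, "duplicate IP address"))
        if iface.network.prefixlen != lan.prefixlen:
            findings.append((position, "bad subnet mask"))
        elif iface.ip not in lan:
            findings.append((position, "IP address out of subnet"))
        if ipaddress.ip_address(gateway) != ipaddress.ip_address(router_ip):
            findings.append((position, "bad default gateway"))
    return findings


if __name__ == "__main__":
    for number, (router_ip, hosts) in PROBLEMS.items():
        print(f"#{number}:", diagnose(router_ip, hosts))
```

A duplicate address is reported on both machines that share it, since the configuration alone cannot say which one is the intruder.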

Overview of Numbering Systems
- Binary
- Octal
- Hexadecimal

Reviewing the Binary Numbering System
- Uses the number 2 as its base
- Binary digits (bits): 0 and 1
- Byte
  - Group of 8 bits
  - Can represent 2^8 = 256 different values

UNIX and Linux Permissions
- UNIX and Linux File permissions are represented with bits
  - 0 means removing the permission
  - 1 means granting the permission
  - 111 (rwx) means all permissions apply

Examples of Determining Binary Values
- Each position represents a power of 2 value
  - Usually the bit on the right is the less significant bit
- Converting 1011 to decimal
  - 1 x 2^0 = 1
  - 1 x 2^1 = 2
  - 0 x 2^2 = 0
  - 1 x 2^3 = 8
  - 1 + 2 + 8 = 11 (decimal value)

Understanding Nibbles
- Half a byte or four bits
- Helps with reading the number by separating the byte
  - 1111 1010
- Components
  - High-order nibble (left side)
  - Low-order nibble (right side)

Understanding Nibbles (continued)
- Converting 1010 1010 to decimal
  - Low-order nibble
    - 1010 = 10 (base 10)
  - Multiply high-order nibble by 16
    - 1010 = 10 x 16 = 160 (base 10)
  - 160 + 10 = 170 (base 10)

Reviewing the Octal Numbering System
- Uses 8 as its base
  - Supports digits from 0 to 7
- Octal digits can be represented with three bits
- Permissions on UNIX
  - Owner permissions (rwx)
  - Group permissions (rwx)
  - Other permissions (rwx)
  - Example: 111 101 001
    - Octal representation 751

Reviewing the Hexadecimal Numbering System
- Uses 16 as its base
  - Supports numbers from 0 to 15
- Hex number consists of two characters
  - Each character represents a nibble
  - Value contains alphabetic letters (A … F)
    - A representing 10 and F representing 15
- Sometimes expressed with “0x” in front
- If you want more about binary, see Link Ch 2c
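
The nibble, octal and hexadecimal conversions from the last slides, applied to the slides' own values (1010 1010, 1111 1010 and the permission bits 111 101 001). This is an added example, not part of the original slides; all function names are assumptions.

```python
def _check_groups(text, count, width):
    """Split space-separated bit groups and validate their shape."""
    groups = text.split()
    if len(groups) != count or any(
            len(g) != width or set(g) - {"0", "1"} for g in groups):
        raise ValueError(f"expected {count} groups of {width} bits")
    return groups


def nibbles_to_decimal(byte_bits):
    """'1010 1010' -> 170: high-order nibble times 16 plus low-order nibble."""
    high, low = _check_groups(byte_bits, 2, 4)
    return int(high, 2) * 16 + int(low, 2)


def nibbles_to_hex(byte_bits):
    """'1111 1010' -> '0xFA': each nibble becomes one hex character."""
    digits = "0123456789ABCDEF"
    return "0x" + "".join(digits[int(n, 2)]
                          for n in _check_groups(byte_bits, 2, 4))


def bits_to_octal(perm_bits):
    """'111 101 001' -> '751': each group of three bits is one octal digit."""
    return "".join(str(int(g, 2)) for g in _check_groups(perm_bits, 3, 3))


def octal_to_symbolic(octal):
    """'751' -> 'rwxr-x--x' for owner, group and other."""
    if len(octal) != 3 or any(c not in "01234567" for c in octal):
        raise ValueError("expected three octal digits")
    out = []
    for digit in octal:
        value = int(digit)
        # Bit weights 4, 2, 1 correspond to read, write, execute.
        out.append("".join(ch if value & weight else "-"
                           for ch, weight in zip("rwx", (4, 2, 1))))
    return "".join(out)


if __name__ == "__main__":
    print(nibbles_to_decimal("1010 1010"), nibbles_to_hex("1111 1010"))
    mode = bits_to_octal("111 101 001")
    print(mode, octal_to_symbolic(mode))
```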