Networking
The IPv4 header is 160 bits (20 bytes):
- First 4 bits: IP version.
- Source address: 32 bits (starting at bit position 96).
- Destination address: right after the source address.
During encapsulation, every protocol adds its own header to the packet, treating what it received as a payload.
The receiving host performs the same operations in reverse order. This way the application does not need to know how the transport, network and link layers work: it just hands the packet to the transport layer.
Layers (TCP/IP model): Application | Transport | Network | Physical
Layers (OSI model): Application | Presentation | Session | Transport | Network | Link | Physical
The Internet Protocol (IP) runs at the Internet layer of the Internet Protocol Suite, also known as TCP/IP.
IP delivers datagrams (IP packets) to other hosts, using IP addresses to identify them.
IPv4 addresses are 4 bytes long.
To fully identify a host you also need to know its network: IP address + subnet mask.
To extract the network part, perform a bitwise AND between the IP address and the netmask.
Special address ranges:
- 0.0.0.0 - 0.255.255.255: this network
- 127.0.0.0 - 127.255.255.255: local host
- 192.168.0.0 - 192.168.255.255: private networks
Example:
- Host IP address: 192.168.33.12 = 11000000.10101000.00100001.00001100
- Mask: 255.255.224.0 = 11111111.11111111.11100000.00000000
- Network ('IP' AND 'Mask'): 192.168.32.0 (/19) = 11000000.10101000.00100000.00000000
- NOT Mask (the inverse of 255.255.224.0): 00000000.00000000.00011111.11111111
- Host part ('IP' AND 'NOT Mask'): 0.0.1.12 = 00000000.00000000.00000001.00001100
13 bits are left to represent hosts => 2^13 = 8192 different addresses, minus 2 (network and broadcast):
- Network address: the one with the host part all zeros.
- Broadcast address: the one with the host part all ones.
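The same subnet arithmetic as the worked example, as an added example that is not part of the original notes: the network, host part, broadcast and usable host count are derived with the bitwise AND / NOT operations described above, and a non-contiguous mask is rejected.

```python
# Added example, not from the original notes: IPv4 subnet arithmetic done with
# the same bitwise AND / NOT operations as the worked example above.

def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_bits(value: int) -> str:
    """Dotted binary, the notation used in the notes."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def prefix_length(mask: int) -> int:
    """Number of leading ones; a valid mask is ones followed only by zeros."""
    inverted = (~mask) & 0xFFFFFFFF
    if inverted & (inverted + 1):            # zero bits must be contiguous at the low end
        raise ValueError(f"non-contiguous mask: {int_to_ip(mask)}")
    return 32 - inverted.bit_length()

def subnet_info(ip: str, mask: str) -> dict:
    """Network, host part, broadcast and usable host count for ip/mask."""
    ip_i, mask_i = ip_to_int(ip), ip_to_int(mask)
    not_mask = (~mask_i) & 0xFFFFFFFF        # NOT Mask
    network = ip_i & mask_i                  # IP AND Mask
    host_bits = 32 - prefix_length(mask_i)
    return {
        "network": int_to_ip(network),
        "prefix": prefix_length(mask_i),
        "host_part": int_to_ip(ip_i & not_mask),   # IP AND NOT Mask
        "broadcast": int_to_ip(network | not_mask),
        # /31 and /32 leave no room for the two reserved addresses
        "usable_hosts": (1 << host_bits) - 2 if host_bits > 1 else 0,
    }

if __name__ == "__main__":
    info = subnet_info("192.168.33.12", "255.255.224.0")
    for key, value in info.items():
        print(f"{key:>12}: {value}")
    print("network bits:", to_bits(ip_to_int(info["network"])))
```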
IPv6 addresses are written as 16-bit hexadecimal groups separated by colons (:).
- Regular form: 2001:0db8:0020:130F:0000:0000:097C:130B
- Compressed form: FF01:0:0:0:0:0:0:43 => FF01::43
- IPv4-compatible: 0:0:0:0:0:0:13.1.68.3 => ::13.1.68.3
Reserved addresses:
- Loopback: ::1/128
- IPv4-mapped addresses: ::FFFF:0:0/96
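The three notations above (regular, compressed and IPv4-compatible), handled in code as an added example that is not part of the original notes: expand() turns any of the forms into eight 16-bit groups, and compress() produces the shortest form, with "::" standing for the longest run of zero groups.

```python
# Added example, not from the original notes: expanding and compressing IPv6
# text addresses by the rules above ("::" = longest run of zero groups,
# a dotted IPv4 tail allowed for IPv4-compatible/mapped addresses).

def expand(addr: str) -> list:
    """Return the eight 16-bit groups of an IPv6 address as integers."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "." in addr:                           # e.g. ::13.1.68.3 -> ::d01:4403
        head, v4 = addr.rsplit(":", 1)
        o = [int(x) for x in v4.split(".")]
        addr = f"{head}:{(o[0] << 8) | o[1]:x}:{(o[2] << 8) | o[3]:x}"
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = [g for g in left.split(":") if g]
        rgroups = [g for g in right.split(":") if g]
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    values = [int(g, 16) for g in groups]
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("group out of 16-bit range")
    return values

def compress(addr: str) -> str:
    """Shortest form: drop leading zeros, '::' for the longest zero run of >= 2 groups."""
    groups = expand(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:                              # scan runs of all-zero groups
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{v:x}" for v in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
```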
IPv6 addresses can be split in half (64 bits each):
- Network part: its last 16 bits can be used only for specifying a subnet.
- Device part, or Interface ID.
IPv6 scope:
- Global Unicast Address: scope Internet - routed on the Internet.
- Unique Local: scope internal network or VPN - internally routable but not routed on the Internet.
- Link Local: scope network link - not routed internally nor externally.
IPv6 subnetting:
- Network part: Internet global addressing (48 bits) + subnets (16 bits).
- Device/Interface ID.
Routers are devices connected to different networks at the same time, forwarding IP datagrams from one network to another.
Routing protocols are used to determine the best path to reach a network. They behave like a postman who tries to use the shortest path possible to deliver a letter.
A router inspects the destination address of every incoming packet and then forwards it through one of its interfaces.
Routing table:
To choose the right forwarding interface, a router performs a lookup in the routing table, where it finds an IP-to-interface binding.
The table can also contain an entry for the default address (0.0.0.0). This entry is used when the router receives a packet whose destination is an unknown network (one with no specific entry in the table).
Metrics:
Routing protocols also assign a metric to each link.
This ensures that, if two paths have the same number of hops, the fastest route is selected.
The metric is chosen according to the channel's estimated bandwidth and congestion.
Checking the routing table:
- Linux: ip route
- Windows: route print
- Mac OS X: netstat -r
Hubs/switches are network devices that forward frames on a local network.
They work with link-layer network addresses: MAC addresses.
Link-layer protocols and devices only deal with the next hop.
MAC addresses:
- Uniquely identify a network card at Layer 2.
- Also known as the physical address.
- 48 bits = 6 bytes, expressed in hexadecimal (e.g. 00:11:AA:22:EE:FF).
- Every host has a MAC and an IP address.
Discovery of MAC addresses:
- Windows: ipconfig /all
- *nix/Mac OS X: ifconfig
- Linux: ip addr
Whenever a device sends a packet:
- Destination MAC address = MAC address of the next hop (this ensures the network knows where to forward the packet).
- Destination IP address = destination host address (this is global information and remains the same along the packet's trip).
- The router will not change the source and destination IP addresses.
Broadcast MAC address: FF:FF:FF:FF:FF:FF (a frame with this address is delivered to all the hosts in the local network).
Addresses seen on the wire when Workstation A sends a packet to Workstation B through a router:
Field                   | Sent by Workstation A | Sent by the Router
Destination IP address  | Workstation B         | Workstation B
Destination MAC address | Router                | Workstation B
Source IP address       | Workstation A         | Workstation A
Source MAC address      | Workstation A         | Router
Hubs:
- Predecessors of switches: same purpose, different functionality.
- They are repeaters and do not check any header.
- They simply forward packets by repeating the same electric signals on every port.
- Every host receives the same packets.
Switches:
Routers work with IP addresses; switches work with MAC addresses.
- They can have multiple interfaces.
- Different speeds: from 10 Mbps to 10 Gbps, 1 Gbps being the standard.
CAM table (Content Addressable Memory):
- Stored in the device's RAM.
- Binds MAC addresses to interfaces.
- Contains: MAC address, interface & TTL.
- The TTL determines how long an entry stays in the table; as soon as an entry expires it is removed. The CAM table has a finite size.
There might be multiple hosts on the same interface, and interfaces without any host attached.
Switches learn new MAC addresses dynamically by inspecting the header of every frame they receive, thus identifying new hosts.
While routers use complex routing protocols to update their routing rules, switches just use the source MAC address of the frames they process to decide which interface to use when forwarding a frame.
CAM table population: the source MAC address of each frame is compared to the CAM table:
- If the MAC address is not in the table, the switch adds a new MAC-interface binding.
- If the MAC is already in the table, its TTL is refreshed.
- If the MAC is in the table but bound to another interface, the switch updates the binding.
To forward a frame:
- The switch reads the destination MAC address of the frame.
- It performs a lookup in the CAM table.
- It forwards the frame to the corresponding interface.
- If there is no entry for that MAC address, the switch forwards the frame to all its interfaces.
Example of a CAM table:
MAC   | Interface | TTL | Note
MAC#1 | 1         | 30  | A single host is attached to Interface 1.
MAC#2 | 2         | 5   | Two hosts are attached to Interface 2, probably via another switch.
MAC#3 | 2         | 5   | Two hosts are attached to Interface 2, probably via another switch.
MAC#4 | 3         | 7   | A single host is attached to Interface 3.
Interface 4 has no hosts attached.
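The population, ageing and forwarding rules above, simulated as an added example that is not part of the original notes. The capacity and TTL values are constructed; the model shows flooding on an unknown destination, a binding moving to another interface, and expiry removing entries.

```python
# Added example, not from the original notes: a switch CAM table following the
# population, ageing and forwarding rules above. The capacity and TTL values
# are constructed for the illustration.

BROADCAST = "ff:ff:ff:ff:ff:ff"

class CamTable:
    def __init__(self, ports, ttl: int = 30, capacity: int = 4):
        self.ports = list(ports)
        self.ttl = ttl
        self.capacity = capacity          # the CAM table has a finite size
        self.entries = {}                 # mac -> {"port": int, "ttl": int}

    def learn(self, src_mac: str, port: int) -> bool:
        """Population rules: new binding, TTL refresh, or move to another interface."""
        entry = self.entries.get(src_mac)
        if entry is None:
            if len(self.entries) >= self.capacity:
                return False              # full: nothing learned for this host
            self.entries[src_mac] = {"port": port, "ttl": self.ttl}
        else:
            entry["port"] = port          # same interface: no-op; another one: updated
            entry["ttl"] = self.ttl
        return True

    def age(self, seconds: int = 1) -> None:
        """Advance time; entries whose TTL runs out are removed."""
        for mac, entry in list(self.entries.items()):
            entry["ttl"] -= seconds
            if entry["ttl"] <= 0:
                del self.entries[mac]

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> list:
        """Learn from the source, then return the interface(s) the frame leaves on."""
        self.learn(src_mac, in_port)
        entry = self.entries.get(dst_mac)
        if dst_mac != BROADCAST and entry is not None:
            return [entry["port"]] if entry["port"] != in_port else []   # known: one port
        return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood

if __name__ == "__main__":
    cam = CamTable(ports=[1, 2, 3, 4])
    print("first frame, unknown destination ->", cam.forward("mac#1", "mac#2", 1))
    print("reply, destination now known      ->", cam.forward("mac#2", "mac#1", 2))
    cam.age(30)
    print("after TTL expiry:", cam.entries)
```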
ARP: Host#A sends a packet to Host#B
Host#A needs to know the IP and MAC addresses of Host#B. If Host#A knows Host#B's IP but not its MAC:
- Host#A builds an ARP request containing Host#B's IP and FF:FF:FF:FF:FF:FF as destination MAC address.
- Every host will receive the request.
- Only Host#B will send an ARP reply, telling Host#A its MAC address.
- Host#A will save the IP-MAC binding in its ARP cache.
A host discards a cache entry at power off or when the entry's TTL expires.
Checking the ARP cache:
- Windows: arp -a
- *nix OS: arp
- Linux: ip neighbour
TCP vs UDP:
TCP                                  | UDP
Guarantees packet delivery           | Does not guarantee packet delivery
Connection oriented                  | Connectionless
Lower throughput than UDP            | Faster than TCP, better throughput
Vast majority of applications use it | Multimedia applications
<IP>:<Port> identifies a single network process on a machine.
Servers and clients know which port to use because it is expressed in the source/destination port fields of the TCP/UDP header.
There are 1024 well-known ports: 0-1023.
Service       | Port
SMTP          | 25
SFTP          | 115
SSH           | 22
Telnet        | 23
POP3          | 110
FTP           | 21
IMAP          | 143
RDP           | 3389
HTTP          | 80
MySQL         | 3306
HTTPS         | 443
MS SQL Server | 1433
NetBIOS       | 137, 138, 139
Check listening ports and current TCP connections to gather information about the processes listening on the machine and the processes connecting to remote servers:
- Windows: netstat -ano
- Linux: netstat -tunp
- Mac OS X: netstat -p tcp -p udp, together with lsof -n -i4TCP -i4UDP
TCP is connection oriented. The header fields involved in the handshake are:
- Sequence number
- Acknowledgement number
- SYN & ACK flags
1. Host -> SYN -> Server: SYN flag enabled, random sequence number.
2. Host <- SYN-ACK <- Server: SYN & ACK flags enabled, random sequence number.
3. Host -> ACK -> Server: the client completes the synchronization by sending an ACK packet.
Firewall functions:
- Filter packets coming in and out of a network:
  - Headers are inspected, but they don't give any information about the actual packet content.
  - The admin can create rules according to certain characteristics: source IP / destination IP, source port / destination port, protocol.
  - Packet inspection actions: Allow, Drop, Deny (same as Drop, but the source host is notified).
  - Packet filtering isn't enough to stop layer 7 attacks (application layer: XSS, BoF, SQL injection and many more).
- Access control to network resources and services (network to network too):
  - NAT (Network Address Translation): rewrites the source IP address of every packet.
  - IP masquerading: masks the original client's IP address.
- Firewalls can also work on different layers of the OSI model, filtering unwanted traffic by inspecting content (not just headers).
  - They inspect the application payload trying to detect any potential attack.
IDS (Intrusion Detection System):
- Detects ongoing intrusions, attack vectors, ping sweeps, port scans, SQL injections, BoFs, etc.
- Can also identify traffic generated by a virus or worm by means of signatures.
- An IDS cannot detect something it does not already know beforehand.
- False positive: legitimate traffic is flagged as malicious.
- Detection is performed by a multitude of sensors.
- IDS Manager: the software in charge of maintaining policies and providing a management console to the sysadmin.
- An IDS is not a firewall substitute.
- NIDS (network): inspects network traffic with sensors; usually placed on a router or in a network with high intrusion risk (such as a DMZ).
- HIDS (host): monitors application logs, file-system changes or OS changes.
IDS vs IPS:
- IDS: detects; the activity is logged but not blocked.
- IPS: drops malicious requests when a threat has a risk classification above a predefined threshold.
When an environmental constraint (FW/IDS/other device) is in place, typical symptoms are:
- TCP SYNs are sent, but no TCP SYN/ACK reply comes back.
- TCP SYNs are sent, but a TCP RST/ACK is received.
The goal is to configure your VPN lab environment in order to reach every webserver, given that you are connected through VPN to a target organization where:
- 10.175.34.0/24 is the VPN network for your PC.
- 172.16.88.81 is a webserver inside the 172.16.88.0/24 network.
- 192.168.241.12 is a webserver inside the 192.168.241.0/24 network.
- 192.168.222.199 is a webserver inside the 192.168.222.0/24 network.
Knowing the info above, we just need to add one more route in order to access the 192.168.222.0/24 network. We'll do that through our gateway 10.175.34.1:
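How the routing table lookup described earlier (longest prefix match with a 0.0.0.0 default entry) decides where 192.168.222.199 goes before and after the extra route, as an added example that is not part of the original notes. Assumptions, all constructed: the VPN already pushed routes for 172.16.88.0/24 and 192.168.241.0/24, the interface names tun0/eth0, and an ISP default gateway 192.0.2.1; the gateway 10.175.34.1 and the networks are from the notes.

```python
# Added example, not from the original notes: a routing table with
# longest-prefix match and a 0.0.0.0/0 default, built from the lab networks
# above. Constructed assumptions: the VPN already pushed routes for
# 172.16.88.0/24 and 192.168.241.0/24, interface names, and the ISP gateway.

def ip_to_int(addr: str) -> int:
    o = [int(x) for x in addr.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def parse_cidr(cidr: str) -> tuple:
    """'192.168.222.0/24' -> (network as int, mask as int, prefix length)."""
    net, plen = cidr.split("/")
    plen = int(plen)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF if plen else 0
    return ip_to_int(net) & mask, mask, plen

class RoutingTable:
    def __init__(self):
        self.routes = []            # (network, mask, prefix_len, via, dev)

    def add(self, cidr: str, via, dev: str) -> None:
        network, mask, plen = parse_cidr(cidr)
        self.routes.append((network, mask, plen, via, dev))

    def lookup(self, dst: str) -> dict:
        """Most specific matching prefix wins; /0 (the default) matches anything."""
        d = ip_to_int(dst)
        best = None
        for network, mask, plen, via, dev in self.routes:
            if d & mask == network and (best is None or plen > best["prefix"]):
                best = {"prefix": plen, "via": via, "dev": dev}
        if best is None:
            raise LookupError(f"no route to {dst}")   # only possible without a default
        return best

def lab_table(with_extra_route: bool = False) -> RoutingTable:
    rt = RoutingTable()
    rt.add("0.0.0.0/0", via="192.0.2.1", dev="eth0")          # constructed ISP default
    rt.add("10.175.34.0/24", via=None, dev="tun0")             # VPN network, directly connected
    rt.add("172.16.88.0/24", via="10.175.34.1", dev="tun0")    # assumed pushed by the VPN
    rt.add("192.168.241.0/24", via="10.175.34.1", dev="tun0")  # assumed pushed by the VPN
    if with_extra_route:                                        # the one route the notes add
        rt.add("192.168.222.0/24", via="10.175.34.1", dev="tun0")
    return rt

if __name__ == "__main__":
    for extra in (False, True):
        hop = lab_table(extra).lookup("192.168.222.199")
        print(f"extra route={extra}: 192.168.222.199 via {hop['via']} dev {hop['dev']} (/{hop['prefix']})")
```

Without the extra route the webserver's packets leave through the default route instead of the VPN tunnel, which is why it is unreachable until the /24 is added.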
SSL/TLS certificate validation relies on DNS.
DNS is an application-layer protocol.
Structure/hierarchy of a DNS name (www.sub.domain.com): www | sub | domain | com
Resolvers are DNS servers provided by your ISP or publicly available: they convert a DNS name into an IP address.
1. The resolver contacts one of the root name servers; these servers contain information about the top-level domains.
2. It asks the TLD name server which name server can give information (the authoritative name server) about the domain the resolver is looking for.
3. If there are one or more subdomains, step 2 is performed again on the authoritative DNS server for every subdomain.
4. The resolver asks for the name resolution of the host part.
The IP addresses of the root servers are hardcoded in the configuration of the resolver.
Sysadmins keep the list updated; otherwise the resolver would not be able to contact a root server.
DNS can also perform the inverse operation: convert an IP into a DNS name.
The admin of a domain must enable this feature for it to work.
The ping utility performs a reverse DNS query after receiving every response from the target.
Traffic capture:
- A packet capture tool can capture all the traffic seen by the network card of the computer running it.
- NICs (Network Interface Cards) need to work in promiscuous or monitor mode.
- Instead of discarding any packet addressed to another NIC, in promiscuous mode a network card accepts and processes every packet, just like it would happen in a hub network.
- In switched networks, you have to perform an attack such as ARP poisoning or MAC flooding in order to do that.
- The WiFi medium is broadcast by nature.
Filter examples:
- No ARP and no DNS: not arp and !(udp.port == 53)
- Only ICMP: icmp
- All HTTP GET requests: http.request.method == GET
- A single TCP stream: tcp.stream eq 1
Common filtering tasks:
- Filter one protocol
- Identify the 3-way handshake
- Filter HTTP traffic
- Filter ICMP