Академический Документы
Профессиональный Документы
Культура Документы
TCP/IP Overview
Copyright SecureNinja.com 2000-2011 All rights Reserved
The De Facto standard for Internetworking Also called Internet Protocol (IP) Internet was ARPANET designed by DARPA
Initially mostly friendly groups connected together Universities, Government, researchers, etc Now millions of computer worldwide
4/23/2013
OSI
Application Presentation Session
RFC 1122 (in bold) Application Transport / Host to Host Internet / Network Access Link Layer
Routing Datagrams
Host A1
Copyright SecureNinja.com 2000-2011 All rights Reserved
Network A
Network B
Network C
4/23/2013
Data Encapsulation
Application Layer
Copyright SecureNinja.com 2000-2011 All rights Reserved
Data
Data
Header
Data
Header
Header
Data
Data Structures (1 of 2)
Application Layer
Copyright SecureNinja.com 2000-2011 All rights Reserved
TCP stream
UDP message
Link Layer
frame
frame
4/23/2013
Data Structures (2 of 2)
Copyright SecureNinja.com 2000-2011 All rights Reserved
Transmission Methods
Unicast From one station to another station
Copyright SecureNinja.com 2000-2011 All rights Reserved
Broadcast From one station to all the stations on the same LAN Multicast From one station to multiple selected locations Information sent only once over the networks Routers must be configured appropriately
4/23/2013
A Media Access Control (MAC) address has 48 bits 24 bits is the OUI OUI specifies the vendor name OUI specifies the mode Unicast Multicast MAC address are globally unique Could be spoofed or fake
Ethernet Overview
Copyright SecureNinja.com 2000-2011 All rights Reserved
4/23/2013
Commonly called ARP Station on Ethernet network communicate using MAC You know the IP address but not the MAC address You must query using ARP to find the destination MAC A broadcast will be use for that purpose The intended recipient will reply back with MAC MAC is kept in cache for a short period of time As mentioned they should be unique
Gratuitous ARP
Requests that are NOT normally needed
Copyright SecureNinja.com 2000-2011 All rights Reserved
Could be a gratuitous ARP Request or an ARP reply Gratuitous Arp Request Has both the source and destination IP set to the IP address of the machine that issued the packet. A gratuitous ARP is a reply to which no request has been made They have many legitimate usage (see notes) However Gratuitous ARP can be used for offensive purpose We will see later on in the lesson all the details of ARP poisoning
4/23/2013
Same as doors within a building Ease communication between entities A 16 bit field within the TCP and UDP packets IANA Internet Assigned Numbers Authority Well Known ports are from 0-1023 (0 is not used on IPV4) Registered ports are from 1024 to 49151 Dynamic and/or Private Ports are from 49152 to 65535 Ephemeral ports (short live connections) Some OS dare to be different, see the notes Windows Server 2003 is from 1025 to 5000
http://www.iana.org
4/23/2013
HTTP
110 POP3 119 NNTP 123 NTP 143 IMAP 161 SNMP Monitoring
500 IKE 1701 L2TP 1723 PPTP 1812 RADIUS AUTH 1813 RADIUS ACCNT 2049 NFS 4000 ICQ 5000 Yahoo Messenger
Kerberos 162 SNMP Trap/Alert DNS SSH TFTP 389 LDAP 636 LDAP SSL 520 RIP
Protocol Numbers
Copyright SecureNinja.com 2000-2011 All rights Reserved
# /etc/protocols # Internet (IP) protocols # ip 0 IP # internet protocol icmp 1 ICMP # internet control message protocol ggp 3 GGP # gateway-gateway protocol tcp 6 TCP # transmission control protocol egp 8 EGP # exterior gateway protocol pup 12 PUP # PARC universal packet protocol udp 17 UDP # user datagram protocol hmp 20 HMP # host monitoring protocol xns-idp NSIDP # Xerox NS IDP rdp 27 RDP # "reliable datagram" protocol
4/23/2013
IP (Internet Protocol)
Copyright SecureNinja.com 2000-2011 All rights Reserved
IP provides the basic packet delivery service on which TCP/IP networks are built. All TCP/IP data flows through IP, incoming and outgoing, regardless of its final destination The Internet Protocol functions include: Defines the datagram, which is the basic unit of transmission on the internet Defines the Internet addressing scheme Moving data between the Network Access Layer and the Transport Layer Routing of datagrams to remote hosts Performs fragmentation and re-assembly of datagrams.
4/23/2013
IP Datagram
The datagram is the packet format defined by IP
Copyright SecureNinja.com 2000-2011 All rights Reserved
A packet is a block of data The packet carries the information necessary to deliver it Similar to your postal letter which has an address The first five or six 32-bit words, (default is 5) of the datagram are control information called header. The header contains all the information necessary to deliver the packet. No error detection or recovery
IP Datagram Format
Copyright SecureNinja.com 2000-2011 All rights Reserved
10
4/23/2013
Connection-oriented data management Reliable data transfer Stream-oriented data transfer Push functions Resequencing Flow control ( sliding windows ) Multiplexing Full-duplex transmission Precedence and security Graceful close
3044,23 SYN
11
4/23/2013
12
16
20
24
28
31
1 2
Destination Port
Words
3 4 5 6
Acknowledgment Number Offset Reserved Checksum Options data begins here ... Flags Window Urgent Pointer Padding
UDP Protocol
User Datagram Protocol
Copyright SecureNinja.com 2000-2011 All rights Reserved
A connectionless protocol Uses best effort A lot less overhead than TCP Has no reliability and no acknowledgement Good for application where some packets can be lost Streaming media and Voice over IP are examples DNS makes use of UDP Often used by attackers as well, i:e port 53 UDP
Header
12
4/23/2013
Bits
12
16
20
24
28
31
Each address has four integers separated by periods Each integers represents 8 bits of the 32 bits address Values are from 0 (network) to 255 (broadcast) 0 and 255 are reserved and cannot be use An IP address could be 10.10.5.2 for example One portion is the network the other is the hosts Subnetwork masks uses Decimal Dot notation as well An example for a Class C address is 255.255.255.0
13
4/23/2013
IP Addressing
140.179.220.200
Copyright SecureNinja.com 2000-2011 All rights Reserved
We see the address in the decimal form Your computer sees it in the binary form Lets decode the first octet (140) on the next slide
2 64
3 32
4 16
5 8
6 4
7 2
8 1
26 0 64 0
25 0 32 0
24 0 16 0
23 1 8 8 8
22 1 4 4 4
21 0 2 0
20 0 1 0 = 140
14
4/23/2013
Classes of IP addresses
As mentioned previously, all IP addresses are 32 bit
Copyright SecureNinja.com 2000-2011 All rights Reserved
They are expressed in dot notation ( 4 octets of 8 bits) All IPs have a Network ID and a Host ID
It may have a Subnetwork ID if subnetting is being use
Belong to one of five classes: A, B, C, D, E Each address has a corresponding subnetwork mask
Most of the time referred to as Subnet Mask
Classes of IP addresses
Copyright SecureNinja.com 2000-2011 All rights Reserved
15
4/23/2013
Class A IP addresses
Has an 8 bits network ID starting with 0
Copyright SecureNinja.com 2000-2011 All rights Reserved
24 bits host ID, up to 22 bits may be used for subnetwork ID Class supports network numbers 1 to 126
Class B IP addresses
Has 16 bits network ID starting with 1-0
Copyright SecureNinja.com 2000-2011 All rights Reserved
16 bits host ID, up to 14 bits may be used for subnetwork ID Class supports network numbers from 128.1 to 191.254
16
4/23/2013
Class C IP addresses
Has 24 bits network ID starting with 1-1-0
Copyright SecureNinja.com 2000-2011 All rights Reserved
8 bits host ID, up to 6 bits may be used for subnetwork ID Class supports network numbers from 192.1 to 223.254
Resume of classes
Copyright SecureNinja.com 2000-2011 All rights Reserved
The number of addresses usable for addressing specific hosts in each network is always 2N 2 Classful versus Classless Inter-Domain Routing (CIDR)
17
4/23/2013
Classfull IP addressing Classless IP Addressing (has 3 categories) Subnetting VLSM (Variable Length Subnet Mask) No longer dependent of 8, 16, 24 network numbers Prefix length or Netmask is used for routing
CIDR (Classless Inter-Domain Routing) Used with Supernetting Supernetting allows route aggregation CIDR introduces prefix notation or CIDR notation (i:e /24 for class c) Reduces the size of routing tables
What is subnetting
It is making use of the host portion of the address
Copyright SecureNinja.com 2000-2011 All rights Reserved
You borrow bits on the host portion Allow you to add more networks within your own range 2n 2 >= Number of subnets required A subnet is a single LAN segment Each LAN has a unique subnet number For the purpose of the exam you must know what it is You do not need to know all of the details
18
4/23/2013
SubNetwork Mask
They are also expressed in decimal dot notation Tells which bits are the Network ID and Subnetwork ID A bit marked as a 1 means it is part of the network or subnet A bit marked as a 0 means it is part of the host ID
NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH
11111111.11111111.11111111.11100000
Subnetting Scenario
So we have 1 Class C Network (206.15.143.0) We have 254 host address available (1 to 254)
Copyright SecureNinja.com 2000-2011 All rights Reserved
But what if we need 5 different networks Each network has no more than 30 hosts each Do we apply for 4 more Class C licenses?
one for each network
Your ISP might no longer love you and may tell you to get smart! You would be wasting 224 addresses on each network, a total of 1120 addresses would be wasted ! Not good Are you out of luck? Subnetting is coming to the rescue
19
4/23/2013
Our needs
Copyright SecureNinja.com 2000-2011 All rights Reserved
We know we need at least 5 subnets We are on a class C network with 8 bits for the hosts We need to borrow some bits from the host portion So 23 - 2 will give us 6 subnet, 3 bits would be sufficient (8 2 = 6) The -2 is to deduct the reserved network and broadcast address We also know we need at least 30 hosts per network So with 5 (25 - 2) bits left it will give us 30 hosts per subnet (network). This will work, because we can steal the first 3 bits from the hosts portion of the current address to give to the subnetwork portion and still have 5 bits (8-3) remaining for the host portion Lets take a look at how this is done on the next slide
Borrowing bits
Lets review what portion is what: We have a Class C address:
Copyright SecureNinja.com 2000-2011 All rights Reserved
We steal/borrow 3 bits from the host portion (in green below): NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH
20
4/23/2013
Above is how the computer will see our new subnet mask, but we need to express it in decimal form as well: 255.255.255.224 (128+64+32=224)
Subnet addresses
Remember our values:
Copyright SecureNinja.com 2000-2011 All rights Reserved
128
64
32
16
Equals
21
Finger Chargen & Echo Daytime Telnet FTP SNMP SMTP POP3
Antiquated Protocols
4/23/2013
22
4/23/2013
IP Version 6 aka IPng (Next Generation) The differences are in five major areas:
Addressing and routing Security Network address translation Administrative workload, and Mobile Computing
IP Version 6 Migration
Copyright SecureNinja.com 2000-2011 All rights Reserved
Over 30 IPv6 RFCs written since 1994 Migration from V4 to V6 will take time
Standard and Procedures for coexistence of both Tunneling IPv6 within IPv4 Tunneling IPv4 within IPv6 Double stacks used at the same time
23
4/23/2013
IPv6 Advantages (1 of 2)
Copyright SecureNinja.com 2000-2011 All rights Reserved
Huge address space (2128) Makes NAT and it issues no longer necessary Reduces Configuration and Management
Support Stateless Auto Configuration Creates a guaranteed unique IP address
Combines LAN MAC with prefix provided by router DHCP is no longer needed, DHCPV6 can still be used
IPv6 Advantages (2 of 2)
Quality of Service (QoS) on VPNs
Copyright SecureNinja.com 2000-2011 All rights Reserved
IPSEC is required and built-in Router dont fragment packets, only host ICMPv6 Router Solicitation and Advertisement
Determine the IP address of the best gateway It is a requirement
24
4/23/2013
25
4/23/2013
Multicast (a requirement in IPv6) From one station to multiple selected stations Information sent only once over the networks Anycast Sent to a group of nodes/stations Needs to be delivered to at least one node and not all of them
Mobile nodes can change their location and addresses without loosing existing connections through which the nodes are communicating Supported at Internet Level Thus transparent Use two types of IP addresses: The IPv6 address; and The Mobile IP Address
26
4/23/2013
Neighbor Discovery prevent it remotely on IPv6 Could be possible if tunneling IPv6 over IPv4 Flooding and Scanning are possible attacks Vendor of security tools are catching up
They claim to be compliant, but are they?
Stateless Autoconfiguration Gives IP address away to anyone Could be turned on by default Network Intrusion Detection will be hard to perform Key management is still necessary
27
4/23/2013
Rogue devices could be setup to assign IPv6 addresses ICMP6 redirect attacks (See next slide) Type 0 Routing Header Attack
Packet bounces between two or more router Amplification Attack, up to 88 fold amplification
1. 2. 3.
A attacker with access to the network sends an Echo Request with the source address as User 2 and the destination as the User 1. The victim receives this echo request and sends an Echo Reply to User 2. The attacker then creates a redirect packet with the Echo Reply attached. The packet is constructed with the source as the router and the destination as User 1 and in this packet tells User 1 to redirect all traffic for User 2 to the attacker. The Hacker then receives packets from User 1 and can spoof User 2.
28
4/23/2013
Questions?
Copyright SecureNinja.com 2000-2011 All rights Reserved
29