TCP/IP Fundamentals
A quick and easy way to understand TCP/IP v4.

Objectives
• Review the OSI & DoD Models
• Review TCP, UDP, & ICMP Protocols & Packet Structures
• Learn about Packet Communication Processes
• TCP/IP Commands on Linux
• Open Discussion

OSI and TCP/IP Models
OSI model: Application, Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP model: Application, Host to Host, Internet, Physical

IP Addressing
Dotted Decimal   192.168.20.59
Binary           11000000.10101000.00010100.00111011
Decimal          3232240699
Hexadecimal      0xC0.0xA8.0x14.0x3B

Ports and Services
• A port is a memory address space
  • Ports are numbered between 0 and 65535
  • UDP and TCP have separate spaces from 1 - 65535
  • 0 is reserved and used only in IPv6
  • Traffic on port 0 is never a good sign
• Each port may be assigned a specific service
  • Services wait and “listen” for specific requests
  • Ports from 1 - 1024 are reserved for specific services
  • Services using ports 1 - 1024 can only be assigned by root (see the list in Linux under directory /etc/services)
  • The requests are delivered to the service in the form of packets
• http://www.iana.org/assignments/port-numbers
• http://www.bekkoame.ne.jp/~s_ita/port/port1-99.html
  • IANA list with known exploits listed with port services

Popular Ports and Services
Port  Service     Protocols
21    FTP         UDP, TCP
22    SSH         UDP, TCP
23    TELNET      UDP, TCP
25    SMTP        UDP, TCP
53    DNS         UDP, TCP
80    HTTP        TCP
110   POP         TCP
161   SNMP        UDP, TCP
162   SNMP TRAPS  UDP, TCP

How does this help us?
Services are identified by their responses.
All services exist in one of three states:
• open - responds with SYN/ACK, Connect(), or in some cases, nothing as opposed to a RST
• closed - responds with RST
• filtered - no response because the router or firewall will not allow for any response (only possible when using TCP Connect or SYN scans)
• Remember, the only GOOD service is a filtered service. (Except when there is a Business Justification for it)

IP Protocols
• IP – Network Addressing Protocol
• TCP
• UDP
• ICMP
• Routing Protocols
  • BGP, OSPF, etc.
• Others
  • GRE, ISAKMP, IPSEC

TCP vs. UDP
TCP
• Connection-Oriented
• Three Way Handshake
• Reliability more important than speed
UDP
• Connectionless
• No Handshake
• Speed more important than Reliability

The TCP Packet
Thanks to Skullbox.net

Flags
• SYN – New connection
• ACK – Acknowledging a connection or packet arrival.
• URG – Urgent Data
• PSH – Push the Data Thru (Don’t buffer)
• FIN – Finish the connection (Goodbye)
• RST – Reset (I didn’t want to talk to them anyway! [slam!])

The TCP Three Way Handshake
1. The Sending Host sends a SYN packet to the Receiving Host. (Phone Rings)
2. The Receiving Host responds with a SYN-ACK. (Hello?)
3. The Sending Host then responds with an ACK. (HI!!)
4. The Connection is now up.

The TCP Three Way Handshake
Sending Host -> Receiving Host: SYN
Receiving Host -> Sending Host: SYN/ACK
Sending Host -> Receiving Host: ACK

Hacker’s Use of TCP
Hackers will mangle packets to confuse target systems. A confused system can give up information, provide access or even stop responding.
Some of the common tricks:
• Setting no flags or all flags
• Attempt to connect using the handshake but not complete it. This will provide a fast way to enumerate ports.
• Setting strange combos of flags may reveal what OS we are dealing with. (Fingerprinting)
• Sending a packet with the ACK flag set can get past some simple firewall systems.

TCP Scans
Name of Scan              Flags Set During Scan
SYN Scan                  S
FIN Scan                  F
Null Scan                 Nothing
Xmas Scan                 UPF
SYN-FIN Scan              SF
Nmap Fingerprint Attempt  UPSF

SYN Scan
If Port is Open:   SYN sent, SYN/ACK returned, RST sent
If Port is Closed: SYN sent, RST returned (No need to send back a RST)

FIN Scan
If Port is Open:   FIN sent, No Answer
If Port is Closed: FIN sent, RST returned (No need to send back a RST)

Nmap XMAS Scan
If Port is Open:   URG/PSH/FIN sent, No Answer
If Port is Closed: URG/PSH/FIN sent, RST returned (No need to send back a RST)

Null Scan
If Port is Open:   No Flags Sent, No Answer
If Port is Closed: No Flags Sent, RST returned (No need to send back a RST)

TCP Scan Comparison
Type of Scan (Flags Set)  Port is Open  Port is Closed
SYN - S                   SYN/ACK       RST
FIN - F                   (NOTHING)     RST
XMAS - UPF                (NOTHING)     RST
NULL – (None)             (NOTHING)     RST
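
The flag sets in the TCP Scans table and the SYN scan exchange above can be turned into a detection check on the receiving side. The following Python is an added example, not part of the original slides; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

# Flag bits in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag sets from the scan table that never occur in a normal handshake.
ODD_FLAG_SETS = {
    0: "Null scan",
    FIN: "FIN scan",
    URG | PSH | FIN: "Xmas scan",
    SYN | FIN: "SYN-FIN scan",
    URG | PSH | SYN | FIN: "Nmap fingerprint attempt",
}

def make_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (no options) for testing."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def parse(header):
    """Return (destination port, flag bits) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    _sport, dport = struct.unpack("!HH", header[:4])
    return dport, header[13] & 0x3F

def classify(header):
    """Name the scan type if the flag set matches the table, else None."""
    return ODD_FLAG_SETS.get(parse(header)[1])

def half_open_ports(packets):
    """packets: (source IP, raw TCP header) pairs sent by clients, in order.
    Returns {source: ports that got a SYN but never the final ACK}."""
    done = defaultdict(dict)
    for src, header in packets:
        dport, flags = parse(header)
        if flags == SYN:
            done[src].setdefault(dport, False)
        elif flags & ACK and not flags & (SYN | RST) and dport in done[src]:
            done[src][dport] = True
    return {src: sorted(p for p, ok in ports.items() if not ok)
            for src, ports in done.items() if not all(ports.values())}

# Constructed capture: 10.0.0.5 completes a handshake, 10.0.0.9 never does.
SAMPLE = [
    ("10.0.0.5", make_header(40000, 80, SYN)),
    ("10.0.0.5", make_header(40000, 80, ACK)),
    ("10.0.0.9", make_header(40001, 22, SYN)),
    ("10.0.0.9", make_header(40001, 22, RST)),
    ("10.0.0.9", make_header(40002, 23, SYN)),
]
```

A single half-open port can simply be a lost packet; the signal is one source leaving many ports half-open in a short window.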

The UDP Packet
• The sending host sends the UDP packet
• The receiving host checks to see if the port is open and the protocol matches
  • YES – Service action begins (sometimes not visible)
  • NO – ICMP Type 3 error message is sent to the Sending Host.

UDP Packet Structure
Thanks to Skullbox.net for use of the graphics. For more info on TCP/IP checkout this informative site.

Scanning UDP Protocols
• Scanning UDP can be frustrating.
  • A UDP packet that reaches a server port which is open replies with nothing
  • A UDP packet that reaches a server port which is closed replies with an ICMP type 3 message that the service is not reachable
  • A UDP packet that gets lost or dropped on the way to the server port (it happens) returns no response
  • A UDP packet that reaches a server port which is open and the protocol matches, replies with service
  • A UDP packet that reaches a server port which is closed and the firewall is configured to disallow ICMP replies, returns nothing or may return a packet which says this is not allowed by the administrator
• So why scan UDP?
  • It is a nice place to hide for attackers
  • Most companies do not worry about UDP ports

The ICMP Packet
• Connectionless Protocol
  • Used for finding the best route across a network or the Internet
  • Influences routers
  • Used for error control messages
• Process
  • The sending computer sends an ICMP packet to a system
  • The receiving computer evaluates what service the packet is requesting and sends the proper response
    • NOTE: Sometimes the service action is not visible
  • If the service request is not allowed, a message is returned

ICMP Packet Structure
Type, Code, Checksum, Data

ICMP Packet Types

ICMP Packet Codes
Type 3 Destination Unreachable [RFC792]
Codes
 0  Net Unreachable
 1  Host Unreachable
 2  Protocol Unreachable
 3  Port Unreachable
 4  Fragmentation Needed and Don't Fragment was Set
 5  Source Route Failed
 6  Destination Network Unknown
 7  Destination Host Unknown
 9  Communication with Destination Network is Administratively Prohibited
10  Communication with Destination Host is Administratively Prohibited
http://www.faqs.org/rfcs/rfc792.html
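
Added example (not from the original slides): a parser for the Type, Code, Checksum, Data layout that verifies the checksum, names the type 3 codes listed above and, going one step beyond the slide, recovers the UDP port quoted inside the message. The function names and sample addresses are constructed; the 4 unused bytes after the checksum and the quoted IP header follow RFC 792.

```python
import struct

# Type 3 (Destination Unreachable) codes as listed on the slide above.
UNREACHABLE_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
}

def internet_checksum(data):
    """16-bit one's-complement checksum that ICMP uses (RFC 792)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_unreachable(code, dport):
    """Constructed sample: a type 3 message quoting a UDP datagram to dport."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    body = struct.pack("!BBHI", 3, code, 0, 0) + ip + udp
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]

def parse_icmp(message):
    """Split an ICMP message into Type, Code, Checksum and Data."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _checksum = struct.unpack("!BBH", message[:4])
    result = {"type": icmp_type, "code": code, "meaning": None,
              "checksum_ok": internet_checksum(message) == 0,
              "probed_udp_port": None}
    quoted = message[8:]  # for type 3: original IP header + first 8 bytes
    if icmp_type == 3:
        result["meaning"] = UNREACHABLE_CODES.get(code, "unlisted code")
        ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
        if ihl >= 20 and len(quoted) >= ihl + 4 and quoted[9] == 17:
            # Quoted protocol 17 is UDP: bytes 2-3 are its destination port.
            result["probed_udp_port"] = struct.unpack(
                "!H", quoted[ihl + 2:ihl + 4])[0]
    return result
```

Many port-unreachable replies from one host toward a single peer, each quoting a different port, is the closed-port side of the UDP scan described earlier.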

Linux Networking Commands
• Ifconfig
• Dhclient
• Ping
• Traceroute

ifconfig
Command line configuration for interfaces
ifconfig eth0 192.168.1.1 netmask 255.255.255.0

dhclient
Easy command used to configure your interface for use with DHCP.
dhclient eth0
Next run ifconfig to view the interface configuration.

Other Commands
• Ping – Detect if another host is reachable
• Traceroute – Determine the path to another host
• Dig – Utility for checking DNS resolution

Other Fun Networking Utils
• Nmap – Network Port Scanner
• Nessus – De Facto Standard in Network Vulnerability Scanning.
• Wireshark – (a.k.a. Ethereal) Network Sniffer
• Many other tools!

One Last Note
• A big part of using TCP/IP is subnetting.
• The best way to learn is to practice!
• There are many books and online sources for learning how to subnet.

Questions?