TCP/IP basics

Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network

DefenseDefense Chapter 2Chapter 2

TCP/IP Concepts ReviewTCP/IP Concepts Review

2

ObjectivesObjectives Describe the TCP/IP protocol stackDescribe the TCP/IP protocol stack Explain the basic concepts of IP Explain the basic concepts of IP

addressingaddressing Explain the binary, octal, and hexadecimal Explain the binary, octal, and hexadecimal

numbering systemnumbering system

3

Overview of TCP/IPOverview of TCP/IP ProtocolProtocol

Common language used by computers for speakingCommon language used by computers for speaking Transmission Control Protocol/Internet Protocol Transmission Control Protocol/Internet Protocol

(TCP/IP)(TCP/IP) Most widely used protocolMost widely used protocol

TCP/IP stackTCP/IP stack Contains four different layersContains four different layers

NetworkNetwork InternetInternet TransportTransport ApplicationApplication

5

The Application LayerThe Application Layer Front end to the lower-layer protocolsFront end to the lower-layer protocols What you can see and touch – closest to What you can see and touch – closest to

the user at the keyboardthe user at the keyboard HTTP, FTP, SMTP, SNMP, SSH, IRC and HTTP, FTP, SMTP, SNMP, SSH, IRC and

TELNET all operate in the Application TELNET all operate in the Application LayerLayer

7

The Transport LayerThe Transport Layer Encapsulates data into segmentsEncapsulates data into segments Segments can use TCP or UDP to reach a Segments can use TCP or UDP to reach a

destination hostdestination host TCP is a connection-oriented protocolTCP is a connection-oriented protocol

TCP three-way handshakeTCP three-way handshake Computer A sends a SYN packetComputer A sends a SYN packet Computer B replies with a SYN-ACK packetComputer B replies with a SYN-ACK packet Computer A replies with an ACK packetComputer A replies with an ACK packet

TCP Header FormatTCP Header Format 0 1 2 3 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port || Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number || Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number || Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data | |U|A|P|R|S|F| || Data | |U|A|P|R|S|F| | | Offset| Reserved |R|C|S|S|Y|I| Window || Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| || | |G|K|H|T|N|N| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer || Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding || Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | data || data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

8

9

TCP Segment HeadersTCP Segment Headers Critical components:Critical components:

TCP flagsTCP flags Initial Sequence Number (ISN)Initial Sequence Number (ISN) Source and destination portSource and destination port

Abused by hackers finding vulnerabilitiesAbused by hackers finding vulnerabilities

10

TCP FlagsTCP Flags Each flag occupies one bitEach flag occupies one bit Can be set to 0 (off) or 1 (on)Can be set to 0 (off) or 1 (on) Six flagsSix flags

SYN: synchronize, (not synthesis) flagSYN: synchronize, (not synthesis) flag ACK: acknowledge flagACK: acknowledge flag PSH: push flagPSH: push flag URG: urgent flagURG: urgent flag RST: reset flagRST: reset flag FIN: finish flagFIN: finish flag

Error in textbook on page 22: SYNchronize, not Error in textbook on page 22: SYNchronize, not SYNthesis (link Ch 2a, RFC 793)SYNthesis (link Ch 2a, RFC 793)

11

Initial Sequence Number (ISN)Initial Sequence Number (ISN) 32-bit number32-bit number Tracks packets receivedTracks packets received Enables reassembly of large packetsEnables reassembly of large packets Sent on steps 1 and 2 of the TCP three-Sent on steps 1 and 2 of the TCP three-

way handshakeway handshake By guessing ISN values, a hacker can hijack By guessing ISN values, a hacker can hijack

a TCP session, gaining access to a server a TCP session, gaining access to a server without logging inwithout logging in

12

TCP PortsTCP Ports PortPort

Logical, not physical, component of a TCP Logical, not physical, component of a TCP connectionconnection

Identifies the service that is runningIdentifies the service that is running Example: HTTP uses port 80Example: HTTP uses port 80

A 16-bit number – 65,536 portsA 16-bit number – 65,536 ports Each TCP packet has a source and Each TCP packet has a source and

destination portdestination port

Blocking PortsBlocking Ports Helps you stop or disable services that are Helps you stop or disable services that are

not needednot needed Open ports are an invitation for an attackOpen ports are an invitation for an attack

You can’t block all the portsYou can’t block all the ports That would stop all networkingThat would stop all networking At a minimum, ports 25 and 80 are usually At a minimum, ports 25 and 80 are usually

open on a server, so it can send out Email open on a server, so it can send out Email and Web pagesand Web pages

13

14

TCP Ports (continued)TCP Ports (continued) Only the first 1023 ports are considered well-Only the first 1023 ports are considered well-

knownknown List of well-known portsList of well-known ports

Available at the Internet Assigned Numbers Authority Available at the Internet Assigned Numbers Authority (IANA) Web site ((IANA) Web site (www.iana.orgwww.iana.org))

Ports 20 and 21Ports 20 and 21 File Transfer Protocol (FTP)File Transfer Protocol (FTP) Use for sharing files over the InternetUse for sharing files over the Internet Requires a logon name and passwordRequires a logon name and password More secure than Trivial File Transfer Protocol (TFTP)More secure than Trivial File Transfer Protocol (TFTP)

16

TCP Ports (continued)TCP Ports (continued) Port 25Port 25

Simple Mail Transfer Protocol (SMTP)Simple Mail Transfer Protocol (SMTP) E-mail servers listen on this portE-mail servers listen on this port

Port 53Port 53 Domain Name Service (DNS)Domain Name Service (DNS) Helps users connect to Web sites using URLs Helps users connect to Web sites using URLs

instead of IP addressesinstead of IP addresses Port 69Port 69

Trivial File Transfer ProtocolTrivial File Transfer Protocol Used for transferring router configurationsUsed for transferring router configurations

17


Hypertext Transfer Protocol (HTTP)Hypertext Transfer Protocol (HTTP) Used when connecting to a Web serverUsed when connecting to a Web server

Port 110Port 110 Post Office Protocol 3 (POP3)Post Office Protocol 3 (POP3) Used for retrieving e-mailUsed for retrieving e-mail

Port 119Port 119 Network News Transfer ProtocolNetwork News Transfer Protocol For use with newsgroupsFor use with newsgroups

18


Remote Procedure Call (RPC)Remote Procedure Call (RPC) Critical for the operation of Microsoft Critical for the operation of Microsoft

Exchange Server and Active DirectoryExchange Server and Active Directory Port 139Port 139

NetBIOSNetBIOS Used by Microsoft’s NetBIOS Session ServiceUsed by Microsoft’s NetBIOS Session Service File and printer sharingFile and printer sharing

19


Internet Message Access Protocol 4 (IMAP4)Internet Message Access Protocol 4 (IMAP4) Used for retrieving e-mailUsed for retrieving e-mail More features than POP3More features than POP3

DemonstrationDemonstration Telnet to hills.ccsf.edu and netstat to see Telnet to hills.ccsf.edu and netstat to see

the connectionsthe connections Port 23 (usual Telnet)Port 23 (usual Telnet) Port 25 blocked off campus, but 110 connectsPort 25 blocked off campus, but 110 connects Port 21 works, but needs a username and Port 21 works, but needs a username and

passwordpassword

DemonstrationDemonstration Wireshark Packet SnifferWireshark Packet Sniffer

TCP Handshake: SYN, SYN/ACK, ACKTCP Handshake: SYN, SYN/ACK, ACK TCPTCP

Ports Ports TCPTCP

StatusStatusFlagsFlags

22

User Datagram Protocol User Datagram Protocol (UDP)(UDP)

Fast but unreliable protocolFast but unreliable protocol Operates on transport layerOperates on transport layer Does not need to verify whether the Does not need to verify whether the

receiver is listeningreceiver is listening Higher layers of the TCP/IP stack handle Higher layers of the TCP/IP stack handle

reliability problemsreliability problems Connectionless protocolConnectionless protocol

23

The Internet LayerThe Internet Layer Responsible for routing packets to their Responsible for routing packets to their

destination addressdestination address Uses a logical address, called an IP Uses a logical address, called an IP

addressaddress IP addressing packet delivery is IP addressing packet delivery is

connectionlessconnectionless

Internet Control Message Internet Control Message Protocol (ICMP)Protocol (ICMP)

Operates in the Internet layer of the Operates in the Internet layer of the TCP/IP stackTCP/IP stack

Used to send messages related to network Used to send messages related to network operationsoperations

Helps in troubleshooting a networkHelps in troubleshooting a network Some commands includeSome commands include

PingPing TracerouteTraceroute

25

ICMP Type CodesICMP Type Codes

26

Wireshark Capture of a PINGWireshark Capture of a PING

Warriors of the NetWarriors of the Net Network+ MovieNetwork+ Movie Warriorsofthe.net (link Ch 2d)Warriorsofthe.net (link Ch 2d)

28

IP AddressingIP Addressing Consists of four bytes, like 147.144.20.1Consists of four bytes, like 147.144.20.1 Two componentsTwo components

Network addressNetwork address Host addressHost address

Neither portion may be all 1s or all 0sNeither portion may be all 1s or all 0s ClassesClasses

Class AClass A Class BClass B Class CClass C

30

IP Addressing (continued)IP Addressing (continued) Class AClass A

First byte is reserved for network addressFirst byte is reserved for network address Last three bytes are for host addressLast three bytes are for host address Supports more than 16 million host computersSupports more than 16 million host computers Limited number of Class A networksLimited number of Class A networks Reserved for large corporations and Reserved for large corporations and

governments (see link Ch 2b)governments (see link Ch 2b) Format: Format: network.node.node.node network.node.node.node

31

IP Addressing (continued)IP Addressing (continued) Class BClass B

First two bytes are reserved for network First two bytes are reserved for network addressaddress

Last two bytes are for host addressLast two bytes are for host address Supports more than 65,000 host computersSupports more than 65,000 host computers Assigned to large corporations and Internet Assigned to large corporations and Internet

Service Providers (ISPs)Service Providers (ISPs) Format: Format: network.network.node.node network.network.node.node

CCSF has 147.144.0.0 – 147.144.255.255CCSF has 147.144.0.0 – 147.144.255.255

32

IP Addressing (continued)IP Addressing (continued) Class CClass C

First three bytes are reserved for network First three bytes are reserved for network addressaddress

Last byte is for host addressLast byte is for host address Supports up to 254 host computersSupports up to 254 host computers Usually available for small business and home Usually available for small business and home

networksnetworks Format: Format: network.network.network.nodenetwork.network.network.node

33

IP Addressing (continued)IP Addressing (continued) SubnettingSubnetting

Each network can be assigned a subnet maskEach network can be assigned a subnet mask Helps identify the network address bits from the host Helps identify the network address bits from the host

address bitsaddress bits Class A uses a subnet mask of 255.0.0.0Class A uses a subnet mask of 255.0.0.0

Also called /8Also called /8 Class B uses a subnet mask of 255.255.0.0Class B uses a subnet mask of 255.255.0.0

Also called /16Also called /16 Class C uses a subnet mask of 255.255.255.0Class C uses a subnet mask of 255.255.255.0

Also called /24Also called /24

34

Planning IP Address Planning IP Address AssignmentsAssignments

Each network segment must have a Each network segment must have a unique network addressunique network address

Address cannot contain all 0s or all 1sAddress cannot contain all 0s or all 1s To access computers on other networksTo access computers on other networks

Each computer needs IP address of Each computer needs IP address of gatewaygateway

35

Planning IP Address Planning IP Address AssignmentsAssignments

TCP/IP uses subnet mask to determine if TCP/IP uses subnet mask to determine if the destination computer is on the same the destination computer is on the same network or a different networknetwork or a different network If destination is on a different network, it If destination is on a different network, it

relays packet to gatewayrelays packet to gateway Gateway forwards packet to its next Gateway forwards packet to its next

destination (routing)destination (routing) Packet eventually reaches destinationPacket eventually reaches destination

In-Class ExercisesIn-Class Exercises

These aren’t in the handout, These aren’t in the handout, but you can practice them by but you can practice them by

doing project X1 for extra doing project X1 for extra credit.credit.

Good NetworkGood Network

192.168.1.101

255.255.255.0

192.168.1.1

192.168.1.102

255.255.255.0

192.168.1.1

192.168.1.103

255.255.255.0

192.168.1.1

192.168.1.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet

Duplicate IP AddressDuplicate IP Address

192.168.1.101

255.255.255.0

192.168.1.1

192.168.1.101

255.255.255.0

192.168.1.1

192.168.1.103

255.255.255.0

192.168.1.1

192.168.1.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet

IP Address IP Address Outside Outside SubnetSubnet

192.168.1.101

255.255.255.0

192.168.1.1

192.168.2.102

255.255.255.0

192.168.1.1

192.168.1.103

255.255.255.0

192.168.1.1

192.168.1.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet

Wrong Wrong Subnet MaskSubnet Mask

192.168.1.101

255.255.255.0

192.168.1.1

192.168.1.102

255.255.0.0

192.168.1.1

192.168.1.103

255.255.255.0

192.168.1.1

192.168.1.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet

Wrong Wrong Default Default GatewayGateway

192.168.1.101

255.255.255.0

192.168.1.1

192.168.1.102

255.255.255.0

192.168.1.101

192.168.1.103

255.255.255.0

192.168.1.1

192.168.1.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet

Find the Problem #1Find the Problem #1

192.168.2.101

255.255.255.0

192.168.2.1

192.168.2.102

255.255.255.0

192.168.2.1

192.169.2.103

255.255.255.0

192.168.2.1

192.168.2.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet


192.168.1.101

255.255.255.255

192.168.1.1

192.168.1.102

255.255.255.0

192.168.1.1

192.168.1.103

255.255.255.0

192.168.1.1

192.168.1.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet


192.168.2.101

255.255.255.0

192.168.2.1

192.168.2.102

255.255.255.0

192.168.2.1

192.168.2.102

255.255.255.0

192.168.2.1

192.168.2.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet


192.168.0.101

255.255.255.0

192.168.2.1

192.168.0.102

255.255.255.0

192.168.0.1

192.168.0.103

255.255.255.0

192.168.0.1

192.168.0.1

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet


192.168.1.101

255.255.255.0

192.168.1.1

192.168.1.102

255.255.255.0

192.168.1.1

192.168.1.103

255.255.255.0

192.168.1.1

192.168.1.4

255.255.255.0

147.144.51.1

IP Address

Subnet Mask

Default Gateway

Hub

To the Internet

AnswersAnswers

#1: IP address out of subnet on rightmost #1: IP address out of subnet on rightmost machinemachine

#2: Bad subnet mask on leftmost machine#2: Bad subnet mask on leftmost machine #3: Duplicate IP address on rightmost #3: Duplicate IP address on rightmost

machinemachine #4: Bad default gateway on leftmost #4: Bad default gateway on leftmost

machinemachine #5: All the default gateways are wrong (or #5: All the default gateways are wrong (or

the top machine’s IP address is wrong)the top machine’s IP address is wrong)

48

Overview of Numbering Overview of Numbering SystemsSystems

BinaryBinary OctalOctal HexadecimalHexadecimal

49

Reviewing the Binary Reviewing the Binary Numbering SystemNumbering System

Uses the number 2 as its baseUses the number 2 as its base Binary digits (bits): 0 and 1Binary digits (bits): 0 and 1 ByteByte

Group of 8 bitsGroup of 8 bits Can represent 2Can represent 288 = 256 different values = 256 different values

UNIX and Linux PermissionsUNIX and Linux Permissions UNIX and Linux File permissions are UNIX and Linux File permissions are

represented with bitsrepresented with bits 0 means removing the permission0 means removing the permission 1 means granting the permission1 means granting the permission 111 (rwx) means all permissions apply111 (rwx) means all permissions apply

51

Examples of Determining Examples of Determining Binary ValuesBinary Values

Each position represents a power of 2 valueEach position represents a power of 2 value Usually the bit on the right is the less significant Usually the bit on the right is the less significant

bitbit Converting 1011 to decimalConverting 1011 to decimal

1 x 21 x 200 = 1 = 1 1 x 21 x 211 = 2 = 2 0 x 20 x 222 = 0 = 0 1 x 21 x 233 = 8 = 8

1 + 2 + 8 = 11 (decimal value)1 + 2 + 8 = 11 (decimal value)

52

Understanding NibblesUnderstanding Nibbles Half a byte or four bitsHalf a byte or four bits Helps with reading the number by Helps with reading the number by

separating the byteseparating the byte 1111 10101111 1010

ComponentsComponents High-order nibble (left side)High-order nibble (left side) Low-order nibble (right side)Low-order nibble (right side)

53

Understanding Nibbles Understanding Nibbles (continued)(continued)

Converting 1010 1010 to decimalConverting 1010 1010 to decimal Low-order nibbleLow-order nibble

1010 = 10 (base 10)1010 = 10 (base 10) Multiply high-order nibble by 16Multiply high-order nibble by 16

1010 = 10 x 16 = 160 (base 10)1010 = 10 x 16 = 160 (base 10) 160 + 10 = 170 (base 10)160 + 10 = 170 (base 10)

54

Reviewing the Octal Reviewing the Octal Numbering SystemNumbering System

Uses 8 as its baseUses 8 as its base Supports digits from 0 to 7Supports digits from 0 to 7

Octal digits can be represented with three bitsOctal digits can be represented with three bits Permissions on UNIXPermissions on UNIX

Owner permissions (rwx)Owner permissions (rwx) Group permissions (rwx)Group permissions (rwx) Other permissions (rwx)Other permissions (rwx) Example: 111 101 001Example: 111 101 001

Octal representation 751Octal representation 751

55

Reviewing the Hexadecimal Reviewing the Hexadecimal Numbering SystemNumbering System

Uses 16 as its baseUses 16 as its base Support numbers from 0 to 15Support numbers from 0 to 15

Hex number consists of two charactersHex number consists of two characters Each character represents a nibbleEach character represents a nibble Value contains alphabetic letters (A … F)Value contains alphabetic letters (A … F)

A representing 10 and F representing 15A representing 10 and F representing 15 Sometimes expressed with “0x” in frontSometimes expressed with “0x” in front If you want more about binary, see Link Ch 2cIf you want more about binary, see Link Ch 2c

TCP/IP basics

Design

Transcript of TCP/IP basics