Lesson 2 - Advanced TCPIP


Tactical Perimeter Defense

Lesson 2
Advanced TCP/IP
Objectives
2A Define the core concepts of TCP/IP.
2B Analyze sessions of TCP.
2C Analyze IP.
2D Analyze ICMP.
2E Analyze TCP.
2F Analyze UDP.
2G Analyze Packet Fragmentation.
2H Analyze an Entire Session.
Topic 2A
TCP/IP Concepts

The TCP/IP Model
– 4 Layers
The OSI Model
– 7 Layers
[Figure: A web request moving along the TCP/IP model]
OSI Model Layers
Layer 7, The Application layer (Up)
Layer 6, The Presentation layer
Layer 5, The Session layer
Layer 4, The Transport layer
Layer 3, The Network layer
Layer 2, The Datalink layer
Layer 1, The Physical layer (Down)
Note: The notion of ‘up’ or ‘down’ simply relates to data flow over a time period.
[Figure: A comparison of the OSI vs TCP/IP (DOD) models]
[Figure: Headers and the encapsulation process as data moves down the stack]
RFCs (Requests for Comments)
– Industry standard
– Freely available
– www.rfc-editor.org

The key RFCs you will study:
• The Internet Protocol (IP): RFC 791
• The Internet Control Messaging Protocol (ICMP): RFC 792
• The Transmission Control Protocol (TCP): RFC 793
• The User Datagram Protocol (UDP): RFC 768
The function of IP
• Identifies every host with a unique IP address
• Identifies every packet with source and
destination IP addresses
• Manages routing
• Does not deal with ordered delivery or packet
loss/corruption
IP Addressing
Binary (bit math), decimal, HEX (0xh)
One Byte (or Octet) = 8 bits
Decimal value of a Byte ranges from 0 to 255 (all 0s to all 1s)
– Binary 11000000 is decimal 192 or 128 + 64 + 0 + 0 + 0 + 0 + 0 + 0
– Binary 10000000 is decimal 128 or 128 + 0 + 0 + 0 + 0 + 0 + 0 + 0
– Binary 10000010 is decimal 130 or 128 + 0 + 0 + 0 + 0 + 0 + 2 + 0
– Binary 01011010 is decimal 90 or 0 + 64 + 0 + 16 + 8 + 0 + 2 + 0
– Decimal 192.168.10.1 = binary 11000000.10101000.00001010.00000001


IP Address Classes
Five classes defined:
A: Decimal 1-126 (127 reserved), first bit is 0
B: Decimal 128-191, first two bits are 10
C: Decimal 192-223, first three bits are 110
Classes A, B & C are used for addressing individual
hosts
D: Decimal 224-239, first four bits are 1110
Reserved for Multicasting
E: Decimal 240-247, first five bits are 11110
Class E is experimental. For additional info on Class E and its future implementation see RFC 1365.
[Chart: IP Address Classes]
Private IP Address Ranges (RFC 1918)
Class A: 10.0.0.0 – 10.255.255.255
Class B: 172.16.0.0 – 172.31.255.255
Class C: 192.168.0.0 – 192.168.255.255

The 169.254.0.0 network is used by Microsoft for APIPA (Automatic Private IP Addressing).

The above addresses are not routable over the internet.

Also, the 127.0.0.0 network ID is used for diagnostics.

The Subnet Mask
• A number that matches the length of the IP address; it masks the host bits to reveal only the network ID
• The ‘AND’ing process
• Default masks:
– Class A: 11111111.00000000.00000000.00000000 – 255.0.0.0
– Class B: 11111111.11111111.00000000.00000000 – 255.255.0.0
– Class C: 11111111.11111111.11111111.00000000 – 255.255.255.0
Subnetting Example
A 10.0.0.0 network has a default subnet mask of 255.0.0.0, i.e.,
• 00001010.yyyyyyyy.yyyyyyyy.yyyyyyyy = IP address
• 11111111.00000000.00000000.00000000 = Subnet mask
• To divide this network into 12 networks, you need to ‘borrow’ 4 bits from the host portion of the mask to the network portion, i.e.,
• 11111111.11110000.00000000.00000000 = Subnet mask
• Which is = 255.240.0.0
Subnetting Example cont’d
Now that the mask is 255.240.0.0, you have 16 networks (the four borrowed bits are shown as a separate group):
• 00001010.0000 0000.00000000.00000000 = 10.0.0.0 (first possible network)
• 00001010.0001 0000.00000000.00000000 = 10.16.0.0 (second network)
• 00001010.0010 0000.00000000.00000000 = 10.32.0.0 (third network)
• 00001010.0011 0000.00000000.00000000 = 10.48.0.0 (fourth network)
• 00001010.0100 0000.00000000.00000000 = 10.64.0.0 (fifth network)
• 00001010.0101 0000.00000000.00000000 = 10.80.0.0 (sixth network)
• 00001010.0110 0000.00000000.00000000 = 10.96.0.0 (seventh network)
• 00001010.0111 0000.00000000.00000000 = 10.112.0.0 (eighth network)
• 00001010.1000 0000.00000000.00000000 = 10.128.0.0 (ninth network)
• 00001010.1001 0000.00000000.00000000 = 10.144.0.0 (tenth network)
• 00001010.1010 0000.00000000.00000000 = 10.160.0.0 (eleventh network)
• 00001010.1011 0000.00000000.00000000 = 10.176.0.0 (twelfth network)
• 00001010.1100 0000.00000000.00000000 = 10.192.0.0 (thirteenth network)
• 00001010.1101 0000.00000000.00000000 = 10.208.0.0 (fourteenth network)
• 00001010.1110 0000.00000000.00000000 = 10.224.0.0 (fifteenth network)
• 00001010.1111 0000.00000000.00000000 = 10.240.0.0 (sixteenth network)
TASK 2A-1: Address Conversions
Routing
• Communications from one network to another
• Packets are sent to a default ‘Gateway’ (router)
• The router ‘routes’ the packet to the appropriate
interface, by looking at the destination IP address
and its routing table
• The destination network may or may not be
attached to that interface. If the destination is not
attached to that interface, the packet is sent to the
next router.
VLSM and CIDR
Variable Length Subnet Masking (VLSM)
Classless Inter-Domain Routing (CIDR)

These two terms are sometimes used interchangeably, but they are different: VLSM allows you to create logical addressing schemes to match existing or planned physical networks. CIDR simply ignores classes (i.e., it does not worry about the first bits being 0, 10 or 110). The implementation of CIDR is left to the vendor. For example, an older Cisco router will treat a 10.x.x.x address as belonging to a Class A network and a 192.168.x.x address as belonging to a Class C network, and there’s not much you can do about it. You may end up having issues if you’re subnetting a 10.x.x.x network into many networks using a 24 bit mask.
‘Slash’ notation
• 10.48.0.0 (IP address)
• 255.240.0.0 (Subnet mask)
• Since the mask is 11111111.1111 0000.00000000.00000000, we can express the same IP/subnet mask as 10.48.0.0/12 (where 12 represents the twelve contiguous ‘1’ bits reading from left to right).
Breaking up a Network Further
From 10.48.0.0/12 to 10.48.0.0/15 gives us eight networks, each with 1/8th the number of hosts (the three additional network bits end at the group break shown):
• 00001010.0011000 0.00000000.00000000 = 10.48.0.0 (first network)
• 00001010.0011001 0.00000000.00000000 = 10.50.0.0 (second network)
• 00001010.0011010 0.00000000.00000000 = 10.52.0.0 (third network)
• 00001010.0011011 0.00000000.00000000 = 10.54.0.0 (fourth network)
• 00001010.0011100 0.00000000.00000000 = 10.56.0.0 (fifth network)
• 00001010.0011101 0.00000000.00000000 = 10.58.0.0 (sixth network)
• 00001010.0011110 0.00000000.00000000 = 10.60.0.0 (seventh network)
• 00001010.0011111 0.00000000.00000000 = 10.62.0.0 (eighth network)

Now, say you want to break up the third network further into two
smaller networks, simply ‘borrow’ one more bit just for
network 10.52.0.0 and create 10.52.0.0/16 and 10.53.0.0/16.
You have now subnetted your 10.48.0.0/12 network ‘variably’.
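The address conversions, the ‘AND’ing process, slash notation and the two ‘borrowing’ examples above, worked in Python as an added example (not part of the course materials). It uses the standard ipaddress module for the subnet enumeration; the function names are my own.

```python
import ipaddress

def to_binary(dotted: str) -> str:
    """Dotted-decimal to dotted-binary, one 8-bit group per octet (Task 2A-1 style)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return ".".join(f"{o:08b}" for o in octets)

def network_id(address: str, mask: str) -> str:
    """The 'AND'ing process: address AND mask, octet by octet, reveals the network ID."""
    return ".".join(str(int(a) & int(m)) for a, m in zip(address.split("."), mask.split(".")))

def mask_to_prefix(mask: str) -> int:
    """Slash notation: count the contiguous leading 1 bits; reject a non-contiguous mask."""
    bits = to_binary(mask).replace(".", "")
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"mask bits are not contiguous: {mask}")
    return ones

def borrow_bits(network: str, bits: int) -> list[str]:
    """Borrow `bits` host bits into the network portion and list the resulting networks."""
    net = ipaddress.ip_network(network, strict=True)   # strict: host bits must be zero
    return [str(s) for s in net.subnets(prefixlen_diff=bits)]

if __name__ == "__main__":
    print(to_binary("192.168.10.1"))                  # 11000000.10101000.00001010.00000001
    print(network_id("10.52.7.9", "255.240.0.0"))     # 10.48.0.0
    print(mask_to_prefix("255.240.0.0"))              # 12
    for n in borrow_bits("10.0.0.0/8", 4):            # the 16 networks of the slide
        print(n)                                      # 10.0.0.0/12 ... 10.240.0.0/12
    eight = borrow_bits("10.48.0.0/12", 3)            # 10.48.0.0/15 ... 10.62.0.0/15
    print(borrow_bits(eight[2], 1))                   # ['10.52.0.0/16', '10.53.0.0/16']
```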
X-casting
Unicast: One to One
Broadcast: One to Everyone
Multicast: One to Group

TASK 2A-2: Routers and Subnetting
Topic 2B
Analyze the 3-Way handshake
Transport Layer Concepts

TCP                        UDP
Connection-oriented        Connectionless
Slower communications      Faster communications
Considered reliable        Considered unreliable
Transport layer            Transport layer

TCP Control Flags
URGENT (Urg)—Represents that this data should take precedence over other data transmissions.

ACK (Ack)—Represents acknowledgment of receipt of data from the sending host. This is sent during the second part of establishing a connection in response to the sending host’s SYN request.

PUSH (P)—Used when the sending host requires data to be pushed directly to the receiving application, and not fill in a buffer.

RESET (R)—Represents the sender’s intentions to reset the communication.

SYN (S)—Represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.

FIN (F)—Represents the sender’s intentions of terminating the communication in what is known as a graceful manner.
Sequence and Acknowledgment Numbers
• When initiating a new connection, an Initial Sequence Number (ISN) is generated
• The ISN is a 32-bit number that increments by one every 4 microseconds
• Acknowledgment Numbers are also 32-bit numbers, in response to a sequence number
• After the handshake sets up a session, further sequence numbers within that session are based on the number of octets involved
• Reliable delivery by TCP
Connection Establishment
Active vs Passive Open
Connection Establishment: 3-Way handshake (SYN, SYN/ACK, ACK) and sequence numbers
Connection Termination:
TCP is a full duplex communication protocol
Active vs Passive Close
FIN, ACK followed by another FIN, ACK
Ports
• Port numbers are located in the TCP (or UDP)
header, and they are 16-bit values, ranging
from 0 to 65,535.
• Port numbers can be assigned to specific
functions, or applications.
• Ports also can be left open for dynamic use by
two hosts during communication.
• There are three main categories of ports: Well
Known, Registered, and Dynamic.
• www.iana.org/assignments/port-numbers.
IANA assignments
The Well Known Ports (Reserved Ports): 1–1023
Registered Ports: 1024 – 49151
Dynamic Ports (Private Ports): 49152 – 65536

The combination of the IP address and port is often referred to as a socket.
Port numbers and associated services
Port 23 - Telnet
Port 80 - HTTP (standard Web pages)
Port 443 - Secure HTTP (secure Web pages)
Ports 20 and 21 - FTP
Port 53 - DNS
Port 25 - SMTP
Port 119 - NNTP
Trojan associated Port numbers
Port 12345 - NetBus
Port 1243 - Sub Seven
Port 27374 - Sub Seven 2.1
Port 31337 - Back Orifice
Port 54320 (TCP) - Back Orifice 2000
Port 54321 (UDP) - Back Orifice 2000
Note: High port numbers have gained enough notoriety in the past that most administrators know to watch out for them. Hackers nowadays will craft sophisticated attacks via well used ports such as 80 or 110 that must be kept open for the normal functioning of a network.
Network Monitor
• Monitor real-time network traffic
• Analyze network traffic
• Filter specific protocols to capture
• The default view of Network Monitor
• Displaying captures
• Network Monitor Filters
Task 2B-1: Using Network Monitor
Wireshark
• Very versatile third party tool - will run on many versions of Unix/Linux and Windows.
• Requires libpcap (Unix) or WinPcap 2.3 (Windows)
• Can read data off the wire, or from files of various formats.
• Can also save files to various formats.
• Freely available at www.wireshark.org.
• Formerly called Ethereal; name changed in 2006.
TASK 2B-2: Installing and Starting Wireshark
Wireshark Overview
• GUI/Menu bar
• Ctrl+K > Promiscuous mode
• Capture options
• Save options
TASK 2B-3: Using Wireshark
TCP Connections
Use Network Monitor to view the 3-way handshake and connection teardown, packet by packet.
First you need to start Telnet to have a service to analyze.
TASKs 2B-4 and 2B-5
Analyze the 3-way handshake and connection teardown, packet by packet.
Topic 2C
Capture and Identify IP datagrams
[Figure: An IP datagram, with all fields shown]
Fields in the IP header
• Version (4 bits) [4=IPv4, 6=IPv6]
• IHL (4 bits) [no. of 32 bit words in header, normally 5]
• TOS (8 bits) [3 bits for Precedence, 1 bit each for Delay, Throughput, Reliability, Monetary cost; last bit is a 0]
• Total Length (16 bits) [Length of datagram in Bytes]
• Identification (16 bits) [increment for every datagram sent between two hosts]
• Flags (3 bits) [0, Don’t Frag, More Frag]
• Fragment Offset (13 bits) [First fragment will have an offset of 0]
• Time to Live (8 bits) [If TTL decrements to 0, discard packet]
• Protocol (8 bits) [Protocol ID, i.e., ICMP=1, TCP=6, UDP=17]
• Header Checksum (16 bits) [One’s complement of the header+options]
• Source Address (32 bits) [Source IP address]
• Destination Address (32 bits) [Destination IP address]
• Options + Padding (32 bits) [For more info. on security options see RFC 1108]
• Data
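To see the fields above in real bytes, here is an added example (mine, not from the course): a builder and parser for the 20-byte IPv4 header with no options, including the RFC 791 one’s complement header checksum and the Flags / Fragment Offset fields that Topic 2G’s fragmentation analysis depends on. The packets are constructed in the code; the dictionary keys are my own naming.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # Protocol field values named on the slide
HDR = "!BBHHHBBH4s4s"                          # the 20-byte header, network byte order

def checksum(data: bytes) -> int:
    """RFC 791: one's complement of the one's complement sum of all 16-bit header words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                              # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, ident: int = 1, ttl: int = 64,
               proto: int = 6, dont_frag=False, more_frag=False, offset: int = 0) -> bytes:
    """Constructed datagram: Version 4, IHL 5, TOS 0, valid checksum. offset is in bytes."""
    flags_frag = (int(dont_frag) << 14) | (int(more_frag) << 13) | (offset // 8)
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    fields[7] = checksum(struct.pack(HDR, *fields))  # checksum computed with the field zeroed
    return struct.pack(HDR, *fields) + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Decode each header field from the slide and re-verify the checksum over the header."""
    v_ihl, tos, total, ident, ff, ttl, proto, _csum, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (v_ihl & 0x0F) * 4                        # IHL is in 32-bit words
    return {
        "version": v_ihl >> 4, "ihl_bytes": ihl, "tos": tos, "total_length": total,
        "id": ident, "dont_frag": bool(ff & 0x4000), "more_frag": bool(ff & 0x2000),
        "frag_offset": (ff & 0x1FFF) * 8,           # stored in 8-byte units
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, f"proto-{proto}"),
        "checksum_ok": checksum(pkt[:ihl]) == 0,    # a valid header sums to 0xFFFF
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": pkt[ihl:total],
    }

if __name__ == "__main__":
    pkt = build_ipv4("192.168.10.1", "10.48.0.1", b"hello", ident=7, ttl=128, proto=17, dont_frag=True)
    print(pkt.hex())
    print(parse_ipv4(pkt))
```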
TASK 2C-1: Capture and Identify IP Datagrams
Topic 2D
Capture and Identify ICMP Messages
ICMP Header Fields
– Type (8 bits) [identifies the message type]
– Code (8 bits) [details based on Type, above]
– Checksum (16 bits) [integrity check]
– Message (not fixed) [depends on Type and Code, above]
TASK 2D-1: Capture and Identify ICMP messages
Topic 2E
Capture and Identify TCP headers
[Figure: A TCP Header, with all fields shown. (Control flag bits circled.)]
Fields in the TCP header
• Source port (16 bits) [upper layer protocol on source]
• Destination port (16 bits) [upper layer protocol on destination]
• Sequence number (32 bits) [Starting with the Active Open ISN if SYN flag is set]
• Acknowledgement number (32 bits) [Value if Ack flag is set]
• IHL or offset (4 bits) [Number of 32 bit words in the TCP header]
• Reserved (6 bits) [always 0, for more info. see RFC 3168]
• Flags (6 bits) [Control flags Urg, Ack, Psh, Rst, SYN, Fin]
• Window Size (16 bits) [No. of data bytes the sender of this segment is willing to accept]
• TCP Checksum (16 bits) [integrity check]
• Urgent Pointer (16 bits) [If Urg flag is set, point to sequence no. of last byte in sequence]
• Options + Padding (32 bits) [often used to define the MSS]
• Data
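An added example (mine, not the course’s code) tying Topic 2B to the TCP header fields above: it builds and parses TCP headers, decodes the six control flags and the MSS option, and then checks that three parsed segments form a valid 3-way handshake, including the case where the ISN wraps past 2^32. Segments are constructed in the code; the TCP checksum is left at zero because it needs the IP pseudo-header, which this example does not model.

```python
import struct

# Control flag bits of the 6-bit Flags field, high bit first: Urg Ack Psh Rst Syn Fin
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
HDR = "!HHIIBBHHH"   # ports, seq, ack, offset/reserved, flags, window, checksum, urgent

def build_tcp(sport, dport, seq, ack, flags, window=65535, mss=None) -> bytes:
    """Constructed TCP header; checksum stays 0 (it needs the IP pseudo-header)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss else b""   # option kind 2 = MSS, length 4
    opts += b"\x00" * (-len(opts) % 4)                      # pad options to a 32-bit boundary
    offset_words = (20 + len(opts)) // 4                    # data offset in 32-bit words
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack(HDR, sport, dport, seq, ack, offset_words << 4, bits, window, 0, 0) + opts

def parse_tcp(seg: bytes) -> dict:
    """Decode the fields from the slide; walk the options list for the MSS value."""
    sport, dport, seq, ack, off, bits, window, _csum, urg = struct.unpack(HDR, seg[:20])
    offset = (off >> 4) * 4
    hdr = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "offset": offset,
           "flags": {n for n, b in FLAG_BITS.items() if bits & b},
           "window": window, "urgent": urg, "mss": None, "payload": seg[offset:]}
    i = 20
    while i < offset:                    # options: kind 0 = end, kind 1 = NOP, else kind,len,data
        kind = seg[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:                   # malformed option length: stop rather than loop forever
            break
        if kind == 2 and length == 4:
            hdr["mss"] = struct.unpack("!H", seg[i + 2:i + 4])[0]
        i += length
    return hdr

def check_handshake(syn: bytes, synack: bytes, ack: bytes) -> bool:
    """True if the segments are SYN, SYN/ACK, ACK with each ack = peer ISN + 1 (mod 2**32)."""
    a, b, c = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    nxt = lambda s: (s + 1) & 0xFFFFFFFF
    return (a["flags"] == {"SYN"} and b["flags"] == {"SYN", "ACK"} and c["flags"] == {"ACK"}
            and b["ack"] == nxt(a["seq"]) and c["ack"] == nxt(b["seq"]) and c["seq"] == nxt(a["seq"]))
```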
TASK 2E-1: Capture and Identify TCP Headers
Topic 2F:
The UDP Header
[Figure: A UDP header, with all fields shown]
UDP Header Fields
• Source port (16 bits) [upper layer protocol on source]
• Destination port (16 bits) [upper layer protocol on destination]
• UDP length (16 bits) [Length of UDP header and data]
• UDP Checksum (16 bits) [integrity check]
• Data
Task 2F-1: Working with UDP Headers
Topic 2G
Analyze Packet Fragmentation
• Packet switched networks
• Fragmentation concepts
• Max. Transmission Unit (depends on network)
• IP – Max. Datagram Size
• TCP – Max. Segment Size
[Chart: MTUs for various media]
Task 2G-1: Analyzing Fragmentation
Topic 2H:
Analyze an Entire Session
Task 2H-1: Complete Session Analysis (ICMP)
Task 2H-2: Complete Session Analysis (FTP)
Lesson 2 Summary
Lesson 2 Review
End of Lesson 2