Networking
Last updated
Last updated
⚡ P.T. Usage:
Know how protocols work in order to learn how to exploit them
Computers have to use a wide variety of networking protocols, to ensure that different types of hardware and software can communicate between each other.
Packets carry the information exchanged in networking.
Streams of bits, electric signals running on media such as a wire in a LAN network or the air in a wireless connection.
Interpreted as bits (0,1).
A packet's structure consists of a header and a payload.
The header have a protocol specific structure, ensuring that the payload is correctly interpreted.
The payload is the data, the content, the body of a packet.
IP (Internet Protocol) header (IPv4) is 160 bits (20 Bytes) long.
First 4 bits - version of IP protocol.
Source Address - 32 bits (4 Bytes), in position 96.
Destination Address - 32 bits (4 Bytes) after Source Address.
A protocol provides various features like:
making an application work (emails, VoIP calls, FTP, browser)
connecting a server and a client, transporting data between them
identifying and internetworking computers/hosts on a network
transmitting data over physical media
These features are structured as a protocol stack, in a series of layers.
TCP/IP is a real world implementation of a networking stack.
| TCP/IP Protocol Stack |
|---|
Application |
Transport |
Network / Internet |
Physical Interface |
📕 Each layer has its own protocol and serves the one above it.
The Open System Interconnection (OSI) is a logical and conceptual model published by the International Organization for Standardization (ISO) in 1984, used as reference.
| ISO/OSI Protocol Stack |
|---|
Application |
Presentation |
Session |
Transport |
Network |
Data Link |
Physical |
TCP/IP vs ISO/OSI model:
During the process of encapsulation, a lower-layer protocol places the entire upper protocol packet (header + payload) in its payload portion and adds its own header to the packet.
Every packet sent by a host is encapsulated.
The same operation is done in reverse order by the receiving host.
⚡ P.T. Usage:
Understand network attacks and use network attack tools
Studying other networking protocols
The Internet Protocol (IP) runs on the Internet layer of the TCP/IP stack, by delivering the datagrams (IP packets) to the hosts participating in the communication.
Every host is identified by a unique IP address.
IP version 4 is widely used in networking and is considered the primary Internet Protocol.
An IPv4 address is a 32 bits address, consisting of 4 Bytes/octets, separated by a dot (.) .
There are some IPv4 addresses with reserved intervals:
Refer to the RFC 5735 for more examples and details.
The network of a host is identified using a netmask (subnet mask) paired with the IP.
The network part of the IP is found with a bitwise AND operation between the IP and the Mask.
The address/host part of the IP is found with a bitwise AND between the IP and the inverse of the Netmask.
For example 192.168.44.22 with 255.255.224.0 subnet mask is part of the 192.168.32.0/19 network.
CIDR notation = Classless Inter-Domain Routing notation
📌 Practice with an Online IP Subnet Calculator.
An IPv6 address is a 128 bits address, consisting of 16 bits hexadecimal numbers (case insensitive) grouped in 8 segments, separated by a colon (:).
Zeros can be skipped.
The first half of an address is the network part, the other half is the device part:
The first 3 segments (upper 48 bits) are used for the Internet global network addresses.
The 4th segment of 16 bits is the Subnet Id, defining subnets.
The last 4 segments of 64 bits are the Interface/Device Id.
Reserved addresses:
Types of IPv6 address formats:
Global Unicast - start with "2001:", routable on the Internet (equivalent of IPv4 public addresses).
Unique Local - used inside an internal network, routed only internally.
Link Local - start with "fe80:", used inside an internal network, not routed, self assigned (no DHCP server).
The number of bits used for the prefix is the prefix length, like the IPv4 subnet mask.
Refer to the RFC 3513 for more examples and details.
📌 Practice with an IPv6 Subnet Calculator.
⚡ P.T. Usage:
Perform network traffic inspection
Understand routing protocol attacks
The forwarding policy of the IP datagrams through routers is base on routing protocols which determine the best path to reach a network.
The destination address of every incoming packet is inspected and forwarded through a router interface.
IP-to-interface bindings are written in the routing table.
A router performs a lookup in the routing table and choose the right interface to forward the packets.
When the destination is an unknown network, the default address is used for the forwarding (0.0.0.0). This entry is contained in the routing table.
Let's have 3 different interfaces on a router with this routing table as a result:
| IP (CIDR) | Netmask | Interface # |
|---|---|---|
210.95.0.0/16 | 255.255.0.0 | 1 |
192.168.15.0/24 | 255.255.255.0 | 2 |
0.0.0.0/0 | 0.0.0.0 | 3 "default route" |
A packet arriving on interface #3 for 192.168.15.100 is forwarded on the Interface #2, since it matches the second entry in the table.
A packet arriving on interface #1 for 2.215.47.3 is routed through Interface #3, the default route.
During path discovery a metric is assigned to each link, to make sure the fastest route is selected in case of the same number of hops in two or more paths, according to the channel's estimated bandwidth and congestion.
💻 Routing tables are stored by every host. Commands below are used to check the routing table on different operating systems:
| Command | Operating System |
|---|---|
| Linux |
| Windows |
| Mac OS X / Linux |
Linux OS
Windows OS
Mac OS X / Linux
⚡ P.T. Usage:
MAC Spoofing
Sniffing techniques
MITM (Man in the middle) attacks
Testing switches security
Link layer devices and protocols only deal with the next-hop, in the link layer of the TCP/IP stack, working with frames (layer 2 packets).
Hubs/Switches forward frames on a local network.
They work with MAC addresses.
While IP addresses are the Layer 3 (Network layer) addressing scheme, MAC addresses uniquely identify a network card on the Layer 2.
MAC (Media Access Control) address is known as the physical address.
A MAC Address is 48 bits (6 bytes) long, expressed in hexadecimal form - 00:0C:AA:4F:79:6E
Every host on a network has a MAC and an IP address.
💻 Discover network cards MAC address with the commands below:
| Command | Operating System |
|---|---|
| Linux |
| Windows |
| *nix / Mac OS X |
| Linux - useful for fast finding IP interface |
Linux OS
The router has two interfaces, each with its own IP and MAC addresses.
Every host has an IP and MAC address.
The router will not change the source and destination IP addresses.
When a device sends a packet:
Destination IP address = Destination host IP address (remains the same, global information)
Destination MAC address = Next hop MAC address (the network knows where to forward the packet)
Broadcast MAC address: FF:FF:FF:FF:FF:FF
A frame with this address is delivered to all the hosts in the local network.
Hubs are repeaters that simply forward packets (repeating the electric signals) on all the ports.
Do not check any header.
Every host receives the same packets.
Very rare nowadays and replaced by switches.
Layer 2 Switches work with MAC addresses.
Switches can have multiple interfaces (4 ports for "home switches", 64 ports for "corporate switches")
Different packet forwarding speed: 10 Mbps (megabits per second) to 10 Gbps.
Corporate networks use to have a multi-switch network to accommodate more hosts.
by using switches without VLANs, networks are not segmented.
routers do the segmentation in those cases, since every interface is attached to different subnets.
Switches need to keep a forwarding table that binds MAC addresses to interfaces, called CAM table (Content Addressable Memory table).
Contains: MAC addresses, interface used for delivery, TTL (time to live).
Stored in the device's RAM.
Constantly refreshed with new info.
Multiple hosts might be connected on the same interface (via another switch).
Interfaces without any host attached might be present.
Since the CAM table has a finite size, the TTL determines how long an entry will stay in the table.
When an entry expires, it's automatically removed from the table.
Switches learn new MAC address dynamically, inspecting the header of every packet they receive, populating the CAM table. They just use the source MAC address to decide the interface to use for the forwarding.
CAM Table Population - The source MAC address is compared to the CAM table:
if the MAC address is not in the table, it will be added as a new MAC-Interface binding to the switch table.
if the MAC is already in the table, its TTL gets updated.
if the MAC is in the table, but not bound to another interface, the switch will update the table.
To forward a packet, the switch:
reads the destination MAC address of the frame.
performs a look-up in the CAM table.
forwards the packet to the corresponding interface.
if no entry is found with that MAC address, the switch will forward the frame to all its interfaces.
ARP (Address Resolution Protocol) is used to build the correct IP Address - MAC Address binding when a host do not know the MAC address of the other network nodes.
For example, when HostA wants to send traffic to HostB and it only knows the HostB IP address:
HostA builds an ARP request with the HostB IP address and FF:FF:FF:FF:FF:FF as destination MAC address.
The switch will forward the packet to every host on the network.
HostB replies with an ARP reply, containing its MAC address.
HostA will save the IP - MAC binding of HostB in its ARP cache.
No new ARP resolution round will be needed for further traffic from HostA to HostB.
ARP cache entries have a TTL too. Entries are discarded by a host at the power off or when entry's TTL expires.
💻 Check the ARP cache on a host with the commands below:
| Command | Operating System |
|---|---|
| Linux |
| Windows |
| *nix / Mac OS X |
Linux
Windows
⚡ P.T. Usage:
TCP Session attacks
Advanced DoS (Denial of Service) attacks
Network scanning
TCP (Transport Control Protocol) and UDP (User Datagram Protocol) are the most common transport layer protocols used on the Internet.
📕 Considerations:
Computer networks can be unreliable.
Network congestion, loss of connection and other technical issues can cause a packet loss during the communication.
Key differences:
| TCP | UDP |
|---|---|
Connection-oriented protocol | Connectionless protocol |
Reliable, guarantees packet delivery | Delivery of data is not guaranteed |
Slower speed, lower throughput, heavy-weight | Faster than TCP, better throughput, lightweight |
Delays when network congested | Less delay, possibility of data loss |
Acknowledgment segments | No acknowledgment segments |
Used by majority of applications (Email client, Web browsers, Ftp clients) | Used by multimedia applications (VoIP, Audio/Video streaming) |
Ports are used to identify a single network process, to make sure the transport layer know what the destination process is.
<IP>:<Port> pair identifies a process on a network. For example: 192.168.13.2:80
1024 well-known ports are used for the most common services: 0-1023. They are assigned by IANA in this registry.
A daemon is a program that runs a service. Its configuration can be changed, so the service listening port can be changed in order to make recognition harder.
Server-Client applications know which port to use because the TCP/UDP header contains two fields for the source/destination ports.
Common ports:
| Port | Service |
|---|---|
21 | FTP |
22 | SSH |
23 | Telnet |
25 | SMTP |
80 | HTTP |
110 | POP3 |
137, 138, 139 | NetBIOS |
143 | IMAP |
443 | HTTPS (HTTP over SSL) |
1433-1434 | Microsoft Sql Server |
3306 | MySQL |
3389 | RDP (Terminal Server) |
💻 Check listening ports and TCP connections on a host with the commands below:
| Command | Operating System |
|---|---|
| Linux |
| Windows |
| *nix / Mac OS X |
Linux
Windows
TCPView tool from Microsoft Sysinternals shows detailed listings of all TCP and UDP connections.
A three-way handshake process is necessary to establish a connection between two hosts running TCP (server/client).
The TCP header fields involved in the handshake are:
Sequence number
Acknowledgment number
ACK flag
SYN flag
The 3 steps in the handshake synchronize the sequence and acknowledgment numbers between the server and the client:
Client sends a TCP packet (SYN segment) to the server with:
SYN=1 (flag enabled) - request to establish connection and data synchronization with server
ACK=0 (flag disabled) - no acknowledgment of request
ISN=7001 - Random initial sequence number set
ACK # = NULL - acknowledgment number set to null
Server replies by sending a TCP packet (SYN/ACK segment) with:
SYN=1 (flag enabled) - request to establish connection and data synchronization with client
ACK=1 (flag enabled) - acknowledgment of request
ISN=3001 - Random initial sequence number set
ACK # = [client ISN + 1] = 7002 - adding 1 to the client's ISN and acknowledge the client's request
Client replies with a TCP packet (ACK segment) with:
SYN=0 (flag disabled) - no more requests
ACK=1 (flag enabled) - acknowledgment of request
ISN=7002 - Server's sequence number received
ACK # = [server ISN + 1] = 3002 - adding 1 to the server's ISN and acknowledge the server's request
📌 By performing the above 3-way handshake, the client-server connection is fully established and the data transfer process can begin. TCP automatically terminates the connection after the data transmission process is over.
⚡ P.T. Usage:
Firewall evasion
Advanced stealth scanning
Filtering evasion
There exists different appliances/devices used to protect the network with different techniques (access control, attack detection, attack prevention).
A Firewall is a specialized software module running on a computer or a dedicated hardware device.
Access control to network resources and services.
Can work on different layers of the OSI model (different features and protections).
Firewalls monitor and filter all the traffic and data coming in and out of a network.
System administrators can create rules with specific filter on the packets: Source / Destination IP, Source / Destination Port, Protocol.
Packet filters inspect the header of every packet, but not the packet content.
Packet inspections common actions are:
Allow: allow the packet to pass
Drop: drops the packet, with no diagnostic message to the source host
Deny: do not let the packet pass, but notify the source host
📌 Any kind of application layer traffic will pass, so packet filtering is not enough to stop layer 7 attacks like:
XSS exploit
Buffer overflow
SQL injection
others...
Application firewalls checks all the OSI 7 layers and provide a more comprehensive protection.
Control of the execution of files or code by specific applications.
Content of a packet inspection.
Filter unwanted traffic and protect a network from external attacks.
IDS (Intrusion Detection Systems) inspect the application payload trying to detect any potential attack.
Detect ongoing intrusions, attack vectors (ping sweeps, port scans, SQL injections, BoF ...)
Detection is performed by lots of sensors, inspecting the network activity.
Identify traffic generated by a work or a virus, by means of signatures patterns (like an antivirus) frequently updated by the vendor.
IDS cannot detect intrusions if it does not already know them.
False positives are presented when legit traffic is flagged as malicious.
Intercepted intrusions are communicated to the IDS manager, a software in charge of maintaining policies, with a management console for the sysadmin.
📕 IDS do not substitute firewalls!
They support firewall with a further layer of security, monitoring the traffic and reporting well-known malicious activity.
Suspicious activity is logged for future analysis, but it is not blocked.
| IDS Category | Description |
|---|---|
| Identifies intrusions by examining network traffic and monitors multiple hosts. Uses sensors placed on a router or on a high intrusion risk network (DMZ). Example: Snort |
| Identifies intrusions by analyzing system calls, application logs, file-system changes, host activities. Uses sensors/agent installed on a host. Example: OSSEC |
IPS (Intrusion Prevention Systems) detect malicious activity and block it by not allowing the traffic to gain access to its target network.
IPS drop malicious requests when a threat has a risk classification above a pre-defined threshold.
Detective and preventive technology.
IPS inspect real time traffic, detect and classify it, and prevent the attacks on detection.
The presence of a firewall-like mechanism in the environment can be checked by looking at the the TCP 3-way handshake.
An environmental constraint (FW, IPS, IDS, etc) may be in place, when:
TCP SYN are sent, but there are no TCP SYN/ACK replies.
TCP SYN are sent, but a TCP RST/ACK reply is received.
Firewalls can be used to implement NAT (Network Address Translation) and IP masquerading.
Take a machine inside a private network, that is using the NAT device as its default gateway. The machine can access the Internet if the NAT device allows the traffic to pass.
NAT rewrites the source IP address of every packet, setting it to the default gateway public IP (for example) and masquerading the original client's IP address.
📌 A machine on the Internet will never know the original client's IP address. Take a home router as an example.
🔬 Check Find the Secret Server lab.
⚡ P.T. Usage:
SSL/TLS certificates validation relies on DNS
Mounting spoofing attacks
Performing information gathering
The DNS (Domain Name System) is an application layer protocol.
It is a service which translates human-readable resource names/URLs to their corresponding IP addresses - name resolution.
It is a very important service and the Internet security relies upon DNS.
The global domain names and IPs database forms the DNS network hierarchy of DNS servers.
The FQDN (Fully Qualified Domain Name) is the domain name that specifies its location in the DNS hierarchy and it consists of the following parts:
TLD (Top Level Domain)
Domain part (Second level domains)
Sub-Domain part (when present)
Host Name
For example: my.ine.com
| Host Name | Domain Name | Top Level Domain |
|---|---|---|
my | ine | com |
DNS queries use UDP protocol.
A resolver server must be contacted by the client O.S. to perform the DNS resolution. These servers are public or provided by the ISP, and they convert the DNS name into an IP address:
The resolver contacts one of the root name servers, which contains information about the top-level domains.
The root server returns the IP address for the TLD nameservers.
The resolver asks the TLD nameserver for the IP address of the Authoritative Name Server, that can give information about the domain.
For every subdomain, step 3 is performed again on the authoritative DNS server.
The resolver finally asks for the host name resolution, caches the response and returns it back to the client.
📌 The 13 DNS Root servers IP addresses are hardcoded in the configuration of the resolver and publicly available.
DNS can also convert an IP into a DNS name - Reverse DNS lookup (rDNS)
This feature have to be manually enabled and configured by the administrator of the domain.
Many tools use the reverse DNS when available, like ping utility.
📌 Check more advanced explanation at the Cloudflare DNS Glossary.
Wireshark is a network sniffer tool and protocol analyzer.
It can capture and analyze all the traffic seen by network interfaces of the computer running it.
Most NIC (Network Interface Cards) can work in promiscuous or monitor mode.
In promiscuous mode a network card will accept and process any packet it receives (hub network for example), instead of discarding any packet addressed to another NIC (normal operation).
Sniffing other machines traffic in switched networks is harder than in hub-based networks. An ARP poisoning or a MAC flooding attack has to be performed in order to do that.
WiFi medium (the air) is broadcast by nature, so it is possible to detect traffic destined to a different host.
Open wireshark as admin/root user.
Select the capture interface from the main page and start capturing with double-click on it:
To check for the capture options before starting it, click "Capture" in the menu, in the window that opens, there are some useful informations:
used interface
NIC in promiscuous mode
capture filtering
Captured traffic can be saved in a PCAP files, that can be opened with wireshark, resulting in this view:
Upper pane: useful information like Source, Destination, Protocol, Info (protocol specific).
Center pane: packet layer by layer with all the protocols used by the packet.
Bottom pane: packet payload
Wireshark can filter traffic at capture or at display time.
Capture filters can be set before starting the capture and Wireshark will capture only packets matching the filters.
Pro: They downsize the amount of traffic gathered, with the final capture smaller.
Con: Cannot tune filter during capture, must restart capture from scratch.
Display filters allow to inspect and apply granular filters to every field of the packets.
Pro: Can always remove or tune a display filter. Might catch interesting traffic.
Cons: larger PCAP file.
Display filters and captures examples:
arp request example:
ping my.ine.com / DNS query example:
TCP 3-way handshake:
First package has SYN flag set
Second package has SYN + ACK flags set
Third package has ACK flag set
📌 Refer to the Wireshark User's Guide for more in depth information.
🔬 Check Data-Exfiltration lab.
