TCP/IP Concepts (Part 1)

Posted Oct 27, 2013

January 14 and 19, 2010
MIS 4600 - © Abdou Illia

Objectives

- Describe the TCP/IP protocol set
- Explain how TCP/IP knowledge helps in hacking & countermeasures
- Use TCP/IP commands/utilities

Overview of TCP/IP

- Transmission Control Protocol/Internet Protocol (TCP/IP)
- Most widely used protocol set
- TCP/IP is a protocol set with 4 layers*
- Protocol: the common language used by computers for "speaking" to each other
- IPX/SPX is another protocol set, used in Novell networks.
- Some companies protect their network by using IPX/SPX internally: hosts that speak only IPX/SPX are not directly reachable from the TCP/IP Internet, a "poor man's firewall".

[Figure: Computer 1 and Computer 2, each with a stack of Layer 1 to Layer 4, communicating over a TCP/IP network; a separate IPX/SPX LAN is shown alongside]

* A layer can be seen as a group of tasks/activities/jobs

TCP/IP protocol set

[Figure: Computer 1 and Computer 2, each with an Application layer, Transport layer, Internet layer and Network Interface layer]

TCP/IP is implemented as software and hardware that work together to create messages that can be "understood" by each computer.

The Application Layer

- Front end to the lower-layer protocols
- Many Application layer protocols: HTTP, FTP, SMTP, DNS, etc.
- Includes network services and client software
- Examples: Web (HTTP service), Web browser


Commands/utilities for connecting & using
Application layer network services:


ftp:
used to transfer files between clients and servers


telnet
servername

[port number]
: to log on to a server

Application layer

Transport layer

Internet layer

Interface layer

Computer 1

Using the ftp utility

6


Help
command
: give info about the
command


Open
ftp.eiu.edu

should open an ftp session with the
ftp.eiu.edu

server.


Some public anonymous ftp servers: ftp.arsc.edu, ftp.ussg.iu.edu,
ftp.loc.gov/pub. Detailed list at
http://www.ftp
-
sites.org/


[Instructor will show how to use ftp]


Unlike SFTP, FTP is not secure because it allows anonymous logins.


Most companies do not allow FTP connection to their servers.


If user has an account, they can use it to connect using SFTP
-
based
client program.

Questions

1) Based on your knowledge of the ftp utility and ftp-based client programs, what do you think a hacker needs in order to connect to a specific secure ftp server? Name three things that are absolutely required.

________________________, ______________________, ___________________

2) Which of the three things you have mentioned is the hardest to get?

_________________________

3) Once connected to an ftp server, a hacker can upload/download files only based on the permissions associated with the user account he/she has used to connect. Imagine that the only permissions associated with the user account are to see and download files that are in the default ftp directory. Name two things that must occur to make it possible for the hacker to go beyond just seeing and downloading files that are in the default directory and be able to browse through the entire directory structure and upload files to the server, for instance.

______________________________, _______________________________

The Transport Layer

- Prepares Application layer messages for proper "transportation" to a receiving device
- Main protocols used:
  - The TCP protocol, for connection-oriented "dialog"
  - The User Datagram Protocol (UDP), for connectionless transmissions
- Makes sure messages arrive at the destination exactly as they left the source (in the case of connection-oriented communication)
- TCP opens connections using a 3-way handshake:
  - Computer 1 sends a Synchronization (SYN) request
  - Computer 2 replies with a Synchronize-Acknowledgement (SYN-ACK) packet
  - Computer 1 replies with an ACK packet

[Figure: Computer 1 and Computer 2 protocol stacks, with the Transport layers exchanging SYN, SYN/ACK and ACK; Computer 1 stack with the Transport layer highlighted]
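The sequence-number bookkeeping behind the handshake, as an added Python example (not part of the original slides): a SYN consumes one sequence number, so each side acknowledges the other's initial sequence number (ISN) plus one, and a server only treats the connection as established when the final ACK matches the ISN it chose. The port numbers and the fixed ISNs are arbitrary assumptions for illustration. The last function models the point made later in the deck about guessable sequence numbers: an attacker who sends a SYN from a forged source address never sees the SYN-ACK and has to guess the server's ISN to complete the handshake.

```python
import secrets
from dataclasses import dataclass

MOD32 = 2 ** 32  # sequence and acknowledgment numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """Just the header fields that matter for connection setup (assumed model,
    not the wire format)."""
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset


def random_isn() -> int:
    """Initial sequence number drawn from a CSPRNG, as modern stacks do."""
    return secrets.randbelow(MOD32)


def three_way_handshake(client_isn, server_isn, client_port=1958, server_port=80):
    """The three segments of a handshake. A SYN occupies one sequence number, so the
    peer acknowledges ISN + 1 and the next segment is numbered ISN + 1 as well."""
    syn = Segment(client_port, server_port, client_isn, 0, frozenset({"SYN"}))
    syn_ack = Segment(server_port, client_port, server_isn,
                      (client_isn + 1) % MOD32, frozenset({"SYN", "ACK"}))
    ack = Segment(client_port, server_port, (client_isn + 1) % MOD32,
                  (server_isn + 1) % MOD32, frozenset({"ACK"}))
    return syn, syn_ack, ack


def server_accepts(syn, syn_ack, ack) -> bool:
    """What a listening host verifies before it considers the connection established:
    the final ACK comes from the same ports, carries the client's ISN + 1 as its
    sequence number and acknowledges exactly the ISN the server chose, plus 1."""
    return (syn.flags == {"SYN"}
            and syn_ack.flags == {"SYN", "ACK"}
            and ack.flags == {"ACK"}
            and (ack.src_port, ack.dst_port) == (syn.src_port, syn.dst_port)
            and syn_ack.ack == (syn.seq + 1) % MOD32
            and ack.seq == (syn.seq + 1) % MOD32
            and ack.ack == (syn_ack.seq + 1) % MOD32)


def blind_spoof_attempt(server_isn, guessed_server_isn, forged_client_isn=1000) -> bool:
    """Model of a blind spoofed connection: the attacker's SYN carries a forged source
    address, so the SYN-ACK (and the real server ISN in it) goes to someone else. The
    attacker must guess that ISN to forge the final ACK. True only if the guess was
    right, which is why predictable ISNs are dangerous and random ones the countermeasure."""
    syn, real_syn_ack, _ = three_way_handshake(forged_client_isn, server_isn)
    forged_ack = Segment(syn.src_port, syn.dst_port, (forged_client_isn + 1) % MOD32,
                         (guessed_server_isn + 1) % MOD32, frozenset({"ACK"}))
    return server_accepts(syn, real_syn_ack, forged_ack)


if __name__ == "__main__":
    c_isn, s_isn = random_isn(), random_isn()
    for seg in three_way_handshake(c_isn, s_isn):
        print(sorted(seg.flags), "seq", seg.seq, "ack", seg.ack)
    print("honest handshake accepted:", server_accepts(*three_way_handshake(c_isn, s_isn)))
    print("blind spoof, wrong guess:", blind_spoof_attempt(s_isn, (s_isn + 1) % MOD32))
```

With a 32-bit random ISN a blind guess succeeds about one time in four billion per attempt; with the sequential or time-based ISNs of older stacks it succeeded routinely, which is why ISN randomization is the standard countermeasure.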

The Internet Layer

- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- Main protocols used: IP and ICMP
- Internet Control Message Protocol (ICMP)
  - Used to send messages related to network operations
  - Helps in troubleshooting a network
- Some Internet layer commands/utilities for troubleshooting network connections (more complex versions are included in hacking tools):
  - ping: determines whether a computer is reachable (i.e. whether it answers ICMP echo requests)
  - traceroute and tracert: determine the route taken to get to a computer

[Figure: Computer 1 protocol stack with the Internet layer highlighted]

ICMP message types are used by network administrators to troubleshoot network connectivity (type 8, echo request, and type 0, echo reply, used by the PING command), to track an IP packet's route (the TRACERT and TRACEROUTE commands send probes with increasing TTL values and rely on the type 11 Time Exceeded message each router on the path sends back; the dedicated Traceroute message, type 30 of RFC 1393, was never widely deployed), etc. Filtering on the appropriate ICMP types lets firewalls be configured to block this kind of reconnaissance by outsiders.

Using the ping utility

- Most companies do not allow "pinging" their computers from outside.

[Screenshot: pinging under Windows OS]

[Screenshot: pinging under Linux]

Later, we will see how some of these pinging options may be used in security attacks.

Using tracert and traceroute

- As Network [Internet] layer tools, tracert and traceroute generate a network map, showing how to get to a target computer.

[Screenshot: tracert/traceroute output]

- Some of these options may be abused by hackers, as we will see later.
- (Callout on one hop in the screenshot:) This is likely a firewall or a router in EIU's network whose real IP address is hidden using Network Address Translation, or a device that simply does not send ICMP Time Exceeded replies.

Questions

[Screenshot: pinging under Windows OS]

Based on your knowledge of the PING command, what possible damage may be done when it is used with the -l option (which sets the size of the data sent in each echo request)?

The Network Interface Layer

- Represents the network pathway (i.e. transmission media)
- Implemented through Network Interface Cards (NICs)
- Includes the Medium Access Control (MAC) address
  - The MAC address is a physical address recorded on the NIC
- Breaks packets into frames and adds a header carrying the source and destination MAC addresses (and a trailer with an error-check field) to each
- Converts messages into signals for transmission

[Figure: Computer 1 protocol stack with the Network Interface layer highlighted]

Sending a message using TCP/IP

- Generating the message at the Application layer
- Encapsulation: adding protocol headers (H) and trailers (T) to pack the message.

[Figure: on the user PC, the HTTP request (example: http://www.eiu.edu) passes down the stack:
  Application:       HTTP req.                                  (HTTP request)
  Transport:         TCP-H | HTTP req.                          (TCP segment)
  Internet:          IP-H | TCP-H | HTTP req.                   (IP packet)
  Network Interface: NI-H | IP-H | TCP-H | HTTP req. | NI-T     (frames)
and is then placed on the transmission medium]

Receiving a TCP/IP message

- Frames arrive through the network interface
- De-encapsulation: removing protocol headers (H) and trailers (T) to access the request

[Figure: on the user PC, the frames from the transmission medium pass up the stack:
  Network Interface: NI-H | IP-H | TCP-H | HTTP req. | NI-T     (frames)
  Internet:          IP-H | TCP-H | HTTP req.                   (IP packet)
  Transport:         TCP-H | HTTP req.                          (TCP segment)
  Application:       HTTP req.                                  (HTTP request, example: http://www.eiu.edu)]
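Encapsulation and de-encapsulation from the two figures above, as an added Python example (not from the slides): an HTTP request is wrapped in a TCP header, an IP header, and an Ethernet header plus a CRC-32 trailer (NI-H and NI-T in the figure), then unwrapped again, with each layer checking its type field before handing the rest upward. The MAC addresses, the documentation-range IP addresses, the ports and the sequence numbers are made-up sample values; the TCP and IP checksums are left at zero to keep the focus on layering.

```python
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_PSH_ACK = 0x018  # flags a data-carrying segment in an open connection typically has


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def encapsulate(http_request: bytes, src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, seq: int = 0, ack: int = 0) -> bytes:
    """Send side of the figure: Application data -> TCP segment -> IP packet -> frame."""
    # Transport: 20-byte TCP header (data offset 5) in front of the request = TCP segment
    tcp_h = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        (5 << 12) | TCP_PSH_ACK, 65535, 0, 0)
    segment = tcp_h + http_request
    # Internet: 20-byte IP header (version 4, IHL 5, DF set, TTL 64, protocol 6) = IP packet
    ip_h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64,
                       IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    packet = ip_h + segment
    # Network Interface: Ethernet header (NI-H) ... CRC-32 frame check sequence (NI-T) = frame
    eth_h = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    fcs = struct.pack("<I", zlib.crc32(eth_h + packet))  # FCS goes on the wire LSB first
    return eth_h + packet + fcs


def de_encapsulate(frame: bytes) -> dict:
    """Receive side: strip one header per layer, checking the demultiplexing field
    (EtherType, IP Protocol) before passing what is left up the stack."""
    if len(frame) < 14 + 20 + 20 + 4:
        raise ValueError("frame too short to hold Ethernet + IP + TCP headers")
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("frame check sequence mismatch: frame corrupted in transit")
    dst_mac, src_mac, ethertype = body[:6], body[6:12], struct.unpack("!H", body[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet: EtherType 0x%04x" % ethertype)
    packet = body[14:]
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, sip, dip = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IP version 4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_TCP:
        raise ValueError("IP payload is not TCP: protocol %d" % proto)
    segment = packet[ihl:total_len]                 # trailing padding, if any, is dropped here
    if len(segment) < 20:
        raise ValueError("IP payload too short for a TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(sip), "dst_ip": socket.inet_ntoa(dip), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0xFF,
        "http_request": segment[data_offset:],      # what the Application layer finally sees
    }


# Constructed sample: the request a browser would send for http://www.eiu.edu
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: www.eiu.edu\r\n\r\n"


def roundtrip(request: bytes = SAMPLE_REQUEST) -> bytes:
    frame = encapsulate(request, "00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "203.0.113.10", "192.0.2.80", 1958, 80, seq=1, ack=1)
    return de_encapsulate(frame)["http_request"]


if __name__ == "__main__":
    print(roundtrip())
```

Each layer only looks at its own header and at the one field that tells it who the payload belongs to; a frame with the wrong EtherType, a packet with the wrong Protocol number or a corrupted FCS is rejected at that layer and never reaches the application.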

TCP Segment

Bit:   0-3          4-7         8-15                              16-31
       Source port                                                Destination port
       Sequence number
       Acknowledgment number
       Data offset  Reserved    CWR ECE URG ACK PSH RST SYN FIN   Window Size
       Checksum                                                   Urgent pointer
       Options (if Data Offset > 5)
       Data Field (should contain the HTTP request, based on our previous example)


- Source port (16 bits): a number that identifies the Application layer program used to send the message.
- Destination port (16 bits): a number that identifies the Application layer program the message is destined to.
- Sequence number (32 bits): numbers the bytes being sent so that the receiver can put segments back in order and detect loss. Hackers who can guess the next sequence number may hijack the conversation. Has a dual role:
  - If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data byte (and the acknowledged number in the corresponding ACK) will then be this sequence number plus 1.
  - If the SYN flag is clear, then this is the sequence number of the first data byte in this segment.
- Acknowledgment number (32 bits): if the ACK flag is set, then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
- Data offset (4 bits): specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, giving a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.

TCP Segment (cont.)

- Flags (8 bits) (aka Control bits): contains 8 1-bit flags
  - CWR (1 bit): Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and has responded with its congestion control mechanism (added to the header by RFC 3168).
  - ECE (1 bit): Explicit Congestion Notification-Echo indicates:
    - If the SYN flag is set, that the TCP peer is ECN capable.
    - If the SYN flag is clear, that a packet with the Congestion Experienced flag set in its IP header was received during normal transmission (added to the header by RFC 3168).
  - URG (1 bit): indicates that the Urgent pointer field is significant
  - ACK (1 bit): indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  - PSH (1 bit): Push function
  - RST (1 bit): Reset the connection
  - SYN (1 bit): Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid when it is set, and others when it is clear.
  - FIN (1 bit): No more data from sender


TCP Segment (cont.)

- Window size (16 bits): the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the receiver is currently willing to receive.
- Checksum (16 bits): used for error-checking of the header and data. It is computed over a pseudo-header (source and destination IP addresses, protocol number and TCP length) followed by the TCP header and data, so a segment whose IP addresses are rewritten (e.g. by NAT) must have its checksum recomputed.
- Urgent pointer (16 bits): if the URG flag is set, then this field is an offset from the sequence number indicating the last urgent data byte.


TCP Ports

- A port number identifies the service that is running on a host
- Knowing which ports are open helps you stop or disable services that are not needed
- Every open port is an invitation for an attack
- Only the first 1024 ports (0 through 1023) are considered well-known
- List of well-known ports
  - Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)

Port       Service                                Explanation
20 and 21  File Transfer Protocol (FTP)           Used for sharing files over the Internet (21 carries
                                                  the commands, 20 the data connection in active mode).
                                                  Requires a logon name and password. More secure than
                                                  Trivial File Transfer Protocol (TFTP).
25         Simple Mail Transfer Protocol (SMTP)   E-mail servers listen on this port.
53         Domain Name Service (DNS)              Resolves host names to IP addresses, so users can reach
                                                  Web sites using URLs instead of IP addresses (queries
                                                  normally use UDP port 53; zone transfers and large
                                                  answers use TCP port 53).
69         Trivial File Transfer Protocol (TFTP)  - Can be implemented using a very small amount of memory.
                                                  - Implemented on top of the User Datagram Protocol (UDP)
                                                    using port number 69.
                                                  - Used for transferring router configurations.
                                                  - TFTP only reads and writes files from/to a remote
                                                    server. It cannot list directories.
                                                  - Currently has no provisions for user authentication.
80         Hypertext Transfer Protocol (HTTP)     Used when connecting to a Web server.

TCP Ports (continued)

Port       Service                                Explanation
110        Post Office Protocol 3 (POP3)          Used for retrieving e-mails from a server.
119        Network News Transfer Protocol (NNTP)  For use with newsgroups.
135        Remote Procedure Call (RPC)            Critical for the operation of Microsoft Exchange Server
                                                  and Active Directory.
139        NetBIOS                                Used by Microsoft's NetBIOS Session Service.
143        Internet Message Access Protocol       Used for retrieving e-mail. Better than POP3: can keep
           (IMAP)                                 the mail on the server, allows searches, etc.

Netstat command line: displays the open ports on a computer, indicating what services/applications are running (netstat -an lists them with numeric addresses on both Windows and Linux).

IP Header

- Version: indicates the version of IP in four bits. Should be 0100 for IPv4.
- Internet Header Length (IHL): tells the number of 32-bit words in the IP header (minimum 5, i.e. a 20-byte header without options).
- TOS: indicates the quality of service for delivering the packet: normal delay, high reliability, normal cost, high cost, etc.
- Total Length: defines the entire packet size (header + data) in bytes. The minimum length is 20 bytes (20-byte header + 0 bytes of data) and the maximum is 65,535. Subnetworks may impose restrictions on the size (their MTU), in which case packets must be fragmented. Fragmentation is handled in either the host or the router.

Bit:  0-3       4-7            8-15             16-18   19-31
      Version   Header length  Type Of Service  Total Length
      Identification                            Flags   Fragment Offset
      Time to Live             Protocol         Header Checksum
      Source Address
      Destination Address
      Options
      Data

IP Header

- Identification: primarily used for uniquely identifying the fragments of an original IP packet.
- Flags: a three-bit field used to control or identify fragments. They are (in order, from high order to low order):
  - Reserved, must be zero.
  - Don't Fragment (DF): if the DF flag is set and fragmentation is required to route the packet, then the packet will be dropped (and an ICMP "fragmentation needed" error is returned to the sender).
  - More Fragments (MF): when a packet is fragmented, all fragments have the MF flag set except the last fragment.


IP Header

- Fragment Offset: specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP packet, in units of 8 bytes. The first fragment has an offset of zero.
- TTL: helps prevent packets from persisting (e.g. going in circles) on an internet. Originally specified in seconds (time intervals less than 1 second are rounded up to 1); in practice it is a hop count: each router decrements it by one and discards the packet when it reaches zero.
- Protocol: defines the protocol used in the data portion of the IP packet. Common protocols and their codes are: 1: Internet Control Message Protocol (ICMP), 2: Internet Group Management Protocol (IGMP), 6: Transmission Control Protocol (TCP), 17: User Datagram Protocol (UDP), 89: Open Shortest Path First (OSPF), 132: Stream Control Transmission Protocol (SCTP).


IP Header

- Header Checksum: used for error-checking of the header only. At each hop, the checksum of the header must be compared to the value of this field. If a header checksum is found to be mismatched, then the packet is discarded. Because the TTL changes at every hop, each router has to recompute it. Note that errors in the data field are up to the encapsulated protocol to handle.



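The IP header fields described on these slides, put to work in an added Python example (not from the slides): an IPv4 header is built and parsed, its header checksum verified and recomputed the way a router does after decrementing the TTL, and a datagram larger than a link's MTU is split into fragments (MF set on all but the last, offsets in 8-byte units, DF respected) and reassembled again. The addresses, payloads and MTU value are constructed sample values; the protocol-number table is the one on the slide.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"                 # the 20-byte header without options
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF", 132: "SCTP"}
DF, MF = 0x4000, 0x2000                  # flag bits in the 16-bit flags + fragment offset word
OFFSET_MASK = 0x1FFF                     # 13-bit fragment offset, in 8-byte units


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header: bytes) -> int:
    """Checksum over the header only, with its own checksum field treated as zero."""
    return (~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])) & 0xFFFF


def build_packet(src_ip, dst_ip, proto, payload, ident=0x1234, ttl=64, flags=0, frag_offset=0):
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags | frag_offset, ttl,
                      proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_packet(packet: bytes) -> dict:
    ver_ihl, _tos, total, ident, ff, ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total < ihl or total > len(packet):
        raise ValueError("length fields inconsistent with the buffer")
    if ones_complement_sum(packet[:ihl]) != 0xFFFF:   # an intact header sums to all ones
        raise ValueError("header checksum mismatch: packet discarded")
    return {"ihl": ihl, "total_length": total, "id": ident, "df": bool(ff & DF),
            "mf": bool(ff & MF), "frag_offset": (ff & OFFSET_MASK) * 8, "ttl": ttl,
            "protocol_num": proto, "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "data": packet[ihl:total]}


def forward_hop(packet: bytes):
    """What each router does: decrement TTL and recompute the header checksum. A packet
    whose TTL would reach 0 is discarded (and the router sends back an ICMP Time Exceeded,
    the reply traceroute listens for); None models that drop."""
    p = parse_packet(packet)
    if p["ttl"] <= 1:
        return None
    hdr = bytearray(packet[:p["ihl"]])
    hdr[8] -= 1
    hdr[10:12] = struct.pack("!H", header_checksum(bytes(hdr)))
    return bytes(hdr) + packet[p["ihl"]:]


def fragment(packet: bytes, mtu: int) -> list:
    """Split a datagram that does not fit the next link. Data is cut in multiples of
    8 bytes because the offset field counts 8-byte units; every piece but the last
    carries MF; a DF packet that does not fit is dropped instead of fragmented."""
    p = parse_packet(packet)
    if len(packet) <= mtu:
        return [packet]
    if p["df"]:
        raise ValueError("DF set and packet larger than MTU %d: dropped" % mtu)
    chunk = (mtu - p["ihl"]) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    frags = []
    for off in range(0, len(p["data"]), chunk):
        piece = p["data"][off:off + chunk]
        last = off + chunk >= len(p["data"])
        frags.append(build_packet(p["src"], p["dst"], p["protocol_num"], piece, ident=p["id"],
                                  ttl=p["ttl"], flags=(MF if (not last or p["mf"]) else 0),
                                  frag_offset=(p["frag_offset"] + off) // 8))
    return frags


def reassemble(frags: list) -> bytes:
    """Put fragments (in any order) back together. Gaps and overlaps are rejected outright;
    the differing overlap policies of real stacks are a classic IDS-evasion trick."""
    parts = sorted((parse_packet(f) for f in frags), key=lambda q: q["frag_offset"])
    if len({(q["id"], q["src"], q["dst"], q["protocol_num"]) for q in parts}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data, expected = b"", 0
    for q in parts:
        if q["frag_offset"] != expected:
            raise ValueError("gap or overlap at offset %d" % q["frag_offset"])
        data += q["data"]
        expected += len(q["data"])
    if parts[-1]["mf"]:
        raise ValueError("last fragment missing")
    first = parts[0]
    return build_packet(first["src"], first["dst"], first["protocol_num"], data,
                        ident=first["id"], ttl=first["ttl"], flags=DF if first["df"] else 0)
```

Note that only the first fragment carries the transport header (the TCP or UDP ports), which is why a packet filter that inspects fragments individually cannot apply port rules to the later ones; reassembling before filtering, as above, avoids that blind spot.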

ICMP Packet

[Figure: an IP packet carrying an ICMP message; the IP header is in blue, the ICMP part in red]

Header (in blue): the IP header, with Protocol set to 1 (i.e. the number for ICMP)

Payload (in red):

- Type of ICMP message (8 bits)
- Code (8 bits)
- Checksum (16 bits), calculated over the ICMP part of the packet only (the IP header is not used)
- The ICMP 'Quench' (32 bits) field, which in this case (ICMP echo request and reply) is composed of an identifier (16 bits) and a sequence number (16 bits)
- Data for the different kinds of message (can be of arbitrary length, left to the implementation; however, unless the packet is to be fragmented, it must fit within the MTU of the network)
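The ICMP layout above, the ping command from the earlier slides and the question about its -l option, as one added Python example (not from the slides): it builds an echo request with the type/code/checksum/identifier/sequence header, checksums it over the ICMP bytes only, verifies and answers it as the pinged host would, builds the Time Exceeded message that traceroute relies on, and applies the inbound filter policy suggested on the ICMP slide (let replies and error reports in, keep echo requests from outside out). The identifier, the sequence numbers and the 32-byte payload are constructed sample values (the payload is the pattern Windows ping sends by default).

```python
import struct

ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ICMP_HDR = "!BBHHH"   # type, code, checksum, identifier, sequence (the 32-bit 'quench' word)


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_echo(msg_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Echo request (type 8) or reply (type 0), code 0. The checksum covers only the
    ICMP bytes, so it is computed with the field zeroed and then patched in."""
    if msg_type not in (ECHO_REQUEST, ECHO_REPLY):
        raise ValueError("not an echo type")
    head = struct.pack(ICMP_HDR, msg_type, 0, 0, ident, seq)
    csum = (~ones_complement_sum(head + data)) & 0xFFFF
    return struct.pack(ICMP_HDR, msg_type, 0, csum, ident, seq) + data


def build_time_exceeded(original_packet: bytes) -> bytes:
    """Type 11, code 0 (TTL expired in transit): 4 unused bytes, then the offending
    datagram's IP header plus its first 8 bytes, so the sender can match it up."""
    body = struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0) + original_packet[:28]
    csum = (~ones_complement_sum(body)) & 0xFFFF
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if ones_complement_sum(msg) != 0xFFFF:   # an intact message sums to all ones
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, csum, rest = struct.unpack("!BBH4s", msg[:8])
    out = {"type": msg_type, "code": code, "checksum": csum, "data": msg[8:]}
    if msg_type in (ECHO_REQUEST, ECHO_REPLY):
        out["id"], out["seq"] = struct.unpack("!HH", rest)   # for echo, the word is id + seq
    return out


def echo_reply_for(request: bytes) -> bytes:
    """What a pinged host does: same identifier, sequence and payload, type flipped to 0."""
    req = parse_icmp(request)
    if req["type"] != ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(ECHO_REPLY, req["id"], req["seq"], req["data"])


def ip_size_for_ping(data_len: int, ip_header_len: int = 20) -> int:
    """Total IP datagram size for a ping carrying data_len payload bytes (what ping -l sets
    on Windows, -s on Linux): IP header + 8-byte ICMP header + data. Above the link MTU
    the datagram is fragmented."""
    return ip_header_len + 8 + data_len


INBOUND_ALLOWED = {ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED}


def firewall_allows_inbound(msg: bytes) -> bool:
    """Border policy from the slide: answers to our own ping/traceroute and error reports
    come in; echo requests from outside (and malformed messages) are dropped, so outsiders
    cannot test internal hosts' connectivity."""
    try:
        return parse_icmp(msg)["type"] in INBOUND_ALLOWED
    except ValueError:
        return False


# Constructed sample: the 32-byte pattern Windows ping sends by default
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

if __name__ == "__main__":
    req = build_echo(ECHO_REQUEST, 0x0001, 1, WINDOWS_PING_DATA)
    print(req.hex(), parse_icmp(echo_reply_for(req)))
    print("1472 data bytes fill a 1500-byte Ethernet frame:", ip_size_for_ping(1472))
```

Because the payload is echoed back unchanged and its length is chosen by the sender, a ping with a large -l value costs the target bandwidth and fragment-reassembly buffers for every request, which is the connection to the question asked earlier about that option.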

Displaying email headers

Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31])
    by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC
    for <aillia@eiu.edu>; Wed, 8 Feb 2008 18:14:59 -0600 (CST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 8 Feb 2008 16:14:58 -0800
Message-ID: <BAY103-F2195A2F82610991D56FEC0B1030@phx.gbl>
Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP;
    Thu, 09 Feb 2008 00:14:58 GMT
X-Originating-IP: [192.30.202.14]          <-- Source IP Address
X-Originating-Email: [macolas@hotmail.com]
X-Sender: macolas@hotmail.com
In-Reply-To: <10E30E5174081747AF9452F4411465410C5BB560@excma01.cmamdm.enterprise.corp>
X-PH: V4.4@ux1
From: <macolas@hotmail.com>
To: aillia@eiu.edu
X-ASG-Orig-Subj: RE: FW: Same cell#
Subject: RE: FW: Same cell#
Date: Thu, 09 Feb 2008 00:14:58 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 09 Feb 2008 00:14:58.0614 (UTC) FILETIME=[DCA31D60:01C62D0D]
X-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
X-Barracuda-Spam-Score: 0.00

IP Address Locator: http://www.geobytes.com/IpLocator.htm

Display email headers in Gmail, Yahoo!, Hotmail: http://aruljohn.com/info/howtofindipaddress/
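Reading the Received: chain in the header block above, as an added Python example (not from the slides): each mail server prepends its own Received: line, so the bottom one is the origin and the top one was written by the receiving organization's own server (barracuda1.eiu.edu here). The sample is the slide's header block, trimmed to the lines the parser uses. X-Originating-IP is a header some webmail services add, so it is taken when present; the only hop the sender could not have forged is the topmost one.

```python
import ipaddress
import re
from email import message_from_string

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Sample taken from the slide above (header block trimmed to what the parser needs)
SAMPLE_HEADERS = "\n".join([
    "Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31])",
    "    by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC",
    "    for <aillia@eiu.edu>; Wed, 8 Feb 2008 18:14:59 -0600 (CST)",
    "Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;",
    "    Wed, 8 Feb 2008 16:14:58 -0800",
    "Message-ID: <BAY103-F2195A2F82610991D56FEC0B1030@phx.gbl>",
    "Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP;",
    "    Thu, 09 Feb 2008 00:14:58 GMT",
    "X-Originating-IP: [192.30.202.14]",
    "From: <macolas@hotmail.com>",
    "To: aillia@eiu.edu",
    "Subject: RE: FW: Same cell#",
    "", "",
])


def ips_in(text: str) -> list:
    """IPv4 addresses in a header value, dropping dotted quads that are not valid addresses."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
        found.append(candidate)
    return found


def received_chain(raw: str) -> list:
    """Received: headers oldest first, each reduced to the host after 'from' and the
    IPv4 addresses it mentions. Folded continuation lines are joined first."""
    msg = message_from_string(raw)
    chain = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(value)).strip()
        m = re.match(r"from (\S+)", text)
        chain.append({"from": m.group(1) if m else None, "ips": ips_in(text), "raw": text})
    return chain


def last_trusted_hop(raw: str):
    """The address that connected to *our* server: the topmost Received: line was added by
    the receiving MTA, so this is the only hop the sender could not have forged."""
    msg = message_from_string(raw)
    top = msg.get_all("Received", [])
    ips = ips_in(re.sub(r"\s+", " ", str(top[0]))) if top else []
    return ips[0] if ips else None


def originating_ip(raw: str):
    """Best guess at the sender's own address: X-Originating-IP when the webmail provider
    added it, otherwise the first address in the oldest Received: line. Everything below
    the top hop is the sender's claim, not evidence."""
    msg = message_from_string(raw)
    xo = msg.get("X-Originating-IP")
    if xo:
        ips = ips_in(str(xo))
        if ips:
            return ips[0]
    for hop in received_chain(raw):
        if hop["ips"]:
            return hop["ips"][0]
    return None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(hop["from"], hop["ips"])
    print("originating:", originating_ip(SAMPLE_HEADERS),
          "trusted hop:", last_trusted_hop(SAMPLE_HEADERS))
```

When using a result like this with an IP locator, keep the distinction the two functions make: last_trusted_hop is what your own server observed, originating_ip is what the rest of the header block claims.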

Decoding a captured TCP segment

Transmission Control Protocol, Src Port: http (80), Dst Port: 1958 (1958), Seq: 3043958669, Ack: 937013559, Len: 0
    Source port: http (80)
    Destination port: 1958 (1958)
    Sequence number: 3043958669
    Acknowledgment number: 937013559
    Header length: 24 bytes
    Flags: 0x0012 (SYN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 5840
    Checksum: 0x206a (correct)
    Options: (4 bytes)
        Maximum segment size: 1460 bytes
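The header layout and field descriptions on the preceding TCP segment slides, and the captured SYN/ACK decoded just above, as an added Python example (not from the slides): the slide's segment is rebuilt byte for byte, parsed back into its fields, and the flag byte decoded to the same SYN, ACK list; the options walker validates each option's length byte before trusting it, and the checksum routine implements the pseudo-header computation described under "Checksum". The slide does not show the capture's IP addresses, so the captured checksum value is carried as-is, and the 10.0.0.x addresses used to exercise the checksum helper are assumed for illustration.

```python
import socket
import struct

TCP_FMT = "!HHIIHHHH"   # the fixed 20-byte header, network byte order
FLAG_BITS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]   # bit 0 .. bit 7
OPT_MSS = 2   # option kind 2 = Maximum Segment Size


def pack_tcp_header(src_port, dst_port, seq, ack, flags, window,
                    checksum=0, urgent=0, options=b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)        # options are padded to a 32-bit boundary
    data_offset = 5 + len(options) // 4             # header length in 32-bit words
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack,
                       (data_offset << 12) | (flags & 0xFF), window, checksum, urgent) + options


def parse_options(raw: bytes) -> dict:
    """Walk the option list: kind 0 ends it, kind 1 is a 1-byte NOP, anything else is
    kind, length (counting these two bytes), value. The length byte is attacker
    controlled, so it is checked before it is used to index the buffer."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        opts[kind] = struct.unpack("!H", value)[0] if kind == OPT_MSS else value
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum 20-byte header")
    sp, dp, seq, ack, off_flags, win, csum, urg = struct.unpack(TCP_FMT, segment[:20])
    header_len = (off_flags >> 12) * 4              # Data offset, in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset %d bytes is inconsistent with the segment" % header_len)
    flags = off_flags & 0xFF
    return {
        "src_port": sp, "dst_port": dp, "seq": seq, "ack": ack, "header_len": header_len,
        "flags": flags, "flag_names": [n for b, n in enumerate(FLAG_BITS) if flags >> b & 1],
        "window": win, "checksum": csum, "urgent": urg,
        "options": parse_options(segment[20:header_len]), "data": segment[header_len:],
    }


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Ones' complement checksum over the pseudo-header (addresses, zero byte, protocol 6,
    TCP length) followed by header and data. On a segment whose checksum field is already
    filled in, the result is 0 when the segment is intact."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def fill_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, zeroed)) + segment[18:]


# The SYN/ACK decoded on the slide, rebuilt byte for byte: data offset 6 (24-byte header)
# because of the 4-byte MSS option 02 04 05 b4 (kind 2, length 4, value 1460).
SLIDE_SYN_ACK = pack_tcp_header(80, 1958, 3043958669, 937013559, 0x012, 5840,
                                checksum=0x206A, options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    print(SLIDE_SYN_ACK.hex())
    for k, v in parse_tcp_header(SLIDE_SYN_ACK).items():
        print("%-11s %r" % (k, v))
```

The length check in parse_options is the part worth copying: an option whose length byte points past the end of the header is exactly the kind of input that has crashed real packet parsers, and a decoder that trusts it will read out of bounds.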

Short Case

After performing a test on ABC Inc.'s network, a penetration tester discovered that outsiders are able to test internal hosts' connectivity. He also discovered that outsiders are able to "map" ABC Inc.'s network, which allows them to determine the names and IP addresses of internal routers and firewalls.

1) What commands could the outsiders possibly use in their attempts?

2) What would you recommend doing in order to make it impossible for outsiders to (a) successfully test internal hosts' connectivity, and (b) map ABC Inc.'s network? Be very specific in naming the actions that need to be taken to address the problem.