TCP/IP Concepts (Part 1)
January 14 and 19, 2010
MIS 4600 - © Abdou Illia

Objectives
- Describe the TCP/IP protocol set
- Explain how TCP/IP knowledge helps in hacking & countermeasures
- Use TCP/IP commands/utilities

Overview of TCP/IP
[Figure: Computer 1 and Computer 2, each with Layer 1 through Layer 4]
- Transmission Control Protocol/Internet Protocol (TCP/IP): the most widely used protocol set
- TCP/IP is a protocol set with 4 layers*
- Protocol: the common language used by computers for "speaking"
- IPX/SPX is another protocol set, used in Novell networks. Some companies protect their network by using IPX/SPX internally ("poor man's firewall").
[Figure: TCP/IP network connected to an internal IPX/SPX LAN]
* A layer can be seen as a group of tasks/activities/jobs

TCP/IP protocol set
[Figure: Computer 1 and Computer 2, each with Application layer, Transport layer, Internet layer, Network interface layer]
- TCP/IP is implemented as software and hardware that work together to create messages that can be "understood" by each computer

The Application Layer
- Front end to the lower-layer protocols
- Many Application layer protocols: HTTP, FTP, ARP, etc.
- Includes network services and client software. Examples: Web (HTTP service), Web browser
- Commands/utilities for connecting to & using Application layer network services:
  ftp: used to transfer files between clients and servers
  telnet servername [port number]: to log on to a server

Using the ftp utility
- Unlike SFTP, FTP is not secure because it allows anonymous logins. Most companies do not allow FTP connections to their servers. If users have an account, they can use it to connect with an SFTP-based client program.
- help command: gives info about the command
- open ftp.eiu.edu should open an ftp session with the ftp.eiu.edu server.
- Some public anonymous ftp servers: ftp.arsc.edu, ftp.ussg.iu.edu, ftp.loc.gov/pub. Detailed list at http://www.ftp-sites.org/
[Instructor will show how to use ftp]

Questions
1) Based on your knowledge of the ftp utility and ftp-based client programs, what do you think a hacker needs in order to connect to a specific secure ftp server? Name three things that are absolutely required.
________________________, ______________________, ___________________
2) Which of the three things you have mentioned is the hardest to get?
_________________________
3) Once connected to an ftp server, a hacker can upload/download files only based on the permissions associated with the user account he/she has used to connect. Imagine that the only permissions associated with the user account are to see and download files that are in the default ftp directory. Name two things that must occur to make it possible for the hacker to go beyond just seeing and downloading files that are in the default directory and be able, for instance, to browse through the entire directory structure and upload files to the server.
______________________________, _______________________________

The Transport Layer
- Prepares Application layer messages for proper "transportation" to a receiving device
- Main protocols used: TCP for connection-oriented "dialog"; the User Datagram Protocol (UDP) for connectionless transmissions
- Makes sure messages arrive at the destination exactly as they left the source (in the case of connection-oriented communication)
- TCP opens connections using a 3-way handshake:
  Computer 1 sends a Synchronization (SYN) request
  Computer 2 replies with a Sync-Acknowledgement (SYN/ACK) packet
  Computer 1 replies with an ACK packet
[Figure: SYN, SYN/ACK and ACK exchanged between the Transport layers of Computer 1 and Computer 2]

The Internet Layer
- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- Main protocols used: IP and ICMP
- Internet Control Message Protocol (ICMP): used to send messages related to network operations; helps in troubleshooting a network
- Some Internet layer commands/utilities for troubleshooting network connections (more complex versions are included in hacking tools):
  ping: determines whether a computer is connected
  traceroute and tracert: determine the route to get to a computer
- ICMP codes are used internally by network administrators to troubleshoot network connectivity (codes 0 and 8) using the PING command, to track IP packets' route (code 30) using the TRACERT or TRACEROUTE command, etc. Appropriate ICMP codes could be used to configure firewalls to prevent network attacks by outsiders.

Using the ping utility
- Most companies do not allow "pinging" their computers from outside.
- Later, we will see how some of these pinging options may be used in security attacks.
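The echo request and echo reply that ping exchanges (ICMP types 8 and 0, which the slides refer to as codes), as an added Python example that is not part of the lecture: it builds an echo request, computes the RFC 1071 checksum over the ICMP part of the packet, and accepts a reply only if its checksum verifies and its identifier, sequence number and data match the request. The identifier, sequence and payload values are constructed; the type names come from RFC 792.

```python
# Build and check the ICMP echo messages that ping exchanges (RFC 792).
# Added example, not from the slides; the values below are constructed.
import struct

ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ICMP_TYPES = {ECHO_REPLY: "echo reply", DEST_UNREACHABLE: "destination unreachable",
              ECHO_REQUEST: "echo request", TIME_EXCEEDED: "time exceeded"}


def internet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data = data + b"\x00"                # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Return an ICMP echo request/reply: type, code 0, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)  # covers the whole ICMP message, not the IP header
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg):
    """Decode an ICMP message and verify its checksum (a valid message re-sums to zero)."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    info = {"type": icmp_type, "name": ICMP_TYPES.get(icmp_type, "other"), "code": code,
            "checksum_ok": internet_checksum(msg) == 0, "payload": msg[8:]}
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        info["id"], info["seq"] = ident, seq   # the 32-bit field is identifier + sequence for echo
    return info


def is_reply_to(request, reply):
    """True if reply is a well-formed echo reply matching request's id, sequence and data."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["checksum_ok"] and rep["type"] == ECHO_REPLY and req["type"] == ECHO_REQUEST
            and (rep["id"], rep["seq"], rep["payload"]) == (req["id"], req["seq"], req["payload"]))
```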
Pinging under Linux
[Figure: ping output captured under Linux]

Pinging under Windows OS
[Figure: ping output captured under Windows]

Using tracert and traceroute
- As Network [Internet] layer tools, tracert and traceroute generate a network map, showing how to get to a target computer.
- Some of these options may be abused by hackers, as we will see later.
[Figure: tracert output. One hop is likely a firewall or a router in EIU's network whose real IP address is hidden using Network Address Translation.]

Questions
Based on your knowledge of the PING command, what possible damage may be done when it is used with the -l option?

The Network Interface Layer
- Represents the network pathway (i.e. transmission media)
- Implemented through Network Interface Cards (NICs)
- Includes the Medium Access Control (MAC) address (a physical address recorded on NICs)
- Breaks messages into short frames and adds the MAC to each
- Converts messages into signals for transmission

Sending a message using TCP/IP
- Generating the message at the Application layer
- Encapsulation: adding protocol headers (H) and trailers (T) to pack the message
  Application:        HTTP req.                               (HTTP request)
  Transport:          TCP-H | HTTP req.                       (TCP segment)
  Internet:           IP-H | TCP-H | HTTP req.                (IP packet)
  Network Interface:  NI-H | IP-H | TCP-H | HTTP req. | NI-T  (frames)
- Example: http://www.eiu.edu, sent from the user PC over the transmission medium

Receiving a TCP/IP message
- Frames arrive through the network interface
- De-encapsulation: removing protocol headers (H) and trailers (T) to access the request
  Network Interface:  NI-H | IP-H | TCP-H | HTTP req. | NI-T  (frames)
  Internet:           IP-H | TCP-H | HTTP req.                (IP packet)
  Transport:          TCP-H | HTTP req.                       (TCP segment)
  Application:        HTTP req.                               (HTTP request)
- Example: http://www.eiu.edu

TCP Segment
  Bits   0-3          4-7        8-15                               16-31
         Source port                                                Destination port
         Sequence number
         Acknowledgment number
         Data offset  Reserved   CWR ECE URG ACK PSH RST SYN FIN    Window size
         Checksum                                                   Urgent pointer
         Options (if Data offset > 5)
         Data field (should contain the HTTP request based on our previous example)
- Source port (16 bits): a number that identifies the Application layer program used to send the message.
- Destination port (16 bits): a number that identifies the Application layer program the message is destined to.
- Sequence number (32 bits): tracks packets received and helps reassemble packets. Hackers may guess the SN to hijack conversations. Has a dual role: if the SYN flag is set, this is the initial sequence number, and the sequence number of the actual first data byte (and the acknowledged number in the corresponding ACK) will be this sequence number plus 1; if the SYN flag is clear, this is the sequence number of the first data byte.
- Acknowledgment number (32 bits): if the ACK flag is set, the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
- Data offset (4 bits): specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, giving a minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.

TCP Segment (cont.)
- Flags (8 bits) (aka Control bits): contains 8 1-bit flags
  CWR (1 bit): the Congestion Window Reduced flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and has responded with the congestion control mechanism (added to the header by RFC 3168).
  ECE (1 bit): Explicit Congestion Notification-Echo indicates, if the SYN flag is set, that the TCP peer is ECN capable; if the SYN flag is clear, that a packet with the Congestion Experienced flag set in the IP header was received during normal transmission (added to the header by RFC 3168).
  URG (1 bit): indicates that the Urgent pointer field is significant
  ACK (1 bit): indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  PSH (1 bit): Push function
  RST (1 bit): Reset the connection
  SYN (1 bit): Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag; some are only valid when it is set, others when it is clear.
  FIN (1 bit): No more data from sender

TCP Segment (cont.)
- Window size (16 bits): the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the receiver is currently willing to receive.
- Checksum (16 bits): used for error-checking of the header and data
- Urgent pointer (16 bits): if the URG flag is set, this field is an offset from the sequence number indicating the last urgent data byte.

TCP Ports
- Identifies the service that is running
- Helps you stop or disable services that are not needed
- Open ports are an invitation for an attack
- Only the first 1023 ports are considered well-known
- List of well-known ports available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)

Port       Service                                     Explanation
20 and 21  File Transfer Protocol (FTP)                Used for sharing files over the Internet. Requires a logon name and password. More secure than Trivial File Transfer Protocol (TFTP)
25         Simple Mail Transfer Protocol (SMTP)        E-mail servers listen on this port
53         Domain Name Service (DNS)                   Helps users connect to Web sites using URLs instead of IP addresses
69         Trivial File Transfer Protocol (TFTP)       - Could be implemented using a very small amount of memory.
                                                       - Implemented on top of the User Datagram Protocol (UDP) using port number 69.
                                                       - Used for transferring router configurations.
                                                       - TFTP only reads and writes files from/to a remote server. It cannot list directories.
                                                       - Currently has no provisions for user authentication.
80         Hypertext Transfer Protocol (HTTP)          Used when connecting to a Web server
110        Post Office Protocol 3 (POP3)               Used for retrieving e-mails from a server
119        Network News Transfer Protocol              For use with newsgroups
135        Remote Procedure Call (RPC)                 Critical for the operation of Microsoft Exchange Server and Active Directory
139        NetBIOS                                     Used by Microsoft's NetBIOS Session Service
143        Internet Message Access Protocol 4 (IMAP4)  Used for retrieving e-mail. Better than POP3: can maintain mail on servers, allows searches, etc.

- The netstat command line displays open ports on a computer, indicating what services/applications are running.

IP Header
  Bits   0-3          4-7             8-15               16-18    19-31
         Version      Header length   Type Of Service    Total Length
         Identification                                  Flags    Fragment Offset
         Time to Live (TTL)           Protocol           Header Checksum
         Source Address
         Destination Address
         Options
         Data
- Version: indicates the version of IP in four bits. Should be 0100 for IPv4.
- Internet Header Length (IHL): tells the number of 32-bit words in the IP header.
- TOS: indicates the quality of service for delivering the packet: normal delay, high reliability, normal cost, high cost, etc.
- Total Length: defines the entire packet size (header + data) in bytes. The minimum length is 20 bytes (20-byte header + 0 bytes data) and the maximum is 65,535. Subnetworks may impose restrictions on the size, in which case packets must be fragmented. Fragmentation is handled in either the host or the router.
- Identification: primarily used for uniquely identifying fragments of an original IP packet.
- Flags: a three-bit field used to control or identify fragments. They are (in order, from high order to low order):
  Reserved, must be zero.
  Don't Fragment (DF): if the DF flag is set and fragmentation is required to route the packet, then the packet will be dropped.
  More Fragments (MF): when a packet is fragmented, all fragments have the MF flag set except the last fragment.
- Fragment Offset: specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP packet. The first fragment has an offset of zero.
- TTL: helps prevent packets from persisting (e.g. going in circles) on an internet. Time is specified in seconds, but time intervals less than 1 second are rounded up to 1. Also counted in number of hops.
- Protocol: defines the protocol used in the data portion of the IP packet. Common protocols and their codes are: 1: Internet Control Message Protocol (ICMP), 2: Internet Group Management Protocol (IGMP), 6: Transmission Control Protocol (TCP), 17: User Datagram Protocol (UDP), 89: Open Shortest Path First (OSPF), 132: Stream Control Transmission Protocol (SCTP).
- Header Checksum: used for error-checking of the header. At each hop, the checksum of the header must be compared to the value of this field. If a header checksum is found to be mismatched, the packet is discarded. Note that errors in the data field are up to the encapsulated protocol to handle.

ICMP Packet
- Header (in blue): Protocol set to 1 (i.e. the number for ICMP)
- Payload (in red):
  • Type of ICMP message (8 bits)
  • Code (8 bits)
  • Checksum (16 bits), calculated over the ICMP part of the packet (the IP header is not used)
  • The ICMP 'Quench' (32 bits) field, which in this case (ICMP echo request and replies) is composed of an identifier (16 bits) and a sequence number (16 bits).
  • Data load for the different kinds of answers (can be of arbitrary length, left to implementation detail; however, it must be less than the maximum MTU of the network).
[Figure: IP packet with the ICMP header and payload fields highlighted]

Displaying email headers
Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31]) by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC for <[email protected]>; Wed, 8 Feb 2008 18:14:59 -0600 (CST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 Feb 2008 16:14:58 -0800
Message-ID: <[email protected]>
Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP; Thu, 09 Feb 2008 00:14:58 GMT
X-Originating-IP: [192.30.202.14]    <-- Source IP Address
X-Originating-Email: [[email protected]]
X-Sender: [email protected]
In-Reply-To: <10E30E5174081747AF9452F4411465410C5BB560@excma01.cmamdm.enterprise.corp>
X-PH: V4.4@ux1
From: <[email protected]>
To: [email protected]
X-ASG-Orig-Subj: RE: FW: Same cell#
Subject: RE: FW: Same cell#
Date: Thu, 09 Feb 2008 00:14:58 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 09 Feb 2008 00:14:58.0614 (UTC) FILETIME=[DCA31D60:01C62D0D]
X-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
X-Barracuda-Spam-Score: 0.00
IP Address Locator: http://www.geobytes.com/IpLocator.htm
Display email headers in Gmail, Yahoo!, Hotmail: http://aruljohn.com/info/howtofindipaddress/

Example: decoded TCP segment
Transmission Control Protocol, Src Port: http (80), Dst Port: 1958 (1958), Seq: 3043958669, Ack: 937013559, Len: 0
  Source port: http (80)
  Destination port: 1958 (1958)
  Sequence number: 3043958669
  Acknowledgment number: 937013559
  Header length: 24 bytes
  Flags: 0x012 (SYN, ACK)
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgment: Set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
  Window size: 5840
  Checksum: 0x206a (correct)
  Options: (4 bytes)
    Maximum segment size: 1460 bytes

Short Case
After performing a test on ABC Inc.'s network, a penetration tester discovered that outsiders are able to test internal hosts' connectivity. He also discovered that outsiders are able to "map" ABC Inc.'s network, which allows them to determine the names and IP addresses of internal routers and firewalls.
1) What commands could the outsiders possibly use in their attempts?
2) What would you recommend doing in order to make it impossible for outsiders to (a) successfully test internal hosts' connectivity, and (b) map ABC Inc.'s network? Be very specific in naming the actions that need to be taken to address the problem.
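The IP header and TCP segment layouts described above, decoded with Python's struct module, as an added example that is not from the lecture: parse_ipv4 extracts the IHL, the DF/MF flags, the fragment offset, the TTL and the protocol number, and parse_tcp decodes the data offset, the eight control bits and the MSS option. The sample packet is constructed to reproduce the decoded SYN/ACK shown above (port 80 to port 1958, 24-byte header, window 5840, MSS 1460); its IP addresses, identification, TTL and zero header checksum are made up.

```python
# Decode an IPv4 header and the TCP segment it carries (added example; sample packet constructed).
import struct

IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF", 132: "SCTP"}
# TCP control bits, high to low, as drawn on the TCP Segment slide
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_ipv4(pkt):
    """Return the IPv4 header fields of pkt and the payload that follows the header."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, hcsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # IHL counts 32-bit words
    flags = flags_frag >> 13                    # 3 bits: reserved, DF, MF
    return {"version": ver_ihl >> 4, "header_len": ihl, "tos": tos,
            "total_len": total_len, "id": ident, "header_checksum": hcsum,
            "DF": bool(flags & 0b010), "MF": bool(flags & 0b001),
            "frag_offset": (flags_frag & 0x1FFF) * 8,   # counted in 8-byte units
            "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto)),
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:total_len]}


def parse_tcp_options(raw):
    """Walk the kind/length/value list: kind 0 ends it, kind 1 (NOP) has no length byte."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = raw[i + 1]
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def parse_tcp(seg):
    """Return the TCP header fields of seg with the control bits decoded by name."""
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off_res >> 4) * 4                   # data offset counts 32-bit words
    opts = parse_tcp_options(seg[20:hlen])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": hlen,
            "flags": [n for i, n in enumerate(TCP_FLAGS) if flags & (0x80 >> i)],
            "window": win, "checksum": csum, "urgent_ptr": urg,
            "mss": int.from_bytes(opts[2], "big") if 2 in opts else None,  # option kind 2
            "data": seg[hlen:]}


# Constructed sample: the SYN/ACK from the decoded segment on the slide (port 80 -> 1958,
# 24-byte header with an MSS option) inside an IPv4 header with made-up addresses and TTL.
TCP_HDR = struct.pack("!HHIIBBHHH", 80, 1958, 3043958669, 937013559, 6 << 4, 0x12,
                      5840, 0x206A, 0) + bytes([2, 4, 0x05, 0xB4])   # MSS = 1460
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_HDR), 0x1234, 0x4000, 64, 6,
                     0, bytes([10, 0, 0, 1]), bytes([192, 168, 1, 10]))
SAMPLE_PACKET = IP_HDR + TCP_HDR
```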