Hands-On Ethical Hacking and Network Defense
Chapter 2: TCP/IP Concepts Review

Objectives
  Describe the TCP/IP protocol stack
  Explain the basic concepts of IP addressing
  Explain the binary, octal, and hexadecimal numbering systems
Overview of TCP/IP
  Protocol
    Common language used by computers for communicating
  Transmission Control Protocol/Internet Protocol (TCP/IP)
    Most widely used protocol
  TCP/IP stack
    Contains four different layers
      Network
      Internet
      Transport
      Application
The Application Layer
  Front end to the lower-layer protocols
  What you can see and touch – closest to the user at the keyboard
  HTTP, FTP, SMTP, SNMP, SSH, IRC and TELNET all operate in the Application Layer
The Transport Layer
  Encapsulates data into segments
  Segments can use TCP or UDP to reach a destination host
  TCP is a connection-oriented protocol
  TCP three-way handshake
    Computer A sends a SYN packet
    Computer B replies with a SYN-ACK packet
    Computer A replies with an ACK packet
TCP Header Format (RFC 793)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
TCP Segment Headers
  Critical components:
    TCP flags
    Initial Sequence Number (ISN)
    Source and destination port
  Abused by hackers finding vulnerabilities
TCP Flags
  Each flag occupies one bit
  Can be set to 0 (off) or 1 (on)
  Six flags
    SYN: synchronize (not synthesis) flag
    ACK: acknowledge flag
    PSH: push flag
    URG: urgent flag
    RST: reset flag
    FIN: finish flag
  Error in textbook on page 22: SYNchronize, not SYNthesis (link Ch 2a, RFC 793)
Initial Sequence Number (ISN)
  32-bit number
  Tracks packets received
  Enables reassembly of large packets
  Sent on steps 1 and 2 of the TCP three-way handshake
  By guessing ISN values, a hacker can hijack a TCP session, gaining access to a server without logging in
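The header layout, flag bits and handshake steps above, worked through in code. This is an added example, not code from the slides: it decodes the fixed 20-byte TCP header of the RFC 793 diagram, names the handshake step from the SYN/ACK flags, and checks that steps 2 and 3 acknowledge the two ISNs consistently. The three segments and their ISNs are constructed sample bytes, not a capture.

```python
import struct

# Bit values of the six flags in the 6-bit flags field (FIN is the low bit).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header: ports, seq, ack, offset, flags, window, checksum, urgent."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,          # header length in bytes
            "flags": [n for n, b in FLAG_BITS.items() if off_flags & b],
            "window": window, "checksum": csum, "urgent": urg}

def build_tcp_header(src, dst, seq, ack, flags, window=65535) -> bytes:
    """Build a 20-byte header for the constructed samples (checksum left as 0)."""
    bits = sum(FLAG_BITS[f] for f in flags)
    off_flags = (5 << 12) | bits                            # data offset 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0)

def handshake_step(hdr: dict) -> str:
    """Name the three-way handshake step a header represents from its SYN/ACK flags."""
    syn, ack = "SYN" in hdr["flags"], "ACK" in hdr["flags"]
    if syn and not ack:
        return "1: SYN"
    if syn and ack:
        return "2: SYN-ACK"
    return "3: ACK" if ack else "not a handshake segment"

def check_handshake(segments) -> tuple:
    """Return the step names and whether the ISNs are acknowledged consistently:
    step 2 must ack ISN_A+1 and step 3 must ack ISN_B+1 with seq ISN_A+1."""
    a, b, c = (parse_tcp_header(s) for s in segments)
    steps = [handshake_step(h) for h in (a, b, c)]
    isn_a, isn_b = a["seq"], b["seq"]
    consistent = (b["ack"] == isn_a + 1 and c["seq"] == isn_a + 1 and c["ack"] == isn_b + 1)
    return steps, consistent

# Constructed sample: Computer A (port 40000) opens a connection to Computer B (port 80);
# the ISNs 1000 and 5000 are made up, not taken from a capture.
SAMPLE = [
    build_tcp_header(40000, 80, 1000, 0, ["SYN"]),
    build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_header(40000, 80, 1001, 5001, ["ACK"]),
]
```

A segment whose acknowledgment number does not equal the peer's ISN plus one fails the consistency check, which is the property a stack relies on when it rejects a segment that does not belong to the connection.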
TCP Ports
  Port
    Logical, not physical, component of a TCP connection
    Identifies the service that is running
    Example: HTTP uses port 80
  A 16-bit number – 65,536 ports
  Each TCP packet has a source and destination port
Blocking Ports
  Helps you stop or disable services that are not needed
  Open ports are an invitation for an attack
  You can’t block all the ports
    That would stop all networking
  At a minimum, ports 25 and 80 are usually open on a server, so it can send out e-mail and Web pages
TCP Ports (continued)
  Only the first 1023 ports are considered well-known
  List of well-known ports
    Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)
  Ports 20 and 21
    File Transfer Protocol (FTP)
    Used for sharing files over the Internet
    Requires a logon name and password
    More secure than Trivial File Transfer Protocol (TFTP)
TCP Ports (continued)
  Port 25
    Simple Mail Transfer Protocol (SMTP)
    E-mail servers listen on this port
  Port 53
    Domain Name Service (DNS)
    Helps users connect to Web sites using URLs instead of IP addresses
  Port 69
    Trivial File Transfer Protocol (TFTP)
    Used for transferring router configurations
TCP Ports (continued)
  Port 80
    Hypertext Transfer Protocol (HTTP)
    Used when connecting to a Web server
  Port 110
    Post Office Protocol 3 (POP3)
    Used for retrieving e-mail
  Port 119
    Network News Transfer Protocol (NNTP)
    For use with newsgroups
TCP Ports (continued)
  Port 135
    Remote Procedure Call (RPC)
    Critical for the operation of Microsoft Exchange Server and Active Directory
  Port 139
    NetBIOS
    Used by Microsoft’s NetBIOS Session Service
    File and printer sharing

TCP Ports (continued)
  Port 143
    Internet Message Access Protocol 4 (IMAP4)
    Used for retrieving e-mail
    More features than POP3
Demonstration
  Telnet to hills.ccsf.edu and netstat to see the connections
    Port 23 (usual Telnet)
    Port 25 blocked off campus, but 110 connects
    Port 21 works, but needs a username and password

Demonstration
  Wireshark Packet Sniffer
  TCP Handshake: SYN, SYN/ACK, ACK
  (Wireshark screenshot showing the TCP ports and TCP status flags)
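The netstat demonstration and the Blocking Ports slide together suggest a simple audit: list the TCP ports a host is listening on, name them from the port list on these slides, and flag anything beyond the minimal set (25 and 80) the slide says a server needs. This is an added example, not code from the slides; the netstat output below is constructed in the Linux "netstat -an" column layout, and port 22 (SSH) is added to the name table from general knowledge because it is not on the slides' list.

```python
import re

# Service names as given on the slides' port list; 22 (SSH) is not on the slides
# and is added here because the constructed sample below uses it.
WELL_KNOWN = {20: "FTP data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
              69: "TFTP", 80: "HTTP", 110: "POP3", 119: "NNTP", 135: "RPC",
              139: "NetBIOS", 143: "IMAP4"}
ALLOWED = {25, 80}   # the Blocking Ports slide's minimum: send e-mail and Web pages

# One "netstat -an" row: proto, recv-q, send-q, local address ending in :port or .port,
# foreign address, state. Only rows in LISTEN state are of interest.
_ROW = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)[:.](\d+)\s+\S+\s+LISTEN\b", re.I)

def listening_ports(netstat_lines):
    """Return the sorted list of distinct TCP ports found in LISTEN state."""
    ports = set()
    for line in netstat_lines:
        m = _ROW.match(line.strip())
        if m:
            ports.add(int(m.group(2)))
    return sorted(ports)

def audit(netstat_lines, allowed=ALLOWED):
    """(port, name, allowed) for every listener; a False entry is a candidate for blocking."""
    report = []
    for port in listening_ports(netstat_lines):
        name = WELL_KNOWN.get(port, "well-known (<1024)" if port < 1024 else "not well-known")
        report.append((port, name, port in allowed))
    return report

def ports_to_block(netstat_lines, allowed=ALLOWED):
    """Just the listeners the Blocking Ports rule says should not be open."""
    return [port for port, _, ok in audit(netstat_lines, allowed) if not ok]

# Constructed sample output (not from a real host).
SAMPLE = """
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.101:34512     147.144.51.1:80         ESTABLISHED
tcp6       0      0 :::143                  :::*                    LISTEN
""".strip().splitlines()
```

The ESTABLISHED row is the outbound Web connection from the demonstration and is ignored; only listeners count as exposed services.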
User Datagram Protocol (UDP)
  Fast but unreliable protocol
  Operates on the transport layer
  Does not need to verify whether the receiver is listening
  Higher layers of the TCP/IP stack handle reliability problems
  Connectionless protocol
The Internet Layer
  Responsible for routing packets to their destination address
  Uses a logical address, called an IP address
  IP packet delivery is connectionless
Internet Control Message Protocol (ICMP)
  Operates in the Internet layer of the TCP/IP stack
  Used to send messages related to network operations
  Helps in troubleshooting a network
  Some commands include
    Ping
    Traceroute

ICMP Type Codes
  (image on the slide)

Wireshark Capture of a PING
  (image on the slide)

Warriors of the Net
  Network+ Movie
  Warriorsofthe.net (link Ch 2d)
IP Addressing
  Consists of four bytes, like 147.144.20.1
  Two components
    Network address
    Host address
  Neither portion may be all 1s or all 0s
  Classes
    Class A
    Class B
    Class C
IP Addressing (continued)
  Class A
    First byte is reserved for the network address
    Last three bytes are for the host address
    Supports more than 16 million host computers
    Limited number of Class A networks
    Reserved for large corporations and governments (see link Ch 2b)
    Format: network.node.node.node

IP Addressing (continued)
  Class B
    First two bytes are reserved for the network address
    Last two bytes are for the host address
    Supports more than 65,000 host computers
    Assigned to large corporations and Internet Service Providers (ISPs)
    Format: network.network.node.node
    CCSF has 147.144.0.0 – 147.144.255.255

IP Addressing (continued)
  Class C
    First three bytes are reserved for the network address
    Last byte is for the host address
    Supports up to 254 host computers
    Usually available for small business and home networks
    Format: network.network.network.node
IP Addressing (continued)
  Subnetting
    Each network can be assigned a subnet mask
    Helps identify the network address bits from the host address bits
    Class A uses a subnet mask of 255.0.0.0
      Also called /8
    Class B uses a subnet mask of 255.255.0.0
      Also called /16
    Class C uses a subnet mask of 255.255.255.0
      Also called /24
Planning IP Address Assignments
  Each network segment must have a unique network address
  Address cannot contain all 0s or all 1s
  To access computers on other networks
    Each computer needs the IP address of the gateway

Planning IP Address Assignments (continued)
  TCP/IP uses the subnet mask to determine if the destination computer is on the same network or a different network
  If the destination is on a different network, it relays the packet to the gateway
  Gateway forwards the packet to its next destination (routing)
  Packet eventually reaches its destination
In-Class Exercises
  These aren’t in the handout, but you can practice them by doing project X1 for extra credit.
In each diagram below, the top machine connects to the Internet and the three machines under it connect to it through a hub. The rows give each machine's IP address, subnet mask, and default gateway as shown on the slides.

Good Network
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.1.1     192.168.1.101   192.168.1.102   192.168.1.103
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.1.1     192.168.1.1     192.168.1.1

Duplicate IP Address
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.1.1     192.168.1.101   192.168.1.101   192.168.1.103
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.1.1     192.168.1.1     192.168.1.1

IP Address Outside Subnet
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.1.1     192.168.1.101   192.168.2.102   192.168.1.103
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.1.1     192.168.1.1     192.168.1.1

Wrong Subnet Mask
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.1.1     192.168.1.101   192.168.1.102   192.168.1.103
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.0.0     255.255.255.0
  Default Gateway  147.144.51.1    192.168.1.1     192.168.1.1     192.168.1.1

Wrong Default Gateway
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.1.1     192.168.1.101   192.168.1.102   192.168.1.103
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.1.1     192.168.1.101   192.168.1.1

Find the Problem #1
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.2.1     192.168.2.101   192.168.2.102   192.169.2.103
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.2.1     192.168.2.1     192.168.2.1

Find the Problem #2
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.1.1     192.168.1.101   192.168.1.102   192.168.1.103
  Subnet Mask      255.255.255.0   255.255.255.255 255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.1.1     192.168.1.1     192.168.1.1

Find the Problem #3
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.2.1     192.168.2.101   192.168.2.102   192.168.2.102
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.2.1     192.168.2.1     192.168.2.1

Find the Problem #4
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.0.1     192.168.0.101   192.168.0.102   192.168.0.103
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.2.1     192.168.0.1     192.168.0.1

Find the Problem #5
                   Top machine     Left machine    Middle machine  Right machine
  IP Address       192.168.1.4     192.168.1.101   192.168.1.102   192.168.1.103
  Subnet Mask      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
  Default Gateway  147.144.51.1    192.168.1.1     192.168.1.1     192.168.1.1
Answers
  #1: IP address out of subnet on rightmost machine
  #2: Bad subnet mask on leftmost machine
  #3: Duplicate IP address on rightmost machine
  #4: Bad default gateway on leftmost machine
  #5: All the default gateways are wrong (or the top machine’s IP address is wrong)
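The same-network test from the Planning IP Address Assignments slides, applied to the Find the Problem diagrams so that it reproduces the Answers slide. This is an added example, not code from the slides: the host settings are copied from the diagrams, while the checking logic, the function names and the wording of the reports are this example's own.

```python
from ipaddress import IPv4Address, IPv4Network

NAMES = ("leftmost", "middle", "rightmost")

def diagnose(top_ip, top_mask, hosts):
    """hosts: [(ip, subnet_mask, default_gateway)] for the left, middle and right
    machines; the top machine's IP address is the gateway they should point at."""
    net = IPv4Network(f"{top_ip}/{top_mask}", strict=False)  # network the top machine is on
    problems, seen = [], set()
    for name, (ip, mask, gw) in zip(NAMES, hosts):
        if mask != top_mask:
            problems.append(f"Bad subnet mask on {name} machine")
        if IPv4Address(ip) not in net:      # same-network test uses the mask, as on the slides
            problems.append(f"IP address out of subnet on {name} machine")
        if ip in seen:                      # the later machine is reported as the duplicate
            problems.append(f"Duplicate IP address on {name} machine")
        seen.add(ip)
        if gw != top_ip:
            problems.append(f"Bad default gateway on {name} machine")
    gateways = {gw for _, _, gw in hosts}
    if len(gateways) == 1 and top_ip not in gateways:   # all agree, but not with the top machine
        return ["All the default gateways are wrong (or the top machine's IP address is wrong)"]
    return problems

M24 = "255.255.255.0"
# Host settings copied from the Find the Problem diagrams: (top machine IP, its mask, hosts).
EXERCISES = {
    1: ("192.168.2.1", M24, [("192.168.2.101", M24, "192.168.2.1"),
                             ("192.168.2.102", M24, "192.168.2.1"),
                             ("192.169.2.103", M24, "192.168.2.1")]),
    2: ("192.168.1.1", M24, [("192.168.1.101", "255.255.255.255", "192.168.1.1"),
                             ("192.168.1.102", M24, "192.168.1.1"),
                             ("192.168.1.103", M24, "192.168.1.1")]),
    3: ("192.168.2.1", M24, [("192.168.2.101", M24, "192.168.2.1"),
                             ("192.168.2.102", M24, "192.168.2.1"),
                             ("192.168.2.102", M24, "192.168.2.1")]),
    4: ("192.168.0.1", M24, [("192.168.0.101", M24, "192.168.2.1"),
                             ("192.168.0.102", M24, "192.168.0.1"),
                             ("192.168.0.103", M24, "192.168.0.1")]),
    5: ("192.168.1.4", M24, [("192.168.1.101", M24, "192.168.1.1"),
                             ("192.168.1.102", M24, "192.168.1.1"),
                             ("192.168.1.103", M24, "192.168.1.1")]),
}

def answers():
    """Problem number -> list of faults found, matching the Answers slide."""
    return {n: diagnose(*spec) for n, spec in EXERCISES.items()}
```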
Overview of Numbering Systems
  Binary
  Octal
  Hexadecimal

Reviewing the Binary Numbering System
  Uses the number 2 as its base
  Binary digits (bits): 0 and 1
  Byte
    Group of 8 bits
    Can represent 2^8 = 256 different values
UNIX and Linux Permissions
  UNIX and Linux file permissions are represented with bits
    0 means removing the permission
    1 means granting the permission
    111 (rwx) means all permissions apply

Examples of Determining Binary Values
  Each position represents a power of 2 value
  Usually the bit on the right is the least significant bit
  Converting 1011 to decimal
    1 x 2^0 = 1
    1 x 2^1 = 2
    0 x 2^2 = 0
    1 x 2^3 = 8
    1 + 2 + 8 = 11 (decimal value)
Understanding Nibbles
  Half a byte or four bits
  Helps with reading the number by separating the byte
    1111 1010
  Components
    High-order nibble (left side)
    Low-order nibble (right side)

Understanding Nibbles (continued)
  Converting 1010 1010 to decimal
    Low-order nibble
      1010 = 10 (base 10)
    Multiply high-order nibble by 16
      1010 = 10 x 16 = 160 (base 10)
    160 + 10 = 170 (base 10)
Reviewing the Octal Numbering System
  Uses 8 as its base
  Supports digits from 0 to 7
  Octal digits can be represented with three bits
  Permissions on UNIX
    Owner permissions (rwx)
    Group permissions (rwx)
    Other permissions (rwx)
    Example: 111 101 001
    Octal representation: 751
Reviewing the Hexadecimal Numbering System
  Uses 16 as its base
  Supports numbers from 0 to 15
  A hex byte consists of two characters
    Each character represents a nibble
  Value contains alphabetic letters (A … F)
    A representing 10 and F representing 15
  Sometimes expressed with “0x” in front
  If you want more about binary, see Link Ch 2c
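The nibble method from the Understanding Nibbles slides, the two-character hex byte from the hexadecimal slide, and the octal permission mapping from the octal slide (111 101 001 to 751), carried out in code for any byte or permission string. This is an added example, not code from the slides; the function names are this example's own.

```python
HEX_DIGITS = "0123456789ABCDEF"   # A..F stand for 10..15, as on the hexadecimal slide

def nibbles(bits: str) -> tuple:
    """Split an 8-bit string such as '1010 1010' into (high-order, low-order) nibble values."""
    bits = bits.replace(" ", "")
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected eight binary digits")
    return int(bits[:4], 2), int(bits[4:], 2)

def byte_value(bits: str) -> int:
    """Decimal value: high-order nibble times 16 plus low-order nibble (the slide's method)."""
    high, low = nibbles(bits)
    return high * 16 + low

def byte_hex(bits: str) -> str:
    """Each nibble becomes one hex character; the 0x prefix is the slide's convention."""
    high, low = nibbles(bits)
    return "0x" + HEX_DIGITS[high] + HEX_DIGITS[low]

def perms_to_octal(bits: str) -> tuple:
    """'111 101 001' -> ('751', 'rwxr-x--x'): each 3-bit group (owner, group, other)
    is one octal digit, and each set bit grants r, w or x in that order."""
    groups = bits.split()
    if len(groups) != 3 or any(len(g) != 3 or set(g) - {"0", "1"} for g in groups):
        raise ValueError("expected three groups of three bits (owner, group, other)")
    octal = "".join(str(int(g, 2)) for g in groups)
    rwx = "".join(c if b == "1" else "-" for g in groups for b, c in zip(g, "rwx"))
    return octal, rwx

def octal_to_perms(octal: str) -> str:
    """Reverse direction, e.g. '751' -> '111 101 001', for reading a chmod value as bits."""
    if len(octal) != 3 or set(octal) - set("01234567"):
        raise ValueError("expected three octal digits")
    return " ".join(format(int(d), "03b") for d in octal)
```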