CYBR 7200: Securing Enterprise Infrastructure
Module 2 TCP/IP Concepts
In this module, you will review the major concepts of the TCP/IP protocol suite,
including each of the four layers of the original protocol stack: Application, Transport,
Internet, and Network Access. You will also review IP addressing and how addresses, ports
and the protocols at each layer relate to security.
This module directly supports highlighted course outcome(s)
• Evaluate security threats and vulnerabilities.
• Assess potential risk in the infrastructure including network, operating
systems, and applications.
• Configure network security devices to protect systems from cyber-attacks.
• Apply the common tools and techniques for penetration testing
Assigned Reading
1. TCP state diagram
2. TCP/IP security
3. SOA
4. Video of WireShark:
https://www.youtube.com/watch?v=TkCSr30UojM
https://www.youtube.com/watch?v=jvuiI1Leg6w
Contents
Overview of TCP/IP
  TCP/IP protocol suite
    TCP Protocol
    User Datagram Protocol (UDP)
    Internet Control Message Protocol
    Simple Mail Transfer Protocol
  Part I HTTP Protocol
  Part II Network Capture
Overview of TCP/IP
Compare the TCP/IP stack with the OSI Model stack, which is composed of seven layers:
Physical, Data Link, Network, Session, Transport, Presentation, and Application. For
more information about the OSI Model, check out here.
7 - Application: protocols and functions needed by applications (HTTP, SMTP, DNS, ...)
6 - Presentation: puts data into a common syntax and semantics (encoding, compression, encryption)
5 - Session: establishes, manages and terminates the two-way dialog between two applications (often described as the layer where authentication and authorization of the session take place)
4 - Transport: end-to-end delivery between processes; reliable (TCP) or best effort (UDP)
3 - Network: logical addressing and packet routing between networks
2 - Data Link: transmits and receives frames over a single link. Node-to-node connection
1 - Physical: the physical connection or cable itself. Transmits bits.
OSI and TCP/IP differences
TCP/IP application layer = layers 5, 6 and 7 in the OSI model.
The TCP/IP transport layer does not always guarantee reliable delivery of packets: TCP does, UDP does not.
Transmission Control Protocol/Internet Protocol (TCP/IP)
TCP/IP protocol suite
The layers in the TCP/IP protocol suite do not exactly match those in the OSI model. The
original TCP/IP protocol suite was defined as having four layers: host-to-network,
internet, transport, and application. However, when TCP/IP is compared to OSI, we can
say that the TCP/IP protocol suite is made of five layers: physical, data link, network,
transport, and application.
Original TCP/IP model
▪ Layer 4 - Process Layer or Application Layer: protocols such as SMTP, FTP, SSH, HTTP, etc.
▪ Layer 3 - Host-To-Host (Transport) Layer: flow-control and connection protocols like TCP
▪ Layer 2 - Internet or Internetworking Layer: defines logical addresses and routing
▪ Layer 1 - Network Access Layer: getting data across a specific type of physical network
Five-layer TCP/IP model
▪ Layer 5 - Application layer: DHCP, DNS, FTP, etc.
▪ Layer 4 - Transport layer: TCP, UDP, etc.
▪ Layer 3 - Internet Layer: IPv4, IPv6, ICMP, RIP, etc.
▪ Layer 2 - Data link layer: Token Ring, Ethernet, etc.
▪ Layer 1 - Physical layer: Optical Fiber, Coaxial Cable, Twisted Pair, etc.
Network Layer:
▪ Internetworking Protocol (IP): best-effort delivery (no error recovery and no delivery
guarantee). IP transports data in packets called datagrams.
▪ Address Resolution Protocol (ARP) in IPv4, Neighbor Discovery Protocol (NDP) in IPv6:
finds the physical (MAC) address that corresponds to a logical (IP) address on the local link
▪ Internet Control Message Protocol (ICMP) or ICMPv6: error and diagnostic notification
datagrams
▪ Internet Group Management Protocol (IGMP): manages membership in multicast groups, so
that one message can be delivered to a group of recipients
Transport Layer:
User Datagram Protocol (UDP) is a minimal message-oriented transport layer protocol
▪ unreliable
▪ not ordered
▪ datagrams
Transmission Control Protocol (TCP) is a full transport service to applications
▪ reliable
▪ ordered
▪ streaming
Stream Control Transmission Protocol (SCTP) can transport multiple message-streams
Addressing: Four levels of addresses are used in an internet employing the TCP/IP
protocols:
▪ physical (e.g. MAC address) belongs to the data link layer
▪ logical (e.g. IP address) belongs to the network layer
▪ port (e.g. port 80, the default port for HTTP/WWW) belongs to the transport layer
▪ specific (e.g. URL, email address) belongs to the application layer
o Uniform Resource Locator (URL): a name such as webapp.spsu.edu is resolved to an IP
address and combined with the service port, e.g. 192.168.43.25:80
o Email address
Physical addresses change from hop to hop, but the logical (IP) address usually remains
the same from end to end.
TCP Protocol
TCP is a connection-oriented protocol. It creates a virtual connection between two
processes to send data, and it uses flow-control and error-control mechanisms at the
transport level to provide reliable, in-order delivery of a stream of bytes. It is optimized
for error-free delivery rather than timely delivery.
• Full-duplex service
• Connection-oriented
– connection established
– data in both directions
– connection terminated
• Reliability is achieved by acknowledgement mechanism
• The bytes of data being transferred in each connection are numbered by TCP
• The numbering starts with a randomly generated number
• For each segment
– sequence number
– acknowledgement number
Sequence and acknowledgement numbers
The value in the sequence number field of a segment defines the number of the first data
byte contained in that segment. The value of the acknowledgment field in a segment
defines the number of the next byte a party expects to receive. The acknowledgment
number is cumulative.
Three-way Handshake
● A SYN segment cannot carry data (in classic TCP; TCP Fast Open, RFC 7413, relaxes this),
but it consumes one sequence number
● A SYN + ACK segment cannot carry data, but does consume one sequence number
● An ACK segment, if carrying no data, consumes no sequence number
● SYN flood attack: the attacker sends many SYNs, usually from spoofed source addresses,
and never sends the final ACK. Each SYN + ACK the server sends leaves a half-open
connection in its backlog table until a timeout; once the table is full, SYNs from
legitimate clients are dropped. SYN cookies and a short half-open timeout are the usual
mitigations.
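The sequence and acknowledgement rules above, as an added example that is not part of the course module: a small Python model of two TCP endpoints that follows exactly those rules (SYN and SYN + ACK each consume one sequence number, a pure ACK consumes none, data advances the number by its length, acknowledgements are cumulative), plus a listener with a half-open table that shows why a SYN flood starves legitimate clients. The endpoint names, initial sequence numbers and backlog size are constructed for illustration; a real stack picks its ISNs randomly.

```python
"""Added example: TCP sequence/acknowledgement accounting and a half-open
table under SYN flood.  Endpoint names, ISNs and the backlog size are
constructed for illustration; a real stack picks ISNs randomly."""
from dataclasses import dataclass, field
from typing import Optional

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: Optional[int]      # None when the ACK flag is clear (the first SYN)
    flags: frozenset
    data: bytes = b""

    def consumes(self) -> int:
        """Sequence-number space occupied: one per data byte plus one each
        for SYN and FIN, so a pure ACK consumes nothing."""
        return len(self.data) + ("SYN" in self.flags) + ("FIN" in self.flags)


@dataclass
class Endpoint:
    name: str
    isn: int
    snd_nxt: int = field(init=False)      # next sequence number we send
    rcv_nxt: Optional[int] = None         # next byte we expect = our ACK value

    def __post_init__(self):
        self.snd_nxt = self.isn

    def send(self, peer: str, flags, data: bytes = b"") -> Segment:
        seg = Segment(self.name, peer, self.snd_nxt, self.rcv_nxt, frozenset(flags), data)
        self.snd_nxt = (self.snd_nxt + seg.consumes()) % MOD
        return seg

    def receive(self, seg: Segment) -> None:
        # Accept only the segment that starts exactly at rcv_nxt (in-order
        # delivery); the acknowledgement number is cumulative.
        if self.rcv_nxt is None or seg.seq == self.rcv_nxt:
            self.rcv_nxt = (seg.seq + seg.consumes()) % MOD


def three_way_handshake(client: Endpoint, server: Endpoint) -> list:
    """SYN, SYN+ACK, ACK; returns the three segments in order."""
    syn_seg = client.send(server.name, {"SYN"})
    server.receive(syn_seg)
    synack = server.send(client.name, {"SYN", "ACK"})
    client.receive(synack)
    ack = client.send(server.name, {"ACK"})       # consumes no sequence number
    server.receive(ack)
    return [syn_seg, synack, ack]


def transfer(client: Endpoint, server: Endpoint, chunks) -> list:
    """Client sends each chunk; server answers with a cumulative ACK."""
    out = []
    for chunk in chunks:
        seg = client.send(server.name, {"ACK"}, chunk)
        server.receive(seg)
        reply = server.send(client.name, {"ACK"})
        client.receive(reply)
        out += [seg, reply]
    return out


class Listener:
    """Server side of many connections.  A SYN creates a half-open entry
    that is removed only when the matching ACK arrives.  In a SYN flood the
    ACKs never come (the sources are spoofed), the table fills, and new
    SYNs from real clients are dropped."""

    def __init__(self, name: str, isn: int, backlog: int):
        self.name, self.isn, self.backlog = name, isn, backlog
        self.half_open = {}      # client address -> Endpoint for that connection
        self.established = set()
        self.dropped = 0

    def on_syn(self, syn_seg: Segment) -> Optional[Segment]:
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None          # backlog full: SYN silently dropped
        ep = Endpoint(self.name, self.isn)
        ep.receive(syn_seg)
        self.half_open[syn_seg.src] = ep
        return ep.send(syn_seg.src, {"SYN", "ACK"})

    def on_ack(self, ack: Segment) -> bool:
        ep = self.half_open.get(ack.src)
        if ep is None or ack.ack != ep.snd_nxt or ack.seq != ep.rcv_nxt:
            return False         # no such half-open connection or wrong numbers
        del self.half_open[ack.src]
        self.established.add(ack.src)
        return True


def syn(src: str, dst: str, seq: int) -> Segment:
    """A client's first segment: SYN set, no ACK flag."""
    return Segment(src, dst, seq, None, frozenset({"SYN"}))
```

When you compare this with the Wireshark capture from Part I, remember that Wireshark shows relative sequence numbers by default, so the SYN appears as seq 0, the SYN + ACK as seq 0 / ack 1, and the final ACK as seq 1 / ack 1.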
A TCP segment header has two 16-bit fields containing the source and destination port
numbers. A port is the logical, not physical, component of a TCP connection; the port
identifies the service that is running. Ports also let network administrators stop or
disable services that are not needed. As a network administrator or security professional,
you should be familiar with ports and control their use. Every open port is listening code
that an attacker can reach, so open ports are attack surface.
Port numbers range from 0 to 65,535. Ports 0 through 1023 are the well-known ports; IANA
designates 1024 to 49151 as registered ports and 49152 to 65535 as dynamic or private
ports. Check www.iana.org for the registry of well-known and registered ports.
Some of the most important or frequently used ports and the services they represent:
a. Ports 20 and 21 for FTP (20 data, 21 control)
b. Port 25 for SMTP
c. Port 53 for DNS
d. Port 69 for TFTP
e. Port 80 for HTTP
f. Port 110 for POP3
g. Port 119 for NNTP
h. Port 135 for RPC (Microsoft RPC endpoint mapper)
i. Port 139 for NetBIOS (session service)
j. Port 143 for IMAP4
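To make the point about open ports concrete, an added example that is not from the course module: a Python TCP connect probe that distinguishes open, closed and filtered ports the way a scanner's connect scan does, and grabs the greeting banner that many services send as soon as you connect, which is how you tell what is actually listening on a port. So that it runs without a network, it starts a constructed stand-in service on a loopback port; the "220 ... ESMTP" banner text is made up.

```python
"""Added example: TCP connect probe with banner grab against a constructed
local service.  The listener and its banner are made up for the demo."""
import socket
import threading


def start_banner_service(banner: bytes):
    """Constructed stand-in for a network service: listen on an ephemeral
    127.0.0.1 port and send `banner` to each client, like an SMTP or SSH
    greeting.  Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)               # so the loop can notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def probe(host: str, port: int, timeout: float = 0.5):
    """Connect probe of one port.  Returns (state, banner):
    'open'     - the three-way handshake completed (a service accepted),
    'closed'   - the host answered with RST (connection refused),
    'filtered' - no answer before the timeout, or another network error,
                 which is what a dropping firewall looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:                   # includes socket.timeout
        s.close()
        return "filtered", b""
    try:
        banner = s.recv(256)          # many services speak first; HTTP waits
    except OSError:
        banner = b""
    finally:
        s.close()
    return "open", banner


def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Probe several ports; returns {port: (state, banner)}."""
    return {p: probe(host, p, timeout) for p in ports}


def free_port() -> int:
    """Bind and release an ephemeral port so that probing it shows 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

A connect scan completes the full handshake, so it shows up in the target's logs; a SYN scan (nmap -sS) stops after the SYN + ACK and needs raw sockets, which is why nmap asks for root for it.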
User Datagram Protocol (UDP)
UDP is a fast but unreliable protocol that also operates at the Transport layer of the
TCP/IP stack. UDP is unreliable because it has no acknowledgements, retransmissions or
ordering: a datagram is sent once and may be lost, duplicated or arrive out of order
without the sender knowing. It is connectionless because there is no handshake; the
sender does not verify whether the receiver is listening or ready to receive. Although
unreliable, UDP is widely used on the Internet (DNS, DHCP, VoIP, streaming) because of
its low overhead and latency. If reliability is needed, the application on top of UDP has
to provide it. For security, the lack of a handshake also means that UDP source addresses
are trivially spoofed, which is why UDP services are the usual vector for reflection and
amplification attacks.
Internet Control Message Protocol
The Internet Control Message Protocol (ICMP) carries error and diagnostic messages for
IP. The major commands that use it to help network administrators troubleshoot network
connectivity problems are:
a. Ping (ICMP Echo Request, type 8, answered by Echo Reply, type 0)
b. Traceroute (sends probes with increasing TTL and reads the Time Exceeded, type 11,
messages returned by each hop)
ICMP messages are identified by a type and a code, and firewalls can filter on them to
block selected ICMP packets from entering or leaving the network. Several
reconnaissance and denial-of-service attacks can be avoided by blocking ICMP traffic,
but block selectively: Destination Unreachable (type 3, in particular Fragmentation
Needed, code 4) is required for Path MTU discovery to work.
Read about the Ping of Death attack (a fragmented ICMP Echo Request that reassembles
to more than the 65,535-byte IP maximum, crashing old IP stacks).
Simple Mail Transfer Protocol
The objective of Simple Mail Transfer Protocol (SMTP) is to transfer mail reliably and
efficiently. SMTP is independent of the particular transmission subsystem and requires
only a reliable ordered data stream channel.
Lab TCP/IP Concepts
Prelab
1. Review IP commands for Linux systems. Use this common command link for
reference
2. What is SSH and why is it used?
3. What are some HTTP methods and why should we be concerned with them? Use
HTTP protocol link as reference
4. What is Telnet and why is it used?
Part I HTTP Protocol
1. Start Kali. Check that it is connected to network (see module 1).
2. Hypertext Transfer Protocol (HTTP) is a communications protocol for the transfer
of information on the Internet. It supports several methods for retrieving or
modifying information on a web server. To name a few: OPTIONS, TRACE, GET, HEAD,
DELETE, PUT, POST, COPY, MOVE. Not all HTTP methods are safe. Generally, HEAD, GET,
OPTIONS, and TRACE are considered safe in the HTTP sense (they are not supposed to
change state on the server), while PUT, DELETE, POST, COPY and MOVE can create,
change or remove resources. TRACE, although "safe", echoes the request back to the
client and is normally disabled on production servers. Later in the course we will talk
about hacking web servers. Today we just see how HTTP methods work. First, we will use
the HEAD method. It returns the headers (metadata) for the specified resource without
the body.
HEAD / HTTP/1.1
The slash (/) is the resource indicator, in this case the root index of the default
website. Then we will use the OPTIONS method to find which methods the web server
supports.
3. Start Wireshark (Applications – 09 - Sniffing and Spoofing – wireshark)
4. Ignore the security warnings and double-click the eth0 interface. Wireshark starts
capturing traffic on eth0.
5. Use netcat to connect to the KSU web server on port 80: open a new terminal window
and type:
nc www.kennesaw.edu 80
6. Do not type underscores. They emphasize where you need to use a space. Substitute
_ with one space. Type:
HEAD_/_HTTP/1.1
7. Hit Enter twice. An empty line tells the server that the request headers are
complete; until it sees one, the server keeps waiting.
8. You should receive HTTP/1.1 200 OK. If you received 400 BAD REQUEST, the server
most likely insists on the Host header that HTTP/1.1 requires: repeat the request with
a second line Host:_www.kennesaw.edu before the empty line. If you received METHOD
NOT IMPLEMENTED, check the spelling and spacing and try again.
9. Stop Wireshark and apply the http display filter. You should see your request and the
server response.
10. Change the filter to ip.addr==<IP address of the web server>.
11. You should now see only the conversation with the web server: the handshake, your
request and the response.
Describe the first three packets (hint: three-way handshake?) [1 point]
To search for a string in "packet details" or "packet bytes":
a) On the Wireshark menu choose Edit – Find Packet ...
b) On the find-packet toolbar choose String, then either Packet details or Packet
bytes (depending on where you'd like to find the information) and type your
string in the search box.
Click Find. The first packet that matches your criteria will be selected.
12. Now connect to www.tappware.com on port 80 and send a HEAD request:
HEAD / HTTP/1.1
Host: www.tappware.com
You have to specify the host because it is possible to run multiple websites on the
same host and the same port (virtual hosting). The web server distinguishes between
them based on the host name. In the capture you will see the DNS lookup:
www.tappware.com resolved to the IP 167.114.185.34 when this lab was written.
13. What type of web server software is running on www.tappware.com? (Look at the
Server header in the response.) [1 point]
14. We used the HEAD method; now use the OPTIONS method for www.tappware.com and
take a screenshot of your results. (The Allow header lists the supported methods.)
[1 point]
15. Find how many bits long the server public key used by cseview.kennesaw.edu is.
[1 point]
You can't use netcat or telnet on port 443 (HTTPS): the server expects a TLS
handshake before any HTTP, so you have to use the OpenSSL TLS client:
openssl s_client -connect cseview.kennesaw.edu:443
Look for the line "Server public key is N bit" in its output and take a screenshot of
your results.
16. Why are the methods reported by OPTIONS and the length of the key important for
penetration testing? [1 point]
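The netcat procedure in steps 5 to 14, as an added example that is not part of the course module: a Python client that sends the same HEAD and OPTIONS requests over a plain socket (CRLF line endings, the Host header that HTTP/1.1 requires, an empty line to end the headers) and parses the status line and headers, picking out the Server banner and the Allow list that questions 13 and 14 ask for. It also shows the 501 that the lab calls METHOD NOT IMPLEMENTED. It talks to a constructed local stand-in server rather than kennesaw.edu or tappware.com, so the DemoHTTPd Server value and the Allow list are made up.

```python
"""Added example: the HEAD / OPTIONS exchange from the lab, done from Python
over a raw socket against a constructed local web server (DemoHTTPd is a
made-up Server banner, not kennesaw.edu or tappware.com)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    server_version = "DemoHTTPd/1.0"      # becomes the Server: header
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()                  # HEAD: headers only, no body

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD, OPTIONS")   # no TRACE, no PUT
        self.end_headers()

    def log_message(self, *args):           # keep the demo quiet
        pass


def start_server():
    """Start the stand-in server on an ephemeral loopback port."""
    httpd = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1], httpd.shutdown


def http_request(host, port, method, path="/", host_header=None):
    """Send one HTTP/1.1 request exactly as typed into netcat and return
    (status_code, headers).  Host: is mandatory in HTTP/1.1 and selects the
    virtual host; the blank line after the headers ends the request."""
    lines = [f"{method} {path} HTTP/1.1",
             f"Host: {host_header or host}",
             "Connection: close"]
    raw = ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(raw)
        while True:                          # read until the server closes
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, _body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])   # "HTTP/1.x 200 OK" -> 200
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(host, port, host_header=None):
    """HEAD gives the Server: banner (question 13); OPTIONS gives the
    Allow: list of supported methods (question 14)."""
    _, h = http_request(host, port, "HEAD", host_header=host_header)
    _, o = http_request(host, port, "OPTIONS", host_header=host_header)
    return {"server": h.get("server"), "allow": o.get("allow")}
```

Against a real server, pass the site name as host_header and the resolved address (or the name itself) as host; that is the virtual-hosting point of step 12. A request for a method the server does not implement (TRACE here) comes back as 501, which is the METHOD NOT IMPLEMENTED from step 8.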
Part II Network Capture
Download the capture file (test2.pcap) available in the D2L content of Module 2 and
open it with Wireshark.
Analyze the capture and answer the following questions [5 points]
1. The web page that the user at 10.10.10.3 visited required a username and
password. What was the password that the user supplied?
2. According to the DNS records, what is the IP address of fiscal.target.tgt?
3. Which web browser is the user at 10.10.10.3 using?
4. Is port 22 opened on 10.10.10.1? How do you know it?
5. What is primary domain prefix for 10.10.10.2 ?
6. What is the source IP for sidenav.gif?
7. What is IP address of the NIC 00:0c:29:b0:f9:31?
8. What is the username used to connect to 10.10.10.2 from host 10.10.10.4?
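For the capture analysis in Part II, an added example that is not part of the course module: a minimal reader for the classic pcap file format in pure Python that dissects the Ethernet, IPv4 and TCP headers and answers two of the question types above, which NIC (MAC address) sends from which IP address (question 7) and whether a port answered a SYN with SYN + ACK, meaning open, or with RST, meaning closed (question 4). Because test2.pcap is not reproduced here, the block builds its own small capture in memory; the MAC addresses, the 192.0.2.x hosts and the packets are constructed and say nothing about the real capture. The equivalent Wireshark display filters are eth.addr == xx:xx:xx:xx:xx:xx and tcp.port == 22 && tcp.flags.syn == 1.

```python
"""Added example: minimal classic-pcap reader with Ethernet/IPv4/TCP
dissection.  The sample capture, MAC addresses and 192.0.2.x hosts are
constructed in memory; IP/TCP checksums are left at zero."""
import struct
from ipaddress import IPv4Address

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) from a classic pcap (not pcapng) file:
    a 24-byte global header followed by 16-byte per-packet record headers."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"                        # written on a big-endian machine
    else:
        raise ValueError("not a classic pcap file")
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError("expected Ethernet (LINKTYPE_ETHERNET = 1)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame: bytes) -> dict:
    """Dissect Ethernet -> IPv4 -> TCP, keeping only the fields needed."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"eth_src": mac_str(src), "eth_dst": mac_str(dst)}
    if ethertype != 0x0800:
        return info                      # not IPv4 (e.g. ARP, IPv6)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    info.update(ip_src=str(IPv4Address(ip[12:16])),
                ip_dst=str(IPv4Address(ip[16:20])), proto=ip[9])
    if ip[9] != 6:
        return info                      # not TCP
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                flags={n for bit, n in TCP_FLAGS.items() if off_flags & bit})
    return info


def mac_to_ips(data: bytes) -> dict:
    """Question 7 type: which IPv4 source addresses did each NIC send from?"""
    table = {}
    for _, frame in parse_pcap(data):
        p = parse_frame(frame)
        if "ip_src" in p:
            table.setdefault(p["eth_src"], set()).add(p["ip_src"])
    return table


def port_state(data: bytes, host: str, port: int) -> str:
    """Question 4 type: after a SYN to host:port, did the host reply with
    SYN+ACK (open) or RST (closed)?  No reply at all suggests filtering."""
    probed = False
    for _, frame in parse_pcap(data):
        p = parse_frame(frame)
        if p.get("proto") != 6:
            continue
        if p["ip_dst"] == host and p["dport"] == port and p["flags"] == {"SYN"}:
            probed = True
        elif probed and p["ip_src"] == host and p["sport"] == port:
            if {"SYN", "ACK"} <= p["flags"]:
                return "open"
            if "RST" in p["flags"]:
                return "closed"
    return "no reply seen" if probed else "no probe seen"


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Constructed Ethernet/IPv4/TCP frame (checksums zero) for the sample."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


# Constructed sample: a SYN to 192.0.2.1:22 answered with RST+ACK (closed)
# and a SYN to 192.0.2.2:22 answered with SYN+ACK (open).
SCANNER, H1, H2 = "02:00:00:00:00:03", "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(SCANNER, H1, "192.0.2.3", "192.0.2.1", 40001, 22, 0x02, seq=1000),
    build_tcp_frame(H1, SCANNER, "192.0.2.1", "192.0.2.3", 22, 40001, 0x14, ack=1001),
    build_tcp_frame(SCANNER, H2, "192.0.2.3", "192.0.2.2", 40002, 22, 0x02, seq=2000),
    build_tcp_frame(H2, SCANNER, "192.0.2.2", "192.0.2.3", 22, 40002, 0x12, seq=7000, ack=2001),
])
```

To run the same functions on test2.pcap, read the file with open(path, "rb").read() and pass the bytes; if Wireshark saved it as pcapng the magic check will refuse it, so export it as "Wireshark/tcpdump - pcap" first.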
Feedback:
Difficulty (-2 - too easy ... 0 - just right ... 2 - too hard)
Interest level (-2 - low interest ... 0 - just right ... 2 - high interest)
Time to complete (min)
Make a suggestion to improve
What to submit: ONE report file that includes answers to above questions. Provide code
and screenshots of successful execution where applicable.