Chapter 2. TCP/IP Review

YOU MUST POSSESS a number of skills to conduct a successful and complete penetration test. Among the skills that are critical is an understanding of Transmission Control Protocol/Internet Protocol (TCP/IP) and its components. Because the Internet and most major networks employ the IP protocol, an understanding of the suite becomes necessary.

The IP protocol has become the most widely deployed and utilized networking protocol because of the power and flexibility it offers. The IP protocol has been used in larger deployments and more diverse environments than were ever envisioned by the protocol designers. Although the IP protocol is flexible and scalable, it was not designed to be secure.

Prior to any discussion of TCP/IP, it is important to understand a model that is commonly known as Open Systems Interconnection (OSI). The OSI reference model was originally conceived as a mechanism for facilitating consistent communication and interoperability between networked systems.

This chapter takes a look at the fundamental concepts, technologies, and other items related to networking. Included in this chapter is a closer examination of the TCP/IP networking protocol and its components. This look at the TCP/IP protocol helps you perform tests later on and provides a valuable foundation for understanding various security vulnerabilities and attacks.

Exploring the OSI Reference Model

This section explores the Open Systems Interconnection (OSI) reference model. In 1977, the Open Systems Interconnection Committee was formed with the goal of creating a new communication standard for networking. Based on a number of proposals, the OSI reference model was developed and is still used today. In today's networking environment the OSI reference model serves mainly as a reference model and as an effective means of teaching distributed communication.

Note

The OSI reference model is not a law or rule; it is a recommendation that manufacturers of hardware and software can choose to adhere to or not. Although there is no penalty for not following OSI, vendors risk introducing compatibility problems if their product deviates too far from the model.

OSI functions in a predictable and structured fashion designed to ensure compatibility and reliability. If you examine the OSI reference model, you quickly notice that it is made up of seven complementary but distinctly different layers, each tasked with carrying out a discrete group of operations. From the top down, these seven layers are the application, presentation, session, transport, network, data link, and physical layers. These layers are also referred to by number (seven is the application layer, and one is the physical layer). The OSI reference model is also implemented in two areas: hardware and software. The bottom two layers are implemented in hardware, and the top five are implemented in software.

The layers of the OSI reference model are shown in Figure 2-1.

The Role of Protocols

In the world of networking, the term "protocol" is sometimes misused. Protocols are a set of agreed-upon rules through which communication takes place. Protocols can be thought of in the same way as rules for communicating in a given language—certain words and phrases are understood to convey meaning such as "hello" and "goodbye." Through the use of protocols, dissimilar systems can communicate quickly, easily, and efficiently without any confusion. Ensuring that a standard is in place and every system or service uses it makes for almost guaranteed interoperability. For example, think of the problems that would arise if the electrical outlets that home appliances are plugged into were all different shapes and sizes. You could never be sure whether the product would work.

Figure 2-1. OSI reference model layers.

Rules are established in the OSI reference model through specific orders and hierarchies, best represented by the use of layers. Each of the seven layers performs a given purpose by receiving data from the layer above or below it and then sending the results on to the next appropriate layer after processing takes place. These seven layers can also be thought of as individual modules with manufacturers of hardware or software writing their respective products with a specific layer or purpose in mind. Such modularity allows for much easier design and management of networking technologies for all parties involved.

Note

When you look at the interaction between layers in the OSI reference model, note that moving from Layer 1 to Layer 7 shows more "intelligence." As you get closer to Layer 7 and move further away from Layer 1, the network components have more "understanding" of the information being handled.

Layer 1: Physical Layer

At the bottom of the hierarchy of layers in the OSI reference model is the physical layer, also known as Layer 1. This lowest layer defines the electrical and mechanical requirements used to transmit information to and from systems across a given transmission medium (such as cable, fiber, or radio waves). This physical layer deals only with electrical and mechanical characteristics. Examining the physical layer will reveal "how much" and "how long" information is sent, but will not reveal any understanding of the information being transmitted.

Physical layer characteristics include the following:

  • Voltage levels

  • Data rates

  • Maximum transmission distances

  • Timing of voltage changes

  • Physical connectors and adaptors

  • Topology or physical layout of the network

The physical layer also dictates how the information is to be sent. For example, it specifies digital or analog signaling methods, base or broadband, and synchronous or asynchronous transmission.

Consider for a moment the types of attacks that could occur at the physical layer, particularly that of an individual getting direct access to transmission media. At the physical layer, the potential for an attack exists in many forms, including someone gaining direct access to physical media, connectivity hardware, computers, or other hardware. Additionally, an attacker accessing the physical layer can place devices on the network that can then be used to capture and/or analyze network traffic. A security engineer should remember these issues and take steps to secure physical devices and network media and, if possible, encrypt network traffic as needed to prevent unauthorized disclosure.

Layer 2: Data Link Layer

One step above the physical layer is Layer 2, also known as the data link layer. As information moves up from the physical layer to the data link layer, the abilities to handle physical addresses, framing, and error handling and messaging are added. The data link layer provides the initial framing, formatting, and general organization of data prior to handing it off to the physical layer for transmission. More important, the data link layer includes two items that will be important later on: logical link control (LLC) and media access control (MAC).

To understand the actions and activities that occur at the data link layer, one of the structures that must be understood is a frame. A frame can be visualized as a container that the data to be transmitted can be placed into for delivery. Through the use of framing, which is set by the network itself, a standard format for sending and receiving data is established, allowing for mutual understanding of the data being handled. The sending station packages the information into frames, and the receiving station unpacks the information from the frames and moves it along to the next layer for further processing.

The frame is a vital structure because it dictates just how a network works at a fundamental level. There are many types of frames that can be discussed, but the most common type of network and the frames that come with it is Ethernet. Ethernet, also known as Institute of Electrical and Electronics Engineers (IEEE) 802.3, is used by the majority of data networks.

Note

Frame types are specific to a network and cannot be understood by a different network type because the frames would be incompatible. Although Ethernet is the most common type of network, other common networks include Token Ring (IEEE 802.5) and wireless (IEEE 802.11), each with its own unique and incompatible frame type.

Another important function of the data link is flow control, which is the mechanism that performs data management. Flow control is responsible for ensuring that what is being sent does not overwhelm or exceed the capabilities of a given physical connection. If flow control did not exist, it might be possible under the right conditions to overwhelm a connection with enough traffic to cause an attack similar to a denial of service (DoS) attack.

The data link layer has a mechanism known as the Address Resolution Protocol (ARP), which is responsible for translating an IP address to a previously unknown MAC address. Security is not something that the IP protocol does well, and ARP is a good example: it includes no ability to authenticate the systems that use it.

Layer 3: Network Layer

Layer 3 (the network layer) is the entity that handles the logical addressing and routing of traffic. One of the most visible items that appear at this layer is the well-known IP address present in the IP protocol. IP addresses represent what is known as logical addresses, which are nonpersistent addresses assigned via software that are changed as needed or dictated by the network. Logical addresses are used to route traffic as well as assist in the division of a network into logical segments.

Note

The network layer is the first of the layers within OSI that are implemented in software. Starting at Layer 3 and moving up to Layer 7, each layer is now implemented within the software being used, specifically the operating system.

To get an idea of what a logical network looks like, take a moment to review a network subdivided by different IP subnets, as shown in Figure 2-2.

At the network layer, security needs to be considered because manipulation of information can occur at this level.

Layer 4: Transport Layer

Just above the network layer is the transport layer (Layer 4). The transport layer provides a valuable service in network communication: the ability to ensure that data is sent completely and correctly through the use of error recovery and flow control techniques. On the surface, the transport layer and its function might seem similar to the data link layer because it also ensures reliability of communication. However, the transport layer not only guarantees the link between stations; it also guarantees the actual delivery of data.

Figure 2-2. Logical networking.

From a high-level perspective, the transport layer is responsible for communication between host computers and verifying that both the sender and receiver are ready to initiate the data transfer. The two most widely known protocols found at the transport layer are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is connection-oriented, whereas UDP is connectionless. TCP provides reliable communication through the use of handshaking, acknowledgments, error detection, and session teardown. UDP is a connectionless protocol that offers speed and low overhead as its primary advantage.

Layer 5: Session Layer

Above the transport layer is the session layer (Layer 5), which is responsible for the creation, termination, and management of a given connection. When a connection is required between two points using the TCP protocol, the session layer takes the responsibility for making sure that creation and destruction of the connection occurs properly. Session layer protocols include items such as Remote Procedure Calls (RPCs) and Structured Query Language (SQL).

Layer 6: Presentation Layer

At the presentation layer (Layer 6), data is put into a format that programs residing at the application layer can understand. Prior to arriving at Layer 6, information is not in a format that application layer programs will be able to process fully and therefore must be put into a format that can be understood.

Note

Examples of these formats include American Standard Code for Information Interchange (ASCII) and Extended Binary Coded Decimal Interchange Code (EBCDIC).

Specific examples of services that are present at the presentation layer include gateway services. Gateway services allow for sending or transmission of data between different points that possess different characteristics that would otherwise make them incompatible. The session layer also manages data compression so that the actual number of bits that must be transmitted on the network can be reduced.

Other vital services at the presentation layer are encryption and decryption services. From a security perspective, encryption is important because it provides the ability to keep information confidential.

Layer 7: Application Layer

Capping off the OSI reference model is the application layer (Layer 7). The application layer hosts several application services that are used by applications and other services running on the system. For example, Web browsers that would be classified as a user-level application run on a system and access the network by "plugging" into the services at this layer to use the network. This layer includes network monitoring, management, file sharing, RPC, and other services used by applications.

The application layer is one that most users are familiar with because it is the home of e-mail programs, file transfer protocol (FTP), Telnet, Web browsers, office productivity suites, and many other applications. It is also the home of many malicious programs such as viruses, worms, Trojan horse programs, and other malevolent applications.

The Role of Encapsulation

In the OSI framework, the concept of encapsulation is the process of "packaging" information prior to transmitting it from one location to another. When transmitted across the network, it moves down from the application layer to the physical layer and then through the physical medium. As the data moves from the application layer down, the information is packaged and manipulated along the way until it becomes a collection of bits that race down the wire to the receiving station, where the process is reversed as the data moves back up the model.

Figure 2-3. Encapsulation.

Figure 2-4. Attack layer and the OSI reference model.

Mapping the OSI to Functions and Protocols

Although this chapter is meant to serve only as a primer or introduction to the OSI reference model and TCP/IP protocol, and the concepts introduced here will be explored in depth later, it still is important to understand some details now. Note that later on in this text several attacks will be discussed. Figure 2-4 will help to provide context for that later discussion.

OSI Layers and Services

Although TCP/IP is the dominant networking model, the OSI reference model remains important. It has served as an invaluable tool or reference model that can be used to map the location of various services. Table 2-1 illustrates each layer of the OSI reference model and some of the various services found at each layer. The OSI reference model protocols at the application layer handle file transfer, virtual terminals, and network management, and fulfill networking requests of applications. A few of the protocols are shown in Table 2-1.

Table 2-1. OSI layers and common protocols.

OSI REFERENCE MODEL LAYER   COMMON PROTOCOLS AND APPLICATIONS
Application                 FTP, TFTP, SNMP, Telnet, HTTP, DNS, and POP3
Presentation                ASCII, EBCDIC, TIFF, JPEG, MPEG, and MIDI
Session                     NetBIOS, SQL, RPC, and NFS
Transport                   TCP, UDP, SSL, and SPX
Network                     IP, ICMP, IGMP, BGP, OSPF, and IPX
Data Link                   ARP, RARP, PPP, SLIP, TLS, L2TP, and LTTP
Physical                    HSSI, X.21, and EIA/TIA-232

TCP/IP (a Layer-by-Layer Review)

Having explored the OSI reference model and looked at examples of each layer, let's turn our attention to TCP/IP.

It is important to envision TCP/IP as a suite of protocols that controls the way information travels from location to location, and to realize early on that TCP/IP is a collection of protocols that perform a wide array of functions. This is the reason why TCP/IP is known more accurately as the TCP/IP protocol suite. When individuals refer to the TCP/IP protocol they are generally referring to the IP role of the suite, which is the one responsible for addressing and routing information.

Out of the fairly large suite of TCP/IP protocols there are four protocols that generally serve as the foundation of the TCP/IP suite: IP, TCP, UDP, and ICMP. These protocols are so vital to normal network functioning that no device will exist on a TCP/IP network without supporting all of them. Each of the four main protocols provides some vital service or purpose that will be explored later in this text. It is possible to tie in at least a few of the items that have been mentioned so far (such as encapsulation) because each of these protocols in some way prepares the data to be moved on the network as it leaves Layer 7 and moves down. An example of the TCP/IP stack can be seen in Figure 2-5.

Figure 2-5. A comparison of TCP/IP and the OSI reference model.

Although TCP/IP has proven to be a flexible and robust network protocol, it was impossible for the designers of the protocol to anticipate every eventuality that could arise. A more trusting environment existed when TCP/IP was designed. As such, the protocol lacks significant security capabilities. In fact, several components of TCP/IP are insecure. Although IPv6 is quickly emerging as the replacement for IPv4 and will include security measures designed to address these problems, it is far from widespread use.

Pay special attention to the security concerns associated with each layer and its specific protocols. The four layers of TCP/IP include the following:

  • Application layer

  • Host-to-host layer

  • Internet layer

  • Network access layer

Physical/Network Access Layer

The physical/network access layer, which resides at the lowest layer of the TCP/IP model, is the point at which the higher-layer protocols interface with the network transport media. When comparing to the OSI reference model, this layer corresponds to OSI Layers 1 and 2.

Physical/Network Equipment

Physical/network equipment located at this layer of the TCP/IP model usually includes the following devices:

  • Repeaters—A device that amplifies, reshapes, or regenerates signals during retransmission. Typically these devices are used when long distances need to be covered and the distance exceeds the supported length of the medium.

  • Hubs—A hub receives a signal on one port and retransmits it to every other port on the hub. It does not alter the transmission in any way. Although common in networks that were smaller in nature, hubs are not nearly as common today. Hubs possess several ports.

  • Bridges—Whereas hubs receive a signal on one port and retransmit it to every other port indiscriminately, a bridge does not do so. Bridges direct information based on MAC addresses and as such can control the flow of traffic much better than hubs can. These devices only send information to ports that actually are the intended recipients of the information. They initially saw increased popularity due to their ability to overcome problems associated with hubs.

  • Switches—Devices that add intelligence to what already exists in bridges by providing the following:

    • Extremely low latency

    • Operation in half-duplex or full-duplex mode

    • Forwarding decisions based solely on the destination MAC address

    • A separate collision domain for each port

Although low-end consumer switches have limited functionality, more expensive switches that are found in large networks provide greater functionality. These higher-end switches typically provide the following:

  • A command line interface via Telnet or console port to configure remotely

  • A browser-based interface for configuration

All switches work in similar ways, with vendors adding value-added features to make their product easier to use than, or different from, a competitor's. Even with this functionality, all devices connected to a switch are part of the same broadcast domain, even though each port on the switch is a separate collision domain. A broadcast frame sent by any device on a switch is automatically forwarded to all other devices connected to the switch.

Physical/Network Layer Protocols

Protocols found at this layer include ARP, Reverse Address Resolution Protocol (RARP), Transport Layer Security (TLS), Layer 2 Tunneling Protocol (L2TP), LTTP, Point-to-Point Protocol (PPP), and Serial Line Interface Protocol (SLIP). One of the most important services is ARP.

ARP's role is to resolve an IP address to an unknown MAC address. ARP performs resolution using a two-step process. First, the requesting station broadcasts a request asking for the physical address that belongs to a target IP address. Every device on the segment processes the request; second, the station that owns the requested address responds with its physical (MAC) address. Replies are cached on the local system for later reference if needed.

The ARP cache on a system can be viewed at any time by using the arp -a command at the command line. An example of this command and its output is shown here:

  C:\>arp -a
  Interface: 192.168.123.114 --- 0x4
    Internet Address      Physical Address      Type
    192.168.123.121       00-01-55-12-26-b6     dynamic
    192.168.123.130       00-23-4d-70-af-20     dynamic
    192.168.123.254       00-1c-10-f5-61-9c     dynamic

Note

You can permanently maintain or statically add an ARP entry by using the arp -s <ip address> <MAC address> command. Because a static entry is already cached, future requests for that address are faster: the broadcast process does not have to occur. Add the string "pub" to the end of the command, and the system will act as an ARP server, answering ARP requests even for an IP address that it does not possess.

You can use ARP to bypass the features in a switch. For example, an attacker can provide falsified ARP responses that are accepted as valid. The switch then "thinks" that the attacker is really the other system, and redirects traffic to that address.
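The falsified-reply problem above leaves traces in the ARP cache. The following Python script, an added example that is not from the chapter, parses 'arp -a' output in the format shown above and applies two defender checks: one MAC address claiming several IP addresses in a single snapshot, and an IP address (for example, the default gateway) whose MAC address has changed between two snapshots. The cache dumps and every address in them are constructed sample data.

```python
"""Detect signs of ARP spoofing in successive snapshots of the local ARP cache."""
import re
from collections import defaultdict

# Matches one entry line of 'arp -a' output: IP address, MAC address, entry type.
_ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"          # dotted-decimal IP address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # MAC address in Windows form
    r"(dynamic|static)\s*$"
)

def parse_arp_table(text):
    """Return {ip: mac} for every entry line in an 'arp -a' dump.

    MACs are normalised to lower case so that case differences never hide a
    match. Header lines ("Interface:", column titles) do not match and are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            ip, mac, _entry_type = m.groups()
            table[ip] = mac.lower()
    return table

def find_duplicate_macs(table):
    """Return {mac: [ip, ...]} for MACs that answer for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def find_changed_macs(before, after):
    """Return {ip: (old_mac, new_mac)} for IPs whose MAC changed between snapshots."""
    return {
        ip: (before[ip], after[ip])
        for ip in before
        if ip in after and before[ip] != after[ip]
    }

# Constructed snapshot: a healthy cache, one MAC per IP address.
SNAPSHOT_BEFORE = """\
Interface: 192.168.123.114 --- 0x4
  Internet Address      Physical Address      Type
  192.168.123.121       00-01-55-12-26-b6     dynamic
  192.168.123.130       00-23-4d-70-af-20     dynamic
  192.168.123.254       00-1c-10-f5-61-9c     dynamic
"""

# Constructed snapshot taken later: the gateway (.254) now resolves to the MAC
# that .130 also uses, which is exactly what a falsified ARP reply produces.
SNAPSHOT_AFTER = """\
Interface: 192.168.123.114 --- 0x4
  Internet Address      Physical Address      Type
  192.168.123.121       00-01-55-12-26-b6     dynamic
  192.168.123.130       00-23-4d-70-af-20     dynamic
  192.168.123.254       00-23-4d-70-af-20     dynamic
"""

def audit(before_text, after_text):
    """Run both checks over two snapshots and return the findings."""
    before = parse_arp_table(before_text)
    after = parse_arp_table(after_text)
    return {
        "duplicate_macs": find_duplicate_macs(after),
        "changed_macs": find_changed_macs(before, after),
    }

if __name__ == "__main__":
    findings = audit(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for mac, ips in findings["duplicate_macs"].items():
        print(f"WARNING: MAC {mac} claims several IP addresses: {', '.join(ips)}")
    for ip, (old, new) in findings["changed_macs"].items():
        print(f"WARNING: {ip} moved from {old} to {new}")
```

A legitimate hardware replacement also changes a gateway's MAC, so treat a finding as a prompt to verify the address against the switch's own tables rather than as proof of an attack.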

Also included at this layer are legacy protocols known as Serial Line Interface Protocol (SLIP) and Point-to-Point Protocol (PPP). Although both provide the ability to transmit data over serial links, PPP is more robust than SLIP and has therefore displaced SLIP in many implementations. For the most part, SLIP is seen only in very specific environments and deployments, such as older networks.

Note

Although many types of frames can be present or handled at this layer of the TCP/IP model, Ethernet is by far the most common. Ethernet frames have several characteristics; one is using a MAC address for addressing at this level.

Physical Layer Threats

Several security threats exist at this layer. Before security professionals can understand how to defend against them, they must first understand the attacks. Some common threats found at this layer include the following:

  • Spoofing MAC addresses—Hackers can use a wide variety of programs to spoof MAC addresses, or even use features built into an operating system to change their MAC address. By spoofing MAC addresses, attackers can bypass 802.11 wireless access controls or switch port controls that lock ports to specific MAC addresses.

  • Wiretapping—The act of monitoring Internet and telephone conversations covertly by a third party. In essence, this attack requires you to tap into a cable for a wired network, but can involve listening in on a wireless network.

  • Interception—Packet sniffers are one of the primary means of intercepting network traffic.

  • Eavesdropping—The unauthorized capture and reading of network traffic.

Physical Layer Controls

In order to protect against physical layer attacks some simple countermeasures can be employed:

  • Fiber cable—Choice of transmission media can make a tremendous difference in the types of attacks that can be carried out and how difficult said attacks may be. For example, fiber is more secure than the wired alternatives and also more secure than wireless transmission methods.

  • Wired Equivalent Privacy (WEP)—WEP was an early attempt to add security to wireless networking. Although WEP does offer a level of security, that security is considered weak by today's standards. WEP has been largely replaced by WPA and WPA2. In practice it should be used only in noncritical deployments, if at all.

  • Wi-Fi Protected Access (WPA)—WPA was introduced as a more secure and more robust overall alternative to WEP and has proven to be more secure than WEP in practice.

  • Wi-Fi Protected Access 2 (WPA2)—WPA2 is an upgrade that adds several improvements over WPA, including encryption protocols such as Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP) as well as better key management over WPA.

  • Point-to-Point Tunneling Protocol (PPTP)—PPTP is widely used for virtual private networks (VPNs). PPTP is composed of two components: the transport that maintains the virtual connection and the encryption that ensures confidentiality.

  • Challenge Handshake Authentication Protocol (CHAP)—CHAP is an improvement over previous authentication protocols such as Password Authentication Protocol (PAP), in which passwords were sent in cleartext.

Internetwork Layer

The next layer is the internetworking layer, which maps to Layer 3 of the OSI reference model.

Internetworking Layer Equipment

The primary piece of equipment located at the internetwork layer is the router. Routers differ from switches found at the lower layers in that they direct traffic using logical addresses as opposed to the physical addresses used by switches. Furthermore, routers are meant to move traffic between different networks to form paths to direct traffic between multiple networks. Routers allow packets to flow from the source device's network to the destination device's network. Points to remember about routers include the following:

  • Does not forward broadcast packets

  • Forwards multicast packets

  • Has the highest latency

  • Has the most flexibility

  • Makes forwarding decisions on the basis of the destination IP address

  • Requires configuration

Figure 2-6. IP header.

Routers are also known as edge devices because of their placement at the point where multiple networks come together. Routers rely on items known as routing protocols to ensure that traffic gets to the correct location.

Routing Protocols

The aforementioned routing protocols determine the best path on which to send traffic at a given point in time. The two best examples of routing protocols are Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). Routers are optimized to perform the vital function of routing traffic between networks and ensuring that traffic reaches its intended destination. When receiving a packet, a router examines the header of the packet (see Figure 2-6), with specific emphasis on the destination address. Once this is located, the router consults a routing table to determine where to send the packet.

Note

Routing tables contain information that allows a router to quickly look up the best path that can be used to send the information. Routing tables are updated on a regular schedule in order to ensure that information contained within them is accurate and accounts for changing network conditions.

A router can be configured either statically or dynamically, depending on the requirements in a given situation. With static routing, the routing table is built by a network administrator who is knowledgeable about the layout of the network and enters the entries manually. Static routing is used mainly on small networks; it quickly loses its utility on larger networks because the manual updates would take increasing amounts of effort to keep current.

Dynamic routing represents the more commonly used option in networks and routing tables. Dynamic routing uses a combination of factors to update it automatically and the same factors to determine at any time where to send the information in question. Dynamic routing protocols include: RIP, Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), and OSPF. Within the protocols marked as dynamic routing are two subcategories known as distance vector and link-state routing.

The basic methodology of a distance vector protocol is to make a decision on what is the best route by determining the shortest path. The shortest path is commonly calculated by what are known as hops. RIP is an example of a distance vector routing protocol. RIP has several issues from a security standpoint:

  • Broadcasts all data

  • Is subject to route poisoning

  • Has no authentication

  • Might not choose the best path

Link state calculates the best path to a target network by one or more metrics such as delay, speed, or bandwidth. Once this path has been determined, the router will inform other routers what it has discovered. Link state routing is considered more flexible and robust than distance vector routing protocols. OSPF is the most common link state routing protocol and is used as a replacement for RIP in most large-scale deployments.

OSPF was developed in the mid-1980s to overcome the problems associated with RIP. Although RIP works well when networks are small in size, it rapidly loses its advantages when the network scales up in size. OSPF has several built-in advantages over RIP that include the following:

  • Security

  • The use of IP multicasts to send out router updates

  • Unlimited hop count

  • Better support for load balancing

  • Fast convergence

Internetwork Layer Protocols

The most important protocol in the TCP/IP suite is IP because of its central role in addressing and routing. It is a routable protocol whose role is to make a best effort at delivering information. IP organizes data into a packet, prepares it for delivery, and places a source and destination address on the packet. Additionally, IP is responsible for adding a value known as the Time to Live (TTL) to each packet. The goal of the TTL is to keep packets from traversing the network forever: if the recipient cannot be found, the packet is eventually discarded rather than circulating indefinitely.

Taking a closer look at the important IP address, there are some details that start to emerge that reveal how routing and other functions take place. One part of the IP address refers to the network, and the other refers to the host. In layman's terms, the network is equivalent to the street in a postal address, and the host is the house number on a given street. Combined, they allow you to communicate with any network and any host in the world that is connected to the Internet.

IPv4 addresses are written in dotted decimal notation, which divides the 32-bit address into four groups of 8 bits apiece, each written as a decimal number and separated by periods. Because each of these numbers is 1 byte long, it can range from 0-255. You can tell the class of an IP address by looking at the first octet. An example of IPv4 addressing is shown here:

Class   IP address begins with
A       1-126
B       127-191
C       192-223
D       224-239
E       240-255

Each of the classes divides up the number of networks and hosts differently, so larger or smaller networks are possible depending on the class. A Class A network offered the fewest networks with the greatest number of hosts, and Class C offered the opposite. Classes D and E are used for different purposes that this chapter does not discuss.

Note

Each section of an IP address separated by a decimal is commonly known as an octet, which comes from the binary notation used to represent it. Any number present in an IP address (0-255) can be represented by a sequence of eight ones and zeros.

Note

A good example of an attack against an IP is what is known as a teardrop attack. Malformed fragments can crash or hang older operating systems that have not been patched. Specifically in this attack, a packet is transmitted to a system that is larger than the system can handle, resulting in a crash.

A number of addresses have been reserved for private use. These addresses are nonroutable, which means that manufacturers of routers program them not to propagate network traffic from these address ranges onto the Internet. Traffic within these address ranges routes normally. The address ranges set aside as nonroutable, private addresses, together with their respective default subnet masks, are:

Class   Address range                   Default subnet mask
A       10.0.0.0-10.255.255.255         255.0.0.0
B       172.16.0.0-172.31.255.255       255.255.0.0
C       192.168.0.0-192.168.255.255     255.255.255.0

Many home routers use a default address of 192.168.0.1 or 192.168.1.1. This means that a home network is nonroutable "right out of the box," which is a very desirable security feature.
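The "street and house number" split and the private-range check described above, as an added example that is not code from the book: it parses dotted-decimal IPv4 text, divides an address into network and host parts with the default subnet mask from the table, and reports which private range (if any) the address falls in. The sample addresses are constructed.

```python
"""Private-address checks for the RFC 1918 ranges in the table above.

Added example, not code from the book. Sample addresses are constructed.
"""

# (class, first address, last address, default subnet mask) from the table above
PRIVATE_RANGES = [
    ("A", "10.0.0.0", "10.255.255.255", "255.0.0.0"),
    ("B", "172.16.0.0", "172.31.255.255", "255.255.0.0"),
    ("C", "192.168.0.0", "192.168.255.255", "255.255.255.0"),
]


def ip_to_int(addr: str) -> int:
    """Parse dotted decimal into a 32-bit integer; reject malformed input
    (wrong octet count, or an octet outside 0-255)."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"octet must be 0-255: {addr!r}")
        value = (value << 8) | int(octet)
    return value


def int_to_ip(value: int) -> str:
    """Render a 32-bit integer as dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_network_host(addr: str, mask: str) -> tuple:
    """Return (network part, host part) of addr under the given subnet mask:
    the 'street' and the 'house number' from the analogy above."""
    a, m = ip_to_int(addr), ip_to_int(mask)
    return int_to_ip(a & m), int_to_ip(a & ~m & 0xFFFFFFFF)


def private_range(addr: str):
    """Return (class, default mask) if addr is in a private range, else None."""
    a = ip_to_int(addr)
    for cls, start, end, mask in PRIVATE_RANGES:
        if ip_to_int(start) <= a <= ip_to_int(end):
            return cls, mask
    return None


def describe(addr: str) -> dict:
    """Summarise an address the way a border filter deciding 'route or drop' would."""
    hit = private_range(addr)
    if hit is None:
        return {"address": addr, "private": False}
    cls, mask = hit
    network, host = split_network_host(addr, mask)
    return {"address": addr, "private": True, "class": cls,
            "network": network, "host": host}


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.31.255.255", "172.32.0.1",
                   "192.168.1.1", "8.8.8.8"):
        print(describe(sample))
```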

Also located at the internetwork layer is the Internet Control Message Protocol (ICMP), which was designed for network diagnostics and to report logical errors. TCP/IP environments must support ICMP because it is an essential service for network management. ICMP provides error reporting and diagnostics, and ICMP messages follow a basic format. The first byte of an ICMP header indicates the type of ICMP message. The byte following contains the code for each particular type of ICMP. Eight of the most common ICMP types are shown here:

ICMP type   Code    Function
0/8         0       Echo Response/Request (Ping)
3           0-15    Destination Unreachable
4           0       Source Quench
5           0-3     Redirect
11          0-1     Time Exceeded
12          0       Parameter Fault
13/14       0       Timestamp Request/Response
17/18       0       Subnet Mask Request/Response

The tool most commonly used by network administrators in connection with ICMP is ping, which is useful in determining whether a host is up. It is also useful for attackers because it helps them enumerate systems (it can tell the hacker whether a computer is online).
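The ICMP message layout described above (type byte, code byte, then a 16-bit checksum), as an added example that is not code from the book: it builds an echo request with a valid RFC 1071 one's-complement checksum and decodes a header back into the type names from the table. All messages are constructed; nothing is sent on the wire.

```python
"""Build and decode ICMP messages: first byte type, second byte code,
then a 16-bit checksum and type-specific fields.

Added example, not code from the book. Sample messages are constructed.
"""
import struct

# Type names from the ICMP table above.
ICMP_TYPES = {
    0: "Echo Response", 8: "Echo Request", 3: "Destination Unreachable",
    4: "Source Quench", 5: "Redirect", 11: "Time Exceeded",
    12: "Parameter Fault", 13: "Timestamp Request", 14: "Timestamp Response",
    17: "Subnet Mask Request", 18: "Subnet Mask Response",
}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded and inverted (RFC 1071).
    Run over a whole message whose checksum field is filled in, it yields 0."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request (type 8) or response (type 0), code 0, valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode type, code and checksum state; reject anything shorter than a header."""
    if len(msg) < 4:
        raise ValueError("ICMP header needs at least 4 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "unknown"),
        "checksum_ok": icmp_checksum(msg) == 0,
    }


if __name__ == "__main__":
    request = build_echo(8, 0x1234, 1, b"constructed ping payload")
    print(parse_icmp(request))
    # Constructed Time Exceeded (type 11, code 0) with an unfilled checksum
    print(parse_icmp(bytes([11, 0, 0, 0]) + b"\x00" * 4))
```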

Note

Ping gets its name from the distinctive "pinging" noise made by sonar in ships and submarines to locate other vessels that may be lurking nearby. A ping from a sonar device bounces a sound off a hull of a ship as an echo, letting the sender know where the lurker happens to be.

Internetwork Layer Threats

One threat that will be discussed more in depth later in this text is known as a sniffer (also commonly referred to as a protocol analyzer). Sniffers are hardware- or software-based devices that are used to view and/or record traffic that flows over the network.

Sniffers are useful and problematic at the same time because network traffic that might include sensitive data can be viewed through the use of a sniffer. It is not uncommon for corporate IT departments to specifically deny the use of sniffers except by those specifically authorized to use them. Sniffers pose a real risk in that a less-than-ethical individual might intercept a password or other sensitive information in cleartext and use it later for some unauthorized purpose.

In order to realize the full potential of a sniffer, certain conditions have to be in place; most important is the ability for a network card to be put into promiscuous mode. In other words, the card can view all traffic moving past it rather than just the traffic destined for it. There are programs to accomplish this for Linux and Windows users. Linux users can download libpcap at http://sourceforge.net/projects/libpcap/. Windows users need to install the winpcap library, available at http://www.winpcap.org. Just remember that promiscuous mode allows a sniffer to capture any packet it can see, not just packets addressed to the device. Next, you have to install a sniffer.

The most widely used sniffer is known as Wireshark. Wireshark has gained popularity because it is free, easy to use, and it works as well as or better than most commercial sniffing tools. Wireshark, just like other sniffers, comprises three displays or windows. To get an idea of what the display looks like, look at Figure 2-7.

Figure 2-7. Wireshark.

At the top of the figure, you can see a number of packets that have been captured. In the middle of the figure, you can see the one packet that has been highlighted for review. At the bottom of the figure, you can see the contents of the individual frame. If you want to learn more about sniffers, Wireshark is a good place to start. It can be downloaded from www.wireshark.org.

Internetwork Layer Controls

Moving up the TCP/IP stack, the following controls are useful at the internetwork layer.

  • IPSec—The most widely used standard for protecting IP datagrams is IPSec. IPSec can be at or above the internetwork layer. IPSec can be used by applications and is transparent to end users. IPSec addresses two important security problems with data in transit: keeping the data confidential and maintaining its integrity.

  • Packet filters—Packet filtering is configured through access control lists (ACLs). ACLs enable rule sets to be built that will allow or block traffic based on header information. As traffic passes through the router, each packet is compared with the rule set, and a decision is made as to whether the packet will be permitted or denied.

  • Network address translation (NAT)—Originally developed to address the growing need for IP addresses (discussed in Request for Comments [RFC] 1631), NAT can be used to translate between private and public addresses. Private IP addresses are those that are considered unroutable. Being unroutable means that public Internet routers will not route traffic to or from addresses in these ranges. A small measure of security is added by using NAT.

Host-to-Host Layer

The host-to-host layer provides end-to-end delivery. This layer segments the data and adds a checksum in order to properly validate data to ensure that it has not been corrupted. A decision must be made here to send the data with TCP or UDP, depending on the specific application.

Host-to-Host Layer Protocols

The primary job of the host-to-host transport layer is to facilitate end-to-end communication. This layer is often referred to as the transport layer. The following sections describe the two protocols at this layer:

  • TCP

  • UDP

TCP provides reliable data delivery services and is a connection-oriented protocol. TCP provides reliable data delivery, flow control, sequencing, and a means to handle startups and shutdowns. TCP also uses a three-step handshake to start a session. During the data-transmission process, TCP guarantees delivery of data by using sequence and acknowledgment numbers. At the completion of the data-transmission process, TCP performs a four-step shutdown that gracefully concludes the session. The startup sequence is shown in Figure 2-8.

TCP has a fixed packet structure (see Figure 2-9). Port scanners can tweak TCP flags and send them in packets that should not normally exist in an attempt to elicit a response from a targeted server.

Like TCP, UDP belongs to the host-to-host layer. Unlike TCP, UDP is a connectionless transport service. UDP does not have startup, shutdown, or any handshaking processes like those performed by TCP. Because there is no handshake with UDP, it is harder to scan and enumerate. Although the lack of a handshake makes UDP less reliable, it does offer the benefit of speed. UDP is optimized for applications that require fast delivery and are not sensitive to packet loss. UDP is used by services such as Domain Name Service (DNS).

Figure 2-8. TCP startup and shutdown.

Figure 2-9. TCP frame structure.

Host-to-Host Layer Threats

Some of the most common host-to-host layer attacks are shown here:

  • Port scanning—A technique in which a message is sent to each port, one at a time. By examining the response, the attacker can determine weaknesses in the applications being probed and determine what to attack.

  • Session hijack—A type of attack in which the attacker places himself between the victim and the server. The attack is made possible because authentication typically is done only at the start of a TCP session.

  • SYN attack—A SYN attack is a distributed denial of service (DDoS) attack in which the attacker sends a succession of SYN packets with a spoofed return address to a targeted destination IP device, but does not send the last ACK packet to acknowledge and confirm receipt. Eventually, the target system runs out of open connections and cannot accept any new legitimate connection requests.
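One way to spot the SYN attack described above from a connection log, as an added example that is not code from the book: half-open handshakes (a SYN answered by SYN+ACK but never completed with the final ACK) are counted per server rather than per client, because the source addresses in such a flood are spoofed. The log lines are constructed samples in a made-up "time src:port dst:port flags" format, not the output of any real tool, and the threshold is an assumption to tune per site.

```python
"""Count half-open TCP handshakes per server from a connection log.

Added example, not code from the book. Log lines and threshold are constructed.
"""
from collections import defaultdict

# Constructed sample log: one legitimate connection, four half-open ones
# from spoofed 192.0.2.x sources, and one connection aborted with RST.
SAMPLE_LOG = """\
0.00 203.0.113.5:40001 198.51.100.10:80 S
0.01 198.51.100.10:80 203.0.113.5:40001 SA
0.02 203.0.113.5:40001 198.51.100.10:80 A
0.10 192.0.2.7:1000 198.51.100.10:80 S
0.10 192.0.2.8:1000 198.51.100.10:80 S
0.11 192.0.2.9:1000 198.51.100.10:80 S
0.11 192.0.2.10:1000 198.51.100.10:80 S
0.12 198.51.100.10:80 192.0.2.7:1000 SA
0.12 198.51.100.10:80 192.0.2.8:1000 SA
0.13 198.51.100.10:80 192.0.2.9:1000 SA
0.13 198.51.100.10:80 192.0.2.10:1000 SA
0.20 203.0.113.9:5000 198.51.100.20:25 S
0.21 198.51.100.20:25 203.0.113.9:5000 SA
0.22 203.0.113.9:5000 198.51.100.20:25 R
"""


def half_open_by_server(log_text: str) -> dict:
    """Map server -> number of handshakes still waiting for the client's ACK."""
    pending = {}  # (client, server) -> "syn" or "synack"
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, src, dst, flags = line.split()
        if flags == "S":                    # step 1: client SYN
            pending[(src, dst)] = "syn"
        elif flags == "SA":                 # step 2: server SYN+ACK
            if pending.get((dst, src)) == "syn":
                pending[(dst, src)] = "synack"
        elif flags in ("A", "R"):           # step 3 completes; RST aborts
            pending.pop((src, dst), None)
    counts = defaultdict(int)
    for (_client, server) in pending:
        counts[server] += 1
    return dict(counts)


def suspected_syn_flood(log_text: str, threshold: int = 3) -> set:
    """Servers whose half-open count reaches the (assumed) threshold."""
    return {srv for srv, n in half_open_by_server(log_text).items()
            if n >= threshold}


if __name__ == "__main__":
    print(half_open_by_server(SAMPLE_LOG))
    print(suspected_syn_flood(SAMPLE_LOG))
```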

Host-to-Host Layer Controls

Although the host-to-host layer is where you find TCP and UDP, you need to remember that these protocols are not designed for security. Their goal is reliable or fast delivery. Listed here are some host-to-host security protocols:

  • Secure Sockets Layer (SSL)—SSL is considered application independent and can be used with Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Telnet, which run on top of it transparently. SSL uses RSA public key cryptography.

  • Transport Layer Security (TLS)—TLS is an upgrade to SSL and is backward compatible, but they do not interoperate. TLS, much like SSL, is designed to be application independent.

  • SOCKS—Another security protocol developed and established by Internet standard RFC 1928. It allows client-server applications to work behind a firewall and utilize their security features.

  • Secure RPC (S/RPC)—Adds an additional layer of security onto the RPC process by adding Data Encryption Standard (DES) encryption.

Application Layer

This section examines the application layer, which maps to OSI Layers 5, 6, and 7. The application layer interacts with applications that need to gain access to network services.

Application Layer Services

There are many application layer services present at this layer; however, not all are of importance to the security professional. Focus on the services that have the greatest potential for abuse and misuse and therefore represent the greatest threat. Services are assigned a port number. There are 65,535 ports; they are divided into well-known ports (0-1023), registered ports (1024-49151), and dynamic ports (49152-65535). Although there are hundreds of ports and corresponding applications in practice, fewer than 100 are in common use and of these only a handful will be encountered on a regular basis. The most common of these are shown in Table 2-2. These are some of the ports that a hacker would first look for on a victim's computer systems.

You should practice the deny-all principle and enable just those ports that are needed instead of memorizing each port and deciding whether to block it or not. Simply put, you should block everything and allow only what is needed. If a port is not being used, and deny-all is the practice, it will already be closed.

Note

Every firewall is different in respect to configuration, but by default most firewalls have most if not all their default ports and services disabled. It is up to you, as the security professional, to determine what you need enabled to make the network usable and enable just those features you need to function.

Going back to the earlier point that TCP/IP was designed when networks were given more trust, not all applications are created equal. Although some, such as Secure Shell (SSH), are designed to be secure alternatives to Telnet, you might encounter the less secure options in practice. The following list discusses the operation and security issues of some of the common applications:

  • DNS—DNS operates on port 53 and performs address translation. DNS serves a critical function in that it converts fully qualified domain names (FQDNs) into numeric IP addresses or IP addresses into FQDNs. DNS uses UDP and TCP.

  • FTP—FTP is a TCP service that operates on ports 20 and 21. This application is used to move files from one computer to another. Port 20 is used for the data stream and transfers the data between the client and the server. Port 21 is the control stream and is used to pass commands between the client and the FTP server.

  • HTTP—HTTP is a TCP service that operates on port 80. HTTP uses a request-response protocol in which a client sends a request and a server sends a response. Because HTTP generally runs on Web servers, and Web servers are a very public and exposed asset, the protocol is very commonly exploited by all sorts of threats, including malware.

  • Simple Network Management Protocol (SNMP)—SNMP is a UDP service and operates on ports 161 and 162. Some of the security problems that plague SNMP are caused because community strings (which act as a pseudo-password) can be passed as cleartext and the default community strings (public/private) are well known. SNMP version 3 is the most current and it offers encryption.

  • Telnet—Telnet is a TCP service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client's keyboard to the host computer system. Telnet sends data in the clear.

    Table 2-2. Computer ports, services, and protocols.

    PORT    SERVICE       PROTOCOL
    21      FTP           TCP
    22      SSH           TCP
    23      Telnet        TCP
    25      SMTP          TCP
    53      DNS           TCP/UDP
    67/68   DHCP          UDP
    69      TFTP          UDP
    79      Finger        TCP
    80      HTTP          TCP
    88      Kerberos      UDP
    110     POP3          TCP
    111     SUNRPC        TCP/UDP
    135     MS RPC        TCP/UDP
    139     NB Session    TCP/UDP
    161     SNMP          UDP
    162     SNMP Trap     UDP
    389     LDAP          TCP
    443     SSL           TCP
    445     SMB over IP   TCP/UDP
    1433    MS-SQL        TCP

  • Simple Mail Transfer Protocol (SMTP)—This application is a TCP service that operates on port 25. It is designed for the exchange of electronic mail between networked systems. Spoofing and spamming are two of the vulnerabilities associated with SMTP.

  • Trivial File Transfer Protocol (TFTP)—TFTP operates on port 69. It also requires no authentication, which could pose a big security risk. It is used to transfer router configuration files and by cable companies to configure cable modems.

Application Layer Threats

Although numerous application layer threats exist, listing all of them is unnecessary. Some of the more common are briefly listed here to serve as an introduction to in-depth discussions in later chapters:

  • Malware—Software developed for the purpose of doing harm. Examples of malware include the following:

    • Trojan—A program that does something undocumented that the programmer or designer intended, but the end user would not approve of if he or she knew about it

    • Spyware—Any software application that covertly gathers information about a user's activity and reports such to a third party

    • Virus—A computer program with the capability to generate copies of itself and spread file-to-file. Because viruses usually require the interaction of an individual, they spread very slowly. Viruses can have a wide range of effects, including irritating the user or destroying data.

    • Worm—A self-replicating program that spreads by inserting copies of itself into other executable codes, programs, or documents. Worms replicate from system to system (instead of file-to-file), and thus spread much more rapidly than viruses. Some worms can flood a network with traffic and result in a DoS attack by consuming bandwidth and other resources.

  • DoS—Occurs when an attacker consumes the resources on a target computer for things it was not intended to be doing, thus preventing normal use of network resources for legitimate purposes. Examples of DoS attacks include the following:

    • DoS attack—Although these attacks are known by different names (for example, smurf, SYN flood, local area network denial [LAND], and fraggle), each is designed only to disrupt service.

    • DDoS attack—Similar to DoS, except the attack is launched from multiple distributed agent IP devices. Examples of DDoS programs include Tribal Flood Network (TFN), TFN2K, Shaft, and Trinoo.

    • Botnets—A term used to describe robot-controlled workstations that are part of a collection of other robot-controlled workstations. These devices can be used for DoS or to flood systems with spam.

Figure 2-10. TCP/IP model and each layer's controls.

Application Layer Controls

Following are some examples of application layer controls. An overview of the controls discussed for each layer of the TCP/IP model can be seen in Figure 2-10.

Some application layer software controls include the following:

  • Malware scanners—Anti-malware programs use one or more techniques to scan files and applications and detect viruses. Malware detection software has changed from an add-on tool to a must-have system requirement.

  • SSH—A secure application layer program that has security features built in. SSH sends no data in cleartext; usernames and passwords are encrypted. SSHv2 offers even greater protection.

  • Pretty Good Privacy (PGP)—PGP uses a public-private key system and offers strong protection for e-mail.

  • Secure/Multipurpose Internet Mail Extension (S/MIME)—Secures e-mail by using X.509 certificates for authentication. S/MIME works in one of two modes: signed and enveloped.

CHAPTER SUMMARY

This chapter examined some of the more commonly used applications and protocols used by TCP/IP. The purpose of this review was to better understand how the protocols work. Understanding the underlying mechanics and functioning of a protocol allows the security professional to better defend against attacks. Knowing the mechanics of a protocol also assists in the understanding of the attacks themselves.

As a security professional, it is of vital importance to be not just reactive, but proactive. Thinking about how an attacker could leverage or exploit holes present in systems is an invaluable tool in your toolbox. The knowledge presented in this chapter will emerge in different forms and in different places throughout the rest of this text.

KEY CONCEPTS AND TERMS

  • Address Resolution Protocol (ARP)

  • Deny-all principle

  • Domain Name Service (DNS)

  • Encapsulation

  • Firewall

  • Flow control

  • Frame

  • Institute of Electrical and Electronics Engineers (IEEE)

  • Layer 2 Tunneling Protocol (L2TP)

  • Media access control (MAC) address

  • Physical/network equipment

  • Reverse Address Resolution Protocol (RARP)

  • Router

  • Serial Line Interface Protocol (SLIP)

  • Sniffer

  • Subnet mask

  • SYN attack

  • Transport Layer Security (TLS)

  • User Datagram Protocol (UDP)

CHAPTER 2 ASSESSMENT

  1. What is the networking layer of the OSI reference model responsible for?

    1. Physical layer connectivity

    2. Routing and delivery of IP packets

    3. Formatting the data

    4. Physical framing

    5. None of the above

  2. Which of the following is not an attribute of OSPF?

    1. Security

    2. The use of IP multicasts to send out router updates

    3. No limitation for hop count

    4. Subject to route poisoning

  3. Which of the following makes UDP harder to scan for?

    1. Low overhead

    2. Lack of startup and shutdown

    3. Speed

    4. Versatility

  4. Which of the following best describes how ICMP is used?

    1. Packet delivery

    2. Error detection and correction

    3. Logical errors and diagnostics

    4. IP packet delivery

  5. The most common type of ICMP message is _______.

  6. Which of the following statements most closely expresses the difference in routing and routable protocols?

    1. IP is a routing protocol, whereas RIP is a routable protocol.

    2. OSPF is a routing protocol, whereas IP is a routable protocol.

    3. BGP is used as a routable protocol, whereas RIP is a routing protocol.

    4. Routable protocols are used to define the best path from point A to point B, while routing protocols are used to transport the data.

  7. What is another way used to describe Ethernet?

    1. Collision detection

    2. Sends traffic to all nodes on a hub

    3. CSMA/CD

    4. All of the above

  8. Botnets are used to bypass the functionality of a switch.

    1. True

    2. False

  9. What is a security vulnerability found in RIP?

    1. Slow convergence

    2. Travels only 56 hops

    3. No authentication

    4. Distance vector

  10. Which of the following best describes the role of IP?

    1. Guaranteed delivery

    2. Best effort at delivery

    3. Establishes sessions by means of a handshake process

    4. Is considered an OSI Layer 2 protocol
