old notes

networking

#networking #dns #nslookup #dig #cname #aircrackng #UofTBootcamp

Follow-Up Questions from Homework9

Q2 – does it matter that we are getting non-authoritative answers from a recursive resolver (8.8.8.8) vs. getting an authoritative one? – what is the difference between using this:

nslookup -type=cname www.theforce.net

and getting:

Non-authoritative answer: www.theforce.net canonical name = theforce.net.

VS.

nslookup -type=cname theforce.net

and getting:

Non-authoritative answer: *** Can't find theforce.net: No answer

Authoritative answers can be found from:
theforce.net
origin = WebPublish_Othe
mail addr = hostmaster
serial = 2017110901
refresh = 900
retry = 600
expire = 86400
minimum = 3600

https://stackoverflow.com/questions/66014432/how-to-find-the-canonical-name-with-nslookup

Q3: – what does NXDOMAIN tell us for sure? https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/ – follow-up on the conclusion


Networking Fundamentals: Homework 9

Your task is a crucial one: Restore the Resistance's core DNS infrastructure and verify that traffic is routing as expected.

Mission 1:

Network Issue:

The Resistance has taken down their primary DNS and email servers in order to build and deploy a new DNS and mail server, but they are not currently receiving emails because they have no configured MX records for the new email servers.

DNS record type found:

We want to check the MX records (mail exchanger records), which specify which mail servers can accept email sent to our domain, for starwars.com with: nslookup -type=mx starwars.com

DNS records that can explain the reasons for existing network issue:

According to our nslookup results, the new mail servers are not listed. The primary mail server for starwars.com should be asltx.l.google.com and the secondary mail server should be asltx.2.google.com.

Server: 192.168.2.1
Address: 192.168.2.1#53

Non-authoritative answer:
starwars.com mail exchanger = 5 alt2.aspmx.l.google.com.
starwars.com mail exchanger = 1 aspmx.l.google.com.
starwars.com mail exchanger = 10 aspmx2.googlemail.com.
starwars.com mail exchanger = 10 aspmx3.googlemail.com.
starwars.com mail exchanger = 5 alt1.aspx.l.google.com.

Instead, the primary server (indicated by the numeric value of 1 before the server address) is aspmx.l.google.com. The secondary server is either alt2.aspmx.l.google.com. or alt1.aspx.l.google.com., as both addresses have the next priority value of 5.

It's likely that these are the old servers and someone has forgotten to change the MX record configuration to the new servers at: asltx.l.google.com and asltx.2.google.com.

Recommended fixes to save the Galaxy!

The corrected MX record should be:

starwars.com mail exchanger = 1 asltx.l.google.com
starwars.com mail exchanger = 2 asltx.2.google.com
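As an added example (not part of the homework or its answer key), the following Python parses the nslookup MX output quoted above into (preference, host) pairs, groups the hosts by preference so the equal-priority secondaries show up as a tie, and compares the published set against the servers the mission says should be there. The sample output is constructed from the text above, and the expected hostnames are the exercise's, not real mail hosts.

```python
import re

# Constructed sample input: the nslookup -type=mx starwars.com output quoted
# in this mission, with one "mail exchanger" line per MX record.
NSLOOKUP_MX_OUTPUT = """\
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
starwars.com    mail exchanger = 5 alt2.aspmx.l.google.com.
starwars.com    mail exchanger = 1 aspmx.l.google.com.
starwars.com    mail exchanger = 10 aspmx2.googlemail.com.
starwars.com    mail exchanger = 10 aspmx3.googlemail.com.
starwars.com    mail exchanger = 5 alt1.aspx.l.google.com.
"""

# The mail servers the mission says should be configured (hostnames taken from
# the homework text; they are the exercise's, not real Google hosts).
EXPECTED_MX = {"asltx.l.google.com", "asltx.2.google.com"}

# "<domain> mail exchanger = <preference> <host>." ; the trailing dot marks a
# fully qualified name and is dropped so hosts compare cleanly.
MX_LINE = re.compile(r"^\S+\s+mail exchanger = (\d+)\s+(\S+?)\.?$")


def parse_mx(output):
    """Return (preference, host) pairs sorted so the lowest preference,
    i.e. the server a sender tries first, comes first."""
    records = []
    for line in output.splitlines():
        match = MX_LINE.match(line.strip())
        if match:
            records.append((int(match.group(1)), match.group(2).lower()))
    return sorted(records)


def rank_mx(records):
    """Group hosts by preference value; equal values are a tie that senders
    pick from at random, which is why "the secondary" above is two hosts."""
    ranked = {}
    for preference, host in records:
        ranked.setdefault(preference, []).append(host)
    return ranked


def audit_mx(output, expected):
    """Compare the published MX set against what should be there."""
    records = parse_mx(output)
    ranked = rank_mx(records)
    configured = {host for _, host in records}
    primary = ranked[min(ranked)] if ranked else []
    return {
        "primary": primary,
        "missing": sorted(expected - configured),     # new servers not published
        "unexpected": sorted(configured - expected),  # stale servers still published
    }


if __name__ == "__main__":
    for preference, hosts in sorted(rank_mx(parse_mx(NSLOOKUP_MX_OUTPUT)).items()):
        print(f"preference {preference:>2}: {', '.join(hosts)}")
    print(audit_mx(NSLOOKUP_MX_OUTPUT, EXPECTED_MX))
```

Running the block prints the preference groups (1, then the tie at 5, then 10) and an audit showing both expected servers missing and all five published ones unexpected, which is the state the mission describes.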

Mission 2:

Network Issue:

Official emails are going into spam or being blocked because the SPF record has not been updated to reflect the new IP address of their mail server. Since the SPF record is used to indicate which mail servers are allowed to send emails on behalf of a domain, emails from the IP address of the new mail server (missing from the current SPF record) are likely to be filtered out as spam.

DNS record type found:

Looking up the SPF (Sender Policy Framework) record using nslookup -type=txt theforce.net | grep spf finds the following SPF record:

theforce.net text = "v=spf1 a mx mx:smtp.secureserver.net include:aspmx.googlemail.com ip4:104.156.250.80 ip4:45.63.15.159 ip4:45.63.4.215"

Alternatively, we can also use the dig DNS lookup utility: dig theforce.net txt | grep spf which confirms the same SPF record:

theforce.net. 3498 IN TXT "v=spf1 a mx mx:smtp.secureserver.net include:aspmx.googlemail.com ip4:104.156.250.80 ip4:45.63.15.159 ip4:45.63.4.215"

DNS records that can explain the reasons for existing network issues:

The servers currently allowed to send emails for the domain are the following IPv4 hosts: 104.156.250.80, 45.63.15.159, and 45.63.4.215. The new one (45.23.176.21) has not been added. It is likely that, similar to Mission 1, someone has forgotten to update the record after the changes made while the network was down.

Recommended fixes to save the Galaxy!

We have not been given data regarding the other mail server IP addresses; if we assume that those are still correct and do not need to be removed, we only need to add the missing IP, so the corrected record should be:

theforce.net. 3498 IN TXT "v=spf1 a mx mx:smtp.secureserver.net include:aspmx.googlemail.com ip4:104.156.250.80 ip4:45.63.15.159 ip4:45.63.4.215 ip4:45.23.176.21"

Mission 3:

Network Issue:

DNS record type found:

We need to check the CNAME record of the resistance.theforce.net domain in order to see why it is not redirecting to theforce.net. A CNAME record is used to point one domain to another so if we want the resistance.theforce.net subdomain to point to theforce.net, we need to have the CNAME configured to do so.

DNS records that can explain the reasons for existing network issues:

Looking up the CNAME (Canonical Name) of www.theforce.net with nslookup in interactive mode in order to examine a correct CNAME configuration where www.theforce.net will be redirected to theforce.net:

nslookup (with no arguments) to enter interactive mode

> set query=CNAME to set the query type to CNAME
> www.theforce.net to set the domain to query

This gives the following (relevant) output:

www.theforce.net canonical name = theforce.net.

Alternatively, we can also use the single-line command nslookup -type=CNAME www.theforce.net, or dig www.theforce.net | grep CNAME if we would like to confirm things in multiple ways before moving forward:

www.theforce.net. 2321 IN CNAME theforce.net.

is the output from dig indicating the correct configuration.

Looking up why our resistance.theforce.net is not redirecting to theforce.net:

Using nslookup -type=CNAME resistance.theforce.net we get: ** server can't find resistance.theforce.net: NXDOMAIN, which is an error message indicating the DNS query failed because the domain name queried (resistance.theforce.net) does not exist, or the resolver could not “know” that it exists.

This could mean (if we assume we have not made a user error in our query, i.e. mistyping the address):

  • the domain is currently offline or is having server issues
  • a security control is blocking the domain
  • the domain could be compromised or malware exists

To follow-up, we can first check if the domain is offline using https://isitup.org/resistance.theforce.net which indicates that the domain is down. This makes sense because we are supposed to be redirecting resistance.theforce.net to the CNAME domain theforce.net so the subdomain should not exist on its own.

Recommended fixes to save the Galaxy!

To fix this, we need to correct the CNAME record configuration to have this line:

resistance.theforce.net canonical name = theforce.net.

Mission 4

Network Issue:

DNS record type found:

DNS records that can explain the reasons for existing network issues:

Recommended fixes to save the Galaxy!

Mission 5:

Network Issue:

Slow network traffic from the planet of Batuu to Jedha due to an attack on Planet N.

The routing protocol in use is OSPF Open Shortest Path First.

Recommended fixes to save the Galaxy!

The new path to use is:

Mission 6:

Your Mission:

  • Figure out the Dark Side's secret wireless key by using Aircrack-ng.

Results from running Aircrack-ng with the password list downloaded from: https://github.com/danielmiessler/SecLists/blob/master/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt

[00:00:00] 3432/4800 keys tested (10349.88 k/s)

Time left: 0 seconds 71.67%

KEY FOUND! [ dictionary ]

Master Key : B3 52 50 D0 9F 8E AB BD 0D 9E 3D D3 A3 62 12 82 9E FA 89 FC 19 1D A4 4A 3E 7A 40 9C D4 DF 68 DC

Transient Key : DF 26 D4 B0 47 58 E5 AB 33 66 35 14 87 70 7E 46 9E 93 3F 48 3A AE BE F5 0A 58 81 82 B1 59 56 A4 05 C4 04 F4 F0 E2 27 45 49 3D 51 9C A0 E0 AA 83 5F 63 D5 35 A5 56 52 24 35 70 31 08 BE 99 F6 15

EAPOL HMAC : 3E B9 D6 B8 63 69 A7 8B 83 EA 2A 3A 71 ED CF 59

The password is: dictionary. We use this password to decrypt the WPA traffic via Wireshark.

  • Once you have decrypted the traffic, figure out the following Dark Side information:

    • Host IP Addresses and MAC Addresses by looking at the decrypted ARP traffic.

Host: Sender MAC address: IntelCor_55:98:ef (00:13:ce:55:98:ef) Sender IP address: 172.16.0.101 (172.16.0.101)

Looking for: Sender MAC address: Cisco-Li_e3:e4:01 (00:0f:66:e3:e4:01) Sender IP address: 172.16.0.1 (172.16.0.1)

Mission 7:

Viewing the DNS record from Mission #4, specifically looking for a hidden message in the TXT record:

nslookup -type=txt princessleia.site to find this message:

princessleia.site text = "Run the following in a command line: telnet towel.blinkenlights.nl or as a backup access in a browser: www.asciimation.co.nz"

Take a screen shot of the results:

Note: This was the coolest last homework question ever! And thank you for reading.

#wireshark #networking #ip #tcp #udp #arp #http #dns #aircrack #nslookup #cheatsheet #UofTBootCamp


General

!(arp or icmp or dns) – filter out whatever is listed
udp contains xx:xx:xx – filter for certain HEX values at any offset

Search by string/regex/hex value: Edit > Find Next > Select your Filter/Search Input


802.11

Wireshark beacon filter: wlan.fc.type_subtype == 0x08
Wireshark broadcast filter: eth.dst == ff:ff:ff:ff:ff:ff
Wireshark multicast filter: (eth.dst[0] & 1)


ARP

arp.opcode == 1 for requests
arp.opcode == 2 for responses

Operation code params: https://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml#arp-parameters-1


DNS

queries: dns.flags.response == 0
responses: dns.flags.response == 1

errors:
dns.flags.rcode == 0 – no error
dns.flags.rcode != 0 – DNS requests that couldn't be correctly resolved
dns.flags.rcode == 3 – no such name (NXDOMAIN)

examples:
dns.a
dns.cname
dns.qry.name == example.com
dns.resp.name == example.com
dns.resp.name == example.com and dns.time > 0.01
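The filters above key on two header fields, dns.flags.response and dns.flags.rcode; a third, the AA (authoritative answer) bit, is what makes nslookup print “Non-authoritative answer” when the reply comes from a recursive resolver such as 8.8.8.8 rather than from the zone's own nameserver (the Q2 follow-up at the top of these notes). The following Python decoder is an added example, not course material: it unpacks the 12-byte DNS header and describes a message in those terms. The sample messages are constructed headers only (no question or answer sections), built by the helper in the block.

```python
import struct

# DNS RCODE values (dns.flags.rcode in Wireshark); 3 is NXDOMAIN.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Bits of the 16-bit flags word that follows the message ID.
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def parse_dns_header(message):
    """Decode the fixed 12-byte header: ID, flags, then the four section counts."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0x000F
    return {
        "id": ident,
        "response": bool(flags & QR),          # dns.flags.response
        "authoritative": bool(flags & AA),     # clear => "Non-authoritative answer"
        "recursion_available": bool(flags & RA),
        "rcode": rcode,                        # dns.flags.rcode
        "rcode_name": RCODES.get(rcode, f"RCODE{rcode}"),
        "answers": ancount,
        "authority": nscount,
    }


def build_dns_header(ident, response, authoritative, rcode,
                     qdcount=1, ancount=0, nscount=0, arcount=0):
    """Constructed test data: a header set the way a resolver would set it
    (RD copied from the query, RA set by a recursive resolver)."""
    flags = rcode & 0x000F
    flags |= (QR | RD | RA) if response else RD
    if authoritative:
        flags |= AA
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


def describe(message):
    """One-line reading of a message in the terms the filters above use."""
    header = parse_dns_header(message)
    if not header["response"]:
        return "query (dns.flags.response == 0)"
    source = "authoritative" if header["authoritative"] else "non-authoritative"
    if header["rcode"] == 0:
        return f"{source} answer, {header['answers']} answer record(s)"
    return f"{source} {header['rcode_name']} (dns.flags.rcode == {header['rcode']})"


# Constructed samples: the three shapes seen in the homework above. The NXDOMAIN
# one carries a single authority record, where the SOA shown by nslookup lives.
CACHED_ANSWER = build_dns_header(0x1A2B, response=True, authoritative=False, rcode=0, ancount=1)
AUTH_ANSWER = build_dns_header(0x1A2C, response=True, authoritative=True, rcode=0, ancount=1, nscount=2)
NXDOMAIN_FROM_RESOLVER = build_dns_header(0x1A2D, response=True, authoritative=False, rcode=3, nscount=1)

if __name__ == "__main__":
    for sample in (CACHED_ANSWER, AUTH_ANSWER, NXDOMAIN_FROM_RESOLVER):
        print(describe(sample))
```

The NXDOMAIN sample's flags word is 0x8183, the value Wireshark shows as “Standard query response, No such name” for a reply relayed by a recursive resolver; the same answer straight from the zone's nameserver would carry 0x8583 (AA set).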


HTTP

http.request.method == GET
http.request.method == POST
ip.addr == 93.184.216.34 and http.request.method == GET


IP

ip.addr == <ip>
ip.dst == <ip>
ip.src == <ip>
!(ip.addr == <ip>)
range: ip.addr >= 10.10.50.1 and ip.addr <= 10.10.50.100
multiple: ip.addr == <ip> and ip.addr == <ip>
subnet: ip.addr == 10.10.50.1/24
port: tcp.port == 25 or tcp.dstport == 23
ip and port: ip.addr == <ip> and tcp.port == 25


TCP

handshake: SYN, SYN/ACK, ACK
tcp.flags.syn == 1 && tcp.flags.ack == 0 to view only SYN
tcp.flags.syn == 1 && tcp.flags.ack == 1 to view only SYN/ACK
tcp.flags.syn == 0 && tcp.flags.ack == 1 to view only ACK

termination packets: tcp.flags.fin == 1

look for open port: (since it will respond with SYN/ACK) tcp.flags.syn == 1 && tcp.flags.ack == 1

display all TCP resets: (connection killed) tcp.flags.reset==1

packets that contain a certain term in packet: tcp contains xxx

Follow a tcp stream: tcp.stream eq X

Filter by seq num: tcp.seq == x

Detects push events for troubleshooting: tcp.flags.push == 1
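An added example (not course material) that applies the flag tests above to a small constructed capture: it follows each stream through the three-way handshake and the FIN/FIN teardown, separates ports that answered a SYN with SYN/ACK from those that answered with RST, and counts how many distinct ports a single host sent bare SYNs to, which is the pattern behind the “TCP packets show port scanning” note later in these notes. The IP addresses and ports in the sample are made up.

```python
# TCP flag bits as carried in the header's flags byte (Wireshark's tcp.flags).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed sample capture: (src_ip, src_port, dst_ip, dst_port, flags) in
# capture order. One full connection to port 80, then two probes to closed
# ports that are answered with RST/ACK.
PACKETS = [
    ("10.0.0.5", 51000, "10.0.0.9", 80, SYN),
    ("10.0.0.9", 80, "10.0.0.5", 51000, SYN | ACK),
    ("10.0.0.5", 51000, "10.0.0.9", 80, ACK),
    ("10.0.0.5", 51000, "10.0.0.9", 80, PSH | ACK),
    ("10.0.0.9", 80, "10.0.0.5", 51000, PSH | ACK),
    ("10.0.0.5", 51000, "10.0.0.9", 80, FIN | ACK),
    ("10.0.0.9", 80, "10.0.0.5", 51000, FIN | ACK),
    ("10.0.0.5", 51000, "10.0.0.9", 80, ACK),
    ("10.0.0.5", 51001, "10.0.0.9", 23, SYN),
    ("10.0.0.9", 23, "10.0.0.5", 51001, RST | ACK),
    ("10.0.0.5", 51002, "10.0.0.9", 25, SYN),
    ("10.0.0.9", 25, "10.0.0.5", 51002, RST | ACK),
]


def flag_names(flags):
    """Render a flags byte the way the filters above spell it, e.g. 'SYN/ACK'."""
    names = [name for bit, name in ((SYN, "SYN"), (FIN, "FIN"), (RST, "RST"),
                                    (PSH, "PSH"), (ACK, "ACK")) if flags & bit]
    return "/".join(names)


def stream_key(src, sport, dst, dport):
    """Direction-independent identifier, like Wireshark's tcp.stream index."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def analyse_streams(packets):
    """Track each stream through handshake, data, teardown and resets."""
    streams = {}
    for src, sport, dst, dport, flags in packets:
        state = streams.setdefault(stream_key(src, sport, dst, dport),
                                   {"syn": False, "syn_ack": False, "established": False,
                                    "fins": 0, "reset": False, "pushes": 0})
        if flags & RST:
            state["reset"] = True
        elif flags & SYN and not flags & ACK:
            state["syn"] = True
        elif flags & SYN and flags & ACK:
            state["syn_ack"] = True
        elif flags & ACK and state["syn_ack"] and not state["established"]:
            state["established"] = True        # third packet of the handshake
        if flags & FIN:
            state["fins"] += 1                 # two FINs = orderly termination
        if flags & PSH:
            state["pushes"] += 1
    return streams


def responding_ports(packets):
    """Ports that answered a SYN with SYN/ACK (open) versus RST/ACK (closed)."""
    open_ports, closed_ports = set(), set()
    for src, sport, dst, dport, flags in packets:
        if flags & SYN and flags & ACK:
            open_ports.add(sport)
        elif flags & RST and flags & ACK:
            closed_ports.add(sport)
    return sorted(open_ports), sorted(closed_ports)


def syn_fanout(packets):
    """Distinct (host, port) targets each source sent a bare SYN to; a high
    number from one host is the usual sign of a port scan."""
    targets = {}
    for src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            targets.setdefault(src, set()).add((dst, dport))
    return {src: len(ports) for src, ports in targets.items()}


if __name__ == "__main__":
    for key, state in analyse_streams(PACKETS).items():
        print(key, state)
    print(responding_ports(PACKETS), syn_fanout(PACKETS))
```

The "open port" filter in the notes (tcp.flags.syn == 1 && tcp.flags.ack == 1) corresponds to the first branch of responding_ports(); the reset filter (tcp.flags.reset == 1) to the second.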


nslookup

Syntax: nslookup -type=[record type] [domain] looks up records of the given type for the domain

nslookup options:

  • -domain=[domain-name]: Change the default DNS name.
  • -debug: Show debugging information.
  • -port=[port-number]: Specify the port for queries. The default port number is 53.
  • -timeout=[seconds]: Specify the time allowed for the server to respond.
  • -type=a: View information about the DNS A address records.
  • -type=any: View all available records.
  • -type=hinfo: View hardware-related information about the host.
  • -type=mx: View Mail Exchange server information.
  • -type=ns: View Name Server records.
  • -type=ptr: View Pointer records. Used in reverse DNS lookups.
  • -type=soa: View Start of Authority records.

nslookup -type=txt <domain> for spf records


Aircrack-ng

  • syntax: aircrack-ng -w [wordlist file] [.pcap file name]
  • Note: the Wireless Toolbar no longer exists in view > it is now in: Wireshark > Preferences > Protocols > IEEE 802.11 for putting in relevant key

Word lists for WPA https://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists

#networking #OSI #wireshark #dns #nslookup #tcp #ip #80211 #email #UofTBootcamp #arp

Follow-Up Questions from Class Activities

  • Activity 9.2.09 on Email Security: missing emails? Why is SPF failing – can't see the email

Networking Review Activity:

  • What networking devices use these values for MAC addresses – don't they all?
  • What is the original source IP? 0.0.0.0??
  • CIDR & IP range review!!

Network Attacks Review Activity:

  • if this is the only data, how can you know for sure which is good / which is the MAC address of the hacker's device? [Duplicate IP address detected for 192.168.47.254 (00:0c:29:1d:b3:b1) - also in use by 00:50:56:f9:f5:54 (frame 2013)]
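The Wireshark warning quoted in the last bullet is exactly what an ARP spoofing detector keys on. As an added example, not course material, the Python below walks a constructed ARP capture, records which MAC has claimed each sender IP (and in which frame), and flags replies that no request asked for. It answers the question above only in part: the first MAC seen is the earlier claimant, not the proven legitimate one, so in practice the conflict is settled against a source the capture does not contain, such as the DHCP lease table or the switch's MAC-address table. The MACs and IPs other than the two in the warning are made up.

```python
# Constructed sample ARP traffic: (frame, opcode, sender_mac, sender_ip, target_ip).
# opcode 1 = request, 2 = reply. Frame 2013 mirrors the Wireshark warning quoted
# above: a second MAC starts claiming 192.168.47.254.
ARP_FRAMES = [
    (1,    1, "00:0c:29:aa:bb:cc", "192.168.47.10",  "192.168.47.254"),
    (2,    2, "00:0c:29:1d:b3:b1", "192.168.47.254", "192.168.47.10"),
    (3,    1, "00:0c:29:aa:bb:cc", "192.168.47.10",  "192.168.47.11"),
    (4,    2, "00:0c:29:dd:ee:ff", "192.168.47.11",  "192.168.47.10"),
    (2013, 2, "00:50:56:f9:f5:54", "192.168.47.254", "192.168.47.10"),
    (2014, 2, "00:50:56:f9:f5:54", "192.168.47.254", "192.168.47.11"),
]


def analyse_arp(frames):
    """Build an IP -> {MAC: first frame} table from every sender field seen
    (requests assert a mapping too), and list replies nobody asked for."""
    claims = {}
    awaiting_reply = set()
    unsolicited = []
    for frame, opcode, sender_mac, sender_ip, target_ip in frames:
        claims.setdefault(sender_ip, {}).setdefault(sender_mac, frame)
        if opcode == 1:
            awaiting_reply.add(target_ip)
        elif opcode == 2:
            if sender_ip in awaiting_reply:
                awaiting_reply.discard(sender_ip)   # one request, one reply
            else:
                unsolicited.append((frame, sender_mac, sender_ip))
    conflicts = {ip: macs for ip, macs in claims.items() if len(macs) > 1}
    return conflicts, unsolicited


def report(frames):
    """Human-readable summary. "First claimed" means earliest in the capture,
    which is not proof of legitimacy."""
    conflicts, unsolicited = analyse_arp(frames)
    lines = []
    for ip, macs in conflicts.items():
        ordered = sorted(macs.items(), key=lambda item: item[1])
        first_mac, first_frame = ordered[0]
        others = ", ".join(f"{mac} (frame {frame})" for mac, frame in ordered[1:])
        lines.append(f"{ip}: first claimed by {first_mac} (frame {first_frame}); "
                     f"later also by {others}")
    replies_by_mac = {}
    for frame, mac, ip in unsolicited:
        replies_by_mac[mac] = replies_by_mac.get(mac, 0) + 1
    for mac, count in replies_by_mac.items():
        lines.append(f"{mac}: {count} unsolicited reply(ies)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ARP_FRAMES)))
```

Unsolicited (gratuitous) replies are legitimate in small numbers, for example when a host boots or a failover address moves, so the two signals are read together: an IP with two claimants and a burst of unsolicited replies from the newer one.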

DNS

  • translates domain names (hostnames) into IP addresses
  • DNS zone file: actual file containing all the DNS records for a particular domain
  • lives in DNS server
  • contains a TTL indicating how long a DNS cache will remember the information

DNS Record Types: CONTAINED IN DNS ZONE FILE

  • A Record: Translates domain to IP address
  • PTR Record: Translates IP into domain
  • CNAME Record: Alias record used to point one domain to another domain
  • SOA record: Contains administrative details about a domain, such as: email address of the administrator, TTL value, when the domain was last updated

MX Record: mail exchange: directs emails to specific mail server; if multiple, can be set with preferences

TXT Record: created to include human-readable notes

SPF record: Sender Policy Framework: determines if email is from a trusted server

  • type of TXT Record
  • indicates which mail servers are allowed to send emails on behalf of a domain; example check (an email claiming to be from widget.com arrives at gadgets.com):
    • Check the sending mail server's IP address, 12.54.54.23.
    • Validate widget.com's SPF record in DNS to confirm the sending mail server's IP address is either 23.43.54.235 or 23.43.54.236 (the valid mail server IPs)
    • Since the sender's IP is 12.54.54.23 (not 23.43.54.235 or 23.43.54.236), gadgets.com's mail server can identify the email as spam and potentially reject it or send it to the recipient's spam folder.
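An added example, not from the homework or the course, that serves both Mission 2 above and the widget.com/gadgets.com walkthrough in this section: a small SPF parser that checks a sending IP against the ip4/ip6 mechanisms of a record. The theforce.net record is the one quoted in Mission 2, the corrected record appends the new server, and the widget.com record (with a -all) is constructed here. The a, mx and include mechanisms need DNS lookups, which this code deliberately does not make; a sender matching none of the IP mechanisms in a record that has no all term comes back as none, which is worth noticing about the published theforce.net record too.

```python
import ipaddress

# Constructed sample inputs: the theforce.net SPF record from Mission 2 as
# published, the same record with the new mail server appended, and a
# hypothetical widget.com record for the widget/gadgets walkthrough.
CURRENT_SPF = ("v=spf1 a mx mx:smtp.secureserver.net include:aspmx.googlemail.com "
               "ip4:104.156.250.80 ip4:45.63.15.159 ip4:45.63.4.215")
CORRECTED_SPF = CURRENT_SPF + " ip4:45.23.176.21"
WIDGET_SPF = "v=spf1 ip4:23.43.54.235 ip4:23.43.54.236 -all"

# Qualifier prefixes and the result each one yields when its mechanism matches.
OUTCOME = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.
    A missing qualifier means '+' (pass), as in RFC 7208."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for field in fields[1:]:
        qualifier = "+"
        if field[0] in OUTCOME:
            qualifier, field = field[0], field[1:]
        mechanism, _, argument = field.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_ip(record, sender_ip):
    """Evaluate the ip4/ip6 mechanisms (no DNS needed) left to right, then the
    trailing 'all'. Returns 'pass', 'fail', 'softfail', 'neutral', or 'none'
    when nothing matched and the record has no 'all' to fall back on."""
    sender = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            # strict=False lets a bare address stand for a /32 or /128
            if sender in ipaddress.ip_network(argument, strict=False):
                return OUTCOME[qualifier]
        elif mechanism == "all":
            return OUTCOME[qualifier]
        # a, mx, include, exists, ptr would need DNS lookups: skipped here
    return "none"


if __name__ == "__main__":
    for label, record, ip in (("published theforce.net", CURRENT_SPF, "45.23.176.21"),
                              ("corrected theforce.net", CORRECTED_SPF, "45.23.176.21"),
                              ("widget.com, spoofed sender", WIDGET_SPF, "12.54.54.23"),
                              ("widget.com, real sender", WIDGET_SPF, "23.43.54.236")):
        print(f"{label}: {ip} -> {check_ip(record, ip)}")
```

With the corrected record the new server's IP passes; with the published one it does not match anything, so the receiving side is left with whatever the unlisted a/mx/include mechanisms resolve to, which is the "goes to spam" outcome the mission describes.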

nslookup

nslookup -type=[record type] [domain] looks up records of the given type for the domain

To look up the MX record: nslookup -type=MX gadget.com

To look up the A record: nslookup -type=A gadget.com

To look up the SOA record: nslookup -type=SOA gadget.com


Email Headers

Some of the most important fields in this raw email are:

  • Return-Path: Specifies the sender's return email.
  • Delivered-To: Specifies the recipient's email.
  • Received: Shows a list of mail servers, illustrating the path taken by the email from its source to destination.
  • Message-ID: A unique string created by the sending mail server as an identifier of the email.
  • Received-SPF: The SPF verification field, which we will cover in more detail in the next activity.

Security Concerns for Emails

SPAM: mitigate by using SPF records, matching against a list of known spam senders, and keyword identification

Sending Confidential Emails across encrypted channels:

  • emails are typically routed across multiple mail servers
  • encryption tools: PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions)

Email Spoofing

Detecting Email Spoofing:

(1) Check the From email header
(2) Check the Received-SPF email header – Received-SPF uses the IP address from the Received field and determines whether it is an IP of an authorized sender, with pass/fail
(3) Check the Received email header – look up the source IP of the mail server that sent the email, for example with the ARIN Whois/RDAP tool.


Class Activities

Analyzing DNS Records:

MX Record:
splunk.com mail exchanger = 20 mx1.splunk.iphmx.com.
splunk.com mail exchanger = 20 mx2.splunk.iphmx.com.

Type A Record:
Non-authoritative answer:
Name: splunk.com
Address: 52.5.196.118

Name Server:
Non-authoritative answer:
splunk.com nameserver = ha2.markmonitor.zone.
splunk.com nameserver = ha1.markmonitor.zone.
splunk.com nameserver = ha4.markmonitor.zone.
splunk.com nameserver = ha3.markmonitor.zone.

Bonus: dig nmap.org txt | grep "spf" gives us 3 servers authorized to send mail from:

nmap.org. 3600 IN TXT "v=spf1 a mx ptr ip4:45.33.49.119 ip6:2600:3c01::f03c:91ff:fe98:ff4e ip6:2600:3c01:e000:3e6::6d4e:7061 include:_spf.google.com ~all"

Analyzing Email Headers Activity:

determine the following data points:

Email 1:

  • Delivered-To: juliejones@acme.com
  • Return-Path: jonathanthomas@microsoft.com
  • IP address of source domain: 40.76.4.15, from: Received-SPF: pass (google.com: domain of jonathanthomas@microsoft.com designates 40.76.4.15 as permitted sender) client-ip=40.76.4.15;
  • Message-ID: 1689837351.2998569.1568044304435@mail.microsoft.com

Email 2: permitted by SPF but clearly spam

  • Delivered-To: juliejones@acme.com
  • Return-Path: xzvvvret34344@yahoo.com
  • IP address of source domain: 74.6.130.41, from: Received-SPF: pass (google.com: domain of xzvvvret34344@yahoo.com designates 74.6.130.41 as permitted sender) client-ip=74.6.130.41;
  • Message-ID: 1689837351.2998569.1568044304435@mail.yahoo.com

Email 3:

  • Delivered-To: juliejones@acme.com
  • Return-Path: timmytom@widgets.com
  • IP address of source domain: 34.86.130.4, from: Received-SPF: fail (google.com: domain of timmytom@widgets.com does not designate 34.86.130.49 as permitted sender) client-ip=34.86.130.49;
  • Message-ID: 1gytrdd9837351.987987abs9.1568044304435@mail.widgets.com

Networking Review Activity

A. Answer the following questions on HTTP: 7. What is the port number range that this port is part of? 58424 or 62412 – there are 49,152 – 65,535 dynamic and/or private ports.

  • Under Ethernet II is a value of Destination: Technico_65:1a:36 (88:f7:c7:65:1a:36)
    1. What does this value represent? MAC address of physical device where this is going
    2. Which OSI layer does this exist in? Datalink (2)
    3. What networking devices use these values? Don't all devices?

Part Two: ARP

  1. What type of networking request does ARP first make? Broadcast

B. Use a filter to find the count of ARP responses, and answer the following questions:

arp.opcode values (IANA):
  • 0 Reserved [RFC5494]
  • 1 REQUEST [RFC826][RFC5227]
  • 2 REPLY [RFC826][RFC5227]

arp.opcode == 1 for requests arp.opcode == 2 for responses

  1. What is the IP of the device that is responding? Sender MAC address: IntelCor_10:ac:c0 (a0:a4:c5:10:ac:c0) Sender IP address: 10.0.0.32 (10.0.0.32)

  2. To what IP is the device responding to? Target MAC address: c66251b0-093d-7d9c-4f7c-c2fc9df7c3ca.local (e4:f0:42:3b:7a:de) Target IP address: c66251b0-093d-7d9c-4f7c-c2fc9df7c3ca.local (10.0.0.10)

  3. Write out in simple terms what has taken place, describing the request and response. Host makes a broadcast to find the MAC address of the IP = request. Response = information locating the MAC address.

DHCP B. Use a filter to view the DHCP Discover, and answer the following questions on that packet:

  1. What is the original source IP? 0.0.0.0????

  2. Why does it have that value? Unknown IP – usually to indicate that the local IP address is not assigned.

  3. What is the original destination IP? Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)

  4. What does that value signify? broadcast

C. Use a filter to view the DHCP ACK, and answer the following questions on that packet. dhcp.option.dhcp == 5

  1. Explain in simple terms what is happening in this packet.

  • DHCP Ack: the server which received the DHCP Request message from the client checks whether the IP address shown in the DHCP Server Identifier matches its own
  • broadcasts a DHCP Ack message, ensuring the client can receive the message, and transfers network config data to the client including:

    • IP address
    • Subnet mask
    • Default gateway IP address
    • DNS server IP address
    • Lease time (during which a client can use the IP address allocated/leased by a DHCP server)
  1. Define the term “DHCP lease.” Amount of time in minutes or seconds a network device can use an IP address in a network. The IP is reserved for that device until expiration.

  2. What is the DHCP lease time provided in this packet? IP Address Lease Time: (604800s) 7 days

  3. What are the steps in a TCP connection? SYN, SYN-ACK, ACK

  4. What are the steps in a TCP termination? FIN, ACK, FIN, ACK

  5. What steps appear in the packets displayed? the handshake steps

  6. What type of activity/protocol is TCP establishing a connection for? In this case HTTP. TCP is generally used to provide a reliable stream delivery service, i.e. delivering data as a stream of bytes and receiving data as a stream of bytes.

  7. What is the website name being accessed after the TCP connection? Host: sportingnews.com\r\n

Topologies

  1. What are the Topologies for A, B, C? Tree, Hybrid of Bus and Tree, Disconnected ring?

  2. What are the advantages and disadvantages for each?

Network Devices

  3. In the network devices illustration, what are numbers one through four? Internet, Firewall, Router, Switch

  4. What does the dashed line represent in number five? firewall security?

  5. What is a load balancer? distributes traffic across multiple servers to improve application availability and responsiveness and prevent server overload

  6. Where would you place a load balancer? Between access and servers? Internet || servers or switch || servers?

Network Routing

  1. Which routing protocols use distance as criteria? Distance Vector Routing Protocols:
    • RIP (Routing Information Protocol)
    • EIGRP (Enhanced Interior Gateway Routing Protocol)
  2. Which routing protocols use speed as criteria? Link-State Routing Protocols:
    • OSPF (Open Shortest Path First)

Part Six: Network Addressing:

  1. Define binary. base-2 number system (0 and 1s) used to write machine code

  2. What are IP addresses used for? network interface identification and location addressing

  3. What are the two primary versions of IP addresses? IPv4 and IPv6

  4. How many octets are in an IPv4 address? IPv4 – 32 bits – 4 octets; IPv6 – 128 bits – 16 octets

  5. What is the difference between private and public IP addresses? private is within a network or subnet, public is on the internet and unique.

8. What is CIDR? “Classless Inter-Domain routing”

  • allocating IP addresses and IP routing

9. What is the range of IP addresses in: 192.18.65.0/24?


Network Attacks Review Activity

  • ARP spoof attack – redirects traffic
  • DHCP starvation attack – floods with DHCP requests so the server runs out of IPs; a type of denial of service
  • TCP packets show port scanning

Wireless Attacks:

  • What are the different security types available for Wireless communications? List them in order from least to most secure. WEP – WPA – WPA2
  1. What is 802.11? Wifi Standard (protocol)

  2. What is an SSID? a more recognizable format of how a networking hardware device identifies itself as broadcasting a wireless signal beacon

  3. What is the name of the the signal a WAP sends out identifying its SSID? beacon

  4. If a user has WEP encrypted wireless, what is a potential negative outcome? it's old and hackable easily with aircrack-ng

#networking #dhcp #nat #bridgemode #tcpip #OSI #mask #subnet #gateway #definitions #wireshark #aircrackng #80211

Follow-Up Questions

  • the Wireless Toolbar no longer exists in view > it is now in Wireshark > Preferences > Protocols > IEEE 802.11
  • DHCP attack bonus question
  • Analyzing Wireless Security activity follow-up on beacon = WAP?
  • Final activity: no WPA version = no security? + meaning of all the 802.11 info terms

Self-Learning Notes

DHCP is an extension of BOOTP mechanism: DHCP uses BOOTP as its transport protocol

Activity 9.04 on DHCP Attacks

These employees are receiving error messages saying no local IP addresses are available, indicating a potential issue with DHCP:

  • no local IP addresses available = likely a starvation attack
  1. Create a filter to determine the count for each DHCP activity:
    • DHCP Discover: dhcp.option.dhcp == 1 – 150 packets
    • DHCP Offer: dhcp.option.dhcp == 2 – 32 packets
    • DHCP Request: dhcp.option.dhcp == 3 – 1 packet

QUESTION: Why does the Request say *REF*?

  2. Based on these results, summarize what type of attack may have occurred, and why you believe Acme Corp's employees are having network issues. There were 150 DHCP Discover requests and 32 DHCP Offer responses, so it is likely that most of these requests were fraudulent and made the DHCP server run out of IPs.

Bonus

  • Analyze the source MAC addresses of the DHCP activities and summarize what the attacker is doing.

QUESTION: What does this mean?

[Expert Info (Warning/Protocol): Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)]

Activity: Analyzing Wireless Security

  • all the beacons are wireless routers, yes? 45
  • 44 using WPA1, 1 using nothing?

Aircrack-ng Practice Activity:

KEY FOUND! [ 1F:1F:1F:1F:1F ]

  • ARP flood attack clearly happening
  • 802.11 has a lot of: Acknowledgement, Association Response, Authentication, Clear-to-Send, Disassociate
  • 1 x 802.11 Beacon frame from SSID Appart, BSS Id: Arcadyan_12:32:29 (00:12:bf:12:32:29), with no security???
  • There are IGMPv2 packets: IGMP (Internet Group Management Protocol) is a host-router multicast signalling protocol that provides dynamic registration of hosts to the desired multicast groups.


9.1 CLASS NOTES:

NAT Pathway:

(1) connecting to the internet:
  • the outbound packet's destination port is standard, i.e. 80 or 443
  • the source port is randomly generated and unique for each connection
  • when the website replies, it sends packets back to you with the source/destination IPs reversed

In detail, loading Reddit:
  • the client sends a packet to the router addressed to Reddit's IP + port 80/443, with its own source data (the TRANSPORT LAYER encapsulates this data)
  • the computer checks its subnet mask and compares its own IP with the destination IP to determine whether the destination is behind the same router or will need routing services: ARP Resolution Request

Example: [192.168.0.2] [255.255.255.255] [ Who has router IP 192.168.0.1? ] Broadcasted on LAN

[192.168.0.1] [192.168.0.2] [ I have the Router IP, and you can reach me via MAC Address ffff ]

Your computer now knows how to reach the router, so now it fires the browsing packet to the router:

[192.168.0.2] [1.2.3.4] [ open connection ]

The router, upon receiving this packet, is smart enough to know that it's a connection request, so first it adds the source, destination and port to something called a NAT table, which looks like this:

Source Port   Destination Port   Local IP       Remote IP
96354         80                 192.168.0.2    1.2.3.4
88965         22                 192.168.0.3    4.5.6.7
12345         8888               192.168.0.99   9.9.3.9

  • the router then forwards the packet out to the internet, changing the source IP from the internal address to its own unique IP
  • can also change source port in order to avoid conflict since multiple machines could be attempting to reach reddit.com at same time and could be using the same source port numbers

  • NAT: is the table that the router keeps that maps the original internal ip/port to the translated ip/port number that the router changed the packet to

  • when reddit replies, router looks up received destination port numbers (the destination IP will always be the router's IP)

  • translation destination of incoming packets to original IP/port

  • since TCP has an explicit connection handshake/termination process, the router is able to see when connections are terminated and clear those from the table

  • UDP is trickier because it's “stateless”, so the router basically has to use a timeout that resets every time a new packet is seen.
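As an added example, not course material, the following Python models the NAT table described in the bullets above: an outbound packet gets a row keyed by the port the router puts on it (the host's own source port when it is free, a fresh one when a second host picked the same port), replies are mapped back by that destination port, unsolicited inbound packets find no row and are dropped, TCP rows are removed when the router sees the connection close, and UDP rows expire on an idle timeout. The public IP 203.0.113.7 and the LAN hosts in walkthrough() are made up.

```python
class NatRouter:
    """Source NAT (masquerade) as the notes describe it: a translation table
    keyed by the port the router writes onto outgoing packets."""

    def __init__(self, public_ip, port_pool_start=40000, udp_timeout=30):
        self.public_ip = public_ip
        self.next_port = port_pool_start
        self.udp_timeout = udp_timeout
        self.table = {}         # translated port -> {"flow": ..., "last_seen": ...}
        self.port_by_flow = {}  # (proto, local_ip, local_port, remote_ip, remote_port) -> port

    def _allocate_port(self, wanted):
        """Keep the host's own source port when free; otherwise hand out a new
        one so two hosts that chose the same port don't collide."""
        if wanted not in self.table:
            return wanted
        while self.next_port in self.table:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, proto, local_ip, local_port, remote_ip, remote_port, now):
        """Rewrite the source of a packet leaving the LAN; returns (src_ip, src_port)
        as the internet will see them, creating a table row on first sight."""
        flow = (proto, local_ip, local_port, remote_ip, remote_port)
        port = self.port_by_flow.get(flow)
        if port is None:
            port = self._allocate_port(local_port)
            self.port_by_flow[flow] = port
            self.table[port] = {"flow": flow, "last_seen": now}
        self.table[port]["last_seen"] = now
        return self.public_ip, port

    def inbound(self, proto, remote_ip, remote_port, dst_port, now):
        """A packet arrives addressed to the public IP. The destination port is
        the lookup key; a wrong peer or a missing row means drop (None)."""
        row = self.table.get(dst_port)
        if row is None:
            return None
        r_proto, local_ip, local_port, r_remote_ip, r_remote_port = row["flow"]
        if (r_proto, r_remote_ip, r_remote_port) != (proto, remote_ip, remote_port):
            return None
        row["last_seen"] = now
        return local_ip, local_port

    def _remove(self, port):
        row = self.table.pop(port, None)
        if row is not None:
            self.port_by_flow.pop(row["flow"], None)

    def tcp_closed(self, port):
        """Called when the router sees the FIN/FIN or RST that ends a TCP flow."""
        self._remove(port)

    def expire_udp(self, now):
        """UDP has no teardown, so idle rows time out instead. Returns the ports cleared."""
        stale = [port for port, row in self.table.items()
                 if row["flow"][0] == "udp" and now - row["last_seen"] > self.udp_timeout]
        for port in stale:
            self._remove(port)
        return stale


def walkthrough():
    """Constructed scenario: two LAN hosts pick the same source port toward the
    same web server, a stray inbound packet, a TCP close, and a UDP exchange
    that later times out."""
    nat = NatRouter("203.0.113.7")
    seen_a = nat.outbound("tcp", "192.168.0.2", 51000, "1.2.3.4", 80, now=0)
    seen_b = nat.outbound("tcp", "192.168.0.3", 51000, "1.2.3.4", 80, now=1)
    reply_to_b = nat.inbound("tcp", "1.2.3.4", 80, seen_b[1], now=2)
    stray = nat.inbound("tcp", "9.9.9.9", 443, seen_a[1], now=3)
    nat.tcp_closed(seen_a[1])
    after_close = nat.inbound("tcp", "1.2.3.4", 80, seen_a[1], now=4)
    nat.outbound("udp", "192.168.0.9", 5353, "9.9.9.9", 53, now=10)
    expired = nat.expire_udp(now=50)
    return seen_a, seen_b, reply_to_b, stray, after_close, expired


if __name__ == "__main__":
    print(walkthrough())
```

Host .2 keeps its port 51000 on the outside; host .3, which chose the same port, is rewritten to 40000, and the reply addressed to 40000 is delivered to .3:51000. The UDP row created at t=10 is gone by t=50 because it exceeded the 30-second idle timeout.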

PUBLIC IP & NAT:

Every device on the internet has an IP address. This address must be unique, there can be no two devices with the same IP. The number of IP addresses is limited, and mostly used up. There is a group of addresses that have been reserved for use only in internal networks. This works because the devices sharing an address cannot see each other – they are on different networks with no route between them.

Nat is implemented by a device (a computer, a router, or a firewall) that has two network connections, one to the internal network, one to the internet. When a device on the internal network wants to connect outside, it sends its messages (packets) to the NAT device. The NAT device strips the address of the original device and substitutes its own, then sends it out to the internet.

When the reply comes back, the NAT device then strips its own address, substitutes the address of the original device, and sends it to the internal network.

In this way, many devices can share one IP address.

LAN: local area network

  • will have: a network address (unusable), a mask (how many IP addresses are usable minus the network and broadcast), and a broadcast address (unusable)
  • default gateway/default route is usually network+1 or broadcast+1
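An added example (not course material) that works the CIDR question from the review activity (192.18.65.0/24) and the LAN bullets above with Python's ipaddress module: describe_network() returns the network address, mask, broadcast, usable range and the two conventional gateway positions, and next_hop() performs the mask comparison a host makes to decide whether a destination is on-link or must go to the gateway. Addresses other than 192.18.65.0/24 are made up.

```python
import ipaddress


def describe_network(cidr):
    """Network, mask, broadcast, usable range and size for a CIDR block. The
    network/broadcast reservation applies to IPv4 prefixes up to /30; /31
    point-to-point links and /32 host routes use every address, and IPv6 has
    no broadcast address at all."""
    net = ipaddress.ip_network(cidr, strict=False)
    reserves_ends = net.version == 4 and net.prefixlen <= 30
    if reserves_ends:
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:
        first, last = net.network_address, net.broadcast_address
        usable = net.num_addresses
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address) if net.version == 4 else None,
        "first_usable": str(first),
        "last_usable": str(last),
        "usable": usable,
        # the two common places to put the default gateway: network+1 and broadcast-1
        "gateway_candidates": [str(first), str(last)] if reserves_ends else [],
    }


def next_hop(interface, destination, gateway):
    """The subnet-mask test a host runs before sending: if the destination falls
    inside the interface's own network it is delivered directly (ARP for it);
    otherwise the packet is handed to the default gateway."""
    iface = ipaddress.ip_interface(interface)
    dst = ipaddress.ip_address(destination)
    return str(dst) if dst in iface.network else str(gateway)


if __name__ == "__main__":
    for key, value in describe_network("192.18.65.0/24").items():
        print(f"{key:>18}: {value}")
    print(next_hop("192.168.0.2/24", "192.168.0.7", "192.168.0.1"))
    print(next_hop("192.168.0.2/24", "1.2.3.4", "192.168.0.1"))
```

For 192.18.65.0/24 the usable range is 192.18.65.1 to 192.18.65.254 (254 hosts), with 192.18.65.0 as the network address and 192.18.65.255 as broadcast.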

Gateway:

  • in networking: the “default-gateway” on a single egress-point network (which is typically how a lot of networks are put together)
  • but “gateway address” or “gateway device” or “gateway” can mean different things
  • traffic needing to go from private to public networks and public to private networks or even private to private needs to go through gateway

Mask: defines how many IP addresses are usable minus the network and broadcast addresses

  • how a device (computer, router, etc) determines if a destination IP is local to an interface or not.

NAT: Network Address Translation (PUBLIC IP)

  • “Speaking of IP, there aren't enough to go around so let me take that 1 public address your ISP gave you and “split it up” into many private ones for your devices”
  • router maintains address book where it maps all your devices internally
  • useful in IPV4 because you only get 1 external IP so to the outside world, your devices all appear to come from just 1 source
  • 1-to-many relationship like a company where there are many employees but you only see the company name

DHCP: Dynamic Host Configuration Protocol (PRIVATE IP)

  • “You don't have to manually assign IP addresses to your devices, let me do it for you”
  • probably running on router at home
  • a device will ask the DHCP server “hey can I get an IP”, and DHCP says “ok, let me check for one not currently used to give to you”, which automates the process of assigning IPs yourself
  • often run by default with NAT but it's not a requirement, can turn it off but will have to do IP assignments and avoid collision yourself
  • DHCP is a Layer 7 (application layer) protocol that uses two UDP ports:
    • Port 67 is used by the server
    • Port 68 is used by the client.

Bridge Mode

  • whatever device you have in the middle acts as a middleman that doesn't care about the traffic rules; it only hands things from one end to the other

DHCP (Dynamic Host Configuration Protocol)

Four-Step Process

  1. DHCP Discover: find the DHCP server
    • the client sends out a message to everyone on the local network: “I need a DHCP server”
  2. DHCP Offer: find available IP addresses
    • the DHCP server finds and selects an available IP address and sends it out to the network: “Here is your IP address, DHCP client”
  3. DHCP Request: the DHCP client returns a message of receipt
    • “Thanks for the IP address, I will take it”
  4. DHCP ACK: the DHCP server acknowledges that the IP is taken + issues a DHCP lease; upon expiry, the IP can be given to another device

To view specific DHCP steps:

DHCP Discover filter: dhcp.option.dhcp == 1
DHCP Offer filter: dhcp.option.dhcp == 2
DHCP Request filter: dhcp.option.dhcp == 3
DHCP ACK filter: dhcp.option.dhcp == 5

  • Clarify that dhcp.option.dhcp == 4 is used for DHCP Decline. This is why DHCP ACK is dhcp.option.dhcp == 5.
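What those Wireshark filters actually match on is DHCP option 53 (the message type). As an added example (not course material), this decodes option 53 from raw DHCP payloads and checks that a capture holds a complete Discover/Offer/Request/ACK exchange for one transaction ID; the packets are constructed with build_dhcp(), not taken from a real capture.

```python
"""Decode the DHCP message type (option 53) behind dhcp.option.dhcp == 1..5
and verify a complete four-step exchange. Constructed test data only."""
import struct

# Option 53 values from RFC 2132. Decline is 4, which is why ACK is 5.
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236                    # BOOTP fields before the options area
OPT_MESSAGE_TYPE, OPT_PAD, OPT_END = 53, 0, 255


def parse_options(payload: bytes) -> dict:
    """Walk the TLV option area after the magic cookie -> {code: value bytes}."""
    if len(payload) < FIXED_HEADER_LEN + 4:
        raise ValueError("payload too short for a DHCP message")
    if payload[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie (plain BOOTP?)")
    options, i = {}, FIXED_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    return options


def message_type(payload: bytes) -> str:
    """Name of the message type, e.g. 'ACK' for dhcp.option.dhcp == 5."""
    value = parse_options(payload).get(OPT_MESSAGE_TYPE)
    if value is None or len(value) != 1:
        return "UNKNOWN"
    return MESSAGE_TYPES.get(value[0], f"UNKNOWN({value[0]})")


def transaction_id(payload: bytes) -> int:
    """xid: chosen by the client, echoed by the server in Offer and ACK."""
    return struct.unpack_from("!I", payload, 4)[0]


def build_dhcp(msg_type: int, xid: int, client_mac: bytes, yiaddr="0.0.0.0") -> bytes:
    """Minimal DHCP payload for testing (constructed, not a real packet)."""
    op = 1 if msg_type in (1, 3, 4, 7, 8) else 2           # BOOTREQUEST / BOOTREPLY
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # flags: broadcast
    header += b"\x00" * 4                                     # ciaddr
    header += bytes(int(o) for o in yiaddr.split("."))        # yiaddr ("your" address)
    header += b"\x00" * 8                                     # siaddr, giaddr
    header += client_mac.ljust(16, b"\x00")                   # chaddr
    header += b"\x00" * 192                                   # sname (64) + file (128)
    options = MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])
    return header + options


def complete_exchange(payloads) -> bool:
    """True if Discover, Offer, Request and ACK appear in order for the same
    xid and no Decline/NAK for that xid interrupts them."""
    wanted = ["DISCOVER", "OFFER", "REQUEST", "ACK"]
    progress, xid = 0, None
    for p in payloads:
        t = message_type(p)
        if xid is not None and transaction_id(p) == xid and t in ("DECLINE", "NAK"):
            return False
        if progress == len(wanted) or t != wanted[progress]:
            continue
        if xid is None:
            xid = transaction_id(p)
        if transaction_id(p) == xid:
            progress += 1
    return progress == len(wanted)


MAC = bytes.fromhex("020000aabbcc")       # constructed client MAC
XID = 0x3903F326                          # constructed transaction ID
EXCHANGE = [                              # the four steps described in the notes
    build_dhcp(1, XID, MAC),
    build_dhcp(2, XID, MAC, "10.0.0.6"),
    build_dhcp(3, XID, MAC),
    build_dhcp(5, XID, MAC, "10.0.0.6"),
]

if __name__ == "__main__":
    for p in EXCHANGE:
        print(f"xid=0x{transaction_id(p):08x} dhcp.option.dhcp == {parse_options(p)[53][0]} -> {message_type(p)}")
    print("complete DORA:", complete_exchange(EXCHANGE))
```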

DHCP Attacks

DHCP Starvation: a type of DDoS

  • attacker accesses LAN, sends large volume of fraudulent DHCP messages over the network requesting IPs from server. If large enough, server may run out of IPs.

Mitigation of DHCP starvation:

  • set a maximum threshold aka number of DHCP requests per second that can be accepted by server

DHCP Spoofing: AFTER starvation

  • after DHCP Starvation attack, attacker can set up fraudulent DHCP server
  • send out spoof messages to DHCP clients, identifying malicious router that clients should direct traffic to
  • Once DHCP clients make this change, traffic is redirected

Mitigation of DHCP spoofing with DHCP Snooping:

  • process implemented on a network switch that inspects packets to confirm they're legitimate DHCP offers + blocks unauthorized ones

Routing Schemes and Protocols

Routing: The act of choosing the path that traffic takes in or across networks

Routing Schemes:

  1. Unicast: Single device delivers a message to another single specific device, i.e. a phone call
  2. Broadcast: Single device broadcasts to all devices on same network, i.e. DHCP broadcast, ARP broadcast
  3. Multicast: Single device sends message to devices that have expressed interest in receiving message, i.e. subscription

Static Routing Vs Dynamic Routing

Static: manual configuration of a network route, usually by net admin
  • smaller networks or fewer changes
  • PRO: lower CPU on router, net admin has full control of their net's routing behaviour
  • CON: poor fault tolerance; routes can't adjust on their own when a link fails

Dynamic routing: network acts on its own to avoid network blockages
  • network is adaptive
  • primary routing technique
  • uses Routing Protocols

Dynamic Routing Protocols: 2 Primary Criteria

(1) Distance: number of devices/hops used to get data from source to destination –> chooses fewest hops
  • “Distance-Vector Routing Protocols” include:
    • RIP: Routing Information Protocol: uses hop count as main criterion
    • EIGRP: Enhanced Interior Gateway Routing Protocol: better than RIP because it only sends incremental updates, reducing workload on router and amount of data being transmitted
  • More on comparison: https://community.fs.com/blog/eigrp-vs-ospf-differences.html

(2) Speed: route is determined by time taken to move from source to destination – just because a path has more hops does not make it slower
  • “Link-State Routing Protocols” include:
    • OSPF: Open Shortest Path First:

Wireless Networking

  • Wifi Standard: 802.11

WAP: Wireless Access Point: networking hardware device that connects a wireless network to a wired network by broadcasting a wireless signal called a beacon.

  • must identify itself
  • uses BSSID: Basic Service Set Identifier to identify its MAC address in a beacon signal in six hexadecimal octets
  • also broadcasts SSID: Service Set Identifier, a human-readable network name
  • Wifi Security: WPA2 replaced WPA replaced WEP

Wifi in Wireshark: Detect Security Protection Manually:

  • click “Wireless” in toolbar + “WLAN Traffic”
  • will show SSIDs, BSSID, and wireless security protection
  • If unable to detect security protection, the manual approach:
    • to add the different SSIDs as a column: wireless5.png
    • to add the security: IEEE 802.11 wireless LAN > Tagged parameters > Tag: Vendor Specific: Microsoft Corp.: WPA Information Element
    • Right-click on WPA Version: 1 then select Apply as Column.

Decrypting with Aircrack-NG

  • syntax is: Aircrack-ng [.pcap file name]
  • Aircrack-NG needs a certain amount of wireless packets to figure out key, typically min 10k
  • the Wireless Toolbar no longer exists in view > it is now in: Wireshark > Preferences > Protocols > IEEE 802.11

Wifi Security Vulnerabilities

Wardriving: driving/walking around with wireless-enabled device looking for unsecured wireless LANs
Warchalking: using chalk markings to show presence and vulnerabilities of wireless networks nearby
Warflying: using drones
Evil Twin: make a fake SSID to trick users into connecting to attacker's WAP

#networking #UofTBootcamp #classwork #dns #binary #OSI #wireshark

Follow-Up Questions

Layer 2: data link

From class slides:
  • class covers ARP here which yes, tracks MAC so layer 2 but isn't ARP itself a layer 3 (network) protocol?
  • what does “primary vendor for the MAC addresses” mean? in Activity 8.3.1 on ARP packets
  • do we need to know the details of TTL columns?
  • STILL CONFUSED ABOUT LAYER 1-2!!!!!

Layer 3: network

Layer 4: transport
  • asynchronous response > does this count as one request/response cycle?

From class TCP demo:
  • Where is the flag set to 1 or 0 in the TCP packets for Wireshark?

Layer 7: application

From homework:
  • authoritative vs non-authoritative DNS & usage/security implications?
  • DNS vulnerabilities question: why was hacker able to access server as root to create ARP spoof and is there evidence of this?

NOTES ON TROUBLE-SHOOTING FROM MIRZA @ END


Subnetting Basics

  • flat networking = everyone on the same network
  • the use of subnetting to create segmentation bc otherwise it becomes congested – router in between networks, switch within a network
  • subnetting also called “broadcast domains”

  • as soon as you fire up a machine, it starts broadcasting

enumeration: the process of gathering data for a specific network, usually for the purpose of finding new ways to gain access into that network

ARP: Address resolution protocol: find the MAC address of a device from an IP address

  • communication between devices on a local network
  • example: ethernet network that requires physical addresses to be known before sending packets

ARP request and reply process:
(1) device sends ARP request message containing the IP address of the receiving device
(2) all devices on a local network segment see the message but only the device that has the IP address responds with an ARP reply containing its MAC address

ARP cache:
  • a mapping of MAC address to IP address that is added to the ARP cache is called a dynamic ARP entry
  • ARP cache timeout: record is removed from ARP cache so any future requests for that host require a new ARP request

Wireshark + ARP:

arp.opcode == 1 shows only ARP requests
arp.opcode == 2 shows only the ARP responses

SECURITY IMPLICATIONS of ARP:

ARP cache poisoning or ARP spoofing
  • terms used interchangeably though poisoning is corrupting and spoofing is impersonation
  • Any device on the network can answer an ARP request regardless of whether the original message was intended for it or not.
  • example: If Computer A asks for the MAC address of Computer B, an attacker at Computer C can respond and Computer A would accept this response as authentic.

DETECT ARP ATTACK:

arp -a will check your current mapping

Boot Camp Example:

The good host's address is <example ip> and the good host's correct MAC address is <example MAC address> – the hacker will send a spoof ARP message so that all future traffic intended for the good MAC address will instead go to the hacker's MAC address. It will look like this when detected with Wireshark:

Duplicate IP address detected for 192.168.47.2 (00:0c:29:1d:b3:b1) - also in use by 00:50:56:fd:2f:16 (frame 301)

ARP Poisoning Attack Steps According to Self-Study:

  1. Attacker selects a victim machine/machines:
    • select a target such as a specific endpoint, a group of endpoints, or a network device like a router
    • routers are attractive targets because a successful ARP poisoning attack against a router can disrupt traffic for an entire subnet
  2. Attacker launches tools and begins the attack:
    • arpspoof or driftnet
  3. Attacker does something with the steered traffic:
    • inspect, alter, blackhole it, etc.

TWO general types of ARP Poisoning Attacks
  1. wait to see ARP requests for a particular target and issue a response
  2. send out an unsolicited broadcast message known as a gratuitous ARP

Man-in-the-Middle (MitM) Attack:
  • attacker sends out falsified ARP responses for a given IP, typically the default gateway for a subnet
  • victim machines populate their ARP cache with the MAC of attacker's machine instead of local router's MAC address
  • victim machines now forward network traffic to the attacker
  • tools like Ettercap allow attacker to act as proxy for viewing or modifying info before sending to intended destination
  • victim will never notice

Denial of Service (DoS) Attack:
  • denying one or more victims access to network resources
  • attacker sends out ARP Response messages that falsely map hundreds or even thousands of IP addresses to a single MAC address, potentially overwhelming the target machine
  • this type of attack, such as ARP flooding, can also be used to target switches, impacting performance of entire network

Session Hijacking
  • similar to MitM except attacker does not directly forward traffic from victim machine to intended destination but instead captures a genuine TCP sequence number or web cookie from the victim to use it to assume the victim's identity
  • can be used to login anywhere!!!

Consequences of ARP poisoning attack?

  • ARP caches are deleted in anywhere from a few minutes to several hours so no permanent infection
  • can be chained in larger campaign

MITIGATION:

(1) Static ARP Tables:
  • highly effective but huge admin burden bc changes require manual updates of ARP tables across all hosts, making static ARP tables unfeasible for most larger orgs
  • can carve out separate network segment for static ARP tables where sec is crucial

(2) Switch Security:
  • Business-grade ethernet switches have Dynamic ARP Inspection (DAI) used to eval validity of ARP messages, drop suspicious/malicious. Config rate of ARP messages to prevent DoS.

(3) Physical Security:
  • ARP messages are not routed beyond the boundaries of the local network so would-be attackers must be in physical proximity to victim network or already have control of a machine on network

(4) Network isolation:
  • ARP messages don't travel beyond local subnet. Therefore, well-segmented network will be less susceptible to ARP cache poisoning

(5) Encryption:
  • mitigate potential damage, i.e. SSL/TLS encryption on web makes MitM attacks to capture login credentials a lot harder.

ARP request as shown in Wireshark's Info column: Who has 192.168.47.1? Tell 192.168.47.171
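The duplicate-IP warning above and the "unsolicited reply" pattern from the two attack types can both be checked with a small ARP monitor. This is an added example (not course material or Wireshark code): the packet list is constructed, the two MACs claiming 192.168.47.2 are the ones from the bootcamp example above, and the other addresses are made up.

```python
"""Replay ARP packets through a monitor that keeps its own ip->mac table and
raises alerts in the same format as Wireshark's duplicate-IP warning.
Constructed capture data only."""
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2                  # arp.opcode values
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Arp:
    frame: int
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    table: dict = field(default_factory=dict)    # ip -> first MAC seen (what a host's cache holds)
    pending: dict = field(default_factory=dict)  # ip -> count of unanswered "who has" requests
    alerts: list = field(default_factory=list)

    def feed(self, pkt: Arp) -> None:
        if pkt.opcode == REQUEST:
            self.pending[pkt.target_ip] = self.pending.get(pkt.target_ip, 0) + 1
            if pkt.sender_ip == pkt.target_ip:   # gratuitous ARP: host announcing its own IP
                self.alerts.append(
                    f"frame {pkt.frame}: gratuitous ARP from {pkt.sender_mac} for {pkt.sender_ip}")
            return
        if pkt.opcode != REPLY:
            return
        if self.pending.get(pkt.sender_ip, 0) > 0:
            self.pending[pkt.sender_ip] -= 1      # answers a request we actually saw
        else:                                     # nobody asked: type 2 attack from the notes
            kind = "gratuitous broadcast" if pkt.target_mac == BROADCAST else "unsolicited"
            self.alerts.append(
                f"frame {pkt.frame}: {kind} reply: {pkt.sender_ip} is at {pkt.sender_mac}")
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:             # second MAC for the same IP: poisoning indicator
            self.alerts.append(
                f"Duplicate IP address detected for {pkt.sender_ip} ({known}) "
                f"- also in use by {pkt.sender_mac} (frame {pkt.frame})")


def analyze(packets) -> list:
    """Run every packet through a fresh monitor and return its alerts."""
    mon = ArpMonitor()
    for p in packets:
        mon.feed(p)
    return mon.alerts


# constructed capture: a legitimate resolution followed by a poisoning reply
CAPTURE = [
    Arp(298, REQUEST, "00:0c:29:aa:bb:cc", "192.168.47.171", "00:00:00:00:00:00", "192.168.47.2"),
    Arp(299, REPLY,   "00:0c:29:1d:b3:b1", "192.168.47.2",   "00:0c:29:aa:bb:cc", "192.168.47.171"),
    Arp(301, REPLY,   "00:50:56:fd:2f:16", "192.168.47.2",   "00:0c:29:aa:bb:cc", "192.168.47.171"),
]

if __name__ == "__main__":
    for line in analyze(CAPTURE):
        print(line)
```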

ESP: Encapsulating Security Payload (ESP) protocol: – provides data confidentiality, and also optionally provides data origin authentication, data integrity checking, and replay protection.

The difference between ESP and the Authentication Header (AH) protocol is that ESP provides encryption, while both protocols provide authentication, integrity checking, and replay protection. With ESP, both communicating systems use a shared key for encrypting and decrypting the data they exchange.


Layer 3

ICMP: Internet Control Message Protocol echo request = ping

  • a protocol that network devices use to send error messages and operational info about whether a requested service or host can be reached
  • not usually used to exchange data
  • devices can block this

traceroute: like ping but with time taken to travel across each hop from source to destination

TTL: Time to Live: Prevents data from being stuck in infinite loop

  • how long a data packet can exist in a network
  • decrementing hop counter – every router that forwards the packet decrements (reduces) the TTL value by one
  • once TTL hits zero, will send a “time exceeded” error
  • different OS have different default TTL so an easy way to figure out what server you are working with if pentesting is to ping and check that: https://ostechnix.com/identify-operating-system-ttl-ping/

tracert-copy.png

  • *** means time out

Layer 4: TCP

TCP: Connection-Oriented Protocol

  • used for: HTTP/S, FTP, SSH, SMTP

The Three-Way-Handshake

(1) **SYN** (Synchronize) – client to server – client sends SYN data packet to the server to determine if it is ready to open a connection
(2) **SYN/ACK** (Synchronize/Acknowledge) – server to client – server acknowledges or confirms receipt of the SYN packet
(3) **ACK** (Acknowledge) – client to server – client acknowledges receipt of the SYN/ACK packet

Four-Way Termination

(1) **FIN** (Finish) – client to server – client sends a FIN packet to server to close the connection
(2) **ACK** (Acknowledge) – server to client – server acknowledges receipt of FIN packet
(3) **FIN** (Finish) – server to client – server terminates connection, sends a FIN
(4) **ACK** (Acknowledge) – client to server – client acknowledges the termination

UDP: Connectionless

  • trades guaranteed delivery of all data for lower latency
  • used for ping and traceroute or VoIP

WIRESHARK: Syn Packets

3wayhs-copy.png

tcp.flags.syn == 1 && tcp.flags.ack == 0 to view only SYN

tcp.flags.syn == 1 && tcp.flags.ack == 1 to view only SYN/ACK responses

tcp.flags.syn == 0 && tcp.flags.ack == 1 to view only ACK

tcp.flags.fin == 1 to view FIN flag set to 1

WIRESHARK + PORTS

  • “The important takeaway is that in this SYN scan, the behavior of a closed port is one packet in a conversation.” ???

Wireshark Open Port Behaviour:
  • how to look for an open port? An open TCP port would be one where the initial synchronization step of the 3-step handshake has been acknowledged, so your filter is: tcp.flags.syn == 1 && tcp.flags.ack == 1
  • behaviour of open TCP port is as expected: 3 packets in a conversation: synscanrst-copy.png
  • TAKEAWAY: OPEN TCP = 3 PACKETS

Wireshark Filtered Port Behaviour:
  • A filtered port indicates that a firewall, filter, or other network issue is blocking the port
  • can be created by a server or network firewall, router, or security device
  • servers typically do not respond to filtered ports
  • TAKEAWAY: FILTERED = 1 PACKET

Wireshark Closed Port Behaviour:
  • for closed ports, server's firewall will often respond with RST flag to indicate that they are not accepting connections
  • configurable in firewall's settings
  • TAKEAWAY: CLOSED = 2 PACKETS
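The 3 / 2 / 1 packet rule above can be applied programmatically instead of reading Statistics > Conversations by hand. As an added example (not course material or Wireshark code), this groups a constructed SYN-scan capture into conversations, classifies each target port from the target's first reply, and also handles the 5-packet retransmission case from the SYN analysis activity; all IPs and ports are made up.

```python
"""Classify TCP ports as open / closed / filtered from a SYN scan capture
using the per-conversation packet rule from the notes. Constructed data only."""
from collections import defaultdict

# tcp.flags bit values as Wireshark shows them
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# constructed capture: (src_ip, src_port, dst_ip, dst_port, tcp.flags)
CAPTURE = [
    # port 80: SYN, SYN/ACK, RST from the scanner -> open (3 packets)
    ("10.0.0.42", 36050, "192.168.1.9", 80, SYN),
    ("192.168.1.9", 80, "10.0.0.42", 36050, SYN | ACK),
    ("10.0.0.42", 36050, "192.168.1.9", 80, RST),
    # port 23: SYN, RST/ACK from the target -> closed (2 packets)
    ("10.0.0.42", 36051, "192.168.1.9", 23, SYN),
    ("192.168.1.9", 23, "10.0.0.42", 36051, RST | ACK),
    # port 445: SYN and silence -> filtered (1 packet)
    ("10.0.0.42", 36052, "192.168.1.9", 445, SYN),
    # port 53: SYN, SYN/ACK, then 3 retransmitted SYN/ACKs because the scanner
    # never answered -> still open, but 5 packets in the conversation
    ("10.0.0.42", 36053, "192.168.1.9", 53, SYN),
    ("192.168.1.9", 53, "10.0.0.42", 36053, SYN | ACK),
    ("192.168.1.9", 53, "10.0.0.42", 36053, SYN | ACK),
    ("192.168.1.9", 53, "10.0.0.42", 36053, SYN | ACK),
    ("192.168.1.9", 53, "10.0.0.42", 36053, SYN | ACK),
]


def group_conversations(packets):
    """Group packets by 4-tuple, keyed from the side that sent the first packet,
    like Wireshark's Statistics > Conversations (TCP tab)."""
    convs = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        key = reverse if reverse in convs else forward
        convs[key].append((src, flags))
    return convs


def classify(initiator, pkts):
    """Port state for one conversation, read from the target's first reply."""
    if not pkts or not (pkts[0][1] & SYN) or pkts[0][1] & ACK:
        return "unknown"                 # does not start with a bare SYN
    replies = [f for src, f in pkts if src != initiator]
    if not replies:
        return "filtered"                # SYN only: dropped by a firewall/filter
    first = replies[0]
    if first & RST:
        return "closed"                  # RST/ACK: host up, nothing listening
    if first & SYN and first & ACK:
        return "open"                    # SYN/ACK: something is listening
    return "unknown"


def port_states(packets):
    """Return {(target_ip, target_port): (state, packets_in_conversation)}."""
    result = {}
    for key, pkts in group_conversations(packets).items():
        initiator, _, target_ip, target_port = key
        result[(target_ip, target_port)] = (classify(initiator, pkts), len(pkts))
    return result


def suspicious_sources(packets, threshold=3):
    """Sources that send bare SYNs to more than `threshold` distinct ports on
    one host: candidates for the 'block source IP' firewall rule in the notes."""
    probes = defaultdict(set)
    for src, _, dst, dport, flags in packets:
        if flags == SYN:
            probes[(src, dst)].add(dport)
    return sorted({src for (src, _), ports in probes.items() if len(ports) > threshold})


if __name__ == "__main__":
    for (ip, port), (state, count) in sorted(port_states(CAPTURE).items()):
        print(f"{ip}:{port:<5} {state:<9} {count} packets")
    print("scanners:", suspicious_sources(CAPTURE))
```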

Wireshark View STATES of all ports:

  • Statistics —> Conversations

Security Implications

  • use firewall to block source IP of suspicious activity

Syn Analysis Activity:

3 ports have 5 packets: 53, 80, and 22 – Following port 53 shows that there was an initial request from 36050 to 53, a response back, and then 3 x TCP Retransmissions from 53 to 36050 meaning that “the TCP sender is not seeing ACKs that cover earlier transmitted packets in a timely manner.” – same with other ports


Week 8.1

  1. A hacker logged into Microsoft Outlook with the stolen username and password of Acme's CFO. The hacker sent an email to the head of accounting asking them to wire $10,000 to a foreign account owned by the hacker.

  • logging in means sending a request for a session
  • sending an email in TCP/IP terms means:

(1) APPLICATION LAYER: write email in email client > message data is sent to a port for the relevant service, likely 25 for SMTP?

(2) TRANSPORT LAYER: encapsulates the data with TCP or UDP header with destination and source ports —–> segment is sent to...

(3) NETWORK LAYER: encapsulates the segment inside IP packet with source and destination IP —–> packet is sent to...

(4) LINK LAYER: packet reaches physical hardware, encapsulates into frame with source and destination MAC addresses —–> frame is received by the link layer on the other end.

  • the receiver of the email has to make a request to the email server to retrieve the email before they can read it. The retrieved email is the response.

  2. A hacker used Firefox to visit the administrative website of Acme Corp, where they attempted to log into the CFO's account multiple times, until they correctly guessed the password.

visiting the website:
(1) DNS look-up so that the URL can be translated into the IP address of the server containing the resources for the site. Caches checked: browser cache, OS system cache, router cache, ISP DNS cache
(2) browser sends an HTTP request to the server
(3) server responds
(4) browser renders server's response
(5) this can be synchronous or asynchronous

  • each time the hacker tries to log into the account, a session request is made to the server from browser

  3. A hacker stole the Acme CFO's mobile phone. Login credentials were saved on the phone, allowing the hacker to log into Acme Corp's mobile admin application.

  • same idea?

  1. Design the office with the following computer and network devices:

    • (6) Employee computers
    • (2) Switches
    • (1) Router
    • (2) Load balancers
    • (1) Firewall
    • (1) Representation of the internet
    • (1) Server
    • (1) Wireless access point with (1) firewall to protect it
  2. DMZ

  3. add the server and load balancers to the DMZ

  • internet || firewall || router –> everything else?
  • load balancer between server and client
  • DMZ switch between firewall and public-access servers?

  1. Convert the following binary representations into numeric IP addresses:

    1. 11000000101010000100010110010001 > 192.168.69.145 (private)
    2. 00001010000000000000000000101010 > 10.0.0.42 (public?)
    3. 11000000101011000100010110010001 > 192.172.69.145 (private)
    4. 00101001001011011011011000100000 > 41.45.182.32 (public?)
    5. 00001010000000000000000001001100 > 10.0.0.76 (public?)
  2. Compare the numeric IP addresses to the Acme server list and determine which server the IPs belong to.

  3. Summarize your findings to determine what resources the hacker is trying to access.

Your security manager also found the following binary data in the hacker's logs:

  • 100010001111011111000111011001010001101000110110

Determine what this binary data represents.
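Working the two binary exercises above in code rather than by hand: this added example (not part of the course's answer key) decodes the 32-bit strings to dotted-quad IPv4, checks them against the RFC 1918 private ranges, decodes the 48-bit string from the hacker's logs (it is MAC-address length, and matches the sender MAC in log file 5 further down), and shows the mask-and-compare step a host uses to decide whether a destination is local. The interface address and netmask used in is_local() are constructed.

```python
"""Decode binary strings into IPv4 / MAC addresses, classify IPv4 scope, and
test whether a destination is on the local subnet. Homework strings only."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def bits_to_bytes(bits: str) -> bytes:
    """'11000000...' -> b'\\xc0...'; rejects anything that is not whole octets."""
    bits = "".join(bits.split())
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a multiple of 8 binary digits")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decode(bits: str) -> str:
    """32 bits -> dotted-quad IPv4, 48 bits -> colon-hex MAC, 128 bits -> IPv6."""
    raw = bits_to_bytes(bits)
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if len(raw) == 6:
        return ":".join(f"{b:02x}" for b in raw)
    if len(raw) == 16:
        return str(ipaddress.IPv6Address(raw))
    raise ValueError(f"{len(raw) * 8} bits is not an IPv4, MAC or IPv6 length")


def scope(ip: str) -> str:
    """private (RFC 1918) vs public, with loopback and link-local called out."""
    addr = ipaddress.IPv4Address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def is_local(dst: str, iface_ip: str, netmask: str) -> bool:
    """What a host does before sending: AND both addresses with the mask and
    compare. Same network -> ARP for the destination; else -> hand to gateway."""
    net = ipaddress.ip_network(f"{iface_ip}/{netmask}", strict=False)
    return ipaddress.IPv4Address(dst) in net


HOMEWORK_BITS = [                      # the five 32-bit strings from the homework
    "11000000101010000100010110010001",
    "00001010000000000000000000101010",
    "11000000101011000100010110010001",
    "00101001001011011011011000100000",
    "00001010000000000000000001001100",
]
HACKER_LOG_BITS = "100010001111011111000111011001010001101000110110"   # 48 bits


def report(iface_ip="10.0.0.42", netmask="255.255.255.0"):
    """Rows of (bits, decoded, scope, local?) for the homework strings.
    iface_ip/netmask are constructed to illustrate the local-subnet test."""
    rows = []
    for b in HOMEWORK_BITS:
        ip = decode(b)
        rows.append((b, ip, scope(ip), is_local(ip, iface_ip, netmask)))
    return rows


if __name__ == "__main__":
    for bits, ip, sc, local in report():
        print(f"{bits} -> {ip:<15} {sc:<8} local={local}")
    print(f"{HACKER_LOG_BITS} -> {decode(HACKER_LOG_BITS)} (48 bits: MAC address format)")
```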


spoofing a DNS on linux

/etc/hosts is where local name-to-IP overrides live on Linux (it is consulted before DNS). The syntax for adding an entry is:

[ip] [domain]

For example: 137.74.187.102 krebsonsecurity.com

  • only editable as root though

Week 8.2

Translating raw binary into readable format

Log file 1

GET / HTTP/1.1
Host: widgets.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,nb;q=0.8

Log file 2

File Transfer Protocol (FTP)
    230 Login successful.\r\n
        Response code: User logged in, proceed (230)
        Response arg: Login successful.

Log file 3

TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
    Content Type: Application Data (23)
    Version: TLS 1.2 (0x0303)
    Length: 56
    Encrypted Application Data: d03ff41452da9e9c3ec76cbeb35e8ffc1f64bf80f512924a?

Log file 4

Domain Name System (query)
    Transaction ID: 0x18b6
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        applegate.com: type A, class IN
    [Response In: 623]

Log file 5

Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: Technico_65:1a:36 (88:f7:c7:65:1a:36)
    Sender IP address: 10.0.0.1
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 10.0.0.6

Log file 6

HCI H4
    [Direction: Unspecified (0xffffffff)]
    HCI Packet Type: HCI Command (0x01)
HCI Command – Read Local Supported Features
    Command Opcode: Read Local Supported Features (0x1003)
    Parameter Total Length: 0
    [Response in frame: 4]
    [Command-Response Delta: 4.181ms]

Determining source and destination ports, protocol, and summarize findings for each request in logfile:

Log file 1 Source: 192.168.1.9:50152 Destination: 192.124.249.168:80 Protocol: TCP 6 Summary: stealing or accessing data?

Log file 2 Source: 10.0.0.42:53367 Destination: 35.186.241.40:443 Protocol: TCP 6

Third one is also TCP. So exciting. I'm enthralled.

OSI Modeling

LINK: https://write.as/effyverse/networking-basics-47md

Review the list of 10 suspicious activities and determine which of the seven OSI layers each falls under:

1) A networking cable was cut in the Data Center and now no traffic can go out. Layer 1: Physical

2) A code injection was submitted from an administrative website, and it's possible that an attacker can now see unauthorized directories from your Linux server. Layer 7 Application for the code inject and layer 3 for the server?

3) The MAC address of one of your network interface cards has been spoofed and is preventing some traffic from reaching its destination. Layer 2: data link

4) Your encrypted web traffic is now using a weak encryption cipher and the web traffic is now vulnerable to decryption. Layer 6: Presentation

5) The destination IP address has been modified and traffic is being routed to an unauthorized location. Layer 3: Network

6) A flood of TCP requests is causing performance issues. Layer 4: Transport

7) A SQL injection attack has been detected by the SOC. This SQL injection may have deleted several database tables. Layer 5: Session

8) A switch suddenly stopped working and local machines aren't receiving any traffic. Layer 2: Datalink

9) An ethernet cable was disconnected and the machine connected isn't able to receive any external traffic. Layer 1: Physical

10) Traffic within the network is now being directed from the switch to a suspicious device. Layer 3: Network

HOW TO APPLY THE OSI TO TROUBLE-SHOOT?

Question: How would one troubleshoot an unreachable IP given only the information available from ping?

THE GOAL: is to narrow down your problem domain methodically

  • server admin/team –> check iLO connection (console connection) to narrow down network vs server problem; if connected, validates that server is good. If not, check server itself

layer 1-2
  • check hardware: beyond server, check switch
  • enterprise switches are smart
  • if you know the NIC, you can find the ARP translation to trace the MAC address
  • once you have the MAC, you check its switch: from the switch perspective, are you seeing the server? if yes, you have validated that physical layer is good
  • if layer two is good, you should be able to find the MAC address

layer 3
  • is this an IP problem or does it affect all the servers on this subnet?
  • if you can ping the other IPs, recheck the hardware because every other IP is working so it's a problem with localhost not network aka it is the specific machine pinging from and not necessarily the machine we are pinging to
  • reverse the ping direction to check
  • VLAN
  • opnet/tcpdump
  • track the packet

#networking #dmz #portforwarding #UPnP #questions

Questions

Ask Class:

  • hardening approach for UPnP & does it have a usage case that justifies its high security risks? (Other than as a commodification of convenience and the very human desire to optimize for short-term profits and immediate convenience over the future stakes like security or the planet.)
  • dynamic ports

DMZ vs port-forwarding vs UPnP

DMZ: Demilitarized Zone

  • How does a new printer, camera, coffee pot or toy know how to attach to your network and then configure your router to allow for port access?

Port-Forwarding:

  • forward some ports of the router to allow external traffic
  • grant external devices access to host systems on home or LAN networks

Step-By-Step of Port-Forwarding:

Sending request from source:

(1) connection req sent from device to router with details of device's IP address and an associated port for the request. The device is the host or source for the connection.

(2) Router then reads the request and maps the device's IP address and port with the router's public facing IP and a relevant port. This is stored in the Network Address Translation (NAT) table.

Response from destination:
  • destination makes a connection request back to router with the router IP address and a specific port
  • router checks NAT table for the specific IP address/port combo for an open connection
  • if found, request is passed to the device/port
  • once connection closes, entry on table is deleted

Port-Forwarding Usages:

  • backups: makes it easy to access
  • virtual desktops
  • CCTV / security
  • game servers

Types of Port-Forwarding:

  • local port forwarding: bypass firewall in network so you can access other computers or services on same network. Secure file transfer tunneling or connecting to a remote file share over internet.

  • Remote Port Forwarding: allows anyone from remote end to connect to remote server in local network on TCP port 8080. Connection will be tunneled to host computer on port 80. Shares internal web app on public platform.

  • Dynamic Port Forwarding: client is securely connected using ssh or SOCKS proxy server for data transmission on untrusted network.

UPnP: Universal Plug and Play

  • a protocol that lets networked devices automatically open a port on the router to let you communicate with your gadget remotely
  • zero config
  • Usage: IoT, VoIP, p2p
  • can be used for NAT traversal or Firewall punching??? – basically any device, including malware, can issue a UPnP request to the router to open a public port???

UPnP Risks:

  • no authentication or authorization
  • no official implementation so every router has its own; some routers are discoverable from the WAN
  • any malicious program on network can use UPnP
  • can use router as a proxy to spread malware, steal CC info, perform phishing attacks, DDoS attacks, etc
  • Mirai botnet brute force approach to scan for exposed telnet ports likely added by UPnP + trying default passwords, loaded Mirai software, transforming device into bot spewing out UDP packets targeted at Dyn

From this: https://www.upguard.com/blog/what-is-upnp

UPnP exploitation can result in more than just the connection of an infected device. Here are just a few examples of the malicious actions that are possible with UPnP:

  • Connecting internal ports to the router's external-facing side to create gateways ('poking holes') through firewalls.
  • Port forwarding the router web administration details
  • Port forwarding to any external server located on either the surface or dark web.
  • Changing DNS server settings so that a decoy credential stealing website is loaded instead of legitimate banking websites.
  • Modifying administrative credentials
  • Modifying PPP settings
  • Modifying IP settings for all interfaces
  • Modifying the WiFi settings
  • Modifying or terminating internal connections

#networking #OSI #tcpip

  • takes both software and hardware to move packets: MAC (hardware) and IP (software)

Packets: header + payload

  • payload = data being transferred
  • as packet traverses the network, each layer adds info to header
  • different layers use different terms for our “packet”
  • transport layer: used to encapsulate data in a “segment”
  • link layer: we refer to this as a “frame”

Sending an email example

  1. APPLICATION LAYER (in OSI application, presentation, session) will encapsulate the data from our email client

  2. application layer talks to transport layer through specific port (25 for SMTP)

  3. Data goes to Transport layer to be encapsulated into segments

Transport Layer

  • breaks data into chunks (known as “segments”) in a way networks can read and transport

TCP handshake:
  • client sends a SYN segment to server requesting connection
  • server sends the client a SYN-ACK segment to acknowledge the client's connection request
  • client sends an ACK to server to acknowledge the server's connection request

092119-0753-TCP3-Way-Hand1.webp

Network layer

  • routing of packets from source host to destination host
  • “subnets” = smaller networks making up the Internet
  • IP addresses define the rules to travel to different subnets

Coming from Transport layer:
  • receives “segment” and encapsulates this segment in an IP packet
  • attaches source host IP + destination host IP to the packet header
  • sends to physical hardware layer

Link layer

  • receives “packet”, encapsulates into “frame”
  • attaches source and destination MAC addresses of hosts, checksums, packet separators so that receiver can tell when packet ends

ARP: Address Resolution Protocol to find MAC address of IP

  • used within same network

DHCP: Dynamic Host Configuration Protocol

  • assigns IP addresses, subnet masks, gateways

networking1.jpg

networking.jpg

#linux #networking #router #automation #bash #python #ruby

The suggestion from my tutor was to “write an automation script that goes into my router and pulls the logs from the router logs to system logs and then scans them for any occurrences of nmap and sends the results to me in an email. Possibly filtering by priority?”

To Research

Router Access

  • does my router have logs accessible
  • can my router easily transfer those logs to my system logs or do I have to manually do that?

System logs

  • where is the appropriate place to put them?

Cron job

  • set it up where?

Email server

  • can I send it directly to my thundermail client or does it have to go through gmail?

Additional Practice

  • redo this assignment using my linux machine?
  • redo in py?

#networking #ifconfig #ip #loopback #nic

  • Use the -v verbose flag to provide type info on some interfaces: ifconfig -v en6

Relevant terms

NIC: Network Interface Cards:

  • circuit board required for computer to connect over a network.
  • wired/wireless, across LAN or large-scale network via IP
  • physical layer + data link layer device
  • internal/external:

LAN vs WAN vs The Internet

LAN: Local Area Network – communications between devices in a limited area such as schools, hospitals, institutions

WAN: Wide Area Network – interconnects multiple LAN to allow shared access to apps, services, other centrally located resources, i.e. connecting between enterprise headquarters, branch offices, facilities, cloud, etc. Eliminates need to install the same application server, firewall, or etc. resource in multiple locations.

The Internet: global communication system, including hardware and infrastructure, using TCP/IP to transmit data via various media types between networks. Connected by guided, wireless, fiber-optic tech.

World Wide Web is one of the services communicated over the internet.

Internet Services: include communication services (mail, mailing list, telnet, IM), information retrieval services (FTP, Gopher, Archie, VERONICA), Web services (app interaction), Video Conferencing.


lo0 = loopback interface: allows server/client processes on a single system to communicate with each other w/o interference of NIC. Also known as 127.0.0.1 or localhost.

Using ifconfig lo0 to examine this gives me:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201<PERFORMNUD,DAD>

So I tried to ping 127.0.0.1 and it was successful, implying that the TCP/IP software stack on my machine is successfully loaded and working.

The loopback is used for troubleshooting or when “a server offering a resource you need is running on your own machine”, i.e. running a webserver.

gif0

is a “generic tunnelling device for IPv4 and IPv6”. Virtual.

stf0

interface supporting 6to4, an internet transition mechanism for migrating from IPv4 to IPv6 via encapsulation (can tunnel IPv6 traffic over IPv4).

enX where X is a num

refers to physical network interfaces. en0 is the first device to start — your wifi. The rest are (likely) Thunderbolt interfaces on a MacOS.

ap1

???

awdl0

is the Apple Wireless Direct Link, typically used for Hotspot functionality

llw0

bridge0

Thunderbolt bridge for transferring files over cable between two Macs.

utunX where X is a num

are related to sharing info between devices on the same iCloud account, also created by any VPN interfaces.


Follow-Up Questions

  • what is the scopeid?
  • why is the mac address written in hex?
  • what is the Skywalk system?

#bash #scripting #nc #networking #ports

What we know:

  • There is an open and listening port (30002) that will send back the password if it receives the current lv password + correct pin

What to do with this knowledge:

Attempt 1: I tried writing a script that iterates through 0000-9999, combines each number with the current level's password, and then send each line to the port:

#!/bin/bash
start=0000
count=9999

while [ $start -lt $count ]
do
  # "current password" is a placeholder for the level's actual password
  # each iteration opens a new nc connection, which waits for the server's reply (or its timeout)
  echo "current password $start" | nc localhost 30002
  # ((start++)) drops the leading zeros, so 0001 is sent as 1
  ((start++))
done

Mistakes Made:

Unfortunately, my loop never stopped looping...

I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. Wrong! Please enter the correct current password. Try again. Timeout. Exiting. I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. Wrong! Please enter the correct current password. Try again.

FOLLOW UP ON WHY

Attempt 2: Breaking it down more

This time I decided to separate the problem into two parts:

Script 1: Create a list of possible password + pin combos

#!/bin/bash
touch list.txt

# brace expansion keeps the zero padding: 0000, 0001, ..., 9999
for i in {0000..9999}
do
  echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> list.txt
done

Script 2: Iterate through my list.txt and send each one to the listening daemon with nc

#!/bin/bash
# `for line in list.txt` would loop once over the literal word "list.txt";
# feeding the file to a single nc connection sends one guess per line instead
nc localhost 30002 < list.txt

And voilà!