networking fundamentals

MD SAQUIB NASIR KHAN DIGITAL EVIDENCE ANALYST DATA64 | CIALFOR NETWORKING FUNDAMENTAL

Upload: md-saquib-khan

Post on 16-Feb-2017

TRANSCRIPT

Page 1: Networking Fundamentals

MD SAQUIB NASIR KHAN

DIGITAL EVIDENCE ANALYST

DATA64 | CIALFOR

NETWORKING FUNDAMENTAL

Page 2: Networking Fundamentals

www.malc0de.org

Contents
• HUB, Switch, Router
• MAC
• IP
• Packet Forwarding
• Internet Protection
• WLAN
• Packet switching and Circuit switching
• DNS
• IDS & IPS
• VPN

Page 3: Networking Fundamentals

HUB VS Switch VS Router

Page 4: Networking Fundamentals

HUB
• No real understanding of how to transmit data between systems
• Only broadcasts packets
• As the number of systems increases, speed will decrease

Page 5: Networking Fundamentals

Switch
• Does not broadcast packets; it shares the packet only with the system for which the packet was sent
• Does not consume speed like a HUB for packet sharing

Page 6: Networking Fundamentals

Router
• Deals with broadcasting as well as individual message delivery
• Acts as a firewall
• ARP table

Page 7: Networking Fundamentals

MAC
• Media Access Control
• Only for network adapter
• Depends on ARP to communicate with others
• ipconfig/ifconfig
• arp -a

Page 8: Networking Fundamentals

IP
• Unique address given to MAC address

124.224.224.100

01111100 11100000 11100000 01100100

Page 9: Networking Fundamentals

Classes of IP

Class  Range
A      1-126     /8
B      127-191   /16
C      192-223   /24
D      224-239   Multicast
E      240-255   Experimental

0 & 127

General Use

Page 10: Networking Fundamentals

Classes of Private IP

Class  Prefix  Range
A      /8      10.0.0.0-10.255.255.255
B      /12     172.16.0.0-172.31.255.255
C      /16     192.168.0.0-192.168.255.255

Page 11: Networking Fundamentals

IP (INTERNET PROTOCOL)

Page 12: Networking Fundamentals

Network & Host Address

Class  N/w + Host
A      N+H+H+H
B      N+N+H+H
C      N+N+N+H

Page 13: Networking Fundamentals

Classless Inter-Domain Routing

128,64,32,16,8,4,2,1
--------.--------.--------.--------
CIDR /28
28 ON 4 OFF
SUBNET FOR 100 SYSTEM?
300 subnet host number?

Page 14: Networking Fundamentals

192.168.100.97/27

Find host address, network address, number of host gateways and broadcast address.

Page 15: Networking Fundamentals

192.168.100.97/27
X.X.X.11100000
1110000> INCREMENT NUMBER (32 {128,64,32})
X.X.X.32
X.X.X.64
X.X.X.96
SUBNET: 96
Host: 00000: 31 (16+8+4+2+1)
Broadcast: 96+31=127
Range: 97-126
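
The same calculation done with bit masks, as an added example that is not part of the original slides. It also answers the sizing questions from the CIDR slide (a subnet for 100 or 300 systems); the function names are this example's own.

```python
def ip_to_int(ip):
    """Pack a dotted-quad string into a 32-bit integer."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: " + ip)
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    """Unpack a 32-bit integer into a dotted-quad string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def describe(cidr):
    """Network, broadcast, usable range and host count for 'a.b.c.d/prefix'."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 30:
        raise ValueError("this example covers /0 to /30 only")
    host_bits = 32 - prefix                      # the "OFF" bits on the slide
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    network = ip_to_int(ip) & mask               # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all set
    return {
        "mask": int_to_ip(mask),
        "block_size": 1 << host_bits,            # addresses per subnet
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable_hosts": (1 << host_bits) - 2,    # minus network and broadcast
    }

def prefix_for_hosts(n):
    """Longest prefix (smallest subnet) that still holds n usable hosts."""
    host_bits = 2
    while (1 << host_bits) - 2 < n:
        host_bits += 1
        if host_bits > 32:
            raise ValueError("too many hosts for IPv4")
    return 32 - host_bits

if __name__ == "__main__":
    for key, value in describe("192.168.100.97/27").items():
        print(f"{key:13} {value}")
    for n in (100, 300):
        print(f"{n} systems -> /{prefix_for_hosts(n)}")
```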

Page 16: Networking Fundamentals

Type of IP Address
• Static address
• Dynamic address
• Public
• Private

Page 17: Networking Fundamentals

DHCP VS BOOTP

• Class A - large organizations, governments
• Class B - medium sized organizations
• Class C - small organizations

Page 18: Networking Fundamentals

Networking Mode
• Network Address Translation or NAT
• Bridge Mode

Page 19: Networking Fundamentals

TCP/IP

APPLICATION

• HTTP, SMTP
• FTP, DNS, TELNET

TRANSPORT

• TCP
• UDP

NETWORK

• IP, ARP
• ICMP, IGMP

HOST-TO-NETWORK

• ETHERNET
• TOKEN RING

Page 20: Networking Fundamentals

Packet forwarding

It is a process that is enabled by default in a router. The router will perform packet forwarding only if a route is available in the routing table.

Page 21: Networking Fundamentals

Metric of Dynamic Routing
• Hop Count
• Bandwidth
• Load
• Reliability
• Delay
• MTU

Page 22: Networking Fundamentals

Internet Protection
• Internet Key Exchange (IKE or IKEv2)
• Internet Protocol Security (IPsec)
• Kerberos
• Point-to-Point Protocol (PPP)
• Transport Layer Security (TLS)
• Secure Sockets Layer (SSL)

Page 23: Networking Fundamentals

WLAN
• A wireless LAN or WLAN is a wireless local area network that uses radio waves as its carrier.
• The last link with the users is wireless, to give a network connection to all users in a building or campus.
• The backbone network usually uses cables.

Page 24: Networking Fundamentals

WIRELESS NETWORKING

1. WEP (Wired Equivalency Privacy / Wireless Encryption Protocol)

2. WPA (Wi-Fi Protected Access)

3. WPA 2 (Wi-Fi Protected Access 2)

Page 25: Networking Fundamentals

WEP (RC4, 40 bits to 128 bits)

Wired Equivalent Privacy (WEP): a protocol to protect link-level data during wireless transmission between clients and access points.

Services:
• Authentication: provides access control to the network by denying access to client stations that fail to authenticate properly.
• Confidentiality: intends to prevent information compromise from casual eavesdropping.
• Integrity: prevents messages from being modified while in transit between the wireless client and the access point.

Page 26: Networking Fundamentals

Authentication

CRC (Cyclic Redundancy Check)

Page 27: Networking Fundamentals

WPA
• 48-bit IV
• 128-bit key
• TKIP (Temporal Key Integrity Protocol)
• A Message Integrity Code (MIC) called Michael

Page 28: Networking Fundamentals

WPA 2
• Uses the Advanced Encryption Standard (AES)
• Symmetric-key block cipher using 128-bit keys
• Generates CCM Protocol (CCMP):
  CCMP = CTR + CBC + MAC
  CTR = Counter Mode Encryption
  CBC/MAC = Cipher Block Chaining/Message Authentication Code

Page 29: Networking Fundamentals

802.11 Wireless LAN Working Group: 802.11, 802.11a, 802.11b, 802.11g, 802.11n

Protocol  Release date  Op. Frequency                          Data rate (Max)  Range (indoor)  Range (outdoor)
Legacy    1997          2.5~2.5 GHz                            2 Mbit/s
802.11a   1999          5.15~5.35/5.47~5.725/5.725~5.875 GHz   54 Mbit/s        ~25 m           ~75 m
802.11b   1999          2.4~2.5 GHz                            11 Mbit/s        ~35 m           ~100 m
802.11g   2003          2.4~2.5 GHz                            54 Mbit/s        ~25 m           ~75 m
802.11n   2007          2.4 GHz or 5 GHz                       540 Mbit/s       ~50 m           ~125 m

Page 30: Networking Fundamentals

Packet Switching Vs Circuit Switching

Page 31: Networking Fundamentals

DOMAIN NAME SYSTEM
• DNS is a directory service.
• Provides name to IP address
• Maps IP to domain name and reverse
• DNS runs on port 53
• Runs on UDP
• A: address record, name to 32-bit address
• AAAA: address record, name to 128-bit IPv6 address

Page 32: Networking Fundamentals

DNS Caching

Page 33: Networking Fundamentals

DNS Cache Poisoning Attack

Exploit DNS poisoning attack
• Change IP addresses to redirect URLs to fraudulent sites
• Potentially more dangerous than phishing attacks
• No email solicitation is required

DNS poisoning attacks have occurred:
• January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
• In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy.
• In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops".

Page 34: Networking Fundamentals

DNS Spoofing Tools

Dsniff dnsspoof example

abc.com IP address is 10.0.0.1
Make it spoof to respond 100.0.1.1
In the text file dnssniff.txt write
    100.0.1.1 abc.com
[gateway]# dnsspoof -i eth0 -f /etc/dnssniff.txt
[bash]# host abc.com
abc.com has address of 100.0.1.1
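
A detection check for this situation, as an added example that is not part of the original slides: a forged reply injected on the local segment typically races the resolver's genuine reply, so a sensor that sees both can flag one query answered with two different addresses. The record layout, function name and sample data are assumptions of this example, and each record carries a single A answer for simplicity.

```python
# Constructed sample: DNS responses as a sensor might record them
# (timestamp in seconds, transaction id, query name, A-record answer).
RESPONSES = [
    (10.001, 0x1A2B, "abc.com", "100.0.1.1"),       # forged reply arrives first
    (10.020, 0x1A2B, "abc.com", "10.0.0.1"),        # genuine reply arrives second
    (11.500, 0x3C4D, "example.org", "192.0.2.10"),
    (11.900, 0x3C4D, "example.org", "192.0.2.10"),  # retransmission, same answer
    (42.000, 0x1A2B, "abc.com", "10.0.0.1"),        # id reused much later
]

def find_conflicting_answers(responses, window=2.0):
    """Flag (txid, name) pairs answered with different addresses within `window` s."""
    seen = {}    # (txid, name) -> (timestamp of first reply, set of answers)
    alerts = []
    for ts, txid, name, answer in sorted(responses):
        key = (txid, name.lower().rstrip("."))   # DNS names are case-insensitive
        first = seen.get(key)
        if first is None or ts - first[0] > window:
            seen[key] = (ts, {answer})           # new query, or an old id reused
            continue
        if answer not in first[1]:
            first[1].add(answer)
            alerts.append({
                "name": key[1],
                "txid": txid,
                "answers": sorted(first[1]),
                "seconds_apart": round(ts - first[0], 3),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_conflicting_answers(RESPONSES):
        print("conflicting DNS answers:", alert)
```

On real traffic the comparison should be made on whole answer sets, since a name with several A records or round-robin load balancing legitimately returns more than one address.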

Page 35: Networking Fundamentals

INTRUSION DETECTION SYSTEM

Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.

Page 36: Networking Fundamentals

Intrusion Detection Systems (IDS)

Different ways of classifying an IDS

IDS based on:
• anomaly detection
• signature based misuse
• host based
• network based

Page 37: Networking Fundamentals

Anomaly based IDS
• This IDS models the normal usage of the network as a noise characterization.
• Anything distinct from the noise is assumed to be an intrusion activity, e.g. flooding a host with lots of packets.
• The primary strength is its ability to recognize novel attacks.

Page 38: Networking Fundamentals

Signature based IDS
• This IDS possesses an attack description that can be matched to sensed attack manifestations.
• The question of what information is relevant to an IDS depends upon what it is trying to detect, e.g. DNS, FTP etc.

Page 39: Networking Fundamentals

Network based IDS
• This IDS looks for attack signatures in network traffic via a promiscuous interface.
• A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.
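
The anomaly-based and signature-based approaches from the preceding slides, run side by side on the same traffic, as an added example that is not part of the original slides. The traffic, the host address and the single signature are constructed for illustration; the flood carries a harmless-looking payload, so only the rate model sees it, while the known pattern arrives at a normal rate, so only the signature sees it.

```python
from collections import Counter
from statistics import mean, pstdev

HOST = "10.0.0.5"
# Constructed pattern standing in for a real rule set.
SIGNATURES = {"dir-traversal": "/../../"}

# Constructed traffic as (second, destination, payload).
# Baseline: 60 quiet seconds with 2 to 4 packets per second.
BASELINE = [(s, HOST, "GET /index.html") for s in range(60) for _ in range(2 + s % 3)]
LIVE = (
    [(s, HOST, "GET /index.html") for s in range(100, 105) for _ in range(3)]
    + [(102, HOST, "GET /index.html")] * 500      # flood, payload looks benign
    + [(103, HOST, "GET /../../etc/passwd")]      # known pattern at a normal rate
)

def signature_alerts(packets):
    """Signature IDS: report packets whose payload contains a known pattern."""
    return [(t, dst, name) for t, dst, payload in packets
            for name, pattern in SIGNATURES.items() if pattern in payload]

def anomaly_alerts(baseline, live, dst, k=3.0):
    """Anomaly IDS: flag seconds whose packet count to dst exceeds mean + k*stddev."""
    base = Counter(t for t, d, _ in baseline if d == dst)
    if not base:
        raise ValueError("no baseline traffic for " + dst)
    rates = [base.get(s, 0) for s in range(min(base), max(base) + 1)]
    # Floor the deviation at 1 packet so a very flat baseline is not over-sensitive.
    threshold = mean(rates) + k * max(pstdev(rates), 1.0)
    now = Counter(t for t, d, _ in live if d == dst)
    return sorted(s for s, n in now.items() if n > threshold)

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LIVE))
    print("anomalous seconds:", anomaly_alerts(BASELINE, LIVE, HOST))
```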

Page 40: Networking Fundamentals

INTRUSION PREVENTION SYSTEM

Page 41: Networking Fundamentals

Host Based IPS

Page 42: Networking Fundamentals

Network Based IPS

Page 43: Networking Fundamentals

VIRTUAL PRIVATE NETWORK

A virtual private network (VPN) is a technology that creates an encrypted connection over a less secure network. The benefit of using a VPN is that it ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it.

Page 44: Networking Fundamentals

VIRTUAL PRIVATE NETWORK

Page 45: Networking Fundamentals

Any Q?

Page 46: Networking Fundamentals

Thank you