Networking Fundamentals
MD SAQUIB NASIR KHAN, DIGITAL EVIDENCE ANALYST
DATA64 | CIALFOR
NETWORKING FUNDAMENTAL
www.malc0de.org
Contents: HUB, Switch, Router; MAC; IP; Packet Forwarding; Internet Protection; WLAN; Packet Switching and Circuit Switching; DNS; IDS & IPS; VPN
HUB VS Switch VS Router

HUB: has no understanding of where data should go between systems; it only broadcasts packets to every port. As the number of systems increases, speed decreases.

Switch: does not broadcast packets; it delivers each packet only to the system it was sent to. Does not consume bandwidth the way a HUB does when sharing packets.

Router: deals with broadcasting as well as individual message delivery. Can act as a firewall. Maintains an ARP table.
MAC (Media Access Control): belongs only to the network adapter. Depends on ARP to communicate with others.
Commands: ipconfig / ifconfig, arp -a
IP: unique address given to a MAC address.
124. 224. 224.100
01111100 11100000 11100000 01100100
Classes of IP
Class     Range      Prefix / use
A         1-126      /8
B         127-191    /16
C         192-223    /24
D         224-239    Multicast
E         240-255    Experimental
0 & 127              General Use
Classes of Private IP
Class   Prefix   Range
A       /8       10.0.0.0 - 10.255.255.255
B       /12      172.16.0.0 - 172.31.255.255
C       /16      192.168.0.0 - 192.168.255.255
IP (INTERNET PROTOCOL)
Network & Host Address
Class   Network + Host
A       N+H+H+H
B       N+N+H+H
C       N+N+N+H
Classless Inter-Domain Routing (CIDR)
Bit weights per octet: 128, 64, 32, 16, 8, 4, 2, 1
--------.--------.--------.--------
CIDR /28: 28 bits ON, 4 bits OFF
Exercises: Subnet for 100 systems? 300 subnet host number?
192.168.100.97/27: find the host address, network address, number of hosts, gateway and broadcast address.

192.168.100.97/27: mask on the last octet is X.X.X.11100000 (224)
Increment number: 32 (the lowest ON bit among 128, 64, 32)
Subnet boundaries: X.X.X.32, X.X.X.64, X.X.X.96
Subnet (network): 96; host bits: 00000
Largest host value: 31 (16+8+4+2+1)
Broadcast: 96 + 31 = 127
Host range: 97-126
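The increment method on the slide, carried through in code as an added example (this is my code, not the deck's): it computes mask, network, broadcast, host range and usable-host count for any address/prefix, reports the "increment number" the slide derives by hand, and answers the two exercises on the CIDR slide by finding the smallest subnet that holds 100 or 300 hosts (my reading of those exercises). Function names are my own; the only library used is the standard `ipaddress` module, as a cross-check.

```python
# Added example (not from the slides): a CIDR/subnet calculator that applies
# the "increment" method shown on the slide and cross-checks it against the
# Python standard library. The 192.168.100.97/27 input is the slide's own value.
import ipaddress


def parse_ipv4(dotted):
    """Turn 'a.b.c.d' into a 32-bit integer, validating each octet."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("an IPv4 address needs exactly four octets")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %s" % part)
        value = (value << 8) | octet
    return value


def to_dotted(value):
    """Inverse of parse_ipv4."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(cidr):
    """Network, broadcast, host range and usable-host count for an address/prefix."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 1 <= prefix <= 32:
        raise ValueError("prefix length must be between 1 and 32")
    addr = parse_ipv4(addr_str)
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF      # /27 -> 255.255.255.224
    network = addr & mask                               # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all set
    # The slide's "increment number": value of the lowest ON bit of the mask in
    # the octet where the mask ends (32 for /27, 128 for /25, 1 for /24).
    increment = 1 << (host_bits % 8)
    if host_bits >= 2:
        usable = (1 << host_bits) - 2    # drop network and broadcast addresses
        first, last = network + 1, broadcast - 1
    else:
        usable = 1 << host_bits          # /31 point-to-point (RFC 3021) and /32
        first, last = network, broadcast
    return {
        "network": to_dotted(network),
        "mask": to_dotted(mask),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "usable_hosts": usable,
        "increment": increment,
    }


def prefix_for_hosts(hosts):
    """Longest prefix whose subnet still has at least `hosts` usable addresses."""
    for prefix in range(30, 0, -1):          # /30 is the smallest subnet with 2 usable hosts
        if (1 << (32 - prefix)) - 2 >= hosts:
            return prefix
    raise ValueError("no IPv4 subnet can hold %d hosts" % hosts)


def matches_stdlib(cidr):
    """Cross-check the hand calculation against ipaddress (strict=False keeps host bits)."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = subnet_info(cidr)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    for key, value in subnet_info("192.168.100.97/27").items():
        print("%-12s %s" % (key, value))
    print("100 systems need a /%d" % prefix_for_hosts(100))
    print("300 hosts need a /%d" % prefix_for_hosts(300))
```

Running it reproduces the slide: network 192.168.100.96, broadcast .127, hosts .97 to .126, increment 32, 30 usable hosts. For the exercises, 100 hosts fit in a /25 (126 usable) and 300 in a /23 (510 usable).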
Types of IP Address: Static address, Dynamic address; Public, Private
DHCP VS BOOTP
Class A - large organizations, governments
Class B - medium sized organizations
Class C - small organizations
Networking Mode: Network Address Translation (NAT), Bridge Mode
TCP/IP
APPLICATION: HTTP, SMTP, FTP, DNS, TELNET
TRANSPORT: TCP, UDP
NETWORK: IP, ARP, ICMP, IGMP
HOST-TO-NETWORK: ETHERNET, TOKEN RING
Packet forwarding
It is a process that is enabled by default in a router. The router will forward a packet only if a route for it is available in the routing table.
Metrics of Dynamic Routing: Hop Count, Bandwidth, Load, Reliability, Delay, MTU
Internet Protection: Internet Key Exchange (IKE or IKEv2), Internet Protocol Security (IPsec), Kerberos, Point-to-Point Protocol (PPP), Transport Layer Security (TLS), Secure Sockets Layer (SSL)
WLAN
A wireless LAN or WLAN is a wireless local area network that uses radio waves as its carrier. The last link with the users is wireless, to give a network connection to all users in a building or campus. The backbone network usually uses cables.
WIRELESS NETWORKING
1. WEP (Wired Equivalent Privacy / Wireless Encryption Protocol)
2. WPA (Wi-Fi Protected Access)
3. WPA2 (Wi-Fi Protected Access 2)
WEP (RC4, 40-bit to 128-bit keys)
Wired Equivalent Privacy (WEP): a protocol to protect link-level data during wireless transmission between clients and access points.
Services:
Authentication: provides access control to the network by denying access to client stations that fail to authenticate properly.
Confidentiality: intends to prevent information compromise from casual eavesdropping.
Integrity: prevents messages from being modified while in transit between the wireless client and the access point.
Authentication
CRC (Cyclic Redundancy Check)
WPA: 48-bit IV, 128-bit key, TKIP (Temporal Key Integrity Protocol), a Message Integrity Code (MIC) called Michael
WPA2
Uses the Advanced Encryption Standard (AES), a symmetric-key block cipher using 128-bit keys, in CCM Protocol (CCMP):
CCMP = CTR + CBC-MAC
CTR = Counter Mode encryption
CBC-MAC = Cipher Block Chaining Message Authentication Code
802.11 Wireless LAN Working Group

Protocol   Release date   Op. frequency                              Data rate (max)   Range (indoor)   Range (outdoor)
Legacy     1997           2.4~2.5 GHz                                2 Mbit/s
802.11a    1999           5.15~5.35 / 5.47~5.725 / 5.725~5.875 GHz   54 Mbit/s         ~25 m            ~75 m
802.11b    1999           2.4~2.5 GHz                                11 Mbit/s         ~35 m            ~100 m
802.11g    2003           2.4~2.5 GHz                                54 Mbit/s         ~25 m            ~75 m
802.11n    2007           2.4 GHz or 5 GHz                           540 Mbit/s        ~50 m            ~125 m

Standards covered: 802.11, 802.11a, 802.11b, 802.11g, 802.11n
Packet Switching Vs Circuit Switching
DOMAIN NAME SYSTEM
DNS is a directory service. It provides name to IP address mapping, maps IP to domain name and the reverse. DNS runs on port 53, over UDP.
A - Address record: name to 32-bit IPv4 address
AAAA - Address record: name to 128-bit IPv6 address
DNS Caching
DNS Cache Poisoning Attack
Exploits DNS poisoning to change IP addresses and redirect URLs to fraudulent sites. Potentially more dangerous than phishing attacks: no email solicitation is required.
DNS poisoning attacks that have occurred:
- January 2005: the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
- November 2004: Google and Amazon users were sent to Med Network Inc., an online pharmacy.
- March 2003: a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops".
DNS Spoofing Tools
Dsniff dnsspoof example:
abc.com IP address is 10.0.0.1. Make it spoof to respond 100.0.1.1. In the text file dnssniff.txt write:
100.0.1.1 abc.com
[gateway]# dnsspoof -i eth0 -f /etc/dnssniff.txt
[bash]# host abc.com
abc.com has address of 100.0.1.1
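To show the resolver side of the last two slides (the DNS slide's UDP port 53 A records, and what a stub resolver does with a reply like the forged one above), here is an added example, my own code rather than anything from the deck or from dsniff: a minimal DNS wire-format builder and parser, plus the acceptance checks a resolver applies before caching an answer (reply comes from the server that was asked, transaction ID matches, QR bit set, question section echoes the query, A records are for the queried name). The addresses, names and transaction IDs are constructed; 10.0.0.1 and 100.0.1.1 are the slide's values. These checks defeat blind, off-path guesses; an on-path tool that sees the query can copy the transaction ID, which is why DNSSEC validation or an encrypted transport to the resolver (DoT/DoH) is the real mitigation for that case.

```python
# Added example (not from the slides): a minimal DNS wire-format parser plus the
# checks a stub resolver applies before accepting an answer. All addresses,
# names and transaction IDs are constructed for the demo.
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    """'abc.com' -> b'\\x03abc\\x03com\\x00' (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Read a name at offset, following compression pointers; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                        # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_response(txid, qname, answers, flags=0x8180):
    """Standard response (QR=1, RD, RA) carrying A records; answers = [(name, ip, ttl)]."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)   # 12-byte header
    msg += encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)  # question
    for name, ip, ttl in answers:
        rdata = bytes(int(o) for o in ip.split("."))                    # 32-bit address
        msg += encode_name(name) + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + rdata
    return msg


def parse_message(data):
    """Header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name.lower(), qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name.lower(), rtype, rclass, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def validate_response(pending, packet, source):
    """pending = {'txid', 'qname', 'server'}; source = (ip, port) the datagram came from."""
    if source != pending["server"]:
        return False, "reply did not come from the server that was queried"
    msg = parse_message(packet)
    if msg["txid"] != pending["txid"]:
        return False, "transaction ID mismatch"
    if not msg["flags"] & 0x8000:
        return False, "QR bit clear: this is a query, not a response"
    if msg["questions"] != [(pending["qname"].lower(), A_RECORD, IN_CLASS)]:
        return False, "question section does not echo the query"
    for name, rtype, _rclass, _ttl, _rdata in msg["answers"]:
        if rtype == A_RECORD and name != pending["qname"].lower():
            return False, "A record for %s does not match the queried name" % name
    return True, "accepted"


# Constructed scenario: we asked 10.0.0.53 (our resolver) for abc.com with TXID 0x1A2B.
PENDING = {"txid": 0x1A2B, "qname": "abc.com", "server": ("10.0.0.53", 53)}


def run_demo():
    """Returns [(label, accepted, reason)] for a genuine reply and two forged ones."""
    genuine = build_response(0x1A2B, "abc.com", [("abc.com", "10.0.0.1", 300)])
    blind_guess = build_response(0x0001, "abc.com", [("abc.com", "100.0.1.1", 300)])
    wrong_name = build_response(0x1A2B, "abc.com", [("login.example", "100.0.1.1", 300)])
    cases = [("genuine", genuine), ("forged, guessed TXID", blind_guess),
             ("forged, unrelated A record", wrong_name)]
    return [(label, *validate_response(PENDING, pkt, ("10.0.0.53", 53))) for label, pkt in cases]


if __name__ == "__main__":
    for label, ok, why in run_demo():
        print("%-28s %s (%s)" % (label, "ACCEPT" if ok else "REJECT", why))
```

The genuine reply is accepted; the reply with a guessed transaction ID and the one carrying an A record for a name that was never asked about are both rejected before anything reaches the cache.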
INTRUSION DETECTION SYSTEM
Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.
Intrusion Detection Systems (IDS)
Different ways of classifying an IDS: anomaly detection based, signature (misuse) based, host based, network based
Anomaly based IDS
This IDS models the normal usage of the network as a noise characterization. Anything distinct from the noise is assumed to be intrusion activity, e.g. flooding a host with lots of packets. The primary strength is its ability to recognize novel attacks.
Signature based IDS
This IDS possesses attack descriptions that can be matched to sensed attack manifestations. The question of what information is relevant to an IDS depends upon what it is trying to detect, e.g. DNS, FTP etc.
Network based IDS
This IDS looks for attack signatures in network traffic via a promiscuous interface. A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.
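The three IDS slides above, side by side in code as an added example (my own, not the deck's): a signature engine that matches byte patterns against each record's payload (misuse detection) and an anomaly engine that characterizes "noise" as the mean and standard deviation of packets per source host over a training window, then flags any host in the live window that sits outside it, which catches the packet-flooding host the anomaly slide uses as its example. The connection records, host addresses and rule names are all constructed for the demo; a real sensor would take the records from a promiscuous capture and the filter stage described on the network-based slide would run before either engine.

```python
# Added example (not from the slides): a toy network IDS over constructed
# connection records, with a signature engine (misuse detection) and an anomaly
# engine that models "normal" per-host packet rates and flags hosts outside it.
import re
import statistics
from collections import Counter

# Signature rules: name -> byte pattern matched against the payload.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./"),
    "ftp-anon-login": re.compile(rb"^USER anonymous", re.IGNORECASE),
}


def make_records(src, count, dst="10.0.0.80", dport=80, payload=b"GET /index.html HTTP/1.0"):
    """Constructed records: `count` packets from src to dst:dport with the given payload."""
    return [{"src": src, "dst": dst, "dport": dport, "payload": payload} for _ in range(count)]


# Baseline window: five hosts behaving normally (10, 12, 9, 11, 8 packets each).
TRAINING = (make_records("10.0.0.1", 10) + make_records("10.0.0.2", 12) +
            make_records("10.0.0.3", 9) + make_records("10.0.0.4", 11) +
            make_records("10.0.0.5", 8))

# Live window: 10.0.0.5 floods the web server, 10.0.0.9 sends one traversal request.
LIVE = (make_records("10.0.0.5", 120, payload=b"") +
        make_records("10.0.0.6", 11) +
        make_records("10.0.0.7", 9) +
        make_records("10.0.0.9", 1, payload=b"GET /../../secret.txt HTTP/1.0"))


def scan_signatures(records):
    """Misuse detection: one alert per record/rule pair whose payload matches."""
    alerts = []
    for rec in records:
        for rule, pattern in SIGNATURES.items():
            if pattern.search(rec["payload"]):
                alerts.append({"src": rec["src"], "dst": rec["dst"], "rule": rule})
    return alerts


def packets_per_source(records):
    return Counter(rec["src"] for rec in records)


def build_baseline(records):
    """Characterise the 'noise': mean and population std-dev of packets per source."""
    counts = list(packets_per_source(records).values())
    return statistics.fmean(counts), statistics.pstdev(counts)


def anomalous_sources(records, baseline, k=3.0):
    """Sources whose packet count exceeds mean + k*stdev. The std-dev is floored
    at 1 so a perfectly uniform baseline does not turn every deviation into an alert."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)
    return {src: n for src, n in packets_per_source(records).items() if n > threshold}


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print("baseline: mean=%.1f stdev=%.2f" % base)
    for src, n in anomalous_sources(LIVE, base).items():
        print("ANOMALY   %s sent %d packets in the window" % (src, n))
    for alert in scan_signatures(LIVE):
        print("SIGNATURE %s -> %s matched %s" % (alert["src"], alert["dst"], alert["rule"]))
```

With this baseline (mean 10, std-dev about 1.41) the threshold is roughly 14 packets per window, so only the flooding host is reported as an anomaly, while the traversal request, a single packet that the rate model never sees, is caught only by the signature engine; the two engines cover different failure modes, which is why real deployments run both.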
INTRUSION PREVENTION SYSTEM
Host Based IPS
Network Based IPS
VIRTUAL PRIVATE NETWORK
A virtual private network (VPN) is a technology that creates an encrypted connection over a less secure network. The benefit of using a VPN is that it ensures the appropriate level of security for the connected systems when the underlying network infrastructure alone cannot provide it.
Any Q?
Thank you