INT 242 Network Attacks-1


Networking Basics

Introduction

Network is a term used for a group of systems.

To make two or more systems communicate with each other, we have to establish
networking between them.

If all the systems are in the network, they can send and receive data.
Need of Networking

File sharing.

Hardware sharing.

Application sharing.

User communication.

Network gaming.
Types of Network

We can make systems communicate with each other in a wired or wireless
network, but these networking methodologies can be divided into 3 types.

LAN (Local Area Network): a LAN can establish communication within a lab,
or within a building.

MAN (Metropolitan Area Network): a MAN can establish communication
between two or more LANs.

WAN (Wide Area Network): a WAN can establish communication globally.
IP Address

An IP address is also known as a logical address, or a unique identity address.

It is used to identify systems. Whenever a computer connects itself to the
internet or to a LAN, it gets one IP address.

That IP address is always unique in the network. That means that once an IP address
is assigned to a system in the network, it cannot be assigned to any other system.
The same holds on the internet: if one IP address has been assigned to one system, it
cannot be assigned to anyone else.
IP Versions

There are two versions of IP available.

IPv4 (Internet Protocol Version 4): IPv4 is a 32-bit addressing protocol.
The range of this IP starts from 0.0.0.0 and goes up to 255.255.255.255.

IPv6 (Internet Protocol Version 6): IPv6 is a 128-bit addressing protocol.
IPv6 addresses are written in eight groups of four hexadecimal digits
separated by colons, e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334
IP Types

An IP address can be divided into 2 types.

Internal IP: Whenever a computer connects itself with an internal network
(LAN), it gets an internal IP. This IP will be the identity of that particular
computer in the network.

External IP: Whenever a computer connects itself with the internet, it gets an IP
address from the ISP. This IP will be the identity of that particular computer over
the internet.
Types of Network Attacks

There are numerous types of attacks possible that can cause severe damage to
a network. The following are the major types of attacks/threats to a
network:
Packet Sniffing
IP Spoofing
ARP Spoofing
Session Hijacking
Eavesdropping
Attacks
Types of Cyber Attacks
Denial-of-Service (DoS) Attacks - are a type of network attack. A DoS attack results in some sort of interruption of
network services to users, devices, or applications. DoS attacks are a major risk because they can easily interrupt
communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an
unskilled attacker.

Sniffing - Sniffing is similar to eavesdropping on someone. It occurs when attackers examine all network traffic as it
passes through their NIC, whether or not the traffic is addressed to them. Criminals accomplish
network sniffing with a software application, a hardware device, or a combination of the two.

Spoofing - Spoofing is an impersonation attack, and it takes advantage of a trusted relationship between two systems. If
two systems accept the authentication accomplished by each other, an individual logged onto one system might not go
through an authentication process again to access the other system.
Man-in-the-middle - A criminal performs a man-in-the-middle (MitM) attack by intercepting
communications between computers to steal information crossing the network. The criminal
can also choose to manipulate messages and relay false information between hosts, since
the hosts are unaware that a modification to the messages occurred. MitM allows the
criminal to take control over a device without the user's knowledge.

Zero-Day Attacks - A zero-day attack, sometimes referred to as a zero-day threat, is a
computer attack that tries to exploit software vulnerabilities that are unknown or
undisclosed by the software vendor. The term zero hour describes the moment when
someone discovers the exploit.

Keyboard Logging - Keyboard logging is a software program that records or logs the
keystrokes of the user of the system. Criminals can implement keystroke loggers through
software installed on a computer system or through hardware physically attached to a
computer. The criminal configures the key logger software to email the log file. The
keystrokes captured in the log file can reveal usernames, passwords, websites visited, and
other sensitive information.
Packet Sniffing

Sniffer software works by capturing packets not destined for the sniffer system's MAC
address but rather for a target's destination MAC address. This is known as promiscuous
mode. Normally, a system on the network reads and responds only to traffic sent directly
to its MAC address. However, many hacking tools change the system's NIC to promiscuous
mode. In promiscuous mode, a NIC reads all traffic and sends it to the sniffer for processing.
Promiscuous mode is enabled on a network card with the installation of special driver
software. Many of the hacking tools for sniffing include a promiscuous-mode driver to
facilitate this process. Not all Windows drivers support promiscuous mode, so when using
hacking tools ensure that the driver will support the necessary mode.

Any protocol that doesn't encrypt data is susceptible to sniffing. Protocols such as
HTTP, POP3, Simple Network Management Protocol (SNMP), and FTP are most commonly
captured using a sniffer and viewed by a hacker to gather valuable information such
as usernames and passwords.
There are two different types of sniffing: passive and active. Passive sniffing involves listening and
capturing traffic, and is useful in a network connected by hubs; active sniffing involves launching an
Address Resolution Protocol (ARP) spoofing or traffic-flooding attack against a switch in order to
capture traffic. As the names indicate, active sniffing is detectable but passive sniffing is not
detectable.

In networks that use hubs or wireless media to connect systems, all hosts on the network can see all
traffic; therefore, a passive packet sniffer can capture traffic going to and from all hosts connected via
the hub. A switched network operates differently. The switch looks at the data sent to it and tries to
forward packets to their intended recipients based on MAC address.

The switch maintains a MAC table of all the systems and the port numbers to which they're connected.
This enables the switch to segment the network traffic and send traffic only to the correct
destination MAC addresses. A switched network has greatly improved throughput and is more secure
than a shared network connected via hubs.

Another way to sniff data through a switch is to use a span port or port mirroring to enable all data sent
to a physical switch port to be duplicated to another port. In many cases, span ports are used by
network administrators to monitor traffic for legitimate purposes.
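To make the hub/switch difference above concrete, here is an added simulation (example code, not part of the slides) of a hub that repeats every frame to every port and a switch that learns the port behind each source MAC and delivers unicast frames only there. It shows what a passive sniffer on a third port can see in each case, and how a SPAN (mirror) port brings the traffic back. All MACs, port numbers and payloads are constructed sample values.

```python
"""Hub versus switch delivery, simulated.

Added example, not code from the slides: a minimal model of a hub (which
repeats every frame to every other port) and a switch (which learns the port
behind each source MAC and delivers unicast frames only there). It shows why a
passive sniffer on port 3 sees the A->B traffic on a hub but not on a switch,
and why a SPAN/mirror port brings that traffic back. All MACs, ports and
payloads are constructed sample values.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


class Hub:
    """No MAC table: every frame is repeated to every port except the ingress port."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, frame):
        return sorted(self.ports - {in_port})


class Switch:
    """Learns source MAC -> port on ingress; unicast frames go only to the owning port."""

    def __init__(self, ports, span_port=None):
        self.ports = set(ports)
        self.mac_table = {}         # mac -> port
        self.span_port = span_port  # port mirroring, if configured

    def forward(self, in_port, frame):
        self.mac_table[frame.src_mac] = in_port
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            # Unknown destination: the switch floods like a hub. A switch whose
            # MAC table has been exhausted stays in this state, which is what
            # the traffic-flooding attack mentioned above relies on.
            out = self.ports - {in_port}
        else:
            out = {self.mac_table[frame.dst_mac]}
        if self.span_port is not None and self.span_port != in_port:
            out = out | {self.span_port}
        return sorted(out)


def who_sees(device, traffic):
    """Map each port to the payloads delivered to it. A NIC in promiscuous mode
    on a port can read exactly this list, and nothing more."""
    seen = {p: [] for p in device.ports}
    for in_port, frame in traffic:
        for port in device.forward(in_port, frame):
            seen[port].append(frame.payload)
    return seen


# Constructed sample: host A on port 1, host B on port 2, a sniffer on port 3.
A, B = "00:11:22:33:44:01", "00:11:22:33:44:02"
TRAFFIC = [
    (1, Frame(A, B, "A->B hello")),     # B not learned yet: a switch floods this one
    (2, Frame(B, A, "B->A reply")),     # A already learned: unicast to port 1
    (1, Frame(A, B, "A->B password")),  # B now learned: unicast to port 2
]

if __name__ == "__main__":
    print("hub, port 3    :", who_sees(Hub([1, 2, 3]), TRAFFIC)[3])
    print("switch, port 3 :", who_sees(Switch([1, 2, 3]), TRAFFIC)[3])
    print("span on port 3 :", who_sees(Switch([1, 2, 3], span_port=3), TRAFFIC)[3])
```

Note that even the switch delivers the very first frame to the sniffer's port, because the destination MAC had not been learned yet; segmentation only protects traffic once the table is populated, which is why monitoring for unexpected flooding is worthwhile on switched networks.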
Sniffing Countermeasures

The best security defense against a sniffer on the network is encryption. Although encryption
won't prevent sniffing, it renders any data captured during the sniffing attack useless
because hackers can't interpret the information. Encryption such as AES and RC4 or
RC5 can be utilized in VPN technologies and is commonly used to prevent sniffing on a
network.

Tools for countermeasures:
NetIntercept is a spam and virus firewall. It has advanced filtering options and can learn and adapt as it
identifies new spam. It also intercepts and quarantines the latest email viruses and Trojans, preventing a
Trojan from being installed and possibly installing a sniffer.

Sniffdet is a set of tests for remote sniffer detection in TCP/IP network environments. Sniffdet implements
various tests for the detection of machines running in promiscuous mode or with a sniffer.

WinTCPKill is a TCP connection termination tool for Windows. The tool requires the ability
to use a sniffer to sniff incoming and outgoing traffic of the target. In a switched network,
WinTCPKill can use an ARP cache-poisoning tool that performs ARP spoofing.
IP Spoofing

The creation of IP packets with a forged source address.
Its purpose is to conceal the identity of the sender or to impersonate another
computing system.

Uses of IP Spoofing

Denial-of-service attack: the goal is to flood the victim with overwhelming amounts of traffic.
This prevents an internet site or service from functioning efficiently
or at all, temporarily or indefinitely.

To defeat network security, such as authentication based on IP addresses.
This type of attack is most effective where trust relationships exist between
machines.
For example, some corporate networks have internal systems that trust each other: a
user can log in without a username or password as long as he is connecting from
another machine on the internal network. By spoofing a connection from a
trusted machine, an attacker may be able to access the target machine without
authenticating.

Defense against IP spoofing

Packet filtering: one defense against IP spoofing.
Ingress filtering: blocking packets arriving from outside the network that carry
a source address inside the network.
Egress filtering: blocking outgoing packets from inside the network that do not
carry an internal source address.
Encryption and authentication: IPsec may be an answer.
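The two filtering rules above, applied as an added example (not code from the slides) with Python's ipaddress module, which handles the 32-bit IPv4 and 128-bit IPv6 forms from the IP Versions section alike. The prefixes, interfaces and packets are constructed sample values taken from documentation ranges; a real border router expresses the same policy as access lists or unicast reverse-path forwarding checks.

```python
"""Ingress/egress anti-spoofing filter, simulated.

Added example, not code from the slides. Ingress: a packet arriving from the
internet may not carry a source address belonging to the site. Egress: a packet
leaving the site must carry one of the site's own source addresses. The
prefixes, addresses and packets are constructed sample values.
"""
import ipaddress

# Constructed: the address space this site owns.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),        # private (internal) IPv4 space
    ipaddress.ip_network("203.0.113.0/24"),    # the site's public IPv4 block
    ipaddress.ip_network("fd00::/8"),          # IPv6 unique local addresses
]


def is_internal(addr):
    """True if addr belongs to one of the site's prefixes (any IP version).
    ipaddress never matches a v6 address against a v4 network or vice versa."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(direction, src, dst):
    """Decide on one packet. direction is 'in' (from the internet) or 'out'
    (towards the internet). Returns (verdict, reason)."""
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return ("drop", "malformed address")
    if direction == "in" and is_internal(src):
        return ("drop", "ingress: external packet with internal source")
    if direction == "out" and not is_internal(src):
        return ("drop", "egress: internal packet with foreign source")
    return ("accept", "ok")


def apply_policy(packets):
    """Run filter_packet over (direction, src, dst) tuples; return the dropped ones."""
    dropped = []
    for direction, src, dst in packets:
        verdict, reason = filter_packet(direction, src, dst)
        if verdict == "drop":
            dropped.append((direction, src, dst, reason))
    return dropped


# Constructed traffic sample.
PACKETS = [
    ("in",  "198.51.100.7", "203.0.113.5"),   # normal inbound
    ("in",  "10.1.2.3",     "10.9.9.9"),      # spoofed: internal source from outside
    ("in",  "fd00::1",      "203.0.113.5"),   # spoofed: internal IPv6 source from outside
    ("out", "10.1.2.3",     "198.51.100.7"),  # normal outbound
    ("out", "192.168.5.5",  "198.51.100.7"),  # spoofed: a source the site does not own
    ("in",  "999.1.1.1",    "10.0.0.1"),      # not an address at all
]

if __name__ == "__main__":
    for entry in apply_policy(PACKETS):
        print("DROP", entry)
```

Egress filtering is what keeps a site from being the source of spoofed floods against others; ingress filtering is what keeps spoofed packets from abusing IP-based trust inside the site. Both are cheap and should be applied at every border, not only the main uplink.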
ARP Spoofing

A computer connected to an IP/Ethernet network has two addresses.
Address of the network card (MAC address):
Globally unique and unchangeable address stored on the network card.
The Ethernet header contains the MAC addresses of the source and the
destination computer.
IP address:
Each computer on a network must have a unique IP address to
communicate.
Virtual and assigned by software.
IP communicates by constructing packets.
Packets are delivered by Ethernet, which:
1. Adds an Ethernet header for delivery.
2. Splits the packets into frames.
3. Sends them down the cable to the switch.
4. The switch then decides which port to send the frame to, by
comparing the destination address of the frame to an internal
table which maps port numbers to MAC addresses.
When an Ethernet frame is constructed from an IP packet,
the sender has no idea what the MAC address of the destination
machine is. The only information available is the
destination IP address.
There must be a way for the Ethernet layer to find the
MAC address of the destination machine, given a
destination IP. This is where ARP, the Address Resolution
Protocol, comes in.
Figure 8-1: Address resolution and reverse address resolution
ARP Spoofing

Construct spoofed ARP replies.
A target computer could be convinced to send frames
destined for computer A to computer B instead.
Computer A will have no idea that this redirection took
place.
This process of updating a target computer's ARP cache is
referred to as ARP poisoning.
Defenses against ARP Spoofing

No universal defense.

Use static ARP entries:
Cannot be updated, so spoofed ARP replies are ignored.
The ARP table needs a static entry for each machine on the network.
Large overhead: deploying these tables and keeping them up to date.
Some point out that Windows still accepts spoofed ARP replies and updates the static
entry with the forged MAC, defeating the purpose of the static entries.

Port Security:
Also known as port binding or MAC binding.
A feature on some high-end switches.
Prevents changes to the MAC tables of a switch unless manually performed by a
network administrator.
Not suitable for large networks or networks using DHCP.

Arpwatch:
A free UNIX program which listens for ARP replies on a network.
Builds a table of IP/MAC associations and stores it in a file.
When a MAC/IP pair changes (a flip-flop), an email is sent to an
administrator.
Some programs, such as Ettercap, cause only a few flip-flops, which are
difficult to detect on a DHCP-enabled network, where flip-flops occur at
regular intervals.

RARP (Reverse ARP):
Requests the IP of a known MAC.
Can be used to detect MAC cloning: cloning is detected if multiple replies are
received for a single RARP request.
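The arpwatch-style detection and the static-entry defense described above, as an added example (not the arpwatch program and not code from the slides): a watcher that builds an IP/MAC table from observed ARP replies, reports every flip-flop, rejects replies that contradict a static entry instead of applying them, and lists any MAC currently paired with more than one IP. The ARP replies, addresses and timestamps are constructed sample values.

```python
"""ARP flip-flop detection in the style of arpwatch.

Added example, not the arpwatch program itself. Builds an IP -> MAC table
from ARP replies, records every change of pairing (a "flip-flop"), honours
optional static entries (a contradicting reply is rejected, not applied), and
reports MACs claimed by more than one IP. All data below is constructed.
"""
from collections import defaultdict

# Constructed ARP reply log: (timestamp, sender IP, sender MAC)
ARP_REPLIES = [
    (0,  "10.0.0.1",  "aa:aa:aa:aa:aa:01"),   # gateway
    (1,  "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (2,  "10.0.0.21", "aa:aa:aa:aa:aa:21"),
    (30, "10.0.0.1",  "AA:AA:AA:AA:AA:21"),   # gateway IP now paired with .21's MAC
    (31, "10.0.0.20", "aa:aa:aa:aa:aa:21"),   # .20 also paired with .21's MAC
    (60, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),   # gateway pairing restored
]


class ArpWatcher:
    def __init__(self, static=None):
        # Static entries are authoritative and are never overwritten.
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(self.static)   # ip -> last accepted mac
        self.events = []                 # (ts, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()                # MACs compare case-insensitively
        if ip in self.static:
            if mac != self.static[ip]:
                self.events.append((ts, "rejected_static", ip, self.static[ip], mac))
            return
        old = self.table.get(ip)
        if old is None:
            self.events.append((ts, "new_station", ip, None, mac))
        elif old != mac:
            self.events.append((ts, "flip_flop", ip, old, mac))
        self.table[ip] = mac

    def flip_flops(self):
        return [e for e in self.events if e[1] == "flip_flop"]

    def rejected(self):
        return [e for e in self.events if e[1] == "rejected_static"]

    def shared_macs(self):
        """MACs currently paired with more than one IP. One MAC answering for
        several IPs at the same time is a typical sign of poisoning."""
        owners = defaultdict(list)
        for ip, mac in self.table.items():
            owners[mac].append(ip)
        return {m: sorted(ips) for m, ips in owners.items() if len(ips) > 1}


def watch(replies, static=None):
    """Feed a reply log through a watcher and return it for inspection."""
    w = ArpWatcher(static)
    for ts, ip, mac in replies:
        w.observe(ts, ip, mac)
    return w


if __name__ == "__main__":
    w = watch(ARP_REPLIES)
    for ts, _, ip, old, new in w.flip_flops():
        print("flip-flop at t=%d: %s %s -> %s" % (ts, ip, old, new))
    print("shared MACs:", w.shared_macs())
```

On a DHCP network a flip-flop by itself is noise, as the slides note; the shared_macs view is the more useful alert there, because a lease change moves an IP to a new MAC but does not make one MAC answer for the gateway and a workstation at the same time.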
Session Hijacking

Session hijacking is when a hacker takes control of a user session after the user has
successfully authenticated with a server. Session hijacking involves an attacker
identifying the current session IDs of a client/server communication and taking
over the client's session. Session hijacking is made possible by tools that perform
sequence-number prediction. The details of sequence-number prediction will be
discussed later in this chapter in the sequence prediction section.

Spoofing attacks are different from hijacking attacks. In a spoofing attack, the
hacker performs sniffing and listens to traffic as it's passed along the network
from sender to receiver. The hacker then uses the information gathered to spoof
or use an address of a legitimate system. Hijacking involves actively taking
another user offline to perform the attack. The attacker relies on the legitimate
user to make a connection and authenticate. After that, the attacker takes over
the session, and the valid user's session is disconnected.

Hackers can use two types of session hijacking: active and passive.
The primary difference between active and passive hijacking is the
hacker's level of involvement in the session. In an active attack, an
attacker finds an active session and takes over the session by using
tools that predict the next sequence number used in the TCP
session.

In a passive attack, an attacker hijacks a session and then watches and
records all the traffic that is being sent by the legitimate user.
Passive session hijacking is really no more than sniffing. It gathers
information such as passwords and then uses that information to
authenticate as a separate session.
Reasons for Session Hijacking :
No Standards for Maintaining State

Session Tracking and State information at Client

Hacking Tools
Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on
Linux operating systems and can be used to watch for all network traffic, or it can be
given a keyword such as a password to look for. The program shows all active network
connections, and the attacker can then choose a session to hijack.
Hunt is a program that can be used to sniff and hijack active sessions on a network.
Hunt performs connection management, Address Resolution Protocol (ARP) spoofing,
resetting of connections, monitoring of connections, Media Access Control (MAC)
address discovery, and sniffing of TCP traffic.
How to Prevent Session Hijacking
Session Identifiers Should Be Unique
Session Identifiers Should Not be Guessable
Session Identifiers Should Be Independent
Session Identifiers Should be Mapped with Client-Side
Use encryption.
Use a secure protocol.
Limit incoming connections.
Minimize remote access.
Have strong authentication.
Educate your employees.
Maintain different username and passwords for different accounts.
Use Ethernet switches rather than hubs to prevent session hijacking attacks. Connections
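The session-identifier rules in the prevention list above (unique, unguessable, independent, mapped to the client side), as an added example that is not code from the slides: a small server-side session store that generates IDs with Python's secrets module, binds each session to client-side attributes and an expiry, and revokes the session when a presented ID arrives with a different binding. weak_session_id shows the sequential pattern the list warns against. The fingerprint inputs, TTL and sample clients are constructed values.

```python
"""Session identifiers: weak versus hardened.

Added example, not code from the slides. The store creates unguessable IDs,
binds them to the client, expires them, and treats a binding mismatch as a
hijack attempt. All client values and the TTL are constructed.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds; constructed value


def weak_session_id(counter):
    """Predictable: seeing one ID lets anyone guess its neighbours."""
    return "sess-%06d" % counter


def strong_session_id():
    """128 bits from the OS CSPRNG, unrelated to user, time or request count."""
    return secrets.token_urlsafe(16)


def client_fingerprint(client_ip, user_agent):
    """Client-side attributes the session is bound to at creation."""
    return hashlib.sha256(("%s|%s" % (client_ip, user_agent)).encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing expiry
        self.sessions = {}          # session id -> {"user", "fp", "expires"}

    def create(self, user, client_ip, user_agent):
        sid = strong_session_id()
        while sid in self.sessions:  # guarantee uniqueness even on a collision
            sid = strong_session_id()
        self.sessions[sid] = {
            "user": user,
            "fp": client_fingerprint(client_ip, user_agent),
            "expires": self.clock() + SESSION_TTL,
        }
        return sid

    def validate(self, sid, client_ip, user_agent):
        """Return (user, 'ok') or (None, reason). Any mismatch ends the session."""
        s = self.sessions.get(sid)
        if s is None:
            return (None, "unknown session id")
        if self.clock() > s["expires"]:
            del self.sessions[sid]
            return (None, "expired")
        presented = client_fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(s["fp"], presented):
            # Same ID from a different client: revoke it rather than serve it.
            del self.sessions[sid]
            return (None, "client binding mismatch")
        return (s["user"], "ok")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "192.0.2.10", "Mozilla/5.0")
    print("weak  :", weak_session_id(41), weak_session_id(42))
    print("strong:", sid)
    print("same client   :", store.validate(sid, "192.0.2.10", "Mozilla/5.0"))
    print("other client  :", store.validate(sid, "198.51.100.9", "Mozilla/5.0"))
```

Binding to the client IP can log out legitimate users whose address changes (mobile clients, proxies); many deployments bind to the user agent plus a cookie-scoped secret instead. The binding limits the damage of a leaked ID; keeping the ID from leaking in the first place still depends on the encryption and secure-protocol items in the list above.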
Eavesdropping
Eavesdropping is the unauthorized real-time interception of a
private communication, such as a phone call, instant message,
videoconference or fax transmission. The
term eavesdrop derives from the practice of actually standing
under the eaves of a house, listening to conversations inside.
VoIP systems that don't use encryption make it relatively easy for
an intruder to intercept calls.
Eavesdropping is easier to perform with IP-based calls than with TDM-based calls.
Any protocol analyzer can pick up and record the calls without being observed by
the callers. There are software packages for PCs that will convert digitized
voice from standard CODECs into WAV files.
The speakerphone function can be turned on remotely, with the caller on
mute so that there is no sound coming from the phone. This has happened
with some IP phones in executives' offices. Their offices can be listened to
without their knowledge.
PCs and laptops that have microphones attached or integrated into them can
be enabled as listening devices without the user's knowledge. There is a
rootkit available for this purpose.
