The OSI layer, its application to TCP/IP and the fundamentals of routing
Squire James
eamonn@relative-networks.com
OSI, TCP, IP, TCP/IP, networking, model, security, stack, layers
The OSI layer, its application to TCP/IP and the fundamentals of routing
By Squire James
1.1 Introduction
2.1 The OSI Stack
3.1 How the layers function
3.1.1 The exchange of information
3.1.2 The Application Layer
3.1.3 The Presentation Layer
3.1.4 The Session Layer
3.1.5 The Transport Layer
3.1.6 The Network Layer
3.1.6.1 Logical Addresses
3.1.7 The Data-Link layer
3.1.7.1 The LLC Sublayer
3.1.7.2 The MAC Sublayer
3.1.7.3 Physical Addresses
3.1.8 The Physical Layer
4.1 The formation of a transmitted unit of information
5.1 Just what is a protocol?
6.1 So, how does TCP/IP work, how does it relate to the OSI Stack, and how could I gain the information needed at the start of a hack?
6.1.1 Section Introduction
6.1.2 IP and the DoD Model
6.1.3 The TCP/IP Protocol Suite
6.1.4 The structure of IP Networks
6.1.5 Reserved Addresses on an IP Network
6.1.6 Routing and Server "Chasing" on a network
6.1.6.1 ARP and RARP
6.1.6.2 Basic Routing on a Network
6.1.6.2.1 Static Routes, Dynamic Routes, Routes of Last Resort and Routing Tables
6.1.6.2.2 The act of routing packets
6.1.6.2.2.1 The transmitting host
6.1.6.2.2.2 The routing host
6.1.6.2.2.3 The receiving host
6.1.6.3 "Chasing" the server down
6.1.6.4 Problems that you may come across
7.1 What I've actually explained here
8.1 Final Shout
1.1 Introduction
This file explains the OSI Stack and its application in a TCP/IP environment. This is not intended to be a complete or definitive article on any of the topics covered, but hopefully the reader will come away with some understanding of how networks get data from one computer, out onto the wire, and up into another.

As always, I do not support or take responsibility for the actions of any individual or group based on any information provided in this document. All information presented here is for educational use only.
2.1 The OSI Stack
Back in the early 1980s a problem within networking was discovered. LANs and WANs, especially those based on a mainframe/terminal system, were becoming more and more common, and people wanted to combine their networks into large internetworks. This presented a problem, as there were a number of vendors supplying networking solutions to the internetworking community using their own particular methodology (e.g. IBM's Systems Network Architecture and Digital's DNA, the architecture behind DECnet). To this end the OSI (Open Systems Interconnection) Reference Model was developed and released in 1984 by the International Organization for Standardization (ISO). The model is the de jure standard for internetworking, i.e. the one written down in the standards. In practice the OSI protocols themselves were barely implemented; TCP/IP, which predates the model, is what actually runs, and the seven-layer model survives mainly as the vocabulary everybody uses to describe a protocol stack. Each layer in this system is pretty much a separate entity in its own right, so that a change or update can be made at one layer without adversely affecting another. The OSI Reference Model allows us to;
1. Write new applications that work to a standard, thus cutting down on the consultancy and testing time involved
2. Support communication over different/older media
3. Allow centralised and standardised support and troubleshooting
4. Allow a reliable service to be maintained
The concept resulted in seven layers being created, with each layer being responsible for performing a different set of tasks. The layers are;
Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport
Layer 3 - Network
Layer 2 - Data-Link (containing the MAC and LLC sublayers), and
Layer 1 - Physical
The usual way to remember the order from the top down is the phrase "All People Seem To Need Data Processing"; if you prefer to start at the wire, "Please Do Not Throw Sausage Pizza Away" gives you the same layers from the bottom up. Either one is the kind of phrase people won't forget in a hurry.
You'll notice that the Data-Link layer has two sublayers, named MAC and LLC. The split is not an OSI invention but an IEEE one: the IEEE 802 committee put one common Logical Link Control (802.2) on top of several different Media Access Control methods (802.3 Ethernet, 802.5 Token Ring and so on), so that the protocols above talk to a single LLC interface regardless of the medium underneath, rather than being written eight times over.
3.1 How the layers function
Each layer on the OSI stack is responsible for a certain function, or group of functions. The top three layers (Application through Session) are generally implemented inside the application itself, so the user inherently has some level of control; the remaining four layers are usually handled by the operating system's network stack and the NIC.
It can be quite difficult to envisage the stack performing some of the functions that it does, and at this level it is generally easier to imagine a "grey area" between each layer, where the upper AND the lower layers have some influence. Confusing, I know, but trust me, I used to be a doctor.......
3.1.1 The exchange of information
An exchange of information occurs at every level of the OSI Model. This "layer level" information is sent in the form of either a header or a trailer (footer). Each layer takes what it receives from the layer above, treats the whole thing as one opaque lump of data, attaches its own header (and, for Ethernet, a trailer carrying the frame check sequence) and passes the result down.
This method of wrapping data is called encapsulation. In a real TCP/IP stack the headers you will actually see on the wire are those of the transport (TCP/UDP), network (IP) and data-link (Ethernet) layers; the application may add its own (an SMTP command or an HTTP request line is, in effect, an application header), and the physical layer adds no header at all, only line coding and a preamble. When the receiving computer receives the packet, it strips the header off at each layer and passes the remaining data "up the stream." Once it gets to the presentation layer, the presentation layer's encoding is undone and the data is passed to the application layer as the original data.
3.1.2 The Application Layer
The application layer is generally the only layer that a user will operate in. It provides services directly to applications: it can determine resource availability, synchronise communications and identify communication partners. TCP/IP protocols that work at this layer include FTP, Telnet, SMTP and POP3.
3.1.3 The Presentation Layer
The presentation layer is the only layer that is allowed to change the representation of the data itself. It looks after the coding and conversion details (character sets, byte order, serialisation formats) and ensures that information sent to another system will be readable by that system. Common examples include JPEG, GIF, TIFF, DOC, MPEG and MP3.
Data compression and encryption are also placed at this layer in the OSI model. Bear in mind that in the TCP/IP world encryption does not actually live here: SSL/TLS sits between the application and TCP, and IPsec is applied at the network layer, so "layer 6 encryption" is a textbook position rather than a place you will find code.
3.1.4 The Session Layer
This layer establishes, maintains and terminates communication between presentation layer entities. These service requests and responses are co-ordinated by protocols that exist at the Session Layer, such as AppleTalk's Zone Information Protocol (ZIP), DECnet's Session Control Protocol (SCP) and the AppleTalk Name Binding Protocol (NBP), the service that co-ordinates name binding.
3.1.5 The Transport Layer
The transport layer is responsible for the transfer of information across an internetwork in a way that is transparent to the upper layers. Where a reliable service is required, it maintains the reliability of these connections in a number of ways;
1. Flow control, to ensure that the sending host does not send information faster than the receiving host can process it
2. Multiplexing, to allow data from multiple applications to be transmitted across a single link
3. Virtual circuits between hosts are established, maintained and terminated by this layer
4. Error checking, to detect transmission errors
5. Error recovery, to request retransmission of erroneous or missing data
The main protocol from the TCP/IP suite that resides at this level is TCP itself. The difference between TCP and UDP, the other protocol at this layer, is how much of the above each one bothers with. TCP is a reliable, connection-oriented protocol: it numbers every byte, acknowledges what arrives, retransmits what doesn't and delivers data in order. UDP is a connectionless, unreliable protocol: it adds ports and an optional checksum to a datagram and leaves everything else to the application. Each host has 65,536 port numbers (0 to 65535, i.e. 2 to the power of 16) for TCP and, separately, the same range again for UDP. A port can normally only be bound by a single process at a time. For example, a telnet server/service will listen on TCP port 23 (which is a different thing to UDP port 23), and while the service is running no other process can bind TCP port 23. There are a number of "well-known" ports that are used by convention; DNS, for example, is usually active on both TCP and UDP port 53. Trojans such as Back Orifice listen on a certain port on the host and wait for a connection to be established; other remote control programs, such as PCAnywhere, operate in the same way. Administrators who need to have telnet active purely for administrative purposes will quite often reconfigure telnet to listen on another port, to make it a little harder for a hacker to find. Be clear about what that buys you: a port scanner that walks all 65,535 ports, followed by a banner grab, will find the service in minutes, so moving the port only filters out the laziest attackers. It is not a substitute for restricting who can connect.
Commonly used ports
TCP ports
FTP - 21
Telnet - 23
SMTP - 25
DNS - 53
UDP ports
DNS - 53
TFTP - 69
SNMP - 161
RIP - 520
3.1.6 The Network Layer
The network layer allows multiple data links to be combined into an internetwork (i.e. this is the layer that logically defines a network, and which hosts are in that network).
The protocol that actually lives at this layer in the TCP/IP suite is IP (Internet Protocol), along with ICMP, which carries IP's error and diagnostic messages. It is worth being precise about the word "routing" here. IP is a routed protocol: its packets get forwarded from network to network. The routing protocols that discover paths and fill in the routing tables, such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP), are separate protocols that ride on top of it (RIP inside UDP, BGP inside TCP, OSPF directly inside IP as protocol 89).
3.1.6.1 Logical Addresses
A logical address is an address that is (generally) assigned to a NIC (Network Interface Card) by configuration rather than burned into it. This allows an administrator to dictate which network a PC belongs to. It also allows for the provisioning of multihomed hosts (i.e. machines with more than one network layer address, usually on more than one interface), which may be used to route between networks. Note the word: a host joining two networks at layer 3 is routing, not bridging; bridging is a data-link layer function that joins two segments into one network.
3.1.7 The Data-Link layer
The Data-Link layer's role is to provide the transmission of data across a single physical network link. Physical addressing is used at this level to tie a transmission to one particular interface on that link. This layer can also define topology requirements (bus, ring, star, mesh). Error notification at this level lets the upper layers know when a problem with transmission has occurred, whilst the sequencing function, where the link protocol has one, reorders frames that were transmitted out of sequence. Flow control can also be used at this level. How much of this a given link actually does varies: Ethernet, the one you will meet most, detects corrupted frames with a checksum and simply drops them, leaving recovery to TCP.
The Institute of Electrical and Electronics Engineers (IEEE) subdivided the Data-Link layer into two sublayers, which has now become the adopted standard.
3.1.7.1 The LLC Sublayer
The Logical Link Control sublayer (LLC) manages potentially numerous communications over a single network link, telling the protocols above apart by the service access point (SAP) numbers carried in its header. It is defined in the IEEE 802.2 specification (for all you Novell junkies out there, that is the "Ethernet_802.2" frame type). The 802.2 standard supports both connectionless and connection-oriented services.
3.1.7.2 The MAC Sublayer
The Media Access Control (MAC) sublayer manages the access of a protocol to the physical network medium (e.g. Ethernet cable), deciding when a station may transmit. The IEEE MAC specification defines MAC addresses (also known as physical or hardware addresses), which allow multiple devices to identify one another at the Data-Link layer.
3.1.7.3 Physical Addresses
Physical addresses are burned into a card, much like a serial number. These addresses are 6 bytes (48 bits) long and are written in hexadecimal. The first three bytes are the Organizationally Unique Identifier (OUI), which identifies the card manufacturer, and the last three bytes are a number the manufacturer assigns uniquely to each card it makes; together they give a globally unique card identifier. Two bits in the first byte have special meanings: the lowest bit set means the address is a group (multicast) address rather than an individual one, and the next bit up set means the address is locally administered, i.e. it was set by software rather than by the manufacturer. That second bit is worth remembering, because a machine whose MAC has it set has usually had its address changed by hand. If you look at a NIC, it will generally have the MAC address written like this;
1A 4F 33 FF A3 B0
The physical address is what gets a frame to the right card on the local wire; it means nothing beyond the nearest router. That is why every computer also needs a logical address (a TCP/IP or IPX/SPX address) for routing between networks, and why a host needs a way to translate between the two. This will be covered more in the TCP/IP section, when I cover routing, ARP and RARP requests.
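As an added example (not part of the original article), here is the decoding of a MAC address described above, run over a small constructed ARP cache listing of the kind `arp -a` prints. The OUI table is a made-up stand-in holding three real IEEE prefixes; a real tool would load the IEEE registry.

```python
"""Decode a 48-bit MAC address into its OUI and vendor-assigned halves and the
two flag bits in the first byte, then apply that to an ARP cache listing.

Added example, not from the article. OUI_TABLE is a constructed stand-in with
a few real IEEE prefixes; a real tool would load the full IEEE registry."""
import re

# Constructed lookup table: three real, well-known OUIs, enough for the demo.
OUI_TABLE = {
    "00:00:0c": "Cisco",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox (PCS Systemtechnik)",
}


def parse_mac(text):
    """Accept '1A 4F 33 FF A3 B0', '1a:4f:33:ff:a3:b0', '1a-4f-33-ff-a3-b0' or
    Cisco-style '1a4f.33ff.a3b0' and return the six raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError("a MAC address needs exactly 12 hex digits: %r" % text)
    return bytes.fromhex(digits)


def describe_mac(text):
    raw = parse_mac(text)
    canonical = ":".join("%02x" % b for b in raw)
    oui = canonical[:8]                  # first three bytes: Organizationally Unique Identifier
    first = raw[0]
    return {
        "canonical": canonical,
        "oui": oui,
        "nic_specific": canonical[9:],   # last three bytes: assigned by the vendor
        "vendor": OUI_TABLE.get(oui, "unknown"),
        # bit 0 of byte 0: 0 = individual (unicast), 1 = group (multicast, or broadcast)
        "multicast": bool(first & 0x01),
        "broadcast": raw == b"\xff" * 6,
        # bit 1 of byte 0: 0 = globally unique (burned in), 1 = locally administered
        "locally_administered": bool(first & 0x02),
    }


def review_arp_cache(entries):
    """entries: (ip, mac) pairs as listed by `arp -a`. Returns the things worth a
    second look: addresses set by software rather than burned in, and one card
    answering for several IP addresses (a router, a VRRP pair, or a spoofer)."""
    notes = []
    by_mac = {}
    for ip, mac in entries:
        info = describe_mac(mac)
        by_mac.setdefault(info["canonical"], []).append(ip)
        if info["locally_administered"] and not info["multicast"]:
            notes.append("%s: %s is locally administered" % (ip, info["canonical"]))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            notes.append("%s answers for %d addresses: %s" % (mac, len(ips), ", ".join(ips)))
    return notes


if __name__ == "__main__":
    print(describe_mac("1A 4F 33 FF A3 B0"))
    # Constructed ARP cache, in the spirit of `arp -a` output
    for note in review_arp_cache([("192.168.0.1", "1a-4f-33-ff-a3-b0"),
                                  ("192.168.0.241", "00-00-0c-07-ac-01"),
                                  ("192.168.0.99", "00-00-0c-07-ac-01")]):
        print(note)
```

Note that the article's own sample address, 1A 4F 33 FF A3 B0, has the locally-administered bit set (0x1A has bit 1 on), so a real card with that address would itself be worth a second look.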
3.1.8 The Physical Layer
This layer is responsible for actually getting the raw bitstream onto the network media. As such, it defines characteristics such as voltage levels, the timing of a voltage change, physical data rates, maximum transmission distances and physical connectors.
Physical layer, Data-Link layer and Network layer specifications do not necessarily need to be LAN based; they exist as either LAN or WAN implementations.
4.1 The formation of a transmitted unit of information
As a packet of information moves down the OSI layers to eventually be transmitted "across the wire" it goes through some changes, most of which are the result of headers or footers applied to it. There is a de facto standard for the names a unit of data is given at the various stages;
Layer #   Layer name     Unit of information
7         Application    User information/data
6         Presentation   Data
5         Session        Data
4         Transport      Segment (TCP) or datagram (UDP)
3         Network        Packet
2         Data-Link      Frame
1         Physical       Bits/bitstream
Other terms for data include;
datagram   a packet at the network layer (or a UDP message at the transport layer) that uses a connectionless service
message    another term for an information unit existing above the network layer, although this term is generally only applied at the application layer
cell       a fixed-length unit of information at the Data-Link layer, used by WAN technologies such as ATM (53 bytes)
data unit  the generic term for data at any level
Remember: in a model that uses encapsulation, each layer only understands its own header/footer and treats everything inside it as opaque payload. The Data-Link layer, for example, does not look into the packet header that the Network layer put there; it just carries it. (This is also why a device that only looks at layer 2 or 3 cannot tell you what the application is doing.)
Naturally, when the data "comes out the other end" at the receiving computer, it then follows the OSI stack from bottom to top (i.e. going from bitstream to user information).
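To make the encapsulation of sections 3.1.1 and 4.1 concrete, here is an added example (not from the original article) that wraps a few bytes of telnet data into a segment, a packet and a frame, then unwraps them layer by layer with each layer reading only its own header. The MACs, ports, sequence number and payload are made up; Joe's 192.168.0.1 and telnet.demo.com's 203.55.57.29 are the article's own addresses. The IPv4 header checksum is computed for real; the TCP checksum is left at zero because a real stack computes it over a pseudo-header this demo does not model.

```python
"""Encapsulate a few bytes of telnet data into a TCP segment, an IPv4 packet
and an Ethernet frame, then decapsulate them one layer at a time, each layer
reading only its own header.

Added example, not from the article. Joe (192.168.0.1) and telnet.demo.com
(203.55.57.29) are the article's addresses; the MACs, ports, sequence number
and payload are made up. The IPv4 header checksum is computed for real; the
TCP checksum is left at zero (a real stack computes it over a pseudo-header)."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_bytes(text):
    return bytes(int(o) for o in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip_checksum(header):
    """RFC 1071: one's-complement sum of 16-bit words, folded, then inverted.
    Run over a header that already holds its checksum, it returns 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port, dst_port, seq, payload):
    # 20-byte header: data offset 5 words, flags PSH|ACK, window 8192, checksum 0, urgent 0
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return header + payload                       # segment


def build_ipv4(src_ip, dst_ip, ttl, segment):
    # 20-byte header with the checksum slot zeroed, then the real checksum patched into bytes 10-11
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         ttl, PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment                       # packet


def build_ethernet(src_mac, dst_mac, packet):
    # 14-byte header: destination MAC, source MAC, EtherType; the packet is opaque payload
    return struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4) + packet


def decapsulate(frame):
    """Walk back up the stack, returning what each layer saw."""
    layers = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    layers["ethernet"] = {"src": mac_text(src_mac), "dst": mac_text(dst_mac)}
    packet = frame[14:]
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src_ip, dst_ip = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("corrupt IPv4 header")
    layers["ip"] = {"src": ip_text(src_ip), "dst": ip_text(dst_ip), "ttl": ttl, "proto": proto}
    segment = packet[ihl:total_len]               # total_len drops any Ethernet padding
    if proto != PROTO_TCP:
        raise ValueError("not TCP: protocol %d" % proto)
    src_port, dst_port, seq, _ack, offset_byte = struct.unpack("!HHIIB", segment[:13])
    layers["tcp"] = {"src_port": src_port, "dst_port": dst_port, "seq": seq}
    layers["data"] = segment[(offset_byte >> 4) * 4:]
    return layers


def telnet_frame():
    """Joe's first bytes toward telnet.demo.com, as they leave his NIC (constructed)."""
    segment = build_tcp(1025, 23, 1000, b"login: ")
    packet = build_ipv4("192.168.0.1", "203.55.57.29", 64, segment)
    return build_ethernet("1a:4f:33:ff:a3:b0", "00:00:0c:07:ac:01", packet)


if __name__ == "__main__":
    frame = telnet_frame()
    print(len(frame), "bytes on the wire")
    for name, seen in decapsulate(frame).items():
        print("%-9s %s" % (name, seen))
```

Seven bytes of user data become 61 bytes on the wire (14 Ethernet, 20 IP, 20 TCP), and flipping a single bit in the IP header is enough for decapsulate to reject the packet, which is all the protection IP's own checksum gives you.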
5.1 Just what is a protocol?
A protocol is a set of rules that defines how data is packaged to eventually become a bitstream and get transmitted, and what the other end must do with it. The easiest way to think of a protocol is to look at it as a language. If you walked up to somebody who spoke Russian and tried to talk to them in English, it just wouldn't work. The same goes for protocols: a computer that transmits with TCP/IP cannot communicate with a computer running only IPX/SPX, even though both are on the same Ethernet.
There are a number of protocols in use today, some routable, some not (NetBEUI, for instance, has no network layer address and so cannot be routed), and people choose which protocol to use depending on a number of factors. The classic argument was performance: IPX/SPX was said to move big files faster than TCP/IP on a LAN (God only knows why that would be your main goal, but work with me ;-), and since IPX/SPX is routable just like TCP/IP, you would choose it if it really did perform better in the area you required. In truth the size of a frame is set by the link layer (an Ethernet frame carries at most 1500 bytes of payload whichever protocol is inside it), so whatever differences there were came from protocol overhead and implementation quality rather than frame size.
The reality of the situation, however, is that PCs are so fast today that small protocol limitations hardly have any effect on the productivity of a system. This, coupled with the fact that you require TCP/IP to access the internet, has made it the 99.9% option of choice for (inter)networks.
6.1 So, how does TCP/IP work, how does it relate to the OSI Stack, and how could I gain the information needed at the start of a hack?
6.1.1 Section Introduction
I thought that I'd better start this off by explaining what's going to be contained in this section. I am not here to give anybody step-by-step instructions on hacking systems; there are so many white papers out there at the moment that it's not funny. What I have noticed is that nobody has told anybody how to get the details that you need before trying an attack. For example, everybody knows how to create a BSOD on a Windows NT server, it's straightforward (not that I'd call that hacking). People also know how to grab password hashes and have programs to crack them. What I'm talking about here is how you get to the server that you want. Let's say the server is on another subnet. How do you find out how to get there? The same goes for getting past routers, which is the first thing that you have to do. If you don't have local access to the server, then you're going to need shitloads of bandwidth or a lot of time. I'm also not here to talk about port sniffing, or trojans, or any of that other stuff. That will come later (if I can be bothered - except for the trojans bit, they're lame). I'm not going to talk about using a SOCKS proxy on port 1080 to ride somebody else's IP address either; that too will come in a later paper. I will explain how you can build a picture of a network, and how to "chase" a server across multiple networks that have been set up to segregate the LANs. Just remember that a true hack (not a crash of a system) takes a long time to execute, and you really do need either a lot of manpower or a lot of time, especially if you don't have local access.
6.1.2 IP and the DoD Model
TCP/IP grew out of research funded by the US Department of Defense (DoD) through DARPA, with the aim of producing a sturdy and robust protocol suite that would keep communications going even when parts of the network were lost. If a TCP/IP network is implemented correctly it is extremely dependable and reliable.
The DoD model for TCP/IP is a 4-layer model, because it was created before the OSI reference model. The four layers map onto the seven OSI layers like this;
DoD Model               OSI Reference Model
Process/Application     Application
                        Presentation
                        Session
Host-to-Host            Transport
Internet                Network
Network Access          Data-Link
                        Physical
For much of this discussion on TCP/IP we will use the DoD model, as it provides a more natural distribution of the services.
6.1.3 The TCP/IP Protocol Suite
DoD Model               Protocols at that level
Process/Application     Telnet, FTP, LPD, SNMP, TFTP, SMTP, DNS, BOOTP, X Window
Host-to-Host            TCP, UDP
Internet                IP, ICMP
                        (ARP and RARP sit between this layer and the one below: they carry IP addresses, but travel in raw Ethernet frames, not inside IP packets)
Network Access          Ethernet, Fast Ethernet, Token Ring, FDDI
6.1.4 The structure of IP Networks
We're not going to be covering too much of the upper two layers of the DoD model, as these areas tend to be concerned with the actual application of a hacking methodology.
Hopefully, before I start this section, you have all read my paper on subnetting within IP networks, which has been published in issue #11 of Black Box (http://black.box.sk).
As we all know, there are three classes of addresses in everyday use by machines running TCP/IP (A, B and C; D is multicast and E is reserved). Strictly speaking, classes went out with CIDR (RFC 1519) and it is the prefix length, written /24 and so on, that defines a network now, but the class names are still used as shorthand. Whilst an internal network will generally be numbered out of a whole private range (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, the RFC 1918 ranges, which is where the old "use a whole class A or B internally" advice comes from), a company will generally only have a small number of public addresses, carved out of a subnet, that connect directly to the internet. I am assuming at this point that the hacker has got past any firewall/router and is directly connected to the network. There are a couple of methods for finding out IP addresses and subnet masks, although you should pick up this information as you hack through/bypass a router. A packet sniffer is generally the easiest way to get logical network addresses: every ARP request broadcasts a live address, and the gateway gives itself away as the MAC that everything non-local is sent to.
For this exercise we will assume a class C network, 192.168.0.0/24. Within every IP network there are two reserved addresses, the first and the last addresses in the network. Our network appears as such in dotted decimal notation;
192.168.0.0 (IP address)
255.255.255.0 (subnet mask)
Looking at the subnet mask, we automatically know that 192.168.0 is our network ID, and the final octet represents our hosts. This octet, being an 8-bit number, has 256 available values (0-255), therefore the first and last IP addresses (192.168.0.0 & 192.168.0.255) are reserved and 254 are left for hosts.
Working this out can be pretty tricky in the case of a subnetted network, where the mask does not fall on an octet boundary, so I'd advise you to download an IP calculator that lets you enter an IP address and a subnet mask and returns the entire network range.
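Rather than download one, here is the IP calculator itself as an added example (not from the original article): network ID, broadcast and usable host range for any address and mask, plus the same-subnet test a host performs before deciding whether to ARP for a destination or hand it to a router. The 192.168.0.0/24 case is the article's own; the subnetted cases in the self-test are made up.

```python
"""IP calculator: network, broadcast and usable host range for any address and
mask, plus the same-subnet test (the logical AND a host does before deciding
whether to ARP for the destination or send to a router).

Added example, not from the article. The 192.168.0.0/24 case is the article's
own; the subnetted cases in the self-test are made up."""


def ip_to_int(text):
    octets = [int(o) for o in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % text)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask_text):
    """Accept '255.255.255.0', '/24' or '24'; reject non-contiguous masks like 255.0.255.0."""
    mask_text = mask_text.lstrip("/")
    if mask_text.isdigit():
        prefix = int(mask_text)
    else:
        mask = ip_to_int(mask_text)
        prefix = bin(mask).count("1")
        if mask != prefix_to_mask(prefix):
            raise ValueError("non-contiguous subnet mask: %s" % mask_text)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length out of range: %s" % mask_text)
    return prefix


def subnet_info(addr_text, mask_text):
    prefix = mask_to_prefix(mask_text)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr_text) & mask            # the AND that finds the network ID
    broadcast = network | (~mask & 0xFFFFFFFF)       # host bits all ones
    if prefix >= 31:
        # /31 point-to-point links (RFC 3021) and /32 host routes reserve nothing
        first, last, hosts = network, broadcast, 2 ** (32 - prefix)
    else:
        first, last, hosts = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2
    return {"network": int_to_ip(network), "mask": int_to_ip(mask), "prefix": prefix,
            "broadcast": int_to_ip(broadcast), "first_host": int_to_ip(first),
            "last_host": int_to_ip(last), "usable_hosts": hosts}


def same_subnet(a_text, b_text, mask_text):
    """True when both addresses AND to the same network ID under the given mask."""
    mask = prefix_to_mask(mask_to_prefix(mask_text))
    return (ip_to_int(a_text) & mask) == (ip_to_int(b_text) & mask)


if __name__ == "__main__":
    for addr, mask in (("192.168.0.0", "255.255.255.0"), ("192.168.0.241", "255.255.255.240"),
                       ("10.1.37.200", "/22")):
        print(subnet_info(addr, mask))
    print(same_subnet("192.168.0.1", "203.55.57.29", "255.255.255.0"))
```

The /28 case shows why the calculator earns its keep: 192.168.0.241 with a 255.255.255.240 mask lives in 192.168.0.240/28, whose broadcast is 192.168.0.255 and which has only 14 usable addresses, none of which you would guess by eyeballing the octets.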
6.1.5 Reserved Addresses on an IP Network
As stated earlier, there are two reserved addresses on every network/subnet. The first number on a network (192.168.0.0, using the above example) is the network address, used when subnetting and when referring to the network as a whole. Therefore, when I refer to 192.168.0.0/24 I am talking about the whole network, whilst if I refer to 192.168.0.1/24 I am talking about a host on that network. This is used when referencing networks on firewalls/routers etc., so the systems administrator does not have to type in a statement for every possible IP address on a network.
The last address (192.168.0.255/24) is the broadcast address of the network. If you're unsure what broadcasts do, check out my subnetting paper mentioned above. The great thing about the broadcast address, from the attacker's side, is that if you ping it, every device on the network that honours broadcast echo requests will respond, and you have an instant list of devices on the network. Note, though, that hosts can be configured not to respond to this type of broadcast query, and a really good administrator will have seen the hole and closed it; most current operating systems ignore echo requests sent to a broadcast address by default, so expect a partial list at best. An alternative to this method is to use a program like PingSweep, which pings every possible IP address on a network. This works well, but generates a lot of traffic on the network, and a sweep of 254 addresses from one source is exactly the pattern an intrusion detection system is built to notice.
Once all this information has been collected, you can view the output by referring to your ARP cache entries ["arp -a | more" in Windows NT, "arp -a" on Unix]; every host that answered is now in there with its MAC address. From here you should be able to pick some likely possibilities for servers, which are generally placed at the beginning or end of a network, or you could check out the IP addresses which get the most traffic by using a packet sniffer. Another way could be to attempt to locate the internal DNS server (scan the network for port 53) and resolve the IPs to hostnames to try and find out from there. Or you could use one of the many available port scanners to guess, from the way the TCP/IP stack answers its probes, what the operating system is.
On a side note, this broadcast trick is the basic principle behind one well-known flavour of DoS attack, the smurf attack, and it is worth getting the mechanics right. The attacker does not want the replies; the victim gets them. The attacker sends a stream of ICMP echo requests to the broadcast address of some badly configured third-party network (the "amplifier") with the source address forged to be the victim's address. Every host on the amplifier network that answers sends its echo reply to the victim. Take, for example, an attacker with a 1 Mbit/s (lucky bastard) connection to the internet. He sends a 500 Kbit/s stream of echo requests to 192.168.0.255, the broadcast address of a network belonging to acme-competitor.com (a private address in this example, but work with me), with the source address forged as a machine at acme.com. Let's say there are only 100 machines at acme-competitor that respond; each of them generates a reply for every request, so 500 Kbit/s of requests becomes a massive 50 Mbit/s of replies, all aimed at acme's link (and quite enough to hurt acme-competitor's own router on the way out). If the attack is done properly it will bring down the victim's link, and to acme it looks like acme-competitor did it, because that is where every packet came from, while acme-competitor's logs show the requests coming from acme. Two things have made this mostly a historical attack: routers have defaulted to dropping packets addressed to a directed broadcast since RFC 2644 (Cisco's "no ip directed-broadcast"), and ISPs increasingly filter packets whose source address does not belong to the customer sending them (RFC 2827). Don't get me wrong, there is a lot more that can go on, but this is the basic concept behind an amplification DoS attack. The main difference between a DDoS (Distributed Denial of Service) attack and a DoS (Denial of Service) attack is that a DDoS has more than one place sending these requests.
6.1.6 Routing and Server "Chasing" on a network
So, you're on the network and you have all the IP addresses. You painstakingly go through each one trying to find a server, but you've had no luck. Workstations galore, routers galore, but nothing holding any real juicy information. What needs to be done? In a situation like this it probably means that the server is on another network, and therefore packets must be routed through to the server somewhere. Using your soon-to-be-gained knowledge of how routing works, you should be able to find what you're looking for.
6.1.6.1 ARP and RARP
Before you can start to understand routing, you need to know two protocols from the TCP/IP suite that sit at the Internet level of the DoD model (between the Network and Data-Link layers of the OSI stack, strictly speaking, since they carry IP addresses but are not themselves carried inside IP packets): ARP and RARP.
ARP (Address Resolution Protocol) is what a computer uses to find the physical (MAC) address of the NIC that owns a given IP address. Essentially it works something like this. When the Internet layer has a packet to send, it works out the IP address of the next hop on the local wire (the destination itself if it is local, otherwise a router; see the next section). The computer then checks its ARP cache to see if there is already an entry for that particular IP address. If the MAC address is in the cache, the frame header is built with it and the frame is passed down to the Network Access layer. If it is not in the cache, the computer broadcasts an ARP request ("who has 192.168.0.241? tell 192.168.0.1") to every host on the local network. If the host exists on that local network, it replies with its MAC address; the sender caches the answer for a few minutes and builds the frame. Note the order: the decision to route is taken before ARP, not because of it. If the computer receives no reply to the ARP request, the next hop is simply unreachable and the packet is dropped (on Windows you see "Request timed out" rather than any error at all).
One thing a security person should notice straight away: there is no authentication in ARP. Any host on the wire can answer a request, or send an unsolicited reply, claiming any IP address, and most stacks will believe it and overwrite the cache entry. That is the basis of ARP spoofing, and it is why "the gateway" on a LAN is really just whoever answers ARP for the gateway's address.
RARP (Reverse ARP) is a feature that is not commonly used by a host. It does the opposite of ARP: a machine that knows only its own hardware address (typically a diskless workstation booting off the network) broadcasts a RARP request, and a RARP server on the same network, which holds a table of MAC-to-IP mappings, replies with the IP address that machine should use. There is no cache involved, and the query is for the asker's own address, not somebody else's. RARP has largely been replaced by BOOTP and DHCP, which can hand out a subnet mask and default gateway as well as the address.
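The ARP exchange described above, as an added example that is not part of the original article: the request and reply frames are built and parsed byte for byte, two hosts run the exchange through a "wire" that is just a list of frames, and the cache accepts whatever it is told (as most stacks do) while recording when an address it already knows is suddenly claimed by a different MAC. Joe's 192.168.0.1 and the router at 192.168.0.241 are the article's addresses; the MACs, including the attacker's, are made up.

```python
"""ARP on the wire: build and parse request/reply frames (RFC 826 over
Ethernet/IPv4) and run the exchange between two hosts that keep an ARP cache.
The cache accepts whatever it is told, as most stacks do, but records when an
address it already knows is suddenly claimed by a different MAC.

Added example, not from the article. Joe (192.168.0.1) and the gateway
(192.168.0.241) are the article's addresses; the MACs and the "wire" (a plain
list of frames) are made up for the demo."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(text):
    return bytes(int(o) for o in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet header plus the 28-byte ARP body. A request goes to the
    broadcast MAC with the target MAC zeroed (that is the thing being asked for)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + body


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_text(smac), "sender_ip": ip_text(sip),
            "target_mac": mac_text(tmac), "target_ip": ip_text(tip)}


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}    # ip -> mac, what `arp -a` would print
        self.alerts = []   # cache entries that changed under us

    def resolve(self, ip, wire):
        """Cache hit returns the MAC; a miss puts a request on the wire and returns None."""
        if ip in self.cache:
            return self.cache[ip]
        wire.append(build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip))
        return None

    def receive(self, frame, wire):
        arp = parse_arp(frame)
        if arp is None or arp["target_ip"] != self.ip:
            return
        # RFC 826 merge: learn the sender's mapping from any ARP packet aimed at us,
        # unsolicited replies included; that trust is exactly what ARP spoofing abuses.
        old = self.cache.get(arp["sender_ip"])
        if old is not None and old != arp["sender_mac"]:
            self.alerts.append("%s moved from %s to %s" % (arp["sender_ip"], old, arp["sender_mac"]))
        self.cache[arp["sender_ip"]] = arp["sender_mac"]
        if arp["op"] == ARP_REQUEST:
            wire.append(build_arp(ARP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"]))


def demo():
    """Joe resolves the gateway, then an attacker sends a forged reply for it."""
    wire = []
    joe = Host("1a:4f:33:ff:a3:b0", "192.168.0.1")
    gateway = Host("00:00:0c:07:ac:01", "192.168.0.241")
    first = joe.resolve(gateway.ip, wire)            # miss: request goes out
    gateway.receive(wire.pop(0), wire)               # gateway answers (and learns Joe)
    joe.receive(wire.pop(0), wire)                   # reply fills Joe's cache
    second = joe.resolve(gateway.ip, wire)           # hit: nothing on the wire
    # Attacker on the same wire claims the gateway's address with a made-up MAC.
    joe.receive(build_arp(ARP_REPLY, "de:ad:be:ef:00:01", gateway.ip, joe.mac, joe.ip), wire)
    return {"first": first, "second": second, "after_spoof": joe.cache[gateway.ip],
            "gateway_knows_joe": gateway.cache.get(joe.ip), "alerts": joe.alerts,
            "wire_left": len(wire)}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, value))
```

The alerts list is the job that tools like arpwatch do on a real network: a stack on its own just takes the new MAC, and from then on Joe's off-network traffic goes to the attacker's card.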
6.1.6.2 Basic Routing on a Network
6.1.6.2.1 Static Routes, Dynamic Routes, Routes of Last Resort and Routing Tables
Routing in itself is a relatively simple process. The first thing to understand is static routes, dynamic routes and routes of last resort (also known as default gateways). A static route is a route that has been manually entered by a user to direct traffic for a certain IP address or network to a router, so the packet can be forwarded. Essentially a route statement looks something like this
[Destination network] [Subnet mask] [Gateway] [Metric]
Therefore, to route all packets intended for a host on the 192.168.2.0/24 network to the router at 192.168.0.241 (the gateway must be on a network that the host is attached to, otherwise the host can't reach it), with a metric of 1, the route would look like this
192.168.2.0 255.255.255.0 192.168.0.241 1
Different operating environments have different commands (route add on Windows and Unix, ip route in a Cisco configuration), but any machine capable of running TCP/IP should be able to hold static routes.
The first three items are pretty straightforward. The metric is a cost attached to the route and it is used for exactly one thing: choosing between two routes to the same destination. If two routes match a packet equally well, the one with the lower metric wins. It is easy to confuse the metric with the hop count that packets carry, so keep the two apart. Each IP packet has a Time To Live (TTL) field, a maximum number of hops it may take; every router decrements it by one and, when it reaches zero, discards the packet and sends an ICMP "time exceeded" message back to the source. That is what stops a packet caught in a routing loop from circulating forever (and it is what traceroute exploits to map the path). The metric is never put in a packet; it lives only in the routing table. So if you assign a metric of 3 to a static route and run a routing protocol on the same machine, and the routing protocol learns a route to the same network with a lower metric, the cheaper route will be used. Different systems call the metric by different names and calculate it from different things (hop count for RIP, link bandwidth for OSPF), and Cisco adds another layer on top, the administrative distance, which ranks where a route came from (a static route normally beats anything a routing protocol learned, regardless of metric) before metrics are even compared.
Static routes can generally be entered as a temporary entity (i.e. lost when the machine shuts down) or as a permanent entity (i.e. will remain across reboots; route -p add on Windows NT). The benefit of static routes is that an administrator can have very specific and complete control over the direction of packets on his/her network. Unfortunately, if you have a number of different networks or routers, this can become extremely time consuming and confusing (especially if you're not too bright, like me). As a tip for all the administrators out there, if you want to secure your network that little bit more, you can add your static routes on your users' computers as temporary entities that expire after each shutdown. If you add these routes as part of your login scripts you can ensure that only users who successfully log in to the system get the route to the server, without having to enter it manually. It would also ensure that users with notebooks did not carry routing (and therefore network) information off-site. Not that this would stop a truly dedicated hacker (the routes are visible to anyone sniffing the wire, and a default gateway makes them unnecessary), but it would add to the total amount of time that a hacker has to spend on the intrusion, which would increase their chance of getting caught.
Dynamic routes are similar to static routes. The only difference is that they are always temporary: they are entered, refreshed and withdrawn by a routing protocol (such as RIP or OSPF) as it hears from its neighbours. The methods that these routing protocols use aren't of any concern for this document; all you need to know is that they appear in the same place and look identical to static routes. Most routing protocols are run on routers themselves, and all computers send their non-local packets to one specific router, which then routes them on from there. Most packet sniffers will be able to decode routing protocol packets, and since RIP version 1 is broadcast in the clear with no authentication, a sniffer on a LAN where RIP is running gets handed a map of the networks behind the router for free.
The route of last resort, or default gateway, is where a host sends a packet if the destination is not local and no more specific route matches it. A great many systems are configured so that every packet that is not local is forwarded to the one router, which then works out by itself what to do with it from there. This is much easier from an administrative stance. The cost is that the host's entire routing decision collapses to "hand it to the gateway", so whoever can answer ARP for the gateway's address sees all of that host's off-network traffic.
All this information is located in the routing table, which is maintained on each host. How we observe the route table is different across operating systems, but it is generally displayed by a "show ip route" (Cisco), "route print" (Windows) or "netstat -rn" (Unix) type of command. The host will then list all the routes that it holds. Static and dynamic routes have the same look, i.e. a specific network/host destination, usually followed by the subnet mask, which is followed by the gateway to use to transfer the packet and the interface it goes out of. We can always spot the route of last resort, because its destination AND subnet mask are both 0.0.0.0. Also, if a route points to a specific host rather than a network, the subnet mask will appear as 255.255.255.255. When more than one entry matches a packet, the most specific one (the longest mask) is used, which is why a 255.255.255.255 host route overrides the route for its network, and why the 0.0.0.0 route is only used when nothing else matches.
6.1.6.2.2 The act of routing packets
6.1.6.2.2.1 The transmitting host
Keeping our OSI stack in mind, we're now going to discuss the action of a packet
routing
through a network.
Application Layer
Joe Blow (IP address 192.168.0.1/24) starts up a telnet session with an
imaginary telnet server, which we'll call telnet.demo.com (IP address
203.55.57.29/24). The telnet client hands the user's data down the stack.
Presentation Layer
This layer doesn't really concern routing. In the OSI model it looks after
how the data is represented (character set, encoding) and adds its own
header. In a TCP/IP stack there is no separate presentation header at all:
the telnet protocol itself deals with representation (its network virtual
terminal encoding and option negotiation). Note that chopping the user data
into transmittable pieces is NOT done here; that is the transport layer's
job.
Session Layer
Once again, this layer has very little to do with the routing of the packet.
In the OSI model it adds a header that manages the dialogue between the two
ends (who may talk, synchronisation points). In TCP/IP there is no header of
its own; the "session" is simply the TCP connection, and flow control is done
by TCP at the transport layer.
Transport Layer
This is the first layer where the guts of TCP/IP come into play. TCP breaks
the data into segments and adds its header, which carries the port numbers.
The destination port is 23 (telnet); the source port is NOT 23 but a
high-numbered, ephemeral port the client picks for this connection, and the
pair of ports (together with the pair of IP addresses) is what identifies
the connection. The TCP header also carries the sequence numbers that let
the receiver put the segments back into order. The segment is then passed
down to the network layer.
Network Layer
The network layer adds its header to the segment (surprise, surprise), which
contains the source and destination IP addresses. The subnet mask is not
carried in the packet: it is local configuration, used only for the decision
that follows. The network layer ANDs both its own address and the destination
address with its mask: 192.168.0.1 AND 255.255.255.0 gives 192.168.0.0,
while 203.55.57.29 AND 255.255.255.0 gives 203.55.57.0. The two differ, so
the destination is not on the local network. Had it been local, the host
would generate an ARP request for the MAC address of the destination IP
itself. Since it is not, the host checks its route table for the most
specific route covering 203.55.57.29; if one exists, it generates an ARP
request for the IP address of that route's gateway. If no specific route
exists (which is the case in this example), the route of last resort (the
default route, 0.0.0.0/0) is used and the host ARPs for the default
gateway. In practice the ARP request only goes on the wire if the gateway's
MAC address is not already in the host's ARP cache.
Two things to keep straight here. First, no MAC address is ever written
into the network layer header; the IP header carries IP addresses only. The
network layer works out WHICH IP address has to be resolved for this hop
(the destination itself, or the gateway) and hands the resulting MAC address
down to the Data-Link layer along with the packet. Second, the source and
destination IP addresses are set once by the sending host and are not
changed by any router on the way; only the MAC addresses change, hop by hop.
Data-Link Layer
The Data-Link layer adds its header and trailer: the source MAC address (this
host's interface), the destination MAC address for this hop (in this case the
default gateway's), and a frame check sequence in the trailer. It then passes
this frame to the Physical layer for transmission.
Physical layer
Transmits the raw bitstream.
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Keep in mind that this is a simplified version of what each layer does. For
example, I have not gone into the fact that the Data-Link layer is also
responsible for co-ordinating access to the wire between numerous transmitting
hosts, etc. etc.; the description above is purely concerned with what each
layer does when routing.
6.1.6.2.2.2 The routing host
The routing host recognises its own MAC address in the frame, pulls it off
the wire, strips the Data-Link header/trailer and passes the packet up to
the Network layer. The network layer inspects the IP header to find the
destination IP address. If the destination IS one of the host's own IP
addresses, the packet is passed up the stack and is not routed at all.
Otherwise the router checks whether the destination lies on one of its
directly connected networks (the same AND-with-the-mask test, done for each
of its interfaces). If it does, an ARP request is generated for the
destination host's MAC address and the packet is forwarded directly to it.
If not, then, just like the previous host, the router looks through its
route table for the most specific route to the destination network. If one
exists, the router ARPs for the MAC address of that route's next-hop gateway
and passes the packet down to the Data-Link layer with that MAC address. If
no route matches, the router falls back to its own route of last resort, if
it has one, and ARPs for that gateway. If there is no matching route and no
default route either, the packet is dropped, and normally an ICMP Destination
Unreachable goes back to the sender.
Before the packet goes back down to the Data-Link layer the router also
decrements the TTL field in the IP header (dropping the packet, and sending
an ICMP Time Exceeded, when it hits zero, so that a routing loop cannot keep
a packet circulating for ever) and recomputes the IP header checksum. The
source and destination IP addresses are left untouched.
NB: This is the core of routing, and is exactly what happens every single
time a packet is sent across the internet. Because a router only deals with
packets up to the Network layer when routing, the act of routing is known as
a Layer 3 action.
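The forwarding decision that 6.1.6.2.2.1 and 6.1.6.2.2.2 describe in words,
as an added example in Python. This is not code from the article; only the
addresses 192.168.0.1/24 and 203.55.57.29/24 come from the text, and the
router addresses, MAC addresses, interface names and the ARP table standing
in for real ARP replies are all assumptions made for the example. It shows
the logical AND as a longest-prefix route lookup, the route of last resort
winning only when nothing more specific matches, the IP addresses staying
fixed while the MAC addresses change per hop, and the TTL check a router
does before forwarding.

```python
import ipaddress

# Constructed addresses. Only 192.168.0.1/24 and 203.55.57.29/24 come from
# the article; the router's addresses, all MAC addresses and the interface
# names are assumptions made for this example.
ROUTER_LAN_IP = "192.168.0.254"
ROUTER_WAN_IP = "203.55.57.1"

# Stand-in for ARP: the replies that live ARP requests would have returned.
ARP_TABLE = {
    "192.168.0.1":  "00:00:5e:00:53:01",   # Joe Blow
    ROUTER_LAN_IP:  "00:00:5e:00:53:fe",   # router, LAN side
    ROUTER_WAN_IP:  "00:00:5e:00:53:a1",   # router, server side
    "203.55.57.29": "00:00:5e:00:53:1d",   # telnet.demo.com
}


def build_host(interfaces, routes):
    """interfaces: {ifname: 'ip/prefix'}.  routes: [(network, gateway, ifname)],
    gateway None meaning directly connected.  A connected route is added for
    every interface; 0.0.0.0/0 with a gateway is the route of last resort."""
    ifs = {name: ipaddress.ip_interface(addr) for name, addr in interfaces.items()}
    table = [(iface.network, None, name) for name, iface in ifs.items()]
    table += [(ipaddress.ip_network(net),
               ipaddress.ip_address(gw) if gw else None, name)
              for net, gw, name in routes]
    return {"interfaces": ifs, "routes": table}


JOE = build_host({"eth0": "192.168.0.1/24"}, [("0.0.0.0/0", ROUTER_LAN_IP, "eth0")])
ROUTER = build_host({"eth0": ROUTER_LAN_IP + "/24", "eth1": ROUTER_WAN_IP + "/24"}, [])


def lookup_route(host, dst):
    """Longest-prefix match.  'dst in net' is the logical AND the article
    describes (dst & mask == net & mask).  0.0.0.0/0 has prefix length 0,
    so it only wins when nothing more specific matches."""
    best = None
    for net, gw, name in host["routes"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, name)
    return best


def layer3_decision(host, dst_ip):
    """The network layer's decision for one hop: (arp_target, ifname), where
    arp_target is the IP whose MAC must be resolved, i.e. the destination
    itself when it is local, otherwise the gateway.  (None, None) means no
    route at all, not even a route of last resort."""
    dst = ipaddress.ip_address(dst_ip)
    route = lookup_route(host, dst)
    if route is None:
        return None, None
    _net, gw, name = route
    return (dst if gw is None else gw), name


def frame_for_hop(host, packet):
    """Data-link addresses for this hop.  The IP header (packet['src'],
    packet['dst']) carries no MAC; the MACs chosen here are valid for one hop."""
    target, name = layer3_decision(host, packet["dst"])
    if target is None:
        raise RuntimeError("no route to " + packet["dst"])
    own_ip = host["interfaces"][name].ip
    return {"ifname": name, "src_mac": ARP_TABLE[str(own_ip)],
            "dst_mac": ARP_TABLE[str(target)]}


def router_forward(host, packet):
    """What the routing host does with a packet whose destination MAC was its
    own: ('deliver', None) if it is for the router itself, ('drop', reason) if
    it cannot be forwarded, else ('forward', (new_packet, frame))."""
    dst = ipaddress.ip_address(packet["dst"])
    if any(iface.ip == dst for iface in host["interfaces"].values()):
        return "deliver", None                       # up the stack, not routed
    if packet["ttl"] <= 1:
        return "drop", "ttl exceeded"                # ICMP Time Exceeded in reality
    if layer3_decision(host, packet["dst"])[0] is None:
        return "drop", "no route"                    # ICMP Destination Unreachable
    forwarded = dict(packet, ttl=packet["ttl"] - 1)  # IP addresses are NOT changed
    return "forward", (forwarded, frame_for_hop(host, forwarded))


if __name__ == "__main__":
    pkt = {"src": "192.168.0.1", "dst": "203.55.57.29", "ttl": 64}
    print("Joe's host puts on the wire:", frame_for_hop(JOE, pkt))
    action, (pkt2, frame) = router_forward(ROUTER, pkt)
    print("router:", action, pkt2, frame)
```

Run it and compare the two frames: the destination MAC is the router's LAN
interface on the first hop and the telnet server's on the second, while the
IP source and destination are identical in both.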
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
6.1.6.2.2.3 The receiving host
Physical Layer
Pulls the raw bitstream off the network cable.
Data-Link Layer
Checks the frame check sequence and that the frame was actually meant for
this machine (i.e. the destination MAC address is its own, or a broadcast or
multicast address it listens to), then removes its header/trailer and passes
the packet up.
Network Layer
Checks that the destination IP address is one of this host's addresses
(if not, the packet is forwarded if the host is a router, or dropped),
verifies the header checksum, removes its header and hands the segment to the
protocol named in the IP header's Protocol field, here TCP.
Transport Layer
Removes the TCP header and matches the segment, by the four addresses
(source/destination IP and port), to the socket listening on port 23. A new
connection goes through the TCP handshake first. The sequence numbers in the
TCP header are what put the data back into the right order, and the
acknowledgements are what give reliability and flow control.
Session Layer
In the OSI model, manages the dialogue between the two ends; in TCP/IP there
is nothing separate to strip off here.
Presentation Layer
Decodes the data if necessary (for telnet, interprets the network virtual
terminal encoding and any option negotiation).
Application Layer
The telnet server hands the data to the login process. Its reply to Joe Blow
travels back along the same path with the roles reversed, and Joe is
presented with the first bit of data from the session he initiated.
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
6.1.6.3 "Chasing" the server down
So, when we get into the guts of a particular network, how do we track down
servers if they exist on another network? Thinking back to the routing
section, we know that when a route is required the host performs an ARP
request for the MAC address of whatever gateway is being used, and uses that
MAC address in the Data-Link header to ensure that the router picks the
frame up. The one thing that does not change is the source/destination IP
address pair. Therefore we can find the router with a packet sniffer: an
ordinary host only ever receives frames addressed to its own IP address, so
the one MAC address that receives frames for a whole range of IP addresses
outside the local subnet is the router. Its own IP address is not in those
frames (the router is neither source nor destination of the packets it
forwards); for that, watch the ARP requests the hosts make for their default
gateway and the replies it sends back. Once that router has been located, we
would then need to use one of the many fingerprinting methods around to
discover exactly what it is (PC-based or a dedicated router, and which
operating system or router brand). Once we know exactly what type of router
it is, we would have to compromise it, or find a way across it, to get to
the machines (hopefully the servers) on the other side.
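The sniffer-based router hunt just described, as an added example in Python
rather than anything from the article. The capture is constructed for the
example: it is the list of (source MAC, destination MAC, source IP,
destination IP) that a sniffer on the 192.168.0.0/24 segment would pull out
of the frames, with every address other than 192.168.0.1 and 203.55.57.29
made up. The router is the MAC that collects frames for many foreign
destination IPs, and it deliberately does NOT appear among the local hosts,
because the frames it forwards inwards still carry the remote source IP.

```python
import ipaddress
from collections import defaultdict

# Constructed capture of what a sniffer on the 192.168.0.0/24 segment would
# show: (src_mac, dst_mac, src_ip, dst_ip).  Only 192.168.0.1 and 203.55.57.29
# come from the article; every other address is made up for the example.
CAPTURE = [
    ("00:00:5e:00:53:01", "00:00:5e:00:53:fe", "192.168.0.1",  "203.55.57.29"),
    ("00:00:5e:00:53:01", "00:00:5e:00:53:fe", "192.168.0.1",  "198.51.100.7"),
    ("00:00:5e:00:53:02", "00:00:5e:00:53:fe", "192.168.0.2",  "203.0.113.10"),
    ("00:00:5e:00:53:02", "00:00:5e:00:53:03", "192.168.0.2",  "192.168.0.3"),
    ("00:00:5e:00:53:03", "00:00:5e:00:53:02", "192.168.0.3",  "192.168.0.2"),
    ("00:00:5e:00:53:fe", "00:00:5e:00:53:01", "203.55.57.29", "192.168.0.1"),
]


def find_gateways(capture, local_net, min_destinations=2):
    """Return {mac: set of off-net destination IPs} for every MAC address that
    receives frames for at least min_destinations different IP addresses
    outside local_net.  An ordinary host only ever receives frames for its own
    IP, so a MAC collecting frames for many foreign addresses is a router."""
    net = ipaddress.ip_network(local_net)
    per_mac = defaultdict(set)
    for _src_mac, dst_mac, _src_ip, dst_ip in capture:
        if ipaddress.ip_address(dst_ip) not in net:
            per_mac[dst_mac].add(dst_ip)
    return {mac: ips for mac, ips in per_mac.items() if len(ips) >= min_destinations}


def local_hosts(capture, local_net):
    """MAC -> IP for the hosts on this segment, taken from frames they originate.
    Traffic the router forwards in keeps the remote source IP, so the router's
    MAC does not show up here; its own IP only appears in ARP traffic."""
    net = ipaddress.ip_network(local_net)
    hosts = {}
    for src_mac, _dst_mac, src_ip, _dst_ip in capture:
        if ipaddress.ip_address(src_ip) in net:
            hosts[src_mac] = src_ip
    return hosts


def network_map(capture, local_net):
    """Put the two together: the logical picture of the segment."""
    return {"hosts": local_hosts(capture, local_net),
            "routers": find_gateways(capture, local_net)}


if __name__ == "__main__":
    for kind, entries in network_map(CAPTURE, "192.168.0.0/24").items():
        print(kind)
        for mac, value in entries.items():
            print("  ", mac, sorted(value) if isinstance(value, set) else value)
```

The min_destinations threshold is there so that a single stray frame (a
misconfigured host, a probe) does not get a machine labelled as a router;
raise it on a busy segment.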
6.1.6.4 Hardware that you may come across
A number of items need to go into a network to "make it work," and routers
are just one of these. The other main ones are hubs, switches and gateways.
Hubs:
Otherwise known as a "multiport repeater," the hub is at the bottom of
network connectivity technologies. Essentially, the hub takes any frame sent
to it on any port and repeats it out all the other ports. The hosts are
(obviously) listening, and when a frame arrives on its port the host reads
it, accepting it if it is for its MAC address (or a broadcast) and ignoring
it if not. Hubs have a couple of drawbacks:
1) Only one machine on the entire hub can transmit at any one time; if two
transmit at once the frames collide and both have to back off and retry.
2) Because every frame for any destination is flashed down all ports, a
hacker anywhere on the hub can put a network card into promiscuous mode (so
it accepts frames not addressed to it) and easily grab password hashes,
monitor login requests etc. etc. In the telnet example above, the login and
password go across in clear text.
Switches:
Switches are the "grown up" version of hubs. A switch learns which port each
source MAC address appears on and keeps this in its MAC address table; a
frame coming in is then sent out only on the port where the destination MAC
address was learnt, effectively a "bridge" between the sending and receiving
devices. Frames for a destination the switch has not learnt yet, and
broadcasts such as ARP requests, are still flooded out every port. This is
much better than a hub because,
1) All ports can send or receive at the same time, so multiple
transmits/receives can occur, unless, of course, the host being transmitted
to is currently busy receiving from someone else.
2) Because multiple hosts can transmit at the same time, a 10Mbit switch
can, with several hosts talking at once, move more traffic than a 100Mbit
hub, even though a single-stream benchmark will say otherwise.
3) Because frames go only to the port of the receiving machine, the data is
not flashed down every port, so it is much harder to packet sniff.
If the site you are hacking from has switches installed and you are trying to
packet sniff the network (presuming you have sufficient access/bandwidth),
putting your card into promiscuous mode is not enough on its own: the switch
only delivers to your port the frames addressed to you, broadcasts, and
frames for destinations it has not learnt yet, and that is all a sniffer on
a switched segment will ever see. It is also a pretty risky thing to try,
because there are a number of programs out there that detect hosts running
in promiscuous mode, and you run a good chance of getting caught. A better
solution would probably be to completely compromise the router (instead of
just getting through it), inspect its route table and ARP table, and use
those to map the networks behind it manually.
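Why the sniffer sees everything on a hub and almost nothing on a switch,
as an added example in Python that is not from the article: a multiport
repeater next to a learning bridge, with a constructed four-frame exchange
(an ARP request, its reply, then two data frames) pushed through both. The
attacker sits on port 3. On the hub every frame reaches port 3; on the
switch only the broadcast does, because by the time the data frames arrive
both MAC addresses have been learnt and the frames go straight to the
owner's port. The port numbers and MAC addresses are assumptions for the
example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Multiport repeater: every frame goes out every port except the one it
    came in on, regardless of its destination MAC."""

    def __init__(self, ports):
        self.ports = list(ports)

    def deliver(self, ingress, frame):
        return sorted(p for p in self.ports if p != ingress)


class Switch:
    """Learning bridge: remembers the port each source MAC was seen on and
    forwards to that port only.  Broadcasts and destinations it has not yet
    learnt are flooded out every other port, exactly like a hub."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC -> port

    def deliver(self, ingress, frame):
        src, dst = frame["src_mac"], frame["dst_mac"]
        self.mac_table[src] = ingress                 # learn the sender
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == ingress else [out]    # known: one port only
        return sorted(p for p in self.ports if p != ingress)   # flood


def sniffable(device, attacker_port, frames):
    """Push the constructed frames through the device and return the indices
    of the ones that physically arrive at attacker_port.  Promiscuous mode
    can only capture frames that reach the port in the first place."""
    seen = []
    for index, (ingress, frame) in enumerate(frames):
        if attacker_port in device.deliver(ingress, frame):
            seen.append(index)
    return seen


# Constructed traffic: host A on port 1, host B on port 2, attacker on port 3.
A, B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
FRAMES = [
    (1, {"src_mac": A, "dst_mac": BROADCAST}),   # 0: A's ARP request for B
    (2, {"src_mac": B, "dst_mac": A}),           # 1: B's ARP reply
    (1, {"src_mac": A, "dst_mac": B}),           # 2: A -> B, e.g. telnet login
    (2, {"src_mac": B, "dst_mac": A}),           # 3: B -> A
]

if __name__ == "__main__":
    print("hub, attacker on port 3 sees frames:", sniffable(Hub([1, 2, 3]), 3, FRAMES))
    print("switch, attacker on port 3 sees frames:", sniffable(Switch([1, 2, 3]), 3, FRAMES))
```

The broadcast ARP request still reaches the attacker on the switch, which is
why ARP traffic is usually the first thing a sniffer on a switched segment
shows you, and why the hosts' ARP requests for the default gateway are a
cheap way to learn the router's address.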
Gateways:
A gateway, in the sense used here, is a relatively rare device that provides
a "translation point" between two protocol suites (for example, TCP/IP on one
side and IPX/SPX on the other). Be aware that the same word is also used for
an ordinary IP router, as in "default gateway" earlier in this file. There
are a number of reasons for implementing a gateway, but from a security
perspective one would be installed with IPX/SPX configured on the servers and
TCP/IP on the workstation (or "working network") side. This makes things
SIGNIFICANTLY harder for a hacker, as the hacker either has to know IPX/SPX
as well as TCP/IP backwards, or has to pool resources with another person
who has a lot of IPX/SPX knowledge. The other thing to be aware of is that a
system like this has probably been implemented by a professional security
company, so you'd better be sure that you really want to try the hack, as
you'd have to be very good to make sure you don't get caught.
Fortunately, for the hackers out there anyway, gateways of this kind are
relatively rare, pretty much because of the administrative overhead involved
with such a system, and because most companies have not put a large emphasis
on network security.
7.1 What I've actually explained here
So, what should you know after you've read this? I have covered the
implementation of TCP/IP within a network, the structures it adheres to, and
what those structures do to ensure that data gets from its source to its
destination. I also covered routing within a network, and how you can chase
down other networks within an intranet; a little about getting a logical
picture of a network and finding your way around it; and some technologies
and methods that make a network a little more secure.
8.1 Final Shout
Once again, not a lot to go in here. No references again, as this all came
out of my head (frightening as that concept may be). I will probably do some
sort of packet sequencing or router exploit paper next, or maybe a port
scanning or IP riding one. I'm not really sure yet, and it does depend on
how much time I have on my hands.
Catch yer all on the flip side,
Squire
(geocities.com/eljehad1)