ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network
How Networks and Network Attacks Work
To attack a network you first need to fully understand the rules and protocols that the network follows. Once you have a good understanding of these, you can start to understand how the various attacks work. When you know how these attacks work, then and only then, can you go about securing the network, confident that you know what it is you are defending against.
The aim of this paper is to help explain how a network operates and how various attacks work.
For a network to operate effectively, there must be a set of rules that everything on that network follows. It must have its own language that everything on it understands, and it must have its own way of transmitting things in this language to other parts of the network. However, as there are many networks in many different countries, this standard needs to be a universal one, so that networks can talk to other networks across the world.
If someone from England were to phone someone in Russia, the chances are they wouldn’t be able to communicate too well. But if a network sends a data packet to a network in Russia, it will be received and processed in the correct way. This is because all networks follow protocols defined by what is known as the Open Systems Interconnection (OSI) model.
The OSI Model:
The OSI model provides a set of rules and protocols that enable any network following them to talk to any other network that also follows them.
The rules that make up the OSI model are arranged into seven different layers that are all interconnected with each other.
1) Physical Layer
2) Data Link Layer
3) Network Layer
4) Transport Layer
5) Session Layer
6) Presentation Layer
7) Application Layer
I’ve always found it easier to look on these as different stages a data packet must pass through: at each stage something is added to the packet, and when it is received the same thing is taken away from it by the corresponding stage in the other
The Physical Layer:
As its name suggests this is the physical connection between two pieces of hardware. So we are talking about the actual Ethernet cable and Network Interface Card (NIC) – hubs are also considered layer one devices. Its major function is to communicate raw bit streams (the ones and zeros). It is responsible for the activation and deactivation of these bit stream communications. It is also responsible for defining the actual cable attachments to the NICs and how they work. This is the lowest layer.
The Data Link Layer:
This layer deals with the transfer of data between two points on the network. If the Physical layer is what is used to pass the raw bits, this is what actually sends them on their way. It also provides error and flow control of the data packets that are sent and received. MAC addressing is found here – layer 2 switches are also found here, funnily enough. (A MAC address is commonly called a Layer 2 address due to where it sits in the OSI model.)
The Network Layer:
I will go into more depth on this later on. This layer provides the addressing and routing of the data and acts as a kind of middle ground between the upper layers and the lower layers.
The Transport Layer:
Again, this will be explained in more detail later. This is where TCP comes into the process by providing a reliable and stable method of passing the data packet.
The Session Layer:
This is what actually establishes the connections between network applications and then maintains those connections. It also keeps the sessions separate. (A session loosely refers to a connection, so if you are viewing a web page via IE and also sending an email via Outlook then there will be two separate sessions. This layer will ensure data from one session will not end up in the other session.)
The Presentation Layer:
This is what translates the data provided by the application in use into a format that the rest of the OSI model understands and can work with, and vice versa: when the data is received, it translates it back into a language for the application to work with. So to go back to our web page and email example, data is sent in binary over a network; if this were displayed in IE and Outlook in that format you would be pretty confused, so something needs to translate the data into an email or a web page and pass it up to the correct application. This layer also handles encryption.
The Application Layer:
This is used for applications that can support and use network services, such as DNS, FTP, TELNET, SMTP and NetBIOS type applications.
So when you send a data packet it starts at the application layer, then the presentation layer wraps its bit of information around the packet, then the session layer does the same, and so on until the packet reaches the Physical layer, where it is passed to wherever it needs to go.
This whole process is known as Encapsulation.
That’s the seven layers of the OSI model.
Now that we know about the methods used to pass data, let’s talk about what it actually is that gets passed around.
When information is passed around the network it is transmitted in small chunks of data called Packets. (In truth the terminology changes depending on where in the OSI model the data is – at layers 7, 6, 5 and 4 it is simply called Data, at layer 3 it is called a Packet, at layer 2 it is called a Frame and then at layer 1 it is referred to as bits (binary bits, that is). To avoid confusion, data in transit is generically called a Datagram or a Packet.)
As the packet passes through each layer small bits of data are added to it or taken away from it, depending on whether the packet is being transmitted or received.
A data packet has both a body and a header. The body obviously contains the message that is being passed, whilst the header contains things like the source IP address, the destination IP address, the total data length, what protocols are being used, and checksum information.
To understand how most network attacks operate it is necessary to go into more detail about some of the layers used.
The Network Layer:
The rules that govern this layer, to ensure that the addressing is correct and efficient, are what’s called the Internet Protocol (IP).
Everything that is connected to the internet has an IP address. An IP address is made up of four bytes, each of which can be no greater than 255, e.g. 100.100.100.100.
They can be no bigger than 255 as this is the highest number that binary goes to in one byte, and all numbers are converted to binary as far as computers are concerned.
128   64   32   16    8    4    2    1
  1    1    1    1    1    1    1    1
This number, 11111111, is the highest number in binary for one byte (8 bits make a byte, so eight 1’s make the byte).
If you add up the numbers above the ones, you will see it comes to 255:
128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
128   64   32   16    8    4    2    1
  0    0    0    0    0    0    0    1
This would equal the number 1. If there is a zero under a number it is discounted; only the columns with a 1 under them count towards the value.
128   64   32   16    8    4    2    1
  0    0    0    0    1    1    1    1
So this would equal 15: 8 + 4 + 2 + 1 = 15
A bit off topic there, but that is how binary works; hence that is how an IP address is looked at by your computer.
If you need a number bigger than 255, that is where hex comes in. Hex will be explained later when we talk about MAC addresses.
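The binary arithmetic above, as an added example that is not part of the original post: each byte of a dotted-quad address is split into the 128/64/32/16/8/4/2/1 columns and added back up, and anything that does not fit in one byte (such as an octet of 256) is rejected.

```python
# Added example (not from the original post): how a computer reads an IPv4
# address as four bytes, using the 128/64/32/.../1 column weights above.

WEIGHTS = [128, 64, 32, 16, 8, 4, 2, 1]  # value of each bit position in one byte


def byte_to_bits(value):
    """Return the eight bits of a byte as a list of 0/1, most significant first."""
    if not 0 <= value <= 255:
        raise ValueError(f"{value} does not fit in one byte (0-255)")
    return [(value >> shift) & 1 for shift in range(7, -1, -1)]


def bits_to_byte(bits):
    """Add up the weights of the columns that hold a 1, exactly as in the tables above."""
    if len(bits) != 8 or any(b not in (0, 1) for b in bits):
        raise ValueError("expected exactly eight 0/1 bits")
    return sum(w for w, b in zip(WEIGHTS, bits) if b == 1)


def ip_to_bits(address):
    """Split a dotted-quad address into its four bytes and show each one in binary."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"{address!r} is not a dotted quad")
    octets = []
    for p in parts:
        if not p.isdigit():
            raise ValueError(f"{p!r} is not a number")
        octets.append(int(p))
    # byte_to_bits raises for anything above 255, which is why 256.1.1.1 is not an address
    return ["".join(str(b) for b in byte_to_bits(o)) for o in octets]


def bits_to_ip(bit_strings):
    """Reverse of ip_to_bits: four 8-character bit strings back to dotted quad."""
    return ".".join(str(bits_to_byte([int(c) for c in s])) for s in bit_strings)


if __name__ == "__main__":
    for n in (255, 1, 15):
        bits = byte_to_bits(n)
        used = [w for w, b in zip(WEIGHTS, bits) if b]
        print(f"{n:3d} = {''.join(map(str, bits))} = {' + '.join(map(str, used))}")
    print(ip_to_bits("100.100.100.100"))
```

Running the block prints the three worked values from the tables above and then the four bytes of 100.100.100.100 in binary.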
Anyway, in the network layer both IP packets and Internet Control Message Protocol (ICMP) packets exist.
IP packets are used for the actual sending of data, whilst ICMP packets are there for diagnostic and messaging/notification purposes. If there is a problem with the delivery or receipt of an IP packet, an ICMP packet can be sent to tell the other system that there has been a problem.
ICMP can also be used to test the connectivity of something on the network in the form of an Echo Request, commonly known as a Ping. This is a quick and easy way to test whether a host is up and running and how much latency there is on the connection between you.
If you send an Echo Request and get an Echo Reply, the host has to be alive and reachable. If you send an Echo Request and don’t get anything back, then it generally (but not always) means the host is down. Unlike TCP, there doesn’t have to be an established connection for ICMP packets to be transmitted, so systems can be configured to ignore ICMP packets as a security measure.
The final thing to mention on this topic is IP fragmentation.
Most networks have a limit on the size of IP packet that can be transmitted, so the network layer can break the packet down.
A normal packet may look like this:
| Header | DATA DATA DATA |
This may be too big to be transmitted, so the network layer will break it down like so:
| Header | Data 1 |
| Header | Data 2 |
| Header | Data 3 |
This is a simplified explanation, as in real life offsets are used instead of 1, 2 and 3.
To reconstruct the packet at the receiving station, the network layer will put the fragments back in order (1, 2 and 3) and pass the result up to the Transport Layer.
Which, strangely enough, brings us nicely on to the transport layer.
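The reassembly just described, as an added example that is not part of the original post. It uses the offsets that real fragments carry rather than the labels 1, 2 and 3, and it also covers the two cases a receiver has to handle carefully: a fragment that never arrives, and two fragments that claim the same bytes. To keep the arithmetic visible the offsets here count bytes, whereas real IPv4 fragment offsets count 8-byte units; that simplification is the example's own.

```python
# Added example (not from the original post): reassembling IP fragments by
# offset, the way the network layer does it, using constructed fragments.
# Offsets are byte offsets here for readability (real IPv4 uses 8-byte units).


def fragment(payload, mtu):
    """Split a payload into (offset, more_fragments, chunk) pieces no larger than mtu."""
    frags = []
    for offset in range(0, len(payload), mtu):
        chunk = payload[offset:offset + mtu]
        more = offset + mtu < len(payload)   # "more fragments" bit is clear on the last piece
        frags.append((offset, more, chunk))
    return frags


def reassemble(fragments):
    """fragments: list of (offset, more_fragments, payload_bytes), in any arrival order.

    Returns the original payload, or None if a piece is missing or two pieces
    overlap; a receiver must not silently pass either case up the stack.
    """
    pieces = sorted(fragments, key=lambda f: f[0])
    expected = 0
    out = bytearray()
    for offset, more, payload in pieces:
        if offset > expected:
            return None   # gap: a fragment has not arrived (yet)
        if offset < expected:
            return None   # overlap: two fragments claim the same bytes
        out += payload
        expected += len(payload)
    if not pieces or pieces[-1][1]:
        return None       # we never saw the final fragment
    return bytes(out)


if __name__ == "__main__":
    original = b"DATA DATA DATA"
    frags = fragment(original, 5)
    print(frags)
    # arrival order on a real network is not guaranteed, so feed them in reverse
    print(reassemble(list(reversed(frags))))
    print(reassemble(frags[:-1]))   # last fragment lost -> None
```

The overlap rule is deliberately strict: accepting overlapping fragments is a classic way for two different reassembly implementations to end up with two different packets from the same bytes, which is why inspection devices normalise or drop them.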
The Transport Layer:
The two major sets of rules in this layer are the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) protocols.
Most services on a network and on the internet will use the TCP protocol; these include things such as HTTP, FTP and SMTP. Although each one of these is a protocol in its own right, to actually transfer the data it is being asked to, it will use TCP.
The reason for this is that TCP provides a very reliable, two-way connection between hosts on a network or the Internet. TCP will ensure that all the data is received and in the correct order; if packets are missing or corrupted it will hold on to the packets it already has until the missing ones have been re-sent, and only then will it pass the data up to the next layer.
To be able to do all this TCP uses a system known as flags.
There are 6 flags in total, they are:
URG   Urgent           Used for priority data
ACK   Acknowledgment   Acknowledges a connection and is usually turned on
PSH   Push             Tell the recipient to push the data through rather than
RST   Reset            Resets the connection
SYN   Synchronize      Synchronizes sequence numbers at the beginning of the connection (REMEMBER THIS)
FIN   Finish           Closes a connection
What makes TCP such a reliable connection is that, unlike UDP, it establishes a connection before sending the data packet. It does this by way of a three-way handshake using the flags described above.
Say we have computers ‘A’ and ‘B’. ‘A’ wants to send something to ‘B’; here is what happens:
First, ‘A’ will send a packet with the SYN flag turned on to ‘B’.
‘B’ will then send a packet back with the SYN and ACK flags turned on.
Then ‘A’ will send another packet back with just the ACK flag turned on.
(After this has been completed every packet will have the ACK flag turned on.)
This is basically computer ‘A’ saying to ‘B’, “Hi, I have a message for you, do you want it?”
Then ‘B’ says “OK, I’m ready, send it”
Then ‘A’ says “OK, here it comes”
There is a little bit more to it than that, which we will look at next.
The reason that the packets had the SYN flag turned on was to enable the two machines to synchronize sequence numbers.
Sequence numbers are used to ensure that the packets arrive in the correct order and to determine if any packets have gone missing somewhere along the line. This is what makes TCP so good. They also allow data from an established and authenticated session to be accepted.
The first SYN packet that is sent to open a connection will look like this:
Syn = On
Ack = Off
Seq# = 000001
Ack# = 0
Notice the Sequence number (Seq#) is 000001 and the Acknowledgment Number (Ack#) is 0.
So this arrives at ‘B’, and ‘B’ now sends a SYN/ACK packet back to ‘A’, so called because both the SYN flag and the ACK flag will be turned on.
Syn = On
Ack = On
Seq# = 111111
Ack# = 000002
Now, this bit can get a bit confusing.
The original sequence number from ‘A’ now becomes ‘B’s Acknowledgment number (Ack#), as it is acknowledging the data sent; it will also increment it accordingly.
Computer ‘A’ knows that it sent a packet with a sequence number of 000001 to ‘B’, so when the next packet is received from ‘B’ it will be expecting it to have an Ack# of 000002 – it gets this as expected and knows that the packet is authentic and from ‘B’. It also now has the sequence number ‘B’ is using, 111111, so for the next packet it sends to ‘B’ it knows that it needs to increment that number and place it in the Ack# field.
So the third and last part of the handshake will be like this:
Syn = Off
Ack = On
Seq# = 000002
Ack# = 111112
When ‘B’ sent back the second packet, it had increased ‘A’s sequence number by 1 – that now becomes ‘A’s sequence number for the third packet.
Now that both stations are aware of each other’s sequence numbers, the main data that needs to be sent can be transmitted, safe in the knowledge that errors and missing packets will be detected.
I hope that wasn’t too confusing. It is important to understand the sequence number concept for when I move on to TCP/IP hijacking later on.
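The flag table and the three handshake packets above, as an added example that is not part of the original post. It packs each packet as a real 20-byte TCP header (so the six flags sit in their actual bit positions) and decodes it again, using the same initial sequence numbers as the text, 000001 for ‘A’ and 111111 for ‘B’. The port numbers are an assumption of the example and the checksum is left at zero, since no packet is actually sent.

```python
# Added example (not from the original post): build the three handshake
# segments as real TCP headers and decode them, to check the Seq#/Ack# arithmetic.
import struct

# Bit positions of the six flags in the TCP header (RFC 793)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# 20-byte header: src port, dst port, seq, ack, data-offset+flags, window, checksum, urgent ptr
TCP_HEADER = "!HHIIHHHH"


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a minimal TCP header (data offset 5 words, checksum left at 0)."""
    bits = 0
    for name in flags:
        bits |= FLAGS[name]
    offset_flags = (5 << 12) | bits
    return struct.pack(TCP_HEADER, sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(data):
    """Unpack the fields the text talks about: ports, Seq#, Ack# and the flag names."""
    if len(data) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, offset_flags, window, checksum, urg = struct.unpack(TCP_HEADER, data[:20])
    set_flags = [name for name, bit in FLAGS.items() if offset_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": set_flags}


def three_way_handshake(isn_a=1, isn_b=111111):
    """Return the three segments exchanged between A and B, decoded into dicts."""
    # 1) A -> B: SYN, Seq# = A's initial number, Ack# = 0 (nothing to acknowledge yet)
    syn = build_tcp_header(40000, 80, isn_a, 0, ["SYN"])
    # 2) B -> A: SYN/ACK, Seq# = B's own number, Ack# = A's number + 1
    syn_ack = build_tcp_header(80, 40000, isn_b, isn_a + 1, ["SYN", "ACK"])
    # 3) A -> B: ACK, Seq# = the number B acknowledged, Ack# = B's number + 1
    ack = build_tcp_header(40000, 80, isn_a + 1, isn_b + 1, ["ACK"])
    return [parse_tcp_header(s) for s in (syn, syn_ack, ack)]


if __name__ == "__main__":
    for direction, seg in zip(("A->B", "B->A", "A->B"), three_way_handshake()):
        print(direction, seg)
```

Decoding the packed bytes back into names is exactly what a sniffer does with the flags field, which is why the same six bits show up in tcpdump output as S, ., P, R, F and U.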
The last layer (and what is used in our first attack) is the Data Link Layer.
The Data Link Layer:
This is where Ethernet comes into the network layers. This layer provides a standard method of addressing for all Ethernet-connected devices on the network. These addresses are commonly known as Media Access Control addresses, or MAC addresses.
Every single Ethernet device is assigned a unique MAC address in the factory where it is made. Usually the address is written in hex format, e.g. 00-30-BD-07-AC-32.
Sometimes the address is also referred to as the Hardware address, as it is unique to each piece of hardware. The reason for this is so that any hardware on a network will have an address that will never change, unlike an IP address, which can change very regularly.
When a data packet is sent over Ethernet it will have in its header the source address and the destination address.
There is a special address that can be used with Ethernet to broadcast to all Ethernet devices on the network: this is all 1’s in binary, 11111111, which as we now know converts to 255 – but remember IP addresses have 4 bytes in them, so the broadcast address will be 255.255.255.255.
On the layer above (the network layer) the addressing system used is IP, but on this layer we use MAC addresses for local transmission. We need to know someone’s MAC address before we can send data to them, provided the destination host is on the same LAN segment – if it is not, then we need to know the MAC address of the default gateway.
This is where a protocol known as the Address Resolution Protocol (ARP) comes into effect.
This protocol builds a table known as an ARP table to link MAC addresses to IP addresses, and it looks (in an edited version) something similar to this
and so on.
To establish this table ARP messages need to be sent around the network via the broadcast address 255.255.255.255.
There are two main ARP messages – ARP request and ARP reply.
When a packet comes to this layer, it looks at the header to see what the destination IP address is. It will now send out an ARP request message saying, “Who does the IP address 192.168.2.2 belong to?”
The computer on that network that has that IP address will receive the ARP request via the broadcast IP, know it has the IP that is being looked for, and reply with an ARP reply message saying “Yep, I have the IP 192.168.2.2, here is my MAC address 00-30-BD-07-CA-37”
This will now get cached in the ARP table and next time a data packet comes down with the destination IP of 192.168.2.2, it will know the correct MAC address to send it to and send it using this straight away.
The ARP broadcast happens at very regular intervals to keep the table up to date.
If an ARP reply message comes in with a new MAC address for a certain IP address, it will overwrite it there and then (unless it has been marked as permanent) – Even if it didn’t send out an ARP request message…
Can anyone see the security flaw here and potential for a possible exploit? If not keep reading.
On the data link layer also exists a method to distinguish between switched and unswitched networks.
The definition of an unswitched network is that – Every Ethernet packet will pass to every host on the network as a Hub will broadcast all traffic out of all ports except for the port the traffic was received on. All the hardware on this network is expected to only look at the destination address to see if it is meant for them or not. If it is, it will read the data part of the packet and the layer process will begin. If it is not meant for it, it should just ignore it.
Again, can anyone see the security flaw here?
If you set a computer on a network to promiscuous mode it will look at the data part of all packets, whether they are addressed to it or not.
This is what programs such as TCPDump and Ethereal/Wireshark utilize.
This method of attacking a network is known as Sniffing, and it can be a very useful way of gathering information such as passwords, user names etc., especially with services that don’t use encryption by default – Telnet, POP3 and FTP for example.
The security implications are quite obvious here, and the way to fix them is to get a switched network.
The idea of a switched network is to ensure that only the packets addressed to a certain computer are sent to it.
This is done by the switch knowing which MAC address is plugged into which port on the switch and only sending data addressed to it out of that port.
So say the switch has 3 ports, and three computers are plugged into it with three different MAC addresses; I will use 1, 2 and 3 to represent the MACs here.
The switch receives a data packet addressed to the MAC address of 1.
(If it were an unswitched network it would now send this data packet out of all ports to all computers.)
But this switch knows that computer with the MAC address of 1 is plugged into port 2, so it will only send the data packet out of port 2.
(Technically the switch will initially flood the traffic out of all ports until it finds out which port the MAC address is on, and then from here on in it will only send it out of the relevant port – this is not too much of a concern though as the first packets destined for the host are likely to be ARP requests anyway – which are broadcast packets….)
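The flood-then-learn behaviour just described, as an added example that is not part of the original post: a three-port switch that learns which port each MAC address is on from the frames it sees, floods anything it does not yet know (or any broadcast, such as an ARP request), and thereafter forwards out of a single port. The port layout and the use of 1, 2 and 3 for MAC addresses follow the text; nothing else here is from the page.

```python
# Added example (not from the original post): a learning switch with three
# ports, showing why the first frame to an unknown MAC is flooded and later
# ones go out of exactly one port.

BROADCAST = "broadcast"   # stands in for the all-ones destination address


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one incoming frame; return the list of ports it is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"no such port {in_port}")
        # learn: whoever sent this frame lives on in_port
        self.table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.table:
            # unknown destination or broadcast: flood every port except the one
            # the frame arrived on, never back out of the same port
            return [p for p in self.ports if p != in_port]
        return [self.table[dst_mac]]


if __name__ == "__main__":
    sw = LearningSwitch(ports=[1, 2, 3])
    # computer with MAC 1 sits on port 2 and ARPs for someone: flooded to ports 1 and 3,
    # and the switch now knows MAC 1 is on port 2
    print(sw.receive(in_port=2, src_mac=1, dst_mac=BROADCAST))
    # computer with MAC 3 (port 1) replies to MAC 1: known, so out of port 2 only
    print(sw.receive(in_port=1, src_mac=3, dst_mac=1))
    # a frame for MAC 2 has never been seen from MAC 2, so it is still flooded
    print(sw.receive(in_port=2, src_mac=1, dst_mac=2))
    print(sw.table)
```

The table is what separates a switch from a hub: once an address is learned, a host on another port no longer sees that traffic, which is the property the rest of this section is about.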
Seems like a foolproof way to send data packets, doesn’t it? Well there is a way around it.
So far the security measures have been concerned with the destination IP/MAC address; what they can’t verify is whether the source address is correct.
This type of spoofing is simply fooling the switch into thinking that a data packet has come from somewhere it didn’t – normally a device it trusts.
So if you can send a data packet out and make a switch think it has come from somewhere else, you have successfully spoofed its source address.
To spoof an address we need to let the network know that the address you are going to use, is alive and well on the network and let it know an IP and MAC address.
Where are these kept? Yep, the ARP table. You may recall me saying earlier that when an ARP reply arrives with a known IP address but a different MAC address all it will do is overwrite the old MAC address with the new one! Even if it has not sent out an ARP request broadcast..
This is called ARP poisoning.
Say we have two computers on a network, old faithful ‘A’ and ‘B’.
They will each have an ARP cache; ‘A’ will have ‘B’s IP address and Mac address and in return ‘B’ will have ‘A’s IP and MAC address.
Think back to the three-port switch, we will be the third computer on that switch.
For the sake of simplicity we will have the MAC addresses of 1,2 and 3 belonging to computers A, B and C respectively. So we will be C with the MAC of 3.
We will have used a program such as TCPDump to capture all the ARP messages that have been sent, and we can now see the IP addresses and MAC addresses of ‘A’ and ‘B’. (Failing this, the results of a ping will add the MAC and IP address to your ARP table, providing you are on the same network.)
What we now need to do is make ‘A’ think we are ‘B’ and also make ‘B’ think we are ‘A’.
So no matter what, the switch will send all the data packets to us.
So, we send an ARP reply out to ‘A’ saying that we are ‘B’ and have a MAC address of 3 (remember our actual MAC is 3, so the switch will send all packets out to us). So now any packets that ‘A’ wants to send to ‘B’ it will address to the MAC of 3 (aka us), as per its ARP cache.
The beauty of this attack is that at this exact point of the attack ‘B’ can still send traffic as normal to all other hosts – all we are doing is making host ‘A’ address the packets to us instead of host ‘B’. The switch is not attacked or exploited in any way – it carries on doing what it is meant to do and sends the packets to the MAC address host ‘A’ has addressed them to. It is a good idea to keep a constant stream of forged ARP replies running to host ‘A’, as if host ‘B’ were to send a packet to host ‘A’ then its ARP cache would be updated to reflect the true ARP information.
There are a few tools that will do this for us; DSniff and Nemesis are two of the most common.
We still have an issue though in that the data that ‘A’ is sending to ‘B’ is not getting there as it is coming to us. We need to turn IP forwarding on to allow the data to reach ‘B’. Obviously this will only allow us to sniff half of the traffic – traffic from ‘A’ that is being sent to ‘B’ – host B still has the correct MAC address for host A so it will not be sent to us…
We now need to do the same thing to B and send him a fake ARP Reply informing him that host ‘A’ has the MAC address of 3. This will ensure we get the return traffic and as long as we have IP Forwarding enabled and have fired Ethereal/TCPDump up we will have a log of all traffic sent between the two hosts and neither of them will be aware that there is a ‘Man in the Middle’ sniffing their traffic.
We need to ensure the regular sending of the ARP replies to the two hosts to ensure that the relevant ARP caches always have our MAC address in them.
You can do this for every computer on the network should you so wish, as far as they are concerned they are sending a data packet addressed to 3, and the switch will duly oblige and send the data straight to you.
Imagine what you could do if one of the computers was a gateway for that sites Internet traffic?
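The defender's side of the ARP behaviour described in this section, as an added example that is not part of the original post: a small monitor of the kind arpwatch-style tools implement, run over constructed ARP events. It raises an alert on exactly the things the attack relies on, a reply that nobody asked for, a known IP suddenly answering from a different MAC, and one MAC claiming several IPs, and it keeps the first binding rather than overwriting it. The two MAC addresses are the ones used as examples earlier in the text; the IPs and the event sequence are constructed here.

```python
# Added example (not from the original post): an ARP cache monitor that flags
# unsolicited replies and IP-to-MAC changes instead of blindly overwriting.
from collections import defaultdict


class ArpMonitor:
    def __init__(self):
        self.cache = {}                    # IP -> MAC first learned for it
        self.pending = set()               # IPs we asked about and have not heard back for
        self.ip_by_mac = defaultdict(set)  # MAC -> IPs it has claimed

    def request(self, ip):
        """Record that this host sent 'who has ip?'."""
        self.pending.add(ip)

    def reply(self, ip, mac):
        """Process an ARP reply; return the alerts it triggers (empty if it looks normal)."""
        alerts = []
        if ip not in self.pending:
            alerts.append(f"unsolicited ARP reply for {ip} from {mac}")
        else:
            self.pending.discard(ip)
        old = self.cache.get(ip)
        if old is not None and old != mac:
            alerts.append(f"MAC for {ip} changed {old} -> {mac}")
        self.ip_by_mac[mac].add(ip)
        if len(self.ip_by_mac[mac]) > 1:
            alerts.append(f"{mac} now claims {sorted(self.ip_by_mac[mac])}")
        # keep the first binding; the naive cache described in the text would overwrite here
        self.cache.setdefault(ip, mac)
        return alerts


# constructed sample traffic: (kind, ip, mac)
EVENTS = [
    ("request", "192.168.2.2", None),
    ("reply", "192.168.2.2", "00-30-BD-07-CA-37"),   # normal: answers our request
    ("reply", "192.168.2.2", "00-30-BD-07-AC-32"),   # nobody asked, and the MAC differs
    ("reply", "192.168.2.1", "00-30-BD-07-AC-32"),   # same MAC now also claims another IP
]


def run(events):
    """Feed events through a monitor and collect every alert raised."""
    mon = ArpMonitor()
    alerts = []
    for kind, ip, mac in events:
        if kind == "request":
            mon.request(ip)
        else:
            alerts.extend(mon.reply(ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print("ALERT:", alert)
```

On a real host the equivalent of "keep the first binding" is a static ARP entry for the gateway, which is the permanent entry the text mentions; the monitor is the part that tells you when someone is trying to change it.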
Hijacking a TCP/IP Connection.
For this attack you will need to understand how the sequence numbers work, so if you didn’t understand it before, go back and re-read it!
For this to work it is essential that the attacker is on the same network as the victim.
When a packet is received after a connection has been established, it has to have the correct sequence number; if the number has already been used the packet will be dropped. If it is higher than what was expected but still within the defined limits then it will be stored, in case it came from a message that has been fragmented and may need to be put back together.
If the sending station’s sequence number is not what the receiving station expected (and vice versa), none of the data packets are passed up through the layers and you have a form of denial of service. If this happens the connection will still remain established.
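The receiver-side rule just stated, as an added example that is not part of the original post: a segment carrying the expected sequence number is accepted, one with a number already used is dropped, one ahead of the expected number but inside the window is held, and one beyond the window is rejected. The window size is an assumption of the example; sequence numbers continue from the handshake above, where ‘A’ is next expected to send 000002.

```python
# Added example (not from the original post): how a receiver treats a segment
# according to its sequence number, with a reorder buffer for early arrivals.


def classify_segment(expected_seq, seg_seq, seg_len, window):
    """Decide what a receiver expecting expected_seq does with a segment.

    Returns one of:
      "accept"  - exactly the byte we were waiting for
      "drop"    - sequence number already used (old or replayed data)
      "buffer"  - ahead of what we expect but inside the window: hold it
      "reject"  - outside the window entirely
    """
    if seg_len <= 0:
        raise ValueError("only data-carrying segments are classified here")
    if seg_seq == expected_seq:
        return "accept"
    if seg_seq < expected_seq:
        return "drop"
    if seg_seq < expected_seq + window:
        return "buffer"
    return "reject"


class Receiver:
    """Tracks the next expected sequence number and the segments held for reordering."""

    def __init__(self, isn, window=8192):
        self.next_seq = isn
        self.window = window
        self.held = {}          # seq -> data, for segments that arrived early
        self.delivered = b""    # what has been passed up to the next layer

    def receive(self, seq, data):
        verdict = classify_segment(self.next_seq, seq, len(data), self.window)
        if verdict == "accept":
            self.delivered += data
            self.next_seq += len(data)
            # drain anything that was waiting on this byte
            while self.next_seq in self.held:
                chunk = self.held.pop(self.next_seq)
                self.delivered += chunk
                self.next_seq += len(chunk)
        elif verdict == "buffer":
            self.held[seq] = data
        return verdict


if __name__ == "__main__":
    r = Receiver(isn=2)
    print(r.receive(7, b"world"))   # buffer: ahead of byte 2
    print(r.receive(2, b"hello"))   # accept, then "world" is drained from the buffer
    print(r.receive(2, b"hello"))   # drop: that number has already been used
    print(r.delivered)
```

The "drop" branch is what stops a stale or replayed segment from being delivered twice; it is also the reason the text's next paragraphs matter, since the receiver has no way to tell whose segment consumed a sequence number first.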
Here’s how this attack works:
We will use hosts ‘A’ and ‘B’ again for this.
We need to sniff all packets coming from the victim computer (‘A’) with a utility such as TCPDump.
From these sniffed packets we can get the sequence number that ‘A’ is up to.
Now we send a packet to ‘B’ with the source address spoofed to make it look like it came from ‘A’, with the correct sequence number. (TCPDump again)
When ‘B’ receives this packet, believing it came from ‘A’, it will respond to this data packet after increasing the sequence number.
Now ‘A’ didn’t send the packet, we did, so when the packet from ‘B’ arrives with the wrong sequence number ‘A’ will keep it for reconstruction purposes, as the sequence number will be higher, but to all intents and purposes it will ignore it.
But what will happen now if ‘A’ sends a packet to ‘B’? Its sequence number will be one that has already been used (by us), so ‘B’ will drop the packet. So no matter what ‘A’ sends now, it will always be ignored. And everything ‘B’ sends to ‘A’ will be stored for later use, as the sequence number will be too high.
But as we sent out the first packet that caused all this, we have the correct sequence number that ‘B’ is expecting, so we have in effect hijacked the connection, because we can carry on talking to ‘B’ and whatever ‘A’ sends will be ignored! And we have caused a denial of service (DoS) between two computers on this network.
There is another similar method whereby you sniff a connection, get the relevant sequence numbers, spoof the source address and send a packet with the RST (reset) flag turned on; when you send this you will reset the connection. Again this causes a DoS state that can be hijacked as long as you have the correct sequence number.
I hope this has been an informative paper and helps people to understand network protocols and very basic attacks a bit more thoroughly.