Work Protocol Fundamentals 2
Part 2
Vincent Ryan
Agenda:
Ethernet
ICMP
Typical Frame Layout (Simplified)
[figure: simplified frame layout showing IP addresses (IPv4), Ports (TCP) and Data]
Ethernet
[figure: Ethernet header fields of 6 bytes, 6 bytes and 2 bytes (destination MAC, source MAC, EtherType)]
Ethernet Full Details
[figure: full Ethernet frame layout; two fields are marked "Typically NOT Captured"]
Wi-Fi
Ethernet Header
Ethernet Review
● The header features destination and source MAC addresses (each six bytes in length), the EtherType field and, optionally, an IEEE 802.1Q tag.
● The EtherType field is two bytes long and it can be used for two different purposes.
– Values of 1500 and below mean that it is used to indicate the size of the payload in bytes (IEEE 802.3 framing).
– Values of 1536 and above indicate that it is used as an EtherType, to indicate which protocol is encapsulated in the payload of the frame. (When used as an EtherType, the length of the frame is determined by the location of the interpacket gap and a valid frame check sequence (FCS).) Values from 1501 to 1535 are reserved and should not appear.
● The IEEE 802.1Q tag, if present, is a four-byte field that indicates VLAN membership and IEEE 802.1p priority. It sits where the EtherType would be, with value 0x8100, and the real EtherType follows it.
– So note that NOT every Ethernet header is 14 bytes long: a tagged frame has an 18-byte header, and a decoder that assumes 14 bytes will misread both the EtherType and the start of the payload.
Source : https://en.wikipedia.org/wiki/Ethernet_frame
Ethernet Review
● Note that Ethernet frames also have a 4-byte trailer, the Frame Check Sequence (FCS), which is a Cyclic Redundancy Check (CRC-32)
● Used to detect frame corruption: the receiving NIC recomputes the CRC and discards the frame if it does not match
● Usually not captured by tcpdump and other sniffers, because the NIC checks and strips the FCS before the frame is handed to the host, so it is not considered to be data
Ethernet Review
● Some EtherType values:
0x0800 represents IPv4
0x86DD represents IPv6
0x0806 represents ARP
0x8137 represents Novell IPX
0x8100 represents a VLAN-tagged frame (IEEE 802.1Q); the EtherType of the encapsulated protocol follows the tag
Source : en.wikipedia.org/wiki/EtherType
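The three Ethernet Review slides above describe everything a frame decoder has to get right: the 14-byte header, the length-versus-EtherType rule at 1500/1536, the 18-byte header when an 802.1Q tag is present, and the optional FCS trailer. The following parser is an added example written for this page; it is not code from the slides or from any tool they mention. The sample frames at the bottom are constructed (dummy payloads, made-up MAC addresses), and `with_fcs` appends a CRC-32 the way a NIC would so that the FCS check can be exercised even though most captures do not contain one.

```python
"""Ethernet frame parser: added example, not from the slides.

Covers what the Ethernet Review slides describe:
  * length/type <= 1500 is an IEEE 802.3 length field
  * length/type >= 1536 is an EtherType (table below)
  * EtherType 0x8100 means an 802.1Q tag follows, so the header is 18 bytes
  * an optional trailing FCS (CRC-32) that most captures do not include
"""
import struct
import zlib

ETHERTYPES = {
    0x0800: "IPv4",
    0x86DD: "IPv6",
    0x0806: "ARP",
    0x8137: "Novell IPX",
    0x8100: "802.1Q VLAN tag",
}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs_ok(frame: bytes) -> bool:
    """Check a trailing FCS: CRC-32 over everything before it,
    transmitted least-significant byte first."""
    if len(frame) < 18:
        return False
    expected = struct.unpack("<I", frame[-4:])[0]
    return (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == expected


def parse_ethernet(frame: bytes, has_fcs: bool = False) -> dict:
    """Return header fields and payload; raises ValueError on malformed input."""
    if has_fcs:
        if not fcs_ok(frame):
            raise ValueError("FCS mismatch: frame corrupted or FCS not present")
        frame = frame[:-4]
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, length_type = struct.unpack("!6s6sH", frame[:14])
    offset, vlan, priority = 14, None, None
    if length_type == 0x8100:                       # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, length_type = struct.unpack("!HH", frame[14:18])
        priority, vlan = tci >> 13, tci & 0x0FFF    # 802.1p PCP and VLAN ID
        offset = 18
    if length_type <= 1500:                         # 802.3 length field
        kind, proto = "length", None
        payload = frame[offset:offset + length_type]
        if len(payload) != length_type:
            raise ValueError("802.3 length exceeds captured bytes")
    elif length_type >= 1536:                       # Ethernet II type field
        kind = "ethertype"
        proto = ETHERTYPES.get(length_type, f"unknown 0x{length_type:04x}")
        payload = frame[offset:]
    else:
        raise ValueError(f"length/type value {length_type} is reserved")
    return {
        "dst": mac(dst), "src": mac(src), "vlan": vlan, "priority": priority,
        "kind": kind, "length_type": length_type, "proto": proto,
        "header_len": offset, "payload": payload,
    }


def with_fcs(frame: bytes) -> bytes:
    """Append the FCS a NIC would compute (used here to build test frames)."""
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


# Constructed sample frames (not real captures); payloads are dummy bytes.
BCAST = bytes.fromhex("ffffffffffff")
HOST = bytes.fromhex("001122334455")
FRAME_IPV4 = BCAST + HOST + b"\x08\x00" + b"\x45" + b"\x00" * 19
FRAME_VLAN_ARP = (BCAST + HOST + b"\x81\x00"
                  + struct.pack("!H", (5 << 13) | 100)   # PCP 5, VLAN 100
                  + b"\x08\x06" + b"\x00" * 28)
FRAME_8023 = BCAST + HOST + struct.pack("!H", 46) + b"\xaa\xaa\x03" + b"\x00" * 43

if __name__ == "__main__":
    for name, f in [("IPv4", FRAME_IPV4), ("VLAN+ARP", FRAME_VLAN_ARP), ("802.3", FRAME_8023)]:
        p = parse_ethernet(f)
        print(name, p["header_len"], p["kind"], p["proto"], p["vlan"], len(p["payload"]))
    print("FCS ok:", fcs_ok(with_fcs(FRAME_IPV4)))
```

The point to notice is that `header_len` comes out as 18 for the tagged frame and 14 for the others; a decoder that hard-codes 14 would read the TCI as the EtherType and shift the whole IP header by four bytes, which is exactly the kind of mistake that lets a VLAN-tagged packet slip past a naive filter.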
ICMP
ICMP
● ICMP was created to report problems that are not transient. (A corrupt packet, for example, is the transient case: it is silently discarded and no ICMP message is generated for it.)
● A non-transient example is one where fragmentation is needed, but the DF bit is set in the IP header (Destination Unreachable, type 3, code 4).
● Another is a non-listening UDP port (Destination Unreachable, type 3, code 3): the problem is unlikely to be solved by retrying.
● ICMP is also used for ping (Echo Request, type 8, and Echo Reply, type 0).
ICMP
● ICMP doesn't have ports
● ICMP works at layer three (3)
– While ICMP sits "on top of" IP (it is carried in IP packets with protocol number 1), ICMP is not a layer 4 protocol. Strangely, it is still considered to be at layer 3 rather than one layer higher. IGMP and ICMP operate directly over IP, but they don't provide layer 4 services.
– The network layer routes the packets according to the unique network addresses.
● However, I always think of it as a layer 4 protocol
Network layers
ICMP ID and Sequence Numbers
● Used to pair ping responses with the ping requests
● The ICMP ID is in bytes 4 and 5 of the ICMP header (counting from 0, immediately after the type, code and checksum fields)
● The ICMP sequence numbers are in bytes 6 and 7
● In UNIX, the ICMP ID has traditionally been the process ID of the ping (its low 16 bits); newer implementations may choose it differently, so treat it as a correlation key rather than a reliable PID
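The slide gives the byte offsets of the ID and sequence fields and explains that they pair replies with requests. Below is an added example, written for this page rather than taken from the slides or from any ping implementation, that shows both sides of the exchange: the sender builds an Echo Request with the RFC 1071 checksum, the target answers with an Echo Reply carrying the same ID, sequence number and data, and the sender matches it. The `Pinger` class, its `ident` default (the process ID, following the traditional Unix behaviour the slide describes) and the payload strings are assumptions of this example.

```python
"""ICMP echo request/reply builder and matcher: added example, not from the slides.

ICMP header layout (8 bytes): type, code, checksum, identifier, sequence.
The identifier occupies bytes 4-5 and the sequence number bytes 6-7,
which is how a pinger pairs each reply with the request it answers.
"""
import os
import struct

ECHO_REPLY = 0
ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over the whole ICMP message.
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_echo(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if icmp_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": msg[8:]}


def echo_reply_for(request: bytes) -> bytes:
    """What the target host sends back: type 0, same id, seq and data."""
    req = parse_echo(request)
    if req["type"] != ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(ECHO_REPLY, req["id"], req["seq"], req["payload"])


class Pinger:
    """Sender side: issues requests and pairs replies by (id, seq)."""

    def __init__(self, ident=None):
        # Traditional Unix ping uses its PID (low 16 bits) as the identifier.
        self.ident = (os.getpid() & 0xFFFF) if ident is None else ident
        self.outstanding = {}          # seq -> payload we sent
        self.next_seq = 0

    def request(self, payload: bytes = b"added-example") -> bytes:
        seq = self.next_seq
        self.next_seq = (seq + 1) & 0xFFFF
        self.outstanding[seq] = payload
        return build_echo(ECHO_REQUEST, self.ident, seq, payload)

    def match(self, msg: bytes):
        """Return the seq a reply answers, or None if it is not ours (wrong id),
        has an unknown or already-answered seq, altered data, or a bad checksum."""
        try:
            rep = parse_echo(msg)
        except ValueError:
            return None
        if rep["type"] != ECHO_REPLY or rep["id"] != self.ident:
            return None
        sent = self.outstanding.get(rep["seq"])
        if sent is None or sent != rep["payload"]:
            return None
        del self.outstanding[rep["seq"]]
        return rep["seq"]


if __name__ == "__main__":
    p = Pinger()
    req = p.request(b"hello")
    print("id bytes 4-5:", req[4:6].hex(), "seq bytes 6-7:", req[6:8].hex())
    print("matched seq:", p.match(echo_reply_for(req)))
```

Two details matter in practice: verifying the checksum over the received message must yield zero (the same routine serves both to compute and to check), and a reply is only accepted once, so a replayed or forged reply with a stale sequence number is ignored.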
ICMP to find live hosts
● If any of the following ICMP messages can be got from a host, we can assume that the host is alive:
– Host Unreachable, Protocol Unreachable, Port Unreachable (Destination Unreachable, type 3, codes 1, 2 and 3; note that Host Unreachable is normally generated by the last-hop router on the target's behalf, so it shows a live router rather than a live target)
– Echo Request/Reply (types 8/0)
– Timestamp Request/Reply (types 13/14)
– Address Mask Request/Reply (types 17/18)
– Reassembly Time Exceeded (Time Exceeded, type 11, code 1)
– Parameter Problem (type 12)
ICMP Tunnel
● ICMP tunneling is a command-and-control (C2) technique that covertly passes attacker traffic through perimeter defences that allow ping.
● Malicious data passing through the tunnel is hidden within normal-looking ICMP echo requests and echo replies, in the payload that follows the 8-byte ICMP header.
● There are a number of tools, such as icmpsh and ptunnel
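From the defender's side, the slide's description suggests what to look for: a tunnel has to break the shape of ordinary ping traffic. The detector below is an added example for this page, not the output of icmpsh or ptunnel and not code from the slides. It groups echo messages by ICMP identifier and flags three deviations: a reply whose data differs from the request (RFC 792 says an echo reply returns the request's data unchanged, but a C2 channel has to send commands down in replies), payload sizes that vary within one flow, and payloads that do not match stock ping padding. The traffic it runs over is constructed: the "Unix" pings are modelled on a timestamp followed by an ascending byte ramp, the "Windows" pings use the familiar 32-byte alphabet string, and the tunnel data is deterministic pseudo-random bytes standing in for encrypted chunks. The padding signatures and the flagging rules are assumptions to tune for a real network.

```python
"""ICMP-tunnel heuristics over constructed traffic: added example, not from
the slides and not the output of icmpsh or ptunnel.

Plain ping has a recognisable shape; a tunnel breaks it:
  * an echo reply should return the request's data unchanged (RFC 792)
  * ping uses one payload size per run; tunnels size packets to the data
  * ping pads with a fixed pattern; tunnel data does not match it
Flows are keyed by the ICMP identifier. Patterns and rules are assumptions.
"""
import hashlib
import struct
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
# Windows ping's 32-byte padding (assumption: stock, unmodified client)
WINDOWS_PAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def parse_icmp(msg: bytes):
    msg_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return msg_type, ident, seq, msg[8:]


def looks_like_ping_padding(payload: bytes) -> bool:
    """Stock padding: the Windows string, or (Unix) a timestamp followed by
    an ascending byte ramp. A custom `ping -p` pattern would be flagged."""
    if payload == WINDOWS_PAD:
        return True
    for ts_len in (8, 16):            # timestamp is 8 or 16 bytes (assumption)
        tail = payload[ts_len:]
        if len(tail) >= 8 and all((tail[i + 1] - tail[i]) % 256 == 1
                                  for i in range(len(tail) - 1)):
            return True
    return False


def analyse(messages):
    """messages: raw ICMP echo messages in capture order.
    Returns {icmp_id: sorted reasons}; an empty list means plain ping."""
    flows = defaultdict(lambda: {"requests": {}, "sizes": set(), "reasons": set()})
    for msg in messages:
        msg_type, ident, seq, payload = parse_icmp(msg)
        if msg_type not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        flow = flows[ident]
        flow["sizes"].add(len(payload))
        if not looks_like_ping_padding(payload):
            flow["reasons"].add("payload is not a stock ping pattern")
        if msg_type == ECHO_REQUEST:
            flow["requests"][seq] = payload
        else:
            sent = flow["requests"].pop(seq, None)
            if sent is None:
                flow["reasons"].add("reply without matching request")
            elif sent != payload:
                flow["reasons"].add("reply payload differs from request")
    for flow in flows.values():
        if len(flow["sizes"]) > 1:
            flow["reasons"].add("variable payload size")
    return {ident: sorted(flow["reasons"]) for ident, flow in flows.items()}


def echo(msg_type, ident, seq, payload):
    # checksum left as zero: these are constructed messages for the detector
    return struct.pack("!BBHHH", msg_type, 0, 0, ident, seq) + payload


def unix_ping_payload(seq):
    # modelled on Unix ping: 8-byte timestamp then ascending bytes, 56 total
    return struct.pack("!Q", 1_700_000_000 + seq) + bytes(range(0x10, 0x40))


def c2_chunk(label: str, size: int) -> bytes:
    # stand-in for encrypted tunnel data: deterministic pseudo-random bytes
    out = b""
    while len(out) < size:
        out += hashlib.sha256(f"{label}-{len(out)}".encode()).digest()
    return out[:size]


def sample_traffic():
    """Constructed capture: two benign ping runs, one tunnel, one stray reply."""
    msgs = []
    for seq in range(4):                                   # Unix host pinging
        p = unix_ping_payload(seq)
        msgs += [echo(ECHO_REQUEST, 0x1A2B, seq, p), echo(ECHO_REPLY, 0x1A2B, seq, p)]
    for seq in (1, 2):                                     # Windows host pinging
        msgs += [echo(ECHO_REQUEST, 0x0001, seq, WINDOWS_PAD),
                 echo(ECHO_REPLY, 0x0001, seq, WINDOWS_PAD)]
    for seq, (up, down) in enumerate([(40, 128), (128, 9), (9, 64)]):   # tunnel
        msgs += [echo(ECHO_REQUEST, 0xBEEF, seq, c2_chunk("exfil", up)),
                 echo(ECHO_REPLY, 0xBEEF, seq, c2_chunk("command", down))]
    msgs.append(echo(ECHO_REPLY, 0x7777, 0, unix_ping_payload(0)))  # unsolicited reply
    return msgs


if __name__ == "__main__":
    for ident, reasons in analyse(sample_traffic()).items():
        print(f"id 0x{ident:04x}: {reasons or 'looks like plain ping'}")
```

The request/reply mismatch is the strongest of the three signals because a tunnel that needs a downstream channel cannot avoid it; the size and padding checks are noisier and will also fire on legitimate but unusual pings (custom `-p` patterns, `-s 0`), so they are better used to raise a score than to block on their own.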