
Network Protocols Review

Part 2

1
Vincent Ryan
Agenda:

Ethernet

ICMP

Typical Frame Layout
(Simplified)

(Diagram of the nested headers; only the labels are recoverable:)
Data
Ports: TCP
IP addresses: IPv4
MAC addresses: Ethernet

Ethernet

(Frame header diagram: three fields of 6 bytes, 6 bytes and 2 bytes.)

Ethernet Full Details

(Diagram of the full frame; two of its fields are marked "Typically NOT Captured".)

wifi (diagram only)

Ethernet Header (diagram only)

Ethernet Review

The header features destination and source MAC addresses (each six
bytes in length), the EtherType field and, optionally, an IEEE 802.1Q tag.

The EtherType field is two bytes long and can be used for two
different purposes.
– Values of 1500 and below mean that the field gives the size of the payload
in bytes.
– Values of 1536 and above mean that the field is used as an EtherType, to indicate
which protocol is encapsulated in the payload of the frame. (When used as an
EtherType, the length of the frame is determined by the location of the
interpacket gap and a valid frame check sequence (FCS).)

The IEEE 802.1Q tag, if present, is a four-byte field that indicates VLAN
membership and IEEE 802.1p priority.
– So note that NOT every Ethernet header is 14 bytes long.

Source: https://en.wikipedia.org/wiki/Ethernet_frame
Ethernet Review

Note that Ethernet frames also have a 4-byte trailer, which
is also known as a Cyclic Redundancy Check (CRC).

– Used to detect frame corruption.

– Not captured by tcpdump and other sniffers, as it is not
considered to be data.

Ethernet Review

Some EtherType values:
0x0800 represents IPv4
0x86DD represents IPv6
0x0806 represents ARP
0x8137 represents Novell IPX
0x8100 represents VLAN (the IEEE 802.1Q tag)

Source: en.wikipedia.org/wiki/EtherType

ICMP

ICMP

ICMP was created to report problems that
are not transient, e.g. a corrupt packet.

A non-transient example is one where
fragmentation is needed, but the DF bit is set in
the IP header.

Another is a non-listening UDP port; the
problem is unlikely to be solved.

ICMP is also used for ping.

ICMP

ICMP doesn't have ports.

ICMP works at layer three (3).
– While ICMP sits "on top of" IP, ICMP is not a layer 4
protocol. Strangely, it is still considered to be at
layer 3 rather than one layer higher. IGMP and
ICMP operate directly over IP, but they don't provide
layer 4 services.
– The network layer routes the packets according to
the unique network addresses.

However, I always think of it as a layer 4
protocol.
Network layers

Note that ARP belongs to both layer 2 and
layer 3. It translates layer 3 to layer 2. ARP
requests and replies are not routed.
ICMP
Typical ICMP packet structure:

IP Hdr: 20 bytes (maybe) | ICMP packet: variable length

Typical ICMP header structure:

Type | Code | Checksum
Contents

Type is 1 byte
Code is 1 byte
Checksum is 2 bytes
Contents depends on the type and code


When ICMP should not be sent

If the condition is temporary and is likely to be
corrected, then an ICMP message should not
be sent.

ICMP packets should not be sent in response to
another ICMP packet.

ICMP packets should not be sent in response to
an IP packet with a broadcast destination
address.
– e.g. if a UDP packet is sent to a broadcast address,
then every host that does not listen on that port would
otherwise respond.
ICMP codes and types

Refer to the tcpdump cheat sheet for some
codes and types.

Also see
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
for a list of those which are deprecated.

ICMP ID and Sequence Numbers

Used to pair ping responses with the ping
requests.

The ICMP ID is in bytes 4 and 5.

The ICMP sequence number is in bytes 6
and 7.

In UNIX, the ICMP ID is typically the process ID
of the ping.
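The Ethernet header rules from the Ethernet Review slide (length vs. EtherType, optional 802.1Q tag, so the header is 14 or 18 bytes) and the ICMP layout above (type, code, checksum, then ID and sequence in bytes 4 to 7) as one added parser. This is example code written for this page, not the author's; the frame it parses is constructed inline, the IPv4 header checksum is deliberately left at zero and not verified, and the function and field names are my own.

```python
import struct
ETHERTYPE_VLAN, ETHERTYPE_IPV4, IPPROTO_ICMP = 0x8100, 0x0800, 1

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 when computed over a message whose checksum is valid."""
    data += b"\x00" * (len(data) % 2)  # zero-pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ethernet(frame: bytes) -> dict:
    """MACs, EtherType-or-length, optional 802.1Q tag, and the real header length (14 or 18)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the minimal 14-byte Ethernet header")
    dst, src, tag = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "header_len": 14}
    if tag == ETHERTYPE_VLAN:  # TPID 0x8100, 2-byte TCI (PCP:3 DEI:1 VID:12), then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, tag = struct.unpack("!HH", frame[14:18])
        info.update(vlan=tci & 0x0FFF, priority=tci >> 13, header_len=18)
    if 1500 < tag < 1536:
        raise ValueError("EtherType/length value 0x%04x is undefined" % tag)
    # <= 1500: field is the payload length (802.3 framing); >= 1536: field is an EtherType
    info.update(ethertype=tag if tag >= 1536 else None, length=tag if tag <= 1500 else None)
    return info

def parse_icmp(icmp: bytes) -> dict:
    """Type (byte 0), code (1), checksum (2-3), ID (4-5), sequence (6-7), plus checksum verification."""
    if len(icmp) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": icmp_type, "code": code, "checksum": checksum, "id": ident,
            "seq": seq, "checksum_ok": inet_checksum(icmp) == 0}

def parse_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> ICMP, using header_len and the IPv4 IHL rather than fixed offsets."""
    eth = parse_ethernet(frame)
    ip = frame[eth["header_len"]:]
    if eth["ethertype"] != ETHERTYPE_IPV4 or len(ip) < 20 or ip[9] != IPPROTO_ICMP:
        return {"eth": eth, "icmp": None}
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes: 20 unless IP options are present
    return {"eth": eth, "icmp": parse_icmp(ip[ihl:])}

# Constructed sample: VLAN 100/priority 5, IPv4 with DF set (IP checksum left 0), echo request ID 0x1234 seq 1
SAMPLE_FRAME = (bytes.fromhex("001122334455" "66778899aabb")
                + struct.pack("!HHH", ETHERTYPE_VLAN, (5 << 13) | 100, ETHERTYPE_IPV4)
                + bytes.fromhex("4500002000014000400100000a0000010a000002")
                + bytes.fromhex("080006fa12340001") + b"ping")
```

Feeding a tagged frame and an untagged one through parse_ethernet shows why a fixed 14-byte skip mis-reads the IP header on VLAN trunks.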
ICMP to find live hosts

If any of the following ICMP messages can be
obtained from a host, we can assume that the host is
alive:
– Host Unreachable, Protocol Unreachable, Port
Unreachable
– Echo Request/Reply
– Timestamp Request/Reply
– Address Mask Request/Reply
– Reassembly Time Exceeded
– Parameter Problem
ICMP Tunnel

ICMP tunneling is a command-and-control (C2)
attack technique that secretly passes malicious
traffic through perimeter defenses.

Malicious data passing through the tunnel is
hidden within normal-looking ICMP echo
requests and echo replies.

There are a number of tools, such as icmpsh
and ptunnel.
