
Advanced Penetration Testing and Security Analysis

Module 03
TCP/IP Packet Analysis

Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Copyright © 2004 EC-Council. All rights reserved worldwide.
Module Objective

This module will familiarize you with:

• TCP/IP Model
• Comparing OSI and TCP/IP
• Addressing
• Subnetting
• IPv4 and IPv6
• Windowing
• TCP/IP Protocols
• TCP and UDP Port Numbers
• TCP Operation
• Sequencing Numbers
• UDP Operation
• ICMP and ICMP Control Messages

As a Security Analyst, you must have complete mastery of the TCP/IP protocol suite.

This module covers the technical aspects of the TCP/IP protocols.

TCP/IP Model

The TCP/IP model has four layers:

Application layer

Transport layer

Internet layer

Network Access layer

Application Layer

The application layer of the TCP/IP model handles high-level protocols and issues of representation, encoding, and dialog control.

Application layer protocols by function:

• File Transfer: TFTP, FTP, NFS
• Email: SMTP
• Remote Login: Telnet, rlogin
• Network Management: SNMP
• Name Management: DNS

Transport Layer

The transport layer provides transport services from the source host to the destination host.

The transport layer constitutes a logical connection between the endpoints of the network, the sending host and the receiving host.

End-to-end control is the primary duty of the transport layer when using TCP.

Transport layer protocols:

• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

Internet Layer

The purpose of the Internet layer is to select the best path through the network for packets to travel.

Internet layer protocols:

• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Address Resolution Protocol (ARP)
• Reverse Address Resolution Protocol (RARP)

Network Access Layer

The network access layer is also called the host-to-network layer.

It includes the LAN and WAN technology details.

Network access layer technologies and protocols:

• Ethernet, Fast Ethernet
• SLIP & PPP
• FDDI
• ATM, Frame Relay & SMDS
• Network address resolution: ARP, Proxy ARP, RARP

Comparing OSI and TCP/IP

OSI MODEL              TCP/IP MODEL
APPLICATION LAYER   \
PRESENTATION LAYER   > APPLICATION LAYER
SESSION LAYER       /
TRANSPORT LAYER        TRANSPORT LAYER
NETWORK LAYER          INTERNET LAYER
DATA LINK LAYER     \
PHYSICAL LAYER      /  NETWORK ACCESS LAYER

Comparing OSI and TCP/IP (cont’d)

Both have application layers, though they include very different services.
• TCP/IP combines the presentation and session layers into its application layer.
• TCP/IP combines the data link and physical layers into the network access layer.

Both have comparable transport and network layers.
• TCP/IP appears simpler because it has fewer layers.

Packet-switched, not circuit-switched, technology is assumed.
• The TCP/IP transport layer using UDP does not always guarantee reliable delivery of packets as the transport layer in the OSI model does.

TCP

Transmission Control Protocol (TCP) is a connection-oriented four-layer protocol.

It is responsible for breaking messages into segments, reassembling them at the destination station, and resending segments that are not received.

The protocols that use TCP include:

• FTP (File Transfer Protocol).
• HTTP (Hypertext Transfer Protocol).
• SMTP (Simple Mail Transfer Protocol).
• Telnet.

TCP Header

IP Header

Protocol Field
IP Header: Protocol Field

Connection-oriented (TCP) or connectionless (UDP)

The IP packet has a protocol field that specifies whether the segment it carries is TCP or UDP.

UDP

User Datagram Protocol (UDP) is the connectionless transport protocol.

It is a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery.

It uses no windowing or acknowledgments, so reliability, if needed, is provided by application layer protocols.

The protocols that use UDP include:

• TFTP (Trivial File Transfer Protocol).
• SNMP (Simple Network Management Protocol).
• DHCP (Dynamic Host Control Protocol).
• DNS (Domain Name System).

TCP and UDP Port Numbers

Both TCP and UDP use port (socket) numbers to pass information to the upper layers.

Port numbers are used to keep track of different conversations crossing the network at the same time.

Port numbers have the following assigned ranges:

• Numbers below 1024 are considered well-known port numbers.
• Numbers above 1024 are dynamically assigned port numbers.
• Registered port numbers are those registered for vendor-specific applications; most of these are above 1024.

Port Numbers

Conversations that do not involve an application with a well-known port number are,
instead, assigned port numbers that are randomly selected from within a specific range.

These port numbers are used as source and destination addresses in the TCP segment.

Some ports are reserved in both TCP and UDP, although applications might not be written to
support them.

Port numbers have the following assigned ranges:

Numbers below 255 are reserved for public applications.

Numbers from 255-1023 are assigned to companies for marketable applications.

Numbers above 1023 are unregulated.

Port Numbers

TCP Header

 0                                15 16                                31
+----------------------------------+----------------------------------+
| 16-bit Source Port Number        | 16-bit Destination Port Number   |
+----------------------------------+----------------------------------+
| 32-bit Sequence Number                                              |
+---------------------------------------------------------------------+
| 32-bit Acknowledgement Number                                       |
+--------------+-----------+-------------------+----------------------+
| 4-bit Header | 6-bit     | U A P R S F       |                      |
| Length       | (Reserved)| R C S S Y I       | 16-bit Window Size   |
|              |           | G K H T N N       |                      |
+--------------+-----------+-------------------+----------------------+
| 16-bit TCP Checksum              | 16-bit Urgent Pointer            |
+----------------------------------+----------------------------------+
| Options (if any)                                                    |
+---------------------------------------------------------------------+
| Data (if any)                                                       |
+---------------------------------------------------------------------+

End systems use port numbers to select the proper application:

• Originating source port numbers, usually a value larger than 1023, are dynamically assigned by the source host.

IANA

The well-known ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.

The registered ports are listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.

The IANA registers uses of these ports as a convenience to the community.

The range for assigned ports managed by the IANA is 0-1023.

Source and Destination
Port Numbers

Notice the difference in how source and destination port numbers are used with clients and servers:

Client:
  Destination Port = 23 (telnet)
  Source Port = 1028 (dynamically assigned)

Server:
  Destination Port = 1028 (source port of client)
  Source Port = 23 (telnet)

What Makes Each Connection
Unique?

A connection is defined by the pair of numbers:

• Source IP address, source port
• Destination IP address, destination port

Different connections can use the same destination port on the server host as long as the source ports or source IPs are different.

netstat command

Columns: TCP or UDP | Source IP | Source Port | Destination IP | Destination Port | Connection State
(Example destinations shown on the slide: www.google.com, www.cisco.com.)

Note: In actuality, when you open up a single web page, there are usually several TCP sessions created, not just one.

Example of multiple TCP connections for a single HTTP session is as follows:


Application Header + data

Port numbers are used to know which application the receiving host should pass the “Data” to.

TCP Operation

IP is a best-effort delivery.

The transport layer (TCP) is responsible for reliability and flow control from source to destination.

This is accomplished using:

• Sliding windows (flow control).
• Sequencing numbers and acknowledgments (reliability).
• Synchronization (establish a virtual circuit).

Three-Way Handshake

TCP requires connection establishment before data transfer begins.

For a connection to be established or initialized, the two hosts must synchronize.

The synchronization requires each side to send its own initial sequence number and to receive a confirmation of the exchange in an acknowledgment (ACK) from the other side.

This exchange is called a three-way handshake.
UDP datagram: Application Header + data, IP Protocol Field = 17

TCP segment: Application Header + data, IP Protocol Field = 6

Flow Control

Flow control avoids the problem of a transmitting host overflowing the buffers in the receiving host.

TCP provides the mechanism for flow control by allowing the sending and receiving host to communicate.

The two hosts then establish a data-transfer rate that is agreeable to both.

Windowing

Windowing is a flow-control mechanism.

Windowing requires that the source device receive an acknowledgment from the destination after transmitting a certain amount of data.

Windowing and Window Sizes

This is an example of simple windowing.

The window size refers to the number of bytes that are transmitted before receiving an acknowledgment.

After a host transmits the window-size number of bytes, it must receive an acknowledgment before any more data can be sent.

The window size determines how much data the receiving station can accept at one time.

Simple Windowing

TCP is responsible for breaking data into segments.

With a window size of 1, each segment carries only one byte of data and must be acknowledged before another segment is transmitted.

The purpose of windowing is to improve flow control and reliability.

With a window size of 1, there is very inefficient use of bandwidth.

Simple Windowing (cont’d)

TCP window size:

TCP uses a window size, a number of bytes that the receiver is willing to accept, and it is usually controlled by the receiving process.

TCP uses expectational acknowledgments, which means that the acknowledgment number refers to the next byte that the sender of the acknowledgement expects to receive.

A larger window size allows more data to be transmitted pending acknowledgment.

Note: The sequence number being sent identifies the first byte of data in that segment.

Simple Windowing (cont’d)

TCP full-duplex service: independent data flows

TCP provides full-duplex service, which means data can be flowing in each
direction, independent of the other direction.

Window sizes, sequence numbers, and acknowledgment numbers are independent of each other’s data flow.

The receiver sends the acceptable window size to the sender during each segment transmission (flow control):
• If too much data is sent, the acceptable window size is reduced.
• If more data can be handled, the acceptable window size is increased.

This is known as a Stop-and-Wait windowing protocol.

Acknowledgement

Positive acknowledgment with retransmission is one technique that guarantees reliable delivery of data.

It requires a recipient to communicate with the source and send back an acknowledgment message when the data is received.

Segments that are not acknowledged within a given time period will result in a retransmission.

Sliding Windows
Figure: Initial window (Usable Window: can send ASAP) and working window (Octets sent, not ACKed | Usable Window: can send ASAP).

Sliding window algorithms are a method of flow control for network data transfers using the receiver’s window size.

The sender computes its usable window, or up to how much data it can immediately send.

Over time, this sliding window moves to the right, as the receiver acknowledges data.

The receiver sends acknowledgements as its TCP receiving buffer empties.

Sliding Windows (cont’d)

The terms used to describe the movement of the left and right edges of this
sliding window are:

The left edge closes (moves to the right) when data is sent and
acknowledged.

The right edge opens (moves to the right) allowing more data to
be sent. This happens when the receiver acknowledges a certain
number of bytes received.

The middle edge opens (moves to the right) as data is sent, but not
yet acknowledged.

Figure: Host A (sender) and Host B (receiver), octets 1-13, window size = 6. Host A sends octets 1, 2, 3 (octets sent, not ACKed; the rest of the usable window can be sent ASAP). Host B, having received octets 1-3, returns ACK 4.

Host B gives Host A a window size of 6 (octets or bytes).

Host A begins by sending octets to Host B: octets 1, 2, and 3 and slides its window over, showing it has sent those 3 octets.

Host A will not increase its usable window size by 3 until it receives an acknowledgment from Host B that it has received some or all of the octets.

Host B, not waiting for all of the 6 octets to arrive, after receiving the third octet sends an expectational acknowledgement of “4” to Host A.

Note: The left edge closes (moves to the right) when data is sent and acknowledged.
Figure: Host A (sender) and Host B (receiver), window size = 6. After octets 1-3, Host A sends octets 4 and 5; Host B returns ACK 4 and, once octets 4 and 5 arrive, ACK 6.

Host A does not have to wait for an acknowledgement from Host B to keep sending data, not until the amount sent reaches the window size of 6, so it sends octets 4 and 5.

Host A receives the acknowledgement of ACK 4 and can now slide its window over to equal 6 octets: 3 octets sent, not ACKed, plus 3 octets which can be sent ASAP.

Note: The right edge opens (moves to the right) allowing more data to be sent. This happens when the receiver acknowledges a certain number of bytes received.
Figure: Host A (sender) and Host B (receiver), window size = 6. Host A sends octets 1-3 (Host B returns ACK 4), octets 4-5 (ACK 6), then octets 6-7 and octets 8-9 as the window keeps sliding to the right.
Sequencing Numbers

This is only if one octet was sent at a time.

The transferred data segments must be reassembled at the receiver end after successful transfer of data.

There is no guarantee that the data will arrive in the order it was transmitted.

TCP applies sequence numbers to the data segments.

Sequencing Numbers (cont’d)

The receiver can interpret the arrangement of data segments by following the sequence number carried in each segment.

The sequencing number helps the receiver to cross-check whether the data transfer is successful.

The sequencing number helps the sender to retransmit the data in case there is an error in the data transfer.

Sequencing Numbers (cont’d)

Only portions of the TCP headers are displayed.

Packet 1: source: 130.57.20.10 dest: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Initial sequence number = 12952
TCP: Next expected Seq number= 12953
TCP: .... ..1. = SYN
TCP: Window = 8192
TCP: Checksum = 1303 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 2: source: 130.57.20.1 dest: 130.57.20.10
TCP: ----- TCP header -----
TCP: Source port = 524
TCP: Destination port = 1026
TCP: Initial sequence number = 2744080
TCP: Next expected Seq number= 2744081
TCP: Acknowledgment number = 12953
TCP: .... ..1. = SYN
TCP: Window = 32768
TCP: Checksum = D3B7 (correct)
TCP: Maximum segment size = 1460 (TCP Option)

Packet 3: source: 130.57.20.10 dest: 130.57.20.1
TCP: ----- TCP header -----
TCP: Source port = 1026
TCP: Destination port = 524
TCP: Sequence number = 12953
TCP: Next expected Seq number= 12953
TCP: Acknowledgment number = 2744081
TCP: ...1 .... = Acknowledgment
TCP: Window = 8760
TCP: Checksum = 493D (correct)
TCP: No TCP options
Synchronization

For a connection to be established, the two end stations must synchronize with each other's initial TCP sequence numbers (ISNs).

Sequence numbers are used to track the order of packets and to ensure that no packets are lost in transmission.

The initial sequence number is the starting number used when a TCP connection is established.

The initial exchange of sequence numbers during the connection sequence ensures recovery of lost data.
Positive Acknowledgment and
Retransmission (PAR)

PAR: The source sends a packet, starts a timer, and waits for an acknowledgment before sending the next packet.

If the timer expires before the source receives an acknowledgment, the source retransmits the packet and restarts the timer.

TCP uses expectational acknowledgments in which the acknowledgment number refers to the next octet that is expected.

What is Internet Protocol v6 (IPv6)?

IPv6 provides a base for enhanced Internet functionalities.

It is also called IPng, or the next generation protocol.

Purpose of IPv6:

• Expandable address space
• Overcomes the issues in IPv4
• Scalable to new users and new services

Why IPv6?

IPv6 provides flexibility for further growth and expansion of IT development.

The following are the factors that provide a stage for the above growth:

• Address space (large and diverse)
• Auto configuration ability (plug-n-play)
• Mobility (improves mobility model)
• End-to-end security (high comfort factor)
• Extension headers (offer enormous potential)

IPv6 Header

Features of IPv6

Expanded addressing and routing capabilities

Simplified header format

Extension headers

Security

Authentication and privacy

Auto-configuration

Support for source demand routing protocol

Quality of Service (QoS)

IPv4/IPv6 Transition Mechanisms

There are three transition mechanisms available to deploy IPv6 on IPv4 networks.

The transitions can be used in any combination:

Dual stacks: Based on the DNS value, it uses IPv4 or IPv6.

Tunneling: It encapsulates IPv6 packets in IPv4 packets.

Translation: NAT-PT and SIIT are used to enable an IPv6 host to communicate with an IPv4 host.

IPv4/IPv6 Transition Mechanisms (cont’d)

IPv6 Security Issues

Dual-stack related issues:
• IPv6-IPv4 dual stacks increase the potential for security vulnerabilities.

Header manipulation issues:
• Using extension headers and IPsec can deter some header manipulation-based attacks.

Flooding issues:
• Scanning in IPv6 networks for valid host addresses is difficult.

Security Flaws in IPv6

Trespassing:
• With the advanced network discovery of IPv6, it becomes easy for an attacker to get information from any remote networks.

Bypassing filtering devices:
• There are chances of attackers hiding traffic due to the variation in DMZ protection for IPv6 traffic.

Denial-of-service (DoS):
• There are possibilities of DoS attacks while using the same links for sending and receiving IPv6 packets.

Security Flaws in IPv6 (cont’d)

Anycast (no longer safe):
• The routing header 0 (zero) feature of IPv6 can single out all instances of anycast services that work with the same IP on the Internet.

IPv6 puts IPv4 at risk:
• Enabling IPv6 may leave the following vulnerable:
  • The IPv4 network and devices.
  • Security devices.
  • Operating systems.
  • Applications.

IPv6 Infrastructure Security

DNS issues:
• Performance may be affected due to IPv6’s improper configuration and use.
• IPv6 has less impact on DNS security.

Mobile IP:
• Need for authenticated, dynamic registration.
• Firewalls need to control use of routing and home address headers.

IPsec

IP security, or IPsec, is a framework of open standards developed by the Internet Engineering Task Force (IETF).

IPsec provides secure transmission of sensitive data over an unprotected medium, like the Internet.

From the network layer, IPsec protects and authenticates IP packets.

Network security services that IPsec provides are:

• Data confidentiality.
• Data integrity.
• Data origin authentication.
• Anti-replay.

Firewalls and Packet Filtering

Packet filtering:

• Is a process of controlling network traffic by checking every transmitted packet against a predefined security policy.
• Uses rules based on source and destination addresses, but there is a restricted scope for some of the IPv6 addresses.
• Basic IP filtering is still in wide use at the border of networks.

IPv6 firewalling:

• A firewall is an IP packet filter that enforces filtering and security policies on the flowing network traffic.
• Using firewalls in IPv6 is still the best way of protection from low-level attacks at the network and transport layers.

Firewalls and Packet Filtering (cont’d)

IPv6 firewall usage 1:
• “Internet-router-firewall-net architecture”: This order is compatible if the firewall is ready for distinguishing IPv6.

  Internet -- Router -- Firewall -- Protected Network

IPv6 firewall usage 2:
• “Internet-firewall-router-net architecture”: This order cannot handle routing protocols properly.

  Internet -- Firewall -- Router -- Protected Network
Firewalls and Packet Filtering (cont’d)

IPv6 firewall usage 3:
• “Internet-firewall/router (edge device)-net architecture”: This order can be powerful for routing and security policy.

  Internet -- Firewall + Router -- Protected Network

Denial-of-Service (DoS) Attacks

A DoS attack is a common method used by attackers to disrupt system response.

SYN flooding is a type of DoS attack.

SYN flooding exploits the normal three-way handshake.

Malicious flooding by large volumes of TCP SYN packets to the victim’s system with spoofed source IP addresses can cause a DoS.

DoS SYN Flooding Attack

A DoS SYN flooding attack takes advantage of a flaw in how most hosts implement the TCP three-way handshake.

Figure: normal connection establishment between Host A and Host B, contrasted with SYN flooding.

When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds.

A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK.

The victim’s listen queue is quickly filled up.

This ability of removing a host from the network for at least 75 seconds can be used as a DoS attack.

UDP Operation

UDP does not use windowing or acknowledgments, so application layer protocols must provide error detection.

The Source Port field is an optional field used only if information needs to return to the sending host.

When a destination router receives a routing update, the source router is not requesting anything, so nothing needs to return to the source.

This is regarding only RIP updates: BGP uses TCP; IGRP is sent directly over IP. EIGRP and OSPF are also sent directly over IP with their own way of handling reliability.

IP Header Protocol Field

IP Header (bits 0-15 | 16-31):

4-bit Version | 4-bit Header Length | 8-bit Type Of Service (TOS) | 16-bit Total Length (in bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time To Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Data

Internet Control Message Protocol (ICMP)

IP is an unreliable method for delivery of network data.

IP does not notify the sender of failed data transmission.

Internet Control Message Protocol (ICMP) is the component of the TCP/IP protocol stack that addresses this basic limitation of IP.

ICMP does not overcome the unreliability issues in IP.

Reliability must be provided by upper layer protocols (TCP or the application) if it is required.

Error Reporting and Error Correction

When datagram delivery errors occur, ICMP reports the following errors back to the source of the datagram:

Workstation 1 sends a datagram to Workstation 6

Fa0/0 on Router C goes down

Router C then utilizes ICMP to send a message back to Workstation 1 indicating that the datagram could not be delivered

[Figure: ICMP message from Router C back to the source; the destination is not informed]

ICMP does not correct the encountered network problem

Router C knows only the source and destination IP addresses of the datagram

ICMP reports on the status of the delivered packet only to the source device
ICMP Message Delivery

ICMP messages are encapsulated into datagrams.

They follow the same technique used by IP to deliver data, and are subject to the same delivery failures as any IP packet.

This creates a scenario where error reports could generate more error reports.

This causes increased congestion on an already ailing network.

Errors created by ICMP messages do not generate their own ICMP messages.

Thus, it is possible to have a datagram delivery error that is never reported back to the sender of the data.

Format of an ICMP Message

Type Field

Type    Name
----    -------------------------
0       Echo Reply
1       Unassigned
2       Unassigned
3       Destination Unreachable
4       Source Quench
5       Redirect
6       Alternate Host Address
7       Unassigned
8       Echo
9       Router Advertisement
10      Router Solicitation
11      Time Exceeded
12      Parameter Problem
13      Timestamp
14      Timestamp Reply
15      Information Request
16      Information Reply
17      Address Mask Request
18      Address Mask Reply
19      Reserved (for Security)
20-29   Reserved (for Robustness Experiment)
30      Traceroute
31      Datagram Conversion Error
32      Mobile Host Redirect
33      IPv6 Where-Are-You
34      IPv6 I-Am-Here
35      Mobile Registration Request
36      Mobile Registration Reply
37      Domain Name Request
38      Domain Name Reply
39      SKIP
40      Photuris
41-255  Reserved

Format of an ICMP Message (cont’d)

Code Field

Type 3: Destination Unreachable

Codes
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don't Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication with Destination Network is Administratively Prohibited
10 Communication with Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect
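An added example (not code from the original slides) that decodes a constructed IPv4 + ICMP packet: it demultiplexes on the IP header Protocol field from the earlier header layout, verifies the IP and ICMP checksums, and names the type and code using the tables above. The packet bytes, addresses and ports are constructed, and the type/code dictionaries cover only a subset of the tables.

```python
import struct
from ipaddress import IPv4Address

# ICMP type names and Type 3 code names, a subset of the tables in this module.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect", 8: "Echo",
              11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp",
              14: "Timestamp Reply", 17: "Address Mask Request", 18: "Address Mask Reply"}
UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
                 3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
                 13: "Communication Administratively Prohibited"}

# Constructed sample (not from the slides): ICMP Type 3 Code 3 "Port Unreachable"
# sent by 192.168.1.10 to 10.0.0.5, quoting the UDP datagram that triggered it.
SAMPLE = bytes.fromhex(
    "450000381234000040019cdac0a8010a0a000005"  # outer IPv4 header, Protocol = 1
    "0303a62800000000"                          # ICMP type, code, checksum, 4 unused bytes
    "4500001c000100004011af190a000005c0a8010a"  # original IPv4 header, Protocol = 17
    "d431829a00080000")                         # original UDP header (first 8 bytes)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; data carrying a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields from the module's header layout."""
    vihl, tos, total_len, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {"tos": tos, "total_length": total_len, "id": ident, "flags": ff >> 13,
            "frag_offset": ff & 0x1FFF, "ttl": ttl, "protocol": proto,
            "header_ok": inet_checksum(pkt[:ihl]) == 0, "src": str(IPv4Address(src)),
            "dst": str(IPv4Address(dst)), "payload": pkt[ihl:total_len]}

def parse_icmp(msg: bytes) -> dict:
    """Name the type/code and verify the checksum over the whole ICMP message."""
    info = {"type": msg[0], "code": msg[1], "type_name": ICMP_TYPES.get(msg[0], "Other"),
            "checksum_ok": inet_checksum(msg) == 0}
    if msg[0] == 3:
        info["code_name"] = UNREACH_CODES.get(msg[1], "Other")
        # After the 4 unused bytes, error messages quote the offending datagram's
        # IP header plus 8 bytes so the source can tie the error to a flow.
        info["original"] = parse_ipv4(msg[8:])
    return info

def decode(pkt: bytes) -> dict:
    ip = parse_ipv4(pkt)
    if ip["protocol"] != 1:        # IP Protocol field = 1 means ICMP
        raise ValueError("Protocol field %d is not ICMP" % ip["protocol"])
    return {"ip": ip, "icmp": parse_icmp(ip["payload"])}
```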

Unreachable Networks

Network communication depends upon certain basic conditions being met:

• Sending and receiving devices must have the TCP/IP protocol stack properly configured:
  • Proper configuration of IP address and subnet mask.
  • A default gateway must also be configured if datagrams are to travel outside of the local network.
• A router also must have the TCP/IP protocol properly configured on its interfaces, and it must use an appropriate routing protocol.
• If these conditions are not met, then network communication cannot take place.

Unreachable Networks (cont’d)

Examples of problems:

• Sending device may address the datagram to a non-existent IP address
• Destination device that is disconnected from its network
• Router’s connecting interface is down
• Router does not have the information necessary to find the destination network

Destination Unreachable Message

If datagrams cannot be forwarded to their destinations, ICMP delivers back to the sender a destination unreachable message indicating to the sender that the datagram could not be properly forwarded.

A destination unreachable message may also be sent when packet fragmentation is required in order to forward a packet:

• Fragmentation is usually necessary when a datagram is forwarded from a token-ring network to an Ethernet network.
• If the datagram does not allow fragmentation, the packet cannot be forwarded, so a destination unreachable message will be sent.

Destination unreachable messages may also be generated if IP-related services such as FTP or web services are unavailable.

ICMP Echo (Request) and Echo Reply

Echo = Type 8
Echo Reply = Type 0

Ethernet Header (Layer 2): Ethernet Destination Address (MAC) | Ethernet Source Address (MAC) | Frame Type
IP Header (Layer 3): Source IP Add. | Dest. IP Add. | Protocol field (IP Protocol Field = 1)
ICMP Message (Layer 3): Type (0 or 8) | Code (0) | Checksum | ID | Seq. Num. | Data
Ethernet Trailer: FCS

The echo request message is typically initiated using the ping command.

Time Exceeded Message

IP Header (bits 0-15 | 16-31):

4-bit Version | 4-bit Header Length | 8-bit Type Of Service (TOS) | 16-bit Total Length (in bytes)
16-bit Identification | 3-bit Flags | 13-bit Fragment Offset
8-bit Time To Live (TTL) | 8-bit Protocol | 16-bit Header Checksum
32-bit Source IP Address
32-bit Destination IP Address
Options (if any)
Data

ICMP Time Exceeded: Type = 11

A TTL value is defined in each datagram (IP packet).

As each router processes the datagram, it decreases the TTL value by one.

When the TTL value of the datagram reaches zero, the packet is discarded.

ICMP uses a time exceeded message to notify the source device that the TTL of the datagram has been exceeded.
IP Parameter Problem

ICMP Parameter Problem

Type = 12

Devices that process datagrams may not be able to forward a datagram due to
some type of error in the header.

This error does not relate to the state of the destination host or network, but still prevents the datagram from being processed and delivered.

An ICMP type 12 parameter problem message is sent to the source of the datagram.

ICMP Control Messages

Unlike error messages, control messages are not the results of lost
packets or error conditions which occur during packet transmission.

Instead, they are used to inform hosts of conditions such as:

• Network congestion.
• Existence of a better gateway to a remote network.

ICMP Redirects

ICMP Redirect: Type = 5, Code = 0 to 3

Default gateways only send ICMP redirect/change request messages if the following conditions are met:

• The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
• The subnet/network of the source IP address is the same subnet/network of the next-hop IP address of the routed packet.
• The datagram is not source-routed.
• The route for the redirect is not another ICMP redirect or a default route.
• The router is configured to send redirects.

Clock Synchronization and Transit Time Estimation

ICMP Timestamp Request/Reply: Type = 13 or 14

The TCP/IP protocol suite allows systems to connect to one another over vast distances through multiple
networks.

Each of these individual networks provides clock synchronization in its own way.

As a result, hosts on different networks who are trying to communicate using software that requires time
synchronization can sometimes encounter problems.

The ICMP timestamp message type is designed to help alleviate this problem.

The ICMP timestamp request message allows a host to ask for the current time according to the remote
host.

The remote host uses an ICMP timestamp reply message to respond to the request.

Clock Synchronization and
Transit Time Estimation

All ICMP timestamp reply messages contain the originate, receive, and transmit timestamps.

Using these three timestamps, the host can estimate transit time across the network by subtracting the originate timestamp from the transmit timestamp.

It is only an estimate however, as true transit time can vary widely based on traffic and
congestion on the network.

The host that originated the timestamp request can also estimate the local time on the remote
computer.

While ICMP timestamp messages provide a simple way to estimate time on a remote host and
total network transit time, this is not the best way to obtain this information.

Instead, more robust protocols such as Network Time Protocol (NTP) at the upper layers of the TCP/IP protocol stack perform clock synchronization in a more reliable manner.
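An added example, not from the original slides, that parses a constructed ICMP Timestamp Reply (Type 14) and derives the estimates described here. It goes beyond the slide by also using the reply's local arrival time, which is assumed, to split the round trip symmetrically and estimate the remote clock offset; the message bytes and identifiers are constructed.

```python
import struct

MS_PER_DAY = 24 * 60 * 60 * 1000

# Constructed ICMP Timestamp Reply (Type 14, Code 0), not taken from the slides.
# Fields: type, code, checksum, identifier, sequence, originate, receive, transmit.
# Timestamps are milliseconds since midnight UTC (RFC 792); the checksum is valid.
REPLY = bytes.fromhex("0e005ff3" "00010001" "02932e00" "02932e28" "02932e29")

def parse_timestamp_reply(msg: bytes) -> dict:
    """Unpack the 20-byte ICMP timestamp reply; reject anything but Type 14."""
    mtype, code, cksum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", msg[:20])
    if mtype != 14:
        raise ValueError("expected ICMP Type 14 (Timestamp Reply), got %d" % mtype)
    return {"id": ident, "seq": seq, "originate": orig, "receive": recv, "transmit": xmit}

def elapsed_ms(later: int, earlier: int) -> int:
    """Difference of two since-midnight timestamps read from one clock,
    tolerant of the counter wrapping at midnight."""
    return (later - earlier) % MS_PER_DAY

def estimate(reply: dict, arrival_ms: int) -> dict:
    """Transit and remote-clock estimates. `arrival_ms` is the local clock when
    the reply arrived (an assumption beyond the slide); the offset formula
    assumes neither clock wrapped past midnight during the exchange."""
    round_trip = elapsed_ms(arrival_ms, reply["originate"])         # local clock only
    remote_hold = elapsed_ms(reply["transmit"], reply["receive"])   # remote clock only
    one_way = (round_trip - remote_hold) / 2                         # assumes symmetric path
    # Remote clock minus local clock in ms (same form as the NTP offset).
    offset = ((reply["receive"] - reply["originate"]) + (reply["transmit"] - arrival_ms)) / 2
    return {"slide_transit_ms": elapsed_ms(reply["transmit"], reply["originate"]),
            "round_trip_ms": round_trip, "remote_hold_ms": remote_hold,
            "one_way_ms": one_way, "remote_offset_ms": offset,
            "remote_time_now_ms": (arrival_ms + offset) % MS_PER_DAY}

def hhmmss(ms: float) -> str:
    """Render a since-midnight millisecond count as HH:MM:SS.mmm."""
    s, ms = divmod(int(ms), 1000)
    h, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return "%02d:%02d:%02d.%03d" % (h, m, s, ms)

if __name__ == "__main__":
    est = estimate(parse_timestamp_reply(REPLY), 43200100)   # reply seen at 12:00:00.100 local
    print(est, hhmmss(est["remote_time_now_ms"]))
```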

Information Requests and Reply Message Formats

ICMP Information Request/Reply: Type = 15 or 16

The ICMP information request and reply messages were originally intended to allow a host to determine its network number.

This particular ICMP message type is considered obsolete.

Other protocols, such as BOOTP and Dynamic Host Configuration Protocol (DHCP), are now used to allow hosts to obtain their network numbers.

Address Masks

ICMP Address Mask Request/Reply: Type = 17 or 18

The subnet mask is crucial in identifying network, subnet, and host bits in an IP address.

If a host does not know the subnet mask, it may send an address mask request to the local router.

If the address of the router is known, this request may be sent directly to the router.

Otherwise, the request will be broadcast.

When the router receives the request, it will respond with an address mask reply.

Router Solicitation and Advertisement

ICMP Router Solicitation: Type = 10
ICMP Router Advertisement: Type = 9

When a host on the network boots, and the host has not been manually configured with a default gateway, it can learn of available routers through the process of router discovery.

This process begins with the host sending a router solicitation message to all routers, using the multicast address 224.0.0.2 as the destination address (may also be broadcast).

When a router that supports the discovery process receives the router discovery message, a router advertisement is sent in return.

Summary

In this module, we reviewed advanced techniques for TCP/IP packet analysis.

We have studied the TCP/IP model of networking by comparing OSI and TCP/IP.

We have discussed the addressing, subnetting, and windowing of TCP/IP packets.

We have discussed TCP/IP protocols, TCP and UDP port numbers, TCP and UDP operation, sequencing numbers, and ICMP and ICMP control messages.