Uploaded by nakeb16855

TCP/IP Concepts

Overview of TCP/IP

[Diagram: Computer 1 and Computer 2, each with Layer 1 through Layer 4, communicating layer to layer]

- Transmission Control Protocol/Internet Protocol (TCP/IP)
  Most widely used protocol set
- TCP/IP is a protocol set with 4 layers*
- Protocol
  Common language used by computers for "speaking"
- IPX/SPX is another protocol set used in Novell networks.
- Some companies protect their network by using IPX/SPX internally ("poor man's firewall").
  [Diagram: IPX/SPX LAN behind the company's connection to the TCP/IP network]

* A layer can be seen as a group of tasks/activities/jobs
TCP/IP protocol set

[Diagram: Computer 1 and Computer 2, each with an Application layer, Transport layer, Internet layer and Network interface layer]

- TCP/IP is implemented as software and hardware that work together to create messages that could be "understood" by each computer
The Application Layer

- Front end to the lower-layer protocols
- Many Application layer protocols: HTTP, FTP, ARP, etc.
- Includes network services and client software
- Examples: Web (HTTP service), Web browser
- Commands/utilities for connecting to and using Application layer network services:
  - ftp: used to transfer files between clients and servers
  - telnet servername [port number]: to log on to a server
Using the ftp utility

- Unlike SFTP, FTP is not secure because it allows anonymous logins.
- Most companies do not allow FTP connections to their servers.
- If a user has an account, they can use it to connect using an SFTP-based client program.
- help command: gives info about a command
- open ftp.eiu.edu should open an ftp session with the ftp.eiu.edu server.
- Some public anonymous ftp servers: ftp.arsc.edu, ftp.ussg.iu.edu, ftp.loc.gov/pub. Detailed list at http://www.ftp-sites.org/

[Instructor will show how to use ftp]
Questions

1) Based on your knowledge of the ftp utility and ftp-based client programs, what do you think a hacker needs in order to connect to a specific secure ftp server? Name three things that are absolutely required.
________________________, ______________________, ___________________

2) Which of the three things you have mentioned is the hardest to get?
_________________________

3) Once connected to an ftp server, a hacker can upload/download files only based on the permissions associated with the user account he/she has used to connect. Imagine that the only permissions associated with the user account are to see and download files that are in the default ftp directory. Name two things that must occur for the hacker to go beyond just seeing and downloading files in the default directory, for instance to browse through the entire directory structure and upload files to the server.
______________________________, _______________________________
The Transport Layer

- Prepares Application layer messages for proper "transportation" to a receiving device
- Main protocols used:
  - The TCP protocol for connection-oriented "dialog"
  - The User Datagram Protocol or UDP for connectionless transmissions
- Makes sure messages arrive at destination exactly as they left source (in case of connection-oriented communication)
- TCP opens connections using 3-way handshake
  - Computer 1 sends a Synchronization SYN request
  - Computer 2 replies with a Sync-Acknowledgement SYN-ACK packet
  - Computer 1 replies with an ACK packet

[Diagram: Computer 1 and Computer 2 layer stacks, with the three handshake packets (SYN, SYN/ACK, ACK) exchanged between the Transport layers]
The Internet Layer

- Responsible for routing packets to their destination address
- Uses a logical address, called an IP address
- Main protocols used: IP and ICMP
- Internet Control Message Protocol (ICMP)
  Used to send messages related to network operations
  Helps in troubleshooting a network
- Some Internet layer commands/utilities for troubleshooting network connections. More complex versions are included in hacking tools:
  - Ping: determines whether a computer is connected
  - Traceroute and tracert: determine the route to get to a computer

ICMP codes are used internally by network administrators to troubleshoot network connectivity (code 0 and 8) using the PING command, track IP packets' route (code 30) using the TRACERT or TRACEROUTE command, etc. Appropriate ICMP codes could be used to configure firewalls to prevent network attacks by outsiders.
Using the ping utility

- Most companies do not allow "pinging" their computers from outside.

[Screenshot: Pinging under Windows OS]

[Screenshot: Pinging under Linux]

- Later, we will see how some of these pinging options may be used in security attacks.
Using tracert and traceroute

- As a Network [Internet] layer tool, tracert and traceroute generate a network map, showing how to get to a target computer.
- Some of these options may be abused by hackers as we will see later.

[Screenshot: tracert/traceroute output, one hop annotated:]
- This is likely a firewall or a router in EIU's network whose real IP address is hidden using Network Address Translation.
Questions

[Screenshot: Pinging under Windows OS]

- Based on your knowledge of the PING command, what possible damage may be done when it is used with the -l option?
The Network Interface Layer

- Represents the network pathway (i.e. transmission media)
- Implemented through Network Interface Cards (NIC)
- Includes Medium Access Control (MAC) address (MAC is a physical address recorded on NICs)
- Breaks messages into short frames and adds MAC to each
- Converts messages into signals for transmission
Sending message using TCP/IP

- Generating message at the Application layer
- Encapsulation: Adding protocol headers (H) and trailers (T) to pack the message.

Layer               Unit built at this layer                     Name
Application         HTTP req.                                    HTTP request (Example: http://www.eiu.edu)
Transport           TCP-H | HTTP req.                            TCP segment
Internet            IP-H | TCP-H | HTTP req.                     IP Packet
Network Interface   NI-H | IP-H | TCP-H | HTTP req. | NI-T       Frames

User PC -> Transmission medium

Receiving a TCP/IP message

- Frames arrive through the network interface
- De-encapsulation: Removing protocol headers (H) and trailers (T) to access the request

Name                Unit arriving at this layer                  Layer
Frames              NI-H | IP-H | TCP-H | HTTP req. | NI-T       Network Interface
IP Packet           IP-H | TCP-H | HTTP req.                     Internet
TCP segment         TCP-H | HTTP req.                            Transport
HTTP request        HTTP req. (Example: http://www.eiu.edu)      Application

Transmission medium -> User PC
TCP Segment

Bits    0-3          4-7        8-15                              16-31
        Source port                                               Destination port
        Sequence number
        Acknowledgment number
        Data offset  Reserved   CWR ECE URG ACK PSH RST SYN FIN   Window Size
        Checksum                                                  Urgent pointer
        Options (if Data Offset > 5)
        Data Field (should contain HTTP Request based on our previous example)

- Source port (16 bits) – a number that identifies the Application layer program used to send the message.
- Destination port (16 bits) – a number that identifies the Application layer program the message is destined to.
- Sequence number (32 bits) – Tracks packets received. Helps reassemble packets. Hackers may guess the SN to hijack conversations. Has a dual role:
  - If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data byte (and the acknowledged number in the corresponding ACK) will then be this sequence number plus 1.
  - If the SYN flag is clear, then this is the sequence number of the first data byte.
- Acknowledgment number (32 bits) – if the ACK flag is set, then the value of this field is the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
- Data offset (4 bits) – specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, thus giving the minimum size of 20 bytes and maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.
TCP Segment (cont.)

- Flags (8 bits) (aka Control bits) – contains 8 1-bit flags
  - CWR (1 bit) – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded with the congestion control mechanism (added to header by RFC 3168).
  - ECE (1 bit) – Explicit Congestion Notification-Echo indicates:
    - If the SYN flag is set, that the TCP peer is ECN capable.
    - If the SYN flag is clear, that a packet with the Congestion Experienced flag in the IP header set was received during normal transmission (added to header by RFC 3168).
  - URG (1 bit) – indicates that the Urgent pointer field is significant
  - ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  - PSH (1 bit) – Push function
  - RST (1 bit) – Reset the connection
  - SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag; some are only valid when it is set, and others when it is clear.
  - FIN (1 bit) – No more data from sender
TCP Segment (cont.)

- Window size (16 bits) – the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the receiver is currently willing to receive.
- Checksum (16 bits) – Used for error-checking of the header and data
- Urgent pointer (16 bits) – if the URG flag is set, then this field is an offset from the sequence number indicating the last urgent data byte.
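As an added example (not from the slides), a Python parser and builder for the TCP segment layout above; handshake() replays the 3-way handshake from the Transport layer slide to show that the SYN consumes one sequence number, so each side's first ACK number is the peer's ISN + 1. The port numbers, ISNs and the MSS option bytes are constructed sample values.

```python
import struct

# Control bits, high to low, as drawn on the slide: CWR ECE URG ACK PSH RST SYN FIN
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
HDR = "!HHIIHHHH"   # 20-byte fixed header, network byte order

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed header, then options and data based on Data offset (5..15 words)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack(HDR, segment[:20])
    data_offset = off_flags >> 12        # top 4 bits; bits 4-7 are reserved
    flag_bits = off_flags & 0xFF         # low 8 bits hold the 8 control flags
    if not 5 <= data_offset <= 15 or len(segment) < data_offset * 4:
        raise ValueError(f"bad data offset {data_offset} for a {len(segment)}-byte segment")
    hdr_len = data_offset * 4
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": {name for i, name in enumerate(FLAG_NAMES) if flag_bits & (0x80 >> i)},
        "window": win, "checksum": csum, "urgent_ptr": urg,
        # Urgent pointer only means something when URG is set (same rule for ack and ACK)
        "options": segment[20:hdr_len], "data": segment[hdr_len:],
    }

def build_tcp(src, dst, seq, ack, flags, window=65535, options=b"", data=b"") -> bytes:
    """Assemble a segment; options are zero-padded to a 32-bit boundary. Checksum is left 0
    because it needs the IP pseudo-header, which is outside this example."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    flag_bits = sum(0x80 >> FLAG_NAMES.index(f) for f in flags)
    fixed = struct.pack(HDR, src, dst, seq, ack, (data_offset << 12) | flag_bits, window, 0, 0)
    return fixed + options + data

def handshake(client_isn: int, server_isn: int) -> tuple:
    """The 3-way handshake from the Transport layer slide, with constructed ports and ISNs.
    SYN carries the ISN; the peer acknowledges ISN + 1 because SYN consumes one sequence number."""
    syn = build_tcp(40000, 80, client_isn, 0, {"SYN"}, options=b"\x02\x04\x05\xb4")  # MSS 1460 option
    syn_ack = build_tcp(80, 40000, server_isn, client_isn + 1, {"SYN", "ACK"})
    ack = build_tcp(40000, 80, client_isn + 1, server_isn + 1, {"ACK"})
    return syn, syn_ack, ack
```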
TCP Ports

- Identifies the service that is running
- Helps you stop or disable services that are not needed
- Open ports are an invitation for an attack
- Only the first 1023 ports are considered well-known
- List of well-known ports
  - Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)

Port       Service                                Explanation
20 and 21  File Transfer Protocol (FTP)           Used for sharing files over the Internet. Requires a logon name and
                                                  password. More secure than Trivial File Transfer Protocol (TFTP)
25         Simple Mail Transfer Protocol (SMTP)   E-mail servers listen on this port
53         Domain Name Service (DNS)              Helps users connect to Web sites using URLs instead of IP addresses
TCP Ports (continued)

Port  Service                                  Explanation
69    Trivial File Transfer Protocol (TFTP)    - Could be implemented using a very small amount of memory.
                                               - Implemented on top of the User Datagram Protocol (UDP) using port number 69.
                                               - Used for transferring router configurations
                                               - TFTP only reads and writes files from/to a remote server. It cannot list directories.
                                               - Currently has no provisions for user authentication
80    Hypertext Transfer Protocol (HTTP)       - Used when connecting to a Web server
TCP Ports (continued)

Port  Service                                       Explanation
110   Post Office Protocol 3 (POP3)                 Used for retrieving e-mails from server
119   Network News Transfer Protocol                For use with newsgroups
135   Remote Procedure Call (RPC)                   Critical for the operation of Microsoft Exchange Server and Active Directory.
139   NetBIOS                                       Used by Microsoft's NetBIOS Session Service
143   Internet Message Access Protocol 4 (IMAP4)    Used for retrieving e-mail. Better than POP3. Could maintain mails on servers.
                                                    Allows searches, etc.

- Netstat command line displays open ports on a computer indicating what services/applications are running.
IP Header

Bits    0–3        4–7             8–15               16–18    19–31
        Version    Header length   Type Of Service    Total Length
        Identification                                Flags    Fragment Offset
        Time to Live               Protocol           Header Checksum
        Source Address
        Destination Address
        Options
        Data

- Version - indicates the version of IP in four bits. Should be 0100 for IPv4
- Internet Header Length (IHL) - tells the number of 32-bit words in the IP header.
- TOS - Indicates the quality of service for delivering the packet: Normal delay, high reliability, normal cost, high cost, etc.
- Total Length - defines entire packet size (header + data) in bytes. The minimum length is 20 bytes (20-byte header + 0 bytes data) and the maximum is 65,535. Subnetworks may impose restrictions on the size, in which case packets must be fragmented. Fragmentation is handled in either the host or the router.
IP Header

- Identification - Primarily used for uniquely identifying fragments of an original IP packet.
- Flags - A three-bit field used to control or identify fragments. They are (in order, from high order to low order):
  - Reserved, must be zero.
  - Don't Fragment (DF): If the DF flag is set and fragmentation is required to route the packet, then the packet will be dropped.
  - More Fragments (MF): When a packet is fragmented, all fragments have the MF flag set except the last fragment.
IP Header

- Fragment Offset - Specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP packet. The first fragment has an offset of zero.
- TTL - Helps prevent packets from persisting (e.g. going in circles) on an Internet. Time specified in seconds, but time intervals less than 1 second are rounded up to 1. Also in number of hop counts.
- Protocol - Defines the protocol used in the data portion of the IP packet. Common protocols and their codes are: 1: Internet Control Message Protocol (ICMP), 2: Internet Group Management Protocol (IGMP), 6: Transmission Control Protocol (TCP), 17: User Datagram Protocol (UDP), 89: Open Shortest Path First (OSPF), 132: Stream Control Transmission Protocol (SCTP).
IP Header

- Header Checksum - used for error-checking of the header. At each hop, the checksum of the header must be compared to the value of this field. If a header checksum is found to be mismatched, then the packet is discarded. Note that errors in the data field are up to the encapsulated protocol to handle.
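As an added example (not from the slides), a Python decoder for the IPv4 header fields above that also recomputes the header checksum the way a router does at each hop, so a header corrupted in transit is detected. build_ipv4 produces a constructed sample header; its addresses, identification and TTL are made-up values.

```python
import struct

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 89: "OSPF", 132: "SCTP"}

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; over a valid received header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields named on the slides and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte minimum header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl * 4]
    flags = flags_frag >> 13                    # 3 bits: reserved, DF, MF
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident, "df": bool(flags & 0b010), "mf": bool(flags & 0b001),
        "fragment_offset": flags_frag & 0x1FFF,  # in 8-byte units, as carried on the wire
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": ".".join(map(str, header[12:16])), "dst": ".".join(map(str, header[16:20])),
        "options": header[20:],
        # A router recomputes this at every hop; a mismatch means the header is corrupt and the packet is dropped
        "checksum_ok": ip_checksum(header) == 0,
    }

def build_ipv4(src, dst, protocol, payload_len, ttl=64, df=True, ident=0x1234) -> bytes:
    """Build a 20-byte header with a correct checksum (constructed sample, no options)."""
    flags_frag = (0b010 if df else 0) << 13
    addrs = bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, protocol, 0]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH", *fields) + addrs)
    return struct.pack("!BBHHHBBH", *fields) + addrs
```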
Short Case

- After performing a test on ABC Inc.'s network, a penetration tester discovered that outsiders are able to test internal hosts' connectivity. He also discovered that outsiders are able to "map" ABC Inc.'s network, which allows them to determine the names and IP addresses of internal routers and firewalls.

1) What commands could the outsiders possibly use in their attempts?
2) What would you recommend doing in order to make it impossible for outsiders to (a) successfully test internal hosts' connectivity, and (b) map ABC Inc.'s network? Be very specific in naming the actions that need to be taken to address the problem.
