
Network Fundamentals

The document discusses the concept of encapsulation in networking protocols, specifically within the TCP/IP protocol suite, where each layer adds its own header to the packet. It explains how the Internet Protocol (IP) is responsible for delivering packets using unique IP addresses, and details the structure of IPv4 addresses, including reserved addresses and subnetting. Additionally, the document covers how to identify network and host parts of an IP address using netmasks and provides examples of IP addressing.

Uploaded by

conanlover2006

NETWORK FUNDAMENTALS
Session 1
2.1.4 Encapsulation

But how do protocols work together? If every protocol has a header and a payload, how can a protocol use the one on its lower layer?

The idea is simple. The entire upper protocol packet (header plus payload) is the payload of the lower one; this is called encapsulation.

PTSv4: Section 1, Module 2 - Caendra Inc. © 2019 | p.23


In the following slides, you will see how encapsulation is used by the IP protocol suite, or TCP/IP.

TCP/IP is a real-world implementation of a networking stack and is the protocol stack used on the Internet.

TCP/IP has four layers:

• Application
• Transport
• Network
• Data Link

You will learn how TCP/IP works in the remainder of this module.

[Figure, built up over several slides: the four layers (Application, Transport, Network, Data Link) stacked from top to bottom, with the side labels "Lower Layers" and "Encapsulation"; each layer's packet is drawn as a Header followed by a Payload.]

The application layer gives its packet to the transport layer, which adds its own header.

The application packet is now the transport protocol's payload.

The same technique is used by the following layers.

During encapsulation every protocol adds its own header to the packet, treating it as a payload.

This happens to every packet sent by a host.

[Figure: encapsulation headers. Application: Header, Payload. Transport: Header, Header, Payload. Network: Header, Header, Header, Payload. Data Link: Header, Header, Header, Header, Payload.]

The receiving host does the same operation in reverse order. Using this method, the application does not need to worry about how the transport, network and link layers work. It just hands in the packet to the transport layer.

You will see encapsulation in practice later, during the Wireshark section.
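Encapsulation and its reverse in code, as an added example that is not part of the original slides: an application message is wrapped in a UDP header, then an IPv4 header, then an Ethernet header, and the receiving side strips them in reverse order while checking each layer. UDP is used because its header is the shortest; the addresses, ports, MAC values and function names are constructed for this example.

```python
import socket
import struct


def checksum16(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def udp_wrap(app_data: bytes, sport: int, dport: int) -> bytes:
    # Transport layer: 8-byte UDP header. Checksum 0 means "not computed" over IPv4.
    return struct.pack("!HHHH", sport, dport, 8 + len(app_data), 0) + app_data


def ipv4_wrap(segment: bytes, src: str, dst: str, proto: int = 17) -> bytes:
    # Network layer: 20-byte IPv4 header without options.
    # The whole UDP packet (header plus payload) becomes the IPv4 payload.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", checksum16(header)) + header[12:]
    return header + segment


def ethernet_wrap(datagram: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    # Data link layer: 14-byte Ethernet II header, EtherType 0x0800 = IPv4.
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + datagram


def decapsulate(frame: bytes) -> dict:
    """Receiving side: remove the headers in reverse order, checking each one."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ihl > len(ip):
        raise ValueError("bad IPv4 header")
    if checksum16(ip[:ihl]) != 0:                 # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17 or not ihl + 8 <= total_len <= len(ip):
        raise ValueError("not a well-formed UDP datagram")
    udp = ip[ihl:total_len]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if not 8 <= udp_len <= len(udp):
        raise ValueError("bad UDP length")
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "data": udp[8:udp_len]}


# Constructed sample values (not taken from the slides)
MESSAGE = b"hello, server"
SEGMENT = udp_wrap(MESSAGE, 3028, 53)
DATAGRAM = ipv4_wrap(SEGMENT, "192.168.5.100", "192.168.5.3")
FRAME = ethernet_wrap(DATAGRAM, bytes.fromhex("020000000001"),
                      bytes.fromhex("020000000002"))

if __name__ == "__main__":
    for name, pkt in (("application", MESSAGE), ("transport", SEGMENT),
                      ("network", DATAGRAM), ("data link", FRAME)):
        print(f"{name:12} {len(pkt):3} bytes")
    print(decapsulate(FRAME))
```

Each layer's output contains the previous layer's packet unchanged at its tail, which is why a capture tool can peel the headers off one at a time.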


2.2 Internet Protocol (IP)

How does this support my pentesting career?

• Understanding network attacks
• Using network attack tools at their maximum
• Studying other networking protocols

The Internet Protocol (IP) is the protocol that runs on the Internet layer of the Internet Protocol suite, also known as TCP/IP.

IP is in charge of delivering the datagrams (IP packets are called datagrams) to the hosts involved in a communication, and it uses IP addresses to identify a host.


2.2.1 IPv4 Addresses

When you write a letter, you have to specify the recipient's address on the envelope before sending it. Similarly, the Internet uses its addressing scheme to deliver packets to the right destination.

Any host on a computer network, be it a private network or the Internet, is identified by a unique IP address.

The vast majority of networks run IP version 4 (IPv4).

An IPv4 address consists of four bytes, or octets; a byte consists of 8 bits.

EXAMPLE

73.5.12.132

A dot delimits every octet in the address.

73    . 5      . 12    . 132
First   Second   Third   Fourth

As you may recall from the introduction module, with 8 bits, you can represent up to 2^8 different values from 0 to 255.

This does not mean that you can assign any address starting from 0.0.0.0 to 255.255.255.255 to a host. Some addresses are reserved for special purposes.


2.2.2 Reserved IPv4 Addresses

For example, some reserved intervals are:

• 0.0.0.0 – 0.255.255.255 representing "this" network.
• 127.0.0.0 – 127.255.255.255 representing the local host (e.g., your computer).
• 192.168.0.0 – 192.168.255.255 is reserved for private networks.

You can find the details about the special use of IPv4 addresses in RFC5735.

http://tools.ietf.org/html/rfc5735
2.2.3 IP/Mask

To fully identify a host, you also need to know its network. To do that, you will need an IP address and a netmask, or subnet mask.

With an IP/netmask pair, you can identify the network part and the host part of an IP address.

EXAMPLE

IP address: 192.168.5.100
Subnet mask: 255.255.255.0

To find the network part you have to perform a bitwise AND operation between the netmask and the IP address.

In the following example, we are going to see how to find the network part of this IP address/mask pair:

192.168.33.12/255.255.224.0


2.2.3.1 IP/Mask CIDR Example

Convert the octets into binary form:

192.168.33.12
11000000.10101000.00100001.00001100

255.255.224.0
11111111.11111111.11100000.00000000

Perform the bitwise AND:

IP:      11000000.10101000.00100001.00001100
         &
Mask:    11111111.11111111.11100000.00000000
         =
Network: 11000000.10101000.00100000.00000000

Network prefix in decimal notation: 192.168.32.0

192.168.32.0 is the network prefix. You can identify the network by using the following notation:

192.168.32.0/255.255.224.0

Or, as the netmask is made of 19 consecutive "1" bits:

192.168.32.0/19

The latter is the Classless Inter-Domain Routing (CIDR) notation.
2.2.3.2 IP/Mask Host Example

The address part not covered by the netmask is the host part of the IP address. You can find it by performing a bitwise AND with the inverse of the netmask.

Let’s look at an example with the same IP/mask.

Convert the octets into binary form:

192.168.33.12
11000000.10101000.00100001.00001100

255.255.224.0
11111111.11111111.11100000.00000000

Invert the netmask by performing a bitwise NOT:

¬(11111111.11111111.11100000.00000000)
=
00000000.00000000.00011111.11111111

Perform the final bitwise AND:

IP:    11000000.10101000.00100001.00001100
       &
¬Mask: 00000000.00000000.00011111.11111111
       =
Host:  00000000.00000000.00000001.00001100

Host part in decimal notation: 0.0.1.12

Moreover, the inverse of the netmask lets you know how many hosts a network can contain.

In our example, we have 13 bits to represent the hosts; this means that the network can contain 2^13 = 8192 different addresses.


2.2.4 Network and Broadcast Addresses

There are two special addresses:

• One with the host part made of all zeros.
• Another with the host part made of all ones.

These special addresses were used as the network and broadcast addresses, thus reducing by 2 the number of hosts on a given network. This technical limitation should be extinct (RFC1878) but is still used to keep compatibility with old equipment.

http://tools.ietf.org/html/rfc1878
2.2.5 IP Examples

Let’s recap by going over some IP examples.

• 10.54.12.0/24 (10.54.12.0/255.255.255.0)
  • Contains 2^8 = 256 addresses
  • 10.54.12.0 is the network address according to the pre-CIDR standard
  • 10.54.12.255 is the broadcast address according to the pre-CIDR standard

• 192.168.114.32/27 (192.168.114.32/255.255.255.224)
  • Contains 2^5 = 32 addresses
  • 192.168.114.32 is the pre-CIDR network address
  • 192.168.114.63 is the pre-CIDR broadcast address

• Given the network 172.16.2.0/23
  • 172.16.3.12 and 172.16.2.66 are in the same network
  • 172.16.3.240 and 172.16.4.2 are not in the same network

• The network 192.168.1.0/16
  • Does not make sense; a bitwise AND between 192.168.1.0 and 255.255.0.0 leads to 192.168.0.0 as network address
  • Could be a valid IP address in the 192.168.1.0/16 network
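The mask arithmetic from sections 2.2.3 to 2.2.5 as a small calculator, added here as an example that is not part of the original slides. It uses only the bitwise AND and NOT steps shown above; the function names are this example's own, and it also rejects netmasks whose "1" bits are not consecutive.

```python
MASK32 = 0xFFFFFFFF


def ip_to_int(addr):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask):
    """255.255.224.0 -> 19. Raises if the 1 bits are not consecutive."""
    inverse = ~ip_to_int(mask) & MASK32
    # A valid inverse mask is 0...01...1, so adding 1 leaves no common bits.
    if inverse & (inverse + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return 32 - inverse.bit_length()


def prefix_to_mask(prefix):
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return int_to_ip((MASK32 << (32 - prefix)) & MASK32)


def describe(addr, mask):
    """Network part, host part, CIDR form, size and pre-CIDR broadcast address."""
    ip, m = ip_to_int(addr), ip_to_int(mask)
    prefix = mask_to_prefix(mask)
    inverse = ~m & MASK32            # bitwise NOT of the netmask
    network = ip & m                 # bitwise AND with the netmask
    return {
        "network": int_to_ip(network),
        "host_part": int_to_ip(ip & inverse),
        "cidr": f"{int_to_ip(network)}/{prefix}",
        "addresses": inverse + 1,    # 2^(number of host bits)
        "broadcast": int_to_ip(network | inverse),
        "is_network_address": ip == network,
    }


def same_network(a, b, cidr):
    """True if both addresses fall inside the network written as base/prefix."""
    base, prefix = cidr.split("/")
    m = ip_to_int(prefix_to_mask(int(prefix)))
    net = ip_to_int(base) & m
    return ip_to_int(a) & m == net and ip_to_int(b) & m == net


if __name__ == "__main__":
    print(describe("192.168.33.12", "255.255.224.0"))
    print(describe("192.168.1.0", "255.255.0.0"))
    print(same_network("172.16.3.240", "172.16.4.2", "172.16.2.0/23"))
```

The same membership test is what a scope check, firewall rule or ACL performs before deciding whether an address belongs to a given network.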


2.2.6 Subnet Calculators

You can practice more on this topic by using a subnet calculator.

Here are two subnet calculators you can check out:

• A classful calculator: http://www.subnet-calculator.com/
• A CIDR calculator: http://www.subnet-calculator.com/cidr.php
2.2.7 IPv6

IPv4 addresses are being consumed rapidly due to a large number of new devices connecting to the internet every day.

One day IPv4 addresses might be exhausted.

As a 32-bit address, IPv4 has 2^32 = 4,294,967,296 possible addresses.

While a 128-bit IPv6 address has 2^128 = 2^32 * 2^96 possible addresses.

2^96 is equal to 79 octillion addresses.

An IPv6 address consists of 16-bit hexadecimal numbers separated by a colon (:). Hexadecimal numbers are case insensitive. In case zeros occur, they can be skipped.

Let’s check out some IPv6 examples on the next slide.

IPv6 address examples:

EXAMPLE

2001:0db8:0020:130F:0000:0000:087C:140B

2001:0db8:0:160F::850C:140B


2.2.7.1 IPv6 header

[Figure: IPv6 header format. Source: https://www.researchgate.net/profile/Dragos_Truscan/publication/31596630/figure/download/fig5/AS:340685715722244@1458237212506/IPv6-Header-Format.png]
2.2.7.2 IPv6 forms

IPv6 can be presented in the following text representations:

• Regular form: 1080:0:FF:0:8:800:200C:417A
• Compressed form: FF01:0:0:0:0:0:0:43 becomes FF01::43 as a result of skipping zeros
• IPv4-compatible: 0:0:0:0:0:0:13.1.68.3 or ::13.1.68.3 after skipping zeros


2.2.7.3 IPv6 Reserved Addresses

Like IPv4, IPv6 also has reserved addresses, which cannot be used.

For example:
• ::1/128 is a loopback address
• ::FFFF:0:0/96 are IPv4 mapped addresses

For more information, you can check RFC3513.

https://tools.ietf.org/html/rfc3513
2.2.7.4 IPv6 Structure

An IPv6 address can be split in half (64 bits each) into a network part and a device part.

Furthermore, the first 64 bits end with a dedicated 16-bit space (one hex word) that can be used only for specifying a subnet.

[Figure: IPv6 structure. Source: http://www.steves-internet-guide.com/ipv6-guide/]

2.2.7.5 IPv6 Scope

Address Types and Scope

IPv6 addresses have three types:

• Global Unicast Address – These addresses are global ones, and reside in the global internet.
• Unique Local and Link Local – reside only in internal networks.

[Figure: IPv6 scope. Source: http://www.steves-internet-guide.com/ipv6-guide/]


2.2.7.6 IPv6 Translation

IPv6 addresses can also be translated to binary.

One 4-digit hex word represents 16 binary digits; we can see this demonstrated in the following way:
• Bin 0000000000000000 = Hex 0000 (or just 0)
• Bin 1111111111111111 = Hex FFFF
• Bin 1101010011011011 = Hex D4DB

Thus, a 128-bit binary address looks like:

1111111111111111.1111111111111111.1111111111111111.1111111111111111.
1111111111111111.1111111111111111.1111111111111111.1111111111111111

And, the above can be represented by 8 hex words, separated by colons:

FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
2.2.7.7 IPv6 Subnets

Like IPv4, an IPv6 address has a network portion and a device portion.

Unlike IPv4, an IPv6 address has a dedicated subnetting portion. On the next few slides, we’ll show how the ranges are divided in IPv6.

Network Address Range

In IPv6, the first 48 bits are for Internet global addressing.

1111111111111111.1111111111111111.1111111111111111.0000000000000000.
0000000000000000.0000000000000000.0000000000000000.0000000000000000

Subnetting Range

The 16 bits from the 49th to the 64th are for defining subnets.

0000000000000000.0000000000000000.0000000000000000.1111111111111111.
0000000000000000.0000000000000000.0000000000000000.0000000000000000

Device (Interface) Range

The last 64 bits are for device (interface) IDs:

0000000000000000.0000000000000000.0000000000000000.0000000000000000.
1111111111111111.1111111111111111.1111111111111111.1111111111111111


2.2.7.8 IPv6 Subnetting

In IPv6, there are prefixes instead of subnet blocks. For example:

2001:1111:1234:1234::/64

In the above IPv6 address, the number after the slash (64) is the number of bits that is used for a prefix. Everything behind it can be used for hosts of the subnet.

As you may have noticed, /64 means that the first 64 bits are a prefix. And, as mentioned earlier, each 4-digit hex word is 16 bits, thus in the following IPv6 address we can divide it as such:

[Figure: an IPv6 address divided into its prefix and host parts. Source: https://networklessons.com/ipv6/how-to-find-ipv6-prefix/]

We confirmed that 2001:1234:5678:1234 is the prefix, but let’s now focus on writing down a correctly formatted IPv6 address.

2001:1234:5678:1234:0000:0000:0000:0000 is a valid prefix, but it can be shortened by omitting zeros, into the following form:

2001:1234:5678:1234::/64
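The IPv6 rules from sections 2.2.7.2 to 2.2.7.8 checked with Python's standard `ipaddress` module, as an added example that is not part of the original slides. The full address used below is constructed around the slides' 2001:1234:5678:1234 prefix, and the fe80::/10, fc00::/7 and 2000::/3 ranges used for the scope test come from the IPv6 addressing RFCs, not from the slides.

```python
import ipaddress


def split_ipv6(addr):
    """Expand an address and split it into the 48 + 16 + 64 bit ranges."""
    ip = ipaddress.IPv6Address(addr)
    words = ip.exploded.split(":")          # always 8 words of 4 hex digits
    return {
        "exploded": ip.exploded,
        "compressed": ip.compressed,        # zeros skipped, longest run as "::"
        "global_prefix": ":".join(words[:3]),   # first 48 bits
        "subnet": words[3],                     # bits 49 to 64
        "interface_id": ":".join(words[4:]),    # last 64 bits
        "binary_words": [format(int(w, 16), "016b") for w in words],
    }


def prefix_of(addr, length=64):
    """Zero every bit after the prefix and return the network in CIDR form."""
    return str(ipaddress.IPv6Network(f"{addr}/{length}", strict=False))


def scope(addr):
    """Classify an address into the reserved and scope categories named above."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:                       # ::1/128
        return "loopback"
    if ip.ipv4_mapped is not None:           # ::FFFF:0:0/96
        return "ipv4-mapped"
    if ip.is_link_local:                     # fe80::/10
        return "link-local"
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if ip in ipaddress.IPv6Network("2000::/3"):
        return "global-unicast"
    return "other"


# Constructed sample address using the prefix from the slides
SAMPLE = "2001:1234:5678:1234:5678:ABCD:EF12:1234"

if __name__ == "__main__":
    print(split_ipv6(SAMPLE))
    print(prefix_of(SAMPLE))
    print(split_ipv6("FF01:0:0:0:0:0:0:43")["compressed"])
    for a in ("::1", "::FFFF:13.1.68.3", "fe80::1", "fd00::1", SAMPLE):
        print(a, scope(a))
```

Comparing addresses only after parsing them, never as raw strings, avoids treating `FF01::43` and `ff01:0:0:0:0:0:0:43` as different hosts in logs or allow-lists.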


2.5 TCP & UDP

How does this support my pentesting career?

• TCP Session Attacks
• Advanced DoS attacks
• Network scanning

In this section, you will see how the transport layer works, and how the application layer uses its services to identify server and client processes.

The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) are the most common transport protocols used on the Internet.

Before checking out the different services that a transport layer protocol can offer to the application layer, let’s consider something important about networks.

Computer networks can be unreliable. This means that some packets can be lost during their trip from source to destination. A packet can be lost because of network congestion, temporary loss of connection and other technical issues.

When designing a transport layer protocol, the designer must choose how to deal with these limitations. For example, TCP:
• Guarantees packet delivery. Because of that, an application that needs a guaranteed delivery will use TCP as the transport protocol.
• Is also connection oriented. It must establish a connection before transferring data.

Keep in mind these facts during your study!

TCP is the most used transport protocol on the Internet. The vast majority of applications use it, and the IP protocol suite is often called TCP/IP.

Email clients, web browsers and FTP clients are some common applications using TCP.

On the other hand, UDP is much simpler than TCP:

• It does not guarantee packet delivery.
• It is connectionless.

UDP is faster than TCP, as it provides a better throughput (number of packets per second); in fact, it is used by multimedia applications that can tolerate packet loss but are throughput intensive.

For example, UDP is used for VoIP and video streaming: applications where you can tolerate a little glitch in the audio or video.

Here we can see a comparison table between TCP and UDP.

TCP                    UDP
Lower throughput       Better throughput
Connection-oriented    Connectionless
Guarantees delivery    Does not guarantee packet delivery
2.5.1 Ports

Applications and their processes use TCP and UDP to send and receive data over the network. When an IP datagram reaches a host, how can the transport layer know what the destination process is?

We’ll now introduce ports.

Ports are used to identify a single network process on a machine. If you want to unequivocally identify a process on a network, you need to know the <IP>:<Port> pair.

As an example, you can compare the port to the recipient's name on a letter; the street address (IP) identifies the building, while the person name identifies the final recipient of the letter.

2.5.1.1 Ports Examples

In this image, you can see how every client application on Client PC uses a different port.

The browser uses local port 3028 to connect to the web server...

... while the mail client uses local port 1022.

In the previous example:

• All the communication from the web browser to the web server will have 3028 as the source port and 80 as the destination port.
• All the communication back from the web server to the browser will have 80 as the source port and 3028 as the destination port.

Similarly, for the mail client and server:

• All the communication from the mail client to the server will have 1022 as the source port and 25 as the destination port.
• All the communication back from the mail server to the mail client will have 25 as the source port and 1022 as the destination port.

Furthermore, you may also have multiple instances of the same application running at the same time. Every process will reserve a different port.

In this example, ‘A’ communicates with the web server using 3028 as the source port...

... while ‘B’ uses port 8723.

To correctly address a process on a network, you have to refer to the <IP>:<Port> pair. For example:
• 192.168.5.3:80
• 10.11.12.1:443
• 172.16.8.9:22

But, how can you know the right port for a common service?
2.5.2 Well-known Ports

Ports in the range 0-1023, that is, the first 1024, are called well-known ports and are used by servers for the most common services.

For example, when a web browser connects to a server via HTTPS, the user does not have to manually specify 443 as the destination port.

Each common protocol has a well-known port in the 0-1023 range. Common server processes, or daemons, use well-known ports most of the time.

Ports are assigned by IANA and are referenced in this document:

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

You do not need to know all the service port assignments, but you should at least remember the most common, such as:
• SMTP (25)
• SSH (22)
• POP3 (110)
• IMAP (143)
• HTTP (80)
• HTTPS (443)
• NETBIOS (137, 138, 139)
• SFTP (115)
• Telnet (23)
• FTP (21)
• RDP (3389)
• MySQL (3306)
• MS SQL Server (1433)

As briefly introduced before, a daemon is a program that runs a service. System administrators can change the daemon configuration, changing the port the service listens to for connection. They do that to make service recognition a little bit harder for hackers.

For example, you could find an FTP daemon listening on port 4982 instead of 21 or SSH listening on port 8821.


2.5.3 TCP and UDP headers

Let’s now see how ports are used by applications.

How can server and client applications know which port to use? They use two fields in the TCP or UDP header: the source and destination ports.

2.5.3.1 TCP Header

The source and destination port are included in the transport layer protocol header. Like the TCP header...

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.5.3.2 UDP Header

…or the UDP header.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


2.5.4 Netstat Command

To check the listening ports and the current (TCP) connections on a host you can use:
• netstat -ano on Windows
• netstat -tunp on Linux
• netstat -p tcp -p udp together with lsof -n -i4TCP -i4UDP on MacOS

Use these commands to show information about the processes listening on the machine and processes connecting to remote servers.

Another great tool for Windows is TCPView from Sysinternals.

TCPView shows:
• Process name
• PID
• Protocol
• Local and remote addresses
• Local and remote ports
• State of the connection (if applicable)

http://technet.microsoft.com/en-us/sysinternals/bb897437


2.5.5 TCP Three Way Handshake

We have seen that TCP is connection oriented. Now, let’s


look at how TCP connections work, as well as highlight the
most important factors involved, from the penetration
tester's point of view, in a 3-way handshake.

To establish a connection between two hosts running TCP,


they must perform three steps: the three-way handshake.
They can then start the actual data transmission.

PTSv4: Section 1, Module 2 - Caendra Inc. © 2019 | p.187


2.5.5 TCP Three Way Handshake

0 1
The header fields involved in 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
the handshake are: | Source Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Sequence number | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
• Acknowledgement | Acknowledgment Number |
numbers +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F|
• SYN and ACK flags | Offset| Reserved |R|C|S|S|Y|I|
| | |G|K|H|T|N|N|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |

PTSv4: Section 1, Module 2 - Caendra Inc. © 2019 | p.188


The steps in the handshake are used to synchronize the sequence and acknowledgment numbers between the server and the client.

During the first step, the client sends a TCP packet to the server with the SYN flag enabled and a random sequence number.

    SYN        Seq: 329   Ack: 0

In the second step, the server replies by sending a packet with both the SYN and ACK flag set and another random sequence number.

    SYN/ACK    Seq: 498   Ack: 330

The ACK number is always a simple increment of the sequence number sent by the client in its SYN.

Finally, the client completes the synchronization by sending an ACK packet. Note that the client behaves just like the server when sending ACK packets.

    ACK        Seq: 330   Ack: 499
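The arithmetic of the exchange above can be checked mechanically. This added example (not part of the original course material) packs the three segments from the slides into raw TCP headers, parses them back and verifies the flags and the sequence/acknowledgment numbers, including wrap-around at 2^32; the port numbers are constructed sample values.

```python
import struct

# Flag bits of the TCP header, lowest bit first: FIN, SYN, RST, PSH, ACK, URG.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_header(sport, dport, seq, ack, flags):
    """Pack a 20-byte TCP header without options (checksum left at zero)."""
    offset_and_flags = (5 << 12) | flags  # data offset = 5 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_and_flags, 65535, 0, 0)


def parse_header(raw):
    """Extract the fields the handshake relies on from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_and_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_and_flags & 0x3F}


def next_seq(number):
    """A SYN consumes one sequence number; the space wraps at 2**32."""
    return (number + 1) % 2**32


def check_handshake(syn, syn_ack, ack):
    """Return a list of problems found in three parsed segments ([] = valid)."""
    problems = []
    if syn["flags"] != SYN:
        problems.append("segment 1: expected only SYN set")
    if syn_ack["flags"] != SYN | ACK:
        problems.append("segment 2: expected SYN and ACK set")
    elif syn_ack["ack"] != next_seq(syn["seq"]):
        problems.append("segment 2: ack is not client seq + 1")
    if ack["flags"] != ACK:
        problems.append("segment 3: expected only ACK set")
    else:
        if ack["seq"] != next_seq(syn["seq"]):
            problems.append("segment 3: seq is not client seq + 1")
        if ack["ack"] != next_seq(syn_ack["seq"]):
            problems.append("segment 3: ack is not server seq + 1")
    return problems


# Constructed capture: sequence numbers from the slides, ports are made up.
SLIDE_CAPTURE = [
    build_header(49152, 80, 329, 0, SYN),
    build_header(80, 49152, 498, 330, SYN | ACK),
    build_header(49152, 80, 330, 499, ACK),
]

if __name__ == "__main__":
    segments = [parse_header(raw) for raw in SLIDE_CAPTURE]
    print(check_handshake(*segments) or "handshake is consistent")
```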
2.3 Routing

How does this support my pentesting career?

• Understanding routing protocol attacks
• Performing network traffic inspection

Addressing devices is just half of the work needed to reach a host. Your packets need to follow a valid path to reach it.

Routers are devices connected to different networks at the same time. They are able to forward IP datagrams from one network to another. The forwarding policy is based on routing protocols.

Routing protocols are used to determine the best path to reach a network. They behave like a postman who tries to use the shortest path possible to deliver a letter.

A router inspects the destination address of every incoming packet and then forwards it through one of its interfaces.


2.3.1 Routing Table

To choose the right forwarding interface, a router performs a lookup in the routing table, where it finds an IP-to-interface binding.

The table can also contain an entry with the default address (0.0.0.0). This entry is used when the router receives a packet whose destination is an unknown network.


2.3.1.1 Routing Table Example

IP             Netmask          Interface
228.72.0.0     255.255.0.0      1
192.168.5.0    255.255.255.0    2
0.0.0.0        0.0.0.0          3

In this example, the routing table is made of three entries.

• Interface 1 is used to forward the packets to 228.72.0.0/16.
• Interface 2 is used to forward the packets to 192.168.5.0/24.
• Interface 3 is used as the default route for packets whose destination does not match any other entry in the table.

A packet arriving on interface 3 for 192.168.5.3 is forwarded on interface 2.

In fact, the first entry in the routing table does not match the destination network, while the second does: 192.168.5.3 sits in the 192.168.5.0/24 network.

2.3.1.2 Default Route Example

A packet arriving on interface 1 for 72.13.37.2 is routed through interface 3, the default route.

There is no matching entry, so the router forwards the packet through interface 3.


2.3.2 Routing Metrics

As in the real world, there could be more than one way to reach a destination.

So, during path discovery, routing protocols also assign a metric to each link.

This ensures that, if two paths have the same number of hops, the fastest route is selected.

The metric is selected according to the channel's estimated bandwidth and congestion.

2.3.2.1 Routing Metrics Example

Let’s look at how routing decisions are made according to metrics.

IP             Netmask          Interface   Metric
228.72.0.0     255.255.0.0      1           5
192.168.5.0    255.255.255.0    2           8
11.32.0.0      255.255.0.0      2           17
11.32.0.0      255.255.0.0      1           15
0.0.0.0        0.0.0.0          3           7

A packet arriving on interface 3 for 11.32.3.118 is routed through interface 1, as the metric for that route is 15.

Routing through interface 2 would have a metric of 17.
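The lookup described in 2.3.1 and 2.3.2 can be reproduced in a few lines. This added example (not from the original slides) loads the table from the metrics slide, matches a destination by ANDing it with each netmask, and picks the most specific match, breaking ties by lowest metric; preferring the longest netmask is standard router behaviour that the slides imply but do not state, and the function names are hypothetical.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network mask interface metric")

# Rows of the routing table shown on the metrics slide.
SLIDE_TABLE = [
    ("228.72.0.0", "255.255.0.0", 1, 5),
    ("192.168.5.0", "255.255.255.0", 2, 8),
    ("11.32.0.0", "255.255.0.0", 2, 17),
    ("11.32.0.0", "255.255.0.0", 1, 15),
    ("0.0.0.0", "0.0.0.0", 3, 7),
]


def to_int(dotted):
    """Convert a dotted-quad IPv4 address or netmask to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def load_table(rows):
    """Build Route tuples, rejecting entries whose address has host bits set."""
    table = []
    for network, mask, interface, metric in rows:
        net, msk = to_int(network), to_int(mask)
        if net & msk != net:
            raise ValueError(f"{network} has host bits set for mask {mask}")
        table.append(Route(net, msk, interface, metric))
    return table


def lookup(table, destination):
    """Return the Route used for destination, or None if nothing matches."""
    dst = to_int(destination)
    # An entry matches when (destination AND netmask) equals its network.
    # The default route 0.0.0.0/0.0.0.0 therefore matches every address.
    matches = [r for r in table if dst & r.mask == r.network]
    if not matches:
        return None
    # Longest netmask wins; among equal netmasks the lowest metric wins.
    return min(matches, key=lambda r: (-bin(r.mask).count("1"), r.metric))


if __name__ == "__main__":
    table = load_table(SLIDE_TABLE)
    for target in ("192.168.5.3", "72.13.37.2", "11.32.3.118"):
        route = lookup(table, target)
        print(f"{target} -> interface {route.interface} (metric {route.metric})")
```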
2.3.3 Checking the Routing Table

Routing tables are not only kept by routers; every host stores its own table.

To check what they look like, you can use:

• ip route on Linux
• route print on Windows
• netstat -r on OSX

Checking the routing table on a Linux box:

root@host:~# ip route
default via 192.168.51.1 dev eth0 proto static
192.168.51.0/24 dev wlan0 proto kernel scope link src 192.168.51.123

Checking the routing table on Microsoft Windows:

C:\Users\User>route print
===========================================================================
Interface List
 11...08 00 27 bf ac c8 ......Intel(R) PRO/1000 MT Desktop Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15      10
         10.0.2.0    255.255.255.0          On-link       10.0.2.15     266

Checking the routing table on Mac OSX:

User:~ user$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Refs   Use   Netif  Expire
default            192.168.51.1       UGSc        13     0   en1
127                127.0.0.1          UCS          0     0   lo0
127.0.0.1          127.0.0.1          UH           1    16   lo0
169.254            link#4             UCS          0     0   en1
192.168.51         link#4             UCS          4     0   en1
192.168.51.1       58:6d:8f:e5:e:d2   UHLWIir     14    24   en1    1200
192.168.51.109     2:f:b5:4b:76:cf    UHLWIi       0     0   en1    1148


2.4 Link Layer Devices and Protocols

How does this support my pentesting career?

• MAC spoofing
• Testing switches security
• Sniffing techniques
• Man in the middle attacks

Packet forwarding also happens in the lowest layer of the TCP/IP stack: the link layer.

While routers are aware of the best overall path to the destination, link layer devices and protocols deal only with the next hop.

In this section you will see:

• How switches work
• Network card’s MAC addresses
• The Address Resolution Protocol (ARP)


2.4.1 Link Layer Devices

Hubs and switches are network devices that forward frames (layer 2 packets) on a local network.

They work with link layer network addresses: MAC addresses.

2.4.2 MAC Addresses

IP addresses are the Layer 3 (Network layer) addressing scheme used to identify a host in a network, while MAC addresses uniquely identify a network card (Layer 2).

A MAC (Media Access Control) address is also known as the physical address.

MAC addresses are 48 bits (6 bytes) long and are expressed in hexadecimal form (HEX).

00:11:AA:22:EE:FF

To discover the MAC address of the network cards installed on your computer, you can use:

• ipconfig /all on Windows
• ifconfig on *nix operating systems, like MacOS
• ip addr on Linux

Every host on a network has both a MAC and an IP address.

Let us see how they are used together to send packets.

Remember: the lower layer serves the layer above.
2.4.3 IP and MAC Addresses

Let’s take a look at an example to see how MAC addresses are used.

Two different networks are connected together by a router:

• 10.32.1.0/24
• 192.168.2.0/24

Every host on the network has both an IP and a MAC address. The router has two interfaces, each with its own addresses.

If workstation A wants to send a packet to workstation B, which IP and MAC addresses will it use?

Workstation A will create a packet with:

• The destination IP address of workstation B in the IP header of the datagram.
• The destination MAC address of the router in the link layer header of the frame.
• The source IP address of workstation A
• The source MAC address of workstation A

The router will then take the packet and forward it to B's network, rewriting the packet's MAC addresses:

• The destination MAC address will be B's
• The source MAC address will be the router's

The router will not change the source and destination IP addresses.

When a device sends a packet:

• The destination MAC address is the MAC address of the next hop; this ensures that, locally, the network knows where to forward the packet.
• The destination IP address is the address of the destination host; this is global information and remains the same for the packet's whole trip.

This method, in a way, recalls how you send a letter to a friend.

You need to know his or her home address (IP address) and the address of the nearest post office (MAC address) where you can drop the letter.

2.4.4 Broadcast MAC Address

There is also a special MAC address, FF:FF:FF:FF:FF:FF, which is the broadcast MAC address.

A frame (the name of the packets at Layer 2) with this address is delivered to all the hosts in the local network (within the same broadcast domain).
2.4.5 Switches

While routers work with IP addresses, switches work with MAC addresses. Switches also have multiple interfaces, so they need to keep a forwarding table that binds one or more MAC addresses to an interface.

MAC                  Interface   TTL
00:11:22:33:44:55    1           30
AA:BB:CC:DD:EE:01    2           5
AA:CC:FF:0A:0C:12    2           5
11:22:33:1D:CC:0A    3           7

The forwarding table is called the Content Addressable Memory (CAM) table. Many hosts can connect to a switch. Let’s see how.

The smallest switches you can encounter are home switches, usually integrated into a DSL home router. They usually have 4 ports.

Corporate switches may have up to 64 ports, and system administrators can connect multiple switches together to accommodate more hosts.

The main difference between one switch and another is the packet forwarding speed.

The speed of a switch varies from 10Mbps (megabits per second) to 10Gbps (gigabits per second). Nowadays, 1Gbps is the most common forwarding speed in commercial switches.

2.4.5.1 Multi-switch Network

In this diagram, all the machines are on the same network.

Switches let all the computers talk to each other.

2.4.5.2 Segmentation

Switches, without VLANs, do not segment networks. Routers do.

Networks shown in the diagram: 192.168.2.0/24 and 10.10.0.0/16.

Usually, every interface of a router is attached to a different subnet with a different network address.

Also, routers do not forward packets coming from one interface if they have a ff:ff:ff:ff:ff:ff broadcast MAC address (imagine if they did!).


2.4.5.3 Multi-switch Example

What happens if 10.10.9.4 wants to send a packet to 10.10.1.4?

The first switch receives the packet, performs a look-up in the CAM table and forwards it to the next switch.

The second switch forwards the packet to 10.10.1.4.

2.4.5.4 Multi-switch and Router Example

What happens if 10.10.1.4 wants to send a packet to 192.168.2.3?

10.10.1.4 needs to send the packet to the router so that the first switch will forward the packet to the next one.

The packet then arrives at the router that, after a look up in the routing table, forwards it to the 192.168.2.0/24 network.

Finally, the packet is delivered.


2.4.5.5 Forwarding Tables

A forwarding table binds MAC addresses to interfaces.

In the following slides you will see:

• The structure of the table
• The way a switch constructs the MAC address – interface binding
• How forwarding works

A typical forwarding table contains:

• The MAC address
• The interfaces the switch can use to deliver packets to a specific MAC address
• A time to live (TTL)

MAC                  Interface   TTL
00:11:22:33:44:55    1           30
AA:BB:CC:DD:EE:01    2           5
AA:CC:FF:0A:0C:12    2           5
11:22:33:1D:CC:0A    3           7

The forwarding table, or Content Addressable Memory table (CAM table), is stored in the device's RAM and is constantly refreshed with new information.

Looking at the table you can tell that:

• A single host is attached to each of interfaces 1 and 3
• Two hosts are attached to interface 2 (probably via another switch).

There might be multiple hosts on the same interface and interfaces without any host attached.

In our example, interface 4 has no hosts attached.

The TTL determines how long an entry will stay in the table. This is important because the CAM table has a finite size.

So, as soon as an entry expires it is removed from the table.
2.4.5.6 CAM Table Population

Switches learn new MAC addresses dynamically; they inspect the header of every packet they receive, thus identifying new hosts.

While routers use complex routing protocols to update their routing rules, switches just use the source MAC address of the packets they process to decide which interface to use when forwarding a packet.

The source MAC address is compared to the CAM table:

• If the MAC address is not in the table, the switch will add a new MAC-Interface binding to the table
• If the MAC-Interface binding is already in the table, its TTL gets updated
• If the MAC is in the table but bound to another interface, the switch updates the table

2.4.5.7 Forwarding

To forward a packet:

1. The switch reads the destination MAC address of the frame.
2. It performs a look-up in the CAM table.
3. It forwards the packet to the corresponding interface.
4. If there is no entry with that MAC address, the switch will forward the frame to all its interfaces.
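The population rules and the forwarding steps above fit in one small model. This added example (not from the original slides) simulates a four-interface learning switch with TTL-based aging and reports, for each frame, which population rule fired and where the frame goes; the traffic is constructed from the MAC addresses in the slide's table, and the class and function names are hypothetical.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning switch: the CAM table maps MAC -> (interface, expiry time)."""

    def __init__(self, interfaces, ttl=30):
        self.interfaces = set(interfaces)
        self.ttl = ttl
        self.cam = {}

    def expire(self, now):
        """Drop every binding whose TTL has run out."""
        for mac in [m for m, (_, expiry) in self.cam.items() if expiry <= now]:
            del self.cam[mac]

    def learn(self, src_mac, in_interface, now):
        """Apply the three population rules and report which one fired."""
        known = self.cam.get(src_mac)
        if known is None:
            event = "new"            # rule 1: add a new binding
        elif known[0] == in_interface:
            event = "refreshed"      # rule 2: same binding, TTL updated
        else:
            event = "moved"          # rule 3: MAC seen on another interface
        self.cam[src_mac] = (in_interface, now + self.ttl)
        return event

    def receive(self, src_mac, dst_mac, in_interface, now):
        """Process one frame; return (learning event, output interfaces)."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        self.expire(now)
        event = self.learn(src_mac, in_interface, now)
        entry = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            # Unknown or broadcast destination: flood. Real switches skip
            # the interface the frame arrived on, so this model does too.
            out = sorted(self.interfaces - {in_interface})
        elif entry[0] == in_interface:
            out = []                 # destination sits behind the ingress port
        else:
            out = [entry[0]]
        return event, out


def replay(frames, interfaces=(1, 2, 3, 4), ttl=30):
    """Feed (time, src, dst, interface) tuples to a fresh switch."""
    switch = Switch(interfaces, ttl)
    return [switch.receive(src, dst, port, now) for now, src, dst, port in frames]


# Constructed traffic using MAC addresses from the slide's CAM table.
SAMPLE_FRAMES = [
    (0, "00:11:22:33:44:55", "AA:BB:CC:DD:EE:01", 1),
    (1, "AA:BB:CC:DD:EE:01", "00:11:22:33:44:55", 2),
    (2, "00:11:22:33:44:55", "AA:BB:CC:DD:EE:01", 1),
    (3, "00:11:22:33:44:55", "FF:FF:FF:FF:FF:FF", 3),
    (100, "AA:CC:FF:0A:0C:12", "00:11:22:33:44:55", 2),
]

if __name__ == "__main__":
    for frame, result in zip(SAMPLE_FRAMES, replay(SAMPLE_FRAMES)):
        print(frame, "->", result)
```

A "moved" result corresponds to the third population rule; on a production network, a MAC address that keeps moving between interfaces is worth logging.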


2.4.6 ARP

When a host wants to send a packet to another host, it needs to know the IP and the MAC address of the destination in order to build a proper packet.

You wouldn’t be able to send your friend a letter if you don’t know his/her address, right? What happens if the source host knows the IP address, but not the MAC address of the destination host?

This situation occurs in many circumstances, for example at every power up.

• A PC in an office knows a bunch of IP addresses, like the fileserver, the printers, and the webserver, but not their corresponding MAC addresses.

The host needs to know the MAC addresses of the other network nodes, and it can learn them by using the Address Resolution Protocol (ARP).

With ARP a host can build the correct IP Address – MAC address binding.

This is one of the most fundamental protocols any modern network uses, so make sure to fully understand it.

When a host (A) wants to send traffic to another (B), and it only knows the IP address of B:

1. A builds an ARP request containing the IP address of B and FF:FF:FF:FF:FF:FF as destination MAC address. This is fundamental because the switches will forward the packet to every host.
2. Every host on the network will receive the request.
3. B replies with an ARP reply, telling A its MAC address.

In the example:

Host A: IP 192.168.7.3, MAC 11:22:33:44:55:66
Host B: IP 192.168.7.9, MAC 77:88:99:AA:BB:CC

‘A’ sends a packet to the broadcast MAC address, asking for the MAC address of B.

    To FF:FF:FF:FF:FF:FF: Who has 192.168.7.9? Tell 192.168.7.3

The switch forwards the packet to all its ports.

B replies telling A its MAC address.

    To 11:22:33:44:55:66: 192.168.7.9 is at 77:88:99:AA:BB:CC

Finally, the switch forwards the reply to A.

‘A’ will save the IP – MAC binding in its ARP cache. Further traffic to ‘B’ will not need a new round of ARP resolution.

ARP cache entries have a TTL too, as the size of the device RAM is finite. A host discards an entry at power off or when the entry's TTL expires.
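To see what the request and reply look like on the wire, this added example (not from the original slides) builds both frames for hosts A and B as raw Ethernet + ARP bytes, parses them back into the "Who has / is at" messages, and stores the result in a cache with a TTL. The 60-second TTL and all function names are assumptions made for the illustration.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
REQUEST, REPLY = 1, 2
ARP_BODY = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw):
    return ":".join(f"{byte:02x}" for byte in raw)


def build_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header (14 bytes) plus an IPv4-over-Ethernet ARP body (28)."""
    ethernet = (mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac)
                + struct.pack("!H", ETHERTYPE_ARP))
    arp = struct.pack(ARP_BODY, 1, 0x0800, 6, 4, op,
                      mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_to_bytes(target_mac), socket.inet_aton(target_ip))
    return ethernet + arp


def parse_frame(frame):
    """Decode an ARP frame; raise ValueError if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_BODY, frame[14:42])
    if ethertype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    return {"eth_dst": mac_to_str(eth_dst), "eth_src": mac_to_str(eth_src),
            "op": op, "sender_mac": mac_to_str(sha),
            "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_to_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def describe(arp):
    """Render a parsed frame the way the slides (and sniffers) word it."""
    if arp["op"] == REQUEST:
        return f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}"
    if arp["op"] == REPLY:
        return f"{arp['sender_ip']} is at {arp['sender_mac']}"
    raise ValueError("unsupported ARP operation")


class ArpCache:
    """IP -> MAC bindings that expire after ttl seconds (ttl is an assumption)."""

    def __init__(self, ttl=60):
        self.ttl = ttl
        self.entries = {}

    def learn(self, arp, now):
        self.entries[arp["sender_ip"]] = (arp["sender_mac"], now + self.ttl)

    def lookup(self, ip, now):
        mac, expiry = self.entries.get(ip, (None, 0))
        if mac is None or expiry <= now:
            self.entries.pop(ip, None)   # expired or unknown: resolve again
            return None
        return mac


# Frames for the slide's hosts A (192.168.7.3) and B (192.168.7.9).
A_IP, A_MAC = "192.168.7.3", "11:22:33:44:55:66"
B_IP, B_MAC = "192.168.7.9", "77:88:99:aa:bb:cc"
REQUEST_FRAME = build_frame(REQUEST, BROADCAST, A_MAC, A_IP,
                            "00:00:00:00:00:00", B_IP)
REPLY_FRAME = build_frame(REPLY, A_MAC, B_MAC, B_IP, A_MAC, A_IP)
```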


2.4.6.1 Checking the ARP Cache

You can check the ARP cache of your host by typing:

• arp -a on Windows
• arp on *nix operating systems
• ip neighbour on Linux

$ ip neighbour
192.168.17.202 dev eth0 lladdr d0:d4:12:e1:ef:5a STALE
192.168.17.1 dev eth0 lladdr 00:50:7f:78:fc:40 STALE
192.168.17.99 dev eth0 lladdr 00:d0:4b:92:2d:89 STALE
192.168.17.14 dev eth0 lladdr 60:a4:4c:a8:be:5b STALE
192.168.17.18 dev eth0 lladdr 20:cf:30:c7:ad:ae STALE
192.168.17.30 dev eth0 lladdr 20:cf:30:ea:22:13 STALE
192.168.17.66 dev eth0 lladdr a4:ee:57:e8:2e:0b STALE
192.168.17.254 dev eth0 lladdr c8:4c:75:a4:79:a6 REACHABLE
192.168.17.12 dev eth0 lladdr 60:a4:4c:a8:bd:1a STALE
192.168.17.19 dev eth0 lladdr 54:04:a6:a0:6e:ad STALE
192.168.17.24 dev eth0 lladdr bc:5f:f4:ef:63:51 STALE



2.4.7 Hubs

Hubs were used in computer networks before switches. They have the same purpose but not the same functionality.

Hubs are simple repeaters that do not perform any kind of header check and simply forward packets by just repeating electric signals. They receive electric signals on a port and repeat the same signals on all the other ports.

This means that every node on a hub-based network receives the same electric signals, thus the same packets.

Nowadays, hubs are very rare as they have mostly been replaced by switches.


2.6.7 NAT and Masquerading

Firewalls not only filter packets but can also be used to implement Network Address Translation or NAT.

Note: Your home router is most probably running NAT to connect all your home devices to the internet without needing a public IP assigned to each of them.

What is NAT and why is it needed?

As you know, every machine on the Internet must have a unique IP address. This does not mean that every device that can access the internet must have a unique public IP address.

Network Address Translation (NAT) and IP masquerading are two techniques used to provide access to a network from another network.

Network A can be a private network using a NAT device to access the Internet. A machine on the internet cannot directly access a machine in Network A.

But a machine in Network A can access the Internet, if the NAT device allows the traffic to pass.

Every machine inside Network A will use the NAT device as its default gateway, thus routing its Internet traffic through it. The NAT device then rewrites the source IP address of every packet, setting it to 72.65.2.78 (in our example), thus masquerading the original client's IP address.

A machine on the Internet will never know the original client's IP address.
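The rewriting step can be modelled with a translation table. This added example (not from the original slides) masquerades two private hosts behind 72.65.2.78, maps replies back to the right host and drops traffic that no inside host asked for. The slides only mention rewriting the source IP; the per-connection port translation, the private addresses in Network A and the remote addresses (documentation ranges) are assumptions made for the illustration.

```python
def make_packet(src, sport, dst, dport):
    """Minimal packet model: only the fields a NAT device rewrites."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


class MasqueradingNat:
    """Source NAT with port translation in front of a private network."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port) -> public port
        self.by_flow = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.by_port = {}

    def outbound(self, packet):
        """Rewrite the source of a packet leaving the private network."""
        flow = (packet["src"], packet["sport"], packet["dst"], packet["dport"])
        if flow not in self.by_flow:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[(port, packet["dst"], packet["dport"])] = flow[:2]
        # The remote host only ever sees the NAT device's public address.
        return dict(packet, src=self.public_ip, sport=self.by_flow[flow])

    def inbound(self, packet):
        """Translate a reply back, or return None for unsolicited traffic."""
        if packet["dst"] != self.public_ip:
            return None
        key = (packet["dport"], packet["src"], packet["sport"])
        private = self.by_port.get(key)
        if private is None:
            return None  # no inside host opened this flow: not forwarded
        return dict(packet, dst=private[0], dport=private[1])


def demo():
    """Constructed traffic: two hosts in Network A talk to one web server."""
    nat = MasqueradingNat("72.65.2.78")
    first = nat.outbound(make_packet("192.168.1.10", 51000, "203.0.113.10", 80))
    second = nat.outbound(make_packet("192.168.1.11", 51000, "203.0.113.10", 80))
    reply = nat.inbound(make_packet("203.0.113.10", 80, "72.65.2.78",
                                    second["sport"]))
    unsolicited = nat.inbound(make_packet("198.51.100.7", 4444, "72.65.2.78",
                                          first["sport"]))
    return first, second, reply, unsolicited


if __name__ == "__main__":
    for result in demo():
        print(result)
```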
