Louis Cremen

@louiscremen

10 things InfoSec professionals need to know about networking

So this story stems from the fact that I’ve plopped myself into the InfoSec world from App Development and from my Sec work I’ve really seen and understood that there is a need for a greater security understanding amongst devs, and the planet in general.

However, it’s been a niggling problem in my head that while I love looking at vulnerabilities and designing secure systems, my network penetration skills aren’t as good as they could be. And so, when I open my Twitter feed and see a tweet from one of my InfoSec Idols, my heart skips a beat:

Oh crap… my weakness…

Magikarp is an expert at Layer 2. It’s in his name.

The thread that follows is a list of security experts listing basic network skills that InfoSec people seem to be lacking in the industry.

They’re not wrong. Many industries don’t care about lower level networking protocols

Now, I’ve worked hard to try to get up to speed with many of these concepts, but if someone has the development background that I have, everything is abstracted away and you’re taught not to care because it doesn’t matter.

How I used to feel about things in this article…

But in the InfoSec world, it matters. A lot.

What?!

With humour, memes and humility, here are the top 10 things we’ll be addressing today:
1. OSI Model
2. Hub/Switch/Router
3. Frames / Packets
4. Faking MAC/IP addresses
5. TCP Handshake
6. IPv6
7. InfoSec Community
10. Don’t assume base 10.

1. InfoSec talk in Ogres, I mean Onions, I mean, Layers

…and it’s an instant red flag if you get it wrong…

I have a Computer Science Degree. I know my OSI Model. I’ve referenced it while teaching — and cleverly used “Please Do Not Teach Students Pointless Acronyms” as the best way to remember “Physical/Data Link/Network/Transport/Session/Presentation/Application.”

Taste the rainbow

But as a developer I never referenced the OSI model. I never needed to. I’m sure this applies to plenty of other technical roles too.

The more I live in the InfoSec world, the more the OSI model is used quite frequently to help describe different tools, attack vectors, and defence mechanisms.

I assume EE is Electrical Engineer and not Easter Expert

So here’s an less abstracted view of OSI containing the basics you need to know

Don’t feel bad if you don’t know all of this, when I started I assumed SMTP was lower down just because it was older. Yes, I am an idiot

Any diagram of OSI in textbooks or lecture notes is generally just a tower without context. I like this one, and would love to see an interactive version of it (or better).

Why does this matter in InfoSec? Other than being a great way to classify concepts, OSI helps dictate what information you can use, the tools that are appropriate and what information can be manipulated as a hacker.

Look at all those tasty tasty headers leaking useful information or waiting to be edited

If you’re getting into InfoSec. Know your OSI. We’ll be covering some of the common misconceptions within many of those layers later on.

2. Hubs, switches and routers are very very different.

If you’re not from a networking world, or your view of networking is setting up two wireless routers in your home — you may have used Hubs / Switch / Router as the same word. There’s a good chance that you have a box that does all three and you don’t care about the difference. InfoSec cares.

Imagine this song confused switch, hub and router. Actually, it might have made more sense depending on your pronunciation of router and whether you use Australian Slang.

Hubs

Hubs live at Layer 1 (Physical). They literally carry electricity. Electricity goes in one port, and it traverses to all other ports as electricity. If you’re on a hub network and you want to send a message to another computer: you send that message as electricity, it goes into a hub, and it sends it to everyone connected on that hub as electricity.

It’s up to that 1 computer to recognise the message is for them.

Hubs are dumb. They are simple. They are basic. And it’s almost not worth mentioning how easy it is to sniff information off them, because it is literally sending everyone’s information to everyone.

Switch

A switch, like a hub, also carries electricity from port to port. But with one very key difference. A Switch keeps a record of MAC addresses of all the devices attached to it. Since we’re using MAC Addresses, we’re in Layer 2.

Apple call it an iMac Address. (FYI: They don’t)

Every computer has a MAC address. If you have ethernet, bluetooth and WiFi — you’ll have at least 3 MAC addresses. One for each network interface. You may have more if you use Thunderbolt, USB Network etc. Quantity doesn’t matter, if you are on a network, you have a MAC address and a Switch knows about it.

Since the switch knows about your MAC address and the MAC address of your destination — instead of sending electricity to every port like a hub — it will only send it to the port containing the destination MAC address.

If you’ve read everything so far, and not just looked at the pictures, you may be asking

Why use a hub?

The answer: You really shouldn’t. But…

You can make a switch act like a hub

And that is an important point. You can fill up the memory of a Switch (Google: CAM Table) to force it to act like a hub, you can flood, you can spoof, you can utilise/create a mirror-port to receive all traffic, you can utilise broadcast frames (FF:FF:FF:FF:FF:FF) to reach every computer on a LAN segment. Lots of ways of tricking a switch to do the wrong thing and to send data to you, including turning it into a hub.

Networks can be misconfigured, outdated, too trusting and weak in so many ways. If you’re relying on tools only — you will not penetrate the same amount of networks a skilled InfoSec individual will.

One day maybe… but not today.

So then… what’s a router? What makes a router a router?
Really simplistically? A router sends data to other routers.

That’s it. No jokes. One router to another. 1 IP address to 1 IP address. 
We’re up to Layer 3.

You place a router on a gateway, the place where two or more networks connect. In the home case, your ISPs network and your network. You have a public IP address given to you by your ISP and an internal one created by your NAT.

NAT? What’s NAT used for?

NAT (Network Address Translation) allows for a single device (at home, it’s usually your router) to act as an agent between the Internet (your 1 public IP address) and your local network (Generally 254 IP addresses, but can be very very large).

This is NAT what I asked for

Your home is probably on a 10.X.Y.Z, or a 192.168.X.Y network, but your public IP address will be whatever your ISP gives you (http://whatismyipaddress.com).

If 6 people live at your house, then 6 people are coming from the same public IP address. It is the responsibility of a NAT to differentiate and manipulate packets so that they are delivered to the right person. This can get complex very quickly, but suffice to say it’s worked very well for the world so far.

The original NAT. Actually.. whoever takes it out of the letterbox and distributes it would be the NAT.

So when your home router says it’s actually a hub / switch / router — it really is a hub/switch/router.

Your router connects your LAN (Local Area Network), WAN (Wide Area Network) and/or ISP Network. It has a Switch for communicating between devices on the same network, and if you’re super unlucky, it’s not acting like a Switch, but like a Hub and all data is being transmitted across every port and your network is super slow whenever there are more people on the network.

3. How does everything talk to each other?

So far we’ve just touched on the different hardware types and where they live on the OSI stack. How do they move between stacks? How is information sent?

Holy smokes Batman!! We’ve been Framed!

If you are sending information from one computer to another on the same network, you are doing it via an “Ethernet Frame”. Without getting too nerdy, an Ethernet Frame has a Source MAC address, a Destination MAC address and a Payload.

If you are communicating to another computer on the same network, the destination MAC address will be the other computer. Since it’s a frame sent on the same network, there’s no need for a router to send information to another router.

Same reason you don’t put country on an envelope if you live in the same country

I will send my payload addressed to your MAC Address. The IP address may be used to calculate if they’re on the same network, depending on the situation and there is still an IP destination since a MAC address might have multiple IP addresses, but it does not need to go to a router.

That involves talking about Subnet Masks and this post is long enough as it is…

How does your computer know a destination MAC Address? 
That is when we need ARP.

ARP is MAGIK. Oh wait.. I already made that joke…

ARP. Address Resolution Protocol. Matches IP addresses and corresponding MAC Addresses.

Go to a terminal. Type arp -a. Windows. macOS. Linux. Don’t care. Go.

sleep(20);

You’ll get something that looks like this:

IP Address. Mac Address. Done. Mapped. Your computer knows.

Your computer is keeping records of all systems it has communicated with on the network, and since we’re on modern systems — they are very chatty so this is likely* all of them.

*Likely. Not guaranteed.

Unlike your computer, a switch knows all of them since that’s its main job.

So, what does an Ethernet frame look like?

Well sure.. if you want to be boring about it…

Source. Destination. Data goes into Payload. In this case, the data is a IPv4 Packet.
What an excellent time for a Segue.

We love you Woz

Holy smokes Batman!! We’ve been Packet..ed

If you need to send data on another network then we’re working with IP addresses. Now that we’re dealing with IP addresses — we’re in Level 3. 
Information sent at this layer is called a “packet”.

Batman cares deeply for the proper usage of frames and packets

A packet consists of two things. A header and a payload.
The most common forms of packets in this layer are:

  • IPv4 Packets (most packets)
  • IPv6 Packets (future packets. some current packets)
  • ICMP Packets (ping)

The most common misconception is that TCP and UDP packets are network level and are at the same level of ICMP. They’re not. Misconception over.

Get to the Transport Layer

The Header consists of a source IP and a destination IP and a bunch of other nerdy stuff. This nerdy stuff is the play thing of InfoSec professionals.

This is just the header.

What fun can we have with a IP Header? We can set source and destination IP addresses. We can craft packets with specific TTL (Firewalking). We can.. do all sorts of things. Packet crafting is the bread and butter for breaking through a Firewall and IDS. Sure, you can get a tool to go in for you, but it’s good to know what the tool is doing.

This design of “Header & Payload” kind of keeps going up the OSI model. In the Transport Layer, there’s a TCP or UDP Header which you can craft packets for. The session you’re working with has a header. The presentation layer will have a header. The application will have a header.

There could be a weakness that could be exploited at any layer, and it’ll be your job to attack / defend that weakness.

4. MAC address and IP addresses are separate, important and fake-able. Very fake-able.

I think we’ve covered ‘separate’ and ‘important’ in a lot of detail, so let’s go back to why this post exists in the first place. My InfoSec Idol:

MAC addresses are not arbitrary

Lets talk about this directly. MAC (Media Access Control) Address is a unique* address for a network interface.

Ha! Wikipedia made the same Apple joke I did.

Now it “should” be unique, but experience of twitter tells me there are bugs where it may not be.

But I digress. They ‘should’ be unique. So what makes a MAC Address? It’s a physical address on the hardware:

Found in the form XX:XX:XX:YY:YY:YY. In Hexadecimal

Or to use words…

Using our MAC Address example of XX:XX:XX:YY:YY:YY. The XX:XX:XX is the OUI (Organisationally Unique Identifier), so Hewlett Packard have 3C:D9:2B (as well as a few others), so if you see a MAC Address 3C:D9:2B:12:34:56, there’s a good chance it’s from a HP.

Can these be faked? By gosh, they can.

If I’m trying to get onto your network, I will try to be you. I will try to spoof your MAC address and have the switch confuse you for me. If a DHCP server is using MAC addresses to help distribute IPs, I will use be your MAC address to get an IP address.

If I’m operating at Layer 2, I’m operating with MAC addresses.

If I’m operating at Layer 3, I’m operating with IP address.

Can IP addresses be faked? By gosh, they can! We can craft packets, therefore we can craft IP addresses. We can trick switches, routers and servers, we can map ourselves to IP. There are many ways and reasons for this.

There’s more to be said here, but I will leave you with this tweet and move on

5. Three-way handshake? Sorry, I’m married.

Wait, you’re still here? Congratulations! We’re at TCP/IP. This is part of the Transport layer (Layer 4).

Most important thing here. Repeat after me. SYN. SYN-ACK. ACK.

No no. She responds with SYN-ACK. You respond with ACK. And then you have a conversation involving SYNs and ACKs. Or Acts of Sin depending where this conversation is being held. Maybe you should just FIN because she wants to RST.

You initiate a TCP connection with a server via a three-way handshake or TCP handshake. This handshake allows for sequence numbers and acknowledgement numbers to be exchanged. That way, if a packet is dropped or appears out of order, it can be resent safely.

Here is that exchange in picture form

x and y start off random, tools will show they start at 0, but this is a lie.

As data is sent, sequence & acknowledgement numbers increase until a FIN is sent. If sending is going well, the window size can increase. If something goes wrong, a RST is sent (or received upon trying a closed connection) cancelling a connection and a brand new connection will need to be established.

This is how TCP stays accurate.

From a good tutorial found here: http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/
Notice that both sides FIN and ACK the FIN

Why is this important? Because we can craft these packets and be malicious with them. (I feel like I could make this article “All Layers can be Crafted and Malicious” and BAM, whole article done). We can do SYN flooding, we can detect using FIN, scan with XMAS scanning — there are lots of things that stem from this. However, knowing how TCP connects and operates is very important in InfoSec.

Maybe they cover it in the last week of term as they finally allow students to use the internet?

Edit: Did this topic wet your appetite for more? I heavily recommend the post below by Gary Bernhardt (Twitter garybernhardt) 
“Network Protocols for anyone who knows a programming language”

6. IPv6? No one uses it, why should I know it?

Because something might be weak to it. People who setup networks may ignore / misconfigure IPv6 and may not be watching IPv6 because they’re too busy watching IPv4.

History may repeat itself with IPv6. Knowing fundamentals is a great way to help avoid this

There are tools for helping people penetrate, fingerprint and craft packets with IPv6 and ICMP6. There are defence mechanisms in routers, firewalls and IPS/IDS.

So yes, you gotta learn IPv6 networking. Even if you think it’s only 1% of servers that support it, or that you don’t think anyone uses it. They do. And you need to prepare your attack / defence to use it.

7. Stay engaged with the InfoSec community

This one could not be any more true. While the fundamentals have existed for a long time, there are new exploits, vulnerabilities and things to learn every day (or at least it seems like it) and Twitter and RSS helps me do it.

Twitter is such an excellent platform for the InfoSec community and I heavily recommend you follow top people in the field you care about.

I believe Dan put it in better words:

People ask me quite reguarly how I do this, so in the link below is a list of all RSS feeds (shared through feedly so you can easily subscribe to those resources) and my top twitter infosec people (that you can easily subscribe to):

10. Did you get my joke? I said 10 things, but that’s 10 in base 8! What a great way to be lazy :)

And that’s it. My joke regarding not having two additional points completes our journey.

But seriously, you should be comfortable with Base 2, Base 8, Base 10 and Base 16

If you’ve made it to the end, I hope you’ve enjoyed a brief knowledge transfer of important networking concepts. If you are one of the people I tweeted — thank you for being part of the twitter community I love to read with.

There were a few other tweets that caught my eye in terms of things that people should know. Other than that — peace out

Actually, it’s probably because we’re doomed to repeat the mistakes of history. Just on new platforms. Hello IoT!!

FIN. ACK.

More by Louis Cremen

Topics of interest

More Related Stories