Transcript Networks - University of St. Thomas

CISC 210 - Class Today
•
•
•
•
•
Recap
Packet Formats
Network addressing
Looking at Network Traffic
Network Scanning
March 2005
R. Smith - University of St Thomas - Minnesota
1
Recap
• Going over the Exam Answers
• Intro Networking
– Technologies and Topologies
– Attacks: passive and active
– Addressing
March 2005
R. Smith - University of St Thomas - Minnesota
2
Packet Formats
• Modern computer networks use packets
– Packets: Blocks of data of varying sizes
– All data is sent in packets – never just bits or bytes
– Standardized formatting
• Nested Structure – packets inside of packets
– Outermost packet: LAN data (10-100-1000-BaseT; “Ethernet”)
• MAC addresses of LAN nodes
– Next in: Internet packet: IP addresses of hosts
– Next: TCP/UDP: port numbers for processes
– Next: application data, like HTPP/HTML for the web
March 2005
R. Smith - University of St Thomas - Minnesota
3
Addresses
• Lowest level – which plug on the machine
– Separate LAN interfaces sit behind those plugs
• MAC Address – node address on the LAN
–
–
–
–
Each LAN interface has its own MAC address
MAC addresses are internationally unique
There is no way to ‘route’ traffic to MAC addresses
The MAC address must be present on your LAN
• Internet addresses – host address on Internet
March 2005
R. Smith - University of St Thomas - Minnesota
4
Internet Addresses
• IP Address – host address on LAN/Internet
– You need a unique IP address to talk to the Internet
• IP addresses are valuable
• Many LANs use “local” addresses – explain later
– Any IP layer can send packets to any other w/IP address
• The IP address contains two parts
– Network number: upper bits
• Routes the packet to the right LAN on the Internet
– Host number: lower bits
• Routes the packet to the right host on its LAN
• Addresses and Routing
– We route with the “Network Address”
– Once on the correct LAN, use ARP to find the host
March 2005
R. Smith - University of St Thomas - Minnesota
5
Sockets
• Socket address – IP +TCP/UDP port numbers
– Port numbers direct packets to specific processes
– Socket address = unique process-process connection
– Contains sender’s IP + port and recipients' IP+port
March 2005
R. Smith - University of St Thomas - Minnesota
6
Sending Data on a LAN
• If we just use LAN addresses
– We fill in the MAC address of the recipient
– We fill in our own MAC address
– We send the packet
• If we use IP addresses
– We need to translate the IP address to a MAC address
• We use the “ARP Table”
• “Address Resolution Protocol”
• Converts between MAC addresses and IP on a LAN
– Fill in the destination’s MAC address, again
– Fill in the IP packet data
– Send it
March 2005
R. Smith - University of St Thomas - Minnesota
7
Address Resolution on a LAN
• The Problem
– We know the hosts’ IP addresses; we need the MAC addresses
• The Solution: ARP
– To ‘look up’ an address
• We broadcast an ARP query “Who is 11.22.33.44?”
• All LAN hosts receive it.
• The owner of 11.22.33.44. replies to us with their MAC addr
– If someone asks for our MAC address
• We send the reply
– All ARP results are saved in the ARP Table
• Lists IP addresses with corresponding MAC addresses
March 2005
R. Smith - University of St Thomas - Minnesota
8
Playing with ARP
• There’s an ARP command in DOS
• arp –a = display of the ARP table
• Use ‘ping’ to add new IP addresses
– ping 140.209.69.10
• Display the ARP table again – see the update
March 2005
R. Smith - University of St Thomas - Minnesota
9
What if the host isn’t on the LAN?
• Example: ARP comes back “No!”
• Example: IP address is not in your network
• Answer: Send it to your ‘default gateway’
– When we configure an Internet host, it gets the following:
• Own IP address
• Network mask – divides address into network/host parts
• Gateway address – router to reach non-local hosts
• DNS address – translator for Domain Names
– If it’s not on our LAN, we just send it to the default gateway
• The gateway has a more complete routing table
• Can send to “outside” Internet or to other local LANs
March 2005
R. Smith - University of St Thomas - Minnesota
10
What do attackers see?
• They can intercept your packets
– If they’re on the same LAN
• Sniffing traffic on a “hub”
– Hubs broadcast everything to everyone on the net
– A ‘promiscuous’ interface can pick up everything
• Redirection tricks with ARP
– An ARP packet can redirect traffic to the attacker’s host
– There’s no authentication in ARP
• Let’s look at some packets with WireShark
– Go to the CISC 210 home page
– Download the “Prairie Intl” file
March 2005
R. Smith - University of St Thomas - Minnesota
11
Wireshark
• Can follow net traffic in real time
– Capture from a wireless laptop
– Less to capture on a LAN these days (why?)
• Can save a trace in a file
• We can follow a trace in a file, too
– “Prairie Intl” File
3/27/2016
R. Smith - University of St Thomas - Minnesota
12
The Display
• All the packets, color coded by type
• LOTS OF NOISE DATA
• Important packets/conversations
– ARP
– DNS
– HTTP
• Let’s focus -> (next slide, please)
3/27/2016
R. Smith - University of St Thomas - Minnesota
13
Following Network Information
• ARP Transactions
– Let us know who is on the LAN
• DNS transactions
– Who is looking for what
• TCP/IP transactions
– Let us know what people are actually doing
• This is ‘passive’ probing of networks
March 2005
R. Smith - University of St Thomas - Minnesota
14
Class Things
• Seniors – send me e-mail if you’re graduating
• Reading: Chapters 3 and 4
Reading HTTP
• Cookies
• Authenticated sites
Active probing of networks
• ARP poisoning – redirect LAN traffic to us
– Send ARP Replies for all IP addresses; point to our MAC
– We can wireshark the traffic and forward it to the recipient
• “nmap” – map a network
– Sends packets to try to identify hosts on the network
• Which exist, their addresses on LAN and Internet
• What OS they run
• What protocols they support
• What versions of protocols
– “Active” because it ‘tickles’ the hosts with special packets
• While the probing tries to be benign, it isn’t always.
• Increased traffic, denial of service, authentication failures
March 2005
R. Smith - University of St Thomas - Minnesota
17
Wardialing
• The process of searching an address space for
potential targets
– Usually applies just to phone lines – from Wargames movie
• Same concept used by ‘nmap’
– Can search a range of IP addresses for hosts
• Search using IP protocols
• Also search for active ports on a host
– Can search IP addresses using ARP
• Hosts may respond to ARP but ignore other probes
• The problem with nmap
– The probes cause network traffic, sometimes disrupt hosts
– ISPs see nmap as a violation of Terms of Use
– Detecting nmap use
March 2005
R. Smith - University of St Thomas - Minnesota
18
Creative Commons License
This work is licensed under the Creative
Commons Attribution-Share Alike 3.0 United
States License. To view a copy of this license,
visit http://creativecommons.org/licenses/bysa/3.0/us/ or send a letter to Creative
Commons, 171 Second Street, Suite 300, San
Francisco, California, 94105, USA.
March 2005
R. Smith - University of St Thomas - Minnesota
19