CDPA Network Administration Training

Hacker Mission 2
Ethernet Switching
ARP, IP, LAN, Subnet
IP Header, Routing
ICMP
[email protected] 2006.03.23
Today's Goals
Review & supplement
  Ethernet Switching
  ARP
Understand
  IP Header
  Gateway (Routing)
  Subnet
  ICMP Echo
Tools
  Nemesis
  Tcpdump
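Ethernet switching
Ethernet HUB
Ethernet Switching
[Diagram: switch with ports 1, 2, 3 and hosts A, B, C; frame A -> C; port table 1, 2, 3]
Ethernet Switching
[Diagram: switch with ports 1, 2, 3 and hosts A, B, C; frame C -> A; port table entries: A, C]
Ethernet Switching
[Diagram: switch with ports 1, 2, 3 and hosts A, B, C; frame A -> C; port table entries: A, C]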
ARP
Hosts: 192.168.1.1 (00:00:00:00:00:01) and 192.168.1.2 (00:00:00:00:00:02)
192.168.1.1: I want to communicate with 192.168.1.2
Request: Who has 192.168.1.2 tell 192.168.1.1 (00:00:00:00:00:01)
ARP
Hosts: 192.168.1.1 (00:00:00:00:00:01) and 192.168.1.2 (00:00:00:00:00:02)
Reply: I (00:00:00:00:00:02) have 192.168.1.2 to (00:00:00:00:00:01) 192.168.1.1
Let's try~~
2 people per group

Use computer A to ping computer B.
Use computer C and the other two to listen.
Tool: tcpdump

sudo tcpdump -i eth0 icmp or arp
IP Header
Version
  IPv4 -> value 4
Internet Header Length (IHL)
  4-bit Internet Header Length (IHL) giving the number of 32-bit words in the header.
  Value = Header Length (bytes) / 4
Type of Service
  In RFC 791, the following 8 bits were allocated to a Type of Service (ToS) field:
  bits 0-2: precedence
  bit 3: 0 = Normal Delay, 1 = Low Delay
  bit 4: 0 = Normal Throughput, 1 = High Throughput
  bit 5: 0 = Normal Reliability, 1 = High Reliability
  bits 6-7: Reserved for future use
Total Length
  This field defines the entire datagram size, including header and data, in bytes. The minimum-length datagram is 20 bytes (20 bytes header + 0 bytes data) and the maximum is 65,535 — the maximum value of a 16-bit word.
Identification
  Identifies the fragments of an original datagram.
Flags (3 bits)
  Reserved, must be zero
  Don't Fragment (DF)
  More Fragments (MF)
Fragment Offset
  The offset of this fragment's data within the original datagram.
Time To Live (TTL)
  The maximum number of hops (routers) the datagram may travel.
Protocol
  TCP
  UDP
  ICMP
Header Checksum
Source, Destination Address
Options
Subnet, netmask, CIDR
CIDR
  Classless Inter-Domain Routing
Netmask
  The length of the contiguous run of 1 bits, counted from the most significant bit toward the least significant bit.
  Used to determine the network ID (LAN size).
Subnet example
IP 140.117.205.1 Mask 255.255.255.0

IP:         10001100 01110101 11001101 00000001
MASK:       11111111 11111111 11111111 00000000

Network ID: 10001100 01110101 11001101 00000000
Host ID:                               00000001

Same meaning: 140.117.205.1/24

Same network ID:
  Same LAN
  No router needed.
Router
When do we need a router?
  The destination IP is not in the LAN.
  ((Local IP) & (Netmask)) != ((Dst IP) & (Netmask))
Why do we need a router?
  The destination host is not in the LAN, so it can't be reached by Layer 2 (Datalink Layer, MAC Address).
How do we use a router?
  Simply use the router's MAC Address as the Frame's Destination MAC Address.
Router
How does a router work?
  It uses the Destination IP Address to decide where the packet should go.
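The IP Header fields and the router test above, put together as an added example (not part of the original slides). The function names, the destination 140.117.206.9 and the gateway 140.117.205.254 are assumptions made up for the illustration; the sample packet is constructed inline.

```python
import ipaddress
import struct

def checksum(data: bytes) -> int:
    """Header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4                      # IHL counts 32-bit words
    if version != 4 or ihl < 5 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "header_len": header_len, "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "checksum_ok": checksum(packet[:header_len]) == 0,  # valid header sums to 0
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }

def frame_target(local_ip: str, netmask: str, dst_ip: str, gateway: str) -> str:
    """IP whose MAC goes in the frame: dst if on the same LAN, else the router."""
    mask = int(ipaddress.IPv4Address(netmask))
    local, dst = (int(ipaddress.IPv4Address(a)) for a in (local_ip, dst_ip))
    return dst_ip if (local & mask) == (dst & mask) else gateway

def build_sample() -> bytes:
    # Constructed sample: 140.117.205.1 -> 140.117.206.9, DF set, TTL 64, ICMP (1)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, 1, 0,
                      bytes([140, 117, 205, 1]), bytes([140, 117, 206, 9]))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + b"\x00" * 8

if __name__ == "__main__":
    h = parse_ipv4_header(build_sample())
    print(h)
    print("ARP for:", frame_target(h["src"], "255.255.255.0", h["dst"], "140.117.205.254"))
```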
Let's try it~~~
Routing table

netstat -rn
Become a router

sudo sysctl net.ipv4.conf.all.forwarding=1
Add a new IP to the interface

sudo ifconfig eth0 inet add xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
Modify the interface IP

sudo ifconfig eth0 inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
Add a default gateway

sudo route add default gw xxx.xxx.xxx.xxx
ICMP Echo {request, reply}
Type and Code must be set to 0.
The Identifier and Sequence Number can be used by the client to manage which Echo Requests are associated with the Echo Replies.
The Data received by the Echo Request must be entirely included in the Echo Reply.
Final exercise
Use nemesis to send an ICMP Echo Request
  To LAN
  To WAN
The following args must be used:
-d -H -M, -S -D, -i -c -s -e
Use tcpdump to listen for the ICMP Echo Reply.

sudo tcpdump -i eth0 icmp
Thanks for listening
Any questions?