
CISC 210 - Class Today


javan

Presentation Transcript


  1. CISC 210 - Class Today
     • Recap
     • Packet Formats
     • Network addressing
     • Looking at Network Traffic
     • Network Scanning
     R. Smith - University of St Thomas - Minnesota

  2. Recap
     • Going over the Exam Answers
     • Intro Networking
     • Technologies and Topologies
     • Attacks: passive and active
     • Addressing

  3. Packet Formats
     • Modern computer networks use packets
       • Packets: Blocks of data of varying sizes
       • All data is sent in packets – never just bits or bytes
       • Standardized formatting
     • Nested Structure – packets inside of packets
       • Outermost packet: LAN data (10-100-1000-BaseT; “Ethernet”)
         • MAC addresses of LAN nodes
       • Next in: Internet packet: IP addresses of hosts
       • Next: TCP/UDP: port numbers for processes
       • Next: application data, like HTTP/HTML for the web
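The nesting on this slide can be seen by unpacking one frame layer by layer. This is an added example, not part of the original slides; the frame is constructed inline, the MAC addresses and the 192.168.1.20 sender are made-up sample values, and checksums are left at zero and not verified.

```python
import struct

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_sample_frame():
    """Constructed sample: Ethernet > IPv4 > TCP > HTTP request bytes."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    # IPv4: version/IHL, TOS, total length, id, frag, TTL, protocol 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 20]), bytes([140, 209, 69, 10]))
    # Ethernet: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    eth = (bytes.fromhex("02000000000a") + bytes.fromhex("020000000014")
           + struct.pack("!H", 0x0800))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Peel the layers in the order the slide lists them."""
    # Outermost: LAN header with the MAC addresses of the LAN nodes.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac)}
    if ethertype != 0x0800:
        return out                      # not an IPv4 packet, stop here
    # Next in: Internet packet with the IP addresses of the hosts.
    ip = frame[14:]
    header_len = (ip[0] & 0x0F) * 4     # IHL is counted in 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]
    protocol = ip[9]
    out["src_ip"] = ".".join(str(b) for b in ip[12:16])
    out["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    if protocol not in (6, 17):
        return out                      # neither TCP nor UDP
    # Next: TCP/UDP with the port numbers for the processes.
    segment = ip[header_len:total_len]
    out["src_port"], out["dst_port"] = struct.unpack("!HH", segment[:4])
    transport_len = (segment[12] >> 4) * 4 if protocol == 6 else 8
    # Innermost: application data.
    out["payload"] = segment[transport_len:]
    return out

if __name__ == "__main__":
    for field, value in parse_frame(build_sample_frame()).items():
        print(f"{field:9} {value}")
```
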

  4. Addresses
     • Lowest level – which plug on the machine
       • Separate LAN interfaces sit behind those plugs
     • MAC Address – node address on the LAN
       • Each LAN interface has its own MAC address
       • MAC addresses are internationally unique
       • There is no way to ‘route’ traffic to MAC addresses
       • The MAC address must be present on your LAN
     • Internet addresses – host address on Internet

  5. Internet Addresses
     • IP Address – host address on LAN/Internet
       • You need a unique IP address to talk to the Internet
       • IP addresses are valuable
       • Many LANs use “local” addresses – explain later
       • Any IP layer can send packets to any other w/IP address
     • The IP address contains two parts
       • Network number: upper bits
         • Routes the packet to the right LAN on the Internet
       • Host number: lower bits
         • Routes the packet to the right host on its LAN
     • Addresses and Routing
       • We route with the “Network Address”
       • Once on the correct LAN, use ARP to find the host

  6. Sockets
     • Socket address – IP + TCP/UDP port numbers
     • Port numbers direct packets to specific processes
     • Socket address = unique process-process connection
       • Contains sender’s IP + port and recipient’s IP + port

  7. Sending Data on a LAN
     • If we just use LAN addresses
       • We fill in the MAC address of the recipient
       • We fill in our own MAC address
       • We send the packet
     • If we use IP addresses
       • We need to translate the IP address to a MAC address
       • We use the “ARP Table”
       • “Address Resolution Protocol”
         • Converts between MAC addresses and IP on a LAN
       • Fill in the destination’s MAC address, again
       • Fill in the IP packet data
       • Send it

  8. Address Resolution on a LAN
     • The Problem
       • We know the hosts’ IP addresses; we need the MAC addresses
     • The Solution: ARP
     • To ‘look up’ an address
       • We broadcast an ARP query “Who is 11.22.33.44?”
       • All LAN hosts receive it.
       • The owner of 11.22.33.44 replies to us with their MAC addr
     • If someone asks for our MAC address
       • We send the reply
     • All ARP results are saved in the ARP Table
       • Lists IP addresses with corresponding MAC addresses

  9. Playing with ARP
     • There’s an ARP command in DOS
       • arp -a = display of the ARP table
     • Use ‘ping’ to add new IP addresses
       • ping 140.209.69.10
     • Display the ARP table again – see the update

  10. What if the host isn’t on the LAN?
     • Example: ARP comes back “No!”
     • Example: IP address is not in your network
     • Answer: Send it to your ‘default gateway’
     • When we configure an Internet host, it gets the following:
       • Own IP address
       • Network mask – divides address into network/host parts
       • Gateway address – router to reach non-local hosts
       • DNS address – translator for Domain Names
     • If it’s not on our LAN, we just send it to the default gateway
       • The gateway has a more complete routing table
       • Can send to “outside” Internet or to other local LANs
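The sending decision from slides 7 to 10, as an added example that is not part of the original slides: the network mask decides whether the destination is local, and the ARP table then supplies the MAC of either the destination or the default gateway. The host configuration, MAC addresses and the `LAN_HOSTS` dictionary (standing in for the machines that would answer a broadcast ARP query) are constructed sample values.

```python
import ipaddress

# Constructed host configuration: own IP, network mask, default gateway.
CONFIG = {"ip": "192.168.1.20", "mask": "255.255.255.0", "gateway": "192.168.1.1"}

# Constructed stand-in for the LAN: who would answer "Who is <ip>?".
LAN_HOSTS = {
    "192.168.1.1": "02:00:00:00:00:01",    # the default gateway
    "192.168.1.30": "02:00:00:00:00:30",
}

def next_hop(cfg, dst):
    """IP address whose MAC must go in the LAN header for a packet to dst."""
    network = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}").network
    if ipaddress.ip_address(dst) in network:
        return dst                 # same network number: deliver directly
    return cfg["gateway"]          # not on our LAN: hand it to the gateway

def arp_resolve(arp_table, lan_hosts, hop_ip):
    """Look in the ARP table first; on a miss, 'broadcast' and cache the reply."""
    if hop_ip not in arp_table:
        mac = lan_hosts.get(hop_ip)    # only the owner of hop_ip replies
        if mac is None:
            raise LookupError(f"no ARP reply for {hop_ip}")
        arp_table[hop_ip] = mac
    return arp_table[hop_ip]

def send(cfg, arp_table, lan_hosts, dst):
    """Return (next-hop IP, destination MAC for the LAN header)."""
    hop = next_hop(cfg, dst)
    return hop, arp_resolve(arp_table, lan_hosts, hop)

if __name__ == "__main__":
    table = {}
    for dst in ("192.168.1.30", "140.209.69.10"):
        print(dst, "->", send(CONFIG, table, LAN_HOSTS, dst))
    print("ARP table:", table)
```

The remote address never appears in the ARP table: only the gateway's MAC is cached, while the IP header still carries the remote destination.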

  11. What do attackers see?
     • They can intercept your packets
       • If they’re on the same LAN
     • Sniffing traffic on a “hub”
       • Hubs broadcast everything to everyone on the net
       • A ‘promiscuous’ interface can pick up everything
     • Redirection tricks with ARP
       • An ARP packet can redirect traffic to the attacker’s host
       • There’s no authentication in ARP
     • Let’s look at some packets with Wireshark
       • Go to the CISC 210 home page
       • Download the “Prairie Intl” file

  12. Wireshark
     • Can follow net traffic in real time
       • Capture from a wireless laptop
       • Less to capture on a LAN these days (why?)
     • Can save a trace in a file
     • We can follow a trace in a file, too
       • “Prairie Intl” File

  13. The Display
     • All the packets, color coded by type
     • LOTS OF NOISE DATA
     • Important packets/conversations
       • ARP
       • DNS
       • HTTP
     • Let’s focus -> (next slide, please)

  14. Following Network Information
     • ARP Transactions
       • Let us know who is on the LAN
     • DNS transactions
       • Who is looking for what
     • TCP/IP transactions
       • Let us know what people are actually doing
     • This is ‘passive’ probing of networks

  15. Class Things
     • Seniors – send me e-mail if you’re graduating
     • Reading: Chapters 3 and 4

  16. Reading HTTP
     • Cookies
     • Authenticated sites

  17. Active probing of networks
     • ARP poisoning – redirect LAN traffic to us
       • Send ARP Replies for all IP addresses; point to our MAC
       • We can wireshark the traffic and forward it to the recipient
     • “nmap” – map a network
       • Sends packets to try to identify hosts on the network
       • Which exist, their addresses on LAN and Internet
       • What OS they run
       • What protocols they support
       • What versions of protocols
     • “Active” because it ‘tickles’ the hosts with special packets
       • While the probing tries to be benign, it isn’t always.
       • Increased traffic, denial of service, authentication failures
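Because ARP has no authentication, the defender's view of ARP poisoning is the pattern it leaves in the replies: an IP address whose MAC suddenly changes, and one MAC answering for many IP addresses. The following detection sketch is an added example, not part of the original slides; the reply list, the addresses and the `max_ips_per_mac` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: (sender IP, sender MAC), in order.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "02:00:00:00:00:01"),
    ("192.168.1.30", "02:00:00:00:00:30"),
    ("192.168.1.1",  "02:00:00:00:00:66"),   # gateway IP now claimed by another MAC
    ("192.168.1.30", "02:00:00:00:00:66"),
    ("192.168.1.40", "02:00:00:00:00:66"),
]

def audit_arp(replies, max_ips_per_mac=2):
    """Return alerts for changed IP-to-MAC bindings and MACs claiming many IPs.

    Both signals also have benign causes (a replaced network card, a DHCP
    lease handed to a new machine, a router doing proxy ARP), so an alert
    is a prompt to investigate, not proof of poisoning.
    """
    binding = {}                    # last MAC seen for each IP (the "ARP table")
    ips_by_mac = defaultdict(set)   # every IP each MAC has answered for
    reported = set()
    alerts = []
    for ip, mac in replies:
        previous = binding.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("rebind", ip, previous, mac))
        binding[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in reported:
            reported.add(mac)
            alerts.append(("many-ips", mac, len(ips_by_mac[mac])))
    return alerts

if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_REPLIES):
        print(alert)
```
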

  18. Wardialing
     • The process of searching an address space for potential targets
       • Usually applies just to phone lines – from Wargames movie
     • Same concept used by ‘nmap’
       • Can search a range of IP addresses for hosts
       • Search using IP protocols
       • Also search for active ports on a host
       • Can search IP addresses using ARP
         • Hosts may respond to ARP but ignore other probes
     • The problem with nmap
       • The probes cause network traffic, sometimes disrupt hosts
       • ISPs see nmap as a violation of Terms of Use
     • Detecting nmap use
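One way to approach the last bullet, as an added example that is not part of the original slides: the two searches the slide describes leave different footprints, so a monitor can label a source by how many distinct hosts it touches and how many distinct ports it tries on one host. The connection records and both thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_sample_attempts():
    """Constructed connection attempts: (source IP, destination IP, destination port)."""
    attempts = []
    # One source trying the same port across a range of addresses.
    attempts += [("192.168.1.77", f"192.168.1.{n}", 80) for n in range(1, 9)]
    # One source trying many ports on a single host.
    attempts += [("192.168.1.88", "192.168.1.30", port) for port in range(20, 35)]
    # Ordinary client: repeated connections to one service.
    attempts += [("192.168.1.20", "192.168.1.30", 443)] * 12
    return attempts

def classify_sources(attempts, host_threshold=5, port_threshold=10):
    """Label each source that searches many hosts or many ports on one host."""
    hosts = defaultdict(set)                          # source -> hosts touched
    ports = defaultdict(lambda: defaultdict(set))     # source -> host -> ports tried
    for src, dst, port in attempts:
        hosts[src].add(dst)
        ports[src][dst].add(port)
    findings = {}
    for src in hosts:
        labels = []
        if len(hosts[src]) >= host_threshold:
            labels.append("host sweep")     # search of a range of IP addresses
        if any(len(tried) >= port_threshold for tried in ports[src].values()):
            labels.append("port scan")      # search for active ports on a host
        if labels:
            findings[src] = labels
    return findings

if __name__ == "__main__":
    for src, labels in classify_sources(build_sample_attempts()).items():
        print(src, labels)
```

Repeated connections to a single service do not count toward either threshold, since only distinct hosts and distinct ports are tallied.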

  19. Creative Commons License This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
