FLW
Aug 24 2003, 11:23 PM
After reading TCP/IP VULNERABILITIES AND WEAKNESSES, I thought that new users will not be able to get the information out of it without a basic understanding of TCP/IP in general. I had written the following some time ago but thought someone may find it helpful.
Open Systems Interconnect Model and TCP/IP Primer
Prerequisite: Basic networking of computers
What is the Open Systems Interconnect or OSI Model and why do I need it? The OSI model helps us understand the basics of network data transmission by using guidelines for the issues of sending and receiving data from one computer to another. This resolved the problem of different operating systems not being able to talk to each other and exchange information.
The model is made up of seven layers, which are:
Layer 7 Application
Layer 6 Presentation
Layer 5 Session
Layer 4 Transportation
Layer 3 Network
Layer 2 Data Link
Layer 1 Physical
One way of remembering this is by using a mnemonic device. "ALL PEOPLE SEEM TO NEED DATA PROCESSING".
Today whether you're using Unix, Windows, DOS, Linux or Macintosh you're using the OSI modeling layer. This is what makes these systems work together.
Application layer refers to a set of tools that an application can use to accomplish a task, such as a word processor requesting a file transfer. Other examples would be print access and e-mail relay. This layer defines how network services (allocations) and the network interact.
Presentation layer is for formatting data exchange. This is where data encryption and compression happen.
Session layer is for defining how two computers establish, synchronize, maintain and end the session. This is where authentication, data transfer and end of a session happen.
Transportation layer defines how data is checked to be error free and if data packets are too long or short. It will take long packets and break them up and the opposite for short packets. This is where IP to domain name resolution and error control occurs.
Network layer defines translation of logical names into physical address. This is where routing (also prioritizing data such as delaying a video for a millisecond to let a small email go by) takes place and controls network congestion. This routing control is known as QoS or Quality of Service.
Data link layer takes the raw packet from the Physical layer and gives it logical structure. After a data frame is sent the Data layer waits for a positive ACK. If one is not received the frame is sent again. Devices at this level are bridges and switches. These use token passing, carrier sense/multiple access with collision avoidance (CSMA/CA) and carrier sense/multiple access with collision detection (CSMA/CD). Common IEEE 802 networking standards are 802.3 (CSMA/CD), 802.5 (token ring), 802.8 (fiber optic), 802.10 (VPN) and 802.11 (Wireless LAN).
Physical layer controls the functional interface. This simply means the connector type, pin layout or transmission type (Bus, Star, Ring or Mesh topology). Devices at this layer are Network Interface Cards, Transceivers, Repeaters, Hubs and MultiAccess Units (MAUs).
What is TCP/IP and why do you need to understand it?
Transmission Control Protocol/Internet Protocol, TCP/IP (also sometimes referred to as just "IP"), is the protocol or the language of the Internet. When in Rome, do as the Romans!
TCP, Transmission Control Protocol controls the transmission layer and provides reliable, verifiable data exchange.
IP, Internet Protocol provides the routing function based on the datagram the TCP packet creates.
What is UDP?
User Data Protocol (UDP) provides applications a direct interface with IP and the ability to address a specific process running on a host using a port without TCP.
What is ARP?
Address Resolution Protocol references the physical hardware address of the NIC (also known as a MAC address) to its IP address.
What is DHCP?
Dynamic Host Control Protocol uses a predefined pool of IP addresses assigned for automatic distribution to client computers on an as-needed basis.
What is DNS?
Domain Name Service translates host names into IP addresses and vice versa by using a lookup table. It's like a telephone book for the Internet. Look up the person's name and get the telephone number.
What is WINS?
Windows Internet Naming Service works with IP and maps Netbios names to IP addresses. This allows you to access a device or service by its Netbios name or IP address.
What is HOST OR LMHOST?
A host or lmhost file is on the local machine and converts IP addresses to host names. The downside is the list must be on every machine, and if you have a complicated network it can get very unmanageable. The format of a host file is as follows:
192.168.1.1    Win2000
192.168.1.2    Netware6
192.168.1.3    Unix
192.168.1.4    Gateway
192.168.1.5    Intranet
Simple network Management Protocol (SNMP)
SNMP is a communications protocol for getting information about devices on the network like routers, bridges, hubs, etc.
Network News Transfer Protocol (NNTP)
NNTP enables a service to post messages and responses to newsgroups hosted on the Internet on newsgroup servers. These are broken up by subject and anyone with NNTP access can join any group.
Simple Mail Transfer Protocol (SMTP)
SMTP enables an email service to send messages from one email server to another. This usually uses POP or Internet Mail Access Protocol (IMAP).
Post Office Protocol (POP)
POP is a storage location for incoming email. The current version is POP3 and all messages are downloaded; there is no choice to download only certain messages.
Internet Mail Access Protocol (IMAP)
IMAP is also a storage location for incoming email. The difference between POP3 and IMAP is IMAP gives you the option of downloading selectively as you choose. IMAP can also use Kerberos encryption.
Internet Control Message Protocol (ICMP)
ICMP works at the network management and control level. A router sends an ICMP message in response to undeliverable datagrams by placing an ICMP message in an IP datagram and sending it back to the source IP. An example of this is the Ping command.
What is HTTP?
Hypertext Transfer Protocol is the command and control protocol used to control communication between a web browser and a web server.
What is a port or socket?
A port or socket is an address that identifies the application associated with the data. The source port number identifies the application that sent the data and the destination port number identifies the application that receives the data. The Well Known Ports are those from 0 through 1023. The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535.
What are Classes of IP addresses?
IP addresses are 32 bits long. The portion used to identify the network and the portion used to identify the host vary depending on the network class of the address.
Class A is used for very large networks only. They allow up to 16,777,214 hosts and/or computers and 127 networks. IP will be less than 126.0.0.0.
Note: 127.0.0.1 is an internal loop back address for diagnostics only.
Class B is used for medium networks only. They allow up to 65,534 hosts and/or computers and 16,384 networks. IP will be between 128.0.0.0 and 191.0.0.0.
Class C is used for small networks only. They allow up to 254 hosts and/or computers and 2,097,152 networks. IP will be between 192.0.0.0 and 223.0.0.0.
Note: 192.168.x.x is reserved for IP addressing on private networks with no direct connection to the Internet.
Class D is used for special multicast address and cannot be used for networks. IP address of 223.0.0.0 means it is reserved.
What is sub-netting or a subnet mask?
A subnet creates an additional way of getting more network addresses by dividing the 32-bit IP address. It uses the subnet address as an additional part of its address. This creates more addresses that can be used for clients but also reduces the number of hosts that can belong to each network.
There are three classes of subnet masks.
Class A 255.0.0.0
Class B 255.255.0.0
Class C 255.255.255.0
What are public and private IP numbers?
Public numbers must be registered with sans.org and are for Internet devices. Private numbers are reserved by SANS and will not be routed or sent through on the Internet. There are three ranges of private IPs:
10.0.0.0 to 10.25.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
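As an added worked example (not part of the original post), the following Python applies the class, default-mask, subnetting and private-range rules above to arbitrary addresses; the private ranges are the three RFC 1918 blocks (10/8, 172.16/12, 192.168/16) and all sample addresses are constructed.

```python
import ipaddress
from typing import Dict, Optional

# Classful IPv4 rules as the primer describes them: the first octet decides
# the class, each of A/B/C has a default mask, D is multicast, E is reserved.
DEFAULT_MASKS: Dict[str, str] = {
    "A": "255.0.0.0",
    "B": "255.255.0.0",
    "C": "255.255.255.0",
}

# The three RFC 1918 private blocks (not routed on the public Internet).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def address_class(ip: str) -> str:
    """Classify an IPv4 address by the leading bits of its first octet."""
    first_octet = int(ipaddress.ip_address(ip)) >> 24
    if first_octet < 128:
        return "A"  # 0xxxxxxx
    if first_octet < 192:
        return "B"  # 10xxxxxx
    if first_octet < 224:
        return "C"  # 110xxxxx
    if first_octet < 240:
        return "D"  # 1110xxxx (multicast)
    return "E"      # 1111xxxx (reserved)


def describe(ip: str, mask: Optional[str] = None) -> dict:
    """Network, broadcast, usable host count and private/loopback flags.

    With no mask the classful default is used; subnetting is simply the case
    where the caller passes a mask longer than that default.
    """
    cls = address_class(ip)
    if mask is None:
        if cls not in DEFAULT_MASKS:
            raise ValueError(f"class {cls} addresses have no default mask")
        mask = DEFAULT_MASKS[cls]
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return {
        "class": cls,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        # network and broadcast addresses are not assignable to hosts
        "usable_hosts": max(net.num_addresses - 2, 0),
        "private": any(addr in block for block in PRIVATE_RANGES),
        "loopback": addr.is_loopback,
    }


def subnets_in_class(ip: str, mask: str) -> int:
    """How many subnets a longer mask carves out of the classful network.

    Each extra mask bit doubles the subnet count and halves the hosts per
    subnet, which is the trade-off the primer describes.
    """
    default_prefix = ipaddress.ip_network(
        f"0.0.0.0/{DEFAULT_MASKS[address_class(ip)]}"
    ).prefixlen
    prefix = ipaddress.ip_network(f"{ip}/{mask}", strict=False).prefixlen
    if prefix < default_prefix:
        raise ValueError("mask is shorter than the classful default")
    return 2 ** (prefix - default_prefix)


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not real hosts.
    for ip, mask in [("10.1.2.3", None), ("172.20.0.5", None),
                     ("192.168.1.77", "255.255.255.192"), ("203.0.113.9", None)]:
        print(ip, mask or "(default mask)", describe(ip, mask))
    print("192.168.1.0 split with /26:",
          subnets_in_class("192.168.1.77", "255.255.255.192"), "subnets")
```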
Getting a web page, from the beginning until it is displayed on your PC, goes as follows:
-Your PC sends out a question (query) to a DNS (Domain Name Service) to find out the IP address of the web server you're looking for.
-The DNS server returns with the IP address of the web server you want to get to.
-Since the address starts with http your PC tries to connect to TCP port 80 on the Web server.
-Your PC determines that the web server is not on the same network segment and forwards the request to the local gateway for instructions.
-From the local gateway the requests are directed to the device that handles Internet traffic and it's out to the web server.
-The Web server then responds to the request with the data (packets) you've been looking for.
Some of the common TCP/IP tools are:
What is Ping?
The ping (packet internet groper) command from the TCP/IP protocol is used to check if a particular site is down or if there is some sort of network trouble along the way. The ping achieves this by sending a packet to the remote or local host, requesting an echo. If the host returns the echo, then the site is up otherwise the site is down.
For example, to determine if the system at Ozemail (www.ozemail.com.au) is available one would type: ping www.ozemail.com.au
Command line switches are:
Verifies connections to a remote computer or computers. This command is available only if the TCP/IP protocol has been installed.
ping [-t] [-a] [-n count] [-l length] [-f] [-i ttl] [-v tos] [-r count] [-s count] [[-j computer-list] | [-k computer-list]] [-w timeout] destination-list
Parameters
-t
Pings the specified computer until interrupted.
-a
Resolve addresses to computer names.
-n count
Sends the number of ECHO packets specified by count. The default is 4.
-l length
Sends ECHO packets containing the amount of data specified by length. The default is 64 bytes; the maximum is 8192.
-f
Sends a Do not Fragment flag in the packet. The packet will not be fragmented by gateways on the route.
-i ttl
Sets the Time To Live field to the value specified by ttl.
-v tos
Sets the Type Of Service field to the value specified by tos.
-r count
Records the route of the outgoing packet and the returning packet in the Record Route field. A minimum of 1 and a maximum of 9 computers may be specified by count.
-s count
Specifies the timestamp for the number of hops specified by count.
-j computer-list
Routes packets via the list of computers specified by computer-list. Consecutive computers may be separated by intermediate gateways (loose source routed). The maximum number allowed by IP is 9.
-k computer-list
Routes packets via the list of computers specified by computer-list. Consecutive computers may not be separated by intermediate gateways (strict source routed). The maximum number allowed by IP is 9.
-w timeout
Specifies a timeout interval in milliseconds.
destination-list
Specifies the remote computers to ping.
Depending on your operating system (and assuming the system was available) the following results would appear:
On UNIX:
www.ozemail.com.au is alive
On Windows 9x:
Pinging www.ozemail.com.au [203.108.7.78] with 32 bytes of data:
Reply from 203.108.7.78: bytes=32 time=118ms TTL=244
Reply from 203.108.7.78: bytes=32 time=95ms TTL=244
Reply from 203.108.7.78: bytes=32 time=96ms TTL=244
Reply from 203.108.7.78: bytes=32 time=100ms TTL=244
Ping statistics for 203.108.7.78:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 95ms, Maximum = 118ms, Average = 102ms
If the system is not responding, the following message will be received:
no answer from www.ozemail.com.au
If the system is not connected, the following message will appear:
ping: unknown host
What is WINIPCFG?
The WINIPCFG command is used to put a dynamically assigned IP address from the DHCP server in a Graphical environment or Window. WINIPCFG is how you can determine what your TCP/IP settings are and, if needed, change them. This works on Win 9x systems only.
What is IPCONFIG?
The IPCONFIG command is used to put a dynamically assigned IP address from the DHCP server into the DOS environment, for configuring TCP/IP applications. IPCONFIG is how you can determine what your TCP/IP settings are, and whether you need to change any, all on one screen.
Command line switches are: ipconfig [/all | /renew [adapter] | /release [adapter]]
Parameters
all
Produces a full display. Without this switch, ipconfig displays only the IP address, subnet mask, and default gateway values for each network card.
renew [adapter]
Renews DHCP configuration parameters. This option is available only on systems running the DHCP Client service. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
release [adapter]
Releases the current DHCP configuration. This option disables TCP/IP on the local system and is available only on DHCP clients. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
With no parameters, the ipconfig utility presents all of the current TCP/IP configuration values to the user, including IP address and subnet mask. This utility is especially useful on systems running DHCP, allowing users to determine which values have been configured by DHCP.
Example of output from ipconfig /all on a Windows 98 PC would look like:
Windows 98 IP Configuration
Host Name . . . . . . . . . : COMPUTER
DNS Servers . . . . . . . . : 216.145.239.254
216.145.239.253
Node Type . . . . . . . . . : Broadcast
NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . .No
WINS Proxy Enabled. . . No
NetBIOS Resolution Uses DNS : No
0 Ethernet adapter:
Description . . . . . . . . : PPP Adapter.
Physical Address. . . . . . 44-45-53-54-00-00
DHCP Enabled. . . . . . . .: Yes
IP Address. . . . . . . . . : 208.158.102.207
Subnet Mask . . . . . . . . 255.255.255.0
Default Gateway . . . . . .208.158.102.207
DHCP Server . . . . . . . . 255.255.255.255
Primary WINS Server . . . . :
Secondary WINS Server . . . :
Lease Obtained. . . . . . 01 01 80 12:00:00 AM
Lease Expires . . . . . . . 01 01 80 12:00:00 AM
What is NETSTAT?
Netstat is another TCP/IP command. Netstat is used to show the network status. It achieves this by supplying the contents of various network-related data structures in various formats, depending on your choice of format.
Command line switches are:
Displays protocol statistics and current TCP/IP network connections. This command is available only if the TCP/IP protocol has been installed.
netstat [-a] [-e] [-n] [-s] [-p protocol] [-r] [interval]
Parameters
-a
Displays all connections and listening ports; server connections are normally not shown.
-e
Displays Ethernet statistics. This may be combined with the -s option.
-n
Displays addresses and port numbers in numerical form (rather than attempting name look-ups).
-s
Displays per-protocol statistics. By default, statistics are shown for TCP, UDP, ICMP, and IP; the -p option may be used to specify a subset of the default.
-p protocol
Shows connections for the protocol specified by proto; proto may be tcp or udp. If used with the -s option to display per-protocol statistics, proto may be tcp, udp, icmp, or ip.
-r
Displays the contents of the routing table.
interval
Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If this parameter is omitted, netstat prints the current configuration information once.
For example, (netstat -e) displays the Ethernet statistics. If this command were performed in the Tafe lab in building G the following would be displayed:
Interface Statistics
                        Received    Sent
Bytes                   89721959    29135420
Unicast packets         126879      117903
Non-unicast packets     33675       126
Discards                0           0
Errors                  0           0
Unknown protocols       58883
What is NBTSTAT?
This diagnostic command displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP). This command is available only if the TCP/IP protocol has been installed.
Command line switches are:
nbtstat [-a remotename] [-A IP address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]
Parameters
-a remotename
Lists the remote computer's name table using its name.
-A IP address
Lists the remote computer's name table using its IP address.
-c
Lists the contents of the NetBIOS name cache giving the IP address of each name.
-n
Lists local NetBIOS names. Registered indicates that the name is registered by broadcast (Bnode) or WINS (other node types).
-R
Reloads the LMHOSTS file after purging all names from the NetBIOS name cache.
-r
Lists name resolution statistics for Windows networking name resolution. On a Windows NT computer configured to use WINS, this option returns the number of names resolved and registered via broadcast or via WINS.
-S
Displays both client and server sessions, listing the remote computers by IP address only.
-s
Displays both client and server sessions. It attempts to convert the remote computer IP address to a name using the HOSTS file.
interval
Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If this parameter is omitted, nbtstat prints the current configuration information once.
(nbtstat -n) at Tafe:
NetBIOS Local Name Table
Name               Type         Status
---------------------------------------------
UMP717         <00>  UNIQUE      Registered
IT_DOMAIN      <00>  GROUP       Registered
UMP717         <03>  UNIQUE      Registered
PETECH         <03>  UNIQUE      Registered
What is TRACERT?
Tracert is a utility that is used to trace the route taken by packets on the Internet from their source to your computer. Tracert works by sending a packet with a time limit value that is designed to be exceeded by the first router that receives it, which will return a time exceeded message. From this message, the traceroute program will be able to work out the time required for the hop to the first router. Then it resends the packet with an increased time limit value designed to be exceeded by the second router that receives it. By repeating this task, the program will be able to calculate and display the amount of time each hop took.
Command line switches are:
tracert [-d] [-h maximum_hops] [-j computer-list] [-w timeout] target_name
This diagnostic utility determines the route taken to a destination by sending Internet Control Message Protocol (ICMP) echo packets with varying Time-To-Live (TTL) values to the destination. Each router along the path is required to decrement the TTL on a packet by at least 1 before forwarding it, so the TTL is effectively a hop count. When the TTL on a packet reaches 0, the router is supposed to send back an ICMP Time Exceeded message to the source system. Tracert determines the route by sending the first echo packet with a TTL of 1 and incrementing the TTL by 1 on each subsequent transmission until the target responds or the maximum TTL is reached. The route is determined by examining the ICMP Time Exceeded messages sent back by intermediate routers. Notice that some routers silently drop packets with expired time-to-live (TTLs) and will be invisible to tracert.
Parameters
-d
Specifies not to resolve addresses to computer names.
-h maximum_hops
Specifies maximum number of hops to search for target.
-j computer-list
Specifies loose source route along computer-list.
-w timeout
Waits the number of milliseconds specified by timeout for each reply.
target_name
Name of the target computer.
An example of tracert performed on www.ozemail.com.au:
Tracing route to www.ozemail.com.au [203.108.7.77]
over a maximum of 30 hops:
  1     *        *        *     Request timed out.
  2  1484 ms  1737 ms  1613 ms  sydaggrsw01-vlan4.powertel.net.au [202.92.67.1]
  3  1255 ms  1314 ms  1635 ms  202.92.64.65
  4  1690 ms  1437 ms  1311 ms  202.92.64.131
  5  1494 ms  1639 ms  1634 ms  atm11-0-0-59.si1.optus.net.au [202.139.39.249]
  6  1766 ms  1639 ms  1610 ms  atm2-0-25.sb1.optus.net.au [192.65.89.129]
  7   516 ms   490 ms   108 ms  Ozemail.sb1.optus.net.au [202.139.0.46]
  8   108 ms    99 ms    92 ms  core1-fe4-0-0.syd.ozemail.net.au [203.108.190.153]
  9   112 ms    92 ms    93 ms  agg2-access-fe2-1.syd.ozemail.net.au [203.108.0.50]
 10   124 ms   104 ms   104 ms  www.ozemail.com.au [203.108.7.77]
Trace complete.
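To make the TTL mechanism described above concrete, here is an added Python simulation (not code from the original post or from any real tracert implementation): probes go out with TTL 1, 2, 3, ..., each router that expires a TTL answers with ICMP Time Exceeded, a router that silently drops expired packets shows up as "*", and the trace stops when the target itself replies. The router and target addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    address: str
    silent: bool = False  # drops expired packets without sending Time Exceeded


@dataclass
class Reply:
    kind: str              # "time-exceeded", "echo-reply" or "timeout"
    source: Optional[str]  # address of the replying device, None on timeout


def send_probe(path: List[Router], target: str, ttl: int) -> Reply:
    """Forward one echo request along the path, decrementing TTL per router."""
    for router in path:
        ttl -= 1  # every router decrements TTL by at least 1 before forwarding
        if ttl == 0:
            if router.silent:
                return Reply("timeout", None)  # appears as "*" in the trace
            return Reply("time-exceeded", router.address)
    # TTL survived every router, so the target answers the echo request.
    return Reply("echo-reply", target)


def tracert(path: List[Router], target: str,
            max_hops: int = 30) -> List[Tuple[int, str]]:
    """Return (hop, address) pairs, using "*" for hops that never answered."""
    hops: List[Tuple[int, str]] = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, target, ttl)
        hops.append((ttl, reply.source if reply.source else "*"))
        if reply.kind == "echo-reply":
            break  # target reached; no need to probe further
    return hops


def reached_target(hops: List[Tuple[int, str]], target: str) -> bool:
    """True when the last hop recorded is the target's own echo reply."""
    return bool(hops) and hops[-1][1] == target


if __name__ == "__main__":
    # Constructed path (documentation/test addresses, not real hosts).
    path = [Router("192.0.2.1"), Router("198.51.100.1", silent=True),
            Router("198.51.100.254")]
    target = "203.0.113.10"
    for hop, addr in tracert(path, target):
        print(f"{hop:3d}  {addr}")
    # With too small a hop limit the trace ends before the target answers.
    print("reached:", reached_target(tracert(path, target, max_hops=2), target))
```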
What is ROUTE?
The route command allows you to make manual entries into the network routing tables. The route command distinguishes between routes to hosts and routes to networks by interpreting the network address of the Destination variable, which can be specified either by symbolic name or numeric address.
Routes to a particular host are distinguished from those to a network by interpreting the Internet address associated with the destination. The optional keywords -net and -host force the destination to be interpreted as a network or a host, respectively. If the destination has a local address part of INADDR_ANY or if the destination is the symbolic name of a network, then the route is assumed to be to a network; otherwise, it is presumed to be a route to a host.
Command line switches are:
route [-f] [-p] [command [destination] [mask subnetmask] [gateway] [metric costmetric]]
Parameters
-f
Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.
-p
When used with the ADD command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted. When used with the PRINT command, displays the list of registered persistent routes. Ignored for all other commands, which always affect the appropriate persistent routes.
command
Specifies one of four commands
Command   Purpose
print     Prints a route
add       Adds a route
delete    Deletes a route
change    Modifies an existing route
destination
Specifies the computer to send the command to.
mask subnetmask
Specifies a subnet mask to be associated with this route entry. If not specified, 255.255.255.255 is used.
gateway
Specifies gateway.
All symbolic names used for destination or gateway are looked up in the network and computer name database files NETWORKS and HOSTS, respectively. If the command is print or delete, wildcards may be used for the destination and gateway, or the gateway argument may be omitted.
metric costmetric
Assigns an integer cost metric (ranging from 1 to 9999) to be used in calculating the fastest, most reliable, and/or least expensive routes.
Example of Route command:
C:\>route print <enter>
Active Routes:
Network Address    Netmask            Gateway Address    Interface        Metric
127.0.0.0          255.0.0.0          127.0.0.1          127.0.0.1        1
202.92.68.0        255.255.255.0      202.92.68.108      202.92.68.108    1
202.92.68.108      255.255.255.255    127.0.0.1          127.0.0.1        1
202.92.68.255      255.255.255.255    202.92.68.108      202.92.68.108    1
224.0.0.0          224.0.0.0          202.92.68.108      202.92.68.108    1
255.255.255.255    255.255.255.255    202.92.68.108      202.92.68.108    1
What is FTP?
File Transfer protocol allows the transfer of files from one computer to another. FTP is not encrypted during authentication or after.
Command line switches are:
ftp [-v] [-d] [-i] [-n] [-g] [-s:filename] [-a] [-w:windowsize] [computer]
Parameters
-v
Suppresses display of remote server responses.
-n
Suppresses auto-login upon initial connection.
-i
Turns off interactive prompting during multiple file transfers.
-d
Enables debugging, displaying all ftp commands passed between the client and server.
-g
Disables filename globbing, which permits the use of wildcard characters in local file and path names. (See the glob command in the online Command Reference.)
-s:filename
Specifies a text file containing ftp commands; the commands will automatically run after ftp starts. No spaces are allowed in this parameter. Use this switch instead of redirection (>).
-a
Use any local interface when binding data connection.
-w:windowsize
Overrides the default transfer buffer size of 4096.
computer
Specifies the computer name or IP address of the remote computer to connect to. The computer, if specified, must be the last parameter on the line.
You can also ftp with your browser (depending on your hosting site and browser) by using the following syntax: ftp://username:password@ipofwebhost
What is TELNET?
Telnet is an application based on the Telnet protocol. This application is used to connect to remote computers, usually via the telnet port (23). For example, when you "telnet in from home to check your mail at school", you are using telnet to connect from one computer (your computer) to another computer (school's computer) generally in a different location. Once you have established your telnet connection, you then log in to that computer and execute commands remotely on that computer through your telnet interface. Most often, you are telnetting to a Unix/Linux based system. Therefore, the commands you use such as "ls, cd, pine, elm, talk, rm" are Linux/Unix commands, and NOT telnet commands. Telnet is not encrypted during authentication or after. This is the main weakness of telnet.
Nslookup
This diagnostic tool displays information from Domain Name System (DNS) name servers. Before using this tool, you should be familiar with how DNS works. Nslookup is available only if the TCP/IP protocol has been installed.
nslookup [-option ...] [computer-to-find | - [server]]
Modes
Nslookup has two modes: interactive and non-interactive.
If you only need to look up a single piece of data, use non-interactive mode. For the first argument, type the name or IP address of the computer to be looked up. For the second argument, type the name or IP address of a DNS name server. If you omit the second argument, the default DNS name server will be used.
If you need to look up more than one piece of data, you can use interactive mode. Type a hyphen (-) for the first argument and the name or IP address of a DNS name server for the second argument. Or, omit both arguments (the default DNS name server will be used).
Parameters
-option ...
Specifies one or more nslookup commands as a command-line option. For a list of commands, see Nslookup Commands. Each option consists of a hyphen (-) followed immediately by the command name and, in some cases, an equal sign (=) and then a value. For example, to change the default query type to host (computer) information and the initial timeout to 10 seconds, you would type:
nslookup -querytype=hinfo -timeout=10
The command line length must be less than 256 characters.
computer-to-find
Look up information for computer-to-find using the current default server or using server if specified. If computer-to-find is an IP address and the query type is A or PTR, the name of the computer is returned. If computer-to-find is a name and does not have a trailing period, the default DNS domain name is appended to the name. (This behavior depends on the state of the set options: domains, srchlist, defname, and search.) To look up a computer not in the current DNS domain, append a period to the name.
If you type a hyphen (-) instead of computer-to-find, the command prompt changes to nslookup interactive mode.
server
Use this server as the DNS name server. If you omit server, the default DNS name server is used.
Finger
Displays information about a user on a specified system running the Finger service. Output varies based on the remote system. This command is available only if the TCP/IP protocol has been installed.
finger [-l] [user]@computer [...]
Parameters
-l Displays information in long list format.
user Specifies the user you want information about. Omit the user parameter to display information about all users on the specified computer.
@computer Specifies the server on the remote system whose users you want information about.