Network concepts introduction & wireshark workshop (SHA2017) (Kirils Solovjovs)

Captions
Okay, welcome to the workshop. We're going to be looking at Wireshark and we're gonna be looking at basic networking. How we're gonna do it is we will take the hacker approach: rather than learning and then doing, we're gonna do and then learn on the go. To enjoy this fully you will need a device, preferably a laptop, something that runs Wireshark. It would be wise to download Wireshark now already. I see some recognizable faces, so there are some knowledgeable people here, and I'm sure those of you who I don't recognize are also knowledgeable; please help your neighbors to install Wireshark and get onto our network. If you don't have a laptop it may be less interesting for 30% of the talk, but 70% is gonna be me talking. Having said that, even though it's a hacker approach, I come from an academic background, so the goal of this talk is to make you really, really, really understand all the layers of networking, how it all adds up and how the internet works.

So these are a few models of how networking works, and we're gonna go through the layers one by one. What does it represent? Oh, how many of you know what... sorry, how many of you know what an IP address is? Okay. How many of you aren't sure what an IP address is? And that's okay, that's what this workshop is for. One, some more, okay, good. So how many of you have seen a similar picture to this one before? Okay, a bit more than half, good. I tried to make it a beginners one. Let's look at it like that: the wire, or the network medium, is down here. What this represents actually is different ways, or different dissectors, that we can use to look at the data on the network. If we take the good old classical wired network, this is where the wire goes, this is where your electrical signals go, or your optical signals, and different encodings are used to encapsulate the data up to the user. So for this picture, and you're gonna see it again today, you can imagine the user, or yourself, on the top, where you're sitting at the keyboard in your browser or in your email client, and the physical medium, the wire or the Wi-Fi, on the very bottom. We will get back to that.

So what we're gonna be talking about are network layer models. We're gonna take a look at Ethernet, we're gonna take a look at Wi-Fi; it's gonna take three hours. We're gonna take a look at layer three protocols, those are the layers of the seven-layer model, and we can look at ARP, ICMP, IPv4, IPv6. We're gonna look at layer four, UDP and TCP. How many of you aren't sure, or don't know at all, the difference between UDP and TCP? If I asked you to explain, how many could not do that, or wouldn't be sure they could do that? Okay, we have beginners here, great, I really like that. We're gonna have a quick peek at routing, I think, if I didn't remove that from this deck, and finally application level protocols. Do you actually know the common thing between SMTP, which is used to send your mails online, and the post office? The return address is whatever you write on the envelope; it's the same for SMTP, same for email. We're gonna look at that, and of course the advanced stuff: calls, firewalls, breaking WPA2 and much more, because we have a lot of time, right? The approach: an academic approach and at the same time a hacker approach, I already covered this. We'll look at what we see, we'll try to understand it deeply enough, and we'll try to make it fun. Please make sure all of you have Wireshark if you have laptops here. Shoot first, ask questions later. And the first thing we do is we get to know Wireshark. We're not going to go deep right now, you just take a quick peek, and then we're gonna discuss what we see, and then I'm gonna go deeper into all the protocols. I didn't tell you what a network is. Is there a need to explain what a network is? A network is generally more than one
connected devices. It's a very general definition, because it doesn't have to be a computer network; it can be USB and all that, and Wireshark, as we will see, is actually quite good at capturing different protocols, not only network protocols. But a computer network is basically a network that's made up of these layers that we looked at previously. Okay, I'm gonna sit over there, I'm gonna open Wireshark and I'm gonna show you some stuff. Is it... louder? Louder? Yes, okay. Hmm, I think I've got to clean my Wireshark settings so as not to show stuff. Anyway, Wireshark is an application that is used to analyze network traffic, to visualize network traffic; it can also be used to capture network traffic. I should have had some water. Okay, whatever. I just launched it, there will be some files in there, but it doesn't matter. Let me set the screens up for us. Okay, it should be there now. So this is actually a clean copy of Wireshark. Depending on what version you got and what operating system you got, it might look a bit different, but the common thing is you have a filter entry here that allows you to enter filters, and you have interfaces here. Some operating systems are really picky about giving you access to the actual network interfaces. If you don't see them (this graph doesn't show up in all the versions), if you don't see them, ask a neighbor to enable the capturing for you; you will have time to do that anyway. This is the general interface, and one thing I can suggest even to pros: look, if I click on the interface it starts capturing the data. Let's capture it, whatever. So this is my data that's on the wire, and it's not so easy to see, because you have these different parts and we can talk about them. What I suggest everyone do is go to Edit, Preferences, and in Layout under Appearance select the second layout. It's much easier to work with. Then we have it like here. Why

is this good? Because the left side and the right side now have the same information in a different view, which is much better. So Edit, Preferences, Appearance and then Layout, and you take the second option there. If you don't like it you can switch back. Okay, so we will talk about what all these numbers and all these letters mean in a moment, but what you need to know now, and if I'm going too fast please let me know, we have time, at least for now: on the top we have... Well, you'd better not, but you can. The question was, would you have to run Wireshark as sudo? It's not advisable, but it solves many problems at once, creating some other bigger problems, but it does get the job done. Why shouldn't you run Wireshark as sudo? Wireshark not only captures data from the network, which it needs privileges for, but it also processes it, and these so-called dissectors, which allow you to visually see what you see on the left here (each line here is provided by a different dissector; it actually allows you to see what's inside the protocol, you can take a look at that later, much later on), are written by many different people, and there are bugs, and you don't want bugs in a program you run as root, especially if it's taking live data from the network, all the data. Anyway, if there are no more questions at this point, let me continue. So on top we have each frame, each packet, it depends on what that is, but basically each piece of incoming data on the wire. Here on the left in this view we have dissected data, so it's processed data, and we can take a look at what it is. On the right we have raw data, this is the whole frame, and the cool thing about this is if you click anywhere on the right it will show you the matching part on the left, so it actually shows you which byte is what. This is quite cool, but we don't know what that is, right? It's some mumbo jumbo now. Remember, mumbo jumbo.
Let's get back to the presentation. We're gonna work with that a bit. Let me switch back; we'll be quicker than previously. Okay, so capturing data locally, that's what I just did for this workshop; I hope your neighbors will help you with setting this up. Can you do that at home? Usually it's useful, after you've been to a workshop, to go back home and try to repeat it so you actually don't forget it. Different hardware: if you want to capture the data on the wire, not only what goes to your computer (for example now I capture data that goes to my computer), you can capture all the data that is received by the network interface at layer one. You need to be sure to enable promiscuous mode, and it means that your network card does not drop packets that are not addressed to you, or frames that are not addressed to you. That means you get to see other stuff on the network or on the Wi-Fi; we're gonna probably take a look at that later on. Network card drivers have to support this feature; most do. If they don't, for example for Wi-Fi, I recommend these TP-Links, quite good, this is the TL-WN722N. It's only 2.4 gigahertz, but it gets the job done if your built-in ones do not support it. Wireshark can also be used to capture other network data, like USB data, GSM data. Some of these may require additional tools, meaning that you will not usually be able to capture GSM with Wireshark directly, but there's a cool project, Osmocom (who knows Osmocom? some do, good), which you can install and configure. It's a pain, but it works nicely after you do that, and you have the right hardware of course; you can't do that with this one, this is 2.4 gigahertz, GSM is just under a gigahertz. And then you can capture it and dissect it. Just to cover a bit more advanced stuff now: we are not gonna try it, but you might be interested in the future. So let's say you have a larger network, or let's say you are not at the network at

the time at all, you're in a different place and you want to capture the data remotely, or rather you want to dissect the data remotely, you want to take a look at it. For example you're renting a server in a server room somewhere in Amsterdam and you're not from the Netherlands and you need to debug what the hell is happening there. You have multiple options depending on the network between where you're capturing and where you are. So if you're close you can use port mirroring; it's a feature on switches where you say I want all the other ports of the switch, the holes you plug the wire in, to go to this port too, and then you also get the data. So if you're in the local network that's a feature you can use to get to the data. You can use some protocol, for example the TaZmen Sniffer Protocol can be used, and that can be used over long distances. I think it's UDP, meaning it might lose some data; what that means we'll get to in a moment. But it basically forwards everything to an IP address on the internet, so it can be used over longer distances, but it's not encrypted. In case you're okay with not getting live data you can use the command down below, tcpdump. This specific command, what would it do? This specific command would take the interface called eth0 and write all the data without size limitation (so 64K is the largest size you can have, without size limitation) to a pcap file, and then you could open the file with Wireshark. Let me show you that right now. Thank you so much. So let me stop this here. My interface here is wlan0; I don't have wired Ethernet connected currently because I was at the speaker desk all day. Let me delete the previous stuff from here. Whoops, all right. So I think it needs sudo, of course, because it needs to capture from the interface, and tcpdump, then we specify the interface, which is wlan0 in this case. Have you heard of systemd? Yeah, systemd, because of this cool feature, interfaces are called something
like something like that. You can turn it off actually. I did... I'm not gonna do it, I mean I don't remember how I did it, it's somewhere there, look it up online. Anyway, specify the maximum size here, and the file you can write it to. And the secret passphrase, it's secret123, sorry, never mind. Permission denied? Oh, okay, what's happening here? Okay, so apparently permissions for my ramdisk don't allow root to write there, whatever, however that happened. Okay, so currently I'm writing to test.cap. I think that's enough. Now when you launch Wireshark you can also click File, Open here, you can go to your /tmp folder, test.cap, here it is, you open it up, and there we have it. We have basically the same information, same layout, but it's not real time, and this time here on the left is relative to the start of tcpdump, not relative to the start of Wireshark. And we have stuff here, right. We also have a visual clue here; this is a feature of the newer versions, if you have an older one you will not have this. On the right it represents what you have on the left, but you see everything. Okay, some of you, most of you probably, still don't know what the hell all this is about, so we're gonna move forward and talk about what this is about. This is gonna be the most academic part of the workshop, so if you are an academic or like academics, this is the time for you to listen carefully. Okay, I should have put a nicer wallpaper; I can do that for tomorrow's talk. Right, so these are the models. The OSI model is on the left there; it consists of seven layers of encapsulation, of the way to look at data. The DoD four-layer model is on the very right; it says network, internet, host-to-host and process, there are just four layers. It doesn't mean that anything on the network changes if you look at... I mean, the data is there, it doesn't mean that stuff changes, it's just a different way to look at it. Okay, and what do layers actually mean, what do they

represent? So if you connect a measurement device to a networking medium on the very bottom, you will have some kind of signal. For example you might see an electrical signal on the end of a wire, you might see an optical signal, intensity of light, on an optical wire; for radio signals you might listen on a specific frequency and you might also hear some intensity on a specific frequency and the frequencies around it. That's all there, and all the layers are in there; the question is which layer do we look at, how we interpret the data. The data on the wire does not change depending on the layer that we are looking at. And I hope you will understand at the end of this presentation what the reasons are for having layers and looking at them differently. We're gonna use the academic model, the OSI model, for this presentation. The DoD model basically is more down-to-earth, it's a bit more simple; it joins multiple layers together into fewer layers, because even when working with the OSI model, these three layers, you can see they're in the same color, it's hard to distinguish them at times, depending on what the protocols are. The model does not influence what's on the wire, but it influences how academics and practitioners create protocols for the internet; they look at the model. And the great success of the model is that it's layered, meaning you can basically swap out one layer and everything else can remain the same. For example, if we swap out the physical layer we can still have an IP address; it doesn't matter if you're on Wi-Fi or if you have a wire or if you have an optic cable, you still have the same IP addresses. Theoretically, for DNS for example, domain name system, we can look at that later, we can swap out the transport layer, we can change UDP to TCP, and we still have basically the same protocol on top on layer 5 and the same protocols
below. Each layer can be swapped out mostly independently, meaning that the internet can evolve, we can create new protocols, and it's easy enough. There are some bigger projects doing some larger stuff where they want to replace the whole stack; it's a bit more complex than that, but that's a great success. Moving data from the user on top to the wire on the bottom is called encapsulation. There's one encapsulation step between each pair of layers, so going from layer seven to layer six there's encapsulation, six to five there's encapsulation, five to four and so on. Technically you only need to have the lowest layers. So let's say we capture data at a specific moment in time, you measure the voltage on the wires: it has to have a physical layer, because we measure the voltage, that is the physical layer. If the voltage makes sense in, say, the Ethernet sense, we can also interpret that as Ethernet, layer two. If that Ethernet frame contains the IP protocol it's layer 3, and so on, but it doesn't have to go all the way up; as we will see in an example, it can stop at any time. The layer is there depending on what data is in there, and if you have Wireshark open you can take a look at the data, capture some, dissect some; packets will show you only up to a specific layer. Right, so let's say I was typing an email, I typed my body, my text that I want to send, and I press send. So what all the applications and all the firmware in your computer do together is they encapsulate it down to the physical layer, and then the network card takes the raw bits, zeros and ones, and creates a signal out of them depending on what kind of physical layer you're on. Encapsulation usually includes adding a header to the data from the upper layer. So let's say your email text was really short, let's say it was "hello sha", right, hello space sha. Encapsulating it one by one, layer by layer, you would add additional data. It's usually binary data, so I can't really pronounce it, but

let's, for the sake of argument, take some simple numbers. At the transport layer it might be 777 hello sha; at the next layer it might be 3567 777 hello sha. We will add more and more data, more metadata, with every encapsulation. For some layers it will also add check sequences; it depends on the specific protocols that we're going to look at, but there are check sequences that ensure that the data of the upper layer has not been corrupted when being transferred. So this is basically encapsulation. If anyone asks you what encapsulation is, it means taking separate layer data, adding some stuff to it, and then passing it down to the lower layer. There's one more thing: decapsulation. Anyone knows, or thinks they know, what it is? Right, decapsulation is the process the other way around. You have your bits here, they're decoded, and then they're decapsulated. You check the check sequence if there is any, you do what you need to do with the headers; sometimes, for example, promiscuous mode, right, you remember that: if you don't have it on, your network card checks the header, checks the MAC address (we're going to talk about the MAC address later) and discards the frame and doesn't pass it up. It discards it depending on what the metadata here is. So something is done with the header, and if it's all fine the data is passed up. Please watch me carefully: this data here decapsulates to this here, so all this is considered data on the lower layer. Again, all this, sorry, all this is considered data on the lower layer. Right, encapsulation and decapsulation. Okay, shortly back to the academic part of the presentation. The correct names for the packet data units for each layer are: physical layer, those are bits; data link is frame; network is packet; transport, it's segment; and here it's just data, just in case you were wondering. Technically, with what I do here today you might be able to pass half of CCNA; of course you can try the exam later on. I
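A worked illustration of the encapsulation and decapsulation steps just described, written for this page and not part of the talk; the header layouts, addresses and port numbers are constructed, and a CRC-32 stands in for the frame check sequence the talk mentions.

```python
"""Encapsulation and decapsulation as sketched in the talk: each layer prepends
its own header to the data handed down (the talk's "777 hello sha" becoming
"3567 777 hello sha"), and the receiver peels the headers off in reverse,
checking the check sequence and the destination address on the way up.
Added example with constructed header layouts, much simpler than real
Ethernet, IP and TCP headers."""
import struct
import zlib
from typing import Dict, Optional

# Constructed layouts, big-endian like real network protocols
SEGMENT_HDR = struct.Struct(">HHH")     # src port, dst port, data length
PACKET_HDR = struct.Struct(">4s4sH")    # src addr, dst addr, segment length
FRAME_HDR = struct.Struct(">6s6sH")     # dst MAC, src MAC, packet length
FCS = struct.Struct(">I")               # frame check sequence: CRC-32 as in Ethernet


def encapsulate(data: bytes, src_port: int, dst_port: int,
                src_ip: bytes, dst_ip: bytes,
                src_mac: bytes, dst_mac: bytes) -> bytes:
    """Walk the data down the stack: data -> segment -> packet -> frame."""
    segment = SEGMENT_HDR.pack(src_port, dst_port, len(data)) + data
    packet = PACKET_HDR.pack(src_ip, dst_ip, len(segment)) + segment
    body = FRAME_HDR.pack(dst_mac, src_mac, len(packet)) + packet
    # the check sequence covers everything above it, so one flipped bit in any
    # upper layer is caught at layer 2 before the data is passed up
    return body + FCS.pack(zlib.crc32(body))


def decapsulate(frame: bytes, my_mac: bytes,
                promiscuous: bool = False) -> Optional[Dict[str, object]]:
    """Walk a received frame back up the stack.

    Returns None when the network card would drop the frame: bad check
    sequence, or not addressed to my_mac while promiscuous mode is off.
    Raises ValueError when a header's length field disagrees with the bytes.
    """
    if len(frame) < FRAME_HDR.size + FCS.size:
        raise ValueError("frame too short")
    body, fcs = frame[:-FCS.size], frame[-FCS.size:]
    if FCS.unpack(fcs)[0] != zlib.crc32(body):
        return None                                  # corrupted on the wire
    dst_mac, src_mac, packet_len = FRAME_HDR.unpack_from(body)
    if dst_mac != my_mac and not promiscuous:
        return None                                  # layer 2 says: not for us
    packet = body[FRAME_HDR.size:]
    if len(packet) != packet_len:
        raise ValueError("frame length field mismatch")
    src_ip, dst_ip, segment_len = PACKET_HDR.unpack_from(packet)
    segment = packet[PACKET_HDR.size:]
    if len(segment) != segment_len:
        raise ValueError("packet length field mismatch")
    src_port, dst_port, data_len = SEGMENT_HDR.unpack_from(segment)
    data = segment[SEGMENT_HDR.size:]
    if len(data) != data_len:
        raise ValueError("segment length field mismatch")
    return {"dst_mac": dst_mac, "src_mac": src_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port,
            "data": data}


if __name__ == "__main__":
    # constructed addresses; the 02: prefix marks them as locally administered
    mac_a, mac_b = bytes.fromhex("0200aa000001"), bytes.fromhex("0200aa000002")
    frame = encapsulate(b"hello sha", 40000, 25, bytes([10, 0, 0, 1]),
                        bytes([10, 0, 0, 2]), mac_a, mac_b)
    print(frame.hex())
    print(decapsulate(frame, mac_b))                      # addressed to B: passed up
    print(decapsulate(frame, mac_a))                      # None: B's frame, not for A
    print(decapsulate(frame, mac_a, promiscuous=True))    # seen anyway
```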
don't have much insight about the physical layer. I mentioned different physical layers multiple times already. So the academic definition of the physical layer is that the goal of it is to specify the electrical, mechanical, procedural and functional requirements for activating, maintaining and deactivating a physical link between end systems. There are some keywords there that are actually important; this actually makes sense to me. Electrical means the physical layer deals with voltage levels, it deals with which voltage level is zero and which one is one. Physical means it deals with what kind of socket there is, so if you want to plug a cable into a port, sockets have to match, right, and so on. The physical link between end systems means that the physical layer only works between systems on the same network. With wire it's simple: you have a wire, each wire has two ends, and if you cut the wire that has two ends in half, how many ends do you have? You still have two ends? Four ends, you have four ends, anyway, because you've got two wires. Bad joke, sorry about that. Okay, so a wire, however many times you cut it, only connects two systems, right, so it's a physical link between two systems, two network interfaces, two cards. It's a bit different with wireless, but with wireless we can still talk about a physical link: we have an access point and we have all the devices that are physically connected to that interface using that medium. The medium for wireless is the radio spectrum, basically the electromagnetic band that is available for using the radio, and it's that physical link between end systems. On the physical layer alone we cannot transmit further than the physical cable goes. If you put a switch in between in order to make a cable longer, the physical layer ends with the switch. A switch, by the way, is called a layer 2 device because it operates on layer 2. We can

take a look at layer 2 right now and we're gonna see what that is. A switch is a layer 2 device; it breaks down layer 1 and operates at layer 2. It also breaks down layer 2, but it recreates it for communication to happen. Oh, we're still looking at layer one, sorry about that. So layer one actually consists of two sub-layers... continuing with the academic part here, the data link layer is responsible for delivering the messages to the proper device, meaning that there's some kind of identifier in the data link layer that can be used by networking equipment to route (well, route is not the correct term) but to manage the direction of the data. Now this is layer two, my apologies, this is layer two, right. Layer two consists of the data link layer and the MAC layer. So the data link layer also formats the message into data frames and adds a header, and it contains these addresses: it contains the destination address and the source address. Now, only for Ethernet, those are called MAC addresses, only for Ethernet; there are different layer two protocols than Ethernet, Ethernet is the most accessible one for most of us. And the data link layer consists of these two layers, media access control and logical link control. Ethernet is one of the protocols that can be used on layer 2. Here is a small example on your right, it's the so-called Manchester encoding. How many of you know what Manchester encoding is? Cool, we have some pros, nice. But the real question is why is it used. I don't want to talk about Manchester encoding per se, because it's actually used up to 100 megabits wired, if I'm not mistaken, 100BASE-T, so it's not so popular anymore, but the idea is good, and it can be used when designing protocols at such a low level. The idea behind Manchester encoding is to build a clock into the data. So what is a clock for low-level protocols? Remember we have these two devices; let's take a simple case, we have these two devices, a wire between them, and device
A wants to send device B the data 1 0 1 0 0 1 1 1 0 0 1, right. What if device A wanted to send 1000 zeros? How would device B know that those are 1000 zeros, not 1001 zeros? What if they wanted to send a million zeros? Clocks between devices may not match, clock speed may not match, and that was specifically a problem back in the day, and even currently between different manufacturers it is possible for oscillation frequencies on the chips to not match. To fix that an encoding can be used. One of the simplest schemes is called Manchester encoding, and as you can see it takes the clock of the sending device (it has its clock) and it synchronizes this clock to the receiver, so the receiver knows how many zeros or ones are being received. And it's quite simple really: for each clock we have one bit, so the clock is on and off, right, the first line; we have one bit, and if the bit is 1 it means change the signal level on the wire (the signal level on the wire, you can look at it as minus 5 and plus 5 volts, which is not correct, but you can look at it like that), change the level on the wire from minus 5 to plus 5, and for every 0 change the level on the wire from plus 5 to minus 5. And what do we have in the end? We have oscillations all the time: if you have multiple ones we go down and we go back up, if you have multiple zeros we go up and we go back down. That way the clock gets built into the data stream. It's a good principle that can be used in many places. This way the receiver always knows how many sequential zeros or ones are being sent. Anyway, this was a bit deep. Let's look at the MAC address, this is something you actually need to use Wireshark correctly. So on layer 2 it's easier: you have a MAC address, it's six bytes and it's represented by six hexadecimal symbol pairs, examples on the screen. I think I just made these up, yeah, I just used a random number generator, and there's an address. The first three bytes are what's called the organizationally

unique identifier, OUI. It's assigned by IEEE to different vendors of network equipment, including network cards. Well, then there are some people to the east, some countries, who just take them randomly and create whatever routers they like, but they should be globally unique theoretically. It's not such a huge thing, because remember layer 2 only matters locally; even a switch is a layer 2 device, and then MAC addresses do not matter because we get a new set of MAC addresses, even though they should be unique. The first byte, that 08 is the first byte in this example, the first byte has to end with two zeros in binary, meaning that it has to be divisible by 4 in decimal. If it's not, bad stuff happens. Why? Take a look at Wikipedia, it says that; we don't have that much time. The last 3 bytes... I mean, if you know everything I'm talking about, you can do your deeper research right now so you don't get bored. The last 3 bytes are vendor-assigned, meaning that if I have a company and I register with IEEE to get prefix 08:1a:c7, then I can randomly or sequentially assign these numbers to my network equipment and give them out to customers. And again, these are used to identify devices on the local network. Oh, we're also gonna take a look at the Wi-Fi here. This is Wi-Fi, this is basically one of the options for the lower layer. This is a neat table I put together: we have different Wi-Fi standards, we have different frequencies for them, and we have different maximum speeds. Currently the newest standard that was approved is actually 802.11ad. The year here in this table, if I remember correctly when putting this together, means the year the first device became actually available for the specific standard, so the 60 gigahertz stuff hasn't really worked out yet, but it promises up to almost 7 gigabits per second of Wi-Fi. Cool. Modulation is another cool thing, so OFDM for example means orthogonal
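The Manchester scheme described above, as an added example that is not code from the talk: it encodes the talk's bit sequence and shows why the receiver can count a long run of zeros even when the two clocks disagree. Levels and sample counts are made-up values.

```python
"""Manchester encoding with the convention used in the talk: each bit gets one
clock cell, a 1 is a low-to-high transition in the middle of the cell and a 0
is a high-to-low transition.  Added example; levels and sample counts are made up."""
from typing import List, Optional

LOW, HIGH = -5, 5  # levels on the wire, labelled as -5 V / +5 V as in the talk


def manchester_encode(bits: List[int], samples_per_half: int = 1) -> List[int]:
    """Return the line signal as a list of levels.

    samples_per_half > 1 models the sender's clock as seen by a receiver that
    oversamples the wire; every bit cell is two half-cells long.
    """
    signal: List[int] = []
    for bit in bits:
        if bit not in (0, 1):
            raise ValueError("bits must be 0 or 1")
        halves = (LOW, HIGH) if bit == 1 else (HIGH, LOW)
        for level in halves:
            signal.extend([level] * samples_per_half)
    return signal


def _nearest_transition(signal: List[int], expected: int, window: int) -> Optional[int]:
    """Index t closest to `expected` (within +/- window) where the level changes."""
    for offset in range(window + 1):
        for t in (expected + offset, expected - offset):
            if 1 <= t < len(signal) and signal[t] != signal[t - 1]:
                return t
    return None


def manchester_decode(signal: List[int], samples_per_half: int = 1) -> List[int]:
    """Recover the bits from the mid-cell transitions.

    The receiver only knows its own nominal cell length (2 * samples_per_half).
    Because every cell carries a transition, the receiver re-aligns on each one,
    so a sender whose clock runs somewhat faster or slower is still decoded
    correctly: the clock travels inside the data, which is the point of the scheme.
    """
    cell = 2 * samples_per_half
    window = samples_per_half // 2          # how far a transition may have drifted
    bits: List[int] = []
    expected = samples_per_half             # mid-cell of the first bit
    while expected < len(signal):
        t = _nearest_transition(signal, expected, window)
        if t is None:
            break                           # no transition: idle line or corrupt data
        bits.append(1 if (signal[t - 1], signal[t]) == (LOW, HIGH) else 0)
        expected = t + cell                 # re-synchronise on the transition just seen
    return bits


def nrz_zero_count(line_low_samples: int, receiver_samples_per_bit: int) -> int:
    """Without an embedded clock a receiver can only divide the time the line
    stayed low by what it believes a bit lasts, so the count depends on its
    own clock, not the sender's: the problem the talk describes."""
    return line_low_samples // receiver_samples_per_bit


if __name__ == "__main__":
    data = [1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1]          # the talk's example sequence
    print(manchester_encode(data))
    # a sender 10 % faster than the receiver expects still decodes correctly
    print(manchester_decode(manchester_encode(data, 9), samples_per_half=10))
    # the same 1000 zeros read by an unclocked receiver with two different clocks
    print(nrz_zero_count(1000 * 11, 10), nrz_zero_count(1000 * 11, 11))
```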
frequency-division multiplexing, which is how the radio spectrum is used to put the data in. Let me give you a simple example; this is quite complex, it has some trigonometry in it. Let's look at frequency modulation, FM radio, you have heard about that, right? Frequency modulation means that to encapsulate data, or let's say your voice, into the radio frequency, a change in the pitch of your voice will create a change in the actual frequency. So there's a carrier frequency, for example 100 megahertz, and I'm gonna exaggerate the numbers here, but to send one kind of data the frequency will shift to 101 megahertz, to send the other kind it will shift to 99 megahertz, right, that's frequency modulation. Then there is amplitude modulation. None of these are used in Wi-Fi because they're a bit too simplistic. Amplitude modulation works with amplitude, meaning we have our frequency, we stay there as a transmitter, and we change the strength of the signal: depending on what we want to send we change how strong we are, right. And all of these, I think, combine both these things and more. Let's look at Wi-Fi security. I actually have a cool slide, I should have put it in here, that shows how many Wi-Fi networks in the world, by percentage, have which kind of security. We have quite a lot of Wi-Fi with no encryption, which is okay because we have some public Wi-Fi, some cafes where you would like to check your bank account, or the bank account of the person sitting next to you. Then we have these WEP modes, which is a great encryption scheme, it's called, how was it called, Wired Equivalent Privacy. So it was created some time ago and it can be cracked on my laptop in active mode, meaning that you send out packets, in under half a second; in passive mode this might take up to a couple of minutes. Super scheme. So we're not going to crack that, we're gonna crack WPA2 later on, that's more fun. 802.1X, at

this conference here, for those of you who read the booklet carefully, you're using probably the right network, which has 802.1X encryption, meaning that, well, a user can tell that by having to enter a username and a password. And that's cool, because it's a bit more secure, right, because for one, an attacker has to guess both the username and the password, and for another, you can't really use traditional offline brute forcing techniques for reversing that. Yeah, if anyone has any doubts when you go back home (remember this is a beginners' workshop, right), if anyone has any doubts when you get back home which setting to choose: choose WPA2. Choose WPA2 at home; you will not easily be able to set up the last one. Choose WPA2 and it is gonna be fine. Choose a good password. All right, network layer then. The network layer is layer number three, it goes after layer number two. It is responsible for addressing and routing between devices that are not locally attached, meaning we're gonna have a switch in between, we can have the whole internet in between, we can have routers in between. Of course the most popular protocol, the most recognizable protocol for the network layer is of course IPv6, I mean IPv4. So the IP protocol, it's called the Internet Protocol, of course uses Internet Protocol addresses, IP addresses, to address, and IP addresses have to be globally unique for sure, except North Korea, they just take them randomly, seriously, and then for the couple of computers that they have, they can't access some stuff because their national sysadmin chose the wrong addresses, right. So you can read the definition on the screen now; let me walk here so we can read it. IP addresses are assigned hierarchically, meaning that, let's say, this camp... actually I had so much work I haven't even looked at the IP setup here, I'm just an end-user this year, but I guess, do we have real IP addresses here? Yeah? Yeah,
okay, cool. Yeah, anyway, so the camp got some part of the IP address space and each of us is getting some smaller part, one address, of all the space. So it's a hierarchical system. There's a network part and a host part for IP addresses, we can take a look at that soon. And then there is IPv4 versus IPv6. V stands for version. Good question, what happened to five? It never happened, right. IPv4, so the thing is, I don't actually, I'm not sure, but I think IPv4 is an actual version four, I think IPv4 stands for four bytes per IP address, but IPv6 doesn't have six bytes per IP address, it has much more. But addresses are by far not the only difference between IPv4 and IPv6, it's a completely different protocol. But check this out, applications still work, even though we have a bit different TCP and UDP protocols, and layer five and up, same stuff. So that's great, but somehow we still haven't deployed IPv6, right. Those of you who have laptops, you can continue to look at them, I'm not going to show anything right now, we're going to get back to that later on, but you can continue looking at Wireshark, you might already recognize some of the things I'm talking about. And to do that, if you set up the screen as I showed before, on the left of your screen you will see those dissectors, they match the layers approximately. Actually, you know what, I have to show this so everyone understands, and then we get back to IP addresses. Any questions so far? Yeah, sure, sure. Oh, it's a quick fix, as I said, with some risks, I mean I could do a workshop on the Wireshark setup, but that's a different workshop and it would take one hour, and I'm sorry about that. Okay, so here's my test capture file, or it's a live capture, doesn't matter, let's take a live capture here. Here it is. You can note that I press this button here and magically it started capturing. So you already see some IP addresses here, some IPv6 addresses, we can look at them. Yeah, you also can see some MAC addresses, those are not
here, but you can see them here. And the thing I wanted to show you right now, why I need the screen, is because in Wireshark it's the other way around: the user is on the bottom and the wire is on the top, right. So this is, well, it's not layer one, but this is layer two, this is layer three, layer four, and layer five and up, in this case, right. This is the way it goes. We don't have layer one in Wireshark because that would take quite expensive network adapters to get that information, and what's more important, it wouldn't be useful at all. Well, it would be useful if you're doing layer one research and attacks on layer one, so I guess some people have that equipment, we don't. So instead of having layer one here, what Wireshark does is it puts all the metadata instead of layer one, so we see where it was captured, what encapsulation it comes in, when it arrived, the frame number, the sequence number, the length. So it's basically metadata instead of layer one, but we don't really need layer one for most work, including most security research, including most network research, we don't really need layer one here. So it starts at layer two here. So again, I want to show you this so you know and it's easier for you to follow: layer two is here, and then three goes down, four goes down, and so on. Okay, let's get back to the presentation then, and meanwhile you can keep clicking around and seeing what you see.

Okay, so that's an example of an IP address, IPv4 to be specific. Usually when people talk about IP addresses they mean IPv4 addresses, because it's the de facto protocol for layer three on the internet. IPv4 is divided into five classes, A to E. A, B and C are generic classes assigned to organizations; D is a special class and E is a special class. D is used for multicast, which could actually be a topic for a separate workshop; it allows you to send information to all the devices at the same time. Yes, thank you for the question: are we talking about the classes? We have a slide, because of D and E, to understand those. The others
can be used for all purposes, but of course we're going to be talking about classless routing. So as I was saying, class D is used for multicast purposes, you should not, and I would guess you cannot, in large enough deployments, use those addresses, and it won't work. Class E is used for R&D, research and development. Those work okay on most applications, even though normal people usually just create a closed network with whatever addresses they want from A, B and C to do their research, because the responsible research is not connecting it to the internet, otherwise your new application, Cronos or whatever, might get leaked and then you get in trouble. Okay, so the final thing for this slide is that A, B and C were, back then, back 15 maybe 20 years ago now, used to actually decide how many computers can be put on a network, on one layer two network, but it's not so important anymore. That's why we have three of them; currently it's not really being used. What's currently being used is classless routing, and I mentioned briefly before two things: I mentioned the network part of an IP address and the host part of an IP address. Here it is: the red is the network part and the white is the host part. In this specific example, the network part is responsible for identifying which network, which layer three network, the device is on; the white part, the host part, identifies which device on that network is being addressed specifically. And this is written in bits here, in binary, ones and zeros. Why? Because that is how calculations can be done, until you learn to do it mentally in your head. The network address of any network is the network part plus all zeros. So in this case, if you have this IP address and we put all zeros here, we get the network address here, and if we convert that back to, sorry, that mask, never mind, if you put all zeros here and we take this number and we convert all of these four parts back to decimal, we get 216.39.106 and here we get 160, because we have 128 here, we have 32 here, and
that's it, and that's 160. If you don't know binary, put down a note, later on go to Wikipedia, it's fun stuff, well, not really, but it's useful, really. The broadcast address, the address used to address all the devices on the network, that's when you put all ones in the white part, in the host part. Again, the same stuff applies. When you do this, the last one, you get 128 plus 32 plus 8, sorry, plus 4, plus 2, plus 1, which is 167 for this specific network.

Classless inter-domain routing notation, /29. What does 29 mean? You might notice that the netmask, which is actually what indicates which part is red and which part is white, starts with all ones and then zeros. It always does that. Mathematically it doesn't have to, in real life it has to. And if we write it down that way we have all these ones here, right, and it takes way too much space, because it's 255.255.255 and then usually zero. A much shorter way to write it down is CIDR: we just write down how many ones we have, in this case we have 29 ones, and saying slash 29 is the same thing as saying 255.255.255.248. In order to understand networks and work with networking you have to know both notations; depending on the tool you are using you might be required to input, or the output would be in, one or the other form. Right.

Some more special IP addresses that you might see when working with Wireshark or other network tools. All zeros. So all zeros, that means the default route in most settings, it may be something else in other settings, but basically it talks about the default route, the device on your network where all data should be sent if your computer doesn't know where to send it. That is the default route for foreign devices. Then we have the loopback address. It's actually a loopback network, it's 127.0.0.0; the loopback address is 127.0.0.1 for most operating systems, anything will work instead of the one. The loopback address is used to address your own device, so let's say you are running a server, if
you try to connect to this IP address then you will connect to the device itself. By the way, I'm running this cool challenge, I've been running it for five years, I think. Let me make this larger, I'm going to need this, right. So my email is sha2017 at my domain, right. The first one who sends me the root password to the server at that address gets some more time, right. Okay, let's take some time to let it sink in. Okay, we got two, we got one person following that, that's good, right. So basically of course you can set an IP address, a DNS entry, to loopback, which means that depending on the computer that you are using to connect to this address, you will get the same computer that you're on. And finally we have all ones. This means all nodes on the current network. So we can use the broadcast address here, I'll put this down, we can use the broadcast address here for the specific network; if we don't know or don't care which network we're on we can use all ones, it is the broadcast address on the current network. That's how you write it down; most tools will not accept this form, you cannot use this in Windows, by the way, I think. There are multiple ways to write IP addresses, I haven't used it for some time, but you can use that small form, you can take all 32 bits and write it as a huge decimal and it will work, you can try it out. It worked, I mean, in '98, which was when I last used it, it should still work, I guess, why not.

Last slide about that. Before, and currently it's still the case, there are some other IP addresses which are reserved. On the open internet you will not find these three ranges, these are private IP addresses, and because IPv4 addresses are so scarce we need those private IP addresses, because we are lazy people who don't want to adopt IPv6, we are using these private IP addresses and we have what's called NAT, network address translation, meaning that for conferences that
suck, you get one IP address and everything else is private, which means you cannot directly connect to every computer on the network, which in other words is why you should have your firewall on when at the conference center, because the internet knows you are here, right. But having these as private IP addresses also means they do not route normally on the internet. If I am at home and I type, say some conference has private IP addresses, say 10.10.4.3, if I type it at home it will not route, because it's a private address and it doesn't go through routers under normal configuration. Okay, next. Yes, please. No, I think it's not, I think it's not, because it's not assigned to anybody, meaning that routers don't know where to route it, you would send it through the default route upstream and then when we get to BGP routing it will drop it. Okay.

ARP. By the way, those of you who have Wireshark open, up in the line where the filter is, you can type in arp, three letters, and press Enter. Some of you or most of you may see something, it's been capturing for some time. Anyone got something there? Yeah, we have something, good. So the filter is much more powerful than just typing in the protocol, but currently you filtered all the data units that contain the ARP protocol, or rather that terminate in the ARP protocol, where the highest layer is ARP. ARP is a protocol that does this: basically you have an IP address, you go to the MAC address. Why do we need that? We need this because, well, humans don't really work with IP addresses either, but we get to that later. So you have an IP address, but on the local segment where you are, and on the local segment between the huge cloud that is the internet and the connection that you're making, we need to know the MAC address. Remember encapsulation: the user types an email, it goes down, it goes to layer three, there's an IP address, it is added at that point in the header, and when it goes to layer two the computer needs to add the MAC
address. In order for the computer to know the MAC address of a different IP address it uses ARP. It asks around, who has this IP address, and it only works on the local network, and the device that has that IP address responds and says okay, this is my MAC address. Yes? If you both have the same MAC address? Okay, okay, let's take a look at that. Let's say the most interesting case here is, let's say you bought, okay, the country in the east, right, China, let's say you both bought the cheap Chinese devices and you can have the same MAC address. It shouldn't happen because all OUIs are assigned by the IEEE, but some companies just take it at random. Both of your devices will think that it's addressed to them, and the first one to respond will actually be the one that gets registered and put in the ARP table. Oh, mine does. Well, semi-random doesn't really help, because let's say you want to leave the first three bytes the same and you want to randomly change the last three bytes; some other person's network might actually have that MAC address because the vendor has assigned it to someone. With random IP addresses there is this risk that you might run into equal MAC addresses, sorry, I said IP addresses, I mean MAC addresses, there is the risk that you might run into the same MAC addresses, but then, if stuff doesn't work, it just takes the next address, right. But anyway, the other case is when the IP addresses match. You know what, I made a mistake there, so the explanation I gave to you was about IP addresses: if two computers have the same IP address, the first one that responds with their MAC address is the one that goes in the table. If the computers have the same MAC address, well, we have a problem, because both of them think that it's for them, they're both responding, and we have this extra traffic all the time, and depending on the timings, each time a different frame might be picked up by the destination. What you can try out:
create a test network, there's equipment all around, don't use the equipment connected to upstream, don't screw it up for people who want to use the internet. Take some switch somewhere, connect a couple of computers or whatever, and try it out, this ARP thing, the first one, right, having different IP addresses, having different MAC addresses. ARP can actually be used for attacks, right. I think we have a slide on that later on, but basically the idea is, let's say you want to attack someone and you want, in a simple case, to make sure that when they connect to this IP address they talk to you. You just have to be super fast, you have to even be pre-emptive, and you have to send an ARP reply to them saying this IP address is me, not that guy, and the computer will believe it. There's no encryption, no authentication, no signing for ARP, and to verify that you can actually use Wireshark: you can go inside ARP, you can click on it and you can expand all the fields that are in ARP, and you will see there is nothing there that does that. So remotely you modify the ARP table just by sending the ARP reply, and it does that if it's empty at that point, if the IP address is not in the ARP table. Luckily for an attacker, the ARP table is being flushed, well, entries expire in the ARP table quite regularly, meaning that you have enough options to do that. Locally, to modify the ARP table, use the command arp, I think it's both on Windows and Linux and probably Mac too, so you can use that to modify it locally. And I do appreciate your questions, if you have questions please go ahead and ask them and I'll try to remember to repeat them, because I forget that all the time.

ICMP. Internet Control Message Protocol is a management protocol, it is used in conjunction with IP to inform the source of the packet that something went wrong. Here are some examples. TTL means time to live and it's implemented inside the IP protocol to avoid routing loops. Each time a packet
crosses a layer three device, or a router, the TTL field, and you can find it in an IP packet, you can type in ip in the filter and take a look at some IP packets that you have, every time it crosses a router the TTL gets decreased by one. The initial value depends on the operating system you use, it's usually no more than 32, and if you cross the number of routers that you have TTL set to initially, then your packet gets dropped by the next router, and the router creates an ICMP packet saying TTL exceeded and sends it back to you, the source, so you know that there was a routing loop or the route was too long. By the way, as I said, and again I'm sorry that I was a bit too busy and I didn't go through the presentation again today, I did that a week ago, and I might tell you something that's in the slides later on, but let's risk it, rather tell you twice than not tell you. Let me show you an example. So just to show you routing, I'm specifying max hops here, so how many routers it can go through, let's say 60 for this case, well, yeah, let's say 16 for this case. traceroute is actually a bit different an application, and actually I'm going to show you in Wireshark, it's quite interesting. So traceroute is used to identify those devices that your packets go through when going to a specific destination, and it's done in quite an interesting manner. I'm going to set up the capture here, and the traceroute, right there, we are, it's done. So you can see these IP packets here, you can run this on your computer, sure, you choose a different domain and then run it. So a packet is sent to the destination IP address that I chose, and in the IP header TTL is set to the minimum value, in this case one. The first router decreases the counter, looks at it and says it's zero, and sends back TTL exceeded, and this here is the first IP address, because it is the device that sends us the packet. Then my computer sends it again, but this time it sets
, let me repeat, oh there we go, it sets TTL to 2 and sends it again. In this case I get the same reply from a different device; that way I can get the list of routers, you can see them here. I won't repeat it, it's actually a weird configuration this way in the network. We can get the list of routers that the packet goes through when going to a specific IP address. Yes, please. If you get stars, that means the specific device is set not to reply with ICMP to you, or it is set to filter the specific protocol that you are sending. So here for example traceroute uses the UDP protocol on some specific ports; technically you can use this with any type of protocol, you can do this TTL trick, and there is, what was the name, hping3, which allows you to do all these tricks, and it's a bit complex but it's fun, you can use different types of packets to send it. Right, so let me show you one cool traceroute here. If you actually go to the address bad.horse, of course there's a cool song. I won't play it here because I need to speak, but if you have headphones you can put them on, or play it later. These are the lyrics for the song, and that's the facial expression the guy makes at that point. Okay, right, let's continue then.

So IPv6 replaces IPv4 in layer three. It creates a parallel network, which means it's not that easy to have it together with IPv4. It works with layer five and up protocols the same way, but layer three it replaces completely, because it's a different layer three protocol, and that's why it's so hard to deploy, I guess. It has that many possible addresses in theory, which is, can you read it? First, okay, that's fine, so it's a bit more than 4 billion addresses in IPv4 that we have; in IPv6 we have one IP address for every person on the planet, every device they have, every port that device has, and every service that might want to run on every port of the device, and more. An example of an IPv6 address you can see on line three. Question? No? Okay, you can see it on line three, and
it's quite long. So what you can do, and it's a standard in IPv6, when you type in IPv6 addresses you can shorten it: you can find just one, if there are multiple, you can find just one place where there are all zeros, where two bytes, the two bytes of the same part between the colons, are zeros, and you can remove them all. So this is a colon, these are zeros, we'd remove them and leave two colons, and that's it, and it's a bit easier. I actually, a year ago, I had this IP address, and then sixxs.net shut down, it's a tunnel broker, yeah, and I don't have it anymore. Yes, exactly, but the idea, I mean the principle, is still the same: we have the network part somewhere here and we have the host part somewhere on the right. So usually if you start your hosts at low numbers you don't have anything reserved, and it is actually helpful, but you have to understand this is the same address, the other way around: double colon means you put in blocks of zeros until the length matches, right, because you have 16 bytes, that's it, about IPv6. Yes? No, layer two stays the same, MAC addresses do not change, thank you for the question. Okay, the next layer is layer, oh, the question, please. I did not, well, let me show it to you. Okay, here is IPv6 magic here, and here some IPv4 non-magic, right. So first of all we can, well, it's not visible here, but I think the TCP part goes a bit differently, this is UDP. So if you look at IP version 6 we can see different headers than IP version 4, take a look here. The router advertisements are a new thing for IPv6, it's quite specific, to be honest, for this audience, but if we take a look it's very different, right. Again, Wikipedia. I have a different slide deck for IPv6, but we have only, how much time do we have actually? One hour and a half? Okay, one hour, and we are in the middle of the deck and we have demos, demos, demos, huh, yeah, yeah, okay, thank you, but thank you for that.

Okay, so transport layer. The transport layer, as the name
suggests, is responsible for the transfer of data in a reliable manner. It's responsible for the data to arrive at the destination in order and error-free, and this is because IP, the most recognizable layer three protocol, is a packet-switched protocol, meaning that the routers that we have in between two endpoints can switch the route that they're using for every packet; they're not bound by any law to send all your packets for the same stream through the same route, they can change like that, and that's why we have the transport layer. It does some buffering, among other things, and receives the packets and rearranges them in the original order; that way if you send a long text that doesn't fit in a packet, you can actually arrange them back in the right order. This has to do with TCP mostly, the Transport Control Protocol, and we're going to talk about that in a minute. But here, so, two types of layer four protocols: connectionless and connection-oriented. Connectionless meaning that we can just send data and that's it, we don't need to agree on anything, we can send the first packet and it's already data. Connection-oriented means we have to set up a connection in some way or another. Here is UDP. UDP is nothing of what layer four is about, UDP is basically there to fill the void, because there needs to be a layer four if you want to have layer five. It's a best-effort protocol, meaning it doesn't care about errors, it doesn't care about delivering data. This is everything there is: the header consists of these four fields for UDP and then data; data is layer five stuff coming in there. Notable features of UDP, User Datagram Protocol: minimal design, as you can see; it doesn't retransmit data if it's not delivered, it doesn't care, it just sends the next part, and it doesn't control the delivery of the data either; it is stateless and transaction-oriented, so it doesn't keep the state of the connection, it's not a connection-oriented protocol. All right, the fun demo, yay.

Okay, so what we have on
screen here is a theoretical setup. We have the internet in blue and brown, the globe, we have two firewalls depicted by the icon of fire and a wall, and we have two relatively modern PCs, there's A, X, Y and B, that is the setup. Each of them has an IP address. Does anyone notice anything special about any of the IP addresses? Okay, which ones are the private IP addresses? That's correct, A and B are the private IP addresses. So if computers A and B would like to communicate without any third party, they would have no way of doing that, but UDP and this specific arrangement allows us to do that. So what we can do is, we're going to send a connection from computer A to IP address Y. Router or firewall Y will drop it, will drop the packet, will drop the UDP, what's the actual correct term for UDP, segment, right, will drop the UDP segment. Then computer B, and think about this, they both need to communicate, they have to know that they have to communicate, other than that it works magically, B will send data back to A, back to X I mean, and X will already know where to send it. Why? Because when computer A sends the data to B a connection entry is created in firewall X, and it says okay, so if A wants to communicate with IP address Y, I know where to send it back. Let me show you how it works. Okay, so I've got some of these here, right, and let me connect somewhere, let's see, where would we connect, cool, okay. So both these computers have firewalls. Those are not private addresses, but there are firewalls which will not allow you to connect to them. So the left one is my computer, the right one is my server, it's in a different country. So this command will listen for UDP packets on port 2345, I forgot my IP address, and now if I try to connect there on port, which I also forgot, 2345, I shouldn't be able to send anything because of the firewall. I hope I didn't lie to you about the firewall on the other side, let's try the other way around, and I'm
going to try to connect from this side. Sure, and the data doesn't go through, it even sends a reset. So as you see, the data didn't go through. Now what can we do to make these two computers talk together even though there are firewalls, in this case in my computer's case on my computer, and in the server's case on the network? How do you make them communicate without reconfiguring the firewalls? I will now write the commands again. From here I will connect to the server on port, say, 8888 using UDP. It will not work, of course. On the server I will not listen, rather I will connect to my IP address here on this network, on the same port, and I will also specify the source port which the packet is coming from, which is this, so they can be sent from there, and they match. Let me, it's not okay, Wireshark isn't helpful, okay, we do -u, UDP, we do this. So UDP is a connectionless protocol, meaning that when I launch this nothing has been set up yet; only when I send the first packet will any data actually be sent. The first packet will be sent from the server to my laptop and it will not reach it because of this firewall, but at this point the firewall at the server side knows that the server side could communicate on port 8888 with that IP address. My firewall doesn't know anything about it. Now I try to communicate with the server, and I already get data through, and now as I send this, 4 5 6 6 7, my firewall knows that I want to communicate with the server on port 8888 and it thinks the data coming in is part of that connection, not the other connection. There are actually two connections, in quotes of course, because UDP is connectionless, but now we can actually communicate between the two devices on UDP. Yes, it can be used, and thank you very much for reminding me. The question was, is this one of the techniques that is used by peer-to-peer networks when the endpoints are behind NAT, network address translation? It can be used, and actually I've read some papers that say it is being used, I haven't verified it myself personally using
Wireshark. One part is missing here of course from this demo: how did the hosts know to communicate? And one way is to use a STUN server to establish the connection, just to make sure that the other party knows that you want to communicate and what port you can communicate on, a third-party server, but it's not as fun. But it is what most peer-to-peer programs use, they use a STUN server. There's actually research, and it's been finished, it's done, that allows you not to use any third-party service at all and let the other party know that you want to communicate. I don't have a demo for that, you can google it, it's proven, it's pwnat, it's an implementation of this. Basically it goes like that: a host is pinging a non-existent IP address, in the paper it's 1.2.3.4, and the other party, the other host that wants to communicate, at any time sends an ICMP reply saying something like, for example, sorry, this destination can't be reached, or sorry, TTL exceeded, and routers and firewalls will send these replies through because they think it's a legitimate reply to your pings trying to connect to 1.2.3.4, and that way you can pass data on, you can initiate the connection, you can get the data running. Okay, if there are no more questions here, let's look at the more complex TCP.

TCP is stateful and connection-oriented, meaning it preserves state between different packets; it has some information that stays there during the communication. It has quite a lot of possible header fields here that can be filled, but notable features include, I'm going to start from the bottom, flow control, meaning the other device can inform the sender that it needs the sender to go slower or faster. There are different devices that use IP nowadays, especially nowadays we have fridges, we have light bulbs, and we have laptops, right, laptops too, and they process data at different speeds, and that's why flow control is so important, especially nowadays.
Ordered transfer, meaning that this actually implements the solution to the problem of packets arriving in a different order; we have the sequence number here that's responsible for ordered transfer, it's 32 bits. It has error detection, it has a checksum here, and it has the acknowledgment number here, which includes the sequence number plus one of the packet that was received; that way you can already tell your communication partner, your other device, that you have received the packet. And it has the three-way handshake, which is the way to inform the other party that you want to communicate and establish the initial connection. This is the three-way handshake right here and we're going to take a look at it in Wireshark, just to learn a bit more about Wireshark. So the client will send a so-called SYN request, synchronization request, the server will respond with ACK and SYN, the client will send SYN, and then we will have ACK from the server. Let's take a look at that live. Okay, I'm going to go to google.com, use telnet on port 80, and that's it, I'm going to close the connection. I'm sorry, me? Yes, I have no idea, is it possible? Yeah, please, please find out, we need it warm and cozy in here, we can get the campfire maybe going, that would be warmer. Okay, good luck with that. There is some space over there if he comes, a chair, and over there. Okay, so let's continue. That is quite interesting, yeah, nice, nice, thank you, a round of applause, perfect, thank you so much. Okay, there's too much stuff in here, let's do this again. So I'm going to run this, I'm going to connect to an IP address so I know how to filter it later on, and that's it, I'm going to stop the capture, and now when I apply the filter, it's not here, okay. So one more cool feature of Wireshark that even professionals out here may not use, may have forgotten or never knew, is how you can nicely filter. So of course here you can type in different expressions like tcp or udp, right, but that's not what we want to do. What we can actually do is, if we choose any field here, for example the destination
address, and we right-click it, what we can do is Apply as Filter, Selected, and we only get matching packets where this field is set to this parameter. We wanted, we want to see both parts of the communication, so we change that to ip.addr, not ip.dst. Here is our three-way handshake, and of course I encourage you to follow through and also try to connect somewhere and capture it. We can see that Wireshark has helpfully already selected, I mean highlighted, the flags of these three packets here, SYN, SYN-ACK and ACK, but let's go in a bit deeper. So Internet Protocol version 4, flags, oh sorry, no, it's not, not flags, that's it, all right, my bad, TCP, right, TCP flags. These are all the possible flags that you can set; flags are actually two bytes large, here on the left you can see it, and you can set any combination of flags, in theory. In this case we have set the SYN flag, meaning it's a synchronization packet, meaning this IP address here wants to establish a connection to this IP address here, on this specific port, right. The thing I haven't mentioned about layer four is ports. Both UDP and TCP have ports, meaning those are channels for communication over the internet: we have the same IP address, we can have multiple services. Port 80 is typically used for web, so HTTP; port 443 is typically used for HTTPS, so encrypted HTTP. The source port is usually assigned randomly by the operating system unless you specify it manually, like we did with nc -p. Okay, so we got a response here, it has SYN and ACK set, and if we pay attention here, those are relative segment sequence numbers, not real ones, but the sequence number here is set to zero, and in our reply here the acknowledgment number is set to 1, meaning that packet 0 was successfully received by the server, and here it's sending again, it's a zero, and we acknowledge it with 1, saying okay, and at this point we can start exchanging data.

At this camp there's actually a project being run that allows you to scan the whole internet. Wow. It's nothing new, technically,
but I mean the good thing is there's there's a guy who manages it and actually work with the requests you send in and and runs the scan for you zmapp is a tool that can be used for doing that and zmapp is internet wide scanner it's against the whole ipv4 address space in 45 minutes it only gigabyte on a gigabit connection if you have a faster connection you can use zip your zmapp that does it even faster it's actually quite relatively new breakthrough I think it's three or four years old the idea and allows you to do that because you are not waiting for the reply so how it works simplistically is it sends syn packets and masses to all the IP addresses in a specific pseudo-random order and it uses the metadata the other part of the TCP header to mark that these packets that the reply to these magnets would belong to the scanned and it doesn't store any information on your computer about what was send where all these sources and index are for are we in the list of IP addresses and when the reply comes it analyzes those that metadata included and it can tell you if the port is open or not so it's quite quite cool I'm not gonna run it here because I don't have either not connected but it is it is a cool features and a way you can use knowledge of of networking to create cool stuff okay routing I mentioned that time to live is decreased with every cop with every router that you cross routing decisions are taken based on the routing table for your computer usually you'd have just a default gateway just one router where all your information center for Internet routers it's not uncommon to have many different routes you send your data to and routing table is used there to actually route the data to the correct path three types of routing static routing default routing and dynamic routing is what I want to talk about briefly here static routing entails manually setting up routes on each router so let's say you are Google and you want to set up your routers you connect to 
each other of your routers I guess in the thousands hundreds of thousands maybe and you set up the route by typing if IP address is in this network send it to this router which doesn't scale really well but it's easy in the sense that you don't have to know much just have to understand basic stuff about IP networking default routing is when you set if it is when you set the destination address to all zeros and it includes the IP address that the IP address of the router that you want to send all the data to when you don't know to send it this is the only thing that is usually used on a laptop on on an end device on a computer so we have some link local address and the last line we can ignore that it's a bit different topic so here it's replaces zeros with default taxable zeros are there let me see if I can get it on the screen nope okay there we go so it says oh that's a fun I wonder if it's if it's an Easter egg of network team basically it says by default it will send everything here unless of course it's in your network lots of data here we only want to look at the wireless adapter it has this internet address this is the netmask slash 19 if the device can reach the IP address locally on the same network by using the maths that I showed half an hour earlier it will send it directly it will do an ARP request ask for a MAC address and send away if it can't it will use the default route what else do we have in the routing table here we also have here information that the Val just talked about if your stuff is on the same network do not wrote it send it directly and here this is the easter-egg I guess I don't anyone know what that is I seriously don't know the second line basically I can tell you what it says I don't know what the meaning of that so it said that if you want to send if you want to send data to this specific one IP address you should also route this through the same ip address as everything else it's set by the HTTP from the network team from knock so 
I don't know what that's about, unless someone's hacking me, then that's cool, sure. Okay, any questions here so far? Okay.

Then dynamic routing, the coolest way and basically the only way to do large-scale deployments. It dynamically updates the routing tables on the router using routing protocols. So basically two types you should know about, just real quick, because it is again a very in-depth thing, not suitable for a beginners' workshop. Distance-vector protocols determine that the route that uses the least number of routers is the best route to use; it just tries to dynamically find out what would be the number of hops to each network destination. Some protocols there are RIP or IGRP. OSPF, or link-state protocols, use different metrics and they try to recreate the topology, or the picture of how the whole network looks, on each router; they can also take network congestion into account when making routing decisions. For example OSPF would be one of such protocols, and these protocols are usually why you might have one packet going one way and the other packet going a different route, because congestion and different parameters change and the router, or multiple routers, might take a different decision on how to route your next packet.

Oh, the fun part finally. So we went through... to recap: layer 1, so physical. Layer 2, the most popular one is Ethernet; on layer 2 we have MAC addresses and the data parts are called frames. We have layer 3; the most popular there is the IP protocol, those are packets and they have IP addresses. We have layer 4 which has segments and we have UDP and TCP there. And now we're up to application-level protocols. By the way, while I was recapping... I think Wireshark tries to keep... yes, not that I think, I know Wireshark tries to keep this in order, because you can see it on the right: the fields are actually here in the order that they come in the data unit. Since we had the four NOC, network experts here: why is the destination address first, before the source address? If you look at IP, source is first, destination is then; look at the right here, the destination is after the source. For Ethernet, for MAC addresses, here destination is first and then we have source. It's not only first, it's actually the first byte, the first bit of the frame is already the destination address. Any of the network people or any other people here, why is that? Okay, we heard an answer: speed. Could you elaborate more? Thank you, very good. So the answer was switch. When a switch, also a layer 2 device, tries to understand which port to send the frame through, the switch can do fast forwarding: it can decide where to move the frame without actually looking at the whole frame. And it has to look at this from the beginning, because the electrical or whatever signals come in the order it's laid out physically, and because we start with the destination, not the source address, the switch can take a decision depending on the destination address without reading too many bytes from the packet, and it is much faster. And it's still quite important these days with all these speeds we have.

Okay, where are we? Right, so we are up to layer 5, and this is the place where I will stop going through the layers. I will try to do some explanation of the differences between session layer, presentation layer and application layer, but it is usually hard to distinguish which is which, and Wireshark dissectors do not usually try to do it; they usually just have one layer there. What we can do now is we're going to take a look at some core protocols for the internet, core application-layer protocols, and shortly look at how they work, which is the last missing part for you to understand how basic stuff on the internet works, technically. So this here is the overview of the DNS system, or Domain Name System. It consists of the root zones; an example of a root zone would be .com, or
.lv or .nl or .horse, I guess, cool domains we have these days. It's a hierarchical system, meaning that if you have a domain signed.dog.bad.horse it is a subdomain of bad.horse and that is a subdomain of .horse, and it entails some administrative features. Before we look at that practically, and for those of you who already know this theoretical stuff, the command is dig, I'm just going to remind you: dig. You can start playing around with it if you have it on your computers.

So just some of the DNS record types. What is DNS? The Domain Name System allows us to not use IP addresses. We already learned how we can avoid using MAC addresses, but people don't want IP addresses, they don't want to type IPv4 addresses, and even less would they like to type IPv6 addresses, so we have DNS which provides nice readable names for us. Computers have basically no use for them, it's all for us humans. There are different record types in the DNS system. The main record type is A, or for AAAA, and it returns an IP address for a domain. Okay, so if I dig A for, let's say, sha2017.org, I will get the answer. This happens automatically whenever we use an application that supports DNS, which is 99.9% of the applications these days; we just type it in a browser or an email program and it will find the IP address automatically. For an email program the procedure is a bit different; so for a browser it will look for an A record and will know this is the IP address I need to send my data to. Let's take a look at Wireshark for a moment here. So even if I just ping, which is just sending an ICMP packet to check if the IP is up, it will still need to find out the IP address from the name I typed here. So if I type dns here I will see the query here; it's asking for an A record for gmail.com, and as a response here it has given me these answers. So these are four of the IP addresses that my computer can use to connect to gmail.com.

MX is used for mail exchange, and that is the one used when actually sending an email. So if we dig MX google.com, this is the answer section; you can see that email for @google.com is handled by any of these mail exchangers, and if we would like to connect to them we would then need to get the A record for them, right? And depending on the configuration you might also get them automatically from the server, which is what happened here: it's the additional section, it's not what I asked for but it might be useful. Oh, I skipped AAAA, but I think you already see what that is, right? AAAA is an IPv6 address, not an IPv4 address. An NS record is a name server record; it delegates its zone to use a specific server for lookups. So here for example every DNS resolver knows of 20-ish root servers; they are distributed all around the globe, but it is basically the one and only part of the internet that is actually the weakest link, not really decentralized even though we have 22 of them. If a hacker, a bad actor... well, a bad actor, right, hackers are good, it matters, seriously though. Yeah, okay. If a bad actor were to take all of them down at the same time, DNS would not work globally; that's the centralization point there. Anyway, each of these servers knows where to look up the top-level domains. So if we do dig NS sha2017.org and we ask this question to one of the root servers... sorry about that. So I did that by typing @ and the name of the server, the IP address of the server. All it will say to me in this case is which name servers are responsible for .org. Even if I ask not NS but I ask, hey, I want the IP address of this, it will still give me only the same answer, in the authority section, because the system is hierarchical; those name servers do not know anything about this. Let's use program.sha2017.org, which is a very dear address to me today; I spent four hours trying to fix the program CSS, some people couldn't scroll to the right and didn't see how... okay. So we can see the name servers, and what would normally happen if we didn't specify a specific name server: it would then ask one of the next name servers, at random, the same question, and we would get an answer, hopefully; if it would not get an answer it would try the next name server. So we have an answer and again it's not our answer, it's just an authority section; it says for this domain ask any of these name servers. We take one at random, we ask the same question; there's our address. It's a CNAME record, canonical name, an alias; basically this says the DNS for this is the same as the answer for this. And again the server also automatically sends me, by the way, you probably will want to know the A for this, so here it is, so I don't have to ask for it again.

Yes? To what domain? Yes, yes, yes. Well, I'm not the sysadmin, I'm the content team, so the sysadmins are doing that, but well, it doesn't cause any technical difficulties as far as I could imagine. I think it's fine. Now that you asked I'm getting a bit suspicious about whether it's fine to do that, but I would also do that if needed. Yeah, sure. I mean, unless you have a really good reason to use a CNAME, depending on your name server, it's better to use an A record directly, but yeah, you can use it. Why you could avoid a CNAME in this situation is because it's on the same domain; this zone the server holds, it owns, it knows the IP address, it can send it directly. Depending on the server you might force your DNS client to make a separate request: if I wouldn't have this one here I would have to now do this to get the IP address, which is bad. Yes? I think it's not fine to do this when you're doing this for a different... Thank you. So your comment was that you think it's not okay to do that if the CNAME goes to a different upper domain. Yeah, so that's what you said. Well, that's actually this thing: when you put a CNAME to a different upper domain, say to google.com, that is actually the only real use for CNAMEs. It is not
good network-wise because you will have to make a request, because this specific name server doesn't know anything about .com, but it's a legitimate use, because that way you can actually link your IP address to whatever this other IP address is; the other admin exchanges the IP address and yours changes too. Unless you want to delegate the whole zone using an NS record. Thank you. One hour left, okay.

PTR is a pointer; unlike CNAME, which we already discussed here, PTR would stop the processing, meaning that it's basically a kind of text record, not exactly, but it returns just the name. PTR records are most commonly used in reverse DNS. So when we did this traceroute, traceroute bad.horse, you can notice that we get the names here, but if you watch it carefully traceroute uses this TTL trick, and those are IP addresses of course; we are getting answered from an IP address, not a domain name. What that means is that somehow this gets here. If we run traceroute -n it doesn't do the name resolution; we can see all the IPs here, and what it does is actually look up the reverse DNS for every IP address. You can also do it like that, right: you can take this, which is just the IP address with all the bytes in reverse order, you can dig it and here it is, it's just a string basically. If you just dig it, dig ANY, it will still return it; it would not try to resolve it, and that of course means that you can type any domain you want in there if you have the DNS server. Yes? But it's, I mean, yeah, it's hard to... before versus now: when I was running a large network I think I just got around 500 IPs, just because of downtime; I emailed them and said come on, what's up, it's downtime every week, and they said okay, okay, don't be angry, here. It's like an IPv4 address isn't... now I have them, but this is bad.horse, it isn't mine, it's someone else's. Okay, so we already looked at dig; this is a reference slide that you can use. ANY is a pseudo record; it's not a real record, it just asks the server to send all the records it has. AXFR is authoritative transfer and it asks to send all the subdomains the server knows. Usually this is turned off. There was this one or maybe two times when a top-level domain, like .something, didn't turn this off and some researchers just downloaded all the domains of a country. So you should regularly check if stuff happens, and then it can be doing a good job.

One more thing is +trace; let's take a look at that. It's explained here; I already explained this process previously: how your resolver queries the root server, then queries the name server, then the subdomain name server and so on until it gets the answer. It sends the same query to all of these servers one by one. +trace helps you see that visually. My screen is not large enough to show it to you, but if you type on your computers dig +trace program.sha2017.org... I will use less to actually fit it on the screen, not ideal, I guess. Okay, let's try this out. less. Oh, do we have internet? Yep. What's... a different domain. Okay, maybe I messed up, sorry, let's put it in the right place; I don't think it matters, but maybe it does. Okay, I don't know what's happening here now. It should perform the requests one by one, right? Maybe my name server is down, let's see. Yeah, it's some systemd stuff. Is it like that for everybody else? You will need systemd, right, we need the bad guys, it unites the community. I agree. Okay, now it works, right. So this is the request to my lookup server; it gives me the root servers. Requesting one of the root servers for who knows about .org, we get the .org name servers; then we ask one of those who knows about our request, we get the sha2017 name servers, and we ask those; we finally get our CNAME and also the A address here. So that's DNS for you.

SMTP, right, the Simple Mail Transfer Protocol. It's simple; it's underlined, that means it's really simple. In the beginning
I spoke a bit about how you can forge the return addresses; let me show you what I mean. I'm going to use split screen for this. Okay, now let's say we would like to send an email to me; my domain is kirils.org, so my mail application, let's say it's a classical mail application, right, Outlook, would look up the mail exchanger for kirils.org, the domain of my email. There it is. Then we need the IP address for that, technically, and there it is. What happens next is... let me see if I have slides actually in the deck. Oh yeah, I kept slides, let me show you the slides first. What happens next is your computer connects to the SMTP server, its port 25, that's a well-known port. It gets greeted with hello, 220; you reply with HELO and your domain name; you get an okay, 250. You say whose mail this is from, like some address, MAIL FROM; this is the envelope address. You say who the mail is to; again you get okay. Then you send DATA and then you send the email body with all the headers. Now this part here, starting from From: up to Subject:, could theoretically be described as the presentation layer, so layer 6 technically, but if you don't subscribe to that and call the whole thing application layer it's not a big mistake; it's quite an academic debate between those three layers. Anyway, you send that; this will be parsed by the email client, not the email server. And that's it: it says okay, 250, and you quit and it says bye-bye, 221.

So let's take a look at the demo here. So we have telnet and port 25; there we go. HELO. Okay, pleased to meet you. MAIL FROM, okay. Oh, the domain doesn't exist, my bad. So some servers check more, some are less restrictive about what you actually type. Boom, sender OK, good. Recipient now; in the case of recipients most servers will actually check what the hell you are typing there, so if the domain... if an account didn't exist it wouldn't accept it. Also, unless it's an open relay it will not accept email for other domains. And then DATA, and now this will all be parsed by the mail client if I receive the email. Let me try. Okay, and you finish with a dot on a line by itself, as it's actually said here in the message. Okay, I don't know... quit gracefully. That's basically it. Now let me fire up my email client and hope that it doesn't go on screen. Okay, it sits on my screen, that's a good sign, and oh look, I have an email. It's not in spam because my spam filters suck. I'm going to open it up for you and move it to the main screen; I can zoom some way or another. Okay, let's look at the headers. So this is everything received; my server added some headers of course, additional headers that we didn't send, but basically it's all there. It says it's from Billy to admin and it's all there; the period, here it is. Okay, so that's the SMTP demo. Okay, we are at almost the last slide so we're going to have the practical stuff soon. Thank you, thank you.

So HTTP, Hypertext Transfer Protocol. This is a protocol used to transfer web pages; it's not HTML, it's not the markup language, it's the protocol. And rather than doing it in telnet, you can see how it looks here; this is a response. Rather than typing it in telnet let's use Wireshark to do that. Okay, so let's run this and let's open up a page. There we go. Remove the filter, filter for http, look up this request here. Let's close all this and, HTTP here, this is how it looks. So we have a GET request here, meaning open this page, and this is the page address, so basically part of the URL; it says open the main page, just slash. If I would ask for google.com/123 it would say /123 here. Then there's the host name and some headers that identify you, user agent and so on; so take note of that. And the response. And here's a cool trick for Wireshark: right-click here on the packet and Follow HTTP Stream; look, we have the request and the reply in the same view, and what's even better, if you close it we can see all the stream packets here visible. Okay, now what I usually do here with a group, and this is a small part of a five-
day workshop that I do commercially, a five-day workshop; what I do here with a group usually is I get everybody to launch their Wireshark and open up a web page. It's better if it's HTTP, web sites that are not encrypted. Just launch Wireshark, close your browser, open it again, open up a web site, and then we will take a look at what we see. I'm going to take a two-minute break here; you stay right here, open up a web site and I'll be back. Okay, I'm going to lock this for reasons. What was darkening here? Oh man, now you can see it; hold on, let me make sure it doesn't show the password on screen. No, for real. Okay, so many of you are still here, which is cool, thank you for that. So I hope you managed; if you didn't, ask any questions before I show it on my laptop. The thing I want you to answer for yourselves here is what kind of protocols are involved in the simple action of opening a web page, just typing in an address and pressing enter. Okay, here: DNS, TCP. What would be the first protocol that's employed? DNS, yes, DNS is the one you might see in Wireshark because you've been using the internet, or at least your computer has been using the internet. From the theory that we covered, if you would have just turned on your computer, what would be the first protocol that you would see, after you have successfully and fully connected to this network? ARP, that's correct, Address Resolution Protocol.

Let's go step by step and I'll try to simulate here that my computer has just been turned on. Okay, so I'm deleting some ARP entries here; let me relaunch this. Okay, now if I connect to the web, I'm going to use my favorite web browser, there I am, surfing, recap... let's see if ARP is there. Yep. So of course we have some background data going on; it starts with ARP, in this case it's because I deleted my ARP table manually, but that's what really happens when you start up your computer and connect to the network. So the full explanation for this is that I typed in the domain 02.lv; my computer knows the DNS server to use is 8.8.8.8 because I put it in there manually. Now it tries to do the DNS; it tries to connect to 8.8.8.8. To do that it looks at the routing table, it all happens in the background instantly: it checks the destination addresses, ordered by the mask; it starts with the largest mask and goes to the lower masks. 8.8.8.8 doesn't match any of the networks, so it goes to the more generic mask and it will send the packet to this IP address for routing. In order to do that the computer now looks at the ARP table; the ARP table was empty at the moment, so the computer finally sends the first packet: it asks who has this IP address, that's the gateway's address, it's here, and it says I want the answer here. The router, which is made by Juniper by the way, how this works of course is by employing a database: remember, the first three bytes are assigned to an organization and they're trackable that way. It replies: I'm here, this is my MAC address, you can contact me there. The ARP table gets populated with this information, and now for some period of time, the length depends on the operating system, my computer will know that this is the MAC address for that IP address. Now we can finally send the request to 8.8.8.8: it asks what is the IP address for 02.lv and what is the IPv6 address for 02.lv, and it's got the response. Now what we see here is that we get a reply: who knows about 02.lv; and some steps are skipped here, meaning that 8.8.8.8 belongs to Google, that's their public resolver; Google does many of the steps for us and we already get the real name server that will know the answer. This one by the way... the DNS system doesn't support the @ symbol, but there are emails in each DNS zone, so if you want to send spam... I hate it here. So, but seriously though, if we take a look at any DNS zone, you can request any type of record and if it's set up correctly... sorry, we should request the SOA record, start of authority. We can request any type of record if it's set up correctly; the second entry here will be the email address, the first dot gets replaced by @ of course, Wireshark does that automatically; here on the right we can see the response, right.

Then we ask for the IP address again, and this time we get the answer here: we get an A record. Now the computer finally knows the IP address of the web server; it can start connecting. Please note that for DNS the usual layer 3 protocol is, sorry, the usual layer 4 protocol for DNS is UDP. As you can see it's a very simple protocol, just to discuss in theory: we can see the source port, destination port, length and the checksum here, there's nothing else, and then there is data, which Wireshark already divides for us as any layer. Here HTTP is usually based on TCP, that's why we see our three-way handshake: we have SYN, SYN-ACK and ACK over here, and as soon as it's established successfully, and we can see the sequence numbers of course here, we can finally send the data. We have our layer 2, layer 3, layer 4 and layers 5 to 7 here in Hypertext Transfer Protocol, there's the user agent. Each TCP packet gets acknowledged, so this data gets divided into smaller segments because it's a large amount of data, then gets sent and each segment gets acknowledged. Okay, here it says that we have acknowledged, like sent; the server receives it and finally sends the answers. This is reassembled: on the wire you actually see all the separate TCP packets here; Wireshark does that for you, to assemble it back into a response. In the end the server says please close the connection, FIN, and we have a handshake for closing: it's acknowledged and it's finally closed. This was some retransmission; it looks more like an attack to me, so it's a hacker network, right, people are attacking stuff. Okay, so this is it, that's that. It's a bit dark to do
some of the hands-on demos. Let me show you the last slide; I worked for two hours on the effect, so look closely, you might miss it. Okay, thank you, thank you so much. I'm ready to take any random questions about networking or me or whatever. Tomorrow evening I'm having a talk on rooting the MikroTik routers; this is one of the routers, yeah, hard to see, okay. Yeah, well, that's a pity. Anyway, I'm going to talk about jailbreaking these boxes, because you don't get root on them by default. It's going to be in a large tent. So yeah, if you have any questions on networking I'm here; if you want to take a look at some of the simplistic hardware we have here you can come and take a look; it's nothing fancy. I didn't take a Wi-Fi Pineapple with me, for example, which is a cool easy-to-use device for screwing with people's Wi-Fi. So yes, any questions here?

Yes, you will be able to download these slides over here, depending on how much work I have tomorrow, probably on Wednesday; on Wednesday go there, there will be slides.

Yes, the question is: is it possible for network traffic to not show up in Wireshark. This regards capturing, so depending on how you capture: if you set promiscuous mode, if you successfully set it and the driver supports it, all the traffic, all the signals that physically reach your network adapter and are eligible, are understandable in a layer 1 sense, will show up in Wireshark. So there are many ways of course it might not show up. It might not show up, for example, for Wi-Fi. After that... do we have an open network? Is there an open SHA network? There is; I'm going to show you. There is, yeah, "insecure", the open one. Okay, since we have some time I'm going to show you the demo after the questions, with the Wi-Fi, right, a small demo, not the whole thing, just to show you how it works. But for the Wi-Fi, for example, for normal network cards you have to choose the channel, basically the center frequency, meaning that you will probably not see the other frequencies at the same time. So there are different tips for that. Yes, it is possible, tuned for that, they don't show up.

Oh, I would doubt that there is any traffic; it's a link-local address and it would not usually show up, I mean there's usually nothing happening there. But one more thing is you have all these interfaces, and similarly, as in IP we have the loopback address 127.0.0.1 on Linux and UNIX machines, loopback data would show there; so if you would ping 127.0.0.1 you would not see it on your Ethernet or WLAN, you would see it on the loopback only. Where was the next question? I haven't tried it. Thank you. The answer is yes again, and the question was can you capture Bluetooth traffic with Wireshark. A couple of years ago there was an issue; there is Ubertooth of course, but there was not any sensible way to connect it; if you can now, that's great. Can you use Ubertooth for that? Okay, yes, so you can use Ubertooth apparently to capture Bluetooth traffic. I should try that, that's a fun experiment; I don't have it with me, I have it at home.

Okay, so if you run Wireshark with sudo, as a super user, what kind of problems are you opening yourself up to? I'd say the risk is, briefly: Wireshark has these things called dissectors; instead of really decapsulating and encapsulating the traffic it uses simulation, it mathematically tries to understand what's inside the traffic and show it to you graphically, and because of that, combined with the fact that it captures everything on the wire, it's quite a high risk that if there is a bug an attacker can exploit it easily, because basically you take everything from the internet that goes to your device, and a bug in one of the dissectors running as root may cause remote code execution, for example. Okay, any more questions so far? Yes, this is my first SHA, or that kind of event, right, I usually attend CCCs. I can tell you what happens at CCC: the network team comes and confiscates your Wi-Fi device. Sorry, the question is what would happen if you would set your MAC address to the Juniper's MAC address, the router for the local Wi-Fi. And I hope they have the cart here; they have that at CCC, they can triangulate you quite well, where you are; they have the cart here.

Okay, yes, it's a Bitcoin... okay, so the question was: Bitcoin messages appear in two separate packets, always scattered separately and sent out separately, and what would be the reason for that. I don't know, I haven't looked at the Bitcoin protocol. Yep, can anyone comment on that? Nope. Okay, and I don't have a Bitcoin client installed so I can't... if I did we could take a look and understand. Well, the generic reason would be it's too large, the header is so large that it can't fit, but I guess it's not the case. It's not the case, so yeah, you can research that, and there are lightning talks; you can do a small research and present it day four, day five.

Okay, well, let's see, we have 15 minutes, right, 24? Let's say 15 minutes, it's been long enough, right. So those of you that want to see me screwing around with Wi-Fi can stay; yeah, I'm not promising anything specific, I don't know what's going to happen, let's try. Okay, so here's my new Wi-Fi adapter. Okay, I want to know the frequency for the Wi-Fi here; to do that let me use kismet, I guess; it's an old tool, I hope it doesn't have any bugs, if it does I'm screwed. Oh, I don't remember all the options, never mind, let's not use kismet. Let's do, okay, let's just start, I'm just going to start monitor mode on any frequency that we have, or I could take a look at 5.3... damn. Okay, let's go up there, 2.4 gigahertz frequencies here. So airmon-ng: I'm going to start wlan1 in monitor mode. So what I have now, I have monitor mode enabled on mon0. It
also enables promiscuous mode? Definitely no, that is not the same thing. So I have this interface here, and I start. Oh, and we have lots of data. So, Raspberry Pi, huh. Okay, we would want to filter some stuff out, right? Let's filter out probe responses, so type/subtype probe response, apply as filter, not selected. Got some beacon frames. This beacon frame is saying we have, oh, we have this one, sha2017-insecure. Okay, so we're on the right channel, I guess, getting some cool data.

Well, if it's not encrypted, we should be able just to select TCP. TCP, as you know, is a layer 3, sorry, layer 4 protocol. Let's select IP, it's a layer 3 protocol, which is above layer 2, which means if I get layer 3 here my setup is able to access the data, so it's not encrypted then. Okay, so we have some data here, some devices accessing badge.sha2017.org. Okay, let's go deeper, let's look for some fun protocol, let's look for HTTP. Nothing, no one's using the network? Why not? Ah, smart guys. Well, let's go back to IP.

Okay, okay, this is something. So apparently I wasn't early enough with starting to capture packets, but there is a disconnect using SSH from a client, so someone is using PuTTY, which is the Windows, mainly Windows-associated client, to access some server here. Let's take a look at the server. So this disconnect was sent by... I'm not sure who sent this kind of message. Is it sent... what is that, the server sends the disconnect? Okay, let's try. Oh, we can look and tell by the port, right? For SSH we have TCP on top; TCP shows us the port, 22 is the well-known port for this. So the destination in this case was the server, the client sent the disconnect. Okay, so this is the server. Let's see if it has a reverse hostname set up. Technically we can also copy it; it's not useful for small things like IP addresses, but for larger ones you use copy and then you select the right one of these things, printable text, I think, will work this time. Nope, value was the right answer. Yep. Okay, there's nothing there. Okay,
there's an OpenSSH server over there. If it's in the same subnet as we are, we should be seeing it in the ARP table. There it is, and we should be able to see the vendor; we can also see it here of course on layer 2. Joel, whatever that is. Okay, this wasn't fun, sorry for that. What else do we have here? Oh, someone is trying to use TLS, which may be HTTPS here. Yep, it's HTTPS, as we get a reply from the server. Finally, it's one of you, thank you. So here we have something similar, HTTP and some DNS. Again, not much stuff going on here. There's NTP, so not that fun, I'm sorry. This is a hacker conference, so people know what they're doing, or maybe it's too late.

Oh no, no, I mean, the point is: you see that it isn't encrypted; what we would see, you would see the same kind of data as capturing our own traffic, basically, right? If that is encrypted, there is a slide on how to attack WPA2 in one of my presentations on closeted org; it goes through 50 of them and you will find it, and then you can try it out. Okay, I think one last question? No? Yes. Thank you very much for your time, and see some of you tomorrow, I guess. [Applause] [Music]
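Added illustration (not code from the talk or from the Wireshark project) of two things the speaker does above: dropping probe responses to read SSIDs from beacon frames, and why a dissector that trusts lengths in captured frames is dangerous when it runs as root. The 802.11 field layout and constants are assumed from the spec, and the frames are constructed sample data, with the talk's SSID reused only as a test value.

```python
import struct

# 802.11 constants, assumed from the spec (the talk only names the probe-response
# and beacon subtypes as they appear in Wireshark's wlan.fc.type_subtype filter).
TYPE_MGMT = 0
SUBTYPE_PROBE_RESP = 0x05
SUBTYPE_BEACON = 0x08
MGMT_HDR_LEN = 24        # frame control(2) duration(2) addr1-3(18) seq ctl(2)
BEACON_FIXED_LEN = 12    # timestamp(8) beacon interval(2) capability(2)
TAG_SSID = 0             # tagged parameter id for the SSID

def fc_type_subtype(frame: bytes):
    """Split the first frame-control byte into (type, subtype)."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF

def parse_ssid(frame: bytes):
    """Return the SSID of a beacon or probe response, None if absent.
    Each tag length is checked against the bytes that really remain; trusting
    the length byte is exactly the kind of dissector bug the talk warns about."""
    ftype, subtype = fc_type_subtype(frame)
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return None
    pos = MGMT_HDR_LEN + BEACON_FIXED_LEN
    if len(frame) < pos:
        raise ValueError("truncated management frame")
    while pos + 2 <= len(frame):
        tag_id, tag_len = frame[pos], frame[pos + 1]
        if pos + 2 + tag_len > len(frame):
            raise ValueError(f"tag {tag_id} claims {tag_len} bytes past frame end")
        if tag_id == TAG_SSID:
            return frame[pos + 2:pos + 2 + tag_len].decode("utf-8", "replace")
        pos += 2 + tag_len
    return None

def build_mgmt(subtype: int, ssid: bytes, bssid: bytes, bad_len=None) -> bytes:
    """Constructed sample frame (not captured data): header, fixed fields, SSID tag."""
    fc = bytes([subtype << 4, 0])                       # type 0 = management
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401)
    length = len(ssid) if bad_len is None else bad_len  # bad_len forges the tag length
    return hdr + fixed + bytes([TAG_SSID, length]) + ssid

def beacon_ssids(frames):
    """The talk's workflow: drop probe responses, then read SSIDs from beacons."""
    out = []
    for f in frames:
        if fc_type_subtype(f) == (TYPE_MGMT, SUBTYPE_PROBE_RESP):
            continue
        if fc_type_subtype(f) == (TYPE_MGMT, SUBTYPE_BEACON):
            out.append(parse_ssid(f))
    return out
```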
Info
Channel: MCH2022
Views: 41,412
Keywords: SHA, SHA2017, hacking, Hacker camp, Netherlands, Scoutinglandgoed, Zeewolde, Kirils Solovjovs
Id: HtNvcaqJHPw
Length: 156min 51sec (9411 seconds)
Published: Sat Aug 12 2017