DO NOT REPLICATE. Analyze IP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.




Advanced TCP/IP Overview

There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.

Objectives

To better understand advanced TCP/IP concepts, you will:

2A  Define the core concepts of TCP/IP. Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.

2B  Analyze sessions of TCP. Given a Windows Server 2003 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.

2C  Analyze IP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of IP.

2D  Analyze ICMP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of ICMP.

2E  Analyze TCP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of TCP.

2F  Analyze UDP. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze all the fields of UDP.

LESSON 2
Data Files: tftp.cap, fragment.cap, ping.txt, ping.cap, ftp.txt, ftp.cap
Lesson Time: 6 hours

Lesson 2: Advanced TCP/IP 31

2G  Analyze fragmentation. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze network traffic fragmentation.

2H  Complete a full session analysis. Given a Windows Server 2003 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.

32 Tactical Perimeter Defense

Topic 2A  TCP/IP Concepts

In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use, is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.

The TCP/IP Model

In order for data to move from one host to another, it must be transmitted and received. There are several ways this could happen, in theory:

  - The data file could be sent as a whole file, intact, from one host to another.
  - The data file could be split in half and sent, sending and receiving two equal-sized pieces.
  - The data file could be split into many smaller pieces, all sent and received in a specific sequence.

It is this last method that is actually used. For example, if a user is at a host and wants to view a web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 2-1, you can see the four layers of the TCP/IP Model, along with the browser's request for a web page going to the web server.

Figure 2-1: A web request moving along the TCP/IP Model.

The four layers of the TCP/IP Model are:

  - The Application Layer
  - The Transport Layer
  - The Internet Layer (also called the Network Layer)
  - The Network Access Layer (also called the Link Layer)

Many of the concepts in this topic were covered in the prerequisite courses, but are provided here for review.

host: A single computer or workstation; it can be connected to a network.

server: A system that provides network services such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.

network: Two or more machines interconnected for communications.

OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.

The reason that there are alternate names for these layers is that the industry has never agreed on a single standard for the names. Each of these layers is detailed as follows:

  - The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the web page request from a browser.
  - The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.
  - The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol).
  - The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.

As you saw in Figure 2-1, as the web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.

The OSI Model

The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model. The Open Systems Interconnection (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are:

  - The Application Layer
  - The Presentation Layer
  - The Session Layer
  - The Transport Layer
  - The Network Layer
  - The Data Link Layer
  - The Physical Layer

The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:

  - The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.
  - The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.
  - The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.
  - The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.
  - The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.
  - The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device, and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.
  - The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.

The OSI Model and the TCP/IP Model do fit together. In Figure 2-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers encompass two or more layers of the OSI Model.

Figure 2-2: A comparison of the OSI and TCP/IP Models.

As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulation. Figure 2-3 shows a visual representation of the header and the encapsulation process.

packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.

Figure 2-3: Headers and the encapsulation process as data moves down the stack.

When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.

RFCs

With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC. Although you will find RFCs listed all over the Internet, to view them all online go to www.rfc-editor.org. This is the website with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by name to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:

  - The Internet Protocol (IP): RFC 791.
  - The Internet Control Message Protocol (ICMP): RFC 792.
  - The Transmission Control Protocol (TCP): RFC 793.
  - The User Datagram Protocol (UDP): RFC 768.

The Function of IP

The Internet Protocol (which works at the Network Layer of both the OSI and the TCP/IP models), by definition, has a simple function. IP identifies the current host via an address and, using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined. The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.

Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper-layer protocol to manage. Often that protocol will be TCP, as you will see in the following topic.

Binary, Decimal, and Hexadecimal Conversions

Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit has the ability to be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary place values from 2^0 through 2^7. In Figure 2-4, you can see the value of each of the 8 bits in a byte. When the bits are presented as a byte, the value of each of the 8 locations is added to present you with the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255, or 128+64+32+16+8+4+2+1. Here are a few other quick binary to decimal conversions:

  Binary 11000000 is decimal 192, or 128+64+0+0+0+0+0+0
  Binary 10000000 is decimal 128, or 128+0+0+0+0+0+0+0
  Binary 10000010 is decimal 130, or 128+0+0+0+0+0+2+0
  Binary 01011010 is decimal 90, or 0+64+0+16+8+0+2+0

The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1. Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address of 192.168.10.1 is seen by the computer as the binary IP address:

  11000000.10101000.00001010.00000001

In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address 192.168.10.1 is C0-A8-0A-01. The following is a quick summary of Hex conversions.

To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows:

  1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.
  2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.
  3. Decimal 10 is the same as Hex A.
  4. Decimal 1 is the same as Hex 1.
  5. Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:

  1. Decimal 192 is the same as binary 11000000.
  2. Decimal 168 is the same as binary 10101000.
  3. Decimal 10 is the same as binary 00001010.
  4. Decimal 1 is the same as binary 00000001.
  5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.
  6. Binary 0000 is the same as Hex 0.
  7. Binary 1010 is the same as Hex A.
  8. Binary 1000 is the same as Hex 8.
  9. Binary 0000 is the same as Hex 0.
  10. Binary 1010 is the same as Hex A.
  11. Binary 0000 is the same as Hex 0.
  12. Binary 0001 is the same as Hex 1.
  13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

IP Address Classes

There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:

  - Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 - 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.
  - Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 - 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.
  - Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 - 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address.
  - Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.
  - Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first-octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.

Figure 2-4: IP address classes and their first-octet values.

Private IP Addresses and Special-function IP Addresses

There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are:

  Class A: 10.0.0.0 to 10.255.255.255
  Class B: 172.16.0.0 to 172.31.255.255
  Class C: 192.168.0.0 to 192.168.255.255

In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range of 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).
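As an added worked example (not part of the course text), the following Python performs the conversions and checks this section walks through by hand: dotted decimal to 8-bit binary and to the Network Monitor-style hex notation, class detection from the leading bits of the first octet, and a lookup against the RFC 1918 private ranges plus the loopback and APIPA ranges. The function names and the range table are this example's own; the arithmetic is done octet by octet so each step mirrors the manual method.

```python
# Added example, not from the course text: the conversions and checks the
# lesson walks through by hand, done with plain integer arithmetic so each
# step mirrors the octet-by-octet method (no ipaddress module).

# Ranges from the "Private IP Addresses and Special-function IP Addresses"
# section (RFC 1918 private blocks, loopback, APIPA). The table layout is
# this example's own.
PRIVATE_AND_SPECIAL = (
    ("RFC 1918 Class A private", "10.0.0.0", "10.255.255.255"),
    ("RFC 1918 Class B private", "172.16.0.0", "172.31.255.255"),
    ("RFC 1918 Class C private", "192.168.0.0", "192.168.255.255"),
    ("loopback / diagnostic", "127.0.0.0", "127.255.255.255"),
    ("APIPA", "169.254.0.0", "169.254.255.255"),
)

def dotted_to_int(addr):
    """Parse 'a.b.c.d' into a 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % addr)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % part)
        value = (value << 8) | octet
    return value

def int_to_dotted(value):
    """Inverse of dotted_to_int: 0xC0A80A01 -> '192.168.10.1'."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(addr):
    """192.168.10.1 -> '11000000.10101000.00001010.00000001' (8 bits per octet)."""
    value = dotted_to_int(addr)
    return ".".join(format((value >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def to_hex(addr):
    """192.168.10.1 -> 'C0-A8-0A-01', the way a capture tool shows the field."""
    value = dotted_to_int(addr)
    return "-".join(format((value >> s) & 0xFF, "02X") for s in (24, 16, 8, 0))

def hex_to_dotted(text):
    """Accept 'C0-A8-0A-01' or 'C0A80A01' and return dotted decimal."""
    value = int(text.replace("-", ""), 16)
    if value > 0xFFFFFFFF:
        raise ValueError("more than 32 bits: %r" % text)
    return int_to_dotted(value)

def address_class(addr):
    """Class from the leading bits of the first octet (Figure 2-4)."""
    first = dotted_to_int(addr) >> 24
    if first & 0x80 == 0x00:     # 0xxxxxxx
        return "A"
    if first & 0xC0 == 0x80:     # 10xxxxxx
        return "B"
    if first & 0xE0 == 0xC0:     # 110xxxxx
        return "C"
    if first & 0xF0 == 0xE0:     # 1110xxxx
        return "D"
    return "E"                   # 1111xxxx (experimental / future use)

def special_range(addr):
    """Name of the private or special-function range holding addr, else None."""
    value = dotted_to_int(addr)
    for name, low, high in PRIVATE_AND_SPECIAL:
        if dotted_to_int(low) <= value <= dotted_to_int(high):
            return name
    return None

def describe(addr):
    """One-line summary of the kind an analyst wants next to a captured address."""
    rng = special_range(addr)
    return "%s = %s = %s, Class %s%s" % (
        addr, to_binary(addr), to_hex(addr), address_class(addr),
        ", " + rng if rng else "")

if __name__ == "__main__":
    for a in ("192.168.10.1", "10.10.10.10", "172.16.31.200", "224.0.0.9",
              "241.1.2.3", "169.254.7.7"):
        print(describe(a))
```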

The Subnet Mask

Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1. By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format.

Default Subnet Masks

  Class   Binary Format                          Dotted Decimal Format
  A       11111111.00000000.00000000.00000000    255.0.0.0
  B       11111111.11111111.00000000.00000000    255.255.0.0
  C       11111111.11111111.11111111.00000000    255.255.255.0

The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C, there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.

Subnetting Example

In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks.

Let's say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask, and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here's what you should do:

1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.

2. Take 4 bits from the host side of the subnet mask and assign them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0. As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of 10.0.0.0 and subnet mask of 255.0.0.0, which in binary looks like this:

     00001010.00000000.00000000.00000000 (IP address for network)
     11111111.00000000.00000000.00000000 (subnet mask)

   Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a range of usable addresses from 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255. The new, divided network looks like this:

     00001010.0000 0000.00000000.00000000 (IP address for network)
     11111111.1111 0000.00000000.00000000 (subnet mask)

   Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.

3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).

  Subnetwork    Binary Address                          Decimal Address
  First         00001010.0000 0000.00000000.00000000    10.0.0.0
  Second        00001010.0001 0000.00000000.00000000    10.16.0.0
  Third         00001010.0010 0000.00000000.00000000    10.32.0.0
  Fourth        00001010.0011 0000.00000000.00000000    10.48.0.0
  Fifth         00001010.0100 0000.00000000.00000000    10.64.0.0
  Sixth         00001010.0101 0000.00000000.00000000    10.80.0.0
  Seventh       00001010.0110 0000.00000000.00000000    10.96.0.0
  Eighth        00001010.0111 0000.00000000.00000000    10.112.0.0
  Ninth         00001010.1000 0000.00000000.00000000    10.128.0.0
  Tenth         00001010.1001 0000.00000000.00000000    10.144.0.0
  Eleventh      00001010.1010 0000.00000000.00000000    10.160.0.0
  Twelfth       00001010.1011 0000.00000000.00000000    10.176.0.0
  Thirteenth    00001010.1100 0000.00000000.00000000    10.192.0.0
  Fourteenth    00001010.1101 0000.00000000.00000000    10.208.0.0
  Fifteenth     00001010.1110 0000.00000000.00000000    10.224.0.0
  Sixteenth     00001010.1111 0000.00000000.00000000    10.240.0.0

For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240.0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255.254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255.

Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!

router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer. Note that any combination of addressing can be represented in different text. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions. TASK 2A-1 Layering and Address Conversions 1. Describe how layering is beneficial to the function of networking. By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch. 2. If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF- 00-00, to which IP network does your computer belong? Provide both decimal and Hex notations. In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00. 3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations. In decimal, the network address is 192.168.0.0; in Hex the network address is C0-A8-00-00. Routing You will get into routing in more detail later, but at this stage, you will address the basics. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network? This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host s network. Of course, the device that makes this possible is the router. 
The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth); then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1; the router doesn't really care at this point, it just forwards the packet on according to the information in its routing table. This process repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host's default gateway, it is sent out on the network as a unicast directed to the destination host User1.

42 Tactical Perimeter Defense

VLSM and CIDR

The standard methods of subnet masking discussed earlier are effective; however, there are instances where further subdividing is required, or more control of the addressing of the network is desired. In these cases, you can use either of the following two options: Variable Length Subnet Masking (VLSM) or Classless Interdomain Routing (CIDR).

Think back to the previous example of subnet masking. In particular, let's take a closer look at the fourth network. It was intended to be used by the IT staff; however, they want to break the rather large network block given to them into smaller, more manageable blocks. Specifically, they need five smaller subnetworks to be created from their network block of 10.48.0.0 with a subnet mask of 255.240.0.0. This time, let's represent the IP addresses and subnet masks using the slash method: 10.48.0.0/12. Notice the IP address stays the same, but we replace the subnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, of course, corresponds to 255.240.0.0).

Now, back to the IT staff's networking issue. You have an already subnetted network (10.48.0.0/12) that you would like to split into five smaller networks. To begin, you need to ask the same starting question: How many bits does it take to make 5? In binary, 5 is 101, so you will need three bits. Then, add three bits to the present subnet mask (don't worry that it has already been subnetted before; that doesn't matter). So, now you have 10.48.0.0/15 as your first network address and new subnet mask.
The new variable range is 00001010.0011xxx y.yyyyyyyy.yyyyyyyy, where the binary numbers will not change, x represents the variable bits that will make up the networks, and y designates the host bits (the space in the second octet marks the new network/host dividing line after bit 15). So, what are the new network addresses?

Subnetwork   Binary Address                         Decimal Address
First        00001010.0011000 0.00000000.00000000   10.48.0.0
Second       00001010.0011001 0.00000000.00000000   10.50.0.0
Third        00001010.0011010 0.00000000.00000000   10.52.0.0
Fourth       00001010.0011011 0.00000000.00000000   10.54.0.0
Fifth        00001010.0011100 0.00000000.00000000   10.56.0.0
Sixth        00001010.0011101 0.00000000.00000000   10.58.0.0
Seventh      00001010.0011110 0.00000000.00000000   10.60.0.0
Eighth       00001010.0011111 0.00000000.00000000   10.62.0.0
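The subnet arithmetic of the VLSM walk-through above, together with the hex and slash-notation conversions from Task 2A-1, as an added Python example that is not part of the course text; the helper names and the use of the standard library ipaddress module as a cross-check are my own choices.

```python
# Added example (not from the course text): the subnetting arithmetic from the
# VLSM walk-through, done on 32-bit integers so the "move the dividing line"
# step is visible.  The standard library is used only to cross-check the result.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def addr_to_int(addr: str) -> int:
    """Accept dotted decimal (10.48.0.0) or course-style hex (C0-A8-0A-01)."""
    if "-" in addr:
        return int(addr.replace("-", ""), 16)
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def int_to_hex(value: int) -> str:
    """Hex notation as used in Task 2A-1, e.g. C0-A8-00-00."""
    return "-".join(f"{(value >> s) & 0xFF:02X}" for s in (24, 16, 8, 0))


def mask_to_int(mask: str) -> int:
    """Accept 255.240.0.0, FF-F0-00-00 or /12 and return the 32-bit mask."""
    if mask.startswith("/"):
        return (ALL_ONES << (32 - int(mask[1:]))) & ALL_ONES
    return addr_to_int(mask)


def prefix_length(mask_int: int) -> int:
    """Number of 1s in the mask: 255.240.0.0 -> 12."""
    return bin(mask_int).count("1")


def bits_for(count: int) -> int:
    """The course's question 'how many bits does it take to make N?':
    5 (101) -> 3, 12 (1100) -> 4, 20 (10100) -> 5."""
    return count.bit_length()


def network_info(addr: str, mask: str) -> dict:
    """Network ID, usable range and broadcast for an address/mask pair."""
    m = mask_to_int(mask)
    net = addr_to_int(addr) & m
    bcast = net | (~m & ALL_ONES)
    return {
        "network": int_to_dotted(net),
        "network_hex": int_to_hex(net),
        "first_usable": int_to_dotted(net + 1),
        "last_usable": int_to_dotted(bcast - 1),
        "broadcast": int_to_dotted(bcast),
        "prefix": prefix_length(m),
    }


def subnet(addr: str, mask: str, wanted: int) -> list:
    """Split addr/mask into 2**bits_for(wanted) subnets by borrowing host bits."""
    new_prefix = prefix_length(mask_to_int(mask)) + bits_for(wanted)
    if new_prefix > 30:
        raise ValueError("not enough host bits left for usable subnets")
    base = addr_to_int(addr) & mask_to_int(mask)
    block = 1 << (32 - new_prefix)          # addresses per new subnet
    return [network_info(int_to_dotted(base + i * block), f"/{new_prefix}")
            for i in range(1 << bits_for(wanted))]


def cross_check(addr: str, mask: str, wanted: int) -> bool:
    """Compare our network IDs with ipaddress.ip_network().subnets()."""
    parent = ipaddress.ip_network(f"{addr}/{prefix_length(mask_to_int(mask))}")
    expected = [str(n.network_address)
                for n in parent.subnets(prefixlen_diff=bits_for(wanted))]
    return [n["network"] for n in subnet(addr, mask, wanted)] == expected


if __name__ == "__main__":
    print(network_info("192.168.10.1", "FF-FF-00-00"))    # Task 2A-1, question 2
    for n in subnet("10.48.0.0", "255.240.0.0", 5):        # the IT staff's five subnets
        print(f'{n["network"]:<10} {n["first_usable"]:<10} '
              f'{n["last_usable"]:<14} {n["broadcast"]}')
```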

For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48.0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the broadcast address is 10.51.255.255; and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.

X-casting

When a packet is sent from one host to another, the routing process functions and the packet is sent as defined. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting.

Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B.

A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24, the broadcast address is 192.168.10.255.

A multicast is a communication that is sent out to a group of receivers on the network.
Multicasting is often implemented as a means for directing traffic from the presenter of a video conference to the audience. In comparison to a broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.

TASK 2A-2 Routers and Subnetting

1. You are using a host that has an IP address of 192.168.10.23 and a subnet mask of 255.255.255.0. You are trying to reach a host with the IP address 192.168.11.23. Will you need to go through a router? Explain your response.

Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.

2. Boot your computer to Windows Server 2003, and log on as Administrator, with a blank (null) password.

3. Choose Start > Settings > Network Connections. Right-click the network interface and choose Properties.

4. Select Internet Protocol (TCP/IP) and click Properties.

5. Click the Advanced button, and verify that the IP Settings tab is displayed. Under Default Gateways, record the IP address here. For the LEFT side of the classroom, the Default Gateway is 172.16.0.1; for the RIGHT side, it is 172.18.0.1.

6. Select the Default Gateway IP address you just recorded, and click Remove. Click OK twice and click Close twice.

7. Open a command prompt and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the 172.18.10.0 network, and if you are on the RIGHT side of the classroom, you could ping an address in the 172.16.10.0 network.

8. Observe the message you receive. The text "Destination Host unreachable" is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network, but it does not know how to get it there.

9. Switch to the Network Connections Control Panel and display the properties of the network interface.

10. Select Internet Protocol (TCP/IP), click Properties, and then click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area.

11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task and click Add. Click OK twice and click Close twice.

12. Switch back to the command prompt and try to ping the remote address again.

13. Observe the message you receive. This time, as long as the other computer's default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.

14. Close all open windows.

Be prepared to diagram or otherwise explain the classroom setup. The recommended classroom layout is shown in the figure in the setup. Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

Topic 2B Analyzing the Three-way Handshake

Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.

Comparing TCP and UDP

TCP                     UDP
Connection-oriented     Connectionless
Slower communications   Faster communications
Considered reliable     Considered unreliable
Transport Layer         Transport Layer

TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission.

UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt.

TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.

TCP Flags

The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows:

The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.

The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. This is sent during the second part of establishing a connection, in response to the sending host's SYN request.

The FIN, or F, flag represents the sender's intention of terminating the communication in what is known as a graceful manner.

The RESET, or R, flag represents the sender's intention to reset the communication.

The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, rather than filling a buffer.

The URGENT, or urg, flag represents that this data should take precedence over other data transmissions.

Sequence and Acknowledgement Numbers

In addition to the TCP flags, another critical issue of TCP is that of numbers: sequence and acknowledgement numbers, to be specific. Because TCP has been defined as a reliable protocol that has the ability to provide for connection-oriented communication, there must be a mechanism to provide these features. Sequence and acknowledgement numbers are what provide this.

Sequence Numbers

The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers allow the two hosts a common ground for communication, and allow the hosts to identify packets sent and received. If a large web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full web page for viewing.
When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for the choosing of an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.

Acknowledgement Numbers

The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers allow the two hosts to be given a receipt of data delivery. An acknowledgement number is in the packet header in response to a sequence number in the sending packet. In the event that the sending host does not receive an acknowledgement for a transmitted packet in the defined timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.

Connections

All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open.

Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate.

Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.

Connection Establishment

In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 2-5 when reading this section):

1. Host A sends a segment to Host C with the following:
   SYN = 1 (The session is being synchronized.)
   ACK = 0 (There is no value in the ACK field, so this flag is a 0.)
   Sequence Number = x, where x is a variable. (x is Host A's ISN.)
   Acknowledgement Number = 0

2. Host C receives Host A's segment and responds to Host A with the following:
   SYN = 1 (The session is still being synchronized.)
   ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)
   Sequence Number = y, where y is a variable. (y is Host C's ISN.)
   Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)

3. Host A receives Host C's segment and responds to Host C with the following:
   SYN = 0 (The session is synchronized with this segment; further requests are not needed.)
   ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)
   Sequence Number = x + 1 (This is the next sequence number in the series.)
   Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)

At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow.

Figure 2-5: The three-way handshake.

Connection Termination

In addition to the specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other is non-graceful. A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination.

As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number.

Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host that is performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 2-6 when reading this section):

1. Host A initiates the session termination to Host C with the following:
   FIN = 1 (The session is being terminated.)
   ACK = 1 (There is an ack number, based on current communication.)
   Sequence Number (FIN number) = s (s is a variable based on the current communication.)
   Acknowledgement Number = p (p is a variable based on the current communication.)

2. Host C receives Host A's segment and replies with the following:
   FIN = 0 (This segment is not requesting closure of the session.)
   ACK = 1 (This segment does contain an ack number.)
   Sequence Number = Not Present (As there is no FIN, there is no sequence number required.)
   Acknowledgement Number = s + 1 (This is the response to Host A's FIN.)

3. Host C initiates the session termination in the opposite direction with the following:
   FIN = 1 (The session is being terminated.)
   ACK = 1 (There is an ack number.)
   Sequence Number = p (p is a variable based on the current communication.)
   Acknowledgement Number = s + 1 (This is the same as in the previous segment.)

4. Host A receives the segments from Host C and replies with the following:
   FIN = 0 (This segment does not request a termination; there is no SYN.)
   ACK = 1 (This segment does contain an ack number.)
   Sequence Number = Not Present
   Acknowledgement Number = p + 1 (This is Host C's sequence number, plus 1.)

At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.

Figure 2-6: Connection termination.

Ports

You have been introduced to the fact that IP deals with addressing and the sending/receiving of data between two hosts, and you have been introduced to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.
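The flag, sequence-number and acknowledgement-number relationships of the three-way handshake (Figure 2-5) and of the four-segment graceful termination (Figure 2-6) described above, as an added Python example that is not part of the course text; the segment representation, the function names and the sample ISN values are my own constructions.

```python
# Added example (not from the course text): a checker for the flag, sequence
# and acknowledgement relationships of the three-way handshake (Figure 2-5)
# and the four-segment graceful close (Figure 2-6).  Segments are plain dicts
# and the sample values below are constructed, not captured traffic.

# Bit positions of the six flags in the TCP header flags byte.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def decode_flags(byte: int) -> set:
    """0x12 -> {'SYN', 'ACK'}, 0x11 -> {'FIN', 'ACK'}."""
    return {name for name, bit in FLAG_BITS.items() if byte & bit}


def nxt(n: int) -> int:
    """n + 1 in 32-bit sequence space, so an ISN of 0xFFFFFFFF wraps to 0."""
    return (n + 1) & 0xFFFFFFFF


def segment(src, dst, flags, seq=None, ack=None):
    return {"src": src, "dst": dst, "flags": set(flags), "seq": seq, "ack": ack}


def control(seg):
    """Flags that matter for connection state; PSH/URG ride along with data."""
    return seg["flags"] - {"PSH", "URG"}


def _direction(seg, src, dst):
    return (seg["src"], seg["dst"]) == (src, dst)


def check_handshake(segs):
    """Return (True, (x, y)) for a valid handshake, else (False, reason)."""
    if len(segs) != 3:
        return False, "handshake needs exactly three segments"
    s1, s2, s3 = segs
    a, c = s1["src"], s1["dst"]
    if control(s1) != {"SYN"} or s1["ack"] not in (None, 0):
        return False, "segment 1 must be SYN only, with no ack value"
    x = s1["seq"]
    if not _direction(s2, c, a) or control(s2) != {"SYN", "ACK"}:
        return False, "segment 2 must be SYN+ACK from Host C"
    if s2["ack"] != nxt(x):
        return False, f"segment 2 must acknowledge x+1 = {nxt(x)}"
    y = s2["seq"]
    if not _direction(s3, a, c) or control(s3) != {"ACK"}:
        return False, "segment 3 must be ACK only from Host A"
    if s3["seq"] != nxt(x) or s3["ack"] != nxt(y):
        return False, "segment 3 must carry seq x+1 and ack y+1"
    return True, (x, y)


def check_teardown(segs):
    """Return (True, (s, p)) for a valid graceful close, else (False, reason)."""
    if len(segs) != 4:
        return False, "graceful teardown needs exactly four segments"
    f1, a1, f2, a2 = segs
    a, c = f1["src"], f1["dst"]           # Host A performs the Active Close
    if control(f1) != {"FIN", "ACK"}:
        return False, "segment 1 must be FIN+ACK"
    s = f1["seq"]
    if not (_direction(a1, c, a) and control(a1) == {"ACK"} and a1["ack"] == nxt(s)):
        return False, "segment 2 must be a bare ACK of s+1 from Host C"
    if not (_direction(f2, c, a) and control(f2) == {"FIN", "ACK"} and f2["ack"] == nxt(s)):
        return False, "segment 3 must be Host C's FIN+ACK, still acking s+1"
    p = f2["seq"]
    if not (_direction(a2, a, c) and control(a2) == {"ACK"} and a2["ack"] == nxt(p)):
        return False, "segment 4 must be a bare ACK of p+1 from Host A"
    return True, (s, p)


# Constructed sample exchange.  x sits at the top of the 32-bit space so the
# x+1 in segments 2 and 3 exercises the wrap-around.
X, Y = 0xFFFFFFFF, 1000
HANDSHAKE = [
    segment("A", "C", decode_flags(0x02), seq=X, ack=0),
    segment("C", "A", decode_flags(0x12), seq=Y, ack=nxt(X)),
    segment("A", "C", decode_flags(0x10), seq=nxt(X), ack=nxt(Y)),
]
S, P = 5000, 9000
TEARDOWN = [
    segment("A", "C", decode_flags(0x11), seq=S, ack=P),
    segment("C", "A", decode_flags(0x10), ack=nxt(S)),
    segment("C", "A", decode_flags(0x11), seq=P, ack=nxt(S)),
    segment("A", "C", decode_flags(0x10), ack=nxt(P)),
]

if __name__ == "__main__":
    print(check_handshake(HANDSHAKE))   # (True, (4294967295, 1000))
    print(check_teardown(TEARDOWN))     # (True, (5000, 9000))
```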

Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic.

The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness it does today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers.

Registered ports are those in the range of 1024 to 49151. These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port.

Dynamic ports (also called private ports) are those from 49152 to 65535. Any user of the Internet can use dynamic ports.

When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges. When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client.
Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session. The following table lists some of the well-known ports and their associated services.

Some Well-known Ports and their Services

Port        Service
23          Telnet
80          HTTP (Standard web pages)
443         Secure HTTP (Secure web pages)
20 and 21   FTP (Data and control)
53          DNS
25          SMTP
119         NNTP
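The port categories and the socket pair described above, shown on a real loopback connection, as an added Python example that is not part of the course text; the function names are my own, and the listener binds port 0 so the operating system picks a free listening port wherever the script is run.

```python
# Added example (not from the course text): classify a port into the three
# ranges described above, then open one real connection over the loopback
# interface to show the socket pair: the server side on its listening port and
# the client side on an ephemeral port that the OS picks above 1023.
import socket
import threading


def port_category(port: int) -> str:
    """well-known (0-1023), registered (1024-49151) or dynamic (49152-65535)."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit values, 0 to 65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def socket_pair_demo(server_port: int = 0):
    """Open and close one TCP connection to a local listener and return the
    socket pair ((server_ip, server_port), (client_ip, client_port)).
    server_port=0 lets the OS choose a free listening port so this runs anywhere."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", server_port))
    listener.listen(1)                         # Passive Open: the listening state
    server_addr = listener.getsockname()
    seen = {}

    def serve():
        conn, peer = listener.accept()         # returns once the handshake completes
        seen["peer"] = peer                    # the client's (ip, ephemeral port)
        conn.close()                           # server performs the Active Close

    worker = threading.Thread(target=serve)
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(server_addr)                # Active Open; OS assigns the client port
    client_addr = client.getsockname()
    worker.join()
    client.close()
    listener.close()
    if seen["peer"] != client_addr:
        raise RuntimeError("both ends should report the same client endpoint")
    return server_addr, client_addr


if __name__ == "__main__":
    srv, cli = socket_pair_demo()
    print(f"socket pair: {srv} <-> {cli}  (client port is {port_category(cli[1])})")
```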

Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports (although the port can usually be changed).

Ports Associated with Trojan Horses

Port Number   Name of Trojan Horse
12345         NetBus
1243          Sub Seven
27374         Sub Seven 2.1
31337         Back Orifice
54320 (TCP)   Back Orifice 2000 (BO2K)
54321 (UDP)   Back Orifice 2000 (BO2K)

Network Monitor

There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into the packet's contents, examining both the payload, or data, and the headers, in detail. You can see any set flags, defined sequence and acknowledgement numbers, packet size, and more. The following is a discussion on the use of Network Monitor, provided as background for you to be able to perform the tasks in this lesson. Some of the things you can do with Network Monitor are:

Monitor real-time network traffic.
Analyze network traffic.
Filter specific protocols to capture.

In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.

Figure 2-7: The default view of Network Monitor, showing the various panes.

In Figure 2-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections. The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus.

The File menu contains three commands: Open, Save As, and Exit. Choose Open to open a previously saved Network Monitor capture. Choose Save As to save a Network Monitor capture. Choose Exit to exit.

The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue. The Start, Pause, and Continue commands are self-explanatory. The difference between Stop and Stop And View is that the Stop command ends the capture. The Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.

The other sections of the Capture View are panes (windows in a window) called Graph, Session Stats, Station Stats, and Total Stats. The Graph pane provides five bars that measure percentages of pre-defined metrics. The top graph indicates the percentage (%) of network utilization, meaning how much the network is being used. The second graph indicates the number of frames per second, meaning frames transmitted per second over the network. The third graph indicates the number of bytes per second that are transmitted over the network.