<Transcribed from Holon X-Ray Training Series 3>
pyre addresses the class
“There are a few key concepts you need to learn to defend
yourself as an Agent. The first is ‘Keep
Your Doors Locked’, the second is ‘Recognize When You Have Been Pwned’, and the
third is ‘Identity is Everything’. We’ll
focus on the first concept in this lesson.
I’ll avoid an in-depth discussion of these topics so
we can get you into the field as quickly as possible, but the concepts below
come out of the OSI model. This model lays out the
seven-layer path that all computer-to-computer network communications follow,
from the Application Layer at Layer 7, which holds the applications
you and your computer work with, down to the Physical Layer at Layer 1, which
handles the electricity, wireless signals, and flashing lights at the base of your
communications, and back up again on the computer on the other side. This communication was standardized in layers
so that hardware and software from different vendors could handle one or more
layers and then seamlessly hand off to the next layer.
Core Concepts
IP Address
IP addresses live at Layer 3, the Network Layer, in the OSI
model. Every computer on a network has a
unique IP address, which allows other devices on the network to find it. There are two types of IP addresses in
popular use today, IP version 4 (IPv4) and IP version 6 (IPv6); I will focus on IPv4 today,
but it is important for you to learn IPv6 to properly defend yourself.
IPv4 addresses take the format ###.###.###.###, which is
made up of four numbers separated by periods.
Each number is made up of 8 bits (also known as an octet), which gives 2^8,
or 2x2x2x2x2x2x2x2 = 256, possible values. This means
that each number can be from 0 to 255 (0 is one of the 256 values). An example of a valid IP address is
192.168.132.254. An invalid IP address
is 10.0.311.1, because the 311 is higher than 255.
Subnet Mask
This is a complicated subject that you can begin to dive
into here: https://en.wikipedia.org/wiki/Subnetwork. To put it as simply as possible, IP
addresses on a computer are paired with subnet masks, which identify groups of
hosts on a network. They are in the same
format as IP addresses, with four 8-bit numbers separated by periods. A valid subnet mask is 255.255.255.0. Each 255 on the left means that
the number in the IP address at that position is fixed/static and is shared by ALL the
hosts in that network. As an example, for
an IP address of 192.168.0.1 with a subnet mask of 255.255.255.0, every host on
the current network MUST have the same first three sets of numbers (octets) in
its IP address. A computer
with an IP address of 192.168.10.2 would be on a different network because the
third octet is different from our example.
The 0 in the subnet mask means you can assign any number in that slot
(from 1 to 254; more on why 0 and 255 are left out in a moment) to
any computer in your network, so 192.168.0.150 with a subnet mask of
255.255.255.0 would also be on our network.
Now for the reason why 0 and 255 are not used in the last octet
of an IP address with subnet mask 255.255.255.0, as a simple example. The 0 in the last octet of the IP address
identifies the network, and 255 is the broadcast address. If you want to send a message to a single
computer, you send it to its IP address.
If you want to send a message to ALL computers on the network, you send
it to the broadcast address. For more
complicated subnet masks, the first address in the range identifies the
network, and the last address in the range is the broadcast address.
There is a shorthand known as CIDR notation, which allows
you to write IP addresses and subnet masks in a shorter format. More about CIDR can be found at https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing. As an example, CIDR allows you to write the
IP/subnet mask combination of 192.168.0.1 255.255.255.0 as 192.168.0.1/24.
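The octet and mask arithmetic above, worked through as an added example (my code, not part of the lesson): it validates dotted-quad addresses, turns a mask into its CIDR prefix, and derives the network and broadcast addresses and the "same network" test with plain bit operations, using only the addresses and mask from the examples above.

```python
# Added example: the subnet-mask arithmetic from the lesson, done with plain bit
# operations so you can see which octets a mask fixes and which it leaves free.
def parse_ipv4(text):
    """Turn 'a.b.c.d' into a 32-bit integer; reject any octet outside 0-255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four octets")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{text!r}: octet {part!r} is not in 0-255")
        value = (value << 8) | int(part)  # shift earlier octets up, append this one
    return value

def is_valid_ipv4(text):
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False

def format_ipv4(value):
    """Inverse of parse_ipv4: peel off four 8-bit numbers, high octet first."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_to_prefix(mask_text):
    """255.255.255.0 -> 24 (the CIDR suffix). A mask must be 1-bits then 0-bits."""
    mask = parse_ipv4(mask_text)
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask_text!r}: mask bits are not contiguous")
    return prefix

def network_address(ip_text, mask_text):
    """First address in the range (host bits all 0): identifies the network."""
    return format_ipv4(parse_ipv4(ip_text) & parse_ipv4(mask_text))

def broadcast_address(ip_text, mask_text):
    """Last address in the range (host bits all 1): reaches every host at once."""
    mask = parse_ipv4(mask_text)
    return format_ipv4((parse_ipv4(ip_text) & mask) | (~mask & 0xFFFFFFFF))

def same_network(ip_a, ip_b, mask_text):
    """Two hosts share a network only if their fixed (masked) octets match."""
    mask = parse_ipv4(mask_text)
    return parse_ipv4(ip_a) & mask == parse_ipv4(ip_b) & mask

def to_cidr(ip_text, mask_text):
    """192.168.0.1 with 255.255.255.0 -> '192.168.0.1/24'."""
    return f"{ip_text}/{mask_to_prefix(mask_text)}"

def usable_hosts(mask_text):
    """Addresses you may hand out: every host-bit pattern except network and broadcast."""
    return max(2 ** (32 - mask_to_prefix(mask_text)) - 2, 0)
```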
Default Gateway
This is the IP address for the device on your local network
that lets you get onto other networks, such as the Internet. Your computer can freely communicate with
other devices on the same network and knows how to find them (using ARP, see
below), but your computer does not know how to reach devices on other networks,
such as the web server www.google.com. If you try to reach a computer that is not on
your local network, your computer uses the Default Gateway setting and passes
the request on to that computer (also called a router) to handle. Your request then goes from router to router
until it hits www.google.com. It is standard for default gateways to be at
the .1 address, such as 192.168.0.1, but it is not required.
DHCP
The Dynamic Host Configuration Protocol (DHCP) is used to automatically
assign network parameters (IP address, subnet mask, default gateway, DNS, among
other parameters) when your computer joins a network. This allows you to get onto the network at
your local coffee shop without knowing the parameters needed for communication
on that network.
DNS
The Domain Name System (DNS) maps
user-friendly names to IP addresses.
This is what lets you type www.google.com
into your browser, and your computer knows that it needs to reach out to 172.217.11.36.
To help you understand how DNS works, I’ll start from your
computer and work my way out. When you try
to go to www.google.com, your computer,
- Checks its local DNS cache to see if you have
gone to www.google.com recently. If you have been there, then it just uses
that IP address. The cache entry is
deleted once its TTL (Time To Live) has passed; this keeps entries from
getting stale and protects you in case Google decides to
move www.google.com to another IP address.
- If the name is not in your local cache, then a
process is followed that is explained in detail at https://en.wikipedia.org/wiki/Domain_Name_System
under Operation.
Ports
Now that you know how to identify computers on your network
by their IP address, let’s look at how we open their doors so we can
communicate with them.
Ports are the doors on a computer that give access to a
program running on that port. When a
program runs on a port, it is said to be ‘listening’ on that port for incoming
requests from other computers. An
example would be an email server program listening for requests for new email.
Port numbers are 16-bit values, so there are 2^16 of them, ranging
from 0 to 65,535. The
ports from 0 to 1023 have been set aside as “well-known” or system ports. Many of these ports have been permanently
assigned to specific services, such as web servers (port 80), SSL/TLS web
servers (port 443), and DNS (port 53).
The ports from 1024 to 49,151 are registered ports; companies reach out
to IANA (Internet Assigned Numbers Authority) to be assigned one of these ports
for their software. Ports 49152–65535
are dynamic or private ports that are up for grabs.
When your computer connects to a port, it does so in a predefined
series of steps called a protocol.
Protocols let computers speak the same language when they want to do a
job such as requesting a web page or downloading new email. These protocols are also stacked, so that
you see protocols from different layers of the OSI model in a single interaction.
One set of protocols handles the software with which you
interact, such as HTTP for web page interaction and DNS for matching up IP
addresses with friendly names. These
protocols operate at Layer 7, the Application Layer of the OSI model.
When your computer interacts with ports, those Layer 7
protocols ride on another set of protocols a few layers down in Layer 4, the
Transport Layer (skipping a few layers for simplicity). These are TCP and UDP. TCP and UDP handle the breaking up of a data
stream into chunks called packets. TCP
is used for communication and services that require reliable connections: it
does a 3-way handshake for the initial connection, puts packets in order, and does
error checking. Web page delivery and
file transfers use TCP. UDP is used for communications
where speed matters more than reliability. UDP is used for things like streaming audio
or online gaming.
You can see a list of ports and whether they use TCP or UDP
at https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.
Firewalls (Windows, Linux, Mac)
Now that you know about all these open doors, it’s time to
close them all except the ones you need.
Firewalls are used to lock down access to ports. Many computers come with a set of ports that
are open by default so they can communicate with other computers on your
network. Unfortunately, this means that
an attacker can also use those ports to communicate with your computer. If there is a flaw in the protocol used on
that port, the attacker could use that flaw to completely take over your
computer.
Firewalls block or allow access using rules. Most firewalls have three types of rules:
- Inbound/Input rules block or allow access to
ports from the outside world, i.e. other devices on your network. For example, this type of rule allows other computers
to have access to a web server running on port 80.
- Outbound rules block or allow your computer to
reach out to other computers. For
example, allow your computer to reach out to any web server on TCP port 80 or
check email on TCP port 110.
- Forwarding rules block or allow traffic to flow
between network interfaces for computers that have multiple interfaces. This could be a computer that sits on two
networks or one that has a wireless interface and a wired Ethernet
interface. Your laptop or work/home
computer likely will not need this type of rule.
You can get more information on configuring your firewall at
one of the following sites. Note that you
should not mess with these rules unless you are absolutely sure you know what
you are doing, otherwise you will be completely cut off from email, the web,
your loved ones, and society. Before changing these rules, see the section
on Scanning below so you can see what you have open.
How to configure the firewall for the major operating
systems:
- Mac
- Linux
- Windows
Scanning
Scanning is a tool used by attackers and defenders
alike. Scanning allows you to determine
who else is on your network (by IP address) and check to see what ports they
have open.
My scanning tool of choice is Nmap because it is available
for most operating systems and it is full of options. You can get it from their website at https://nmap.org.
For a great read, check out Nmap Network Scanning by Gordon “Fyodor”
Lyon, or browse the Nmap website.
Scanning can take time, so break it into four
steps. You can do an Nmap ping scan (-sP)
of the network if you are in a hurry or are doing a very large network; advanced
users can send the output of the scan to a file, use grep and awk to clean it
up, and then use that file as your host list with the -iL filename option.
- Scan for interesting hosts
- TCP port scanning (can take minutes to hours)
- UDP port scanning (can take several hours or days, depending on the size of the network; only do
it when you have time)
- Application enumeration
Host Scan
First, you need to find the IP addresses of
devices in the range you are scanning.
If you are scanning your local network, you can examine your own IP
address to get an idea of the range of IP addresses. On Windows, open a command prompt and type
ipconfig. Look for the IPv4 Address
(usually on the Wireless LAN Adapter for a wireless connection or the Ethernet
Adapter for a wired connection) and its subnet mask. On a Mac or Linux, open a terminal window and
use ifconfig.
nmap -T4 -sP IPrange -oA outputfile
- T4 is the speed of
the scan, and you have the option of 1-5.
4 is fast and not as likely to lose packets as a setting of 5.
- sP is the ping
scan, used for host discovery. Nmap sends an ICMP echo request, a TCP ACK or
SYN packet to port 80, and ARP. Some of these
are only used if you are a privileged user.
- IPrange is the
range of hosts you are scanning. Options
include single hosts (192.168.0.10), CIDR notation (192.168.0.0/24), ranges
(192.168.0.1-254), a comma-separated list of hosts, or an input file with one host per
line using the argument -iL.
- oA outputs the scan
results in several different formats, with the filename being “outputfile”.
TCP Scan
nmap -T4 -p0-65535 IPRange
- T4 – fast scanning
- p0-65535 – scan all
ports; you can also use a list of ports to speed up your scan, e.g.
20,21,25,110-150
- IPrange is the
range of hosts you are scanning. Options
include single hosts (192.168.0.10), CIDR notation (192.168.0.0/24), ranges
(192.168.0.1-254), a comma-separated list of hosts, or an input file with one host per line
using the argument -iL.
- Note that scanning
can take some time. Hit the spacebar to
see progress.
UDP Scan
Note that this scan can take more than a week
to complete on a large network, so only use it if you have time.
nmap -v -sUV IPRange --host-timeout 900000 -T4
Enumeration
Enumeration is used to determine what
software is running on a port. This
is useful because some system administrators run services on unusual ports to
thwart attackers, such as running web services (port 80) on an email port
(110). A computer may also be behind a
port-forwarding firewall, so some of the ports that are discovered are actually
on the firewall and not the target computer.
Nmap will probe the port and check the responses against its database. For speed, use the results of previous scans
to target specific open ports.
- TCP Scan:
nmap -A -O -T4 -p0-65535 IPrange
- Note that this scan
can take over an hour to scan 8 devices.
- A – version detection
– runs a series of queries against the port to determine what software is
running
- T4 – fast scanning
- p0-65535 – scan all
ports; you can also use a list of ports to speed up your scan, e.g. 20,21,25,110-150
- IPrange is the
range of hosts you are scanning. Other
options include single hosts, CIDR notation (192.168.0.0/24), ranges
(192.168.0.1-254), and a comma list of hosts.
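Feeding one scan into the next, as an added example (my code, not from the lesson): it parses the grepable outputfile.gnmap that -oA writes, lists the hosts that answered the ping scan for an -iL host file, and builds the enumeration command above with only each host's known open ports. The sample file is constructed; the only assumptions are the Nmap grepable format and that current Nmap also spells the ping scan -sn.

```python
# Added example: read the grepable outputfile.gnmap that "-oA outputfile" writes,
# so the fast ping scan decides what the slow port scan and enumeration touch.
import re

# Constructed sample of a .gnmap file: a ping scan (-sP/-sn) followed by a TCP
# port scan of one host that answered. Real files have the same line shapes.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Sat Jan  1 10:00:00 2022 as: nmap -T4 -sP 192.168.0.0/24 -oA outputfile
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.10 (printer.lan)\tStatus: Up
Host: 192.168.0.10 (printer.lan)\tPorts: 80/open/tcp//http///, 110/open/tcp//pop3///, 22/closed/tcp//ssh///\tIgnored State: filtered (65533)
Host: 192.168.0.150 ()\tStatus: Down
# Nmap done at Sat Jan  1 10:00:03 2022 -- 256 IP addresses (2 hosts up) scanned in 2.53 seconds
"""
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {"hostname", "up", "ports": [(port, state, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines carry no host data
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "up": False, "ports": []})
        for field in rest.split("\t"):  # "Status: Up", "Ports: ...", "Ignored State: ..."
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                entry["up"] = True  # Nmap only port-scans hosts it found up
                for spec in value.split(", "):
                    # Each port is port/state/protocol/owner/service/rpc info/version/
                    port, state, proto, _owner, service = spec.split("/")[:5]
                    entry["ports"].append((int(port), state, proto, service))
    return hosts

def up_hosts(hosts):
    """Hosts that answered; write one per line and hand the file to nmap -iL."""
    return [ip for ip, entry in hosts.items() if entry["up"]]

def open_tcp_ports(hosts, ip):
    """Comma list for -p, so enumeration probes only ports already seen open."""
    ports = hosts.get(ip, {}).get("ports", [])
    return ",".join(str(p) for p, state, proto, _ in sorted(ports)
                    if state == "open" and proto == "tcp")

def enumeration_commands(hosts):
    """The lesson's enumeration scan, narrowed to each host's known open ports."""
    commands = []
    for ip in up_hosts(hosts):
        ports = open_tcp_ports(hosts, ip)
        if ports:
            commands.append(f"nmap -A -O -T4 -p{ports} {ip}")
    return commands
```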
Trick
If you ever get a result with no hosts found, or discover
that some hosts are missing, then scan the entire network without pinging first
using the option -P0. If a computer’s firewall
blocks the initial ping probes, then Nmap will not go on to scan that computer’s
ports, even if the computer is operational.
Sniffing
Packet sniffing, or sniffing, lets you see everything that
your computer sees at every layer of the OSI model. The most popular visual tool for sniffing is
Wireshark, which you can download at https://www.wireshark.org/. There is also the command line tool tcpdump
on *nix systems.
Modern switches are designed so that you only see traffic
that is intended for your computer, as well as broadcast traffic that is sent
to the broadcast IP of your network. If
you want to see traffic that is destined for other systems, then you will need
to find some way to copy packets to you, through a SPAN port, port mirroring,
or network tap, or by inserting yourself in the path through a
man-in-the-middle attack.
On Windows systems you need special software called WinPcap to
enable the packet capture. This is
installed automatically when you install Wireshark.
Running
When you run Wireshark, it will give you the option of
selecting an existing saved packet capture file (PCAP) or a network interface. Choose your network interface.
Your screen will begin filling with sweet packets. Here are the default columns:
- The No. column shows the packets in the order in
which they are seen
- The Time column shows the seconds that have
elapsed since you started your packet capture
- The Source tells who sent the packet
- The Destination tells where the packet is going
- The Protocol is the protocol seen (e.g. TCP,
UDP, DNS)
- Length is the number of bytes in the packet/frame
- Info gives some basic information about what is
seen in the packet
If you click on a packet/frame you will see more details in
the bottom half of the screen. Note that
it lays things out in the order of the OSI model, from the lowest layers at the
top to the highest layers at the bottom.
It only shows those layers that are appropriate for the selected
packet/frame.
Filters
When running Wireshark for the first time you will find a
lot of noise clutters up your view of useful information (unless you are specifically
looking for that clutter). The Display
Filter bar at the top of the window allows you to home in on data of
interest. It does not modify the packet
data that is stored, only changes what is displayed. Note that there is also a packet capture filter
which allows you to only capture the packets of interest.
I typically get rid of ARP traffic because it is very chatty,
unless I am looking to enumerate other active hosts on the same network. ARP is generated by a computer on the local
network looking for the Layer 2 MAC address (the hardware address that uniquely
identifies all networked devices) behind an IP address so it can communicate
with it. I also get rid of ICMP traffic
– this is used for error messages and other useful things but can be
noisy. For this filter, use: !(arp or
icmp). Note that these are from the
Protocol column. Continue adding to this
filter until you can better discern patterns in the packet traffic.
Tools
There are all sorts of useful tools, such as being able to follow
a TCP conversation or SSL stream (under the Analyze menu, then Follow-TCP
Stream or SSL Stream), seeing how much traffic is generated between two hosts
(Statistics menu, then Conversations).
Google is your friend – look up anything that you find interesting.
NetworkMiner is a free tool that will grab useful items out
of a packet capture.
Remote Packet Capture
If you have SSH access to a computer, you can also do a
remote packet capture. On Windows
systems, Wireshark makes it difficult to set up remote connections – the
ability to save the connections was removed several years ago, and you have to
dig through menus to find the option. You
can use PuTTY’s companion tool plink.exe as an alternative. PuTTY can be downloaded from https://www.chiark.greenend.org.uk/~sgtatham/putty/
(stay away from putty.org – it is not legitimate), and plink will be installed
with it. Run plink using the following command:
"C:\Program Files\PuTTY\plink.exe" -ssh -batch
-T -pw $password $user@$IPAddress -P $port tshark -w - not tcp port 22 | "C:\Program
Files\Wireshark\Wireshark.exe" -k -i -
- $password is the SSH password
- $user is the username for the SSH connection
- $IPAddress is the IP address of the SSH server
- $port is the port used for SSH, in case it is
not the default of 22
- Wireshark will automatically load and will start
displaying packets. The command prompt
will display any error messages and will remain locked until Wireshark is
closed.
Linux is a little easier; just run the command:
ssh -l $user $IPAddress tshark -w - not tcp port 22 |
wireshark -k -i -