Understanding how packets travel from one endpoint to another in a network, as well as understanding how to properly secure or intercept those packets, is invaluable knowledge when it comes to Cybersecurity. Networking can be subdivided into multiple subjects, and in this article we'll look deeper into this concept in order to learn how important it is to understand Networking.
I'm writing this article as part of my process to take the eJPT and to consolidate the knowledge I got from INE's official Learning Path, Penetration Testing Student, by Lukasz Mikula. I truly believe that learning is more of an active process than a passive one, so I do think I can better understand things once I'm teaching other people about that subject and practicing around it. I'll try to take this approach in this article as well. We'll start with a bit of theory, which is really necessary when it comes to Networking, but we'll go practical as well with TryHackMe's rooms. I'll do my write-ups for all the necessary rooms, so you can learn a bit more about my methodologies and try them yourself. No worries if you just do a step-by-step follow-up in the beginning, as long as you understand all the procedures and start to build your own processes and methodologies.
The main objective of this article, at the end of the day, is to provide an easy-to-understand starting guide for all those who want to kickstart their lives in Cybersecurity. It can also serve as study companion material for all those who are studying for the eJPT. It can also be a study companion for newcomers to the CTF community, who just joined TryHackMe and want some write-ups for a bunch of popular rooms. Or it can just be a study guide that introduces some core concepts of Cybersecurity to curious people!
First of all, we need to understand what Computer Networking means. In a very abstract manner, we can consider Computer Networking as "the practice of interfacing two or more computing devices with each other for the purpose of sharing data." (Bradley Mitchell). This interaction can occur in different "flavors", like LANs or WANs, and also different designs, such as client-server and peer-to-peer.
Computer Networking also has a standard basic model that can be used to better visualize and understand the theory behind it. This model is called the OSI Model:
This is the top layer, the one most end users see. It's the layer that receives input from and displays data to the end user. However, the application itself does not reside in the Application layer. This layer is just a platform to easily connect the information to the end-user by accepting communication requests inputted into the application, then wiring it down to lower layers. Web Browsers and FTP are good examples of Application Layer Communications.
The Presentation Layer is usually called the "Translation Layer", because it represents the preparation from Application Formatting to Networking Formatting, or vice-versa. The Presentation Layer is not as visual as the Application Layer (if at all!), but it's responsible for "displaying" and translating data for the Application or the Network. Good examples of Presentation Layer tasks are the encryption, decryption, compression and transformation of data for a secure transmission.
If the Presentation Layer was the "translation layer", we can call the Session Layer a "Connection Layer". In order to maintain a "dialogue" between two computers, a session must be established. This layer is responsible not only for creating this bridge, but also for maintaining, managing, tracking and finishing the conversation when required or needed.
The Transport Layer is the "Post-Office Layer" in the OSI Model. It coordinates all things related to data, like data transfers, how much data it will send, its transmission rate, where it is going, etc. Although they're not included in the OSI model, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) are categorized as Layer 4 Protocols. TCP is a connection-based protocol, meaning that the connection between the two computers will be maintained for the whole duration of the request. It's also a patient connection, because it allows the two computers to keep a reliable connection, in which all packets are ensured to be delivered to the right place. For the whole duration, the bridge between the two computers will stay stable while data is sent at an acceptable speed. Lost packets will be recovered and re-sent. UDP is a hasty connection, meaning: if the computers can't keep up with its pace, that's their problem. Some usage examples are simple: if you need data accuracy over speed, choose TCP. If speed matters more than guaranteeing that every packet is delivered (like in a video chat application), then speed must be prioritized over accuracy, and UDP seems to be a perfect selection.
The Network Layer is responsible for locating the destination of your requests, as well as forwarding packets to the said destination. This is the home of IP addresses and Logical Addressing, and it's also the layer where the connection will find the best route to take in order to establish a connection. If a packet is too large to be transmitted, it can be dismantled into several fragments which are shipped out and then reassembled on the other end.
The Data Link Layer is where the node-to-node data transfer happens. It's also home to the MAC (Media Access Control) Address, and it's considered a physical layer. Layer 2 is divided into two sub-layers: MAC, or Media Access Control, and LLC, or Logical Link Control. MAC determines the way devices in a network will gain access to a medium and how they'll get permission to transmit data over the network. LLC identifies and encapsulates network layer protocols and controls error checking and frame synchronization. The MAC sub-layer is also responsible for the physical address of the machine, for checking whether received packets are corrupted, and also for formatting and preparing data that is about to be sent.
The Physical Layer represents the tangible end of the system. The electrical parts are included here, as well as layouts of pins, voltages, radio frequency links, and other physical requirements. It's a media layer used to transmit and receive raw bits of data (called segments) which it converts into all sorts of signals.
Which layer would you choose to send data over TCP or UDP?
- The UDP and TCP protocols are handled by Layer 4.
Which layer checks received packets to make sure that they haven't been corrupted?
- One of the responsibilities of Layer 2 is to provide a physical address for the machine, format and prepare data, and confirm that the packets aren't corrupted.
In which layer would data be formatted in preparation for transmission?
- As already mentioned in the question above, one of the responsibilities of Layer 2 is to provide a physical address for the machine, format and prepare data, and confirm that the packets aren't corrupted.
Which layer transmits and receives data?
- One of the responsibilities of Layer 1 is to transmit and receive data segments and convert them into signals.
Which layer encrypts, compresses, or otherwise transforms the initial data to give it a standardized format?
- The encryption, decryption, compression and transformation of data for a secure transmission is a responsibility of Layer 6.
Which layer tracks communications between the host and receiving computers?
- Layer 5 is responsible not only for creating this bridge, but also for maintaining, managing, tracking and finishing the conversation when required or needed.
Which layer accepts communication requests from applications?
- Layer 7 connects the information to the end-user by accepting communication requests inputted into the application, then wiring it down to lower layers.
Which layer handles logical addressing?
- Layer 3 is the home of IP addresses and Logical Addressing.
When sending data over TCP, what would you call the "bite-sized" pieces of data?
- Bite-sized pieces of data are called Segments.
Which layer would the FTP protocol communicate with?
- Web Browsers and FTP are good examples of Layer 7 Communications.
Which transport layer protocol would be best suited to transmit a live video?
- If speed matters more than guaranteeing that every packet is delivered (like in a video chat application), then speed must be prioritized over accuracy, and UDP seems to be a perfect selection.
Whenever data is passed down the multiple layers of the OSI Model, it gets encapsulated. This means that information about each of the layers is added to the data as a header, with information that is considered important for the next layer to evaluate. The Data Link Layer also adds a trailer at the end of the data, which is used to confirm whether that data was corrupted during its journey. During this journey, the data's name varies: it is considered, for example, a Segment or Datagram while in the Transport Layer, and a Frame while in the Data Link Layer. Once the data reaches its destination, the de-capsulation process begins, and the same steps are taken but in reverse order. You might ask why this whole process occurs, and the answer is simple. The headers added during the encapsulation process not only carry the critical information needed for the data to be sent correctly to its destination, but they also add an extra layer of security and reliability.
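To make the encapsulation and de-capsulation steps concrete, here is an added example (not code from the original write-up or from TryHackMe) that models them in Python: each layer prepends its own header, the Data Link layer appends a CRC32 trailer, and the receiver verifies that trailer before peeling the headers off in reverse order. The header layouts, addresses and ports are constructed for illustration and are simpler than the real Ethernet, IPv4 and UDP formats.

```python
import struct
import zlib

# Constructed toy model of OSI encapsulation (not real protocol headers).

def transport_encapsulate(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4: prepend a header (source port, destination port, length) -> a 'segment'."""
    return struct.pack("!HHH", src_port, dst_port, len(payload)) + payload

def network_encapsulate(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Layer 3: prepend the source and destination IPv4 addresses -> a 'packet'."""
    header = b"".join(bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    return header + segment

def datalink_encapsulate(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2: prepend MAC addresses and append a CRC32 trailer (the FCS) -> a 'frame'."""
    body = dst_mac + src_mac + packet
    return body + struct.pack("!I", zlib.crc32(body))

def decapsulate(frame: bytes) -> dict:
    """Reverse the steps: check the trailer first, then strip one header per layer."""
    body, fcs = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("frame check sequence mismatch: frame corrupted in transit")
    dst_mac, src_mac, packet = body[:6], body[6:12], body[12:]        # Layer 2
    src_ip = ".".join(str(b) for b in packet[:4])                      # Layer 3
    dst_ip = ".".join(str(b) for b in packet[4:8])
    segment = packet[8:]
    src_port, dst_port, length = struct.unpack("!HHH", segment[:6])    # Layer 4
    payload = segment[6:6 + length]
    return {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port, "payload": payload}

def build_frame(payload: bytes) -> bytes:
    """Walk the payload down the layers with constructed sample addresses."""
    segment = transport_encapsulate(payload, 40000, 53)               # a DNS query's ports
    packet = network_encapsulate(segment, "192.168.1.10", "192.168.1.1")
    return datalink_encapsulate(packet, bytes.fromhex("001122334455"),
                                bytes.fromhex("aabbccddeeff"))

def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit at the given offset to simulate damage on the wire."""
    flipped = bytearray(frame)
    flipped[index] ^= 0x01
    return bytes(flipped)

def is_intact(frame: bytes) -> bool:
    """True if the frame's trailer still matches its contents."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False
```

A single flipped bit anywhere in the frame makes the trailer check fail, which is the detection the text attributes to the Data Link trailer.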
As mentioned by MuirlandOracle on his TryHackMe's box, "it's important to understand exactly why the TCP/IP and OSI models were originally created. To begin with there was no standardisation -- different manufacturers followed their own methodologies, and consequently systems made by different manufacturers were completely incompatible when it came to networking. The TCP/IP model was introduced by the American DoD in 1982 to provide a standard -- something for all of the different manufacturers to follow. This sorted out the inconsistency problems. Later the OSI model was also introduced by the International Organisation for Standardisation (ISO); however, it's mainly used as a more comprehensive guide for learning, as the TCP/IP model is still the standard upon which modern networking is based."
It's also important to understand that TCP/IP is a Connection-Oriented Protocol (or Connection-Based Protocol). According to the Oracle documentation, "it requires a logical connection to be established between the two processes before data is exchanged. The connection must be maintained during the entire time that communication is taking place, then released afterwards. The process is much like a telephone call, where a virtual circuit is established--the caller must know the person's telephone number and the phone must be answered--before the message can be delivered."
The whole communication in the TCP/IP Model works with a SYN/ACK connection, or a three-way handshake.
You might be asking: Okay, but how does this work?
It's quite simple! In a three-way handshake, the first computer sends a request to a second computer, indicating that it wants to start a connection, to SYNchronize with it. The second computer then responds with a packet containing the SYNchronize information sent by the first computer together with an ACKnowledgment of the request to start a connection (the SYN/ACK). Finally, the first computer sends over a final packet, containing only the ACKnowledgment that the conversation between those two computers can start.
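The three steps just described, as an added simulation in Python (not code from the original write-up): each endpoint is a small state machine that tracks its own initial sequence number (ISN), and the SYN/ACK and ACK must acknowledge exactly ISN + 1, so a reply that carries the wrong acknowledgment number is rejected instead of completing the handshake. The Segment and Endpoint classes are constructed for this example; real TCP lives in the kernel.

```python
from dataclasses import dataclass, field
from typing import Optional
import random

@dataclass
class Segment:
    flags: frozenset          # subset of {"SYN", "ACK"}
    seq: int                  # sequence number of this segment
    ack: int = 0              # next sequence number expected from the peer

@dataclass
class Endpoint:
    name: str
    state: str = "CLOSED"
    isn: int = field(default_factory=lambda: random.randrange(2**32))  # initial seq number
    peer_seq: int = 0         # next sequence number we expect from the peer

    def send_syn(self) -> Segment:
        """Step 1: ask to SYNchronize."""
        self.state = "SYN_SENT"
        return Segment(frozenset({"SYN"}), self.isn)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Advance the state machine on an incoming segment; return the reply, if any."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            self.peer_seq = seg.seq + 1          # a SYN consumes one sequence number
            self.state = "SYN_RECEIVED"
            return Segment(frozenset({"SYN", "ACK"}), self.isn, self.peer_seq)  # step 2
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.isn + 1:          # reply does not acknowledge our SYN
                self.state = "CLOSED"
                return None
            self.peer_seq = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(frozenset({"ACK"}), self.isn + 1, self.peer_seq)     # step 3
        if self.state == "SYN_RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack == self.isn + 1 and seg.seq == self.peer_seq:
                self.state = "ESTABLISHED"
            return None
        return None

def handshake(client: Endpoint, server: Endpoint, tamper: bool = False) -> list:
    """Run the three-way handshake and return the segments exchanged, in order."""
    server.state = "LISTEN"
    log = [client.send_syn()]                    # 1. SYN
    syn_ack = server.receive(log[-1])            # 2. SYN/ACK
    if tamper:  # constructed failure case: a reply with the wrong acknowledgment number
        syn_ack = Segment(syn_ack.flags, syn_ack.seq, syn_ack.ack + 1)
    log.append(syn_ack)
    ack = client.receive(syn_ack)                # 3. ACK (only if the SYN/ACK was valid)
    if ack is not None:
        log.append(ack)
        server.receive(ack)
    return log
```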
Which model was introduced first, OSI or TCP/IP?
- The first model to be introduced was the TCP/IP Model, in 1982. The OSI Model was introduced two years later, in 1984.
Which layer of the TCP/IP model covers the functionality of the Transport layer of the OSI model (Full Name)?
- As we could see in our graph, the Transport Layer of the OSI Model has its functionalities covered by the Transport Layer from the TCP/IP Model.
Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)?
- As we could see in our graph, the Session Layer of the OSI Model has its functionalities covered by the Application Layer from the TCP/IP Model.
The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link, and? (Full Name)
- As we could see in our graph, the Network Interface layer covers the functionalities of the Data Link and the Physical Layer of the OSI Model.
Which layer of the TCP/IP model handles the functionality of the OSI network layer?
- As we could see in our graph, the Network Layer of the OSI Model has its functionalities covered by the Internet Layer from the TCP/IP Model.
What kind of protocol is TCP?
- According to the Oracle Documentation, the TCP/IP Model is a Connection-Based protocol.
What is SYN short for?
What is the second step of the three way handshake?
What is the short name for the "Acknowledgement" segment in the three-way handshake?
Moving on to our first tool in this write-up, we open the .pcap file as suggested in the TryHackMe room - https://tryhackme.com/room/introtonetworking
Once we open the file in Wireshark and analyze the packets, we get the following information:
(Screenshot 1: the first packet. Screenshot 2: the second packet.)
Going for the second packet, as suggested, we can start to answer the questions.
What is the protocol specified in the section of the request that's linked to the Application layer of the OSI and TCP/IP Models?
- Domain Name System
Which layer of the OSI model does the section that shows the IP address "172.16.16.77" link to (Name of the layer)?
- In the section of the request that links to the Transport layer of the OSI and TCP/IP models, which protocol is specified?
Wireshark shows the User Datagram Protocol (UDP).
- Over what medium has this request been made (linked to the Data Link layer of the OSI model)?
Ethernet II.
- Which layer of the OSI model does the section that shows the number of bytes transferred (81) link to?
The Frame 2 section links to the Physical Layer.
- [Research] Can you figure out what kind of address is shown in the layer linked to the Data Link layer of the OSI model?
According to Pearson IT Certification, "a MAC address is a unique 6-byte address that is burned into each network interface or more specifically, directly into the PROM chip on the NIC. The number must be unique, as the MAC address is the basis by which almost all network communication takes place. No matter which networking protocol is being used, the MAC address is still the means by which the network interface is identified on the network. Notice that I say network interface. That's very important, as a system that has more than one network card in it will have more than one MAC address." That being said, we can attest that the address shown is a valid MAC address.
With the theory behind us, it's time to move on to some practical applications of our network studies, using some useful tools to get a better understanding of those networks.
For starters, let's take a look at Ping. This tool is used to test the connection between your machine and a remote target, either a web application or just another machine. By typing ping -h we are able to see in our Kali terminal all the options related to this tool, making it easier for us to plan and implement its usage during our daily tasks.
For a more detailed explanation and a deep dive into the documentation, you can also type man ping to access its manual, which we are going to do in order to answer the following questions.
- What command would you use to ping the bbc.co.uk website?
For pinging any website, you simply need to write ping followed by the website's URL or the website's IP. So, in this case, the answer is simply ping bbc.co.uk
- Ping muirlandoracle.co.uk. What is the IPv4 address?
By typing ping muirlandoracle.co.uk we can test a connection with the said website, and we can also find out the IPv4 address for this website.
- What switch lets you change the interval of sent ping requests?
- What switch would allow you to restrict requests to IPv4?
- What switch would give you a more verbose output
Traceroute is also a really useful tool for you, since it's capable of following the packets through your connection to the desired endpoint. If it's not installed by default on your Kali Linux, simply run apt-get install traceroute to download it.
- What switch would you use to specify an interface when using Traceroute?
- What switch would you use if you wanted to use TCP SYN requests when tracing the route?
- [Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default (Windows)?
We know that by default, the Windows traceroute utility (tracert) operates using the same ICMP protocol that ping utilises, which is the Internet layer in the TCP/IP Model.
Most internet traffic relies on DNS, the Domain Name System, which allows us to access Google by simply typing google.com in our browsers, instead of some nasty and complicated four-octet IP address. That being said, whois is a tool that can help us retrieve more information on websites of which we only know the domain name. So, for example, if we want to get more information on Google, we simply type whois google.com and we are presented with a whole lot of information.
- Perform a whois search on facebook.com
- What is the registrant postal code for facebook.com?
- When was the facebook.com domain first registered?
- Perform a whois search on microsoft.com
- Which city is the registrant based in?
- [OSINT] What is the name of the golf course that is near the registrant address for microsoft.com?
To start this OSINT procedure, we need to know Microsoft's registrant address. By analyzing the information retrieved from our whois search, we are able to see the address is One Microsoft Way, Redmond, WA 98052. By typing it into Google Maps and zooming out a bit, we can see that Microsoft's headquarters are quite close to the Bellevue Golf Course.
- What is the registered Tech Email for microsoft.com?
Dig, a fantastic tool for troubleshooting networks, can provide a lot of information about the DNS servers related to a domain.
- What is DNS short for?
DNS stands for Domain Name System, which maps a name to an IP address.
- What is the first type of DNS server your computer would query when you search for a domain?
- What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk*, etc)*? Use the long version of the name.
This is a Top-Level Domain, the part of the domain that comes after the last dot. It's divided into two categories: gTLD (generic top-level domain) and ccTLD (country-code top-level domain).
- Where is the very first place your computer would look to find the IP address of a domain?
- [Research] Google runs two public DNS servers. One of them can be queried with the IP 18.104.22.168, what is the IP address of the other one?
- If a DNS query has a TTL of 24 hours, what number would the dig query show?
Considering that dig shows TTL values in seconds, we simply need to compute 60 * 60 * 24 (the seconds in a day), which gives 86400.