03 Ch03 Network Overview - Unlocked

3/18/2024

Hacking Techniques and Intrusion Detection

Chapter 3
Network Overview

Prof. Jaafer Al Saraireh

Objectives
• Describe the TCP/IP protocol stack
• Explain the basic concepts of IP addressing

Prof. Jaafer Al Saraireh - Princess Sumaya University for Technology 2


Overview of TCP/IP
• Language used by computers
• Transmission Control Protocol/Internet Protocol (TCP/IP)
o Most widely used


The OSI Model


A - All
P - People
S - Seem
T - To
N - Need
D - Data
P - Processing



The OSI Model (Continued)


The OSI Model (Continued)



The OSI Model (Continued)


• (1) The physical layer is responsible for moving individual bits from one hop (node) to the next.
• (2) The data link layer is responsible for moving frames from one hop (node) to the next.
• (3) The network layer is responsible for delivering individual packets from the original source host to the final destination host, across as many hops as the path requires.
• (4) The transport layer is responsible for delivering a message (segment) from one process to another.
• (5) The session layer is responsible for dialog control and synchronization.
• (6) The presentation layer is responsible for translation, compression, and encryption.
• (7) The application layer is responsible for providing services to the user.


The OSI Model and Devices

• Layer 3 switches route traffic between different network segments (for example, between VLANs).
• A Layer 3 switch also carries built-in security features such as access control lists (ACLs), which filter traffic between segments and help protect the network from threats.
• Layer 2 switches offer limited or no routing between segments such as VLANs; they forward frames by MAC address within a segment.
• Out of the box, a Layer 2 switch typically has no filtering enabled, which leaves its segment exposed to attacks such as ARP spoofing. Protections such as port security, DHCP snooping, and dynamic ARP inspection exist on many managed switches, but they only help once an administrator turns them on.



Summary of Layers


TCP/IP Model
• TCP/IP stack
o Four distinct layers
 Network
 Internet
 Transport
 Application



TCP/IP Model Application Layer


• Front end to the lower-layer protocols


Protocols



TCP/IP Model Transport Layer


• Encapsulates application data into segments
o Uses TCP or UDP to deliver the data to a process (port) on the destination host
 TCP is a connection-oriented protocol
 UDP is a connectionless protocol
• TCP three-way handshake
o Computer A sends computer B a SYN packet
o Computer B replies with a SYN-ACK packet
o Computer A replies with an ACK packet


TCP/IP Model Internet Layer


• Routes packets to destination address
o Uses a logical address (i.e., IP address)
o IP addressing packet delivery is connectionless
• Internet Control Message Protocol (ICMP)
o Sends messages related to network operations
o Helps troubleshoot network connectivity problems
 Ping command
o Tracks the route a packet traverses
 Traceroute command



TCP/IP Model (continued)


• (1) Internet Control Message Protocol (ICMP)
o The primary purpose of ICMP is error reporting. When two devices communicate over the
Internet, routers along the path and the destination use ICMP to tell the sending device
that a datagram could not be delivered. For example, if a datagram is larger than the next
link's MTU and its Don't Fragment bit is set, the router drops it and sends an ICMP
Destination Unreachable (Fragmentation Needed) message back to the original source.
o A secondary use of ICMP is network diagnostics; the commonly used terminal utilities
traceroute and ping both depend on ICMP.
 The traceroute utility displays the routing path between two Internet devices, that is,
the sequence of routers a packet passes through before it reaches its destination. It sends
probes with increasing TTL values and records the ICMP Time Exceeded reply that each router
returns. (Linux traceroute sends UDP probes by default and Windows tracert sends ICMP echo
requests; both rely on the ICMP replies coming back.)
 The ping utility sends ICMP echo requests and waits for echo replies. It reports whether
the target is reachable and exactly how long a packet takes to reach its destination and
come back to the sender's device (the round-trip time).
 Attackers can abuse this mechanism; two well-known examples are the ICMP flood attack
and the ping of death attack.


TCP/IP Model (continued)


• (1) Internet Control Message Protocol (ICMP)
o ICMP flood attack: Also known as a ping flood. It is a denial-of-service attack in
which an attacker overwhelms the targeted device or network with a continuous stream
of ICMP echo requests (pings). This causes network congestion and prevents legitimate
users from accessing network resources.
o In its distributed form (DDoS), the perpetrator uses many compromised systems to send
a huge volume of ICMP echo requests to the target at the same time.
o The target tries to answer each ICMP echo request with an echo reply. With thousands
or even millions of echo requests arriving per second, the target cannot keep up: the
incoming flood consumes its inbound bandwidth, and the replies consume outbound
bandwidth and CPU, so legitimate users are denied access to the system.



TCP/IP Model (continued)


• (1) Internet Control Message Protocol (ICMP)
o Ping of death attack: Unlike the ping flood, which works by sheer volume, the ping of
death relies on a malformed packet. An IPv4 datagram can never be larger than 65,535
bytes, so the attacker sends an ICMP echo request as a series of IP fragments whose
offsets and lengths add up to more than 65,535 bytes once reassembled. A target whose
reassembly code does not check this limit overflows its buffer and crashes or freezes.
Modern operating systems validate the reassembled length, so the original attack is
mostly historical, but the underlying bug class (trusting length fields received from
the network) keeps recurring.
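The two ICMP abuses above can be told apart by what a detector looks at: the flood shows up as a rate of echo requests per source, the ping of death as a single fragment whose offset plus length exceeds the IPv4 maximum. The following is an added example, not code from the slides: it runs both checks over constructed packet summaries (the record fields, thresholds and sample addresses are assumptions chosen for illustration, not captured traffic).

```python
# Added example (not from the slides): flag ICMP echo floods and oversized
# fragments of the ping-of-death kind from packet summaries.
# The records are constructed here to stand in for what a capture tool
# would hand a detector; they are not captured traffic.
from collections import defaultdict

IPV4_MAX_LEN = 65_535        # largest IPv4 datagram, header included
IP_HEADER_LEN = 20           # minimal IPv4 header; the samples use no options
ICMP_ECHO_REQUEST = 8        # ICMP type carried by "ping"


def reassembled_size(frag_offset_units, ip_total_len):
    """Size the full datagram would have if this fragment is its last piece.

    The fragment offset field counts 8-byte units of payload, and the header is
    carried once in the reassembled datagram, so:
        header + offset*8 + (this fragment's payload)
    Anything above 65,535 cannot be a valid IPv4 datagram.
    """
    payload = ip_total_len - IP_HEADER_LEN
    return IP_HEADER_LEN + frag_offset_units * 8 + payload


def oversized_fragments(records):
    """Fragments that would push a datagram past the IPv4 maximum."""
    return [r for r in records
            if reassembled_size(r["frag_offset"], r["ip_len"]) > IPV4_MAX_LEN]


def echo_request_rate(records, window_s=1.0, threshold=100):
    """(src, dst) pairs that sent >= threshold echo requests in any one window."""
    counts = defaultdict(int)
    for r in records:
        if r["icmp_type"] != ICMP_ECHO_REQUEST:
            continue
        window = int(r["ts"] // window_s)
        counts[(r["src"], r["dst"], window)] += 1
    return sorted({(s, d) for (s, d, _), n in counts.items() if n >= threshold})


def build_sample_records():
    """Constructed traffic: a normal host, a flooding host and two fragments."""
    recs = []
    # 10.0.0.7: one ping per second, clearly benign
    for i in range(5):
        recs.append(dict(ts=float(i), src="10.0.0.7", dst="192.0.2.10",
                         ip_len=84, frag_offset=0, icmp_type=ICMP_ECHO_REQUEST))
    # 10.0.0.5: 150 echo requests inside one second (flood)
    for i in range(150):
        recs.append(dict(ts=2.0 + i / 150.0, src="10.0.0.5", dst="192.0.2.10",
                         ip_len=84, frag_offset=0, icmp_type=ICMP_ECHO_REQUEST))
    # Only the first fragment carries the ICMP header, so later fragments have
    # no ICMP type; the offset and length alone reveal an oversized datagram.
    recs.append(dict(ts=3.5, src="10.0.0.9", dst="192.0.2.10",
                     ip_len=1500, frag_offset=8190, icmp_type=None))   # 67,020 bytes
    recs.append(dict(ts=3.6, src="10.0.0.7", dst="192.0.2.10",
                     ip_len=1500, frag_offset=8000, icmp_type=None))   # 65,500 bytes, legal
    return recs


def run_detection(records=None):
    """Run both checks; returns the flooding pairs and the oversized-fragment sources."""
    records = build_sample_records() if records is None else records
    return {
        "flood_pairs": echo_request_rate(records),
        "oversized_sources": sorted({r["src"] for r in oversized_fragments(records)}),
    }


if __name__ == "__main__":
    print(run_detection())
```

The rate check keys on (source, destination, one-second window) so a single busy host is not confused with a distributed flood spread over many sources; for the distributed case you would aggregate on destination alone. The size check needs no ICMP header at all, which matters because only the first fragment of a datagram carries one.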


TCP/IP Model (continued)


• (2) Internet Group Management Protocol (IGMP) is a protocol that allows several
devices to receive the same data. IGMP is a network layer protocol used to set up
multicasting on networks that use the Internet Protocol version 4 (IPv4). Specifically,
IGMP allows devices to join a multicasting group.
• (3) Address Resolution Protocol (ARP) is used to find the physical address of the
node when its Internet address is known.
• (4) Reverse Address Resolution Protocol (RARP) allows a host to discover its
Internet address when it knows only its physical address. RARP is obsolete in practice;
BOOTP and later DHCP took over this role.



Addressing


Addressing (continued)
• Application-Specific Addresses: Some applications have user-friendly addresses
that are designed for that specific application.
• Examples include the e-mail address (for example, [email protected]) and the
Uniform Resource Locator (URL) (for example, www.mhhe.com). The first identifies
the recipient of an e-mail; the second is used to find a document on the World Wide
Web. These addresses are not used for delivery as such: the sending computer resolves
them (through DNS and the service's well-known port) into the corresponding logical (IP)
address and port address before any packet is sent.



Addressing (continued)
• The physical address, also known as the link address, is the address of a node as
defined by its LAN or WAN. It is carried in the frame used by the data link layer and is
the lowest-level address.
• The size and format of these addresses vary with the network. For example, Ethernet
uses a 6-byte (48-bit) physical (MAC) address that the manufacturer burns into the network
interface card (NIC) and usually prints on it. The operating system can override this
value in software, so a MAC address identifies an interface but is not proof of identity.


Addressing (continued)



Addressing – Port Address


• A port address is a 16-bit number, written as one decimal value as shown
in the figure (2^16 = 65,536 possible ports).
• In the figure, the sending computer is running three processes at this time,
with port addresses a, b, and c.
• The receiving computer is running two processes at this time, with port
addresses j and k.
• Note: The physical addresses change from hop to hop, but the logical (IP) and
port addresses usually remain the same end to end (NAT, covered later, is the
exception that rewrites them).


Network Layer: Logical Addressing


• Internet addresses (IPv4) are 32 bits long; this gives a maximum of 2^32 =
4,294,967,296 addresses.
• IPv6 addresses are 128 bits long; this gives a maximum of 2^128 addresses, about
3.4 x 10^38 (340,282,366,920,938,463,463,374,607,431,768,211,456).



IP Addresses
• IPv4 addresses are classified into 5 classes (A to E) based on the value of the first octet.


IP Address Classes



IPv4 Address: CIDR (Classless Inter-Domain Routing)


• In the figure, the netid is shown in color and the hostid in black.

• Example: ellington.cs.virginia.edu, address 128.143.137.144
• Network address is: 128.143.0.0 (or 128.143)
• Host number is: 137.144
• Netmask is: 255.255.0.0 (or 0xffff0000)
• Prefix or CIDR notation: 128.143.137.144/16
• Network prefix is 16 bits long


IPv4 Address: Classless Address/Address Blocks


• Example: A block of 16 addresses granted to a small organization



IPv4 Address: Classless Address/Address Blocks


• A better way to define a block of addresses is to give any address in the block together
with the mask. As discussed before, a mask is a 32-bit number in which the n leftmost
bits are 1s and the 32 - n rightmost bits are 0s. In classful addressing n could only be
8, 16 or 24; in classless addressing the prefix length n can take any value from 0 to 32.
It is convenient to write just the value of n preceded by a slash (CIDR notation), e.g. /28.


IPv4 Address: Classless Address/Address Blocks


• Last Address: The last address in the block is found by setting the 32 - n
rightmost bits in the binary notation of the address to 1s.
• Find the last address for the block 205.16.37.39/28.
• Solution:
• The binary representation of the given address is 11001101 00010000 00100101
00100111.
• If we set the 32 - 28 = 4 rightmost bits to 1, we get 11001101 00010000 00100101
00101111, or 205.16.37.47. This matches the 16-address block shown in the earlier figure.



IPv4 Address: Classless Address/Address Blocks


• Number of Addresses: The number of addresses in the block is the difference
between the last and first address plus one. It can also be found directly with the
formula 2^(32 - n).
• Find the number of addresses for the block 205.16.37.39/28.
• Solution
• The value of n is 28, so the number of addresses is 2^(32 - 28) = 2^4 = 16
(205.16.37.47 - 205.16.37.32 + 1 = 16).


IPv4 Address: Classless Address/Address Blocks


• Another way to find the first address, the last address, and the number of addresses is
to represent the mask as a 32-bit binary (or 8-digit hexadecimal) number.
• We know that one of the addresses is 205.16.37.39/28. What are the first address, the
last address and the number of addresses in the block?
• For example, the /28 mask can be represented as 11111111 11111111 11111111 11110000
(twenty-eight 1s and four 0s), or 0xfffffff0. Find:
• a. The first address, by ANDing the given address with the mask

• b. The last address, by ORing the given address with the complement of the mask

• c. The number of addresses: 2^(32 - n), where n is the CIDR prefix length

• d. The number of usable hosts: 2^(32 - n) - 2, because the first address (network
address) and the last address (directed broadcast) cannot be assigned to hosts (this
applies for n <= 30)



IPv4 Address: Classless Address/Address Blocks


Solution:
• a. The first address is found by ANDing the given address with the mask:
205.16.37.39 AND 255.255.255.240 = 205.16.37.32


IPv4 Address: Classless Address/Address Blocks


• b. The last address is found by ORing the given address with the complement of the
mask:
205.16.37.39 OR 0.0.0.15 = 205.16.37.47

• c. The number of addresses is found by complementing the mask (0.0.0.15),
interpreting it as a decimal number (15), and adding 1 to it: 16 addresses.



Private & Public IP Addresses

Property          Private IP                                  Public IP
Where used        Local networks                              Global networks (the Internet)
Uniqueness        Locally unique                              Globally unique
Routability       Not routable on the Internet; Internet      Routable on the Internet and recognized
                  routers drop them                           over the Internet
Assigned by       LAN administrator or DHCP                   ISP or regional registry, under IANA
Cost              Free of charge                              Cost associated with using a public IP
Address ranges    Class A: 10.0.0.0 - 10.255.255.255          Class A: 1.0.0.0 - 9.255.255.255,
(RFC 1918)        Class B: 172.16.0.0 - 172.31.255.255                 11.0.0.0 - 126.255.255.255
                  Class C: 192.168.0.0 - 192.168.255.255      Class B: 128.0.0.0 - 172.15.255.255,
                                                                       172.32.0.0 - 191.255.255.255
                                                              Class C: 192.0.0.0 - 192.167.255.255,
                                                                       192.169.0.0 - 223.255.255.255

• The private ranges are the three blocks of RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and
192.168.0.0/16. The public ranges above skip them, and also skip 0.0.0.0/8 (reserved)
and 127.0.0.0/8 (loopback); link-local 169.254.0.0/16 is likewise not publicly routable.
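The mask arithmetic of the 205.16.37.39/28 worked example and the private-range table above use the same operation: AND an address with a prefix mask and compare. The block below is an added example, not part of the slides. It computes first address, last address, address count and host count from the prefix exactly as the slides describe (AND with the mask, OR with its complement), checks whether an address falls in one of the RFC 1918 blocks, and uses Python's standard ipaddress module only to cross-check the hand computation; the function names are my own.

```python
# Added example (not from the slides): classless address arithmetic by hand,
# plus an RFC 1918 private-range check built on the same mask logic.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted):
    """'205.16.37.39' -> 32-bit integer; rejects malformed octets."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(n):
    """32-bit mask with the n leftmost bits set (the /n of CIDR notation)."""
    if not 0 <= n <= 32:
        raise ValueError(f"prefix length out of range: {n}")
    return (ALL_ONES << (32 - n)) & ALL_ONES


def describe_block(cidr):
    """First/last address, mask and counts for any address given in CIDR form."""
    addr, n = cidr.split("/")
    n = int(n)
    a = ip_to_int(addr)
    mask = prefix_mask(n)
    inv_mask = mask ^ ALL_ONES            # complement of the mask
    first = a & mask                      # (a) AND with the mask
    last = a | inv_mask                   # (b) OR with the complement
    count = inv_mask + 1                  # (c) equals 2 ** (32 - n)
    # (d) network and broadcast are unusable, except for /31 and /32 (no such pair)
    hosts = count - 2 if n <= 30 else count
    return {"first": int_to_ip(first), "last": int_to_ip(last),
            "mask": int_to_ip(mask), "mask_hex": f"{mask:08x}",
            "count": count, "hosts": hosts}


RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def in_block(addr, cidr):
    """True if addr lies inside the block cidr: both must agree under the mask."""
    net, n = cidr.split("/")
    mask = prefix_mask(int(n))
    return ip_to_int(addr) & mask == ip_to_int(net) & mask


def is_private(addr):
    return any(in_block(addr, block) for block in RFC1918_BLOCKS)


def cross_check(cidr):
    """Compare the hand computation with the standard library."""
    net = ipaddress.ip_network(cidr, strict=False)
    d = describe_block(cidr)
    return (d["first"] == str(net.network_address)
            and d["last"] == str(net.broadcast_address)
            and d["count"] == net.num_addresses)


if __name__ == "__main__":
    print(describe_block("205.16.37.39/28"))
    print(describe_block("128.143.137.144/16"))
    for ip in ("172.31.5.9", "172.32.0.1", "192.168.200.1", "192.169.0.1"):
        print(ip, "private" if is_private(ip) else "public")
```

The 172.16.0.0/12 block is the one people get wrong by hand: 172.31.255.255 is private but 172.32.0.1 is not, because the /12 mask (255.240.0.0) keeps only the top four bits of the second octet. Running is_private over an allow-list or firewall rule set is a cheap way to catch such off-by-one ranges.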

Network Address Translation (NAT)


• NAT is used to translate private IP addresses to public addresses that can be routed
over the Internet or translate public IP addresses to private IP addresses.
• One public IPv4 address can be used for thousands of devices that have private IP
addresses.



Types of NAT
• [1] Static NAT:
• Static address translation (static NAT) assigns one public IP address to one private IP
address
• Commonly used for servers that need to be accessed by external devices or for devices that
must be accessible by authorized personnel when offsite
• One-to-one address mapping between local and global addresses


Types of NAT
• [2] Dynamic NAT:
• Dynamic NAT assigns a public IP address from a pool of addresses to an internal
device with a private IP address when that device first sends traffic to a network
outside the company; the mapping is held for the lifetime of the translation entry.
• Addresses are assigned on a first-come, first-served basis.
• The number of internal devices that can transmit outside the company at the same
time is limited to the number of public IP addresses in the pool.



Types of NAT
• [3] Port Address Translation (PAT):
• PAT (also known as NAT overload) can use one public IPv4 address to allow thousands
of private IPv4 addresses to communicate with outside network devices.
• Uses source port numbers to track each session.

• (Figure: translation table with source address and destination address columns.)


Types of NAT
• [3] Port Address Translation (PAT):
• Next available port
 PAT tries to preserve the original source port number.
 If that port number is already in use on the public address, PAT assigns the first
available port number from the same port group as the original:
o 0 - 511
o 512 - 1023
o 1024 - 65,535
 When no more port numbers are available in that group, PAT moves to the next
public IP address in the pool, if there is one.
• Figure notes:
 1. Traffic from two different internal devices arrives using the same source port
number.
 2. PAT sends both out with the same public address but two different port numbers.
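The port-allocation rule just described (keep the original source port when free, otherwise take the first free port in the same group, then fall through to the next public address) is easy to get subtly wrong, so here it is as an added example, not code from the slides or from any router vendor. It is a simplified model: real implementations key translations on the full 5-tuple and expire entries; this one tracks ports per public address and never ages them out. The class and function names, the pool addresses and the sample flows are assumptions for illustration.

```python
# Added example (not from the slides): a minimal PAT (NAT overload) table that
# follows the port-preservation and port-group rule described above.

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def group_of(port):
    """The (low, high) port group an original source port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"invalid port: {port}")


class PatTable:
    def __init__(self, public_pool):
        self.pool = list(public_pool)                 # ordered list of public addresses
        self.in_use = {ip: set() for ip in self.pool}  # public ports taken per address
        self.outbound = {}   # (priv_ip, priv_port, dst) -> (pub_ip, pub_port)
        self.inbound = {}    # (pub_ip, pub_port, dst)   -> (priv_ip, priv_port)

    def _allocate(self, priv_port):
        """Pick (public_ip, public_port) following the slide's rule."""
        lo, hi = group_of(priv_port)
        for pub_ip in self.pool:
            used = self.in_use[pub_ip]
            if priv_port not in used:                 # 1. keep the original port
                return pub_ip, priv_port
            for candidate in range(lo, hi + 1):       # 2. first free port in same group
                if candidate not in used:
                    return pub_ip, candidate
            # 3. group exhausted on this address: try the next public IP in the pool
        raise RuntimeError("PAT pool exhausted for port group %d-%d" % (lo, hi))

    def translate_out(self, priv_ip, priv_port, dst):
        """Outbound packet: return the (public_ip, public_port) it leaves with."""
        key = (priv_ip, priv_port, dst)
        if key not in self.outbound:
            pub_ip, pub_port = self._allocate(priv_port)
            self.in_use[pub_ip].add(pub_port)
            self.outbound[key] = (pub_ip, pub_port)
            self.inbound[(pub_ip, pub_port, dst)] = (priv_ip, priv_port)
        return self.outbound[key]

    def translate_in(self, pub_ip, pub_port, src):
        """Reply packet from src: the inside host it belongs to, or None.

        None means no session initiated it; unsolicited inbound traffic is dropped,
        which is the incidental 'firewall' effect of PAT.
        """
        return self.inbound.get((pub_ip, pub_port, src))


def demo():
    """Two inside hosts pick the same source port (the figure's case)."""
    pat = PatTable(["203.0.113.1"])
    web = ("198.51.100.7", 80)                                   # outside server
    a = pat.translate_out("192.168.1.10", 1331, web)             # port preserved
    b = pat.translate_out("192.168.1.11", 1331, web)             # collision: rewritten
    reply_target = pat.translate_in("203.0.113.1", b[1], web)    # reply finds host 11
    return a, b, reply_target


if __name__ == "__main__":
    print(demo())
```

The second host's port 1331 collides on the single public address, so it leaves as 1024, the first free port in the 1024-65,535 group; the reply to port 1024 is mapped back to 192.168.1.11:1331. A packet arriving for a public port with no entry returns None and should be dropped.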



TCP Protocol
• TCP is a reliable, connection-oriented delivery service:
o Connection-oriented means that a connection must be established (the three-way
handshake) before hosts can exchange data.
o Reliability is achieved by assigning a sequence number to each byte transmitted; the
sequence number in a segment's header is that of its first data byte.
o TCP peers, the two nodes using TCP to communicate, acknowledge the segments they
receive.
o A TCP segment is the protocol data unit (PDU) consisting of the TCP header and
the TCP payload, as presented in the next figure. For each TCP segment sent
containing data, the receiving host must return an acknowledgment (ACK). If an
ACK is not received within a calculated time (the retransmission timeout), the TCP
segment is retransmitted.


UDP Protocol
• UDP provides a connectionless datagram service that offers unreliable, best-effort
delivery of data transmitted in messages. This means that neither the arrival of a datagram
nor the correct ordering of delivered datagrams is guaranteed, and UDP does not retransmit
lost data.
• UDP messages consist of a UDP header and a UDP payload, as presented in the next figure.

• Applications use UDP if they do not require an acknowledgment of receipt of data, and they
typically transmit a small amount of data at one time.
• NetBIOS name service, NetBIOS datagram service, and SNMP are examples of services
and applications that use UDP.



TCP Header Diagram


• As a security professional, you should know the critical components of a TCP header:
TCP flags, the initial sequence number, and source and destination port numbers.


TCP-Header- TCP Flag


• Each TCP flag occupies 1 bit of the TCP header and can be set to 0 (off) or 1 (on).
These are the six original flags of a TCP segment (three more, CWR, ECE and NS, were
added later for explicit congestion notification):
1. SYN flag: The synchronize flag signifies the beginning of a session.
2. ACK flag: The acknowledgment flag indicates that the acknowledgment number field
is valid. It is first sent by the client after receiving a SYN-ACK packet, and it is set
on nearly every segment after that.
3. PSH flag: The push flag asks the receiver to deliver data directly to the
application instead of buffering it.
4. URG flag: This flag signifies urgent data (the urgent pointer field is valid).
5. RST flag: The reset flag resets or drops a connection.
6. FIN flag: The finish flag signifies that the sender has no more data to send.



TCP Flags and Values

Bit position:   9         8     7     6     5     4     3     2     1     0
Decimal value:  -         256   128   64    32    16    8     4     2     1
Flag:           Reserved  NS    CWR   ECE   URG   ACK   PSH   RST   SYN   FIN
Example:                  0     0     0     0     1     0     1     0     0

• The flag bits are read as one binary number. If ACK and RST are sent together, the
value is 16 + 4 = 20 in decimal = 0x14 in hexadecimal (binary 000010100).
• NS is the nonce sum bit and ECE the ECN-Echo bit; tools such as Wireshark and nmap
show the value in hexadecimal.

TCP flags          Decimal value          Hex value
SYN + ACK          2 + 16 = 18            0x12
RST + ACK          4 + 16 = 20            0x14
PSH + ACK          8 + 16 = 24            0x18
FIN + PSH + URG    1 + 8 + 32 = 41        0x29
URG                32                     0x20
PSH                8                      0x08
And so on.
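The flag arithmetic above and the three-way handshake described earlier come together when you decode a real header: the flags live in the low nine bits of the 16-bit word that also holds the data offset, and each handshake step is recognised by which bits are set. The following is an added example, not code from the slides: it packs and parses minimal 20-byte TCP headers with Python's struct module, converts flag names to the decimal and hex values in the table, and classifies the three handshake segments. The headers and the initial sequence numbers are constructed, not captured.

```python
# Added example (not from the slides): encode/decode TCP flag values and
# walk a constructed three-way handshake through a header parser.
import struct

# Bit value of each flag; dict order is low bit to high bit.
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16,
             "URG": 32, "ECE": 64, "CWR": 128, "NS": 256}

TCP_HEADER_FMT = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, csum, urgptr


def flags_value(*names):
    """Decimal value of a flag combination, e.g. flags_value('SYN', 'ACK') == 18."""
    return sum(FLAG_BITS[n] for n in names)


def flag_names(value):
    """Flag names set in a 9-bit value, low bit first: 0x14 -> ['RST', 'ACK']."""
    return [n for n, bit in FLAG_BITS.items() if value & bit]


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Minimal 20-byte header (data offset 5 words); checksum left at zero."""
    offset_and_flags = (5 << 12) | (flags & 0x1FF)   # 4 bits offset, 3 reserved, 9 flags
    return struct.pack(TCP_HEADER_FMT, sport, dport, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header from raw bytes."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        TCP_HEADER_FMT, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,     # header length in bytes
            "flags": off_flags & 0x1FF, "window": window}


def classify(flags):
    """Name the role of a segment from its flag bits (RST wins over everything)."""
    syn, ack = flags & FLAG_BITS["SYN"], flags & FLAG_BITS["ACK"]
    if flags & FLAG_BITS["RST"]:
        return "RST"
    if syn and not ack:
        return "SYN (handshake step 1)"
    if syn and ack:
        return "SYN-ACK (handshake step 2)"
    if flags & FLAG_BITS["FIN"]:
        return "FIN"
    if ack:
        return "ACK (step 3 or data)"
    return "other"


def handshake_trace(client_isn=1_000_000, server_isn=5_000_000):
    """Build the three handshake segments, parse them back, and report each one.

    The ISNs are constructed values; a real stack randomizes them.
    """
    segments = [
        build_tcp_header(40000, 80, client_isn, 0, flags_value("SYN")),
        build_tcp_header(80, 40000, server_isn, client_isn + 1, flags_value("SYN", "ACK")),
        build_tcp_header(40000, 80, client_isn + 1, server_isn + 1, flags_value("ACK")),
    ]
    trace = []
    for raw in segments:
        h = parse_tcp_header(raw)
        trace.append((classify(h["flags"]), f"0x{h['flags']:02x}", h["seq"], h["ack"]))
    return trace


if __name__ == "__main__":
    for step in handshake_trace():
        print(step)
```

Note that the SYN-ACK acknowledges client_isn + 1 and the final ACK acknowledges server_isn + 1: the SYN consumes one sequence number even though it carries no data, which is why an attacker who can predict a victim's ISN can forge that third segment (the session hijacking mentioned on the next slide).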


TCP Communication Flags

(Figure: six numbered panels, 1 to 6, illustrating TCP flag exchanges.)


TCP-Header- Initial Sequence Number


• The initial sequence number (ISN) is the 32-bit starting value of a connection's
sequence numbers; the sequence numbers that follow it let the receiver detect lost and
out-of-order segments and reassemble the byte stream in order.
• Steps 1 and 2 of the three-way handshake each carry an ISN.
• That is, the ISN from the sending node is sent with the SYN packet, and the ISN from
the receiving node is sent back to the sending node with the SYN-ACK packet.
• An ISN can be quite a large number because 2^32 allows a range from zero to more
than four billion.
• Many network attacks have used session hijacking, an attack that relies on guessing
the ISNs of TCP packets. Early stacks chose ISNs predictably (for example, incrementing by
a fixed amount per connection); modern stacks randomize them (RFC 6528) precisely so
that an off-path attacker cannot forge the segments of someone else's connection.


TCP/IP Communication


Creating Custom Packet Using Colasoft Packet Builder


https://www.colasoft.com/packet_builder/

Creating Packet Colasoft Packet Builder


• Colasoft Packet Builder provides several ways to create packets:
o Users can import an existing packet trace file created by sniffer software such as Colasoft
Capsa, Wireshark, Network General Sniffer, and WildPackets EtherPeek/OmniPeek.

o Users can use the Add or Insert Packet command in the Edit menu or toolbar to create a new
packet; Colasoft Packet Builder provides several commonly used packet templates: Ethernet
packet, ARP packet, IP packet, TCP packet, and UDP packet.

o If Colasoft Capsa is installed, users can also send packets from Capsa to Packet Builder
on the fly.

o Colasoft Packet Builder supports an auto-checksum feature. Users enable it with the
Checksum button in the toolbar; Packet Builder then recalculates the IP, TCP, ICMP, and
UDP checksums automatically every time the packet data changes (see the figure below).



Types of Attacks in OSI Layer


• There is a set of attacks associated with each OSI layer (see figure).


Types of Attacks in OSI Layer


• Attacks in detail (see figure).


