TCP – Transmission Control Protocol

• Connection oriented
• Sequenced packets
• Acknowledgement is sent back for received packets
• If no acknowledgement then packet is resent
• Packets are re-sequenced
• Manageable data flow is maintained

Note: TCP and UDP use dynamic port numbers greater than 1023

UDP

• Best effort
• Doesn’t care about sequence order
• Connectionless
• Less overhead and faster than TCP

Planning to take the CISSP Exam? Get a copy of my personal notes (300plus pages worth) that I used to pass the exam for only $25.00. Click the Add To Cart Button to Purchase Plus you will also get copies of notes from other CISSPs. Learn more about this package by visiting this blog entry: CISSP REVIEW NOTES I USED TO PASS THE EXAM. CLICK BELOW TO MAKE YOUR PURCHASE NOW. All Purchases are securely processed through Paypal. Once you click the button please check your shopping cart at the upper right hand side of the page to complete your order. IMPORTANT NOTICE: I MANUALLY REVIEW ALL ORDERS. SO ONCE YOU PURCHASE THE PRODUCT, THERE WILL BE SOME DELAY ON YOU RECEIVING AN E-MAIL FROM ME WITH THE LINK TO THE DOWNLOAD AREA OF THE PRODUCT. YOU WILL GET A RESPONSE FROM ME WITHIN 24-48 HOURS.

Internet Layer Protocols

IP – Internet Protocol

• All hosts on a network have an IP address
• Each data packet is assigned the IP address of the sender and the receiver
• It provides an “unreliable datagram” services
• Provides:
  • No guarantees that the packet will be delivered
  • No guarantee that the packet will be delivered only once
  • No guarantee that it will be delivered in the order in which it was sent

ARP – Address Resolution Protocol

• Use the IP Address to get the MAC address
• MAC Address is 48 bit
• IP address is 32 bit
• Only broadcast to network first time, otherwise stores IP and MAC info in table

RARP – Reverse Address Resolution Protocol

• Use the MAC address to get the IP address
• RARP Server tells diskless machines’ IP address

ICMP – Internet Control Message Protocol

• Management Protocol and messaging service provider for IP
• Sends messages between network devices regarding the health of the network
• Ping is ICMP packet
• Ping checks if a host is up and operational

Note: TCP/IP does not define physical standards it uses existing ones

Other TCP/IP Protocols

Telnet

• Terminal Emulation
• No File Transfer

FTP

• File Transfer Protocol
• Can not execute files

TFTP

• Trivial FTP
• No directory browsing capabilities, no authentication
• Can only send and receive files
• UDP-base file transfer program that provides no security

NFS – Network File Sharing

SMTP – Delivers e-mails

X-Windows – For writing graphical interface applications

SNMP

• Simple Network Management Protocol
• Provides for the collection of network information by polling the devices on the network from a management station
• Sends SNMP traps (notification) to  MIBS – Management Information Bases

Bootstrap Protocol (BootP)

• Diskless bootup
• BootP server hears the request and looks up the client’s MAC address in its BootP file
• Internet Layer Protocol

TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.

Planning to take the CISSP Exam? Get a copy of my personal notes (300plus pages worth) that I used to pass the exam for only $25.00. Click the Add To Cart Button to Purchase Plus you will also get copies of notes from other CISSPs. Learn more about this package by visiting this blog entry: CISSP REVIEW NOTES I USED TO PASS THE EXAM. CLICK BELOW TO MAKE YOUR PURCHASE NOW. All Purchases are securely processed through Paypal. Once you click the button please check your shopping cart at the upper right hand side of the page to complete your order. IMPORTANT NOTICE: I MANUALLY REVIEW ALL ORDERS. SO ONCE YOU PURCHASE THE PRODUCT, THERE WILL BE SOME DELAY ON YOU RECEIVING AN E-MAIL FROM ME WITH THE LINK TO THE DOWNLOAD AREA OF THE PRODUCT. YOU WILL GET A RESPONSE FROM ME WITHIN 24-48 HOURS.

A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine.

If source-routing is turned off, the hacker can use “blind” hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.

A hacker can also be “inline” between B and C using a sniffing program to watch the conversation. This is known as a “man-in-the-middle attack”.

A common component of such an attack is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine to force it to crash, or against the network connection to force heavy packet loss. (Source: http://en.wikipedia.org/wiki/Session_hijacking).

Common Session Hijacking Attacks

• IP Spoofing
  • Used to convince a system that it is communication with a known entity that gives an intruder access
  • Involves altering the packet at the TCP level
  • The attacker sends a packet with an IP source address of a known, trusted source
• E-mail Spoofing
  • The forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source
• TCP Sequence Number
  • Tricks the target in believing that it’s connected to a trusted host and then hijacks the session by predicting the target’s choice of an initial TCP sequence number
  • Used to launch various other attacks on other hosts