Chapter 2 System Fundamentals Flashcards
- Network Topologies
- Physical Layout (List 5 types)
- Logical Layout
- Network topologies - represent the physical side of a network, as well as the foundation of our overall system
- Physical Layout - relates directly to the wiring & cabling that connect devices
- Bus, ring, star, mesh, & hybrid topologies
- Logical Layout - the flow of information or other data, the stuff you can’t readily see or touch OR how traffic enters the NW
Bus Topology
- lays out all connecting nodes in a single run that acts as the common backbone connection for all connected devices
- Analogy: such as a person on a bus, signals get on, travel to their destination, and get off
- Downside to its simplicity is its vulnerability. All connectivity is lost if the bus backbone is damaged
- Imagine Christmas lights, if one turns off, they all turn off
Token
A token is passed around for permission to transmit
This token-based method is only used by the Bus Topology
Ring Topology
the common backbone is looped in a ring; some ring layouts use a concentric circle design to provide redundancy if one ring fails (not required).
each client or node attaches to the ring & delivers packets according to its designated turn or availability of the token
Star Topology
one of the most common because of its ease of setup & isolation of connectivity problems, meaning a single node of a star can go offline without affecting other nodes;
A star topology attaches multiple nodes to a centralized NW device, a hub or a switch, that ties the NW together
Mesh Topology
essentially a web of cabling that attaches a group of clients or nodes to each other;
can look a little messy and convoluted, but this setup is often used for mission-critical services because of its high level of redundancy & resistance to outages.
The internet was designed to survive a nuclear attack and is built as one large mesh NW
Hybrid Topology
By far most common in use today;
A hybrid layout combines different topologies into one mixed topology; it takes the best of other layouts and uses them to its advantage
OSI
Open Systems Interconnection Model is an industry standard for data communication; data travels from one end to another, & each layer communicates with the next
The OSI model has 7 layers
- Application Layer (App Layer)
- Presentation Layer (App Layer)
- Session Layer (App Layer)
- Transport Layer (Host 2 Host Transport)
- NW Layer (Internet Layer, strictly deals with IP addresses)
- Data Link Layer (NW Interface Layer, strictly deals with MAC addresses)
- Physical (NW Interface Layer)
Layer 1: Physical Layer
consists of the physical media & devices that make up the infrastructure of our NWs;
- Attack considerations are aligned with the physical security of site resources
- Examples: cabling, connections, fiber optics, microwave transmission equipment
- Stuxnet - a worm named Stuxnet shows up on the scene, wreaking havoc & destroying industrial equipment; it replicated itself via removable drives (physical layer)
Layer 2: Data Link Layer
works to ensure that the data it transfers is free of errors;
Functions such as media access control (MAC) & link establishment occur at this layer; as well as basic protocols such as 802.3 for Ethernet & 802.11 for WiFi
MAC
Media Access Control - unique identifier assigned to network interfaces for communications on the physical network segment
Layer 3: NW Layer
determines the path of data packets based on protocol used;
At this layer, we see IP addressing for routers
Routing Information Protocol
prevents routing loops by limiting the # of hops allowed in a path from source to destination
Layer 4: Transport Layer
ensures the transport or sending of data is successful;
Layer 5: Session Layer
identifies established system sessions between different NW entities
When accessing a system remotely, you are creating a session between your computer & the remote system;
NetBIOS & RPC are found here
NetBIOS
LAN
RPC
Network Basic Input/Output System - a program that allows applications on different computers to communicate within a LAN
LAN - a computer NW that interconnects computers within a limited area using NW media
Remote Procedure Call - inter-process communication that allows a computer program to execute in another address space
Most attacks reside within layers 3, 4, & 5, which are NW, Transport, & Session
Layer 6: Presentation Layer
provides translation of data that is understandable by the next receiving layer
& can optionally be encrypted with protocols such as SSL (Secure Sockets Layer)
SSL
Secure Sockets Layer - standard security technology for establishing an encrypted link between web server & browser
Layer 7: Application Layer
functions as a user platform in which the user & SW processes within the system can operate & access NW resources
Apps & SW suites that we use on a daily basis are under this layer; includes protocols such as FTP and HTTP
TCP
3 way handshake
connection-oriented protocol that establishes connection & verifies the packets sent across that connection make it to their destination
3 way handshake - Process starts with a SYN packet that tells the receiving system that another system wants to connect; (random seq #1000)
The receiving system responds with a SYN-ACK (random seq #2585)
Then an ACK is sent back verifying, and the connection is initiated (#1001)
3 way handshake, SYN, SYN-ACK, ACK explained
SYN (start)
SYN-ACK (acknowledge start)
ACK (acknowledge the acknowledge)
IP Subnetting
Purpose: if you can subnet, you can pinpoint a target & know how to go after it in the most efficient & effective way
Knowing a few IP addresses can give you a clue as to how an organization’s NW is laid out
Defined: Subnetting is a sequential breakdown of IP addresses based on desired NW size & host quantity
NW bits & host bits are manipulated by the subnet mask;
The mask is used to determine what subnet an IP address belongs to. An IP address has two components, the NW address & the host address
Localhost Loopback Address
NW Address
Broadcast Address
CIDR
Loopback : 127.0.0.1 is a hostname that refers to this computer & is used to access this computer’s own NW services via its loopback NW interface
NW Address : address that identifies the subnet of a host
Broadcast Address: an IP address that allows information to be sent to all machines on a given subnet rather than a specific machine
Classless Inter-Domain Routing: CIDR Value is equivalent to the # of ON bits in a 32 bit address going left to right
IP Address 150.215.017.009
If this NW is divided into 14 subnets, identify the subnet mask and subnet address
For the Subnet Mask, the first 16 bits (network address) are all set to 1.
The host address is determined by how much space is needed for the 14 subnets. 16 is the closest bit to turn on to accommodate the 14 subnet addresses, so 256-16 = 240 making the subnet mask 255.255.240.0
As for the subnet address, it becomes the inverse, 255.255.16.0
Basic Slash Notation
IP Address (Subnet) 192.168.1.15
CIDR (Netmask): 24
Identify the NW address & Broadcast address of a subnet
Convert everything to binary
CIDR defines the # of bits that are on, so out of the 32 bits in an IP address, the first 24 from left to right are 1s
To find the NW address, we want to apply the bitwise AND between the IP address & the Netmask.
NW Address = 192.168.1.0
To find the broadcast address, we want to use the bitwise OR operator between the NW address & the inverse of the Netmask
Broadcast address = 192.168.1.255
What are bits, nibbles, & a byte
Bits are 1s and 0s
Nibbles are 4 bits
A byte is 2 nibbles
Ports
List of Well-Known Ports
allows computers to send data out the door while simultaneously identifying that data by category
These ports range from 1-1024
- FTP 20-21
- SSH 22
- Telnet 23
- SMTP 25
- WINS 42
- DNS 53
- HTTP 80, 8080
- Kerberos 88
- Computer NW authentication protocol, authenticates requests for a service in a computer NW
- POP3 110
- Portmapper-Linux 111
- Makes RPC Calls
- NTP 123
- RPC-DCOM 135
- SMB 139
- IMAP 143
- SNMP 161, 162
- LDAP 389
- CIFS 443
- Syslog 514
- Secure LDAP 636
Registered Ports
These ports are the ones that have been identified as usable by other applications running outside of the user’s present purview.
Registered ports range from 1025-49151.
- WINS 1512
- Windows Internet Naming Service - maps NetBIOS names to IP addresses; solves problem of NetBIOS name resolution in routed environments
- Socks5 1080
- routes NW packets between client & server through an application proxy, which is different from a normal proxy; an example would be when using an HTTP proxy, you are actually forwarding an HTTP request, and the HTTP proxy server then performs the request on your behalf
- Nessus Server 1241
- SQL Server 1433, 1434
- Citrix Applications 1494, 2598
- Oracle Listener 1521
- Citrix Mgmt 2512, 2513
- RDP 3389
- IRC 6662-6667
- Internet Relay Chat - Application layer protocol that facilitates transfer of messages in the form of text
Proxy Server
a server that sits between client applications, such as between a web browser and server
Dynamic Ports
free ports available for use by TCP, UDP requests made by an application
These ports range from 49152 - 65535
DNS
DNS Hacking
AD
database that contains names translated to IP addresses that can be queried by any DNS-aware application
The internet root servers, or top level servers, contain addresses of the DNS servers for all top-level domains, .com, .org, etc. Each top-level server contains a DNS database of all names & addresses in that domain
Local NWs isolated from the Internet may use their own domain name systems through the use of DNS mgmt SW. These names are typically the same as those used by the Internet implementation
Hacking - if an attacker manipulates DNS, in modern day environments, applications may not work without DNS present & functioning; Ex. Microsoft AD wouldn’t work without DNS present or accessible
Active Directory - special-purpose database for Windows that handles a large # of read & search operations
Networking Devices: Routers (& Switches)
Routers work at layer 3 by directing packets & connecting different NWs
Routers are also used as a gateway between different types of NWs, such as different NWs or IP ranges, or NWs that don't understand each other's protocols
i.e. you can't just jam a fiber-run T1 connection into a client computer & have a fast NW; the NIC (NW interface card) is not capable of speaking the same language as the outside connection; routers bridge that gap and allow different protocols on different NWs to communicate
Routers use NAT (NW Address Translation), which allows internal NW clients to share a single public IP address for access to the outside world. A router has two interfaces: one for the outside world & one for the internal NW
The public side is assigned a public IP address purchased from the local ISP; the internal side is connected to the local intranet, which contains all of your internal IPs & protected resources; internally, you can create your own IP schemes. When an internal client makes a request to an outside resource, the router receives the traffic & sends it out the public side with its public IP, safeguarding the client's internal IP address
NAT is great for security and also conserves IP addresses, cutting cost for the ISP
Switches
MAC
Finding MAC address
Switches create multiple broadcast (multicast) domains & collision domains for each port; they deliver data or frames based on the HW addresses (MAC addresses) of the destination computers/devices; considered a Layer 2 device (a few modern switches operate at Layers 2 & 3)
MAC or Media Access Control addresses are permanent identifiers burned into each NIC by the manufacturer; broken down into 6 pairs of hexadecimal digits, i.e. c0-cb-38-ad-2b-c4; the 1st half (3 pairs) identifies the vendor, the 2nd half identifies the NIC or device
Finding MAC address: cmd command for Windows –> ipconfig /all
for Linux: ifconfig
Hubs
Hubs are similar to switches but are considered dumb devices;
they operate at layer 1, the physical layer; they forward the data they receive with no filtering or directing of traffic, which is why they are considered layer 1
Switches: Understanding broadcast domains & collision domains
Hubs
A broadcast domain allows traffic to be broadcast to all connected nodes
ARP requests (Address Resolution Protocol), which are sent to the NW to resolve HW addresses, are an example of broadcast-domain traffic
Collision domains are NW segments in which traffic sent will potentially collide w/ other traffic; in a collision domain, traffic will not be sent to a broadcast, it will collide w/ other traffic on the wire
So what this means is when you throw your little penetration testing laptop on a wire & connect to a switch, no matter how promiscuous your NIC is, your captured traffic will be limited to the collision domain
In current modern-day technology, sniffing a Wi-Fi NW allows you to capture traffic from all of its clients; not limited to a particular switchport collision domain
Hubs: similar to switches but are dumb devices that make no decision in data direction or addressing
Proxies (& Firewalls)
These are devices deliberately put in place to prevent unauthorized access; only as effective as their configuration, & the configuration is only as effective as the admin creating it
Proxies work at the Layer 7 application layer & can be used for caching & filtering of web content. They work in the middle of the traffic path, acting as an intermediary between internal NW client systems & outside untrusted entities; they prevent the client from communicating directly with the outside source
Benefits of Proxies - protection of internal client systems, reducing exposure & risk
Acts as middleman, protecting clients from themselves
Speed up browsing by caching frequently visited websites & resources
(Proxies) & Firewalls
Includes proxy firewalls; filter outgoing traffic requests & verify legitimate traffic; firewall attacks are intended to circumvent rather than a head-on assault;
Mainly broken into these categories
- Packet Filtering
- Packet filtering firewalls look at the header information (such as IP address or port) of packets to determine legitimate traffic; inspects packets at the most granular level possible & improves traffic efficiency
- Stateful packet filtering (keeps records of interaction)
- determines legitimacy based on the state of the connection from which traffic originated
- (web) Application proxies (mentioned in last card, client to outside untrusted entities)
IPS & IDS
both are reasons to cover your tracks & keep a low profile
IDS - intrusion detection system - detect any suspicious NW activity & notifies admin, passive in nature; similar to a burglar alarm that alerts you, but doesn’t stop the burglar
IPS - intrusion prevention system - proactive & preventive, senses potential malicious activity on NW & takes steps to prevent further damage and thwart further attacks
Holistic vs focused process
securing a NW is a holistic process where the entire system as a whole is more important than the individual tools that create the system
breaking into a NW, however, is a focused process; you have to consider each part of the system & plan accordingly; you could sabotage an entire NW if you take the right steps in preparing
Typical Enterprise NW

Archive
Archive bit
Archive - used to compress files to use less space or to organize several files into one for portability or storage
Archive Bit - used in certain OSs, it indicates whether or not a file needs to be backed up
Backup
Types of backups
backup - making extra copies
- Full backup - a full backup resets the archive bit of all files & backs them up accordingly
- Differential backup - backs up all changed files since the last successful full backup. Does not reset the archive bit; creates one large file and fully restores off of the latest differential backup (full is not needed)
- Incremental Backup - backs up all changed files since the last full backup OR since the last incremental; does not reset the archive bit; creates several small backup jobs; the last full backup + incrementals are needed to restore
Windows Vs. Linux (regarding port scans)
Windows systems respond to port scans, but Linux does not!!!