Chapter 2 System Fundamentals

Question 1

1. Network Topologies
   
   • Physical Layout (List 5 types)
   • Logical Layout

Answer 1

1. Network topologies - represent the physical side of a network, as well as the foundation of our overall system
   
   • Physical Layout - relates directly to the wiring & cabling that connect devices
     
     • Bus, ring, star, mesh, & hybrid topologies
   • Logical Layout - the flow of information or other data, the stuff you can’t readily see or touch OR how traffic enters the NW

Question 2

Bus Topology

Answer 2

• lays out all connecting nodes in a single run that acts as the common backbone connection for all connected devices
• Analogy: such as a person on a bus, signals get on, travel to their destination, and get off
• Downside to its simplicity is its vulnerability. All connectivity is lost if the bus backbone is damaged
• Imagine Christmas lights, if one turns off, they all turn off

Question 3

Token

Answer 3

A token is used to be passed around for permission to transmit

This token-based method is only used by the Bus Topology

Question 4

Ring Topology

Answer 4

the common backbone is looped in a ring; some ring layouts use a concentric circle design to provide redundancy if one ring fails (not required).

each client or node attaches to the ring & delivers packets according to its designated turn or availability of the token

Question 5

Star Topology

Answer 5

one of the most common bc of its ease of setup & isolation of connectivity problems, meaning a single node of a star can go offline without affecting other nodes;

A star topology attaches multiple nodes to a centralized NW device, a hub or a switch, that ties the NW together

Question 6

Mesh Topology

Answer 6

essentially a web of cabling that attaches a group of clients or nodes to each other;

can look a little messy and convoluted, but this setup is often used for mission critical services bc of its high level of redundancy & resistance to outages.

The internet was designed to survive a nuclear attack and is built as one large mesh NW

Question 7

Hybrid Topology

Answer 7

By far most common in use today;

A hybrid layout combines different topoologies into one mixed topology; it takes the best of other layotus and uses them to its advantage

Question 8

OSI

Answer 8

Open Systems Interconnection Model is an industry standard for data communication; data travels from one end to another, & each layer communicates with the next

The OSI model has 7 layers

1. Application Layer (App Layer)
2. Presentation Layter (App Layer)
3. Session Layer (App Layer)
4. Transport Layer (Host 2 Host Transport)
5. NW Layer (Internet Layer, strictly deals with IP addresses)
6. Data Link Layer (NW Interface Layer, strictly deals with MAC addresses)
7. Physical (NW Interface Layer)

Question 9

Layer 1: Physical Layer

Answer 9

consists of the physical media & devices that make up the infrastructure of our NWs;

• Attack considerations are aligned with the physical security of site resources*
• Examples: cabling, connections, fiber optics, microwave transmission equipment*
• Stuxnet - a worm named Stuxnet shows up on the scene - wreaking havac & destroying industrial equipment; it replicated itself via removable drives (physical layer)*

Question 10

Layer 2: Data Link Layer

Answer 10

works to ensure that the data it transfers is free of errors;

Functions such as media access control (MAC) & link establishment occur at this layer; as well as basic protocols such as 802.3 for Ethernet & 802.11 for WiFi

Question 11

MAC

Answer 11

Media Access Control - unique identifier assigned to network interfaces for communications on the physical network segment

Question 12

Layer 3: NW Layer

Answer 12

determines the path of data packets based on protocol used;

At this layer, we see IP addressing for routers

Question 13

Routing Information Protocol

Answer 13

prevents routing loops by limiting the # of hops allowed in a path from source to destination

Question 14

Layer 4: Transport Layer

Answer 14

ensures the transport or sending of data is successful;

Question 15

Layer 5: Session Layer

Answer 15

identifies established system sessions between different NW entities

When accessing a system remotely, you are creating a session between your computer & the remote system;

NetBIOS & RPC is found here

Question 16

NetBIOS

LAN

RPC

Answer 16

Network Basic Input/Output System - a program that allows applications on different computers to communicate within a LAN

LAN - a computer NW that interconnects computers within a limited area using NW media

Remote Procedure Call - inter-process communication that allows a computer program to execute in another address space

Question 17

Most attacks reside within layers

Answer 17

3,4,5 which is NW, Transport, Session

Question 18

Layer 6: Presentation Layer

Answer 18

provides translation of data that is understandable by the next receiving layer

& can optionally be encrypted with protocols such as SSL (Secure Sockets Layer)

Question 19

SSL

Answer 19

Secure Sockets Layer - standard security technology for establishing an encrypted link between web server & browser

Question 20

Layer 7: Application Layer

Answer 20

functions as a user platform in which the user & SW processes within the system can operate & access NW resources

Apps & SW suites that we use on a daily basis are under this layer; includes protocols such as FTP and HTTP

Question 21

TCP

3 way handshake

Answer 21

connection-oriented protocol that establishes connection & verifies the packets sent across that connection make it to their destination

3 way handshake - Process starts with a SYN packet that tells the receiving system that another system wants to connect; (random seq #1000)

The receiving system responds with a SYN-ACK (random seq #2585)

Then an ACK is sent back verifying and connection is initiated (#1001)

Question 22

3 way handshake, SYN, SYN-ACK, ACK explained

Answer 22

SYN (start)

SYN-ACK (acknowledge start)

ACK (acknowledge the acknowledge)

Question 23

IP Subnetting

Answer 23

Purpose: if you can subnet, you can pinpoint a target & know how to go after it in the most efficient & effective way

Knowing a few IP addresses can give you a clue as to how an organization’s NW is laid out

Defined: Subnetting is a sequential breakdown of IP addresses based on desired NW size & host quantity

NW bits & host bits are manipulated by the subnet mask;

The mask is used to determine what subnet an IP address belongs to. An IP address has two components, the NW address & the host address

Question 24

Localhost Loopback Address

NW Address

Broadcast Address

CIDR

Answer 24

Loopback : 127.0.0.1 is a hostname that refers to this computer & is used to access this computer’s own NW services via its loopback NW interface

NW Address : address that identifies the subnet of a host

Broadcast Address: an IP address that allows information to be sent to all machines on a given subnet rather than a specific machine

Classless Inter-Domain Routing: CIDR Value is equivalent to the # of ON bits in a 32 bit address going left to right

Question 25

IP Address 150.215.017.009

If this NW is divided into 14 subnets, identify the subnet mask and subnet address

Answer 25

For the Subnet Mask, the first 16 bits (network address) are all set to 1.

The host address is determined by how much space is needed for the 14 subnets. 16 is the closest bit to turn on to accomodate the 14 subnet addresses, so 256-16 = 240 making the subnet mask 255.255.240.0

As for the subnet address, it becomes the inverse, 255.255.16.0

Question 26

Basic Slash Notation

IP Address (Subnet) 192.168.1.15

CIDR (Netmask): 24

Identify the NW address & Broadcast address of a subnet

Answer 26

Convert everything to binary

CIDR defines the # of bits that are on, so out of the 32 bits in an IP address, the first 24 from left to right are 1s

To find the NW address, we want to add the IP address AND Netmask.

NW Address = 192.168.1.0

To find the broadcast address, we want to peform utilize the OR operator between the NW address & the inverse of the Netmask

Broadcast address = 192.168.1.255

Question 27

What are bits, nibbles, & a byte

Answer 27

Bits are 1s and 0s

Nibbles are 4 bits

A byte is 2 nibbles

Question 28

Ports

List of Well-Known Ports

Answer 28

allows computers to send data out the door while simultaneously identifying that data by category

These ports range from 1-1024

1. FTP 20-21
2. SSH 22
3. Telnet 23
4. SMTP 25
5. WINS 42
6. DNS 53
7. HTTP 80, 8080
8. Kerberos 88
   
   • Computer NW authentication protocol, authenticates request for a service in a computer NW
9. POP3 110
10. Portmapper-Linux 111
    
    • Makes RPC Calls
11. NTP 123
12. RPC-DCOM 135
13. SMB 139
14. IMAP 143
15. SNMP 161, 162
16. LDAP 389
17. CIFS 443
18. Syslog 514
19. Secure LDAP 636

Question 29

Registered Ports

Answer 29

These ports are the ones that have been identified as usable by other applications running outside of the user’s present purview.

Registered ports range form 1025-49151.

1. WINS 1512
   
   • Windows Internet Naming Service - maps NetBIOS names to IP addresses; solves problem of NetBIOS name resolution in routed environments
2. Socks5 1080
   
   • routes NW packets between client & server through an application proxy which is different from a normal proxy; An example would be when using HTTP proxy, you are actually fowarding an HTTP request, and the HTTP proxy server then performs the request on your behalf
3. Nessus Server 1241
4. SQL Server 1433, 1434
5. Citrix Applications 1494, 2598
6. Oracle Listener 1521
7. Citrix Mgmt 2512, 2513
8. RDP 3389
9. IRC 6662-6667
   
   • Internet Relay Chat - Application layer protocol that facilitates transfer of messages in the form of text

Question 30

Proxy Server

Answer 30

a server that sits between client applications, such as between a web browser and server

Question 31

Dynamic Ports

Answer 31

free ports available for use by TCP, UDP requests made by an application

These ports range from 49152 - 65535

Question 32

DNS

DNS Hacking

AD

Answer 32

database that contains the translated names to IP addresses that can be queried by any DNS-aware applications

The internet root servers, or top level servers, contain addresses of the DNS servers for all top-level domains, .com, .org, etc. Each top-level server contains a DNS database of all names & addresses in that domain

Local NWs isolated from the Internet may use their own domain name systems through use of DNS mgmt SW. These names are typically same as those used by internet implementation

Hacking - if an attacker manipulates DNS, in modern day environments, applications may not work without DNS present & functioning; Ex. Microsoft AD wouldn’t work without DNS present or accessible

Active Directory - special purpose database for windows that handles a large # of read & search operations

Question 33

Networking Devices: Routers (& Switches)

Answer 33

Routers work at layer 3 by directing packets & connecting different NWs

Routers also used as gateway between different types of NWs, such as on different NWs or IP ranges or NWs that don’t understand each other’s protocols

i.e. can’t just jam a fiber-run T1 connection into client computer & have fast NW; NIC (NW interface card) is nto capable of speaking the same language as the outside connection, Routers bridge that gap and allow different protocols on different NWs to communicate

Routers use NAT (NW Address Translation) allows internal NW clients to share a single public IP address for access to the outside world. A router has two interfaces: one for outside world & one for internal NW

The public side is assigned a public IP address purchased from Local ISP; The internal side is connected to the local intranet, which contains all of your internal IPs & protected resources; internally, you can create your own IP schemes. When an internal client makes a request to an outside resource, the router receives the traffic & sends it out the public side with its public IP safeguarding the client’s internal IP address

NAT is great for security and also conserves IP addresses cutting cost for ISP

Question 34

Switches

MAC

Finding MAC address

Answer 34

Switches creates multiple broadcast (multicasted) domains & collosion domains for each port, it delivers data or frames based on HW addresses (MAC Address) of the destination computers/devices; considered Layer 2 device (few modern switches operate Layer 2 & 3)

MAC or Media Access Control addresses are permanent identifiers burned into each NIC by manufacturer; Broken down into 6 pair hexadecimal, i.e. c0-cb-38-ad-2b-c4, the 1st half (3 pair) identifies vendor, 2nd half identifies NIC or device

Finding Mac Address: cmd command for windows –> ipconfig/all

for linux: ifconfig

Question 35

Hubs

Answer 35

Hubs are similar to swtiches but are considered dumb devices,

they operate at layer 1 physical layer, they forward the data they receive, no filtering or directing of traffic which is why they are considered layer 1

Question 36

Switches: Understanding broadcast domains & collosion domains

Hubs

Answer 36

A broadcast domain allow traffic to be broadcast to all connected nodes

ARP requests (Address Resolution Protocol), which are sent to the NW to resolve HW addresses, are an example of broadcast domain

Collosion domains are NW segments in which traffic sent will potentially collide w/ other traffic; In a collion domain, traffic will not be sent to a broadcast, it will collide w/ other traffic on the wire

So what this means is when you throw your little penetration testing laptop on a wire & connect to a switch, no matter how promicious your NIC is, your captured traffic will be limited to the collosion domain

In current modern day technology, sniffing a wi-fi NW allows you to capture traffic from all of its clients; not limited to particular switchport CD

Hubs: similar to switches but are dumb devices that make no decision in data direction or addressing

Question 37

Proxies (& Firewalls)

Answer 37

These are the device deliberately put in place to prevent unauthorized access; only as effective as their configuration, & configuration is only as effected as the admin creating them

Proxies work at the Layer 7 application layer, & can be used for caching & filtering of web content. Itwork in the middle of the traffic scene. acts as an intermediary between internal NW client systems & outside untrusted entities; prevent client from communicating directly with outside source

Benefits of Proxies - protection of internal client systems, reducing exposure & risk

Acts as middleman, protecting clients from themselves

Speed up browsing by caching frequently visited websites & resources

Question 38

(Proxies) & Firewalls

Answer 38

Includes proxy firewalls; filter outgoing traffic requests & verify legitimate traffic; firewall attacks intended to circumvent rather then head-on assult;

Mainly broken into these categories

1. Packet Filtering
   
   • Packet filtering firewalls look at the header information (such as IP address or port) of packets to determine legitimate traffic; inspects packets at most granular level possible & improving traffic efficiency
2. Stateful packet filtering (keeps records of interaction)
   
   • determine legitimacy based on state of connection from which traffic originated
3. (web) Application proxies (mentioned in last card, client to outside untrusted entities)

Question 39

IPS & IDS

Answer 39

both used to cover your tracks, keep a low profile

IDS - intrusion detection system - detect any suspicious NW activity & notifies admin, passive in nature; similar to a burglar alarm that alerts you, but doesn’t stop the burglar

IPS - intrusion prevention system - proactive & preventive, senses potential malicious activity on NW & takes steps to prevent further damage and thwart further attacks

Question 40

Holistic vs focused process

Answer 40

securing a NW is a holistic process where the entire system as a whole is more important then the individual tools that create the system

breaking into a NW however is a focused process, you have to consider each part of the system & plan accordingly; could sabatoge an entire NW if you take the right steps in preparing

Question 41

Typical Enterprise NW

Answer 41

Question 42

Archive

Archive bit

Answer 42

Archive - used to compress files to use less space or to organize several files into one for portability or storage

Archive Bit - used in certain OSs, it indivates whether or not a file needs to be backed up

Question 43

Backup

Types of backups

Answer 43

backup - making extra copies

1. Full backup - full back up resets the archive bit of all files & backs them up accordingly
2. Differential backup - backs up all changed files since last successful full backup. Does not reset archive bit; creates one large file and fully restores off of latest differential backup (full is not needed)
3. Incremental Backup - backs up all changed files since last full back up OR since the last incremental; does not reset archive bit; creates several small backup jobs; last full back up + incrementals are needed to restore
   4.

Question 44

Windows Vs. Linux (regarding port scans)

Answer 44

Windows systems respond to port scans, but Linux does not!!!