Professional Documents
Culture Documents
CyberOpsAssociate-Session 5
CyberOpsAssociate-Session 5
The ping utility sends ICMP echo request packets out to a destination host to test the IP connectivity to that
destination host. Receiving an ICMP echo reply message indicates that the host can be successfully reached.
As a security analyst, it is important to understand ICMP. For example, in ICMP echo request packets, one should not
expect to see a large data payload. Echo replies should also be paired with echo requests. If you see many ICMP
echo request and reply packets with large payloads, or if you see an imbalance in echo request and echo reply
numbers, you should suspect that something suspicious may be happening. An attacker may be tunneling data out
using ICMP. ICMP tunneling is possible because RFC 792, which documents IETF's rules governing ICMP packets,
allows for an arbitrary data length for any type 8 (echo request), or type 0 (echo reply) ICMP packets.
Internet Control Message Protocol (ICMP) (cont.)
ICMP uses IP protocol number 1. ICMP messages are identified by the type field. Many of these ICMP types also use
a code field to indicate different conditions. The table below shows a few of the common ICMP messages.
Type Name Code
0 Echo reply 0
3 Destination 0 = Network Unreachable (usually means that a failure has occurred in the routing or addressing of a
Unreachable packet)
1 = Host Unreachable (usually indicates that the packet has been correctly routed to the destination
network, but the destination device is not active on that segment)
2 = Protocol Unreachable (the destination does not support the transport-layer protocol that is
specified in the packet)
3 = Port Unreachable (the destination is not listening on the specified TCP or UDP port)
4 = Fragmentation needed and Don’t Fragment flag is set in IP header
8 Echo request 0
11 Time 0 = Time to Live exceeded (sent by the router if an IP packet’s TTL field reaches zero. The TTL field
exceeded prevents packets from continuously circulating the internetwork if the internetwork contains a routing
loop. The router then discards the original packet)
Ping
Ping is based on Echo request and Echo reply ICMP Messages.
TTL = 1
TTL = 2
TTL = 3
TTL = 4
Address Resolution Protocol (ARP)
To send data to a destination, a host on an Ethernet network must know the MAC address of the destination. ARP
provides the essential service of mapping IP addresses to physical addresses on a network.
The MAC address is the unique identifier of the device. It is usually embedded in the hardware during
manufacturing. The MAC address is also referred to as the hardware address or the physical address. The address is
48 bits long and is usually represented using hexadecimal notation. Groups of digits are commonly separated with
colons, dashes, or periods. The following three example notations are common and equivalent: 54:EE:75:B1:6F:22,
54-EE-75-B1-6F-22, and 54EE.75B1.6F22.
Address Resolution Protocol (ARP) (cont.)
When a system knows the IP address of its peer but does not know the MAC address, it sends an ARP request,
specifying the known IP address. The request is broadcasted on the local network and it is received by all devices on
the Ethernet segment.
When the target recognizes its own IP address by reading the contents of the ARP request packet, it responds with
the required MAC address in its ARP reply.
The response is saved in the ARP cache. The bindings in the table are kept current by a process of aging out unused
entries after a period of inactivity. The aging time is operating system dependent.
ARP is a necessary and fundamental service in the TCP/IP
protocol suite. It does have some security shortcomings. One
significant issue is that there is no validation of the ARP replies.
Under the right circumstances, a system can produce fraudulent
ARP replies, tricking victim systems into mapping the attacker's
MAC address to a different IP address, and causing the victim
systems to send traffic that is intended for other systems to the
attacker. The attacker can then become a man-in-the-middle,
and can monitor and manipulate the misdirected traffic before
forwarding it to the valid destination.
Transmission Control Protocol (TCP)
TCP is a connection-oriented protocol that provides data reliability between hosts, and it is the most widely used
transport layer protocol.
Sequence number: The sequence number of the first data octet in this segment, used to ensure correct sequencing
of the arriving data (32 bits)
Acknowledgment number: Next expected TCP octet (32 bits). A TCP connection is a reliable connection. The sending
and receiving computers use acknowledgment to ensure that the data is sent and received as specified and that it
arrives without errors and in the right order.
Reserved: Set to 0 (6 bits). Note that Some experimental specifications defined in RFCs are making use of some of
the reserved bits.
Transmission Control Protocol (TCP) (cont.)
Code (control) bits: Contains 1-bit fields which are often referred to as a flag:
URG: Indicates that the Urgent pointer field is significant.
ACK: Indicates that the Acknowledgment field is significant. All packets, after the initial SYN packet, that
are sent by the client should have this flag set.
PSH: Push function. Asks to push the buffered data to the receiving application.
RST: Reset the connection.
SYN: Initiates a connection. Only the first packet that is sent from each end should have this flag set.
FIN: No more data from sender.
Window: Number of octets that the device is willing to accept (16 bits). This allows the sending computer to send
out several packets without waiting to receive acknowledgment of those packets, which helps maintain the speed
and reliability of the connection.
Checksum: Calculated checksum of the header and data fields (16 bits)
Options: One currently defined maximum TCP segment size (0 or 32 bits, if any)
2 The receiving device responds with a TCP SYN/ACK Host B is telling Host A: "I'm accepting your connection
(a TCP segment with the SYN and ACK bits set) request. My initial sequence number is 300. I'm
acknowledging the peer's initial sequence number acknowledging your initial sequence number of 100.
and presenting its own initial sequence number. The next byte of data I expect to receive from you is
byte number 101."
3 The initiating device responds with a TCP ACK (TCP Host A is telling Host B: "Great. I'm acknowledging your
segment with the ACK bit set), acknowledging the initial sequence number of 300. The next byte of data
initial sequence number of the receiving device. that I expect from you is byte number 301. The hosts
are now ready for two-way data exchange."
User Datagram Protocol (UDP)
UDP is another widely used transport layer protocol, having the following characteristics: