Networking Flashcards
OSI Model
Application: layer 7 (in practice also covers layers 5 and 6, session and presentation); includes APIs, HTTP, etc.
Transport: layer 4 (TCP/UDP).
Network: layer 3 (routing).
Data link: layer 2 (error checking and frame synchronisation).
Physical: layer 1 (bits over fibre, copper or radio).
Firewalls
Rules that permit or block incoming and outgoing connections.
NAT
Useful for understanding IPv4 vs IPv6.
IPv6 generally does not use NAT.
Private ranges:
Range from 10.0.0.0 to 10.255.255.255 — a 10.0.0.0 network with a 255.0.0.0 or /8 (an 8-bit) mask
Range from 172.16.0.0 to 172.31.255.255 — a 172.16.0.0 network with a 255.240.0.0 or /12
A 192.168.0.0 to 192.168.255.255 range, which is a 192.168.0.0 network masked by 255.255.0.0 or /16
A special range 100.64.0.0 to 100.127.255.255 with a 255.192.0.0 or /10 network mask; RFC 6598 reserves this subnet as an address pool for CGN (Carrier-Grade NAT).
DNS
Port 53.
DNS requests are usually UDP; if the response is truncated (TC flag set), the client retries over TCP.
A cache lookup happens first.
DNS exfiltration: data smuggled out in DNS queries, so watch for unusually long or high-volume queries.
Using raw IP addresses means no DNS logs, but there are still HTTP logs.
DNS sinkholes: hand out non-routable addresses.
In a reverse DNS lookup, the PTR name might be 2.152.80.208.in-addr.arpa, which maps to 208.80.152.2. DNS resolution starts at the end of the name and works backwards through the hierarchy, which is why the IP address appears reversed in the PTR name.
nslookup on Windows, dig -x on Linux.
DNS configs
Start of Authority (SOA): zone ownership information.
IP addresses (A for IPv4, AAAA for IPv6).
SMTP mail exchangers (MX).
Name servers (NS).
Pointers for reverse DNS lookups (PTR).
Domain name aliases (CNAME).
ARP
Maps an IP address to a MAC address on the local network so IP packets can be delivered.
DHCP
UDP (port 67 server, port 68 client).
Dynamic address allocation (allocated by the router or DHCP server).
DHCPDISCOVER -> DHCPOFFER -> DHCPREQUEST -> DHCPACK
Multiplex
This multiplexing protocol is defined to allow the combining of transmission units of different higher-level protocols in one transmission unit of a lower-level protocol. Only messages with the same Internet Protocol (IP) [1] header, with the possible exception of the protocol field, may be combined.
Traceroute
Usually uses UDP probes, but may also use ICMP Echo Request or TCP SYN; works by incrementing the TTL (IPv4) or hop limit (IPv6), so each intermediate hop answers with ICMP Time Exceeded.
The initial TTL is 128 on Windows and 64 on *nix. The destination returns an ICMP Echo Reply.
Nmap
Network scanning tool.
Intercepts (MITM)
Understand PKI (public key infrastructure) in relation to this.
PKI/TLS operates in the top three layers: session (point-to-point session security), presentation (encryption) and application (HTTP over a secure socket).
> Client Hello (lists supported cipher suites: RSA, EC, AES, DH)
< Server Hello
< Certificate (digital file that stores website info such as its public key)
< Server Hello Done
- Client creates the pre-master secret
> Client Key Exchange: sends the pre-master secret encrypted with the server's public key, then Change Cipher Spec
- Server decrypts the pre-master secret
= Both sides derive the master secret, from which the symmetric (AES) session keys are computed
> Client Finished
Certificate contains:
Version (X.509, e.g. v3).
Serial number (assigned by the CA).
Signature algorithm (what the CA uses to sign the certificate hash, e.g. SHA-256).
Signature hash algorithm (SHA-1, SHA-256).
Issuer (the CA).
Validity dates (39-month limit).
Subject info.
VPN
Hides traffic from the ISP but exposes it to the VPN provider.
Tor
Tor traffic is easy to identify: compare logs against the published list of Tor exit nodes. Also check for connections on port 9001 and certificate irregularities.
Border Gateway Protocol
Autonomous System (AS): the internal routing domain.
BGP routers.
AS providers trust each other and set up peering.
TLS/SSL Attacks
Heartbleed: This weakness, reported in April 2014, allows attackers to steal private keys from servers that should normally be protected.[261] The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the public certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.[262] The vulnerability is caused by a buffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.
Downgrade attack: tricks a web server into negotiating connections with previous versions of TLS (such as SSLv2) that have long since been abandoned as insecure. (Chrome modified its False Start behaviour to mitigate this.)
DROWN attack: an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.[228][229] DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. At that time, more than 81,000 of the top 1 million most popular websites were among the TLS-protected websites that were vulnerable to the DROWN attack.[229]
POODLE attack
On October 14, 2014, Google researchers published a vulnerability in the design of SSL 3.0, which makes CBC mode of operation with SSL 3.0 vulnerable to a padding attack (CVE-2014-3566). They named this attack POODLE (Padding Oracle On Downgraded Legacy Encryption). On average, attackers only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.[73]
Although this vulnerability only exists in SSL 3.0 and most clients and servers support TLS 1.0 and above, all major browsers voluntarily downgrade to SSL 3.0 if the handshakes with newer versions of TLS fail, unless they provide an option for the user or administrator to disable SSL 3.0 and that option has been used. Therefore, the man-in-the-middle can first conduct a version rollback attack and then exploit this vulnerability.[73]