Basics of Networks and Scanning
This Week’s Objectives
• Understand key concepts and protocols in
computer networks
o OSI layers
o Ethernet/ARP/DHCP
o IP/TCP/UDP/ICMP
o DNS
• Understand network and host scanning
The Internet
Global network that provides best-effort delivery of packets between connected hosts
• Packet: a structured sequence of bytes
• Header: metadata used by network
• Payload: user data to be transported
• Every host has a unique identifier — IP address
A series of routers receive packets, look at the destination address in the header and send the packet one hop towards the destination IP address (figure: a host 129.127.120.7 reaching 8.8.8.8 across several routers)
Network Protocols
We define how hosts communicate in published network protocols
• Syntax: How communication is structured (e.g., format and order of messages)
• Semantics: What communication means. Actions taken on transmit or receipt of a message, or when a timer expires. What assumptions can be made.
Example: Which bytes contain each field in a packet header
Protocol Layering
Networks use a stack of protocol layers (top to bottom: Application, Transport, Network, Data Link, Physical)
• Each layer has different responsibilities.
• Layers define abstraction boundaries
Lower layers provide services to layers above
• Don’t care what higher layers do
Higher layers use services of layers below
• Don’t worry about how it works
OSI 5 Layer Model
• Application: Defines how individual applications communicate. For example, HTTP defines how browsers send requests to web servers.
• Transport: Allows a client to establish a connection to specific services (e.g., web server on port 80). Provides reliable communication.
• Network: Packet forwarding. How to get a packet to the final destination when there are many hops along the way.
• Data Link: How to get a packet to the next hop. Transmission of data frames between two nodes connected by a physical link.
• Physical: How do bits get translated into electrical, optical, or radio signals
Packet Encapsulation
(Figure: an HTTP Request is carried as the payload of a TCP segment, which in turn is carried as the payload of an IP packet)
Ethernet (IEEE 802.3)
Most common Link Layer Protocol. Lets you send packets to other local hosts.
EtherType gives the layer 3 protocol in the payload:
0x0800: IPv4
0x0806: ARP
0x86DD: IPv6
• At layer 2 (link layer) packets are called frames
• MAC addresses: 6 bytes, universally unique
• Other popular Link Layer protocols include WiFi and LTE/5G
Internet Protocol (IP)
Internet Protocol (IP) defines what packets that cross the Internet need to look like to be processed by routers
• Every host is assigned a unique identifier (“IP Address”)
• Every packet has an IP header that indicates its sender and receiver
• Routers forward the packet along to try to get it to the destination host
• The rest of the packet should be ignored by the router
IPv4 Header
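As an added example (not from the lecture slides), the following Python walks the encapsulation from the Ethernet header through the EtherType to the IPv4 header fields a router acts on; the frame bytes are constructed for illustration, with the IP checksum left at zero.

```python
"""Parse an Ethernet frame and the IPv4 header it encapsulates.

Added example, not from the lecture slides. The frame below is constructed
by hand (IP checksum left at zero); the field layouts are the standard
Ethernet II header and the fixed 20-byte IPv4 header from RFC 791.
"""
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into dst MAC, src MAC, EtherType and layer-3 payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
            "payload": frame[14:]}


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header: the fields a router looks at before forwarding."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    return {"ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, proto),
            "src": ".".join(str(b) for b in packet[12:16]),
            "dst": ".".join(str(b) for b in packet[16:20]),
            "payload": packet[ihl:total_len]}  # rest is ignored by routers


# Constructed frame: 129.127.120.7 sends a TCP segment (port 61468 -> 80) to 8.8.8.8
FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("00a02471e444") + b"\x08\x00"
         + bytes.fromhex("450000280001400040060000") + bytes([129, 127, 120, 7])
         + bytes([8, 8, 8, 8]) + bytes.fromhex("f01c0050") + b"\x00" * 16)


def decode(frame: bytes) -> dict:
    """Walk down the encapsulation: Ethernet header, then IPv4 header."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != "IPv4":
        return eth                              # ARP, IPv6, ...: stop here
    return {"ethertype": "IPv4", **parse_ipv4(eth["payload"])}
```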
Two Questions in IP routing
1. Internet: How does each host/router know where to send each packet next?
• Answer: Routing protocols
2. Local: How does a host know what MAC address it needs to send the packet to given an IP address?
• Answer: Address Resolution Protocol (ARP)
IP routing protocols
• Interior Gateway Routing Protocols (IGP)
o Used for routing inside an autonomous system & used to route within the individual networks themselves.
o Examples: RIP, EIGRP, OSPF
• Exterior Routing Protocols (EGP)
o Used for routing between autonomous systems
o Example: BGPv4
(Figure: IGP runs inside each autonomous system and EGP between them, along the path from 129.127.120.7 to 8.8.8.8)
ARP: IP to MAC
• ARP (Address Resolution Protocol) is a Network protocol that lets hosts map IP addresses to MAC addresses
• A host who needs MAC address M corresponding to IP address N broadcasts an ARP packet to the LAN asking, “who has IP address N?”
• The host that has IP address N will reply, “IP N is at MAC address M.”
ARP Packet
Dynamic Assignment of IP addresses - DHCP
• Dynamic assignment of IP addresses is desirable for several reasons:
o IP addresses are assigned on-demand
o Avoid manual IP configuration
o Support mobility of laptops
• Dynamic Host Configuration Protocol (DHCP)
o Supports temporary allocation (“leases”) of IP addresses
o DHCP client can acquire all IP configuration parameters needed to operate
DHCP Interaction (simplified)
1. Host Argon (MAC 00:a0:24:71:e4:44) sends a DHCP Request from 00:a0:24:71:e4:44, sent to 255.255.255.255 (broadcast).
2. The DHCP Server sends a DHCP Response to 00:a0:24:71:e4:44:
IP address: 128.143.137.144
Default gateway: 128.143.137.1
Netmask: 255.255.0.0
Argon now uses IP address 128.143.137.144.
The Internet Control Message Protocol
The Internet Control Message Protocol (ICMP) is a helper protocol that supports IP with facilities for
o Error reporting
o Simple queries
ICMP messages are encapsulated as IP datagrams: the ICMP message follows the IP header and forms the IP payload.
ICMP Query message
ICMP query:
• Request sent by host to a router or host
• Reply sent back to querying host
Protocol Layering
The question each layer answers (top to bottom):
• Application: How does the application structure data?
• Transport: How do I get to the right service? How do I have a reliable “stream” of data?
• Network: How do I get to the final destination?
• Data Link: How do I get to the next hop?
The Transport Layer
#  Name         Protocol           Data Unit  Addressing
5  Application  HTTP, SMTP…        Messages
4  Transport    TCP/UDP            Segment    Port #
3  Network      IP                 Datagram   IP Address
2  Data Link    Ethernet, Wifi     Frames     Mac Address
1  Physical     10 Base T, 802.11  Bits       N/a
Transport Layer Functions
Reliability
Multiplexing
Segmentation
Flow Control
Error detection and Correction
UDP (User Datagram Protocol)
Characteristics:
1. Short
2. Unreliable
3. Fast (low latency)
Application:
1. DNS, DHCP
2. Live streaming
3. VoIP
TCP (Transmission Control Protocol)
Characteristics:
1. 3 handshakes
2. Slow
3. Reliable
a. Error checking
b. Retransmission
Application:
a. HTTP, SMTP
b. File transferring
c. Video streaming
(Figure: multiplexing at the sender and demultiplexing at the receiver; application processes P1–P5 sit above the Transport, Network, Data Link and Physical layers on both sides)
Multiplex (sender): gathering data from multiple processes, and enveloping it with headers
Demultiplex (receiver): delivering each packet to the correct process
Example endpoints: chrome on port 61243 talks to the Apache web server on port 80; outlook on port 60421 talks to the mail server on port 993; a file server listens on port 21
(Figure: the data stream is split into segments seg. 1, seg. 2, seg. 3, each prefixed with its own header H)
sender: send pkt1 (seq # = 11)
receiver: receive pkt1, send ack1 (ack # = 12)
sender: receive ack1, send pkt2 (seq # = 12)
receiver: receive pkt2, send ack2 (ack # = 13)
sender: receive ack2, send pkt3 (seq # = 13)
receiver: receive pkt3, …
Segmentation (Transport Layer):
Break a large data stream into smaller segments. Maximum Segment Size (MSS) is typically 1460 bytes
Fragmentation (Network Layer):
Break down a large segment into smaller fragments. Maximum transmission unit (MTU) is typically 1,500 bytes
TCP header fields:
• Header Length (4 bit): indicates the start of the payload
• Control flags
• Window: range of sequence numbers
• Checksum
• Urgent/Options: rarely used
Flow Control (windowing)
Error Detection & Correction
Error detection – Checksum
Error correction - Retransmission
Control flags and TCP Handshake
URG - urgent
ACK - acknowledgement
PSH - push
RST - reset
SYN - synchronize
FIN - finish
Ports
Each application on a host is identified by a port number
TCP (Transmission Control Protocol) connection established between port A on host X and port B on host Y
• Ports are 1–65535 (16 bits)
Some destination port numbers are used for specific applications by convention
TCP header
Common Ports
Port Application
80 HTTP (Web)
443 HTTPS (Web)
25 SMTP (mail)
67 DHCP (host config)
22 SSH (secure shell)
23 Telnet
UDP (User Datagram Protocol)
User Datagram Protocol (UDP) is a transport layer
protocol that is essentially a wrapper around IP
Adds ports to demultiplex traffic by application
TCP Three Way Handshake
Ending a Connection
• One side sends a packet with the FIN flag set
• The peer receiving the FIN packet acknowledges receipt of the FIN packet with an ACK
• Eventually the other side sends a packet with the FIN flag set — this terminates the session
TCP Connection Reset
• Packets that are invalid given the current state of the session generate a reset
• If a connection exists, it is torn down
• A packet with the RST flag is sent in response
• TCP RST can be sent for many different reasons
• If a host receives a TCP packet with the RST flag, it tears down the connection
From names to IP addresses - DNS
We (people) usually refer to an Internet host by host name (e.g., adelaide.edu.au). How does a computer know the IP address of the destination?
DNS (Domain Name Service) is a delegatable, hierarchical name space
DNS (Domain Name System)
DNS Record
A DNS server has a set of records it authoritatively knows about (figure: DNS records and name servers)
Caching
• DNS responses are cached
• Quick response for repeated translations
• NS records for domains also cached
• DNS negative queries are cached
• Save time for nonexistent sites, e.g. misspelling
• Cached data periodically times out
• Lifetime (TTL) of data controlled by owner of data
• TTL passed with every record
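The caching behaviour above as an added example (not from the lecture slides): a small resolver cache whose entries, including negative NXDOMAIN answers and NS delegations, expire when the owner's TTL runs out. The zone data, the upstream resolver and the clock are constructed stand-ins.

```python
"""A minimal DNS cache with TTL expiry and negative caching.

Added example, not from the lecture slides. The zone data, the upstream
resolver and the clock are constructed; the cache behaves as the slides
describe: answers, NS delegations and NXDOMAIN results are kept until the
TTL the data owner set runs out, then the next query goes upstream again.
"""
import time
from dataclasses import dataclass


@dataclass
class Entry:
    value: object       # IP address, list of name servers, or None for NXDOMAIN
    expires_at: float   # absolute clock time after which the entry is stale


class DnsCache:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._store = {}            # (name, rtype) -> Entry
        self.upstream_queries = 0   # how often we had to ask a real server

    def _lookup(self, key):
        entry = self._store.get(key)
        if entry is not None and self._clock() >= entry.expires_at:
            del self._store[key]    # TTL expired: behave as a cache miss
            entry = None
        return entry

    def resolve(self, name, rtype, upstream):
        """Return (value, from_cache). `upstream(name, rtype)` returns
        (value, ttl); value None means NXDOMAIN, which is cached too."""
        key = (name.lower().rstrip("."), rtype)   # names are case-insensitive
        hit = self._lookup(key)
        if hit is not None:
            return hit.value, True
        self.upstream_queries += 1
        value, ttl = upstream(*key)
        self._store[key] = Entry(value, self._clock() + ttl)
        return value, False


# Constructed authoritative data: (name, type) -> (value, TTL in seconds)
ZONE = {("adelaide.edu.au", "A"): ("129.127.120.7", 300),
        ("adelaide.edu.au", "NS"): (["ns1.adelaide.edu.au"], 3600)}


def fake_upstream(name, rtype):
    """Stand-in for a recursive query; unknown names get a 60 s negative TTL."""
    return ZONE.get((name, rtype), (None, 60))
```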
Scanning
Phases: Pre-Engagement, Recon, Scanning
(Network) scanning is an intense and methodical process of uncovering the structure of the network (including firewalls), hosts and applications on it.
• Requires a good understanding of network protocols
• Used by both attackers and defenders
Information gathered by scanning:
o IP addresses of live systems
o Operating system versions
o MAC addresses
o Service information
o Port data
o etc
Current Scanners
State of the art: ZMap
Network scanners should be fast, scalable, and non-intrusive
Host Discovery - Port Scanning
• Finding applications that listen on ports
• Use TCP fingerprinting to find out OS type
• Send various packets:
o Establish and tear down TCP connection
o Half-open and tear down TCP connection
o Send invalid TCP packets: FIN, Null, Xmas scan
o Send TCP ACK packets – find firewall holes
o Send ICMP packets
o Others (not covered in this course): FTP bounce scans, finding Remote Procedure Call (RPC) applications
TCP Full Connect Scan
Utilises the three-way handshake
Completed handshake indicates open port
Incomplete handshake indicates closed
Scan gives most accurate picture of port status
Drawback is scan can be easily logged
nmap -sT -v <target IP address>
Half Open Scans
Starts like a full connect scan
Scan does not complete the final step of the handshake
Lower chance of being logged
Faster than full connect
nmap -sS -v <target IP address>
XMAS Scan
A packet is sent with PSH, URG, and FIN all set at once
Combination of flags is illegal (RFC 793)
Some software developers do not implement TCP correctly (should send TCP RST)
Does not work on most modern systems
nmap -sX -v <target IP address>
FIN Scan
Occurs when a packet is sent with the FIN flag set
Used to determine whether ports are open or closed (RFC 793)
May not function on newer targets
Can be blocked by some firewalls
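From the defender's side, an added example (not from the lecture slides): a small detector that reads constructed per-packet flag log lines and raises alerts for the Xmas, Null and FIN probes described above, and for a SYN sweep, which is how a half-open scan appears to the scanned host. The log format, the addresses and the threshold are assumptions.

```python
"""Flag-based scan detection over constructed packet log lines.

Added example, not from the lecture slides: the log format and lines are
made up; a firewall or sensor log with per-packet TCP flags is the real
input. Illegal flag sets from the slides (Xmas: PSH+URG+FIN, Null: none,
FIN-only) are flagged per packet; a SYN sweep (a half-open scan as seen on
the wire) needs bare SYNs from one source to many ports of one host.
"""
from collections import defaultdict

# Flag letters as a sensor might log them: S=SYN A=ACK F=FIN P=PSH U=URG R=RST
SCAN_FLAGS = {frozenset(): "null-scan", frozenset("FPU"): "xmas-scan",
              frozenset("F"): "fin-scan"}
SWEEP_THRESHOLD = 5   # distinct ports hit with bare SYNs before alerting

LOG = """\
10:00:01 10.0.0.5:40001 -> 10.0.0.9:22 S
10:00:02 10.0.0.7:51000 -> 10.0.0.9:80 S
10:00:02 10.0.0.7:51001 -> 10.0.0.9:443 S
10:00:02 10.0.0.7:51002 -> 10.0.0.9:25 S
10:00:02 10.0.0.7:51003 -> 10.0.0.9:23 S
10:00:02 10.0.0.7:51004 -> 10.0.0.9:21 S
10:00:03 10.0.0.8:60000 -> 10.0.0.9:80 FPU
10:00:03 10.0.0.8:60001 -> 10.0.0.9:443 -
10:00:03 10.0.0.8:60002 -> 10.0.0.9:22 F
"""


def parse_line(line):
    """'ts src:port -> dst:port FLAGS' -> (src, dst, dport, flag set)."""
    _ts, src, _arrow, dst, flags = line.split()
    return (src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0],
            int(dst.rsplit(":", 1)[1]), frozenset() if flags == "-" else frozenset(flags))


def detect(log_text):
    """Return a list of (alert, src, dst, detail) tuples."""
    alerts, syn_ports = [], defaultdict(set)
    for line in log_text.splitlines():
        src, dst, dport, flags = parse_line(line)
        if flags in SCAN_FLAGS:
            alerts.append((SCAN_FLAGS[flags], src, dst, dport))
        elif flags == {"S"}:          # bare SYN: count distinct target ports
            syn_ports[(src, dst)].add(dport)
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= SWEEP_THRESHOLD:
            alerts.append(("syn-sweep", src, dst, sorted(ports)))
    return alerts
```

A single SYN to one port (the legitimate connection from 10.0.0.5) produces no alert, which is the point of counting distinct ports rather than individual SYNs.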
Banner Grabbing
Banner grabbing is an activity that is used to determine information about services that are being run on a remote computer.
• Used to identify a system and services
• Retrieves information from open ports and services
• Services respond to banner grabs with application-specific information
• Can use many applications (wget, curl, nmap, ssh, etc) to perform this task
Firewalk: Determining Firewall Rules
• Find out the firewall rules for new connections
• We don’t care about the target machine, just about the packet types that can get through the firewall
o Find out the distance to the firewall
o Send arbitrary packets (Ping, TCP/UDP) to the destination setting TTL=distance+1
o If you receive an ICMP_TIME_EXCEEDED message, the ping went through
o If not, the firewall filtered it
Mass Scanning
• Finding active IP addresses
o Ping sweep: ICMP based tools to check live hosts
• Finding active ports
o TCP SYN sweep: to check open ports
nmap -p0- 127.0.0.1
o MASSCAN: try it out
https://labs.hackxpert.com/PortScanning/masscan/00/
Mapping network topology
• Traceroute
▪ Sends out ICMP or UDP packets with increasing TTL
▪ Gets back ICMP_TIME_EXCEEDED messages from intermediate routers
Network Mapping with Traceroute
Host A probes www.target.com, which sits behind routers R1, R2 and R3; the target.com network also hosts db and mail servers.
1. A sends ICMP_ECHO to www.target.com with TTL=1; R1 answers with ICMP_TIME_EXCEEDED. A: R1 is the first hop to www.target.com!
2. A sends ICMP_ECHO to www.target.com with TTL=2; R2 answers with ICMP_TIME_EXCEEDED. A: R1-R2 is on my path to www.target.com!
3. Repeat with increasing TTL, then repeat for the DB and mail servers:
R1-R2-R3-www is my path to www.target.com
R1-R2-R3-db is my path to db.target.com
R1-R2-R3-mail is my path to mail.target.com
Target network is a star with R3 at the center
For security reasons, most networks filter ICMP probes
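The traceroute mapping above and the firewalk idea (TTL = distance + 1) as an added simulation, not from the lecture slides; the topology, the filter rule on R3 and the probe model are constructed so the reader can see how increasing TTL recovers the R1-R2-R3 star and how a filtered packet type shows up as silence.

```python
"""Simulate traceroute path discovery and firewalking with TTL.

Added example, not from the lecture slides: the topology (host A, routers
R1-R3, servers www/db/mail) and the filter rule on R3 are constructed to
match the slide figures. Routers decrement TTL and answer ICMP_TIME_EXCEEDED
when it expires; a filtering hop drops silently; the target echoes back.
"""
NEXT_HOP = {   # constructed network: next hop from each node toward each server
    "A":  {"www": "R1", "db": "R1", "mail": "R1"},
    "R1": {"www": "R2", "db": "R2", "mail": "R2"},
    "R2": {"www": "R3", "db": "R3", "mail": "R3"},
    "R3": {"www": "www", "db": "db", "mail": "mail"},
}
FILTER = {"R3": {"tcp/23"}}   # R3 is the firewall: it drops telnet probes

def send_probe(src, dst, ttl, kind="icmp"):
    """Forward one probe hop by hop; return (reply, replying_node)."""
    node = src
    while node != dst:
        node = NEXT_HOP[node][dst]
        if node != dst:                  # routers decrement TTL ...
            ttl -= 1
            if ttl == 0:                 # ... and report when it expires
                return "ICMP_TIME_EXCEEDED", node
        if kind in FILTER.get(node, ()):
            return "NO_REPLY", None      # the firewall dropped it silently
    return "ICMP_ECHO_REPLY", dst


def traceroute(src, dst, max_ttl=30):
    """Raise TTL from 1 until the destination itself replies."""
    path = []
    for ttl in range(1, max_ttl + 1):
        reply, node = send_probe(src, dst, ttl)
        path.append(node)
        if reply == "ICMP_ECHO_REPLY":
            break
    return path


def hub_router(paths):
    """Last node common to every path: the centre of a star topology."""
    return [n for n in paths[0] if all(n in p for p in paths)][-1]


def firewalk(src, dst, firewall_distance, kind):
    """Probe with TTL = distance + 1: a reply from past the firewall means the
    packet type got through; no reply means the firewall filtered it."""
    return send_probe(src, dst, firewall_distance + 1, kind)[0] != "NO_REPLY"
```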
At The End Of Scanning Phase
• Attacker has a list of “live” IP addresses
• Open ports and applications at live machines
• Some information about OS type and version of live
machines
• Some information about application versions at open ports
• Information about network topology
• Information about firewall configuration
Scan Challenges: Performance and Accuracy
• Scanning is often long and hard work. Can be disheartening:
– Stats: 93:57:40 elapsed; 254868 hosts completed (2048 up), 2048 undergoing UDP Scan
UDP Scan Timing: About 11.34% done; ETC: 03:21 (688:41:48 remaining)
• Finding and resolving performance and accuracy problems is a key goal
• Try to reduce footprint and disruptions
Insecure.Org
Packet Rate Control
• --min-rate <packets per second>
• --max-rate <packets per second>
nmap --min-rate 500 scanme.nmap.org
Lecture 0x04 - Summary
• Scanning requires a good understanding of networking technologies.
o OSI layers
o Ethernet/ARP/DHCP
o IP/TCP/UDP/ICMP
o DNS
• Understand network and host scanning and various tools