Welcome to Module 2 of your cybersecurity training!
In this module, we'll embark on a detailed exploration of network protocols, with a special focus on the TCP/IP stack and its vulnerabilities. You’ll also learn advanced packet analysis techniques using powerful tools like Wireshark and Scapy.
2.1 TCP/IP Stack and Protocols
The TCP/IP stack is the cornerstone of modern networking, enabling communication across diverse networks. Understanding this stack is crucial for identifying and mitigating network vulnerabilities.
What is the TCP/IP Stack?
The TCP/IP (Transmission Control Protocol/Internet Protocol) stack is a set of protocols that allows computers to communicate over a network. It's the protocol suite used by the internet and most local networks.
The TCP/IP stack is divided into four layers, each responsible for specific functions that ensure data is transmitted accurately and efficiently.
The Four Layers of the TCP/IP Stack
- Application Layer
- Role
This layer is responsible for providing network services directly to end-users and applications. It encompasses protocols that facilitate user interaction and data exchange.
- Key Protocols
- HTTP/HTTPS (HyperText Transfer Protocol / Secure)
Role: Facilitates the transfer of web pages and web resources. HTTP is not encrypted, which makes it very vulnerable. HTTPS provides secure communication through encryption; we'll see that hackers have found multiple ways to break this and read the traffic in clear.
Ports: 80 (HTTP) / 443 (HTTPS)
- FTP/SFTP (File Transfer Protocol / Secure)
Role: Transfers files between a client and a server. FTP is not encrypted, which makes it very vulnerable. SFTP provides the same service, with encryption.
Port: 21 (FTP) / 22 (SFTP)
- SMTP/SMTPS (Simple Mail Transfer Protocol / Over SSL)
Role: Sends emails between servers.
Ports: 25, 587, 465 or 2525
- IMAP/IMAPS (Internet Message Access Protocol / Over SSL)
Role: Retrieves emails from a mail server, allowing clients to read messages stored on the server.
Ports: 143 (IMAP) / 993 (IMAPS)
- POP3 (Post Office Protocol version 3)
Role: Retrieves emails from a mail server, downloading them to the client’s device.
Port: 103 (POP3) / 995 (POP3 Over SSL)
- DNS (Domain Name System)
Role: Translates domain names (like www.example.com) into IP addresses.
Port: 53
- Telnet
Role: Provides a text-based remote login session to another computer.
Port: 23
- SSH (Secure Shell)
Role: Provides a secure channel for remote login and other network services.
Port: 22
- SNMP (Simple Network Management Protocol)
Role: Manages and monitors network devices.
Ports: 161, 162
- DHCP (Dynamic Host Configuration Protocol)
Role: Automatically assigns IP addresses and other network configuration parameters to devices on a network.
Ports: 67, 68
- NTP (Network Time Protocol)
Role: Synchronizes clocks of networked devices to a precise time reference.
Port: 123
- Transport Layer
- Role
The transport layer ensures reliable data transmission between hosts. It handles error correction, data flow control, and data integrity.
- Key Protocols
- TCP: Transmission Control Protocol
Role: Provides reliable, ordered, and error-checked delivery of data.
- UDP: User Datagram Protocol
Role: Provides a faster, connectionless service with no guarantee of delivery.
- Internet Layer
- Role
This layer is responsible for addressing, routing, and packaging data for transmission. It ensures data packets are sent from the source host to the destination host across multiple networks.
- Key Protocols
- IP: Internet Protocol
Role: Responsible for delivering packets from the source to the destination based on IP addresses.
- ICMP: Internet Control Message Protocol
Role: Used for diagnostic and error messages (e.g., ping).
- ARP: Address Resolution Protocol
Role: Maps IP addresses to physical MAC addresses.
- RARP: Reverse Address Resolution Protocol
Role: Maps a physical MAC address to an IP address.
- Network Access Layer
- Role
Also known as the Link Layer, this layer deals with the physical transmission of data over network hardware. It includes the hardware and technologies used to physically transmit the data.
- Key Protocols
- Ethernet
Defines the wiring and signaling standards for the physical layer and a data link layer protocol for controlling access to the physical transmission medium.
- Wi-Fi: Wireless Fidelity
Provides wireless access to network resources and the internet.
- PPP: Point-to-Point Protocol
Provides a standard method for transporting multi-protocol datagrams over point-to-point links.
- SLIP: Serial Line Internet Protocol
Provides a standard for transmitting IP datagrams over serial lines.
How the TCP/IP Stack Works
- Data Encapsulation
- Data from an application is passed down the stack, with each layer adding its own header (containing control information) to the data. This process is called encapsulation.
- At the receiving end, each layer strips off its respective header and processes the data accordingly, a process known as decapsulation.
- Data Flow Example
- Sending Data: When you send an email, the email application (Application Layer) sends your message to the Transport Layer, where it is encapsulated in a TCP segment. The Internet Layer then wraps the segment in an IP packet, and finally, the Network Access Layer places the packet into a frame for transmission over the physical network.
- Receiving Data: The process is reversed at the receiving end, with each layer decoding its corresponding header and passing the data up the stack until it reaches the email application.
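As an added example (not part of the course material), the following Python walks one constructed Ethernet/IPv4/TCP frame back up the stack, stripping one header per layer exactly as decapsulation is described above. The MAC addresses, IP addresses, ports and payload are made-up sample values.

```python
"""Added example (not from the course): decapsulate a raw frame layer by layer.

The frame below is constructed by hand: an Ethernet II header carrying an
IPv4 packet, which carries a TCP segment, which carries application data.
"""
import struct

# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800 (IPv4)
ETH = bytes.fromhex("aabbccddeeff" "112233445566" "0800")
PAYLOAD = b"GET / HTTP/1.1\r\n"
# TCP header: sport 40000, dport 80, seq 1, ack 1, data offset 5 (20 bytes), flags PSH|ACK
TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
ip_total_len = 20 + len(TCP) + len(PAYLOAD)
# IPv4 header: version 4 / IHL 5, TOS, total length, id, flags+frag, TTL 64, proto 6 (TCP), checksum 0
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 1, 0, 64, 6, 0,
                 bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]))
FRAME = ETH + IP + TCP + PAYLOAD


def decapsulate(frame: bytes) -> dict:
    """Strip Ethernet, IPv4 and TCP headers in turn, recording what each layer reveals."""
    out = {}
    # Network Access Layer: 14-byte Ethernet II header
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    packet = frame[14:]
    # Internet Layer: IHL field gives the header length in 32-bit words
    ihl = (packet[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    out["ip"] = {"src": ".".join(map(str, packet[12:16])),
                 "dst": ".".join(map(str, packet[16:20])), "proto": proto}
    if proto != 6:
        raise ValueError("only TCP is handled in this example")
    segment = packet[ihl:total_len]
    # Transport Layer: data offset field gives the TCP header length
    sport, dport = struct.unpack("!HH", segment[:4])
    doff = (segment[12] >> 4) * 4
    flags = segment[13]
    out["tcp"] = {"sport": sport, "dport": dport,
                  "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}
    # Application Layer: whatever is left after the TCP header
    out["app"] = segment[doff:]
    return out
```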
Importance of the TCP/IP Stack
- Interoperability: The TCP/IP stack enables different types of devices and networks to communicate seamlessly.
- Scalability: It supports the growth of the internet by allowing an ever-increasing number of devices to connect and communicate.
- Reliability: Protocols like TCP ensure data integrity and reliable delivery, which are essential for many applications.
2.2 Vulnerabilities and Weaknesses
The idea here is to understand some common attacks and vulnerabilities. This is definitely not exhaustive. Each line could (and will) be a whole new Course (and Lab!).
Application Layer Vulnerabilities
- HTTP/HTTPS
Here is a brief overview (definitely not exhaustive!) of some common attacks here:
- Man-in-the-Middle (MitM) Attacks: Interception of HTTP communications.
- SSL Stripping: Downgrades an HTTPS connection to HTTP, intercepting and reading the traffic as plain text.
- Injection Attacks: SQL injection, command injection through improperly sanitized input fields.
- Cross-Site Scripting (XSS): Injection of malicious scripts into web pages viewed by other users.
- Cross-Site Request Forgery (CSRF): Forcing a user to execute unwanted actions on a web application in which they’re authenticated.
- SMTP/IMAP/POP3
- Email Spoofing: Sending emails with forged sender addresses.
- Phishing: Malicious attempts to acquire sensitive information by masquerading as a trustworthy entity.
- Man-in-the-Middle (MitM) Attacks: Interception of email communications.
- DNS
- DNS Spoofing: Redirecting traffic by corrupting DNS cache with false IP address mapping.
- DNS Amplification Attacks: A type of DDoS attack that exploits DNS servers to flood a target with large amounts of traffic.
- Cache Poisoning: Injecting false DNS records into the cache of a resolver.
- FTP
- Clear Text Transmission: Transmitting data, including passwords, in unencrypted form.
- Brute Force Attacks: Attempting to gain access through repetitive attempts of username and password combinations.
Transport Layer Vulnerabilities
- TCP
- SYN Flooding: A type of Denial-of-Service (DoS) attack that exploits the handshake process.
- TCP Reset Attacks: Sending forged packets to close an active connection.
- Session Hijacking: Intercepting and taking over an established TCP session.
- UDP
- UDP Flooding: Sending a large number of UDP packets to flood a target.
- Amplification Attacks: Exploiting the stateless nature of UDP to generate more traffic than originally sent by the attacker.
Internet Layer Vulnerabilities
- IP
- IP Spoofing: Sending packets with a false source IP address to masquerade as another system.
- Fragmentation Attacks: Exploiting the packet fragmentation process to bypass security mechanisms or cause system crashes (e.g., Teardrop attack).
- ICMP
- Ping Flooding: Overwhelming a target with ICMP echo request (ping) packets.
- ICMP Redirect Attacks: Tricking a host into redirecting traffic to a different route.
- ICMP Smurf Attack: A type of DDoS attack that exploits ICMP by sending packets to a network’s broadcast address with a spoofed source address.
- ARP
- ARP Spoofing/Poisoning: Associating the attacker’s MAC address with the IP address of another host, allowing interception or redirection of traffic.
- Man-in-the-Middle (MitM) Attacks: Intercepting and potentially altering communications between two parties.
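As an added example (not part of the course material), here are two small detectors run over Wireshark-style packet records for two of the attacks listed above: a TCP SYN flood (many half-open connections that never complete the handshake) and ARP spoofing (one IP address suddenly advertised by a second MAC). The record shapes and all addresses are assumptions of this example, not a Wireshark export format.

```python
"""Added example (not from the course): SYN-flood and ARP-spoofing detectors
over constructed packet records. Record shapes are this example's own assumption.
"""
from collections import defaultdict

# Constructed sample TCP records (src, dst, dport, flag set):
# 10.0.0.7 finishes its handshakes, 198.51.100.9 never does.
TCP_RECORDS = [("10.0.0.7", "10.0.0.1", 80, {"SYN"}), ("10.0.0.7", "10.0.0.1", 80, {"ACK"}),
               ("10.0.0.7", "10.0.0.1", 443, {"SYN"}), ("10.0.0.7", "10.0.0.1", 443, {"ACK"})]
TCP_RECORDS += [("198.51.100.9", "10.0.0.1", 80, {"SYN"})] * 25

# Constructed sample ARP replies (sender IP, sender MAC): the gateway 10.0.0.1
# is first claimed by one MAC, later by a different one.
ARP_REPLIES = [("10.0.0.1", "00:11:22:33:44:55"), ("10.0.0.7", "66:77:88:99:aa:bb"),
               ("10.0.0.1", "00:11:22:33:44:55"), ("10.0.0.1", "de:ad:be:ef:00:01")]


def syn_flood_sources(records, threshold=10):
    """Map each source IP to its number of SYNs never followed by a bare ACK,
    keeping only sources above the threshold."""
    syns, acks = defaultdict(int), defaultdict(int)
    for src, _dst, _port, flags in records:
        if "SYN" in flags and "ACK" not in flags:
            syns[src] += 1      # new connection attempt (first handshake step)
        elif "ACK" in flags and "SYN" not in flags:
            acks[src] += 1      # third handshake step (or a later data ACK)
    return {src: n - acks[src] for src, n in syns.items() if n - acks[src] > threshold}


def arp_conflicts(replies):
    """Return (ip, old_mac, new_mac) for every IP whose advertised MAC changes."""
    seen, alerts = {}, []
    for ip, mac in replies:
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
        seen[ip] = mac  # remember the latest claim so repeated flips are all reported
    return alerts
```

In a real deployment the thresholds and the baseline IP-to-MAC table would come from observed traffic on your own network, and a MAC change for a gateway IP is the highest-value alert.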
Network Access Layer Vulnerabilities (Link Layer)
- Ethernet
- MAC Flooding: Overloading a switch’s MAC address table to force it into broadcast mode, facilitating eavesdropping.
- CAM Table Overflow: Exploiting a switch's limited capacity to store MAC addresses, causing it to act like a hub.
- Wi-Fi
- WEP/WPA Cracking: Breaking weak encryption protocols like WEP or WPA.
- Rogue Access Points: Setting up unauthorized access points to intercept network traffic.
- Evil Twin Attacks: Creating a fraudulent Wi-Fi access point that mimics a legitimate one to eavesdrop on users.
Cross-Layer/Utility Protocol Vulnerabilities
- SSL Stripping: Downgrading HTTPS connections to HTTP.
- Heartbleed: Exploiting a vulnerability in OpenSSL to read sensitive memory content.
- POODLE Attack: Exploiting vulnerabilities in SSL 3.0 to decrypt secure communications.
- ...
We wanted to cover even more in this Module, but this is already a lot of information to digest.
Each topic covered here will get its own full Course. Links will be added here, as well as in the Hacking Courses section.
Question
Answer the question below to validate the course and earn easy points:
What type of web security vulnerability involves tricking a user's browser into making an unwanted request to a different site where the user is authenticated, without their knowledge?