Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This unit discusses headers and the information they contain. Participants learn about the following types:

  • Ethernet
  • Internet Protocol (IP)
  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)

Video Transcription

00:04
The next topic for discussion is the Ethernet header.
00:07
So this Ethernet header is something I've pulled from Wireshark, which is something we'll be looking at a little bit later on. But this is going to be useful because it's gonna let us look at what sort of data is contained inside of an Ethernet header.
00:19
And it's also going to let us know what sort of things we can do with that information. So we see that it uses Ethernet version 2, which pretty much everything you're gonna be using will,
00:29
the source MAC, which is
00:32
00:0c:29:22:dd:cc.
00:39
We see it automatically gets broken out into being VMware_22:dd:cc,
00:44
which means that this already knows that it's using VMware, which again is useful.
00:50
So when you see VMware in the wild, when you've just exploited a machine, you've just broken in, you see that your MAC address is a VMware one, which will be either 00:0c:29 or 00:50:56.
01:04
Either one of those are pretty well known to be owned by VMware.
01:08
Now, if you see that,
01:11
that means you've probably broken into something that's not what you think it is. Unless you knew you were going after a VM, you knew it was a virtualized server or what have you, you're probably in bad shape.
01:22
So you're going to want to look into, well, why is it a VM? Am I in a honeynet? Um, have I been captured by a researcher? What's going on?
01:30
And if either of those were the case, you're gonna want to get out of there.
01:34
Your destination
01:37
we see here again is the same thing, just broken out.
01:40
Your address, your destination address rather,
01:45
has the LG bit not set, so it's a globally unique address,
01:49
or it's a non-globally-unique address
01:52
because the LG bit is not set.
01:55
We see that it's not an individual address because the IG bit is not set.
02:00
We see the source address, the place where everything has come
02:05
from, is also VMware, as I mentioned a moment ago. We see that it's also
02:09
factory default,
02:13
non-unique. Now, the reason why that matters is pretty straightforward.
02:16
It's a VM, and VMware basically just randomly assigns
02:21
a MAC address to all of its VMs. But
02:25
if you see things like this in the wild, if you look in and you see, oh, well, this bit's not set or that bit's not set,
02:31
the actual breakdown of these headers can actually tell you what's going on.
02:36
Knowing that can give you information, can tell you how they've configured their network, what sort of data they're using, or even just whether or not they've got a good tech guy.
02:44
The next and very important thing that each header is going to tell us
02:47
is a type field of some sort.
02:50
That type is actually the next type.
02:52
So in this case, it's going to be 0800 in hex, which, as Wireshark tells us, means IP specifically.
03:00
We don't actually know what version it is. We only know that it is
03:04
IP.
03:06
So to find that out,
03:07
we go into the next one
03:08
and we see it breaks out to IPv4.
03:12
Now, we're not actually looking at the raw hex in this because, well, one, that's not what you're here for. Two, raw hex hurts my eyes. And three, it's really, really, really boring.
03:22
So we see the source machine is .128.
03:24
We see it's 192.168.129.128 specifically.
03:29
We see its destination is
03:30
31.13.71.128.
03:35
The IP version is 4,
03:37
and the header length is 20 bytes. That's fairly consistently the case across IP. Most IP headers are going to be 20 bytes. It is possible to have options in place that will extend that, but it's very, very rare.
03:50
The Differentiated Services field doesn't really matter to us.
03:53
Total length is 40,
03:55
identification number. The IP identification number right here is 868,
04:00
or in hex 0364,
04:02
and we've got one flag, which is the don't fragment bit. That's the only flag currently set.
04:06
What the don't fragment bit means is: don't break this packet up.
04:11
If it gets to a point where the maximum transmission unit says, sorry, I can't take a packet that big, send me an error and I'll send you a smaller version. But don't break this packet up.
04:21
Time to live is 64,
04:24
protocol is TCP, which is again our next protocol.
04:28
We have a header checksum, although on the actual system we're using we didn't actually enable validation.
04:33
But we do know that it took a checksum of the header, and if we wanted to, we can validate, make sure the header hasn't been changed in route.
04:41
So
04:42
that's pretty much everything that we need out of the IP header.
04:44
And from there we can go on to, in this case, we're going to go into a TCP header,
04:49
which we see right here. TCP, as we said before, is the transmission control protocol.
04:54
In this case, it's coming from port 44277, which again we saw was the .128 machine,
05:01
and is going to port 443,
05:04
which we know to be HTTPS, and hopefully
05:08
we're informed of that here, which is very nice of Wireshark.
05:14
Um, it tells us, hey, it's using the HTTPS port. That doesn't necessarily mean it's using HTTPS, but it's a fairly strong indicator that it is.
05:23
So we know that it's coming from a random high port (this right here is called a random high port)
05:27
to a well-known port.
05:29
So most likely the .128 is a client and is going out to a website
05:33
on the 31.13 etcetera etcetera machine,
05:38
and it's looking at something there.
05:41
The sequence number
05:43
is 2537, the acknowledgment number is 19459.
05:47
These two are very important. They're relative in this case. That's not the entire full number, but it's relative to the start.
05:54
So if we know that the relative sequence number is 2537, we know this communication has been going on for a little while.
06:00
Um, the acknowledgment number
06:02
can give us a vague idea of how much data has been sent. The specifics of how acknowledgment and sequence work
06:11
aren't important. But what matters is that if it's a big number in the acknowledgment field, you know that a good bit of data has been sent. If it's a big number in this relative sequence field, you know that a lot of packets have been sent.
06:21
So the header length right here
06:25
breaks out and says, hey, your TCP header is 20 bytes.
06:29
That's not really important to us right now, but it could be in the future.
06:32
The flags that are set, however, are extremely important.
06:36
TCP flags are very, very indicative of a lot of things.
06:43
The reserved: these first 3 should never be set. If they are set, someone is spoofing packets, someone is doing bad things on the network. The nonce should also not ever be set.
06:55
The congestion window reduced
06:58
could theoretically be set, but in reality is only ever really sent during an Xmas scan, which is something we'll look at a little bit later.
07:05
ECN, again, Xmas only.
07:09
Urgent:
07:11
urgent is something that was designed with the intent of a quality of service being built into TCP. But it never quite happened, so it's sort of just there. It's another one that you'll only ever see in an Xmas scan, which means
07:24
it's not something you should see for normal use.
07:27
The ones that you will see from normal use are higher, and those ones are indicated in blue:
07:31
acknowledgment,
07:32
which says, hey, I got some sort of data from you or some sort of communication from you;
07:36
push,
07:39
which says, hey,
07:41
I've got more data for you, add it to the data I've already sent you;
07:45
reset,
07:46
which says you've done something very, very, terribly wrong and I'm going to kill this connection, and we can try again in a minute;
07:53
SYN,
07:54
which is only ever used to initiate a conversation.
07:58
It's the first packet that gets sent. You get a SYN, SYN-ACK, ACK. It's called the three-way handshake. SYN is sent as a synchronize, says, hey, let's synchronize sequence numbers and let's start working together to create a communication.
08:09
And then FIN, which is part of the graceful teardown.
08:11
Ah, a FIN teardown looks like FIN, FIN-ACK, FIN and finish,
08:16
which is designed with the simple intent of
08:20
making sure that the teardown happens in the right way. Everyone's done with sending data, everything looks good and is good to go.
08:26
Window size value you see here is 65160,
08:30
which could be useful in OS fingerprinting,
08:33
and the checksum again. We've disabled validation, but if we wanted to make sure that a packet was sent correctly,
08:39
that's where we would check.
08:41
The next header and final header that we're going to look at here is the UDP header. Now, a quick reminder from before: UDP is much, much simpler and much less reliable. It's not designed to ensure the traffic gets where traffic should go.
08:56
So in the User Datagram Protocol, the UDP header, we don't have very many fields. We have a source port,
09:01
right here is 17500,
09:03
and we have a destination port, which here is 17500.
09:07
Now, I don't know about you, but I don't know that port off the top of my head. We see here that it's db-lsp-disc,
09:15
probably some sort of discovery port. We don't really care that much.
09:20
We might care in a minute, but right now we don't. It's worth a Google,
09:22
by all means. If you find a port with which you're unfamiliar being used, always look it up. I recommend whenever you're doing some sort of task, whenever you're working in a network, have a separate machine disconnected from that network with which to google things, with which to look up what you're unfamiliar with, whatever you might need. Do have a second machine or, at the very least, a smartphone like everyone seems to carry now.
09:45
Beyond that, there's the length of this packet, which is 122 bytes,
09:48
again, the UDP checksum,
09:52
which we don't validate.
09:52
And that's really it. All UDP does is say, hey, here's where it's from, here's where it's going, here's how much there is of it, and here's a checksum that may or may not be correct.
10:03
And then it just throws that data
10:05
at whoever the destination is.
10:09
With that, we've pretty much completed our discussion of headers and therefore our discussion of basic networking concepts.
10:15
After this, we're going to be building into gathering information, and I will see you then.
10:20
Thank you very much and enjoy your day.
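The header walk-through above reads each field out of Wireshark by hand. As an added example that is not part of the course material, the following Python decodes the same three layers (Ethernet II, IPv4, TCP or UDP) straight from raw bytes and flags the things the instructor calls out: a VMware OUI in the source MAC, the IG/LG bits, the IPv4 header checksum (validated here rather than left disabled), the TCP reserved bits, and flags that should not appear in normal traffic. The sample frames are constructed to carry the values read off the capture in the transcript (MAC OUIs, 192.168.129.128 to 31.13.71.128, ID 0x0364, DF, TTL 64, ports 44277 and 443, window 65160, UDP 17500 to 17500, length 122); the remaining octets of the MAC addresses and the UDP payload are made up.

```python
import struct
from ipaddress import ip_address

# OUIs the transcript names as VMware-owned
VMWARE_OUIS = {"00:0c:29", "00:50:56"}
# TCP flag bit order, low bit first (RFC 793 flags plus ECE/CWR/NS)
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4_checksum(header):
    """Ones-complement sum of 16-bit words; pass the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def parse_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP/UDP into a dict of the fields discussed on the page."""
    out = {}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out["eth"] = {
        "dst": mac_str(dst), "src": mac_str(src), "type": etype,
        # first octet: bit 0 is the IG bit (1 = group), bit 1 is the LG bit (1 = locally administered)
        "src_ig": bool(src[0] & 0x01), "src_lg": bool(src[0] & 0x02),
        "src_vmware": mac_str(src[:3]) in VMWARE_OUIS,
    }
    if etype != 0x0800:          # only IPv4 is decoded here
        return out
    ip = frame[14:]
    vihl, _tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (vihl & 0x0F) * 4      # header length in bytes, normally 20
    out["ip"] = {
        "version": vihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "ttl": ttl, "proto": proto,
        "src": str(ip_address(ip[12:16])), "dst": str(ip_address(ip[16:20])),
        # recompute over the header with the checksum field zeroed and compare
        "checksum_ok": ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum,
    }
    payload = ip[ihl:]
    if proto == 6:               # TCP
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", payload[:16])
        out["tcp"] = {
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "window": window,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
            "reserved_set": bool(off_flags & 0x0E00),   # the 3 bits that must always be zero
        }
    elif proto == 17:            # UDP
        sport, dport, length, _csum = struct.unpack("!HHHH", payload[:8])
        out["udp"] = {"sport": sport, "dport": dport, "length": length}
    return out


def anomalies(parsed):
    """Observations a defender would want surfaced from the decoded headers."""
    notes = []
    if parsed["eth"]["src_vmware"]:
        notes.append("source MAC has a VMware OUI (virtual machine)")
    ip, tcp = parsed.get("ip"), parsed.get("tcp")
    if ip and not ip["checksum_ok"]:
        notes.append("IPv4 header checksum mismatch (header altered in transit?)")
    if tcp and tcp["reserved_set"]:
        notes.append("TCP reserved bits set (crafted packet)")
    if tcp and set(tcp["flags"]) & {"URG", "CWR", "ECE", "NS"}:
        notes.append("URG/CWR/ECE/NS set (unusual outside scans)")
    return notes


def ipv4_header(src_ip, dst_ip, proto, payload_len, ident, ttl=64, df=True):
    """Build a 20-byte IPv4 header with a correct checksum (used only to construct samples)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000 if df else 0,
                      ttl, proto, 0, ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def sample_tcp_frame():
    # Constructed sample: values from the transcript; MAC tails are made up. Flags = ACK only.
    tcp = struct.pack("!HHIIHHHH", 44277, 443, 2537, 19459, (5 << 12) | 0x010, 65160, 0, 0)
    ip = ipv4_header("192.168.129.128", "31.13.71.128", 6, len(tcp), 0x0364)
    eth = bytes.fromhex("005056e1b60e") + bytes.fromhex("000c2922ddcc") + b"\x08\x00"
    return eth + ip + tcp


def sample_udp_frame():
    # Constructed sample: Dropbox LAN-sync style discovery datagram, 8-byte header + 114 bytes payload = 122
    data = b"X" * 114
    udp = struct.pack("!HHHH", 17500, 17500, 8 + len(data), 0) + data
    ip = ipv4_header("192.168.129.128", "192.168.129.255", 17, len(udp), 0x0101)
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("000c2922ddcc") + b"\x08\x00"
    return eth + ip + udp


if __name__ == "__main__":
    for frame in (sample_tcp_frame(), sample_udp_frame()):
        decoded = parse_frame(frame)
        print(decoded)
        print("notes:", anomalies(decoded))
```

Running the script prints the decoded layers for both constructed frames; the only note raised on clean traffic is the VMware OUI, which is exactly the tell the transcript describes. Flipping a byte inside the IPv4 header makes `checksum_ok` go false, and setting any of the three reserved TCP bits makes `reserved_set` true, so the same decoder doubles as a quick sanity check for packets that were not produced by a normal stack.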

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor