How Do Computers Communicate?


Given how pervasive the Internet is in our daily lives, understanding how computers communicate with one another is essential to improving your online security. In this article we go over the basics of computer networking.

IP Addresses

Internet Protocol addresses (IP addresses) identify devices connected to the internet; in principle, an IP address is no different from your home address or phone number.

Most networks still use IP version 4 (IPv4), although its successor, IPv6, is gradually replacing it. An IPv4 address is 32 bits long, split into four octets; each octet is a group of 8 bits (binary on/off switches). As an example, let’s look at 192.168.1.1.

Each of the numbers between the periods (.) is the decimal equivalent of one octet: we take the base-2 number that the computer actually uses and convert it to the decimal form that humans are more accustomed to working with. Because 8 bits give 2 to the 8th power, or 256, combinations, each octet can represent a number in the range 0 through 255. For 192.168.1.1 the four octets are 11000000, 10101000, 00000001 and 00000001.

Public vs. Private IP Addresses

It’s important to note that our IP address system has limitations. The biggest is that there are not enough addresses for all of the devices that need to connect to the internet: a 32-bit address space gives IPv4 only about 4.3 billion (2 to the 32nd power) addresses. With over 7 billion people on the planet and far more devices than people, that certainly is not enough.

As a result, a scheme was developed (RFC 1918) that sets aside a few blocks of addresses for use inside a LAN. These addresses are reused over and over again in every local area network, but are never routed over the internet, which conserves the public addresses needed to keep the world going ’round.

Private IP Address Ranges

IPv4 addresses were originally divided into classes by their leading bits, and the three classes used for ordinary hosts are:

Class A: 0.0.0.0 – 127.255.255.255
Class B: 128.0.0.0 – 191.255.255.255
Class C: 192.0.0.0 – 223.255.255.255

These classes are not themselves private ranges. RFC 1918 reserves one block inside each class for private use:

10.0.0.0 – 10.255.255.255 (10.0.0.0/8, within Class A)
172.16.0.0 – 172.31.255.255 (172.16.0.0/12, within Class B)
192.168.0.0 – 192.168.255.255 (192.168.0.0/16, within Class C)

An address in one of these blocks is a private IP that is only usable on the local area network; routers on the internet will not forward it. To communicate over the internet, traffic from a private address must be translated to a public IP by a NAT device. (The 127.0.0.0/8 block is reserved for loopback and likewise never appears on the internet.)
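The octet arithmetic and the RFC 1918 test described above, as an added example (not code from the original article): it converts a dotted quad to the 32-bit integer that actually travels on the wire, prints the octets as bits, finds the classful class, and checks the three private blocks with a prefix mask rather than by string matching, which is what catches the common mistake of treating all of 172.x.x.x as private. The sample addresses at the bottom are constructed.

```python
"""IPv4 address helpers: parse, show bits, classful class, RFC 1918 membership."""

# RFC 1918 private blocks; each sits inside one of the old address classes.
PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
LOOPBACK = "127.0.0.0/8"


def ip_to_int(addr: str) -> int:
    """Turn 'a.b.c.d' into the 32-bit integer carried on the wire.

    Rejects anything that is not exactly four octets in 0..255, so a
    malformed string never silently becomes a 'valid' address.
    """
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {addr!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """Each octet as its 8 bits: 192.168.1.1 -> 11000000.10101000.00000001.00000001"""
    value = ip_to_int(addr)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def in_cidr(addr: str, cidr: str) -> bool:
    """True if addr falls inside the block written as 'network/prefix'."""
    network, prefix = cidr.split("/")
    bits = int(prefix)
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(network) & mask)


def address_class(addr: str) -> str:
    """Classful lookup by first octet: 0-127 A, 128-191 B, 192-223 C, 224-239 D, 240-255 E."""
    first = ip_to_int(addr) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D (multicast)"
    return "E (reserved)"


def is_private(addr: str) -> bool:
    """RFC 1918 membership: these addresses are never routed on the public internet."""
    return any(in_cidr(addr, block) for block in PRIVATE_BLOCKS)


def describe(addr: str) -> dict:
    return {
        "address": addr,
        "integer": ip_to_int(addr),
        "binary": to_binary(addr),
        "class": address_class(addr),
        "private": is_private(addr),
        "loopback": in_cidr(addr, LOOPBACK),
    }


if __name__ == "__main__":
    # Constructed samples: one per RFC 1918 block, one just outside 172.16/12
    # (a common misreading of "Class B private"), and a public address.
    for sample in ("10.1.2.3", "172.31.9.9", "172.32.0.1", "192.168.1.1", "8.8.8.8"):
        print(describe(sample))
```

Note that 172.32.0.1 reports as private = False even though it is a Class B address: the private block is the /12, 172.16.0.0 through 172.31.255.255, not the whole class.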

DHCP

Dynamic Host Configuration Protocol (DHCP) assigns IP addresses dynamically, so that a device does not necessarily keep the same IP address all of the time. Most of the time these assignments happen on a local area network. When a device joins the LAN it has no address yet, so it broadcasts a request (DHCP runs over UDP: the server listens on port 67 and clients on port 68). The DHCP server answers with an offer, the client confirms which offer it accepts, and the server acknowledges, assigning the address to that system for a fixed length of time known as a “lease.” The client must renew the lease before it expires or it loses the address.

Each time you connect to the LAN you are likely to receive a different (dynamic) IP address, but usually from the same pool, for instance a range inside 192.168.0.0 – 192.168.255.255.

NAT

Network Address Translation (NAT) is a technique, implemented in routers and firewalls, whereby internal private IP addresses are “translated” to an external public IP address that can be routed across the internet to its destination. Remember, many LANs use the very same private addresses inside their networks, so a private address on its own cannot identify a destination on the internet.

The NAT device accepts traffic bound for the internet from an internal machine. It records that machine’s IP address (and, on most home routers, its source port as well, since one public address is shared by every internal host) in a translation table and rewrites the packet’s source to the external IP address of the router. When the reply returns from its destination, the NAT device looks up the original request in its table and forwards the packet to the internal IP address of the system that made the request. When working properly, the individual systems and users do not even realise the translation is taking place, and the routers along the way only ever see the public address, so they know exactly where to send the packets. A side effect worth knowing is that inbound packets with no matching table entry are simply dropped, which is why hosts behind NAT are not directly reachable from the internet unless a port is explicitly forwarded.
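The translation table described above, as an added example (not code from the original article): a port-overloading NAT of the kind home routers implement, with two internal hosts that happen to pick the same source port, a reply that is mapped back to the right host, and an unsolicited packet that is dropped because no table entry matches. The addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Minimal NAPT (port-overloaded NAT) translation table."""

from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Napt:
    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self._next_port = count(first_port)
        # inside (src ip, src port, dst ip, dst port) -> external source port for that flow
        self.outbound: dict = {}
        # (external port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound: dict = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite an outbound packet's source to the router's public address.

        The source port is rewritten too: two inside hosts may both use port
        51000, and the reply must still be routable back to the right one.
        """
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = next(self._next_port)
            self.outbound[key] = ext_port
            self.inbound[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host, or return None to drop it.

        Only packets matching a flow an inside host opened are forwarded;
        anything unsolicited is dropped, the incidental firewalling effect
        that most home networks rely on.
        """
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.payload)


def demo():
    nat = Napt("203.0.113.7")
    # Two LAN hosts pick the same ephemeral port for the same web server.
    a = Packet("192.168.1.10", 51000, "198.51.100.5", 80, "GET / (host A)")
    b = Packet("192.168.1.11", 51000, "198.51.100.5", 80, "GET / (host B)")
    out_a, out_b = nat.translate_out(a), nat.translate_out(b)
    # The server replies to the source it saw: the router's IP and chosen port.
    reply_to_a = Packet("198.51.100.5", 80, "203.0.113.7", out_a.src_port, "200 OK for A")
    back_a = nat.translate_in(reply_to_a)
    # A different remote host probing the same external port has no table entry.
    stray = Packet("198.51.100.9", 80, "203.0.113.7", out_a.src_port, "unsolicited")
    return out_a, out_b, back_a, nat.translate_in(stray)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A real router also ages entries out of the table after a timeout, and for TCP tracks connection state so that a bare reply to a closed flow is dropped too; the lookup logic is the same.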

Ports

If the IP address is the primary address for your computer, then the port is the sub-address. If the IP address is the street address of a building, think of the port as the suite number. The IP address gets us to the right machine; the port gets us to the right service on that machine, say a web server listening for HTTP on port 80.

There are 65,536 (2 raised to the 16th power) ports, numbered 0 through 65535. The first 1,024 (0 through 1023) are the “well-known ports”, which on Unix-like systems only privileged processes may listen on. As a network administrator, there are a few ports that you should know by heart:

Port      Protocol       Description
20        FTP (data)     File Transfer Protocol data channel, carries the files being transferred.
21        FTP (control)  File Transfer Protocol control channel; commands and credentials travel in cleartext.
22        SSH            Secure Shell, encrypted remote login; also the transport for SFTP and SCP file transfers.
25        SMTP           Simple Mail Transfer Protocol, used for sending email between servers.
53        DNS            Domain Name System, resolves host names to IP addresses (UDP for queries, TCP for zone transfers and large answers).
67/68     DHCP           Dynamic Host Configuration Protocol (UDP); the server listens on 67 and clients on 68.
69        TFTP           Trivial File Transfer Protocol (UDP), no authentication; common for device configs and boot images.
80        HTTP           Hypertext Transfer Protocol, lets clients request web pages from servers.
88        Kerberos       Kerberos authentication, used by Active Directory domains.
110       POP3           Post Office Protocol version 3, lets clients download messages from a mail server.
123       NTP            Network Time Protocol (UDP), clock synchronisation.
135       MS RPC         Microsoft RPC endpoint mapper.
137-139   NetBIOS        NetBIOS name, datagram and session services; SMB file and print sharing over NetBIOS uses 139.
143       IMAP           Internet Message Access Protocol, richer mailbox access than POP3 (220 was the obsolete IMAP3).
161/162   SNMP           Simple Network Management Protocol (UDP); agents answer on 161, managers receive traps on 162.
389       LDAP           Lightweight Directory Access Protocol, directory lookups and authentication for users, workstations and devices.
443       HTTPS          HTTP over TLS (originally SSL), encrypted communication with web servers.
445       SMB            Server Message Block directly over TCP, the Windows file and print sharing port.
500       IKE            Internet Key Exchange (UDP), negotiates IPsec VPN tunnels.
514       syslog         Syslog log forwarding (UDP).
2049      NFS            Network File System, file sharing between Unix and Linux systems.
3389      RDP            Remote Desktop Protocol, Windows remote desktop.

Networking Protocols

As a network engineer or security professional, an understanding of the structure and anatomy of these protocols is essential. Whether investigating a network attack or setting up a network, you need to understand the protocols and their fields; otherwise you leave yourself exposed to a range of risks.

What Are Network Protocols

Protocols define the rules for a specific method of communication and are usually specified in an RFC (Request for Comments). There are many, many protocols in use on the internet, including TCP, IP, UDP, FTP, HTTP and SMTP, each with a specific set of rules that must be followed for communication to succeed (not that different from the way grammar rules define a language). Probably the two most important protocols on the internet are IP and TCP, so let’s take a look at each of these.

Internet Protocol

Internet Protocol (IP) carries a packet from its source IP address to its destination IP address as it traverses the internet. It is almost always used together with a transport protocol such as TCP, hence the common pairing, TCP/IP.

Let’s go through the IP packet header (seen in the image below) row by row to see how it functions, what information it contains, and how that information is used by administrators, hackers and forensic investigators. Each row of the diagram is 32 bits wide.

Diagram of IP packet header
Schematic of the header of an IP packet showing all of its fields.

Row 1 of IP Packet Header

  • Version: The version of IP, 4 for IPv4 (an IPv6 packet has a completely different header, so this field tells the receiver which one it is looking at);
  • IHL: The Internet Header Length in 32-bit words, normally 5 (20 bytes); a larger value means options are present;
  • Type of Service (TOS): Originally flags requesting minimum delay, maximum throughput, maximum reliability or minimum monetary cost; the byte is now used for DSCP and ECN;
  • Total Length: The total length of the IP datagram (header plus data) or, for a fragment, of that fragment, in bytes. Its maximum value is 65,535.

Row 2 of IP Packet Header

Identification: This field identifies the datagram so that a receiver can match up fragments; all fragments of one datagram carry the same value, which is what makes reassembly possible.

IP Flags: Three bits: one reserved, DF (“don’t fragment”), and MF (“more fragments”, set on every fragment except the last). Manipulating fragmentation, for instance splitting an attack across tiny fragments, is a classic way to try to evade IDS and firewalls that do not reassemble before inspecting.

Fragment Offset: Used when a datagram is fragmented; it gives the position of this fragment’s data, counted in 8-byte units from the start of the original datagram’s data, so the receiver can reassemble the pieces in order.

Row 3 of IP Packet Header

TTL: This is the “time to live.” Each router that forwards the packet decrements it by one and discards the packet when it reaches zero, which bounds how many hops a packet can take and stops routing loops from circulating packets forever. The starting value varies by operating system (64 on Linux and most Unix-likes, 128 on Windows, 255 on many network devices), which makes it useful for guessing the sender’s OS.

Protocol: This field says which protocol is carried inside IP. Most often it will be 6 for TCP, 1 for ICMP or 17 for UDP, among others.

Header Checksum: A simple error-detection field that covers the header only, not the data. Every router recomputes it, since the TTL changes at each hop.

Row 4 & 5 of IP Packet Header

Source / Destination Address: The most important rows of the IP header; they contain the 32-bit source and destination IP addresses. Nothing in IP itself authenticates the source address, which is why source spoofing is possible.

Row 6 of IP Packet Header

Options: An optional field of variable length (up to 40 bytes), present only when IHL is greater than 5, so it is not always used.

Row 7 of IP Packet Header

The data payload. This is not part of the header; it is whatever the Protocol field says it is, typically a TCP or UDP header followed by application data.
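The rows above, parsed from raw bytes, as an added example (not code from the original article): it builds a 20-byte IPv4 header with the struct module, then parses one back, decoding the DF and MF bits, converting the fragment offset from 8-byte units, and verifying the header checksum the way a router does (the one’s-complement sum over the header with its checksum field included must come out to zero). The packets are constructed.

```python
"""Build and parse an IPv4 header (no options) with checksum verification."""

import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
FLAG_DF, FLAG_MF = 0x4000, 0x2000  # flag bits inside the 16-bit flags/fragment field


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6, ttl: int = 64,
                      ident: int = 0x1234, df: bool = True, mf: bool = False,
                      frag_offset: int = 0) -> bytes:
    """20-byte header (IHL=5) with a correct checksum in bytes 10-11."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (FLAG_DF if df else 0) | (FLAG_MF if mf else 0) | (frag_offset // 8)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 20 or ihl > len(packet):
        raise ValueError(f"bad header length {ihl}")
    header = packet[:ihl]
    return {
        "version": version,
        "header_len": ihl,
        "dscp": tos >> 2,
        "ecn": tos & 0x3,
        "total_len": total_len,
        "id": ident,
        "flags": {"DF": bool(flags_frag & FLAG_DF), "MF": bool(flags_frag & FLAG_MF)},
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # stored in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        # Summing the header with its own checksum field included must give zero.
        "checksum_ok": internet_checksum(header) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": header[20:],
        "payload": packet[ihl:],
    }


if __name__ == "__main__":
    pkt = build_ipv4_header("192.168.1.1", "10.0.0.5", payload_len=8, ttl=128) + b"A" * 8
    print(parse_ipv4_header(pkt))
    # Second fragment of a larger datagram: MF set, data starts 1480 bytes in.
    frag = build_ipv4_header("192.168.1.1", "10.0.0.5", 100, df=False, mf=True, frag_offset=1480)
    info = parse_ipv4_header(frag + b"B" * 100)
    print(info["flags"], info["frag_offset"])
```

Flipping any byte of the header (the TTL, say) makes checksum_ok come back False, which is exactly what a router relies on to discard a corrupted header.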

Transmission Control Protocol (TCP)

Much like the IP header, the TCP header has a number of fields that anyone in charge of network administration needs to understand. As before, we will dissect the rows of the TCP header below.

TCP header layers
Diagrammatic representation of the TCP header fields.

Row 1 of TCP Header

Source Port / Destination Port: The most important fields; they identify which port the segment came from and which port it is going to.

Row 2 of TCP Header

Sequence Number: The position of this segment’s data within the byte stream, counted from an initial sequence number chosen by the sending machine’s TCP stack. It lets the receiver put segments back in the proper order and detect loss. Modern stacks randomise the initial sequence number so that an attacker who is not on the path cannot guess it and inject or spoof segments into the connection (an attacker who can already see the traffic, as in a man-in-the-middle position, is not stopped by this).

Row 3 of TCP Header

Acknowledgement Number: Sent back by the receiving system and equal to the next sequence number it expects, which tells the sender that everything before it arrived. If the sender does not see an acknowledgement within a timeout, it retransmits the data to make certain the receiver gets it. This is a key difference between TCP and UDP: UDP sends no acknowledgements and is therefore unreliable by design.

Row 4 of TCP Header

The fourth row holds the data offset (the header length in 32-bit words), a reserved area, the control flags and the window size. The flags are what two things you will meet constantly are built on:

  • the three-way handshake; and
  • Nmap scans.

We will only focus on the flags most often seen in the diagram above.

SYN: Requests a new connection and synchronises the initial sequence number.
FIN: The normal, “soft” close of a connection; the sender has no more data.
ACK: Acknowledges received data; every segment after the initial SYN has this bit set.
RST: The hard close of a connection, usually sent when a segment arrives for a closed port or an unknown connection. A closed port answering a SYN with RST is how Nmap tells “closed” from “filtered”.
URG: The urgent pointer field is valid.
PSH: Push the data up to the application without waiting to fill a buffer.

Although these flags are part of the normal operation of TCP, they can be manipulated to test the security of networks or to evade detection: Nmap sends deliberately abnormal combinations (SYN-only half-open scans, or FIN, NULL and Xmas scans that carry no SYN at all) to probe ports and to slip past simple packet filters.

Window Size: Advertises how many bytes the receiver can currently accept, which TCP uses for flow control. The initial window size differs between operating systems, so fingerprinting tools such as Nmap and p0f use it, together with the TTL and DF bit in the IP header and the TCP options, to guess the operating system that sent the packet.

Row 5 of TCP Header

Checksum: An error-detection field computed over the TCP header, the data and a “pseudo-header” containing the IP source and destination addresses, so a segment delivered to the wrong host fails the check.
URG Pointer: Used together with the URG flag; it is an offset from the sequence number that points to the end of the urgent data in the segment.

Row 6 of TCP Header

Options: An optional field of varying length; the maximum segment size (MSS), window scaling, selective acknowledgement and timestamps are negotiated here during the handshake.
Padding: Contains extra zero bits to bring the length of the TCP header to a multiple of 32 bits.
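The TCP rows above (sequence and acknowledgement numbers, flags, window, options, checksum) in working code, as an added example that is not from the original article: it builds the three segments of a handshake, parses them back, decodes the flag bits and option TLVs that fingerprinting tools look at, and checks the checksum over the pseudo-header so that a segment attributed to the wrong IP address fails. The addresses, ports and option values are constructed; the MSS 1460 and window scale 7 are merely typical Linux values.

```python
"""Build and parse TCP segments: flags, options, pseudo-header checksum."""

import struct

# (name, bit) low bit first; ECE/CWR/NS are the ECN bits next to the classic six
TCP_FLAGS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080), ("NS", 0x100)]
OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SACKOK", 8: "Timestamp"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the same algorithm IP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IP-layer fields the TCP checksum also covers: src, dst, zero, protocol 6, length."""
    ips = bytes(int(o) for o in src_ip.split(".")) + bytes(int(o) for o in dst_ip.split("."))
    return ips + struct.pack("!BBH", 0, 6, tcp_len)


def parse_options(raw: bytes) -> list:
    """Decode option TLVs (kind, length, value); NOP and end-of-list are single bytes."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            out.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length}")
        out.append((OPTION_NAMES.get(kind, f"kind{kind}"), raw[i + 2:i + length]))
        i += length
    return out


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535,
                      options=b"", payload=b"", urgent=0) -> bytes:
    flag_bits = 0
    for name, bit in TCP_FLAGS:
        if name in flags:
            flag_bits |= bit
    options += b"\x00" * (-len(options) % 4)        # pad header to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | flag_bits, window, 0, urgent) + options
    seg = hdr + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def parse_tcp_segment(segment: bytes, src_ip: str, dst_ip: str) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated: a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "window": window, "urgent_ptr": urg,
        "options": parse_options(segment[20:data_offset]),
        "checksum_ok": internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0,
        "payload": segment[data_offset:],
    }


def handshake_demo():
    """Three-way handshake as three constructed segments between a client and a web server."""
    c, s, isn_c, isn_s = "192.168.1.10", "10.0.0.5", 1000, 5000
    opts = b"\x02\x04\x05\xb4" + b"\x03\x03\x07" + b"\x01"   # MSS 1460, WScale 7, NOP
    syn = build_tcp_segment(c, s, 51000, 80, isn_c, 0, {"SYN"}, window=29200, options=opts)
    synack = build_tcp_segment(s, c, 80, 51000, isn_s, isn_c + 1, {"SYN", "ACK"}, window=65535)
    ack = build_tcp_segment(c, s, 51000, 80, isn_c + 1, isn_s + 1, {"ACK"}, window=29200)
    return parse_tcp_segment(syn, c, s), parse_tcp_segment(synack, s, c), parse_tcp_segment(ack, c, s)


if __name__ == "__main__":
    for step in handshake_demo():
        print(step["flags"], step["seq"], step["ack"], step["window"], step["options"], step["checksum_ok"])
```

The SYN-ACK acknowledges the client’s initial sequence number plus one, and the final ACK does the same for the server’s; the parsed window and options of the SYN are the values an OS fingerprinter compares against its signature database.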

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is an application-layer protocol which gives networked devices such as routers, servers and printers a common language for sharing information with a network management system, so that devices on a LAN or WAN can be monitored and managed. SNMP runs over UDP: agents listen for queries on port 161 and managers receive traps (unsolicited notifications) on port 162. The protocol’s client/server architecture has three components:

  • The SNMP Manager: acts as the client;
  • The SNMP Agent: acts as the server; and,
  • The Management Information Base (MIB): acts as the server’s database.

When the SNMP Manager asks the Agent a question, the Agent uses the MIB to supply the answer.

If SNMP can be breached, an attacker can gather a large amount of information about your systems, possibly reconfigure devices connected to your network, and, as the NSA ExtraBacon case described later shows, go after the devices that terminate your encrypted VPN traffic.

Background on SNMP

SNMP, part of the Internet Protocol Suite, is designed to:

  • manage computers and network devices; and
  • facilitate the exchange of management information between those devices and a manager.

SNMP is a stateless, datagram-oriented protocol. Stateless means there is no record of previous interactions: each request is handled entirely on the information that arrives with it. Datagram-oriented means each message is a self-contained unit with a header and payload, carried over a connectionless transport (UDP) with no session set up beforehand. One security consequence is that a request with a spoofed source address is still answered, because nothing ties it to an earlier exchange.

SNMP involves one or more administrative computers called managers, which monitor and manage a group of computers. Each of the managed computers has an agent installed that communicates with the manager. Please see the diagram below for a schematic on how SNMP operates.

SNMP Diagram
SNMP communication diagram.

The agent (1 through 6) on the managed computers provides management data to the managing computer (the red box). The manager can undertake management tasks, including modifying and applying new configurations.

The management data exposed by each agent is organised in a database, the Management Information Base or MIB, which describes that device: users, installed software, operating system, open ports, interfaces and more. Collected across the network, all of this can be invaluable to a hacker in exploiting a target.

SNMP requests are sent to UDP port 161 (traps and informs go to port 162) using one of these protocol data units (PDUs). SNMPv1 defines only GetRequest, SetRequest, GetNextRequest, Response (called GetResponse in v1) and Trap; GetBulkRequest and InformRequest were added in SNMPv2:

  1. GetRequest
  2. SetRequest
  3. GetNextRequest
  4. GetBulkRequest
  5. Response
  6. Trap
  7. InformRequest

SNMP Versions

SNMP has three (3) major versions.

SNMPv1 has very poor security. Authentication consists of a “community string”, which functions as a shared password for every node on the network and is sent in cleartext in every message. The read-only community string is set to “public” by default and the read-write string to “private” by default. As a result, an attacker who knows or guesses the public community string can read everything in the MIB, and with the private string can potentially change the configuration of the devices. Although these flaws are well known, SNMPv1 remains widely used. Changing the default strings helps against guessing but not against sniffing: anyone who can see the traffic can read the community string, whatever the administrator set it to.

SNMPv2 improved performance (GetBulkRequest) and proposed a new party-based security model, but that model was complex and not backward compatible with v1 deployments, so it was not widely adopted. What did get adopted is SNMPv2c, the “community” variant, which keeps the v2 protocol operations but falls back to v1-style cleartext community strings and therefore shares all of v1’s weaknesses.

SNMPv3 adds authentication, message integrity and encryption (the “authPriv” security level), boosting its security considerably; it is significantly more secure than either SNMPv1 or SNMPv2c and should be used wherever the devices support it.

In order to better understand the SNMP protocol, let’s take a look at it with Wireshark.

Wireshark Analysis of SNMPv1

Below we can see a Wireshark capture of SNMPv1 communication over a LAN.

Note the Get-Request, Get-Response and Get-Next-Request in the upper window and the community string, readable in cleartext, in the lower window.
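What Wireshark is decoding in that capture, and why the community string is exposed in SNMPv1 and v2c as the version section explains, as an added example (not code from the original article): a hand-written BER encoder builds an SNMPv1 GetRequest for sysDescr.0, and a small decoder pulls the version, community string and requested OID back out of the raw bytes, exactly as a sniffer on the same LAN would. The message is constructed; 1.3.6.1.2.1.1.1.0 is the standard sysDescr OID.

```python
"""Encode and decode SNMPv1 GetRequest messages (BER) without any library."""

SNMP_V1 = 0
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID = 0x30, 0x02, 0x04, 0x05, 0x06
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def ber_length(n: int) -> bytes:
    """Short form below 128; long form is 0x80 | byte count, then the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(value: int) -> bytes:
    """Minimal two's-complement encoding (a leading 0x00 keeps 128..255 positive)."""
    size = (value.bit_length() + 8) // 8
    return tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """First two arcs share one byte (40*x+y); later arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_snmpv1_get(community: str, oid: str, request_id: int = 1, pdu_type: int = 0xA0) -> bytes:
    varbind = tlv(TAG_SEQUENCE, ber_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQUENCE, varbind))
    # version, community, PDU: the community is a plain OCTET STRING, neither hashed nor encrypted
    return tlv(TAG_SEQUENCE, ber_int(SNMP_V1) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element); raises on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length runs past end of message")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_snmpv1(msg: bytes) -> dict:
    """What a sniffer sees: version, community string, PDU type and requested OIDs."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, req_id, pos = read_tlv(pdu, 0)
    _, _err, pos = read_tlv(pdu, pos)
    _, _idx, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_body, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_body))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    msg = build_snmpv1_get("public", "1.3.6.1.2.1.1.1.0", request_id=42)  # sysDescr.0
    print(msg.hex())          # the ASCII bytes of "public" are plainly visible
    print(parse_snmpv1(msg))
```

Sending msg to UDP port 161 of an agent with that community is all an SNMPv1 query is; the hex dump shows the community string bytes in the clear, which is the whole weakness of v1 and v2c.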

Abusing SNMP for Information Gathering

Now that we have a bit of background on the SNMP protocol, let’s use (or rather abuse) it to gather information on our target. Open Kali and go to Applications –> Kali Linux –> Information Gathering –> SNMP Analysis –> snmpcheck as in the screenshot below.

When you do so, you will be greeted by the snmpcheck help screen like below.

Snmpcheck is a Perl script that queries the SNMP MIB of the target IP for information. Its syntax is fairly simple:

kali > snmpcheck -t <target IP>

Of course, some options are available, such as the community string (it uses “public” by default) and the SNMP version (it uses 1 by default; 2 is the other option. Note that it will not work against the more secure SNMPv3), and a few others. We will use it here against a Windows Server 2003 machine on our network to see what information SNMP can provide us about the target.

As you can see in the screenshot below, we ran snmpcheck and it began to gather information from the MIB about the target and display it on our screen. First it gives information about the hardware, then the operating system and uptime (uptime can be very useful for determining whether a system has been rebooted recently, and so whether the patches that need a reboot have actually taken effect).

Next, it displays device information.

Next, storage information.

Then, user accounts (this can be useful later when trying to crack user passwords, as it eliminates the need to guess account names).

Finally, the software installed on the system. This can be particularly useful when we begin to develop an exploitation strategy as exploits are specific to applications and their version.

Cracking SNMP community strings

As you saw in the previous exercise, SNMP can provide us with a significant amount of information about our target, if we can access it. In the previous exercise, we assumed that the admin had left the community string set to “public”. What if the admin was a bit more cautious and security minded and had changed the community string? How can we find the community string?

There is an excellent tool built into Kali named onesixtyone (presumably named after the default port SNMP listens on). In essence, it is an SNMP community string cracker. Like most “password” crackers, it relies upon a dictionary or wordlist, trying each entry against the service until one gets a response.

Let’s open onesixtyone by going to Applications –> Kali Linux –> Information Gathering –>SNMP Analysis –>onesixtyone. It should open a help screen like below.

The syntax of onesixtyone is pretty simple and straightforward:

kali > onesixtyone [options] <host> <community>

where the -c <file> option supplies a list of community strings to try instead of a single one.

Like any dictionary-based password cracker, the dictionary you use with onesixtyone is critical. onesixtyone ships with a built-in dictionary. It’s small, but it contains many of the strings commonly used with SNMP. If you are creating your own dictionary for SNMP cracking, this is a good starting point, but you may want to expand it with variations on the domain name or company name, as network administrators don’t usually put much effort into creating complex community strings. For instance, if the company is Microsoft, you might try strings a lazy admin might use, such as microsoft-public, microsoft-private, microsoft-snmp, microsoft-network, etc.

Let’s take a look at the dictionary file by typing:

kali > cat /usr/share/doc/onesixtyone/dict.txt

As you can see, it includes a short list of widely used SNMP community strings.

In this exercise, we will use this short and simple dictionary to see whether we can find that community string on our network and then use it in snmpcheck to gather all the info on the target.

In our case we will be using it on the same system as before, so our command will be:

kali > onesixtyone 192.168.1.102 -c /usr/share/doc/onesixtyone/dict.txt

As you can see in the screenshot above, it was able to find both the private community string (still set to the default, “private”) and the public community string (still set to the default, “public”). These community strings can then be used with snmpcheck to grab information from the MIB about the target system.
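The wordlist-building advice from the onesixtyone section, as an added example (not code from the original article or from the onesixtyone project): it reads a dict.txt-style list, then expands it with the organisation-name combinations a lazy administrator might pick, keeping the cheap, most likely guesses first because a cracker stops at the first hit. BASE_DICT is a constructed stand-in for Kali’s dict.txt, and the separators and suffixes are this example’s own choices.

```python
"""Expand a base SNMP community-string dictionary with organisation-derived guesses."""

# Constructed sample; the real /usr/share/doc/onesixtyone/dict.txt is longer.
BASE_DICT = """\
public
private
# comment lines and blanks are skipped
community
manager
admin
cisco
"""

SEPARATORS = ("", "-", "_", ".")
SUFFIXES = ("public", "private", "snmp", "network", "ro", "rw", "read", "write")


def load_dict(text: str) -> list:
    """Parse a dict.txt-style list: one string per line, '#' comments and blanks ignored."""
    words = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            words.append(line)
    return words


def candidate_communities(base_words, org_names, case_variants=True) -> list:
    """Base words first, then org-derived combinations, then case variants.

    Order matters because a cracker stops at the first hit, so the cheapest
    guesses go first. Duplicates are dropped while keeping first occurrence.
    """
    seen, out = set(), []

    def add(word: str) -> None:
        if word and word not in seen:
            seen.add(word)
            out.append(word)

    for word in base_words:
        add(word)
    for org in org_names:
        org = org.strip().lower()
        if not org:
            continue
        add(org)
        for sep in SEPARATORS:
            for suffix in SUFFIXES:
                add(f"{org}{sep}{suffix}")
                add(f"{suffix}{sep}{org}")
    if case_variants:
        for word in list(out):          # iterate a copy: add() appends to out
            add(word.capitalize())
            add(word.upper())
    return out


if __name__ == "__main__":
    for guess in candidate_communities(load_dict(BASE_DICT), ["Microsoft"]):
        print(guess)   # redirect to a file and pass it with: onesixtyone -c <file> <host>
```

Keep the expanded list modest: every guess is a UDP datagram to port 161, and a noisy burst against a monitored network is exactly the kind of thing an IDS flags.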

NSA Exploits SNMP to Unmask VPN Communications

Documents released by Edward Snowden showed that the NSA worked on unmasking VPN communications, and the ExtraBacon exploit, which attacks the SNM​P service on Cisco ASA firewalls (the devices that terminate many corporate VPNs), shows SNMP being used as the way in. For a tutorial on the NSA ExtraBacon exploit, see the linked article. Although Cisco has patched this vulnerability, it is likely that the NSA has other SNMP exploits aimed at the same goal.

Conclusion

SNMP can be a rich source of information on a target network if we can access it. snmpcheck pulls the information from the MIB, and onesixtyone helps us crack the SNMP “passwords”. Both can be critical in exploiting SNMP for reconnaissance.
