* Disclaimer
============
Of course I take NO responsibility for actions or damage
caused by this document. All information provided in this tutorial
is for educational purposes ONLY.
* Intro
========
Well, I've written this tutorial because a friend of mine
asked me to. I liked the idea because many people would read it and could
learn something. Maybe I'll write some more tutorials later, but I'm
still reading lots of tutorials and articles myself. So I don't have a lot
of time or knowledge to write really good tutorials, but I'll try to
do my best... (please accept my poor English).
I've written this tutorial especially for newbies who are
interested in networking/security and who don't know much about the
structure and basics of the Internet and its protocols.
If you already have some experience with this subject I
suppose you won't learn much from it. This document explains the
OSI-model only in a VERY basic way, so it's easy to understand for
newbies. If you want to understand the OSI-model completely you'll
have to read some more tutorials, RFCs and books that you can find on
the internet.
Have fun... 8)
* The OSI-model
===============
So, what's the OSI-model? Well, in the past, communication
between computers from different vendors was difficult, because
they used different protocols and data-formats. So the International
Organization for Standardization (ISO) developed a communications
architecture known as the Open Systems Interconnection (OSI) model
that defines standards for linking computers from different vendors.
The OSI model is divided into 7 layers, and the second layer
also contains a few sub-layers (defined by the Institute of
Electrical and Electronics Engineers (IEEE), which I won't discuss in
this tutorial). Have a look at the following table:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
. 7th layer: Application   .> Services             .
. 6th layer: Presentation  .> Services             .
. 5th layer: Session       .> Communication        .
. 4th layer: Transport     .> Communication        .
. 3rd layer: Network       .> Communication        .
. 2nd layer: Data-link     .> Physical connections .
. 1st layer: Physical      .> Physical connections .
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
The layers are defined in such a manner that changes in
one layer do not require changes in the other layers. The higher
layers (5, 6 and 7) are 'smarter' than the lower layers: they deal
with the meaning of the data (services for applications, data-formats,
the dialogue between two programs), while the lower layers only have
to move bits, frames and packets from one machine to another without
caring what's inside. So there is a huge difference between the
Physical layer and the Application layer. Maybe this isn't clear, but
you'll (hopefully) understand what I mean after you've read the whole
document. A request, generated at the top (the Application layer),
travels down six layers to the bottom, the Physical layer; every layer
puts its own header in front of the data it got from the layer above
(this is called encapsulation), and the receiving host strips these
headers off again, layer by layer, on the way up. Maybe you'll think:
"Why are there different layers?" Well, the answer is quite simple:
each layer has its own task(s) to perform. Let's have a look at the
physical layer first:
* The Physical layer (1)
========================
This is the simplest layer; it only has to deal with the
electrical (and optical) connections between devices. Binary data is
encoded into signals suitable for transmission over the network
medium. For example wires, cables, transceivers & connectors all
belong to the Physical layer. Devices like repeaters and hubs also
work at this layer (a network card does the Physical layer work too,
but its MAC address and the framing it does belong to layer 2).
* The Data-link layer (2)
=========================
This layer is a little bit "smarter" than the physical
layer, because it handles the transfer of data between two devices
on the same network segment. As the interface between the network
medium and the higher-level protocols and layers, the data link
layer is responsible for the final packaging of the upper-level data
into discrete frames (blocks of data) before it goes to the physical
layer. A frame carries the hardware (MAC) addresses of sender and
receiver and a checksum (FCS), so damaged frames can be detected and
thrown away; whether a lost frame is sent again is up to the higher
layers (Ethernet itself doesn't retransmit). Ethernet (IEEE 802.3,
with the 802.2 LLC sub-layer on top of it), Token Bus (802.4) and
Token Ring (802.5) are protocols at the Data-link layer.
* The Network layer (3)
=======================
The primary task of the network layer is to provide the
routing functionality by which packets can be sent across the
boundaries of the local network segment to a destination that may be
located on an adjacent network or one thousands of miles away.
IP, the Internet Protocol, is mostly used for this task. Another
protocol at the Network layer is IPX, Internetwork Packet eXchange.
Novell developed this protocol and some others too, like SPX
(Sequenced Packet eXchange, a transport protocol) & NCP (NetWare Core
Protocol); these protocols are part of the NetWare operating system.
A few functions that take place at the network layer:
- Logical addressing (IP addresses) and choosing the next hop for
every packet
- The division of packets that are too big for a link into smaller
fragments (and reassembly at the destination)
- Error detection on the packet header (the IP header checksum)
- A hop limit (TTL) so that packets can't circle around forever
Note that retransmission of lost packets and flow control are NOT
done by IP; that's the job of the Transport layer (TCP).
* The Transport layer (4)
=========================
Well, this layer transports data between programs on the end
hosts, using protocols like UDP, TCP and/or SPX (Sequenced Packet
eXchange, this one is also used by NetWare, but in contrast to IPX
it's connection-oriented). The Transport layer is the centre of the
OSI-model. This layer provides transfer of data between end points
and addresses the programs on a host with port numbers (multiplexing).
A connection-oriented transport protocol like TCP also provides
reliable, transparent transfer: flow control, error checking and
recovery by retransmission. A connectionless one like UDP only
provides ports and a checksum.
* The TCP/IP protocol-suite and a few other protocols
=====================================================
Before I go on with the fifth layer in the OSI-model, I
want to explain something about the most common protocols at this
moment: TCP/IP. If you already know the basics of TCP/IP it's
advisable to skip this part and read on about the session
layer.
* TCP/IP
========
TCP stands for 'Transmission Control Protocol' and almost
all computers support this protocol. TCP is
connection-based, that means it establishes a connection
between two computers and transfers the data between the two hosts,
in order and without gaps. What TCP hands to IP is called a segment;
it consists of a TCP header and the data. The IP packet that carries
it has its own header in front. In the headers you'll find
important information:
TCP Header:
- Source Port
- Destination Port
- Sequence number
- Acknowledgement number
- Header Length (standard 20 bytes, more if options are present)
- Flags (SYN, ACK, PSH, FIN, RST, URG)
- Window size
- Checksum (calculated over the header, the data and a
'pseudo-header' containing the IP addresses)
- Urgent pointer
IP Header:
- Version (4 for IP_v4, 6 for IP_v6)
- Header Length (standard 20 bytes)
- DSF (Differentiated Services Field, formerly Type of Service)
- Total Length
- Identification
- Flags (Don't Fragment / More Fragments)
- Fragment Offset
- TTL (Time To Live)
- Protocol (in this case 6 = TCP)
- Header checksum
- Source IP
- Destination IP
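To see the encapsulation from the OSI section and the two header
layouts above in action, here is an added example (my own code, not
part of the original tutorial): it builds a TCP segment, wraps it in
an IP packet and then in an Ethernet frame, exactly the way the stack
does on the sending host, and then decapsulates the frame again on the
'receiving' side, checking the IP header checksum and the TCP checksum
(with its pseudo-header). The MAC addresses, IP addresses and ports are
made-up sample values; the Ethernet FCS is left out because the network
card adds that one itself.

```python
import struct

# Constructed sample values for this example (not from the tutorial).
SRC_MAC, DST_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"   # RFC 5737 documentation ranges
SYN, ACK, PSH = 0x02, 0x10, 0x08                  # TCP flag bits

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def checksum(data):
    """RFC 1071 one's-complement sum, as used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"                           # pad an odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                            # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp(src_port, dst_port, seq, ack, flags, payload, src_ip, dst_ip):
    """Layer 4: 20-byte TCP header (no options) + data; the checksum also
    covers a pseudo-header with the IP addresses, protocol and length."""
    offset_flags = (5 << 12) | flags              # data offset = 5 words = 20 bytes
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      offset_flags, 65535, 0, 0)  # window, checksum=0, urgent ptr
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_ipv4(src_ip, dst_ip, proto, payload, ttl=64):
    """Layer 3: IPv4 header in the field order listed above (version/IHL,
    DSF, total length, id, flags+fragment offset, TTL, protocol, checksum, addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))  # 0x4000 = DF set
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def build_ethernet(dst_mac, src_mac, ethertype, payload):
    """Layer 2: 14-byte Ethernet II header (the FCS trailer is added by the NIC)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload

def build_frame(flags=SYN, payload=b"", seq=1000, ack=0):
    """Encapsulate top-down: TCP segment -> IP packet -> Ethernet frame."""
    tcp = build_tcp(40000, 80, seq, ack, flags, payload, SRC_IP, DST_IP)
    return build_ethernet(DST_MAC, SRC_MAC, 0x0800, build_ipv4(SRC_IP, DST_IP, 6, tcp))

def decapsulate(frame):
    """Walk back up the stack on the receiving side: strip Ethernet, then IP,
    then TCP, verifying both checksums (a valid header sums to zero)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    seg = ip[ihl:total_len]
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(seg))
    return {
        "ethertype": ethertype, "ttl": ip[8], "proto": proto,
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "src": (".".join(str(b) for b in ip[12:16]), src_port),
        "dst": (".".join(str(b) for b in ip[16:20]), dst_port),
        "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
        "tcp_checksum_ok": checksum(pseudo + seg) == 0,
        "payload": seg[(off_flags >> 12) * 4:],
    }

if __name__ == "__main__":
    print(decapsulate(build_frame()))
    print(decapsulate(build_frame(PSH | ACK, b"GET / HTTP/1.0\r\n\r\n", seq=1001, ack=5001)))
```

Run it and compare the printed dictionary with the header lists above;
flip one byte of the frame (for example the TTL) and `ip_checksum_ok`
turns False, which is exactly what a router does when it rejects a
corrupted header.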
If you want to know how a connection is established, please
read on...
First a packet with the SYN-flag has to be sent to the
destination IP; the destination will respond with a packet that has
both the SYN and the ACK flag set (a SYN/ACK) or with a packet with
the RST-flag. I'll explain: SYN stands for SYN-(chronisation), so
it's used to 'ask' the destination computer to establish a
connection; when it's accepted, the destination replies with a
SYN/ACK. ACK stands for ACK-(nowledgement). After receiving the
SYN/ACK, the first computer sends back an ACK to tell the other host
the connection is established. This is what we call the
'Three-Way-Handshake'. If the connection is established and one of
the two hosts wants to disconnect, it sends a packet with the
FIN-flag set (FIN stands for FINish); the other side acknowledges it
and later sends a FIN of its own, which is acknowledged in turn.
These tables will make this (hopefully) a bit clearer:
Computer A                 Computer B
==========                 ==========
1) SYN      -->
2)          <-- SYN/ACK
3) ACK      -->
YES, there's a connection established!
4) FIN      -->
5)          <-- ACK
6)          <-- FIN
7) ACK      -->
Now the connection is closed and the data-transfer(s) are
terminated. (A RST instead of a FIN also ends a connection, but
abruptly: whatever data was still in transit is thrown away.)
Computer A                 Computer B
==========                 ==========
1) SYN      -->
2)          <-- RST
Shit... "Computer B" didn't want to be connected to
"Computer A!" (nothing is listening on that port). Note there is no
step 3 here: after a RST Computer A gives up and sends nothing back.
If Computer B is running a firewall that simply drops the SYN,
Computer A gets no answer at all; it will retransmit the SYN a few
times and then time out.
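The three exchanges above (handshake, orderly close, refused
connection) as a small model, an added example of mine and not code
from the tutorial: each Endpoint only knows the TCP states that matter
here, and the server side can be 'open' (answers SYN/ACK), 'closed'
(answers RST) or 'filtered' (a firewall drops the SYN and nothing
comes back), which are the three cases the tables distinguish. The
host names are made up.

```python
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"

class Endpoint:
    """One TCP endpoint. `port` says what this side does with a SYN:
    'open' = SYN/ACK, 'closed' = RST, 'filtered' = silently dropped."""

    def __init__(self, name, port="open"):
        self.name = name
        self.port = port
        self.state = "LISTEN" if port == "open" else "CLOSED"

    def receive(self, flags):
        """Handle one incoming segment; return the flags to send back, or None."""
        if flags == {SYN}:
            if self.port == "filtered":
                return None                  # dropped by a firewall: client sees nothing
            if self.port == "closed":
                return {RST, ACK}            # refused: a RST, and nothing follows
            self.state = "SYN_RCVD"
            return {SYN, ACK}                # step 2 of the handshake
        if flags == {SYN, ACK} and self.state == "SYN_SENT":
            self.state = "ESTABLISHED"
            return {ACK}                     # step 3 of the handshake
        if flags == {RST, ACK} and self.state == "SYN_SENT":
            self.state = "CLOSED"            # connect() fails: connection refused
            return None
        if flags == {ACK} and self.state == "SYN_RCVD":
            self.state = "ESTABLISHED"
            return None
        if flags == {FIN, ACK} and self.state == "ESTABLISHED":
            self.state = "CLOSE_WAIT"        # passive close: ACK the FIN now, own FIN later
            return {ACK}
        if flags == {ACK} and self.state == "FIN_WAIT_1":
            self.state = "FIN_WAIT_2"
            return None
        if flags == {FIN, ACK} and self.state == "FIN_WAIT_2":
            self.state = "TIME_WAIT"         # both directions closed
            return {ACK}
        if flags == {ACK} and self.state == "LAST_ACK":
            self.state = "CLOSED"
            return None
        return None

def exchange(sender, receiver, flags):
    """Bounce segments between the two hosts until one side stays silent;
    return the trace as (from, to, flags) tuples."""
    trace = []
    while flags is not None:
        trace.append((sender.name, receiver.name, tuple(sorted(flags))))
        flags = receiver.receive(flags)
        sender, receiver = receiver, sender
    return trace

def connect(client, server):
    """Active open by `client`: the three-way handshake (or a refusal / timeout)."""
    client.state = "SYN_SENT"
    return exchange(client, server, {SYN})

def close(a, b):
    """Orderly close started by a: FIN, ACK, then b's own FIN and the final ACK."""
    a.state = "FIN_WAIT_1"
    trace = exchange(a, b, {FIN, ACK})
    b.state = "LAST_ACK"                     # b's application closes too
    return trace + exchange(b, a, {FIN, ACK})

if __name__ == "__main__":
    a, b = Endpoint("A"), Endpoint("B", "open")
    for step in connect(a, b) + close(a, b):
        print(step)
    for step in connect(Endpoint("A"), Endpoint("B", "closed")):
        print(step)
    print(connect(Endpoint("A"), Endpoint("B", "filtered")))
```

The refused case produces exactly two segments and the client ends up
CLOSED; the filtered case produces one segment and the client is stuck
in SYN_SENT, which in real life means retransmissions and a timeout.
That difference between RST and silence is what a port scanner uses to
tell a closed port from a firewalled one.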
There are a few well-known attacks against TCP/IP:
SYN-floods and sequence-number attacks (TCP), teardrop (IP
fragmentation), Smurf-attacks (ICMP) & etc.
For more information check http://neworder.box.sk/ and
http://packetstorm.securify.com/
All right, IP is the abbreviation of Internet Protocol.
Look at the example above: if "Computer A" sends a packet to
"Computer B" the IPs of both computers are mentioned in the
IP-header of the packet, the destination IP (of computer B) and the
source IP (of computer A). The routers between the two hosts look at
the destination IP in the IP-header and forward the packet to the
next hop towards that network. If an error occurs while a packet is
travelling over the (inter)network, for example the destination host
is unreachable or the TTL runs out, ICMP (Internet Control Message
Protocol) is used to send an error message back to the source, so the
sender (or its transport protocol) can decide what to do; ICMP itself
doesn't retransmit anything. The programs 'ping' (ICMP echo request
and echo reply) and traceroute (which relies on the ICMP 'time
exceeded' messages routers send back when the TTL runs out) use ICMP
messages to detect the status of hosts in other segments.
Currently IP_v4 is standard, but in the future IP_v6, also
called IP_ng (next generation), will be used. IP_v4 is based on
32-bit addressing, while IP_v6 uses 128-bit addressing.
That's a huge difference, so there are many more IP-addresses
available when using IP_v6. The IP_v6 header is a simplification of
the IP_v4 header (fixed size, no header checksum), but it can be
extended with so-called extension headers (so new features can be
added).
* Other important protocols
===========================
I've discussed two well known protocols, the Internet Protocol
and the Transmission Control Protocol. Let's have a look at a few
other protocols (NOTE: they're not all in the TCP/IP-suite):
* UDP, User Datagram Protocol, is in contrast to TCP
connectionless. This means a packet (datagram) is just sent on its
way and reaches the other computer without a connection being
established first. A datagram can get lost, duplicated or arrive out
of order on its way to the destination, and because there are no
acknowledgements and no retransmissions nobody notices, so UDP is
unreliable. UDP has much less overhead than TCP (no handshake, an
8-byte header), so it's used where speed matters more than
reliability.
* FTP (File Transfer Protocol), you probably already know
about this one... It is used to upload and download files. Security
is handled by requiring the user to specify a user name and password
at the daemon (sometimes anonymous login is allowed), but they travel
in plain text, so you can use a packetsniffer to obtain the usernames
and passwords. An FTP daemon listens standard at 21/TCP (the control
connection); in active mode the data travels over a second connection
that the server opens from 20/TCP.
* HTTP, HyperText Transfer Protocol. HTTP is used to view
web pages; in the past a protocol named Gopher was used. Gopher
can't be used to show nice graphics, only text menus. So HTTP was
developed and it's used by almost everybody. An HTTP daemon listens
standard at 80/TCP.
* SMTP, Simple Mail Transfer Protocol, is used to send
electronic mail (E-mail). Read the sendmail-tutorial at
http://blacksun.box.sk/ and you will learn a lot more about this
protocol. An SMTP daemon (e.g. Sendmail) listens standard at 25/TCP.
* POP, Post Office Protocol. Nowadays POP3 is the most
common version. POP is used by a mail client to fetch e-mail from
the mailbox on a mail server. A POP3 daemon listens standard at
110/TCP.
* DHCP: Dynamic Host Configuration Protocol. If you've got
a Cable-connection (or any network where the addresses aren't set by
hand) you use DHCP to get your IP address, netmask, gateway and DNS
servers from a DHCP server, e.g. your ISP's. The server listens at
67/UDP and the client at 68/UDP.
* OSPF (Open Shortest Path First) & RIP (Routing
Information Protocol) are routing protocols: routers use them to tell
each other which networks they can reach and to determine the best
route.
* BOOTP is a protocol used by a network node to determine
the IP address of its Ethernet interface, in order to boot over the
network (DHCP is built on top of it). The server standard listens at
67/UDP.
* ARP & RARP: Address Resolution Protocol. I'll explain
this with an example: If you want to send data to a host on your LAN
you know its IP, but the Ethernet frame needs its MAC-address (Media
Access Control, Ethernet-address). So your computer broadcasts an ARP
request on the segment ("who has IP x.x.x.x? tell me"), and the host
that owns that IP replies with its MAC-address. That's ARP; the
answers are kept in an ARP cache for a while, so not every packet
needs a request. The other way round, if you have the MAC-address of
a host (your own, for example, on a diskless machine) and you want to
know its IP, you can use RARP (Reverse Address Resolution Protocol),
which asks a RARP server. Note: ARP has no authentication at all, any
host on the segment can answer (or send 'replies' nobody asked for)
and the others will believe it.
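The ARP exchange as bytes on the wire, as an added example of mine
(not from the tutorial): build the broadcast request, let the owner of
the IP answer with a unicast reply, and decode both frames. The
sample MAC and IP addresses and the little 'LAN' dictionary are made
up; the packet layout (hardware type 1 = Ethernet, protocol 0x0800 =
IPv4, operation 1 = request, 2 = reply) is the real one.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """ARP packet inside an Ethernet frame. A request goes to the
    broadcast MAC (everybody on the segment sees it); a reply goes
    straight back to the asking host."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # hw type, proto, hlen, plen, op
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    return mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp

def parse_arp(frame):
    """Decode an Ethernet frame carrying ARP into a dictionary."""
    eth_dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    sha, spa = body[:hlen], body[hlen:hlen + plen]
    tha = body[hlen + plen:2 * hlen + plen]
    tpa = body[2 * hlen + plen:2 * hlen + 2 * plen]
    return {
        "op": "request" if op == ARP_REQUEST else "reply",
        "eth_dst": mac_str(eth_dst),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }

def resolve(my_mac, my_ip, target_ip, lan):
    """Simulate one resolution on a segment. `lan` maps IP -> MAC for the
    hosts present (constructed for the example). Returns the decoded
    request and the list of decoded replies (empty if nobody owns the IP)."""
    request = build_arp(ARP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", target_ip)
    q = parse_arp(request)                     # every host on the LAN decodes the broadcast
    replies = []
    for ip, mac in lan.items():
        if ip == q["target_ip"]:               # only the owner of the address answers
            replies.append(parse_arp(build_arp(ARP_REPLY, mac, ip, q["sender_mac"], q["sender_ip"])))
    return q, replies

if __name__ == "__main__":
    # Constructed sample LAN (documentation range, RFC 5737).
    lan = {"192.0.2.1": "00:11:22:33:44:01", "192.0.2.20": "00:11:22:33:44:20"}
    print(resolve("00:11:22:33:44:0a", "192.0.2.10", "192.0.2.20", lan))
```

Notice that the reply is not checked against anything: the asking
host simply trusts whoever answers, which is why the note above says
ARP has no authentication.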
* Telnet (Network terminal protocol) is used for remote
logins at computers (usually UNIX-based boxes). Telnet sends the
usernames and passwords in plain text over the network, so anybody
can obtain them very easily by using a packetsniffer. There's a
protocol called SSH (Secure SHell) which is also used for remote
logins but it is more secure: the data transferred between the two
hosts is encrypted, so the sniffed packets won't reveal any valuable
information. Telnet and SSH are usually used in a UNIX-environment.
A telnet daemon listens standard at 23/TCP and an SSH daemon listens
standard at 22/TCP.
* A typical protocol on UNIX-based systems is finger;
nowadays you won't find many boxes with a finger daemon running,
standard listening at 79/TCP. It gives valuable information
away (like account-names, and maybe phone numbers which could be
used in Social-Engineering attacks). There have been a lot of
vulnerabilities in finger daemons, so it's very insecure.
Holy shit, this tutorial was about the OSI-model, let's go
on quickly with the Session layer...
* The Session layer (5)
=======================
The Session layer, because of its name, is often thought
(mistakenly) to be concerned with the network logon procedure and
related matters of security. This layer provides services to the
upper two layers: it sets up, co-ordinates and tears down the
dialogue (session) between Presentation layer entities on the two
hosts. A few protocols at this layer:
NETBIOS: A session interface and protocol, developed for
IBM, which also provides services to the presentation and
application layers.
NETBEUI (NETBIOS Extended User Interface), an extension of
NETBIOS used in Microsoft networking products, such as Windows NT
and LAN Manager.
ADSP (AppleTalk Data Stream Protocol).
PAP (Printer Access Protocol), provides PostScript printer
access on AppleTalk networks.
* The Presentation layer (6)
============================
The Presentation layer of the OSI model takes care of the
syntax of the data: the translation between the different data
formats the two systems use. For example, a connection between a PC
and a mainframe may require a conversion from the EBCDIC
character-encoding format to ASCII, and many other factors may have
to be considered as well. Data compression (and possibly encryption)
is also handled by this layer.
* And finally: The Application layer (7)
========================================
This layer is the 'smartest'; gateways reside at this
layer. A gateway connects networks just like a router does, but there's
a difference between them (look at the following section for more
information about this). The Application layer is the primary
interface between the application running on a computer and any
network resources it requires access to. The Application layer is
the only layer a user will (indirectly) operate at; protocols like
FTP, telnet, SMTP, HTTP and POP3 reside at this Application layer.
* Routers and Gateways
======================
The difference between routers and gateways is easy to
understand when you know something about the OSI-model, and you know
about it because you have read the sections above very carefully,
didn't you?... :)
Well, as I told you a gateway works at the Application layer,
while a router only works at the Network layer (it looks at the IP
header and nothing above it). This means that a router is faster than
a gateway, because a gateway also has to process the protocols at the
Transport, Session, Presentation and Application layers before it can
pass anything on. Hmm, let me make it a bit clearer with a (stupid)
example:
There are two boys doing their homework: the first boy has
only English to learn, while the second boy has English and
chemistry to learn. The first boy finishes his homework faster
because he didn't have to do chemistry, but the second boy will be
smarter because he did English AND chemistry, so he knows things
that the first boy doesn't know.
Do you understand me? The first boy can be compared with
a router (which is faster) while the second boy can be compared
with a gateway (which is 'smarter'). Read the example above again if
you don't understand it...
* Final words
=============
Well, I hope you enjoyed my (first) tutorial about
networking. This tutorial didn't explain the OSI-model (and
TCP/IP) completely but it has given you a basic understanding. I'll
update this tutorial in the future. As I said in the Intro: maybe
I'll write some more tutorials later, so check regularly the website
where you downloaded this article. If you have a GOOD question,
comment, or you want to marry me, feel free to send me a mail:
shaolin123@hotmail.com
I'll try to answer all serious mails...
Greetz to: r00t, NederWiet, ThaMan, DarkWhite, IzNoGood,
TheZodiac, pi0d, Nakebod, Reflex and all the others...
Special thanks to: r00t, without him I probably wouldn't
have written this tutorial, the lectures he gave about networking
were great and I learned very much. He and NederWiet are the best
hackers I know..!! ;)
Some (nice) sites with information about hacking, security
and networking:
And remember: KNOWLEDGE IS POWER!!
Credits:
This tutorial is written by PØØL + Edited By Rek
OSI Model v 1.02, (C) POOL 2001