To become a proficient hacker, forensic investigator, or simply a good network engineer, you should understand the structure and anatomy of these protocols. From my experience, many professionals in these fields do not understand the basics of TCP/IP, which means that you will have an advantage over them if you do understand TCP/IP.
When trying to create a new hacking tool or investigate a network attack, understanding these protocols and their fields is essential. Otherwise, you will merely be wasting your time.
What Are Protocols?
Protocols are simply agreed-upon ways to communicate. For instance, we here on Null Byte have agreed upon the English language with all its rules and grammar as our way to communicate. That is our protocol. If we did not have an agreed-upon way to communicate, people would be using many languages, grammar, and rules, and none of us would understand each other.
Protocols are similar. A protocol defines a way of communication with all its rules. These rules are usually defined by an RFC (Request for Comments).
There are many, many protocols in use on the internet. These include TCP, IP, UDP, FTP, HTTP, SMTP, etc., and each has its own set of rules that must be complied with in order to communicate effectively (similar to the rules we use in communication via written languages). Probably the two most important protocols for use over the internet are IP and TCP, so let's take a look at each of these.
IP (Internet Protocol)
IP, or Internet Protocol, is the protocol that defines the source and destination IP addresses of a packet as it traverses the internet. It is often used in conjunction with other protocols such as TCP, hence the commonly used pairing, TCP/IP.
Let's take a look at an IP packet header and see what information it contains that can be useful to the aspiring hacker and/or forensic investigator.
- Version: This defines the version of IP, either v4 or v6.
- IHL (Internet Header Length): Defines the length of the header.
- Type of Service (TOS): This defines the type of service of this packet. These include minimize delay, maximize throughput, maximize reliability, and minimize monetary cost.
- Identification: This field uniquely identifies each packet. It can be critical in reassembling fragmented packets.
- IP Flags: This field defines whether more fragments follow (MF) or the packet must not be fragmented (DF). Manipulating this field can be used to evade IDS and firewalls. Check out my tutorials on Nmap and Hping3 on how we can manipulate packets to evade intrusion detection systems and other security devices. It can also be used in conjunction with the Window field to identify the operating system of the sender.
- Fragment Offset: This field is used when packets are fragmented. It defines where this fragment belongs, counted from the beginning of the IP header, so that the packets can be reassembled.
- TTL: This is the "time to live." It defines how many hops across the internet the packet may take before it expires. The initial value varies by operating system, making it useful for identifying the OS of the sender.
- Protocol: This field defines what protocol is carried by IP. Most often it will be 6 for TCP; other common values are 1 for ICMP and 17 for UDP.
- Header Checksum: This is an error-checking field. The checksum (a simple algorithm) is calculated over the header to determine the integrity of the data in the header.
- Source / Destination: These rows of the IP header are probably the most important part of the header, as they contain the source and destination IP addresses.
- Options: This field is variable length, and its use is optional (as you might expect).
- Padding: This field is used to fill out, if necessary, the remaining bits and bytes of the header.
TCP (Transmission Control Protocol)
In the TCP header, there are numerous critical fields that the aspiring hacker and forensic investigator should understand.
- Source Port / Destination Port: Probably most importantly, these are the source port and destination port. These fields determine what port the communication came from and where it is going.
- Sequence Number: The sequence number is generated by the source machine's TCP stack and is used to make certain that packets are arranged in the proper sequence when they arrive. It is also important in defeating MitM attacks.
- Acknowledgment Number: This is an echo of the Sequence Number sent back by the receiving system. It basically says, "I received the packet with the Sequence #." In this way, the sender knows that the packet arrived. If the sender does not receive an Acknowledgment Number back in a fixed amount of time, it will resend the packet to make certain the receiver gets the packet. In this way, TCP is reliable (for instance, UDP does not do this and is therefore unreliable).
The fourth row has some critical information. Let's skip over the Data Offset and the Reserved fields. That takes us to 8 bits near the middle of Row 4. These are the infamous flags of the three-way handshake and Nmap scans. The first two bits, CWR and ECE, are beyond the scope of this lesson. The next six bits are the URG, ACK, PSH, RST, SYN, and FIN flags. These flags are used by TCP to communicate:
- SYN: The opening of a new connection.
- FIN: The normal, soft closing of a connection.
- ACK: The acknowledgment of a packet. All packets after the three-way handshake should have this bit set.
- RST: The hard close of a connection, usually used to communicate that the packet has arrived at the wrong port or IP.
- URG: This flag indicates that the following data is urgent.
- PSH: Push the data past the buffer to the application.
- Window Size: In some diagrams, this is simply described as the Window field. Its role is to communicate the size of the window that the TCP stack has available to buffer packets. This is the way that TCP manages flow control. From a recon or forensics perspective, this field alone can be enough to identify the OS that sent the packet. This field varies from OS to OS and even from SP to SP. Given this bit of information, one can predict with about 80% accuracy the OS that sent the packet. In fact, it is this field and a few others (DF and TTL in the IP header) that operating system fingerprinters such as p0f use to identify the OS.
- Checksum: This field uses a simple algorithm to check for errors. In essence, it is an integrity checker.
- URG Pointer: This field points to the last byte of the sequence number of urgent data. The URG flag must be set in conjunction with it for this field to take effect.
- Options: Like the IP header, the TCP header has an options field that can be used if necessary, and it is of variable length.
- Padding: The padding is necessary to bring the TCP header to a multiple of 32 bits.
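As an added example that is not part of the original article, here is a small Python parser that decodes a constructed IPv4 header plus TCP SYN header into the fields walked through in both sections above (IP flags, fragment offset, TTL, protocol, header checksum; TCP ports, sequence number, flags, window), which are the same fields a fingerprinter such as p0f reads. The packet bytes are constructed for this example, not taken from a capture.

```python
import struct

# Constructed sample (not a real capture): a 20-byte IPv4 header followed by a
# 20-byte TCP SYN, 10.0.0.5:40000 -> 10.0.0.9:80, TTL 64, DF set, window 65535.
SAMPLE_PACKET = bytes.fromhex(
    "4500 0028 1c46 4000 4006 0a7d 0a00 0005 0a00 0009"   # IPv4 header
    "9c40 0050 1a2b 3c4d 0000 0000 5002 ffff 0000 0000"   # TCP header
)

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bits 0..7

def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, then complemented."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 fields listed above (options are skipped via IHL)."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # IHL is in 32-bit words
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset field counts 8-byte units
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,  # a valid header sums to zero
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def parse_tcp(segment: bytes) -> dict:
    """Decode fixed TCP fields; its checksum needs the pseudo-header, so it is not verified."""
    sport, dport, seq, ack, off_flags, window, csum, urg = \
        struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # also in 32-bit words
        "flags": [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)],
        "window": window, "checksum": csum, "urg_pointer": urg,
    }

def parse_packet(packet: bytes) -> tuple:
    ip = parse_ipv4(packet)
    tcp = parse_tcp(packet[ip["ihl"]:]) if ip["protocol"] == 6 else None
    return ip, tcp

IP_HDR, TCP_HDR = parse_packet(SAMPLE_PACKET)   # print() either dict to inspect the fields
```

Changing the TTL, DF bit or window bytes in SAMPLE_PACKET and re-parsing shows exactly which values a fingerprinter compares, and why a tampered header fails the checksum check.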
If you have any questions on these basics of TCP/IP, ask in the comments below, and we'll try and help you understand better.