IS 432 Lecture Review: More TCP Packet Hell

So this evening’s class was a continuation of last week’s: starting to dig into manually inspecting packet headers (TCP, UDP, ICMP, etc.). Tonight was mainly on TCP. As an example, we’re looking at things like:

4500 003c 1c46 4000 4006 b1e6 ac10 0a63 ac10 0a0c

And figuring out what all the parts mean and whether the traffic is ‘normal’ or malicious. (This header example, by the way, is an IP header pulled from thegeekstuff.com, found here.)

I’ll admit I was hung up on bits, bytes, and how one character is a nibble. I guess my mind wasn’t in hex mode. In the above example, the first character in the sequence, a 4, represents the IP version. However, look at any IP header cheat sheet (this one, for example) and the IP Version field is 4 bits long. But it’s one character. One character = 1 bit!!! Oh… but it’s hex. So yes, one hex character does equal 4 bits.

Now that my first hangup is settled, I need to work on the speed at which I map characters to their respective header fields. I found lots of cheat sheets but I’m actually making my own, a paper ‘form’ I can fill out when the professor hands us a 20-byte header and wants answers quick. I know this method isn’t practical when dealing with streams of data, but at least it’ll help during lectures when we’re only given one or two headers at a time to deconstruct.

So Andrew, what have I learned today?

  1. Apparently my mind is stuck in binary mode
  2. When talking hex, one hex character equals 4 bits, also known as a nibble
  3. TCP headers must be a minimum of 20 bytes. Otherwise something is terribly wrong
  4. I need to review how to manually calculate the checksum
  5. With ICMP packets I only need to worry about the type and code
  6. Type and code? are converted into binary to determine?
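Here is the header above run through a parser, as an added example (my own code written after class, not from the lecture or from thegeekstuff.com). It splits the 20-byte IPv4 header into its fields, recomputes the header checksum the way item 4 asks for, and flags the things we were told to look for: an IHL under 5, a total length shorter than the header, a checksum that does not verify. Python’s struct module does the byte splitting; the only hand-work is the one’s-complement sum.

```python
import struct
from dataclasses import dataclass
from typing import List

# The header from the lecture (the thegeekstuff.com example). Every hex
# character is one nibble (4 bits), so two characters make one byte and
# these 40 characters are the 20-byte minimum IPv4 header.
HEADER_HEX = "4500 003c 1c46 4000 4006 b1e6 ac10 0a63 ac10 0a0c"


def hex_to_bytes(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: add the data as 16-bit words, fold the carries
    back into the low 16 bits, then take the one's complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header_checksum(header: bytes) -> int:
    """Recompute the header checksum the way the sender did: with the
    checksum field (bytes 10-11) treated as zero."""
    return ones_complement_checksum(header[:10] + b"\x00\x00" + header[12:])


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words (5 == 20 bytes)
    tos: int
    total_length: int     # header + payload, in bytes
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int  # in 8-byte units
    ttl: int
    protocol: int         # 1 ICMP, 6 TCP, 17 UDP
    checksum: int
    src: str
    dst: str


def parse_ipv4(raw: bytes) -> IPv4Header:
    """Split the fixed 20-byte part of an IPv4 header into its fields."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes, got %d" % len(raw))
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    flags = flags_frag >> 13              # top 3 bits: reserved, DF, MF
    return IPv4Header(
        version=ver_ihl >> 4,             # high nibble of the first byte
        ihl=ver_ihl & 0x0F,               # low nibble
        tos=tos,
        total_length=total_len,
        identification=ident,
        dont_fragment=bool(flags & 0b010),
        more_fragments=bool(flags & 0b001),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl,
        protocol=proto,
        checksum=csum,
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
    )


def check_ipv4(raw: bytes) -> List[str]:
    """The sanity checks done by hand in class. An empty list means the
    header is self-consistent; otherwise each string says what is off."""
    problems = []
    if len(raw) < 20:
        return ["only %d bytes: below the 20-byte minimum header" % len(raw)]
    h = parse_ipv4(raw)
    if h.version != 4:
        problems.append("version is %d, not 4" % h.version)
    if h.ihl < 5:
        problems.append("IHL %d means a %d-byte header, below the 20-byte minimum"
                        % (h.ihl, h.ihl * 4))
    elif len(raw) < h.ihl * 4:
        problems.append("IHL says %d bytes but only %d captured" % (h.ihl * 4, len(raw)))
    if h.total_length < max(h.ihl, 5) * 4:
        problems.append("total length %d is shorter than the header" % h.total_length)
    if h.dont_fragment and (h.more_fragments or h.fragment_offset):
        problems.append("DF set but the packet claims to be a fragment")
    if h.ihl >= 5 and len(raw) >= h.ihl * 4:
        expected = ipv4_header_checksum(raw[:h.ihl * 4])
        if expected != h.checksum:
            problems.append("checksum 0x%04x does not match computed 0x%04x"
                            % (h.checksum, expected))
    return problems


if __name__ == "__main__":
    raw = hex_to_bytes(HEADER_HEX)
    print(parse_ipv4(raw))
    print("computed checksum 0x%04x" % ipv4_header_checksum(raw))
    print("problems:", check_ipv4(raw) or "none")
```

For this header the parser reports version 4, IHL 5, total length 60, TTL 64, protocol 6 (TCP), DF set, 172.16.10.99 to 172.16.10.12, and the recomputed checksum comes out to 0xb1e6, matching the sixth word. Flip a single byte (the TTL, say) and the checksum check is the first thing to complain.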

Hardening Windows 10: A Personal Project

It’s that time again: I need to blow away my old computer, reconfigure its RAID, and start with a fresh install of Windows. Since I’m coming from Windows 7, I wanted to move to 10 in the “right” way. Given its controversies, the “right” way involves a heavy dose of security.

My goal is to create a reasonably secure version of Windows 10 using the CIA triad as the basis for its configuration. The target audience for this series is fellow power users (read: geeks) like me: gamers, sysadmins, etc. The scope is being kept to Windows 10 Professional. Even though I live and die by Microsoft AppLocker (found only in Windows 10 Enterprise), I want this project to apply to as many users as possible.

So, the CIA triad, huh? It stands for Confidentiality, Integrity, and Availability. And computer security is always a balancing act, moving between these three pillars vs. maintaining usability.

My focus is Confidentiality. “Confidentiality prevents the unauthorized disclosure of data” (Gibson, 2014). As this is a home system I choose to be less concerned with integrity or availability. It’s really for gaming, casual web browsing, and experimenting with tools inside VMs. Plus I plan on being the only user. So I’m not worried about multiple users mistakenly or maliciously changing files (an integrity concern) and I’m not installing a generator or setting up a cold site for a gaming rig (that’d be availability).

The best thing about the CIA triad is that you can choose what to emphasize, i.e. where you spend your resources. Again, since this is for personal use I’m focusing on Confidentiality. If this system needed to stand up in a court of law or was part of an enterprise environment then I’d place way more emphasis on integrity and availability than I do here.

There are several ways one can go about hardening. And there are some great resources already out there (I’m a huge fan of DISA’s STIGs; the Windows OS STIGs are found here). But my first step is fact-finding. I’m going to install Windows 10 Professional with no Internet connection and see what a default install looks like: its services, its firewall config, etc.

My next post (hopefully next week) will be a report/analysis of said default install. What we find will shape how I approach hardening.

Source(s):

Gibson, D. (2014). CompTIA Security+: Get Certified Get Ahead, SY0-401 Study Guide. North Charleston, SC: CreateSpace.

Lecture Review: RF Waves

Disclaimer:

These lecture review posts are a personal study tool. Because they are written from memory (usually) to reinforce what I’ve learned, often at a fast pace, these posts don’t represent my true formatting/writing skill.

Radio Waves

These are electromagnetic waves. They consist of an electric field and a magnetic field oscillating at right angles (90 degrees) to each other. They travel at the speed of light and, from a simple antenna, radiate out in all directions.

Several ways to describe waves:
1. Amplitude
2. Frequency
3. Wavelength
4. Phase (sorta)

Amplitude is the ‘height’ of the wave’s peaks.
Frequency is how many times a wave completes a full cycle (up, down, and back to baseline) in a given amount of time, measured in hertz.
Wavelength is how long or short one cycle of the wave is. Wavelength and frequency have an inverse relationship: the higher the frequency, the shorter the wavelength (wavelength = speed of light / frequency).

Radio waves have to be ‘keyed’ or ‘modulated’ in order to carry data. The steady wave that gets modulated is called the carrier wave; on its own it carries no information.

The signal riding on the carrier can be analog or digital. Analog signals vary continuously, whereas digital signals are discrete symbols (1s and 0s) that start and stop. When the signal is analog we say the carrier is modulated; when it is digital we say it is keyed (hence ASK, FSK, PSK for the three methods below).

Three modulations:
1. Phase Modulation
2. Amplitude Modulation
3. Frequency modulation

Phase Modulation shifts where in its cycle the wave starts, where one phase represents 1 and another represents 0.
Amplitude Modulation changes the height of the peaks, where one height represents 0 and another represents 1.
Frequency Modulation changes the wave’s frequency, where a higher frequency represents 1 and a lower frequency represents 0.

FSPL stands for Free Space Path Loss. This is the attenuation (loss of signal) a radio wave experiences simply by spreading out as it travels, even with nothing in the way. It grows with both distance and frequency.

Multipathing occurs when the same wave is bounced and reflected off surfaces, creating copies that reach the receiver by different routes and therefore at slightly different times. This COULD be used to increase.

Rules of 10s and 3s (these are power ratios, so they apply to watts or milliwatts):
-3 dB means halve the watt value
+3 dB means double the watt value
-10 dB means the watt value becomes 1/10th of its value
+10 dB means multiply the watt value by ten
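A worked example for the FSPL and the rules of 10s and 3s above, added by me after class (not from the lecture). It turns any integer dB change into a chain of ±10 and ±3 steps and reports the resulting power ratio next to the exact 10^(dB/10), converts dBm to milliwatts the same way, and computes FSPL for a given distance and frequency. The 2.4 GHz, 1 km and 20 dBm figures are sample inputs I picked.

```python
import math
from typing import Tuple

SPEED_OF_LIGHT = 299_792_458.0  # metres per second


def decompose_db(db: int) -> Tuple[int, int]:
    """Write an integer dB change as (tens, threes) so that
    db == 10 * tens + 3 * threes, using as few 3 dB steps as possible.
    Always solvable for integers because gcd(10, 3) == 1."""
    for threes in sorted(range(-12, 13), key=abs):
        if (db - 3 * threes) % 10 == 0:
            return (db - 3 * threes) // 10, threes
    raise ValueError("no decomposition found")  # not reachable for ints


def ratio_rule_of_10s_and_3s(db: int) -> float:
    """Power ratio by the rule: each +10 dB is x10, each +3 dB is x2,
    negative steps divide. Approximate, since 3 dB is really x1.995."""
    tens, threes = decompose_db(db)
    return (10.0 ** tens) * (2.0 ** threes)


def ratio_exact(db: float) -> float:
    """The real definition: dB = 10 * log10(P_out / P_in)."""
    return 10.0 ** (db / 10.0)


def dbm_to_mw(dbm: int) -> float:
    """0 dBm is defined as 1 mW, so the ratio relative to 0 dBm is the
    power in milliwatts. 20 dBm is 100 mW, 17 dBm is 50 mW."""
    return ratio_rule_of_10s_and_3s(dbm)


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free Space Path Loss between isotropic antennas with nothing in
    the way. Doubling either distance or frequency adds about 6 dB."""
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT))


def received_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                 distance_m: float, freq_hz: float) -> float:
    """Simple link budget: transmit power plus antenna gains minus FSPL."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz)


if __name__ == "__main__":
    for db in (1, 3, 7, 10, 13, -3, -7):
        tens, threes = decompose_db(db)
        print("%+d dB = %d x 10dB %+d x 3dB -> rule %.3f, exact %.3f"
              % (db, tens, threes, ratio_rule_of_10s_and_3s(db), ratio_exact(db)))
    # Sample inputs: a 20 dBm (100 mW) 2.4 GHz radio, 2 dBi antennas, 1 km.
    print("FSPL at 1 km, 2.4 GHz: %.1f dB" % fspl_db(1000, 2.4e9))
    print("received: %.1f dBm" % received_dbm(20, 2, 2, 1000, 2.4e9))
```

The interesting part is the error: 7 dB by the rule is 10/2 = 5.0 versus 5.01 exact, and 1 dB is 10/8 = 1.25 versus 1.26, which is why the rule is good enough for whiteboard work but not for a link budget you have to defend.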

DON’T USE RSSI TO MEASURE SIGNAL STRENGTH!!!! It was never meant for that. RSSI is a relative index meant for internal use by the radio’s components, and each manufacturer can implement it differently (different scales, different maximum values), so two RSSI readings from different hardware aren’t comparable. Use dBm for signal strength.

Lecture Review: TCP, UDP, and ICMP

Hello people! One of the uses I have for my site is to post a recap of my school lectures here. I’m playing around with different study methods and wanted to see how well this works out. At the very least, it’ll serve as a good personal reference.

That being said, the information contained in these posts may or may not represent knowledge I already have. I.e., if we went over something basic (like the OSI model), I’m still going to include it despite my familiarity with it.

Further, because I’m writing these posts from memory (as a practice to reinforce it), I am less concerned with grammar, punctuation, and formatting than with other posts.

TCP

TCP is

  • Connection-oriented
  • Unicast
  • Higher overhead
  • Corrective

It’s connection-oriented by way of the three-way handshake (SYN, SYN/ACK, ACK). A connection is established first, then the data is exchanged. Delivery is ensured because that connection lets both ends keep track of what was sent and what was acknowledged (via sequence and acknowledgement numbers), and resend whatever wasn’t acknowledged. All of which requires higher overhead.

You can close TCP connections gracefully with FIN (each side sends its own FIN and gets an ACK) or abruptly with RST (rude!).

TCP will always be in a certain state as defined in… RFC (forgot which number- doing these notes from memory).

UDP

Pretty much the exact opposite of TCP. Connectionless, very little overhead, no guarantee of delivery or ordering. Can be multicast (as well as unicast or broadcast). Used for video streaming (among others!). Fire-and-forget.

tcpdump, Datagrams, Fragmenting

The flow of data in tcpdump is denoted with the arrow between the two addresses: each line reads source > destination.

Ports 0-1023 are the well-known ports. These are usually used by servers for common services. Clients can open any port, typically 1024 or above (an ephemeral port), when requesting services. The ports can be re-used and change after each connection. I.e., client-1 might open ephemeral port 31XXX when connecting to server-1:25. After that connection closes, that same 31XXX port could be opened again for a connection to server-3:22.

When viewing connections in tcpdump, especially TCP and its three-way handshake, you’ll actually see both directions of the same connection in the output: client-to-server and server-to-client.

If the datagram being sent is larger than the MTU of a link along the path (1500 bytes for standard Ethernet), it has to be fragmented. In this case, every fragment carries the same Identification value so the recipient knows which pieces belong together, and the Fragment Offset field (counted in 8-byte units) says where each piece goes, so order doesn’t matter. The More Fragments flag is set on every fragment but the last. Only the first fragment will have the protocol header (TCP, UDP, etc.), whereas every fragment will have its own ~20-byte IP header.

The teardrop attack sends fragments whose offsets overlap each other; an IP stack that trusts the offsets blindly miscalculates lengths during reassembly and can crash.
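An added example of my own (not from the lecture): a reassembler that takes the per-fragment fields named above (identification, offset in 8-byte units, the MF flag, the payload) and refuses fragments that overlap, which is the teardrop pattern. It also splits a datagram the way a router would, so the normal case can be checked against the attack case. The 3000-byte payload and the 1500-byte MTU are constructed inputs.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample payload: 3000 bytes, too big for a 1500-byte Ethernet MTU.
ORIGINAL_PAYLOAD = bytes(i & 0xFF for i in range(3000))
IPV4_HEADER_LEN = 20


@dataclass(frozen=True)
class Fragment:
    """The IP-header fields that matter for reassembly."""
    identification: int   # identical on every piece of one datagram
    offset_units: int     # Fragment Offset field, in 8-byte units (13 bits)
    more_fragments: bool  # MF flag: set on every piece except the last
    payload: bytes        # what follows this fragment's IP header

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


def fragment_datagram(payload: bytes, identification: int,
                      mtu: int = 1500) -> List[Fragment]:
    """Split a payload like a router would: each piece carries as many
    whole 8-byte blocks as fit under the MTU after the IP header."""
    step = ((mtu - IPV4_HEADER_LEN) // 8) * 8  # 1480 for Ethernet
    frags = []
    for start in range(0, len(payload), step):
        frags.append(Fragment(identification, start // 8,
                              more_fragments=start + step < len(payload),
                              payload=payload[start:start + step]))
    return frags


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Reassembly sanity checks. An empty list means the set is consistent."""
    problems = []
    if len({f.identification for f in frags}) != 1:
        problems.append("fragments carry different identification values")
    ordered = sorted(frags, key=lambda f: f.start)
    expected = 0  # the first byte not yet covered by earlier fragments
    for i, f in enumerate(ordered):
        last = i == len(ordered) - 1
        if f.start < expected:
            problems.append("fragment at offset %d overlaps data already covered "
                            "up to %d (teardrop pattern)" % (f.start, expected))
        elif f.start > expected:
            problems.append("gap: expected offset %d, got %d" % (expected, f.start))
        if not last and len(f.payload) % 8:
            problems.append("non-final fragment of %d bytes is not a multiple of 8"
                            % len(f.payload))
        if not last and not f.more_fragments:
            problems.append("MF clear on a fragment that is not the last")
        if last and f.more_fragments:
            problems.append("MF set on the last fragment: datagram is incomplete")
        if f.end > 65535:
            problems.append("fragment ends at %d, past the 65535-byte IP maximum" % f.end)
        expected = max(expected, f.end)
    return problems


def reassemble(frags: List[Fragment]) -> bytes:
    """Stitch the payload back together, but only if the checks pass."""
    problems = check_fragments(frags)
    if problems:
        raise ValueError("; ".join(problems))
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.start))


def teardrop_variant(frags: List[Fragment]) -> List[Fragment]:
    """Constructed attack input: pull the second fragment's offset back so
    it lands inside the first one, which is what teardrop did."""
    second = frags[1]
    overlapping = Fragment(second.identification, second.offset_units // 2,
                           second.more_fragments, second.payload)
    return [frags[0], overlapping] + frags[2:]


if __name__ == "__main__":
    frags = fragment_datagram(ORIGINAL_PAYLOAD, identification=0x1C46)
    for f in frags:
        print("id=0x%04x offset=%5d len=%4d MF=%s" % (f.identification, f.start,
                                                      len(f.payload), f.more_fragments))
    print("good set:", check_fragments(frags) or "no problems")
    print("teardrop set:", check_fragments(teardrop_variant(frags)))
```

The good set comes out as three fragments at offsets 0, 1480 and 2960 (1480, 1480 and 40 bytes). Note that by the time the overlap is visible you have to have seen at least two fragments, which is exactly why a firewall that only inspects the first fragment (the one with the TCP/UDP header) misses this class of problem.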

ICMP

ICMP can be helpful in troubleshooting things as well as reconnaissance.

Firewalls should be blocking incoming ICMP echo requests from the outside. And probably from internally, too. (Blocking every ICMP type is a step too far, though: dropping the unreachable messages breaks path MTU discovery.)

Depending on what type of ICMP response you receive, that can indicate what’s going on at the target. For example, if a request comes back with host unreachable, time to move on. However, if you get administratively prohibited (thanks to an ACL) or port unreachable, then that does tell you something’s there.

You can also use the TTL in a reply to estimate how many hops you’re dealing with: compare it against the common starting values (64, 128, or 255) and the difference is the hop count.