TCP Three-Way Handshake

Figure 1 illustrates how it works. Computer A sends a SYN asking computer B to establish a connection on port 80, if the port is open, then B acknowledges the SYN and send SYN in return as well. Third and final step is when A acknowledges that it also received the SYN from B.

If port 80 is closed, B will respond with RST.

Before proceeding to the following illustration, refresh your mind with the following list of TCP Communication Flags:

• Synchronize (SYN): Initiates connection between hosts.
• Acknowledgment (ACK): Establish connection between hosts.
• Push (PSH): System accepting requests and forwarding buffered data.
• Urgent (URG): Instructs data contained in packets to be processed ASAP.
• Finish (FIN): Communicates to the remote system of no more retransmissions.
• Reset (RST): Reset a connection.

TCP Three-Way Handshake

Port scanning is used to check which ports are open by sending and receiving packets directly between two computers. In SYN Stealth (Also known as Half Open Scan) for example Computer A sends SYN to B, If the port is Computer B is open, the reply will be: SYN+ACK based on the Three-Way Handshake rules. Otherwise, if B respond with a RST, then the port is closed or not listening.
SYN Stealth and other types of scaning expose the scanners IP to the targeted computer. To overcome that, Idle scan is used.

How Idle Scan works

Every IP packet on the internet has a fragment identification numer (IP ID), which is usually incremented by one by the operating system for every packet transmission. Hence, if we record the IP ID of a computer, we can compute the number of packets it sent after certain time.

Now, assume that Computer A wants to scan Computer B, while Computer C is being used as a Zombie.

• A will first ask to communicate with C, from C’s response, A knows that C’s IP ID is: 1445.
• A sends SYN to one of B’s ports asking for a connection using C’s IP address.
• B respond to the relevant IP address, that is C with a SYN+ACK if the port is open, else if the port is closed, then it will send back a RST or nothing at all.
• A ask to communicate with C one more time to read its IP ID again.
• If the IP ID is 1447 (increased by two since the last transmission) then the port is open assuming that B responded with a SYN/ACK back to C, hence C had to reply with a RST packet using IP ID = 1446.
• Else If the IP ID is 1446, (increased by one since the last transmission) then the port is close, assuming that B simply responded with a RST or nothing at all, hence C did not have to communicate back.

You must have noticed that, to collect reliable data, it is important that computer C does not communicate with any other devices while running the scan, otherwise, its IP ID will increase dramatically anyway. This is why, the zombie device should be chosen carefully to be Idle, hence the name of the scan.

Also, as you must have noticed, the scan was performed by sending packets with spoofed IP to the target computer. Hence the spoofed IP is blamed for the scan, not yours!

In practice, the following Nmap command is an example of how to perform Idle scans:

nmap -PN -p20-25 -sI 192.168.1.152 192.168.0.131

-sI: is used to run Idle Scan.
-PN: is necessary for stealth, otherwise packets would be sent to the target from your real addres.
-p20-25: scan ports 20, 21, 23, 24 and 25.
192.168.1.152: Zombie IP.
192.168.0.131: Target IP.

At the end, here is a reminder that you should not scan any computer/network without permission. There are many known cases where using Nmap unethically caused serious legal issues.

Connect the cables. Once done, you should first enable Internet Connection Sharing on your Windows machine. To do that, right-click your Internet connection and select “Properties“. Then click the “Advanced” tab. Now simply put a tick on the following option:

“Allow other network users to connect through this computer’s Internet connection”

This should give your Network card the following static IP address: 192.168.0.1. This address will represent the gateway address for the other computers in your LAN to connect to the Internet.

Now, move to your Linux box and use the following command to give it an IP address and a Subnet Mask:

ifconfig eth0 192.168.0.131 netmask 255.255.255.0

The following command is then used to set the default gateway

route add -net default gw 192.168.0.1

Finally, you will need to update your Linux DNS servers file. Get the two DNS servers IPs by typing
“Ipconfig /all” In the command prompt of your Windows machine, and then add them to “/etc/resolv.conf” in your Linux using your favorite editor. For instance, to open the file with nano use the following command:

sudo nano /etc/resolv.conf

That’s all, try to test the connection between the two computers by pinging their IP addresses and then test your DNS configuration with any of the following commands from your Linux box:

host google.com
 
nslookup google.com
 
ping google.com

VisualRoute

Traceroute is a famous program to draw the route taken by packets from your computer to any destination you chose. It uses UDP or ICMP echo packets with TTL value of one, then continuously increase it until it reaches the destination, this way it can get time exceeded responses from every hop in the pathway.

There is also TCP Traceroute programs which can be useful to bypass some firewalls filtering.

Similar techniques like Dig, Host for UNIX-like systems and PathPing for Windows may also be used to achieve similar results, but all these are command based. Although, using the Terminal is great pleasure, but it is always nice when these locations are illustrated on a real world map in addition to different forms of diagrams. To get such results, I suggest two tools I have used: NeoTrace Pro and VisualRoute.

Hubs are used to build a LAN by connecting different computers in a star/hierarchal network topology, the most common type on LANs now a day. A hub is a very simple (or dumb) device, once it gets bits of data sent from computer A to B, it does not check the destination, instead, it forwards that signal to all other computers (B, C, D…) within the network. B will then pick it up while other nodes discard it. This amplifies that the traffic is shared.

There are mainly two types of hubs:

1. Passive: The signal is forwarded as it is (so it doesn’t need power supply).
2. Active: The signal is amplified, so they work as repeaters. In fact they have been called multiport repeaters. (use power supply)

Hubs can be connected to other hubs using an uplink port to extend the network.

OSI Model: Hubs work on the physical layer (lowest layer). That’s the reason they can’t deal with addressing or data filtering.

Switches on the other hand are more advanced. Instead of broadcasting the frames everywhere, a switch actually checks for the destination MAC address and forward it to the relevant port to reach that computer only. This way, switches reduce traffic and divide the collision domain into segments, this is very sufficient for busy LANs and it also protects frames from being sniffed by other computers sharing the same segment.

They build a table of which MAC address belongs to which segment. If a destination MAC address is not in the table it forwards to all segments except the source segment. If the destination is same as the source, frame is discarded.

Switches have built-in hardware chips solely designed to perform switching capabilities, therefore they are fast and come with many ports. Sometimes they are referred to as intelligent bridges or multiport bridges.
Different speed levels are supported. They can be 10 Mb/s, 100 Mb/s, 1 Gb/s or more.

Most common switching methods are:

1. Cut-through: Directly forward what the switch gets.
2. Store and forward: receive the full frame before retransmitting it.

OSI: Switches are on the data link layer (just above physical layer) that’s why they deal with frames instead of bits and filter them based on MAC addresses. Switches are known to be used for their filtering capabilities.

VLANs (Virtual LANs) and broadcast domains: Switches do not control broadcast domains by default, however, if a VLAN is configured in a switch it will has its own broadcast domain.

*VLAN is a logical group of network devices located on different LAN physical segments. However they are logically treated as if they were located on a single segment.

Bridges are used to extend networks by maintaining signals and traffic.
OSI: Bridges are on the data link layer so in principle they are capable to do what switches do like data filtering and separating the collision domain, but they are less advanced. They are known to be used to extend distance capabilities of networks.

In a comparison with switches, they are slower because they use software to perform switching. They do not control broadcast domains and usually come with less number of ports.

Routers are used to connect different LANs or a LAN with a WAN (e.g. the internet). Routers control both collision domains and broadcast domains. If the packet’s destination is on a different network, a router is used to pass it the right way, so without routers the internet could not functions.

Routers use NAT (Network Address Translation) in conjunction with IP Masquerading to provide the internet to multiple nodes in the LAN under a single IP address.

Now a day, routers come with hub or switch technology to connect computers directly.

OSI: Routers work on the network layer so they can filter data based on IP addresses. They have route tables to store network addresses and forward packets to the right port.

Gateways are very intelligent devices or else can be a computer running the appropriate software to connect and translate data between networks with different protocols or architecture, so their work is much more complex than a normal router. For instance, allowing communication between TCP/IP clients and IPX/SPX or AppleTalk.

OSI: Gateways operate at the network layer and above, but most of them at the application layer.

P.S. The term Gateway is used to refer to routers in some articles so beware. In this case, the router has gateway software. And Default Gateway is used to refer to the node (e.g. router) connecting the LAN to the outside (e.g. internet).

Repeaters are simple devices that work at the physical layer of the OSI. They regenerate signals (active hubs does that too).

There is an important rule to obey while using repeaters/hubs to extend a local network and is called the 5-4-3 rule or the IEEE way. The rule forces that in a single collision domain there shouldn’t be more than 5 segments, 4 repeaters between any two hosts in the network and only 3 of the segments can be populated (contain user connections).
This rule ensures that a signal sent over the network will reach every part of it within an acceptable length of time.
If the network is bigger, the collision domain can be divided into two parts or more using a switch or a bridge.

Conclusion

What have been introduced so far are the main traditional devices used to build networks, understanding how they work helps to understand the logic behind networks designing, however, now that technology advance quickly, it is possible to find new products in the market combining two or more of these devices into one.

Examples are:

- Brouter: Works as a Bridge and as a Router.
- IP Switch or MultiLayer Switch (MLS): New switches with routing capabilities, they forward data based on IP addresses, work at the network layer too.

References used are the following in addition to my previous readings and background study.

[1] TCP IP in 24 hours by SAMS
[2] http://www.techexams.net/technotes/ccna/lan_technologies.shtml