Introductory Networking

 
 

The link for this lab is located here: https://tryhackme.com/room/introtonetworking


This room covers the basic principles of networking - a key skill for aspiring hackers. It will cover things like the OSI Model, the TCP/IP Model, and basic networking tools.



Task 2 - The OSI Model

The OSI model is a standardized model used to demonstrate the theory behind computer networking. The TCP/IP model is what real-world networking is based on, but the OSI model is much easier to understand for beginners.

The OSI model consists of 7 layers:

  • Application (layer 7)

  • Presentation (layer 6)

  • Session (layer 5)

  • Transport (layer 4)

  • Network (layer 3)

  • Data Link (layer 2)

  • Physical (layer 1)

Layer 7 - Application

This layer provides networking options to programs running on the computer. It works exclusively with applications, providing an interface for them to use in order to transmit data. When data is given at this layer, it is passed down into the presentation layer.

Layer 6 - Presentation

This layer receives data from the application layer. The data tends to be in a format that the application understands, but not necessarily in a standardized format that could be understood by the application layer in the receiving computer.

The presentation layer translates the data into a standardized format as well as handles encryption, compression and other transformations to the data. When this is complete, it sends it down to the session layer.

Layer 5 - Session

This layer looks to see if it can set up a connection. If it CANNOT, it sends back an error and the process goes no further. If it CAN, then this layer is responsible for maintaining a session as well as co-operating with the session layer of the other computer to synchronize communications.

The layer is particularly important as it creates a UNIQUE session for the communication taking place. This is how you can make multiple requests to different endpoints simultaneously without data getting mixed up.

When the layer has successfully logged a connection between two hosts, the data is passed to the transport layer.

Layer 4 - Transport

This layer serves numerous important functions. It chooses the protocol over which the data is transmitted (either TCP or UDP). TCP is connection-based, which means a connection is established and maintained for the duration of the request, giving reliable transmission and data integrity. TCP also allows two computers to remain in constant communication to ensure that data is sent at an acceptable rate and any lost data is re-sent.

With UDP, the packets are essentially thrown at the receiving computer - if packets are lost, then they are not re-transmitted. Think of streaming video over Skype as a good example of UDP.

TCP is usually chosen for situations where accuracy is favoured over speed (file transfer, webpages), whereas UDP would be used in situations where speed is more important (streaming).

With a protocol selected, the transport layer then divides the transmission up into bite-sized pieces (called segments for TCP and datagrams for UDP), which makes it easier to transmit the message.

Layer 3 - Network

This layer is responsible for locating the destination of your request. This layer takes the IP address for a web page, for example, and finds the best route to take. At this stage, we use what is called Logical Addressing (IP addresses), which is software controlled.

Logical addresses are used to provide order to networks. Currently, the most common form of logical addressing is IPv4 format.

Layer 2 - Data Link

This layer focuses on the Physical Addressing. It receives a packet from the network layer and adds in the MAC address of the receiving endpoint. Inside every network-enabled computer is a NIC which comes with a unique MAC address to identify it.

MAC addresses are set by the manufacturer and literally burnt into the card. They cannot be changed, but they can be spoofed. The physical address is used to identify where exactly to send information.

This layer also presents the data in a format suitable for transmission, and checks the received information to make sure that it has not been corrupted by layer 1.

Layer 1 - Physical

This layer is down to the hardware. It is where electrical pulses that make up data transfer over a network are sent/received. This layer's job is to convert the binary data of the transmission into signals and transmit them across the network as well as receive incoming signals and convert them back to binary data.

Questions

With this information, you should be able to answer the following questions. However, answers are provided as well (click the question to reveal the answer).

Q1: Which layer would choose to send data over TCP or UDP? A: Layer 4 (Transport)

Q2: Which layer checks received packets to make sure that they have not been corrupted? A: Layer 2 (Data Link)

Q3: In which layer would data be formatted in preparation for transmission? A: Layer 2 (Data Link)

Q4: Which layer transmits and receives data? A: Layer 1 (Physical)

Q5: Which layer encrypts, compresses, or otherwise transforms the initial data to give it a standardized format? A: Layer 6 (Presentation)

Q6: Which layer tracks communications between the host and receiving computers? A: Layer 5 (Session)

Q7: Which layer accepts communication requests from applications? A: Layer 7 (Application)

Q8: Which layer handles logical addressing? A: Layer 3 (Network)

Q9: When sending data over TCP, what would you call the "bite-sized" pieces of data? A: Segments

Q10: Which layer would the FTP protocol communicate with? A: A simple Google search would reveal that FTP uses Layer 7, the Application layer, via a client application

Q11: Which transport layer protocol would be best suited to transmit a live video? A: UDP


Task 3 - Encapsulation

As the data is passed down each layer, more information containing details specific to that layer is added to the start of the transmission. The header added by the Network layer would include things like the source and destination IP addresses while the header added by the Transport layer would include information specific to the protocol being used.

The Data Link layer also adds a piece at the end which is used to verify the data has not been corrupted on transmission - known as the L2 trailer. This whole process is referred to as encapsulation: the process by which data can be sent from one computer to another.


In layers 7, 6 and 5, the data is referred to as data. In layer 4, the data is referred to as a segment or a datagram (depending on TCP or UDP). In layer 3, the data is referred to as a packet. In layer 2, the data becomes a frame. At layer 1, it becomes known as bits.

When the message is received by the second computer, it reverses the process - known as de-encapsulation. The processes of encapsulation and de-encapsulation are very important. They give us a standardized method for sending data.

This means that all transmissions will consistently follow the same methodology.
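To make the encapsulation described above concrete, here is an added example (not part of the room or this writeup) that walks application data down layers 4, 3 and 2 and back up again. The MAC and IP addresses are constructed sample values; the layer-2 trailer is a CRC-32 (the Ethernet FCS), and de-encapsulation checks it first, exactly the Data Link corruption check the text describes.

```python
import socket
import struct
import zlib

# Constructed sample addresses for the example; not taken from the room's capture.
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
SRC_IP, DST_IP = "192.168.1.10", "10.0.0.5"

def ip_checksum(header: bytes) -> int:
    """Standard IPv4 header checksum: one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(data: bytes, src_port: int, dst_port: int) -> bytes:
    """Pass application data down layers 4, 3 and 2, adding a header at each
    step: data -> datagram -> packet -> frame (plus the L2 trailer)."""
    # Layer 4 (UDP): 8-byte header -> datagram. UDP checksum left at 0 (optional over IPv4).
    datagram = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    # Layer 3 (IPv4): 20-byte header carrying the logical (IP) addresses -> packet.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(datagram), 0, 0, 64, 17, 0,
                         socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + datagram
    # Layer 2 (Ethernet II): physical (MAC) addresses in front, CRC-32 FCS trailer behind -> frame.
    body = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + packet   # 0x0800 = IPv4
    return body + struct.pack("<I", zlib.crc32(body))

def de_encapsulate(frame: bytes) -> dict:
    """Reverse the process. The Data Link layer checks the trailer first (its
    corruption check), then each layer strips its own header."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    dst_mac, src_mac = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    packet = body[14:]
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ip_checksum(packet[:10] + b"\x00\x00" + packet[12:20]) != f[7]:
        raise ValueError("IPv4 header checksum mismatch")
    datagram = packet[(f[0] & 0x0F) * 4:f[2]]
    src_port, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    return {  # the same sections Wireshark lists for a frame
        "Frame": {"bytes_on_wire": len(frame)},
        "Ethernet II": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":"), "type": hex(ethertype)},
        "Internet Protocol Version 4": {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
                                        "ttl": f[5], "protocol": f[6]},
        "User Datagram Protocol": {"src_port": src_port, "dst_port": dst_port, "length": length},
        "data": datagram[8:length],
    }
```

Flip any byte of the returned frame before calling de_encapsulate and the FCS check rejects it, which is the layer-2 corruption detection the questions below ask about.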

Questions

Q1: How would you refer to data at layer 2 of the encapsulation process (with the OSI model)? A: Frames

Q2: How would you refer to data at layer 4 of the encapsulation process (with the OSI model) if the UDP protocol has been selected? A: Datagrams

Q3: What process would a computer perform on a received message? A: De-encapsulation

Q4: Which is the only layer of the OSI model to add a trailer during encapsulation? A: Data Link

Q5: Does encapsulation provide an extra layer of security (aye/nay)? A: Aye


Task 4 - The TCP/IP Model

The TCP/IP model is similar to the OSI model. It serves as the basis for real-world networking. It consists of 4 layers:

  • Layer 4 - Application

  • Layer 3 - Transport

  • Layer 2 - Internet

  • Layer 1 - Network Interface

The two models match up something like this:


The processes of encapsulation and de-encapsulation work in exactly the same way with the TCP/IP model as they do with the OSI model.

When we talk about TCP/IP, we are actually talking about a suite of protocols - a set of rules that define how an action is to be carried out. TCP/IP takes its name from the two most important of these:

  • Transmission Control Protocol - controls the flow of data between two endpoints

  • Internet Protocol - controls how packets are addressed and sent

TCP is a connection-based protocol. Before you send any data via TCP, you must first form a stable connection between the two computers. The process of forming this connection is called the three-way handshake.

When you attempt to make a connection, your computer first sends a special request to the server indicating that it wants to initialize a connection. This is called a SYN packet, which essentially makes first contact in starting the connection process.

The server then responds with a SYN/ACK packet. Finally, your computer will send an ACK packet confirming that the connection has been set up successfully.

With the three-way handshake successfully completed, data can be reliably transmitted between the two computers - any data lost or corrupted gets re-sent.
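As an added illustration (not from the room or this writeup), the following Python models the connection-setup half of TCP's state machine and runs the SYN, SYN/ACK, ACK exchange above. It is a constructed teaching model with no real sockets; the initial sequence numbers 1000 and 5000 are arbitrary sample values, and each ACK must equal the peer's sequence number plus one or the endpoint rejects the segment.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    sender: str
    flags: frozenset
    seq: int   # sequence number carried by this segment
    ack: int   # next sequence number the sender expects from its peer (0 when ACK not set)

SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

class Endpoint:
    """Connection-setup states only: CLOSED/LISTEN -> SYN_SENT/SYN_RECEIVED -> ESTABLISHED.
    Constructed teaching model: no sockets, no data transfer, no teardown."""
    def __init__(self, name: str, isn: int):
        self.name, self.state, self.seq, self.peer_seq = name, "CLOSED", isn, None

    def listen(self):
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """Step 1: the client's SYN carries its initial sequence number (ISN)."""
        self.state = "SYN_SENT"
        return Segment(self.name, SYN, self.seq, 0)

    def receive(self, seg: Segment):
        if self.state == "LISTEN" and seg.flags == SYN:
            # Step 2: acknowledge the SYN (expect client ISN + 1) and send our own SYN.
            self.peer_seq, self.state = seg.seq + 1, "SYN_RECEIVED"
            return Segment(self.name, SYNACK, self.seq, self.peer_seq)
        if self.state == "SYN_SENT" and seg.flags == SYNACK and seg.ack == self.seq + 1:
            # Step 3: our SYN was acknowledged; acknowledge the server's SYN in turn.
            self.peer_seq, self.seq, self.state = seg.seq + 1, self.seq + 1, "ESTABLISHED"
            return Segment(self.name, ACK, self.seq, self.peer_seq)
        if self.state == "SYN_RECEIVED" and seg.flags == ACK and seg.ack == self.seq + 1:
            self.seq, self.state = self.seq + 1, "ESTABLISHED"
            return None
        # Anything else (wrong flags, or an ACK that does not match seq + 1) is rejected.
        raise ValueError(f"{self.name} in state {self.state} rejects {sorted(seg.flags)} ack={seg.ack}")

def three_way_handshake(client_isn: int = 1000, server_isn: int = 5000):
    """Run the exchange; return the three segments and both endpoints' final states."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return [syn, syn_ack, ack], client.state, server.state
```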


Questions

Q1: Which model was introduced first, OSI or TCP/IP? A: TCP/IP

Q2: Which layer of the TCP/IP model covers the functionality of the Transport Layer of the OSI model (Full Name)? A: Transport

Q3: Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)? A: Application

Q4: The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link and which other layer (Full Name)? A: Physical

Q5: Which layer of the TCP/IP model handles the functionality of the OSI network layer? A: Internet

Q6: What kind of protocol is TCP? A: Connection-based

Q7: What is SYN short for? A: Synchronize

Q8: What is the second step of the three way handshake? A: SYN/ACK

Q9: What is the short name for the "Acknowledgement" segment in the three-way handshake? A: ACK


Task 5 - Wireshark

Wireshark is a tool used to capture and analyze packets of data going across a network - this task has a file to download to follow along.

When you first load the capture file into Wireshark, you are given a list of captured packets in the top window, and in the bottom two windows you are shown the data contained in each captured packet:

There are five pieces of information here:

  • Frame 1 - this is showing details from the physical layer of the OSI model

  • Ethernet II - this is showing details from the Data Link layer of the OSI model: the transmission medium (in this case an Ethernet cable) as well as the source and destination MAC addresses of the request

  • Internet Protocol Version 4 - this is showing details from the Network layer of the OSI model: the source and destination IP addresses of the request

  • Transmission Control Protocol - this is showing details from the Transport layer of the OSI and TCP/IP models: in this case, it tells us that the protocol was TCP along with a few other things

  • HyperText Transfer Protocol - this is showing details from the Application layer of the OSI and TCP/IP models: specifically this is an HTTP GET request which is requesting a web page from a remote server

Now, answer the following questions on the second packet:

Questions

Q1: What is the protocol specified in the section of the request that is linked to the Application layer of the OSI and TCP/IP models? A: Domain Name System

Q2: Which layer of the OSI model does the section that shows the IP address "172.16.16.77" link to (Name of the layer)? A: Network

Q3: In the section of the request that links to the Transport layer of the OSI and TCP/IP models which protocol is specified? A: User Datagram Protocol

Q4: Over what medium has this request been made (linked to the Data Link layer of the OSI model)? A: Ethernet II

Q5: Which layer of the OSI model does the section that shows the number of bytes transferred (81) link to? A: Physical

Q6: Can you figure out what kind of address is shown in the layer linked to the Data Link layer of the OSI model? A: MAC


Task 6 - Ping

The ping command is used when we want to test whether a connection to a remote resource is possible. Usually, this will be a website on the internet but could also be another computer.

Ping works using the ICMP protocol, which is one of the slightly less well-known TCP/IP protocols that were mentioned earlier. The ICMP protocol works on the Network layer of the OSI model, and thus the Internet layer of the TCP/IP model.

The basic syntax for ping is: ping <target>

Note that ping returns the IP address of the Google server it connected to, rather than the URL requested. This is a handy secondary use for ping: it can be used to determine the IP address of the server hosting a site.

One big advantage of ping is that it is pretty much ubiquitous on any network-enabled device: all operating systems support it, and even most embedded devices can use ping.

Questions

Q1: What command would you use to ping the bbc.co.uk website? A: ping bbc.co.uk

Q2: Ping muirlandoracle.co.uk. What is the IPv4 address? A: 207.160.0.152

Q3: What switch lets you change the interval of sent ping requests? A: -i

(Screenshot: Interval of Ping Requests)

Q4: What switch would you use to restrict requests to IPv4? A: -4

(Screenshot: Restrict Requests to IPv4)

Q5: What switch would give you a more verbose output? A: -v

(Screenshot: Verbose Output)


Task 7 - Traceroute

The traceroute command allows you to see each connection that your PC takes to get to a certain destination. It allows you to see every intermediate step between your computer and the resource requested.

The basic syntax for traceroute on Linux is: traceroute <destination>

By default, the Windows traceroute utility (tracert) operates using the same ICMP protocol that ping utilizes, while the Unix equivalent operates over UDP. This can be altered via switches.

Questions

Q2: What switch would you use to specify an interface when using Traceroute? A: -i

(Screenshot: Specify Interface via Traceroute)

Q3: What switch would you use if you wanted to use TCP SYN requests when tracing the route? A: -T

(Screenshot: TCP SYN with Traceroute)

Q4: Which layer of the TCP/IP model will traceroute run on by default (Windows)? A: Internet


Task 8 - Whois

Domains are leased out by companies called Domain Registrars. If you want a domain, you have to register it with a registrar then lease the domain for a certain length of time.

The tool Whois allows you to query who a domain name is registered to. Be aware that in Europe personal details are redacted but in other places, you might get a great deal of information from a simple search.

To do a Whois lookup, simply type whois <domain> to get a list of available information about the domain registration.


As you can see, there is some useful information in this output including:

  • Domain name

  • Company that registered the domain

  • Last renewal date & next due date

Now, perform your own search on Facebook and Microsoft to see some information.

Questions

Q2: What is the registrant postal code for facebook.com? A: 94025

(Screenshot: Postal Code Facebook)

Q3: When was the facebook.com domain first registered? A: 29/03/1997

(Screenshot: Registered Date Facebook)

Q5: Which city is the registrant of Microsoft.com based in? A: Redmond

(Screenshot: City of Microsoft)

Q6: What is the name of the golf course that is near the registrant address for microsoft.com? A: Searching the address (One Microsoft Way, Redmond) in Google reveals a location on the map. Zooming out a little reveals a golf course close to the Microsoft campus

(Screenshot: Golf Course Near Microsoft)

Q7: What is the registered Tech Email for microsoft.com? A: msnhst@microsoft.com

(Screenshot: Tech Email for Microsoft)


Task 9 - Dig

DNS allows us to ask a special server to give us the IP address of the website we want to access. Making a request to google.com would send a request to a special DNS server which would then go looking for the IP address for google.com and send it back to us. Our computer could then send the request to the IP of the Google server.

When you make a request to a site, your computer first checks its local cache to see if it has already got an IP address for the website. If it does not, it goes to the next stage.

At the next stage, your computer will send a request to a Recursive DNS Server, which is automatically known to the router on your network. ISPs maintain their own recursive servers, but companies such as Google and OpenDNS also control their own. These servers will also maintain a cache of results for popular domains. If the website you request is NOT stored in the cache, it passes the request on to a root name server.

There are 13 root name DNS servers in the world. They keep track of DNS servers in the next level down, choosing an appropriate one to redirect your request to. These lower-level servers are called Top-Level Domain servers.

TLD servers are split up into extensions (.com, .co.uk, .ac.uk, etc.). As with root name servers, TLD servers keep track of the next level down, which are Authoritative Name Servers. When a TLD server receives your request, the server passes it down to an appropriate Authoritative Name Server.

Authoritative Name Servers are used to store DNS records for domains directly. Every domain in the world will have its DNS records stored on one of these; they are the source of the information. When your request reaches the authoritative name server for the domain you want, it will send the relevant information back to you.

When you visit a website, this happens automatically but you can do it manually using the dig command. This allows us to manually query recursive DNS servers of our choice for information about domains. The syntax is dig <domain> @<dns-server-IP>


The most interesting piece of information for us is the ANSWER section. In summary, this information tells us that we sent it one query and successfully received one full answer which contains the IP address for the domain we queried.

Another interesting piece of information is the TTL (Time To Live). The TTL record tells your computer when to stop considering the record as valid and to request the data again. It is important to remember that TTL is measured in SECONDS.

Questions

Q1: What is DNS short for? A: Domain Name System

Q2: What is the first type of DNS server your computer would query when you search for a domain? A: Recursive

Q3: What type of DNS server contains records specific to domain extensions (.com, .co.uk, etc...) A: Top-level Domain

Q4: What is the very first place your computer would look to find the IP address of a domain? A: Local Cache

Q5: Google runs two public DNS servers. One of them can be queried with the IP 8.8.8.8, what is the IP address of the other one? A: Doing a quick Google search for "Google's DNS servers" yields the result we are looking for

(Screenshot: Google DNS Server 8.8.4.4)

Q6: If a DNS query has a TTL of 24 hours, what number would the dig query show? A: Remember that TTL is measured in seconds. There are 86400 seconds in a day, so there's our answer.


Task 10 - Further Reading

If you want to expand your knowledge of networking theory, the Cisco Self Study Guide by Steve McQuerry is a great resource, and any other CCNA resource (videos, books, etc.) is also great for networking knowledge.

Congratulations! You now know a lot more about networking. Next in the Beginner Path, we will learn about the most powerful tool for hackers out there - Nmap.
