1. Communication Protocols

2.  A network is just a bunch of devices communication.  There are all sorts of protocols out there today being used: 3GPP/GSM/SS7, TCP/IP, Ethernet, W/LAN, Bluetooth, ATM, HDMI, USB, etc.  All protocols have been designed to serve different purposes, their purpose usually demands their structure and services they provide.  Of course the most important of all is the Internet Protocol (IP).

3.  Securing Transfer of Information is a problem of centuries. In the middle ages pigeons with notes were captured in order to intercept communication.  Our computer systems are valuable because they can communicate. Can you find a computer with out internet ?  Communications are an essential part of the security trust-base.

6.  Eavesdropping - information leaves a device it can be intercepted.  Man in the middle– communication is routed through a 3 rd party.  Man on the side– eavesdropping information is used to for impersonation.  Denial of Service (DoS).  Distributed Denial of Service (DDoS).  In other words, a hackers goals by priority is:  Divert traffic for man in the middle.  Eavesdrop on traffic.

7.  Firewalls - used to protect against unwanted packets, limiting in advance to a set of rules of acceptable traffic only.  VLAN – separate the network into different Virtual LAN, every virtual LAN is a different trust base segment. Needs to be carefully designed.  End-to-End encryption, who cares what happens in between its all encrypted and most importantly authenticated/signed, eg. SSH, SSL.  Intrusion Detection/Prevention Systems (IDS/IPS) – passively monitors data and looks for signs of “bad” behavior, and can then deny traffic.

8.  Destination (Media Acess Control ) MAC Address denotes the target device in the local network.  If the MAC Address is FF:FF:FF:FF:FF:FF the message is broadcast to all devices in the local network.

12.  A is connecting to B using the 3-way hand-shake  A sends a TCP-SYN from a random source port to a specific destination port (eg. Port 80 for HTTP)  B replies with TCP-SYN+ACK from the source port 80 to the random destination port.  A replies with an ACK.  DATA is exchanges.  A or B initiate a TCP-FIN to end the connection.

13.  Wireshark – a spin-off from ethereal which started as a GUI interface for tcpdump.  Wireshark sniffs communications and records them in capture files.cap or.pcap  Has many modules supporting enormous amount of protocol types.  Straight-forward interface.  Scapy – Another useful python module.  Also available for perl, don’t tell Itamar. (http://sylv1.tuxfamily.org/projects/scaperl.html)http://sylv1.tuxfamily.org/projects/scaperl.html  But we’ll use python anyhow.

14.  [Demo sniffing a cookie with wireshark.  [Demo using scapy].

16.  Capture filter are very fast and tell wireshark which data to record.

17.  Alternatively you can also record.pcap files with tcpdump.  eg.: tcpdump –ni any –w out.pcap  Reading files is also possible with scapy:  from scapy.all import *  all_packets = rdpcap(“data01.pcap”)