class: center, middle, inverse, title-slide

# Network Fundamentals
## DAY 2
### Kendall Giles
### 21/7/2019

---
layout: true

<div class="my-footer"></div>

---
# LICENSE

Some of the material in this presentation has been adapted and remixed from course materials from the [Virginia Cyber Range](https://virginiacyberrange.org/) by Dave Raymond and Prem Uppuluri. Other images and materials are cited accordingly.

This course content is provided under an [Attribution-NonCommercial-ShareAlike 4.0 International Creative Commons License](https://creativecommons.org)

All logos used are the property of their respective trademark owners. Their use in these educational materials is not authorized by, sponsored by, or associated with the trademark owners. No endorsement of the trademark owners by the creator of or educational institution is given or should be inferred.

---
# WORKSHOP ORIENTATION

DAY 1: *Introduction to Cybersecurity*<br />
.highlight[DAY 2: *Networking*]<br />
DAY 3: *Cryptography*<br />
DAY 4: *Hacking and Your Cybersecurity Future*<br />

---
# Updates 1

* [https://www.kali.org](https://www.kali.org)
* passphrase article: [https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/](https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/)

---
# Updates 2

.pull-left[
> The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world. The data was passed to mainstream media outlets for publishing.
]
.pull-right[<img src="network_fundamentals_assets/img/fsb_hack.png" style="width: 100%" /><br />.small[https://www.forbes.com/sites/zakdoffman/2019/07/20/russian-intelligence-has-been-hacked-with-social-media-and-tor-projects-exposed/amp/]
]

---
# TODAY'S SCHEDULE

.small[
| TOPIC | TIME |
| :------ | :----------: |
| [Networks and Network Components](#7) | 9:30-9:45 |
| [LAB: Ping and Traceroute](#16) | 9:45-10:15 |
| [BREAK](#18) | 10:15-10:30 |
| [History of the Internet](#19) | 10:30-11:15 |
| [LAB: Welcome to Wireshark](#27) | 11:15-11:45 |
| [BREAK](#35) | 11:45-12:00 |
| [Network Addressing and Port Numbers](#36) | 12:00-12:15 |
| [LAB: IP Address and MAC Address](#50) | 12:15-12:30 |
| [LUNCH BREAK](#49) | 12:30-14:15 |
| [DNS](#52) | 14:15-14:45 |
| [LAB: DNS](#55) | 14:45-15:00 |
| [The Need for Protocols](#58) | 15:00-15:30 |
| [BREAK](#57) | 15:30-15:45 |
| [LAB: Wireshark 2](#65) | 15:45-16:15 |
| [Protocol Layers](#77) | 16:15-16:45 |
| [LAB: Wireshark 3](#97) | 16:45-17:00 |
]

---
# Learning Objectives

+ Describe a network
+ Describe a wired/cabled network
+ Describe a wireless network
+ Compare cabled/wired and wireless networks
+ Compare networking conceptual models
+ Become familiar with network security devices
+ Understand layered network models, including the Open Systems Interconnection (OSI) and TCP/IP models
+ Identify networking protocols
+ Use basic network commands on Kali Linux
+ Apply software tools such as Wireshark to examine network traffic
+ Describe the client-server networking model
+ Describe how a client speaks to a web server, and how the Domain Name System (DNS) helps
+ Compare File Transfer Protocol (FTP) and Secure Shell (SSH) and select which one is secure

---
# Note

+ Several types of computing devices connect to the Internet, including:
  + Traditional PCs or Macs
  + Servers
  + Tablets and smart phones
  + Networking devices such as switches, routers, and firewalls
  + IoT: Internet webcams, Amazon's Alexa, televisions, cars, watches, coffee makers, washing machines...
+ In this lesson we will collectively refer to all these computing devices as computers or nodes.

???
No one even makes a hub anymore...

---
class: center, middle
# Networks and Network Components
.center[<img src="network_fundamentals_assets/img/network_topologies.png" style="width: 100%" />]

---
# The Need for Networks and Network Components

## Issue
The Internet is short for interconnected network. How are computers interconnected?
+ Answer: We need hardware to interconnect computers.

---
# Network Defined

+ A network is a collection of computing devices that communicate digitally using wired or wireless connections
+ There are different types of networks depending on the size and scale of the group of communicating systems
  + Local Area Network (LAN) – These are small groups of systems, usually numbering in the tens to hundreds, that occupy a single office space, building, or home.
  + Wide Area Network (WAN) – Wide area networks generally cover a larger geographic area and contain many LANs that comprise hundreds to thousands of systems
  + Internet – This term refers to large numbers of smaller networks connected together to form a larger network. The term is most commonly used to refer to the global network of systems and devices over which the World Wide Web, email and other services run.
---
# Example LAN: A Home Network

.pull-left[
+ Internet access is provided to the home by an Internet Service Provider (ISP) through the cable modem
  + In this case, a local cable company
+ An Ethernet cable connects the cable modem to the Wireless Access Point (WAP)
+ Other devices in the home are connected to the WAP via wireless network connections
+ The WAP routes network traffic from each device through the cable modem to the Internet
]
.pull-right[<img src="network_fundamentals_assets/img/example_home_network.png" style="width: 100%" /><br />.small[All images courtesy of https://openclipart.org]]

---
# Network Components

.pull-left[
+ Network Interface Card (NIC) – NICs are part of computers and other connected systems and allow wired or wireless digital communications with other devices.
  + There are different NICs for wired and wireless connections
+ Switch – connects multiple network devices (computers and printers) inside a single LAN
+ Router – routes network traffic between LANs and WANs.
  + Large core routers serve as the backbone of the Internet
]
.pull-right[<img src="network_fundamentals_assets/img/network_components.png" style="width: 70%" /><br />.small[All images courtesy of https://openclipart.org]]

---
# Example Wide Area Network (1 of 2)

.center[<img src="network_fundamentals_assets/img/wide_area_network_1.png" style="width: 65%" /><br />.small[All images courtesy of https://openclipart.org]]

+ Individual home networks in a neighborhood are connected to a switch at the ISP
+ Multiple neighborhoods can be connected together via network switches and routers

---
# Example Wide Area Network (2 of 2)

.center[<img src="network_fundamentals_assets/img/wide_area_network_2.png" style="width: 55%" /><br />.small[All images courtesy of https://openclipart.org]]

+ Many Internet Service Providers can be connected into a WAN using router(s)
+ One or more routers are connected to Internet core routers, providing access to the wider Internet

---
# Wired and Wireless Networks
.center[<img src="network_fundamentals_assets/img/wired_wireless_networks.png" style="width: 100%" /><br />.small[All images courtesy of https://openclipart.org]]

---
# Wired vs. Wireless Networks

**Wired network**
+ Higher bandwidth (faster upload/download speeds)
+ Not subject to interference by other wireless devices (phones, radios, etc.)
+ Cost of installation is high due to routing of cables and (potentially) additional network devices
+ Less flexible
+ Generally costlier to maintain and troubleshoot
+ An attacker needs physical access to a cable or port to listen in

**Wireless network**
+ Cheaper and easier to install
+ Generally cheaper to maintain
+ Extremely flexible! Devices can leave and join the network throughout the day
+ Lower bandwidth (slower network speed)
+ Subject to interference by other wireless devices, as well as microwaves and other appliances
+ Anyone in radio range can receive the frames, so the traffic must be encrypted (WPA2/WPA3) to stay private

---
class: center, middle
# LAB: Ping and Traceroute

---
# LAB: Ping and Traceroute

+ On your laptop, open a terminal window (If Windows: try Start-->Run-->cmd)
+ *ping www.nasa.gov* --> sends an ICMP echo request ('ping') to the specified host, which answers with an echo reply
  + *ping www.yahoo.com*
  + *ping www.vt.edu*
  + Note: many hosts and firewalls drop ICMP, so no reply does not always mean the host is down
+ Traceroute: find the route a packet takes from the source machine to a destination
  + *traceroute www.yahoo.com* (Linux)
  + *tracert www.yahoo.com* (Windows)
  + Each line is one router (hop) on the path; rows of `* * *` are hops that do not answer
+ What is the packet route from your computer to www.yahoo.com?
+ Try *ping* and *traceroute* on your own.

---
class: center, middle
# BREAK

---
class: center, middle
# History of the Internet
.center[<img src="network_fundamentals_assets/img/network_topologies.png" style="width: 100%" />]

---
# NOTE

* Please click the Power-On button for the ***2*** Exercise Environment on the Range

---
# The Internet

.center[
<iframe width="560" height="315" src="https://www.youtube.com/embed/9hIQjrMHTv4" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe><br />
.small[https://www.youtube.com/watch?v=9hIQjrMHTv4]
]

???
+ The Internet started in the 1960s when four sites in California and Utah (UCLA, SRI, UC Santa Barbara and the University of Utah) were connected as part of a project sponsored by the Defense Advanced Research Projects Agency (DARPA, then called ARPA).
+ This network quickly expanded to include the entire US, as well as countries around the world.
+ The network was mostly used for electronic communications (email and bulletin board systems) between university students and faculty, research center scientists, and government agencies including the Department of Defense.
+ In the 1990s, the web server and web browser were invented, starting what would become the World Wide Web (WWW).
+ Increased access to high-speed networking has caused the Internet to grow from the dozens of devices originally connected to billions of computers, phones, cars, industrial control systems, and Internet-of-Things devices.

---
# Internet (Arpanet) in 1969
.center[<img src="network_fundamentals_assets/img/arpanet_1969.png" style="width: 65%" /><br />.small[Image courtesy of http://bpastudio.csudh.edu]]

---
# Internet (Arpanet) in 1982
.center[<img src="network_fundamentals_assets/img/arpanet_1982.png" style="width: 90%" /><br />.small[Image courtesy of http://bpastudio.csudh.edu]]

---
# Internet in 2005 (A Partial Map)
.center[<img src="network_fundamentals_assets/img/Internet_2005.jpg" style="width: 50%" /><br />.small[By The Opte Project, CC BY 2.5]]

???
Partial map of the Internet based on the January 15, 2005 data found on opte.org. Each line is drawn between two nodes, representing two IP addresses. The length of the lines is indicative of the delay between those two nodes. This graph represents less than 30% of the Class C networks reachable by the data collection program in early 2005.
Lines are color-coded according to the top-level domain of the node, as follows:
Dark blue: net, ca, us
Green: com, org
Red: mil, gov, edu
Yellow: jp, cn, tw, au, de
Magenta: uk, it, pl, fr
Gold: br, kr, nl
White: unknown

---
# Undersea Cables
.center[<img src="network_fundamentals_assets/img/undersea_cables.png" style="width: 90%" /><br />.small[https://www.submarinecablemap.com]]

???
.center[<img src="network_fundamentals_assets/img/global_flow.jpg" style="width: 70%" /><br />.small[https://atlasofplaces.com/academia/global-flows/]]

---
# Network Security Devices

+ Firewall – Network device that allows or blocks network traffic based on IP addresses, ports, and protocols
  + Network-based firewall – filters traffic entering (and leaving) the network at its perimeter
  + Host-based firewall – filters traffic on the endpoint computer itself
  + Most organizations use both – defense in depth!
+ Intrusion detection system (IDS) – Network device that monitors network traffic and alerts security analysts of possible intrusion attempts
  + Signature (rule)-based IDS – detects previously discovered threats for which rules have been created; a threat with no rule yet goes unnoticed
  + Anomaly-based IDS – detects 'new threats' as deviations from a baseline of normal network behavior; prone to false alarms when the baseline shifts
  + Can be network-based or host-based

---
.center[<img src="network_fundamentals_assets/img/firewall_ids.png" style="width: 100%" /><br />.small[All images courtesy of https://openclipart.org]]

---
class: center, middle
# LAB: Welcome to Wireshark

---
# LAB: Wireshark

.center[<img src="network_fundamentals_assets/img/image19.png" style="width: 40%" />]

+ *For after this workshop*, where to get it:
  + https://www.wireshark.org/download.html
  + Don't just Google and download – you'll end up with adware and other stuff you don't need/want

---
# What is Wireshark?

.pull-left[
* Wireshark is a free, open-source network packet analyzer.
* Originally named Ethereal.
* Combines a packet capture engine (libpcap on Linux and macOS, Npcap on Windows) with a GUI.
* Normally your computer only sees packets addressed to it (plus broadcasts) — Wireshark can put your network interface into "promiscuous mode" so that it accepts every frame that reaches it
  * Caveat: a switch only forwards frames for your own MAC address (and broadcasts) to your port, so to see other hosts' traffic you need a mirror/SPAN port, a network tap, or a Wi-Fi card in monitor mode
* Free and open source! Distributed under GNU GPLv2
* Extensible – write your own plug-ins and protocol dissectors
* Use with caution! Only capture on networks you are authorized to monitor
]
.pull-right[<img src="network_fundamentals_assets/img/wireshark.png" style="width: 100%" />]

---
# LAB: Wireshark (1)

+ Allows us to capture network traffic and analyze it.
+ The problem it solves: network traffic can be overwhelming--imagine finding something small and specific in a haystack.
+ Wireshark provides us with tools to search for a needle in this haystack.
+ How? Two ways:
  + **Capture filters**: rules that restrict the traffic Wireshark captures in the first place (written in the same BPF syntax tcpdump uses)
    + Think of this as restricting the size of the haystack
  + **Display filters**: rules that we use to search within the data already captured (Wireshark's own field-based syntax, which is different from capture-filter syntax)
    + Think of this as searching for the needle
  + Display filters are what make Wireshark so useful--lots of options!

---
# LAB: Wireshark (2)
Starting the tool

+ For this exercise we will use Wireshark with existing, previously captured packet traces.
+ Browse to the directory WiresharkTraces on your VM:
  + ```cd WiresharkTraces```
+ Traces end with the extension .cap or .pcap or .pcap-gz (Wireshark's own default save format is .pcapng)
+ Enter: ```wireshark http.cap``` --> the Wireshark GUI will open.
---
# LAB: Wireshark (3)
Getting familiar with the GUI (Example)
.center[<img src="network_fundamentals_assets/img/wireshark_gui.png" style="width: 100%" />]

---
# LAB: Wireshark (4)
Protocol Arrow
.center[<img src="network_fundamentals_assets/img/wireshark_gui_arrow.png" style="width: 100%" />]

---
# LAB: Wireshark (5)
.center[<img src="network_fundamentals_assets/img/wireshark_gui_protocol_expansion.png" style="width: 100%" />]

---
class: center, middle
# BREAK

---
class: center, middle
# Network Addressing and Port Numbers
.center[<img src="network_fundamentals_assets/img/network_topologies.png" style="width: 100%" />]

---
# The Need for Network Addressing and Port Numbers

## Issue
Want to stream a movie on your computer? How does the video from the remote streaming video server reach only your computer and not, say, your neighbor's?
+ Answer: Every computer on the Internet must have a unique address

## Issue
We love to multi-task: we tend to browse the Internet, stream videos, chat with friends, check the weather on an app – **all at the same time** (please don't add driving to this)! How does the video streaming service send the video to the streaming software on your computer and not to the chat software? How does the website data you are browsing get to the browser instead of the weather app?
+ Answer: Network addressing must also uniquely identify individual applications on a host. This is done through *port* numbers.

---
# Network Addressing (1)
(Internet address/port numbers)
.center[<img src="network_fundamentals_assets/img/internet_address_port_number.png" style="width: 100%" />]

---
# Network Addressing (2)
Postal Mail and Internet Address Analogy
.center[<img src="network_fundamentals_assets/img/postal_mail_analogy.png" style="width: 100%" />]

---
# Network Addressing (3)
(Self-Test)

Take this test on your own. Answers are on the next slide.
+ Which of the following represents the format of an (IPv4) Internet address?<br />
  a) A.B.C.D<br />
  b) A.B.C.D.E<br />
  c) A.B.C.D.E.F<br />
  d) A.B.C
+ Which of the following is a valid (IPv4) Internet address?<br />
  a) 192.168.1.256<br />
  b) 300.300.330.1<br />
  c) 192.256.0.0<br />
  d) All of the above<br />
  e) None of the above<br />

---
# Network Addressing (4)
(Self-Test Answers)

+ Which of the following represents the format of an (IPv4) Internet address?<br />
  a) **A.B.C.D**<br />
  b) A.B.C.D.E<br />
  c) A.B.C.D.E.F<br />
  d) A.B.C
+ Which of the following is a valid (IPv4) Internet address?<br />
  a) 192.168.1.256<br />
  b) 300.300.330.1<br />
  c) 192.256.0.0<br />
  d) All of the above<br />
  e) **None of the above**

> (IPv4) IP addresses are of the form A.B.C.D. Each of the letters is an 8-bit number (an octet), so each can only be a number between 0 and 255. Each of these addresses has at least one octet that exceeds 255, which is impossible. Hence, they are all invalid.

???
# Network Addressing (5)
(Hands-on)

+ Find the Internet address of your computer:
  * Linux: in a terminal, type: .remark-code[ifconfig] (or .remark-code[ip addr] on newer distributions)
  * Windows: open a command prompt ([http://www.digitalcitizen.life/7-ways-launch-command-prompt-windows-7-windows-8](http://www.digitalcitizen.life/7-ways-launch-command-prompt-windows-7-windows-8)) and type ipconfig
  * Using a browser in your VM, access the site: [https://support.google.com/websearch/answer/1696588](https://support.google.com/websearch/answer/1696588) (this shows the public address the NAT device presents to the Internet, which is usually not the address ifconfig shows)

---
# Network Addressing (5)

+ Computers are also assigned human-readable hostnames.
  + Example:
    + Hostname: [www.vt.edu](www.vt.edu) (Internet address: 198.82.215.14)
    + Hostname: [www.google.com](www.google.com) (multiple Internet addresses: 216.58.203.196, ..., 74.125.192.105)
+ URLs: Uniform Resource Locators
  + Include the hostname and the software protocol used to access a specific application on the host.
  + E.g., **[http://www.vt.edu](http://www.vt.edu)**
  + We will soon study the protocol called HTTP
+ A hostname (or one IP address behind a load balancer) can be served by one or more hosts, and one host can serve many hostnames.
  + Example: maps.google.com is many hosts. kendallgiles.com shares one host with other websites.

---
# Network Addressing (6)

+ Every computer is not an island! Think about a computer lab.
  + It has a bunch of computers connected together
  + Computers in the lab share some common resources such as a printer
  + Such a network is called a Local Area Network (LAN)
+ When network data reaches a LAN, we need an addressing scheme to dispatch the data to the correct computer in the LAN. This requires that Internet addresses be mapped to physical network cards on computers.
+ So every network card on a computer has a physical address.
  + A hardware-level address that uniquely identifies a network card on a computer.
  + Also called a **M**edia **A**ccess **C**ontrol (MAC) address.
  + Example: Consider a laptop with two network cards: one for wired network connectivity and the other for WiFi. It will have 2 MAC addresses.

---
# Network Addressing (7)

+ A MAC address is a 48-bit number
+ Every network card in the world should have a unique MAC address (at least in theory).
+ They are often called permanent addresses – but in practice a MAC address can be changed in software (spoofed), so it must not be trusted as proof of a device's identity.
+ Format: hexadecimal (base 16), six bytes separated by colons
  + Example: FF:FF:FF:FF:FF:FF (this particular value is the broadcast address, delivered to every host on the LAN)
+ How can we ensure that every network card has a unique MAC address?
  + Answer: vendors of network cards (Intel, Realtek, Broadcom etc.) ensure the uniqueness.
  + How? The first 3 bytes (24 bits) of a MAC address identify the vendor.
  + Called the Organizationally Unique Identifier (OUI)
  + OUI lookup table: [http://standards-oui.ieee.org/oui.txt](http://standards-oui.ieee.org/oui.txt)

---
# Network Address Translation (NAT)

+ There are a limited number of IPv4 addresses (2^32, about 4.3 billion)
+ Some IP addresses are "publicly routable"--they are "visible" on the Internet
+ Other IP addresses are "private" (RFC 1918) and are meant to be used only on internal networks
  + 192.168.0.0 - 192.168.255.255 --> 65,536 IP addresses
  + 172.16.0.0 - 172.31.255.255 --> 1,048,576 IP addresses
  + 10.0.0.0 - 10.255.255.255 --> 16,777,216 IP addresses
+ Basic NAT
  + Translates one IP address into another
+ Port Address Translation (PAT, also called NAT overload or masquerading):
  + Allows multiple hosts to share a single public IP address by rewriting the source port as well as the address
  + Static and dynamic
+ Benefits
  + Allows for sharing IP addresses
  + Hides the internal addresses of systems behind the NAT device (like your home wireless access point); an unsolicited inbound connection matches no translation entry, so it is dropped
  + Caveat: NAT is not a firewall. Anything an internal host connects out to can talk back, so a host-based or network firewall is still needed.

---
# Example: NAT on a Home Network

+ Network Address Translation happens on the Wireless Access Point
+ Converts "internal" network addresses (e.g.: 192.168.0.1) to the routable IP address assigned by your ISP

.center[<img src="network_fundamentals_assets/img/example_nat.png" style="width: 55%" />]

---
# Network Addressing (8)
Summary

+ We looked at different addresses:
  + URLs: define the location of a resource (hostname) on the network *and* how to access the resource (protocol)
  + Hostname
    + human readable
    + maps to one or more Internet addresses
  + Internet address
    + Unique to a computer on the Internet (or, behind NAT, to a computer on its LAN)
    + 4 bytes long (IPv4)
    + format: A.B.C.D (each letter is a number between 0 – 255)
    + maps to one MAC or physical address on the local network
  + MAC/Physical address
    + 48 bits, Format: AB:CD:EF:GH:IJ:KL. Each letter is a hexadecimal digit 0 – F
    + Unique to each network card

???
How does what we have said about networking affect privacy?
1. Can someone track you down to a location, like they can in the movies?
2. Can someone track your phone call to a particular device, like they can in the movies?
3. Can someone prove that you surfed to a particular website or sent a particular email, like they can in the movies?

---
class: center, middle
# Lab: IP Address and MAC Address

???
# Unix/Linux Networking
.center[<img src="network_fundamentals_assets/img/linux_unix_networking.png" style="width: 100%" />]

# Windows Networking
.center[<img src="network_fundamentals_assets/img/windows_networking.png" style="width: 100%" />]

---
# LAB: IP Address and MAC Address

+ In your Kali VM, open a terminal window
+ .remark-code[ifconfig]
  + shows system network configuration settings, including each interface's IP address (inet) and MAC address (ether)
+ Also try .remark-code[ifconfig | grep inet]

---
# LAB: Geolocation

+ Usually Internet addresses are assigned to a computer through an ISP (Internet service provider, such as Time Warner®, Comcast®, CenturyLink, Cox, Verizon, etc.)
+ The ISP in a specific geographic location has a set of Internet addresses to assign...
+ Hence, you may be able to trace them to a geographic location (often only to the city or region; a VPN or mobile carrier can place you far from where the database thinks you are)
+ Determine the IP address of www.vt.edu
+ E.g., use this web site to find out where you are currently located: [https://www.maxmind.com/en/geoip-demo](https://www.maxmind.com/en/geoip-demo)

---
class: center, middle
# LUNCH BREAK

---
class: center, middle
# DNS
.center[<img src="network_fundamentals_assets/img/network_topologies.png" style="width: 100%" />]

---
# The Need for DNS

## Issue
When it comes to addresses, we humans remember names, not numbers. Computers need numbers. So what should we choose?
+ Answer: Both! *Hostnames* associated with computers are human readable, while *Internet addresses* are numbers. So networks have to have a way of mapping hostnames to Internet addresses.

---
# Domain Name System (DNS)

+ **Distributed database** that provides the mapping from domain name to IP address
+ Hierarchical organization
  + Top Level Domains: .com, .edu, .org, .net, etc.
+ Uses UDP port 53 (TCP port 53 for answers too large for one datagram and for zone transfers)
+ Plain DNS replies are not authenticated, so a forged reply can send a client to the wrong address; that is the problem DNSSEC and DNS over TLS/HTTPS address

.center[<img src="network_fundamentals_assets/img/image6_edit.jpg" style="width: 65%" /><br />.small[Image: https://cloudacademy.com/blog/how-dns-works/]]

---
class: center, middle
# LAB: DNS

---
# LAB: DNS

+ In your Kali VM, open a terminal window
+ .remark-code[nslookup vt.edu]
  + looks up the corresponding IP address for the specified domain in the Domain Name System (DNS)
  + NOTE: an older tool; its output is terser than dig's
+ Alternate: try .remark-code[dig www.google.com]
+ Also try: .remark-code[dig -x 198.82.215.14] (a reverse lookup: the octets are reversed into the name 14.215.82.198.in-addr.arpa and its PTR record is fetched)

---
class: center, middle
# BREAK

---
class: center, middle
# The Need for Protocols
.center[<img src="network_fundamentals_assets/img/network_topologies.png" style="width: 100%" />]

---
# The Need for Protocols

## Issue
There are different types of computers (Macs, PCs, smart phones etc.); how do they all talk to each other when they are interconnected?
+ Answer: The rules the networking software follows have to be standardized. Such sets of rules are called protocols.

## Issue
There are different types of network data out there: emails vs. websites vs. videos. How does the networking software handle so many types of data?
+ Answer: There are several protocols – including one for each type of application.

???
# Why Computer Networks?

Issue
I want to watch a movie online. How does my computer's browser connect and receive data from a video streaming service? How do we find the best route from my computer to the video streaming service?
+ Answer: We need algorithms to *route* data effectively through all that hardware.

We have seen some issues. There are several others (e.g., what if a route between source and destination becomes congested? What if a computer in a route fails? How can computers share common hardware without conflict? ...) For now, let us focus on these issues.
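
---
# Added Example: Address Rules in Code

The rules stated on the Network Addressing, NAT and DNS slides (an IPv4 address is four octets of 0-255, the RFC 1918 ranges are private, the first three bytes of a MAC are the vendor's OUI, and dig -x queries a reversed name under in-addr.arpa) as small Python checks. This is an added example rather than material from the original workshop; the addresses below are constructed, and OUI_TABLE is a two-entry stand-in for the IEEE oui.txt file linked above. Beyond the slides it also reads the IEEE "locally administered" bit of a MAC address, the cheapest hint that an address was set in software (a VM, a container, a randomized Wi-Fi MAC or a spoofed card) rather than assigned by the vendor.

```python
"""Added example (not from the original slides): IPv4, RFC 1918, MAC/OUI and
reverse-DNS name rules as code. Sample addresses are constructed; OUI_TABLE is
a tiny stand-in for the IEEE oui.txt registry linked on the slides."""


def parse_ipv4(text):
    """Return the four octets of an A.B.C.D address, or None if it is not valid IPv4."""
    parts = text.split(".")
    if len(parts) != 4:                      # must be exactly four fields
        return None
    octets = []
    for part in parts:
        if not part.isdigit():               # only decimal digits allowed
            return None
        value = int(part)
        if value > 255:                      # an octet is 8 bits: 0..255
            return None
        octets.append(value)
    return tuple(octets)


def is_private(text):
    """True for RFC 1918 addresses (10/8, 172.16/12, 192.168/16), the ranges used behind NAT."""
    octets = parse_ipv4(text)
    if octets is None:
        raise ValueError("not an IPv4 address: %r" % text)
    a, b = octets[0], octets[1]
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def ptr_name(text):
    """Name that a reverse lookup (dig -x) queries: octets reversed under in-addr.arpa."""
    octets = parse_ipv4(text)
    if octets is None:
        raise ValueError("not an IPv4 address: %r" % text)
    return ".".join(str(o) for o in reversed(octets)) + ".in-addr.arpa"


# Constructed subset of the IEEE registry (the real file has tens of thousands of rows).
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:0C:29": "VMware, Inc.",
}


def parse_mac(text):
    """Return the six bytes of a MAC written as AA:BB:CC:DD:EE:FF or AA-BB-CC-DD-EE-FF."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        return None
    try:
        return bytes(int(p, 16) for p in parts)
    except ValueError:
        return None


def mac_oui(text):
    """Return (OUI, vendor-or-None): the first 3 bytes identify the card's vendor."""
    mac = parse_mac(text)
    if mac is None:
        raise ValueError("not a MAC address: %r" % text)
    oui = ":".join("%02X" % b for b in mac[:3])
    return oui, OUI_TABLE.get(oui)


def is_locally_administered(text):
    """Bit 1 of the first byte is the IEEE U/L bit: set when the address was chosen in
    software (VM, container, randomized Wi-Fi MAC, spoofed NIC) rather than burned in."""
    mac = parse_mac(text)
    if mac is None:
        raise ValueError("not a MAC address: %r" % text)
    return bool(mac[0] & 0x02)


def is_broadcast(text):
    """FF:FF:FF:FF:FF:FF is the Ethernet broadcast address, delivered to every host on the LAN."""
    return parse_mac(text) == b"\xff" * 6


if __name__ == "__main__":
    # The self-test addresses from the slides plus one valid public and one private address.
    for ip in ("192.168.1.256", "300.300.330.1", "192.256.0.0", "198.82.215.14", "10.0.0.7"):
        octets = parse_ipv4(ip)
        print(ip, "invalid" if octets is None else
              "valid, %s" % ("private" if is_private(ip) else "public"))
    print(ptr_name("198.82.215.14"))
    for mac in ("00:50:56:12:34:56", "02:42:ac:11:00:02", "FF:FF:FF:FF:FF:FF"):
        print(mac, mac_oui(mac),
              "locally administered" if is_locally_administered(mac) else "vendor assigned")
```

The octet check is the whole reason the three self-test addresses are invalid, and is_private is what a NAT device or a firewall "deny private source from the Internet" rule is really testing. The U/L bit is worth knowing when reading an ifconfig or Wireshark listing: a vendor OUI that is not in the registry plus a set U/L bit usually means a virtual or deliberately changed address, not a new vendor.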
---
# Layered Models

.pull-left[
+ Layered models provide a **standard framework** for interconnecting network protocols to allow for end-to-end network communication
+ Allow for protocol independence and modularity
  + Protocols can be substituted at each layer
+ Open Systems Interconnection (OSI) Model
  + Used primarily for *teaching*
+ TCP/IP Model
  + Actually *used*
]
.pull-right[<img src="network_fundamentals_assets/img/image3.png" style="width: 60%" />]

---
# Data Encapsulation

+ At each layer in the protocol hierarchy, the data handed down from the layer above is wrapped with header (and sometimes trailer) data on the way down.
+ At the far end, the data is decapsulated on the way back up the protocol stack.

.center[<img src="network_fundamentals_assets/img/image4.gif" style="width: 55%" /><br />.small[Encapsulation image courtesy of http://davidwills.us/cmit265/osi.html]]

---
# Network Protocols

+ Network protocols define rules of communication between network devices
+ Some apply to directly connected devices (e.g. Ethernet, WiFi); some apply to end-to-end communications (e.g. IP, HTTP)
+ Protocols also define specific formats for messages exchanged between systems
+ Some protocols support message acknowledgement, data compression, and other mechanisms for efficient and reliable communication

.center[<img src="network_fundamentals_assets/img/example_protocol.png" style="width: 60%" /><br />.small[The "Get the Instructor's Attention" Protocol]]

???
<blockquote>Consider the "protocol" for voice telephone communications. When you pick up a phone to answer it, you say "hello". Try ***not*** doing that – what do you think will happen? An awkward pause while the caller asks if you are on the line?</blockquote>

---
# The Many Jobs of Protocols

* Sending data across a network is a complex task ➔ Protocols need to deal with many issues

*Example: when sending an email from computer A to computer B across the Internet, protocols need to deal with:*
* What should be the format of such data?
  (e.g., email has a subject, to and from fields)
* What is the best route across the network to send an email from A to B?
* What if the destination B does not accept the email?
* What if the best route between A and B ends up getting congested?
* What if the transmission has errors (e.g., the email gets corrupted)?
* What if part of the route is wireless (data must be sent via radio signals) and part is wired (data must be sent as electrical signals)?
* And that's only the beginning of the issues. Overwhelmed?
* Solution: each protocol handles a specific task and protocols work with each other

---
.center[<img src="network_fundamentals_assets/img/protocol_complexity.png" style="width: 100%" />]

---
class: center, middle
# LAB: Wireshark 2

---
# LAB: Wireshark Display Filters

.center[<img src="network_fundamentals_assets/img/image20_crop.png" style="width: 100%" />]

+ Enter filters in the textbox
+ Use the Expression button to get help creating filters
+ The filter box is green for a valid filter, red otherwise
+ Click Apply to apply the filter
+ Click Clear to clear the filter

---
# LAB: More Display Filters . . .

+ **Boolean Expressions in Filters:**
  + The symbol for logical **AND** in display filters is **&&** (you can use **and** and **&&** interchangeably)
  + The symbol for logical **OR** is **||** (you can use **or** and **||** interchangeably)
  + Use parentheses to form more specific Boolean expressions
  + Wireshark generally doesn't care about case in field names and operators, but a quoted string value is matched exactly, case included.
  + Some Examples:

.center[<img src="network_fundamentals_assets/img/more_example_display_filters.png" style="width: 50%" />]

---
# LAB: More Example Filters
.center[<img src="network_fundamentals_assets/img/example_display_filters.png" style="width: 100%" />]

---
# LAB: Wireshark: Getting familiar with the GUI (Example)

+ GUI Frame 3: Frame 3 (the bytes pane) displays the same packet as Frame 2 (the details pane), but in raw form (you can see the raw data in hexadecimal notation)

.center[<img src="network_fundamentals_assets/img/nc_image9.png" style="width: 60%" />]

---
# LAB: Wireshark: Display filters

+ Enter the display filter here. Next: we will look at display filters through some examples.

.center[<img src="network_fundamentals_assets/img/nc_image12.png" style="width: 100%" />]

---
# LAB: Wireshark: Display filter examples

+ Display filters allow us to search for specific information in captured network data. Examples:
  + Usernames or passwords
  + Websites being visited
  + Specific text in the data being sent (e.g., to determine if any sensitive information was being sent)
  + Any query involving a packet header
+ Wireshark provides several example display filters: https://wiki.wireshark.org/DisplayFilters

---
# LAB: Wireshark: Display filter challenge 1

+ Challenge 1: In the http.cap file, find all packets that are being sent to and from port 80 on a remote machine. Note: port 80 is the standard HTTP port, so traffic on it usually indicates a web server (but any service can be run on any port, so the port is a hint, not proof).
+ Display filter: tcp.port == 80

.center[<img src="network_fundamentals_assets/img/nc_image13.png" style="width: 100%" />]

---
# LAB: Wireshark: Display filter challenge 2

+ Challenge 2: Is the web server an Apache server?
+ Display filter: http contains "Apache" (matches the Server: header in the responses; an administrator can change or remove that header, so treat it as a clue)

.center[<img src="network_fundamentals_assets/img/nc_image14.png" style="width: 80%" />]

---
# LAB: Wireshark: Display filter challenge 3

+ Challenge 3: Find a username and password in the trace telnet-cooked.cap. Note: this trace is on the Linux box provided with this module on the Range.
  Look for the trace in the directory: ~/WiresharkTraces
+ Solution: Select the first telnet packet, then "Wireshark Menu: Analyze --> Follow --> TCP Stream"

.center[<img src="network_fundamentals_assets/img/nc_image15.png" style="width: 80%" />]

???
packet 38 has the "user" password in plaintext

---
# LAB: Wireshark: Follow stream

+ The Follow TCP Stream option reassembles the bytes exchanged between source and destination, in order, so you read the session the way the two hosts did. You can see the username and password the user entered here, because telnet sends them unencrypted; the same view of an SSH session shows only ciphertext.

.center[<img src="network_fundamentals_assets/img/nc_image16.png" style="width: 80%" />]

---
# LAB: Wireshark: Display filter reference guide

+ Covering all display filters is impossible – a course by itself!
+ Wireshark supports display filters on over 216,000 fields in over 2,000 protocols.
+ So instead of trying to memorize different display filters, the best course of action is to learn to look up the Wireshark Display Filter Reference: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)

---
class: center, middle
# Protocol Layers
.center[<img src="network_fundamentals_assets/img/network_topologies.png" style="width: 100%" />]

---
# Physical Layer

+ Transmission of bits: waveform, voltage, timing, etc.
+ Media: UTP/STP, Fiber, Coaxial Cable, etc.
+ Selection considerations: *Which is most secure? Which is least secure? Which meets bandwidth requirements? Which is most practical to install?*
+ First step in network troubleshooting: *Is the cable good and is it plugged in to the right place?*

.center[<img src="network_fundamentals_assets/img/network_cable_types.png" style="width: 40%" /><br />.small[Image: http://cable.freebrem.site/difference-between-twisted-pair-coaxial-cable-fiber-optics/]]

---
# Data Link Layer

+ Data Link Layer:
  + Delivers data in a local network [or point to point]
  + Protocol Data Unit: Frame
+ IEEE 802.3 (Ethernet)
  + 48-bit MAC address (24-bit manufacturer ID, 24-bit device ID)
+ IEEE 802.11 (WiFi / 'Wireless Ethernet')
+ Data link layer devices
  + Switch, Bridge

---
# Network Layer

+ Delivers data between hosts, possibly on different networks
+ Protocol Data Unit
  + Packet
+ Internet Protocol (IPv4)
  + 32-bit addresses, usually written as four octets in 'dotted-decimal' format, e.g. *172.16.1.250*
  + Network and host addresses

---
# Internet Protocol (IP) Address Format
.center[<img src="network_fundamentals_assets/img/ipv4_address.png" style="width: 80%" />]

---
# Network Layer IPv4 Header
.center[<img src="network_fundamentals_assets/img/ipv4_header.png" style="width: 80%" />]

---
# Transport Layer

+ Delivers data from a **process** on one host to a **process** on another host
  + For example, from a **web browser** on your laptop to a **web server** at NASA (www.nasa.gov)
+ Port Numbers
  + Used to get the data to the correct **process** on a host
  + Well-known (0–1023), registered (1024–49151) and dynamic/ephemeral (49152–65535)

---
# Transport Layer Protocols: TCP and UDP

+ Transmission Control Protocol (TCP)
  + Connection-oriented with reliable delivery, flow control and congestion control
  + Sequence numbers and acknowledgement numbers
  + TCP flags: SYN, ACK, RST, FIN, PSH, URG
  + Most Internet traffic uses TCP
+ User Datagram Protocol (UDP)
  + Connectionless
  + Less overhead than TCP, more efficient for small transfers
  + Facilitates multicasting, streaming and tunneling
  + Unreliable – delivery (and order of delivery) are not
guaranteed, no flow or congestion control --- # TCP Header .center[<img src="network_fundamentals_assets/img/tcp_header.png" style="width: 80%" />] --- # TCP Connection Setup .center[<img src="network_fundamentals_assets/img/image8_edit.png" style="width: 70%" />] --- # TCP Connection .center[<img src="network_fundamentals_assets/img/image9.png" style="width: 45%" />] --- # Application Layer Protocols + Domain Name System(DNS) + Resolves domain names to IP addresses + Essential to making the other application protocols work + Hyper Text Transfer Protocol (HTTP) and HTTPS + Used for web browser/server interaction + Email protocols + Simple Mail Transfer Protocol (SMTP) + Post Office Protocol (POP3) and IMAP4 + Secure Shell (SSH) for remote access to other computers + File Transfer Protocol (FTP) to share files between computers --- # Client-Server Model + Servers offer Services + Web sites using Hyper Text Transfer Protocol (HTTP) + Secure Shell using SSH + Email using Simple Message Transfer Protocol (SMTP) + Clients connect to Services + Web browsers connect to web servers to display web pages + Email clients connect to email servers to grab your mail .center[<img src="network_fundamentals_assets/img/client_server_model.png" style="width: 80%" />] --- # Clients and Servers + **Servers** constantly listen for **client** requests + **Clients** request **services** over the Internet from **servers** .center[<img src="network_fundamentals_assets/img/image5.png" style="width: 70%" /><br />.small[Image courtesy of Wikipedia.org]] --- # World-Wide Web Spotlight .center[ <iframe src="https://player.vimeo.com/video/13449907" width="640" height="360" frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe><br /> .small[https://player.vimeo.com/video/13449907] ] --- # The World-Wide Web + Relies (primarily) on three protocols + HTTP – protocol used by your browser to request pages and used by server to respond + HTTPS – a more secure version of HTTP + HTML – 
Hypertext Markup Language – used to construct web pages + Web pages are simply a file (or lots of files) on a web server + Client (browser) requests file using HTTP/HTTPS + Server finds file on hard drive and returns it using HTTP/HTTPS + Client interprets HTML file and displays it .center[<img src="network_fundamentals_assets/img/the_www.png" style="width: 65%" /><br />.small[All images courtesy of https://openclipart.org ]] --- # Early WWW Model .center[<img src="network_fundamentals_assets/img/early_www_model.png" style="width: 100%" />] --- # "Modern" WWW Model .center[<img src="network_fundamentals_assets/img/modern_www_model.png" style="width: 100%" />] --- # HTTP Protocol .center[<img src="network_fundamentals_assets/img/http.png" style="width: 100%" /><br />.small[https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol]] --- # Layers and Devices Summary + Physical and Data Link – + Computer network interface card, Switch, Hub (MAC Address) + Network – + Router (IP Address) + Transport – + Firewall/Proxy (Ports / Protocols) + Application – + Gateway devices: Application-layer Firewalls, Intrusion detection/prevention systems --- class: center, middle # LAB: Wireshark 3 --- # LAB: Hands-on with Wireshark (HTTP) * In this lab we will try to capture our own packets instead of examining a previously-captured pcap * Start wireshark with: *sudo wireshark* * Note the active interface *eth0* * Note the Capture Filter .center[<img src="network_fundamentals_assets/img/wireshark_capture.png" style="width: 60%" />] ??? use the ***1*** VM! --- # LAB: Packet Capture! .pull-left[ + Start capture + Use browser to browse to web page + **dvwa.example.com** + Stop capture + Set display filter: tcp.port == 80 + Go to top of capture + Wireshark Menu: Analyze --> Follow --> TCP Stream ] .pull-right[<img src="network_fundamentals_assets/img/wireshark_tcp_stream.png" style="width: 100%" />] ??? 
NEED THE ***2*** exercise environment # Hands-on with Wireshark (outside Virginia Cyber Range) + Start Wireshark + Set display filter: tcp.port==80 + Use browser to browse to web page + E.g. www.sekritskwerl.com + Stop capture + Go to top of capture + Right-click -->Follow-->TCP Stream ![](assets/img/image14.png) --- # LAB: File Transfer Protocol + Used to transfer files between systems + Users can upload (PUT) and download (GET) files to/from an FTP server + Was once widely used + Used less now because login and files are not encrypted in transit! + (Why is this an issue?) + Uses TCP ports 20 and 21 --- # LAB: Hands-on with Wireshark (FTP) + Goto to this lecture's URL within the Kali VM then goto this slide: download this pcap: <a href="network_fundamentals_assets/resources/ftp_attack.pcap">ftp_attack.pcap</a> + Open the pcap with Wireshark + Use this display filter to see all ftp traffic: tcp.port==20 or tcp.port==21 + Who logged on to the FTP server? + What files did they download? --- # Secure Shell (SSH) .pull-left[ + Provides secure (encrypted) tunnel to remote system + Used to access command prompt (Terminal) + Replaces old ‘Telnet’ command, which was not encrypted + Uses port 22 + Provides secure copy (SCP) for encrypted file transfer + Replaces FTP ] .pull-right[<img src="network_fundamentals_assets/img/ssh_logo.png" style="width: 100%" /><br />.small[Image: https://www.it.unlv.edu/software/directory/ssh-secure-shell ]] ??? # DAY 2 Takeaways * We use hardware components, software, and network media to connect devices together * We use IP addresses to uniquely distinguish devices to communicate with on the Internet--eg 10.11.10.1 vs 172.87.9.43 * We use Port Numbers to uniquely distinguish programs--eg Port 80 on IP 10.11.10.1 is the web server on that machine * We use protocols to speak between machines even from different manufacturers--eg ICMP allows any machine to ping any other machine
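The IPv4 Header, TCP Header, Transport Layer port-number and Follow TCP Stream slides above are easiest to understand by decoding the structures by hand. The Python below is an added example, not code from the slides or from the Virginia Cyber Range materials: it constructs a small FTP login between made-up hosts (the addresses 10.0.0.5 and 10.0.0.9, the ports, sequence numbers and the alice/s3cret credentials are all invented, and nothing is read from ftp_attack.pcap), decodes every IPv4/TCP header with `struct`, classifies the ports into the three ranges the Transport Layer slide names, and reassembles each direction in sequence-number order, which is what Wireshark's Follow TCP Stream does. Because FTP sends the login in the clear, the USER and PASS lines fall straight out of the reassembled stream, which is the exposure the FTP lab asks you to find.

```python
"""Decode IPv4/TCP headers and follow a TCP stream (added example, not from the slides).

Every packet is constructed here with struct; nothing touches the network or a pcap.
Checksums are left at zero because the frames never leave the process.
"""
import struct
from dataclasses import dataclass

# Bits of the TCP control field, in bit order (the flags named on the TCP slide).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: list
    payload: bytes


def port_class(port: int) -> str:
    """Classify a port into the well-known / registered / dynamic ranges from the slide."""
    if port < 1024:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def _dotted(addr: bytes) -> str:
    """Render four raw octets in the dotted-decimal form used on the IP address slide."""
    return ".".join(str(o) for o in addr)


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode a bare IPv4 header followed by a TCP header (no Ethernet frame in front)."""
    # IPv4: version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4 packet carrying TCP (protocol 6)")
    ihl = (ver_ihl & 0x0F) * 4                       # IPv4 header length in bytes
    tcp = raw[ihl:total_len]
    # TCP: source port, destination port, sequence number, ack number, data offset + flags
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4              # TCP header length in bytes
    flags = [name for bit, name in sorted(TCP_FLAGS.items()) if off_flags & bit]
    return Packet(_dotted(src), _dotted(dst), sport, dport, seq, flags, tcp[data_offset:])


def build_packet(src, sport, dst, dport, seq, flag_bits, payload=b"") -> bytes:
    """Construct an IPv4+TCP packet for the sample capture (20-byte headers, no options)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flag_bits, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp + payload


def sample_capture() -> list:
    """Constructed FTP login between invented hosts, delivered out of order with one retransmission."""
    c, s = ("10.0.0.5", 51234), ("10.0.0.9", 21)    # (address, port) of client and server
    SYN, ACK, PSH = 0x02, 0x10, 0x08
    return [
        build_packet(*c, *s, 1000, SYN),                                  # three-way handshake
        build_packet(*s, *c, 5000, SYN | ACK),
        build_packet(*c, *s, 1001, ACK),
        build_packet(*s, *c, 5001, PSH | ACK, b"220 FTP ready\r\n"),
        build_packet(*c, *s, 1013, PSH | ACK, b"PASS s3cret\r\n"),       # captured before USER
        build_packet(*c, *s, 1001, PSH | ACK, b"USER alice\r\n"),
        build_packet(*c, *s, 1001, PSH | ACK, b"USER alice\r\n"),        # retransmitted copy
        build_packet(*s, *c, 5016, PSH | ACK, b"331 Password required\r\n"),
        build_packet(*s, *c, 5039, PSH | ACK, b"230 Login OK\r\n"),
    ]


def follow_stream(packets: list, endpoint: tuple) -> str:
    """Reassemble one direction in sequence-number order, dropping retransmitted duplicates."""
    seen, chunks = set(), []
    for p in sorted(packets, key=lambda p: p.seq):
        if (p.src, p.sport) == endpoint and p.payload and p.seq not in seen:
            seen.add(p.seq)
            chunks.append(p.payload)
    return b"".join(chunks).decode("ascii", "replace")


def plaintext_logins(stream_text: str) -> dict:
    """Pull the USER/PASS lines out of a reassembled FTP control-channel stream."""
    creds = {}
    for line in stream_text.splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            creds[cmd.upper()] = arg
    return creds


def analyze_capture(raw_packets: list) -> dict:
    """Identify client and server from the bare SYN, then follow both directions of the stream."""
    pkts = [parse_ipv4_tcp(r) for r in raw_packets]
    syn = next(p for p in pkts if p.flags == ["SYN"])
    client, server = (syn.src, syn.sport), (syn.dst, syn.dport)
    c2s = follow_stream(pkts, client)
    return {"client": client, "server": server, "client_to_server": c2s,
            "server_to_client": follow_stream(pkts, server), "credentials": plaintext_logins(c2s)}
```

`analyze_capture(sample_capture())["credentials"]` returns the alice/s3cret pair even though the PASS packet was captured first and USER was retransmitted, because reassembly goes by sequence number, not by arrival order; that is why the Follow TCP Stream view in the lab reads as a clean conversation. The same walk over a real capture would need Ethernet framing, IP options and TCP options handled, which this example skips by fixing both headers at 20 bytes.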
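The Client-Server Model, Clients and Servers and World-Wide Web slides describe a server that listens and a client that asks it for a file over HTTP. The example below is added here and is not code from the slides: it performs that exchange on the loopback interface with a one-request HTTP/1.0 server thread and a socket client. The page path `/index.html`, the in-memory `PAGES` dictionary standing in for files on the server's disk, and the listener on an ephemeral 127.0.0.1 port are assumptions of the example.

```python
"""Client-server HTTP exchange over loopback (added example, not from the slides)."""
import socket
import threading

# Constructed stand-in for the "files on a web server" the WWW slide describes.
PAGES = {"/index.html": b"<html><body><h1>Hello from the server</h1></body></html>"}


def handle_request(request: bytes) -> bytes:
    """Server side: turn one HTTP request into the response bytes the server sends back."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        status, body = "405 Method Not Allowed", b"Method Not Allowed"
    else:
        path = "/index.html" if parts[1] == "/" else parts[1]
        body = PAGES.get(path)
        status = "200 OK" if body is not None else "404 Not Found"
        body = body if body is not None else b"Not Found"
    head = (f"HTTP/1.0 {status}\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + body


def serve_once(listener: socket.socket) -> None:
    """Server side: accept a single client, read its request headers, answer, then close."""
    conn, _addr = listener.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:          # headers end at the blank line
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        conn.sendall(handle_request(request))


def fetch(host: str, port: int, path: str) -> tuple:
    """Client side: connect over TCP, send a GET, read until the server closes the connection."""
    with socket.create_connection((host, port)) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        response = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            response += chunk
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii")
    return status_line, body


def run_exchange(path: str = "/index.html") -> tuple:
    """Listen on an ephemeral loopback port, serve one request in a thread, return (status, body)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)                         # never hang forever if no client shows up
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_once, args=(listener,))
    server.start()
    try:
        return fetch("127.0.0.1", port, path)
    finally:
        server.join()
        listener.close()


if __name__ == "__main__":
    status, body = run_exchange()
    print(status)
    print(body.decode("ascii"))
```

Capturing this exchange on the loopback interface with the `tcp.port == <port>` display filter from the Packet Capture lab shows the request and response as the same readable ASCII the functions above build, which is the point of the Follow TCP Stream exercise. HTTPS carries an identical HTTP exchange inside TLS so that an observer on the path sees only ciphertext.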