II. Approach: Configuration

  1. Server
    1. Static IP Addresses
  2. Client
    1. DHCP-generated dynamic IP Addresses (see below)

III. Approach: Utilities

  1. Windows built-in utilities
    1. Run command, ncpa.cpl (Network Connections)
  2. PowerShell
    1. ipconfig /all
      1. Lists all network adapters with their IP Addresses and physical (MAC) addresses
    2. netstat
      1. Lists all TCP connections
  3. Applications (Windows)
    1. TCPView (app from sysinternals.com)
      1. Shows port usage and the owning process; useful for identifying malware port use
    2. Wireshark
      1. Captures all low-level Ethernet traffic on the system

IV. Definitions: Ports

  1. Socket
    1. A server service (e.g. HTTP) listens with a protocol (e.g. TCP) on a port (e.g. 80) at a static IP Address
  2. Port numbers (16-bit addresses from 0 to 65535)
    1. Well-Known ports (0 to 1024) - standardized internationally (all are TCP, some also are UDP)
      1. 20-21: File Transfer Protocol (FTP)
      2. 22: Secure Shell Protocol (SSH)
      3. 23: Telnet (insecure remote login)
      4. 25: Simple Mail Transfer Protocol (SMTP)
      5. 53: Domain Name System (DNS) - host name to IP resolution
      6. 67-68: Dynamic Host Configuration Protocol (DHCP)
      7. 80: Hypertext Transfer Protocol (HTTP)
      8. 110: Post Office Protocol (POP3) - email receiving
      9. 137-139: Server Message Block (SMB) or Common Internet File System (CIFS)
      10. 143: Internet Message Access Protocol (IMAP) - email send/receive
      11. 161-162: Simple Network Management Protocol (SNMP)
      12. 389: Lightweight Directory Access Protocol (LDAP)
      13. 443: Hypertext Transfer Protocol - Secure (HTTPS)
      14. 445: Server Message Block (SMB) - file sharing (includes Windows shares and Active Directory)
      15. 636: Lightweight Directory Access Protocol - Secure (LDAPS) - used by Active Directory for user/group management
      16. 3389: Remote Desktop Protocol (RDP)
    2. Registered ports (1024 to 49151)
      1. Ports registered by individual vendors or organizations (two could assign the same port and conflict)
    3. Dynamic ports or ephemeral ports (49152 to 65535)
      1. Software may switch to a dynamic port after initially connecting on a well-known port
      2. Allows for multiple socket connections for an application
    4. Resources
      1. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

V. Definitions: Dynamic Host Configuration Protocol (DHCP)

  1. Background
    1. Dynamic private IP Addresses "leased" to individual devices on the network
    2. Allows a server with its own public, routable IP Address to distribute data to its clients
    3. DHCP is defined specifically for both IPv4 and IPv6
  2. Functionality
    1. Operates on User Datagram Protocol (UDP) ports 67 and 68 (connectionless, OSI Layer 4)
    2. Devices on the network, on start-up, broadcast a message within their subnet to obtain a DHCP-assigned IP Address
      1. A device on the same subnet as the DHCP server receives a reply with the leased IP Address
      2. A device on the network but outside the DHCP server's subnet cannot reach it by broadcast
        1. The router must be specifically configured to forward DHCP traffic to a server on a different subnet
  3. Configuration
    1. DHCP Server has a range of private IP Addresses to lease to devices (e.g. 192.168.1.1 to 192.168.1.254)

VI. Definitions: IPv4

  1. See IPv6 below
  2. IP Address IPv4
    1. Written as 4 decimal numbers separated by dots; 32-bit addresses (4.3 billion possible, all assigned)
    2. Each of the four groups is 8 bits (an octet), written in decimal as a number 0-255
    3. In 2017, IPv4 and IPv6 coexist and IPv4 will ultimately be replaced
  3. Loopback address (127.0.0.1)
    1. Used for local diagnostics (if ping 127.0.0.1 succeeds, the TCP/IP stack should be intact)
  4. Default Gateway
    1. IP Address (the router) to which the machine sends traffic destined for remote (non-local) machines
  5. Private IP Addresses (RFC 1918, non-routable)
    1. 10.0.0.0 to 10.255.255.255 (CIDR /8, Subnet Mask 255.0.0.0)
    2. 172.16.0.0 to 172.31.255.255 (CIDR /16, Subnet Mask 255.255.0.0)
    3. 192.168.0.0 to 192.168.255.255 (CIDR /24, Subnet Mask 255.255.255.0)
  6. Subnet Mask
    1. Used in combination with the IP Address to identify a specific device or computer on a network
    2. Defines which octets (bits) of the IP Address identify the local network and which identify the machine
    3. Typically on home networks, the Subnet Mask is 255.255.255.0 (Class C address)
      1. In binary, 255 is eight 1s; the three 255 octets mark the first 3 octets of the address as belonging to the overall network
      2. The last octet of 0 marks that octet as the host portion (254 unique host IPs)
    4. The Subnet Mask may be abbreviated as a CIDR prefix appended to the IP, giving the number of bits for the network
      1. 192.168.1.0/24 is equivalent to Subnet Mask 255.255.255.0 (Class C)
      2. 192.168.1.0/16 is equivalent to Subnet Mask 255.255.0.0 (Class B)
      3. 192.168.1.0/8 is equivalent to Subnet Mask 255.0.0.0 (Class A)
  7. Network Segment (subnet, subnetwork, broadcast domain)
    1. Devices on a subnet (e.g. 192.168.1.1 and 192.168.1.2) are connected to switches (OSI Layer 2)
    2. Switches are connected to other switches (and subnets) via a router (gateway, OSI Layer 3)
      1. Devices on the same subnet (e.g. 192.168.1.1 and 192.168.1.2) can communicate directly via the switch
      2. A device at 192.168.1.1 (subnet 1) must communicate with 192.168.2.1 (subnet 2) via the router
  8. Host IP Address
    1. The host portion is determined by combining the IP Address with the Subnet Mask (the bits the mask does not cover)

VII. Background: IPv4

  1. If the Subnet Mask is 255.255.255.0, valid host IP Addresses are x.x.x.1-254
    1. IP Address x.x.x.0 is reserved as the network ID
    2. IP Address x.x.x.255 is reserved as the broadcast address to all IPs on the local network
  2. IP Addresses can be subnetted or divided
    1. Simple example: a network with Subnet Mask 255.255.255.128 is divided into 2 subnets
      1. Subnet x.x.x.0 has 126 valid host IPs, x.x.x.1 to x.x.x.126 (with local broadcast address x.x.x.127)
      2. Subnet x.x.x.128 has 126 valid host IPs, x.x.x.129 to x.x.x.254 (with local broadcast address x.x.x.255)
    2. Subnet divisions are assigned with the Subnet Mask (Class C subnets shown as an example)
      1. Where x.x.x is 255.255.255 for a Class C network; CIDR = Classless Inter-Domain Routing
      2. Subnet Mask x.x.x.0 = 8 host bits (254 host IPs + 2 reserved) in a single network (CIDR /24)
      3. Subnet Mask x.x.x.128 = 7 host bits (126 host IPs + 2 reserved) for each of 2 subnets (CIDR /25)
      4. Subnet Mask x.x.x.192 (128 + 64) = 6 host bits (62 hosts + 2 reserved) for each of 4 subnets (CIDR /26)
      5. Subnet Mask x.x.x.224 (192 + 32) = 5 host bits (30 hosts + 2 reserved) for each of 8 subnets (CIDR /27)
      6. Subnet Mask x.x.x.240 (224 + 16) = 4 host bits (14 hosts + 2 reserved) for each of 16 subnets (CIDR /28)
      7. Subnet Mask x.x.x.248 (240 + 8) = 3 host bits (6 hosts + 2 reserved) for each of 32 subnets (CIDR /29)
      8. Subnet Mask x.x.x.252 (248 + 4) = 2 host bits (2 hosts + 2 reserved) for each of 64 subnets (CIDR /30)
    3. Subnets for Class B (same pattern as Class C)
      1. Where x.x is 255.255 for a Class B network
      2. Subnet Mask x.x.0.0 = 16 host bits (64k host IPs) in a single network (CIDR /16)
      3. Subnet Mask x.x.128.0 = 15 host bits (32k host IPs) for each of 2 subnets (CIDR /17)
      4. Subnet Mask x.x.192.0 = 14 host bits (16k host IPs) for each of 4 subnets (CIDR /18)
    4. Subnets for Class A (same pattern as Class B and C)
      1. Subnet Mask 255.0.0.0 = 24 host bits (16M host IPs) in a single network (CIDR /8)
      2. Subnet Mask 255.128.0.0 = 23 host bits (8M host IPs) for each of 2 subnets (CIDR /9)
      3. Subnet Mask 255.192.0.0 = 22 host bits (4M host IPs) for each of 4 subnets (CIDR /10)
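The mask and subnet arithmetic in VI.6-7 and VII, as an added Python example that is not part of the original notes: the mask is derived from the CIDR prefix on the raw bits rather than looked up, the same-subnet test is the switch-versus-router decision, and the subnet split reproduces the Class C table, cross-checked against the standard library ipaddress module. All function names are mine.

```python
# Added example (not from the original notes): IPv4 mask and subnet math done on the raw bits.
import ipaddress

def to_int(dotted):
    """Dotted-decimal 'a.b.c.d' -> 32-bit integer (each octet is 8 bits, 0-255)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """32-bit integer -> dotted-decimal string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """CIDR prefix length -> Subnet Mask with the top `prefix` bits set, e.g. /25 -> 255.255.255.128."""
    return to_dotted(((1 << prefix) - 1) << (32 - prefix))

def usable_hosts(prefix):
    """Hosts per subnet after reserving the network ID and the broadcast address."""
    return (1 << (32 - prefix)) - 2

def same_subnet(ip_a, ip_b, prefix):
    """The switch-versus-router decision: equal network IDs under the mask means the two
    devices talk directly via the switch; otherwise traffic goes to the default gateway."""
    mask = to_int(prefix_to_mask(prefix))
    return (to_int(ip_a) & mask) == (to_int(ip_b) & mask)

def split_subnets(network, prefix, new_prefix):
    """Carve network/prefix into 2**(new_prefix - prefix) subnets; each row is
    (network ID, first host, last host, local broadcast address)."""
    base = to_int(network) & to_int(prefix_to_mask(prefix))
    size = 1 << (32 - new_prefix)
    rows = []
    for i in range(1 << (new_prefix - prefix)):
        net = base + i * size
        rows.append((to_dotted(net), to_dotted(net + 1), to_dotted(net + size - 2), to_dotted(net + size - 1)))
    return rows

def matches_stdlib(network, prefix, new_prefix):
    """Cross-check our network IDs against the standard library's ipaddress module."""
    ours = [row[0] for row in split_subnets(network, prefix, new_prefix)]
    stdlib = ipaddress.ip_network(f"{network}/{prefix}").subnets(new_prefix=new_prefix)
    return ours == [str(n.network_address) for n in stdlib]

if __name__ == "__main__":
    # Reproduce the Class C table (/24 through /30) and the /25 split from the notes.
    for p in range(24, 31):
        print(f"/{p}  mask {prefix_to_mask(p):<15}  {1 << (p - 24):>2} subnets x {usable_hosts(p)} hosts")
    print(split_subnets("192.168.1.0", 24, 25))
```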

VIII. Background: IP Address IPv6

  1. Newer (established 1996) 128-bit addressing (3.4×10^38 addresses); coexists with IPv4
  2. Written as 8 groups of 4 hexadecimal digits separated by colons
    1. First 4 groups (64 bits) are the network and second 4 groups (64 bits) are the node
    2. Each group represents 16 bits (2 octets)
    3. Within each group leading zeros need not be written, and one run of all-zero groups may be replaced by :: (the abbreviation point)
      1. 1657:0cf3:89a3:0:0:0:0:55 may be written as 1657:cf3:89a3::55
  3. Improvements over IPv4 (in addition to 10^38 more addresses)
    1. Simplified headers
    2. Encryption is built into the standard
    3. Requires less traffic over the network than IPv4 (no broadcast needed)
  4. Stateless Address Autoconfiguration (SLAAC)
    1. Link-local addresses
      1. Written as addresses within the fe80::/64 prefix
    2. Loopback address
      1. Used for local diagnostics (::1/128)
  5. https://en.wikipedia.org/wiki/IPv6
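The written-form rules in VIII.2 (leading zeros, the :: abbreviation, the 64-bit network/node split), as an added Python example not taken from the original notes: it expands any IPv6 string to eight 4-digit groups, compresses back to the shortest form by replacing the longest all-zero run, and splits the network and node halves; the link-local check uses the standard library ipaddress module. The function names are mine.

```python
# Added example (not from the original notes): the IPv6 written-form rules in VIII.2.
import ipaddress

def expand(addr):
    """Expand an IPv6 string (optionally using '::') into eight 4-hex-digit groups."""
    if "::" in addr:
        head, tail = addr.split("::", 1)          # only one '::' is legal per address
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        groups = left + ["0"] * (8 - len(left) - len(right)) + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(len(g) > 4 for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return [f"{int(g, 16):04x}" for g in groups]  # int() rejects non-hex text

def compress(addr):
    """Shortest form: drop leading zeros per group, then replace the longest run of
    two or more all-zero groups with '::' (the leftmost run wins a tie)."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def network_and_node(addr):
    """Split into the first 4 groups (64-bit network) and the last 4 groups (64-bit node)."""
    full = expand(addr)
    return ":".join(full[:4]), ":".join(full[4:])

def is_link_local(addr):
    """True for addresses under the fe80:: link-local prefix (checked by the stdlib)."""
    return ipaddress.IPv6Address(":".join(expand(addr))).is_link_local
```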

IX. References

  1. Jacob (2013) Subnetting, lynda.com, accessed 12/31/2016