Differences
This shows you the differences between two versions of the page.
|
ep:labs:04:contents:tasks:ex2 [2021/10/05 01:23] radu.mantu [02. [??p] Network Exploration] |
ep:labs:04:contents:tasks:ex2 [2023/10/29 20:47] (current) radu.mantu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ==== 02. [??p] Network Exploration ==== | + | ==== 02. [30p] Network Exploration ==== |
| - | === [??p] Task A - ARP vs ICMP === | + | === [10p] Task A - ARP vs ICMP === |
| - | The [[https://datatracker.ietf.org/doc/html/rfc826|Address Resolution Protocol (ARP)]] resolves layer 2 addresses (MAC) from layer 3 addresses (e.g.: IP). Normally, all hosts are compelled to reply to ARP requests, but this can be fiddled with using tools such as [[https://linux.die.net/man/8/arptables|arptables]]. | + | The [[https://datatracker.ietf.org/doc/html/rfc826|Address Resolution Protocol (ARP)]] resolves layer 2 addresses (MAC) from layer 3 addresses (e.g.: IP). Normally, all hosts are compelled to reply to ARP requests, but this can be fiddled with using tools such as **arptables**. You can show the currently known neighbors using **iproute2**. |
| + | |||
| + | <code bash> | ||
| + | $ ip -c neigh show | ||
| + | </code> | ||
| + | |||
| + | <note tip> | ||
| + | //Pro tip #2//: yes, **ip** can also generate color output. Most people don't know this and still use **ifconfig**, even though it's already deprecated at this point. Add this as an alias to your //.bashrc// or //.zshrc// and source it. | ||
| + | |||
| + | <code bash> | ||
| + | # alias for iproute2 color output | ||
| + | alias ip='ip -c' | ||
| + | </code> | ||
| + | </note> | ||
| The [[https://datatracker.ietf.org/doc/html/rfc792|Internet Control Message Protocol (ICMP)]] is an ancillary protocol meant mainly to report errors between hosts. Sometimes it can also be used to perform measurements (**ping**) or to inform network participants of better routes ([[https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html|Redirect Messages]]). There are many ICMP functionalities, most of which are now deprecated. Note that some network equipment may not be capable of understanding new and officially recognized protocols, while other may not even recognize experimental ICMP codepoints (i.e.: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml|type=253,254]]) and simply drop the packet. Because ICMP can be used to stage attacks in a network, some operating systems (e.g.: Windows ≥7) went so far as to disable Echo Replies by default. | The [[https://datatracker.ietf.org/doc/html/rfc792|Internet Control Message Protocol (ICMP)]] is an ancillary protocol meant mainly to report errors between hosts. Sometimes it can also be used to perform measurements (**ping**) or to inform network participants of better routes ([[https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-icmp-redirect-messages.html|Redirect Messages]]). There are many ICMP functionalities, most of which are now deprecated. Note that some network equipment may not be capable of understanding new and officially recognized protocols, while other may not even recognize experimental ICMP codepoints (i.e.: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml|type=253,254]]) and simply drop the packet. Because ICMP can be used to stage attacks in a network, some operating systems (e.g.: Windows ≥7) went so far as to disable Echo Replies by default. | ||
| Line 10: | Line 23: | ||
| Use **arp-scan** to scan your //local// network while monitoring ARP traffic with **wireshark** to get a sense of what's going on. | Use **arp-scan** to scan your //local// network while monitoring ARP traffic with **wireshark** to get a sense of what's going on. | ||
| - | After that, use the following script to identify hosts discoverable via ARP but no ICMP. | + | After that, use the following script to identify hosts discoverable via ARP but not ICMP. |
| <spoiler> | <spoiler> | ||
| Line 66: | Line 79: | ||
| </solution> | </solution> | ||
| - | === [??p] Task B - nmap vs traceroute === | + | === [20p] Task B - nmap vs traceroute === |
| **nmap** is a network exploration tool and a port scanner. Today, we will look only at a specific functionality that it shares with the **traceroute** utility. | **nmap** is a network exploration tool and a port scanner. Today, we will look only at a specific functionality that it shares with the **traceroute** utility. | ||
| Line 93: | Line 106: | ||
| * uses ICMP because we didn't perform a port scan first | * uses ICMP because we didn't perform a port scan first | ||
| </solution> | </solution> | ||
| + | |||
| + | <note tip> | ||
| + | Troubleshooting: | ||
| + | * **permission denied** : make sure that **nmap** is not installed as a **snap**; you have two choices: | ||
| + | * reinstall **nmap** with apt : ''sudo snap remove nmap && sudo apt install nmap'' | ||
| + | * grant **nmap** permissions : ''snap connect nmap:network-control'' | ||
| + | </note> | ||
| If we do allow for a port scan by removing ''-sn'' (default is a TCP-based scan; use ''-sU'' for a UDP scan), this will take place //before// the actual traceroute. What changes does this bring? | If we do allow for a port scan by removing ''-sn'' (default is a TCP-based scan; use ''-sU'' for a UDP scan), this will take place //before// the actual traceroute. What changes does this bring? | ||
| Line 100: | Line 120: | ||
| </solution> | </solution> | ||
| + | == Optional Task (... no, really) == | ||
| + | |||
| + | When doing the TCP scan with **nmap**, you may have noticed a weird field in the TCP header: **Options**. | ||
| + | Generate some TCP traffic with **curl** and look at the SYN packet in **wireshark**. What options do you see there? | ||
| + | |||
| + | [[https://www.firewall.cx/networking-topics/protocols/tcp/138-tcp-options.html|Here]] is a quick break down of the more common TCP options and how they are used to overcome protocol limitations and improve throughput. Take a quick look if you want, then move on. We'll dive deeper into protocol options in the next task. | ||
