Modern hacking

7/30/2019 Modern hacking

1/212

The Modern Hacker's Desk Reference

The MH DeskReferenceVersion 1.2

Written/Assembled byThe Rhino9 Team

Table of Contents

=Part One==Essential background Knowledge=

[0.0.0] Preface[0.0.1] The Rhino9 Team[0.0.2] Disclaimer[0.0.3] Thanks and Greets

[1.0.0] Preface To NetBIOS[1.0.1] What is NetBIOS?

[1.0.2] NetBIOS Names[1.0.3] NetBIOS Sessions[1.0.4] NetBIOS Datagrams[1.0.5] NetBEUI Explained[1.0.6] NetBIOS Scopes

[1.2.0] Preface to SMB's[1.2.1] What are SMB's?[1.2.2] The Redirector

[2.0.0] What is TCP/IP?[2.0.1] FTP Explained[2.0.2] Remote Login

[2.0.3] Computer Mail[2.0.4] Network File Systems[2.0.5] Remote Printing[2.0.6] Remote Execution[2.0.7] Name Servers[2.0.8] Terminal Servers[2.0.9] Network-Oriented Window Systems[2.1.0] General description of the TCP/IP protocols[2.1.1] The TCP Level[2.1.2] The IP level[2.1.3] The Ethernet level[2.1.4] Well-Known Sockets And The Applications Layer[2.1.5] Other IP Protocols

[2.1.6] Domain Name System[2.1.7] Routing[2.1.8] Subnets and Broadcasting[2.1.9] Datagram Fragmentation and Reassembly[2.2.0] Ethernet encapsulation: ARP

[3.0.0] Preface to the WindowsNT Registry[3.0.1] What is the Registry?[3.0.2] In Depth Key Discussion[3.0.3] Understanding Hives[3.0.4] Default Registry Settings


2/212

[4.0.0] Introduction to PPTP[4.0.1] PPTP and Virtual Private Networking[4.0.2] Standard PPTP Deployment[4.0.3] PPTP Clients[4.0.4] PPTP Architecture[4.0.5] Understanding PPTP Security[4.0.6] PPTP and the Registry

[4.0.7] Special Security Update

[5.0.0] TCP/IP Commands as Tools[5.0.1] The Arp Command[5.0.2] The Traceroute Command[5.0.3] The Netstat Command[5.0.4] The Finger Command[5.0.5] The Ping Command[5.0.6] The Nbtstat Command[5.0.7] The IpConfig Command[5.0.8] The Telnet Command

[6.0.0] NT Security

[6.0.1] The Logon Process[6.0.2] Security Architecture Components[6.0.3] Introduction to Securing an NT Box[6.0.4] Physical Security Considerations[6.0.5] Backups[6.0.6] Networks and Security[6.0.7] Restricting the Boot Process[6.0.8] Security Steps for an NT Operating System[6.0.9] Install Latest Service Pack and applicable hot-fixes[6.1.0] Display a Legal Notice Before Log On[6.1.1] Rename Administrative Accounts[6.1.2] Disable Guest Account[6.1.3] Logging Off or Locking the Workstation

[6.1.4] Allowing Only Logged-On Users to Shut Down the Computer[6.1.5] Hiding the Last User Name[6.1.6] Restricting Anonymous network access to Registry[6.1.7] Restricting Anonymous network access to lookup account names and networkshares[6.1.8] Enforcing strong user passwords[6.1.9] Disabling LanManager Password Hash Support[6.2.0] Wiping the System Page File during clean system shutdown[6.2.1] Protecting the Registry[6.2.2] Secure EventLog Viewing[6.2.3] Secure Print Driver Installation[6.2.4] The Schedule Service (AT Command)[6.2.5] Secure File Sharing

[6.2.6] Auditing[6.2.7] Threat Action[6.2.8] Enabling System Auditing[6.2.9] Auditing Base Objects[6.3.0] Auditing of Privileges[6.3.1] Protecting Files and Directories[6.3.2] Services and NetBios Access From Internet[6.3.3] Alerter and Messenger Services[6.3.4] Unbind Unnecessary Services from Your Internet Adapter Cards[6.3.5] Enhanced Protection for Security Accounts Manager Database[6.3.6] Disable Caching of Logon Credentials during interactive logon.


3/212

[6.3.7] How to secure the %systemroot%\repair\sam._ file[6.3.8] TCP/IP Security in NT[6.3.9] Well known TCP/UDP Port numbers

[7.0.0] Preface to Microsoft Proxy Server[7.0.1] What is Microsoft Proxy Server?[7.0.2] Proxy Servers Security Features[7.0.3] Beneficial Features of Proxy

[7.0.4] Hardware and Software Requirements[7.0.5] What is the LAT?[7.0.6] What is the LAT used for?[7.0.7] What changes are made when Proxy Server is installed?[7.0.8] Proxy Server Architecture[7.0.9] Proxy Server Services: An Introduction[7.1.0] Understanding components[7.1.1] ISAPI Filter[7.1.2] ISAPI Application[7.1.3] Proxy Servers Caching Mechanism[7.1.4] Windows Sockets[7.1.5] Access Control Using Proxy Server[7.1.6] Controlling Access by Internet Service

[7.1.7] Controlling Access by IP, Subnet, or Domain[7.1.8] Controlling Access by Port[7.1.9] Controlling Access by Packet Type[7.2.0] Logging and Event Alerts[7.2.1] Encryption Issues[7.2.2] Other Benefits of Proxy Server[7.2.3] RAS[7.2.4] IPX/SPX[7.2.5] Firewall Strategies[7.2.6] Logical Construction[7.2.7] Exploring Firewall Types[7.2.3] NT Security Twigs and Ends

=Part Two==The Techniques of Survival=

[8.0.0] NetBIOS Attack Methods[8.0.1] Comparing NAT.EXE to Microsoft's own executables[8.0.2] First, a look at NBTSTAT[8.0.3] Intro to the NET commands[8.0.4] Net Accounts[8.0.5] Net Computer[8.0.6] Net Config Server or Net Config Workstation[8.0.7] Net Continue[8.0.8] Net File

[8.0.9] Net Group[8.1.0] Net Help[8.1.1] Net Helpmsg message#[8.1.2] Net Localgroup[8.1.3] Net Name[8.1.4] Net Pause[8.1.5] Net Print[8.1.6] Net Send[8.1.7] Net Session[8.1.8] Net Share[8.1.9] Net Statistics Server or Workstation


4/212

[8.2.0] Net Stop[8.2.1] Net Time[8.2.2] Net Use[8.2.3] Net User[8.2.4] Net View[8.2.5] Special note on DOS and older Windows Machines[8.2.6] Actual NET VIEW and NET USE Screen Captures during a hack

[9.0.0] Frontpage Extension Attacks[9.0.1] For the tech geeks, we give you an actual PWDUMP[9.0.2] The haccess.ctl file[9.0.3] Side note on using John the Ripper

[10.0.0] WinGate[10.0.1] What Is WinGate?[10.0.2] Defaults After a WinGate Install[10.0.3] Port 23 Telnet Proxy[10.0.4] Port 1080 SOCKS Proxy[10.0.5] Port 6667 IRC Proxy[10.0.6] How Do I Find and Use a WinGate?[10.0.7] I have found a WinGate telnet proxy now what?

[10.0.8] Securing the Proxys[10.0.9] mIRC 5.x WinGate Detection Script[10.1.0] Conclusion

[11.0.0] What a security person should know about WinNT[11.0.1] NT Network structures (Standalone/WorkGroups/Domains)[11.0.2] How does the authentication of a user actually work[11.0.3] A word on NT Challenge and Response[11.0.4] Default NT user groups[11.0.5] Default directory permissions[11.0.6] Common NT accounts and passwords[11.0.7] How do I get the admin account name?[11.0.8] Accessing the password file in NT

[11.0.9] Cracking the NT passwords[11.1.0] What is 'last login time'?[11.1.1] Ive got Guest access, can I try for Admin?[11.1.2] I heard that the %systemroot%\system32 was writeable?[11.1.3] What about spoofin DNS against NT?[11.1.4] What about default shared folders?[11.1.5] How do I get around a packet filter-based firewall?[11.1.6] What is NTFS?[11.1.7] Are there are vulnerabilities to NTFS and access controls?[11.1.8] How is file and directory security enforced?[11.1.9] Once in, how can I do all that GUI stuff?[11.2.0] How do I bypass the screen saver?[11.2.1] How can tell if its an NT box?

[11.2.2] What exactly does the NetBios Auditing Tool do?

[12.0.0] Cisco Routers and their configuration[12.0.1] User Interface Commands[12.0.2] disable[12.0.3] editing[12.0.4] enable[12.0.5] end[12.0.6] exit[12.0.7] full-help


5/212

[12.0.8] help[12.0.9] history[12.1.0] ip http access-class[12.1.1] ip http port[12.1.2] ip http server[12.1.3] menu (EXEC)[12.1.4] menu (global)[12.1.5] menu command

[12.1.6] menu text[12.1.7] menu title[12.1.8] show history[12.1.9] terminal editing[12.2.0] terminal full-help (EXEC)[12.2.1] terminal history[12.2.2] Network Access Security Commands[12.2.3] aaa authentication arap[12.2.4] aaa authentication enable default[12.2.5] aaa authentication local-override[12.2.6] aaa authentication login[12.2.7] aaa authentication nasi[12.2.8] aaa authentication password-prompt

[12.2.9] aaa authentication ppp[12.3.0] aaa authentication username-prompt[12.3.1] aaa authorization[12.3.2] aaa authorization config-commands[12.3.3] aaa new-model[12.3.4] arap authentication[12.3.5] clear kerberos creds[12.3.6] enable last-resort[12.3.7] enable use-tacacs[12.3.8] ip radius source-interface[12.3.9] ip tacacs source-interface[12.4.0] kerberos clients mandatory[12.4.1] kerberos credentials forward

[12.4.2] kerberos instance map[12.4.3] kerberos local-realm[12.4.4] kerberos preauth[12.4.5] kerberos realm[12.4.6] kerberos server[12.4.7] kerberos srvtab entry[12.4.8] kerberos srvtab remote[12.4.9] key config-key[12.5.0] login tacacs[12.5.1] nasi authentication[12.5.2] ppp authentication[12.5.3] ppp chap hostname[12.5.4] ppp chap password

[12.5.5] ppp pap sent-username[12.5.6] ppp use-tacacs[12.5.7] radius-server dead-time[12.5.8] radius-server host[12.5.9] radius-server key[12.6.0] radius-server retransmit[12.6.1] show kerberos creds[12.6.2] show privilege[12.6.3] tacacs-server key[12.6.4] tacacs-server login-timeout[12.6.5] tacacs-server authenticate


6/212

[12.6.6] tacacs-server directed-request[12.6.7] tacacs-server key[12.6.8] tacacs-server last-resort[12.6.9] tacacs-server notify[12.7.0] tacacs-server optional-passwords[12.7.1] tacacs-server retransmit[12.7.2] tacacs-server timeout[12.7.3] Traffic Filter Commands

[12.7.4] access-enable[12.7.5] access-template[12.7.6] clear access-template[12.7.7] show ip accounting[12.7.8] Terminal Access Security Commands[12.7.9] enable password[12.8.0] enable secret[12.8.1] ip identd[12.8.2] login authentication[12.8.3] privilege level (global)[12.8.4] privilege level (line)[12.8.5] service password-encryption[12.8.6] show privilege

[12.8.7] username[12.8.8] A Word on Ascend Routers

[13.0.0] Known NT/95/IE Holes[13.0.1] WINS port 84[13.0.2] WindowsNT and SNMP[13.0.3] Frontpage98 and Unix[13.0.4] TCP/IP Flooding with Smurf[13.0.5] SLMail Security Problem[13.0.6] IE 4.0 and DHTML[13.0.7] 2 NT Registry Risks[13.0.8] Wingate Proxy Server[13.0.9] O'Reilly Website uploader Hole

[13.1.0] Exchange 5.0 Password Caching[13.1.1] Crashing NT using NTFS[13.1.2] The GetAdmin Exploit[13.1.3] Squid Proxy Server Hole[13.1.4] Internet Information Server DoS attack[13.1.5] Ping Of Death II[13.1.6] NT Server's DNS DoS Attack[13.1.7] Index Server Exposes Sensitive Material[13.1.8] The Out Of Band (OOB) Attack[13.1.9] SMB Downgrade Attack[13.2.0] RedButton[13.2.1] FrontPage WebBot Holes[13.2.2] IE and NTLM Authentication

[13.2.3] Run Local Commands with IE[13.2.4] IE can launch remote apps[13.2.5] Password Grabbing Trojans[13.2.6] Reverting an ISAPI Script[13.2.7] Rollback.exe[13.2.8] Replacing System .dll's[13.2.9] Renaming Executables[13.3.0] Viewing ASP Scripts[13.3.1] .BAT and .CMD Attacks[13.3.2] IIS /..\.. Problem[13.3.3] Truncated Files


7/212

[13.3.4] SNA Holes[13.3.5] SYN Flooding[13.3.6] Land Attack[13.3.7] Teardrop[13.3.8] Pentium Bug

[14.0.0] VAX/VMS Makes a comeback (expired user exploit)[14.0.1] Step 1

[14.0.2] Step 2[14.0.3] Step 3[14.0.4] Note

[15.0.0] Linux security 101[15.0.1] Step 1[15.0.2] Step 2[15.0.3] Step 3[15.0.4] Step 4[15.0.5] Step 5[15.0.6] Step 6

[16.0.0] Unix Techniques. New and Old.

[16.0.1] ShowMount Technique[16.0.2] DEFINITIONS[16.0.3] COMPARISION TO THE MICROSOFT WINDOWD FILESHARING[16.0.4] SMBXPL.C[16.0.5] Basic Unix Commands[16.0.6] Special Chracters in Unix[16.0.7] File Permissions Etc..[16.0.8] STATD EXPLOIT TECHNIQUE[16.0.9] System Probing[16.1.0] Port scanning[16.1.1] rusers and finger command[16.1.2] Mental Hacking, once you know a username

[17.0.0] Making a DDI from a Motorola Brick phone

[18.0.0] Pager Programmer

[19.0.0] The End

==============Part One=================================Needed Background Knowledge===================This ones for you Kevin...[0.0.0] Preface

This book was written/compiled by The Rhino9 Team as a document for the modernhacker. We chose to call it the Modern Hackers Desk Reference because it mostly

deals with Networking Technologies and Windows NT issues. Which, as everyoneknows, is a must knowledge these days. Well, rhino9, as the premiere NT Securitysource, we have continually given to the security community freely. We continuethis tradition now with this extremely useful book. This book covers WindowsNTsecurity issues, Unix, Linux, Irix, Vax, Router configuration, Frontpage, Wingateand much much more.

[0.0.1] The Rhino9 Team

At the time of release, the rhino9 team is:


8/212

NeonSurge ([email protected]) [Security/Technical Research/Senior Member]Chameleon ([email protected]) [Security/Software Developer/Senior Member]Vacuum ([email protected]) [Security/Software Research/Senior Member]Rute ([email protected]) [Security/Software Developer/Code Guru]Syndicate ([email protected]) [Security/HTML Operations/Senior Member]The090000 ([email protected]) [Security]DemonBytez ([email protected]) [Security]NetJammer ([email protected]) [Security]

[0.0.2] Disclaimer

This text document is released FREE of charge to EVERYONE. The rhino9 team made NOprofits from this text. This text is NOT meant for re-sale, or for trade for anyother type of material or monetary possesions. This text is given freely to theInternet community. The authors of this text do not take responsibility fordamages incurred during the practice of any of the information contained withinthis text document.

[0.0.3] Thanks and Greets

Extra special greetings and serious mad ass props to NeonSurge's fiance

SisterMoon, and Chameleon's woman, Jayde. Special thanks to the people atntsecurity.net. Special thanks to Simple Nomad for releasing the NT HACK FAQ whichwas used in the making of this document. Thanks to Cisco Systems for making suchsuperior equipment. Thanks to the guy from Lucent Technologies, whose text filewas used during one of the NT Security sections (if you see this, contact me so Ican give you proper credit). Special props go out to Virtual of Cybrids for hisinformation on CellPhones and Pagers. Special props to Phreak-0 for his Unixcontributions. Mad props to Hellmaster for the Vax info. Thanks to Rloxley andthe rest of X-Treme for helping with the distribution and advertising of thisdocument. Thanks to Merlin45 for being the marketing pimp that he is. Greetings toCybrids, Intercore, X-Treme, L0pht, CodeZero (grins), 2600 Magazine (thanks foryour vigilance on the Mitnick case).

[1.0.0] Preface to NetBIOS

Before you begin reading this section, understand that this section was writtenfor the novice to the concept of NetBIOS, but - it also contains information theveteran might find educational. I am prefacing this so that I do not get e-maillike "Why did you start your NetBIOS section off so basic?" - Simple, its writtenfor people that may be coming from an enviroment that does not use NetBIOS, sothey would need me to start with basics, thanks.

[1.0.1] Whats is NetBIOS?

NetBIOS (Network Basic Input/Output System) was originally developed by IBM and

Sytek as an Application Programming Interface (API) for client software to accessLAN resources. Since its creation, NetBIOS has become the basis for many othernetworking applications. In its strictest sense, NetBIOS is an interfacespecification for acessing networking services.

NetBIOS, a layer of software developed to link a network operating system withspecific hardware, was originally designed as THE network controller for IBM'sNetwork LAN. NetBIOS has now been extended to allow programs written using theNetBIOS interface to operate on the IBM token ring architecture. NetBIOS has sincebeen adopted as an industry standard and now, it is common to refer to NetBIOS-compatible LANs.


9/212

It offers network applications a set of "hooks" to carry out inter-applicationcommunication and data transfer. In a basic sense, NetBIOS allows applications totalk to the network. Its intention is to isolate application programs from anytype of hardware dependancies. It also spares software developers the task ofdeveloping network error recovery and low level message addressing or routing. Theuse of the NetBIOS interface does alot of this work for them.

NetBIOS standardizes the interface between applications and a LANs operatingcapabilities. With this, it can be specified to which levels of the OSI model theapplication can write to, making the application transportable to other networks.In a NetBIOS LAN enviroment, computers are known on the system by a name. Eachcomputer on the network has a permanent name that is programmed in variousdifferent ways. These names will be discussed in more detail below.

PC's on a NetBIOS LAN communicate either by establishing a session or by usingNetBIOS datagram or broadcast methods. Sessions allow for a larger message to besent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate withseveral other computers at the same time, but are limited in message size. Thereis no error detection or correction using these datagram or broadcast methods.

However, datagram communication allows for communication without having toestablish a session.

All communication in these enviroments are presented to NetBIOS in a format calledNetwork Control Blocks (NCB). The allocation of these blocks in memory isdependant on the user program. These NCB's are divided into fields, these arereserved for input and output respectively.

NetBIOS is a very common protocol used in todays enviroments. NetBIOS is supportedon Ethernet, TokenRing, and IBM PC Networks. In its original induction, it wasdefined as only an interface between the application and the network adapter.Since then, transport like functions have been added to NetBIOS, making it morefunctional over time.

In NetBIOS, connection (TCP) oriented and connectionless (UDP) communication areboth supported. It supports both broadcasts and multicasting and supports threedistinct services: Naming, Session, and Datagram.

[1.0.2] NetBIOS Names

NetBIOS names are used to identify resources on a network. Applications use thesenames to start and end sessions. You can configure a single machine with multipleapplications, each of which has a unique NetBIOS name. Each PC that supports anapplication also has a NetBIOS station name that is user defined or that NetBIOSderives by internal means.

NetBIOS can consist of up to 16 alphanumeric characters. The combination ofcharacters must be unique within the entire source routing network. Before a PCthat uses NetBIOS can fully function on a network, that PC must register theirNetBIOS name.

When a client becomes active, the client advertises their name. A client isconsidered to be registered when it can successfully advertise itself without anyother client claiming it has the same name. The steps of the registration processis as follows:

1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere


10/212

from 6 to 10 to ensure every other client on the network receives the information.

2. If another client on the network already has the name, that NetBIOS clientissues its own broadcast to indicate that the name is in use. The client who istrying to register the already in use name, stop all attempts to register thatname.

3. If no other client on the network objects to the name registration, the client

will finish the registration process.

There are two types of names in a NetBIOS enviroment: Unique and Group. A uniquename must be unique across the network. A group name does not have to be uniqueand all processes that have a given group name belong to the group. Each NetBIOSnode maintains a table of all names currently owned by that node.

The NetBIOS naming convention allows for 16 characters in a NetBIOS name.Microsoft, however, limits these names to 15 characters and uses the 16thcharacter as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networkingsoftware to indentify the functionality installed or the registered device orservice.

[QuickNote: SMB and NBT (NetBIOS over TCP/IP work very closely together and bothuse ports 137, 138, 139. Port 137 is NetBIOS name UDP. Port 138 is NetBIOSdatagram UDP. Port 139 is NetBIOS session TCP. For further information on NetBIOS,read the paper at the rhino9 website listed above]

The following is a table of NetBIOS suffixes currently used by MicrosoftWindowsNT. These suffixes are displayed in hexadecimal format.

Name Number Type Usage========================================================================== 00 U Workstation Service 01 U Messenger Service 01 G Master Browser

03 U Messenger Service 06 U RAS Server Service 1F U NetDDE Service 20 U File Server Service 21 U RAS Client Service 22 U Exchange Interchange 23 U Exchange Store 24 U Exchange Directory 30 U Modem Sharing Server Service 31 U Modem Sharing Client Service 43 U SMS Client Remote Control 44 U SMS Admin Remote Control Tool 45 U SMS Client Remote Chat

46 U SMS Client Remote Transfer 4C U DEC Pathworks TCPIP Service 52 U DEC Pathworks TCPIP Service 87 U Exchange MTA 6A U Exchange IMC BE U Network Monitor Agent BF U Network Monitor Apps 03 U Messenger Service 00 G Domain Name 1B U Domain Master Browser 1C G Domain Controllers


11/212

1D U Master Browser 1E G Browser Service Elections 1C G Internet Information Server 00 U Internet Information Server [2B] U Lotus Notes ServerIRISMULTICAST [2F] G Lotus NotesIRISNAMESERVER [33] G Lotus NotesForte_$ND800ZA [20] U DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a networkdevice, multiple occurences of a single name may appear to be registered, but thesuffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on thesame computer, this configuration is necessary to permit the registration. Maximumnumber of addresses is 25.

Internet Group (I): This is a special configuration of the group name used tomanage WinNT domain names.

Domain Name (D): New in NT 4.0

For a quick and dirty look at a servers registered NetBIOS names and services,issue the following NBTSTAT command:

nbtstat -A [ipaddress]nbtstat -a [host]

[1.0.3] NetBIOS Sessions

The NetBIOS session service provides a connection-oriented, reliable, full-duplexmessage service to a user process. NetBIOS requires one process to be the client

and the other to be the server. NetBIOS session establishment requires apreordained cooperation between the two stations. One application must have issueda Listen command when another application issues a Call command. The Listencommand references a name in its NetBIOS name table (or WINS server), and also theremote name an application must use to qualify as a session partner. If thereceiver (listener) is not already listening, the Call will be unsuccessful. Ifthe call is successful, each application receives notification of sessionestablishment with the session-id. The Send and Receive commands the transferdata. At the end of a session, either application can issue a Hang-Up command.There is no real flow control for the session service because it is assumed a LANis fast enough to carry the required traffic.

[1.0.4] NetBIOS Datagrams

Datagrams can be sent to a specific name, sent to all members of a group, orbroadcast to the entire LAN. As with other datagram services, the NetBIOSdatagrams are connectionless and unreliable. The Send_Datagram command requiresthe caller to specify the name of the destination. If the destination is a groupname, then every member of the group receives the datagram. The caller of theReceive_Datagram command must specify the local name for which it wants to receivedatagrams. The Receive_Datagram command also returns the name of the sender, inaddition to the actual datagram data. If NetBIOS receives a datagram, but thereare no Receive_Datagram commands pending, then the datagram is discarded.


12/212

The Send_Broadcast_Datagram command sends the message to every NetBIOS system onthe local network. When a broadcast datagram is received by a NetBIOS node, everyprocess that has issued a Receive_Broadcast_Datagram command receives thedatagram. If none of these commands are outstanding when the broadcast datagram isreceived, the datagram is discarded.

NetBIOS enables an application to establish a session with another device and letsthe network redirector and transaction protocols pass a request to and from

another machine. NetBIOS does not actually manipulate the data. The NetBIOSspecification defines an interface to the network protocol used to reach thoseservices, not the protocol itself. Historically, has been paired with a networkprotocol called NetBEUI (network extended user interface). The association of theinterface and the protocol has sometimes caused confusion, but the two aredifferent.

Network protocols always provide at least one method for locating and connectingto a particular service on a network. This is usually accomplished by converting anode or service name to a network address (name resolution). NetBIOS service namesmust be resolved to an IP address before connections can be established withTCP/IP. Most NetBIOS implementations for TCP/IP accomplish name address resolutionby using either broadcast or LMHOSTS files. In a Microsoft enviroment, you would

probably also use a NetBIOS Namer Server known as WINS.

[1.0.5] NetBEUI Explained

NetBEUI is an enhanced version of the NetBIOS protocol used by network operatingsystems. It formalizes the transport frame that was never standardized in NetBIOSand adds additional functions. The transport layer driver frequently used byMicrosofts LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is theoriginal PC networking protocol and interface designed by IBM for the LanMangerServer. This protocol was later adopted by Microsoft for their networkingproducts. It specifies the way that higher level software sends and receivesmessages over the NetBIOS frame protocol. This protocol runs over the standard802.2 data-link protocol layer.

[1.0.6] NetBIOS Scopes

A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP(Known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolateNetBIOS traffic on a single network to only those nodes with the same NetBIOSscope ID. The NetBIOS scope ID is a character string that is appended to theNetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts willnot be able to communicate. The NetBIOS Scope ID also allows computers to use thesame computer namee as they have different scope IDs. The Scope ID becomes a partof the NetBIOS name, making the name unique.

[1.2.0] Preface to SMB's

The reason I decided to write this section was because recently the rhino9 teamhas been giving speeches and lectures. The two questions we most frequently comeacross is "What is NetBIOS?" and "What are SMBs?". Well I hope I have alreadyanswered the NetBIOS question with the section above. This particular section isbeing written to better help people understand SMB's.

[1.2.1] What are SMB's?

Server Message Blocks are a type of "messaging protocol" that LAN Manager (and NT)clients and servers use to communicate with each other. SMB's are a higher level


13/212

protocol that can be transported over NetBEUI, NetBIOS over IPX, and NetBIOS overTCP/IP (or NBT).

SMBs are used by Windows 3.X, Win95, WintNT and OS/2. When it comes to securityand the compromise of security on an NT network, the one thing to remember aboutSMBs is that it allows for remote access to shared directories, the registry, andother system services, making it a deadly protocol in the eyes of securityconscience people.

The SMB protocol was originally developed by IBM, and then jointly developed byMicrosoft and IBM. Network requests that are sent using SMB's are encoded asNetwork Control Blocks (NCB) data structures. The NCB data structures are encodedin SMB format for transmission across the network. SMB is used in many Microsoftand IBM networking software:

* MS-Net* IBM PC Network* IBM LAN Server* MS LAN Manager* LAN Manager for Unix* DEC Pathworks

* MS Windows for Workgroups* Ungermann-Bass Net/1* NT Networks through support for LAN Manager

SMB Messages can be categorized into four types:

Session Control: Used to establish or discontinue Redirector connections with aremote network resource such as a directory or printer. (The redirector isexplained below)

File: Used to access and manipulate file system resources on the remote computer.

Printer: Used by the Redirector to send print data to a remote printer or queue,

and to obtain the status of remote print devices.

Message: Used by applications and system components to send unicast or broadcastmessages.

[1.2.2] The Redirector

The Redirector is the component that enables a client computer to gain access toresources on another computer as if the remote resources were local to the clientcomputer. The Redirector communicates with other computers using the protocolstack.

The Redirectors primary function is to format remote requests so that they can be

understood by a remote station (such as a file server) and send them on their waythrough the network.

The Redirector uses the Server Message Block (SMB) structure as the standardvehicle for sending these requests. The SMB is also the vehicle by which stationsreturn responses to Redirector requests.

Each SMB contains a header consisting of the command code (which specifies thetask that the redirector wants the remote station to perform) and severalenvironment and parameter fields (which specify how the command should be carriedout).


14/212

In addition to the header, the last field in the SMB may contain up to 64K of datato be sent to the remote station.

[2.0.0] What is TCP/IP?

TCP/IP is a set of protocols developed to allow cooperating computers to shareresources across a network. It was developed by a community of researchers

centered around the ARPAnet (Advanced Research Projects Agency). Certainly theARPAnet is the best-known TCP/IP network. However as of June, 87, at least 130different vendors had products that support TCP/IP, and thousands of networks ofall kinds use it.

First some basic definitions. The most accurate name for the set of protocols weare describing is the "Internet protocol suite". TCP and IP are two of theprotocols in this suite. (They will be described below.) Because TCP and IP arethe best known of the protocols, it has become common to use the term TCP/IP torefer to the whole family.

The Internet is a collection of networks, including the Arpanet, NSFnet, regionalnetworks such as NYsernet, local networks at a number of University and research

institutions, and a number of military networks and a growing number of privatecorporation owned networks. The term "Internet" applies to this entire set ofnetworks. The subset of them that is managed by the Department of Defense isreferred to as the "DDN" (Defense Data Network). This includes some research-oriented networks, such as the Arpanet, as well as more strictly military ones.All of these networks are connected to each other. Users can send messages fromany of them to any other, except where there are security or other policyrestrictions on access.

Officially speaking, the Internet protocol documents are simply standards adoptedby the Internet community for its own use. More recently, the Department ofDefense issued a MILSPEC definition ofTCP/IP. This was intended to be a more formal definition, appropriate for use in

purchasing specifications. However most of the TCP/IP community continues to usethe Internet standards. The MILSPEC version is intended to be consistent with it.

Whatever it is called, TCP/IP is a family of protocols. A few provide "low-level"functions needed for many applications. These include IP, TCP, and UDP. (Thesewill be described in a bit more detail later.)Others are protocols for doing specific tasks, e.g. transferring files betweencomputers, sending mail, or finding out who is logged in on another computer.Initially TCP/IP was used mostly betweenminicomputers or mainframes. These machines had their own disks, and generallywere self-contained. Thus the most important "traditional" TCP/IP services are:

[2.0.1] File Transfer

The file transfer protocol (FTP) allows a user on any computerto get files from another computer, or to send files to anothercomputer. Security is handled by requiring the user to specify a username and password for the other computer, or logging into a system thatallows for Anonymous logins. Provisions are made forhandling file transfer between machines with different character set,end of line conventions, etc. This is not quite the same thing as morerecent "network file system" or "NetBIOS" protocols, which will bedescribed below. Rather, FTP is a utility that you run any time youwant to access a file on another system. You use it to copy the fileto your own system. You then work with the local copy. (See RFC 959


15/212

for specifications for FTP.)

[2.0.2] Remote LoginThe network terminal protocol (TELNET) allows a user to log in

on any other computer on the network. You start a remote session byspecifying a computer to connect to. From that time until you finishthe session, anything you type is sent to the other computer. Notethat you are really still talking to your own computer. But the telnet

program effectively makes your computer invisible while it isrunning. Every character you type is sent directly to the othersystem. Generally, the connection to the remote computer behaves muchlike a dialup connection. That is, the remote system will ask you tolog in and give a password, in whatever manner it would normally ask auser who had just dialed it up. When you log off of the othercomputer, the telnet program exits, and you will find yourself talkingto your own computer. Microcomputer implementations of telnetgenerally include a terminal emulator for some common type ofterminal. (See RFC's 854 and 855 for specifications for telnet. By theway, the telnet protocol should not be confused with Telenet, a vendorof commercial network services.)

[2.0.3] Computer MailThis allows you to send messages to users on other

computers. Originally, people tended to use only one or two specificcomputers. They would maintain "mail files" on those machines. Thecomputer mail system is simply a way for you to add a message toanother user's mail file. There are some problems with this in anenvironment where microcomputers are used. The most serious is that amicro is not well suited to receive computer mail. When you send mail,the mail software expects to be able to open a connection to theaddressee's computer, in order to send the mail. If this is amicrocomputer, it may be turned off, or it may be running anapplication other than the mail system. For this reason, mail isnormally handled by a larger system, where it is practical to have a

mail server running all the time. Microcomputer mail software thenbecomes a user interface that retrieves mail from the mailserver. (See RFC 821 and 822 for specifications for computer mail. SeeRFC 937 for a protocol designed for microcomputers to use in readingmail from a mail server.)

These services should be present in any implementation of TCP/IP, except thatmicro-oriented implementations may not support computer mail. These traditionalapplications still play a very important role in TCP/IP-based networks. Howevermore recently, the way in which networks are used has been changing. The oldermodel of a number of large, self-sufficient computers is beginning to change. Nowmany installations have several kinds of computers, including microcomputers,workstations, minicomputers, and mainframes. These computers are likely to be

configured to perform specializedtasks. Although people are still likely to work with one specific computer, thatcomputer will call on other systems on the net for specialized services. This hasled to the "server/client" model of network services. A server is a system thatprovides a specific service for the rest of the network. A client is anothersystem that uses that service. (Note that the server and client need not be ondifferent computers. They could be different programs running on the samecomputer.)

Here are the kinds of servers typically present in a modern computer setup. Notethat these computer services can all be provided within the framework of TCP/IP.


16/212

[2.0.4] Network File SystemsThis allows a system to access files on another computer in a

somewhat more closely integrated fashion than FTP. A network filesystem provides the illusion that disks or other devices from onesystem are directly connected to other systems. There is no need touse a special network utility to access a file on another system. Yourcomputer simply thinks it has some extra disk drives. These extra

"virtual" drives refer to the other system's disks. This capability isuseful for several different purposes. It lets you put large disks ona few computers, but still give others access to the disk space. Asidefrom the obvious economic benefits, this allows people working onseveral computers to share common files. It makes system maintenanceand backup easier, because you don't have to worry about updating andbacking up copies on lots of different machines. A number of vendorsnow offer high-performance diskless computers. These computers have nodisk drives at all. They are entirely dependent upon disks attached tocommon "file servers". (See RFC's 1001 and 1002 for a description ofPC-oriented NetBIOS over TCP. In the workstation and minicomputerarea, Sun's Network File System is more likely to be used. Protocolspecifications for it are available from Sun Microsystems.)

[2.0.5] Remote PrintingThis allows you to access printers on other computers as if

they were directly attached to yours. (The most commonly used protocolis the remote lineprinter protocol from Berkeley Unix. Unfortunately,there is no protocol document for this. However the C code is easilyobtained from Berkeley, so implementations are common.)

[2.0.6] Remote ExecutionThis allows you to request that a particular program be run on

a different computer. This is useful when you can do most of your workon a small computer, but a few tasks require the resources of a largersystem. There are a number of different kinds of remote execution.

Some operate on a command by command basis. That is, you request thata specific command or set of commands should run on some specificcomputer. (More sophisticated versions will choose a system thathappens to be free.) However there are also "remote procedure call"systems that allow a program to call a subroutine that will run onanother computer. (There are many protocols of this sort. BerkeleyUnix contains two servers to execute commands remotely: rsh andrexec. The man pages describe the protocols that they use. Theuser-contributed software with Berkeley 4.3 contains a "distributedshell" that will distribute tasks among a set of systems, dependingupon load. Remote procedure call mechanisms have been a topic forresearch for a number of years, so many organizations haveimplementations of such facilities. The most widespread

commercially-supported remote procedure call protocols seem to beXerox's Courier and Sun's RPC. Protocol documents are available fromXerox and Sun. There is a public implementation of Courier over TCP aspart of the user-contributed software with Berkeley 4.3. Animplementation of RPC was posted to Usenet by Sun, and also appears aspart of the user-contributed software with Berkeley 4.3.)

[2.0.7] Name ServersIn large installations, there are a number of different

collections of names that have to be managed. This includes users andtheir passwords, names and network addresses for computers, and


17/212

accounts. It becomes very tedious to keep this data up to date on allof the computers. Thus the databases are kept on a small number ofsystems. Other systems access the data over the network. (RFC 822 and823 describe the name server protocol used to keep track of host namesand Internet addresses on the Internet. This is now a required part ofany TCP/IP implementation. IEN 116 describes an older name serverprotocol that is used by a few terminal servers and other products tolook up host names. Sun's Yellow Pages system is designed as a general

mechanism to handle user names, file sharing groups, and otherdatabases commonly used by Unix systems. It is widely availablecommercially. Its protocol definition is available from Sun.)

[2.0.8] Terminal ServersMany installations no longer connect terminals directly to

computers. Instead they connect them to terminal servers. A terminalserver is simply a small computer that only knows how to run telnet(or some other protocol to do remote login). If your terminal isconnected to one of these, you simply type the name of a computer, andyou are connected to it. Generally it is possible to have activeconnections to more than one computer at the same time. The terminalserver will have provisions to switch between connections rapidly, and

to notify you when output is waiting for another connection. (Terminalservers use the telnet protocol, already mentioned. However any realterminal server will also have to support name service and a number ofother protocols.)

[2.0.9] Network-Oriented Window SystemsUntil recently, high- performance graphics programs had to

execute on a computer that had a bit-mapped graphics screen directlyattached to it. Network window systems allow a program to use adisplay on a different computer. Full-scale network window systemsprovide an interface that lets you distribute jobs to the systems thatare best suited to handle them, but still give you a singlegraphically-based user interface. (The most widely-implemented window

system is X. A protocol description is available from MIT's ProjectAthena. A reference implementation is publicly available from MIT. Anumber of vendors are also supporting NeWS, a window system defined bySun. Both of these systems are designed to use TCP/IP.)

Note that some of the protocols described above were designed by Berkeley, Sun, orother organizations. Thus they are not officially part of the Internet protocolsuite. However they are implementedusing TCP/IP, just as normal TCP/IP application protocols are. Since the protocoldefinitions are not considered proprietary, and since commercially-supportimplementations are widely available, it isreasonable to think of these protocols as being effectively part of the Internetsuite.

Also note that the list above is simply a sample of the sort of services availablethrough TCP/IP. However it does contain the majority of the "major" applications.The other commonly-used protocols tend to bespecialized facilities for getting information of various kinds, such as who islogged in, the time of day, etc. However if you need a facility that is not listedhere, we encourage you to look through the current edition of Internet Protocols(currently RFC 1011), which lists all of the available protocols, and also to lookat some of the major TCP/IP implementations to see what various vendors haveadded.


18/212

[2.1.0] General description of the TCP/IP protocols

TCP/IP is a layered set of protocols. In order to understand what this means, itis useful to look at an example. A typical situation is sending mail. First, thereis a protocol for mail. This defines a set of commands which one machine sends toanother, e.g. commands to specify who the sender of the message is, who it isbeing sent to, and then the text of the message. However this protocol assumesthat there is a way to communicate reliably between the two computers. Mail, like

other application protocols, simply defines a set of commands and messages to besent. It is designed to be used together with TCP and IP.

TCP is responsible for making sure that the commands get through to the other end.It keeps track of what is sent, and retransmits anything that did not get through.If any message is too large for onedatagram, e.g. the text of the mail, TCP will split it up into several datagrams,and make sure that they all arrive correctly. Since these functions are needed formany applications, they are put together intoa separate protocol, rather than being part of the specifications for sendingmail. You can think of TCP as forming a library of routines that applications canuse when they need reliable networkcommunications with another computer.

Similarly, TCP calls on the services of IP. Although the services that TCPsupplies are needed by many applications, there are still some kinds ofapplications that don't need them. However there are someservices that every application needs. So these services are put together into IP.As with TCP, you can think of IP as a library of routines that TCP calls on, butwhich is also available to applications that don't use TCP. This strategy ofbuilding several levels of protocol is called "layering". We think of theapplications programs such as mail, TCP, and IP, as being separate "layers", eachof which calls on the services of the layer below it. Generally, TCP/IPapplications use 4 layers: an application protocol such as mail, a protocol suchas TCP that provides services need by many applications IP, which provides thebasic service of getting datagrams to their destination the protocols needed to

manage a specific physical medium, such as Ethernet or a point to point line.

TCP/IP is based on the "catenet model". (This is described in more detail in IEN48.) This model assumes that there are a large number of independent networksconnected together by gateways. The user should be able to access computers orother resources on any of these networks. Datagrams will often pass through adozen different networks before getting to their final destination.

The routing needed to accomplish this should be completely invisible to the user.As far as the user is concerned, all he needs to know in order to access anothersystem is an "Internet address". This is anaddress that looks like 128.6.4.194. It is actually a 32-bit number. However it isnormally written as 4 decimal numbers, each representing 8 bits of the address.

(The term "octet" is used by Internet documentation for such 8-bit chunks. Theterm "byte" is not used, because TCP/IP is supported by some computers that havebyte sizes other than 8 bits.) Generally the structure of the address givesyou some information about how to get to the system. For example, 128.6 is anetwork number assigned by a central authority to Rutgers University. Rutgers usesthe next octet to indicate which of thecampus Ethernets is involved. 128.6.4 happens to be an Ethernet used by theComputer Science Department. The last octet allows for up to 254 systems on eachEthernet. (It is 254 because 0 and 255 are not allowed, for reasons that will bediscussed later.) Note that 128.6.4.194 and 128.6.5.194 would be differentsystems. The structure of an Internet address is described in a bit more detail


19/212

later.

Of course we normally refer to systems by name, rather than by Internet address.When we specify a name, the network software looks it up in a database, and comesup with the corresponding Internetaddress.

Most of the network software deals strictly in terms of the address. (RFC 882

describes the name server technology used to handle this lookup.) TCP/IP is builton "connectionless" technology. Information is transferred as a sequence of"datagrams". A datagram is a collection of data that is sent as a singlemessage. Each of these datagrams is sent through the network individually. Thereare provisions to open connections (i.e. to start a conversation that willcontinue for some time). However at some level, information from those connectionsis broken up into datagrams, and those datagrams are treated by the network ascompletely separate.

For example, suppose you want to transfer a 15000 octet file. Most networks can'thandle a 15000 octet datagram. So the protocols will break this up into somethinglike 30 500-octet datagrams. Each of these datagrams will be sent to the otherend. At that point, they will be put back together into the 15000-octet

file. However while those datagrams are in transit, the network doesn't know thatthere is any connection between them. It is perfectly possible that datagram 14will actually arrive before datagram 13. It is also possible that somewhere in thenetwork, an error will occur, and some datagram won't get through at all. In thatcase, that datagram has to be sent again.

Note by the way that the terms "datagram" and "packet" often seem to be nearlyinterchangable. Technically, datagram is the right word to use when describingTCP/IP. A datagram is a unit of data, which is what the protocols deal with. Apacket is a physical thing, appearing on an Ethernet or some wire. In most cases apacket simply contains a datagram, so there is very little difference. Howeverthey can differ. When TCP/IP is used on top of X.25, the X.25 interface breaks thedatagrams up into 128-byte packets. This is invisible to IP, because the packets

are put back together into a single datagram atthe other end before being processed by TCP/IP. So in this case, one IP datagramwould be carried by several packets. However with most media, there are efficiencyadvantages to sending one datagram perpacket, and so the distinction tends to vanish.

[2.1.1] The TCP Level

Two separate protocols are involved in handling TCP/IP datagrams. TCP (the"transmission control protocol") is responsible for breaking up the message intodatagrams, reassembling them at the other end, resending anything that gets lost,and putting things back in the right order. IP (the "internet protocol") isresponsible for routing individual datagrams. It may seem like TCP is doing all

the work. Andin small networks that is true. However in the Internet, simply getting a datagramto its destination can be a complex job. A connection may require the datagram togo through several networks at Rutgers, a serial line to the John von NeumanSupercomputer Center, a couple of Ethernets there, a series of 56Kbaud phone linesto another NSFnet site, and more Ethernets on another campus. Keeping track ofthe routes to all of the destinations and handling incompatibilities amongdifferent transport media turns out to be a complex job.

Note that the interface between TCP and IP is fairly simple. TCP simply hands IP adatagram with a destination. IP doesn't know how this datagram relates to any


20/212

datagram before it or after it. It mayhave occurred to you that something is missing here. We have talked about Internetaddresses, but not about how you keep track of multiple connections to a givensystem. Clearly it isn't enough to get adatagram to the right destination. TCP has to know which connection this datagramis part of.

This task is referred to as "demultiplexing." In fact, there are several levels of

demultiplexing going on in TCP/IP. The information needed to do thisdemultiplexing is contained in a series of "headers". A header is simply a fewextra octets tacked onto the beginning of a datagram by some protocol in order tokeep track of it. It's a lot like putting a letter into an envelope and putting anaddress on the outside of the envelope. Except with modern networks it happensseveral times. It's like you put the letter into a littleenvelope, your secretary puts that into a somewhat bigger envelope, the campusmail center puts that envelope into a still bigger one, etc.

Here is an overview of the headers that get stuck on a message that passes througha typical TCP/IP network:

We start with a single data stream, say a file you are trying to send to some

other computer:

TCP breaks it up into manageable chunks. (In order to do this, TCP has to know howlarge a datagram your network can handle. Actually, the TCP's at each end say howbig a datagram they can handle, and then they pick the smallest size.)

TCP puts a header at the front of each datagram. This header actually contains atleast 20 octets, but the most important ones are a source and destination "portnumber" and a "sequence number". The portnumbers are used to keep track of different conversations. Suppose 3 differentpeople are transferring files. Your TCP might allocate port numbers 1000, 1001,and 1002 to these transfers. When you are sending a datagram, this becomes the"source" port number, since you are the source of the datagram. Of course the TCP

at the other end has assigned a port number of its own for the conversation. YourTCP has to know the port number used by the other end as well. (It finds out whenthe connection starts, as we will explain below.) It puts this in the"destination" port field. Of course if the other end sends adatagram back to you, the source and destination port numbers will be reversed,since then it will be the source and you will be the destination.

Each datagram has a sequence number. This is used so that the other end can makesure that it gets the datagrams in the right order, and that it hasn't missed any.(See the TCP specification fordetails.) TCP doesn't number the datagrams, but the octets. So if there are 500octets of data in each datagram, the first datagram might be numbered 0, thesecond 500, the next 1000, the next 1500,

etc.

Finally, I will mention the Checksum. This is a number that is computed by addingup all the octets in the datagram (more or less - see the TCP spec). The result isput in the header. TCP at the other end computes the checksum again. If theydisagree, then something bad happened to the datagram in transmission, and it isthrown away.

The window is used to control how much data can be in transit at any one time. Itis not practical to wait for each datagram to be acknowledged before sending thenext one. That would slow things down


21/212


22/212

[2.1.3] The Ethernet level

Most of our networks these days use Ethernet. So now we have to describeEthernet's headers. Unfortunately, Ethernet has its own addresses. The people whodesigned Ethernet wanted to make sure that no two machines would end up with thesame Ethernet address. Furthermore, they didn't want the user to have to worryabout assigning addresses. So each Ethernet controller comes with an address

builtin from the factory. In order to make sure that they would never have toreuse addresses, the Ethernet designers allocated 48 bits for the Ethernetaddress. People who make Ethernet equipment have toregister with a central authority, to make sure that the numbers they assign don'toverlap any other manufacturer.

Ethernet is a "broadcast medium". That is, it is in effect like an old party linetelephone. When you send a packet out on the Ethernet, every machine on thenetwork sees the packet. So something is neededto make sure that the right machine gets it. As you might guess, this involves theEthernet header. Every Ethernet packet has a 14-octet header that includes thesource and destination Ethernet address, anda type code. Each machine is supposed to pay attention only to packets with its

own Ethernet address in the destination field. (It's perfectly possible to cheat,which is one reason that Ethernet communications are not terribly secure.)

Note that there is no connection between the Ethernet address and the Internetaddress. Each machine has to have a table of what Ethernet address corresponds towhat Internet address. (We will describe howthis table is constructed a bit later.) In addition to the addresses, the headercontains a type code. The type code is to allow for several different protocolfamilies to be used on the same network. So you canuse TCP/IP, DECnet, Xerox NS, etc. at the same time. Each of them will put adifferent value in the type field. Finally, there is a checksum. The Ethernetcontroller computes a checksum of the entirepacket. When the other end receives the packet, it recomputes the checksum, and

throws the packet away if the answer disagrees with the original. The checksum isput on the end of the packet, not in theheader.

When these packets are received by the other end, of course all the headers areremoved. The Ethernet interface removes the Ethernet header and the checksum. Itlooks at the type code. Since the typecode is the one assigned to IP, the Ethernet device driver passes the datagram upto IP. IP removes the IP header. It looks at the IP protocol field. Since theprotocol type is TCP, it passes the datagramup to TCP. TCP now looks at the sequence number. It uses the sequence numbers andother information to combine all the datagrams into the original file. The endsour initial summary of TCP/IP. There are

still some crucial concepts we haven't gotten to, so we'll now go back and adddetails in several areas. (For detailed descriptions of the items discussed heresee, RFC 793 for TCP, RFC 791 for IP, and RFC's894 and 826 for sending IP over Ethernet.)

[2.1.4] Well-Known Sockets And The Applications Layer

So far, we have described how a stream of data is broken up into datagrams, sentto another computer, and put back together. However something more is needed inorder to accomplish anything useful. Therehas to be a way for you to open a connection to a specified computer, log into it,


23/212

tell it what file you want, and control the transmission of the file. (If you havea different application in mind, e.g. computer mail, some analogous protocol isneeded.) This is done by "application protocols".

The application protocols run "on top" of TCP/IP. That is, when they want to senda message, they give the message to TCP. TCP makes sure it gets delivered to theother end. Because TCP and IP take care of all the networking details, theapplications protocols can treat a network connection as if it were a simple byte

stream, like a terminal or phone line. Before going into more details aboutapplicationsprograms, we have to describe how you find an application.

Suppose you want to send a file to a computer whose Internet address is 128.6.4.7.To start the process, you need more than just the Internet address. You have toconnect to the FTP server at the otherend. In general, network programs are specialized for a specific set of tasks.Most systems have separate programs to handle file transfers, remote terminallogins, mail, etc. When you connect to128.6.4.7, you have to specify that you want to talk to the FTP server. This isdone by having "well-known sockets" for each server. Recall that TCP uses portnumbers to keep track of individual conversations. User programs normally use more

or less random port numbers. However specific port numbers are assigned to theprograms that sit waiting for requests.

For example, if you want to send a file, you will start a program called "ftp". Itwill open a connection using some random number, say 1234, for the port number onits end. However it will specify portnumber 21 for the other end. This is the official port number for the FTP server.Note that there are two different programs involved. You run ftp on your side.This is a program designed to accept commandsfrom your terminal and pass them on to the other end. The program that you talk toon the other machine is the FTP server. It is designed to accept commands from thenetwork connection, rather than aninteractive terminal. There is no need for your program to use a well-known socket

number for itself. Nobody is trying to find it. However the servers have to havewell-known numbers, so that people can open connections to them and start sendingthem commands. The official port numbers for each program are given in "AssignedNumbers".

Note that a connection is actually described by a set of 4 numbers: the Internetaddress at each end, and the TCP port number at each end. Every datagram has allfour of those numbers in it. (The Internetaddresses are in the IP header, and the TCP port numbers are in the TCP header.)In order to keep things straight, no two connections can have the same set ofnumbers. However it is enough for any one numberto be different. For example, it is perfectly possible for two different users ona machine to be sending files to the same other machine. This could result in

connections with the following parameters:

Internet addresses TCP portsconnection 1 128.6.4.194, 128.6.4.7 1234, 21connection 2 128.6.4.194, 128.6.4.7 1235, 21

Since the same machines are involved, the Internet addresses are the same. Sincethey are both doing file transfers, one end of the connection involves the well-known port number for FTP. The only thingthat differs is the port number for the program that the users are running. That'senough of a difference. Generally, at least one end of the connection asks the


24/212


25/212

Note that TCP and IP do not care about the representation. TCP simply sendsoctets. However the programs at both ends have to agree on how the octets are tobe interpreted. The RFC for each application specifies the standard representationfor that application. Normally it is "net ASCII". This uses ASCII characters, withend of line denoted by a carriage return followed by a line feed. For remotelogin, there is also a definition of a "standard terminal", which turns out to bea half-duplex terminal with echoing happening on the local machine. Most

applications also make provisions for the twocomputers to agree on other representations that they may find more convenient.For example, PDP-10's have 36-bit words. There is a way that two PDP-10's canagree to send a 36-bit binary file. Similarly,two systems that prefer full-duplex terminal conversations can agree on that.However each application has a standard representation, which every machine mustsupport.

Keep in mind that it has become common practice for some corporations to change aservices port number on the server side. If your client software is not configuredwith the same port number, connection will not be successful. We will discusslater in this text how you can perform port scanning on an entire IP address tosee which ports are active.

[2.1.5] Other IP ProtocolsProtocols other than TCP: UDP and ICMP

So far, we have described only connections that use TCP. Recall that TCP isresponsible for breaking up messages into datagrams, and reassembling themproperly. However in many applications, we havemessages that will always fit in a single datagram. An example is name lookup.When a user attempts to make a connection to another system, he will generallyspecify the system by name, rather than Internetaddress. His system has to translate that name to an address before it can doanything. Generally, only a few systems have the database used to translate namesto addresses. So the user's system will want to send a query to one of the systems

that has the database. This query is going to be very short. It will certainly fitin one datagram. So will the answer. Thus it seems silly to use TCP. Of course TCPdoesmore than just break things up into datagrams. It also makes sure that the dataarrives, resending datagrams where necessary. But for a question that fits in asingle datagram, we don't need all thecomplexity of TCP to do this. If we don't get an answer after a few seconds, wecan just ask again. For applications like this, there are alternatives to TCP.

The most common alternative is UDP ("user datagram protocol"). UDP is designed forapplications where you don't need to put sequences of datagrams together. It fitsinto the system much like TCP. There is aUDP header. The network software puts the UDP header on the front of your data,

just as it would put a TCP header on the front of your data. Then UDP sends thedata to IP, which adds the IP header, puttingUDP's protocol number in the protocol field instead of TCP's protocol number.However UDP doesn't do as much as TCP does. It doesn't split data into multipledatagrams. It doesn't keep track of what it hassent so it can resend if necessary. About all that UDP provides is port numbers,so that several programs can use UDP at once. UDP port numbers are used just likeTCP port numbers. There are well-known portnumbers for servers that use UDP. Note that the UDP header is shorter than a TCPheader. It still has source and destination port numbers, and a checksum, butthat's about it. No sequence number, since it is not needed. UDP is used by the


26/212

protocols that handle name lookups (see IEN 116, RFC 882, and RFC 883), and anumber of similar protocols.

Another alternative protocol is ICMP ("Internet Control Message Protocol"). ICMPis used for error messages, and other messages intended for the TCP/IP softwareitself, rather than any particularuser program. For example, if you attempt to connect to a host, your system mayget back an ICMP message saying "host unreachable". ICMP can also be used to find

out some information about the network. See RFC 792 for details of ICMP. ICMP issimilar to UDP, in that it handles messages that fit in one datagram. However itis even simpler than UDP. It doesn't even have port numbers in its header. Sinceall ICMP messages are interpreted by the network software itself, no port numbersare needed to say where a ICMP message is supposed to go.

[2.1.6] Domain Name SystemKeeping track of names and information: the domain system

As we indicated earlier, the network software generally needs a 32-bit Internetaddress in order to open a connection or send a datagram. However users prefer todeal with computer names rather thannumbers. Thus there is a database that allows the software to look up a name and

find the corresponding number. When the Internet was small, this was easy. Eachsystem would have a file that listed all of theother systems, giving both their name and number. There are now too many computersfor this approach to be practical. Thus these files have been replaced by a set ofname servers that keep track of hostnames and the corresponding Internet addresses. (In fact these servers aresomewhat more general than that. This is just one kind of information stored inthe domain system.)

Note that a set of interlocking servers are used, rather than a single centralone. There are now so many different institutions connected to the Internet thatit would be impractical for them to notify a centralauthority whenever they installed or moved a computer. Thus naming authority is

delegated to individual institutions. The name servers form a tree, correspondingto institutional structure. The namesthemselves follow a similar structure.

A typical example is the name BORAX.LCS.MIT.EDU. This is a computer at theLaboratory for Computer Science (LCS) at MIT. In order to find its Internetaddress, you might potentially have to consult 4different servers. First, you would ask a central server (called the root) wherethe EDU server is. EDU is a server that keeps track of educational institutions.The root server would give you the names andInternet addresses of several servers for EDU. (There are several servers at eachlevel, to allow for the possibly that one might be down.) You would then ask EDUwhere the server for MIT is. Again, it

would give you names and Internet addresses of several servers for MIT. Generally,not all of those servers would be at MIT, to allow for the possibility of ageneral power failure at MIT. Then you would askMIT where the server for LCS is, and finally you would ask one of the LCS serversabout BORAX. The final result would be the Internet address for BORAX.LCS.MIT.EDU.Each of these levels is referred to asa "domain". The entire name, BORAX.LCS.MIT.EDU, is called a "domain name". (So arethe names of the higher-level domains, such as LCS.MIT.EDU, MIT.EDU, and EDU.)

Fortunately, you don't really have to go through all of this most of the time.First of all, the root name servers also happen to be the name servers for the


27/212

top-level domains such as EDU. Thus a singlequery to a root server will get you to MIT. Second, software generally remembersanswers that it got before. So once we look up a name at LCS.MIT.EDU, our softwareremembers where to find servers forLCS.MIT.EDU, MIT.EDU, and EDU. It also remembers the translation ofBORAX.LCS.MIT.EDU. Each of these pieces of information has a "time to live"associated with it. Typically this is a few days. After that,the information expires and has to be looked up again. This allows institutions to

change things.

The domain system is not limited to finding out Internet addresses. Each domainname is a node in a database. The node can have records that define a number ofdifferent properties. Examples areInternet address, computer type, and a list of services provided by a computer. Aprogram can ask for a specific piece of information, or all information about agiven name. It is possible for a node in thedatabase to be marked as an "alias" (or nickname) for another node. It is alsopossible to use the domain system to store information about users, mailing lists,or other objects.

There is an Internet standard defining the operation of these databases, as well

as the protocols used to make queries of them. Every network utility has to beable to make such queries, since this is now the official way to evaluate hostnames. Generally utilities will talk to a server on their own system. This serverwill take care of contacting the other servers for them. This keeps down theamount of code that has to be in each application program.

The domain system is particularly important for handling computer mail. There areentry types to define what computer handles mail for a given name, to specifywhere an individual is to receive mail, and todefine mailing lists. (See RFC's 882, 883, and 973 for specifications of thedomain system. RFC 974 defines the use of the domain system in sending mail.)

[2.1.7] Routing

The description above indicated that the IP implementation is responsible forgetting datagrams to the destination indicated by the destination address, butlittle was said about how this would bedone. The task of finding how to get a datagram to its destination is referred toas "routing". In fact many of the details depend upon the particularimplementation. However some general things can be said.

First, it is necessary to understand the model on which IP is based. IP assumesthat a system is attached to some local network. We assume that the system cansend datagrams to any other system on its own network. (In the case of Ethernet,it simply finds the Ethernet address of the destination system, and puts thedatagram out on the Ethernet.) The problem comes when a system is asked to send a

datagram to a system on a different network. This problem is handled by gateways.A gateway is a system that connects a network with one or more other networks.Gateways are often normal computers that happen to have more than one networkinterface. For example, we have a Unix machine that has two different Ethernetinterfaces. Thus it is connected to networks 128.6.4 and 128.6.3. This machine canact as a gateway between those two networks. The software on that machine must beset up so that it will forward datagrams from one network to the other. That is,if a machine on network 128.6.4 sends a datagram to the gateway, and the datagramis addressed to a machine on network128.6.3, the gateway will forward the datagram to the destination. Majorcommunications centers often have gateways that connect a number of different


28/212

networks. (In many cases, special-purpose gateway systems provide betterperformance or reliability than general-purpose systems acting as gateways. Anumber of vendors sell such systems.)

Routing in IP is based entirely upon the network number of the destinationaddress. Each computer has a table of network numbers. For each network number, agateway is listed. This is the gateway to beused to get to that network. Note that the gateway doesn't have to connect

directly to the network. It just has to be the best place to go to get there. Forexample at Rutgers, our interface to NSFnet is atthe John von Neuman Supercomputer Center (JvNC). Our connection to JvNC is via ahigh-speed serial line connected to a gateway whose address is 128.6.3.12. Systemson net 128.6.3 will list 128.6.3.12 asthe gateway for many off-campus networks. However systems on net 128.6.4 will list128.6.4.1 as the gateway to those same off-campus networks. 128.6.4.1 is thegateway between networks 128.6.4 and128.6.3, so it is the first step in getting to JvNC.

When a computer wants to send a datagram, it first checks to see if thedestination address is on the system's own local network. If so, the datagram canbe sent directly. Otherwise, the system expects to

find an entry for the network that the destination address is on. The datagram issent to the gateway listed in that entry. This table can get quite big. Forexample, the Internet now includes several hundredindividual networks. Thus various strategies have been developed to reduce thesize of the routing table. One strategy is to depend upon "default routes". Often,there is only one gateway out of a network. This gateway might connect a localEthernet to a campus-wide backbone network. In that case, we don't need to have aseparate entry for every network in the world. We simply define that gateway as a"default". When no specific route is found for a datagram, the datagram is sent tothe default gateway. A default gateway can even be used when there are severalgateways on a network. There are provisions for gateways to send a message saying"I'm not the best gateway -- use this one instead." (The message is sent via ICMP.See RFC 792.) Most network software is designed to use these messages to add

entries to their routing tables. Suppose network 128.6.4 has two gateways,128.6.4.59 and 128.6.4.1. 128.6.4.59 leads to several other internal Rutgersnetworks. 128.6.4.1 leads indirectly to the NSFnet. Suppose we set 128.6.4.59 as adefault gateway, and have no other routing table entries. Now what happens when weneed to send a datagram to MIT? MIT is network 18. Since we have no entry fornetwork 18, the datagram will be sent to the default, 128.6.4.59. As it happens,this gateway is the wrong one. So it will forward thedatagram to 128.6.4.1. But it will also send back an error saying in effect: "toget to network 18, use 128.6.4.1". Our software will then add an entry to therouting table. Any future datagrams to MIT will then go directly to 128.6.4.1.(The error message is sent using the ICMP protocol. The message type is called"ICMP redirect.")

Most IP experts recommend that individual computers should not try to keep trackof the entire network. Instead, they should start with default gateways, and letthe gateways tell them the routes, as justdescribed. However this doesn't say how the gateways should find out about theroutes. The gateways can't depend upon this strategy. They have to have fairlycomplete routing tables. For this, some sort ofrouting protocol is needed. A routing protocol is simply a technique for thegateways to find each other, and keep up to date about the best way to get toevery network. RFC 1009 contains a review ofgateway design and routing. However rip.doc is probably a better introduction tothe subject. It contains some tutorial material, and a detailed description of the


29/212

most commonly-used routing protocol.

[2.1.8] Subnets and BroadcastingDetails about Internet Addresses: Subnets and Broadcasting

As indicated earlier, Internet addresses are 32-bit numbers, normally written as 4octets (in decimal), e.g. 128.6.4.7. There are actually 3 different types ofaddress. The problem is that the address has to

indicate both the network and the host within the network. It was felt thateventually there would be lots of networks. Many of them would be small, butprobably 24 bits would be needed to represent all the IPnetworks. It was also felt that some very big networks might need 24 bits torepresent all of their hosts. This would seem to lead to 48 bit addresses. But thedesigners really wanted to use 32 bitaddresses. So they adopted a kludge.

The assumption is that most of the networks will be small. So they set up threedifferent ranges of address. Addresses beginning with 1 to 126 use only the firstoctet for the network number. The other three octets are available for the hostnumber. Thus 24 bits are available for hosts. These numbers are used for largenetworks. But there can only be 126 of these very big networks. The Arpanet is

one, and there are a few large commercial networks. But few normal organizationsget one of these "class A" addresses. For normal large organizations, "class B"addresses are used. Class B addresses use the first two octets for the networknumber. Thus network numbers are 128.1 through 191.254. (We avoid 0 and 255, forreasons that we see below. We also avoid addresses beginning with 127, becausethat is used by some systems for special purposes.) The last two octets areavailable for host addesses, giving 16 bits of host address. This allows for 64516computers, which should be enough for most organizations. (It is possible to getmore than one class B address, if you run out.) Finally, class C addresses usethree octets, in the range 192.1.1 to 223.254.254. These allow only 254 hosts oneach network, but there canbe lots of these networks. Addresses above 223 are reserved for future use, asclass D and E (which are currently not defined).

Many large organizations find it convenient to divide their network number into"subnets". For example, Rutgers has been assigned a class B address, 128.6. Wefind it convenient to use the third octet of theaddress to indicate which Ethernet a host is on. This division has no significanceoutside of Rutgers. A computer at another institution would treat all datagramsaddressed to 128.6 the same way. They wouldnot look at the third octet of the address. Thus computers outside Rutgers wouldnot have different routes for 128.6.4 or 128.6.5. But inside Rutgers, we treat128.6.4 and 128.6.5 as separate networks. Ineffect, gateways inside Rutgers have separate entries for each Rutgers subnet,whereas gateways outside Rutgers just have one entry for 128.6.

Note that we could do exactly the same thing by using a separate class C addressfor each Ethernet. As far as Rutgers is concerned, it would be just as convenientfor us to have a number of class Caddresses. However using class C addresses would make things inconvenient for therest of the world. Every institution that wanted to talk to us would have to havea separate entry for each one of ournetworks. If every institution did this, there would be far too many networks forany reasonable gateway to keep track of. By subdividing a class B network, we hideour internal structure from everyone else,and save them trouble. This subnet strategy requires special provisions in thenetwork software. It is described in RFC 950.


30/212

0 and 255 have special meanings. 0 is reserved for machines that don't know theiraddress. In certain circumstances it is possible for a machine not to know thenumber of the network it is on, or even itsown host address. For example, 0.0.0.23 would be a machine that knew it was hostnumber 23, but didn't know on what network.

255 is used for "broadcast". A broadcast is a message that you want every system

on the network to see. Broadcasts are used in some situations where you don't knowwho to talk to. For example, supposeyou need to look up a host name and get its Internet address. Sometimes you don'tknow the address of the nearest name server. In that case, you might send therequest as a broadcast. There are also cases where a number of systems areinterested in information. It is then less expensive to send a single broadcastthan to send datagrams individually to each host that is interested in theinformation. In order to send a broadcast, you use an address that is made byusing your network address, with all ones in the part of the address where thehost number goes. For example, if you are on network 128.6.4, you would use128.6.4.255 for broadcasts. How this is actually implemented depends upon themedium. It is not possible to send broadcasts on the Arpanet, or on point to pointlines. However it is possible on an Ethernet. If you use an Ethernet address with

all its bits on (all ones), every machine on the Ethernet is supposed to look atthat datagram.

Although the official broadcast address for network 128.6.4 is now 128.6.4.255,there are some other addresses that may be treated as broadcasts by certainimplementations. For convenience, the standardalso allows 255.255.255.255 to be used. This refers to all hosts on the localnetwork. It is often simpler to use 255.255.255.255 instead of finding out thenetwork number for the local network and forming abroadcast address such as 128.6.4.255. In addition, certain older implementationsmay use 0 instead of 255 to form the broadcast address. Such implementations woulduse 128.6.4.0 instead of 128.6.4.255 as the broadcast address on network 128.6.4.Finally, certain older implementations may not understand about subnets. Thus they

consider the network number to be 128.6. In that case, they will assume abroadcast address of 128.6.255.255 or 128.6.0.0. Until support for broadcasts isimplemented properly, it can be a somewhat dangerous feature to use.

Because 0 and 255 are used for unknown and broadcast addresses, normal hostsshould never be given addresses containing 0 or 255. Addresses should never beginwith 0, 127, or any number above 223. Addresses violating these rules aresometimes referred to as "Martians", because of rumors that the Central Universityof Mars is using network 225.

[2.1.9] Datagram Fragmentation and Reassembly

TCP/IP is designed for use with many different kinds of network. Unfortunately,

network designers do not agree about how big packets can be. Ethernet packets canbe 1500 octets long. Arpanet packets have a maximum of around 1000 octets. Somevery fast networks have much larger packet sizes. At first, you might think thatIP should simply settle on the smallest possible size. Unfortunately, this wouldcause serious performance problems. When transferring large files, big packets arefar more efficient than small ones. So we want to be able to use the largestpacket size possible. But we also want to be able to handle networks with smalllimits.

There are two provisions for this. First, TCP has the ability to "negotiate" aboutdatagram size. When a TCP connection first opens, both ends can send the maximum


31/212

datagram size they can handle. Thesmaller of these numbers is used for the rest of the connection. This allows twoimplementations that can handle big datagrams to use them, but also lets them talkto implementations that can't handle them. However this doesn't completely solvethe problem. The most serious problem is that the two ends don't necessarily knowabout all of the steps in between. For example, when sending data between Rutgersand Berkeley, it is likely that both computers will be on Ethernets. Thus theywill both be prepared to handle 1500-octet datagrams. However the connection will

at some point end up going over the Arpanet. It can't handle packets of that size.For this reason, there are provisions to split datagrams up into pieces. (This isreferred to as "fragmentation".) The IP header contains fields indicating thedatagram has been split, and enough information to let the pieces be put backtogether. If a gateway connects an Ethernetto the Arpanet, it must be prepared to take 1500-octet Ethernet packets and splitthem into pieces that will fit on the Arpanet. Furthermore, every hostimplementation of TCP/IP must be prepared to accept pieces and put them backtogether. This is referred to as "reassembly".

TCP/IP implementations differ in the approach they take to deciding on datagramsize. It is fairly common for implementations to use 576-byte datagrams wheneverthey can't verify that the entire path is able to

handle larger packets. This rather conservative strategy is used because of thenumber of implementations with bugs in the code to reassemble fragments.Implementors often try to avoid ever having fragmentation occur. Differentimplementors take different approaches to deciding when it is safe to use largedatagrams. Some use them only for the local network. Others will use them for anynetwork on the same campus. 576 bytes is a "safe" size, which every implementationmust support.

[2.2.0] Ethernet encapsulation: ARP

There was a brief discussion earlier about what IP datagrams look like on anEthernet. The discussion showed the Ethernet header and checksum. However it leftone hole: It didn't say how to figure out

what Ethernet address to use when you want to talk to a given Internet address. Infact, there is a separate protocol for this, called ARP ("address resolutionprotocol"). (Note by the way that ARP is not an IP protocol. That is, the ARPdatagrams do not have IP headers.)

Suppose you are on system 128.6.4.194 and you want to connect to system 128.6.4.7.Your system will first verify that 128.6.4.7 is on the same network, so it cantalk directly via Ethernet. Then it will look up 128.6.4.7 in its ARP table, tosee if it already knows the Ethernet address. If so, it will stick on an Ethernetheader, and send the packet. But suppose this system is not in the ARP table.There isno way to send the packet, because you need the Ethernet address. So it uses theARP protocol to send an ARP request. Essentially an ARP request says "I need the

Ethernet address for 128.6.4.7". Every system listens to ARP requests. When asystem sees an ARP request for itself, it is required to respond. So 128.6.4.7will see the request, and will respond with an ARP reply saying in effect"128.6.4.7 is8:0:20:1:56:34". (Recall that Ethernet addresses are 48 bits. This is 6 octets.Ethernet addresses are conventionally shown in hex, using the punctuation shown.)Your system will save this information in itsARP table, so future packets will go directly. Most systems treat the ARP table asa cache, and clear entries in it if they have not been used in a certain period oftime.


32/212

Note by the way that ARP requests must be sent as "broadcasts". There is no waythat an ARP request can be sent directly to the right system. After all, the wholereason for sending an ARP request is thatyou don't know the Ethernet address. So an Ethernet address of all ones is used,i.e. ff:ff:ff:ff:ff:ff. By convention, every machine on the Ethernet is requiredto pay attention to packets with this as anaddress. So every system sees every ARP requests. They all look to see whether therequest is for their own address. If so, they respond. If not, they could just

ignore it. (Some hosts will use ARP requests toupdate their knowledge about other hosts on the network, even if the request isn'tfor them.) Note that packets whose IP address indicates broadcast (e.g.255.255.255.255 or 128.6.4.255) are also sent with an Ethernet address that is allones.

[3.0.0] Preface to the WindowsNT Registry

This section is not meant for NT

Modern hacking

Documents

Transcript of Modern hacking