CEH 07/18/2018 – Class

Yesterday, I ended up giving a 90-minute talk in the Certified Ethical Hacker course and found that my colleagues required a little bit from brushing up on the network foundation. In the course of the hour and a half, I noted the following bullet points.

TOPIC: OSI Layers and ARP Poisoning

Things to note on the layers and ARPing.

Yesterday’s talk was the foundation of all Packet spoofing. Once I get my source code ready I’ll send you a copy.

Issues with Electricity / Electromagnetism
1: What is sent may not be received. *Addressed in layer 4 of the OSI if needed
2: What is sent in a specific order may not be received in the order (This is due to us wanting more speed/Larger bandwidth) *Addressed in layer 4 of the OSI if needed
3: What is received may not be from who you think it is. *Addressed in layer 5 of the OSI if needed

Additional features programmers normally want that is assessed in the OSI Model. Is the connection Alive or Broken? Save Money in Infrastructure. Computers to remember previous clients/connections A message orientated protocol vs. a Stream orientated.

Layer1: Physical, Keep the voltage HIGH so you don’t have to send someone out on horseback
Layer2: Addressing so you save cost on infrastructure instead of running multiple lines to the same physical location
Layer3: Routing, To fix issues broadcasting to the whole world and flooding bandwidth.
Layer4: Depending on your choice of Protocol you can resolve Data being sent in a specific order, and also if it even gets there
Layer5: Computer do not remember who they are connected to when the connection is closed, This is normally resolved at this layer along with AUTHENTICATION
Layer6: At this layer, you create your Message delimiter
Layer7: At this layer, you present the outcome to the end user.

ARP: Address Resolution Protocol Send a Normal reply packet to the Victim and replace your IP with the one you would like to highjack. ARP always act’s on the latest packet, so send it to the victim every second. To prevent dropped connections, ARP the other side as well to shut it up!

DHCP: Victim Broadcast on the network for an IP. How do you hack this protocol: BEAT THE ROUTER TO THE PUNCH AND REPLY BACK BEFORE THE ROUTER DOES!

DNS: Arp Poison the Router to intercept the reply back to the victim and update the IP inside the packet to point to where you want the victim to go OR Gain access to the router, Update the DHCP Settings so that there is a Static IP pointing to your DNS Server.

TCP Spoofing without/with ARPING / Layer 2/3 MITM(Man in the Middle) tricks: Can a TCP packet be spoofed? Yes, IF you know the SEQ number from the client in the middle of the transaction (Requires ARP poisoning or Port spanning/mirroring to figure this out, if not GOOD LUCK!) Expect the client may reply back to the correct host and a RST packet will soon follow, The most you can get in is one packet before the connect is disturbed. This is normally around 1460-1550 bytes of data.

What about a spoofing a Net new connection using someone else’s IP address on the network just at the TCP level? No, This is due to the Syn, Syn Ack, Ack handshake that cannot be intercepted at this level and a RST packet will shortly follow, in nature that provides a minor amount of security for TCP indirectly. At this point, ARP poison the host and create a net new TCP connection from there.

Spoof UDP just at layer 4?: Yes, You can spoof this completely to say the data is coming from another client.

Leave a comment

Your email address will not be published.