The OSI layer, its application to TCP/IP and the fundamentals of routing
By Squire James
eamonn@relative-networks.com

OSI, TCP, IP, TCP/IP, networking, model, security, stack, layers

1.1 Introduction
2.1 The OSI Stack
3.1 How the layers function
3.1.1 The exchange of information
3.1.2 The Application Layer
3.1.3 The Presentation Layer
3.1.4 The Session Layer
3.1.5 The Transport Layer
3.1.6 The Network Layer
3.1.6.1 Logical Addresses
3.1.7 The Data-Link layer
3.1.7.1 The MAC Sublayer
3.1.7.2 The LLC Sublayer
3.1.7.3 Physical Addresses
3.1.8 The Physical Layer
4.1 The formation of a transmitted unit of information
5.1 Just what is a protocol?
6.1 So, how does TCP/IP work, how does it relate to the OSI Stack, and how could I gain the information needed at the start of a hack?
6.1.1 Section Introduction
6.1.2 IP and the DoD Model
6.1.3 The TCP/IP Protocol Suite
6.1.4 The structure of IP Networks
6.1.5 Reserved Addresses on an IP Network
6.1.6 Routing and Server "Chasing" on a network
6.1.6.1 ARP and RARP
6.1.6.2 Basic Routing on a Network
6.1.6.2.1 Static Routes, Dynamic Routes, Routes of Last Resort and Routing Tables
6.1.6.2.2 The act of routing packets
6.1.6.2.2.1 The transmitting host
6.1.6.2.2.2 The routing host
6.1.6.2.2.3 The receiving host
6.1.6.3 "Chasing" the server down
6.1.6.4 Problems that you may come across
7.1 What I've actually explained here
8.1 Final Shout

1.1 Introduction

This file explains the OSI Stack, and its application in a TCP/IP environment. This is not intended to be a complete or definitive article on any of the topics covered, but hopefully the reader will have some understanding of how networks get data from one computer, out to the wire, and up to another.

As always, I do not support or take responsibility for the actions of any individual or group based on any information that is provided in this document.
All information presented here is for educational use only.

2.1 The OSI Stack

Back in the early 1980's, a problem within networking was discovered. LANs and WANs, especially those based on a Mainframe/Terminal system, were becoming more and more common, and people wanted to combine their networks into large Internetworks. This presented a problem, as there were a number of vendors supplying networking solutions to the internetworking community using their own particular methodology (eg IBM's System Network Architecture and Digital's Network Architecture). To this end the OSI (Open Systems Interconnection) Reference Model was developed and released in 1984 by the International Organization for Standardisation (ISO). The model is the currently accepted de jure standard for internetworking (meaning, if you make a system that relies on some other methodology, don't expect anybody to implement it). Each layer in this system is pretty much a separate entity in its own right, so that a change or update can be made at one layer without adversely affecting another.

The OSI Reference Model allows us to:

1. Write new applications that work to a standard, thus cutting down on the consultancy and testing time involved
2. Support communication over different/older media
3. Allow centralised and standardised support and troubleshooting
4. Allow a reliable service to be maintained

The concept resulted in seven layers being created, with each layer being responsible for performing a different set of tasks. The layers are:

Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport
Layer 3 - Network
Layer 2 - Data-Link (containing the MAC and LLC sublayers), and
Layer 1 - Physical

I find that I can remember these layers using the phrase "All poofters seek transvestites near dimly lit pubs" and before everybody jumps on me about political correctness, the bloke that taught me this little phrase was gay himself.
I use it because it's the kind of phrase that people won't forget in a hurry. Well, okay..... it's kinda funny too.

You'll notice that the Data-Link layer has two sublayers, named MAC and LLC. Why this happened, I'm not really sure. All I can do is guess that the propeller heads that made this standard decided that 7 layers, one with 2 sublayers, looked much fancier than 8 layers.

3.1 How the layers function

Each layer on the OSI stack is responsible for a certain function, or group of functions. The top 3 layers (Application through Session) are generally controlled by the application itself, so the user inherently has some level of control; the remaining 4 layers are usually controlled by the computer itself. It can be quite difficult to envisage the stack performing some of the functions that it does, and at this level it is generally easier to imagine a "grey area" between each layer, where the upper AND the lower layers have some influence. Confusing, I know, but trust me, I used to be a doctor.......

3.1.1 The exchange of information

An exchange of information occurs at all levels of the OSI Model. This "layer level" information is sent in the form of either a header or a trailer (footer). A header or a trailer is passed down from one level to another, attached to the data. The level below sees the information as one large piece of data, so it attaches its own header/footer and passes it down. This method of attaching data is called Encapsulation. The only layers that will not apply headers or footers are the Application and Physical layers.

When the receiving computer receives the packet, it strips the header off at each layer and passes the remaining data "up the stream." Once it gets to the Presentation Layer, the presentation layer headers are removed, the data is reassembled, and it is then passed to the Application layer as the original data.

3.1.2 The Application Layer

The application layer is generally the only layer that a user will operate in.
It provides services directly to applications. The application layer can determine resource availability, synchronise communications and identify communication partners. TCP/IP applications that work on this layer include FTP, Telnet, SMTP and POP3.

3.1.3 The Presentation Layer

The presentation layer is the only layer that can change the data itself. It looks after the coding and conversion details and ensures that information sent to another system will be readable by that system. Common implementations include JPEG, GIF, TIFF, DOC, MPEG and MP3. Data compression and encryption also occur at this layer.

3.1.4 The Session Layer

This layer establishes, maintains and terminates communication between presentation layer entities. These service requests and responses are co-ordinated by protocols that exist at the Session Layer. These protocols include Zone Information Protocol (ZIP), Session Control Protocol (SCP) and the AppleTalk service that co-ordinates name binding.

3.1.5 The Transport Layer

The transport layer is responsible for the reliable transfer of information across an internetwork in a way that is transparent to the upper levels. It maintains the reliability of these connections in a number of ways:

1. Flow control, to ensure that the sending host does not send information faster than the receiving host can process it
2. Multiplexing, to allow data from multiple applications to be transmitted across a single link
3. Virtual circuits between hosts are established, maintained and terminated by this layer
4. Error checking, to detect transmission errors
5. Error recovery, to request retransmission of erroneous data

The main protocol from the TCP/IP suite that resides at this level is TCP itself. The difference between TCP and UDP, which is the other protocol at this layer, is the error checking and correction facilities offered by each protocol. TCP is a reliable connection protocol whilst UDP is an unreliable connection protocol.
Essentially each host has up to 65,536 ports (or 2 to the power of 16) for TCP and UDP that can be utilised. Each port can only be accessed by a single process at a time. For example, a telnet server/service will operate on TCP port 23 (which is different to UDP port 23), and while the service is running, no other process can use TCP port 23. There are a number of "conventional" ports that are utilised; for example, DNS is usually active on TCP and UDP port 53. Trojans, such as Back Orifice etc., monitor a certain port on the host and wait for a connection to be established. Other remote control programs, such as PCAnywhere, also operate in the same way. Administrators that need to have telnet active purely for administrative purposes will quite often reconfigure telnet to activate on another port, to make it a little harder for a hacker to find.

Commonly Used Ports

TCP Ports
FTP    - 21
Telnet - 23
SMTP   - 25
DNS    - 53

UDP Ports
DNS    - 53
TFTP   - 69
SNMP   - 161
RIP    - 520

3.1.6 The Network Layer

The network layer allows multiple data links to be combined into an internetwork (i.e. this is the section that logically defines a network, and what hosts are in that network). As a general rule, network layer protocols are routing protocols, but other protocols do exist at this level. Common routing protocols include IP (Internet Protocol) and Border Gateway Protocol (BGP). Automatic route discovery subsets of the IP protocol include Open Shortest Path First (OSPF) and Routing Information Protocol (RIP).

3.1.6.1 Logical Addresses

A logical address is an address that is (generally) assigned to a NIC (Network Interface Card). This allows an administrator to dictate which network a PC belongs to. It also allows for the provisioning of multihomed hosts (i.e. machines with more than one Network Layer protocol address), which may be used for bridging between networks.
3.1.7 The Data-Link layer

The Data-Link layer's role is to provide reliable transmission of data across a physical network link. Physical addressing is used at this level to tie all transmissions to one outward location. This layer can also define topology requirements (Bus, Ring, Star, Mesh). Error notification at this level will let upper layers know when a problem with transmission has occurred, whilst the sequencing function reorders frames that were transmitted out of sequence. Flow control is also used at this level. The Institute of Electrical and Electronic Engineers (IEEE) subdivided the Data-Link layer into two sublayers, which has now become the adopted standard.

3.1.7.1 The LLC Sublayer

The Logical Link Control (LLC) sublayer manages potentially numerous communications over a single network link. This has been defined in the IEEE 802.2 specification (for all you Novell junkies out there). The 802.2 standard supports connectionless and connection-oriented services.

3.1.7.2 The MAC Sublayer

The Media Access Control (MAC) sublayer manages the access of a protocol to the physical network medium (eg. Ethernet cable). The IEEE MAC specification defines MAC addresses (also known as physical addresses), which allow multiple devices to identify one another at the Data-Link layer.

3.1.7.3 Physical Addresses

Physical addresses are addresses that are burned into a card, much like a serial number. These addresses are 6 bytes long, and are represented in hexadecimal. The first four bytes are generally used to identify the card manufacturer; these first four bytes combine with the last eight bytes to generate a unique card identification number. If you look at a NIC, it will generally have the MAC address written like this:

1A 4F 33 FF A3 B0

If we did not have this feature on a card, then the only way that we could reliably route data would be if every computer had a unique TCP/IP or IPX/SPX address assigned to it.
This will be covered more in the TCP/IP section, when I cover routing, ARP and RARP requests.

3.1.8 The Physical Layer

This layer is responsible for actually getting the raw bitstream to transmission on the network media. As such, it defines characteristics such as voltage levels, the timing of a voltage change, physical data rates, maximum transmission distances and physical connections. Physical Layer, Data-Link layer and Network Layer specifications do not necessarily need to be LAN based; they exist as either LAN or WAN implementations.

4.1 The formation of a transmitted unit of information

As a packet of information moves down the OSI layers to be eventually transmitted "across the wire" it goes through some changes; most of these changes are the result of headers or footers that are applied to the packet. As such, there is a de facto standard relating to the names a unit of data is called at various stages:

Layer #   Layer Name     Unit of Information term
7         Application    User Information/Data
6         Presentation   Data
5         Session        Data
4         Transport      Segment
3         Network        Packet
2         Data-Link      Frame
1         Physical       Bits/Bitstream

Other terms for data include:

datagram   - a packet that exists at the network layer and uses a connectionless network service
message    - another term for an information unit existing above the network layer, although this term is generally only applied at the application layer
cell       - a unit of information of fixed length that exists at the Data-Link layer, generally used by WAN technologies such as ATM
data unit  - the generic term for data at any level

Remember: in a model that uses encapsulation, each layer only sees a data unit to which its own header/footer has been applied. The Data-Link layer, for example, cannot see the Network Layer's header/footer; to it, that is just part of the data.

Naturally, when the data "comes out the other end" to the receiving computer, it then follows the OSI stack from bottom to top (i.e. going from Bitstream to User Information).
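The encapsulation the table above describes, carried out on the public Ethernet II, IPv4 and TCP header layouts so that the segment, packet and frame sizes can be seen, together with the receiving side stripping one header per layer and checking the address that belongs to that layer. This is an added example and not code from the article; the MAC addresses, IP addresses, ports and data are constructed sample values, and the IP and TCP checksums are left at zero because nothing here goes on a wire.

```python
import struct

# Constructed sample values for this example (not taken from the article).
SRC_MAC = bytes.fromhex("1a4f33ffa3b0")
DST_MAC = bytes.fromhex("00d0b7aabbcc")
SRC_IP = "192.168.0.1"
DST_IP = "203.55.57.29"
TELNET_PORT = 23
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


# Layer 4 (Transport): a 20-byte TCP header in front of the data -> segment.
def make_segment(src_port, dst_port, data):
    header = struct.pack("!HHIIBBHHH", src_port, dst_port,
                         0, 0,           # sequence and acknowledgement numbers (sample)
                         5 << 4,         # data offset: 5 x 32-bit words, no options
                         0x18,           # flags PSH|ACK
                         65535, 0, 0)    # window, checksum (left zero here), urgent ptr
    return header + data


# Layer 3 (Network): a 20-byte IPv4 header in front of the segment -> packet.
# The network layer treats the whole segment as opaque payload.
def make_packet(src_ip, dst_ip, segment):
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0,                # version 4, IHL 5; DSCP/ECN
                         20 + len(segment),      # total length
                         0, 0,                   # identification, flags/fragment offset
                         64, PROTO_TCP, 0,       # TTL, protocol, checksum (left zero)
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return header + segment


# Layer 2 (Data-Link): a 14-byte Ethernet II header in front of the packet -> frame.
def make_frame(src_mac, dst_mac, packet):
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(data, src_port=40000):
    """Walk the data down the stack and return the frame handed to the physical layer."""
    segment = make_segment(src_port, TELNET_PORT, data)
    packet = make_packet(SRC_IP, DST_IP, segment)
    return make_frame(SRC_MAC, DST_MAC, packet)


def unit_sizes(data):
    """Size of the unit at each layer, mirroring the table of unit names."""
    segment = make_segment(40000, TELNET_PORT, data)
    packet = make_packet(SRC_IP, DST_IP, segment)
    frame = make_frame(SRC_MAC, DST_MAC, packet)
    return {"data": len(data), "segment": len(segment),
            "packet": len(packet), "frame": len(frame)}


def decapsulate(frame, my_mac, my_ip):
    """Receiving side: each layer strips its own header and checks its own address.
    Returns None when a layer rejects the unit, otherwise the recovered fields."""
    # Data-Link layer: is this frame for my MAC address?
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if dst_mac != my_mac or ethertype != ETHERTYPE_IPV4:
        return None
    packet = frame[14:]
    # Network layer: is the destination IP address one of mine?
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_TCP or bytes_to_ip(packet[16:20]) != my_ip:
        return None
    segment = packet[ihl:total_len]
    # Transport layer: which port (process) does the segment belong to?
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"src_mac": src_mac.hex(), "src_ip": bytes_to_ip(packet[12:16]),
            "src_port": src_port, "dst_port": dst_port,
            "data": segment[data_offset:]}
```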
5.1 Just what is a protocol?

A protocol is a set of standards that define how data is packaged to eventually become a bitstream and get transmitted. The easiest way to think of a protocol is to look at it as a language. If you walked up to somebody who spoke Russian and tried to talk to them in English, it just wouldn't work. The same thing goes for protocols: a computer that transmits with the TCP/IP protocol cannot communicate with a computer running IPX/SPX.

There are a number of protocols in use today, some routable, some not, and people choose which protocol to use dependent on a number of factors. For example, IPX/SPX will transmit larger frames than TCP/IP, so if your main goal for your network is to transmit big files as fast as possible (God only knows why it would be, but work with me ;-), then you would choose IPX/SPX over TCP/IP, because IPX/SPX is routable (just like TCP/IP) but performs better in the area that you require. The reality of the situation, however, is that PCs are so fast today that small protocol limitations hardly have any effect on the productivity of a system. This, coupled with the fact that you require it as a protocol to access the internet, has made TCP/IP the 99.9% option of choice for (inter)networks.

6.1 So, how does TCP/IP work, how does it relate to the OSI Stack, and how could I gain the information needed at the start of a hack?

6.1.1 Section Introduction

I thought that I'd better start this off by explaining what's going to be contained in this section. I am not here to give anybody step-by-step instructions on hacking systems; there are so many white papers out there at the moment that it's not funny. What I have noticed is that nobody has told anybody how to get the details that you need before trying an attack. For example, everybody knows how to create a BSOD on a Windows NT server, it's straightforward (not that I'd call that hacking).
People also know how to grab password hashes and have programs to decode them. What I'm talking about here is how you can get to the server that you want to. Let's say the server is behind a subnet. How do you find out how to get there? The same goes for bypassing routers, which is the first thing that you have to do. If you don't have local access to the server, then you're going to need shitloads of bandwidth or much time.

I'm also not here to talk about PortSniffing, or Trojans, or any of that other stuff. That will come later (if I can be bothered - except for the trojans bit, they're lame). I'm not going to talk about using Socks port 1080 to ride an IP address, which too will come in a later paper. I will explain how you can build a picture of a network, and how to "chase" a server across multiple networks that have been set up to segregate the LANs. Just remember that a true hack (not a crash of a system) takes a long time to execute, and you really do need either a lot of manpower or a lot of time, especially if you don't have local access.

6.1.2 IP and the DoD Model

TCP/IP was invented by the Department of Defence (DoD) as a sturdy and robust protocol that would help to ensure communications continued in a time of catastrophic war. If a TCP/IP network is implemented correctly it is extremely dependable and reliable. The DoD Model for TCP/IP is a 4-layer model, due to the fact that it was created before the OSI reference model. These four layers do equate to the seven OSI layers:

DoD Model              OSI Reference Model
Process/Application    Application
                       Presentation
                       Session
Host-to-host           Transport
Internet               Network
Network Access         Data-Link
                       Physical

For much of this discussion on TCP/IP, we will use the DoD model, as it provides a better natural distribution between services.
6.1.3 The TCP/IP Protocol Suite

DoD Model             Protocols at level
Process/Application   Telnet, FTP, LPD, SNMP, TFTP, SNMP, XWindow
Host-to-Host          TCP, UDP
Internet              ICMP, BootP, ARP, RARP, IP
Network Access        Ethernet, Fast Ethernet, Token Ring, FDDI

6.1.4 The structure of IP Networks

We're not going to be covering too much of the upper 2 layers of the DoD model, as these areas tend to be concerned with the actual application of a hacking methodology. Hopefully before I start this section, you have all read my paper on Subnetting within IP Networks, which has been published in issue #11 of Black Box (http://black.box.sk).

As we all know, there are 3 classes of addresses that are used by machines running TCP/IP. Whilst most machines on an internal network comprise whole networks (generally Class A or Class B), a company will generally only have a small number of subnetted addresses that connect directly to the internet. I am assuming at this time that the hacker has gained access past any firewall/router and is directly connected to the network. There are a couple of methods used to find out IP addresses and subnet masks, although you should find out this information as you hack through/bypass a router. A packet sniffer is generally the easiest way to get logical network addresses.

For this exercise we will assume a Class C network, 192.168.0.0/24. Within all IP networks there are 2 reserved addresses, the first and the last addresses in the network. Our network appears as such in dotted decimal notation:

192.168.0.0    (IP Address)
255.255.255.0  (SubNet Mask)

Looking at the subnet mask, we automatically know that 192.168.0 is our Network ID, and the final octet represents our hosts. This octet, being an 8-bit number, has 256 available values (0-255), therefore the first and last IP addresses (192.168.0.0 & 192.168.0.255) are reserved.
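The network ID, broadcast address and host range worked out above for 192.168.0.0/24, done with the bitwise AND of address and mask so that it also covers subnetted masks such as 255.255.255.192 and prefix lengths like /12 (the job of an IP calculator). This is an added example, not code from the article; the addresses in the usage block are sample values, and the two reserved addresses are the first and last of the range as the article states.

```python
def ip_to_int(addr):
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-decimal IPv4 address: %r" % addr)
    return (int(parts[0]) << 24) | (int(parts[1]) << 16) | (int(parts[2]) << 8) | int(parts[3])


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """Prefix length (the /24 in 192.168.0.0/24) -> mask as a 32-bit integer."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask):
    """Dotted-decimal mask -> prefix length; the mask must be contiguous ones then zeros."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if value != prefix_to_mask(prefix):
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return prefix


def network_range(addr, mask):
    """Network ID, broadcast and usable host range for addr with mask.

    mask may be dotted decimal ("255.255.255.192") or a prefix length (26).
    The network ID is the address ANDed with the mask; the broadcast address is
    the network ID with every host bit set to one. Both are reserved, so the
    usable hosts are everything in between (none at all for /31 and /32).
    """
    prefix = mask if isinstance(mask, int) else mask_to_prefix(mask)
    mask_int = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask_int
    broadcast = network | (~mask_int & 0xFFFFFFFF)
    usable = max(2 ** (32 - prefix) - 2, 0)
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask_int),
        "prefix": prefix,
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    # Sample inputs: the article's Class C, a subnetted /26, and a /12 given as a prefix.
    for addr, mask in (("192.168.0.37", "255.255.255.0"),
                       ("192.168.0.200", "255.255.255.192"),
                       ("10.1.2.3", 12)):
        r = network_range(addr, mask)
        print("%s/%d -> network %s, broadcast %s, hosts %s - %s (%d usable)" % (
            addr, r["prefix"], r["network"], r["broadcast"],
            r["first_host"], r["last_host"], r["usable_hosts"]))
```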
Working this out can be pretty tricky in the case of a subnetted network, so I'd advise you to download an IP calculator that allows you to enter an IP address and a subnet mask, and will return the entire network range.

6.1.5 Reserved Addresses on an IP Network

As stated earlier, there are two reserved addresses on every network/subnet. The first number on a network (192.168.0.0, using the above example) is used when subnetting and referring to the network as a whole. Therefore, when I refer to 192.168.0.0/24, I am talking about the whole network, whilst if I refer to 192.168.0.1/24 I am talking about a host on that network. This is used when referencing networks on firewalls/routers etc., so the systems administrator does not have to type in a statement for every possible IP address on a network.

The last available address (192.168.0.255/24) is the broadcast address of the network. If you're unsure what broadcasts do, check out my subnetting paper mentioned above. The great thing about the broadcast address is that if you ping it, every device on the network will respond, and you have an instant list of every device that is on the network. Note, though, that it is possible to prevent some hosts responding to this type of broadcast query, and a really good administrator will have seen the possible hole and tried to stop it. An alternative to this method is to use a program like PingSweep, which pings every possible IP address on a network; this works well, but generates a lot of traffic on the network.

Once all this information has been collected, you can view the output by referring to your ARP cache entries ["arp -a |more" in Windows NT]. From here, you should be able to pick some likely possibilities for servers, which are generally placed at the beginning or end of a network, or you could check out the IP addresses which get the most traffic, by using a packet sniffer.
Another way could be to attempt to locate the internal DNS server (scan port 53 on the network), and resolve the IPs to hostnames to try and find out from there. Or, you could use one of many available portscanners to try and guess from the TCP frame what the operating system is.

On a side note, this broadcast request is the basic principle for a (D)DoS attack. Essentially, a hacker pings the broadcast address for a network. Every host on the network attempts to respond to the request, which reduces the bandwidth. Take, for example, a hacker with a 1MBit (lucky bastard) connection to the internet. He rides a socks port on another machine, let's call it unsecure.acme.com, so that he is sending his requests from a real live address that the firewalls will let through. This machine also has a 1MBit link. The hacker then sends a 500KBit ping request to 192.168.0.255/24, which happens to be domain.acme-competitor.com, who have a 2MBit link. Every machine on the 192.168.0.0/24 network connected to the internet will try to respond back. Let's say that there are only 100 machines directly connected at acme-competitor; if each one of them generates a 500KBit ping response to the ping request, that's a massive 50MBits of traffic that has been generated and is attempting to fit through the router. If this attack has been done properly it will bring down acme-competitor's router, and it will look like acme themselves did it. Don't get me wrong, there is a lot more that can go on, but this is the basic concept behind a (D)DoS attack. The main difference between a DDoS (Distributed Denial of Service) attack and a DoS (Denial of Service) attack is that a DDoS will have more than one place sending these requests.

6.1.6 Routing and Server "Chasing" on a network

So, you're onto the network, and you have all the IP addresses. You painstakingly go through each one trying to find a server, but you've had no luck.
Workstations galore, routers galore, but nothing holding some real juicy information. What needs to be done? In a situation like this, it probably means that the server is on another network, therefore packets must be routed through to the server somewhere. Using your soon-to-be-gotten knowledge of how routing works, you should be able to find what you're looking for.

6.1.6.1 ARP and RARP

Before you can start to understand routing, you need to know two protocols/programs from the TCP/IP suite at the Internet level (Network level by the OSI stack), ARP and RARP.

ARP is a function that a computer uses to get the physical address of a NIC when the sending node only has an IP address. Essentially it works something like this. When the Internet layer receives a packet, it inspects the IP address. The computer will then check its ARP cache to see if there is already an entry for that particular IP address. If the computer has the MAC address in cache, then it will add the header/footer to the packet and pass it down to the Network Access layer. If it is not in cache, then the computer will broadcast an ARP request. If the host exists on that local network, it will respond to the request and send the necessary information. The computer will then receive the data, add the bits to the frame and pass it down to the Network Access layer. If the computer receives no reply to the ARP request, it will route the packet, which will be covered in the next section.

RARP is a feature that is not as commonly used by a host. It does exactly the opposite to ARP. If a computer has a hardware address, it can perform a RARP lookup to try and find the IP address of the originating computer. Once again, it works in the same way as ARP, checking its cache first, and then broadcasting for the details if unsuccessful.

6.1.6.2 Basic Routing on a Network

6.1.6.2.1 Static Routes, Dynamic Routes, Routes of Last Resort and Routing Tables

Routing in itself is a relatively simple process.
The first thing to understand is static routes, dynamic routes and routes of last resort (also known as default gateways). A static route is a route that has been manually entered by a user to direct traffic for a certain IP address or network to a router, so the packet can be forwarded. Essentially a route statement looks something like this:

[Destination IP Address] [SubNet Mask] [Gateway] [Metric]

Therefore, to route all packets intended for a host on the 192.168.2.0/24 network to the router at 192.168.0.241 (the gateway must be on the network that the host is attached to, otherwise it can't get there), with a metric of 1, the route would look like this:

192.168.0.0 255.255.255.0 192.168.0.241 1

Different operating environments have different commands, but any machine capable of running TCP/IP should be able to contain static routes. The first three items entered are pretty straightforward. The metric information relates to the number of "hops" to take away from the packet when it is passed. This may be done for two reasons. The first is to ensure correct "ageing" of packets. Each packet has a maximum number of "hops" that it can undertake. Once the packet has reached that number of hops, it is expired and a "destination route unreachable" error is generated. The second is to ensure that the best route is taken when used in conjunction with a routing protocol. If you assign a metric of 3 to a static route and run a routing protocol on the same machine, and the routing protocol can locate a less "expensive" path to move the data down, it will take it over the static route. This metric value is known under different names on different systems, such as "Administrative Cost," and it can relate to other things instead of just the basic number of hops. Static routes can generally be entered as a temporary entity (i.e. will be lost when the machine shuts down), or as a permanent entity (i.e. will remain across reboots).
The benefit of static routes is that an administrator can have very specific and complete control over the direction of packets on his/her network. Unfortunately, if you have a number of different networks or routers, this can become extremely time consuming and confusing (especially if you're not too bright, like me).

As a tip for all the administrators out there, if you want to secure your network that little bit more, you can add your static routes on your users' computers as temporary entities that expire after each shutdown. If you add these routes as part of your login scripts you can ensure that only users that successfully log in to the system will be able to access the server, without having to manually enter their routes in. It would also ensure that users with notebooks did not bring routing (and therefore network) information off-site. Not that this would stop a truly dedicated hacker, but it would add to the total amount of time that a hacker has to spend on the intrusion, which would increase their chance of getting caught.

Dynamic routes are similar to static routes. The only difference is that they are always temporary routes. These routes are entered by a routing protocol (such as RIP or OSPF). The methods that these routing protocols use aren't of any concern for this document; all you need to know is that they appear in the same place and look identical to static routes. Most routing protocols are run on routers themselves, and all computers send all of their non-local packets to one specific router, which then routes them on from there. Most packet sniffers will be able to locate routing protocol packets.

Routes of last resort, or default gateways, is the location that a host will send its packet through if it cannot find the destination locally or in a route statement. A number of systems have been configured so that packets that are not local are forwarded to the one router, which then works out by itself what to do with them from there.
This is much easier from an administrative stance, but also significantly less secure.

All this information is located in the routing table, which is maintained on each host. How we observe the route table is different across operating systems, but is generally activated by a "Show Route", "Show IP Route" or "Route View" type of command. The host will then list all routes that are contained. Static and dynamic routes have the same outlook, i.e. with a specific Network/Host Destination, usually followed by the remote Subnet Mask, which is followed by the gateway to use to transfer the packet. We can always spot the route of last resort, because its Network/Host Destination AND SubNet Mask is always 0.0.0.0. Also, if a route is pointing to a specific host, rather than a network, the SubNet mask will appear as 255.255.255.255.

6.1.6.2.2 The act of routing packets

6.1.6.2.2.1 The transmitting host

Keeping our OSI stack in mind, we're now going to discuss the action of a packet routing through a network.

Application Layer
Joe Blow (IP Address 192.168.0.1/24) starts up a telnet session with an imaginary telnet server, which we'll call telnet.demo.com (IP Address 203.55.57.29/24).

Presentation Layer
This layer doesn't really concern us, but for the sake of writing something in here, we'll say that the presentation layer slices the data going to 203.55.57.29 into the predetermined size and adds the presentation layer header/footer to the user data.

Session Layer
Once again, this layer has very little to do with the routing of the packet itself, but it adds its header/footer to the user data, which exists to control the flow of data.

Transport Layer
This layer is the first layer where the guts of TCP/IP come into play. The transport layer header/footer is added, with originating/destination TCP port 23 (telnet). The segment is then passed down to the network layer.
Network Layer
The network layer applies its header/footer to the data (surprise, surprise), which contains the source and destination IP addresses (and by that we mean the total IP address, comprising IP address and subnet mask). The Network layer also inspects the packet to discover the destination IP address. From the logical AND that is performed on the source/destination, the Network layer knows whether or not the packet is on the local network. If the packet is local, then the Network layer will generate an ARP request for the MAC address of the destination IP address. If the packet is not local, then the Network layer will check its routes. If a route exists for the packet, then an ARP request is generated for the IP address of the route gateway. If a route does not exist (which is the case in this example), then an ARP request is generated for the route of last resort. The source MAC address, and whichever MAC address represents the destination for this hop (in this case the route of last resort), is added in the header/footer. This completed packet is passed down to the Data-Link layer. The destination MAC address is not added to the Network Layer header; rather, it is handed down to the Data-Link layer to "process."

Data-Link Layer
The Data-Link layer essentially adds its header or footer, which includes the source/destination MAC addresses, then passes this frame to the Physical layer for transmission.

Physical Layer
Transmits the raw bitstream.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Keep in mind that this is a simplified version of what each layer does. For example, I have not gotten into the fact that the Data-Link layer is responsible for co-ordinating numerous packet transmissions etc. etc.; it is purely concerned with what each layer does when routing.
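The Network layer decision just described, as an added example that is not code from the article: the logical AND against the interface mask decides "local", otherwise the most specific matching route entry is used (a 255.255.255.255 host route beats a network route, and the 0.0.0.0/0.0.0.0 route of last resort only wins when nothing else matches), and the chosen next hop is then looked up in the ARP cache or flagged for an ARP broadcast. A routing host runs the same check against its own table, so the functions apply to the next section too. The routing table, interface and ARP cache contents are constructed sample values; Joe Blow's 192.168.0.1/24 and the telnet server 203.55.57.29 are the article's.

```python
def ip_to_int(addr):
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_len(mask):
    return bin(ip_to_int(mask)).count("1")


# Route entries in the article's [Destination] [SubNet Mask] [Gateway] [Metric] form.
# Constructed sample table for this example.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",         "192.168.0.254", 1),  # route of last resort
    ("192.168.2.0", "255.255.255.0",   "192.168.0.241", 1),  # static route to another LAN
    ("192.168.2.7", "255.255.255.255", "192.168.0.242", 1),  # host route (mask all ones)
    ("10.0.0.0",    "255.0.0.0",       "192.168.0.241", 3),  # static route, metric 3
    ("10.0.0.0",    "255.0.0.0",       "192.168.0.243", 1),  # cheaper path learnt dynamically
]
# This host's interface(s) as (address, mask): Joe Blow from the article's example.
INTERFACES = [("192.168.0.1", "255.255.255.0")]
# ARP cache: IP address -> MAC address already known to this host (sample values).
ARP_CACHE = {
    "192.168.0.241": "00-d0-b7-aa-bb-cc",
    "192.168.0.5":   "00-50-56-11-22-33",
}


def is_local(dst, interfaces):
    """Logical AND of destination and interface address with the mask: same network?"""
    d = ip_to_int(dst)
    for addr, mask in interfaces:
        m = ip_to_int(mask)
        if (d & m) == (ip_to_int(addr) & m):
            return True
    return False


def select_route(dst, routes):
    """Most specific (longest mask) matching route wins; ties go to the lowest metric.
    The 0.0.0.0/0.0.0.0 entry matches everything, so it only wins when nothing else does."""
    d = ip_to_int(dst)
    best_key, best = None, None
    for net, mask, gateway, metric in routes:
        m = ip_to_int(mask)
        if (d & m) != (ip_to_int(net) & m):
            continue
        key = (prefix_len(mask), -metric)
        if best_key is None or key > best_key:
            best_key, best = key, (net, mask, gateway, metric)
    return best


def next_hop(dst, interfaces=INTERFACES, routes=ROUTES):
    """Return (kind, address to ARP for): the destination itself when local, otherwise
    the gateway of the chosen route, or the route of last resort."""
    if is_local(dst, interfaces):
        return ("local", dst)
    route = select_route(dst, routes)
    if route is None:
        return ("unreachable", None)  # no route and no default gateway configured
    mask = route[1]
    if mask == "0.0.0.0":
        kind = "default"
    elif mask == "255.255.255.255":
        kind = "host-route"
    else:
        kind = "route"
    return (kind, route[2])


def resolve_mac(ip, cache=ARP_CACHE):
    """ARP step: a cache hit yields the MAC; a miss means broadcasting an ARP request."""
    if ip in cache:
        return ("cached", cache[ip])
    return ("arp-broadcast", None)


def forward(dst):
    """The whole decision for one outgoing packet, as a dict."""
    kind, hop = next_hop(dst)
    if hop is None:
        return {"kind": kind, "next_hop": None, "arp": None, "mac": None}
    how, mac = resolve_mac(hop)
    return {"kind": kind, "next_hop": hop, "arp": how, "mac": mac}


if __name__ == "__main__":
    for dst in ("192.168.0.5", "192.168.2.10", "192.168.2.7", "10.9.8.7", "203.55.57.29"):
        print(dst, forward(dst))
```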
6.1.6.2.2.2 The routing host

The routing host essentially recognises its MAC address in the packet, pulls it off the wire and begins by removing the Data-Link Layer header/footer and passing the packet up to the Network Layer. Once the Network Layer receives the packet, it inspects its header/footer to find the destination IP Address. If the destination IP address is not (one of) the host's IP Addresses, the host inspects the packet to find out if it is on one of its local networks. If the destination is on one of its interfaces, an ARP request is generated and the packet is forwarded directly to the host. If not, then just like the previous host, the router inspects its route table to find out if a route exists to the destination network. If a route exists, the machine sends an ARP request for the MAC address of the destination gateway, and passes the packet down to the Data-Link Layer with the new MAC address. If no route exists, the machine generates an ARP request for the route of last resort, and passes the packet down to the Data-Link Layer for processing.

NB: This is the core of routing, and is exactly what happens every single time a packet is sent across the internet. Because a router only deals with packets up to the Network Layer when routing, the act of routing is known as a Layer 3 action.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

6.1.6.2.2.3 The receiving host

Physical Layer
Pulls the raw bitstream off the network cable.

Data-Link Layer
Removes its header/footer and ensures that the packet was actually meant for this machine (i.e. correct MAC Address).

Network Layer
Removes its header/footer and ensures that the destination IP address is a valid IP address for this host.

Transport Layer
Removes its header/footer and opens a TCP connection between the two hosts on Port 23 for a telnet session.

Session Layer
Removes its header/footer and regulates flow control of the traffic.
Presentation Layer
Removes its header/footer, puts the packet into the right sequence, and decodes the data (if necessary).

Application Layer
Presents Joe Blow with the first bit of data from the telnet session that he initialised.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

6.1.6.3 "Chasing" the server down

So, when we get into the guts of a particular network, how do we track down servers if they exist on another network? Thinking back to our routing information, we know that if a route is required to pass the information, the host performs an ARP request for the MAC address of whatever gateway is being used, and uses that MAC address in the Data-Link header/footer to ensure that the router picks it up. However, one thing that does not change is the Source/Destination IP Address. Therefore, we can find the router by using a packet sniffer and observing the one MAC address that packets to a number of IP addresses are being forwarded to. Once that router has been located, we would then need to use one of the many methodologies around to discover exactly what it is (PC based, or specific router based, and which Operating System or Router Brand). Once we find out exactly what type of router it is, we would then have to hack it or find a way across to get to the machines (hopefully the servers) on the other side.

6.1.6.4 Hardware that you may come across

A number of items need to go into a network to "make it work," and routers are just one of these. The other main ones are Hubs, Switches and Gateways.

Hubs:
Otherwise known as a "MultiPort Repeater," the hub is at the bottom of network connectivity technologies. Essentially, the hub will take any data sent to it from any port, and repeat it down all the other ports. The hosts are (obviously) listening for data, and when a packet is sent to a port, the host will listen to (read) it, accepting it if it is for its MAC address and ignoring it if it is not.
Hubs have a couple of setbacks:
1) Only one machine on the entire hub can transmit at any one time
2) As all the information for any destination is flashed down all ports, from any location on the network a hacker can easily grab password hashes, monitor login requests etc. etc.

Switches:
Switches are the "grown up" version of hubs. Each switch maintains a MAC address table, and generates a "bridge" between the sending and receiving devices. This is much better than a hub because:
1) All ports can send or receive at the same time, so multiple transmits/receives can occur, unless, of course, the host that is being transmitted to is currently in a transmit or receive state
2) Due to the fact that multiple hosts can transmit at the same time, a 10Mbit switch is GENERALLY faster than a 100Mbit hub IN THE REAL WORLD, but not according to most benchmark tests
3) Because a direct link is established between the sending and receiving machines, the data is not flashed down every port, so it is much harder to packet sniff

If the site you are hacking from has switches installed and you are trying to packet sniff the network (presuming you have sufficient access/bandwidth), you will have to run a promiscuous mode driver. This, however, is a pretty risky thing to try, because there are a number of programs out there that detect promiscuous mode drivers, and you run a good chance of getting caught. A better solution would probably be to completely hack the router (instead of just getting through it), inspect its route table and use the route table and ARP/RARP to do it all manually.

Gateways:
A gateway is a relatively rare device that provides a "translation point" between two protocols (for example, TCP/IP on one side, IPX/SPX on the other). There are a number of reasons for the implementation of a gateway, but from a security perspective, a gateway would be installed with IPX/SPX configured on the servers and TCP/IP on the workstation (or "working network") side.
This makes things SIGNIFICANTLY harder for a hacker, as the hacker either has to know IPX/SPX as well as TCP/IP backwards, or be able to pool his resources with another person who has a lot of IPX/SPX knowledge. The other thing to be aware of is that a system like this has probably been implemented by a professional security company, so you'd better be sure that you really want to try the hack, as you'd have to be very good to make sure you don't get caught. Fortunately, for the hackers out there anyway, gateways are relatively rare things, pretty much because of the administrative overheads involved with a system such as this, and because most companies have not put a large emphasis on network security.

7.1 What I've actually explained here

So, what should you know after you've read this? I have covered the implementation of TCP/IP within a network, as well as the structures that it adheres to, and what those structures do to ensure that the data gets from its source point to the destination point. I also covered routing within a network, and how you can chase down other networks within an Intranetwork. Also, a little bit about getting a logical picture of a network and how to find your way around it, as well as some technologies and methods to make a network a little more secure.

8.1 Final Shout

Once again, not a lot to go in here. No references again, as this all came out of my head (frightening as that concept may be). I will probably do some sort of packet sequencing or router exploit paper next, or maybe a PortScanning or IP Riding one. I'm not really sure yet, and it does depend on how much time I have on my hands.

Catch yer all on the flip side,
Squire