
Networking for Pentesters: Beginner – Part 1

This webcast was originally published on February 15, 2023.

In this video, Serena covers the fundamentals of networking for beginners and explains why security professionals need to understand network infrastructure. She introduces key concepts such as the OSI model, MAC and IP addressing, and protocols that double as reconnaissance sources, such as DNS and ARP. The presentation aims to give viewers the knowledge needed to navigate and secure networks effectively, even with minimal prior exposure to networking.

  • The presentation is a beginner-friendly overview of networking, focusing on the concepts someone new to the field needs most.
  • The webinar uses a gamified, level-based scenario to make learning about networking more engaging.
  • Through practical scenarios, the webinar shows how to apply networking knowledge in real situations, such as reconnaissance against a target network and understanding IP addressing.


Transcript

Serena DiPenti

All right, everybody, welcome. Thanks for taking time on your day to join us here and learn a little bit about networking. Like Ian said, my name is Serena. A lot of people online probably know me more as SheNetworks.

I have a background in networking, network engineering. I worked at Cisco as an engineer for quite a few years, and, now I’m a pen tester at Black Hills and a content creator.

So I get to really have my dream job here, which is very lucky for me. Now, this is an hour long presentation, and networking is a massive topic.

It was very difficult to pick out some of the most important things that I could cover in an hour. This presentation is meant to be for beginners.

Some people come into security without really any networking knowledge, and that’s okay. I wanted to fill that gap for people who maybe came from, like, a development perspective.

Maybe they took, like, one class in networking, or, like, you just need a refresher, because sometimes these are topics that you don’t think about too much in your day to day work, and sometimes you forget, like, me.

Keep that in mind as we go through the presentation, that it is an hour, and, it’s a lot to cover, and we’re just going to give you, like, a really broad overview of a lot of these topics.

But I also wanted to make this entertaining. So my agenda is very, very vague, but I wanted to make this kind of gamified a bit so that there will be some entertainment along the way.

Now, we’re going to start off with a scenario here. You’ve been hired, right? So you’ve been hired to hack into a network to secure the site before anyone else can sneak in, find the vulnerabilities, and report the findings.

The problem that you are running into is that you may have embellished on your resume a little bit, and, you are going to have to learn a lot along the way.

And this is mostly in the scope of networking. So that brings us to the beginning of level one. Now, you’re given this task. You need to hack into this network.

This company hired you, but you really don’t have that much information about them aside from, the name of the company. And don’t worry, it’s totally legitimate, but the company’s name.

And now you have to do a little bit of recon in the beginning, and we want to learn about the employees at this company and what kind of infrastructure that they could have.

Two great places to do this: one is LinkedIn. You can find employees of companies on LinkedIn, maybe system administrators, people with Active Directory experience, people who are maybe administering their Office 365 cloud environment.

And these people may have, or probably do have some type of elevated privileges in the network. So you can learn about them and learn about their internal infrastructure.

The second option, job listings, is also very similar. You can find out more information; sometimes on job listings, you’ll see, like, oh, we want someone with five plus years of AWS experience, or Docker, or Cisco IP phones, different things like that.

You can learn about the technologies that this company has and is using in their infrastructure, just from some online resources.

Now, speaking of infrastructure, I have this little diagram here, and it kind of goes over, it’s very overly simplified, but it goes over some of the things that you’ll be seeing further throughout this presentation.

Here, this little globe. This is the greater public Internet. Then we’re going to have a firewall. This would be a router. And then we have a couple of switches over here that are connected to computers, point of sale systems, IP cameras.

And these are just some things that you would probably see on anybody’s network, but it’s a little bit oversimplified. And the green arrows here are going to be your Ethernet connection, sometimes they’re fiber, but your connections to each one of these pieces of equipment.

Now, every person who has ever taken a networking class or has been interested in networking is going to hear about the OSI model. The OSI model is used to basically describe certain pieces of how everything works together in this stack.

So down here we have the physical layer that’s going to be most often referred to as layer one. And you’re typically thinking more along the lines of cabling.

Then we go up to data link, network, transport, session. We won’t get super in depth on each one of these, but we are going to cover, especially, the first three here during this presentation.

The first layer, layer one is going to be, fiber optic cables, copper cables, transceivers, USB, SATA, some wireless devices and hubs.

They are not intelligent devices typically. They have one purpose and it’s usually moving data from one point to another. It doesn’t really make decisions on where data goes.

And it’s just layer one. Sometimes you can get into interesting things when you talk about wireless, but overall not super exciting.

And wireless is a little beyond the scope of this presentation. We had previously seen how the cables were highlighted green. Now we have the switches highlighted green.

Switches here are going to be your data link layer, layer two. And there’s a couple technologies that operate within layer two.

Some of the important things to know are about MAC addresses, not to be confused with IP addresses. So, a MAC address is a burned-in, unique identifier used to communicate with devices within the same networking segment.

Then we have broadcast. Sometimes you will need to send out data to every piece of equipment or device connected on the same networking segment.

And that’s where broadcast comes in. We have this address here that’s just all F’s, and that’s going to be the broadcast address telling the switch to, hey, send this to everybody.

It’s for everybody. And one reason why you might need to send a broadcast packet or broadcast information is a protocol called ARP.

It’s a data link layer protocol, and it’s used to discover and map layer two devices. We’re going to get into it a little bit more here.

Now, ARP is interesting from the perspective of, well, one, there are some ways that ARP can be abused to your advantage as a pen tester. But let’s just discuss why ARP exists and how it works.

Pretend you are using computer A and you need to send information to computer B. You have the IP address for computer B, but you don’t have the MAC address for computer B.

Over here on the right, we see what looks like our ARP table. Here, we see interfaces that align to physical addresses. And then below here, we see what’s called a packet.

We see data, a TCP segment, a source IP address. So in this case, it would be 192.168.1.2. Then we see a destination IP address, which is going to be 192.168.1.3. We have our source MAC address.

Computer A knows its MAC address, but again, it doesn’t know the destination MAC address. The IP address is not in our ARP table.

So, when we think about broadcast, we’re going to put all F’s in that destination MAC address. And so we’re going to send an ARP request, and an ARP request is going to ask everybody on that network segment, hey, who has this IP address?

So, 192.168.1.3. It will send that packet to the switch. The switch will see it has a broadcast address, and it’ll send it to each one of the connections that the switch has on its networking segment. B will receive that broadcast packet that says, who has this IP address.

It’ll recognize that, oh, I have that IP address, and it will send an ARP reply to computer A saying, hey, that IP address belongs to me.

Here’s my MAC address. Computer A will then populate that into its ARP table for future purposes; it will probably need to send more data to computer B at some point in the future.

It adds this so you don’t have to go through this ARP process all the time. You’re going to have some type of physical addressing in your ARP table, associated with your IP addresses.

And then once this address has been successfully entered into the ARP table, now computer A can go ahead and send the packet with the appropriate destination MAC address of computer B.

And that’s just a broad overview of how ARP works and why it’s important. If you remember at the beginning, after we’ve learned about ARP, we have learned a little bit about layer two and layer one.

And we learned that we need to gather information about these types of devices and infrastructure, about the company that hired you.

So success. Through LinkedIn, you’re able to find multiple individuals on the IT staff and their emails. The employees listed Azure, Cisco, and Active Directory as some of their job duties, and this information could be helpful in the future.

You learned about layer one and layer two, and now you realize I need to get connected to this company’s network. You can’t do that by just physically going because this company is in a different state than you are.

You can’t just drive there and get plugged in physically. You’re going to have to find a way to get in remotely. Which brings us to level two.

And that kind of starts off our layer three, the networking layer of the OSI model. When we’re typically talking about routers and routing information and IP addresses.

A lot of people probably have some familiarity with what an IP address is. It is the address to get to you, kind of like how your home has a physical address.

Your home also has an IP address, most likely. And so we’re going to get into more information and get a little bit more detail about IP addressing.

We’re going to do it a little bit different though, because we’re going to talk about DNS and how DNS can help you as a pen tester, gather information about the client, the company.

So what is DNS, the Domain Name System? It’s the phone book of the Internet. So here we have your laptop. We want to go to twitter.com.

We have twitter.com. We know twitter.com, but we don’t know the IP address of twitter.com, and the IP address is what your computer needs to be able to send that data.

So DNS is going to translate human readable names, like twitter.com, into numeric IP addresses. So here for this instance, your computer knows a DNS server.

It’s saved in its own tables. It says, hey, DNS server, I’m looking for twitter.com. The DNS server is going to check its massive phone book, and it’s going to reply with the IP address that twitter.com is at.

The default port, 53, is where your computer will send that query, and after it identifies the correct IP address associated with it, then your computer can be like, all right, I’m going to send this data so that I can connect to twitter.com.

But there’s a lot of information that you can get from DNS, aside from just translating these human readable domain names to IP addresses.

It would really suck to have to remember all the IP addresses to all the websites you go to all the time. And that’s why DNS is so important. And there’s a couple of different things that you can do as a pen tester to go through these DNS records.

There are more manual ways, like using commands like whois or dig. There are tools like Recon-ng and amass that will help automate the discovery of these DNS records that belong to, maybe, twitter.com.

twitter.com has way more public facing servers and hosts than just at that one IP address, right? So you want to gather all of those.

You want to try and find every possible public facing server that you can for that customer or company. And that kind of helps you have more possibilities, more of a chance to be able to get into a network, get an initial foothold, and exploit.

Another popular tool or service is Shodan, a search engine for Internet-connected devices. It’s another really great way to do some recon and gather information about what hosts and servers this company might have.

And here’s an example of what some of these things might look like. Over here we have a tool called amass. So we do amass intel -whois -d twitter.com.

And it’ll give you a list of all these other records that may be owned by Twitter. We have dnsrecon doing a similar thing, looking through DNS servers and finding information on IP addresses and other publicly accessible Twitter hosts.

And then we even have Shodan over here. You can put in twitter.com, and it’ll give you all these IP addresses and show you port numbers. And so there you’re collecting this massive list of things for this company.

Now let’s go break down IP addresses a little bit more. We’re going to start with IPv4. It’s really going to be the only thing at this point that will matter.

We will get into IPv6 in a bit, but IPv4 addresses typically are going to start from 0.0.0.0 to 255.255.255.255, but not every single one of these addresses between this range is usable or publicly routable.

Based off this range, there’s a little bit more than almost like 4.3 billion addresses. Over half a million of those are reserved, which only gives you about 3.7 billion, usable addresses.

And why are some of these addresses reserved? They’re reserved because they’re either used for private networks, or there are some reserved for loopback addresses. So anytime you see an IP address that starts with 127, it’s a loopback. Link-local addresses: if you’ve ever connected a computer to the Internet, or tried to, but it didn’t work, your computer might give you a 169 address.

And that’s how it’s not actually connected. And so you probably have to do a little bit of troubleshooting. Some addresses are reserved for documentation, multicast, and some are reserved for the future.

IP addresses are usually managed. Well, they are managed by the Internet Assigned Numbers Authority. And IANA, I guess, is giving massive blocks of addresses to regional Internet registries, who are then in charge of distributing these IP addresses throughout the region.

Because you kind of need some structure. It can’t be a free for all for these IP addresses because they need to be unique on the Internet. And if you have two people in two different areas using the same IP address, it’s not going to work.

So there has to be a little bit of structure. Early on, when IP addresses and the Internet and things like that first kind of were being developed and researched, a lot of IP addresses and IP address spacing went to universities like Stanford, and maybe, like, Georgia Tech.

I can’t remember all of them, but a lot of these universities have these massive blocks of IP space because back, then, you really didn’t know how big the Internet was going to be and how much it’s going to grow.

And think about all the devices that you have that are connected to the Internet and every single one of those devices needs an IP address. So you have like your phone, your smart fridge, your, toaster, now, your watches, your tvs and xboxes, PlayStations, all of that needs an IP address.

So we run into a problem where the population is 7.8 billion in 2021, but there’s only 4.3 billion IPv4 addresses available.

That’s not even sufficient to have one address per person. So you run out of addresses fairly quickly. There’s two major things that came out of this exhaustion of IPv4 addresses to help reduce the amount that people need.

One, we’re going to see the introduction to and launch of IPv6. It was developed specifically to deal with IPv4 exhaustion and does have some other features like additional security measures and things like that.

Hopefully we never run out of IPv6 addresses, but again, who knows in the future, I don’t know. Then we also see the introduction of NAT, where you can map multiple IP addresses into one address, and there’s a few different ways you can NAT, but this is going to be primarily the version we’re going to be focusing on for this presentation.

I have this little diagram here. We have private, and then we have a public address. We just have a single public address, and then we have the public Internet.

Now, private addresses are going to be given to addresses inside a company or inside, like, your home, for instance. If you look, if you’re connected to the Internet, you probably have a private IP address assigned to your computer that is not publicly routable.

All of those IP addresses go through, and to access the Internet, they all need to go through your home public router or Wi-Fi router.

All of that stuff. And all of those IP addresses are going to translate into this single IP address that is publicly routed on the Internet and it’s given to you by your ISP.

Then all the information goes back out onto the Internet, and when it returns to your router, your router is going to send the information so the correct device that requested it.

And that’s a very simplistic way of looking at NAT, but I think it’s kind of the best way to look at it for our next couple slides.

Now, we talk a little bit about IPv4 private address ranges. These are addresses that are not routable on the Internet. They’re used internally.

And you’ll hear about classes a lot too, when you get into networking classes, and subnets and VLANs. And all of these words that seem similar, but, like, aren’t quite similar.

So here we have a class A address. Class A is going to start with 10.0, and all of the addresses available up to this final address here are in that class, class A, and it’s given a subnet of a /8.

We’ll get into subnets in the next slide, so just understand that it is a /8 and you’ll have 16 million available addresses.

Well, you probably don’t have 16 million devices in your home. You probably don’t need 16 million addresses.

And companies too, maybe for their own network, they’re like, we don’t need 16 million available addresses. You’re going to have smaller classes, like class B, where you have a /16, and class C, where this is the IP range for that, a /24, and smaller.

Some companies, especially big ones, try to be really efficient with how they use their internal addressing because think of a company like Amazon where they have tons of data centers and tons of just technology that needs to be connected.

You don’t want to be really wasteful of this IP address spacing and handing out network, ranges that aren’t going to be utilized. Maybe you only need 50 available addresses for the specific network segment that you want to be connected to each other.
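The ARP exchange Serena walks through above (A broadcasts "who has 192.168.1.3?", B answers unicast, A caches the answer), worked as an added example. This is not code from the webcast; it is a stand-alone simulation with two hosts on one switched segment, real Ethernet/ARP byte layout, and a per-host ARP table. The host names and MAC addresses are made up for the example. It also shows the abuse she alludes to: because classic ARP caches any reply addressed to it, whether or not it sent a request, a third host can overwrite A's entry for B.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # the all-F's destination: "send this to everybody"
ZERO_MAC = "00:00:00:00:00:00"        # target MAC in a request: not known yet
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP payload (28 bytes) for IPv4 over Ethernet.
    A request goes to the broadcast MAC; a reply goes unicast to the requester."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    arp_table: dict = field(default_factory=dict)   # ip -> mac, like `arp -a` shows

    def handle_frame(self, frame: bytes) -> Optional[bytes]:
        """Process one received frame; return a reply frame to send, or None."""
        pkt = parse_arp_frame(frame)
        if pkt["op"] == ARP_REQUEST and pkt["target_ip"] == self.ip:
            # "Oh, I have that IP address": learn the asker, then answer unicast.
            self.arp_table[pkt["sender_ip"]] = pkt["sender_mac"]
            return build_arp_frame(ARP_REPLY, self.mac, self.ip,
                                   pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == ARP_REPLY and pkt["target_ip"] == self.ip:
            # Classic ARP is stateless: any reply addressed to us is cached,
            # whether or not we asked. This is what ARP poisoning abuses.
            self.arp_table[pkt["sender_ip"]] = pkt["sender_mac"]
        return None


def resolve(requester: Host, target_ip: str, segment: list) -> Optional[str]:
    """Resolve target_ip to a MAC on one layer-two segment, the way computer A does."""
    if target_ip in requester.arp_table:           # cache hit: no broadcast needed
        return requester.arp_table[target_ip]
    request = build_arp_frame(ARP_REQUEST, requester.mac, requester.ip, ZERO_MAC, target_ip)
    # The switch sees the broadcast destination and floods the frame out every port.
    for host in segment:
        if host is requester:
            continue
        reply = host.handle_frame(request)
        if reply is not None:
            requester.handle_frame(reply)
    return requester.arp_table.get(target_ip)


if __name__ == "__main__":
    a = Host("A", "aa:aa:aa:aa:aa:01", "192.168.1.2")
    b = Host("B", "bb:bb:bb:bb:bb:02", "192.168.1.3")
    c = Host("C", "cc:cc:cc:cc:cc:03", "192.168.1.4")
    print("A resolved 192.168.1.3 ->", resolve(a, "192.168.1.3", [a, b, c]))
    print("A's ARP table:", a.arp_table)
```

Note that only B answers the request; C sees the broadcast, finds the target IP is not its own, and stays silent. The `arp_table` dict on each host is the same thing you see with `arp -a` on a real machine.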
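The IPv4 addressing material above (reserved ranges, the 4.3 billion total versus roughly 3.7 billion publicly usable, the /8, /16 and /24 private blocks, and sizing a segment for about 50 hosts) as one added, runnable example. This is not code from the webcast; it is written here using Python's standard `ipaddress` module. The reserved ranges are the ones she lists, spelled out as CIDR blocks, plus 0.0.0.0/8 and the limited broadcast address, which the talk does not mention.

```python
import ipaddress

# Reserved IPv4 ranges, in the order checked. The limited-broadcast /32 sits
# inside 240.0.0.0/4, so it has to be tested first to get its own label.
RESERVED_RANGES = [
    ("limited broadcast", ["255.255.255.255/32"]),
    ("private (RFC 1918)", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("loopback", ["127.0.0.0/8"]),
    ("link-local / APIPA", ["169.254.0.0/16"]),
    ("documentation", ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]),
    ("multicast", ["224.0.0.0/4"]),
    ("reserved for future use", ["240.0.0.0/4"]),
    ("this network", ["0.0.0.0/8"]),
]
_NETWORKS = [(label, [ipaddress.IPv4Network(c) for c in cidrs])
             for label, cidrs in RESERVED_RANGES]


def classify(ip_str: str) -> str:
    """Label an address by the reserved range it falls in, or 'public'."""
    ip = ipaddress.IPv4Address(ip_str)
    for label, nets in _NETWORKS:
        if any(ip in net for net in nets):
            return label
    return "public"


def reserved_address_count() -> int:
    """How many of the 2**32 IPv4 addresses the table above takes out of public use.
    collapse_addresses() merges overlapping blocks so nothing is counted twice."""
    every_net = [net for _, nets in _NETWORKS for net in nets]
    return sum(net.num_addresses for net in ipaddress.collapse_addresses(every_net))


def subnet_summary(cidr: str) -> dict:
    """Network, broadcast, mask and host counts for a prefix such as 192.168.1.37/24."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # strict=False accepts a host address
    total = net.num_addresses
    # /31 (point-to-point) and /32 have no separate network/broadcast address.
    usable = total - 2 if net.prefixlen <= 30 else total
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "total": total,
        "usable": usable,
    }


def smallest_prefix_for(hosts_needed: int) -> int:
    """Smallest subnet (largest prefix) with at least hosts_needed usable addresses,
    so a segment for ~50 hosts gets a /26 instead of a wasteful /24."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts_needed:
            return prefix
    raise ValueError("more hosts than a single IPv4 subnet can address")


if __name__ == "__main__":
    for ip in ["10.1.2.3", "169.254.10.20", "127.0.0.1", "8.8.8.8"]:
        print(f"{ip:16} {classify(ip)}")
    print("reserved:", reserved_address_count(), "usable:", 2 ** 32 - reserved_address_count())
    print(subnet_summary("10.0.0.0/8"))
    print("50 hosts fit in a /", smallest_prefix_for(50))
```

Subtracting the reserved count from 2**32 gives the "about 3.7 billion usable" figure from the talk, and `subnet_summary("10.0.0.0/8")` reproduces the 16 million (16,777,214 usable) that comes with a /8.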
