This webcast was originally published on February 16th, 2023.
In this video, Serena discusses the basics of subnetting in networking, aiming to demystify the topic for beginners and encourage further exploration. They explain the concept of subnet masks, CIDR notation, and how these elements are used to define network and host addresses within a network. The talk further delves into practical applications of subnetting, such as efficiently managing IP address allocation and improving network security and performance.
- Subnetting is essential for efficient IP address utilization and network organization.
- Understanding VLANs can significantly reduce broadcast traffic and improve network efficiency.
- DHCP plays a crucial role in network management by dynamically assigning IP addresses to devices.
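The bit-counting view of CIDR prefixes that the talk walks through (the 128, 64, 32, ... weights, the fixed network part versus the changeable host part) as an added, self-contained Python example; this is not code from the webcast, and the sample addresses at the bottom are constructed:

```python
# Added example (not from the webcast): the bit-counting view of CIDR prefixes
# that the talk describes, in plain Python with no third-party libraries.
# The sample addresses at the bottom are constructed.

BIT_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]  # weight of each bit in one octet


def octet_to_bits(octet: int) -> str:
    """Render one octet as its eight bits, e.g. 160 -> '10100000' (128 + 32)."""
    return "".join("1" if octet & v else "0" for v in BIT_VALUES)


def dotted_to_int(addr: str) -> int:
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """Subnet mask for /prefix: the first `prefix` bits set to 1, the rest 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def subnet_info(cidr: str) -> dict:
    """Split 'a.b.c.d/n' into the fixed network part and the host range."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = dotted_to_int(prefix_to_mask(prefix))
    network = dotted_to_int(addr) & mask          # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)    # host bits set
    host_bits = 32 - prefix
    # The usual "2^host_bits - 2" rule needs at least two host bits;
    # /31 and /32 have no separate network and broadcast addresses.
    two_reserved = host_bits >= 2
    return {
        "network": int_to_dotted(network),
        "mask": int_to_dotted(mask),
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(network + 1 if two_reserved else network),
        "last_host": int_to_dotted(broadcast - 1 if two_reserved else broadcast),
        "usable_hosts": 2 ** host_bits - (2 if two_reserved else 0),
        "bits": " ".join(octet_to_bits(int(o)) for o in addr.split(".")),
    }


if __name__ == "__main__":
    for example in ("172.16.0.0/16", "172.16.10.0/24", "192.168.1.77/29"):
        print(example, subnet_info(example))
```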
Transcript
Serena DiPenti
And then we get into subnets. I’m not gonna do a full rant about subnetting here. This is more just like get your feet wet with the topic, because I think subnetting turns a lot of people off from wanting to learn about networking.

So here in class A, as we saw on the last slide, this is a slash eight, and that means this first octet, right, we have eight bits here, we have eight bits here, we have eight bits here at the bottom and then eight bits here. And each one of these is called an octet.

So the first octet, you see this first number, like for instance, 192, that would be a part of your network address. And then a slash 16 would be like 192.168, that would be a part of your network address. And like the rest would be host addresses, meaning available IP addresses to give to each device on your network that needs one. The network addresses cannot change on that subnet, but the host addresses change based off of what device or what IP addresses the device is given.

Now, the eight, often called a CIDR address or a subnet, you’ll see that it correlates with each one of these bits. So all you have to do is count bits. So slash eight is these eight right here.
And then you put the slash, and that means anything before the slash is going to be not changeable; it’s going to be a part of that network address. Sometimes you’ll see like a slash 16, which means all of these will be a part of the network address where you cannot change it. There’s a slash 24. Sometimes you’ll see even like a slash 29. And when you’re in that, if you see a slash 29, okay, well this is till 24, right after the third octet. So you go 25, 26, 27, 28, 29 and that’s where that slash is going to be.

So it’s very easy to, in my opinion, I like to visualize the bits. I think it makes a lot more sense to me when I visualize the bits.
And each bit is given a number. So you have this first bit right here, and this is for every single octet. You have this first bit, which is equal to 128. You then have 64, 32, 16, 8, 4, 2, 1. And then you’ll have some bits that are flipped on. So if there’s a one here in the first spot, that means that’s 128, but you could say it’s like one, and then maybe you’d see a zero and then one, that would mean it would be 128 plus 32.

And that’s just very basic, right? I think a lot of people get a little lost on the subnetting, and maybe we could do an entire webcast just on subnetting if there is interest for that. But this is just like the general idea of things that you might need to know as a pen tester, as a network engineer. A lot of times they use IP addressing products like Infoblox and things like that that calculate these subnets for you. There’s subnet calculators online. It’s really important to know how it’s done, but typically you’re only going to really use the information if you’re taking a certification exam, because you have so many other resources on the Internet. You don’t have to memorize that; you can use other resources, but it’s good to know how it works.

So now with this information about IP addresses, we found all of the websites that are owned by our company that we’re trying to pen test. We found a website where we could upload a web shell and get our initial foothold into their network. And that brings you to like a whole new world of things that are happening and things that you could do from a pen testing perspective to manipulate the network and to give yourself a little bit of an advantage.
But before we go on to the next level, here we are met with this very fancy wizard, and he’s giving you tools to take with you on this next part of the journey to hack this customer. Right? So you will need to search for open ports. Open ports allow services to communicate to other hosts. Some ports may be used to your advantage, and the wizard gives us a list of well known ports and a tool called Nmap.

Now, I have a very small list here. This is not at all comprehensive, but just to give you an idea of some services that you probably have heard of before, like SSH, which would correlate to a well known port, 22. FTP correlates to 20 and 21. HTTP, you’ll see 80, 8080, and 443 for HTTPS. And then like RDP is 3389. So these are some ports that you probably will see very frequently. And for a longer list, I always just Google like well known ports, because there’s some protocols that are associated with a well known port, but you don’t use them that often, so you don’t remember. But it’s good to find these like cheat sheets and have them available for when you would need them, and they might become handy later.

Now, Nmap is a network scanner used to discover hosts and services on a computer network by sending packets and analyzing their responses. And I use Nmap very heavily for when I’m doing pen tests, because there’s a ton of really great Nmap scripts that you can use to either do brute forcing or enumeration and check for versions of specific things that are running. Some people might use Metasploit, some people use other different tools. I use Nmap a ton because it’s just very reliable and I love the scripts that are available for it, and it’s very helpful for me.

Now, we have these tools and we have our initial foothold into this environment.
But we’re going to need more information on how networks work. And we had mentioned subnets a little bit, and we had previously mentioned VLANs, but we hadn’t really gone super in depth with them. I have this graphic here about VLANs.

Now, VLANs are going to be layer two, so we’re not quite at the router yet. We are more at these switches, and we have these computers that are highlighted. Yellow is engineering, pink is finance, and the orange is HR. They’re given these VLANs of 10, 20 and 30. And this is going to be one building, right? We have a router out, but this is in the basement. We have these computers here. We have level one and level two, and it’s mixed use, right?

So the benefit of a VLAN is going to be to reduce broadcast traffic. Broadcast traffic can be very, very noisy, especially between computers that talk to each other a lot. So if HR is sending tons of information back and forth to each other all the time, there’s going to be some other broadcast information that finance might get, and finance doesn’t need it, and engineering might get, and engineering doesn’t need it, and it can get kind of congested. So VLANs are a great way to reduce the broadcast traffic. And typically you’re going to want to group devices that are most commonly communicating with each other to reduce that.

So if VLAN ten was part of this computer, and VLAN ten in the basement was like, oh, I need to send a document to this other computer that’s also in HR, but it doesn’t know where the computer is. It doesn’t have this MAC address like we had previously seen for ARP. It’s going to send it out as a broadcast. But the yellow and pink computers aren’t going to get that broadcast. It’s going to go to only the HR computers. And this really helps reduce processing that the other computers would need to typically do. Now that doesn’t mean that HR can’t send engineering a document or communicate with engineering, but you can’t do it from a layer one perspective. You’re going to have to go from your computer up the switch to a router, and then the router will route it back down and it will be able to go to the appropriate computer that way.

And again, there’s a lot of benefits for VLANs. There’s some really interesting things you can do from a networking perspective or a pen testing perspective with VLANs. But I wanted to make that distinction between a VLAN and a subnet, because VLANs, you are going to see these at layer two. And this is a little controversial, but VLANs aren’t typically supposed to be like a security feature, right? It’s more about networking and congestion. They’re not some foolproof security method of, oh, these computers won’t be able to talk and all that. It’s great to split up your network that way, but I wouldn’t do it from a security perspective necessarily.

Now subnets, which are different than VLANs, subnets are going to be at layer three and they’re going to be more focused on IP addressing. A subnet is also known as a network inside of a network; that is a good way to conceptualize it. A subnet is decided by the IP address and a subnet mask. We subnet ranges to make them smaller so that we can utilize the IP addresses more efficiently, because they are limited. They’re limited, especially in the IPv4 space. You want to make sure that you’re utilizing them better. This is better for security and it’s going to have better performance as well.
So here we have a 172.16.0.0 address. And that is a slash 16, which means this 172 and this 16 are not going to change, because that’s the amount of bits before we put that slash here. And then these last two numbers here will actually change based off of the IP address it gives to your client that you assign to your computer or phone or printer.

Now you might want to, and this is, I think, where the confusion comes in. You might want to have HR have its own subnet. You want HR to be on its own block of IP addresses. So here we see 172.16.10.4. So these three numbers are going to stay the same for HR, and then maybe HR only has like 200 computers. It only needs 200 addresses. And this is an appropriate amount of IP addresses available. We have HR that’s going to be at the dot 20 here, and then we also have engineering at dot 30. Again, the difference between a VLAN and a subnet is talking about layer two and layer three.

Now we have all these IP addresses we know HR needs. If I have a computer and I work in HR, my computer needs an IP address. And how do I get that IP address? Typically, we are going to get an IP address through DHCP. Some IP addresses are statically assigned, but it would be a really big pain to have to statically assign and give everybody an IP address and then tell people how to add their IP address to their computer. And it’s just, it’s not efficient, it’s not scalable or realistic. So we have a protocol called DHCP. We have our computer and then we have a DHCP server here. Sometimes it’s its own server, sometimes it’s embedded in a router. And this DHCP server is going to have a pool of IP addresses that it can give out to computers that are requesting an IP address so that it can connect to the Internet and communicate with other devices.
Now, there’s a couple different messages that are exchanged during this DHCP kind of like, I guess, request, and the whole transaction really. So first we’re going to have a computer who’s going to discover. I just connected my brand new computer. My computer is going to say, all right, I need to get an IP address. It’s going to send out a DHCP discover message to everyone on its network segment and ask, hey, who is a DHCP server? Where is there a DHCP server? Because it doesn’t know. It just came out of the box. So it’ll send out a DHCP discover message to everybody that has access in that networking segment, right? And the DHCP server will receive that message and say, like, hey, I’m a DHCP server, here’s an available IP address, and the computer will say, okay, cool, I’m going to send a request for that specific IP address, and then the DHCP server is going to acknowledge that the IP address has been given to this host over here.

Now why is there an offer and then a request? Like, why is there not an offer and then the DHCP server is like, yeah, that’s fine? There’s an offer and a request because there can be more than one DHCP server that could answer that computer. Maybe it has two or three DHCP servers that send it a response. It’s typically going to go for the first server, and that’s why it might receive more than one offer, but it’s only going to request an IP address from the offer that it accepts. And that request will then let that DHCP server know, okay, this host accepted my request, or accepts my offer, and is requesting that I take that IP address out of the available pool of IP addresses that I have, and then the DHCP server acknowledges.

Now DHCP, this question you will get on so many certification exams, like explain this little handshake that happens here. And one way to remember is this DORA acronym, where D stands for discover, O stands for offer, R stands for request and A stands for acknowledgement. And that’s an easy way to remember how this handshake happens, because if you are, like I said, interested in certification exams, this is a fairly common question that you will see on those exams.

Now, DHCP can also be abused by a pen tester potentially. Typically. We’ll get into it. There’s more slides, we’ll get into it, but we’re going to continue the investigation a little bit. So while doing recon, when we were getting all those DNS records and information, we noticed that a publicly exposed DNS server revealed a name server record resolving to a private IP address. So when you got all this information from your DNS recon, you saw that there is an IP address. Now that we’ve learned the difference between a public and private IP address, you saw an IP address that was in the private range, which is weird, because why would that be available? It’s not publicly routable. So you kind of assume, I don’t think I should have access or know about this name server. I don’t think I should have access to this IP address. And the IP address is also associated with a host name that appears that it could be a domain controller. So sometimes you will see host names that will be like active directory domain server or ADDS.example.com. And so you’re like, I want to investigate that further, because that is interesting information, and that does happen sometimes. I’ve seen that on pen tests where you’re going through DNS records and recon information and you see private IP addresses. And so that’s like an interesting finding.

So we’re going to want to investigate that a little bit further. And we’re in the network now, so maybe we are able to connect to that IP address. Now you have the shell and you don’t actually have access to Nmap yet. The shell that you’re working on in the private network, it doesn’t have Nmap installed, but you can use Netcat.

We want to further investigate this potential domain controller. A domain controller is a server that authenticates other users on those networks. They’re a lot of times very interesting servers. Occasionally they’re pretty easy to tell. And the way that we can tell or have an idea if this is confirmed to be a domain server or active directory server is by looking for specific open ports. Now we briefly talked about well known ports correlating with specific services. So we know DNS is associated with well known port 53. Another common port that you will see available and open is LDAP, which is another way to authenticate. That well known port is 389. And we also see like Microsoft AD and SMB at 445. So we can check by using Ncat to the domain server here, or the suspected domain server, and checking to see if that port is open, and if it can connect to that port, it means it’s open. So good chance after checking to see that, hey, this server has these available ports open, you have an idea that this is probably a domain server using Active Directory where authentication is coming and going, which leads us to level four.

Mhm.
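The DHCP offer/request point made in the transcript above (why a client sends a Request after the Offers, when more than one server answers its Discover) as an added, simplified model in Python; this is not code from the webcast or a real DHCP implementation, and the server IPs, pools and MAC address are constructed:

```python
# Added example (not from the webcast): a simplified model of the DHCP DORA
# exchange (Discover, Offer, Request, Acknowledge) with two servers on one
# segment, showing why the client still sends a Request after receiving Offers.
# Pools, MACs and message fields are constructed; no sockets, no option encoding.

from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    server_id: str                 # server identifier (its own IP address)
    pool: list                     # addresses still free to hand out
    leases: dict = field(default_factory=dict)   # client MAC -> address

    def on_discover(self, client_mac: str):
        """Answer a broadcast DISCOVER with an OFFER; nothing is reserved yet."""
        if not self.pool:
            return None
        return {"type": "OFFER", "server_id": self.server_id,
                "yiaddr": self.pool[0], "chaddr": client_mac}

    def on_request(self, request: dict):
        """Only the server named in the REQUEST leases the address; any other
        server sees its offer was declined and keeps that address free."""
        if request["server_id"] != self.server_id:
            return None
        addr = request["requested_ip"]
        if addr not in self.pool:
            return {"type": "NAK", "server_id": self.server_id}
        self.pool.remove(addr)
        self.leases[request["chaddr"]] = addr
        return {"type": "ACK", "server_id": self.server_id,
                "yiaddr": addr, "chaddr": request["chaddr"]}


def dora(client_mac: str, servers: list) -> dict:
    """One DORA round: broadcast DISCOVER, collect OFFERs, REQUEST the first
    one received (the talk's "go for the first server"), return the ACK."""
    offers = [o for o in (s.on_discover(client_mac) for s in servers) if o]
    if not offers:
        raise RuntimeError("no DHCP server answered the DISCOVER")
    chosen = offers[0]
    request = {"type": "REQUEST", "chaddr": client_mac,
               "server_id": chosen["server_id"],
               "requested_ip": chosen["yiaddr"]}
    replies = [r for r in (s.on_request(request) for s in servers) if r]
    return {"offers": len(offers), "ack": replies[0]}


if __name__ == "__main__":
    a = DhcpServer("172.16.10.1", ["172.16.10.50", "172.16.10.51"])
    b = DhcpServer("172.16.10.2", ["172.16.10.200"])
    print(dora("aa:bb:cc:dd:ee:01", [a, b]))
    print("server B pool untouched:", b.pool)
```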