
Networking for Pentesters: Beginner – Part 2

This webcast was originally published on February 16th, 2023.

In this video, Serena discusses the basics of subnetting in networking, aiming to demystify the topic for beginners and encourage further exploration. They explain the concept of subnet masks, CIDR notation, and how these elements are used to define network and host addresses within a network. The talk further delves into practical applications of subnetting, such as efficiently managing IP address allocation and improving network security and performance.

  • Subnetting is essential for efficient IP address utilization and network organization.
  • Understanding VLANs can significantly reduce broadcast traffic and improve network efficiency.
  • DHCP plays a crucial role in network management by dynamically assigning IP addresses to devices.

Transcript

Serena DiPenti

And then we get into subnets. I'm not gonna do a full rant about subnetting here. This is more just to get your feet wet with the topic, because I think subnetting turns a lot of people off from wanting to learn about networking.

So here in Class A, as we saw on the last slide, this is a slash eight, and that means this first octet, right, we have eight bits here, we have eight bits here, we have eight bits here at the bottom, and then eight bits here. And each one of these is called an octet.

So the first octet, you see this first number, like for instance 192, that would be a part of your network address. And then a slash 16 would be like 192.168, that would be a part of your network address. And the rest would be host addresses, meaning available IP addresses to give to each device on your network that needs one. The network addresses cannot change on that subnet, but the host addresses change based off of what device or what IP address the device is given.

Now, the eight, often called a CIDR address or a subnet, you'll see that it correlates with each one of these bits. So all you have to do is count bits. So slash eight is these eight right here. And then you put the slash; that means anything before the slash is going to be not changeable, it's going to be a part of that network address. Sometimes you'll see like a slash 16, which means all of these will be a part of the network address where you cannot change it. There's a slash 24. Sometimes you'll see even like a slash 29. And if you see a slash 29, okay, well, this is till 24, right after the third octet. So you go 24, 25, 26, 27, 28, 29, and that's where that slash is going to be.

So it's very easy to, in my opinion, I like to visualize the bits. I think it makes a lot more sense to me when I visualize the bits. And each bit is given a number. So you have this first bit right here, and this is for every single octet. You have this first bit, which is equal to 128. You then have 64, 32, 16, 8, 4, 2, 1.

And then you'll have some bits that are flipped on. So if there's a one here in the first spot, that means that's 128, but you could say it's like one, and then maybe you'd see a zero and then one; that would mean it would be 128 plus 32.

And that's just very basic, right? I think a lot of people get a little lost on the subnetting, and maybe we could do an entire webcast just on subnetting if there is interest for that. But this is just like the general idea of things that you might need to know as a pen tester, as a network engineer. A lot of times they use IP addressing products like Infoblox and things like that that calculate these subnets for you. There's subnet calculators online. It's really important to know how it's done, but typically you're only going to really use the information if you're taking a certification exam, because you have so many other resources on the Internet. You don't have to memorize that, you can use other resources, but it's good to know how it works.

So now, with this information about IP addresses, we found all of the websites that are owned by our company that we're trying to pen test.

We found a website where we could upload a web shell and get our initial foothold into their network. And that brings you to like a whole new world of things that are happening and things that you could do from a pentest perspective to manipulate the network and to give yourself a little bit of an advantage.

But before we go on to the next level, here we are met with this very fancy wizard, and he's giving you tools to take with you on this next part of the journey to hack this customer. Right? So you will need to search for open ports. Open ports allow services to communicate to other hosts. Some ports may be used to your advantage, and the wizard gives us a list of well known ports and a tool called Nmap.

Now, I have a very small list here. This is not at all comprehensive, but just to give you an idea of some services that you probably have heard of before, like SSH, which would correlate to a well known port, 22. FTP correlates to 20 and 21. HTTP, you'll see 80, 8080, and 443 for HTTPS. And then RDP is 3389. So these are some ports that you probably will see very frequently. And for a longer list, I always just Google like "well known ports," because there's some protocols that are associated with a well known port, but you don't use them that often, so you don't remember. But it's good to find these cheat sheets and have them available for when you would need them, and they might become handy later.

Now, Nmap is a network scanner used to discover hosts and services on a computer network by sending packets and analyzing their responses. And I use Nmap very heavily when I'm doing pen tests, because there's a ton of really great Nmap scripts that you can use to either do brute forcing or enumeration and check for versions of specific things that are running. Some people might use Metasploit, some people use other different tools. I use Nmap a ton because it's just very reliable and I love the scripts that are available for it, and it's very helpful for me. Now, we have these tools and we have our initial foothold into this environment.

But we're going to need more information on how networks work. And we had mentioned subnets a little bit, and we had previously mentioned VLANs, but we hadn't really gone super in depth with them. I have this graphic here about VLANs.

Now, VLANs are going to be layer two, so we're not quite at the router yet. We are more at these switches, and we have these computers that are highlighted. Yellow is engineering, pink is finance, and the orange is HR. They're given these VLANs of 10, 20, and 30. And this is going to be one building, right? We have a router out, but this is in the basement. We have these computers here. We have level one and level two. And it's mixed use, right?

So the benefit of a VLAN is going to be to reduce broadcast traffic. Broadcast traffic can be very, very noisy, especially between computers that talk to each other a lot. So if HR is sending tons of information back and forth to each other all the time, there's going to be some other broadcast information that finance might get, and finance doesn't need it, and engineering might get, and engineering doesn't need it, and it can get kind of congested. So VLANs are a great way to reduce the broadcast traffic. And typically you're going to want to group devices that are most commonly communicating with each other to reduce that.

So if VLAN 10 was part of this computer, and VLAN 10 in the basement was like, oh, I need to send a document to this other computer that's also in HR, but it doesn't know where the computer is. It doesn't have this MAC address, like we had previously seen for ARP. It's going to send it out as a broadcast. But the yellow and pink computers aren't going to get that broadcast. It's going to go to only the HR computers. And this really helps reduce processing that the other computers would need to typically do. Now, that doesn't mean that HR can't send engineering a document or communicate with engineering, but you can't do it from a layer one perspective. You're going to have to go from your computer up the switch to a router, and then the router will route it back down, and it will be able to go to the appropriate computer that way. And again, there's a lot of benefits for VLANs.

There's some really interesting things you can do from a networking perspective or a pen testing perspective with VLANs. But I wanted to make that distinction between a VLAN and a subnet, because VLANs, you are going to see these at layer two. And this is a little controversial, but VLANs aren't typically supposed to be like a security feature, right? It's more about networking and congestion. They're not some foolproof security method of, oh, these computers won't be able to talk and all that. It's great to split up your network that way, but I wouldn't do it from a security perspective necessarily.

Now, subnets, which are different than VLANs: subnets are going to be at layer three, and they're going to be more focused on IP addressing.

A subnet is also known as a network inside of a network; that is a good way to conceptualize it. A subnet is decided by the IP address and a subnet mask. We subnet ranges to make them smaller so that we can utilize the IP addresses more efficiently, because they are limited. They're limited, especially in the IPv4 space. You want to make sure that you're utilizing them better. This is better for security, and it's going to have better performance as well.

So here we have a 172.16.0.0 address. And that is a slash 16, which means this 172 and this 16 are not going to change, because that's the amount of bits before we put that slash here. And then these last two numbers here will actually change based off of the IP address it gives to your client, that you assign to your computer or phone or printer.

Now you might want to, and this, I think, is where the confusion comes in. You might want to have HR have its own subnet. You want HR to be on its own block of IP addresses. So here we see 172.16.10.4. So these three numbers are going to stay the same for HR, and then maybe HR only has like 200 computers. It only needs 200 addresses. And this is an appropriate amount of IP addresses available. We have HR that's going to be at the dot 20 here, and then we also have engineering at dot 30. Again, the difference between a VLAN and a subnet is talking about layer two and layer three. Now we have all these IP addresses we know HR needs.

If I have a computer and I work in HR, my computer needs an IP address. And how do I get that IP address? Typically, we are going to get an IP address through DHCP. Some IP addresses are statically assigned, but it would be a really big pain to have to statically assign and give everybody an IP address and then tell people how to add their IP address to their computer. It's just not efficient, it's not scalable or realistic. So we have a protocol called DHCP.

We have our computer, and then we have a DHCP server here. Sometimes it's its own server, sometimes it's embedded in a router. And this DHCP server is going to have a pool of IP addresses that it can give out to computers that are requesting an IP address, so that they can connect to the Internet and communicate with other devices.

Now, there's a couple different messages that are exchanged during this DHCP, kind of like, I guess, request, and the whole transaction really. So first we're going to have a computer who's going to discover. I just connected my brand new computer. My computer is going to say, all right, I need to get an IP address. It's going to send out a DHCP discover message to everyone on its network segment and ask, hey, who is a DHCP server? Where is there a DHCP server? Because it doesn't know. It just came out of the box. So it'll send out a DHCP discover message to everybody that has access in that networking segment, right? And the DHCP server will receive that message and say, like, hey, I'm a DHCP server, here's an available IP address. And the computer will say, okay, cool, I'm going to send a request for that specific IP address. And then the DHCP server is going to acknowledge that the IP address has been given to this host over here.

Now, why is there an offer and then a request? Like, why is there not an offer, and then the DHCP server is like, yeah, that's fine? There's an offer and a request because there can be more than one DHCP server that could answer that computer. Maybe it has two or three DHCP servers that send it a response. It's typically going to go for the first server, and that's why it might receive more than one offer. But it's only going to request an IP address from the offer that it accepts. And that request will then let that DHCP server know, okay, this host accepted my offer and is requesting that I take that IP address out of the available pool of IP addresses that I have. And then the DHCP server acknowledges.

Now, DHCP, this question you will get on so many certification exams, like explain this little handshake that happens here. And one way to remember is this DORA acronym, where D stands for Discover, O stands for Offer, R stands for Request, and A stands for Acknowledgement. And that's an easy way to remember how this handshake happens, because if you are, like I said, interested in certification exams, this is a fairly common question that you will see on those exams.

DHCP can also be abused by a pen tester potentially. Typically. We'll get into it. There's more slides, we'll get into it, but we're going to continue the investigation a little bit.

So while doing recon, when we were getting all those DNS records and information, we noticed that a publicly exposed DNS server revealed a name server record resolving to a private IP address. So when you got all this information from your DNS recon, you saw that there is an IP address. Now that we've learned the difference between a public and private IP address, you saw an IP address that was in the private range, which is weird, because why would that be available? It's not publicly routable. So you kind of assume, I don't think I should have access to or know about this name server. I don't think I should have access to this IP address.

And the IP address is also associated with a host name that appears that it could be a domain controller. So sometimes you will see host names that will be like active directory domain server or adds.example.com, and so you're like, I want to investigate that further, because that is interesting information. And that does happen sometimes. I've seen that on pen tests where you're going through DNS records and recon information and you see private IP addresses. And so that's like an interesting finding. So we're going to want to investigate that a little bit further. And we're in the network now, so maybe we are able to connect to that IP address.

Now you have the shell, and you don't actually have access to Nmap yet. The shell that you're working on in the private network, it doesn't have Nmap installed, but you can use Netcat. We want to further investigate this potential domain controller. A domain controller is a server that authenticates other users on those networks. There's a lot of times very interesting servers. Occasionally they're pretty easy to tell. And the way that we can tell or have an idea if this is confirmed to be a domain server or active directory server is by looking for specific open ports.

Now, we briefly talked about well known ports correlating with specific services. So we know DNS is associated with well known port 53. Another common port that you will see available and open is LDAP, which is another way to authenticate. That well known port is 389. And we also see like Microsoft AD and SMB at 445. So we can check by using ncat to the domain server here, or the suspected domain server, and checking to see if that port is open, and if it can connect to that port, it means it's open. So good chance after checking to see that, hey, this server has these available ports open, you have an idea that this is probably a domain server using active directory where authentication is coming and going, which leads us to level four.

Mhm.