Okay, welcome to the workshop. We're gonna be looking at Wireshark and we're gonna be looking at basic networking. How we're gonna do it is we will take the hacker approach: rather than learning and then doing, we're gonna do and then learn on the go with Wireshark. To enjoy this fully you will need a device, preferably a laptop, something that runs Wireshark. It would be wise to download Wireshark now already. I see some recognizable faces, so there are some knowledgeable people here, and I'm sure those of you who I don't recognize are also knowledgeable. Please help your neighbors to install Wireshark. It's wireshark.org, right? If you don't have a laptop it may be less interesting for 30% of the talk, but 70% is gonna be me talking, right?

But having said that, even though it's a hacker approach, I come from an academic background, so the goal of this talk is to make you really, really, really understand all the layers of networking, how it all adds up and how the internet works.

So these are actually two models of how networking works, and we're gonna go through the layers one by one. What does this represent? Oh, sorry, how many of you know what an IP address is? Okay. How many of you aren't sure what an IP address is? And that's okay, that's what this workshop is for. Some more. Okay, good. How many of you have seen a similar picture to this one before? Okay, a bit more than half. Good. I tried to make it a beginner's one, but let's do it like that.

So the wire, or the network medium, is down here. What this represents, actually, is different ways, or different dissectors, that we can use to look at the data on the network. If we take the good old classical wired network, this is where the wire goes. This is where your electrical signals go, or your optical signals, and different encodings are used to encapsulate the data up to the user. So for this picture, and you're gonna see it again today, you can imagine the user, or yourself, on the top, where you're sitting at the keyboard in your browser or in your email client, and the physical medium, the wire or the Wi-Fi, on the very bottom. Okay, and we will get back to that.

So what we're gonna be talking about: our network layer models. We're gonna take a look at Ethernet, we're gonna take a look at Wi-Fi. It's gonna take three hours. We're gonna take a look at layer three protocols; those are layers of the seven layers in one of the models. We're gonna look at ARP, ICMP, IPv4, IPv6. We're gonna look at layer four, UDP and TCP. How many of you aren't sure or don't know at all the difference between UDP and TCP? If I asked you to explain, how many could not do that, or wouldn't be sure if they could? Okay, we have beginners here. Great, cool, I really love that. We're gonna have a quick peek at routing, I think, if I didn't remove that from the deck. And finally application level protocols. Did you actually know the common thing between SMTP, which is used to send your mails online, and the post office? The return address is whatever you write on the envelope. It's the same for SMTP, same for email. We're gonna look at that, and of course the advanced stuff: punching holes in firewalls, breaking WPA2 and much more, because we have a lot of time.

Right, the approach: academic approach and at the same time hacker approach. I already covered this, but we'll look at what we see, we'll try to understand it deeply enough, and we'll try to make it fun.

Please make sure all of you who have laptops here have Wireshark. Shoot first, ask questions later. The first thing we do is we get to know Wireshark. We're not gonna go deep right now; we're just gonna take a quick peek, then we're gonna discuss what we see, and then we're gonna go deeper into all the protocols, right?

I didn't tell you what a network is. Is there a need to explain what a network is? A network is generally more than one connected device. It's a very general definition, because it doesn't have to be a computer network; it can be USB and all that, and Wireshark, as we will see, is actually quite good at capturing different protocols, not only network protocols. But a computer network is basically a network that's made up of these layers that we looked at previously.

Okay, I'm gonna sit over there, I'm gonna open Wireshark, I'm gonna show you some stuff. Is it loud enough? Louder? Yes, loud enough, okay. Hmm, I think I ought to clean my workspace settings so as not to show stuff. Anyway, Wireshark is an application that is used to analyze network traffic, to visualize network traffic. It can also be used to capture network traffic. I should have had a Wireshark folder, okay, whatever, let's just launch it. There will be some files in there, but it doesn't matter. Oh, it goes on there. Let me set the screens up for us. Okay, it should be there now.

Right, so this is actually a clean copy of Wireshark. Depending on what version you got and what operating system you got it might look a bit different, but the common thing is you have a filter entry here that allows you to enter filters, and you have interfaces here. Some operating systems are really picky about giving you access to the actual network interfaces. If you don't see them (this graph doesn't show up in all the versions, right), ask a neighbor to enable capturing for you. You will have time to do that.

Anyway, this is the general interface, and one thing I can suggest even to pros: look, if I click on the interface it starts capturing the data. Yeah, let's capture it, whatever. So this is my data that's on the wire, and it's not so easy to see because you have these different parts, and we can talk about them. What I suggest everyone do is go to Edit, Preferences, and in Layout under Appearance select the second layout. It's much easier to work with. Right, then we have it like here. Why is this good? Because the left side and the right side are now showing the same information, differently. It's just much better. So Edit, Preferences, Appearance and then Layout, and you take the second option there. If you don't like it, you can switch back.

Okay, so we will talk about what all these numbers and all these letters mean in a moment, but what you need to know now, and if I'm going too fast please let me know, you have time, at least for now...

Well, you better not, but you can. So the question was: would you have to run Wireshark as sudo? It's not advisable, but it solves many problems at once, creating some other bigger problems, but it does get the job done. Why don't you run Wireshark as sudo? Wireshark not only captures data from the network, which it needs privileges for, but it also processes it, and these so-called dissectors, which allow you to visually see what you see on the left here (each line here is provided by a different dissector; it actually allows you to see what's inside the protocol, and you can take a look at that much later on) are written by many different people, lots of them, and there are bugs. And you don't want bugs in a program you run as root, right? Especially if it's taking live data from the network. All the data. Anyway, if there are no more questions at this point, let me continue.

So on top we have each frame, each packet, it depends on what that is, but basically each piece of incoming data on the wire we have here on top. On the left in this view we have dissected data, so it's processed data and we can take a look at what's what. On the right we have raw data; this is the whole frame. The cool thing about this is if you click anywhere on the right, it will show you the matching part on the left, so it actually shows you which byte is what. This is quite cool, but we don't know what that is, right? It's some mumbo jumbo. Let's get back to the presentation; we're gonna work with that a bit. Let me switch back a bit quicker than previously.

Okay, so for capturing data locally, that's what I just did. For this workshop I hope your neighbors will help you set this up. Then you do that at home; it's usually useful after you've been to a workshop to go back home and try to repeat it, on different hardware. If you want to capture the data on the wire, not only that which goes to your computer (for example, now I capture the data that goes to my computer), you can capture all the data that is received by the network interface on layer one; you need to make sure to enable promiscuous mode. It means that your network card does not drop packets, or frames, that are not addressed to you. That means you get to see other stuff on the network or on the Wi-Fi. We're gonna probably take a look at that later on, in two hours. Network card drivers have to support this feature. Most do. If they don't, for example for Wi-Fi, I recommend these TP-Links, quite good. This is the TL-WN722N. It's only 2.4 GHz, but it gets the job done if your built-in one does not support it.

Wireshark can also be used to capture other network data, like USB data, GSM data. Some of these may require additional tools, meaning that you will not usually be able to capture GSM with Wireshark directly, but there's a cool project, Osmocom, which... who knows Osmocom? Some do, good. Which you can install and configure; it's a pain, but it works nicely after you do that and you have the right hardware. Of course you can't do that with this one; this is 2.4 GHz, GSM is just under a gigahertz. And then you can capture it and dissect it, right.

Just to cover a bit more advanced stuff now. We are not gonna try it, but you might be interested in the future. So let's say you have a larger network, or let's say you are not at the network at the time at all, you're in a different place, and you want to capture the data remotely, or rather you want to dissect the data remotely, you want to take a look at it. For example, you're renting a server in a server room somewhere in Amsterdam and you're not from the Netherlands and you need to debug what the hell is happening there. You have multiple options depending on the network between where you're capturing and where you are. So if you're close, you can use port mirroring. That's a feature on switches where you say: I want all the other ports from the switch (so the holes you plug the wire in, right) to go to this port too, and then you also get the data. So if you're on the local network, that's a feature you can use to get to the data. You can use some protocol; for example TZSP, the TaZmen Sniffer Protocol, can be used, and that can be used over long distances. I think it's UDP, meaning it might lose some data; what that means, we'll get to in some moments. But it basically forwards everything to an IP address on the internet, so it can be used over longer distances, but it's not encrypted. In case you're okay with not getting live data, you can use the command down below, tcpdump, this specific command. What would it do? This specific command would take the interface called eth0 and write all the data without size limitation (so 64K is the largest size you can have; without size limitation) to a .cap or .pcap file, and then you could open that file with Wireshark. Let me show you that right now.

Thank you so much. So let me stop this here. My interface here is wlan0. I don't have Ethernet connected currently because I was running the speaker the whole day, but we'll go here. Let's delete the program stuff from here. Whoops. Right. So it needs sudo, of course, because it needs to capture from the interface, and tcpdump, then we specify the interface, which is wlan0 in this case. Who has heard of systemd? Yeah, systemd has a cool feature where interfaces are called something like... something like that. You can turn it off; actually, I did. If some of you don't know how to do it, I mean, I don't remember how I did it, it's somewhere there, look it up online. Anyway, next is the maximum size here and the file to write it to. And the secret passphrase, it's secret123... sorry, never mind. Permission denied. Okay, what's happening here? Okay, so apparently permissions for my RAM disk don't allow root to write there, whatever, however that happened. Okay, so currently I'm writing to test.cap. I think that's enough. Now when you launch Wireshark you can also click File, Open here, you can go to your /tmp folder, test.cap, here it is, you open it up and there we have it. We have basically the same information, the same layout, but it's not real time, and this time here on the left is relative to the start of tcpdump, not relative to the start of Wireshark. And we have stuff here, right? We also have a visual clue here.
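Added example, not part of the talk or its slides: a small Python parser for the classic pcap container that `tcpdump -w` writes (the kind of test.cap opened in Wireshark above). It reads the global header (magic number, byte order, snaplen, link type) and each record, computes the time relative to the first record the way Wireshark's default time column does, and flags records whose `incl_len` is smaller than `orig_len`, which is exactly what happens when the `-s` snaplen is smaller than the frame on the wire. The frames and timestamps are constructed dummy data, not the capture shown on screen.

```python
"""Read the classic pcap container that `tcpdump -w` writes (added example, not from the talk)."""
import struct

GLOBAL_HDR = 24      # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16      # ts_sec, ts_frac, incl_len, orig_len

# Magic number as it appears on disk -> (struct byte order, timestamp ticks per second)
MAGICS = {
    bytes.fromhex("d4c3b2a1"): ("<", 1_000_000),        # little-endian, microseconds (tcpdump default)
    bytes.fromhex("a1b2c3d4"): (">", 1_000_000),        # big-endian, microseconds
    bytes.fromhex("4d3cb2a1"): ("<", 1_000_000_000),    # little-endian, nanoseconds
    bytes.fromhex("a1b23c4d"): (">", 1_000_000_000),    # big-endian, nanoseconds
}


def build_pcap(frames, snaplen=65535, linktype=1, endian="<", start_sec=1_700_000_000, step_us=250_000):
    """Write a microsecond pcap from raw frames; mimics `tcpdump -s <snaplen> -w` (constructed data)."""
    out = bytearray(struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    sec, usec = start_sec, 0
    for frame in frames:
        captured = frame[:snaplen]                    # bytes past snaplen are never written
        out += struct.pack(endian + "IIII", sec, usec, len(captured), len(frame))
        out += captured
        usec += step_us
        sec, usec = sec + usec // 1_000_000, usec % 1_000_000
    return bytes(out)


def parse_pcap(data):
    """Return header fields and one dict per record, with time relative to the first record."""
    magic = data[:4]
    if magic not in MAGICS:
        raise ValueError(f"not a classic pcap file (magic {magic.hex()})")
    endian, ticks_per_sec = MAGICS[magic]
    _, vmajor, vminor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR])
    records, off, first_ticks = [], GLOBAL_HDR, None
    while off < len(data):
        if off + RECORD_HDR > len(data):
            raise ValueError(f"record header at offset {off} cut short; capture was interrupted")
        sec, frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR])
        off += RECORD_HDR
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:
            raise ValueError(f"record at offset {off - RECORD_HDR} is missing {incl_len - len(payload)} bytes")
        off += incl_len
        ticks = sec * ticks_per_sec + frac
        if first_ticks is None:
            first_ticks = ticks
        records.append({
            "time_rel": (ticks - first_ticks) / ticks_per_sec,   # what Wireshark shows by default
            "incl_len": incl_len,
            "orig_len": orig_len,
            "truncated": incl_len < orig_len,                      # snaplen was smaller than the frame
            "bytes": payload,
        })
    return {"version": (vmajor, vminor), "snaplen": snaplen, "linktype": linktype, "records": records}


# Constructed sample: two dummy Ethernet-sized frames, the second one longer than the snaplen.
FRAME_A = bytes(range(60))
FRAME_B = bytes(range(100))
SAMPLE_PCAP = build_pcap([FRAME_A, FRAME_B], snaplen=64)


def summary(data):
    """Lines similar to Wireshark's packet list: number, relative time, captured/original length."""
    cap = parse_pcap(data)
    lines = [f"linktype={cap['linktype']} snaplen={cap['snaplen']} version={cap['version']}"]
    for n, r in enumerate(cap["records"], 1):
        flag = " [truncated]" if r["truncated"] else ""
        lines.append(f"{n} {r['time_rel']:.6f} {r['incl_len']}/{r['orig_len']}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_PCAP)))
```

The `truncated` flag is the practical reason to pass `-s 0` (or 65535) to tcpdump: a record written with a small snaplen keeps the headers but loses the tail of the payload, and no later tool can recover it.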
This is a feature of the newer versions. If you have an older one, you will not have this on the right to present what you have on the left, but you see everything.

Okay, still some of you, most of you probably, still don't know what the hell all this is about. So we're gonna move forward and talk about what this is about. This is gonna be the most academic part of the workshop, so if you are an academic or like academics, this is the time for you to listen carefully. Okay, I should have put a nice wallpaper; I'm gonna do that for tomorrow's talk.

Right, so these are the models. The ISO OSI model is on the left there. It consists of seven layers of encapsulation, of the way to look at the item. The DoD 4 model is on the very right. It says network, internet, host-to-host and process; there are just four layers. It doesn't mean that anything on the network changes. If you look at, I mean, if you have the data, it's there. It doesn't mean that stuff changes; it's just a different way to look at it. Okay, and what do layers actually mean? What does that represent? So if you connect a measurement device to a networking medium on the very bottom, you will have some kind of signal. For example, you might see an electronic signal on the other end of a wire, you might see an optical signal, intensity of light, on an optical wire. For radio signals you might listen on a specific frequency and you might also hear some intensity on a specific frequency and the frequencies around it. That's all there, and all the layers are in there. The question is which layer do we look at? How do we interpret the data? The data doesn't change. The data on the wire does not change depending on the layer that we are looking at. Okay, and I hope you will understand by the end of this presentation what the reasons are for having the layers and looking at them differently.

Okay, we're gonna use the academic model, the ISO OSI model, for this presentation. The DoD model basically is more down to earth; it's a bit more simple. It encapsulates, sorry, it joins multiple layers together into fewer layers, because even when working with the ISO OSI model these three layers, you can see they're in the same color, it's hard to distinguish them at times, depending on what the protocols are. The model does not influence what's on the wire, but it influences how academics and practitioners create protocols for the internet; they look at the model. And the great success of the model is that it's layered, meaning you can basically swap out one layer and everything else can remain the same. For example, if we swap out the physical layer, we can still have an IP address. It doesn't matter if you have Wi-Fi or if you have wire or if you have optic cable, you still have the same IP addresses. Theoretically, for DNS for example, the Domain Name System, we can look at that later, we can swap out the transport layer, we can change UDP to TCP, and we still have basically the same protocol on top on layer 5 and the same protocols below on layer 3 and down. Each layer can be swapped out mostly independently, meaning that the internet can evolve. We can create new protocols and it's easy enough. There are some bigger projects doing some larger stuff where they want to replace the whole stack; it's a bit more complex than that. But that's the great success.

Moving data from the user on top to the wire on the bottom is called encapsulation. There's one encapsulation step between each pair of layers. So going from layer 7 to layer 6 there's encapsulation, 6 to 5 there's encapsulation, 5 to 4 and so on. Technically you only need to have the lowest layers. So let's say we capture data at a specific moment in time. We measure the voltage on the wires. It has to have a physical layer, because we measure the voltage; that is the physical layer. If the voltage makes sense in, say, the Ethernet sense, we can also interpret that as layer 2. If that Ethernet frame contains the IP protocol, it's layer 3, and so on. But it doesn't have to go all the way up, as we will see in the example with escapee; it can stop at any time. The physical layer is there; depending on what data is in there, and if you have Wireshark on, you can take a look at the data you capture. Some dissected packets will show you only up to a specific layer.

Right, so let's say I was typing an email. I typed my body, my text that I want to send, and I press send. So what all the applications and all the firmware on your computer do together is encapsulate it down to the physical layer, and then the network card takes the raw bits, zeros and ones, and creates a signal out of them, depending on what kind of physical layer you're on. Encapsulation usually includes adding a header to the data from the upper layer. So let's say your email text was really short; let's say it was "hello SHA", right? Hello, space, SHA. Encapsulating it one by one, well, layer by layer, you would add additional data. It's usually binary data, so I can't really pronounce it to you, but for the sake of argument let's take some simple numbers. At the transport layer it might be 777 hello SHA; at the next layer it might be 356 777 hello SHA. It will add more and more data, more and more metadata, with every encapsulation. For some layers it will also add check sequences. It depends on the specific protocols that we're gonna look at, but there are check sequences that ensure that the data of the upper layer has not been corrupted when being transferred. So this is basically encapsulation. If anyone asks you what encapsulation is, it means taking the upper layer data, adding some stuff to it and then passing it down to the lower layer.

There's one more thing: decapsulation. Anyone knows, or thinks they know, what that is? Right, decapsulation is the process the other way around. You have your bits here, they're decoded and then they're decapsulated: you check the check sequence, if there is any, and you do what you need to do with the headers. Sometimes, for example promiscuous mode, right, you remember that; if you don't have it on, your network card checks the header, checks the MAC address (we can talk about the MAC address later) and discards the frame and doesn't pass it up. It discards it depending on what the metadata here is. So something is done with the header, and if it's all fine the data is passed up. Please watch me carefully. So this data here decapsulates to this here. So all this is considered data on the lower layer. Again, all this, sorry, all this is considered data on the lower layer, right, in encapsulation and decapsulation, okay.

Shortly back to the academic part of the presentation. The correct names for the packet data units for each layer are: physical layer, those are bits; data link is frame; network is packet; transport is segment; and here, just data. Just in case you were wondering. Technically, with what I do here today, you might be able to pass half of the CCNA 1 course. You can try the exam later on. So I don't have much to say about the physical layer.
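Added example, not from the talk or its slides, using the "hello SHA" payload from above: it builds the UDP segment, the IPv4 packet and the Ethernet frame one step at a time so each added header is visible, then decapsulates the frame again and does what the speaker describes at each step: the destination MAC check that a card not in promiscuous mode performs before passing anything up, and the IPv4 and UDP check sequences. The MAC and IP addresses and port numbers are made up; the Ethernet FCS that the card appends on the wire is not modelled.

```python
"""Encapsulate "hello SHA" down the stack and decapsulate it again (added example, not from the talk)."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
BROADCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4(text):
    return bytes(int(octet) for octet in text.split("."))


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum used by both IPv4 and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload, src_mac, dst_mac, src_ip, dst_ip, sport, dport, ident=0x1234):
    """Return the PDU of every layer, so the headers added at each step are visible."""
    # Layer 4: 8-byte UDP header in front of the application data -> segment
    udp_len = 8 + len(payload)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
    unchecked = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = inet_checksum(pseudo + unchecked) or 0xFFFF   # 0 means "no checksum", so send all ones
    segment = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    # Layer 3: 20-byte IPv4 header -> packet (checksum covers the header only)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0x4000,
                         64, IPPROTO_UDP, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + segment
    # Layer 2: 14-byte Ethernet II header -> frame (the NIC appends the FCS, not shown here)
    frame = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return {"data": payload, "segment": segment, "packet": packet, "frame": frame}


def decapsulate(frame, my_mac, promiscuous=False):
    """Walk back up the stack. None means the card would drop the frame; corruption raises."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if not promiscuous and dst_mac not in (my_mac, BROADCAST):
        return None                                   # layer 2: not addressed to us, discarded
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unhandled ethertype 0x{ethertype:04x}")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:              # intact header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto, src_ip, dst_ip = packet[9], packet[12:16], packet[16:20]
    if proto != IPPROTO_UDP:
        raise ValueError(f"unhandled IP protocol {proto}")
    segment = packet[ihl:total_len]
    sport, dport, udp_len, csum = struct.unpack("!HHHH", segment[:8])
    if csum:                                          # zero means the sender skipped it (allowed on IPv4)
        pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)
        if inet_checksum(pseudo + segment[:udp_len]) != 0:
            raise ValueError("UDP checksum mismatch")
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip, "dst_ip": dst_ip,
            "sport": sport, "dport": dport, "payload": segment[8:udp_len]}


if __name__ == "__main__":
    pdus = encapsulate(b"hello SHA", mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02"),
                       ipv4("10.0.0.1"), ipv4("10.0.0.2"), 40000, 25)
    for name in ("data", "segment", "packet", "frame"):
        print(f"{name:8} {len(pdus[name]):3} bytes  {pdus[name].hex()}")
```

Running it prints the same bytes four times with a new header prepended at each layer, which is the right-hand hex pane of Wireshark read bottom-up. Note that a card that is not in promiscuous mode drops the frame silently at layer 2; a corrupted header is caught by the check sequence before any payload reaches the application.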
I mentioned the different physical... I'm gonna walk around so you can see. I mentioned different physical layers multiple times already. So the academic definition of the physical layer is that the goal of it is to specify the electrical, mechanical, procedural and functional requirements for activating, maintaining and deactivating a physical link between end systems. There are some keywords there that are actually important. Actually, all that makes sense to me, but: electrical means the physical layer deals with voltage levels; it deals with which voltage level is zero and which one is one. Mechanical means it deals with what kind of socket there is; so if you want to plug a cable into a port, the sockets have to match, right? And so on. "The physical link between end systems" means that the physical layer only works between systems on the same network. With wires it's simple. Each wire has how many ends? Two. And if you cut one in half, you cut the wire that has two ends in half, how many ends do you have? You still have two ends? Four ends! You have four ends, because you've got two wires. That's just a small joke, sorry about that. Okay, so a wire, however many times you cut it in half, only connects two systems, right? So it's a physical link between two systems, two network interfaces, two cards. It's a bit different with wireless, but with wireless we can still talk about a physical link. We have an access point and we have all the devices that are physically connected to that interface using that medium. The medium for wireless is the radio spectrum, basically the electromagnetic band that is available for using the radio, and it's that physical link between end systems. So on the physical layer alone we cannot transmit further than the physical cable goes. If you put a switch in between in order to make a cable longer, the physical layer ends with the switch. A switch, by the way, is called a layer 2 device, because it operates on layer 2. We're going to take a look at layer 2 right now and we're gonna see what that is. A switch is a layer 2 device; it breaks down layer 1 and it operates at layer 2. It also breaks down layer 2, but it recreates it for communication to happen.

Oh, we're still looking at layer 1, sorry about that. So layer 1 actually consists of two sublayers... continuing with the academic part here. The data link layer is responsible for delivering the messages to the proper device, meaning that there's some kind of identifier in the data link layer that can be used by networking equipment to route, well, route is not the correct term, but to manage the direction of the data. No, this is layer 2, my apologies. Just layer 2, right. Layer 2 consists of the data link layer and the MAC layer. So the data link layer also formats the message into data frames and adds a header, and it contains these addresses, it contains the destination address and the source address. Now, only for Ethernet those are called MAC addresses. Only for Ethernet. There are different layer 2 protocols than Ethernet; Ethernet is the most accessible one for most of us. And the data link layer consists of these two layers, media access control and logical link control. Ethernet is one of the protocols that can be used on layer 2. Here is a small example on your right; it's the so-called Manchester encoding. How many of you know what Manchester encoding is? Cool, we have four and a half pros, nice. But the real question is why is it used?

I mean, I don't want to talk about Manchester encoding per se, because it's actually used up to a hundred megabits wired, if I'm not mistaken, a hundred megabit, 100BASE-T, so it's not so popular anymore. But the idea is good and it can be used when designing protocols at such a low level. The idea behind Manchester encoding is to build a clock into the data. So what is a clock for low-level protocols? Remember we have these two devices. Let's take a simple case. We have these two devices, a wire between them, and device A wants to send device B the data 1 0 1 0 1 1 0 0 1, right? What if device A wanted to send one thousand zeros in a row? How would device B know that those are one thousand zeros, not one thousand and one zeros? What if they wanted to send a million zeros? Clocks between devices may not match, clock speed may not match, and this was specifically a problem back in the day, and even currently between different manufacturers it is possible for oscillation frequencies on the chips not to match. To fix that an encoding can be used. One of the simplest schemes is called Manchester encoding, and as you can see it takes the clock of the sending device; it has its clock and it wants to synchronize this clock to the receiver, so the receiver knows how many zeros or ones are being received. And it's quite simple really. For each clock we have one bit, so the clock is on and off, right, the first line; we have one bit, and if the bit is one it means change the signal level on the wire. This is the signal level on the wire; you can look at it as minus five and plus five volts, which is not correct, but you can look at it like that. Change the level on the wire from minus five to plus five, and for every zero change the level on the wire from plus five to minus five. And what do we have in the end? In the end we have oscillations all the time. So if you have multiple ones, we go down and we go back up; if you have multiple zeros, we go up and we go back down. That way the clock gets built into the data stream. It's a good principle that can be used in many, many places, right? This way the receiver always knows how many sequential zeros or ones are being sent. Anyway, this was a bit deep.

Let's look at the MAC address. This is something you actually need to use Wireshark correctly. So on layer two, if you use Ethernet, you have a MAC address. It's six bytes and it's represented by six hexadecimal symbol pairs; examples on the screen. I think I just made that address up, yeah, I just asked the random number generator and there's an address. The first three bytes are what's called the organizationally unique identifier, OUI. It's assigned by IEEE to different vendors of network equipment, including network cards. Well, then there are some people to the east, some countries to the east, who just take them randomly and create whatever they like. But they should be globally unique, theoretically, though it's not such a huge thing, because remember layer two only matters locally; even a switch is a layer 2 device and then MAC addresses do not matter, because we get a new set of MAC addresses, even though theoretically they should be unique. The first byte, that 08 is the first byte in this example, the first byte has to end with two zeros in binary, meaning that it has to be divisible by four in decimal. If it's not, then bad stuff happens. Why? Take a look at Wikipedia, let's say; we don't have that much time. The last three bytes... I mean, if you know everything I'm talking about, right, you can do your deeper research right now, so you don't get bored. The last three bytes are assigned by the vendor, meaning that if I have a company and I register with IEEE to get the prefix 08:1E:C7, then I can randomly or sequentially assign these numbers to my network equipment and give them out to customers. And again, these are used to identify devices on the local network.
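Added example, not from the talk or its slides, covering the two low-level things just discussed: Manchester encoding (the clock built into the data, with the speaker's thousand-zeros case) and the layout of a MAC address (OUI, vendor-assigned part, and the two flag bits in the first byte that make the "divisible by four" rule). The signal levels are the illustrative minus five and plus five volts from the talk, not real 10BASE-T levels, and the MAC addresses are made-up values.

```python
"""Manchester encoding and MAC address fields (added example, not from the talk or its slides)."""

# Illustrative levels, matching the talk's "minus five and plus five volts" picture.
LOW, HIGH = -5, 5


def manchester_encode(bits):
    """Each bit becomes two half-bit levels: a 1 is a rising edge, a 0 a falling edge (IEEE 802.3)."""
    levels = []
    for bit in bits:
        levels.extend((LOW, HIGH) if bit else (HIGH, LOW))
    return levels


def manchester_decode(levels):
    """Recover bits by reading the mid-bit edge; a missing edge means the clock was lost."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit samples")
    bits = []
    for i in range(0, len(levels), 2):
        pair = (levels[i], levels[i + 1])
        if pair == (LOW, HIGH):
            bits.append(1)
        elif pair == (HIGH, LOW):
            bits.append(0)
        else:
            raise ValueError(f"no mid-bit transition at sample {i}: clock lost")
    return bits


def longest_run(levels):
    """Longest run of identical levels. With Manchester it never exceeds two half-bits,
    so the receiver sees an edge at least once per bit time and can count bits exactly."""
    longest = run = 1
    for a, b in zip(levels, levels[1:]):
        run = run + 1 if a == b else 1
        longest = max(longest, run)
    return longest


def parse_mac(text):
    """Split a MAC into OUI and vendor part and decode the two flag bits of the first byte."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 6 bytes, got {len(raw)}")
    first = raw[0]
    return {
        "oui": raw[:3].hex(":").upper(),               # assigned by the IEEE to the vendor
        "nic": raw[3:].hex(":").upper(),               # assigned by the vendor
        "multicast": bool(first & 0x01),               # I/G bit: 1 = group (multicast/broadcast)
        "locally_administered": bool(first & 0x02),   # U/L bit: 1 = not from an IEEE OUI
        "global_unicast": first % 4 == 0,              # both flag bits clear, "divisible by four"
    }


if __name__ == "__main__":
    wire = manchester_encode([0] * 1000)
    print(len(wire), "half-bits on the wire,", len(manchester_decode(wire)), "zeros recovered")
    print(parse_mac("08:1E:C7:12:34:56"))
```

Sending a thousand zeros without such an encoding leaves the receiver with one long flat level and nothing to count against; the decoder above counts them exactly because every bit carries its own edge. For the MAC flags, the least significant bit of the first byte set means a group address (which is why the broadcast address ff:ff:ff:ff:ff:ff counts as multicast), and the next bit set marks a locally administered address; a vendor OUI has both clear.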
Oh We also gonna let's take a look at Wi-Fi here because Wi-Fi is It's basically one of One of options for the lower layer This is a neat table. I I put together Also, we have different Wi-Fi standards We have different frequencies for them and we have different maximum speeds Currently the newest standard that was approved is actually a Oh ad was a new standard was that was approved I think the year here in the stable if I remember correctly when putting this together means the year it the first Device became actually available for the specific standard So 60 gigahertz stuff hasn't really worked out yet, but it promises up to Almost seven gigabits per second of Wi-Fi. Cool Modulation is another cool thing So all of them for example means orthogonal frequency division multiplexing which is Which is how how the radio spectrum is used to to put the data in Let me give you a simple example. This is quite complex. It's it has some trigonometry in it and Let's look at the frequency modulation FM radio. You have heard about that, right? Frequency modulation means that to encapsulate data or let's say your voice into the radio frequency change in The pitch of your voice will create the change in actual frequency. So there's a carrier frequency for example 100 megahertz and I'm going to exaggerate the numbers here But to send one kind of data the frequency will shift to 101 megahertz to send those kind it will shift to 99 megahertz, right? That's frequency modulation Then there's amplitude modulation none of these are used in in Wi-Fi because they're a bit too simplistic amplitude modulation work with amplitude meaning we have our frequency we stay there as a transmitter and We change the strength of the signal and depending on what they do on send we change how strong we are sending it, right? And these all of these I think yeah combine both these techniques and more to work Then there's life at Wi-Fi security. I actually have a cool slide. 
I should have put it in here That shows how many Wi-Fi networks in the world By percentage how which kind of security we have quite a lot of non encryption Wi-Fi Which is okay because we have some public Wi-Fi some cafes where you would like to check your bank account or the bank account Who's person sitting next to you? We have But but you have these WEP Wi-Fi, which is a great encryption scheme. It's it's called. How's it called? Wireless and enhanced privacy Okay, equivalent privacy. Oh, yeah, so it was created some time ago And it can be cracked on my laptop in an active mode meaning that you send out packets in under half a second In passive mode. It might take up to a couple minutes Super super scheme, so we're not gonna crack that we're gonna we're gonna crack we pay to later on that's more fun 802.1 X at this conference here for those of you who read the booklet carefully you're using probably the right network which has 800.1 X encryption Meaning that well a user can tell that by entering by having to enter a username and the password and That's that's cool because key gets it's it's it's a bit more secure right because for one attacker has to guess both the The username and the password for for other you can't really use a traditional offline brute-forcing techniques for brute-forcing that Yeah, if anyone has any doubts when you go back back home Remember this is a beginner's workshop right if anyone has any doubts when you get back home Which setting to choose choose we pay to choose we pay to at home You will not be easily able to set up the last one choose we pay to and it Is gonna be fine choose a hard password though right network layer then Network layer is layer number three it goes after layer number two It is responsible for addressing and routing between devices that are not locally attached meaning We can have a switch in between We can have the whole internet in between We can have routers in between of course The most popular protocol the 
most recognizable protocol For the truth layer is of course IPv6. Okay IPv4 So IP protocol It's the code this internet protocol that are the internet Internet protocol of course uses Internet protocol addresses IP addresses To address and IP addresses have to be globally unique for sure except North Korea. They just take them randomly seriously and then For the couple computers that they have then they can't access some stuff because they're national sysadmin Chose the wrong addresses Right, so you can read the definition of the screen. Let me walk here so we can read it IP addresses are assigned hierarchically Meaning that Let's say is this camp. I actually I had I had so much work I haven't even looked at the IP setup here. I'm just an end user this year But I guess do we have real IP addresses here? Yeah, yeah, okay cool. Yeah, that's what I thought anyway, so the camp got some Some part of IP space IP address space and each of us is getting some smaller part one address of all the space So it's hierarchical system There's a network part and a host part for IP addresses we're gonna take a look at that soon and then there is IPv4 versus IPv6 We stands for version Good question. What happened to five it never happened right IPv4 so The thing is I don't actually I'm not sure but I think IPv4 isn't actually version 4 I think IPv4 stands for 4 bytes per IP address But IPv6 doesn't have six bytes per IP address. 
It has much more. But addresses are by far not the only difference between IPv4 and IPv6. It's a completely different protocol, but check this out: applications still work, even though we have a bit different TCP and UDP protocols on layer 4; layer 5 and up, same stuff. So that's great, but somehow we still haven't deployed IPv6 too far.

Right, those of you who have laptops, you can continue looking at them. I'm not gonna show anything right now; again, we get back to that later on. But you can continue looking at Wireshark; you might already recognize some of the things I'm talking about. And to do that, if you set up the screen as I showed before, on the left of your screen you will see those dissectors. They match the layers approximately. Actually, you know what, I have to show this so everyone understands, and then we get back to IP addresses. Any questions so far? Yeah, sure, it's a quick fix, as I said, with some risks. I mean, I could do a workshop on Wireshark setup, but it's a different workshop and it would take one hour, and I'm sorry about that.

Okay, so here's my test pcap file, or it's a live capture, doesn't matter. Let's take a live capture here. Here it is. You can note that I pressed this button here and it magically started capturing. So you already see some IP addresses here, some IPv6 addresses; we haven't looked at them yet. You also can see some MAC addresses. Those are not here, but you can see them here. And the thing I wanted to show you right now, why I have this on screen, is because in Wireshark it's just the other way around: the user is on the bottom and the wire is on the top, right? So this is... well, it's not layer one, but this is layer two, this is layer three, layer four, and layer five and up in this case, right? This is the way it goes. We don't have layer one in Wireshark because that would take quite expensive network adapters to get that information, and, what's more important, it wouldn't be useful at all. Well, it would be useful if you're doing layer one research and attacks on layer one, so I guess some people have that equipment. We don't.

So instead of having layer one here, what Wireshark does is it puts all the metadata instead of layer one. So we see where it was captured, what comes from the installation, when it arrived, the frame number, sequence number, the length. So this is basically metadata instead of layer one, but we don't really need layer one for most work, including most security research, including most network security research. So it starts at layer two here. So again, I want to show you this so you know and it's easier for you to follow: layer two is here, and then three goes down, four goes down, five goes down, and so on. Okay, let's get back to the presentation then, and meanwhile you can keep clicking around and seeing what you see.

Okay, so that's an example of an IP address, IPv4 to be specific. Usually when people talk about IP addresses they mean IPv4 addresses, because it's the de facto protocol for layer three on the internet. IPv4 is divided into five classes, A to E. A, B and C are generic classes assigned to organizations. D is a special class, and the special class D is used for multicast, which could be a topic for a separate workshop. It allows you to send information to multiple devices at the same time. Yes? Thank you for the question. We're talking about the classes, and we have a slide because of D and E, to understand that those other things can be used for normal purposes. But of course we're gonna be talking about classless routing. So as I was saying, class D is used for multicast purposes; you should not, and I would guess you cannot, in large deployments use those addresses, it won't work. Class E is used for R&D, research and development. Those work,
okay, on most applications, even though normal people usually just create a closed network with whatever addresses they want from A, B and C to do their research, because responsible research is not connecting it to the internet. Otherwise your new application, Chronos or whatever, might get leaked and then you get in trouble.

Okay, so the final thing for this slide is: A, B and C were, back then, 15, maybe oh it's 20 years ago now, used to actually decide how many computers we can put on a network, on one layer two network. But it's not so important anymore. That's why we had three of them. Currently it's not really being used. Currently what's being used is classless routing, and I mentioned it briefly before. Two things: I mentioned the network part of an IP address and the host part of an IP address. Here it is. The red is the network part and the white is the host part in this specific example. The network part is responsible for identifying which network, which layer three network, the device is on. The white part, the host part, identifies which device on that network is being addressed specifically. And this is written in bits here, in binary, ones and zeros. Why? Because that is how calculations can be done, until you learn to do it automatically in your head.

The network address of any network is the network part plus all zeros. So in this case, if we have this IP address and we put all zeros here, we get the network address here, and if we convert that back to binary... sorry, that's the mask, never mind. If you put all zeros here and we take this number and we convert all of these four parts back to decimal, we get 216.39.106 and here we get 160, because we have 128 here, we have 32 here, and that's it, and that's 160. If you don't know what binary is, put down a note; later on, go to Wikipedia. It's fun stuff. Well, not really, but it's useful, really.

Broadcast address: that's the address used to address all the devices on the network. That's when you put all ones in the white part, in the host part. Again, the same stuff applies when you do this. In the last one you get 128 plus 32, plus 8, sorry, plus 4 plus 2 plus 1, which is 167 for this specific network.

Classless inter-domain routing notation, that /29: what does 29 mean? You might notice that the netmask, which is actually what indicates which part is red and which part is blue, starts with all ones and then zeros. It always does that. Mathematically it doesn't have to; in real life it has. And if we write it down that way we have all these ones here, right, and it's a waste of space. We have this 255.255.255 and then usually zero. A much shorter way to write it down is CIDR: we just write down how many ones we have. In this case we have 29 ones, and saying /29 is the same thing as 255.255.255.248. In order to understand networks and work with networks you need to know both notations. Depending on the tool you're using, you might be required to input, or the output would be in, one or the other form, right?

Some more special IP addresses that you might see when working with Wireshark or other network tools. All zeros: that means the default route in most settings. It may mean something else in other settings, but basically it talks about the default route, the device on your network where all data should be sent if your computer doesn't know where to send it. That is the default route for end devices. Then we have the loopback address. Actually, the loopback network is 127.0.0.0; the loopback address is 127.0.0.1 for most operating systems, but anything will work instead of the one. The loopback address is used to address your own device. So let's say you're on the server: if you try to connect to this IP address, then you will connect to the device itself. By the way, I'm running this cool challenge.
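The network-address and broadcast-address arithmetic above, worked through on the bits and then cross-checked against Python's standard library. This is an added example, not code from the workshop; the slide only shows 216.39.106.x/29, so the host octet 163 is a constructed address inside that block.

```python
# Added example (not from the workshop): the /29 arithmetic from the slide,
# done by hand on the bits, then cross-checked with the ipaddress module.
# The slide shows 216.39.106.x/29; the exact host octet is not on the slide,
# so 216.39.106.163 is a constructed address inside that block.
import ipaddress

def to_int(dotted: str) -> int:
    """Pack a dotted quad into the 32-bit integer the bits on the slide spell out."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/29 -> 29 ones followed by 3 zeros, i.e. 255.255.255.248."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask: int) -> int:
    """Reverse direction: count the ones, and insist they are contiguous from
    the left, because a real-life netmask always looks like 111...000."""
    prefix = bin(mask).count("1")
    if mask != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous netmask {to_dotted(mask)}")
    return prefix

def subnet_facts(cidr: str) -> dict:
    addr_str, prefix_str = cidr.split("/")
    addr, prefix = to_int(addr_str), int(prefix_str)
    mask = prefix_to_mask(prefix)
    network = addr & mask                        # host bits forced to zero
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits forced to one
    return {
        "netmask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "host_bits": 32 - prefix,
        "usable_hosts": max((1 << (32 - prefix)) - 2, 0),
    }

def cross_check(cidr: str) -> bool:
    """Same answer from the standard library (strict=False accepts a host address)."""
    mine = subnet_facts(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (mine["network"] == str(net.network_address)
            and mine["broadcast"] == str(net.broadcast_address)
            and mine["netmask"] == str(net.netmask))

if __name__ == "__main__":
    for key, value in subnet_facts("216.39.106.163/29").items():
        print(f"{key:>13}: {value}")
    print("stdlib agrees:", cross_check("216.39.106.163/29"))
```

The `mask_to_prefix` check is the one that matters when you read a mask out of a tool: a mask such as 255.255.0.255 has 24 one-bits but is not a valid prefix, and the function refuses it instead of silently reporting /24.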
I've been running it for five years, I think. Hold up, let me make this larger. I'm gonna need this, right. So my email is shot two thousand seven, two thousand seventeen, at kirls.org, right? The first one who sends me the root password to server back the zero two dot lv gets some otta. Right, okay, let's take some time to let it set in. Okay, we got one person following; that's good, right.

So basically, of course, you can set a DNS entry to point to loopback, which means that depending on the computer that you are using to connect to this address, you will get the same computer that you're on. And finally, we have all ones. This means all nodes on the current network. So we can use the broadcast address here; I'll put this down. We can use the broadcast address here for the specific network. If we don't know or don't care which network we're on, we can use all ones. It is the broadcast address on the current network. That's how you write it down. Most tools will not accept this form; you cannot use this. In Windows, by the way, I think there are multiple ways to write IP addresses. I haven't used it for some time, but you can use that small form, you can take all 32 bits and write it as a huge decimal, and it will work. You can try it out. It worked in Windows 98, which was when I last used it. It should still work, I guess, why not? Last slide about IPv4. Currently it's still the case.

There are some other IP addresses which are reserved. On the open internet you will not find these three ranges. These are private IP addresses, and because IPv4 addresses are so scarce we need those private IP addresses, or because we are lazy, bad people who don't want to adopt IPv6, we are using these private IP addresses and we have what's called NAT, network address translation. Meaning that for conferences that suck, you get one IP address and everything else is private, which means you cannot directly connect to every computer on the network. Which, in other words, is why you should have the firewall on when on the conference network, because the internet knows you're here. Right, but having these as private IP addresses also means they do not route normally on the internet. If I am at home and some conference has private IP addresses, say 10.10.4.3, if I type it at home it will not route, because it's a private address and it doesn't go through routers under normal configuration. Okay, next. Yes, please? [question from the room] No, I think it's not, because it's not assigned to anybody, meaning that routers don't know where to route it. You would send this through a default route upstream, and then when we get to BGP routing it would drop it.

Okay, ARP. By the way, those of you who have Wireshark open, up in the line where the filter is, you can type in ARP, three letters, and press enter. Some of you, or most of you, may see something if you've been capturing for some time. Anyone got something there? Yeah, we have something, good. So the filter is much more powerful than just typing in the protocol, but currently you filtered all the data units that contain the ARP protocol, or rather that terminate in the ARP protocol, where the highest layer is ARP. ARP is a protocol that does this, basically: you have an IP address, you go to the MAC address. Why do we need that?
We need this because... well, humans don't really work with the IP address either, but we get to that later. So you have an IP address, but on the local segment where you are, and in the local segments between, the huge route that is the internet and the connection that you're making, we need to know the MAC address. Remember encapsulation: the user types their email, it goes down, it goes to layer three, there's an IP address, it is added at that point in the header, and then it goes to layer two, and the computer needs to add the MAC address if it's Ethernet. In order for the computer to know the MAC address of a different IP address, it uses ARP. It asks around: who has this IP address? And it only works on the local network, and the device that has that IP address responds and says, okay, this is my MAC address.

Yes? If you both have the same MAC address? Okay, let's take a look at that. Let's say the most interesting case here is, let's say you bought... okay, the country in the east, right, China. Let's say you both bought these cheap Chinese devices and you have the same MAC address, which shouldn't happen because OUIs are assigned by the IEEE, but some companies just take it at random. Both of your devices will think that it's addressed to them, and the first one to respond will actually be the one that the computer registers and puts in the ARP table. Oh, mine does? Well, semi-random doesn't really help, because let's say you want to leave the first three bytes the same and you want to randomly change the last three bytes. Some other person's network might actually have that MAC address, because the vendor has assigned it to someone. With random IP addresses there is this risk that you might run into equal MAC addresses. Sorry, I said IP; with random MAC addresses there is this risk that you might run into the same MAC addresses. But then, if stuff doesn't work, you just take the next MAC address. Right, but anyway, the other case is when the IP addresses match.

You know what? I made a mistake there. So the explanation I gave you was about IP addresses: if two computers have the same IP address, the first one that responds with their MAC address is the one that goes in the table. If two computers have the same MAC address, well, we have a problem, because both of them think that it's for them. They're both responding and we have this extra traffic all the time, and depending on the timings, each time a different frame might be picked up by the destination. You can try it out: create a test network. There's equipment all around; don't use the equipment connected to upstream, don't screw it for people who want to use the internet. Take some switch somewhere, connect a couple of computers, or co-organize, and try it out. This ARP thing, the first one, right, having different IP addresses... having a different MAC address and the same IP address can actually be used for attacks.

Right, I think we have a slide on that later on, but basically the idea is: let's say you want to attack someone, and you want to, in a simple case, make sure that when they connect to this IP address they talk to you. You just have to be super fast. You even have to be pre-emptive, and you have to send an ARP reply to them saying this IP address is me, not that guy, and the computer will believe it. There's no encryption, no repudiation, no signing for ARP. And to verify that, you can actually use Wireshark, and you can go inside the ARP. You can click on it and you can expand all the fields that are in ARP. You will see there is no such thing. Yeah, that's on your computer. So remotely modifying the ARP table is just that: you send the ARP reply and it does that, if it's empty at that point, if the IP address is not in the ARP table. Luckily for an attacker, the ARP table is being flushed... well, entries expire in the ARP table quite regularly, meaning that you have enough options to do that. To locally modify the ARP table, use the command arp; I think it's both on Windows and Linux, and probably Mac too. So you can use that to modify it locally. And I do appreciate your questions; if you have questions, please go ahead and ask them, and I'll try to remember to repeat them, because I forget that all the time.

ICMP, Internet Control Message Protocol, is a management protocol. It is used in conjunction with IP to inform the source of the packet that something went wrong. Here are some examples. TTL means time to live, and it's implemented inside the IP protocol to avoid routing loops. Each time a packet crosses a layer 3 device, or a router, the TTL field (you can find it in an IP packet; you can type IP in the search and take a look at some IP packets that you have), every time it crosses a router, TTL gets decreased by one. The initial value depends on the operating system that you use; it's usually no more than 32. And if you cross more routers than you have the TTL set to initially, then your packet gets dropped by the next router, and the router creates an ICMP packet saying TTL exceeded and sends it back to you, the source, so you know that there was either a routing loop or the route was too long. By the way, as I said, and again I'm sorry that I was a bit too busy and I didn't go through the presentation again today (I did that a week ago), I might tell you something that's in the slides later on, but let's risk it; rather tell you twice than not tell you.
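The ARP discussion above can be checked without Wireshark by parsing the packet yourself: every field of an Ethernet/IPv4 ARP packet is listed below, and there is simply no place for a signature. The second half is the defender's side of the duplicate-IP discussion: the kind of IP-to-MAC consistency check that arpwatch-style monitors do. This is an added example, not code from the workshop; the frames and MAC/IP addresses are constructed for the demo.

```python
# Added example (not the speaker's code): a parser for the ARP packet as it
# appears under Wireshark's "Address Resolution Protocol" node, plus the kind
# of IP-to-MAC consistency check that tools like arpwatch do. The frames and
# addresses below are constructed for the demo.
import struct

ETH_P_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes) -> dict:
    """Ethernet II (14 bytes) followed by a 28-byte ARP packet (IPv4 over Ethernet)."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    (htype, ptype, hlen, plen, opcode,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    # Every field of the packet is right here: no signature, nonce or key.
    return {
        "opcode": ARP_OPCODES.get(opcode, f"unknown({opcode})"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        "eth_src": mac_str(src), "eth_dst": mac_str(dst),
    }

def build_arp(opcode: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Constructs a demo frame with the same layout parse_arp reads."""
    eth_dst = tha if opcode == 2 else b"\xff" * 6      # requests are broadcast
    eth = struct.pack("!6s6sH", eth_dst, sha, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa)
    return eth + arp

class ArpWatcher:
    """Remembers the first MAC seen for each IP and flags a reply that changes it."""
    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p["opcode"] != "reply":
            return None
        ip, mac = p["sender_ip"], p["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            return f"ALERT: {ip} changed from {known} to {mac}"
        return None

def demo():
    """Request, legitimate reply, then a second reply claiming the same IP."""
    router_ip = bytes([192, 168, 1, 1])           # constructed
    host_ip = bytes([192, 168, 1, 20])            # constructed
    router_mac = bytes.fromhex("00163e000001")    # constructed
    host_mac = bytes.fromhex("00163e000002")      # constructed
    other_mac = bytes.fromhex("00163e0000ff")     # constructed
    frames = [
        build_arp(1, host_mac, host_ip, b"\x00" * 6, router_ip),   # who has 192.168.1.1?
        build_arp(2, router_mac, router_ip, host_mac, host_ip),    # the router answers
        build_arp(2, other_mac, router_ip, host_mac, host_ip),     # same IP, other MAC
    ]
    watcher = ArpWatcher()
    return [watcher.observe(f) for f in frames]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The watcher is deliberately naive: it learns the first binding it sees and never expires it, which is fine for a demo and exactly what you would tune in a real deployment (DHCP churn legitimately moves an IP between MACs).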
Let me show you an example, just to show you what routing is. So, specify max hops here, so how many routers can it go through? Let's say 60 for this case. Well, yeah, let's say 60 for this case. traceroute is actually a bit different application, and actually I'm going to show you in Wireshark; it's quite interesting. So traceroute is used to identify those devices that your packets go through when going to a specific destination, and it's done in quite an interesting manner. I'm gonna set up the capture here, I'm gonna launch the traceroute. Right, there we are, it's done. So you can see these ICMP packets here. You can run the same on your computer, sure; you can choose a different domain and then run it.

So a packet is sent to the destination IP address that I chose, and in the IP header the TTL is set to the minimum value, in this case one. The first router decreases the counter, looks at it, sees it's zero and sends back TTL exceeded, and this here is the first router's IP address, because it is the device that sends us the packet. Then my computer sends it again, but this time it says... that's probably a repeat. Oh, there we go, TTL 2. It says TTL 2 and sends it again, and in this case I get the same reply from a different device. That way I can get the list of routers; you can see them here. Oh, it's not a repeat, it's actually the route configuration this way in the network. We can get the list of routers that the packet goes through when going to the specific IP address. Yes, please? If you get stars, that means the specific device is set not to reply with ICMP to you, or it is set to filter the specific protocol that you are sending. So here, for example, traceroute uses the UDP protocol on some specific ports. Technically you can use this with any type of protocol; you can do this TTL trick, and there is, what was the name, hping3, which allows you to do all these tricks, and it's a bit complex but it's fun. You can use different types of packets to send.

Right, so let me show you one cool traceroute here. If you actually go to the address bad.horse, there's a cool song; don't play it here because I need to speak, but if you have headphones you can put them on, or play it later. These are the lyrics for the song. That's the face, the expression the guy makes at that point. Okay.

Right, let's continue then. So IPv6 replaces IPv4 on layer 3 and creates a parallel network, which means it's not that easy to have it together with IPv4. It works with layer 5 and up protocols the same way, but layer 3 it replaces completely, because it's a different layer 3 protocol, and that's why it's so hard to deploy it, I guess. It has that many possible addresses in theory, which is... can you read it for us? Okay, that's fine. So it's a bit more than the four billion addresses that we have in IPv4. We have one IP address for every person on the planet, every device they have, every port that device has, and every service that might want to run on every port of the device, and more. An example of an IPv6 address you can see on line 3. Was that a question? No? Okay, you can see it on line 3, and it's quite long. So what you can do, and it's a standard in IPv6: when you type in IPv6 addresses you can concatenate it. You can find just one place, if there are multiple you can find just one place, where there are all zeros, where two bytes, two bytes of the same part between the colons, are zeros, and you can remove them all. So these are all zeros; we remove them and leave two colons. That's it, and that's a bit easier. I actually had this IP address a year ago, and then six.net shut down.
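The traceroute mechanism just described, as a small model rather than a live capture: routers decrement the TTL and answer with ICMP time exceeded, one router is configured to stay silent (that is where the stars come from), and the destination answers the UDP probe with port unreachable so the run knows it has arrived. This is an added example, not code from the workshop; every address in it is constructed.

```python
# Added example (not from the talk): a model of the TTL trick traceroute uses,
# with routers that decrement TTL and answer ICMP "time exceeded", one router
# that silently filters (the "*" hops the speaker mentions), and a destination
# that answers "port unreachable" to the UDP probe. Addresses are constructed.
from dataclasses import dataclass

@dataclass
class Probe:
    ttl: int
    dst: str
    dport: int

@dataclass
class Reply:
    kind: str        # "time_exceeded" or "port_unreachable"
    src: str         # the device that generated the ICMP message

@dataclass
class Router:
    addr: str
    silent: bool = False   # configured not to send ICMP back to us

@dataclass
class Path:
    hops: list
    destination: str

    def send(self, probe: Probe):
        """Forward the probe hop by hop, the way the IP TTL field is processed."""
        ttl = probe.ttl
        for router in self.hops:
            ttl -= 1                         # each layer-3 device decrements
            if ttl == 0:                     # expired: drop it and tell the source
                return None if router.silent else Reply("time_exceeded", router.addr)
        # Reached the destination: nothing listens on the high UDP port,
        # so the host itself answers with ICMP port unreachable.
        return Reply("port_unreachable", self.destination)

def traceroute(path: Path, max_hops: int = 30, dport: int = 33434):
    """Returns the hop list the way the CLI tool prints it: an address or '*'."""
    result = []
    for ttl in range(1, max_hops + 1):
        reply = path.send(Probe(ttl, path.destination, dport))
        if reply is None:
            result.append("*")               # filtered: no answer for this TTL
            continue
        result.append(reply.src)
        if reply.kind == "port_unreachable":
            break                            # the destination answered; done
    return result

def demo_path() -> Path:
    return Path(
        hops=[Router("10.0.0.1"),
              Router("198.51.100.7", silent=True),
              Router("203.0.113.9")],
        destination="203.0.113.80",
    )

if __name__ == "__main__":
    for n, hop in enumerate(traceroute(demo_path()), 1):
        print(f"{n:2d}  {hop}")
```

Note that the silent router still forwards probes with a higher TTL; it only refuses to generate the ICMP error, which is why the hops after a star are still visible.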
It's a tunnel broker. Yeah, and I don't have that anymore. Yes, exactly. But the idea, I mean the principle, is still the same: we have the network part somewhere here and we have the host part somewhere on the right. So usually if you start your hosts at low numbers you will have some zeros there, and it is actually helpful. But you have to understand this is the same address. The other way around, the double colon means you put in blocks of zeros until the length matches, right, until you have 16 bytes. That's it about IPv6. Yes? No, layer two stays the same; MAC addresses do not change. Thank you for the question.

Okay, the next layer is layer... oh, the question, please. I did not, well, let me show it to you. Okay, here is some IPv6 magic, and here's some IPv4 non-magic, right. So first of all, well, it's not visible here, but I think the... oh, the TCP protocol is a bit different; this is UDP. So if you look at IP version six, we can see different headers than IP version four. Take a look here. The router advertisement is a new thing for IPv6 too. It's quite specific, to be honest, for this audience, but if we take a look, it's way different, right. Again, Wikipedia. I have a different slide deck for IPv6, but we have only... how much time do we have actually? One hour and a half. Okay, one hour and a half, and we are in the middle of the deck and we have demos, demos, demos. Yeah, okay, thank you for that.

Okay, so transport layer. The transport layer, as the name suggests, is responsible for transfer of data in a reliable manner. It's responsible for the data to arrive at the destination in order and error-free, and this is because IP, the most recognizable layer 3 protocol, is a packet-switched protocol, meaning that the routers that we have in between two endpoints can switch the route that they're using for every packet. They are not bound by any law to send all your packets for the same stream through the same route; they can change like that. And that's why you have the transport layer. It does some buffering, among other things, and receives the packets and rearranges them in the original order. That way, if you send a long text that doesn't fit in a packet, you can actually arrange them back in the right order. This has to do with TCP mostly, because Transmission Control Protocol... and we're going to talk about that in a minute, but here: so, two types of layer 4 protocols, connectionless and connection-oriented. Connectionless meaning that we can just send data and that's it; we don't need to agree on anything. We can send the first packet and it's already data. Connection-oriented means we have to set up a connection in some way or another.

Here is UDP. UDP is nothing of what layer 4 is about; UDP is basically there to fill the void, because there needs to be a layer 4 if you want to have layer 5. It's a best-effort protocol, meaning it doesn't care about errors, it doesn't care about delivering data. This is everything there is: the header consists of these four fields for UDP, and then data; the data is layer 5 stuff coming in there. Notable features of UDP, User Datagram Protocol: minimal design, as you can see. It doesn't retransmit data if it's not delivered; it doesn't care, it just sends the next part. And it doesn't control delivery of the data either. It is stateless and transaction-oriented, so it doesn't keep the state of the connection. It's not a connection-oriented protocol.

All right, the fun demo. Yay. Okay, so what we have on the screen here is a theoretical setup. We have the internet in blue and brown, the globe. We have two firewalls, depicted by the icon of fire and a wall, and we have two relatively modern PCs. There's A, X, Y and B. That is the setup; each of them has an IP address. Does anyone notice anything special about any of the IP addresses?
Okay, which ones are the private IP addresses? That's correct, A and B are the private IP addresses. So if computers A and B would like to communicate without any third party, they would have no way of doing that. But UDP and this specific arrangement allow us to do that. So what we're going to do is, we're going to take computer A and we're going to send a connection from computer A to IP address Y. Router or firewall Y will drop the packet, will drop the UDP... what's the actual correct term for UDP? Segment, right. It will drop the UDP segment. Then computer B... and the thing about this, they both need to communicate; they need to know that they have to communicate. Other than that it works magically: B will send data back to A, back to X I mean, and X will already know where to send it, because when computer A sends the data to B, a connection entry is created in firewall X, and it says, okay, so if A wants to communicate with IP address Y, I know where to send it back. Let me show you how it works.

Okay, so I have some IP address here, right, and I have... let me connect somewhere. Let's see where we would connect. Cool. Okay, so both these computers have firewalls. Those are not private addresses, but there are firewalls which will not allow you to connect to them. So the left one is my computer, the right one is my server; I'm in a different country. So this command will listen for UDP packets on port 2345. I forgot my IP address. And now if I try to connect there on port... which I also forgot, 2345, I shouldn't be able to send anything because of the firewall. Now I hope I didn't lie to you about the firewall on the other side. Let's try it the other way around, and I'm gonna try to connect from this side. Sure. And the data doesn't go through; it even sends a reset. So as you see, the data didn't go through. Now, what can we do to make these two computers talk together?

Even though there are firewalls, in this case on my computer, in my computer's case, and in the server's case on the network, how do you make them communicate without reconfiguring the firewalls? I will now write the commands again. From here I will connect to the server on port, say, 8888, using UDP. It will not work, of course. On the server I will not listen; rather, I will connect to my IP address here on this network, on the same port. I will also specify the source port which the packet is going to be sent from, and they match. Let me... it's not okay, Wireshark isn't helpful. Okay, we do -u, UDP. We do this. So UDP is a connectionless protocol, meaning that when I launch this, nothing has been set up yet. Only when I send the first packet will any data actually be sent. The first packet will be sent from the server to my laptop, and it will not reach it because of this firewall. But at this point the firewall at the server side knows that the server is trying to communicate on port 8888 with that IP address. My firewall doesn't know anything about it. Now I try to communicate to the server; I'll already get data through. And now, as I send this, 45667, my firewall knows that I want to communicate with the server on port 8888 and will think that data coming in is part of that connection, not the other connection. There are actually two connections, in quotes of course, because UDP is connectionless. But now we can actually communicate between the two devices on UDP.

Yes, it can be used, and thank you very much for reminding me. The question was: is this one of the techniques that is used by peer-to-peer networks when the endpoints are behind NAT, behind network address translation? It can be used, and I actually read some papers that say it is being used. I haven't verified it myself personally using Wireshark. One part is missing here, of course, from this demo: how did the host know to communicate? And one way is to use a STUN server to establish the connection, just to make sure that the other party knows that you want to communicate and what port you want to communicate on. A third-party server; it's not as fun, but it is what most peer-to-peer programs use: they use a STUN server. There's actually research, and it's been finished, it's done, that allows you not to use any third-party service at all and let the other party know that you want to communicate. I don't have a demo for that; you can google it. It's pwnat, p-w-n-a-t. It's an implementation of this. Basically the idea goes like that: a host is pinging a non-existing IP address, in the paper it's 1.2.3.4, and the other host that wants to communicate at any time sends an ICMP reply saying something like, for example, sorry, this IP can't be reached, or sorry, TTL exceeded. And routers and firewalls will send the reply through, because they think it's a legitimate reply to your pings trying to connect to 1.2.3.4, and that way you can pass data on, you can initiate the connection, you can get the data running.

Okay, if there are no more questions here, let's look at the more complex protocol, TCP. TCP is stateful and connection-oriented, meaning it preserves state between different packets. It has some information, and the information stays there during the communication. It has quite a lot of possible header fields here that can be filled, but notable features include, I'm going to start from the bottom: flow control, meaning the other device can inform the sender that it needs the sender to go slower or faster. There are different devices that use IP nowadays, especially nowadays; we have fridges.
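What the two firewalls in the UDP demo above actually remember, as a model: each one keeps a table of flows it has seen leave its own side and lets an inbound datagram through only when it matches one of them in the reverse direction. Replaying the demo's order of events (server first, then laptop, then server again) shows why the first datagram is dropped and the later ones pass, and why the fixed source port from nc -p matters. This is an added example, not code from the workshop; the addresses and ports are constructed.

```python
# Added example (not from the talk): a model of what the two stateful
# firewalls in the demo remember. Each keeps a table of UDP flows it has seen
# leave its own side and only lets an inbound datagram in when it matches
# one of them. Addresses and ports are constructed; the roles follow the demo.
from dataclasses import dataclass

@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str

class StatefulFirewall:
    """Default-deny for inbound UDP unless an outbound flow was seen first."""
    def __init__(self, inside_ip: str):
        self.inside_ip = inside_ip
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, d: Datagram) -> None:
        self.flows.add((d.src_ip, d.src_port, d.dst_ip, d.dst_port))

    def inbound(self, d: Datagram) -> bool:
        # The reply direction of an existing flow: swap the ends and look it up.
        return (d.dst_ip, d.dst_port, d.src_ip, d.src_port) in self.flows

class Network:
    """Delivers a datagram through the sender's firewall, then the receiver's."""
    def __init__(self):
        self.firewalls = {}
        self.delivered = []  # (payload, receiver) for datagrams that got through
        self.dropped = []

    def add(self, fw: StatefulFirewall) -> None:
        self.firewalls[fw.inside_ip] = fw

    def send(self, d: Datagram) -> bool:
        self.firewalls[d.src_ip].outbound(d)          # leaving: table entry created
        if self.firewalls[d.dst_ip].inbound(d):       # arriving: must match a flow
            self.delivered.append((d.payload, d.dst_ip))
            return True
        self.dropped.append((d.payload, d.dst_ip))
        return False

def hole_punch_demo():
    """Returns (first, second, third, wrong_port): whether each datagram arrived."""
    laptop, server, port = "192.0.2.10", "198.51.100.5", 8888   # constructed
    net = Network()
    net.add(StatefulFirewall(laptop))
    net.add(StatefulFirewall(server))
    # 1. Server sends first: its own firewall now remembers the flow, but the
    #    laptop's firewall has never seen this flow and drops the datagram.
    first = net.send(Datagram(server, port, laptop, port, "hello from server"))
    # 2. Laptop sends with the same port pair: its firewall records the flow,
    #    and the server's firewall already holds the mirror-image entry.
    second = net.send(Datagram(laptop, port, server, port, "hello from laptop"))
    # 3. From now on the server's datagrams look like replies to the laptop's firewall.
    third = net.send(Datagram(server, port, laptop, port, "45667"))
    # Without the matching source port (no nc -p), the lookup finds nothing.
    wrong_port = net.send(Datagram(server, 40000, laptop, port, "stray"))
    return first, second, third, wrong_port

if __name__ == "__main__":
    print(hole_punch_demo())
```

This is also the check to keep in mind when reviewing a firewall ruleset: a "stateful" UDP rule is only as strict as the tuple it keys on, and anything that can be made to send a datagram outward opens the matching inbound path for as long as the entry lives.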
We have light bulbs and we have laptops right laptops too And uh, they process data different speeds and that's why flow control is so important especially nowadays Uh order transfer meaning that this actually implements the solution to the problem of packets arriving at different order We have a sequence number here that's responsible for order transfer. It's 32 bits It has error detection. It has a checksum here And it has acknowledgement number here Which includes the sequence number plus one of the packet that was received That way you can already tell your communication partner your other device That you have received the packet And it has three way handshake, which is the way To inform the other parties that you want to communicate and establish the initial connection This is a three way handshake right here And we're going to take a look at it in wire shark just to learn a bit more about wire shark Um, so the client will send A so-called syn request synchronization request Server will respond with ak and syn Client will send syn and then we will have ak from the server. Uh, let's take a look at that live Okay, i'm gonna go to google.com with telnet on port 80 And that's it. I'm gonna close the connection I'm sorry Yes I have no idea. Uh, is it possible? Yeah, please please find out We need a warm and cozy in here. We can get the campfire maybe going that would be warmer Okay, good luck with that There's some space over there if you come to the chair and and over there. Um, okay, so let's continue That is quite interesting, yeah Nice nice. Thank you. Round of applause Perfect. Thank you so much. Okay, there's too much stuff in here. Let's let's do this again So i'm gonna run this I'm gonna connect to an ip address so I know how to filter it later on And that's it. I'm gonna stop the capture Oh now when I know how to filter it's not here. 
Okay, so One more cool feature of wire shark that even professionals out here may not Use may have forgotten or never knew Um Is how you can nicely filter. So of course here you can type in different expressions like tcp or udp Right, but that's not what we want to do. Uh, what we can actually do is If we choose any field here For example, the destination address and we right click it What we can do is apply this filter selected And we only get the matching packets where this field is set to this parameter We wanted we want to see both Parts of the communication we changed that to ip address not ip destination Here is our three-way handshake And I of course encourage you to follow through and and also try to connect somewhere and capture it We can see that wire shark has helpfully already selected. Uh, I mean highlighted the flags Of tcp packets here sin sinak and ak But let's go in a bit deeper So internet protocol version four flags. Oh, sorry, um No, it's not not flags Oh, right My bad tcp, right tcp tcp flags These are all the possible flags that you can set Flags are actually Two bytes bytes large here on the left. You can see it And uh, you can set any combination of flags in theory In this case You we have set the sin flag Meaning is a synchronization packet meaning This ip address here wants to establish a connection to this ip address here on this Specific port right the thing I haven't mentioned about layer four are ports Both tdp and tcp have ports meaning those are channels for communication over The internet we have the same IP address we can have multiple services port 80 Is typically used for web. So http Port 443 is typically used for https. So encrypted http Source port is usually assigned randomly by the operating system unless you specify it manually like we did with nc minus p Okay So we got response here. 
It has SYN and ACK set, and if we pay attention here, those are relative sequence numbers, not the real ones, but the sequence number here is set to zero, and in our reply here the acknowledgement number is set to one, meaning that packet zero was successfully received by the server. And here it's sending again, it says zero, and we acknowledge it, one, saying okay, and at this point we can start exchanging data.

At this camp there's actually a project being run that allows you to scan the whole internet. It's nothing new technically, but the good thing is there's a guy who manages it and actually works with the requests you send in and runs a scan for you. ZMap is a tool that can be used for doing that, and ZMap is an internet-wide scanner. It scans the whole IPv4 address space in 45 minutes on a gigabit connection. If you have a faster connection you can use zip your ZMap that does it even faster. It's actually a relatively new breakthrough, I think it's three or four years old, the idea, and it allows you to do that because you are not waiting for the reply. So how it works, simplistically, is it sends SYN packets en masse to all the IP addresses in a specific pseudo-random order, and it uses the metadata, the other parts of the TCP header, to mark that the reply to these packets would belong to the scan. And it doesn't store any information on your computer about what was sent where; all it stores is the index, how far we are in the list of IP addresses. And when the reply comes it analyzes that metadata included and it can tell you if the port is open or not. So it's quite cool.
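To make the handshake discussion concrete, here is an added example (not code from the talk) that decodes the fixed TCP header, lists the nine flag bits, and replays a constructed three-way handshake the way Wireshark displays it, with each side's initial sequence number subtracted so the segments read seq 0 / ack 1. The port numbers and initial sequence numbers are made up; no checksum is computed.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Flag bits in the low 9 bits of the "data offset / flags" 16-bit field
# (RFC 793 FIN..URG, RFC 3168 ECE/CWR, RFC 3540 NS).
TCP_FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
    "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int            # 32-bit sequence number, the real one on the wire
    ack: int            # 32-bit acknowledgement number, meaningful only when ACK is set
    header_len: int     # data offset in bytes (20 without options)
    flags: List[str]


def parse_tcp_header(data: bytes) -> TcpHeader:
    """Decode the fixed 20-byte TCP header (network byte order)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (off_flags >> 12) * 4          # upper 4 bits: header length in 32-bit words
    bits = off_flags & 0x01FF                   # lower 9 bits: the flags
    flags = [name for name, bit in TCP_FLAG_BITS.items() if bits & bit]
    return TcpHeader(src, dst, seq, ack, header_len, flags)


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int, flags: List[str]) -> bytes:
    """Build a 20-byte header with the given flags (window 65535, checksum left at 0)."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAG_BITS[name]
    off_flags = (5 << 12) | bits                # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, 65535, 0, 0)


def relative_handshake(segments: List[bytes]) -> List[Tuple[str, int, int]]:
    """Replay segments of one connection and return (flags, rel_seq, rel_ack) per segment.
    "Relative" is what Wireshark shows: each side's initial sequence number, learned from
    its SYN, is subtracted, so the handshake reads seq 0 / ack 1 / seq 1 ack 1."""
    isn = {}   # src_port -> initial sequence number announced in that side's SYN
    out = []
    for raw in segments:
        h = parse_tcp_header(raw)
        if "SYN" in h.flags:
            isn[h.src_port] = h.seq
        rel_seq = (h.seq - isn.get(h.src_port, 0)) & 0xFFFFFFFF
        rel_ack = (h.ack - isn.get(h.dst_port, 0)) & 0xFFFFFFFF if "ACK" in h.flags else 0
        out.append((",".join(h.flags), rel_seq, rel_ack))
    return out


# Constructed handshake: client port 54321 -> server port 80, made-up initial sequence numbers.
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x55667788
HANDSHAKE = [
    build_tcp_header(54321, 80, CLIENT_ISN, 0, ["SYN"]),
    build_tcp_header(80, 54321, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]),
    build_tcp_header(54321, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]),
]

if __name__ == "__main__":
    for flags, s, a in relative_handshake(HANDSHAKE):
        print(f"{flags:8s} seq={s} ack={a}")
```

The acknowledgement number is the other side's sequence number plus one, exactly as described above; the masking with 0xFFFFFFFF keeps the subtraction correct when a 32-bit sequence number wraps.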
I'm not gonna run it here because I don't have either, or I'm not connected. But it is a cool feature and a way you can use knowledge of networking to create cool stuff.

Okay, routing. I mentioned that time to live is decreased with every hop, with every router that you cross. Routing decisions are taken based on the routing table. For your computer, usually you would have just a default gateway, just one router where all your information is sent to. For internet routers it's not uncommon to have many different routes you send your data to, and the routing table is used there to actually route the data to the correct path. Three types of routing: static routing, default routing and dynamic routing is what I want to talk about briefly here. Static routing entails manually setting up routes on each router. So let's say you are Google and you want to set up your routers. You connect to each of your routers, I guess in the thousands, hundreds of thousands maybe, and you set up the routes by typing: if IP addresses are in this network, send it to this router. Which doesn't scale really well, but it's easy in a sense that you don't have to know much, you just have to understand basic stuff about IP networking. Default routing is when you set the destination address to all zeros, and it includes the IP address of the router that you want to send all the data to when you don't know where to send it. This is the only thing that is usually used on a laptop, on an end device, on a computer. So we have some link-local address, and the last line we can ignore, that's a bit different topic. So here it replaces the zeros with "default"; it's actually zeros in there. Let me see if I can get it on the screen. Nope. Okay, there we go. So it says... oh, that's fun, I wonder if it's an Easter egg of the network team. Basically it says: by default it will send everything here, unless of course it's in your network. Lots of data here.
We only want to look at the wireless adapter. It has this internet address; this is the netmask, /19. If the device can reach the IP address locally on the same network, by using the math that I showed half an hour earlier, it will send it directly: it will do an ARP request, ask for a MAC address and send it away. If it can't, it will use the default route. What else do we have in the routing table here? We also have here the information that I just talked about: if your stuff is on the same network, do not route it, send it directly. And here, this is the Easter egg, I guess. Does anyone know what that is? I seriously don't know the second line. Basically I can tell you what it says, I don't know the meaning of that. So it says that if you want to send data to this specific one IP address, you should also route this through the same IP address as everything else. It's set by the DHCP from the network team, from the NOC. So I don't know what that's about, unless someone's hacking me, then that's cool. Sure. Okay, any questions here so far?

Okay, dynamic routing. That's the coolest way and basically the only way to do large-scale network deployments. It dynamically updates the routing tables on the router using routing protocols. So basically two types you should know about, just real quick, because it is again a very in-depth thing, not suitable for a beginners' workshop. But distance vector protocols determine that the route that uses the least number of routers is the best route to use. It just tries to dynamically find out what would be the number of hops to each network destination. Some protocols there are RIP or agp. SPF or link-state protocols use digital metrics, and they try to recreate the topology, or the picture of how the whole network looks visually, on each router. They can also take network congestion into account when making routing decisions. For example, OSPF would be one of such protocols. And these protocols are usually why you might have
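The routing decision described above (most specific mask first, fall through to the default, ARP for the destination itself if it is on the local network and for the gateway otherwise) as an added example, not from the talk. The routing table is constructed in the spirit of `ip route` output: a default gateway, a directly connected /19 like the one on screen, the link-local range, and one /32 host route via the gateway like the puzzling second line; addresses are RFC 1918 / RFC 5737 placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination, gateway or None when directly connected, interface)
Route = Tuple[str, Optional[str], str]

# Constructed routing table; "default" is the all-zeros destination 0.0.0.0/0.
ROUTES: List[Route] = [
    ("default", "10.0.0.1", "wlan0"),
    ("10.0.0.0/19", None, "wlan0"),          # directly connected network, /19 mask
    ("169.254.0.0/16", None, "wlan0"),       # link-local range
    ("198.51.100.7/32", "10.0.0.1", "wlan0"),  # host route pushed by DHCP, sent via the gateway
]


def route_network(destination: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if destination == "default" else destination)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route (largest mask) containing dst wins,
    which is why the /32 beats the /19 and the /19 beats the default /0."""
    target = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in table:
        net = route_network(route[0])
        if target in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def next_hop(table: List[Route], dst: str) -> Tuple[str, str, str]:
    """Return (kind, address to ARP for, interface).
    'direct': destination is on the local network, so we ARP for the destination itself.
    'via':    otherwise we hand the packet to the gateway and ARP for the gateway instead."""
    route = lookup(table, dst)
    if route is None:
        raise LookupError(f"no route to {dst}")
    _destination, gateway, iface = route
    if gateway is None:
        return ("direct", dst, iface)
    return ("via", gateway, iface)


if __name__ == "__main__":
    for ip in ("10.0.17.5", "10.0.40.1", "8.8.8.8", "198.51.100.7", "169.254.1.1"):
        print(f"{ip:15s} -> {next_hop(ROUTES, ip)}")
```

Note that 10.0.40.1 is not in 10.0.0.0/19 (that block ends at 10.0.31.255), so it is handed to the gateway even though it starts with 10.0; that is the mask math from earlier in the talk in action.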
one packet going one way and the other packet going a different route, because congestion and different parameters change, and routers, or multiple routers, might take a different decision on how to route your next packet.

Oh, the fun part, finally. So we went through, to recap: layer one, the physical layer. Layer two: the most popular one on layer two is Ethernet, we have MAC addresses there, they're called frames, the data parts are called frames. We have layer three; the most popular there is the IP protocol, those are packets, and they have IP addresses. We have layer four, which has segments, and we have UDP and TCP there. And now we're up to application level protocols. By the way, I noticed as I was recapping, I think Wireshark tries to keep, yes, not that I think, I know Wireshark tries to keep this in order. That's because you can see it on the right. So the fields are actually here in the order that they come in the data unit. Since we had the four and a half network experts here: why is the destination address first, before the source address? If you look at IP, source is first, destination is then. Look at the right here, right? The destination is after the source. For Ethernet, for MAC addresses here, destination is first and then we have source. It's not only first, it's actually the first byte, the first bit of the frame is already the destination address. Any of the network experts, or any other people here: why is that? Okay, we heard an answer: speed. Could you elaborate more?
Thank you, very good. So the answer was: switch. When you switch, so a layer two device, when you try to understand which port to send the frame through, the switch can do fast forwarding; it can decide where to move the frame without actually looking at the whole frame. And it has to look at it from the beginning, because electrical or whatever signals come, that's how it's ordered physically. And because we start with the destination address, not the source address, the switch can take a decision depending on the destination address without reading too many bytes from the packet, and it is much faster, and it's still quite important these days with all the speeds that we have. Hmm. Okay, where are we? Right, so we are up to layer five, and this is the place where I will stop going through the layers. I will try to do some explanation of the differences between session layer, presentation layer and application layer, but it is usually hard to distinguish which is which, and Wireshark dissectors do not try to do it usually. They usually just have one layer there. What we can do now is we're going to take a look at some core protocols for the internet, core application layer protocols, and shortly look how they work, which is the last missing part for you to understand how basic stuff on the internet works technically.

So this here is the overview of the DNS system, or the domain name system. It consists of the root zones. An example of a root zone would be .com. Well, not .com: com, or lv, or nl, or horse, I guess, cool domains we have these days. It's a hierarchical system, meaning that if you have a domain signed.bad.horse, it is a subdomain of bad.horse, and that is a subdomain of horse. And it entails some administrative features. Before we look at that practically, and for those of you who already know this theoretical stuff, the command is dig.
I'm just gonna remind you: dig. You can start playing around with it if you have it on your computers. So just some of the DNS record types. What is DNS, the domain name system? It allows us to not use IP addresses. We already learned how we can avoid using MAC addresses, but people don't want to type IP addresses. They don't want to type IPv4 addresses, and even less would they like to type IPv6 addresses. So we have DNS, which provides nice readable names for us; computers have basically no use for them, it's all for us humans. There are different record types in the DNS system. The main record type is A, or four A's (AAAA), and it returns an IP address for a domain. Okay, so if I dig A for sha2017.org, I will get the answer. This happens automatically whenever we use an application that uses DNS, which is 99.99% of the applications these days. We just type it in a browser or an email program, and it will find the IP address for you automatically. For an email program the procedure is a bit different. So for a browser it will look for an A record and it will know: this is the IP address I need to send my data to. Let's take a look at Wireshark for a moment here. So even if I just ping, which is just sending an ICMP packet to check if the IP is up, it will still need to find out the IP address from the name I typed here.
So if I type dns here, I will see a query here. It's asking for an A record for gmail.com, and the response here, it has given me these answers. So these are four of the IP addresses that my computer can use to connect to gmail.com. MX is used for mail exchange, and that is the one used when actually sending an email. So if we dig MX google.com, this is the answer section. We can see that email for @google.com is handled by any of these mail exchangers, and if we would like to connect to them we would then need to get the A record for them, right? And depending on the configuration you might also get them automatically from the server, which has happened here: it's the additional section. It's not what I asked for, but it might be useful. Oh, I skipped AAAA, but I think you already see what that is, right? Four A's is the IPv6 address, not the IPv4 address. The NS record is a name server record. It delegates a zone to use a specific server for lookups. So here, for example, every DNS resolver knows of 20 root servers. They are distributed all around the globe, but it is basically the one and only part of the internet that is actually the weakest link. Not really decentralized, even though we have 20 of them. If a hacker... a bad actor, well yeah, if a bad actor, right, hackers are good. Seriously though, yeah, okay, if a bad actor were to take all of them down at the same time, DNS would not work globally. That's a centralization point there.
Anyway, each of these servers knows where to look up the top-level domains. So if we do dig NS sha2017.org, and if we ask this question to one of the root servers, sorry about that, so I did that by typing @ and the name of the server or the IP address of the server, all it will say to me in this case is which name servers are responsible for .org. Even if I ask not NS but A, I want the IP address of this, it will still give me only the same answer in the authority section, because the system is hierarchical. Those name servers do not know anything about this. Let's use program.sha2017.org, which is a very dear address to me today; I spent four hours trying to fix the program CSS, some people couldn't scroll to the right and didn't see tau and pi. Okay, so you can see the name servers, and what would normally happen if we didn't specify a specific name server: it would then ask, randomly, one of the next name servers the same question, and we would get an answer, hopefully. If it would not get an answer, it would try the next name server. So we have an answer, and again it's not our answer, it's just an authority section. It says: for this domain, ask any of these name servers. We take one at random, we ask the same question. There's our address. It's a CNAME record, canonical name, an alias. It says basically: DNS for this is the same as DNS for this. And again, automatically, the server also sends me: by the way, you probably will want to know the A for this. So here it is, so I don't have to ask it again. Yes? To what domain? Yes, yes. Well, I'm not the sysadmin, I'm the content team, so the sysadmins are doing that. But it doesn't cause any technical difficulties, as far as I could imagine. I think it's fine. Now that you asked, I'm getting a bit suspicious about whether it's fine to do that, but I would also do that if needed.
Yeah, sure. I mean, unless you have a really good reason to use a CNAME, depending on your name server it's better to use an A record directly. But yeah, you can use it. Why you could avoid a CNAME in this situation is because it's on the same domain, this zone. The server holding this zone knows the IP address; you can send it directly. Depending on the server, you might force your DNS client to make a separate request. If I wouldn't have this line here, I would have to now do this to get the IP address, which is bad. Yes? Just notice what address you're querying. I think it's not fine to do this when you're doing a CNAME for a different domain. So let's say you are doing a CNAME for... oh, and then you see... Thank you. So your comment was that you think it's not okay to do that if the CNAME goes to a different upper domain. Yeah, so that's what you said. Well, that's actually this thing: when you put a CNAME to a different upper domain, say to google.com, that is actually the only real use for CNAMEs. It is not good network-wise, because you will have to make those requests, because this specific DNS server doesn't know anything about google.com, but it's a legitimate use. It's a legitimate use because that way you can actually link your IP address to whatever this other IP address is: the other admins change the IP address and yours changes too. Unless you want to delegate the whole zone using an NS record. Thank you. One hour left, okay. PTR is a pointer. Unlike CNAME, which we already discussed here,
PTR would stop the processing, meaning that it's basically a kind of text record, not exactly, but it returns just the name. PTRs are most commonly used in reverse DNS. So when we did this tracepath bad.horse, you can notice that we get the names here, but if you watched carefully, tracepath uses this detail trick, and those are IP addresses; of course we are getting answered from an IP address, not the domain name. What that means is that this somehow gets here. If we run tracepath -n, it doesn't do DNS queries; we can see all the IP addresses here. And what it does is actually look for reverse DNS for every IP address. You can also do it like that, right? You can take this, which is just the IP address with all the bytes in reverse order, and dig it, and here it is. It's just a string, basically. If you just dig it, dig ANY, it would not try to resolve it. And that of course means that you can type any domain you want in there if you have a DNS server. Oh, yes? But it's, I mean, yeah, it is hard to get IPv4 addresses now. When I was running a large network I think I just got around 500 IPs just because of downtime. I emailed them and said: come on, what's up, there's downtime every week, and they said okay, okay, don't be angry, here are 500 IPv4 addresses. And now I have them. But this bad.horse isn't mine, it's someone else's. Okay, so we already looked at dig. This is a reference slide that you can use. ANY is a pseudo record, it's not a real record; it just asks the server to send all the records it has. AXFR is alternative transfer, and it asks to send all the subdomains the server knows. Usually this is turned off. There was this one or maybe two times when a top-level domain like .something didn't turn this off, and some researchers just downloaded all the domains of a country. So you should regularly check if stuff happens, and then you can be doing a good job.
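The record types walked through above (A, AAAA, NS, CNAME, MX and the reversed-octet PTR name) all travel in the same wire format that Wireshark dissects under "Domain Name System". As an added example (not from the talk or from dig), here is a parser for that format, including the RFC 1035 name compression pointers that real responses use, a CNAME-chasing helper, and the in-addr.arpa name construction. The two sample responses are constructed from example.com names and RFC 5737 addresses and mirror the dig output described above: an A query answered with a CNAME plus the A for its target, the zone's NS in the authority section and the name server's address in the additional section.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 28: "AAAA"}


def encode_name(name: str) -> bytes:
    """'host.example.com' -> length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode the name at msg[off], following compression pointers (top two bits 11).
    Returns (name with trailing dot, offset just past the name in the original stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the suffix
            (ptr,) = struct.unpack("!H", msg[off:off + 2])
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr & 0x3FFF, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def decode_rdata(rtype: int, msg: bytes, off: int, rdata: bytes):
    if rtype == 1:
        return str(ipaddress.IPv4Address(rdata))
    if rtype == 28:
        return str(ipaddress.IPv6Address(rdata))
    if rtype in (2, 5, 12):                        # NS, CNAME, PTR: a (possibly compressed) name
        return read_name(msg, off)[0]
    if rtype == 15:                                # MX: 16-bit preference, then exchanger name
        return (struct.unpack("!H", rdata[:2])[0], read_name(msg, off + 2)[0])
    return rdata.hex()


def parse_response(msg: bytes) -> Dict[str, object]:
    """Header, question, then answer / authority / additional sections, as Wireshark shows them."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPES.get(qtype, str(qtype))))
    result: Dict[str, object] = {"id": txid, "rcode": flags & 0xF, "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((name, TYPES.get(rtype, str(rtype)), ttl,
                            decode_rdata(rtype, msg, off, msg[off:off + rdlen])))
            off += rdlen
        result[section] = records
    return result


def addresses_for(parsed: Dict[str, object], name: str) -> List[str]:
    """Follow CNAME aliases inside the answer section, as a resolver does, collecting A/AAAA."""
    name, seen, found = name.rstrip(".") + ".", set(), []
    while name not in seen:
        seen.add(name)
        found += [rd for n, t, _ttl, rd in parsed["answer"] if n == name and t in ("A", "AAAA")]
        aliases = [rd for n, t, _ttl, rd in parsed["answer"] if n == name and t == "CNAME"]
        if not aliases:
            break
        name = aliases[0]
    return found


def reverse_ptr_name(ip: str) -> str:
    """Name to query for a PTR: IPv4 octets in reverse order under in-addr.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    return addr.reverse_pointer + "."


def build_response(qname: str, qtype: int, answers=(), authority=(), additional=()) -> bytes:
    """Assemble a response (flags 0x8180: QR, RD, RA, no error) from (name, type, ttl, rdata)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in (*answers, *additional, *()) if not authority else (*answers, *authority, *additional):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# Constructed samples. The CNAME rdata ends in pointer 0xC010: offset 16 is "example.com"
# inside the question name, which starts at byte 12 right after the header.
SAMPLE_A = build_response("www.example.com", 1,
    answers=[("www.example.com", 5, 300, b"\x04host\xc0\x10"),
             ("host.example.com", 1, 300, bytes([192, 0, 2, 10]))],
    authority=[("example.com", 2, 3600, encode_name("ns1.example.com"))],
    additional=[("ns1.example.com", 1, 3600, bytes([192, 0, 2, 53]))])
SAMPLE_MX = build_response("example.com", 15,
    answers=[("example.com", 15, 3600, struct.pack("!H", 10) + encode_name("mail.example.com"))],
    additional=[("mail.example.com", 1, 3600, bytes([192, 0, 2, 25]))])
```

The `hops` guard in `read_name` matters in practice: a crafted message whose pointer refers back to itself would otherwise loop forever, which is the kind of dissector bug mentioned later in the Q&A.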
One more thing is +trace. Let's take a look at that. It's explained here. I already explained this process previously: how your resolver queries a root server, then queries the name server, then the subdomain name server, and so on until it gets the answer. It sends the same query to all of these servers one by one. +trace helps you see that visually. My screen is not large enough to show it to you, but if you type in your computers dig +trace program.sha2017.org... I will use less to actually fit it on screen. Not a good idea, I guess. Okay, let's try this out, less. Oh, do you have internet? Yep. Let's try a different domain. Okay, maybe I messed up. Sorry, let's put it in the right place. I don't think it matters, but maybe it does. Okay, I don't know what's happening here now. It should perform the requests one by one. Hmm. Right, my name servers are maybe down. Hmm, let's see. Yeah, it's some systemd stuff. Dealing with it like everybody else. If we need systemd, right, we need the bad guys, it unites the community, I agree. Okay, now it works. Right, so this is the request to my lookup server. It gives me the root servers. Requesting one of the root servers: who knows about org, who knows what domain? We get the org name servers. Then we ask one of those: who knows about our request? We get the sha name servers and we ask those. We finally get our CNAME, and also the A address here. So that's DNS for you.

Oh, SMTP, right: the Simple Mail Transfer Protocol. It's simple. It's underlined, that means it's really simple. In the beginning I spoiled a bit about how you can forge the return addresses. Let me show what I mean.
I'm gonna use split screen for this. Okay. Now let's say we would like to send an email to me. My domain is kirls.org. So my mail application, let's say it's a classical mail application, right, Outlook, would look up the mail exchanger for kirls.org, the domain of my email. There it is. And then we need the IP address for that, technically, and there it is. What happens next is, let me see if I actually have slides in the deck. Oh yeah, I have slides. Let me show you the slides first. What happens next is your computer connects to the SMTP server. It's port 25, that's a well-known port. It gets greeted with a hello, 220. Your reply is HELO and your domain name. You get an okay, 250. You say who the mail is from, like some address that the mail is from; this is the envelope address. You say who the mail is to. Again you get okay. Then you send DATA and then you send the email body with all the headers. Now this here, this part here starting from From up to Subject, could theoretically be described as presentation layer, so layer six, technically. But if you don't subscribe to that and call it all application layer, it's not a big mistake. It's quite an academic debate between those three layers. Anyway, you send that; this will be parsed by the email client, not the email server. And that's it. It says okay, 250, and you quit and it says bye-bye, 221. So let's take a look at the demo here. So we have the IP address and port 25. There we go. Hello. Okay, pleased to meet you. Mail from, okay. Oh, the domain doesn't exist, white hose, oh my bad. So some servers check more, some servers check less of what you actually type. Ah, boom, so they're okay, good. Our recipient, okay. So okay for recipients: most servers will actually check what the hell you are typing there.
So if a domain, if an account wouldn't exist, it wouldn't accept it. Also, unless it's an open relay, it will not accept email for other domains. And then DATA, and now this will all be parsed by my email client if I receive the email. Let me try. Okay. And you finish with a dot on a line by itself, as it's actually said here in the message. Okay, and then we quit gracefully. That's basically it. Now let me fire up my email client and hope that it doesn't go on screen. Okay, it's on my screen, that's a good sign. And oh, look, I have an email. It's not in spam because my spam filters suck. I'm gonna open it up for you and move it to the main screen. I can zoom some way or another. Okay, whatever. Let's look at the headers. So this is everything. Received... my server added some headers of course, additional headers that we didn't send, but basically it's all there. It says it's from billy, to admin, and it's all there. Here it is. Okay, so that's the SMTP demo.

Okay, we are at almost the last slide, so we're gonna have the practical stuff soon. Thank you, thank you. So HTTP, Hypertext Transfer Protocol. This is a protocol used to transfer web pages. It's not HTML; it's not the markup language, it's the protocol. And rather than doing it in telnet, you can see how it looks here. This is a response. Rather than doing it in telnet, let's use Wireshark to do that. Okay, so let's run this and let's open a web page. There we go. Remove the filter. If you filter for http, we have this request here. Let's close all this, and HTTP is here. This is how it looks. So we have a GET request here, meaning open this page, and this is the page address, so basically part of the URL. It says open the main page, just slash. If I would ask for google.com/123, it would say /123 here. There's a hostname and some headers that identify your user agent and so on.
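The exchange just demonstrated (220 greeting, HELO, MAIL FROM and RCPT TO forming the envelope, DATA terminated by a lone dot, 250, QUIT, 221) as an added example that is not part of the talk: a small receiving-side SMTP state machine over a constructed client transcript, plus the check a receiver can make afterwards. The point it shows is the one made above: the From: and To: inside DATA are free text that the server never validated, while the envelope is what the server actually saw (recorded in a Return-Path header), so the two can be compared. Hostnames and addresses are example.* placeholders; a real MTA does far more than this model.

```python
import email
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

Envelope = Tuple[Optional[str], List[str]]   # (MAIL FROM address, [RCPT TO addresses])


def _address(arg: str) -> str:
    """'FROM:<billy@example.com>' -> 'billy@example.com'."""
    return arg.split(":", 1)[1].strip().strip("<>")


class SmtpReceiver:
    """Constructed teaching model of the receiving side of an SMTP session (not a real MTA)."""

    def __init__(self, hostname: str = "mx.example.test"):
        self.hostname = hostname
        self.mail_from: Optional[str] = None
        self.rcpt_to: List[str] = []
        self.body: List[str] = []
        self.in_data = False
        self.messages: List[Tuple[Envelope, str]] = []

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP"

    def feed(self, line: str) -> Optional[str]:
        """Handle one client line; return the server reply, or None for lines inside DATA."""
        if self.in_data:
            if line == ".":                      # lone dot ends the message
                self.in_data = False
                # Return-Path preserves the envelope sender for later comparison with From:
                raw = f"Return-Path: <{self.mail_from}>\n" + "\n".join(self.body) + "\n"
                self.messages.append(((self.mail_from, list(self.rcpt_to)), raw))
                self.mail_from, self.rcpt_to, self.body = None, [], []
                return "250 OK queued"
            self.body.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.mail_from = _address(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 need MAIL first"
            self.rcpt_to.append(_address(arg))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 unrecognised command"


def envelope_vs_headers(envelope: Envelope, raw: str) -> Dict[str, object]:
    """Compare the envelope the server saw with the From:/To: headers the client wrote."""
    msg = email.message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1]
    header_to = parseaddr(msg.get("To", ""))[1]
    env_from, env_rcpts = envelope
    return {
        "envelope_from": env_from, "header_from": header_from,
        "envelope_to": env_rcpts, "header_to": header_to,
        "from_mismatch": header_from != env_from,
        "to_mismatch": header_to not in env_rcpts,
    }


def run_session(lines: List[str]) -> Tuple[List[str], SmtpReceiver]:
    srv = SmtpReceiver()
    replies = [srv.greeting()] + [r for r in (srv.feed(l) for l in lines) if r is not None]
    return replies, srv


# Constructed client transcript: the envelope addresses differ from the From:/To: headers.
CLIENT_LINES = [
    "HELO laptop.example.test",
    "MAIL FROM:<courier@example.net>",
    "RCPT TO:<admin@example.org>",
    "DATA",
    "From: Billy <billy@example.com>",
    "To: Someone Else <someone@example.org>",
    "Subject: hello",
    "",
    "A line that starts with a dot follows, dot-stuffed by the client:",
    "..not the end yet",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, srv = run_session(CLIENT_LINES)
    print("\n".join(replies))
    print(envelope_vs_headers(*srv.messages[0]))
```

Exactly as said above, the header block is interpreted by the mail client, not the server; the Return-Path line added here is the conventional place where a receiver keeps the envelope sender so that later checks (spam filters included) can see the mismatch.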
So if you want to hide, then take note of that. And the response, and here's a cool trick for Wireshark: press here on the packet and Follow HTTP Stream, and we have the stream, we have the request and the reply at the same time, in the same view. And what's even better, if we close it we can see all the stream packets here, visible. Okay. Now what I usually do here with the group, and this is a small part of a five-day workshop that I do commercially actually, what I do here with the group usually is I get everybody to launch their Wireshark and open up a web page. It's better if it's HTTP websites, not encrypted. Just launch Wireshark, close your browser, open up again, open up a website, and then we'll take a look at what we see. I'm gonna take a two-minute break here. You stay right here, open up a website and I'll be back. Okay, I'm gonna lock this for reasons. Wow, it's dark in here. Oh man. Now you can see it. Hold on, let me make sure it doesn't show the password on screen. No, for the real thing. Okay, so many of you are still here, which is cool. Thank you for that. So I hope you managed. If you didn't, answer any questions before I show it to you on my laptop. The thing I want you to answer for yourself here is: what kind of protocols are involved in the simple action of opening a web page? I'm just typing in an address and pressing enter. Okay, here: DNS, TCP. What would be the first protocol that's employed? DNS? Yes, DNS is the one you might see in Wireshark, because you've been using the internet, or at least your computer has been using the internet. From the theory that we covered, if you would have just turned on your computer, what would be the first protocol
that you would see after you have successfully and fully connected to this network? ARP, that's correct, Address Resolution Protocol. Let's go step by step and I'll try to simulate here that my computer has just been turned on. Okay. So I'm deleting some ARP addresses here. Let me relaunch this. Okay, now if I connect to the web, I'm gonna use my favorite web browser. There I am. This is everything you have. Let's see if ARP is there. Yep. So of course we have some background data going on. It starts with ARP. In this case it's because I deleted my ARP table manually, but it's what really happens when you start up your computer and connect to this network. So the full explanation for this is that I typed in the domain 02.lv. My computer knows that the DNS server to use is 8.8.8.8, because I put it in there manually. Now it tries to do the DNS; it tries to connect to 8.8.8.8. To do that it looks at the routing table. It all happens in the background instantly. It checks the destination addresses, ordered by the mask: it starts with the largest mask and goes to the lower masks. 8.8.8.8 doesn't match any of the networks, so it goes to the most generic mask, and it will send that packet to this IP address for routing. In order to do that, the computer now looks at the ARP table. The ARP table was empty at the moment, so the computer finally sends the first packet. It asks: who has this IP address, which is the gateway's address, it's here, and it says: I want the answer here. The router, which is made by Juniper by the way; this works of course by employing a database, remember the first three bytes are assigned to an organization, and they're trackable that way. It replies: I'm here.
This is my MAC address, you can contact me there. The ARP table gets populated by this information, and now for some period of time, the length depends on the operating system, my computer will know that this is the MAC address for that IP address. Now it can finally send the request to 8.8.8.8. It asks: what is the IP address for 02.lv, and what is the IPv6 address for 02.lv? And it's got a response. Now what we see here is that we get a reply: who knows about 02.lv. And some steps are skipped here, meaning that 8.8.8.8 belongs to Google, that's their public resolver; Google does many of the steps for us, and we already get the real names that will know the answer. This one, by the way: the DNS system doesn't support the @ symbol, but there are emails in each DNS zone. So if you want to send spam... I hate you. But seriously though, if we take a look at any DNS zone, you can request any type of record, and if it's set up correctly... no, we should request, sorry, we should request start of authority. We can't request any type of record if it's set up correctly. The second entry here will be the email address; the first dot gets replaced by @. Of course Wireshark does that automatically here on the right; we can see the response here. Right, then it asks for the IP address again, and this time we get the answer here, we get an A record. Now the computer finally knows the IP address of the web server; it can start connecting. Please note that for DNS the usual layer 3 protocol is, sorry, the usual layer 4 protocol for DNS is UDP. As you can see it's a very simple protocol, just to be discussed in theory. We can see the source port, destination port, length and the checksum here. There's nothing else, and then there's data, which Wireshark already divides for us as a new layer here. HTTP is usually based on TCP; that's why we see our three-way handshake.
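The first packet on the wire in the walkthrough above, and the earlier question of why the Ethernet destination comes first, as an added example that is not from the talk: an Ethernet frame and ARP decoder, a builder for the "who has / is at" pair, and a small host-side ARP cache. The cache only learns replies for addresses it actually asked about; that is a deliberately conservative constructed policy (real operating systems differ), chosen because unsolicited replies are what ARP spoofing on a shared network depends on, so they are worth flagging. MAC addresses use the locally administered 02: prefix and IPs are RFC 1918 placeholders.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class Ethernet:
    dst: str
    src: str
    ethertype: int
    payload: bytes


def parse_ethernet(frame: bytes) -> Ethernet:
    """Bytes 0-5 are the destination MAC, the first thing on the wire: a switch can choose
    the output port from them before the rest of the frame has arrived."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return Ethernet(mac_str(frame[0:6]), mac_str(frame[6:12]), ethertype, frame[14:])


def oui(mac: str) -> str:
    """First three bytes, the organisationally unique identifier assigned to a vendor."""
    return mac[:8]


@dataclass
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(payload: bytes) -> Arp:
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return Arp(op, mac_str(payload[8:14]), ip_str(payload[14:18]),
               mac_str(payload[18:24]), ip_str(payload[24:28]))


def build_arp_frame(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    dst = BROADCAST if op == ARP_REQUEST else target_mac      # "who has" goes to everyone
    return mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


class ArpCache:
    """Host-side ARP table with the constructed policy: learn only replies we asked for."""

    def __init__(self, my_mac: str, my_ip: str):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.table: Dict[str, str] = {}
        self.pending: Set[str] = set()

    def request(self, ip: str) -> bytes:
        self.pending.add(ip)
        return build_arp_frame(ARP_REQUEST, self.my_mac, self.my_ip, "00:00:00:00:00:00", ip)

    def handle(self, frame: bytes) -> Optional[str]:
        """Process a received frame; returns a Wireshark-style Info line, None if not ARP."""
        eth = parse_ethernet(frame)
        if eth.ethertype != ETHERTYPE_ARP:
            return None
        arp = parse_arp(eth.payload)
        if arp.opcode == ARP_REQUEST:
            return f"Who has {arp.target_ip}? Tell {arp.sender_ip}"
        if arp.sender_ip in self.pending:
            self.pending.discard(arp.sender_ip)
            self.table[arp.sender_ip] = arp.sender_mac
            return f"{arp.sender_ip} is at {arp.sender_mac}"
        return f"unsolicited reply for {arp.sender_ip} from {arp.sender_mac} ignored"


# Constructed exchange: laptop 10.0.0.23 asks for the gateway 10.0.0.1, which answers.
LAPTOP = ArpCache("02:00:00:00:00:23", "10.0.0.23")
REQUEST = LAPTOP.request("10.0.0.1")
REPLY = build_arp_frame(ARP_REPLY, "02:00:00:00:00:01", "10.0.0.1", "02:00:00:00:00:23", "10.0.0.23")
```

Once the reply is processed, `LAPTOP.table` holds the gateway's MAC, which is the entry the routing lookup earlier needs before the first DNS packet can leave the machine.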
We have SYN, SYN-ACK and ACK over here, and as soon as it's established successfully, and we can see the sequence numbers of course here, we can finally send the data. We have our layer 2, layer 3, layer 4, and layers 5 to 7 here in Hypertext Transfer Protocol. There's the user agent. Each TCP packet gets acknowledged too. This data gets divided into smaller segments because it's a large amount of data, and gets sent, and each segment gets acknowledged. Okay, here it says that we have the acknowledged flag set. The server receives it and finally sends the answer. This is reassembled. On the wire you'll actually see all the separate TCP packets here; Wireshark does it for you to assemble it back to a response. In the end the server says: please close the connection, FIN, and we have the handshake for closing. It's acknowledged and it's finally closed. This was some retransmission. It looks more like an attack to me. So it's a hacker network, right, people are attacking stuff. Okay, so this is it, that's that. It's a bit dark to do some of the hands-on demos. Let me show you the last slide. I worked for two hours on the effect, so look closely, you might miss it. Cool, isn't it? Okay, thank you, thank you so much. I'm ready to take any random questions about networking, or me, or whatever. Tomorrow evening I'm having a talk on rooting the MikroTik routers. This is one of the routers. Yeah, hard to see. Okay, yeah, well, that's pretty, anyway. So I'm gonna talk about jailbreaking these boxes, because you don't get root on them by default. It's gonna be in the large tent. So yeah, if you have any questions about networking, I'm here. If you want to take a look at some of the simplistic hardware I have here, you can come and take a look. It's nothing fancy.
I didn't take the WiFi Pineapple with me, for example, which is a cool, easy-to-use device for screwing with people's Wi-Fi. So yes, any questions here? Yes, you will be able to download these slides over here, depending on how much work I have tomorrow. Probably on Wednesday; on Wednesday go there, there will be slides. Yes? The question is: is it possible for network traffic to not show up in Wireshark? This regards capturing. So depending on how you capture: if you set promiscuous mode, if you successfully set it and the driver supports it, all the traffic, all the signals that physically reach your network adapter and are legible, are understandable in a layer one sense, will show up in Wireshark. So there are many ifs, of course. It may not show up. For example, for Wi-Fi... do we have an open network here at SHA? Is there an open SHA network? There is. I'm gonna show you. There is, yeah, insecure, the open one. Okay, since we have some time I'm gonna show you a demo after the questions with the Wi-Fi, right, a small demo, not the whole thing, just to show you how it works. But for Wi-Fi, for example, for normal network cards you have to choose the channel, basically the center frequency, meaning that you will probably not see the other frequencies at the same time. So there are different ifs to that. Yes, it is possible for data to not show up. 169? I would doubt that there is any traffic; it's a link-local address and it would not usually show up. I mean, there's usually nothing happening there, that's what I'm saying. But one more thing is you have all these interfaces, and similarly to IP, where we have the loopback address 127.0.0.1, we also have a loopback interface on Linux and Unix machines, and loopback data would show there. So if you would do ping 127.0.0.1, you would not see it on your Ethernet or WLAN, you would see it on the loopback only. Where was the next question?
I haven't tried it. Thank you. The answer is yes again, and the question was: can you capture Bluetooth traffic with Wireshark? I know that a couple of years ago there was an issue. There's Ubertooth, of course, but there was not any sensible way to connect it. If you can now, that's great. Can you use Ubertooth for that? Okay, yes, so you can use Ubertooth apparently to capture Bluetooth traffic. I should try that, that's a fun experiment. I don't have it with me, I have it at home. Okay, so if you run Wireshark as sudo, as a superuser, what kind of problems are you opening yourself up to? I did address this briefly. Wireshark has these things called dissectors. Instead of really decapsulating and encapsulating the traffic, it uses a simulation: it mathematically tries to understand what's inside the traffic and show it to you graphically. And because of that, combined with the fact that it captures everything on the wire, it's quite high risk that if there's a bug, an attacker can exploit it easily, because you basically take everything up from the internet that goes to your device, and a bug in one of the dissectors running as root may cause, can mean, code execution, for example. Okay, any more questions so far? Yes? This is my first SHA, or the previous event, kind of event, right; I usually attend CCCs. I can tell you what happens is this: the network team comes and confiscates your Wi-Fi device. Sorry, the question is: what would happen if you would set your MAC address to the Juniper's MAC address, as a router for the local Wi-Fi. And I hope they have the hardware here. They have that at CCCs: they can triangulate you quite well, where you are. They have the hardware here. Okay. Yes? Did you say bitcoin? Okay, so the question was: bitcoin messages appear in two separate packets, always the header separately and the payload separately, and what would be the reason for that? I don't know.
I haven't looked at the Bitcoin protocol. Yep. Can anyone comment on that? Nope. Okay, and I don't have a Bitcoin client installed, so I can't. If I did, we could take a look and understand. Well, the generic reason would be it's too large, the header is so large that it can't fit, but I guess it's not the case. It's not the case, so, yeah, you can research that, and there are lightning talks; you can do a small research and present it day 4, day 5.

Okay, well, let's see, we have 15 minutes, right? 24, let's say 15 minutes. It's been long enough, right? So those of you that want to see me screwing around with Wi-Fi can stay. Yeah, I'm not promising anything specific. I don't know what's gonna happen. Let's try.

Okay, so here's my new Wi-Fi, that's through. Okay, I want to know the frequency for the Wi-Fi here. To do that, let me use Kismet, I guess. It's an old tool. I hope it doesn't have any bugs. If it does, I'm screwed. Oh, I don't remember all the options. Never mind, let's not use Kismet. Um, let's do... Okay, let's just start. I'm just gonna start monitor mode on any frequency that we have. Or I could take a look at 5.3... damn. Okay, let's hope there are 2.4 GHz frequencies here too. So airmon-ng, I'm gonna start wlan1 in monitor mode. So what I have now, I have monitor mode enabled on mon0. It also enables promiscuous mode? Technically, no. Definitely it's not the same thing. So I have this interface here, I'm gonna start. Oh, and we have lots of data. So, Raspberry Pi, huh. Okay, we would want to filter some stuff out. Right, let's filter out probe responses. So type/subtype probe response: apply as filter, not selected. Got some beacon frames. This beacon frame is saying we have, oh, we have this one, SHA2017 insecure. Okay, so we're on the right channel, I guess. Getting some cool data. Well, if it's not encrypted, we should be able just to select TCP. TCP, as you know, is layer three.
Sorry, layer four protocol. Let's select IP; it's a layer three protocol, which is above layer two, which means if I get layer three here, my setup is able to access the data. So it's not encrypted then. Okay. So we have some data here. Some devices are querying badge.sha2017.org. Okay, let's go deeper. Let's look for some fun protocol. Let's look for HTTP. Nothing, no one's using the network. Come on, why not? Ah, smart guys. Let's go back to IP. Okay. Okay, this is something. So apparently I wasn't early enough with starting to capture packets, but there is a disconnect using SSH from a client. So someone is using PuTTY, which is the mainly-Windows SSH client, to access some server here. Let's take a look at the server. So the disconnect was sent by... I'm not sure who sent this kind of message. Is it sent... what is that? The server sends a disconnect? Okay, let's try. Oh, we can tell it by the port, right? For SSH we have TCP on top; TCP shows us the port: 22 is the well-known port for SSH. So the destination in this case was the server, so the client sent the disconnect. Um, okay, so this is the server. Let's see if it has reverse hostname set up. Technically we can also copy it. It's not useful for small things like IP addresses; for larger ones you use copy and then you select the right selection of these things, printable text. I think it'll work this time. Nope, value was the right answer. Okay, there's nothing there. Okay, there's an OpenSSH server over there. If it's in the same subnet as we are, we should be seeing it in the ARP table. There it is. And we should be able to see the vendor. We can also see it here, of course, on layer two: Jolla, whatever that is. Okay, this wasn't fun, sorry for that. What else do we have here? Oh, someone is trying to use TLS, which may be HTTPS here. Yep, it's HTTPS, HTTPS reply from server. Finally. If it was one of you, thank you. So we have something similar to HTTP and some DNS. Okay, not much stuff going on here. There's NTP. So not that fun, I'm sorry.
This is a hacker conference, so people know what they're doing. Or maybe it's too late. Oh, no, no, no, I mean, the point is: you see the data is unencrypted, what we would see. We would see the same kind of data as capturing our own traffic, basically, right? If that is encrypted, there is a slide on how to attack WPA2 in one of my presentations on curel.org; go through the 50 of them and you will find it, and then you can try it out, if you confirm the knock. Okay, I think one last question. No? Yes. Thank you very much for your time, and see some of you tomorrow, I guess.
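As an added illustration of the layer walk the demo does (vendor bytes in the layer two MAC, IP at layer three, TCP port 22 at layer four, and telling client from server by the well-known port), here is a minimal bounds-checked dissector in Python; it is example code written for this transcript, not the speaker's code and not Wireshark's, and the frame bytes, MAC and IP addresses are constructed.

```python
import struct

SSH_PORT = 22  # well-known server port; the talk uses it to tell client from server

def dissect(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP like a sniffer's dissector would.
    The bytes are untrusted, so every length is checked before it is read."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"src_mac": src_mac.hex(":"), "src_oui": src_mac[:3].hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:  # only IPv4 is handled here
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    out.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)), proto=proto)
    if proto != 6:  # 6 = TCP
        return out
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    out.update(sport=sport, dport=dport)
    # Same inference as in the demo: whichever side is on port 22 is the SSH server.
    if dport == SSH_PORT:
        out["direction"] = "client->server"
    elif sport == SSH_PORT:
        out["direction"] = "server->client"
    return out

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Constructed sample frame (not a capture): Ethernet + IPv4 + TCP FIN/ACK, checksums zeroed."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, 0x5011, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp

if __name__ == "__main__":
    # Constructed addresses: a client on an ephemeral port closing its SSH session.
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.9", 51234, 22)
    print(dissect(frame))
```

A truncated frame raises instead of reading past the buffer, which is the kind of check the root-dissector question above is really about.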