Alright, folks, let's get started. Well, I can't really tell on Zoom, but at least the people in the class right now don't seem to be hating each other; they actually seem to be talking amongst themselves before class started, so hopefully that's a good sign that friendships are being repaired and all the scamming that went on is being forgiven. You're a bad scammer then; probably got way more people scammed. Yeah, so we'll grade that assignment very soon. I'll share the results; I'll try to have that done by Thursday. It's always interesting to see the distribution of things. Let's see some of the scams. Actually, what I'm super interested in is knowing about ways to scam people that I don't know about, because I've been doing this for a decent amount of time.

One of the things is: so how do you tell that a key is the same key in GPG? The fingerprint. What is the fingerprint? So how is it generated, why can you trust it? Not a checksum; a checksum you definitely can't trust. Similar to a checksum, you'd just trust something you don't even know what it is. Random letters? A fingerprint, how is it created? Was it... Nope. It's a GPG thing, it's not something I did. Yeah, what have you learned about to tell when the integrity of something has been violated or changed, in a cryptographic way? Hashing, hash functions. Checksums are very different; they're not cryptographically secure and they can be easily broken. But yeah, so the fingerprint is a cryptographic hash, I don't know exactly what algorithm it's using, of your public/private key. That's why the only public key that you should trust has this exact fingerprint. Actually, one of the big design flaws of GPG is that it will show you different fingerprints, so sometimes in the output it will just show the last eight or so digits of the key. That's known as your key ID, the last part there. But the whole thing is the fingerprint.
And so that's what you need to download, or that's what you need to check, to see: is this key that I'm signing actually signed by the real course signature? What's preventing anyone else from creating a key with the name CSE 365 Spring 22? So yeah, one very cool way that people scam people is you get your adversarial key... What happens if you edit the name on a key? The signatures go away. Why did the signatures go away? Yeah, the key's changed. It's not that it's considered a new key. Everyone who signed your key to verify your identity was verifying the name and email address that was on your key at that moment; when you change that, you lose those signatures. But the key still remains the same, because it has the same fingerprint. Yeah, correct. Yes, but then what happens to that key? The signatures go away, including the course signature, but you shouldn't sign a key that's not valid, right? And only keys that are valid are signed by this hash, like this fingerprint of this course key. Right, so before signing a key, you always validate that it has a signature by this and you validate the identity; those are the two big steps. Which, if you're scamming people: you can change the adversarial name, you can change the name to your name, right, back to your name. It drops the course signature, so it's no longer signed by this. So how do clever attackers get around that? Make your own course signature key. So you create a fake CSE 365 Spring 22 key, you sign your own key. And now if you send that new adversarial key that has this fake course signature, if you just sent that to somebody, what would they see when they list the signatures on that? It's "user ID not found", so that would be a clear indication that that signature is not valid. So how do you get around that? Yeah, you can export both of them to one file, because GPG, when you import keys, will import everything that it sees as a possible key.
So if you send people, in one file, two keys, your changed adversarial key and your fake CSE 365 Spring 22 key, then when they do list-sigs they see, oh, it's signed by CSE 365 Spring 22, but the fingerprint will not match. Yeah. Yeah, you could continue to generate adversarial keys until you had one where the fingerprint matched enough of the digits that they maybe wouldn't tell, I don't know. I can't remember exactly how much of the key ID is used and how much you need to try to generate in order to get something that matches exactly. So if you run a script to do it you don't have to do it yourself, right? Right, you write the program to do it. Yeah, Zoom chat is saying, when you import keys, so if you're very careful, if you import keys it would tell you, oh hey, I imported two keys, so if you're looking at that you can spot this type of scam. Automated things, you most probably did, unless you had safeguards in place.

I don't know what other, any other scam ways that people either came up with, or you could say your friend came up with if you don't want to admit to scamming people yet. I used the ASU chat. Sorry. Oh, it's okay, go ahead. I used the, there was this thing on the ASU app, I just found people there, and I just did my best to just see if the email and the name matched. I guess you're talking about how you verified the key was correct? Yeah, yeah. I'm interested in how people scam people. I made sure that that was like the closest I could think of to make sure I wasn't signing an adversarial key. Cool. Thanks. Yeah, I've seen that before. Yeah, one student, or I've seen that in the past where people got permission from other students at ASU to impersonate them even though they're not actually in the course. So you would see that they're really a student, but not the same person, but you still have the same problem changing the name.
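The fingerprint and key-ID discussion above, as an added worked example (this is not code from the lecture or from GnuPG): it computes an OpenPGP version-4 fingerprint the way RFC 4880 section 12.2 defines it, shows that the user ID ("Name <email>") is a separate packet and therefore does not enter the hash, and shows why matching the 8-hex-digit short key ID is cheap while matching the full 40-digit fingerprint is not. The RSA numbers, timestamps and the helper names are constructed for the example only.

```python
"""Added example for the fingerprint / key-ID discussion. It is NOT code from the
lecture or from GnuPG; it implements the OpenPGP v4 fingerprint (RFC 4880 12.2)
on a CONSTRUCTED toy RSA key. The integers below are not a real key pair."""
import hashlib
import struct

RSA_ENCRYPT_OR_SIGN = 1   # OpenPGP public-key algorithm id for RSA

# Constructed toy key material: NOT a real key, just deterministic big integers.
TOY_N = (1 << 1023) | 0x1337C0FFEE1234567890ABCDEF   # 1024-bit odd "modulus"
TOY_E = 65537


def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def public_key_packet_body(n, e, created):
    """Version-4 public-key packet body: version, creation time, algorithm id, MPIs.
    Note what is NOT here: the name and email live in a separate user ID packet."""
    return (bytes([4]) + struct.pack(">I", created)
            + bytes([RSA_ENCRYPT_OR_SIGN]) + mpi(n) + mpi(e))


def v4_fingerprint(n, e, created):
    """SHA-1 over 0x99 || 2-byte body length || body, as 40 uppercase hex digits.
    Renaming a key changes the user ID packet only, so this value stays the same."""
    body = public_key_packet_body(n, e, created)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fp):
    """The 64-bit key ID: the last 16 hex digits of the fingerprint."""
    return fp[-16:]


def short_key_id(fp):
    """The 32-bit short key ID (last 8 hex digits) that some GnuPG output shows."""
    return fp[-8:]


def forge_matching_suffix(target_suffix, n, e, max_tries=1 << 20):
    """Vary only the creation timestamp until the fingerprint ends with target_suffix.
    Matching k hex digits costs about 16**k SHA-1 computations on average: the full
    8-digit short ID is ~2**32 tries (cheap on one machine), the 40-digit fingerprint
    is 2**160 and out of reach. Returns (timestamp, fingerprint) or None."""
    target_suffix = target_suffix.upper()
    for created in range(max_tries):
        fp = v4_fingerprint(n, e, created)
        if fp.endswith(target_suffix):
            return created, fp
    return None
```

To see the point from the lecture in numbers, forge a three-digit suffix: it takes a few thousand hashes, and each extra digit you want to match multiplies that by sixteen. Checking the whole fingerprint, not the key ID GnuPG prints, is what makes this attack infeasible.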
Right, with the, like, you'd still lose the fingerprint and those kinds of things. Yeah. Oh yeah, so Zoom chat is saying that a few people were just playing like they don't know what you're doing, so pretending like you don't know what you're doing. And so if they ask you, why isn't your key signed by Gradescope? You just say, like, oh, I don't know, I didn't even know you were supposed to do that part of the assignment. And so, if you can convince the other person that you don't know what's going on enough, maybe you can scam them. Hmm. Okay, so creating a generic email from the start so it wouldn't be tied with your ASU handle and ID. Yeah. Yeah, right, so the only requirement on the assignment was that the name match, right? We said nothing about the email and nothing about that, so if you waited a little bit and maybe asked around, you could see what people's names and emails were. Cool. Yeah, anybody wait till the last day to scam people? Yeah, I bet it was a bloodbath; it usually is. That last day is just like bulls coming in and getting a bunch of signatures on their keys, or sharks, I don't know how we want to think about that.

So some parallels to real scammers and real cybercrime, right: they take advantage of people's fear that they're getting audited by the IRS, they take advantage of the fact that they're under a stressful situation in their job to trick them into doing something, so you can take advantage of people in those kinds of situations. So what do they think was a really good defense? Like, did anybody meet in person and only do it that way? Yeah, go ahead. Louder. Yeah, that's probably an artifact of, honestly, the different versions of GPG that are running on the server that's generating the keys, so it's using a different version of GPG, like an older version, because it's the only one that's running.
Sorry, but the point is, you're basically trying to highlight differences that exist, but how did you find that out? So do you share adversarial keys with people? Nice. So some cool, like a proof of truth that I've seen is people always sharing both their adversarial and their real key to somebody, so whenever you wanted to sign, you have to show: here's my real key, here's my adversarial key. My adversarial one only signed the real one, and that's why I know you can trust me, because I'm giving you and telling you my adversarial key. Yeah, so Zoom chat is talking about figuring out how many trust and then comparing fake adversarial keys. Okay, cool, so using kind of, we call it OSINT, so open source intelligence, right, so all the information you could possibly find out online to see if they're a real person.

Did anybody do anything sketchy with the Discord? I was thinking it would be really funny to create fake Discord accounts and join a Discord. One year before, I think it was when we were only using Piazza and we weren't really using Discord, students created their own fake Discord server for the class, got people to join for key signing, and like 10 of them would just, they had, they would do the assignment but it was all wrong, like how to check keys, and everybody that joined that Discord would sign 10 people's adversarial keys every time. Yeah, screenshots, so people asking each other for screenshots of your ASU ID card; anybody fake those? I want to admit maybe faking them. I was kind of prepared to fake it but didn't actually use it. Yeah, you can fake that, you can fake screenshots, right, you can take a screenshot of your My ASU, you can change anything in there. Yeah, so there was a Discord that existed where there were only legit people? I would be shocked if everyone on there was legit and nobody scammed anyone. Yeah.
I think it was a new safe server, and yeah, one year I did this, the students asked me before class if they could stand up and announce something, and I was like sure. So they stood up and announced that they were going to create their own certificate authority and they were going to verify everyone's identities to get on a Google Doc, and that way everyone who had, you know, name, email, key ID, everything was valid on that Google Doc. Somebody infiltrated their group, like scammed their way on, so they got signatures from all of those people on their adversarial key. So trust is really difficult. Okay, that's weird. I just found out somebody went to their old elementary school, so looked up their yearbook from elementary school to see that they were a real person; that's pretty in depth, either good scamming or defense stories. Yeah, that's pretty funny, so that kind of means you'd only likely get scammed by people who are really good scammers, but there's probably very few of those anyways, so maybe that's actually a good defensive technique. You'd be surprised; I, or any of the undergrad TAs in here who did the class with me last year. I think the lead scammer there. Yeah, do you remember what Danny got, was it 110, 120 over 200? Yeah, it was great. That was last year, so I'm super excited to dig into the results here and see what happened. That was also a completely online class, all COVID, so I have no idea if maybe being in person has a positive effect on your ability to not get scammed. So anyways, it'll be super interesting to learn. As a heads up, I'll probably just reach out to the person who was the best and see if they'd like to talk for five minutes or so about their techniques. Of course they don't have to, but it's always cool to see how they go about that. Anybody do more than 200? I still won't trust anything you say until I verify it myself, so that's okay, but I just wanted to see if anybody did.
If you got 300 that would be insane. We'll have to... Maybe I'll have to keep a leaderboard; I'd have to adjust it based on how many students were in the class, like what population of the class. Alright, and on that note. Cool. And, okay, before we jump back to network security: we will be having our midterm CTF starting tomorrow. I don't know what exact time, so don't... I'll announce it soon, but it will be a week-long CTF, just like the other types of things, it's going to be on the pwn.college CSE 365 system. So you'll know exactly when you solve levels, and the challenges will all be based on stuff that we've been doing previously, so it's an application of your crypto, your networking, your access control, all that kind of stuff, so it should be good.

Alright, so before we all left for break and then devolved into horrible scammy people, we were learning about networking. So somebody remind me: what's the process when I want to send an IP packet to another system and we're on the same network? Yeah, so let's see, if I'm .14. So what do I know? I know what network I'm in, so I know the subnet, I know the subnet mask, I know the CIDR, whichever way I know how to tell if that IP is in my local network or not. Okay, so I know the network; what else do I know? I know my own IP address and I know my own MAC address. What else? I know the IP address of who I need to talk to. And that's it. Right, those are the only, it's four pieces of information: network info, my IP address, my MAC address, their IP address; that's all you need. So I have all the information. So the first step is I use the subnet to determine, is this a local IP address or not? I determine yes, it is a local IP address. What's the problem I'm trying to solve? Not quite. There's no integrity or identity verification at all.
I'm missing one important piece of information, so I can't send the packet directly to this person on my network. Yeah, the destination MAC address, right, because I need that in order to create an Ethernet packet which is going to go out on the network and get delivered to .14 if it's available. So that's my broadcast, and I say, hey, who has... so I use ARP. And I ask the entire network, hey, who has the IP address 111.10.20.14? That goes to all the hosts; the host that is 111.10.20.14 responds to me and says, I'm that host and my MAC address is 08:12:33:B2:C4:11. It sends that back, and then at that point now the host can send an IP packet, which is then layered in an Ethernet frame.

Now we're going to tackle the problem of going back to that very first step, right: is this IP address on my local network or not? If I say no, it is not on my local network, now I need to do indirect delivery. So you can think about it: direct delivery, you can just deliver it directly to that computer in your local Ethernet; indirect delivery, it needs to go somewhere else. That's kind of the question: so if it's not going to any computer on my local network, where does it go? So we start back at what we know: we know our subnet, we know our IP address, we know our MAC address, we know the destination IP address. Do we have enough information to know where that packet goes? Yeah, so on Zoom chat we're saying no; it's like mail, if it's in your neighborhood you can just give it to your neighbor. But if not, I have to go to the post office, right? So I actually need some other bit of information, not just a bit but information about where the post office is, where do I give it to; somebody who must be in my local network, who knows how to get that packet somewhere else. And so this is usually called the gateway.
So this is why, if you've looked at networking, usually what you'll see is your IP address, your subnet, your MAC address and also the gateway. So basically, what machine do I send this to? This is a piece of network configuration, and then it's the gateway's job; at this point we've done our job, we've sent it one hop away. Hopefully that gateway knows where to go, and it basically decides what to do with this. You can think of gateway, you can think of router; in most networks your gateway will be your router. So the device that you pass it to, your router, probably has a connection to your cable modem or whatever, so it knows to send the packet to that cable modem; it sends it to that cable modem, that sends it to your service provider, and then it just keeps going. The important thing is every step along the way is just a direct delivery, and this is why this is actually very simple, because we've already studied direct delivery.

So basically we have something like: there's me. I'm just going to draw the switch like an X. Well, you need to be able to see it. Let's go on. So we have me connected to the switch, which is connected to the gateway. So if the gateway is not connected to anything else, where will that packet go? Like, there's nowhere for it to go. So fundamentally what defines a gateway is that it's connected between, it has at least two network interfaces, and it's connected somewhere else to something on the other end. I'm running out of room, and then we'll call this G prime for now. That's probably a terrible name. So all of this is done at local delivery. So let's walk through a scenario so we can kind of understand exactly how this plays out. So A, I'm going to say, is 192.168.0.2. We're going to say the MAC address of A is, actually I'm just going to use MAC A, I think that's going to be way simpler. IP A, MAC A, IP G. And I'm already regretting using G prime here, so let's just change this to H.
Technically doesn't make sense, but sure, I was also thinking that as well. Alright, so IP G is 192.168.0.1 and has the MAC address of G. Let's just take it through this first step, so let's say that A wants to send an IP packet to 8.8.8.8. Okay, but I don't have enough information here, right, because I also need to know, for A, what's the gateway: 192.168.0.1. And the netmask; so I'm just going to call this a /24. So what's the algorithm here? What does A do? So A wants to send an IP packet to 8.8.8.8. Yeah, is 8.8.8.8 local to IP A? Well, I'd say to A, including the network; like, we've gone over this. No, it's not local, it doesn't have the prefix 192.168.0. So it's not local. Great. So now I need to send it to the gateway. At some point the gateway checks to make sure it's on the local network as well, because if it's not you can't get any data there, but it obviously is. So is 192.168.0.1 local to A? So now we need to do local delivery. What's the first step? An ARP request. Basically, who has 192.168.0.1, tell 192.168.0.2. Right, so that'll send a broadcast packet. Does that packet get to H? It only goes inside this local network here, so it only goes to all 192.168.0 hosts. They all get that; G responds: hey, I have 192.168.0.1 and my MAC address is the MAC address of G. Now, what's the IP packet that host A will send? So what's the source IP? IP of A, which is 192.168.0.2. What's the IP destination? 8.8.8.8. How come it's not 192.168.0.1? Because that's not where this packet is meant to be going; it's just the first hop along the chain. Cool. So we'll also have some IP data and probably some other stuff in here, but we don't have to worry about what's actually in there. So we have this beautiful little packet and that's encapsulated inside an Ethernet frame. So what's the MAC source of this, and what's the MAC destination? MAC G. Awesome.
Right, so this gets sent out as an Ethernet frame; the switch, we already know how it figures out where to send it. We go back to our diagram. So this packet comes from A, gets sent out, goes to G. G gets it and says, is this packet meant for me? Yes, it has the correct MAC address. Is the IP packet meant for me? Well, so then G has to figure out... okay, and it may have multiple networks, so it has to use, we're not going to get into how that stuff works, but it then has to figure out, okay, of all my networks, which one gets me the closest to 8.8.8.8? Right, let's say this network actually, well, let's not do that. So this will go through many such hops. So let's say G then, which part of this whole packet remains? So on the hop from G to H, just the IP packet, right; the Ethernet gets completely destroyed and recreated, because the Ethernet is only used to send it one hop. Right, so Ethernet containing the IP packet from A to G, and then the IP packet mostly stays the same; the only thing that actually changes is the time-to-live value, which we talked about to prevent infinite packets circulating around, so it gets decremented and will get dropped. And then G does the exact same process, so G says okay, who does this packet need to go to? Am I on the same network as 8.8.8.8? If no, then what gateway do I have, where am I supposed to send that? And so it would say H, and it would say great, I need to figure out the, I know the IP address of H because that's my gateway. How do I get its MAC address? I do an ARP request, which never makes it to A, right; that ARP request will only be local inside this network. It sends that ARP request, gets the MAC address of H, then sends an Ethernet packet from G to H. And then H goes on until finally that packet gets to wherever 8.8.8.8's local network is, and then that packet gets sent directly to them, and they go, yeah, I got a little message, awesome.
And then they decide based on that message whether they want to respond, and the process works in reverse. So, to make debugging easier, because this situation is actually basically insane, right, because you're sending this packet out; you may know that it got to G but you don't know if G is able to get it anywhere else, you don't know if anywhere else is able to get it anywhere else. So there's ICMP, which is an IP-layer message that is used. One of the ways, so ping is one of these things, so you can ping something and it's supposed to send you something back with an ICMP message. When a packet is dropped, the machine may, depending on how it's configured, tell you, so it may send an IP packet back. So that's when you'll see sometimes, if you are trying to do something and it says, like, the gateway says the host or network is down. That means your router can't get the data anywhere else, so even though you're connected to your router there's nowhere else for the packets to go.

So traceroute works one of the other ways that people on the path will send you messages; let's just look at this real quick. The way traceroute works is it relies on the TTL, so the packet time to live. It first sends out one packet with a time to live of one. So on that first hop that's decremented and that router drops the packet, and then, if it's configured correctly, will send us back a message. So depending on how it's configured... so I'm getting a packet back from 10.153.0.1. And then the stars mean it times out, so I'm sending this packet and I'm not getting any reply; this is because machines can be configured to not let people know when they've dropped a packet. I guess we'll come back here, but you can use this sometimes to map a network, so you can see all the hops between you and another system. Cool. So, you actually have all of the fundamental knowledge to understand how data gets from one machine to the next.
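The A to G to H to 8.8.8.8 walkthrough and the traceroute explanation above, as one added simulation (this is example code written for this page, not code from the lecture): every hop is a direct delivery on one link, ARP only ever reaches the nodes on that one link, the Ethernet frame is rebuilt at each hop while the IP source and destination stay fixed, routers decrement TTL and answer expiry with an ICMP Time Exceeded, and a router with no route answers with ICMP unreachable. Traceroute is then just probes with TTL 1, 2, 3 and a record of who answered. The topology, addresses and MAC labels are constructed for the example.

```python
"""Added example, not part of the lecture: a small model of the A -> G -> H -> 8.8.8.8
drawing. All nodes, addresses and MAC labels are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    link: str   # name of the broadcast domain (the switch) this port is plugged into
    addr: str   # "ip/prefixlen"
    mac: str

    @property
    def ip(self):
        return ipaddress.ip_interface(self.addr).ip

    @property
    def network(self):
        return ipaddress.ip_interface(self.addr).network


@dataclass
class Node:
    name: str
    ifaces: list
    gateway: Optional[str] = None   # default gateway; None means no "post office" to hand off to


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int


# Constructed topology: A's LAN, gateway G with an uplink to H, and H's link to 8.8.8.8.
NODES = {
    "A":   Node("A",   [Iface("lan", "192.168.0.2/24", "MAC_A")], gateway="192.168.0.1"),
    "G":   Node("G",   [Iface("lan", "192.168.0.1/24", "MAC_G"),
                        Iface("uplink", "10.0.0.2/30", "MAC_G2")], gateway="10.0.0.1"),
    "H":   Node("H",   [Iface("uplink", "10.0.0.1/30", "MAC_H"),
                        Iface("transit", "8.8.8.1/24", "MAC_H2")]),
    "DNS": Node("DNS", [Iface("transit", "8.8.8.8/24", "MAC_DNS")], gateway="8.8.8.1"),
}


def arp(link, ip):
    """'Who has <ip>?' broadcast on ONE link. Only nodes on that link can answer, so an
    ARP for 8.8.8.8 on A's LAN gets nothing: A has to ask for its gateway instead."""
    want = ipaddress.ip_address(ip)
    for node in NODES.values():
        for i in node.ifaces:
            if i.link == link and i.ip == want:
                return node, i
    return None, None


def choose_next_hop(node, dst):
    """Direct delivery when dst is on one of our subnets; otherwise the default gateway."""
    d = ipaddress.ip_address(dst)
    for i in node.ifaces:
        if d in i.network:
            return i, dst
    if node.gateway is not None:
        for i in node.ifaces:
            if ipaddress.ip_address(node.gateway) in i.network:
                return i, node.gateway
    return None, None


def transmit(sender, pkt, trace):
    """Carry pkt hop by hop. Appends one line per Ethernet frame to trace and returns
    (outcome, responder_ip): 'delivered', 'time_exceeded' (ICMP from the router whose
    decrement hit 0) or 'unreachable' (ICMP from the node with no route or no ARP reply)."""
    current, in_iface = sender, sender.ifaces[0]
    while True:
        if any(i.ip == ipaddress.ip_address(pkt.dst) for i in current.ifaces):
            return "delivered", pkt.dst
        if current is not sender:          # routers decrement; the sender set the TTL itself
            pkt.ttl -= 1
            if pkt.ttl == 0:
                return "time_exceeded", str(in_iface.ip)
        out_iface, next_hop = choose_next_hop(current, pkt.dst)
        if out_iface is None:
            return "unreachable", str(in_iface.ip)
        nxt, nxt_iface = arp(out_iface.link, next_hop)
        if nxt is None:
            return "unreachable", str(in_iface.ip)
        # A brand-new frame for this single hop; the IP header travels unchanged except TTL.
        trace.append(f"{current.name}: eth {out_iface.mac}->{nxt_iface.mac} | "
                     f"ip {pkt.src}->{pkt.dst} ttl={pkt.ttl}")
        current, in_iface = nxt, nxt_iface


def traceroute(src_name, dst, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and record which address answered each one."""
    sender = NODES[src_name]
    hops = []
    for ttl in range(1, max_hops + 1):
        outcome, who = transmit(sender, Packet(str(sender.ifaces[0].ip), dst, ttl), [])
        hops.append(who)
        if outcome != "time_exceeded":
            return outcome, hops
    return "max_hops", hops
```

Running `traceroute("A", "8.8.8.8")` lists G's LAN address, then H's uplink address, then the destination, which is the same shape as the real traceroute output shown in class; a router configured not to send Time Exceeded would simply show up as a star in that list.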
Now the question of, again, like we talked about, where does a gateway decide where to send the packet? For your router at home it's a very simple process because there's only one place that it could possibly go. For a company like Cox or CenturyLink or somebody like that, they may have many different ways for that packet to go, so how do they decide? The shortest route. If you were in charge, what would you do? Shortest route. That would be like the least number of hops. So if I know that you're trying to get to Netflix, like I know, based on IP address, what Netflix is connected to: you're either directly there or send you to somebody else that's connected there. Right, shortest number of hops. Is the shortest number of hops always the fastest route? Say it again. Yeah, the crazy thing about networking is you always have to think of congestion, right; the shortest path may actually not be the fastest because it could be so congested that packets get dropped and bad things happen. It could be that maybe it's a more direct hop, so you're at one ISP and you're sending it to another ISP that's technically only one hop away from your destination, but you know that their stuff sucks and is really slow, and so it actually could be faster going another way. What could be some other, non-technical reasons? What drives most decision making in companies? Money. Money. I could have a deal with one networking provider rather than another. So maybe it's cheaper for me to send traffic to Netflix through somebody else, even though it's slower and worse for my customers, because they're paying me less money, I have to pay less money for it. And actually the way that networking really does work, that's crazy, is companies like Netflix: the ISPs pay so much in bandwidth that Netflix will come to them and say, hey, what if we put a server in your network? That way your customers wouldn't have to talk to anybody else.
They could just get content directly from our systems that are inside your network, and that's like content distribution networks; these kinds of things have all of these arrangements with a bunch of internet service providers. Anyways, the short version is what happens in these networking decisions is insanely complicated due to financial decisions, all kinds of stuff. And so trying to predict what happens is almost impossible. Anyways, we actually don't need to worry about that; if you want to go super in depth in that you can take a networking course and learn it. There's also the question that should be in your mind a little bit: okay, but how does my ISP know, essentially, where 8.8.8.8 is located, like how does it even get closer? So there's this protocol BGP, the Border Gateway Protocol, and it's how networks talk to each other to say hey, I support these IP address ranges, so if you have any traffic for those, send them to me. It's how they communicate. But anyways, we can still completely understand exactly how a packet gets from one location to the other.

So there are a lot of different things: source and destination addresses remain the same along every single hop. The TTL field is decremented at every hop. And the link layer completely changes at every hop, right, because the link layer, that Ethernet frame, gets completely destroyed; the link layer is only to get it one hop, and so you're going hop, hop, hop, hop. The other thing that decides the process of where the packet goes is the delivery IP address, right, because we're trying to get that packet to where it needs to go. So, if in this example we want to send something from 111.10.21.21 to 128.111.41.10, that packet would need to travel through many different switches and gateways, each switch and gateway having its own little network. So finally it gets to our destination, in which case the process reverses and it has to go backwards. At any stage in this process,
it uses ARP to figure out where the packet is going and all that fun stuff. Cool. Questions about this? It's pretty easy. The stuff's all knowable. You just know things, magic. It's all understandable. I mean, it's way more complicated what's going on, but the mechanisms of how it's getting from one place to the other are definitely knowable. And you can spend your whole career studying and optimizing these things and studying congestion and what happens with packets that get dropped and all this kind of stuff; like, there's a lot of fascinating things to learn and study in here. But for our purposes we're just covering how things actually work. So the important things to remember are the various types.

Oh, so very funny. It used to be that the delivery route, so the route that packets would take, was determined... So the main way, actually I think the only way now, is every gateway just decides where the packet goes next. It used to be, back when the internet was more trusting, if you actually were creating an IP packet you could suggest, hey, you should take these steps to get to your destination. This actually is a horrible idea. It provides a lot of power into the hands of the attacker, because I can now influence exactly where my packets go, I can overload certain links in the network and do all kinds of bad things. And let's see. Oh, this isn't very interesting at all. Anyways, so we could see a couple machines here, so this 172.29.17.117 was somewhere along here. We can do the same. Let's see if this works better. What's running on an Amazon server, so absolutely no idea if we'll get... So you can kind of see the path that our packets are taking inside the Amazon network; at some point it's transitioning from Amazon to something else, yeah. Here was the, here's the ASU one. I think, anyways, something is different, but anyways. Yeah, so this was the ASU one that just had a few hops here that you can see, this thing, this thing, and then somehow it gets to Google.
This is from the Amazon system, so we don't actually have any nice names, but we can actually see there's a lot of different hops on the way between us. So you can think, this is kind of crazy, like at least even from where I am right now there's 13 hops to get from me to Google's DNS servers. Like, that's kind of crazy. Just along the way from us inside here, one hop would definitely be the Wi-Fi router that I'm connecting to; that goes somewhere else, somewhere else, and just keeps going until it gets to Google. Cool.

If you want to get really heavy into this, you can actually configure all of these things. So most people think of their Wi-Fi router as the router, the switch and the gateway, but you can separate those things: you can have a gateway just be a separate machine that has multiple network cards, and you can configure everything however you want. So on Linux, the route -n command will tell you the routes. Basically, the way to read this is it's like a hierarchical table, and it basically says hey, if you want to talk directly to 192.168.1.0, then you'd use eth0, which is an Ethernet adapter. So if your destination matches the prefix 192.168.1.0, there's no gateway, send it directly on eth0. And then 127.0.0.0, so this is localhost; it's mostly 127.0.0.1, but it's actually a range, that's a /8, and send that on the lo interface, so that just goes to your local machine, doesn't go anywhere. And then if it doesn't match any of these, if it's not any of these addresses, then send it to 192.168.1.1. So you can have crazy rules that say, like, if a packet is destined for 8.8.8.8, send it to 192.168.1.10, otherwise send everything else to 192.168.1.1. So you can set up crazy complex networking rules.
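The route -n table above, as an added example (not lecture code, and not how the Linux kernel's own lookup is implemented): it parses a constructed `route -n` listing with exactly the entries described in class, the direct 192.168.1.0/24 route, 127.0.0.0/8 on lo, the default gateway, and the "crazy rule" that sends only 8.8.8.8 to 192.168.1.10, and picks the most specific matching entry for a destination, raising the unreachable case when nothing matches. The sample table text and the helper names are assumptions for the example.

```python
"""Added example for the route -n discussion; not from the lecture. The routing
table text below is CONSTRUCTED to match what the lecture describes."""
import ipaddress

SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
8.8.8.8         192.168.1.10    255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""


class NetworkUnreachable(Exception):
    """No entry matched: this is where an ICMP network/host unreachable comes from."""


def parse_route_n(text):
    """Turn route -n output into a list of route dicts. Gateway 0.0.0.0 means the
    destination is on-link (deliver directly, ARP for the destination itself)."""
    routes = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        if not line.strip():
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = line.split()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": None if gw == "0.0.0.0" else gw,
            "iface": iface,
            "metric": int(metric),
            "flags": flags,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific network wins, then the lowest metric.
    The /0 default entry matches everything, so it only wins when nothing else does.
    Returns (next_hop_ip, interface); the next hop is what the host ARPs for."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in routes if d in r["net"]]
    if not matches:
        raise NetworkUnreachable(dst)
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    next_hop = best["gateway"] if best["gateway"] is not None else dst
    return next_hop, best["iface"]
```

With the sample table, 8.8.8.8 goes to 192.168.1.10 because the /32 beats the /0 default, 8.8.4.4 falls through to 192.168.1.1, and anything on 192.168.1.0/24 is handed straight to the destination's own MAC address on eth0.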
You can also do, we're not going to get into it, but it should be either a little puzzling, or you've been dealing with it so long it's obvious, the fact that I'm sending IP packets... I think I have to show both; Zoom people, can you see my, you can see the... What did I just type into the thing? You see the presenter view but not the other thing. Yeah, that's what I thought. What was I talking about? Oh, so all that I'm showing right now is my IP address. So 172.31.18.21 on this screen. I think that's, anyways, let me just show. ifconfig. And of course I'm going to have to stop this display. Now everyone can see everything, there is much rejoicing. Okay. So, this network, I'm on the 10.153.177 network; this is where I'm at right now in this room at this point in time. We can see the netmask is a lot of ones, I don't know exactly how many, I don't even remember with this seat. But I'm sending packets from A, which should be a private IP address, so this 10, I think 10.0.0.0/8, so everything that starts with 10 is a local network address that is guaranteed not to be globally routable. So how in the world can I send packets to Google, or the reverse side, how can they send packets back to me? So we go by our simple diagram. Right, so just like in this example, I'm 192.168.0.2; right, that's another local address. So Google would get that and be like, I'm going to drop this because this isn't routable, I can't actually get traffic there. So yeah, the trick is there's some trickery going on where one of these machines, one of these switches or gateways along the way, is actually translating the local network address, changing it to its external network address, and then remembers what it had sent so it can change it back when that response comes back. And that's fine. If you go to something like ipchicken to see what your IP address is: so the world thinks my IP address is 129.219.8.178.
But if I go back here, and I did ifconfig, where was this 129? I don't see that anywhere. My machine has absolutely no idea about this IP address. And yet, that's what the world knows about, that address, and that's because something is translating my IP address. So in your home, when you're on your home Wi-Fi, your Wi-Fi router actually does this automatically for you; it's translating your IP address. And this is why we haven't completely run out of IPv4 addresses: not every machine on every network needs a globally routable IP address, because when you plug into a local network, you can have 10 or 100 or thousands of devices all connected to one gateway that's doing network address translation, and externally you only appear as one IP address. Anyways, we're not going to go into how this stuff works, but I did want to just say that to kind of clarify things. Cool.

Okay, so, yeah, the routing process, kind of as we've seen: we first search, hey, does anything match exactly? Otherwise search for a default entry. If we can't find anything, then you send a host unreachable or network unreachable ICMP message; this is what we've seen before, they get sent back. And like I said, you can completely create routing tables. This can actually be really useful. When we would play in, like, CTFs, when you go in person, they usually give you one network cable and that's how you connect into their network, and they'll say, hey, you need to be this IP address, this network setup, right: IP address, subnet mask, gateway. So you have a team of like eight or ten people; not everyone can directly connect, so you need one machine that acts as the router for your local team, so you have everyone else connected to a switch.
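The "translate on the way out, remember, translate back on the way in" behaviour described above, as an added example that is not code from the lecture: a minimal port-based NAT gateway for a 10.0.0.0/8 inside network. The public address 198.51.100.7, the port range and the sample packets are constructed; a packet is a plain dict with src, sport, dst and dport keys, which is this example's own convention.

```python
"""Added example: a minimal NAT (NAPT) gateway with a translation table."""
import ipaddress


class NatGateway:
    def __init__(self, inside_net, public_ip, first_port=40000):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.public_ip = public_ip            # the one address the outside world sees
        self.next_port = first_port           # next free public port to hand out
        self.out_map = {}                     # (inside_ip, inside_port, dst, dport) -> public port
        self.in_map = {}                      # public port -> (inside_ip, inside_port, dst, dport)

    def outbound(self, pkt):
        """Rewrite a packet leaving the network; return None if it must be dropped."""
        if ipaddress.ip_address(pkt["src"]) not in self.inside_net:
            # A packet leaving with a source that is not ours is spoofed or misrouted.
            # Dropping it here is the egress filtering some networks do.
            return None
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.out_map.get(key)
        if port is None:                      # first packet of this flow: allocate a mapping
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        # Only the source changes; the destination is what routing cares about.
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt):
        """Reverse the translation for a reply; drop anything without a mapping."""
        key = self.in_map.get(pkt["dport"])
        if key is None or pkt["dst"] != self.public_ip:
            return None                       # nobody inside asked for this
        inside_ip, inside_port, remote_ip, remote_port = key
        if (pkt["src"], pkt["sport"]) != (remote_ip, remote_port):
            return None                       # reply must come from the peer we talked to
        return {**pkt, "dst": inside_ip, "dport": inside_port}


def demo():
    """Constructed exchange: an inside host asks 8.8.8.8 for DNS and gets a reply."""
    gw = NatGateway("10.0.0.0/8", "198.51.100.7")
    request = {"src": "10.153.177.5", "sport": 51000, "dst": "8.8.8.8", "dport": 53}
    on_the_wire = gw.outbound(request)
    reply = {"src": "8.8.8.8", "sport": 53, "dst": "198.51.100.7", "dport": on_the_wire["sport"]}
    delivered = gw.inbound(reply)
    return on_the_wire, delivered


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run demo() and the outside world only ever sees 198.51.100.7 with some high port, exactly the "I don't see 129 anywhere on my machine" situation from the lecture. Two things worth noticing from a defender's side: the gateway drops outgoing packets whose source is not in the inside prefix, and it drops incoming packets that no inside host has a mapping for, so an unsolicited packet to the public address goes nowhere.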
That's connected to one machine that has two network connections, and then you set up the routing table to say, hey, if you see a packet this way, send it this way, otherwise send it this way. There's also a whole field, which we're not going to get into, of dynamically creating routing tables. And if you've never manually entered your IP address and netmask and everything, that's because everything happens dynamically. So DHCP is the name of that protocol; basically, when you first connect to a network, you send a broadcast message that says, hey, I'm new here, here's my MAC address, what IP should I use, what's the netmask, what's the gateway? And then your router will respond and say, you can have IP address this, and this is the gateway, and all the settings. It automatically gets configured and then boom, you're on the network without having to set anything up. Questions about routing, getting packets around?

I have no idea. That was a great question. I haven't studied IPv6 a lot, so I don't know those details, but I know that there is one; I think it's maybe all zeros, but I don't know. And there's like a huge range; I believe everything in IPv6 is like a huge range, so I'm sure there's like 2 to the 64 local addresses available, those kinds of things. They're all zeros, actually, but I don't know. Good question. Any other questions? Cool.

So now that we've learned, on our diagram, right, we've learned how IP works. So now we can go back to this. We're not going to study the physical layer for now, that's fine, we can ignore that, but we studied the link layer. So we looked at how packets get sent on a local network; we looked at ARP, right, how IP addresses get translated to MAC addresses. We looked at the IP layer, how packets work on the local network and also on remote networks.
We looked at a little bit of ICMP, these messages that can get sent at the IP layer. But to be perfectly honest, it doesn't actually do much; we need other things on top of this in order to actually send real data and communicate with people. And so that's when we'll start to look at UDP and TCP now, and we'll start with UDP. So this is a way that we can actually get data to our application. So I'd say almost all, because things are weird now and there's always exceptions, but almost all the communication that will happen over a network will happen over TCP or UDP packets. And we'll start with UDP because it's simpler.

So UDP basically provides nothing on top of IP; it provides one important thing that we'll talk about in a second. It provides a connectionless, unreliable, best-effort datagram delivery service, where delivery, integrity, non-duplication, ordering, and bandwidth are not guaranteed. So it provides nothing, right; these were essentially the exact same guarantees that we had at the IP layer. And so it provides almost nothing additional. Why is that useful? It's fast. Yeah, really fast. Like, as we'll see, there's at least a three-packet round trip, so a packet has to go from you to Google and then back from Google to you and then from you to Google in order to actually start to make that request. And so you have to send three packets to even start communicating with TCP, and with UDP you send a request and get a response, send a request and get a response. Of course you have the problem: if I send a request and never get the response, what does that mean? Does it mean the system is down? Does it mean the system doesn't want to talk to me? Does it mean my network cable is cut? Who knows; it could be any of those things. But it does introduce one important thing, and this is when you think about it. So we have multiple different applications, right, that are all running on one system.
We have a web server, a DNS... I'll go with the UDP ones. We have a DNS server, we have an NFS server on one system. If I'm just sending IP packets to a system, how does it know which application those are destined to? Right, fundamentally it doesn't. There's nothing that says, hey, this packet is meant for DNS or NFS. You'd actually have to have some way inside the IP data to differentiate, but then what if other people don't want to use that? Anyways, it gets very confusing. So, very similar: does anybody live in an apartment building? Is that a complex? Yeah. When you give your address to people, do they send you something just to the address of the apartment building? Why not? Yeah, there's multiple apartments; we don't know exactly who inside this building this information is destined to. So it's a similar thing that we need here. So the transport layer, TCP and UDP, introduced this port abstraction that literally acts like an apartment number: just a number, 16 bits, so 65,000 roughly maximum. And it basically means that we can address a message to different application destinations on a host. So if we send a UDP message to port 53, then whatever's listening for messages on port 53 on UDP will get that message, and by standard that is, I believe, the DNS port. Oftentimes, I think as we saw, I'm fairly certain when we did the tcpdump, however long ago that was, with zoom running, I'm fairly certain zoom audio and video uses UDP, because it doesn't really care if it drops packets. Cool.

And so now we can look at that. So really all UDP adds over TCP is this notion of a port, and so it's very lightweight. This is the other nice thing. There is a source port. Yeah, so the question from zoom is: for the port abstraction, I said it's like an apartment number, so the network is like the apartment complex, so we just say, for apartment 30, and apartment 30 knows how to respond.
Yes, so when you're writing an application, you tell the operating system, hey, I would like to receive any UDP packets on port 30, and the operating system would go, great; or it may say, hey, somebody's already listening there, so go away, you can't listen. You can only have one application that receives that. So, yes, then whenever the operating system gets a UDP packet destined for port 30, it looks up: is anybody listening? Great, let me send that to the application. And that data goes to the application and it processes it, does whatever it needs to do, maybe sends stuff in reply, and then goes back to listening for new stuff.

The two main components of the UDP message are the source port and the destination port, so two bytes, 16 bits, each; a message length and a checksum; and then the data. So almost nothing, very little on top of the other layers. And then the data, and finally the application data. And as we've seen, right, networking is just onions. So we have the UDP data that we actually want to send to the application, so the data that the application gets. We add that UDP header that just specifies source port and destination port. And then that is encapsulated inside the IP data, which adds its own IP header, and at every step along the way that is then encapsulated inside frame data, which adds its frame header. And then along the way this frame header gets ripped off and created again, ripped off and created again; the IP header's TTL changes, but the rest of the packet stays exactly the same. Cool. And that's it. So there's really nothing fancy on top of this. It's literally just ports. So we don't need to study how this works, because literally everything we just saw about how an IP packet works with indirect delivery is exactly the same for how a UDP packet works; it just gets sent along, and then they decide to respond.
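The four-field UDP header just listed, as an added example (not code from the lecture): it packs source port, destination port, length and checksum in front of the payload, computes the checksum the way UDP over IPv4 does it (over a pseudo-header of the two IP addresses, the protocol number and the length, plus the UDP header and data), parses the header back out, and runs the receiver-side check. The addresses, ports and payload are constructed sample values.

```python
"""Added example: build, parse and verify a UDP header, checksum included."""
import socket
import struct

UDP_PROTO = 17  # IP protocol number for UDP


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (the Internet checksum sum)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte for the sum only
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """The IPv4 pseudo-header: both addresses, a zero byte, protocol 17, UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_checksum(src_ip: str, dst_ip: str, udp_bytes: bytes) -> int:
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, len(udp_bytes)) + udp_bytes)
    # A computed 0 is sent as 0xFFFF, because 0 on the wire means "no checksum" (IPv4 only).
    return csum or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Return header + payload, i.e. the bytes that get handed down to IP."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zero while summing
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def parse_udp(segment: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum, "data": segment[8:length]}


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver's check: the sum over pseudo-header and segment (checksum included) must be 0xFFFF."""
    fields = parse_udp(segment)
    if fields["length"] < 8 or fields["length"] != len(segment):
        return False
    if fields["checksum"] == 0:
        return True  # sender opted out of checksumming
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


if __name__ == "__main__":
    seg = build_udp("192.168.0.2", "8.8.8.8", 40000, 53, b"hello")
    print(seg.hex(), parse_udp(seg), verify_udp("192.168.0.2", "8.8.8.8", seg))
```

Because the pseudo-header includes the IP addresses, a segment that is re-addressed in transit fails the check at the receiver, which is what the last assertion below exercises. That is an integrity check against corruption and misdelivery, not authentication: whoever builds the packet also computes the checksum, so it gives the receiver no evidence about who the sender really was.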
And so we talked about IP spoofing, right? Yes, we definitely did, but I'm confused. Okay. So to rewind a little bit, because UDP spoofing relies on this: we saw when we looked at IP direct delivery that we can completely control the source and destination of an IP packet. Right, we can just specify; we can send a packet on the local network, and we control the IP header, which means we can control the source IP and the destination IP. We can make that packet go anywhere we want, and when they get it, they have no idea that it came from somebody else and not us. We talked about how you could use this to abuse trust relationships inside of a network. And the same thing, now that we've just refreshed ourselves on that, the same thing applies to UDP spoofing. Because it uses IP underneath it, it has all the same weaknesses as IP. So as an attacker, if there's a trust relationship between a client and a server based on IP address, where the server says, hey, this IP address doesn't need to log in or do any type of authentication, or another way to phrase that would be that it authenticates based on its IP address, then we as the attacker can simply create a spoofed UDP request to the server. So we can change that packet's IP address to pretend to come from the client. Yeah, so it's the equivalent of sending mail in somebody else's name, right; the post office doesn't authenticate that you actually wrote that name, that it's actually coming from you, or that the return address is the same. There's probably laws against that, so please don't do that; don't try to test the postal system, please. Now, when the server gets this, right, we studied, we know exactly how this packet gets from us to the server. When the server responds, where's that packet going to go? Yeah, to the client. How do you know?
Yeah, so the server, exactly, the server uses what's in the packet, right, so it looks at the packet and it says, who is this, what IP address is sending me this? Oh, it's my trusted client IP, great, that means I'll allow them to do this and I'll send the reply back to that IP address, which is the trusted client. So if we are... so the question is, can we send this spoofed UDP packet from wherever we want? So there's not... there's some networks that will do, I think egress filtering is what they call it, so they will drop packets that are getting sent from their network that have source IP addresses that are not from their own network, but many networks don't. So you can fully send this packet from wherever you are, right; we saw how indirect delivery works, it'll just go out, because remember, with indirect delivery, what decides where that packet goes? Only one thing: the destination IP address. Nobody ever looks at or cares about the source IP address, right; it's just about the destination, because it makes sense, right: they know, hey, when the packet goes back, if there's a reply, then it will now be the destination, so that will be the only thing we care about. So I can be in any network, I can send this packet out, it will make its way several hops to the server. And then when the server replies, it will go to the trusted client. Will I ever, as an attacker, see that reply? You're shaking your head no. Why? Because the destination is the client. So what are the only systems that will see that reply packet? Hops, right; every hop between the server and the trusted client can potentially see that packet, so every switch, every router, every gateway that that is going through is an opportunity for an attacker to observe that response. What if we're in the same local network as the trusted client? They may or may not, depending on how the network is configured; can we as an attacker get to see that packet? That's how we can use an attack we've already studied.
Yeah, ARP spoofing, right. We can actually, inside this trusted client's system, ARP spoof and use a poisoning attack to pretend to be the gateway for that trusted client. So the trusted client actually sends us all the packets they want to send out, which go through us to the server, and that allows us to get that reply back, because the replies from the gateway will go through us to their system. So the way to think about, in general, these kinds of spoofing attacks against a target that's not in your local network is: you will never see the reply, unless you're in the local network of any of the hops here, and then you can do some ARP stuff to see it.

Okay, so UDP spoofing means we're trying to spoof the source IP address. UDP hijacking is a slight variation: this is when the client makes a request, like the client is asking the DNS server, hey, what's the IP address of Google.com. Might that be something an attacker would want to influence? What would you do? You just spent like two weeks thinking like attackers. Yeah, so if I changed the IP address of Google.com to be the IP address of the attacker's machine, then their browser will say Google.com, and I will show them a web page that looks like Google. Click to log in, and I will show them a web page that looks like the Google login. They will type in their Google username and password, go ahead and hit enter, and I as the attacker will have stolen their username and password. Now luckily there's other things that make this not as easy, so HTTPS is a way to cryptographically guarantee that I am actually talking to Google.com. And that is precisely to prevent this DNS hijacking attack; so DNS is a UDP mechanism. So when a client makes a... this is the other reason why being on an unsecured Wi-Fi network is incredibly dangerous, because attackers can monitor that network, see all the UDP or DNS requests, and can respond and trick you into visiting other things than you're thinking of.
So anything that's done over HTTP, they could do that too. So the best way is, if the attacker also can get a copy of that request, then they can respond correctly, and hopefully faster than the server. So the client gets the first one, says great, this was a response to my query, and updates everything. Can the client know that that packet came from the attacker versus the server? Yeah, the packet doesn't have... all the packet has is a source IP, destination IP, source port, and destination port. So as long as those values are all what it expects when it gets the reply, it has no way of knowing that there's a difference there. And we're doing great on time. Okay.

One super important thing. So we talked about breaking into a bank, right? We talked about breaking into a house but not a bank, right? So we'll take two seconds. Okay, so if you've ever watched crime movies, what's the first part of a crime movie when they're going to break into a bank? What's the process like, what's the first step? Yeah, the first one is assembling the crew, right. Okay, after that you've got the crew; what's the next step? Recon. You do reconnaissance on the bank; you figure out exactly what the guard shifts are, who the people are that work there, what their schedules are like, everything that you possibly can about that bank. You go to the county records office to get the building plans for the bank, right, that's how they always get the schematics and everything. You go to the people that installed the ventilation system so maybe you can map out that thing, and steal records from there. Anyways, you get all the data that you possibly can about a system. The exact same process, I guess except for assembling the crew, happens when you're doing penetration testing of a system. So oftentimes you want to know, hey, for that system, what applications are running that are listening on the network?
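The client in the lecture cannot tell the two replies apart, but a monitor on the network can notice that one question got two answers: the faster one from the attacker and, a few milliseconds later, the real one from the server. The detector below is an added example and not code from the lecture; it consumes a constructed capture of UDP/53 packets (plain dicts, with field names chosen for this example) and raises an alert for any query that receives more than one response, and for any response that had no query at all. 192.168.0.66 plays the attacker's machine and 203.0.113.10 the real answer; both are made-up values.

```python
"""Added example: flag DNS queries that receive more than one reply."""

# Constructed capture, as a monitor on the client's network segment would see it.
# "qr" is query/response, "answer" is the A record in a response (None for queries).
CAPTURE = [
    {"t": 0.000, "src": "192.168.0.2", "sport": 51234, "dst": "8.8.8.8", "dport": 53,
     "qr": "query", "qname": "google.com", "answer": None},
    # the attacker's reply: arrives first, points at a machine on the local network
    {"t": 0.004, "src": "8.8.8.8", "sport": 53, "dst": "192.168.0.2", "dport": 51234,
     "qr": "response", "qname": "google.com", "answer": "192.168.0.66"},
    # the real server's reply: same 4-tuple, different answer, 27 ms later
    {"t": 0.031, "src": "8.8.8.8", "sport": 53, "dst": "192.168.0.2", "dport": 51234,
     "qr": "response", "qname": "google.com", "answer": "203.0.113.10"},
    # an ordinary query/response pair that should not alert
    {"t": 0.500, "src": "192.168.0.2", "sport": 51235, "dst": "8.8.8.8", "dport": 53,
     "qr": "query", "qname": "example.com", "answer": None},
    {"t": 0.530, "src": "8.8.8.8", "sport": 53, "dst": "192.168.0.2", "dport": 51235,
     "qr": "response", "qname": "example.com", "answer": "203.0.113.20"},
    # a response nobody asked for
    {"t": 0.900, "src": "8.8.8.8", "sport": 53, "dst": "192.168.0.2", "dport": 51299,
     "qr": "response", "qname": "bank.example", "answer": "192.168.0.66"},
]


def detect_duplicate_responses(packets):
    """Return a list of alerts: one per extra reply, one per unsolicited reply."""
    outstanding = {}  # (client, cport, server, sport, qname) -> first response seen, or None
    alerts = []
    for p in sorted(packets, key=lambda x: x["t"]):
        if p["qr"] == "query":
            outstanding[(p["src"], p["sport"], p["dst"], p["dport"], p["qname"])] = None
            continue
        # A response is matched on the 4-tuple exactly as the client does, plus the name asked.
        key = (p["dst"], p["dport"], p["src"], p["sport"], p["qname"])
        if key not in outstanding:
            alerts.append({"kind": "unsolicited", "qname": p["qname"], "answer": p["answer"], "t": p["t"]})
            continue
        first = outstanding[key]
        if first is None:
            outstanding[key] = p  # first answer: remember it, nothing suspicious yet
        else:
            alerts.append({
                "kind": "duplicate", "qname": p["qname"],
                "first_answer": first["answer"], "second_answer": p["answer"],
                "conflict": first["answer"] != p["answer"],
                "gap_s": round(p["t"] - first["t"], 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_duplicate_responses(CAPTURE):
        print(alert)
```

A conflicting duplicate (two different addresses for the same name, milliseconds apart) is the signature worth paging on; a duplicate with the same answer is usually a retransmission. Real DNS messages also carry a 16-bit transaction ID that a resolver checks on top of the 4-tuple, and a production monitor would key on it as well.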
Right, the other way we think about it is, what applications are running on what ports of that system, kind of like we just talked about: is it a DNS server? Is it an NFS share? Because what I can do oftentimes, they will tell me, hey, I'm the DNS server, BIND version 1.1. And I can then go look and see, is that vulnerable to any known vulnerabilities? Can I just throw something known at it, and use that to then get onto that system, scan the network from there, see what other targets I can find? And that's how you propagate through the network. So one of the key things we want to know is what services and applications are running on a system, so that's what we use a port scan for. So we determine what UDP services are available. And it's actually interesting, kind of... so it seems like kind of a weird thing, but it's very interesting. It's also a challenge of how you do this, right, because you're sending one packet, and you want to determine, is there something listening on that port or not. So some systems will be very nice, and they'll send you a message back saying port unreachable. So you try out each port; how many ports are there? 65,535, something like that. It's a lot of ports, but that's not that many; you can do that fairly easily. If we get back a port unreachable message, then we assume that nothing is there. But if they send us a response back... there actually may be a limit on how many messages they will send back, so there's all kinds of settings. Anyways, a fun tool that we'll use for these kinds of things is called nmap. So the "n" there stands for network map. So the -sU option says do a UDP port scan of IP address 192.168.1.10. It will scan that; by default it won't scan all the ports, it will only scan 1445. And then it will show you, hey, these would be port numbers that I see up, and the service name; again, nothing guarantees that a certain application or service is running on a given port.
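From the defender's side, the scan just described has an obvious shape in a firewall log: one source touching many distinct destination ports on one host in a short time, while a normal client hits the same port over and over. The detector below is an added example, not code from the lecture or from nmap; it parses constructed log lines in a simple format of this example's own (timestamp, protocol, source, destination) and keeps a sliding window of destination ports per source. 203.0.113.9 is the made-up scanning host and 192.168.1.20 the made-up legitimate DNS client; the window and threshold are assumptions to tune for a real network.

```python
"""Added example: detect a UDP port sweep from constructed firewall log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# One line per UDP packet the firewall saw: "<ISO timestamp> UDP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(?P<ts>\S+) UDP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def _constructed_log():
    # A scanner probing 40 ports of 192.168.1.10, four probes per second.
    scan = [
        f"2024-03-04T10:00:{i // 4:02d}.{(i % 4) * 250:03d}Z UDP 203.0.113.9:{40000 + i} -> 192.168.1.10:{port}"
        for i, port in enumerate(range(1, 41))
    ]
    # A legitimate client asking the same host for DNS once a second over the same period.
    dns = [f"2024-03-04T10:00:{i:02d}Z UDP 192.168.1.20:{50000 + i} -> 192.168.1.10:53" for i in range(20)]
    return scan + dns


SAMPLE_LOG = _constructed_log()


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_udp_scans(lines, window_s=10.0, threshold=15):
    """Alert on any source that touches >= threshold distinct ports within window_s seconds."""
    recent = defaultdict(deque)  # src -> deque of (time, dport) inside the window
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count and surface these
        t = parse_ts(m["ts"])
        src, dport = m["src"], int(m["dport"])
        q = recent[src]
        q.append((t, dport))
        while q and (t - q[0][0]).total_seconds() > window_s:
            q.popleft()  # expire probes older than the window
        distinct = {port for _, port in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {"distinct_ports": len(distinct), "first": q[0][0], "last": t}
    return alerts


if __name__ == "__main__":
    for src, info in detect_udp_scans(SAMPLE_LOG).items():
        print(f"possible UDP sweep from {src}: {info['distinct_ports']} ports between {info['first']} and {info['last']}")
```

The same logic applied to outbound ICMP port-unreachable messages (many of them to one destination in a short span) catches the other half of the exchange the lecture mentions, the "nice" host telling the scanner which ports are closed, and is worth wiring up on hosts that rate-limit those replies, since the limit alone only slows the scan down.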
It is just convention, because we need to be able to, when I make a DNS request to a system, know what port to use. So by convention port 53 is the DNS port, just like port 137 is NetBIOS-NS and port 148 is NetBIOS-DGM. Cool. So we did a lot today, so we'll start on TCP on Thursday. Yeah, and Code Red was another one. I bet; I don't know.