Great. Let's get started today. Thanks, everyone, for coming on this lovely freezing Wednesday morning. Are there any questions on projects that we've covered so far before we get started today? How many submissions do we actually get? Not this one, but this one. Fifteen. One five, okay. Yeah, one five. Such a good point. So I did announce on the mailing list. Let's see, what's there? So I did implement the test, the smoke test, for the actual submission and all the tests for part two. It took quite a bit longer than I was expecting. But I guess that's the way it goes. So you can submit this smoke test as a real test, right? Any of your smoke tests, so you should see that it actually passes compilation before you actually submit it, otherwise you're just burning a submission, right? So I can submit it as real, and it says it successfully transferred it for homework one part two, so I have 11 submissions remaining of 15. And then I can see, are they not yet corrected? I think I deleted some of them for myself. Hopefully this will work. If you have problems, please let me know. If you have problems with the test cases, so this one was a... As I said, part two is kind of really difficult to write. There are actually like 40 things that have to happen, just to test like 10 test cases. You have to add things to files and then run your program to make sure those things are in the files and that the output's correct and all that kind of stuff. So here we go. So this submission got 62 points. It's actually not mine, but I won't tell you because it is. It's one of yours. So yeah, so it'll give you the output. So it should give you, if you fail the test case, it'll give you the name, it'll give you how much that test case was worth, and then it'll give you the standard out and the standard error from your program execution. So you should be able to use this to figure out where there were any problems or where there were any exceptions. That may be something I have to fix.
So anyways, so yeah, let me know the things. Let me know how things are going. Any questions? We'll work on part three. Hopefully we get that done today or tomorrow. So yes, it's getting kind of tight. Can we maybe have an extra couple of days to turn that in? You already had two weeks. Yeah, exactly, but we haven't had a chance to test it against the test cases and they're going to be broader than... You have a lot more knowledge of the materials than we do, so we'll be learning while we submit test cases for any problem. It's a good advocate right there. I'll consider it. I'll consider it. Right now I'm leaning towards not because, you know, the purpose of this is, basically, so that you can know your grade beforehand. The alternative, and what you do in a lot of classes, is you just submit the code and then I run it on test cases and then you get points knocked off for missing my test cases, but you never get a chance to know about it. So I'll consider it. Probably have the requirements a little more poorly defined. I mean, we're kind of getting some requirements as we go. Correct. And some of them have been subtly inconsistent. All right, we should get out all those inconsistencies. So that's, yeah, let's talk maybe on Monday about that one. Monday is the deadline. It's close to the deadline, right? Maybe a little bit. Ten hours to the deadline? That's pretty close. Other questions? Yeah. Vin Yu, can you speak louder? Can you please just give me the top number of votes that you know? Can I do what? Count? Count? I don't understand. Just give me a studio number of votes today. So for each test case, you'll have a specific number of votes. You're basically asking if I can give you what the test case is looking for. The answer is definitely no. Like, no. The whole point is you don't know exactly what it's expecting, right? I mean, the name of it should tell you what it's testing for.
The output will probably not help you too much in this case because, no, you don't get, you know, that's the whole point, right? I'm changing the environment, I'm running your program, and based on my tweaks to the environment, I expect changes in the output of your program. But it's not, like we said, right? So there's nothing. It doesn't have to be in a specific order or anything like that. So, you know, I erred on the side of leniency as far as testing, like the tests, so. Any other questions? Great. Oh, yeah. Slash, etc. Slash, no. Some hosts are listed with a pattern, like they use a star as a host name. Should the output remove those patterns, or is it a valid host name? I'm asking that as a technical thing too. I would say, I mean, it's not a valid host name. I would say I could try it. I think it'd be fine to include it. I don't think they're not named or including it, I think. I think there's a practical point of view to be actually this program. Would it be, like, is it useful to get, like, a star host name? Possible. Yeah, there's a practical point of view. Yeah, you could think about taking off the star, right, and taking out the dot to try to, you could try to enumerate other possible hosts based on that pattern. But if you're doing really more advanced, you could match that, match with other, maybe, any host names that you find, so maybe you can see some kind of relationship there. So, yeah, I think practically it'd be important if it's an interesting bit of information, right? And you could use that to actually try to find more of a, like, I was trying to go to, kind of, mail.test.organization.com, right? And it says, like, you saw star.mail.test, right? And it's like, well, maybe I want to try mail.test.organization.com and also test.organization.com and organization.com, right? Yeah, I can see it, maybe, so that's all. For the authorized_keys man page, it's written that there is a mention of hosts in two cases.
One is for the format of one. Correct. And another one is for the prompt option. Yeah. And they have written, like, you can do comma, comma, whatever. But there is no mention for any of the hosts in that file. Yeah, sorry. You responded well, right? Yeah, I was really confused with that mail because, like, on everything, on everything to watch, really, I'm not sure if you mentioned also these two cases only behind that. So the question is on known_hosts. Authorized... authorized_keys, right? The man page specifically mentions two places where hosts are listed. You should absolutely check those places. The third thing that's pretty much a de facto standard if you look at any SSH key, right? The last, the comment field is usually host or user at host, right? To me, that's so used by almost every key-generating software that you want to grab that information. Do you want us to, okay, use an entire host with only the hosts? What are you trying to get? Only the hosts. Only the hosts, yeah. I'm just making sure, you know, that you just don't put everything in there. Right. It's impossible that it's just me doing something without an at sign all the time. So on one of my examples, you know, I have a virtual machine set up through Vagrant and there's a reason not a whole lot of different hosts go out and generate a set of Vagrant and set Vagrant at something. Is that Vagrant considered a host? I would consider that a host. I would grab that. Okay. If there's no at sign there, I would say include that as a host unless it's an IP address. Otherwise, if there's an at sign there, take whatever is after the at sign and return that as a host. So we take this, like, if it's a Vagrant, like, what's with the options that can be the host and the host starts that. Yeah, we talked about stars. So you should just include that, right? You're trying to be generous. Try to find as much as possible. Anyone include all words in the comments given that spot as a host?
I'd say probably not all words. I think just that, I think you can special case this one case of an email or a user to add a host in the comments. So we should just include the host for that comment as well? Hmm? So we can include the host for that comment as well? That's just a comment there. It's not a platform. It's in a file format. It's a comment. That's what I'm saying, but it is a comment, but that comment is so commonly host, user at host that you should absolutely take care of that case. Yes, included. Take care of that case. Included. It's so common you should absolutely, absolutely include it. You're right. Just for real, you can see that in all these keys and you'd be like, I need that information. Yes, that specifically is tied in. This whole thing is about SSH, right? So that is tied in and says, hey, there's a user at this machine at that host. I know this key's in here, so I have a pretty good idea that this exists. So I should use that information. So if you were a student working on this assignment, how would you get a lot of examples of that host file if you don't? I mean, it's a use thing, right? That's true. You find out about it by us talking about it right now. And then you go look for examples of SSH public keys, right? Because that's basically what, I mean, the standard, well, known_hosts is one thing, right? But the authorized_keys file, right, is all public keys. So you can Google for public keys, that kind of stuff. You can find a lot of, you know, public keys are public, right? They don't have to be private. So you can find a lot of examples. Okay. Other questions? So let's go on. So we've looked at, we've looked at some local area network attacks, right? We've looked at some ARP attacks, how we can poison the ARP cache in order to try to intercept or hijack traffic between two hosts in our local network. We may also want to spoof an IP packet. So what does spoofing mean again? What does that mean? What's our goal here?
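The host-extraction rules just discussed for authorized_keys (hosts from the `from=` option, plus the `user@host` or bare-word comment, skipping a bare IP address), as an added Python example that is not part of the lecture or the course's assignment code; the key lines, names and addresses below are constructed and the key blobs are placeholders.

```python
import ipaddress
import re

# Constructed authorized_keys lines in the OpenSSH format; key blobs are
# placeholders, not real key material.
SAMPLE_AUTHORIZED_KEYS = """\
# keys for the build box
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER= alice@build.example.org
from="*.mail.test.example.com,10.0.0.5",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER= vagrant
command="/usr/bin/backup --quiet" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2= deploy@192.168.1.7
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER2= 10.9.8.7
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER3=
"""

KEY_TYPES = ["ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"]

# The options field is comma-separated, and a double-quoted value such as
# command="..." or from="..." may itself contain spaces or commas, so the
# field is matched as "runs of non-space text or quoted strings", never split
# on a bare space.
LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]+|"[^"]*")+)\s+)?'
    r'(?P<type>' + "|".join(re.escape(t) for t in KEY_TYPES) + r')\s+'
    r'(?P<key>\S+)(?:\s+(?P<comment>.*))?$'
)
FROM_RE = re.compile(r'from="([^"]*)"')


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def hosts_from_comment(comment):
    """The comment is free text, but the ssh-keygen default is user@host, so
    special-case exactly that; a single bare word counts too unless it is an
    IP address (the rule given in the lecture)."""
    tokens = comment.split()
    at_hosts = [t.rsplit("@", 1)[1] for t in tokens if "@" in t]
    if at_hosts:
        return [h for h in at_hosts if h]
    if len(tokens) == 1 and not is_ip(tokens[0]):
        return tokens
    return []


def parse_line(line):
    """Return a dict with opts/type/key/comment, or None for blank and # lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_hosts(text):
    """Unique host names/patterns in file order: from= patterns first, then
    whatever the comment yields. Wildcard patterns like *.mail.test are kept."""
    hosts = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        found = []
        for patterns in FROM_RE.findall(entry["opts"] or ""):
            found += [p for p in patterns.split(",") if p]
        if entry["comment"]:
            found += hosts_from_comment(entry["comment"])
        for host in found:
            if host not in hosts:
                hosts.append(host)
    return hosts
```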
Yeah, let's hear something. Yeah, we want to impersonate, right? We want to send an IP packet that actually comes from us, but we say it comes from somebody else. Is there anything that prevents us from doing this, from what we've looked at, on IP and lower layers, like ARP and Ethernet? Checksum is just to make sure that the integrity of the packet is intact, right? That random bit flips didn't occur. It doesn't say anything that, you know, it doesn't verify that it actually came from the IP address, the source IP address that the packet says it does. Is there anything else to check something? Your defense mechanism, right? If we get a packet on a local network and we have the source Ethernet, the destination Ethernet, the source IP and the destination IP, right? There's nothing else in that packet to tell us where this came from. So as an attacker, we can use this to spoof another host, and we can try to send them a datagram with the address of the host we want to impersonate, right? So if we're an attacker and we want to impersonate host A, we can create an IP packet as if it came from host A and send that out. So if we have the subnet and we have our devices on the subnetwork and we're an attacker at one-to-one, and we want to impersonate some other host, let's say host 76, we can actually create that and send that packet, right? We have to encapsulate that in an Ethernet frame, right? In an Ethernet packet, and we need to make sure that the destination, the to, is correct for that IP address. What do we, what can we do with the from? Can it be from us? Okay, what's the example? I was like, our own source MAC address wouldn't say that this is my IP address. Nope. It doesn't need to, right? Because our, it couldn't do that? Yes. Assuming that it knew already the ARP mapping, right? The mapping between, was it 0.76 here, and that MAC address? But if they'd never talked to that machine yet, right, they would never know that MAC address, right?
So unless they have some prior knowledge, then yeah, they'll just accept it. And even if they do have an ARP table mapping, that's really only used for sending out packets, right? ARP is used, or the ARP table, to match an IP address to an Ethernet address, right, when we want to send a packet. But when we're getting it in, we just want to process it, right? So we use the from IP address here, and we're actually able to spoof that, oh yeah, so we need to encapsulate that in there. So why do we want to use IP spoofing? Useful. Why? Because you can get the data that someone else would have received and you might have an IP address to knowing what that data is. Ooh. So what happens when, in this case, right, so just talking about ARP spoofing, right, so we don't, let's say we're not doing any ARP poisoning, any ARP attacks, right? So here, what happens when host 14 tries to reply to this message? So what happens? Somebody walk us through the process, right? It's a normal, okay, so it sends out a packet with the IP address and this machine address from in... Why? How does it know how to, so first, let's take it by steps, right? So first, what's the IP address it's going to try to respond to? 0.76. 0.76. Right, exactly. And then, how does it know how to create an Ethernet packet to reply to that? It has a destination MAC address also inside the packet, which it will use as... It doesn't use that at all, right? It just uses that to receive it at the Ethernet layer or it goes away, right? It doesn't really ever use it again, right? Just exactly the same sequence of steps that happens if this machine wants to contact that host, right? To make that reply. So what's it first going to check? If it has the MAC window. Yeah, exactly. It's going to check the cache, right? And say, do I know the MAC address for 0.76? Let's say we're not doing any poisoning or any games, right?
So that address of 0.76 is going to be some other, the actual physical MAC address of that machine, assuming it exists on the network, right? And then it's going to say, okay, let's send out that packet on the network. Is that going to come to us? So this is useful if we can't get the reply. So you can get the reply. But if there is no... Wait, let's go right here. Hold on. I mean, an example would be that I can send a derogatory message to one of the higher positions in the company and that person like Friday and the other person because he has a good kind of message. Tricky. A derogatory message. A what? A derogatory message. An email message, right? Okay, yes, yes, yes. Yeah, you could... It's a little bit tricky because we haven't gone to the upper layers, but yeah, you could basically... Essentially you're impersonating that machine, right? So it seems like it came from that other machine. More technically, if we look at some of the... Some protocols are required to reply, right? So this is a DNS response. So somebody makes a DNS request for, hey, what's the IP address for Google.com? And we reply before the DNS server and we impersonate the DNS server and say, hey, yeah, that's my IP address. It's 111.10.20.121, right? Now when they try to go to Google.com, they're actually going to go to our machine. So then we can do like an active man in the middle attack. We can impersonate an NFS server. We can do kind of... This is kind of similar to the Kevin Mitnick attack where we maybe could try to do... Execute some commands on a server. So if there's some higher level protocol that uses IP address in order to do authentication, right? So that it's checking the IP address and says, I trust this IP address. Well, you know, that doesn't mean that that actually came from that other IP address, right? Because we can inject packets on the network as if we were that IP address. There's lots of tools to do this, to do DNS spoofing, all kinds of stuff.
hping is a tool that's a ping-like interface to impersonate an IP. And... So you could do this yourself and... Oh, I'll talk about that in a second, but... So there's actually libraries to do this. So how do you actually do this IP spoofing, right? Does your operating system allow you to do this by default? No? Yeah, it doesn't like you to pretend to be other people, right? You have a well-defined series of interfaces for the socket library, right? But it will allow you, if you have advanced privileges, it will allow you to create arbitrary Ethernet or IP packets and send those out on the network. So libnet is one of these libraries and it provides a way, it's a C library, so that you can actually write a program to build and inject arbitrary packets into the network. So you can write, you know, you can spoof Ethernet frames and this is really how all of those other tools are written, like Ettercap and hping, right? They're using this library and this allows you to do this very easily. So you first, you initialize the packet and you initialize the network, you can construct a packet, you calculate the checksums on the packet, right? That's an important thing if you're doing this by yourself, otherwise it's not going to do it for you. So you have to manually calculate the checksum and then you can actually inject it onto the wire. I actually debated: your next project, one of the projects, will involve doing this and spoofing packets on the network. I will say, libnet is horrible from my experience with it. It is one of the most poorly documented piece of crap C libraries that I've ever had to use. And so I was like, do I want to force the students to also go through what I went through? I think no. I'm leaning much towards no because there's another library now. So, Scapy is a Python library to do this.
And if you have an afternoon or a few hours to mess around and you want to play around with network stuff, Scapy is absolutely the way to go and the thing to learn and understand. It is insane how useful it is to create packets and IP packets and Ethernet packets. So you can kind of quickly prototype what you want to do. Obviously you can sniff. So you can sniff on the network. You can set a function that is called every time a packet comes in that matches some parameters. It allows you to spoof and create packets. It's obviously slower than pcap and libnet because it's running in Python. So it's actually, I assume, I have to assume it's actually using these libraries underneath. So there's all those translations. But you can do super cool stuff like, hey, send a spoofed ICMP packet. And it's just like one line of Python code. Which is absolutely insane compared to the libnet nonsense you have to do. Do you want to use a library this time? Yes. This time I think I will. Well, the other one's a library too, but I'll let, I think I'll let you choose either Scapy or libnet. But me and the TAs are coming up with some cool packet twiddling things that we can do. So it should be very interesting. Okay, so these are kind of the libraries that you can use to do these cool tricks. So we talked about sniffing, spoofing. What's hijacking? Did we talk about hijacking? What does it mean? Like GTA, steal somebody's car? That's what we're talking about. I'm going to teach you how to take control over someone else's device. Not necessarily the device. We're not quite there yet. But that's one way we can talk about it. Yeah, so you want to actually take control of the session or you want to be able to sniff and spoof and be able to inject some data into the conversation between two hosts. So rather than just reply to something or send a request for something or try to poison something, we can actually manipulate the conversation between two hosts.
So the idea is you sniff the network so you're listening to all the packets that are going. You wait for a client request, right? You wait for an HTTP request, a DNS request. And then when you see that, your goal is to be faster than the other machine and send a response back on the network. And so we're going to see ARP-based, we're going to see UDP-based hijacking, TCP-based variations of this attack. Each of them requires something a little bit different, right? So we've kind of already seen this, right? ARP poisoning is kind of, in some sense, hijacking these requests. We could listen to them, right? We could listen for broadcast requests and then reply with ours right away and hope that it gets there quickly. Or we can just kind of flood the network, which is what we saw. But to understand how we have to do that, right? We want to first, okay, we talked about local networks. Now we're going to take one step up and say, okay, how does the packet get, if we want to talk to a machine that's not in our local network, what actually happens? Right? So indirect delivery, not on our local subnet, right? We want to actually talk to a different machine, which is really how we get to the internet, right? It's not just we're all on a big local area network subnet where you just send out packets. Right? You have to have some way for the packets to get there. So, IP is where this works. So the basic idea is if I want to send a packet to another machine on another network, I use IP and I deliver it to what we call the gateway. So the idea is the gateway is a machine in your local subnet who knows how to get outside and talk to other subnets. Right? So we'll see how this is set up on the machines. And so it's the gateway's job: the gateway then has to decide what do I do with this packet? Who do I send this to? Right? If you think about your home setup, right?
Often you'll have a router at home, and so if you're transferring a file or something between two machines, you can just use Ethernet or Wi-Fi to talk to each other. It goes through the router, but they're just talking to each other. But once you want to talk to Google.com or somebody outside your local network, well, then you send the packet to your router and the router goes, oh, this isn't for the local network, it's for outside, let me send it along the cable line or whatever to the next hop, which will be somebody at, what is it, Comcast or Cox, whatever you have here, or ASU I guess if you're on the ASU network. And then it gets the packet and it has to decide where to go. It's usually not a machine, high level term, usually like a switch or some kind of router. So it gets a packet and it needs to know where to go, and hopefully you're getting closer and closer to your destination where you actually want to go, until you finally reach a subnet where the gateway is on the same subnet as the host you want to talk to. And then it says, okay, now I know exactly where this goes, and then we use the exact thing. So this is where we think of as hops. We're hopping, hopping along, our packet is hopping along. Do we have any guarantees about our packets that we're going to get there? Do we have any guarantees that it's going to take the most efficient route possible, the fastest route, the least latency? Why? What kind of things may affect that? What was that? If one of the routes is in the middle then it has to be in its root, so it could not be the best route. Well, I guess in that case, if the route is in some sense, but that was one of the reasons. Yeah, so there's mechanical failure, right? We definitely want to be able to route around that. Network traffic, network traffic, network traffic, in one sense, like if there is a huge communication going between the closest distance network it might need to go far around, right? So yeah, it could be that there is actually a shorter-in-hops route, right, between us and our destination, but maybe that link is very saturated, so we actually go around that. So we take more hops, but hopefully it's faster, but not slower than it would be just a straight up longer, slower route. These are people taking their heads. Why? It might be for the security purpose, like a hacker, a person who is just watching one of the lines and you can send half of the packet to another line. So okay, a hacker, kind of, not the hacker, black guy, that black hat guy. Yeah, black hat, sorry. Yeah, there were actually cases where I think people were looking at network traces and they saw that traffic coming from Russia to another country would actually go through some servers in like Virginia and then go down there, which is not the most efficient route, but it put it on US soil so maybe somebody could intercept that. But I don't know, that's just a theory. So yeah, but it's definitely one thing. How do the big backbone networks, right, the Verizons, how do they decide where traffic goes? Yeah, depends on the DNS. In the perspective of the internet, like how does it know which network do they choose if they have their own? I think, yeah, so routing. So there's a protocol, BGP, where they decide and they announce routes. That's what the backbone uses. DNS has got something to do with it if you're at different level addresses. There's one big thing that we're all not talking about, right? The cable? It's money. It's money, right? So these big organizations like Verizon, AT&T, these big backbone providers, right, they charge each other money to access each other's network. So Cox or ASU could decide, hmm, I know the shortest route is through Level 3, but man, they're charging me a lot of money for traffic this month, so let's actually send it to another host and let them deal with it. That's actually cheaper. So they can actually sometimes play games like that, and your traffic, when you get to a high level, it's actually much more of like a political, economic decision rather than just a technical decision of
what's the quickest way I can get there. At each hop, how does it decide which direction to go? Good question. Here's a diagram that I clearly messed up a little bit in coloring. So the idea is we have a system here, .21. We want to send a packet over to a whole other network at .10. So do we know from this that we're on different subnets? What's missing from here to tell me that we're on different subnets? What was it? Yeah, yeah, the subnet masks, right, or something that tells me exactly what the subnet is, right? We can assume from these addresses, they're very different, so they're highly likely to be on different subnets, right, over to .10. So the first thing my machine does is it looks and it says, is 128.111.10 on my local subnet? And so then it says, okay, where do I put this packet? So we're going to look at it. It actually has a table. Each of your machines, right, has a table in it that says exactly where packets should go. So if it goes to this network, it goes over here, because if you want to send packets to 121, all right, if you want to send packets out of the network, you have to send a packet to, like, this Ethernet address or this IP address. Either way, this machine is the gateway. So this is how you get out. And then this router has a rule that says, hey, if I get a packet and its destination is to my internal subnetwork, then I know where to send it. So basically the idea is each of these switches in between each have a table that tells them exactly where to route packets. So some of the things we've kind of talked about, right? So the source and destination IP address always stay the same, right? That's kind of the point: we just want to get our piece of mail from us to the destination, and we don't care what hops it takes or whatever, but that information better be exactly the same, right? What was the TTL? What did the TTL field do? What was it? Time to live. Yeah, which is a very strong term. So every hop along this way, we're going to decrement that TTL field, and if we ever get to zero, we'll stop, right? Because we don't want it to be the case where our packets are just going through the network, just creating a cycle here because there's a problem, and now the network's down because our packets are living forever. So the other key thing is that the Ethernet packet, right, at each stage, the Ethernet level completely changes, right? Because at the first step we have our machine, which is A B C D E F, and you can see the A and the B, that means two, and I said it longer. And at the first step we want to talk to this switch specifically, right, A0 B0, right? So we have to encapsulate our IP packet in the Ethernet packet destined for our local host, and then when they get it, they take off that Ethernet layer, keep the IP packet, repackage it in another Ethernet frame to get to the next hop, and at every step along the way they do that. So that when it finally gets here, the packet that .10 receives doesn't know our source Ethernet. They can't talk to us over Ethernet. They can only talk to us over IP. So it doesn't matter what our source Ethernet address is. And the delivery process, it says, is based on the destination address only. Technically it's just based on the destination address. That's the only thing each of the switches looked at. It's obviously also based on all kinds of crazy rules. So if we want to get this packet from 111.10.20.121 to 128.111.41.10, then we first create it here. And so this Ethernet frame, like we said, is going to have the source and destination. The source is our Ethernet. The destination is the gateway's. And then at every hop along the way, that's going to be changed. So that when it gets here, the Ethernet frame here sources from the gateway. And the destination is the destination Ethernet. So questions on how kind of routing works at a high level?
I think the short answer depends on whatever the protocols are in between each of those switches. Because IP, right, so the whole point is we don't care what's below it. So the IP packet could be over fiber. It could be over, they can actually even, sometimes they take that packet, well, encapsulate it in a completely different protocol to get it through their network. And then when they spit it out, they spit out an IP packet. Does it have CSU/DSU to a T1, I think, or would it have something different than, say, my fiber to the house? Probably. I actually don't know. I'm not familiar with those protocols in there. So yeah, that would be, yeah, all kinds of stuff. And the idea is the IP packet always remains the same, right? It must be the same IP packet that we sent as the IP packet that they get. But the lower layers can completely change, right? Which is how we're able to talk to, when my laptop is plugged in, I can talk to you on your wireless address, and on a wireless, you know, if you're on wireless, you can talk to Google, because all those steps in between, they're each, everybody knows how to talk on their specific addresses, on their specific physical local subnets. So what if two different routers have two different length limits for an IP packet? So yeah, we're going to get into that. So yeah, one of the things to think about, right? So this is at a very high level, right? But we talked about how big can an IP packet be? 65,000 bytes, right? Really large. So what happens if one of these physical links actually can't support that? What happens then? We'll look at it, as that was more internal design. So there's a couple different types of routing that we've seen. So the, basically, the standard is hop by hop, right? So each switch decides where to route the packet. So every switch, every gateway decides where the packet goes. You have actually a router, yeah. Well, it's really just a matter of terminology, if it's a gateway or not a gateway, right?
I can have a, oftentimes, for various circumstances, you may want an actual machine, like a server, to be the gateway, right? And to route packets or something like that. Or, you know, this may be a gateway, but these are actually all switches. And then this is considered a gateway or router. I kind of use them kind of interchangeably. Yeah, they're very similar. So I guess the, I mean, I guess the big difference, right, is I guess this router is a switch that has a default route, right? So if it gets an IP address on the subnet, they can throw it up. Okay, so the normal type of routing is you have no control, right? The gateways and switches in between, they decide. The other way is source routing. So we saw, remember when we were talking about IP, that IP can actually have an option where the sender of the packet can specify where the packet goes and what hops it takes. And this can lead to attacks, which is actually, I think we talked about it kind of briefly. So we can do this, right? If we can control that, well, we can try to force the host to, we can force traffic through specific routes. And maybe we can put ourselves in the middle of that traffic and say, you know, hey, let's try to, when I talk to this other machine, always go through me or go through a thing I control. So if, you know, in the case of what we were talking about with IP spoofing, right, if when they reply, they use the same route that I told them about how to contact me, right, then when they reply back to me, it's actually going to come to me, right? So I can actually impersonate a lot easier. But this is kind of more of a historical fact. It's, but it does go to an idea, and one of the important things and why we talk about it is that this is kind of a key flaw that will come up over and over again, right? So we should never trust the sender of a packet to specify the correct things, right? Like we have, when we get a packet, we have no trust over the source route.
We have no trust over the IPs, right, over the MAC addresses, right? We can see that the attacker can control all of those things on their own machine, right? I can't control your, what the output is of your packet, but I can control the output of mine. So if I can use that to some detriment, like in this case, to get traffic routed through me or to specify it and be able to attack things, it becomes a huge problem. Okay, so to do hop-by-hop routing, we need to maintain every one of these devices in between, whether they're hosts or switches or routers or gateways, they have to have a routing table. So you can check out the routing table on your Linux machines or on any kind of Linux-based machine by using the route command, so route -n. I will say on a Mac, you can't use route. It doesn't have route. You have to use netstat, and I believe you can do the same thing with netstat -r for the route, and then you can also do -n, so it will not print out the, not try to do reverse DNS. So that's all this -n does. So it just shows you a table: destination, gateway, mask, flags, and the interface. So the idea is, so to look something like this, so basically what this means is, so the genmask, right, is a subnet mask is what we were looking at. So this means, hey, if I get a packet for 192.168.1.24, for exactly that address, then I can just go ahead and send that out on ethernet zero. I don't have to do any other processing, any lookup. I just always do that. This line basically says anything destined for 192.168.1.0. So what's the dot zero? Can we have a zero in our IP address? Yeah, so with that, with the genmask, right, we can see with the netmask, a subnet mask, we can see that this means any packet that is destined for any host in 192.168.1, right, that has this as the prefix, then I know I can send it out on ethernet zero, right? What does the gateway as zero mean? It's all zeros. No, so it means no gateway. 
So I don't actually need a gateway here because it's on my local, yeah, it's an ethernet, right? It's in my subnet. So I don't need to use any kind of, I don't need to use a gateway at all. And I know where to send it, right? I know to send it out on ethernet zero. What about this third line? Does this look familiar? Localhost? Yeah, so any packet destined for, but isn't localhost 127.0.0.1? What does this match? Else it's not on the routing table. What was that? Anything else that's not on the routing table? That's the last line, but this fourth line, or third line here, this line. So does it match 127.0.0.1? What else does it match? Anything that starts with 127? Yes, anything that starts with 127. So actually if you look up the RFCs, right, I actually should have looked this up, but I believe the RFC says any IP address that starts with 127, right, no matter what comes afterwards, they're all being your local machine. So actually you can get around some attacks. You can actually do some attacks with that knowledge. The basic idea is like if a remote machine will fetch some content from another server, like what's the example? Oh, like when you submit maybe like a tweet or something, right, and it goes out and fetches that URL and then shows you like a picture that's there or some content. Oftentimes it can be tricky. You can probe that machine to see what other ports are open on that machine if you tell it to try to fetch 127.0.0.1, right, the localhost. Then you can specify ports in there to get localhost with different ports. So you can kind of get it to scan itself. Oftentimes programmers will block that and say, okay, block 127.0.0.1 without realizing that actually you can pass any 127 address there and it will work just the same. So that's another bypass. And we can see here, right, we know it goes on the local interface. There's nothing special really about that except that it's in the routing table, right. 
If we got rid of this routing table, we'd probably try and actually do something and send that packet out. So then what's this last one? Yeah, right, so the zeros here in the destination and the genmask is all zeros means it's a catch-all. It's a default and matches everything. So this says, hey, if you get a, if you, if it doesn't match any of these rules, right, so it's on first matching in the rules. So if it doesn't match any of these rules, then by default send it out to 192.168.1.1 on the interface ethernet zero. And the flags tell us a little bit something more about there. The U flag tells us that that route is up. G says that it's a gateway. H says it's a route. And then D and M tell us if it was done by any, if it was modified at all. So you can do this, it's really, it's a good exercise to practice kind of, look at your computers, anything that makes sense to these routes. You can do kind of complicated routing things, which can be pretty cool. So yeah. And so the idea is you first search for an exact match, right? So you kind of use the tree or the, those rules as output, and you're trying to match more specific to more generic, right? So you first try to match any hosts, right? Does this match somebody I know about explicitly? And then you go, does it match any addresses? And there you go from specific to general. Then do I have a default entry? And then no match is found, right? It could be the case that you don't have a route for that. You don't know how to send that halfway hour. Then either you will return it, your machine will tell you that there's, that you can't reach that host, or the gateway will tell you, hey, I don't know how to reach this host. This is not a domain, or not an IP range I know about. So you can either set, you know, you can set these routes, you can do it statically. The route command is the kind of older style. The new one is the ip command. So you say ip route, and then you can specify things. 
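The route -n table walked through above, turned into a lookup in Python (an added example, not part of the lecture): the table is constructed from the four entries described, matching runs from the most specific prefix down to the default route, and the loopback entry shows why a check against the literal 127.0.0.1 is not enough since the whole 127 range lands on the local interface.

```python
import ipaddress

# Constructed routing table in the shape of `route -n` output
# (destination, gateway, genmask, flags, iface); not from a real host.
ROUTES = [
    ("192.168.1.24", "0.0.0.0", "255.255.255.255", "UH", "eth0"),
    ("192.168.1.0",  "0.0.0.0", "255.255.255.0",   "U",  "eth0"),
    ("127.0.0.0",    "0.0.0.0", "255.0.0.0",       "U",  "lo"),
    ("0.0.0.0",      "192.168.1.1", "0.0.0.0",     "UG", "eth0"),
]


def lookup(dst, routes=ROUTES):
    """Return (gateway or None, iface) for dst, or None when no route matches.

    Matching goes from specific to general: the entry with the longest
    matching prefix wins, so the /32 host route beats the /24 subnet route,
    and the 0.0.0.0/0 default entry only applies when nothing else does.
    """
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, gw, mask, _flags, iface in routes:
        net = ipaddress.IPv4Network((dest, mask))
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None  # a real host would report "Network is unreachable"
    _net, gw, iface = best
    return (None if gw == "0.0.0.0" else gw, iface)  # 0.0.0.0 gateway = directly attached


def blocks_loopback_naive(host):
    """The check the lecture warns about: only the literal 127.0.0.1 is refused."""
    return host == "127.0.0.1"


def blocks_loopback(host):
    """Refuse anything the routing table would deliver to the local machine (127.0.0.0/8)."""
    return ipaddress.IPv4Address(host).is_loopback
```

Dropping the last entry of ROUTES reproduces the "no route to host" case: lookup("8.8.8.8", ROUTES[:3]) returns None.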
The big guys do it dynamically, right? It would be kind of crazy if you were in there statically doing all these things. So there's all kinds of protocols for how you determine and broadcast routes. So if that way Verizon knows, right? So if you think about, you only need to know about how traffic goes around in your network, right? If you only have one gateway, it's really easy. When you get to the level of ASU, when they have multiple peers, well, how do I know how to match IP addresses to which peer, where do I send this? So there's a whole, so their tables are a lot bigger, right? Because they have a lot bigger addresses. So there's a whole protocol about how to do that. Cool. All right. So we will, let's stop here. On Friday, we'll get into blind IP spoofing. So who did blind IP spoofing? Okay, this. Kevin Mitnick. So this was the attack that he used on the San Diego Supercomputer Center. And we'll see that it's actually really, really cool. So, thanks.