I have two problems, exactly. Great, okay, any of you have any questions before we start? Questions on the assignment, painting, make an answer? On the default installed by default, are you guys going to have it all by default, or are we going to provide packages for that? The default, so whatever is not installed by default when you first install it going to, then I believe yes. Any place we might look to know if we wanted to use Java or something, what packages you actually need to. That's a good question. Is it on the, yes, let me know. I have more pollution on the dial on that. Do what? Pollution on the dial. One, seven, probably. Is that, yeah, I think me or Eric, because it doesn't matter to me, it matters to you, right? Yeah. I mean, it's the Ubuntu 14.04 64 bit, so whatever is on there, that's fine. Yeah, it's not. So yeah, that's a good question. Anybody else know, is there a question? And what would the permission of the, like the user be having when you're running the program? So it would be having a root permission? Why? Was the Morris worm for it? Did the Morris worm have a root permission? No, it didn't need to. Oh, not necessarily, right? So yeah, that's why I said you have to be careful and code. Regarding the permissions. Exactly. Yeah. And you have to just make sure, and it's, you know, not to explicitly check, but you need to make sure that when you encounter permission issues, your app doesn't crash, right? You can't assume that you can just read any file on the system. Okay, back to the question. I don't know. I'll try to look up. If anybody finds it, if there's a list of the default packages that's sorted in Ubuntu, I think I can find it somewhere. I think I can run the command in the testing environment to dump out all the packages that are installed. So I do install some things, like build-essential, some C stuff. So I'm actually still setting it up. 
So if you have any, some, you have something that specifically, I think it's a little tricky with Java though, I think that there are different packages. So that's why. It has to be the open one. Right. Okay. The work will be again. Yeah, it should be, not a problem. People did it last time I used the system, so. But yeah, if you send me an email, I'll try and find out, find the list and post it so that you can know. Yeah. Official download in the website is 14.04.3. Yes, that's fine. Any other questions? Yeah, there's a line. Hey, hey, hey. Try and answer questions. Yeah. Can we presume that the files are valid? Got it. So the valid data is in the files, because you're most familiar with all those. Can we presume that the data is valid? Can you presume that the data is valid? Because, can you ever presume that data is valid? Yeah, I think it's a one. It's a what, say? Yeah, I think it's a one. You don't need to work with it. Exactly. Yeah, you shouldn't, yeah, you don't have to check that it's syntactically valid or whatever, right? So, yeah, you should, you know, yeah, exactly. You're a worm, so you should do best effort and try to find as many things as possible, even if the stuff is bad. On the flip side, though, right, you want to make sure you're grabbing the correct things. You know, you don't want to spread to unknown hosts and waste your energy, right? So, if there's a file format that has comments, for instance, right? You probably don't want to grab stuff in there, even if it looks like a host name, because it's a comment, right? It's not actually a valid host name that's used by the file. Yeah. So if you follow the file format guidelines as in most languages, which should be set. Yes, okay. Yes, so that's part of, part of the project, right, is that you're the Morris Worm Writer. The only thing you have available to you to find these things is the docs, right? How does it actually work? How does the file format work? 
So you have to be able to read it, understand it, and actually implement it. I know you said programming language is completely optional, but I also think- Well, it's not optional, it should help for everything. Yeah, I mean, does it, does, what if it's suspicious if a worm would install, like, 10 packages? True. But you're not actually installing packages, right? You're, I mean, yes. That's more of just submission system environment. That's, I agree, I mean, you know, if you want to be really cool, you write it in, like, assembly and you do all kinds of other stuff, right? We're just focusing on one portion of the worm's functionality to try to emulate that. But, you know, environment so that we can all test it and all that stuff. Or you can do it kind of crazy, do it like, have multiple VMs and have it all obfuscated and do all kinds of stuff like that, but that's, it's a different class. That's more about, like, malware rather than vulnerabilities, so. More questions? Yeah. To the me, why, why, why do you have reading the script that would have sort of access? Because my request would have been solely for you. No. So you shouldn't, you're, don't, you make files, but definitely not run as sudo or anything like that, right? That's why you have the packages files that would install in the packages that you need. If you, anything else, right, you have to include as part of your source code in any kind of library or something like that. I would shy away from that. But if you have questions or problems, talk to me. I hope we'll be able to work them out with the TAs. All right, I, hopefully shortly after this, so I got this submission website up. It's just not actually hooked into anything and nothing actually tests anything. But you'll be able to sign up with your ASU ID. I'll send out an email later today. You should have external access. It's just internal for now. So yeah, that should be up very shortly. So it should be good. Any other questions? 
So many of you are. All right. Let's get right back to the network teams. So we looked at the IP datagram and we've been talking about Retranit. So to refresh everyone, right? We're trying to study the IP, we're trying to study the network team stack so we can understand what the points of attack are, how we can attack it and where the vulnerabilities are. And this is very helpful when you're, you're analyzing a network or analyzing and trying to understand what types of attacks are possible. Right, you have to understand how applications are communicating with each other, what types of things they're using, what types of games you play. So we looked at the header in case you forgot, this is kind of what it looks like. So the IP header is composed of, so bring it down a little bit more. Normally it's 20 bytes if there's no options. It has a version, so the version is four bits, four or six, we're ready to talk about that. A header length, which describes the number of 32-bit words in the header, including the options. The type of service, so these are bits that are used to flag priority or quality of service or there's actually an unused bit in here. Why did you include an unused bit in something that's so important like the IP protocol? Every packet that is sent on all of our millions and billions of devices is including this unused bit. Cash lines? Tricky, maybe. What was that? Future purpose? Yeah, future purpose, exactly. Once you just find something like this, it's very hard to change it or go back on things. Maybe you leave in a little bit of space so that way later on you can say, let's use this flag for some other purpose. To indicate, I don't know, we want to switch to IPv6 or something. Okay, then the total length, so we need to know the total length including not just the header, but also the data of the packet. Because of this, this is where we see a technical description actually influences the protocol. 
So we have 16 bits in here, so it's the length in bytes, so the maximum of an IP packet is 65,000 bytes. Actually a lot. An ID? So a unique identifier for a datagram. So cool. And you can kind of talk, why would you want an ID? An IP packet, we really care. Just send in packets. Ordering and unordering. Ordering and unordering? IP doesn't give us anything about ordering or unordering. It makes absolutely no guarantees. Can we use it in fragmentation? In fragmentation? So, when we join back the packet, we need some order. Yeah, so what's fragmentation? Why do we need it? The MTU size of the adapter is not big enough to fast enter packets. Right, so we gotta remember where on the stack we are, right? We could be, we're pretty low, but we're not actually on the physical layer. So let's say a host wants to send, I don't know, the max size to 65,000 bytes, right? But you're on a, whatever, a physical host where you can't actually send that many bytes, right? Physically that link layer has not support packets of that size. Well, fragmentation allows you to do is to rip apart the packets into sizes that are appropriate for the link layer size, and then you send out those packets, and then this ID tells the other end, okay, this packet's been fragmented, and every fragment with this ID goes at certain offsets, and that's how it's able to reassemble the packet. I think we'll look at that tonight, because that's actually an important thing. Yeah, so the flags and the offsets, so these are used for fragmentation, let's say if this packet's been fragmented, what offset it goes on? Time to live, so this isn't like a speed thing or like a bomb that's about to go off. So why do we need a time to live? The number of hops it can be. What was that? It's the number of hops. The number of hops, why do we need it though? Does it work like the one next to the bias? Yes, right, so we're trying to get a packet from one host to another host using however many intermediaries, right? 
We don't actually know how many there are in between, but so there's absolutely no guarantee on what path our packet's gonna take, how it's gonna move through the network, where things are gonna move, right? So the idea is if we just send a packet out and let's say there's a routing error where it goes into a loop, do we want this packet to just keep looping forever as like a ghost in the matrix? It just like keeps going and going and going. No, we want it to stop at some time, right? If it's not able to get to the host. So the idea is when the host sends out the IP packet, it sets the TTL however it wants to the max or whatever and every hop along the way is gonna decrement that number and change and send the packet. And so that way when it gets to zero, the router knows it can drop the packet on the floor and not send it anymore. Okay, then this is where we get, we break some kind of abstraction in the upper layer. So this is where we specify if the IP packet is a TCP packet or a UDP packet. Then we have a checksum. So we do the checksum over the header to make sure that there weren't any transmission errors or anything there. And then we have our two addresses. So we have the source address and the destination address. Remember 32-bit addresses, so they take up 32 bits in our headers. Any questions on that? So the IP headers includes the options section, right? And so this is variable in length. It can get more or less. They're actually, they're identified so the first byte defines what option it is and then it could have an optional length after that. I was hoping something I knew would be here. I mean, I know a lot of you. Anybody in security or military operations know if they actually use this byte still? The IP options. So they have one of the options specifies the security clearance level of the packet. So that way at the network level, the military could drop a packet if somehow a confidential packet got out good on an open public network. 
Okay, or you can't say. I understand. It used to have, and maybe I actually want to look at it and see if they actually do this now. Some of these IP options are actually for debugging purposes. You're an administrator, you're trying, right? The internet is an incredibly complicated system of hosts of hosts and networks of networks, right? Things you don't control, the routing tables of switches you don't control. So one option says record the route, every router along the way, put a timestamp on the packet to say where it was and how it got there at one time. Presumably so you can help debug connection problems. I think, I have to say, so is this good from a security perspective? No, why no? Because even the hacker wouldn't probably know which path the packet is taking. Yeah, right? So you're giving out information to somebody who's outside of your network just because they ask nice, nicely, right? They put this option and the switch says yeah. Hang on, I'm the switch. I saw it at this date. So it's gonna actually allow an attacker to help map your entire network and try to see what are all the hosts and what are all the switches in your network. It can timestamp, so not just record the IP address but also do the time that it got there. Source routing is actually really interesting. So this specifies a list of IP addresses. This actually was sourced, right? This IP packet tries to specify the exact route that the packet should take. Is this a security problem? Could be. Could be, yeah. Why? Because the hacker could set the route in such a way that it goes by his machines and he gets to know the data. Yeah, it could go by his machines. One of the things he could do about it. Overload a machine. One of your switches, right? I wanna take off on a good DoS attack. I'll set all of my sources to all go through your one switch and that one switch fails and then everything behind it fails. 
Right, essentially it's another case where you're actually giving an external entity control over your network and where packets flow in your network. So I'm also fairly certain that nobody actually respects these headers anymore. It'd be fun to play around with this. And there's actually a lot more of these headers that are defined. Oh, but why didn't they include it? So we say it's bad, right? Why would you include this source route thing when you're defining IP options? Maybe you want to test if a route is down or not. Yeah, maybe you want to test if a route is down or maybe reliability, right? When these things are first established. Who knows, maybe you know a better route than the admins do or somebody else's network does. So you can specify exactly how. Can we, for the speed up thing? Yeah, could be a speed up thing. Yeah, maybe you know a shortcut, right? In the network. Like, oh, I can go through this host and then go out that way. Yeah. Okay, so IP, what's below IP? You got the data? The data, the link layer, yeah, exactly, right? So the IP packet, right, is actually encapsulated. So the IP header and the IP data are all encapsulated in the frame. So the link layer frame, right? And that's the payload of the link layer frame. It has some header before it that specifies all of its options. Okay, but the question is, okay, I want to send a packet to somebody and we're on the same subnetwork, right? So what does it mean being on the same subnetwork? Okay. What is it? You don't have to pass it beautifully. Yeah, if we're on the same subnetwork, it means there's no hops in between us, right? We're all on the same little network. So anytime I send a packet out, you should get back if we're on the same subnet. For instance, if we had to subnet 11, 10, 20, right? So what does it mean when I define a subnet like this? Is this an ID address? Why not? Now, missing the last octet, right? So what does it mean? Any of the last 32 is the host on your network. 
Right, so it's basically defining a prefix, right? So it's saying that 11, 20, 10 is a prefix. So anything zero through 255, right, of the last octet, that's in the same subnet. So the idea is we have a computer here that's 11, 10, 21, 21 with a physical address, right, of something, wants to send a packet to 111, 10, 2014, which has some physical address. And I did, so we want to send this IP packet, right, from one machine to the other. But really, we have to encapsulate that, right, in a link layer packet. We can't just send this IP packet out on the wire and expect anything to happen. So really, we have to encapsulate that in another packet that is from our physical address to their physical address, right? And then we have to send that out, and then we can actually go through it. So how does that work? So Ethernet is actually a little bit simpler than IP. This is a link level thing, just between you and the next machine. So it doesn't have to be so complicated that it has to work across the entire internet, right? So we first have the, so these are in bytes. So we have the destination host in six bytes. We have our source Ethernet address in six bytes. We have a type, some data, variable length of data, up to 1500 bytes, and a CRC. So it's a checksum at the end, right, to make sure there wasn't any transmission errors at that level. And so there's various types. So this is one, another thing, right, where the types kind of matter. So if the type is in hex 0800, this means that we have an IP datagram. If it's 806, it means it's an ARP request, which we'll look at in a second. If it's 808, it means that it's a reverse ARP request, and so on and so forth. There's a whole list that you can go through and understand exactly what each of these types are and what they mean. So just for looking at this, what does this mean about the length of packets that Ethernet can carry? You can just add it up too. You're gonna have to add, right? 
So we only care about the data. We care about using it as a transmission protocol, right? So as long as it's able to carry our IP packets from one source Ethernet address to a destination Ethernet address, I don't really care what it's doing. But the important thing, right, is this 1500. So the Ethernet length is only 1500 bytes, right? But our IP packet can be up to 65,000 bytes, right? So that's where we have that mismatch. So Ethernet, just like a brief rundown. It's very widely used. Everybody has plugged in a computer into Ethernet. I hope it's really annoying when this computer does not have an Ethernet port and I have to carry around a stupid adapter in my bag so that that way I can plug it in. But anyway, it's very fast, very efficient for networking people. It does what they call carrier sense multiple access with collision detection, which means when you're actually transmitting over the Ethernet link, you're listening to see if anybody else is transmitting. And then if you are, you will stop and try to restart and try again. So this way you don't have collisions like with 802.11, right, and wireless. It's really easy because of the physical capabilities, right? We could both be on opposite sides of the router, such that I don't see your signal and you don't see mine. So you never know that we're overlapping. So destination address is 48 bits as we saw. It's represented like this. So if you've never seen what the colon dotted Ethernet addresses, MAC addresses, right, it'll look like source address for 48 bits, the type, some data, and check, CRC check. Okay, now the question is going back to our diagram, right? We want to send a packet, we're on a local network. So now we're not even talking about routing or trying to get our packet from one area of the internet to the other. It's just the local network, right? We want to get a packet from one machine to the other. 
So what piece of information, what do we need to know to send an IP packet from one machine to another here? Let's say you're one to one. What do you need to know? Is that something I want? The physical address. The physical address of what? Your physical address? The physical address. We can get something to do here. Before that, before that. Sorry. Well, first you need to know the IP address, right? It has the same network prefix. Yeah, and then we see it has the same network prefix. Then the router table that you read. Which we looked at, yeah. So we know this is our subnet, so we can know that this is clearly in our subnet. But yeah, then we need to know the destination, right? We want to send this yellow packet here. Well, this yellow packet has our physical internet address, which is easy to find out. And, but we want to send this to somebody else's. But all we know about them is their IP address. We have been able to show that our item has a mapping with the physical and our IP address. Close, it's not the router, but yes. But the idea is we need, so these things, even though they're completely different protocols, right? So even though IP is completely separate from Ethernet, right, here we get more coupling where, okay, we're kind of chicken and egg problem. It's like, okay, I know what your IP address is, so I want to talk to you. But to talk to you, I need your physical MAC address, like your physical Ethernet address. But if I knew that, then I, so I could send a packet to talk to you on your physical MAC address to ask what it is. But if I knew that, then I could just send it to you in the first place, right? And then I would have to go through this thing. So they have a protocol specifically, ARP is what's called an address resolution protocol, and this is actually incredibly security critical. So this turns basically IP addresses into Ethernet addresses. And so that's the basic idea. 
It gives us a way to say, hey, what's the MAC address for, I forgot the network, 11, 10, 20, 121, good memories. Yeah, so we want to say, hey, who has this MAC address? And then that node will respond and say, hey, I'm this net, I'm this host, I have this IP address, here's my MAC address, and now we can start an IP conversation. Before that, we have no idea where to send that packet to. It broadcasts in the subnet, right? I will say, but yeah, it would be a broadcast, right? We'll get to it. Talking out of track, can you read it? I guess, I feel like in this group. Yeah, yeah, yeah, yeah, yeah, yeah, yeah, yeah, yeah. We'll get to it, don't worry, don't worry. So, so it's actually sort of a link level. So that's why when we saw the Ethernet frames, right? Depending on the different type. So there's type of IP address, there's type of ARP, type of reverse ARP, or RARP. And so when the type is one of those ARP replies, sorry, when the type is ARP, then that means that we're making some kind of request. So, you know, but now we're also kind of a chicken and egg problem here, right? It's like, okay, we need to ask essentially everybody on the network, if they know on our subnet, right, who has this IP address, right? And so the way to do that, there's a special address to broadcast, which means, okay, here's an Ethernet packet, send it out to everybody as possible. We want to figure out, I have a message to deliver to everybody. And so everybody gets this packet, and then the host that you're trying to talk to with that IP address responds and says, yes, here's my link level address. And then, so if we did this every time we wanted to send a packet, that would be incredibly slow and inefficient, right? We, our network would be flooded for every one packet you wanted to send, you'd have to send two packets, right? Say, who has this? And then they'd say, I have this, right? So you'd have to send two to every one, which would just be outrageous. 
So that's why we keep a cache. So, host A will keep that answer in the cache, and so then going forward, anytime A talks to host B, it knows the Ethernet frame. And so it's kind of another optimization. So basically, when A sends its request, it returns, it includes its own IP address. How does this act as an optimization? And host B, it's going to have to do all their fifths of operation as well. Exactly. Yeah, that way, and not only host B, but any other host, right? Be like, me shouting, like, I don't know. I'm trying to talk to B, I'm A, and I have this physical address. And now everybody who hears it can write that down and they can know exactly how to talk to me and we can skip a step. Send its own IP address or its own physical address? Both, because you need that mapping, right? That's what an ARP maps IP addresses to physical addresses, exactly. Yeah, from A, A is sending what's the request, its own IP address and its own host? Yes. So it says IP address because it includes its IP address in there. The ARP request itself has the source that it came from. So that's how we're going to extract that mapping. Okay, so then we're going to look at the format of an ARP message. So there's first the hardware type, there's different types of hardware, protocol type, the size, the protocol size, and it specifies the link addresses to be mapped. The op field says if it's a reply or a request. Yeah, go back. Say situations are very different systems, are you using the same IP address? So how would the ARP resolve that situation? Very terribly, if you remember that situation. So I've, at my lab in Santa Barbara we frequently would have those problems where, and the symptoms are very annoying because it's like intermittent SSH access that will sometimes go down and then you try pinging it and it'll come up. Essentially what happens, it would be like we have any overlaps of names, but it would be like if I said, I don't know, who's Adam? 
And like two of you said, I'm Adam, the first person that told me they were Adam is whoever I talked to. It's the same thing that happens here. So I say, hey, who's host B? And I get two packets back that say, I'm host B and I'm host B. Well the table only has one entry so I just put the last entry I got in there. I put that in the table and then that's who I talked to. And so it's very, very annoying. So what if an attacker actually sends you the packet last and make sure that you map his physical address to the IP? We'll see what happens. Okay. That's what we're talking about. Okay. There's a hand over it. Like a networking question, what does MAC addresses give that IP card? I mean, why would we actually need MAC addresses? Because just asking IP should have also a good question. Oh, it's in the room. Why do we need MAC addresses? Why do we not have IP addresses? Or the other way around, why do we need, why do we need, yeah, why do we need, yeah, why do we get rid of MACs and just use IPs? Because MACs are probably, they're probably attached to your system and IPs are connected to your device. So the MAC is the physical address, right? What's the other reason? Yeah, it's a hard-burned address on the PC or the machine, but IP keeps on changing. Once you go out of the network and connect it again, we might be getting a different IP address. Do we need it? Do we need it? Do we need it? We can still go to a different network and give us an IP address and then we just use that IP address. Why do we need a MAC address? Yeah, but it needs a handshake connection again. They just stop by this machine. What was that? You need to identify each machine and even for the same address. Yes, you can change your MAC address. You can change whatever you want. But it's illegal, I guess. Is it? That's my machine, why would I? It's the same as changing the IMEI number of phones. So on the internet, there will be two MAC addresses of the same, yeah, two networks of the same MAC address. 
So I guess we need to identify each machine I guess we need to make a point. So the MAC address, who needs to know about my MAC address? On the same network, just my subnet. So one reason would be, nobody else needs to know about my MAC address. MAC is only used to talk to the people in your subnet, nobody else. Everybody on that physical link with you. Once it goes outside of there, then IP takes over and that's how your packet gets from one host to the other. But we can still use IP to go on the same subnet, right? What was that? We can still use IP to go on the same subnet, right? Sure, okay, you can study this idea. So maybe it's an encapsulation thing. We don't necessarily want to use IP as the upper protocol. Exactly. I think that's more the reason. I feel like it goes more in that direction where it's the physical protocol could completely change, right? The physical protocol can be wired, it can be Ethernet, it can be wireless, it could be over a serial link, it could be over a fiber optic cable, right? The point is that IP address is a higher level of abstraction over that and the MAC address is something different. Plus, oh, and I was going to say the other thing, well, maybe one of you is going to say this, so I don't want to say it, but the other thing that came to my mind was, well, you can have one MAC address, right, with multiple IP addresses, right? And so then you can also go the other way. Can you go the other way? No, you don't want to go that way. Yeah. But you can have one machine with multiple MAC addresses, each with different IP addresses, right? Plus the link layer protocol provides other services like CRC, which the IP address doesn't provide. Those are essential for data communication without errors and stuff. Yeah, it adds other stuff. Potentially created separately as well. Good question. I think so. Even if it came a little bit later, there's like Token Ring and a bunch of other older network technologies. Wait, just like Token Ring. 
No, yeah. Because you've got the star networks and all sorts of other different ways that they use to connect different things. Yeah, it used to be, what was it? Token Ring where you would get a packet and then pass it on to the person in your class because that's how your packet would get on the local network. Right, go around. It's all like BNC connectors. They run physically together and then they have to pass away. Crazy, yeah. Yeah, okay. What would it be for the security purpose like you can write down which machine has to go through which thing because IP keeps on changing. You have the IP address, you can connect to the network, but the administrator doesn't have a knowledge which machine is using or which machine is accessing what things. I think it's what it's used for. I wouldn't say it was necessarily designed for that, but yeah, that's what they will frequently do if you're caught abusing something, right? The way to prove that is to say, look, we got these packets of you, of this certain Ethernet running a torrent stream on ASU's network, and they'd go and be like, hmm, your computer has this exact same MAC address, right? They don't. They're very clever. You can follow your friends. They don't get that. It's not ethical ring. Cool. All right. Okay, so then we want to send, okay, so we put our, you know, when we make a request, we put our IP address in there, right, to speed up into that optimization. You know, we don't know the target Ethernet address. We also don't know, or the target IP is the IP that we're trying to map, right? We want to know who has this physical address. So now what it looks like. So on your machines, you can do this on a Linux machine. So arp is the command to look at and manipulate your routing table in, I'm saying most Unix machines, but definitely Linux machines. So arp -a in this case lists your routing table. It lists all the entries in your routing table. And in this case, there's nothing. 
So we start off, there's absolutely nothing. So we're on host A, right? Host A's IP address is 192.168.1.100, and it wants to talk to host B, which is 192.168.1.10. So it knows its MAC address, right? But it doesn't know host B's MAC address. So it's going to, so what's the ping command do? It's a level on mark. Yeah, so it's actually an IP level thing. So it's sending an IP packet with an ICMP message type to say, hey, are you up? And then if that puts up, it's supposed to reply back with what we sent to that host. So the ping command uses this ICMP message to test if a host is able to receive us. It's a networking tool. It's not 100% always reliable, just because the other machine doesn't have to actually reply to our pings. So it's not actually a great indicator that the machine is down. They just drop the ICMP packets. Actually, I think Google. If you ping Google, you won't get the reply back. I think it's the other way around. You usually can ping Google, you can't ping Microsoft. The problem is if you do it from ASU's network, ASU drops all of it. I don't know if it's a request or a reply, but... Yeah, I did it from my home. It was dropping the mic. I use Google.com to ping all the time. Yeah, that's the problem is it depends on your network, right? It's not a definitive indicator that things are actually up. It's just an evidence that... Okay, so when we do this ping, right, the very first packet that's going to be sent is an ARP request. So this is a tcpdump output of this. So the first thing that we need to do is we say, okay, we know the IP address of the machine we want to talk to. We know this machine's on our subnetwork, right? Because we're on the subnet of 192.168.1. We didn't say anywhere, but we'll say it here. So now we need to send an ARP request, a broadcast ARP request. So this is how when you see this all Fs here, what does that mean bit-wise? All ones. Yeah, all ones, and that means go to everybody. 
And the important thing here, right, is this is link layer, so it's Ethernet. So this means all the switches and the hubs in between also understand this, and when they get a packet, an Ethernet packet with a destination of all ones, they send it out to every machine possible. They try to broadcast it as widely as possible. So we can read this, we can, you know, we can decode this pretty well. We can say I'm 804874A3, right? I want to send a broadcast, an ARP packet of who-is, or a request, and I want to know who is 192.168.1.10. I am 192.168.1.100, right? So now we've given them all the information they need to be able to reply back to us. So we send out this ARP request, right? And on our simple little three-host network diagram here, both host B and C get this request. So why is that? Broadcast, yeah, sending it everywhere, exactly. That's the whole nature. If host C didn't get it, then they're basically not on our subnet. So now host B is going to reply, and it says I'm 013, whatever, 1D98V8. This is a message for 804874A3. How did it know who to reply to? Yeah, because we gave it in the ARP, the Ethernet ARP request, right? I'm this, this is an ARP message. It's an ARP reply. I'm replying to 192.168.1.10, or I'm saying that I am 192.168.1.10, and I'm at physical address 0131D98V8. We get that reply, and then we, yeah, and then we can start pinging. So I guess I didn't set this up quite right. We can start pinging, so these are ping messages. So these are IP pings from, the way to read this is 192.168.1.100 to 192.168.1.10. This is an ICMP echo request. So this is requesting them to respond to us, and this is their response back, where they respond, hey, this is 192.168.1.10 responding back to 1.100. Here's the reply. And if we look on host A and we run the arp command to look at its table, now we can see that actually host B, 192.168.1.10, is at this location, at this MAC address.
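The exchange just described, as an added example that is not part of the lecture: three hosts on one shared segment, host A builds the broadcast ARP request for 192.168.1.10, host B answers with a unicast reply, and each side fills the cache that arp -a would list. The Ethernet and ARP fields are packed in the real RFC 826 layout, and summarize() prints each frame the way tcpdump does. The MAC addresses, the third host's IP and the Host/deliver helpers are constructed for the example; only the two IPs and the request/reply flow come from the lecture. Note that nothing in the reply is checked against anything: whoever answers first is believed, which is what the attacks discussed next rely on.

```python
"""Simulated ARP exchange on one broadcast segment (added example, not lecture code)."""
import struct
from ipaddress import IPv4Address

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # all ones: every switch and hub repeats it to every port
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + ARP body (28 bytes), RFC 826 layout, network byte order."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame):
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src), "op": op,
        "sender_mac": bytes_to_mac(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": bytes_to_mac(tha), "target_ip": str(IPv4Address(tpa)),
    }


def summarize(frame):
    """One line in the style tcpdump prints for ARP."""
    p = parse_arp_frame(frame)
    if p["op"] == ARP_REQUEST:
        return f"ARP, Request who-has {p['target_ip']} tell {p['sender_ip']}"
    return f"ARP, Reply {p['sender_ip']} is-at {p['sender_mac']}"


class Host:
    def __init__(self, name, ip, mac):
        self.name, self.ip, self.mac = name, ip, mac
        self.arp_cache = {}   # IP -> MAC, what `arp -a` would list on this host
        self.seen = []        # summaries of every frame delivered to this NIC

    def receive(self, frame):
        """Handle one frame; return a reply frame if one is owed, else None."""
        p = parse_arp_frame(frame)
        self.seen.append(summarize(frame))
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]   # the target learns the asker
            return build_arp_frame(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["op"] == ARP_REPLY and p["target_ip"] == self.ip:
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]   # the asker fills its cache, unverified
        return None


def deliver(hosts, frame):
    """One shared segment: a broadcast reaches every other NIC, a unicast only its owner."""
    p = parse_arp_frame(frame)
    replies = []
    for h in hosts:
        if h.mac == p["eth_src"]:
            continue                                   # a NIC does not hear its own frame
        if p["eth_dst"] in (BROADCAST_MAC, h.mac):
            reply = h.receive(frame)
            if reply is not None:
                replies.append(reply)
    return replies


def run_exchange():
    """Host A pings host B for the first time: one broadcast request, one unicast reply."""
    a = Host("A", "192.168.1.100", "08:00:27:48:74:a3")   # constructed MACs
    b = Host("B", "192.168.1.10", "08:00:27:1d:98:b8")
    c = Host("C", "192.168.1.20", "08:00:27:00:00:0c")    # constructed third host
    hosts = [a, b, c]
    request = build_arp_frame(ARP_REQUEST, a.mac, a.ip, "00:00:00:00:00:00", b.ip)
    for reply in deliver(hosts, request):
        deliver(hosts, reply)
    return a, b, c


if __name__ == "__main__":
    for h in run_exchange():
        print(h.name, "saw:", h.seen, "cache:", h.arp_cache)
```

Running it shows the two-packet pattern from the lecture: host C hears the request but learns nothing, host B learns A from the request, and host A learns B from the reply. Host.receive() accepts any reply addressed to it, so the same code would also accept a forged reply.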
So our host A has cached the location of A's MAC address, and also host B has also cached, and knows where host A is. So, specifically, only two: we have a request, a broadcast request, and one reply, right? It wasn't like host B had to then send its own broadcast to figure out how to respond and then be able to respond. Everybody get how this works? So now it's attacking. So what are our goals? What do we want to try to break here? What kind of things can we break? I mean, get into the routing tables of hosts. Is that our goal though, is that our end goal? It's our end goal. It could be a trusted computer on the network. To be a trusted computer on the network? It's a good goal. Overwhelm the table. Maybe overwhelm, yeah. You can think about maybe it's a denial of service attack against the table. Yeah, it's a good one. Impersonate other hosts on the network. Yeah, maybe I can try to impersonate to take advantage of the trust relationship between two hosts, yeah. Ultimately attack everyone in that line. What was it? Ultimately attack everyone in that line. We attack everyone in the local area network. Definitely one option, yeah. So we may want to say, how do we figure out who's on the network? Man in the middle. Man in the middle, what's that mean? It means that you're having all traffic forwarded through you. Yeah, so that could be one thing, right? We want to maybe not disrupt anything, right? Or maybe not attack anything. But we want to essentially snoop on all the traffic that happens in between us. You can bring the line down. What was that? Yeah. Sending dummy packets onto the line so we can bring all the load on the line. Yeah, you can think, you know, if you somehow got into the New York Stock Exchange local area network, you could, like, take down a host at a very particular time and, like, sell the stock and the stock drops or something like that, right? That could be a good attack, yeah. You could pretend to be the DNS of the network. Yeah, you could.
And that kind of goes back to the trust, right? So you impersonate a trusted host on the network and then now you're that host, you know, you have that trust. Yeah, so we want to impersonate a host. We can do denial of service attacks, right? We can access information. We can tamper with some of the delivery mechanisms, which we'll see. One thing is, right, so what about just listening? What can you do just listening, sniffing, it's called sniffing, but, you know, listening, is that useful? Is that a security issue? Oh, yeah. Oh, yeah, why? Unprotected information can be, unprotected information can be accessed by listening. Yeah. Conventional creation, unencrypted packets, poorly encrypted packets, maybe they're using a version of something that's vulnerable. Yeah, you know, you think about it, it really is information, right? But the whole point is, right, what were the three things about security that you care about? Confidentiality, integrity, availability, right? So, yeah, so sniffing gets around confidentiality, right? I don't know, maybe I have stock market things on the mind, but, you know, if you're able to get on a network and be able to, you're being overtly malicious, but you're sniffing and able to find out, hey, their quarterly results are going to be so-and-so before everybody else, right? That's, like, actionable information, or if you find out that, I don't know, the network administrator is cheating on his wife with so-and-so, you can then go to him and, like, blackmail him to get more access into the network, right? And, like, you know, leverage that information however you will. You could, hey, you can do all kinds of stuff. There are actually all these attacks now over email, the goal is they'll try and email CFOs, like the chief financial officers in medium-sized companies, like 100 to 500, and they'll say, this is a really important deal, like, we have to sign this thing with this client, I need 50K transferred to this bank account, like, make it happen.
And oftentimes they do it, and once you do, like, a wire transfer, that money's gone. So, if you could sniff, right, the network, see the emails that are being sent, you could actually impersonate the CEO really well, right? You could include his or her little tag at the bottom, right, or whatever they do. You could see what other crazy, urgent demands they've made in the past and do it similarly, like, do they type all uppercase? Do they swear? What do they do in their emails, so they can more effectively phish money out of these people? Yeah, we could want to spoof, we could want to pretend to be somebody else. We may want to hijack somebody's connection, the man in the middle thing. So what's the big difference? So now we're on the local area network, right? So now we've got to kind of move into the hardware. Like, what is actually on a local area network? So what's the difference between a hub and a switch? I'm going to take a role into that. Hubs are just kind of like, it's interesting to take a look. Yes, it's a good way to think about it. Can't remember. Is it also that a switch is typically a gateway from one network to another where the hub's... Not necessarily. I'd say that's more of a router. A router usually has it on the screen. And all switches are very intelligent, they're complicated, so you can configure them probably in that way. Actually, I think you have to have a dedicated router. We've gone away from using hubs mostly now. Yes, yes. But it's important to talk about it, yeah. Yeah, a switch works on the network layer while a hub works on the data layer. That's another good way to think about it, right? The hub is just basically a dumb repeater. Right, so... I wish I had a switch around here. Switch around here. Just ports, you plug it in. Anything that comes in one port comes out all the other ports. Right, so super dumb hub. One packet comes in and it just sends everything out. But even the switch works in the data link layer and you know what it will do.
Switching around here works on the network. Switching and routing. We'll look at that. So, just to verify, routers work on layer 3, switches work on layer 2 and hubs work on layer 1. Yes, but why, and what do they do, and how is it important to this? That's one of the things I care about. Hubs, they kind of share bandwidth, so you plug 100 meg Ethernet into a hub and it has 10 ports. It will share 10 megs out each port and, as you mentioned, the data is sent out all the ports. Switches segment the network: 100 meg Ethernet port and it has 10 ports. Each of those gets 100 meg Ethernet. That's a big upstream hub, right? What if you're just talking about a local area network? Plug it in. I don't know. The important thing from our perspective is, where do the packets go? So in a switch we can control, we can create virtual LANs and stuff, but in hubs we can't do all that stuff. Yeah, we can do all kinds of crazy stuff in switches, yeah, definitely. For our purposes, we're a malicious person on the local area network, right? All traffic is broadcast to all ports. So anybody that comes in, regardless of if it's a broadcast packet, that's the key thing. So that's another way to think of it. It's just the link layer. It's kind of like plugging all those computers just together. Modern switches. So switches bring it up a little bit and they're a little bit more intelligent. The idea is they're keeping track of which MAC addresses are coming from which ports, and that way when they get a MAC Ethernet packet in, it says, hey, this is a packet to a certain MAC address, they know exactly which port to send it out of. And so they're continually updating their tables of this is the MAC address, basically, so the switch keeps track of MAC addresses to ports, to physical ports. But the important thing to remember, all broadcast traffic is sent to all connected hosts at some point. Directed traffic is targeted specifically to an individual port that it's seen a packet coming from that network.
So there are going to be multiple Ethernet, or there are going to be multiple MAC addresses associated with each port. You can connect these switches and hubs in basically all types of crazy configurations. So just because it's one port does not mean it's one host. Okay, so we'll stop there and we'll come back and talk about network sending. It was very fun.
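The hub-versus-switch behaviour from the last few exchanges, as an added example that is not part of the lecture: a learning switch with a MAC-to-port table, a hub modelled as several hosts sharing one port (so one port does not mean one host), an attacker M sitting on his own port, and a capacity limit on the table so the "overwhelm the table" idea can be tried. The topology, MAC addresses, payload strings and the capacity knob are all constructed for the example; real switches age entries out and have much larger tables, which this model leaves out.

```python
"""Learning switch vs. hub: which NICs see which frames (added example, not lecture code)."""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Host:
    def __init__(self, name, mac):
        self.name, self.mac = name, mac
        self.seen = []   # (src_mac, dst_mac, payload) for every frame that reached this NIC


class Switch:
    """Learning switch; several hosts on one port model a hub hanging off that port."""

    def __init__(self, capacity=None):
        self.ports = {}            # port number -> hosts sharing that port
        self.mac_table = {}        # learned source MAC -> port (the table an attacker can fill)
        self.capacity = capacity   # constructed knob: max entries, None for unlimited
        self.flooded = 0           # frames sent out every port (broadcast or unknown MAC)

    def attach(self, port, host):
        self.ports.setdefault(port, []).append(host)

    def port_of(self, host):
        return next(p for p, hosts in self.ports.items() if host in hosts)

    def send(self, src, dst_mac, payload):
        """Deliver one frame from src; return the switch ports it was forwarded out of."""
        in_port = self.port_of(src)
        frame = (src.mac, dst_mac, payload)
        for h in self.ports[in_port]:        # a hub on the ingress port repeats to its neighbours
            if h is not src:
                h.seen.append(frame)
        if src.mac in self.mac_table or self.capacity is None or len(self.mac_table) < self.capacity:
            self.mac_table[src.mac] = in_port    # learn: this MAC lives behind this port
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            targets = [p for p in self.ports if p != in_port]   # flood like a hub would
            self.flooded += 1
        elif out_port == in_port:
            targets = []                     # same segment; the hub already delivered it
        else:
            targets = [out_port]             # unicast to the one port that MAC was seen on
        for p in targets:
            for h in self.ports[p]:
                h.seen.append(frame)
        return targets


def payloads(host):
    return [payload for _, _, payload in host.seen]


def run_switch_scenario():
    """A, B and attacker M on their own ports; D and E share a hub on port 4."""
    sw = Switch()
    a, b, m = Host("A", "02:00:00:00:00:0a"), Host("B", "02:00:00:00:00:0b"), Host("M", "02:00:00:00:00:0f")
    d, e = Host("D", "02:00:00:00:00:0d"), Host("E", "02:00:00:00:00:0e")
    for port, host in ((1, a), (2, b), (3, m), (4, d), (4, e)):   # constructed topology
        sw.attach(port, host)
    sw.send(a, b.mac, "ping 1")        # B's MAC unknown yet: flooded, so M sees it
    sw.send(b, a.mac, "pong 1")        # A already learned on port 1: M does not see it
    sw.send(a, b.mac, "ping 2")        # both learned: port 2 only
    sw.send(d, e.mac, "hub 1")         # E never spoke: flooded even though E is on D's own hub
    sw.send(e, d.mac, "hub 2")         # D known on the ingress port: not forwarded anywhere
    sw.send(a, BROADCAST, "who-has")   # broadcast: every port, every host
    return sw, {h.name: h for h in (a, b, m, d, e)}


def run_hub_scenario():
    """Same hosts on one hub (all on a single port): every NIC hears every frame."""
    sw = Switch()
    hosts = [Host(n, f"02:00:00:00:00:{i:02x}") for i, n in enumerate("ABMDE", start=10)]
    for h in hosts:
        sw.attach(1, h)
    sw.send(hosts[0], hosts[1].mac, "ping 1")
    return {h.name: payloads(h) for h in hosts}


def run_full_table_scenario():
    """Table already full (capacity 1): later hosts are never learned, so traffic to them floods."""
    sw = Switch(capacity=1)
    a, b, m = Host("A", "02:00:00:00:00:0a"), Host("B", "02:00:00:00:00:0b"), Host("M", "02:00:00:00:00:0f")
    for port, host in ((1, a), (2, b), (3, m)):
        sw.attach(port, host)
    sw.send(a, b.mac, "ping 1")   # A takes the only slot; B unknown: flood
    sw.send(b, a.mac, "pong 1")   # B cannot be learned; A known: port 1 only
    sw.send(a, b.mac, "ping 2")   # B still unknown: flooded again, M sees it
    return payloads(m)
```

In the switched scenario the attacker on port 3 only ever sees the flooded frames ("ping 1", "hub 1" and the broadcast); once the switch has learned both ends of a conversation the unicast traffic between A and B bypasses him entirely, which is exactly what the hub scenario does not do. The full-table scenario shows why filling the table is worth an attacker's time: with no free slot for B, every frame to B keeps being flooded to port 3.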