I am doing pretty good. Yeah, we're getting close to the end of network security. I'm excited, a little bit sad, because this is stuff that I really like. Okay, let's get started. How do we do that? "Professor, when can we expect our next homework assignment?" I'm on content from the class. Undecided as to exactly when yet. The goal is to give you a little bit of a break after the midterm. "Much appreciated." Yeah, I know. Tough not having spring break. You had a spring break of no homework in this class. So sorry, that's the best we could do right now. And the other thing we decided to do is offer extra credit. So if you want to get extra credit on a homework assignment, the way this will count is basically 10 points of extra credit on one homework assignment. You don't have to worry about which one, because it doesn't matter; each homework assignment is weighted equally. You'll get that. I don't know how many homeworks you're going to have; it all depends on the pace of the course and things like that. There's something in the syllabus that says there'll be three to seven. We've already hit three. So, you know, I think probably two more-ish is a rough estimate, and the final, but we'll see how that goes. Cool. So there's opportunity for extra credit. Check out the symposium. I think if you're interested in this stuff at all, the symposium will be super cool. We have a wide range: we have a professor from academia, a professor from the University of Texas at Dallas. She does really cool research. We have the head of the security team at Samsung Research, who also has a PhD, talking about the challenges that they face. So we have some things in there. And then Harry Adams is going to give a talk. She is an RPI alum who works with DARPA and does really cool stuff. So she's going to give us a really interesting talk, from the industry perspective.
So we have kind of three cool views here, followed at the end by lightning talks, like 10-minute research talks. You know, come. Write a report, get some extra credit. But, I don't know, stay for all the talks. It's a cool opportunity to see what these interesting people have to say. Yeah. And oh, assignment three will be graded by tomorrow. I'll probably end up talking about it at the start of the class, or maybe I'll wait and do the whole recap on Monday. So that should be fun. And basically the way I like to do it is to just email you each individually your grades. So you'll get an email with exactly what we have for your scores for all the assignments and the midterm. And of course, at this point, you know every single grade you have in this class except for assignment three. So all right. Cool. And I think people are asking in chat if we can crank out four more assignments in five weeks. So who knows. Anything is possible, especially if people are clamoring and asking for it. I know. I'm sorry. It's so fun to mess with you all sometimes. But you're good sports about it. So it's okay. Right. Cool. Okay. Now we're going to. So we looked at how TCP works, right? We looked at literally the underpinnings of the internet, how data gets from one machine to the other. We started off with the TCP three-way handshake. What are the three ways of the handshake? What are the flags that have to get set on each of the packets of that three-way handshake? Thank you. Excellent. So yeah, be sure to burn that into your brain. It is important. Okay. So then. Okay. We did that exchange; we'll do shutdown, because we did that very briefly. So again, TCP is a bidirectional stream. Either side can send data. And we saw that the ACKs are how that data gets acknowledged.
And then the server will get shut down when one side tells the other, "Hey, I will no longer send you any more data." So here the client, by sending a packet with that FIN flag set, means that it will not be sending any more data. And then the server will acknowledge it, maybe send some more data, whatever it wants. It can do anything at this point. And then finally the server will say, "Okay, I'm done. I will no longer send you any data." It'll send a FIN packet, in this case to the client. And finally the client will acknowledge that it received that. And at this point, basically, that four-tuple is now gone, poof, vanished. This connection no longer exists. Questions on shutdown? Cool. So just like before when we talked about, I want to make sure. Notability. I'm ready to go. Class notes. Good. Okay. Hello. Cool. So just like before, with UDP, we wanted to figure out what services are available on a specific port. So just like with UDP, we have a way of doing port scanning. We want to try to determine which TCP services are available on a specific victim host. And just like we saw with UDP, there's a list on most UNIX-type machines in /etc/services that associates the service name with the port. And the really cool thing is that with TCP port scanning, seeing what's open, there are actually a number of different ways to do this, and they have different kinds of trade-offs. Between the, between what? Oh, is that highlight? That's kind of cool. Huh. Did that by accidentally touching the pad there. Anyway, I guess if I do like this. Ooh, that's cool. So you guys can all see that, my laser pointer, right? Please say yes. So I'm in the chat. I'm going to keep doing this. Okay. Thanks. Okay. It's like a prisoner's dilemma in here. You all want to keep the cats. You want to watch the laser move around until somebody says yes. Cool. Okay. Back to TCP.
So there are a number of different ways that we can actually try to determine whether a TCP port is open. Let's look at one of the most basic ones. Let's go back to our flow here where we were establishing a connection. So if we're my machine, and we want to see, in this case, if port 80 is open on Bing, what we can try to do is exactly what we did before and start the three-way handshake. So what do we know when we've completed the three-way handshake with Bing on port 80? We sent a SYN packet to port 80. We got back a SYN/ACK packet. We sent an ACK packet. Yeah. So that port is open, right? There is a service on port 80 running on there. We went through that three-way handshake. What we didn't cover is what happens if there's no service running. Actually, maybe we did briefly touch on it. Essentially what will happen is either B will just drop that packet and not do anything, or it will send back a reset packet, an RST. So we can use this one bit of information: what happens if I try to establish a TCP connection to the server B? I can do that all through here. And the simplest form basically uses connect; here connect is referring to the operating system syscall that the application calls to ask the operating system, "Hey, please connect to this." So it takes essentially an IP and port and then will return either "yes, here's a socket, you can now send out on this socket," or it will return an error and say, "Hey, I couldn't connect to that service." So you can write a really easy program that is basically the equivalent of:

    for (int i = 0; i < 65536; i++) {
        int result = connect(ip, port);
        if (result == 0)
            /* port open */
        else
            /* port closed */
    }

And then you say something like, if result is equal to zero, which usually in C means success, then port open; otherwise, I would say port closed. So I just wrote an incredibly simple TCP port scanner.
I guess let's actually do this slightly better. Oh, there shouldn't be port there. There should be i, because I'm iterating over it and that's the iteration variable. Anyway. So we know, right, and the cool thing about port scanning is we only need one bit of information for each port. We want to know: is the service up or not? Right. That's a bit, the most fundamental basic building block of computing. We don't need to be root; connect doesn't need any root privileges. The disadvantages, if we look at this: for every port that's open, how many packets am I sending? For every single port, for 65,000 ports, I'm going to send a SYN packet. If nothing's there, I'll get a reset back. If something is there, then I'll get a SYN/ACK back, and then I will send an ACK back. So this can actually be pretty noisy. Let's, you want to see this work? I think this will happen much faster. Oh, by the way, here are the results from the previous one. This was our UDP port scan. You can see that there was only one port open when we did this port scan, and it was port 17500, which, if you Google it, is db-lsp-disc, whatever that is. It's actually Dropbox, so this is Dropbox trying to sync. It's the LAN sync option of Dropbox, where basically it broadcasts the packet out on that port to every device on the network to say "what other Dropbox clients are there," and then they can respond on that port. So if I look for the word "connect", I can see it'll tell me: aha, -sT should be a connect scan. So I can use that. If you don't know, there are a lot of cool tricks to operating the command line effectively. One nice one is the arrow keys: arrow up and arrow down will go through your history of commands, so you can easily go to the last command you've looked for. The other really cool thing is if you do Ctrl-R, you can search interactively back through your history.
So you can search and then keep hitting Ctrl-R to go to the next one, and when you're there you can either hit Enter or, I usually do Ctrl-E because it goes to the end of the line, Ctrl-A to go to the front. Sorry, Ctrl, not Command, to do that. So we can see here that to do the connect scan I need, I already forgot what it was, somebody remember what it was? I think it was -sT; it's on this slide, so I can cheat. Good, -sT. Let's do all ports, why not, 65535. All right. There we go, look how much faster that was; we scanned a ton of ports. Oh, it also, so if. Oh no, I don't know how to scroll. Anyway, if we went back up, it took an hour, an entire hour, to do that original UDP port scan. Did somebody have their hand up to ask a question? Okay. Cool, so we can see that on this machine I have a number of ports up. I have port 22, which is the SSH port, and actually, let's, I said. Yeah, so let's do tcpdump on the local host. Run this and the nmap scan again. And so we can actually see all the flags, all the TCP packets. So the way to parse this is, can you all see my cursor when I have my cursor over something at the bottom, can you actually see that? Yeah. Okay. Super weird why it would capture that, because it's not my cursor on the Mac, anyway, who cares, but you can see it, that's good. So the flags here tell you where to look, so this flag is S for SYN. So we can see 127.0.0.1.46908. So we have a TCP SYN packet from localhost, 127.0.0.1 port 46908, to 127.0.0.1 port 308078. And what does it send us back? It sends us back a reset packet, so that's it saying, "Hey, I don't know what you're talking about, go away." So if we want to look at port 22, it will show us what it looks like when it sees something that's open. So we can look back here and we can see: aha, we sent a SYN packet. We got a SYN/ACK, and the dot is an ACK, so that means acknowledgement.
And the cool thing is that we can see the sequence number, so in case you didn't believe me before, the initial sequence number is, wow that's weird, I'm going to read it: 2473259454. And we get an acknowledgement back from the other side of 2437259455, so one more than before, with our own sequence number of 574787530. And then finally we get the ACK back, where we get an ACK packet back of, where. And at this point it says an ACK of one, because tcpdump is normalizing our TCP stream, so it's starting each of them from these values; but if you dug into the, and this is a summarized version of the packets that are going on. But anyway, that's cool to see. Basically the difference here is we can see that it does a SYN, a SYN/ACK and an ACK, and then we send a reset to basically say, "Nope, done with this conversation"; this is coming from our side. Cool. So I have, as a job in, I have port 17500, which is the TCP port on that Dropbox client, and I would guess, given the similarity of these numbers, these are also Dropbox ports, but I can't be certain about that. Cool. So here's what it would look like on something where there are a lot of ports open. But there are actually better ways of doing this port scanning, and specifically here I want to go here. So we saw that for every SYN packet I send, the other side sends a SYN/ACK, I send an ACK, and then I send a reset, so it's basically four packets when it's open, two packets when it's closed. But the other thing is, the way to think about it is, remember we saw and we talked about that, well, you know, what we're actually trying to do is not talk to the server B, right, because B is just an IP address. What we're trying to talk to is on port 80. This web server is actually who we're trying to talk to. So an interesting thing about doing a connect scan: when you do a full connect, the operating system tells the application, "Hey, somebody just completed the three-way TCP handshake."
"You got a new connection, go do your thing." And so it then tries to process that connection, so it actually knows that somebody tried to connect. And we may not want that, because that application may be logging every connection that it gets, and then it just logged our IP address somewhere, so we'd like to try to avoid that if we can. So let's think about the case where this port is open. At what stage of this process does M know that B has a service listening on port 80? Yeah, when it receives the SYN/ACK. So how can it distinguish? Remember, we said it's a binary value. So it gets a packet back. In which case does it know that the port is closed and nothing is listening? A reset. Yes, exactly. And then how does it know when it's open? The SYN/ACK. Great. So yeah, that's exactly it. So this is how we get that one bit of information, and there's no actual need, like, I don't need to make the rest of these packets; I can just never respond. Right, or I can send a reset packet and just say, "Hey, I don't know what you're talking about," and then the other side will go "that's weird" and then just eliminate it. But the packets never actually go up to the original application. So this is called TCP SYN scanning. "Leave them on read," that's pretty good. Yeah, so basically another way is calling it half-open scanning, because you're leaving the connection in the half-open state, because you never completed the third part of that three-way handshake. So we send a SYN; the attacker answers with either a SYN/ACK packet in the case that it's open or a reset packet if the port is closed. And then, to be nice, we could send a reset packet instead of the final ACK, or we can send nothing. And the connection is never opened; the event is never logged by the operating system, because it never actually made a full connection. So I believe the command is -sS. Let's check the man page, because I make a big deal about this.
Yeah, so scan techniques: we can see -sS. So let's do that. And let's go over to the other terminal; let's capture. I want to capture port 80 or port 2222, so that way we can see what happens when a port is open and what happens when a port is not open. So I run that; it should run. Cool, so let's look at this example. So here we have a case where we sent a TCP packet to port 22. We sent a SYN packet. They sent us back a SYN/ACK packet, just like they should do, because we know it's open. And then at this point we sent them a reset. And then at this point the other side says, "Hey, that's weird." So you can think of what would be a normal, what would be a realistic case; something to think about: should we log this, because this is a clear port scan? It means somebody is trying to test our systems. Or is this something that could maybe happen? Yeah, what if, let's say, what if this other side, so if a packet wasn't received. So what'll happen is, we didn't talk about that, because it's part of all this redundancy built into TCP. But for instance, if I send a SYN and I never get a SYN/ACK back, usually there's a timeout when I'll try again, so I'll send another SYN maybe 10 seconds later, and hopefully that one gets through, if the SYN/ACK is the one that is being dropped. Right, so it wouldn't be because of that, but maybe I send a SYN packet, and right after I send it my machine dies. And another machine on my network assumes that IP address. So the SYN/ACK comes back to a different machine. That machine is not expecting this packet, so it says "go away," reset. Right, so this is a case that's unlikely but still could happen given the protocols. So this is why this isn't an event that's, now, this event happening for every single port on your machine, yeah, that's a little suspicious, right, but one, maybe not so important.
So we send that reset, going like, "Hey, what are you talking about," and then at that point the other side never replies to that reset. And then we can look at what happens in the case of a port that's not open. So here, port 2222, again a SYN packet. So that's 61843 to 2222: we send a SYN packet and they send a reset. So we can see the two different cases here, and now it's super cool, so we've been able to scan. Oh, I should have done something else first. Cool, so let's look at some differences here between these two. So this is the connect scan. I'm running my nice little connect scan, I get everything back, I then say, okay, great, that's the connect scan, I want to try a SYN scan. And it's telling me that I requested a scan type which requires root privileges. Why does doing a SYN scan require root privileges? What do you think? So in all these diagrams, who handles this communication, this three-way handshake and all that stuff? Who's sending those TCP packets? Our machine, technically, is sending it. But remember, so the way this is actually working, we talked about there's a machine over here that's listening on port, an application that's running that's listening on port 80. Similarly, it's not our machine that's doing it, right; there's some browser, I'm using some browser like Chrome, that's running on my machine that wants to talk to Bing. Yeah, the operating system, right. So the way this works, otherwise think about how annoying it would be for every application to write its own TCP stack and handle IP and handle fragmentation and handle window sizes of TCP. So all of this is actually handled by the operating system. So Chrome asks the operating system, this is the connect system call, where Chrome asks the operating system, "Hey, please make this connection to this IP address and port." And then the kernel is the one that sends out all these packets.
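The two captures just walked through (SYN, SYN/ACK, RST for an open port under a SYN scan; SYN, RST for a closed one; SYN, SYN/ACK, ACK, RST for the earlier connect scan) can be told apart mechanically from tcpdump's summary lines. The following is an added example written for these notes, not code from the lecture or from nmap or tcpdump: it parses constructed tcpdump-style lines (the `IP src.port > dst.port: Flags [...]` form seen on screen), groups them into exchanges, checks that the SYN/ACK acknowledges the initial sequence number plus one as we verified by hand, labels each probed port open, closed or filtered, and, on the defender's side of the question raised above, flags a source that sent SYNs to many distinct ports, since one stray RST has innocent explanations but a SYN to every port does not. The addresses, sequence numbers and the `port_threshold` of 10 are all made up for the sample.

```python
import re
from collections import defaultdict

# One-line TCP summaries as tcpdump prints them (the form shown in class,
# e.g. "IP 127.0.0.1.46908 > 127.0.0.1.8078: Flags [S], seq ..., ...").
SUMMARY_RE = re.compile(
    r"^(?:\S+\s+)?IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?")

def parse_summary(line):
    """Return a dict for one tcpdump TCP summary line, or None if it is not one."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    seq, ack = m.group("seq"), m.group("ack")
    return {"src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "flags": m.group("flags"),
            "seq": None if seq is None else int(seq),
            "ack": None if ack is None else int(ack)}

def flag_kind(flags):
    """tcpdump flag letters (S=SYN, R=RST, F=FIN, '.'=ACK) -> the names used in class."""
    if "S" in flags:
        return "SYN/ACK" if "." in flags else "SYN"
    if "R" in flags:
        return "RST"
    if "F" in flags:
        return "FIN"
    return "ACK" if flags == "." else "OTHER"

def classify_exchange(packets):
    """Classify one probe exchange (every segment between one client socket and
    one server port, in capture order) as (port_state, explanation)."""
    client = (packets[0]["src"], packets[0]["sport"])
    steps = [("c" if (p["src"], p["sport"]) == client else "s", flag_kind(p["flags"]))
             for p in packets]
    if steps[0] != ("c", "SYN"):
        return "unknown", "exchange does not start with a SYN"
    if len(steps) == 1:
        return "filtered", "SYN never answered (dropped, or a firewall in the way)"
    who, kind = steps[1]
    if who == "s" and kind == "RST":
        return "closed", "RST in reply to the SYN: nothing listening"
    if who == "s" and kind == "SYN/ACK":
        # The SYN/ACK must acknowledge our ISN + 1 (the check done by hand in class).
        if packets[1]["ack"] != packets[0]["seq"] + 1:
            return "unknown", "SYN/ACK does not acknowledge our ISN + 1"
        follow_up = [k for w, k in steps[2:] if w == "c"]
        if follow_up[:1] == ["RST"]:
            return "open", "half-open (SYN scan): RST sent instead of the final ACK"
        if follow_up[:1] == ["ACK"]:
            return "open", "full connect: three-way handshake completed"
        return "open", "SYN/ACK received, handshake left hanging"
    return "unknown", "unexpected %s from %s" % (kind, who)

def scan_report(lines, port_threshold=10):
    """Classify every exchange in a capture and flag sources that sent SYNs to at
    least `port_threshold` distinct ports: one stray RST has innocent
    explanations, a SYN to every port does not."""
    exchanges = defaultdict(list)
    for line in lines:
        p = parse_summary(line)
        if p is not None:
            key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
            exchanges[key].append(p)
    states, probed = {}, defaultdict(set)
    for pkts in exchanges.values():
        first = pkts[0]
        states[(first["src"], first["dst"], first["dport"])] = classify_exchange(pkts)
        if flag_kind(first["flags"]) == "SYN":
            probed[first["src"]].add((first["dst"], first["dport"]))
    suspects = {src: len(ports) for src, ports in probed.items() if len(ports) >= port_threshold}
    return states, suspects

# Constructed sample capture (not real traffic): the open-port SYN scan, the
# closed port, and the full connect from class, one unanswered SYN, then a burst
# of 12 closed-port probes from a second host that the threshold should flag.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 10.0.0.5.46908 > 10.0.0.9.22: Flags [S], seq 2473259454, win 65535, length 0
12:00:00.000200 IP 10.0.0.9.22 > 10.0.0.5.46908: Flags [S.], seq 574787530, ack 2473259455, win 65535, length 0
12:00:00.000300 IP 10.0.0.5.46908 > 10.0.0.9.22: Flags [R], seq 2473259455, win 0, length 0
12:00:00.001100 IP 10.0.0.5.61843 > 10.0.0.9.2222: Flags [S], seq 1000, win 65535, length 0
12:00:00.001200 IP 10.0.0.9.2222 > 10.0.0.5.61843: Flags [R.], seq 0, ack 1001, win 0, length 0
12:00:00.002100 IP 10.0.0.5.50001 > 10.0.0.9.80: Flags [S], seq 5000, win 65535, length 0
12:00:00.002200 IP 10.0.0.9.80 > 10.0.0.5.50001: Flags [S.], seq 9000, ack 5001, win 65535, length 0
12:00:00.002300 IP 10.0.0.5.50001 > 10.0.0.9.80: Flags [.], ack 1, win 6379, length 0
12:00:00.002400 IP 10.0.0.5.50001 > 10.0.0.9.80: Flags [R.], seq 1, ack 1, win 6379, length 0
12:00:00.003100 IP 10.0.0.5.50002 > 10.0.0.9.443: Flags [S], seq 7000, win 65535, length 0
""".splitlines()
for n in range(12):
    SAMPLE_CAPTURE += [
        "12:00:01.%06d IP 10.0.0.77.%d > 10.0.0.9.%d: Flags [S], seq %d, win 1024, length 0"
        % (2 * n, 40000 + n, n + 1, 100 + n),
        "12:00:01.%06d IP 10.0.0.9.%d > 10.0.0.77.%d: Flags [R.], seq 0, ack %d, win 0, length 0"
        % (2 * n + 1, n + 1, 40000 + n, 101 + n)]
```

Calling `scan_report(SAMPLE_CAPTURE)` labels port 22 open by a half-open probe, port 80 open by a completed handshake, 2222 closed, 443 filtered, and returns `10.0.0.77` as the only source over the threshold; the single exchanges from `10.0.0.5` stay below it, which is the point made above about one reset being explainable and sixty-five thousand of them not. A real capture would be fed in with `tcpdump -n -l` piped line by line instead of the embedded string.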
And it says, "Great, I can send this out. I'll do the three-way handshake and I'll let you know when I'm done." And then the kernel, the operating system, manages everything. So this is why, when we originally ran the connect scan, we don't need to be root, because the operating system does connect for us. But if you want to break this cycle, right, the operating system will not send a reset in response to a SYN/ACK; if you want to craft packets by hand, you have to basically ask for permission from the operating system, and so you need root privileges for that. So to be able to do anything fancy, you need root privileges here, and that's why this requires me to use sudo, which runs nmap as root. I think there's a good "I am root" joke in there, but I'll let you fill that in. Here's another example of a tcpdump of TCP traffic that you can look at, where you can tell the difference between ports being open or not with this TCP SYN scanning. Cool. And there are all other types of scanning. This is, you know, I don't have slides on this, but I do want to show you this really quickly, because it is so cool. So here is me failing to scroll; there we go. Okay, this is still running. So when I look at the nmap -sS. Okay, so there are a bunch of different scans: there's SYN, connect, ACK, window, Maimon. I don't even know what Maimon is. There are other cool ones: there's TCP null, TCP FIN, TCP Xmas scans. The Xmas scans, that sounds fun. -sX. Let's see what it looks like, so starting nmap. It's running. Let's check the progress, because we actually don't care what the results are. Of course I wasn't running tcpdump. That's fun. There we go; you see I used Ctrl-R to search through my history in reverse. Cool.
So a Christmas tree attack is a crazy type of scanning where you set all the flags, so it's like a Christmas tree, all the flags are set, and you just see what happens. So the really cool thing is, if you look at the TCP specification, the RFC, it doesn't say what you do if you get a packet that has, like we talked about, right, what happens if you get a packet that's not a SYN packet? Do you send a reset, or do you drop it, or what do you do? And so these types of scans take advantage of that. And actually I'm going to just do that, so maybe we can try to get over quicker. So these types of scans, so a null scan says: what if I send a packet that has no flags set, zero flags? How the operating system handles it could depend on whether there's an application available or not. And if it does, that's that one bit of information that I need, excuse me, in order to tell if the port is open or not. So if the, and the goal here, the idea here, is if this operating system implementation, I guess it's not on this side, sorry, because there's an OS over here, so if the operating system on this side varies its response to a packet depending on whether there's a service listening or not, then you can use that one bit of information to determine if the port is open or not. It's super cool. And this idea. Yeah, exactly, so that's exactly right: Jeremy in chat is asking whether the way the operating system handles different flags isn't managed by some fancy standard. So the real root of it is that the standards do not specify every possible case of what to do if you get a weird packet. Right, the standard basically says when you get a SYN this is how you should respond; it defines a state machine that handles all kinds of stuff, but it doesn't handle every case, like what happens if I get a packet with all flags set, or no flags set.
And if an operating system varies its behavior based on whether an application is listening on that port or not, then you have a very cool, essentially almost a side channel of detecting whether that port is open or not. Let's check on our scans, shall we? Okay, I'm sure it'll say, I don't know why it has to send like four packets; it must be part of the scan, but I haven't done this, I don't think I've done an Xmas scan in a long time, but anyway, you can actually run this and check in on your stuff. I do see that there's a fast mode, scan fewer ports, okay. Cool, okay. And we can actually extend this idea even further. So we just said, hey, depending on what I send, if the operating system changes its behavior based on whether a service is listening on that port or not, then I can detect if the port is listening. There's actually a more fundamental idea, so something to think about. If somebody is out there running, or I guess I have two systems here so I can tell. Actually that's not a good example, so let's, I think Windows is a better example, so Windows. Right, so in this example, my machine right here, we'll say, is my Mac, and the machine here is a Windows machine, or Windows Server or whatever. Are those operating systems the same? Yeah, it's not a trick question; the answer is definitely no. You can even go further and ask, were they written by different people? Yes, the answer is yes. And just like we said, the specification doesn't say exactly what to do, so similar to the Christmas tree attack, what if, because the specification doesn't say what to do if I get a packet with a bunch of flags set, now what if Windows sends a reset when it gets that but Mac drops the packet? What can I use that one bit of information to do? Yeah, determine what operating system is running. And why would I want to determine what operating system is running?
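The "one bit" argument above, for both the null/FIN/Xmas probes and the operating-system difference, can be made concrete with a small model. This is an added example written for these notes, not code from the lecture or from nmap: `rfc793_reply` follows the rules RFC 793 does spell out for a segment that arrives with no connection (a closed port answers anything but a RST with a RST; a listening port ignores a RST, answers a bare ACK with a RST, answers a SYN with a SYN/ACK, and silently drops everything else), while `uniform_rst_reply` is a constructed stand-in for a stack that answers every unexpected segment with a RST, the "Windows sends a reset but Mac drops it" case. The probe names, the stack labels and the helper functions are my own. Comparing the two answers the two questions asked above: which probes leak open-versus-closed on which stack, and which probes tell the two stacks apart. For a defender, the mitigation falls out of the same table: a host or firewall that answers unexpected segments the same way regardless of port state gives the probe nothing to measure.

```python
# Model of how a TCP stack answers a segment that arrives for a port with no
# existing connection, in the two states that matter for port scanning.
# rfc793_reply encodes the rules in RFC 793's "SEGMENT ARRIVES" section;
# uniform_rst_reply is a constructed stand-in for a stack that answers every
# unexpected segment with RST (the lecture's "what if Windows sends a reset
# but Mac drops the packet"). Names below are this example's own.

CLOSED, LISTEN = "CLOSED", "LISTEN"

# Probe shapes named in the lecture, as sets of TCP flags.
PROBES = {
    "SYN": frozenset({"SYN"}),
    "ACK": frozenset({"ACK"}),
    "FIN": frozenset({"FIN"}),
    "NULL": frozenset(),
    "Xmas": frozenset({"FIN", "PSH", "URG"}),
}


def rfc793_reply(state, flags):
    """Reply of an RFC 793-conformant stack: 'RST', 'SYN/ACK', or None (dropped)."""
    if state == CLOSED:
        # Closed port: everything except a RST is answered with a RST.
        return None if "RST" in flags else "RST"
    # LISTEN: an incoming RST is ignored; an ACK is "bad" and gets a RST;
    # a SYN starts a connection; anything else is dropped without reply.
    if "RST" in flags:
        return None
    if "ACK" in flags:
        return "RST"
    if "SYN" in flags:
        return "SYN/ACK"
    return None


def uniform_rst_reply(state, flags):
    """Constructed stack that answers any segment it has no connection for with
    RST, except that a SYN to a listening port opens a connection as usual."""
    if "RST" in flags:
        return None
    if state == LISTEN and "SYN" in flags and "ACK" not in flags:
        return "SYN/ACK"
    return "RST"


def leaks_port_state(reply_fn, flags):
    """True if the reply differs between CLOSED and LISTEN, i.e. the probe
    yields the one bit a scanner needs."""
    return reply_fn(CLOSED, flags) != reply_fn(LISTEN, flags)


def distinguishes_stacks(flags, stack_a, stack_b):
    """True if the two stacks answer the probe differently in some state,
    which is the fingerprinting bit from the lecture."""
    return any(stack_a(s, flags) != stack_b(s, flags) for s in (CLOSED, LISTEN))


def probe_table(stacks):
    """Per probe: which stacks leak open/closed, and whether the stacks are told apart."""
    table = {}
    stack_fns = list(stacks.values())
    for name, flags in PROBES.items():
        table[name] = {
            "leaks_on": [label for label, fn in stacks.items() if leaks_port_state(fn, flags)],
            "fingerprints": distinguishes_stacks(flags, stack_fns[0], stack_fns[1]),
        }
    return table


STACKS = {"rfc793": rfc793_reply, "uniform-rst": uniform_rst_reply}

if __name__ == "__main__":
    for probe, row in probe_table(STACKS).items():
        print("%-5s leaks port state on %-25s tells stacks apart: %s"
              % (probe, row["leaks_on"], row["fingerprints"]))
```

Running it shows why the three odd probes work at all and why they are weaker than a SYN scan: on the RFC 793 stack a FIN, null or Xmas segment is dropped by a listening port but reset by a closed one, so the scanner gets its bit, while the uniform-RST stack resets both and leaks nothing; the same probes are exactly the ones whose reply differs between the two stacks, which is the fingerprint. A bare ACK is reset by both ports on both stacks, which is why an ACK probe cannot say open or closed, only whether something answered.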
Yeah, because that can tell me how to approach it, right; that's more information I can glean about the bank, so that I can attack it. This is actually a common theme: if you think about it, in like every heist movie, what do they have to figure out? They have to figure out exactly what the security system is; they have to figure out exactly what the vault is and what the lock is on the vault. Right, and oftentimes in the movies they will actually buy a copy of that so they can figure out how to break into it. It's exactly the same thing, right: the more information I know about my target system, the better I can craft my attacks for it. And so there's not just that one difference; there are a ton of differences, and the cool thing is, over time, as different operating system versions are introduced, even within a single operating system like Windows, there are differences in how it responds to packets such that you can tell Windows 7 from Windows 8 from Windows 9 from Windows 10. And so it's super useful and really cool. I really just like this idea, this idea that differences in an implementation of a protocol allow you to fingerprint; so the idea is fingerprinting, just like, you know, your fingerprint is supposed to be unique. Was there not a Windows 9? Did I misspeak? Sorry. I haven't. Yeah, anyway, Windows 10, go straight to 10. Is there an 11 yet? I've been out of the Windows game for so long. Okay. I think nine is, is nine bad luck in certain cultures, is that why? Yeah, I was at the, I think it was the Windows 7 release party; it was very fun. "Did Steve Ballmer scream on stage at that one?" Not at that one. It was like an outdoor thing that was pretty fun. He would scream at the company meetings, at the baseball stadium in Seattle, I can't remember exactly what it's called. And he, I mean, that guy was, you want to talk about motivation, he was so inspiring with his energy; it was crazy.
And actually the thing that he did was, when he ran up on stage, he saw a few people that had iPhones that were trying to take pictures of him. And he was on Windows, had a Windows Phone, and he would take it and smash their phone on the ground. And then you'd have other people bring them a replacement Windows Phone. It's crazy. Yeah, it was fun. Cool. Actually the Zoom, anyway, yeah. It's whatever. So anyway, so OS fingerprinting, besides my lack of memorizing Microsoft Windows versions. And so basically this is exactly this: like, what happens if we've never communicated before and I just send you a TCP FIN packet? Do you drop it, or do you send a reset? Because that's kind of weird, because why would the specification say what to do, because a FIN packet means "stop talking to me," but if we've never talked, acknowledge that you don't want to talk to me. So the different flags in the TCP header are sometimes used verbatim in the reply. Weird combinations of TCP flags, the selection of the TCP sequence numbers can give it away, the selection of the TCP window size. And if it sends you ICMP or IP error messages, the rate that it sends error messages, the amount of packets that it sends when it sends an ICMP message, what TCP options it uses or sets. And the crazy thing is, so we'll see active approaches where you send packets, but you can actually do this in a completely passive way. So what does passive mean here? Yeah, so it's about network, right, so was the port scanning that we were doing passive or active? Yeah, active. Why active? Yeah, we actually sent packets, right; we sent packets to try to determine if something was listening or not. Passive would be like what we were doing with tcpdump, where we're just listening. This is super cool: you can fingerprint remotely what machines you're talking to, or what machines are on the internet, just in a passive way by observing traffic. I mean, to me that's like super cool; it's like
I don't know, people who can listen to a bird call and identify exactly what kind of bird it is and the gender and all that kind of cool stuff; so this can happen exactly, you know, on the network. And there's a tool you can check out called p0f that can actually do this. Oh, and we can do this actively with nmap. So. Oh cool, so here the Xmas scan was able to tell that port 22 was open. Yeah, so here we can see the difference of the Xmas scan, so when it sent packets. Now, because of the way this operating system works, when it sent the Xmas packet to port 22, it never got a response, so it actually doesn't know: is somebody dropping this packet, like a firewall, or is it actually open? But it does know that the other ones were closed, so it knows that in the case of this FPU on port 2222 it got a reset packet. The FPU is just the flags that are set, so Xmas must be, I actually don't even know what F stands for. I think P is maybe the urgent pointer. I mean, I don't know, I'd have to look at exactly what these packets are, but this is just the format of an Xmas scan. And if we look at nmap and you say I want to do, oh, F is definitely probably FIN, yeah, thank you. So the FIN and the pointer and urgent, maybe. There we go, OS detection. Cool. So we can do -O to guess the operating system. So I should really do, like, doing this, we can do this -O. And there it's going to send, yeah, so here it sent a bunch of, and it actually is port scanning as well; I guess I didn't ask it to, but it did anyway. Oh, and let's look at all the flags that it sends. So it's just listening on the local host. So we can just see it sending a bunch of TCP packets; you can see some super weird flags in here that we never talked about. SEW, so a SYN, I don't know what E is, or W, window maybe. None, no flags. So you can see it's testing the system in terms of what does it do on each of these things. And now you can see we're getting very weird.
Is that DNS traffic on there? That's weird. That's cool to just show up in my traffic. But so we can see, okay, what did it learn? It learned that it's running Linux version 2.6.x. And it can basically figure that out all through those network packets. So if you run this against one of your Windows hosts, you'll be able to see that. I don't have any other devices that I have permission to mess with, so we won't do that, but you can kind of see how it's able to detect the operating system, which is just super, super cool. Cool. So now that we've touched on port scanning and fingerprinting, let's go back and revisit our old friends, spoofing and hijacking. So what was the difference between spoofing and hijacking? Yeah, good, Eric in the chat: spoofing is like impersonating, so I want to make a TCP connection to one thing while pretending to be a different IP address. Right, so how's that different from hijacking? In the UDP example, UDP spoofing was when I tried to send a command to a trusted system pretending to be a different IP address. And hijacking in this case was I was actually hijacking the reply. So in TCP, spoofing will be: I'm going to try to make a TCP connection to a remote system pretending to be a different IP address. And hijacking is: I actually want to inject data in the middle of a communication between two machines. Cool. And just like we talked about, impersonating a host when establishing a TCP connection: oftentimes there'll be IP addresses, so IP address limitations. So for instance, actually I can give a real example from when we were setting up the midterm CTF. And for about a day, the practice CTF was down while we were setting up the midterm CTF. How I did that was, we run it on Amazon; I went into their settings and I changed it so that only Tiffany's and my IP addresses could make connections to the website, and Amazon would drop any packets from anybody else.
So if you could host a TCP spoofing attack you could then trick the website into believing you were me, and you could have got a day extra accessing the website. Why was I not worried about that? I didn't teach you yet. I have such little faith. You didn't know the address of the server? You know the address of the server because you're accessing it. You don't know my address, so part of it is a little bit of security through obscurity, in that you don't know my personal IP address, so it's really difficult to spoof that. We'll look at the other reason later; there's details in here. But the other cool thing is this weakness of TCP was known back in 1985 in this paper; if you want to check it out you can read about this potential. Okay, so just like before, we have some trust where one system trusts another system. And let's... Christian, are you paying attention? Can we use you again as a... well, one of you can take the class next semester or the semester after that and you can opt to be the bad person. I'm happy to, I'll even, you know, fail you if you'd like, or EU, if you like. Okay, so let's set it up like this, actually, like that we have a real example. So we have my machine, Adam's machine, we have the midterm server. So just like before we'll go IPA, IPM, we'll talk about port 80 because we're talking about the... And then we have Christian, who is trying to get a start on his midterm. Christian knows that the website is set up so that only people coming from IPA can actually access it. Right, everyone get the situation? So what's the packet that Christian's trying to send? So we know the IP level, the IP stuff is easy. The source, is it easy? What's the source going to be of this packet that Christian's going to try to make? Yeah, so the source is IPA and the destination is IPM, thank you. And then at the TCP level, so we have the source port is, doesn't matter, we'll do 2222, the destination port is going to be port 80. And let's see. So what other things do we have to set?
So we have to set a sequence number. So Christian will say 99 for the sequence number. And what flags need to get set? SYN, thank you. Does Christian include any data in this packet? Yeah, why not? Right, because you're just establishing the connection; you literally have to complete the three-way handshake, the other side will tell you to go away if you try to send data. So great. So this packet is sent out by Christian. It goes to M. What does M respond with? So let's first ask, will M respond? Yes, it's going to respond. There is a web server listening. It's not... it'll be, I don't remember what we're running, nginx or something. There's some application running on the midterm server that's listening on port 80. So it will. Okay, so what are the IP addresses here, so what's the source IP of this packet? IPM, thank you, and the destination is IPC. It's incorrect, you're supposed to let me know when I make mistakes. Thank you. You've heard that story about the professor who... I did it again, actually not on purpose that time. Have you heard the story about the professor who told his class at the start, every lecture there's going to be one mistake that I'm going to make in class, so that you'll have to figure out which part of the proof I messed up? Have you heard this story? So anyways, the class basically, you know, copies all the notes and every day after class the class gets together to go through it. And, you know, after every class they're spotting every mistake. It's great. And then at the end, the very last lecture, he gives the lecture, and they meet and they can't find any mistake; they're racking their brains going crazy to try to find this mistake. And finally, at the end, they talk to the professor and they're like, we don't understand, like, there's no mistake in here, we literally can't find it in this lecture. He's like, oh, well, the mistake from the first lecture was that there would be one mistake in every class.
And then... but it got them to pay attention to the whole class, so anyways, that's what I always think of when I make a mistake, as I say, oh, I'm just testing you to see if you can tell. All right. Back to, at the TCP level, what's the source port? 80. Thank you. And the destination port? 2222. Great. What's the sequence number going to be? Yeah, it can be anything, right; specifically, it does not have to be 100, so that's the first thing to realize. Why can it be one? Yeah, because, the important thing to remember is this is now the midterm machine's sequence number, great, okay. So yeah, so you guys already got the acknowledgement number is 100, so it's the sequence number plus one. Okay, and the flags, what flags? This is the thing you got to get. Thank you. Okay. So M sends this packet out. Where does it go? To A. What does A do when it gets that packet? Yeah, so remember, this packet comes from Christian; this packet gets sent from M. And now A will say, it'll say the TCP equivalent of "who dis?" Keeps the source port? Anyways, let's assume that it does, that's kind of interesting. I guess it would just put, yeah, because the other side needs to know, but it's kind of weird that it does this if it doesn't know anything. And I don't think it sends anything else, and it says, go away, I have no idea who you are: reset. And then A sends this packet out. And then what does M do when it receives this? It says, okay, the other side doesn't want to talk to me, great, I'm going to terminate this connection. So M got to the second phase of the three-way handshake, and then the connection never occurred because M never received what... what is M listening for? An ACK, that final third ACK from A. So at this point Christian is sad because his attack didn't work. Yeah, cool. So, can Christian just be sad? So yeah, at this point, now what happens if Christian sends the ACK back? So I'll just say IP the same, TCP... What happens if Christian sends this ACK packet?
Yeah, the other machine, M, will get that and send a reset back, because it's saying, what are you talking about? We haven't talked, right? I haven't established any connection with you and now you're sending me the third part of the three-way handshake, because the handshake terminates as soon as M receives this reset packet. Okay. So, I don't know anything about our real-life Christian, but our virtual Christian here is smart. And so Christian says, aha, the solution is, I need to make sure that Adam's machine doesn't send that reset packet. How can Christian make sure that my machine doesn't send that reset packet? Yeah, what if Christian DoSes my machine? So, now what's going to happen is Christian will do two things: so Christian will send out packet A on the internet and at the same time will DoS Adam's, my, machine such that it cannot respond to any packets. Cool. So then M sends back this SYN-ACK packet. Right. But now this ACK packet, this reset packet, never comes out; it never gets sent. So, Christian can start to create the ACK packet, right. So, again, we're spoofing the IP address of A, the destination is the IP address of M, the source port Christian came up with, so he knows it, 2222, the destination port is port 80. What was Christian's sequence number? So Christian's original sequence number was 99, but we know the ACK will always add one to it, so we can do 100. Now what does Christian put for the acknowledgement number? Puts two. Does Christian know the IP address of A? Yeah, but we have a problem here. So, does Christian know the IP address of A? Yep. Does Christian know the IP address of M? Yes. Does Christian know the source port is 2222? Yep, because Christian created that. Does Christian know the destination port of 80? Yep. So Christian's sequence number, yes, because Christian created the original sequence number, which was 99, so he knows that the sequence number will be 99 plus one.
But we have a fundamental problem: how did Christian know that number? And if we look at this diagram, how can Christian know that number? Right, that packet was sent from M to A. What... how many possibilities are there? What was the size of this acknowledgement? So this is the key right here, is the acknowledgement number. What was the size? Somebody go back to the slides and tell us a big number, how big, there's different big sizes. Yeah, two to the 32, so it's a 32-bit number. Right, so what's that, roughly 2.4 billion, or 4.4... yeah, sorry. Okay, 4.2. What's a couple billion between friends? Is it actually billion, is that right? Yeah, okay, thanks. Cool. Yeah, so Christian has a one in 4.2 billion chance to get this correct. And what happens if Christian gets it incorrect? What happens if Christian is only off by one and guesses that the acknowledgement number is three? Reset, go away, try again, Christian. Right, because not only is M waiting for that packet, but that packet has to have the right acknowledgement number, because, and this is a fundamental part of the robustness of the network, so we're sending a packet that somehow... like, what if Christian actually knows it's two, but a bit gets flipped in Christian's packet for some reason and it becomes three, right? We don't want to have that conversation. So, okay. So what can we do? What can we do? You're now hackers, figure it out. Yeah, snoop. So fundamentally we need to do two things, right, or we need to do one of two things, let's say there's two ways to break this. What does saying that Christian has a one in 4.2 billion chance implicitly mean about this chosen acknowledgement number? Now we know there is a value somewhere; it's random, yes. Right, and that it's chosen sufficiently at random from zero to 4.2 billion. Right, and what if it's not? What if we can guess it? What if we can cut it down so we can guess it to within 16, so we try this 16 times and we get it right once? It's pretty good.
Would you take one in 16 odds over one in 4.2 billion? Yeah, for sure you would take that, awesome. Cool. Okay, so that's one way: we can guess it, right. If it is truly random then we cannot guess it and we're out of luck. So we need to do what people were just talking about: we need to somehow get a copy of this packet; this packet has the information that we need. So what are ways that we learned that we can snoop on other people's traffic? Yeah, how do we get their traffic to look at it in the first place? Yeah, what if we're on the same local network? So now if I take Christian out from here and I say now Christian is on the same local network as M, could Christian get access to that packet? Yeah. What if Christian is so good that he's able to get into my network? Would that also work? Yeah, that would also work. Right, and again, like we said, Christian doesn't have to be physically connected to my network; he can, if he takes over my phone, he's now part of my network; if he takes over my smart fridge, he's now part of my network. Cool, what else? Are there any other places I can put Christian? Yeah, any hop in between, that's a crazy thing, right? This packet is traversing along this whole network. So if I can get, if Christian takes over any switch here, if Christian actually takes over this switch, then Christian can see that packet. If Christian somehow gets access to a local network in there... These are ISPs; I don't think you can guarantee necessarily, but you can make educated guesses. And if you're, let's say, if it's not Christian, if it's the NSA, if you think of a nation-state-level adversary who's willing to spend, I don't know, a couple million dollars on this, they could probably make that happen and figure out which route it's going to take. It's not hard to search for one packet going through those routes among billions. The switches do it, they can do it, and we can make hardware that can do it.
And if we're on the route we actually have an easier job: we don't even have to DoS my machine, we can just steal that packet, never forward it, and do the response. So, the good news is, in terms of security, this is fundamentally similar to UDP in that UDP spoofing... or it's different from UDP, right? There's a built-in security mechanism here in that as long as that acknowledgement number sent by the server is random and unguessable, then it becomes very difficult to break TCP. But if we're able to do that, then we know how to do it. Cool, that was fun. So yeah: send a SYN packet to spoof it, they reply with a SYN-ACK, and then try to get it, guess it, so we need to reply with an acknowledgement of that sequence number plus one. So we can either eavesdrop it or guess it. So this is exactly the same scenario that we talked about, how we do it on time. Okay. Cool. So, similarly, Christian here... actually I'm going to do a new diagram. So I'm here. Here's the midterm server. And what Christian wants to do is, I'm actually accessing the midterm server and he wants to inject into my connection, basically a command that says set Christian's grade to be 100 on the midterm. Or how about, you want to really hack it, Christian, and give yourself 200 out of 100? You're going to settle for 110, man? All right, fine. So, okay, cool. So, what's happening is we already have a connection here. So, I'll stop drawing the IPs. Source port, again, we'll use 2222, dport 80, sequence number 99, flags SYN. So A sends that to M to start the connection. What are you all doing here? Go away, space. And then M responds with a SYN-ACK, sequence number one, I'm going to use the same ones as before, acknowledgement number 100, source port 80, dport 2222. So this is the second packet that gets sent. I guess I can number them; I don't know if that helps, but. Okay, so the SYN-ACK. Now, okay, 80, sequence number is now 100, we're acknowledging that we've seen two, the ACK flag is set.
Now this packet gets sent, packet number three. Cool, three-way handshake, everything good. So now, as time goes on, each side will send each other data, and now Christian would like to interject and send a packet as if it's coming from A. So the TCP, and I'll just do the IP here because I think it could be useful. Okay, so Christian's going to spoof a packet with a source IP of A, destination of IPM. And then at the TCP level, Christian is going to say that the source port is 2222, dport is 80. Now we have a problem. Again, similarly, we said some data has been exchanged, so we don't actually know what the sequence number and acknowledgement numbers are. Let's say that Christian is able to know that because Christian is somewhere along the path. So we can say Christian knows, well, the sequence number is 150. So basically the last... so this way's sequence number is 150, and this way's is 10. So acknowledgement number 10, flags ACK. And now Christian wants to inject some data: set... Do you have a cool hacker handle, Christian, on the website? Actually it's okay, don't write it in chat, I don't want people to set Christian's grade to 200, because he's very bold. All right. Let me know how many characters that is, I guess I'll count with it. So 23 characters, including the newline at the end. Okay, cool. Christian sends that packet out. Now this has the proper... again, we still have the problem of getting these sequence and acknowledgement numbers, but let's say that it's okay. So Christian gets that packet, injects it here, M will receive it. How will M reply to that packet? Yeah, it'll acknowledge it, so it'll say, great, source is IPM, destination is IP of A, source port is 80, in this case destination port is 2222. Now the sequence number for M is still 10; M has not sent any more data. The acknowledgement number, so now what is this going to acknowledge? What's the acknowledgement number going to be for M? So it's going to be 150 plus the size of the data that we've seen.
173, thank you. And the flags are going to be... Cool. So M sends this to A. What does A do when it receives this packet? So it's 173 because the last sequence number from M is 150, and we sent 23 bytes. So it's not going to say reset. So what it's going to say, it's going to send a packet back acknowledging how much it sent so far, so it'll say, hey, that's weird. I am IPA. I've sent a destination of IPM, 2222, dport 80. My sequence number that I last sent you was 150. And I will acknowledge up to 10. So A will send this back to M, and M will say, excuse me, sir, I think it'll actually send this packet again and say, actually, I've received and I'm acknowledging that I've received up to 175. And A will get that back and say, I have sent you up to 150. And this will actually... well, okay, I think I lied. Shoot, I need to make it slightly more complicated. So what M will say is... No, it's not right either. Okay, cool, we can keep it like this. I think it's fine. Okay. So essentially they're in a fight now because they don't know. They've gotten desynced, if you remember back to that thing I just deleted, of the stream, where the sender thinks we're at 150, but the receiver thinks we're at 173. And every time the sender sends a sequence number of what it sent so far, of 150, and every time it gets that the receiver will acknowledge saying, hey, we're at 173, and the sender says, I've sent up to 170, or 150. And they actually just keep sending that back and forth until a packet gets dropped. It's actually called an ACK storm, because a bunch of ACK flags get sent. No, it doesn't do plus one; the plus one, sorry, for the acknowledgement number, the plus one only happens on the very first packet. So the sequence number you can think about is what byte you're expecting next, so the 23 bytes go there, and then you're expecting 173. Cool. So yeah, with this technique you can inject data into a stream, so think about if you're able to get into my TCP, my SSH session.
Right, you're able to inject a command, or if on the midterm website you're able to inject into somebody's connection to the server, you could inject, when they're using the terminal, rm -rf * to delete all their stuff and mess with them. So the sequence and acknowledgement numbers must be correct. So we have to either eavesdrop or guess. This is described here. And the other thing is you want to wait till the connection is quiet, when there's not a lot of data transferred. But the problem is that it desynchronizes the connection, which is what we just looked at. So, cool. So anyways, they keep retransmitting this until we do this, so anyways. So we spoof this TCP packet, it acknowledges, it acknowledges, and it keeps going back and forth with this acknowledgement. You can actually, let's see, I must not... I don't have the TCP traffic. All right, I guess I cut it for time, which is good because we're running out of time. So anyways. But the cool thing is, if Christian actually sits in the middle of this connection, so if Christian's vantage point is in the middle, Christian can control that traffic; he can actually change up and fix the sequence and acknowledgement numbers so that both sides think that they each know the other's sequence and acknowledgement numbers, but actually Christian is making up for that 23-byte difference. Oh, thank you, Watch, I wasn't talking to you. Anyways, yeah, I think that's class, right? We've been going... Yeah, six. Okay, thanks everyone, I appreciate it.
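Added example (not from the lecture or its slides): a small Python simulation of the two attacks the lecture walks through, the spoofed handshake against the IP-restricted server (blind guess of the acknowledgement number, predicting a weak ISN, or eavesdropping the SYN-ACK) and the in-stream injection that leaves A and M desynchronized in an ACK storm. The hosts IPA/IPM/IPC, client sequence number 99, port 2222 -> 80, the 150/10 stream positions and the 23-byte command follow the lecture; everything else is an assumption of the toy model: the counter-style weak ISN generator is made up, the "answer an unacceptable segment with an ACK" rule is the RFC 793 behaviour reduced to one line, and the packet cap in the storm stands in for the dropped packet that eventually ends it.

```python
"""Toy model of blind TCP spoofing and TCP hijacking (ACK storm).
Written for this page; not real TCP and not the lecture's own code."""
import random
from dataclasses import dataclass

SYN = frozenset({"SYN"})
ACK = frozenset({"ACK"})


@dataclass
class Segment:
    src: str            # pretend IP addresses: "IPA", "IPM", "IPC"
    dst: str
    seq: int
    ack: int
    flags: frozenset
    data: bytes = b""


class Endpoint:
    """Just enough TCP state to show why seq/ack numbers must line up."""

    def __init__(self, name, isn_gen):
        self.name = name
        self.isn_gen = isn_gen      # callable giving our initial sequence number
        self.state = "LISTEN"
        self.snd_nxt = 0            # next sequence number we will send
        self.rcv_nxt = 0            # next sequence number we expect from the peer

    def _ack(self, to):
        return Segment(self.name, to, self.snd_nxt, self.rcv_nxt, ACK)

    def _rst(self, seg):
        return Segment(self.name, seg.src, seg.ack, 0, frozenset({"RST"}))

    def receive(self, seg):
        """Handle one segment; return the segment we send back, or None."""
        if "RST" in seg.flags:
            self.state = "CLOSED"
            return None
        if self.state == "LISTEN" and seg.flags == SYN:
            self.rcv_nxt = seg.seq + 1          # the SYN uses one sequence number
            self.snd_nxt = self.isn_gen()       # our ISN: what the attacker must learn
            self.state = "SYN_RECEIVED"
            reply = Segment(self.name, seg.src, self.snd_nxt, self.rcv_nxt, SYN | ACK)
            self.snd_nxt += 1
            return reply
        if self.state == "SYN_RECEIVED" and "ACK" in seg.flags:
            if seg.ack != self.snd_nxt or seg.seq != self.rcv_nxt:
                return self._rst(seg)           # wrong third packet: "go away, try again"
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED":
            if seg.ack > self.snd_nxt or seg.seq != self.rcv_nxt:
                return self._ack(seg.src)       # unacceptable segment: re-announce our position
            self.rcv_nxt += len(seg.data)
            return self._ack(seg.src) if seg.data else None
        return self._rst(seg)                   # e.g. an ACK with no handshake behind it


def random_isn():
    """Unpredictable 32-bit ISN: one guess succeeds with probability 1/2**32."""
    return random.SystemRandom().getrandbits(32)


def counter_isn(step=64000, start=1000):
    """Made-up weak generator (assumption): a fixed step per connection."""
    state = {"last": start}

    def gen():
        state["last"] += step
        return state["last"]
    return gen


def blind_spoof(server, guessed_ack):
    """Christian sends a SYN as IPA; the SYN-ACK goes to the DoS'ed A, so he
    never sees the server's ISN and must guess the acknowledgement number."""
    server.receive(Segment("IPA", "IPM", 99, 0, SYN))
    server.receive(Segment("IPA", "IPM", 100, guessed_ack, ACK))
    return server.state == "ESTABLISHED"


def predict_and_spoof(isn_gen, step):
    """Learn the ISN from a connection we open honestly, then predict the next one."""
    seen = Endpoint("IPM", isn_gen).receive(Segment("IPC", "IPM", 5, 0, SYN))
    return blind_spoof(Endpoint("IPM", isn_gen), seen.seq + step + 1)


def eavesdrop_spoof(server):
    """Christian on the path reads the SYN-ACK instead of guessing."""
    synack = server.receive(Segment("IPA", "IPM", 99, 0, SYN))
    server.receive(Segment("IPA", "IPM", 100, synack.seq + 1, ACK))
    return server.state == "ESTABLISHED"


PAYLOAD = b"set grade chris to 200\n"   # made-up 23-byte command, as in the lecture


def inject_and_count_storm(max_packets=10):
    """Inject PAYLOAD into an established A<->M stream at the lecture's positions
    and count the ACKs bounced back and forth; max_packets stands in for the
    dropped packet that ends a real ACK storm."""
    a = Endpoint("IPA", random_isn); a.state = "ESTABLISHED"; a.snd_nxt, a.rcv_nxt = 150, 10
    m = Endpoint("IPM", random_isn); m.state = "ESTABLISHED"; m.snd_nxt, m.rcv_nxt = 10, 150
    seg = m.receive(Segment("IPA", "IPM", 150, 10, ACK, PAYLOAD))   # M accepts, acks 173
    hops = 0
    while seg is not None and hops < max_packets:
        seg = (a if seg.dst == "IPA" else m).receive(seg)           # A: "ack for bytes I never sent"
        hops += 1
    return m.rcv_nxt, a.snd_nxt, hops


if __name__ == "__main__":
    print("blind guess:", blind_spoof(Endpoint("IPM", random_isn), 2))
    print("predicted weak ISN:", predict_and_spoof(counter_isn(step=64000), 64000))
    print("eavesdropped SYN-ACK:", eavesdrop_spoof(Endpoint("IPM", random_isn)))
    print("storm (m.rcv_nxt, a.snd_nxt, packets):", inject_and_count_storm())
```

Running it shows the four outcomes from the lecture in order: the blind guess gets a reset, the weak generator lets one honest connection predict the next ISN, being on the path makes the guess unnecessary, and after the injection M sits at 173 while A still believes it has sent 150, the two trading ACKs until the cap (a real stack keeps going until a packet is lost).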