Basic knowledge of networks

1. OSI (Open System Interconnection)

Open System Interconnection Reference Model. It is a logical definition and specification that logically divides network protocols into seven layers. Each layer has related and corresponding physical devices. For example, a conventional router is a layer-3 switching device and a conventional switch is a layer-2 switching device. The OSI Layer-7 model is a framework design method.
The main purpose of establishing a layer-7 model is to solve compatibility issues encountered during the interconnection of heterogeneous networks. Its main function is to help different types of hosts implement data transmission. Its biggest advantage is that it separates the three concepts of services, interfaces and protocols, and enables reliable communication between different networks of different systems through seven hierarchical structure models.

1. Physical Layer: It mainly defines physical device standards, such as the interface type of the network cable, the interface type of the optical fiber, and the transmission rate of various transmission media. Its main function is to transmit the bit stream (that is, the conversion from 1, 0 to the current strength for transmission, after reaching the destination is converted to 1, 0, that is, the digital-to-analog conversion and digital-to-analog conversion ). The data at this layer is called bits. 2. data link layer: defines how to format data for transmission and how to control access to physical media. This layer usually provides error detection and correction to ensure reliable data transmission. 3. Network Layer: Provides the connection and path selection between two host systems in a network located in different geographic locations. The development of Internet greatly increases the number of users accessing information from various sites in the world, and the network layer is the layer for managing such connections. 4. transmission Layer: defines some data transmission protocols and port numbers (WWW port 80, etc.), such as TCP (transmission control protocol, low transmission efficiency, high reliability, high transmission reliability requirements, large data volume), UDP (User Datagram Protocol, which is the opposite of TCP, is used to transmit data with low reliability requirements and small data volume, for example, QQ chat data is transmitted in this way ).
Data received from the lower layer is segmented and transmitted, and then reorganized after the destination address is reached. This layer of data is often called segments. 5. Session Layer: establishes a data transmission path through the transport layer (port number: Transmission port and receiving port. It is mainly used to initiate a session or accept a session request between your systems (devices need to know each other, either an IP address, a MAC address, or a host name ). 6. Presentation Layer: ensure that the information sent by the application layer of one system can be read by the application layer of another system. For example, a PC program communicates with another computer, one of which uses an extended Gbit/s Exchange Code (ebcdic), and the other uses an American Standard ASCII code (ASCII) to indicate the same characters. If necessary, the presentation layer uses a common format to convert multiple data formats. 7. Application Layer: the OSI Layer closest to the user. This layer provides network services for your applications (such as email, file transfer, and terminal simulation.

2. Data encapsulation and unblocking

3. Protocol Reference Model

The abbreviation of Transmission Control Protocol/Internet Protocol is the Transmission Control Protocol/Internet Interconnection protocol, also known as network communication protocol. It is the most basic Internet protocol and the basis of the internet Internet, it consists of the IP protocol of the network layer and the TCP protocol of the transport layer. TCP/IP
Defines how electronic devices connect to the Internet and how data is transmitted between them. The protocol uses a layer-4 hierarchy. Each layer calls the network provided by its next layer to meet its own needs. In layman's terms: TCP is responsible for discovering transmission problems. When there is a problem, it sends a signal and requires a re-transmission until all data is securely and correctly transmitted to the destination. The IP address specifies an address for each computer on the Internet.

In terms of protocol layered model, TCP/IP consists of four layers: network interface layer, network layer, transmission layer, and application layer.

TCP/IP structure corresponds to OSI

Layers in OSI	Function	TCP/IP protocol family
Application Layer	File transmission, email, file service, virtual terminal	TFTP, HTTP, SNMP, FTP, SMTP, DNS, telnet, etc.
Presentation Layer	Translation, encryption, and Compression	No agreement
Session Layer	Control dialogs and create synchronization points (resume)	No agreement
Transport Layer	Port addressing, segment reorganization, traffic, Error Control	TCP, UDP
Network Layer	Logical addressing and Route Selection	IP, ICMP, OSPF, OSPF, IGMP, Rip, ARP, RARP
Data Link Layer	Frame formation, physical addressing, traffic, error, access control	Slip, cslip, PPP, MTU
Physical Layer	Set network topology, bit transmission, and Bit Synchronization	Iso2110, IEEE802, and 802.2

Note that TCP itself does not have the error detection function caused by noise during data transmission, but implements the error retransmission function that times out;

The physical layer of the network interface layer defines various features of the physical media:

TCP/IP structure corresponds to OSI

TCP/IP	OSI
Application Layer	Application Layer presentation layer
Host to host layer (TCP) (also known as transport layer)	Transport Layer
Network Layer (IP) (also called Internet layer)	Network Layer
Network Interface Layer (also called Link Layer)	Data Link Layer
	Physical Layer

1. Mechanical properties; 2. Electronic properties; 3. functional features; 4. procedure features. The data link layer is responsible for receiving IP data packets and sending them over the network, or receiving physical frames from the network, extracting IP data packets, and handing them over to the IP layer. Common interface layer protocols include Ethernet 802.3, Token Ring 802.5, X.25, frame relay, HDLc, and PPP.
ATM, etc. The network layer is responsible for communication between adjacent computers. Its functions include three aspects.

1. Process the packet sending request from the transport layer. After receiving the request, load the packet into an IP datagram, fill in the header, select the path to the sink, and then send the datagram to the appropriate network interface.
2. Process the input datagram: first check its validity, and then perform a path-if the datagram has arrived at the sink, remove the header and hand over the remaining part to the appropriate transmission protocol; if the datagram has not reached the destination, it is forwarded.
3. Handle problems such as path, traffic control, and congestion.

The network layer includes: IP (Internet Protocol) protocol, ICMP (Internet Control Message Protocol) protocol, ARP (Address Resolution Protocol) protocol, and RARP (reverse ARP) protocol) the reverse address translation protocol. IP address is the core of the network layer. The next IP address is encapsulated by routing and then handed over to the interface layer. IP datagram is a connectionless service. ICMP is a supplement to the network layer and can send packets back. Used to check whether the network is smooth. The Ping Command sends an icmp echo packet and tests the network by sending the echo relay. ARP is a forward Address Resolution Protocol. It uses known IP addresses to find the MAC address of the corresponding host. RARP is a Reverse Address Resolution Protocol that determines the IP address through the MAC address. For example, a diskless workstation also has a DHCP service. The transport layer provides communication between applications. Its functions include: 1. formatting information flows; 2. reliable transmission. To implement the latter, the transport layer protocol requires the receiving end to send back the confirmation, and if the group is lost, it must be re-sent, that is, the familiar "three-way handshake" process, so as to provide reliable data transmission. Transport layer protocols are mainly Transmission Control Protocol (TCP) and User Datagram Protocol (UDP ). The application layer provides users with a set of common applications, such as email, file transfer access, and remote logon. Remote logon Telnet provides interfaces registered on other hosts in the network using the Telnet protocol. The telnet session provides a character-based virtual terminal. File Transfer access FTP uses the FTP protocol to provide the file copy function between machines in the network. The application layer protocols include FTP, telnet, DNS, SMTP, NFS, and HTTP. FTP (file transfer protocol) is a File Transfer Protocol. FTP is used for uploading and downloading. The data port is 20 h and the control port is 21 h. The Telnet service is a remote Logon Service. It uses port 23 and plain code for transmission, which provides poor confidentiality and convenience. DNS (Domain Name Service) is a domain name resolution service that provides translation between domain names and IP addresses, using port 53. SMTP (Simple Mail Transfer Protocol) is a simple mail transmission protocol used to control the sending and transfer of letters. Port 25 is used. Network File System (NFS) is a network file system used for file sharing between different hosts in the network. HTTP (Hypertext Transfer Protocol) is a hypertext transfer protocol used to implement WWW services on the Internet, using port 80.

Summary

Layers in OSI	Function	TCP/IP protocol family
Application Layer	File transmission, email, file service, virtual terminal	TFTP, HTTP, SNMP, FTP, SMTP, DNS, telnet, etc.
Presentation Layer	Data formatting, code conversion, and Data Encryption	No agreement
Session Layer	Release or establish contact with other contacts	No agreement
Transport Layer	Provides end-to-end Interfaces	TCP, UDP
Network Layer	Select a route for a data packet	IP, ICMP, OSPF, OSPF, IGMP, Rip, ARP, RARP
Data Link Layer	Transmitted frame with address and Error Detection Function	Slip, cslip, PPP, MTU
Physical Layer	Transmit data on physical media in the form of binary data	Iso2110, IEEE802, and 802.2

The protocols at the network layer mainly include IP, ICMP, and IGMP. because they contain IP protocol modules, they are the core of all TCP/IP-based networks. At the network layer, the IP module completes most of the functions. ICMP, IGMP, and other protocols that support IP addresses help IP addresses complete specific tasks, such as transmitting error control information and control messages between hosts and routers. The network layer is responsible for information transmission between hosts in the network. The main protocols on the transport layer are TCP and UDP. Just as the network layer controls data transmission between hosts, the transport layer controls the data that will enter the network layer. The two protocols are the two methods for managing the data: TCP is a connection-based protocol, and UDP is the management method for the connectionless service.

IP

The IP layer receives a packet from a lower layer (network interface layer, such as an Ethernet device driver) and sends the packet to a higher layer-TCP or UDP layer, the IP layer also sends packets received from the TCP or UDP layer to the lower layer. IP packets are unreliable because the IP does not do anything to confirm that the packets are sent in order or are not damaged. An IP packet contains the address (source address) of the host that sent the packet and the address (Destination Address) of the host that received the packet ). When receiving data packets, high-level TCP and UDP services generally assume that the source address in the packet is valid. It can also be said that IP addresses form the authentication basis for many services. These services believe that data packets are sent from a valid host. IP validation contains an option called IP source routing, which can be used to specify a direct path between the source address and the destination address. For some TCP and UDP services, the IP packet using this option seems to be transmitted from the last System in the path, rather than from its real location. This option exists for testing, indicating that it can be used to fool the system for a normally prohibited connection. Therefore, many services that rely on the IP Source Address for confirmation will have problems and will be illegally infiltrated. Tcptcp is a connection-oriented communication protocol. When a connection is established through a three-way handshake, the connection must be removed when the communication is completed. Because TCP is connection-oriented, it can only be used for point-to-point communication. TCP provides a reliable data stream service, and adopts the "positive validation with retransmission" technology to achieve transmission reliability. TCP also uses a method called "Sliding Window" for traffic control. The so-called window actually represents the receiving capability, which is used to limit the sending speed of the sender. If an IP packet contains a TCP packet that has been blocked, the IP will send them to the upper layer. TCP sorts packets and checks errors to connect virtual circuits. TCP packets include serial numbers and validation, so packets not received in order can be sorted, and damaged packets can be re-transmitted. TCP sends its information to higher-level applications, such as telnet service programs and customer programs. Applications send information back to the TCP layer in turn, and the TCP layer forwards them down to the IP layer, device drivers and physical media, and finally to the receiver. Connection-oriented services (such as telnet, FTP, rlogin, X Windows, and SMTP) require high reliability, so they use TCP. In some cases, DNS uses TCP (sending and receiving domain name databases), But UDP is used to transmit information about a single host. Udpudp is a connection-free communication protocol. UDP data includes the destination port number and source port number information. As communication does not require connection, broadcast transmission can be implemented. UDP communication does not require confirmation from the receiver. It is an unreliable transmission and may cause packet loss. In practical applications, it is required to be verified by programmers. UDP and TCP are on the same layer, regardless of the packet sequence, error, or resend. Therefore, UDP is not applied to connection-oriented services that use virtual circuits. UDP is mainly used for query-oriented services, such as NFS. Compared with FTP or telnet, these services require less information to be exchanged. Services that use UDP include NTP (Network Time Protocol) and DNS (DNS also uses TCP ). Spoofing UDP packets is easier than spoofing TCP packets because UDP does not establish an initial connection (also known as a handshake) (because there is no virtual circuit between the two systems). That is to say, UDP-related services face greater risks. Icmpicmp and IP are on the same layer and are used to transmit control information of IP addresses. It is mainly used to provide information about the path to the destination address. ICMP's 'redirection' information notifies the host of a more accurate path to other systems, while the 'unreachable' information indicates that the path is faulty. In addition, if the path is unavailable, ICMP can terminate the TCP connection in a decent manner. Ping is the most common ICMP-based service.

ARP Protocol

ARP is the abbreviation of Address Resolution Protocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In Ethernet, to directly communicate with another host, you must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.

ARP Protocol Utilization

I. Exchange Network sniffing
Ii. IP address conflict
3. Prevent target data packets from passing through the gateway
4. Detect nodes in hybrid mode through ARP

I. Exchange Network sniffing
ARP does not receive ARP responses only when an ARP request is sent. When a computer receives an ARP response packet, it updates the local ARP cache and stores the IP and MAC addresses in the response in the ARP cache. Therefore, assume that in the above network, B sends a self-built ARP response to a, and the data in this response is that the sender's IP address is 192.168.10.3 (C's IP address ), the MAC address is a DD-DD-DD-DD-DD-DD (the MAC address of C should have been a CC-CC-CC-CC-CC-CC, Which is forged here ). When a receives B's forged ARP response, it updates the local ARP cache and replaces the local IP-MAC table with the received data format, because all of this is automatically completed by system kernel A, A does not know it has been forged.
ARP spoofing is mainly used for sniffing in the exchange network. The sniffing of the switching network is not discussed in this article.
Ii. IP address conflict
We know that if a host with the same IP address exists in the network, an IP address conflict warning is reported. How did this happen?
For example, if host B sets the IP address to 192.168.0.1 and is in the starting state
Changing the IP address to 192.168.0.1 causes IP address conflict. The principle is: When host a connects to the network (or changes the IP address), it will send an ARP packet to broadcast its own IP address, that is, freearp. If host B with the same IP address exists in the network, B will reply the address through arp. When a receives this reply, a will jump out of the IP address conflict warning, of course, B also has a warning.
Therefore, ARP spoofing can be used to forge this arpreply, which keeps the target suffering from IP address conflict warnings.
3. Prevent target data packets from passing through the gateway
For example, in a LAN through the gateway to access the Internet, then the ARP cache connected to the external computer there is a gateway IP-MAC corresponding records. If the record is changed, the packets sent from the computer are always sent to the wrong gateway hardware address, so that the computer cannot access the Internet.
ARP spoofing is also used here. There are two ways to achieve this purpose.
1. Send forged ARP response packets to the target. The sender's IP address is the gateway address, while the MAC address is a forged IP address. When the target receives the ARP packet, it updates its ARP cache. If the spoofing continues, the target gateway cache is always a forged error record. Of course, if some people know ARP-A, they will know the problem.
2. This method is very embarrassing and spoofing the gateway. Send a forged ARP response packet to the Gateway. the sender's IP address is the destination IP address, while the MAC address is a forged IP address. In this way, the target ARP record on the gateway is incorrect, and all the data packets sent by the gateway to the target use the wrong MAC address. In this case, the target can send data to the gateway, but cannot receive any data from the gateway. At the same time, the target can view ARP-A without any problems.
4. Detect nodes in hybrid mode through ARP
In the hybrid mode, the NIC performs packet filtering differently from the normal mode. In normal mode, only the packets or broadcast (Multicast) of the local address are submitted to the system core by the NIC. Otherwise, these packets are directly discarded by the NIC. Now, the hybrid mode transfers all transmitted data packets to the system core and is then used by programs such as sniffer.
Specially designed ARP requests can be used to detect nodes in the hybrid mode to a certain extent. For example, each node in the network sends an ARP request whose MAC address is FF-FF-FF-FF-FF-FE. This is not a broadcast address (FF-FF-FF-FF-FF-FF) for NICs, so nodes in normal mode will directly discard this packet, but most operating system core Think This Is A broadcast address, if a general sniffer program exists and the NIC is set to the hybrid mode, the system core will respond, so that the system can determine whether these nodes have a sniffer.
As you can see, many ARP-based attacks are implemented through ARP spoofing. To prevent ARP spoofing, try to use static arp. For Windows, use ARP-s to set static arp. Of course, it would be better if static IP addresses and MAC addresses can be used completely, because static ARP cache is only relative.
Of course, there are some ways to detect ARP spoofing. Sets an ARP sniffer that maintains a static table of IP-MAC addresses for a local network, views all the ARP data that passes through, and checks the IP-MAC mappings among them, if the captured IP-MAC ing does not correspond to the maintained static ing, it indicates that it is a spoofing ARP packet.

4. data transmission process