Study On Transmission Control Protocol And Ip Computer Science Essay

TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP is a connection-oriented, end-to-end reliable protocol designed to fit into a layered hierarchy of protocols which support multi-network applications. TCP is responsible for verifying the correct delivery of data from client to server. Data can be lost in the intermediate network. TCP is known as a connection-oriented protocol, which means that a connection is established and maintained until such time as the message or messages to be exchanged by the application programs at each end have been exchanged. TCP is responsible for ensuring that a message is divided into the packets that IP manages and for reassembling the packets back into the complete message at the other end. In the Open Systems Interconnection (OSI) communication model, TCP is in layer 4, the Transport Layer. TCP adds some support to detect errors or lost data and to trigger retransmission until the data is correctly and completely received. The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to-host protocol between hosts in packet-switched computer communication networks, and in interconnected systems of such networks. The TCP provides for reliable inter-process communication between pairs of processes in host computers attached to distinct but interconnected computer communication networks. Very few assumptions are made as to the reliability of the communication protocols below the TCP layer. TCP assumes it can obtain a simple, potentially unreliable datagram service from the lower level protocols. 
In principle, TCP should be able to operate above a wide spectrum of communication systems, ranging from hard-wired connections to packet-switched or circuit-switched networks [1] [2] [3]. See figure a in the appendix.


The TCP header carries eight 1-bit flags, also known as Control Bits, which serve the purposes listed below [6].

CWR - Congestion Window Reduced. It is set by the sending host to indicate that it received a TCP segment with the ECE flag set.

ECE - ECN-Echo, for Explicit Congestion Notification. During the 3-way handshake it indicates that the TCP peer is ECN capable.

URG - It indicates that the URGent pointer field is significant.

ACK - It indicates that the ACKnowledgment field is significant.

PSH - It requests the Push function.

RST - It is used to ReSeT the connection.

SYN - It is used to SYNchronize the sequence numbers.

FIN - It marks the FINish of the data: the sender has no more data to transfer.

What is NetBIOS?

NetBIOS (Network Basic Input/Output System) is a set of rules that allows different computers to communicate within a local area network. NetBIOS was created by IBM in the early days of PC Network, was later adopted by Microsoft, and has since become a de facto industry standard. NetBIOS is used in Ethernet and token ring networks and, as part of the NetBIOS Extended User Interface (NetBEUI), in recent Microsoft Windows operating systems [4].

NetBIOS frees the application from having to understand the details of the network, including error recovery (in session mode). A NetBIOS request is provided in the form of a Network Control Block (NCB) which, among other things, specifies a message location and a name. See figure b in the appendix for NetBIOS.

Packet analysis (Handshake mechanism):-

In the packet analysis phase, the first three packets establish a full-duplex TCP connection initiated by the client; the NetBIOS session request, carried over that TCP connection, is the last step of this phase.

After this sequence of three exchanges the two machines are synchronized and communication can begin.

PROBLEM AND FINDINGS:

08/16-15:27:17.820587 193.63.129.192:1843 -> 193.63.129.187:139

TCP TTL:128 TOS:0x0 ID:48195 IpLen:20 DgmLen:44 DF

******S* Seq: 0xF1908361 Ack: 0x0 Win: 0x2000 TcpLen: 24

TCP Options (1) => MSS: 1460

Description: The packet was sent from the class C address 193.63.129.192 (host 192), port 1843, with the SYN flag set in the TCP segment, to the server 193.63.129.187 (host 187), port 139, requesting a connection.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


08/16-15:27:17.820656 193.63.129.187:139 -> 193.63.129.192:1843

TCP TTL:128 TOS:0x0 ID:2676 IpLen:20 DgmLen:44 DF

***A**S* Seq: 0x7CFB7BBA Ack: 0xF1908362 Win: 0x2238 TcpLen: 24

TCP Options (1) => MSS: 1460

Description: The receiving host 187, port 139, after receiving the SYN flag, replies with SYN/ACK and the acknowledgement Ack: 0xF1908362 (the client's sequence number plus one); the server side is now ready to establish the link with the client.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:17.820785 193.63.129.192:1843 -> 193.63.129.187:139

TCP TTL:128 TOS:0x0 ID:48451 IpLen:20 DgmLen:40 DF

***A**** Seq: 0xF1908362 Ack: 0x7CFB7BBB Win: 0x2238 TcpLen: 20

Description: The client (host 192) replies to the server with an ACK, incrementing the server's sequence number (0x7CFB7BBA) by 1 to Ack: 0x7CFB7BBB. At this point the connection is established through the 3-way handshake. See figure c in the appendix.
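The three handshake packets above can be checked mechanically. The following is an added example, not part of the original essay: it parses the snort-style header and flag lines of the first three packets (copied from the dump above) and verifies the SYN, SYN/ACK and ACK rules and the ISN + 1 arithmetic that the descriptions walk through.

```python
import re

# Header and flag lines of the three handshake packets above, copied from the
# snort-style dump (constructed input for this example).
HANDSHAKE_DUMP = """\
08/16-15:27:17.820587 193.63.129.192:1843 -> 193.63.129.187:139
******S* Seq: 0xF1908361 Ack: 0x0 Win: 0x2000 TcpLen: 24
08/16-15:27:17.820656 193.63.129.187:139 -> 193.63.129.192:1843
***A**S* Seq: 0x7CFB7BBA Ack: 0xF1908362 Win: 0x2238 TcpLen: 24
08/16-15:27:17.820785 193.63.129.192:1843 -> 193.63.129.187:139
***A**** Seq: 0xF1908362 Ack: 0x7CFB7BBB Win: 0x2238 TcpLen: 20
"""

# snort prints the control bits in the fixed order 1 2 U A P R S F, using '*'
# for a bit that is clear.
HDR_RE = re.compile(r"^\S+ (\S+) -> (\S+)$")
FLG_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+)")
MASK32 = 0xFFFFFFFF  # sequence numbers wrap modulo 2**32


def parse_segments(dump):
    """Pair each 'src -> dst' line with the flag line that follows it."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    segs = []
    for hdr, flg in zip(lines[0::2], lines[1::2]):
        src, dst = HDR_RE.match(hdr).groups()
        flags, seq, ack = FLG_RE.match(flg).groups()
        segs.append({"src": src, "dst": dst, "flags": set(flags) - {"*"},
                     "seq": int(seq, 16), "ack": int(ack, 16)})
    return segs


def check_handshake(segs):
    """Apply the three-way handshake rules to the first three segments and
    return the list of rules they break (empty when the handshake is sound)."""
    syn, synack, ack = segs[:3]
    problems = []
    if syn["flags"] != {"S"}:
        problems.append("packet 1 must carry SYN only")
    if synack["flags"] != {"S", "A"} or (synack["src"], synack["dst"]) != (syn["dst"], syn["src"]):
        problems.append("packet 2 must be SYN/ACK from the server back to the client")
    if synack["ack"] != (syn["seq"] + 1) & MASK32:
        problems.append("SYN/ACK must acknowledge the client ISN + 1")
    if ack["flags"] != {"A"} or ack["src"] != syn["src"]:
        problems.append("packet 3 must be a bare ACK from the client")
    if ack["seq"] != synack["ack"] or ack["ack"] != (synack["seq"] + 1) & MASK32:
        problems.append("final ACK must carry client ISN + 1 and acknowledge server ISN + 1")
    return problems


if __name__ == "__main__":
    segs = parse_segments(HANDSHAKE_DUMP)
    print(check_handshake(segs) or "handshake %s <-> %s is consistent" % (segs[0]["src"], segs[0]["dst"]))
```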

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:17.820801 193.63.129.192:1843 -> 193.63.129.187:139

TCP TTL:128 TOS:0x0 ID:48707 IpLen:20 DgmLen:112 DF

***AP*** Seq: 0xF1908362 Ack: 0x7CFB7BBB Win: 0x2238 TcpLen: 20

81 00 00 44 20 45 4B 44 45 43 4E 45 4A 46 45 46 ...D EKDECNEJFEF

43 45 4D 43 4E 44 42 44 45 43 41 43 41 43 41 43 CEMCNDBDECACACAC

41 43 41 43 41 00 20 45 4B 44 45 43 4E 45 4A 46 ACACA. EKDECNEJF

45 46 43 45 4D 43 4E 44 42 44 4A 43 41 43 41 43 EFCEMCNDBDJCACAC

41 43 41 43 41 41 41 00 ACACAAA.

Description: The client (host 192) is requesting a NetBIOS session with the server (host 187). This is a TCP packet sent by the requesting host as a unicast within the 193.63.129 subnet. The leading bytes 81 00 00 44 show a NetBIOS session request (type 0x81) of length 0x44 bytes, by which the client asks the receiving host for a session with its share service; the 0x00 byte that follows each 32-character encoded name terminates that name. [7]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:17.820875 193.63.129.187:139 -> 193.63.129.192:1843

TCP TTL:128 TOS:0x0 ID:2932 IpLen:20 DgmLen:44 DF

***AP*** Seq: 0x7CFB7BBB Ack: 0xF19083AA Win: 0x21F0 TcpLen: 20

82 00 00 00

....

Description: The first byte 82 indicates a positive session response: the connection between server and client is successful. From the sequence number (0x7CFB7BBB) it is clear that the destination host replied to the client (the requesting host) for the NetBIOS connection. This is called the server-to-client response or session Ack. (Blyth, 2010 slides)
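The session request and the 82 00 00 00 response described in the two descriptions above, decoded programmatically. This is an added example, not part of the original essay: it takes the hex columns of both messages from the dump above, checks the 4-byte session header, and reverses the RFC 1002 first-level name encoding (each nibble sent as the letter 'A' + nibble), which reveals the called name J4-ITRL-14 (the server) and the calling name J4-ITRL-19 (the client) together with their service suffixes.

```python
# Hex columns of the NetBIOS session request (type 0x81) and the positive
# session response (type 0x82) above, copied from the dump; constructed input.
SESSION_REQUEST = bytes.fromhex("""
81 00 00 44 20 45 4B 44 45 43 4E 45 4A 46 45 46
43 45 4D 43 4E 44 42 44 45 43 41 43 41 43 41 43
41 43 41 43 41 00 20 45 4B 44 45 43 4E 45 4A 46
45 46 43 45 4D 43 4E 44 42 44 4A 43 41 43 41 43
41 43 41 43 41 41 41 00
""")
SESSION_RESPONSE = bytes.fromhex("82 00 00 00")

# RFC 1002 session message types and the common 16th-byte name suffixes.
MSG_TYPES = {0x81: "session request", 0x82: "positive session response",
             0x83: "negative session response"}
SUFFIXES = {0x00: "workstation service", 0x20: "file server service"}


def decode_nb_name(encoded):
    """Undo first-level encoding: each nibble was sent as 'A' + nibble, so a
    pair of letters A..P yields one byte. Byte 16 is the service suffix."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("expected 32 letters in the range A..P")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def parse_session_message(data):
    """Parse the 4-byte session header (type, flags, 16-bit length) and, for
    a session request, the called and calling names that follow it."""
    msg_type, flags = data[0], data[1]
    length = int.from_bytes(data[2:4], "big") | ((flags & 0x01) << 16)
    if length != len(data) - 4:
        raise ValueError("length field %d does not match payload" % length)
    msg = {"type": MSG_TYPES.get(msg_type, "unknown 0x%02X" % msg_type)}
    if msg_type == 0x81:
        # Each name is a 0x20 length byte, 32 encoded characters and a 0x00.
        if length != 68 or data[4] != 0x20 or data[37] != 0 or data[38] != 0x20 or data[71] != 0:
            raise ValueError("malformed session request")
        msg["called"], msg["calling"] = decode_nb_name(data[5:37]), decode_nb_name(data[39:71])
    return msg


if __name__ == "__main__":
    req = parse_session_message(SESSION_REQUEST)
    for role in ("called", "calling"):
        name, suffix = req[role]
        print("%s name: %s <%02X> (%s)" % (role, name, suffix, SUFFIXES.get(suffix, "other")))
    print(parse_session_message(SESSION_RESPONSE)["type"])
```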

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:17.916990 193.63.129.192:1843 -> 193.63.129.187:139

TCP TTL:128 TOS:0x0 ID:48963 IpLen:20 DgmLen:214 DF

***AP*** Seq: 0xF19083AA Ack: 0x7CFB7BBF Win: 0x2234 TcpLen: 20

00 00 00 AA FF 53 4D 42 72 00 00 00 00 18 03 00 .....SMBr.......

00 00 00 00 00 00 00 00 00 00 00 00 00 00 FE CA ................

00 00 00 00 00 87 00 02 50 43 20 4E 45 54 57 4F ........PC NETWO

52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0..

58 45 4E 49 58 20 43 4F 52 45 00 02 4D 49 43 52 XENIX CORE..MICR

4F 53 4F 46 54 20 4E 45 54 57 4F 52 4B 53 20 31 OSOFT NETWORKS 1

2E 30 33 00 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 .03..LANMAN1.0..

57 69 6E 64 6F 77 73 20 66 6F 72 20 57 6F 72 6B Windows for Work

67 72 6F 75 70 73 20 33 2E 31 61 00 02 4C 4D 31 groups 3.1a..LM1

2E 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E .2X002..LANMAN2.

31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00 1..NT LM 0.12.

Description: This packet is the client's SMB negotiate message to the server. It is recognised by the first four bytes of the SMB header, 0xFF followed by 'S' 'M' 'B'. The client sends a list of SMB dialects to the server, hoping the server will select at least one of them; if it does, the client can continue to negotiate and maintain the connection. At this point an open communication channel is formed between client and server.

The dialects sent are PC NETWORK PROGRAM 1.0, XENIX CORE, MICROSOFT NETWORKS 1.03, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1 and NT LM 0.12 [6].

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:17.917098 193.63.129.187:139 -> 193.63.129.192:1843

TCP TTL:128 TOS:0x0 ID:3188 IpLen:20 DgmLen:147 DF

***AP*** Seq: 0x7CFB7BBF Ack: 0xF1908458 Win: 0x2142 TcpLen: 20

00 00 00 67 FF 53 4D 42 72 00 00 00 00 98 03 00 ...g.SMBr.......

00 00 00 00 00 00 00 00 00 00 00 00 00 00 FE CA ................

00 00 00 00 11 07 00 03 32 00 01 00 04 11 00 00 ........2.......

00 00 01 00 00 00 00 00 FD 43 00 00 70 E8 2D 06 .........C..p.-.

31 45 C2 01 C4 FF 08 22 00 10 3F 5E D8 E2 24 3A 1E....."..?^..$:

26 53 00 4F 00 43 00 5F 00 53 00 45 00 43 00 55 &S.O.C._.S.E.C.U

00 52 00 49 00 54 00 59 00 00 00 .R.I.T.Y...

Description: This packet is the server response, also called the SMB negotiation response. In this packet the server also sends an 8-byte challenge key; after receiving the challenge key the client sends the hashed (encrypted) key back to the server. Dialect index 07 00 corresponds to the SMB dialect NT LM 0.12, which the server selected from the series of dialects sent by the client; the server thus responds to the client indicating the dialect NT LM 0.12 (07 00) (S Harris et al 2007). SOC_SECURITY is the SMB domain name and 1E represents the USER level.
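The dialect negotiation covered by the previous two descriptions, parsed from the bytes on the page. This is an added example, not part of the original essay: it reads the hex columns of the client's negotiate request and the first three lines of the server's response (both copied from the dumps above), skips the NetBIOS and SMB headers, lists the 0x02-prefixed dialect strings the client offered, and maps the server's DialectIndex (07 00) back onto that list.

```python
# Hex columns of the SMB Negotiate request (client) and the first three lines
# of the Negotiate response (server) above, copied from the dump; constructed input.
NEGOTIATE_REQUEST = """
00 00 00 AA FF 53 4D 42 72 00 00 00 00 18 03 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FE CA
00 00 00 00 00 87 00 02 50 43 20 4E 45 54 57 4F
52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02
58 45 4E 49 58 20 43 4F 52 45 00 02 4D 49 43 52
4F 53 4F 46 54 20 4E 45 54 57 4F 52 4B 53 20 31
2E 30 33 00 02 4C 41 4E 4D 41 4E 31 2E 30 00 02
57 69 6E 64 6F 77 73 20 66 6F 72 20 57 6F 72 6B
67 72 6F 75 70 73 20 33 2E 31 61 00 02 4C 4D 31
2E 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E
31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00
"""
NEGOTIATE_RESPONSE = """
00 00 00 67 FF 53 4D 42 72 00 00 00 00 98 03 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 FE CA
00 00 00 00 11 07 00 03 32 00 01 00 04 11 00 00
"""
SMB_COM_NEGOTIATE = 0x72

def smb_body(pkt):
    """Skip the 4-byte NetBIOS session header and the 32-byte SMB header,
    after checking the 0xFF 'S' 'M' 'B' magic and the Negotiate command."""
    smb = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB Negotiate message")
    return smb[32:]

def request_dialects(pkt):
    """Negotiate request: WordCount, ByteCount, then 0x02 <dialect> 0x00 entries."""
    body = smb_body(pkt)
    word_count, byte_count = body[0], int.from_bytes(body[1:3], "little")
    data = body[3 + 2 * word_count:][:byte_count]
    dialects = []
    while data:
        if data[0] != 0x02:
            raise ValueError("dialect entry must start with 0x02")
        end = data.index(b"\x00")
        dialects.append(data[1:end].decode("ascii"))
        data = data[end + 1:]
    return dialects

def response_dialect_index(pkt):
    """Negotiate response: WordCount (0x11 for NT LM 0.12), then the 16-bit
    little-endian DialectIndex into the list the client offered."""
    return int.from_bytes(smb_body(pkt)[1:3], "little")

def negotiated_dialect(request_hex, response_hex):
    """Map the server's DialectIndex back onto the client's dialect list."""
    dialects = request_dialects(bytes.fromhex(request_hex))
    return dialects[response_dialect_index(bytes.fromhex(response_hex))]
```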

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:18.015822 193.63.129.192:1843 -> 193.63.129.187:139

TCP TTL:128 TOS:0x0 ID:49219 IpLen:20 DgmLen:228 DF

***AP*** Seq: 0xF1908458 Ack: 0x7CFB7C2A Win: 0x21C9 TcpLen: 20


00 00 00 B8 FF 53 4D 42 73 00 00 00 00 18 03 80 .....SMBs.......

00 00 C6 87 BA 80 0C 5F BE 6A 00 00 00 00 FE CA ......._.j......

00 00 00 00 0D 75 00 84 00 04 11 32 00 00 00 00 .....u.....2....

00 00 00 01 00 00 00 00 00 00 00 D4 00 00 00 47 ...............G

00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 ......W.i.n.d.o.

77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 w.s. .N.T. .1.3.

38 00 31 00 00 00 00 00 57 00 69 00 6E 00 64 00 8.1.....W.i.n.d.

6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 34 00 o.w.s. .N.T. .4.

2E 00 30 00 00 00 00 00 04 FF 00 00 00 00 00 01 ..0.............

00 29 00 00 5C 00 5C 00 4A 00 34 00 2D 00 49 00 .)..\.\.J.4.-.I.

54 00 52 00 4C 00 2D 00 31 00 34 00 5C 00 49 00 T.R.L.-.1.4.\.I.

50 00 43 00 24 00 00 00 49 50 43 00 P.C.$...IPC.

Description: As the SMB dialect sent by the client was accepted by the server, the client moves to the next step: a session setup carrying an anonymous username and a null password, in order to get authenticated and obtain a user ID. Command batching is used here to reduce bandwidth by merging two commands into one packet, and with it the client connects to the IPC$ tree (\\J4-ITRL-14\IPC$). The host name of the server is J4-ITRL-14; the operating system reported is Windows NT 4.0 and the LAN Manager is Windows NT 1381. (Microsoft handbook)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:18.016035 193.63.129.187:139 -> 193.63.129.192:1843

TCP TTL:128 TOS:0x0 ID:3444 IpLen:20 DgmLen:196 DF

***AP*** Seq: 0x7CFB7C2A Ack: 0xF1908514 Win: 0x2086 TcpLen: 20

00 00 00 98 FF 53 4D 42 73 00 00 00 00 98 03 80 .....SMBs.......

00 00 C6 87 BA 80 0C 5F BE 6A 00 00 01 08 FE CA ......._.j......

01 08 00 00 03 75 00 88 00 00 00 5F 00 00 57 00 .....u....._..W.

69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 i.n.d.o.w.s. .N.

54 00 20 00 34 00 2E 00 30 00 00 00 4E 00 54 00 T. .4...0...N.T.

20 00 4C 00 41 00 4E 00 20 00 4D 00 61 00 6E 00 .L.A.N. .M.a.n.

61 00 67 00 65 00 72 00 20 00 34 00 2E 00 30 00 a.g.e.r. .4...0.

00 00 53 00 4F 00 43 00 5F 00 53 00 45 00 43 00 ..S.O.C._.S.E.C.

55 00 52 00 49 00 54 00 59 00 00 00 03 FF 00 98 U.R.I.T.Y.......

00 01 00 07 00 49 50 43 00 00 00 00 .....IPC....

Description: No error arises here from the null password given by the client, because in this case a password is not required. The client was granted access by the server, and the details of the operating system, the LAN Manager and the domain name were sent to the client by the server. This packet is also called the session setup response. (Codefx, 2001)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:18.113012 193.63.129.192:1843 -> 193.63.129.187:139

TCP TTL:128 TOS:0x0 ID:49475 IpLen:20 DgmLen:162 DF

***AP*** Seq: 0xF1908514 Ack: 0x7CFB7CC6 Win: 0x212D TcpLen: 20

00 00 00 76 FF 53 4D 42 25 00 00 00 00 18 03 80 ...v.SMB%.......

A8 80 00 00 00 00 00 00 00 00 00 00 01 08 20 E0 .............. .

01 08 40 00 0E 1A 00 00 00 08 00 68 10 00 00 00 ..@........h....

00 88 13 00 00 00 00 1A 00 5C 00 00 00 00 00 00 .........\......

00 37 00 00 5C 00 50 00 49 00 50 00 45 00 5C 00 .7..\.P.I.P.E.\.

4C 00 41 00 4E 00 4D 00 41 00 4E 00 00 00 00 00 L.A.N.M.A.N.....

68 00 57 72 4C 65 68 44 4F 00 42 31 36 42 42 44 h.WrLehDO.B16BBD

7A 00 01 00 68 10 FF FF FF FF z...h.....

Description: A RAP (Remote Administration Protocol) request for the NetServerEnum2 command, sent by the client to the server in an SMB transaction request; the file name is \PIPE\LANMAN. The transaction is identified by "WrLehDO" in the request, and the last 4 bytes of the packet determine the types of services requested. This is done with the intention of obtaining the complete list of servers visible to the client. It is also called a client-to-server SMB transaction (Microsoft handbook).

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-15:27:18.113749 193.63.129.187:139 -> 193.63.129.192:1843

TCP TTL:128 TOS:0x0 ID:3700 IpLen:20 DgmLen:216 DF

***AP*** Seq: 0x7CFB7CC6 Ack: 0xF190858E Win: 0x200C TcpLen: 20

00 00 00 AC FF 53 4D 42 25 00 00 00 00 98 03 80 .....SMB%.......

A8 80 00 00 00 00 00 00 00 00 00 00 01 08 20 E0 .............. .

01 08 40 00 0A 08 00 6C 00 00 00 08 00 38 00 00 ..@....l.....8..

00 6C 00 40 00 00 00 00 00 75 00 00 00 00 FC 0F .l.@.....u......

04 00 04 00 4A 34 2D 49 54 52 4C 2D 31 34 00 00 ....J4-ITRL-14..

00 00 00 00 04 00 0B 10 04 00 67 10 00 00 4A 34 ..........g...J4

2D 49 54 52 4C 2D 31 35 00 00 00 00 00 00 04 00 -ITRL-15........

03 10 01 00 66 10 00 00 4A 34 2D 49 54 52 4C 2D ....f...J4-ITRL-

31 38 00 00 00 00 00 00 04 00 03 10 01 00 65 10 18............e.

00 00 4A 34 2D 49 54 52 4C 2D 31 39 00 00 00 00 ..J4-ITRL-19....

00 00 04 00 03 10 03 00 64 10 00 00 00 00 00 00 ........d.......

Description: Here the client was able to see the host names J4-ITRL-14, J4-ITRL-15, J4-ITRL-18 and J4-ITRL-19, which are the NetBIOS names of the computers in the network, because the server response contains the list of all servers available on the network.

CONCLUSION

Now that we've discussed some of the major components of networks and TCP/IP, you have the necessary background to examine the more critical issues of security in a converged environment. Knowing how networks are built gives you a better understanding of what physical or logical vulnerabilities are introduced by choosing one particular network design over another. Knowing how packets are formed gives you a better understanding of how they can be crafted or modified to achieve a specific purpose. Knowing how packets are transmitted and delivered gives you a better understanding of what can happen to packets as they travel from source to destination. A good understanding of the basics of networking and TCP/IP is critical to identifying, understanding, and correcting vulnerabilities in your converged environment.

Many types of evidence arise during the analysis of these packets. The most interesting part of this analysis is the null session login process. The IPC$ tree and \PIPE\LANMAN give more clues about the committed action. All the evidence is meaningless without the last packet, where the purpose of this dump is open and exposed. I strongly believe that there is some exploitation or that flaws are present in the Microsoft Windows NT 4.0 box on the local network. With the help of these flaws a local user can check the share list, browse the list and also enumerate the domain controller.

Another point of view is user-level security. I know there is no need of a password for a legitimate user to use or browse the services of the master servers. Nowadays there are many tools available which help the hacker take advantage of this null session password technique and gain access to the master servers.

References:-

[1] Postel, J. (ed.), "Internet Protocol - DARPA Internet Program Protocol Specification", RFC 791, USC/Information Sciences Institute, September 1981.

[2] Cerf, V., and R. Kahn, "A Protocol for Packet Network Intercommunication", IEEE Transactions on Communications, Vol. COM-22, No. 5, pp 637-648, May 1974.

[3] "Transmission Control Protocol - DARPA Internet Program Protocol Specification", RFC 793, prepared for the Defense Advanced Research Projects Agency, Information Processing Techniques Office, Arlington, Virginia, by the Information Sciences Institute, University of Southern California, Marina del Rey, California, September 1981. http://www.faqs.org/rfcs/rfc793.html, last accessed 25 Oct 2010.

[4] NetBIOS, http://compnetworking.about.com/od/windowsnetworking/g/netbios.html, last accessed 25 Oct 2010.

[5] Server Message Block Protocol, http://timothydevans.me.uk/nbf2cifs/x2642.html, last accessed 24 Oct 2010.

[6] TCP/IP, http://www.tech-faq.com/tcp.html, last accessed 26 Oct 2010.

[7] Microsoft handbook, http://msdn.microsoft.com/downloads/details.aspx, last accessed 30 Oct 2010.