System Failure 15
___________________________________
\__ _____________ ________/___________________________ _____
__/_____ \_ / /_____ \_ , , __________)/ /______
/ / / ` / / / /________/ / \/ \/ / /
/ _______________ ___________/ ______/ \__ , \ ` ` /jp
/ /______________/ /__________/_____\______/____/______________________/__
\_________________ /______________________________________/ /____/ /__/ /_/
__/ / >> system failure // issue 15
\____/
.----------------------------------------------------------------------------.
| System Failure: Issue #15 |
`----------------------------------------------------------------------------'
We suck. I know, four months ago I said we'd have another issue out in two
months. Well, so much for that idea. We've been having difficulties lately,
partially due to the laziness of a lot of people (including myself), and
partially due to our broke-ass service provider, who we've moved the hell away
from. We're hoping for things to stabilize again very soon, and I'm hoping our
next issue won't be as delayed as this one was. In the meantime, Merry
Christmas! Please rest assured that we aren't dead (as some people have been
speculating), we're just disorganized at the moment. :) Thanks to whoever
drew the opening ascii (forgive me for forgetting... I'll be happy to give you
credit in the next issue if you'll kindly step forward). Have a happy holiday,
and enjoy the issue!
--Logic Box [12/25/98]
.----------------------------------------------------------------------------.
| http://www.sysfail.org/ |
| [sysfail@syfail.org] |
`----------------------------------------------------------------------------'
"They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety."
--Benjamin Franklin, 1759
.----------------------------------------------------------------------------.
| CONTENTS |
| SysInfoTrade by SysFail Staff |
| ARP Part III: Network Attacks and Denial of Service by BarKode |
| An Electricity Primer, Part I by P3nnyw1se the Clown |
| Wireless Ethernet and Its Workings by Saint skullY the Dazed |
| Hackers and the Criminal Stereotype by Mr. Sonik |
| A General Overview of Open Source Software by SlapAyoda |
| An Introduction to the ICMP Protocol by BarKode |
`----------------------------------------------------------------------------'
<-------+
| SysInfoTrade
+----------------> staff@sysfail.org
--DefCon dates are in: July 9-11, 1999 in Las Vegas, Nevada. Join in on the
fun as Sysfail launches our third annual scavenger hunt, and a frequency hunt!
If you have extra little goodies you'd like to donate to our prize bin, e-mail
staff@sysfail.org. Thanks to all who helped out last year!
--1999 RSA Data Security Conference will be held at the San Jose Convention
Center, San Jose, CA January 17-21, 1999
--Whee! The first annual LinuxWorld Conference and Expo will be held at the
San Jose Convention Center on March 1-4, 1999. Check out the webpage at
http://www.linuxworldexpo.com for more details.
--Order the "Thank You for Abusing AT&T" stickers, which were black vinyl
with white text. I also made a simple "OWNED" sticker, which is black
vinyl with white text. "Tori Do" stickers with penguins on them are also
available; white vinyl with black ink. All stickers are $1.00 each plus a
stamp.
--11/5/98: SSH Communications Security LTD admitted that there was a buffer
overflow in its ssh 1.2.26 client. Rootshell holds by their claim that their
recent break-in was not from the security hole in SSH. More info can be found
here: http://rootshell.com/archive-j457nxiqi3gq59dv/199811/sshkerb.txt.html
--Order Tori Do: The Epic from Penguin Palace. Art/Story by Pinguino.
$24.00 TORI DO: The Epic- A young penguin martial artist goes on a quest,
stepping outside his castle's gates for the first time. He is the Red
Avenger, and he is joined by a sarcastic mage, a tag-a-long imp, and a
dream, on his journey across the Antarctic terrain. The Red Avenger has
been chosen as the protector of the penguins... but can he make it past an
evil wizard to claim his title? This enhanced CD contains a soundtrack with
jungle/dark ambient songs from RE:, Miguel Q, Solo Jr., and Nick B. It is
playable in newer CD players (such as one in your stereo or car). Once you put
the CD in your computer, you can use a web browser and fully experience Tori
Do: The Epic.
--The Communications Assistance for Law Enforcement Act allows law
enforcement to wiretap lines, by June 30, 2000. The FCC is now working on
figuring out if this applies to IP telephony, since IP telephony is an
"information service" rather than a "switched service."
--Zarite Inc. and Antionline formed a partnership that gives antionline
many new toys: domains galore, an interactive bot on the web, a virtual
hacker store, and a hacker search engine based on Infoseek technology.
Zarite controls 30% of Antionline. The editor, John Vranesevich, owns 70%
plus maintains managerial control.
--Xybernaut showed off a wearable PC at Comdex, with a price tag of $4995
(excluding display). It's a P200MMX chip, 2 gig hard drive, and 32 megs of
RAM that fits into a box the size of a Walkman, attached to your belt. The
display can be worn on your headset or your wrist. The unit is capable of
speech recognition, and runs both Windows and Linux.
--Gettysburg College: With their children's permission, parents at this
college can log on and look at their kid's college transcript, phone bills,
and student store purchases, over the web.
--11/12/98: In the Microsoft anti-trust trial, the lawyers have resorted
to name-calling. If you haven't read about the case yet, now would be the
most interesting time to do it.
--cDc releases a public beta release of BUTTSniffer, which is a packet
sniffer and network monitor for win95, win98, and NT4. It is a standalone
executable, and also a plugin for Back Orifice.
--ASSOCIATED PRESS: DENVER, Sept. 15, A 28-year-old computer expert is accused
of hacking into the US West computer system and diverting more than 2,500
machines that should have been helping answer phones to his effort to solve a
350-year-old math problem, according to documents filed in a federal court.
(Thanks to RedBoxChiliPepper for this tidbit)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ARP Part III: Network Attacks and Denial of Service
by BarKode (barkode@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
You glared at part one, chuckled at part two, and now we have part three of
the ARP trilogy. Today we learn how all that seemingly boring techno-babble
in the first two articles affects the security of your local ethernet, and
we'll cover the basics of some network attacks, and the always fun good ol'
session hijacking.
Prerequisites for reading this:
1) You have read part one and two several times and have a good understanding
of the content, or are already familiar with ARP.
2) You have some idea about how IP-based networks function.
Acknowledging that, take into consideration that while this covers what most
would consider intermediate IP networking theory, I'm going to focus this
article towards those who probably have only read part one and two and have
a basic idea of how IP networks function. Also, know that what we're talking
about here is 50% implementation specific and 50% protocol specific. While the
general ideas here are sound and are applicable in some way to IP networks of
any type, every implementation is slightly different, and you will experience
that a method that may work fine on one operating system may not work at all
on another. For instance, ARP caching techniques vary from platform to
platform, so methods on a Linux machine with static ARP entries compared to a
Cisco router are totally different.
***************************
(Note: For all these examples, there are no switches, smart hubs, etc.,
implemented on the network in question.)
(Note 2: If you wish to actually do some of what you see here, I suggest
grabbing a copy of send_arp, an ARP forging application that's been floating
around the net, and I've modified it a bit. It should be on www.sysfail.org
soon after this article is published. If not, e-mail me.)
Situation 1: You are on an ethernet at a small office. Another employee has
picked up a copy of 2600 from the local Barnes and Noble. After spending
3 days OCRing code out of the book, he has managed to compile a copy of
teardrop on the only Linux box at the office (the dial-up server, "RAS").
He thinks it's really funny to crash the unpatched print server all day
whenever you need to queue up some invoices. Knowing that he's telnetting into
the machine and logging in as root, and also knowing that his machine is the
only machine in the office that has access to do that, you figure it would be
just keen to somehow trick the server into thinking that you are coming from
Joe's machine.
Situation 1 Low-Down: We need to spoof a connection from "joe" to "server",
and we are on "tom". We need to not take "joe" off the network or cause any
funny messages to pop up on the screen.
Here's our network layout:
Full Class C: 192.168.0.x
Netmask: 255.255.255.0
------------------------------------------------------------------------------
       |                  |                  |                  |
       |                  |                  |                  |
       *                  *                  *                  *
    Printer             Server              Tom                Joe
  192.168.0.5        192.168.0.1        192.168.0.2        192.168.0.3
                       (Linux)            (Linux)           (Windows)
                   (0:0:0:0:0:01)     (0:0:0:0:0:02)     (0:0:0:0:0:03)
You have made the intelligent choice to install Linux on your other drive on
"tom". Your network is working fine, and you can communicate with all your
other machines.
Somehow, you need to make "server" think that you are telnetting to it from
"joe". You've already sniffed the unencrypted root password "hork" from the
local ethernet.
Let's take a look at what happens when joe telnets to server.
****
0:0:0:0:0:03 ff:ff:ff:ff:ff:ff 0806 42 arp who-has 192.168.0.1 tell
192.168.0.3
0:0:0:0:0:01 0:0:0:0:0:03 0806 60 arp reply 192.168.0.1 is-at 0:0:0:0:0:01
0:0:0:0:0:03 0:0:0:0:0:01 0800 62: 192.168.0.3.1029 > 192.168.0.1.23: S
21441998:21441998(0) win 8192 <mss 1460,nop,nop,sackOK>
(DF) (ttl 128, id 32010)
0:0:0:0:0:01 0:0:0:0:0:03 0800 58: 192.168.0.1.23 > 192.168.0.3.1029: S
2811556923:2811556923(0) ack 2144199 win 32736 <mss 1460> (ttl 64, id 175)
***
What we have here are four separate packets initializing a telnet session.
First packet: ARP request: get HW address of IP to connect to
Second packet: ARP reply: Here's the hardware address requested from "server"
Third packet: I want to telnet to you, you listening?
Fourth packet: Sure thing bro, acking your port 23 request, let's go.
We're not concerned about the latter two packets, just the first two. The ARP
request/reply pair. If we can somehow convince server that it wants to send
packets destined for "joe" to "tom", we're in business.
Sounds easy enough, and in a way that's true. But there are several obstacles
to overcome. You might say, "let's just assume the IP address of joe." That
won't work. You'll have two machines responding to the same IP address, you
really don't want that. You don't want a message on either box complaining
that there's duplicate IPs on the network either.
When your machine sees a packet go by, it checks the hardware address stamped
on the ethernet packet header. If it's not a match, the packet isn't for us,
and we don't care about it. More specifically, the device driver never looks
at the destination IP, just the HW address (of course, there are exceptions
where some drivers dig more into the packet for various purposes). This can be
taken advantage of in numerous ways, and for ARP attacks, it can really come
in handy.
If we ifconfig up an interface on "tom" with the IP address of "joe", and
tell "server" that "joe"'s IP address is located at "tom"'s Hardware address,
then server should send packets destined for "joe" to "tom", and it will also
accept packets from "tom" thinking that it's "joe", bypassing the IP-based
security implemented on "server".
Ok. Read that again.
* We tell SERVER that the IP address of JOE is really located at the HARDWARE
ADDRESS of TOM.
Function: Packets from SERVER to JOE will be encapsulated on the ethernet with
headers sending them to TOM instead of JOE (instead of the header including the
ethernet address of JOE, it will have TOM's address instead. This means JOE
will ignore the packet while TOM will receive it. SERVER will not know that
TOM isn't JOE, because TOM is talking with JOE's IP).
How: We send a hand-crafted ARP packet (a reply specifically; it can be a
request, but we'll get into that another time). The packet would look like
this on the wire:
0:0:0:0:0:02 0:0:0:0:0:01 0806 60 arp reply 192.168.0.3 is-at 0:0:0:0:0:02
    TOM         SERVER    ARPREPLY          IP OF JOE       HWA OF TOM
Now, if you try to telnet to SERVER from TOM, you should be able to connect,
and it will allow you to log in as root.
But wait! We lit up a message on the Windows box on Joe's desk saying that
there's an IP address conflict on the network! Busted!
There are several things you must take into account:
1) You need to "ifconfig -arp eth<x>:<x>" and set up static ARP entries and
routes when you do this. You don't want that interface speaking ARP to anyone
unless you make it, but you need it to know where to send packets.
2) Doing this *during* an existing session between JOE and SERVER will cause
that connection to drop, unless you work fast.
3) You need to be constantly sending poison ARP to SERVER *and* JOE during
your attack. As long as you keep telling both machines where to find (er,
where you WANT them to find) each other, they won't *ask*. And the less they
ask, the better.
Situation 2: I want to hijack joe's session to server.
How can this be done using ARP as a tool? First off, remember what we said
about accidentally cutting off Joe's session earlier? Well now that's exactly
what we want to do.
During a conversation between JOE and SERVER, you inject poison ARP, telling
SERVER that you're JOE, and telling JOE that SERVER is the printer or
something. Then, you proceed to send a flood of spoofed ACKs to the SERVER,
pushing the sequence numbers out of JOE's acceptable window, and by the time
JOE finds out what happened, you've already got his end of the connection, and
SERVER hasn't even noticed anything funny (I'm not going to cover the insides
of TCP sequence numbers today, that's another article. :) ).
How this happens:
* JOE is talking to SERVER
* TOM assumes JOE's IP address.
* TOM sends out an ARP reply unicast to JOE saying SERVER is-at 0:3:1:3:3:7
or something, then immediately sends a packet to SERVER saying that JOE is-at
0:0:0:0:0:2 (tom's real HW address)
* To be on the safe side, you push the sequence numbers of the session way out
of JOE's acceptable range.
* JOE is a Windows box and doesn't know what the hell is going on. He's just
sending packets looking for SERVER and probably grinding the hard drive or
showing a little animated paperclip that says "Click here to learn more about
session hijacking" which just points to a broken link on microsoft.com.
* Meanwhile, TOM is re-synching the connection to SERVER, and as far as SERVER
is concerned, the connection was just broken for a moment, and now is better,
and will gladly talk to TOM in the place of JOE, considering that the IP is
right and that TOM's HW address maps to that IP in the arp table on SERVER.
* JOE is still a Windows box and at this point Windows telnet will bring up
a message like "Lost Connection" and probably lock up telnet because it's so
poorly coded and has no emulation and... anyway....
* TOM has full control over the connection and SERVER couldn't be happier
about it. JOE just sits there and plays a neat screen saver and grinds the
hard drive every couple minutes.
I will probably be writing an article specifically on this topic, as I'm not
going to cover this more specifically in the scope of this article.
Situation 3: I just picked up 2600 at Barnes and Noble. I want to be a hacker.
My 6th grade computer teacher is a real dork and I want to
make the network not work right n stuff. I tried mashed
potatos in the power outlets but I got in trouble. What can
I do?
Well, good news for you. ARP can cause all sorts of problems on a network.
If you haven't figured out how this is possible yet, I'm not sure what to tell
you, read the article again and maybe you'll think of a way you could make
computers on a network not able to talk to each other using ARP.
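All three situations above rely on the same trick: an ARP reply that SERVER (or JOE)
never asked for, re-binding an IP address to a different hardware address. That
is also what makes them visible on the wire. The following is an added example,
not code from the article or from send_arp: a small arpwatch-style monitor that
reads tcpdump-style ARP lines of the form shown earlier, remembers the first
IP-to-MAC binding it sees, and flags replies that were never requested, replies
whose ethernet source does not match the address they advertise, and replies that
change an existing binding. The sample lines and the function names are constructed
for this example; the MAC/IP values match the article's network layout.

```python
import re

# tcpdump-style ARP lines as printed in the article:
#   <src mac> <dst mac> 0806 <len> arp reply <ip> is-at <mac>
#   <src mac> <dst mac> 0806 <len> arp who-has <ip> tell <ip>
ARP_RE = re.compile(
    r"^(?P<src>[0-9a-f:]+)\s+(?P<dst>[0-9a-f:]+)\s+0806\s+\d+:?\s+arp\s+"
    r"(?:reply\s+(?P<rip>[\d.]+)\s+is-at\s+(?P<rmac>[0-9a-f:]+)"
    r"|who-has\s+(?P<tip>[\d.]+)\s+tell\s+(?P<sip>[\d.]+))",
    re.IGNORECASE,
)

# Constructed sample capture: a normal request/reply in each direction
# between joe (…:03) and server (…:01), then the poisoned reply from tom (…:02)
# described in Situation 1.
SAMPLE_LINES = [
    "0:0:0:0:0:03 ff:ff:ff:ff:ff:ff 0806 42 arp who-has 192.168.0.1 tell 192.168.0.3",
    "0:0:0:0:0:01 0:0:0:0:0:03 0806 60 arp reply 192.168.0.1 is-at 0:0:0:0:0:01",
    "0:0:0:0:0:01 ff:ff:ff:ff:ff:ff 0806 42 arp who-has 192.168.0.3 tell 192.168.0.1",
    "0:0:0:0:0:03 0:0:0:0:0:01 0806 60 arp reply 192.168.0.3 is-at 0:0:0:0:0:03",
    "0:0:0:0:0:02 0:0:0:0:0:01 0806 60 arp reply 192.168.0.3 is-at 0:0:0:0:0:02",
]


def parse_arp(line):
    """Return a dict describing one ARP request or reply, or None for other lines."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["rip"]:
        return {"kind": "reply", "src": d["src"].lower(), "dst": d["dst"].lower(),
                "ip": d["rip"], "mac": d["rmac"].lower()}
    return {"kind": "request", "src": d["src"].lower(), "dst": d["dst"].lower(),
            "target_ip": d["tip"], "sender_ip": d["sip"]}


def monitor(lines):
    """Walk ARP lines in order; return (ip -> first mac seen, list of alert strings)."""
    bindings = {}   # the "known good" table, like arpwatch's database
    pending = set() # (asker mac, target ip) requests still awaiting a reply
    alerts = []
    for line in lines:
        pkt = parse_arp(line)
        if pkt is None:
            continue
        if pkt["kind"] == "request":
            pending.add((pkt["src"], pkt["target_ip"]))
            continue
        ip, mac = pkt["ip"], pkt["mac"]
        # A genuine reply carries the same hardware address in the ethernet
        # header and in the ARP payload.
        if pkt["src"] != mac:
            alerts.append(f"reply for {ip}: is-at {mac} but ethernet source is {pkt['src']}")
        # A reply nobody asked for is exactly the "poison ARP" of Situations 1-3.
        key = (pkt["dst"], ip)
        if key in pending:
            pending.discard(key)
        else:
            alerts.append(f"unsolicited reply to {pkt['dst']} claiming {ip} is-at {mac}")
        # A binding that flips after being learned is the strongest indicator.
        old = bindings.setdefault(ip, mac)
        if old != mac:
            alerts.append(f"changed binding: {ip} was {old}, now claimed at {mac}")
    return bindings, alerts


if __name__ == "__main__":
    table, found = monitor(SAMPLE_LINES)
    for ip, mac in sorted(table.items()):
        print(f"{ip:<14} {mac}")
    for a in found:
        print("ALERT:", a)
```

Run against the sample, the first four lines build a clean table and the fifth raises
two alerts (unsolicited reply, changed binding). On a real network, feed it
`tcpdump -e arp` output, and remember the caveat from the article: machines that
keep their peers poisoned never send a who-has, so the "unsolicited" check matters as
much as the binding check. Static ARP entries on hosts that matter make the poisoned
replies ineffective in the first place.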
I hope you enjoyed, and should you have any questions, email me.
-bk
Billy: "Mom! Sally hijacked my irc session and made me say stuff!"
References:
I. "TCP/IP Illustrated, Volume 1: The Protocols" W. Richard Stevens, January
1994. (Addison-Wesley Professional Computing Series). ISBN: 0201633469
II. "Playing redir games with ARP and ICMP" MESSAGE THREAD: document sections
reviewed were authored by Yuri Volobuev
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
An Electricity Primer, Part I
by P3nnyw1se the Clown (p3nnyw1se@hotmail.com)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The first of (hopefully?) many articles on electricity. Tell me what you
think. But only if you have something nice to say; didn't your mother teach
you anything?
Please, enjoy.
I will not be held responsible for your stupidity. Don't come crying to me
if you stick your tongue in an electrical outlet or decide to bring your
toaster in the shower with you. I will have absolutely no sympathy for you,
and to add insult to injury, I will laugh at you. So there.
CHAPTER 0: PREFACE
------------------
Section I - Ranting and Raving
Most people don't understand electricity. Some know a little about what to
do in a lightning storm, or how to reset their circuit breaker if a fuse
blows, but the vast majority couldn't explain to you what exactly it is or
does.
Most never even question it. They take for granted their computers,
televisions, toasters, espresso machines, hair dryers, calculators, and many
other of life's conveniences. They don't even THINK about electricity until
they get pissed off when the power goes out and they can't take their hot
shower in the morning.
In order to truly understand the electronics we use every day (and
computers, specifically), we need to at least have a good knowledge of how
electricity works and some of the main concepts.
Section II - Requirements
I think it only takes about three things to learn electricity:
1. Patience. Sometimes you might not understand something right away. And
that's okay, just study the chapter again and research some more from
other books, and you should be okay.
2. Math. Teaching you algebra is WAY beyond the scope of these articles. I
will be assuming you have at least a 9th grade math level.
3. Desire. I can't make you learn anything; you have to want to.
Section III - How to Use These Articles
This is a series of articles. In each article there will usually be two or
three chapters. The chapters are split up into sections. The best way to
learn the material is to read around one chapter a day, and only continue
when you understand all of the material in the previous chapter.
CHAPTER 1: BASICS OF ELECTRICITY
--------------------------------
This chapter will introduce you to the very basics of electricity. I think
this is probably the most important chapter, because it should hopefully give
you an idea of just what and how electricity operates.
Section I - Protons, Neutrons, and Electrons
Matter is defined as anything that occupies space and has weight. Your
mother is an example of very large matter. Other examples of matter are the
air you breathe, the root beer you drink, and your pet turtle.
All matter is built with atoms. An atom is the smallest basic unit of
matter. For many years, atoms were thought to be the smallest thing in
existence. Then they discovered sub-atomic particles inside the atom.
I know what you're saying: "I learned all this crap in Mr. Smith's 8th grade
science class!" True, but you were too busy staring at the breasts of the
girl sitting next to you, so pay attention.
The atom is built with a nucleus at the center and other, much smaller,
particles called electrons circling the nucleus. The nucleus contains
positively charged particles called protons, and particles with no charge
called neutrons (get it? neutral, neutrons?). Electrons are negatively
charged.
Each atom has a different number of protons in the nucleus. The number of
protons determines its atomic number. For example, copper has 29 protons,
therefore its atomic number is 29.
Atoms also have weight. The atomic weight of an atom is determined by the
mass of the atom. Only protons and neutrons contribute to the mass. Because
a proton is approximately 1,845 times the size of an electron, the electrons
really don't affect the mass at all. Hydrogen (the only atom with no neutron
at all and only one proton) has an atomic weight of 1.0079, compared to
iron's atomic weight of 55.847.
The way the electrons orbit around the nucleus is not random. They orbit in
circles called shells. The innermost shell is designated K, and the rest,
going outward, are L, M, N, O, P, and Q. Each shell can only have a certain
number of electrons (FIGURE 1-1). If the first shell, K, has all the
electrons it can fit, the electrons go to the next shell, and so on.
.--------------------------------------------------------.
| Shell Designation | Total Number Of Electrons Possible |
|-------------------|------------------------------------|
|         K         |                 2                  |
|         L         |                 8                  |
|         M         |                 18                 |
|         N         |                 32                 |
|         O         |                 18                 |
|         P         |                 12                 |
|         Q         |                 2                  |
`--------------------------------------------------------'
FIGURE 1-1: Number of electrons each shell can hold.
The outermost shell with electrons contained within is called the valence
shell. The number of electrons this shell contains is this atom's valence.
The farther away the valence shell is from the nucleus, the weaker the
strength of the orbit is, so it's easier for an atom to gain or lose
electrons. It's also easier to gain or lose electrons if the shell isn't
full.
An atom that has the same number of protons and electrons is electrically
balanced (remember, neutrons have no charge). When an electrically balanced
atom receives or gives an electron, it is no longer electrically balanced.
When an electrically balanced atom receives an electron, it is negatively
charged, and is called a negative ion. When an electrically balanced atom
gives an electron, it is positively charged, and is called a positive ion.
This process is called ionization.
Section II - Conductors and Insulators
If these electrons in the valence shell gain enough energy from an external
force, they can leave the atom and become free electrons, moving from atom
to atom. Materials that have many free electrons are called conductors.
Many metals are examples of conductors. (FIGURE 1-2) Oftentimes copper is
used because of its good conductance and its relatively low price.
.-----------------------------------.
| Common Conductors |
|-----------------------------------|
| Silver |
| Copper |
| Gold |
| Aluminum |
`-----------------------------------'
FIGURE 1-2: Metals are good
conductors. (Listed in the order
of their conductance)
Insulators are the exact opposite of conductors. They are materials that
have very few free electrons. Insulators can absorb electrons from other
atoms to fill their valence shell, and therefore eliminate free electrons.
(FIGURE 1-3)
.-----------------------------------.
| Common Insulators |
|-----------------------------------|
| Mica |
| Glass |
| Rubber |
| Air |
`-----------------------------------'
FIGURE 1-3: Materials used as
insulators (Listed in the order of
their insulation)
Section III - A Brief Look at Current
Electrons move from negatively charged atoms to positively charged atoms.
This movement or flow of electrons is called current. The symbol for current
is I. The amount of current is the sum of the charges of the electrons moving
past a single point.
To measure the amount of charge we use coulombs. The symbol for the coulomb
is C. Because electrons have so little a charge, the charge of
6,280,000,000,000,000,000 (or 6.28 * 10 ^ 18) electrons is one coulomb. If
one coulomb of charge moves past a single point in one second, that is called
an ampere (or sometimes just an amp). The symbol for the ampere is A.
Current is measured in amperes.
Section IV - Use the Force, Luke (A Brief Look at Voltage)
Voltage, difference of potential, and electromotive force are all terms that
mean the same thing. Basically, when there is a group of atoms with lots of
electrons and another group of atoms with a small amount of electrons at the
other end, connected by a conductor, current will flow. The force that makes
current flow is called voltage. The work done in a circuit is the result of
voltage.
The symbol for Voltage is E (for EMF, or electromotive force). The unit for
measuring voltage is called a volt. The symbol for the volt is V. One volt
is the potential applied to a circuit to cause one ampere of current to flow
through a conductor whose resistance is one ohm (we will deal with ohms and
resistance in the next section).
Section V - A Brief Look at Resistance
Some greedy little atoms don't like to give up their electrons without a
fight. They are said to resist the flow of current. This opposition to current
flow is called resistance. The symbol for resistance is R.
There is no material that has NO resistance. However, some materials have
more resistance than others. Some materials have very little resistance, and
are called conductors. (FIGURE 1-2) Other materials have plenty of
resistance, and are called insulators. (FIGURE 1-3)
Resistance is measured in ohms. The symbol for the ohm is the Greek letter
omega. One ohm is the amount of resistance that allows one ampere of
current to flow when one volt is applied.
CHAPTER 2: SCIENTIFIC NOTATION
------------------------------
If you already know what scientific notation is and how to use it, then go
ahead and skip this chapter, but it certainly wouldn't hurt to review it.
Definitely read this if you're not familiar with scientific notation.
Section I - What is Scientific Notation, Anyway?
Scientific notation is an easy way to express very large or very small
numbers. We use these types of numbers many times in electricity.
The format for scientific notation is a single digit number being multiplied
by a power of ten. For example, 1002 in scientific notation is
1.002 * 10 ^ 3.
Section II - Reading and Converting Scientific Notation
Reading a number in scientific notation is as easy as a drunk cheerleader at
a high school party. First, we need to take a look at whether the exponent
is positive or negative. Positive means to move the decimal point to the
right, while negative means to move the decimal point to the left. For
example:
3.1337 * 10 ^ 4 = 31,337
All we had to do was move the decimal point to the right (the exponent was
positive) 4 places (the exponent was 4). But let's take a little trickier
number:
7 * 10 ^ -9 = .000000007
Because the exponent was negative, we move the decimal point to the left
however many times that is indicated, in this case nine times.
An ampere is a large unit of current, and is not often used in circuits.
Commonly, something smaller, such as a milliampere or microampere are used.
A milliampere is 1 / 1,000 the size of an ampere, and a microampere is
1 / 1,000,000 the size of an ampere. In other words, it would take 1,000
milliamperes to equal the amount of current as one ampere. There are many
other commonly used prefixes. (FIGURE 2-1)
.------------------------------------------------------.
| Prefix | Symbol | Value         | Power Of Ten       |
|--------|--------|---------------|--------------------|
| Giga   | G      | 1,000,000,000 | 10 ^ 9             |
| Mega   | M      | 1,000,000     | 10 ^ 6             |
| Kilo   | k      | 1,000         | 10 ^ 3             |
| Milli  | m      | .001          | 10 ^ -3            |
| Micro  | µ      | .000001       | 10 ^ -6            |
| Nano   | n      | .000000001    | 10 ^ -9            |
`------------------------------------------------------'
FIGURE 2-1: Commonly used prefixes; their symbols and
values.
So, for example (using FIGURE 2-1) how many volts are there in five
megavolts?
    1,000,000 V     X V
    ----------- = ------      (1 megavolt = 1,000,000 volts)
       1 MV        5 MV

    1,000,000     X
    --------- = ---
        1       5

    1 * X = 5 * 1,000,000     (Cross multiply)

    X = 5,000,000 V
So there are 5,000,000 volts in five megavolts.
For some more practice, how many amperes are there in 42 milliamperes?
    1,000 mA     42 mA
    -------- = -------      (1,000 milliamperes = 1 ampere)
      1 A        X A

    1,000     42
    ----- = ----
      1      X

    1,000 * X = 1 * 42      (Cross multiply)

    1,000 * X     1 * 42
    --------- = --------    (Divide both sides by 1,000)
      1,000      1,000

    X = .042
So there are .042 amperes in 42 milliamperes.
CHAPTER 3: CURRENT
------------------
Current, the movement of electrons from one atom to the next, is an important
thing to understand when working with electronics.
Section I - Laws of Electrostatic Charges
Current, as defined earlier, is the movement of electrons. The force that
moves them is voltage. Anyway, let's take a look at the laws of
electrostatic charges:
1. Unlike charges attract.
2. Like charges repel.
Easy enough. This means that an electron would be attracted to a proton, but
a proton and a proton or an electron and an electron would repel each other.
Because the negatively charged electrons are attracted to the positively
charged protons, the electrons continue orbiting the nucleus of an atom.
The centrifugal force keeps the electrons from just smacking into the
nucleus.
Because a single electron has a very, very small charge, we measure the
charges in coulombs, which is the charge of 6.28 * 10 ^ 18 electrons (see
chapter two for a review of scientific notation if you're confused by that
number). The symbol for the coulomb is C.
Section II - The Flow of Current
When an area has lots of positively charged atoms, and another area has lots
of negatively charged atoms, and they're connected by a conductor, the
electrons will move from atom to atom. That long sentence could be shortened
by saying: When there's a difference of potential, current will flow.
The unit of measurement for current is the ampere. The symbol for the ampere
is A. An ampere is the amount of current when one coulomb of charge moves
past a point in one second. A formula we could use to describe this:
        Q
    I = ---     (I is current in amperes, Q is quantity of electrical charge
        t        in coulombs, t is time in seconds)
So, using the above formula, how many amperes are present in a circuit if 15
coulombs move past a point in 3 seconds?
        15
    I = ----     (Filling in the numbers for the variables)
         3

    I = 5
So the current would be 5 amperes.
Let's try a harder one: A circuit has 19 amperes of current. How long would
it take for 7 coulombs to move past a point in the circuit?
          7
    19 = ---     (Filling in the numbers for the variables)
          t

    19     7
    --- = ---
     1     t

    19 * t = 1 * 7     (Cross multiply)

    19 * t     1 * 7
    ------ = -------   (Divide both sides by 19)
      19       19

    t = .368421052
So the time it would take would be about .37 seconds.
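The prefix conversions in Chapter 2 and the I = Q / t problems just above are
instances of two small general procedures: scale a quantity by its metric
prefix, and solve the formula for whichever quantity is missing. The following
is an added example, not part of the primer: it converts quantities written with
the prefixes of FIGURE 2-1 to base units, expresses a number in scientific
notation the way Chapter 2 describes, and solves I = Q / t for I, Q or t. The
function names and the 'u' spelling accepted for micro are my own choices.

```python
import math

# Metric prefixes from FIGURE 2-1; "u" is accepted as a plain-ASCII spelling of µ
PREFIX_SCALE = {"G": 1e9, "M": 1e6, "k": 1e3, "": 1.0,
                "m": 1e-3, "u": 1e-6, "µ": 1e-6, "n": 1e-9}


def to_base_units(text):
    """Convert a quantity such as '42 mA' or '5 MV' to (value, base unit).

    The base unit is taken to be the last character (A, V, C, s, ...), so
    '42 mA' -> (0.042, 'A') and '5 MV' -> (5000000.0, 'V').
    """
    number, unit = text.split()
    prefix, base = (unit[:-1], unit[-1]) if len(unit) > 1 else ("", unit)
    if prefix not in PREFIX_SCALE:
        raise ValueError(f"unknown prefix {prefix!r} in {text!r}")
    return float(number.replace(",", "")) * PREFIX_SCALE[prefix], base


def to_scientific(x):
    """Return (mantissa, exponent) with a single digit before the decimal point,
    e.g. 31337 -> (3.1337, 4) and 0.000000007 -> (7.0, -9)."""
    if x == 0:
        return 0.0, 0
    exponent = math.floor(math.log10(abs(x)))
    return round(x / 10.0 ** exponent, 6), exponent


def solve_current(I=None, Q=None, t=None):
    """Solve I = Q / t (I in amperes, Q in coulombs, t in seconds) for the one
    argument left as None; returns the completed (I, Q, t) triple."""
    if sum(v is None for v in (I, Q, t)) != 1:
        raise ValueError("give exactly two of I, Q, t")
    if I is None:
        I = Q / t
    elif Q is None:
        Q = I * t
    else:
        t = Q / I
    return I, Q, t


if __name__ == "__main__":
    print(to_base_units("5 MV"))            # the five-megavolt example
    print(to_base_units("42 mA"))           # the 42-milliampere example
    print(to_scientific(31337), to_scientific(0.000000007))
    print(solve_current(Q=15, t=3))         # 15 coulombs in 3 seconds
    print(solve_current(I=19, Q=7))         # time for 7 coulombs at 19 A
```

Both worked problems from the text come out of `solve_current`: 15 coulombs in
3 seconds gives 5 amperes, and 7 coulombs at 19 amperes gives t = 7/19, about .37
seconds.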
If electrons are added to one side of a conductor, and electrons can be taken
away from the other side, current will flow through the conductor. These
electrons will move from one atom to the next, bumping that electron onto the
next atom, etc, etc. So no one electron moves very far, they just knock the
next electron onto the next atom. Because of the law of electrostatic
charges, current flows from negative to positive.
Although the movement of electrons is slow, each individual electron moves
very fast (the speed of light, or 186,000 miles a second).
The device that will take electrons from the positive side and reapply them
to the negative side is called a voltage source (commonly a battery).
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Wireless Ethernet and Its Workings
by Saint skullY the Dazed (skully@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
By now most of you have probably heard about wireless ethernet devices from
companies such as Breezecom and Airolan. But you may not understand how they
work and why. The purpose of this article is to get you familiar with them
(specifically Breezecom's, which I have the most experience with) and explain
how they accomplish certain things.
1. What these devices are
-------------------------
Wireless ethernet devices are usually a little box with a power cord, 10bT
port, and an antenna port of some kind. They are usually either very dumb
(forwarding all traffic both ways) or fairly intelligent (forwarding only
certain traffic, and possibly even with some firewalling abilities). Most will
forward whole ethernet segments (making the two segments transparent to one
another), although some are designed specifically for single workstations.
These will be described in detail below.
2. How they work
----------------
Since I'm very familiar with Breezecom, slightly familiar with Airolan, and
not at all familiar with other brands, I'll describe how Breezecom's devices
work. The theory is sound for all wireless ethernet devices though.
Basically, the wireless device (radio) uses a standard RJ-45 patch cable,
which is then plugged into either a machine or a hub (depending on the radio,
it will either use a straight through or crossed cable). Then, the radio
communicates with its peer via the antenna port, which can either have an
omnidirectional antenna (anywhere from 4" to 36", depending on the distance)
or a unidirectional antenna (not unlike a microwave antenna). The Conifer
DB-24 is a commonly used unidirectional antenna (24 dB, about 36"x12"
aluminum). The peer--usually a bridge, or in the case of Breezecom equipment,
what's known as an Access Point (AP)--can handle several radios. This bridge
then connects to the network via another RJ-45 patch cable. For those who
grill on ascii charts, here goes an attempt.
---------------  ---------  -----------  -----------  ---------  -----------
| Workstation |-| Radio |-| Antenna |-| Antenna |-| Radio |-| Network |
| or Hub      |-| 1     |-| 1       |-| 2       |-| 2     |-|         |
---------------  ---------  -----------  -----------  ---------  -----------
Now then, with Breezecom equipment, Radio 1 can be one of two different
radios. It will either be what's known as a Single Access radio (SA) or WAN
Bridge (WB). Now then, how do you know if you need an SA or a WB? Well, the SA
has software that checks the hardware (mac) address of the machine it's
plugged into and will not forward any packets destined for/from mac addresses
other than the one it was initially plugged into. This means that an SA can
not be plugged into a hub (using a crossover cable) and used as a WB.
The WB, on the other hand, can be plugged into a hub, and has been factory
wired to use a straight through cable for plugging into a hub. It does *not*
check mac addresses and will forward packets from any mac address to the rest
of the network and vice-versa. The WB also has its own mac address (whereas
the SA assumes the mac address of the interface it's plugged into) and can be
assigned an IP. This makes the WB preferable for a corporate environment,
while the SA is designed more for end-users.
Now then, Radio 2 is an AP. The AP is designed to connect to multiple SA/WB's
for the purpose of linking multiple segments to the main ethernet segment.
This allows a corporation with several buildings, for example, to have one AP
about the middle of their campus with a large omni-directional antenna and
then each building with its own WB and localnet setup. Not only does this
allow the company to avoid running expensive fiber between buildings, but it
allows them to easily add more buildings and links as necessary. This also
lets them use NetBeui or IPX/SPX transparently across segments.
3. How they're managed
----------------------
Wireless radios, being networked devices, must be configurable.
Breezecom has included two ways that their radios can be managed, either
through a serial console (9600, N81, no flow control), and for the AP and
WB's, SNMP (aka, Security Not My Problem). Obviously, by using only the serial
consoles, you limit any security problems that may exist, but in a network
with many radios, that's not always practical. Fortunately, Breezecom's SNMP
traps seem to be fairly secure.
A. Serial Console
The serial console operates in much the same way other serial consoles do. You
connect the terminal, fire it up, and start configuring. It's a simple menu
with most screens having options numbered sequentially. The basic functions
are as follows:
1. System Setup (IP addy, ESS ID)
2. Advanced Setup (Filtering certain protocols, SNMP on/off)
3. Maintenance (Various Logs, packets sent/received/dropped)
4. Security Level (User/Admin, password)
The menus are all self-explanatory, and after five minutes of exploring, you
should be able to find most anything you want. Obviously, if someone has
several SA's out there, they don't want their users to be able to reprogram at
will, hence the security level and optional password.
B. SNMP Management
Everything available on the serial console is also available via SNMP. Like
most SNMP-managed devices, the Breezecom radios have two communities, private
and public. Access to the private community is controlled via the password,
although everything in private is available read-only in the public community
(from what I've found, at least... I've not had time to thoroughly examine all
the SNMP stuff). In my case, I was working for an ISP using Breezecom radios
with the AP's 75 feet up a tower. SNMP management was very nice because
occasionally we'd have a WB flake out and stop forwarding packets, at which
point we'd use the SNMP software to reset it rather than driving 10 miles to
the site, climbing 75' and resetting it by hand. On the downside, SNMP is not
the most secure protocol in the world, and can be sniffed for the password.
4. Problems With Wireless
-------------------------
Wireless ethernet in and of itself has many problems, including limitations of
ethernet and protocols such as TCP/IP and ARP. The radios should be able to
limit the problems (for example, IP spoofing), but they don't. The only
problem they avoid is spoofing ARP packets (since ARP is based on the mac
address, not the IP address). You can still smurf, spoof IPs, assume others'
connections, and generally wreak havoc with the network fairly anonymously.
We'll go into a few problems and how the radios could theoretically prevent,
or at least minimize, damage that can be done.
A. Spoofed IPs
While it may not be beneficial to everyone, if the radio would monitor TCP
traffic (it has native TCP support) and only allow the traffic for a certain
IP across, as well as the mac addy, this would avoid a whole slew of problems.
Most routers are configured to not allow spoofed IPs. These radios should have
the same configuration option. Naturally, for purposes of subnets (which can
be done with SA's), you would want this off, but for the purpose of a single
workstation it should be an option. Actually, this would fix most of the
problems I was thinking of.
B. Network Sniffing
In my experience with these radios, I can see everything on the segment, just
as if I were connected directly to the hub. This can be both good and bad. Bad
in the sense that anyone can sniff the network for passwords (think you're ok
there? Do you use telnet, pop3, snmp?), but I'm sure that some paranoid admins
would like to be able to monitor their network to watch for problems. Now
then, again, this could be something that can be configured in the SA. Only
allow packets that are destined for ethernet-wide broadcast, and packets for a
particular mac address.
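As an added illustration for sections 2 and 4 (written for this issue, not
Breezecom's firmware or any code from the article), here is a hypothetical model
of the SA's MAC lock together with the two checks proposed above: tying the
client's IP to its MAC so spoofed source IPs never leave the radio, and passing
only broadcast frames or frames for the bound MAC down to the client so it
cannot sniff the rest of the segment. All MAC and IP addresses are constructed,
and the frame decoding is a minimal Ethernet II / IPv4 parser.

```python
import struct

ETHERTYPE_IP = 0x0800
BROADCAST_MAC = b"\xff" * 6


def ip_bytes(dotted):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Build a minimal Ethernet II + IPv4 frame (constructed demo data only;
    the IP checksum is left at zero because the filter never verifies it)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IP) + ip_hdr + payload


class RadioFilter:
    """Hypothetical model (not Breezecom's code) of the SA's MAC lock plus
    the two checks the article proposes: an IP/MAC binding against spoofed
    source IPs, and forwarding only broadcast or bound-MAC frames toward the
    client so the client cannot sniff the rest of the segment."""

    def __init__(self, bound_ip=None, unicast_only=False):
        self.bound_mac = None                      # learned from first client frame
        self.bound_ip = ip_bytes(bound_ip) if bound_ip else None
        self.unicast_only = unicast_only

    @staticmethod
    def _parse(frame):
        """Return (dst_mac, src_mac, ethertype, src_ip) or None for a runt."""
        if len(frame) < 14:
            return None
        dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        src_ip = None
        if ethertype == ETHERTYPE_IP and len(frame) >= 34:
            src_ip = frame[26:30]                  # IPv4 source address
        return dst, src, ethertype, src_ip

    def forward_up(self, frame):
        """Client -> network direction. Returns (forwarded, reason)."""
        parsed = self._parse(frame)
        if parsed is None:
            return False, "runt frame"
        _dst, src, ethertype, src_ip = parsed
        if self.bound_mac is None:
            self.bound_mac = src                   # SA behaviour: lock to first MAC seen
        if src != self.bound_mac:
            return False, "source MAC is not the bound MAC"
        if (self.bound_ip is not None and ethertype == ETHERTYPE_IP
                and src_ip != self.bound_ip):
            return False, "spoofed source IP"      # proposed anti-spoofing check
        return True, "ok"

    def forward_down(self, frame):
        """Network -> client direction. Returns (forwarded, reason)."""
        parsed = self._parse(frame)
        if parsed is None:
            return False, "runt frame"
        dst = parsed[0]
        if self.unicast_only and dst not in (self.bound_mac, BROADCAST_MAC):
            return False, "not addressed to this station"  # proposed anti-sniffing check
        return True, "ok"


def demo():
    """Push constructed frames through a locked-down SA; returns the verdicts."""
    client = bytes.fromhex("00a0c9112233")         # the workstation the SA was plugged into
    intruder = bytes.fromhex("00a0c9445566")       # a second host on the SA's cable
    gateway = bytes.fromhex("004005165600")        # router on the far side of the AP
    victim = bytes.fromhex("00a0c9778899")         # some other station on the segment
    radio = RadioFilter(bound_ip="10.1.1.20", unicast_only=True)
    up, down = radio.forward_up, radio.forward_down
    return {
        "client_ok":  up(build_frame(gateway, client, "10.1.1.20", "10.1.1.1"))[0],
        "other_mac":  up(build_frame(gateway, intruder, "10.1.1.21", "10.1.1.1"))[0],
        "spoofed_ip": up(build_frame(gateway, client, "10.1.1.99", "10.1.1.1"))[0],
        "to_client":  down(build_frame(client, gateway, "10.1.1.1", "10.1.1.20"))[0],
        "broadcast":  down(build_frame(BROADCAST_MAC, gateway, "10.1.1.1", "10.1.1.255"))[0],
        "to_victim":  down(build_frame(victim, gateway, "10.1.1.1", "10.1.1.30"))[0],
    }


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print("%-11s %s" % (name, "forwarded" if forwarded else "dropped"))
```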
5. Conclusion
-------------
I do realize that this could be way more complete; however, if I start getting
complete I'd probably step on Breezecom's toes a few times. If there's enough
interest, and I think I can do it without potentially getting myself in
trouble with Breezecom's legal department, I'll write a follow-up that gets
into more detail.
If you do have a local ISP doing wireless, and they're a fairly decent ISP,
I'd heartily recommend it over DSL or cable modems. And if you're in a
corporation with multiple buildings trying to find a cost-effective way to
network them, definitely don't pass over wireless ethernet without giving it
a good look. Despite the security problems that could be avoided with better
software, they are a good way to go.
Send comments, questions, hate mail, etc. to skully@sysfail.org, as always.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hackers and the Criminal Stereotype
by Mr. Sonik (sonik@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Sometimes I wonder what the big deal is with people who are labeled as
criminals simply for having a hobby that may dabble into some illegal areas.
Society is quick to label hackers as criminals, even if the hacker discovers a
loophole in the telephony or computer world and exploits it once for learning
purposes--not only for themselves, but for the security professionals that are
supposed to keep the telephone network and computer systems secure. Society
asks "What's the big deal? They break the law, right? They should go to jail."
Well, should a hacker get more of a sentence for stealing three dollars in
long-distance calls than say, a rapist or a drug dealer? I know I can't
influence people with my opinion alone, so I decided to give you some
information and let you be the judge. One thing has become very clear: we need
to watch out for ourselves, and more importantly, others who share the same
interests. We simply can't keep following the road that we are on, or we will
crash for sure.
So what can we do? Some of the things we can do to help change society's
perception of us is to educate people as to what exactly a hacker or phreaker
is. We are merely nothing more than hobbyists who choose to explore the outer
limits of technology. What's so bad about that? What's the problem with
wanting to understand the ins-and-outs of a computer system? Or maybe you
would like to understand how the telephone of yours really works.
Maybe you could start a computer club or hacker/phreaker club in your area.
2600 meetings are a good example of these types of public gatherings. This
also serves as an excuse to get out of the house and meet new people. Maybe
you could start a local newsletter or something similar that focuses on the
newest trends of the computer industry. Almost anything that you could think
of to generate positive attention in your community towards the hacker
subculture would be something worth doing.
I had heard of people donating their time to building computers out of
outdated hardware to donate to local charities, schools, and needy families.
You would be surprised at how excited a poor family gets over an old 286 and a
dot matrix printer. When coupled with, say, a 2400 baud modem and free
internet access to a shell account, this could make so much more information
available to a family that never had that ability before. And that's what
hackers are all about. The spread of information. Anytime someone helps the
community in such a way, he is almost always thought of as a good person.
Imagine what it could do to reduce society's fear of hackers, and at the same
time educate them as to the difference between a hacker and a white collar
criminal. Imagine how the community would respond to a hacker who is donating
time and/or knowledge to the community by teaching computer classes, or
educating others about computers and personal security. I know I would feel a
whole lot safer if a hacker taught me things about computer security, rather
than an underpaid shmuck teaching about a subject they only read about in a
book.
I urge people to get out and donate their time to the community whenever they
can. Chances are, only respect will come your way after doing good deeds for
others. These are only some of the things that we can do to combine our
knowledge and expertise to help hackers and computer enthusiasts gain a good
reputation in the public eye. Remember, you must prove to others that you are
a responsible person in order to gain trust throughout society.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A General Overview of Open Source Software
by SlapAyoda (vader@geekbox.net)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Open source software is often referred to as "free software," not because of
how much it costs, but because of the way it is freely distributed. The
opposite of proprietary software, which is developed only by the company who
originally manufactured it, and prohibits unauthorized distribution, open
source software is presented with its source code, encouraging users to
distribute and contribute to the software. Contributions come in several
forms: suggestions, bug fixes, and new ideas. Choosing open source can be a
good decision for both the manufacturer and the user. Developers gain the
assistance of their user base in coding the program, and the users receive
software that they can modify to, as Eric S. Raymond puts it, "scratch their
own itch." Open source software can be very diverse, ranging from games to
powerful internet applications that bind together "the web." Currently, open
source hardware is being developed, as well as an open source BIOS
(http://www.freiburg.linux.de/OpenBIOS/). A small debate has also arisen about
treating books with an open source-type policy. Open source software has
become a hot topic for discussion on such websites as Slashdot
(http://slashdot.org), and in essays such as the excellent "The Cathedral and
the Bazaar" by Eric S. Raymond
(http://www.redhat.com/redhat/cathedral-bazaar/cathedral-bazaar.html). This
article will attempt to give the reader an understanding of the basics of open
source software, and will also describe some popular examples of open source
software.
Linux is an open source operating system that is available for download, at
no cost, from many different locations. It is also purchasable in CD form, at
a very low price. Linux was developed by Linus Torvalds in 1991, at the
University of Helsinki in Finland. Linux is a POSIX-compliant operating
system, and is designed to be a UNIX clone. Linux is made up of two parts: the
kernel, which is the core of the operating system, and additional software.
Originally, people installed the Linux kernel by hand, and then installed and
used other individual bits of software to do their tasks. Today, most people
use distributions, developed separately by other companies. These distros
consist of a current version of the Linux kernel, and useful software
packages. It is also a great deal easier to install a distro than just the
kernel by itself, and some offer graphical installation programs. The three
most widely used distros are Slackware, Red Hat, and Debian, although there
are many more. There are many people who use Linux, and the number is
increasing now at a faster rate than ever before. These users often make
contributions to both the kernel and software. Most users of Linux believe
strongly in the open source philosophy. Without it, Linux might not be able to
survive. For more information on Linux, visit http://www.linux.org.
GNU software is fundamental to the UNIX community. From bash to make to zlibc,
GNU software is seen to most as the standard in quality UNIX software. GNU
software differs from other software by having its own special license that
specifically allows modification and distribution by any of its users, under
certain circumstances. The GNU General Public License, or GPL, states that
users may modify the software as they wish and distribute either the original
or modified copy, for a fee if they choose. The one rule that applies to the
software, however, is that the person must pass on the freedoms to the person
he distributes the software to. This is called "Copylefting". As opposed to
copyrighting, it ensures that users receive a program that they can modify and
distribute. Users also have a significant impact on development here, as
oftentimes they develop their own versions of current programs to suit their
own needs, or they might contribute their ideas or code to the original
manufacturer. For more information on GNU software and the GNU philosophy,
visit http://www.gnu.org/gnu/gnu-history.html.
BSD, short for Berkeley Systems Development, is a term that encompasses several
UNIX variants. FreeBSD, NetBSD, and OpenBSD, are three separate packages, all
with separate software, but based on the same version of UNIX, BSD. Similar to
Linux, they are open source and POSIX-compliant, but they all vary a bit. All
of the BSDs are available for download on the internet, or for purchase on CD.
Many people also use and contribute to the BSD efforts. For more information
visit http://www.freebsd.org, http://www.netbsd.org, or
http://www.openbsd.org.
Open source development is not confined to UNIX. Netscape has recently
announced that their web browser, which runs in both Microsoft Windows and
UNIX, as well as MacOS and other platforms, will now be open source. They have
created a specific subset of their company, named Mozilla
(http://www.mozilla.org/), to deal with the integration of users' code. This
is expected to have a large impact in their continuing battle against
Microsoft's Internet Explorer, as Microsoft has decided to not make Internet
Explorer open source.
Another company that serves the more mainstream operating systems as well as
UNIX with a great open source project is Apache (http://www.apache.org/).
Apache webservers serve many of the popular websites of today, and run well in
Windows and UNIX. They offer some of the best performance around, certainly
due in part to the help of countless users who have contributed to the
project.
A first in the open source community, a small group of people are beginning
work on an open source BIOS, named appropriately OpenBIOS. They are planning
to create a product that will support a wider range of hardware and also be
more geared towards Linux. Recently, they released a very preliminary product
that will work on two different chipsets. It looks like OpenBIOS has a bright
future ahead of it. For more information, visit
http://www.freiburg.linux.de/OpenBIOS.
Microsoft is a company notorious for being opposed to open source software.
One may speculate that a monetary profit becomes difficult to attain off of
open source, as it could be copied freely at no cost to the user. Since
Microsoft has already established its primary goal as profit, their stance is
only logical. This past Halloween, an office memo of theirs was found and
released to the public on the internet. It concerned open source, and how to
combat it. It spoke a great deal of Microsoft's strategies on beating Linux,
Mozilla, and other competitors. It has been dubbed the Halloween Document, and
has caused much havoc within the computing community. For more information,
visit http://www.opensource.org/halloween.html.
Open source software has a large effect on computing daily. Every user of the
internet makes use of open source software without even knowing it. For
example, bind--a program that converts numeric IP addresses to hostnames.
Without it, users would have to memorize IP addresses to know which webpage is
which. Sendmail is open source software that delivers a great majority of the
internet's mail.
The future of open source can only be a positive one. Even without the support
of computing giants Apple and Microsoft, developers have shown that they can
be successful in producing a good product that will continue and progress by
constantly evolving. But open source development can not continue without the
support of the community. If you want to get involved in the open source
movement, visit one of the pages mentioned in this article. You'll be glad you
did.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
An Introduction to the ICMP Protocol
by BarKode (barkode@sysfail.org)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Continuing the line of articles about common internet protocols, here's a
look into ICMP, or Internet Control Message Protocol. ICMP is an essential
protocol on IP-based networks, as IP is not a "reliable" protocol.
<EDITORIAL NOTE BY BARKODE>
For those of you wondering why I keep writing articles covering the basics of
standard internet protocols, it's brought on by a number of things.
One of them being that System Failure has changed its focus completely. By the
time I joined last year, the group had weeded out articles focusing on crime
and "how to rip off the phone company" and such. Gears have shifted towards a
technical, intelligent magazine for a larger, more intellectual audience. I
sincerely hope that the difference has been noticed.
Secondly, demographics (e-mails to SysFail) show a crowd that is new to the
scene, and helping those people is an important part of what System Failure
is all about.
</EDITORIAL NOTE BY BARKODE>
ICMP is essential to the operation of an IP-based network for a variety of
reasons. IP being "unreliable" (there is no guarantee an IP packet will get
to its destination), there must be an error-handling routine. ICMP is that
solution. If for some reason a machine can't handle an incoming IP packet, it
drops the packet and sends back an ICMP error message to the machine that sent
the original packet telling it something is wrong.
The ICMP function most people are familiar with is the Echo Request/Reply
set, or "ping" as it's better known. When you ping a machine, you're sending
an ICMP message called an "echo request" to that machine. The network layer of
that machine will send you back an ICMP "echo reply," if it is configured to
do so.
An ICMP packet looks like this:
.---------------------------------.
| IP Header  |  ICMP Message Data |
`---------------------------------'
  20 bytes
The actual header of an ICMP packet looks like this:
 0             7 8            15 16                   31
.-------------------------------------------------------.
|   8 Bit Type  |   8 Bit Code  |     16 Bit Checksum   |
`-------------------------------------------------------'
The rest of the packet differs between ICMP "types." An ICMP type declares
what the function of the ICMP packet is, and how it's to be dealt with by the
system.
An ICMP "code" is a subtype. For instance, ICMP type "3" code "0" is a
"network unreachable" while a type "3" code "1" is a "host unreachable". ICMP
type "3" is the "destination unreachable" type.
So, when we ping a machine, we create an ICMP "echo request" packet. The type
is "8" and code is "0". The packet is created, and assuming you were using an
ethernet for this, the packet would look similar to this:
00000000: 00 40 05 16 56 AA 00 00 b4 54 b1 BB 08 00 45 00
00000010: 00 54 54 ed 00 00 40 01 19 d9 d1 AA BB CC d1 BB
00000020: CC EE 08 00 67 74 41 2d 00 00 5a 9b 5b 36 ab 89
00000030: 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
00000040: 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
00000050: 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
00000060: 36 37
That's what the packet would actually look like on the wire.
Let's break it down, protocol by protocol:
00000000: 00 40 05 16 56 AA 00 00 b4 54 b1 bb 08 00 -- --
          |_______________| |_______________| |___|
                  |                 |           |
          Destination       Source            Protocol (16 bits)
          Hardware Address  Hardware Address  (08 00 == IP)
          (48 bits)         (48 bits)
This is the ethernet layer, containing the source and destination hardware
addresses for the packet, as well as what protocol is encapsulated within it.
In this case, 08 00 means it's carrying an IP packet.
00000000: -- -- -- -- -- -- -- -- -- -- -- -- -- -- 45 00
                                                    |  |
                8 bit Type of Service field ________|__|
                                                    |
          (4 bits, msb) Version (ipv4 == 4) ________|
          (4 bits, lsb) Num. of 32 bit words in header, normally 5
This is the IP layer, which contains information necessary to move the packet
from network to network, or machine to machine for that matter.
The first 4 bits of the first byte of the header specify what IP protocol is
in use. On today's internet, we use IPv4, so this would be a 4. The second,
least significant 4 bits specify how many 32-bit words make up this header.
You'll find this is often a 5, because there are most often 5 32-bit words in
an IP header, without options.
The second byte is the 8-bit type of service field, which we'll dig into
deeper in another article. Assume for now that this field gives more detail as
to the application that is sending this data and how it should be handled.
00000010: 00 54 54 ed 00 00 40 01 19 d9 d1 AA BB CC d1 BB
00000020: CC EE -- -- -- -- -- -- -- -- -- -- -- -- -- --

   Bytes          Field
   -----------    ------------------------------------------------
   00 54          16-bit total length (in bytes)
   54 ed          16-bit Fragment ID
   00 00          3-bit flags, 13-bit Frag Offset
   40             8-bit TTL
   01             8-bit IP Protocol Type (1 == ICMP)
   19 d9          16-bit Checksum
   d1 AA BB CC    Source IP (32 bits)
   d1 BB CC EE    Destination IP (32 bits, wrapping onto the next line)
The 16-bit total length is the length of the whole datagram, in bytes.
Fragment ID (sometimes just "ID"), Flags and Frag offset will be discussed
in another article.
The "Time To Live" is the maximum number of hops this packet can go through
before it is discarded and the sender is delivered a message saying that the
packet didn't get to its destination. Each hop decrements this field by one
before sending the packet along.
The protocol type in this case is a "1", specifying ICMP as the protocol in
use. The checksum is a matter of one's complement notation against the header
on both the sending and receiving machines, and we'll look into this more
specifically in the next article.
The rest is self-explanatory.
Now for the ICMP packet itself.
00000020: -- -- 08 00 67 74 41 2d 00 00 5a 9b 5b 36 ab 89
00000030: 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
00000040: 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
00000050: 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
00000060: 36 37

   Bytes          Field
   -----------    ------------------------------------------------
   08             ICMP Type - Echo Request (8)
   00             ICMP Code, 0
   67 74          Checksum
   41 2d          Identifier - UNIX implementations use the PID of
                  the calling process
   00 00          Sequence Number
   5a 9b ... 37   56 bytes of data (Variable)
The first two bytes are the ICMP type and code, respectively. The checksum
works the same as it does for IP. The identifier is set to the PID on UNIX
machines, usually. Either way, it's a unique identifier for whatever purpose
the machine needs. Using the PID is a good idea, as it allows a machine to
determine what process the packet belongs to.
Anyone who has used ping knows what the sequence number is. The sequence
number is an incrementing number for each packet sent, allowing a process, or
person for that matter, to track their packets.
The rest of the data is piggybacked onto the packet to pad it to meet the
minimum transmission unit for the network media, as well as to send some more
data with the packet in order to test speed between two places.
The echo reply is then generated, and the packets look very similar. The
exceptions being the source/destination HW and IP addresses are switched, and
the ICMP type is changed from "8" to "0" (Echo Reply).
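As an added worked example (written for this issue, not part of BarKode's
article), the parser below reads the dump above back in, pulls out every field
walked through, verifies the IP and ICMP checksums with the one's complement
sum, and builds the echo reply the last paragraph describes. Expect the ICMP
checksum to verify and the IP header checksum not to: the address octets
printed as AA BB CC look like they were altered for publication, which is my
inference rather than something the article states.

```python
import struct

ETHERTYPE_IP = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0

# The echo request dump printed above, re-typed as the parser's input. The
# "AA BB CC"-style octets are reproduced exactly as the article prints them.
PACKET = bytes.fromhex("".join("""
00 40 05 16 56 AA 00 00 b4 54 b1 BB 08 00 45 00
00 54 54 ed 00 00 40 01 19 d9 d1 AA BB CC d1 BB
CC EE 08 00 67 74 41 2d 00 00 5a 9b 5b 36 ab 89
03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15
16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25
26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35
36 37
""".split()))


def inet_checksum(data):
    """Internet checksum (RFC 1071): the one's complement of the one's
    complement sum of all 16-bit words. Run over a header whose checksum
    field is already filled in, a correct header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame):
    """Split an Ethernet/IP/ICMP echo frame into the fields walked through
    above and verify both checksums."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IP:
        raise ValueError("not an IP frame")
    ip = frame[14:]
    (ver_ihl, tos, total_len, frag_id, flags_frag, ttl,
     proto, ip_csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = ip[ihl:total_len]
    icmp_type, code, icmp_csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "eth_dst": eth_dst.hex(), "eth_src": eth_src.hex(),
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos,
        "total_len": total_len, "frag_id": frag_id,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "src_ip": ".".join(map(str, src_ip)),
        "dst_ip": ".".join(map(str, dst_ip)),
        "ip_csum": ip_csum,
        "ip_csum_ok": inet_checksum(ip[:ihl]) == 0,
        # what the header checksum would have to be for the bytes as printed
        "ip_csum_expected": inet_checksum(ip[:10] + b"\0\0" + ip[12:ihl]),
        "icmp_type": icmp_type, "icmp_code": code,
        "icmp_csum": icmp_csum,
        "icmp_csum_ok": inet_checksum(icmp) == 0,
        "ident": ident, "seq": seq, "data_len": len(icmp) - 8,
    }


def build_echo_reply(frame):
    """Produce the echo reply described above: swap the hardware and IP
    addresses, change the ICMP type from 8 to 0, and recompute both checksums.
    Simplification: TTL and fragment ID are left as they were in the request."""
    eth = frame[6:12] + frame[:6] + frame[12:14]
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip[12:16], ip[16:20] = ip[16:20], ip[12:16]          # swap source/destination IP
    ip[10:12] = b"\0\0"                                  # zero, then recompute
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip[:ihl])))
    icmp = bytearray(ip[ihl:total_len])
    icmp[0] = ICMP_ECHO_REPLY
    icmp[2:4] = b"\0\0"
    icmp[2:4] = struct.pack("!H", inet_checksum(bytes(icmp)))
    return eth + bytes(ip[:ihl]) + bytes(icmp)


if __name__ == "__main__":
    for key, value in parse_frame(PACKET).items():
        print("%-17s %r" % (key, value))
```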
****
We'll look more into this and other topics in the next System Failure. For
those of you that are interested in protocol analysis, I suggest picking
up a good sniffer/network analyzer and watching what goes by on your network.
You might find some interesting things, and it's a good way to learn about
protocols and their implementation on different operating systems and
networks.
Hope you enjoyed, and keep those e-mails coming.
-bk
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Maybe System Failure 16 will be out in early February or so. Who knows. See
you all in a couple months. I think. :)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-E-O-F-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-