How tracert works in Windows:

When we run tracert in Windows it uses three ICMP message types: “echo request”, “Time exceeded (TTL expired in transit)” and “echo reply”.

Time exceeded TTL expired is type 11 code 0
echo request is type 8 code 0
echo reply is type 0 code 0

When we run tracert, the host sends an ICMP echo request packet with the TTL set to 1. The source address of the packet is the host's own IP and the destination address is the target of the tracert. When the first L3 hop receives the packet it decrements the TTL by 1, finds that the TTL has become 0, drops the packet and sends an ICMP “Time exceeded (TTL expired)” message back to the source. The host sends three packets with TTL 1, and the first L3 hop answers each of them with a “Time exceeded” message. The source then increases the TTL by 1 and sends 3 more packets. The host keeps sending probes with the TTL increased by 1 each round until it gets an echo reply from the destination server.

Let's understand it with an example: I have a host 192.168.0.118 and I am running a tracert to 8.8.8.8. The trace completed in 20 hops.

[Screenshot: tracert8.8.8.8windows.JPG]

If every hop replies properly, then with 20 hops between source and destination we should see 20*3 ICMP echo requests, 19*3 time-to-live exceeded messages and 3 ICMP echo reply packets.
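A small model of the exchange described above, written for this post as an added example (not code from the original): the hop addresses are constructed, and the path has 19 routers in front of 8.8.8.8 so that the trace completes in 20 hops, which reproduces the packet counts given above.

```python
from collections import Counter

# ICMP (type, code) pairs used by tracert, as listed above
ECHO_REPLY = (0, 0)
ECHO_REQUEST = (8, 0)
TIME_EXCEEDED = (11, 0)
PROBES_PER_TTL = 3          # Windows tracert sends three probes per TTL value


def send_probe(src, dst, ttl, routers):
    """Forward one echo request along the path.

    Each router decrements the TTL; when it reaches 0 the router drops the probe
    and answers with Time Exceeded (type 11, code 0).  The destination answers an
    echo request addressed to it with Echo Reply (type 0, code 0).
    Returns (responder_ip, (icmp_type, icmp_code)).
    """
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return router, TIME_EXCEEDED
    return dst, ECHO_REPLY


def tracert(src, dst, routers, max_hops=30):
    """Return ([responder per hop], Counter of ICMP messages seen on the wire)."""
    hops, seen = [], Counter()
    for ttl in range(1, max_hops + 1):
        replies = set()
        for _ in range(PROBES_PER_TTL):
            seen[ECHO_REQUEST] += 1            # one echo request per probe
            responder, kind = send_probe(src, dst, ttl, routers)
            seen[kind] += 1                    # the hop's (or destination's) answer
            replies.add((responder, kind))
        responder, kind = replies.pop()        # all three probes went the same way
        hops.append(responder)
        if kind == ECHO_REPLY:                 # reached the destination: stop
            break
    return hops, seen


# Constructed path: 19 routers in front of 8.8.8.8, so the trace completes in 20 hops
ROUTERS = [f"10.0.{i}.1" for i in range(1, 20)]

if __name__ == "__main__":
    hops, seen = tracert("192.168.0.118", "8.8.8.8", ROUTERS)
    print(len(hops), "hops;", dict(seen))
```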

Let's check the first message of the tracert:

[Screenshot: tracert1st hop]

The first message looks like this:

[Screenshot: tracert-echo-repquest]

The first hop will reply with time-to-live exceeded:

[Screenshot: tracert-ttl-exceeded-1]

Let's check the last packet:

[Screenshot: tracrt-last-echo-request]

Echo reply from the server:

[Screenshot: tracert-echo-reply]

Posted in Protocol

Understanding Fragmentation

Let's take an example to understand fragmentation. I have two systems, Host A and Host B. The IP address of Host A is 192.168.3.1 and the IP address of Host B is 192.168.3.134.

I ping from Host A to Host B with 1460 bytes of data. The MTU of Host A's interface is 700.

C:\WINDOWS\system32>ping 192.168.3.134 -n 1

Pinging 192.168.3.134 with 32 bytes of data:
Reply from 192.168.3.134: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.3.134:
 Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS\system32>ping 192.168.3.134 -n 1 -l 1460

Pinging 192.168.3.134 with 1460 bytes of data:
Reply from 192.168.3.134: bytes=1460 time<1ms TTL=64

Ping statistics for 192.168.3.134:
 Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum = 0ms, Average = 0ms

We told Host A to send 1460 bytes of data to Host B, but because the interface MTU is smaller than the packet, fragmentation is needed. We need to send 3 packets.

[Screenshot: fragmentation-1]

We know that the IP header takes a minimum of 20 bytes, so the maximum data we can send in one packet is 700-20 = 680 bytes.

The Ethernet header and trailer add 18 bytes, but Wireshark shows only 14 bytes because it does not display the 4-byte CRC.

First packet:

The first packet carries the initial 680 bytes. Bytes left: 1460-680 = 780.

[Screenshot: fragmentation-2]

Things to note:
1> The More Fragments bit is set.
2> As we are fragmenting ICMP data, the protocol number is 1 (ICMP) in all 3 packets.
3> The Identification number stays the same for all three packets.
4> For the first packet the fragment offset is 0, which means this packet goes first during reassembly.

Second packet:
We have 780 bytes left, and we send 680 bytes in the second packet. Bytes left: 780-680 = 100.

[Screenshot: Fragmentation-3]

Things to note:
1> The More Fragments bit is set.
2> As we are fragmenting ICMP data, the protocol number is 1 (ICMP) in all 3 packets.
3> The Identification number is the same as in the first packet.
4> As we have already sent 680 bytes (0 to 679), the fragment offset is 680.

Third packet:

Now only 100 bytes are left, which fit in a single packet, so we send the remaining 100 bytes; the ICMP header appears in this last packet, and the More Fragments bit is 0.

[Screenshot: Fragmentation-4]

Things to note:
1> The More Fragments bit is 0, because this is the last fragment.
2> As we are fragmenting ICMP data, the protocol number is 1 (ICMP) in all 3 packets.
3> The Identification number is the same as in the first packet.
4> As we have already sent 680 + 680 bytes (0 to 1359), the fragment offset is 1360.
5> The ICMP header also appears in the last fragment.
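The same split worked through in code, as an added example (not from the original post): the IP payload is the 8-byte ICMP echo header plus the 1460 data bytes, the MTU is 700, and the Identification value and addresses are constructed. The sender side produces the three fragments with the offsets and flag values noted above, and the receiver side refuses to reassemble an incomplete or non-contiguous set.

```python
import struct
from dataclasses import dataclass

IP_HDR_LEN = 20     # IPv4 header without options, as on the page
PROTO_ICMP = 1
MF_FLAG = 0x2000    # "More Fragments" bit in the flags/fragment-offset word


@dataclass
class Fragment:
    ident: int      # Identification, identical for every fragment of one datagram
    offset: int     # byte offset of this piece within the original IP payload
    more: bool      # More Fragments bit
    payload: bytes

    def header(self, src: bytes, dst: bytes, ttl: int = 64) -> bytes:
        """20-byte IPv4 header; the offset field is carried in 8-byte units."""
        flags_off = (MF_FLAG if self.more else 0) | (self.offset // 8)
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(self.payload),
                           self.ident, flags_off, ttl, PROTO_ICMP, 0, src, dst)


def fragment(payload: bytes, mtu: int, ident: int) -> list:
    """Split an IP payload so each fragment fits the MTU.  Every fragment except
    the last carries a multiple of 8 bytes, because offsets are in 8-byte units."""
    max_data = (mtu - IP_HDR_LEN) // 8 * 8          # MTU 700 -> 680 bytes of data
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_data]
        frags.append(Fragment(ident, off, off + len(chunk) < len(payload), chunk))
        off += len(chunk)
    return frags


def reassemble(frags: list) -> bytes:
    """Receiver side: one Identification, contiguous offsets, last piece with MF=0."""
    frags = sorted(frags, key=lambda f: f.offset)
    if len({f.ident for f in frags}) != 1 or frags[-1].more:
        raise ValueError("incomplete or mixed fragment set")
    expected, out = 0, bytearray()
    for f in frags:
        if f.offset != expected:                     # gap or overlap: refuse it
            raise ValueError("non-contiguous fragments")
        out += f.payload
        expected += len(f.payload)
    return bytes(out)


# Constructed input: 8-byte ICMP echo header followed by 1460 bytes of ping data
ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(range(256)) * 5 + bytes(180)
FRAGS = fragment(ECHO, mtu=700, ident=0x1234)
```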

Posted in Protocol

ESP [Encapsulating Security Payload] and AH [Authentication Header]

ESP provides confidentiality, authentication, integrity and anti-replay protection.

ESP packet format:

 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |               Security Parameters Index (SPI)                 |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                      Sequence Number                          |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Payload Data* (variable)                   |
 ~                                                               ~
 |                                                               |
 +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |               |     Padding (0-255 bytes)                     |
 +-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                               |  Pad Length   | Next Header   |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         Integrity Check Value-ICV   (variable) optional       |
 ~                     OR                                        ~
 |           Authentication Data (variable)                      |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ESP trailer consists of the Padding, Pad Length, and Next Header fields.

SPI: The SPI is used by a receiver to identify the SA to which an incoming packet is bound. The SPI field is mandatory.

Sequence number: This value increases by one for each packet sent and is used to defend against replay attacks. The sender's counter and the receiver's counter are initialized to 0 when an SA is established. The receiver checks this field to verify that a packet with this number has not already been received; if it has, the packet is rejected.

Payload: The Payload Data field contains the data (from the original IP packet) described by the Next Header field of the ESP packet.

Next Header: The Next Header is a mandatory 8-bit field that identifies the type of data contained in the Payload Data field, e.g., an IPv4 or IPv6 packet, or a next-layer header and data.

The ICV field is optional.

Size of Initialization Vector for

AES : 16 bytes
DES : 8 bytes

Size of Authentication Data for

MD5/ SHA-1 : 12 bytes
SHA-256 : 16 bytes
SHA-384 : 24 bytes
SHA-512 : 32 bytes

Maximum Size of padding for

AES : 15 bytes
DES : 7 bytes
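The sequence-number check and the padding rule above, as an added example (not code from the original post): parse the two fixed ESP fields, compute the trailer padding for a given cipher block size (which yields the 15-byte AES and 7-byte DES maxima listed above), and keep an RFC 4303 style sliding window that rejects replayed or too-old sequence numbers. The window size of 64 and the sample bytes are assumptions.

```python
import struct

ESP_HEAD = struct.Struct("!II")     # SPI and Sequence Number, the two fixed ESP fields


def parse_esp_header(pkt: bytes):
    """Return (spi, seq) from the first 8 bytes of an ESP packet."""
    if len(pkt) < ESP_HEAD.size:
        raise ValueError("truncated ESP header")
    return ESP_HEAD.unpack_from(pkt)


def esp_pad_length(payload_len: int, block_size: int) -> int:
    """Padding needed so that payload + padding + Pad Length + Next Header (2 bytes)
    is a multiple of the cipher block size (16 for AES, 8 for DES)."""
    return (-(payload_len + 2)) % block_size


class ReplayWindow:
    """Sliding anti-replay window over 32-bit ESP sequence numbers.
    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether top - i has been seen.  Both counters start at 0 when the
    SA is established, so the first packet on the SA carries sequence number 1."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        """True if the packet is new and inside the window, False if it must be
        dropped.  A real receiver updates the window only after the ICV verifies."""
        if seq == 0:                                    # never valid on a fresh SA
            return False
        if seq > self.top:                              # advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:                 # older than the window: drop
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                           # already received: replay
            return False
        self.bitmap |= bit
        return True
```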

Transport mode:

            Before applying ESP
            ---------------------------
       IPv4 | orig IP hdr | TCP | Data |
            ----------------------------

                  After applying ESP
             -------------------------------------------------
       IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
             |             | Hdr | TCP | Data | Trailer | ICV|
             -------------------------------------------------
                                 |<---- encryption ---->|
                           |<-------- integrity ------->|

Tunnel mode ESP:

            Before applying ESP
            ---------------------------
       IPv4 | orig IP hdr | TCP | Data |
            ----------------------------
                 After applying ESP

            -----------------------------------------------------------
      IPv4  | new IP hdr  |     | orig IP hdr   |   |    | ESP   | ESP|
            |             | ESP |               |TCP|Data|Trailer| ICV|
            -----------------------------------------------------------
                                |<--------- encryption --------->|
                          |<------------- integrity ------------>|

Authentication Header:

The IP Authentication Header (AH) is used to provide connectionless integrity and data origin authentication for IP datagrams.

AH packet format:

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Header   |  Payload Len  |          RESERVED             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Security Parameters Index (SPI)               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Sequence Number Field                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                Integrity Check Value-ICV (variable)           |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ICV: This field contains the Integrity Check Value (ICV) for the packet.

Transport mode:

            Before applying AH
            ---------------------------
       IPv4 | orig IP hdr | TCP | Data |
            ----------------------------

                   After applying AH
             -------------------------------------------------------
       IPv4  |    original IP hdr           | AH | TCP |    Data   |
             -------------------------------------------------------
             |<------ mutable field  ------>|<- immutable fields ->|
             |<----- authenticated except for mutable fields ----->|

Tunnel mode:

            Before applying AH

            ---------------------------
       IPv4 | orig IP hdr | TCP | Data |
            ----------------------------

                  After applying AH
            ----------------------------------------------------------------
       IPv4 |                              |    | orig IP hdr   |   |      |
            |      new IP header           | AH | (any options) |TCP| Data |
            ----------------------------------------------------------------
            |<------ mutable field  ------>|<------ immutable fields ----->|
            |<- authenticated except for mutable fields in the new IP hdr->|

AH signs the entire packet for integrity, except for certain fields in the IP header that may change in transit, such as the Time To Live and Type of Service fields. If a field may be modified during transit, its value is set to zero for the purpose of the ICV computation.
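Zeroing the mutable fields before computing the ICV, as an added example rather than code from the original post: HMAC-SHA1-96 (the 12-byte authentication data size listed above) over a constructed IPv4 header, AH header and payload, with a receiver-side verify step. The key, SPI, Identification and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

AH_ICV_LEN = 12   # HMAC-MD5-96 and HMAC-SHA1-96 truncate the MAC to 96 bits (12 bytes)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Copy of a 20-byte IPv4 header (no options) with the mutable fields zeroed
    for ICV computation: TOS, flags + fragment offset, TTL and header checksum.
    Version/IHL, total length, identification, protocol and both addresses are
    immutable and are left untouched."""
    if len(ip_hdr) != 20 or ip_hdr[0] >> 4 != 4:
        raise ValueError("expected a 20-byte IPv4 header")
    h = bytearray(ip_hdr)
    h[1] = 0                    # Type of Service
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # Time To Live
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over the packet as AH sees it: zeroed IP header, AH header
    with its own ICV field zeroed (SPI and sequence number kept), then the data."""
    ah_for_mac = ah_hdr[:12] + bytes(AH_ICV_LEN)
    data = zero_mutable_fields(ip_hdr) + ah_for_mac + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:AH_ICV_LEN]


def verify_ah(key: bytes, ip_hdr: bytes, ah_hdr: bytes, payload: bytes) -> bool:
    """Receiver check: recompute the ICV and compare it with the received one
    in constant time."""
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_hdr, payload), ah_hdr[12:24])


def build_ipv4_header(src: bytes, dst: bytes, ttl: int, total_len: int) -> bytes:
    """Constructed sample header carrying AH (protocol 51); checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x4242, 0x4000,
                       ttl, 51, 0, src, dst)


# Constructed AH header: Next Header 6 (TCP), Payload Len 4 (24-byte AH in 32-bit
# words minus 2), Reserved, SPI, Sequence Number, then a 12-byte ICV placeholder.
AH_HDR = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(AH_ICV_LEN)
KEY = b"constructed-demo-key"   # hypothetical SA key, not from the page
```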

Posted in Protocol

Python How to

How to do error handling in Python:

try:
    b = kjk          # NameError: kjk does not exist
except Exception as e:
    print(e)

try:
    print(b)         # NameError again: b was never assigned, because the first statement raised
except Exception as e:
    print(e)

Output:

name 'kjk' is not defined
name 'b' is not defined


Posted in Python

Python: What is

What is the difference between import x and from x import y:

With import x, you refer to things in x as x.something.

With from x import *, you refer to things in x directly, just as something.

Posted in Python

Cisco AnyConnect configuration

If you access the firewall via ASDM through the outside interface, then after configuring AnyConnect you will no longer be able to manage the ASA via ASDM on port 443 (WebVPN now listens there), so you need to change the management port:

http server enable 8080
http 0.0.0.0 0.0.0.0 outside

ip local pool AnyConnectPool 192.168.1.1-192.168.1.254 mask 255.255.255.0

object network AnyConnectPoolObject
subnet 192.168.1.0 255.255.255.0

ASA1(config)# webvpn
ASA1(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on ‘outside’.
ASA1(config-webvpn)# tunnel-group-list enable
ASA1(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.3.02039-k9.pkg
ASA1(config-webvpn)# anyconnect enable
ASA1(config-webvpn)# exit

username cisco password cisco

access-list anyconnect_acl standard permit 13.13.13.0 255.255.255.0

ASA1(config)# group-policy AnyConnectGroupPolicy internal

ASA1(config)# group-policy AnyConnectGroupPolicy attributes
ASA1(config-group-policy)# vpn-tunnel-protocol ssl-client
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value anyconnect_acl

ASA1(config)# tunnel-group AnyConnectTunnelGroup type remote-access
ASA1(config)# tunnel-group AnyConnectTunnelGroup general-attributes
ASA1(config-tunnel-general)# default-group-policy AnyConnectGroupPolicy
ASA1(config-tunnel-general)# address-pool AnyConnectPool
ASA1(config-tunnel-general)# exit

ASA1(config)# tunnel-group AnyConnectTunnelGroup webvpn-attributes
ASA1(config-tunnel-webvpn)# group-alias AnyConnectTunnelGroup enable

Verification commands:

ASA1# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : cisco Index : 8
Assigned IP : 192.168.1.1 Public IP : 192.168.3.1
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 16848 Bytes Rx : 3773
Group Policy : AnyConnectGroupPolicy Tunnel Group : AnyConnectTunnelGroup
Login Time : 05:27:09 UTC Fri Nov 24 2017
Duration : 0h:01m:50s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0b0b0b01000080005a17adad
Security Grp : none
ASA1# show conn
5 in use, 5 most used

ICMP outside 192.168.1.1:1 dmz 13.13.13.13:0, idle 0:00:00, bytes 64, flags

The ASA automatically injects a /32 route for the VPN user into the routing table:

S     192.168.3.0 255.255.255.0 [1/0] via 12.12.12.12, outside

Check whether the AnyConnect image is present in flash:

ASA1# show flash
--#-- --length-- -----date/time------ path
 78 25180317 Nov 22 2017 06:50:58 anyconnect-win-4.3.02039-k9.pkg


Posted in ASA

Scapy basic on ubuntu 16.04

Scapy has two major versions:

Scapy v1.x: works with Python 2.4.
Scapy v2.x: versions <= 2.3.3 need Python 2.5; versions > 2.3.3 need Python 2.7.

How to install scapy:

1> To install scapy on your Ubuntu system, install pip first:

# apt-get install python-pip

2> Once pip is installed, install scapy:

# pip install scapy

Two useful listing functions in scapy:

1> ls() – shows all protocols available in scapy

2> lsc() – shows all functions (commands) available in scapy.

To see the fields of a protocol and their default values, call show() on an instance of it:

>>> VRRP().show()
###[ VRRP ]###
 version= 2
 type= 1
 vrid= 1
 priority= 100
 ipcount= None
 authtype= 0
 adv= 1
 chksum= None
 addrlist= []
 auth1= 0
 auth2= 0


Posted in Python