Network traffic analysis for incident response

Network traffic analysis for IR: Introduction to networking

March 2, 2020 by Lester Obbayi

Introduction

Computer networking is one of the most important skills that incident responders are required to have. Analyzing network traffic as an incident responder is about more than just noting strange activities and anomalies on the network: you need to know the ins and outs of how a network operates. 

In this article, we will introduce the important computer networking aspects that incident responders need to be aware of.

Understanding IP addressing

A computer network is made up of IP addresses, which are numbers that are assigned to each host connected to a computer network. IP addresses serve the function of identifying which hosts exist within the network and categorizing the hosts into separate networks.

IP addresses are written in a human-readable format, such as 172.16.254.1 in IPv4 and 2001:db8:0:1234:0:567:8:1 in IPv6. The following sections describe the things that incident responders must be aware of regarding IP addresses.

Classes of IP addresses

When conducting a hacking exercise, it is very important to understand the “scope” of the operation: a hacker should not attack networks that are outside the target range. In a penetration testing engagement, straying beyond the scope would mean attacking hosts that were never intended to be tested, or that belong to a different organization altogether.

The following table shows the classes of IP addresses that exist:

Class      First octet value    Default subnet mask (prefix length)
Class A    0-127                /8  (255.0.0.0)
Class B    128-191              /16 (255.255.0.0)
Class C    192-223              /24 (255.255.255.0)
Class D    224-239              none
Class E    240-255              none

Class A, B and C IP addresses are used for host identification, whereas classes D and E are used for other purposes. For instance, class D is used for multicast and class E is used for various experimental purposes.

Public versus private IP addresses

Hackers need to know the difference between private and public IP addressing. A public IP address is one that is issued by the ISP directly to you, while a private IP address is one issued by a router or some other device. Private IP addresses are not reachable from the internet because they are not routable over the internet.

Hackers need to know how to access private IPs from the internet, and how to set up the infrastructure to do so. This requires a VPN server that is reachable from the internet and a VPN client that connects through it into the private network. A VPN can also be used to hide your public IP address. We’ll look at VPNs below.

Subnetting

Subnetting is the process of dividing a network into smaller networks. The division is determined by the number of bits that are allocated to the IP address prefix. For example, consider the IP address below:

  • 192.168.100.0/24

This IP address has a trailing /24. This is referred to as CIDR notation, and it specifies the number of leading bits that make up the network prefix. Here the first 24 bits are allocated to the network prefix, while the remaining 8 bits are reserved for host addressing.

Within this network, host addresses range from 192.168.100.0 to 192.168.100.255. All the hosts on the same network share the same prefix; which prefix that is depends on the subnet and on the architecture of the network.

The CIDR notation above can also be represented by its subnet mask as 255.255.255.0. Subnetting is important because it helps routers determine the best route for traffic to take.
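To make the subnetting arithmetic concrete, here is an added Python example (not code from the original article). It builds the subnet mask from a CIDR prefix by hand and cross-checks it against the standard library's ipaddress module, labels an address with its classful range from the table above, reports whether it is private, and checks whether an address seen in a log falls inside a list of in-scope networks. The sample addresses are constructed; the 192.168.100.0/24 block is the one from the text. The summary also shows the network and broadcast addresses, which are the two addresses of a /24 that are not usable by hosts.

```python
import ipaddress
from typing import Iterable

# Classful ranges from the article's table: (class, first octet low,
# first octet high, default prefix length or None). Classful addressing
# has been superseded by CIDR, so this is used only to label an address.
CLASS_RANGES = [
    ("A", 0, 127, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
    ("D", 224, 239, None),   # multicast
    ("E", 240, 255, None),   # experimental
]


def ip_class(ip: str) -> str:
    """Return the classful letter (A-E) for a dotted-decimal IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    for name, low, high, _ in CLASS_RANGES:
        if low <= first_octet <= high:
            return name
    raise ValueError(f"no class for {ip}")


def prefix_to_mask(prefix: int) -> str:
    """Build the dotted-decimal subnet mask for a CIDR prefix length by hand.

    A /24 means the top 24 bits of the 32-bit mask are set: 255.255.255.0.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    all_ones = (1 << 32) - 1
    host_bits = (1 << (32 - prefix)) - 1      # low bits that belong to hosts
    mask = all_ones ^ host_bits               # clear the host bits
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe_cidr(cidr: str) -> dict:
    """Summarise a CIDR block: mask, network/broadcast and usable host range."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Sanity check: the hand-built mask must agree with the library's.
    assert prefix_to_mask(net.prefixlen) == str(net.netmask)
    if net.prefixlen >= 31:
        # /31 (point-to-point) and /32 have no separate network/broadcast.
        first, last, usable = net[0], net[-1], net.num_addresses
    else:
        first, last, usable = net[1], net[-2], net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }


def is_private_ip(ip: str) -> bool:
    """True for RFC 1918 and other non-internet-routable IPv4 space."""
    return ipaddress.ip_address(ip).is_private


def in_scope(ip: str, scopes: Iterable[str]) -> bool:
    """Does the address fall inside any of the given CIDR blocks?

    Useful both for keeping a test inside its agreed scope and, in incident
    response, for deciding whether an address in a log is one of ours.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in scopes)


if __name__ == "__main__":
    # Constructed sample: the /24 from the text and a few addresses to label.
    print(describe_cidr("192.168.100.0/24"))
    for sample in ("10.0.0.1", "172.16.254.1", "192.168.100.0", "224.0.0.1", "8.8.8.8"):
        print(sample, "class", ip_class(sample),
              "private" if is_private_ip(sample) else "public",
              "in scope" if in_scope(sample, ["192.168.100.0/24"]) else "out of scope")
```

The hand-built mask and the library's netmask are compared inside describe_cidr so that a mistake in the bit arithmetic is caught immediately rather than silently producing a wrong host range.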

Understanding networking technologies

Hackers should understand how different network technologies work, since this knowledge can make the hacking exercise much simpler. Knowing how different topologies are constructed and how they operate will also help hackers map out the network architecture of their target.

The following are some key technologies.

Network topologies

Network topologies describe the arrangement of the network elements that make a computer network functional. Network elements here might be network devices such as routers, gateways and switches, or the links that connect these elements together. The structure is usually depicted graphically and can be understood either physically or logically.

Hackers need to understand the topologies that exist because during a hacking exercise, they will need to visualize the structure of the network so as to minimize any possible errors within their hacking approach. 

The following are the network topologies that hackers should familiarize themselves with:

  • Bus: Each computer within this setup is connected to a single line or cable, commonly referred to as a backbone
  • Star: Each computer within this network connects to a single device
  • Ring: Each computer within this network is connected to two other computers, forming a ring of connected devices
  • Point-to-point: Each computer here is connected to another computer
  • Mesh: In this topology, many computers are connected to many other computers, forming a mesh

Other topologies also exist that we have not mentioned. These are tree, hybrid and daisy chain. Understanding the topology of the target network helps visualize the setup and plan for an attack approach.

Network devices

The topologies discussed above make it possible for hackers to understand how network devices connect to one another. These devices (nodes) include, but are not limited to, the following:

  • Routers: Hackers need to understand how routing takes place in order to perform attacks such as man-in-the-middle
  • Switches: This device uses packet switching to receive and transfer data from one device to another. Hackers may be able to gain unauthorized access to switches and disrupt traffic
  • Hubs: A hub is a common connection point for network devices
  • Access points: These devices provide a wireless connection within an office for access to a WLAN. There are numerous attacks that hackers can perform via the WLAN, so this is a device that must be well understood
  • Firewalls: Firewalls vary across application areas. Generally, they make it possible to blacklist and whitelist traffic. Hackers must master the various firewall bypasses that can enable them to avoid the blacklist

There are also other nodes that can be configured within the network. These include different servers, modems, gateways, repeaters, network storages and so on.

Dynamic Host Configuration Protocol (DHCP)

DHCP is the protocol commonly used to assign IP addresses quickly and automatically and to manage them centrally. It is also used to configure the DNS server, default gateway and subnet mask of devices within the network.

The good thing about DHCP is that there is close to no possibility of identical IP addresses being assigned within the network, as opposed to manually issuing static IP addresses. Hackers should know how this protocol works and the various methods that can be used to attack and defend DHCP servers.

Network Address Translation (NAT)

NAT is a method of re-mapping one IP address space into another by modifying network address information. This is usually performed within the IP header of data packets while they are in transit across a routing device. It is important because it does away with the need to renumber every host within the network when the network changes. It also helps conserve the ever-diminishing IPv4 global address space.

Hackers need to be aware of how NAT works in order to take advantage of it during hacking.
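The following added Python example (not code from the original article) simulates the header rewriting the NAT paragraph describes for the common port-overloading case: outbound packets from private hosts have their source rewritten to one public address and a freshly allocated port, matching replies are rewritten back, and inbound packets with no existing mapping are dropped. It also keeps a translation log and an attribute() lookup, because a responder who only has an external observation (public address and port) needs exactly this table to find the internal host. All addresses are constructed: the public side and the remote hosts use RFC 5737 documentation ranges, and the Packet and PortNat types are hypothetical names for this demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed public address for the NAT device (RFC 5737 documentation range).
PUBLIC_IP = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    """The IP/transport header fields NAT rewrites, nothing else."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PortNat:
    """A minimal port-overloading NAT (PAT) in front of one public address.

    Outbound packets get their source rewritten to the public address plus an
    allocated public port; replies are matched on that port and the remote
    endpoint and rewritten back. Unsolicited inbound packets have no mapping
    and are dropped, which is why private hosts are not reachable from the
    internet by default.
    """
    public_ip: str
    next_port: int = 40000
    # (inside_ip, inside_port, remote_ip, remote_port) -> public port
    mappings: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    # Human-readable translation log, the artefact a responder asks for.
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.mappings:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.reverse[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.log.append(
                f"NAT {pkt.src}:{pkt.sport} -> {self.public_ip}:{port} "
                f"to {pkt.dst}:{pkt.dport}")
        return Packet(self.public_ip, self.mappings[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from the internet.

        Returns None (dropped) when no outbound state exists for it.
        """
        if pkt.dst != self.public_ip:
            return None
        inside = self.reverse.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])

    def attribute(self, public_port: int, remote_ip: str,
                  remote_port: int) -> Optional[Tuple[str, int]]:
        """Map an externally observed (public port, remote endpoint) back to the
        internal host and port, as a responder would do from NAT logs."""
        return self.reverse.get((public_port, remote_ip, remote_port))


if __name__ == "__main__":
    nat = PortNat(PUBLIC_IP)
    # Two constructed private hosts talking to one constructed remote server.
    out1 = nat.outbound(Packet("192.168.100.10", 51515, "203.0.113.9", 443))
    out2 = nat.outbound(Packet("192.168.100.11", 51515, "203.0.113.9", 443))
    print(out1, out2, sep="\n")
    # The remote server's reply to out1 is rewritten back to host .10.
    print(nat.inbound(Packet("203.0.113.9", 443, PUBLIC_IP, out1.sport)))
    # An unsolicited inbound packet has no mapping and is dropped.
    print(nat.inbound(Packet("203.0.113.9", 443, PUBLIC_IP, 50000)))
    print("\n".join(nat.log))
```

Because both internal hosts used the same source port 51515, the NAT only tells them apart by the public port it allocated, which is why external logs that record only the public address, without the port and timestamp, cannot be attributed to a single internal machine.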

Virtual Private Network (VPN)

A VPN is a private network that has been extended over a public network through a tunnel. The connected hosts within this tunnel are able to communicate as if they were within the same network. VPNs were intended to be a secure method of connecting hosts; hosts authenticate via usernames, passwords or certificates.

Hackers should be able to understand how VPNs work, since most hackers will implement them to bypass IP blacklisting (by web application firewalls) during website hacking. VPNs can also allow hackers to develop strategies during hacking for scenarios such as exfiltration of sensitive data from compromised targets.

Understanding protocols

Unless a hacker understands the functionality of a protocol, they cannot properly attack it. Hackers must understand the Internet Protocol Suite (TCP/IP). They must also be able to differentiate between TCP and UDP and know how and when to apply TCP- or UDP-based network scans for active information gathering.

The following are some of the other protocols that will be encountered during a hacking exercise:

  • SSH: This is the protocol that is widely used to securely connect to remote computers. It’s important to have a good understanding of this protocol and how one can use its facilities to remotely copy data from one host to another
  • ARP: This protocol is used to map IP addresses to the MAC addresses of hosts within the network. By abusing this protocol, hackers may be able to perform attacks such as man-in-the-middle within a network
  • DHCP: This protocol is used to issue IP addresses within the network, as seen above. It can be abused by hackers to perform IP address spoofing within the network. Hackers must understand how DHCP works so as to know when and how to apply IP address spoofing
  • RDP: This protocol provides a graphical user interface of a remote computer (server) to a connecting computer (client) for remote control of the remote computer. Understanding this protocol allows hackers to start RDP connections from compromised systems during a hack
  • SMB: This protocol is very important within a network, as it provides shared access to files, ports and services. Hackers may be able to find misconfigured shares within a network that end up exposing sensitive and confidential information

The few examples given above demonstrate what hackers are capable of achieving in a network, after understanding the functionality of protocols. There are of course numerous other protocols not discussed here that can equally be targeted by hackers.
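The ARP entry above notes that the protocol can be abused for man-in-the-middle attacks; from the responder's side, the observable symptom is an IP address whose MAC answer changes, or one MAC answering for several IP addresses. The following added Python example (not code from the original article) runs that detection logic over a few constructed, tcpdump-style ARP reply lines. The log format, sample addresses and MACs are all constructed for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed, tcpdump-style ARP reply lines. In the last two lines a second
# MAC starts answering for the gateway (.1) and a workstation (.20), which is
# the pattern a responder would expect to see during ARP spoofing.
SAMPLE_ARP_LOG = """\
12:00:01.000 arp reply 192.168.100.1 is-at 00:11:22:33:44:01
12:00:02.000 arp reply 192.168.100.20 is-at 00:11:22:33:44:20
12:00:03.000 arp reply 192.168.100.1 is-at 00:11:22:33:44:01
12:00:05.000 arp reply 192.168.100.1 is-at de:ad:be:ef:00:99
12:00:06.000 arp reply 192.168.100.20 is-at de:ad:be:ef:00:99
"""

# Matches one constructed log line: "<timestamp> arp reply <ip> is-at <mac>".
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def detect_arp_anomalies(log_text: str, max_ips_per_mac: int = 1) -> List[Tuple]:
    """Flag IP->MAC changes and MACs that answer for more than one IP.

    Returns a list of alert tuples. Legitimate causes exist (NIC replacement,
    high-availability gateways, a router answering for several addresses), so
    treat the output as leads to confirm against the switch's MAC table, not
    as verdicts.
    """
    alerts: List[Tuple] = []
    ip_to_mac: Dict[str, str] = {}            # last MAC seen for each IP
    mac_to_ips = defaultdict(set)             # every IP each MAC has claimed
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue                          # not an ARP reply line; ignore
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip-mac-changed", ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_LOG):
        print(alert)
```

Raising max_ips_per_mac is the knob for networks where one device legitimately answers for several addresses; the ip-mac-changed check is the one that usually matters first, since an attacker must displace the genuine answer before traffic is redirected.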

Conclusion

Getting into cybersecurity with a proper networking background will ensure that you can understand why certain tools and approaches are taken during hacking. This article has focused on the basics that are required to understand the functionality of a computer network. 

We encourage you to go over and beyond this article and research ports, services and vulnerabilities that affect these.


Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.