IPv4, IPv6, TCP, UDP, ICMP for Pentesting

Basics IPv4

The IPv4 header carries a number of fields that matter when crafting or inspecting packets, starting with the Version number, which for IPv4 is always 4. The fields are:

Version (4 bits): Version number of the Internet Protocol in use (4 for IPv4).

IHL (4 bits): Internet Header Length, the length of the entire IP header in 32-bit words. The minimum is 5 (20 bytes, no options) and the maximum is 15 (60 bytes).

DSCP (6 bits): Differentiated Services Code Point. This is the former Type of Service field, used to classify packets for QoS.

ECN (2 bits): Explicit Congestion Notification, carries information about congestion seen along the route.

Total Length (16 bits): Length of the entire IP packet in bytes (IP header plus IP payload), so a packet is at most 65,535 bytes.

Identification (16 bits): If an IP packet is fragmented in transit, all fragments carry the same identification number so the receiver can tell which original packet they belong to.

Flags (3 bits): If a packet is too large for a link to handle, these flags say whether it may be fragmented. The MSB is reserved and always 0; the middle bit is DF (Don't Fragment); the last bit is MF (More Fragments), set on every fragment except the last.

Fragment Offset (13 bits): The position of this fragment within the original IP packet, counted in 8-byte units.

Time to Live (8 bits): To avoid packets looping in the network, every packet is sent with a TTL value that tells the network how many routers (hops) it may cross. Each hop decrements it by one; when it reaches zero the packet is discarded, and the router normally returns an ICMP Time Exceeded to the sender (this is what traceroute relies on).

Protocol (8 bits): Tells the network layer at the destination host which upper-layer protocol the payload belongs to, i.e. the next-level protocol. For example the protocol number of ICMP is 1, TCP is 6 and UDP is 17.

Header Checksum (16 bits): One's-complement checksum over the IP header only (not the payload), used to check that the header arrived error-free. Because TTL changes at every hop, every router recomputes it.

Source Address (32 bits): Address of the sender (source) of the packet.

Destination Address (32 bits): Address of the receiver (destination) of the packet.

Options: Optional field, present only when IHL is greater than 5. Options can carry values such as Security, Record Route and Timestamp, and are padded to a 32-bit boundary.
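As an added example (not part of the original notes), the Python below packs and decodes an IPv4 header with the standard library only, showing how IHL, the Flags/Fragment Offset word and the Header Checksum are laid out. The function names, the 10.0.0.x addresses and the Router Alert option in the sample are constructed for this illustration and are not taken from any particular tool.

```python
import ipaddress
import struct

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, protocol, payload_len, *, ident=0x1234, ttl=64,
                      df=False, mf=False, frag_offset=0, options=b""):
    """Pack an IPv4 header with a valid Header Checksum.

    frag_offset is in bytes (multiple of 8); options are zero-padded to a 32-bit boundary.
    """
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4               # header length in 32-bit words
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                         ident, flags_frag, ttl, protocol, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed) + options
    # the checksum is computed over the header with its own checksum field zeroed
    return header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header, fragmentation bits and options; verify the checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    hdr_len = ihl * 4
    if ihl < 5 or len(pkt) < hdr_len or total_len < hdr_len:
        raise ValueError("inconsistent IHL/Total Length (ihl=%d, total=%d)" % (ihl, total_len))
    return {
        "ihl": ihl,
        "header_len": hdr_len,
        "dscp": tos >> 2,                     # upper 6 bits of the old ToS byte
        "ecn": tos & 0x03,                    # lower 2 bits
        "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),      # bit 1 of the 3-bit Flags field
        "mf": bool(flags_frag & 0x2000),      # bit 2
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # the field counts 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "proto-%d" % proto),
        "checksum": csum,
        # summing the header *including* its checksum field must give zero
        "checksum_ok": internet_checksum(pkt[:hdr_len]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": pkt[20:hdr_len],
    }


if __name__ == "__main__":
    # constructed sample: second fragment of a TCP packet carrying a Router Alert option (type 0x94)
    hdr = build_ipv4_header("10.0.0.1", "10.0.0.2", 6, 1480, mf=True, frag_offset=1480,
                            options=b"\x94\x04\x00\x00")
    print(parse_ipv4_header(hdr))
    # a hop that decrements TTL without recomputing the checksum leaves an invalid header
    corrupted = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]
    print("checksum_ok after silent TTL change:", parse_ipv4_header(corrupted)["checksum_ok"])
```

Run it directly to see the decoded fields. The checksum covers the header only, which is why a router must recompute it after decrementing TTL and why checksum_ok turns False for the corrupted sample; the payload is protected, if at all, by the transport-layer checksum.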


Basics IPv6

The fixed header of an IPv6 packet consists of its first 40 octets (320 bits):


Version (4 bits): The constant 6 (bit sequence 0110).

Traffic Class (8 bits): The bits of this field hold two values. The 6 most-significant bits are used for differentiated services, which classify packets (the same DSCP semantics as in IPv4). The remaining two bits are used for ECN.[4]

Flow Label (20 bits): Originally created for giving real-time applications special service.[1] The flow label when set to a non-zero value now serves as a hint to routers and switches with multiple outbound paths that these packets should stay on the same path so that they will not be reordered. It has further been suggested that the flow label be used to help detect spoofed packets.[7]

Payload Length (16 bits): The size of the payload in octets, including any extension headers. The length is set to zero when a Hop-by-Hop extension header carries a Jumbo Payload option.[8]

Next Header (8 bits): Specifies the type of the next header. This field usually specifies the transport layer protocol used by a packet's payload. When extension headers are present in the packet this field indicates which extension header follows, and each extension header in turn carries its own Next Header field. The values are shared with those used for the IPv4 Protocol field, as both fields have the same function (see the IANA list of IP protocol numbers).

Hop Limit (8 bits): Replaces the time to live field of IPv4. This value is decremented by one at each intermediate node visited by the packet. When the counter reaches 0 the packet is discarded.

Source Address (128 bits): The IPv6 address of the sending node.

Destination Address (128 bits): The IPv6 address of the destination node(s).

Unlike IPv4, the IPv6 header has no checksum to protect it: it was dropped to increase forwarding performance, on the assumption that current link-layer technology provides sufficient error detection. Header integrity is left to the link layer below and to the transport checksums above (which in IPv6 are mandatory, UDP included).
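Added example (not from the original notes): decoding the IPv6 fixed header and walking the Next Header chain through the extension headers, which is the part of IPv6 parsing that packet filters most often get wrong. The function names, the sample builder and the 2001:db8:: addresses are constructed for this illustration.

```python
import ipaddress
import struct

# extension headers that chain through Next Header; ESP (50) hides what follows it, so the walk stops there
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
               51: "Authentication", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_ipv6(pkt: bytes) -> dict:
    """Decode the 40-byte fixed header, then follow Next Header through the extension chain."""
    if len(pkt) < 40:
        raise ValueError("truncated: the IPv6 fixed header is 40 bytes")
    first, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if first >> 28 != 6:
        raise ValueError("not IPv6 (version=%d)" % (first >> 28))
    if payload_len != len(pkt) - 40:
        # Payload Length counts extension headers too; 0 is legal only with a Jumbo Payload option
        raise ValueError("Payload Length %d but %d bytes follow the header" % (payload_len, len(pkt) - 40))
    info = {
        "traffic_class": (first >> 20) & 0xFF,
        "dscp": (first >> 22) & 0x3F,          # upper 6 bits of Traffic Class
        "ecn": (first >> 20) & 0x03,           # lower 2 bits
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "extension_headers": [],
        "fragmented": False,
        "fragment_offset": 0,
        "more_fragments": False,
    }
    off, nh, hops = 40, next_hdr, 0
    while nh in EXT_HEADERS:
        hops += 1
        if hops > 16:                          # bound the walk; a hostile chain must not spin forever
            raise ValueError("extension header chain too long")
        if off + 8 > len(pkt):
            raise ValueError("truncated %s header" % EXT_HEADERS[nh])
        ext_next, ext_len = pkt[off], pkt[off + 1]
        if nh == 44:                           # Fragment: fixed 8 bytes; offset in 8-byte units, low bit is M
            size = 8
            frag_word = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            info["fragmented"] = True
            info["fragment_offset"] = (frag_word >> 3) * 8
            info["more_fragments"] = bool(frag_word & 1)
        elif nh == 51:                         # AH: Hdr Ext Len in 32-bit words, minus 2
            size = (ext_len + 2) * 4
        else:                                  # Hop-by-Hop/Routing/Dest Options: 8-byte units, minus 1
            size = (ext_len + 1) * 8
        info["extension_headers"].append(EXT_HEADERS[nh])
        off, nh = off + size, ext_next
    if off > len(pkt):
        raise ValueError("extension headers overrun the packet")
    info["next_header"] = nh
    info["upper_layer"] = UPPER_LAYER.get(nh, "proto-%d" % nh)
    info["upper_layer_offset"] = off
    # a non-first fragment does not carry the transport header at all, so port-based filters cannot see it
    info["upper_layer_present"] = not (info["fragmented"] and info["fragment_offset"] > 0)
    return info


def sample_packet(frag_offset=0, more=True) -> bytes:
    """Constructed sample: Hop-by-Hop -> Fragment -> 20 bytes of TCP (header stub or fragment data)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    hop_by_hop = bytes([44, 0]) + b"\x01\x04\x00\x00\x00\x00"      # next=Fragment, len 0, PadN option
    fragment = bytes([6, 0]) + struct.pack("!HI", ((frag_offset // 8) << 3) | int(more), 0xDEADBEEF)
    payload = hop_by_hop + fragment + b"\x00" * 20
    first = (6 << 28) | (0 << 20) | 0x12345                         # version 6, class 0, flow 0x12345
    return struct.pack("!IHBB16s16s", first, len(payload), 0, 64, src, dst) + payload


if __name__ == "__main__":
    print(parse_ipv6(sample_packet()))
    print(parse_ipv6(sample_packet(frag_offset=1480, more=False))["upper_layer_present"])
```

The Fragment header is the case to keep in mind: in any fragment with a non-zero offset the TCP/UDP header is simply absent, so an ACL that matches on ports without reassembling cannot classify the packet. The walk is bounded because a packet may legally carry several extension headers and a hostile one can chain many.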

OSI/ARPA LAYERS



Basics UDP

UDP Features:

  1. Is connectionless. UDP works with a best-effort mentality: no handshake, no acknowledgements, no guarantee of delivery or ordering.
  2. Does not retransmit lost packets.
  3. If there is no service listening on the other end, the host normally answers with an ICMP Port Unreachable (type 3, code 3). If a service is listening, there is usually no reply at all unless the probe makes the application respond. For scanning this means silence is ambiguous (open or filtered), ICMP Port Unreachable means closed, and other ICMP unreachables point to a filter in the path.


Basics TCP

TCP Features:




  1. Is connection oriented. TCP provides reliable, in-order delivery.
  2. Retransmits lost packets.
  3. A response is expected whether or not a service is listening: an open port answers a SYN with SYN/ACK, a closed port answers with RST. If no response at all is received (or an ICMP unreachable comes back instead), a firewall is filtering the port.

TCP handshake: the client sends a segment with SYN set, the server answers with SYN and ACK set (acknowledging the client's sequence number plus one), and the client completes the three-way handshake with an ACK. Every segment after that first SYN carries the ACK flag.


TCP Transmission Control Bits:

  1. URG (1 bit) – indicates that the Urgent pointer field is significant
  2. ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  3. PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.
  4. RST (1 bit) – Reset the connection
  5. SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
  6. FIN (1 bit) – No more data from sender
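Added example, not from the original notes: packing and decoding the TCP control bits, checking a SYN/ACK against the SYN it answers, and turning a probe's reply (or silence) into the port states a SYN scan and a UDP scan report, as described in the UDP and TCP feature lists above. `build_tcp_header`, `is_valid_syn_ack`, `classify_syn_scan`, `classify_udp_scan` and the sample ports are assumptions for this illustration; the TCP checksum is left at zero because computing it needs the IP pseudo-header, which is out of scope here.

```python
import struct

TCP_FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
                 "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
# ICMP Destination Unreachable codes that mean "something in the path rejected the probe"
ICMP_UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535) -> bytes:
    """Pack a 20-byte TCP header; flags is e.g. "SYN,ACK". Checksum left 0 (needs the IP pseudo-header)."""
    bits = 0
    for name in flags.split(","):
        bits |= TCP_FLAG_BITS[name.strip()]
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)


def parse_tcp_header(seg: bytes) -> dict:
    """Decode the fixed TCP header; the 9 control bits sit in the low bits of the Data Offset word."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20:
        raise ValueError("bad data offset %d" % data_offset)
    flags = [name for name, bit in TCP_FLAG_BITS.items() if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
            "flags": flags, "window": window,
            "urgent_pointer": urg if "URG" in flags else None}   # only significant with URG set


def is_valid_syn_ack(syn: bytes, reply: bytes) -> bool:
    """Second handshake step: SYN+ACK, ports swapped, and ACK number = our ISN + 1."""
    s, r = parse_tcp_header(syn), parse_tcp_header(reply)
    return (sorted(r["flags"]) == ["ACK", "SYN"] and r["sport"] == s["dport"]
            and r["dport"] == s["sport"] and r["ack"] == (s["seq"] + 1) & 0xFFFFFFFF)


def classify_syn_scan(reply) -> str:
    """reply: None (timeout), ("tcp", segment) or ("icmp", type, code); the states a SYN scan reports."""
    if reply is None:
        return "filtered"                  # no answer at all: something dropped the SYN
    if reply[0] == "icmp":
        return "filtered" if reply[1] == 3 and reply[2] in ICMP_UNREACH_FILTERED else "unknown"
    flags = parse_tcp_header(reply[1])["flags"]
    if "SYN" in flags and "ACK" in flags:
        return "open"                      # a service completed step 2 of the handshake
    if "RST" in flags:
        return "closed"                    # host reachable, nothing listening
    return "unknown"


def classify_udp_scan(reply) -> str:
    """UDP has no handshake, so silence is ambiguous; only ICMP tells open from closed."""
    if reply is None:
        return "open|filtered"
    if reply[0] == "udp":
        return "open"                      # the service answered the probe
    if reply[0] == "icmp" and reply[1] == 3:
        if reply[2] == 3:
            return "closed"                # Port Unreachable from the host itself
        if reply[2] in ICMP_UNREACH_FILTERED:
            return "filtered"              # other unreachables usually come from a filter in the path
    return "unknown"


if __name__ == "__main__":
    # constructed three-way handshake: client port 40000 -> server port 80
    syn = build_tcp_header(40000, 80, "SYN", seq=100)
    syn_ack = build_tcp_header(80, 40000, "SYN,ACK", seq=300, ack=101)
    ack = build_tcp_header(40000, 80, "ACK", seq=101, ack=301)
    for name, seg in (("SYN", syn), ("SYN/ACK", syn_ack), ("ACK", ack)):
        print(name, parse_tcp_header(seg)["flags"])
    print("valid SYN/ACK:", is_valid_syn_ack(syn, syn_ack))
    print("port 80:", classify_syn_scan(("tcp", syn_ack)))
    print("port 81:", classify_syn_scan(("tcp", build_tcp_header(81, 40000, "RST,ACK", ack=101))))
    print("port 82:", classify_syn_scan(None))
    print("udp/161:", classify_udp_scan(("icmp", 3, 3)))
```

The ACK-number check in `is_valid_syn_ack` is the same one a scanner uses to discard unsolicited SYN/ACKs from unrelated traffic; a reply that does not acknowledge the probe's own sequence number is not evidence of an open port.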



Basics ICMP

The Internet Control Message Protocol (ICMP) is one of the main protocols of the Internet Protocol Suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages. It is assigned protocol number 1. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).

ICMP messages are typically used for diagnostic or control purposes, or are generated in response to errors in IP operations. ICMP errors are directed to the source IP address of the originating packet.
For example, every device (such as an intermediate router) forwarding an IP datagram first decrements the time to live (TTL) field in the IP header by one. If the resulting TTL is 0, the packet is discarded and an ICMP Time To Live Exceeded in Transit message is sent to the datagram's source address.
Although ICMP messages are carried inside standard IP packets, they are usually processed as a special case, distinguished from normal IP processing, rather than as a normal sub-protocol of IP. In many cases the host must inspect the contents of the ICMP message and deliver the appropriate error to the application that sent the packet that prompted it; to make that possible, every ICMP error message quotes the IP header and at least the first 8 bytes of the offending datagram, which is enough to recover the transport protocol and port numbers. Unlike TCP and UDP, ICMP has no port numbers; it uses a type and a code to distinguish the different messages.
RFC 792 (and RFC 1122, which refined the rules) defines special conditions for ICMP messages:
  1. No ICMP error messages are sent in response to ICMP error messages, to avoid infinite repetition.
  2. For fragmented IP datagrams, ICMP error messages are only sent for errors on fragment zero (the first fragment).
  3. ICMP error messages are never sent in response to a datagram destined to a broadcast or a multicast address.
  4. ICMP error messages are never sent in response to a datagram sent as a link-layer broadcast.
  5. ICMP error messages are never sent in response to a datagram whose source address does not represent a unique host (the source address cannot be zero, a loopback address, a broadcast address or a multicast address).
  6. ICMP error messages are never sent in response to an IGMP message of any kind.
  7. When an ICMP message of unknown type is received, it must be silently discarded.
  8. Routers will almost always generate ICMP messages, but for a destination host the number of ICMP messages generated is implementation dependent (many hosts rate-limit them, which is one reason a UDP scan of a single host is slow).
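Added example (not part of the original notes) that encodes the rules above as the check an IP stack runs before emitting an error, builds a Destination Unreachable that quotes the offending datagram, and parses such an error back to the originating socket. `may_send_icmp_error`, `build_dest_unreachable`, `parse_icmp_error`, the 10.0.0.x addresses and the SNMP probe are constructed for this illustration; whether a packet arrived as a link-layer broadcast, and which directed-broadcast addresses exist, are not visible in the packet itself, so they are passed in as parameters.

```python
import ipaddress
import struct

# ICMP types that are errors: Dest Unreachable, Source Quench, Redirect, Time Exceeded, Parameter Problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by the IP header and by every ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_datagram(src, dst, protocol, payload: bytes, frag_offset=0) -> bytes:
    """Constructed sample datagram: minimal 20-byte header (checksum left 0, not checked here) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x4242, frag_offset // 8,
                      64, protocol, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv4_fields(dgram: bytes) -> dict:
    """The IPv4 fields the ICMP rules depend on (IHL honoured; the header checksum is not verified)."""
    if len(dgram) < 20 or dgram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (dgram[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", dgram[6:8])[0]
    return {"header_len": ihl, "fragment_offset": (flags_frag & 0x1FFF) * 8, "protocol": dgram[9],
            "src": ipaddress.IPv4Address(dgram[12:16]), "dst": ipaddress.IPv4Address(dgram[16:20]),
            "payload": dgram[ihl:]}


def may_send_icmp_error(dgram: bytes, *, link_layer_broadcast=False, directed_broadcasts=()) -> tuple:
    """Apply the RFC 792/1122 suppression rules to the datagram that caused the error; returns (allowed, why).

    link_layer_broadcast and directed_broadcasts (a tuple of IPv4Address) are knowledge the stack has and
    the packet does not; both are assumptions of this example.
    """
    f = ipv4_fields(dgram)
    if f["protocol"] == 1 and f["payload"] and f["payload"][0] in ICMP_ERROR_TYPES:
        return False, "rule 1: triggering packet is itself an ICMP error"
    if f["fragment_offset"] != 0:
        return False, "rule 2: not fragment zero"
    if f["dst"].is_multicast or f["dst"] == LIMITED_BROADCAST or f["dst"] in directed_broadcasts:
        return False, "rule 3: destination is broadcast/multicast"
    if link_layer_broadcast:
        return False, "rule 4: arrived as a link-layer broadcast"
    s = f["src"]
    if s.is_unspecified or s.is_loopback or s.is_multicast or s == LIMITED_BROADCAST or s in directed_broadcasts:
        return False, "rule 5: source is not a unique host address"
    if f["protocol"] == 2:
        return False, "rule 6: triggering packet is IGMP"
    return True, "ok"


def build_dest_unreachable(original: bytes, code: int = 3) -> bytes:
    """ICMP type 3: type, code, checksum, 4 unused bytes, then the offending IP header + first 8 payload bytes."""
    f = ipv4_fields(original)
    body = struct.pack("!BBHI", 3, code, 0, 0) + original[:f["header_len"] + 8]
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_icmp_error(msg: bytes) -> dict:
    """Recover the original datagram's protocol and ports so the error reaches the right socket."""
    if len(msg) < 8 + 20:
        raise ValueError("too short to carry a quoted IP header")
    if internet_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    inner = ipv4_fields(msg[8:])
    info = {"type": msg[0], "code": msg[1], "protocol": inner["protocol"],
            "orig_src": str(inner["src"]), "orig_dst": str(inner["dst"])}
    if inner["protocol"] in (6, 17) and len(inner["payload"]) >= 4:
        # TCP and UDP headers both begin with source port, destination port: 8 quoted bytes are enough
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner["payload"][:4])
    return info


def sample_snmp_probe(src="10.0.0.5", dst="10.0.0.9", frag_offset=0) -> bytes:
    """Constructed sample: a UDP probe from port 40000 to 161 with 4 bytes of payload."""
    udp = struct.pack("!HHHH", 40000, 161, 12, 0) + b"\x30\x02\x01\x00"
    return ipv4_datagram(src, dst, 17, udp, frag_offset)


if __name__ == "__main__":
    probe = sample_snmp_probe()
    print("error allowed:", may_send_icmp_error(probe))
    print("error allowed:", may_send_icmp_error(sample_snmp_probe(dst="224.0.0.1")))
    unreachable = build_dest_unreachable(probe, code=3)     # what 10.0.0.9 returns when nothing listens on 161
    print(parse_icmp_error(unreachable))
    # the error itself travels in IP; rule 1 stops the scanning host from answering it with another error
    print("error allowed:", may_send_icmp_error(ipv4_datagram("10.0.0.9", "10.0.0.5", 1, unreachable)))
```

The quoted header plus 8 bytes is the only link between an ICMP error and the socket that caused it, which is exactly what a UDP scanner reads to decide that a port is closed, and also why a forged ICMP error that quotes a plausible header can be used to disturb someone else's connection.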