Week 9.1-2 Class Notes & Activities: DNS
#networking #OSI #wireshark #dns #nslookup #tcp #ip #80211 #email #UofTBootcamp #arp
Follow-Up Questions from Class Activities
- Activity 9.2.09 on Email Security: missing emails? Why is SPF failing – can't see the email
- Networking Review Activity: What networking devices use these values for MAC addresses – don't they all?
- What is the original source IP? 0.0.0.0 ??
- CIDR & IP range review!!
- Network Attacks Review Activity: if this is the only data, how can you know for sure which is good/which is the MAC address of the hacker's device?
[Duplicate IP address detected for 192.168.47.254 (00:0c:29:1d:b3:b1) - also in use by 00:50:56:f9:f5:54 (frame 2013)]
DNS
- translates a domain name (the host part of a URI) into an IP address
- DNS zone file: the actual file containing all the DNS records for a particular domain
  - lives in the DNS server
  - contains a TTL indicating how long a DNS cache will remember the information
DNS Record Types: CONTAINED IN DNS ZONE FILE
- A Record: Translates domain to IP address
- PTR Record: Translates IP into domain
- CNAME Record: Alias record used to point one domain to another domain
- SOA record: Contains administrative details about a domain, such as: email address of the administrator, TTL value, when the domain was last updated
- MX Record: mail exchange: directs emails to a specific mail server; if there are multiple, they can be set with preferences
- TXT Record: created to include human-readable notes
- SPF record: Sender Policy Framework: determines if an email is from a trusted server
  - a type of TXT Record
  - indicates which mail servers are allowed to send emails on behalf of a domain; the receiving server checks it as follows (example: widget.com sends to gadgets.com):
    - Check the sending mail server's IP address: 12.54.54.23.
    - Validate widget.com's SPF record in DNS to confirm the sending mail server's IP address is either 23.43.54.235 or 23.43.54.236 (the valid mail server IPs).
    - Since the sender's IP is 12.54.54.23 (not 23.43.54.235 or 23.43.54.236), gadgets.com's mail server can identify the email as spam and potentially reject it or send it to the recipient's spam folder.
nslookup
Syntax: nslookup -type=[record type] [domain] (e.g. -type=NS to look up name server records)
To look up the MX record: nslookup -type=MX gadget.com
To look up the A record: nslookup -type=A gadget.com
To look up the SOA record: nslookup -type=SOA gadget.com
nslookup options
Option                  Description
-domain=[domain-name]   Change the default DNS name.
-debug                  Show debugging information.
-port=[port-number]     Specify the port for queries. The default port number is 53.
-timeout=[seconds]      Specify the time allowed for the server to respond.
-type=a                 View information about the DNS A address records.
-type=any               View all available records.
-type=hinfo             View hardware-related information about the host.
-type=mx                View Mail Exchange server information.
-type=ns                View Name Server records.
-type=ptr               View Pointer records. Used in reverse DNS lookups.
-type=soa               View Start of Authority records.
Email Headers
Some of the most important fields in this raw email are:
– Return-Path: Specifies the sender's return email.
– Delivered-To: Specifies the recipient's email.
– Received: Shows a list of mail servers, illustrating the path taken by the email from its source to its destination.
– Message-ID: A unique string created by the sending mail server as an identifier of the email.
– Received-SPF: The SPF verification field, which we will cover in more detail in the next activity.
Security Concerns for Emails
- SPAM: mitigate by using SPF records, matching against a list of known spam senders, and keyword identification
- Sending confidential emails across encrypted channels:
  – emails are typically routed across multiple mail servers
  – encryption tools: PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions)
- Email Spoofing
Detecting Email Spoofing:
(1) Check the From email header
(2) Check the Received-SPF email header
– Received-SPF uses the IP address from the Received field and determines whether it is the IP of an authorized sender, giving pass/fail
(3) Check the Received email header
– look up the source IP of the mail server that sent the email, for example with the ARIN Whois/RDAP tool.
Class Activities
Analyzing DNS Records:
MX Record:
splunk.com mail exchanger = 20 mx1.splunk.iphmx.com.
splunk.com mail exchanger = 20 mx2.splunk.iphmx.com.
Type A Record:
Non-authoritative answer:
Name: splunk.com
Address: 52.5.196.118
Name Server
Non-authoritative answer:
splunk.com nameserver = ha2.markmonitor.zone.
splunk.com nameserver = ha1.markmonitor.zone.
splunk.com nameserver = ha4.markmonitor.zone.
splunk.com nameserver = ha3.markmonitor.zone.
Bonus:
dig nmap.org txt | grep "spf"
gives us 3 servers authorized to send mail from:
nmap.org. 3600 IN TXT "v=spf1 a mx ptr ip4:45.33.49.119 ip6:2600:3c01::f03c:91ff:fe98:ff4e ip6:2600:3c01:e000:3e6::6d4e:7061 include:_spf.google.com ~all"
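As an added example (not from the class materials), the SPF check described under DNS Record Types, run offline against a copy of the nmap.org record above and a constructed record for the widget.com scenario in the notes. Only ip4/ip6 mechanisms are evaluated; treating a, mx, ptr and include as no-match is an assumption of this example, since they need live DNS lookups.

```python
import ipaddress

# Copy of the SPF TXT record from the dig nmap.org output above
NMAP_SPF = ("v=spf1 a mx ptr ip4:45.33.49.119 ip6:2600:3c01::f03c:91ff:fe98:ff4e "
            "ip6:2600:3c01:e000:3e6::6d4e:7061 include:_spf.google.com ~all")

# Constructed record for the widget.com example in the notes: only the two
# valid mail server IPs may send, everything else hard-fails
WIDGET_SPF = "v=spf1 ip4:23.43.54.235 ip4:23.43.54.236 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "ptr", "include", "exists"}  # need live DNS queries


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # no prefix means '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        terms.append((qualifier, mechanism.lower(), value))
    return terms


def check_spf(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip against the record.

    Assumption of this offline example: a/mx/ptr/include are skipped as
    no-match because evaluating them requires DNS lookups.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)  # bare IP -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":  # 'all' matches whatever was not matched above
            return QUALIFIERS[qualifier]
        # DNS_MECHANISMS and unknown modifiers fall through (skipped here)
    return "neutral"  # record ended without an 'all' term


# Walk the widget.com -> gadgets.com example from the notes
print(check_spf(WIDGET_SPF, "12.54.54.23"))   # the sender in the notes: fail
print(check_spf(NMAP_SPF, "203.0.113.9"))     # not listed: softfail (~all)
```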
Analyzing Email Headers Activity:
determine the following data points:
Email 1:
– Delivered-To: juliejones@acme.com
– Return-Path: jonathanthomas@microsoft.com
– IP address of source domain: 40.76.4.15, from the header:
Received-SPF: pass (google.com: domain of jonathanthomas@microsoft.com designates 40.76.4.15 as permitted sender) client-ip=40.76.4.15;
– Message-ID: 1689837351.2998569.1568044304435@mail.microsoft.com
Email 2: permitted by SPF but clearly spam
– Delivered-To: juliejones@acme.com
– Return-Path: xzvvvret34344@yahoo.com
– IP address of source domain: 74.6.130.41, from the header:
Received-SPF: pass (google.com: domain of xzvvvret34344@yahoo.com designates 74.6.130.41 as permitted sender) client-ip=74.6.130.41;
– Message-ID: 1689837351.2998569.1568044304435@mail.yahoo.com
Email 3:
– Delivered-To: juliejones@acme.com
– Return-Path: timmytom@widgets.com
– IP address of source domain: 34.86.130.4, from the header:
Received-SPF: fail (google.com: domain of timmytom@widgets.com does not designate 34.86.130.49 as permitted sender) client-ip=34.86.130.49 ;
– Message-ID: 1gytrdd9837351.987987abs9.1568044304435@mail.widgets.com
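As an added example (not part of the class activity), the three spoofing checks from the Detecting Email Spoofing section applied to constructed copies of the headers from the three emails above. Note that Email 2 produces no findings: an SPF pass only says the sending server is permitted for yahoo.com, not that the message is legitimate; the Message-ID check is a heuristic added here, not one of the notes' steps.

```python
import re

# Constructed copies of the headers from the three emails in the activity above
EMAILS = {
    "email1": {"Return-Path": "jonathanthomas@microsoft.com",
               "Message-ID": "1689837351.2998569.1568044304435@mail.microsoft.com",
               "Received-SPF": "pass (google.com: domain of jonathanthomas@microsoft.com "
                               "designates 40.76.4.15 as permitted sender) client-ip=40.76.4.15;"},
    "email2": {"Return-Path": "xzvvvret34344@yahoo.com",
               "Message-ID": "1689837351.2998569.1568044304435@mail.yahoo.com",
               "Received-SPF": "pass (google.com: domain of xzvvvret34344@yahoo.com "
                               "designates 74.6.130.41 as permitted sender) client-ip=74.6.130.41;"},
    "email3": {"Return-Path": "timmytom@widgets.com",
               "Message-ID": "1gytrdd9837351.987987abs9.1568044304435@mail.widgets.com",
               "Received-SPF": "fail (google.com: domain of timmytom@widgets.com does not "
                               "designate 34.86.130.49 as permitted sender) client-ip=34.86.130.49 ;"},
}

SPF_RE = re.compile(r"^(?P<result>\w+)\s*\((?P<reason>[^)]*)\)\s*client-ip=(?P<client_ip>[^\s;]+)")
SENDER_RE = re.compile(r"domain of (?P<sender>\S+) (?:designates|does not designate) (?P<ip>\S+)")


def parse_received_spf(value):
    """Pull the verdict, the checked envelope sender and the client IP out of Received-SPF."""
    m = SPF_RE.match(value.strip())
    s = SENDER_RE.search(m["reason"]) if m else None
    if not (m and s):
        return None
    return {"result": m["result"].lower(), "sender": s["sender"], "client_ip": m["client_ip"]}


def domain(addr):
    # Domain part of an address such as 'Name <user@example.com>'
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def triage(headers):
    """Apply the spoofing checks from the notes to one email; returns a list of findings."""
    findings = []
    spf = parse_received_spf(headers.get("Received-SPF", ""))
    if spf is None:
        return ["no parsable Received-SPF header"]
    envelope = domain(headers.get("Return-Path", ""))
    if spf["result"] != "pass":  # step (2): the sending IP is not authorized for that domain
        findings.append(f"SPF {spf['result']}: {spf['client_ip']} not permitted for {domain(spf['sender'])}")
    if "From" in headers and domain(headers["From"]) != envelope:  # step (1)
        findings.append("From domain differs from Return-Path domain")
    msgid = domain(headers.get("Message-ID", ""))  # minted by the sending server, normally under its domain
    if msgid and not (msgid == envelope or msgid.endswith("." + envelope)):
        findings.append("Message-ID domain does not match Return-Path domain")
    return findings
```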
Networking Review Activity
A. Answer the following questions on HTTP:
7. What is the port number range that this port is part of? 58424 or 62412 – these fall in 49,152 – 65,535, the dynamic and/or private ports.
- Under Ethernet II is a value of Destination: Technico_65:1a:36 (88:f7:c7:65:1a:36)
- What does this value represent? MAC address of the physical device where this is going
- Which OSI layer does this exist in? Data link (2)
- What networking devices use these values? Don't all devices?
Part Two: ARP
- What type of networking request does ARP first make? Broadcast
B. Use a filter to find the count of ARP responses, and answer the following questions:
arp.opcode values:
0 Reserved [RFC5494]
1 REQUEST [RFC826][RFC5227]
2 REPLY [RFC826][RFC5227]
Filters: arp.opcode == 1 for requests, arp.opcode == 2 for responses
What is the IP of the device that is responding?
Sender MAC address: IntelCor_10:ac:c0 (a0:a4:c5:10:ac:c0)
Sender IP address: 10.0.0.32 (10.0.0.32)
To what IP is the device responding?
Target MAC address: c66251b0-093d-7d9c-4f7c-c2fc9df7c3ca.local (e4:f0:42:3b:7a:de)
Target IP address: c66251b0-093d-7d9c-4f7c-c2fc9df7c3ca.local (10.0.0.10)
Write out in simple terms what has taken place, describing the request and response.
Host makes a broadcast to find the MAC address for the IP = request. Response = the information locating that MAC address.
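As an added example (not part of the class activities), the duplicate-IP check that Wireshark performs on ARP replies, run over constructed reply rows that reproduce the 192.168.47.254 conflict quoted in the follow-up questions. The capture alone cannot say which of the two MACs is legitimate, so the inventory argument (an assumption here, standing in for DHCP leases or the switch's MAC table) supplies the expected MAC.

```python
# Constructed ARP reply rows (frame number, sender MAC, sender IP) in the shape
# Wireshark shows for the filter arp.opcode == 2; the 192.168.47.254 rows mirror the
# "Duplicate IP address detected" expert message quoted in the follow-up questions
# (frame numbers other than 2013 are made up)
ARP_REPLIES = [
    (1204, "00:0c:29:1d:b3:b1", "192.168.47.254"),
    (1310, "a0:a4:c5:10:ac:c0", "10.0.0.32"),
    (1995, "00:0c:29:1d:b3:b1", "192.168.47.254"),
    (2013, "00:50:56:f9:f5:54", "192.168.47.254"),
    (2020, "00:50:56:f9:f5:54", "192.168.47.254"),
]


def arp_table(replies):
    """Map each claimed IP to {MAC: first frame in which that MAC claimed it}."""
    table = {}
    for frame, mac, ip in replies:
        table.setdefault(ip, {}).setdefault(mac.lower(), frame)
    return table


def duplicate_ips(replies):
    """IPs that more than one MAC has answered for (what Wireshark's expert info flags)."""
    return {ip: macs for ip, macs in arp_table(replies).items() if len(macs) > 1}


def alerts(replies, inventory=None):
    """One line per conflicting MAC. inventory maps IP -> expected MAC (assumed to come
    from DHCP leases or the switch MAC table); without it every MAC is just 'unknown'."""
    inventory = {ip: mac.lower() for ip, mac in (inventory or {}).items()}
    lines = []
    for ip, macs in duplicate_ips(replies).items():
        expected = inventory.get(ip)
        for mac, frame in macs.items():
            if expected is None:
                status = "unknown"
            else:
                status = "expected" if mac == expected else "UNEXPECTED"
            lines.append(f"{ip} claimed by {mac} (first seen frame {frame}) - {status}")
    return lines


if __name__ == "__main__":
    for line in alerts(ARP_REPLIES, {"192.168.47.254": "00:0c:29:1d:b3:b1"}):
        print(line)
```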
DHCP
B. Use a filter to view the DHCP Discover, and answer the following questions on that packet:
1. What is the original source IP? 0.0.0.0 ????
Why does it have that value? Unknown IP – usually to indicate that the local IP address is not assigned.
What is the original destination IP? Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
What does that value signify? broadcast
C. Use a filter to view the DHCP ACK, and answer the following questions on that packet. dhcp.option.dhcp == 5
1. Explain in simple terms what is happening in this packet.
- DHCP Ack: the server that received the DHCP Request message from the client checks whether the IP address shown in the DHCP Server Identifier matches its own, then broadcasts a DHCP Ack message to ensure the client can receive it
- transfers network config data to the client, including:
  - IP address
  - Subnet mask
  - Default gateway IP address
  - DNS server IP address
  - Lease time (during which a client can use the IP address allocated/leased by a DHCP server)
Define the term "DHCP lease."
Amount of time in minutes or seconds a network device can use an IP address in a network. The IP is reserved for that device until expiration.
What is the DHCP lease time provided in this packet? IP Address Lease Time: (604800s) 7 days
What are the steps in a TCP connection? SYN, SYN-ACK, ACK
What are the steps in a TCP termination? FIN, ACK, FIN, ACK
What steps appear in the packets displayed? the handshake steps
What type of activity/protocol is TCP establishing a connection for? in this case http
– TCP is generally used to provide a reliable stream delivery service, i.e. delivering data as a stream of bytes and receiving data as a stream of bytes.
What is the website name being accessed after the TCP connection? Host: sportingnews.com\r\n
Topologies
What are the Topologies for A, B, C? Tree, Hybrid of Bus and Tree, Disconnected ring?
What are the advantages and disadvantages for each?
- Network Devices
In the network devices illustration, what are numbers one through four? Internet, Firewall, router, Switch
What does the dashed line represent in number five? firewall security?
What is a load balancer? distributes traffic across multiple servers to improve application availability and responsiveness and prevent server overload
4. Where would you place a load balancer? Between access and servers? Internet || servers or switch || servers?
- Network Routing
- Which routing protocols use distance as criteria? Distance Vector Routing Protocols:
- RIP (Routing Information protocol)
- EIGRP (Enhanced Interior Gateway Routing Protocol)
- Which routing protocols use speed as criteria?
Link-State Routing Protocols
- OSPF: Open Shortest Path First
Part Six: Network Addressing:
Define binary. base-2 number system (0s and 1s) used to write machine code
What are IP addresses used for? network interface identification and location addressing
What are the two primary versions of IP addresses? IPv4 and IPv6
How many octets are in an IPv4 address?
IPv4 – 32 bits – 4 octets
IPv6 – 128 bits – 16 octets
What is the difference between private and public IP addresses? private is within a network or subnet, public is on the internet and unique.
8. What is CIDR? "Classless Inter-Domain Routing"
- allocating IP addresses and IP routing
9. What is the range of IP addresses in 192.18.65.0/24?
Network Attacks Review Activity
- ARP spoof attack – redirects traffic
- DHCP starvation attack – floods with DHCP requests so the server runs out of IPs; a type of denial of service
- TCP packets show port scanning
- Wireless Attacks:
- What are the different security types available for wireless communications? List them in order from least to most secure. WEP – WPA – WPA2
- What is 802.11? WiFi standard (protocol)
- What is an SSID? a more recognizable format of how a networking hardware device identifies itself as broadcasting a wireless signal beacon
- What is the name of the signal a WAP sends out identifying its SSID? beacon
- If a user has WEP-encrypted wireless, what is a potential negative outcome? it's old and easily hackable with aircrack-ng