Understanding the OSI and TCP/IP Models from a Hacker's Perspective

When diving into the world of cybersecurity, one of the fundamental concepts that every hacker, penetration tester, and security professional must understand is networking, specifically the OSI and TCP/IP models. These models are the backbone of how devices communicate over networks, and they offer hackers a framework to understand how data is transmitted, manipulated, and exploited.

From a hacker's perspective, knowing these models inside out can provide a roadmap for finding vulnerabilities, crafting exploits, and understanding the intricate ways in which data flows across the internet and internal networks. Let’s explore both models through the lens of a hacker and see how each layer presents unique opportunities and challenges.


The OSI Model: A Layer-by-Layer Hacker’s Guide

The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a telecommunication or computing system into seven distinct layers. Each layer serves a specific purpose and communicates with the layers directly above and below it. Here's how hackers view these layers:

1. Physical Layer (Layer 1)

This layer is all about the physical medium and the transmission of raw bits over it: cables and connectors, radio, hubs and repeaters, and the signalling that puts ones and zeros on the wire.

From a hacker’s perspective:
Physical access can mean direct access to a network. A hacker might try to intercept communications by tapping into a network cable or installing a rogue device, such as a Raspberry Pi, to sniff traffic or launch a man-in-the-middle attack. Social engineering tactics could be used to gain physical access to devices connected to the network.

2. Data Link Layer (Layer 2)

This layer frames data for transmission over the physical medium, handles hardware (MAC) addressing within a single network segment, and performs error detection (and, on some link types, correction).

From a hacker’s perspective:
At Layer 2, hackers focus on exploiting network protocols like ARP (Address Resolution Protocol). Attacks such as ARP poisoning or spoofing are common, where the attacker tricks devices into sending data to the hacker's machine instead of the intended destination. Manipulating MAC addresses and conducting VLAN hopping are other tactics used at this layer.

3. Network Layer (Layer 3)

Responsible for packet forwarding, routing, and logical addressing.

From a hacker’s perspective:
The network layer is where IP addresses come into play. Hackers exploit weaknesses in routing protocols (OSPF inside a network, BGP between networks) or craft IP packets to bypass firewalls and intrusion detection systems. Techniques used here include IP spoofing (the IP header carries no proof of who sent it), ICMP abuse (floods, or the classic oversized-packet Ping of Death), fragmentation tricks that split an attack signature across several packets, and exploitation of misconfigured routers and firewalls. Attacks targeting this layer can disrupt or redirect traffic flows within or between networks.

4. Transport Layer (Layer 4)

This layer is responsible for end-to-end communication and error recovery, with protocols like TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

From a hacker’s perspective:
Layer 4 is a goldmine for attacks that abuse the transport protocols themselves. SYN flooding (a type of DoS attack) exhausts a listener's backlog of half-open connections so legitimate clients cannot connect, while TCP session hijacking, which requires observing or guessing sequence numbers, lets a hacker inject into or take over an ongoing connection. UDP is connectionless and unauthenticated, which enables reflection and amplification attacks: small queries with a spoofed source address elicit large responses that are delivered to the victim instead of the sender.

5. Session Layer (Layer 5)

Manages sessions or connections between networked applications.

From a hacker’s perspective:
The session layer provides avenues for hijacking active sessions. Tools like Wireshark can capture session information, which can be replayed to gain unauthorized access. Hackers may also look for session management flaws in web applications (often crossing over with application-layer attacks) where session IDs are predictable or poorly protected.

6. Presentation Layer (Layer 6)

Responsible for data translation, encryption, and compression.

From a hacker’s perspective:
At this layer, encryption is the main concern. A hacker may attempt to downgrade a connection (forcing a client and server to negotiate a weaker protocol version or cipher suite) or exploit weaknesses in the cryptographic algorithms themselves. Man-in-the-middle attacks that remove TLS entirely, such as SSL stripping (where the attacker keeps the victim on plain HTTP while speaking HTTPS to the real server), are usually discussed here too, although TLS does not map neatly onto a single OSI layer: it sits between the transport and application layers.
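Downgrade resistance is mostly a client-side configuration decision. The following is an added example (not code from the original post) showing, with Python's standard ssl module, the weak client configuration that makes a certificate-swapping MITM trivial beside a hardened one that refuses anything below TLS 1.2 and insists on a validated certificate and hostname. The function names are mine.

```python
import ssl


def weak_client_context():
    """The misconfiguration that makes a certificate-swapping MITM trivial:
    no certificate chain validation and no hostname check, so the attacker's
    certificate is accepted just like the real server's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, including an attacker's
    return ctx


def hardened_client_context():
    """Refuse protocol downgrade below TLS 1.2, require a validated chain from the
    system trust store, and require the certificate to match the hostname."""
    ctx = ssl.create_default_context()  # loads system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression enables CRIME-style attacks
    return ctx


def is_downgrade_safe(ctx):
    """True when the context can neither be talked into pre-1.2 TLS nor into
    trusting an unverified peer."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


if __name__ == "__main__":
    print("weak context safe?     ", is_downgrade_safe(weak_client_context()))
    print("hardened context safe? ", is_downgrade_safe(hardened_client_context()))
```

Note the limit of this control: a hardened TLS client only helps once TLS is in use. SSL stripping works by making sure the browser never starts TLS at all, which is why the defence against stripping is HTTP Strict Transport Security (and preloaded HSTS lists) rather than any cipher or version setting.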

7. Application Layer (Layer 7)

The topmost layer, where end-user applications operate, such as web browsers, email clients, and database applications.

From a hacker’s perspective:
This is the layer where most vulnerabilities are found. Hackers exploit vulnerabilities in software applications (e.g., SQL injection, Cross-Site Scripting (XSS), and Remote Code Execution (RCE)) to gain unauthorized access, exfiltrate data, or compromise systems. This layer is the entry point for many attacks and can offer direct access to valuable data.

The TCP/IP Model: A Streamlined Hacker’s View

While the OSI model offers a comprehensive understanding of network communication, the TCP/IP model simplifies it into four layers: Link, Internet, Transport, and Application. This model more accurately reflects the real-world protocols and communication processes used on the internet today.

1. Link Layer

Equivalent to the OSI's Physical and Data Link layers, this layer encompasses the protocols that operate at the network hardware level (Ethernet, Wi-Fi, ARP).

From a hacker’s perspective:
At this layer, similar attacks apply: sniffing, MAC flooding, and ARP spoofing. Wireless networks offer even more avenues for attack, including exploiting weaknesses in Wi-Fi encryption protocols (WEP, WPA2) or launching de-authentication attacks.
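ARP poisoning, mentioned for OSI Layer 2 above and again for this Link layer, works because ARP has no authentication: any host on the segment can announce any IP-to-MAC mapping. The following is an added example (not code from the original post) that builds raw Ethernet+ARP frames with the standard struct module and runs an arpwatch-style detector over them. The frames, MAC addresses and IP addresses are constructed for the example, not captured traffic.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet II + ARP frame. Nothing in it proves the sender
    really owns sender_ip, which is the whole basis of ARP spoofing."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,             # Ethernet, IPv4, MAC len, IP len, opcode
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if the frame is not ARP."""
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"op": op, "sender_mac": mac_text(sha), "sender_ip": ip_text(spa),
            "target_mac": mac_text(tha), "target_ip": ip_text(tpa)}


def detect_arp_spoof(frames):
    """Remember the first MAC seen claiming each sender IP (from requests and
    replies alike) and alert when a later frame claims that IP from another MAC.
    Returns a list of (ip, previously_seen_mac, new_mac) tuples."""
    claimed = {}
    alerts = []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None:
            continue
        known = claimed.setdefault(pkt["sender_ip"], pkt["sender_mac"])
        if known != pkt["sender_mac"]:
            alerts.append((pkt["sender_ip"], known, pkt["sender_mac"]))
    return alerts


# Constructed sample traffic: the victim resolves the gateway, the real gateway
# answers, then an attacker on the same segment sends unsolicited replies
# claiming the gateway's IP to the victim and the victim's IP to the gateway.
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.10", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),   # poison victim
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.10", GATEWAY_MAC, "192.168.1.1"),  # poison gateway
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_spoof(SAMPLE_FRAMES):
        print(f"ALERT: {ip} was {old}, now claimed by {new}")
```

Two caveats a defender should keep in mind: the first claim wins, so a detector started after the poisoning began will baseline the attacker's MAC (real tools persist their IP-to-MAC database across restarts for this reason), and legitimate changes such as DHCP reassignments or NIC replacements will also trigger an alert.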

2. Internet Layer

This layer corresponds to the OSI’s Network layer and deals with the addressing, packaging, and routing of data.

From a hacker’s perspective:
Here, attackers manipulate IP packets to evade detection (fragmentation, TTL games, unusual header options) or to redirect traffic, and target ICMP and the IPv4/IPv6 stacks themselves. DNS is strictly an application-layer protocol, but because it decides which IP address a host will talk to, DNS attacks (cache poisoning, tunneling data out through DNS queries) are often treated alongside internet-layer attacks in practice.
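The reason IP spoofing (OSI Layer 3 above, Internet layer here) is trivial is visible in the header itself: its only integrity check is a checksum that anyone can recompute. The following is an added example (not code from the original post) that builds and parses a 20-byte IPv4 header with the standard struct and socket modules, verifies the checksum, and rewrites the source address the way a NAT box or an on-path attacker would. The addresses are from the RFC 5737 documentation ranges and are constructed for the example.

```python
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def internet_checksum(data):
    """RFC 1071 one's-complement checksum (pads an odd trailing byte).
    Over a valid header, including its checksum field, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_UDP, ttl=64, ident=0x1234):
    """Build a minimal IPv4 header with any source address at all: the header
    carries no proof that the sender owns src."""
    total_len = IPV4_HDR.size + payload_len
    hdr = IPV4_HDR.pack((4 << 4) | 5, 0, total_len, ident, 0, ttl, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(raw):
    """Decode the fixed header and verify the checksum. A good checksum means
    the header was not corrupted in transit, not that it is authentic."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(raw, 0)
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes (20 without options)
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": internet_checksum(raw[:ihl]) == 0,
    }


def rewrite_src(raw, new_src):
    """What a NAT device does legitimately and an on-path attacker does
    maliciously: swap the source address and recompute the checksum.
    The receiver has no way to tell the rewritten header from the original."""
    ihl = (raw[0] & 0x0F) * 4
    hdr = bytearray(raw[:ihl])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + raw[ihl:]


if __name__ == "__main__":
    spoofed = build_ipv4_header("203.0.113.7", "192.0.2.10", payload_len=8)   # constructed addresses
    print(parse_ipv4_header(spoofed))
    print(parse_ipv4_header(rewrite_src(spoofed, "198.51.100.1"))["src"])
```

This is also why the UDP reflection attacks mentioned under Layer 4 work: a request whose source address has been set to the victim's is indistinguishable, to the reflector, from a genuine request. The practical countermeasure is not in the header at all but at the network edge, where ingress filtering (BCP 38) drops packets whose source address could not legitimately have come from that interface.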

3. Transport Layer

Similar to the OSI’s Transport layer, responsible for host-to-host communication.

From a hacker’s perspective:
Many familiar attacks occur here: SYN floods, TCP reset attacks, and port scanning to identify open ports for further exploitation. The Transport layer also presents opportunities for hijacking and manipulating sessions.
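Port scanning, mentioned here and implied by the Layer 4 discussion above, is at its simplest a series of TCP connection attempts interpreted by outcome. The following is an added example (not code from the original post) of a parallel TCP connect scanner written with only the standard library. Because there is no real target, it also starts a loopback listener of its own to scan; the function names are mine.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_tcp(host, port, timeout=0.5):
    """Connect scan of a single port. A completed three-way handshake means open;
    connect_ex returns ECONNREFUSED when a RST comes back (closed) and the
    attempt times out when a firewall silently drops the SYN (filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe the given ports in parallel and return the sorted list of open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_tcp(host, p, timeout)), ports))
    return sorted(port for port, is_open in results if is_open)


def start_listener(host="127.0.0.1"):
    """Stand-in target for the example: an accept-and-close TCP listener on an
    ephemeral loopback port. Returns (server_socket, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((host, 0))
    server.listen(16)

    def serve():
        while True:
            try:
                conn, _addr = server.accept()
            except OSError:            # raised once the listener is shut down
                return
            conn.close()               # the scanner still completed a full handshake

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def stop_listener(server):
    try:
        server.shutdown(socket.SHUT_RDWR)   # wakes the thread blocked in accept()
    except OSError:
        pass
    server.close()


def pick_closed_port(host="127.0.0.1"):
    """Find a loopback port with no listener: bind an ephemeral port, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    server, open_port = start_listener()
    closed_port = pick_closed_port()
    try:
        print("open ports:", scan_ports("127.0.0.1", [open_port, closed_port]))
    finally:
        stop_listener(server)
```

A connect scan finishes the handshake, so every probe shows up in the target application's logs and connection tables; that is the trade-off against a SYN (half-open) scan, which needs raw sockets and root but never completes the connection. Slow, randomised probing rather than a 32-thread burst is what keeps either kind below a detection threshold on a real engagement.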

4. Application Layer

Combines the functions of the OSI’s Session, Presentation, and Application layers.

From a hacker’s perspective:
This is the most commonly targeted layer, where hackers exploit application vulnerabilities to gain unauthorized access, steal data, or disrupt services. From injecting malicious SQL queries to exploiting buffer overflow vulnerabilities in software applications, this layer provides countless opportunities for exploitation.


Understanding Subnetting and the Mathematics Behind It

Subnetting is a technique used to divide a single IP network into multiple smaller networks, or subnets. This practice is essential in optimizing network performance, enhancing security, and efficiently managing IP address allocation within an organization. From a hacker’s perspective, understanding subnetting is crucial for performing network reconnaissance and navigating through a target's network.

Let’s break down the concept of subnetting, the math behind it, and the steps to perform subnetting.

What is Subnetting?

In the context of IPv4, an IP address is a 32-bit number, typically written in dotted-decimal notation (e.g., 192.168.1.1). An IP address consists of two parts:

  1. Network Portion: Identifies the specific network.
  2. Host Portion: Identifies a specific device (host) within that network.

Subnetting allows you to take a single network and divide it into multiple smaller networks, effectively splitting the original network into several subnets. This division is done by borrowing bits from the host portion of the IP address to create a new subnet mask.

The Subnet Mask

A subnet mask is a 32-bit number that determines which portion of the IP address represents the network and which represents the host. For example, the default subnet mask for a Class C network is 255.255.255.0, or /24 in CIDR (Classless Inter-Domain Routing) notation. This means that the first 24 bits of the IP address represent the network portion, and the remaining 8 bits represent the host portion.

Why Subnet?

Subnetting is used for several reasons:

  • Efficient IP Management: Helps in efficient utilization of IP addresses.
  • Improved Network Performance: Reduces network congestion by segmenting broadcast domains.
  • Enhanced Security: Isolates segments of the network. Layer 2 attacks such as ARP spoofing cannot cross a subnet boundary, and traffic between subnets must pass through a router, where it can be filtered.

How Subnetting Works

To understand how subnetting works, we need to explore how bits are borrowed from the host portion to create subnets.

Step 1: Determine the Network Requirements

Consider a network with an IP range 192.168.1.0/24. This network has:

  • Default subnet mask: 255.255.255.0 (or /24), meaning 24 bits are reserved for the network portion.
  • Hosts: With 8 bits for the host portion, there are 2^8 - 2 = 254 usable IP addresses (the -2 accounts for the network address and the broadcast address).

Suppose we want to create 4 subnets. To calculate how many bits to borrow from the host portion, follow these steps:

Step 2: Calculate the Number of Subnets Needed

We need 4 subnets. To determine how many bits to borrow, use the formula:

Number of subnets = 2^n

where n is the number of bits borrowed. To create 4 subnets:

2^n = 4 ⟹ n = 2

So, we need to borrow 2 bits from the host portion.

Step 3: Calculate the New Subnet Mask

Borrowing 2 bits from the host portion means the subnet mask will increase by 2 bits. The original subnet mask was /24. Now, it becomes /26:

/26 = 255.255.255.192

Step 4: Determine the Number of Hosts per Subnet

After borrowing 2 bits for subnetting, 6 bits remain for the host portion:

Number of hosts per subnet = 2^6 - 2 = 62

Each subnet will now support 62 usable IP addresses.

Step 5: Identify the Subnet Ranges

With a /26 subnet mask, the new subnets will have the following IP ranges:

  1. First Subnet:
    Network Address: 192.168.1.0
    Subnet Mask: 255.255.255.192
    Range: 192.168.1.1 - 192.168.1.62
    Broadcast Address: 192.168.1.63
  2. Second Subnet:
    Network Address: 192.168.1.64
    Subnet Mask: 255.255.255.192
    Range: 192.168.1.65 - 192.168.1.126
    Broadcast Address: 192.168.1.127
  3. Third Subnet:
    Network Address: 192.168.1.128
    Subnet Mask: 255.255.255.192
    Range: 192.168.1.129 - 192.168.1.190
    Broadcast Address: 192.168.1.191
  4. Fourth Subnet:
    Network Address: 192.168.1.192
    Subnet Mask: 255.255.255.192
    Range: 192.168.1.193 - 192.168.1.254
    Broadcast Address: 192.168.1.255

Subnetting Example: How the Math Works

Let's go through a practical example to illustrate how subnetting math works.

Example Scenario

Given an IP address 192.168.10.0/24, we need to create 8 subnets.

  1. Determine the number of bits to borrow: 2^n = 8 ⟹ n = 3, so we need to borrow 3 bits.
  2. Calculate the new subnet mask: the original /24 becomes /27, which is 255.255.255.224.
  3. Calculate the number of hosts per subnet: after borrowing 3 bits, 5 bits remain for the host portion, so Number of hosts per subnet = 2^5 - 2 = 30. Each subnet will have 30 usable IP addresses.
  4. Identify the subnet ranges: with a /27 subnet mask, each subnet will have an increment of 32 in the fourth octet (since 256 - 224 = 32):
  • Subnet 1: 192.168.10.0 - 192.168.10.31 (Network: 192.168.10.0, Broadcast: 192.168.10.31)
  • Subnet 2: 192.168.10.32 - 192.168.10.63 (Network: 192.168.10.32, Broadcast: 192.168.10.63)
  • Subnet 3: 192.168.10.64 - 192.168.10.95 (Network: 192.168.10.64, Broadcast: 192.168.10.95)
  • Subnet 4: 192.168.10.96 - 192.168.10.127 (Network: 192.168.10.96, Broadcast: 192.168.10.127)
  • Subnet 5: 192.168.10.128 - 192.168.10.159 (Network: 192.168.10.128, Broadcast: 192.168.10.159)
  • Subnet 6: 192.168.10.160 - 192.168.10.191 (Network: 192.168.10.160, Broadcast: 192.168.10.191)
  • Subnet 7: 192.168.10.192 - 192.168.10.223 (Network: 192.168.10.192, Broadcast: 192.168.10.223)
  • Subnet 8: 192.168.10.224 - 192.168.10.255 (Network: 192.168.10.224, Broadcast: 192.168.10.255)
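Both worked examples above (192.168.1.0/24 into 4 subnets, 192.168.10.0/24 into 8) are instances of one calculation. The following is an added example (not code from the original post) that performs that calculation for any network and subnet count with Python's standard ipaddress module, and goes slightly beyond the text by handling counts that are not powers of two (five subnets still need three borrowed bits) and by answering the reconnaissance question the page raises: whether two hosts share a broadcast domain. The function names are mine.

```python
import ipaddress


def bits_to_borrow(subnets_needed):
    """Smallest n with 2**n >= subnets_needed, without floating-point log2."""
    return (subnets_needed - 1).bit_length()


def plan_subnets(network, subnets_needed):
    """Split `network` into at least `subnets_needed` equal subnets and return the
    new prefix, mask, block size, usable host count and each subnet's
    (network, first usable, last usable, broadcast) addresses."""
    net = ipaddress.ip_network(network, strict=True)   # strict: reject host bits set, e.g. 192.168.1.5/24
    new_prefix = net.prefixlen + bits_to_borrow(subnets_needed)
    if new_prefix > net.max_prefixlen - 2:
        raise ValueError("too few host bits left for network, broadcast and at least two hosts")
    host_bits = net.max_prefixlen - new_prefix
    subnets = list(net.subnets(new_prefix=new_prefix))
    return {
        "prefix": new_prefix,
        "mask": str(subnets[0].netmask),
        "block_size": 2 ** host_bits,          # increment between consecutive subnets
        "usable_hosts": 2 ** host_bits - 2,    # minus network and broadcast addresses
        "subnets": [(str(s.network_address), str(s[1]), str(s[-2]), str(s.broadcast_address))
                    for s in subnets],
    }


def same_broadcast_domain(addr_a, addr_b, prefix):
    """Recon helper: under a /prefix mask, are two hosts in the same subnet?
    If yes, Layer 2 attacks (ARP spoofing, sniffing) reach between them directly;
    if no, their traffic crosses a router where it can be filtered or logged."""
    net_a = ipaddress.ip_network(f"{addr_a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{prefix}", strict=False)
    return net_a == net_b


def describe(plan):
    """Render a plan in the same layout as the tables above."""
    lines = [f"/{plan['prefix']} ({plan['mask']}): {plan['usable_hosts']} usable hosts per subnet"]
    for i, (network, first, last, bcast) in enumerate(plan["subnets"], 1):
        lines.append(f"  {i}. network {network:<16} range {first} - {last:<16} broadcast {bcast}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(plan_subnets("192.168.1.0/24", 4)))
    print(describe(plan_subnets("192.168.10.0/24", 8)))
    print(same_broadcast_domain("192.168.10.130", "192.168.10.140", 27))   # same /27 block
    print(same_broadcast_domain("192.168.10.130", "192.168.10.160", 27))   # different block
```

The ValueError branch is the edge case the formula hides: subnetting a /30 any further leaves no room for the network and broadcast addresses, so the "2^h - 2" rule stops applying (point-to-point /31 links exist, but as a special case, RFC 3021).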

Table of Common Ports to Focus on During Penetration Testing

When performing penetration testing, understanding which ports are most commonly targeted by attackers is crucial. Hackers often focus on specific ports that are known to be associated with vulnerable services or are commonly misconfigured. Here is a table of ports that penetration testers should pay close attention to during their assessments:

Port | Protocol | Service/Use | Common vulnerabilities / reasons to focus
21 | TCP | FTP (File Transfer Protocol) | Cleartext credentials and data, anonymous login, buffer overflows in old server software, weak authentication.
22 | TCP | SSH (Secure Shell) | Weak passwords, outdated SSH versions, misconfigurations (e.g., root login permitted, password auth instead of keys), no MFA.
23 | TCP | Telnet | Cleartext transmission, weak or default credentials, trivially intercepted by an on-path (MITM) attacker.
25 | TCP | SMTP (Simple Mail Transfer Protocol) | Open relay configuration, email spoofing, missing STARTTLS, vulnerabilities in MTA software (e.g., Exim).
53 | TCP/UDP | DNS (Domain Name System) | Cache poisoning, amplification attacks, unrestricted zone transfers (AXFR), misconfigurations.
80 | TCP | HTTP (Hypertext Transfer Protocol) | Web application vulnerabilities (e.g., XSS, SQLi), outdated or vulnerable web server software, misconfigurations, information leakage.
110 | TCP | POP3 (Post Office Protocol v3) | Cleartext transmission, weak passwords, misconfigurations.
111 | TCP/UDP | RPC portmapper (rpcbind) | Enumeration of registered RPC services (e.g., NFS mounts), historical RPC service exploits.
135 | TCP | Microsoft RPC Endpoint Mapper | RPC interface enumeration, DCOM/WMI-based remote execution and lateral movement, a target for NTLM relay.
139 | TCP | NetBIOS Session Service | SMB over NetBIOS: null-session enumeration and legacy SMB attacks (the companion NBT-NS name service on 137/UDP is what name-poisoning attacks target).
143 | TCP | IMAP (Internet Message Access Protocol) | Weak or cleartext authentication, mail server vulnerabilities, misconfigurations.
161/162 | UDP | SNMP (Simple Network Management Protocol) | Default community strings (public/private), cleartext v1/v2c, enumeration of device configuration and topology.
389 | TCP/UDP | LDAP (Lightweight Directory Access Protocol) | Cleartext transmission, anonymous or weak binds, LDAP injection in applications that query it, disclosure of directory contents.
443 | TCP | HTTPS (HTTP Secure) | The same web application vulnerabilities as port 80, plus weak TLS configurations and outdated protocol versions.
445 | TCP | Microsoft-DS (SMB over TCP) | Critical for SMB-based exploits such as EternalBlue; remote code execution, lateral movement with stolen credentials, SMB relay attacks.
465 | TCP | SMTPS (SMTP over implicit TLS) | Misconfigurations, outdated TLS versions, weak authentication.
514 | UDP | Syslog | Cleartext logging, log injection or tampering, exposure of sensitive information in logs.
587 | TCP | SMTP (Submission) | Misconfigurations, open relay, weak or cleartext authentication.
631 | TCP/UDP | IPP (Internet Printing Protocol, e.g., CUPS) | Unauthenticated admin interfaces, misconfigurations, remote code execution flaws in print services.
873 | TCP | Rsync | Modules exported without authentication, no encryption, remote file enumeration and retrieval.
993 | TCP | IMAPS (IMAP Secure) | Misconfigurations, outdated TLS versions, mail server vulnerabilities.
995 | TCP | POP3S (POP3 Secure) | Weak TLS configuration, misconfigurations, no MFA.
1025-1030 | TCP/UDP | Dynamic RPC endpoints (older Windows) | Expose the RPC interfaces registered through the endpoint mapper on 135; legacy RPC exploits.
1080 | TCP | SOCKS Proxy | Misconfigurations, open-proxy abuse, tunneling into internal networks.
1433/1434 | TCP/UDP | Microsoft SQL Server (1433) and SQL Server Browser (1434) | Weak or default credentials, command execution through stored procedures after login, instance enumeration, data disclosure.
1521 | TCP | Oracle Database (TNS listener) | Weak or default credentials, listener misconfigurations.
2049 | TCP/UDP | NFS (Network File System) | World-exported shares, no_root_squash misconfigurations, sensitive data leakage.
2121 | TCP | FTP (alternative port) | Same vulnerabilities as port 21; sometimes used to dodge monitoring aimed at the standard port.
2375/2376 | TCP | Docker Remote API | An unauthenticated API on 2375 is root-equivalent code execution on the host; 2376 should require TLS client certificates.
3306 | TCP | MySQL | Weak passwords, outdated versions, misconfigurations, SQL injection in applications that use it.
3389 | TCP | RDP (Remote Desktop Protocol) | Brute-force attacks, no MFA or NLA, MITM against weak TLS, direct exposure to the internet.
5000 | TCP | UPnP (legacy Windows); also common for development web servers and management UIs | Unauthenticated management interfaces, UPnP port-mapping abuse, remote code execution in exposed apps.
5432 | TCP | PostgreSQL | Weak passwords, trust authentication misconfigurations, sensitive data disclosure.
5900-5901 | TCP | VNC (Virtual Network Computing) | Weak or no authentication, no encryption, full remote desktop control.
5985/5986 | TCP | WinRM (Windows Remote Management) | Remote code execution and lateral movement with valid credentials, relay attacks; commonly targeted in Active Directory environments.
6000-6005 | TCP | X11 (X Window System) | Open X servers (e.g., xhost +) allow screen capture, keystroke injection and session hijacking.
8080/8081 | TCP | HTTP (alternative ports) | Same vulnerabilities as port 80; often proxies, admin consoles or app servers.
8443 | TCP | HTTPS (alternative port) | Same vulnerabilities as port 443; often admin consoles with self-signed certificates or weak TLS.
9001 | TCP | Tor ORPort | Misconfigurations and traffic analysis opportunities in anonymization networks.
9200 | TCP | Elasticsearch | Unauthenticated REST API by default in older versions: data exposure, historical remote code execution via scripting.
27017/27018 | TCP | MongoDB | Default installations with no authentication, databases exposed to the internet.
50000 | TCP | SAP NetWeaver Java application server (HTTP, 5NN00 scheme) | Exposed admin interfaces, misconfigurations, known application flaws.
50070 | TCP | Hadoop NameNode web UI (Hadoop 2.x) | Unauthenticated access, cluster and file system information disclosure.

Key Takeaways for Penetration Testers:

  • Default Credentials and Misconfigurations: Many services may still use default credentials or may be misconfigured, making them vulnerable to unauthorized access or remote exploitation.
  • Cleartext Protocols: Ports that transmit data in cleartext (e.g., FTP, Telnet) are susceptible to eavesdropping and credential theft.
  • Outdated Software: Services running on these ports may use outdated software versions with known vulnerabilities.
  • Common Exploits: Certain ports are associated with well-known exploits (e.g., SMB on port 445 with EternalBlue), which are frequently targeted by attackers.

By focusing on these ports during penetration testing, security professionals can identify potential vulnerabilities, misconfigurations, and weaknesses in the network, providing a roadmap for improving an organization's overall security posture.

Conclusion

Subnetting is a powerful tool for optimizing network performance and managing IP addresses effectively. By understanding how to manipulate IP addresses and subnet masks, network administrators and hackers alike can gain deep insights into network topology, improve network segmentation, and even identify vulnerabilities.

Understanding the math behind subnetting—calculating the number of subnets, subnet masks, and host addresses—is essential for anyone working with networks, whether for defending against attacks or performing ethical hacking assessments.

For hackers, understanding the OSI and TCP/IP models is akin to having a blueprint of the digital world's architecture. Each layer presents its unique set of challenges and opportunities, whether it’s exploiting misconfigurations, manipulating traffic, or targeting vulnerabilities in applications. A deep understanding of these models allows hackers to navigate complex networks, find hidden vulnerabilities, and carry out sophisticated attacks, emphasizing the need for robust security practices at every layer of the stack.

In the ever-evolving landscape of cybersecurity, defenders must think like attackers—examining each layer for potential weak points and building defenses that can withstand the diverse tactics employed by malicious actors.

By Hacker Noob Tips