Let’s start with a concept in networking that pretty much everything else depends on: addressing. Specifically, to start, how your computer gets its addresses, and what those addresses mean.
There are 2 addresses we will focus on today, IP addresses and MAC addresses. MAC stands for Media Access Control; it can be equated to the house number of your computer. There are 2 parts to a MAC address: the manufacturer’s part, and a part that is unique to your individual network card. Take this example, 9c:b6:d0:90:93:d2: the first half (9c:b6:d0) is the manufacturer identifier, and it tells you that this is likely a Killer wifi card; the last half (90:93:d2) is unique to the specific wifi card this came from. We’ll go farther into this when we talk about how the addresses work together.
IP stands for Internet Protocol, and is mainly used to get traffic to the right area. Every device on a network needs an IP address. Devices get this IP address 1 of 2 ways: either it is manually assigned, as a static IP address that will not change, or it is dynamically assigned with DHCP. DHCP stands for Dynamic Host Configuration Protocol, and is a great tool that does quite a bit. For a host to be fully configured and ready to talk it needs a few things:
- a MAC address (hard-coded, or spoofed already)
- an IP address
- a subnet mask
- a Default Gateway
- DNS server addresses
If you statically assign the IP you will need to manually include everything else that needs to be assigned, like the subnet mask, gateway, and DNS servers. DHCP can assign all of these for you.
Nice, but what does this all mean and why do I need 2 addresses, plus all this other garbage?
Glad you asked. To start, let’s go through each item listed above and give a brief description of what it does.
- the MAC: this is a 100% unique address tied to a specific network card; we’ll go over how it’s used later in this post.
- the IP address: this is used in conjunction with the MAC to get your computer’s traffic to it; we’ll go over how that works later in this post.
- the subnet mask: this determines how much of the IP is the network identifier and how much is the host identifier; that’s a topic for a later post.
- the default gateway: this tells your computer, if you don’t know exactly where to send this data, send it here.
- DNS: this resolves domain names to IP addresses; also a topic for a later post, and super useful.
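To make the two halves of a MAC and the network/host split of an IP concrete, here is a small added example (written for this post, not code from the original). The OUI table is a constructed stand-in, seeded only with the post’s own 9c:b6:d0 entry; the IP and mask are made-up sample values.

```python
import ipaddress

# Constructed OUI table: the post says 9c:b6:d0 is likely a Killer wifi card.
OUI_TABLE = {"9c:b6:d0": "Killer wifi card (per the post)"}

def split_mac(mac):
    """Split a MAC into its manufacturer half (OUI) and its card-specific half.
    Also report the 'locally administered' bit: a MAC set by software (spoofed
    or randomised) normally has it set, a factory-burned one normally does not."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("expected six colon-separated hex octets: %r" % mac)
    oui = ":".join(octets[:3])
    first_octet = int(octets[0], 16)
    return {
        "oui": oui,
        "nic": ":".join(octets[3:]),
        "vendor": OUI_TABLE.get(oui, "unknown"),
        "locally_administered": bool(first_octet & 0x02),
        "multicast": bool(first_octet & 0x01),
    }

def describe_ip(ip, mask):
    """Given the IP and subnet mask a host was handed (by DHCP or by hand),
    work out the network identifier, the host identifier and the range of
    addresses that can be in use on that network."""
    iface = ipaddress.IPv4Interface("%s/%s" % (ip, mask))
    net = iface.network
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "host_id": int(iface.ip) & int(net.hostmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_count": len(hosts),
    }

if __name__ == "__main__":
    print(split_mac("9c:b6:d0:90:93:d2"))
    print(describe_ip("192.168.1.37", "255.255.255.0"))  # constructed sample
```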
Now the reason you need two addresses. Let’s compare networks to neighborhoods. If I wanted to send you something in the mail, what would I need? Your address, of course, and what does your address consist of? City, state, zip code and house number, right? The city, state, and zip will get me to the right area; I’ll need your house number to get it specifically to you. Same thing on networks: your IP address is like your city, state, and zip code, and your MAC is like your house number. So what does this look like from the perspective of the computers? Well, before we get to that, you have to know the difference between what a router does and what a switch does.
A router connects 2 networks together, usually a LAN and a WAN. LAN stands for Local Area Network; usually this consists of one physical location like your house or a coffee shop. WAN stands for Wide Area Network; this is usually used to connect many networks together, and the biggest and best example is the Internet itself. So “WANs connect LANs” is a good way to think about it. Routers use IP addresses to send the traffic they see on to the correct network. They do this by looking at the network identifier of the destination IP address.
Ok, so routers act as gateways and make sure my traffic gets to the right network, so what does a switch do? Switches take the traffic that was brought to you by the router and deliver the data to your PC. So why do I need 2 addresses then? Glad you asked, here is where your MAC address finally comes into play! See, switches do their thing by figuring out the MAC address of every network interface connected to them; they keep these MAC addresses, and the port each is connected to, in a table stored in onboard memory. Ok, so here’s where the IP and MAC come together. The router delivers the data to the switch, and the switch looks at the IP address, then uses a protocol called ARP to figure out which port it needs to go out.
So how does this look? The switch gets a piece of data and looks at the IP address; if it doesn’t already know which port to send this data out of, it calls ARP. ARP sends a broadcast out all ports of the switch, asking, “AY YO, WHO HAS THIS IP ADDRESS?” All computers will simply ignore this unless they have that IP, in which case they reply to the switch, “That’s me fam!” The switch then puts that IP on the same row of the table as the MAC address and port it found earlier. Now any more data it gets addressed to that IP will be sent out that port.
Bringing it back
So let’s tie this back to hacking. How can you misuse this information to do some fun stuff?
Let’s start with MAC addresses: as long as the MAC address isn’t spoofed you can make a reasonable guess as to what kind of device it is without scanning it, just by listening to the traffic that is flying through the air or the wire. Let’s move on to IP addresses and subnets: if you know what IP you get, and you know what the subnet mask is, you can tell what range of IP addresses will be in use; this helps you scope out your network scans better.
ARP will get its own section, because there are a few things we can do with ARP that are useful. We can use ARPscan to send out ARP requests for every IP address in the range and it’ll tell us what IPs are in use; that’s nice. We can also passively listen to the ARP requests and use that to determine what IPs are in use, which is also useful, and more stealthy than active scanning. Now for some REAL malicious work. We can use ARPspoof to spam ARP answers to trick devices into thinking we have other IPs than we really do. We can use this to perform man-in-the-middle attacks and snoop on traffic that was meant for another computer.
And here we are at the end of this… long-winded, easily distracted, caffeine- and alcohol-fueled talk about why we have 2 addresses for each network interface.
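As an added example (written for this post, not the post’s own code), here is the passive side of the ARP story from a defender’s seat: it builds the same IP-to-MAC table described in the switch section, lists which IPs are in use without sending a single packet, and flags an IP whose answering MAC suddenly changes, which is the footprint that spammed ARP answers leave behind. The log format and every address in it are constructed for the example.

```python
import ipaddress

# Constructed sample of ARP traffic as a listener might log it, one packet per
# line: "REQUEST sender_ip sender_mac target_ip" or "REPLY sender_ip sender_mac".
# Lines 5-6 show the gateway's IP suddenly being claimed by a different MAC.
SAMPLE_ARP = """\
REQUEST 192.168.1.37 9c:b6:d0:90:93:d2 192.168.1.1
REPLY 192.168.1.1 00:11:22:aa:bb:01
REQUEST 192.168.1.50 00:11:22:aa:bb:50 192.168.1.1
REPLY 192.168.1.1 00:11:22:aa:bb:01
REPLY 192.168.1.1 de:ad:be:ef:00:01
REPLY 192.168.1.1 de:ad:be:ef:00:01
"""

def monitor_arp(text):
    """Passively learn which IPs are in use and which MAC each one answers
    from, keeping the first MAC seen as the baseline.  Any later packet that
    claims the same IP from a different MAC is reported as an alert."""
    table = {}    # ip -> first MAC seen claiming it
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("REQUEST", "REPLY"):
            continue  # skip blank or malformed log lines
        ip, mac = parts[1], parts[2].lower()
        # Both requests and replies carry the sender's IP/MAC pair, so both
        # teach us that the sender IP is in use.
        baseline = table.get(ip)
        if baseline is None:
            table[ip] = mac
        elif baseline != mac:
            alerts.append({"line": lineno, "ip": ip, "was": baseline, "now": mac})
    hosts = sorted(table, key=lambda s: ipaddress.IPv4Address(s))
    return {"table": table, "hosts": hosts, "alerts": alerts}

if __name__ == "__main__":
    result = monitor_arp(SAMPLE_ARP)
    print("IPs in use:", result["hosts"])
    for alert in result["alerts"]:
        print("line %(line)d: %(ip)s moved from %(was)s to %(now)s" % alert)
```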