An Introduction To The Internet And TCP/IP
By Netdiablo Of 616

I have written this file because it is really pathetic how many people on the Internet call themselves "hackers" and really have no idea how the network that they "hack" on even works in the first place. This file will cover the basics of the Internet and will provide a good reference to new and intermediate users.

The Internet began as the ARPANET in the late 1960's (the first nodes came up in 1969). The ARPANET was a network linking together various research installations and universities across the nation that were involved in projects funded under DARPA, the Defense Advanced Research Projects Agency. Early contractors and consultants on the ARPANET included the RAND Corporation and Bolt, Beranek and Newman (BBN), which built the first packet switches. Up to the early 1990's the Internet existed as essentially a research network, used mainly by universities and corporations, mostly computer companies. In the 1990's, however, the spread of faster modems and of the World Wide Web to the world at large started the Internet phenomenon known today.

------------------------------------------------------------------------------
New User Definition [TCP/IP]: Transmission Control Protocol/Internet Protocol. These are the two core protocols that the Internet "runs" on: IP carries packets between machines, and TCP, layered on top of IP, turns those packets into a reliable two-way connection between two programs.
------------------------------------------------------------------------------

On the Internet, machines are connected to networks, which may be divided into subnetworks. Each machine [or device] on the network has a specific address, known as an IP address. An IP address is 32 bits long and is written as four numbers, known as octets, separated by dots (e.g. 192.168.1.77). Part of the address describes a network and/or subnetwork, and the rest describes a particular node on that network.

------------------------------------------------------------------------------
New User Definition [Node]: The generic term for a device on the network that has an IP address of its own, usually a host (a system) or a router. A device with no address of its own, such as a hub, is not a node; a printer with a network interface and an address is.
------------------------------------------------------------------------------

IP addresses are organized into five classes, Class A through Class E. The class is decided by the first octet: 1 to 126 is Class A, 128 to 191 is Class B, 192 to 223 is Class C, 224 to 239 is Class D and 240 to 255 is Class E (0 and 127 are reserved; 127.x.x.x is the loopback address of the local machine). Depending on how large an organization is, it is assigned a block of a different class to give addresses to the machines on its network.

Class A networks are the largest: a single Class A block covers 16,777,216 addresses (2^24), enough for about 16.7 million machines. These were handed out to very large organizations and collections of related networks, and a few large universities hold one. Class B networks follow Class A in size, with 65,536 addresses (2^16) per block. Class C networks are commonly used by smaller companies, and you will see many local ISPs using one or two Class C blocks on their networks. Each Class C block covers 256 addresses (2^8). In every block the all-zeros address names the network itself and the all-ones address is the broadcast address, so the number of usable host addresses is two less than the block size: 16,777,214, 65,534 and 254 respectively. Class D addresses are reserved for IP multicasting, and Class E addresses are reserved for "experimental purposes".

-----------------------------------------------------------------------------
New User Definition [Octet]: An octet is one component of an IP address. Each address has four octets, and each octet can have a value from 0 to 255. In a Class A network the last three octets are yours to assign to machines, in a Class B the last two, and in a Class C only the last one. This is shown below:

Class A: the block 10.0.0.0 to 10.255.255.255 (first octet fixed)
Class B: the block 172.16.0.0 to 172.16.255.255 (first two octets fixed)
Class C: the block 192.168.1.0 to 192.168.1.255 (first three octets fixed)

(These three happen to be the private ranges set aside by RFC 1918, which is why you will see them on internal networks that are not directly reachable from the Internet.) You can see how a Class A network leaves three octets for host addresses, a Class B network two, and a Class C network only a single octet.
-----------------------------------------------------------------------------

IP addresses are designed so that you can make many smaller networks out of larger ones. For instance, you can make 256 Class B-sized networks out of a single Class A block (each value of the second octet gives one), and 256 Class C-sized networks out of a single Class B block. This process of dividing a large network into smaller networks is called subnetting.

-----------------------------------------------------------------------------
New User Definition [Subnetting]: Creating smaller sub-networks from a single larger network by borrowing bits from the host part of the address for the network part.
-----------------------------------------------------------------------------

When subnetworks are created, the concept of masking is used. A subnet mask is a 32-bit value with a 1 in every bit position that belongs to the network address and a 0 in every position that belongs to the host address. A machine ANDs an address with the mask to get the network part (that is how it decides whether a destination is on its own network or has to go via a router), and ANDs it with the inverted mask to get the host part. Examples of masks are below:

N=Network bits  H=Host bits

Class A netmask: NNNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH
Numerically, that is: 255.0.0.0

Class B netmask: NNNNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH
Numerically, that is: 255.255.0.0

Class C netmask: NNNNNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH
Numerically, that is: 255.255.255.0

Each octet [there are four in an IP address, remember] is represented above by eight letters. Each letter is one bit of an 8-bit byte, which is what an octet is. This is also why each octet can only hold a value up to 255: an 8-bit byte can only hold a number from 0 to 255. A mask does not have to end on an octet boundary; 255.255.255.192, for instance, borrows two more bits for the network part and splits a Class C-sized block into four subnets of 64 addresses each.

Network addresses can be pretty hard to remember, so machines on a network can also have a name. Each machine can have a hostname, and the hostnames of an organization are grouped under a "domain name" shared by all of its machines (a machine is then named hostname.domain). Domain names can be registered with the InterNIC for a ridiculously high sum of money.
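As an added example (not code from the original file), the class, mask, network/host split and subnetting rules above worked out on the actual bits, so you can check any address rather than just the three classful cases. The addresses used in the demo at the bottom are the RFC 1918 private ranges from the class examples; nothing here touches the network.

```python
# Added example (not part of the original file): classful IPv4 addressing,
# netmasks and subnetting worked out on the bits. Standard library only.

# The leading bits of the first octet decide the class (0 and 127 are reserved).
CLASS_RANGES = {
    "A": (1, 126),      # 0xxxxxxx
    "B": (128, 191),    # 10xxxxxx
    "C": (192, 223),    # 110xxxxx
    "D": (224, 239),    # 1110xxxx  multicast
    "E": (240, 255),    # 1111xxxx  experimental
}
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}   # network bits per class


def parse_octets(addr):
    """Split dotted-quad text into four ints, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("need four octets: %r" % addr)
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("octet outside 0-255: %r" % addr)
    return octets


def to_int(addr):
    """Dotted quad -> the 32-bit number the machine actually works with."""
    a, b, c, d = parse_octets(addr)
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n):
    return "%d.%d.%d.%d" % ((n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255)


def ip_class(addr):
    first = parse_octets(addr)[0]
    for cls, (lo, hi) in CLASS_RANGES.items():
        if lo <= first <= hi:
            return cls
    return None   # 0.x.x.x and 127.x.x.x (loopback) belong to no class


def mask_from_prefix(prefix):
    """A mask is `prefix` one-bits followed by zero-bits, e.g. /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0-32")
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def prefix_from_mask(mask):
    """Inverse of mask_from_prefix; rejects masks whose one-bits are not contiguous."""
    bits = bin(to_int(mask))[2:].zfill(32)
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError("non-contiguous mask: %s" % mask)
    return len(ones)


def classful_mask(addr):
    """The mask implied by the address class alone (no subnetting)."""
    cls = ip_class(addr)
    if cls not in CLASSFUL_PREFIX:
        raise ValueError("class %s is not a unicast network class" % cls)
    return mask_from_prefix(CLASSFUL_PREFIX[cls])


def network_and_host(addr, mask):
    """AND with the mask keeps the network bits; AND with the inverted mask keeps the host bits."""
    a, m = to_int(addr), to_int(mask)
    return to_dotted(a & m), to_dotted(a & ~m & 0xFFFFFFFF)


def usable_hosts(prefix):
    """Block size minus the all-zeros (network) and all-ones (broadcast) addresses."""
    return max(2 ** (32 - prefix) - 2, 0)


def subnets(addr, prefix, new_prefix):
    """Subnetting: borrow new_prefix-prefix host bits and list the resulting network addresses."""
    if not prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be between the old prefix and 32")
    base = to_int(addr) & to_int(mask_from_prefix(prefix))
    step = 1 << (32 - new_prefix)
    return [to_dotted(base + i * step) for i in range(1 << (new_prefix - prefix))]


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.16.5.9", "192.168.1.77", "224.0.0.1", "127.0.0.1"):
        print(a, "is class", ip_class(a))
    print(network_and_host("192.168.1.77", "255.255.255.0"))
    print(len(subnets("10.0.0.0", 8, 16)), "class-B-sized subnets in 10.0.0.0/8")
    print(network_and_host("192.168.1.77", "255.255.255.192"), usable_hosts(26), "usable hosts")
```

The two things worth noticing when you run it: the network/host split is nothing more than a bitwise AND, and a mask such as 255.255.255.192 is perfectly legal even though it does not stop on an octet boundary, while one like 255.0.255.0 is rejected because its one-bits are not contiguous.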
Each domain is registered under a top-level domain. The generic top-level domains, used mostly by organizations in the United States at the time of writing, are as follows:

.com: Commercial organizations.
.edu: Educational institutions.
.org: Nonprofit organizations.
.net: Networks (originally network providers).
.gov: Non-military United States government sites.
.mil: United States military sites.

Each country also has a two-letter top-level domain assigned to it, taken from ISO 3166. Examples are listed below:

United States   us
Russia          ru
United Kingdom  uk
Japan           jp
France          fr
Italy           it
Germany         de
Denmark         dk

Now that the structure of an address and domain names have been explained, the next topic that will be covered is ports. Every machine speaking TCP or UDP has 65,536 port numbers (0 to 65535) per protocol, and a connection is identified by the address and port at both ends. A server has some of its ports open, meaning a program is listening on them for connections. If you are having trouble understanding this, think of each port as a door into a building. Some doors are open, and some are closed. On the open ports run the programs that serve particular services and protocols. In the UNIX vernacular, these programs are called daemons. Examples of daemons are "telnetd", the telnet daemon, "ftpd", the FTP daemon, "sendmail", the UNIX mailer, and "httpd", the HTTP server. Many of the smaller daemons are not running all the time but are started on demand by "inetd", the Internet super-server, which listens on their ports for them (see /etc/inetd.conf); the well-known port numbers are listed in /etc/services. You can connect to a port using the client program meant for that service, or you can connect with telnet, giving it the port number as a second argument (i.e. "telnet host 25"), which gives you a raw interface to the port: you type the protocol commands yourself and see the daemon's replies.

Now, I will provide an overview of some of the most used services, and how to access them using UNIX.

FTP: Port 21

First of all, FTP. FTP is probably the most used file transfer protocol in the world. On the server side, a host will usually be running either wu-ftpd, which was developed at Washington University, or the BSD FTP daemon. Port 21 carries only the commands; the files themselves travel over a separate data connection, which is why FTP gives firewalls so much trouble. FTP is accessed using a client program, the default of which is a small UNIX program called "ftp". To open a connection to a site, you can either run "ftp" with the host you want to connect to given as an argument (i.e. "ftp anubis-gw.dyn.ml.org"), or you can start "ftp" and then use the "open" command at the "ftp>" prompt (i.e. "open shell.complink.net").
Once you have connected to the server, you will be prompted for a username and password on the remote machine. Sometimes a machine will also offer an "anonymous" account; this can be accessed by logging in as "anonymous" or "ftp" at the FTP login prompt, with your email address as the password by convention. Note that FTP sends the username and password across the network in the clear. Once you have logged into the server, you can get a file using the "get" command, you can send a file using the "put" command (the BSD client also accepts "send"), you can list directories using the "ls" command and you can change directories using the "cd" command. For more information, type "?" or "help" at the "ftp>" prompt.

Secure Shell: Port 22

Secure Shell is as much an application as a protocol, but it still deserves to be included here. Secure Shell is a very useful tool for accessing hosts remotely. It resembles the 'telnet' and 'rlogin' applications, but unlike 'telnet' and 'rlogin', Secure Shell encrypts the session. Therefore someone sniffing the connection sees only ciphertext, not your password or what you type, which increases security. The server also proves its identity with a host key, which the client remembers; a warning that the host key has changed means either that the server was reinstalled or that someone is sitting between you and it. The client for the Secure Shell protocol is called "ssh". To run the ssh application, the syntax is typically "ssh -l username host" (or "ssh username@host"), in which host is the host that you will be accessing, and "username" is the username to log in to the host as. Typing "ssh" with no arguments makes the client print a usage summary of its command line options.

Telnet: Port 23

Now, onto the "telnet" protocol. Telnet is a protocol used to log in to machines remotely over a network; unlike Secure Shell, it sends everything, including your password, in the clear. UNIX includes a default client for telnet called "telnet". To connect to a host using "telnet", you can either run the telnet application with the host name as an argument (i.e. "telnet anubis-gw.dyn.ml.org"), or you can run the telnet application and, once you are at the "telnet>" prompt, use the "open" command (i.e. "open anubis-gw.dyn.ml.org"). Once you are connected, you can interact with the machine as usual. If you need to get back to the telnet prompt, you can type the escape character at any time during the session. This is set by default to "^]" (Control plus the right square bracket).
Once you are at the "telnet>" prompt, you can do things like disconnect or continue your session. When you log out of the machine you have telnetted to, the connection will be closed automatically.

SMTP (Sendmail): Port 25

The protocol on port 25 is SMTP, the Simple Mail Transfer Protocol, one of the most common and also most complex protocols on the Internet. "Sendmail" is not the protocol but the program that speaks it: almost every site on the Internet that handles mail runs Sendmail or one of about two alternatives. You normally do not talk SMTP yourself; you hand a message to the UNIX program "mail", which passes it to the local Sendmail, which in turn opens an SMTP connection to the recipient's mail server. Usually you invoke mail with the email address of the person you want to send mail to as an argument (i.e. "mail ndiablo@complink.net"). Once you have done that, you will be prompted for a subject, and then you will be able to write the letter. Once you have finished writing the mail, you can send it by typing "^D" or a "." on a line by itself. You can abort mail by typing "^C" at any time during the program. There are many more arguments for the "mail" program; to learn about them, refer to the "mail" online manual page.

DNS: Port 53

Port 53 (both UDP and TCP) is where the Internet Domain Name Server daemon, BIND's "named", runs. However, before the daemon is explained, you must understand the protocol. As you know, on the Internet each host has a 'name', and each 'name' maps to an IP address. Domain name servers hold 'tables' (called zones) of these hostname-to-address mappings for the 'domain' they serve. The servers are arranged in a 'tree'. At the top are the root name servers, which know the name servers for each 'top level' domain (e.g. .com, .edu, .mil, etc.). Each top-level domain's name servers know the IP addresses of the name servers for the 'second level' domains under them (e.g. sun.com, mit.edu, etc.), and those in turn map the machines in their domains to IP addresses, and so on down. This is shown in the diagram below:

      .com                .edu                  .net
        |                   |                     |
     sun.com             mit.edu            complink.net
        |                   |                     |
machine1.sun.com    machine1.mit.edu    machine1.complink.net

To look up a name, a resolver starts at a root server and follows referrals down the tree until it reaches the server that is authoritative for the name (the answer is then cached for a while so the whole walk is not repeated). Therefore the daemon runs on a domain's name servers and maps the hostnames of the machines in that domain to their IP addresses (and, through the reverse tree under in-addr.arpa, addresses back to hostnames).
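As an added example (not code from the original file), here is the walk down the name-server tree in the diagram above, done the way a resolver does it: ask a root server, follow each referral to the next server down, stop at the one that answers. The zone data is constructed for the example: the domain names are the ones in the diagram, the server and host addresses are made up from the RFC 5737 documentation ranges, and the root server (which the diagram leaves out) is assumed to be at 192.0.2.1.

```python
# Added example (not part of the original file): iterative name resolution
# walking the name-server tree in the diagram. Zone data is constructed:
# sun.com, mit.edu and complink.net are the file's names, the addresses are
# made up from the RFC 5737 documentation ranges.

# Which server (by address) serves which zone. A root server sits above the
# diagram's top-level domains; a resolver always starts there.
SERVERS = {
    "192.0.2.1": ".",
    "192.0.2.10": "com", "192.0.2.11": "edu", "192.0.2.12": "net",
    "198.51.100.1": "sun.com", "198.51.100.2": "mit.edu", "198.51.100.3": "complink.net",
}

# Each zone holds A records for its own hosts and NS delegations (child zone
# -> address of that zone's server) for the subdomains it hands off.
ZONES = {
    ".":            {"a": {}, "ns": {"com": "192.0.2.10", "edu": "192.0.2.11", "net": "192.0.2.12"}},
    "com":          {"a": {}, "ns": {"sun.com": "198.51.100.1"}},
    "edu":          {"a": {}, "ns": {"mit.edu": "198.51.100.2"}},
    "net":          {"a": {}, "ns": {"complink.net": "198.51.100.3"}},
    "sun.com":      {"a": {"machine1.sun.com": "203.0.113.1"}, "ns": {}},
    "mit.edu":      {"a": {"machine1.mit.edu": "203.0.113.2"}, "ns": {}},
    "complink.net": {"a": {"machine1.complink.net": "203.0.113.3"}, "ns": {}},
}


def in_zone(name, zone):
    """True if `name` is the zone apex or lies somewhere below it."""
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server_addr, name):
    """One query to one server: ("answer", ip), ("referral", next_server) or ("nxdomain", None)."""
    zone = ZONES[SERVERS[server_addr]]
    if name in zone["a"]:
        return ("answer", zone["a"][name])
    # Hand off to the most specific delegated child zone that contains the name.
    matches = [(child, addr) for child, addr in zone["ns"].items() if in_zone(name, child)]
    if matches:
        child, addr = max(matches, key=lambda m: len(m[0]))
        return ("referral", addr)
    return ("nxdomain", None)


def resolve(name, root="192.0.2.1", max_hops=8):
    """Iterative resolution: start at a root server and follow referrals down
    the tree until some server answers for the name or denies it exists.
    Returns (ip_or_None, [(server_asked, kind_of_reply), ...])."""
    name = name.rstrip(".").lower()          # names are case-insensitive
    server, path = root, []
    for _ in range(max_hops):                # a hop limit guards against delegation loops
        kind, value = ask(server, name)
        path.append((server, kind))
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        server = value
    raise RuntimeError("too many referrals resolving %s" % name)


if __name__ == "__main__":
    for n in ("machine1.sun.com", "machine1.complink.net", "nosuch.mit.edu", "example.org"):
        ip, path = resolve(n)
        print(n, "->", ip, "via", " -> ".join("%s(%s)" % p for p in path))
```

Each successful lookup in this tree takes three queries (root, top-level domain, second-level domain), which is why real resolvers cache: the root and TLD referrals are the same for every host under sun.com.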
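The SMTP section above says the protocol on port 25 is what Sendmail speaks, and the ports section says telnet gives you a raw interface to a port. As an added example (not code from the original file, and not Sendmail's code), this is the dialogue that takes place on port 25, with a minimal server-side state machine so you can see which commands it accepts in which order. The hostnames and addresses in the sample session are made up.

```python
# Added example (not part of the original file): the SMTP dialogue behind
# port 25, which "mail" triggers through the local Sendmail and which you can
# also type by hand after "telnet host 25". The server side is a minimal
# state machine that enforces command order; the session below is constructed
# and the hostnames/addresses in it are made up.


class SmtpServer:
    """Just enough of the server side of SMTP (RFC 821) to show the exchange."""

    def __init__(self, hostname):
        self.hostname = hostname
        self.helo = None          # client has identified itself
        self.sender = None        # from MAIL FROM
        self.rcpts = []           # from RCPT TO (one or more)
        self.in_data = False      # between DATA and the lone "."
        self.body = []
        self.delivered = []       # (sender, recipients, body) accepted so far

    def greeting(self):
        # The server speaks first; a "220" code means it is ready.
        return "220 %s SMTP ready" % self.hostname

    def handle(self, line):
        """Reply to one client line; None while body lines are being collected."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, list(self.rcpts), "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], []
                return "250 OK: message accepted"
            # A body line that itself starts with "." is sent as ".." (dot-stuffing)
            # so it is not mistaken for the end-of-message marker; undo that here.
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return "250 %s" % self.hostname
        if verb == "MAIL":
            if self.helo is None:
                return "503 bad sequence: send HELO first"
            self.sender = arg.partition(":")[2].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 bad sequence: need MAIL FROM first"
            self.rcpts.append(arg.partition(":")[2].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 bad sequence: need RCPT TO first"
            self.in_data = True
            return "354 end message with a line containing only ."
        if verb == "QUIT":
            return "221 %s closing connection" % self.hostname
        return "500 command unrecognized"


def run_session(server, client_lines):
    """Feed the client's lines to the server; return the transcript as
    (who, text) pairs, "S" for server, "C" for client."""
    transcript = [("S", server.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


# Constructed sample session: what a client (or your fingers in telnet) sends.
SAMPLE_CLIENT = [
    "HELO client.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    "DATA",
    "Subject: hello",
    "",
    "..this body line began with a dot, so the client dot-stuffed it",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for who, text in run_session(SmtpServer("mail.example.org"), SAMPLE_CLIENT):
        print(who + ":", text)
```

Two things the transcript makes obvious that the "mail" program hides: the envelope (MAIL FROM and RCPT TO) is separate from the headers inside the body, so the From: line a recipient sees is whatever the client chose to put there, and the server is silent during the body until the lone "." arrives.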
TFTP: Port 69

TFTP is the Trivial File Transfer Protocol. TFTP resembles FTP in that it is used to transfer files between nodes, but unlike FTP it runs over UDP and uses no user authentication at all. This means that anyone who can reach port 69 can TFTP to the host and read any file the daemon itself can read, if the host is running an unrestricted TFTP daemon. Obviously this is a big security risk, and no server on the Internet should be running it. The only real use for this protocol is for applications such as a boot server for diskless workstations and network equipment. If this protocol must be run, then at the least the admin should be using password shadowing (so that a fetched /etc/passwd contains no password hashes to crack), be behind a decent firewall that blocks port 69 from outside, and use the directory-limiting feature built into some versions, which confines the daemon to a single directory such as /tftpboot. The client for TFTP is a simple program called "tftp". Since it is so seldom used, refer to the online manual page, or enter "?" or "help" at the "tftp>" prompt.

Finger: Port 79

Finger is a protocol for retrieving information on a user on a system. A finger query will usually return the user's real name, office location, phone number, last login time, and the last time the user read their mail. It also confirms which usernames exist on the host. This protocol is not really that useful, and in my opinion it should not be run, as its only real purpose is to provide information helpful to those trying to use social engineering attacks against people. The client for the finger protocol is an application, unsurprisingly, called "finger". Its syntax usually follows the pattern "user@host", for instance "finger ndiablo@complink.net". You can also finger the host itself, showing all users logged into the system, with the syntax "@host", as in "finger @complink.net".

HTTP: Port 80

The HTTP protocol is a familiar one. Everyone should know about the HTTP protocol by this point in time. HTTP is the protocol that the World Wide Web is served upon: the client sends a request such as "GET / HTTP/1.0" followed by a blank line, and the server replies with a status line, some headers and the document. There are many clients for HTTP, but the most common text-based one is called "lynx". To connect to a site using lynx, you execute lynx with the URL of the site given as an argument. For instance, "lynx http://anubis-gw.dyn.ml.org".
You can also start lynx by typing "lynx" alone and then entering the name of the site you wish to go to from inside the program ("g" for go).

POP Version 3: Port 110

POP [Post Office Protocol] is used to retrieve mail from a mail server onto your own machine. There are a few different UNIX clients for POP, including "fetchmail". These programs have a rather large number of options, and there is no real 'default' syntax. For more information, refer to the online manual page of your POP client. Like FTP and telnet, plain POP3 sends your password across the network in the clear.

NNTP: Port 119

NNTP [Network News Transfer Protocol] is used, obviously, to transfer netnews (Usenet articles) between machines and to newsreaders. There are many clients for it, one example of which is 'tin'. For more information, refer to the online manual page for your news client.

Now the very fundamentals of the Internet have been explained to you: IP addressing, protocols, ports, the simple theory behind domain name service, and other useful bits of knowledge. Obviously this wasn't an attempt at making a super-reference, but it should do to explain the basic concepts that one will run into while using the Internet. For more advanced information, look in issues of Phrack magazine, and perhaps look into buying a good book on TCP/IP.

Any comments, feel free to email ndiablo@complink.net or also root@anubis-gw.dyn.ml.org

-Netdiablo

Tnx to Reality-X, Digiphreq, and Ishamael for proofreading.