HCNA---Day1

First day of becoming a cyber security engineer

day1: Basic cybersecurity knowledge literacy

Learning Content:

1. Basic network standard
2. osi seven-layer model
3. TCP/IP transmission protocol stack
4. TCP protocol and UDP protocol
5. TCP and UDP, IPv4 header


1. Computer basics:

[1] Von Neumann architecture:
ENIAC, born on 2/14 of 1946, is the world's first general-purpose computer.
CPU (Central Processing Unit): arithmetic unit, controller, registers, cache
Memory: RAM (Random Access Memory). Memory consists of a large number of storage units (cells); one cell holds 8 bits of binary data.
8 bits = 1 Byte, and 1 Byte is the smallest addressable unit of memory.
Memory addressing is flat.
Input: accepts commands, provides data, etc.
Output: outputs the result of data processing.
Program = instructions + data; algorithm + data structure.
In addition:
NIC: Network Interface Card / network adapter, the device through which the computer connects to the network.
Graphics card: Video Card / Graphic Card, display interface card / display adapter, the computer's digital-to-analog signal conversion device, carrying all of the computer's network data.

[2] The computer's startup process:
The whole startup process is divided into four stages:
1) BIOS (Basic Input/Output System): performs the hardware self-check, then passes control to the next stage of the boot process (Boot Sequence).
2) MBR (Master Boot Record): 512 bytes.
3) Hard disk boot: tells the computer which partition the operating system is in.
4) Operating system: after control is transferred to the operating system, its kernel is loaded into memory.

[3] Some DOS commands (Windows+R, type cmd, press Enter):
dxdiag                                view computer configuration information
systeminfo                            view computer system information
wmic memorychip                       view memory information
ipconfig                              view the computer's IP address information
ipconfig /all                         view all of the computer's network card information
netsh interface ipv4 show interfaces  view the computer's network card status
wmic memorychip list brief            view the number of memory modules
start msinfo32                        view system information

[4] Number systems
Binary: digits 0-1
Decimal: digits 0-9
Octal: digits 0-7
Hexadecimal: digits 0-9, A-F
Binary to decimal: expand each digit by its positional weight and add
Decimal to binary: repeated division by 2 (short division)

2. OSI seven-layer reference model

1. OSI seven-layer reference model (Open System Interconnect)

The OSI seven-layer reference model, i.e. Open System Interconnection, was formulated by the ISO (International Organization for Standardization).
Application layer: provides a variety of services to the user through the human-computer interaction interface.
Presentation layer: handles the syntax of user information for the upper layer: encoding, decoding, encryption, and decryption.
Session layer: establishes an end-to-end link between two nodes and provides the dialogue control mechanism to establish, maintain, and terminate the session.
Transport layer: segments the data of different upper-layer services and distinguishes them by port number. TCP (connection-oriented) / UDP (connectionless); TCP provides a reliable transmission mechanism: acknowledgment, retransmission, sequencing, and flow control.
Network layer: IP; logical addressing by IP address, establishing a connection between the IP addresses of two nodes. Device: router.
Data link layer: CPU; the logical link control (LLC) sublayer provides services to the upper layer, and the media access control (MAC) sublayer frames the data and provides the FCS check. MAC / physical address: a 48-bit binary code.
Physical layer: defines electrical, voltage and optical characteristics and interface specifications; repeaters/hubs transmit the bit stream.

The following is a popular version of the reference model:

Application layer: human language, where the application/service resides <-> coding
Presentation layer: coding <-> binary
Session layer: session management, data encryption and decryption
Transport layer: TCP/UDP; the port number identifies the application or service.
Port numbers are 0-65535; 0-1023 are the well-known ports, 1024-65535 are high/dynamic ports, which only have local meaning.
Network layer: IPv4 & IPv6, router; logical addressing based on the IPv4 address
Data link layer: CPU, bridge
Physical layer: NIC, hub

Well-known service ports at the transport layer:

HTTP: Hypertext Transfer Protocol, TCP 80
HTTPS: Secure Hypertext Transfer Protocol, TCP 443
DNS: Domain Name Service, TCP & UDP 53
Public DNS servers: 8.8.8.8 (Silicon Valley, USA), 114.114.114.114 (Nanjing, Jiangsu)
FTP: File Transfer Protocol, TCP 20/21
TFTP:
telnet: remote login, TCP 23
DHCP: Dynamic Host Configuration Protocol, hands out IP addresses, UDP 67 (server) / 68 (client)

Tencent's private data transmission port: 8000

In use, the reference model is converted into a layered structure model:

TCP/IP protocol stack (layered structure) and the data unit at each layer:
Application layer
Transport layer - data segment
Network layer - data packet
Data link layer - data frame
Physical layer - bit stream

Encapsulation of data packets: according to the OSI seven-layer reference model, the process of adding the corresponding header information to the data layer by layer.

Message encapsulation and decapsulation:
Take a user browsing a website as an example to illustrate the process of data encapsulation and decapsulation.

Unit conversion:
1 Byte = 8 bits
1 KB = 1024 Bytes
1 MB = 1024 KB
1 GB = 1024 MB
1 TB = 1024 GB
1 PB = 1024 TB

TCP: Transmission Control Protocol, a reliable, connection-oriented transport protocol

1. Port number: used to identify different application processes on the same computer.
1) Source port: together with the source IP address, identifies the return address of the message.
2) Destination port: indicates the application program interface on the recipient's computer.

The source and destination port numbers in the TCP header, together with the source and destination IP addresses in the IP datagram, uniquely determine a TCP connection.
2. Sequence number and acknowledgment number: the key part of TCP reliable transmission. The sequence number is the sequence number of the first byte of data sent in this segment; in the stream transmitted by TCP, every byte has a sequence number. For example, if the sequence number of a segment is 300 and the data part of this segment is 100 bytes long, the sequence number of the next segment is 400. The sequence number therefore guarantees the ordering of TCP transmission. The acknowledgment number (ACK number) indicates the sequence number of the next byte expected, meaning that all data before that sequence number has been received correctly. The acknowledgment number is valid only when the ACK flag is 1; for example, when a connection is established, the ACK flag of the first SYN segment is 0.
3. Data offset / header length: 4 bits. Since the header may contain options, the length of the TCP header is not fixed. If the header contains no optional fields, the length is 20 bytes. The maximum value the 4-bit field can represent is 1111, which is 15 in decimal, and 15*32/8 = 60, so the maximum header length is 60 bytes. The header length is also called the data offset, because it indicates the starting offset of the data area within the segment.
4. Reserved: reserved for future definitions of new uses; currently set to 0.
5. Control bits: URG, ACK, PSH, RST, SYN, FIN, 6 in total; each flag bit represents a control function.
1) URG: urgent pointer flag. When it is 1, the urgent pointer is valid; when it is 0, the urgent pointer is ignored.
2) ACK: acknowledgment number flag. When it is 1, the acknowledgment number is valid; 0 means the segment carries no acknowledgment and the acknowledgment number field is ignored.
3) PSH: push flag. 1 means the segment carries a push flag, indicating that the receiver should deliver the segment to the application as soon as it is received instead of queuing it in the buffer.
4) RST: reset connection flag, used to reset a connection that has gone wrong because of a host crash or other reasons, or to reject illegal segments and connection requests.
5) SYN: synchronize sequence numbers, used during connection establishment. In the connection request, SYN=1 and ACK=0 indicate that the segment carries no piggybacked acknowledgment; the connection response piggybacks an acknowledgment, i.e. SYN=1 and ACK=1.
6) FIN: finish flag, used to release a connection. When it is 1, the sender has no more data to send, i.e. it closes its side of the data stream.
6. Window: the size of the sliding window, used to tell the sender the size of the receiver's buffer so as to control the rate at which the sender transmits, achieving flow control. The window size is a 16-bit field, so the maximum window size is 65535.
7. Checksum: used to verify the segment. It is computed over 16-bit words of the entire TCP segment, including the TCP header and TCP data; the sender calculates and stores it, and the receiver verifies it.
8. Urgent pointer: valid only when the URG flag is 1. The urgent pointer is a positive offset which, added to the value in the sequence number field, gives the sequence number of the last byte of urgent data. TCP's urgent mode is a way for the sender to send urgent data to the other end.
9. Options and padding: the most common option is the Maximum Segment Size (MSS). Each side usually specifies this option in the first segment of the communication (the segment with SYN=1 that establishes the connection); it indicates the largest segment the local end can accept. The option length is not necessarily an integer multiple of 32 bits, so padding bits (extra zeros) are added to ensure that the TCP header length is an integer multiple of 32 bits.
10. Data: the data part of a TCP segment is optional. When a connection is established or terminated, the segments exchanged by both sides contain only the TCP header. If one side has no data to send, it also uses a header without data to acknowledge received data, and in many timeout-handling situations segments without data are sent as well.
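
As an added example (not from the original notes), the following Python decodes the fields just described from a constructed TCP SYN segment: the data offset, the six flag bits, the window, the urgent pointer and the MSS option. The function names and the sample values (ports, sequence number, MSS) are my own choices, not taken from a capture.

```python
import struct

FLAG_BITS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags field

# Constructed sample (not a capture): a SYN segment from port 51000 to port 80, seq 300, ack 0,
# data offset 6 (6 * 4 = 24 bytes: 20-byte header + 4-byte MSS option), window 65535.
SAMPLE_SYN = (
    struct.pack("!HHIIHHHH", 51000, 80, 300, 0, (6 << 12) | 0x0002, 65535, 0, 0)
    + bytes([2, 4, 0x05, 0xB4])   # option kind 2 (MSS), length 4, MSS = 1460
)

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header and walk the options (MSS is extracted)."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, checksum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # data offset in 32-bit words: 5 (20 B) .. 15 (60 B)
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = {name: bool(off_flags & (1 << bit)) for bit, name in enumerate(FLAG_BITS)}
    info = {
        "src_port": sport, "dst_port": dport, "seq": seq,
        "ack": ack if flags["ACK"] else None,   # acknowledgment number only valid when ACK=1
        "header_len": header_len, "flags": flags, "window": window, "checksum": checksum,
        "urgent_ptr": urg if flags["URG"] else None,
        "mss": None,
        "payload": segment[header_len:],
    }
    i = 20
    while i < header_len:                        # options live between byte 20 and the data offset
        kind = segment[i]
        if kind == 0:                            # end of option list; the rest is padding
            break
        if kind == 1:                            # NOP, single byte
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("truncated TCP option")
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:            # Maximum Segment Size
            info["mss"] = struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return info

def next_seq(seq: int, data_len: int) -> int:
    """Sequence number of the following segment: this seq plus the bytes carried (mod 2^32)."""
    return (seq + data_len) & 0xFFFFFFFF
```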

Connection-oriented: TCP three-way handshake to connect, four-way handshake to disconnect.
Reliable: reliable transmission mechanism with acknowledgment, retransmission, flow control, and sequencing.

TCP 3-way handshake:
ACK: the TCP protocol stipulates that the acknowledgment number is valid only when ACK=1. It also stipulates that ACK must be 1 in all segments sent after the connection is established.
SYN (SYNchronization): used to synchronize the sequence numbers when the connection is established. SYN=1 and ACK=0 indicate a connection request segment. If the other side agrees to establish the connection, it sets SYN=1 and ACK=1 in the response segment. Therefore, SYN set to 1 means the segment is either a connection request or a connection acceptance.
**FIN (finis)** means finished, terminate: used to release a connection. When FIN=1, the sender of this segment has finished sending its data and requests that the connection be released.

TCP 4-way disconnection: the local end and the remote end each send a request and an acknowledgment.
When client A has nothing left to send, the connection on A's side is released: A sends a segment (carrying no data) with FIN set to 1. After receiving it, server B sends an acknowledgment and notifies its application. At this point the connection on A's side is closed, that is, A no longer sends data (but can still receive). After receiving B's acknowledgment, A enters a waiting state and waits for B to request the release of the connection. When B's data transmission is complete, it requests A to release the connection, again with FIN=1 and ack = u+1 (as shown in the figure). When this segment arrives, A replies with an acknowledgment and enters the TIME_WAIT state, waiting for 2MSL.

UDP: connectionless, unreliable transport protocol

8-byte header

Field              Length      Description
Source Port        2 bytes     identifies the sending application (sending process)
Destination Port   2 bytes     identifies the receiving application (receiving process)
Length             2 bytes     number of bytes of the UDP header plus UDP data; minimum 8
Checksum           2 bytes     covers the UDP header and UDP data; optional
Data               variable    UDP payload; optional

MTU: The default maximum transmission unit is 1500B

Network layer: IP protocol. Layer-3 devices examine the IP header; its fixed part is 20 B.

Version: the version of the IP protocol. The current IP protocol version number is 4, and the next-generation IP protocol version number is 6.
Header length: the length of the IP header, i.e. the length of the fixed part (20 bytes) plus the length of the variable part. The field is 4 bits; its maximum is 1111, which is 15 in decimal, meaning the IP header can be at most 15 units of 32 bits (4 bytes), i.e. 15*4 = 60 bytes. Excluding the 20-byte fixed part, the variable part is at most 40 bytes.
Service type: Type Of Service.
Total length: the total length of the IP packet, i.e. header length plus data length.
Identification: uniquely identifies each datagram sent by the host; usually its value is incremented by one for every datagram sent. When the length of an IP packet exceeds the MTU (Maximum Transmission Unit) of the transmission network, it must be fragmented. The value of this identification field is copied into the identification field of every fragment, so that the fragments can be recognised by this identification when they reach the final destination and reassembled into the original data.
Flags: 3 bits in total: R, DF and MF. Currently only the last two bits are used. DF bit: 1 means do not fragment, 0 means fragmentation is allowed. MF bit: 1 means "more fragments", 0 means this is the last fragment.
Fragment offset: the offset of this fragment relative to the start of the original datagram (the field value must be multiplied by 8).
Time to live: the maximum number of routers an IP packet can pass through. Each router it passes through reduces the TTL by 1; when it reaches 0 the router discards the datagram. The TTL field is 8 bits and is initially set by the sender. The recommended initial value is specified in the Assigned Numbers RFC; the current value is 64. When sending ICMP echo replies, the TTL is often set to the maximum value, 255.
Protocol: indicates which protocol the data carried in the IP packet belongs to, so that the IP layer of the destination host knows which process to hand the datagram to (different protocols are handled by different processes). Similar to a port number, a protocol number is used here: TCP is protocol 6, UDP is 17, ICMP is 1, and IGMP is 2.
Header checksum: the checksum of the IP header, used to check the integrity of the IP header.
Source IP address: identifies the source device of the IP datagram.
Destination IP address: identifies the destination of the IP datagram.
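
An added example, not part of the original notes: Python that builds a constructed IPv4 header and decodes the fields above, including the DF/MF flags, the fragment offset multiplied by 8, the protocol number lookup and a check of the header checksum. The function names and the sample addresses, identification and lengths are my own assumptions.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, then complemented (the IP header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 88: "EIGRP", 89: "OSPF"}

def build_sample_header(df: bool = True, mf: bool = False, frag_offset: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header: TTL 64, protocol 6 (TCP), 192.168.1.10 -> 10.0.0.5,
    identification 0x1C46, total length 40. Not a captured packet; values chosen for illustration."""
    if frag_offset % 8:
        raise ValueError("fragment offset is carried in 8-byte units")
    flags_frag = (df << 14) | (mf << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, flags_frag, 64, 6, 0,
                      bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields described above from the start of an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes: 20 (no options) .. 60
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "options_len": ihl - 20,             # variable part, at most 40 bytes
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # field counts 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        # Summing a header over its own checksum field yields 0 when it is intact.
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }
```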

TTL: time to live, 0-255; decremented by 1 at every router passed, and when it reaches 0 the router discards the packet directly.
Protocol: identifies the upper-layer protocol
TCP    6
UDP    17
EIGRP  88
OSPF   89

Comparison of the OSI model and the TCP/IP protocol stack:
Similarities: both are modelled and hierarchical; the lower layer provides service support to the upper layer; the protocol of each layer is independent of the others.

Differences: OSI had the model before the protocols, whereas TCP/IP had the protocols before the model; the TCP/IP protocol stack only applies to TCP/IP networks; the number of layers is different.

IPv4 address:

32-bit binary, divided into network bits and host bits (the network bits identify the network segment where the host is located, and the host bits uniquely identify a host).
A complete IP address requires a network mask: a 32-bit binary value that corresponds bit by bit to the IP address and consists of consecutive 1s followed by consecutive 0s. A 1 in the mask indicates that this bit of the IP address is a network bit, and a 0 indicates a host bit.
2^32 = 4294967296, about 4.2 billion addresses
IPv6: 128 bits, 2^128 addresses

Addresses are divided into five classes, A to E (the main class networks).

By default, the class can be distinguished by the first 8 bits:
A  0 0000000 - 0 1111111   0-127
B  10 000000 - 10 111111   128-191
C  110 00000 - 110 11111   192-223
D  1110 0000 - 1110 1111   224-239
E  1111 0000 - 1111 1110   240-254

Unicast addresses: A, B, C (one-to-one)
Multicast addresses: D
Scientific research use: E

Default masks:
A  the first 8 bits are network bits, the last 24 bits are host bits    2^24-2 available addresses
B  the first 16 bits are network bits, the last 16 bits are host bits   2^16-2 available addresses
C  the first 24 bits are network bits, the last 8 bits are host bits    2^8-2 available addresses

Unicast addresses are further classified into public and private addresses:
Public address: globally unique, payment required to use.
Private address: locally unique, no payment required.

Private addresses:
A: 10.0.0.0/8
B: 172.16.0.0/16 - 172.31.0.0/16
C: 192.168.0.0/24 - 192.168.255.0/24

Special IPv4 addresses:
1) 0.0.0.0/0: invalid address / default address
2) 255.255.255.255: limited broadcast address
3) 127.0.0.1/8: local loopback address, used to test whether the TCP/IP protocol stack works normally (it generally also represents this machine)
4) Host bits all 0, for example 192.168.1.00000000/24: represents all hosts in this network segment, i.e. a network range
5) Host bits all 1, for example 192.168.1.11111111/24: the broadcast address for the hosts in this network segment
6) 169.254.0.0/16: local private address, assigned randomly by the PC when it cannot obtain an address by automatic IP configuration
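
As an added illustration (not from the original notes), this Python applies the rules above: class from the leading bits of the first octet, default mask and usable host count, the private ranges, the special addresses, and the network/broadcast addresses obtained by setting the host bits to all 0 or all 1. Function names and the test addresses are my own.

```python
def _octets(addr: str) -> list:
    """Split a dotted-quad string into four validated integers."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % addr)
    return [int(p) for p in parts]

def classify_ipv4(addr: str) -> dict:
    """Class, default mask, private/special status of an IPv4 address, by the rules above."""
    o = _octets(addr)
    first = o[0]
    # The class is read from the leading bits of the first octet.
    if first < 128:        # 0xxxxxxx
        cls, prefix = "A", 8
    elif first < 192:      # 10xxxxxx
        cls, prefix = "B", 16
    elif first < 224:      # 110xxxxx
        cls, prefix = "C", 24
    elif first < 240:      # 1110xxxx multicast
        cls, prefix = "D", None
    else:                  # 1111xxxx reserved / research use
        cls, prefix = "E", None
    special = None
    if o == [0, 0, 0, 0]:
        special = "default/invalid address"
    elif o == [255, 255, 255, 255]:
        special = "limited broadcast"
    elif first == 127:
        special = "loopback"
    elif o[:2] == [169, 254]:
        special = "link-local (self-assigned when no address is obtained automatically)"
    private = (first == 10
               or (first == 172 and 16 <= o[1] <= 31)
               or o[:2] == [192, 168])
    return {
        "class": cls,
        "default_prefix": prefix,
        "usable_hosts": (2 ** (32 - prefix) - 2) if prefix else 0,
        "unicast": cls in ("A", "B", "C"),
        "private": private,
        "special": special,
    }

def network_and_broadcast(addr: str, prefix: int) -> tuple:
    """Host bits all 0 -> network address; host bits all 1 -> broadcast address."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    ip = int.from_bytes(bytes(_octets(addr)), "big")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = ip & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    to_str = lambda n: ".".join(str(b) for b in n.to_bytes(4, "big"))
    return to_str(net), to_str(bcast)
```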

Subnet division: by borrowing host bits as network bits, a large network can be divided into several small networks.
The borrowed bits are called subnet bits, and their number determines how many subnet ranges can be created.
VLSM: Variable Length Subnet Mask

Example: there is a large network range, 172.16.0.0/22, and it must be divided into 6 network ranges. Write out the subnet ranges and the available IP address ranges.
172.16.0.0/22
network bits | host bits
10101100 00010000 00000000 00000000 ---- IP address
11111111 11111111 11111100 00000000 ---- net mask (255.255.252.0)
Analysis:
Because 6 network ranges are needed and the number of subnets is determined by the borrowed subnet bits, at least 3 bits are required (2^3 = 8 >= 6). Borrow 3 bits immediately after the original network bits. The final mask is /25.

Borrowed subnet bits (shown in blue in the original figure):

10101100 00010000 00000000 00000000   (the three bits following the 22 network bits are the borrowed subnet bits)
The subnets are formed from the permutations of the borrowed bits: 000 001 010 011 100 101 110 111, giving 8 subnet ranges.
The final result is:
Subnet range        Available IP address range
172.16.0.0/25       172.16.0.1 - 172.16.0.126
172.16.0.128/25     172.16.0.129 - 172.16.0.254
172.16.1.0/25       172.16.1.1 - 172.16.1.126
172.16.1.128/25     172.16.1.129 - 172.16.1.254
172.16.2.0/25       172.16.2.1 - 172.16.2.126
172.16.2.128/25     172.16.2.129 - 172.16.2.254
172.16.3.0/25       172.16.3.1 - 172.16.3.126
172.16.3.128/25     172.16.3.129 - 172.16.3.254

Subnet summarization: aggregate several small networks into one large network.
The summary must meet two conditions: 1) the same parent network, 2) the same mask.
Summary method: keep the bits that are the same and drop the bits that differ.
Example:
172.16.1.0/24
172.16.14.0/24
172.16.35.0/24
172.16.99.0/24
Written in binary (third octet), the networks to be summarized are:
172.16.0 0000001.0/24
172.16.0 0001110.0/24
172.16.0 0100011.0/24
172.16.0 1100011.0/24
The first 17 bits are the same, so after summarization the result is 172.16.0.0/17.


Supernet: the mask after summarization is shorter than the main class (classful) mask, e.g. 192.168.0.0/17. CIDR: the mask after summarization is longer than the main class mask, e.g. 172.16.0.0/17.
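
The subnet division and the summarization worked above, implemented in Python as an added example (not from the original notes): `divide` borrows host bits for a required number of subnets, `summarize` keeps the common prefix of the given networks, and `is_supernet` compares the summary mask with the classful default mask. Function names are my own; the standard `ipaddress` module does the address arithmetic.

```python
import ipaddress
import math

def divide(network: str, needed_subnets: int) -> list:
    """Borrow enough host bits to create at least `needed_subnets` equal subnets.
    Returns (subnet, first usable host, last usable host) for each subnet."""
    if needed_subnets < 1:
        raise ValueError("need at least one subnet")
    net = ipaddress.IPv4Network(network, strict=True)
    borrow = math.ceil(math.log2(needed_subnets))    # 6 ranges -> 3 bits -> 2^3 = 8 subnets
    new_prefix = net.prefixlen + borrow
    if new_prefix > 30:                               # keep at least 2 usable hosts per subnet
        raise ValueError("not enough host bits to borrow")
    return [(str(sub), str(sub.network_address + 1), str(sub.broadcast_address - 1))
            for sub in net.subnets(new_prefix=new_prefix)]

def summarize(networks: list) -> str:
    """Keep the bits common to every network address and drop the bits that differ."""
    nets = [ipaddress.IPv4Network(n, strict=True) for n in networks]
    if len({n.prefixlen for n in nets}) != 1:
        raise ValueError("summarization requires the same mask on every network")
    base = int(nets[0].network_address)
    differing = 0
    for n in nets[1:]:
        differing |= base ^ int(n.network_address)   # XOR marks the bits that differ
    # The common prefix ends just above the highest differing bit and is never longer than the input mask.
    common = min(nets[0].prefixlen, 32 - differing.bit_length())
    return str(ipaddress.IPv4Network((base, common), strict=False))

def classful_prefix(network: str) -> int:
    """Default (main class) mask length of classes A, B and C, read from the first octet."""
    first = int(network.split(".")[0])
    if first >= 224:
        raise ValueError("classes D and E have no default mask")
    return 8 if first < 128 else 16 if first < 192 else 24

def is_supernet(network: str) -> bool:
    """True when the summary mask is shorter than the classful mask (192.168.0.0/17); otherwise CIDR."""
    return ipaddress.IPv4Network(network, strict=False).prefixlen < classful_prefix(network)
```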


Origin blog.csdn.net/weixin_45917388/article/details/109239848