Windows API Use in SpyEye Banking Trojan

Why am I breaking down Malware API use? Not to get into blue teamwork but to understand how we make our red team endeavours even better. And btw, I got this info from a great write-up!

First, the bot checks if it is running in a directory it wants by using GetModuleFileNameA. GetModuleFileName is a function that retrieves the fully qualified path for the file that contains the specified module.

DWORD GetModuleFileNameA(HMODULE hModule, LPSTR lpFilename, DWORD nSize);

Next, if it is not running where it wants to it creates a home directory with CreateDirectoryA.

BOOL CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes);

CreateDirectoryA creates a new directory. If the underlying file system supports security on files and directories, the function applies a specified security descriptor to the new directory.

After this, it downloads the latest executable with:

InternetOpenA("Microsoft Internet Explorer"), InternetOpenUrlA(INTERNET_FLAG_NO_CACHE_WRITE), InternetQueryDataAvailable, and InternetReadFile.

InternetOpenA initializes an application’s use of the WinINet functions. InternetOpenUrlA opens a resource specified by a complete FTP or HTTP URL. InternetQueryDataAvailable queries the server to determine the amount of data available. InternetReadFile reads data from a handle opened by the InternetOpenUrl, FtpOpenFile, or HttpOpenRequest function.

After the update, the bot calls CreateMutexA in order to force any running instances of the bot to unload.

CreateMutexA("__CLEANSWEEP_UNINSTALL__")

Next, it uses CreateProcessA to launch a new process with the updated binary.

BOOL CreateProcessA(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);

CreateProcessA creates a new process and its primary thread. The new process runs in the security context of the calling process.

Next (or straight away, if the bot was already running where it wanted to be), it discovers processes of interest using CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS), Process32First, and Process32Next.

allProcesses = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

CreateToolhelp32Snapshot takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.

Process32First retrieves information about the first process encountered in a system snapshot.

Process32Next retrieves information about the next process recorded in a system snapshot.

CreateRemoteThread creates a thread that runs in the virtual address space of another process.
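As an added example (not from the original write-up or the bot's own code), here is a small stateful detector that looks for the call chain just described in a sandbox API trace: WinINet download followed by CreateProcessA, Toolhelp process enumeration followed by CreateRemoteThread, and the named mutex. The `pid=… api=… args=…` line format and the sample trace are constructed for illustration and are not any real sandbox's output.

```python
"""Flag the SpyEye-style API call chain in a (constructed) sandbox API trace."""
import re
from collections import defaultdict

# Constructed trace. pid 100 behaves like the bot described in the text; pid 200
# is a benign process that only enumerates processes (e.g. a task manager).
SAMPLE_TRACE = """
pid=100 api=GetModuleFileNameA
pid=100 api=CreateDirectoryA args=C:\\Users\\x\\AppData\\bot
pid=100 api=InternetOpenA args="Microsoft Internet Explorer"
pid=100 api=InternetOpenUrlA args=INTERNET_FLAG_NO_CACHE_WRITE
pid=100 api=InternetQueryDataAvailable
pid=100 api=InternetReadFile
pid=100 api=CreateMutexA args=__CLEANSWEEP_UNINSTALL__
pid=100 api=CreateProcessA args=C:\\Users\\x\\AppData\\bot\\update.exe
pid=200 api=CreateToolhelp32Snapshot args=TH32CS_SNAPPROCESS
pid=200 api=Process32First
pid=200 api=Process32Next
pid=100 api=CreateToolhelp32Snapshot args=TH32CS_SNAPPROCESS
pid=100 api=Process32First
pid=100 api=Process32Next
pid=100 api=CreateRemoteThread args=target_pid=4242
"""

# Assumed trace line format (constructed): pid=<n> api=<Name>[ args=<text>]
LINE_RE = re.compile(r"pid=(\d+)\s+api=(\w+)(?:\s+args=(.*))?")

# Ordered stages of each behaviour; a stage is satisfied by any API in its set.
CHAINS = {
    # Fetch a binary over WinINet, then start a new process.
    "download-and-execute": [
        {"InternetOpenA"},
        {"InternetOpenUrlA"},
        {"InternetReadFile"},
        {"CreateProcessA"},
    ],
    # Walk the process list, then create a thread in another process.
    "enumerate-then-inject": [
        {"CreateToolhelp32Snapshot"},
        {"Process32First", "Process32Next"},
        {"CreateRemoteThread"},
    ],
}

# Mutex name quoted in the text.
KNOWN_MUTEXES = {"__CLEANSWEEP_UNINSTALL__": "SpyEye uninstall mutex"}


def parse_trace(text):
    """Yield (pid, api, args) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3) or ""


def detect(text):
    """Return sorted (pid, finding) pairs for every process in the trace.

    Each chain is tracked per process as the index of the next stage to match,
    so the stages must occur in order but may be interleaved with other calls.
    """
    progress = defaultdict(lambda: dict.fromkeys(CHAINS, 0))
    findings = set()
    for pid, api, args in parse_trace(text):
        if api == "CreateMutexA" and args in KNOWN_MUTEXES:
            findings.add((pid, "known-mutex:" + args))
        for name, stages in CHAINS.items():
            idx = progress[pid][name]
            if idx < len(stages) and api in stages[idx]:
                idx += 1
                progress[pid][name] = idx
                if idx == len(stages):
                    findings.add((pid, name))
    return sorted(findings)


if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_TRACE):
        print(f"pid {pid}: {finding}")
```

The benign enumerator (pid 200) produces no finding because it never reaches the CreateRemoteThread stage.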

TBC…

Windows API for Pentesting (Part 1)

What is the Windows API?

The Windows API, informally WinAPI, is Microsoft’s core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems. The name Windows API collectively refers to several different platform implementations that are often referred to by their own names (for example, Win32 API). Almost all Windows programs interact with the Windows API. On the Windows NT line of operating systems, a small number (such as programs started early in the Windows startup process) use the Native API.

Why do we care about Windows API?

Adversary simulation and pen-testing are commonplace in large enterprises, and this has led defenders to improve their ability to detect and block standard tools like Metasploit with ease. However, modern adversaries have the means to carry out very advanced attacks, spending years targeting an organisation with custom code.

The Windows API, with the right token privileges, allows a program to read other users’ memory, execute code in a higher-privilege context, enumerate the system, kill AV and much more. Custom code that calls the Windows API directly means no fluff and no code bloat: the exploit is tightly coupled to the target environment and we can emulate powerful adversary tactics.

The debug privilege with SE_PRIVILEGE_ENABLED set on the token is king: we can read other users’ memory when this is enabled, and so much more!

With debug privs we can, for example:

  • Read/write anything in memory
  • Search for and recover sensitive info like passwords, hashes and tokens

We will be looking at the following API functions to start with…

AdjustTokenPrivileges

The AdjustTokenPrivileges function enables or disables privileges in the specified access token. Enabling or disabling privileges in an access token requires TOKEN_ADJUST_PRIVILEGES access.

The NewState parameter can specify privileges that the token does not have, without causing the function to fail. In this case, the function adjusts the privileges that the token does have and ignores the other privileges so that the function succeeds. Call the GetLastError function to determine whether the function adjusted all of the specified privileges. The PreviousState parameter indicates the privileges that were adjusted.

GetTokenInformation

The GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.

To determine if a user is a member of a specific group, use the CheckTokenMembership function. To determine group membership for app container tokens, use the CheckTokenMembershipEx function.

GetTokenInformation(processToken, TokenPrivileges, NULL, 0, &structSize);
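Added example, not the post's own code: a parser for the TOKEN_PRIVILEGES buffer that the two-call GetTokenInformation pattern above fills, reporting which held privileges actually carry SE_PRIVILEGE_ENABLED (on Windows it reads the current process's own token via ctypes; elsewhere it runs against a constructed buffer). The well-known LUID table is a small subset I have included for illustration, so unknown LUIDs are shown numerically where real code would call LookupPrivilegeName.

```python
"""Parse TOKEN_PRIVILEGES as returned by GetTokenInformation(TokenPrivileges)."""
import ctypes
import struct
import sys

# Attribute bits of LUID_AND_ATTRIBUTES.Attributes (winnt.h).
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000

# Well-known privilege LUIDs (LowPart; HighPart is 0). Subset for illustration only.
WELL_KNOWN_LUIDS = {
    7: "SeTcbPrivilege",
    10: "SeLoadDriverPrivilege",
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege",
    23: "SeChangeNotifyPrivilege",
    29: "SeImpersonatePrivilege",
}

# Privileges that deserve attention in an audit when found *enabled* on a token.
HIGH_IMPACT = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
               "SeBackupPrivilege", "SeRestorePrivilege", "SeImpersonatePrivilege"}

# Layout: DWORD PrivilegeCount, then PrivilegeCount entries of
# { LUID { DWORD LowPart; LONG HighPart; }; DWORD Attributes } = 12 bytes each.
_HEADER = struct.Struct("<I")
_ENTRY = struct.Struct("<IiI")


def parse_token_privileges(buf):
    """Return one dict (luid, name, enabled, removed) per privilege in the buffer."""
    (count,) = _HEADER.unpack_from(buf, 0)
    needed = _HEADER.size + count * _ENTRY.size
    if len(buf) < needed:
        raise ValueError(f"buffer too short: {len(buf)} < {needed}")
    out = []
    for i in range(count):
        low, high, attrs = _ENTRY.unpack_from(buf, _HEADER.size + i * _ENTRY.size)
        luid = (high << 32) | low
        out.append({
            "luid": luid,
            "name": WELL_KNOWN_LUIDS.get(luid, f"LUID:{luid}"),
            "enabled": bool(attrs & SE_PRIVILEGE_ENABLED),   # held AND enabled
            "removed": bool(attrs & SE_PRIVILEGE_REMOVED),
        })
    return out


def enabled_high_impact(privs):
    """Names of high-impact privileges that are currently enabled, not merely held."""
    return sorted(p["name"] for p in privs if p["enabled"] and p["name"] in HIGH_IMPACT)


def build_token_privileges(entries):
    """Build a buffer in the same layout from (luid, attributes) pairs (for testing)."""
    body = b"".join(_ENTRY.pack(luid & 0xFFFFFFFF, luid >> 32, attrs) for luid, attrs in entries)
    return _HEADER.pack(len(entries)) + body


def read_current_token_privileges():
    """Windows only: the two-call GetTokenInformation pattern shown in the text."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    adv.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    adv.GetTokenInformation.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                        ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]
    TOKEN_QUERY, TokenPrivileges = 0x0008, 3
    token = ctypes.c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    size = ctypes.c_uint32(0)
    # First call with a NULL buffer only reports the required size.
    adv.GetTokenInformation(token, TokenPrivileges, None, 0, ctypes.byref(size))
    buf = ctypes.create_string_buffer(size.value)
    ok = adv.GetTokenInformation(token, TokenPrivileges, buf, size.value, ctypes.byref(size))
    k32.CloseHandle(token)
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    return parse_token_privileges(buf.raw)


# Constructed sample: SeChangeNotify enabled by default, SeShutdown held but
# disabled, SeDebug held and enabled (the "debug privs" the text refers to).
SAMPLE_BUFFER = build_token_privileges([
    (23, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED),
    (19, 0),
    (20, SE_PRIVILEGE_ENABLED),
])

if __name__ == "__main__":
    privs = (read_current_token_privileges() if sys.platform == "win32"
             else parse_token_privileges(SAMPLE_BUFFER))
    for p in privs:
        print(f"{p['name']:<28} enabled={p['enabled']}")
    print("enabled high-impact:", enabled_high_impact(privs))
```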

ShellExecuteEx

Performs an operation on a specified file.

Below is a reference for the ShellExecuteEx info structure, _SHELLEXECUTEINFOA, which contains the information used by ShellExecuteEx. Interestingly, the runas verb does not appear there.

ShellExecute/Ex() with the "runas" verb is the only official way to start an elevated process programmatically, especially if the executable being run does not have its own UAC manifest to invoke elevation.

SHELLEXECUTEINFO info = { 0 };          // zero the structure before filling it in
info.cbSize = sizeof(SHELLEXECUTEINFO);
info.fMask = SEE_MASK_DEFAULT;
info.hwnd = NULL;
info.lpVerb = _T("runas");              // request elevation (UAC prompt)
info.lpFile = fileName;
info.lpParameters = NULL;
info.lpDirectory = NULL;
info.nShow = SW_SHOWNORMAL;
ShellExecuteEx(&info);  // Also try the simpler ShellExecute

GetModuleFileName

Returns the path of the current process executable when hModule is NULL

// https://msdn.microsoft.com/en-us/library/windows/desktop/ms683197(v=vs.85).aspx
GetModuleFileName(NULL, fileName, pathLen);

CreateToolhelp32Snapshot

Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.

Toolhelp32ReadProcessMemory

Copies memory allocated to another process into an application-supplied buffer.

WriteProcessMemory

Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

WTSEnumerateProcessesEx

Retrieves information about the active processes on the specified Remote Desktop Session Host (RD Session Host) server or Remote Desktop Virtualization Host (RD Virtualization Host) server.

WTSFreeMemoryEx

Frees memory that contains WTS_PROCESS_INFO_EX or WTS_SESSION_INFO_1 structures allocated by a Remote Desktop Services function.

LookupPrivilegeValue

The LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name.

GetCurrentProcess

Retrieves a pseudo handle for the current process.

OpenProcessToken

The OpenProcessToken function opens the access token associated with a process.

LookupAccountSid

The LookupAccountSid function accepts a security identifier (SID) as input. It retrieves the name of the account for this SID and the name of the first domain on which this SID is found.

ConvertSidToStringSidA

The ConvertSidToStringSid function converts a security identifier (SID) to a string format suitable for display, storage, or transmission.

To convert the string-format SID back to a valid, functional SID, call the ConvertStringSidToSid function.

For now, this is just a bit of info on the functions we will use; in the next post we will write some programs to remain stealthy!

Application Layer Protocols and Known Security Issues

Description

The application layer contains a variety of protocols that are commonly needed by users. One widely used application protocol is HTTP (HyperText Transfer Protocol), which is the basis for the World Wide Web. When a browser wants a Web page, it sends the name of the page it wants to the server hosting the page using HTTP. The server then sends the page back. Other application protocols are used for file transfer, electronic mail, and network news.

Network Data Unit

Data

Main Security Issues

  • Remote Code Execution
  • Command Spoofing
  • Process Hijacking
  • Lateral Movement
  • DDoS/DoS
  • CVE Vulnerabilities
  • Command Injection
  • File Includes
  • Local File Read/Write
  • Privilege Escalation
  • Host Takeover

Protocol Examples

Application Layer OpSec

This is quite in-depth and will be posted in a special blog on securing layer 7.

Presentation Layer Protocols and Known Security Issues

Description

Unlike the lower layers, which are mostly concerned with moving bits around, the presentation layer handles the syntax and semantics of the information transmitted. To make it possible for computers with different internal data representations to communicate, the data structures to be exchanged can be defined abstractly, along with a standard encoding to be used “on the wire.” The presentation layer manages these abstract data structures and allows higher-level data structures (e.g., banking records) to be defined and exchanged.

Network Data Unit

Data

Main Security Issues

  • Decryption Attacks
  • Encryption Downgrade Attacks
  • Parsing/Character/Uncompress Exploits
  • Encoding Attacks
  • Type Confusion

Services

Protocol Examples

Other protocols sometimes considered at this level (though perhaps not strictly adhering to the OSI model) include:

Presentation Layer OpSec

Layer 6 OpSec is quite in-depth and will be covered in a unique blog on securing layer 6.

Session Layer Protocols and Known Security Issues

Description

The session layer allows users on different machines to establish sessions between them. Sessions offer various services, including dialog control (keeping track of whose turn it is to transmit), token management (preventing two parties from attempting the same critical operation simultaneously), and synchronisation (checkpointing long transmissions to allow them to pick up from where they left off in the event of a crash and subsequent recovery).

Session Data Unit

Data

Main Security Issues

  • Session Hijacking
  • Man in the Middle
  • Sniffing
  • Session Downgrade Attacks

Protocol Examples

Session Layer OpSec

This is quite in-depth and will be posted in a special blog on securing layer 5.

Transport Layer Protocols and Known Security Issues

Description

The basic function of the transport layer is to accept data from above it, split it up into smaller units if need be, pass these to the network layer, and ensure that the pieces all arrive correctly at the other end. Furthermore, all this must be done efficiently and in a way that isolates the upper layers from the inevitable changes in the hardware technology over the course of time. The transport layer also determines what type of service to provide to the session layer, and, ultimately, to the users of the network. The most popular type of transport connection is an error-free point-to-point channel that delivers messages or bytes in the order in which they were sent.

Network Data Unit

Segment

An application data stream can be broken into segments. A segment is carried over a datagram, then segments are reassembled into the original application stream. This is typically done by the TCP layer. So in TCP we have application stream over TCP segment over IP datagram over data-link frame. In UDP there is no segmentation, so the UDP datagram is one-to-one mapped onto the IP datagram.

Main Security Issues

  • Fingerprinting
  • Information Gathering (Scanning)
  • Interception
  • Downgrade Attacks
  • Cryptographic Attacks
  • Data Spoofing
  • Denial of Service (DoS)
  • Remote Code Execution (Protocol CVE)

Protocol Examples

This list shows some protocols that are commonly placed in the transport layers of the Internet protocol suite, the OSI protocol suite, NetWare’s IPX/SPX, AppleTalk, and Fibre Channel.

Transport Layer OpSec

This is quite in-depth and will be posted in a special blog on securing layer 4.

Network Layer Protocols and Known Security Issues

Description

The network layer controls the operation of the subnet. A key design issue is determining how packets are routed from source to destination. Routes can be based on static tables that are “wired into” the network and rarely changed, or more often they can be updated automatically to avoid failed components. They can also be determined at the start of each conversation, for example, a terminal session, such as a login to a remote machine. Finally, they can be highly dynamic, being determined anew for each packet to reflect the current network load. If too many packets are present in the subnet at the same time, they will get in one another’s way, forming bottlenecks. Handling congestion is also a responsibility of the network layer, in conjunction with higher layers that adapt the load they place on the network. More generally, the quality of service provided (delay, transit time, jitter, etc.) is also a network layer issue. When a packet has to travel from one network to another to get to its destination, many problems can arise. The addressing used by the second network may be different from that used by the first one. The second one may not accept the packet at all because it is too large. The protocols may differ, and so on. It is up to the network layer to overcome all these problems to allow heterogeneous networks to be interconnected. In broadcast networks, the routing problem is simple, so the network layer is often thin or even nonexistent.

The network layer is the third level of the Open Systems Interconnection Model (OSI Model) and the layer that provides data routing paths for network communication. Data is transferred in the form of packets via logical network paths in an ordered format controlled by the network layer.

Logical connection setup, data forwarding, routing and delivery error reporting are the network layer’s primary responsibilities.

Network Data Unit

Packet

A network packet is a formatted unit of data carried by a packet-switched network. A packet consists of control information and user data,[1] which is also known as the payload. Control information provides data for delivering the payload, for example: source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers.

Main Security Issues

  • Fingerprinting
  • Information Gathering (Scanning)
  • Interception
  • Routing Table Poisoning
  • IP Spoofing
  • Denial of Service (DoS)
  • Remote Code Execution (Protocol CVE)

Protocol Examples

Network protocols provide what are called “link services”. These protocols handle addressing and routing information, error checking, and retransmission requests. Network protocols also define rules for communicating in a particular networking environment such as Ethernet or Token Ring.

Network Layer OpSec

This is quite in-depth and will be posted in a special blog on securing layer 3.

Data Link Protocols and Known Security Issues

Description

The main task of the data link layer is to transform a raw transmission facility into a line that appears free of undetected transmission errors. It does so by masking the real errors so the network layer does not see them. It accomplishes this task by having the sender break up the input data into data frames (typically a few hundred or a few thousand bytes) and transmit the frames sequentially. If the service is reliable, the receiver confirms correct receipt of each frame by sending back an acknowledgement frame. Another issue that arises in the data link layer (and most of the higher layers as well) is how to keep a fast transmitter from drowning a slow receiver in data. Some traffic regulation mechanism may be needed to let the transmitter know when the receiver can accept more data. Broadcast networks have an additional issue in the data link layer: how to control access to the shared channel. A special sublayer of the data link layer, the medium access control sublayer, deals with this problem.

Data Link Layer Duties

  • It handles problems that occur as a result of bit transmission errors.
  • It ensures data flows at a pace that doesn’t overwhelm sending and receiving devices.
  • It permits the transmission of data to Layer 3, the network layer, where it is addressed and routed.

Data Link Layer — Physical Addressing

Physical addressing is different from network addressing. Network addresses differentiate between nodes or devices in a network, allowing traffic to be routed or switched through the network. In contrast, physical addressing identifies devices at the link-layer level, differentiating between individual devices on the same physical medium. The primary form of physical addressing is the media access control (MAC) address.

Data Link Layer — Network Topology

Network topology specifications identify how devices are linked in a network. Some media allow devices to be connected by a bus topology, while others require a ring topology. The bus topology is used by Ethernet technologies, which are supported on Juniper Networks devices.

Data Link Layer — Error Notification

The Data Link Layer provides error notifications that alert higher layer protocols that an error has occurred on the physical link. Examples of link-level errors include the loss of a signal, the loss of a clocking signal across serial connections, or the loss of the remote endpoint on a T1 or T3 link.

Data Link Layer — Frame Sequencing

The frame sequencing capabilities of the Data Link Layer allow frames that are transmitted out of sequence to be reordered on the receiving end of a transmission. The integrity of the packet can then be verified by means of the bits in the Layer 2 header, which is transmitted along with the data payload.

Data Link Layer — Flow Control

Flow control within the Data Link Layer allows receiving devices on a link to detect congestion and notify their upstream and downstream neighbours. The neighbouring devices relay the congestion information to their higher layer protocols so that the flow of traffic can be altered or rerouted.

Data Link Layer — Data Link Sublayers

The Data Link Layer is divided into two sublayers: logical link control (LLC) and media access control (MAC). The LLC sublayer manages communications between devices over a single link of a network. This sublayer supports fields in link-layer frames that enable multiple higher layer protocols to share a single physical link.

The MAC sublayer governs protocol access to the physical network medium. Through the MAC addresses that are typically assigned to all ports on a device, multiple devices on the same physical link can uniquely identify one another at the Data Link Layer. MAC addresses are used in addition to the network addresses that are typically configured manually on ports within a network.

Data Link Layer — MAC Addressing

A MAC address is the serial number permanently stored in a device adapter to uniquely identify the device. MAC addresses operate at the Data Link Layer, while IP addresses operate at the Network Layer. The IP address of a device can change as the device is moved around a network to different IP subnets, but the MAC address remains the same, because it is physically tied to the device.

Within an IP network, devices match each MAC address to its corresponding configured IP address by means of the Address Resolution Protocol (ARP). ARP maintains a table with a mapping for each MAC address in the network.

Most Layer 2 networks use one of three primary numbering spaces — MAC-48, EUI-48 (extended unique identifier), and EUI-64 — which are all globally unique. MAC-48 and EUI-48 spaces each use 48-bit addresses, and EUI-64 spaces use 64-bit addresses, but all three use the same numbering format. MAC-48 addresses identify network hardware, and EUI-48 addresses identify other devices and software.

The Ethernet and ATM technologies supported on devices use the MAC-48 address space. IPv6 uses the EUI-64 address space.

MAC-48 addresses are the most commonly used MAC addresses in most networks. These addresses are 12-digit hexadecimal numbers (48 bits in length) that typically appear in one of the following formats:

  • MM:MM:MM:SS:SS:SS
  • MM-MM-MM-SS-SS-SS

The first three octets (MM:MM:MM or MM-MM-MM) are the ID number of the hardware manufacturer. Manufacturer ID numbers are assigned by the Institute of Electrical and Electronics Engineers (IEEE). The last three octets (SS:SS:SS or SS-SS-SS) make up the serial number for the device, which is assigned by the manufacturer. For example, an Ethernet interface card might have a MAC address of 00:05:85:c1:a6:a0.

Protocol Data Unit

Frame

In computer networking, an Ethernet frame is a data link layer protocol data unit and uses the underlying Ethernet physical layer transport mechanisms. In other words, a data unit on an Ethernet link transports an Ethernet frame as its payload.

Main Security Issues

  • MAC Flooding
  • ARP Spoofing
  • Port Hijacking
  • DHCP Attacks
  • Layer 2-based Broadcasting
  • Denial of Service (DoS)
  • MAC Cloning

Protocol Examples

Data Link Layer OpSec

This is quite in-depth and will be posted in a special blog on securing layer 2.

OSI Physical Layer Protocols and Known Security Issues

Description

The physical layer transmits raw bits over a communication channel; this layer needs to make sure that when one side sends a 1 bit it is received by the other side as a 1 bit, not as a 0 bit. It includes, but is not limited to, cables, jacks, and hubs. The physical layer can include everything from the cable type and radio frequency link (as in 802.11 wireless systems) to the layout of pins, voltages and other physical requirements.

Protocol Data Unit

Bits

The bit is a basic unit of information used in computing and digital communications. A binary digit can only have one of two values, and may be physically represented with a two-state device. These state values are most commonly represented as either a 0 or 1.

Main Security Issues

  1. Malicious Firmware
  2. Supply Chain Security
  3. Loss of Power
  4. Loss of Environmental Control
  5. Physical Theft of Data and Hardware
  6. Physical Damage or Destruction of Data and Hardware
  7. Unauthorised changes to the functional environment (data connections, removable media, adding/removing resources)
  8. Disconnection of Physical Data Links
  9. Undetectable Interception of Data
  10. Keystroke & Other Input Logging

Protocols

Uses protocols such as 100BaseT and 1000Base-X, and devices such as hubs, patch panels and RJ45 jacks.

Physical Layer OpSec

Practice defence in-depth tactics, use access controls, accountability, and auditing to track and control physical assets.

Understanding the OSI Model

Note: I was very rushed editing this; it will turn into the ultimate OSI model guide, so please be patient for now while I improve it. Thank you!

The Open Systems Interconnection model (OSI model) is a conceptual model that characterises and standardises the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard protocols. The model partitions a communication system into abstraction layers. The original version of the model defined seven layers.

The Physical Layer

The physical layer transmits raw bits over a communication channel; this layer needs to make sure that when one side sends a 1 bit it is received by the other side as a 1 bit, not as a 0 bit.

Typical Design Issues

  • What electrical signals should be used to represent a 1 and a 0
  • How many nanoseconds a bit lasts, and whether transmission may proceed simultaneously in both directions
  • How the initial connection is established
  • How it is torn down when both sides are finished
  • How many pins the network connector has, and what each pin is used for.

These design issues largely deal with mechanical, electrical, and timing interfaces, as well as the physical transmission medium, which lies below the physical layer.

Physical Layer Duties

  • Modulation, the process of converting a signal from one form to another so that it can be physically transmitted over a communication channel
  • Bit-by-bit delivery
  • Line coding, which allows data to be sent by hardware devices that are optimised for digital communications that may have discrete timing on the transmission link
  • Bit synchronisation for synchronous serial communications
  • Start-stop signalling and flow control in asynchronous serial communication
  • Circuit switching and multiplexing: hardware control of multiplexed digital signals
  • Carrier sensing and collision detection, whereby the physical layer detects carrier availability and avoids the congestion problems caused by undeliverable packets
  • Signal equalisation to ensure reliable connections and facilitate multiplexing
  • Forward error correction/channel coding such as error correction code
  • Bit interleaving to improve error correction
  • Auto-negotiation
  • Transmission mode control

Example Protocols that use Physical Layer

  • Digital Subscriber Line
  • Integrated Services Digital Network
  • Infrared Data Association
  • Universal Serial Bus
  • Bluetooth
  • Controller Area Network
  • Ethernet

The Data Link Layer

The main task of the data link layer is to transform a raw transmission facility into a line that appears free of undetected transmission errors. It does so by masking the real errors so the network layer does not see them. It accomplishes this task by having the sender break up the input data into data frames (typically a few hundred or a few thousand bytes) and transmit the frames sequentially. If the service is reliable, the receiver confirms correct receipt of each frame by sending back an acknowledgement frame. Another issue that arises in the data link layer (and most of the higher layers as well) is how to keep a fast transmitter from drowning a slow receiver in data. Some traffic regulation mechanism may be needed to let the transmitter know when the receiver can accept more data. Broadcast networks have an additional issue in the data link layer: how to control access to the shared channel. A special sublayer of the data link layer, the medium access control sublayer, deals with this problem.

The data link layer’s first sublayer is the media access control (MAC) layer. It is used for source and destination addresses. The MAC layer allows the data link layer to provide the best data transmission vehicle and manage data flow control.

The data link layer’s second sublayer is the logical link control. It manages error checking and data flow over a network.

Data Link Layer Duties

  • It handles problems that occur as a result of bit transmission errors.
  • It ensures data flows at a pace that doesn’t overwhelm sending and receiving devices.
  • It permits the transmission of data to Layer 3, the network layer, where it is addressed and routed.

Data Link Layer — Physical Addressing

Physical addressing is different from network addressing. Network addresses differentiate between nodes or devices in a network, allowing traffic to be routed or switched through the network. In contrast, physical addressing identifies devices at the link-layer level, differentiating between individual devices on the same physical medium. The primary form of physical addressing is the media access control (MAC) address.

Data Link Layer — Network Topology

Network topology specifications identify how devices are linked in a network. Some media allow devices to be connected by a bus topology, while others require a ring topology. The bus topology is used by Ethernet technologies, which are supported on Juniper Networks devices.

Data Link Layer — Error Notification

The Data Link Layer provides error notifications that alert higher layer protocols that an error has occurred on the physical link. Examples of link-level errors include the loss of a signal, the loss of a clocking signal across serial connections, or the loss of the remote endpoint on a T1 or T3 link.

Data Link Layer — Frame Sequencing

The frame sequencing capabilities of the Data Link Layer allow frames that are transmitted out of sequence to be reordered on the receiving end of a transmission. The integrity of the packet can then be verified by means of the bits in the Layer 2 header, which is transmitted along with the data payload.

Data Link Layer — Flow Control

Flow control within the Data Link Layer allows receiving devices on a link to detect congestion and notify their upstream and downstream neighbours. The neighbouring devices relay the congestion information to their higher layer protocols so that the flow of traffic can be altered or rerouted.

Data Link Layer — Data Link Sublayers

The Data Link Layer is divided into two sublayers: logical link control (LLC) and media access control (MAC). The LLC sublayer manages communications between devices over a single link of a network. This sublayer supports fields in link-layer frames that enable multiple higher layer protocols to share a single physical link.

The MAC sublayer governs protocol access to the physical network medium. Through the MAC addresses that are typically assigned to all ports on a device, multiple devices on the same physical link can uniquely identify one another at the Data Link Layer. MAC addresses are used in addition to the network addresses that are typically configured manually on ports within a network.

Data Link Layer — MAC Addressing

A MAC address is the serial number permanently stored in a device adapter to uniquely identify the device. MAC addresses operate at the Data Link Layer, while IP addresses operate at the Network Layer. The IP address of a device can change as the device is moved around a network to different IP subnets, but the MAC address remains the same, because it is physically tied to the device.

Within an IP network, devices match each MAC address to its corresponding configured IP address by means of the Address Resolution Protocol (ARP). ARP maintains a table with a mapping for each MAC address in the network.

Most Layer 2 networks use one of three primary numbering spaces — MAC-48, EUI-48 (extended unique identifier), and EUI-64 — which are all globally unique. MAC-48 and EUI-48 spaces each use 48-bit addresses, and EUI-64 spaces use 64-bit addresses, but all three use the same numbering format. MAC-48 addresses identify network hardware, and EUI-48 addresses identify other devices and software.

The Ethernet and ATM technologies supported on devices use the MAC-48 address space. IPv6 uses the EUI-64 address space.

MAC-48 addresses are the most commonly used MAC addresses in most networks. These addresses are 12-digit hexadecimal numbers (48 bits in length) that typically appear in one of the following formats:

  • MM:MM:MM:SS:SS:SS
  • MM-MM-MM-SS-SS-SS

The first three octets (MM:MM:MM or MM-MM-MM) are the Organizationally Unique Identifier (OUI), the ID number of the hardware manufacturer, which is assigned by the Institute of Electrical and Electronics Engineers (IEEE). The last three octets (SS:SS:SS or SS-SS-SS) make up the serial number for the interface, which is assigned by the manufacturer. Two bits of the first octet carry flags: the least significant bit is set for group (multicast) addresses, and the next bit marks a locally administered address, one set by software rather than by the manufacturer. For example, an Ethernet interface card might have a MAC address of 00:05:85:c1:a6:a0.
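As an added example (not code from the article), the following Python parses both MAC address formats shown above, splits an address into its manufacturer ID and serial parts, reads the two flag bits of the first octet, and feeds constructed ARP replies into a small host-style ARP cache that flags when an IP address starts answering with a different MAC, the tell-tale of the ARP spoofing mentioned in the ARP paragraph. The replies, the alert format and the cache itself are this example's own assumptions; nothing here reads a real operating system's ARP table.

```python
"""MAC address parsing and an ARP cache that flags changed IP-to-MAC bindings.

Added example, not code from the article. The ARP replies below are
constructed; the cache and alert format are this example's own, not any
operating system's.
"""
import re
from dataclasses import dataclass

# Six hex octets, all separated by ':' or all by '-' (the two formats above).
_MAC_RE = re.compile(
    r"^([0-9a-f]{2})([:-])([0-9a-f]{2})\2([0-9a-f]{2})\2([0-9a-f]{2})\2([0-9a-f]{2})\2([0-9a-f]{2})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Mac:
    octets: bytes   # the six raw bytes

    @classmethod
    def parse(cls, text: str) -> "Mac":
        m = _MAC_RE.match(text.strip())
        if m is None:
            raise ValueError(f"not a MAC-48/EUI-48 address: {text!r}")
        return cls(bytes(int(m.group(i), 16) for i in (1, 3, 4, 5, 6, 7)))

    @property
    def oui(self) -> str:   # first three octets: the IEEE-assigned manufacturer ID
        return self.octets[:3].hex(":")

    @property
    def serial(self) -> str:   # last three octets: assigned by the manufacturer
        return self.octets[3:].hex(":")

    @property
    def is_multicast(self) -> bool:   # I/G bit: least significant bit of the first octet
        return bool(self.octets[0] & 0x01)

    @property
    def is_locally_administered(self) -> bool:   # U/L bit: the next bit up
        return bool(self.octets[0] & 0x02)

    def __str__(self) -> str:
        return self.octets.hex(":")


class ArpCache:
    """IP -> MAC table as a host keeps it, plus alerts when a binding changes."""

    def __init__(self) -> None:
        self.table: dict = {}
        self.alerts: list = []

    def learn(self, ip: str, mac_text: str) -> bool:
        """Process an ARP reply 'ip is-at mac'; return True if the binding changed."""
        mac = Mac.parse(mac_text)
        if mac.is_multicast:   # a host never legitimately answers with a group address
            self.alerts.append(f"{ip}: reply with multicast MAC {mac} ignored")
            return False
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is None or old == mac:
            return False
        note = f"{ip}: MAC changed {old} -> {mac}"
        if mac.is_locally_administered:
            note += " (locally administered address)"
        self.alerts.append(note)
        return True


# Constructed replies: the gateway 192.0.2.1 is later claimed by a different MAC.
SAMPLE_REPLIES = [
    ("192.0.2.1", "00:05:85:c1:a6:a0"),
    ("192.0.2.10", "00-05-85-11-22-33"),
    ("192.0.2.1", "00:05:85:c1:a6:a0"),    # same binding again: no alert
    ("192.0.2.1", "02:00:5e:12:34:56"),    # conflicting answer with the U/L bit set
]


def run_sample() -> ArpCache:
    cache = ArpCache()
    for ip, mac in SAMPLE_REPLIES:
        cache.learn(ip, mac)
    return cache


if __name__ == "__main__":
    cache = run_sample()
    for ip, mac in cache.table.items():
        print(ip, mac, "oui", mac.oui)
    for alert in cache.alerts:
        print("ALERT", alert)
```

A changed binding is not proof of an attack (a gateway failover to a standby router also looks like this), but a change to a locally administered address, or one whose OUI does not match the vendor you expect for that host, is worth a second look.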

Link Layer Protocols

The link layer in the TCP/IP model is the group of networking protocols that operate only on the local network segment (link) a host is connected to. Packets of these protocols are not routed to other networks. The link layer includes the protocols that define communication between local (on-link) nodes and that maintain link state between them, such as the local network topology; these protocols usually rely on the framing of packets specific to the link type.

The core protocols specified by the Internet Engineering Task Force (IETF) in this layer are the Address Resolution Protocol (ARP), the Reverse Address Resolution Protocol (RARP), and the Neighbour Discovery Protocol (NDP), which delivers similar functionality to ARP for IPv6. Since the advent of IPv6, Open Shortest Path First (OSPF) is considered to operate on the link level as well, although the IPv4 version of the protocol was considered to be at the Internet layer.

IS-IS (RFC 1142) is another link-state routing protocol that fits into this layer in the TCP/IP model; it was, however, developed within the OSI reference stack, where it is a Layer 2 protocol. It is not an Internet standard.

The Network Layer

The network layer controls the operation of the subnet. A key design issue is determining how packets are routed from source to destination. Routes can be based on static tables that are "wired into" the network and rarely changed, or more often they can be updated automatically to avoid failed components. They can also be determined at the start of each conversation, for example a terminal session, such as a login to a remote machine. Finally, they can be highly dynamic, being determined anew for each packet to reflect the current network load.

If too many packets are present in the subnet at the same time, they will get in one another's way, forming bottlenecks. Handling congestion is also a responsibility of the network layer, in conjunction with higher layers that adapt the load they place on the network. More generally, the quality of service provided (delay, transit time, jitter, etc.) is also a network layer issue.

When a packet has to travel from one network to another to get to its destination, many problems can arise. The addressing used by the second network may be different from that used by the first one. The second one may not accept the packet at all because it is too large. The protocols may differ, and so on. It is up to the network layer to overcome all these problems to allow heterogeneous networks to be interconnected.

In broadcast networks, the routing problem is simple, so the network layer is often thin or even nonexistent.

The network layer is the third level of the Open Systems Interconnection Model (OSI Model) and the layer that provides data routing paths for network communication. Data is transferred in the form of packets via logical network paths in an ordered format controlled by the network layer.

Logical connection setup, data forwarding, routing and delivery error reporting are the network layer’s primary responsibilities.
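The static routing tables described above can be shown in a few lines. The following Python is an added example, not code from the article or from Tanenbaum: a forwarding table that resolves a destination by longest prefix match and then applies the two checks a router makes on every hop, the TTL decrement and the egress MTU, covering the "too large" case the text mentions. The addresses are from the documentation ranges, the interface names and MTU table are made up, and the drop reasons are constructed for the simulation.

```python
"""Static forwarding table with longest-prefix-match lookup.

Added example, not code from the article or from Tanenbaum. The routes use
documentation address ranges and made-up interface names; the MTU table and
the drop reasons are constructed for illustration.
"""
import ipaddress
from typing import NamedTuple, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Route(NamedTuple):
    prefix: IPNetwork
    next_hop: Optional[IPAddress]   # None means the prefix is directly connected
    interface: str


class ForwardingTable:
    """Static table as a router would hold it; the most specific prefix wins."""

    def __init__(self, routes):
        # Longest prefix first, so the first hit during a scan is the longest match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        for route in self.routes:
            if addr in route.prefix:       # an IPv4/IPv6 version mismatch never matches
                return route
        return None


def route_packet(table: ForwardingTable, dst: str, ttl: int, length: int, mtu: dict) -> tuple:
    """Forwarding decision for one packet.

    Returns ("drop", reason) or ("forward", next_hop, interface, new_ttl).
    The TTL is decremented on every hop and the packet is dropped when it would
    reach zero; a packet larger than the egress MTU is refused here (a real IPv4
    router would fragment it, or with DF set answer with ICMP "fragmentation needed").
    """
    if ttl <= 1:
        return ("drop", "ttl exceeded")
    route = table.lookup(dst)
    if route is None:
        return ("drop", "no route")
    if length > mtu[route.interface]:
        return ("drop", f"fragmentation needed on {route.interface} (mtu {mtu[route.interface]})")
    next_hop = route.next_hop if route.next_hop is not None else ipaddress.ip_address(dst)
    return ("forward", str(next_hop), route.interface, ttl - 1)


# Constructed sample table: a default route, a summary /8, a connected /16 and a /24 inside it.
SAMPLE_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "eth0"),
    Route(ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_address("10.255.255.254"), "eth1"),
    Route(ipaddress.ip_network("10.1.0.0/16"), None, "eth2"),
    Route(ipaddress.ip_network("10.1.2.0/24"), ipaddress.ip_address("10.1.0.99"), "eth2"),
]
SAMPLE_MTU = {"eth0": 1500, "eth1": 1500, "eth2": 1280}

if __name__ == "__main__":
    table = ForwardingTable(SAMPLE_ROUTES)
    for dst, size in [("10.1.2.7", 500), ("10.1.9.9", 500), ("198.51.100.5", 500), ("10.1.2.7", 1400)]:
        print(dst, size, route_packet(table, dst, 64, size, SAMPLE_MTU))
```

Longest match is also why a more specific prefix beats an existing route regardless of which was installed first: adding a /24 that sits inside the default route to SAMPLE_ROUTES silently captures that traffic, which is the mechanism behind prefix hijacks in routing protocols that accept announcements without validating their origin.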

Example Protocols that use Network Layer

Network-layer protocols carry the logical addressing and routing information needed to forward packets between networks, together with basic error checking of their own header (for example the IPv4 header checksum). Reliability functions such as retransmission requests are normally left to the transport layer. Which network-layer protocol runs on a given network is largely independent of the underlying link technology, such as Ethernet or Token Ring.

IP — This is short for Internet Protocol which works at the OSI network layer and is a routed protocol for forwarding layer 3 packets.

IPX — NetWare’s protocol for packet forwarding and routing.

The Transport Layer

The basic function of the transport layer is to accept data from above it, split it up into smaller units if need be, pass these to the network layer, and ensure that the pieces all arrive correctly at the other end. Furthermore, all this must be done efficiently and in a way that isolates the upper layers from the inevitable changes in the hardware technology over the course of time.

The transport layer also determines what type of service to provide to the session layer, and, ultimately, to the users of the network. The most popular type of transport connection is an error-free point-to-point channel that delivers messages or bytes in the order in which they were sent. However, other possible kinds of transport service exist, such as the transporting of isolated messages with no guarantee about the order of delivery, and the broadcasting of messages to multiple destinations. The type of service is determined when the connection is established. (As an aside, an error-free channel is completely impossible to achieve; what people really mean by this term is that the error rate is low enough to ignore in practice.)

The transport layer is a true end-to-end layer; it carries data all the way from the source to the destination. In other words, a program on the source machine carries on a conversation with a similar program on the destination machine, using the message headers and control messages. In the lower layers, each protocol is between a machine and its immediate neighbours, and not between the ultimate source and destination machines, which may be separated by many routers.

Services

Transport layer services are conveyed to an application via a programming interface to the transport layer protocols. The services may include the following features:

  • Connection-oriented communication: It is normally easier for an application to interpret a connection as a data stream rather than having to deal with the underlying connection-less models, such as the datagram model of the User Datagram Protocol (UDP) and of the Internet Protocol (IP).
  • Same order delivery: The network layer doesn’t generally guarantee that packets of data will arrive in the same order that they were sent, but often this is a desirable feature. This is usually done through the use of segment numbering, with the receiver passing them to the application in order. This can cause head-of-line blocking.
  • Reliability: Packets may be lost during transport due to network congestion and errors. By means of an error detection code, such as a checksum, the transport protocol may check that the data is not corrupted, and verify correct receipt by sending an ACK or NACK message to the sender. Automatic repeat request schemes may be used to retransmit lost or corrupted data.
  • Flow control: The rate of data transmission between two nodes must sometimes be managed to prevent a fast sender from transmitting more data than can be supported by the receiving data buffer, causing a buffer overrun. This can also be used to improve efficiency by reducing buffer underrun.
  • Congestion avoidance: Congestion control can control traffic entry into a telecommunications network, so as to avoid congestive collapse by attempting to avoid oversubscription of any of the processing or link capabilities of the intermediate nodes and networks and taking resource reducing steps, such as reducing the rate of sending packets. For example, automatic repeat requests may keep the network in a congested state; this situation can be avoided by adding congestion avoidance to the flow control, including slow-start. This keeps the bandwidth consumption at a low level in the beginning of the transmission, or after packet retransmission.
  • Multiplexing: Ports can provide multiple endpoints on a single node. For example, the name on a postal address is a kind of multiplexing, and distinguishes between different recipients of the same location. Computer applications will each listen for information on their own ports, which enables the use of more than one network service at the same time. It is part of the transport layer in the TCP/IP model, but of the session layer in the OSI model.
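To make the services in the list concrete, here is an added Python simulation (not code from the article or from Tanenbaum) of reliable, in-order delivery over a channel that drops, corrupts and reorders datagrams: segments carry a sequence number and an RFC 1071 checksum, the receiver discards corrupt and duplicate segments and holds out-of-order ones back until the gap is filled, and a windowed sender resends whatever the cumulative ACK has not yet covered. The segment header, the round-based retransmission that stands in for a timer, and the fault schedule are constructed for this example; only the checksum is the real algorithm used by IPv4, TCP and UDP.

```python
"""In-order, reliable delivery over a datagram channel that drops, corrupts and reorders.

Added example, not code from the article or from Tanenbaum. The segment
format, the round-based retransmission and the fault schedule are constructed
for this simulation; only the checksum is the real RFC 1071 algorithm.
"""
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


HDR = struct.Struct("!IH")   # sequence number, checksum


def make_segment(seq: int, payload: bytes) -> bytes:
    csum = internet_checksum(HDR.pack(seq, 0) + payload)
    return HDR.pack(seq, csum) + payload


def parse_segment(seg: bytes):
    """Return (seq, payload), or None when the checksum does not verify."""
    if len(seg) < HDR.size or internet_checksum(seg) != 0:
        return None
    seq, _ = HDR.unpack_from(seg)
    return seq, seg[HDR.size:]


class Receiver:
    """Validates, de-duplicates and re-sequences segments; returns cumulative ACKs."""

    def __init__(self) -> None:
        self.expected = 0          # next sequence number the application needs
        self.pending = {}          # out-of-order segments held back (head-of-line blocking)
        self.delivered = bytearray()
        self.rejected = 0          # segments that failed the checksum

    def accept(self, seg: bytes) -> int:
        parsed = parse_segment(seg)
        if parsed is None:
            self.rejected += 1
            return self.expected
        seq, payload = parsed
        if seq >= self.expected:                   # anything older is a duplicate
            self.pending.setdefault(seq, payload)
        while self.expected in self.pending:       # release the in-order run
            self.delivered += self.pending.pop(self.expected)
            self.expected += 1
        return self.expected                       # cumulative ACK


def transfer(data: bytes, mss: int = 4, window: int = 3, faults=None,
             reverse_rounds=(), max_rounds: int = 20):
    """Send `data` with a Go-Back-N style window; each round stands in for one RTT.

    faults: {(round, seq): "drop" | "corrupt"}; rounds listed in reverse_rounds
    deliver their segments in reverse order to simulate reordering. Returns
    (delivered bytes, rounds used, segments sent, segments rejected).
    """
    faults = faults or {}
    chunks = [data[i:i + mss] for i in range(0, len(data), mss)]
    rx, base, rounds, sent = Receiver(), 0, 0, 0
    while base < len(chunks) and rounds < max_rounds:
        batch = []
        for seq in range(base, min(base + window, len(chunks))):   # at most `window` unacked
            seg = make_segment(seq, chunks[seq])
            sent += 1
            action = faults.get((rounds, seq))
            if action == "drop":
                continue
            if action == "corrupt":
                seg = seg[:-1] + bytes([seg[-1] ^ 0xFF])
            batch.append(seg)
        if rounds in reverse_rounds:
            batch.reverse()
        ack = base
        for seg in batch:
            ack = rx.accept(seg)
        base = max(base, ack)      # the ACK slides the window; unacked data is resent next round
        rounds += 1
    return bytes(rx.delivered), rounds, sent, rx.rejected


# Constructed scenario: seq 1 lost in round 0, seq 2 corrupted and the batch reversed in round 1.
SAMPLE_DATA = b"THE QUICK BROWN FOX"
SAMPLE_FAULTS = {(0, 1): "drop", (1, 2): "corrupt"}

if __name__ == "__main__":
    print(transfer(SAMPLE_DATA, faults=SAMPLE_FAULTS, reverse_rounds={1}))
```

Two things to look at when running it: with the constructed faults the 19-byte payload costs seven segment transmissions and three rounds instead of five and two, and a segment that is lost in every round never completes, which is the retry budget that max_rounds enforces here and that real stacks enforce through retransmission limits. The checksum only catches accidental corruption; it is trivially recomputed by anyone who can modify packets, so integrity against an attacker needs a keyed MAC at a higher layer.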

Transport Layer Protocols

This list shows some protocols that are commonly placed in the transport layers of the Internet protocol suite, the OSI protocol suite, NetWare’s IPX/SPX, AppleTalk, and Fibre Channel.

The Session Layer

The session layer allows users on different machines to establish sessions between them. Sessions offer various services, including dialog control (keeping track of whose turn it is to transmit), token management (preventing two parties from attempting the same critical operation simultaneously), and synchronisation (checkpointing long transmissions to allow them to pick up from where they left off in the event of a crash and subsequent recovery).

Session Layer Protocols

The Presentation Layer

Unlike the lower layers, which are mostly concerned with moving bits around, the presentation layer is concerned with the syntax and semantics of the information transmitted. In order to make it possible for computers with different internal data representations to communicate, the data structures to be exchanged can be defined in an abstract way, along with a standard encoding to be used ‘‘on the wire.’’ The presentation layer manages these abstract data structures and allows higher-level data structures (e.g., banking records) to be defined and exchanged.

Services

The Application Layer

The application layer contains a variety of protocols that are commonly needed by users. One widely used application protocol is HTTP (HyperText Transfer Protocol), which is the basis for the World Wide Web. When a browser wants a Web page, it sends the name of the page it wants to the server hosting the page using HTTP. The server then sends the page back. Other application protocols are used for file transfer, electronic mail, and network news.

Protocols

Main source: Computer Networks, Andrew S. Tanenbaum, ISBN 9780132126953.