Monday, May 21, 2018

OSI model

  • Not every network uses all of the model’s layers. ISO’s intent in creating the OSI model wasn’t to describe every network but to give protocol designers a map to follow to aid in design. This model is useful for conceptualizing network components to demonstrate how they fit together to help the computers within the network communicate.
The OSI reference model was formulated as a template for the structure of communications systems. It was not intended that there should be standard protocols associated with each layer. Instead, a number of different protocols have been developed, each offering a different functionality.


Physical layer. Nmap unavoidably uses this layer, though it is not usually concerned with it. It doesn't matter if you are using Cat 5 cable, 2.4 GHz radio, or coaxial cable—you can't use a network without having a physical layer. Nmap has no idea what it is, either; the firmware in your network card handles that.

Data link layer. Here again, Nmap has to use this layer or nothing gets sent to the destination. But there are some cases where Nmap is aware of what layer-2 protocols are in use. These all require root privileges to work:
    On Windows, Nmap can't send raw IP packets (more on this in the next layer), so it falls back to sending raw Ethernet (layer 2) frames instead. This means that it can only work on Ethernet-like data links—WiFi is fine, but PPTP doesn't work.
    There are some NSE scripts that probe layer-2 protocols: lltd-discovery, broadcast-ospf2-discovery, sniffer-detect, etc.
    If the target is on the same data link, Nmap will use ARP to determine if the IP address is responsive. It will then report the MAC address of the target. For IPv6 targets, Neighbor Discovery packets are used instead.

Network layer. Nmap supports both IPv4 and IPv6 network layer protocols. For port scans (except -sT TCP Connect scan), Nmap builds the network packet itself and sends it out directly, bypassing the OS's network stack. This is also where --traceroute happens, by sending packets with varying small Time To Live (TTL) values to determine the address where each one expires. Finally, part of the input into OS detection comes from the network layer: initial TTL values, IP ID analysis, ICMP handling, etc.


Transport layer. This is where the "port scanner" core of Nmap works. A port is a transport layer address; some of them may be used by services on the target ("open" ports), and others may be unused ("closed" ports). Nmap can scan 3 different transport layer protocols: TCP, UDP, and SCTP. The majority of inputs to OS detection come from here: TCP options, sequence number analysis, window size, etc.

Application layer. This is where version detection (-sV) takes over, sending various strings of data (probes) to open services to get them to respond in unique ways. SSL/TLS is handled specially, since other services may be layered over it (in which case it provides something like an OSI Session Layer). This is also where the vast majority of NSE scripts do their work, probing services like HTTP, FTP, SSH, RDP, and SMB.

Obviously layer 1 packets are sent, but nmap isn't really aware of them.
When on the same local network, nmap pays attention to MAC addresses and ARP. This helps with vendor detection, as well as giving you network distance information.
Layer 3 (network layer) is used for sending packets and for detecting whether the host is up.
The transport layer (layer 4) is used for things like SYN scans, and to detect which ports are open. Sequence number detection, which happens at layer 4, is important to OS detection.
https://stackoverflow.com/questions/47210759/which-layer-in-the-osi-model-does-a-network-scan-work-on


Traceroute works on the network layer of the OSI model. Firstly, I will try to explain how traceroute works.
traceroute and tracert are utilities that map the path between the tested hosts. The results are then displayed as a list of hops. The information provided could be used to identify a weak link along the route. If the test fails at a certain point, the IP address of the last router that responded properly is known, so the problem could then be identified more easily.
It uses ICMP packets and relies on a function called TTL (Time to Live) in the header of this Layer 3 protocol. The value is used to set the maximum number of hops a packet can travel. When a packet is received on a router, the TTL value is lowered by 1. When the TTL reaches 0, the packet is dropped.
The Windows command is tracert and the Linux one is traceroute.

https://www.quora.com/What-trace-route-works-on-which-layer



OSI Model Explained | Real World Example

  • Connection-Oriented and Connectionless Protocols in TCP/IP


Looking again at TCP/IP, it has two main protocols that operate at the transport layer of the OSI Reference Model. One is the Transmission Control Protocol (TCP), which is connection-oriented; the other, the User Datagram Protocol (UDP), is connectionless. TCP is used for applications that require the establishment of connections (as well as TCP’s other service features), such as FTP

Even though a TCP connection can be used to send data back and forth between devices, all that data is indeed still being sent as packets; there is no real circuit between the devices. This means that TCP must deal with all the potential pitfalls of packet-switched communication, such as the potential for data loss or receipt of data pieces in the incorrect order. Certainly, the existence of connection-oriented protocols like TCP doesn't obviate the need for circuit switching technologies.

The principle of layering also means that there are other ways that connection-oriented and connectionless protocols can be combined at different levels of an internetwork. Just as a connection-oriented protocol can be implemented over an inherently connectionless protocol, the reverse is also true: a connectionless protocol can be implemented over a connection-oriented protocol at a lower level. In a preceding example, I talked about Telnet (which requires a connection) running over IP (which is connectionless). In turn, IP can run over a connection-oriented protocol like ATM.
http://www.tcpipguide.com/free/t_ConnectionOrientedandConnectionlessProtocols-3.htm

  • A basic understanding of the layered nature of modern networking architecture: the Open System Interconnection (OSI) Reference Model

Even though packets may be used at lower layers for the mechanics of sending data, a higher-layer protocol can create logical connections through the use of messages sent in those packets.

Circuit-switched networking technologies are inherently connection-oriented, but not all connection-oriented technologies use circuit switching. Logical connection-oriented protocols can in fact be implemented on top of packet switching networks to provide higher-layer services to applications that require connections.
http://www.tcpipguide.com/free/t_ConnectionOrientedandConnectionlessProtocols-2.htm

Data Encapsulation OSI TCPIP

OSI Encapsulation

Understanding the OSI Reference Model: Cisco Router Training 101
  • What is OSI model?



OSI stands for Open Systems Interconnection.
The OSI model is a reference model containing 7 layers: the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer.
It is a prescription for characterizing and standardizing the functions of a communications system in terms of abstraction layers. Similar communication functions are grouped into logical layers. A layer serves the layer above it and is served by the layer below it.




What is TCP/IP model?


    The TCP/IP model is an implementation of the OSI reference model. It has five layers. They are: Network layer, Internet layer, Transport layer and Application layer.




    What are the differences between OSI and TCP/IP model?


      Important differences are:

      OSI is a reference model and TCP/IP is an implementation of the OSI model.

      OSI has 7 layers whereas TCP/IP has only 4 layers. The upper 3 layers of the OSI model are combined in the TCP/IP model.

      OSI has: physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer.

      TCP/IP has: Network layer, Internet layer, transport layer and application layer.




      Explain in detail the process of sending a piece of information from a host on subnet A to a host on subnet B.


        What I'm looking for:

        Some knowledge of the OSI model

        The concept of layers, layer units, and encapsulation.

        The concept of MTU/fragmentation (not required, but nice if they know it)

        The address resolution process at layer 3 (DNS)

        The determination of local vs. non-local addresses (subnet masks/what are subnets/when to use a default gateway)

        The address resolution process at layer 2 (ARP)

        At least a vague understanding of layer 1 and associated issues
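The walkthrough this question asks for, as an added Go example that is not part of the original page or of the quoted interview material: the host applies its subnet mask to decide between direct delivery and the default gateway (the layer-3 decision), resolves the next hop's MAC address from its ARP cache (a miss is where an ARP request would be broadcast, the layer-2 step), and, for the optional MTU point, computes IPv4 fragment offsets. Every IP address, MAC address and MTU value here is a constructed sample; the IP header itself still carries the final destination even when the frame is addressed to the gateway.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Host is the IP configuration of the sending host on subnet A plus its ARP cache.
// Every value used below is a constructed sample, not taken from the page.
type Host struct {
	IP      net.IP
	Subnet  *net.IPNet                  // on-link prefix, e.g. 192.168.1.0/24
	Gateway net.IP                      // default gateway for everything off-link
	ARP     map[string]net.HardwareAddr // IP (string form) -> MAC, the layer-2 cache
}

// NewHost parses the textual configuration; arp maps IP strings to MAC strings.
func NewHost(ip, cidr, gateway string, arp map[string]string) (Host, error) {
	_, subnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return Host{}, err
	}
	h := Host{IP: net.ParseIP(ip), Subnet: subnet, Gateway: net.ParseIP(gateway), ARP: map[string]net.HardwareAddr{}}
	for ipStr, macStr := range arp {
		mac, err := net.ParseMAC(macStr)
		if err != nil {
			return Host{}, err
		}
		h.ARP[net.ParseIP(ipStr).String()] = mac
	}
	return h, nil
}

// NextHop is the layer-3 decision: apply the subnet mask, deliver directly when the
// destination is on-link, otherwise hand the packet to the default gateway.
func (h Host) NextHop(dst net.IP) net.IP {
	if h.Subnet.Contains(dst) {
		return dst
	}
	return h.Gateway
}

// ResolveMAC is the layer-2 step: look the next hop up in the ARP cache. A miss is the
// point at which the host would broadcast an ARP request for that address.
func (h Host) ResolveMAC(nextHop net.IP) (net.HardwareAddr, error) {
	if mac, ok := h.ARP[nextHop.String()]; ok {
		return mac, nil
	}
	return nil, errors.New("ARP cache miss for " + nextHop.String())
}

// Fragment describes one IPv4 fragment of a payload too large for the link MTU.
type Fragment struct {
	Offset int  // fragment offset in 8-byte units, as carried in the IP header
	Length int  // payload bytes in this fragment
	More   bool // MF flag: set on every fragment except the last
}

// FragmentOffsets splits payloadLen bytes across a link with the given MTU: each fragment
// carries at most MTU-20 bytes (20-byte header), rounded down to a multiple of 8.
func FragmentOffsets(payloadLen, mtu int) []Fragment {
	maxData := (mtu - 20) &^ 7
	var frags []Fragment
	for sent := 0; sent < payloadLen; sent += maxData {
		n := payloadLen - sent
		if n > maxData {
			n = maxData
		}
		frags = append(frags, Fragment{Offset: sent / 8, Length: n, More: sent+n < payloadLen})
	}
	return frags
}

func main() {
	h, err := NewHost("192.168.1.10", "192.168.1.0/24", "192.168.1.1", map[string]string{
		"192.168.1.20": "00:11:22:33:44:55", // another host on subnet A
		"192.168.1.1":  "aa:bb:cc:dd:ee:ff", // the gateway's interface on subnet A
	})
	if err != nil {
		panic(err)
	}
	for _, dst := range []string{"192.168.1.20", "10.0.0.5"} {
		next := h.NextHop(net.ParseIP(dst))
		mac, err := h.ResolveMAC(next)
		fmt.Printf("dst %s -> next hop %s, frame to %v (err=%v)\n", dst, next, mac, err)
	}
	fmt.Println(FragmentOffsets(3000, 1500))
}
```

The 3000-byte payload over a 1500-byte MTU is the textbook case: three fragments carrying 1480, 1480 and 40 bytes at offsets 0, 185 and 370 (in 8-byte units), with MF set on all but the last.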


        Protocols according to layers


          Data Link Layer
          ARP/RARP Address Resolution Protocol/Reverse Address Resolution Protocol

          Network Layer
          DHCP Dynamic Host Configuration Protocol
          ICMP/ICMPv6 Internet Control Message Protocol
          IP Internet Protocol version 4
          IPv6 Internet Protocol version 6

          Transport Layer
          TCP Transmission Control Protocol
          UDP User Datagram Protocol


          Session Layer
          DNS Domain Name Service
          NetBIOS/IP NetBIOS/IP for TCP/IP Environment
          LDAP Lightweight Directory Access Protocol



          Application Layer
          FTP File Transfer Protocol
          HTTP Hypertext Transfer Protocol
          IMAP4 Internet Message Access Protocol rev 4
          NTP Network Time Protocol
          POP3 Post Office Protocol version 3
          SMTP Simple Mail Transfer Protocol
          SNMP Simple Network Management Protocol
          SOCKS Socket Secure (Server)
          TELNET TCP/IP Terminal Emulation Protocol




          References:
          http://rancidtaste.hubpages.com/hub/OSI-Reference-Model-and-TCP-IP-Model-Interview-Questions-and-Answers
          http://www.protocols.com/pbook/tcpip1.htm

          1. Please - Physical layer - Bits - hubs and repeaters live here
          2. Do - Data link layer - Frames - switches and bridges live here; MAC (physical) addressing
          3. Not - Network layer - Packets - routers live here; IP addressing (logical addressing)
          4. Throw - Transport layer - Segments - TCP, UDP
          5. Sausage - Session layer - Data
          6. Pizza - Presentation layer - Data
          7. Away - Application layer - Data
          • OSI Model Explained CCNA - Part 1
          1. Please - Physical layer - Bits - hubs, repeaters
          2. Do - Data link layer - Frames - ATM, Frame Relay, switches
          3. Not - Network layer - Packets or datagrams - IP, IPv4, IPv6, IPsec, IPX, routers
          4. Throw - Transport layer - Segments - TCP, UDP
          5. Sausage - Session layer - Data - sessions between local and remote hosts
          6. Pizza - Presentation layer - Data - ASCII, JPEG, MPEG etc.; deals with data formatting
          7. Away - Application layer - Data - FTP, HTTP, Telnet, DNS, DHCP etc.; deals with protocols
          OSI Model quick and dirty
          • Problems with TCP/IP
          2.1 Built for the Wide Area

          TCP/IP was originally designed, and is usually implemented, for wide-area networks. While TCP/IP is usable on a local-area network, it is not optimized for this domain. For example, TCP uses an in-packet checksum for end-to-end reliability, despite the presence of per-packet CRCs in most modern network hardware. But computing this checksum is expensive, creating a bottleneck in packet processing. IP uses header fields such as 'Time-To-Live' which are only relevant in a wide-area environment. IP also supports internetwork routing and in-flight packet fragmentation and reassembly, features which are not useful in a local-area environment. The TCP/IP model assumes communication between autonomous machines that cooperate only minimally. However, machines on a local-area network frequently share a common administrative service, a common file system, and a common user base. It should be possible to extend this commonality and cooperation into the network communication software.

          2.2 Multiple Layers
          Standard implementations of the Sockets interface and the TCP/IP protocol suite separate the protocol and interface stack into multiple layers. The Sockets interface is usually the topmost layer, sitting above the protocol. The protocol layer may contain sub-layers: for example, the TCP protocol code sits above the IP protocol code. Below the protocol layer is the interface layer, which communicates with the network hardware. The interface layer usually has two portions, the network programming interface, which prepares outgoing data packets, and the network device driver, which transfers data to and from the network interface card (NIC).
          This multi-layer organization enables protocol stacks to be built from many combinations of protocols, programming interfaces, and network devices, but this flexibility comes at the price of performance. Layer transitions can be costly in time and programming effort. Each layer may use a different abstraction for data storage and transfer, requiring data transformation at every layer boundary. Layering also restricts information transfer. Hidden implementation details of each layer can cause large, unforeseen impacts on performance. Also, the number of programming interfaces and protocols is small: there are two programming interfaces (Berkeley Sockets and the System V Transport Layer Interface) and only a few data transfer protocols (TCP/IP and UDP/IP) in widespread usage. This paucity of distinct layer combinations means that the generality of the multi-layer organization is wasted. Reducing the number of layers traversed in the communications stack should reduce or eliminate these layering costs for the common case of data transfer.

          2.3 Complicated Memory Management

          Current TCP/IP implementations use a complicated memory management mechanism. This system exists for a number of reasons. First, a multi-layered protocol stack means packet headers are added (or removed) as the packet moves downward (or upward) through the stack. This should be done easily and efficiently, without excessive copying. Second, buffer memory inside the operating system kernel is a scarce resource; it must be managed in a space-efficient fashion.
          https://www.usenix.org/legacy/publications/library/proceedings/ana97/full_papers/rodrigues/rodrigues_html/node2.html

          • The term PDU is used to refer to the packets in different layers of the OSI model. Thus PDU gives an abstract idea of the data packets. The PDU has a different meaning in different layers; still, we can use it as a common term. To give a clear picture:

              The PDU of the Transport Layer is called a Segment.
              The PDU of the Network Layer is called a Packet.
              The PDU of the Data-Link Layer is called a Frame.
          https://www.geeksforgeeks.org/difference-between-segments-packets-and-frames/
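To tie together the TTL mechanism from the traceroute answer earlier on this page and the segment/packet/frame naming in this PDU note, here is an added Go example; it is not code from any of the quoted sources. It builds a 20-byte IPv4 header with its RFC 1071 one's-complement checksum, models a router hop as "decrement TTL, recompute checksum, drop when it reaches zero" (the condition that makes a router answer with ICMP Time Exceeded), runs a traceroute-style TTL sweep over a constructed three-router path, and encapsulates an application payload into a UDP segment, an IPv4 packet and an Ethernet frame so the header added at each layer is visible. All addresses are constructed sample values; the UDP checksum is left at zero, which IPv4 permits.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const ipv4HeaderLen = 20

// InternetChecksum is the RFC 1071 one's-complement sum used by the IPv4 header.
// Run over a header whose checksum field is already filled in, it returns 0.
func InternetChecksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16) // fold the carries back in
	}
	return ^uint16(sum)
}

// BuildIPv4Header assembles a header without options and fills in its checksum.
func BuildIPv4Header(src, dst net.IP, ttl, proto uint8, totalLen, id, flagsFrag uint16) []byte {
	h := make([]byte, ipv4HeaderLen)
	h[0] = 0x45 // version 4, IHL 5 words (20 bytes)
	binary.BigEndian.PutUint16(h[2:], totalLen)
	binary.BigEndian.PutUint16(h[4:], id)
	binary.BigEndian.PutUint16(h[6:], flagsFrag) // 0x4000 = Don't Fragment
	h[8] = ttl
	h[9] = proto // 17 = UDP
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	binary.BigEndian.PutUint16(h[10:], InternetChecksum(h))
	return h
}

func TTL(h []byte) uint8       { return h[8] }
func Checksum(h []byte) uint16 { return binary.BigEndian.Uint16(h[10:]) }

// Forward models one router hop: decrement the TTL and recompute the checksum. It
// returns false when the TTL expires, which is when a real router discards the packet
// and sends ICMP Time Exceeded back to the source (the reply traceroute listens for).
func Forward(h []byte) bool {
	if h[8] <= 1 {
		h[8] = 0
		return false
	}
	h[8]--
	h[10], h[11] = 0, 0
	binary.BigEndian.PutUint16(h[10:], InternetChecksum(h))
	return true
}

// Traceroute sweeps TTL = 1, 2, 3, ... over a constructed path of routers and records
// which router reported each probe as expired; it stops once a probe reaches dst.
func Traceroute(src, dst net.IP, path []net.IP) []string {
	var hops []string
	for t := 1; t <= len(path)+1; t++ {
		h := BuildIPv4Header(src, dst, uint8(t), 17, 60, uint16(t), 0)
		reporter := dst.String() // a probe that survives the whole path is answered by dst
		for _, r := range path {
			if !Forward(h) {
				reporter = r.String()
				break
			}
		}
		hops = append(hops, reporter)
		if reporter == dst.String() {
			break
		}
	}
	return hops
}

// Encapsulate wraps a payload in the three PDUs named above: a UDP segment, then an
// IPv4 packet, then an Ethernet frame. Each layer prepends only its own header.
func Encapsulate(srcMAC, dstMAC net.HardwareAddr, src, dst net.IP, sport, dport uint16, payload []byte) (segment, packet, frame []byte) {
	segment = make([]byte, 8+len(payload))
	binary.BigEndian.PutUint16(segment[0:], sport)
	binary.BigEndian.PutUint16(segment[2:], dport)
	binary.BigEndian.PutUint16(segment[4:], uint16(len(segment)))
	copy(segment[8:], payload) // UDP checksum (bytes 6-7) left zero, allowed on IPv4
	packet = append(BuildIPv4Header(src, dst, 64, 17, uint16(ipv4HeaderLen+len(segment)), 1, 0x4000), segment...)
	frame = make([]byte, 14, 14+len(packet))
	copy(frame[0:6], dstMAC)
	copy(frame[6:12], srcMAC)
	binary.BigEndian.PutUint16(frame[12:], 0x0800) // EtherType IPv4
	frame = append(frame, packet...)
	return segment, packet, frame
}

func main() {
	src, dst := net.ParseIP("192.168.0.1"), net.ParseIP("192.168.0.199")
	h := BuildIPv4Header(src, dst, 64, 17, 115, 0, 0x4000)
	fmt.Printf("checksum %#04x, verifies=%v\n", Checksum(h), InternetChecksum(h) == 0)
	path := []net.IP{net.ParseIP("192.168.0.254"), net.ParseIP("10.0.0.1"), net.ParseIP("10.0.1.1")}
	fmt.Println("traceroute:", Traceroute(src, dst, path))
}
```

Because a receiver sums the whole header including the checksum field, a valid header always sums to zero; that is the check `InternetChecksum(h) == 0` in main(). Each router hop changes the TTL byte, so every hop must recompute the field, which is exactly what Forward does.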

          The 80-20 Rule

          • Good Network Design: The 80-20 Rule
          In a properly designed small to medium-sized network environment, 80 percent of the traffic on a given network segment is local (destined for a target in the same workgroup), and not more than 20 percent of the network traffic should need to move across a backbone (the spine that connects various segments or “subnetworks”). Backbone congestion can indicate that traffic patterns are not meeting the 80-20 rule. In this case, rather than adding switches or upgrading hubs, it may be easier to improve network performance by doing one of the following:
          • Moving resources (applications, software programs, and files from one server to another, for example) to contain traffic locally within a workgroup
          • Moving users (logically, if not physically) so that the workgroups more closely reflect the actual traffic patterns
          • Adding servers so that users can access them locally without having to cross the backbone
          http://surenthinknetworks.blogspot.com.tr/2013/02/good-network-design-80-20-rule.html

          Windows Security

          • How To Secure A Server in 4 Simple Steps
          Step 1
          The first thing to do is make sure that you have a secure password for your root and administrator users.
          Step 2
          If a group of people is going to be using it, then you probably already have a username convention that you use elsewhere.
           In Windows, give the user administrator access and add the user to the Remote Desktop Users group; if using Linux, add the user to sudoers. Log out and then log in as your newly created user and check that you do have sufficient administrator/root access.
          Step 3
          Remove remote access from the default root/administrator accounts. In Linux this is simply done by editing the /etc/ssh/sshd_config file and setting PermitRootLogin to ‘no’. In Windows, this is a more complicated process involving setting the local security policy to block logins by the administrator user group.
          Step 4
          The next step is to configure your firewall rules for remote access. For the most part, you want to allow access to remote access services such as RDP and SSH only from IPs you know trusted users are going to use.
          https://www.vps.net/community/knowledgebase/display/vpsfeatures/How+To+Secure+A+Server+in+4+Simple+Steps


          • The Windows Server Hardening Checklist
          What     Why
          1. User Configuration     Protect your credentials.
          2. Network Configuration     Establish communications.
          3. Features and Roles Configuration     Add what you need, remove what you don't.
          4. Update Installation     Patch vulnerabilities.
          5. NTP Configuration     Prevent clock drift.
          6. Firewall Configuration     Minimize your external footprint.
          7. Remote Access Configuration     Harden remote administration sessions.
          8. Service Configuration     Minimize your attack surface.
          9. Further Hardening     Protect the OS and other applications.
          10. Logging and Monitoring     Know what's happening on your system.
          https://www.upguard.com/blog/the-windows-server-hardening-checklist

          • How To Remotely Enable Remote Desktop (RDP) Using PsExec

          3.) Just copy PsExec.exe from the extracted location into your executable path "C:\Windows\System32".
          4.) Open the command prompt (Start -> Run, type "cmd" and click OK) and enter the following:
          psexec -u {username} -p {password} \\{IP-Address} reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

          whereby:

          {username} = Administrator (must be an administrator)

          {password} = Administrator's password

          {IP-Address} = System IP Address

          If not already enabled, use the following commands to enable RDP traffic through the Windows Firewall:

          psexec \\{IP-Address} netsh firewall set service remoteadmin enable

          psexec \\{IP-Address} netsh firewall set service remotedesktop enable

          http://blog.omotech.com/?p=1019


          • PsExec v2.2

          Utilities like Telnet and remote control programs like Symantec's PC Anywhere let you execute programs on remote systems, but they can be a pain to set up and require that you install client software on the remote systems that you wish to access. PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.
          https://docs.microsoft.com/en-us/sysinternals/downloads/psexec


          • When a domain administrator logs in to a compromised workstation interactively (via keyboard, remote desktop, or command-line tools such as the PsExec utility), their password is stored in the credential cache. Using popular credential-theft tools such as Mimikatz, an attacker with local administrator privileges can dump the cache and read the password and/or its hash (which is as effective as the password, given how Windows authentication works). 

          https://www.secureworks.com/blog/dcept
          • 10 steps you can take to secure a laptop
          1. Use a password
          2. Disable booting from CD or USB
          3. Encrypt your hard drive
          4. Use a virtual private network (VPN)
          http://www.techradar.com/news/mobile-computing/laptops/10-ways-to-secure-a-laptop-1148348/2

          • LM hash (also known as LanMan hash or LAN Manager hash) is a compromised password hashing function that was the primary hash that Microsoft LAN Manager and Microsoft Windows versions prior to Windows NT used to store user passwords. 


          The LM hash is computed as (taken from Wikipedia):

              The user’s password is converted to uppercase.
              This password is null-padded to 14 bytes.
              The “fixed-length” password is split into two 7-byte halves.
              These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a parity-bit after every seven bits. This generates the 64 bits needed for the DES key.
              Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values. The DES CipherMode should be set to ECB, and the PaddingMode to NONE.
              These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

          Firstly, passwords are limited to a maximum of only 14 characters, giving a theoretical maximum keyspace of 95^14 ≈ 2^92 with the 95 ASCII printable characters.
          Secondly, passwords longer than 7 characters are divided into two pieces and each piece is hashed separately; this weakness allows each half of the password to be attacked separately at exponentially lower cost than the whole.
          The LM hash also does not use cryptographic salt, a standard technique to prevent pre-computed dictionary attacks. A time–memory tradeoff cryptanalysis attack, such as a rainbow table, is therefore feasible. In addition, any password that is shorter than 8 characters will result in the hashing of 7 null bytes, yielding the constant value of 0xAAD3B435B51404EE, hence making it easy to identify short passwords on sight. In 2003, Ophcrack, an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, e.g. RainbowCrack, L0phtCrack and Cain, now incorporate similar attacks and make cracking of LM hashes fast and trivial.
          https://en.wikipedia.org/wiki/LAN_Manager
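The six steps above carried out in Go, as an added example that is not code from the Wikipedia article: Go's standard crypto/des package supplies the single-block DES operation (one 8-byte block, so ECB with no padding), and desKeyFrom7 spreads each 7-byte half over 8 bytes by inserting a parity bit after every 7 bits of the input bit stream, which DES ignores. IsShortPassword is the defender-side use of the weakness the text describes: a second half equal to the constant 0xAAD3B435B51404EE identifies an account whose password is seven characters or shorter. Two assumptions of this example: passwords are ASCII, and anything beyond 14 characters is simply truncated here, which is not how Windows itself treats such passwords.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that each derived DES key encrypts.
const lmMagic = "KGS!@#$%"

// nullHalf is what 7 null bytes hash to; it marks a password of 7 characters or fewer.
const nullHalf = "aad3b435b51404ee"

// desKeyFrom7 turns a 7-byte half into an 8-byte DES key by inserting a parity bit
// (left as zero here; DES ignores it) after every 7 bits of the input bit stream.
func desKeyFrom7(s []byte) []byte {
	k := []byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0f)<<3 | s[4]>>5,
		(s[4]&0x1f)<<2 | s[5]>>6,
		(s[5]&0x3f)<<1 | s[6]>>7,
		s[6] & 0x7f,
	}
	for i := range k {
		k[i] <<= 1 // shift the 7 data bits up; the low bit is the (unused) parity bit
	}
	return k
}

// lmHalf DES-encrypts the magic constant with one 7-byte half: a single block in ECB
// mode, no padding.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // only possible if the key were not 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, []byte(lmMagic))
	return out
}

// LMHash follows the six steps: uppercase, null-pad to 14 bytes, split into halves,
// derive a DES key from each, encrypt the constant, concatenate the two ciphertexts.
// Assumption for this example: ASCII input, truncated to 14 characters.
func LMHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	return hex.EncodeToString(append(lmHalf(buf[:7]), lmHalf(buf[7:])...))
}

// IsShortPassword is the defender's check: a second half equal to the null-byte
// constant means the account's password is at most 7 characters long.
func IsShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], nullHalf)
}

func main() {
	for _, p := range []string{"", "abc", "ABC", "abcdefg", "abcdefghijklmn"} {
		h := LMHash(p)
		fmt.Printf("%-18q %s short=%v\n", p, h, IsShortPassword(h))
	}
}
```

Running main() shows the three weaknesses side by side: "abc" and "ABC" hash identically (case folding), every password of seven characters or fewer ends in the null-half constant, and the first 16 hex digits of a 14-character password equal those of its first 7 characters, which is why each half can be attacked on its own.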

          • Windows Internals Interview Questions and Answers


          1. What are the most important components of Windows?

          The most important components of Windows are the kernel, the device drivers, and the user interface.
          The kernel is responsible for managing the system’s resources and for providing the basic services that all other components rely on.
          The device drivers provide the interface between the hardware and the rest of the system.
          The user interface provides the means by which users interact with the system.

          2. Can you explain what a process is in the context of an operating system?

          A process is a program that is running on a computer. 
          Every process has its own memory space and can have multiple threads.


          3. Can you give me some examples of the internal structure of a typical Windows process?

          The internal structure of a typical Windows process is made up of a number of different objects: a process object, a thread object, an environment block, a security context, and a number of other objects.

          4. How do you think processes communicate with each other on Windows?

          The most common way is through shared memory, where one process can write data to a memory location that another process can then read.
          Processes can also communicate through named pipes, which are essentially virtual channels that can be used to send data back and forth.
          Processes can also communicate through sockets, which provide a more low-level way to send data between processes.

          5. What’s the difference between a thread and a process?
          A process is an instance of a running program, while a thread is a single sequence of execution within that process. 


          6. What role does the kernel play in managing threads?
          The kernel is responsible for managing threads by allocating the necessary resources for each thread, scheduling when each thread should run, and handling any synchronization between threads.

          7. What are semaphores?

          A semaphore is a synchronization object that can be used to limit the number of threads that can have access to a resource. Semaphores can be used to implement critical sections, to protect resources that can only be used by one thread at a time.

          8. What types of objects can be used for synchronization?

          The types of objects that can be used for synchronization in Windows are mutexes, semaphores, events, and critical sections.


          9. What is the difference between critical sections, mutexes, and semaphores?

          Critical sections are a mechanism for protecting a section of code from being executed by more than one thread at a time.
          A mutex is a mutual exclusion object that can be used to protect a section of code from being executed by more than one thread at a time.
          A semaphore is a synchronization object that can be used to protect a section of code from being executed by more than one thread at a time.
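To make the distinction in questions 7 to 9 concrete, here is an added Go example; it is not from the quoted interview answers and does not use the Win32 objects themselves. A counting semaphore built from a buffered channel admits at most `limit` goroutines into the guarded resource at once, while a sync.Mutex around the shared counter gives the one-at-a-time guarantee that a Windows mutex or critical section provides. RunWorkers returns the peak concurrency actually observed inside the resource and the final counter value, so both guarantees can be checked; the worker and limit counts are arbitrary sample values.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Semaphore is a counting semaphore built on a buffered channel: Acquire blocks once
// the channel holds `limit` tokens, Release frees one slot.
type Semaphore chan struct{}

func NewSemaphore(limit int) Semaphore { return make(Semaphore, limit) }
func (s Semaphore) Acquire()            { s <- struct{}{} }
func (s Semaphore) Release()            { <-s }

// RunWorkers starts `workers` goroutines that each enter a resource guarded by a
// semaphore of capacity `limit`, then increment a counter inside a mutex-protected
// critical section. It returns the highest number of workers observed inside the
// resource at once (never above limit) and the final counter (always equal to workers,
// because the mutex serialises the increments).
func RunWorkers(workers, limit int) (peak int32, counter int) {
	sem := NewSemaphore(limit)
	var mu sync.Mutex
	var inside int32
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			sem.Acquire() // waits while `limit` workers are already inside
			defer sem.Release()
			n := atomic.AddInt32(&inside, 1)
			defer atomic.AddInt32(&inside, -1)
			for { // record the peak concurrency without a lock
				p := atomic.LoadInt32(&peak)
				if n <= p || atomic.CompareAndSwapInt32(&peak, p, n) {
					break
				}
			}
			mu.Lock() // critical section: exactly one worker at a time
			counter++
			mu.Unlock()
		}()
	}
	wg.Wait()
	return peak, counter
}

func main() {
	peak, counter := RunWorkers(50, 3)
	fmt.Printf("semaphore(3): peak concurrency %d, counter %d\n", peak, counter)
	peak, counter = RunWorkers(20, 1)
	fmt.Printf("semaphore(1) behaves like a mutex: peak %d, counter %d\n", peak, counter)
}
```

A semaphore with a limit of 1 is functionally a mutex, which is the point behind the otherwise identical answers in question 9: the semaphore generalises mutual exclusion to N simultaneous holders.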

          10. How do you debug a deadlock condition on Windows?
          Use the Windows Debugger tool.
          This tool will allow you to see what processes are currently running and what resources they are holding.
          From there, you can try to determine which process is causing the deadlock and take steps to resolve the issue.

          11. Can you explain how virtual memory works?
          Virtual memory is a memory management technique that is used by operating systems to provide each process with its own private address space. 
          This address space is created by the operating system when the process is created, and it is destroyed when the process is terminated. 
          The process can only access the memory within its own address space.

          12. What is the Global Descriptor Table (GDT) and why is it necessary to use one?
          The Global Descriptor Table is a data structure used by the Intel x86 architecture to define the characteristics of the various segments in a program’s address space. 
          The GDT is necessary to use because it provides a way for the processor to keep track of the various segments in a program’s address space.
          Without the GDT, the processor would not be able to properly handle the different segments in a program’s address space.

          13. Can you explain what page tables are?

          Page tables are a data structure used by the operating system to store information about the virtual memory of a process. 
          This information includes the mapping of virtual addresses to physical addresses, as well as other information about the memory such as permissions and caching.

          14. When might you encounter a “page fault” error message?

          A page fault error message can occur when a process tries to access a page of memory that is not currently mapped to any physical memory. This can happen if the process is trying to access a page that has been swapped out to disk, or if the process is trying to access a page that does not exist.

          15. What happens when a program tries to access a resource that it doesn’t have permission to access?

          When a program tries to access a resource that it doesn’t have permission to access, Windows will generate a security exception.
          This exception will be caught by the Windows kernel, which will then invoke the security subsystem.
          The security subsystem will determine whether or not the program should be allowed to access the resource, and if not, will block the program from accessing it.

          16. What is a Thread Control Block (TCB)?

          A Thread Control Block (TCB) is a data structure in the Windows operating system that contains information about a particular thread.
          This information includes the thread’s identifier, its priority, its scheduling information, and its current state.
          The TCB is used by the operating system to keep track of threads and to ensure that they are properly scheduled and managed.

          18. Can you give me some examples of different types of hard disk partitions available on Windows?

          There are three main types of hard disk partitions available on Windows: primary, extended, and logical.
          A primary partition is the first partition on a hard drive and is typically used to store the operating system.
          An extended partition is a partition that can be used to store multiple logical partitions.
          A logical partition is a partition that is contained within an extended partition.

          19. What is the architecture of Windows file systems like NTFS or FAT32?

          The Windows file system architecture is designed around the concept of a file system driver. 
          This driver is responsible for providing access to the file system, and it is typically implemented as a kernel-mode device driver. 

          20. What is the Registry and what is its purpose?
          The Registry is a database that stores configuration settings and options for the Windows operating system and for applications that run on Windows.


          https://climbtheladder.com/windows-internals-interview-questions/