2022-11-08

Now, what does that mean for how we do our day-to-day computing? Well, I want to show you something called the three-way handshake. This is again a fundamental concept that, if you know it and understand it when you come into a cybersecurity boot camp, is going to put you a leg ahead of the people who don't know this particular thing. What the three-way handshake is, is when you get ready to connect to a device, you have to tell it that you want to connect. You also have to tell it the parameters that you want to connect within. For example, if I wanted to connect to this server, which is running an FTP service on port 21, which is what FTP servers run on by default, I would have to tell it that and then do my FTP commands. If I wanted to connect to it over something called Telnet, I would have to tell it that and then connect to it over that port and then do Telnet commands. As a matter of fact, what we're going to do now is I will show you that process. I'm going to start the Telnet service. Now that the Telnet service has started, this machine has the IP of 192.168.248.187. I'm going to now run Wireshark. Remember, IP addresses are like phone numbers for your computer, and every computer has a unique one as you connect to the internet and things like that. I'm going to create a filter. Remember I showed you these filters earlier and said you probably wouldn't be able to type this because you don't type it every day. Well, I do type these every day. What I want to do, to keep me from seeing a whole bunch of other traffic here, is create a filter that only shows me traffic to and from this Linux machine, which is 192.168.248.251, and this Windows machine, which is a 247 address, or actually a 187 address. See, everybody makes mistakes. So to do that filter, it would look like this.
Now this should look familiar to one of those things I showed you earlier in the course or in these paths here. I'm going to say 251, and this machine, which is 187. Since we haven't tried to connect, there's no traffic that meets that criteria. Therefore, all the noise goes away. Now I'm going to come to this machine and do a Telnet session to the other. I'm connected. Now I'm going to log in. Now I'm logged in. I'll do a directory command and then I will exit the Telnet session. What just happened there? Well, let's go look at the traffic. The very first thing that happened is the Linux machine, which is 251, sent a packet to the Windows machine here. Now what is a packet? Well, let's look at that. Again you get to see some of my amazing Microsoft Paint work. A packet is like a piece of data. If I'm going to send you a block that looks that big, I can't send that across a network because no network cable or network connection is wide enough or has enough bandwidth to handle that. What do I have to do if my pipe, or the hose that I'm trying to send my data across, is this thick, but the data that I'm trying to send is like this? How do I get this data from this side to this side? Well, the way I do that is I take this big piece of data and I break it down into a whole bunch of little pieces that look like this. Those pieces are called packets. Now I can send those packets across a medium that can actually handle them. Eventually, they make it to the other side like this. Well, what's happening here is the first machine just sent an actual packet to the other side saying, look, I want to connect to you. This packet is only to let you know I want to connect to you on port 23. Then if you look at the IPs here, 251, 187, 187, 251, the second packet is 187 responding saying, hey, you're saying you want to connect, I'm responding back saying I'm acknowledging that.
Then the next packet is the original machine responding back to that saying, I'm acknowledging that you have acknowledged that you want to connect, and therefore the connection happens at that point. After that connection, you can see there's a bunch of data going on. Then at the very end, when one side said, I don't want to talk anymore, it literally said that: hey, FIN, ACK, which means I'm done talking. That's coming from 251. Then 187 says, hey, ACK, I'm acknowledging that you don't want to talk to me. Then 187 says, and guess what, if you don't want to talk to me, FIN, ACK right back at you, buddy, I don't want to talk to you either. Then finally, the original machine says, okay, I've acknowledged that you've acknowledged that I don't want to talk to you. I've also acknowledged that you don't want to talk to me, and at that point the session is over. This is built into the protocol. Every device in the world that connects, when you connect to a website, when you connect to a router, when your TV connects to Netflix, every device in the world that connects over the Internet or a network does so this way. At least in your world, as far as what we're talking about now, every time this happens. For example, if you go on to be a forensic investigator or an incident response person, it is going to be paramount that you're able to look at a packet capture like this and look for connections. Well, how do you know a connection happened? Well, if there's a SYN, SYN-ACK, ACK pattern, 100 percent guarantee that a connection happened. It's not even debatable. If there's a three-way handshake, that's a connection. People have gone to prison over that handshake. When we prosecute people for cybercrimes, for connecting to sites that it's a felony to connect to, you know how we prove they connected? We prove that they committed a three-way handshake. This is one of those fundamental things.
This is a true foundational thing that you're never, ever going to get away from no matter how far you go into cybersecurity. You need to get comfortable with it and understand it. The three-way handshake happens every time; it's part of a TCP connection. Generally, when you disconnect from a device, you will always do it with the four-way combo that says, I don't want to talk. This is actually exactly how we talk to each other as humans. If I were talking to you on the phone, let's pretend like your name is Tux, and we're having a phone conversation and I say, you know what, Tux? It's been nice talking to you, but I've got to get back to work. That's me saying FIN, ACK. Then Tux responds with an ACK and says, I understand that. That makes sense, because honestly, I've got to get back to work too, and that's Tux saying FIN, ACK back at you, I've got to get to work as well. Then finally I say, well, good talking to you, talk to you later. Click, and I hang up, and that's the final ACK. That's the end of the session. While this protocol sounds very chatty, the reason it's like that is because it was actually built by us. It's based on the same way that we communicate with each other. That's part of the flaws that you're going to go on to learn about as you progress in cybersecurity. The fact that it's built to communicate like us is part of why it gets hacked every single day.
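To turn the forensic rule from the last two sections (SYN, SYN-ACK, ACK means a connection happened; FIN-ACK, ACK, FIN-ACK, ACK means it ended) into something you can run, here is an added example that is not code from the course: a small Python state machine over a packet list modelled on the Telnet session, first narrowed to the two hosts the same way the Wireshark filter does. The packet list, the flag strings and the client ports 41000/41001 are constructed placeholders, not captured data.

```python
"""Spot completed TCP three-way handshakes (and four-way teardowns) in a capture."""
from collections import defaultdict

LINUX, WINDOWS = "192.168.248.251", "192.168.248.187"

# Constructed sample capture (not from the course): (src, dst, sport, dport, flags),
# modelled on the Telnet session above. Client ports 41000/41001 are placeholders.
PACKETS = [
    (LINUX, WINDOWS, 41000, 23, "S"),                # SYN: I want to connect on port 23
    ("192.168.248.10", "8.8.8.8", 52000, 53, "S"),   # noise from another host, filtered out
    (WINDOWS, LINUX, 23, 41000, "SA"),               # SYN-ACK: I acknowledge that
    (LINUX, WINDOWS, 41000, 23, "A"),                # ACK: connection established
    (LINUX, WINDOWS, 41000, 23, "PA"),               # login and directory listing data
    (WINDOWS, LINUX, 23, 41000, "PA"),
    (LINUX, WINDOWS, 41000, 23, "FA"),               # Linux: FIN-ACK, I'm done talking
    (WINDOWS, LINUX, 23, 41000, "A"),                # Windows: ACK
    (WINDOWS, LINUX, 23, 41000, "FA"),               # Windows: FIN-ACK right back at you
    (LINUX, WINDOWS, 41000, 23, "A"),                # Linux: final ACK, session over
    (LINUX, WINDOWS, 41001, 21, "S"),                # SYN to FTP that is never answered
]

def track_flows(packets, host_a, host_b):
    """Run a per-flow state machine over the packets exchanged between host_a and host_b.
    States: SYN -> SYN-ACK -> ESTABLISHED -> FIN1 -> FIN2 -> CLOSED."""
    state, fin_senders = {}, defaultdict(set)
    for src, dst, sport, dport, flags in packets:
        if {src, dst} != {host_a, host_b}:   # same idea as Wireshark's ip.addr==a && ip.addr==b
            continue
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent flow id
        cur = state.get(key)
        if "S" in flags and "A" not in flags:
            state[key] = "SYN"                        # half-open until answered
        elif "S" in flags and cur == "SYN":
            state[key] = "SYN-ACK"
        elif "F" in flags and cur in ("ESTABLISHED", "FIN1"):
            fin_senders[key].add(src)                 # each side says FIN once
            state[key] = "FIN1" if len(fin_senders[key]) == 1 else "FIN2"
        elif "A" in flags and cur == "SYN-ACK":
            state[key] = "ESTABLISHED"                # third packet seen: a connection happened
        elif "A" in flags and cur == "FIN2":
            state[key] = "CLOSED"                     # final ACK: session over

    return state

def completed_handshakes(state):
    """Flows that got past the third packet of the handshake, closed or not."""
    return [k for k, v in state.items() if v in ("ESTABLISHED", "FIN1", "FIN2", "CLOSED")]

if __name__ == "__main__":
    flows = track_flows(PACKETS, LINUX, WINDOWS)
    for (a, ap), (b, bp) in flows:
        print(f"{a}:{ap} <-> {b}:{bp}: {flows[((a, ap), (b, bp))]}")
    print("proven connections:", len(completed_handshakes(flows)))
```

The lone SYN to port 21 stays in state SYN: a connection attempt is visible, but without the SYN-ACK and ACK there is no proof that a connection ever happened.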