Typical CS network exercises seldom start with having to discover such facts about a network as what hosts and services are actually available on it, what kinds of packets get filtered on entry ("ingress") or exit ("egress"), etc. Instead, they center on particular APIs or client—server libraries, and assume that the transaction endpoint(s) are known in advance and available, i.e., communications are not hindered, fully or partially, by router access lists, firewall settings, server configuration, and the like.

In contrast, hackers concentrate on failure modes of network communications, because distinguishing between different kinds of and reasons for transaction failures is key to network reconnaissance, in particular, to identifying targets and obstacles to exploitation. For example, scanning tools such as nmap crucially depend on interpreting signs of connection failure, firewall probing tools such as firewalk imitate routing failures, and so on.


Network Scanning Technologies — a good intro to the subject by Ofir Arkin

ICMP Usage in Scanning — also by Ofir, fundamental analysis of all ICMP types as applied to scanning

Beyond the socket

Typical CS curricula start with network programming APIs such as sockets (a very good tutorial: 1) and the client—server application model, and then expands "upward" to application protocols and distributed applications, and "downwards" to the details of TCP and mathematical models of congestion control. These topics, however, tend to be taught in separate courses and, as a result, tend to exist separately in the minds of most students.

Hacker analysis takes a different approach, connecting the different networking layers and programming abstractions from the outset. In particular, it is typical for a hacker to acquire an early understanding of which specific kinds of packets and OS network stack data structures result from each of systems calls involved in establishing a socket, and how different stacks differ in this regard. What comes next is the understanding of how to confuse and exploit stacks by sending packets.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License