areas where you're gonna see fragmentation one  is when we have low mtu sizes on the network  
areas where you're gonna see fragmentation one  is when we have low mtu sizes on the network  

something less than 1500 that's where we'll see  fragmentation happen but another area to look  
something less than 1500 that's where we'll see  fragmentation happen but another area to look  

for is when we're looking for malicious scan  activity now if you've been studying nmap or  
for is when we're looking for malicious scan  activity now if you've been studying nmap or  

any type of pen testing you know that one way that  we can enumerate a network is by fragmenting our  
any type of pen testing you know that one way that  we can enumerate a network is by fragmenting our  

data sometimes that's a way that we can get by  a firewall or across an ids and basically what  
data sometimes that's a way that we can get by  a firewall or across an ids and basically what  

it comes down to is you've seen it you've been  driving down the road on the freeway and you see  
it comes down to is you've seen it you've been  driving down the road on the freeway and you see  

a truck that's really high and you can see an  overpass that's really low and you wonder how that  
a truck that's really high and you can see an  overpass that's really low and you wonder how that  

truck is going to get under that bridge well the  same idea applies with ip fragmentation basically  
truck is going to get under that bridge well the  same idea applies with ip fragmentation basically  

the idea is that the packet that we're trying to  send is too big for the maximum transmission unit  
the idea is that the packet that we're trying to  send is too big for the maximum transmission unit  

of a network interface that we're trying to send  it through that's the fundamental idea so if  
of a network interface that we're trying to send  it through that's the fundamental idea so if  

the mtu is low we need a mechanism to be able to  break up that packet that ip packet into smaller  
the mtu is low we need a mechanism to be able to  break up that packet that ip packet into smaller  

chunks to be able to continue to send that data  along to its destination i went ahead and included  
chunks to be able to continue to send that data  along to its destination i went ahead and included  

the trace files that i'm going to be demonstrating  in this video and you can get those in the link  
the trace files that i'm going to be demonstrating  in this video and you can get those in the link  

down below so let's actually draw this out to see  how it works all right so let's try to keep this  
down below so let's actually draw this out to see  how it works all right so let's try to keep this  

super simple let's just say that there's a station  here and he wants to send a packet uh through a  
super simple let's just say that there's a station  here and he wants to send a packet uh through a  

network now let's just say that there's a couple  of routers here and on the way to our server and  
network now let's just say that there's a couple  of routers here and on the way to our server and  

let's just make this very simple so this machine  here this pc it's going to send a message over  
let's just make this very simple so this machine  here this pc it's going to send a message over  

to our server now let's just say that that packet  is 1500 bytes that's at the ip header level right  
to our server now let's just say that that packet  is 1500 bytes that's at the ip header level right  

before we put the ethernet frame information on  there that would make it a little bit bigger all  
before we put the ethernet frame information on  there that would make it a little bit bigger all  

right so here's our packet now that goes along its  way to the first router now let's just say that  
right so here's our packet now that goes along its  way to the first router now let's just say that  

the next hop has a low mtu maximum transmission  unit let's just say that it's something less than  
the next hop has a low mtu maximum transmission  unit let's just say that it's something less than  

fifteen hundred all right so imagine somebody came  in here and went okay i'm gonna set this mtu to  
fifteen hundred all right so imagine somebody came  in here and went okay i'm gonna set this mtu to  

1400. all right so here we have a situation where  the data that we want to send across that link  
1400. all right so here we have a situation where  the data that we want to send across that link  

is larger the transmission unit the packet  is larger than that link can support so what  
is larger the transmission unit the packet  is larger than that link can support so what  

this router has to do is it has to say all  right i got to make use of ip fragmentation  
this router has to do is it has to say all  right i got to make use of ip fragmentation  

so to put it simply what it'll do is i'll take  that 15 bytes it'll break it up across two packets  
so to put it simply what it'll do is i'll take  that 15 bytes it'll break it up across two packets  

and send them along so now after the fragmentation  what i'll do is i'll have a 1400 byte packet  
and send them along so now after the fragmentation  what i'll do is i'll have a 1400 byte packet  

and one following it that's 100 bytes all right  so both of those will be sent along and then the  
and one following it that's 100 bytes all right  so both of those will be sent along and then the  

receiver so ultimately when they arrive at the  server it's going to get a long one of 1400 bytes  
receiver so ultimately when they arrive at the  server it's going to get a long one of 1400 bytes  

and then it's going to get the 100 bytes it's  up to that server to reassemble that packet and  
and then it's going to get the 100 bytes it's  up to that server to reassemble that packet and  

that's called packet reassembly now within  the ip header itself are the instructions  
that's called packet reassembly now within  the ip header itself are the instructions  

of how that receiver can actually put that data  back together and that's what we're going to  
of how that receiver can actually put that data  back together and that's what we're going to  

learn about in wireshark so let's actually see  how this works by sending some large packets  
learn about in wireshark so let's actually see  how this works by sending some large packets  

so here i've got two virtual machines on the left  i've got windows 10 and on the right i've got my  
so here i've got two virtual machines on the left  i've got windows 10 and on the right i've got my  

kali linux all i'm going to do is i'm going to  send a couple of large packets over to kali linux  
kali linux all i'm going to do is i'm going to  send a couple of large packets over to kali linux  

and actually watch the fragmentation process  happen but first i want to know what the local  
and actually watch the fragmentation process  happen but first i want to know what the local  

mtu is of the interface on the windows 10 box just  to see to make sure that i understand what that  
mtu is of the interface on the windows 10 box just  to see to make sure that i understand what that  

number is all right i'm just going to run network  shell interface ipv4 and show interfaces you can  
number is all right i'm just going to run network  shell interface ipv4 and show interfaces you can  

see that command here and here i see that i have  two interfaces available on this windows 10 box  
see that command here and here i see that i have  two interfaces available on this windows 10 box  

and the second one is my ethernet interface and  it tells me that my mtu is 1500 okay so that's  
and the second one is my ethernet interface and  it tells me that my mtu is 1500 okay so that's  

my maximum transmission unit that interface will  not send anything that's larger than 1500 bytes  
my maximum transmission unit that interface will  not send anything that's larger than 1500 bytes  

so that's something for me to keep in mind so  let's go ahead and set up our ping now i'm going  
so that's something for me to keep in mind so  let's go ahead and set up our ping now i'm going  

to go ahead and type out ping but this time i'm  going to use the l switch all right that's the  
to go ahead and type out ping but this time i'm  going to use the l switch all right that's the  

length so what that allows me to do is set the  length of the ping that i'm going to send out so  
length so what that allows me to do is set the  length of the ping that i'm going to send out so  

i'm just going to do dash l i'm going to type  1600 and then i'm going to send that to my my  
i'm just going to do dash l i'm going to type  1600 and then i'm going to send that to my my  

buddy over there the kali linux box all right  so while that's happening let me just type in  
buddy over there the kali linux box all right  so while that's happening let me just type in  

my password there so on the linux box i'm  going to catch that ping and i want to see  
my password there so on the linux box i'm  going to catch that ping and i want to see  

what that looks like so i'm just going to  set up wireshark over here i'm just going to  
what that looks like so i'm just going to  set up wireshark over here i'm just going to  

start up that capture and i'm going to come over  here to my ping and i'm just going to let that  
start up that capture and i'm going to come over  here to my ping and i'm just going to let that  

guy fly so here on the sender side it looks pretty  normal right it just tells me that i have a 1600  
guy fly so here on the sender side it looks pretty  normal right it just tells me that i have a 1600  

byte ping it doesn't tell me that it's fragmenting  it when i'm sending it out but if i come over here  
byte ping it doesn't tell me that it's fragmenting  it when i'm sending it out but if i come over here  

to the receiver i'm just going to stop my capture  here i absolutely can see some fragmented traffic  
to the receiver i'm just going to stop my capture  here i absolutely can see some fragmented traffic  

so let's go ahead and take a closer look at what  those actually look like all right so first of all  
so let's go ahead and take a closer look at what  those actually look like all right so first of all  

here on my first packet that i see come in here  so this is coming in from 215 it's going to my  
here on my first packet that i see come in here  so this is coming in from 215 it's going to my  

kali linux box now if i take a look at the length  1514 remember that that also includes the ethernet  
kali linux box now if i take a look at the length  1514 remember that that also includes the ethernet  

header so if i take off 14 bytes of the ethernet  header then that just leaves me with my 1500 bytes  
header so if i take off 14 bytes of the ethernet  header then that just leaves me with my 1500 bytes  

of ip and then encompass data so if i go ahead  and expand this is my ip header of that 15 14  
of ip and then encompass data so if i go ahead  and expand this is my ip header of that 15 14  

byte packet i can come here i see total length is  1 500 remember that that's legit right my mtu was  
byte packet i can come here i see total length is  1 500 remember that that's legit right my mtu was  

1500 so if i come down to the ip flags this is  where things get interesting this is where the  
1500 so if i come down to the ip flags this is  where things get interesting this is where the  

actual fragmentation instructions happen if i come  down here i can see that there's more fragments is  
actual fragmentation instructions happen if i come  down here i can see that there's more fragments is  

set what that means is ip's saying okay take this  data but this isn't the only data that existed  
set what that means is ip's saying okay take this  data but this isn't the only data that existed  

when this originally was sent this is a fragmented  packet and there's more data to come after this  
when this originally was sent this is a fragmented  packet and there's more data to come after this  

all i got to do is take the the identification  number and then i look for another packet with  
all i got to do is take the the identification  number and then i look for another packet with  

that same ipid and that's going to contain the  other part of the data that was originally sent  
that same ipid and that's going to contain the  other part of the data that was originally sent  

all right so let's just keep that in the back of  our mind 53154 that's my ipid more fragments and  
all right so let's just keep that in the back of  our mind 53154 that's my ipid more fragments and  

fragment offset so this is saying how far in of  the data does this data begin so since this was  
fragment offset so this is saying how far in of  the data does this data begin so since this was  

the first packet in the fragmentation the offset  here is zero all right so this is the data that  
the first packet in the fragmentation the offset  here is zero all right so this is the data that  

starts at zero but there's more fragments to come  now how much data are we talking about well if we  
starts at zero but there's more fragments to come  now how much data are we talking about well if we  

come down to the encapsulated data you can  see that i've got 1480 bytes encapsulated  
come down to the encapsulated data you can  see that i've got 1480 bytes encapsulated  

20 bytes are for the ip header itself but the  actual data payload is 1480. okay so now let's  
20 bytes are for the ip header itself but the  actual data payload is 1480. okay so now let's  

go to the next packet this is also from 215.  but check this out the ipid is the same if i  
go to the next packet this is also from 215.  but check this out the ipid is the same if i  

come down here no more fragments are to come after  this this is the last packet or the last fragment  
come down here no more fragments are to come after  this this is the last packet or the last fragment  

that's a part of that whole original data set all  right so the first fragment was from 0 to 1479  
that's a part of that whole original data set all  right so the first fragment was from 0 to 1479  

and this one's from 1480 and then all the way up  to 1600 and this is where wireshark actually helps  
and this one's from 1480 and then all the way up  to 1600 and this is where wireshark actually helps  

us out if we go down to the second packet here  if i expand this out i can see that i have two  
us out if we go down to the second packet here  if i expand this out i can see that i have two  

fragments frame one is from zero to 1479 and  frame two carries from 1480 to 1607. now that  
fragments frame one is from zero to 1479 and  frame two carries from 1480 to 1607. now that  

1607 that includes a few bytes for the actual  icmp header itself not the encompassed payload  
1607 that includes a few bytes for the actual  icmp header itself not the encompassed payload  

all right so the idea here is that when  the receiver receives these two fragments  
all right so the idea here is that when  the receiver receives these two fragments  

it glues them back together and then passes that  data up the stack so fragmentation that allows us  
it glues them back together and then passes that  data up the stack so fragmentation that allows us  

to get around if we have a low mtu somewhere  along the path or any other reason to break up our  
to get around if we have a low mtu somewhere  along the path or any other reason to break up our  

data along the way now while we're talking about  fragmentation something else to know is that a lot  
data along the way now while we're talking about  fragmentation something else to know is that a lot  

of protocols these days actually use the do not  fragment bits set with ip and if we come down to  
of protocols these days actually use the do not  fragment bits set with ip and if we come down to  

the flags you can see do not fragment is not set  so in this ping that i sent out i didn't set the  
the flags you can see do not fragment is not set  so in this ping that i sent out i didn't set the  

do not fragment bit what that means is i'm telling  the network along the way or any other interface  
do not fragment bit what that means is i'm telling  the network along the way or any other interface  

that may break it up hey don't touch this data  don't break it up go ahead and keep it whole so  
that may break it up hey don't touch this data  don't break it up go ahead and keep it whole so  

i'm going to run into a problem if i ever have an  interface where i'm trying to send more data then  
i'm going to run into a problem if i ever have an  interface where i'm trying to send more data then  

that interface can pass along then that's where  that interface will drop that traffic and it's  
that interface can pass along then that's where  that interface will drop that traffic and it's  

going to return with an icmp hey i wanted to send  your packet but your do not fragment bit was set  
going to return with an icmp hey i wanted to send  your packet but your do not fragment bit was set  

so that's where i would look for an icmp  packet coming back to me from a router  
so that's where i would look for an icmp  packet coming back to me from a router  

warning me that i ran into a low mtu but just to  show you how that works if i come back to my ping  
warning me that i ran into a low mtu but just to  show you how that works if i come back to my ping  

i'm just going to go ahead and just say  ping okay i'm going to leave that length  
i'm just going to go ahead and just say  ping okay i'm going to leave that length  

1600 but this time i'm going to say dash f and  notice what happens when i hit enter there so  
1600 but this time i'm going to say dash f and  notice what happens when i hit enter there so  

basically my machine is saying hey packet needs to  be fragmented but the do not fragment bit is set  
basically my machine is saying hey packet needs to  be fragmented but the do not fragment bit is set  

and my local interface is actually the one that's  saying that it's like hey i've got a 1500 byte mtu  
and my local interface is actually the one that's  saying that it's like hey i've got a 1500 byte mtu  

you're trying to send 1 600 bytes sorry pal if  you want me to send this i can but you got to  
you're trying to send 1 600 bytes sorry pal if  you want me to send this i can but you got to  

let go of that do not fragment bit so at times  when we're dealing with secure protocols a lot  
let go of that do not fragment bit so at times  when we're dealing with secure protocols a lot  

of times we'll see the do not fragment bit because  we don't want some attacker to be able to insert  
of times we'll see the do not fragment bit because  we don't want some attacker to be able to insert  

to go ahead and run an end map just against my  local gateway i know that there's port 80 and  
to go ahead and run an end map just against my  local gateway i know that there's port 80 and  

a couple other things open there and that'll be  interesting to take a look at within map all right  
a couple other things open there and that'll be  interesting to take a look at within map all right  

so i have this set up here and also notice in  the background i've went ahead and just filtered  
so i have this set up here and also notice in  the background i've went ahead and just filtered  

on traffic going to and from my gateway and i  went ahead and said no ssdp for now all right  
on traffic going to and from my gateway and i  went ahead and said no ssdp for now all right  

so and actually you know what just for grins i'm  just going to say and no dns so just give me this  
so and actually you know what just for grins i'm  just going to say and no dns so just give me this  

nmap traffic that's all i want to see going to and  from here in my gateway all right so let's go and  
nmap traffic that's all i want to see going to and  from here in my gateway all right so let's go and  

go back to my terminal all right so let's go nmap  and what we're going to do is we're going to just  
go back to my terminal all right so let's go nmap  and what we're going to do is we're going to just  

do just a stealth scan and i'm going to go ahead  and say just one port so let's just do port 80  
do just a stealth scan and i'm going to go ahead  and say just one port so let's just do port 80  

and the dash f is actually fragmentation  all right so what i want to do you know  
and the dash f is actually fragmentation  all right so what i want to do you know  

what before we do that let's just take a look at  this working normally 192 168 4.1 all right let's  
what before we do that let's just take a look at  this working normally 192 168 4.1 all right let's  

go ahead and hit it wait nmap is saying hold on  there pal the kind of scan you're doing requires  
go ahead and hit it wait nmap is saying hold on  there pal the kind of scan you're doing requires  

root privileges so let's go ahead and back up  just going to come back here and just say sudo  
root privileges so let's go ahead and back up  just going to come back here and just say sudo  

and it's going to ask me for my password all right  so i went ahead and ran this scan uh we can see  
and it's going to ask me for my password all right  so i went ahead and ran this scan uh we can see  

over here on wireshark so this is just it was the  stealth scan right so i'm just doing sin synack  
over here on wireshark so this is just it was the  stealth scan right so i'm just doing sin synack  

i heard back from my gateway and i went ahead  and said reset that's what a stealth scan does  
i heard back from my gateway and i went ahead  and said reset that's what a stealth scan does  

are you there yes you are cool i'm not gonna  finish the handshake here with that final  
are you there yes you are cool i'm not gonna  finish the handshake here with that final  

packet of the three-way handshake that  final ack more on that in another video  
packet of the three-way handshake that  final ack more on that in another video  

but basically i'm just going to reset it so we're  going to act like nothing happened all right so  
but basically i'm just going to reset it so we're  going to act like nothing happened all right so  

now let's do the same thing but this time let's  fragment it all right so i'm going to just hit  
now let's do the same thing but this time let's  fragment it all right so i'm going to just hit  

up barrel and i'm just going to come over here and  just say dash f all right so that finished and my  
up barrel and i'm just going to come over here and  just say dash f all right so that finished and my  

state is open so let's come over here to wireshark  and take a look at what that looked like all right  
state is open so let's come over here to wireshark  and take a look at what that looked like all right  

so what i'm going to do for you guys i'm going to  save and share this trace file with you but just  
so what i'm going to do for you guys i'm going to  save and share this trace file with you but just  

keep in mind that you're going to have different  frame numbers than me just because i'm going to  
keep in mind that you're going to have different  frame numbers than me just because i'm going to  

save off just the frames that you see here alright  so you can follow along with just what i see just  
save off just the frames that you see here alright  so you can follow along with just what i see just  

remember different frame numbers for you all right  so here i can see on this package just the one  
remember different frame numbers for you all right  so here i can see on this package just the one  

that's just after the reset this says fragmented  iprotocol fragmented ip protocol and then finally  
that's just after the reset this says fragmented  iprotocol fragmented ip protocol and then finally  

i see a sin so basically what wireshark does is it  takes these three fragments and then in the info  
i see a sin so basically what wireshark does is it  takes these three fragments and then in the info  

area i can see it's basically reassembled it tells  me what the function of that packet is and there i  
area i can see it's basically reassembled it tells  me what the function of that packet is and there i  

see that it's a sin but let's take a closer look  at that fragmentation let's go into that first  
see that it's a sin but let's take a closer look  at that fragmentation let's go into that first  

fragment and here i can see that the total length  of this packet is 28 bytes of that 20 of it is my  
fragment and here i can see that the total length  of this packet is 28 bytes of that 20 of it is my  

header itself that ip header itself i can come  down here it says there's more fragments to come  
header itself that ip header itself i can come  down here it says there's more fragments to come  

now this fragment offset take this 8 bytes of  data start at zero so this will be from zero  
now this fragment offset take this 8 bytes of  data start at zero so this will be from zero  

to fragment offset seven so the next one is gonna  start at eight let's go ahead and take a look at  
to fragment offset seven so the next one is gonna  start at eight let's go ahead and take a look at  

that let's go to the next fragment more fragments  are coming so this is not the last fragment  
that let's go to the next fragment more fragments  are coming so this is not the last fragment  

that's in this chain here we're starting  our offset at 8 and we're going to go to 15  
that's in this chain here we're starting  our offset at 8 and we're going to go to 15  

and then the next one will start at 16. so  let's go ahead and take a look at that final one  
and then the next one will start at 16. so  let's go ahead and take a look at that final one  

so our fragment offset is 16 but notice at this  time there's no more fragments this is the last  
so our fragment offset is 16 but notice at this  time there's no more fragments this is the last  

one so you can go ahead and take those fragments  crunch them all back together and reassemble them  
one so you can go ahead and take those fragments  crunch them all back together and reassemble them  

now remember if any of these arrive out of order  then the receiving ipstack knows how to put them  
now remember if any of these arrive out of order  then the receiving ipstack knows how to put them  

back together because of that offset this shows  me where that data goes in that whole packet and  
back together because of that offset this shows  me where that data goes in that whole packet and  

if i come down here wireshark teaches me how  to put them back together right so the payload  
if i come down here wireshark teaches me how  to put them back together right so the payload  

0 to 7 8 to 15 and then 16 to 23 and then that's  all of the bytes all 24 bytes that i was sending  
0 to 7 8 to 15 and then 16 to 23 and then that's  all of the bytes all 24 bytes that i was sending  

in my payload so you can see how it literally took  that 24 bytes of the tcp header and the sin and it  
in my payload so you can see how it literally took  that 24 bytes of the tcp header and the sin and it  

broke it up into three packets it made them real  small and that's what nmap does it takes a huge ip  
broke it up into three packets it made them real  small and that's what nmap does it takes a huge ip  

packet if you have one fragmentation will break  it up into smaller chunks much smaller chunks  
packet if you have one fragmentation will break  it up into smaller chunks much smaller chunks  

which again the hope is that this will  slip by an ids or maybe even a firewall  
which again the hope is that this will  slip by an ids or maybe even a firewall  

and it'll help us to enumerate a system in  a different way now we can see here that the  
and it'll help us to enumerate a system in  a different way now we can see here that the  

receiver pieced it together it took all of those  fragments pieced them together pushed it up to tcp  
receiver pieced it together it took all of those  fragments pieced them together pushed it up to tcp  

and then it we went ahead and got a response  on port 80. so this device said great i'm here  
and then it we went ahead and got a response  on port 80. so this device said great i'm here  

good snack and then nmap went ahead and did  that reset all right so basically remember  
good snack and then nmap went ahead and did  that reset all right so basically remember  

how ip fragmentation works it's just taking a  payload and breaking it up into smaller chunks  
how ip fragmentation works it's just taking a  payload and breaking it up into smaller chunks  

and then allowing the receiver on the other end  giving it some instructions of how to put those  
and then allowing the receiver on the other end  giving it some instructions of how to put those  

back together now of course we're going to have  a problem if any of those fragments go missing  
back together now of course we're going to have  a problem if any of those fragments go missing  

if they arrive out of order the instructions  are there the receiver can go ahead and put  
if they arrive out of order the instructions  are there the receiver can go ahead and put  

them back together but that's basically  how ipfragmentation works thanks for  
them back together but that's basically  how ipfragmentation works thanks for  

stopping by i hope this helped you understand ip  fragmentation and i'll see you on another video
stopping by i hope this helped you understand ip  fragmentation and i'll see you on another video

you
you