null Pune Meet - Understanding TCP/IP and Network Intrusion
Posted on 15-May-2015
Overview
The TCP/IP Stack.
The Link Layer (L2).
The Network Layer (L3).
The Transport Layer (L4).
Port scanning & OS/App detection techniques.
Evasion and Intrusion Techniques.
The Tools.
The TCP/IP Stack
Each OS vendor has a different implementation of the TCP/IP stack.
Each layer of an OS's TCP/IP stack exhibits different behaviour.
Properties of the TCP/IP stack can be used for OS and hardware detection, port scanning, intrusion and evasion.
The Link Layer (L2)
An L2 frame carries the MAC addresses of the source and destination machines.
A MAC address is 6 bytes; its first 3 bytes are the Organizationally Unique Identifier (OUI).
OUIs are unique to the manufacturers of network cards.
In the MAC address “00-08-74-4C-7F-1D”, the OUI “00-08-74” is assigned to Dell Computer Corp.
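The OUI lookup described on this slide, as an added example (not code from the original talk): it normalizes the three common MAC notations, splits off the OUI, and also decodes the two administrative bits of the first octet, because a locally administered (randomized or virtual) address carries no vendor information at all. The OUI table holds only the Dell entry quoted above; it is a constructed stand-in for a real registry.

```python
import re

# Constructed mini OUI table: only the Dell entry comes from the slide.
# A real deployment would load the IEEE registry instead.
OUI_TABLE = {
    "00:08:74": "Dell Computer Corp.",
}

def normalize_mac(mac):
    """Accept 00-08-74-4C-7F-1D, 00:08:74:4c:7f:1d or 0008.744c.7f1d; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()

def analyze_mac(mac):
    """Return the OUI, the I/G and U/L bits, and the vendor if the OUI is meaningful."""
    norm = normalize_mac(mac)
    first_octet = int(norm[0:2], 16)
    oui = norm[0:8]
    # bit 0 of the first octet: 1 = group address (multicast/broadcast), 0 = individual
    multicast = bool(first_octet & 0x01)
    # bit 1 of the first octet: 1 = locally administered, 0 = universally administered.
    # Randomized client MACs and many virtual NICs set this bit, so the OUI is not a vendor ID.
    locally_administered = bool(first_octet & 0x02)
    return {
        "mac": norm,
        "oui": oui,
        "multicast": multicast,
        "locally_administered": locally_administered,
        "vendor": None if locally_administered else OUI_TABLE.get(oui),
    }

if __name__ == "__main__":
    for sample in ("00-08-74-4C-7F-1D", "0008.744c.7f1d", "02:08:74:4c:7f:1d"):
        print(analyze_mac(sample))
```

The third sample differs from the slide's Dell address only in the U/L bit, which is enough to make the vendor lookup meaningless; an asset inventory that ignores that bit will attribute randomized addresses to whichever vendor happens to own the same three bytes.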
Network Layer (L3)
[Figure: IPv4 header layout]
The initial TTL value observed for various OSes: Windows = 128, Linux = 64, AIX = 255.
The IP layer supports fragmentation of datagrams.
The “Don't Fragment” flag is set in some responses from Windows and not set by Linux machines.
The IP Identification field is used in a special port scanning technique called the Idle or Zombie scan.
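Passive use of the L3 properties listed above, as an added example that is not part of the original slides: decode the fixed IPv4 header with the standard library, then round the observed TTL up to the nearest common initial value to estimate hop count and candidate OS. The OS mapping is the slide's (Windows 128, Linux 64, AIX 255); the extra rounding point at 32 is an addition for old stacks that start there. The sample header is constructed, not captured traffic, and its checksum is left at zero.

```python
import struct

# Initial TTL values the slide associates with each OS (the lookup itself is added here)
INITIAL_TTLS = {64: ["Linux"], 128: ["Windows"], 255: ["AIX"]}

IP_FLAG_DF = 0x2   # bit 1 of the 3-bit flags field
IP_FLAG_MF = 0x1   # bit 0: more fragments follow

def parse_ipv4_header(pkt):
    """Decode the 20-byte fixed IPv4 header fields that matter for fingerprinting."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, checksum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    flags = frag >> 13
    return {
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags & IP_FLAG_DF),
        "mf": bool(flags & IP_FLAG_MF),
        "frag_offset": (frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }

def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value.
    Returns (initial_ttl, estimated_hops, os_candidates)."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS.get(initial, [])
    raise ValueError("TTL out of range")

def fingerprint_ip(pkt):
    """Header fields plus the TTL-derived hop and OS estimate."""
    hdr = parse_ipv4_header(pkt)
    initial, hops, candidates = guess_initial_ttl(hdr["ttl"])
    hdr.update({"initial_ttl": initial, "hops": hops, "os_candidates": candidates})
    return hdr

def build_ipv4_header(ttl, ident, df, src, dst, payload_len=0, proto=6):
    """Construct a 20-byte header for use as sample input (checksum left zero)."""
    flags_frag = (IP_FLAG_DF << 13) if df else 0
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0, src_b, dst_b)

if __name__ == "__main__":
    # Constructed sample: a reply from a Windows-like stack that has crossed three routers (128 - 3 = 125), DF set
    sample = build_ipv4_header(ttl=125, ident=0x1234, df=True, src="10.0.0.5", dst="10.0.0.1")
    print(fingerprint_ip(sample))
```

The hop estimate is only as good as the assumption that the sender started at one of the listed values; a sensor that records `initial_ttl` and `df` per source over time gets a much steadier signal than any single packet gives.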
TCP Layer (L4)
[Figure: TCP header layout]
TCP uses a three-way handshake:
SYN ->
<- SYN/ACK
ACK ->
Different combinations of the SYN, ACK and FIN flags bring out different behaviour from different OSes.
TCP Layer (L4)
The initial sequence number (ISN) differs between OSes.
Checking the window size on returned packets helps to identify AIX (0x3F25), Windows and BSD (0x402E) systems.
The ACK value in the response to a FIN is used to identify some Windows versions.
TCP Layer (L4)
TCP options are optional, yet every OS sends out a different set and ordering of: Window Scale (W); NOP (N); Maximum Segment Size (M); Timestamp (T); and End of Options (E).
The order of TCP options echoed varies by OS, e.g. Solaris = “NNTNWME”, Linux = “MENNTNW”.
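A parser for the two TCP signals the slides above rely on, window size and option order, added here as an example (not code from the talk). It walks the option list with correct handling of the two single-byte kinds (EOL ends the list, NOP has no length byte) and renders the order in the slide's letter notation; the letter S for SACK-permitted is an addition, and the window-size lookup carries only the two values quoted on the slide. The SYN segment and its option block are constructed sample input.

```python
import struct

# Single-letter names for TCP option kinds, following the slide's legend; 'S' (SACK permitted, kind 4) is added
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

# Window sizes the slide associates with particular stacks (lookup added here, values from the slide)
WINDOW_HINTS = {0x3F25: ["AIX"], 0x402E: ["Windows", "BSD"]}

TCP_FLAGS = {0x02: "SYN", 0x10: "ACK", 0x01: "FIN", 0x04: "RST", 0x08: "PSH", 0x20: "URG"}

def parse_tcp_options(blob):
    """Return [(kind, value_bytes)] in wire order. EOL (0) ends the list; NOP (1) has no length byte."""
    opts, i = [], 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:
            opts.append((0, b""))
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option without length byte")
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad option length")
        opts.append((kind, blob[i + 2:i + length]))
        i += length
    return opts

def parse_tcp_header(seg):
    """Decode the fixed TCP header and its options; add the slide-style option string and window hint."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _cksum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or len(seg) < data_offset:
        raise ValueError("bad data offset")
    flags = off_flags & 0x01FF
    options = parse_tcp_options(seg[20:data_offset])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "window": window,
        "options": options,
        "option_order": "".join(OPTION_LETTERS.get(kind, f"<{kind}>") for kind, _ in options),
        "window_hint": WINDOW_HINTS.get(window, []),
    }

def build_tcp_syn(sport, dport, window, options):
    """Construct a SYN segment carrying the given raw option bytes, padded to a 4-byte boundary (sample input)."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0x1A2B3C4D, 0, (data_offset << 12) | 0x02, window, 0, 0)
    return hdr + padded

# Constructed option block in the order M, N, N, T, N, W (not captured traffic)
SAMPLE_OPTIONS = (
    b"\x02\x04\x05\xb4"                                        # MSS = 1460
    + b"\x01\x01"                                              # NOP, NOP
    + b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"  # Timestamp (TSval=1, TSecr=0)
    + b"\x01"                                                  # NOP
    + b"\x03\x03\x07"                                          # Window scale = 7
)

if __name__ == "__main__":
    print(parse_tcp_header(build_tcp_syn(40000, 80, 0x402E, SAMPLE_OPTIONS)))
```

Padding a three-byte option to a word boundary puts an EOL byte on the wire, which is why the E shows up at the end of the Solaris string on the slide; a parser that does not stop at EOL will misread the padding as another option.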
UDP Layer (L4)
[Figure: UDP header layout]
A UDP packet sent to a non-existent port is answered with an ICMP Destination Unreachable packet.
The ICMP Destination Unreachable packet carries a copy of the UDP packet that triggered the ICMP error.
Different OSes alter this copy of the UDP packet in different ways.
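How a sensor can measure the "altered copy" behaviour described above, added here as an example and not part of the original slides: keep the UDP probe that was sent, pull the quoted datagram out of the ICMP Destination Unreachable reply, and report how much was echoed and which header fields the responding stack changed. The IP checksum is verified against the quoted header itself rather than compared with the original, because a TTL decremented in transit legitimately changes it. Both the probe and the two replies are constructed samples; the "faithful" one echoes everything, the "mangled" one quotes only eight bytes of UDP and zeroes the IP ID and UDP checksum.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type
ICMP_PORT_UNREACH = 3   # code: port unreachable

def ipv4_checksum(header):
    """One's-complement checksum over an IPv4 header; returns 0 when the stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_unreachable(msg):
    """Split an ICMP Destination Unreachable message into (code, quoted original datagram)."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _cksum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError(f"not Destination Unreachable (type {icmp_type})")
    return code, msg[8:]

def ip_udp_fields(datagram):
    """IP and UDP header fields that stacks are known to rewrite when quoting the original datagram."""
    ihl = (datagram[0] & 0x0F) * 4
    total_len, ident = struct.unpack("!HH", datagram[2:6])
    fields = {"ihl": ihl, "ip_total_length": total_len, "ip_id": ident}
    if len(datagram) >= ihl + 8:
        sport, dport, udp_len, udp_cksum = struct.unpack("!HHHH", datagram[ihl:ihl + 8])
        fields.update({"udp_sport": sport, "udp_dport": dport, "udp_length": udp_len, "udp_checksum": udp_cksum})
    return fields

def compare_quoted_datagram(sent, quoted):
    """Report how many bytes were echoed and which fields differ from the probe that was sent."""
    s, q = ip_udp_fields(sent), ip_udp_fields(quoted)
    return {
        "quoted_bytes": len(quoted),
        "udp_payload_quoted": max(0, len(quoted) - q["ihl"] - 8),
        "ip_id_changed": s["ip_id"] != q["ip_id"],
        "ip_total_length_changed": s["ip_total_length"] != q["ip_total_length"],
        "ip_checksum_valid": ipv4_checksum(quoted[:q["ihl"]]) == 0,   # must hold even after a TTL decrement
        "udp_checksum_changed": s.get("udp_checksum") != q.get("udp_checksum"),
    }

def analyze_unreachable(sent, icmp_msg):
    code, quoted = parse_icmp_unreachable(icmp_msg)
    report = compare_quoted_datagram(sent, quoted)
    report["code"] = code
    return report

def build_probe(ttl, ident, payload, src=(10, 0, 0, 1), dst=(10, 0, 0, 9), sport=40000, dport=33434):
    """Constructed UDP probe with a valid IP header checksum; the UDP checksum is a fixed sample value."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0xBEEF) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, ttl, 17, 0, bytes(src), bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp

def forward_hops(datagram, hops):
    """Simulate routers decrementing TTL and recomputing the checksum: what a faithful quote looks like."""
    hdr = bytearray(datagram[:20])
    hdr[8] -= hops
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + datagram[20:]

def build_icmp_unreachable(quoted, code=ICMP_PORT_UNREACH):
    """Constructed ICMP reply (ICMP checksum left zero) wrapping the quoted datagram."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted

# Constructed samples
SENT = build_probe(ttl=64, ident=0x1234, payload=b"A" * 16)
FAITHFUL_QUOTE = forward_hops(SENT, 3)            # stack echoes the whole datagram as received
MANGLED = bytearray(FAITHFUL_QUOTE[:28])          # stack quotes only IP header + 8 bytes of UDP
MANGLED[4:6] = b"\x00\x00"                        # ...zeroes the IP ID without fixing the checksum
MANGLED[26:28] = b"\x00\x00"                      # ...and zeroes the UDP checksum
MANGLED_QUOTE = bytes(MANGLED)

if __name__ == "__main__":
    print(analyze_unreachable(SENT, build_icmp_unreachable(FAITHFUL_QUOTE)))
    print(analyze_unreachable(SENT, build_icmp_unreachable(MANGLED_QUOTE)))
```

The same comparison is what makes the quoted datagram useful to a defender in the other direction: an ICMP error whose quote does not match anything the sensor saw leaving the network is a sign of spoofed or injected traffic.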
Idle Scan
Participants: Host (scanner), Zombie, Target.
Host -> Zombie: probe packet (SYN)
Zombie -> Host: SYN/ACK, IPID = 43210
Host -> Target: SYN with SrcIP = Zombie, port = 80
Target -> Zombie: SYN/ACK
Zombie -> Target: RST, IPID = 43211
Host -> Zombie: probe packet (SYN)
Zombie -> Host: SYN/ACK, IPID = 43212
Idle scan completes.
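The idle scan above works only because the zombie uses one global IP ID counter that steps by one per packet. The classifier below, added here as an example (not from the original slides), is the check a defender runs against their own hosts to find such predictable counters; it handles 16-bit wraparound and the byte-swapped counter some stacks expose. The step thresholds are this example's assumptions. The last function restates the slide's arithmetic: the difference between two consecutive probes, minus the reply to the second probe itself, is the number of packets the zombie sent to other parties in between.

```python
def ipid_deltas(ids):
    """Forward differences between consecutive IP IDs, modulo 2^16 so 65535 -> 0 counts as +1."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

# Thresholds are this example's assumptions, not values from the slide
SMALL_STEP = 10       # largest per-packet step still treated as a simple counter
RANDOM_JUMP = 20000   # a step this large is treated as randomised

def classify_ipid_sequence(ids):
    """Classify how a host generates IP IDs, from the IDs in its replies to a series of probes."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"                        # stack leaves the field at zero
    if len(set(ids)) == 1:
        return "constant"
    deltas = ipid_deltas(ids)
    if all(1 <= d <= SMALL_STEP for d in deltas):
        return "incremental"                 # one global counter: predictable, usable as an idle-scan zombie
    if all(d % 256 == 0 and 1 <= d // 256 <= SMALL_STEP for d in deltas):
        return "byte-swapped-incremental"    # counter stored little-endian; still predictable
    if all(0 < d < RANDOM_JUMP for d in deltas):
        return "random-positive-increments"
    return "random"

def zombie_packets_between(ipid_before, ipid_after):
    """For an incremental counter: packets the host sent to third parties between two probes.
    The reply to the second probe accounts for one increment; the remainder is other traffic."""
    return (ipid_after - ipid_before) % 65536 - 1

if __name__ == "__main__":
    # Constructed sequences: the first reproduces the slide's zombie values
    print(classify_ipid_sequence([43210, 43211, 43212, 43213]))
    print(classify_ipid_sequence([5, 60000, 10, 45000]))
    print(zombie_packets_between(43210, 43212))
```

A host classified as "incremental" or "byte-swapped-incremental" is the one to fix (modern stacks randomise the field or use per-destination counters); an "incremental" result on an internet-facing box means anyone can use it to scan third parties with your address on the packets.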
Exploiting Exchange (MS05-043)
Participants: Host (attacker), IPS/IDS, Exchange Server.
Host -> Exchange Server: “XEXCH50 -1 2 \r\n”
IPS/IDS rule: IF “XEXCH50 -1 2” THEN DROP
Result: exploit blocked.
Evasion Techniques: IP Fragmentation
Participants: Host (attacker), IPS/IDS, Exchange Server.
The request is split into two IP fragments, “XEXCH50” and “-1 2 \r\n”; the signature string does not appear in either fragment on its own.
Host -> IPS/IDS: fragment “XEXCH50”, TTL = 10; fragment “-1 2 \r\n”, TTL = 10
IPS/IDS -> Exchange Server: fragment “XEXCH50”, TTL = 9; fragment “-1 2 \r\n”, TTL = 9
IPS/IDS rule: IF “XEXCH50 -1 2” THEN DROP
Exchange Server reassembles “XEXCH50 -1 2 \r\n” (MS05-043).
Evasion Techniques: Traffic Insertion
Participants: Host (attacker), IPS/IDS, Exchange Server.
Host -> IPS/IDS: fragment “XEXCH50”, TTL = 10; fragment “JUNK”, TTL = 1; fragment “-1 2 \r\n”, TTL = 10
The “JUNK” fragment's TTL expires at the hop after the IPS/IDS, so it never reaches the Exchange Server.
IPS/IDS -> Exchange Server: fragment “XEXCH50”, TTL = 9; fragment “-1 2 \r\n”, TTL = 9
IPS/IDS rule: IF “XEXCH50 -1 2” THEN DROP
Resultant string seen by the IPS/IDS: “XEXCH50 JUNK -1 2” (no match).
Exchange Server reassembles “XEXCH50 -1 2 \r\n” (MS05-043).
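The sensor-side view of the two evasion slides above (fragmentation, then insertion), as an added example that is not from the original talk. Fragments are modelled as (offset, TTL at the sensor, payload). A naive reassembler that keeps the first bytes it sees ends up with the slide's “XEXCH50 JUNK ...” string and misses the signature, while the host, which never receives the TTL=1 fragment, reassembles the real request. The defence shown is to discard, before reassembly, any fragment whose TTL cannot survive the remaining hops to the protected host. The fragment offsets, TTLs and the one-hop distance are constructed for the example.

```python
# Fragments as (offset, ttl, payload): byte offset into the reassembled stream,
# TTL as it arrives at the sensor, and the bytes carried. All values constructed.
FRAGMENTS = [
    (0, 10, b"XEXCH50 "),    # first fragment, reaches both sensor and host
    (8, 1,  b"JUNK -1 "),    # inserted fragment: TTL 1 expires at the next hop, only the sensor sees it
    (8, 10, b"-1 2 \r\n"),   # real second fragment, same offset as the inserted one
]
SIGNATURE = b"XEXCH50 -1 2"   # the IPS/IDS rule string from the slide
SENSOR_TO_HOST_HOPS = 1       # routers between the sensor and the protected host (assumed)

def reassemble(fragments, policy="first"):
    """Place fragments into one buffer.
    policy 'first': bytes already written are kept; 'last': later fragments overwrite.
    Returns None if the buffer has a hole, i.e. reassembly would never complete."""
    size = max(off + len(p) for off, _, p in fragments)
    buf, written = bytearray(size), [False] * size
    for off, _, payload in fragments:
        for i, b in enumerate(payload):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos], written[pos] = b, True
    return bytes(buf) if all(written) else None

def arrives_at_host(fragments, hops):
    """Only fragments whose TTL survives 'hops' further decrements are delivered to the host."""
    return [f for f in fragments if f[1] > hops]

def reassemble_ttl_aware(fragments, hops, policy="first"):
    """Sensor-side defence: drop fragments the protected host can never receive, then reassemble."""
    return reassemble(arrives_at_host(fragments, hops), policy)

def matches_signature(payload):
    return payload is not None and SIGNATURE in payload

if __name__ == "__main__":
    print("naive sensor  :", reassemble(FRAGMENTS, "first"), matches_signature(reassemble(FRAGMENTS, "first")))
    print("host          :", reassemble(arrives_at_host(FRAGMENTS, SENSOR_TO_HOST_HOPS)))
    print("TTL-aware     :", reassemble_ttl_aware(FRAGMENTS, SENSOR_TO_HOST_HOPS),
          matches_signature(reassemble_ttl_aware(FRAGMENTS, SENSOR_TO_HOST_HOPS)))
```

Switching the naive sensor to a "last wins" policy happens to recover the signature for this particular fragment order, which is the general lesson: a sensor that reassembles with a different overlap policy than the host it protects, or without knowing the hop distance to that host, can be made to see a different byte stream. Real sensors address this with a per-host minimum TTL and a per-host reassembly policy.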
Preventing Detection (tools that alter the stack's fingerprint)
For Windows
- OSfuscate
- sec_clock
For Linux
- grsec
- iplog
For BSD Unix
- blackhole
- Fingerprint Fucker
TOOLS
Network Scanners: Nmap, Nessus.
Misc: Netcat.
Simple Tools: ping, traceroute.
Packet Sniffers: Wireshark, tcpdump.
Packet Crafter: hping2.
References
http://nmap.org/nmap-fingerprinting-article.txt
http://www.zog.net/Docs/nmap.html
http://www.grsecurity.net/
Murtuja Bharmal
(bharmal.murtuja@gmail.com)