null Pune meet - Understanding TCP/IP and Network Intrusion
Uploaded by: nu-the-open-security-community
Category: Technology
Overview
The TCP/IP Stack.
The Link Layer (L2).
The Network Layer (L3).
The Transport Layer (L4).
Port scanning & OS/App detection techniques.
Evasion and Intrusion Techniques.
The Tools.
The TCP/IP Stack
Each OS vendor ships its own implementation of the TCP/IP stack.
Each layer of an OS's stack therefore shows slightly different behaviour on the wire.
These stack properties can be used for OS and hardware detection, port scanning, intrusion and evasion.
The Link Layer (L2)
An L2 frame carries the MAC addresses of the source and destination machines.
A MAC address is 6 bytes long. Its first 3 bytes are the Organizationally Unique Identifier (OUI).
OUIs are assigned to the manufacturers of network cards, so the OUI of a MAC address reveals the hardware vendor.
In the MAC address "00-08-74-4C-7F-1D", the OUI "00-08-74" is assigned to Dell Computer Corp.
Network Layer (L3)
IPv4 header layout (diagram on the slide).
The initial TTL value differs per OS: Windows = 128, Linux = 64, AIX = 255. The TTL seen on the wire is the initial value minus the number of hops travelled, so round the observed value up to the next of these to guess the sender's OS.
The IP layer supports fragmentation of packets (including the TCP segments they carry) that exceed the path MTU.
Whether the "Don't Fragment" (DF) flag is set in a given response also differs by OS: the slide notes it set in some responses from Windows and not set by Linux machines.
The IP Identification (IPID) field is used in a special port-scanning technique called the Idle or Zombie scan.
TCP (L4)
TCP header layout (diagram on the slide).
TCP uses a 3-way handshake:
SYN ->
<- SYN/ACK
ACK ->
Different combinations of the SYN, ACK and FIN flags bring out different behaviour in different OSs. For example, RFC 793 says a bare FIN sent to an open port should be ignored, yet some stacks (Windows among them) answer it with a RST.
TCP Layer (L4)
The initial sequence number (ISN) chosen for a new connection differs between OSs: some use fixed or time-based increments, others a random value.
Checking the window size on returned packets helps to identify AIX (0x3F25) and Windows and BSD (0x402E) systems.
The ACK value in the response to a FIN probe is used to identify some Windows versions (they acknowledge seq+1 where most other stacks echo the probe's sequence number unchanged).
TCP Layer (L4)
TCP options are optional, yet every OS advertises a different set, value and order of them: Window Scale (W), NOP (N), Maximum Segment Size (M), Timestamp (T) and End of Options (E).
The option order echoed back varies by OS, for example Solaris = "NNTNWME" and Linux = "MENNTNW".
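The L2, L3 and L4 fields described on the last few slides (OUI, TTL, DF, IPID, window size, TCP option order) can be pulled out of a raw frame with a few struct calls. The following is an added example, not code from the talk or from nmap; the frame it parses is constructed inline (a Linux-like SYN/ACK addressed to the slide's Dell MAC, checksums left at zero), and the initial-TTL table and the extra "S" letter for SACK-permitted are assumptions made here.

```python
"""Added example: dissect a raw Ethernet/IPv4/TCP frame and pull out the
fields the slides use for fingerprinting (OUI, TTL, DF, IPID, window size,
TCP option order). The sample frame is constructed, not a real capture."""
import struct

# Initial TTLs quoted on the slides; an observed TTL is rounded up to the nearest.
INITIAL_TTLS = {64: "Linux/BSD-like", 128: "Windows", 255: "AIX/Solaris-like"}
# nmap-style single-letter names for TCP option kinds ('S' for SACK-permitted is
# an addition; the slide lists only W, N, M, T and E).
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}


def parse_mac(raw):
    mac = "-".join("%02X" % b for b in raw)
    return {
        "mac": mac,
        "oui": mac[:8],
        # First-byte bit 0 = multicast, bit 1 = locally administered (randomised
        # or virtual MAC): in that case the "OUI" names no vendor at all.
        "multicast": bool(raw[0] & 0x01),
        "locally_administered": bool(raw[0] & 0x02),
    }


def guess_initial_ttl(ttl):
    """Return (initial TTL, hops travelled) for an observed TTL."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def parse_tcp_options(raw):
    """Return the option order as an nmap-style string such as 'MNNTNW'."""
    letters, i = [], 0
    while i < len(raw):
        kind = raw[i]
        letters.append(OPTION_LETTERS.get(kind, "?"))
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP carries no length byte
            i += 1
            continue
        length = raw[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        i += length
    return "".join(letters)


def dissect(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ipid, flags_frag, ttl, proto,
     _csum, saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    initial_ttl, hops = guess_initial_ttl(ttl)
    return {
        "src_mac": parse_mac(src), "dst_mac": parse_mac(dst),
        "src_ip": ".".join(map(str, saddr)), "dst_ip": ".".join(map(str, daddr)),
        "ttl": ttl, "initial_ttl": initial_ttl, "hops": hops,
        "ttl_os_hint": INITIAL_TTLS.get(initial_ttl),
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "ipid": ipid, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "fin": bool(flags & 0x01), "syn": bool(flags & 0x02),
        "rst": bool(flags & 0x04), "ack_flag": bool(flags & 0x10),
        "window": window, "options": parse_tcp_options(tcp[20:data_off]),
    }


def build_sample_frame():
    """Constructed SYN/ACK as a Linux-like stack might send it (checksums left 0)."""
    opts = (bytes([2, 4, 0x05, 0xB4])      # M: MSS 1460
            + bytes([1, 1])                # N N
            + bytes([8, 10]) + bytes(8)    # T: timestamp (values zeroed)
            + bytes([1])                   # N
            + bytes([3, 3, 7]))            # W: window scale 7
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 0x12345678, 1,
                      (10 << 12) | 0x012, 5840, 0, 0) + opts   # flags = SYN|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 43210, 0x4000,
                     61, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    eth = struct.pack("!6s6sH", bytes.fromhex("0008744C7F1D"),   # slide's Dell MAC
                      bytes.fromhex("0242AC110002"), 0x0800)     # locally administered
    return eth + ip + tcp


if __name__ == "__main__":
    for key, value in dissect(build_sample_frame()).items():
        print(key, value)
```

The option-order string is what the slide's "NNTNWME" / "MENNTNW" signatures are built from; the U/L bit check matters because a randomised or virtual MAC carries no vendor information even though its first three bytes look like an OUI.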
UDP (L4)
UDP header layout (diagram on the slide).
A UDP packet sent to a closed (non-existent) port is answered with an ICMP Destination Unreachable (Port Unreachable) packet. If a firewall drops the probe or the reply, nothing comes back, so silence means open or filtered, not open.
The ICMP Destination Unreachable packet carries a copy of the IP header and at least the first 8 bytes of the UDP packet that caused the error.
Different OSs alter this quoted copy in different ways (how many bytes they quote back, and whether fields such as the IP checksum, total length or IPID come back modified), which gives another fingerprinting handle.
Idle Scan
Three parties: the scanning Host, an idle Zombie and the Target. The exchange as drawn on the slide:
Host -> Zombie: probe packet (SYN). Zombie -> Host: SYN/ACK carrying IPID = 43210.
Host -> Target port 80: SYN with spoofed SrcIP = Zombie.
Target -> Zombie: SYN/ACK (port 80 is open). Zombie -> Target: RST with IPID = 43211, since it never sent that SYN.
Host -> Zombie: second probe. Zombie -> Host: SYN/ACK carrying IPID = 43212.
Idle scan completes: the zombie's IPID advanced by 2 between the two probes, so the target port is open. Had it advanced by only 1, the target either replied with a RST (closed, which the zombie silently ignores) or not at all (filtered); the two cases look the same to the scanner. The scan only works against a zombie that is truly idle and whose stack uses a single global, incrementing IPID counter.
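A toy model of the idle scan above, added here and not part of the talk: the Zombie, Target, check_zombie and idle_scan names are this example's own, the IPIDs follow the slide's 43210/43211/43212, and the zombie is modelled with the single global incrementing IPID counter the technique depends on.

```python
"""Added example: a toy model of the idle scan on the slide. The zombie's
sequential IPID counter leaks whether the target answered its spoofed SYN."""


class Zombie:
    """Idle host whose stack uses one global, sequentially incrementing IPID.
    `busy` = unrelated packets it sends on its own between our probes (noise)."""

    def __init__(self, ip, ipid=43210, busy=0):
        self.ip, self.ipid, self.busy = ip, ipid, busy

    def _emit(self):
        ipid, self.ipid = self.ipid, self.ipid + 1   # every packet sent consumes one IPID
        return ipid

    def on_probe(self):
        """Scanner probe (slide: SYN) -> reply carrying the current IPID."""
        for _ in range(self.busy):        # traffic the zombie sent on its own meanwhile
            self._emit()
        return self._emit()

    def on_syn_ack(self):
        """Unsolicited SYN/ACK (it never sent a SYN) -> RST, consuming an IPID."""
        return self._emit()

    def on_rst(self):
        """Unsolicited RST -> silently dropped: no packet, no IPID consumed."""
        return None


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports, self.filtered_ports = set(open_ports), set(filtered_ports)

    def on_syn(self, port, spoofed_source):
        """Answer a SYN; the reply goes to the spoofed source, i.e. the zombie."""
        if port in self.filtered_ports:
            return None                   # firewall drops it: nothing is sent
        if port in self.open_ports:
            return spoofed_source.on_syn_ack()
        return spoofed_source.on_rst()


def check_zombie(zombie, probes=5):
    """A usable zombie must be idle and hand out IPIDs that advance by exactly 1."""
    ipids = [zombie.on_probe() for _ in range(probes)]
    return all(b - a == 1 for a, b in zip(ipids, ipids[1:]))


def idle_scan(zombie, target, port):
    """Return (verdict, IPID before, IPID after) for one target port."""
    before = zombie.on_probe()                   # step 1: read zombie IPID (slide: 43210)
    target.on_syn(port, spoofed_source=zombie)   # step 2: SYN with SrcIP = zombie
    after = zombie.on_probe()                    # step 3: read it again (slide: 43212)
    delta = after - before
    if delta == 2:
        verdict = "open"                         # the zombie sent a RST in between
    elif delta == 1:
        verdict = "closed|filtered"              # the zombie sent nothing in between
    else:
        verdict = "unknown (zombie not idle)"
    return verdict, before, after


if __name__ == "__main__":
    z = Zombie("10.0.0.7")
    t = Target(open_ports={80}, filtered_ports={23})
    print("zombie usable:", check_zombie(Zombie("10.0.0.7")))
    for port in (80, 22, 23):
        print(port, idle_scan(z, t, port))
```

Run it and port 80 comes back ("open", 43210, 43212) exactly as on the slide, while 22 (closed) and 23 (filtered) both advance the counter by one and are indistinguishable. A zombie constructed with busy > 0 fails check_zombie and returns an "unknown" verdict, which is what happens in practice against a host that is not idle or whose stack randomises or per-destination-increments its IPIDs.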
Exploiting Exchange
Host -> Exchange Server: "XEXCH50 -1 2 \r\n"
This is the trigger string for the XEXCH50 heap overflow in Exchange (the slide labels it MS05-043; Microsoft's bulletin for the XEXCH50 bug is MS03-046).
An in-line IPS/IDS carries the rule: IF payload contains "XEXCH50 -1 2" THEN DROP.
Exploit blocked: the whole string arrives in one packet, so the signature matches.
Evasion Techniques: IP Fragmentation
Host -> Exchange Server, the same request split into two IP fragments:
Fragment 1: "XEXCH50" (sent with TTL = 10, arrives at the server with TTL = 9 after one hop)
Fragment 2: " -1 2 \r\n" (sent with TTL = 10, arrives with TTL = 9)
IPS/IDS rule: IF "XEXCH50 -1 2" THEN DROP. Neither fragment on its own contains the signature, so an IDS that matches per packet without reassembling fragments passes both.
The Exchange Server reassembles the fragments into "XEXCH50 -1 2" and the exploit (labelled MS05-043 on the slide) goes through.
Evasion Techniques: Traffic Insertion
Host -> Exchange Server, three fragments:
Fragment 1: "XEXCH50" (TTL = 10, arrives with TTL = 9)
Fragment 2: "JUNK" (TTL = 1): the IDS sees it, but it hits TTL Expired at the next router and never reaches the server
Fragment 3: " -1 2 \r\n" (TTL = 10, arrives with TTL = 9)
IPS/IDS rule: IF "XEXCH50 -1 2" THEN DROP. An IDS that reassembles every fragment it saw ends up with the resultant string "XEXCH50 JUNK -1 2", which does not match.
The Exchange Server only ever receives fragments 1 and 3, reassembles "XEXCH50 -1 2", and the exploit (labelled MS05-043 on the slide) goes through.
The defence is for the IDS to reassemble the way the destination host does and to discard fragments whose TTL cannot reach that host, which requires it to know the hop distance to each protected machine.
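The fragmentation and insertion evasions on the last two slides, modelled as added example code (not from the talk): fragments are (offset, data, ttl) tuples, the IDS tap is assumed to sit in front of the first router with the Exchange server one hop further on, and the three IDS functions (per-packet matching, naive concatenation of everything seen, and hop-aware reassembly) are this example's own.

```python
"""Added example: a toy model of the two evasions on the slides. Packets are
(offset, data, ttl) fragments of one request; an IDS tap sits before the first
router and the Exchange server one router further on. Constructed, not a capture."""
from collections import namedtuple

Fragment = namedtuple("Fragment", "offset data ttl")
SIGNATURE = b"XEXCH50 -1 2"                   # the IDS rule from the slide
REQUEST = b"XEXCH50 -1 2 \r\n"

# Scenario 1: the request in a single packet.
SINGLE = [Fragment(0, REQUEST, 10)]
# Scenario 2: IP fragmentation, the signature never appears in one packet.
FRAGMENTED = [Fragment(0, b"XEXCH50", 10), Fragment(7, b" -1 2 \r\n", 10)]
# Scenario 3: insertion, a junk fragment with TTL=1 that dies before the server.
INSERTED = [Fragment(0, b"XEXCH50", 10),
            Fragment(7, b" JUNK", 1),
            Fragment(7, b" -1 2 \r\n", 10)]


def forward(frags, hops):
    """Fragments that survive `hops` routers; each router decrements the TTL and
    discards the packet when it reaches 0 (TTL expired)."""
    return [Fragment(f.offset, f.data, f.ttl - hops) for f in frags if f.ttl > hops]


def reassemble_by_offset(frags):
    """End-host style reassembly: place each fragment at its offset (assumption
    made here: on overlap, later data overwrites earlier data)."""
    buf = bytearray()
    for f in frags:
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[f.offset:end] = f.data
    return bytes(buf)


def per_packet_ids(frags):
    """Signature match on each packet in isolation (no reassembly at all)."""
    return any(SIGNATURE in f.data for f in frags)


def naive_ids(frags):
    """Reassembles everything it saw, in arrival order, as the slide's IDS does."""
    return SIGNATURE in b"".join(f.data for f in frags)


def hop_aware_ids(frags, hops_to_target):
    """Ignores fragments whose TTL cannot reach the protected host, then
    reassembles the way that host would."""
    reachable = [f for f in frags if f.ttl > hops_to_target]
    return SIGNATURE in reassemble_by_offset(reachable)


def run(frags, ids_hops=0, target_hops=1):
    """Deliver the fragments to the IDS tap and to the server and report what
    each IDS variant decides and what the server actually reassembles."""
    at_ids = forward(frags, ids_hops)
    at_target = forward(frags, target_hops)
    delivered = reassemble_by_offset(at_target)
    return {
        "per_packet_ids_alerts": per_packet_ids(at_ids),
        "naive_ids_alerts": naive_ids(at_ids),
        "hop_aware_ids_alerts": hop_aware_ids(at_ids, target_hops - ids_hops),
        "server_receives": delivered,
        "exploit_reaches_server": SIGNATURE in delivered,
    }


if __name__ == "__main__":
    for name, frags in (("single", SINGLE), ("fragmented", FRAGMENTED),
                        ("inserted", INSERTED)):
        print(name, run(frags))
```

Run it and the three result dictionaries show the per-packet IDS missing the fragmented request, the naive reassembler being fooled by the TTL=1 junk (its view is "XEXCH50 JUNK -1 2 \r\n"), and only the hop-aware reassembler alerting while the server still receives the exact signature in every case.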
Preventing detection (OS fingerprint obfuscation)
For Windows:
- OSfuscate
- sec_clock
For Linux:
- grsec
- iplog
For BSD Unix:
- blackhole
- Fingerprint Fucker
TOOLS
Network scanners: Nmap, Nessus.
Misc: Netcat.
Simple tools: ping, traceroute.
Packet sniffers: Wireshark, tcpdump.
Packet crafter: hping2.
Reference
http://nmap.org/nmap-fingerprinting-article.txt
http://www.zog.net/Docs/nmap.html
http://www.grsecurity.net/