
Overview






Presentation Transcript


  1. Overview
  • The TCP/IP Stack.
  • The Link Layer (L2).
  • The Network Layer (L3).
  • The Transport Layer (L4).
  • Port scanning & OS/App detection techniques.
  • Evasion and Intrusion Techniques.
  • The Tools.

  2. The TCP/IP Stack

  3. The TCP/IP Stack
  • Each OS vendor has a different implementation of the TCP/IP stack.
  • Each layer of an OS's TCP/IP stack exhibits different behaviour.
  • Properties of the TCP/IP stack can be used for OS and hardware detection, port scanning, intrusion and evasion.

  4. The Link Layer (L2)
  • An L2 frame comprises the MAC addresses of the source and destination machines.
  • A MAC address has 6 bytes. Its first 3 bytes are the Organizationally Unique Identifier (OUI).
  • OUIs are unique to the manufacturers of network cards.
  • In the MAC address "00-08-74-4C-7F-1D", the OUI "00-08-74" is unique to Dell Computer Corp.

  5. Network Layer (L3) [figure: IPv4 header layout]

  6. Network Layer (L3)
  • The initial TTL values observed for various OSs are: Windows = 128, Linux = 64 and AIX = 255.
  • The IP layer supports fragmentation of TCP segments.
  • The "Don't Fragment" flag is set in some responses from Windows and is not set by Linux machines.
  • The IP Identification field is used in a special port-scanning technique called the Idle or Zombie scan.

  7. TCP (L4) [figure: TCP header layout]

  8. TCP Layer (L4)
  • TCP uses a three-way handshake: SYN ->, <- SYN/ACK, ACK ->.
  • Different combinations of the SYN, ACK and FIN flags bring out different behaviour from different OSs.

  9. TCP Layer (L4)
  • The initial sequence number is seen to differ between OSs.
  • Checking the window size on returned packets helps to identify AIX (0x3F25) and Windows and BSD (0x402E) systems.
  • The ACK value in response to a FIN is used to identify some Windows versions.

  10. TCP Layer (L4)
  • TCP options are, by definition, optional.
  • Still, every OS sends out a different set and order of: WindowScale (W); NOP (N); MaxSegmentSize (M); TimeStamp (T); and End of Option (E).
  • The TCP options echoed vary with the OS, e.g. Solaris = "NNTNWME", Linux = "MENNTNW".
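As an added example (not part of the presentation), the following code turns the L3/L4 properties listed on slides 6 to 10 into a small passive fingerprinter: it parses a raw IPv4 + TCP SYN/ACK, rounds the observed TTL up to the nearest common initial value (the gap being the hop count), and encodes the TCP options as the page's letter sequence. The two sample packets are constructed inline, the hint tables hold only the figures the slides give, and the options parser stops at End of Option List as RFC 793 requires, so a mid-sequence "E" like the page's Linux string cannot come out of it.

```python
import struct

def _ip(addr):
    return bytes(int(x) for x in addr.split("."))

def build_ipv4_tcp(ttl, df, window, options, src="10.0.0.1", dst="10.0.0.2"):
    """Build a minimal IPv4 header + TCP SYN/ACK carrying the given option bytes (constructed sample)."""
    options += b"\x00" * (-len(options) % 4)            # pad options to a 32-bit boundary
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0,               # DF is bit 14 of flags/fragment offset
                     ttl, 6, 0, _ip(src), _ip(dst))     # checksum left 0; never verified here
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 1,
                      (tcp_len // 4) << 4, 0x12,        # data offset; flags = SYN|ACK
                      window, 0, 0)
    return ip + tcp + options

OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 8: "T"}   # the page's letter codes

def parse_tcp_options(raw):
    """Walk the TCP option TLVs and return the page-style letter sequence."""
    letters, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List: whatever follows is padding
            letters.append("E")
            break
        if kind == 1:                       # NOP has no length byte
            letters.append("N")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        letters.append(OPTION_LETTERS.get(kind, "?"))   # "?" for kinds the page does not name
        i += raw[i + 1]
    return "".join(letters)

def parse_packet(pkt):
    """Extract the L3/L4 fields the slides use for fingerprinting."""
    ver_ihl, _, total_len, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000),
            "window": struct.unpack("!H", tcp[14:16])[0],
            "options": parse_tcp_options(tcp[20:data_off])}

INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "AIX"}     # slide 6
WINDOW_HINTS = {0x3F25: "AIX", 0x402E: "Windows/BSD"}         # slide 9
OPTION_HINTS = {"NNTNWME": "Solaris", "MENNTNW": "Linux"}     # slide 10

def guess_initial_ttl(observed):
    """Round up to the nearest common initial TTL; the difference is the hop count."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed
    raise ValueError("TTL out of range")

def fingerprint(pkt):
    f = parse_packet(pkt)
    initial, hops = guess_initial_ttl(f["ttl"])
    f.update(initial_ttl=initial, hops=hops, ttl_hint=INITIAL_TTLS[initial],
             window_hint=WINDOW_HINTS.get(f["window"]),
             options_hint=OPTION_HINTS.get(f["options"]))
    return f

# Constructed option encodings: MSS=1460, window scale 7, a zeroed timestamp option.
MSS, NOP, WSCALE, EOL = b"\x02\x04\x05\xb4", b"\x01", b"\x03\x03\x07", b"\x00"
TSTAMP = b"\x08\x0a" + b"\x00" * 8
WINDOWS_LIKE = build_ipv4_tcp(ttl=120, df=True, window=0x402E,
                              options=MSS + NOP + NOP + WSCALE + NOP + EOL)
SOLARIS_LIKE = build_ipv4_tcp(ttl=250, df=False, window=8760,
                              options=NOP + NOP + TSTAMP + NOP + WSCALE + MSS + EOL)

if __name__ == "__main__":
    for name, pkt in (("windows-like", WINDOWS_LIKE), ("solaris-like", SOLARIS_LIKE)):
        print(name, fingerprint(pkt))
```

The TTL class is only a coarse bucket (the page labels the 255 bucket as AIX; several other stacks start there too), so the window and option hints are what narrow it down; a passive sensor run over real SYN/ACKs would feed each packet to `fingerprint` and compare the result with the inventory it expects for that address.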

  11. UDP (L4) [figure: UDP header layout]

  12. UDP Layer (L4)
  • A UDP packet sent to a non-existent port is answered with an ICMP Destination Unreachable packet.
  • The ICMP Destination Unreachable packet carries a copy of the UDP packet that caused the ICMP error.
  • Different OSs mangle this copy of the UDP packet in different ways.
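As an added example (not from the presentation), the code below shows how the "mangled copy" on slide 12 is measured: the original UDP probe is compared byte-for-byte with the portion quoted inside an ICMP Destination Unreachable, reporting how much was quoted and which header fields came back altered. Both the probe and the two quoting styles are constructed here; the offsets assume a 20-byte IPv4 header with no options, and checksums are placeholder values.

```python
import struct

# Byte offsets of the compared fields, for a datagram with a 20-byte IPv4 header.
FIELDS = {
    "ip_total_length": (2, 4), "ip_id": (4, 6), "ip_checksum": (10, 12),
    "udp_length": (24, 26), "udp_checksum": (26, 28),
}

def build_udp_datagram(payload, ip_id=0xBEEF):
    """Constructed UDP probe: IPv4 header + UDP header + payload (checksums are placeholders)."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ip_id, 0, 64, 17, 0xABCD,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    udp = struct.pack("!HHHH", 40000, 31337, udp_len, 0x1357)
    return ip + udp + payload

def icmp_port_unreachable(quoted):
    """Wrap quoted bytes in an ICMP Destination Unreachable header (type 3, code 3 = port unreachable)."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + quoted

def compare_quote(original, icmp_msg):
    """Report how much of the original datagram was quoted and which header fields were altered."""
    if icmp_msg[0] != 3 or icmp_msg[1] != 3:
        raise ValueError("not an ICMP port-unreachable message")
    quoted = icmp_msg[8:]
    changed = [name for name, (a, b) in FIELDS.items()
               if len(quoted) >= b and quoted[a:b] != original[a:b]]
    return {
        "quoted_bytes": len(quoted),
        "whole_datagram": len(quoted) == len(original),
        "changed_fields": changed,
        "payload_intact": quoted[28:] == original[28:len(quoted)],
    }

PROBE = build_udp_datagram(b"C" * 32)          # constructed 60-byte probe

# Style A: quote only the IP header plus 8 bytes of UDP (the RFC 792 minimum), untouched.
STYLE_A = icmp_port_unreachable(PROBE[:28])

# Style B: quote the whole datagram but rewrite the IP total length and checksum
# and zero the UDP checksum (a constructed "mangling" stack).
_b = bytearray(PROBE)
_b[2:4] = struct.pack("!H", len(PROBE) + 20)
_b[10:12] = b"\x00\x00"
_b[26:28] = b"\x00\x00"
STYLE_B = icmp_port_unreachable(bytes(_b))

if __name__ == "__main__":
    print("style A:", compare_quote(PROBE, STYLE_A))
    print("style B:", compare_quote(PROBE, STYLE_B))
```

The same comparison, read the other way round, is a useful consistency check on a sensor: an ICMP error whose quoted header does not match any datagram the monitored host actually sent is either spoofed or mangled in transit.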

  13. Idle Scan [figure: packet exchange between Host, Zombie and Target]
  • Host -> Zombie: probe packet (SYN/ACK). Zombie -> Host: RST, IPID = 43210.
  • Host -> Target: SYN with SrcIP = Zombie, port = 80.
  • Target -> Zombie: SYN/ACK. Zombie -> Target: RST, IPID = 43211.
  • Host -> Zombie: probe packet (SYN/ACK). Zombie -> Host: RST, IPID = 43212. Idle scan completes.
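The exchange on slide 13, as an added model that is not part of the presentation: the zombie is reduced to a 16-bit IP ID counter, the target to a set of open ports, and one scan round is the two probes around the spoofed SYN. It reproduces the page's 43210 / 43211 / 43212 sequence, handles counter wraparound, and shows why a zombie that sends other traffic between the probes yields no usable answer; the practical takeaway for a defender is that a host with a randomised or per-destination IP ID counter, or one that is simply busy, cannot serve as a zombie, which is a property worth verifying on your own exposed hosts.

```python
class Zombie:
    """Model of a host whose IP ID counter goes up by one for every packet it sends,
    the property the page's idle scan relies on."""
    def __init__(self, start_ipid):
        self.next_ipid = start_ipid

    def send(self):
        """Emit one packet and return the IP ID it carries (16-bit counter, wraps around)."""
        ipid = self.next_ipid
        self.next_ipid = (self.next_ipid + 1) % 65536
        return ipid

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_spoofed_syn(self, port, zombie):
        """SYN whose source address is the zombie. Open port: SYN/ACK goes to the zombie,
        which answers RST and so spends one IP ID. Closed port: RST goes to the zombie,
        which ignores it and spends nothing."""
        if port in self.open_ports:
            zombie.send()

def probe_zombie(zombie):
    """Host's SYN/ACK probe; the zombie replies RST and the host reads its IP ID."""
    return zombie.send()

def infer_port_state(zombie, target, port, background_packets=0):
    """One round of the page's diagram. background_packets models other traffic the
    zombie sends between the two probes, i.e. a zombie that is not actually idle."""
    before = probe_zombie(zombie)                 # 43210 in the page's figure
    target.receive_spoofed_syn(port, zombie)      # may cost the zombie an IP ID (43211)
    for _ in range(background_packets):
        zombie.send()
    after = probe_zombie(zombie)                  # 43212 in the page's figure
    delta = (after - before) % 65536
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"   # busy zombie, lost packets, or a non-incremental IP ID counter

if __name__ == "__main__":
    z = Zombie(43210)
    t = Target(open_ports={80})
    print("port 80:", infer_port_state(z, t, 80))
    print("port 81:", infer_port_state(z, t, 81))
    print("busy zombie:", infer_port_state(z, t, 80, background_packets=5))
```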

  14. Exploiting Exchange (MS05-043): exploit blocked [figure: Host -> IPS/IDS -> Exchange Server]
  • Host sends "XEXCH50 -1 2 \r\n" towards the Exchange Server.
  • IPS/IDS rule: IF "XEXCH50 -1 2" DROP.
  • The exploit is blocked.

  15. Evasion Techniques: IP Fragmentation (MS05-043) [figure: Host -> IPS/IDS -> Exchange Server]
  • Host splits "XEXCH50 -1 2 \r\n" into two fragments, "XEXCH50" and "-1 2 \r\n", sent with TTL = 10 and TTL = 9.
  • IPS/IDS rule: IF "XEXCH50 -1 2" DROP. Neither fragment on its own matches the rule.
  • The Exchange Server reassembles the fragments into "XEXCH50 -1 2".

  16. Evasion Techniques: Traffic Insertion (MS05-043) [figure: Host -> IPS/IDS -> Exchange Server]
  • Host sends the fragments "XEXCH50", "JUNK" and "-1 2 \r\n"; the "JUNK" fragment is sent with TTL = 1, the others with TTL = 9 and TTL = 10.
  • IPS/IDS rule: IF "XEXCH50 -1 2" DROP. The resultant string seen by the IPS/IDS is "XEXCH50 JUNK -1 2", which does not match.
  • The TTL of the "JUNK" fragment expires before it reaches the Exchange Server, which therefore receives "XEXCH50 -1 2".
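Slides 14 to 16 are about the sensor's view of the stream, so the added example below (not part of the presentation) models the IPS/IDS side of all three: per-packet matching, which the fragmentation slide defeats; reassembly before matching, which the insertion slide defeats; and TTL-aware reassembly, which discards packets that cannot reach the protected host before matching. The packet sequences are constructed from the slide labels, the rule string is the page's, and the sensor-to-server distance of 3 hops is an assumption.

```python
from typing import NamedTuple

SIGNATURE = b"XEXCH50 -1 2"           # the page's IPS/IDS rule: IF "XEXCH50 -1 2" DROP

class Segment(NamedTuple):
    data: bytes   # bytes carried by one packet
    ttl: int      # TTL of that packet as seen at the sensor

def naive_match(segments):
    """Per-packet matching: looks for the signature inside each packet on its own."""
    return any(SIGNATURE in s.data for s in segments)

def reassemble(segments, hops_to_target=None):
    """Concatenate the packets in arrival order, as the target would. When the sensor knows
    how many hops remain to the target, packets whose TTL cannot cover that distance are
    discarded first, because the target will never receive them (approximation: a packet
    with TTL t survives t more hops)."""
    return b"".join(s.data for s in segments
                    if hops_to_target is None or s.ttl >= hops_to_target)

def verdict(segments, hops_to_target=None):
    """Rule decision on the reassembled stream."""
    return "drop" if SIGNATURE in reassemble(segments, hops_to_target) else "pass"

# Constructed packet sequences mirroring the page's three slides.
SLIDE14 = [Segment(b"XEXCH50 -1 2 \r\n", 10)]
SLIDE15 = [Segment(b"XEXCH50 ", 10), Segment(b"-1 2 \r\n", 9)]
SLIDE16 = [Segment(b"XEXCH50 ", 10), Segment(b"JUNK ", 1), Segment(b"-1 2 \r\n", 9)]
HOPS_TO_SERVER = 3   # assumed distance from the sensor to the Exchange server

if __name__ == "__main__":
    for name, segs in (("slide 14", SLIDE14), ("slide 15", SLIDE15), ("slide 16", SLIDE16)):
        print(name, "per-packet:", naive_match(segs),
              "reassembled:", verdict(segs),
              "TTL-aware:", verdict(segs, HOPS_TO_SERVER))
```

The TTL-aware path only works when the sensor knows the hop count to each protected host, which is exactly the ambiguity an inline sensor cannot resolve on its own; the usual remedies are to place the sensor adjacent to the servers it protects or to normalise traffic (rewriting TTLs and completing fragment reassembly) before the rule engine sees it.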

  17. Preventing detection (OS fingerprint obfuscation)
  • For Windows: OSfuscate, sec_clock.
  • For Linux: grsec, iplog.
  • For BSD Unix: blackhole, Fingerprint Fucker.

  18. Tools
  • Network scanners: Nmap, Nessus.
  • Misc: Netcat.
  • Simple tools: ping, traceroute.
  • Packet sniffers: Wireshark, tcpdump.
  • Packet crafter: hping2.

  19. Reference
  • http://nmap.org/nmap-fingerprinting-article.txt
  • http://www.zog.net/Docs/nmap.html
  • http://www.grsecurity.net/

  20. Murtuja Bharmal (bharmal.murtuja@gmail.com)
