Lecture 24: Network Primer 7/16/2003 CSCE 590 Summer 2003
tcpdump
• Packet capture and analysis utility
• Default number of bytes captured: 68
• Change with the snaplength option: -s 1518
• If a packet is truncated, the "|" symbol is used in the output
• Does not show the frame header by default
• To enable that: -e
• To see hexadecimal output: -x
• To see hexadecimal output with an ASCII sidebar: -X
tcpdump
• To write a trace to a file instead of standard output, use -w filename
• To read from a trace file, use -r filename
• To choose a network interface to sniff traffic from, use -i interface
• To force tcpdump not to resolve machine names with DNS, use -n
• To force it to also not translate TCP/UDP service port numbers from the /etc/services file, add another 'n': -nn
tcpdump Filters
• There are given keywords or macros for commonly accessed headers in filtering
• To reference a type of header in a packet: ip, tcp, icmp, udp
• To reference a particular byte within that header, use a byte displacement with the type:
• ip[0] - first byte of the IP header (numbering starts from zero)
• tcp[13] - tcp header length
Filters vs. Macros
• Macros are predefined filters
• Must use filters where there are no macros
• Filter format: <protocol header>[offset:length] <relation> <value>
• Macro format: <macro> <value>
• Example: ip[9] = 1
• Byte 9 of the IP header (counting from zero) is the Protocol field, and a value of 1 = ICMP
• Equivalent macro: icmp
More Examples
• tcp[0:2] < 53
• Starting at byte 0 of the TCP header, for 2 bytes (the source port field), with a value less than 53
• tcp and src port < 53 (NOT!!!) - you can't do relational comparisons with macros, you can only give them a value
• udp[6:2] != 0
• ? Your turn
• icmp[0] = 8
• ? Your turn
Common Macros
• host
• net (e.g. 129.252)
• port
• src can modify host, net, and port
• dst can modify host, net, and port
• icmp
• tcp
• udp
• Also: and (&&), not (!), or (||)
Bits and Bytes
• Sometimes you don't want a whole byte (e.g. looking at just a flag)
• So we turn to bit masking (math, eeeww!)
• "AND" unwanted bits with 0 to clear them
• "AND" wanted bits with 1 to keep them
• tcpdump works in hexadecimal, however, so there is some conversion involved
Bit Masking Example
[TCP header diagram, bytes 12 and 13: byte 12 = Hdr Len | Reserved; byte 13 = Reserved | URG ACK PSH RST SYN FIN]
• Let's check for the TCP ACK bit turned on
• It is in byte 13, so we have tcp[13]
• From our TCP header:
  Byte 13 = 0x12 = 0 0 0 1 0 0 1 0
  AND mask       = 0 0 0 1 0 0 0 0 = 0x10
• Complete filter: (tcp[13] & 0x10) != 0
• tcpdump -i eth0 -s 1518 '(tcp[13] & 0x10) != 0'
• What kind of packets match (tcp[13] & 0x10) = 0 ?
Bit Masking Examples
• What do these masks check for?
• (tcp[13] & 0x02) != 0
• tcp[13] = 0xff
• (ip[6] & 0x20) != 0
• Write one to check for either the SYN or FIN bit set
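An added example, not from the lecture: the byte-offset and bit-mask filters from the last few slides written as Python checks and run against constructed IPv4 and TCP headers, so the arithmetic (0x12 AND 0x10, ip[9] = 1, tcp[0:2] < 53) can be verified by hand. The addresses and ports used to build the headers are placeholders.

```python
# Added example (not from the slides): evaluate the slide's tcpdump filters
# against constructed IPv4 + TCP headers to show what each expression tests.
import struct

def build_headers(tcp_flags, proto=6, more_fragments=False, src_port=1745):
    """Constructed 20-byte IPv4 header and 20-byte TCP header (no options)."""
    flags_frag = 0x2000 if more_fragments else 0      # MF bit lands in ip[6] as 0x20
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, flags_frag, 64, proto, 0,
                     bytes([129, 252, 1, 1]), bytes([10, 0, 0, 2]))  # placeholder addresses
    # byte 12 = data offset (5 words) in the upper nibble; byte 13 = the flag bits
    tcp = struct.pack("!HHIIBBHHH", src_port, 53, 0, 0, 0x50, tcp_flags, 2048, 0, 0)
    return ip, tcp

def ack_set(tcp):             # (tcp[13] & 0x10) != 0
    return (tcp[13] & 0x10) != 0

def syn_set(tcp):             # (tcp[13] & 0x02) != 0
    return (tcp[13] & 0x02) != 0

def all_flag_bits_set(tcp):   # tcp[13] = 0xff : every bit, including the two reserved ones
    return tcp[13] == 0xff

def syn_or_fin(tcp):          # (tcp[13] & 0x03) != 0 : SYN is 0x02, FIN is 0x01
    return (tcp[13] & 0x03) != 0

def more_fragments(ip):       # (ip[6] & 0x20) != 0 : the MF bit of the IP flags field
    return (ip[6] & 0x20) != 0

def is_icmp(ip):              # ip[9] = 1 : IP Protocol field
    return ip[9] == 1

def src_port_below_53(tcp):   # tcp[0:2] < 53 : two bytes, big-endian
    return struct.unpack("!H", tcp[0:2])[0] < 53

if __name__ == "__main__":
    ip, tcp = build_headers(0x12)   # 0x12 = 0001 0010 = ACK + SYN, the slide's byte-13 value
    print(f"tcp[13]=0x{tcp[13]:02x}  ACK? {ack_set(tcp)}  SYN? {syn_set(tcp)}  "
          f"SYN|FIN? {syn_or_fin(tcp)}  ICMP? {is_icmp(ip)}")
```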
Another Game of What's Weird?
22:08:38.495489 dns.querier.1745 > dns.nl.53: 42371+ (31)
22:08:48.150706 dns.nl > dns.querier: (frag 63694:30@400)
22:08:48.154481 dns.nl.53 > dns.querier.1745: 42371 6/8/8 (72)(frag 63694:80@0+)
22:08:48.154481 dns.nl > dns.querier: (frag 63694:80@320+)
22:08:48.154490 dns.nl > dns.querier: (frag 63694:80@240+)
22:08:48.156737 dns.nl > dns.querier: (frag 63694:80@160+)
22:08:48.156745 dns.nl > dns.querier: (frag 63694:80@80+)
22:09:08.612886 dns.querier > dns.nl: icmp: ip reassembly time exceeded [tos 0xc0]
What's Weird?
2:19:30.481578 somewhere.nl > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:31.478737 somewhere.au > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:32.478824 somewhere.de > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
2:19:33.478916 somewhere.edu > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
What's Weird?
23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>
Another Trace
23:30:32.704057 beav.32772 > www.sc.edu.33435: [udp sum ok] udp 10 [ttl 1] (id 20523, len 38)
23:30:32.707533 beav.32772 > www.sc.edu.33436: [udp sum ok] udp 10 [ttl 1] (id 20524, len 38)
23:30:32.707760 beav.32772 > www.sc.edu.33437: [udp sum ok] udp 10 [ttl 1] (id 20525, len 38)
23:30:32.708017 beav.32772 > www.sc.edu.33438: [udp sum ok] udp 10 (ttl 2, id 20526, len 38)
23:30:32.712804 beav.32772 > www.sc.edu.33439: [udp sum ok] udp 10 (ttl 2, id 20527, len 38)
23:30:32.713351 beav.32772 > www.sc.edu.33440: [udp sum ok] udp 10 (ttl 2, id 20528, len 38)
23:30:32.713961 beav.32772 > www.sc.edu.33441: [udp sum ok] udp 10 (ttl 3, id 20529, len 38)
23:30:32.719796 beav.32772 > www.sc.edu.33442: [udp sum ok] udp 10 (ttl 3, id 20530, len 38)
23:30:32.720618 beav.32772 > www.sc.edu.33443: [udp sum ok] udp 10 (ttl 3, id 20531, len 38)
What's This?
23:49:23.440874 host.57839 > fozzie.32787: udp 0
23:49:23.440901 host.57839 > fozzie.32775: udp 0
23:49:23.440932 host.57839 > fozzie.32788: udp 0
23:49:23.440943 host.57839 > fozzie.32789: udp 0
23:49:23.440986 host.57839 > fozzie.32791: udp 0
23:49:23.441009 host.57839 > fozzie.32799: udp 0
23:49:23.441027 host.57839 > fozzie.32774: udp 0
23:49:23.441059 host.57839 > fozzie.32781: udp 0
23:49:23.441072 host.57839 > fozzie.32772: udp 0
23:49:23.441080 host.57839 > fozzie.32789: udp 0
23:49:23.441105 host.57839 > fozzie.32800: udp 0
23:49:23.441215 fozzie > host: icmp: fozzie udp port 32788 unreachable (DF)
23:49:23.441269 fozzie > host: icmp: fozzie udp port 32791 unreachable (DF)
23:49:23.441288 fozzie > host: icmp: fozzie udp port 32781 unreachable (DF)
23:49:23.441310 fozzie > host: icmp: fozzie udp port 32789 unreachable (DF)
And This?
23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192
23:46:41.509678 map.edu.39345 > 129.252.41.15.143: S 698735981:698735981(0) win 8192
23:46:53.518688 map.edu.39378 > 129.252.41.14.143: S 698654463:698654463(0) win 8192
23:46:53.923679 map.edu.39379 > 129.252.41.13.143: S 699129230:699129230(0) win 8192
23:46:53.970672 map.edu.39639 > 129.252.41.11.143: S 699129300:699129300(0) win 8192
23:46:53.989649 map.edu.39777 > 129.252.41.10.143: S 699129740:699129740(0) win 8192
23:46:53.994699 map.edu.39791 > 129.252.41.12.143: S 699129768:6991292768(0) win 8192
23:46:53.999670 map.edu.39812 > 129.252.41.9.143: S 699129901:699129901(0) win 8192
What's Weird?
23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512
23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512
23:46:53.518688 map.net.0 > 129.252.41.56.110: SF 698192483:698192483(0) win 512
23:46:53.923679 map.net.0 > 129.252.41.33.110: SF 698192483:698192483(0) win 512
23:46:53.970672 map.net.0 > 129.252.41.119.110: SF 698192483:698192483(0) win 512
23:46:53.989649 map.net.0 > 129.252.41.76.110: SF 698192483:698192483(0) win 512
23:46:53.994699 map.net.0 > 129.252.41.200.110: SF 698192483:698192483(0) win 512
23:46:53.999670 map.net.0 > 129.252.41.15.110: SF 698192483:698192483(0) win 512
What's Strange?
23:46:40.529581 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512
23:46:41.509678 ack.org.23 > 129.252.37.4.23: . ack 698192483 win 512
23:46:53.518688 ack.org.143 > 129.252.41.99.143: . ack 698192483 win 512
23:46:53.923679 ack.org.143 > 129.252.37.4.143: . ack 698192483 win 512
23:46:53.970672 ack.org.110 > 129.252.41.99.110: . ack 698192483 win 512
23:46:53.989649 ack.org.110 > 129.252.37.4.110: . ack 698192483 win 512
23:46:53.994699 ack.org.23 > 129.252.33.7.23: . ack 698192483 win 512
23:46:53.999670 ack.org.23 > 129.252.4.213.23: . ack 698192483 win 512
Anything Unusual?
23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096
23:46:41.509678 scan.net.25820 > 129.252.136.76.23: S 698197881:698197881(4) win 4096
23:46:53.518688 scan.net.47521 > 10.20.98.76.23: S 378192499:378192499(4) win 4096
23:46:53.923679 scan.net.25820 > 129.252.11.76.23: S 69821387:69821387(4) win 4096
23:46:53.970672 scan.net.47521 > 10.20.54.76.23: S 378212490:378212490(4) win 4096
23:46:53.989649 scan.net.47521 > 10.20.223.76.23: S 378212787:378212787(4) win 4096
23:46:53.994699 scan.net.25820 > 129.252.209.76.23: S 69822345:69822345(4) win 4096
23:46:53.999670 scan.net.47521 > 10.20.90.76.23: S 37827658:37827658(4) win 4096
What's Scary?
23:46:40.529581 scanner.net > dns.my.edu: ip-proto-54 44
23:46:41.509678 scanner.net > dns.my.edu: ip-proto-54 44
23:46:53.518688 scanner.net > dns.my.edu: ip-proto-54 44
23:46:53.923679 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.970672 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.989649 scanner.net > firewall.my.edu: ip-proto-54 44
23:46:53.994699 scanner.net > ids.my.edu: ip-proto-54 44
23:46:53.999670 scanner.net > ids.my.edu: ip-proto-54 44
23:46:53.999691 scanner.net > ids.my.edu: ip-proto-54 44
(ip-proto-54 = usually ATM: Next Hop Resolution Protocol)
But that's beside the scary point.
Huh?
router1.com > 129.252.49.0: icmp: time exceeded in-transit
router1.com > 129.252.21.0: icmp: time exceeded in-transit
router1.com > 129.252.78.0: icmp: time exceeded in-transit
router1.com > 129.252.52.0: icmp: time exceeded in-transit
router2.com > 129.252.109.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.1.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.243.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.43.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.66.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.31.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.200.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.212.0: icmp: time exceeded in-transit [tos 0xc0]
router2.com > 129.252.79.0: icmp: time exceeded in-transit [tos 0xc0]
router3.com > 129.252.55.0: icmp: time exceeded in-transit
router3.com > 129.252.111.0: icmp: time exceeded in-transit
router3.com > 129.252.83.0: icmp: time exceeded in-transit
router1.com > 129.252.16.0: icmp: time exceeded in-transit
router1.com > 129.252.156.0: icmp: time exceeded in-transit
WinNuke
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
And This?
3:46:41.529581 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
3:46:41.579678 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.518688 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.923679 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.970672 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.989649 dos.com > 129.252.49.0: (frag 54190:1480@5920+)
3:46:53.994699 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
http://www.cisco.com/warp/public/770/nifrag.shtml
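An added example, not part of the lecture: a small parser for tcpdump's "(frag id:size@offset+)" notation, as seen in the DNS fragment trace and in the trace above, that groups fragments by source, destination and IP id and reports repeated fragments, overlapping fragments, and datagrams that never get a first or final fragment. The sample lines are constructed to mirror the two traces; they are not a real capture.

```python
# Added example (not from the slides): flag suspicious IP fragment streams in
# tcpdump text output by checking each datagram's fragments for repeats,
# overlaps, and a missing first or final fragment.
import re
from collections import defaultdict

# Assumes the bare "src > dst: (frag ...)" form; tcpdump prints ports on the
# first fragment of a datagram, which a fuller parser would strip from src/dst.
FRAG_RE = re.compile(r"(\S+) > (\S+): \(frag (\d+):(\d+)@(\d+)(\+?)\)")

# Constructed sample modelled on the traces above (not a real capture).
SAMPLE = """\
3:46:41.529581 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
3:46:41.579678 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.518688 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.923679 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
3:46:53.970672 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
3:46:53.989649 dos.com > 129.252.49.0: (frag 54190:1480@5920+)
22:08:48.154481 dns.nl > dns.querier: (frag 63694:80@0+)
22:08:48.154481 dns.nl > dns.querier: (frag 63694:80@80+)
22:08:48.150706 dns.nl > dns.querier: (frag 63694:30@160)
"""

def parse_fragments(text):
    """Group (offset, size, more_fragments) tuples per (src, dst, ip_id)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            src, dst, ip_id, size, off, more = m.groups()
            groups[(src, dst, int(ip_id))].append((int(off), int(size), more == "+"))
    return groups

def assess(frags):
    """Return findings for one datagram; an empty list means it looks normal."""
    findings, seen = [], set()
    for off, size, _ in frags:
        if (off, size) in seen:
            findings.append(f"duplicate fragment {size}@{off}")
        seen.add((off, size))
    spans = sorted(set((off, off + size) for off, size, _ in frags))
    for (a0, a1), (b0, b1) in zip(spans, spans[1:]):
        if b0 < a1:                       # next fragment starts inside the previous one
            findings.append(f"overlap between {a0}-{a1} and {b0}-{b1}")
    if not any(off == 0 for off, _, _ in frags):
        findings.append("no first fragment (offset 0) seen")
    if all(more for _, _, more in frags):
        findings.append("no final fragment seen, reassembly cannot complete")
    return findings

def report(text):
    """Map each datagram key to its findings for a whole trace."""
    return {key: assess(frags) for key, frags in parse_fragments(text).items()}
```

Run against a real capture, an empty findings list for a datagram is the normal case; the dos.com stream above produces four findings and the DNS reply none.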
Bad Network Traffic in Other Places
• Web logs
• Traffic monitoring graphs
• Firewall logs
• Intrusion detection systems
• Router syslogs
• I even see attempts against my SSH tunnels!
Slammer
02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]
Nimda
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
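An added example, not from the lecture: a detector for Nimda-style requests in web server access logs like the lines above. It normalises the double-encoded (%255c, %%35%63) and overlong UTF-8 (%c0%af, %c1%9c) path separators before matching, which is why a naive substring match on "../" misses most of these lines. Mapping each overlong sequence to '/' or '\' is an assumption of this example; the sample log lines are constructed from the slide's own requests.

```python
# Added example (not from the slides): flag Nimda-style cmd.exe traversal
# requests in Apache-format access logs after undoing the encoding tricks.
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Overlong / malformed UTF-8 pairs the worm used for '/' and '\' (the forms
# visible on the slide); the mapping to a separator is this example's assumption.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}

def normalize(path):
    """Decode overlong sequences, then two layers of %-encoding (%255c -> %5c -> '\\')."""
    p = path.lower()
    for raw, sep in OVERLONG.items():
        p = p.replace(raw, sep)
    for _ in range(2):                 # second pass unwraps %25-hidden encoding
        p = unquote(p)
    return p.replace("\\", "/")

def is_nimda_probe(path):
    """True when the decoded path reaches cmd.exe via traversal or the winnt tree."""
    p = normalize(path)
    return "cmd.exe" in p and ("../" in p or "/winnt/system32/" in p)

def scan_log(text):
    """Return (client, status, decoded path) for every matching request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_nimda_probe(m.group(4)):
            hits.append((m.group(1), int(m.group(5)), normalize(m.group(4))))
    return hits

# Constructed sample built from the slide's requests plus one benign line.
SAMPLE_LOG = """\
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
10.0.0.5 - - [12/Apr/2002:12:02:00 -0400] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    for client, status, path in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```

Note that every probe on the slide was answered with 403, 404 or 400; the detector is still useful because the client is identified as worm-infected regardless of whether the request succeeded.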
References
• Highly recommended:
• http://www.sans.org/resources/tcpip.pdf