Packets and Protocols Chapter 4 Chapter Four Using Wireshark.
Packets and Protocols Chapter Seven Real World Packet Captures.
-
Upload
samuel-marple -
Category
Documents
-
view
224 -
download
0
Transcript of Packets and Protocols Chapter Seven Real World Packet Captures.
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
ScanningScanning– Usually done by a hacker (white hat or black Usually done by a hacker (white hat or black
hat) to find vulnerabilitieshat) to find vulnerabilities– Can also be part of a worm or other attackCan also be part of a worm or other attack– Attacks are often preceded with a pingAttacks are often preceded with a ping
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file scan1.logReference Capture file scan1.log– TCP Connect Scan AttackTCP Connect Scan Attack
Look for a large number of TCP resets using Look for a large number of TCP resets using the same source port (52218)the same source port (52218)
Filter on <syn ack> Filter on <syn ack> tcp.flags.syn==1&&tcp.flags.ack==1
or tcp.flags==18
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Same port used over and over and overSame port used over and over and over
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file scan1.logReference Capture file scan1.log– SYN Flood AttackSYN Flood Attack
An intruder sends a SYN packet and analyzes the response. If an RST/ACK is received, it indicates that the port is closed. If a SYN/ACK is received, it indicates that the port is open and listening.
Look for a large number of TCP resets and Look for a large number of TCP resets and incrementing port numbersincrementing port numbers
– Filter on <rst ack> Filter on <rst ack> tcp.flags == 0x14
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Does this Does this look look normal???normal???
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file scan1.logReference Capture file scan1.log– XMAS ScanXMAS Scan
“The XMAS scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDS’s more easily than the SYN scans. This XMAS scan sends packets with the Finish (FIN), Push (PSH), and Urgent (URG) flags set.”
Harder to detect, but the key is to look for patterns
Works well against Windows systems
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
tcp.flags == 0x29 (i.e. fin, psh, urg)tcp.flags == 0x29 (i.e. fin, psh, urg)
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file scan1.logReference Capture file scan1.log– NULL ScanNULL Scan
“The Null scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDS’s more easily than the SYN scans. This Null scan sends packets with all flags turned off. Closed ports will respond with an RST/ACK, and open ports will drop the packet and not respond.”
Harder to detect, but the key is to look for patterns
Not affective against Windows systems, but works on Cisco, HP UX MVS, etc
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
tcp.flags == 0x0 (i.e. no TCP flags)tcp.flags == 0x0 (i.e. no TCP flags)
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file scan2.logReference Capture file scan2.log– Remote Access Trojan Horse ScansRemote Access Trojan Horse Scans
Subseven legend scanSubseven legend scan– Very common, easy to detect, but there Very common, easy to detect, but there
are many variationsare many variations– Attacks a windows backdoor vulnerabilityAttacks a windows backdoor vulnerability
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Exploits port 27374 (tcp.dstport == 27374)Exploits port 27374 (tcp.dstport == 27374)
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file netbus.logReference Capture file netbus.log– Remote Access Trojan Horse ScansRemote Access Trojan Horse Scans
Netbus scanNetbus scan– Very common, easy to detect, but there Very common, easy to detect, but there
are many variationsare many variations– Attacks a windows backdoor vulnerabilityAttacks a windows backdoor vulnerability
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Exploits port 12345 and 12346 (tcp.dstport == 27374)Exploits port 12345 and 12346 (tcp.dstport == 27374)
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file scan2.logReference Capture file scan2.log– RST.bRST.b
Affects LINUX systemsAffects LINUX systems– Look for the word “DOM” in the payloadLook for the word “DOM” in the payload
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Search for “DOM” with the find toolSearch for “DOM” with the find tool
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Worms!Worms!– Becoming more Becoming more
commoncommon– Getting Getting
smarter smarter – Multiple Multiple
vulnerabilitiesvulnerabilities
– Ability to propagate faster than everAbility to propagate faster than ever
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
SQL/SlammerSQL/SlammerReference Capture file scan3.log Reference Capture file scan3.log
January 25, 2003.It exploits a vulnerability in the Resolution
Service of Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file scan3.logReference Capture file scan3.log– SlammerSlammer
Affects LINUX systemsAffects LINUX systems– Look for the word “DOM” in the payloadLook for the word “DOM” in the payload
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file:Reference Capture file: CodeRed_Stage1CodeRed_Stage1
and and
CodeRed_Stage2CodeRed_Stage2
– Code RedCode RedSeveral variantsSeveral variantsAttacks IIS web servers and causes a Attacks IIS web servers and causes a
buffer overflowbuffer overflow
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Look for the string “GET /default.ida?NNNNNNNN”Look for the string “GET /default.ida?NNNNNNNN”
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Reference Capture file Reference Capture file ramenattack.gz– RamenRamen
Targets Red Hat Linux 6.2 and Red Hat Linux 7.0
Easy to detect, make no attempt at Easy to detect, make no attempt at stealthstealth
Search for the word “ramen”Search for the word “ramen”
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Attempts to create a /usr/scr.poop Attempts to create a /usr/scr.poop directorydirectory
Encourages people to eat ramen noodlesEncourages people to eat ramen noodles
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Active responses to attacksActive responses to attacks– Snort and other IDS systems can stop Snort and other IDS systems can stop
attacks by sending a TCP fin to the attacks by sending a TCP fin to the attacker and closing the TCP streamattacker and closing the TCP stream It can then notify the administrator of an It can then notify the administrator of an
attackattack
– Firewalls can stop the attacks by Firewalls can stop the attacks by trashing the packetstrashing the packets It can then notify the administrator of an It can then notify the administrator of an
attackattack
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Kowalski Virus mitigation theoryKowalski Virus mitigation theory– DisconnectDisconnect– Filter at the borderFilter at the border– Clean the LAN(s)Clean the LAN(s)– Reopen the borderReopen the border– Monitor, monitor, monitorMonitor, monitor, monitor
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Virus detection tips:Virus detection tips:– Look for patternsLook for patterns
Same portSame port Incrementing portIncrementing port
– Look for unusual TCP flagsLook for unusual TCP flags Fin – rst – pshFin – rst – psh No flagsNo flags
– Sniffer companies will post filters for your use Sniffer companies will post filters for your use so you can detect if you are infectedso you can detect if you are infected
– Look for unusual protocolsLook for unusual protocols
Packets and ProtocolsPackets and ProtocolsChapter 7Chapter 7
Virus Prevention TipsVirus Prevention Tips– Most attacks can be thwarted by Most attacks can be thwarted by
keeping your patches up to datekeeping your patches up to date– Some viruses have common embedded Some viruses have common embedded
stings and are easy to detectstings and are easy to detect– Use a firewall or IDSUse a firewall or IDS– TURN OFF OR BLOCK WHAT YOU DO TURN OFF OR BLOCK WHAT YOU DO
NOT NEED!NOT NEED!