Packets and Protocols Recognizing Attacks with the protocol analyzer.


Transcript of Packets and Protocols Recognizing Attacks with the protocol analyzer.

Page 1: Packets and Protocols Recognizing Attacks with the protocol analyzer.

Packets and Protocols

Recognizing Attacks with the protocol analyzer

Page 2: Packets and Protocols Recognizing Attacks with the protocol analyzer.

Packets and Protocols – Recognizing attacks

Hacker tools
– Many tools exist
– Most are freeware
– Many are simply adaptations of existing features/tools in the operating system: Ping, Trace route, Nbtstat, nslookup

Page 3: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Ping
– Uses ICMP
– Many options exist for the ping command

Page 4: Packets and Protocols Recognizing Attacks with the protocol analyzer.

C:\WINDOWS>ping

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

Page 5: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Trace route
– Uses ICMP Type 8, Type 0 and TTL
– Sends Type 8 w/TTL=1 -> Receives TTL expired -> Sends Type 8 w/TTL=2 -> Receives TTL expired
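The exchange on this slide, modelled in Python as an added example (this is not code from the original deck). Both sides are shown: the sender raising the TTL by one per probe, and the network answering with "TTL expired" (ICMP Type 11, Time Exceeded, which the slide does not name) until the destination itself answers with Type 0. A third function shows what the same sequence looks like from the analyst's side of a capture. The router addresses, the probing host and the hop count are constructed for illustration.

```python
# Added example (not from the original slide deck): a model of the trace
# route exchange the slide describes, plus an analyst-side check for the
# pattern it leaves in a capture. Addresses are constructed documentation
# ranges; the "TTL expired" message on the slide is ICMP Type 11.
ICMP_ECHO_REQUEST = 8    # slide: "Type 8", sent by the tracing host
ICMP_ECHO_REPLY = 0      # slide: "Type 0", sent by the final destination
ICMP_TIME_EXCEEDED = 11  # slide: "TTL expired", sent by the hop that drops the probe

# Constructed path: three routers, then the destination host.
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1", "203.0.113.50"]


def forward(path, ttl):
    """Network side: every router decrements TTL; the one that takes it to
    zero discards the probe and answers Time Exceeded. A probe that survives
    all routers reaches the destination, which answers Echo Reply."""
    for router in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return router, ICMP_TIME_EXCEEDED
    return path[-1], ICMP_ECHO_REPLY


def trace_route(path, max_hops=30):
    """Sender side: probe with TTL 1, 2, 3, ... until an Echo Reply arrives.
    Returns the exchange as (ttl, responder, icmp_type) tuples."""
    exchange = []
    for ttl in range(1, max_hops + 1):
        responder, icmp_type = forward(path, ttl)
        exchange.append((ttl, responder, icmp_type))
        if icmp_type == ICMP_ECHO_REPLY:
            break
    return exchange


def looks_like_trace_route(echo_requests):
    """Analyst side: a run of Echo Requests from one source to one
    destination whose TTLs start at 1 and climb by one each time is a trace
    route in progress. Input is a list of (src, dst, ttl) tuples taken from
    the capture in arrival order."""
    if len(echo_requests) < 3:
        return False
    if len({(s, d) for s, d, _ in echo_requests}) != 1:
        return False
    ttls = [ttl for _, _, ttl in echo_requests]
    return ttls[0] == 1 and all(b - a == 1 for a, b in zip(ttls, ttls[1:]))


if __name__ == "__main__":
    for ttl, who, kind in trace_route(PATH):
        print(f"TTL={ttl}: {who} answered ICMP type {kind}")
    # the same probes as an analyst would pull them out of a capture
    probes = [("10.0.0.5", "203.0.113.50", h[0]) for h in trace_route(PATH)]
    print("trace route pattern in capture:", looks_like_trace_route(probes))
```

Run as a script it prints one line per hop; the last line is the destination answering Type 0, which is what ends the trace. The analyst-side check is deliberately narrow (TTL starting at 1 and rising by exactly one) so that ordinary pings, which use a fixed large TTL, do not match.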

Page 6: Packets and Protocols Recognizing Attacks with the protocol analyzer.


NBTStat
– Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
– Yet another way a hacker can gather data to be used against you

Page 7: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Nslookup
– DNS tool used to resolve IP addresses to names and to report the DNS server servicing the request.
– Similar to ping -a

Page 8: Packets and Protocols Recognizing Attacks with the protocol analyzer.


There are many tools already written that bring together these common utilities
– Common hacker tools can be found at Sourceforge

Page 9: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Sam Spade
– GUI tool used for gathering information from Websites

Page 10: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Ping sweep tools
– Used to discover IP addresses on networks by using ICMP and ARP

Page 11: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Port scan tools
– Used to find what ports are open on what devices
– Can scan sequentially or randomly

Page 12: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Cain and Abel
– Good multipurpose tool for cross-platform vulnerability checks

Page 13: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Zenmap
– Another multipurpose tool to gather information against network nodes

Page 14: Packets and Protocols Recognizing Attacks with the protocol analyzer.


SNMP Sweeps – Two types
– Brute force – Simple guessing program. Starts with the password of a, then b -> z, then aa, ab, ac -> zz, then aaa, aab, etc.
– Dictionary – Uses a pre-made list of common words or phrases

Page 15: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Brute Force

Page 16: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Dictionary Attack

Page 17: Packets and Protocols Recognizing Attacks with the protocol analyzer.


What to look for:
– Ping sweep: Look for an inordinate amount of ICMP traffic
– Port scan: Look for incrementing destination ports
– SNMP attack: Look for a sudden burst of SNMP traffic and monitor the community field in the capture
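The three indicators on this slide, turned into detection logic and run over a constructed capture, as an added example (not code from the original deck). Each record is a simplified packet summary of the kind a protocol analyzer export would give: timestamp, source, destination, protocol, destination port, and an extra field that holds the ICMP type for ICMP packets or the community string for SNMP packets. The addresses, the traffic itself and the thresholds are assumptions chosen for illustration; in practice the thresholds are tuned to the network's normal baseline.

```python
# Added example (not from the original slide deck): the three "what to look
# for" heuristics applied to a constructed capture. Each record is
# (timestamp, src, dst, proto, dport, extra); `extra` carries the ICMP type
# for ICMP packets and the community string for SNMP packets. Thresholds
# and addresses are assumptions for illustration.
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
SNMP_PORT = 161

# Constructed capture (not real traffic).
CAPTURE = (
    # ping sweep: one host probing 40 addresses in under half a second
    [(1.0 + i * 0.01, "10.0.0.5", f"10.0.0.{i}", "icmp", None, ICMP_ECHO_REQUEST)
     for i in range(1, 41)]
    # one ordinary echo reply
    + [(1.5, "10.0.0.1", "10.0.0.5", "icmp", None, 0)]
    # sequential port scan of 10.0.0.20, ports 20 through 59
    + [(2.0 + p * 0.001, "10.0.0.9", "10.0.0.20", "tcp", p, None) for p in range(20, 60)]
    # ordinary HTTPS traffic to the same server
    + [(3.0, "10.0.0.7", "10.0.0.20", "tcp", 443, None),
       (3.1, "10.0.0.7", "10.0.0.20", "tcp", 443, None)]
    # SNMP burst: many different community strings against one agent
    + [(4.0 + i * 0.005, "10.0.0.9", "10.0.0.30", "udp", SNMP_PORT, c)
       for i, c in enumerate(["public", "private", "a", "b", "c", "aa", "ab",
                              "admin", "cisco", "snmp", "manager", "secret"])]
)


def _distinct_in_window(events, window):
    """Largest set of distinct values seen within `window` seconds of any
    one event; `events` is a list of (timestamp, value) pairs."""
    events = sorted(events)
    best = set()
    for i, (t0, _) in enumerate(events):
        seen = {v for t, v in events[i:] if t - t0 <= window}
        if len(seen) > len(best):
            best = seen
    return best


def detect_ping_sweep(capture, threshold=20, window=1.0):
    """Ping sweep: one source sending ICMP echo requests to an inordinate
    number of distinct destinations in a short window."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, _dport, extra in capture:
        if proto == "icmp" and extra == ICMP_ECHO_REQUEST:
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        targets = _distinct_in_window(events, window)
        if len(targets) > threshold:
            alerts.append((src, len(targets)))
    return alerts


def detect_port_scan(capture, threshold=15):
    """Port scan: one source touching many distinct destination ports on
    one host; reports whether the ports increment (sequential) or not."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, dport, _extra in capture:
        if proto == "tcp" and dport is not None:
            by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in by_pair.items():
        ports = [p for _, p in sorted(events)]  # arrival order
        if len(set(ports)) > threshold:
            sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
            alerts.append((src, dst, len(set(ports)),
                           "sequential" if sequential else "random"))
    return alerts


def detect_snmp_attack(capture, threshold=5, window=2.0):
    """SNMP attack: a burst of SNMP packets to one agent whose community
    field keeps changing, which is what a brute-force or dictionary run
    against the community string looks like in a capture."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, dport, extra in capture:
        if proto == "udp" and dport == SNMP_PORT and extra is not None:
            by_pair[(src, dst)].append((ts, extra))
    alerts = []
    for (src, dst), events in by_pair.items():
        communities = _distinct_in_window(events, window)
        if len(communities) > threshold:
            alerts.append((src, dst, len(communities)))
    return alerts


def analyse(capture):
    """Run all three checks and return their alerts keyed by attack type."""
    return {
        "ping_sweep": detect_ping_sweep(capture),
        "port_scan": detect_port_scan(capture),
        "snmp_attack": detect_snmp_attack(capture),
    }


if __name__ == "__main__":
    for kind, alerts in analyse(CAPTURE).items():
        print(kind, alerts)
```

The port-scan check keeps the packets in arrival order before testing for a +1 step between consecutive ports, which is how it tells the "incrementing destination ports" pattern from a randomised scan; the ordinary HTTPS connections to the same server never exceed the distinct-port threshold. The SNMP check counts distinct community strings rather than raw packet volume, so a legitimate poller that repeats one community string at high rate does not trip it.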

Page 18: Packets and Protocols Recognizing Attacks with the protocol analyzer.


How to defend:
– Ping: Filter out unwanted ICMP types
– Port scan: Lock down devices and turn off unneeded applications and ports
– SNMP attacks: Use strong passwords

Page 19: Packets and Protocols Recognizing Attacks with the protocol analyzer.


Page 20: Packets and Protocols Recognizing Attacks with the protocol analyzer.


The best solution? – Get an IDS/IPS
– Intrusion detection system – passive
– Intrusion prevention system – active