Packets and Protocols Recognizing Attacks with the protocol analyzer.
Packets and Protocols
Recognizing Attacks with the protocol analyzer

Packets and Protocols – Recognizing attacks
Hacker tools
– Many tools exist
– Most are freeware
– Many are simply adaptations of existing features/tools in the operating system
  – Ping
  – Trace route
  – Nbtstat
  – nslookup
Ping
– Uses ICMP
– Many options exist for the ping command

    C:\WINDOWS>ping

    Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
                [-r count] [-s count] [[-j host-list] | [-k host-list]]
                [-w timeout] target_name

    Options:
        -t             Ping the specified host until stopped.
                       To see statistics and continue - type Control-Break;
                       To stop - type Control-C.
        -a             Resolve addresses to hostnames.
        -n count       Number of echo requests to send.
        -l size        Send buffer size.
        -f             Set Don't Fragment flag in packet.
        -i TTL         Time To Live.
        -v TOS         Type Of Service.
        -r count       Record route for count hops.
        -s count       Timestamp for count hops.
        -j host-list   Loose source route along host-list.
        -k host-list   Strict source route along host-list.
        -w timeout     Timeout in milliseconds to wait for each reply.
Trace route
– Uses ICMP Type 8, Type 0 and TTL
  – Sends Type 8 w/TTL=1
  – Receives TTL expired
  – Sends Type 8 w/TTL=2
  – Receives TTL expired
  – ... and so on until the target itself answers with a Type 0 echo reply
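The exchange the slide describes, as an added simulation that is not part of the original slides: each router on a constructed path decrements the TTL and, when it reaches zero, discards the probe and answers with an ICMP Time Exceeded (Type 11, the "TTL expired" message on the slide); only the target answers the Type 8 echo request with a Type 0 echo reply. The path and addresses are constructed sample values.

```python
# Constructed sample path (not a real network): transit routers in order, then the target.
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
TARGET = "203.0.113.50"

ECHO_REQUEST, ECHO_REPLY, TIME_EXCEEDED = 8, 0, 11   # ICMP message types


def forward(ttl, path, target):
    """Simulate the Type 8 probe crossing the path with the given starting TTL.

    Returns (responder_address, icmp_type_of_the_answer).
    """
    for router in path:
        ttl -= 1                       # every router decrements TTL before forwarding
        if ttl == 0:
            return router, TIME_EXCEEDED   # router drops the probe and reports back
    return target, ECHO_REPLY          # probe survived the whole path: target replies


def traceroute(path, target, max_hops=30):
    """Send Type 8 probes with TTL=1, 2, 3, ... until a Type 0 echo reply arrives.

    Returns the list of (ttl, responder, icmp_type) tuples, i.e. the hop list a
    traceroute tool prints.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, icmp_type = forward(ttl, path, target)
        hops.append((ttl, responder, icmp_type))
        if icmp_type == ECHO_REPLY:    # target reached: stop probing
            break
    return hops


if __name__ == "__main__":
    for ttl, who, kind in traceroute(PATH, TARGET):
        label = "echo reply (Type 0)" if kind == ECHO_REPLY else "TTL expired (Type 11)"
        print(f"TTL={ttl:2d}  {who:16s}  {label}")
```

Seen in a protocol analyzer, this is the signature of a trace: a run of echo requests from one host whose TTL increments by one per probe, each answered by a Time Exceeded from a different router.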
NBTStat
– Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
– Yet another way a hacker can gather data to be used against you
Nslookup
– DNS tool used to resolve IP addresses to names and to report the DNS server servicing the request.
– Similar to ping -a
There are many tools already written that bring together these common utilities
– Common hacker tools can be found at Sourceforge
Sam Spade
– GUI tool used for gathering information from Websites
Ping sweep tools
– Used to discover IP addresses on networks by using ICMP and ARP
Port scan tools
– Used to find what ports are open on what devices
– Can scan sequentially or randomly
Cain and Abel
– Good multipurpose tool for cross-platform vulnerability checks
Zenmap
– Another multipurpose tool to gather information against network nodes
SNMP Sweeps
– Two types
  – Brute force – Simple guessing program
    Starts with the password of a, then b -> z, then aa, ab, ac -> zz, then aaa, aab, etc.
  – Dictionary – Uses a pre-made list of common words or phrases
Brute Force (slide illustration not captured in the transcript)

Dictionary Attack (slide illustration not captured in the transcript)
What to look for:
– Ping sweep: Look for an inordinate amount of ICMP traffic
– Port scan: Look for incrementing destination ports
– SNMP attack: Look for a sudden burst of SNMP traffic and monitor the community field in the capture
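The three indicators above turned into detection logic, as an added example that is not part of the original slides: it runs over a constructed list of packet summaries (the kind of fields a protocol analyzer shows for each frame) and raises one alert per source for a ping sweep (one source sending echo requests to many destinations), a port scan (one source walking incrementing destination ports on one host) and an SNMP sweep (one source sending many SNMP requests with varying community strings). Addresses, thresholds and community strings are constructed sample values.

```python
from collections import defaultdict

# Packet summary: (src, dst, proto, dst_port, extra)
# extra is the ICMP type for "icmp" packets, the community string for SNMP (udp/161), else None.

# Constructed sample capture (not real traffic).
SWEEP  = [("10.0.0.5", f"10.0.0.{i}", "icmp", None, 8) for i in range(10, 30)]   # 20 echo requests
SCAN   = [("10.0.0.7", "10.0.0.20", "tcp", p, None) for p in range(20, 40)]    # ports 20..39 in order
SNMP   = [("10.0.0.9", "10.0.0.1", "udp", 161, c)
          for c in ("public", "private", "a", "b", "c", "admin")]              # community guessing
NORMAL = [("10.0.0.11", "10.0.0.1", "icmp", None, 8),    # a single ordinary ping and its reply
          ("10.0.0.1", "10.0.0.11", "icmp", None, 0),
          ("10.0.0.11", "10.0.0.1", "tcp", 443, None),    # one HTTPS connection
          ("10.0.0.11", "10.0.0.2", "udp", 161, "public")]  # one legitimate SNMP poll
PACKETS = SWEEP + SCAN + SNMP + NORMAL


def detect(packets, sweep_hosts=8, scan_ports=8, snmp_requests=5):
    """Return a list of (alert_kind, source, detail) tuples found in the packet list."""
    echo_targets = defaultdict(set)    # src -> destinations that received an echo request
    tcp_ports = defaultdict(list)      # (src, dst) -> destination ports in capture order
    communities = defaultdict(list)    # src -> community strings sent to udp/161

    for src, dst, proto, dport, extra in packets:
        if proto == "icmp" and extra == 8:
            echo_targets[src].add(dst)
        elif proto == "tcp":
            tcp_ports[(src, dst)].append(dport)
        elif proto == "udp" and dport == 161:
            communities[src].append(extra)

    alerts = []
    for src, dsts in echo_targets.items():          # inordinate ICMP: many hosts probed
        if len(dsts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(dsts)))
    for (src, dst), ports in tcp_ports.items():     # incrementing destination ports
        increments = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
        if increments + 1 >= scan_ports:
            alerts.append(("port_scan", src, dst))
    for src, comms in communities.items():          # burst of SNMP with varying communities
        if len(comms) >= snmp_requests:
            alerts.append(("snmp_sweep", src, len(set(comms))))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(PACKETS):
        print(f"{kind:11s} from {src:10s} detail={detail}")
```

The thresholds are deliberately low so the sample fires; on a real capture they should be tuned to the network's normal ICMP, scan-like and SNMP polling volume, and the community strings themselves reviewed in the capture rather than only counted.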
How to defend:
– Ping: Filter out unwanted ICMP types
– Port scan: Lock down devices and turn off unneeded applications and ports
– SNMP attacks: Use strong passwords
The best solution?
– Get an IDS/IPS
  – Intrusion detection system – passive
  – Intrusion prevention system – active