packet_gen_scan


Packet Manipulation
CE 340 / S. Kondakcı, IEU, Computer Engineering
Topics Covered
• Scapy
• Nmap
• Nping
• tcpdump
UDP Packet Header
IP Packet Header
Datalink/Physical (MAC) Packet
Scapy Packet Manipulation
• Creating a packet
• Sending/receiving packets
• Basic Scapy commands
• Capturing packets (and reading packet capture files into Scapy)
• Layering packets
• More examples
The First Step
1. Install Python 3.5+
2. Download and install Scapy
3. (Optional): Install additional software for
special features.
4. Run Scapy with root privileges.
Hello World
send(IP(dst="127.0.0.1")/ICMP()/"HelloWorld")
• send - this tells Scapy that you want to send a packet (just a single packet)
• IP - the protocol of the packet you want to create
• (dst="127.0.0.1") - the destination IP to send the packet to
• /ICMP() - create an ICMP packet with the default values provided by Scapy
• /"HelloWorld" - the payload to include in the ICMP packet
Wireshark Capture
Scapy command: send(IP(dst="127.0.0.1")/ICMP()/"HelloWorld")
Wireshark capture:
Internet Protocol Version 4, Src: 127.0.0.12
(127.0.0.12), Dst: 127.0.0.1 (127.0.0.1)
Protocol: ICMP
Data: 48656c6c6f576f726c64 or HelloWorld
Example: Fabricate an ICMP Packet
send(IP(src="127.0.0.1", dst="127.0.0.1", ttl=128)/ICMP()/"HelloWorld")
Wireshark:
Internet Protocol Version 4, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Time to live: 128
What does this ICMP packet mean?
Internet Protocol Version 4, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Sending a ping packet
from scapy.all import *  # Not needed inside the interactive Scapy shell
ip=IP()                  # Create an IP header
ip.src='192.168.1.25'    # Source address in the IP header (the local IP)
ip.dst='192.168.1.100'   # Destination address in the IP header
icmp=ICMP()              # Create an ICMP header
icmp.type=8              # Type value inserted in the ICMP header: 8 for echo request (ping)
icmp.code=0              # Code value inserted in the ICMP header: 0 for echo request
send(ip/icmp)            # Send the ping packet
Sending a ping packet with random source
IP
ip=IP()                  # Create an IP header
ip.src=RandIP()          # Source address in the IP header is a random IP
ip.dst='192.168.1.100'   # Destination address in the IP header
icmp=ICMP()              # Create an ICMP header
icmp.type=8              # Type value inserted in the ICMP header: 8 for echo request (ping)
icmp.code=0              # Code value inserted in the ICMP header: 0 for echo request
send(ip/icmp)            # Send the ping packet
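To see what Scapy actually puts on the wire for IP()/ICMP()/"HelloWorld", here is the same echo request assembled by hand with only the Python standard library, plus a decoder that verifies both checksums the way Wireshark does. This is an added example, not code from the slides; the addresses are the ones used in the slide's script and the identifier values are constructed.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (IP and ICMP use the same algorithm)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(payload: bytes, icmp_type: int = 8, ident: int = 0, seq: int = 0) -> bytes:
    """ICMP header = type, code, checksum, identifier, sequence; type 8 / code 0 is echo request."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 1) -> bytes:
    """20-byte IPv4 header without options; the checksum covers the header only."""
    fmt = "!BBHHHBBH4s4s"
    fields = [0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(fmt, *fields))
    return struct.pack(fmt, *fields) + payload

def ping_packet(src: str, dst: str, payload: bytes = b"HelloWorld", ttl: int = 64) -> bytes:
    """Wire form of Scapy's IP(src=..., dst=..., ttl=...)/ICMP()/payload (protocol 1 = ICMP)."""
    return build_ipv4(src, dst, 1, build_icmp_echo(payload), ttl=ttl)

def parse_ping(packet: bytes) -> dict:
    """Decode an IPv4/ICMP packet like show() or Wireshark would, and verify both checksums."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:total_len]
    itype, icode, _icsum, _iid, _iseq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "version": ver_ihl >> 4,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "len": total_len,
        # recomputing the sum over data that includes a correct checksum folds to zero
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "icmp_type": itype,
        "icmp_code": icode,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload": icmp[8:],
    }

if __name__ == "__main__":
    pkt = ping_packet("192.168.1.25", "192.168.1.100")
    print(pkt.hex())
    print(parse_ping(pkt))
```

The packet comes out at 38 bytes (20 IP + 8 ICMP + 10 payload), which is the len= 38 that show() reports on the next slides, and the payload hex is the 48656c6c6f576f726c64 seen in the Wireshark capture. Flipping any byte makes the matching checksum check fail, which is why a receiver discards a packet whose header was corrupted in transit.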
Sending & Receiving Layer 3 and 2
Packets
• sr() – This function sends packets and receives answers. It returns a couple: the list of (packet, answer) pairs and the list of unanswered packets.
• sr1() – This variant only returns the one packet that answered the packet you sent.
• Example: simple ICMP packet (layer 3)
h=sr1(IP(dst="127.0.0.1")/ICMP()/"HelloWorld")
• srp() – This function does the same for layer 2 packets (Ethernet, 802.3, etc.).
Show the Packet Contents
h=sr1(IP(dst="127.0.0.1")/ICMP()/"HelloWorld")
h.show()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 38
id= 7395
flags=
frag= 0L
ttl= 64
proto= icmp
chksum= 0x83d7
src= 127.0.0.1
dst= 127.0.0.1
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0x0
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'HelloWorld'
###[ Padding ]###
load=
'\x00\x00\x00\x00\xe7\x03N\x99'
>>>
Show the TTL of the ICMP reply packet
ip=IP()                  # Create an IP header
ip.src='192.168.1.25'    # Source address in the IP header is the local IP
ip.dst='192.168.1.100'   # Destination address in the IP header
icmp=ICMP()              # Create an ICMP header
icmp.type=8              # Type value inserted in the ICMP header: 8 for echo request (ping)
icmp.code=0              # Code value inserted in the ICMP header: 0 for echo request
p=sr1(ip/icmp)           # Send the packet and store the reply in the variable p
p.ttl                    # Display the TTL value in the IP header of the received packet
Create an ARP request
ether=Ether()                   # Create an Ethernet header
ether.src='00:e0:1c:3c:22:b4'   # Source MAC address in the Ethernet header
ether.dst='FF:FF:FF:FF:FF:FF'   # Destination MAC address (broadcast)
arp=ARP()                       # Create an ARP header
arp.op=1                        # Set the ARP operation to 1 (request)
arp.hwsrc='00:e0:1c:3c:22:b4'   # Set the sender MAC address for the local IP
arp.psrc='192.168.1.25'         # Set the sender IP address for that MAC address
arp.pdst='192.168.1.100'        # Set the target IP address
arp.hwdst='00:00:00:00:00:00'   # Set the target MAC address as NULL (not yet known)
p=srp1(ether/arp)               # Send at layer 2 with srp1, stacking the ether and arp headers
TCP Connection Establishment
Normal TCP Handshake
Client ---- SYN -----> Server
Client <--- SYN/ACK -- Server
Client ---- ACK -----> Server
After this, you are ready to send data
SYN Port Scan
Client ---- SYN -----> Server
Client <--- SYN/ACK -- Server
Client ---- RST -----> Server
The server is ready, but the client decided not to complete the handshake
UDP Scanning
• No handshake, so less useful than TCP scans
• Much more powerful in newer versions of
Nmap
• Sends valid UDP requests to well-known ports
– Send a DNS query to port 53, etc.
• Response indicates open UDP port
TCP Packets
p=sr(IP(dst="127.0.0.1")/TCP(dport=23))
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> p
(<Results: TCP:1 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>>
If you try and use p.show() you now get an error message:
>>> p.show()
Traceback (most recent call last):
File <console> , line 1, in <module>
AttributeError: 'tuple' object has no attribute 'show'
>>> ans,unans=p
>>> ans.summary()
IP / TCP 127.0.0.1:ftp_data > 127.0.0.1:telnet S ==> IP / TCP 127.0.0.1:telnet > 127.0.0.1:ftp_data RA / Padding
TCP Packets
a=sr(IP(dst="127.0.0.1")/TCP(dport=[23,80,53]))
Begin emission:
.**Finished to send 3 packets.
*
Received 4 packets, got 3 answers, remaining 0 packets
>>> a
(<Results: TCP:3 UDP:0 ICMP:0 Other:0>,
<Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>>
TCP SYN to port 80
tcp=TCP()                # Create a TCP header
tcp.dport=80             # The destination port in the TCP header is 80
tcp.flags='S'            # Set the SYN bit in the TCP flags
ip=IP()                  # Create an IP header
ip.src='192.168.1.25'    # Source address in the IP header is the local IP address
ip.dst='192.168.1.100'   # Destination address in the IP header
send(ip/tcp)             # Send the crafted TCP packet
Details of the TCP packet
>>> p
(<Results: TCP:3 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>>
>>> ans,unans=_
>>> ans.summary()
IP / TCP 127.0.0.1:ftp_data > 127.0.0.1:telnet S ==> IP / TCP 127.0.0.1:telnet > 127.0.0.1:ftp_data RA / Padding
IP / TCP 127.0.0.1:ftp_data > 127.0.0.1:http S ==> IP / TCP 127.0.0.1:http > 127.0.0.1:ftp_data SA / Padding
IP / TCP 127.0.0.1:ftp_data > 127.0.0.1:domain S ==> IP / TCP 127.0.0.1:domain > 127.0.0.1:ftp_data SA / Padding
>>>
The http (port 80) packet
IP / TCP 127.0.0.15:ftp_data > 127.0.0.1:http S ==> IP / TCP 127.0.0.1:http > 127.0.0.15:ftp_data SA / Padding
S = SYN from the client (request from the client)
SA = SYN-ACK from the server (reply from the server)
The telnet (port 23) Packet
IP / TCP 127.0.0.1:ftp_data > 127.0.0.1:telnet S ==> IP / TCP 127.0.0.1:telnet > 127.0.0.1:ftp_data RA / Padding
SYN sent from the source
Destination responded with RST-ACK (RA), the RESet and ACKnowledge flags set in the TCP header, telling the source to reset the connection
Port Scan (TCP-SYN Scan)
a=sr(IP(dst="127.0.0.1")/TCP(sport=666,dport=[22,80,21,443], flags="S"))
Source port = 666
Destination ports: 22, 80, 21, and 443
flags="S" = SYN scan
Port Scan (TCP-SYN Scan) cont’d
>>> p=sr(IP(dst="127.0.0.1")/TCP(sport=666,dport=[22,80,21,443], flags="S"))
Begin emission:
***Finished to send 4 packets.
*
Received 4 packets, got 4 answers, remaining 0 packets
>>> p
(<Results: TCP:4 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> ans,unans=_
>>> ans.summary()
IP / TCP 127.0.0.15:666 > 127.0.0.1:ssh S ==> IP / TCP 127.0.0.1:ssh > 127.0.0.15:666 SA / Padding
IP / TCP 127.0.0.15:666 > 127.0.0.1:http S ==> IP / TCP 127.0.0.1:http > 127.0.0.15:666 SA / Padding
IP / TCP 127.0.0.15:666 > 127.0.0.1:ftp S ==> IP / TCP 127.0.0.1:ftp > 127.0.0.15:666 RA / Padding
IP / TCP 127.0.0.15:666 > 127.0.0.1:https S ==> IP / TCP 127.0.0.1:https > 127.0.0.15:666 RA / Padding
>>>
TCP ACK flag sent after SYN flag
>>> p=sr(IP(dst="127.0.0.1")/TCP(sport=888,dport=[21,22,80,443], flags="A"))
Begin emission:
.***Finished to send 4 packets.
*
Received 5 packets, got 4 answers, remaining 0 packets
>>> p
(<Results: TCP:4 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> ans,unans=_
>>> ans.summary()
IP / TCP 127.0.0.15:888 > 127.0.0.1:ftp A ==> IP / TCP 127.0.0.1:ftp > 127.0.0.15:888 R / Padding
IP / TCP 127.0.0.15:888 > 127.0.0.1:ssh A ==> IP / TCP 127.0.0.1:ssh > 127.0.0.15:888 R / Padding
IP / TCP 127.0.0.15:888 > 127.0.0.1:http A ==> IP / TCP 127.0.0.1:http > 127.0.0.15:888 R / Padding
IP / TCP 127.0.0.15:888 > 127.0.0.1:https A ==> IP / TCP 127.0.0.1:https > 127.0.0.15:888 R / Padding
>>>
Notice:
• the A (ACK) flag on the sent packet, with an R (RST) flag on the response. Why?
• Because we sent a packet that the destination is only supposed to receive after a SYN-ACK, so the destination resets it.
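The SYN-scan and ACK-scan summaries above can be turned into per-port states mechanically: a SYN answered by SA means a listener, a SYN answered by RA or R means a reachable host with nothing listening, a bare ACK answered by R means no stateful filter in the path, and no answer at all means something dropped the probe. This added example (not from the slides) parses the ans.summary() lines printed above and applies that mapping; the single unanswered line is constructed.

```python
import re
from collections import Counter

# One line of ans.summary() / unans.summary() as printed on the slides; the "==> reply" part is optional.
SUMMARY_RE = re.compile(
    r"IP / TCP (?P<src>[\w.]+):(?P<sport>\w+) > (?P<dst>[\w.]+):(?P<dport>\w+) (?P<sent>[A-Z]+)"
    r"(?: ==> IP / TCP [\w.]+:\w+ > [\w.]+:\w+ (?P<recv>[A-Z]+))?"
)

# Lines copied from the SYN scan slide above.
SYN_SCAN_ANS = [
    "IP / TCP 127.0.0.15:666 > 127.0.0.1:ssh S ==> IP / TCP 127.0.0.1:ssh > 127.0.0.15:666 SA / Padding",
    "IP / TCP 127.0.0.15:666 > 127.0.0.1:http S ==> IP / TCP 127.0.0.1:http > 127.0.0.15:666 SA / Padding",
    "IP / TCP 127.0.0.15:666 > 127.0.0.1:ftp S ==> IP / TCP 127.0.0.1:ftp > 127.0.0.15:666 RA / Padding",
    "IP / TCP 127.0.0.15:666 > 127.0.0.1:https S ==> IP / TCP 127.0.0.1:https > 127.0.0.15:666 RA / Padding",
]
# Constructed: what unans.summary() prints for a probe that got no reply.
SYN_SCAN_UNANS = ["IP / TCP 127.0.0.15:666 > 127.0.0.1:smtp S"]

# Lines copied from the ACK scan slide above.
ACK_SCAN_ANS = [
    "IP / TCP 127.0.0.15:888 > 127.0.0.1:ftp A ==> IP / TCP 127.0.0.1:ftp > 127.0.0.15:888 R / Padding",
    "IP / TCP 127.0.0.15:888 > 127.0.0.1:ssh A ==> IP / TCP 127.0.0.1:ssh > 127.0.0.15:888 R / Padding",
    "IP / TCP 127.0.0.15:888 > 127.0.0.1:http A ==> IP / TCP 127.0.0.1:http > 127.0.0.15:888 R / Padding",
    "IP / TCP 127.0.0.15:888 > 127.0.0.1:https A ==> IP / TCP 127.0.0.1:https > 127.0.0.15:888 R / Padding",
]

def port_state(sent: str, recv) -> str:
    """Map (probe flags, reply flags) to the port state Nmap would report for the same exchange."""
    if recv is None:
        return "filtered"        # no reply: the probe was dropped somewhere (or lost)
    if sent == "S":
        if "S" in recv and "A" in recv:
            return "open"        # SYN-ACK: a service is listening
        if "R" in recv:
            return "closed"      # RST (usually RST-ACK): host reachable, nothing listening
    if sent == "A":
        if "R" in recv:
            return "unfiltered"  # RST to a bare ACK: no stateful filter between us and the port
    return "unknown"

def parse_summary(lines):
    """Parse summary lines into dicts with src/sport/dst/dport/sent/recv/state."""
    probes = []
    for line in lines:
        m = SUMMARY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["state"] = port_state(d["sent"], d["recv"])
            probes.append(d)
    return probes

def states_by_port(ans_lines, unans_lines=()):
    """{dport: state} for one scan, combining answered and unanswered summaries."""
    return {p["dport"]: p["state"] for p in parse_summary(list(ans_lines) + list(unans_lines))}

def state_counts(ans_lines, unans_lines=()):
    return Counter(states_by_port(ans_lines, unans_lines).values())

if __name__ == "__main__":
    print(states_by_port(SYN_SCAN_ANS, SYN_SCAN_UNANS))
    print(states_by_port(ACK_SCAN_ANS))
```

Note that the ACK scan never says "open": every reply is an R, so all it establishes is that no filter sat between the scanner and those ports, which is exactly the question the slide's "why?" answers.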
DNS Query
sr1(IP(dst="127.0.0.1")/UDP()/DNS(rd=1,qd=DNSQR(qname="www.ieu.edu.tr")))
dst="127.0.0.1" = destination IP (the DNS server)
/UDP() = DNS uses the UDP protocol
/DNS = this is a DNS packet
rd=1 = tells Scapy that recursion is desired
qd=DNSQR(qname="www.ieu.edu.tr") = get the DNS info about www.ieu.edu.tr
Traceroute
traceroute(["www.google.com"], maxttl=20)
Begin emission:
..*Finished to send 20 packets.
*****************
Received 20 packets, got 18 answers, remaining 2 packets
74.125.132.99:tcp80
1 172.1.16.2 11
3 80.3.129.161 11
4 212.43.163.221 11
5 62.252.192.157 11
6 62.253.187.178 11
17 74.125.132.99 SA
18 74.125.132.99 SA
19 74.125.132.99 SA
20 74.125.132.99 SA
(<Traceroute: TCP:7 UDP:0 ICMP:11 Other:0>, <Unanswered: TCP:2 UDP:0 ICMP:0 Other:0>)
>>>
ARP Scan on A Network
>>> arping("172.1.16.*")
***Finished to send 256 packets.
*
Received 4 packets, got 4 answers, remaining 252 packets
30:46:9a:83:ab:70 172.1.16.2
00:25:64:8b:ed:1a 172.1.16.18
00:26:55:00:fc:fe 172.1.16.12
d8:9e:3f:b1:29:9b 172.1.16.22
(<ARPing: TCP:0 UDP:0 ICMP:0 Other:4>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:252>)
ICMP, TCP, and UDP Ping:
ans,unans=sr(IP(dst="172.1.1.1-254")/ICMP())
ans,unans=sr(IP(dst="172.1.1.*")/TCP(dport=80, flags="S"))
ans,unans=sr(IP(dst="172.1.1.*")/UDP(dport=0))
Packet Sniffing
sniff()
Press CTRL-C to stop sniffing; you get something like:
<Sniffed: TCP:43 UDP:24 ICMP:2 Other:0>
a=_
a.nsummary()
0003 Ether / IP / UDP / DNS Qry daisy.ubuntu.com.
0004 Ether / IP / UDP / DNS Qry daisy.ubuntu.com.
0005 Ether / IP / UDP / DNS Qry daisy.ubuntu.com.
0006 Ether / IP / UDP / DNS Qry daisy.ubuntu.com.
0007 Ether / IP / UDP / DNS Qry daisy.ubuntu.com.
0008 Ether / IP / UDP / DNS Ans 91.189.95.54
0009 Ether / IP / UDP / DNS Ans 91.189.95.54
0010 Ether / IP / UDP / DNS Ans 91.189.95.54
0011 Ether / IP / UDP / DNS Ans 91.189.95.55
ICMP traffic through eth0 interface
sniff(iface="eth0", filter="icmp", count=10)
a=_
>>> a.nsummary()
0000 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans 91.189.95.55
0001 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans 91.189.95.54
0002 Ether / IP / ICMP 10.1.99.25 > 74.125.132.103 echo-request 0 / Raw
0003 Ether / IP / ICMP 74.125.132.103 > 10.1.99.25 echo-reply 0 / Raw
0004 Ether / IP / ICMP 10.1.99.25 > 74.125.132.103 echo-request 0 / Raw
0005 Ether / IP / ICMP 74.125.132.103 > 10.1.99.25 echo-reply 0 / Raw
0006 Ether / IP / ICMP 10.1.99.25 > 74.125.132.103 echo-request 0 / Raw
0007 Ether / IP / ICMP 74.125.132.103 > 10.1.99.25 echo-reply 0 / Raw
0008 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans wb-in-f103.1e100.net.
0009 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans wb-in-f103.1e100.net.
a[2]
<Ether dst=30:46:9a:83:ab:70 src=00:22:19:e7:90:ae type=0x800 |<IP version=4L ihl=5L tos=0x0
len=84 id=0 flags=DF frag=0L ttl=64 proto=icmp chksum=0xfeaa src=10.1.99.25 dst=74.125.132.103
Writing a Python Script
pcap file from tcpdump
Script output
nmap
Nmap (network mapper) is an open source tool for network traffic analysis and security auditing. It uses raw network packets to determine:
• what hosts are available on networks,
• what services (application name and version) they offer,
• what operating systems and OS versions they are running,
• what type of packet filters/firewalls are in use,
• and many more ...
Single Target Scanning
• ## Scan a single IP address
– nmap 192.168.1.1
• ## Scan a host name
– nmap www.google.com
• ## Scan a host name with more info (verbose)
– nmap -v myhost.ieu.edu.tr
Multiple Target Scanning
• ## Scan several addresses
– nmap 192.168.1.1 192.168.1.2 192.168.1.3
– nmap 192.168.1.1,2,3
• ## Scan a range of IP addresses
– nmap 192.168.1.1-20
• ## IP address range using a wildcard
– nmap 192.168.1.*
• ## Read list of hosts/networks from a file
– nmap -iL ./hosts.txt
More Nmap Commands
• ## Detect OS and OS version
– nmap -A 192.168.1.254
– nmap -v -A 192.168.1.1
– nmap -A -iL /tmp/scanlist.txt
• ## Is a host/network protected by a firewall?
– nmap -sA 192.168.1.254
• ## Scan it when protected by the firewall
– nmap -PN 192.168.1.1
More Nmap Commands
• ## host discovery or ping scan:
– nmap -sP 192.168.1.0/24
• ## perform a fast scan
– nmap -F 192.168.1.1
• ## Show only open ports
– nmap --open 192.168.1.1
• ## Show all packets sent and received
– nmap --packet-trace 192.168.1.1
• Show host interfaces and routes
– nmap --iflist
Scan Specific ports
• nmap -p [port] hostName
• ## Scan port 80
– nmap -p 80 192.168.1.1
• ## Scan TCP port 80
– nmap -p T:80 192.168.1.1
• ## Scan UDP port 53
– nmap -p U:53 192.168.1.1
• ## Scan two ports
– nmap -p 80,443 192.168.1.1
• ## Scan port ranges
– nmap -p 80-200 192.168.1.1
Scan Specific ports
• ## Combine all options
– nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
– nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
• ## Scan all ports with the * wildcard (quoted so the shell does not expand it)
– nmap -p "*" 192.168.1.1
• ## Scan top 10 most common ports
– nmap --top-ports 10 192.168.1.1
Host Discovery (1)
• ## host discovery or ping scan:
– nmap -sP 192.168.1.0/24
Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 seconds
Host Discovery (2)
nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1
Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
Host Discovery (3)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys
embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux
2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik
RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)
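The TCP/IP fingerprint block in the output above is a single string wrapped onto OS: lines: test groups such as SEQ(...), T1(...) and U1(...), each holding attribute=value pairs separated by %. The following added example (not part of the slides or of Nmap) re-joins the lines printed above and parses them into a dictionary, then reads a few facts from it: which probes the router answered, the hop-corrected initial TTL (T=40 hex) and the advertised window sizes. The fingerprint text is copied from the slide; all function names are this example's own.

```python
import re

# Fingerprint exactly as printed above (Nmap 5.00 against 192.168.1.1).
FINGERPRINT_LINES = """\
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)""".splitlines()

# NAME( attr=val%attr=val ... )
TEST_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")

def parse_fingerprint(lines):
    """Join the OS: continuation lines and split them into {test_name: {attribute: value}}."""
    body = "".join(line[3:].strip() for line in lines if line.startswith("OS:"))
    tests = {}
    for name, content in TEST_RE.findall(body):
        attrs = {}
        for item in content.split("%"):
            if item:
                key, _, value = item.partition("=")
                attrs[key] = value       # an empty value (e.g. Q=) is kept as ""
        tests[name] = attrs
    return tests

def probes_answered(fp):
    """Names of the probe tests the target actually replied to (R=Y)."""
    return sorted(name for name, attrs in fp.items() if attrs.get("R") == "Y")

def initial_ttl(fp, test="T1"):
    """T is the hop-corrected initial TTL in hex; 0x40 = 64 is the usual Linux default."""
    return int(fp[test]["T"], 16)

def window_sizes(fp):
    """Window sizes W1..W6 from the WIN group, as integers."""
    return [int(v, 16) for _k, v in sorted(fp["WIN"].items())]

if __name__ == "__main__":
    fp = parse_fingerprint(FINGERPRINT_LINES)
    print(fp["SCAN"])
    print(probes_answered(fp), initial_ttl(fp), window_sizes(fp))
```

The same parsed structure is what you would compare against the nmap-os-db signatures; here it is enough to see that T2, T3 and T7 went unanswered (R=N), which is itself part of the signature Nmap matched to "Linux 2.4.X (95%)".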
Nping
Nping is an open source tool for
• network packet generation,
• response analysis and response time measurement.
• Nping can generate network packets for a wide range of protocols,
allowing users full control over protocol headers.
Syntax:
nping [Probe mode] [Options] {target specification}
Example:
nping blabla.com.tr
Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:27 CEST
SENT (0.1879s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28
SENT (1.1890s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28
SENT (2.1901s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28
Nping Modes/TCP Probe Modes
Nping Modes/UDP & ICMP Probe Modes
Nping Modes/ARP & IPv4 Probe Modes
Nping Modes/Echo Client/Server Probe Modes
Nping Output
Nping Using TCP Flags
nping --tcp -p 80 --flags rst -c 3 aldeid.com
nping --tcp -p 80 --flags syn -c 3 aldeid.com
Nping Using TCP Flags
nping --tcp -p 80 --flags ack -c 3 aldeid.com
Nping Echo Client/Server
nping --echo-server pass123 -e eth0 -vvv
nping --echo-client pass123 192.168.1.18 --tcp -p1-30 --flags ack
tcpdump
• tcpdump captures packets of network traffic on a given network interface
• It uses command line arguments for selecting specific destinations, sources, protocols, etc.
• It can also use filter files containing command line arguments. Filters are used to restrict analysis to packets of interest
• Output from tcpdump is called a dump
Example Dump
• Ran tcpdump on the machine xanadu.ieu.edu.tr
• First few lines of the output:
01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > xanadu.ieu.edu.tr.ssh: P 1:49(48) ack 1380 win 16560
Closer look at a tcpdump line?
01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
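Each field of that line (timestamp, source host and port, destination host and port, TCP flags, sequence range with payload length, acknowledgement number, window) can be pulled out with one regular expression. The parser below is an added example, not part of the slides or of tcpdump; it is written for the old-style TCP output format shown on this slide (flags printed as "." or "P", absolute sequence numbers in the first line and relative ones after), and the sample lines are the four copied from the previous slide. It then adds up the payload bytes per flow, which is the first thing you would want when checking how much data left the ssh server.

```python
import re
from collections import defaultdict

# Lines copied from the "Example Dump" slide (tcpdump's older TCP output style).
SAMPLE_DUMP = [
    "01:46:28.808262 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816",
    "01:46:28.808271 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816",
    "01:46:28.808276 IP xanadu.ieu.edu.tr.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816",
    "01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > xanadu.ieu.edu.tr.ssh: P 1:49(48) ack 1380 win 16560",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "   # host.port > host.port:
    r"(?P<flags>[A-Z.]+)"                                             # "." = no flag, P, S, F, R ...
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\))?"       # seq range (payload length)
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)

def parse_tcpdump_line(line):
    """Return a dict of the fields, or None when the line is not a TCP line in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("seq_lo", "seq_hi", "length", "ack", "win"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d

def seq_range_consistent(d):
    """The (len) value must equal the difference of the sequence range; a quick sanity check."""
    if d["length"] is None:
        return True
    return d["seq_hi"] - d["seq_lo"] == d["length"]

def payload_bytes_by_flow(lines):
    """Sum TCP payload bytes per (src.sport > dst.dport) flow, from the (len) field."""
    totals = defaultdict(int)
    for line in lines:
        d = parse_tcpdump_line(line)
        if d and d["length"]:
            totals[f"{d['src']}.{d['sport']} > {d['dst']}.{d['dport']}"] += d["length"]
    return dict(totals)

if __name__ == "__main__":
    for line in SAMPLE_DUMP:
        print(parse_tcpdump_line(line))
    print(payload_bytes_by_flow(SAMPLE_DUMP))
```

Run with -n (next slides) the host fields would be raw addresses instead of names; the regular expression handles both, because it only requires the last dot to separate host from port.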
Command line use
• Syntax:
tcpdump [options] [filter expression]
• tcpdump tcp port 22
• tcpdump -A -c 5 dst xanadu.ieu.edu.tr
Simple Filters-I
Use filters to capture only packets of interest.
Example: capture only packets given by protocol names
tcpdump udp
tcpdump tcp
tcpdump ip
tcpdump icmp
tcpdump arp
Refer to the tcpdump manual for writing filters.
Filters-II
1. Capture only UDP packets with destination port 53 (DNS requests)
• tcpdump udp dst port 53
2. Capture only UDP packets with source port 53 (DNS replies)
• tcpdump udp src port 53
3. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
• tcpdump udp port 53
Filters -III
Capture only packets destined to xanadu.ieu.edu.tr
tcpdump dst host xanadu.ieu.edu.tr
Capture both DNS packets and TCP packets to/from
xanadu.ieu.edu.tr
tcpdump (tcp and host xanadu.ieu.edu.tr) or udp port 53
tcpdump -w myfile.dump -i eth0
tcpdump -r myfile.dump
tcpdump less 1024 -w less.dump
tcpdump –i eth0 greater 2048
Writing Filters
• Specifying the hosts we are interested in
– dst host <name/IP>
– src host <name/IP>
– host <name/IP> (either source or destination is name/IP)
• Specifying the ports we are interested in
– dst port <number>
– src port <number>
– port <number>
– Makes sense only for TCP and UDP packets
Combining Filters Options
• Combining filters
– and (&&)
– or (||)
– not (!)
• Example:
– All tcp packets which are not from or to host
xanadu.ieu.edu.tr
tcpdump tcp and ! host xanadu.ieu.edu.tr
– Type man tcpdump to find more examples
Some Useful Options
• -n Don’t convert host addresses to names. Avoids DNS
lookups. It can save you time.
• -w <filename> Write the raw packets to the specified file
instead of parsing and printing them out.
• -r <filename> Read packets from the specified file instead of
live capture.
• -q Quiet output. Prints less information per output line
• -s 0 This option ensures that the entire packet is stored and
analyzed.
• -A (or -X in some versions) Print each packet in ASCII. Useful when capturing web pages.
• -vvv Increased verbosity; prints more information.
Some Wireshark Filters - I
Some Wireshark Filters - II
Wireshark Filter Protocols
Wireshark IP Filters
Wireshark IP Filter Examples
Wireshark TCP Filters
Wireshark TCP Filters
Wireshark UDP Filters
Wireshark UDP Filter Examples
Protocols in the IP Header
Routing Protocols
More on Scanning
• How does it differ from footprinting (reconnaissance)?
– Footprinting did not necessarily attempt to access the target system(s) directly
• Direct examination of target systems
– Determine if system is alive – network ping sweep
– Determining which services are up
– Determining OS type/version
– Determining protocol stack versions
Determining if system is alive
- Purpose
– Find out which IP addresses have live hosts on them
– No point in detailed examination of empty address!
- Network Ping sweep
– ARP Host discovery
– ICMP Host discovery
– OS Utilities
– Network discovery tools
– TCP/UDP Host discovery
ARP Host discovery - 1
- Address Resolution Protocol
– Works on top of layer 2, in parallel with network layer
• Has its own ethertype value
– Needed for “plug-and-play” autoconfiguration and mobility
– Request is broadcast to all hosts on LAN
– Host with matching address is required to respond
– Attacker needs to be on same LAN
- Nmap by Fyodor (nmap.org)
ARP Host discovery - 2
- Nmap by Fyodor (nmap.org)
– De facto tool of choice
• Works on Linux, Windows, Mac
– Does much more than ARP scanning
– ARP scan through -PR <CIDR address> option
– Turn off port scan using -sn option
– Reports IP address, MAC address, OUI's name, and latency
- CAIN (oxid.it/cain.html)
– Windows tool
– Does much more than ARP scanning
– GUI-based tool
- Limitations of ARP scanning
– Targets on distant network segments
CAIN
ICMP Host discovery - 1
- Internet Control Message Protocol (ICMP) intended uses
– Diagnostics and trouble shooting needed on internet
– ICMP used for diagnostics, error reporting,
management, etc.
- Some ICMP messages
– Echo request/reply (ping)
– Destination unreachable
– Source quench
– Redirect
– Time exceeded (TTL reached 0)
– Timestamp/reply (used in enumeration)
– Information request/reply
– Address mask request/reply (used in enumeration)
ICMP Host discovery - 2
- OS ping utility uses ICMP echo request/reply messages
– If a request is received, the host must reply
– Can also be used in smurf attack (using broadcast)
- Host may be configured not to respond to echo requests
– May still respond to other messages
Network discovery tools - 1
- Nmap
– Beside ICMP ping sweep also does ARP sweep and TCP pings
– Limit activity (to avoid detection by IDS) using -sn (no port scan), -PE (use echo request), and --send-ip (no ARP scan)
– If on different subnet, --send-ip not needed
– Individual and CIDR subnet addressing
– Gives responding host IP, MAC, OUI name, latency
– Has -PM option for address mask and -PP option for timestamp
• In case host configured to ignore ECHO REQUEST messages
Network discovery tools - 2
- hping3 and nping
– Very flexible tools
• Select flags, message types
• Spoof source address (IP and MAC)
• Set number of messages to send
– nping ships with nmap
- superscan
– Windows tool
– Free from Foundstone
– Fast ping sweep
– GUI with options for echo request, timestamp, address mask, and information request messages
– Also supports UDP and TCP port scans and more
– Can give HTML output
TCP/UDP Host discovery - 1
- Especially useful when ICMP responses are limited
- Servers provide services over network
– Must be able to take clients
– May be open through firewall
- May have to probe multiple ports to find open service
– Any response indicates host is alive
– More probing = higher visibility to IDS
- Local hosts (not servers) may also have services
– File sharing
– Remote desktop
– Management tools
– Often have local firewall
TCP/UDP Host discovery - 2
- nmap
– -sn option also includes port 80 (www)
– -Pn option for 1000 common ports
– -p <portnumber> option to specify one particular port
– --open option to suppress IP addresses that don't respond
- nping
– Also provides port scan option
– Output noisier
- superscan
– Also provides options to probe particular ports or port
ranges
– Can take file with list of IP addresses to scan
Determining services that are up
- Port scanning
– Send packets to TCP and UDP ports to find listening
servers
– Find live hosts
– Determine which services are open
– Help identify OS type, version
– Identify specific applications/versions of particular
service
Scan Types - 1
- TCP connect scan
– Completes 3-way handshake
– Takes longer
– Can be run as regular user
- TCP SYN scan (half-open scan)
– Sends SYN, waits for SYN-ACK
– SYN-ACK = open, RST = not open (usually)
– Stealthier
– Can produce DOS attack on target
- TCP FIN scan
– Sends FIN
– Should receive RST (see RFC 793)
– Usually works on Unix-based stacks
Scan Types - 2
- TCP Xmas tree scan
– Sends FIN, URG, and PUSH TCP packet
– Should receive RST on closed ports
- TCP Null scan
– Sends TCP segment with no flags set
– Should receive RST on closed ports
- TCP ACK scan
– Sends packet with ACK set
– Helps determine firewall policies, capabilities
- TCP Windows scan
– Looks at how rwnd is handled with RST to ACK
segment
- TCP RPC scan
- UDP scan
Scan Types - 3
- TCP RPC scan
– Many Unix systems implement portmapper
– Used with RPC/RMI to find services
– Server registers service with portmapper (with
pgm/version)
– Client contacts portmapper to request service, gets
port #
- UDP scan
– Connectionless
– Send ICMP “port unreachable” message if not listening
– May be up if error message not received
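From the defender's side, the scan types listed above share a signature: one source touching many ports on a host in a short time while never completing a handshake (SYN scan), or sending segments whose flag combinations no normal client uses (FIN, Null, Xmas). This added example (not from the slides) runs that logic over a constructed list of client-to-server records, each a (seconds, src, dst, dport, flags) tuple with Scapy-style flag letters as seen earlier in the deck; thresholds, window and all addresses are made up for the demonstration.

```python
from collections import defaultdict

def constructed_traffic():
    """Constructed client->server records: (seconds, src, dst, dport, tcp_flags)."""
    recs = []
    # a half-open scanner: SYN to 15 ports in 1.5 s, never follows up with an ACK
    for i, port in enumerate(range(21, 36)):
        recs.append((0.1 * i, "10.0.0.5", "10.0.0.80", port, "S"))
    # an ordinary client: two completed handshakes (SYN, then the final ACK) to 80 and 443
    recs += [(5.0, "10.0.0.7", "10.0.0.80", 80, "S"), (5.1, "10.0.0.7", "10.0.0.80", 80, "A"),
             (6.0, "10.0.0.7", "10.0.0.80", 443, "S"), (6.1, "10.0.0.7", "10.0.0.80", 443, "A")]
    # FIN-only probes against 12 ports (the "TCP FIN scan" pattern)
    for i, port in enumerate(range(100, 112)):
        recs.append((10.0 + 0.2 * i, "10.0.0.9", "10.0.0.80", port, "F"))
    return recs

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_scans(records, threshold=10, window=60.0):
    """Return {(src, dst): alert} for sources that leave >= threshold ports half-open, or send
    >= threshold probes with none of SYN/ACK/RST set, within `window` seconds."""
    syn_first = defaultdict(dict)   # (src, dst) -> {dport: time of first SYN}
    acked = defaultdict(set)        # (src, dst) -> ports where the client later sent a non-SYN ACK
    odd_probes = defaultdict(dict)  # (src, dst) -> {dport: time} for FIN / Null / Xmas style probes
    for ts, src, dst, dport, flags in records:
        key = (src, dst)
        if "S" in flags and "A" not in flags:
            syn_first[key].setdefault(dport, ts)
        elif "A" in flags and "S" not in flags:
            acked[key].add(dport)          # handshake completed (or data flowing) on this port
        elif not any(f in flags for f in "SAR"):
            odd_probes[key].setdefault(dport, ts)
    alerts = {}
    for key, ports in syn_first.items():
        half_open = [t for p, t in ports.items() if p not in acked[key]]
        n = max_in_window(half_open, window) if half_open else 0
        if n >= threshold:
            alerts[key] = {"kind": "syn_scan", "ports": n}
    for key, ports in odd_probes.items():
        n = max_in_window(list(ports.values()), window)
        if n >= threshold:
            alerts[key] = {"kind": "stealth_probe", "ports": n}
    return alerts

if __name__ == "__main__":
    for key, alert in detect_scans(constructed_traffic()).items():
        print(key, alert)
```

A TCP connect scan (first item of Scan Types - 1) does complete the handshake, so this particular rule would not see it; for that case count distinct ports per source regardless of completion, at the price of more false positives from busy legitimate clients.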
Window Scan Operation -1
A RST frame response from a closed port responds with a window size of zero
# nmap -v -sW 192.168.0.67
[192.168.0.8] [192.168.0.67] TCP: D=25 S=62405 ACK=0 WIN=2048
[192.168.0.67] [192.168.0.8] TCP: D=62405 S=25 RST WIN=0
Window Scan Operation -2
When an open port is sent an ACK frame, the destination station responds with a RST frame, but the window size is non-zero, meaning that the destination is using this port (port is open).
# nmap -v -sW 192.168.0.67
[192.168.0.8] [192.168.0.67] TCP: D=23 S=62405 ACK=0 WIN=3072
[192.168.0.67] [192.168.0.8] TCP: D=62405 S=23 RST WIN=4096
Identifying Services - 1
- TCP SYN port scan using nmap
– Use -sS option
– Use -oN <file> to save human readable output
– Use -oG <file> to save tab-delimited version
– Use -oX <file> to save XML
– -oA saves in all formats
– Lists open ports with nominal services
– -f option to fragment packets
• Some firewalls will not reassemble fragments, just pass packet
• May make it harder for IDS to detect scan
– -D option provides for decoy source addresses
• Burdens target with having to track down all scans
• Take care to use real IP addresses to avoid SYN attack DOS
– -b option to use FTP bounce scanning
• Uses older FTP servers to reflect packets
Identifying Services - 2
- SuperScan (Foundstone.com)
– Windows/GUI-based alternative to nmap
– Port scans in addition to ICMP and ARP scans
– Select port or port range to scan, and protocol
– Select special techniques for TCP, UDP
– UDP data+ICMP method
• Multiple UDP packets to a port
• May overwhelm ICMP response capability
• Very accurate, but slow
- ScanLine
– Windows/command-line tool (also Foundstone)
– Single executable
• Easier to load onto compromised system
– Many options
- Netcat (http://netcat.sourceforge.net/)
– Older, command-line tool - reads and writes data across network connections, using the TCP/IP protocol
Detecting the OS - 1
- Banner grabbing
– A banner grabber connects to an open TCP port and prints out anything sent by the listening service
nmap -sS -sV -p 80 -v -n -Pn --script banner dst-IP
- Available ports signature
– Some systems use particular ports for services
- Active Stack Fingerprinting
– Responses to probes are implementation dependent
– Multiple types of probes used to narrow field
– See https://nmap.org/book/osdetect.html
– https://nmap.org/nmap-fingerprinting-article.txt
– https://nmap.org/misc/defeat-nmap-osdetect.html
Banner grabbing
nmap -sS -sV -p 80 -v -n -Pn --script banner xx.xx.xx.xx
Detecting the OS - 2
Active Stack Fingerprinting Probes
- FIN probe
– Correct not to respond, but some send FIN/ACK
- Bogus flag probe (in SYN packet)
– Correct to ignore, but some set flag in SYN-ACK
- Initial Sequence Number (ISN) sampling
– Patterns may be found in ISNs for connections that depend on OS
- DF bit monitoring
– Some OS's may set DF in IP header to improve performance
- TCP initial window size
– Some systems have characteristic initial rwnd size
– Note that rwnd is indication of buffer space at receiver, set by OS
- ACK value
– May use last SN (less common) or last SN+1 (usual)
Detecting the OS - 3
- ICMP error message quenching
– Systems may limit the number of ICMP error messages (RFC 1812)
– Send UDP packets to random port, determine rate of ICMP unreachable port messages
- ICMP message quoting
– ICMP error messages include some initial portion of the offending datagram
– Amount of data included varies according to system
- ICMP error message-echoing integrity
– Some systems change IP headers quoted in ICMP error messages
- TOS on ICMP port unreachable message
– Usually TOS=0, but may vary
- Fragmentation handling
– Observe how probe packets with overlapping fragments are reassembled
- TCP options
– Which options set (e.g., RFC 793, or 1323 also) varies
Detecting the OS - 4
Passive OS Detection
- Less obtrusive than active OS fingerprinting
- Monitor traffic to/from target
– Requires favorable position
- Passive signatures
– TTL on outbound datagrams
– Initial window size (rwnd)
– DF (don't fragment) bit set?
– Siphon tool (packetstormsecurity.org)