Detecting Reconnaissance Through Packet Forensics
Shashank Nigam
Target Audience
Network Analysts
Network Admins
Security Engineers
Security Researchers and Enthusiasts
Anyone who is interested
• S3cu4ity Enthusi@astic and S3cu4ity C0n5ult@nt for Security Compass
• Love to Expl0r3 the W0rld of s3cu4ity
• Have a Blog of my 0wn
• http://securityissuesrevealed.blogspot.in/
• Contact me:
• https://www.linkedin.com/pub/shashank-nigam/21/30/3bb
• Email: [email protected]
• What is Reconnaissance?
• Network Packet Analysis
• Analyzing network packets to detect various reconnaissance activities in your network, for example TCP/UDP port scans, application fingerprinting, OS fingerprinting and traceroute.
• Detecting unusual traffic on your cabling system
• Identifying packets in depth
• How Does TCP/IP Communication Occur?
• Windows box (Win 7 or Win XP)
• A Linux or attacker's machine with nmap
• KF Sensor (a honeypot running on the Windows box)
• Wireshark (network protocol analyzer on the Windows box)
• Other recommended tools: Xprobe, Hping, Nmap
• Some virus or worm trying to establish a remote shell
• Clear-text information travelling across the cabling system
• Some unusual port activity (dynamic ports)
• No spoofed address
• No scan activity like port scan, OS scan etc.
• Examples: Blaster worm, TCP/UDP port scan, connectivity tests etc.
Analyzing the Blaster worm:
• Blaster is a worm that exploits the DCOM RPC vulnerability; it was discovered in August 2003.
• It downloads the file msblast.exe to %WinDir%\system32 and executes it.
• It uses cmd.exe to create a hidden remote shell process which listens on TCP port 4444.
• This allows an attacker to send commands to an infected machine.
Some more unusual traffic:
• Character generator (chargen) traffic (port 19)
• When data is sent to the chargen port (19), we see a sequence of random characters echoed back.
• Basically performed as a connectivity test
• Such traffic should not be present on the cabling system unless chargen is purposefully used.
• Reconnaissance is a way to gather information about a target before actually planning an attack
• The success of an attack depends largely upon the reconnaissance made
• TCP or UDP port scan
• Application fingerprinting
• OS fingerprinting
• Illegally formed scans etc.
• The TCP three-way handshake involves TCP SYN, SYN/ACK and ACK packets exchanged between client and server.
• For a TCP port scan the scanning system sends a TCP SYN packet to the destination port.
• If the server supports the service it replies with a SYN/ACK packet; otherwise a TCP RST packet is sent across the cabling system.
If we see a lot of RST packets on the network and don't find a data exchange between the two nodes, it signifies a port scan.
• For a UDP scan the client sends a UDP packet to a destination port.
• If the server does not support the particular service requested in the packet, it replies with an ICMP type 3/code 3 packet.
• This ICMP type 3/code 3 packet is unusual to find in network traffic.
• Type 3 signifies Destination Unreachable; code 3 signifies Port Unreachable.
If we find a lot of ICMP type 3/code 3 packets in the traffic, it signifies that a UDP port scan is going ahead and requires attention.
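A detector for the two rules above (many RSTs from a host to a peer it never exchanged payload with, for TCP; many ICMP type 3/code 3 replies to one peer, for UDP), run over a constructed packet list; this is an added example, not code from the slides, and the hosts, ports and threshold are assumed sample values.

```python
from collections import defaultdict

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10   # TCP flag bits used by the sample records

def tcp(src, dst, dport, flags, payload_len=0):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport,
            "flags": flags, "payload_len": payload_len}

def icmp(src, dst, itype, code):
    return {"proto": "icmp", "src": src, "dst": dst, "type": itype, "code": code}

# Constructed capture (not from the slides): 10.0.0.5 probes five TCP ports on
# 10.0.0.20 (only 80 answers SYN/ACK) and four UDP ports on 10.0.0.21 (only 53
# is open); 10.0.0.9 is a real HTTP client that exchanges data with 10.0.0.20.
SAMPLE = (
    [tcp("10.0.0.5", "10.0.0.20", p, SYN) for p in (21, 22, 23, 25, 80)]
    + [tcp("10.0.0.20", "10.0.0.5", 0, RST | ACK) for _ in (21, 22, 23, 25)]
    + [tcp("10.0.0.20", "10.0.0.5", 0, SYN | ACK),
       tcp("10.0.0.9", "10.0.0.20", 80, SYN),
       tcp("10.0.0.20", "10.0.0.9", 0, SYN | ACK),
       tcp("10.0.0.9", "10.0.0.20", 80, PSH | ACK, payload_len=120),
       tcp("10.0.0.20", "10.0.0.9", 0, PSH | ACK, payload_len=900)]
    + [{"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.21", "dport": p}
       for p in (53, 67, 69, 123)]
    + [icmp("10.0.0.21", "10.0.0.5", 3, 3) for _ in (67, 69, 123)]
)

def detect_scans(packets, threshold=3):
    """Apply the two slide rules. TCP: many RSTs from a host to a peer with which it
    never exchanged payload. UDP: many ICMP type 3 / code 3 replies to one peer.
    Returns {"tcp": {(scanner, target): rst_count}, "udp": {(scanner, target): n}}."""
    rst_from = defaultdict(int)      # (replier, scanner) -> RST count
    unreach_from = defaultdict(int)  # (replier, scanner) -> ICMP 3/3 count
    data_pairs = set()               # unordered host pairs that moved payload
    for p in packets:
        if p.get("payload_len", 0) > 0:
            data_pairs.add(frozenset((p["src"], p["dst"])))
        if p["proto"] == "tcp" and p["flags"] & RST:
            rst_from[(p["src"], p["dst"])] += 1
        elif p["proto"] == "icmp" and (p["type"], p["code"]) == (3, 3):
            unreach_from[(p["src"], p["dst"])] += 1
    tcp_scans = {(scanner, target): n for (target, scanner), n in rst_from.items()
                 if n >= threshold and frozenset((target, scanner)) not in data_pairs}
    udp_scans = {(scanner, target): n for (target, scanner), n in unreach_from.items()
                 if n >= threshold}
    return {"tcp": tcp_scans, "udp": udp_scans}
```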
• Sometimes identifying packets is a difficult task.
• TCP flags come to the rescue.
• Basically six types of TCP flags can be found in the packet:
URGENT (URG), ACKNOWLEDGEMENT (ACK), PUSH (PSH), RESET (RST), SYNCHRONIZE (SYN), FINISH (FIN)
• Some uncommon and absurd combinations of these flags in a packet reveal an illegally formed packet.
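Added example, not from the slides: extract the six flag bits from a raw TCP header and label the combinations that cannot occur in a normal RFC 793 session; the header builder and the label strings are assumed for illustration.

```python
import struct

# The six TCP flag bits (RFC 793), in the low six bits of header bytes 13-14.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def tcp_flags(header: bytes) -> set:
    """Return the names of the flags set in a raw 20-byte TCP header."""
    offset_and_flags = struct.unpack("!H", header[12:14])[0]
    return {name for name, bit in FLAGS.items() if offset_and_flags & bit}

def classify(flags: set) -> str:
    """Label a flag combination. In an RFC 793 session only the first SYN (and
    some RSTs) travel without ACK, and SYN never shares a segment with FIN or RST,
    so the combinations flagged below only come from crafted packets."""
    if not flags:
        return "illegal: no flags set (null packet)"
    if {"SYN", "FIN"} <= flags:
        return "illegal: SYN and FIN together"
    if {"SYN", "RST"} <= flags:
        return "illegal: SYN and RST together"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "illegal: FIN, PSH and URG without ACK"
    if "ACK" not in flags and flags not in ({"SYN"}, {"RST"}):
        return "suspicious: non-SYN segment without ACK"
    return "normal"

def build_header(flag_bits: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (data offset 5) with the given flag bits;
    a test-data helper, not a real capture."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                       (5 << 12) | flag_bits, 8192, 0, 0)
```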
• An IP scan is usually done to find key services and protocols that sit after the IP header.
• It involves various routing protocols.
• In the IP scan process the scanner alters the protocol field value to check which protocols the target system supports.
• What is the Reconnaissance Process
• Analyzed TCP port scan (3-way handshake and RST packets)
• Analyzed UDP port scan (ICMP type 3 code 3 packet)
• Unusual Blaster and chargen traffic used for connectivity tests
• Illegally formed scan packets with combinations of different flag bits
• IP scan process looking for various routing protocols
• Usually a process of identifying the services running on a port
• Does not merely work by identifying ports but sends commands to the services.
• Useful where services run on custom ports.
• It uses the banner or response from the service to identify the service.
• Try to analyze the packets for commands sent and data transferred across the network, like application responses, banners etc.
• Very important protocol for a network analyst
• RFC 792 at www.ietf.org
• ICMP packets can be used to perform OS fingerprinting and connectivity tests on your network.
• An ICMP packet has three constant fields:
ICMP Type, ICMP Code, Checksum
• For details of ICMP types and codes refer to www.iana.org
Type 0: Echo Reply
Type 3: Destination Unreachable
Type 8: Echo Request
Type 11: Time Exceeded (used by traceroute)
Type 13: Timestamp Request
Type 14: Timestamp Reply
Type 15: Information Request
Type 16: Information Reply
Type 17: Address Mask Request
Type 18: Address Mask Reply
Reference : www.iana.org
OS fingerprinting
• ICMP-based connectivity test
• Works with the ICMP Echo Request packet (Type 8) and the ICMP Echo Reply packet (Type 0)
• Traceroute uses the ping process
• Client A sends an Echo Request packet (ping packet) with TTL 1
• Traceroute illustrated (diagram: Client A reaches Client B through routers R1, R2 and R3)
1. Client A sends an Echo Request with TTL=1; R1 replies Time Exceeded in Transit
2. Client A sends an Echo Request with TTL=2; R2 replies Time Exceeded in Transit
3. Client A sends an Echo Request with TTL=3; R3 replies Time Exceeded in Transit
4. Client A sends an Echo Request with TTL=4; it reaches Client B, which replies with an Echo Reply
• To identify the remote platform or operating system
• Active fingerprinting:
TCP stack querying (ICMP, SNMP, TCP etc.), Banner grabbing (FTP, Telnet, HTTP), Port probing (135, 137, 445, 524)
• Key ICMP packets seen during active OS fingerprinting are:
ICMP Type 13 (Timestamp), ICMP Type 17 (Address Mask)
(These packets are specific to Xprobe2)
• Key ICMP packets seen during active OS fingerprinting are:
ICMP Type 13 (Timestamp), ICMP Type 15 (Information), ICMP Type 17 (Address Mask)
• Together these three types of packets signify OS fingerprinting
• The order of the packets is important to identify the tool used for OS fingerprinting.
• Type 13, Type 17, Type 15 (in that order): Xprobe tool
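Added example serving both the ICMP header slide (three constant fields) and the type 13/15/17 rule above: parse and checksum-verify ICMP messages, then report sources that sent all three request types to one destination, keeping the order seen. This is not code from the slides or from Xprobe2; the checksum follows RFC 792 and the sample flows are constructed.

```python
import struct
from collections import defaultdict

TIMESTAMP_REQ, INFO_REQ, ADDR_MASK_REQ = 13, 15, 17   # types the slides tie to OS fingerprinting

def icmp_checksum(data: bytes) -> int:
    """RFC 792 16-bit one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes):
    """Read the three constant header fields; return (type, code, checksum_ok)."""
    itype, code, csum = struct.unpack("!BBH", msg[:4])
    ok = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == csum
    return itype, code, ok

def build_icmp(itype: int, code: int = 0, body: bytes = b"\x00" * 8) -> bytes:
    """Constructed ICMP message with a valid checksum (test-data helper)."""
    head = struct.pack("!BBH", itype, code, 0) + body
    return head[:2] + struct.pack("!H", icmp_checksum(head)) + head[4:]

def fingerprint_sources(flows):
    """flows: (src, dst, icmp_bytes) tuples in capture order. A source that sent
    types 13, 15 and 17 to one destination is reported with the order seen, which
    hints at the tool (the slides attribute the 13, 17, 15 order to Xprobe2)."""
    seen = defaultdict(list)
    for src, dst, msg in flows:
        itype, _, ok = parse_icmp(msg)
        if ok and itype in (TIMESTAMP_REQ, INFO_REQ, ADDR_MASK_REQ):
            seen[(src, dst)].append(itype)
    return {pair: order for pair, order in seen.items()
            if {TIMESTAMP_REQ, INFO_REQ, ADDR_MASK_REQ} <= set(order)}

# Constructed capture: one Xprobe2-style sequence interleaved with an ordinary ping.
SAMPLE_FLOWS = [("10.0.0.5", "10.0.0.20", build_icmp(13)),
                ("10.0.0.9", "10.0.0.20", build_icmp(8)),
                ("10.0.0.5", "10.0.0.20", build_icmp(17)),
                ("10.0.0.5", "10.0.0.20", build_icmp(15))]
```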
• Nmap is a network scanning tool
• OS fingerprinting is the module loaded with the -A switch for OS identification
• Nmap sends a series of six packets to a known open port.
• All these packets have
a timestamp value (TSval) of 4294967295
a TSecr value of 0
• All packets except the 3rd have selective ACK (SACK) permitted
• Packet #1: Window scale (10), NOP, MSS (1460), window field: 1
• Packet #2: MSS (1400), Window scale (0), window field: 63
• Packet #3: NOP, NOP, Window scale (5), NOP, MSS (640), window field: 4
• Packet #4: Window scale (10), window field: 4
• Packet #5: MSS (536), Window scale (10), window field: 16
• Packet #6: MSS (265), window field: 512
Reply packets undergo a large variety of additional tests:
Tests for ISN, sequence counter rate, sequence predictability
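Added example, not nmap's code or the slides': parse the TCP option list to pick out the TSval/TSecr signature described above and count the six-probe series per target port; the option bytes for probe #1 are reconstructed from the slides' description, and the host addresses and the encoder helper are assumed sample data.

```python
import struct

EOL, NOP, MSS, WSCALE, SACK_OK, TIMESTAMP = 0, 1, 2, 3, 4, 8   # TCP option kinds
NMAP_TSVAL, NMAP_TSECR = 4294967295, 0   # values the slides give for nmap's OS probes

def parse_tcp_options(opts: bytes) -> dict:
    """Walk a TCP option list (kind, length, data) and pull out the fields the
    slides key on: MSS, window scale, SACK permitted and the timestamp pair."""
    out, i = {"sack_ok": False}, 0
    while i < len(opts) and opts[i] != EOL:
        kind = opts[i]
        if kind == NOP:              # single-byte padding, no length field
            i += 1
            continue
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == MSS:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == WSCALE:
            out["wscale"] = body[0]
        elif kind == SACK_OK:
            out["sack_ok"] = True
        elif kind == TIMESTAMP:
            out["tsval"], out["tsecr"] = struct.unpack("!II", body)
        i += length
    return out

def is_nmap_os_probe(opts: bytes) -> bool:
    """Per-packet signature from the slides: TSval 4294967295 with TSecr 0."""
    p = parse_tcp_options(opts)
    return p.get("tsval") == NMAP_TSVAL and p.get("tsecr") == NMAP_TSECR

def nmap_probe_targets(syns, min_probes=6):
    """syns: (src, dst, dport, options) per SYN seen. Return the (src, dst, dport)
    triples that received at least min_probes signature SYNs to one open port."""
    counts = {}
    for src, dst, dport, opts in syns:
        if is_nmap_os_probe(opts):
            counts[(src, dst, dport)] = counts.get((src, dst, dport), 0) + 1
    return {k for k, n in counts.items() if n >= min_probes}
def encode(*items) -> bytes:
    """Constructed option encoder for test data: 'nop', 'sack', ('mss', n), ('ws', n), ('ts', val, ecr)."""
    enc = {"nop": lambda _: bytes([NOP]), "sack": lambda _: bytes([SACK_OK, 2]),
           "mss": lambda it: struct.pack("!BBH", MSS, 4, it[1]),
           "ws": lambda it: bytes([WSCALE, 3, it[1]]),
           "ts": lambda it: struct.pack("!BBII", TIMESTAMP, 10, it[1], it[2])}
    return b"".join(enc[it if isinstance(it, str) else it[0]](it) for it in items)

# Probe #1 from the slides, reconstructed: WS 10, NOP, MSS 1460, plus the timestamp and SACK options.
PROBE1 = encode(("ws", 10), "nop", ("mss", 1460), ("ts", NMAP_TSVAL, NMAP_TSECR), "sack")
```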
• Application fingerprinting
• Various ICMP packet types and codes
• How a traceroute operation works (Echo Request and Reply)
• ICMP-based OS fingerprinting (Type 13 and Type 17 packets)
• SYN packet based OS fingerprinting (nmap)
• Wireshark University Course on Network security and Forensics
• http://iana.org
• http://ietf.org
• http://keyfocus.net
• TCP IP fingerprinting supported by Nmap
• http://wiki.wireshark.org/
• Familiarize yourself with and study more about these topics
• Analyze the packet logs of your switches and routers.
• Research various attack fingerprints
• Start with a network forensics course.
• Research and study various other packet types and structures, e.g. DNS, SMTP, FTP, NetBIOS etc.