Page 1: Detecting Reconnaissance Through Packet Forensics by Shashank Nigam

Detecting Reconnaissance Through Packet Forensics

Shashank Nigam

Page 2:

Target Audience

• Network Analysts

• Network Admins

• Security Engineers

• Security Researchers and Enthusiasts

• Anyone who is interested

Page 3:

• S3cu4ity Enthusi@astic and S3cu4ity C0n5ult@nt for Security Compass

• Love to Expl0r3 the W0rld of s3cu4ity

• Have a Blog of my 0wn

• http://securityissuesrevealed.blogspot.in/

• Contact me:

• https://www.linkedin.com/pub/shashank-nigam/21/30/3bb

• Email: [email protected]


Page 4:

• What is Reconnaissance?

• Network Packet Analysis

• Analyzing network packets to detect various reconnaissance activities in your network; examples: TCP/UDP port scans, application fingerprinting, OS fingerprinting, trace route.

• Detecting unusual traffic on your cabling system

• Identifying packets in depth

Page 5:

• How does TCP/IP communication occur?

Page 6:

• Windows box (Win7 or Win XP)

• A Linux or attacker's machine with nmap

• KF Sensor (a honeypot running on the Windows box)

• Wireshark (network protocol analyzer on the Windows box)

• Other recommended tools: Xprobe, Hping, Nmap

Page 7:

• Some virus or worm trying to establish a remote shell

• Clear-text information travelling across the cabling system

• Some unusual port activity (dynamic ports)

• No spoofed address

• No scan activity like port scan, OS scan etc.

• Examples: BLASTER WORM, TCP/UDP PORTSCAN, connectivity tests etc.

Page 8:

Analyzing the Blaster worm:

• Blaster is a worm that exploits the DCOM RPC vulnerability discovered in August 2003

• It downloads the file msblast.exe to %WinDir%\system32 and executes it.

• It uses cmd.exe to create a hidden remote shell process which listens on TCP port 4444.

• This allows an attacker to send commands to an infected machine.

Page 9:

Some more unusual traffic:

• Character generator (chargen) traffic (port 19)

• When data is sent to the chargen port (19), we find data echoing back as a sequence of random characters

• Basically performed as a connectivity test

• Such traffic should not be present on the cabling system unless chargen is purposefully used.

Page 10:

• Reconnaissance is a way to gather information about a target before actually planning an attack

• The success of an attack depends largely upon the reconnaissance made

• TCP or UDP port scan

• Application fingerprinting

• OS fingerprinting

• Illegally formed scans etc.

Page 11:

• The TCP three-way handshake involves TCP SYN, SYN-ACK and ACK packets exchanged between client and server.

• For a TCP port scan the scanning system sends a TCP SYN packet to the destination port.

• If the server supports the service it replies with a SYN-ACK packet; otherwise a TCP RST packet is sent across the cabling system.

If we see a lot of RST packets on the network and don't find a DATA exchange between the two nodes, it signifies a port scan.

Page 12:

Page 13:

• For a UDP scan the client sends a UDP packet to a destination port.

• If the server does not support the particular service requested in the packet, it replies with an ICMP type 3/code 3 packet.

• This ICMP type 3/code 3 packet is unusual to find in network traffic.

• Type 3/code 3 signifies Destination Unreachable/Port Unreachable

If we find a lot of ICMP type 3/code 3 packets in traffic it signifies a UDP port scan is going on and requires attention.
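The two detection rules from the TCP and UDP port scan slides, applied to traffic records, as an added example (not code from the slides). It assumes packets have been decoded into dicts with the fields a Wireshark dissector exposes (proto, src, dst, ports, TCP flags, ICMP type/code and the destination port quoted inside an ICMP error); the sample traffic is constructed.

```python
from collections import defaultdict

def detect_port_scans(packets, threshold=5):
    """Return {scanner: {...}} for sources that triggered >= threshold RSTs
    (with no data exchanged) or >= threshold ICMP type 3/code 3 replies."""
    rst_hits = defaultdict(set)     # scanner -> {(target, tcp port)} answered by RST
    icmp33_hits = defaultdict(set)  # scanner -> {(target, udp port)} answered by ICMP 3/3
    data_pairs = set()              # host pairs that actually exchanged payload
    for p in packets:
        if p["proto"] == "tcp":
            if p.get("payload", 0) > 0:
                data_pairs.add(frozenset((p["src"], p["dst"])))
            if "R" in p["flags"]:
                # the RST travels target -> scanner, so dst is the scanner
                rst_hits[p["dst"]].add((p["src"], p["sport"]))
        elif p["proto"] == "icmp" and p["type"] == 3 and p["code"] == 3:
            # ICMP port unreachable also travels target -> scanner; the quoted
            # original datagram tells us which UDP port was probed
            icmp33_hits[p["dst"]].add((p["src"], p["orig_dport"]))
    report = {}
    for scanner, hits in rst_hits.items():
        # an RST after real data is a normal teardown, not a probe
        probes = {h for h in hits if frozenset((scanner, h[0])) not in data_pairs}
        if len(probes) >= threshold:
            report.setdefault(scanner, {})["tcp_rst"] = len(probes)
    for scanner, hits in icmp33_hits.items():
        if len(hits) >= threshold:
            report.setdefault(scanner, {})["udp_icmp_3_3"] = len(hits)
    return report

# Constructed sample traffic (not a real capture)
SAMPLE = []
for port in range(20, 30):  # SYN sweep of ten ports, every one answered with RST
    SAMPLE.append({"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.10",
                   "sport": 40000, "dport": port, "flags": "S"})
    SAMPLE.append({"proto": "tcp", "src": "10.0.0.10", "dst": "10.0.0.5",
                   "sport": port, "dport": 40000, "flags": "RA"})
for port in range(100, 106):  # six UDP probes, each answered with ICMP 3/3
    SAMPLE.append({"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.10",
                   "sport": 40001, "dport": port})
    SAMPLE.append({"proto": "icmp", "src": "10.0.0.10", "dst": "10.0.0.5",
                   "type": 3, "code": 3, "orig_dport": port})
SAMPLE += [  # a real HTTP session that ends with RST after data: not a scan
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.10", "sport": 5000,
     "dport": 80, "flags": "PA", "payload": 120},
    {"proto": "tcp", "src": "10.0.0.10", "dst": "10.0.0.7", "sport": 80,
     "dport": 5000, "flags": "RA"},
]
```

Running `detect_port_scans(SAMPLE)` reports only 10.0.0.5, with ten RST-answered TCP probes and six ICMP 3/3-answered UDP probes; the host that exchanged data before its RST is not reported.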

Page 14:

• Sometimes identifying packets is a difficult task.

• TCP flags come to the rescue.

• Basically six TCP flags can be found in the packet:

URGENT (URG), ACKNOWLEDGEMENT (ACK), PUSH (PSH), RESET (RST), SYNCHRONIZE (SYN), FINISH (FIN)

• Some uncommon and absurd combinations of these flags in a packet reveal an illegally formed packet.
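Decoding the six flag bits from a raw TCP header and naming the combinations that no legitimate TCP stack sends, as an added example (not from the slides). The header builder is a constructed helper that fills only the fields needed for flag decoding.

```python
import struct

# bit values of the six flags in byte 13 of the TCP header (RFC 793 order)
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def tcp_flags(header):
    """Return the set of flag names set in a raw TCP header (bytes)."""
    flag_byte = struct.unpack("!B", header[13:14])[0] & 0x3F
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}

def classify_flags(flags):
    """Name flag combinations that no legitimate TCP stack produces."""
    if not flags:
        return "illegal: no flags set (NULL)"
    if flags == {"FIN", "PSH", "URG"}:
        return "illegal: FIN+PSH+URG (Xmas)"
    if {"SYN", "FIN"} <= flags:
        return "illegal: SYN+FIN together"
    if {"SYN", "RST"} <= flags:
        return "illegal: SYN+RST together"
    if not flags & {"SYN", "RST", "ACK"}:
        # every segment after the initial SYN carries ACK; a bare FIN does not
        return "illegal: no ACK on a non-SYN/RST segment"
    return "normal"

def build_tcp_header(sport, dport, flag_byte):
    """Constructed 20-byte TCP header: seq/ack 0, data offset 5, window 1024,
    checksum and urgent pointer left at 0 (enough for flag decoding)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_byte, 1024, 0, 0)

def classify_header(header):
    return classify_flags(tcp_flags(header))

# Constructed sample headers
SAMPLES = {
    "syn": build_tcp_header(40000, 80, 0x02),
    "syn_ack": build_tcp_header(80, 40000, 0x12),
    "null": build_tcp_header(40000, 80, 0x00),
    "xmas": build_tcp_header(40000, 80, 0x29),
    "syn_fin": build_tcp_header(40000, 80, 0x03),
    "bare_fin": build_tcp_header(40000, 80, 0x01),
}
```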

Page 15:

Page 16:

• An IP scan is usually done to find the key services and protocols that sit after the IP header.

• It involves various routing protocols.

• In the IP scan process the scanner alters the IP protocol field value to check which protocols the target system supports.

Page 17:

• What the reconnaissance process is

• Analyzed TCP port scan (3-way handshake and RST packets)

• Analyzed UDP port scan (ICMP type 3/code 3 packet)

• Unusual Blaster and chargen traffic used for connectivity tests

• Illegally formed scan packets with combinations of different flag bits

• IP scan process looking for various routing protocols

Page 18:

• Usually a process of identifying the services running on a port

• Does not merely work by identifying ports but sends commands to services.

• Useful where services run on custom ports.

• It identifies the banner or response from the service to identify the service

• Try to analyze the packets for commands sent and data transferred across the network, like application responses, banners etc.

Page 19:

• A very important protocol for network analysts

• RFC 792 at www.ietf.org

• ICMP packets can be used to perform OS fingerprinting and connectivity tests on your network.

• An ICMP packet has three constant fields:

ICMP Type, ICMP Code, Checksum

• For details of ICMP types and codes refer to www.iana.org

Page 20:

Type 0 Echo Reply
Type 3 Destination Unreachable
Type 8 Echo Request
Type 11 Time Exceeded (trace route)
Type 13 Timestamp Request
Type 14 Timestamp Reply
Type 15 Information Request
Type 16 Information Reply
Type 17 Address Mask Request
Type 18 Address Mask Reply

Reference: www.iana.org

OS fingerprinting

Page 21:

• ICMP-based connectivity test

• Works with the ICMP Echo Request packet (Type 8) and the ICMP Echo Reply packet (Type 0)

• Trace route uses the ping process

• Client A sends an Echo Request packet (ping packet) with TTL 1

• Trace route illustrated

Page 22:

(Figure: trace route illustrated. Client A sends Echo Requests with TTL=1, TTL=2 and TTL=3; routers R1, R2 and R3 each answer with Time Exceeded in Transit. With TTL=4 the request reaches Client B, which answers with an Echo Reply.)

Page 23:

• To identify the remote platform or operating system

• Active fingerprinting:

TCP stack querying (ICMP, SNMP, TCP etc.), banner grabbing (FTP, TELNET, HTTP), port probing (135, 137, 445, 524)

• Key ICMP packets seen in active OS fingerprinting are:

ICMP Type 13 Timestamp, ICMP Type 17 Address Mask

(These packets are specific to Xprobe2)

Page 24:

• Key ICMP packets seen in active OS fingerprinting are:

ICMP Type 13 Timestamp, ICMP Type 15 Information, ICMP Type 17 Address Mask

• Together these three packet types signify OS fingerprinting

• The order of the packets is important to identify the tool used for OS fingerprinting.

• Type 13, Type 17, Type 15: Xprobe tool
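Turning the two slides above into a per-source check, as an added example (not code from the slides): a source is reported only once it has sent all three request types, and the first-seen order 13, 17, 15 given on the slide is labelled as Xprobe. Packet records are assumed to be dicts with proto, src, dst and ICMP type; the sample traffic is constructed.

```python
from collections import defaultdict

XPROBE_ORDER = (13, 17, 15)      # Timestamp, Address Mask, Information request
FINGERPRINT_TYPES = frozenset(XPROBE_ORDER)

def icmp_fingerprint_verdicts(packets):
    """Return {src: verdict} for sources that sent all three ICMP request
    types used for OS fingerprinting; the verdict names Xprobe when the
    first-seen order is 13, 17, 15 (the order given on the slides)."""
    per_src = defaultdict(list)
    for p in packets:
        if p["proto"] == "icmp" and p["type"] in FINGERPRINT_TYPES:
            per_src[p["src"]].append(p["type"])
    verdicts = {}
    for src, types in per_src.items():
        if not FINGERPRINT_TYPES <= set(types):
            continue  # one or two of the types alone is not enough evidence
        order = []    # first occurrence of each type, in arrival order
        for t in types:
            if t not in order:
                order.append(t)
        if tuple(order) == XPROBE_ORDER:
            verdicts[src] = "ICMP OS fingerprinting (order matches Xprobe)"
        else:
            verdicts[src] = "ICMP OS fingerprinting (other tool, order %s)" % \
                ",".join(str(t) for t in order)
    return verdicts

def icmp(src, dst, icmp_type):
    """Constructed minimal ICMP request record."""
    return {"proto": "icmp", "src": src, "dst": dst, "type": icmp_type, "code": 0}

# Constructed sample traffic
SAMPLE = [
    icmp("10.0.0.5", "10.0.0.10", 8),    # ordinary ping first
    icmp("10.0.0.5", "10.0.0.10", 13),
    icmp("10.0.0.5", "10.0.0.10", 17),
    icmp("10.0.0.5", "10.0.0.10", 15),
    icmp("10.0.0.6", "10.0.0.10", 15),   # same three types, different order
    icmp("10.0.0.6", "10.0.0.10", 13),
    icmp("10.0.0.6", "10.0.0.10", 17),
    icmp("10.0.0.7", "10.0.0.10", 8),    # only echo requests: not fingerprinting
    icmp("10.0.0.8", "10.0.0.10", 13),   # timestamp request alone (e.g. clock query)
]
```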

Page 25:

• Nmap is a network scanning tool

• OS fingerprinting is a module loaded with the -A switch for OS identification

• Nmap sends a series of six packets to a known open port.

• All these packets have:

a Timestamp value (TSval) of 4294967295

a TSecr value of 0

• All packets except the 3rd have Selective ACK (SACK) permitted

Page 26:

• Packet #1: Window scale (10), NOP, MSS (1460), window field: 1

• Packet #2: MSS (1400), window scale (0), window field: 63

• Packet #3: NOP, NOP, window scale (5), NOP, MSS (640), window field: 4

• Packet #4: Window scale (10), window field: 4

• Packet #5: MSS (536), window scale (10), window field: 16

• Packet #6: MSS (265), window field: 512

Reply packets undergo a large variety of additional tests:

Tests for ISN, sequence counter rate, sequence predictability
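Matching SYN packets against the six probe signatures listed on these two slides, as an added example (not code from the slides or from Nmap). Packet records are assumed to be dicts carrying the TCP option values a Wireshark dissector exposes (mss, wscale, window, sack, tsval, tsecr); a source is reported once it has sent at least four distinct probes to the same port, and the sample traffic is constructed.

```python
NMAP_TSVAL, NMAP_TSECR = 4294967295, 0   # 0xFFFFFFFF and 0 on every probe

# (MSS, window scale, window field, SACK permitted) per probe; None = option absent
NMAP_PROBES = {
    1: (1460, 10, 1, True),
    2: (1400, 0, 63, True),
    3: (640, 5, 4, False),     # the only probe without SACK permitted
    4: (None, 10, 4, True),
    5: (536, 10, 16, True),
    6: (265, None, 512, True),
}

def match_nmap_probe(pkt):
    """Return the nmap OS-detection probe number this SYN matches, else None."""
    if pkt.get("flags") != "S":
        return None
    if pkt.get("tsval") != NMAP_TSVAL or pkt.get("tsecr") != NMAP_TSECR:
        return None
    sig = (pkt.get("mss"), pkt.get("wscale"), pkt.get("window"), pkt.get("sack", False))
    for number, probe in NMAP_PROBES.items():
        if sig == probe:
            return number
    return None

def os_detection_sources(packets, min_probes=4):
    """Map (src, dst, dport) -> sorted probe numbers for sources that sent at
    least min_probes distinct nmap probes to the same open port."""
    seen = {}
    for pkt in packets:
        number = match_nmap_probe(pkt)
        if number is not None:
            key = (pkt["src"], pkt["dst"], pkt["dport"])
            seen.setdefault(key, set()).add(number)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_probes}

def syn(src, dst, dport, **opts):
    """Constructed SYN record; TCP options are given as keywords."""
    return {"proto": "tcp", "flags": "S", "src": src, "dst": dst,
            "sport": 40000, "dport": dport, **opts}

# Constructed sample: the six probes against 10.0.0.10:80, plus two ordinary SYNs
SAMPLE = [syn("10.0.0.5", "10.0.0.10", 80, mss=m, wscale=w, window=win, sack=s,
              tsval=NMAP_TSVAL, tsecr=NMAP_TSECR) for m, w, win, s in NMAP_PROBES.values()]
SAMPLE += [
    syn("10.0.0.7", "10.0.0.10", 80, mss=1460, wscale=7, window=64240, sack=True, tsval=12345, tsecr=0),
    syn("10.0.0.8", "10.0.0.10", 80, mss=1460, wscale=10, window=1, sack=True, tsval=777, tsecr=0),  # probe-like options, normal TSval
]
```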

Page 27:

• Application fingerprinting

• Various ICMP packet types and codes

• How a trace route operation works (Echo Request and Reply)

• ICMP-based OS fingerprinting (Type 13 and Type 17 packets)

• SYN packet based OS fingerprinting (nmap)

Page 28:

• Wireshark University Course on Network security and Forensics

• http://iana.org

• http://ietf.org

• http://keyfocus.net

• TCP IP fingerprinting supported by Nmap

• http://wiki.wireshark.org/

Page 29:

• Familiarize yourself with and study more about these topics

• Analyze the packet logs of your switch and router.

• Research various attack fingerprints

• Start with a network forensics course.

• Research and study various other packet types and structures, i.e. DNS, SMTP, FTP, NETBIOS etc.

Page 30: