Packets and Protocols Recognizing Attacks with the protocol analyzer
Packets and Protocols Recognizing attacks Hacker tools – –Many tools exist – –Most are freeware – –Many are simply adaptations of existing features/tools in the operating system Ping Trace route Nbtstat nslookup
Packets and Protocols Recognizing attacks Ping – –Uses ICMP Many options exist for the ping command
C:\WINDOWS>ping Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] target_name [-w timeout] target_nameOptions: -t Ping the specified host until stopped. -t Ping the specified host until stopped. To see statistics and continue - type Control-Break; To see statistics and continue - type Control-Break; To stop - type Control-C. To stop - type Control-C. -a Resolve addresses to hostnames. -a Resolve addresses to hostnames. -n count Number of echo requests to send. -n count Number of echo requests to send. -l size Send buffer size. -l size Send buffer size. -f Set Don't Fragment flag in packet. -f Set Don't Fragment flag in packet. -i TTL Time To Live. -i TTL Time To Live. -v TOS Type Of Service. -v TOS Type Of Service. -r count Record route for count hops. -r count Record route for count hops. -s count Timestamp for count hops. -s count Timestamp for count hops. -j host-list Loose source route along host-list. -j host-list Loose source route along host-list. -k host-list Strict source route along host-list. -k host-list Strict source route along host-list. -w timeout Timeout in milliseconds to wait for each reply. -w timeout Timeout in milliseconds to wait for each reply. Packets and Protocols Recognizing attacks
Trace route –Uses ICMP Type 8, type 0 and TTL Sends type 8 w/TTL=1 Receives TTL expired Sends type 8 w/TTL=2 Received TTL expired
Packets and Protocols Recognizing attacks NBTStat – –Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP). – –Yet another way a hacker can gather data to be used against you
Packets and Protocols Recognizing attacks Nslookup – –DNS tool used to look resolve IP addresses to names and to give the DNS server servicing the request. Similar to ping -a
Packets and Protocols Recognizing attacks There are many tools already written that bring together these common utilities – –Common hacker tools can be found at – –Sourceforge
Packets and Protocols Recognizing attacks Sam Spade – –GUI tool used for gathering information from Websites
Packets and Protocols Recognizing attacks Ping sweep tools – –Used to discover IP addresses on networks by using ICMP and ARP
Packets and Protocols Recognizing attacks Port scan tools – –Used to find what ports are open on what devices – –Can scan sequentially or random
Packets and Protocols Recognizing attacks Cain and Able –Good multipurpose tool for cross platform vulnerability checks
Packets and Protocols Recognizing attacks ZenMap –Another multipurpose tool to gather information against network nodes
Packets and Protocols Recognizing attacks SNMP Sweeps – –Two types Brute force – –Simple guessing program Starts with the password of a then b -> z then aa, ab, ac ->zz then aaa, aab etc Dictionary – –Uses a pre-made list of common words or phrases
Packets and Protocols Recognizing attacks Brute Force
Packets and Protocols Recognizing attacks Dictionary Attack
Packets and Protocols Recognizing attacks What to look for: – –Ping sweep Look for an inordinate amount of ICMP traffic – –Port Scan Look for incrementing destination ports – –SNMP Attack Look for a sudden bust of SNMP traffic and monitor the community field in the capture
Packets and Protocols Recognizing attacks How to defend: – –Ping Filter out unwanted ICMP types – –Port Scan Lock down devices and turn off unneeded applications and ports – –SNMP attacks Use strong passwords
Packets and Protocols Recognizing attacks
The best solution? –Get an IDS/IPS Intrusion detection system – passive Intrusion prevention system - active