Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Published byKyla Merrell Modified over 10 years ago

Similar presentations

Presentation on theme: "Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion."— Presentation transcript:

1

2 Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion and Intrusion Techniques. The Tools.

3 The TCP/IP Stack

4 Each OS vendor has a different implimentation of TCP/IP Stack. Each layer of TCP/IP Stack of an OS, exhibits a different behaviour. Properties of TCP/IP stack can be used for OS, Hardware detection, port scanning, Intrusion & Evasion.

5 The Link Layer (L2)‏ L2 packet comprises of the MAC addresses of source and destination machine. MAC Address has 6 Bytes. Its first 3 Bytes are Organizationally Unique Identifier (OUI). OUIs are unique to the manufacturers of network cards. In MAC address “00-08-74-4C-7F-1D”, OUI “00- 08-74” is unique to Dell Computer Corp.

6 Network Layer (L3)‏ IPv4 header layout

7 Network Layer (L3)‏ The initial TTL value observed for various OS are : Windows = 128, Linux = 64 & AIX = 255. IP Layer supports TCP Fragmentation. “Dont Fragment” flag is set in some responses for Windows and not set in Linux machines. IP- Identification field is used in a special port scanning technique called Idle or Zomby scan.

8 TCP (L4)‏ TCP header layout

9 TCP Layer (L4)‏ TCP uses 3 way hand shake protocol : SYN-> <-SYN/ACK ACK->. Different combination of SYN, ACK and FIN flags brings out different behaviour of different OSs.

10 TCP Layer (L4)‏ Initial SEQUENCE number is seen different for different OSs. Checking the window size on returned packets, helps to identify AIX (0x3F25), Windows and BSD (0x402E) systems. ACK Value in response to FIN, is used to Identify some windows versions.

11 TCP Layer (L4)‏ TCP Options are generally optional. Still, every OS sends out different value & sequence of : WindowScale (W); NOP (N); MaxSegmentSize (M); TimeStamp (T); & End of Option (E) The TCP Options echoed varies with OSs, for Solaris = “NNTNWME ”, Linux =“MENNTNW”.

12 UDP (L4)‏ UDP header layout

13 UDP Layer (L4)‏ UDP packet sent to non existent port is replied back with ICMP-Destination Unreachable packet. The ICMP-Destination Unreachable packet has the copy of UDP packet which resulted in the ICMP error. Different OS mess up with this copy of UDP packet in different style.

14 Idle Scan Host Zombi Target Probe packet (SYN) IPID =43210 SYN/ACK SrcIP = Zombi/Port = 80 (SYN) SYN/ACK RST, IPID = 43211 IPID =43212 SYN/ACK Idle scan completes

15 Exploiting Exchange HOSTExchange Server XEXCH50 -1 2 XEXCH50 -1 2 \r\n IPS/IDS IF “XEXCH50 -1 2” DROP Exploit Blocked XEXCH50 -1 2 \r\n MS05-043

16 Evasion Techniques HOSTExchange Server XEXCH50 TTL = 10 XEXCH50 TTL = 9 -1 2 \r\n TTL = 10 -1 2 \r\n TTL = 9 XEXCH50 -1 2 IPS/IDS IF “XEXCH50 -1 2” DROP MS05-043 IP Fragmentation

17 Evasion Techniques HOSTExchange Server XEXCH50 TTL = 10 XEXCH50 TTL = 9 JUNK TTL = 1 TTL Expired -1 2 \r\n TTL = 10 -1 2 \r\n TTL = 9 XEXCH50 -1 2 IPS/IDS IF “XEXCH50 -1 2” DROP MS05-043 Resultant String “XEXCH50 JUNK -1 2” Traffic Insertion

18 Prevent to get detected For Windows - OSfucate - sec_clock For Linux - grsec - iplog For BSD Unix - blackhole - Fingerprint Fucker

19 TOOLS Network Scanners :  Nmap, Nessus. Misc :  Netcat. SimpleTools :  Ping, traceroute. Packet Sniffers :  WireShark, tcpdump Packet Crafter :  hping2

20 Reference http://nmap.org/nmap-fingerprinting-article.txt http://www.zog.net/Docs/nmap.html http://www.grsecurity.net/

21 Murtuja Bharmal (bharmal.murtuja@gmail.com)

Download ppt "Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.

Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Scanning CS391. Overview  The TCP protocol: quick overview  Scanning  Fingerprinting  OS Detection.

Scanning CS391. Overview  The TCP protocol: quick overview  Scanning  Fingerprinting  OS Detection.
IP Network Scanning.

IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Port Scanning.

1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)

CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.

Scanning slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Examining IP Header Fields

Examining IP Header Fields

Similar presentations

Ads by Google