Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Similar presentations


Presentation on theme: "Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion."— Presentation transcript:

1

2 Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion and Intrusion Techniques. The Tools.

3 The TCP/IP Stack

4 Each OS vendor has a different implimentation of TCP/IP Stack. Each layer of TCP/IP Stack of an OS, exhibits a different behaviour. Properties of TCP/IP stack can be used for OS, Hardware detection, port scanning, Intrusion & Evasion.

5 The Link Layer (L2)‏ L2 packet comprises of the MAC addresses of source and destination machine. MAC Address has 6 Bytes. Its first 3 Bytes are Organizationally Unique Identifier (OUI). OUIs are unique to the manufacturers of network cards. In MAC address “ C-7F-1D”, OUI “ ” is unique to Dell Computer Corp.

6 Network Layer (L3)‏ IPv4 header layout

7 Network Layer (L3)‏ The initial TTL value observed for various OS are : Windows = 128, Linux = 64 & AIX = 255. IP Layer supports TCP Fragmentation. “Dont Fragment” flag is set in some responses for Windows and not set in Linux machines. IP- Identification field is used in a special port scanning technique called Idle or Zomby scan.

8 TCP (L4)‏ TCP header layout

9 TCP Layer (L4)‏ TCP uses 3 way hand shake protocol : SYN-> <-SYN/ACK ACK->. Different combination of SYN, ACK and FIN flags brings out different behaviour of different OSs.

10 TCP Layer (L4)‏ Initial SEQUENCE number is seen different for different OSs. Checking the window size on returned packets, helps to identify AIX (0x3F25), Windows and BSD (0x402E) systems. ACK Value in response to FIN, is used to Identify some windows versions.

11 TCP Layer (L4)‏ TCP Options are generally optional. Still, every OS sends out different value & sequence of : WindowScale (W); NOP (N); MaxSegmentSize (M); TimeStamp (T); & End of Option (E) The TCP Options echoed varies with OSs, for Solaris = “NNTNWME ”, Linux =“MENNTNW”.

12 UDP (L4)‏ UDP header layout

13 UDP Layer (L4)‏ UDP packet sent to non existent port is replied back with ICMP-Destination Unreachable packet. The ICMP-Destination Unreachable packet has the copy of UDP packet which resulted in the ICMP error. Different OS mess up with this copy of UDP packet in different style.

14 Idle Scan Host Zombi Target Probe packet (SYN) IPID =43210 SYN/ACK SrcIP = Zombi/Port = 80 (SYN) SYN/ACK RST, IPID = IPID =43212 SYN/ACK Idle scan completes

15 Exploiting Exchange HOSTExchange Server XEXCH XEXCH \r\n IPS/IDS IF “XEXCH ” DROP Exploit Blocked XEXCH \r\n MS05-043

16 Evasion Techniques HOSTExchange Server XEXCH50 TTL = 10 XEXCH50 TTL = \r\n TTL = \r\n TTL = 9 XEXCH IPS/IDS IF “XEXCH ” DROP MS IP Fragmentation

17 Evasion Techniques HOSTExchange Server XEXCH50 TTL = 10 XEXCH50 TTL = 9 JUNK TTL = 1 TTL Expired -1 2 \r\n TTL = \r\n TTL = 9 XEXCH IPS/IDS IF “XEXCH ” DROP MS Resultant String “XEXCH50 JUNK -1 2” Traffic Insertion

18 Prevent to get detected For Windows - OSfucate - sec_clock For Linux - grsec - iplog For BSD Unix - blackhole - Fingerprint Fucker

19 TOOLS Network Scanners :  Nmap, Nessus. Misc :  Netcat. SimpleTools :  Ping, traceroute. Packet Sniffers :  WireShark, tcpdump Packet Crafter :  hping2

20 Reference

21 Murtuja Bharmal


Download ppt "Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion."

Similar presentations


Ads by Google