Presentation on theme: "Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion."— Presentation transcript:
Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion and Intrusion Techniques. The Tools.
The TCP/IP Stack
Each OS vendor has a different implimentation of TCP/IP Stack. Each layer of TCP/IP Stack of an OS, exhibits a different behaviour. Properties of TCP/IP stack can be used for OS, Hardware detection, port scanning, Intrusion & Evasion.
The Link Layer (L2) L2 packet comprises of the MAC addresses of source and destination machine. MAC Address has 6 Bytes. Its first 3 Bytes are Organizationally Unique Identifier (OUI). OUIs are unique to the manufacturers of network cards. In MAC address “ C-7F-1D”, OUI “ ” is unique to Dell Computer Corp.
Network Layer (L3) IPv4 header layout
Network Layer (L3) The initial TTL value observed for various OS are : Windows = 128, Linux = 64 & AIX = 255. IP Layer supports TCP Fragmentation. “Dont Fragment” flag is set in some responses for Windows and not set in Linux machines. IP- Identification field is used in a special port scanning technique called Idle or Zomby scan.
TCP (L4) TCP header layout
TCP Layer (L4) TCP uses 3 way hand shake protocol : SYN-> <-SYN/ACK ACK->. Different combination of SYN, ACK and FIN flags brings out different behaviour of different OSs.
TCP Layer (L4) Initial SEQUENCE number is seen different for different OSs. Checking the window size on returned packets, helps to identify AIX (0x3F25), Windows and BSD (0x402E) systems. ACK Value in response to FIN, is used to Identify some windows versions.
TCP Layer (L4) TCP Options are generally optional. Still, every OS sends out different value & sequence of : WindowScale (W); NOP (N); MaxSegmentSize (M); TimeStamp (T); & End of Option (E) The TCP Options echoed varies with OSs, for Solaris = “NNTNWME ”, Linux =“MENNTNW”.
UDP (L4) UDP header layout
UDP Layer (L4) UDP packet sent to non existent port is replied back with ICMP-Destination Unreachable packet. The ICMP-Destination Unreachable packet has the copy of UDP packet which resulted in the ICMP error. Different OS mess up with this copy of UDP packet in different style.