Presentation is loading. Please wait.

Presentation is loading. Please wait.

Packets and Protocols Chapter Seven Real World Packet Captures.

Published bySamuel Marple Modified over 9 years ago

Similar presentations

Presentation on theme: "Packets and Protocols Chapter Seven Real World Packet Captures."— Presentation transcript:

1 Packets and Protocols Chapter Seven Real World Packet Captures

2 Packets and Protocols Chapter 7  Scanning –Usually done by a hacker (white hat or black hat) to find vulnerabilities –Can also be part of a worm or other attack –Attacks are often preceded with a ping

3 Packets and Protocols Chapter 7  Reference Capture file scan1.log –TCP Connect Scan Attack  Look for a large number of TCP resets using the same source port (52218)  Filter on  Filter on   tcp.flags.syn==1&&tcp.flags.ack==1 or   tcp.flags==18

4 Packets and Protocols Chapter 7  Same port used over and over and over

5 Packets and Protocols Chapter 7  Reference Capture file scan1.log –SYN Flood Attack   An intruder sends a SYN packet and analyzes the response. If an RST/ACK is received, it indicates that the port is closed. If a SYN/ACK is received, it indicates that the port is open and listening.  Look for a large number of TCP resets and incrementing port numbers –Filter on –Filter on   tcp.flags == 0x14

6 Packets and Protocols Chapter 7  Does this look normal???

7 Packets and Protocols Chapter 7  Reference Capture file scan1.log –XMAS Scan “The XMAS scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDS’s more easily than the SYN scans. This XMAS scan sends packets with the Finish (FIN), Push (PSH), and Urgent (URG) flags set.”   Harder to detect, but the key is to look for patterns   Works well against Windows systems

8 Packets and Protocols Chapter 7  tcp.flags == 0x29 (i.e. fin, psh, urg)

9 Packets and Protocols Chapter 7  Reference Capture file scan1.log –NULL Scan “The Null scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDS’s more easily than the SYN scans. This Null scan sends packets with all flags turned off. Closed ports will respond with an RST/ACK, and open ports will drop the packet and not respond.”   Harder to detect, but the key is to look for patterns   Not affective against Windows systems, but works on Cisco, HP UX MVS, etc

10 Packets and Protocols Chapter 7  tcp.flags == 0x0 (i.e. no TCP flags)

11 Packets and Protocols Chapter 7  Reference Capture file scan2.log –Remote Access Trojan Horse Scans  Subseven legend scan –Very common, easy to detect, but there are many variations –Attacks a windows backdoor vulnerability

12 Packets and Protocols Chapter 7  Exploits port 27374 (tcp.dstport == 27374)

13 Packets and Protocols Chapter 7  Reference Capture file netbus.log –Remote Access Trojan Horse Scans  Netbus scan –Very common, easy to detect, but there are many variations –Attacks a windows backdoor vulnerability

14 Packets and Protocols Chapter 7  Exploits port 12345 and 12346 (tcp.dstport == 27374)

15 Packets and Protocols Chapter 7  Reference Capture file scan2.log –RST.b  Affects LINUX systems –Look for the word “DOM” in the payload

16 Packets and Protocols Chapter 7  Search for “DOM” with the find tool

17 Packets and Protocols Chapter 7  Worms! –Becoming more common –Getting smarter –Multiple vulnerabilities –Ability to propagate faster than ever

18 Packets and Protocols Chapter 7  SQL/Slammer Reference Capture file scan3.log   January 25, 2003.   It exploits a vulnerability in the Resolution Service of Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000

19 Packets and Protocols Chapter 7  Reference Capture file scan3.log –Slammer  Affects LINUX systems –Look for the word “DOM” in the payload

20 Packets and Protocols Chapter 7  udp.dstport == 1434

21 Packets and Protocols Chapter 7  Reference Capture file: CodeRed_Stage1 CodeRed_Stage1andCodeRed_Stage2 –Code Red  Several variants  Attacks IIS web servers and causes a buffer overflow

22 Packets and Protocols Chapter 7  Look for the string “GET /default.ida?NNNNNNNN”

23 Packets and Protocols Chapter 7  Reference Capture file  Reference Capture file ramenattack.gz –Ramen   Targets Red Hat Linux 6.2 and Red Hat Linux 7.0  Easy to detect, make no attempt at stealth  Search for the word “ramen”

24 Packets and Protocols Chapter 7  Attempts to create a /usr/scr.poop directory  Encourages people to eat ramen noodles

25 Packets and Protocols Chapter 7  Active responses to attacks –Snort and other IDS systems can stop attacks by sending a TCP fin to the attacker and closing the TCP stream  It can then notify the administrator of an attack –Firewalls can stop the attacks by trashing the packets  It can then notify the administrator of an attack

26 Packets and Protocols Chapter 7  Kowalski Virus mitigation theory –Disconnect –Filter at the border –Clean the LAN(s) –Reopen the border –Monitor, monitor, monitor

27 Packets and Protocols Chapter 7  Virus detection tips: –Look for patterns  Same port  Incrementing port –Look for unusual TCP flags  Fin – rst – psh  No flags –Sniffer companies will post filters for your use so you can detect if you are infected –Look for unusual protocols

28 Packets and Protocols Chapter 7  Virus Prevention Tips –Most attacks can be thwarted by keeping your patches up to date –Some viruses have common embedded stings and are easy to detect –Use a firewall or IDS –TURN OFF OR BLOCK WHAT YOU DO NOT NEED!

Download ppt "Packets and Protocols Chapter Seven Real World Packet Captures."

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA © Abdou Illia.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
Network Security of Labnet ******. Introduction Test the network security of the servers on our Labnet domain Find Potential Weaknesses Find Security.

Network Security of Labnet ******. Introduction Test the network security of the servers on our Labnet domain Find Potential Weaknesses Find Security.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN 0-07-212773-2.

Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Web Server Administration TEC 236 Securing the Web Environment.

Web Server Administration TEC 236 Securing the Web Environment.
© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems. Beyond Intrusion Detection - Prevention & Protection.

© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems. Beyond Intrusion Detection - Prevention & Protection.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

Similar presentations

Ads by Google