Packet Manipulation
CE 340/S. Kondakcı, IEU, Computer Engineering
Topics Covered: Network Protocol Headers, Scapy, Nmap, Nping, tcpdump
Network Protocol Headers: TCP, IP, UDP, ICMP, MAC
UDP Packet Header
IP Packet Header
Datalink/Physical (MAC) Packet
TCP Connection Establishment
Normal TCP Handshake
Client --SYN--> Server
Client <--SYN/ACK-- Server
Client --ACK--> Server
After this, you are ready to send data.
SYN Port Scan
Client --SYN--> Server
Client <--SYN/ACK-- Server
Client --RST--> Server
The server is ready (its SYN/ACK shows the port is open), but the client answers with RST instead of the final ACK, so the handshake is never completed and the application behind the port never sees a connection. A closed port answers the SYN with RST/ACK instead; no answer at all usually means a firewall is filtering the port.
Scapy Packet Manipulation
- Creating a packet
- Sending/receiving packets
- Basic Scapy commands
- Capturing packets (and reading packet capture files into Scapy)
- Layering packets
- More examples
The First Step
1. Install Python.
2. Download and install Scapy.
3. (Optional) Install additional software for special features.
4. Run Scapy with root privileges (crafting and sniffing raw packets requires them).
Hello World
send(IP(dst="127.0.0.1")/ICMP()/"HelloWorld")
send - tells Scapy to send a packet at layer 3 (just this single packet, without waiting for an answer)
IP - the protocol of the packet you want to create
(dst="127.0.0.1") - the destination IP to send the packet to
/ICMP() - stack an ICMP header with the default values provided by Scapy (type 8, echo request)
/"HelloWorld" - the payload to include after the ICMP header
Wireshark Capture
Scapy command: send(IP(dst= )/ICMP()/"HelloWorld")
Wireshark capture:
Internet Protocol Version 4, Src: ( ), Dst: ( )
Protocol: ICMP
Data: 48656c6c6f576f726c64, which is "HelloWorld" in ASCII hex
Example: Fabricate an ICMP Packet
send(IP(src= , dst= , ttl=128)/ICMP()/"HelloWorld")
Wireshark:
Internet Protocol Version 4, Src: ( ), Dst: ( )
Time to live: 128
Internet Control Message Protocol, Type: 0 (Echo (ping) reply)
What does this ICMP packet mean? Every field of the IP and ICMP headers, including the source address and the TTL, was chosen by the sender; the receiver has no way to tell a fabricated packet from a genuine one. Note that ICMP() defaults to type 8 (echo request), so the type 0 echo reply in the capture is what the destination sends back, and it is addressed to whatever src was written into the packet, not necessarily to the machine that sent it.
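The same packet built by hand, as an added example that is not part of the lecture's code: it shows what Scapy's IP(src=..., ttl=...)/ICMP()/payload produces byte by byte, including the two checksums, and decodes it again the way the receiver would. Addresses (192.0.2.x, documentation range), identifiers and the payload are made-up test values.

```python
import socket
import struct

# Added example (not from the slides): hand-built IPv4 + ICMP echo packets,
# equivalent to IP(src=..., dst=..., ttl=...)/ICMP(type=...)/"HelloWorld".
# Addresses, identifiers and payload are made-up test values.

ICMP_TYPE_NAMES = {0: "echo-reply", 3: "dest-unreach", 8: "echo-request", 11: "time-exceeded"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by both IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) or reply (type 0): type, code, checksum, id, seq, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal IPv4 header (no options): the sender chooses src, ttl and id freely."""
    fmt = "!BBHHHBBH4s4s"
    fields = [0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(fmt, *fields))   # checksum over the header with the field zeroed
    return struct.pack(fmt, *fields) + payload


def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Decode what a receiver sees; a valid checksum re-sums to zero."""
    vihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    info = {
        "version": vihl >> 4, "ttl": ttl, "proto": proto, "id": ident, "len": total_len,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
    }
    if proto == 1:  # ICMP
        icmp = pkt[ihl:total_len]
        itype, icode, _ics, iid, iseq = struct.unpack("!BBHHH", icmp[:8])
        info.update(icmp_type=itype, icmp_name=ICMP_TYPE_NAMES.get(itype, str(itype)),
                    icmp_code=icode, icmp_id=iid, icmp_seq=iseq, payload=icmp[8:],
                    icmp_checksum_ok=inet_checksum(icmp) == 0)
    return info


def fabricate_echo(src: str, dst: str, ttl: int, icmp_type: int = 8, payload: bytes = b"HelloWorld") -> bytes:
    """Equivalent of IP(src=src, dst=dst, ttl=ttl)/ICMP(type=icmp_type)/payload."""
    return build_ipv4(src, dst, 1, build_icmp_echo(icmp_type, 0x1234, 1, payload), ttl=ttl)


if __name__ == "__main__":
    forged_reply = fabricate_echo("192.0.2.10", "192.0.2.20", ttl=128, icmp_type=0)  # spoofed "echo reply"
    print(parse_ipv4_icmp(forged_reply))
```

The 38-byte length matches the len= 38 Scapy prints for the same layering (20 bytes IP, 8 bytes ICMP, 10 bytes payload); flipping a single header byte makes ip_checksum_ok false, which is the only integrity check IP offers, and it protects against corruption, not against forgery.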
Sending a ping packet
ip=IP()          # Creates an IP header
ip.src=' '       # Source address in the IP header (the local IP)
ip.dst=' '       # Destination address in the IP header
icmp=ICMP()      # Creates an ICMP header
icmp.type=8      # Type 8 = echo request (ping)
icmp.code=0      # Code 0 for echo request
send(ip/icmp)    # Send the ping packet
Sending a ping packet with random source IP
ip=IP()          # Creates an IP header
ip.src=RandIP()  # Source address is a random IP, chosen anew each time the packet is built
ip.dst=' '       # Destination address in the IP header
icmp=ICMP()      # Creates an ICMP header
icmp.type=8      # Type 8 = echo request
icmp.code=0      # Code 0 for echo request
send(ip/icmp)    # Send the ping packet
Because the source is forged, the echo reply goes to the random address, not back to you. Many networks also drop packets whose source address does not belong to the link they arrived from (ingress/egress filtering, BCP 38), so the packet may never leave your own network.
Sending & Receiving Layer 3 and 2 Packets
sr() - sends packets and receives answers. It returns a pair: the list of (packet, answer) couples, and the list of packets that got no answer.
sr1() - a variant that returns only the first packet that answered the packet sent.
Example, simple ICMP packet (layer 3): h=sr1(IP(dst= )/ICMP()/"HelloWorld")
srp() and srp1() - do the same for layer 2 packets (Ethernet, 802.3, etc.), i.e. when you supply the Ether() header yourself.
Show the Packet Contents
h=sr1(IP(dst= )/ICMP()/"HelloWorld")
h.show()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 38
  id= 7395
  flags=
  frag= 0L
  ttl= 64
  proto= icmp
  chksum= 0x83d7
  src=
  dst=
  \options\
###[ ICMP ]###
  type= echo-reply
  code= 0
  chksum= 0x0
  id= 0x0
  seq= 0x0
###[ Raw ]###
  load= 'HelloWorld'
###[ Padding ]###
  load= '\x00\x00\x00\x00\xe7\x03N\x99'
>>>
(len= 38 is 20 bytes of IP header, 8 of ICMP and 10 of payload; the Padding layer is the filler Ethernet adds to reach its 60-byte minimum frame size.)
Show the TTL of the ICMP reply packet
ip=IP()          # Create an IP header
ip.src=' '       # Source address in the IP header is the local IP
ip.dst=' '       # Destination address in the IP header
icmp=ICMP()      # Create an ICMP header
icmp.type=8      # Type 8 = echo request
icmp.code=0      # Code 0 for echo request
p=sr1(ip/icmp)   # Send the packet and keep the reply in p
p.ttl            # The TTL value in the received IP header (a hint about the remote OS and the hop count)
Create an ARP request
ether=Ether()                    # Creates an Ethernet header
ether.src='00:e0:1c:3c:22:b4'    # Source MAC address in the Ethernet header
ether.dst='FF:FF:FF:FF:FF:FF'    # Destination MAC: broadcast, every host on the segment sees it
arp=ARP()                        # Creates an ARP header
arp.op=1                         # Operation 1 = who-has (request); 2 would be is-at (reply)
arp.hwsrc='00:e0:1c:3c:22:b4'    # Sender MAC address
arp.psrc=' '                     # Sender IP address for that MAC
arp.pdst=' '                     # Target IP address to be resolved
arp.hwdst='00:00:00:00:00:00'    # Target MAC address is unknown, so all zeros
p=srp1(ether/arp)                # Send at layer 2 with srp1 and keep the reply; p.hwsrc is the MAC that claims pdst
UDP Scanning
No handshake: an open UDP port normally says nothing, while a closed port answers with ICMP port unreachable, so UDP scanning is slower and less conclusive than TCP scanning (silence means "open|filtered", and many stacks rate-limit the ICMP errors).
Much more powerful in newer versions of Nmap (-sU, especially combined with -sV): it sends valid protocol requests to well-known ports, e.g. a DNS query to port 53. An application-level response proves the UDP port is open.
TCP Packets
>>> p=sr(IP(dst= )/TCP(dport=23))
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> p
(<Results: TCP:1 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
sr() returns a tuple (answered, unanswered), so p.show() fails:
>>> p.show()
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'tuple' object has no attribute 'show'
Unpack the tuple first, then summarise the answered list:
>>> ans,unans=p
>>> ans.summary()
IP / TCP :ftp_data > :telnet S ==> IP / TCP :telnet > :ftp_data RA / Padding
Scapy's TCP() defaults are sport=20 (ftp_data) and flags="S", which is why the probe shows as ftp_data > telnet S; the RA (RST/ACK) answer means port 23 is closed.
TCP Packets
>>> a=sr(IP(dst= )/TCP(dport=[23,80,53]))
Begin emission:
.**Finished to send 3 packets.
*
Received 4 packets, got 3 answers, remaining 0 packets
>>> a
(<Results: TCP:3 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
Giving dport a list makes Scapy build one packet per value (three probes here).
TCP SYN to port 80
tcp=TCP()        # Create a TCP header
tcp.dport=80     # Destination port 80
tcp.flags='S'    # Set the SYN bit
ip=IP()          # Create an IP header
ip.src=' '       # Source address in the IP header is the local IP address
ip.dst=' '       # Destination address in the IP header
send(ip/tcp)     # Send the crafted SYN (no answer is collected; use sr1 to see the SYN/ACK)
Details of the TCP packet
(<Results: TCP:3 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> ans,unans=_
>>> ans.summary()
IP / TCP :ftp_data > :telnet S ==> IP / TCP :telnet > :ftp_data RA / Padding
IP / TCP :ftp_data > :http S ==> IP / TCP :http > :ftp_data SA / Padding
IP / TCP :ftp_data > :domain S ==> IP / TCP :domain > :ftp_data SA / Padding
(_ is the interactive interpreter's last result, i.e. the tuple returned by sr().)
The http (port 80) packet
IP / TCP :ftp_data > :http S ==> IP / TCP :http > :ftp_data SA / Padding
S = SYN from the client (the request)
SA = SYN/ACK from the server (the reply): port 80 is open
The telnet (port 23) Packet
IP / TCP :ftp_data > :telnet S ==> IP / TCP :telnet > :ftp_data RA / Padding
SYN sent from the source. The destination responded with RA, i.e. the RST and ACK flags set in the TCP header: the ACK acknowledges the SYN and the RST tells the source to abort. Nothing is listening on port 23.
Port Scan (TCP-SYN Scan)
a=sr(IP(dst= )/TCP(sport=666,dport=[22,80,21,443],flags='S'))
Source port = 666
Destination ports: 22, 80, 21 and 443
flags='S' = SYN scan
Port Scan (TCP-SYN Scan) cont'd
>>> p=sr(IP(dst= )/TCP(sport=666,dport=[22,80,21,443],flags='S'))
Begin emission:
***Finished to send 4 packets.
*
Received 4 packets, got 4 answers, remaining 0 packets
>>> p
(<Results: TCP:4 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> ans,unans=_
>>> ans.summary()
IP / TCP :666 > :ssh S ==> IP / TCP :ssh > :666 SA / Padding
IP / TCP :666 > :http S ==> IP / TCP :http > :666 SA / Padding
IP / TCP :666 > :ftp S ==> IP / TCP :ftp > :666 RA / Padding
IP / TCP :666 > :https S ==> IP / TCP :https > :666 RA / Padding
>>>
Reading the result: ssh and http answered SA (open), ftp and https answered RA (closed); a port with no answer would show up in unans (filtered). Note that the local kernel knows nothing about Scapy's SYN, so when the SYN/ACK arrives it sends its own RST, which is what tears the half-open connection down; if you firewall those RSTs to hide the scan, the target keeps half-open connections in its backlog.
TCP ACK flag sent after SYN flag
>>> p=sr(IP(dst= )/TCP(sport=888,dport=[21,22,80,443],flags='A'))
Begin emission:
.***Finished to send 4 packets.
*
Received 5 packets, got 4 answers, remaining 0 packets
>>> p
(<Results: TCP:4 UDP:0 ICMP:0 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> ans,unans=_
>>> ans.summary()
IP / TCP :888 > :ftp A ==> IP / TCP :ftp > :888 R / Padding
IP / TCP :888 > :ssh A ==> IP / TCP :ssh > :888 R / Padding
IP / TCP :888 > :http A ==> IP / TCP :http > :888 R / Padding
IP / TCP :888 > :https A ==> IP / TCP :https > :888 R / Padding
>>>
Notice the A (ACK) flag on the sent packet and the R (RST) flag on every response, why? An ACK is only expected inside an established connection (after the SYN/ACK); a stray ACK matches no connection, so RFC 793 requires a RST whether the port is open (ssh, http) or closed (ftp, https). An ACK scan therefore cannot find open ports, but it does show which ports a stateful firewall lets through: a RST means "unfiltered", silence or an ICMP unreachable means "filtered".
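Turning the summary lines above into port states, as an added example that is not part of the lecture's code: the classifier applies the rules nmap uses for SYN, ACK, window and FIN/Null/Xmas probes, and the line parser reads Scapy's ans.summary() format. The embedded summary lines are the ones from the SYN and ACK scans above (addresses are elided there, so they are elided here too); any other input is constructed.

```python
import re

# Added example (not from the slides): classify TCP scan responses the way
# nmap does, and parse Scapy's ans.summary() lines to feed the classifier.

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}
UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}   # ICMP type 3 codes nmap reports as "filtered"


def flag_set(flags: str) -> set:
    unknown = set(flags) - set(FLAG_BITS)
    if unknown:
        raise ValueError("unknown TCP flag letters %r" % unknown)
    return set(flags)


def classify(probe: str, response) -> str:
    """probe: 'syn', 'ack', 'window', 'fin', 'null' or 'xmas'.
    response: None (timeout), ('tcp', flags, window) or ('icmp', type, code)."""
    if response is None:
        return "open|filtered" if probe in ("fin", "null", "xmas") else "filtered"
    if response[0] == "icmp":
        _, itype, icode = response
        return "filtered" if itype == 3 and icode in UNREACH_FILTERED else "unexpected"
    _, flags, window = response
    f = flag_set(flags)
    if probe == "syn":
        if {"S", "A"} <= f:
            return "open"            # SYN/ACK: a listener answered the handshake
        if "R" in f:
            return "closed"          # RST/ACK: nothing listening
        return "unexpected"
    if "R" not in f:
        return "unexpected"          # every other probe type expects RST or silence
    if probe == "ack":
        return "unfiltered"          # RFC 793: RST to a stray ACK whether open or closed
    if probe == "window":
        return "open" if window > 0 else "closed"
    return "closed"                  # fin/null/xmas: only closed ports send RST


SUMMARY_RE = re.compile(r"TCP (\S+) > (\S+) ([FSRPAUEC]+)")


def parse_summary_line(line: str):
    """'IP / TCP :666 > :ssh S ==> IP / TCP :ssh > :666 SA / Padding' -> ('ssh', 'S', 'SA')"""
    sent, _, got = line.partition("==>")
    m_sent, m_got = SUMMARY_RE.search(sent), SUMMARY_RE.search(got)
    if not m_sent or not m_got:
        raise ValueError("cannot parse: %r" % line)
    dport = m_sent.group(2).rsplit(":", 1)[-1]   # works with or without an address before the colon
    return dport, m_sent.group(3), m_got.group(3)


def scan_states(lines, probe: str) -> dict:
    """Port -> state for probes whose verdict needs only the response flags (syn, ack, fin, null, xmas)."""
    states = {}
    for line in lines:
        dport, _sent_flags, got_flags = parse_summary_line(line)
        states[dport] = classify(probe, ("tcp", got_flags, 0))
    return states


SYN_SCAN_OUTPUT = [   # from the SYN scan slide
    "IP / TCP :666 > :ssh S ==> IP / TCP :ssh > :666 SA / Padding",
    "IP / TCP :666 > :http S ==> IP / TCP :http > :666 SA / Padding",
    "IP / TCP :666 > :ftp S ==> IP / TCP :ftp > :666 RA / Padding",
    "IP / TCP :666 > :https S ==> IP / TCP :https > :666 RA / Padding",
]
ACK_SCAN_OUTPUT = [   # from the ACK scan slide
    "IP / TCP :888 > :ftp A ==> IP / TCP :ftp > :888 R / Padding",
    "IP / TCP :888 > :ssh A ==> IP / TCP :ssh > :888 R / Padding",
]

if __name__ == "__main__":
    print(scan_states(SYN_SCAN_OUTPUT, "syn"))
    print(scan_states(ACK_SCAN_OUTPUT, "ack"))
    print(classify("window", ("tcp", "R", 4096)), classify("window", ("tcp", "R", 0)))
```

The summary format carries no window size, so the window-scan rule has to be fed the TCP window from the packet itself (ans[i][1][TCP].window in Scapy); scan_states covers the probe types whose verdict depends only on the flags.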
DNS Query
sr1(IP(dst= )/UDP()/DNS(rd=1,qd=DNSQR(qname= )))
dst= = destination IP (the DNS server)
/UDP() = DNS uses UDP (Scapy's UDP() already defaults to port 53)
/DNS = this is a DNS message
rd=1 = recursion desired: ask the server to resolve the name on our behalf
qd=DNSQR(qname= ) = the question section: look up the given name (record type A by default)
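The bytes behind that query and the server's answer, as an added example that is not part of the lecture's code: a builder for the DNS header plus question (with the RD bit), a server-side builder for an A-record answer that uses a compression pointer, and a parser that follows pointers. Names and addresses are made-up test values.

```python
import random
import socket
import struct

# Added example (not from the slides): DNS query and answer messages built and
# parsed by hand, i.e. the wire form of DNS(rd=1, qd=DNSQR(qname=...)).
# Names and addresses below are made-up test values.

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name that may use compression pointers; returns (name, offset after the name)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer (RFC 1035 4.1.4): 14-bit offset into the message
            if end is None:
                end = off + 2                  # the name field ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def build_query(qname: str, txid: int = None, rd: bool = True, qtype: int = QTYPE_A) -> bytes:
    """Header (id, flags, qd=1) followed by one question; rd=True sets the RD bit."""
    if txid is None:
        txid = random.randrange(65536)         # unpredictable id: part of the defence against spoofed answers
    header = struct.pack("!6H", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def build_answer_a(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Server side: echo id and question, set QR and RA, append one A record whose name points at offset 12."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", query[:12])
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!6H", txid, flags | FLAG_QR | FLAG_RA, qd, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == QTYPE_A and rdlen == 4 else rdata
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "questions": questions, "answers": answers}


if __name__ == "__main__":
    q = build_query("www.example.com", txid=0x1234)
    print(parse_message(q))
    print(parse_message(build_answer_a(q, "192.0.2.44")))
```

A resolver accepts an answer only if the transaction id, the source port it used and the question match the outstanding query; with a fixed id and port an attacker on the path, or even off it, can race the real server with a forged answer, which is why the id is drawn at random here.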
Traceroute
>>> traceroute([" "], maxttl=20)
Begin emission:
..*Finished to send 20 packets.
*****************
Received 20 packets, got 18 answers, remaining 2 packets
(per-hop table: one row per TTL, ICMP time-exceeded from each intermediate router, then SA from the target once the probe reaches it)
(<Traceroute: TCP:7 UDP:0 ICMP:11 Other:0>, <Unanswered: TCP:2 UDP:0 ICMP:0 Other:0>)
>>>
Scapy's traceroute() sends one TCP SYN to port 80 per TTL value from 1 to maxttl; the 11 ICMP answers are the routers' time-exceeded messages, the 7 TCP answers are the target's SYN/ACK for the TTLs large enough to reach it.
ARP Scan on A Network
>>> arping(" *")
***Finished to send 256 packets.
*
Received 4 packets, got 4 answers, remaining 252 packets
30:46:9a:83:ab:
:25:64:8b:ed:1a
:26:55:00:fc:fe
d8:9e:3f:b1:29:9b
(<ARPing: TCP:0 UDP:0 ICMP:0 Other:4>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:252>)
arping() sends a who-has request for every address in the range (256 here). Only hosts on the same broadcast domain can answer, but they answer even when ICMP is blocked, which makes ARP the most reliable discovery method on the local segment.
ICMP, TCP, and UDP Ping
ans,unans=sr(IP(dst="172.1.1-254")/ICMP())
ans,unans=sr(IP(dst=" *")/TCP(dport=80,flags='S'))
ans,unans=sr(IP(dst=" *")/UDP(dport=0))
Any answer (echo reply, SYN/ACK or RST, ICMP port unreachable) proves the host is up; the TCP and UDP variants work where ICMP echo is blocked. dport=0 is chosen because it is almost certainly closed, so a live host answers with ICMP port unreachable.
Packet Sniffing
>>> sniff()
CTRL-C (to stop sniffing); you get something like
<Sniffed: TCP:43 UDP:24 ICMP:2 Other:0>
>>> a=_
>>> a.nsummary()
0003 Ether / IP / UDP / DNS Qry daisy.ubuntu.com
Ether / IP / UDP / DNS Qry daisy.ubuntu.com
Ether / IP / UDP / DNS Qry daisy.ubuntu.com
Ether / IP / UDP / DNS Qry daisy.ubuntu.com
Ether / IP / UDP / DNS Qry daisy.ubuntu.com
Ether / IP / UDP / DNS Ans
Ether / IP / UDP / DNS Ans
Ether / IP / UDP / DNS Ans
Ether / IP / UDP / DNS Ans
ICMP traffic through eth0 interface
>>> sniff(iface='eth0', filter='icmp', count=10)
>>> a=_
>>> a.nsummary()
0000 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans
0001 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans
0002 Ether / IP / ICMP > echo-request 0 / Raw
0003 Ether / IP / ICMP > echo-reply 0 / Raw
0004 Ether / IP / ICMP > echo-request 0 / Raw
0005 Ether / IP / ICMP > echo-reply 0 / Raw
0006 Ether / IP / ICMP > echo-request 0 / Raw
0007 Ether / IP / ICMP > echo-reply 0 / Raw
0008 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans wb-in-f103.1e100.net.
0009 Ether / IP / ICMP / IPerror / UDPerror / DNS Ans wb-in-f103.1e100.net.
>>> a[2]
<Ether dst=30:46:9a:83:ab:70 src=00:22:19:e7:90:ae type=0x800 |<IP version=4L ihl=5L tos=0x0 len=84 id=0 flags=DF frag=0L ttl=64 proto=icmp chksum=0xfeaa src= dst=
(filter= takes a BPF expression, the same syntax tcpdump uses; the IPerror/UDPerror entries are ICMP error messages quoting the UDP/DNS packet that triggered them.)
Writing a Python Script
pcap file from tcpdump
Script output
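A script that reads a pcap file written by tcpdump -w without Scapy, as an added example that is not part of the lecture's script and not Scapy's rdpcap(): it parses the classic pcap global header and record headers (both byte orders), decodes Ethernet and IPv4 far enough to summarise each packet, and includes a writer so the whole thing can be exercised on constructed frames. The frames, addresses and timestamps are made up; no checksums are filled in.

```python
import socket
import struct

# Added example (not from the slides, not Scapy's rdpcap): minimal reader and
# writer for the classic pcap format tcpdump -w produces, plus enough
# Ethernet/IPv4 decoding to summarise each record. Frames are constructed.

PCAP_MAGIC = 0xA1B2C3D4            # microsecond-resolution classic pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def write_pcap(records, byte_order: str = "<", linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """records: iterable of (ts_sec, ts_usec, frame). Global header, then one record header per frame."""
    out = struct.pack(byte_order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, linktype)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack(byte_order + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> dict:
    """Byte order comes from the magic number; then walk the record chain, refusing truncated records."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        bo = "<"
    elif magic == 0xD4C3B2A1:
        bo = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt?)")
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(bo + "IHHiIII", data[:24])
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated record at offset %d" % off)
        off += caplen
        packets.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen, "len": origlen, "frame": frame})
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets}


def summarize_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> TCP/UDP ports or ICMP type; other ethertypes are reported as-is."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return {"proto": "ethertype-0x%04x" % ethertype}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    info = {"proto": PROTO_NAMES.get(proto, str(proto)), "src": src, "dst": dst}
    l4 = ip[ihl:]
    if proto in (6, 17):
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1:
        info["icmp_type"] = l4[0]
    return info


def make_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed test frame: Ethernet + IPv4 (checksum left 0) + transport bytes."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


SAMPLE_RECORDS = [   # constructed: a DNS query and an echo request
    (1700000000, 123456, make_frame("10.0.0.5", "10.0.0.1", 17,
                                    struct.pack("!HHHH", 40001, 53, 8 + 17, 0) + b"\x00" * 17)),
    (1700000000, 223456, make_frame("10.0.0.5", "10.0.0.9", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))),
]

if __name__ == "__main__":
    capture = read_pcap(write_pcap(SAMPLE_RECORDS))
    for rec in capture["packets"]:
        print("%.6f" % rec["ts"], summarize_frame(rec["frame"]))
```

Point it at a real file with read_pcap(open("myfile.dump", "rb").read()); files captured with a small snaplen have caplen < len, which is why both values are kept. Modern tcpdump may write pcapng instead, whose magic (0x0A0D0D0A) this reader deliberately rejects.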
nmap
Nmap (Network Mapper) is an open source tool for network discovery and security auditing. It uses raw network packets to determine what hosts are available on a network, what services (application name and version) they offer, what operating systems and OS versions they run, what type of packet filters/firewalls are in use, and many more things.
Single Target Scanning
## Scan a single IP address ##
nmap 
## Scan a host name ##
nmap 
## Scan a host name with more info (verbose) ##
nmap -v myhost.ieu.edu.tr
Multiple Target Scanning
nmap  
nmap  ,2,3   (several hosts in one subnet, comma-separated last octets)
## You can scan a range of IP addresses:
nmap 
## IP address range using a wildcard:
nmap  *
## Read list of hosts/networks from a file:
nmap -iL ./hosts.txt
More Nmap Commands
## Detect OS and OS version (-A is "aggressive": OS detection, version detection, default scripts and traceroute) ##
nmap -A 192.168.1.254
nmap -v -A 
nmap -A -iL /tmp/scanlist.txt
## Is a host/network protected by a (stateful) firewall? ACK scan ##
nmap -sA 
## Scan it when protected by the firewall: skip host discovery and treat the host as up ##
nmap -Pn   (older releases spell this -PN)
More Nmap Commands
## Host discovery or ping scan, no port scan (-sP is the old name; current releases call it -sn) ##
nmap -sP /24
## Perform a fast scan (the 100 most common ports) ##
nmap -F 
## Show only open ports ##
nmap --open 
## Show all packets sent and received ##
nmap --packet-trace 
## Show host interfaces and routes ##
nmap --iflist
Scan Specific ports
nmap -p [port] hostName
## Scan port 80 ##
nmap -p 80 
## Scan TCP port 80 ##
nmap -p T:80 
## Scan UDP port 53 ##
nmap -p U:53 
## Scan two ports ##
nmap -p 80, 
## Scan port ranges ##
nmap -p 
Scan Specific ports
## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139, 
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139, 
(U: ports are only probed when a UDP scan, -sU, is requested; T: ports use the TCP scan type chosen, here -sT.)
## Scan all ports with the * wildcard (quote it so the shell does not expand it; -p- is the usual short form) ##
nmap -p "*" 
## Scan the N most common ports ##
nmap --top-ports 
Host Discovery (1)
## host discovery or ping scan:
nmap -sP /24
Host  is up ( s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host  is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host  is up.
Host nas03 ( ) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 seconds
MAC addresses are shown because the scan ran on the local segment (ARP); the vendor name comes from the OUI prefix.
Host Discovery (2)
nmap -O 192.168.1.1
nmap -O --osscan-guess 
nmap -v -O --osscan-guess 
Starting Nmap 5.00 ( ) at  :29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning  [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning  [1000 ports]
Discovered open port 80/tcp on 
Discovered open port 22/tcp on 
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 
Retrying OS detection (try #2) against 
Retrying OS detection (try #3) against 
Retrying OS detection (try #4) against 
Retrying OS detection (try #5) against 
Host  is up ( s latency).
Interesting ports on :
Not shown: 998 closed ports
Host Discovery (3)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux ) (95%), OpenWrt (Linux ) (94%), OpenWrt Kamikaze 7.09 (Linux ) (94%), Linux (likely embedded) (92%), Linux (embedded) (92%), Linux (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux (91%), Linux (90%)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess:  days (since Wed Nov 14 01:44: )
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in  seconds
Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)
The fingerprint block records the raw responses to nmap's probe groups (SEQ, OPS, WIN, ECN, T1-T7, U1, IE), which are matched against nmap-os-db; the sequence-prediction difficulty and the all-zero IP ID generation are themselves hints about the stack.
Nping
Nping is an open source tool for network packet generation, response analysis and response time measurement. It can generate packets for a wide range of protocols, giving the user full control over the protocol headers.
Syntax: nping [Probe mode] [Options] {target specification}
Example: nping blabla.com.tr
Starting Nping ( ) at  :27 CEST
SENT (0.1879s) ICMP  >  Echo request (type=8/code=0) ttl=64 id=53514 iplen=28
SENT (1.1890s) ICMP  >  Echo request (type=8/code=0) ttl=64 id=53514 iplen=28
SENT (2.1901s) ICMP  >  Echo request (type=8/code=0) ttl=64 id=53514 iplen=28
(Without a probe mode nping defaults to ICMP echo, one probe per second, five probes in total.)
Nping Modes/TCP Probe Modes
Nping Modes/UDP & ICMP Probe Modes
Nping Modes/ARP & IPv4 Probe Modes
Nping Modes/Echo Client/server Probe Modes
Nping Output
Nping Using TCP Flags
nping --tcp -p 80 --flags rst -c 3 aldeid.com
nping --tcp -p 80 --flags syn -c 3 aldeid.com
nping --tcp -p 80 --flags ack -c 3 aldeid.com
(--tcp selects TCP probe mode, -p the destination port, --flags the flag set, -c the number of probes. An open port answers the syn probe with SYN/ACK; a RST to the ack probe shows the port is unfiltered; a rst probe normally gets no reply at all.)
Nping Echo Client/Server
nping --echo-server pass123 -e eth0 -vvv
nping --echo-client pass123 <echo server> --tcp -p <port> --flags ack
Echo mode lets the client see how each probe looked when it reached the server, so changes made by a NAT or firewall on the path become visible. Client and server must share the passphrase, and the client is pointed at the server's address.
tcpdump
tcpdump captures packets of network traffic on a given network interface.
It uses command line arguments for selecting specific destinations, sources, protocols, etc.
It can also read the filter expression from a file (-F file).
Filters are used to restrict analysis to packets of interest.
The output from tcpdump is called a dump.
Example Dump
Ran tcpdump on the machine xanadu.ieu.edu.tr. First few lines of the output:
01:46: IP xanadu.ieu.edu.tr.ssh > adsl dsl.pltn13.pacbell.net.2481: : (1380) ack win 12816
01:46: IP xanadu.ieu.edu.tr.ssh > adsl dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46: IP xanadu.ieu.edu.tr.ssh > adsl dsl.pltn13.pacbell.net.2481: :3508(1380) ack 1 win 12816
01:46: IP adsl dsl.pltn13.pacbell.net.2481 > xanadu.ieu.edu.tr.ssh: P 1:49(48) ack 1380 win 16560
Closer look at a tcpdump line
01:46: IP xanadu.ieu.edu.tr.ssh > adsl dsl.pltn13.pacbell.net.2481: : (1380) ack win 12816
From left to right: the timestamp (hh:mm:ss.microseconds); the network protocol (IP); source host and port (xanadu.ieu.edu.tr.ssh, port 22 shown by its service name); ">" pointing at the destination host and port (... .2481); then the TCP details: the flags ("." none, P = PSH, S = SYN, F = FIN, R = RST), the sequence number range first:last(bytes) of the data carried, the acknowledgement number (ack) and the advertised receive window (win 12816). Use -n to print numeric addresses and ports instead of resolved names, and -S to see absolute rather than relative sequence numbers.
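A parser for such lines, as an added example that is not part of the lecture material: it handles the older flag style shown above ("P 1380:2128(748) ack 1 win 12816") and the style tcpdump 4.x prints ("Flags [P.], seq 1380:2128, ack 1, win 12816, length 748"), and then sums payload bytes per direction, which is how you spot which side of an SSH session is doing the talking. The sample lines are constructed with made-up hosts in the layout of the dump above.

```python
import re

# Added example (not from the slides): parse tcpdump's one-line TCP summaries.
# OLD_STYLE matches the format on the slides, NEW_STYLE the format of
# tcpdump 4.x. Sample lines are constructed with made-up hosts.

OLD_STYLE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>[^.\s:]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s:]+): (?P<flags>[SFRPWE.]+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?")

NEW_STYLE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+?)\.(?P<sport>[^.\s:]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s:]+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?(?:, options \[[^\]]*\])?(?:, length (?P<len>\d+))?")

FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", "W": "CWR", "E": "ECE"}


def parse_tcpdump_line(line: str) -> dict:
    m = NEW_STYLE.match(line)
    new_style = m is not None
    if m is None:
        m = OLD_STYLE.match(line)
    if m is None:
        raise ValueError("unrecognised line: %r" % line)
    d = m.groupdict()
    flags = {FLAG_NAMES[c] for c in d["flags"] if c in FLAG_NAMES}
    # '.' means ACK in the new style; the old style signals ACK by printing "ack N"
    if (new_style and "." in d["flags"]) or (not new_style and d["ack"] is not None):
        flags.add("ACK")
    for key in ("seq", "seq_end", "ack", "win", "len"):
        d[key] = int(d[key]) if d[key] is not None else None
    if d["len"] is None and d["seq"] is not None and d["seq_end"] is not None:
        d["len"] = d["seq_end"] - d["seq"]
    d["flags"] = flags
    return d


def bytes_per_direction(lines) -> dict:
    """Sum payload bytes per (src.port > dst.port) flow direction."""
    totals = {}
    for line in lines:
        p = parse_tcpdump_line(line)
        key = "%s.%s > %s.%s" % (p["src"], p["sport"], p["dst"], p["dport"])
        totals[key] = totals.get(key, 0) + (p["len"] or 0)
    return totals


SAMPLE_LINES = [   # constructed, in the layout of the slide's dump plus one tcpdump 4.x line
    "01:46:28.310021 IP server.example.edu.ssh > client.example.net.2481: . 1:1381(1380) ack 1 win 12816",
    "01:46:28.310120 IP server.example.edu.ssh > client.example.net.2481: P 1381:2129(748) ack 1 win 12816",
    "01:46:28.310315 IP server.example.edu.ssh > client.example.net.2481: . 2129:3509(1380) ack 1 win 12816",
    "01:46:28.412007 IP client.example.net.2481 > server.example.edu.ssh: P 1:49(48) ack 1381 win 16560",
    "01:46:29.000000 IP client.example.net.2482 > server.example.edu.ssh: Flags [S], seq 100, win 64240, options [mss 1460], length 0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_tcpdump_line(line))
    print(bytes_per_direction(SAMPLE_LINES))
```

Feed it real output with tcpdump -n -tt ... | python3 script.py if you add a stdin loop; -n keeps the host fields numeric so the lazy "host.port" split cannot be confused by resolved names containing odd characters.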
tcpdump [options] [filter expression]
Command line use. Syntax: tcpdump [options] [filter expression]
tcpdump tcp port 22
tcpdump -A -c 5 dst xanadu.ieu.edu.tr
Depending on the kind of traffic, make some general observations: sources, destinations, kinds of traffic, DNS requests, etc. Without a filter there is far too much output, which is what the filter expression is for.
Simple Filters-I
Use filters to capture only packets of interest.
Example: capture only packets of a given protocol
tcpdump udp
tcpdump tcp
tcpdump ip
tcpdump icmp
tcpdump arp
Refer to the tcpdump (pcap-filter) manual for writing filters.
Filters-II
Capture only UDP packets with destination port 53 (DNS requests):
tcpdump udp dst port 53
Capture only UDP packets with source port 53 (DNS replies):
tcpdump udp src port 53
Capture only UDP packets with source or destination port 53 (DNS requests and replies):
tcpdump udp port 53
Filters-III
Capture only packets destined to xanadu.ieu.edu.tr:
tcpdump dst host xanadu.ieu.edu.tr
Capture both DNS packets and TCP packets to/from xanadu.ieu.edu.tr (the parentheses must be quoted, otherwise the shell interprets them):
tcpdump '(tcp and host xanadu.ieu.edu.tr) or udp port 53'
Ping xanadu.ieu.edu.tr while this runs: the ICMP packets match neither branch and are not shown. Demonstrates the use of "or".
Write the raw capture to a file, then read it back:
tcpdump -w myfile.dump -i eth0
tcpdump -r myfile.dump
Size filters (less = at most N bytes, greater = at least N bytes):
tcpdump less  -w less.dump
tcpdump -i eth0 greater 2048
Writing Filters
Specifying the hosts we are interested in:
dst host <name/IP>
src host <name/IP>
host <name/IP> (either source or destination is name/IP)
Specifying the ports we are interested in:
dst port <number>
src port <number>
port <number>
Port filters make sense only for TCP and UDP packets (they are simply false for ICMP or ARP).
Combining Filters
Options: and (&&), or (||), not (!)
Example: all TCP packets which are not from or to host xanadu.ieu.edu.tr
tcpdump tcp and not host xanadu.ieu.edu.tr
(tcp and ! host ... means the same, but "!", "&&" and "||" also mean something to the shell, so quote the whole expression or use the word forms.)
man tcpdump and man pcap-filter give more examples.
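The boolean logic of these filters, made executable as an added example that is not part of the lecture material and is not libpcap's compiler: a small interpreter for the subset of the pcap-filter syntax used on these slides (host and port with src/dst qualifiers, protocol names, less/greater, and/or/not, parentheses, and juxtaposition meaning "and"), evaluated against already-decoded packet records so a filter can be checked offline before it is put on a live interface. The packets are constructed.

```python
import re

# Added example (not from the slides, not libpcap): an interpreter for a
# subset of tcpdump's filter language, run against decoded packet records.
# The packet records at the bottom are constructed test data.

PROTOS = {"tcp", "udp", "icmp", "arp", "ip"}
IP_PROTOS = {"tcp", "udp", "icmp"}


def tokenize(expr: str):
    return re.findall(r"\(|\)|\|\||&&|!|[^\s()]+", expr)


class Filter:
    """expr := term ('or' term)* ; term := factor ('and'? factor)* ; factor := 'not' factor | '(' expr ')' | primitive"""

    def __init__(self, expr: str):
        self.toks, self.pos = tokenize(expr), 0
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        if self.pos >= len(self.toks):
            raise ValueError("filter ends unexpectedly")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self):
        node = self._term()
        while self._peek() in ("or", "||"):
            self._next()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while True:
            nxt = self._peek()
            if nxt in ("and", "&&"):
                self._next()
                node = ("and", node, self._factor())
            elif nxt is not None and nxt not in ("or", "||", ")"):
                node = ("and", node, self._factor())     # juxtaposition ("host x port 22") means 'and'
            else:
                return node

    def _factor(self):
        tok = self._next()
        if tok in ("not", "!"):
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        return self._primitive(tok)

    def _primitive(self, tok):
        proto = None
        if tok in PROTOS:                                # bare 'tcp', or a qualifier as in 'udp dst port 53'
            if self._peek() not in ("src", "dst", "host", "port"):
                return ("proto", tok)
            proto, tok = tok, self._next()
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._next()
        if tok in ("host", "port"):
            value = self._next()
            return ("match", proto, direction, tok, int(value) if tok == "port" else value)
        if tok in ("less", "greater"):
            return (tok, int(self._next()))
        raise ValueError("unknown primitive %r" % tok)

    def matches(self, pkt: dict) -> bool:
        return _eval(self.ast, pkt)


def _proto_ok(proto, pkt):
    return pkt["proto"] in IP_PROTOS if proto == "ip" else pkt["proto"] == proto


def _eval(node, pkt):
    op = node[0]
    if op == "and":
        return _eval(node[1], pkt) and _eval(node[2], pkt)
    if op == "or":
        return _eval(node[1], pkt) or _eval(node[2], pkt)
    if op == "not":
        return not _eval(node[1], pkt)
    if op == "proto":
        return _proto_ok(node[1], pkt)
    if op == "less":                                     # pcap-filter: length <= N
        return pkt["len"] <= node[1]
    if op == "greater":                                  # pcap-filter: length >= N
        return pkt["len"] >= node[1]
    _, proto, direction, kind, value = node
    if proto and not _proto_ok(proto, pkt):
        return False
    ends = ({"src": pkt.get("src"), "dst": pkt.get("dst")} if kind == "host"
            else {"src": pkt.get("sport"), "dst": pkt.get("dport")})
    return ends[direction] == value if direction else value in ends.values()


def apply_filter(expr: str, pkts) -> list:
    f = Filter(expr)
    return [f.matches(p) for p in pkts]


PACKETS = [   # constructed decoded packets: SSH data, a DNS query, a ping, an ARP request
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 22, "dport": 2481, "len": 1434},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 40001, "dport": 53, "len": 70},
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.5", "len": 84},
    {"proto": "arp", "src": "10.0.0.5", "dst": "10.0.0.1", "len": 42},
]

if __name__ == "__main__":
    for expr in ("tcp and not host 10.0.0.1", "udp port 53", "(tcp and host 10.0.0.9) or udp port 53"):
        print(expr, "->", apply_filter(expr, PACKETS))
```

Note the precedence: "and" binds tighter than "or", so tcp and host A or udp port 53 is (tcp and host A) or (udp port 53); write the parentheses anyway when a filter goes into a runbook or an IDS rule, because the reader has to parse it too.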
Some Useful Options
-n  Don't convert host addresses (and ports) to names. Avoids DNS lookups, which saves time and keeps the capture from generating traffic of its own.
-w <filename>  Write the raw packets to the specified file instead of parsing and printing them.
-r <filename>  Read packets from the specified file instead of capturing live.
-q  Quiet output: prints less information per output line.
-s 0  Snapshot length: capture whole packets rather than only the first bytes (recent tcpdump versions already default to 262144 bytes, so this matters mainly with older builds).
-A  Print each packet in ASCII; useful when capturing web pages. -X prints hex and ASCII side by side.
-v, -vv, -vvv  Increasingly verbose output: TTL, IP id, checksum verification, and so on.
Some Wireshark Filters - I
Some Wireshark Filters - II
Wireshark Filter Protocols
IP Packet Header
Wireshark IP Filters
Wireshark IP Filter Examples
TCP Packet header
Wireshark TCP Filters
Wireshark TCP Filters
UDP Packet Header
Wireshark UDP Filter Examples
Wireshark UDP Filters
Protocols in the IP Header
More on Scanning
How does it differ from footprinting (reconnaissance)? Footprinting did not necessarily attempt to access the target systems directly; scanning is the direct examination of the target systems:
- Determine if a system is alive (network ping sweep)
- Determine which services are up
- Determine OS type/version
- Determine protocol stack versions
Determining if system is alive
- Purpose: find out which IP addresses have live hosts on them; there is no point in a detailed examination of an empty address
- Network ping sweep techniques: ARP host discovery; ICMP host discovery (OS utilities, network discovery tools); TCP/UDP host discovery
ARP Host discovery - 1
- Address Resolution Protocol
Works on top of layer 2, beside the network layer, and has its own Ethertype value (0x0806)
Needed for "plug-and-play" autoconfiguration and mobility
The request is broadcast to all hosts on the LAN; the host with the matching address is required to respond
The attacker needs to be on the same LAN (ARP is not routed)
ARP Host discovery - 2
- Nmap by Fyodor (nmap.org)
De facto tool of choice; works on Linux, Windows, Mac; does much more than ARP scanning
ARP scan through the -PR <CIDR address> option; turn off the port scan with -sn
Reports IP address, MAC address, the OUI's vendor name, and latency
- CAIN (oxid.it/cain.html): Windows, GUI-based tool
- Limitation of ARP scanning: targets on distant network segments cannot be reached
CAIN
ICMP Host discovery - 1
- Internet Control Message Protocol (ICMP) intended uses: diagnostics and troubleshooting, which the internet needs; ICMP is used for diagnostics, error reporting, management, etc.
- Some ICMP messages:
Echo request/reply (ping)
Destination unreachable
Source quench (now deprecated)
Redirect
Time exceeded (TTL reached 0)
Timestamp request/reply (used in enumeration)
Information request/reply
Address mask request/reply (used in enumeration)
ICMP Host discovery - 2
- The OS ping utility uses ICMP echo request/reply messages: a host that receives a request must reply
- Can also be abused in the smurf attack (echo requests to a broadcast address with the victim's address as spoofed source)
- A host may be configured not to respond to echo requests, but may still respond to other ICMP messages (timestamp, address mask)
Network discovery tools - 1
- Nmap: besides an ICMP ping sweep it also does ARP sweeps and TCP pings
Limit activity (to avoid detection by an IDS) using -sn (no port scan), -PE (echo request only) and --send-ip (no ARP scan); if the target is on a different subnet, --send-ip is not needed
Individual and CIDR subnet addressing
Gives the responding host's IP, MAC, OUI name and latency
Has the -PM option for address mask requests and -PP for timestamp requests, for hosts configured to ignore ECHO REQUEST messages
Network discovery tools - 2
- hping3 and nping: very flexible tools; select flags and message types, spoof the source address (IP and MAC), set the number of messages to send; nping ships with nmap
- SuperScan: Windows tool, free from Foundstone; fast ping sweep; GUI with options for echo request, timestamp, address mask and information request messages; also supports UDP and TCP port scans and more; can give HTML output
TCP/UDP Host discovery - 1
- Especially useful when ICMP responses are limited
- Servers provide services over the network: they must be able to take clients, so some port is open through the firewall
- May have to probe multiple ports to find an open service; any response (SYN/ACK, RST or ICMP error) indicates the host is alive; more probing = higher visibility to an IDS
- Local hosts (not servers) may also have services: file sharing, remote desktop, management tools; they often have a local firewall
TCP/UDP Host discovery - 2
- nmap: the default host discovery behind -sn already includes TCP probes (SYN to port 443, ACK to port 80) next to ICMP; -Pn skips host discovery altogether and runs the port scan (1000 common ports by default) against every address; -p <portnumber> specifies one particular port; --open suppresses hosts and ports that do not respond as open
- nping: also provides a port scan option; output is noisier
- SuperScan: also provides options to probe particular ports or port ranges; can take a file with a list of IP addresses to scan
Determining services that are up
- Port scanning: send packets to TCP and UDP ports to find listening servers
Find live hosts
Determine which services are open
Help identify OS type and version
Identify specific applications/versions of a particular service
Scan Types - 1
- TCP connect scan: completes the 3-way handshake; takes longer and is logged by the application; can be run as a regular user (no raw sockets needed)
- TCP SYN scan (half-open scan): sends SYN, waits for SYN/ACK; SYN/ACK = open, RST = not open (usually); stealthier, but needs raw sockets; a flood of half-open connections can exhaust the target's backlog (DoS)
- TCP FIN scan: sends FIN; a closed port should answer RST and an open one stays silent (RFC 793); usually works on Unix-based stacks, while Windows answers RST regardless of port state
Scan Types - 2
- TCP Xmas tree scan: sends a TCP packet with FIN, URG and PUSH set; should receive RST on closed ports
- TCP Null scan: sends a TCP segment with no flags set; same response rules as the FIN scan
- TCP ACK scan: sends a packet with ACK set; helps determine firewall policies and capabilities
- TCP Window scan: looks at how the receive window (rwnd) is set in the RST that answers an ACK segment
- TCP RPC scan
- UDP scan
Scan Types - 3
- TCP RPC scan: many Unix systems implement a portmapper, used with RPC/RMI to find services; a server registers its service with the portmapper (with program/version), a client contacts the portmapper to request the service and gets the port number
- UDP scan: connectionless; the target sends an ICMP "port unreachable" message if nothing is listening; the port may be open if no error message is received (open|filtered)
Window Scan Operation - 1
A RST response from a closed port carries a window size of zero:
# nmap -v -sW 
[ ] [ ] TCP: D=25 S=62405 ACK=0 WIN=2048
[ ] [ ] TCP: D=62405 S=25 RST WIN=0
Window Scan Operation - 2
When an open port is sent an ACK frame, the destination station also responds with a RST, but on some stacks the window size is non-zero, meaning that the destination is using this port (port is open):
# nmap -v -sW 
[ ] [ ] TCP: D=23 S=62405 ACK=0 WIN=3072
[ ] [ ] TCP: D=62405 S=23 RST WIN=4096
Caveat: most modern stacks put a zero window in every RST, so a window scan then reports all ports as closed; it only works against the minority of systems with this implementation detail.
Identifying Services - 1
- TCP SYN port scan using nmap
Use the -sS option
Use -oN <file> to save human readable output, -oG <file> for the grepable (tab-delimited) version, -oX <file> for XML; -oA saves all formats at once
Lists open ports with nominal services
-f option fragments the probe packets: some firewalls will not reassemble fragments and just pass the packet; it may also make it harder for an IDS to detect the scan
-D option provides decoy source addresses: burdens the target with having to track down all the scans; take care to use real, live IP addresses, otherwise the decoy SYNs are never reset and the target is effectively SYN-flooded
-b option uses FTP bounce scanning: older FTP servers (via the PORT command) reflect the connections to a third host
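The -oG output mentioned above is the format meant for post-processing, and reading it is the usual next step after a scan; the following reader is an added example, not nmap's own tooling. The sample is a constructed file image with made-up addresses in the layout nmap writes: one "Host: addr (name)" line per host with tab-separated "Key: value" sections, and each port entry as port/state/protocol/owner/service/rpcinfo/version/.

```python
# Added example (not from the slides, not part of nmap): parse nmap's
# grepable output (-oG). SAMPLE_GNMAP is a constructed file image.

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (999)
# Nmap done at Mon Jan  1 10:00:42 2024 -- 256 IP addresses (2 hosts up) scanned in 42.00 seconds
"""


def parse_port_entry(entry: str) -> dict:
    """'22/open/tcp//ssh//OpenSSH 8.9p1/' -> fields; nmap writes '|' for any '/' inside a field."""
    fields = entry.strip().split("/")
    if len(fields) < 7:
        raise ValueError("bad port entry %r" % entry)
    return {"port": int(fields[0]), "state": fields[1], "proto": fields[2],
            "service": fields[4], "version": fields[6]}


def parse_gnmap(text: str) -> dict:
    """Returns {address: {"hostname": str, "status": str or None, "ports": [port dicts]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment lines start with '#'
        sections = dict(chunk.split(": ", 1) for chunk in line.split("\t"))
        addr, _, rest = sections["Host"].partition(" ")
        hostname = rest.strip("()").strip()            # '()' when reverse DNS gave nothing
        entry = hosts.setdefault(addr, {"hostname": hostname, "status": None, "ports": []})
        if "Status" in sections:
            entry["status"] = sections["Status"]
        if "Ports" in sections:
            entry["ports"].extend(parse_port_entry(p) for p in sections["Ports"].split(","))
    return hosts


def open_ports(hosts: dict) -> dict:
    """{address: sorted port numbers in state 'open'} for hosts that have at least one."""
    result = {}
    for addr, info in hosts.items():
        opened = sorted(p["port"] for p in info["ports"] if p["state"] == "open")
        if opened:
            result[addr] = opened
    return result


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(open_ports(scan))
    for addr, info in scan.items():
        for p in info["ports"]:
            print(addr, p["port"], p["state"], p["service"], p["version"])
```

Diffing open_ports() between two scans of the same range is the simplest form of change detection for a network you administer; for anything richer (script output, OS guesses) parse -oX instead, which has a schema.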
Identifying Services - 2
- SuperScan (Foundstone.com): Windows/GUI-based alternative to nmap; port scans in addition to ICMP and ARP scans; select the port or port range to scan, and the protocol; special techniques for TCP and UDP: the UDP data+ICMP method sends multiple UDP packets to a port and may overwhelm the target's ICMP response capability; very accurate, but slow
- ScanLine: Windows command-line tool (also Foundstone); a single executable, so easier to load onto a compromised system; many options
- Netcat: older command-line tool that reads and writes data across network connections using TCP or UDP
Detecting the OS - 1
https://nmap.org/nmap-fingerprinting-article.txt
- Banner grabbing: a banner grabber connects to an open TCP port and prints out anything sent by the listening service
nmap -sS -sV -p 80 -v -n -Pn --script banner dst-IP
- Available ports signature: some systems use particular ports for services
- Active stack fingerprinting: responses to probes are implementation dependent; multiple types of probes are used to narrow the field (see the article above)
Banner grabbing nmap -sS -sV -p 80 -v -n -Pn --script banner xx.xx.xx.xx
Active Stack Fingerprinting Probes
Detecting the OS - 2
- FIN probe: correct not to respond, but some stacks send FIN/ACK
- Bogus flag probe (in a SYN packet): correct to ignore, but some stacks echo the flag in the SYN/ACK
- Initial Sequence Number (ISN) sampling: the pattern of ISNs across connections depends on the OS
- DF bit monitoring: some OSes set DF in the IP header to improve performance
- TCP initial window size: some systems have a characteristic initial rwnd; note that rwnd indicates buffer space at the receiver and is set by the OS
- ACK value: may use the last SN (less common) or last SN+1 (usual)
Detecting the OS - 3
- ICMP error message quenching: systems may limit the number of ICMP error messages (RFC 1812); send UDP packets to random ports and measure the rate of ICMP port unreachable messages
- ICMP message quoting: ICMP error messages include some initial portion of the offending datagram; the amount of data included varies by system
- ICMP error message-echoing integrity: some systems change the IP headers quoted in ICMP error messages
- TOS on ICMP port unreachable messages: usually TOS=0, but may vary
- Fragmentation handling: observe how probe packets with overlapping fragments are reassembled
- TCP options: which options are supported (e.g. RFC 793 only, or RFC 1323 as well) varies
Detecting the OS - 4: Passive OS Detection
- Less obtrusive than active OS fingerprinting
- Monitor traffic to/from the target; requires a favourable position (on the path, or a span port)
- Passive signatures: TTL on outbound datagrams; initial window size (rwnd); DF (don't fragment) bit set?
- Siphon tool (packetstormsecurity.org)