null Pune meet - Understanding TCP/IP and Network Intrusion – By Murtuja Bharmal
http://null.co.in
2. Overview <ul><li>The TCP/IP Stack.</li><li>The Link Layer (L2).</li><li>The Network Layer (L3).</li><li>The Transport Layer (L4).</li><li>Port scanning and OS/application detection techniques.</li><li>Evasion and intrusion techniques.</li><li>The tools.</li></ul>
3. The TCP/IP Stack
4. The TCP/IP Stack <ul><li>Each OS vendor has a different implementation of the TCP/IP stack.</li><li>Each layer of an OS's TCP/IP stack exhibits a different behaviour.</li><li>Properties of the TCP/IP stack can be used for OS and hardware detection, port scanning, intrusion and evasion.</li></ul>
5. The Link Layer (L2) <ul><li>An L2 frame carries the MAC addresses of the source and destination machines.</li><li>A MAC address has 6 bytes. Its first 3 bytes are the Organizationally Unique Identifier (OUI).</li><li>OUIs are unique to the manufacturers of network cards.</li><li>In the MAC address “00-08-74-4C-7F-1D”, the OUI “00-08-74” is assigned to Dell Computer Corp.</li></ul>
6. Network Layer (L3): IPv4 header layout
7. Network Layer (L3) <ul><li>The initial TTL values observed for various OSs are: Windows = 128, Linux = 64 and AIX = 255.</li><li>The IP layer supports fragmentation.</li><li>The “Don't Fragment” (DF) flag is set in some responses from Windows machines and not set in those from Linux machines.</li><li>The IP Identification (IPID) field is used in a special port scanning technique called the Idle or Zombie scan.</li></ul>
8. TCP (L4): TCP header layout
9. TCP Layer (L4) <ul><li>TCP uses a 3-way handshake protocol:<ul><li>SYN -></li><li><- SYN/ACK</li><li>ACK -></li></ul></li><li>Different combinations of the SYN, ACK and FIN flags bring out different behaviour from different OSs.</li></ul>
10. TCP Layer (L4) <ul><li>The initial sequence number (ISN) differs between OSs.</li><li>Checking the window size of returned packets helps identify AIX (0x3F25) and Windows and BSD (0x402E) systems.</li><li>The ACK value in the response to a FIN is used to identify some Windows versions.</li></ul>
11. TCP Layer (L4) <ul><li>TCP options are optional.</li><li>Still, every OS sends out a different set, values and ordering of: Window Scale (W), NOP (N), Maximum Segment Size (M), Timestamp (T) and End of Option List (E).</li><li>The TCP options echoed vary by OS; for example Solaris = “NNTNWME”, Linux = “MENNTNW”.</li></ul>
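Added example (not part of the slides) showing how the L3/L4 fields from slides 7, 10 and 11 are pulled out of a captured packet: the TTL is rounded up to the nearest initial value the slides quote, and the TCP options are encoded in the slides' letter notation. The packet is constructed inline (AIX-style TTL and window, Solaris-style option order); the 64/128/255 table and the option letters are assumptions taken from the slides, not a full fingerprint database.

```python
import struct

# Initial TTLs quoted on the slides (Linux 64, Windows 128, AIX 255). An observed
# TTL is rounded up to the nearest one to estimate the sender's starting value.
INITIAL_TTLS = (64, 128, 255)

# TCP option kind -> letter in the slides' notation: E, N, M, W, T.
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 8: "T"}

def guess_initial_ttl(observed):
    return next((t for t in INITIAL_TTLS if observed <= t), None)

def tcp_option_string(options):
    """Encode raw TCP option bytes as a letter string, e.g. MSS+NOP+NOP -> 'MNN'."""
    letters, i = [], 0
    while i < len(options):
        kind = options[i]
        letters.append(OPTION_LETTERS.get(kind, "?"))
        if kind == 0:            # End of Option List: only padding follows
            break
        if kind == 1:            # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                # truncated or malformed option: stop, don't loop
        i += options[i + 1]
    return "".join(letters)

def fingerprint(packet):
    """Extract the fields the slides rely on from a raw IPv4+TCP packet (no link layer)."""
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    initial = guess_initial_ttl(ttl)
    return {"ttl": ttl, "initial_ttl": initial, "hops": initial - ttl, "df": df,
            "window": window, "options": tcp_option_string(tcp[20:data_offset])}

# Constructed SYN/ACK: TTL 250 and window 0x3F25 as the slides quote for AIX, DF set,
# options NOP,NOP,Timestamp,NOP,WScale,MSS,EOL (the Solaris order from the slides).
SAMPLE_PACKET = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 64, 0x1234, 0x4000, 250, 6, 0,
                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    + struct.pack("!HHIIBBHHH", 80, 40000, 0x11223344, 0x55667788, 11 << 4, 0x12,
                  0x3F25, 0, 0)
    + bytes([1, 1, 8, 10]) + b"\x00" * 8 + bytes([1, 3, 3, 0, 2, 4, 0x05, 0xB4, 0, 0, 0, 0])
)
```

`fingerprint(SAMPLE_PACKET)` yields TTL 250 (initial 255, 5 hops away), DF set, window 0x3F25 and the option string “NNTNWME”, which is exactly the kind of tuple a passive OS detector compares against its table.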
12. UDP (L4): UDP header layout
13. UDP Layer (L4) <ul><li>A UDP packet sent to a non-existent port is answered with an ICMP Destination Unreachable packet.</li><li>The ICMP Destination Unreachable packet carries a copy of the UDP packet that caused the error.</li><li>Different OSs mangle this copy of the UDP packet in different ways.</li></ul>
14. Idle Scan (diagram) <ul><li>Host -> Zombi: probe packet (SYN). Zombi -> Host: SYN/ACK, IPID = 43210.</li><li>Host -> Target: SYN with SrcIP = Zombi, port = 80. Target -> Zombi: SYN/ACK. Zombi -> Target: RST, IPID = 43211.</li><li>Host -> Zombi: probe packet (SYN). Zombi -> Host: SYN/ACK, IPID = 43212. Idle scan completes.</li></ul>
15. Exploiting Exchange (diagram) <ul><li>HOST sends the exploit string “XEXCH50 -1 2” (MS05-043) towards the Exchange Server.</li><li>The IPS/IDS rule IF “XEXCH50 -1 2” DROP matches it: exploit blocked.</li></ul>
16. Evasion Techniques: IP Fragmentation (diagram) <ul><li>HOST splits the same string across IP fragments: “XEXCH50” (TTL = 10) and “-1 2” (TTL = 9).</li><li>The IPS/IDS rule IF “XEXCH50 -1 2” DROP does not match either fragment on its own, and both reach the Exchange Server (MS05-043).</li></ul>
17. Evasion Techniques: TTL Expired / Traffic Insertion (diagram) <ul><li>HOST sends “XEXCH50” (TTL = 10), “JUNK” (TTL = 1) and “-1 2” (TTL = 9).</li><li>The IPS/IDS sees the resultant string “XEXCH50 JUNK -1 2”, so the rule IF “XEXCH50 -1 2” DROP does not match.</li><li>The TTL of the JUNK packet expires before it reaches the Exchange Server (MS05-043), which receives “XEXCH50 -1 2”.</li></ul>
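Added example (not from the slides) that models the insertion attack on slide 17 from the sensor's side: a naive reassembler sees “XEXCH50 JUNK -1 2” and never fires, while a TTL-aware reassembler that knows how many router hops separate it from the protected host discards the piece that can never arrive, matches the host's view, and raises an extra alert on the dropped piece. The stream, the signature and the 3-hop distance are constructed assumptions.

```python
SIGNATURE = b"XEXCH50 -1 2"

# Constructed stream modelled on the slide: (TTL as seen at the IDS sensor, bytes).
# The JUNK piece carries TTL 1, so the first router past the sensor discards it.
STREAM = [(10, b"XEXCH50"), (1, b" JUNK"), (9, b" -1 2")]

# Assumption: the sensor learned at deployment time (e.g. with traceroute) that
# the protected Exchange server sits 3 router hops behind it.
HOPS_BEHIND_SENSOR = 3

def reaches_host(ttl, hops):
    """A piece arrives only if its TTL survives 'hops' more decrements."""
    return ttl > hops

def naive_reassemble(stream):
    """IDS that ignores TTL: concatenates everything it captured."""
    return b"".join(data for _, data in stream)

def host_reassemble(stream, hops):
    """What the server actually receives."""
    return b"".join(data for ttl, data in stream if reaches_host(ttl, hops))

def ttl_aware_reassemble(stream, hops):
    """Normalising IDS: drop pieces that cannot reach the host and report them,
    since a TTL too small to arrive has no benign reason to be there."""
    kept, dropped = [], []
    for ttl, data in stream:
        (kept if reaches_host(ttl, hops) else dropped).append((ttl, data))
    return b"".join(data for _, data in kept), dropped

def inspect(stream, hops):
    naive = naive_reassemble(stream)
    host = host_reassemble(stream, hops)
    aware, dropped = ttl_aware_reassemble(stream, hops)
    return {
        "naive_view": naive,
        "naive_alert": SIGNATURE in naive,        # False: the rule never fires
        "host_view": host,
        "aware_view": aware,
        "aware_alert": SIGNATURE in aware,        # True: sensor matches host's view
        "insertion_suspected": bool(dropped),     # extra alert on the dropped piece
    }

if __name__ == "__main__":
    for key, value in inspect(STREAM, HOPS_BEHIND_SENSOR).items():
        print(f"{key}: {value!r}")
```

The hop count is the weak point of this defence: if the sensor's estimate is wrong it will reassemble a different stream than the host does, which is why the rest of the slide deck's evasions (fragmentation, TTL games) are fought with normalisation rather than signature tweaks.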
18. Preventing detection <ul><li>For Windows<ul><li>OSfuscate</li><li>sec_clock</li></ul></li><li>For Linux<ul><li>grsec</li><li>iplog</li></ul></li><li>For BSD Unix<ul><li>blackhole</li><li>Fingerprint Fucker</li></ul></li></ul>
19. TOOLS <ul><li>Network scanners:<ul><li>Nmap, Nessus.</li></ul></li><li>Misc:<ul><li>Netcat.</li></ul></li><li>Simple tools:<ul><li>Ping, traceroute.</li></ul></li><li>Packet sniffers:<ul><li>Wireshark, tcpdump.</li></ul></li><li>Packet crafter:<ul><li>hping2.</li></ul></li></ul>
20. Reference <ul><li>http://nmap.org/nmap-fingerprinting-article.txt</li><li>http://www.zog.net/Docs/nmap.html</li><li>http://www.grsecurity.net/</li></ul>
21. Murtuja Bharmal (bharmal.murtuja@gmail.com)