Lecture 23: Network Primer

7/15/2003

CSCE 590

Summer 2003


TCP Header

          0                   1                   2                   3
byte      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    0    |          Source Port          |       Destination Port        |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    4    |                        Sequence Number                        |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    8    |                    Acknowledgement Number                     |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   12    |  Hdr  |           |U|A|P|R|S|F|                               |
         |  Len  | Reserved  |R|C|S|S|Y|I|          Window Size          |
         |       |           |G|K|H|T|N|N|                               |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   16    |      TCP Packet Checksum      |        Urgent Pointer         |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   20    |           Options (Variable length padded with 0's)           |
         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


TCP Fields

  • Source port and Destination port:

    • 16-bit fields; valid values (0)1–65535

    • Destination port: some listening server

    • Source port – random, usually chosen above 1023 and called ephemeral

    • Source ports should change with each new session/connection
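
As an added example (not from the slides), the header layout drawn above in Python: pack the 20-byte fixed header, fill in the checksum over the IPv4 pseudo-header, and unpack it back into the fields the slide names. The client address, port 62677 and the MSS option are constructed values modelled on the capture later in the deck.

```python
import struct

# Flag bits in the low six bits of the "Hdr Len / Reserved / flags" word (RFC 793 order).
FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def build_tcp_header(sport, dport, seq, ack, flags, window, urgent=0, options=b""):
    """Pack the 20-byte fixed header plus options; options are padded with 0 bytes to a 4-byte boundary."""
    options = options + b"\x00" * (-len(options) % 4)
    hdr_len_words = 5 + len(options) // 4             # Hdr Len counts 32-bit words; 5 words = 20 bytes
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAGS[name]
    offset_flags = (hdr_len_words << 12) | flag_bits  # 4 bits Hdr Len, 6 reserved bits (zero), 6 flags
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, urgent)
    return fixed + options


def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement sum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) and the segment."""
    pseudo = (bytes(int(o) for o in src_ip.split(".")) + bytes(int(o) for o in dst_ip.split("."))
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"                               # odd length: pad out the final 16-bit word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(src_ip, dst_ip, segment):
    """Return the segment with its checksum field filled in (computed with that field zeroed)."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, zeroed)) + segment[18:]


def checksum_ok(src_ip, dst_ip, segment):
    """Summing a segment that already carries a correct checksum yields 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def parse_tcp_header(segment):
    """Unpack the fixed header into the fields named on the slide; options and payload stay raw bytes."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed header")
    sport, dport, seq, ack, offset_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (offset_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad Hdr Len %d for a %d-byte segment" % (hdr_len, len(segment)))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "hdr_len": hdr_len, "reserved": (offset_flags >> 6) & 0x3F,
        "flags": sorted(name for name, bit in FLAGS.items() if offset_flags & bit),
        "window": window, "checksum": csum, "urgent": urg,
        "options": segment[20:hdr_len], "payload": segment[hdr_len:],
    }


if __name__ == "__main__":
    # Constructed SYN: client port 62677 to port 80, ISN 3938526924, MSS option 1460 (kind 2, len 4).
    syn = with_checksum("129.252.41.10", "129.252.176.4",
                        build_tcp_header(62677, 80, 3938526924, 0, ["SYN"], 2048, options=b"\x02\x04\x05\xb4"))
    print(parse_tcp_header(syn), checksum_ok("129.252.41.10", "129.252.176.4", syn))
```

The Hdr Len check matters when reading packets off the wire: a value below 5 words or beyond the captured bytes is exactly the kind of corrupt or crafted header the later slides discuss, and a parser that trusts it will slice garbage as options.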


What’s Weird?

22:08:48.495489 129.252.41.100.62505 > 129.252.176.4.890: S 3938526924:3938526924(0) win 4096

22:08:48.495588 129.252.41.100.62505 > 129.252.176.4.627: S 3938526924:3938526924(0) win 4096

22:08:48.495616 129.252.41.100.62505 > 129.252.176.4.461: S 3938526924:3938526924(0) win 4096

22:08:48.495643 129.252.41.100.62505 > 129.252.176.4.1000: S 3938526924:3938526924(0) win 4096

22:08:48.495668 129.252.41.100.62505 > 129.252.176.4.199: S 3938526924:3938526924(0) win 4096

22:08:48.495693 129.252.41.100.62505 > 129.252.176.4.265: S 3938526924:3938526924(0) win 4096

22:08:48.495718 129.252.41.100.62505 > 129.252.176.4.7597: S 3938526924:3938526924(0) win 4096

22:08:48.495743 129.252.41.100.62505 > 129.252.176.4.826: S 3938526924:3938526924(0) win 4096

22:08:48.495768 129.252.41.100.62505 > 129.252.176.4.645: S 3938526924:3938526924(0) win 4096

22:08:48.495793 129.252.41.100.62505 > 129.252.176.4.84: S 3938526924:3938526924(0) win 4096


What’s Weird?

22:19:30.481578 129.252.41.10.2140 > 129.252.176.4.0: S 1860807593:1860807593(0) win 512

22:19:31.478737 129.252.41.10.2141 > 129.252.176.4.0: S 1456794212:1456794212(0) win 512

22:19:32.478824 129.252.41.10.2142 > 129.252.176.4.0: S 2100191735:2100191735(0) win 512

22:19:33.478916 129.252.41.10.2143 > 129.252.176.4.0: S 1628560220:1628560220(0) win 512

22:19:34.478995 129.252.41.10.2144 > 129.252.176.4.0: S 1658245839:1658245839(0) win 512

22:19:35.479099 129.252.41.10.2145 > 129.252.176.4.0: S 858387126:858387126(0) win 512

22:19:36.479179 129.252.41.10.2146 > 129.252.176.4.0: S 1898100889:1898100889(0) win 512

22:19:37.479293 129.252.41.10.2147 > 129.252.176.4.0: S 164501792:164501792(0) win 512

22:19:38.479382 129.252.41.10.2148 > 129.252.176.4.0: S 1225583647:1225583647(0) win 512

22:19:39.479463 129.252.41.10.2149 > 129.252.176.4.0: S 324333867:324333867(0) win 512


Sequence Numbers

  • Uniquely identifies the initial byte of each TCP segment sent

  • Keeps track of all data sent and received

  • Should change for all new TCP segments sent (retries have the same since they are duplicates)

  • ISN – Initial Sequence Number – 1st sequence number in session (each side picks one)


ISN Prediction

  • Can fingerprint operating systems by how they generate ISNs

  • If it is a predictable pattern, can hijack a session

  • Nmap keeps an OS fingerprint database; with the –O option it also judges how difficult TCP sequence prediction would be


Now What’s Weird?

22:08:48.495489 129.252.41.100.62505 > 129.252.176.4.890: S 3938526924:3938526924(0) win 4096

22:08:48.495588 129.252.41.100.62505 > 129.252.176.4.627: S 3938526924:3938526924(0) win 4096

22:08:48.495616 129.252.41.100.62505 > 129.252.176.4.461: S 3938526924:3938526924(0) win 4096

22:08:48.495643 129.252.41.100.62505 > 129.252.176.4.1000: S 3938526924:3938526924(0) win 4096

22:08:48.495668 129.252.41.100.62505 > 129.252.176.4.199: S 3938526924:3938526924(0) win 4096

22:08:48.495693 129.252.41.100.62505 > 129.252.176.4.265: S 3938526924:3938526924(0) win 4096

22:08:48.495718 129.252.41.100.62505 > 129.252.176.4.7597: S 3938526924:3938526924(0) win 4096

22:08:48.495743 129.252.41.100.62505 > 129.252.176.4.826: S 3938526924:3938526924(0) win 4096

22:08:48.495768 129.252.41.100.62505 > 129.252.176.4.645: S 3938526924:3938526924(0) win 4096

22:08:48.495793 129.252.41.100.62505 > 129.252.176.4.84: S 3938526924:3938526924(0) win 4096


Acknowledgement Numbers

  • Receiving host must tell sending host it got the data with an acknowledgement (ack)

  • 32 bit number representing the next byte of data receiving host expects = last received sequence number + 1

  • Has to be > 0, zero is impossible

    22:08:48.495489 129.252.41.10.62677 > 129.252.176.4.80: S 3938526924:3938526924(0) win 2048

    22:08:48.495588 129.252.176.4.80 > 129.252.41.10.62677: S 373851632:373851632(0) ack 3938526925 win 8576 <mss 1460> (DF)


What’s Weird?

23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>


TCP Flags

  • Tells the state of a TCP segment

    • SYN – session establishment (tcpdump = S)

    • FIN – session termination (F)

    • RST – session abort (R)

    • ACK – acknowledgement of received data (ack)

    • PUSH – send buffered data up to application (P)

    • URG – send data with higher priority (interrupts like <CTRL-C>) (urg)

  • Flags only make sense in particular combinations


TCP Three-Way Handshake

    Host A                                      Host B
    Send SYN seq = x              ----------->  Receive SYN
    Receive SYN + ACK             <-----------  Send SYN seq = y; ACK = x+1
    Send ACK = y+1                ----------->  Receive ACK


TCP Three-Way Handshake

  • SYN

  • SYN + ACK

  • ACK

  • Thereafter SYN + ACKs


TCP Three-Way Handshake

23:49:23.440874 129.252.41.10.57839 > 129.252.41.2.80: S 440460922:440460922(0) win 5840 <mss 1460,sackOK,timestamp 114681793 0,nop,wscale 0> (DF)

23:49:23.441040 129.252.41.2.80 > 129.252.41.10.57839: S 431660388:431660388(0) ack 440460923 win 5792 <mss 1460,sackOK,timestamp 2458279816 114681793,nop,wscale 0> (DF)

23:49:23.441084 129.252.41.10.57839 > 129.252.41.2.80: . ack 431660389 win 5840 <nop,nop,timestamp 114681793 2458279816> (DF)


TCP Three-Way Handshake

23:49:23.440874 129.252.41.10.57839 > 129.252.41.2.80: S 440460922:440460922(0) win 5840 <mss 1460,sackOK,timestamp 114681793 0,nop,wscale 0> (DF)

23:49:23.441040 129.252.41.2.80 > 129.252.41.10.57839: S 431660388:431660388(0) ack 440460923 win 5792 <mss 1460,sackOK,timestamp 2458279816 114681793,nop,wscale 0> (DF)

23:49:23.441084 129.252.41.10.57839 > 129.252.41.2.80: . ack 1 win 5840 <nop,nop,timestamp 114681793 2458279816> (DF)

23:49:23.441212 129.252.41.10.57839 > 129.252.41.2.80: P 1:104(103) ack 1 win 5840 <nop,nop,timestamp 114681793 2458279816> (DF)

23:49:23.441370 129.252.41.2.80 > 129.252.41.10.57839: . ack 104 win 5792 <nop,nop,timestamp 2458279816 114681793> (DF)

23:49:23.442322 129.252.41.2.80 > 129.252.41.10.57839: . 1:1449(1448) ack 104 win 5792 <nop,nop,timestamp 2458279816 114681793> (DF)

23:49:23.442354 129.252.41.10.57839 > 129.252.41.2.80: . ack 1449 win 8688 <nop,nop,timestamp 114681793 2458279816> (DF)


Gracefully Ending a Connection

  • Gracefully – FIN

    • One side sends a FIN/ACK

    • The other side sends an ACK (One side closed)

    • Then the other side sends a FIN/ACK

    • And the first side sends an ACK (Two sides closed)

  • Both sides should close their half of the full duplex connection

  • Sometimes they don’t.


Gracefully Ending a Connection

23:49:23.443343 129.252.41.10.57839 > 129.252.41.2.80: F 440461026:440461026(0) ack 431662073 win 8688 <nop,nop,timestamp 114681793 2458279816> (DF)

23:49:23.443489 129.252.41.2.80 > 129.252.41.10.57839: F 431662073:431662073(0) ack 440461027 win 5792 <nop,nop,timestamp 2458279817 114681793> (DF)

23:49:23.443532 129.252.41.10.57839 > 129.252.41.2.80: . ack 431662074 win 8688 <nop,nop,timestamp 114681793 2458279817> (DF)


Abruptly Ending a Connection

  • RESET halts it abruptly

    00:20:30.427166 129.252.41.2.22 > 129.252.41.10.57878: P 2398201982:2398202990(1008) ack 2394778362 win 16704 <nop,nop,timestamp 2458466499 114868474> (DF)

    00:20:30.427265 129.252.41.10.57878 > 129.252.41.2.22: R 2394778362:2394778362(0) win 0 (DF)
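
As an added example (not part of the slides), a small Python model of the state each endpoint keeps, replaying the three-way handshake, one data segment, the four-step graceful close listed above, and a RESET. The ISNs 440460922 and 431660388 are taken from the handshake capture; everything else is constructed. The model assumes a lossless path, so each ack must equal everything the peer has sent so far, and a wrong ack is treated as an error rather than silently accepted.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    """The per-connection state one side keeps (a tiny subset of the RFC 793 TCB)."""
    name: str
    isn: int                  # Initial Sequence Number this side picked
    state: str = "CLOSED"
    snd_nxt: int = 0          # next sequence number this side will send
    rcv_nxt: int = 0          # next byte expected from the peer = the ack number this side sends

    def __post_init__(self):
        self.snd_nxt = self.isn


def send(tx, flags, payload=b""):
    """Stamp a segment with the sender's seq/ack; SYN and FIN each consume one sequence number."""
    flags = set(flags)
    seg = {"from": tx.name, "flags": flags, "seq": tx.snd_nxt, "ack": tx.rcv_nxt, "len": len(payload)}
    tx.snd_nxt = (tx.snd_nxt + len(payload) + ("SYN" in flags) + ("FIN" in flags)) % 2**32
    if "SYN" in flags and "ACK" not in flags:
        tx.state = "SYN_SENT"
    elif "FIN" in flags and tx.state == "ESTABLISHED":
        tx.state = "FIN_WAIT_1"
    elif "FIN" in flags and tx.state == "CLOSE_WAIT":
        tx.state = "LAST_ACK"
    elif "RST" in flags:
        tx.state = "CLOSED"
    return seg


def receive(rx, seg):
    """Advance the receiver's state machine; return the reply it owes, or None."""
    f = seg["flags"]
    if "RST" in f:                                   # abrupt end: no reply, connection state discarded
        rx.state = "CLOSED"
        return None
    if "ACK" in f and seg["ack"] != rx.snd_nxt:      # ack must cover everything sent so far (lossless model)
        raise ValueError("%s: bad ack %d, expected %d" % (rx.name, seg["ack"], rx.snd_nxt))
    if rx.state == "LISTEN" and "SYN" in f:
        rx.rcv_nxt = seg["seq"] + 1                  # the SYN occupies sequence number x, so ACK = x+1
        rx.state = "SYN_RCVD"
        return send(rx, {"SYN", "ACK"})
    if rx.state == "SYN_SENT" and {"SYN", "ACK"} <= f:
        rx.rcv_nxt = seg["seq"] + 1
        rx.state = "ESTABLISHED"
        return send(rx, {"ACK"})                     # third packet of the handshake, ACK = y+1
    if rx.state == "SYN_RCVD" and "ACK" in f:
        rx.state = "ESTABLISHED"
        return None
    if rx.state == "FIN_WAIT_1" and "ACK" in f:      # our FIN was acknowledged: one side closed
        rx.state = "FIN_WAIT_2"
    if "FIN" in f and rx.state in ("ESTABLISHED", "FIN_WAIT_2"):
        rx.rcv_nxt = seg["seq"] + seg["len"] + 1     # the FIN also occupies a sequence number
        rx.state = "CLOSE_WAIT" if rx.state == "ESTABLISHED" else "TIME_WAIT"
        return send(rx, {"ACK"})
    if rx.state == "LAST_ACK" and "ACK" in f:        # both halves of the full-duplex connection closed
        rx.state = "CLOSED"
        return None
    if seg["len"]:                                   # ordinary data: advance rcv_nxt and acknowledge it
        rx.rcv_nxt = seg["seq"] + seg["len"]
        return send(rx, {"ACK"})
    return None


def exchange(tx, rx, flags, payload=b""):
    """Deliver one segment plus every reply it triggers; return the segments seen on the wire."""
    wire = [send(tx, flags, payload)]
    while True:
        reply = receive(rx, wire[-1])
        if reply is None:
            return wire
        wire.append(reply)
        tx, rx = rx, tx


def demo(isn_a=440460922, isn_b=431660388):
    """Handshake, a 103-byte request, then the four-step graceful close from the slide."""
    a = Endpoint("A", isn_a)
    b = Endpoint("B", isn_b, state="LISTEN")
    wire = exchange(a, b, {"SYN"})                        # SYN, SYN+ACK, ACK
    wire += exchange(a, b, {"PSH", "ACK"}, b"x" * 103)    # request, ACK
    wire += exchange(a, b, {"FIN", "ACK"})                # A's FIN/ACK, B's ACK (one side closed)
    wire += exchange(b, a, {"FIN", "ACK"})                # B's FIN/ACK, A's ACK (two sides closed)
    return a, b, wire


if __name__ == "__main__":
    for seg in demo()[2]:
        print(seg)
```

Run it and compare the printed seq/ack values with the handshake and FIN captures on the slides: B's SYN+ACK acknowledges 440460923, A's first FIN carries sequence number 440461026 (ISN + 1 for the SYN + 103 bytes), and B acknowledges 440461027 because the FIN itself consumed a number.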


Invalid Flag Combinations

[Figure: the TCP header's flag bits URG, ACK, PSH, RST, SYN and FIN, shown between the Hdr Len / Reserved fields and Window Size]

  • Why?

    • Evading detection systems

    • Network mapping

    • Port scanning

    • OS fingerprinting

    • Could just be a corrupt packet

  • Example: a session can’t be started and ended in the same packet (SYN together with FIN)

  • Reserved bits are used for fingerprinting too


What’s Weird?

23:12:26.100477 129.252.41.10.48775 > 129.252.176.4.25: SFP 1933921669:1933921669(0) win 2048 urg 0 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>

23:12:26.100850 129.252.176.4.25 > 129.252.41.10.48775: S 4253896955:4253896955(0) ack 1933921670 win 65535 <mss 1260,nop,wscale 0,nop,nop,timestamp 0 0> (DF)

23:12:26.100866 129.252.41.10.48775 > 129.252.176.4.25: R 1933921670:1933921670(0) win 0 (DF)


TCP Retries

  • What if a packet doesn’t get acknowledged?

  • Eventually sender resends the exact packet

  • Waits a little longer between each retry:

    • 3 seconds, 6 seconds, 12 seconds, etc.

    • Different OSes use different backoff algorithms

  • What might cause retries?

    • Destination host went down, ICMP message didn’t get through

    • Packet filtering device silently dropping

    • RESET sent, but we didn’t get it


TCP Retries – Guess Which

23:46:04.527781 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:07.509678 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:13.518688 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:25.537689 10.10.33.4.1140 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

-------------------------------------------------------------------

23:46:40.529581 10.10.33.4.39344 > 129.252.41.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:41.509678 10.10.33.4.39345 > 129.252.41.16.22: S 698735981:698735981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:53.518688 10.10.33.4.39378 > 129.252.41.16.22: S 698654463:698654463(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

23:46:53.923679 10.10.33.4.39379 > 129.252.41.16.22: S 699129230:699129230(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
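
The “What’s Weird?” slides, the Invalid Flag Combinations slide and the retries capture above all ask the reader to spot the same few things in tcpdump output. As an added example (not from the slides), here is a Python parser for the tcpdump line format used throughout the deck, with one check per oddity: one source port and one ISN sprayed across many destination ports, a destination port of 0, an ack number of 0, SYN combined with FIN or RST, and identical SYNs repeated on a doubling timer (retransmissions) as opposed to fresh SYNs with new ports and ISNs. The sample capture is constructed, modelled on the slides’ lines but using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# One tcpdump line as printed on the slides:
#   HH:MM:SS.ffffff src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] win W ...
# FLAGS is a run of S/F/R/P/U letters, or "." when none of them is set.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUWE.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mnt, sec = m.group("ts").split(":")
    return {
        "t": int(h) * 3600 + int(mnt) * 60 + float(sec),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": set(m.group("flags")) - {"."},
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "ack": int(m.group("ack")) if m.group("ack") else None,   # present only when ACK is set
        "win": int(m.group("win")),
    }

def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def syn_scans(pkts, min_ports=4):
    """One source port and one ISN reused against many destination ports. A real client lets
    the stack pick a fresh ephemeral port and ISN for every connection."""
    ports = defaultdict(set)
    for p in pkts:
        if p["flags"] == {"S"}:
            ports[(p["src"], p["sport"], p["seq"])].add(p["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

def port_zero(pkts):
    """Port 0 is outside the (0)1-65535 range a listening server uses; SYNs to it are probes."""
    return [p for p in pkts if p["dport"] == 0 or p["sport"] == 0]

def impossible_acks(pkts):
    """ACK flag set but ack number 0: a real ack is always last received sequence number + 1."""
    return [p for p in pkts if p["ack"] == 0]

# Starting and ending (or aborting) a session in one segment is contradictory.
INVALID_FLAG_COMBOS = [{"S", "F"}, {"S", "R"}]

def invalid_flags(pkts):
    return [p for p in pkts if any(c <= p["flags"] for c in INVALID_FLAG_COMBOS)]

def syn_retries(pkts):
    """Identical SYNs (same addresses, ports and ISN) are retransmissions of one attempt; return
    the gaps between them. A doubling series (3, 6, 12 s) is a stack's backoff. SYNs that differ
    in source port or ISN are new attempts, not retries, whatever their timing."""
    groups = defaultdict(list)
    for p in pkts:
        if p["flags"] == {"S"}:
            groups[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])].append(p["t"])
    return {k: [round(b - a, 1) for a, b in zip(sorted(ts), sorted(ts)[1:])]
            for k, ts in groups.items() if len(ts) > 1}

def analyze(text):
    pkts = parse_capture(text)
    return {"syn_scans": syn_scans(pkts), "port_zero": port_zero(pkts),
            "impossible_acks": impossible_acks(pkts), "invalid_flags": invalid_flags(pkts),
            "syn_retries": syn_retries(pkts)}

# Constructed sample in the slides' format (RFC 5737 documentation addresses).
SAMPLE = """\
22:08:48.495489 192.0.2.10.62505 > 198.51.100.4.890: S 3938526924:3938526924(0) win 4096
22:08:48.495588 192.0.2.10.62505 > 198.51.100.4.627: S 3938526924:3938526924(0) win 4096
22:08:48.495616 192.0.2.10.62505 > 198.51.100.4.461: S 3938526924:3938526924(0) win 4096
22:08:48.495643 192.0.2.10.62505 > 198.51.100.4.1000: S 3938526924:3938526924(0) win 4096
22:08:48.495668 192.0.2.10.62505 > 198.51.100.4.199: S 3938526924:3938526924(0) win 4096
22:19:30.481578 192.0.2.10.2140 > 198.51.100.4.0: S 1860807593:1860807593(0) win 512
23:12:26.100477 192.0.2.10.48775 > 198.51.100.4.25: SFP 1933921669:1933921669(0) win 2048 urg 0 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>
23:12:26.100485 192.0.2.10.48776 > 198.51.100.4.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>
23:46:04.527781 192.0.2.33.1140 > 198.51.100.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:46:07.509678 192.0.2.33.1140 > 198.51.100.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:46:13.518688 192.0.2.33.1140 > 198.51.100.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:46:25.537689 192.0.2.33.1140 > 198.51.100.16.22: S 698192483:698192483(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:46:41.509678 192.0.2.33.39345 > 198.51.100.16.22: S 698735981:698735981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE).items():
        print(name, hits)
```

The retransmission check is the one that needs the most care in a detector: the four SYNs from port 1140 are one attempt being retried at roughly 3, 6 and 12 seconds, while the SYN from port 39345 carries a new ISN and belongs to a new attempt, so counting SYNs per destination without keying on port and ISN would confuse a host retrying against a silent filter with a host opening many connections.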


TCP Options

  • At the end of the header

    • MSS: Maximum Segment Size

    • Window Scale: allows the receive window to exceed 65535 bytes

    • Timestamp: carries a timestamp for each segment

    • Selective Acknowledgement: non-contiguous segments can be acknowledged

    • No Operation: NOP, padding to 4-byte boundaries

    • End of List Option: pad final option to 4 byte boundary

  • More OS fingerprinting possibilities

    • Not all OSes support all options

    • OSes list options in different orders


TCP Window Size

  • Receiving host’s TCP buffer size for connection

  • Flow control

    • Window size changes dynamically as data is received

    • Size of zero means stop sending data for a while

    • Gets bigger than zero when it can take more data

  • Initial window sizes can be used for OS fingerprinting (surprise!)

  • Labeled with a “win” in tcpdump
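
As an added example (not part of the slides) covering both the TCP Options slide and the window size slide: a Python encoder and decoder for the option list at the end of the header, a helper that reduces a decoded list to the option order a fingerprinter keys on, and the window-scale arithmetic that lets the 16-bit “win” field advertise more than 65535 bytes. The option lists are the two that appear in the deck’s captures; the decoder also refuses truncated or malformed lengths instead of reading past the header.

```python
import struct

# Option kinds named on the slide (RFC 793 / RFC 1323 / RFC 2018 numbering).
OPTION_KINDS = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}


def encode_options(opts):
    """Encode tuples such as ("mss", 1460), ("sackOK",), ("timestamp", tsval, tsecr), ("nop",),
    ("wscale", shift), ("eol",) into TLV bytes, padded with 0 bytes to a 4-byte boundary."""
    out = b""
    for opt in opts:
        name = opt[0]
        if name == "nop":
            out += b"\x01"                                  # single byte, no length
        elif name == "eol":
            out += b"\x00"                                  # single byte, terminates the list
        elif name == "mss":
            out += struct.pack("!BBH", 2, 4, opt[1])
        elif name == "wscale":
            out += struct.pack("!BBB", 3, 3, opt[1])
        elif name == "sackOK":
            out += b"\x04\x02"
        elif name == "timestamp":
            out += struct.pack("!BBII", 8, 10, opt[1], opt[2])
        else:
            raise ValueError("unknown option %r" % (name,))
    return out + b"\x00" * (-len(out) % 4)


def decode_options(data):
    """Walk the TLV list, stopping at EOL; bad lengths raise instead of looping or over-reading."""
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:
            opts.append(("eol",))
            break
        if kind == 1:
            opts.append(("nop",))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option kind %d has no length byte" % kind)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = data[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == 3 and length == 3:
            opts.append(("wscale", body[0]))
        elif kind == 4 and length == 2:
            opts.append(("sackOK",))
        elif kind == 8 and length == 10:
            opts.append(("timestamp",) + struct.unpack("!II", body))
        else:
            opts.append(("unknown", kind, body))
        i += length
    return opts


def options_well_formed(data):
    try:
        decode_options(data)
        return True
    except ValueError:
        return False


def option_signature(opts):
    """Just the order of the options, which the slide notes differs between OS stacks."""
    return ",".join(o[0] for o in opts)


def effective_window(win_field, opts):
    """Window Scale multiplies the 16-bit win field by 2**shift; the shift is capped at 14 by the RFC.
    Assumes both sides offered the option in their SYNs, which is when it takes effect."""
    shift = next((o[1] for o in opts if o[0] == "wscale"), 0)
    return win_field << min(shift, 14)


if __name__ == "__main__":
    # The two option lists seen in the deck's captures.
    linux_like = [("mss", 1460), ("sackOK",), ("timestamp", 114681793, 0), ("nop",), ("wscale", 0)]
    scanner_like = [("wscale", 10), ("nop",), ("mss", 265), ("timestamp", 1061109567, 0), ("eol",)]
    for opts, win in ((linux_like, 5840), (scanner_like, 2048)):
        raw = encode_options(opts)
        print(option_signature(decode_options(raw)), len(raw), "bytes, effective window", effective_window(win, opts))
```

The second list is the one from the SFP probe: a window scale of 10 turns an advertised win of 2048 into a 2 MB window, and the unusual ordering (wscale first, eol explicitly present) is the kind of signature the slide has in mind when it says OSes list options in different orders.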


References

  • Highly recommend:

  • http://www.sans.org/resources/tcpip.pdf