Packets and Protocols - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Packets and Protocols' - germaine-jordon

Presentation Transcript
Packets and Protocols
Chapter Seven: Real World Packet Captures
Packets and Protocols Chapter 7
  • Scanning
    • Usually done by a hacker (white hat or black hat) to find vulnerabilities
    • Can also be part of a worm or other attack
    • Attacks are often preceded with a ping
Packets and Protocols Chapter 7
  • Reference Capture file scan1.log
    • TCP Connect Scan Attack
      • Look for a large number of TCP resets using the same source port (52218)
      • Filter on
        • tcp.flags.syn == 1 && tcp.flags.ack == 1
        • or tcp.flags == 18 (0x12, i.e. SYN/ACK)
Packets and Protocols Chapter 7
  • Same port used over and over and over
Packets and Protocols Chapter 7
  • Reference Capture file scan1.log
    • SYN Flood Attack
      • An intruder sends a SYN packet and analyzes the response. If an RST/ACK is received, it indicates that the port is closed. If a SYN/ACK is received, it indicates that the port is open and listening.
      • Look for a large number of TCP resets and incrementing port numbers
      • Filter on
        • tcp.flags == 0x14 (i.e. RST/ACK)
Packets and Protocols Chapter 7
  • Does this look normal???
Packets and Protocols Chapter 7
  • Reference Capture file scan1.log
    • XMAS Scan

“The XMAS scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDS’s more easily than the SYN scans. This XMAS scan sends packets with the Finish (FIN), Push (PSH), and Urgent (URG) flags set.”

      • Harder to detect, but the key is to look for patterns
      • Works well against Windows systems
Packets and Protocols Chapter 7
  • tcp.flags == 0x29 (i.e. FIN, PSH, URG)
Packets and Protocols Chapter 7
  • Reference Capture file scan1.log
    • NULL Scan

“The Null scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDS’s more easily than the SYN scans. This Null scan sends packets with all flags turned off. Closed ports will respond with an RST/ACK, and open ports will drop the packet and not respond.”

      • Harder to detect, but the key is to look for patterns
      • Not effective against Windows systems, but works on Cisco, HP-UX, MVS, etc.
Packets and Protocols Chapter 7
  • tcp.flags == 0x0 (i.e. no TCP flags)
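The flag filters on the preceding slides (SYN/ACK, RST/ACK, XMAS, NULL) and the two patterns the chapter says to look for (resets back to one source port, incrementing destination ports) re-implemented as a small Python checker. This is an added example, not code from the slides or their author; the packet records and addresses are constructed, and the detector thresholds (five replies, a run of five ports) are assumptions chosen for the sample.

```python
# Added example, not from the slides: the chapter's Wireshark-style TCP flag
# filters and scan patterns re-implemented over constructed packet records so
# the checks can be run (and unit-tested) without a capture file.
from collections import Counter
from dataclasses import dataclass

# TCP flag bits in the order they sit in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]

# The slides' filters, as exact matches on the flags byte.
FILTERS = {
    "syn_ack": SYN | ACK,        # tcp.flags == 18 (0x12): SYN/ACK, port open
    "rst_ack": RST | ACK,        # tcp.flags == 0x14: RST/ACK, port closed
    "xmas":    FIN | PSH | URG,  # tcp.flags == 0x29: XMAS probe
    "null":    0x00,             # tcp.flags == 0x0: NULL probe
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def describe(flags):
    """Render a flags byte as 'FIN/PSH/URG'-style text (empty string for NULL)."""
    return "/".join(name for bit, name in NAMES if flags & bit)


def match(packets, name):
    """Packets whose flags byte equals the named slide filter."""
    return [p for p in packets if p.flags == FILTERS[name]]


def same_source_port(packets, threshold=5):
    """Connect-scan pattern: many RST/ACK replies heading back to one source port.

    A reply's destination port is the scanner's source port, so count dports.
    """
    counts = Counter(p.dport for p in match(packets, "rst_ack"))
    return {port: n for port, n in counts.items() if n >= threshold}


def incrementing_ports(packets, min_run=5):
    """Half-open scan pattern: one source probing destination ports in ascending order."""
    by_src = {}
    for p in packets:
        if p.flags == SYN:
            by_src.setdefault(p.src, []).append(p.dport)
    hits = {}
    for src, ports in by_src.items():
        run = best = 1
        for prev, cur in zip(ports, ports[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[src] = best
    return hits


# Constructed sample capture (not scan1.log): 10.0.0.5 runs a connect scan
# reusing source port 52218, 10.0.0.7 walks ports 80-85 then sends one XMAS
# and one NULL probe. The target 10.0.0.9 answers closed ports with RST/ACK
# and the one open port (22) with SYN/ACK.
SAMPLE = []
for dport in (21, 22, 23, 25, 80, 110):
    SAMPLE.append(Packet("10.0.0.5", "10.0.0.9", 52218, dport, SYN))
    reply = SYN | ACK if dport == 22 else RST | ACK
    SAMPLE.append(Packet("10.0.0.9", "10.0.0.5", dport, 52218, reply))
for dport in range(80, 86):
    SAMPLE.append(Packet("10.0.0.7", "10.0.0.9", 40000 + dport, dport, SYN))
    SAMPLE.append(Packet("10.0.0.9", "10.0.0.7", dport, 40000 + dport, RST | ACK))
SAMPLE.append(Packet("10.0.0.7", "10.0.0.9", 41000, 443, FIN | PSH | URG))
SAMPLE.append(Packet("10.0.0.7", "10.0.0.9", 41001, 443, 0))


def report(packets):
    """Summary of every slide filter plus the two scan-pattern checks."""
    out = {name: len(match(packets, name)) for name in FILTERS}
    out["same_source_port"] = same_source_port(packets)
    out["incrementing_ports"] = incrementing_ports(packets)
    return out


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key:20} {value}")
```

On the sample the RST/ACK filter fires eleven times, the SYN/ACK filter once (port 22), and the two pattern checks separate the two scanners: 52218 is the reused source port, and 10.0.0.7 is the host walking ports in order. Exact-match filters such as `tcp.flags == 0x14` deliberately miss packets with extra bits set (for example ECN flags), which is why the chapter keeps pointing at patterns rather than at single packets.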
Packets and Protocols Chapter 7
  • Reference Capture file scan2.log
    • Remote Access Trojan Horse Scans
      • Subseven legend scan
        • Very common, easy to detect, but there are many variations
        • Attacks a Windows backdoor vulnerability
Packets and Protocols Chapter 7
  • Exploits port 27374 (tcp.dstport == 27374)
Packets and Protocols Chapter 7
  • Reference Capture file netbus.log
    • Remote Access Trojan Horse Scans
      • Netbus scan
        • Very common, easy to detect, but there are many variations
        • Attacks a Windows backdoor vulnerability
Packets and Protocols Chapter 7
  • Exploits ports 12345 and 12346 (tcp.dstport == 12345 || tcp.dstport == 12346)
Packets and Protocols Chapter 7
  • Reference Capture file scan2.log
    • RST.b
      • Affects Linux systems
        • Look for the word “DOM” in the payload
Packets and Protocols Chapter 7
  • Search for “DOM” with the find tool
Packets and Protocols Chapter 7
  • Worms!
    • Becoming more common
    • Getting smarter
    • Multiple vulnerabilities
    • Ability to propagate faster than ever
Packets and Protocols Chapter 7
  • Reference Capture file scan3.log
    • SQL/Slammer
      • January 25, 2003
      • It exploits a vulnerability in the Resolution Service of Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000
Packets and Protocols Chapter 7
  • Reference Capture file scan3.log
    • Slammer
      • Affects Linux systems
        • Look for the word “DOM” in the payload
Packets and Protocols Chapter 7
  • Reference Capture files CodeRed_Stage1 and CodeRed_Stage2
    • Code Red
      • Several variants
      • Attacks IIS web servers and causes a buffer overflow
Packets and Protocols Chapter 7
  • Look for the string “GET /default.ida?NNNNNNNN”
Packets and Protocols Chapter 7
  • Reference Capture file ramenattack.gz
    • Ramen
      • Targets Red Hat Linux 6.2 and Red Hat Linux 7.0
      • Easy to detect, makes no attempt at stealth
      • Search for the word “ramen”
Packets and Protocols Chapter 7
  • Attempts to create a /usr/scr.poop directory
  • Encourages people to eat ramen noodles
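The Trojan and worm slides above all reduce to two kinds of indicator: a destination port (SubSeven, NetBus) or a byte string in the payload (RST.b, Code Red, Ramen). The checker below is an added example, not code from the slides or their author: it carries the slides' indicator values, renders the equivalent Wireshark display filter for each, and runs them over constructed packet records. Hosts, ports other than the signature ports, and payloads are made up; the `frame contains` filter syntax is Wireshark's own.

```python
# Added example, not from the slides: a small signature matcher for the port
# and payload-string indicators the chapter lists (SubSeven, NetBus, RST.b,
# Code Red, Ramen), run over constructed packet records, plus the Wireshark
# display filter each signature corresponds to.
from dataclasses import dataclass

# Port-based indicators from the slides (tcp.dstport filters).
PORT_SIGS = {
    "subseven": (27374,),
    "netbus": (12345, 12346),
}

# Payload-string indicators from the slides, matched as raw bytes.
STRING_SIGS = {
    "rst.b": b"DOM",
    "code_red": b"GET /default.ida?NNNNNNNN",
    "ramen": b"ramen",
}


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def wireshark_filter(name):
    """Display filter equivalent to one signature (strings become frame contains "...")."""
    if name in PORT_SIGS:
        return " || ".join(f"tcp.dstport == {p}" for p in PORT_SIGS[name])
    return f'frame contains "{STRING_SIGS[name].decode()}"'


def classify(pkt):
    """Names of every signature the packet trips, port checks first."""
    hits = []
    if pkt.proto == "tcp":
        hits += [name for name, ports in PORT_SIGS.items() if pkt.dport in ports]
    hits += [name for name, needle in STRING_SIGS.items() if needle in pkt.payload]
    return hits


def scan(packets):
    """Map each signature name to the (src, dst, dport) tuples that tripped it."""
    found = {}
    for pkt in packets:
        for name in classify(pkt):
            found.setdefault(name, []).append((pkt.src, pkt.dst, pkt.dport))
    return found


# Constructed sample traffic (not scan2.log, netbus.log, CodeRed_* or ramenattack.gz).
SAMPLE = [
    Packet("tcp", "10.0.0.5", "10.0.0.9", 27374),                        # SubSeven probe
    Packet("tcp", "10.0.0.5", "10.0.0.9", 12346),                        # NetBus probe
    Packet("udp", "10.0.0.5", "10.0.0.9", 12345),                        # UDP: port sigs are TCP-only
    Packet("tcp", "10.0.0.6", "10.0.0.9", 80,
           b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\n"),           # Code Red request
    Packet("tcp", "10.0.0.6", "10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\n"),  # benign
    Packet("tcp", "10.0.0.9", "10.0.0.5", 1025, b"\x00DOM\x00"),         # RST.b marker
    Packet("tcp", "10.0.0.8", "10.0.0.9", 21, b"USER ramen\r\n"),        # Ramen marker
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE).items():
        print(f"{name:9} {wireshark_filter(name):48} {hits}")
```

Two things the run makes visible: the UDP packet to 12345 is not reported because the slides' NetBus filter is on `tcp.dstport`, and a three-byte marker such as “DOM” will also fire on ordinary payloads that happen to contain it, so treat that hit as a lead to confirm in the packet bytes, which is what the slide's “find tool” step does.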
Packets and Protocols Chapter 7
  • Active responses to attacks
    • Snort and other IDSs can stop attacks by sending a TCP FIN to the attacker and closing the TCP stream
      • It can then notify the administrator of an attack
    • Firewalls can stop the attacks by discarding the packets
      • It can then notify the administrator of an attack
Packets and Protocols Chapter 7
  • Kowalski Virus mitigation theory
    • Disconnect
    • Filter at the border
    • Clean the LAN(s)
    • Reopen the border
    • Monitor, monitor, monitor
Packets and Protocols Chapter 7
  • Virus detection tips:
    • Look for patterns
      • Same port
      • Incrementing port
    • Look for unusual TCP flags
      • FIN, RST, PSH
      • No flags
    • Sniffer companies will post filters for your use so you can detect if you are infected
    • Look for unusual protocols
Packets and Protocols Chapter 7
  • Virus Prevention Tips
    • Most attacks can be thwarted by keeping your patches up to date
    • Some viruses have common embedded strings and are easy to detect
    • Use a firewall or IDS
    • TURN OFF OR BLOCK WHAT YOU DO NOT NEED!