
Lecture 24: Network Primer

  1. Lecture 24: Network Primer 7/16/2003 CSCE 590 Summer 2003

  2. tcpdump
  • Packet capture and analysis utility
  • Default number of bytes captured: 68
  • Change with the snaplength option: -s 1518
  • If a packet is truncated, the "|" symbol is used in the output
  • Does not show the frame header by default
  • To enable that: -e
  • To see hexadecimal output: -x
  • To see hexadecimal output with an ASCII sidebar: -X

  3. tcpdump
  • To write the trace to a file instead of standard output, use -w filename
  • To read from a trace file, use -r filename
  • To choose a network interface to sniff traffic from, use -i interface
  • To force tcpdump not to resolve machine names with DNS, use -n
  • To force it to also not translate TCP/UDP service port numbers from the /etc/services file, add another 'n': -nn

  4. tcpdump Filters
  • tcpdump provides keywords (macros) for the commonly accessed headers used in filtering
  • To reference a type of header in a packet: ip, tcp, icmp, udp
  • To reference a particular byte within that header, use a byte displacement with the type:
    • ip[0] - first byte of the IP header (numbering starts from zero)
    • tcp[13] - tcp header length

  5. Filters vs. Macros
  • Macros are predefined filters
  • Must use filters where there are no macros
  • Filter format: <protocol header>[offset:length] <relation> <value>
  • Macro format: <macro> <value>
  • Example: ip[9] = 1
    • Byte 9 of the IP header is the Protocol field, and a value of 1 = ICMP
    • Equivalent macro: icmp

  6. More Examples
  • tcp[0:2] < 53
    • Starting at byte 0 of the TCP header, for 2 bytes (the source port field), with a value less than 53
  • tcp and src port < 53 (NOT!!!)
    • Can’t do relational comparisons with macros; you can only give them a value
  • udp[6:2] != 0
    • ? Your turn
  • icmp[0] = 8
    • ? Your turn

  7. Common Macros
  • host
  • net (129.252)
  • port
  • src can modify host, net, and port
  • dst can modify host, net, and port
  • icmp
  • tcp
  • udp
  • Also: and (&&), not (!), or (||)

  8. Bits and Bytes
  • Sometimes you don’t want a whole byte (looking at just a flag)
  • So we turn to bit masking (math, eeeww!)
  • "AND" unwanted bits with 0 to clear them
  • "AND" wanted bits with 1 to keep them
  • tcpdump works in hexadecimal, however, so there is some conversion involved

  9. Bit Masking Example
  • TCP header bytes 12 and 13:
      byte 12: Hdr Len | Reserved
      byte 13: (reserved) | URG | ACK | PSH | RST | SYN | FIN
  • Let’s check for the TCP ACK bit turned on
  • It is in byte 13, so we have tcp[13]
  • From our TCP header:
      Byte 13 = 0x12  = 0 0 0 1 0 0 1 0
      AND mask 0x10   = 0 0 0 1 0 0 0 0
      result          = 0 0 0 1 0 0 0 0 = 0x10 (non-zero, so ACK is set)
  • Complete filter: (tcp[13] & 0x10) != 0
  • tcpdump -i eth0 -s 1518 '(tcp[13] & 0x10) != 0'
  • What kind of packets match (tcp[13] & 0x10) = 0 ?

  10. Bit Masking Examples
  • What do these masks check for?
    • (tcp[13] & 0x02) != 0
    • tcp[13] = 0xff
    • (ip[6] & 0x20) != 0
  • Write one to check for either the SYN or FIN bit set
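The following is an added example (not part of the lecture slides) that carries the slide 9 technique through in code: it builds the mask for any set of TCP flag bits, emits the corresponding tcpdump expression, and evaluates it against sample tcp[13] values the same way the BPF filter would. The flag names and the IP_FLAGS table are the example's own; the bit values follow the byte layout shown on slide 9.

```python
# Added example (not from the lecture): build and evaluate tcpdump-style bit-mask
# filters on the TCP flags byte (tcp[13]) and the IP flags byte (ip[6]).
# Bit values follow the layout on slide 9: FIN=0x01 up to URG=0x20; in ip[6],
# 0x20 is the More Fragments bit and 0x40 is Don't Fragment.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IP_FLAGS = {"MF": 0x20, "DF": 0x40}


def mask_for(*names, table=TCP_FLAGS):
    """OR the bit values of the named flags into one mask, e.g. SYN, FIN -> 0x03."""
    mask = 0
    for name in names:
        mask |= table[name]
    return mask


def any_set_filter(*names):
    """tcpdump expression matching packets with ANY of the named flags set."""
    return f"(tcp[13] & 0x{mask_for(*names):02x}) != 0"


def only_set_filter(*names):
    """tcpdump expression matching packets with EXACTLY these flags and no others."""
    return f"(tcp[13] & 0x3f) = 0x{mask_for(*names):02x}"


def flags_set(byte13):
    """Decode a tcp[13] value into the names of the flag bits it carries."""
    return [n for n, bit in TCP_FLAGS.items() if byte13 & bit]


def matches(byte13, *names, mode="any"):
    """Evaluate the filter the way BPF does: mask the byte, then compare."""
    mask = mask_for(*names)
    if mode == "any":
        return (byte13 & mask) != 0
    return (byte13 & 0x3f) == mask


# Constructed sample values: the slide's SYN/ACK (0x12), a bare SYN, a bare FIN,
# and the all-bits-on byte from slide 10.
SAMPLES = {"syn-ack": 0x12, "syn": 0x02, "fin": 0x01, "all-on": 0xff}

if __name__ == "__main__":
    print("SYN or FIN:", any_set_filter("SYN", "FIN"))
    for label, b in SAMPLES.items():
        print(f"{label:8s} tcp[13]=0x{b:02x} {flags_set(b)} "
              f"ACK set: {matches(b, 'ACK')}  SYN|FIN set: {matches(b, 'SYN', 'FIN')}")
```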

  11. Another Game of What’s Weird?
  22:08:38.495489 dns.querier.1745 > dns.nl.53: 42371+ (31)
  22:08:48.150706 dns.nl > dns.querier: (frag 63694:30@400)
  22:08:48.154481 dns.nl.53 > dns.querier.1745: 42371 6/8/8 (72) (frag 63694:80@0+)
  22:08:48.154481 dns.nl > dns.querier: (frag 63694:80@320+)
  22:08:48.154490 dns.nl > dns.querier: (frag 63694:80@240+)
  22:08:48.156737 dns.nl > dns.querier: (frag 63694:80@160+)
  22:08:48.156745 dns.nl > dns.querier: (frag 63694:80@80+)
  22:09:08.612886 dns.querier > dns.nl: icmp: ip reassembly time exceeded [tos 0xc0]

  12. What’s Weird?
  2:19:30.481578 somewhere.nl > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
  2:19:31.478737 somewhere.au > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
  2:19:32.478824 somewhere.de > 129.252.176.255: icmp: echo request (ttl 246, id 5134)
  2:19:33.478916 somewhere.edu > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

  13. What’s Weird?
  23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>

  14. Another Trace
  23:30:32.704057 beav.32772 > www.sc.edu.33435: [udp sum ok] udp 10 [ttl 1] (id 20523, len 38)
  23:30:32.707533 beav.32772 > www.sc.edu.33436: [udp sum ok] udp 10 [ttl 1] (id 20524, len 38)
  23:30:32.707760 beav.32772 > www.sc.edu.33437: [udp sum ok] udp 10 [ttl 1] (id 20525, len 38)
  23:30:32.708017 beav.32772 > www.sc.edu.33438: [udp sum ok] udp 10 (ttl 2, id 20526, len 38)
  23:30:32.712804 beav.32772 > www.sc.edu.33439: [udp sum ok] udp 10 (ttl 2, id 20527, len 38)
  23:30:32.713351 beav.32772 > www.sc.edu.33440: [udp sum ok] udp 10 (ttl 2, id 20528, len 38)
  23:30:32.713961 beav.32772 > www.sc.edu.33441: [udp sum ok] udp 10 (ttl 3, id 20529, len 38)
  23:30:32.719796 beav.32772 > www.sc.edu.33442: [udp sum ok] udp 10 (ttl 3, id 20530, len 38)
  23:30:32.720618 beav.32772 > www.sc.edu.33443: [udp sum ok] udp 10 (ttl 3, id 20531, len 38)

  15. What’s This?
  23:49:23.440874 host.57839 > fozzie.32787: udp 0
  23:49:23.440901 host.57839 > fozzie.32775: udp 0
  23:49:23.440932 host.57839 > fozzie.32788: udp 0
  23:49:23.440943 host.57839 > fozzie.32789: udp 0
  23:49:23.440986 host.57839 > fozzie.32791: udp 0
  23:49:23.441009 host.57839 > fozzie.32799: udp 0
  23:49:23.441027 host.57839 > fozzie.32774: udp 0
  23:49:23.441059 host.57839 > fozzie.32781: udp 0
  23:49:23.441072 host.57839 > fozzie.32772: udp 0
  23:49:23.441080 host.57839 > fozzie.32789: udp 0
  23:49:23.441105 host.57839 > fozzie.32800: udp 0
  23:49:23.441215 fozzie > host: icmp: fozzie udp port 32788 unreachable (DF)
  23:49:23.441269 fozzie > host: icmp: fozzie udp port 32791 unreachable (DF)
  23:49:23.441288 fozzie > host: icmp: fozzie udp port 32781 unreachable (DF)
  23:49:23.441310 fozzie > host: icmp: fozzie udp port 32789 unreachable (DF)

  16. And This?
  23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192
  23:46:41.509678 map.edu.39345 > 129.252.41.15.143: S 698735981:698735981(0) win 8192
  23:46:53.518688 map.edu.39378 > 129.252.41.14.143: S 698654463:698654463(0) win 8192
  23:46:53.923679 map.edu.39379 > 129.252.41.13.143: S 699129230:699129230(0) win 8192
  23:46:53.970672 map.edu.39639 > 129.252.41.11.143: S 699129300:699129300(0) win 8192
  23:46:53.989649 map.edu.39777 > 129.252.41.10.143: S 699129740:699129740(0) win 8192
  23:46:53.994699 map.edu.39791 > 129.252.41.12.143: S 699129768:6991292768(0) win 8192
  23:46:53.999670 map.edu.39812 > 129.252.41.9.143: S 699129901:699129901(0) win 8192

  17. What’s Weird?
  23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512
  23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512
  23:46:53.518688 map.net.0 > 129.252.41.56.110: SF 698192483:698192483(0) win 512
  23:46:53.923679 map.net.0 > 129.252.41.33.110: SF 698192483:698192483(0) win 512
  23:46:53.970672 map.net.0 > 129.252.41.119.110: SF 698192483:698192483(0) win 512
  23:46:53.989649 map.net.0 > 129.252.41.76.110: SF 698192483:698192483(0) win 512
  23:46:53.994699 map.net.0 > 129.252.41.200.110: SF 698192483:698192483(0) win 512
  23:46:53.999670 map.net.0 > 129.252.41.15.110: SF 698192483:698192483(0) win 512

  18. What’s Strange?
  23:46:40.529581 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512
  23:46:41.509678 ack.org.23 > 129.252.37.4.23: . ack 698192483 win 512
  23:46:53.518688 ack.org.143 > 129.252.41.99.143: . ack 698192483 win 512
  23:46:53.923679 ack.org.143 > 129.252.37.4.143: . ack 698192483 win 512
  23:46:53.970672 ack.org.110 > 129.252.41.99.110: . ack 698192483 win 512
  23:46:53.989649 ack.org.110 > 129.252.37.4.110: . ack 698192483 win 512
  23:46:53.994699 ack.org.23 > 129.252.33.7.23: . ack 698192483 win 512
  23:46:53.999670 ack.org.23 > 129.252.4.213.23: . ack 698192483 win 512

  19. Anything Unusual?
  23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096
  23:46:41.509678 scan.net.25820 > 129.252.136.76.23: S 698197881:698197881(4) win 4096
  23:46:53.518688 scan.net.47521 > 10.20.98.76.23: S 378192499:378192499(4) win 4096
  23:46:53.923679 scan.net.25820 > 129.252.11.76.23: S 69821387:69821387(4) win 4096
  23:46:53.970672 scan.net.47521 > 10.20.54.76.23: S 378212490:378212490(4) win 4096
  23:46:53.989649 scan.net.47521 > 10.20.223.76.23: S 378212787:378212787(4) win 4096
  23:46:53.994699 scan.net.25820 > 129.252.209.76.23: S 69822345:69822345(4) win 4096
  23:46:53.999670 scan.net.47521 > 10.20.90.76.23: S 37827658:37827658(4) win 4096
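As an added example (not from the lecture), the following parses TCP lines in the classic tcpdump output format used on slides 16 through 19 and reports the traits a reader is meant to spot in them: SYN and FIN set together, a source port of 0, the same sequence number reused across connections, SYNs that carry data, bare ACKs with matching source and destination ports, and one source probing the same port on many hosts. The regular expression, the thresholds and the SAMPLE lines are the example's own; SAMPLE is constructed in the style of the slides, not a real capture.

```python
# Added example (not from the lecture): parse TCP lines in the classic tcpdump
# output format used on slides 16-19 and flag the oddities those slides point at.
# SAMPLE is constructed in the style of the slides; it is not a real capture.
import re
from collections import Counter, defaultdict

LINE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRPU.]+) "
    r"(?:(?P<seq>\d+):\d+\((?P<len>\d+)\))?\s*(?:ack (?P<ack>\d+) )?win (?P<win>\d+)")

def parse(line):
    """Return the fields of one TCP line as a dict, or None for non-TCP lines."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def oddities(lines):
    """Collect the suspicious traits a human would spot reading these lines."""
    pkts = [p for p in map(parse, lines) if p]
    found = set()
    isn_count = Counter(p["seq"] for p in pkts if p["seq"])
    targets = defaultdict(set)          # (src, dport) -> distinct destination hosts
    for p in pkts:
        f = p["flags"]
        if "S" in f and "F" in f:
            found.add("SYN and FIN set together (never legitimate)")
        if p["sport"] == "0":
            found.add("source port 0")
        if "S" in f and p["len"] not in (None, "0"):
            found.add("SYN carrying payload")
        if f == "." and p["ack"] and p["sport"] == p["dport"]:
            found.add("bare ACK with source port equal to destination port")
        targets[(p["src"], p["dport"])].add(p["dst"])
    for seq, n in isn_count.items():
        if n > 1:
            found.add(f"sequence number {seq} reused in {n} packets")
    for (src, dport), hosts in targets.items():
        if len(hosts) >= 4:             # threshold chosen for the example
            found.add(f"{src} probed port {dport} on {len(hosts)} hosts (sweep)")
    return sorted(found)

SAMPLE = """\
23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512
23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512
23:46:53.518688 map.net.0 > 129.252.41.56.110: SF 698192483:698192483(0) win 512
23:46:53.923679 map.net.0 > 129.252.41.33.110: SF 698192483:698192483(0) win 512
23:46:54.100000 scan.net.25820 > 129.252.41.76.23: S 698197881:698197881(4) win 4096
23:46:55.200000 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512
""".splitlines()

if __name__ == "__main__":
    for o in oddities(SAMPLE):
        print("-", o)
```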

  20. What’s Scary?
  23:46:40.529581 scanner.net > dns.my.edu: ip-proto-54 44
  23:46:41.509678 scanner.net > dns.my.edu: ip-proto-54 44
  23:46:53.518688 scanner.net > dns.my.edu: ip-proto-54 44
  23:46:53.923679 scanner.net > firewall.my.edu: ip-proto-54 44
  23:46:53.970672 scanner.net > firewall.my.edu: ip-proto-54 44
  23:46:53.989649 scanner.net > firewall.my.edu: ip-proto-54 44
  23:46:53.994699 scanner.net > ids.my.edu: ip-proto-54 44
  23:46:53.999670 scanner.net > ids.my.edu: ip-proto-54 44
  23:46:53.999691 scanner.net > ids.my.edu: ip-proto-54 44
  (ip-proto-54 = usually ATM: Next Hop Resolution Protocol) But that’s beside the scary point.

  21. Huh?
  router1.com > 129.252.49.0: icmp: time exceeded in-transit
  router1.com > 129.252.21.0: icmp: time exceeded in-transit
  router1.com > 129.252.78.0: icmp: time exceeded in-transit
  router1.com > 129.252.52.0: icmp: time exceeded in-transit
  router2.com > 129.252.109.0: icmp: time exceeded in-transit [tos 0xc0]
  router2.com > 129.252.1.0: icmp: time exceeded in-transit [tos 0xc0]
  router2.com > 129.252.243.0: icmp: time exceeded in-transit [tos 0xc0]
  router2.com > 129.252.43.0: icmp: time exceeded in-transit [tos 0xc0]
  router2.com > 129.252.66.0: icmp: time exceeded in-transit [tos 0xc0]
  router2.com > 129.252.31.0: icmp: time exceeded in-transit [tos 0xc0]
  router2.com > 129.252.200.0: icmp: time exceeded in-transit [tos 0xc0]
  router2.com > 129.252.212.0: icmp: time exceeded in-transit [tos 0xc0]
  router2.com > 129.252.79.0: icmp: time exceeded in-transit [tos 0xc0]
  router3.com > 129.252.55.0: icmp: time exceeded in-transit
  router3.com > 129.252.111.0: icmp: time exceeded in-transit
  router3.com > 129.252.83.0: icmp: time exceeded in-transit
  router1.com > 129.252.16.0: icmp: time exceeded in-transit
  router1.com > 129.252.156.0: icmp: time exceeded in-transit

  22. WinNuke
  nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
  nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
  nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
  nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
  nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)
  nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg3 (DF)

  23. And This?
  3:46:41.529581 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
  3:46:41.579678 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
  3:46:53.518688 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
  3:46:53.923679 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
  3:46:53.970672 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
  3:46:53.989649 dos.com > 129.252.49.0: (frag 54190:1480@5920+)
  3:46:53.994699 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
  3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@2960+)
  3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@4440+)
  3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
  3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)
  http://www.cisco.com/warp/public/770/nifrag.shtml

  24. Bad Network Traffic in Other Places
  • Web logs
  • Traffic monitoring graphs
  • Firewall logs
  • Intrusion detection systems
  • Router syslogs
  • I even see attempts against my SSH tunnels!

  25. Slammer
  02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376
  02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]

  26. Nimda
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
  129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
  129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
  129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
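As an added example (not from the lecture), here is the kind of web-log check the slide above invites: it parses common-log-format lines, canonicalizes the request path the way a lenient server of that era would (collapsing the overlong UTF-8 pairs and decoding twice so that %255c becomes a backslash), and then flags traversal, cmd.exe requests and double encoding. The regular expressions, function names and SAMPLE_LOG lines are the example's own; the log lines are constructed after the ones on the slide.

```python
# Added example (not from the lecture): scan Apache common-log lines for the
# cmd.exe / directory-traversal probes shown on the Nimda slide. SAMPLE_LOG is
# constructed for this example. Paths are decoded twice because the probes
# double-encode "\" as %255c (%5c after one pass, "\" after the second).
import re
from urllib.parse import unquote

LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Malformed / overlong UTF-8 pairs (%c0%af, %c1%1c, ...) that old decoders
# turned into a path separator; treat them as "/" before decoding.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)

def normalize(path):
    """Canonicalize a request path the way a lenient server would have."""
    p = OVERLONG.sub("/", path)
    for _ in range(2):              # %255c -> %5c -> "\"
        p = unquote(p)
    return p.replace("\\", "/").lower()

def classify(line):
    """Return ip, status and the reasons a line looks like a probe (None if unparsable)."""
    m = LOG.match(line)
    if not m:
        return None
    path = normalize(m["path"])
    reasons = []
    if "/../" in path:
        reasons.append("directory traversal")
    if "cmd.exe" in path or "root.exe" in path:
        reasons.append("command shell request")
    if re.search(r"%25|%%", m["path"]):
        reasons.append("double-encoded path")
    return {"ip": m["ip"], "status": m["status"], "reasons": reasons}

def probes_by_host(lines):
    """Count flagged requests per client address."""
    counts = {}
    for line in lines:
        r = classify(line)
        if r and r["reasons"]:
            counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts

SAMPLE_LOG = [
    '129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -',
    '129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -',
    '129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215',
    '10.1.2.3 - - [12/Apr/2002:12:02:00 -0400] "GET /index.html HTTP/1.0" 200 1234',
]
```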

  27. Firewall Logs

  28. Intrusion Detection Systems

  29. References
  • Highly recommended: http://www.sans.org/resources/tcpip.pdf