Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4).

Date post: 14-Dec-2015

Overview

The TCP/IP Stack.

The Link Layer (L2).

The Network Layer (L3).

The Transport Layer (L4).

Port scanning & OS/App detection techniques.

Evasion and Intrusion Techniques.

The Tools.

The TCP/IP Stack

Each OS vendor has a different implementation of the TCP/IP stack.

Each layer of an OS's TCP/IP stack exhibits its own behaviour.

Properties of the TCP/IP stack can be used for OS and hardware detection, port scanning, intrusion and evasion.

The Link Layer (L2)

An L2 frame carries the MAC addresses of the source and destination machines.

A MAC address has 6 bytes. Its first 3 bytes are the Organizationally Unique Identifier (OUI).

OUIs are unique to the manufacturers of network cards.

In the MAC address “00-08-74-4C-7F-1D”, the OUI “00-08-74” is assigned to Dell Computer Corp.

Network Layer (L3)

IPv4 header layout (figure not included in the transcript)

Network Layer (L3)

The initial TTL value observed for various OSs: Windows = 128, Linux = 64, AIX = 255. A host several hops away shows a smaller value, so round the observed TTL up to the next common initial value (32, 64, 128, 255) before comparing.

The IP layer supports IP fragmentation, so a TCP segment can arrive split over several IP packets.

The “Don't Fragment” (DF) flag is set in some responses from Windows and not set by Linux machines.

The IP Identification (IPID) field is used in a special port scanning technique called the Idle or Zombie scan.

TCP (L4)

TCP header layout (figure not included in the transcript)

TCP Layer (L4)

TCP uses a 3-way handshake:

SYN ->
<- SYN/ACK
ACK ->

Different combinations of the SYN, ACK and FIN flags bring out different behaviour in different OSs.

TCP Layer (L4)

The Initial Sequence Number (ISN) is generated differently by different OSs.

Checking the window size on returned packets helps to identify AIX (0x3F25), Windows and BSD (0x402E) systems.

The ACK value in the response to a FIN probe is used to identify some Windows versions.

TCP Layer (L4)

TCP options are optional, yet every OS sends out its own set and order of them: WindowScale (W), NOP (N), MaxSegmentSize (M), TimeStamp (T) and End of Option list (E).

The TCP options echoed vary with the OS, for example Solaris = “NNTNWME”, Linux = “MENNTNW”.
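The L3 and L4 fingerprinting signals above (initial TTL, DF flag, IPID, window size and the option letter string) can all be read out of a single SYN/ACK. The following is an added example, not code from the original slides: it builds two constructed SYN/ACK packets with the standard library only, then parses them back into the kind of fingerprint the slides describe. The addresses, ports, window values and the “solaris-like” / “windows-like” option orders are assumptions chosen for illustration, not measured values.

```python
import socket
import struct

# Nmap-style letter for each TCP option kind the slides mention
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 8: "T"}


def build_ipv4(src, dst, ttl, df, ident, payload, proto=6):
    """Minimal 20-byte IPv4 header (checksum left 0; nothing is sent on the wire)."""
    flags_frag = 0x4000 if df else 0          # DF is bit 14 of the flags/offset word
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport, dport, seq, ack, flags, window, options=b""):
    """TCP header with options; options are zero-padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0) + options


# Option encoders: NOP, End-of-list, MSS, window scale, timestamp
NOP, EOL = b"\x01", b"\x00"
def mss(v): return struct.pack("!BBH", 2, 4, v)
def wscale(shift): return struct.pack("!BBB", 3, 3, shift)
def timestamp(val, ecr): return struct.pack("!BBII", 8, 10, val, ecr)


def parse_ipv4(pkt):
    ver_ihl, _, total, ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "id": ident,
            "proto": proto, "payload": pkt[ihl:total]}


def tcp_options_string(tcp):
    """Walk the option area and emit one letter per option, stopping at EOL."""
    data_offset = (tcp[12] >> 4) * 4
    opts = tcp[20:data_offset]
    letters, i = [], 0
    while i < len(opts):
        kind = opts[i]
        letters.append(OPTION_LETTERS.get(kind, "?"))
        if kind == 0:                                   # End of Option List
            break
        if kind == 1:                                   # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:       # truncated or malformed
            letters[-1] = "?"
            break
        i += opts[i + 1]
    return "".join(letters)


def guess_initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    return next((t for t in (32, 64, 128, 255) if observed <= t), None)


def fingerprint(pkt):
    ip = parse_ipv4(pkt)
    tcp = ip["payload"]
    window = struct.unpack("!H", tcp[14:16])[0]
    return {"initial_ttl": guess_initial_ttl(ip["ttl"]), "df": ip["df"],
            "ipid": ip["id"], "window": window,
            "options": tcp_options_string(tcp)}


# Constructed sample SYN/ACKs (assumed values, not real captures); the TTLs
# assume the sender is a few hops away
SOLARIS_LIKE = build_ipv4("10.0.0.5", "10.0.0.1", ttl=250, df=False, ident=4321,
    payload=build_tcp(80, 40000, 0x1A2B3C4D, 0x00000001, 0x12, 8760,
        NOP + NOP + timestamp(1000, 0) + NOP + wscale(0) + mss(1460) + EOL))
WINDOWS_LIKE = build_ipv4("10.0.0.6", "10.0.0.1", ttl=126, df=True, ident=0x1F2E,
    payload=build_tcp(80, 40001, 0x5566, 0x00000001, 0x12, 16384,
        mss(1460) + NOP + wscale(0) + NOP + NOP + timestamp(0, 0)))

if __name__ == "__main__":
    for name, pkt in (("solaris-like", SOLARIS_LIKE), ("windows-like", WINDOWS_LIKE)):
        print(name, fingerprint(pkt))
```

The option walker stops at the first End-of-Option-List byte, as a receiving stack would; the zero padding that `build_tcp` adds after the last option therefore never shows up as extra letters. On a real capture, feed the raw IPv4 packet bytes to `fingerprint()` and compare the result against a table of known stacks rather than trusting any single field.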

UDP (L4)

UDP header layout (figure not included in the transcript)

UDP Layer (L4)

A UDP packet sent to a non-existent (closed) port is answered with an ICMP Destination Unreachable (port unreachable) packet.

The ICMP Destination Unreachable packet carries a copy of the UDP packet that caused the error (at least the IP header and the first 8 bytes of the datagram).

Different OSs alter this quoted copy in different ways: how many bytes are quoted back, and whether header fields such as the IP total length and the UDP checksum come back intact.
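The differences in the ICMP quote are only visible if you compare the quoted bytes field by field against the probe you sent. The example below is added here and is not code from the slides: it builds a constructed UDP probe, two constructed ICMP port-unreachable replies (one faithful, one from an assumed “sloppy” stack that zeroes fields), and reports which parts of the quote survived. The addresses, ports, the 0xBEEF checksum and the `sloppy_stack` behaviour are assumptions for illustration.

```python
import struct


def ipv4_header(src, dst, proto, payload_len, ident=0x1234, ttl=64):
    """Minimal IPv4 header (checksum left 0; nothing is sent on the wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                       ttl, proto, 0, src, dst)


def udp_probe(src, dst, sport, dport, payload):
    """UDP datagram with a fixed, recognisable checksum so tampering is visible."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0xBEEF) + payload
    return ipv4_header(src, dst, 17, len(udp)) + udp


def icmp_port_unreachable(original, quote_len, mangle=None):
    """Constructed ICMP type 3 code 3 quoting the first quote_len bytes of the
    offending datagram; mangle() models a stack that rewrites the quote."""
    quote = bytearray(original[:quote_len])
    if mangle:
        mangle(quote)
    return struct.pack("!BBHI", 3, 3, 0, 0) + bytes(quote)


def analyse_quote(icmp, sent):
    """Compare the quoted datagram with what we sent. The quoted TTL and IP
    checksum are skipped on purpose: they legitimately change in transit."""
    quote = icmp[8:]
    q_ip, s_ip = quote[:20], sent[:20]
    q_udp, s_udp = quote[20:28], sent[20:28]
    return {
        "port_unreachable": icmp[0] == 3 and icmp[1] == 3,
        "quoted_bytes": len(quote),
        "ip_total_length_intact": q_ip[2:4] == s_ip[2:4],
        "ip_id_intact": q_ip[4:6] == s_ip[4:6],
        "udp_ports_intact": q_udp[:4] == s_udp[:4],
        "udp_length_intact": q_udp[4:6] == s_udp[4:6],
        "udp_checksum_intact": q_udp[6:8] == s_udp[6:8],
        "payload_quoted": len(quote) > 28 and quote[28:] == sent[28:len(quote)],
    }


# Constructed probe (assumed addresses/ports) and two constructed replies
PROBE = udp_probe(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 33333, b"A" * 40)


def sloppy_stack(q):
    """Assumed misbehaviour: zero the quoted IP total length and UDP checksum."""
    q[2:4] = b"\x00\x00"
    q[26:28] = b"\x00\x00"


FAITHFUL_REPLY = icmp_port_unreachable(PROBE, 28)            # IP header + 8 bytes
SLOPPY_REPLY = icmp_port_unreachable(PROBE, len(PROBE), sloppy_stack)  # whole datagram

if __name__ == "__main__":
    print("faithful:", analyse_quote(FAITHFUL_REPLY, PROBE))
    print("sloppy:  ", analyse_quote(SLOPPY_REPLY, PROBE))
```

On real traffic, `icmp` is the ICMP payload of the reply (after the reply's own IP header) and `sent` is the exact probe bytes; keep the probe's fields deliberately distinctive, as the fixed checksum here is, so that a rewritten quote cannot be mistaken for a faithful one.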

Idle Scan

Participants: Host (scanner), Zombie (idle host), Target.

Host -> Zombie: probe packet (SYN). Zombie -> Host: SYN/ACK, IPID = 43210.
Host -> Target: SYN with SrcIP = Zombie, port 80.
Target -> Zombie: SYN/ACK (port 80 is open).
Zombie -> Target: RST, IPID = 43211.
Host -> Zombie: probe packet (SYN). Zombie -> Host: SYN/ACK, IPID = 43212.

Idle scan completes: the Zombie's IPID advanced by 2, so port 80 on the Target is open. A closed port would have drawn a RST to the Zombie, which the Zombie ignores, and the IPID would have advanced by only 1.
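The whole scan rests on the arithmetic of the zombie's IPID counter. The following added example (not from the slides) models the three parties as plain Python objects and runs the exchange above, including the two cases the diagram does not show: the 16-bit IPID wrapping around, and a zombie that is not actually idle. The zombie model (sequential IPIDs, SYN/ACK answered by RST, RST ignored) and the starting IPID 43210 are assumptions taken from the slide's diagram.

```python
class Zombie:
    """Idle host whose stack numbers outgoing IP packets sequentially.
    Constructed model for the slide's exchange, not a real host."""

    def __init__(self, first_ipid):
        self.next_ipid = first_ipid

    def _emit(self):
        ipid = self.next_ipid
        self.next_ipid = (self.next_ipid + 1) & 0xFFFF   # 16-bit field wraps
        return ipid

    def probe(self):
        """Scanner probe (SYN to a port on the zombie, as in the slide): the
        SYN/ACK it answers with carries the zombie's current IPID."""
        return self._emit()

    def deliver(self, packet):
        """Traffic spoofed in the zombie's name ends up here: an unsolicited
        SYN/ACK draws a RST (one more IPID); an unsolicited RST draws nothing."""
        if packet == "SYN/ACK":
            self._emit()


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open, self.filtered = set(open_ports), set(filtered_ports)

    def deliver_syn(self, port):
        if port in self.filtered:
            return None                        # silently dropped
        return "SYN/ACK" if port in self.open else "RST"


def idle_scan_port(zombie, target, port, background_packets=0):
    """One idle-scan round: probe, spoofed SYN, probe again, compare IPIDs."""
    before = zombie.probe()
    reply = target.deliver_syn(port)           # SYN sent with SrcIP = zombie ...
    if reply is not None:
        zombie.deliver(reply)                  # ... so the target answers the zombie
    for _ in range(background_packets):        # other hosts talking to the zombie
        zombie._emit()
    after = zombie.probe()
    delta = (after - before) & 0xFFFF          # wrap-safe difference
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "inconclusive"                      # zombie not idle, or not sequential


if __name__ == "__main__":
    zombie, target = Zombie(43210), Target(open_ports={80}, filtered_ports={25})
    for port in (80, 22, 25):
        print(port, idle_scan_port(zombie, target, port))
```

Because closed and filtered ports both leave the counter at +1, the idle scan cannot tell them apart; and any third party exchanging packets with the zombie during the round pushes the delta past 2, which is why the scanner must verify that the zombie is quiet and uses a global incremental IPID before trusting a result.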

Exploiting Exchange

Participants: Host (attacker), IPS/IDS, Exchange Server.

Host -> Exchange Server: “XEXCH50 -1 2 \r\n” (the XEXCH50 buffer overrun, MS03-046).
IPS/IDS rule: IF “XEXCH50 -1 2” THEN DROP.
Result: the exploit is blocked; the string never reaches the Exchange Server.

Evasion Techniques: IP Fragmentation

Participants: Host (attacker), IPS/IDS, Exchange Server.

Host -> : fragment “XEXCH50”, TTL = 10 (TTL = 9 after the first hop).
Host -> : fragment “-1 2 \r\n”, TTL = 10 (TTL = 9 after the first hop).
IPS/IDS: if it reassembles the fragments it sees “XEXCH50 -1 2”, and the rule IF “XEXCH50 -1 2” THEN DROP matches (MS03-046).

Fragmentation alone does not evade an IDS that reassembles before matching.

Evasion Techniques: Traffic Insertion

Participants: Host (attacker), IPS/IDS, Exchange Server.

Host -> : fragment “XEXCH50”, TTL = 10 (TTL = 9 after the first hop).
Host -> : fragment “JUNK”, TTL = 1: the IPS/IDS sees it, but it expires (TTL Expired) before reaching the Exchange Server.
Host -> : fragment “-1 2 \r\n”, TTL = 10 (TTL = 9 after the first hop).
IPS/IDS: reassembles everything it saw; resultant string “XEXCH50 JUNK -1 2”, so the rule IF “XEXCH50 -1 2” THEN DROP does not match.
Exchange Server: receives only “XEXCH50” and “-1 2 \r\n”, i.e. “XEXCH50 -1 2” (MS03-046), and is exploited.
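The two evasion diagrams differ only in whether the IDS's picture of the stream matches the server's. The following added example (not code from the slides) models both the fragmentation-only case and the insertion case with a constructed set of fragments, and compares three views: an IDS that simply appends what it sees, an IDS that knows how many routers sit between it and the server and discards fragments whose TTL cannot get there, and the server itself. The TTL values follow the slide; the assumption that two routers separate the IDS from the server is mine.

```python
SIGNATURE = b"XEXCH50 -1 2"
ROUTERS_PAST_IDS = 2          # assumed topology: IDS, two routers, then the server


def fragment(data, offset, ttl):
    return {"data": data, "offset": offset, "ttl": ttl}


def reaches_server(frag, routers_past_ids):
    """Each router decrements TTL and discards at 0, so a packet gets through
    N routers only if its TTL (as seen at the IDS) is greater than N."""
    return frag["ttl"] > routers_past_ids


def reassemble(frags):
    """Offset-based reassembly as a receiving host does it; a later fragment
    overwrites an earlier one at the same offset, gaps are zero-filled."""
    buf = bytearray()
    for f in frags:
        end = f["offset"] + len(f["data"])
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[f["offset"]:end] = f["data"]
    return bytes(buf)


def naive_ids_stream(frags):
    """IDS that appends every fragment in arrival order without asking
    whether it can reach the server: the slide's “XEXCH50 JUNK -1 2”."""
    return b"".join(f["data"] for f in frags)


def delivered_stream(frags, routers_past_ids):
    """What the server reassembles. A TTL-aware IDS that knows the hop count
    computes exactly this, which is what closes the insertion hole."""
    return reassemble([f for f in frags if reaches_server(f, routers_past_ids)])


def evaluate(frags, routers_past_ids):
    naive = naive_ids_stream(frags)
    aware = delivered_stream(frags, routers_past_ids)
    return {
        "naive_ids_saw": naive,
        "naive_ids_blocks": SIGNATURE in naive,
        "ttl_aware_ids_blocks": SIGNATURE in aware,
        "server_sees_exploit": SIGNATURE in delivered_stream(frags, routers_past_ids),
    }


# Constructed fragment sets; TTL values are as the IDS observes them
FRAGMENTED = [fragment(b"XEXCH50 ", 0, 9), fragment(b"-1 2\r\n", 8, 9)]
INSERTION = [fragment(b"XEXCH50 ", 0, 9),
             fragment(b"JUNK ", 8, 1),        # expires at the next router
             fragment(b"-1 2\r\n", 8, 9)]

if __name__ == "__main__":
    print("fragmentation only:", evaluate(FRAGMENTED, ROUTERS_PAST_IDS))
    print("insertion:         ", evaluate(INSERTION, ROUTERS_PAST_IDS))
```

The practical takeaway is the last two keys of the result: with fragmentation alone both IDS models block, while with insertion only the topology-aware model does. Real IDS engines address this with target-based reassembly policies and a configured minimum TTL for the protected hosts; the model here is the simplest version of that check.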

Preventing detection (OS fingerprint obfuscation)

For Windows
- OSfuscate
- sec_clock

For Linux
- grsec
- iplog

For BSD Unix
- blackhole
- Fingerprint Fucker

TOOLS

Network Scanners: Nmap, Nessus.

Misc: Netcat.

Simple Tools: ping, traceroute.

Packet Sniffers: Wireshark, tcpdump.

Packet Crafter: hping2.

Reference

http://nmap.org/nmap-fingerprinting-article.txt
http://www.zog.net/Docs/nmap.html
http://www.grsecurity.net/

Murtuja Bharmal