Common Network Attacks

David J. Marchette

[email protected]

Common Network Attacks – p.1/96


Outline

Some Common Attacks

SHADOW

EMERALD

ADAM

Utilities


Terminology

Active. Requires action on the part of the person or system gathering the information (e.g. sending packets to the target).

Passive. Relies on information gathered without any action (e.g. without sending any packets).

Fingerprinting. Determining the operating system of a machine by investigating packets/responses from the machine.


Terminology

Stateful. A system (intrusion detection, firewall, etc.) is stateful if it retains information about the state of TCP sessions.


References

Northcutt, Network Intrusion Detection: An Analyst’s Handbook.

www.nswc.navy.mil/ISSEC/CID

www.sans.org

www.cert.org


Outline of an Attack

Find out what machines are on the net: IP scan.

Find out what OS/version they are running: Fingerprinting.

Find out what services they are running: Portscan.

Attack the vulnerable.


Comments on Attack Outline

Not all attacks follow all these steps.

Some attacks skip all of them (denial of service).

Attacks that follow the pattern are usually trivial to detect.

Attacks that follow the pattern sometimes still succeed! Even when the pattern has been detected!


Attack Types

Denial of Service (DOS).

Probes and Network Mapping.

Fingerprinting.

TCP Hijacking.

Other ways to gain access.


DOS: Land Attack

A single packet attack.

A packet is sent with both the source and destination IP address set to the target machine (and the same source and destination port).

Locks up the machine (only works on older systems).

Note: This, like most attacks, requires the attacker to carefully craft packets.

This attack only worked because of a bug in the IP stack of some operating systems.


DOS: Ping of Death

Another single packet attack.

A ping (ICMP echo request) is sent to the target machine with an illegally long payload: the reassembled datagram exceeds the 65,535-byte IPv4 maximum, so it has to arrive as fragments.

Locks up the machine (only works on older systems).

Note: some versions of ping allowed one to do this (by asking for a large packet size). So novices could use this attack without any coding skills.


DOS: Teardrop

Another single packet attack.

A UDP packet is sent fragmented, with the fragments overlapping.

Locks up the machine (only works on older systems).


More Attacks with Fragments

Suppose a TCP packet has been fragmented, and the attacker knows the IP ID.

The attacker can send new fragments with the same IP ID, overwriting the legitimate data.

The TCP header is left alone, so it is a legitimate packet as far as the receiving computer knows.

The attacker must take care that the checksum is correct.


DOS: UDP Storm

Another single packet attack, in principle.

Was the “attack-du-jour” for a while in 1999.

A UDP packet is sent with:

Source IP victim1.

Destination IP victim2.

Source port 7 (echo).

Destination port 19 (chargen).

Causes the two victim machines to “attack” each other.
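The four single-packet attacks above are all visible in the IP header alone. The following Python is an added example (not from the talk) of a small detector: it builds constructed IPv4 packets with the standard library and flags Land (source equals destination), Ping of Death (a fragment that would reassemble past the 65,535-byte IPv4 limit), Teardrop (overlapping fragments of one datagram) and the echo/chargen UDP storm. The sample packets, addresses and rule labels are made up for the demonstration.

```python
"""Four single-packet DoS shapes spotted from the IPv4 header alone (constructed packets)."""
import struct
from collections import defaultdict

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
MF = 0x2000                   # IPv4 "more fragments" flag
IP_MAX = 65535                # largest datagram the 16-bit total length can describe
LOOPING_UDP_PORTS = {7, 19}   # echo and chargen: each answers every datagram it gets


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src, dst, proto, payload, ip_id=1, more_frags=False, frag_off=0):
    """Minimal 20-byte IPv4 header (TTL 64, checksum left zero) plus payload.
    frag_off is in 8-byte units, as on the wire."""
    flags_off = (MF if more_frags else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                      flags_off, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload


def parse_ipv4(pkt):
    (ver_ihl, _tos, total_len, ip_id, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "id": ip_id, "proto": proto, "mf": bool(flags_off & MF),
            "off": (flags_off & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def detect(packets):
    """Return (packet_index, label) for every packet that matches a rule."""
    alerts = []
    frags = defaultdict(list)         # (src, dst, id, proto) -> [(start, end), ...]
    for i, raw in enumerate(packets):
        p = parse_ipv4(raw)
        start, end = p["off"], p["off"] + len(p["payload"])
        if p["src"] == p["dst"]:                        # Land: addressed to itself
            alerts.append((i, "land"))
        if end > IP_MAX:                                # Ping of Death: past 64K on reassembly
            alerts.append((i, "ping-of-death"))
        if p["mf"] or p["off"]:                         # part of a fragmented datagram
            key = (p["src"], p["dst"], p["id"], p["proto"])
            if any(start < e and end > s for s, e in frags[key]):
                alerts.append((i, "teardrop"))          # overlaps an earlier fragment
            frags[key].append((start, end))
        if p["proto"] == PROTO_UDP and p["off"] == 0 and len(p["payload"]) >= 4:
            sport, dport = struct.unpack("!HH", p["payload"][:4])
            if sport in LOOPING_UDP_PORTS and dport in LOOPING_UDP_PORTS:
                alerts.append((i, "udp-storm"))         # echo <-> chargen ping-pong
    return alerts


# Constructed sample traffic; packets 0, 1, 3 and 4 should fire, 2 and 5 should not.
SAMPLE = [
    build_ipv4("10.0.0.5", "10.0.0.5", PROTO_TCP, b"\x00\x17\x00\x17" + b"\x00" * 16),  # Land
    build_ipv4("10.0.0.9", "10.0.0.5", PROTO_ICMP, b"\x00" * 1000, ip_id=7, frag_off=8190),  # PoD
    build_ipv4("10.0.0.9", "10.0.0.5", PROTO_UDP,                                       # Teardrop, frag 1
               struct.pack("!HHHH", 1234, 53, 400, 0) + b"\x00" * 392, ip_id=9, more_frags=True),
    build_ipv4("10.0.0.9", "10.0.0.5", PROTO_UDP, b"\x00" * 100, ip_id=9, frag_off=24),  # frag 2 overlaps
    build_ipv4("10.0.0.2", "10.0.0.3", PROTO_UDP, struct.pack("!HHHH", 7, 19, 8, 0)),   # echo -> chargen
    build_ipv4("10.0.0.9", "10.0.0.5", PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),  # ordinary DNS
]

if __name__ == "__main__":
    for index, label in detect(SAMPLE):
        print(index, label)
```

The Land rule will also fire on genuine loopback traffic if the sensor sees it, and the UDP rule only looks at the first fragment because only that one carries the UDP header; both are the kind of thing to keep in mind when turning header rules into production signatures.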


Notes on “Old Attacks”

These attacks “only work on older systems”.

This does not mean they will never work again.

These take advantage of errors (bugs) in the programming of the operating systems. This illustrates the basic idea of many attacks: find an error and exploit it.


Notes on “Old Attacks”

Note that code reuse and poor programming habits can make some old attacks viable again.

How might one have designed a system that would detect the above attacks before they were known?


DOS: SYN Flood

Send a lot of SYN packets to the target.

These start half-open connections.

If enough connections are started before they start to time out, the connection table can fill up.

The machine crashes, or cannot service legitimate connections.


DOS: SYN Flood

Note that the packets needn’t have the source address of theattacker. In fact, they should have an unreachable source toensure that the SYN/ACKs are never answered.

In actual implementations, the attack usually does not use unreachable sources, but rather selects the sources at random (or arbitrarily).
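To see how quickly a half-open table fills, here is an added Python model (not the talk's code) of a listener with a bounded SYN_RECV table and a fixed timeout, fed one legitimate handshake per second plus a flood of SYNs from random spoofed sources that are never acknowledged. The backlog size, timeout and rates are assumptions chosen for the demonstration; the returned counts show legitimate connections being refused once the flood rate times the timeout exceeds the table size, and the SYN-to-established ratio a stateful monitor could use to notice the flood.

```python
"""Model of a TCP listener's half-open table under a SYN flood (constructed traffic)."""
import random
from collections import OrderedDict

LEGIT_CLIENT = "192.0.2.10"           # the one real client in the simulation


class Listener:
    """Bounded half-open (SYN_RECV) table; entries wait `timeout` seconds for an ACK."""

    def __init__(self, backlog, timeout):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = OrderedDict()   # (src, sport) -> arrival time, oldest first
        self.syns_seen = 0
        self.dropped_syns = 0
        self.established = 0

    def expire(self, now):
        """Discard half-open entries whose SYN/ACK was never answered in time."""
        while self.half_open:
            oldest = next(iter(self.half_open.values()))
            if oldest + self.timeout > now:
                break
            self.half_open.popitem(last=False)

    def on_syn(self, now, src, sport):
        """Return True if the SYN got a table slot (and a SYN/ACK went out)."""
        self.syns_seen += 1
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1        # table full: SYN silently discarded
            return False
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, now, src, sport):
        """Third handshake packet: promote the entry if it is still there."""
        self.expire(now)
        if self.half_open.pop((src, sport), None) is None:
            return False
        self.established += 1
        return True


def simulate(flood_rate, backlog=128, timeout=60.0, duration=120.0, seed=1):
    """One legitimate handshake per second (ACK 10 ms after the SYN) plus
    `flood_rate` spoofed SYNs per second that are never acknowledged."""
    rng = random.Random(seed)
    events = []                           # (time, kind, src, sport)
    for t in range(int(duration)):
        events.append((float(t), "syn", LEGIT_CLIENT, 40000 + t))
        events.append((t + 0.01, "ack", LEGIT_CLIENT, 40000 + t))
    for k in range(int(flood_rate * duration)):
        spoofed = ".".join(str(rng.randrange(256)) for _ in range(4))   # random source
        events.append((k / flood_rate, "syn", spoofed, rng.randrange(1024, 65536)))
    listener = Listener(backlog, timeout)
    legit_ok = legit_refused = 0
    for now, kind, src, sport in sorted(events, key=lambda e: e[0]):
        if kind == "syn":
            accepted = listener.on_syn(now, src, sport)
            if src == LEGIT_CLIENT and not accepted:
                legit_refused += 1
        elif listener.on_ack(now, src, sport) and src == LEGIT_CLIENT:
            legit_ok += 1
    return {"legit_ok": legit_ok, "legit_refused": legit_refused,
            "syns_seen": listener.syns_seen, "dropped_syns": listener.dropped_syns,
            "established": listener.established}


if __name__ == "__main__":
    print(simulate(0))       # no flood: every legitimate handshake completes
    print(simulate(10))      # 10 spoofed SYNs/s with a 60 s timeout swamps a 128-slot table
```

With these parameters the table holds 128 entries but the flood parks 600 unanswered SYNs in every 60-second timeout window, so from about 13 seconds in the legitimate client is refused until old entries start expiring; a detector watching the same listener sees well over a thousand SYNs against a few dozen completed handshakes.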


DOS: Process Table

Similar to the SYN flood. Initiate a lot of TCP connections.

Requires an application that will accept the connections.

Each connection forks a process. If enough connections are forked the process table fills up.


DOS: Process Table Notes

Note that the attacker must appear in the source IP address, since it must answer the SYN/ACKs. But if it’s clever, it need not fork any processes.

This is a good attack to implement as a distributed denial of service. By using many compromised computers, the attacker hides his identity while multiplying the effectiveness of the attack.


DOS: Targa3

Send a lot of malformed packets:

Invalid fragmentation, protocol, packet size, or IP header values;

Invalid options;

Invalid TCP segments;

Invalid routing flags.

These either crash the system, or use up resources while dealing with the strange packets.


DOS: Targa3 Notes

The attacker need not appear in the source IP, since it doesn’tneed to handle any responses.

There need be no particular pattern to the malformed packets.

However, patterns in these might provide a way to fingerprint the attack software.


DOS: Smurf

Send a lot of ping packets (echo requests) to an intermediary network with the victim as source IP.

These all generate echo replies, which all get sent to the victim.

Using the network’s directed broadcast address (e.g. 172.16.255.255) greatly magnifies the effect (assuming the intermediary network doesn’t ignore broadcasts).


DOS: Smurf Picture

[Figure: the attacker sends ICMP echo requests with the spoofed source "Target" to 172.16.255.255, the broadcast address of the intermediary network 172.16.x.x; ICMP echo replies from 1000s of machines go to the target, which goes down under the flood. Note: the attacker is invisible to the target.]


DOS: Syslogd

There are innumerable attacks that utilize a bug in an application.

Old versions of the syslogd daemon on Solaris would crash if senta packet from a source with no DNS entry.

Who would let a syslog packet in from outside the firewall anyway? This attack is from the good old days, before firewalls were common.


DOS Notes

There are two generic types of denial of service attacks:

Ones in which the attacker takes an active (and detectable) part.

Spoofing attacks, where the attacker does not show up on the packets sent to the victim.

How can one determine who the attacker is?

How does one stop such attacks?


Network Mapping

How do you find a victim to attack?

Some are well known: ebay, amazon, Microsoft, etc.

Sometimes the attacker is after a specific individual/organization.

Even if you know you want to attack Widgets-R-Us, how do you decide which machines are vulnerable?

One answer is to scan/map the network.


Network Mapping Light

ping 10.10.255.255.

If this works, every machine on 10.10.xxx.xxx will respond.

It probably won’t work.

Many organizations don’t allow broadcast packets through their firewalls.

If it did work, it would probably flood your machine, and produce a denial of service against yourself!


Network Mapping the Hard Way

ping 10.10.1.1.

ping 10.10.1.2.

ping 10.10.1.3. · · ·

Can be automated, and will work, assuming it isn’t blocked by a firewall.

It is extremely easy to detect.

It can take a while to go through all the possible addresses.

To this day people (script kiddies) will do this.


Stealthy Network Mapping

There are several ways to make the mapping harder to detect:

1. Use packets that people expect to see, and will ignore (echo requests used to work here).

2. Use packets that are not normally logged (example: TCP SYN/ACK).

3. Randomizing the IPs scanned.

4. Spreading out the timing (low and slow scans).

5. Using multiple source IPs.


Stealthy Network Mapping

6. Using different packets for the scan (some icmp, some udp, etc.).

7. Only scan a subset of the network.


Inverse Mapping

Uses the Internet error mechanism to the attacker’s advantage.

Example:

Send a TCP packet with the RESET flag set.

If the packet reaches its destination, the packet is dropped (an unsolicited RST gets no reply).

If the final router cannot deliver the packet, it sends back a “host unreachable” (ICMP) error message.

The packets that don’t generate a response went to machines that exist.


Inverse Mapping Example

[Figure, three frames: the attacker A sends RESET packets to addresses V1 through V6; the router sends Host Unreachable responses for the addresses with no machine behind them (two of the six, marked X); the attacker now knows the victim’s machines.]


Inverse Mapping Notes

The attacker knows nothing about the machines on the victim’s network except which ones are there.

The victim’s machines each receive a single RESET packet.

Intrusion detection systems often ignore RESET packets.

RESET packets happen all the time, and unless one has a stateful system, one cannot tell if a single RESET packet is normal.

Even a stateful firewall may have time-outs that are short relative to the times observed in real networks, and may flag normal RESETs (hence these may be ignored).


Inverse Mapping Notes

Look for many RESET packets from the same machine to many machines.

Drop RESET packets without a response if they are to IP addresses that aren’t populated.
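The two ideas on this slide in Python, as an added example that is not part of the talk: the first function keeps just enough TCP state to tell an unsolicited RST (no SYN seen between that pair of hosts) from one that closes a session it saw, and alerts when one source sends unsolicited RSTs to many hosts inside a window; the second is the edge-router policy of silently dropping RSTs addressed to unpopulated addresses so that no Host Unreachable leaks out. The records, addresses, populated-host list and thresholds are constructed for the demonstration.

```python
"""Inverse-mapping (RST sweep) detection and the router-side fix (constructed records)."""
from collections import defaultdict

# Constructed flow records: (time_s, src, dst, tcpdump-style TCP flags).
RECORDS = [
    (0.0,  "10.1.1.5",     "203.0.113.7", "S"),    # normal handshake
    (0.1,  "203.0.113.7",  "10.1.1.5",    "S."),
    (0.2,  "10.1.1.5",     "203.0.113.7", "."),
    (5.0,  "10.1.1.5",     "203.0.113.7", "R"),    # RST ending a session we saw: benign
    (30.0, "198.51.100.9", "10.1.1.1",    "R"),    # one RST per address: the sweep
    (31.0, "198.51.100.9", "10.1.1.2",    "R"),
    (32.5, "198.51.100.9", "10.1.1.3",    "R"),
    (33.0, "198.51.100.9", "10.1.1.4",    "R"),
    (34.0, "198.51.100.9", "10.1.1.5",    "R"),
    (35.0, "198.51.100.9", "10.1.1.6",    "R"),
    (40.0, "192.0.2.44",   "10.1.1.9",    "R"),    # a single stray RST: below threshold
]

# Constructed list of addresses that actually have a machine behind them.
POPULATED = {"10.1.1.1", "10.1.1.2", "10.1.1.5"}


def find_rst_sweeps(records, min_targets=5, window_s=300.0):
    """Alert on a source that sends unsolicited RSTs (no SYN seen between the
    two hosts) to at least `min_targets` distinct hosts within `window_s`."""
    seen_pairs = set()                  # host pairs with a SYN in either direction
    unsolicited = defaultdict(list)     # src -> [(time, dst), ...]
    for t, src, dst, flags in records:
        pair = frozenset((src, dst))
        if "S" in flags:
            seen_pairs.add(pair)
        elif "R" in flags and pair not in seen_pairs:
            unsolicited[src].append((t, dst))
    alerts = {}
    for src, hits in unsolicited.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide the window over the hits
            targets = {d for t, d in hits[i:] if t - t0 <= window_s}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts


def edge_policy(dst, flags, populated):
    """What the last router should do with a packet for `dst` on its network."""
    if dst in populated:
        return "forward"
    if flags == "R":
        return "drop-silently"      # no Host Unreachable, so nothing to learn from
    return "icmp-unreachable"       # normal error behaviour for other packets


if __name__ == "__main__":
    print(find_rst_sweeps(RECORDS))
    print(edge_policy("10.1.1.3", "R", POPULATED))
```

The window has to be long: the slide's point is that real sessions last longer than many stateful time-outs, so a RST arriving after the tracker forgot the SYN would otherwise be counted as unsolicited and the benign 10.1.1.5 traffic would start contributing false positives.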


Port Mapping

The attacker is looking for specific services.

There are several variations:

Brute force: scan all 65,536 ports (UDP and TCP).

Be selective: scan for a few services such as ssh, telnet, ftp, web, etc.

Be very selective: scan for a single service.


Port Mapping

Sometimes this is done by a program, such as a trojan or worm.

Once a machine is found running a given service, that informationis retained for future targeting.

Brute force is easy to detect.

To detect slow scans you need to study how often machines normally send packets to closed ports.


Stealthy Port Mapping

One way to avoid getting caught at port mapping is to make sure your IP address does not appear in the packet.

This seems problematic however: how do you find out if the port is open?

Recall that if the port is open, a SYN/ACK is sent in response to a SYN.

If it is closed, a RST is sent.

Note also that if an unsolicited SYN/ACK packet is received, a RST packet is sent, while unsolicited RST packets are ignored.


Patsies (Idle Scan)

Suppose you can find a computer that increments its IP ID number in a predictable manner (by one for every packet it sends). Call this machine Patsy.

You want to determine if another machine, Victim, has a particular port open, port P.

Start pinging Patsy (ICMP echo requests, for example). Each reply shows the IP ID incremented.

Send a SYN packet to port P on Victim, with Patsy as the source.

If the port is open, a SYN/ACK is sent to Patsy, Patsy sends a RST, and you observe a skip in the IP ID in your ping stream.

If the port is closed, a RST is sent to Patsy, which ignores it, and there is no skip in IP IDs.


What to do about Patsies

“The good neighbor” approach: don’t be a patsy:

Make your IP ID unpredictable.

This can be done by adding a (small) random number to the IP ID instead of incrementing it.

The “don’t be a victim” approach:

Change the TCP stack so that when a SYN is received at a closed port, you send a RST followed by an ACK.

The ACK is unsolicited, so Patsy answers it with a RST, which increments the IP ID: open and closed ports now look the same to the scanner.

Note: firewalls can’t help, since the whole point is that closed ports don’t cause an effect, and a firewall silently dropping the SYN has the same lack of effect.
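The three parties as an added Python simulation (not the talk's code) that serves both the idle scan on the previous slide and the two fixes on this one: a Patsy whose IP ID goes up by one per packet it sends (or by one plus a random step, the good-neighbor fix), a Victim that answers a SYN to a closed port with a RST (or with RST then ACK, the don't-be-a-victim fix), and a scanner that infers port state from the skip in Patsy's IP ID. The port numbers, the starting IP ID and the jitter size are assumptions.

```python
"""Idle (patsy) scan and its two countermeasures, simulated (constructed hosts)."""
import random


class Patsy:
    """A host whose IP ID field goes up with every packet it sends.
    jitter=0 is the classic predictable counter; jitter>0 adds a random
    extra step per packet, the 'good neighbor' fix."""

    def __init__(self, jitter=0, seed=0):
        self.ip_id = 1000                      # assumed starting value
        self.jitter = jitter
        self.rng = random.Random(seed)

    def _send(self):
        self.ip_id = (self.ip_id + 1 + self.rng.randrange(self.jitter + 1)) & 0xFFFF
        return self.ip_id

    def receive(self, kind):
        """IP ID of the packet sent in reply, or None when nothing is sent."""
        if kind == "ECHO":                     # echo request -> echo reply
            return self._send()
        if kind in ("SYN/ACK", "ACK"):         # unsolicited -> RST
            return self._send()
        return None                            # unsolicited RST is ignored


class Victim:
    """The scanned host. hardened=True answers a SYN to a closed port with a
    RST followed by an ACK (the 'don't be a victim' fix)."""

    def __init__(self, open_ports, hardened=False):
        self.open_ports = set(open_ports)
        self.hardened = hardened

    def receive_syn(self, port):
        """Packets sent back to the (spoofed) source of the SYN."""
        if port in self.open_ports:
            return ["SYN/ACK"]
        return ["RST", "ACK"] if self.hardened else ["RST"]


def idle_scan(patsy, victim, port):
    """Probe Patsy, send the victim a SYN with Patsy's address, probe again,
    and read the port state off the size of the IP ID skip."""
    before = patsy.receive("ECHO")
    for reply in victim.receive_syn(port):     # victim answers Patsy, not us
        patsy.receive(reply)
    after = patsy.receive("ECHO")
    skip = (after - before) & 0xFFFF
    return "open" if skip >= 2 else "closed"   # 1 = only our own echo reply


def scan(patsy, victim, ports):
    return {p: idle_scan(patsy, victim, p) for p in ports}


def misread_rate(jitter, trials, closed_port=23):
    """Fraction of probes of a closed port that a jittery Patsy makes look open."""
    wrong = sum(idle_scan(Patsy(jitter, seed=s), Victim({22}), closed_port) == "open"
                for s in range(trials))
    return wrong / trials


if __name__ == "__main__":
    print(scan(Patsy(), Victim({22, 80}), [22, 23, 80, 443]))            # leaks the truth
    print(scan(Patsy(), Victim({22, 80}, hardened=True), [22, 23, 80]))  # everything "open"
    print(misread_rate(8, 50))                                           # good-neighbor Patsy
```

Against the hardened victim every port reports "open", which is the point: the scanner gets no information, at the price of the extra ACK packet the next slide complains about. Against a jittery Patsy the same scanner misreads most closed ports as open, so its answer is worthless even though the victim is unchanged.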


Downsides

“The good neighbor” approach requires everyone to change, which can be a problem, especially with entrenched systems.

The “don’t be a victim” approach adds packets, and thus decreases efficiency.

A combination of the two is what we have, and is probably the best.


Fingerprinting (Active)

Fingerprinting uses the fact that implementations are free to make choices about how to react to certain types of packets (e.g. improperly formed ones).

The idea is to send a series of crafted packets, and see what the response is.

Based on the responses to the packets, a determination can be made as to the operating system of the target.


Fingerprinting (Active)

This is used by attackers to determine the best attack to use.

System admins use this to see if machines meet their accreditation specs.

This assumes the target system hasn’t been modified to simulate another OS.

It is not perfect, but most active fingerprinting programs are pretty good.


Fingerprinting (Passive)

Operating systems also make choices when they send packets out.

For example:

Initial Time-to-live value.

Source port range.

Sequence number generation algorithm.

Options.

DF flag set?

Type of Service

Window Size.


Fingerprinting (Passive)

These can, to some extent, be used to determine the operating system of a machine passively.

No packets need be sent to the machine, so there is no way to tell if you have been (passively) fingerprinted.

This is truly a statistical problem.


A Comment about TTL

Note that you never see the TTL value set by the remote machine.

You see the TTL decremented by an unknown number of routers.

So, you observe T − δ where T is the original TTL and δ is the number of routers traversed, a nonnegative integer that is unknown (effectively random) to you.


A Comment about Source Ports

Different operating systems/applications choose different source port ranges.

However, for any session, you only see one source port.

Thus, source port range is only useful over a long time.

How do you estimate the source port range?
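An added Python example (not from the talk) of the two passive estimates just described: rounding an observed TTL up to the nearest common initial value to recover the likely original TTL T and the hop count δ, and accumulating the source ports seen from each host over many sessions to estimate its range. The SYN records are constructed, and the set of candidate initial TTLs is an assumption based on common stack defaults.

```python
"""Passive TTL and source-port estimates from observed SYNs (constructed records)."""
from collections import defaultdict

COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # assumed typical stack defaults


def guess_initial_ttl(observed):
    """Return (likely initial TTL, hop count): the smallest common initial
    value at or above what we saw. Wrong only if the host is so far away
    that T - delta drops below the next smaller default."""
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise ValueError("TTL %d exceeds the 8-bit field" % observed)


def profile_hosts(records):
    """records: (src_ip, src_port, observed_ttl) taken from SYN packets.
    The source-port range only means something after many sessions, so the
    session count is returned alongside the min/max."""
    acc = defaultdict(lambda: {"sessions": 0, "port_min": 65535, "port_max": 0, "ttls": set()})
    for src, sport, ttl in records:
        h = acc[src]
        h["sessions"] += 1
        h["port_min"] = min(h["port_min"], sport)
        h["port_max"] = max(h["port_max"], sport)
        h["ttls"].add(ttl)
    out = {}
    for src, h in acc.items():
        guesses = {guess_initial_ttl(t) for t in h["ttls"]}   # several if the route changed
        out[src] = {"sessions": h["sessions"], "port_min": h["port_min"],
                    "port_max": h["port_max"], "ttl_guesses": sorted(guesses)}
    return out


# Constructed SYN observations: (source, source port, TTL as seen by our sensor).
RECORDS = [
    ("198.51.100.7", 1030, 52), ("198.51.100.7", 1033, 52), ("198.51.100.7", 1041, 52),
    ("198.51.100.7", 2210, 52), ("198.51.100.7", 4998, 52),
    ("203.0.113.20", 49153, 118), ("203.0.113.20", 50012, 118), ("203.0.113.20", 62341, 117),
]

if __name__ == "__main__":
    for host, profile in profile_hosts(RECORDS).items():
        print(host, profile)
```

Five sessions from the first host already suggest a 1024-4999 style ephemeral range and a 64-TTL stack twelve hops away; the second host's ports sit above 49152 and its TTL points at a 128 default, with one session showing a route one hop longer. Both remain estimates: min/max only converge with more sessions, and a TTL of 65 would be read as a 128-TTL host 63 hops away rather than a 64-TTL neighbour, which is the statistical flavour the slide refers to.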


TCP Hijacking

Made famous by Kevin Mitnick.

Uses a quirk of TCP sessions to allow an attacker to take over a session between two computers.

Relies on information gathered about the machines by the attacker.

Relies on sequence number algorithms that are easy to predict. For example: use the next number in the sequence, or add 1007 to the previous sequence number.


TCP Hijacking Setup

Setup: Machine A and machine B have a trust relationship, allowing machine B to log into machine A without requiring a password.

Attacker must first determine the sequence number algorithm machine A uses.

This can be accomplished by sending a bunch of SYN packets to A and seeing what the responding sequence numbers look like. If these are predictable, then the hijacking has a chance.


TCP Hijacking Details

Attacker SYN floods machine B to make sure it doesn’t respond to anything from A.

Attacker sends a SYN packet to A spoofed to appear to be from B.

A responds to B with a SYN/ACK.

Attacker then sends an ACK packet with the correct (inferred) acknowledgment number, A’s predicted initial sequence number plus one. A thinks this is part of the session and proceeds as if it were talking to B.


TCP Hijacking Details

The attacker could in principle carry on this hijacked session as if it were a real session.

Instead, the attacker sends the commands to put “+ +” (any host, any user) in the .rhosts file.

This makes the victim trust everyone, and the attacker can now access the machine remotely.


TCP Hijacking Example

[Figure, eight frames showing Machine A, Machine B and the Attacker; the X marks Machine B once it is down.]

1. Attacker sends SYN packets to A to determine its sequence number generator.

2. Attacker SYN floods Machine B.

3. Machine B goes down.

4. Attacker sends SYN packet to A spoofed as if from B.

5. A sends SYN/ACK to B, which is ignored since B is down.

6. Attacker sends ACK packet to A, completing the handshake.

7. A thinks it has an open session with a trusted machine.

8. Attacker sets A to trust his machine: echo “+ +” > .rhosts


Stopping Hijacking

Don’t be trusting.

Use a hard to predict sequence number generator.

Watch for sequence number guessing attempts.

Block all access to attackers at the firewall (if it SYN floods, block it).

This last is potentially dangerous (what if the SYN flood appears to come from your ISP?).


Are Sequence Numbers Predictable?

[Three scatter plots of consecutive initial sequence number differences, one per host: x-axis s_{i+1} − s_i, y-axis s_{i+2} − s_{i+1}, with axes running roughly from −4e+09 to 4e+09. A predictable generator shows up as structure (a line or a tight cluster); random-looking differences fill the plane.]
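The sequence-number test that the hijacking setup slide describes, and the differences the three plots above are built from, as an added Python example that is not from the talk. It takes the six initial sequence numbers that the nmap run later in these slides reports for an IRIX host, computes the consecutive differences and the (s_{i+1} − s_i, s_{i+2} − s_{i+1}) phase-space points, and gives the window an attacker would have to search to guess the next ISN. The classifier thresholds are my own crude rule of thumb, not nmap's difficulty index; the constant-increment and irregular sequences are constructed for comparison.

```python
"""Initial sequence number predictability from observed ISNs."""
MOD = 1 << 32

# From the nmap output shown later in these slides (IRIX 6.4 - 6.5 guess).
IRIX_ISNS = [0x799148C0, 0x799229C0, 0x799339A0, 0x79943580, 0x79952B20, 0x79961440]
# Constructed comparisons: a fixed-increment generator and an irregular hand-made one.
CONSTANT_ISNS = [(0x10000000 + 64000 * i) % MOD for i in range(6)]
IRREGULAR_ISNS = [0x12345678, 0x9ABCDEF0, 0x0BADF00D, 0xDEADBEEF, 0x5A5A5A5A, 0x0000FFFF]


def signed_delta(a, b):
    """b - a modulo 2^32, mapped to the signed range so wraparound looks small."""
    d = (b - a) % MOD
    return d - MOD if d >= MOD // 2 else d


def deltas(isns):
    return [signed_delta(a, b) for a, b in zip(isns, isns[1:])]


def phase_points(isns):
    """Points for the s_{i+1}-s_i versus s_{i+2}-s_{i+1} scatter plot."""
    d = deltas(isns)
    return list(zip(d, d[1:]))


def classify(isns, band=1 << 16):
    """Crude rule of thumb (an assumption, not nmap's index): identical steps are
    a constant increment; steps that all fall within `band` of each other are a
    time-dependent counter; anything wider is treated as unpredictable."""
    d = deltas(isns)
    spread = max(d) - min(d)
    if spread == 0:
        return "constant-increment"
    if spread < band:
        return "time-dependent"
    return "unpredictable"


def guess_window(isns):
    """Range the next ISN should fall in if the generator keeps its recent pace:
    last ISN plus the smallest and largest step seen. For the IRIX host that is
    12,001 candidates instead of 2^32."""
    d = deltas(isns)
    last = isns[-1]
    return (last + min(d)) % MOD, (last + max(d)) % MOD


if __name__ == "__main__":
    for name, seq in (("irix", IRIX_ISNS), ("constant", CONSTANT_ISNS), ("irregular", IRREGULAR_ISNS)):
        print(name, classify(seq), deltas(seq), phase_points(seq)[:2])
    print("next IRIX ISN between %08X and %08X" % guess_window(IRIX_ISNS))
```

The IRIX steps are 57,600 to 69,600 apart, so the phase points sit in one small cluster and the attacker who spoofs B's SYN can ACK each of about 12,000 candidate numbers rather than 4 billion; the constant generator collapses to a single point; the irregular sequence scatters across the whole plane like the plots above.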


SHADOW

Secondary Heuristic Analysis for Defensive Online Warfare

Guess which came first, the acronym or the name.

Uses a tcpdump sensor outside (and/or inside) a firewall to collect all the packet headers within one hour.

Sensor files transferred each hour (via SSH) to an analysis station.


SHADOW

Headers filtered with tcpdump filters and perl scripts and sent to a web page.

Analyst reviews the web page and reports attacks or suspiciousactivity.

Includes ability to search past data, do whois lookups, and nmap machines.


SHADOW

Collects some statistics on traffic.

Newest version allows some reduction:

10.10.10.31 -> 192.78.[1-255].[1-78].22

10.10.10.31 -> 192.78.8.52.[0-65535]

Automates some of the tedium of generating reports.

Relies on the analyst for all decisions.

Not “real time”. Always at least 1 hour after the fact. Does not take any action. Purely a monitoring system.
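The two reduced lines above collapse a host sweep and a port scan into one line each. As an added example (not SHADOW's own code), this Python does the same reduction over constructed (source, destination, destination port) records: groups of one source hitting one port on many hosts become a per-octet range, groups of one source hitting many ports on one host become a port range, and everything else is passed through (with exact duplicates collapsed). The group-size threshold is an assumption.

```python
"""SHADOW-style reduction of per-packet records to range summaries (constructed data)."""
from collections import defaultdict


def _span(values):
    lo, hi = min(values), max(values)
    return str(lo) if lo == hi else "[%d-%d]" % (lo, hi)


def reduce_records(records, min_group=10):
    """records: (src, dst, dport). Returns summary lines for large groups followed
    by the untouched 'src -> dst.port' lines that no summary covered."""
    by_port = defaultdict(set)    # (src, dport) -> {dst}: host sweep candidates
    by_host = defaultdict(set)    # (src, dst)   -> {dport}: port scan candidates
    for src, dst, dport in records:
        by_port[(src, dport)].add(dst)
        by_host[(src, dst)].add(dport)

    summaries, covered = [], set()
    for (src, dport), dsts in by_port.items():
        if len(dsts) >= min_group:
            octets = zip(*(map(int, d.split(".")) for d in dsts))   # per-octet columns
            summaries.append("%s -> %s.%d" % (src, ".".join(_span(o) for o in octets), dport))
            covered.update((src, d, dport) for d in dsts)
    for (src, dst), ports in by_host.items():
        if len(ports) >= min_group:
            summaries.append("%s -> %s.%s" % (src, dst, _span(ports)))
            covered.update((src, dst, p) for p in ports)

    rest = sorted({"%s -> %s.%d" % r for r in records if r not in covered})
    return sorted(summaries) + rest


# Constructed input: an ssh sweep of 192.78.1-20.1-5, a port scan of 192.78.8.52,
# and three ordinary web connections.
SAMPLE = ([("10.10.10.31", "192.78.%d.%d" % (a, b), 22) for a in range(1, 21) for b in range(1, 6)]
          + [("10.10.10.40", "192.78.8.52", p) for p in range(1000)]
          + [("10.10.10.5", "192.78.8.52", 80)] * 3)

if __name__ == "__main__":
    for line in reduce_records(SAMPLE):
        print(line)
```

1,103 records become three lines. The per-octet range is a lossy summary (it would also cover addresses the sweep never touched), which is acceptable here because the analyst is expected to drill back into the raw headers.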


Typical SHADOW Installation

[Figure: Internet, then the Sensor, then the Firewall, then the Internal Network; the Sensor (outside the firewall) feeds the Analysis station.]


SHADOW Advantages

It’s free.

It is easily configurable to one’s network.

It looks at all the traffic (headers) coming in or going out of the network.

Simple web interface for the analyst.

SANS has many classes that are based around the SHADOW idea.

Quickly points out misconfigurations on your network.

Supports multiple sensors.


SHADOW Disadvantages

No support. You are on your own.

Not “real time”.

Does not look at content, hence many attacks are not detectable. However, one can easily add a snort sensor alongside the tcpdump.

You MUST know your network well in order to use this well (some would call this an advantage).


SHADOW Disadvantages

Since no processing is done on the sensor, the transfer of the data can impact the network, unless a subnet is used between the sensor and the analysis station.


EMERALD

Event Monitoring Enabling Responses to Anomalous Live Disturbances.

Environment for scalable, distributed ID and network monitoring.

Hierarchical model, highly modular.

Employs anomaly detection engines utilizing probabilistic models of normal, attack and anomalous behavior.


EMERALD

Three basic levels of processing:

Service Monitors.

Domain Monitors.

Enterprise-wide Monitors.


EMERALD Monitors

Four computational units:

Signature based IDS.

Statistical profiling/anomaly detection.

Resolver, for fusing alerts, responding to attacks, and communicating to other monitors.

Resource object, for configuration management.


EMERALD Monitors

These tend to be stand-alone and self contained.

May be passive (reading logs, monitoring network) or active(scanning and probing).


Signature Engine

Analogous to a set of SHADOW filters or snort ruleset.

Utilizes a set of rules defining a signature of a known attack.

Can be configured individually to the situation.


Profiler

Statistical anomaly detector.

Uses NIDES (next-generation intrusion detection expert system)to statistically profile the network or host.

Allows the detection of new attacks, since they presumably look“different” than normal traffic.


Resolver

Coordinator between the other monitors and IDS systems.

Correlates results from profiler and signature engine.

Communicates detections to higher levels in the hierarchy.


Resource Object

Contains all the information about data feeds, rule sets, etc.

Essentially the configuration mechanism for the module.


Service Monitors

Lowest level of the hierarchy.

Individual ID systems or sensors.

Host-based IDS or network monitors for small networks.

Communicate to the domain monitors, and to other service monitors.


Domain Monitors

Correlate the results from the Service Monitors.

Same basic components as the Service Monitors.

Provide an overall picture of the health of the site.

Look for higher level correlations that are not visible at the lower level.


Enterprise Monitors

Correlate the results from the Domain Monitors.

Same basic components as the Service Monitors.

Provide an overall picture of the health of the entire organization, across several sites.

Look for network-wide threats like worms, distributed attacks, etc.


ADAM

Audit Data Analysis and Mining, GMU.

Network based anomaly detector.

TCP/IP monitor, looks for DOS, scans.

Data mining: mining association rules.


Association Rules

An association rule is a way of expressing a relationship of the form “If A then B”, written as A → B.

Given a data set X, look for patterns where A and B occur together:

A → B has support s if A and B occur together in s% of the records.

A → B has confidence c if c% of the times that A occurs, B does as well.


Association Rules

This provides a way of encoding patterns.

These association rules are “learned” from the data.
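Support and confidence computed over constructed connection records, as an added Python example that is not ADAM's code. Each record is a set of (attribute, value) items; the miner keeps single-item rules X → Y between different attributes that pass both thresholds, and a rule set mined from a window of new traffic is compared against the rule set learned from normal traffic, so rules that appear only in the window are the candidates ADAM's detection phase would hand to its classifier. The records, thresholds and the restriction to single-item rules are assumptions.

```python
"""Association rules (support, confidence) over connection records; constructed data."""
from fractions import Fraction
from itertools import combinations

# Constructed "normal" connection records.
TRAIN = [
    {"src": "10.1.1.5", "dst": "10.1.1.1", "dport": 80,  "flags": "S"},
    {"src": "10.1.1.6", "dst": "10.1.1.1", "dport": 80,  "flags": "S"},
    {"src": "10.1.1.5", "dst": "10.1.1.1", "dport": 80,  "flags": "S"},
    {"src": "10.1.1.7", "dst": "10.1.1.2", "dport": 22,  "flags": "S"},
    {"src": "10.1.1.5", "dst": "10.1.1.2", "dport": 22,  "flags": "S"},
    {"src": "10.1.1.6", "dst": "10.1.1.1", "dport": 443, "flags": "S"},
    {"src": "10.1.1.7", "dst": "10.1.1.1", "dport": 80,  "flags": "S"},
    {"src": "10.1.1.5", "dst": "10.1.1.1", "dport": 80,  "flags": "S"},
]
# Constructed detection window: one outside host walking ports on 10.1.1.1.
WINDOW = [{"src": "198.51.100.9", "dst": "10.1.1.1", "dport": p, "flags": "S"}
          for p in (21, 22, 23, 25, 80, 110, 135, 139)]


def items(record):
    """A record as a set of (attribute, value) items."""
    return set(record.items())


def support(records, itemset):
    """Fraction of records containing every item in `itemset`."""
    itemset = set(itemset)
    return Fraction(sum(1 for r in records if itemset <= items(r)), len(records))


def confidence(records, antecedent, consequent):
    """support(A and B) / support(A); zero if A never occurs."""
    sup_a = support(records, antecedent)
    if sup_a == 0:
        return Fraction(0)
    return support(records, set(antecedent) | set(consequent)) / sup_a


def mine(records, min_support=Fraction(1, 2), min_confidence=Fraction(4, 5)):
    """Single-item rules X -> Y (X and Y on different attributes) meeting both thresholds."""
    universe = set().union(*(items(r) for r in records))
    rules = set()
    for x, y in combinations(sorted(universe, key=lambda it: (it[0], str(it[1]))), 2):
        if x[0] == y[0] or support(records, {x, y}) < min_support:
            continue
        for a, b in ((x, y), (y, x)):
            if confidence(records, {a}, {b}) >= min_confidence:
                rules.add((a, b))
    return rules


def new_rules(train, window, **thresholds):
    """Rules that hold in the window but were never learned from normal traffic."""
    return mine(window, **thresholds) - mine(train, **thresholds)


if __name__ == "__main__":
    for rule in sorted(new_rules(TRAIN, WINDOW)):
        print("%s=%s -> %s=%s" % (rule[0] + rule[1]))
```

On this data the profile learns five rules (for instance dport=80 → dst=10.1.1.1 with confidence 1), and the scan window produces five rules the profile never saw, all of them tying the scanning source to the target; the one window rule that is not new, dst=10.1.1.1 → flags=S, is exactly the kind of "static" global pattern the next slide distinguishes from the "dynamic" sliding-window ones.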


ADAM Processing

Three modules:

Preprocessing engine.

Data Mining (rule set extraction) engine.

Classification Engine.

Involves a training phase and a detection phase.


ADAM Processing

Looks for “static” rules: things that have high support in the whole data set. Global patterns.

Also looks for “dynamic” rules: uses a sliding window to look for local patterns.

Uses header fields:

Time.

Source/Destination IP.

Source/Destination port.

TCP flags.


Performance

EMERALD and ADAM were first and second in the 1999 DARPA evaluation (by some measures).

This was a test on simulated data.

Researchers were given a data set with truth (attacks and normal traffic notated).

Researchers were then given a test set without truth, and had to detect the attacks.

No system performed perfectly. One could argue that none performed adequately.


SANS Top 20 List

http://www.sans.org/top20/


An Example Microsoft FAQ

What is the scope of the vulnerability?

This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, attempts to exploit this vulnerability could most likely result in a denial of service condition.

What causes the vulnerability?

An unchecked buffer in the Print Spooler service.


Continued

What is Print Spooler service?

The Print Spooler service, Spoolsv.exe, is an executable file that is installed as a service. The spooler is loaded when the operating system starts, and it continues to run until the operating system is shut down. The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the Print Spooler service passes the job to the print router. For more information about the Print Spooler service, visit the following Web site.


Continued

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability for remote code execution could take complete control of the affected system. On Windows XP Service Pack 2 and Windows Server 2003 this issue would result in a denial of service condition. On other operating system versions, attempts to exploit this vulnerability would most likely result in a denial of service condition. However remote code execution could be possible.


Continued

Who could exploit the vulnerability?

On Windows 2000 and Windows XP Service Pack 1, any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, this vulnerability is restricted to authenticated users. An authenticated attacker may also be able to log on locally to a system and attempt to exploit this vulnerability on all affected operating system versions.


Continued

How could an attacker exploit the vulnerability?

An attacker could try to remotely exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code on operating system versions and configurations that were vulnerable to remote attack vectors. By default, Windows 2000 and Windows XP Service Pack 1 are vulnerable remotely. A remote attack vector cannot be created on Windows XP SP2 or on Windows Server 2003 unless a user who has appropriate permission shares a printer or tries to connect to a shared printer.

To locally exploit this vulnerability on all operating system versions, an attacker would first have to log on to the system. An attacker could then run a specially-crafted application that could exploit the vulnerability.


Continued

What systems are primarily at risk from the vulnerability?

Windows 2000 and Windows XP Service Pack 1 are primarily at risk from this vulnerability. Windows XP Service Pack 2 and Windows Server 2003 systems are at a reduced risk because of the additional mitigating factors that exist on these operating system versions. However, systems configured as Printer Servers are especially at risk to this vulnerability.

Could the vulnerability be exploited over the Internet?

Yes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.


Continued

What does the update do?

The update removes the vulnerability by modifying the way that Print Spooler service validates the length of a message before it passes the message to the allocated buffer.


Utilities

nmap.

p0f.

snort.


Nmap

A powerful network scanner.

Can:

scan for open ports

perform active fingerprinting

evaluate vulnerabilities

act stealthy in the scans

spoof IP address to make it difficult to determine the scanner

Useful tool for security analysis.

Useful tool for an attacker.


Nmap Example

nmap -sS -v -O localhost


Nmap Example

Adding TCP port 25 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 1024 (state Open).
Adding TCP port 9 (state Open).
Adding TCP port 111 (state Open).
Adding TCP port 513 (state Open).
Adding TCP port 515 (state Open).
Adding TCP port 80 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 22 (state Open).
Adding TCP port 37 (state Open).
Adding TCP port 514 (state Open).
Adding TCP port 841 (state Open).
Adding TCP port 1 (state Open).
Adding TCP port 23 (state Open).
The SYN scan took 0 seconds to scan 1068 ports.
For OSScan assuming that port 1 is open and port 31200 is closed and neither are firewalled


Nmap Example

Port   State   Protocol   Service
1      open    tcp        tcpmux
9      open    tcp        discard
13     open    tcp        daytime
21     open    tcp        ftp
22     open    tcp        ssh
23     open    tcp        telnet
25     open    tcp        smtp
37     open    tcp        time
80     open    tcp        www
111    open    tcp        sunrpc
513    open    tcp        login


Nmap Example

TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=26 (Easy)
Sequence numbers: 799148C0 799229C0 799339A0 79943580 79952B20 79961440
Remote operating system guess: IRIX 6.4 - 6.5
Nmap run completed - 1 IP address (1 host up) scanned in 1 second


p0f

Passive fingerprinting off of TCP SYN packets.

Uses time-to-live (TTL) (etc) to determine likely operating system.

Has extensive database of operating systems.

Must estimate TTL.

http://lcamtuf.coredump.cx/p0f.shtml


snort

Lightweight network intrusion detection system.

Uses tcpdump-like filters, plus content.

Extensible through plug-ins.

http://www.snort.org
