Working Connections

Intermediate Security

1
 Daily Plan
• Schedule
– Start / Stop
– Breaks
– Lunch
– Announcements
• Facilities
• Misc

2
 Intros
• Mike Trammel • Cisco Secure PIX
• mtrammel@dtae.org Firewall Advanced
• 770-786-9522 x5301 (CSPFA)
• TechForce Georgia • Cisco Networking
– Net+ Academy
– A+ – CCNA
– Server+ – IT Essn I+II CCAI
– Security+ – FNS
– CIW Security Professional • MCSE (NT & 2000)
– SANS GIAC Security • MCSA
Essentials Certified
(GSEC) • MCT
– SANS GIAC GCFW • Limited Linux Exposure
coursework complete – Mandatory for security pros
– SANS Mentor Program
GSEC
– CCNA 3
 Intros
• Who are you
• Where are you from
• What you do there
• What security exposure have you had

4
 GOALS
• My goal is to show At Least one thing that
you will take back with you and implement
feeling confident in its deployment.

5
Where are we going this week?
By the end of the week, I hope you will be able to
look at network traffic on a packet sniffer and
feel confident that you know what your seeing or
know how to figure it out if its new.
Using that knowledge, you will be able to monitor
the network yourself and/or with the aid of
helpers like syslogs, IDS, and perimeter devices.
If you see something unusual, you’ll be able to
recognize it and then tweak your syslogs, IDS,
and perimeter devices to better allow or deny
said unusual traffic
6
 Class based on Windows
• Most of us are probably operating in a Windows
based environment
• Most of Linux is used on infrastructure as end
users fear it
• Most of the bad “nasty bugs” are Windows
based
• Linux security tools are well documented while
Windows Security is only recently being stressed
(see bad nasty bugs)
• While MCSEs are a dime a dozen, someone
who can secure windows is worth gold

7
IP Behavior

8
 Geek Humor
There are only 10 types of people in the
world…

Those that understand binary and those that

don’t.

9
10
 Term…Non - Promiscuous
• Non Promiscuous Mode –
– “””When a data packet is transmitted in non-
promiscuous mode, all the LAN devices
"listen to" the data to determine if the network
address included in the data packet is theirs.
If it isn't, the data packet is passed onto the
next LAN device until the device with the
correct network address is reached. That
device then receives and reads the data.”””
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci518283,00.html

11
 Term…Promiscuous
• In an Ethernet local area network,
promiscuous mode is a mode of operation in
which every data packet transmitted can be
received and read by a network adapter.
Promiscuous mode must be supported by
each network adapter as well as by the
input/output driver in the host operating
system. Promiscuous mode is often used to
monitor network activity.
• http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci518283,00.html

12
 Getting NIC into Promiscuous
Mode
• WinPcap
• Obtained from http://winpcap.polito.it/
• Is a Promiscuous Adapter driver for most
all Windows platforms from Win95-
Win2003
• Based on and is compatible with libPcap,
a well known Unix capture library.

13
 WinPcap intros 2 new .dlls
• Packet.dll
– is an API that can be used to directly access the
functions of the packet driver, offering a programming
interface independent from the Microsoft OS.
• Wpcap.dll
– exports a set of high level capture primitives that are
compatible with libpcap, the well known Unix capture
library. These functions allow to capture packets in a
way independent from the underlying network
hardware and operating system.

14
 Action:
Load and install WinPcap from classroom FTP
server.

Obtained from http://winpcap.polito.it/

Note: while is it more realistic to download and install from the
internet…some degree of consistency of versions must be
maintained for instructor sanity. Loading from FTP will ensure this.
Care is taken to ensure that latest-greatest stable versions are
used. Last FTP update was 8/1/03

All download sites are included in this presentation which is on your

CD. Software may be included when it is legal by license.

15
 Now what…
• WinPcap is loaded but wont “do” anything
as it is only a driver for the NIC card and
we have no software installed to
understand its output……so…..

16
 WinDump
• WinDump is the porting to the Windows platform of
tcpdump, the most used network sniffer/analyzer for
UNIX. Porting is currently based on version 3.5.2.
WinDump is fully compatible with tcpdump and can be
used to watch and diagnose network traffic according to
various complex rules. It can run under Windows
95/98/ME, and under Windows NT/2000/XP.
• WinDump uses a libpcap-compatible library for
Windows, WinPcap, that is freely downloadable from the
WinPcap site.
• WinDump is free and is released under a BSD-style
license.
• http://windump.polito.it/

17
 Why Windump
• WinDump is not user friendly, is not GUI, is
clunky, is not pretty, or fancy, or intelligent, and
doesn’t have spiffy features.
• It is free, easy to install, and helps visualize
what’s happening on the wire.
• It is elementary enough to require thought on the
users part. Not a bad thing given all the ways to
spoof or otherwise fool more intelligent software.
• Think of learning multiplication tables and then
using a calculator. Some may never use
anything more advanced….

18
 Action
Load WinDump
(no install needed)
Located on classroom FTP

Obtained from
http://windump.polito.it/install/default.htm

19
 What now?
• We are now ready to sniff packets off the
network.
• But first a word from out packet analyzer…

20
 “How To” WinDump
• What follows is adapted from the file
“WinDump Manual.doc” found on your CD.
• This document is from the Unix man
pages on TCPDump, WinDump’s Unix
cousin…both operate much the same
way.

21
 Syntax
• Windump has two parts
– Switches
– Expressions
• windump [ -aBdDeflnNOpqRStvxX ]
[ -c count ] [ -F file ]
[ -i interface ] [ -m module ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ]
[ -E algo:secret ] [ expression ]

22
 How to execute
• WinDump is command line driven.
• To access, open the command prompt
shell and “cd” to the directory where you
saved it. You must be in the directory
where it resides to execute it.
– Okay, okay…can be added to the path
statement…details details

23
 Figure out the hardware
• There may be more than one NIC in your
machine
• Default setup is to listen on the first Ethernet NIC
encountered. (in tests I find it likes wire based
NICs over wireless)
• Make sure you are at command prompt and in
the directory that contains windump…
• windump –D
• Which card are you active on?
– Ahhum…may require physical action to determine
• (that is…inspect where the wire’s plugged in and determine
which card that is)

24
 First dump!!!!!!
• windump –i x
– Where x equals the interface from the –D list that you
determined to be active.
• If your not seeing traffic
– You may be on an inactive NIC
– There may not be traffic right now…
• Connect to FTP server to generate traffic then flip back to
windump to view

• Ain’t that COOL!

• Use <ctrl> <c> to stop.
25
Just when you thought it was safe!
SWITCHES
• Try
– windump –i x –vvv
• Again x equals interface number

• Review (these are case sensitive)

– Use –D to list interfaces by id numbers
– Use –i to specify interface to listen on
– Use –v to list a little extra than the default
– Use –vv to get even more
– Use –vvv to just get flat nosey!

26
 More useful Options
• Use –n to not convert addresses or ports to
names (handy for spoofs, port redirection…etc
• Use –N to not list FQDN just hostname
• -r reads packets from files
• -w writes packets to file
• -S print absolute, rather than relative, seq
numbers
• -t suppress timestamps
• -tt print unformatted timestamp on each line
• -X when printing in hex, print ascii also
• -B default buffer size is 1 MB…-B is used to
change buffer size.
• -e shows link level header
– There are other’s listed in the “WinDump Manual.doc” on your
27
CD
 Quality vs Quantity
• Up till now, we’ve looked at switches
which let us chose how to see the packets
captured.
• By default, windump shows us everything
captured
• We can alter this by using expressions
• Only packets for which the expression is
‘true’ will be dumped

28
 Expressions
• Expressions are made up of primitives
• Primitives are usually preceded by one or
more qualifiers
• We will examine some of the primitives
and all of the qualifiers in the next few
slides.
– For complete list, again, see the “windump
manual.doc” on your cd.

29
 Qualifiers
(modify primitives) (There are 3) (precede primitives)
• Type
– Host (default) host x
– Net net 128.3
– Port port 53
• Dir
– Src src hostname or ip
– Dst dst hostname or ip
– src or dst (default)
– src and dst
• Note: on point to point protocols, inbound or outbound may be used
• Proto
– Default is to show all proto ip
– Ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp, udp

30
 Primitives
• Primitives can be conjoined by using AND,
OR, and NOT.
• Most follow a pattern but there are some
exceptions (gateway, less, greater,
broadcast)
• I apologize in advance for some of the
busy slides upcoming.
• Prepare to be …um…’dumped’ on
– Pun intended ;}

31
 Primitive -Host
• (excerpt from WinDump Manual)
– dst host host
• True if the IPv4/v6 destination field of the packet is host,
which may be either an address or a name.
– src host host
• True if the IPv4/v6 source field of the packet is host.
– host host
• True if either the IPv4/v6 source or destination of the packet
is host. Any of the above host expressions can be prepended
with the keywords, ip, arp, rarp, or ip6 as in:
– ip host host which is equivalent to:
• ether proto \ip and host host If host is a name with multiple
IP addresses, each address will be checked for a match.

32
 Primitive - ehost
• (excerpt from WinDump Manual)
– ether dst ehost
• True if the Ethernet destination address is ehost. Ehost may
be either a name from /etc/ethers or a number (see
ethers(3N) for numeric format).
– ether src ehost
• True if the ethernet source address is ehost.
– ether host ehost
• True if either the ethernet source or destination address is
ehost.
– ether host ehost and not host host which can be
used with either names or numbers for host / ehost.)
• This syntax does not work in IPv6-enabled configuration at
this moment.
33
 Primitive - gateway
• (excerpt from WinDump Manual)
– gateway host
• True if the packet used host as a gateway. I.e., the
ethernet source or destination address was host
but neither the IP source nor the IP destination
was host. Host must be a name and must be found
in both /etc/hosts and /etc/ethers. (An equivalent
expression is

34
 Primitive – net (& len)
• (excerpt from WinDump Manual)
• dst net net
– True if the IPv4/v6 destination address of the packet has a
network number of net. Net may be either a name from
/etc/networks or a network number (see networks(4) for details).
• src net net
– True if the IPv4/v6 source address of the packet has a network
number of net.
• net net
– True if either the IPv4/v6 source or destination address of the
packet has a network number of net.
• net net mask mask
– True if the IP address matches net with the specific netmask.
May be qualified with src or dst. Note that this syntax is not valid
for IPv6 net.
• net net/len
– True if the IPv4/v6 address matches net a netmask len bits wide.
May be qualified with src or dst.
35
 Primitive - port
• You guessed it… (excerpt from WinDump Manual)
• dst port port
– True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
destination port value of port. The port can be a number or a
name used in /etc/services (see tcp(4P) and udp(4P)). If a name
is used, both the port number and protocol are checked. If a
number or ambiguous name is used, only the port number is
checked (e.g., dst port 513 will print both tcp/login traffic and
udp/who traffic, and port domain will print both tcp/domain and
udp/domain traffic).
• src port port
– True if the packet has a source port value of port.
• port port
– True if either the source or destination port of the packet is port.
Any of the above port expressions can be prepended with the
keywords, tcp or udp, as in:
• tcp src port port
– which matches only tcp packets whose source port is port.
36
 Primitives – less and greater
• less length
– True if the packet has a length less than or equal to
length. This is equivalent to:
• len <= length.
• greater length
– True if the packet has a length greater than or equal
to length. This is equivalent to:
• len >= length.

• (excerpt from WinDump Manual)

37
 Primitive - Protocol
• ip proto protocol
– True if the packet is an IP packet (see ip(4P)) of protocol type protocol. Protocol can be a
number or one of the names icmp, icmp6, igmp, igrp, pim, ah, esp, udp, or tcp. Note that the
identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\),
which is \\ in the C-shell. Note that this primitive does not chase protocol header chain.
• ip6 proto protocol
– True if the packet is an IPv6 packet of protocol type protocol. Note that this primitive does
not chase protocol header chain.
• ip6 protochain protocol
– True if the packet is IPv6 packet, and contains protocol header with type protocol in its
protocol header chain. For example,
• ip6 protochain 6
– matches any IPv6 packet with TCP protocol header in the protocol header chain. The packet
may contain, for example, authentication header, routing header, or hop-by-hop option
header, between IPv6 header and TCP header. The BPF code emitted by this primitive is
complex and cannot be optimized by BPF optimizer code in tcpdump, so this can be
somewhat slow.
• ip protochain protocol
– Equivalent to ip6 protochain protocol, but this is for IPv4.
• ether proto protocol
– True if the packet is of ether type protocol. Protocol can be a number or one of the names
ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, or iso. Note these identifiers are
also keywords and must be escaped via backslash (\). [In the case of FDDI (e.g., `fddi
protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC)
header, which is usually layered on top of the FDDI header. Tcpdump assumes, when
filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the
LLC header is in so-called SNAP format. The same applies to Token Ring.]
• (excerpt from WinDump Manual)
38
 Primitives – Multicast and
Broadcast
• (excerpt from WinDump Manual)
• ether broadcast
– True if the packet is an ethernet broadcast packet. The ether keyword is
optional.
• ip broadcast
– True if the packet is an IP broadcast packet. It checks for both the all-
zeroes and all-ones broadcast conventions, and looks up the local
subnet mask.
• ether multicast
– True if the packet is an ethernet multicast packet. The ether keyword is
optional.
• ip multicast
– True if the packet is an IP multicast packet.
• ip6 multicast
– True if the packet is an IPv6 multicast packet.

39
 primitives
• Good news…
• That about covers the most notables
• There are many more perhaps useful ones listed
in the Windump Manual.doc on your cd
• Such as…
– (excerpt from WinDump Manual)
– vlan [vlan_id]
• True if the packet is an IEEE 802.1Q VLAN packet. If
[vlan_id] is specified, only true is the packet has the specified
vlan_id. Note that the first vlan keyword encountered in
expression changes the decoding offsets for the remainder
of expression on the assumption that the packet is a VLAN
packet.

• That’s a present for all Cisco FNS students

40
 notes
• Whatever OS you choose will have characters that are
metacharacters (those illegal to use in file names, for
example)
• We mentioned AND, OR, and NOT earlier.
• These can be shortened to
– AND and &&
– NOT not !
– OR or ||
• Since these are possible illegal characters in some OS
shells, they need to be placed inside single quotes or
backslashes to ‘hide’ them from the shell and prevent the
shell from interpreting them.

41
 Examples
What would happen if these
commands were issued?
• Windump –i 1 host sundown
• Windump ‘host helios and (hot || ace)’
• tcpdump 'gateway snup and (port ftp or
ftp-data)'
• tcpdump ip and not net localnet
• Windump –i1 –s0 –x –X –nn –vvv –S

42
 Output Formatting
• Sometimes simply changing output formats will make
things clearer.

Windump, windump –n, windump -e

arp who-has csam tell rtsgarp
arp reply csam is-at CSAM
Vs.
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4
Vs.
RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM
43
 TCP Packets
• Out of class “Need to Read” assignment
• RFC 793
– TRANSMISSION CONTROL PROTOCOL
– DARPA INTERNET PROGRAM
– PROTOCOL SPECIFICATION
– September 1981
• Included on the CD as “RFC on TCP”
• This doc will assist in a more complete
understanding of TCP packet analysis
44
 TCP packet General Format
Windump format:
src > dst: flags data-seqno ack window urgent options

Actual data arrangement by byte:

45
 Here is the opening portion of an
rlogin from host rtsg to host csam.

rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>

csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

(excerpt from WinDump Manual)

We’ll get more serious about analyzing output later
46
• The first line says that tcp port 1023 on rtsg sent a packet to port login on csam. The S indicates
that the SYN flag was set. The packet sequence number was 768512 and it contained no data.
(The notation is `first:last(nbytes)' which means `sequence numbers first up to but not including
last which is nbytes bytes of user data'.) There was no piggy-backed ack, the available receive
window was 4096 bytes and there was a max-segment-size option requesting an mss of 1024
bytes.
• Csam replies with a similar packet except it includes a piggy-backed ack for rtsg's SYN. Rtsg
then acks csam's SYN. The `.' means no flags were set. The packet contained no data so there
is no data sequence number. Note that the ack sequence number is a small integer (1). The
first time tcpdump sees a tcp `conversation', it prints the sequence number from the packet. On
subsequent packets of the conversation, the difference between the current packet's sequence
number and this initial sequence number is printed. This means that sequence numbers after
the first can be interpreted as relative byte positions in the conversation's data stream (with the
first data byte each direction being `1'). `-S' will override this feature, causing the original
sequence numbers to be output.
• On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg -> csam side of
the conversation). The PUSH flag is set in the packet. On the 7th line, csam says it's received
data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the
socket buffer since csam's receive window has gotten 19 bytes smaller. Csam also sends one
byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent,
pushed data to rtsg.
• If the snapshot was small enough that tcpdump didn't capture the full TCP header, it interprets
as much of the header as it can and then reports ``[|tcp]'' to indicate the remainder could not be
interpreted. If the header contains a bogus option (one with a length that's either too small or
beyond the end of the header), tcpdump reports it as ``[bad opt]'' and does not interpret any
further options (since it's impossible to tell where they start). If the header length indicates
options are present but the IP datagram length is not long enough for the options to actually be
there, tcpdump reports it as ``[bad hdr length]''.
• (excerpt from WinDump Manual)

47
 Flag combination captures
• There are 6 basic flags
worth investigating
– Urgent
– Acknowledge
– Push
– Reset
– Synchronization
– Final
• Located in the 13th octet
of the TCP header
– Note that first two bits are
not set for our purposes

48
 Setting Flags

The bits in the 13th octet are shown on the right.

They are numbered 0-7 as any good byte should
be. In this example, the S bit is “on” as indicated
by the 1 in the S position (bit 1). This indicates
this is a SYN packet

We can convert this value to decimal

49
 Flag expressions
• So if the decimal value of a SYN packet is
2 and the flags are in the 13th octet…

• Then we can tell windump that we only

want to see packets that are SYN packets
by using the expression
– tcp[13]==2
– The command would be
• Windump –i1 tcp[13]==2

50
 To capture all SYN packets
• If we want to see any packet with the SYN
bit set, then we need to keep in mind that
there are other options that will not equal 2
but will still have the SYN bit.
– SYN ACK
– SYN RST
– SYN FIN
– Etc

51
 ANDing
Lets look back to our flag positions for
a minute…

Take a SYN-ACK packet with the binary

value of 00010010 and convert that to
decimal. The result is 18
If we use tcp[13]==18 then we will only capture SYN ACK packets
However, we want all packets that have a SYN bit set. So…

We need to take whatever value come in on byte 13 of a packet and

AND it logically with the value of the SYN packet (2).

Remember that only a 1 AND 1 =1 in ANDing. 0+0, 1+0, and 0+1 all
equal 0.
52
 ANDing (2)
• When we AND 18 and 2
– 00010010 = SYN ACK
– 00000010 = SYN
– 00000010 = SYN
• We therefore will see all packets that have the
SYN bit on regardless of the other bit settings!
• The command would be
– Windump –i1 “tcp[13]&2==2”
• The quotes hide the illegal “&” character from the shell

53
 Review
• Set up windump to capture all packets that
have the FIN bit set and then think of ways
to trigger this FIN bit occurrence.

• Set up windump to capture all packets that

contain a FIN bit whether it is the only bit
set or not

54
 Review Answers
• Windump –i1 tcp[13]==1
• Windump –i1 “tcp[13]&1==1”

55
 HEADS UP!!!
• Write the windump command that will result in
the capture of echo reply packets only

• Write the windump command that will result in

the capture of echo reply and echo request
packets only

• Write the command that will capture all ICMP

traffic except for echo reply and echo request

56
 HEADS UP AGAIN!
• Scenario
• You are on a host with IP address
192.168.0.2
• You Issue the following command
– Windump –i1 icmp[0]==0 or icmp[0]==8 and
dst host 192.168.0.1
• On your own host, you open a second
command shell and ping 192.168.0.1

57
 Answers – Heads UP
• Windump –i1 icmp[0]==0
• Windump –i1 icmp[0]==0 or icmp[0]==8
• Windump –i1 “icmp[0]!=0 and icmp[0]!=8”

58
 Answers - Heads Up Again
• The only packets captured would be echo
requests
– Echo reply was not dst host 192.168.0.1

59
 One Last Thinker
• Pick a partner
– Or make things interesting and work in threes
• Config windump to capture only traffic
between your machine and your partner(s)
machine
• Answer? YMMV

60
 To see traffic on a port…
(review)
• Use the src or dst port expressions
• Windump –i1 tcp port http

61
 Pst…wanna see something cool?
• Windump –i1 –X –x –vvv –s 0

• -s tells windump how much of the packet

we want to see. We are now looking at
the entire packet, not just header info.
Zero after –s indicates capture all info.

• Enough data…
• Now back to the IP portion…
62
What is the output format?

63
 Quick, Name that Hex
• 0–0 The contents of the header can be displayed in hex as
• 1–1 seen before. But how is that helpful?
• 2–2
• 3–3
• 4–4 First a basic refresher on binary to hex conversion…
• 5–5
• 6–6 Take a series of hex output like c0a8 0505
• 7–7 One hex “digit” represents 4 binary bits (as 24=16)
• 8–8
• 9–9 Since we know C=12 and 0=0 in decimal, we can covert
• A – 10 decimal to binary and combine the two digits that each
• B – 11 represent 4 bits…into one byte
• C – 12
• D – 13
• 12 = 1100 in binary
E - 14
• F - 15 0 = 0000 in binary
Combine these and get 11000000 = 192
So what are the rest of the digits indicating?
64
 So, Let’s decode a packet

How much does this ip header tell

us?

65
First, we need to know how an IP
header is formatted…

66
then just map data to
corresponding fields

67
 WARNING!
• OSI ALERT!
• Please look away

68
 I just gotta do it…
• You know Application, and Presentation and Session
and Cupid, and Donner, and Blitzen….
• But do you recall, that they map to the 4 layer TCP/IP
model?
– Application
– Transport
– Network
– Link
• And that each one adds to the next
• App header
• App header + transport header
• App header + transport header + network header…
• We’ve seen this before, but here’s how it relates here…

69
 Its over and safe to look

Note: -e switch shows the mac address in the standard output

SO…TCP really is a suite and there really is a TCP (or UDP) and an
IP section and an App section and a link section in there!
70
 Traffic Analysis

Establishing Expected Patterns

71
 Address Resolution Protocol
• Perspective point

• TCP/IP makes WANS and inter-LAN traffic

go round

• But MAC addresses rule the world.

72
ARP Review

73
 Name Resolution Types and
databases
• Name Resolution
– Computer or Host name (netbios name)
– IP Address
– Media Access Control Address

• The database has to have a unique identifier

• Means ARP is important

• Corrupt MAC resolution and you will throw most
admins for a loop. (not expected)

74
 How does MAC get corrupted?
• dsniff is a collection of tools for network auditing and
penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf,
urlsnarf, and webspy passively monitor a network for
interesting data (passwords, e-mail, files, etc.). arpspoof,
dnsspoof, and macof facilitate the interception of network
traffic normally unavailable to an attacker (e.g, due to layer-
2 switching). sshmitm and webmitm implement active
monkey-in-the-middle attacks against redirected SSH and
HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
• I wrote these tools with honest intentions - to audit my own
network, and to demonstrate the insecurity of most network
application protocols. Please do not abuse this software.
– Doug Song - http://www.monkey.org/~dugsong/dsniff/

75
 How it works…
sorry…Windows users usually need not apply
• Many people think that once they use a switch
for connecting their local network they're safe
from network sniffing. Basically this is right
because the traditional way of sniffing where a
host can read all network packets just by
accepting them (the so called "promiscous
mode") is not possible.

• This and next few slides are quotes from following web site…
http://su2.info/doc/arpspoof.php

76
• However there are other means to achieve
the same and because maybe some
SysAdmins think they're safe from sniffing
thus designing their network a bit more
open it's even more dangerous.

The tool used here is called arpspoof and

is distributed in the dsniff package.

77
• What we do is the following: We constantly send the
victim computer ARP answers telling him that the MAC
address belonging to the IP of the gateway machine
(router) is our MAC address. After some time the victim
computer will believe us and makes a wrong entry in his
ARP cache. Next time the victim wants to send an IP
packet to the gateway he sends the ethernet frame to
our MAC address so actually we get the IP packet. We
do the same thing with the gateway machine just the
other way round.
RFC 1027 describes the ARP protocol.

78
In order to tell the victim host that now we (our MAC
address) are the one belonging to the IP of the gateway
enter the following command:
# arpspoof -t victim gateway
In a seperate shell we start the matching command to
fool gateway to belive we are victim.
# arpspoof -t gateway victim
Don't forget to enable IP forwarding on your host so that
the traffic goes through your host. Otherwise victim will
loose connectivity. ( or not)
# echo 1 > /proc/sys/net/ipv4/ip_forward
Now watch all the traffic between the victim host and the
outside network going through your machine
# tcpdump host victim and not arp
Frightening easy...

79
• SysAdmins beware of that threat! If you have users on
your network you can't trust (e.g. in universities) use
tools like arpwatch to monitor the changes of the MAC /
IP address tables.
• End quote

• For exact details and further study on this see SANS

Reading Room paper, “finding dsniff on your
network.pdf” located on the CD
• RFC 1027 is also included as “RFC on ARP”
• We will see this again later

80
 But for now…back to packets…..
So, recognizing ‘normal’ ARP traffic
is desirable

This traffic should more or less be 1 for one.

High occurrences of arp reply could be indicative of
a problem.

Note: we mentioned dsniff but should also mention another arp baddie…
fragrouter…but that’s another story
Good site for info on these and other such gadgets is monkey.org
81
 ICMP
• Works at network layer
• Is included in an IP header as protocol 1
• Reports on non-transient problems
– Problems on the end-points
• Can be used for simple info exchanges
– Such as Ping

82
 Never send ICMP when…
• There is another ICMP error
– Crafted packet transmitted that includes non-
existent UDP source and destination
addresses
– Fake senders gateway reports destination
port unreachable and returns to sender…….
– Receiving gateway sends back a destination
port unreachable and returns to fake sender
Mike you got stuck here…..do better

83
 Never…
• A destination broadcast
• A source broadcast or loopback address
• Any fragment received other than the first

84
ICMP Message

85
Another ICMP message w/ Error

Note the underlined part…

Intrest is from hacker perspective not yours (you knew who you pinged)
86
Error Messages contain Embedded
information

This is how the responding host tells the sending host to which protocol and
application this error message needs to be delivered to
87
 TCP
• IP header id is 6
• Reliable
• Sequence numbered packets
• 90% of traffic is TCP
• Supports unicast traffic only
• See “RFC on TCP” on your cd for
complete details

88
 TCP packet

Notes
SYN set
Contains no payload (start seq = end seq)
Id = 6
Windows size = 8192 (101 telling 100 not to send more than that w/o rec. ACK
20 byte IP header and 20 byte TCP header (28 in this case since includes options
89
 Telltale TCP pattern
• 3 way handshake • 4 way tear down

• A SYN B • A FIN ACK B

• A SYN ACK B • A ACK B
• A ACK B • A FIN ACK B
• A ACK B

• Actually 3 but takes 4

90
 Possible Flags
• SYN – Establish connections
• ACK – Acknowledge receipt of data
• PUSH – send data
• RESET – Abort TCP connection
• FIN – Graceful termination of session
• URG – Urgent data to be sent
• ECN – Explicit Congestion Notification
– reduces traffic sent in effort to reduce congestion on a
network see rfc 3168 on cd for more details

91
Sample 3 way handshake showing
flags

92
 Ports
• Ports 1-1023 are “Well Known Ports”
– These do not change
• Ports above 1023 are “Ephemeral” Ports
– Change per connection

• Sender uses an unused ephemeral port to

sent data to the well known port of the
receiver
• Entire session uses these ports
93
Sample 3 way handshake showing
Ports

94
 TCP Sequence numbers
• Data gets streamed to other machine in
segments
• Each segment is identified by a sequence
number that shows order
• Sequence is a 32 bit number
– 4,294,967,296 possibilities
• Used to reorder segments into data
stream on other end.

95
 TCP Acknowledgements
• 32 bit number
• Acknowledges last piece of data received
that fits in order
• ACK number is last sequence number
received plus 1
• That represents the next sequence
number expected from sender

96
Sample 3 way handshake showing
Seq and Ack numbers

Note switch from absolute to truncated output. To maintain absolute

numbers use the –S switch
Remember SYN only used once per connection

97
 What if…
• Packet gets lost or delayed in route
– We’ll see duplicate ack numbers from receiver

• No Ack from receiver

– The retransmission timeout value will be
reached triggering a retransmission of the
packet…assumes receiver did not receive

98
 Lost or delayed packet

Note: What would next ack number be

99
 Retransmission timer

Number of retries depends on OS

10 0
 UDP
• Support for unicast, multicast, and broadcast
addresses
• Low overhead, lightweight
• Not reliable…”send n pray”
• No message ordering
• No flow control
• Identified as IP header protocol number 17
• (um…that’s 11 in hex…don’t let that fool you!)
• See RFC on UDP on CD

10 1
 UDP Packet

Note Windump understands some protocols like DNS use UDP packets. If it
sees DNS it will say DNS instead of UDP even though its still UDP 10 2
 Fragmentation
• Occurs when MTU is smaller than
datagram size
• Can be used to bypass routers, IDS or
FWs
• Fragments are reassembled by receiver
• Each fragment is encapsulated by IP
header

10 3
 Fragmentation Rules
• All Fragments must follow these rules
– Must share common fragmentation number
– Must tell the offset from the original start
position in the datagram
– Must tell length of payload
– Must tell if more fragments follow this one

10 4
 Packaging of a Fragment
• If MTU = 1500 and we have a 4000 byte
packet…it will be fragmented
• The fragments will have the standard 20byte IP
header followed by 1480 bytes of data until the
last byte is sent.
• In the event of subheaders, which are almost
always present…say ICMP with an 8 byte
header… the first byte data payload may be
smaller.
• The subheader is only included in the first
packet
– 20+8+1472
– 20+1480
– 20+1048
• 1472+1480+1048 = 4000 bytes
10 5
We would expect the previous to
look like this in WinDump

10 6
 What if….
• A packet arrives that is fragmented
• The first packet carries the ICMP subheader and this is
seen by the packet filter set to block ICMP, this fragment
is dropped
• The second packet arrives w/o the subheader, if the
packet filter device maintains state, then the packet is
matched with the first frag and dropped
• If not the packet is allowed to pass
• Receiver wonders what its supposed to do with this
partial traffic and sends a complaint (ICMP) to the
sender asking what in the world?
• The sender now knows the receiver behind the firewall
exists and is listening….MuHAha
• Watch Out Check Point FW-1 lovers, stateful is not the
default and older versions are not even capable!
– GET NG NOW!
10 7
 New Flag - DF
• Its possible to set a DF flag which means
Don’t fragment.
• Any router with a MTU smaller than the
packet will fragment the packet to fit its
MTU and forward. Unless DF is set
• If DF is set and packet exceeds MTU then
the router will drop the packet and send an
ICMP error to the sender that the packet
was too big and it can’t fragment

10 8
Nasty Frags

10 9
 POD
• Ping O’ Death
• Packet size exceeds 65565 bytes in length
• Wigs out some older TCP/IP stacks
especially Windows
• Uses a ping packet with the –l switch set
to exceed 65565
• Looks like this

11 0
65120 + 1480 = 66600! 11 1
 Tear Drop Attack

This windump shows a teardrop attack pattern.

Note that first fragment is 36 bytes long….that’s
0-35

The second fragment says it starts in the

sequence at byte 24 and is 4 bytes long

Do you see the problem?

Makes some older TCP/IP stacks wig out 11 2
 HEADS UP
• What’s wrong here?

11 3
 Heads Up solution
• There is a gap
• Could it be a missing fragment?
– Yes, but probably not
• RFC says frags should be divisible by 8

11 4
 Quiz

ttft 11 5
 More Quiz

ffttf
11 6
 More Quiz

ttff
11 7
 ICMP

Lightweight protocol
Or
Massive attack dog?

11 8
 ICMP Attack or Scan Techniques
• ICMP
– Has no port numbers
– No notion of client server
– No reliability
– Sometimes doesn’t expect a response
– Can be broadcast
• These traits and its low profile make it a
valuable tool for would be intruders

11 9
 ICMP Source Quench
• ICMP can send a message stating that you are
talking to fast and to please slow down.
(receiver can’t process or buffer your input fast
enough to prevent data loss)
• We can trick a machine
• Send an ICMP source quench message with
source of loopback address and dest as IP
address of the same host
– May be reversed and may use 2 ip addresses if in a
dual nic system
• Interpreted as “hey, I’m talking to myself to fast”
• Effect = DOS
12 0
 ICMP and Routers
• Routers try to be polite
• If a packet destined for a host arrives at a router and the
router has an ACL that prevents that packet…some
routers will respond with an ICMP admin prohibited
message
• However, if a packet destined for a host arrives at a
router and the router determines the host does not exist,
it will return a ICMP host unreachable.
• Some routers (such as Cisco pre 12.2) will check for a
hosts existence before applying access-lists.
• In such cases, what info can be obtained…could this
network be mapped?

12 1
 ICMP Power Ping
• ICMP can send an echo request to a
remote network.
• Every listening host will respond unless
prevented.
• Can you spell mapping?

12 2
 HEADS UP
What’s going one here

Noisy scan, lights up IDSs, but extremely effective against soft networks 12 3
 What about here

Power Ping scan – why 0 and 255?

255 = broadcast in most TCP/IP stacks except Unix BSD based stacks
PS Windows scores a point here, they fixed windows to ignore this long back 12 4
 Smart Mapper

Note that the gaps span 64 IP addresses and this is the gap that would be used
if this network was subnetted into 4 networks…note also that these specific
addresses would be the broadcast and network addresses for those subnets.
12 5
Somebody’s thinking.
 Lets take it easy
• ICMP type 17 & 18
• Check out your sheets and see what they
are?
• Was the previous mapping technique all
that savoy after all?

• Results are like this…

12 6
 Address Mask Request

Should this be blocked?

12 7
 Timestamp Request/Reply
• For when two machines need clocks
sync’d up
• Also used to set time in replay attacks.
• Also used in DOS attacks called time-outs

12 8
 Host Unreachable
• Sender sends traffic to a host that is not
answering
– May be off
– Down
– Whatever
• Router gets the traffic and returns a Host
unreachable message on behalf of the
missing host
• Can you spell mapping

12 9
 Port unreachable
• Same as host only port specific

13 0
 Admin Prohibited
• Note about this
• If your firewall is dropping packets and sending
out this message and logging it.
• Keep in mind that embedded in the hex is at
least 8 bytes from the protocol that triggered the
ACL to drop it
• Just be careful before you strike back, it may be
spoofed address and you may be attacking a
innocent website…and you will be taught a
lesson if you attack a government computer…
spoofed or not (hackers favorite tricks)

13 1
 TTL
• Time to Live
• When = zero packet gets whomped
• Neat note on TTL is that most OS flavors start
with a different TTL. If you get a packet from an
attacker or send a packet to the attacker…
aspects of the packet can be checked to
“fingerprint” your OS.
• This is an important step in figuring out which
exploits will work against you….MuHaha

13 2
So where’s ICMP’s byte? (uh bite)

How about Recon

13 3
 But Once your recon’d

Identify this attack….hint they are small and blue 13 4

 Win Freeze

Poor victim is so busy applying all these optimal route changes it has no time for
Itself…..DOS!
13 5
 Tribe Flood Network TFN
• Uses a trojan installed on a vulnerable
machine to give commands to the
machine to have it attack specific victims.
• Can include UDP floods, TCP SYN scans,
ICMP echo request floods, or Smurf
attacks
• Typical result is a DOS situation

13 6
TFN set up

13 7
 Loki
• Loki is a Client/Server app that work through a
trojan implanted on your computer.
• Until Loki, admins assumed ICMP to be
harmless noise that was annoying but not
capable of much other than DOS
• Loki changes this, it used port application
mapping to essentially run a telnet type interface
through the ICMP port with admin rights!
• When the attacker said cat etc/passwd or
copied the SAM database off your machine…
your computer said okay and handed it over.

13 8
 Loki – Norse god of mischief
• Characteristic of a Loki attack is a echo request
(containing the telnet type commands)
• Followed by echo reply, reply, reply,etc

• ICMP should be between 38-60 bytes and not

larger.
• Echo requests should equal echo replies
• There should never be a request, reply, reply,
reply

13 9
 Loki

This is an attack via covert channel

14 0
 Stimulus Response

Knowing how it should respond

gives really valuable insight

14 1
 What is normal
How to we know what we see is
what we should?
• RFCs!

14 2
 Telnet Server
• When connecting to a listening telnet server we
can expect to see the normal 3 way handshake
and then data flow

14 3
Non-listening telnet server

14 4
Non-existent telnet server

14 5
 What we learn
• We try to connect and get
– Syn Ack
• Its alive and talking to us
– Rst Ack
• Its alive but wont talk to us
– Host unreachable
• Its not there move on
– What if telnet is blocked by router and the
router talks?
– What if the router is gagged?
14 6
 telnet blocked by router

Cool thing here is you know its alive…just don’t use telnet to attack it
14 7
What if the router is blocking and is
gagged

Remember the command to do this on Cisco is “no ip unreachables” 14 8

 Note
• Results of telnet typical of most all tcp
connections

14 9
 UDP – Listening DNS server

51007 is the DNS id number used to pair request responses

1/0/0 indicates 1 resource record was returned but no authority or other
records were included.

15 0
Non-listening DNS server

15 1
 There’s always the exceptions

Looks like Ping, smells like ping….but aint ping

Only like this in windows – Unix needs a switch to make it work this way 15 2
And what about this?

Active mode allows 2 way sessions in and out

Passive only allows outbound 15 3
 Cats and Dogs sleeping together

UDP and ICMP working together? What can it be

Default behavior for Unix based traceroute…use the –I switch if you want Windows
Style

15 4
 DNS Normal
• Based on UDP
• Allows payloads up to 512 bytes
• If payload exceeds 512 bytes DNS will use
tcp instead

15 5
DNS possibilites

15 6
 Low numbered ephemeral ports

RFC says ephemeral should be above 1024, but that doesn’t mean its so
ISAKMP 500, NETBIOS name service 137, and NETBIOS datagrams 138 use
identical port numbers on client and server
The BootP protocol uses client port 68 and a server port of 67
These are not crafted though have been mistaken as such by the unaware 15 7
Other Irregulars

15 8
 SYN/FIN scan

Some older IDS don’t look for this combo…make sure you’re up to date 15 9
FIN scan

16 0
 Firewalking

We expect udp packets to port 53 so maybe we don’t notice this abuse.

Unix allows its traceroute default behavior to be altered. Here its redirected to
port 53 and is essentially doing a ping sweep. While this shows only one host,
imagine if the destination addresses included a whole range…we walked right
through the front interface of the firewall to do this… hence the name 16 1
 Jolt2
• Sends echo request stream (default) fragmented with the
same fragment ID but no fragment zero
• Remember that the first fragment (zero) carried the extra
8 byte ICMP subheader showing type and code and the
following fragments only carry the IP header indicating
ICMP but no type or code.
• Unix sees this and assumes your crazy and ignores it.
Windows up to Windows 2000 w/o service packs will
totally wig-out. It will slow to a proverbial crawl and
eventually stop responding to the keyboard while it
becomes consumed with packet reassembly.
• Once the Jolt2 stream is stopped, the Windows machine
will return to normal w/o needing a reboot!

16 2
Jolt 2

16 3
 Syn/Ack scan or spoof result
You are on the 172.16 network

16 4
This is probably spoof since we are not
sending syn packets out. Someone else
has spoofed our hosts and sent a syn
packet and we see the syn ack

16 5
 Suppose you get this…
• Someone spoofs an address that happens
to be yours.
• They ping a host…will they get the
response?

16 6
You will get the response that you
did not request.

16 7
 OS Fingerprinting
• With all the possible exploits and all the possible flavors
and versions of OSs. Matching the right exploit and the
right OS can be hard on a hacker.
• If we can determine the OS to within a few versions, the
number of exploits we need to try against that target are
much better odds of fast success!
• For full details see “Nmap Remote OS Detection” article
on cd.
– From
http://www.insecure.org/nmap/nmap-fingerprinting-article.html
– More on this later
– Also look at the NmapNT doc called fingerprints
• It tells exact responses to its fingerprint scan for each OS…COOL!

16 8
 OS Fingerprinting
• While they can vary so it does not make sense
to list them (see OS fingerprinting article for
possible lists)
• The basic premise is to send a series of bogus
crafted packets to a victim and check out the
results. Usually there are 6 -11 packets in the
series and few OSs will respond in the same
way.
• Thus your OS will be revealed and the exploits
specific to it will be utilized.

16 9
 Playtime

Traffic generation / capture

17 0
 SuperScan
• First Grab Super Scan from the FTP or the Instructor’s
key and do a quick install. (Click the red box to launch
install)

• Sorry to *nix folks for the nice pretty GUI on this one…Its
not available in Commanding form so this will have to
do….but wait…*nix will get last laugh when Nmap comes
to town

17 1
Super Scan Options

17 2
Port List Setup

17 3
 Prepare to launch a scan
• Turn on WinDump w/o any switches
except to specify interface

• NOTE: Rule of thumb says about 12

Windows machines performing scans will
DOS a network. This may not be good
capture so use as little switches as
possible and close any extra programs….
• MuHaha

17 4
Launch a scan and hang on to
something

17 5
Analyze that!

17 6
 But wait…
More scary than Discovery
Channel Shark Week

Intro To
NmapNT
“&”
NmapNTFE
17 7
 Nmap…but first a word from the
uh…switches

• And you think WinDump was crazy

17 8
• Nmap is designed to allow system
administrators and curious individuals to scan
large networks to determine which hosts are up
and what services they are offering.
• NMAP supports a large number of scanning
techniques such as:
– UDP,
– TCP connect()
– TCP SYN (half open)
– ftp proxy (bounce attack)
– Reverse-ident
– ICMP (ping sweep)
– FIN, ACK sweep
– Xmas Tree
– SYN sweep
– IP Protocol
– Null scan.
• See the Scan Types section for more details.
• NAMP also offers a number of advanced
features such as
– remote OS detection via TCP/IP fingerprinting
– stealth scanning
– dynamic delay and retransmission calculations
– parallel scanning
– detection of down hosts via parallel pings
– decoy scanning
– port filtering detection
– direct (non-portmapper) RPC scanning
– fragmentation scanning
– flexible target and port specification.
17 9
 OPTIONS
• Options that make sense
together can generally
be combined. Some
options are specific to
certain scan modes.
NMAP tries to catch and
warn the user about
psychotic or unsupported
option combinations.
• You can run nmap -h
for a quick reference
page listing all the
options.

18 0
 Scan Types
• What follows is explanations
of the many scans NmapNT is
able to perform and why you’d
use each

• The explanations are from the

Nmap User Manual from the
Man Pages.
• Nmap can be freely
downloaded at
• http://www.insecure.org/nmap/

18 1
-sS

18 2
-sT

18 3
-sF -sX -sN

More ->

18 4
-sF -sX -sN

18 5
-sP

18 6
-sU

18 7
-sO

18 8
 And the list goes on
• Shortcut to Nmap
network security scanner man page.doc

18 9
 Okay, more Play Time
• nmap -v target.example.com
– This option scans all reserved TCP ports on the
machine target.example.com . The -v means turn on
verbose mode.

• nmap -sS -O target.example.com/24

– Launches a stealth SYN scan against each machine
that is up out of the 255 machines on class "C" where
target.example.com resides. It also tries to determine
what operating system is running on each host that is
up and running. This requires root privileges because
of the SYN scan and the OS detection.

19 0
• nmap -sX -p 22,53,110,143,4564
198.116.*.1-127
– Sends an Xmas tree scan to the first half of
each of the 255 possible 8 bit subnets in the
198.116 class "B" address space. We are
testing whether the systems run sshd, DNS,
pop3d, imapd, or port 4564. Note that Xmas
scan doesn't work on Microsoft boxes due to
their defi- cient TCP stack. Same goes with
CISCO, IRIX, HP/UX, and BSDI boxes.

19 1
• nmap -v --randomize_hosts -p 80 *.*.2.3-5
– Rather than focus on a specific IP range, it is
sometimes interesting to slice up the entire Internet
and scan a small sample from each slice. This
command finds all web servers on machines with IP
addresses ending in .2.3, .2.4, or .2.5 find more
interesting machines starting at 127. so you might
want to use "127-222" instead of the first asterisks
because that section has a greater density of
interesting machines (IMHO).

19 2
• nmap -O 192.168.0.2
– O This is the option to be used to determine
the operating system of the given target. It
can be used in conjunction with our above
mentioned scan types or by itself. Nmap uses
what is called TCP/IP fingerprinting to try and
accurately determine the OS of the given
target.

19 3
 Now more Fun
NmapNTFE
• Grab and install.

• I think even *.nix fans would agree…

– This is a good place to put a gui up!
– They even wrote one for Nmap!

19 4