CEIC 2011 Kessler ProtocolAnalysis

3/16/11
1
Cary C. kessler
vermonL lnLerneL Crlmes AgalnsL Chlldren 1ask lorce
Cary kessler AssoclaLes/norwlch unlverslLy
2011, C.C. kessler
1C/l roLocol Analysls
Cary C. kessler
2011, C.C. kessler
Cvervlew
1he 1C/l roLocol SulLe
Lncapsulauon and lnLerpreLauon
1he 8ole of ackeL Snlers
Lcpdump/Wlnuump
LLhereal/WlreShark
ngrep
3/16/11
2
Cary C. kessler
1C/l roLocols, Lncapsulauon,
and lnLerpreLauon
1C/l roLocols, Lncapsulauon,
and lnLerpreLauon
Cary C. kessler
2011, C.C. kessler
1he lnLerneL and 1C/l
1C/l ls
1he communlcauons proLocol sulLe LhaL holds
Lhe lnLerneL LogeLher
non-proprleLary, supporLed by all vendors on
all soware plauorms
"we teject kloqs, pteslJeots, ooJ vouoq. we
belleve lo tooqb cooseosos ooJ toooloq
coJe." (u. Clark, abouL Lhe lL1l)
1be fotote ptotocol fot volce ooJ vlJeo??
GCk, 1998
3/16/11
3
Cary C. kessler
A Layered roLocol
2011, C.C. kessler
-k84
1be "cbess-by-moll" ltotocol
1o: 8ob
lrom: Allce
ALlCA1lCn
"18AnSC81"
"nL1WC8k"
"ACCLSS"
Allce 8ob
-k84
1o: 8ob
lrom: Allce
Move envelopes vla car, Lruck, van, plane, shlp, ....
Cary C. kessler
A Layered roLocol ArchlLecLure
2011, C.C. kessler
!"# %&'() %*)# %#+ ,'&-&.&(
ALICA1ICN
1kANSCk1
NL1WCkk
ACCLSS
C||ent Server
IIS]Apache
Move packets us|ng k.2S, frame re|ay, A1M, Lthernet, ...
runn|ng over 11, hber, w|re|ess, ...
n11
message
1C
segment
I I I
packet]datagram
b|ts, bytes, frames
3/16/11
4
Cary C. kessler
2011, C.C. kessler
n11 I1 1e|net I|nger DNS DNS SNM kI
C3]IMA SM1 Gopher 8G kADIUS Arch|e |ng
1|me]N1 Who|s 1ACACS+ SSn traceroute utp tracert
NN1 SSL]1LS (hups, etc.) SCCkS DnC kerberos
Lthernet]802.3 1oken k|ng (802.S) SNA]802.2 k.2S IDDI ISDN
Irame ke|ay SMDS A1M W|re|ess 802.x I|bre Channe| xDSL
Cab|e modem DS0]11]13 SCNL1]SDn DWDM nDLC SLI]CSLI
I Ak
GkL
1C UD ICM CSI
Isec
App||canon
Layer
1ransport
Layer
Internetwork
Layer
Network
Access
rotoco|s
Cary C. kessler
2011, C.C. kessler
Pow 1hls All llLs 1ogeLher
App||canon
Data
Message
nex Dump of a C3 message:
50 41 53 53 20 73 65 63 72 65
74 0D 0A
1C
neader
1C Segment
06 B0 00 6E 23 7D 3B 26 09 A5 90 F7 50 18
21 F6 67 E7 00 00
I
neader
I acket
45 00
00 35 2C 31 40 00 20 06 22 EC 83 6B 02 08 83 6B
02 C8
Lthernet
neader
Lthernet
1ra||er
Lthernet Irame
00 90 27 8E A0 B2 00 AA 00 BB DE E8 08 00
A0 1B C2 3D
3/16/11
3
Cary C. kessler
MAC and l Addresses
192.168.1.10
10:10:10:0S:6b:cf
192.168.1.S0
10:10:10:b8:97:21
192.168.1.S2
10:10:10:34:2f:1a
192.168.1.1
10:10:10:9f:22:ca
1.2.3.6
10:10:10:0S:6b:cf
CA1v access Lo lnLerneL (1.2.3.0/24 subneL)
1.2.3.S
10:10:10:1a:2b:3c
l addresses are soware
addresses, asslgned Lo each
communlcauons porL
MAC addresses are
hardware addresses
2011, C.C. kessler
Cary C. kessler
MAC and l Addresses
192.168.1.1
10:10:10:9f:22:ca
1.2.3.6
10:10:10:0S:6b:cf
1.2.3.S
10:10:10:1a:2b:3c
192.168.1.S0
10:10:10:b8:97:21
2.4.6.10
10:10:10:a1:b2:c3
2.4.6.9
10:10:10:6d:7f:8a
nop 1
nop 2
nop N
SCLNAkIC: Laptop (192.168.1.S0) commun|canng w|th Server (2.4.6.9)
/&0 1 23444 567811 %*'#(#99 :';<# = 3, 0;.>#-?
Source MAC -- 10:10:10:b8:97:21 Source I -- 192.168.1.S0
Dest MAC -- 10:10:10:9f:22:ca Dest I -- 2.4.6.9
/&0 7 23444 5678@A4-"#'B#- :';<# = 3, 0;.>#-?
Source MAC -- 10:10:10:0S:6b:cf Source I* -- 1.2.3.6
Dest MAC -- 10:10:10:1a:2b:3c Dest I -- 2.4.6.9
: (* noLe LhaL nA1 has occurred)
/&0 C 23444 5678@A4-"#'B#- :';<# = 3, 0;.>#-?
Source MAC -- 10:10:10:a1:b2:c3 Source I -- 1.2.3.6
Dest MAC -- 10:10:10:6d:7f:8a Dest I -- 2.4.6.9
IN1LkNL1
2011, C.C. kessler
3/16/11
6
Cary C. kessler
SldenoLe: MAC Addresses
MAC
addresses
are burned
lnLo Lhe
hardware
8uL Lhey
be
changed!!
2011, C.C. kessler
Cary C. kessler
Address 8esoluuon roLocol
A8 maps soware (l) addresses Lo hardware
(MAC) addresses
An l packeL on Lhe local neLwork
ConLalns Lhe l address of Lhe ulumaLe desunauon
ls carrled ln a LAn proLocol (e.g., LLherneL) frame
addressed Lo Lhe rouLer's MAC address
C:\> arp -a
Interface: 192.168.1.100 --- 0x5
Internet Address Physical Address Type
192.168.1.1 55-55-55-6f-0d-87 dynamic
192.168.1.40 55-55-55-b2-db-d8 dynamic
192.168.1.50 55-55-55-70-67-8f dynamic
192.168.1.103 55-55-55-6c-01-de dynamic
C:\>
2011, C.C. kessler
3/16/11
7
Cary C. kessler
A Common Scenarlo
192.168.1.10
10:10:10:0S:6b:cf
192.168.1.101
10:10:10:b8:97:21
192.168.1.102
10:10:10:34:2f:1a
192.168.1.1
10:10:10:9f:22:ca
1.2.3.6
10:10:10:0S:6b:cf
192.168.1.101
10:10:10:ab:cd:12
192.168.1.10S
10:10:10:fe:dc:76
1.2.3.22
10:10:10:S6:78:ab
CA1v access Lo lnLerneL (1.2.3.0/24 subneL)
192.168.1.1
10:10:10:d1:3f:4S
Apt. 1 Apt. 2
192.168.1.103
10:10:10:9a:SS:a0
192.168.1.104
10:10:10:12:da:b0
2011, C.C. kessler
Cary C. kessler
ackeL uecode (LLherneL lrame)
2011, C.C. kessler
Hex Binary
00 0000 0000
90 1001 0000 Destination MAC address
27 0010 0111 (OUI = 0x00-90-27 = Intel)
8E 1000 1110
A0 1010 0000
B2 1011 0010
00 0000 0000
AA 1010 1010 Source MAC address HEADER
00 0000 0000 (OUI = 0x00-AA-00 = Intel)
BB 1011 1011
DE 1101 1110
E8 1110 1000
08 0000 1000 EtherType (IP)
00 0000 0000
A0 1010 0000
1B 0001 1011 Frame Check Sequence TRAILER
C2 1100 0010
3D 0011 1101
lLLL Cul and Company_ld AsslgnmenLs
bup.//stooJotJs.leee.otq/teqootb/ool/
lAnA roLocol numbers
bup.//www.looo.otq/osslqomeots
/etbetoet-oombets
3/16/11
8
Cary C. kessler
2011, C.C. kessler
l ackeL lormaL
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Options (optional)
Higher layer protocol data
8ef: 8lC 791 (S1u 3)
Cary C. kessler
ackeL uecode (l ackeL)
2011, C.C. kessler
Hex Binary
45 0100 .... IP version number (4)
.... 0101 IP header length (5 32-bit words/20 bytes)
00 000. .... Precedence (Routine)
...0 .... Delay (Normal)
.... 0... Throughput (Normal)
.... .0.. Reliability (Normal)
.... ..0. Cost (Normal)
.... ...0 Reserved
00 0000 0000
35 0011 0101 Total packet length (53 bytes)
2C 0010 1100
31 0011 0001 Packet identifier (11313)
40 0... .... Reserved
.1.. .... Don't Fragment flag (don't fragment)
..0. .... More Fragments flag (last fragment)
...0 0000
00 0000 0000 Fragment offset (0)
3/16/11
9
Cary C. kessler
ackeL uecode (l ackeL, con'L.)
2011, C.C. kessler
Hex Binary
20 0010 0000 Time to live (32)
06 0000 0110 Protocol (TCP)
22 0010 0010
EC 1110 1100 Header checksum
83 1000 0011
6B 0110 1011
02 0000 0010
08 0000 1000 Source address (131.107.2.8)
83 1000 0011
6B 0110 1011
02 0000 0010
C8 1100 1000 Destination address (131.107.2.200)
Cary C. kessler
2011, C.C. kessler
orLs
ort No. rotoco| App||canon
7 uu echo
13 1C dayume
19 uu chargen
20 1C p-daLa
21 1C p-conLrol
22 1C ssh
23 1C LelneL
23 1C smLp
37 uu ume
43 1C whols
33 1C/uu dns
67 uu booLps
68 uu booLpc
69 uu uLp
70 1C gopher
79 1C nger
ort No. rotoco| App||canon
80 1C hup
110 1C pop3
111 1C sunrpc
113 1C auLh
119 1C nnLp
123 uu nLp
137 uu neLblos-ns
138 uu neLblos-dgm
139 1C neLblos-ssn
143 1C lmap
161 uu snmp
162 uu snmp-Lrap
179 1C bgp
443 1C hups (hup/ssl)
314 uu syslog
320 uu rlp
3/16/11
10
Cary C. kessler
2011, C.C. kessler
1C SegmenL lormaL
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Source Port Destination Port
Sequence Number
Acknowledgment Number
Offset (reserved) Flags Window
Checksum Urgent Pointer
Options (optional)
8ef: 8lC 793 (S1u 7)
Cary C. kessler
ackeL uecode (1C SegmenL)
2011, C.C. kessler
Hex Binary
06 0000 0110
B0 1011 0000 Source port (1712)
00 0000 0000
6E 0110 1110 Destination port (110/POP3)
23 0010 0011
7D 0111 1101
3B 0011 1011
26 0010 0110 Sequence number (595409702)
09 0000 1001
A5 1010 0101
90 1001 0000
F7 1111 0111 Acknowledgement number (161845495)
50 0101 .... Data offset (5 32-bit words/20 bytes)
.... 0000 Reserved
3/16/11
11
Cary C. kessler
ackeL uecode (1C SegmenL, con'L.)
2011, C.C. kessler
Hex Binary
18 00.. .... Reserved
..0. .... Urgent pointer significant (no)
...1 .... Acknowledgement field significant (yes)
.... 1... Push data (yes)
.... .0.. Reset (no)
.... ..0. Synchronize sequence numbers (no)
.... ...0 Finish flag (no)
21 0010 0001
F6 1111 0110 Window size (8694 bytes)
C7 1100 0111
E7 1110 0111 Checksum
00 0000 0000
00 0000 0000 Urgent pointer (0)
Cary C. kessler
2011, C.C. kessler
normal 1C Connecuon
CLIENT SERVER
src_port: 3306, dest_port: 22
SEQ=800, ACK=0, WIN=500
syn (Data = 0)
SEQ=801, ACK=1509, WIN=500
ack (Data = 0)
SEQ=1508, ACK=801, WIN=500
syn, ack (Data = 0)
CLILN1 auempts to connect to SLkVLk port 22 (SSn). SLkVLk has an SSn daemon
so |t |s ||sten|ng on port 22.
SEQ = sequence # syn = synchronization flag
ACK = acknowledgement # ack = acknowledgement-valid flag
WIN = Window size reset = connection-reset flag
3/16/11
12
Cary C. kessler
2011, C.C. kessler
PosL noL LlsLenlng on 1C orL
CLIENT SERVER
SEQ=800, ACK=0, WIN=500
syn (Data = 0)
SEQ=0, ACK=801, WIN=500
reset, ack (Data = 0)
CLILN1 auempts to connect to SLkVLk port 22 (SSn). SLkVLk does not have an
SSn daemon, so |t |s not ||sten|ng on port 22.
Cary C. kessler
2011, C.C. kessler
PosL uoes noL LxlsL
CLIENT ROUTER
SEQ=800, ACK=0, WIN=500
syn (Data = 0)
ICMP
host SERVER unreachable
CLILN1 auempts to connect to SLkVLk port 22 (SSn). SLkVLk |s, for some
reason, not "on" the network so |ts I address does not ex|st on any network.
3/16/11
13
Cary C. kessler
2011, C.C. kessler
uu uaLagram lormaL
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Source Port Destination Port
Length Checksum
8ef: 8lC 768 (S1u 6)
Cary C. kessler
2011, C.C. kessler
normal uu Communlcauon
CLIENT SERVER
Query, HOST_NAME, SEQ=5103
Response, IP_ADDRESS, SEQ=5103
CLILN1 auempts to connect to SLkVLk port S3 (DNS). SLkVLk runs 8IND so |t
responds to the name query.
3/16/11
14
Cary C. kessler
2011, C.C. kessler
PosL noL LlsLenlng on uu orL
CLIENT SERVER
ICMP
SERVER port DOMAIN unreachable
CLILN1 auempts to connect to SLkVLk port S3 (DNS). SLkVLk does not run 8IND,
so |t |s not ||sten|ng on port S3.
Cary C. kessler
2011, C.C. kessler
PosL uoes noL LxlsL
CLIENT ROUTER
ICMP
host SERVER unreachable
CLILN1 auempts to connect to SLkVLk port S3 (DNS). SLkVLk |s, for some
reason, not "on" the network so |ts I address does not ex|st on any network.
3/16/11
13
Cary C. kessler
ackeL uecode (C3 Message)
2011, C.C. kessler
Hex Binary
50 0101 0000 ASCII "P"
41 0100 0001 ASCII "A"
53 0101 0011 ASCII "S"
53 0101 0011 ASCII "S"
20 0010 0000 ASCII " "
73 0111 0011 ASCII "s"
65 0110 0101 ASCII "e"
63 0110 0011 ASCII "c"
72 0111 0010 ASCII "r"
65 0110 0101 ASCII "e"
74 0111 0100 ASCII "t"
0D 0000 1101 ASCII <CR>
0A 0000 1010 ASCII <LF>
Cary C. kessler
2011, C.C. kessler
lCM Message lormaL
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Type Code Checksum
Message-specific information.........
TYPE (CODES)
0 Echo Reply
3 Destination Unreachable (0=net, 1=host, 2=protocol, 3=port)
4 Source Quench
5 Redirect (0=network redirect, 1=host redirect)
8 Echo Request
11 Time Exceeded (0=TTL exceeded, 1=fragment reassembly time exceeded)
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
17 Address Mask Request
18 Address Mask Reply 8ef: 8lC 792 (S1u 3)
3/16/11
16
Cary C. kessler
ackeL Snlers
ackeL Snlers
Cary C. kessler
Sources of neLwork uaLa
luS and rewall logs
Server logs
neLwork appllcauon logs
ArufacLs and remnanLs of Lramc on compuLer
hard drlve
Llve Lramc uslng a packeL snler
2011, C.C. kessler
3/16/11
17
Cary C. kessler
2011, C.C. kessler
WhaL Are ackeL Snlers?
ackeL snlers are hardware devlces or soware
appllcauons LhaL read neLwork Lramc
asslve (and dlmculL Lo deLecL lf used surrepuuously)
Can capLure all broadcasL Lramc
arucular LhreaL on wlreless or hubbed neLworks
WlLh A8 spoong, can capLure swlLched LAn Lramc
MosL common soware snlers use llbpcap
(Llnux/unlx) or Wlncap (Wlndows)
CLl: Lcpdump, Wlnuump, ngrep
Cul: WlreShark, LLhereal, Analyzer, lrls
Cary C. kessler
Cauuon When uslng a
ackeL Snler
ackeL snlers work besL when Lhey can "see" all
Lramc on Lhe neLwork
Pub
Pu8 - 8roadcasL
8uS - 8roadcasL
8Cu1L8/SWl1CP - AdmlnlsLrauve orL
WLAn - romlscuous WLAn nlC
2011, C.C. kessler
3/16/11
18
Cary C. kessler
2011, C.C. kessler
lnsLallauon
See bup.//www.qotykesslet.oet/JowolooJ/
tcplp/sol[ets.btml
Insta|| ||bpcap]W|ncap hrst!
lnsLallauon lnsLrucuons can be found aL Lhe slLes
referenced above
Cary C. kessler
2011, C.C. kessler
Lcpdump and Wlnuump
Lcpdump ls a llbpcap-based packeL snler
8uns on any Llnux/unlx sysLem wlLh a nlC LhaL
can operaLe ln promlscuous mode
Comes sLandard on many Llnux dlsLrlbuuons
Wlnuump ls a Wlncap-based snler
Wlndows porL of Lcpdump
8oLh are command llne uullues
3/16/11
19
Cary C. kessler
2011, C.C. kessler
1C Pandshake & uaLa Lxchange
1. 14:05:27.083238 altamont.sover.net.1057 > ftp.ex.edu.21:
S 1484414:1484414(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
2. 14:05:27.250587 ftp.ex.edu.21 > altamont.sover.net.1057:
S 3037133697:3037133697(0) ack 1484415 win 9112 <mss 536>
(DF)
. ack 1 win 8576 (DF)
P 1:88(87) ack 1 win 9112 (DF) [tos 0x10]
. ack 88 win 8489 (DF)
Cary C. kessler
2011, C.C. kessler
1lmesLamp: 14:05:27.083238
Source l and orL: altamont.sover.net.1057 (l or hosLname)
uesunauon l and orL: ftp.ex.edu.21 (l or hosLname)
llags: S (S?n)
lnlual Sequence number and 8yLes of uaLa ln ayload: 1484414:1484414(0)
(semng sequence number for byLe counung by cllenL)
Wlndow Slze ln 8yLes: win 8192
1C Cpuons:
Maxlmum SegmenL Slze ln 8yLes: mss 536
no Cpuon 8yLe ads: nop,nop
Selecuve AcknowledgmenL Allowed: sackOK
uon'L lragmenL 8lL resenL: (DF)
S 1484414:1484414(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
Pandshake, arL 1
3/16/11
20
Cary C. kessler
2011, C.C. kessler
Source l and orL: ftp.ex.edu.21
uesunauon l and orL: ftp.client.edu.1057
llags: S (S?n) and ack
ack 1484415 means p.ex.edu expecLs Lhe nexL daLa byLe from
p.cllenL.edu Lo be numbered 1484413
1484415 ls alLamonL.sover.neL's lnlual synchronlzauon number 1484414 + 1
lnlual Sequence number and 8yLes ln uaLa ayload:
3037133697:3037133697(0)
Wlndow Slze ln 8yLes: win 9112
1C Cpuons:
Maxlmum SegmenL Slze ln 8yLes: mss 536
S 3037133697:3037133697(0) ack 1484415 win 9112 <mss 536> (DF)
Pandshake, arL 2
Cary C. kessler
2011, C.C. kessler
. ack 1 win 8576 (DF)
llags: . ack 1
. (doL) means nelLher Lhe S?n, lln, 8S1, nor SP ags are seL
ack means LhaL Lhe ACk ag ls seL
1 ls a relauve sequence number" for easler readlng, so ack 1 ls equlvalenL Lo ack
3037133698
3037133698 ls p.ex.edu's lnlual sequence number 3037133697 + 1
AlLhough noL a slngle byLe of payload daLa has been passed from Lhe alLamonL.sover.neL
Lo p.ex.edu, Lhe cllenL's sequence numbers have lncremenLed from 3037133697 Lo
3037133698
1C Wlndow Slze ln 8yLes: win 8576
Pandshake, arL 3
3/16/11
21
Cary C. kessler
2011, C.C. kessler
ackeL 4: P 1:88(87) ack 1
P ls SP (ush) ag
1:88(87) means LhaL Lhere are 87 byLes of daLa ln Lhe packeL sLarung aL
sequence number 1, byLe 88 wlll be senL nexL
ack 1: p.ex.edu expecLs Lhe nexL byLe from alLamonL.sover.neL Lo be number 1
[tos 0x10] denoLes l 1ype of Servlce ls mlnlmlze delay"
ackeL 3: . ack 88
. (doL) means nelLher Lhe S?n, lln, 8S1, nor SP ags are seL
ack 88 means alLamonL.sover.neL expecLs byLe 88 nexL from p.ex.edu,
acknowledglng recelpL of byLes 1 Lo 87
P 1:88(87) ack 1 win 9112 (DF) [tos 0x10]
. ack 88 win 8489 (DF)
uaLa Lxchange
Cary C. kessler
2011, C.C. kessler
ackets 6 to 12 de|eted for brev|ty...
P 31:37(6) ack 183 win 8394 (DF)
P 183:197(14) ack 37 win 9112 (DF) [tos 0x10]
F 197:197(0) ack 37 win 9112 (DF) [tos 0x10]
. ack 198 win 8380 (DF)
F 37:37(0) ack 198 win 8380 (DF)
. ack 38 win 9112 (DF) [tos 0x10]
1C Connecuon 1ermlnauon
3/16/11
22
Cary C. kessler
2011, C.C. kessler
LasL Lxchange of uaLa
ackeL 13: 31:37(6) ack 183
31:37(6): 6 byLes of daLa ln packeL sLarung aL 31, byLe 37 wlll be senL
nexL
ack 183: alLamonL.sover.neL nexL expecung byLe 183 from p.ex.edu
ackeL 14: 183:197(14) ack 37
183:197 (14): 14 byLes of daLa ln packeL sLarung aL 183, byLe 197 wlll
be nexL
ack 37: p.ex.edu expecLs nexL byLe from alLamonL.sover.neL Lo be
number 37
P 31:37(6) ack 183 win 8394 (DF)
P 183:197(14) ack 37 win 9112 (DF) [tos 0x10]
Cary C. kessler
2011, C.C. kessler
ackeL 13 from p.ex.edu has Lhe lln ag (l) seL, meanlng LhaL Lhere ls no more
daLa Lo send. 1hls packeL conLalns no daLa.
ackeL 16 ls alLamonL's acknowledgemenL, Lhe connecuon ls now half-closed.
ackeL 17 from alLamonL has Lhe lln ag seL Lo shuL down Lhls dlrecuon.
ackeL 18 ls p.ex.edu's acknowledgemenL and Lhe 1C connecuon ls now closed.
F 197:197(0) ack 37 win 9112 (DF) [tos 0x10]
. ack 198 win 8380 (DF)
F 37:37(0) ack 198 win 8380 (DF)
. ack 38 win 9112 (DF) [tos 0x10]
Craceful ShuLdown
3/16/11
23
Cary C. kessler
Lcpdump/Wlnuump 1uLorlal
Lcpdump/Wlnuump 1uLorlal
Cary C. kessler
2011, C.C. kessler
Wlnuump Command Llne
3/16/11
24
Cary C. kessler
2011, C.C. kessler
Some Lcpdump/Wlnuump SwlLches
-D CbLaln llsL of neLwork lnLerfaces
-e ulsplay llnk layer (LLherneL) header
-F lllLer dlsplay/capLure
-h Pelp
-i CeL lnpuL form specled lnLerface
-n Lnable name resoluuon
-r CeL lnpuL from a le
-s Snaplen (lrame dlsplay slze)
-w Send ouLpuL Lo a le
-x Pexadeclmal ouLpuL
Cary C. kessler
2011, C.C. kessler
Pexadeclmal CuLpuL (-x)
gck# tcpdump -x
11:55:52.069484 192.168.143.5 >
192.168.143.101: icmp: echo request
4500 003c 064b 0000 4001 bc12 c0a8 8f05
c0a8 8f65 0800 620a 850a 0000 6162 6364
6566 6768 696a 6b6c 6d6e 6f70 7172 7374
7576 7761 6263
I header
Lmbedded protoco| data: abcdefghijklmnopqrstuvwabc
(Note: 1hese are from the 32 bytes sent by a W|ndows p|ng)
ICM neader rotoco| = 0x01 (ICM)
3/16/11
23
Cary C. kessler
2011, C.C. kessler
snaplen
snaplen denes Lhe number of byLes capLured
uefaulL = 68
8uL why do we see only 34 byLes of daLa?
4500 003c 064b 0000 4001 bc12 c0a8 8f05 (16)
c0a8 8f65 0800 620a 850a 0000 6162 6364 (32)
6566 6768 696a 6b6c 6d6e 6f70 7172 7374 (48)
7576 7761 6263 (54)
Answer: LLherneL header = 148 (noL dlsplayed)
Cary C. kessler
2011, C.C. kessler
Semng snaplen (-s)
LLherneL maxlmum frame slze = 1314 8
gck# tcpdump -x -s 1514
11:55:52.069484 192.168.143.5 >
4500 003c 064b 0000 4001 bc12 c0a8 8f05 (16)
c0a8 8f65 0800 620a 850a 0000 6162 6364 (32)
6566 6768 696a 6b6c 6d6e 6f70 7172 7374 (48)
7576 7761 6263 6465 6667 6869 (60)
I packet
|ength = 0x3c
= 608
Lmbedded protoco| data: abcdefghijklmnopqrstuvwabcdefghi
(Note: 1hese are the ennre 32 bytes sent by a W|ndows p|ng)
3/16/11
26
Cary C. kessler
2011, C.C. kessler
ulsplaylng Lhe lrame Peader (-e)
gck# tcpdump -e
20:55:48.520619 0:10:b5:39:c6:93
0:10:b5:19:25:9a ip 74 192.168.143.5 >
Source MAC Address (68): 0:10:b5:39:c6:93
uesunauon MAC Address (68): 0:10:b5:19:25:9a
roLocol 1ype (28): ip (0x0800)
lrame LengLh: 74B (calculated)
Cary C. kessler
2011, C.C. kessler
Wrlung/8eadlng 8aw uaLa (-r, -w)
gck# tcpdump -w /tmp/dump1101081306
gck# tcpdump -r /tmp/dump1101081306
/tmp/dump1101081306
3/16/11
27
Cary C. kessler
2011, C.C. kessler
lllLerlng uaLa (-l)
Cnly dlsplay 1C Lramc:
gck# tcpdump 'tcp'
gck\windump> windump "tcp"
ulsplay Lramc per Lhe lLer expresslon ln le tcp.fltet:
gck# tcpdump -F /home/gck/tcp.filter
Cary C. kessler
2011, C.C. kessler
Lnabllng name/orL 8esoluuon (-n)
gck# tcpdump
12:09:45.987469 27-5.example.edu.1105 >
doggie.example.edu.ftp: S
2175981658:2175981658(0) win 32120 <mss
1460,sackOK,timestamp 4855695> (DF)
gck# tcpdump -n
12:10:32.404176 192.233.5.27.1106 >
198.112.67.32.21: S 2222946726:2222946726
(0) win 32120 <mss 1460,sackOK,timestamp
4860337> (DF)
3/16/11
28
Cary C. kessler
2011, C.C. kessler
Changlng lnLerfaces (-u, -l)
Lcpdump/Wlnuump wlll defaulL Lo use Lhe
lowesL numbered, currenLly avallable lnLerface
(noL lncludlng Lhe loopback lnLerface)
In Un|x]L|nux:
- Use ifconfig -a or tcpdump -D to get |nterface |nformanon
- Use tcpdump -i int_name to use a parncu|ar |nterface
- L.g.: tcpdump -i ppp0
In W|ndows:
- Use windump -D to get |nterface |nformanon
- Use windump -i int_number to use a parncu|ar |nterface
- L.g.: windump -i 2
Cary C. kessler
2011, C.C. kessler
l Peader LengLh
4500 0054 064b 0000 4001 bc12 c0a8 8f05 (16)
c0a8 8f65 0800 620a 850a 0000 889f 4b39 (32)
510f 0100 0809 0a0b 0c0d 0e0f 1011 1213 (48)
1415 1617 1819 (54)
I neader Length: S I|ve 32-b|t words = S*4 bytes = 20 bytes
3/16/11
29
Cary C. kessler
2011, C.C. kessler
l uaLagram LengLh
4500 0054 064b 0000 4001 bc12 c0a8 8f05 (16)
c0a8 8f65 0800 620a 850a 0000 889f 4b39 (32)
510f 0100 0809 0a0b 0c0d 0e0f 1011 1213 (48)
1415 1617 1819 (54)
I Datagram Length: 0xS4 (S * 16
1
) + (4 * 16
0
)

= 80 + 4 = 84 bytes
Cary C. kessler
2011, C.C. kessler
l Cpuons
20:55:48.520619 192.168.143.5 > 192.168.143.101:
icmp: echo request
4e00 004c 05d9 0000 4001 d970 c0a8 8f05 (16)
c0a8 8f65 4424 0d03 c0a8 8f05 0033 1828 (32)
c0a8 8f65 0000 0000 c0a8 8f65 0000 0000 (48)
c0a8 8f05 0000 0000 0800 21a2 bd02 0100 (64)
0033 1828 0000 0000 0000 0000 (76)
I neader Length: 0xe = 14 14 32-b|t words = 14*4 bytes = S6 bytes
I opnon type: 0x44 = 68 = nmestamp opnon
I opnon |ength: 6D7E = 36 bytes
3/16/11
30
Cary C. kessler
2011, C.C. kessler
lragmenLauon
Maxlmum l daLagram slze = 63,333 (2
16
-1)
Maxlmum fragmenL oseL = 8,191 (2
13
-1)
lragmenL CseL eld measures ln unlLs of 8
(2
3
) byLes
lragmenL ldenucauon eld used Lo
assoclaLe fragmenLs for reassembly
More lragmenLs ag lndlcaLes when
reassembly ls compleLe
Cary C. kessler
2011, C.C. kessler
lragmenLauon Lxample: Lcho
ICM data
20 8 4000 byLes of lCM daLa
4028 bytes |s tota| |ength of pre-fragmented I datagram
1472 byLes of lCM daLa 1480 byLes of lCM daLa 1048 8 lCM
1S00 1S00 1068
1472 + 1480 + 1048 = 4000 byLes of lCM daLa
= 20 byte I header
MI=1 MI=1 MI=0
3/16/11
31
Cary C. kessler
2011, C.C. kessler
lragmenLauon-8elaLed values
---- FRAGMENT ----- ORIGINAL
1 2 3 DATAGRAM
Fragment Ident. 21223 21223 21223
Fragment Offset 0 1480 2960 0
Offset in 8B units (0) (185) (370) (0)
More Fragments flag 1 1 0 0
Packet length 1500 1500 1068 4028
IP Header info 20 20 20 20
ICMP Header info 8 0 0 8
ICMP data 1472 1480 1048 4000
Cary C. kessler
2011, C.C. kessler
Lcpdump and lragmenLauon
altamont.sover.net > foo.ex.edu: icmp: echo request (frag
21223:1480@0+)
altamont.sover.net> foo.ex.edu: (frag 21223:1480@1480+)
altamont.sover.net> foo.ex.edu: (frag 21223:1048@2960)
Iragment
Idennhcanon
Number of bytes
|n fragment
Cset |nto the
or|g|na|
datagram
More Iragments
ag
3/16/11
32
Cary C. kessler
2011, C.C. kessler
Lcpdump and lragmenLauon (hex)
altamont.sover.net > foo.ex.edu: icmp: echo request (frag
21223:1480@0+)
4500 05dc 52e7 2000 4001 a83d c0a8 8f05
c0a8 8f65 0800 f827 2a05 0300 6162 6364
:
altamont.sover.net > foo.ex.edu: (frag 21223:1480@1480+)
4500 05dc 52e7 20b9 4001 13f2 c0a8 8f05
c0a8 8f65 7374 7576 7778 797a 7b7c 7d7e
:
altamont.sover.net > foo.ex.edu: (frag 21223:1048@2960)
4500 042c 52e7 0172 4001 70f1 c0a8 8f05
c0a8 8f65 6768 696a 6b6c 6d6e 6f70 7172
:
Cary C. kessler
2011, C.C. kessler
1C Peader LengLh
15:43:40.705372 altamont.sover.net.63220 >
foo.ex.edu.netbios-ssn: S
776342897:776342897(0) win 3072
4500 0028 e34f 0000 3a06 e534 c0a8 8f05
c0a8 8f65 f6f4 008b 2e46 0d71 0000 0000
5002 0c00 b85f 0000
1C header |ength = S * 4 = 20 bytes
Iound |n h|gh-order n|bb|e of 13
th
byte (byte #12) |n the 1C header
3/16/11
33
Cary C. kessler
2011, C.C. kessler
1C Peader LengLh WlLh Cpuons
15:48:24.620314 verbo.3088 > win98.netbios-ssn: S
1212214992:1212214992(0) win 32120 <mss
1460,sackOK,timestamp 7748460 0,nop,wscale 0> (DF)
4500 003c 11a8 4000 4006 70c8 c0a8 8f05
c0a8 8f65 0c10 008b 4840 eed0 0000 0000
a002 7d78 92b4 0000 0204 05b4 0402 080a
0076 3b6c 0000 0000 0103 0300
1C header |ength = 10 * 4 = 40 bytes
Cpnons:
2 (MSS), |ength = 4 bytes, va|ue = 1460 (0xSb4)
4 (SACk perm|ued), |ength = 2 bytes
8 (nmestamp), |ength = 10 bytes, va|ues = 7748460 (0x00763b6c), 0 (0x00000000)
1 (No Cp.)
3 (W|ndows sca|e), |ength = 3 bytes, va|ue = 0
Cary C. kessler
2011, C.C. kessler
4500 0060 893c 0000 8011 f904 c0a8 8f05
c0a8 8f65 0089 0089 004c 1fd7 0d42 4000
0001 0000 0000 0001 2041 4241 4346 5046
5045 4e46 4445 4346 4345 5046 4846 4445
4646 5046 5041 4341 4200 0020 0001 c00c
0020 0001 0004 93e0 0006 8000 ccf0 8f65
I neader Length (S*4) = 20 bytes
rotoco| Id. = 0x11 = 17 = UD
UD neader |s 8 bytes |n |ength
F&G'.# 0&'- and )#9HB;H&B 0&'- = 0x89 = 137 = netb|os.name
Datagram |ength = 0x4c = 76 bytes
Next 68 bytes are the contents of the UD datagram (kef. kIC 1002)
ulssecung a uu ackeL
3/16/11
34
Cary C. kessler
Analyzlng 1ramc
Analyzlng 1ramc
Cary C. kessler
2011, C.C. kessler
13:58:18.387461 foo.example.net.1565 > holmes.ftp: S 2115515674:2115515674(0)
win 32120 <mss 1460,sackOK,timestamp 126466936 0,nop,wscale 0> (DF)
13:58:18.392988 holmes.ftp > foo.example.net.1565: S 3478333904:3478333904(0)
ack 2115515675 win 10136 <nop,nop,timestamp 126470710 126466936,nop,wscale
0,nop,nop,sackOK,mss 1460> (DF)
14:00:46.999055 foo.example.net.4238 > watson.ftp: S 2262117252:2262117252(0)
win 32120 <mss 1460,sackOK,timestamp 126481796 0,nop,wscale 0> (DF)
14:00:47.029487 watson.ftp > foo.example.net.4238: S 26347543:26347543(0) ack
2262117253 win 8760 <mss 1460,nop,nop,sackOK> (DF)
Susplclous Lcpdump CuLpuL?
CS hngerpr|nnng w|th 1C opnon set (L|nux & W|ndows)
3/16/11
33
Cary C. kessler
2011, C.C. kessler
16:25:00.711083 holmes.39272 > doggie.example.edu.135: udp 0
16:25:00.712703 doggie.example.edu > holmes: icmp: doggie.example.edu udp port 140 unreachable
16:25:00.714060 holmes.39272 > doggie.example.edu.netbios-dgm: udp 0
16:25:00.715275 holmes.39272 > doggie.example.edu.netbios-ns: udp 0
16:25:00.716797 holmes.39272 > doggie.example.edu.netbios-ssn: udp 0
UD port scan
Cary C. kessler
2011, C.C. kessler
20:55:21.594616 holmes.1099 > watson.80: . ack 1 win 512
Cdd set of source port numbers...
3/16/11
36
Cary C. kessler
2011, C.C. kessler
osslble CoverL Communlcauon
Assume explolLed Web server....
Look aL source porL number
SubLracL 1000 from source porL value, converL
remalnder Lo ASCll value
8esulL: cat /etc/passwd
Merely an example, who knows whaL lL ls?
8uL Lhls mlghL ralse some eyebrows...
Cary C. kessler
2011, C.C. kessler
13:21:45.010117 holmes.4033 > watson.220: S 93266:93266(0) win 8192
13:21:45.011128 holmes.4003 > watson.ftp: S 92918:92918(0) win 8192
13:21:45.012014 holmes.4005 > watson.telnet: S 92946:92946(0) win 8192
13:21:45.016763 holmes.4021 > watson.nntp: S 93106:93106(0) win 8192
1C port scan
3/16/11
37
Cary C. kessler
2011, C.C. kessler
13:21:45.012014 foo.example.com.1090 > 198.112.67.27.80: S 92946:92946(0) win 8192
ort 80 s|te scan
Cary C. kessler
2011, C.C. kessler
foo.example.com.45820 > 192.168.209.5.23: S 4195942931:4195942935(4) win 4096
Stanc source port & syn segments w|th data
3/16/11
38
Cary C. kessler
2011, C.C. kessler
10:08:23.472378 state.example.net.1739 > watson.22: S 72549644:72549644(0) win
8192 (DF)
8192 (DF)
8192 (DF)
8192 (DF)
17:14:18.726864 foo.example.net.62555 > watson.80: S 20583734:20583734(0) win
8192 <mss 1380> (DF)
8192 <mss 1380> (DF)
8192 <mss 1380> (DF)
8192 <mss 1380> (DF)
1C connecnon retr|es (W|ndows vs. L|nux)
Cary C. kessler
2011, C.C. kessler
16:03:40.763603 foo.example.com.39344 > watson.80: S
523285584:523285584(0) win 8760 (DF)
523517577:523517577(0) win 8760 (DF)
528418601:528418601(0) win 8760 (DF)
528509044:528509044(0) win 8760 (DF)
Mu|np|e connecnon requests
3/16/11
39
Cary C. kessler
2011, C.C. kessler
[root@altamont gck]# tcpdump 'icmp'
12:03:36.016502 doggie.example.edu > 192.0.2.7: icmp: echo reply (DF)
Lcho kep||es w|thout Lcho kequests
Cary C. kessler
2011, C.C. kessler
[root@altamont gck]# tcpdump 'icmp' -x
4500 0414 0000 4000 4001 cdf9 c670 431e
cc59 9307 0000 9ca3 1a0a 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
736b 696c 6c7a 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000
4500 0414 0000 4000 4001 cdf9 c670 431e
cc59 9307 0000 9ca3 1a0a 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
736b 696c 6c7a 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000
4500 0414 0000 4000 4001 cdf9 c670 431e
cc59 9307 0000 9ca3 1a0a 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
736b 696c 6c7a 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000
0x73-6b-69-6c-6c-7a = "sk|||z" (Stache|draght)
3/16/11
40
Cary C. kessler
2011, C.C. kessler
foo.example.com > watson: icmp: echo request (frag 56980:1480@0+)
foo.example.com > watson: (frag 56980:1480@1480+)
:
:
foo.example.com > watson: (frag 56980:1480@65120)
|ng of Death
Cary C. kessler
2011, C.C. kessler
foo.example.com.137 > watson.137: udp 28 (frag 242:36@0+)
foo.example.com > watson: (frag 242:4@24)
1eardrop auack (fragment over|ap)
3/16/11
41
Cary C. kessler
2011, C.C. kessler
granite:~ $ ssh root:secret@doggie.example.edu
[root@networking gck]# tcpdump
09:31:15.747498 doggie.example.edu.ssh > granite.sover.net.841: P 691789802:691789850(48) ack 3378360866 win 8576 <nop,nop,timestamp
35003172 37891099> (DF) [tos 0x10]
09:31:15.747646 doggie.example.edu.ssh > granite.sover.net.841: P 48:208(160) ack 1 win 8576 <nop,nop,timestamp 35003172 37891099> (DF)
[tos 0x10]
09:31:15.968039 granite.sover.net.841 > doggie.example.edu.ssh: . 1:1(0) ack 208 win 8760 <nop,nop,timestamp 37891100 35003172> (DF) [tos
0x10]
09:31:15.968103 doggie.example.edu.ssh > granite.sover.net.841: P 208:1360(1152) ack 1 win 8576 <nop,nop,timestamp 35003194 37891100>
(DF) [tos 0x10]
(DF) [tos 0x10]
(DF) [tos 0x10]
0x10]
(DF) [tos 0x10]
0x10]
09:31:16.029247 granite.sover.net.841 > doggie.example.edu.ssh: . 1:1(0) ack 1920 win 7048 <nop,nop,timestamp 37891100 35003194> (DF)
[tos 0x10]
(DF) [tos 0x10]
(DF) [tos 0x10]
[tos 0x10]
(DF) [tos 0x10]
[tos 0x10]
(DF) [tos 0x10]
(DF) [tos 0x10]
(DF) [tos 0x10]
GCk's se|f-DoS
Cary C. kessler
Cul ackeL Snlers Cul ackeL Snlers
3/16/11
42
Cary C. kessler
2011, C.C. kessler
WlreShark
- Cul packeL snler for boLh Llnux and Wlndows
(fotmetly tbeteol)
- Pandles 1C/l, neL8lCS, and mooy more proLocol
- lnLerpreLs dlsplayed packeLs
- leaLures lnclude ablllLy Lo lLer capLure and/or
dlsplay, and packeL sLream reassembly
- bup.//www.wltesbotk.otq/
- MosL commonly used open source packeL snler
Cary C. kessler
2011, C.C. kessler
3/16/11
43
Cary C. kessler
2011, C.C. kessler
C||ent Server
n]w (MAC) addresses
S]w (I) addresses
Src: lnLel_aa:bb:cc (00:33:33:aa:bb:cc), usL: LlnksysC_77:88:99 (00:44:44:77:88:99)
Cary C. kessler
2011, C.C. kessler
As seen on prev|ous page!
3/16/11
44
Cary C. kessler
2011, C.C. kessler
C||ent Server
n]w (MAC) addresses
S]w (I) addresses
Src: lnLel_aa:bb:cc (00:33:33:aa:bb:cc), usL: LlnksysC_77:88:99 (00:44:44:77:88:99)
Cary C. kessler
2011, C.C. kessler
3/16/11
43
Cary C. kessler
2011, C.C. kessler
lllLerlng Lhe ulsplay
Cary C. kessler
2011, C.C. kessler
3/16/11
46
Cary C. kessler
2011, C.C. kessler
CLher Cul ackeL Snlers
- ackeLyzer
- lree packeL analysls Lool
- bup.//www.poqlo.com/opeosootce/pocketyzet
- Analyzer
- Cpen source proLocol analysls Lool
- bup.//ooolyzet.pollto.lt/
- lrls
- Commerclal, very powerful snler
- bup.//www.eeye.com/btml/ptoJocts/ltls/
Cary C. kessler
2011, C.C. kessler
3/16/11
47
Cary C. kessler
2011, C.C. kessler
Cary C. kessler
2011, C.C. kessler
3/16/11
48
Cary C. kessler
2011, C.C. kessler
Sample CapLure llles
l1
Secure l1
P11
P11 Cver SSL
SM1
C v3
orL scan
1elneL
SSP
lng (Llnux)
lng (Wlndows)
1racerouLe
1racerL
hlshlng
bup.//www.qotykesslet.oet/JowolooJ/tcplp/coptote_fles.zlp
Cary C. kessler
Summary, Addluonal
lnformauon, and Appendlces
Summary, Addluonal
lnformauon, and Appendlces
3/16/11
49
Cary C. kessler
Concluslons
use of packeL snlers and ablllLy Lo perform
proLocol analysls requlres undersLandlng of
neLworklng and Lhe underlylng proLocols
Lssenual sklll for lnfosec lncldenL responders,
neLwork admlnlsLraLors, and neLwork forenslc
analysLs
Many open source Lools avallable
May also be used by hackers on your neLwork and
are very dlmculL Lo deLecL because Lhey are passlve
2011, C.C. kessler
Cary C. kessler
2011, C.C. kessler
Summary
Lncapsulauon and lnLerpreLauon
1he 8ole of ackeL Snlers
Lcpdump/Wlnuump
LLhereal/WlreShark
ngrep
3/16/11
30
Cary C. kessler
2011, C.C. kessler
lor More lnformauon...
ColJe to 1cl/ll, Chappell & 1luel
1cl/ll lllosttoteJ, vol. 1, SLevens
"An Cvervlew of 1C/l roLocols and Lhe
lnLerneL"
bup.//www.qotykesslet.oet/llbtoty/tcplp.btml
Web 2.0 for packeLs
bup.//www.pcopt.oet/
Cary C. kessler
2011, C.C. kessler
uownloads
roLocol analysls soware
Analyzer bup.//ooolyzet.pollto.lt/
WlreShark bup.//www.wltesbotk.otq/
ngrep bup.//oqtep.sootcefotqe.oet/JowolooJ.btml
ackeLyzer bup.//sootcefotqe.oet/ptojects/pocketyzet/
Wlnuump bup.//www.wlopcop.otq/wloJomp/
Wlncapbup.//www.wlopcop.otq/
bup.//www.qotykesslet.oet/JowolooJ/tcplp/lename
Sample capLure les coptote_fles.zlp
1C/l pockeL gulde tcplp_ptq.pJf
3/16/11
31
Cary C. kessler
2011, C.C. kessler
Speaker ConLacL lnformauon
Cary C. kessler, h.u., CCL, ClSS
CA8? kLSSLL8 ASSCClA1LS
2 SouLhwlnd urlve
8urllngLon, v1 03401
moblle: +1 802-238-8913
e-mall: gck[garykesslet.oet
qkessletbpJvt.otq
qkessle1ootwlcb.eJo
Skype: qoty.c.kesslet
bup.//www.qotykesslet.oet
bup.//www.vuotetoetctlmes.otq
bup.//lofoossotooce.ootwlcb.eJo
Cary C. kessler
Acronyms & Abbrevlauons
2011, C.C. kessler
ACk Acknow|edgement ag (1C)
ANSI Amer|can Nanona| Standards Insntute
Ak Address keso|unon rotoco| (IL1I)
ASCII Amer|can Standard Code for Informanon
Interchange (ANSI)
A1M Asynchronous 1ransfer Mode
8 8yte (an &.-#-, 8 b|ts)
8G 8order Gateway rotoco| (IL1I)
CA1V Commun|ty access (cab|e) te|ev|s|on
CLI Command ||ne un||ty
CSLI Compressed SLI (IL1I)
DI Don't Iragment ag (I)
DnC Dynam|c nost Conhguranon rotoco| (IL1I)
DIG Doma|n Internet Groper
DNS Doma|n Name System (IL1I)
DWDM Dense Wave|ength D|v|s|on Mu|np|ex|ng
IDDI I|ber D|str|buted Data Interface (ANSI)
IIN I|n|sh ag (1C)
I1 I||e 1ransfer rotoco| (IL1I)
GkL Gener|c kounng Lncapsu|anon (IL1I)
GUI Graph|ca| user |nterface
nDLC n|gh-|eve| Data L|nk Contro| (CSI)
n1ML nypertext Markup Language (IL1I)
n11 nypertext 1ransfer rotoco| (IL1I)
hups n11 over SSL
ICM Internet Contro| Message rotoco| (IL1I)
ILLL Insntute of L|ectr|ca| and L|ectron|c Lng|neers
IL1I Internet Lng|neer|ng 1ask Iorce
InL Internet neader Length he|d (I)
IMA Internet Message Access rotoco| (IL1I)
I Internet rotoco| (IL1I)
Isec Secure I (IL1I)
ISDN Integrated Serv|ces D|g|ta| Network
ISN In|na| sequence number (1C)
I1U-1 Internanona| 1e|ecommun|canon Un|on -
1e|ecommun|canon Standard|zanon Sector
LAN Loca| area network
MAC Med|a Access Contro| (ILLL)
MI More Iragments ag (I)
MS M|crosoh
MSS Max|mum segment s|ze (1C)
NA1 Network Address 1rans|anon (IL1I)
Net8ICS Network 8as|c Input]Cutput System (MS)
NIC Network |nterface card
NN1 Network News 1ransfer rotoco| (IL1I)
N1 Network 1|me rotoco| (IL1I)
CSI Cpen Shortest ath I|rst (IL1I)
CUI Crgan|zanona||y Un|que Idennher (ILLL)
C3 ost Cmce rotoco| vers|on 3 (IL1I)
o|nt-to-o|nt rotoco| (IL1I)
3/16/11
32
Cary C. kessler
Acronyms & Abbrevlauons (con'L.)
2011, C.C. kessler
Sn ush ag (1C)
kADIUS kemote Authenncanon D|a| In User Serv|ce
kIC kequest for Comments (IL1I)
kI kounng Informanon rotoco| (IL1I)
kS1 keset ag (1C)
SACk Se|ecnve Acknow|edgement (1C)
SDn Synchronous D|g|ta| n|erarchy (I1U-1)
SLI Ser|a| L|ne Interface rotoco| (IL1I)
SMDS Sw|tched Mu|nmegab|t Data Serv|ce
SM1 S|mp|e Message 1ransfer rotoco| (IL1I)
SNA Subnetwork Access rotoco| (ILLL)
SNM S|mp|e Network Management rotoco| (IL1I)
SCNL1 Synchronous Cpnca| Network (ANSI)
SSn Secure She||
SSL Secure Sockets Layer (Netscape)
S1D Standard ser|es of kICs (IL1I)
SN Synchron|zanon ag (1C)
1ACACS+ 1erm|na| Access Contro||er Access Contro| System p|us
1C 1ransm|ss|on Contro| rotoco| (IL1I)
1I1 1r|v|a| I1 (IL1I)
1LS 1ransacnon Layer Secur|ty (IL1I)
11L 1|me-to-L|ve he|d (I)
UD User Datagram rotoco| (IL1I)
UkG Urgent ag (1C)
xDSL D|g|ta| Subscr|ber L|ne techno|ogy fam||y
Cary C. kessler
Cuesuons? CommenLs? Cuerles?
2011, C.C. kessler
3/16/11
33
Cary C. kessler
ALnulx 1
ackeL lnLerpreLauon Lxerclses
ALnulx 1
Cary C. kessler
2011, C.C. kessler
Lxerclse 1
4500 0054 b02f 0000 4001 122e 91f0 8a05
1830 6532 0800 836a cf1b 0000 ecec c339
0150 0900 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
1. What |s the |ength of the I header?
2. What are the source and desnnanon I addresses?
3. What |s the tota| |ength of the I datagram?
4. What |s the h|gher |ayer protoco|?
S. What type of h|gher |ayer protoco| message do we see?
6. What other re|evant deta||s can you prov|de?
3/16/11
34
Cary C. kessler
2011, C.C. kessler
Lxerclse 1 Answers
4500 0054 b02f 0000 4001 122e 91f0 8a05
1830 6532 0800 836a cf1b 0000 ecec c339
0150 0900 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
1. What |s the |ength of the I header? 20 bytes
2. What are the source and desnnanon I addresses? 14S.240.138.S and
24.48.101.S0
3. What |s the h|gher |ayer protoco|? ICM
4. What type of h|gher |ayer protoco| message do we see? Lcho
S. What |s the tota| |ength of the I datagram? 84 bytes
Cary C. kessler
2011, C.C. kessler
Lxerclse 2
4500 0030 df3c 4000 8006 633f ccf0 8f65
ccf0 8f05 0b64 0015 48f3 05b1 0000 0000
7002 2000 50b6 0000 0204 05b4 0101 0402
1. What |s the |ength of the I header?
2. What are the source and desnnanon I addresses?
3. What |s the tota| |ength of the I datagram?
4. What |s the h|gher |ayer protoco|?
S. What type of h|gher |ayer protoco| message do we see?
6. What other re|evant deta||s can you prov|de?
3/16/11
33
Cary C. kessler
2011, C.C. kessler
Lxerclse 2 Answers
4500 0030 df3c 4000 8006 633f ccf0 8f65
ccf0 8f05 0b64 0015 48f3 05b1 0000 0000
7002 2000 50b6 0000 0204 05b4 0101 0402
1. What |s the |ength of the I header? 20 bytes
2. What are the source and desnnanon I addresses? 204.240.143.101 and 204.240.143.S
3. What |s the h|gher |ayer protoco|? 1C
4. What type of h|gher |ayer protoco| message do we see? I1 (21]tcp)
S. What |s the tota| |ength of the I datagram? 48 bytes
6. If th|s packet |s rea||y torn apart, we m|ght guess that th|s |s the beg|nn|ng of a 3-way
handshake because the ACk he|d = 6 and there appears to be no data, th|s |s conhrmed
when we see that the I|ags he|d has the SN b|t on. 1he |ong header |ength (0x7) a|so
te||s us that there are opnons auached.
Cary C. kessler
ALnulx 2
Lcpdump/Wlndump lllLers
ALnulx 2
3/16/11
36
Cary C. kessler
2011, C.C. kessler
Lcpdump lllLers
Allows you Lo obLaln only lLems of lnLeresL
from Lcpdump ouLpuL
Can apply lLer Lo any eld ln Lhe l daLagram
uses sLandard 8erkeley ackeL lllLer (8l)
formaL
Avallable on almosL all packeL snlers
Cary C. kessler
2011, C.C. kessler
Lcpdump lllLer lormaLs
1wo dlerenL formaLs for a Lcpdump lLer
ptotocol [o[set:leoqtb telouoo voloe
lp[9 = 1 rotoco| = ICM
Lcp[2:2 20 Desnnanon port <20
udp[4:2 != 0 UD |ength ! 0
lcmp[0 = 8 ICM Lcho message
votloble voloe
porL 23 Source or desnnanon port = 23
dsL hosL 1.2.3.4 Desnnanon host = 1.2.3.4
src neL 4 Source host address has NL1_ID = 4
3/16/11
37
Cary C. kessler
2011, C.C. kessler
Locauon Speclcauon
Bit Number
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Options (optional)
src host
|p[1]
Cary C. kessler
2011, C.C. kessler
Lcpdump lllLer Macros
host selecL record lf elLher Lhe source or desunauon hosL maLches Lhls l address
net selecL record lf elLher Lhe source or desunauon subneL maLches
port selecL record lf elLher Lhe source or desunauon porL maLches
src host selecL record lf Lhe source hosL address maLches
dst host selecL record lf Lhe desunauon hosL address maLches
src net selecL record lf Lhe source subneL maLches
dst net selecL record lf Lhe desunauon subneL maLches
src port selecL record lf Lhe source porL maLches
dst port selecL record lf Lhe desunauon porL maLches
|cmp selecL record lf Lhe l roLocol eld (lp[9) has a value of 1
tcp selecL record lf Lhe l roLocol eld has a value of 6
udp selecL record lf Lhe l roLocol eld has a value of 17 (0x11)
3/16/11
38
Cary C. kessler
2011, C.C. kessler
lllLers and 8lL Masklng
SmallesL Lcpdump lLer unlL ls a byLe
8eference blLs wlLhln a byLe by masklng blLs
Lxamples:
l verslon number
l Peader LengLh
1C ags
Cary C. kessler
2011, C.C. kessler
l Peader LengLh
1he I neader Length |s |n the four |ow-order b|ts of the hrst byte of
an I packet. AND|ng the byte w|th 00001111 y|e|ds the InL va|ue and
masks out the rest of the byte.
ip[0]: 0 1 0 0 0 1 0 1 0x45
mask: 0 0 0 0 1 1 1 1 0x0f
--------------- ----
AND 0 0 0 0 0 1 0 1 0x05
1he parna| tcpdump h|ter express|on: ip[0] & 0x0f
L.g., keep packets on|y |f the InL |s greater than 208:
tcpdump 'ip[0] & 0x0f > 5'
3/16/11
39
Cary C. kessler
2011, C.C. kessler
l verslon
1he I Vers|on |s |n the four h|gh-order b|ts of the hrst byte of an I
packet. AND|ng the byte w|th 11110000 y|e|ds the vers|on and masks
out the rest of the byte.
ip[0]: 0 1 0 0 0 1 0 1 0x45
mask: 1 1 1 1 0 0 0 0 0xf0
--------------- ----
AND 0 1 0 0 0 0 0 0 0x40
1he parna| tcpdump h|ter express|on: ip[0] & 0xf0
L.g., keep packets on|y |f the vers|on number |s 6:
tcpdump 'ip[0] & 0xf0 = 0x60'
Cary C. kessler
2011, C.C. kessler
1C llag 8lLs
LocaLed ln Lhe 14Lh byLe of Lhe 1C
header
aka tcp[13]
1ells much abouL Lhe sLaLe of a glven
1C segmenL
Commonly examlned ln lLers
Reserved URG ACK PSH RST SYN FIN
3/16/11
60
Cary C. kessler
2011, C.C. kessler
Masklng Lhe 1C llag 8lLs
Reserved URG ACK PSH RST SYN FIN
2
3
2
2
2
1
2
0
2
3
2
2
2
1
2
0

SYN-bit mask 0 0 0 0 0 0 1 0 0x02
ACK-bit mask 0 0 0 1 0 0 0 0 0x10
Low-order byte mask 0 0 0 0 1 1 1 1 0x0f
1o get a|| packets w|th the SN-b|t set:
tcpdump 'tcp[13] & 0x02 = 2'
1o get a|| packets w|th the ACk-b|t set:
windump "tcp[13] & 0x10 = 16"
1o get a|| packets w|th any of the |ow-order ags set:
tcpdump 'tcp[13] & 0x0f != 0'
Cary C. kessler
2011, C.C. kessler
Checklng lor Muluple 8lLs SeL
Check for elLher Lhe S?n blL, lln blL, or boLh
are seL:
tcp[13] & 0x03 != 0
Check for only boLh belng seL
tcp[13] & 0x03 = 3
3/16/11
61
Cary C. kessler
2011, C.C. kessler
Advanced lllLers
More complex lLers can be creaLed by
comblnlng lndlvldual lLers wlLh 8oolean and,
or, and not operaLors
(tcp and (tcp[13] & 0x0f != 0) and not
port 25 and not port 20) or
(ip and not (tcp or igrp or dst port
520))
Cary C. kessler
ALnulx 3
ngrep
ALnulx 3
3/16/11
62
Cary C. kessler
2011, C.C. kessler
ngrep
Can use expresslons Lo conLrol dlsplay and analysls of
Lcpdump/Wlnuump Lramc
ngrep = oetwotk qet teqolot exptessloo
8eads and dlsplays packeLs ln Lcpdump formaL
Cary C. kessler
2011, C.C. kessler
ngrep
C:\windump> ngrep -I miscellaneous.acp "GET" "port 80"
input: miscellaneous.acp
filter: (ip or ip6) and ( port 80 )
match: GET
####
T 192.168.1.102:1381 -> 216.93.159.180:80 [AP]
GET /syllabus/index.html HTTP/1.1..Host: digitalforensics.champlain.edu..Us
er-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/2
0050711 Firefox/1.0.5..Accept: text/xml,application/xml,application/xhtml+x
ml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5..Accept-Language: e
n-us,en;q=0.5..Accept-Encoding: gzip,deflate..Accept-Charset: ISO-8859-1,ut
f-8;q=0.7,*;q=0.7..Keep-Alive: 300..Connection: keep-alive..Referer: http:/
/digitalforensics.champlain.edu/..Cookie: __utma=267634908.433925735.111841
3029.1124165129.1125604057.4; __utmz=267634908.1124161444.2.2.utmccn=(organ
ic)|utmcsr=google|utmctr=bookstore|utmcmd=organic; WebCTTicket=username%3Dk
esslerg%26password%3DL0GhXVSZfErE2%26expiry%3D1126116666%26hash%3D5526cd346
a6ff221c7dbcf7f43446bb7..If-Modified-Since: Wed, 07 Sep 2005 15:40:56 GMT..
If-None-Match: "103276-24f3-431f0a08"....
###########
T 192.168.1.102:1382 -> 128.9.160.27:80 [AP]
GET / HTTP/1.1..Host: www.rfc-editor.org..User-Agent: Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5..Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q
=0.8,image/png,*/*;q=0.5..Accept-Language: en-us,en;q=0.5..Accept-Encoding:
gzip,deflate..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..Keep-Alive:
300..Connection: keep-alive....
##############
3/16/11
63
Cary C. kessler
2011, C.C. kessler
Some ngrep SwlLches
-i lgnore case ln lLer/regex
-d 8ead from specled Wlncap lnLerface
-F 8ead lLer from specled le
-h Pelp
-I CbLaln lnpuL from le
-L LlsL Wlncap lnLerfaces
-n Look aL only specled number of packeLs
-O Send ouLpuL Lo le
-x ulsplay ln hexadeclmal and ASCll
-X lnLerpreL maLch expresslon as a hexadeclmal sLrlng
Cary C. kessler
2011, C.C. kessler
llndlng SLrlngs WlLh ngrep
ngrep has a varleLy of opuons wlLh whlch Lo nd
sLrlngs wlLhln Lhe packeL sLream
llxed ASCll sLrlng search
ngrep "gck"
8egular expresslon search (see bup.//www.teqolot-exptessloos.lofo/)
ngrep i "GET.*\.htm" "port 80"
Pex sLrlng search
ngrep X "0x90909090"
3/16/11
64
Cary C. kessler
ALnulx 4
8ase Converslon CharL
ALnulx 4
Cary C. kessler
2011, C.C. kessler
Decimal Hexadecimal Binary Decimal Hexadecimal Binary
0 0x00 00 0000 16 0x10 01 0000
1 0x01 00 0001 17 0x11 01 0001
2 0x02 00 0010 18 0x12 01 0010
3 0x03 00 0011 19 0x13 01 0011
4 0x04 00 0100 20 0x14 01 0100
5 0x05 00 0101 21 0x15 01 0101
6 0x06 00 0110 22 0x16 01 0110
7 0x07 00 0111 23 0x17 01 0111
8 0x08 00 1000 24 0x18 01 1000
9 0x09 00 1001 25 0x19 01 1001
10 0x0a 00 1010 26 0x1a 01 1010
11 0x0b 00 1011 27 0x1b 01 1011
12 0x0c 00 1100 28 0x1c 01 1100
13 0x0d 00 1101 29 0x1d 01 1101
14 0x0e 00 1110 30 0x1e 01 1110
15 0x0f 00 1111 31 0x1f 01 1111
32 0x20 10 0000

CEIC 2011 Kessler ProtocolAnalysis

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

CEIC 2011 Kessler ProtocolAnalysis

Загружено:

Авторское право:

Доступные форматы

3/16/11

Вам также может понравиться