Overview

Port scanning & OS/App detection techniques. Evasion and Intrusion ... 'Dont Fragment' flag is set in some responses for Windows and not set in Linux machines. ... – PowerPoint PPT presentation
2
Overview
  • The TCP/IP Stack.
  • The Link Layer (L2).
  • The Network Layer (L3).
  • The Transport Layer (L4).
  • Port scanning OS/App detection techniques.
  • Evasion and Intrusion Techniques.
  • The Tools.

3
The TCP/IP Stack
4
The TCP/IP Stack
  • Each OS vendor has a different implementation of
    the TCP/IP stack.
  • Each layer of an OS's TCP/IP stack exhibits
    different behaviour.
  • Properties of the TCP/IP stack can be used for OS
    and hardware detection, port scanning, and intrusion
    detection evasion.

5
The Link Layer (L2)
  • An L2 frame comprises the MAC addresses of the
    source and destination machines.
  • A MAC address has 6 bytes. Its first 3 bytes are
    the Organizationally Unique Identifier (OUI).
  • OUIs are unique to the manufacturers of network
    cards.
  • In the MAC address 00-08-74-4C-7F-1D, the OUI
    00-08-74 is unique to Dell Computer Corp.

6
Network Layer (L3)
(Figure: IPv4 header layout)
7
Network Layer (L3)
  • The initial TTL values observed for various OSs are
    Windows 128, Linux 64, AIX 255.
  • The IP layer supports fragmentation of TCP segments.
  • The Don't Fragment (DF) flag is set in some responses
    from Windows and not set by Linux machines.
  • The IP Identification field is used in a special
    port scanning technique called the Idle or Zombie scan.

8
TCP (L4)
(Figure: TCP header layout)
9
TCP Layer (L4)
  • TCP uses a 3-way handshake protocol:
  • SYN ->
  • <- SYN/ACK
  • ACK ->
  • Different combinations of the SYN, ACK and FIN flags
    bring out different behaviour in different OSs.

10
TCP Layer (L4)
  • The initial sequence number (ISN) is seen to differ
    between OSs.
  • Checking the window size on returned packets
    helps to identify AIX (0x3F25) and Windows and BSD
    (0x402E) systems.
  • The ACK value in the response to a FIN is used to
    identify some Windows versions.

11
TCP Layer (L4)
  • TCP options are, by definition, optional.
  • Still, every OS sends out a different sequence of
    Window Scale (W), NOP (N), Maximum Segment Size (M),
    Timestamp (T) and End of Options (E).
  • The TCP options echoed vary between OSs, e.g.
    Solaris NNTNWME, Linux MENNTNW.

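Slides 7, 10 and 11 list stack properties (initial TTL, DF flag, window size, echoed option ordering) that can be read off a captured SYN/ACK. The Python below is an added example, not part of the presentation: it parses a raw IPv4+TCP packet and matches those fields against the values the slides quote. Both packets are constructed to mimic the described behaviour, and the Solaris-like window value 0x2238 is an assumption.

```python
import struct

# nmap-style letters for TCP option kinds, as used in the old nmap article.
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}
# Hints quoted on the slides: option ordering (slide 11) and window size (slide 10).
OPTION_SIGNATURES = {"NNTNWME": "Solaris", "MENNTNW": "Linux"}
WINDOW_SIGNATURES = {0x3F25: "AIX", 0x402E: "Windows or BSD"}

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull TTL, DF flag, window size and option letters out of a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)      # IP flags bit 1 = DF
    ttl = pkt[8]
    tcp = pkt[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, letters, i = tcp[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        letters.append(OPTION_LETTERS.get(kind, "?"))
        if kind == 0:                           # End of Option list: stop here
            break
        i += 1 if kind == 1 else opts[i + 1]    # NOP has no length byte
    return {"ttl": ttl, "df": df, "window": window, "options": "".join(letters)}

def guess_initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (slide 7)."""
    return next(v for v in (64, 128, 255) if ttl <= v)

def fingerprint(pkt: bytes) -> dict:
    f = parse_ipv4_tcp(pkt)
    f["initial_ttl"] = guess_initial_ttl(f["ttl"])
    f["guess"] = OPTION_SIGNATURES.get(f["options"]) or WINDOW_SIGNATURES.get(f["window"])
    return f

def build_packet(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Constructed IPv4+TCP SYN/ACK with the given stack properties (sample input only)."""
    options += b"\x00" * (-len(options) % 4)         # pad option list to 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 2, (5 + len(options) // 4) << 4,
                      0x12, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

# Constructed samples: Solaris-like (NNTNWME, TTL near 255, DF clear, assumed window)
# and Windows-like (DF set, TTL near 128, window 0x402E, MSS option only).
SOLARIS_LIKE = build_packet(250, False, 0x2238, b"\x01\x01\x08\x0a" + b"\x00" * 8
                            + b"\x01\x03\x03\x00\x02\x04\x05\xb4\x00")
WINDOWS_LIKE = build_packet(120, True, 0x402E, b"\x02\x04\x05\xb4")
```

Run `fingerprint()` over SYN/ACKs captured from your own hosts to see which of the quoted hints still hold for current stacks.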
12
UDP (L4)
(Figure: UDP header layout)
13
UDP Layer (L4)
  • A UDP packet sent to a non-existent port is answered
    with an ICMP Destination Unreachable packet.
  • The ICMP Destination Unreachable packet carries a
    copy of the UDP packet that resulted in the ICMP
    error.
  • Different OSs mangle this copy of the UDP packet in
    different ways.

14
Idle Scan
(Figure: Host, Zombie and Target; idle scan completes)
15
Exploiting Exchange
(Figure: XEXCH50 -1 2 request; exploit blocked; MS05-043)
16
Evasion Techniques
(Figure: IP Fragmentation of XEXCH50 -1 2; MS05-043)
17
Evasion Techniques
(Figure: Traffic Insertion; resultant string XEXCH50 JUNK -1 2; TTL expired; XEXCH50 -1 2; MS05-043)
18
Preventing Detection
  • For Windows
    - OSfuscate
    - sec_clock
  • For Linux
    - grsec
    - iplog
  • For BSD Unix
    - blackhole
    - Fingerprint Fucker

19
Tools
  • Network Scanners
    - Nmap, Nessus
  • Misc
    - Netcat
  • Simple Tools
    - ping, traceroute
  • Packet Sniffers
    - Wireshark, tcpdump
  • Packet Crafter
    - hping2

20
References
  • http://nmap.org/nmap-fingerprinting-article.txt
  • http://www.zog.net/Docs/nmap.html
  • http://www.grsecurity.net/

21
Murtuja Bharmal(bharmal.murtuja_at_gmail.com)