TCP/IP

TCP/IPIPICMPTCPUDPTCP

OSITCP/IP

TCP/IP

IP

IP44515655350DFMF8

IP0255101ICMP4IP6TCP17UDPIPIP44

IP10.0.0.0 - 10.255.255.255172.16.0.0 - 172.31.255.255192.168.0.0 - 192.168.255.2551.0.0.0127.255.255.255128.0.0.0191.255.255.255192.0.0.0223.255.255.255224.0.0.0239.255.255.255240.0.0.0247.255.255.255

IP0IP

0IP

321IP

127.xx.yy.zz(loopback)

ICMPInternet Control Message ProtocolIPICMPIPICMP

ICMPICMPIPIP1ICMPICMP

ICMP0 Echo Reply3 Destination Unreachable4 Source Quench 5 Redirect 8 Echo 11 Time Exceeded12 Parameter Problem13 Timestamp 14 Timestamp Reply 15 Information Request 16 Information Reply 17 Address Mask Request 18 Address Mask Reply

ICMPICMP31112ICMP45ICMP/0813141718

ICMP Echo0Echo Reply8Echo0ID1

ICMP Time Exceeded1101IPIP+IP8

ICMP Destination Unreachable301 23IPIP+IP8

TCP

TCPIPTCPTCP4206URGURG1ACK10TCPPSHPUSH

TCPRSTSYNSYN1ACK=0SYN=1ACK=1FINMSS(Maximum Segment Size)

UDP

TCP

TCPTCP/IPSYNFINTCPRST RSTRST RSTRST ACKRST SYN SYNSYN|ACK FIN

DNS: 53/tcp,udpFTP: 20,21/tcptelnet: 23/tcpHTTP: 80/tcpNNTP: 119/tcpSMTP: 25/tcpPOP3: 110/tcpIANAport-numbers.txt

footprint

IPTCPUDPSNMP/

DNSXXXX

Web

HTML

()XX()(googleAltaVista)

whoisWhoisInternetIPClient/ServerClientServerUNIXwhoisWindowsWeb

Sam Spade

whoishttp://www.networksolution.comhttp://www.arin.netUnixwhoisfwhoisChris Cappucciohttp://www.ipswitch.comhttp://www.samspade.org comneteduorgwhoishttp://www.ripe.net IPhttp://whois.apnic.net IPhttp://whois.nic.mil

whoishttp://whois.nic.gov www.allwhois.com whois

whoisIP

FROM1998AOL

DNSDNSDNSCPUNslookupnslookupDNSDNSUNIX/LINUXhost

DNS

DNS & nslookupnslookupDNSDNSDNSIPnswwwftpISP

nslookupserver, DNSset type=XXXls, [domain name, or IP address]

DNS & nslookup(zone transfer)53TCPDNS53UDPDNSDNSDNSDNSMXWindows 2000DNSADSRVDNS

PingTraceroutePing: Packet InterNet GroperICMP EchoICMP ReplyTracerouteUDPTTLICMP Time ExceededWindowstracert

PingICMP EchoEcho Reply

PingPingactivepingtimeoutPing of deathping(>65535)

tracerouteUDP(38)TTL1ICMP Time ExceededUDP(33434)ICMP Destination Unreachable

traceroutetracerouteTraceroute

NIDS(Network Intrusion Detection System)NIDSSnortrotoroutortraceroute

TCP/IP

80ModemUNIXwar dialerSATAN: Security Administrator's Tool for Analyzing Networks 19954(HTML)X(Dan FarmerCOPSWeitse VenemaTCP_Wrapper)NmapFyodor

ICMP

ICMP Echo Request (type 8) Echo Reply (type 0) ICMP Echo Request ICMP Echo Reply PingICMP SweepPing SweepICMP Echo Request Broadcast ICMP ICMPUNIX/Linux Non-Echo ICMP ICMP131415161718

ICMP IP IPICMP Parameter Problem ErrorHeader Length IP Options

IP IPICMP Destination Unreachable

PMTU, Fragmentation Needed and Dont Fragment Bit was Set

IPIPIPICMP Host UnreachableICMP Time Exceeded IP

ICMPICMP

(Open Scanning)TCP(Half-Open Scanning)TCP(Stealth Scanning)TCP

TCP connect()Reverse-identTCP SYN()IP ID header aka dump()TCP Fin()TCP XMAS()TCP ftp proxy(bounce attack)IPSYN/FIN()UDP ICMPUDP recvfrom

TCP connect()socketconnect()

Reverse-identIdent(RFC1413)TCPTCPTCP11380identdrootident

TCP SYNSYNRSTSYN|ACKRSTUNIXrootSYN

IP ID header aka dump AntirezBugtraq IPSYNIP

TCP FinFINRSTTCPSYNWindowsRST

TCP XMASTCP UNIX/Linux/BSDTCP/IP Windows

SYNFINTCP

TCP ftp proxyFTP bounce attackPORTftp server"425 Can't build data connection: Connection refused." Ftp(,)ftp server

UDP ICMPUDPUDPACKUDPUDPICMP Port UnreachUDPICMProotICMP Port UnreachSolarisrpcbind(UDP)32770

UDP recvfrom() & write()rootICMP Port UnreachLinuxUDPwrite()ICMPUDPrecvfrom()EAGAIN()ECONNREFUSED()

SYNFINUnixlinux/etc/inetd.confWindowsServicesIIS

(social engineering)telnethttpftpTCP/IPDNSOS

TelnetHttpFtp

ftp

TCP/IPOSCheckos, by ShokQueso, by SavageNmap, by Fyodor

OSOS

FINTCPTCPACKTCP1TCPDF(Don't Fragment bit )IPDF

()ICMPICMPUDPICMPIP+8ICMPICMPTOSTCP(RFC793RFC1323)Query-Reply

()SYN flooding SYN 8

Nmapnmap-os-fingerprints.txt# TEST DESCRIPTION:# Tseq is the TCP sequenceability test# T1 is a SYN packet with a bunch of TCP options to open port# T2 is a NULL packet w/options to open port# T3 is a SYN|FIN|URG|PSH packet w/options to open port# T4 is an ACK to open port w/options# T5 is a SYN to closed port w/options# T6 is an ACK to closed port w/options# T7 is a FIN|PSH|URG to a closed port w/options# PU is a UDP packet to a closed port

Nmap()Fingerprint Linux kernel 2.2.13TSeq(Class=RI%gcd=

Nmap()Fingerprint Windows 2000/XP/METSeq(Class=RI%gcd=

Nmap1.TSeq class---sequence Csequence 64Ksequence64000 800isequence800 TDtime dependantsequence RIrandom incrementalsequence TRture randomsequence val---classCsequence gcd---sequenceclassRITD SI---nmapsequencesequenceclassRITD

Nmap2.TCP(T1-T7): Resp---,'Y''N' DF---'Y''N' W---tcp->th_win ACK--- S : ack == syn S++ : ack == syn + 1 O : Flags---tcp: B Bogus (64, not a real TCP flag) U Urgent A Acknowledgement P Push R Reset S Synchronize F Final SYNtcpbogus2.0.35linux

Nmap2.TCP(T1-T7):Ops---TCP: L End of List N No Op M MSS E MSSMSS W Window Scale T Timestamp 3.UDPpu Resp---,'Y''N' DF---'Y''N' TOS--- IPLEN---IP RIPTL---"IP" RID---"IP_ID"

Nmap3.UDPpuRIPCK---"IP_checksum" 0checksum0 E F UCK---"IP_udp_checksum" 0checksum0 E F ULEN---"IP_udp_len" DAT---IP EUDPE F

Nmap

TCP/IPTTLDFTOSSiphonhttp://siphon.datanerds.net/ osprints.conf

telnet 192.168.102.245192.168.102.155 snort192.168.102.245:23-> 192.168.102.155:2300 TCP TTL:255 TOS:0x0 ID:58955 DF**S***A* Seq:0xD3B709A4 Ack:0xBE09B2B7 Win:0x2798 TCP Options => NOP NOP TS:9688775 9682347 NOP WS:0 MSS:1460osprints.conf 192.168.102.245Solaris 2.6-2.7

OSOS

IDS

nmapBy FyodornmapCThe Art of Port ScanningRemote OS detection via TCP/IP Stack FingerPrinting

Nmap

Nmap()

X-scan

SATANSAINTSSSStrobeX-Scan

ISS ()PingerPortscanSuperscan

(enumeration)

(banner)

Windows NT/2000Windows NTCIFS/SMB(Common Internet File System/Server Message Block)NetBIOSWindows 2000NTWindowsNTRK(NT Resource Kit)2000 ServerSupport\Tools

Windows NT/2000Windows NT/2000NetBIOSTCP139TCP139net use \\192.168.102.230\IPC$ "" /USER: "" Windows 2000SMB445

NT/2000 NetBIOSNT/2000nbtstatNetBIOS

NT/2000 NetBIOSnbtscannbtstat

NT/2000 NetBIOS net viewnet view

NT/2000 NetBIOS legionNATLegion

NT/2000 NetBIOS NAT

NT/2000 NetBIOS NTRKnltestrmtsharesrvchecksrvinfo netdomepdumpgetmacnetviewxenumdumpsec

NT/2000 NetBIOS 50%NATenumdumpsecRudnyisid2useruser2sidSID(Security Identifier)SIDWhat is a SID http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14781

NT/2000telnetnc()c:\telnet 192.168.102.155 80

NT/2000nc v 192.168.102.233 80

NT/2000WindowsNT/2000AdministratorHKEY_Local_Machine\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winregregdumpdumpsec

NT/2000TCPUDP1351392000445

NT/2000Hkey_Local_Machine\SYSTEM\CurrentControlSet\Control\LSARestrictAnonymousREG_DWORDNT1200022000||(RestrictAnonymous2)

NT/2000netcat

Unix/LinuxUnix/LinuxTCP/IPNetBIOSUnix/LinuxshowmountNFS(2049)NISfingerfinger79

Unix/LinuxrusersrwhoSMTPvrfyexpn

Unix/LinuxNT/2000telnetncrpcinfoportmapper111

Unix/Linux79

139

administrator1234

nc

nc

LibpcapWinPcap

(sniffer)

/(CSMA/CD, carrier sense multiple access with collision detection)CSMA/CD

MAC(48)ARPMACIPipconfig/ifconfigMACMAC()

sniffer

HUB

MAC-

UNIXAPIPacket socketBPF

WindowsWinPcap

Packet socket(promiscuous)ioctl()packet socketpacket_socket = socket(PF_PACKET, int socket_type, int protocol); socket(PF_INET, SOCK_PACKET, protocol)UNIXLinuxsocket(open)ioctl()setsockopt()

BPF(Berkeley Packet Filter)BSDBPFNetwork TapKernel BufferUser bufferLibpcap()BPFLibpcapLibpcapBPFOS(BSD)

BPFlibpcap

libpcapAPIC1.10BPFProgramming with pcap http://www.tcpdump.org/pcap.htm

libpcap char *pcap_lookupdev(char *errbuf); pcap_t *pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf); packet capture descriptorsnaplenpcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname); savefiledumppcap_t *pcap_open_offline(char *fname, char *ebuf); savefile

Libpcap: filterint pcap_lookupnet(char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)

int pcap_compile(pcap_t *p, struct bpf_program *fp,char *str, int optimize, bpf_u_int32 netmask) str

int pcap_setfilter(pcap_t *p, struct bpf_program *fp)

Libpcap: int pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user) int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user) cntpcap_handlerpcap_loopreadvoid pcap_dump(u_char *user, struct pcap_pkthdr *h, u_char *sp) pcap_dump_open()

WindowsWindowssnifferWinPcaplibpcapWindows

WinPcapWinPcapNPF(Netgroup Packet Filter)packet.dllwin32WindowsPacket.dllPacket.dllWindows Wpcap.dllpacket.dllWpcap.dllpacket.dllWpcap.dll

WinPcapNPF

WindowsNDIS(Network Driver Interface Specification)NPF

WinPcaplibpcapUNIXlibpcapNPFhttp://winpcap.polito.it/

ARPGW1 BIP2 BarpA,GWIP3 AB4 BGWdsniffarpredirectAB

LibnetLibnetLibnet50C API()(IP)

Libnetlibnet_init_packet();libnet_open_raw_sock();libnet_build_ip();libnet_build_tcp();libnet_do_checksum();libnet_write_ip();libnet_close_raw_sock();libnet_destroy_packet();

SnifferSSHARPARP

DNSDNSLinuxMACLinux IPIPIPICMP ECHO()()Windows 9x/NTMAC0xff

()L0phtAntiSniff

WindowssnifferButtsnifferWindows NTNetMonNetXRayWinPcapWinDump(tcpdumpWindows)Analyzer

Windump

SnifferPro

UNIX/Linuxsnifferdsnifflinux_snifferSnorttcpdumpsniffit

tcpdump

Computer NetworksHackers Beware 2002Hacking ExposedRemote OS detection via TCP/IP Stack FingerPrintinghttp://www.insecure.org/nmap/nmap-fingerprinting-article.htmlThe Art of Port Scanning, http://www.insecure.org/nmap/nmap_doc.htmlWebUNIX/Linux Programmers ManualWinPcap, http://winpcap.polito.it/default.htmLibnet, http://www.packetfactory.net/Projects/Libnet/STAT, http://www.cs.ucsb.edu/~rsg/STATSnort, http://www.snort.org/http://www.tucows.com/