These definitions are must-know!
- TCP (Transmission Control Protocol)
- UDP (User Datagram Protocol)
- ARP
- ICMP
- Ping sweep: mass ICMP echo (ping) messages
- SSDP
- DHCP
- DNS
- UPnP
SYN
: Initiates a connection between two hosts to facilitate communication

ACK
: Acknowledges the receipt of a packet

URG
: Indicates that the data contained in the packet is urgent and should be processed immediately

PSH
: Instructs the sending system to send all buffered data immediately

FIN
: Tells the remote system about the end of the communication. In essence, this gracefully closes the connection

RST
: Resets a connection
- Establishing a TCP connection:

| Computer1 | Direction | Computer2 |
|---|---|---|
| SYN | -> | |
| | <- | SYN+ACK |
| ACK | -> | |
| Layer | Name | Example protocols |
|---|---|---|
| 7 | Application layer | HTTP, SNMP |
| 6 | Presentation layer | MIME, ASCII |
| 5 | Session layer | SOCKS, NetBIOS |
| 4 | Transport layer | TCP, UDP |
| 3 | Network layer | IP, ICMP |
| 2 | Data link layer | MAC, ARP |
| 1 | Physical layer | Ethernet, Wi-Fi |

| Layer | Name | Example protocols |
|---|---|---|
| 4 | Application layer | HTTP, SNMP |
| 3 | Transport layer | TCP, UDP |
| 2 | Internet layer | IP, ICMP |
| 1 | Link layer | ARP, MAC |
- Full three-way handshake
- Completed connection
- Logged and detected
- Doesn't need root
- Nmap: -sT (TCP connect scan)

Open port:

| Attacker | Direction | Target |
|---|---|---|
| SYN | -> | |
| | <- | SYN+ACK |
| ACK | -> | |
| RST | -> | |

Closed port:

| Attacker | Direction | Target |
|---|---|---|
| SYN | -> | |
| | <- | RST |

Example:

nmap -sT danielgorbe.com
- Half-open three-way handshake (the connection is never completed)
- Nmap: -sS (TCP SYN scan)

Open port:

| Attacker | Direction | Target |
|---|---|---|
| SYN | -> | |
| | <- | SYN+ACK |
| RST | -> | |

Closed port:

| Attacker | Direction | Target |
|---|---|---|
| SYN | -> | |
| | <- | RST |

Example:

nmap -sS danielgorbe.com
- Sends a TCP probe with unusual flag combinations (e.g. FIN, URG, PSH, or no flags at all)
- Xmas and Null scans
- PSH+URG+FIN flags, or all flags set
- Creates an abnormal situation for the target's TCP stack
- Nmap: -sX (Xmas scan)

Open port:

| Attacker | Direction | Target |
|---|---|---|
| FIN+URG+PSH | -> | |
| | <- | No response |

Closed port:

| Attacker | Direction | Target |
|---|---|---|
| FIN+URG+PSH | -> | |
| | <- | RST |

Example:

nmap -sX danielgorbe.com
- No flags set
- Easy to detect
- Nmap: -sN (Null scan)

Open port:

| Attacker | Direction | Target |
|---|---|---|
| NULL | -> | |
| | <- | No response |

Closed port:

| Attacker | Direction | Target |
|---|---|---|
| NULL | -> | |
| | <- | RST |

Example:

nmap -sN danielgorbe.com
- The FIN scan works against RFC 793-based TCP/IP stacks (before Windows XP)
- Only the FIN flag is set
- Can probably pass firewalls
- Nmap: -sF (FIN scan)

Open port:

| Attacker | Direction | Target |
|---|---|---|
| FIN | -> | |
| | <- | No response |

Closed port:

| Attacker | Direction | Target |
|---|---|---|
| FIN | -> | |
| | <- | RST |

Example:

nmap -sF danielgorbe.com
- Only the ACK flag is set
- The response is always an RST
- Examine the RST header (i.e. TTL, window size), then decide whether the port is open or not
- Helps identify a filtering system: an RST means no firewall, no response means there is a firewall
- Nmap: -sA (TCP ACK scan)

Example:

nmap -sA danielgorbe.com
- Remains low profile
- Scanning is done through a zombie host
- Based on the full open scan
- An unsolicited SYN+ACK packet is ignored or answered with an RST
- Every IP packet has a Fragment Identification Number (IPID)
- The OS increments the IPID for each packet it sends
- Nmap: -sI <zombie host[:probeport]> (idle scan)
- Explanation on Nmap's website
- Connectionless protocol
- Nmap: -sU (UDP scan)

Open port:

| Attacker | Direction | Target |
|---|---|---|
| UDP port probe | -> | |
| | <- | No response |

Closed port:

| Attacker | Direction | Target |
|---|---|---|
| UDP port probe | -> | |
| | <- | ICMP Port Unreachable |

Example:

nmap -sU danielgorbe.com
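As an added example (not part of the original notes), the flag combinations and the open/closed reply tables above turned into a small defender-side Python classifier: it labels unsolicited probes by scan type, encodes the expected target reply for each scan type, and reports a source that hits many distinct ports with the same probe type. The IPs, ports and threshold are constructed sample values.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags: int) -> str:
    """Label an unsolicited inbound TCP segment by the scan type its flags match."""
    if flags == 0:
        return "null"      # Null scan: no flags at all
    if flags == FIN | URG | PSH:
        return "xmas"      # Xmas scan: FIN+URG+PSH
    if flags == FIN:
        return "fin"       # FIN scan
    if flags == SYN:
        return "syn"       # connect / half-open scan, or just a normal handshake
    if flags == ACK:
        return "ack"       # ACK scan (used to map filtering)
    return "other"         # PSH+ACK, RST, ...: ordinary traffic

def expected_reply(scan: str, port_open: bool) -> str:
    """What the target answers, following the open/closed port tables above."""
    if scan == "udp":
        return "No response" if port_open else "ICMP Port Unreachable"
    if scan == "syn":
        return "SYN+ACK" if port_open else "RST"
    if scan in ("xmas", "null", "fin"):
        return "No response" if port_open else "RST"
    if scan == "ack":
        return "RST"       # always RST; no reply at all points at a firewall
    raise ValueError(f"unknown scan type {scan!r}")

def detect_scanners(records, min_ports=5):
    """records: (src_ip, dst_port, tcp_flags). Report sources whose probes of one type
    reached at least min_ports distinct ports, as {src: {scan_type: port_count}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in records:
        kind = classify_probe(flags)
        if kind != "other":
            seen[src][kind].add(dport)
    return {src: {k: len(p) for k, p in kinds.items() if len(p) >= min_ports}
            for src, kinds in seen.items()
            if any(len(p) >= min_ports for p in kinds.values())}

# Constructed sample flows: an Xmas scanner, a Null scanner and one normal HTTPS client.
SAMPLE = ([("10.0.0.5", p, FIN | URG | PSH) for p in (21, 22, 23, 25, 80, 443)]
          + [("10.0.0.9", p, 0) for p in range(8000, 8010)]
          + [("10.0.0.7", 443, SYN), ("10.0.0.7", 443, ACK), ("10.0.0.7", 443, PSH | ACK)])
```

Running detect_scanners(SAMPLE) reports only 10.0.0.5 (xmas, 6 ports) and 10.0.0.9 (null, 10 ports); the single SYN of the HTTPS client stays below the threshold, which is why the port-count threshold matters more than the flag match alone.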
- Packet fragmentation:
- Nmap: -f (fragment packets)
- The IDS has to reassemble the fragments to detect an attack
- Sending packets with a delay

Example:

nmap -f danielgorbe.com
- Nmap: -O (OS detection)
- Sends TCP and UDP packets and observes the responses from the host

Example:

nmap -O danielgorbe.com
- Detailed assessment of the traffic (TTL, TCP window size)
- Common values:

| OS | TTL | TCP window size |
|---|---|---|
| Linux | 64 | 5840 |
| Windows XP | 128 | 65535 |
| Windows 2008 | 128 | 8192 |
| FreeBSD | 64 | 5840 |

- More values here
- Determines the service behind a port
- Typically uses Telnet (banner grabbing)
- Nmap: -sV (service/version detection)

Example:

nmap -sV danielgorbe.com
- A system between the attacker and the target
- Hides the source IP address
- Impersonating
- Hides identity
- Using multiple proxy servers
- Most used proxy chain: Tor
- Modifies the packet header
- Nmap has a decoy scan option; it sends packets with spoofed source IPs to cloak your address.

Example:

nmap -D 192.168.1.1,192.168.1.2 danielgorbe.com

This option sends 3 packets, with source IPs:
- 192.168.1.1
- 192.168.1.2
- Your IP
- Direct TTL probe (on the same subnet)
- IP Identification Number (IPID)