Detecting Reconnaissance Through Packet Forensics by Shashank Nigam

Jul 16, 2015

OWASP
Page 1: Detecting Reconnaissance Through Packet Forensics by Shashank Nigam

Detecting Reconnaissance Through Packet Forensics

Shashank Nigam

Page 2

Target Audience

Network Analysts

Network Admins

Security Engineers

Security Researchers and Enthusiasts

Anyone who is interested

Page 3

• Security enthusiast and Security Consultant for Security Compass

• Love to explore the world of security

• Have a blog of my own

• http://securityissuesrevealed.blogspot.in/

• Contact me:

• https://www.linkedin.com/pub/shashank-nigam/21/30/3bb

• Email: [email protected]

[email protected]

Page 4

• What is Reconnaissance?

• Network Packet Analysis

• Analyzing network packets to detect various reconnaissance activities in your network, for example TCP/UDP port scans, application fingerprinting, OS fingerprinting and traceroute.

• Detecting unusual traffic on your cabling system

• Identifying packets in depth

Page 5

• How does TCP/IP communication occur?

Page 6

• Windows box (Win7 or Win XP)

• A Linux or attacker's machine with nmap

• KFSensor (a honeypot running on the Windows box)

• Wireshark (network protocol analyzer on the Windows box)

• Other recommended tools:

Xprobe, Hping, Nmap

Page 7

• Some virus or worm trying to establish a remote shell

• Clear-text information travelling across the cabling system

• Some unusual port activity (dynamic ports)

• No spoofed address

• No scan activity like port scan, OS scan etc.

• Examples: Blaster worm, TCP/UDP port scan, connectivity tests etc.

Page 8

Analyzing the Blaster worm:

• Blaster is a worm that exploits the DCOM RPC vulnerability; it was discovered in August 2003.

• It downloads the file msblast.exe to %WinDir%\system32 and executes it.

• It uses cmd.exe to create a hidden remote shell process which listens on TCP port 4444.

• This allows an attacker to send commands to an infected machine.

Page 9

Some more unusual traffic:

• Character generator (chargen) traffic (port 19)

• When data is sent to the chargen port (19), we can see data echoing back as a sequence of random characters

• Basically performed for some connectivity test

• Such traffic should not be present on the cabling system unless chargen is purposefully used.

Page 10

• Reconnaissance is a way to gather information about a target before actually planning an attack

• The success of an attack depends largely upon the reconnaissance made

• TCP or UDP port scan

• Application fingerprinting

• OS fingerprinting

• Illegally formed scans etc.

Page 11

• The TCP three-way handshake involves TCP SYN, SYN ACK and ACK packets exchanged between client and server.

• For a TCP port scan the system sends a TCP SYN packet to the destination port.

• If the server supports the service it replies with a SYN ACK packet; otherwise a TCP RST packet is sent across the cabling system.

If we see a lot of RST packets on the network and don't find a DATA exchange between two nodes, it signifies a PORT scan.

Page 12

Page 13

• For a UDP scan the client sends a UDP packet to a destination port.

• If the server does not support the particular service requested in the packet, it replies with an ICMP type 3/code 3 packet.

• This ICMP type 3/code 3 packet is unusual to find in network traffic.

• Type 3/code 3 signifies Destination Unreachable/Port Unreachable.

If we find a lot of ICMP type 3/code 3 packets in the traffic it signifies a UDP port scan is going ahead and requires attention.
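As an added example (not part of the slides), the two heuristics from Page 11 and Page 13 applied to a constructed list of packet summaries; the record layout (proto, src, dst, flags, payload_len, icmp_type, icmp_code) is an assumption modelled on the fields Wireshark displays, and the thresholds are illustrative.

```python
# Added example (not from the slides): the record layout is an assumption mirroring tshark fields.
from collections import defaultdict

def detect_tcp_port_scan(packets, min_rst=10):
    """Page 11 heuristic: many RST replies reach a source and no data is exchanged."""
    rst_count = defaultdict(int)   # (scanner, target) -> RSTs the scanner received
    data_seen = defaultdict(bool)  # unordered host pair -> carried a payload
    for p in packets:
        if p["proto"] != "tcp":
            continue
        pair = tuple(sorted([p["src"], p["dst"]]))
        if p.get("payload_len", 0) > 0:
            data_seen[pair] = True
        if "R" in p["flags"]:
            rst_count[(p["dst"], p["src"])] += 1  # RST flows target -> scanner
    return sorted(
        (scanner, target, n) for (scanner, target), n in rst_count.items()
        if n >= min_rst and not data_seen[tuple(sorted([scanner, target]))]
    )

def detect_udp_port_scan(packets, min_unreach=10):
    """Page 13 heuristic: many ICMP type 3 code 3 (port unreachable) replies."""
    unreach = defaultdict(int)  # (scanner, target) -> port-unreachable replies
    for p in packets:
        if p["proto"] == "icmp" and p["icmp_type"] == 3 and p["icmp_code"] == 3:
            unreach[(p["dst"], p["src"])] += 1
    return sorted((s, t, n) for (s, t), n in unreach.items() if n >= min_unreach)

def _tcp(src, dst, sport, dport, flags, payload_len=0):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport,
            "dport": dport, "flags": flags, "payload_len": payload_len}

def _icmp(src, dst, itype, icode):
    return {"proto": "icmp", "src": src, "dst": dst,
            "icmp_type": itype, "icmp_code": icode}

# Constructed sample: 10.0.0.5 probes 12 closed TCP ports on 10.0.0.9 (SYN, RST/ACK back)
# and 12 closed UDP ports (only the ICMP 3/3 replies are listed); 10.0.0.7 holds a normal
# HTTP session with 10.0.0.9 that ends with one RST and must not be flagged.
SAMPLE = []
for port in range(20, 32):
    SAMPLE.append(_tcp("10.0.0.5", "10.0.0.9", 40000 + port, port, "S"))
    SAMPLE.append(_tcp("10.0.0.9", "10.0.0.5", port, 40000 + port, "RA"))
    SAMPLE.append(_icmp("10.0.0.9", "10.0.0.5", 3, 3))
SAMPLE += [_tcp("10.0.0.7", "10.0.0.9", 51000, 80, "S"),
           _tcp("10.0.0.9", "10.0.0.7", 80, 51000, "SA"),
           _tcp("10.0.0.7", "10.0.0.9", 51000, 80, "PA", payload_len=120),
           _tcp("10.0.0.9", "10.0.0.7", 80, 51000, "R")]
```

Each function returns (scanner, target, count) triples, so the same code can be fed a tshark field export of a real capture.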

Page 14

• Sometimes identifying packets is a difficult task.

• TCP flags come to the rescue.

• Basically six types of TCP flags can be found in the packet:

URGENT (URG), ACKNOWLEDGEMENT (ACK), PUSH (PSH), RESET (RST), SYNCHRONIZE (SYN), FINISH (FIN)

• Some uncommon and absurd combinations of these flags in a packet reveal an illegally formed packet.
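As an added example, not from the slides: decoding the six flag bits of Page 14 from the TCP flags byte and naming the combinations a normal stack never emits. The combination names are the ones analysts commonly use, not from the deck.

```python
# Added example (not from the slides): bit values follow the standard TCP header layout.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def decode_flags(flag_byte):
    """Return the set of flag names set in a TCP flags byte (low six bits only)."""
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}

def classify_flags(flag_byte):
    """Name the illegal combination, or return None for a normally formed packet."""
    f = decode_flags(flag_byte)
    if not f:
        return "NULL (no flags set)"
    if {"SYN", "FIN"} <= f:
        return "SYN+FIN (open and close in the same segment)"
    if {"SYN", "RST"} <= f:
        return "SYN+RST (open and abort in the same segment)"
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return "XMAS (FIN+PSH+URG without ACK)"
    if f == {"FIN"}:
        return "FIN without ACK"
    if "ACK" not in f and "SYN" not in f and "RST" not in f:
        return "data flags without ACK"
    return None

def find_illegal_packets(flag_bytes):
    """Return (index, flag names, verdict) for every illegal packet in a capture."""
    hits = []
    for i, b in enumerate(flag_bytes):
        verdict = classify_flags(b)
        if verdict:
            hits.append((i, sorted(decode_flags(b)), verdict))
    return hits

# Constructed sample of tcp.flags bytes: a normal handshake and session, then four malformed ones.
SAMPLE_FLAGS = [0x02, 0x12, 0x10, 0x18, 0x11, 0x00, 0x03, 0x29, 0x01, 0x14]

if __name__ == "__main__":
    for hit in find_illegal_packets(SAMPLE_FLAGS):
        print(hit)
```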

Page 15

Page 16

• An IP scan is usually done to find key services and protocols that sit after the IP header.

• It involves various routing protocols.

• In the IP scan process the scanner alters the IP protocol field value to check which protocols the target system supports.

Page 17

• What the reconnaissance process is

• Analyzed TCP port scan (3-way handshake and RST packets)

• Analyzed UDP port scan (ICMP type 3 code 3 packet)

• Unusual Blaster and chargen traffic used for connectivity tests

• Illegally formed scan packets with combinations of different FLAG bits

• IP scan process looking for various routing protocols.

Page 18

• Usually a process of identifying the services running on a port

• It does not merely work by identifying ports but sends commands to the services.

• Useful where services run on custom ports.

• It identifies the banner or response from the service in order to identify the service.

• Try to analyze the packets for commands sent and data transferred across the network, like application responses, banners etc.

Page 19

• A very important protocol for the network analyst

• RFC 792 at www.ietf.org

• ICMP packets can be used to perform OS fingerprinting and connectivity tests on your network.

• An ICMP packet has three constant fields:

ICMP Type, ICMP Code, Checksum

• For details of ICMP types and codes refer to www.iana.org

Page 20

Type 0: Echo Reply
Type 3: Destination Unreachable
Type 8: Echo Request
Type 11: Time Exceeded (trace route)
Type 13: Timestamp Request
Type 14: Timestamp Reply
Type 15: Information Request
Type 16: Information Reply
Type 17: Address Mask Request
Type 18: Address Mask Reply

Reference: www.iana.org

OS fingerprinting

Page 21

• ICMP-based connectivity test

• Works with the ICMP ECHO REQUEST packet (Type 8) and the ICMP ECHO REPLY packet (Type 0)

• Trace route uses the ping process

• Client A sends an Echo Request packet (ping packet) with TTL 1

• Trace Route illustrated

Page 22

[Figure: trace route illustrated. Client A sends Echo Requests towards Client B with TTL=1, TTL=2 and TTL=3; routers R1, R2 and R3 each answer with Time Exceeded in Transit. The request with TTL=4 reaches Client B, which answers with an Echo Reply.]

Page 23

• To identify the remote platform or operating system

• Active fingerprinting:

TCP stack querying (ICMP, SNMP, TCP etc.)
Banner grabbing (FTP, TELNET, HTTP)
Port probing (135, 137, 445, 524)

• Key ICMP packets seen during active OS fingerprinting are:

ICMP Type 13 Timestamp, ICMP Type 17 Address Mask

(These packets are specific to Xprobe2)

Page 24

• Key ICMP packets seen during active OS fingerprinting are:

ICMP Type 13 Timestamp, ICMP Type 15 Information, ICMP Type 17 Address Mask

• Together these three types of packet signify OS fingerprinting

• The order of the packets is important to identify the tool used for OS fingerprinting.

• Type 13, Type 17, Type 15: Xprobe tool
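As an added example that is not part of the slides, the trace route exchange of Pages 21 and 22 and the type 13/17/15 ordering of Page 24 turned into detection logic over a constructed ICMP packet list. The record layout (src, dst, icmp_type, icmp_code, ttl) is an assumption, and the Xprobe order is taken from the slide rather than verified against the tool.

```python
# Added example (not from the slides): record layout is an assumption; order per Page 24.
from collections import defaultdict

XPROBE_ORDER = (13, 17, 15)   # order the deck attributes to the Xprobe tool

def detect_icmp_fingerprinting(packets):
    """Flag sources that send type 13, 15 and 17 requests to one target; report the order."""
    seen = defaultdict(list)              # (src, dst) -> request types in capture order
    for p in packets:
        if p["icmp_type"] in (13, 15, 17):
            seen[(p["src"], p["dst"])].append(p["icmp_type"])
    results = []
    for (src, dst), types in sorted(seen.items()):
        if set(types) >= {13, 15, 17}:
            tool = "xprobe-like" if tuple(types[:3]) == XPROBE_ORDER else "unknown tool"
            results.append((src, dst, tuple(types), tool))
    return results

def detect_traceroute(packets, min_hops=3):
    """Flag a source whose echo requests walk TTL 1, 2, 3, ... and draw type 11 replies."""
    ttls = defaultdict(set)               # (src, dst) -> TTLs used on echo requests
    exceeded = defaultdict(set)           # probing host -> routers that answered type 11
    for p in packets:
        if p["icmp_type"] == 8:
            ttls[(p["src"], p["dst"])].add(p["ttl"])
        elif p["icmp_type"] == 11 and p["icmp_code"] == 0:
            exceeded[p["dst"]].add(p["src"])
    results = []
    for (src, dst), used in sorted(ttls.items()):
        ladder = all(t in used for t in range(1, min_hops + 1))
        if ladder and len(exceeded[src]) >= min_hops - 1:
            results.append((src, dst, sorted(used), sorted(exceeded[src])))
    return results

def _icmp(src, dst, itype, icode=0, ttl=64):
    return {"src": src, "dst": dst, "icmp_type": itype, "icmp_code": icode, "ttl": ttl}

# Constructed sample: A traces the route to B through R1..R3 exactly as drawn on Page 22,
# then 10.0.0.5 sends an Xprobe-style 13/17/15 sequence to 10.0.0.9 and gets 14/18/16 back.
SAMPLE = [_icmp("A", "B", 8, ttl=1), _icmp("R1", "A", 11),
          _icmp("A", "B", 8, ttl=2), _icmp("R2", "A", 11),
          _icmp("A", "B", 8, ttl=3), _icmp("R3", "A", 11),
          _icmp("A", "B", 8, ttl=4), _icmp("B", "A", 0),
          _icmp("10.0.0.5", "10.0.0.9", 13), _icmp("10.0.0.9", "10.0.0.5", 14),
          _icmp("10.0.0.5", "10.0.0.9", 17), _icmp("10.0.0.9", "10.0.0.5", 18),
          _icmp("10.0.0.5", "10.0.0.9", 15), _icmp("10.0.0.9", "10.0.0.5", 16)]
```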

Page 25

• Nmap is a network scanning tool

• OS fingerprinting is a module loaded with the -A switch for OS identification

• Nmap sends a series of six packets to a known open port.

• All these packets have:

Timestamp value (TSval) of 4294967295

TSecr value of 0

• All packets except the 3rd packet have selective ACK (SACK) permitted

Page 26

• Packet #1: Window scale (10), NOP, MSS (1460), window field: 1

• Packet #2: MSS (1400), window scale (0), window field: 63

• Packet #3: NOP, NOP, window scale (5), NOP, MSS (640), window field: 4

• Packet #4: Window scale (10), window field: 4

• Packet #5: MSS (536), window scale (10), window field: 16

• Packet #6: MSS (265), window field: 512

Reply packets undergo a large variety of additional tests:

Tests for ISN, sequence counter rate, sequence predictability
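As an added example, not from the slides: matching captured SYN probes against the six-probe signature of Pages 25 and 26. The record layout (tsval, tsecr, sack_perm, wscale, mss, window) is an assumption modelled on Wireshark's TCP option decode, and the signature values are copied from the slides as given.

```python
# Added example (not from the slides): probe values per Page 26; record layout is an assumption.
NMAP_PROBES = [   # (wscale, mss, window, sack_perm) for probes #1..#6
    (10, 1460, 1, True),
    (0, 1400, 63, True),
    (5, 640, 4, False),      # the 3rd probe is the one without SACK permitted
    (10, None, 4, True),
    (10, 536, 16, True),
    (None, 265, 512, True),
]

def probe_index(pkt):
    """Return the 1-based probe number this SYN matches, or None if it is not one of the six."""
    if pkt.get("tsval") != 4294967295 or pkt.get("tsecr") != 0:
        return None
    sig = (pkt.get("wscale"), pkt.get("mss"), pkt["window"], bool(pkt.get("sack_perm")))
    for i, probe in enumerate(NMAP_PROBES, start=1):
        if sig == probe:
            return i
    return None

def detect_nmap_os_probes(packets, min_matches=4):
    """Group matching SYNs by (src, dst, dport); report sets that hit most of the six probes."""
    matched = {}
    for p in packets:
        idx = probe_index(p)
        if idx is not None:
            matched.setdefault((p["src"], p["dst"], p["dport"]), set()).add(idx)
    return sorted((k, sorted(v)) for k, v in matched.items() if len(v) >= min_matches)

def _syn(src, dst, dport, wscale, mss, window, sack_perm, tsval=4294967295, tsecr=0):
    return {"src": src, "dst": dst, "dport": dport, "wscale": wscale, "mss": mss,
            "window": window, "sack_perm": sack_perm, "tsval": tsval, "tsecr": tsecr}

# Constructed sample: the full six-probe sequence against open port 80 on 10.0.0.9, plus an
# ordinary browser SYN whose timestamp values do not fit the signature.
SAMPLE = [_syn("10.0.0.5", "10.0.0.9", 80, *sig) for sig in NMAP_PROBES]
SAMPLE.append(_syn("10.0.0.7", "10.0.0.9", 80, 7, 1460, 64240, True, tsval=123456, tsecr=0))
```

The TSval/TSecr check alone is a cheap first filter (the Wireshark display filter equivalent is tcp.options.timestamp.tsval == 4294967295), and the option table confirms which of the six probes arrived.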

Page 27

• Application fingerprinting

• Various ICMP packet types and codes

• How a trace route operation works (Echo Request and Reply)

• ICMP-based OS fingerprinting (Type 13 and Type 17 packets)

• SYN packet based OS fingerprinting (nmap)

Page 28

• Wireshark University Course on Network security and Forensics

• http://iana.org

• http://ietf.org

• http://keyfocus.net

• TCP IP fingerprinting supported by Nmap

• http://wiki.wireshark.org/

Page 29

• Familiarize yourself with and study more about these topics

• Analyze the packet logs of your switch and router.

• Research various different attack fingerprints

• Start with a network forensics course.

• Research and study various other packet types and structures, i.e. DNS, SMTP, FTP, NETBIOS etc.

Page 30