Showing posts with label tcp/ip. Show all posts
Showing posts with label tcp/ip. Show all posts

Friday, April 30, 2010

TCPDump Flags

I was trying to capture some data the other day and was using TCPDump. This is really for my own needs but I like to share when I can.
Here are a few flags to use when trying to capture certain data types in TCP.
There are more and you can read online to find more if needed.

Sniff all SYN flagged packets:

root@bt:~# tcpdump 'tcp[13] & 2 != 0'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
ctrl+c: Indicates that I stopped the capture.
0 packets captured
0 packets received by filter
0 packets dropped by kernel

With the above resulting output.

Sniff all PSH flagged packets:
root@bt:~# tcpdump 'tcp[13] & 8 != 0'

Sniff all URG flagged packets:
root@bt:~# tcpdump 'tcp[13] & 32 != 0'

Sniff all RST flagged packets:
root@bt:~# tcpdump 'tcp[13] & 4 != 0'

Sniff all ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] & 16 != 0'

Sniff all FIN flagged packets:
root@bt:~# tcpdump 'tcp[13] & 1 != 0'

Sniff all SYN-ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] = 18'

Monday, May 26, 2008

Multipart PortScanning Tutorial Part 7

Multipart PortScanning Tutorial Part 7

In this edition we will be looking at the results of some Xmas Tree scans.

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP Address' MAC Address' etc. have been munged!

[b]
OK so first things first If you are not up to speed here are the other tutorials I have done on nmap.[/B]
[url="http://forums.remote-exploit.org/showthread.php?t=11001"]Part1[/url]
[URL="http://forums.remote-exploit.org/showthread.php?t=11003"]Part2[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11010"]Part3[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11025"]Part4[/URL]
[url="http://forums.remote-exploit.org/showthread.php?t=11216"]Part5[/url]
[url="http://forums.remote-exploit.org/showthread.php?t=14195]Part6[/url]

OK so let's look at what a Xmas Tree scan is.
[quote]Xmas scan (-sX)

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
[b]From the nmap online documentation. [/b] [/quote]

So what does this mean?
Well for starters we know about the three-way handshake with TCP/IP. So what we are doing is sending packets out that have the "FIN", "PSH" and "URG" flags set.
So let's look at these flags. The first one "FIN" tells the target that we are finished with our connection. And normally it would send back and "ACK" Packet.
The second is the "PSH" or push packet. TCP designates data being sent to an application by using the "PSH" flag. To ensure that data sent from a node has been received TCP uses an "ACK" flag that specifies which "PSH" packets have been received. "ACK"s are sent in response to "PSH" data grams in two different scenarios:
1. When data has been received by a node.
2. When the "ACK" delay has been reached.
The third flag is the "URG" flag. The "URG" flag is used to tell a node that information needing immediate attention is present within a packet.
A "URG" also tells a receiving node that the sender requests all buffered data to be passed to the application. Normally TCP holds data in a memory buffer until enough is collected then it is passed to the application needing said data. With the "URG" flag TCP sends the data immediately. Ok so now might be a good idea to take a break!

Now that we know what the packets mean let's take a look at why this can be important to the pen-tester.

First when we do a Xmas tree scan and the target sends us a "RST" or reset packet then we know that a target port is closed. But if the target port is open then there will be silence. This is the same thing when doing a "FIN" scan. All of this takes place due to RFC 793 Transmission Control Protocol.
During a Xmas tree scan nmap categorizes the response as either closed or open|filtered. The open|filtered result is combined because firewalls often drop these packets. Because it's impossible to determine if a missing response was due to an open port or a filtered network connection, there's no way to tell the difference between an open or filtered port. Different implementations of the TCP/IP stack will handle these scans in different ways. Windows for example will reply with a "RST" regardless of the status of the port. If an open|filtered port is picked up then the node is not windows based. Special attention must be given when the results show all ports as closed as this may not be true.
Ok so now if you are still with me let's take a look at some scans.
First in the default mode with a look at the flags.
[code]
#nmap -sX -v -v 192.168.1.5 [/code]
-sX xmas tree scan
-v verbosity
[b] And our results. [/b]
[code]

Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-01 13:30 EDT
Initiating ARP Ping Scan at 13:30
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 13:30, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:30
Completed Parallel DNS resolution of 1 host. at 13:30, 0.05s elapsed
Initiating XMAS Scan at 13:30
Scanning 192.168.1.5 [1715 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 21 out of 70 dropped probes since last increase.
Completed XMAS Scan at 13:30, 16.56s elapsed (1715 total ports)
Host 192.168.1.5 appears to be up ... good.
All 1715 scanned ports on 192.168.1.5 are closed
MAC Address: 00:12:34:56:AA:FF (Cisco-Linksys)
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.024 seconds
Raw packets sent: 1821 (72.842KB) | Rcvd: 1718 (79.024KB)
[/code]
As you can see we really didn't learn much about our target. The only thing that we learned is that the ports all appear to be closed.
But this is not really the case. I know that there are open ports because the target is actually a print server.

[b]This time lets look more in depth at our target.[/b]
[code]
#nmap -sV -v -v -F -sX -O 192.168.1.5
[/code]
-sV service version
-O Operating system
-F Only scan ports listed on services.

[b] Now the relevant results[/b]
[code] Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|printer
Running: Hotway embedded, IBM embedded, Packard Bell embedded
OS details: Hotway HDC-U2LA NAS device, IBM 6400 Printer (software version 7.0.9.6), Packard Bell NetStore 3500
OS Fingerprint:
Purposely removed [/code]
This time we can see that nmap returned us a print server. The device type is still incorrect. This can mean the difference between accessing the network and being shut out.
This print server like most usually have TCP ports 515, 631 open. There is usually one or two more like http or telnet open as well.

So we see that even though the two scans are not 100% accurate we did gain some valuable information about our target. Again a lot of devices will not respond to this type of scanning but there are some that will. Using the Xmas tree scan we can also help mask our intentions from a IDS. But remember most system administrators worth their weight in salt will ensure that there IDS's pick up this type of scan. There are ways around this as well.
Try playing with this type of scan and see what kind of results you get.

Drop a line if this has helped or hindered you.

Sunday, May 25, 2008

Multipart PortScanning Tutorial Part 6

Because there has been some interest I will try to do a couple more tutorials on [URL="http://nmap.org/"]nmap[/URL]. I am using the latest version available.

[B]In this edition we will be looking at the results of some "ACK" Scans[/B].

Disclaimer: This information is for educational purposes only and not to commit a crime! If you do something that causes you to hose your box don't cry to me. All IP Address' MAC Address' etc. have been munged!
[B]
OK so first things first If you are not up to speed here are the other tutorials I have done on nmap.[/B]
[url="http://forums.remote-exploit.org/showthread.php?t=11001"]Part1[/url]
[URL="http://forums.remote-exploit.org/showthread.php?t=11003"]Part2[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11010"]Part3[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11025"]Part4[/URL]
[url="http://forums.remote-exploit.org/showthread.php?t=11216"]Part5[/url]

[B]Next lets talk a minute about what a "ACK" scan is.[/B]
[quote]-sA (TCP ACK scan)
This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled filtered.
[URL="http://nmap.org/docs.html"]From the nmap online documentation[/URL]. [/quote]

So what does this mean to us. First when dealing with TCP/IP we all know how the connections work, so when a connection is finished one would normally see an ACK or Acknowledgment. Meaning that the connection was made and a transfer of some sort took place. So when we scan for hosts by sending out ACK packets what we are doing is telling the target machine that we have "received the transmission". But since this is our first real communication with said target. It will not no how to respond. This is turn will generate RST or reset packets. Now if we look above we see that nmap will label them as unfiltered, and in turn they are reachable. This second part is really the only part we care about. By sending out ACK packets we can then determine if a host is alive and possibly not set of IDS alarms. Now there is a caveat to this. If there are a lot of ACK packets hitting a target then an IDS will most likely see this and of course set off the alarm.
There are several ways we can mitigate this with nmap. Which I will show more of in a later tutorial.
[b]So our first default scan should look something like this.[/b]
[code]#nmap -v -v -sA 192.168.1.5 [/code]
Now I included the -v -v for verbosity level two just to get all of the information out of this basic scan that we can.
[b]Now lets look at the results. [/b]
[code]
Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 12:26 EDT
Initiating ARP Ping Scan at 12:26
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 12:26, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:26
Completed Parallel DNS resolution of 1 host. at 12:26, 0.05s elapsed
Initiating ACK Scan at 12:26
Scanning 192.168.1.5 [1715 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 40 out of 133 dropped probes since last increase.
Completed ACK Scan at 12:26, 15.39s elapsed (1715 total ports)
Host 192.168.1.5 appears to be up ... good.
All 1715 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF (Cisco-Linksys)
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.828 seconds
Raw packets sent: 1836 (73.442KB) | Rcvd: 1716 (78.932KB)[/code]

Now the only thing that we learned is that the target is there, which we should already have known before we started scanning it. Blindly scanning a target is how we set off alarms!
Ok now lets look at it again only this time we will be trying to find out some info on the OS and what services are running.
But remember we do not want to trip the alarm so we are going to be a little sneaky with our throttling. Note this may or may not hide us, That is not the real point here.
[code]
#nmap -sV -v -v -F -T Paranoid -sA -O -PN 192.168.1.5
[/code]
This time we have several flags set.
-sV for service versions.
-v -v again verbosity level 2
-F to only scan the ports listed on the service version scan. No sense scanning all possible ports as this could trigger alarms.
-T Paranoid again to help mask what we are doing.
-sA is for the ACK scan itself.
-O for OS detection
-PN so that we do not ping the target before scanning. Again to mask what we are doing from the target itself.
[b]And of course the output[/b]
[code]
Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 13:04 EDT
Initiating ARP Ping Scan at 13:04
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 13:04, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:04
Completed Parallel DNS resolution of 1 host. at 13:04, 0.05s elapsed
Initiating ACK Scan at 13:04
Scanning 192.168.1.5 [1276 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 45 out of 150 dropped probes since last increase.
Completed ACK Scan at 13:04, 11.45s elapsed (1276 total ports)
Initiating Service scan at 13:04
Initiating OS detection (try #1) against 192.168.1.5
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.1.5 appears to be up ... good.
All 1276 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF(Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|printer
Running: Hotway embedded, IBM embedded, Packard Bell embedded
OS details: Hotway HDC-U2LA NAS device, IBM 6400 Printer (software version 7.0.9.6), Packard Bell NetStore 3500
OS Fingerprint:
Purposely Removed
Network Distance: 1 hop
Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.866 seconds
Raw packets sent: 1343 (55.504KB) | Rcvd: 1283 (59.160KB) [/code]

So this time we picked up a bit more detail. I will say that what was reported by the scan's OS details is incorrect but they device type is. Also note that the mac address is listed as Cisco-Linksys. This along with the device type is the most relevant info we have gained. In order for us to actually penetrate the target we need more information. Which I will leave up to you to learn about.

So again we have covered using an ACK scan with nmap. There are more options, reasons, and ways of using this type of scan. I have showed you only the basics.
When I get the chance I will be showing more options for IDS spoofing and evasion techniques. I have purposely left this info out of this tutorial!

If this has helped or hindered you say something. :)

Sunday, January 6, 2008

Using Dmitry in Backtrack

This is a small tutorial on using DMITRY in Backtrack.
Disclaimer: This information is for educational purposes only and not to commit a crime.
If you do something that causes you to hose your box don't come kicking and screaming on the forums.

First off a little background info. DMITRY aka Deep Magic Information Gathering Tool is a GNU/Linux command line application that's coded in C.
It has the ability to give as much info as possible about a host. It is open source, can be used to perform Internet Number whois lookups, Possible to retrieve up time system and server data. The ability to perform SubDomain searches on a target. Perform Email search on a target, and TCP port scanning as well.
(Source http://www.moh-pah.net/index.php?file=projects/dmitry)
Ok now on to the tool.
There are two ways to access the tool either through the menus K>Backtrack>Information Gathering>All>Dmitry or from the command line, either way works the same,
[code]
#dmitry [/code]
OK now we need to be able to use the program so let's first look at the switches presented
-o allows us to specify with a given name our output the default is host.txt you could name it anything you want.
-i allows us to perform a whois lookup of the IP address of a host, this tells us that if we only no the name that dmitry will find the IP for us.
-w will perform a whois lookup on the domain name of a host.
-n will give us Netcraft.com information on a host (if you don't know about netcraft.com then go have a look you won't be disappointed).
-s performs a search for possible subdomains (www.yournetwork.com being a top level domain and www.yoursite.yournetwork.com being a subdomain.)
-e will perform a search for possible email addresses. (youremail@yournetwork.com)
-p will perform a TCP port scan on a host
*-f will perform a TCP port scan on a host showing output reporting filtered ports (useful if there is a firewall in place)
*-b will report to you a banner received from a scanned port (Note this will only work if the port sends us a banner when scanned).
(This may reveal some type of software running on a given port.)
*-t 0-9 is used to set the TTL in seconds when scanning the default is 2
The * means that the -p flag must also be set in order to work.

So now that we know what the flags mean let look at an example usage of the command.
[code]
#dmitry -winsepffb -o hosts.txt www.yournetwork.com[/code]

Ok so we see that we are going to use all of the flags available to us to gather as much information about our target as possible and write the info to a file called
hosts.txt The next part is the domain name of our target.

Now for the good part the first thing we will see is that dmitry is writing the output to our file.
Next we should see:
[code]
HostIP:192.168.1.1
HostName:www.yournetwork.com [/code]
Next we will see :[code]
Gathered Inet-whois information for 192.168.1.1 [/code]
You will be provided lots of whois info about the IP address
I will not print it all here for you but rather, whois should give you the Organization's name and address info. As well as info about the network itself
You should see the net ranges for example the netnames and their registration date.
Next you should see: [code]
Gathered Inic-whois information for www.yournetwork.com
---------------------------------
Domain Name: YOURNETWORK.COM
Registrar: The Registrars info here
Whois Server: whois.example.com
Referral URL: http://www.example.com
Name Server: NS1.YOURNETWORK.COM
Name Server: NS2.YOURNETWORK.COM
Name Server: NS3.YOURNETWORK.COM
Name Server: NS4.YOURNETWORK.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 10-apr-2006
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2011
>>> Last update of whois database: Sun, 23 Dec 2007 06:42:27 UTC [/code]
Again this provides more information about our target network. Now we have the names servers as well and the name of the registrar.
All of this is useful when we are "reconning" our target.
Next up netcraft with: [code]
Gathered Netcraft information for www.yournetwork.com
---------------------------------
Retrieving Netcraft.com information for www.yournetwork.com
Operating System: winblows server edition2007
WebServer: winblowswebserver v1.0
No uptime reports available for host: www.yournetwork.com
Netcraft.com Information gathered
[/code]
Now if our target network was using something other than the poorly coded Winblows Server Edition 2007
Then it might not get presented here for us. Same thing with the webserver info.
And because it’s so poorly coded we see that there is not uptime because it’s only on for about an hour before a reboot is needed.
[code]
Gathered Subdomain information for yournetwork.com
---------------------------------
Searching Google.com:80...
HostName:images.yournetwork.com
HostIP:192.168.1.2
HostName:maps.yournetwork.com
HostIP:192.168.1.3
HostName:news.yournetwork.com
HostIP:192.168.1.100
HostName:www.yournetwork.com
HostIP:192.168.1.1
HostName:mail.yournetwork.com
HostIP:192.168.1.5
Found 5 possible subdomain(s) for host yournetwork.com, Searched 1 pages containing 1 result. [/code]
And on and on until it has searched through all the subdomains that it finds.
Next we will see: [code]
Gathered E-Mail information for yournetwork.com
admin AT yournetwork DOT com
joeuser AT yournetwork DOT com
[/code]
And finally the output from our TCP scan [code]
Gathered TCP Port information for 192.168.1.1
---------------------------------
Port State
20 Open
21 Open
80 Open
[/code]
Etc, Etc, Etc, because www.yournetwork.com is running winblows server edition 2007 and left all the common ports open by default!
So I hope that this tutorial gets you going and you can start using dmitry to do some "reconning".
BTW All names and IP address have been changed to protect me!
If you feed in private block numbers like 192..... Then the data for whois will tell you that it is for internal network use only.
The only useful part of the entire scan will be port scanning!