TCPDump and WinDump - gmarin/cse5636/tcpdumpsection2.pdf


Post on 04-Jun-2018


  • Network Security 1-1

    TCPDump and WinDump

    Section 2 of SWE5900. This material is intended for students of this course only. No further reproduction or distribution is authorized.

  • Network Security 1-2

    TCPDump

    UNIX tool that collects network data and displays it in a specified format.
    - It may be run live on a specified interface, but only if authorized.
    - It may read data from a file that was previously saved using TCPDump.
    - It offers a number of filtering capabilities.
    - Must be downloaded with libpcap or the Windows equivalent. (Do this by next class!)

  • Network Security 1-3

    Man Page

    If not on a UNIX system, go to http://www.rt.com/man/tcpdump.1.html

    NAME
        tcpdump - dump traffic on a network

    SYNOPSIS
        tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]

    DESCRIPTION
        Tcpdump prints out the headers of packets on a network interface that match the boolean expression.

  • Network Security 1-4

    TCPDump Traffic Capture

  • Network Security 1-5

    Type of Service Field

    Bits 0-2: Precedence.
    Bit 3: 0 = Normal Delay, 1 = Low Delay.
    Bit 4: 0 = Normal Throughput, 1 = High Throughput.
    Bit 5: 0 = Normal Reliability, 1 = High Reliability.
    Bits 6-7: Reserved for Future Use.

       0     1     2     3     4     5     6     7
    +-----+-----+-----+-----+-----+-----+-----+-----+
    |                 |     |     |     |     |     |
    |   PRECEDENCE    |  D  |  T  |  R  |  0  |  0  |
    |                 |     |     |     |     |     |
    +-----+-----+-----+-----+-----+-----+-----+-----+

  • Network Security 1-6

    TCPDump Traffic Capture cont

    00:28:24.573542 blackwidow.se.fit.edu.ssh > 163.118.231.25.3197: P 536784:536912(128) ack 7073 win 19872 (DF) [tos 0x10]

    - 00:28:24.573542: time the packet was received.
    - blackwidow.se.fit.edu.ssh: source host and port. In this case the port is SSH, or 22.
    - >: direction of the traffic.
    - 163.118.231.25.3197: destination IP and port.
    - P: flag set, in this case P for push. Pushes data from the sending host to the receiving host.
    - 536784:536912: beginning and ending sequence numbers. These are used to order the data that is received.
    - (128): bytes in the packet.
    - ack 7073: TCP flag; ACK represents the acknowledgement of data received. 7073 is the acknowledgement number.
    - Win 18872: this is the window size. This means that the client has a window size, or incoming buffer, of 18872 bytes.
    - (DF): don't fragment. This flag is used if and when the size of the datagram to be sent exceeds the maximum amount allowed by the route.
    - [tos 0x10]: type of service. In this case it is 0x10, which stands for minimize delay.

  • Network Security 1-7

    IP datagram format

    (Header figure, 32 bits per row; labels recovered from the slide.)

    - ver: IP protocol version number
    - head. len: header length (bytes)
    - type of service: type of data
    - length: total datagram length (bytes)
    - 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
    - time to live: max number remaining hops (decremented at each router)
    - upper layer: upper layer protocol to deliver payload to
    - Internet checksum
    - 32 bit source IP address
    - 32 bit destination IP address
    - Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
    - data (variable length, typically a TCP or UDP segment)

  • Network Security 1-8

    TCP segment structure

    (Segment figure, 32 bits per row; labels recovered from the slide.)

    - source port #, dest port #
    - sequence number, acknowledgement number: counting by bytes of data (not segments!)
    - head len, not used, flag bits U A P R S F:
      - URG: urgent data (generally not used)
      - ACK: ACK # valid
      - PSH: push data now (generally not used)
      - RST, SYN, FIN: connection estab (setup, teardown commands)
    - Receive window: # bytes rcvr willing to accept
    - checksum: Internet checksum (as in UDP); Urg data pointer
    - Options (variable length)
    - application data (variable length)

  • Network Security 1-9

    WELL KNOWN PORT NUMBERS

    The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users. Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port. The contact port is sometimes called the "well-known port". To the extent possible, these same port assignments are used with the UDP [RFC768]. The range for assigned ports managed by the IANA is 0-1023.

  • Network Security 1-10

    Port Examples:

    chargen     19/tcp   Character Generator
    chargen     19/udp   Character Generator
    ftp-data    20/tcp   File Transfer [Default Data]
    ftp-data    20/udp   File Transfer [Default Data]
    ftp         21/tcp   File Transfer [Control]
    ftp         21/udp   File Transfer [Control]
    ssh         22/tcp   SSH Remote Login Protocol
    ssh         22/udp   SSH Remote Login Protocol
    telnet      23/tcp   Telnet
    telnet      23/udp   Telnet
                24/tcp   any private mail system
                24/udp   any private mail system
    smtp        25/tcp   Simple Mail Transfer
    smtp        25/udp   Simple Mail Transfer
                26/tcp   Unassigned
                26/udp   Unassigned

  • Network Security 1-11

    Absolute and Relative Seq Nos

    Consider the following:

    client.com.38060 > telnet.com.telnet: S 3774957990:3774957990(0) win 8760 (DF)
    telnet.com.telnet > client.com.38060: S 2009600000:2009600000(0) ack 3774957991 win 1024
    client.com.38060 > telnet.com.telnet: . ack 1 win 8760 (DF)
    client.com.38060 > telnet.com.telnet: P 1:28(27) ack 1 win 8760 (DF)

    Note the use of relative sequence numbers beginning with the 3rd packet.

  • Network Security 1-12

    Ethereal Traffic Capture

  • Network Security 1-13

    Ethereal Traffic Capture

  • Network Security 1-14

    TCP 3-way Handshake

    tclient.net.39904 > telnet.com.23: S 733381829:733381829(0) win 8760 (DF)
    telnet.com.23 > tclient.net.39904: S 1192930639:1192930639(0) ack 733381830 win 1024 (DF)
    tclient.net.39904 > telnet.com.23: . ack 1 win 8760 (DF)

  • Network Security 1-15

    TCP Takedown

    tclient.net.39904 > telnet.com.23: F 14:14(0) ack 186 win 8760 (DF)
    telnet.com.23 > tclient.net.39904: . ack 15 win 1024 (DF)

    The server next initiates a FIN and the client acks it to finally close the connection. The abrupt version uses a reset:

    tclient.net.39904 > telnet.com.23: R 28:28(0) ack 1 win 8760 (DF)

  • Network Security 1-16

    Rudimentary Analysis

    - Was the three-way handshake completed between the two hosts?
    - Were data transmitted?
    - Who began and/or ended the connection?
    - Recall the SYN Flood (Neptune) attack.

  • Network Security 1-17

    SYN Flood (Neptune)

    - Leverages the TCP 3-way handshake.
    - The attacker sends the opening SYN.
    - The target responds with SYN/ACK and builds a record in a data structure to hold the connection information.
    - The attack consists of many SYN packets being sent from unreachable (non-existent) sources, so that the handshake is never completed and the data structure overflows.

  • Network Security 1-18

    Observations

    There is no sure way to filter at the single-packet level. Characteristics:

    - Unusually large number of TCP SYNs directed at a single destination address
    - Unusually large number of destination unreachable responses to SYN/ACKs
    - Unusual source address patterns

  • Network Security 1-19

    Ack Scan (page 39 of NID)

    The attacker sends a lone ACK to probe specific ports. Live hosts respond with a reset to the unexpected ACK. This may be used by a hacker to determine the location of live hosts.

    Note that a lone ACK should normally be found only as:

    - the final transmission of the 3-way handshake
    - an acknowledgement of received data, or of data in progress
    - an acknowledgement of a received FIN

    Do you see evidence of any such normal use?
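Added example, not from the slides, turning the Observations and Ack Scan points into one check over already-parsed tcpdump fields: it follows each handshake, counts per destination the SYN/ACKs whose final ACK never arrived, and lists bare ACKs that fit none of the three normal uses listed above. The sample records, host names and the threshold of 10 half-open connections are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample, not from the slides: (src, dst, flags, has_ack) as parsed from
# tcpdump TCP lines. "S" with has_ack is a SYN/ACK; "." with has_ack is a bare ACK.
# 10.0.0.5 completes a normal handshake, 203.0.113.9 sends a lone ACK (an ack-scan
# probe, answered with RST) and twenty 192.0.2.x sources send SYNs never completed.
SAMPLE = [
    ("10.0.0.5.40001", "srv.example.com.23", "S", False),
    ("srv.example.com.23", "10.0.0.5.40001", "S", True),
    ("10.0.0.5.40001", "srv.example.com.23", ".", True),
    ("203.0.113.9.1234", "srv.example.com.23", ".", True),
    ("srv.example.com.23", "203.0.113.9.1234", "R", False),
] + [(f"192.0.2.{i}.5000", "srv.example.com.23", "S", False) for i in range(1, 21)] \
  + [("srv.example.com.23", f"192.0.2.{i}.5000", "S", True) for i in range(1, 21)]

def track(records, threshold=10):
    """Replay records through a per-connection handshake tracker. Returns half-open
    (SYN/ACK sent, final ACK never seen) counts per server, the bare ACKs that belong
    to no known connection, and the servers at or above the half-open threshold."""
    state = {}                                  # (client, server) -> syn|synack|open|closing
    lone_acks = []
    for src, dst, flags, has_ack in records:
        key, rev = (src, dst), (dst, src)
        if "S" in flags and not has_ack:          # client SYN: new handshake attempt
            state[key] = "syn"
        elif "S" in flags and has_ack:            # server SYN/ACK answering a pending SYN
            if state.get(rev) == "syn":
                state[rev] = "synack"
        elif flags == "." and has_ack:            # bare ACK
            if state.get(key) == "synack":
                state[key] = "open"               # third packet: handshake completed
            elif not {state.get(key), state.get(rev)} & {"open", "closing"}:
                lone_acks.append(key)             # no handshake, data or FIN to justify it
        elif "F" in flags:                        # FIN: the ACK of it is still legitimate
            for k in (key, rev):
                if k in state:
                    state[k] = "closing"
        elif "R" in flags:                        # RST: connection gone either way
            state.pop(key, None)
            state.pop(rev, None)
    half_open = defaultdict(int)
    for (_client, server), s in state.items():
        if s == "synack":
            half_open[server] += 1
    suspect = sorted(srv for srv, n in half_open.items() if n >= threshold)
    return {"half_open": dict(half_open), "lone_acks": lone_acks, "suspect": suspect}

if __name__ == "__main__":
    print(track(SAMPLE))
```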

  • Network Security 1-20

    TCP Session Hijacking

    The objective is to intercept an established TCP session and capture (impersonate) one end of the connection. This is a nontrivial effort that must maintain:

    - IP number
    - Established port numbers
    - Proper sequence number increments
    - Proper ack increments

  • Network Security 1-21

    Fragmentation

    Fragmentation allows an IPv4 datagram to cross a network that has an MTU smaller than the IP datagram.

    Recall that the MTU is the max payload of the link layer frame. Header fields involved:

    - Fragment ID
    - Offset number (13 bits)
    - Fragment Length
    - More Fragments Flag

  • Network Security 1-22

    IP datagram format

    (The same header figure as slide 1-7 above.)

  • Network Security 1-23

    IP Fragmentation & Reassembly

    - Network links have an MTU (max. transfer size): the largest possible link-level frame.
    - Different link types, different MTUs.
    - A large IP datagram is divided (fragmented) within the net: one datagram becomes several datagrams.
    - Reassembled only at the final destination.
    - IP header bits are used to identify and order related fragments.

    Fragmentation: in: one large datagram; out: 3 smaller datagrams. Reassembly reverses this.

  • Network Security 1-24

    IP Fragmentation and Reassembly

    ID=x, offset=0, fragflag=0, length=4000
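A worked version of the fragmentation slides' numbers, as an added example that is not from the slides: it splits the 4000-byte datagram into the three fragments the figure describes (ID, 13-bit offset in 8-byte units, more-fragments flag, length) and checks that a receiver can put them back together. The 1500-byte MTU, the 20-byte header and the ID value 7 are assumptions.

```python
def fragment(total_length, mtu, ident, header_len=20):
    """Split an IPv4 datagram of total_length bytes (header included) so that each
    piece fits the link MTU. Returns one (ID, offset in 8-byte units, more-fragments
    flag, fragment length) tuple per fragment: the header fields the slides list."""
    payload = total_length - header_len
    chunk = (mtu - header_len) // 8 * 8          # data per fragment: a multiple of 8 bytes
    frags, pos = [], 0
    while pos < payload:
        size = min(chunk, payload - pos)
        more = 1 if pos + size < payload else 0  # MF=0 only on the last fragment
        frags.append((ident, pos // 8, more, header_len + size))
        pos += size
    return frags

def reassemble(frags, header_len=20):
    """Rebuild the total length of each datagram from fragments grouped by ID. Raises
    when fragments overlap, a piece is missing, or the MF=0 fragment never arrived,
    which is how a receiver (or an IDS doing reassembly) notices a broken train."""
    by_id = {}
    for ident, offset, more, length in frags:
        by_id.setdefault(ident, []).append((offset * 8, length - header_len, more))
    result = {}
    for ident, pieces in by_id.items():
        pieces.sort()
        expected = 0
        for start, size, more in pieces:
            if start != expected:
                kind = "overlap" if start < expected else "gap"
                raise ValueError(f"ID {ident}: {kind} at byte offset {start}")
            expected = start + size
        if pieces[-1][2] != 0:
            raise ValueError(f"ID {ident}: last fragment (MF=0) missing")
        result[ident] = header_len + expected
    return result

if __name__ == "__main__":
    # The slides' 4000-byte datagram; MTU 1500 and ID 7 are assumptions for this example.
    frags = fragment(4000, 1500, ident=7)
    print(frags)               # [(7, 0, 1, 1500), (7, 185, 1, 1500), (7, 370, 0, 1040)]
    print(reassemble(frags))   # {7: 4000}
```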
