1 1 Network Traffic Analysis Using tcpdump Judy Novak Judy Novak Johns Hopkins University Applied Physics Laboratory jhnovak@ix.netcom.com Examination of Datagram Fields I All material Copyright  Novak, 2000, 2001. All rights reserved. 2 2 Examination of Datagram Fields • Introduction to tcpdump • Writing tcpdump Filters • Examination of Datagram Fields • Beginning Analysis • Real World Examples • Step by Step Analysis This page intentionally left blank. 3 3 Objectives • Look at different IP datagram fields • What is normal behavior/values for fields? • Why and how might values might be altered? This page intentionally left blank. 4 4 Why are Packets ”Crafted”? • Attempt to fingerprint remote operating system • Elude detection by IDS • Send covert messages/channels • Elicit a response for mapping live hosts Why would someone craft traffic to be abnormal or different in some way? We’ll examine this topic in this section as we see mutations that are done to the IP datagram. Some of the reasons for this are: Fingerprinting: The intent is to send an unexpected stimulus of some sort by altering the datagram and detecting how a target host responds. If enough deviant stimuli are sent and responses gathered, it is possible to identify the operating system of the target host. This is done to better know how to target a future attack. Evasion: If the intent is to scan hosts or do some kind of reconnaissance for a future attack or attack a host, why not try to send traffic that will scan yet, at the same time elude notice by an intrusion detection system? Covert messages/channels: It is possible to alter fields or protocol operations in an attempt to send secret traffic between hosts. Fields or methods have to be selected that are not likely to attract attention. Elicit a response for mapping: If live host mapping cannot be done in a more classic sense with echo requests and replies, perhaps because of access control lists; there are less conventional ways to map. Some of these ways include sending traffic to a host and having it respond with some kind of error message. This is enough to indicate that the host is alive. 5 5 How are Packets “Crafted”? • Normally, IP datagram assembled by layers of TCP/IP stack • Different means of crafting packets • Application Programming Interfaces (API) • Unix sockets • Unix libnet interface • Tools • nmap • hping2 • ISIC A good paper is available that discusses Unix sockets – it is entitled “Raw IP Networking FAQ” and is found at www.whitefang.com/rin. Both socket and libnet routines are used in programs such as C or perl. The user must decide what values to use to construct the packet and use the routines to fashion and send the packet. There are many software packages available to craft packets. These are easier to use than the API’s because all you need to do is select command line options and the packet is crafted for you. Here is where to go to get the software mentioned in the slide: libnet – www.packetfactory.net nmap – www.insecure.org hping2 – packetstorm.securify.com - hping2-beta54.tar.gz ISIC – packetstorm.securify.com - isic-0.05.tar.gz “Libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. “ 6 6 nmap • “Network exploration tool and security scanner” • Scans network/hosts to determine: • Live hosts • Services running on hosts • Operating system running on hosts Straight from the man page for nmap, the description of the tool is “network exploration tool and security scanner”. nmap is one of the most sophisticated tools available for remote scanning of a host. Through overt and stealthy means, it can map a network for live hosts, map hosts for services running, and send hosts connections that are intended to elicit responses to assist in determining how they are unique and therefore figuring out the operating system of the scanned host. nmap has a bevy of command line options to alter its behavior. It can scan in stealth modes so as to evade notice or attempt to elude detection. It can send “decoy” traffic as it scans and fires off traffic to the scanned host with a spoofed source ip(s) so that the receiving host or network will not know the real source of the traffic from the bogus traffic. This is a truly remarkable and useful tool; the author is Fyodor. 7 7 hping2 • “A network tool able to send custom ICMP/UDP/TCP packets and display target replies” • Can be used to test firewall rules • Scan ports of hosts • Test network performance hping2 is a very useful tool in scanning and crafting traffic to send to remote hosts. Some of its capabilities are: • sending spoofed source IP addresses • setting a default initial TTL • setting an IP ID number • fragmenting packets • setting TOS field • setting source port • setting TCP window size • sending data with TCP transmission • setting any TCP flag The author of hping2 is antirez. 8 8 ISIC • “Intended to test the integrity of an IP stack and its component stacks (TCP, UDP, ICMP)” • Suite of tools: isic, tcpsic, udpsic, icmpsic • Test firewall ability to block unusual values in packets • Test IDS ability to detect isic is used to generate random mutations to the IP header. tcpsic, udpsic, and icmpsic generate mutant packets for TCP, UDP, and ICMP portions of the datagram. The intention is to test how the receiving host’s TCP/IP stack responds to very strange traffic. Some of the capabilities of this tool suite are: • corrupt fields in the IP header such as: •IP version • header length •protocol • send strange fragments • corrupt fields in the TCP header such as: •flag fields • header length • acknowledgement numbers • checksum • corrupt fields in the UDP header such as: • header length • checksum • corrupt fields in the ICMP header such as: •ICMP type • ICMP code • checksum The author of ISIC is Mike Frantzen. 9 9 How Does nmap do OS Fingerprinting? In the next several slides, we’ll examine how nmap determines a remote host’s operating system. It does a series of tests against the remote host and matches responses with a file that contains expected responses per operating system. Different TCP/IP stacks respond differently to the same stimulus. 10 10 nmap-os-fingerprints • nmap comes with a file nmap-os-fingerprints • Scanning host sends remote host many different connections: • 9 different “tests” are examined • File contains expected responses for various different operating systems nmap comes with a fingerprinting file which lists hundreds of variations of operating systems and the expected responses of each OS to 9 different tests. nmap probes remote systems for responses that differ among operating systems. Some of these tests send unexpected stimuli to see how the remote host will respond. Using a combination of these tests, nmap accurately distinguishes not only operating system types, but actual releases of the same operating system. There is a wonderful article that comes with nmap that discusses what the operating system fingerprinting attempts to accomplish and how it does so. This is located in the file nmap- fingerprinting-article.txt. This can also be found at the nmap site, www. insecure.org . [...]... it to be 0x76af, the IP header is considered to be valid If the checksum is anything other than this value, the datagram is silently discarded If the IP header checksum is correct, when the UDP layer of win98.com receives the datagram, it will validate the UDP checksum In this case, it must be 0x1797 to be considered valid If it isn’t, it is silently discarded If this happens, it is up to the sending... will reject the overflow data The NID would have to be aware of exactly how much data the destination host window can receive at any given moment While keeping track of a lot of this information is feasible for the NID, understand that as you require the NID to perform more functions and duties, the slower the NID will become in processing all traffic It is a tradeoff of functionality and speed Additionally,... complements of 16-bit fields, we arrive at the binary value of 0111 0011 0001 0111 which is a hexadecimal 7317 – the original value we found in the IP datagram header 29 How is IP Checksum Used? • If IP checksum invalid, datagram discarded • Every router examines IP checksum • If valid, decrements ttl value and recomputes new checksum • IP checksum ensures integrity of IP header data only Router 1 Datagram IP... written in 1998 called “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” In it, the authors Thomas Ptacek and Timothy Newsham discuss attacks that can elude detection by the NID by using methods of sending traffic that will cause the NID and the destination host to view packets sent differently The paper is an excellent treatise of different conditions that can cause a NID... seen by the NID, yet they will never reach the destination host or if they do, the destination will reject them as faulty The NID and the destination host see different traffic A second attack is known as evasion This involves the same idea of sending a set of streams of data to the destination host, yet this time the destination host will see all the traffic that the NID does, but it will evaluate... NID This is an oversimplified discussion of this attack TCP sequence numbers need to be synchronized correctly for this to work against the target host Some NIDs do not track sequence numbers and just accept the TCP segments in the order in which they arrive, which is not necessarily the order in which they were sent 19 Evasion NID destination Data on SYN S S NID NID destination T T NID sees T Destination... checksum, it is exactly the same A datagram with 16-bit fields swapped is a vastly different datagram in meaning and resolution when fields are swapped So, this is a drawback of using this computation Why not use a more complicated and reliable algorithm for the checksum? This computation is done for each packet that a router receives The simpler the algorithm, the quicker the computation time The checksum... obfuscation of strings to launch a series of attacks against web servers is known as whisker written by Rain Forest Puppy Here is what he says about eluding a NID: “Anti-Intrusion Detection System (IDS) tactics were one of the original key features of my whisker web scanner The goal of any anti-IDS tactic is to mutate a request so much that the ID systems will get confused.” The phf command was included in... Let’s consider a packet that was examined by a sensor using tcpdump tcpdump finds a problem with it when doing its own integrity check This is a momentary digression from checksums, but we will examine the possibility of packet corruption in the context of checksums in the next slide So, tcpdump reports a bad header length This refers to the TCP header length See if you can examine fields in this datagram. .. of the TCP/IP stacks that differ among operating systems Additionally, there are timing issues of seeing connections at different times than the destination host does and not knowing exactly how it will respond For instance, TCP has a receive buffer known as a window that is responsible for flow control to the destination host If the destination host receives more data than the window can handle, it . ICMP)” • Suite of tools: isic, tcpsic, udpsic, icmpsic • Test firewall ability to block unusual values in packets • Test IDS ability to detect isic is used. their theory. Along with the denial of service of a NID, the paper basically discusses the idea of individual attacks to confuse the NID. The first is