Examination of Datagram Fields II


Network Traffic Analysis Using tcpdump
Judy Novak
Johns Hopkins University Applied Physics Laboratory
jhnovak@ix.netcom.com
Examination of Datagram Fields II
All material Copyright © Novak, 2000, 2001. All rights reserved.

IP Header Fields

IP Header (20 bytes without options; bit positions 0-15 and 16-31 per 32-bit word)
4-bit version | 4-bit IP header length | 8-bit TOS | 16-bit total length (in bytes)
16-bit IP identification number | 3-bit flags | 13-bit fragment offset
8-bit time to live (TTL) | 8-bit protocol | 16-bit header checksum
32-bit source IP address
32-bit destination IP address
options (if any)
data

IP Version
• Found in first nibble of first byte offset of IP header
• Valid value 4 (IPv4) – future value of 6 (IPv6)
• Receiving host must check this value
• If not valid, silently discarded
• Possible insertion attack if NID does not reject

This field must be validated by a receiving host, and if it is not valid, the datagram will be discarded and no error message will be sent to the sending host. RFC 1121 states that the datagram must be silently discarded if an invalid value is discovered. So, crafting a datagram with an invalid IP version would serve no purpose other than to test whether the receiving host complies with the RFC. If a packet arrives at a router with an invalid IP version, it should be rejected. So using this as a means of an insertion attack would be rather difficult unless the attacker is on the same network as the NID. If that happens, and a series of packets with an invalid IP version is sent to the end host and the NID does not reject them, this would be an insertion attack – something the NID accepts that the destination host should surely reject.
Mutant IP Version
• isic software can generate bad IP versions
• Done to test the integrity of receiving host IP stack

isic -s 10.10.10.10 -d 1.1.1.1 -p 10 -V 100
(-s source IP, -d dest IP, -p number of packets, -V percentage of packets with bad IP versions)

15:44:34.376749 10.10.10.10 > 1.1.1.1: ip-proto-117 1260 [tos 0x83]
0383 04f8 0001 0000 0675 0383 0a0a 0a0a 0101 0101
b91e 6f98 55d4 5c7c a64b 3367 72c8 e1c4 5c03 7fc1
5cd9 ea3e d96a 1207 c293 e28c 9cb5
(high-order nibble of the first byte: version = 0)

The isic software is intended to test the integrity of a receiving host's IP stack. It can also be used to see how firewalls or intrusion detection systems react to mutant packets. We generate the command and specify a source IP of 10.10.10.10 and a target host of 1.1.1.1. The source IP is a decoy host, while the destination IP is an actual host. We can specify the number of packets to be sent using the –p option – in this case 10. And, using the –V option, we can specify the percentage of packets that will have bad IP versions – in this case, all of the packets. We have captured the output sent using tcpdump. Because standard tcpdump doesn't reveal the IP version, we have to examine it by looking at the output in hexadecimal. We see that a bogus version of 0 has been generated.

Filter Writing Exercise
• What would the tcpdump filter be to find a value in the IP version field that is not equal to 4?

[Figure: first byte of the IP header (0 offset) – high-order nibble = IP version, low-order nibble = IP header length]

Suppose you wanted to write a filter that would examine the IP version number and spit out any records that did not have a value of 4 in this field. The IP version is found in the high-order nibble of the 0 offset byte of the IP header. Remember, you will have to mask out the low-order nibble.

Answer
• What would the tcpdump filter be to find a value in the IP version field that is not equal to 4?
Bit position:   2^7  2^6  2^5  2^4 | 2^3  2^2  2^1  2^0
Field:          IP version (high-order nibble) | IP header length (low-order nibble)
Mask byte:       1    1    1    1  |  0    0    0    0   (0xf0)

ip[0] & 0xf0 != 0x40
ip[0] & 0xf0 != 64

Because we are dealing with only the high-order nibble of the first byte, we want to preserve all original bits found in this field and discard all bits found in the low-order nibble. So, if we choose a mask of all 1's in the high-order nibble and all 0's in the low-order nibble, that ought to accomplish this. Next, we figure out that this mask byte is a hex f0, and we must do a boolean AND operation of this mask byte with the original byte. Hence, the filter becomes ip[0] & 0xf0 != 0x40. Remember, because we are dealing with the high-order nibble, we are really dealing with a factor of 16. A 4 in the high-order nibble would fall in the 2^6 position in the entire byte, which is 64. So, you can represent this as 0x40, or you could even say 64 decimal.

IP Protocol Number
• Found in 9th byte offset of IP header
• Indicates the type of embedded protocol
• List of supported protocols found at: ftp://ftp.isi.edu/in-notes/iana/assignments/protocol-numbers
• If tcpdump doesn't know name of protocol, displays as ip-proto-#

15:44:34.376749 10.10.10.10 > 1.1.1.1: ip-proto-117 1260 [tos 0x83]
0383 04f8 0001 0000 0675 0383 0a0a 0a0a 0101 0101

You have already learned that the IP protocol number indicates the type of service that follows the IP header. tcpdump will know the more common of these protocols and will often display them with the standard display – such as icmp or udp. But, if tcpdump doesn't know the name of the embedded protocol, it will display it as ip-proto-#, where # is the decimal representation of the protocol. In the output above, tcpdump found a 0x75 value in the protocol field and presents it on output as ip-proto-117.
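To check the slide's hex dump by hand, here is an added example (not part of Judy Novak's course material) that decodes the 20-byte IP header from the dump above, applies the same nibble mask as the ip[0] & 0xf0 != 0x40 filter, and names the protocol the way tcpdump does; the four-entry name table is an assumption covering only the protocols the nmap slide lists.

```python
import struct

# Hex dump copied from the slide: the isic packet with its version nibble forced to 0
# (decoy source 10.10.10.10, target 1.1.1.1); only the 20-byte header is needed here.
SLIDE_DUMP = "0383 04f8 0001 0000 0675 0383 0a0a 0a0a 0101 0101"


def parse_ip_header(hexdump: str) -> dict:
    """Decode the fields tcpdump shows only in hex: version, IHL, ID, flags, TTL..."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("need at least the 20-byte fixed IP header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    header_len = (ver_ihl & 0x0F) * 4      # low-order nibble counts 32-bit words
    return {
        "version": ver_ihl >> 4,           # high-order nibble of byte 0
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # tcpdump prints total length minus header length after the addresses
        "payload_len": total_len - header_len,
    }


def bad_version(hexdump: str) -> bool:
    """The same test the tcpdump filter 'ip[0] & 0xf0 != 0x40' applies to byte 0."""
    first = bytes.fromhex(hexdump.replace(" ", ""))[0]
    return (first & 0xF0) != 0x40


def proto_name(proto: int) -> str:
    """Mimic tcpdump's output: a known name, otherwise ip-proto-<decimal>."""
    known = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}   # assumption: the four on the nmap slide
    return known.get(proto, f"ip-proto-{proto}")


if __name__ == "__main__":
    hdr = parse_ip_header(SLIDE_DUMP)
    print(hdr, bad_version(SLIDE_DUMP), proto_name(hdr["proto"]))
```

For the slide's dump this yields version 0, a 12-byte header, total length 1272 and hence the 1260 tcpdump printed, TOS 0x83 and ip-proto-117.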
Scanning IP Protocols
• nmap can scan all 256 possible protocol numbers
• Determines what protocols are active on a host
• Negative responses can be used for host mapping

nmap -sO target

Starting nmap V. 2.54BETA1 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting protocols on myhost.net (192.168.5.5):
(The 250 protocols scanned but not shown below are in state: closed)
Protocol State Name
1 open icmp
2 open igmp
6 open tcp
17 open udp

Conveniently, later versions of nmap have the ability to scan a host for open protocols. This is done using the –sO option. The target host is scanned for all 256 possibilities of protocols. Protocols are deemed open when no ICMP error message is returned to say that they are unreachable.

Output of Protocol Scan

07:30:31.405513 scanner.net > target.com: ip-proto-134 0 (DF)
07:30:31.405581 scanner.net > target.com: ip-proto-100 0 (DF)
07:30:31.405647 scanner.net > target.com: ip-proto-15 0 (DF)
07:30:31.405899 target.com > scanner.net: icmp: target.com protocol 124 unreachable (DF)
07:30:31.788701 scanner.net > target.com: ip-proto-132 0 (DF)
07:30:32.119538 target.com > scanner.net: icmp: target.com protocol 166 unreachable (DF)
07:30:34.098715 scanner.net > target.com: ip-proto-109 0 (DF)
07:30:34.098782 scanner.net > target.com: ip-proto-129 0 (DF)
07:30:34.098849 scanner.net > target.com: ip-proto-229 0 (DF)
07:30:32.779583 target.com > scanner.net: icmp: target.com protocol 236 unreachable (DF)
07:30:34.099557 target.com > scanner.net: icmp: target.com protocol 109 unreachable (DF)

The nmap scan will scan all 256 different protocol types. A host that receives this type of scan should respond with a protocol unreachable message to any protocols that it doesn't support. While the supported protocols of a host are mildly interesting, the more important reconnaissance from this type of scan is that the host is alive.
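As an added example (not part of the course material), the following detection logic reads tcpdump text lines in the format of the scan output above and flags a sender that probes many unnamed protocol numbers, so a NID can alarm on exactly the traffic shown; the sample lines and the threshold of three distinct protocols are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the 'Output of Protocol Scan' slide: probes to
# odd protocol numbers, the target's ICMP protocol-unreachable replies, and one
# ordinary UDP datagram from an unrelated host.
SAMPLE = """\
07:30:31.405513 scanner.net > target.com: ip-proto-134 0 (DF)
07:30:31.405581 scanner.net > target.com: ip-proto-100 0 (DF)
07:30:31.405647 scanner.net > target.com: ip-proto-15 0 (DF)
07:30:31.405899 target.com > scanner.net: icmp: target.com protocol 124 unreachable (DF)
07:30:31.788701 scanner.net > target.com: ip-proto-132 0 (DF)
07:30:32.119538 target.com > scanner.net: icmp: target.com protocol 166 unreachable (DF)
07:30:34.098715 scanner.net > target.com: ip-proto-109 0 (DF)
07:30:34.099557 target.com > scanner.net: icmp: target.com protocol 109 unreachable (DF)
07:30:40.000000 other.net > target.com: udp 32
"""

# tcpdump prints a protocol it has no name for as ip-proto-<decimal>
PROBE = re.compile(r"^\S+ (\S+) > (\S+): ip-proto-(\d+) ")
UNREACH = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ protocol (\d+) unreachable")


def protocol_scan_report(lines: str, threshold: int = 3) -> dict:
    """Group unnamed-protocol probes by sender and report senders that tried at
    least `threshold` distinct protocol numbers (the signature of nmap -sO).
    'no_error' is what the scanner would conclude is open: probed, never rejected."""
    probed = defaultdict(set)        # sender -> protocol numbers it sent
    unreachable = defaultdict(set)   # sender -> protocols the target rejected
    for line in lines.splitlines():
        m = PROBE.match(line)
        if m:
            probed[m.group(1)].add(int(m.group(3)))
            continue
        m = UNREACH.match(line)
        if m:
            # the ICMP error travels back to the scanner, the destination here
            unreachable[m.group(2)].add(int(m.group(3)))
    return {
        sender: {
            "probed": sorted(protos),
            "unreachable": sorted(unreachable[sender]),
            "no_error": sorted(protos - unreachable[sender]),
        }
        for sender, protos in probed.items()
        if len(protos) >= threshold
    }


if __name__ == "__main__":
    for sender, info in protocol_scan_report(SAMPLE).items():
        print(f"possible protocol scan from {sender}: {info}")
```

If outbound ICMP is blocked at the gateway, as the notes below describe, the unreachable set stays empty and the probes alone still trip the threshold.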
This is a more stealthy type of scan that may not cause an intrusion detection system to alarm. However, if the site has a "no ip unreachable" statement on the outbound interfaces of the gateway router or blocks outbound ICMP, this information will not be leaked to the scanner. In that instance, the scan will be useless.

[...]

... just to eliminate this vestige of the true origin of the datagram.

Using the –vv Option
• More verbose format of tcpdump output
• Displays:
  • Time to Live (TTL)
  • IP header identification number
• Can help uncover "spoofed" source IP's

It turns out that the –vv option of tcpdump can be used to help us investigate if a datagram or multiple datagrams have been spoofed. If the IP ID field and the ...

... higher the priority of the packet. This, of course, assumes that a router is capable of analyzing and handling this field.

TOS Future Versions
• Differentiated Services Byte
• Explicit Congestion Notification (ECN) Bits: ECN-capable (0x02), Congestion Experienced (0x01)

It seems that the Type of Service byte has undergone several rounds of alterations since its incipient purpose. One of these alterations ...

... IP number of a different address space, it is either being spoofed or there is a misconfiguration problem with a host. In either case, this traffic should not be allowed to leave your network. This will prevent hosts in your network from participating in distributed denial of service attacks, since participant hosts usually use spoofed source IP numbers so that they cannot be located. Other types of scans use ...

... fragment ID

The IP identification value is found in bytes 4-7 of the IP header. For each new datagram that a host sends, it must generate a unique IP ID number. This value is typically incremented by 1 for each new datagram sent by the host. This unique value is required in case the datagram becomes fragmented. All fragments from the datagram will share this same IP ID number. This is also referred to ...
... reliability (0x04)

The Type of Service (TOS) field is byte 1 of the IP header. The 3 high-order bits are used to represent a 3-bit precedence field that prioritizes the traffic. The unused bit must be 0. Only one of the TOS bits should be set. A value of all zeros means normal service. RFC 1349 discusses the TOS in detail. An application or protocol sets a TOS, and routers make decisions of how to route packets ...

... probably were spoofed. A hop count back to the source IP that varies widely from the expected hop count is a better indication that the source IP was spoofed. Also, if the actual hop counts back to the three different source IP's differed more substantially from each other, this too would be a better lone indicator of spoofing. You may be unable to do traceroutes to/from your network because of router/firewall ...

... the selected datagram size of the discovery packet is used for subsequent packets. If an ICMP message is returned with an unreachable error – need to frag message and the MTU is included, then the protocol resizes the datagram so that fragmentation does not occur. Some operating system TCP/IP stacks set the DF flag on certain types of packets, and nmap will use this as one of the tests to try to fingerprint ...

... last fragment
• Fragmentation identified by:
  • MF = 1
  • Non-zero fragment offset

The more fragments (MF) flag is one of the fields that tells about a fragment train. All fragments except the final one should have the MF flag set. The way that a receiving host will detect fragmentation is that this flag is set or that the fragment offset field in the IP header is non-zero.

Mapping Using Incomplete Fragments ...
... network numbers
• Unnatural values for destination IP numbers leaving network
• Broadcast addresses

The source IP number is located in the 12th-15th bytes offset of the IP header; the destination IP number is located in the 16th-19th bytes offset of the IP header. If you see an IP number entering your network that purports to be from your network, there is a problem. Most likely someone has crafted this ...

... be few instances of legitimate protocol unreachable messages.

Type of Service Byte
• Precedence bits: used by router to determine which packet to send first when several packets are queued for transmission to the same output interface
• Type of Service bits: used by router to select routing path when multiple paths are available – maximize throughput (0x08), minimize cost (0x02) ...

Posted: 26/10/2013, 23:15
