1 1 Network Traffic Analysis Using tcpdump Judy Novak Judy Novak Johns Hopkins University Applied Physics Laboratory jhnovak@ix.netcom.com Examination of Datagram Fields III All material Copyright  Novak, 2000, 2001. All rights reserved. 2 2 TCP Fields This page intentionally left blank. 3 3 TCP Header 0 15 16 31 20 bytes options (if any) data (if any) 16-bit source port number 16-bit destination port number 32-bit sequence number 32-bit acknowledgement number 4-bit header length reserved (6-bits) U A P R S F R C S S Y I G K H T N N 16-bit window size 16-bit checksum 16-bit urgent pointer This page intentionally left blank. 4 4 TCP Ports • 16-bit fields representing source and destination ports • Valid values 1 – 65535 • Initial source port ephemeral range > 1023 • Multiple connections attempted, source ports should change The port fields are two separate 16-bit fields in the TCP header, one for source and another for destination ports. The valid range of values is between 1 and 65535; the use of port 0 is typically a “signature” of some sort. When a source host wishes to connect to a destination host, an ephemeral port is typically selected in the range of ports greater than 1023. For each new sending connection that the host attempts that is not a retry, a different ephemeral port should be selected. 5 5 Source Port Mutation nmap –sS sparky 09:40:43.964215 verbo.47247 > sparky.1548: S 2401927088:2401927088(0) win 2048 09:40:43.964412 verbo.47247 > sparky.24: S 2401927088:2401927088(0) win 2048 09:40:43.964465 verbo.47247 > sparky.1547: S 2401927088:2401927088(0) win 2048 09:40:43.964553 verbo.47247 > sparky.2564: S 2401927088:2401927088(0) win 2048 09:40:43.964604 verbo.47247 > sparky.1484: S 2401927088:2401927088(0) win 2048 09:40:43.964642 verbo.47247 > sparky.1460: S 2401927088:2401927088(0) win 2048 09:40:43.964695 verbo.47247 > sparky.628: S 2401927088:2401927088(0) win 2048 09:40:43.964748 verbo.47247 > sparky.1112: S 2401927088:2401927088(0) win 2048 This is output from running nmap with the option of sending a host a SYN scan. You’ll notice that nmap uses a default behavior of using a static source port for this scan. This is a signature of this scan; if this followed normal behavior, you would expect to see the source port numbers incrementing in the ephemeral port range. 6 6 Destination Port Mutation hping2 –S sparky 09:44:13.882207 verbo.1788 > sparky.0 : S 1553132317:1553132317(0) win 512 09:44:14.876837 verbo.1789 > sparky.0 : S 1894028093:1894028093(0) win 512 09:44:15.876836 verbo.1790 > sparky.0 : S 2032501562:2032501562(0) win 512 09:44:16.876832 verbo.1791 > sparky.0 : S 851202745:851202745(0) win 512 09:44:17.876843 verbo.1792 > sparky.0 : S 1659659021:1659659021(0) win 512 09:44:18.876836 verbo.1793 > sparky.0 : S 731953738:731953738(0) win 512 Now, look at the default behavior that hping2 exhibits doing a SYN scan. It increments the source port as we expect, however it uses destination port 0 as its default target. The intent of this type of scan obviously is not to find a listening port. This type of scan would be used to elicit a RESET response to see if a host is alive and in so doing perhaps examine other traits of the responding datagram. 7 7 Sequence Numbers • 32-bit number that uniquely identifies the initial byte of segment data • Should change for each new (non-retry) TCP segment sent • Initial sequence number (ISN) represents first sequence number in TCP exchange • ISN used to fingerprint operating system The TCP sequence numbers are used to uniquely identify the beginning byte of each TCP segment that is sent. This is a way to keep track of all the TCP data that is sent and all that is received in a TCP stream. Most times, there is more TCP data than can be sent with one TCP segment. Since TCP is a connection-oriented, reliable protocol, we have to have a mechanism to account for data being sent and received. In part, that is done using TCP sequence numbers. These sequence numbers should not be repeated unless there is a retry of the same connection. The initial sequence number (ISN) is the first sequence number that is used in the TCP exchange between the sending hosts. Each host in the exchange selects a unique initial sequence number when sending the initial SYN connection to the other host. The formula that hosts use to select their initial sequence number is examined by nmap to help fingerprint the operating system. There is a file that comes with nmap, nmap-os-fingerprints, that has a list of different operating systems. Given a set of tests that will be executed by nmap against a target host, if the received values exactly match the ones listed for the OS, it is classified as that particular OS. The first test executed by an OS fingerprinting nmap scan is one that examines the initial sequence numbers generated from sending connections to a listening port. Different TCP/IP stacks use different formulas to generate the ISN. Some of the older operating systems used a predictable increment for each new connection, but someone watching and sniffing could hijack a connection using this information as was done in the infamous Mitnick attack. Other operating systems have a time-dependent formula that predictably increases the ISN based on a given time change. 8 8 Sequence Number Prediction nmap –O win98 (The 1522 ports scanned but not shown below are in state: closed) Port State Service 139/tcp open netbios-ssn TCP Sequence Prediction: Class=trivial time dependency Difficulty=1 (Trivial joke) Remote operating system guess: Windows NT4 / Win95 / Win98 Using nmap to scan the host win98 and identify the operating system using the –O option, it discovers that the generation of initial sequence numbers is based on a formula using a “trivial time dependency”. And, it reports that predicting a new TCP sequence number would be a “trivial joke”. Windows NT, Windows 95 and Windows 98 all use this same formula. The best type of formula for generating unpredictable sequence numbers is one that is truly random which is what operating systems such as Linux 2.0 kernels use. 9 9 Sequence Number Mutation nmap –sS sparky 09:40:43.964215 verbo.47247 > sparky.1548: S 2401927088:2401927088(0) win 2048 09:40:43.964412 verbo.47247 > sparky.24: S 2401927088 :2401927088(0) win 2048 09:40:43.964465 verbo. 47247 > sparky.1547: S 2401927088:2401927088(0) win 2048 09:40:43.964553 verbo.47247 > sparky.2564: S 2401927088 :2401927088(0) win 2048 09:40:43.964604 verbo.47247 > sparky.1484: S 2401927088 :2401927088(0) win 2048 09:40:43.964642 verbo.47247 > sparky.1460: S 2401927088 :2401927088(0) win 2048 09:40:43.964695 verbo.47247 > sparky.628: S 2401927088 :2401927088(0) win 2048 09:40:43.964748 verbo.47247 > sparky.1112: S 2401927088 :2401927088(0) win 2048 Looking at the nmap output again that does a SYN scan of a host, we see it has a signature of a static TCP sequence number along with the static source port number. 10 10 Acknowledgement Numbers • TCP is a connection-oriented protocol • Sending host knows receiving host has gotten data by an acknowledgement • ACK number is 32-bit number • Represents the next byte of data receiving host expects: (last received sequence number + 1) • Valid value should be greater than 0 07:48:09.134305 verbo.62638 > win98.netbios-ssn: S 3742735770:3742735770(0) win 2048 07:48:09.134515 win98.netbios-ssn > verbo.62638: S 3982854:3982854(0) ack 3742735771 win 8576 <mss 1460> (DF) The method that TCP uses to ensure that data is received is via an acknowledgement. This is done using the acknowledgement number which is a validation that the receiving host did indeed get the data. The acknowledgement number sent by the receiving host actually represents the next expected sequence number. Because a SYN connection consumes one sequence number, and since the acknowledgement value is one more than this sequence number, a valid acknowledgement number must be greater than 0. nmap can attempt to identify live hosts by sending a remote host a TCP connection with an unsolicited ACK flag set. The desired response to this is a RESET from the remote host which indeed indicates that the remote host is alive regardless of whether the scanned port is listening or not. Current versions of nmap have a telltale signature because the ACK flag is set, yet the acknowledgement number is 0. Above the sending host verbo, has an initial sequence number of 3742735770. The receiving host, win98, acknowledges this by indicating that the next sequence number it expects to receive is 374173577. [...]... Let’s examine the middle of a session between a Linux host known as sambaserver and a Windows 98 host We come in right after the 3-way handshake We see that that the Windows host has a window size of 8760 and the Linux host has a window size of 32120 On the second line, the Linux host sends the Windows host 80 bytes of data On the next line, you see the acknowledgement of receipt of this data, but you... round-trip time measurements and load balancing to offer better services A more stealthy use of this might be to elude detection and analysis of the content of the payload that accompanies the SYN 28 RTT Measurement • 3DNS software attempts to measure RTT to DNS server 209.67.78.202.2202 > mydns.com.53: S 997788921:997788985(64) win 2048 29 We’ll cover the 3DNS software in much more detail in the section on... are not ECN-capable One of the tests that nmap conducts is setting one of the “bogus” TCP flag bits to see how the receiving host responds This is really nothing more than operating system fingerprinting So, tcpdump is really reporting a “false alarm” of the ECN-echo bit being set If this were an actual case of true ECN flag setting, the packet would have to have a non-zero Type of Service (TOS) value... this will be an insertion attack of the NID On the other hand, if the end-host accepts it, yet the NID rejects it, it will be an evasion attack of the NID hping2 was used to generate this output The options used are –a to spoof the source IP, –p to send it to destination port 21, -S to send a SYN, and –d to send 8 bytes of data to destination IP 10.10.10.10 30 UDP Fields 31 This page intentionally... Ports • 16-bit fields representing source and destination ports • Valid values 1 – 65535 • Initial source port ephemeral range > 1023 • Multiple connections attempted, source ports should change 33 Just as with TCP ports, UDP port fields are two separate 16-bit fields in the TCP header, one for source and another for destination ports The valid range of values is between 1 and 65535; the use of port 0 is... Upon receipt of a TCP segment with the ECN-echo bit set, the sender will reduce its congestion window (loosely speaking – the size of the sending buffer) by half Once it reacts in this manner, it will turn on the Congestion Window Reduced (CWR) bit to inform the other side of the conversation that remedial action to reduce congestion has occurred This bit is found in the high-order bit of the TCP byte... bytes of data back to the Linux host The Linux host acknowledges receipt of this data, but its window size doesn’t decrease; it processed the data immediately The remainder of the session is very similar Data is pushed back and forth; the Linux host appears to process what it receives immediately because we see no change in the window size But the Windows host appears to be waiting for some type of trigger... this The RFC suggests using the two high-order bits of the TCP flag byte as fields for ECN The bit to the right of the high-order bit will be known as the ECN-echo bit This bit will be turned on when TCP receives a packet that has the TOS ECN-capable bit and the Congestion Experienced bits both set in the IP header This assumes that both end-points of the TCP conversation are ECN capable and that is... host to which to send the traffic One of the methods employed is to send a SYN connection to TCP destination port 53 of the DNS server In order to get a more accurate measurement or one that is likely to simulate an average web transfer, 64 bytes of zero-data/padding are sent This activity is not considered malicious, but it is definitely considered invasive It sets off many IDS – no wonder, TCP port... This is another set of retries, but the time interval at which each new attempt is made is fairly constant at about half a second This seems to make less sense than the previous backoff algorithm By doubling the time between retries, if the destination host is suffering some kind of temporary problem, it may respond if we continue to wait This algorithm has a more insistent approach of not really waiting . jhnovak@ix.netcom.com Examination of Datagram Fields III All material Copyright  Novak, 2000, 2001. All rights reserved. 2 2 TCP Fields This page intentionally. change The port fields are two separate 16-bit fields in the TCP header, one for source and another for destination ports. The valid range of values is between