Detecting Reconnaissance Through Packet Forensics by Shashank Nigam @ Combined null/OWASP Delhi meet on 20/09/2015

1. Detecting Reconnaissance
Through Packet Forensics
Shashank Nigam

2. Target Audience
 Network Analysts
 Network Admins
 Security Engg.
 Security Researchers and Enthusiasts
 Anyone who is interested

3. • S3cu4ity Enthusi@astic and S3cu4ity C0n5ult@nt for Security
Compass
• Love to Expl0r3 the W0rld of s3cu4ity
• Have a Blog of my 0wn
• http://securityissuesrevealed.blogspot.in/
• Contact me:
• https://www.linkedin.com/pub/shashank-nigam/21/30/3bb
• Email: shasha.nigam@gmail.com
shashank@securitycompass.com

4. • What is Reconnaissance ???
• Network Packet Analysis
• Analyzing network packets for detecting various
Reconnaissance activity in your network ; example TCP /UDP
Port scan , Application Fingerprinting, OS fingerprinting, trace
route .
• Detecting unusual traffic into your cabling system
• Identifying packets in depth

5. • How Does TCP IP Communication Occurs ????????

6. • Windows Box (win7 or win xp)
• A Linux or attacker’s machine with nmap
• KF Sensor (A honeypot running on Windows Box)
• Wireshark ( network protocol Analyzer on windows box)
• Other recommended Tools
 Xprobe
 Hping
 Nmap

7. • Some virus or worm trying to establish a remote shell
• Clear text information travelling across the cabling system
• Some unusual port activity (Dynamic ports )
• No spoofed Address
• No scan activity like port scan , OS scan etc.
• Examples: BLASTER WORM, TCP/UDP PORTSCAN, Connectivity
tests etc.

8. Analyzing Blaster worm:
• Blaster is worm that exploits DCOM RPC vulnerability
discovered in August 2003
• It download msblast.exe file to %WinDir%system32 and
executes it.
• uses cmd.exe to create hidden remote shell process which
listens on TCP port 4444.
• This allows an attacker to send commands on an infected
machine.

9. Some more unusual traffic:
• Character generator traffic (port 19)
• Data sent to chargen port (19), we can find data echoing back
with some sequence of random character
• Basically performed for some connectivity test
• Such traffic should not be present on cabling system unless
chargen is purposefully used.

10. • Reconnaissance is a way to gather information about target
before actually planning for an attack
• Success of an attack depends largely upon the reconnaissance
made
• TCP or UDP port scan
• Application fingerprinting
• OS fingerprinting
• Illegally formed scans etc.

11. • TCP three way handshake involves TCP SYN, SYN ACK AND ACK
packets exchanged between client and server.
• For a TCP port scan system send a TCP SYN packet to
destination port.
• If server supports the service it replies with SYN ACK packet ,
otherwise TCP RST packet is send across cabling system
If we see a lot of RST packets on the network and don’t
find a DATA exchange between two nodes , it signifies
a PORT Scan.

13. • For a UDP Scan client sends a UDP packet over a destination
port.
• If server does not supports particular service requested in
packet it replies back with ICMP type3/code3 packet.
• This ICMP Type3/code3 packet is unusual to find on network
traffic.
• Code 3 signifies Destination Unreachable/Port unreachable
If we find a lot of ICMP type3/code3 packets in traffic it
signifies UDP port scan is going ahead and requires
attention.

14. • Sometimes identifying packets is difficult task.
• TCP flags comes to rescue .
• Basically six types of TCP flags can be found in the packet.
 URGENT (URG)
 ACKNOWLEDGEMENT (ACK)
 PUSH (PSH)
 RESET (RST)
 SYNCHRONIZE (SYN)
 FINISH (FIN)
• Some uncommon and absurd combination of these flags in the
packet reveals an illegally formed packet

16. • IP Scan is usually done to find key services and protocols that
sits after IP header.
• It involves various routing protocols.
• In IP scan process scanner will alter the protocol values to
check for various supporting protocols on target system.

17. • What is Reconnaissance Process
• Analyzed TCP Port scan (3-way handshake and RST packets)
• Analyzed UDP Port scan (ICMP type 3 code 3 packet)
• Unusual Blaster and chargen traffic used for connectivity test
• Illegally formed scan packets with combinations of different
FLAG bits
• IP scan process looking for various routing Protocols.

18. • Usually a process of identifying the services running on port
• Does not merely works by identifying ports but send commands
to services.
• Useful where services running on custom ports.
• It identifies the banner or response from the service to identify
the services
• Try to analyze the packet for commands sent and data
transferred across network like application response , banner etc.

19. • Very important protocol for network Analyst
• RFC 792 at www.ietf.org
• ICMP packet can be used to perform OS fingerprinting and
connectivity test on you network.
• ICMP packet has three constant fields
 ICMP Type
 ICMP code
 Checksum
• Details of ICMP type and code refer to www.iana.org

20. Type 0 Echo reply
Type 3 Destination Unreachable
Type8 Echo Request
Type 11 Time Exceeded //Trace route
Type 13 Timestamp request
Type14 Time Stamp reply
Type 15 Information Request
Type 16 Information reply packet
Type 17 Address mask request
Type 18 Address mask reply
Reference : www.iana.org
OS fingerprinting

21. • ICMP based connectivity test
• Works with ICMP ECHO REQUEST packet (Type8) and ICMP
ECHO REPLY packet (Type 0)
• Trace route uses ping process
• Client A send Echo request packet (ping packet) with TTL 1
• Trace Route illustrated

22. Client A
Client B
1
TTL=1
12
TTL=2
3
TTL=3
Time Exceeded
in Transit
Time Exceeded
in Transit
R1
R2
R3
TTL=4
4
Echo
Reply

23. • To identify the remote platform or Operating system
• Active Fingerprinting
 TCP Stack Querying (ICMP, SNMP, TCP etc)
 Banner grabbing (FTP, TELNT , HTTP)
 Port Probing ( 135, 137, 445, 524)
• Key ICMP packets seen over Active OS fingerprinting are
 ICMP Type 13 Timestamp
 ICMP Type 17 Address mask
(These packets specific to Xprobe2)

24. • Key ICMP packets seen over Active
OS fingerprinting are
 ICMP Type 13 Timestamp
 ICMP type 15 Information
 ICMP Type 17 Address mask
• Together these three type of
packet signifies OS fingerprinting
• Order of packet is important to
identify the tool used to OS
fingerprint .
• Type13
• Type17
• Type 15
Xprobe tool

25. • Nmap is network scanning tool
• OS fingerprinting is module loaded with –A switch for OS
identification
• Nmap sends a series of Six packets to a known open ports.
• All these packets have
 Timestamp value of (Tsval) of 4294967295
 Tsecr value of 0
• All packet except 3rd packet have selective ACK (SACK)
permitted

26. • Packet #1: Window scale (10) , NOP, MSS, (1460), windows field:1
• Packet #2: MSS (1400), Windows Scale(0), Windows field(63).
• Packet#3: NOP, NOP, Windows scale (5) , NOP, MSS (640). Windows
field:4
• Packet#4: Windows Scale (10) . Windows field (4).
• Packet #5: MSS (536), Windows scale (10), Windows field: 16.
• Packet #6: MSS (265) , windows field: 512
 Reply packets undergo a large variety of additional tests
 Test for ISN , Sequence counter rate , Sequence predictability

27. • Application fingerprinting
• Various ICMP packet type and codes
• How a trace route operation works (Echo Request and Reply )
• ICMP Based OS Fingerprinting (Type 13 and type 17 packets )
• SYN packet based OS fingerprinting ( nmap )

28. • Wireshark University Course on Network security and
Forensics
• http://iana.org
• http://ietf.org
• http://keyfocus.net
• TCP IP fingerprinting supported by Nmap
• http://wiki.wireshark.org/

29. • Familiarize and study more about these topics
• Can analyze the packet logs of your switch and router.
• Research about various different attack fingerprints
• Start with network forensics course.
• Research and study about various other packets types and
structures i.e. DNS, SMTP, FTP, NETBIOS etc.