Tuesday, March 31, 2020

Real world packet analysis for network security

Real world packet analysis is done on network traffic for security reasons.  This could be the responsibility of an intrusion analyst reviewing network traffic from potential intruders, or of a forensic investigator attempting to ascertain the extent of a malware infection on a compromised host.  An intrusion analyst generally covers network reconnaissance, malicious traffic redirection, and system exploitation.  We will address each of these.

Reconnaissance

The first step that an attacker takes is to perform in-depth research on the target system.  This step, commonly known as footprinting, is often accomplished using various publicly available resources, such as the target company's website or Google.  Once this research is completed, the attacker will typically begin scanning the IP address (or DNS name) of its target for open ports or running services.

This scanning allows the attacker to determine whether the target is alive and reachable, and also on which ports the target is listening.  

SYN Scan

The type of scanning often done first against a system is a TCP SYN scan, also known as a stealth scan or half-open scan.  A SYN scan is the most common type for several reasons:

  • It is very fast and reliable
  • It is accurate on all platforms, regardless of TCP stack implementation
  • It is less noisy than other scanning techniques

The TCP SYN scan relies on the three-way handshake process to determine which ports are open on a target host.  The attacker sends a TCP SYN packet to a range of ports on the victim, as if trying to establish a channel for normal communication on the ports.  Once this packet is received by the victim, one of a few things may happen, as shown in the diagram below.



If a service on the victim's machine is listening on a port that receives the SYN packet, it will reply to the attacker with a TCP SYN/ACK packet, the second part of the TCP handshake.  The attacker then knows that the port is open and a service is listening on it.  Under normal circumstances, a final TCP ACK would be sent in order to complete the connection handshake, but in this case the attacker does not want that to happen, since he will not be communicating with the host further at this point.  So the attacker does not attempt to complete the TCP handshake.

If no service is listening on a scanned port, the attacker will not receive a SYN/ACK.  Depending on the configuration of the victim's operating system, the attacker could receive an RST packet in return, indicating that the port is closed.  Alternatively, the attacker may receive no response at all.  That could mean that the port is filtered by an intermediate device, such as a firewall, or by the host itself.  On the other hand, it could just be that the response was lost in transit.  This result typically indicates that the port is closed, but it's ultimately inconclusive.
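As an added illustration that is not part of the original post, the small Python script below applies the three outcomes just described (SYN/ACK, RST, no reply) to constructed packet summaries, reconstructs what a scanning host learned about each port, and flags a source that sent SYNs to several ports without ever completing a handshake.  The addresses, ports and the flag-letter notation are assumptions made for the example.

```python
from collections import defaultdict

# Constructed TCP packet summaries: (src, dst, sport, dport, flags), using
# Wireshark-style flag letters (S = SYN, SA = SYN/ACK, RA = RST/ACK, A = ACK).
# Addresses and ports are made up for this example.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 40001, 22, "S"),
    ("10.0.0.9", "10.0.0.5", 22, 40001, "SA"),   # 22 open, handshake never finished
    ("10.0.0.5", "10.0.0.9", 40002, 80, "S"),
    ("10.0.0.9", "10.0.0.5", 80, 40002, "SA"),   # 80 open, handshake never finished
    ("10.0.0.5", "10.0.0.9", 40003, 23, "S"),
    ("10.0.0.9", "10.0.0.5", 23, 40003, "RA"),   # 23 closed (RST)
    ("10.0.0.5", "10.0.0.9", 40004, 443, "S"),   # no reply: filtered or lost
    ("10.0.0.7", "10.0.0.9", 51000, 80, "S"),    # ordinary client ...
    ("10.0.0.9", "10.0.0.7", 80, 51000, "SA"),
    ("10.0.0.7", "10.0.0.9", 51000, 80, "A"),    # ... finishes the handshake
]

def classify_probes(packets):
    """Map each SYN (src, dst, sport, dport) to what the target sent back."""
    verdict = {}
    for src, dst, sport, dport, flags in packets:
        if flags == "S":
            verdict[(src, dst, sport, dport)] = "no-response"
    for src, dst, sport, dport, flags in packets:
        probe = (dst, src, dport, sport)   # a reply travels the reverse 4-tuple
        if verdict.get(probe) == "no-response":
            if flags == "SA":
                verdict[probe] = "open"        # a service is listening
            elif "R" in flags:
                verdict[probe] = "closed"      # RST: nothing listening
    return verdict

def port_states(packets, scanner):
    """What the scanner learned: target port -> open / closed / no-response."""
    return {dport: res for (src, _, _, dport), res in classify_probes(packets).items()
            if src == scanner}

def find_half_open_scanners(packets, min_ports=3):
    """Sources that probed several ports and never sent the final ACK."""
    completed = {(s, d, sp, dp) for s, d, sp, dp, f in packets if f == "A"}
    probed, finished = defaultdict(set), defaultdict(int)
    for key in classify_probes(packets):
        probed[key[0]].add(key[3])
        if key in completed:
            finished[key[0]] += 1
    return sorted(src for src, ports in probed.items()
                  if len(ports) >= min_ports and finished[src] == 0)

if __name__ == "__main__":
    for src in find_half_open_scanners(PACKETS):
        print(src, "half-open scan:", port_states(PACKETS, src))
```

A "no-response" entry is reported as inconclusive on purpose: as the text notes, it may be a filtered port or simply a lost reply.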

Operating System Fingerprinting

An attacker puts a great deal of value on knowing his target's operating system.  Knowledge of the operating system in use ensures that all of the attack methods employed by the attacker are configured correctly for that system.  This also allows the attacker to know the location of certain critical files and directories within the target file system, should he actually succeed in accessing the system.

Operating system fingerprinting is the name given to a group of techniques used to determine the operating system running on a system without actually having physical access to that system.  There are two types of operating system fingerprinting: passive and active.

Passive fingerprinting:  Using passive fingerprinting, you examine certain fields within packets sent from the target in order to determine the operating system in use.  The technique is considered passive because you only listen to the packets the target host is sending and don't actively send any packets to the host yourself.  This is the ideal type of operating system fingerprinting for attackers because it allows them to be stealthy.

Active fingerprinting:  When passively monitoring traffic doesn't yield the desired results, a more direct approach may be required.  This approach is called active fingerprinting.  It involves the attacker actively sending specifically crafted packets to the victim in order to elicit replies that will reveal the operating system in use on the victim's machine.  Of course, since this approach involves communicating directly with the victim, it is not the least bit stealthy, but it can be highly effective.

Exploitation

Every attacker lives for the exploitation phase.  The attacker has done his research, performed reconnaissance on the target, and found a vulnerability that he is prepared to exploit in order to gain access to the target system.  We will look at various exploitation techniques.

Operation Aurora
