Anda di halaman 1dari 18

Advanced Network Exploitation Research and Networking Concepts.

September 2009 Written by Nicholas Lemonias


www.AISecurityOnline.com
Copyright 2009 Advanced Information Security Online.

Basic Networking Concepts


A Network Infrastructure refers to different sets of physical and logical components,
which provide the basis, mainly for connectivity, security, routing, management,
access to resources and other features integral to a network, while a Physical
Infrastructure refers to a networks topology or physical design, such as the routers,
switches, bridges, hubs and other physical components , composing a networks
design.

A logical Infrastructure refers to the shared software components that allow


computers to communicate over a networks physical topology. Elements of a
networks logical infrastructure incorporate shared network protocols, an
addressing mechanism, a name resolution system, and network services.

As you may know, in all modern networks communication among computers is


based on the TCP/IP Protocol suite, a protocol design which provides addressing , a
naming system , routing, interoperability with the internet, but also many other
features for network communication.

Definition of the TCP/IP Protocol as described in Wikipedia.org

TCP/IP defines a set of rules to enable computers to communicate over a network,


specifying how data should be packaged, addressed, shipped, routed and delivered to the
right destination. The specification defines protocols for different types of
communication between computers and provides a framework for more detailed
standards.
TCP/IP is generally described as having four 'layers', or five if you include the bottom
Physical Layer. The layer view of TCP/IP is based on the seven-layer OSI Refernce.
Model written long after the original TCP/IP specifications, and is not officially
recognized. Regardless, it makes a good analogy for how TCP/IP works and comparison
of the models is common.

The TCP/IP Model and related protocols are currently maintained by the Internet
Engineering Task Force (IETF).

The four Layers of TCP/IP Protocol suite.


| Application Layer |
This particular facet or layer of communication handles the context and information of
the particular application utilized in a TCP/IP connection. Many common application:
Telnet, FTP, SNMP.
| Transport Layer |
This particular layer of communication provides the workflow of communicative
data between the sender and the receiver, thus providing us with either the
transportation protocols of TCP (Transmission Control Protocol) or User Datagram
Protocol (UDP).

Differences between UDP and TCP in the workflow of data:


1. TCP provides a reliable workflow of communicative data between HOST A
and HOST B , providing a reliable flow of data with data organisation (into
appropriate size chunks) thus preparing data for the encapsulation onto the
next layer (Network Layer), prior to submission. The TCP protocol also
provides guaranteed delivery, through a mechanism of of reliable flow: a)
setting timeouts, acknowledging received packets from (HOST B), and
setting timeouts to make certain the other end acknowledges packets, that
are sent on, and therefore the application layer does not have to process this
information.
2. The UDP protocol provides a much convenient and simpler service through the
application layer. It just sends packets of diagrams from HOST A to HOST B but
with no guarantees that the datagrams will reach the other end, as there is no
retransmission and guaranteed delivery mechanisms , unlike TCP.
| Network Layer|
The Network Layer or otherwise the Internet Layer Handles the movement of packets
around the network. This facet handles the routing of packets, whereby the:

IP (Internet Protocol)
ICMP (Internet Control Message Protocol)
IGMP (Internet Group Management Protocol)

These protocol operated under the Network Layer of communication thus providing
the Internet Control Messaging (Error Reporting for Bad packets), Routing of
Packets and Retransmission of packets.
|Link Layer|
The Link Layer , sometimes called the data-link layer or network interface layer ,
normally includes the device driver in the operating system and the corresponding
network interface card in the computer, thus handling the hardware and physical
interfacing with the cable.

TCP provides a reliable transport layer, even though the service it uses (IP) is
unreliable. IP is the main protocol and network layer, used by both UDP and TCP.
Every bit of information transferred around an internet it goes through the IP layer
at both the sender and the recipient, and through every immediate router system. In
rare occasions it is also possible that an application could access the ICMP protocol
directly, from the Application Layer (Older routing protocols are utilized this way.)
ICMP is an adjunct to the IP. It is predominantly used by the IP Layer to
exchange error messages and other vital information with the IP layer in another
host or computer.

IGMP is the Internet Group Management Protocol. It is used for multicasting


(sending a UDP datagram to multiple hosts.

ARP and RARP (Address Resolution Protocol / Reverse Address Resolution


Protocol) are specialized protocols utilized under certain types of network interfaces
such as Ethernet, in order to convert between the addresses used by the IP Layer
and the addresses used by a network interface (Interface Addressees Ref: MAC
address).

Encapsulation of Information & Demultiplexing.


Encapsulation is the process where the application sends data using TCP, and the
data is sent down the protocol stack, through each layer, until the encapsulated
stream of information is tied-up together, having the information and data
utilization of every facet of communication, thus sending the outcome as a stream of
bits to our destination.
Demultiplexing is the opposite of Encapsulation. When a network frame (Ethernet
frame) is received at the destination host it starts its way up the protocol stack, thus
removing all the information tied-up during encapsulation, reading the stream of
bits sent across, in that order. Each protocol looks at certain identifiers in its header
to determine which box in the next upper layer, receives the data. This is what we
call Demultiplexing .
As you may find out, the demultiplexing of incoming segments using the destination
port number and source ip address and source port number, positions the streams
of information as ordered by the sender.

Client-Server Model
Most Networking applications are written supposing that one side or X side is the
client and Y side is the server. The purpose of the application is for the server to
provide services to the client.

Servers can be subdivided into iterative or either concurrent, thus meaning that an
iterative server follows through the following steps:
A. Wait for a client request to arrive
B. Process the client request.
C. Send the response back to the client that sends the request.
D. Wait for a client request to arrive (Ref: Step A).\

The only different between an iterative server and a concurrent server is that
during the time of servicing (processing a clients request), no other clients are
serviced, whilst a concurrent server follows the following order:
A. Wait for a client request to arrive.
B. Start a New server to handle the clients request. (Creating a New process in
task, or thread, depending on what the underlying operating systems
supports. How this step is performed depends on what the underlying
operating system.

C. Wait for a client request to arrive (Ref: Step 1).

Port Numbers
TCP and UDP protocols identify applications using 16-bit port numbers. Servers
are normally known by their well-known port numbers.
Until 1992 the well-known ports were between 1 and 255. Ports between 256 and
1023 were normally used by Unix systems for Unix specific services.
The Internet Assigned Numbers Authority (IANA) now manages ports between 1
and 1023.
A client usually doesnt care what port number it uses on its end, and the choice is
randomly chosen. Client port numbers are called ephemeral ports or ports that are
short-lived, because these types of ports only last while the application is executed,
thus the application binding a random client port.
UNIX Ports
The well-known port numbers are contained in the file /etc/services.

% grep telnet /etc/services


telnet 23/tcp
%grep domain /etc/services
domain 53/udp
domain 53/tcp

Request for Comment (RFCs)


To: rfc-info@ISI.EDU
Subject: getting rfcs
Internet Official Protocol Standards, RFC 1600 [Postel 1994].
Host Requirements RFCs [1112 and 1123] [Braden 1989a, 1989b].
All the Official Standards in the Internet Community are published as a Request for
Comment or RFC.

Internet Protocol

IP is the main subprotocol or the workhorse protocol of the TCP/IP sutie. All the
information encapsulated through the TCP, UDP, ICMP and IGMP data gets
transmitted as IP datagrams. Although IP is an unreliable connectionless datagram
delivery service The term connectionless meaning that IP does not maintain any
state information about successive datagrams (by itself), but it rather follows an
algorithm that throws away datagrams and try to send an ICMP message back to
the source, for every bad packet.

TCP/IP v4
IP HEADER

0_______________________15 16_________________________________________31
4 bits | 4 bit header length | 8 bit type of service (TOS) | 16-BIT total length (in bytes)
16-bit identification | 3-bit flags | 13-bit fragment offset | 8 bit time to live (TTL) | 8bit protocol | 16-bit header checksum
32 bit source IP address
}
20 BYTES
32 bit destination IP address
Options (other options)
[Data]
AAAAAAAAAAAAAAAAAAAAAA
________________________________________________________________________

UDP HEADER
0_______________________15 16_________________________________________31
16-bit source port number | 16-bit destination port number
16-bit UDP length
|
16-bit UDP checksum
[Data]________________________________________
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

TCP HEADER
0_______________________15 16_________________________________________31
16-bit source port number | 16-bit destination port number
32 bit Sequence number _________________________________________________
32 bit acknowledgement number_________________________
4-bit header length | reserved 6 bits| U|A|P|R|S|F|_____16 BIT Window__________
|R|C|S|S|Y |I|__________ SIZE_______|
|G|K|H|T|NN|
16 bit TCP Checksum
16 BIT Urgent Pointer|
[ OPTIONS]_________________________________________
[ DATA] _____________________

ICMP: Internet Control Message Protocol.


The ICMP protocol is considered to be part of the IP Layer and it communicates the
error messages and other problems persisting within a communication. ICMP
messages are usually acted on by either the IP Layer or the higher TCP/UDP
protocols.

[ < IP DATAGRAM
[ IP HEADER |

>]
ICMP MESSAGE

20 bytes (Sample ICMP Message encapsulated within an IP datagram).

TCP - (Establishing a connection) (TCP 3 WAY Handshake).


To establish a connection, TCP uses a methodology named the 3 WAY Handshake.
Prior to the establishment of a TCP connection HOST A prompts HOST B with a
sequence of packets, thus allowing or either disallowing the connection
establishment, which follows the successful handshake between the two hosts.
[HOST A ]

SYN Packet sent to destination. (Hello HOST B)

[HOST B] a. Acknolwedging the packet received with a SYN-ACK or either


b. neglecting it using a SYN-RST thus terminating the connection.

[HOST A ]
SYN-ACK received. Sending Back an ACK packet indicating
Acknowledgement of the connection.
[HOST B]
Receiving ACK packet from client, and the connection is established.
CONNECTION ESTABLISHED
[HOST A HOST B] ACKNOWLEDGED

Network Exploitation Advanced Methodologies of Network Enumeration and


Exploitation (Breaking Through Firewall Security).

1. Remote Host Fingerprinting And Hping Fire walking Methodology:


This method demonstrates an exploitation method for trespassing Firewalls through
the ICMP and RING Half-Opening method.
[HOST A] We tend to send SYN packet to captivate the interest of our destination.

[HOST B] Replies with either SYN/ACK or SYN/RST thus telling us whether the
particular port is open or closed. Even though a misconfigured fire walled
infrastructure, could potentially lack the security for SYN scanning, avoinding the
normal Connect () method of port scanning;

2. Normal Port Knocking Scenario (NMAP)


NMAP P0 p

Normal Responses: Open/Closed (Indicating whether the port is open or closed).


Scenario Type: Syn Scan
Response Filtered Ports: Indicating that the host is possible fire walled and secured
against this type of attack, because we know that close ports respond with RST, thus
knowing the normal behavior of the TCP/IP handshake.

Hping S P <Port> -c 2 IP

Len=40 ip=127.0.0.1 TTL=180


ID=40491 sport=50 flags=RA RA - Reset Acknolwedgement thus indicating that
our port is closed!

Scenario 3 100% Complete Packet Loss (Hping)


Hping S p 50 c 10 LIFE1
{10 SYN Packets transmitted across using HPING => 0 Packets Received}
Possible Scenario for Firewall Enumeration:
10 Syn packets Sent >

|F
|I
|R
|E
|W
|A
|L
|L

| BLOCKED
|
BY
|
FIREWALL
|
|
X False.
|
|
|

As we can see our SYN packets are being filtered by the firewall technology on the
target infrastructure, thus we should endorse a different method of enumeration,
which is possible not filtered.

Scenario 4. (In case Scenario 3 fails).


/ FIN Scanning Methodology

Firewall Enumeration

Hping F p 50 LIFE1

<Flags=RA>
Indication of an RA (Reset Acknowledgement) Thus indicating that all our syn packets
might have previously been filtered, but now the utilization of A FIN packet can
actually pass-through the firewall, and our port is open.
In case that there is no response, which indicates that the port is closed.
In case that there is an RST response, once our FIN packet is accepted , that
means that the port is closed.

HPING S p 80 c2 <ip>

SYN FLAG

-S Syn Packet indication


-p Port number
-c2 number of packets to be sent.
Possible Responses:
Flags = RA
Flags = SA

HPING S p 80 ++20 <IP>


++ Indicates an incremental request.
Possible Responses:
Flags = RA
Flags = SA
*Note*: In a case of packet loss that means that the ports are firewalled.

UDP Scanning and Enumeration


A. Normal UDP Scan >

NMAP SU P <IP>

POSSIBLE STATE: OPEN | FILETERED > This indication explains that our
scanner failed to determine results.

Hping -2 p 50++ <host>

We could also utilize another advanced UNIX networking tool in order to capture
our packet responses. This new methods utilizes the use of payload through the
Hping.
#tcpdump (promiscuous mode)

#hping -2 p ++50 d 120 E file.txt (containing 120 bytes of junk data).

Illustration 1.a
Len=46
ip= 127.0.0.1 ttl=49
Id=37187 sq=3
rtt=531.0ms

Possible responses: In case that we receive an ICMP Port Unreachable response


that means that potentially our destination infrastructure utilizes the use of IPtables.

5. Network Enumeration (Ping Sweeping through ICMP)


Gathering System Information on a target infrastructure through the usage of the
following flags:
Message Type 0 Echo Reply > Packets utilized by the Ping networking tool.
Message Type 3 Destination Unreachable
The Destination Unreachable message is a message which is generated by the host or its
firewall or proxy to inform the user that the destination is not reachable. A Destination
Unreachable message may be generated as a result of a TCP , UDP or another ICMP
transmission. Unreachable TCP ports notably respond with TCP RST rather than a
Destination Unreachable code 3 as might be expected.

Code Description

Network unreachable error.

Host unreachable error.

Protocol unreachable error (the designated transport protocol is not supported).

Port unreachable error (the designated protocol is unable to inform the host of the incoming
message).

The datagram is too big. Packet fragmentation is required but the 'don't fragment' (DF) flag is on.

Source route failed error.

Destination network unknown error.

Destination host unknown error.

Source host isolated error (military use only).

The destination network is administratively prohibited.

10

The destination host is administratively prohibited.

11

The network is unreachable for Type Of Service.

12

The host is unreachable for Type Of Service.

13

Communication administratively prohibited (administrative filtering prevents packet from being


forwarded).

14

Host precedence violation (indicates the requested precedence is not permitted for the combination
of host or network and port).

15

Precedence cutoff in effect (precedence of datagram is below the level set by the network
administrators).

The Next-Hop MTU field (48 bits-63) contains the MTU of the next-hop network if a
code 4 error occurs. The additional data (bits 64-95) is included to allow the client to
match the reply with the request that caused the destination unreachable reply.

Message Type 4 Source Quench


The Source Quench is an ICMP message which requests the sender to decrease the
traffic rate of messages to a router or host. This message may be generated if the router or
host does not have sufficient buffer space to process the request, or may occur if the
router or host's buffer is approaching its limit.

Message Type 5 Redirect


Code Description
0

Redirect for Network Error.

Redirect for Host Error.

Redirect for Type of Service and Network Error.

Redirect for Type of Service and Host Error.

The ICMP type 5 contains a redirect message to send data packets on alternative route.
ICMP Redirect is a mechanism for routers to convey routing information to hosts. The
Redirect Message is an ICMP message which informs a host to redirect its routing
information (to send packets on an alternate route).
Message Type 11 Time Exceeded
. A time exceeded message may also be sent by a host if it fails to reassemble a
fragmented datagram within its time limit.
Type must be set to 11. The code, which specifies the reason for the time exceeded
message, includes the following:

Code

Description

Time-to-live exceeded in transit.

Fragment reassembly time exceeded.

Message Type 12 Parameter Problem


Ref: RFC 792, page 9:
If the gateway or host processing a datagram finds a problem with the header parameters
such that it cannot complete processing the datagram it must discard the datagram. One
potential source of such a problem is with incorrect arguments in an option. The gateway
or host may also notify the source host via the parameter problem message. This message
is only sent if the error caused the datagram to be discarded.
The pointer identifies the octet of the original datagram's header where the error was
detected (it may be in the middle of an option). For example, 1 indicates something is
wrong with the Type of Service, and (if there are options present) 20 indicates something
is wrong with the type code of the first option.

Code 0 may be received from a gateway or a host.

Message Type 13 Timestamp Request Requesting the Timestamp and Timezone


Information for the remote infrastructure or remote inbound gateway.
Message Type 14 Timestamp Reply
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It
consists of the originating timestamp sent by the sender of the Timestamp as well as a
receive timestamp and a transmit timestamp.
Message Type 15 Information Request
RFC 792, page 19:
This message may be sent with the source network in the IP header source and
destination address fields zero (which means "this" network). The replying IP module
should send the reply with the addresses fully specified. This message is a way for a host
to find out the number of the network it is on.
The identifier and sequence number may be used by the echo sender to aid in matching
the replies with the requests. For example, the identifier might be used like a port in TCP
or UDP to identify a session, and the sequence number might be incremented on each
request sent. The destination returns these same values in the reply.
Code 0 may be received from a gateway or a host.

Message Type 16 Information Reply


RFC 1812, page 59:
The Information Request/Reply pair was intended to support self-configuring systems
such as diskless workstations, to allow them to discover their IP network prefixes at boot
time. However, these messages are now obsolete. The RARP and BOOTP protocols
provide better mechanisms for a host to discover its own IP address.

ICMP Enumeration Tool


Resource: www.nmrc.org/files/sunix/icmpenum-1.1.1tgz
Syntax: Icmpenum s (Spoofed Packets).

6. Network Exploitation Tactics Infrastructure Mapping


1. You can find the Time zone that the system is in utilizing an ICMP Type 13.
2. You can also find the Net mask of a particular device using the ICMP Type
17, utilizing an ADDRESS_Mask_Request and all thus to calculate all the
subnets being used within the infrastructure.
Resource: http://www.angio.net/security/icmpquery.c

Syntax: (1)
Query a Routers Time:

ICMPQUERY t 127.0.0.1
Response: 127.0.0.1 :11:36:19

ICMPQUERY m 127.0.0.1
Response: 127.0.0.1 :0Xffffffe0

Security Access Control Lists (ACL) for Firewalls


Security Advice:
ACL Security:
Allow Only:
ICMP_ECHO_REPLYs (ping)
HOST_UNREACHABLE
TIME_EXCEEDED

Overview of Network Scanning and Firewall Enumeration (IP Implementations).


Under normal circumstances the below mentioned packets are not being sent
individually to a network host, but rather they are being utilized in a
communication, in order to provide information and or delivery and establishment
and connectivity between two hosts and the intermediate systems. Although a
malicious hacker can also utilize these packets and vulnerabilities within the TCP/IP

stack in order to enumerate and gain satisfactory responses, on the state and
security of an infrastructure

Other Methods
Fin Scanning A Fin Packet is sent across to the target host.

TCP XMAS TREE A combination of Fin, URG and Push packets are sent across
to the target infrastructure. An RST response indicates closed ports.

TCP Null Scan A packet with all the flags off is sent to the target host, thus
replying with an RST for all closed port.

TCP ACK Scanning An ACK packet is sent to the destination target host.

7. Remote Operating System Detection Network Enumeration


Passive Stack Fingerprinting
Passive Stack Fingerprinting is a method of gathering network information on a
given network and comparing that information against a database of entries, thus
determining the Operating System used.
You have to be part of the same network , in order for this method to be effective.

#telnet host1.mynet.com
01/08-11:23:48.29976 192.168.1.12:23 -> 192.168.1.13:2295
TCP TTL:225 TOS:0x0 ID:58943 DF
**S***A*

Seq: 0XD3B709A4

ACK: 0XB309B2B7 WIN: 0X2798

TCP OPTIONS => NOP NOP TS: 9688775 9682347


NOP WS: 0 MSS:1460

Gathered Information

REF: TTL = 225


Windows Size= 0x2798

DF = Dont Fragment Bit

# grep I solaris osprints.conf


2328:255:1 Solaris 2.6 2.7
2238:255:1 Solaris 2.6 27
2400:255:1 Solaris 2.6 2.7
2798:255:1 Solaris 2.6 2.7
# siphon v I x10 I fingerprint_accumulation.txt
Operating System Determined against Siphons fingerprints:
Host
192.168.1.12

Port
23

TTL
225

DF
ON

OS
Solaris 2.6. - 27

Admin Prohibited Filter.


If we suppose that the remote system indication that NO SYN/ACK is received and
NO RST/ACK is received , thus no ICMP type 3 is received although you might
receive an Admin Prohibited Filter response, which oftentimes that is a response
sent from a CISCO Firewall System.
In some cases when an RST/ACK is received, it is either the OS indicating the our
port is closed or either the Firewall contains a REJECT rule within its ACL list.

Scenario 10 Firewall Enumeration through Netcat & SNMP Management, and


Advanced Firewalking.
Nc v n host.com 257
(Unknown) [127.0.0.1] 257 (?) Open
31000000 -> Indicating the Checkpoint Serial Number.

Firewalking Scenario (Discovering Open Ports behind a firewall).


This method works by generating packets with a TTL value calculated to expire one
hop past the Firewall. The theory behind this method is , that our generated
packets will pas the through the firewall and expire with an error message of
ICMP TTL expired in transmit.

In the scenario that our packets are blocked , either no response will be received or
either an ICMP type 13 message will be received.

Resource: http://packetfactory.net/projects/firewalk
Firewalk is a reconnaissance network security enumeration project, designed for the
enumeration of firewalls.
It attempts to enumerate the protocols and rules behind a firewall within its current
configuration will allow to pass through to internal hosts.
Firewalk sends out TCP or UDP packets with a TTL one greater than the targeted
gateway/firewall.
If the gateway/firewall allows the traffic, it will forward the packets to the next hop
where they will expire and elicit an ICMP_TIME_EXCEEDED message.
If the gateway host does not allow the traffic, it will likely reject our packets with no
response.
-d 1-65535 Specify initial dest port to use during the ramping phase.
-h
Program help.
-i
Interface_name Specify interface to use.
-n
Don't resolve IP's to hostnames.
-P 1-2000 Set a network writing pause, to keep firealk from flooding
the network.
-p TCP,UDP Type of scan to perform.
-r
Strict RFC 793 compliance.
-S 1-65535,... (1-130,139,1025)
Specify ports to scan. Specified in ranges, delimited by dashes,
multiple ranges may be specified, delimited by commas. Omitting the
terminating port number is shorthand for 65535.
-s 1-65535 (53)Specify the source port for the scan (both phases).
-T 1-2000 (2)Network packet reading timeout.
-t 1-25 (1)Sets initial IP TTL value (target gateway is known to be n
hops from the
source host, the TTL can be preloaded to facilitate a faster scan.
-v
Dump program version and exit.
-x
Expire vector (1)The expire vector is the number of hops
that the scanning probes will expire,past the gateway host. The binding
hopcount is the hopcount of the gateway + the expire vector.

#firewalk p tcp s135-140 10.11.3.1


As you may know, it is not possible to block ICMP TTL expired values because, if
we do that, our clients will not be able to receive information regarding their
connection.