Packets and Protocols
Recognizing Attacks with the protocol analyzer
Packets and Protocols
Recognizing attacks
Hacker tools
– Many tools exist
– Most are freeware
– Many are simply adaptations of existing features/tools in the operating system
  Ping
  Trace route
  Nbtstat
  nslookup
Ping
– Uses ICMP
– Many options exist for the ping command
    C:\WINDOWS>ping

    Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
                [-r count] [-s count] [[-j host-list] | [-k host-list]]
                [-w timeout] target_name

    Options:
        -t             Ping the specified host until stopped.
                       To see statistics and continue - type Control-Break;
                       To stop - type Control-C.
        -a             Resolve addresses to hostnames.
        -n count       Number of echo requests to send.
        -l size        Send buffer size.
        -f             Set Don't Fragment flag in packet.
        -i TTL         Time To Live.
        -v TOS         Type Of Service.
        -r count       Record route for count hops.
        -s count       Timestamp for count hops.
        -j host-list   Loose source route along host-list.
        -k host-list   Strict source route along host-list.
        -w timeout     Timeout in milliseconds to wait for each reply.
Trace route
– Uses ICMP Type 8, type 0 and TTL
  Sends type 8 w/TTL=1
  Receives TTL expired
  Sends type 8 w/TTL=2
  Receives TTL expired
NBTStat
– Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
– Yet another way a hacker can gather data to be used against you
Nslookup
– DNS tool used to resolve IP addresses to names and to show the DNS server servicing the request.
– Similar to ping -a
There are many tools already written that bring together these common utilities
– Common hacker tools can be found at Sourceforge
Sam Spade
– GUI tool used for gathering information from Websites
Ping sweep tools
– Used to discover IP addresses on networks by using ICMP and ARP
Port scan tools
– Used to find what ports are open on what devices
– Can scan sequentially or randomly
Cain and Abel
– Good multipurpose tool for cross platform vulnerability checks
ZenMap
– Another multipurpose tool to gather information against network nodes
SNMP Sweeps
– Two types
  Brute force – Simple guessing program
    Starts with the password of a then b -> z then aa, ab, ac -> zz then aaa, aab etc
  Dictionary – Uses a pre-made list of common words or phrases
Brute Force
Dictionary Attack
What to look for:
– Ping sweep
  Look for an inordinate amount of ICMP traffic
– Port Scan
  Look for incrementing destination ports
– SNMP Attack
  Look for a sudden burst of SNMP traffic and monitor the community field in the capture
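The three indicators on this slide turned into a small detector, as an added example that is not part of the original slides: it runs over constructed one-line packet summaries (the kind a protocol analyzer exports) and flags the ICMP, destination-port and SNMP community patterns described; the summary format, addresses and thresholds are assumptions.

```python
"""Flag the three scan patterns the slide lists in a packet-summary capture.
Added example, not from the original slides. Input lines are constructed in the
style a protocol analyzer exports: "<src> <dst> <proto> <detail>", with detail
"type=<n>" (ICMP), "dport=<n>" (TCP) or "community=<s>" (SNMP). Thresholds are assumed."""
from collections import defaultdict

# Constructed capture: a ping sweep from 10.0.0.5, a sequential port scan from
# 10.0.0.7 against 10.0.0.20, an SNMP community sweep from 10.0.0.9, plus normal traffic.
CAPTURE = (
    [f"10.0.0.5 10.0.0.{i} ICMP type=8" for i in range(1, 41)]
    + [f"10.0.0.7 10.0.0.20 TCP dport={p}" for p in range(20, 60)]
    + [f"10.0.0.9 10.0.0.30 SNMP community={c}"
       for c in ("public", "private", "admin", "cisco", "a", "b", "c")]
    + ["10.0.0.2 10.0.0.20 TCP dport=443", "10.0.0.20 10.0.0.2 ICMP type=0",
       "10.0.0.3 10.0.0.30 SNMP community=public"]
)

def parse(line):
    src, dst, proto, detail = line.split()
    key, value = detail.split("=", 1)
    return src, dst, proto, key, value

def ping_sweeps(capture, min_targets=20):
    """Ping sweep: one source sends ICMP echo requests (type 8) to many hosts."""
    targets = defaultdict(set)
    for src, dst, proto, key, value in map(parse, capture):
        if proto == "ICMP" and key == "type" and value == "8":
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def port_scans(capture, min_ports=20):
    """Port scan: many destination ports on one host; reports sequential vs random."""
    ports = defaultdict(set)
    for src, dst, proto, key, value in map(parse, capture):
        if proto == "TCP" and key == "dport":
            ports[(src, dst)].add(int(value))
    hits = []
    for (src, dst), p in sorted(ports.items()):
        if len(p) >= min_ports:
            # A consecutive run of ports is the "incrementing" pattern the slide describes.
            order = "sequential" if max(p) - min(p) + 1 == len(p) else "random"
            hits.append((src, dst, order))
    return hits

def snmp_sweeps(capture, min_communities=5):
    """SNMP sweep: a burst of SNMP from one source cycling through community strings."""
    communities = defaultdict(set)
    for src, dst, proto, key, value in map(parse, capture):
        if proto == "SNMP" and key == "community":
            communities[(src, dst)].add(value)
    return sorted(k for k, c in communities.items() if len(c) >= min_communities)
```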
How to defend:
– Ping
  Filter out unwanted ICMP types
– Port Scan
  Lock down devices and turn off unneeded applications and ports
– SNMP attacks
  Use strong passwords
The best solution?
– Get an IDS/IPS
  Intrusion detection system – passive
  Intrusion prevention system – active