
Analyzing a Hack from A to Z (Part 1)

By Don Parker

Within this article series we will both pull off a hack, and analyze its methodology. By understanding a hacker’s methodology one can better defend one’s networks.


This article series is based on a network system breach. We will cover the hack itself, from the reconnaissance stage through enumeration and network service exploitation, ending with post-exploitation strategies. Each of these steps will then be viewed at the packet level and explained. Being able to view and understand an attack at the packet level is critically important for both system administrators (sys admins) and network security personnel. The output of firewalls, Intrusion Detection Systems (IDS) and other security devices will always, in turn, lead you back to the actual network traffic. If you don't understand what you are looking at, at the packet level, then all of the network security technology you have is utterly useless. The series will close with how to write a Snort signature based on the attack traffic.

Tools used for this simulated network attack:

* Nmap
* IPEye
* Tcpdump
* Metasploit Framework
* Netcat
* SolarWinds TFTP Server
* Tftp client
* FU Rootkit

Setting the stage

There is no shortage of hostile scanning on the Internet today, not to mention worm activity and other forms of malware, such as viruses. All of this amounts to a lot of white noise for the well protected computer network. What we shall look at is a person deliberately targeting a computer network. For the purposes of this article we shall assume that the hacker has already decided upon his victim and done earlier research, such as finding out the IP address or addresses of the victim network. He may have also tried to find out other nuggets of information, such as email addresses associated with that network. This type of information is critical in case the hacker finds there is no way into the network after having scanned, profiled, and enumerated it. The email addresses he may have harvested would be useful in setting up a client side attack, by which he would try to lure a user to a malicious website via a link in an email. More on that type of attack in a later article series.

On with the show

We shall now view the actions of the potential hacker as he goes about the business of scanning, profiling, and enumerating the victim network. The first tool that the hacker uses is Nmap. Though there are quite a few IDS signatures for Nmap, it is still a very useful tool, and is heavily used.

We can see via the syntax used by the hacker in the screenshot that he deliberately picks ports 21 and 80, as he has several exploits he can use for them via the Metasploit Framework. Not only that, but those are two system services and protocols that he understands fairly well. Shown as well is that he is using a SYN scan, which is also the most common port scan type. This is because if a service which uses TCP is listening on a port which is scanned with a SYN packet, it will send back a SYN/ACK packet. That SYN/ACK packet indicates that a service is indeed listening there and awaiting connections. The same cannot be said for UDP based services such as DNS (DNS also uses TCP, though it uses UDP for the bulk of its transactions).

Listed below the syntax is the output that Nmap gleans from the packets it sent, or, to be more accurate, from the packets it received as a result of the SYN scan it just did. We can see that there are seemingly both FTP and HTTP services offered. We are not really interested in the MAC address, so we will ignore that. Though tools such as Nmap are not often wrong, it is always good to verify your information at the packet level to ensure its accuracy. Not only that, but it is also by looking at the return packets from the victim network that we shall gather the host, service, and architectural information.

Let us consult the packets

There are several programs out there today which will take packets off the wire and pull out information such as the operating system type and architectural info (i.e. x86 or SPARC) for you. That really isn't all that much fun, and, more importantly, we learn nothing by letting a program do the work for us. On that note, let's take a look at the Nmap packet trace and pull out some information about the victim network.
10:52:59.062500 IP (tos 0x0, ttl 43, id 8853, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.17 > 192.168.111.23: ICMP echo request seq 38214, length 8
0x0000: 4500 001c 2295 0000 2b01 0dd3 c0a8 6f11 E..."...+.....o.
0x0010: c0a8 6f17 0800 315a 315f 9546 ..o...1Z1_.F
10:52:59.078125 IP (tos 0x0, ttl 128, id 396, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.23 > 192.168.111.17: ICMP echo reply seq 38214, length 8
0x0000: 4500 001c 018c 0000 8001 d9db c0a8 6f17 E.............o.
0x0010: c0a8 6f11 0000 395a 315f 9546 0000 0000 ..o...9Z1_.F....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............

Shown in the two packets above is the opening salvo from Nmap. What it does is send an ICMP echo request to the victim network. You will note that it is not aimed at a specific port, since ICMP does not use ports, but rather is handled by the ICMP error message handler which is built into the TCP/IP protocol stack. This ICMP packet is also stamped with a unique sequence number, 38214 in this case, to help the TCP/IP stack keep track of the returning traffic and associate it with the ICMP packet it sent earlier. The second packet is the response from the victim network, in the form of an ICMP echo reply. Note that it bears the same sequence number, 38214. So the hacker knows that there is indeed a computer, or computer network, behind that IP address.

This opening ICMP packet sequence is why Nmap has an IDS signature for it. This ICMP host discovery option can be disabled in Nmap if so desired. What kind of information can be gleaned from the resulting ICMP echo reply packet from the victim network? In reality, not a lot of information is there to help us profile the network, though we can take a preliminary stab at what the operating system family is. Look at the time to live (ttl) field and its value in the echo reply above. A value of 128 points to the likelihood that this computer is a Microsoft Windows one. While this ttl value is not a definitive answer as to what the operating system is, it will hopefully be corroborated by the ensuing packets that we will look at.
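To make the packet-level reading above repeatable, here is an added example (not code from the article) that rebuilds the raw bytes from the two tcpdump hex dumps quoted above, decodes the IPv4 and ICMP headers the text walks through, and applies the same rough TTL-to-OS-family heuristic. The dumps are copied from the page; the TTL table (64, 128, 255 as common initial values) is a general heuristic and an assumption of this example, not something the article states.

```python
# Added example, not from the article: decode the article's two ICMP packets
# from their tcpdump hex dumps and repeat the TTL-based OS-family guess.
import re
import struct

# The page's own dumps (ASCII column included; it is ignored when parsing).
ECHO_REQUEST = """
0x0000: 4500 001c 2295 0000 2b01 0dd3 c0a8 6f11 E..."...+.....o.
0x0010: c0a8 6f17 0800 315a 315f 9546 ..o...1Z1_.F
"""
ECHO_REPLY = """
0x0000: 4500 001c 018c 0000 8001 d9db c0a8 6f17 E.............o.
0x0010: c0a8 6f11 0000 395a 315f 9546 0000 0000 ..o...9Z1_.F....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -x style lines (8 hex words max)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for tok in fields[1:9]:                 # stop at the ASCII column
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for proto 1, the 8-byte ICMP header."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # header length in bytes
    info = {"ttl": ttl, "id": ident, "proto": proto, "length": total_len,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    if proto == 1:
        itype, icode, _ic, icmp_id, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        info.update(icmp_type=itype, icmp_code=icode, icmp_id=icmp_id, icmp_seq=seq)
    return info

def ttl_os_guess(ttl: int) -> str:
    """Heuristic (assumption of this example): observed TTL <= initial TTL,
    since each router hop decrements it; pick the nearest common initial."""
    for initial, family in ((64, "Linux/BSD"), (128, "Windows"), (255, "Solaris/network gear")):
        if ttl <= initial:
            return f"initial TTL ~{initial} ({family}), about {initial - ttl} hop(s) away"
    return "unknown"

def profile(dump: str) -> dict:
    """Hex dump -> bytes -> decoded headers -> TTL-based guess."""
    info = parse_ipv4_icmp(hexdump_to_bytes(dump))
    info["os_guess"] = ttl_os_guess(info["ttl"])
    return info

if __name__ == "__main__":
    for name, dump in (("echo request", ECHO_REQUEST), ("echo reply", ECHO_REPLY)):
        print(name, profile(dump))
```

The reply decodes to ttl 128 with the same ICMP id and sequence 38214 as the request, matching the text; the request's ttl of 43 from a host on the same subnet is a reminder that a crafted probe carries whatever TTL its sender chooses, so the heuristic is only trustworthy on the victim's replies.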

Wrap up

So far in this part we have seen a malicious hacker scan a network for two specific ports using Nmap. He so far has ascertained that a computer or computer network resides at that IP address. In part two we shall go on to finish the study of our packet trace, and pull out the remaining pieces of profiling information. See you then.

About Don Parker
Don Parker specializes in matters of intrusion detection and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and writes for various online and print media on matters of computer security. You can contact Don Parker at dparker@bridonsecurity.com
