Lecture 24: Network Primer 7/16/2003 CSCE 590 Summer 2003

Page 1: Lecture 24:  Network Primer

Lecture 24: Network Primer

7/16/2003

CSCE 590

Summer 2003

Page 2: Lecture 24:  Network Primer

tcpdump

• Packet capture and analysis utility

• Default number of bytes captured: 68 (the default in tcpdump of that era; current versions capture whole packets by default)

– Change with the snaplength option: -s 1518 (lowercase; uppercase -S instead prints absolute TCP sequence numbers)

– If a packet is truncated, the “|” symbol is used in the output

• Does not show the frame (link-layer) header by default

– To enable that, -e

• To see hexadecimal output: -x

• To see hexadecimal output with an ASCII sidebar: -X

Page 3: Lecture 24:  Network Primer

tcpdump

• To write a trace to a file instead of standard output, use -w filename

• To read from a trace file, use -r filename

• To choose a network interface to sniff traffic from, use -i interface

• To force tcpdump not to resolve machine names with DNS, use -n

• To force it to also not translate TCP/UDP service port numbers from the /etc/services file, add an ‘n’: -nn

Page 4: Lecture 24:  Network Primer

tcpdump Filters

• There are keywords (macros) for commonly accessed headers in filtering

• To reference a type of header in a packet: ip, tcp, icmp, udp

• To reference a particular byte within that header, use a byte displacement with the type:

– ip[0] – first byte of the IP header (numbering starts from zero, and offsets count from the start of that header, not from the start of the packet)

– tcp[13] – the TCP flags byte (the TCP header length is the high four bits of tcp[12], not tcp[13])

Page 5: Lecture 24:  Network Primer

Filters vs. Macros

• Macros are predefined filters

• Must use filters where there are no macros

• Filter format

– <protocol header>[offset:length] <relation> <value>

• Macro format

– <macro> <value>

• Example:

– ip[9] = 1

– The byte at offset 9 of the IP header (the tenth byte, counting from zero) is the Protocol field, and a value of 1 = ICMP

– Equivalent macro: icmp

Page 6: Lecture 24:  Network Primer

More Examples

• tcp[0:2] < 53

– Starting at byte 0 of the TCP header, for 2 bytes (the source port field), with a value less than 53

– tcp and src port < 53 (NOT!!!) – you can’t do relational comparisons with macros, only give them a value (newer libpcap adds src portrange 0-52, which covers this particular case)

• udp[6:2] != 0

– ? Your turn

• icmp[0] = 8

– ? Your turn

Page 7: Lecture 24:  Network Primer

Common Macros

• host

• net (e.g. net 129.252)

• port

• src can modify host, net, and port

• dst can modify host, net, and port

• icmp

• tcp

• udp

• Also: and (&&), not (!), or (||)

Page 8: Lecture 24:  Network Primer

Bits and Bytes

• Sometimes you don’t want a whole byte (looking at just a flag)

• So we turn to bit masking (math, eeeww!)

• “AND” unwanted bits with 0 to clear them

• “AND” wanted bits with 1 to keep them

• tcpdump masks are conventionally written in hexadecimal, however, so there is some conversion involved

Page 9: Lecture 24:  Network Primer

Bit Masking Example

• Let’s check for the TCP ACK bit turned on

• It is in byte 13, so we have tcp[13]

• From our TCP header, bytes 12 and 13 are:

– byte 12: Hdr Len (4 bits) | Reserved (4 bits)

– byte 13: two reserved bits (now CWR and ECE), then URG, ACK, PSH, RST, SYN, FIN

– so URG = 0x20, ACK = 0x10, PSH = 0x08, RST = 0x04, SYN = 0x02, FIN = 0x01

• Byte 13 = 0x12 (a SYN/ACK) = 0 0 0 1 0 0 1 0

• AND mask 0 0 0 1 0 0 0 0 = 0x10

• Result 0 0 0 1 0 0 0 0 = 0x10, which is nonzero, so ACK is set

• Complete filter: (tcp[13] & 0x10) != 0

• tcpdump -i eth0 -s 1518 '(tcp[13] & 0x10) != 0'

• What kind of packets match (tcp[13] & 0x10) = 0?

Page 10: Lecture 24:  Network Primer

Bit Masking Examples

• What do these masks check for?

– (tcp[13] & 0x02) != 0

– tcp[13] = 0xff

– (ip[6] & 0x20) != 0

• Write one to check for either the SYN or FIN bit set
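The filters from the slides on filters, macros and bit masking, evaluated in pure Python as an added example that is not part of the lecture. It builds its own IPv4/TCP/UDP/ICMP packets with struct (no capture file is read; the 10.0.0.x addresses and packet names are made up for the example), and the field() helper reproduces the two tcpdump rules the slides depend on: offsets count from the start of the named header, and tcp[...]/udp[...]/icmp[...] only match packets of that protocol at fragment offset 0.

```python
"""Evaluate tcpdump-style byte-offset filters (ip[n], tcp[n:m], udp[n:m],
icmp[n]) in pure Python over constructed IPv4 packets.

The packets below are built with struct and are NOT captured traffic."""
import operator
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # bits of tcp[13]
IP_MF = 0x2000  # "more fragments" flag in the 16-bit flags/fragment-offset field


def ipv4_header(proto, payload_len, more_frags=False, frag_off=0):
    """20-byte IPv4 header without options (IHL = 5), 10.0.0.1 -> 10.0.0.2."""
    flags_frag = (IP_MF if more_frags else 0) | (frag_off & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def tcp_header(sport, dport, flags):
    """20-byte TCP header: byte 12 = data offset << 4, byte 13 = flags."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def udp_header(sport, dport, checksum=0):
    return struct.pack("!HHHH", sport, dport, 8, checksum)


def icmp_header(type_, code=0):
    return struct.pack("!BBHHH", type_, code, 0, 0, 0)


def packet(proto, l4, **ip_kwargs):
    return ipv4_header(proto, len(l4), **ip_kwargs) + l4


def field(pkt, header, offset, length=1):
    """Emulate tcpdump's header[offset:length].

    ip[] counts from the start of the IP header; tcp[]/udp[]/icmp[] count from
    the start of that transport header, which begins IHL*4 bytes in.  Like
    libpcap, a transport-layer reference only matches packets that carry that
    protocol and whose fragment offset is 0 (a later fragment has no header)."""
    if header == "ip":
        base = 0
    else:
        want = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP, "icmp": IPPROTO_ICMP}[header]
        if pkt[9] != want or (int.from_bytes(pkt[6:8], "big") & 0x1FFF) != 0:
            return None
        base = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[base + offset:base + offset + length], "big")


RELATIONS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}

# tcpdump syntax: <header>[offset:length] <relation> <value>, optionally with
# "& mask" applied to the extracted bytes first.
FILTERS = {
    "ip[9] = 1":             ("ip",   9, 1, None,      "=",  1),     # same as the icmp macro
    "tcp[0:2] < 53":         ("tcp",  0, 2, None,      "<",  53),    # TCP source port below 53
    "udp[6:2] != 0":         ("udp",  6, 2, None,      "!=", 0),     # UDP checksum present
    "icmp[0] = 8":           ("icmp", 0, 1, None,      "=",  8),     # ICMP echo request
    "(tcp[13] & 0x10) != 0": ("tcp", 13, 1, ACK,       "!=", 0),     # ACK set
    "(tcp[13] & 0x10) = 0":  ("tcp", 13, 1, ACK,       "=",  0),     # ACK clear: initial SYNs
    "(tcp[13] & 0x02) != 0": ("tcp", 13, 1, SYN,       "!=", 0),     # SYN set
    "tcp[13] = 0xff":        ("tcp", 13, 1, None,      "=",  0xFF),  # every flag set
    "(ip[6] & 0x20) != 0":   ("ip",   6, 1, 0x20,      "!=", 0),     # More Fragments set
    "(tcp[13] & 0x03) != 0": ("tcp", 13, 1, SYN | FIN, "!=", 0),     # SYN or FIN set
}


def evaluate(pkt, header, offset, length, mask, relation, value):
    v = field(pkt, header, offset, length)
    if v is None:
        return False
    if mask is not None:
        v &= mask
    return RELATIONS[relation](v, value)


def apply_filters(packets, filters=FILTERS):
    """Map each filter expression to the names of the packets it selects."""
    return {expr: [name for name, pkt in packets.items() if evaluate(pkt, *spec)]
            for expr, spec in filters.items()}


PACKETS = {  # constructed samples, not captured traffic
    "syn":         packet(IPPROTO_TCP, tcp_header(40000, 80, SYN)),
    "syn-ack":     packet(IPPROTO_TCP, tcp_header(80, 40000, SYN | ACK)),  # tcp[13] == 0x12
    "ack":         packet(IPPROTO_TCP, tcp_header(40000, 80, ACK)),
    "ssh-data":    packet(IPPROTO_TCP, tcp_header(22, 40000, PSH | ACK)),
    "all-flags":   packet(IPPROTO_TCP, tcp_header(40000, 80, 0xFF)),
    "fin":         packet(IPPROTO_TCP, tcp_header(40000, 80, FIN | ACK)),
    "dns-query":   packet(IPPROTO_UDP, udp_header(1745, 53, checksum=0xBEEF)),
    "udp-nocksum": packet(IPPROTO_UDP, udp_header(1745, 53, checksum=0)),
    "ping":        packet(IPPROTO_ICMP, icmp_header(8)),
    "pong":        packet(IPPROTO_ICMP, icmp_header(0)),
    "udp-frag-0":  packet(IPPROTO_UDP, udp_header(1745, 53), more_frags=True),
    "tcp-frag-1":  packet(IPPROTO_TCP, tcp_header(40000, 80, SYN), frag_off=10),
}

if __name__ == "__main__":
    for expr, hits in apply_filters(PACKETS).items():
        print(f"{expr:24} -> {hits}")
```

Running it shows which constructed packets each expression selects: (tcp[13] & 0x10) = 0 picks out only the bare SYN, which answers the question on the bit-masking slide, and the non-first fragment tcp-frag-1 matches no tcp[...] expression at all. That last point is why a filter built on transport-header offsets should be paired with a fragment check such as (ip[6] & 0x20) != 0 or ip[6:2] & 0x1fff != 0 when looking for evasion.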

Page 11: Lecture 24:  Network Primer

Another Game of What’s Weird?

22:08:38.495489 dns.querier.1745 > dns.nl.53: 42371+ (31)

22:08:48.150706 dns.nl > dns.querier: (frag 63694:30@400)

22:08:48.154481 dns.nl.53 > dns.querier.1745: 42371 6/8/8 (72)(frag 63694:80@0+)

22:08:48.154481 dns.nl > dns.querier: (frag 63694:80@320+)

22:08:48.154490 dns.nl > dns.querier: (frag 63694:80@240+)

22:08:48.156737 dns.nl > dns.querier: (frag 63694:80@160+)

22:08:48.156745 dns.nl > dns.querier: (frag 63694:80@80+)

22:09:08.612886 dns.querier > dns.nl: icmp: ip reassembly time exceeded [tos 0xc0]

Page 12: Lecture 24:  Network Primer

What’s Weird?

2:19:30.481578 somewhere.nl > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

2:19:31.478737 somewhere.au > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

2:19:32.478824 somewhere.de > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

2:19:33.478916 somewhere.edu > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

Page 13: Lecture 24:  Network Primer

What’s Weird?

23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>

Page 14: Lecture 24:  Network Primer

Another Trace

23:30:32.704057 beav.32772 > www.sc.edu.33435: [udp sum ok] udp 10 [ttl 1] (id 20523, len 38)

23:30:32.707533 beav.32772 > www.sc.edu.33436: [udp sum ok] udp 10 [ttl 1] (id 20524, len 38)

23:30:32.707760 beav.32772 > www.sc.edu.33437: [udp sum ok] udp 10 [ttl 1] (id 20525, len 38)

23:30:32.708017 beav.32772 > www.sc.edu.33438: [udp sum ok] udp 10 (ttl 2, id 20526, len 38)

23:30:32.712804 beav.32772 > www.sc.edu.33439: [udp sum ok] udp 10 (ttl 2, id 20527, len 38)

23:30:32.713351 beav.32772 > www.sc.edu.33440: [udp sum ok] udp 10 (ttl 2, id 20528, len 38)

23:30:32.713961 beav.32772 > www.sc.edu.33441: [udp sum ok] udp 10 (ttl 3, id 20529, len 38)

23:30:32.719796 beav.32772 > www.sc.edu.33442: [udp sum ok] udp 10 (ttl 3, id 20530, len 38)

23:30:32.720618 beav.32772 > www.sc.edu.33443: [udp sum ok] udp 10 (ttl 3, id 20531, len 38)

Page 15: Lecture 24:  Network Primer

What’s This?

23:49:23.440874 host.57839 > fozzie.32787: udp 0

23:49:23.440901 host.57839 > fozzie.32775: udp 0

23:49:23.440932 host.57839 > fozzie.32788: udp 0

23:49:23.440943 host.57839 > fozzie.32789: udp 0

23:49:23.440986 host.57839 > fozzie.32791: udp 0

23:49:23.441009 host.57839 > fozzie.32799: udp 0

23:49:23.441027 host.57839 > fozzie.32774: udp 0

23:49:23.441059 host.57839 > fozzie.32781: udp 0

23:49:23.441072 host.57839 > fozzie.32772: udp 0

23:49:23.441080 host.57839 > fozzie.32789: udp 0

23:49:23.441105 host.57839 > fozzie.32800: udp 0

23:49:23.441215 fozzie > host: icmp: fozzie udp port 32788 unreachable (DF)

23:49:23.441269 fozzie > host: icmp: fozzie udp port 32791 unreachable (DF)

23:49:23.441288 fozzie > host: icmp: fozzie udp port 32781 unreachable (DF)

23:49:23.441310 fozzie > host: icmp: fozzie udp port 32789 unreachable (DF)

Page 16: Lecture 24:  Network Primer

And This?

23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192

23:46:41.509678 map.edu.39345 > 129.252.41.15.143: S 698735981:698735981(0) win 8192

23:46:53.518688 map.edu.39378 > 129.252.41.14.143: S 698654463:698654463(0) win 8192

23:46:53.923679 map.edu.39379 > 129.252.41.13.143: S 699129230:699129230(0) win 8192

23:46:53.970672 map.edu.39639 > 129.252.41.11.143: S 699129300:699129300(0) win 8192

23:46:53.989649 map.edu.39777 > 129.252.41.10.143: S 699129740:699129740(0) win 8192

23:46:53.994699 map.edu.39791 > 129.252.41.12.143: S 699129768:699129768(0) win 8192

23:46:53.999670 map.edu.39812 > 129.252.41.9.143: S 699129901:699129901(0) win 8192

Page 17: Lecture 24:  Network Primer

What’s Weird?

23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512

23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512

23:46:53.518688 map.net.0 > 129.252.41.56.110: SF 698192483:698192483(0) win 512

23:46:53.923679 map.net.0 > 129.252.41.33.110: SF 698192483:698192483(0) win 512

23:46:53.970672 map.net.0 > 129.252.41.119.110: SF 698192483:698192483(0) win 512

23:46:53.989649 map.net.0 > 129.252.41.76.110: SF 698192483:698192483(0) win 512

23:46:53.994699 map.net.0 > 129.252.41.200.110: SF 698192483:698192483(0) win 512

23:46:53.999670 map.net.0 > 129.252.41.15.110: SF 698192483:698192483(0) win 512

Page 18: Lecture 24:  Network Primer

What’s Strange?

23:46:40.529581 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512

23:46:41.509678 ack.org.23 > 129.252.37.4.23: . ack 698192483 win 512

23:46:53.518688 ack.org.143 > 129.252.41.99.143: . ack 698192483 win 512

23:46:53.923679 ack.org.143 > 129.252.37.4.143: . ack 698192483 win 512

23:46:53.970672 ack.org.110 > 129.252.41.99.110: . ack 698192483 win 512

23:46:53.989649 ack.org.110 > 129.252.37.4.110: . ack 698192483 win 512

23:46:53.994699 ack.org.23 > 129.252.33.7.23: . ack 698192483 win 512

23:46:53.999670 ack.org.23 > 129.252.4.213.23: . ack 698192483 win 512

Page 19: Lecture 24:  Network Primer

Anything Unusual?

23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096

23:46:41.509678 scan.net.25820 > 129.252.136.76.23: S 698197881:698197881(4) win 4096

23:46:53.518688 scan.net.47521 > 10.20.98.76.23: S 378192499:378192499(4) win 4096

23:46:53.923679 scan.net.25820 > 129.252.11.76.23: S 69821387:69821387(4) win 4096

23:46:53.970672 scan.net.47521 > 10.20.54.76.23: S 378212490:378212490(4) win 4096

23:46:53.989649 scan.net.47521 > 10.20.223.76.23: S 378212787:378212787(4) win 4096

23:46:53.994699 scan.net.25820 > 129.252.209.76.23: S 69822345:69822345(4) win 4096

23:46:53.999670 scan.net.47521 > 10.20.90.76.23: S 37827658:37827658(4) win 4096
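The four TCP traces above are meant to be read by eye. As an added example that is not from the lecture, the script below parses 2003-era tcpdump TCP lines and encodes the properties a reader is expected to notice: SYN and FIN set together, source port 0, a payload on a bare SYN, a sequence range that disagrees with the length in parentheses, identical source and destination ports, one sequence or ack number reused toward several destinations, and one source hitting the same port on many hosts. The sample lines are constructed for the example (modelled on the slides' obfuscated host names), and the thresholds of three and four hosts are arbitrary choices.

```python
"""Flag crafted-looking TCP packets in old-style tcpdump output.

SAMPLE below is constructed for this example (modelled on the traces in the
slides, with the same obfuscated host names); it is not a real capture."""
import re
from collections import defaultdict

# 2003-era tcpdump TCP line:
#   ts src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] win W ...
LINE_RE = re.compile(r"""
    ^(?P<ts>\d+:\d+:\d+\.\d+)\s+
    (?P<src>\S+)\.(?P<sport>\d+)\s+>\s+
    (?P<dst>\S+)\.(?P<dport>\d+):\s+
    (?P<flags>[SFRPUW.]+)\s*
    (?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)\s*)?
    (?:ack\s+(?P<ack>\d+)\s*)?
    win\s+(?P<win>\d+)
""", re.VERBOSE)


def parse(line):
    """Return the packet's fields as a dict, or None for lines that are not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "seq", "end", "len", "ack", "win"):
        p[k] = int(p[k]) if p[k] is not None else None
    p["syn"] = "S" in p["flags"]
    p["fin"] = "F" in p["flags"]
    return p


# Per-packet rules: each is a property no normal TCP stack produces.
PACKET_RULES = [
    ("SYN and FIN both set", lambda p: p["syn"] and p["fin"]),
    ("source port 0", lambda p: p["sport"] == 0),
    ("payload on a bare SYN",
     lambda p: p["syn"] and p["ack"] is None and (p["len"] or 0) > 0),
    ("seq range disagrees with stated length",
     lambda p: p["seq"] is not None and p["end"] - p["seq"] != p["len"]),
    ("same source and destination port", lambda p: p["sport"] == p["dport"]),
]


def analyze(lines, scan_hosts=4, reuse_hosts=3):
    """Run the per-packet rules plus two cross-packet ones (number reuse and
    one-port-many-hosts sweeps); returns {rule: [matching packets]}."""
    findings = {name: [] for name, _ in PACKET_RULES}
    by_number = defaultdict(set)  # (src, seq-or-ack number) -> destinations
    by_dport = defaultdict(set)   # (src, dport) -> destinations
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        key = f"{p['src']}.{p['sport']} > {p['dst']}.{p['dport']}"
        for name, rule in PACKET_RULES:
            if rule(p):
                findings[name].append(key)
        number = p["seq"] if p["seq"] is not None else p["ack"]
        if number is not None:
            by_number[(p["src"], number)].add(p["dst"])
        by_dport[(p["src"], p["dport"])].add(p["dst"])
    findings[f"seq/ack number reused toward {reuse_hosts}+ destinations"] = sorted(
        f"{src}/{n}" for (src, n), dsts in by_number.items() if len(dsts) >= reuse_hosts)
    findings[f"one source, one dport, {scan_hosts}+ destinations"] = sorted(
        f"{src} -> port {dport} ({len(dsts)} hosts)"
        for (src, dport), dsts in by_dport.items() if len(dsts) >= scan_hosts)
    return findings


SAMPLE = """\
23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192
23:46:41.509678 map.edu.39345 > 129.252.41.15.143: S 698735981:698735981(0) win 8192
23:46:53.518688 map.edu.39378 > 129.252.41.14.143: S 698654463:698654463(0) win 8192
23:46:53.923679 map.edu.39379 > 129.252.41.13.143: S 699129230:699129230(0) win 8192
23:46:53.970672 map.edu.39639 > 129.252.41.11.143: S 699129300:699129300(0) win 8192
23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512
23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512
23:46:53.518688 map.net.0 > 129.252.41.56.110: SF 698192483:698192483(0) win 512
23:46:40.529581 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512
23:46:41.509678 ack.org.23 > 129.252.37.4.23: . ack 698192483 win 512
23:46:53.518688 ack.org.143 > 129.252.41.99.143: . ack 698192483 win 512
23:46:53.994699 ack.org.23 > 129.252.33.7.23: . ack 698192483 win 512
23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096
23:46:41.509678 scan.net.25820 > 129.252.136.76.23: S 698197881:698197881(4) win 4096
12:00:00.000001 client.example.51234 > 129.252.41.16.80: S 1122334455:1122334455(0) win 65535
"""

if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE.splitlines()).items():
        print(f"{rule}: {len(hits)}")
        for h in hits:
            print("   ", h)
```

The per-packet rules need no state and would work as a streaming filter; the two aggregate rules need the whole window and are the ones a real detector would bound by time (the slides' sweeps all fall within about fourteen seconds). The ordinary client SYN at the end of the sample trips nothing.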

Page 20: Lecture 24:  Network Primer

What’s Scary?

23:46:40.529581 scanner.net > dns.my.edu: ip-proto-54 44

23:46:41.509678 scanner.net > dns.my.edu: ip-proto-54 44

23:46:53.518688 scanner.net > dns.my.edu: ip-proto-54 44

23:46:53.923679 scanner.net > firewall.my.edu: ip-proto-54 44

23:46:53.970672 scanner.net > firewall.my.edu: ip-proto-54 44

23:46:53.989649 scanner.net > firewall.my.edu: ip-proto-54 44

23:46:53.994699 scanner.net > ids.my.edu: ip-proto-54 44

23:46:53.999670 scanner.net > ids.my.edu: ip-proto-54 44

23:46:53.999691 scanner.net > ids.my.edu: ip-proto-54 44

(ip-proto-54 is NARP, the NBMA Address Resolution Protocol from the ATM world; tcpdump prints any protocol it does not decode as ip-proto-N)

But that’s beside the scary point.

Page 21: Lecture 24:  Network Primer

Huh?

router1.com > 129.252.49.0: icmp: time exceeded in-transit

router1.com > 129.252.21.0: icmp: time exceeded in-transit

router1.com > 129.252.78.0: icmp: time exceeded in-transit

router1.com > 129.252.52.0: icmp: time exceeded in-transit

router2.com > 129.252.109.0: icmp: time exceeded in-transit [tos 0xc0]

router2.com > 129.252.1.0: icmp: time exceeded in-transit [tos 0xc0]

router2.com > 129.252.243.0: icmp: time exceeded in-transit [tos 0xc0]

router2.com > 129.252.43.0: icmp: time exceeded in-transit [tos 0xc0]

router2.com > 129.252.66.0: icmp: time exceeded in-transit [tos 0xc0]

router2.com > 129.252.31.0: icmp: time exceeded in-transit [tos 0xc0]

router2.com > 129.252.200.0: icmp: time exceeded in-transit [tos 0xc0]

router2.com > 129.252.212.0: icmp: time exceeded in-transit [tos 0xc0]

router2.com > 129.252.79.0: icmp: time exceeded in-transit [tos 0xc0]

router3.com > 129.252.55.0: icmp: time exceeded in-transit

router3.com > 129.252.111.0: icmp: time exceeded in-transit

router3.com > 129.252.83.0: icmp: time exceeded in-transit

router1.com > 129.252.16.0: icmp: time exceeded in-transit

router1.com > 129.252.156.0: icmp: time exceeded in-transit

Page 22: Lecture 24:  Network Primer

WinNuke

nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)

nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)

nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)

nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)

nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)

nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)

Page 23: Lecture 24:  Network Primer

And This?

3:46:41.529581 dos.com > 129.252.49.0: (frag 54190:1480@4440+)

3:46:41.579678 dos.com > 129.252.49.0: (frag 54190:1480@2960+)

3:46:53.518688 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

3:46:53.923679 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

3:46:53.970672 dos.com > 129.252.49.0: (frag 54190:1480@2960+)

3:46:53.989649 dos.com > 129.252.49.0: (frag 54190:1480@5920+)

3:46:53.994699 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@2960+)

3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@4440+)

3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

http://www.cisco.com/warp/public/770/nifrag.shtml

Page 24: Lecture 24:  Network Primer

Bad Network Traffic in Other Places

• Web logs

• Traffic monitoring graphs

• Firewall logs

• Intrusion detection systems

• Router syslogs

• I even see attempts against my SSH tunnels!

Page 25: Lecture 24:  Network Primer

Slammer

02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376

02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]

Page 26: Lecture 24:  Network Primer

Nimda

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215

129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215

129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
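The requests above all aim at the same target through different encodings of “..\” and “../”. As an added example that is not part of the lecture, the script below normalizes a web-log request the way those probes counted on being normalized (a second %-decoding pass for %25xx and %%35%63, and 2-byte overlong UTF-8 such as %c0%af and %c1%9c folded to “/” and “\”) and then checks whether the decoded path climbs above the web root. The lenient decoder is an assumption made for illustration, not a reproduction of IIS's own code; the sample log reuses four lines from the slide plus two constructed benign requests from 10.0.0.7.

```python
"""Classify IIS/Nimda-style traversal probes from web-server access logs.

SAMPLE_LOG mixes four lines from the slide with two constructed benign
requests.  The decoder imitates the lenient behaviour the probes relied on
(a second %-decoding pass and overlong 2-byte UTF-8 for '/' and '\\'); that
is an assumption for illustration, not IIS's actual algorithm."""
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def percent_decode_once(s):
    """One pass of %XX decoding; bytes are kept as Latin-1 code points."""
    return PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def fold_overlong(s):
    """Collapse overlong 2-byte sequences with lead byte C0/C1: the lead carries
    one data bit and the trail six, so C0 AF -> 0x2F '/' and C1 9C -> 0x5C '\\'.
    Deliberately accepts a trail byte that is not 10xxxxxx, as %c1%1c needs."""
    out, i = [], 0
    while i < len(s):
        c = ord(s[i])
        if c in (0xC0, 0xC1) and i + 1 < len(s):
            out.append(chr(((c & 0x01) << 6) | (ord(s[i + 1]) & 0x3F)))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def classify(target):
    """Return (decoded path, sorted tags) for one request target."""
    path = target.split("?", 1)[0]
    tags = set()
    once = percent_decode_once(path)
    twice = percent_decode_once(once)
    if twice != once:
        tags.add("double-encoding")      # %255c, %%35%63, %25%35%63, %252f
    folded = fold_overlong(twice)
    if folded != twice:
        tags.add("overlong-utf8")        # %c0%af, %c1%9c, %c1%1c
    depth = 0
    for seg in re.split(r"[/\\]", folded):
        if seg == "..":
            depth -= 1
            if depth < 0:                # climbed above the web root
                tags.add("traversal")
        elif seg not in ("", "."):
            depth += 1
    if "cmd.exe" in folded.lower():
        tags.add("cmd.exe")
    return folded, sorted(tags)


def scan_log(lines):
    """Return (client, status, decoded path, tags) for every parsable CLF line."""
    results = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        decoded, tags = classify(m.group("target"))
        results.append((m.group("client"), int(m.group("status")), decoded, tags))
    return results


SAMPLE_LOG = """\
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
10.0.0.7 - - [12/Apr/2002:12:05:00 -0400] "GET /images/../css/site.css HTTP/1.0" 200 1187
10.0.0.7 - - [12/Apr/2002:12:05:01 -0400] "GET /index.html HTTP/1.0" 200 5120
"""

if __name__ == "__main__":
    for client, status, path, tags in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client:12} {status} {path:42} {tags}")
```

The traversal check is done on the decoded path rather than by grepping for “%255c” or “cmd.exe”, so a new encoding of the same “..\” still lands in the same bucket, and a “..” that stays inside the root (the /images/../css request) is not reported. The first slide line, /c/winnt/system32/cmd.exe, contains no traversal at all; it only works on a host where the C: drive is already exposed as a virtual directory, which is why it is tagged cmd.exe alone.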

Page 27: Lecture 24:  Network Primer

Firewall Logs

Page 28: Lecture 24:  Network Primer

Intrusion Detection Systems

Page 29: Lecture 24:  Network Primer

References

• Highly recommend:

• http://www.sans.org/resources/tcpip.pdf