Lecture 24: Network Primer 7/16/2003 CSCE 590 Summer 2003

Lecture 24: Network Primer

7/16/2003

CSCE 590

Summer 2003

tcpdump

• Packet capture and analysis utility• Default number of bytes captured: 68

– Change with the snaplength option –S 1518

– If a packet is truncated, “|” symbol is used in output

• Does not show frame header by default– To enable that, -e

• To see hexadecimal output: -x• To see hexadecimal output with ASCII sidebar: -X

tcpdump

• To write trace to a file instead of standard output, use –w filename

• To read from a trace file, use –r filename• To choose a network interface to sniff traffic from,

use –i inteface • To force tcpdump not to resolve machine names

with DNS, use –n• To force it to also not translate TCP/UDP service

port number from /etc/services file, add an ‘n’: -nn

tcpdump Filters

• There are given keywords or macros for commonly accessed headers in filtering

• To reference a type of header in a packet:– ip, tcp, icmp, udp

• To reference a particular byte within that header, use a byte displacement with type:– ip[0] – first byte offset of IP header (numbering starts

from zero)

– tcp[13] - tcp header length

Filters vs. Macros

• Macros are predefined filters• Must use filters where there are no macros• Filter format

– <protocol header>[offset:length] <relation><value>

• Macro format– <macro> <value>

• Example:– ip[9] = 1– Ninth byte of IP header is Protocol type, and a value of 1 =

ICMP– Icmp

More Examples

• tcp[0:2] < 53– Starting at byte 0 of the TCP header, for 2 bytes (source

port field) with a value less than 53

– tcp and src port < 53 (NOT!!!) can’t do relational with macros, only give it a value

• udp[6:2] != 0– ? Your turn

• icmp[0] = 8– ? Your turn

Common Macros

• host• net (129.252)• port• src can modify host, net, and port• dst can modify host, net, and port• icmp• tcp• Udp• Also: and (&&), not (!), or (||)

Bits and Bytes

• Sometimes you don’t want a whole byte (looking at just a flag)

• So we turn to bit masking (math, eeeww!)

• “AND” unwanted bits with 0 to clear them

• “AND” wanted bits with 1 to keep them

• tcpdump works in hexadecimal however, so there is some conversion involved

Bit Masking Example• Let’s check for the TCP ACK bit turned on• It is byte 13 so we have tcp[13]• From our TCP header:• Byte 13 = 0x12 =0 0 0 1 0 0 1 0 AND_ _ _ _ _ _ _ _ mask0 0 0 1 0 0 0 0 = 0x10• Complete filter: (tcp[13]&0x10) != 0• tcpdump -i eth0 -s 1518 ‘(tcp[13] & 0x10) != 0‘• What kind of packets with: (tcp[13] & 0x10) = 0

12 13

URG

ACK

PSH

RST

SYN

FIN

Hdr Len Reserved

Bit Masking Examples

• What do these masks check for?– (tcp[13] & 0x02) != 0

– tcp[13] = 0xff

– (ip[6] & 0x20) != 0

• Write one to check for either the SYN or FIN bit set

Another Game of What’s Weird?

22:08:38.495489 dns.querier.1745 > dns.nl.53: 42371+ (31)

22:08:48.150706 dns.nl > dns.querier: (frag 63694:30@400)

22:08:48.154481 dns.nl.53 > dns.querier.1745: 42371 6/8/8 (72)(frag 63694:80@0+)

22:08:48.154481 dns.nl > dns.querier: (frag 63694:80@320+)




22:09:08.612886 dns.querier > dns.nl: icmp: ip reassembly time exceeded [tos 0xc0]

What’s Weird?

2:19:30.481578 somewhere.nl > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

2:19:31.478737 somewhere.au > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

2:19:32.478824 somewhere.de > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

2:19:33.478916 somewhere.edu > 129.252.176.255: icmp: echo request (ttl 246, id 5134)

What’s Weird?

23:12:26.100485 hostA.48776 > machineB.25: . ack 0 win 2048 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol>

Another Trace23:30:32.704057 beav.32772 > www.sc.edu.33435: [udp sum ok]

udp 10 [ttl 1] (id 20523, len 38)

23:30:32.707533 beav.32772 > www.sc.edu.33436: [udp sum ok] udp 10 [ttl 1] (id 20524, len 38)

23:30:32.707760 beav.32772 > www.sc.edu.33437: [udp sum ok] udp 10 [ttl 1] (id 20525, len 38)

23:30:32.708017 beav.32772 > www.sc.edu.33438: [udp sum ok] udp 10 (ttl 2, id 20526, len 38)






What’s This?23:49:23.440874 host.57839 > fozzie.32787: udp 023:49:23.440901 host.57839 > fozzie.32775: udp 023:49:23.440932 host.57839 > fozzie.32788: udp 023:49:23.440943 host.57839 > fozzie.32789: udp 023:49:23.440986 host.57839 > fozzie.32791: udp 023:49:23.441009 host.57839 > fozzie.32799: udp 023:49:23.441027 host.57839 > fozzie.32774: udp 023:49:23.441059 host.57839 > fozzie.32781: udp 023:49:23.441072 host.57839 > fozzie.32772: udp 023:49:23.441080 host.57839 > fozzie.32789: udp 0 23:49:23.441105 host.57839 > fozzie.32800: udp 023:49:23.441215 fozzie > host: icmp: fozzie udp port 32788

unreachable (DF)23:49:23.441269 fozzie > host: icmp: fozzie udp port 32791



unreachable (DF)

And This?

23:46:40.529581 map.edu.39344 > 129.252.41.16.143: S 698192483:698192483(0) win 8192

23:46:41.509678 map.edu.39345 > 129.252.41.15.143: S 698735981:698735981(0) win 8192

23:46:53.518688 map.edu.39378 > 129.252.41.14.143: S 698654463:698654463(0) win 8192

23:46:53.923679 map.edu.39379 > 129.252.41.13.143: S 699129230:699129230(0) win 8192

23:46:53.970672 map.edu.39639 > 129.252.41.11.143: S 699129300:699129300(0) win 8192

23:46:53.989649 map.edu.39777 > 129.252.41.10.143: S 699129740:699129740(0) win 8192

23:46:53.994699 map.edu.39791 > 129.252.41.12.143: S 699129768:6991292768(0) win 8192

23:46:53.999670 map.edu.39812 > 129.252.41.9.143: S 699129901:699129901(0) win 8192

What’s Weird?

23:46:40.529581 map.net.0 > 129.252.41.99.110: SF 698192483:698192483(0) win 512

23:46:41.509678 map.net.0 > 129.252.41.27.110: SF 698192483:698192483(0) win 512

23:46:53.518688 map.net.0 > 129.252.41.56.110: SF 698192483:698192483(0) win 512

23:46:53.923679 map.net.0 > 129.252.41.33.110: SF 698192483:698192483(0) win 512

23:46:53.970672 map.net.0 > 129.252.41.119.110: SF 698192483:698192483(0) win 512

23:46:53.989649 map.net.0 > 129.252.41.76.110: SF 698192483:698192483(0) win 512

23:46:53.994699 map.net.0 > 129.252.41.200.110: SF 698192483:698192483(0) win 512

23:46:53.999670 map.net.0 > 129.252.41.15.110: SF 698192483:698192483(0) win 512

What’s Strange?

23:46:40.529581 ack.org.23 > 129.252.41.99.23: . ack 698192483 win 512

23:46:41.509678 ack.org.23 > 129.252.37.4.23: . ack 698192483 win 512

23:46:53.518688 ack.org.143 > 129.252.41.99.143: . ack 698192483 win 512

23:46:53.923679 ack.org.143 > 129.252.37.4.143: . ack 698192483 win 512

23:46:53.970672 ack.org.110 > 129.252.41.99.110: . ack 698192483 win 512

23:46:53.989649 ack.org.110 > 129.252. 37.4.110: . ack 698192483 win 512

23:46:53.994699 ack.org.23 > 129.252.33.7.23: . ack 698192483 win 512

23:46:53.999670 ack.org.23 > 129.252.4.213.23: . ack 698192483 win 512

Anything Unusual?

23:46:40.529581 scan.net.25820 > 129.252.41.76.23: S 698192483:698192483(4) win 4096

23:46:41.509678 scan.net.25820 > 129.252.136.76.23: S 698197881:698197881(4) win 4096

23:46:53.518688 scan.net.47521 > 10.20.98.76.23: S 378192499:378192499(4) win 4096

23:46:53.923679 scan.net.25820 > 129.252.11.76.23: S 69821387:69821387(4) win 4096

23:46:53.970672 scan.net.47521 > 10.20.54.76.23: S 378212490:378212490(4) win 4096

23:46:53.989649 scan.net.47521 > 10.20.223.76.23: S 378212787:378212787(4) win 4096

23:46:53.994699 scan.net.25820 > 129.252.209.76.23: S 69822345:69822345(4) win 4096

23:46:53.999670 scan.net.47521 > 10.20.90.76.23: S 37827658:37827658(4) win 4096

What’s Scary?

23:46:40.529581 scanner.net > dns.my.edu: ip-proto-54 44



23:46:53.923679 scanner.net > firewall.my.edu: ip-proto-54 44



23:46:53.994699 scanner.net > ids.my.edu: ip-proto-54 44



(ip-proto-54 = usually ATM: Next Hop Resolution Protocol)

But that’s beside the scary point.

Huh?

router1.com > 129.252.49.0: icmp: time exceeded in-transit




router2.com > 129.252.109.0: icmp: time exceeded in-transit [tos 0xc0]














WinNuke

nuker.com.334455 > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)






And This?

3:46:41.529581 dos.com > 129.252.49.0: (frag 54190:1480@4440+)

3:46:41.579678 dos.com > 129.252.49.0: (frag 54190:1480@2960+)

3:46:53.518688 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

3:46:53.923679 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

3:46:53.970672 dos.com > 129.252.49.0: (frag 54190:1480@2960+)

3:46:53.989649 dos.com > 129.252.49.0: (frag 54190:1480@5920+)

3:46:53.994699 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@2960+)

3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@4440+)

3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

3:46:53.999670 dos.com > 129.252.49.0: (frag 54190:1480@1480+)

http://www.cisco.com/warp/public/770/nifrag.shtml

Bad Network Traffic in Other places

• Web logs

• Traffic monitoring graphs

• Firewall logs

• Intrusion detection systems

• Router syslogs

• I even see attempts against my SSH tunnels!

Slammer

02:06:31.017088 150.140.142.17.3047 > 24.193.37.212.ms-sql-m: udp 376

02:06:31.017244 24.193.37.212 > 150.140.142.17: icmp: 24.193.37.212 udp port ms-sql-m unreachable [tos 0xc0]

Nimda129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

403 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

403 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET

/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET

/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET

/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET /msadc/..%255c../..%255c../..%255c/..

%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET

/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET

/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET

/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -129.3.1.40 - - [12/Apr/2002:12:01:31 -0400] "GET

/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 –129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET

/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET

/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET

/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -129.3.1.40 - - [12/Apr/2002:12:01:32 -0400] "GET

/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -

Firewall Logs

Intrusion Detection Systems

References

• Highly recommend:

• http://www.sans.org/resources/tcpip.pdf

Documents

Lecture 24: Network Primer 7/16/2003 CSCE 590 Summer 2003