Thursday, December 27, 2012

Detecting Reconnaissance Process through Packet Analysis Part II

Hello guys, I am back with some more packet analysis content. This post is a continuation of my last post on Detecting Reconnaissance Process through Packet Analysis.

In this post I am going to focus on IP scanning, application mapping and OS fingerprinting (both TCP-based and ICMP-based fingerprinting).

We have the same lab setup as discussed in the previous post, so let us continue from there.



IP Scan

An IP scan (nmap calls it a protocol scan) is done to find which IP-layer protocols the target accepts, that is, which values of the Protocol field in the IP header it will respond to. Besides the usual TCP, UDP and ICMP, this covers protocols such as IGMP, GRE, ESP and routing protocols like OSPF that run directly on top of IP. If we open the log file in Wireshark and expand the IP header, we will observe that the Protocol field changes with every new packet that arrives on the cabling system. The scanner cycles this value through the protocol numbers and watches the response: an ICMP "protocol unreachable" means the protocol is closed, any other reply means it is open, and silence leaves it as open or filtered.

The IP scan is performed against the target 192.168.134.131 using nmap (its protocol scan mode, -sO).

 

The entire traffic was captured in Wireshark to analyze the IP scan.


In the snapshot above we see various numbers at the end of each packet summary. These numbers are the Protocol field values being scanned one by one: inside the IP header the Protocol value changes on every packet, which is the signature of an IP scan performed against 192.168.134.131 to find its working protocols. The results showed only TCP, ICMP, SCTP and UDP as open.
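The detection side of this, as an added example that is not part of the original post: a small Python script that builds a constructed capture of raw IPv4 packets, reads the Protocol field (byte 9 of the header) from each one, and flags any source that sends one target an unusually wide spread of protocol numbers. The scanner address 192.168.134.130 and the normal host 192.168.134.1 are assumptions for the sample; only the target 192.168.134.131 comes from the post.

```python
import struct
from collections import defaultdict

# IANA protocol numbers for the values used below (assumption: a production
# tool would load the full table from /etc/protocols or the IANA registry).
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
               50: "ESP", 89: "OSPF", 132: "SCTP"}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) plus payload.
    The header checksum is left at 0; that is fine for offline parsing."""
    ver_ihl = (4 << 4) | 5                       # version 4, header length 5 words
    header = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, 20 + len(payload), 0x1234, 0, 64,
                         proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol) for a raw IPv4 packet, or None if not IPv4.
    The Protocol field is byte 9 of the header: the value a -sO scan walks."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    return (".".join(str(b) for b in pkt[12:16]),
            ".".join(str(b) for b in pkt[16:20]),
            pkt[9])


def detect_protocol_scan(packets, threshold: int = 5):
    """Group packets by (src, dst) and report pairs whose Protocol field took at
    least `threshold` distinct values. Normal hosts use two or three protocols
    (TCP, UDP, ICMP); a scanner cycling through the protocol table stands out.
    No time window is applied here; a real detector would add one."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed:
            src, dst, proto = parsed
            seen[(src, dst)].add(proto)
    return {pair: sorted(protos)
            for pair, protos in seen.items() if len(protos) >= threshold}


def describe(protos):
    """Pretty-print protocol numbers with their names where known."""
    return [f"{p} ({PROTO_NAMES.get(p, 'unassigned/other')})" for p in protos]


# Constructed sample capture (not from the lab): a scanner walking the protocol
# table against the target, plus an ordinary host talking TCP to the same target.
SCANNER, TARGET, NORMAL_HOST = "192.168.134.130", "192.168.134.131", "192.168.134.1"
SAMPLE_CAPTURE = [build_ipv4(SCANNER, TARGET, p) for p in (1, 2, 6, 17, 47, 50, 89, 132)]
SAMPLE_CAPTURE += [build_ipv4(NORMAL_HOST, TARGET, 6) for _ in range(10)]

if __name__ == "__main__":
    for (src, dst), protos in detect_protocol_scan(SAMPLE_CAPTURE).items():
        print(f"possible IP protocol scan {src} -> {dst}: {describe(protos)}")
```

The threshold of five distinct protocols is a starting point, not a tuned value; on a segment where hosts legitimately speak GRE or OSPF you would raise it or whitelist those pairs.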

Application mapping:

Application mapping is performed to find out which service is actually running on which port. During application mapping the scanner does not trust the port number: a service may well be running on a non-standard port, so an open port is not assumed to carry its "usual" service. To confirm what is really listening, the scanner sends protocol-specific commands to the port and examines the response from the destination.

In application mapping a three-way handshake is first performed between the source and destination machines. After the handshake the source waits for any packet from the target (many services speak first with a banner), and then sends the data and commands specific to the protocol being probed on that port.

For analyzing such packets, if we know that an application is using a non-standard port, we can use Wireshark's "Decode As" option to decode the TCP/IP conversation as the actual service. For example, if we know FTP is running on port 80, we can capture the traffic and decode it as FTP; the entire TCP stream is then dissected as FTP instead of HTTP.
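The idea behind "Decode As", worked through as an added example (not code from the original post): identify the service from the first bytes the server sends rather than from the port number, and flag streams where the two disagree. The banner signatures, the port-to-service table and the four sample streams are constructed for this illustration; nmap's real version detection uses a far larger signature set.

```python
import re

# Server-side banner/response signatures, constructed for this example; nmap
# keeps its own far larger set in nmap-service-probes.
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3} ")),
    ("smtp", re.compile(rb"^220[ -].*\bE?SMTP\b", re.I)),   # checked before ftp: both greet with 220
    ("ftp",  re.compile(rb"^220[ -].*FTP", re.I)),
    ("pop3", re.compile(rb"^\+OK ")),
]

# What the port number alone would lead you to assume.
EXPECTED_ON_PORT = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http",
                    110: "pop3", 8080: "http"}


def identify_service(first_server_bytes: bytes):
    """Classify a TCP stream by the first bytes the server sent, ignoring the
    port entirely. Returns a service name or None when nothing matches."""
    for name, pattern in SIGNATURES:
        if pattern.search(first_server_bytes):
            return name
    return None


def audit_streams(streams):
    """streams: iterable of (dst_port, first_server_bytes) per TCP stream.
    Returns one dict per stream, with `mismatch` set when the payload says
    something different from what the port suggests: the case where you reach
    for Wireshark's "Decode As"."""
    report = []
    for port, payload in streams:
        found = identify_service(payload)
        expected = EXPECTED_ON_PORT.get(port)
        report.append({
            "port": port,
            "identified": found,
            "expected": expected,
            "mismatch": found is not None and expected is not None and found != expected,
        })
    return report


# Constructed first server-to-client bytes from four streams to the lab target.
SAMPLE_STREAMS = [
    (80,   b"220 ProFTPD 1.3.3 Server (lab) [192.168.134.131]\r\n"),  # FTP hiding on 80
    (2222, b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"),            # SSH, no expectation
    (8080, b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),            # matches the port
    (25,   b"220 mail.lab ESMTP Postfix\r\n"),                        # matches the port
]

if __name__ == "__main__":
    for row in audit_streams(SAMPLE_STREAMS):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f"port {row['port']:>5}: payload says {row['identified']}, "
              f"port suggests {row['expected']} -> {flag}")
```

Note that the HTTP stream only classifies because the client had already sent a request; services that wait for the client to speak first are exactly why a scanner has to send its own probes after the handshake instead of just listening.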

OS Fingerprinting:

OS fingerprinting is performed to detect the operating system name and version used by the destination machine. It comes in two basic types: active OS fingerprinting and passive OS fingerprinting. During active fingerprinting, packets are sent to the target and the responses are examined for anything that gives the OS away. Passive fingerprinting, in contrast, sends nothing; it just listens to the communication on the cabling system and picks up revealing details (banners, version strings, default TTL and window sizes) from traffic that is already flowing.

Active OS fingerprinting has two approaches: TCP-based OS fingerprinting and ICMP-based OS fingerprinting.

TCP Based OS Fingerprinting:

For TCP-based OS fingerprinting the scanner sends specially crafted packets to both an open and a closed port, then compares the responses against its fingerprint database (nmap-os-db in the case of nmap) to identify the operating system. The first probe is a plain SYN packet. The second has no flags set at all, the same packet used in a NULL scan. The third has URG, PSH, SYN and FIN set together, a combination no legitimate stack ever sends. Different operating systems handle these illegal flag combinations and the TCP options carried in the probes differently, so the results of all the probes are evaluated together and matched against the fingerprint file to obtain the most likely operating system.

 
Here packet number 2106 is one such unusually formed packet, with URG, PSH, SYN and FIN all set.
This is a clear trace of TCP-based OS fingerprinting.

ICMP Based OS Fingerprinting

ICMP-based OS fingerprinting relies on how different stacks answer (or ignore) several ICMP request types. It uses the following ICMP packets:
ICMP Type 8 (echo request, i.e. ping)
ICMP Type 15 (information request, long obsolete)
ICMP Type 13 (timestamp request)
ICMP Type 17 (address mask request)
If all four of these packets are visible on the cabling system together, from one source to one target, it indicates ICMP-based OS fingerprinting. A tool such as xprobe2 is usually what performs it; ordinary hosts have no reason to send timestamp, information or address mask requests.


In the log file above, packets 34 to 39 show exactly this sequence of packets, which points to ICMP-based OS fingerprinting.
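Both OS fingerprinting traces described above (the NULL and URG/PSH/SYN/FIN TCP probes, and the ICMP type 8/13/15/17 quartet) can be picked out of a capture with the same pass over the traffic. The following Python is an added example, not code from the original post: it works on records that have already been demuxed from the IPv4 layer, reads the TCP flag byte and the ICMP type byte, and reports per source/target pair. The scanner address 192.168.134.130 and the normal host 192.168.134.1 are assumptions for the constructed sample.

```python
import struct
from collections import defaultdict

# TCP flag bits (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The four ICMP request types the post lists; seeing all four from one source to
# one target is the xprobe-style pattern.
ICMP_FP_TYPES = {8: "echo request", 13: "timestamp request",
                 15: "information request", 17: "address mask request"}


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header with the given flag byte (checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def build_icmp(icmp_type: int) -> bytes:
    """Minimal 8-byte ICMP header; timestamp/mask requests carry more, but the
    type byte is all the detector reads."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)


def classify_tcp_probe(flags: int):
    """Name the flag combinations a normal stack never sends."""
    if flags == 0:
        return "NULL (no flags)"
    if flags == SYN | FIN | URG | PSH:
        return "SYN/FIN/URG/PSH"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    return None


def detect_os_fingerprinting(records):
    """records: (src, dst, ip_proto, l4_bytes) tuples, already demuxed from IPv4.
    Returns findings per (src, dst): the odd TCP probes seen and whether the
    complete ICMP request quartet was seen."""
    tcp_probes = defaultdict(list)
    icmp_seen = defaultdict(set)
    for src, dst, proto, l4 in records:
        if proto == 6 and len(l4) >= 20:
            label = classify_tcp_probe(l4[13])
            if label:
                tcp_probes[(src, dst)].append(label)
        elif proto == 1 and len(l4) >= 8 and l4[0] in ICMP_FP_TYPES:
            icmp_seen[(src, dst)].add(l4[0])
    findings = {}
    for pair in set(tcp_probes) | set(icmp_seen):
        quartet = icmp_seen.get(pair, set()) == set(ICMP_FP_TYPES)
        if tcp_probes.get(pair) or quartet:
            findings[pair] = {"tcp_probes": tcp_probes.get(pair, []),
                              "icmp_quartet": quartet,
                              "icmp_types": sorted(icmp_seen.get(pair, ()))}
    return findings


# Constructed traffic (not from the lab): a scanner fingerprinting the target,
# plus an ordinary host that just pings it and opens one TCP connection.
SCANNER, TARGET, NORMAL_HOST = "192.168.134.130", "192.168.134.131", "192.168.134.1"
SAMPLE_RECORDS = [
    (SCANNER, TARGET, 6, build_tcp(40000, 80, SYN)),                    # ordinary SYN, ignored
    (SCANNER, TARGET, 6, build_tcp(40001, 80, 0)),                      # NULL probe
    (SCANNER, TARGET, 6, build_tcp(40002, 80, SYN | FIN | URG | PSH)),  # illegal combination
] + [(SCANNER, TARGET, 1, build_icmp(t)) for t in (8, 13, 15, 17)] + [
    (NORMAL_HOST, TARGET, 1, build_icmp(8)),                            # plain ping, not flagged
    (NORMAL_HOST, TARGET, 6, build_tcp(50000, 22, SYN)),
]

if __name__ == "__main__":
    for (src, dst), f in detect_os_fingerprinting(SAMPLE_RECORDS).items():
        print(f"{src} -> {dst}: TCP probes {f['tcp_probes']}, "
              f"ICMP quartet {f['icmp_quartet']} {f['icmp_types']}")
```

The plain ping from the normal host is deliberately not reported: a type 8 alone is everyday traffic, and it is the presence of types 13, 15 and 17 alongside it that makes the pattern worth an alert.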