Debian DokuWiki

User Tools

Site Tools

Trace: sendmail generate_good_password dig apache top xfs ipxe tomcat network_security_assesment ssl
network_security_assesment

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_security_assesment [2009/06/08 03:06] k2patelnetwork_security_assesment [2020/08/10 02:35] (current) – external edit 127.0.0.1
Line 437: Line 437:
 </code> </code>
  
-[[91]]+== Using Specific Source Ports to Bypass Filtering == 
 +information regarding circumvention of Firewall-1 in certain\\ 
 +configurations, consult the excellent presentation from Black Hat Briefings 2000 by\\ 
 +Thomas Lopatic et al. titled “A Stateful Inspection of Firewall-1” available as a Real\\ 
 +Media video stream and PowerPoint presentation from [[ http://www.blackhat.com/html/bh-usa-00/bh-usa-00-speakers.html | Link]] 
 + 
 +=== Low-Level IP Assessment === 
 +Tools such as Nmap, Hping2, and Firewalk perform low-level IP assessment. 
 + 
 +Insight into the following areas of a network can be gleaned through low-level IP assessment: 
 + 
 +  * Uptime of target hosts (by analyzing the TCP timestamp option) 
 +  * TCP services that are permitted through the firewall (by analyzing responses to TCP and ICMP probes) 
 +  * TCP sequence and IP ID incrementation (by running predictability tests) 
 +  * The operating system of the target host (using IP fingerprinting) 
 + 
 +The TCP timestamp option is defined in RFC 1323. 
 +== Analyzing Responses to TCP Probes == 
 +A TCP probe always results in one of four responses. These responses potentially\\ 
 +allow an analyst to identify where a connection was accepted, or why and where it\\ 
 +was rejected, dropped, or lost: 
 +  * TCP SYN/ACK 
 +If a SYN/ACK packet is received, the port is considered open. 
 +  * TCP RST/ACK 
 +If an RST/ACK packet is received, the probe packet was rejected by either the\\ 
 +target host or an upstream security device (e.g., a firewall with a reject rule in its policy). 
 +  * ICMP type 3 code 13 
 +If an ICMP type 3 code 13 message is received, the host (or a device such as a\\ 
 +firewall) has administratively prohibited the connection according to an Access Control List (ACL) rule. 
 +  * Nothing 
 +If no packet is received, an intermediary security device silently dropped it. 
 + 
 +==== Simple tcpdump ==== 
 +dumping traffic with pcap_filter 
 +<code bash> 
 +tcpdump -i eth2 -s 0 -w /tmp/mar_2017.pcap host 192.168.1.86 
 +</code> 
 + 
 +Reading pcap output file 
 +<code bash> 
 +tcpdump -qns 0 -X -r /tmp/mar_2017.pcap 
 +</code> 
network_security_assesment.1244430398.txt.gz · Last modified: 2020/08/10 02:30 (external edit)