network_security_assesment, revisions 2009/06/08 03:37 and 2009/06/26 08:01 (k2patel)
Media video stream and PowerPoint presentation from [[ http://www.blackhat.com/html/bh-usa-00/bh-usa-00-speakers.html | Link]]
=== Low-Level IP Assessment ===
Tools such as Nmap, Hping2, and Firewalk perform low-level IP assessment: they send crafted TCP, UDP, and ICMP packets and reason about the replies (or their absence) rather than talking to the service behind a port.

Insight into the following areas of a network can be gleaned through low-level IP assessment:

  * Uptime of target hosts (by sampling the TCP timestamp option, TSval, from two or more replies, inferring the tick rate from the difference, and dividing the current value by it)
  * TCP services that are permitted through the firewall (by analyzing responses to TCP and ICMP probes)
  * TCP initial sequence number and IP ID incrementation (by running predictability tests; predictable ISNs allow blind connection spoofing, and a globally incrementing IP ID makes the host usable as an idle-scan zombie)
  * The operating system of the target host (using IP fingerprinting)

The TCP timestamp option is defined in RFC 1323 (since obsoleted by RFC 7323, which keeps the same option format: kind 8, length 10).
== Analyzing Responses to TCP Probes ==
A TCP SYN probe results in one of four responses. These responses allow an analyst to identify where a connection was accepted, or why and where it was rejected, dropped, or lost (Nmap reports the first as open, the second as closed, and the last two as filtered):

  * TCP SYN/ACK
  If a SYN/ACK packet is received, the port is open and the probe reached the host (or a proxying device answering on its behalf).
  * TCP RST/ACK
  If an RST/ACK packet is received, the probe was rejected either by the target host (the port is closed) or by an upstream security device such as a firewall with a reject rule in its policy. Comparing the TTL of the RST/ACK with the TTL of SYN/ACKs from ports known to be open on the same host shows whether the reset came from the host itself or from a device fewer hops away.
  * ICMP type 3 code 13
  If an ICMP type 3 code 13 (communication administratively prohibited) message is received, the host or an intermediate device such as a firewall has blocked the connection according to an Access Control List (ACL) rule; the source address of the ICMP message names the device that enforced it. Other type 3 codes (for example code 1 host unreachable, code 3 port unreachable, which iptables REJECT sends by default, or code 10 host administratively prohibited) likewise mean a router or filter actively refused or could not deliver the probe rather than silently dropping it.
  * Nothing
  If no packet is received, the usual explanation is that an intermediary security device silently dropped the probe, but a down host or packet loss on the path produces the same result. Retransmit the probe before concluding that the port is filtered.
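The classification above, together with the uptime estimate from the TCP timestamp option described under Low-Level IP Assessment, as a worked example added here (it is not part of the original page and not Nmap or Hping2 code). The packets are constructed inline rather than captured; the function names (classify, uptime_seconds, tcp_timestamp) and the addresses 10.0.0.5 and 10.0.0.1 are the example's own.

```python
"""Classify replies to a TCP SYN probe and estimate host uptime from the
TCP timestamp option (RFC 1323 / RFC 7323).
Added example: the packets are constructed in this file, not captured from a
real host; classify() and uptime_seconds() are this example's own names."""
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6           # IP protocol numbers
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10  # TCP flag bits


def parse_ipv4(pkt: bytes):
    """Return (protocol, ttl, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4              # header length in bytes
    return pkt[9], pkt[8], pkt[ihl:]


def tcp_timestamp(tcp: bytes):
    """Return TSval from the TCP timestamp option (kind 8, length 10), or None."""
    data_off = (tcp[12] >> 4) * 4
    opts, i = tcp[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 8 and length == 10:
            return struct.unpack("!I", opts[i + 2:i + 6])[0]
        i += length
    return None


def classify(reply):
    """Map a reply to a SYN probe (None = no reply) to the four outcomes."""
    if reply is None:
        # A silent drop, a down host, and plain packet loss look alike;
        # re-probe before reporting the port as filtered.
        return "filtered"
    proto, ttl, payload = parse_ipv4(reply)
    if proto == IPPROTO_TCP:
        flags = payload[13]
        if flags & TH_SYN and flags & TH_ACK:
            return "open"
        if flags & TH_RST:
            # RST/ACK from the host (closed port) or a firewall reject rule;
            # comparing ttl with SYN/ACKs from the same host tells which.
            return "rejected"
    elif proto == IPPROTO_ICMP:
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type == 3 and icmp_code == 13:
            return "admin-prohibited"     # ACL on the host or a firewall
        if icmp_type == 3:
            return "unreachable-code-%d" % icmp_code
    return "unexpected"


def uptime_seconds(ts1, t1, ts2, t2):
    """Estimate uptime from two TSval samples taken at wall-clock times t1 < t2.
    The tick rate is inferred from the samples (commonly 100, 250 or 1000 Hz).
    Hosts that randomize the TSval origin (Linux >= 4.10 adds a per-destination
    offset) defeat this estimate."""
    hz = (ts2 - ts1) / (t2 - t1)
    return ts2 / hz


def ipv4(proto, ttl, payload, src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x01"):
    """Constructed minimal IPv4 header (no options, zero checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, ttl, proto, 0, src, dst)
    return hdr + payload


def tcp(flags, tsval=None):
    """Constructed TCP header from port 80, optionally with a timestamp option."""
    opts = b""
    if tsval is not None:
        opts = b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, 0)  # NOP NOP TS
    data_off = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, data_off << 4,
                      flags, 65535, 0, 0)
    return hdr + opts


def icmp(icmp_type, code):
    """Constructed ICMP header (zero checksum) + 28 bytes of quoted datagram."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + b"\x00" * 28


if __name__ == "__main__":
    samples = {
        "SYN/ACK": ipv4(IPPROTO_TCP, 64, tcp(TH_SYN | TH_ACK, tsval=123456)),
        "RST/ACK": ipv4(IPPROTO_TCP, 64, tcp(TH_RST | TH_ACK)),
        "ICMP 3/13": ipv4(IPPROTO_ICMP, 254, icmp(3, 13)),
        "no reply": None,
    }
    for name, pkt in samples.items():
        print("%-10s -> %s" % (name, classify(pkt)))
    # two TSval samples one second apart differing by 100 ticks: a 100 Hz clock
    print("uptime ~ %.1f s" % uptime_seconds(123456, 0.0, 123556, 1.0))
```

Against a real target the reply bytes would come from a raw socket or a pcap; everything from parse_ipv4() onward is unchanged. Note that uptime_seconds() must be fed samples from the same host taken far enough apart for the tick difference to dominate timing jitter, and that the result is meaningless against hosts that randomize the timestamp origin.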
+ | |||