network_security_assesment

network_security_assesment [2009/06/07 22:04]
k2patel
network_security_assesment [2020/08/10 02:35] (current)
Classless_Inter-Domain_Routing.
</code>

==== TCP Port Scanning ====

of the sing utility) to ensure that ICMP messages are processed and responded to by the remote host, fragtest can perform three particularly useful tests:
  * Send an ICMP echo request message in 8-byte fragments (using the frag option)
  * Send an ICMP echo request message in 8-byte fragments, along with a 16-byte overlapping fragment, favoring newer data in reassembly (using the frag-new option)
  * Send an ICMP echo request message in 8-byte fragments, along with a 16-byte overlapping fragment, favoring older data in reassembly (using the frag-old option)
A host answers the frag-new or frag-old probe only if its reassembly policy keeps the bytes that carry the real echo request, so the pair of tests reveals which overlap policy the target's IP stack uses. That matters because an inline IDS or firewall that reassembles the other way sees a different datagram than the host does.

Here is an example that uses fragtest to assess responses to fragmented ICMP echo request messages with the frag, frag-new, and frag-old options:
<code bash>
$ fragtest frag frag-new frag-old www.bbc.co.uk
frag: 467.695 ms
frag-new: 516.327 ms
frag-old: 471.260 ms
</code>

== Fragroute ==

The fragroute utility intercepts, modifies, and rewrites egress traffic destined for a specific host, according to a predefined rule set. When built and installed, version 1.2 comprises the following binary and configuration files:
<code bash>
/usr/local/sbin/fragtest
/usr/local/sbin/fragroute
/usr/local/etc/fragroute.conf
</code>
The fragroute.conf file defines the way fragroute fragments, delays, drops, duplicates, segments, interleaves, and generally mangles outbound IP traffic. Using the default configuration file, fragroute can be run from the command line in the following manner:
<code bash>
$ cat /usr/local/etc/fragroute.conf
tcp_seg 1 new
ip_frag 24
ip_chaff dup
order random
print
$ fragroute
Usage: fragroute [-f file] dst
$ fragroute 192.168.102.251
fragroute: tcp_seg -> ip_frag -> ip_chaff -> order -> print
</code>
Egress traffic processed by fragroute is displayed in tcpdump format if the print option is used in the configuration file. When running fragroute in its default configuration, TCP data is broken down into 1-byte segments and IP data into 24-byte fragments, along with IP chaffing (interleaving duplicate packets that carry different payloads) and random reordering of the outbound packets.

The fragroute man page covers all the variables that can be set within fragroute.conf. The type of IP fragmentation and reordering used by fragtest when using the frag-new option can be applied to all outbound IP traffic destined for a specific host by defining the following variables in the fragroute.conf file:
<code text>
ip_frag 8 old
order random
print
</code>
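The three fragtest probes above and fragroute's `ip_frag 8 old|new` both rely on the same ambiguity: when two fragments cover the same byte range, a receiver either keeps the first data it saw or lets the later fragment overwrite it. The following is an added example (not code from fragtest, fragroute, or the page): a minimal model of a reassembly queue under both policies, plus builders for the frag, frag-new and frag-old probe shapes. The 56-byte payload, the junk byte value and the 8-to-24 overlap window are constructed assumptions.

```python
"""Fragment reassembly policy: why fragtest's frag-new / frag-old probes (and
fragroute's `ip_frag 8 old|new`) get different answers from different stacks.

Added example, not code from fragtest, fragroute or the page. Models an IP
reassembly queue that either keeps the first data seen for an offset ("old")
or lets later fragments overwrite it ("new").
"""
from __future__ import annotations
from dataclasses import dataclass

FRAG = 8            # fragment offsets are in 8-byte units, so 8 bytes is the minimum piece
OVERLAP = (8, 24)   # assumption: the 16-byte overlapping fragment covers pieces 2 and 3
JUNK = 0x41         # assumption: filler byte used where the probe carries garbage


@dataclass(frozen=True)
class Fragment:
    offset: int     # byte offset of this piece within the original datagram
    data: bytes


def fragment(payload: bytes, size: int = FRAG) -> list[Fragment]:
    """Cut a datagram into size-byte pieces, like `ip_frag <size>` or `nmap -f`."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    return [Fragment(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def fragtest_probe(payload: bytes, mode: str) -> list[Fragment]:
    """Fragments, in arrival order, for the frag, frag-new and frag-old tests."""
    frags = fragment(payload)
    lo, hi = OVERLAP
    if mode == "frag":
        return frags
    if mode == "frag-new":
        # junk goes out first in the 8-byte pieces and the real bytes follow in one
        # overlapping fragment: only a receiver that favours newer data replies
        early = [Fragment(f.offset, bytes([JUNK]) * len(f.data)) if lo <= f.offset < hi else f
                 for f in frags]
        return early + [Fragment(lo, payload[lo:hi])]
    if mode == "frag-old":
        # real bytes first, junk overlapping fragment last: only a receiver that
        # favours older data replies
        return frags + [Fragment(lo, bytes([JUNK]) * (hi - lo))]
    raise ValueError(f"unknown mode {mode!r}")


def reassemble(frags: list[Fragment], favor: str) -> bytes:
    """Reassembly queue favouring 'old' (first writer wins) or 'new' (last writer
    wins) data on overlap. A hole raises, as a real stack would time the datagram out."""
    if favor not in ("old", "new"):
        raise ValueError("favor must be 'old' or 'new'")
    buf: dict[int, int] = {}
    for f in frags:                       # arrival order matters for both policies
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if favor == "new" or pos not in buf:
                buf[pos] = b
    total = max(f.offset + len(f.data) for f in frags)
    if len(buf) != total:
        raise ValueError("hole in reassembly queue")
    return bytes(buf[i] for i in range(total))


def echo_answered(payload: bytes, mode: str, favor: str) -> bool:
    """The target replies only if what it reassembled equals the request it was
    sent (the ICMP checksum covers the whole body); this is what the prober sees."""
    return reassemble(fragtest_probe(payload, mode), favor) == payload


def policy_matrix(payload: bytes) -> dict[tuple[str, str], bool]:
    """Which probes get an answer from a stack with each overlap policy."""
    return {(mode, favor): echo_answered(payload, mode, favor)
            for mode in ("frag", "frag-new", "frag-old") for favor in ("old", "new")}


if __name__ == "__main__":
    demo_payload = bytes(range(56))       # constructed echo body
    for (mode, favor), answered in policy_matrix(demo_payload).items():
        print(f"{mode:9s} vs favour-{favor}: {'reply' if answered else 'no reply'}")
```

Because both policies depend on arrival order, fragroute's `order random` directive can flip which fragment "wins" at the receiver; the model takes fragments in the order given, so reordering a probe list before calling `reassemble` shows that effect directly.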
TCP data can be segmented into 4-byte, forward-overlapping chunks (favoring newer data), interleaved with random chaff segments bearing older timestamp options (for PAWS elimination), and reordered randomly using these fragroute.conf variables:
<code text>
tcp_seg 4 new
tcp_chaff paws
order random
print
</code>
I recommend testing the variables used by fragroute in a controlled environment before live networks and systems are tested. This ensures that you see decent results when passing probes through fragroute and allows you to check for adverse reactions to fragmented traffic being processed. Applications and hardware appliances alike have been known to crash and hang from processing heavily fragmented and mangled data!

[[ http://monkey.org/~dugsong/fragroute | Nice tools from Dugsongs]]

Using Nmap to perform a fragmented SYN scan (-f splits each probe into 8-byte IP fragments after the IP header; -ff uses 16 bytes):
<code bash>
$ nmap -sS -f 192.168.102.251
</code>

Using Nmap to specify decoy addresses (ME marks where the real source sits in the decoy order; -P0 is the older spelling of -Pn, which skips host discovery):
<code bash>
$ nmap -sS -P0 -D 62.232.12.8,ME,65.213.217.241 192.168.102.251
</code>

== Assessing source routing vulnerabilities ==
Tools that can assess and exploit source routing vulnerabilities found in remote networks:
  * LSRScan [[ http://www.synacklabs.net/projects/lsrscan | lsrscan ]]
  * LSRTunnel [[ http://www.synacklabs.net/projects/lsrtunnel | lsrtunnel ]]
LSRScan. The LSRScan tool crafts probe packets with specific source routing options to determine exactly how remote hosts deal with source-routed packets. The tool checks for the following two behaviors:
  * Whether the target host reverses the source route when sending packets back
  * Whether the target host can forward source-routed packets to an internal host, by setting the offset pointer to be greater than the number of hops defined in the loose hop list
The basic usage of the tool is as follows:
<code bash>
$ lsrscan
usage: lsrscan [-p dstport] [-s srcport] [-S ip]
[-t (to|through|both)] [-b host<:host ...>]
[-a host<:host ...>] <hosts>
</code>
LSRTunnel. LSRTunnel spoofs connections using source-routed packets. For the tool to work, the target host must reverse the source route (otherwise the user will not see the responses and will not be able to spoof a full TCP connection). LSRTunnel requires a spare IP address on the local subnet to use as a proxy for the remote host. Running LSRTunnel with no options shows the usage syntax:
<code bash>
$ lsrtunnel
usage: lsrtunnel -i <proxy IP> -t <target IP> -f <spoofed IP>
</code>
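The two lsrscan checks above come down to how a host handles the loose source route (LSRR) option in the IP header. The following is an added example (not code from lsrscan, lsrtunnel, or the page): it encodes an LSRR option as RFC 791 lays it out, walks it the way a host processes a packet addressed to itself (swap the next hop into the destination, record its own address, advance the pointer; a pointer past the end means the route is consumed), and builds the reversed route that RFC 1122 says a reply must carry. The attacker, gateway and internal-host addresses are made up.

```python
"""Loose source routing (LSRR) mechanics behind the two lsrscan checks.

Added example, not code from lsrscan/lsrtunnel or from the page. Encodes the
RFC 791 option, processes it as a receiving host would, and reverses it for a reply.
"""
from __future__ import annotations
import socket

IPOPT_LSRR = 131          # copied=1, class=0, number=3
# assumed addresses for the walkthrough
ATTACKER, GATEWAY, INTERNAL = "203.0.113.9", "198.51.100.1", "10.0.0.7"


def lsrr_option(hops: list[str], pointer: int = 4) -> bytes:
    """Encode an LSRR option. `pointer` is the 1-based offset, from the start of
    the option, of the next hop to use (4 = first address); a pointer greater
    than the length means the route has already been consumed."""
    length = 3 + 4 * len(hops)
    return bytes([IPOPT_LSRR, length, pointer]) + b"".join(socket.inet_aton(h) for h in hops)


def decode(option: bytes) -> tuple[int, list[str]]:
    typ, length, pointer = option[0], option[1], option[2]
    if typ != IPOPT_LSRR or length != len(option) or (length - 3) % 4 or pointer < 4:
        raise ValueError("malformed LSRR option")
    hops = [socket.inet_ntoa(option[i:i + 4]) for i in range(3, length, 4)]
    return pointer, hops


def process_at_host(option: bytes, my_addr: str, dst: str) -> tuple[str, bytes]:
    """RFC 791 handling at a host that honours LSRR. Returns (new destination,
    updated option). Only the addressed host looks at the option; if the pointer
    is past the end the datagram is for us, otherwise the next listed hop becomes
    the destination and our address is recorded in its slot."""
    pointer, hops = decode(option)
    if dst != my_addr:
        return dst, option                      # not ours: ordinary forwarding
    if pointer > option[1]:
        return dst, option                      # route exhausted: deliver locally
    idx = (pointer - 4) // 4
    next_hop = hops[idx]
    hops[idx] = my_addr                         # recorded route
    return next_hop, lsrr_option(hops, pointer + 4)


def reply_route(received_option: bytes, original_src: str) -> tuple[str, bytes]:
    """A host that 'reverses the source route' (RFC 1122) sends its reply back
    through the recorded hops in reverse order, ending at the original source."""
    _, recorded = decode(received_option)
    path = list(reversed(recorded)) + [original_src]
    return path[0], lsrr_option(path[1:])


def forwarded_to_internal() -> str:
    """Check 2: a probe addressed to the gateway whose loose route names an
    internal host. Returns where an LSRR-honouring gateway sends it next."""
    new_dst, _ = process_at_host(lsrr_option([INTERNAL]), GATEWAY, GATEWAY)
    return new_dst


def reply_from_internal() -> tuple[str, list[str]]:
    """Check 1: what the internal host sends back if it reverses the recorded
    route. Returns (first hop of the reply, remaining hops in its option)."""
    _, opt = process_at_host(lsrr_option([INTERNAL]), GATEWAY, GATEWAY)   # now records GATEWAY
    dst, reply_opt = reply_route(opt, ATTACKER)
    return dst, decode(reply_opt)[1]


if __name__ == "__main__":
    print("gateway forwards the probe to:", forwarded_to_internal())
    print("internal host replies via:", reply_from_internal())
    exhausted = lsrr_option([INTERNAL], pointer=8)     # pointer already past the list
    print("route already consumed ->", process_at_host(exhausted, GATEWAY, GATEWAY)[0])
```

A host that does not reverse the route simply answers to the packet's source address, which is why LSRTunnel (which needs the replies to come back through the attacker-controlled path) only works against targets that pass check 1.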

== Using Specific Source Ports to Bypass Filtering ==
A filter that admits packets on the strength of their source port alone (for example, anything from port 53 so DNS replies can get back in, or from port 20 for FTP data) will pass a probe sent from that source port that it would drop from an ephemeral port; nmap's -g / --source-port option exists for exactly this test. For information regarding circumvention of Firewall-1 in certain configurations, consult the excellent presentation from Black Hat Briefings 2000 by Thomas Lopatic et al. titled "A Stateful Inspection of Firewall-1", available as a Real Media video stream and PowerPoint presentation from [[ http://www.blackhat.com/html/bh-usa-00/bh-usa-00-speakers.html | Link]]
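To see why the source-port trick works against one filter design and not another, here is an added example (not code from the page or from any firewall product): a toy packet filter whose inbound rule set carries the classic "allow anything from source port 53" rule, evaluated first statelessly and then with connection tracking, against the same SYN probe. The addresses, ports and rules are constructed for the demonstration; `nmap_g53_probe` only models what `nmap -sS -g 53` puts on the wire.

```python
"""Source-port filter bypass: one SYN probe against a stateless rule set and a
stateful one.

Added example, not from the page or from any firewall product. Rules, addresses
and ports are constructed for the demo.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True        # bare SYN: a new connection attempt
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" | "deny"
    sport: int | None = None     # None matches any port
    dport: int | None = None

    def matches(self, p: Pkt) -> bool:
        return self.sport in (None, p.sport) and self.dport in (None, p.dport)


# Constructed inbound rule set of a stateless filter in front of 192.168.102.251.
STATELESS_RULES = [
    Rule("allow", sport=53),     # "let DNS replies back in": the rule the bypass abuses
    Rule("allow", dport=80),     # public web server
    Rule("deny"),                # default deny
]


def stateless_decision(rules: list[Rule], p: Pkt) -> str:
    """First matching rule wins; a stateless filter sees each packet in isolation."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Replies are admitted because a matching outbound flow exists, so no
    source-port allow rule is needed and inbound SYNs face only the dport rules."""

    def __init__(self, inbound_rules: list[Rule]):
        self.rules = inbound_rules
        self.flows: set[tuple[str, int, str, int]] = set()

    def outbound(self, p: Pkt) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Pkt) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"                       # reply to a flow we opened
        if not p.syn or p.ack:
            return "deny"                        # not a new connection and no flow: drop
        return stateless_decision(self.rules, p)


def nmap_g53_probe(target: str, dport: int) -> Pkt:
    """Models `nmap -sS -g 53 <target>` (also spelled --source-port 53)."""
    return Pkt("203.0.113.9", 53, target, dport)


def demo() -> dict[str, str]:
    target = "192.168.102.251"
    ssh_from_53 = nmap_g53_probe(target, 22)
    ssh_from_ephemeral = Pkt("203.0.113.9", 40123, target, 22)
    stateful = StatefulFilter([Rule("allow", dport=80), Rule("deny")])
    # a genuine DNS exchange, to show the stateful filter still lets the reply in
    stateful.outbound(Pkt(target, 33333, "192.0.2.53", 53))
    dns_reply = Pkt("192.0.2.53", 53, target, 33333, syn=False)
    return {
        "stateless: sport 53 -> 22": stateless_decision(STATELESS_RULES, ssh_from_53),
        "stateless: sport 40123 -> 22": stateless_decision(STATELESS_RULES, ssh_from_ephemeral),
        "stateful: sport 53 -> 22": stateful.inbound(ssh_from_53),
        "stateful: real DNS reply": stateful.inbound(dns_reply),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32s} {verdict}")
```

The stateless set lets the SSH probe through purely because it claims source port 53; the stateful filter has no such rule to abuse, yet the real DNS reply still passes because the outbound query created a flow entry.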

=== Low-Level IP Assessment ===
Tools such as Nmap, Hping2, and Firewalk perform low-level IP assessment.

Insight into the following areas of a network can be gleaned through low-level IP assessment:

  * Uptime of target hosts (by analyzing the TCP timestamp option)
  * TCP services that are permitted through the firewall (by analyzing responses to TCP and ICMP probes)
  * TCP sequence and IP ID incrementation (by running predictability tests)
  * The operating system of the target host (using IP fingerprinting)

The TCP timestamp option is defined in RFC 1323 (since obsoleted by RFC 7323). The uptime estimate assumes the host's timestamp clock started at zero on boot and ticks at a known rate; stacks that randomize the starting value per connection, as RFC 7323 permits, defeat it, so treat the result as a hint.
== Analyzing Responses to TCP Probes ==
A TCP probe always results in one of four responses. These responses potentially allow an analyst to identify where a connection was accepted, or why and where it was rejected, dropped, or lost:
  * TCP SYN/ACK: if a SYN/ACK packet is received, the port is considered open.
  * TCP RST/ACK: if an RST/ACK packet is received, the probe packet was rejected by either the target host (a closed port) or an upstream security device (e.g., a firewall with a reject rule in its policy).
  * ICMP type 3 code 13 (communication administratively prohibited): if this message is received, the host (or a device such as a firewall) has administratively prohibited the connection according to an Access Control List (ACL) rule. Codes 9 and 10 (network and host administratively prohibited) carry the same meaning from some devices.
  * Nothing: if no packet is received, an intermediary security device silently dropped it (or the probe or its reply was lost in transit, so retransmit before drawing the conclusion).
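The four outcomes are easy to state and fiddly to recognise in raw packets, because the ICMP error comes from a third address and quotes the probe inside its body. The following is an added example (not code from the page or from Nmap/Hping): it builds a SYN probe and the three possible replies as raw IPv4 packets with the standard library, then classifies each reply (or silence) into the outcomes above, checking that a TCP reply answers the probe's ports and that an ICMP error quotes the probe's addresses and ports. Addresses and ports are made up, and TCP checksums are left zero because the classifier never inspects them.

```python
"""Classify the reply to a TCP SYN probe into open / rejected / admin-prohibited / dropped.

Added example, not code from the page or from nmap/hping. Packets are built and
parsed with the standard library so it runs offline; addresses are constructed.
"""
import socket
import struct
from typing import Optional

TCP, ICMP = 6, 1
SYN, RST, ACK = 0x02, 0x04, 0x10
ADMIN_PROHIBITED = {9, 10, 13}    # ICMP type 3 codes meaning "blocked by policy"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(sport: int, dport: int, flags: int) -> bytes:
    # seq/ack 0, data offset 5 words, window 8192, checksum 0 (assumption: not checked here)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_unreachable(code: int, offending: bytes) -> bytes:
    """Type 3 message quoting the offending IP header plus 8 bytes of its payload."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + offending[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) honouring the IHL field."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]


def classify(probe: bytes, reply: Optional[bytes]) -> str:
    if reply is None:
        return "filtered: no response, silently dropped upstream (retry before trusting this)"
    _, p_src, p_dst, p_tcp = parse_ipv4(probe)
    p_sport, p_dport = struct.unpack("!HH", p_tcp[:4])
    proto, src, dst, body = parse_ipv4(reply)
    if proto == TCP and (src, dst) == (p_dst, p_src):
        sport, dport = struct.unpack("!HH", body[:4])
        flags = body[13]
        if (sport, dport) == (p_dport, p_sport):
            if flags & SYN and flags & ACK:
                return "open: SYN/ACK from the target"
            if flags & RST:
                return "rejected: RST/ACK from the target or a firewall reject rule"
    if proto == ICMP and body[0] == 3:
        # the quoted header tells us which probe this error is about
        _, q_src, q_dst, q_tcp = parse_ipv4(body[8:])
        if (q_src, q_dst) == (p_src, p_dst) and q_tcp[:4] == p_tcp[:4]:
            code = body[1]
            if code in ADMIN_PROHIBITED:
                return f"filtered: ICMP 3/{code} administratively prohibited by {src}"
            return f"unreachable: ICMP 3/{code} from {src}"
    return "unrelated: does not answer this probe"


# Constructed exchange: SYN to 192.168.102.251:80 from a scanner at 10.0.0.5.
PROBE = ipv4("10.0.0.5", "192.168.102.251", TCP, tcp(40001, 80, SYN))
REPLIES = {
    "syn_ack": ipv4("192.168.102.251", "10.0.0.5", TCP, tcp(80, 40001, SYN | ACK)),
    "rst_ack": ipv4("192.168.102.251", "10.0.0.5", TCP, tcp(80, 40001, RST | ACK)),
    "icmp_13": ipv4("192.168.102.1", "10.0.0.5", ICMP, icmp_unreachable(13, PROBE)),
    "silence": None,
}


def verdicts() -> dict:
    return {name: classify(PROBE, pkt) for name, pkt in REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:8s} -> {verdict}")
```

The ICMP branch is the one scanners get wrong most often: the error's source is the filtering device, not the target, so the quoted inner header is the only reliable link back to the probe.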

==== Simple tcpdump ====
Dumping traffic with a pcap filter (-s 0 captures whole packets, where older releases truncated to 68 bytes by default; -w writes raw packets to a file):
<code bash>
tcpdump -i eth2 -s 0 -w /tmp/mar_2017.pcap host 192.168.1.86
</code>

Reading the pcap output file (-q quiet, -n no name resolution, -X hex and ASCII dump of each packet):
<code bash>
tcpdump -qns 0 -X -r /tmp/mar_2017.pcap
</code>
  
network_security_assesment.1244412286.txt.gz · Last modified: 2020/08/10 02:30 (external edit)