network_security_assesment
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
network_security_assesment [2009/06/08 03:02] k2patel |
network_security_assesment [2020/08/10 02:35] (current) |
||
|---|---|---|---|
| Line 426: | Line 426: | ||
| [-t (to|through|both)] [-b host<:host ...>] | [-t (to|through|both)] [-b host<:host ...>] | ||
| [-a host<:host ...>] <hosts> | [-a host<:host ...>] <hosts> | ||
| + | </code> | ||
| + | LSRTunnel. LSRTunnel spoofs connections using source-routed packets. For the tool\\ | ||
| + | to work, the target host must reverse the source route (otherwise the user will not see\\ | ||
| + | the responses and be able to spoof a full TCP connection). LSRTunnel requires a\\ | ||
| + | spare IP address on the local subnet to use as a proxy for the remote host.\\ | ||
| + | Running LSRTunnel with no options shows the usage syntax: | ||
| + | <code bash> | ||
| + | $ lsrtunnel | ||
| + | usage: lsrtunnel -i <proxy IP> -t <target IP> -f <spoofed IP> | ||
| + | </code> | ||
| + | |||
| + | == Using Specific Source Ports to Bypass Filtering == | ||
| + | information regarding circumvention of Firewall-1 in certain\\ | ||
| + | configurations, consult the excellent presentation from Black Hat Briefings 2000 by\\ | ||
| + | Thomas Lopatic et al. titled “A Stateful Inspection of Firewall-1” available as a Real\\ | ||
| + | Media video stream and PowerPoint presentation from [[ http://www.blackhat.com/html/bh-usa-00/bh-usa-00-speakers.html | Link]] | ||
| + | |||
| + | === Low-Level IP Assessment === | ||
| + | Tools such as Nmap, Hping2, and Firewalk perform low-level IP assessment. | ||
| + | |||
| + | Insight into the following areas of a network can be gleaned through low-level IP assessment: | ||
| + | |||
| + | * Uptime of target hosts (by analyzing the TCP timestamp option) | ||
| + | * TCP services that are permitted through the firewall (by analyzing responses to TCP and ICMP probes) | ||
| + | * TCP sequence and IP ID incrementation (by running predictability tests) | ||
| + | * The operating system of the target host (using IP fingerprinting) | ||
| + | |||
| + | The TCP timestamp option is defined in RFC 1323. | ||
| + | == Analyzing Responses to TCP Probes == | ||
| + | A TCP probe always results in one of four responses. These responses potentially\\ | ||
| + | allow an analyst to identify where a connection was accepted, or why and where it\\ | ||
| + | was rejected, dropped, or lost: | ||
| + | * TCP SYN/ACK | ||
| + | If a SYN/ACK packet is received, the port is considered open. | ||
| + | * TCP RST/ACK | ||
| + | If an RST/ACK packet is received, the probe packet was rejected by either the\\ | ||
| + | target host or an upstream security device (e.g., a firewall with a reject rule in its policy). | ||
| + | * ICMP type 3 code 13 | ||
| + | If an ICMP type 3 code 13 message is received, the host (or a device such as a\\ | ||
| + | firewall) has administratively prohibited the connection according to an Access Control List (ACL) rule. | ||
| + | * Nothing | ||
| + | If no packet is received, an intermediary security device silently dropped it. | ||
| + | |||
| + | ==== Simple tcpdump ==== | ||
| + | dumping traffic with pcap_filter | ||
| + | <code bash> | ||
| + | tcpdump -i eth2 -s 0 -w /tmp/mar_2017.pcap host 192.168.1.86 | ||
| + | </code> | ||
| + | |||
| + | Reading pcap output file | ||
| + | <code bash> | ||
| + | tcpdump -qns 0 -X -r /tmp/mar_2017.pcap | ||
| </code> | </code> | ||
| - | [[91]] | ||
network_security_assesment.1244430179.txt.gz · Last modified: 2020/08/10 02:30 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
