TCP IP - PowerPoint PPT Presentation

1 / 31

About This Presentation

Title:

TCP IP

Description:

These scans can also tell what Operating Systems and versions ... Can scan entire subnets. Can scan stealthily. Scans hosts for ... Scans. The slow scan ... – PowerPoint PPT presentation

Number of Views:633

Avg rating:3.0/5.0

Slides: 32

Provided by: DENN238

Category:

Tags: tcp | scan

more less

Transcript and Presenter's Notes

Title: TCP IP

1
TCP IP

Fact
Fiction
Fundamentals

Dennis Pollutro CTO
2
TCP / IP History

What is TCP IP ?
Where did it come from ?
Why do we use it ?
What are the issues ?

3
What it is

Protocols adopted in 1969 as part of ARPA net
Transmission Control
Internet
Two different Layers of OSI model

4
Time Line

1969 ARPANET
1980 NSF DDS
1984 Split Unclassified Classified
1995 NSF tide shift to public
Sprint, UUNET, MCI, PSINet, Ect.

5
What it Does

Helps Network Cohesion
Easy to communicate
Helps Network Expansion
Easy to deploy distributed networks
Helps Network Insecurity
Easy to Hack

6
The IP Packet
7
TCP Header Anatomy
8
Example

3 way Handshake
C-gt S SYN ( ISN C )
S-gt C SYN ( ISN S ), ACK ( ISN C )
C-gt S ACK ( ISN S )
C-gt S data

9
QA

Next section Architecture
The Good the Bad the Ugly

10
TCP IP

The Good the Bad the Ugly

11
The good

Helps Network Cohesion
Easy to communicate
Helps Network Expansion
Easy to deploy distributed networks
Helps Network Insecurity
Easy to Hack

12
TCP the Bad

SYN/ACK stealth scan
Packet flagged as if it is the SYN/ACK reply to
a SYN connect request
No TCP connection is being verified
RST (reset) packet is sent back to source
FIN stealth scan
Packet have the FIN flag set
No TCP connection is in place to close
RST (reset) packet is sent back to source
These are considered stealthy because no
connection information is logged at target.

13
The Ugly

ISN Prediction
ISN is not really random
ISN is incremented by a constant amount once per
second, and by half that amount each time a
connection is made
Latency

14
The Ugly Continued

Passive attacks
Sniffing
Active attacks
Spoofing
Blind attacks
Session Hijacking

15
First clues of a Upcoming Attack

The first clue is often scans of your network
These scans are to map out what IP addresses are
in use
These scans can also tell what Operating Systems
and versions you are running

16
Easily found tools to scan with

PING
NMAP ( http//www.insecure.org/nmap/ )
Can scan entire subnets
Can scan stealthily
Scans hosts for ports in use
Can identify many Operating Systems
Installed as part of many Linux distributions

17
More advanced tools to scan with

SAINT ( http//www.wwdsi.com/saint/ )
Runs in a web browser
Whole subnets can be scanned
Will test all know vulnerabilities for each OS
Will even attempt some password guessing
NESSUS ( http//www.nessus.org/ )
Runs as an X-Windows program
Tests for security holes
Detailed output

18
Why pay attention to network scans?

Scans are often the scouting mission of a
possible attacker.
Scanning tools like Nmap allow the mapping out an
entire network including
IP addresses in use
Times the IP addresses are in use
Operating Systems being used
Accessible services with known vulnerabilities

19
Common Scan Tactics

Ping broadcast to a subnet
Subnet sweep looking for specific ports
Port 7 - echo
Port 21 - ftp
Port 23 - telnet
Port 25 - email
Port 80 - web
Ports 137 - NetBIOS
Port 443 - secure web

20
Harder to Detect Scans

The slow scan
Scanning each possible IP address one with a one
second or more delay between queries
Leap frog
Scanning multiple subnets at once changing subnet
queried after each IP scanned

21
QA