Analyzing an Attack (Part 1)

Don Parker

This series will be based on a network vulnerability. The articles walk through a real attack, starting from reconnaissance and enumeration, continuing through the exploitation of network services, and ending with post-exploitation strategies.

All of these steps will be viewed at the packet level and then explained in detail. Being able to view and understand an attack at the packet level is extremely important for both sysadmins and network security personnel. In the end, the output of firewalls, Intrusion Detection Systems (IDS) and other security devices always comes down to looking at the actual network traffic. If you don't understand what you are seeing at the packet level, all of your network security technology is useless.

The tools used for simulating a cyber attack are:

Setup Step

There is a great deal of scanning activity on the Internet today, not to mention the activity of worms and other forms of malware such as viruses. All of this is harmless noise to a well-protected computer network. What we should be concerned about is someone who is deliberately targeting a computer network. This article assumes that the attacker has already chosen his victim and has done some research beforehand, such as finding out the victim's IP address and network ranges. The attacker may also have harvested information such as email addresses associated with that network. This type of information becomes very important if the attacker finds no way into the network after scanning, enumerating and probing it. The email addresses he has collected will then be useful for setting up a client-side attack, by luring a user to a malicious website through a link in an email. These types of attacks will be covered in later articles.

How it works

Let's observe the actions of the hacker as he scans and enumerates the victim network. The first tool the hacker uses is Nmap. Although several IDS signatures have been written for Nmap, it is still an extremely useful and widely used tool.

[Screenshot: the Nmap command syntax used by the hacker]

We can see from the syntax used by the hacker in the screenshot above that he has chosen ports 21 and 80, because he has some exploits for them that can be used through the Metasploit Framework, and because these are two services and protocols he understands quite well. It is also clear that he is using a SYN scan, the most commonly used type of port scan. Its popularity comes from the fact that when a TCP service listening on a port receives a SYN packet, it sends back a SYN/ACK packet; the SYN/ACK indicates that a service is indeed listening and waiting for a connection. The same is not true of UDP, which is used by services like DNS (DNS also uses TCP, but the majority of its transactions run over UDP).
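To see the open/closed distinction just described from the defender's side of the wire, here is an added example (not code from the original article) that reads tcpdump-style TCP lines, pairs each outbound SYN with the target's SYN/ACK or RST/ACK, and flags a source that probes several ports on one host without ever completing a handshake, which is the signature of a half-open SYN scan. The sample lines, addresses, port numbers and sequence numbers are constructed for this example.

```python
"""Interpret a SYN scan from tcpdump-style TCP lines.
Added example, not code from the original article; the packet lines below
are constructed to mimic tcpdump output for a scan of ports 21, 80, 23, 443."""
import re
from collections import defaultdict

# Constructed sample capture: the scanner (.17) sends SYNs to four ports on the
# target (.23).  21 and 80 answer SYN/ACK ([S.]), 23 answers RST/ACK ([R.]),
# 443 never answers.  The scanner tears down open ports with a bare RST ([R])
# instead of completing the handshake with an ACK.
SAMPLE_LINES = """\
10:53:01.000100 IP 192.168.111.17.40123 > 192.168.111.23.21: Flags [S], seq 1000, win 1024, length 0
10:53:01.000250 IP 192.168.111.23.21 > 192.168.111.17.40123: Flags [S.], seq 5000, ack 1001, win 64240, length 0
10:53:01.000300 IP 192.168.111.17.40123 > 192.168.111.23.21: Flags [R], seq 1001, win 0, length 0
10:53:01.000400 IP 192.168.111.17.40123 > 192.168.111.23.80: Flags [S], seq 1000, win 1024, length 0
10:53:01.000550 IP 192.168.111.23.80 > 192.168.111.17.40123: Flags [S.], seq 6000, ack 1001, win 64240, length 0
10:53:01.000600 IP 192.168.111.17.40123 > 192.168.111.23.80: Flags [R], seq 1001, win 0, length 0
10:53:01.000700 IP 192.168.111.17.40123 > 192.168.111.23.23: Flags [S], seq 1000, win 1024, length 0
10:53:01.000850 IP 192.168.111.23.23 > 192.168.111.17.40123: Flags [R.], seq 0, ack 1001, win 0, length 0
10:53:01.000900 IP 192.168.111.17.40123 > 192.168.111.23.443: Flags [S], seq 1000, win 1024, length 0
"""

# Matches the "ts IP a.b.c.d.port > e.f.g.h.port: Flags [..]" prefix of a tcpdump line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcp_lines(text):
    """Turn tcpdump TCP lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            packets.append(d)
    return packets


def interpret_syn_scan(packets):
    """Pair each SYN with the target's answer:
    [S.] (SYN/ACK) = open, [R.] (RST/ACK) = closed, no answer = no response."""
    probes = {}  # (scanner, target, port) -> state
    for p in packets:
        if p["flags"] == "S":
            probes[(p["src"], p["dst"], p["dport"])] = "no response"
        elif p["flags"] in ("S.", "R."):
            key = (p["dst"], p["src"], p["sport"])  # answer flows back to the scanner
            if key in probes:
                probes[key] = "open" if p["flags"] == "S." else "closed"
    return probes


def port_states(probes, scanner, target):
    """Collapse the probe table to {port: state} for one scanner/target pair."""
    return {port: state for (s, t, port), state in probes.items()
            if s == scanner and t == target}


def flag_syn_scanners(packets, min_ports=3):
    """Detection heuristic: a source that sends SYNs to at least `min_ports`
    distinct ports on one host and never sends the bare ACK ([.]) that would
    complete a handshake is behaving like a half-open scanner."""
    syn_ports = defaultdict(set)
    completed = set()
    for p in packets:
        if p["flags"] == "S":
            syn_ports[(p["src"], p["dst"])].add(p["dport"])
        elif p["flags"] == ".":
            completed.add((p["src"], p["dst"]))
    return sorted(pair for pair, ports in syn_ports.items()
                  if len(ports) >= min_ports and pair not in completed)


if __name__ == "__main__":
    pkts = parse_tcp_lines(SAMPLE_LINES)
    print(port_states(interpret_syn_scan(pkts), "192.168.111.17", "192.168.111.23"))
    print("suspected SYN scanners:", flag_syn_scanners(pkts))
```

Note that "no response" on 443 cannot be distinguished from a filtered port with this data alone, and the bare-ACK test is only a heuristic: a scanner that also opens full connections to some ports would evade it, which is why the per-port SYN/RST pairing is kept separate from the detection rule.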

The output listed below is what Nmap gathers from the packets it sends, or more accurately from the packets it receives in response to the SYN scan it performs. We can see that there appear to be FTP and HTTP services available. We don't really care about the MAC address, so we'll ignore it. Tools like Nmap are not infallible, so it is always good to verify your information at the packet level to ensure accuracy. Not only that, it also lets you look at the packets coming back from the victim network and glean architectural, service and host information from them.

Looking at the packets

There are a number of programs available today that will dig into the packets and find out information such as the operating system type, the architecture (x86 or SPARC, for example) and more. That is all well and good, but it is important to understand what you are looking at rather than simply letting a program do the work for you. With that in mind, let's take a look at the Nmap packet trace and find out some information about the victim network.

10:52:59.062500 IP (tos 0x0, ttl 43, id 8853, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.17 > 192.168.111.23: ICMP echo request seq 38214, length 8
0x0000: 4500 001c 2295 0000 2b01 0dd3 c0a8 6f11 E..."...+.....o.
0x0010: c0a8 6f17 0800 315a 315f 9546 ..o...1Z1_.F
10:52:59.078125 IP (tos 0x0, ttl 128, id 396, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.23 > 192.168.111.17: ICMP echo reply seq 38214, length 8
0x0000: 4500 001c 018c 0000 8001 d9db c0a8 6f17 E.............o.
0x0010: c0a8 6f11 0000 395a 315f 9546 0000 0000 ..o...9Z1_.F....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............

Shown in the two packets above is Nmap's opening sequence. It sends an ICMP echo request to the victim network. You will notice that it carries no port number, because ICMP does not use ports; it is handled directly by the ICMP implementation built into the TCP/IP protocol stack. This ICMP packet is also labeled with a sequence number, in this case 38214, so that the TCP/IP stack can examine the returning traffic and associate it with the ICMP packet sent earlier. The second packet is the reply from the victim network, in the form of an ICMP echo reply, carrying the same sequence number, 38214. This is how the hacker knows that there is a computer or network behind that IP address.

This opening sequence of ICMP packets is one of the reasons Nmap has IDS signatures written for it; the ICMP host discovery step can be disabled in Nmap if desired. What kind of information can be gleaned from the victim network's ICMP echo reply? Not much that helps us understand the network, but there is a preliminary clue about the operating system. The time to live (ttl) field and its value are highlighted in the packet above. The value of 128 suggests that this computer is probably a Windows machine. While the ttl value alone does not tell us exactly which operating system is in use, it gives us a starting point for the next packet we will look at.
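To do by hand what the two paragraphs above describe, here is an added example (not code from the original article) that decodes the hex dump of the two ICMP packets shown above byte by byte: it pulls out the IP id, TTL and protocol, the ICMP type, identifier and sequence number, verifies both checksums, confirms that the reply answers the request on identifier and sequence number, and applies the TTL rule of thumb. The hex bytes are the ones printed in the trace above; the table of default initial TTLs is an assumption of this example (the article only states that 128 points to Windows).

```python
"""Decode the two ICMP packets from the tcpdump hex dump above at the byte
level.  Added example, not code from the original article; the hex strings
are copied from the trace, the DEFAULT_TTLS table is this example's assumption."""
import struct

# Hex bytes of the echo request and echo reply exactly as tcpdump printed them.
ECHO_REQUEST_HEX = (
    "4500 001c 2295 0000 2b01 0dd3 c0a8 6f11 "
    "c0a8 6f17 0800 315a 315f 9546"
)
ECHO_REPLY_HEX = (
    "4500 001c 018c 0000 8001 d9db c0a8 6f17 "
    "c0a8 6f11 0000 395a 315f 9546 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000"
)

# Default initial TTLs of common OS families (assumption of this example).
DEFAULT_TTLS = {64: "Linux/BSD/macOS", 128: "Windows", 255: "Solaris/Cisco IOS"}


def internet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_icmp(hex_dump):
    """Return the IP and ICMP echo fields of one dumped packet as a dict."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _ip_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 1:
        raise ValueError("not an ICMP packet (proto=%d)" % proto)
    # total_len bounds the datagram.  The trailing zeros in the reply are
    # Ethernet frame padding, not ICMP data, so they must not enter the checksum.
    icmp = raw[ihl:total_len]
    icmp_type, icmp_code, _icmp_sum, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ip_id": ip_id,
        "ttl": ttl,
        "icmp_type": icmp_type,      # 8 = echo request, 0 = echo reply
        "icmp_code": icmp_code,
        "icmp_id": icmp_id,
        "icmp_seq": icmp_seq,
        "ip_checksum_ok": internet_checksum(raw[:ihl]) == 0,
        "icmp_checksum_ok": internet_checksum(icmp) == 0,
    }


def is_reply_to(request, reply):
    """True when `reply` answers `request`: the stack matches on identifier and
    sequence number, and source/destination are swapped."""
    return (request["icmp_type"] == 8 and reply["icmp_type"] == 0
            and request["icmp_id"] == reply["icmp_id"]
            and request["icmp_seq"] == reply["icmp_seq"]
            and request["src"] == reply["dst"]
            and request["dst"] == reply["src"])


def guess_os_from_ttl(ttl):
    """Rule of thumb: every hop decrements the TTL, so the nearest default
    initial TTL at or above the observed value is the likely starting point."""
    candidates = [t for t in DEFAULT_TTLS if t >= ttl]
    return DEFAULT_TTLS[min(candidates)] if candidates else "unknown"


if __name__ == "__main__":
    req = parse_ip_icmp(ECHO_REQUEST_HEX)
    rep = parse_ip_icmp(ECHO_REPLY_HEX)
    for name, pkt in (("request", req), ("reply", rep)):
        print(name, pkt["src"], "->", pkt["dst"], "ttl", pkt["ttl"],
              "id", pkt["icmp_id"], "seq", pkt["icmp_seq"],
              "checksums ok:", pkt["ip_checksum_ok"], pkt["icmp_checksum_ok"])
    print("reply matches request:", is_reply_to(req, rep))
    print("victim ttl", rep["ttl"], "->", guess_os_from_ttl(rep["ttl"]))
```

Running it reproduces the values in tcpdump's summary lines (ttl 43 and 128, IP ids 8853 and 396, sequence 38214) and shows both checksums valid. The TTL guess is only a hint: hosts can change their default TTL, and the value seen is the default minus the number of hops, so it is a starting point for correlation with later packets rather than a conclusion.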

Conclusion

In this first part, we looked at a scan of a network for two specific ports using Nmap, as part of an attack. At this point the attacker knows for sure that there is a computer or a network of computers at that IP address. In part 2 of this series we will continue working through this packet trace and find out what other pieces of information we can glean.
