Analyzing an Attack (Part 1)

Don Parker

This series will be based on a network vulnerability. What will be shown in the articles is a realistic attack, starting from reconnaissance and enumeration, through exploitation of a network service, and ending with post-exploitation strategies.

All of these steps will be viewed at the packet level and then explained in detail. Being able to view and understand an attack at the packet level is extremely important for both sys admins and network security personnel. The output of firewalls, Intrusion Detection Systems (IDS) and other security devices should always be checked against the actual network traffic. If you don't understand what you are seeing at the packet level, all of your network security technology is useless.

The tools used for simulating a cyber attack are:

Setup Step

There is a great deal of scanning activity on the Internet today, not to mention the activity of worms and other forms of malware such as viruses. All of this is harmless noise to a well-protected computer network. What we should be concerned about is someone who is deliberately targeting a computer network. This article assumes that the attacker has already picked his victim and has done some research beforehand, such as finding out the IP address and network ranges of the victim. The attacker may also have harvested information such as email addresses associated with that network. This type of information becomes very important if the attacker finds no way into the network after scanning, enumerating and attempting to exploit it. The email addresses he has collected will be useful in setting up a client-side attack, by enticing a user to visit a malicious website through a link in an email. These types of attacks will be covered in later articles.

How it works

Let us observe the actions of the hacker as he scans and enumerates the victim network. The first tool the hacker reaches for is Nmap. Although IDS signatures exist for Nmap's scans, it remains a very useful and widely used tool.

[Screenshot: the hacker's Nmap SYN scan syntax against the victim, targeting ports 21 and 80]

From the syntax used by the hacker in the screenshot above, we can see that he has chosen ports 21 and 80 because he has exploits for them that can be run through the Metasploit Framework, and because these are two services and protocols that he understands quite well. He is clearly using a SYN scan, which is the most commonly used type of port scan. The reason is that when a TCP service listening on a port receives a SYN packet, it sends back a SYN/ACK packet; the SYN/ACK indicates that a service is indeed listening and waiting for a connection. The same is not true of UDP, on which services like DNS rely (DNS also uses TCP, but it uses UDP for the majority of its transactions).
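To make the SYN/SYN-ACK reasoning concrete from the defender's side, the following Python is an added example, not code from the article or from Nmap. It parses constructed tcpdump-style summary lines (they are not from the article's trace) and classifies each probed port from the target's answer the way Nmap does: SYN/ACK means open, RST means closed, silence means filtered or no response. It then flags a source that sends bare SYNs to several ports on one host, which is the pattern an IDS signature for a SYN scan keys on. The addresses mirror the article's 192.168.111.17 and 192.168.111.23; the threshold of three ports is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style TCP summary lines (not from the article's trace).
# They model a SYN scan from 192.168.111.17 of ports 21, 80, 22 and 443 on
# 192.168.111.23: bare SYNs from the scanner, SYN/ACK from the two listening
# services, a RST from the closed port, and no answer at all from port 443.
SAMPLE_LINES = """\
10:53:01.000000 IP 192.168.111.17.40001 > 192.168.111.23.21: Flags [S], seq 1000, win 1024, length 0
10:53:01.000100 IP 192.168.111.23.21 > 192.168.111.17.40001: Flags [S.], seq 5000, ack 1001, win 8192, length 0
10:53:01.000200 IP 192.168.111.17.40001 > 192.168.111.23.21: Flags [R], seq 1001, win 0, length 0
10:53:01.000300 IP 192.168.111.17.40002 > 192.168.111.23.80: Flags [S], seq 2000, win 1024, length 0
10:53:01.000400 IP 192.168.111.23.80 > 192.168.111.17.40002: Flags [S.], seq 6000, ack 2001, win 8192, length 0
10:53:01.000500 IP 192.168.111.17.40002 > 192.168.111.23.80: Flags [R], seq 2001, win 0, length 0
10:53:01.000600 IP 192.168.111.17.40003 > 192.168.111.23.22: Flags [S], seq 3000, win 1024, length 0
10:53:01.000700 IP 192.168.111.23.22 > 192.168.111.17.40003: Flags [R.], seq 0, ack 3001, win 0, length 0
10:53:01.000800 IP 192.168.111.17.40004 > 192.168.111.23.443: Flags [S], seq 4000, win 1024, length 0
"""

# Matches the timestamp, endpoints and TCP flags of a tcpdump summary line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def classify_probes(text: str) -> dict:
    """Map each (scanner, target, port) probed with a bare SYN to the state
    implied by the target's answer: SYN/ACK -> open, RST -> closed,
    nothing -> no-response (filtered, or the host dropped it)."""
    probes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if f["flags"] == "S":
            # A SYN with no ACK bit: a new probe from src to dst:dport.
            probes.setdefault((f["src"], f["dst"], int(f["dport"])), "no-response")
        elif f["flags"] in ("S.", "R.", "R"):
            # A possible answer: the key is the reverse direction of the probe.
            key = (f["dst"], f["src"], int(f["sport"]))
            if probes.get(key) == "no-response":
                probes[key] = "open" if f["flags"] == "S." else "closed"
    return probes


def flag_syn_scanners(probes: dict, threshold: int = 3) -> dict:
    """Report (scanner, target) pairs that sent bare SYNs to at least
    `threshold` distinct ports; the threshold is an assumed tuning value."""
    ports_by_pair = defaultdict(set)
    for scanner, target, port in probes:
        ports_by_pair[(scanner, target)].add(port)
    return {pair: sorted(ports) for pair, ports in ports_by_pair.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    states = classify_probes(SAMPLE_LINES)
    for (scanner, target, port), state in sorted(states.items()):
        print(f"{scanner} -> {target}:{port}\t{state}")
    for (scanner, target), ports in flag_syn_scanners(states).items():
        print(f"possible SYN scan: {scanner} probed {target} ports {ports}")
```

Note that the scanner's own RST after each SYN/ACK (the third and sixth lines) is ignored by design: it travels in the probe's direction, not the answer's, so it never changes a port's state. Only the target's answer decides open versus closed, which is exactly the verification Nmap's own report cannot give you.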

The output listed below is what Nmap gathers from the packets it sends, or more accurately from the packets it receives in response to the SYN scan it performs. We can see that there appear to be FTP and HTTP services offered. We don't really care about the MAC address, so we will ignore that. Tools like Nmap are not often wrong, but it is always good to verify your information at the packet level to ensure accuracy. Not only that, but it also allows you to look at the packets coming back from the victim network and glean architectural, service and host information from them.

Looking at the packets

There are a number of programs available today that will dig into the packets and find out information such as the operating system type, architectural information such as x86 or SPARC, and more. That is all well and good, but it is important to understand what we are looking at rather than letting a program do all of the work for us. With that in mind, let's take a look at the Nmap packet trace and find out some information about the victim network.

10:52:59.062500 IP (tos 0x0, ttl 43, id 8853, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.17 > 192.168.111.23: ICMP echo request seq 38214, length 8
0x0000: 4500 001c 2295 0000 2b01 0dd3 c0a8 6f11 E..."...+.....o.
0x0010: c0a8 6f17 0800 315a 315f 9546 ..o...1Z1_.F
10:52:59.078125 IP (tos 0x0, ttl 128, id 396, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.23 > 192.168.111.17: ICMP echo reply seq 38214, length 8
0x0000: 4500 001c 018c 0000 8001 d9db c0a8 6f17 E.............o.
0x0010: c0a8 6f11 0000 395a 315f 9546 0000 0000 ..o...9Z1_.F....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............

Shown in the two packets above is the opening sequence from Nmap. It sends an ICMP echo request to the victim network. You will notice that the packet carries no port number, because ICMP does not use ports; it is handled by the ICMP error-message generator built into the TCP/IP protocol stack. The ICMP packet is labelled with a sequence number, in this case 38214, so that the TCP/IP stack can examine the return traffic and associate it with the ICMP packet previously sent. The second packet is the reply from the victim network, in the form of an ICMP echo reply. Note that the same sequence number, 38214, is echoed back. This is how the hacker knows that there is a computer or network behind that IP address.

This opening ICMP sequence is one reason IDS signatures exist for Nmap. The ICMP host discovery option can be disabled in Nmap if desired. What information can be gleaned from the ICMP echo reply sent by the victim network? There is not much here that helps us understand the network. However, some preliminary guesses can be made about the operating system. Note the time to live (ttl) field and its value in the reply packet above. The value of 128 suggests that this computer is probably a Windows computer. While the ttl value alone does not tell us definitively what the operating system is, it gives us a baseline for the next packet we will look at.
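As an added example that is not part of the article, the Python below decodes the two hex dumps printed above by hand. It unpacks the IP and ICMP headers, recomputes both checksums, confirms that the reply really does answer the request by matching the reversed addresses and the ICMP identifier and sequence number (the 315f 9546 bytes, i.e. id 12639 and seq 38214), slices the reply at the IP total length so the Ethernet padding bytes are not mistaken for ICMP data, and turns the reply's ttl of 128 into the "probably Windows" guess. The initial-TTL table is a common heuristic and an assumption of this example, not something the article states.

```python
import struct
from ipaddress import IPv4Address

# The hex columns of the two packets printed in the article's tcpdump trace
# (ASCII column dropped). The reply is captured with Ethernet padding after
# the 28 bytes that its IP header declares.
ECHO_REQUEST_HEX = (
    "4500 001c 2295 0000 2b01 0dd3 c0a8 6f11 "
    "c0a8 6f17 0800 315a 315f 9546"
)
ECHO_REPLY_HEX = (
    "4500 001c 018c 0000 8001 d9db c0a8 6f17 "
    "c0a8 6f11 0000 395a 315f 9546 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000"
)

# Assumed heuristic (not from the article): common default initial TTLs.
INITIAL_TTLS = ((64, "Linux/Unix-like"), (128, "Windows"), (255, "network device"))


def hexdump_to_bytes(hexdump: str) -> bytes:
    return bytes.fromhex(hexdump.replace(" ", ""))


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by both IP and ICMP. Run over a header that
    already contains its checksum field, the result is 0 when it is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_icmp(packet: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 1, the 8-byte ICMP header."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Slice at the declared total length so link-layer padding is ignored.
    payload = packet[ihl:total_len]
    info = {
        "version": ver_ihl >> 4, "ttl": ttl, "proto": proto, "ip_id": ident,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ip_checksum_ok": ones_complement_checksum(packet[:ihl]) == 0,
    }
    if proto == 1:
        icmp_type, code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", payload[:8])
        info.update({
            "icmp_type": icmp_type, "icmp_code": code,
            "icmp_id": icmp_id, "icmp_seq": seq,   # no ports: id/seq pair the exchange
            "icmp_checksum_ok": ones_complement_checksum(payload) == 0,
        })
    return info


def is_echo_pair(request: dict, reply: dict) -> bool:
    """True when `reply` is the echo reply (type 0) answering `request`
    (type 8): reversed addresses and the same ICMP identifier and sequence."""
    return (request.get("icmp_type") == 8 and reply.get("icmp_type") == 0
            and (request["src"], request["dst"]) == (reply["dst"], reply["src"])
            and (request["icmp_id"], request["icmp_seq"])
            == (reply["icmp_id"], reply["icmp_seq"]))


def guess_initial_ttl(observed_ttl: int) -> tuple:
    """Pick the smallest common initial TTL >= the observed value and return
    (initial_ttl, likely_family, hops). Heuristic only: stacks can tune TTLs."""
    for initial, family in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, family, initial - observed_ttl
    return observed_ttl, "unknown", 0


if __name__ == "__main__":
    req = parse_ip_icmp(hexdump_to_bytes(ECHO_REQUEST_HEX))
    rep = parse_ip_icmp(hexdump_to_bytes(ECHO_REPLY_HEX))
    print("request:", req)
    print("reply:  ", rep)
    print("reply answers request:", is_echo_pair(req, rep))
    print("reply ttl guess:", guess_initial_ttl(rep["ttl"]))
```

The slice at `total_len` matters in practice: the reply dump is 46 bytes long although its IP header declares 28, and feeding the padding into the ICMP checksum would wrongly report a corrupt packet. The TTL guess is only a starting point, which is why the article treats the value of 128 as a baseline rather than a verdict.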

Conclusion

In this first part, we looked at an attacker's Nmap scan of a network for two specific ports. At this point, the attacker knows for certain that there is a computer or a network of computers residing at that IP address. In part 2 of this series, we will continue our examination of this packet trace and find out what other pieces of information we can glean.
