Analyzing an Attack (Part 3)
In part 2 of this series, we left off with all the information required to launch an attack on the victim's network.
Don Parker
This series is built around a single network vulnerability. It walks through a realistic attack from start to finish: reconnaissance, enumeration, exploitation of a network service, and finally post-exploitation strategies.
All of these steps will be viewed at the packet level and then explained in detail. Being able to view and understand an attack at the packet level is extremely important for both sysadmins and network security personnel. Firewalls, Intrusion Detection Systems (IDS) and other security devices produce alerts and logs, but the actual network traffic is what you will always fall back on to verify them. If you don't understand what you are seeing at the packet level, all of your network security technology is of little use.
The tools used for simulating a cyber attack are:
IPEye
TFTP client
FU Rootkit
Setup Step
There is a great deal of scanning activity on the Internet today, not to mention the activity of worms and other forms of malware such as viruses. To a well-protected network all of this is harmless noise. What we should be concerned about is someone who is deliberately targeting our network. This article assumes that the attacker has already chosen his victim and has done some research beforehand, such as finding the IP address range of the victim's network. He may also have collected information such as email addresses associated with that network. This kind of information matters in case the attacker finds no way into the network after scanning, enumerating and probing it: the email addresses he collected can then be used to set up a client-side attack, luring a user to a malicious website through a link in an email. Those attacks will be covered in later articles.
How it works
Let us now watch the hacker as he scans and enumerates the victim network. The first tool he reaches for is Nmap. Although several IDS signatures exist for Nmap's scans, it remains a very useful and widely used tool.
From the syntax the hacker used, shown in the screenshot above, we can see that he chose ports 21 and 80 because he has exploits for those services that can be launched through the Metasploit Framework, and because FTP and HTTP are two services and protocols he understands well. He is clearly using a SYN scan, the most common type of port scan. It works because a TCP service listening on a port answers a SYN packet with a SYN/ACK; the SYN/ACK tells the scanner that a service really is listening and waiting for a connection (a closed port answers with a RST, and a filtered port does not answer at all). UDP offers no such handshake, which makes scanning UDP services such as DNS much less reliable (DNS also uses TCP, but the majority of its transactions are carried over UDP).
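To make the SYN scan logic concrete, the following is an added example (not code from the original article) that classifies a port's state from the raw TCP reply, or from the ICMP error that arrives instead, the way a SYN scan does, and shows why the same rule fails for UDP. The TCP headers and ICMP type/code pairs are constructed in-line; the port-state rules follow Nmap's documented interpretation of responses.

```python
"""Port-state classification for a SYN scan and a UDP scan.

Added example, not the article's code. Input packets are constructed
in-line; no network access is needed.
"""
import struct
from typing import Optional, Tuple

# TCP flag bits live in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# ICMP destination-unreachable (type 3) codes that Nmap reports as "filtered".
FILTERED_CODES = (1, 2, 3, 9, 10, 13)


def tcp_flags(tcp_header: bytes) -> int:
    """Return the flags byte of a raw TCP header (20 bytes minimum)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13]


def classify_syn_probe(reply: Optional[bytes],
                       icmp: Optional[Tuple[int, int]] = None) -> str:
    """State of a TCP port after one SYN probe.

    reply: raw TCP header of the answer, or None if nothing came back.
    icmp:  (type, code) of an ICMP error that arrived instead, if any.
    """
    if reply is not None:
        flags = tcp_flags(reply)
        if flags & SYN and flags & ACK:
            return "open"        # a service is listening; the scanner sends RST
        if flags & RST:
            return "closed"      # the stack answered, nobody is listening
        return "unexpected"
    if icmp is not None and icmp[0] == 3 and icmp[1] in FILTERED_CODES:
        return "filtered"        # a router or host firewall rejected the probe
    return "filtered"            # silence: probe or reply was dropped


def classify_udp_probe(reply: Optional[bytes],
                       icmp: Optional[Tuple[int, int]] = None) -> str:
    """UDP has no handshake, so silence alone cannot prove the port is open."""
    if reply is not None:
        return "open"            # the service answered the probe payload
    if icmp is not None and icmp[0] == 3:
        if icmp[1] == 3:
            return "closed"      # port unreachable
        if icmp[1] in (1, 2, 9, 10, 13):
            return "filtered"
    return "open|filtered"       # ambiguous, the usual UDP result


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header (no options, zero checksum) as test input."""
    data_offset = 5 << 4         # header length 5 x 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 8192, 0, 0)


if __name__ == "__main__":
    # Constructed replies: the victim answers SYN/ACK on 21 and 80 (as in the
    # Nmap output), RST on 23, and nothing at all on 135.
    print("tcp/21 ->", classify_syn_probe(build_tcp_header(21, 40000, SYN | ACK, 1000, 1)))
    print("tcp/80 ->", classify_syn_probe(build_tcp_header(80, 40000, SYN | ACK, 2000, 1)))
    print("tcp/23 ->", classify_syn_probe(build_tcp_header(23, 40000, RST | ACK, 0, 1)))
    print("tcp/135 ->", classify_syn_probe(None))
    print("udp/53 (no answer) ->", classify_udp_probe(None))
    print("udp/53 (port unreachable) ->", classify_udp_probe(None, icmp=(3, 3)))
```

A real scanner only declares a TCP port "filtered" after retransmitting the probe a few times, since a single lost packet looks exactly like a firewall drop; the point of the example is that the SYN/ACK is the one answer that cannot be faked by silence, which is what makes the SYN scan so reliable compared with UDP.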
The output below is what Nmap gathers from the packets it sends, or more accurately from the packets it receives in response to its SYN scan. We can see that FTP and HTTP services appear to be offered. We don't really care about the MAC address, so we'll ignore it. Tools like Nmap are rarely wrong, but it is still good practice to verify the information at the packet level to make sure it is accurate. Doing so also lets you examine the packets coming back from the victim network and glean architecture, service and host information from them.
Looking at the packets
There are a number of programs available today that will dig into packets and work out information such as the operating system and the architecture, x86 or SPARC for instance. That is all well and good, but it is important to understand what a program is doing when we let it do the work for us. With that in mind, let's take a look at the Nmap packet trace and find out what it tells us about the victim network.
10:52:59.062500 IP (tos 0x0, ttl 43, id 8853, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.17 > 192.168.111.23: ICMP echo request seq 38214, length 8
0x0000: 4500 001c 2295 0000 2b01 0dd3 c0a8 6f11 E..."...+.....o.
0x0010: c0a8 6f17 0800 315a 315f 9546 ..o...1Z1_.F
10:52:59.078125 IP (tos 0x0, ttl 128, id 396, offset 0, flags [none], proto: ICMP (1), length: 28) 192.168.111.23 > 192.168.111.17: ICMP echo reply seq 38214, length 8
0x0000: 4500 001c 018c 0000 8001 d9db c0a8 6f17 E.............o.
0x0010: c0a8 6f11 0000 395a 315f 9546 0000 0000 ..o...9Z1_.F....
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
The two packets above are the opening sequence of an Nmap scan: Nmap sends an ICMP echo request to the victim. Notice that there is no port number; ICMP does not use ports, but is handled by the ICMP module built into the TCP/IP stack. The echo request carries an identifier (0x315f in the hex dump) and a sequence number, here 38214, so that the sending stack can match returning traffic to the request it sent. The second packet is the victim's answer, an ICMP echo reply, and it echoes the same identifier and sequence number 38214. This is how the hacker knows that there is a computer, or a network of computers, behind that IP address.
This opening sequence of ICMP packets is one reason there are IDS signatures for Nmap. The ICMP host discovery step can be disabled in Nmap if desired (the -Pn option, formerly -P0). What can be gleaned from the victim's echo reply? Not a great deal about the network itself, but it does allow a preliminary guess at the operating system. Look at the time to live (TTL) field and the value next to it in the reply above: a TTL of 128 indicates that this is probably a Windows machine, because Windows sets an initial TTL of 128 whereas most Unix-like systems start at 64. The TTL does not identify the operating system with certainty, but it gives us a starting point for the next packet we will look at.
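The following is an added example, not code from the original article, that decodes the two packets from the tcpdump hex dump above: it parses the IPv4 and ICMP headers, verifies both checksums, matches the reply to the request by identifier and sequence number, and applies the TTL rule of thumb. The hex bytes are copied from the page's own dump (including the trailing padding in the reply); the initial-TTL table (64 for Unix-like systems, 128 for Windows, 255 for Cisco IOS and Solaris) is the usual heuristic and is an assumption, not a fingerprint.

```python
"""Decode the two ICMP packets from the tcpdump dump above.

Added example; not code from the original article. Hex bytes are the
page's own tcpdump output. INITIAL_TTLS is an assumed rule of thumb.
"""
import struct
from typing import Dict, Tuple

# Copied from the dump above; bytes.fromhex() ignores the spaces.
ECHO_REQUEST_HEX = (
    "4500 001c 2295 0000 2b01 0dd3 c0a8 6f11 "
    "c0a8 6f17 0800 315a 315f 9546"
)
ECHO_REPLY_HEX = (
    "4500 001c 018c 0000 8001 d9db c0a8 6f17 "
    "c0a8 6f11 0000 395a 315f 9546 0000 0000 "
    "0000 0000 0000 0000 0000 0000 0000"
)

# Assumed default initial TTLs; every router on the path decrements by one.
INITIAL_TTLS = {64: "Linux/BSD/macOS", 128: "Windows", 255: "Cisco IOS/Solaris"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    Computed over a header that already contains its checksum, it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp_packet(hexdump: str) -> Dict[str, object]:
    """Parse the IPv4 and ICMP echo fields and verify both checksums."""
    raw = bytes.fromhex(hexdump)
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl + 8:
        raise ValueError("not a usable IPv4 packet")
    total_len, ip_id, _flags_frag, ttl, proto, _ = struct.unpack("!HHHBBH", raw[2:12])
    if proto != 1:
        raise ValueError("only ICMP (protocol 1) is decoded here")
    datagram = raw[:total_len]       # bytes beyond total_len are Ethernet padding
    icmp = datagram[ihl:]
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "ip_id": ip_id,
        "ttl": ttl,
        "ip_checksum_ok": internet_checksum(raw[:ihl]) == 0,
        "icmp_type": itype,
        "icmp_code": code,
        "icmp_id": ident,
        "icmp_seq": seq,
        "icmp_checksum_ok": internet_checksum(icmp) == 0,
        "padding": len(raw) - total_len,
    }


def is_echo_reply_to(request: Dict[str, object], reply: Dict[str, object]) -> bool:
    """A stack pairs an echo reply with its request by identifier and sequence."""
    return ((request["icmp_type"], reply["icmp_type"]) == (8, 0)
            and request["icmp_id"] == reply["icmp_id"]
            and request["icmp_seq"] == reply["icmp_seq"]
            and request["src"] == reply["dst"]
            and request["dst"] == reply["src"])


def guess_initial_ttl(ttl: int) -> Tuple[int, int, str]:
    """Round up to the nearest common initial TTL: (initial, hops, os guess)."""
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return initial, initial - ttl, INITIAL_TTLS[initial]
    raise ValueError("TTL out of range")


if __name__ == "__main__":
    req = decode_icmp_packet(ECHO_REQUEST_HEX)
    rep = decode_icmp_packet(ECHO_REPLY_HEX)
    for name, pkt in (("request", req), ("reply", rep)):
        print(name, pkt)
    print("reply matches request:", is_echo_reply_to(req, rep))
    print("victim TTL 128 ->", guess_initial_ttl(rep["ttl"]))
    print("attacker TTL 43 ->", guess_initial_ttl(req["ttl"]))
```

Two details worth noticing in the output. The reply's IP total length is 28 bytes, yet tcpdump shows 46: the 18 trailing zero bytes are Ethernet minimum-frame padding, not ICMP data, and must be cut off before the ICMP checksum is recomputed. And the heuristic that gives "Windows, 0 hops" for the victim's TTL of 128 gives "Linux, 21 hops" for the attacker's TTL of 43, even though both hosts sit in 192.168.111.0/24; the scanner chose that TTL itself, which is exactly why a TTL is a hint to be confirmed by later packets rather than a fingerprint.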
Conclusion
In this first part we looked at an Nmap scan of a network for two specific ports. At this point the attacker knows for certain that there is a computer, or a network of computers, at that IP address. In part 2 of this series we'll continue our look at this packet trace and find out what other pieces of information we can glean from it.