Analyzing an Attack (Part 3)
In part 2 of this series we left off in the middle of collecting the information an attacker needs before going after the victim's network; this part completes that picture at the packet level.
Don Parker
Part 1 showed what can be read from the opening of the packet sequence sent by Nmap. The scan begins with an ICMP echo request to determine whether a live host answers at the target IP address.
From the TTL of 128 in the ICMP echo reply the victim sent back, we could also make a first guess that the target is a Windows machine. What we do now is continue through the remaining packets of the Nmap scan and pull out whatever else they reveal, so that we end up with a profile of the victim network.
Continuing the packet walk
10:52:59.078125 IP (tos 0x0, ttl 49, id 9808, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37668 > 192.168.111.23.80: ., cksum 0xfd46 (correct), ack 85042526 win 2048
0x0000: 4500 0028 2650 0000 3106 0407 c0a8 6f11 E..(&P..1.....o.
0x0010: c0a8 6f17 9324 0050 67d1 a55e 0511 a55e ..o..$.Pg..^...^
0x0020: 5010 0800 fd46 0000 P....F..
10:52:59.078125 IP (tos 0x0, ttl 128, id 397, offset 0, flags [none], proto: TCP(6), length: 40) 192.168.111.23.80 > 192.168.111.17.37668: R, cksum 0x6813 (correct), 85042526:85042526(0)win 0
0x0000: 4500 0028 018d 0000 8006 d9c9 c0a8 6f17 E..(..........o.
0x0010: c0a8 6f11 0050 9324 0511 a55e 0511 a55e ..o..P.$...^...^
0x0020: 5004 0000 6813 0000 0000 0000 0000 P...h.........
The two packets above follow the ICMP exchange we examined in part 1. Nmap sent a bare ACK to 192.168.111.23 on port 80. The TTL of 49 in that ACK tells us nothing about the attacker: Nmap picks a random TTL in the range 37 to 59 for the probes it crafts unless one is supplied with --ttl, which is why the attacker's probes in this capture carry 49, 58 and 59. Because the ACK belongs to no established connection, the victim answered it with a RST, exactly what a TCP stack should do with an unexpected ACK. That RST again carries a TTL of 128, matching the TTL we observed in the ICMP echo reply earlier.
10:52:59.296875 IP (tos 0x0, ttl 58, id 45125, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.21: S, cksum 0x37ce (correct), 2010644897:2010644897(0) win 3072
0x0000: 4500 0028 b045 0000 3a06 7111 c0a8 6f11 E..(.E..:.q...o.
0x0010: c0a8 6f17 930c 0015 77d8 01a1 0000 0000 ..o.....w.......
0x0020: 5002 0c00 37ce 0000 P...7...
10:52:59.296875 IP (tos 0x0, ttl 128, id 398, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.111.23.21 > 192.168.111.17.37644: S, cksum 0x4f58 (correct), 1685290308:1685290308(0) ack 2010644898 win 64240
0x0000: 4500 002c 018e 4000 8006 99c4 c0a8 6f17 E..,..@.......o.
0x0010: c0a8 6f11 0015 930c 6473 7d44 77d8 01a2 ..o.....ds}Dw...
0x0020: 6012 faf0 4f58 0000 0204 05b4 0000 `...OX........
10:52:59.296875 IP (tos 0x0, ttl 128, id 110, offset 0, flags [none], proto: TCP(6), length: 40) 192.168.111.17.37644 > 192.168.111.23.21: R, cksum 0xca50 (correct), 2010644898:2010644898(0) win 0
0x0000: 4500 0028 006e 0000 8006 dae8 c0a8 6f11 E..(.n........o.
0x0010: c0a8 6f17 930c 0015 77d8 01a2 77d8 01a2 ..o.....w...w...
0x0020: 5004 0000 ca50 0000 P....P..
Following the ACK and RST exchange, a genuine SYN is sent from the hacker to the victim, as the S flag in the first summary line shows. The victim answers from port 21 with a SYN/ACK, and the exchange is closed by a RST from the hacker's machine back to the victim. Note that this RST is not crafted by Nmap: the attacker's kernel generates it when a SYN/ACK arrives for a connection it never opened, which is why the RST carries a TTL of 128 and a small sequential IP ID (110 here, 111 in the next exchange) while the SYNs carry Nmap's randomized TTLs. These three packets hold a wealth of information about the victim.
We again see a TTL of 128 from the victim, and this time also a TCP window size of 64240. That value is not a definitive signature, but it is one I have seen many times from Win32 systems (the 32-bit versions of Microsoft Windows: NT, 2000, XP and 2003). Windows of that era also has a predictable IP ID generator: the ID field simply increases by one with each packet the host sends. From this exchange we have a single IP ID value, 398 (the earlier RST carried 397); we want at least one more consecutive value before treating the increment as a pattern and calling this a Microsoft Windows machine with confidence. With that in mind, let's look at the remaining packets from the Nmap scan.
10:52:59.312500 IP (tos 0x0, ttl 59, id 54025, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.111.17.37644 > 192.168.111.23.80: S, cksum 0x3393 (correct), 2010644897:2010644897(0) win 4096
0x0000: 4500 0028 d309 0000 3b06 4d4d c0a8 6f11 E..(....;.MM..o.
0x0010: c0a8 6f17 930c 0050 77d8 01a1 0000 0000 ..o....Pw.......
0x0020: 5002 1000 3393 0000 P...3...
10:52:59.312500 IP (tos 0x0, ttl 128, id 399, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.111.23.80 > 192.168.111.17.37644: S, cksum 0x7913 (correct), 1685345101:1685345101(0) ack 2010644898 win 64240
0x0000: 4500 002c 018f 4000 8006 99c3 c0a8 6f17 E..,..@.......o.
0x0010: c0a8 6f11 0050 930c 6474 534d 77d8 01a2 ..o..P..dtSMw...
0x0020: 6012 faf0 7913 0000 0204 05b4 0000 `...y.........
10:52:59.312500 IP (tos 0x0, ttl 128, id 111, offset 0, flags [none], proto: TCP(6), length: 40) 192.168.111.17.37644 > 192.168.111.23.80: R, cksum 0xca15 (correct), 2010644898:2010644898(0) win 0
0x0000: 4500 0028 006f 0000 8006 dae7 c0a8 6f11 E..(.o........o.
0x0010: c0a8 6f17 930c 0050 77d8 01a2 77d8 01a2 ..o....Pw...w...
0x0020: 5004 0000 ca15 0000 P.......
The first thing the hacker looks for is whether the IP ID has increased by one, to 399. It has, as the id field in the summary line and the hex word 018f in the IP header show. With that, the hacker is fairly confident the victim is running Windows NT, 2000, XP or 2003. The same sequence also shows that port 80 is listening, because the victim answered with a SYN/ACK. That is read from the flags byte of the TCP header: in the word 6012 the low byte is hex 12, decimal 18, which is the SYN bit (2) plus the ACK bit (16).
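To make the header walk above concrete, here is an added Python example (not code from the original article) that decodes the tcpdump -X hex dumps shown on this page and applies the same heuristics the text uses: TTL, TCP window, IP ID increments and the TCP flags byte. The four dumps are copied from the capture above; the parser, the IP header checksum check and the heuristic thresholds are my own and should be read as assumptions, not as Nmap's or tcpdump's logic.

```python
"""Decode tcpdump -X hex dumps and apply the passive-fingerprinting rules
from the text: TTL, TCP window, IP ID sequence and the TCP flags byte."""
import re
import struct

# Hex dumps copied from the capture above: the victim's RST to the ACK probe,
# the attacker's SYN to port 21, and the victim's two SYN/ACK replies. tcpdump
# prints the Ethernet padding too, so the IP total-length field decides where
# a packet ends, not the length of the dump.
DUMPS = [
    """0x0000: 4500 0028 018d 0000 8006 d9c9 c0a8 6f17 E..(..........o.
       0x0010: c0a8 6f11 0050 9324 0511 a55e 0511 a55e ..o..P.$...^...^
       0x0020: 5004 0000 6813 0000 0000 0000 0000 P...h.........""",
    """0x0000: 4500 0028 b045 0000 3a06 7111 c0a8 6f11 E..(.E..:.q...o.
       0x0010: c0a8 6f17 930c 0015 77d8 01a1 0000 0000 ..o.....w.......
       0x0020: 5002 0c00 37ce 0000 P...7...""",
    """0x0000: 4500 002c 018e 4000 8006 99c4 c0a8 6f17 E..,..@.......o.
       0x0010: c0a8 6f11 0015 930c 6473 7d44 77d8 01a2 ..o.....ds}Dw...
       0x0020: 6012 faf0 4f58 0000 0204 05b4 0000 `...OX........""",
    """0x0000: 4500 002c 018f 4000 8006 99c3 c0a8 6f17 E..,..@.......o.
       0x0010: c0a8 6f11 0050 930c 6474 534d 77d8 01a2 ..o..P..dtSMw...
       0x0020: 6012 faf0 7913 0000 0204 05b4 0000 `...y.........""",
]

HEX_WORD = re.compile(r"^[0-9a-fA-F]{2,4}$")
SYN, RST, ACK = 0x02, 0x04, 0x10


def hexdump_to_bytes(dump: str) -> bytes:
    """'offset: xxxx xxxx ... ASCII' lines to raw bytes. A line holds at most
    16 bytes; the first token that is not 2-4 hex digits starts the ASCII
    column (an ASCII column that itself looks like hex would be misread)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")
        taken = bytearray()
        for tok in rest.split():
            if len(taken) >= 16 or not HEX_WORD.match(tok):
                break
            taken += bytes.fromhex(tok)
        out += taken
    return bytes(out)


def ip_checksum_ok(header: bytes) -> bool:
    """RFC 791: one's-complement sum over the header words, checksum field
    included, must be 0xFFFF for an intact header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the option TLVs; report MSS (kind 2) if present."""
    found, i = {}, 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the list
        if opts[i] == 1:                       # NOP carries no length byte
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if kind == 2 and length == 4:
            found["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return found


def parse_packet(raw: bytes) -> dict:
    """Decode the IPv4 and TCP headers of one captured packet."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id, frag, ttl, proto = struct.unpack("!HHHBB", raw[2:10])
    if proto != 6:
        raise ValueError("not TCP")
    pkt = raw[:total_len]                      # drop link-layer padding
    tcp = pkt[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "ttl": ttl, "ip_id": ip_id, "df": bool(frag & 0x4000),
            "ip_csum_ok": ip_checksum_ok(pkt[:ihl]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": tcp[13], "window": struct.unpack("!H", tcp[14:16])[0],
            **parse_tcp_options(tcp[20:data_off])}


def decode_all(dumps=DUMPS) -> list:
    return [parse_packet(hexdump_to_bytes(d)) for d in dumps]


def fingerprint(packets: list, host: str) -> dict:
    """Heuristics from the text applied to everything `host` sent: TTL 128 plus
    a 64240 window on SYN/ACKs suggests Win32, IP IDs rising by one between
    consecutive replies suggests a sequential generator, SYN/ACK = open port."""
    mine = [p for p in packets if p["src"] == host]
    ttls = {p["ttl"] for p in mine}
    ids = [p["ip_id"] for p in mine]
    sequential = len(ids) >= 2 and all(b - a == 1 for a, b in zip(ids, ids[1:]))
    synacks = [p for p in mine if p["flags"] == SYN | ACK]
    windows = {p["window"] for p in synacks}
    looks_win32 = ttls == {128} and windows == {64240} and sequential
    return {"ttls": sorted(ttls), "ip_ids": ids, "sequential_ip_id": sequential,
            "synack_windows": sorted(windows),
            "open_ports": sorted({p["sport"] for p in synacks}),
            "os_guess": "Windows NT/2000/XP/2003 family" if looks_win32 else "undetermined"}


if __name__ == "__main__":
    pkts = decode_all()
    print(*pkts, fingerprint(pkts, "192.168.111.23"), sep="\n")
```

Run against the four dumps, the decoder reports the victim's TTL 128, the 64240 window and MSS 1460 on both SYN/ACKs, IP IDs 397, 398, 399, and ports 21 and 80 open; the attacker's SYN shows up with its Nmap-chosen TTL of 58 and window of 3072. The IP header checksum check is there because a parser that silently accepts a miscounted hex dump will happily fingerprint garbage.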
Enumeration
Once the hacker knows that ports 21 and 80 are both open on the target, he moves to enumeration. What he needs now is the type of web server listening on port 80: it would be pointless to throw an Apache exploit at an IIS server. With that in mind, the attacker opens a cmd.exe session and connects to the port with netcat.
C:\>nc.exe 192.168.111.23 80
GET slslslls
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 06 Aug 2007 15:11:48 GMT
Content-Type: text/html
Content-Length: 87
The parameter is incorrect.
C:\>
The command above connects nc.exe to the victim's IP address on port 80. Once connected, the hacker types GET followed by some gibberish. The web server cannot parse the request, returns a 400 Bad Request, and in doing so volunteers a Server header identifying itself. The hacker now knows he is talking to Microsoft IIS 5.0, and he has exploits for that version. A Server header can be rewritten or removed by the administrator, so it is a strong hint rather than proof, but an unmodified banner like this one is a reliable indicator.
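The netcat session above, as an added Python example that is not part of the original article: the client sends the same malformed request line and parses the Server header out of the error response. Because the page's IIS host is not reachable, the block includes a constructed loopback stand-in that replays a copy of the reply shown above (with Content-Length adjusted to the plain-text body); the parsing helpers and the stand-in server are my own.

```python
"""Banner-grab a web server the way the nc.exe session above does: send a
malformed request line and read the Server header out of the error reply."""
import socket
import threading

# Constructed stand-in for the victim's reply: the status line and headers
# shown on the page, with Content-Length matching this plain-text body.
FAKE_IIS_REPLY = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Mon, 06 Aug 2007 15:11:48 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"The parameter is incorrect."
)


def parse_response(data: bytes) -> dict:
    """Split an HTTP response into status code, headers, body and the Server
    product/version. Header names are lower-cased; latin-1 decoding avoids
    blowing up on servers that put odd bytes into error pages."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    product, _, version = headers.get("server", "").partition("/")
    return {"status": status, "headers": headers, "body": body,
            "product": product or None, "version": version or None}


def grab_banner(host: str, port: int, timeout: float = 3.0) -> dict:
    """Open a TCP connection, send the bogus request line the hacker typed
    into nc.exe, and parse whatever the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET slslslls\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:          # read until end of headers
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_response(data)


def serve_once(reply: bytes):
    """Loopback stand-in for the target: accept one connection, swallow the
    request and answer with `reply`. Returns the (host, port) to connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = serve_once(FAKE_IIS_REPLY)
    info = grab_banner(host, port)
    print(info["status"], info["product"], info["version"])
```

Point grab_banner at a real host and port instead of the stand-in to reproduce the page's session; the request line is deliberately malformed so that any HTTP server, not just one with a page at that path, is pushed into its error handler.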
Conclusion
By scanning the victim's network with Nmap, the hacker gets back a series of packets that, as we have seen, carry enough information to profile the target: its operating system family, its network stack behaviour, which ports are open and, after a quick banner grab, the server software behind them.
In short, this is how the hacker learns the key facts about the host, its operating system and the services it offers. With this information in hand he can launch an attack on the victim's web server. In the following part we will look at the attacks available to the hacker in this case.