
Advanced Network Exploitation Research and Networking Concepts. September 2009 – Written by Nicholas Lemonias Copyright © 2009 Advanced Information Security Online.

Basic Networking Concepts

A network infrastructure is the set of physical and logical components that provide connectivity, security, routing, management, access to resources and the other features integral to a network. The physical infrastructure is the network's topology or physical design: the routers, switches, bridges, hubs, cabling and other hardware that make up the network.

The logical infrastructure is the shared software that lets computers communicate over that physical topology. It comprises the common network protocols, an addressing scheme, a name-resolution system and the network services.

Practically all modern computer communication is built on the TCP/IP protocol suite, which provides addressing, a naming system, routing, interoperability with the Internet and many other facilities for network communication.

Definition of the TCP/IP Protocol as described in

“TCP/IP defines a set of rules to enable computers to communicate over a network, specifying how data should be packaged, addressed, shipped, routed and delivered to the right destination. The specification defines protocols for different types of communication between computers and provides a framework for more detailed standards. TCP/IP is generally described as having four 'layers', or five if you include the bottom Physical Layer. The layer view of TCP/IP is based on the seven-layer OSI Reference Model, written long after the original TCP/IP specifications, and is not officially recognized. Regardless, it makes a good analogy for how TCP/IP works, and comparison of the models is common.

The TCP/IP Model and related protocols are currently maintained by the Internet Engineering Task Force (IETF).”

The four layers of the TCP/IP protocol suite

Application layer. Handles the data, or content, of the particular application using the TCP/IP connection. Many common applications live here: Telnet, FTP, SNMP.

Transport layer. Carries the flow of data between the sender and the receiver. At this layer the application chooses its transport protocol: either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).

Differences between TCP and UDP in the flow of data:

1. TCP provides a reliable flow of data between HOST A and HOST B. It divides the application's data into appropriately sized chunks (segments) for the layer below (the network layer), and it achieves guaranteed delivery through a) acknowledgements from the other end for every segment received, b) timeouts and retransmission when an acknowledgement does not arrive in time, and c) sequence numbers, so that the receiver can put segments back in order and discard duplicates. The application does not have to deal with any of this.

2. In contrast, UDP provides a much simpler service to the application layer. It just sends datagrams from HOST A to HOST B with no guarantee that they reach the other end: there is no acknowledgement and no retransmission, so any reliability must be added by the application itself.

Network layer (also called the Internet layer). Handles the movement of packets around the network rather than the end-to-end transport: it routes and delivers individual packets from the source to the destination, hop by hop, but it does not sequence or retransmit them; that is TCP's job. The protocols at this layer are:

IP (Internet Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol).

Together they provide the routing of packets and a control-messaging mechanism (for example, error reports about packets that could not be delivered).

Link layer. Sometimes called the data-link layer or the network-interface layer. It normally consists of the device driver in the operating system and the corresponding network interface card (NIC) in the computer, which together handle the hardware details of physically interfacing with the cable.

Objectives

TCP provides a reliable transport layer, but the protocol it rides on, the Internet Protocol (IP), is unreliable; reliability is built by TCP on top of it. IP is the workhorse protocol of the suite, used by both TCP and UDP: every piece of information that crosses an internet passes through IP on the sending host, on every intermediate router and on the receiving host. Normally an application reaches IP through TCP or UDP, but it is also possible for an application to use IP directly, bypassing the transport layer (rare, but some older routing protocols work this way), or to send ICMP messages itself, as ping and traceroute do. The Internet Control Message Protocol (ICMP) is an adjunct to IP: it gives IP a mechanism for exchanging error messages and other vital information with the other end.

IGMP is the Internet Group Management Protocol. It is used for multicasting (sending a UDP datagram to multiple hosts at once).

ARP and RARP (Address Resolution Protocol / Reverse Address Resolution Protocol) are specialized protocols used with certain kinds of network interface, such as Ethernet, to convert between the addresses used by the IP layer and the addresses used by the network interface (the hardware or MAC address).

TCP/IP Encapsulation and Demultiplexing of Information

Encapsulation is what happens when an application sends data using TCP: the data is passed down the protocol stack, and each layer adds its own header in front of what it received from the layer above (the TCP segment is carried inside an IP datagram, which is carried inside an Ethernet frame), until the result leaves the interface as a stream of bits bound for the destination. Demultiplexing is the opposite. When a frame arrives at the destination it works its way up the protocol stack, and each layer strips off the header that was added during encapsulation and examines identifiers within it to decide which protocol or application at the next layer up receives the data. The Ethernet frame type selects IP; the IP header's protocol field selects TCP, UDP or ICMP; for TCP the four-tuple of source IP address, source port, destination IP address and destination port selects the connection (UDP uses just the destination port). TCP then uses the sequence numbers to put the received segments back into the order in which the sender transmitted them.

Client-Server Model

Most networking applications are written assuming that one side is the client and the other side is the server. The purpose of the application is for the server to provide a service to its clients (the client-server concept).

Servers can be divided into iterative and concurrent servers. An iterative server follows these steps:
A. Wait for a client request to arrive.
B. Process the client request.
C. Send the response back to the client that sent the request.
D. Go back to step A and wait for the next request.

The only difference between an iterative server and a concurrent server is that while an iterative server is processing one client's request no other client is serviced, whereas a concurrent server follows this order:
A. Wait for a client request to arrive.
B. Start a new server to handle the client's request. (Typically this creates a new process or a new thread; how the step is performed depends on what the underlying operating system supports.)
C. Go back to step A and wait for the next request, while the new process or thread finishes serving the first client.
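The two server structures above, as an added example (this is not code from the original paper): both servers use the same one-line request handler, and a timing function sends a deliberately slow request followed by a second one to show that the iterative server makes the second client wait while the concurrent server does not. The "SLOW " prefix, the port choice and all messages are constructed for this example; everything stays on the loopback interface.

```python
# Added example (not from the original paper): an iterative and a concurrent
# TCP server built on the same request handler, plus a client that times how
# long a second request waits behind a deliberately slow first one.
# Listens on 127.0.0.1 only; all requests are constructed in this file.
import socket
import socketserver
import threading
import time


class UpperHandler(socketserver.StreamRequestHandler):
    """Steps B and C: read one request line, send the upper-cased reply."""

    def handle(self):
        line = self.rfile.readline()
        if line.startswith(b"SLOW "):      # constructed marker for a slow request
            time.sleep(0.5)
            line = line[len(b"SLOW "):]
        self.wfile.write(line.upper())


class IterativeServer(socketserver.TCPServer):
    """Steps A to D in one loop: nobody else is served while handle() runs."""
    allow_reuse_address = True


class ConcurrentServer(socketserver.ThreadingTCPServer):
    """Step B hands the accepted connection to a new thread, then loops to A."""
    allow_reuse_address = True
    daemon_threads = True


def start_server(server_cls):
    # Port 0 asks the OS for a free ephemeral port (see Port Numbers).
    srv = server_cls(("127.0.0.1", 0), UpperHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def ask(port, request, timeout=10.0):
    """Client side: connect (the kernel does the handshake), send, read until close."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)


def time_second_client(server_cls):
    """Start a slow request, then a fast one; return (fast_reply, seconds_waited)."""
    srv = start_server(server_cls)
    port = srv.server_address[1]
    slow = threading.Thread(target=ask, args=(port, b"SLOW first\n"))
    slow.start()
    time.sleep(0.1)                        # let the slow client be accepted first
    t0 = time.monotonic()
    reply = ask(port, b"second\n")
    waited = time.monotonic() - t0
    slow.join()
    srv.shutdown()
    srv.server_close()
    return reply, waited


if __name__ == "__main__":
    for cls in (IterativeServer, ConcurrentServer):
        print(cls.__name__, time_second_client(cls))
```

With the iterative server the second client connects immediately (the kernel completes the handshake from the listen backlog) but its reply only arrives after the slow request finishes, roughly 0.4 s later; with the concurrent server it is answered in milliseconds.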

Port Numbers

TCP and UDP identify applications using 16-bit port numbers. Servers are normally known by their well-known port numbers. Until 1992 the well-known ports were between 1 and 255; ports between 256 and 1023 were normally used by UNIX systems for UNIX-specific services. The Internet Assigned Numbers Authority (IANA) now manages ports 1 through 1023. A client usually does not care which port number it uses on its end; the operating system picks one for it. Client port numbers are called ephemeral (short-lived) ports because they exist only while the application is running, the application being bound to whatever port the system chose.

UNIX ports. The well-known port numbers are listed in the file /etc/services:

% grep telnet /etc/services
telnet          23/tcp
% grep domain /etc/services
domain          53/udp
domain          53/tcp

Requests for Comments (RFCs)

All the official standards in the Internet community are published as Requests for Comments (RFCs). They can be obtained by e-mail (To: rfc-info@ISI.EDU, Subject: getting rfcs). See Internet Official Protocol Standards, RFC 1600 [Postel 1994], and the Host Requirements RFCs 1122 and 1123 [Braden 1989a, 1989b].

Internet Protocol

The Internet Protocol (IP) is the main, or workhorse, protocol of the TCP/IP suite: all TCP, UDP, ICMP and IGMP data is transmitted as IP datagrams. IP is an unreliable, connectionless datagram delivery service. Unreliable means that there is no guarantee that a datagram reaches its destination: when something goes wrong, IP simply throws the datagram away and tries to send an ICMP message back to the source. Connectionless means that IP keeps no state about successive datagrams; each one is handled independently of the others.

IPv4 header (20 bytes without options):

0                   15 16                  31
4-bit version | 4-bit header length | 8-bit type of service (TOS) | 16-bit total length (in bytes)
16-bit identification | 3-bit flags | 13-bit fragment offset
8-bit time to live (TTL) | 8-bit protocol | 16-bit header checksum
32-bit source IP address
32-bit destination IP address
options (if any)
data

UDP header (8 bytes):

0                   15 16                  31
16-bit source port number | 16-bit destination port number
16-bit UDP length | 16-bit UDP checksum
data

TCP header (20 bytes without options):

0                   15 16                  31
16-bit source port number | 16-bit destination port number
32-bit sequence number
32-bit acknowledgement number
4-bit header length | 6 bits reserved | URG ACK PSH RST SYN FIN | 16-bit window size
16-bit TCP checksum | 16-bit urgent pointer
options (if any)
data
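The header layouts above and the encapsulation/demultiplexing walk described earlier, as an added example (not code from the original paper): a decoder that takes a raw IPv4 datagram, extracts each header field in the order drawn, and uses the protocol field to hand the payload to a TCP, UDP or ICMP parser. The sample datagram is constructed by hand for this example; the checksum fields are decoded but not verified.

```python
# Added example (not from the original paper): decode an IPv4 datagram
# field by field from the header layouts above and demultiplex it to TCP,
# UDP or ICMP on the protocol field. The sample datagram is constructed
# by hand (a TCP SYN from 10.0.0.5:40000 to 10.0.0.1:80); checksums are
# decoded but not verified here.
import struct

PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
# Flag bits in the low 6 bits of the TCP flags byte, left to right as drawn above.
TCP_FLAGS = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
             (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))


def parse_ipv4(datagram: bytes) -> dict:
    """Return the IP header fields plus the demultiplexed payload."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # header length is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(datagram):
        raise ValueError("not a well-formed IPv4 datagram")
    return {
        "version": 4, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "header_checksum": hdr_csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": datagram[20:ihl],
        "payload": demultiplex(proto, datagram[ihl:total_len]),
    }


def demultiplex(proto: int, data: bytes) -> dict:
    """The protocol field picks the next header; that header's ports pick the application."""
    if proto == 6:                                 # TCP
        (sport, dport, seq, ack, off_res, flags,
         window, csum, urg) = struct.unpack("!HHIIBBHHH", data[:20])
        doff = (off_res >> 4) * 4                  # data offset, in 32-bit words
        return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": [name for bit, name in TCP_FLAGS if flags & bit],
                "window": window, "options": data[20:doff], "data": data[doff:]}
    if proto == 17:                                # UDP
        sport, dport, length, csum = struct.unpack("!HHHH", data[:8])
        return {"sport": sport, "dport": dport, "data": data[8:length]}
    if proto == 1:                                 # ICMP
        mtype, code, csum = struct.unpack("!BBH", data[:4])
        return {"type": mtype, "code": code, "rest": data[4:]}
    return {"raw": data}


# Constructed sample: version 4, IHL 5, TOS 0, total length 40, ID 0xabcd,
# DF set, TTL 64, protocol 6 (TCP), checksum left 0, then a 20-byte SYN.
SAMPLE_SYN = (
    bytes([0x45, 0x00, 0x00, 0x28, 0xAB, 0xCD, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00])
    + bytes([10, 0, 0, 5]) + bytes([10, 0, 0, 1])
    + struct.pack("!HHIIBBHHH", 40000, 80, 0xD3B709A4, 0, 5 << 4, 0x02, 8192, 0, 0)
)

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE_SYN))
```

Note that the header length, fragment offset and TCP data offset are all stored in units larger than a byte, which is why each is multiplied before being used as a slice index; getting one of these wrong is a classic parser bug.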

ICMP: Internet Control Message Protocol. ICMP is considered part of IP. It communicates error messages and other conditions that need attention back to the other end of a communication. ICMP messages are usually acted on either by IP itself or by the higher-level TCP or UDP protocol; some are passed up to the application (a port unreachable error, for example, is returned to the UDP application that sent the datagram).

[Figure: a sample ICMP message encapsulated within an IP datagram: the 20-byte IP header followed by the ICMP message.]

TCP: establishing a connection (the TCP three-way handshake)

To establish a connection TCP uses a procedure called the three-way handshake. Before any data flows, HOST A sends HOST B a short sequence of packets that either leads to an established connection or is refused:

[HOST A] sends a SYN packet to the destination port ("hello HOST B"), carrying A's initial sequence number.

[HOST B] either a) acknowledges it with a SYN-ACK (acknowledging A's sequence number plus one and supplying B's own initial sequence number) if something is listening on that port, or b) refuses it with an RST-ACK if the port is closed, which ends the attempt.

[HOST A] receives the SYN-ACK and sends back an ACK packet acknowledging B's sequence number plus one.

[HOST B] receives the ACK from the client, and the connection is established.

CONNECTION ESTABLISHED [HOST A - HOST B] ACKNOWLEDGED
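The exchange above with its sequence and acknowledgement numbers filled in, as an added example (not code from the original paper): HOST A and HOST B are modelled as two small objects that exchange segments, and the closed-port case returns the RST-ACK described under b). The initial sequence numbers are constructed constants; a real stack picks them randomly inside the kernel.

```python
# Added example (not from the original paper): a model of the three-way
# handshake with sequence and acknowledgement numbers, including the RST/ACK
# answer a closed port gives. Initial sequence numbers are constructed
# constants; a real stack chooses them randomly inside the kernel.
from dataclasses import dataclass, field


@dataclass
class Segment:
    flags: str            # "S", "SA", "A", "RA" or "R"
    seq: int
    ack: int = 0


@dataclass
class HostB:
    """Server side: a listening port answers SYN with SYN/ACK, a closed one with RST/ACK."""
    listening: set
    isn: int
    established: dict = field(default_factory=dict)

    def receive(self, port: int, seg: Segment):
        if seg.flags == "S":                               # step 1 arrives
            if port not in self.listening:
                return Segment("RA", seq=0, ack=seg.seq + 1)      # refuse: closed port
            return Segment("SA", seq=self.isn, ack=seg.seq + 1)   # a SYN consumes one seq
        if seg.flags == "A" and seg.ack == self.isn + 1:   # step 3: our SYN acknowledged
            self.established[port] = True
            return None
        return Segment("R", seq=seg.ack)                   # anything unexpected


@dataclass
class HostA:
    """Client side."""
    isn: int

    def connect(self, b: HostB, port: int):
        syn = Segment("S", seq=self.isn)                   # step 1: SYN
        reply = b.receive(port, syn)                       # step 2: SYN/ACK or RST/ACK
        if "R" in reply.flags:
            return "refused", [syn, reply]
        if reply.flags == "SA" and reply.ack == self.isn + 1:
            ack = Segment("A", seq=self.isn + 1, ack=reply.seq + 1)   # step 3: ACK
            b.receive(port, ack)
            return "established", [syn, reply, ack]
        return "bad handshake", [syn, reply]


if __name__ == "__main__":
    b = HostB(listening={80}, isn=1000)
    for port in (80, 81):
        state, trace = HostA(isn=500).connect(b, port)
        print(port, state, [(s.flags, s.seq, s.ack) for s in trace])
```

The detail worth noticing is that each SYN consumes one sequence number, so the acknowledgement in each direction is the peer's initial sequence number plus one; a scanner that forges SYNs only ever sees the first two steps of this exchange.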

Network Exploitation: Advanced Methodologies of Network Enumeration and Exploitation (Breaking Through Firewall Security)

1. Remote Host Fingerprinting and hping Firewalking

Methodology: this method probes a firewalled host with half-open (SYN) packets, sending only the first packet of the handshake instead of completing a connection:

[HOST A] sends a SYN packet to the port of interest to draw a response from the destination.

[HOST B] replies with SYN/ACK if the port is open or RST/ACK if it is closed, which tells us the state of that particular port. A firewall that logs or inspects only completed connections can miss these half-open probes, which is why SYN scanning is preferred over the normal connect() method of port scanning. If nothing comes back at all, the probe was most likely filtered.

2. Normal port knocking scenario (nmap)

nmap -P0 -p <port> <host>

Normal responses: open or closed (indicating whether the port is open or closed). Scan type: SYN scan. A response of "filtered" indicates that the host is probably firewalled and protected against this kind of probe: we know that a closed port answers with RST, so when neither SYN/ACK nor RST comes back the normal behaviour of the TCP/IP handshake has been interrupted by a filter.

hping -S -p <port> -c 2 <ip>
len=40 ip= ttl=180 id=40491 sport=50 flags=RA
RA (RST/ACK) indicates that our port is closed.

Scenario 3: 100% packet loss (hping)

hping -S -p 50 -c 10 LIFE1
10 SYN packets transmitted, 0 packets received.

[Diagram: 10 SYN packets sent; all blocked by the firewall; nothing comes back.]

Our SYN packets are being filtered by the firewall on the target infrastructure, so we should switch to a different method of enumeration that may not be filtered.

Scenario 4 (in case scenario 3 fails): FIN scanning methodology

Firewall enumeration:

hping -F -p 50 LIFE1

flags=RA: an RST came back. Our SYN packets were being filtered, but a FIN packet passed through the firewall and reached the TCP stack. RFC 793 says a closed port answers an unsolicited FIN with RST, so this tells us the port is closed but not filtered. If there is no response, the port is either open (an open port silently ignores a lone FIN) or filtered; a FIN scan cannot tell these two apart, which is why scanners report such ports as open|filtered.

hping -S -p 80 -c 2 <ip>
-S    send SYN packets
-p    destination port number
-c 2  number of packets to send
Possible responses: flags=RA (closed), flags=SA (open).

hping -S -p ++80 <ip>
++ increments the destination port by one for every packet sent, so a range of ports can be walked in a single run. Possible responses as above. Note: if no replies come back at all, the ports are firewalled.

UDP Scanning and Enumeration

A. Normal UDP scan

POSSIBLE STATE: OPEN|FILTERED. This result means that the scanner failed to determine the state: an open UDP port normally returns nothing, and so does a filtered one.

hping -2 -p ++50 <host>

We can also run a second UNIX networking tool to capture the responses, this time sending a payload with hping:

# tcpdump   (promiscuous mode, to see the replies)
# hping -2 -p ++50 -d 120 -E file.txt <host>   (file.txt contains 120 bytes of junk data)

Illustration 1.a: len=46 ip= ttl=49 id=37187 seq=3 rtt=531.0ms

Possible responses: an ICMP port unreachable reply means the datagram reached the host and the port is closed; a rejecting firewall can produce the same message (the iptables REJECT target defaults to icmp-port-unreachable), so the two cases cannot be told apart from the reply alone. Other ICMP unreachable codes (for example code 13, administratively prohibited) mean the port is filtered, and silence means open or filtered.

5. Network Enumeration (ping sweeping through ICMP)

System information about a target infrastructure can be gathered using the following ICMP message types:

Message Type 8 - Echo Request and Message Type 0 - Echo Reply: the packets used by the ping networking tool.

Message Type 3 - Destination Unreachable: generated by a router, by the destination host, or by its firewall or proxy to inform the sender that the destination is not reachable. A destination unreachable message may be generated as a result of a TCP, UDP or ICMP transmission. Note that unreachable TCP ports respond with a TCP RST rather than a destination unreachable code 3 as might be expected; only UDP produces port unreachable.

Code  Description
0     Network unreachable.
1     Host unreachable.
2     Protocol unreachable (the designated transport protocol is not supported).
3     Port unreachable (the designated protocol is unable to inform the host of the incoming message).
4     Fragmentation needed: the datagram is too big and the 'don't fragment' (DF) flag is set.
5     Source route failed.
6     Destination network unknown.
7     Destination host unknown.
8     Source host isolated (military use only).
9     The destination network is administratively prohibited.
10    The destination host is administratively prohibited.
11    The network is unreachable for the type of service.
12    The host is unreachable for the type of service.
13    Communication administratively prohibited (administrative filtering prevents the packet from being delivered).
14    Host precedence violation (the requested precedence is not permitted for the combination of host or network and port).
15    Precedence cutoff in effect (the precedence of the datagram is below the level set by the network administrators).

For a code 4 error the next-hop MTU field (bits 48 to 63 of the message) contains the MTU of the next-hop network (RFC 1191). Every destination unreachable message also carries the IP header and the first 8 bytes of the datagram that caused it, from bit 64 onward, so that the sender can match the error to the request, and hence the port and application, it belongs to.

Message Type 4 - Source Quench. A source quench is an ICMP message that asks the sender to decrease the rate at which it sends to a router or host. It may be generated when the router or host does not have sufficient buffer space to process the request, or when its buffers are approaching their limit. (Routers should no longer originate it, per RFC 1812, and modern stacks ignore it.)

Message Type 5 - Redirect
Code  Description
0     Redirect for the network.
1     Redirect for the host.
2     Redirect for the type of service and network.
3     Redirect for the type of service and host.

ICMP type 5 carries a redirect message telling a host to send its data packets for a destination by an alternative route. It is the mechanism by which routers convey routing information to hosts; a host that accepts redirects from anyone can have its traffic diverted, which is why they are commonly ignored or filtered.

Message Type 11 - Time Exceeded. Sent by a router when a datagram's time to live reaches zero, and also by a host if it fails to reassemble a fragmented datagram within its time limit. Type is set to 11; the code, which specifies the reason for the message, is one of:

Code  Description
0     Time-to-live exceeded in transit.
1     Fragment reassembly time exceeded.

Message Type 12 – Parameter Problem Ref: RFC 792, page 9: If the gateway or host processing a datagram finds a problem with the header parameters such that it cannot complete processing the datagram it must discard the datagram. One potential source of such a problem is with incorrect arguments in an option. The gateway or host may also notify the source host via the parameter problem message. This message is only sent if the error caused the datagram to be discarded. The pointer identifies the octet of the original datagram's header where the error was detected (it may be in the middle of an option). For example, 1 indicates something is wrong with the Type of Service, and (if there are options present) 20 indicates something is wrong with the type code of the first option. Code 0 may be received from a gateway or a host.

Message Type 13 - Timestamp Request: asks the remote host or inbound gateway for its clock, from which its time zone can be inferred. Message Type 14 - Timestamp Reply: the reply to a timestamp request. It carries the originate timestamp sent by the requester, plus a receive timestamp and a transmit timestamp, each expressed as milliseconds since midnight UTC. Message Type 15 - Information Request. RFC 792, page 19: This message may be sent with the source network in the IP header source and destination address fields zero (which means "this" network). The replying IP module should send the reply with the addresses fully specified. This message is a way for a host to find out the number of the network it is on. The identifier and sequence number may be used by the echo sender to aid in matching the replies with the requests. For example, the identifier might be used like a port in TCP or UDP to identify a session, and the sequence number might be incremented on each request sent. The destination returns these same values in the reply.

Code 0 may be received from a gateway or a host.

Message Type 16 – Information Reply RFC 1812, page 59: The Information Request/Reply pair was intended to support self-configuring systems such as diskless workstations, to allow them to discover their IP network prefixes at boot time. However, these messages are now obsolete. The RARP and BOOTP protocols provide better mechanisms for a host to discover its own IP address.

ICMP enumeration tool. Resource: icmpenum. Syntax: icmpenum -s <address> (send the probes with a spoofed source address).

6. Network Exploitation Tactics: Infrastructure Mapping

1. The time zone a system is in can be found with an ICMP type 13 timestamp request: the reply gives the remote clock in milliseconds since midnight UTC, and comparing it with our own clock reveals the offset.
2. The netmask of a particular device can be found with an ICMP type 17 address mask request; from the masks of several devices all the subnets in use within the infrastructure can be worked out.

Resource: icmpquery.

Syntax:
(1) Query a router's time:
icmpquery -t <host>
Response: :11:36:19

(2) Query its address mask:
icmpquery -m <host>
Response: :0xffffffe0   (a /27, 30 usable host addresses)
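The two queries above, built and decoded by hand as an added example (this is not icmpquery's code and not from the original paper): the block assembles ICMP type 13 and type 17 requests with a correct RFC 1071 checksum, decodes type 14 and type 18 replies into a readable clock, a time-zone estimate and a prefix length, and includes a raw-socket sender for use on a real host. The reply bytes it decodes are constructed here, not captured; the identifiers and addresses are assumptions.

```python
# Added example (not from the original paper): build the ICMP Timestamp
# (type 13) and Address Mask (type 17) requests that icmpquery -t / -m send,
# and decode the matching replies (types 14 and 18). The reply bytes used
# below are constructed, not captured; send_query() needs a raw socket
# (root) and is provided for use on a real host but is not run here.
import datetime
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (IP, ICMP, TCP, UDP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(now=None) -> int:
    """ICMP timestamps are milliseconds since midnight UTC (RFC 792)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((now - midnight).total_seconds() * 1000)


def icmp_message(mtype: int, ident: int, seq: int, body: bytes) -> bytes:
    """Type, code 0, checksum, identifier, sequence, then the type-specific body."""
    header = struct.pack("!BBHHH", mtype, 0, 0, ident, seq)
    csum = inet_checksum(header + body)
    return struct.pack("!BBHHH", mtype, 0, csum, ident, seq) + body


def timestamp_request(ident=0x1234, seq=1, originate=None) -> bytes:
    orig = ms_since_midnight_utc() if originate is None else originate
    return icmp_message(13, ident, seq, struct.pack("!III", orig, 0, 0))


def mask_request(ident=0x1234, seq=1) -> bytes:
    return icmp_message(17, ident, seq, struct.pack("!I", 0))


def parse_reply(msg: bytes, local_ms=None) -> dict:
    """Decode a type 14 or 18 reply; local_ms is our own clock for the tz estimate."""
    mtype, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if inet_checksum(msg) != 0:                # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    out = {"type": mtype, "id": ident, "seq": seq}
    if mtype == 14:                            # timestamp reply
        orig, recv, xmit = struct.unpack("!III", msg[8:20])
        out["remote_clock"] = str(datetime.timedelta(milliseconds=recv))[:8]
        if local_ms is not None:               # remote clock minus ours, whole hours
            out["tz_offset_hours"] = round((recv - local_ms) / 3_600_000)
    elif mtype == 18:                          # address mask reply
        (mask,) = struct.unpack("!I", msg[8:12])
        out["netmask"] = "0x%08x" % mask
        out["prefix_len"] = bin(mask).count("1")
        out["usable_hosts"] = (1 << (32 - out["prefix_len"])) - 2
    return out


def send_query(host: str, request: bytes, timeout=2.0) -> dict:
    """Send one ICMP query and decode the reply. Requires CAP_NET_RAW; not run here."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 0))
        data, _ = s.recvfrom(1024)
        ihl = (data[0] & 0x0F) * 4             # raw sockets hand back the IP header too
        return parse_reply(data[ihl:], local_ms=ms_since_midnight_utc())


# Constructed replies, shaped as a real host would return them (not captured).
SAMPLE_TIMESTAMP_REPLY = icmp_message(14, 0x1234, 1, struct.pack("!III", 100, 41779000, 41779000))
SAMPLE_MASK_REPLY = icmp_message(18, 0x1234, 1, struct.pack("!I", 0xFFFFFFE0))

if __name__ == "__main__":
    print(parse_reply(SAMPLE_TIMESTAMP_REPLY, local_ms=30979000))
    print(parse_reply(SAMPLE_MASK_REPLY))
```

Many hosts fill the timestamp with local rather than UTC time, which is precisely what makes the time-zone inference work; the mask reply turns a single value such as 0xffffffe0 into a /27, and collecting masks from several devices maps the subnetting of the infrastructure.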

Security: Access Control Lists (ACLs) for Firewalls

Security advice: allow only the ICMP messages the inside actually needs: inbound ICMP_ECHO_REPLY (so outbound ping works), HOST_UNREACHABLE and TIME_E
XCEEDED (so traceroute and error reporting work), and drop the rest, in particular inbound echo, timestamp and address mask requests, which are exactly what the enumeration above relies on. Do not block type 3 code 4 (fragmentation needed) along with the rest, or path MTU discovery breaks.

Overview of Network Scanning and Firewall Enumeration (IP implementations)

Under normal circumstances the packets described below are not sent to a network host in isolation; they occur as part of a conversation, providing information, delivery, establishment and connectivity between two hosts and the intermediate systems. A malicious attacker, however, can send them on their own and use the replies that the TCP/IP stack is required to give (and weaknesses in particular implementations) to enumerate the state and security of an infrastructure.

Other methods

FIN scanning: a lone FIN packet is sent to the target host. An RST reply means the port is closed; no reply means open or filtered.

TCP XMAS tree: a packet with the FIN, URG and PSH flags set is sent to the target infrastructure. An RST response indicates a closed port; open ports stay silent.

TCP NULL scan: a packet with all flags off is sent to the target host, which replies with an RST for every closed port and nothing for open ones.

TCP ACK scanning: an ACK packet is sent to the destination target host. This does not find open ports but maps the filter: an RST back means the port is unfiltered (the packet reached the host), whereas no reply means a filter, usually a stateful one, dropped it.

Windows and some other stacks do not follow RFC 793 here and answer FIN, NULL and XMAS probes with RST on open ports too, so against those systems these scans report every port as closed.

7. Remote Operating System Detection: Passive Stack Fingerprinting

Passive stack fingerprinting gathers characteristics of the packets a system sends (TTL, window size, DF bit, TCP options) and compares them against a database of known values to determine the operating system in use. No packets are sent to the target; you have to be able to see its traffic, for example by being on the same network segment, for this method to be effective.

# telnet <host>
01/08-11:23:48.29976 -> TCP TTL:225 TOS:0x0 ID:58943 DF **S***A*
Seq: 0xD3B709A4  Ack: 0xB309B2B7  Win: 0x2798
TCP Options => NOP NOP TS: 9688775 9682347 NOP WS: 0 MSS: 1460

Gathered information: TTL = 225, window size = 0x2798, DF = don't fragment bit set. A TTL of 225 means the packet started at 255 (the Solaris default) and crossed 30 hops to reach us.

# grep -i solaris osprints.conf
2328:255:1 Solaris 2.6 - 2.7
2238:255:1 Solaris 2.6 - 2.7
2400:255:1 Solaris 2.6 - 2.7
2798:255:1 Solaris 2.6 - 2.7

Each entry is window:initial TTL:DF. Running siphon against the captured traffic:

# siphon -v -i xl0 -o fingerprint_accumulation.txt

Operating system determined against siphon's fingerprints:
Host: (omitted)  Port: 23  TTL: 225  OS: Solaris 2.6 - 2.7
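The matching step above, as an added example (not siphon's code and not from the original paper): it parses a sniffer line like the one shown, recovers the window size, the DF bit and the sender's initial TTL (rounded up from the observed value to the nearest common default), and looks the triple up in a table in osprints.conf format. The table contains only the four Solaris lines quoted above; the sniffer line and its addresses are constructed for the example.

```python
# Added example (not siphon's own code, not from the original paper): parse a
# sniffer line for a SYN/ACK, recover the window size, the initial TTL and the
# DF bit, and look the triple up in a siphon-style osprints.conf table. The
# fingerprint table copies only the four Solaris lines shown above; the sniffer
# line and its addresses are constructed.
import re

# osprints.conf format: window(hex):initial_ttl:df  operating system
OSPRINTS = """\
# window:ttl:df  OS
2328:255:1 Solaris 2.6 - 2.7
2238:255:1 Solaris 2.6 - 2.7
2400:255:1 Solaris 2.6 - 2.7
2798:255:1 Solaris 2.6 - 2.7
"""

# Initial TTLs used by common stacks. An observed TTL is the initial value
# minus the hops traversed, so round up to the next default to recover it.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sniffer line in the format shown above (addresses made up).
SAMPLE_SNIFF = ("01/08-11:23:48.29976 192.0.2.10:23 -> 192.0.2.77:1031 "
                "TCP TTL:225 TOS:0x0 ID:58943 DF **S***A* "
                "Seq: 0xD3B709A4 Ack: 0xB309B2B7 Win: 0x2798 "
                "TCP Options => NOP NOP TS: 9688775 9682347 NOP WS: 0 MSS: 1460")


def initial_ttl(observed: int) -> int:
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError("TTL %d is not a valid IPv4 TTL" % observed)


def hop_distance(observed: int) -> int:
    """How many routers decremented the TTL on its way to us."""
    return initial_ttl(observed) - observed


def parse_sniff(line: str) -> dict:
    """Pull TTL, window, DF and the flag string out of a snort-style dump line."""
    ttl = int(re.search(r"TTL:(\d+)", line).group(1))
    win = int(re.search(r"WIN:\s*0x([0-9a-f]+)", line, re.I).group(1), 16)
    flags_match = re.search(r"\s([12UAPRSF*]{8})\s", line)
    return {"ttl": ttl, "window": win,
            "df": 1 if re.search(r"\bDF\b", line) else 0,
            "flags": flags_match.group(1) if flags_match else ""}


def load_osprints(text: str) -> dict:
    """Map (window, initial_ttl, df) -> set of OS names."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, os_name = line.split(None, 1)
        win, ttl, df = key.split(":")
        table.setdefault((int(win, 16), int(ttl), int(df)), set()).add(os_name.strip())
    return table


def fingerprint(line: str, osprints: str = OSPRINTS) -> dict:
    f = parse_sniff(line)
    key = (f["window"], initial_ttl(f["ttl"]), f["df"])
    matches = sorted(load_osprints(osprints).get(key, ()))
    return {"window": "0x%x" % f["window"], "initial_ttl": key[1],
            "hops": hop_distance(f["ttl"]), "df": f["df"], "flags": f["flags"],
            "os": matches or ["unknown"]}


if __name__ == "__main__":
    print(fingerprint(SAMPLE_SNIFF))
```

The TTL rounding is the step that makes passive matching work at all: the database stores the value the sender started with, while the sniffer only ever sees what is left after every router in between has decremented it.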

'Admin prohibited' filter. Suppose the remote system returns no SYN/ACK and no RST/ACK, but instead an ICMP type 3 code 13 (communication administratively prohibited) is received: that is a router or firewall ACL refusing the packet, a response that is oftentimes sent by a Cisco system. When an RST/ACK is received, either the operating system is telling us that the port is closed or the firewall has a REJECT rule in its ACL that answers with a reset; from the reply alone the two cases cannot be told apart.
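The probe-and-response logic of sections 1 through 4 (SYN, FIN and UDP probes), the "other methods" list (XMAS, NULL and ACK scans) and the admin-prohibited and REJECT cases just described, collected into one added example (not code from the original paper): a simulated RFC 793 stack behind a simulated packet filter, with a classifier that turns each reply into the state a scanner would report. The hosts, port states and filter rules are constructed; the filter's "reject" rule models iptables' REJECT defaults (tcp-reset for TCP, port-unreachable for UDP) and "reject-admin" models a Cisco-style administratively prohibited answer.

```python
# Added example (not from the original paper): a simulated target stack
# behind a simulated packet filter, showing what SYN, FIN, NULL, XMAS, ACK
# and UDP probes elicit and how a scanner turns the reply into a port state.
# The port states and filter rules are constructed, not a real host. Stack
# behaviour follows RFC 793 (a closed port resets everything; an open port
# answers SYN, resets a stray ACK and ignores FIN/NULL/XMAS); Windows-style
# stacks that reset FIN/NULL/XMAS on open ports are not modelled.

PROBE_FLAGS = {"SYN": "S", "FIN": "F", "NULL": "", "XMAS": "FPU", "ACK": "A", "UDP": None}


def stack_reply(port_state: str, probe: str):
    """Reply from an unfiltered port: TCP flag string, an ICMP 'type/code', or None."""
    flags = PROBE_FLAGS[probe]
    if flags is None:                                    # UDP datagram
        return None if port_state == "open" else "ICMP 3/3"   # port unreachable
    if port_state == "closed":
        # RFC 793: the RST carries ACK unless the offending segment had ACK set.
        return "R" if "A" in flags else "RA"
    if probe == "SYN":
        return "SA"
    if probe == "ACK":
        return "R"                                       # no such connection
    return None                                          # open port ignores FIN/NULL/XMAS


def filtered_reply(rule: str, port_state: str, probe: str):
    """Apply the firewall rule in front of the host, then the host's own stack."""
    if rule == "drop":                                   # silent discard
        return None
    if rule == "reject":                                 # iptables REJECT defaults
        return "ICMP 3/3" if probe == "UDP" else "R"     # port-unreachable / tcp-reset
    if rule == "reject-admin":                           # Cisco ACL style
        return "ICMP 3/13"
    return stack_reply(port_state, probe)                # "allow"


def classify(probe: str, reply) -> str:
    """The scanner's interpretation, using nmap's state names."""
    icmp = isinstance(reply, str) and reply.startswith("ICMP")
    if probe == "SYN":
        return {"SA": "open", "RA": "closed", "R": "closed"}.get(reply, "filtered")
    if probe in ("FIN", "NULL", "XMAS"):
        if reply in ("R", "RA"):
            return "closed"
        return "filtered" if icmp else "open|filtered"
    if probe == "ACK":
        return "unfiltered" if reply == "R" else "filtered"
    if probe == "UDP":
        if reply == "ICMP 3/3":
            return "closed"
        return "filtered" if icmp else "open|filtered"
    raise ValueError(probe)


def scan(ports: dict, rules: dict, probe: str) -> dict:
    """ports: {port: 'open'|'closed'}; rules: {port: rule}, default 'allow'."""
    return {p: classify(probe, filtered_reply(rules.get(p, "allow"), state, probe))
            for p, state in ports.items()}


# Constructed target: sshd and a web server listening, telnet and 443 closed,
# a proxy on 8080. The filter drops telnet probes, rejects 443 with a reset
# and administratively prohibits 8080.
PORTS = {22: "open", 23: "closed", 80: "open", 443: "closed", 8080: "open"}
RULES = {23: "drop", 443: "reject", 8080: "reject-admin"}

if __name__ == "__main__":
    for probe in PROBE_FLAGS:
        print(probe, scan(PORTS, RULES, probe))
```

Two results are worth comparing: the rejected port 443 looks "closed" to a SYN scan exactly as the text warns, and the dropped port 23 is indistinguishable from an open one to a FIN scan, which is why the FIN scan's no-reply case has to be reported as open|filtered.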

Scenario 10: Firewall enumeration through netcat, SNMP management and advanced firewalking

# nc -v -n <ip> 257
(UNKNOWN) [] 257 (?) open
31000000

A banner on TCP port 257 identifies a Check Point FireWall-1, and the number it returns is the firewall's serial number.

Firewalking scenario (discovering open ports behind a firewall). This method works by generating packets whose TTL is calculated to expire one hop past the firewall. The theory is that a packet the firewall lets through expires at the next hop, which returns an 'ICMP TTL exceeded in transit' message (type 11, code 0). If the packet is blocked, either no response is received or an ICMP type 3 code 13 (administratively prohibited) message comes back instead.

Resource: Firewalk is a reconnaissance tool designed for the enumeration of firewalls. It attempts to determine which protocols and ports the rules of a given firewall, in its current configuration, will allow through to internal hosts. Firewalk sends out TCP or UDP packets with a TTL one greater than the hop count of the targeted gateway/firewall. If the gateway allows the traffic, it forwards the packets to the next hop, where they expire and elicit an ICMP_TIME_EXCEEDED message. If it does not allow the traffic, it will most likely drop the packets with no response.

Options:
-d 1-65535        Initial destination port to use during the ramping phase.
-h                Program help.
-i interface_name Interface to use.
-n                Don't resolve IPs to hostnames.
-P 1-2000         Network writing pause, to keep firewalk from flooding the network.
-p TCP,UDP        Type of scan to perform.
-r                Strict RFC 793 compliance.
-S 1-65535,...    (default 1-130,139,1025) Ports to scan, as dash-delimited ranges separated by commas; omitting the terminating port number is shorthand for 65535.
-s 1-65535        (default 53) Source port for the scan (both phases).
-T 1-2000         (default 2) Network packet reading timeout.
-t 1-25           (default 1) Initial IP TTL. If the target gateway is known to be n hops from the source host, the TTL can be preloaded for a faster scan.
-v                Dump program version and exit.
-x                Expire vector (default 1): the number of hops past the gateway at which the scanning probes expire. The binding hop count is the gateway's hop count plus the expire vector.

# firewalk -p tcp -S 135-140 <gateway> <host behind it>

A firewall cannot simply block the ICMP 'TTL exceeded' messages that make this technique work: if it did, its own users would lose traceroute and the error reports that tell them what happened to their connections. What it can do is drop inbound probes it does not want forwarded at all, so that nothing beyond the gateway ever answers them.
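The firewalking procedure above, both the ramping phase and the scanning phase, as an added example (not firewalk's code and not from the original paper): a model of a four-hop path with the firewall at hop 3 and a small ACL, in which each probe is walked hop by hop so that the effect of the TTL and of the expire vector can be seen. The path addresses, the ACL and the ports are constructed; one simplification is stated as an assumption in the code, namely that a hop whose TTL decrement reaches zero answers with time exceeded before any filtering applies, which is what firewalk's ramping phase relies on.

```python
# Added example (not firewalk's own code, not from the original paper): a
# model of the firewalking technique over a constructed path of four hops
# with the firewall at hop 3. The ACL, addresses and ports are made up.
# Assumption stated as such: a hop whose TTL decrement reaches zero answers
# with ICMP time exceeded before any filtering is applied, which is what the
# ramping phase relies on.

PATH = ["192.0.2.1", "192.0.2.2", "203.0.113.1", "10.0.0.10"]   # hop 1 .. hop 4
FW_HOP = 3                                                        # 203.0.113.1
# The firewall's ACL: what it forwards to the inside (everything else is dropped).
ACL = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def send_probe(path, fw_hop, acl, proto, port, ttl):
    """Walk one probe hop by hop; return (reply, replying_hop_ip)."""
    for hop_no, hop_ip in enumerate(path, start=1):
        ttl -= 1                                    # every router decrements the TTL
        if ttl == 0:
            return "ICMP 11/0", hop_ip              # time exceeded in transit
        if hop_no == fw_hop and (proto, port) not in acl:
            return None, None                       # silently dropped by the filter
    return "delivered", path[-1]                    # TTL outlived the path


def ramp(path, fw_hop, acl, proto, port, max_ttl=30, preload=1):
    """Ramping phase: raise the TTL until the gateway itself answers (-t preloads it)."""
    for ttl in range(preload, max_ttl + 1):
        reply, src = send_probe(path, fw_hop, acl, proto, port, ttl)
        if reply == "ICMP 11/0" and src == path[fw_hop - 1]:
            return ttl
    raise RuntimeError("gateway never answered; is it really on the path?")


def firewalk(path, fw_hop, acl, proto, ports, ramp_port=53, expire_vector=1):
    """Scanning phase: probe each port with TTL = gateway hops + expire vector."""
    gw_ttl = ramp(path, fw_hop, acl, proto, ramp_port)
    binding_ttl = gw_ttl + expire_vector
    results = {}
    for port in ports:
        reply, src = send_probe(path, fw_hop, acl, proto, port, binding_ttl)
        # Only a time-exceeded from *beyond* the gateway proves the packet passed.
        passed = reply == "ICMP 11/0" and src != path[fw_hop - 1]
        results[port] = "A! (passes the filter)" if passed else "*no response* (filtered)"
    return {"gateway_ttl": gw_ttl, "binding_ttl": binding_ttl, "ports": results}


if __name__ == "__main__":
    print(firewalk(PATH, FW_HOP, ACL, "tcp", [22, 80, 443, 8080]))
```

The ramping probe expires at the firewall itself and so is answered whatever the ACL says; only the scanning probes, whose TTL is one larger, are subject to the rules, and the source address of the time-exceeded reply is what distinguishes "passed and expired on the inside host" from "expired at the gateway".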

