Under normal circumstances, the next packet would be an ACK from the host that sent the initial SYN. However, in this case, our attacker doesn't want to complete the connection and doesn't send a response. As a result, the target retransmits the SYN/ACK three more times before giving up. Since a SYN/ACK response is received when attempting to communicate with the host on port 53, it's safe to assume that a service is listening on that port. Let's rinse and repeat this process one more time for packet 13. This is a SYN packet sent to port 113, which is commonly associated with the Ident protocol, often used for IRC identification and authentication services. If you apply the same type of filter to the port listed in this packet, you will see four packets, as shown in Figure 12-5.

Figure 12-5: A SYN followed by an RST, indicating the port is closed
262 Chapter 12

The first packet is the initial SYN, which is followed immediately by an RST from the target. This is an indication that the target is not accepting connections on the targeted port and that a service is most likely not running on it.

Identifying Open and Closed Ports

Now that you understand the different types of responses a SYN scan can elicit, you'll want to find a fast method of identifying which ports are open or closed. The answer lies within the Conversations window once again. In this window, you can sort the TCP conversations by packet number, with the highest values at the top, by clicking the Packets column header until the arrow points downward, as shown in Figure 12-6.

Figure 12-6: Finding open ports with the Conversations window

Three scanned ports include five packets in each of their conversations ❶. We know that ports 53, 80, and 22 are open, because these five packets represent the initial SYN, the corresponding SYN/ACK, and the retransmitted SYN/ACKs from the target. For five ports, only two packets were involved in the communication ❷. The first is the initial SYN, and the second is the RST from the target. These results indicate that ports 113, 25, 31337, 113, and 70 are closed. The remaining entries in the Conversations window include only one packet, meaning that the target host never responded to the initial SYN. These remaining ports are most likely closed, but we're not sure.

This technique of counting packets worked for this host, but it won't be consistent for all hosts you might scan, so you shouldn't rely on it exclusively. Instead, focus on learning what normal stimulus and response looks like and what abnormal responses to normal stimuli can mean.
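The Conversations-window logic above can be automated for a capture you are reviewing on the defending side. The following is an added example, not code from the book: it groups packets into per-port conversations and classifies each port by the flags the target sent back (SYN/ACK, RST, or nothing) rather than by raw packet count, and it goes slightly beyond the text by showing a host that retransmits its SYN/ACK only once. The packets, addresses and the `classify_scan` helper are constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample capture (RFC 5737 documentation addresses, not the
# book's pcap). Tuples are (src, sport, dst, dport, flags), with flags in
# Wireshark-style letters: S=SYN, SA=SYN/ACK, R=RST, RA=RST/ACK.
SCANNER, TARGET = "192.0.2.10", "198.51.100.5"
SAMPLE_PACKETS = [
    # port 53: SYN, SYN/ACK, then three retransmitted SYN/ACKs -> 5 packets
    (SCANNER, 36050, TARGET, 53, "S"),
    (TARGET, 53, SCANNER, 36050, "SA"),
    (TARGET, 53, SCANNER, 36050, "SA"),
    (TARGET, 53, SCANNER, 36050, "SA"),
    (TARGET, 53, SCANNER, 36050, "SA"),
    # port 113: SYN answered by RST/ACK -> 2 packets
    (SCANNER, 36050, TARGET, 113, "S"),
    (TARGET, 113, SCANNER, 36050, "RA"),
    # port 31337: SYN never answered -> 1 packet
    (SCANNER, 36050, TARGET, 31337, "S"),
    # port 22: open, but this host retransmits SYN/ACK only once -> 3 packets,
    # so counting packets alone would misjudge it; the flags do not
    (SCANNER, 36050, TARGET, 22, "S"),
    (TARGET, 22, SCANNER, 36050, "SA"),
    (TARGET, 22, SCANNER, 36050, "SA"),
]


def classify_scan(packets, scanner, target):
    """Return {probed_port: (verdict, packet_count)} for one scanner/target pair.

    Verdict is decided by what the target replied, mirroring the text:
    SYN/ACK -> open, RST -> closed, no reply -> "no response" (filtered or
    dropped; the text notes these are probably closed but cannot be sure).
    """
    conversations = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        if src == scanner and dst == target and flags == "S":
            conversations[dport].append(("scanner", flags))
        elif src == target and dst == scanner:
            conversations[sport].append(("target", flags))  # key on target's port
    results = {}
    for port, pkts in conversations.items():
        replies = {flags for who, flags in pkts if who == "target"}
        if "SA" in replies:
            verdict = "open"
        elif replies & {"R", "RA"}:
            verdict = "closed"
        else:
            verdict = "no response"
        results[port] = (verdict, len(pkts))
    return results
```

Sorting the returned dictionary by packet count reproduces the Conversations-window view; sorting by verdict is the more reliable summary, since retransmission counts differ between hosts.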
Packet Analysis for Security 263

Operating System Fingerprinting

An attacker puts a great deal of value on knowing the target's operating system. Knowledge of the operating system helps the attacker configure all their methods of attack correctly for that system. It also allows the attacker to know the location of certain critical files and directories within the target file system, should they succeed in accessing the system.