12. Detecting a PING Sweep Attempt

A ping sweep scan helps attackers discover the active systems in the network. It involves sending multiple ICMP, TCP, or UDP ECHO requests to target ports and then analyzing the ECHO reply obtained from the port. In an ICMP ping sweep, the attacker sends an ICMP type 8 ECHO request and analyzes the ICMP type 0 ECHO reply. To detect an ICMP ping sweep, find the ICMP type 8 ECHO requests and the ICMP type 0 ECHO replies in the network traffic. It is recommended that a filter is used to accomplish this task. Use the filter icmp.type==8 or icmp.type==0 to detect an ICMP ping sweep attempt.

In a TCP/UDP ping sweep, an attacker sends an ECHO request packet to TCP/UDP port 7. To detect a TCP/UDP ping sweep attempt, find the TCP ECHO request packets going to port 7 and the UDP ECHO request packets going to port 7 in the network traffic. Use the filter tcp.dstport==7 to detect TCP ping sweep attempts and udp.dstport==7 to detect UDP ping sweep attempts. If the target port does not support an ECHO reply, then this technique will not work.

[Figure: Wireshark capture of ICMP Echo (ping) requests and replies between 192.168.0.54 and 192.168.0.55; selected packet shows Type: 8 (Echo (ping) request), Code: 0]
13. Detecting an ARP Sweep/ARP Scan Attempt

Similar to a ping sweep scan, an attacker also uses an ARP sweep/ARP scan to locate active IPs in the network. Attackers use this method when a firewall is implemented between them and the target network; if a firewall is implemented in the network, the ping sweep method will not work. In an ARP sweep, an attacker broadcasts ARP packets to all the hosts in the selected subnet and waits for a response. An ARP response from a specific host indicates that the host is live.

ARP communication cannot be disabled to restrict ARP sweep attempts on the network, as all TCP/IP communication is based on it; disabling ARP would also break TCP communication. However, administrators can easily monitor and detect this type of attempt using an ARP filter in Wireshark. An unexpected number of broadcast ARP requests indicates an ARP sweep attempt on the network.
[Figure 11.17: Detecting an ARP Sweep/ARP Scan Attempt (a run of broadcast ARP requests "Who has 192.168.0.194? Tell 192.168.0.54" through 192.168.0.209, all from CadmusCo_09:ef:ce)]

14. Detecting TCP Half-Open/Stealth Scan Attempts

The attacker uses a TCP half-open/stealth scan to detect open or closed TCP ports on the target system. It involves sending a SYN packet to the target port, exactly like normal TCP communication, and waiting for the response. A SYN+ACK packet in response indicates that the target port is open. A RST or RST+ACK packet in response indicates that the port is closed.
If the target port is behind a firewall, the attacker will receive an ICMP type 3 packet with code 1, 2, 3, 9, 10, or 13 in response. The TCP half-open connection can act as an open gate for attackers to get into the network, so it is necessary for administrators to detect TCP half-open connections. Too many RST packets or ICMP type 3 response packets in Wireshark can be a sign of a TCP half-open/stealth scan attempt on the network. A stealth scan or TCP full-connect scan attempt is recognized if there is a large number of RST or ICMP type 3 packets.

* Go to Statistics -> Conversations and click on the TCP tab to view and analyze multiple TCP sessions.
  - If a conversation consists of fewer than 4 packets, it is a sign of a TCP port scan on the network.

[Figure 11.18: Detecting TCP Half-Open/Stealth Scan - 1 (Frame 43, 58 bytes on wire, 192.168.0.93 to 192.168.0.177)]

[Figure 11.19: Detecting TCP Half-Open/Stealth Scan - 2 (filter tcp.flags.syn==1 and tcp.flags.ack==1; [SYN, ACK] replies from 192.168.0.93 ports 445, 23, 135, 139 and 49152-49158 to port 34489 on 192.168.0.177)]
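The indicators from sections 12 to 14 (many ICMP type 8 requests from one source, a run of broadcast ARP requests from one MAC, SYN-only probes to many ports, and TCP conversations of fewer than 4 packets) as an added Python example that is not part of the original page; the packet summaries are constructed to resemble a tshark export, and the field names, threshold and helper functions are my own assumptions.

```python
from collections import Counter, defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"

def sweep_sources(packets, threshold=8):
    """Distinct targets per (source, probe kind): ICMP type 8 echo requests
    (ping sweep), broadcast ARP who-has (ARP sweep) and SYN-only TCP segments,
    tcp.flags==0x002 (half-open scan). Returns the pairs at or above threshold."""
    targets = defaultdict(set)
    for p in packets:
        if p["proto"] == "icmp" and p["type"] == 8:
            targets[(p["src"], "ping-sweep")].add(p["dst"])
        elif p["proto"] == "arp" and p["dst"] == BCAST:
            targets[(p["src"], "arp-sweep")].add(p["target"])
        elif p["proto"] == "tcp" and p["flags"] == 0x002:
            targets[(p["src"], "syn-scan")].add((p["dst"], p["dport"]))
    return {k: len(v) for k, v in targets.items() if len(v) >= threshold}

def short_tcp_conversations(packets, max_packets=3):
    """The page's Statistics -> Conversations check: a TCP conversation with fewer
    than 4 packets (SYN, SYN/ACK, RST and nothing else) points to a port scan."""
    conv = Counter()
    for p in packets:
        if p["proto"] == "tcp":
            conv[frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])] += 1
    return sorted((tuple(sorted(k)), n) for k, n in conv.items() if n <= max_packets)

def icmp(src, dst, icmp_type):
    return {"proto": "icmp", "src": src, "dst": dst, "type": icmp_type}

def tcp(src, sport, dst, dport, flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

# Constructed sample traffic (not the page's captures): .54 pings twelve hosts,
# one MAC broadcasts ARP who-has for a run of addresses, and scanner .177 sends
# one SYN per port to .93 from source port 34489; open ports answer SYN/ACK and
# get a RST back, closed ports answer RST/ACK.
SAMPLE = [icmp("192.168.0.54", f"192.168.0.{h}", 8) for h in range(60, 72)]
SAMPLE += [{"proto": "arp", "src": "08:00:27:09:ef:ce", "dst": BCAST,
            "target": f"192.168.0.{h}"} for h in range(194, 210)]
for port in (22, 23, 80, 135, 139, 443, 445, 3389, 8080, 8443):
    SAMPLE.append(tcp("192.168.0.177", 34489, "192.168.0.93", port, 0x002))
    if port in (23, 135, 139, 445):
        SAMPLE.append(tcp("192.168.0.93", port, "192.168.0.177", 34489, 0x012))
        SAMPLE.append(tcp("192.168.0.177", 34489, "192.168.0.93", port, 0x004))
    else:
        SAMPLE.append(tcp("192.168.0.93", port, "192.168.0.177", 34489, 0x014))
```

Run it on a real export (tshark -T fields) by mapping the columns onto the same dictionary keys; the threshold is a starting point, not a tuned value.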
[Figure 11.20: Detecting TCP Half-Open/Stealth Scan - 3 (filter on tcp.flags.reset==1 and 192.168.0.177; Header Length: 20 bytes, Window size value: 0)]

15. Detecting a TCP Full-Connect Scan Attempt

A TCP full-connect scan, or TCP connect scan, is the default scan that establishes a complete three-way handshake connection. A successful three-way handshake means that the port is open. To perform a TCP full-connect scan, the attacker sends a SYN probe packet to the target port. If the port is open, the attacker receives a SYN/ACK packet in response, which indicates that the target port is open. The attacker completes the handshake by sending an ACK and then sends a RST to terminate the session. If the port is closed, the attacker receives a RST/ACK in response. If the target port is behind a firewall, the attacker receives an ICMP type 3 packet with code 1, 2, 3, 9, 10, or 13 in response. As a full TCP connection is established on the network, it is easy for an administrator to detect a TCP full-connect scan attempt with the help of Wireshark.
The following filters are used to detect a TCP full-connect scan attempt:

* Apply the filter for SYN, SYN+ACK, and RST+ACK packets:
  tcp.flags==0x002 or tcp.flags==0x012 or tcp.flags==0x004 or tcp.flags==0x014
* Apply the filter for ICMP type 3 packets:
  icmp.type==3 and (icmp.code==1 or icmp.code==2 or icmp.code==3 or icmp.code==9 or icmp.code==10 or icmp.code==13)
* To check SYN+ACK, RST, and RST+ACK packets along with ICMP type 3 packets:
  tcp.flags==0x002 or tcp.flags==0x012 or tcp.flags==0x004 or tcp.flags==0x014 or (icmp.type==3 and (icmp.code==1 or icmp.code==2 or icmp.code==3 or icmp.code==9 or icmp.code==10 or icmp.code==13))

[Figure 11.21: Detecting TCP Full-Connect Scan - SYN]

[Figure 11.22: Detecting TCP Full-Connect Scan - SYN+ACK (filter tcp.flags.syn==1 and tcp.flags.ack==1 and ip.src==192.168.0.93; Frame 111, 66 bytes on wire, 192.168.0.93 port 445 to 192.168.0.177 port 5406)]
[Figure 11.23: Detecting TCP Full-Connect Scan - RST+ACK (packets from 192.168.0.177 port 5406 to 192.168.0.93 port 445)]

16. Detecting a TCP Null Scan Attempt

A TCP null scan helps attackers identify the listening ports in the network. A TCP null scan is a series of TCP scan packets containing a sequence number of 0 and no flags set. Since the null scan does not contain any set flags, it can pass through a router or firewall that filters incoming packets with particular flags set. In a TCP null scan, the attacker sends a TCP packet to the target port. If the port is closed, the attacker receives a RST flag. If the port is open, the port does not respond because no flags were sent with the packet. A TCP null scan sets all the TCP flags (ACK, FIN, RST, SYN, URG, and PSH) to NULL. By applying the filter tcp.flags==0x000 in Wireshark, administrators can detect a TCP null scan on UNIX servers. A TCP null scan does not work against Windows.

[Figure 11.24: Detecting TCP Null Scan Attempt (packets from source ports 37853 and 37854 to 192.168.0.54 with an empty flag set, shown as [])]

17. Detecting a TCP Xmas Scan Attempt

In a TCP Xmas scan, attackers scan the entire network and look for the machines that are up and running. It also scans for the services running on those machines. The Xmas scan involves sending packets with the URG, PSH, ACK, and FIN flags set. If the port is closed, the attacker receives a RST flag. If the port is open, the port does not respond, as there are no flags sent with the packet.
A TCP Xmas scan can pass through firewall and ACL filters. An ACL filter blocks ports with the help of SYN packets; however, the FIN and ACK packets bypass this security. FIN scans do not work on many operating systems. Operating systems like Microsoft Windows send a RST flag in response to any malformed TCP segment, which makes it difficult for the attacker to distinguish between open and closed ports. Apply the filter tcp.flags==0x029 in Wireshark to detect a TCP Xmas scan attempt.

[Figure 11.25: Detecting TCP Xmas Scan Attempt (packet from port 51514 with Flags: 0x029 (FIN, PSH, URG), TCP Segment Len: 0, Header Length: 20 bytes)]

18. Detecting a SYN/FIN DDoS Attempt

In a SYN attack, the attacker sends a succession of SYN requests to a target system in order to make the system unavailable to legitimate users. It exploits a known weakness in the TCP connection. Typical TCP communication (the TCP three-way handshake) works as follows:

1. The client sends a SYN packet to request a connection.
2. The server responds with SYN-ACK.
3. The client then responds with an ACK to establish the connection.

The SYN flood attack is initiated by not responding to the server with the expected ACK in the last step of the TCP communication. The server waits for the acknowledgement, causing network congestion problems. The SYN flag establishes a connection and the FIN flag terminates the connection. In a SYN/FIN DDoS attempt, the attacker floods the network with packets that have both the SYN and FIN flags set. In typical TCP communication, SYN and FIN are never set simultaneously. If an administrator detects traffic with both the SYN and FIN flags set, it is a sign of a SYN/FIN DDoS attempt. The SYN/FIN DDoS attempt can exhaust the firewall on the server by sending these packets continuously.
To detect such attacks, use the filter tcp.flags==0x003 to find packets that carry both flags in the same packet.

[Figure 11.26: Detecting a SYN/FIN DDoS attempt (Flags: 0x003 (FIN, SYN), Header Length: 24 bytes, Sequence number: 0, Acknowledgment number: 0)]

19. Detecting a UDP Scan Attempt

In a UDP scan, an attacker sends UDP packets to a target port and waits for the response. The attacker receives an ICMP Type 3 Code 3 response if the port is closed; if no response is received, then the port is either open or filtered. If the target responds with a large number of ICMP Type 3 Code 3 packets, then the port is unavailable and it is a sign of a UDP port scan on the network. The UDP service can receive packets without establishing a connection. When an attacker sends a UDP packet to the target, either of the following can occur:

* If the UDP port is open, the target accepts the packet and does not send any response.
* If the UDP port is closed, an ICMP packet is sent in response.

UDP is more difficult to probe than TCP, as the scan does not depend on acknowledgements being received. A UDP scan gathers all the ICMP errors received from closed ports. Administrators should take proper measures to handle open UDP ports to avoid any intrusion into the network. While monitoring, if any machine is replying with bulk ICMP type 3 responses, it is a sign of a UDP scan attempt on the network. To identify a UDP scan attempt, run the filter icmp.type==3 and icmp.code==3 in Wireshark.

[Figure 11.27: Detecting a UDP Scan Attempt (filter icmp.type==3 and icmp.code==3; Src 192.168.0.53 (CadmusCo_8c:b7:13), Dst 192.168.0.54 (CadmusCo_09:ef:ce))]
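To make the hex values used by the filters in sections 15 to 18 concrete, here is an added Python example that is not from the page: it decodes a tcp.flags value into flag names the way Wireshark prints them, labels the values the page's filters key on (0x000, 0x029, 0x003, 0x002, 0x012, 0x004, 0x014), rebuilds the combined full-connect filter from the same table, and tallies the patterns over a constructed stream of flag values; the labels, function names and sample data are my own assumptions.

```python
from collections import Counter

# Bit values of the TCP flags field as Wireshark's tcp.flags filter sees them.
TCP_FLAGS = {0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH",
             0x010: "ACK", 0x020: "URG", 0x040: "ECE", 0x080: "CWR", 0x100: "NS"}

# The flag combinations the page's filters key on, in Wireshark hex notation.
PROBE_PATTERNS = {
    0x000: "null scan probe (no flags set)",
    0x029: "Xmas scan probe (FIN+PSH+URG)",
    0x003: "SYN/FIN flood packet (SYN and FIN never occur together legitimately)",
    0x002: "SYN: connection request or scan probe",
    0x012: "SYN+ACK: port open",
    0x014: "RST+ACK: port closed",
    0x004: "RST: half-open connection torn down",
}
ICMP_UNREACH_CODES = (1, 2, 3, 9, 10, 13)   # the ICMP type 3 codes the page lists

def flag_names(value):
    """0x029 -> ['FIN', 'PSH', 'URG'], the way Wireshark prints Flags: 0x029 (FIN, PSH, URG)."""
    return [name for bit, name in TCP_FLAGS.items() if value & bit]

def flags_value(*names):
    """Inverse of flag_names: flags_value('SYN', 'ACK') -> 0x012, for writing filters."""
    by_name = {name: bit for bit, name in TCP_FLAGS.items()}
    return sum(by_name[n] for n in names)

def classify(value):
    """Label a tcp.flags value; exact match, like tcp.flags==0x... in Wireshark."""
    return PROBE_PATTERNS.get(value, "no scan pattern")

def full_connect_filter():
    """Rebuilds the page's combined full-connect filter from the tables above."""
    tcp_part = " or ".join(f"tcp.flags==0x{v:03x}" for v in (0x002, 0x012, 0x004, 0x014))
    icmp_part = " or ".join(f"icmp.code=={c}" for c in ICMP_UNREACH_CODES)
    return f"{tcp_part} or (icmp.type==3 and ({icmp_part}))"

def tally(flag_values):
    """Count the suspicious patterns in a stream of tcp.flags values."""
    counts = Counter(classify(v) for v in flag_values)
    counts.pop("no scan pattern", None)
    return counts

# Constructed sample: one normal handshake with data, then SYN/FIN and Xmas bursts.
SAMPLE_FLAGS = [0x002, 0x012, 0x010, 0x018, 0x010, 0x011, 0x010] + [0x003] * 20 + [0x029] * 3
```

Wireshark's tcp.flags==0x... compares the whole flags field, so a SYN carrying ECN bits (0x0c2) does not match tcp.flags==0x002; the per-flag form the page's screenshots use (for example tcp.flags.syn==1 and tcp.flags.ack==1) matches regardless of the other bits.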
