WinDump/TCPDump. Case studies.
Here we analyze the output that TCPDump / WinDump produces for basic nmap scans and for other network utilities, so that we learn to recognize problems or intrusions on the network from the capture itself.
WinDump/TCPDump output for nmap scans.
C:\scan\nmap3>nmap -sT 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.43174 > 192.168.4.15.80: . ack 1827959592 win 1024
192.168.4.15.80 > 192.168.4.3.43174: R 1827959592:1827959592(0) win 0
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.1884 > 192.168.4.15.8080: S 189871296:189871296(0) win 64240 (DF)
192.168.4.15.8080 > 192.168.4.3.1884: S 1772688780:1772688780(0) ack 189871297 win 64240
192.168.4.3.1884 > 192.168.4.15.8080: . ack 1 win 64240 (DF)
192.168.4.3.1884 > 192.168.4.15.8080: R 189871297:189871297(0) win 0 (DF)
C:\scan\nmap3>nmap -sS 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.57766 > 192.168.4.15.80: . ack 185616010 win 3072
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.57766: R 185616010:185616010(0) win 0
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.57746 > 192.168.4.15.8080: S 565404479:565404479(0) win 3072
192.168.4.15.8080 > 192.168.4.3.57746: S 1818962999:1818962999(0) ack 565404480 win 64240
192.168.4.3.57746 > 192.168.4.15.8080: R 565404480:565404480(0) win 0
C:\scan\nmap3>nmap -sN 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.57420 > 192.168.4.15.80: . ack 678437475 win 4096
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.57420: R 678437475:678437475(0) win 0
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.57400 > 192.168.4.15.8080: . win 4096
192.168.4.15.8080 > 192.168.4.3.57400: R 0:0(0) ack 0 win 0
C:\scan\nmap3>nmap -sU 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.50665 > 192.168.4.15.80: . ack 83760541 win 1024
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.50665: R 83760541:83760541(0) win 0
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.50645 > 192.168.4.15.8080: udp 0
192.168.4.15 > 192.168.4.3: icmp: 192.168.4.15 udp port 8080 unreachable
C:\scan\nmap3>ping 192.168.4.15 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply
Identifying protocols. Decoding the output.
UDP
16:33:59.501208 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:34:27.131434 192.168.4.1.137 > 192.168.4.2.137: udp 62
16:34:29.503733 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:34:59.506694 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:35:29.509226 192.168.4.1.520 > 192.168.4.255.520: udp 24
TCP
16:37:34.672005 192.168.4.15.4036 > 192.168.4.1.139: tcp 280
16:37:34.674529 192.168.4.1.139 > 192.168.4.15.4036: tcp 131 (DF)
16:37:34.674949 192.168.4.15.4036 > 192.168.4.1.139: tcp 43
16:37:34.675151 192.168.4.1.139 > 192.168.4.15.4036: tcp 43 (DF)
16:37:34.680743 192.168.4.15.4036 > 192.168.4.1.139: tcp 280
16:39:23.854768 192.168.4.1.139 > 192.168.4.11.2027: . ack 2920 win 8760 (DF)
16:39:23.854973 192.168.4.1.139 > 192.168.4.11.2027: P 1:52(51) ack 4163 win 751
16:39:42.082752 192.168.4.11.2027 > 192.168.4.1.139: . ack 33380 win 8632 (DF)
16:39:55.697455 192.168.4.11.2635 > 192.168.4.1.139: S 1990792:1990792(0) win 8192 (DF)
16:39:55.697567 192.168.4.1.139 > 192.168.4.11.2635: S 51131010:51131010(0) ack 1990793 win 8760 (DF)
16:39:55.697756 192.168.4.11.2635 > 192.168.4.1.139: . ack 1 win 8760 (DF)
16:39:55.697793 192.168.4.11.2635 > 192.168.4.1.139: P 1:73(72) ack 1 win 8760
ICMP
16:45:29.386197 192.168.4.1 > 192.168.4.10: icmp: host 192.168.1.150 unreachable
16:45:29.386430 192.168.4.1 > 192.168.4.10: icmp: host 205.134.xxx.xxx unreachable
16:45:35.160914 192.168.4.1 > 192.168.4.10: icmp: host 192.168.1.151 unreachable
16:45:40.910035 192.168.4.10 > 192.168.4.1: icmp: echo request
16:45:40.910160 192.168.4.1 > 192.168.4.10: icmp: echo reply
ARP
16:51:21.227113 arp who-has 192.168.2.86 tell 192.168.2.60
16:51:21.538845 arp who-has 192.168.2.64 tell 192.168.2.60
16:51:21.850790 arp who-has 192.168.2.76 tell 192.168.2.60
16:51:21.851784 arp who-has 192.168.2.197 tell 192.168.2.60
16:51:21.851863 arp who-has 192.168.2.200 tell 192.168.2.60
16:51:21.857060 arp reply 192.168.2.197 is-at 0:a0:c9:1c:c1:f5
POP3
16:53:43.824474 192.168.2.90.2040 > 192.168.4.15.110: S 1607781:1607781(0) win 8192 (DF)
16:53:43.824575 192.168.4.15.110 > 192.168.2.90.2040: S 4064642994:4064642994(0) ack 1607782 win 64240
16:53:43.824920 192.168.2.90.2040 > 192.168.4.15.110: . ack 1 win 8760 (DF)
16:53:43.863694 192.168.4.15.110 > 192.168.2.90.2040: P 1:89(88) ack 1 win 64240
16:53:43.864264 192.168.2.90.2040 > 192.168.4.15.110: P 1:17(16) ack 89 win 8672 (DF)
16:53:43.962939 192.168.4.15.110 > 192.168.2.90.2040: P 89:120(31) ack 17 win 64224
16:53:43.963439 192.168.2.90.2040 > 192.168.4.15.110: P 17:33(16) ack 120 win 8641 (DF)
16:53:44.009535 192.168.4.15.110 > 192.168.2.90.2040: P 120:188(68) ack 33 win 64208
SMTP
192.168.4.3.2605 > 192.168.4.15.25: S 3369617405:3369617405(0) win 64240 (DF)
192.168.4.15.25 > 192.168.4.3.2605: S 138683007:138683007(0) ack 3369617406 win 64240
192.168.4.3.2605 > 192.168.4.15.25: . ack 1 win 64240 (DF)
192.168.4.15.25 > 192.168.4.3.2605: P 1:42(41) ack 1 win 64240
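As an added worked example (not part of the original article), the following Python script reads capture lines in the classic one-line WinDump/TCPDump format used in both sections above and does what a defender reading them by hand would do: it identifies the protocol of each line (TCP, UDP, ICMP; arp lines and the ">>> NBT" continuation lines are skipped), groups the TCP packets into flows, labels each flow's pattern as one of the exchanges seen in the nmap sessions (the full handshake followed by a reset of the connect() scan, the SYN/SYN-ACK/RST of the half-open SYN scan, the flagless NULL probe, the unsolicited ACK that precedes each scan), derives the port state that the target's reply implies, and pairs UDP datagrams with the ICMP "udp port N unreachable" answers. The embedded sample capture is constructed from lines of the sessions above; the function names, the labels and the "client = first sender" flow heuristic are this example's own assumptions.

```python
import re
from collections import Counter

# Classic tcpdump/WinDump one-liner: [timestamp] src[.port] > dst[.port]: rest
PKT_RE = re.compile(
    r"^(?:\d\d:\d\d:\d\d\.\d+\s+)?(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s*>\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$")
FLAGS_RE = re.compile(r"^([SFRPU.]+)\s")  # old-style flag field; '.' = none of S/F/R/P/U set

# Constructed sample: key lines of the -sT, -sS, -sN and -sU sessions above, plus nmap's ACK to port 80
SAMPLE = """\
192.168.4.3.43174 > 192.168.4.15.80: . ack 1827959592 win 1024
192.168.4.15.80 > 192.168.4.3.43174: R 1827959592:1827959592(0) win 0
192.168.4.3.1884 > 192.168.4.15.8080: S 189871296:189871296(0) win 64240 (DF)
192.168.4.15.8080 > 192.168.4.3.1884: S 1772688780:1772688780(0) ack 189871297 win 64240
192.168.4.3.1884 > 192.168.4.15.8080: . ack 1 win 64240 (DF)
192.168.4.3.1884 > 192.168.4.15.8080: R 189871297:189871297(0) win 0 (DF)
192.168.4.3.57746 > 192.168.4.15.8080: S 565404479:565404479(0) win 3072
192.168.4.15.8080 > 192.168.4.3.57746: S 1818962999:1818962999(0) ack 565404480 win 64240
192.168.4.3.57746 > 192.168.4.15.8080: R 565404480:565404480(0) win 0
192.168.4.3.57400 > 192.168.4.15.8080: . win 4096
192.168.4.15.8080 > 192.168.4.3.57400: R 0:0(0) ack 0 win 0
192.168.4.3.50645 > 192.168.4.15.8080: udp 0
192.168.4.15 > 192.168.4.3: icmp: 192.168.4.15 udp port 8080 unreachable
"""

def parse_line(line):
    """One capture line -> dict (proto, src, sport, dst, dport, flags); None for skipped lines."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None                      # arp lines and '>>> NBT ...' continuation lines
    pkt = m.groupdict()
    rest = pkt.pop("rest")
    pkt["flags"] = None
    if rest.startswith("icmp:"):
        pkt["proto"], pkt["info"] = "ICMP", rest[5:].strip()
    elif rest.startswith("udp"):
        pkt["proto"] = "UDP"
    elif rest.startswith("tcp"):
        pkt["proto"] = "TCP"             # 'tcp N' lines show payload size only, no flags
    else:
        fm = FLAGS_RE.match(rest + " ")
        if not fm:
            return None
        flags = set(fm.group(1)) - {"."}
        if re.search(r"\back \d", rest):  # the ACK flag is printed separately as 'ack N'
            flags.add("A")
        pkt["proto"], pkt["flags"] = "TCP", frozenset(flags)
    return pkt

def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def protocol_summary(text):
    """Packets per protocol: the first thing to read off a raw capture."""
    return Counter(p["proto"] for p in parse_capture(text))

def classify_tcp_flows(pkts):
    """Group TCP packets per 4-tuple (client = first sender); label the exchange and port state."""
    flows = {}
    for p in pkts:
        if p["proto"] != "TCP" or p["flags"] is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        key = rev if rev in flows else fwd
        flows.setdefault(key, []).append(("c" if key == fwd else "s", p["flags"]))
    result = {}
    for key, seq in flows.items():
        client = [f for d, f in seq if d == "c"]
        server = [f for d, f in seq if d == "s"]
        data = any("P" in f for _, f in seq)
        first = client[0]
        if first == frozenset():
            label = "NULL probe: no TCP flags set"
        elif "S" in first and {"R"} in client and not data:
            label = ("connect() scan: full handshake, no data, then RST" if {"A"} in client
                     else "SYN (half-open) scan: SYN, SYN/ACK, then RST instead of ACK")
        elif "S" in first:
            label = "normal TCP session"
        elif first == {"A"} and any("R" in f for f in server):
            label = "unsolicited ACK answered by RST (ACK probe / host discovery)"
        else:
            label = "mid-stream traffic, handshake not captured"
        state = ("open" if any({"S", "A"} <= f for f in server) else
                 "closed" if any("R" in f for f in server) else "no reply (open|filtered)")
        result[key] = (label, state)
    return result

def udp_port_status(pkts):
    """Pair each UDP datagram with an ICMP 'udp port N unreachable' sent back by its target."""
    closed = {(p["src"], m.group(1)) for p in pkts if p["proto"] == "ICMP"
              for m in [re.search(r"udp port (\d+) unreachable", p["info"])] if m}
    return {(p["src"], p["dst"], p["dport"]): "closed (ICMP port unreachable)"
            if (p["dst"], p["dport"]) in closed else "no reply (open|filtered)"
            for p in pkts if p["proto"] == "UDP"}

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    for flow, (label, state) in classify_tcp_flows(pkts).items():
        print(flow, "->", label, "| port", state)
    print(udp_port_status(pkts))
```

Run it as a script, or feed it your own capture text through parse_capture and classify_tcp_flows. The flag decoding matches only the old one-letter flag field shown on this page (S, ., R, P, F, with the ACK printed separately as "ack N"); current tcpdump versions print "Flags [S.]" instead, so FLAGS_RE and the ACK test would need adjusting for a recent capture. The labels are heuristics over a short capture: a real session aborted by a reset before any data would also match the connect() pattern, so treat the labels as a prompt to look at the surrounding packets rather than as a verdict.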
In the next part of this article we will cover advanced filters in more detail.
I don't understand anything in this article… could you please add a short description of what each block is about?