Analyzing the Network with WinDump/TCPDump. (Part III)

WinDump/TCPDump. Case studies.

Here we analyze the output of TCPDump / WinDump in response to basic nmap scans and other network utilities, in order to study it. This way we learn to recognize problems or intrusions on the network from the capture alone.

WinDump/TCPDump output in response to nmap scans.

C:\scan\nmap3>nmap -sT 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on\Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.43174 > 192.168.4.15.80: . ack 1827959592 win 1024
192.168.4.15.80 > 192.168.4.3.43174: R 1827959592:1827959592(0) win 0
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.1884 > 192.168.4.15.8080: S 189871296:189871296(0) win 64240 (DF)
192.168.4.15.8080 > 192.168.4.3.1884: S 1772688780:1772688780(0) ack 189871297 win 64240
192.168.4.3.1884 > 192.168.4.15.8080: . ack 1 win 64240 (DF)
192.168.4.3.1884 > 192.168.4.15.8080: R 189871297:189871297(0) win 0 (DF)

C:\scan\nmap3>nmap -sS 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on\Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.57766 > 192.168.4.15.80: . ack 185616010 win 3072
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.57766: R 185616010:185616010(0) win 0
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.57746 > 192.168.4.15.8080: S 565404479:565404479(0) win 3072
192.168.4.15.8080 > 192.168.4.3.57746: S 1818962999:1818962999(0) ack 565404480 win 64240
192.168.4.3.57746 > 192.168.4.15.8080: R 565404480:565404480(0) win 0

C:\scan\nmap3>nmap -sN 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on\Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.57420 > 192.168.4.15.80: . ack 678437475 win 4096
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.57420: R 678437475:678437475(0) win 0
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.57400 > 192.168.4.15.8080: . win 4096
192.168.4.15.8080 > 192.168.4.3.57400: R 0:0(0) ack 0 win 0

C:\scan\nmap3>nmap -sU 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on\Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.50665 > 192.168.4.15.80: . ack 83760541 win 1024
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.50665: R 83760541:83760541(0) win 0
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.50645 > 192.168.4.15.8080: udp 0
192.168.4.15 > 192.168.4.3: icmp: 192.168.4.15 udp port 8080 unreachable

C:\scan\nmap3>ping 192.168.4.15 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on\Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply
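As an added example (not code from the original post), a small Python classifier that parses the classic windump/tcpdump one-line syntax shown above and labels each flow by the flag sequence that distinguishes the -sT, -sS, -sN and -sU probes. The sample trace is constructed from the lines above, without timestamps and without the NetBIOS/ARP noise; the signature table is an assumption of this example, not something nmap or windump provides.

```python
import re

# Constructed sample input: the -sT, -sS, -sN and -sU traces shown on this page,
# without timestamps and without the NetBIOS/ARP noise.
SAMPLE = """\
192.168.4.3.1884 > 192.168.4.15.8080: S 189871296:189871296(0) win 64240 (DF)
192.168.4.15.8080 > 192.168.4.3.1884: S 1772688780:1772688780(0) ack 189871297 win 64240
192.168.4.3.1884 > 192.168.4.15.8080: . ack 1 win 64240 (DF)
192.168.4.3.1884 > 192.168.4.15.8080: R 189871297:189871297(0) win 0 (DF)
192.168.4.3.57746 > 192.168.4.15.8080: S 565404479:565404479(0) win 3072
192.168.4.15.8080 > 192.168.4.3.57746: S 1818962999:1818962999(0) ack 565404480 win 64240
192.168.4.3.57746 > 192.168.4.15.8080: R 565404480:565404480(0) win 0
192.168.4.3.57400 > 192.168.4.15.8080: . win 4096
192.168.4.15.8080 > 192.168.4.3.57400: R 0:0(0) ack 0 win 0
192.168.4.3.50645 > 192.168.4.15.8080: udp 0
192.168.4.15 > 192.168.4.3: icmp: 192.168.4.15 udp port 8080 unreachable
"""

IP = r"(\d+(?:\.\d+){3})"
# Classic (pre-4.0) tcpdump/windump syntax as printed on this page; the timestamp is optional.
TCP_RE = re.compile(r"^(?:\S+ )?" + IP + r"\.(\d+) > " + IP + r"\.(\d+): ([SFRP.]+)(?: \d+:\d+\(\d+\))?( ack \d+)? win")
UDP_RE = re.compile(r"^(?:\S+ )?" + IP + r"\.(\d+) > " + IP + r"\.(\d+): udp \d+")
ICMP_RE = re.compile(r"^(?:\S+ )?" + IP + r" > " + IP + r": icmp: \S+ udp port (\d+) unreachable")

# Per-flow sequence of (sender, flags, carries an ACK number) that identifies each probe (assumed table).
SIGNATURES = {
    (("c", "S", False), ("s", "S", True), ("c", ".", True), ("c", "R", False)): "connect scan (-sT): full handshake, then RST from the scanner",
    (("c", "S", False), ("s", "S", True), ("c", "R", False)): "half-open scan (-sS): SYN/ACK answered with RST, handshake never completed",
    (("c", ".", False), ("s", "R", True)): "NULL scan (-sN): no flags and no ACK number, answered with RST (port closed)",
}

def classify(dump):
    """Group tcpdump lines into flows and label the probe pattern each one shows."""
    flows, verdicts = {}, {}
    for line in dump.splitlines():
        if m := TCP_RE.match(line):
            src, sp, dst, dp, flags, ack = m.groups()
            key, sender = (src, sp, dst, dp), "c"
            if (dst, dp, src, sp) in flows:        # reply direction of a flow we already saw
                key, sender = (dst, dp, src, sp), "s"
            flows.setdefault(key, []).append((sender, flags, ack is not None))
        elif m := UDP_RE.match(line):
            src, _, dst, dp = m.groups()
            verdicts[f"{src}->{dst}:{dp}/udp"] = "UDP probe (-sU): no answer, port open|filtered"
        elif m := ICMP_RE.match(line):
            src, dst, port = m.groups()             # ICMP comes from the target, so dst is the scanner
            verdicts[f"{dst}->{src}:{port}/udp"] = "UDP probe (-sU): ICMP port unreachable, port closed"
    for (c, cp, s, sp), events in flows.items():
        verdicts[f"{c}:{cp}->{s}:{sp}"] = SIGNATURES.get(tuple(events), f"unclassified TCP pattern {events}")
    return verdicts
```

Feeding `windump -nt` output through `classify` turns each scanner/target/port flow into one verdict line, which is how a defender would spot an -sS sweep that never completes a handshake.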

Identifying protocols. Deciphering the output.

UDP

16:33:59.501208 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:34:27.131434 192.168.4.1.137 > 192.168.4.2.137: udp 62
16:34:29.503733 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:34:59.506694 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:35:29.509226 192.168.4.1.520 > 192.168.4.255.520: udp 24

TCP

16:37:34.672005 192.168.4.15.4036 > 192.168.4.1.139: tcp 280
16:37:34.674529 192.168.4.1.139 > 192.168.4.15.4036: tcp 131 (DF)
16:37:34.674949 192.168.4.15.4036 > 192.168.4.1.139: tcp 43
16:37:34.675151 192.168.4.1.139 > 192.168.4.15.4036: tcp 43 (DF)
16:37:34.680743 192.168.4.15.4036 > 192.168.4.1.139: tcp 280

16:39:23.854768 192.168.4.1.139 > 192.168.4.11.2027: . ack 2920 win 8760 (DF)
16:39:23.854973 192.168.4.1.139 > 192.168.4.11.2027: P 1:52(51) ack 4163 win 751

16:39:42.082752 192.168.4.11.2027 > 192.168.4.1.139: . ack 33380 win 8632 (DF)
16:39:55.697455 192.168.4.11.2635 > 192.168.4.1.139: S 1990792:1990792(0) win 8192 (DF)
16:39:55.697567 192.168.4.1.139 > 192.168.4.11.2635: S 51131010:51131010(0) ack 1990793 win 8760 (DF)
16:39:55.697756 192.168.4.11.2635 > 192.168.4.1.139: . ack 1 win 8760 (DF)
16:39:55.697793 192.168.4.11.2635 > 192.168.4.1.139: P 1:73(72) ack 1 win 8760

ICMP

16:45:29.386197 192.168.4.1 > 192.168.4.10: icmp: host 192.168.1.150 unreachable
16:45:29.386430 192.168.4.1 > 192.168.4.10: icmp: host 205.134.xxx.xxx unreachable
16:45:35.160914 192.168.4.1 > 192.168.4.10: icmp: host 192.168.1.151 unreachable
16:45:40.910035 192.168.4.10 > 192.168.4.1: icmp: echo request
16:45:40.910160 192.168.4.1 > 192.168.4.10: icmp: echo reply

ARP

16:51:21.227113 arp who-has 192.168.2.86 tell 192.168.2.60
16:51:21.538845 arp who-has 192.168.2.64 tell 192.168.2.60
16:51:21.850790 arp who-has 192.168.2.76 tell 192.168.2.60
16:51:21.851784 arp who-has 192.168.2.197 tell 192.168.2.60
16:51:21.851863 arp who-has 192.168.2.200 tell 192.168.2.60
16:51:21.857060 arp reply 192.168.2.197 is-at 0:a0:c9:1c:c1:f5

POP3

16:53:43.824474 192.168.2.90.2040 > 192.168.4.15.110: S 1607781:1607781(0) win 8192 (DF)
16:53:43.824575 192.168.4.15.110 > 192.168.2.90.2040: S 4064642994:4064642994(0) ack 1607782 win 64240
60>
16:53:43.824920 192.168.2.90.2040 > 192.168.4.15.110: . ack 1 win 8760 (DF)
16:53:43.863694 192.168.4.15.110 > 192.168.2.90.2040: P 1:89(88) ack 1 win 64240
16:53:43.864264 192.168.2.90.2040 > 192.168.4.15.110: P 1:17(16) ack 89 win 8672 (DF)
16:53:43.962939 192.168.4.15.110 > 192.168.2.90.2040: P 89:120(31) ack 17 win 64224
16:53:43.963439 192.168.2.90.2040 > 192.168.4.15.110: P 17:33(16) ack 120 win 8641 (DF)
16:53:44.009535 192.168.4.15.110 > 192.168.2.90.2040: P 120:188(68) ack 33 win 64208

SMTP

192.168.4.3.2605 > 192.168.4.15.25: S 3369617405:3369617405(0) win 64240 (DF)
192.168.4.15.25 > 192.168.4.3.2605: S 138683007:138683007(0) ack 3369617406 win 64240
>
192.168.4.3.2605 > 192.168.4.15.25: . ack 1 win 64240 (DF)
192.168.4.15.25 > 192.168.4.3.2605: P 1:42(41) ack 1 win 64240

In the next part of this article we will cover advanced filters in more detail.


One response to Analyzing the Network with WinDump/TCPDump. (Part III)

  1. manxon said:

    I don't understand anything in this article… could you please add a short description of what each block is about
