Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds

Analyzing network reconnaissance attempts

Save for later
  • 480 min read
  • 2015-08-11 00:00:00

article-image

In this article by Piyush Verma, author of the book Wireshark Network Security, you will be introduced to using Wireshark to detect network reconnaissance activities performed by an insider.

A dictionary definition of reconnaissance is "military observation of a region to locate an enemy or ascertain strategic features." A good analogy for reconnaissance will be a thief studying the neighborhood to observe which houses are empty and which are occupied, the number of family members who live at the occupied houses, their entrance points, the time during which these occupied houses are empty, and so on, before he/she can even think about stealing anything from that neighborhood.

Network reconnaissance relates to the act of gathering information about the target’s network infrastructure, the devices that reside on the network, the platform used by such devices, and the ports opened on them, to ultimately come up with a brief network diagram of devices and then plan the attack accordingly.

The tools required to perform network scanning are readily available and can be downloaded easily over the Internet. One such popular tool is Nmap, short for Network Mapper. It is written by Gordon “Fyodor” Lyon and is a popular tool of choice to perform network-based reconnaissance.

Network scanning activities can be as follows:

  • Scanning for live machines
  • Port scans
  • Detecting the presence of a firewall or additional IP protocols

(For more resources related to this topic, see here.)

Detect the scanning activity for live machines

An attacker would want to map out the live machines on the network rather than performing any activity with an assumption that all the machines are live. The following are the two popular techniques, which can be used, and the ways to detect them using Wireshark.

Ping sweep

This technique makes use of a simple technique to ping an IP address in order to identify whether it is alive or not. Almost all modern networks block the ICMP protocol; hence, this technique is not very successful. However, in case your network supports ICMP-based traffic, you can detect this attack by looking for large number of ping requests going to a range of IP addresses on your network. A helpful filter in this case will be:

icmp.type == 8 || icmp.type == 0
ICMP Type 8 = ECHO Request
ICMP Type 0 = ECHO Reply

ARP sweep

ARP responses cannot be disabled on the network; hence, this technique works very well while trying to identify live machines on a local network. Using this technique, an attacker can discover hosts that may be hidden from other discovery methods, such as ping sweeps, by a firewall.

To perform this, an attacker sends ARP broadcasts (destination MAC address: FF:FF:FF:FF:FF:FF) for all possible IP addresses on a given subnet, and the machines responding to these requests are noted as alive or active.

To detect ARP sweep attempts, we need to look for a massive amount of ARP broadcasts from a client machine on the network. Another thing to note will be the duration in which these broadcasts are sent. These are highlighted in the following screenshot:

analyzing-network-reconnaissance-attempts-img-0

Shows an ARP sweep in action

A point to note is the source of these ARP requests to avoid false positives because such requests may also be made by legitimate services, such as SNMP.

Identifying port scanning attempts

Now, we will look at different port scanning techniques used by attackers and how to detect them using Wireshark.

TCP Connect scan

In a TCP Connect scan, a client/attacker sends a SYN packet to the server/victim on a range of port numbers. For the ports that respond to SYN/ACK, the client completes the 3-way handshake by sending an ACK and then terminates the connection by sending an RST to the server/victim, while the ports that are closed reply with RST/ACK packets to the SYN sent by the client/attacker.

Hence, in order to identify this type of scan, we will need to look for a significantly large number of RST (Expert Info) or SYN/ACK packets. Generally, when a connection is established, some form of data is transferred; however, in scanning attempts, no data is sent across indicating a suspicious activity (Conversations | TCP).

Another indication is the short period of time under which these packets are sent (Statistics | Flow Graph).

Wireshark’s Flow Graph

While observing the TCP flow in the Flow Graph, we noted a sequence of SYN, SYN/ACK, and ACKs along with SYN and RST/ACKs. Another indication is the fraction of seconds (displayed on left-hand side) under which these packets are sent.

analyzing-network-reconnaissance-attempts-img-1

Shows a complete 3-way handshake with open-ports and how quickly the packets were sent under the ‘Time’ column

Wireshark’s Expert Info

Even the Expert Info window indicates a significant number of connection resets.

analyzing-network-reconnaissance-attempts-img-2

Shows Warning Tab under Expert Info

Wireshark’s Conversations

We can look at the TCP Conversations, to observe which type of scan is underway and the number of Bytes associated with each conversation.

analyzing-network-reconnaissance-attempts-img-3

Shows the number of packets and Bytes transferred for each Conversation

The number 4 in the Packets column indicates a SYN, SYN/ACK, ACK, and RST packets, and the number 2 indicates the SYN sent by Nmap and RST/ACK received for a closed port.

Stealth scan

A stealth scan is different from the TCP Connect scan explained earlier and is never detected by the application layer as the complete TCP 3-way handshake is never established during this scan and hence also known as half-open scan.

During this scan, a client/attacker sends a SYN packet to the server/victim on a range of port numbers. If Nmap receives a SYN/ACK to the SYN request, it means that the port is open, and Nmap then sends an RST to close the connection without ever completing the 3-way handshake, while the ports that are closed reply with RST/ACK packets to the SYN requests.

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at £15.99/month. Cancel anytime

The way to detect this attack is similar to the previous scan, where you will note a lot of RST (Expert Info) or SYN/ACK packets without data transfers (Conversations | TCP) on the network.

Another indication is the short period of time under which these packets are sent (Statistics | Flow Graph).

Now, we will look at the Flow Graph, Expert Info, and Conversations in Wireshark for Stealth scan.

Wireshark’s Flow Graph

While observing the TCP flow in the Flow Graph, we noted a sequence of SYN, SYN/ACK, and RSTs (indicating a half-open connection) along with SYN and RST/ACKs. Another indication is the fraction of seconds (displayed on the left-hand side) under which these packets are sent.

analyzing-network-reconnaissance-attempts-img-4

Shows the half-open scan underway and how quickly the packets were sent under the "Time" column

Wireshark’s Expert Info

The huge number of connection resets is another indication of a scan underway.

analyzing-network-reconnaissance-attempts-img-5

Shows Warning Tab under Expert Info

Wireshark’s Conversations

TCP Conversations also provide an insight to indicate that a half-open scan is underway and the number of Bytes associated with each attempt.

analyzing-network-reconnaissance-attempts-img-6

Shows the number of packets and Bytes transferred for each Conversation

The number 3 in the Packets column indicates a SYN, SYN/ACK, and RST packets, and the number 2 indicates the SYN sent by Nmap and RST/ACK received for a closed port.

NULL scan

During a null scan, unusual TCP packets are sent with no flags set. If the resultant of this is no response, it means that the port is either open or filtered; while the RST/ACK response means that the port is closed.

A quick way to detect, whether such a scan is underway, is to filter on tcp.flags == 0x00.

analyzing-network-reconnaissance-attempts-img-7

UDP scan

The last three techniques were related to TCP-based scans. Many common protocols work over UDP as well (DNS, SNMP, TFTP, and so on), and scans are conducted to detect whether such ports are open or not.

No response to a UDP port scan indicates that the port is either open or firewalled, and a response of ICMP Destination Unreachable/Port Unreachable means that the port is closed.

Detect UDP scans by filtering on (icmp.type == 3) && (icmp.code == 3).

ICMP Type 3 = Destination Unreachable
ICMP Code 3 = Port Unreachable

Other scanning attempts

The following scanning techniques go beyond the traditional port scanning techniques and help the attacker in further enumeration of the network.

ACK scan

ACK Flag scan never locates an open port; rather, it only provides the result in form of "filtered" or "unfiltered" and is generally used to detect the presence of a firewall.

No response means port is filtered, and RST response indicates that the port is unfiltered.

analyzing-network-reconnaissance-attempts-img-8

Shows Flow Graph (TCP) of an ACK Flag Scan

IP Protocol scan

IP Protocol scan is conducted by attackers to determine the presence of additional IP protocols in use by the victim. For example, if a router is scanned using this technique, it might reveal the use of other protocols as EGP, IGP, EIGRP, and so on.

No response indicates that a protocol is present or the response is filtered, while an ICMP Destination Unreachable/Protocol Unreachable indicates that the protocol is not supported by the device.

To detect this scan using Wireshark, we can filter the traffic based on (icmp.type == 3) && (icmp.code == 2).

ICMP Type 3 = Destination Unreachable
ICMP Code 2 = Protocol Unreachable

Summary

In this article, we used Wireshark and the set of robust features it has to offer, to analyze the network scanning attempts performed by attackers.

Resources for Article:


Further resources on this subject: