Objectives

You will learn how to detect various types of scans and attacks on a network

Why you need to know

Network reconnaissance is the initial phase of an attack, in which attackers collect as much information about a network as possible, including IP address ranges, OS versions, and the services running on each host. Attackers mainly aim to gain access to a system or to mount a denial-of-service attack that makes the system stop responding to requests from its clients. As a security admin, you need to know how to analyze packets captured by Wireshark and detect reconnaissance activity on the network, as well as network access attempts and denial-of-service attempts against a machine or a network.

Network Topology

Demo

1: Log in to the Domain Controller

2: Open Cain & Abel

3: To configure the Ethernet card, choose Configure from the menu bar. Leave the settings at their defaults and click OK

4: Click the Start/Stop Sniffer button, then the Sniffer tab

5: Click the plus (+) icon. The MAC Address Scanner window appears; select the Range button, enter the scan range 10.0.0.101 – 10.0.0.254, check All Tests, then click OK

6: Cain & Abel starts scanning for MAC addresses and lists all those found.

7: Click the ARP tab at the bottom left, then the plus (+) icon

8: Select 10.0.0.101 (Domain Controller) from the left and 10.0.0.200 (Windows 10) from the right

9: Select the added IP address pair under Configuration/Routed Packets, and click Start/Stop ARP.

10: You can see that the status becomes Poisoning

11: Open Wireshark and start a traffic capture on Internal

12: Log in to the Windows 10 client and open Zenmap

13: Start typing the command and click Scan

14: Stop the packet capture and enter the filter syntax below. This shows all the packets containing SYN requests and SYN, ACK responses between Windows 10 and the Domain Controller

15: Since a huge number of SYN requests are sent to the target machine, the target ports that are open reply with SYN+ACK. Enter the filter syntax below to see only the traffic containing the SYN, ACK response packets.

16: From this, it is clear that an attacker attempted to scan for open ports using the TCP half-open scan method. In a half-open scan, the attacker replies with RST to abort the connection as soon as the SYN, ACK reveals that the port is open, so the handshake is never completed. In a full connect scan, by contrast, the attacker completes the full TCP 3-way handshake and, once the connection is established, immediately terminates it with an RST packet.

17: Remove the filter and start a new Wireshark packet capture.

18: Go to Windows 10 and type the command below

19: Go to the Domain Controller and stop the packet capture. Enter the filter syntax tcp.flags.syn == 1 and ip.src == 10.0.0.101

This shows all the packets containing the SYN request and SYN, ACK response between Windows 10 and the Domain Controller

20: The victim is flooded with SYN packets and starts replying to the attacker with SYN, ACK packets from its open ports. You can observe which particular ports of the victim are open and replying to the attacker.

21: Type the command below to see the attacker send ACK packets to the open ports. After the attacker sends the ACK packets, the TCP 3-way handshake is complete and the connection is established. But instead of sending data, the attacker immediately terminates the connection by sending an RST packet right after the ACK packet.

22: The next step is an ARP sweep. The attacker broadcasts numerous ARP packets requesting the MAC addresses of all the machines on the network.

You can type the command below

23: Type arp in the filter. Wireshark shows all the ARP packets that have been broadcast on the network, proving that an ARP sweep has been performed on the network
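Steps 14 to 23 above distinguish three traffic patterns by eye in Wireshark: the half-open probe (SYN, SYN/ACK, RST), the full connect probe (SYN, SYN/ACK, ACK, RST with no data), and the ARP sweep (one host broadcasting who-has requests for many addresses). The script below is an added example, not part of the lab and not code from Wireshark, Zenmap or Cain & Abel; it turns those same flag patterns into detection logic a defender could run over a capture. Packets are represented as plain dicts whose field names are an assumption (a real capture would be read with a library such as pyshark or scapy and mapped into this shape); the traffic in SAMPLE is constructed, using the lab's attacker (10.0.0.200) and Domain Controller (10.0.0.101) addresses plus a hypothetical legitimate client 10.0.0.50, and the reporting thresholds are assumed values.

```python
"""Label TCP probe patterns and ARP sweeps in a list of packet records.

Added example, not part of the lab. Packet dicts are an assumed shape;
SAMPLE at the bottom is constructed traffic.
"""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp(src, sport, dst, dport, flags, payload=0):
    """Constructed TCP packet record; payload = number of data bytes carried."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags, "payload": payload}


def arp_request(sender_ip, target_ip):
    """Constructed ARP who-has request (opcode 1)."""
    return {"proto": "arp", "op": 1, "src": sender_ip, "target": target_ip}


def classify_flows(packets):
    """Group TCP packets by (client, server, server_port) and label each flow.

    Labels: half_open (SYN, SYN/ACK, RST), full_connect (handshake, then RST
    with no data), closed (server answered RST/ACK), no_reply, normal (data).
    """
    flows = defaultdict(list)  # key -> [(direction, flags, payload), ...]
    for p in packets:
        if p["proto"] != "tcp":
            continue
        if p["flags"] & SYN and not p["flags"] & ACK:  # client opens the flow
            flows[(p["src"], p["dst"], p["dport"])].append(("c", p["flags"], p["payload"]))
            continue
        fwd = (p["src"], p["dst"], p["dport"])  # later packet from the client
        rev = (p["dst"], p["src"], p["sport"])  # reply from the server
        if fwd in flows:
            flows[fwd].append(("c", p["flags"], p["payload"]))
        elif rev in flows:
            flows[rev].append(("s", p["flags"], p["payload"]))

    labels = {}
    for key, pkts in flows.items():
        data = any(pl > 0 for _, _, pl in pkts)
        synack = any(d == "s" and f & SYN and f & ACK for d, f, _ in pkts)
        server_rst = any(d == "s" and f & RST for d, f, _ in pkts)
        client_ack = any(d == "c" and f & ACK and not f & (SYN | RST) for d, f, _ in pkts)
        client_rst = any(d == "c" and f & RST for d, f, _ in pkts)
        if not synack:
            labels[key] = "closed" if server_rst else "no_reply"
        elif data:
            labels[key] = "normal"          # handshake followed by real data
        elif client_rst and not client_ack:
            labels[key] = "half_open"       # RST sent straight after the SYN/ACK
        elif client_rst and client_ack:
            labels[key] = "full_connect"    # handshake completed, then torn down
        else:
            labels[key] = "normal"
    return labels


def scan_report(packets, port_threshold=3):
    """Per source, count flows by label; report sources that probed >= threshold ports."""
    per_src = defaultdict(lambda: defaultdict(set))
    for (client, server, port), label in classify_flows(packets).items():
        per_src[client][label].add((server, port))
    report = {}
    for src, by_label in per_src.items():
        counts = {label: len(ports) for label, ports in by_label.items()}
        probed = sum(n for label, n in counts.items() if label != "normal")
        if probed >= port_threshold:
            report[src] = counts
    return report


def arp_sweeps(packets, threshold=10):
    """Sources whose ARP who-has requests cover >= threshold distinct target IPs."""
    targets = defaultdict(set)
    for p in packets:
        if p["proto"] == "arp" and p["op"] == 1:
            targets[p["src"]].add(p["target"])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed sample traffic: lab addresses plus a hypothetical client 10.0.0.50
ATTACKER, DC, CLIENT = "10.0.0.200", "10.0.0.101", "10.0.0.50"
SAMPLE = []
for i, port in enumerate((80, 445)):  # half-open probes of two open ports
    sp = 40000 + i
    SAMPLE += [tcp(ATTACKER, sp, DC, port, SYN), tcp(DC, port, ATTACKER, sp, SYN | ACK),
               tcp(ATTACKER, sp, DC, port, RST)]
SAMPLE += [tcp(ATTACKER, 40002, DC, 8080, SYN),  # closed port answers RST/ACK
           tcp(DC, 8080, ATTACKER, 40002, RST | ACK)]
for i, port in enumerate((135, 389)):  # full-connect probes: handshake, then RST
    sp = 41000 + i
    SAMPLE += [tcp(ATTACKER, sp, DC, port, SYN), tcp(DC, port, ATTACKER, sp, SYN | ACK),
               tcp(ATTACKER, sp, DC, port, ACK), tcp(ATTACKER, sp, DC, port, RST | ACK)]
SAMPLE += [tcp(CLIENT, 50000, DC, 80, SYN),  # legitimate HTTP session carrying data
           tcp(DC, 80, CLIENT, 50000, SYN | ACK), tcp(CLIENT, 50000, DC, 80, ACK),
           tcp(CLIENT, 50000, DC, 80, PSH | ACK, payload=120)]
SAMPLE += [arp_request(ATTACKER, f"10.0.0.{i}") for i in range(1, 31)]  # ARP sweep
SAMPLE.append(arp_request(CLIENT, DC))  # one ordinary ARP lookup

if __name__ == "__main__":
    print("TCP scan report:", scan_report(SAMPLE))
    print("ARP sweeps:", arp_sweeps(SAMPLE))
```

The flow key is the SYN initiator, so the legitimate client's connection to port 80 and the attacker's probe of port 80 are kept apart, and a real HTTP session is labelled normal because data followed the handshake; a full connect probe differs from it only in the absence of data before the RST, which is exactly why step 21 has you look for the RST right after the ACK rather than for the handshake itself.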

Conclusion

You learned how to detect various types of scans and attacks happening on a network.