Thursday, March 4, 2010

Wired Attack Tool Digital Trace Basics


Carving digital attack tool traces out of packets can be fun. The network packet matrix is all around us; we just have to want to see it. Here are a few of my notes:

Attack Tool - Digital Signature

Cain & Abel - uses only ARP packets to find other live hosts on the LAN.

Metasploit - extensive SMB protocol scanning on the network.

Retina - the "anonymous" user logging in with the password "retina@example.org".

Nessus - contains the string "nessus".

Nmap - FIN probes, BOGUS flag probes in ICMP code field.

Ettercap - 0xe77e in IP version field.

A good reference list:

ATTACK OBJECTS by Juniper (the IDP attack detection set):

https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/index.html 


The First Internet Router

A wonderful explanation and salvage of an original Internet router.

Enjoy the video!

Sunday, February 28, 2010

Network Attack Signature List

Intruder Alert!

How did I learn the basics about network attack signatures?

Using the Cisco IOS Firewall IDS Signature List.


The list contains 59 basic attack signatures, categorized into four types:

(Info, Atomic) - Information-gathering actions such as port scans.
Example:
2005 ICMP Time Exceeded for a Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 11 (Time Exceeded).

(Info, Compound) - Attacks attempted against the guarded network.
Example:
3151 FTP SYST Command Attempt (Info, Compound)
Triggers when someone tries to execute the FTP SYST command.

(Attack, Atomic) - Simple intrusion patterns.
Example:
1101 Unknown IP Protocol (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field set to 101 or greater. These protocol numbers are undefined or reserved and should not be in use.

(Attack, Compound) - Intricate patterns or series of operations spread across many hosts over a specific period.
Example:
3050 Half-open SYN Attack/SYN Flood (Attack, Compound)
Triggers when multiple TCP sessions have been improperly initiated (SYN sent, handshake never completed).
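To make the atomic/compound distinction concrete, here is an added example (my own sketch, not Cisco's code or anything from the signature list) that evaluates the two atomic signatures above (1101 and 2005) against a raw IPv4 packet and keeps a simplified half-open counter for the compound SYN-flood signature (3050). The sample packets are constructed inline, and the half-open threshold is an assumed value.

```python
import struct
from collections import Counter

# Signature ids from the Cisco IOS Firewall IDS list quoted in the post.
SIG_ICMP_TIME_EXCEEDED = 2005   # Info, Atomic: IP proto 1 and ICMP type 11
SIG_UNKNOWN_IP_PROTO = 1101     # Attack, Atomic: IP proto field >= 101
SIG_SYN_FLOOD = 3050            # Attack, Compound: many half-open TCP sessions

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields we need and return the payload."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes
    return {"proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:]}

def atomic_signatures(pkt: bytes) -> list:
    """Single-packet (atomic) checks: signatures 1101 and 2005."""
    hdr, hits = parse_ipv4(pkt), []
    if hdr["proto"] >= 101:                         # undefined/reserved protocol
        hits.append(SIG_UNKNOWN_IP_PROTO)
    if hdr["proto"] == 1 and hdr["payload"] and hdr["payload"][0] == 11:
        hits.append(SIG_ICMP_TIME_EXCEEDED)         # ICMP type byte is 11
    return hits

class HalfOpenTracker:
    """Compound check: count SYNs per destination not yet answered by an ACK.
    Simplified: any ACK toward the destination completes one half-open session;
    the threshold is an assumed value, not Cisco's."""
    def __init__(self, threshold: int = 5):
        self.threshold, self.half_open = threshold, Counter()

    def observe(self, pkt: bytes) -> list:
        hdr = parse_ipv4(pkt)
        if hdr["proto"] != 6 or len(hdr["payload"]) < 14:
            return []                               # not TCP or truncated header
        flags, key = hdr["payload"][13], hdr["dst"]
        if flags & 0x02 and not flags & 0x10:       # SYN without ACK: new half-open
            self.half_open[key] += 1
        elif flags & 0x10 and self.half_open[key]:  # ACK: one handshake completed
            self.half_open[key] -= 1
        return [SIG_SYN_FLOOD] if self.half_open[key] >= self.threshold else []

def build_ipv4(proto: int, payload: bytes, dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header (no checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, b"\x0a\x00\x00\x01", dst)
    return hdr + payload

def tcp_payload(flags: int) -> bytes:
    """Constructed 20-byte TCP header with the given flag byte (0x02 SYN, 0x10 ACK)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
```

Feeding three bare SYNs to a `HalfOpenTracker(threshold=3)` fires 3050 on the third, while a SYN followed by an ACK toward the same destination never does.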

A very good article: http://ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/CIDS-Log-Files.html

Enjoy!

Wireless Support Call



TechSupport: How can I help?
Caller: My wireless device is broke.
TechSupport: What type of wireless device?
Caller: (Ding... sounds in the background) Hold on, I have to get my lunch out of the microwave.