URG-ACK-PSH-RST-SYN-FIN -> Listening Port 80
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001215 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
URG-ACK-PSH-RST-SYN-FIN -> Non-Listening Port 81
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 4.149099 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 4.155698 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
Conclusion:
While there are many cases in which the Windows 2012 and CentOS 6.5 TCP/IP Stacks provide the same response to a stimulus, there are also many cases in which they do not. Windows 2012 seems to be the more polite :-) of the two, being more willing to send a RST-ACK, while CentOS 6.5 discards the packet silently.
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853
Sunday, July 6, 2014
Stimulus and Response - TCP - Setting 5 flags
In the 4 previous posts within this series, we looked at setting 1, then 2, then 3 and then 4 flags. In this post we will set 5 flags. So without further ado, let's look at setting 5 flags.
URG-ACK-PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.000957 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
URG-ACK-PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.000961 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
---------------------------------------------------------------------------
URG-ACK-PSH-RST-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPRF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 19.183058 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
6 19.189581 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
URG-ACK-PSH-RST-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPRF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.000903 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
---------------------------------------------------------------------------
ACK-PSH-RST-SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 15.724956 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
5 15.726052 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
ACK-PSH-RST-SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.000908 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
Stimulus and Response - TCP - Setting 4 flags
In the 3 previous posts within this series, we looked at setting 1, then 2 and then 3 flags. In this post we will set 4 flags. So without further ado, let's look at setting 4 flags.
--------------------------------------------------------
URG-ACK-PSH-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001673 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
URG-ACK-PSH-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 9.982480 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 9.990088 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------
URG-ACK-PSH-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.000608 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007313 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.009664 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-SYN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-SYN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-PSH-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001550 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 0.001607 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.002232 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
URG-ACK-PSH-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.002013 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
5 0.002365 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
6 0.002845 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-FIN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-PSH-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001450 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007067 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.009361 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
ACK-PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.006835 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
ACK-PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.001947 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------
ACK-PSH-RST-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.000912 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
ACK-PSH-RST-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
11 5.260897 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
14 5.266354 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------
PSH-RST-SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 7.782003 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
8 7.788585 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
PSH-RST-SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 1.527062 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
5 1.527916 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------
URG-ACK-SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UASF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001974 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006452 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.007292 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN-FIN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UASF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001163 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 0.001950 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.001961 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
PSH-ACK-URG-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PAUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 8.797922 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
7 8.799443 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
10 8.804208 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
11 8.804788 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-URG-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-URG-FIN flags set, sent to LISTENING PORT, results in a RST
PSH-ACK-URG-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PAUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001308 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
3 0.001721 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.002662 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST
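The "From the above" verdicts in this post can be derived mechanically from the tshark summary lines. The following is an added example, not code from the original post: it pairs each stimulus with a reply on the reversed address/port pair and reports "Silent Discard" when none exists. The function names, the pairing rule, and keying results by target IP rather than OS name are assumptions of this example; the capture lines are copied from three of the tshark runs above.

```python
import re
from collections import OrderedDict

# tshark one-line summary, as printed in the captures above:
#   <no> <time> <src> -> <dst> TCP <len> <sport> > <dport> [<flags>] ...
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)

# Flag order used in the post's headings (tshark prints the reverse order).
PAGE_ORDER = ["URG", "ACK", "PSH", "RST", "SYN", "FIN"]
PROBER = "10.0.0.50"  # source address of every stimulus in the post

# Lines copied from three tshark runs in this post; '#' lines are ignored.
CAPTURE = """
# URG-ACK-PSH-RST -> 80 (no replies)
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001673 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
# URG-ACK-PSH-SYN -> 80
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.000608 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007313 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.009664 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
# URG-ACK-SYN-FIN -> 81 (replies arrive out of order)
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001163 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 0.001950 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.001961 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
"""


def parse_line(line):
    """Return one packet as a dict, or None for anything that is not a TCP summary line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = {f.strip() for f in m.group("flags").split(",")}
    return {
        "src": m.group("src"), "dst": m.group("dst"),
        "sport": int(m.group("sport")), "dport": int(m.group("dport")),
        "flags": "-".join(f for f in PAGE_ORDER if f in flags),
    }


def stimulus_response(capture, prober=PROBER):
    """Map (target, dport, stimulus flags) -> reply flags or 'Silent Discard'."""
    packets = [p for p in map(parse_line, capture.splitlines()) if p]
    used, table = set(), OrderedDict()
    for i, p in enumerate(packets):
        if p["src"] != prober:
            continue
        verdict = "Silent Discard"
        for j in range(i + 1, len(packets)):
            r = packets[j]
            same_pair = r["dst"] == p["dst"] and r["dport"] == p["dport"] \
                and r["sport"] == p["sport"]
            if r["src"] == prober and same_pair:
                break  # next probe on the same pair: later replies belong to it
            if (j not in used and r["src"] == p["dst"] and r["dst"] == prober
                    and r["sport"] == p["dport"] and r["dport"] == p["sport"]):
                used.add(j)
                verdict = r["flags"]
                break
        table[(p["dst"], p["dport"], p["flags"])] = verdict
    return table


def disagreements(table):
    """List the (dport, flags) stimuli for which the targets answered differently."""
    by_probe = OrderedDict()
    for (target, dport, flags), verdict in table.items():
        by_probe.setdefault((dport, flags), {})[target] = verdict
    return [(probe, hosts) for probe, hosts in by_probe.items()
            if len(set(hosts.values())) > 1]


if __name__ == "__main__":
    for (target, dport, flags), verdict in stimulus_response(CAPTURE).items():
        print(f"{flags:<20} -> {target}:{dport:<3} {verdict}")
    print("stimuli with differing responses:", disagreements(stimulus_response(CAPTURE)))
```

The pairing rule only sees what the capture contains, so a reply filtered out by the display filter or lost on the wire is reported as a Silent Discard.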
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853
--------------------------------------------------------
URG-ACK-PSH-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001673 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with URG-ACK-PSH-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with URG-ACK-PSH-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
URG-ACK-PSH-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPR"),iface='eth0', count=1)..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 9.982480 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 9.990088 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------
URG-ACK-PSH-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.000608 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007313 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.009664 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-SYN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-SYN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-PSH-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001550 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 0.001607 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.002232 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
URG-ACK-PSH-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.002013 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
5 0.002365 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
6 0.002845 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-FIN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-PSH-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001450 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007067 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.009361 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
ACK-PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.006835 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
ACK-PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.001947 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------
ACK-PSH-RST-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.000912 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
ACK-PSH-RST-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
11 5.260897 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
14 5.266354 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------
PSH-RST-SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 7.782003 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
8 7.788585 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
PSH-RST-SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 1.527062 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
5 1.527916 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------
URG-ACK-SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UASF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001974 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006452 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.007292 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN-FIN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UASF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001163 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 0.001950 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.001961 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
PSH-ACK-URG-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PAUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 8.797922 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
7 8.799443 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
10 8.804208 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
11 8.804788 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-URG-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-URG-FIN flags set, sent to LISTENING PORT, results in a RST
PSH-ACK-URG-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PAUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001308 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
3 0.001721 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.002662 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST
Stimulus and Response - TCP - Setting 3 flags
In the 2 previous posts within this series, we looked at setting 1, then 2 flags. In this post we will set 3 flags. So without further ado, let's look at setting 3 flags.
--------------------------------------------------------------
URG-ACK-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
2 8.050680 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
3 8.051269 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
4 8.051409 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 8.051824 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH flags set, sent to LISTENING PORT, results in a RST
URG-ACK-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001082 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
3 0.001108 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
4 0.001380 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
URG-ACK-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.002009 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
URG-ACK-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 3.290352 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 3.299002 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------------
URG-ACK-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.000730 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
3 0.000971 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001447 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 8.777791 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
6 8.778659 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
9 8.784533 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
12 8.786545 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
URG-ACK-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
2 2.193187 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 2.194752 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
8 2.217398 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
11 2.218462 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-FIN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 6.952935 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
6 6.954813 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
9 6.960017 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 6.960799 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-FIN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
FIN-SYN-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FSR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
4 0.006779 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the FIN-SYN-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
FIN-SYN-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FSR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
4 0.007679 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the FIN-SYN-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------------
FIN-SYN-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FSP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
4 0.001930 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006305 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-PSH flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN-PSH flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
FIN-SYN-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FSP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
6 4.623353 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
9 4.624532 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
10 4.624578 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
13 4.625571 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-PSH flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN-PSH flags set, sent to NON-LISTENING PORT, results in a RST-ACK
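The "From the above" reading of each capture can be automated. The following is an added example, not code from the original post: it parses tshark summary lines in the format shown on this page, pairs each probe from 10.0.0.50 with the reply from the probed host and port, and labels an unanswered probe a Silent Discard. The capture lines are copied from this post; the function names and the address-to-OS mapping (inferred from the FIN-SYN-PSH capture and its text) are assumptions.

```python
import re

# One tshark summary line as printed on this page:
#   <frame> <time> <src> -> <dst> TCP <len> [optional "[TCP ...]" note] <sport> > <dport> [FLAGS] ...
LINE_RE = re.compile(
    r"^\s*\d+\s+\d+\.\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3})\s+TCP\s+\d+\s+"
    r"(?:\[TCP [^\]]*\]\s+)?"          # e.g. [TCP Window Update], [TCP ACKed unseen segment]
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)

PROBER = "10.0.0.50"
# Assumption: mapping inferred from the FIN-SYN-PSH capture and the text under it.
HOSTS = {"10.0.0.100": "Windows 2012", "10.0.0.101": "CentOS 6.5"}

# Capture lines copied from this post (one entry per tshark run).
CAPTURES = {
    "FIN-SYN-PSH -> 80": """
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
4 0.001930 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006305 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
""",
    "FIN-SYN-PSH -> 81": """
6 4.623353 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
9 4.624532 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
10 4.624578 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
13 4.625571 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
""",
    "URG-ACK-PSH -> 80": """
2 8.050680 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
3 8.051269 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
4 8.051409 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 8.051824 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
""",
}


def parse_line(line):
    """Return (src, dst, sport, dport, 'FLAG-FLAG-...') or None for non-packet lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    flags = "-".join(f.strip() for f in m.group("flags").split(","))
    return (m.group("src"), m.group("dst"),
            int(m.group("sport")), int(m.group("dport")), flags)


def classify_capture(text, prober=PROBER):
    """Map (target_ip, port) -> (stimulus_flags, response) for ONE tshark run."""
    results = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, dst, sport, dport, flags = pkt
        if src == prober:
            # Probe seen: assume no answer until a reply shows up later in the run.
            results[(dst, dport)] = (flags, "Silent Discard")
        elif dst == prober and (src, sport) in results:
            # Reply from the probed host and port: record its flags as the response.
            results[(src, sport)] = (results[(src, sport)][0], flags)
    return results


def differing_responses(results):
    """List (port, stimulus, {os: response}) where the stacks answered differently."""
    by_probe = {}
    for (ip, port), (stimulus, response) in results.items():
        by_probe.setdefault((port, stimulus), {})[HOSTS.get(ip, ip)] = response
    return [(port, stimulus, by_probe[(port, stimulus)])
            for port, stimulus in sorted(by_probe)
            if len(set(by_probe[(port, stimulus)].values())) > 1]


if __name__ == "__main__":
    for name, text in CAPTURES.items():
        print(name)
        for (ip, port), (stimulus, response) in sorted(classify_capture(text).items()):
            print("  %-12s port %-3d %-12s -> %s" % (HOSTS.get(ip, ip), port, stimulus, response))
        for port, stimulus, answers in differing_responses(classify_capture(text)):
            print("  differs on port %d: %s" % (port, answers))
```

A "Silent Discard" here only means no reply appeared in the capture that was fed in, so a capture stopped too early, or one filtered on the wrong ports, will report a discard that did not happen.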
--------------------------------------------------------------
FIN-SYN-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FSA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001043 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006517 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.006975 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-ACK flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-SYN-ACK flags set, sent to LISTENING PORT, results in a RST
FIN-SYN-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FSA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.002237 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006692 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
10 0.008642 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
FIN-SYN-URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FSU"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001772 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.005842 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-URG flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN-URG flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
FIN-SYN-URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FSU"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001999 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006221 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
10 0.008805 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-URG flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN-URG flags set, sent to NON-LISTENING PORT, results in a RST-ACK
--------------------------------------------------------------
SYN-RST-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SRP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
2 0.000941 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the SYN-RST-PSH flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the SYN-RST-PSH flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
SYN-RST-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SRP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
7 10.501695 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
10 10.511809 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the SYN-RST-PSH flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the SYN-RST-PSH flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------------
SYN-RST-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SRA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.005815 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the SYN-RST-ACK flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the SYN-RST-ACK flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
SYN-RST-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SRA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.001433 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the SYN-RST-ACK flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the SYN-RST-ACK flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------------
SYN-RST-URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SRU"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.006632 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with SYN-RST-URG flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with SYN-RST-URG flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
SYN-RST-URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SRU"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
2 0.001376 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with SYN-RST-URG flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with SYN-RST-URG flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
PSH-RST-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PRA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.006336 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with PSH-RST-ACK flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with PSH-RST-ACK flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
PSH-RST-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PRA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 9.148893 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
7 9.156663 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with PSH-RST-ACK flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with PSH-RST-ACK flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
PSH-ACK-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 15.616396 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
6 15.617127 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 15.623923 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
12 15.624927 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-SYN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-SYN flags set, sent to LISTENING PORT, results in a RST
PSH-ACK-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001569 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
5 0.001735 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.002225 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-SYN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-SYN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
PSH-FIN-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PFS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 4.267364 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
6 4.268165 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 4.268711 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the PSH-FIN-SYN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN-SYN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
PSH-FIN-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PFS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 1.651018 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
8 1.653316 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
11 1.660990 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
12 1.661332 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
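The comparison made in each "From the above" summary can be automated. The following is an added example, not part of the original post: it parses tshark summary lines in the format shown on this page, pairs each probe with the reply that reverses its port pair, and reports a Silent Discard when no reply is present. The function names are hypothetical, and the host-to-OS mapping is inferred from the captures and summaries above.

```python
import re

# Host roles as they appear in the captures on this page (mapping inferred
# from which address answers in the captures and the per-OS summaries).
PROBER = "10.0.0.50"
TARGETS = {"10.0.0.100": "Windows 2012", "10.0.0.101": "CentOS 6.5"}

# One tshark summary line in the layout printed on this page:
#   <no> <time> <src> -> <dst> TCP <len> [optional analysis note] <sport> > <dport> [FLAGS] ...
LINE_RE = re.compile(
    r"^\s*\d+\s+\d+\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP [^\]]*\]\s+)?"          # e.g. [TCP ACKed unseen segment]
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)


def parse_line(line):
    """Parse one tshark summary line; return None for any other text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "sport": int(m["sport"]),
        "dport": int(m["dport"]),
        # "[RST, ACK]" becomes "RST-ACK", the notation used in the summaries.
        "flags": "-".join(f.strip() for f in m["flags"].split(",")),
    }


def classify(capture, prober=PROBER, targets=TARGETS):
    """Return {target name: stimulus, probed port and observed response}."""
    packets = [p for p in map(parse_line, capture.splitlines()) if p]
    results = {}
    for probe in packets:
        if probe["src"] != prober or probe["dst"] not in targets:
            continue
        # A reply comes from the probed host with the port pair reversed.
        reply = next(
            (p for p in packets
             if p["src"] == probe["dst"] and p["dst"] == prober
             and p["sport"] == probe["dport"] and p["dport"] == probe["sport"]),
            None,
        )
        # No reply inside the capture is what the page calls a Silent Discard.
        results[targets[probe["dst"]]] = {
            "stimulus": probe["flags"],
            "port": probe["dport"],
            "response": reply["flags"] if reply else "Silent Discard",
        }
    return results


def stacks_differ(results):
    """True when the targets answered the same stimulus differently."""
    return len({r["response"] for r in results.values()}) > 1


# The two PSH-FIN-SYN captures shown above, copied from the page.
LISTENING_CAPTURE = """\
3 4.267364 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
6 4.268165 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 4.268711 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
"""

NON_LISTENING_CAPTURE = """\
5 1.651018 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
8 1.653316 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
11 1.660990 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
12 1.661332 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
"""

if __name__ == "__main__":
    for label, capture in (("port 80", LISTENING_CAPTURE),
                           ("port 81", NON_LISTENING_CAPTURE)):
        results = classify(capture)
        for host, r in results.items():
            print(f"{label}: {host}: {r['stimulus']} -> {r['response']}")
        print(f"{label}: stacks distinguishable: {stacks_differ(results)}")
```

A stimulus for which stacks_differ() is true is one that tells the two operating systems apart from the network, which makes those flag combinations the ones worth normalising or dropping at a perimeter filter.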
--------------------------------------------------------------
PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 3.204299 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
8 3.209791 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with PSH-RST-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with PSH-RST-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
2 0.001072 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with PSH-RST-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with PSH-RST-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-ACK-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.001700 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-ACK-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-ACK-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-ACK-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.008154 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-ACK-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-ACK-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-FIN-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RFS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
4 0.007232 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-FIN-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-FIN-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-FIN-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RFS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.343153 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
4 3.344126 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-FIN-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-FIN-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-URG-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.318014 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 3.319163 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with RST-URG-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-URG-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-URG-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.005783 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with RST-URG-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-URG-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-PSH-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST, PSH] Seq=0 Win=8192 Len=0
4 0.006418 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-PSH-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-PSH-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-PSH-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST, PSH] Seq=0 Win=8192 Len=0
4 0.007311 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-PSH-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-PSH-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853
--------------------------------------------------------------
URG-ACK-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
2 8.050680 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
3 8.051269 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
4 8.051409 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 8.051824 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH flags set, sent to LISTENING PORT, results in a RST
URG-ACK-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001082 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
3 0.001108 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
4 0.001380 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
URG-ACK-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.002009 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with URG-ACK-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with URG-ACK-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
URG-ACK-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 3.290352 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 3.299002 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with URG-ACK-RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with URG-ACK-RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
URG-ACK-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.000730 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
3 0.000971 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001447 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 8.777791 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
6 8.778659 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
9 8.784533 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
12 8.786545 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
URG-ACK-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
2 2.193187 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 2.194752 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
8 2.217398 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
11 2.218462 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-FIN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 6.952935 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
6 6.954813 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
9 6.960017 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 6.960799 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-FIN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
FIN-SYN-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FSR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
4 0.006779 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with FIN-SYN-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with FIN-SYN-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
FIN-SYN-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FSR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
4 0.007679 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with FIN-SYN-RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with FIN-SYN-RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
FIN-SYN-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FSP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
4 0.001930 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006305 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-PSH flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN-PSH flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
FIN-SYN-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FSP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
6 4.623353 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
9 4.624532 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
10 4.624578 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
13 4.625571 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-PSH flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN-PSH flags set, sent to NON-LISTENING PORT, results in a RST-ACK
--------------------------------------------------------------
FIN-SYN-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FSA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001043 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006517 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.006975 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-ACK flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-SYN-ACK flags set, sent to LISTENING PORT, results in a RST
FIN-SYN-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FSA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.002237 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006692 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
10 0.008642 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
FIN-SYN-URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FSU"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001772 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.005842 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-URG flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN-URG flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
FIN-SYN-URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FSU"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001999 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006221 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
10 0.008805 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN-URG flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN-URG flags set, sent to NON-LISTENING PORT, results in a RST-ACK
--------------------------------------------------------------
SYN-RST-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SRP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
2 0.000941 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with SYN-RST-PSH flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with SYN-RST-PSH flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
SYN-RST-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SRP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
7 10.501695 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
10 10.511809 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with SYN-RST-PSH flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with SYN-RST-PSH flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
SYN-RST-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SRA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.005815 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with SYN-RST-ACK flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with SYN-RST-ACK flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
SYN-RST-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SRA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.001433 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with SYN-RST-ACK flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with SYN-RST-ACK flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
SYN-RST-URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SRU"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.006632 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with SYN-RST-URG flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with SYN-RST-URG flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
SYN-RST-URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SRU"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
2 0.001376 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with SYN-RST-URG flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with SYN-RST-URG flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
PSH-RST-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PRA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.006336 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with PSH-RST-ACK flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with PSH-RST-ACK flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
PSH-RST-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PRA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 9.148893 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
7 9.156663 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with PSH-RST-ACK flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with PSH-RST-ACK flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
PSH-ACK-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 15.616396 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
6 15.617127 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 15.623923 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
12 15.624927 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-SYN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-SYN flags set, sent to LISTENING PORT, results in a RST
PSH-ACK-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001569 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
5 0.001735 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.002225 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-SYN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-SYN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------------
PSH-FIN-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PFS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 4.267364 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
6 4.268165 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 4.268711 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the PSH-FIN-SYN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN-SYN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
PSH-FIN-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PFS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 1.651018 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
8 1.653316 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
11 1.660990 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, PSH] Seq=0 Win=8192 Len=0
12 1.661332 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
--------------------------------------------------------------
PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 3.204299 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
8 3.209791 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with PSH-RST-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with PSH-RST-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
2 0.001072 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with PSH-RST-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with PSH-RST-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-ACK-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RAS"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.001700 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-ACK-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-ACK-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-ACK-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RAS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.008154 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-ACK-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-ACK-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-FIN-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RFS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
4 0.007232 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-FIN-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-FIN-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-FIN-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RFS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.343153 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
4 3.344126 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-FIN-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-FIN-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-URG-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.318014 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 3.319163 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with RST-URG-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-URG-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-URG-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.005783 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with RST-URG-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-URG-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-PSH-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST, PSH] Seq=0 Win=8192 Len=0
4 0.006418 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-PSH-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-PSH-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-PSH-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST, PSH] Seq=0 Win=8192 Len=0
4 0.007311 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-PSH-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-PSH-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
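The classification done by eye in each "From the above" summary can be scripted. The following is an added example, not code from the original post: it parses tshark one-line summaries, pairs each stimulus from 10.0.0.50 with any reply, and reports a Silent Discard when no reply is seen. The sample rows are copied from the FIN-SYN-URG -> 80 and PSH-ACK-SYN -> 81 captures above; the host labels are inferred from which address answers in those captures, and the function names are hypothetical.

```python
import re

SCANNER = "10.0.0.50"  # source address used in the sendp() calls on this page
# Assumption: labels inferred from which address answers in the captures.
HOSTS = {"10.0.0.100": "Windows 2012", "10.0.0.101": "CentOS 6.5"}

# One tshark summary row: no, time, src -> dst, TCP, length,
# optional "[TCP ...]" analysis note, sport > dport, [FLAGS].
LINE_RE = re.compile(
    r"(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"TCP\s+\d+\s+(?:\[TCP [^\]]*\]\s+)?"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)


def parse(line):
    """Return the fields of one summary row, or None for any other line."""
    # search() rather than match(): tolerates a shell prompt or stray text
    # pasted in front of the row.
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "sport": int(m["sport"]),
        "dport": int(m["dport"]),
        "flags": tuple(f.strip() for f in m["flags"].split(",")),
    }


def classify(capture_text, scanner=SCANNER):
    """Map (target, port, stimulus) -> response for a block of tshark rows.

    Flag labels use tshark's display order (FIN, SYN, RST, PSH, ACK, URG),
    so the stimulus sent with flags="PAS" is labelled SYN-PSH-ACK.
    """
    results = {}
    pending = {}  # (target, target_port, scanner_port) -> key into results
    for line in capture_text.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        label = "-".join(pkt["flags"])
        if pkt["src"] == scanner:
            key = (pkt["dst"], pkt["dport"], label)
            results.setdefault(key, "Silent Discard")  # until a reply shows up
            pending[(pkt["dst"], pkt["dport"], pkt["sport"])] = key
        elif pkt["dst"] == scanner:
            key = pending.get((pkt["src"], pkt["sport"], pkt["dport"]))
            if key is not None and results[key] == "Silent Discard":
                results[key] = label
    return results


def differing(results):
    """Keep only the (port, stimulus) rows where the hosts disagree."""
    table = {}
    for (target, port, stimulus), response in results.items():
        table.setdefault((port, stimulus), {})[HOSTS.get(target, target)] = response
    return {k: v for k, v in table.items() if len(set(v.values())) > 1}


# Rows copied from two captures on this page.
SAMPLE = """\
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001772 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.005842 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001569 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
5 0.001735 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.002225 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
"""

if __name__ == "__main__":
    for (target, port, stimulus), response in classify(SAMPLE).items():
        print(f"{HOSTS.get(target, target):13} {port:3} {stimulus:12} -> {response}")
    print("Differences:", differing(classify(SAMPLE)))
```

Because every test on this page reuses source port 5000, feed the function one capture at a time (or in the order taken) so a reply is paired with the stimulus that preceded it.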
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853
Stimulus and Response - TCP - Setting 2 flags
In the previous post we dealt with setting individual flags. However, what happens when we send a packet with various combinations of 2 flags? Let's find out.
FIN-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.934865 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
6 3.936696 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
9 3.948311 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
FIN-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 2.002337 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
6 2.004018 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
9 2.010447 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
12 2.013828 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
RST-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RP"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 10.357223 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH] Seq=0 Win=8192 Len=0
8 10.363234 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-PSH flags set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-PSH flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RP"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 6.826082 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, PSH] Seq=0 Win=8192 Len=0
6 6.832142 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-PSH flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-PSH flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
---------------------------------------------------------------
ACK-URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001850 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007789 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.010094 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-URG flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-URG flags set, sent to LISTENING PORT, results in a RST
ACK-URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.003142 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007261 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 0.007798 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-URG flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-URG flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
URG-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001790 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.006253 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
URG-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001132 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.006518 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
10 0.008365 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
URG-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="US"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
13 5.585379 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
16 5.588931 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=957194415 Ack=1 Win=8192 Len=0 MSS=1460
19 5.593237 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
22 5.595879 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=1703572497 Ack=1 Win=14600 Len=0 MSS=1460
From the above:
Windows 2012 - Packet with the URG-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
CentOS 6.5 - Packet with the URG-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
URG-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="US"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 7.948457 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
8 7.950322 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
11 7.955180 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
12 7.955767 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
Windows 2012 - Packet with the URG-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
URG-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.008478 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with URG-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with URG-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
URG-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
2 0.000989 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with URG-RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with URG-RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
---------------------------------------------------------------
URG-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.002659 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7 0.007878 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH, URG] Seq=0 Win=8192 Urg=0 Len=0
Windows 2012 - Packet with the URG-PSH flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-PSH flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
URG-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [PSH, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.002396 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7 0.006092 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [PSH, URG] Seq=0 Win=8192 Urg=0 Len=0
10 0.007837 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
Windows 2012 - Packet with the URG-PSH flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-PSH flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
ACK-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="AP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.254561 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
6 3.257235 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 3.261255 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
12 3.262827 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-PSH flags set, sent to LISTENING PORT, results in a RST
ACK-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="AP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
7 4.247236 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
10 4.248504 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
11 4.248577 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
12 4.248994 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-PSH flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
ACK-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="AR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
7 14.580837 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
10 14.587160 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with ACK-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only ACK-RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
ACK-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="AR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 1.871013 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 1.871912 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with ACK-RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with ACK-RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
---------------------------------------------------------------
SYN-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="AS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 9.046910 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
6 9.048661 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 9.054315 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
12 9.056520 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-ACK flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the SYN-ACK flags set, sent to LISTENING PORT, results in a RST
SYN-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="AS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001216 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006024 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.006380 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
FIN-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 3.345117 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
5 3.346344 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 3.346730 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 3.346745 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-ACK flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-ACK flags set, sent to LISTENING PORT, results in a RST
FIN-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001788 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007718 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.008070 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
PSH-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH] Seq=0 Win=8192 Len=0
4 0.001929 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=1785425873 Ack=1 Win=8192 Len=0 MSS=1460
7 0.008294 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH] Seq=0 Win=8192 Len=0
8 0.008872 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=730449456 Ack=1 Win=14600 Len=0 MSS=1460
From the above:
Windows 2012 - Packet with the PSH-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
CentOS 6.5 - Packet with the PSH-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
PSH-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 1.380943 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH] Seq=0 Win=8192 Len=0
6 1.383989 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
9 1.389811 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH] Seq=0 Win=8192 Len=0
12 1.392904 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
PSH-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH] Seq=0 Win=8192 Len=0
4 0.002823 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.007607 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH] Seq=0 Win=8192 Len=0
Windows 2012 - Packet with the PSH-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
PSH-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 2.501900 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH] Seq=0 Win=8192 Len=0
6 2.505076 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
9 2.510756 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH] Seq=0 Win=8192 Len=0
12 2.513249 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
--------------------------------------------------------------
RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 1.253590 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST] Seq=0 Win=8192 Len=0
8 1.259028 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST] Seq=0 Win=8192 Len=0
2 0.001233 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 14.172512 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST] Seq=0 Win=8192 Len=0
8 14.183378 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only RST-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
9 4.935682 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST] Seq=0 Win=8192 Len=0
10 4.936662 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only RST-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 3.266392 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
8 3.267852 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
11 3.273375 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the SYN-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the SYN-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
4 0.001726 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006025 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
10 0.006219 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
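To tabulate captures like the ones above rather than reading them by eye, the following added example (not part of the original post) parses tshark summary lines, pairs each probe from 10.0.0.50 with the reply from the same host and port, and lists the probes where the two stacks answered differently. The capture lines are copied from this page; the function and constant names are this example's own.

```python
import re

PROBER = "10.0.0.50"
TARGETS = {"10.0.0.100": "Windows 2012", "10.0.0.101": "CentOS 6.5"}
SILENT = "silent discard"

# tshark lines copied from the PSH-FIN (80 and 81), SYN-FIN (80) and
# ACK-PSH (80) captures on this page, concatenated in capture order.
CAPTURE = """\
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH] Seq=0 Win=8192 Len=0
4 0.002823 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.007607 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH] Seq=0 Win=8192 Len=0
3 2.501900 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH] Seq=0 Win=8192 Len=0
6 2.505076 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
9 2.510756 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH] Seq=0 Win=8192 Len=0
12 2.513249 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
5 3.266392 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
8 3.267852 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
11 3.273375 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
3 3.254561 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
6 3.257235 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 3.261255 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
12 3.262827 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)?"  # optional analysis note, e.g. [TCP Window Update]
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


def summarize(capture):
    """Map (probe flags, port) -> {OS name: response flags or SILENT}.

    Flags are named in tshark's order, so the page's PSH-FIN probe appears
    as FIN-PSH. A reply is credited to the most recent unanswered probe
    sent to the same host and port.
    """
    probes = []   # each entry: [probe_flags, port, target_ip, response]
    pending = {}  # (target_ip, port) -> index of latest unanswered probe
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = "-".join(f.strip() for f in m["flags"].split(","))
        if m["src"] == PROBER and m["dst"] in TARGETS:
            port = int(m["dport"])
            pending[(m["dst"], port)] = len(probes)
            probes.append([flags, port, m["dst"], SILENT])
        elif m["dst"] == PROBER and m["src"] in TARGETS:
            idx = pending.pop((m["src"], int(m["sport"])), None)
            if idx is not None:
                probes[idx][3] = flags
    table = {}
    for flags, port, ip, response in probes:
        table.setdefault((flags, port), {})[TARGETS[ip]] = response
    return table


def divergent(table):
    """Return the (probe flags, port) pairs where the stacks disagree."""
    return [key for key, per_os in table.items()
            if len(set(per_os.values())) > 1]


if __name__ == "__main__":
    results = summarize(CAPTURE)
    for (flags, port), per_os in results.items():
        print(f"{flags:8} -> {port}: {per_os}")
    print("Stacks differ on:", divergent(results))
```

"Silent discard" here only means no reply appears in the capture; a packet filter dropping the probe in front of the host would produce the same result.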
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853
FIN-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.934865 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
6 3.936696 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
9 3.948311 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
FIN-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 2.002337 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
6 2.004018 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
9 2.010447 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
12 2.013828 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
RST-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 10.357223 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH] Seq=0 Win=8192 Len=0
8 10.363234 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-PSH flags set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-PSH flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 6.826082 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, PSH] Seq=0 Win=8192 Len=0
6 6.832142 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-PSH flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-PSH flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
---------------------------------------------------------------
ACK-URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001850 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007789 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.010094 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-URG flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-URG flags set, sent to LISTENING PORT, results in a RST
ACK-URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.003142 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007261 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 0.007798 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-URG flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-URG flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
URG-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001790 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.006253 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
URG-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001132 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.006518 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
10 0.008365 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
URG-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="US"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
13 5.585379 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
16 5.588931 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=957194415 Ack=1 Win=8192 Len=0 MSS=1460
19 5.593237 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
22 5.595879 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=1703572497 Ack=1 Win=14600 Len=0 MSS=1460
From the above:
Windows 2012 - Packet with the URG-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
CentOS 6.5 - Packet with the URG-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
URG-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="US"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 7.948457 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
8 7.950322 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
11 7.955180 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
12 7.955767 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
Windows 2012 - Packet with the URG-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
URG-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.008478 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with URG-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with URG-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
---------------------------------------------------------------
SYN-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="AS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 9.046910 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
6 9.048661 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 9.054315 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
12 9.056520 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-ACK flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the SYN-ACK flags set, sent to LISTENING PORT, results in a RST
SYN-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="AS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001216 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006024 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.006380 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
FIN-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 3.345117 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
5 3.346344 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 3.346730 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 3.346745 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-ACK flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-ACK flags set, sent to LISTENING PORT, results in a RST
FIN-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001788 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007718 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.008070 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
PSH-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH] Seq=0 Win=8192 Len=0
4 0.001929 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=1785425873 Ack=1 Win=8192 Len=0 MSS=1460
7 0.008294 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH] Seq=0 Win=8192 Len=0
8 0.008872 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=730449456 Ack=1 Win=14600 Len=0 MSS=1460
From the above:
Windows 2012 - Packet with the PSH-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
CentOS 6.5 - Packet with the PSH-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
PSH-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 1.380943 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH] Seq=0 Win=8192 Len=0
6 1.383989 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
9 1.389811 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH] Seq=0 Win=8192 Len=0
12 1.392904 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
PSH-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PF"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH] Seq=0 Win=8192 Len=0
4 0.002823 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.007607 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH] Seq=0 Win=8192 Len=0
Windows 2012 - Packet with the PSH-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
PSH-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 2.501900 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH] Seq=0 Win=8192 Len=0
6 2.505076 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
9 2.510756 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH] Seq=0 Win=8192 Len=0
12 2.513249 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
--------------------------------------------------------------
RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 1.253590 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST] Seq=0 Win=8192 Len=0
8 1.259028 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with RST-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST-SYN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST] Seq=0 Win=8192 Len=0
2 0.001233 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only RST-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST-SYN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 14.172512 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST] Seq=0 Win=8192 Len=0
8 14.183378 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only RST-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST-FIN flag set, sent to LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
RST-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
9 4.935682 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST] Seq=0 Win=8192 Len=0
10 4.936662 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only RST-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST-FIN flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
--------------------------------------------------------------
SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 3.266392 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
8 3.267852 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
11 3.273375 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the SYN-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the SYN-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is there is no response from the TCP/IP Stack, the CentOS system simply drops the packet.
SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
4 0.001726 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006025 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
10 0.006219 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
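The per-capture observations above can be derived mechanically from the tshark summaries. The following Python is an added example, not code from the original post: it pairs each probe from 10.0.0.50 with the reply that mirrors its ports and records "Silent Discard" when no reply was captured. The sample lines are copied from the SYN-FIN captures above; the names `parse` and `response_matrix` are assumptions, and flag names keep tshark's ordering (so SYN-FIN appears as FIN-SYN).

```python
import re

# Sample lines copied from the SYN-FIN captures above (ports 80 and 81).
CAPTURE = """\
5 3.266392 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
8 3.267852 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
11 3.273375 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
4 0.001726 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006025 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
10 0.006219 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
"""

# tshark summary: no. time src -> dst TCP len [optional note] sport > dport [flags]
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)?(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)


def parse(line):
    """Return (src, dst, sport, dport, flags) or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m["flags"].replace(", ", "-")  # keep tshark's flag order
    return m["src"], m["dst"], int(m["sport"]), int(m["dport"]), flags


def response_matrix(capture, prober):
    """Map (target, port, probe flags) to the reply flags or 'Silent Discard'."""
    probes, replies = [], {}
    for pkt in filter(None, map(parse, capture.splitlines())):
        src, dst, sport, dport, flags = pkt
        if src == prober:
            probes.append((dst, dport, sport, flags))
        elif dst == prober:
            # A reply mirrors the probe's ports: target:port -> prober:sport.
            replies[(src, sport, dport)] = flags
    return {
        (target, port, flags): replies.get((target, port, sport), "Silent Discard")
        for target, port, sport, flags in probes
    }


if __name__ == "__main__":
    for key, reply in sorted(response_matrix(CAPTURE, "10.0.0.50").items()):
        print(*key, "->", reply)
```

Feed it one experiment's capture at a time: replies are keyed by target, port and source port, so mixing several flag combinations sent to the same port in one input would attribute a reply to every probe on that port.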
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853