In the previous post we dealt with setting individual flags. However, what happens when we send a packet with various combinations of 2 flags? Let's find out.
FIN-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.934865 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
6 3.936696 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
9 3.948311 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
FIN-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 2.002337 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
6 2.004018 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
9 2.010447 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
12 2.013828 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the FIN-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
RST-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RP"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 10.357223 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH] Seq=0 Win=8192 Len=0
8 10.363234 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-PSH flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-PSH flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
RST-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RP"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 6.826082 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, PSH] Seq=0 Win=8192 Len=0
6 6.832142 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-PSH flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-PSH flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
---------------------------------------------------------------
ACK-URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001850 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007789 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.010094 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-URG flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-URG flags set, sent to LISTENING PORT, results in a RST
ACK-URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.003142 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007261 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 0.007798 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-URG flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-URG flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
URG-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001790 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.006253 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
URG-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001132 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.006518 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, URG] Seq=0 Win=8192 Urg=0 Len=0
10 0.008365 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
URG-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="US"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
13 5.585379 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
16 5.588931 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=957194415 Ack=1 Win=8192 Len=0 MSS=1460
19 5.593237 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
22 5.595879 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=1703572497 Ack=1 Win=14600 Len=0 MSS=1460
From the above:
Windows 2012 - Packet with the URG-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
CentOS 6.5 - Packet with the URG-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
URG-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="US"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 7.948457 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
8 7.950322 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
11 7.955180 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
12 7.955767 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
Windows 2012 - Packet with the URG-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
URG-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.008478 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-RST flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-RST flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
URG-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
2 0.000989 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, URG] Seq=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-RST flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-RST flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
---------------------------------------------------------------
URG-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.002659 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7 0.007878 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH, URG] Seq=0 Win=8192 Urg=0 Len=0
Windows 2012 - Packet with the URG-PSH flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-PSH flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
URG-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [PSH, URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.002396 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7 0.006092 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [PSH, URG] Seq=0 Win=8192 Urg=0 Len=0
10 0.007837 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
Windows 2012 - Packet with the URG-PSH flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the URG-PSH flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
ACK-PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="AP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 3.254561 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
6 3.257235 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 3.261255 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
12 3.262827 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-PSH flags set, sent to LISTENING PORT, results in a RST
ACK-PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="AP"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
7 4.247236 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
10 4.248504 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
11 4.248577 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
12 4.248994 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the ACK-PSH flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
ACK-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="AR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
7 14.580837 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
10 14.587160 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-RST flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-RST flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
ACK-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="AR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 1.871013 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 1.871912 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-RST flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-RST flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
---------------------------------------------------------------
SYN-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="AS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 9.046910 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
6 9.048661 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 9.054315 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
12 9.056520 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-ACK flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the SYN-ACK flags set, sent to LISTENING PORT, results in a RST
SYN-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="AS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001216 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006024 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.006380 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the SYN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
FIN-ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="FA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 3.345117 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
5 3.346344 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 3.346730 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 3.346745 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-ACK flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-ACK flags set, sent to LISTENING PORT, results in a RST
FIN-ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="FA"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.001788 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007718 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.008070 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the FIN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the FIN-ACK flags set, sent to NON-LISTENING PORT, results in a RST
---------------------------------------------------------------
PSH-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH] Seq=0 Win=8192 Len=0
4 0.001929 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=1785425873 Ack=1 Win=8192 Len=0 MSS=1460
7 0.008294 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH] Seq=0 Win=8192 Len=0
8 0.008872 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=730449456 Ack=1 Win=14600 Len=0 MSS=1460
From the above:
Windows 2012 - Packet with the PSH-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
CentOS 6.5 - Packet with the PSH-SYN flags set, sent to LISTENING PORT, results in a SYN-ACK
PSH-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 1.380943 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH] Seq=0 Win=8192 Len=0
6 1.383989 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
9 1.389811 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH] Seq=0 Win=8192 Len=0
12 1.392904 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------
PSH-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PF"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH] Seq=0 Win=8192 Len=0
4 0.002823 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
7 0.007607 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH] Seq=0 Win=8192 Len=0
Windows 2012 - Packet with the PSH-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
PSH-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 2.501900 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH] Seq=0 Win=8192 Len=0
6 2.505076 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
9 2.510756 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH] Seq=0 Win=8192 Len=0
12 2.513249 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
--------------------------------------------------------------
RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 1.253590 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST] Seq=0 Win=8192 Len=0
8 1.259028 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-SYN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-SYN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST] Seq=0 Win=8192 Len=0
2 0.001233 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-SYN flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-SYN flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------------
RST-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="RF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 14.172512 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST] Seq=0 Win=8192 Len=0
8 14.183378 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
RST-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="RF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
9 4.935682 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST] Seq=0 Win=8192 Len=0
10 4.936662 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the RST-FIN flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the RST-FIN flags set, sent to a NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
--------------------------------------------------------------
SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="SF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 3.266392 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
8 3.267852 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
11 3.273375 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the SYN-FIN flags set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the SYN-FIN flags set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP Stack; the CentOS system simply drops the packet.
SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="SF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
4 0.001726 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
7 0.006025 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
10 0.006219 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
From the above:
Windows 2012 - Packet with the SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with the SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST-ACK
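The "From the above" summaries can be derived mechanically from the tshark output. The following is an added example, not part of the original post: it parses summary lines in the format shown on this page, pairs each probe sent from 10.0.0.50 with the reply (or the lack of one), and lists the stimuli to which the two stacks answer differently. The function names and the SAMPLE string (lines copied from three of the captures above) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

PROBER = "10.0.0.50"       # address the probes on this page were sent from
SILENT = "Silent Discard"  # label used when a probe gets no reply

# Constructed sample: summary lines copied from three separate captures above
# (FIN-SYN to port 80, FIN-SYN to port 81, URG-SYN to port 80).
SAMPLE = """\
3 3.934865 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
6 3.936696 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 80 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
9 3.948311 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN] Seq=0 Win=8192 Len=0
3 2.002337 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
6 2.004018 10.0.0.100 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
9 2.010447 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN] Seq=0 Win=8192 Len=0
12 2.013828 10.0.0.101 -> 10.0.0.50 TCP 60 [TCP ACKed unseen segment] 81 > 5000 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
13 5.585379 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
16 5.588931 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=957194415 Ack=1 Win=8192 Len=0 MSS=1460
19 5.593237 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, URG] Seq=0 Win=8192 Urg=0 Len=0
22 5.595879 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=1703572497 Ack=1 Win=14600 Len=0 MSS=1460
"""

# frame, time, src -> dst, TCP, length, optional "[TCP ...]" note, sport > dport, [flags]
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)?(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)


def parse_line(line):
    """Return the fields of one tshark TCP summary line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "sport": int(m["sport"]),
        "dport": int(m["dport"]),
        # "[RST, ACK]" -> "RST-ACK", keeping tshark's flag order
        "flags": "-".join(f.strip() for f in m["flags"].split(",")),
    }


def response_matrix(capture, prober=PROBER):
    """Map (stimulus flags, destination port) -> {host: response flags or SILENT}."""
    matrix = defaultdict(dict)
    pending = {}  # (host, port) -> stimulus key still waiting for a reply
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] == prober:
            key = (pkt["flags"], pkt["dport"])
            matrix[key][pkt["dst"]] = SILENT  # stays SILENT unless a reply follows
            pending[(pkt["dst"], pkt["dport"])] = key
        elif pkt["dst"] == prober:
            key = pending.pop((pkt["src"], pkt["sport"]), None)
            if key is not None:
                matrix[key][pkt["src"]] = pkt["flags"]
    return dict(matrix)


def discriminators(matrix):
    """Stimuli whose response differs between hosts, i.e. those that tell the stacks apart."""
    return sorted(key for key, per_host in matrix.items()
                  if len(set(per_host.values())) > 1)


if __name__ == "__main__":
    table = response_matrix(SAMPLE)
    for (stimulus, port), per_host in sorted(table.items()):
        print(stimulus, port, per_host)
    print("differs between hosts:", discriminators(table))
```

In the sample, only FIN-SYN to the listening port separates 10.0.0.100 (Windows 2012) from 10.0.0.101 (CentOS 6.5); the non-listening port and URG-SYN produce identical answers from both.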
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853