In the 3 previous posts in this series, we looked at setting 1, then 2 and then 3 flags. In this post we will set 4 flags. So without further ado, let's look at setting 4 flags.
--------------------------------------------------------
URG-ACK-PSH-RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001673 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
URG-ACK-PSH-RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPR"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 9.982480 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
8 9.990088 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the URG-ACK-PSH-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
--------------------------------------------------------
URG-ACK-PSH-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.000608 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007313 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.009664 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-SYN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-SYN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-PSH-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001550 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 0.001607 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.002232 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
URG-ACK-PSH-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.002013 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
5 0.002365 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
6 0.002845 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-FIN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-PSH-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001450 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007067 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.009361 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
ACK-PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.006835 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
ACK-PSH-RST-SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRS"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.001947 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
--------------------------------------------------------
ACK-PSH-RST-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
2 0.000912 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
ACK-PSH-RST-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
11 5.260897 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
14 5.266354 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
--------------------------------------------------------
PSH-RST-SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 7.782003 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
8 7.788585 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
PSH-RST-SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PRSF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 1.527062 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
5 1.527916 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with the PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with the PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
--------------------------------------------------------
URG-ACK-SYN-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UASF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.001974 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006452 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.007292 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN-FIN flags set, sent to LISTENING PORT, results in a RST
URG-ACK-SYN-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UASF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001163 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
5 0.001950 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
6 0.001961 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the URG-ACK-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the URG-ACK-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST
--------------------------------------------------------
PSH-ACK-URG-FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PAUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
4 8.797922 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
7 8.799443 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
10 8.804208 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
11 8.804788 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-URG-FIN flags set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-URG-FIN flags set, sent to LISTENING PORT, results in a RST
PSH-ACK-URG-FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PAUF"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001308 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
3 0.001721 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.002662 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with the PSH-ACK-URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with the PSH-ACK-URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST
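The "From the above" summaries can be derived mechanically from a saved tshark capture. The following is an added example, not part of the original post: it pairs each stimulus with the reply from the same target and port, and records a Silent Discard when no reply appears. The function names `parse` and `summarize` are hypothetical, and the prober address defaults to the 10.0.0.50 sender used throughout this post.

```python
import re

# One-line tshark summary as printed in the captures above; newer tshark
# releases print "→" instead of "->", so both are accepted.
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?:->|→)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse(line):
    """Return src, dst, ports and a normalised flag string, or None."""
    m = LINE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    pkt["flags"] = "-".join(f.strip() for f in pkt["flags"].split(","))
    return pkt

def summarize(lines, prober="10.0.0.50"):
    """Map (target, port, stimulus flags) -> response flags or 'Silent Discard'."""
    table, pending = {}, {}
    for pkt in filter(None, map(parse, lines)):
        if pkt["src"] == prober:
            key = (pkt["dst"], pkt["dport"], pkt["flags"])
            table[key] = "Silent Discard"        # stands until a reply is seen
            pending[(pkt["dst"], pkt["dport"])] = key
        elif pkt["dst"] == prober:
            # Attribute the reply to the latest unanswered stimulus for that port.
            key = pending.pop((pkt["src"], pkt["sport"]), None)
            if key is not None:
                table[key] = pkt["flags"]
    return table

# Sample input: lines taken from the port 80 captures earlier in this post.
SAMPLE = """\
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
2 0.001673 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
4 0.000608 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.007313 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
10 0.009664 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
""".splitlines()

if __name__ == "__main__":
    for (target, port, stimulus), response in summarize(SAMPLE).items():
        print(f"{target}:{port}  {stimulus:<18} -> {response}")
```

A missing reply in the capture is all this can observe, so a packet dropped by a filtering device in the path is reported the same way as a discard by the target's own stack.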
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853