Sunday, July 6, 2014

Stimulus and Response - TCP - Setting 4 flags

In the 3 previous posts in this series, we looked at setting 1, then 2, and then 3 flags. In this post we will set 4 flags. So without further ado, let's look at setting 4 flags.
--------------------------------------------------------

URG-ACK-PSH-RST  -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPR"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  2   0.001673    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0


From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with the URG-ACK-PSH-RST flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
       
URG-ACK-PSH-RST  -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPR"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  5   9.982480    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  8   9.990088    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [RST, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0


From the above:
Windows 2012 - Packet with the URG-ACK-PSH-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with the URG-ACK-PSH-RST flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.

--------------------------------------------------------

URG-ACK-PSH-SYN  -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPS"),iface='eth0', count=1)
..
Sent 2 packets.


root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  4   0.000608   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
  7   0.007313    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
 10   0.009664   10.0.0.101 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with the URG-ACK-PSH-SYN flags set, sent to LISTENING PORT, results in a RST

CentOS 6.5  - Packet with the URG-ACK-PSH-SYN flags set, sent to LISTENING PORT, results in a RST
   
URG-ACK-PSH-SYN  -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPS"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  4   0.001550    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  5   0.001607   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
  6   0.002232   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with the URG-ACK-PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST

CentOS 6.5  - Packet with the URG-ACK-PSH-SYN flags set, sent to NON-LISTENING PORT, results in a RST


--------------------------------------------------------

URG-ACK-PSH-FIN  -> Windows 2012/CentOS 6.5 -> 80 (Listening)   
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UAPF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  4   0.002013   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
  5   0.002365    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  6   0.002845   10.0.0.101 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with the URG-ACK-PSH-FIN flags set, sent to LISTENING PORT, results in a RST

CentOS 6.5  - Packet with the URG-ACK-PSH-FIN flags set, sent to LISTENING PORT, results in a RST
   
URG-ACK-PSH-FIN  -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UAPF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  4   0.001450   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
  7   0.007067    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
 10   0.009361   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with the URG-ACK-PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST

CentOS 6.5  - Packet with the URG-ACK-PSH-FIN flags set, sent to NON-LISTENING PORT, results in a RST

--------------------------------------------------------
   
ACK-PSH-RST-SYN  -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRS"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
  4   0.006835    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with the ACK-PSH-RST-SYN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


ACK-PSH-RST-SYN  -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)   
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRS"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
  2   0.001947    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with the ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with the ACK-PSH-RST-SYN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


--------------------------------------------------------   

ACK-PSH-RST-FIN  -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="APRF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
  2   0.000912    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0

 

From the above:
Windows 2012 - Packet with the ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with the ACK-PSH-RST-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


ACK-PSH-RST-FIN  -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="APRF"),iface='eth0', count=1)
..
Sent 2 packets.


root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
 11   5.260897    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
 14   5.266354    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [FIN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with the ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with the ACK-PSH-RST-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.

--------------------------------------------------------
   
PSH-RST-SYN-FIN  -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PRSF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  5   7.782003    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
  8   7.788585    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with the PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with the PSH-RST-SYN-FIN flags set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


PSH-RST-SYN-FIN  -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PRSF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  4   1.527062    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0
  5   1.527916    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [FIN, SYN, RST, PSH] Seq=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with the PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with the PSH-RST-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.

--------------------------------------------------------   
   
URG-ACK-SYN-FIN  -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="UASF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  4   0.001974   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
  7   0.006452    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
 10   0.007292   10.0.0.101 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with the URG-ACK-SYN-FIN flags set, sent to LISTENING PORT, results in a RST

CentOS 6.5  - Packet with the URG-ACK-SYN-FIN flags set, sent to LISTENING PORT, results in a RST
   
   
URG-ACK-SYN-FIN  -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="UASF"),iface='eth0', count=1)
..
Sent 2 packets.


root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  2   0.001163    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [FIN, SYN, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  5   0.001950   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
  6   0.001961   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with the URG-ACK-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST

CentOS 6.5  - Packet with the URG-ACK-SYN-FIN flags set, sent to NON-LISTENING PORT, results in a RST

--------------------------------------------------------   
   
PSH-ACK-URG-FIN  -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="PAUF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  4   8.797922    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  7   8.799443   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
 10   8.804208    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
 11   8.804788   10.0.0.101 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with the PSH-ACK-URG-FIN flags set, sent to LISTENING PORT, results in a RST

CentOS 6.5  - Packet with the PSH-ACK-URG-FIN flags set, sent to LISTENING PORT, results in a RST


PSH-ACK-URG-FIN  -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="PAUF"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  2   0.001308   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
  3   0.001721    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [FIN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  4   0.002662   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with the PSH-ACK-URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST

CentOS 6.5  - Packet with the PSH-ACK-URG-FIN flags set, sent to NON-LISTENING PORT, results in a RST
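
The captures in this post can be reduced to a stimulus/response table mechanically. The following is an added example, not part of the original post: it parses tshark summary lines in the format shown above and marks each probe as answered with a RST or silently discarded. The function names, and the rule that a RST is attributed to the most recent probe on the same host and port pair, are assumptions of this example; the sample lines are copied from two of the port-80 captures above.

```python
import re

# tshark one-line summary as printed in the captures on this page:
#   frame  time  src -> dst  TCP len  sport > dport  [FLAGS] ...
LINE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+TCP\s+\d+\s+"
                  r"(\d+)\s+>\s+(\d+)\s+\[([A-Z, ]+)\]")

def parse(line):
    """Return (src, dst, sport, dport, flagset), or None for non-packet lines."""
    m = LINE.match(line)
    if not m:
        return None
    src, dst, sport, dport, flags = m.groups()
    return src, dst, int(sport), int(dport), frozenset(flags.replace(" ", "").split(","))

def summarize(capture, prober):
    """Map (target, port, probe flags) -> 'RST' or 'Silent Discard'."""
    results, pending = {}, {}
    for pkt in filter(None, map(parse, capture.splitlines())):
        src, dst, sport, dport, flags = pkt
        if src == prober:                       # stimulus leaving the prober
            key = (dst, dport, "-".join(sorted(flags)))
            results.setdefault(key, "Silent Discard")
            pending[(dst, dport, sport)] = key  # awaiting a reply on this 3-tuple
        elif dst == prober and "RST" in flags:  # response from a target
            key = pending.pop((src, sport, dport), None)
            if key:
                results[key] = "RST"
    return results

# Lines copied from two of the port-80 captures above (UAPS, then APRS).
SAMPLE = """\
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
  4   0.000608   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
  7   0.007313    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [SYN, PSH, ACK, URG] Seq=0 Ack=0 Win=8192 Urg=0 Len=0
 10   0.009664   10.0.0.101 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
  4   0.006835    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [SYN, RST, PSH, ACK] Seq=0 Ack=0 Win=8192 Len=0
"""

if __name__ == "__main__":
    for (host, port, flags), outcome in sorted(summarize(SAMPLE, "10.0.0.50").items()):
        print(f"{host}:{port}  {flags:<20} -> {outcome}")
```

Flag names in the result keys are sorted alphabetically, so the same combination typed in a different order (for example "UAPF" and "PAUF") collapses into one row.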

If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
MD5:8c931888caf948504188f57440396ebc
SHA-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27

stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853
