In this first post, we will set 1 flag on each packet.
FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="F"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
22 2.053441 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN] Seq=0 Win=8192 Len=0
23 2.054268 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
24 2.054747 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only FIN flag set, sent to LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with only FIN flag set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="F"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
2 7.452878 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [FIN] Seq=0 Win=8192 Len=0
5 7.454208 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
8 7.459747 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [FIN] Seq=0 Win=8192 Len=0
11 7.460909 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with only FIN flag set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with only FIN flag set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------------------
SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="S"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [SYN] Seq=0 Win=8192 Len=0
4 0.001981 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=3564399764 Ack=1 Win=8192 Len=0 MSS=1460
7 0.006482 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [SYN] Seq=0 Win=8192 Len=0
8 0.007100 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [SYN, ACK] Seq=1504198032 Ack=1 Win=14600 Len=0 MSS=1460
From the above:
Windows 2012 - Packet with only SYN flag set, sent to LISTENING PORT, results in a SYN-ACK
CentOS 6.5 - Packet with only SYN flag set, sent to LISTENING PORT, results in a SYN-ACK
SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="S"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
5 8.859239 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [SYN] Seq=0 Win=8192 Len=0
8 8.860945 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
11 8.865713 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [SYN] Seq=0 Win=8192 Len=0
12 8.866265 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
From the above:
Windows 2012 - Packet with only SYN flag set, sent to NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with only SYN flag set, sent to NON-LISTENING PORT, results in a RST-ACK
---------------------------------------------------------------------------
RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="R"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [RST] Seq=0 Win=8192 Len=0
4 0.006243 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="R"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 81 [RST] Seq=0 Win=8192 Len=0
4 0.005582 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 81 [RST] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.
CentOS 6.5 - Packet with only RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
---------------------------------------------------------------------------
ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="A"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 1.161009 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [ACK] Seq=0 Ack=0 Win=8192 Len=0
6 1.162377 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
9 1.167634 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [ACK] Seq=0 Ack=0 Win=8192 Len=0
12 1.170036 10.0.0.101 -> 10.0.0.50 TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with only ACK flag set, sent to LISTENING PORT, results in a RST
CentOS 6.5 - Packet with only ACK flag set, sent to LISTENING PORT, results in a RST
ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="A"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [ACK] Seq=0 Ack=0 Win=8192 Len=0
4 0.000896 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
7 0.006320 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [ACK] Seq=0 Ack=0 Win=8192 Len=0
8 0.006949 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with only ACK flag set, sent to a NON-LISTENING PORT, results in a RST
CentOS 6.5 - Packet with only ACK flag set, sent to a NON-LISTENING PORT, results in a RST
----------------------------------------------------------------------------
PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="P"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0
4 0.001861 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7 0.006921 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only PSH flag set, sent to a LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with only PSH flag set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="P"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
3 41.524627 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [PSH] Seq=0 Win=8192 Len=0
6 41.527925 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
9 41.532888 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [PSH] Seq=0 Win=8192 Len=0
10 41.533280 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with only PSH flag set, sent to a NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with only PSH flag set, sent to a NON-LISTENING PORT, results in a RST-ACK
----------------------------------------------------------------------------
URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="P"),iface='eth0', count=1)
..
Sent 2 packets
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0
4 0.003736 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7 0.008091 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0
From the above:
Windows 2012 - Packet with only URG flag set, sent to a LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with only URG flag set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.
URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="U"),iface='eth0', count=1)
..
Sent 2 packets.
root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 81 [URG] Seq=0 Win=8192 Urg=0 Len=0
2 0.000598 10.0.0.100 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
3 0.001072 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 81 [URG] Seq=0 Win=8192 Urg=0 Len=0
4 0.001492 10.0.0.101 -> 10.0.0.50 TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
From the above:
Windows 2012 - Packet with only URG flag set, sent to a NON-LISTENING PORT, results in a RST-ACK
CentOS 6.5 - Packet with only URG flag set, sent to a NON-LISTENING PORT, results in a RST-ACK
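The observations above can be checked against what RFC 793 ("SEGMENT ARRIVES") prescribes for a port with no existing connection. The following is an added example, not part of the original post: it pairs each probe in a tshark summary with its reply (or records a silent discard) and lists the hosts whose reply differs from the RFC. The function names are hypothetical, and the sample lines are copied from the FIN and PSH port-80 captures on this page.

```python
import re

# tshark one-line summary: src -> dst TCP len [optional note] sport > dport [FLAGS]
LINE = re.compile(r"(\S+) -> (\S+) TCP \d+ (?:\[[^\]]*\] )?(\d+) > (\d+) \[([A-Z, ]+)\]")

def rfc793_expected(flags, listening):
    """Reply flags RFC 793 ("SEGMENT ARRIVES") prescribes; None means no reply."""
    if "RST" in flags:
        return None                      # a RST never draws a reply
    if "ACK" in flags:
        return "RST"                     # LISTEN and CLOSED both reset a stray ACK
    if not listening:
        return "RST, ACK"                # CLOSED: reset anything else
    return "SYN, ACK" if "SYN" in flags else None  # LISTEN: lone FIN/PSH/URG dropped

def pair_probes(capture, prober):
    """Map (target, dport, probe flags) -> reply flags, or None for silent discard."""
    pkts = [m.groups() for m in map(LINE.search, capture.splitlines()) if m]
    seen = {}
    for i, (src, dst, sport, dport, flags) in enumerate(pkts):
        if src != prober:
            continue
        reply = None
        for s, d, sp, dp, f in pkts[i + 1:]:
            if (s, d, sp, dp) == (src, dst, sport, dport):
                break                    # next probe arrived first: no reply seen
            if (s, d, sp, dp) == (dst, src, dport, sport):
                reply = f
                break
        seen[(dst, int(dport), flags)] = reply
    return seen

def deviations(capture, prober, listening):
    """Probes whose observed reply differs from the RFC 793 expectation."""
    return [(host, port, flags, got)
            for (host, port, flags), got in pair_probes(capture, prober).items()
            if got != rfc793_expected(flags.split(", "), port in listening)]

# Summary lines copied from the FIN and PSH captures on this page.
CAPTURE = """\
22 2.053441 10.0.0.50 -> 10.0.0.100 TCP 54 5000 > 80 [FIN] Seq=0 Win=8192 Len=0
23 2.054268 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
24 2.054747 10.0.0.50 -> 10.0.0.101 TCP 54 5000 > 80 [FIN] Seq=0 Win=8192 Len=0
1 0.000000 10.0.0.50 -> 10.0.0.100 TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0
4 0.001861 10.0.0.100 -> 10.0.0.50 TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7 0.006921 10.0.0.50 -> 10.0.0.101 TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0
"""

print(deviations(CAPTURE, "10.0.0.50", {80}))
```

On these lines only the Windows 2012 host (10.0.0.100) is reported: it answers a lone FIN or PSH on a listening port with RST-ACK, where the RFC calls for the segment to be dropped, as CentOS 6.5 does.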
If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27
stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853