Sunday, July 6, 2014

Stimulus and Response - TCP - Setting a single flag

In this first post, we will set 1 flag on each packet.

FIN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="F"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
 22   2.053441    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [FIN] Seq=0 Win=8192 Len=0
 23   2.054268   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
 24   2.054747    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [FIN] Seq=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with only FIN flag set, sent to LISTENING PORT, results in a RST-ACK

CentOS 6.5  - Packet with only FIN flag set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


FIN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="F"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  2   7.452878    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [FIN] Seq=0 Win=8192 Len=0
  5   7.454208   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
  8   7.459747    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [FIN] Seq=0 Win=8192 Len=0
 11   7.460909   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0



From the above:
Windows 2012 - Packet with only FIN flag set, sent to NON-LISTENING PORT, results in a RST-ACK

CentOS 6.5  - Packet with only FIN flag set, sent to NON-LISTENING PORT, results in a RST-ACK

---------------------------------------------------------------------------

SYN -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="S"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [SYN] Seq=0 Win=8192 Len=0
  4   0.001981   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [SYN, ACK] Seq=3564399764 Ack=1 Win=8192 Len=0 MSS=1460
  7   0.006482    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [SYN] Seq=0 Win=8192 Len=0
  8   0.007100   10.0.0.101 -> 10.0.0.50    TCP 60 80 > 5000 [SYN, ACK] Seq=1504198032 Ack=1 Win=14600 Len=0 MSS=1460


From the above:
Windows 2012 - Packet with only SYN flag set, sent to LISTENING PORT, results in a SYN-ACK

CentOS 6.5  - Packet with only SYN flag set, sent to LISTENING PORT, results in a SYN-ACK


SYN -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="S"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  5   8.859239    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [SYN] Seq=0 Win=8192 Len=0
  8   8.860945   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
 11   8.865713    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [SYN] Seq=0 Win=8192 Len=0
 12   8.866265   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0


From the above:
Windows 2012 - Packet with only SYN flag set, sent to NON-LISTENING PORT, results in a RST-ACK

CentOS 6.5  - Packet with only SYN flag set, sent to NON-LISTENING PORT, results in a RST-ACK


---------------------------------------------------------------------------


RST -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="R"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [RST] Seq=0 Win=8192 Len=0
  4   0.006243    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [RST] Seq=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with only RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with only RST flag set, sent to LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


RST -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="R"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 81 [RST] Seq=0 Win=8192 Len=0
  4   0.005582    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 81 [RST] Seq=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with only RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the Windows 2012 system simply drops the packet.

CentOS 6.5  - Packet with only RST flag set, sent to NON-LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


---------------------------------------------------------------------------
 

ACK -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="A"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  3   1.161009    10.0.0.50 -> 10.0.0.100   TCP 54 [TCP Window Update] 5000 > 80 [ACK] Seq=0 Ack=0 Win=8192 Len=0
  6   1.162377   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0
  9   1.167634    10.0.0.50 -> 10.0.0.101   TCP 54 [TCP Window Update] 5000 > 80 [ACK] Seq=0 Ack=0 Win=8192 Len=0
 12   1.170036   10.0.0.101 -> 10.0.0.50    TCP 60 80 > 5000 [RST] Seq=0 Win=0 Len=0



From the above:
Windows 2012 - Packet with only ACK flag set, sent to LISTENING PORT, results in a RST

CentOS 6.5  - Packet with only ACK flag set, sent to LISTENING PORT, results in a RST


ACK -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="A"),iface='eth0', count=1)
..
Sent 2 packets

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 [TCP Window Update] 5000 > 81 [ACK] Seq=0 Ack=0 Win=8192 Len=0
  4   0.000896   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
  7   0.006320    10.0.0.50 -> 10.0.0.101   TCP 54 [TCP Window Update] 5000 > 81 [ACK] Seq=0 Ack=0 Win=8192 Len=0
  8   0.006949   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0

From the above:
Windows 2012 - Packet with only ACK flag set, sent to a NON-LISTENING PORT, results in a RST

CentOS 6.5  - Packet with only ACK flag set, sent to a NON-LISTENING PORT, results in a RST


----------------------------------------------------------------------------


PSH -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="P"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0
  4   0.001861   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
  7   0.006921    10.0.0.50 -> 10.0.0.101   TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0

From the above:
Windows 2012 - Packet with only PSH flag set, sent to a LISTENING PORT, results in a RST-ACK

CentOS 6.5  - Packet with only PSH flag set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


PSH -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="P"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  3  41.524627    10.0.0.50 -> 10.0.0.100   TCP 54 [TCP Window Update] 5000 > 81 [PSH] Seq=0 Win=8192 Len=0
  6  41.527925   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
  9  41.532888    10.0.0.50 -> 10.0.0.101   TCP 54 [TCP Window Update] 5000 > 81 [PSH] Seq=0 Win=8192 Len=0
 10  41.533280   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with only PSH flag set, sent to a NON-LISTENING PORT, results in a RST-ACK

CentOS 6.5  - Packet with only PSH flag set, sent to a NON-LISTENING PORT, results in a RST-ACK

----------------------------------------------------------------------------

URG -> Windows 2012/CentOS 6.5 -> 80 (Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=80, flags="P"),iface='eth0', count=1)
..
Sent 2 packets

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0
  4   0.003736   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
  7   0.008091    10.0.0.50 -> 10.0.0.101   TCP 54 [TCP Window Update] 5000 > 80 [PSH] Seq=0 Win=8192 Len=0


From the above:
Windows 2012 - Packet with only URG flag set, sent to a LISTENING PORT, results in a RST-ACK

CentOS 6.5  - Packet with only URG flag set, sent to a LISTENING PORT, results in a Silent Discard. That is, there is no response from the TCP/IP stack; the CentOS system simply drops the packet.


URG -> Windows 2012/CentOS 6.5 -> 81 (Non-Listening)
>>> sendp(Ether()/IP(src="10.0.0.50", dst=["10.0.0.100","10.0.0.101"])/TCP(sport=5000, dport=81, flags="U"),iface='eth0', count=1)
..
Sent 2 packets.

root@securitynik:~# tshark -n -i eth0 -Y '((tcp.port==80) or (tcp.port==81))'
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 [TCP Window Update] 5000 > 81 [URG] Seq=0 Win=8192 Urg=0 Len=0
  2   0.000598   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
  3   0.001072    10.0.0.50 -> 10.0.0.101   TCP 54 [TCP Window Update] 5000 > 81 [URG] Seq=0 Win=8192 Urg=0 Len=0
  4   0.001492   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0


From the above:
Windows 2012 - Packet with only URG flag set, sent to a NON-LISTENING PORT, results in a RST-ACK

CentOS 6.5  - Packet with only URG flag set, sent to a NON-LISTENING PORT, results in a RST-ACK
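
The following is an added example, not code from the original post: it parses tshark summary lines like those above, pairs each stimulus with its reply (or records a silent discard), and compares the result with the reply RFC 793 prescribes for a segment arriving at a closed or listening port. The function names are hypothetical; the comparison against RFC 793 is an addition to the post's observations.

```python
import re

PROBER = "10.0.0.50"   # sending host in the captures
LISTENING = {80}       # per the post: port 80 is listening, port 81 is not
# tshark summary lines copied from the FIN/80 and ACK/81 captures on this page.
CAPTURE = """\
 22   2.053441    10.0.0.50 -> 10.0.0.100   TCP 54 5000 > 80 [FIN] Seq=0 Win=8192 Len=0
 23   2.054268   10.0.0.100 -> 10.0.0.50    TCP 60 80 > 5000 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
 24   2.054747    10.0.0.50 -> 10.0.0.101   TCP 54 5000 > 80 [FIN] Seq=0 Win=8192 Len=0
  1   0.000000    10.0.0.50 -> 10.0.0.100   TCP 54 [TCP Window Update] 5000 > 81 [ACK] Seq=0 Ack=0 Win=8192 Len=0
  4   0.000896   10.0.0.100 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
  7   0.006320    10.0.0.50 -> 10.0.0.101   TCP 54 [TCP Window Update] 5000 > 81 [ACK] Seq=0 Ack=0 Win=8192 Len=0
  8   0.006949   10.0.0.101 -> 10.0.0.50    TCP 60 81 > 5000 [RST] Seq=0 Win=0 Len=0
"""
LINE = re.compile(r"(\S+) -> (\S+)\s+TCP \d+ (?:\[[^\]]*\] )?(\d+) > (\d+) \[([^\]]+)\]")

def response_matrix(capture):
    """Map (target, port, stimulus flags) -> reply flags or 'silent discard'."""
    matrix, pending = {}, {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, sport, dport, flags = m.groups()
        if src == PROBER:                    # stimulus: assume no answer yet
            key = (dst, int(dport), flags)
            matrix[key] = "silent discard"
            pending[(dst, int(dport))] = key
        elif (src, int(sport)) in pending:   # reply to the latest stimulus
            matrix[pending.pop((src, int(sport)))] = flags
    return matrix

def rfc793_expected(flags, listening):
    """Reply RFC 793 prescribes for a segment arriving in CLOSED or LISTEN."""
    if "RST" in flags:
        return "silent discard"              # an RST is never answered
    if not listening:                        # CLOSED: always reset
        return "RST" if "ACK" in flags else "RST, ACK"
    if "ACK" in flags:                       # LISTEN: a stray ACK is reset
        return "RST"
    return "SYN, ACK" if "SYN" in flags else "silent discard"

def deviations(capture):
    """Rows whose observed reply differs from the RFC 793 expectation."""
    return [(h, p, stim, seen, want)
            for (h, p, stim), seen in response_matrix(capture).items()
            if seen != (want := rfc793_expected(stim, p in LISTENING))]

print(deviations(CAPTURE))
```

The single row reported is the RST-ACK that 10.0.0.100 (the Windows 2012 host in these captures) returns to a bare FIN on the listening port; the CentOS 6.5 silent discard is what RFC 793 describes for the LISTEN state.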


If you wish to have this as a reference, you may download:
"Stimulus and Response.pdf" document.
md5:8c931888caf948504188f57440396ebc
sha-1:c4cb5b06928e660a09ddc7eaf4b7e32fb0dd1a27

stimulus-response.xlsx
MD5:6176b65c89b73e3b07a519bf77db462a
SHA-1:1ff6308e2a56a1c950e4cc5831932d78563bf853 
