Unskilled Attackers Pester Real Security Folks
Source: Internet | Editor: 程序博客网 | Time: 2024/06/07 02:54
Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST
Security = SYN
Folks = FIN
Uses
TCP flag information is most helpful to me when looking for particular types of traffic using Tcpdump. It's possible, for example, to capture only SYNs (new connection requests), only RSTs (immediate session teardowns), or any combination of the six flags really. As noted in my own little Tcpdump primer, you can capture these various flags like so:
Find all SYN packets:
tcpdump 'tcp[13] & 2 != 0'
Find all RST packets:
tcpdump 'tcp[13] & 4 != 0'
Find all ACK packets:
tcpdump 'tcp[13] & 16 != 0'
Notice the SYN example has the number 2 in it, the RST the number 4, and the ACK the number 16. Each flag is a single bit in the TCP flags byte, and the number is simply that bit's value. So when you write out the flags in order:
U A P R S F
...each position corresponds to:
32 16 8 4 2 1
The same byte also carries two ECN flags above URG (CWR at 128 and ECE at 64), which is why masking the byte with & is safer than comparing the whole byte for equality: an ECN-capable SYN still has the 2 bit set, but the byte as a whole is not equal to 2.
Example
So as you read the SYN capture tcpdump 'tcp[13] & 2 != 0', you're saying: take the byte at offset 13 of the TCP header (counting from zero, so it is the 14th byte, the one that holds the flags), AND it with 2, and only grab packets where the result is not zero. If you go from right to left in the UAPRSF string, the spot where 2 falls is where the S is, which is the SYN placeholder, and that's why you're capturing only packets with the SYN flag set when you apply that filter. Note that this matches any packet with SYN set, so it shows the server's SYN/ACK as well as the client's initial SYN; to see only the initial SYN you would additionally require that the ACK bit is clear.
# tcpdump 'tcp[13] & 2 != 0'
12:40:04.649404 IP 10.5.1.42.51584 > 64.233.187.99.http: S 1524039069:1524039069(0) win 65535
12:40:04.708459 IP 64.233.187.99.http > 10.5.1.42.51584: S 1416742397:1416742397(0) ack 1524039070 win 8190
You'll notice that when I netcat'd to Google on port 80 from another terminal, tcpdump shows only two out of the three steps involved in the three-way handshake. It didn't show the third because the final step is simply an ACK from my side, i.e. no SYN flag set.
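The following is an added example, not code from the original post: it builds the three handshake packets from the capture above as raw IPv4+TCP headers (constructed bytes, with the same addresses and ports), locates tcp[13] the way tcpdump does (after the IP header, whose length comes from the IHL field), and evaluates the three filter styles discussed above. The flag table, packet builder and function names are this example's own, not tcpdump's API. It also covers an ECN-capable SYN (SYN+ECE+CWR), which is exactly the case where comparing the whole byte for equality would miss a connection request.

```python
"""Added example: decode the TCP flags byte the way tcpdump's tcp[13]
filters address it, and run the filters over a constructed handshake."""
import struct

# Bit value of each flag in the TCP flags byte (tcp[13]). The mnemonic
# covers the low six bits; the top two, CWR and ECE, are the ECN flags
# (RFC 3168) and matter whenever the whole byte is compared with ==.
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40,
    "URG": 0x20, "ACK": 0x10, "PSH": 0x08,
    "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def flag_mask(*names):
    """Combine flag names into the integer a tcpdump filter uses, e.g. SYN,ACK -> 18."""
    return sum(TCP_FLAGS[n.upper()] for n in names)


def build_packet(flags, ihl_words=5):
    """Constructed IPv4 + TCP header bytes (no payload) carrying the given flags.

    ihl_words > 5 pads the IP header with zeroed option bytes, to show that
    tcp[13] must be found via the IHL field rather than a fixed offset.
    """
    ip_len = ihl_words * 4
    # IPv4: version/IHL, TOS, total length, id, frag, TTL, protocol 6 (TCP),
    # checksum (left zero: nothing here is sent on the wire), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ip_len + 20,
                     0, 0, 64, 6, 0,
                     bytes([10, 5, 1, 42]), bytes([64, 233, 187, 99]))
    ip += b"\x00" * (ip_len - 20)
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags, window,
    # checksum, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 51584, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def tcp_byte(pkt, offset):
    """tcpdump's tcp[N]: byte N of the TCP header, which starts after IHL*4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + offset]


def matches(pkt, mask, expect=None):
    """tcp[13] & mask != 0 when expect is None, otherwise tcp[13] & mask == expect."""
    value = tcp_byte(pkt, 13) & mask
    return value != 0 if expect is None else value == expect


# Constructed three-way handshake, mirroring the capture in the post.
HANDSHAKE = [
    ("client SYN", build_packet(flag_mask("SYN"))),
    ("server SYN/ACK", build_packet(flag_mask("SYN", "ACK"))),
    ("client ACK", build_packet(flag_mask("ACK"))),
]

# Constructed ECN-setup SYN: SYN with both ECN flags set (tcp[13] == 0xC2).
ECN_SYN = build_packet(flag_mask("SYN", "ECE", "CWR"))


def apply_filter(mask, expect=None, packets=HANDSHAKE):
    """Return the names of the packets a given tcp[13] filter would show."""
    return [name for name, pkt in packets if matches(pkt, mask, expect)]


if __name__ == "__main__":
    print("tcp[13] & 2 != 0   :", apply_filter(flag_mask("SYN")))
    print("tcp[13] & 18 == 2  :", apply_filter(flag_mask("SYN", "ACK"), flag_mask("SYN")))
    print("tcp[13] & 18 == 18 :", apply_filter(flag_mask("SYN", "ACK"), flag_mask("SYN", "ACK")))
    print("ECN SYN, tcp[13] == 2     :", matches(ECN_SYN, 0xFF, 2))
    print("ECN SYN, tcp[13] & 18 == 2:", matches(ECN_SYN, 18, 2))
```

The first filter reproduces the capture above (SYN and SYN/ACK shown, the bare ACK dropped). Masking with 18 and comparing against 2 isolates initial connection requests without being fooled by the ECN bits, which is the form to prefer when counting inbound SYNs for a scan or SYN-flood check.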
Conclusion
Remembering these flags and how to make use of them can go a long way in helping low-level network troubleshooting and security work, by isolating what it is you want to see and/or capture. And of course the better you can isolate the problem, the faster you can solve it.