Saturday, 5 April 2008

Sniffing the Network

A network sniffer is a device that captures and displays network traffic. Your existing computers have the ability to operate as sniffers. Network cards usually pass information up the protocol stack only if it is intended for that computer; any network traffic not intended for that computer is ignored. Most NICs can be placed into what is called promiscuous mode, which allows the NIC to capture all information that it sees on the network. Most networks are bus-oriented, in that all traffic is sent to all internal computer systems. Devices such as routers, bridges, and switches can be used to separate or segment networks within a larger network (known as virtual LANs or VLANs). Any traffic in a particular segment is visible to all stations in that segment.
Adding a network sniffer such as the one included by Microsoft in its Systems Management
Server (SMS) package allows any computer to function as a network sniffer. This software is
widely available and is very capable. A number of public domain or shareware sniffers are also
available online.
Using a sniffer, an internal attacker can capture all the information transported by the network. Many advanced sniffers can reassemble packets and create entire messages including user IDs and passwords. This vulnerability is particularly acute in environments where network connections are easily accessible to outsiders. For example, an attacker could put a laptop or a portable computer in your wiring closet and attach it to your network.

Scanning Ports

A TCP/IP network makes many of the ports available to outside users through the router. These ports respond in a predictable manner when queried. For example, TCP attempts synchronization when a session initiation occurs. An attacker can systematically query your network to determine which services and ports are open. This process is called port scanning, and it’s part of fingerprinting a network; it can reveal a great deal about your systems. Port scans can be performed both internally and externally. Many routers, unless configured appropriately, will let all of the protocols pass through them.
Port scans are used to figure out what services are running on a network.
Individual systems within a network may also have applications and services running that the owner doesn’t know about. These services could potentially allow an internal attacker to gain access to information by connecting to that port. Many Microsoft Internet Information Server (IIS) users don’t realize the weak security offered by this product. If they didn’t install all of the security patches when they installed IIS on their desktops, attackers can exploit the weaknesses of IIS and gain access to information. This has been done in many cases without the knowledge of the owner. These attacks might not technically be considered TCP/IP attacks, but they are, because they use the inherent trust of TCP to facilitate the attacks.
Once they know the IP addresses of your systems, external attackers can attempt to communicate with the ports open in your network, sometimes simply using Telnet.
To check whether a system has a particular protocol or port available, all you have to do is use the telnet command and add the port number. For example, you can check to see if a particular server is running an e-mail server program by entering telnet www.yourintrouble.com 25. This initiates a Telnet connection to the server on port 25. If the server is running SMTP, it will immediately respond with logon information. It doesn’t take much to figure out how to talk to SMTP; the interface is well documented. If an e-mail account didn’t have a password, this system is now vulnerable to attack.
This process of port scanning can be expanded to develop a footprint of your organization. If
your attacker has a single IP address of a system in your network, they can probe all the addresses
in the range and probably determine what other systems and protocols your network is utilizing.
This allows the attacker to gain knowledge about the internal structure of your network.
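
Both patterns described in this section, one source querying many ports on a single system and one source probing the same port across an address range, leave a recognizable trace in firewall logs. The following detection sketch is an added example, not part of the original text; the log format, the addresses (documentation ranges), and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified firewall-log style (not real traffic).
SAMPLE_LOG = (
    [f"IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={p}"
     for p in (21, 22, 23, 25, 80, 110)]
    + [f"IN=eth0 SRC=198.51.100.9 DST=192.0.2.{h} PROTO=TCP DPT=25"
       for h in range(1, 7)]
    + ["IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=25"] * 3
)

LINE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def find_scanners(lines, port_threshold=5, host_threshold=5):
    """Flag sources whose connection attempts look like a scan.

    vertical:   one source tried many distinct ports on one host
    horizontal: one source tried the same port on many hosts (range sweep)
    """
    ports_per_target = defaultdict(set)  # (src, dst)  -> ports tried
    hosts_per_port = defaultdict(set)    # (src, port) -> hosts tried
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a connection record
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            findings.append(("vertical", src, dst, len(ports)))
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.append(("horizontal", src, port, len(hosts)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_scanners(SAMPLE_LOG):
        print(finding)
```

The repeated mail connections from 192.0.2.50 are not flagged because they touch one port on one host; only the breadth of ports or hosts per source crosses a threshold.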

TCP Attacks

TCP operates using synchronized connections. The synchronization is vulnerable to attack; this
is probably the most common attack used today. As you may recall, the synchronization, or
handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a
DoS attack referred to as a TCP SYN flood attack. The protocol is also susceptible to access and
modification attacks, which are briefly explained in the following sections.

TCP SYN or TCP ACK Flood Attack

The TCP SYN flood, also referred to as the TCP ACK attack, is very common. The purpose of this attack is to deny service. The attack begins as a normal TCP connection: The client and server exchange information in TCP packets. Figure 2.11 illustrates how this attack occurs. Notice that the TCP client continues to send ACK packets to the server. These ACK packets tell the server that a connection is requested. The server responds with an ACK packet to the client. The client is supposed to respond with another packet accepting the connection, and a session is established.
In this attack, the client continually sends and receives the ACK packets but doesn’t open the
session. The server holds these sessions open, awaiting the final packet in the sequence. This causes
the server to fill up the available sessions and denies other clients the ability to access the resources.
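
On a Linux server, the sessions held open while awaiting the final packet of the handshake appear in `ss -tan` output in the SYN-RECV state, so counting them per listening port shows when a service is close to running out of slots. The following is an added example, not part of the original text; the sample output, the backlog size, and the 80% alert ratio are constructed assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan` (not captured output).
SAMPLE_SS = "\n".join(
    ["State     Recv-Q Send-Q Local Address:Port Peer Address:Port",
     "LISTEN    0      8      0.0.0.0:80         0.0.0.0:*",
     "ESTAB     0      0      192.0.2.10:80      192.0.2.50:51514"]
    + [f"SYN-RECV  0      0      192.0.2.10:80      203.0.113.{i}:4000{i}"
       for i in range(1, 8)]
    + ["SYN-RECV  0      0      192.0.2.10:25      192.0.2.51:40100"]
)


def half_open_by_port(ss_output):
    """Count half-open (SYN-RECV) connections per local port."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue  # header, LISTEN, ESTAB and other states
        # Local address is "addr:port"; rsplit also copes with "[::1]:80".
        port = int(fields[3].rsplit(":", 1)[1])
        counts[port] += 1
    return counts


def flood_suspects(ss_output, backlog, ratio=0.8):
    """Ports whose half-open count has reached `ratio` of the backlog.

    `backlog` is the number of pending sessions the service can hold;
    it is supplied by the caller (an assumption of this example).
    """
    limit = backlog * ratio
    return sorted(port for port, n in half_open_by_port(ss_output).items()
                  if n >= limit)


if __name__ == "__main__":
    print(dict(half_open_by_port(SAMPLE_SS)))
    print("ports near exhaustion:", flood_suspects(SAMPLE_SS, backlog=8))
```

A single half-open entry, as on port 25 in the sample, is normal during any handshake; the signal is a sustained count near the limit on one port.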
