6 - Case studies

Tutorial created by Alfon. Extracted from: http://www.nautopia.net
16 December 2005
Here we analyse the output of TCPDump / Windump in response to basic nmap scans and other network utilities, so that it can be studied. In this way we learn to identify problems or intrusions on the network.

LISTINGS


C:\scan\nmap3>nmap -sT 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.43174 > 192.168.4.15.80: . ack 1827959592 win 1024
192.168.4.15.80 > 192.168.4.3.43174: R 1827959592:1827959592(0) win 0
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.1884 > 192.168.4.15.8080: S 189871296:189871296(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
192.168.4.15.8080 > 192.168.4.3.1884: S 1772688780:1772688780(0) ack 189871297 win 64240 <mss 1460,nop,nop,sackOK>
192.168.4.3.1884 > 192.168.4.15.8080: . ack 1 win 64240 (DF)
192.168.4.3.1884 > 192.168.4.15.8080: R 189871297:189871297(0) win 0 (DF)

C:\scan\nmap3>nmap -sS 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.57766 > 192.168.4.15.80: . ack 185616010 win 3072
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.57766: R 185616010:185616010(0) win 0
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.57746 > 192.168.4.15.8080: S 565404479:565404479(0) win 3072
192.168.4.15.8080 > 192.168.4.3.57746: S 1818962999:1818962999(0) ack 565404480 win 64240 <mss 1460>
192.168.4.3.57746 > 192.168.4.15.8080: R 565404480:565404480(0) win 0

C:\scan\nmap3>nmap -sN 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.57420 > 192.168.4.15.80: . ack 678437475 win 4096
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.57420: R 678437475:678437475(0) win 0
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.57400 > 192.168.4.15.8080: . win 4096
192.168.4.15.8080 > 192.168.4.3.57400: R 0:0(0) ack 0 win 0

C:\scan\nmap3>nmap -sU 192.168.4.15 -p8080 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3.50665 > 192.168.4.15.80: . ack 83760541 win 1024
arp who-has 192.168.4.3 tell 192.168.4.15
arp reply 192.168.4.3 is-at 0:4:76:f2:c9:5f
192.168.4.15.80 > 192.168.4.3.50665: R 83760541:83760541(0) win 0
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.137 > 192.168.4.15.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
192.168.4.3.50645 > 192.168.4.15.8080: udp 0
192.168.4.15 > 192.168.4.3: icmp: 192.168.4.15 udp port 8080 unreachable

C:\scan\nmap3>ping 192.168.4.15 | windump -nt host 192.168.4.15 and host 192.168.4.3
windump: listening on \Device\Packet_{604C8AE3-5FAC-45A5-BFAA-81175A8C32BF}
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply
192.168.4.3 > 192.168.4.15: icmp: echo request
192.168.4.15 > 192.168.4.3: icmp: echo reply

IDENTIFYING PROTOCOLS. DECODING THE OUTPUT.


UDP

16:33:59.501208 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:34:27.131434 192.168.4.1.137 > 192.168.4.2.137: udp 62
16:34:29.503733 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:34:59.506694 192.168.4.1.520 > 192.168.4.255.520: udp 24
16:35:29.509226 192.168.4.1.520 > 192.168.4.255.520: udp 24

TCP

16:37:34.672005 192.168.4.15.4036 > 192.168.4.1.139: tcp 280
16:37:34.674529 192.168.4.1.139 > 192.168.4.15.4036: tcp 131 (DF)
16:37:34.674949 192.168.4.15.4036 > 192.168.4.1.139: tcp 43
16:37:34.675151 192.168.4.1.139 > 192.168.4.15.4036: tcp 43 (DF)
16:37:34.680743 192.168.4.15.4036 > 192.168.4.1.139: tcp 280
16:39:23.854768 192.168.4.1.139 > 192.168.4.11.2027: . ack 2920 win 8760 (DF)
16:39:23.854973 192.168.4.1.139 > 192.168.4.11.2027: P 1:52(51) ack 4163 win 751
16:39:42.082752 192.168.4.11.2027 > 192.168.4.1.139: . ack 33380 win 8632 (DF)
16:39:55.697455 192.168.4.11.2635 > 192.168.4.1.139: S 1990792:1990792(0) win 8192 <mss 1460> (DF)
16:39:55.697567 192.168.4.1.139 > 192.168.4.11.2635: S 51131010:51131010(0) ack 1990793 win 8760 <mss 1460> (DF)
16:39:55.697756 192.168.4.11.2635 > 192.168.4.1.139: . ack 1 win 8760 (DF)
16:39:55.697793 192.168.4.11.2635 > 192.168.4.1.139: P 1:73(72) ack 1 win 8760

ICMP

16:45:29.386197 192.168.4.1 > 192.168.4.10: icmp: host 192.168.1.150 unreachable
16:45:29.386430 192.168.4.1 > 192.168.4.10: icmp: host 205.134.xxx.xxx unreachable
16:45:35.160914 192.168.4.1 > 192.168.4.10: icmp: host 192.168.1.151 unreachable
16:45:40.910035 192.168.4.10 > 192.168.4.1: icmp: echo request
16:45:40.910160 192.168.4.1 > 192.168.4.10: icmp: echo reply

ARP

16:51:21.227113 arp who-has 192.168.2.86 tell 192.168.2.60
16:51:21.538845 arp who-has 192.168.2.64 tell 192.168.2.60
16:51:21.850790 arp who-has 192.168.2.76 tell 192.168.2.60
16:51:21.851784 arp who-has 192.168.2.197 tell 192.168.2.60
16:51:21.851863 arp who-has 192.168.2.200 tell 192.168.2.60
16:51:21.857060 arp reply 192.168.2.197 is-at 0:a0:c9:1c:c1:f5

POP3

16:53:43.824474 192.168.2.90.2040 > 192.168.4.15.110: S 1607781:1607781(0) win 8192 <mss 1460> (DF)
16:53:43.824575 192.168.4.15.110 > 192.168.2.90.2040: S 4064642994:4064642994(0) ack 1607782 win 64240 <mss 1460>
16:53:43.824920 192.168.2.90.2040 > 192.168.4.15.110: . ack 1 win 8760 (DF)
16:53:43.863694 192.168.4.15.110 > 192.168.2.90.2040: P 1:89(88) ack 1 win 64240
16:53:43.864264 192.168.2.90.2040 > 192.168.4.15.110: P 1:17(16) ack 89 win 8672 (DF)
16:53:43.962939 192.168.4.15.110 > 192.168.2.90.2040: P 89:120(31) ack 17 win 64224
16:53:43.963439 192.168.2.90.2040 > 192.168.4.15.110: P 17:33(16) ack 120 win 8641 (DF)
16:53:44.009535 192.168.4.15.110 > 192.168.2.90.2040: P 120:188(68) ack 33 win 64208

SMTP

192.168.4.3.2605 > 192.168.4.15.25: S 3369617405:3369617405(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
192.168.4.15.25 > 192.168.4.3.2605: S 138683007:138683007(0) ack 3369617406 win 64240 <mss 1460,nop,nop,sackOK>
192.168.4.3.2605 > 192.168.4.15.25: . ack 1 win 64240 (DF)
192.168.4.15.25 > 192.168.4.3.2605: P 1:42(41) ack 1 win 64240
...
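The tutorial leaves the decoding of both the scan listings and the per-protocol listings to the reader. As an added example, not part of Alfon's tutorial, the following Python script parses the old tcpdump 3.x / windump line syntax used throughout this page (optional timestamp, `src.port > dst.port: ...`, flag letters with `.` meaning no flag, `seq:end(len)`, `ack N`, `udp N`, `icmp: ...`) and labels each exchange with the pattern it matches in the case studies above: the completed-then-reset handshake of nmap -sT, the SYN / SYN-ACK / RST of -sS, the flagless probe of -sN, the empty UDP datagram answered by ICMP port unreachable for -sU, and ICMP echo; an ordinary session such as the POP3 one is labelled as an established connection rather than a scan. The sample lines are constructed, modelled on the listings; the function names and labels are my own, not nmap's or tcpdump's.

```python
import re

# Constructed sample (not a capture from the tutorial's network): windump lines modelled on
# the listings above. 192.168.4.3 probes 192.168.4.15:8080 four ways; 192.168.2.90 talks POP3.
SAMPLE = """\
192.168.4.3.1884 > 192.168.4.15.8080: S 189871296:189871296(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
192.168.4.15.8080 > 192.168.4.3.1884: S 1772688780:1772688780(0) ack 189871297 win 64240 <mss 1460,nop,nop,sackOK>
192.168.4.3.1884 > 192.168.4.15.8080: . ack 1 win 64240 (DF)
192.168.4.3.1884 > 192.168.4.15.8080: R 189871297:189871297(0) win 0 (DF)
arp who-has 192.168.4.3 tell 192.168.4.15
192.168.4.3.57746 > 192.168.4.15.8080: S 565404479:565404479(0) win 3072
192.168.4.15.8080 > 192.168.4.3.57746: S 1818962999:1818962999(0) ack 565404480 win 64240 <mss 1460>
192.168.4.3.57746 > 192.168.4.15.8080: R 565404480:565404480(0) win 0
192.168.4.3.57400 > 192.168.4.15.8080: . win 4096
192.168.4.15.8080 > 192.168.4.3.57400: R 0:0(0) ack 0 win 0
192.168.4.3.50645 > 192.168.4.15.8080: udp 0
192.168.4.15 > 192.168.4.3: icmp: 192.168.4.15 udp port 8080 unreachable
192.168.4.3 > 192.168.4.15: icmp: echo request
16:53:43.824474 192.168.2.90.2040 > 192.168.4.15.110: S 1607781:1607781(0) win 8192 <mss 1460> (DF)
16:53:43.824575 192.168.4.15.110 > 192.168.2.90.2040: S 4064642994:4064642994(0) ack 1607782 win 64240 <mss 1460>
16:53:43.824920 192.168.2.90.2040 > 192.168.4.15.110: . ack 1 win 8760 (DF)
16:53:43.863694 192.168.4.15.110 > 192.168.2.90.2040: P 1:89(88) ack 1 win 64240
"""

# Old tcpdump 3.x / windump syntax: "[HH:MM:SS.usec] src[.port] > dst[.port]: rest"
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$")
# TCP part: "FLAGS [seq:end(len)] [ack N] win ..." where "." means no flag is set
TCP_RE = re.compile(r"^(?P<flags>[SFRPUW.]+)\s*(?:\d+:\d+\((?P<len>\d+)\))?\s*(?P<ack>ack \d+)?")


def parse_line(line):
    """Parse one line into a dict; None for arp, NBT and other lines it does not decode."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = lambda g: int(g) if g else None
    rec = {"ts": m.group("ts"), "src": m.group("src"), "sport": port(m.group("sport")),
           "dst": m.group("dst"), "dport": port(m.group("dport")), "length": 0}
    rest = m.group("rest")
    if rest.startswith("icmp:"):
        rec.update(proto="icmp", info=rest[5:].strip())
    elif rest.startswith("udp "):
        rec.update(proto="udp", length=int(rest.split()[1]))
    else:
        t = TCP_RE.match(rest)
        if not t:
            return None
        rec.update(proto="tcp", flags=t.group("flags").replace(".", ""),
                   ack=t.group("ack") is not None, length=int(t.group("len") or 0))
    return rec


def label_tcp(client, pkts):
    """Match one TCP exchange's flag sequence against the patterns in the case studies."""
    seq = [("c" if (p["src"], p["sport"]) == client else "s", p["flags"], p["ack"]) for p in pkts]
    rst_from_server = any(d == "s" and "R" in f for d, f, _ in seq)
    if seq[0] == ("c", "", False):                      # probe with no flags at all
        return "NULL probe (nmap -sN): " + ("RST from target" if rst_from_server else "no answer")
    handshake = seq[:2] == [("c", "S", False), ("s", "S", True)]
    if handshake and seq[2:3] == [("c", "R", False)]:
        return "half-open SYN scan (nmap -sS): SYN/ACK answered with RST, no ACK"
    if handshake and seq[2:3] == [("c", "", True)]:
        if any(p["length"] for p in pkts):
            return "established session carrying data"
        if seq[3:4] == [("c", "R", False)]:
            return "full connect scan (nmap -sT): handshake completed, then RST"
        return "established session, no data yet"
    if seq[0] == ("c", "S", False) and rst_from_server:
        return "SYN answered with RST: port closed"
    return "unclassified TCP exchange"


def classify(lines):
    """Group packets into exchanges; returns (src, sport, dst, dport, label) findings."""
    recs = [r for r in map(parse_line, lines) if r]
    flows, findings = {}, []                # flows keyed by (client, server) endpoint pairs
    for i, r in enumerate(recs):
        if r["proto"] == "tcp":
            a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
            flows.setdefault((b, a) if (b, a) in flows else (a, b), []).append(r)
        elif r["proto"] == "udp" and r["length"] == 0:   # empty datagram = nmap -sU probe
            closed = any(x["proto"] == "icmp" and (x["src"], x["dst"]) == (r["dst"], r["src"])
                         and f"udp port {r['dport']} unreachable" in x["info"] for x in recs[i + 1:])
            findings.append((r["src"], r["sport"], r["dst"], r["dport"], "UDP probe (nmap -sU): "
                             + ("ICMP port unreachable, port closed" if closed else "no answer, open|filtered")))
        elif r["proto"] == "icmp" and r["info"] == "echo request":
            findings.append((r["src"], None, r["dst"], None, "ICMP echo request (ping / host discovery)"))
    for (c, s), pkts in flows.items():
        findings.append((c[0], c[1], s[0], s[1], label_tcp(c, pkts)))
    return findings


if __name__ == "__main__":
    for src, sport, dst, dport, label in classify(SAMPLE.splitlines()):
        print(f"{src}:{sport} -> {dst}:{dport}  {label}")
```

Run as-is it prints one line per exchange; in practice the lines fed to `classify()` would come from `windump -nt ...` output saved to a file. The classifier keys on the order of flags exchanged between the two endpoints rather than on any fixed nmap source port or window size, which is why the POP3 session is reported as an established connection carrying data and not as a scan; lines the parser does not decode (arp, the NBT broadcasts, `-q` style `tcp N` summaries) are simply skipped.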

Author and licence of 'TcpDump / WinDump Workshop: Analysing the Network'


Tutorial by Alfon. Extracted from: http://www.nautopia.net CopyLeft
You must credit the work in the manner specified by the author or the licensor.
This content has been compiled by the Wikilearning team. All compiled content has been obtained while respecting, and stating on our site, the licence of each source.
Wikilearning has express written permission from the authors to publish the content it has extracted from other websites, including its commercial use.