
Analyzing and Monitoring Traffic

Traffic for ICMP-Based OS Fingerprinting Attempts

Attackers send unique ICMP probes to the target and look for differences in the response.

Use the following filter to locate unusual ICMP requests:

(icmp.type==8) && !(icmp.code==0)

(icmp.type==13) || (icmp.type==15) || (icmp.type==17)

Discover unique ICMP probes, unusual ICMP codes (an echo request should always carry code 0), ICMP timestamp requests (13), ICMP information requests (15), and ICMP address mask requests (17) in the traffic to make an educated guess that OS fingerprinting is taking place.

Attackers send TCP probes using specific field values in the header, then examine the response to reveal details about the OS.

The fields that indicate OS fingerprinting attempts are the initial sequence number, timestamp, IP ID sequence, and TCP options.

Use the following filter to find OS fingerprinting attempts:

(tcp.flags==0x02) && (tcp.window_size < 1025)

tcp.flags==0x2b

tcp.flags==0x00

tcp.options.wscale_val==10

tcp.options.mss_val<1460

Attackers generally use Nmap for target OS fingerprinting.

Folks should be aware of the Nmap OS fingerprinting process in order to detect OS fingerprinting attempts. The probes Nmap sends look like this:

ICMP echo request (type 8) with no payload

ICMP echo request (type 8) with a 120 or 150 byte payload of 0x00

ICMP timestamp request with the origin timestamp value set to 0

TCP SYN with a 40 byte options area

TCP SYN with the window scale shift count set to 10

TCP SYN with the maximum segment size set to 256

TCP SYN with the timestamp value set to 0xFFFFFFFF

TCP packet with options and SYN, FIN, PSH, and URG bits set

TCP packet with options and no flags set

A non-zero TCP acknowledgement number field without the ACK bit set

TCP packets with unusual window size field values
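As an added example (not from the original notes), the ICMP and TCP indicators above expressed as detection logic in Python and run over a few constructed packets. Packets are plain dicts keyed by Wireshark-style field names; the field names and sample values are assumptions for illustration, not a real capture.

```python
# Added example, not from the page: match packets against the ICMP and TCP OS-fingerprinting
# indicators above. Packets are dicts keyed by Wireshark-style names; all samples are constructed.
TCP_SYN, TCP_ACK = 0x02, 0x10
SYN_FIN_PSH_URG = 0x2b  # SYN|FIN|PSH|URG, a combination no normal stack sends
RARE_ICMP = {13: "timestamp request", 15: "information request", 17: "address mask request"}

def icmp_indicators(pkt):
    hits, t = [], pkt.get("icmp.type")
    if t == 8 and pkt.get("icmp.code", 0) != 0:  # echo request code must be 0
        hits.append("echo request with non-zero code")
    if t == 8 and pkt.get("icmp.data_len", 0) in (120, 150):
        hits.append("echo request with 120/150 byte payload")
    if t in RARE_ICMP:
        hits.append(RARE_ICMP[t])
    if t == 13 and pkt.get("icmp.originate_timestamp") == 0:
        hits.append("originate timestamp set to 0")
    return hits

def tcp_indicators(pkt):
    hits, flags, opts = [], pkt.get("tcp.flags"), pkt.get("tcp.options", {})
    if flags == TCP_SYN and pkt.get("tcp.window_size", 65535) < 1025:
        hits.append("SYN with window size below 1025")
    if flags == SYN_FIN_PSH_URG:
        hits.append("SYN/FIN/PSH/URG set")
    if flags == 0 and opts:
        hits.append("no flags set but TCP options present")
    if opts.get("wscale") == 10:
        hits.append("window scale shift count 10")
    if opts.get("mss", 1460) < 1460:
        hits.append("MSS below 1460")
    if opts.get("tsval") == 0xFFFFFFFF:
        hits.append("timestamp value 0xFFFFFFFF")
    if pkt.get("tcp.ack", 0) != 0 and not flags & TCP_ACK:
        hits.append("non-zero ack number without ACK bit")
    return hits

def scan_capture(packets):
    # Map packet index -> indicator list, keeping only packets that matched at least one.
    return {i: h for i, p in enumerate(packets)
            if (h := icmp_indicators(p) + tcp_indicators(p))}

# Constructed sample traffic: a normal ping and SYN first, then Nmap-style probes.
SAMPLE = [
    {"icmp.type": 8, "icmp.code": 0, "icmp.data_len": 56},
    {"tcp.flags": TCP_SYN, "tcp.window_size": 64240, "tcp.options": {"mss": 1460}},
    {"icmp.type": 8, "icmp.code": 9, "icmp.data_len": 120},
    {"icmp.type": 13, "icmp.originate_timestamp": 0},
    {"tcp.flags": 0x00, "tcp.options": {"mss": 1460, "wscale": 10}},
    {"tcp.flags": SYN_FIN_PSH_URG, "tcp.options": {"mss": 256}},
    {"tcp.flags": TCP_SYN, "tcp.ack": 12345, "tcp.window_size": 65535},
]
```

Running scan_capture(SAMPLE) leaves the first two (normal) packets out and reports the matched indicators for the rest.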

Ping sweep attempts

Attackers use a ping sweep to determine the live hosts within a specified IP range.

It is accomplished using ICMP, TCP, or UDP.

Attackers send a series of ICMP echo requests, or TCP/UDP packets to the echo port (7), across the specified IP range.

The following filters can be used to detect these actions:

ICMP Sweeps use:

icmp.type==8

icmp.type==0

TCP ping sweep:

tcp.dstport==7

UDP ping sweep:

udp.dstport==7

TCP half open stealth scan attempts

SYN

SYN/ACK

RST

tcp.flags.syn==1 && tcp.flags.ack==1

tcp.flags.reset==1 && ip.src==10.0.0.2

TCP full connect scan attempts

ICMP type 3

tcp.flags.syn==1 && tcp.flags.ack==1 && ip.src==10.0.0.2

tcp.flags.ack==1 && ip.src==10.0.0.2

Null Scan

tcp.flags==0x000

SYN/FIN DDoS attempts

tcp.flags==0x003

UDP scan

icmp.type==3 && icmp.code==3

type 3 = destination unreachable

code 3 = port unreachable

Password Cracking Attempts

Example of FTP password cracking attempts

ftp.request.command

ftp.response.code==530

ftp.response.code==230

ARP Spoofing

arp.duplicate-address-detected

SQL-Injection attempts

Windows Logs

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Event Log>

c:\Windows\System32\LogFiles\Firewall

Linux Logs

/var/log

OSX

/private/var/log

/Library/Logs

ASA

Timestamp | Device ID | Message ID | Message Text

Dec 27 2021 16:28:03 | asa 1: | %ASA-5-110008 |

The Message ID begins with %ASA, %PIX, or %FWSM, followed by the severity level and the message number (for example %ASA-5-110008 is severity 5, message 110008).

Attack Surface Mapper

OhPhish Phishing Simulation Framework – shieldalliance.com

SpeedPhish Framework (SPF) – github.com

Lucy – github.com

Phishing Frenzy – github.com

Gophish – getgophish.com

Social-Engineering Toolkit (SET) – trustedsec.com

Infection Monkey

Cymulate

AttackIQ – attackiq.com

CyCognito – cycognito.com

XM Cyber – xmcyber.com

Picus Security – picussecurity.com

SafeBreach – safebreach.com

Verodin – verodin.com

WhatHaX – mvs2i.com

owasp.org

exchange.xforce.ibmcloud.com

malstrom – github.com