Traffic for ICMP-Based OS Fingerprinting Attempts
Attackers send unique ICMP probes to the target and look for the response
Use the following filter to locate unusual ICMP requests:
(icmp.type==8) && !(icmp.code==0)
(icmp.type==13) || (icmp.type==15) || (icmp.type==17)
Discover unique ICMP probes, unusual ICMP codes, ICMP timestamp requests (13), ICMP information requests (15), and ICMP address mask requests (17) in the traffic to make an educated guess that OS fingerprinting is taking place.
Attackers send TCP probes using specific field values in the header and look for the response to reveal details about the OS.
The fields that indicate OS fingerprinting attempts are the initial sequence number, timestamp, IP ID sequence, and TCP options.
Use the following filter to find OS fingerprinting attempts:
(tcp.flags==0x02) && (tcp.window_size < 1025)
tcp.flags==0x2b
tcp.flags==0x00
tcp.options.wscale_val==10
tcp.options.mss_val<1460
Attackers generally use Nmap for target OS fingerprinting
Folks should be aware of the Nmap OS fingerprinting process to detect OS fingerprinting attempts
ICMP echo request (type 8) with no payload
ICMP echo request (type 8) with a 120 or 150 byte payload of 0x00
ICMP timestamp request with the origin timestamp value set to 0
TCP SYN with a 40 byte options area
TCP SYN with the window scale shift count set to 10
TCP SYN with the maximum segment size set to 256
TCP SYN with the timestamp value set to 0xFFFFFFFF
TCP packet with options and SYN, FIN, PSH, and URG bits set
TCP packet with options and no flags set
A non-zero TCP acknowledgement number field without the ACK bit set
TCP packets with unusual window size field values
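An added example (not from these notes) that turns the probe list above into detection logic: each decoded packet is checked against the Nmap probe traits, and a source that shows several distinct traits is flagged. The packet dict layout, field names and the sample records for 10.0.0.2 are constructed for this example.

```python
# Added example: classify decoded packet records against the Nmap probe traits above (packets are constructed dicts, not captures).
ICMP_ECHO_REQ, ICMP_TIMESTAMP_REQ = 8, 13
FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20
SYN_OPTION_TRAITS = (("length", 40, "SYN with 40-byte options area"),
                     ("wscale", 10, "SYN with window scale shift 10"),
                     ("mss", 256, "SYN with MSS 256"),
                     ("tsval", 0xFFFFFFFF, "SYN with timestamp 0xFFFFFFFF"))

def probe_traits(pkt):
    """Return the fingerprinting traits one packet matches (empty list = nothing odd)."""
    hits, opts = [], pkt.get("options", {})
    if pkt["proto"] == "icmp":
        payload = pkt.get("payload", b"")
        if pkt["type"] == ICMP_ECHO_REQ:
            if pkt.get("code", 0) != 0:                  # echo requests always use code 0
                hits.append("ICMP echo with non-zero code")
            if len(payload) == 0:
                hits.append("ICMP echo with no payload")
            elif len(payload) in (120, 150) and set(payload) == {0}:
                hits.append("ICMP echo with %d-byte zero payload" % len(payload))
        elif pkt["type"] == ICMP_TIMESTAMP_REQ and pkt.get("orig_ts") == 0:
            hits.append("ICMP timestamp request with origin timestamp 0")
    elif pkt["proto"] == "tcp":
        flags = pkt["flags"]
        if flags == SYN:                                 # Nmap's SYN probes vary these options
            hits += [desc for key, val, desc in SYN_OPTION_TRAITS if opts.get(key) == val]
        if opts and flags == (SYN | FIN | PSH | URG):    # tcp.flags==0x2b
            hits.append("SYN/FIN/PSH/URG with options")
        if opts and flags == 0:                          # tcp.flags==0x00
            hits.append("no flags set with options")
        if pkt.get("ack_num", 0) != 0 and not flags & ACK:
            hits.append("non-zero ack number without ACK bit")
    return hits

def suspected_fingerprinters(packets, min_traits=3):
    """Group traits by source IP; a source matching several distinct traits is flagged."""
    by_src = {}
    for pkt in packets:
        by_src.setdefault(pkt["src"], set()).update(probe_traits(pkt))
    return {src: sorted(t) for src, t in by_src.items() if len(t) >= min_traits}

# Constructed sample traffic: one scanner-like source (10.0.0.2) and one ordinary client.
SAMPLE = [
    {"src": "10.0.0.2", "proto": "icmp", "type": 8, "code": 9, "payload": b""},
    {"src": "10.0.0.2", "proto": "icmp", "type": 13, "orig_ts": 0},
    {"src": "10.0.0.2", "proto": "tcp", "flags": SYN, "options": {"length": 40, "wscale": 10}},
    {"src": "10.0.0.2", "proto": "tcp", "flags": 0x2B, "options": {"length": 20}},
    {"src": "10.0.0.2", "proto": "tcp", "flags": 0, "ack_num": 12345, "options": {"length": 20}},
    {"src": "10.0.0.9", "proto": "tcp", "flags": SYN, "options": {"length": 20, "mss": 1460}},
]
```

Running `suspected_fingerprinters(SAMPLE)` flags only 10.0.0.2; the ordinary client's normal SYN matches no trait, so a single stray match never raises an alert on its own.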
Ping sweep attempts
Attackers use a ping sweep to determine the live hosts within a specified IP range
It is accomplished using ICMP, TCP, or UDP
Attackers send a series of ICMP, TCP, or UDP echo requests to the specified IP range.
The following filters can be used to detect these actions:
ICMP Sweeps use:
icmp.type==8
icmp.type==0
TCP ping sweep:
tcp.dstport==7
UDP ping sweep:
udp.dstport==7
TCP half open stealth scan attempts
SYN
SYN/ACK
RST
tcp.flags.syn==1 && tcp.flags.ack==1
tcp.flags.reset==1 && ip.src==10.0.0.2
TCP full connect scan attempts
ICMP type 3
tcp.flags.syn==1 && tcp.flags.ack==1 && ip.src==10.0.0.2
tcp.flags.ack==1 && ip.src==10.0.0.2
Null Scan
tcp.flags==0x000
SYN/FIN DDoS attempts
tcp.flags==0x003
UDP scan
icmp.type==3 && icmp.code==3
type 3 = destination unreachable
code 3 = port unreachable
Password Cracking Attempts
Example of FTP password cracking attempts
ftp.request.command
ftp.response.code==530
ftp.response.code==230
ARP Spoofing
arp.duplicate-address-detected
SQL-Injection attempts
Windows Logs
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Event Log>
c:\Windows\System32\LogFiles\Firewall
Linux Logs
/var/log
OSX
/private/var/log
/Library/Logs
ASA
Timestamp | Device ID | Message ID | Message Text
Dec 27 2021 16:28:03 | asa 1: | %ASA-5-110008 |
Message ID begins with %ASA, %PIX, or %FWSM, followed by the severity
Attack Surface Mapper
OhPhish Phishing Simulation Framework – shieldalliance.com
SpeedPhish Framework (SPF) – github.com
Lucy – github.com
Phishing Frenzy – github.com
Gophish – getgophish.com
Social-Engineering Toolkit (SET) – trustedsec.com
infection monkey
Cymulate
AttackIQ – attackiq.com
CyCognito – cycognito.com
XM Cyber – xmcyber.com
Picus Security – picussecurity.com
SafeBreach – safebreach.com
Verodin – verodin.com
WhatHaX – mvs2i.com
owasp.org
exchange.xforce.ibmcloud.com
malstrom – github.com