Packet Fingerprinting with Wireshark and Detecting Nmap Scans

Extreme Hacking
Advanced Ethical Hacking Institute in Pune
This is going to be a fairly long tutorial on Wireshark. It assumes you have some experience with Wireshark and Nmap and an above-average understanding of the basic protocols, TCP in particular.
We will be covering these scans:
~ TCP SYN scan === nmap -sS
Explanation: Sends a packet with only the SYN flag set to each target port
~ TCP Xmas scan === nmap -sX
Explanation: Sends a TCP packet with the FIN, PSH and URG flags set
~ TCP Null scan === nmap -sN
Explanation: Sends a TCP packet with NO flags set (easy to detect)
~ TCP FIN scan === nmap -sF
Explanation: Sends a TCP packet with only the FIN flag set
We will ONLY be covering TCP as it is the most common. If you’re interested in SCTP/UDP scans, feel free to PM me!
We will be making our OWN color scheme. The default Wireshark coloring rules are only a starting point; they are meant to be edited to suit what you are looking for.
Here is how we do that:
I’m going to change some of the default colors to my own.
Protocol – Background Color / Text Color
TCP – Dark Green / White
UDP – Dark Blue / White
ARP – Orange / Black
I have also set HTTP to Dark Green / Yellow off-camera.
This should color QUITE A BIT of the packets green and blue, since most traffic on a typical network is carried over either TCP or UDP.
1. Nmap SYN Scan (nmap -sS -v -n ):
Alright, so here is what the scan looks like in Wireshark:
Let’s look at the coloring rules and see why each packet is colored the way it is. This is very easy.
Make sure the “Packet Details” panel is visible. Click View -> Packet Details.
The red is simple. It’s just a RST (reset) or RST/ACK packet, sent by the target for every closed port the scan touches.
Now click on the packet you’d like to see and expand the “Frame” section. There you can see the name of the coloring rule that matched and exactly why the packet is colored the way it is.
We can see that all of this grey is TCP SYN packets. Hopefully you know that SYN packets are very common throughout a network. When initiating a TCP connection (every time you visit a website), a SYN is sent. So what makes this SYN different from a normal SYN?
Nmap SYN scan probes have a TCP window size of one of:
– 1024
– 2048
– 3072
– 4096
while normal SYN window sizes are usually much larger and vary between hosts and operating systems. So this is our key! We can also note that only the SYN flag is set: no ACK, which rules out the SYN/ACK replies that use the same small windows. Keep in mind this is a fingerprint of Nmap’s raw-packet scan, not proof of one: a connect scan (nmap -sT) uses the operating system’s own TCP stack and will look like any other SYN.
So, let’s write a rule. Here are the display filter operators you should know:
&& = and. Ex: tcp && tcp.flags.syn == 1 = this will show only TCP packets that have the SYN flag set
|| = or. Ex: tcp || udp = this will show anything that is either TCP OR UDP
! = not. Ex: !tcp = this will show everything that is NOT TCP
That’s pretty much it!
So we know that it is TCP, so let’s first make sure it’s TCP:
Alright. We also know that only the SYN flag is set, so let’s write that as well:
This next part may be a little confusing if you’re not a coder. Basically, we want to check whether the window size is any of the aforementioned values. Only one of them can match at a time, so we group the comparisons with () and join them with || inside the parentheses. If the flags and one of the window sizes match, we have a strong indicator of an Nmap SYN scan with a low (but not zero) chance of a false positive. Let’s see:
Here I show a real SYN request (grey) and an Nmap SYN request (orange).
There we go! We have finished our first scan!!! Now we can detect a very basic TCP SYN Scan!!! Hoorah!
2. Christmas Scan (nmap -sX -v -n ):
Alright, let’s see the packet as we scan. Open any packet from the scan and look at the packet details 🙂
What do we notice?
Alright, let’s go ahead and write a simple rule based on what we’ve noticed:
It’s TCP only, right? Yes.
Now let’s make sure the flags value is 0x029 (FIN = 0x01, PSH = 0x08 and URG = 0x20 added together):
Lastly, we need to specify the individual flags that are set:
And that’s our rule! That will detect an Xmas scan!
3. TCP Null Scan (nmap -sN -v -n ):
This is a very obvious one to detect, since no legitimate TCP segment is sent with no flags at all.
What do you notice?
Again, let’s write the rule.
Now you can follow the previous two sections to add your own color-coded scheme 🙂
4. TCP FIN Scan (nmap -sF -v -n ):
This one I want you to do yourself!
First write down what you notice about the packets. Once you’re done, compare your notes with the Null and Xmas sections above and check whether you spotted the same things I did:
Okay, once you’ve done that, try and write a simple rule!
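To tie the four sections together, here is an added example (not part of the original tutorial) that expresses each display filter from the text as Python and runs both over a handful of constructed TCP headers. The header parser follows the RFC 793 layout, the sample segments are built in the script rather than captured, and the 64240 window used for the “normal” SYN is an assumption about what a modern Linux stack advertises; the flag values and Nmap window sizes are the ones from the text.

```python
"""Detect Nmap SYN/Xmas/Null/FIN probes from raw TCP headers.

Added example for this tutorial: each Wireshark display filter from the
text is paired with an equivalent Python predicate, and both are applied
to constructed TCP headers (no captured traffic is used).
"""
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# TCP flag bits as they appear in the low byte of the offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Window sizes Nmap uses for its raw SYN probes (the tutorial's "key")
NMAP_SYN_WINDOWS = {1024, 2048, 3072, 4096}


@dataclass(frozen=True)
class TcpHeader:
    sport: int
    dport: int
    flags: int      # 12-bit field, the width Wireshark shows as tcp.flags
    window: int     # raw window field, i.e. tcp.window_size_value


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Pull ports, flags and window out of a raw TCP segment (RFC 793 layout)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    return TcpHeader(sport, dport, off_flags & 0x0FFF, window)


def build_tcp_header(sport: int, dport: int, flags: int, window: int) -> bytes:
    """Build a minimal 20-byte TCP header (data offset 5, zero checksum/urgent pointer)."""
    off_flags = (5 << 12) | (flags & 0x0FFF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0)


# (label, Wireshark display filter from the tutorial, equivalent predicate)
RULES: List[Tuple[str, str, Callable[[TcpHeader], bool]]] = [
    ("Nmap Null scan (-sN)", "tcp.flags == 0x000",
     lambda h: h.flags == 0x000),
    ("Nmap Xmas scan (-sX)", "tcp.flags == 0x029",
     lambda h: h.flags == FIN | PSH | URG),
    ("Nmap FIN scan (-sF)", "tcp.flags == 0x001",
     lambda h: h.flags == FIN),
    ("Nmap SYN scan (-sS)",
     "tcp.flags == 0x002 && (tcp.window_size_value == 1024 || "
     "tcp.window_size_value == 2048 || tcp.window_size_value == 3072 || "
     "tcp.window_size_value == 4096)",
     lambda h: h.flags == SYN and h.window in NMAP_SYN_WINDOWS),
]


def classify(header: TcpHeader) -> Optional[str]:
    """Return the first matching rule label, or None for ordinary traffic."""
    for label, _display_filter, matches in RULES:
        if matches(header):
            return label
    return None


def scan_report(segments: List[bytes]) -> List[Tuple[int, Optional[str]]]:
    """Classify every segment; each result is (destination port, label)."""
    return [(h.dport, classify(h)) for h in map(parse_tcp_header, segments)]


# Constructed sample segments (not captured traffic). 64240 is assumed here
# to be the initial window a modern Linux stack advertises on a normal SYN.
SAMPLE_SEGMENTS = [
    build_tcp_header(51234, 80, SYN, 64240),              # ordinary browser SYN
    build_tcp_header(51235, 80, SYN | ACK, 1024),         # SYN/ACK: ACK bit rules it out
    build_tcp_header(40001, 22, SYN, 1024),               # nmap -sS probe
    build_tcp_header(40002, 443, FIN | PSH | URG, 1024),  # nmap -sX probe
    build_tcp_header(40003, 25, 0, 1024),                 # nmap -sN probe
    build_tcp_header(40004, 21, FIN, 1024),               # nmap -sF probe
]

if __name__ == "__main__":
    for dport, label in scan_report(SAMPLE_SEGMENTS):
        print(f"dport={dport:<5} {label or 'normal traffic'}")
```

The rule order matters only for readability here, since the four flag patterns are mutually exclusive. The SYN rule compares the whole flags field to 0x002 rather than just checking tcp.flags.syn, so SYN/ACK replies with a small window are not mistaken for probes.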
