Assignments of day 1 in week #2

Detection of stealth and decoy port scans

Last Updated : Monday, 03-Jun-2002 11:12:42 HKT

  1. tcpdump a normal open port network connection
    1. tcpdump a finger port
      tcpdump port finger

    2. Open another window to ssh your partner host and issue the command
      finger @your_host

    3. Post the dump result on your web page and list the flags sequence of these dump packets. These flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags).

  2. tcpdump a normal closed port network connection

    1. tcpdump a pop3 port
      tcpdump port 110

    2. Open another window to ssh your partner host and issue the command
      telnet your_host 110

    3. Post the dump result on your web page and list the flags sequence of these dump packets. These flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags).

    4. Identify the difference in your host's network response between a closed and an open port. Post your finding on your web page

  3. tcpdump a TCP connect() scan of an open port

    1. tcpdump a finger port connection
      tcpdump port 79

    2. Open another window to ssh your partner host and issue the command
      /usr/local2/bin/nmap -p 79 your_host

    3. Post the dump result on your web page and list the flags sequence of these dump packets. These flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags).

    4. Identify the difference between a normal finger port network connection and a TCP connect() scan network connection. Post your finding on your web page

  4. tcpdump a TCP connect() scan of a closed port

    1. tcpdump a pop3 port connection
      tcpdump port 110

    2. Open another window to ssh your partner host and issue the command
      /usr/local2/bin/nmap -p 110 your_host

    3. Post the dump result on your web page and list the flags sequence of these dump packets. These flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags).

    4. Identify the difference between a normal closed port network connection and a TCP connect() scan network connection. Post your finding on your web page

  5. Identify stealth port scan

    1. tcpdump the open port 79 and the closed port 110 at your host
      tcpdump port 79 or 110

    2. Ask your partner to issue the following commands as root at his/her host
      /usr/local2/bin/nmap -sS -p 79,110 your_host
      /usr/local2/bin/nmap -sF -p 79,110 your_host
      /usr/local2/bin/nmap -sN -p 79,110 your_host
      /usr/local2/bin/nmap -sX -p 79,110 your_host

    3. Post the dump result on your web page and list the flags sequence of these dump packets. These flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags).

    4. Identify the difference among these stealth scans. Post your finding on your web page

  6. Identify decoy port scan

    1. tcpdump the open port 79 at your host
      tcpdump -ev port 79

    2. Ask your partner to issue the following commands as root at his/her host
      /usr/local2/bin/nmap -Dntec1,ntec4 -sF -p 79 your_host

    3. Post the dump result on your web page and identify whether the TTLs of these packets all have the same value.
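The flag sequences that assignments 1 to 5 ask you to list by hand, and the TTL comparison in the decoy exercise, can also be pulled out of the dump programmatically. The script below is an added example and not part of the course page: it assumes ntec2 as the host running tcpdump and ntec3 as the partner host running nmap (both made-up names, next to the page's own ntec1 and ntec4 decoys), and its sample dumps are constructed by hand in tcpdump 4.x syntax; the bare-letter flag syntax of the 3.x tcpdump in use when the page was written is parsed as well.

```python
"""Extract TCP flag sequences and TTLs from tcpdump output and label the
exchange, automating the by-eye classification the assignments ask for.
Added example, not from the course page: ntec2 (host being dumped) and ntec3
(partner running nmap) are assumed names; all dumps are hand-constructed."""
import re
from collections import defaultdict

# tcpdump 4.x:            "ntec3.40123 > ntec2.finger: Flags [S.], seq ..."
# tcpdump 3.x (2002 era): "ntec3.40123 > ntec2.finger: S 1:1(0) ack 5 win ..."
PACKET = re.compile(r"(\S+) > (\S+): (?:Flags \[([^\]]*)\]|([SFPRUWE.]+) )")
TTL = re.compile(r"\bttl (\d+)")


def host_of(endpoint):
    """'ntec2.ust.hk.finger' -> 'ntec2.ust.hk' (drop the port/service)."""
    return endpoint.rsplit(".", 1)[0]


def parse_dump(text):
    """One (src_host, dst_host, flags, ttl) per TCP packet. Indented lines
    (tcpdump -v) are joined to the record above. Flags use the 4.x letters
    (S F P R U, '.' = ACK); '' means no flags (NULL probe); ttl needs -v."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.strip())
    packets = []
    for rec in records:
        m = PACKET.search(rec)
        if not m:
            continue  # not a TCP line in a form we recognise
        src, dst, new_flags, old_flags = m.groups()
        if new_flags is not None:
            flags = "" if new_flags == "none" else new_flags
        else:  # 3.x prints ACK and URG as keywords, not letters
            flags = old_flags.replace(".", "")
            flags += "." if " ack " in rec else ""
            flags += "U" if " urg " in rec else ""
        t = TTL.search(rec)
        packets.append((host_of(src), host_of(dst), flags, int(t.group(1)) if t else None))
    return packets


def flag_sequence(packets, target):
    """Flags in capture order: '>' sent to target, '<' sent by it."""
    return [("<" if src == target else ">") + (f or "none") for src, _, f, _ in packets]


def classify(packets, target):
    """Label what target saw, by the reasoning the assignments apply by eye."""
    inbound = [f for _, d, f, _ in packets if d == target]
    outbound = [f for s, _, f, _ in packets if s == target]
    if not inbound:
        return "nothing sent to target"
    probe = inbound[0]
    if probe == "S":  # handshake attempt: normal client, nmap -sT or nmap -sS
        if not outbound:
            return "SYN, no reply"
        if outbound[0].startswith("R"):
            return "SYN to closed port: RST reply"
        if outbound[0] == "S." and len(inbound) > 1:
            if inbound[1].startswith("R"):
                return "half-open SYN scan (nmap -sS) of open port: SYN/ACK answered with RST"
            if inbound[1] == ".":
                if any("P" in f for f in inbound + outbound):
                    return "full connection to open port with data: normal client session"
                return "full connection to open port, no data: connect() scan (nmap -sT)"
    # No SYN: FIN (-sF), NULL (-sN), Xmas (-sX). A closed port answers RST; an
    # open port stays silent, and so does a firewall that drops the probe.
    kind = {"F": "FIN", "": "NULL", "FPU": "Xmas"}.get(probe)
    if kind and not outbound:
        return kind + " scan: no reply (port open, or probe dropped)"
    if kind and outbound[0].startswith("R"):
        return kind + " scan of closed port: RST reply"
    return "unclassified"


def ttl_by_source(packets):
    """Each source host -> set of TTLs on its packets (needs tcpdump -v)."""
    seen = defaultdict(set)
    for src, _, _, ttl in packets:
        if ttl is not None:
            seen[src].add(ttl)
    return dict(seen)


def decoys_share_ttl(packets):
    """The decoy assignment's question: one TTL across every apparent sender?
    That is consistent with all of them being forged on one machine, but hosts
    on one LAN running the same OS coincide too: a hint to follow up, not proof."""
    values = {t for ttls in ttl_by_source(packets).values() for t in ttls}
    return len(values) == 1


# Constructed dumps in tcpdump 4.x syntax (sequence and window numbers invented).
NORMAL_FINGER = """\
11:05:12.100 IP ntec3.ust.hk.40123 > ntec2.ust.hk.finger: Flags [S], seq 1000, win 29200, length 0
11:05:12.101 IP ntec2.ust.hk.finger > ntec3.ust.hk.40123: Flags [S.], seq 5000, ack 1001, win 28960, length 0
11:05:12.102 IP ntec3.ust.hk.40123 > ntec2.ust.hk.finger: Flags [.], ack 1, win 29200, length 0
11:05:12.103 IP ntec3.ust.hk.40123 > ntec2.ust.hk.finger: Flags [P.], seq 1:3, ack 1, win 29200, length 2
11:05:12.104 IP ntec2.ust.hk.finger > ntec3.ust.hk.40123: Flags [FP.], seq 1:60, ack 3, win 28960, length 59
"""
SYN_SCAN = """\
11:06:40.000 IP ntec3.ust.hk.41000 > ntec2.ust.hk.finger: Flags [S], seq 7, win 1024, length 0
11:06:40.001 IP ntec2.ust.hk.finger > ntec3.ust.hk.41000: Flags [S.], seq 9, ack 8, win 28960, length 0
11:06:40.002 IP ntec3.ust.hk.41000 > ntec2.ust.hk.finger: Flags [R], seq 8, win 0, length 0
"""
DECOY_FIN = """\
11:07:01.000 IP (tos 0x0, ttl 39, id 1, offset 0, flags [none], proto TCP (6), length 40)
    ntec1.ust.hk.51000 > ntec2.ust.hk.finger: Flags [F], seq 0, win 1024, length 0
11:07:01.001 IP (tos 0x0, ttl 39, id 2, offset 0, flags [none], proto TCP (6), length 40)
    ntec3.ust.hk.51000 > ntec2.ust.hk.finger: Flags [F], seq 0, win 1024, length 0
11:07:01.002 IP (tos 0x0, ttl 39, id 3, offset 0, flags [none], proto TCP (6), length 40)
    ntec4.ust.hk.51000 > ntec2.ust.hk.finger: Flags [F], seq 0, win 1024, length 0
"""

if __name__ == "__main__":
    for name, dump in (("finger", NORMAL_FINGER), ("nmap -sS", SYN_SCAN), ("nmap -D -sF", DECOY_FIN)):
        pk = parse_dump(dump)
        print(f"{name:12} {flag_sequence(pk, 'ntec2.ust.hk')} -> {classify(pk, 'ntec2.ust.hk')}")
    pk = parse_dump(DECOY_FIN)
    print("decoy TTLs:", ttl_by_source(pk), "all equal:", decoys_share_ttl(pk))
```

To use it on your own capture, save the tcpdump output to a file and pass its contents to parse_dump; classify only looks at the first probe and the first reply, so feed it one port's exchange at a time (for assignment 5, split the `port 79 or 110` dump by destination port first).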

