Unit 3: Port Scanning
3.1 Port Scanning
Port Scanning Demos 1

The TCP Three-Way Handshake Demo

>> I just opened up a browser and went to www.rit.edu
with Wireshark capturing the packets.
Let's take a look at what I captured.
I'm using a display filter of tcp.port == 56479,
which is the port my browser opened up to communicate with the RIT web server.
The RIT web server is using port 80.
My browser actually opened up multiple connections to the RIT web server
for the various components of the web page.
The connection on port 56479 is the most interesting one,
since it's where the communication initially begins, and it involves the actual HTML
for what you see when you go to www.rit.edu.
The TCP three-way handshake appears right at the top -- SYN, SYN ACK, ACK.
Let's look at the actual numbers.
In step one, the SYN is sent from my web browser using port 56479
to the RIT web server on port 80.
We can see the SYN flag raised.
Let's take a look at the actual sequence number -- c9 7e 81 be.
The RIT web server ACKs that SYN by turning on the ACK flag in step two
and incrementing the sequence number by 1.
c9 7e 81 bf is the acknowledgement number.
Notice the bf at the end, which is 1 more than the be we just saw in the previous TCP segment.
The RIT web server also turns on the SYN flag and comes
up with its own sequence number, 2b 4a 95 fe.
My browser in step three turns on the ACK flag
and increments the web server sequence number by 1.
Notice the acknowledgment number of 2b 4a 95 ff is 1 more
than the sequence number we saw in the previous TCP segment.
Now, there is a bidirectional TCP connection established between client and server
for guaranteed connection-oriented, acknowledged communications.
The sequence numbers established by each side now increment by the size of the TCP data
to make sure that all bits sent are received.

 

SYN Scan Demo

>> Let's see port scanning in action.
In Kali, I'm going to type Nmap by itself and pipe the output to less.
We see a very detailed help output.
As you can see, Nmap does more than port scanning, including host discovery,
service and version detection, OS detection, and much more.
I'm going to use my Kali VM to scan my Windows host machine.
Without a scan type specified, Nmap uses a SYN scan.
The output reveals ports and their related service names, indicative of a Windows system.
Let's start sniffing with Wireshark on the Windows machine and filter by the IP address
of the Kali VM -- ip.addr == 192.168.1.104.
On my Windows machine, I am going to start WampServer,
which includes an Apache web server and a MySQL database server.
Let's scan that Windows machine again.
Notice that ports 80 and 3306 are now discovered as open since the web server
and database server have both been started.
When I change my display filter to tcp.port == 3306,
you'll notice that after the Kali box sent the SYN, the open port 3306 sent a SYN ACK.
Then, the Kali box closed the connection with an RST.
Compare that to the sequence related to the scanning of port 21.
The Kali box sent the SYN, but since port 21 is closed on the Windows host machine,
the Windows host machine responded back with an RST.
That closed the connection and said, sorry, no FTP server here.

 

Connect Scan Demo

>> Now, we'll see traffic generated by the connect scan.
Let's start a new Wireshark capture on the Windows host machine using a display filter
of ip.addr == 192.168.1.104 and tcp (192.168.1.104 being the IP address of the Kali box),
which will eliminate other unrelated traffic.
The Nmap help output shows the syntax which we'll be using.
Dash lowercase s (-s) specifies the scan.
When followed by an uppercase S (-sS), that refers to a SYN scan.
When followed by an uppercase T (-sT), that refers to a connect scan.
If you look in the port specification and scan order section, dash p (-p) can limit the scan
to a port or multiple ports that can be adjacent or nonadjacent.
We're going to send a connect scan to port 80 of the machine at 192.168.1.101.
Lo and behold, with the Apache web server started on the Windows host machine,
Nmap is identifying port 80 as open.
Compared to the SYN scan, though,
we can see that the TCP three-way handshake actually completed.
SYN, SYN ACK, ACK.
After that, Nmap on the Kali box sent an RST,
but the destination application now has a log entry of the completed connection.
The connect scan, which is the only scan that doesn't require root privileges,
should be avoided at all costs, since it is very noisy.
Let's scan port 22 on the Windows host machine with a connect scan.
Nmap is reporting port 22 as closed, and in Wireshark,
we can see a closed port once again will respond with an RST.

 

Reposted from: https://www.cnblogs.com/sec875/articles/10028406.html
