Apreciados Julieta/Alberto/Walter/Ernesto

Adjunto una lista útil que desarrollamos en mi área para hacer análisis más veloces (basado en el material del curso). Úsenla con libertad. Luego les estaré enviando un reto para que lo apliquen.

--------------------------------------------------------------------------------

Resumen de filtros complejos (sin macro comandos)

Notas generales, aplicables a todos los filtros de la lista:
- Los desplazamientos del tipo tcp[20:4] (primer byte de datos TCP) suponen una cabecera TCP de 20 bytes sin opciones, y los del tipo ip[20:1] suponen una cabecera IP de 20 bytes (IHL=5). Si hay opciones en cualquiera de las dos cabeceras los datos empiezan más adelante y el filtro no coincide. Si la versión de libpcap/tcpdump lo admite, puede usarse el desplazamiento real, p. ej. tcp[((tcp[12]&0xf0)>>2):4].
- Las comparaciones son byte a byte y distinguen mayúsculas: "EHLO" no coincide con "ehlo". Los comandos SMTP/POP3 son insensibles a mayúsculas, así que conviene filtrar las dos variantes (ver VRFY/EXPN/NOOP en la sección 2).
- BPF examina cada segmento por separado, no el flujo reensamblado: un comando que no empiece en el primer byte del segmento, o que quede partido entre dos segmentos, escapa al filtro.
- En BPF "and" tiene mayor precedencia que "or"; cuando se mezclen, agrupar con paréntesis (varios filtros de la versión anterior fallaban por esto).

1. Basados en Campos Correctos

- ICMP Echo Request y Echo Reply: "(icmp[0:1]=0)" or "(icmp[0:1]=8)"
- Paquetes TCP SYN: "(tcp[13:1]=0x02)"
- Paquetes TCP ACK: "(tcp[13:1]=0x10)"
- Paquetes TCP RST: "(tcp[13:1]=0x04)"
- Paquetes TCP SYN or ACK: "(tcp[13:1]=0x02) or (tcp[13:1]=0x10)"
- Paquetes TCP SYN or RST: "(tcp[13:1]=0x02) or (tcp[13:1]=0x04)"
- Paquetes TCP SYN or FIN: "(tcp[13:1]=0x02) or (tcp[13:1]=0x01)"
- Paquetes TCP SYN and ACK: "(tcp[13:1]=0x12)"
  Nota: estas comparaciones son de igualdad sobre el byte completo de flags, así que "(tcp[13:1]=0x10)" sólo captura ACK "puros" y no, por ejemplo, ACK+PSH (0x18). Para comprobar un bit sin importar el resto se usa máscara: "(tcp[13:1]&0x02!=0)" captura todo segmento que lleve SYN.
- SMTP: EHLO email.server.com
  Para estos filtros hay que tener en cuenta que Windump (BPF) no puede comparar más de 4 bytes en una sola expresión. Para buscar cadenas de más de 4 bytes se encadenan comparaciones de 4 bytes con operadores lógicos:
  Cadena: EHLO email.server.com
  tcp port 25 and "(tcp[20:4]=0x45484c4f)" and "(tcp[24:4]=0x20656d61)" and "(tcp[28:4]=0x696c2e73)" and "(tcp[32:4]=0x65727665)" and "(tcp[36:4]=0x722e636f)" and "(tcp[40:1]=0x6d)"
- SMTP: HELO email.server.com
  tcp port 25 and "(tcp[20:4]=0x48454c4f)" and "(tcp[24:4]=0x20656d61)" and "(tcp[28:4]=0x696c2e73)" and "(tcp[32:4]=0x65727665)" and "(tcp[36:4]=0x722e636f)" and "(tcp[40:1]=0x6d)"
- SMTP: RCPT TO: <cuenta@xxxxxxxxxxxxxxxx> (el hex codifica "RCPT TO: <cuenta@email.server.com>")
  (Corregido: tcp[32:4] era 0x65707461 = "epta"; "enta" es 0x656e7461.)
  tcp port 25 and "(tcp[20:4]=0x52435054)" and "(tcp[24:4]=0x20544f3a)" and "(tcp[28:4]=0x203c6375)" and "(tcp[32:4]=0x656e7461)" and "(tcp[36:4]=0x40656d61)" and "(tcp[40:4]=0x696c2e73)" and "(tcp[44:4]=0x65727665)" and "(tcp[48:4]=0x722e636f)" and "(tcp[52:2]=0x6d3e)"
- SMTP: MAIL FROM: <cuenta@xxxxxxxxxxxxxxxx> (el hex codifica "MAIL FROM: <cuenta@email.server.com>")
  (Corregido: tcp[24:4] era 0x20465254 = " FRT" y tcp[32:4] era 0x63756570 = "cuep"; " FRO" es 0x2046524f y "cuen" es 0x6375656e.)
  tcp port 25 and "(tcp[20:4]=0x4d41494c)" and "(tcp[24:4]=0x2046524f)" and "(tcp[28:4]=0x4d3a203c)" and "(tcp[32:4]=0x6375656e)" and "(tcp[36:4]=0x74614065)" and
"(tcp[40:4]=0x6d61696c)" and "(tcp[44:4]=0x2e736572)" and "(tcp[48:4]=0x7665722e)" and "(tcp[52:4]=0x636f6d3e)"
- POP3: USER <libidonet@xxxxxxxxxxxxx> (el hex codifica "USER libidonet@libidonet.com")
  tcp port 110 and "(tcp[20:4]=0x55534552)" and "(tcp[24:4]=0x206c6962)" and "(tcp[28:4]=0x69646f6e)" and "(tcp[32:4]=0x6574406c)" and "(tcp[36:4]=0x69626964)" and "(tcp[40:4]=0x6f6e6574)" and "(tcp[44:4]=0x2e636f6d)"
- Búsqueda de claves en POP3: PASS
  tcp port 110 and "(tcp[20:4]=0x50415353)"
  Nota: este filtro captura credenciales en claro. Úsenlo sólo en redes donde estén autorizados a hacerlo y traten la captura como información sensible (cifrarla o borrarla al terminar el análisis).

2. Basados en Campos Erróneos o Intentos de Hacking

- Paquetes TCP Flag Null: "(tcp[13:1]&0x3f=0)"
- Paquetes TCP FIN: "(tcp[13:1]=0x01)"
- Paquetes TCP PUSH: "(tcp[13:1]=0x08)"
- Paquetes TCP UNNUMBERED: "(tcp[13:1]=0x20)" (0x20 es el bit URG, aquí sin ningún otro flag)
- Paquetes TCP FLAG RESERVED: "(tcp[13:1]&0xc0!=0)" (los bits 0xc0 son CWR y ECE, reservados en el TCP original pero usados legítimamente por ECN, RFC 3168, en el SYN/SYN-ACK; por sí solos no indican ataque)
- Paquetes TCP SYN and RST: "(tcp[13:1]=0x06)"
- Paquetes TCP SYN and FIN: "(tcp[13:1]=0x03)"
- Paquetes TCP RST and FIN: "(tcp[13:1]=0x05)"
- Protocolo IP Desconocido: "(ip[9:1]>101)" (el umbral 101 corresponde a la tabla IANA de la época del curso; verificar contra la tabla vigente antes de usarlo)
- IP Fragmentación (bit MF): "(ip[6:1]&0x20!=0x00)". Esto no captura el último fragmento (MF=0 con offset>0); para cubrir todos los fragmentos usar "(ip[6:2]&0x3fff!=0)".
- Fragmentación imposible: "(ip[6:1]&0x20!=0)" and "((ip[2:2]-((ip[0:1]&0x0f)*4))&0x7!=0)" (un fragmento con MF=1 debe llevar datos en múltiplos de 8 bytes)
- IP Options set: "(ip[0:1]&0x0f>0x05)" (Corregido: la versión anterior usaba &0x05, y un valor enmascarado con 0x05 nunca puede superar 5, así que el filtro no coincidía jamás; el IHL ocupa los 4 bits bajos, máscara 0x0f)
- Sourced Routed Packets: "(ip[0:1]&0x0f>0x05)" and "((ip[20:1]=0x83) or (ip[20:1]=0x89))" (0x83 = LSRR, 0x89 = SSRR; sólo se inspecciona la primera opción. Corregido: la versión anterior tenía además un "or" con ((ip[19:1]=0xff) or (ip[19:1]=0x00)), que hacía coincidir cualquier difusión, y usaba &0xff, que incluye el nibble de versión y por tanto siempre es >5.)
- Land Attack - Impossible IP Packet: ip[12:4] = ip[16:4] (para la variante clásica añadir también tcp[0:2] = tcp[2:2], mismo puerto origen y destino)
- IP Options DoS Attack against Raptor Firewall vr.
6.0: "(ip[0:1]&0x0f>0x05)" and "(ip[20:2]=0x4400)" (primera opción IP de tipo 0x44, Timestamp, con longitud 0. Corregido: &0x05 → &0x0f, igual que en "IP Options set")
- IP Improper Addresses: net 10 or net 127 or net 169.254 or "(net 172 and (((ip[13]>15) and (ip[13]<32)) or ((ip[17]>15) and (ip[17]<32))))" or dst net 0 or "(src net 0 and not src host 0.0.0.0)" or net 1 or net 2 or net 5 or net 23 or net 31 or "((ip[12]>=65) and (ip[12]<=127))" or "((ip[16]>=65) and (ip[16]<=127))" or net 191.255 or net 128.0 or net 197 or net 201 or net 223 or "(ip[12]>239)" or net 255
  (Corregido: la segunda comparación del rango 65–127 mezclaba ip[16] con ip[12]. Ojo: salvo las redes privadas RFC 1918, loopback, 169.254, 0/8 y 240/4, esta lista de redes "no asignadas" refleja la tabla IANA de la época y varias de ellas ya han sido asignadas; validar contra la tabla vigente antes de alertar por ellas.)
- ICMP Host Unreachable: "(icmp[0:1]=3)"
- ICMP Source Quench: "(icmp[0:1]=4)"
- ICMP Redirect: "(icmp[0:1]=5)"
- ICMP Router Discovery Attack: "(icmp[0:1]=9)" and "((icmp[12:4]=0x03e8) or (icmp[20:4]=0x03e8) or (icmp[28:4]=0x03e8) or ...)" (el campo de preferencia se repite cada 8 bytes, uno por cada dirección anunciada; extender la lista según el número de entradas)
- ICMP Time Exceed for a Datagram: "(icmp[0:1]=11)"
- ICMP Parameter Problem Attack: "(icmp[0:1]=12)" and "(icmp[8:1]>5)"
- ICMP Timestamp Attack: "(icmp[0:1]=13)" and "(icmp[1:1]=0)" and "(icmp[4:2]=0xffff)" and "(icmp[6:2]=0xffff)" (Corregido: la versión anterior pedía icmp[0:1]=13 y icmp[0:1]=0 a la vez, condición imposible; el 0 es el código, icmp[1:1])
- ICMP Timestamp Reply: "(icmp[0:1]=14)"
- ICMP Smurf Attack: Broadcast Echo Request: "(icmp[0]=8)" and "(ip[19]=0xff)" (Corregido: la versión anterior era icmp and (ip[19]=0xff) or (icmp[0]=8), que por la precedencia de "and" capturaba todo Echo Request. ip[19]=0xff sólo detecta la dirección de difusión de redes cuya máscara acaba en octeto completo, /24, /16 o /8.)
- ICMP Mask Request and Mask Reply: "(icmp[0:1]=17)" or "(icmp[0:1]=18)"
- Loki (según la versión original): "((icmp[0:1]=8) or (icmp[0:1]=0))" and "((icmp[6:2]=0xf001) or (icmp[6:2]=0x01f0))" (Corregido: faltaban los paréntesis alrededor del "or"; sin ellos cualquier Echo Request coincidía)
- Ping of Death Attack: icmp and "((ip[2:2]-((ip[0:1]&0x0f)*4)+((ip[6:2]&0x1fff)*8))>65535)" (datos IP del fragmento más offset*8 supera el tamaño máximo del datagrama reensamblado)
- BackOrifice 2000: UDP "(udp[8:4]=0xce63d1d2)" and "(udp[12:4]=0x16e713cf)"
- Traceroute filters based on UDP: "(udp[2:2]>=33000)" and "(udp[2:2]<=34999)"
- Teardrop attack: udp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))" (captura cualquier UDP fragmentado, no sólo Teardrop; el solapamiento real sólo se ve comparando los fragmentos entre sí)
- Sesquipedalian: Against Linux O.S.
"(ip[6:1]&0x20!=0)" and "(ip[6:2]&0x1fff=0)" and "((ip[2:2])=((ip[0:1]&0x0f)*4))" (primer fragmento, MF=1, sin ningún byte de datos)
- Diagnostic Port Attack: udp and "(port 7 or port 13 or port 19 or port 37)"
- Fragmented IGMP Attack: igmp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"
- Smurf Attack: "(ip[19]=0xff)" or "(ip[19]=0x00)" (cualquier paquete hacia una dirección que termina en .255 o .0; combinar con icmp para acotarlo)
- DNS Server Failure: "(udp[11:1]&0x0f=2)" (RCODE 2 = SERVFAIL; conviene anteponer udp src port 53. Corregido: la versión anterior era "(udp[11:1]=0x82), sin comillas de cierre, y además exigía RA=1, con lo que dejaba pasar respuestas SERVFAIL sin ese bit)
- Windows Registry Access or Denied File Access: tcp port 139 and "(tcp[20:1]=0x00) and ((tcp[28:2]=0x2d02) and (tcp[31:2]=0x0400) or (tcp[28:2]=0x2d00))"
- Low Numbered UDP Ports: Diagnostic Prelude Attack: "(udp[0:2]<20)" or "(udp[2:2]<20)"
- UDP Bomb: udp port 53 and "((((ip[2:2]&0xffff)-((ip[0:1]&0x0f)*4))!=(udp[4:2])))" (longitud UDP declarada distinta de la longitud IP menos cabecera. Corregido: la versión anterior comparaba con ip[26:2], que con IHL=5 es el checksum UDP y no su longitud; la longitud está en udp[4:2], igual que en "UDP Malformed Packet")
- UDP Snork: "(udp src port 135 or src port 7 or src port 19)" and "(udp dst port 135)"
- Fragmented UDP: udp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"
- UDP Malformed Packet: "(udp[4:2]<8)"
- UDP Chargen DoS: udp src port 7 and udp dst port 19
- UDP nmap OS Determination Probe: "(udp[2:2]>=30000)" and "(udp[2:2]<=44780)" and "(udp[4:2]=308)" (huella de una versión concreta de nmap; verificar contra la versión que se esté analizando)
- UDP Syslog Vulnerability: "(udp dst port 514)" and "(udp[4:2]=8)" (datagrama syslog sin datos)
- UDP NBTStat: udp port 137 and "((udp[55:1]=0x15) or (udp[54:1]=0x21))"
- BO2k UDP Packets: "(udp[10:2]=0)" and "((ip[2:2]-((ip[0]&0x0f)*4)-8-4)=((udp[9]*256)+udp[8]))"
- BO2k TCP Packets: "(tcp[22:2]=0)" and "((ip[2:2]-((ip[0]&0x0f)*4)-20-4)=((tcp[21]*256)+tcp[20]))"
- TCP Services Network Scan: tcp and "(dst port 143 or dst port 80 or dst port 25 or dst port 23 or dst port 1080 or dst port 110)", o bien, excluyendo los servidores legítimos: tcp and "(((dst port 80) and (not host 200.14.241.5)) or ((dst port 25) and (not host 200.14.241.6)))" (añadir "(tcp[13:1]&0x02!=0)" para contar sólo intentos de conexión y no todo el tráfico cliente→servidor)
- Comando SMTP: VRFY: tcp port 25 and "((tcp[20:4]=0x56524659) or (tcp[20:4]=0x76726679))" (Corregido: "VRFY" es 0x56524659 y "vrfy" 0x76726679; la versión anterior tenía 0x56524658 = "VRFX" y 0x6577706e = "ewpn", y el "or" fuera del paréntesis anulaba el tcp port 25)
- Comando SMTP: EXPN: tcp port 25 and "((tcp[20:4]=0x4558504e) or (tcp[20:4]=0x6578706e))" (Corregido: "EXPN" es 0x4558504e y "expn" 0x6578706e; la versión anterior tenía 0x4557504e = "EWPN" y 0x76726678 = "vrfx", y el mismo problema de precedencia)
- Comando SMTP: NOOP: tcp port 25 and "((tcp[20:4]=0x4e4f4f50) or (tcp[20:4]=0x6e6f6f70))" (Corregido: espacio sobrante en "0x 4e4f4f50" y paréntesis alrededor del "or")
- Quake I/II: "(src net 192.168.40)" and "(udp[2:2]>26999)" and "(udp[2:2]<28000)"
- Tribe Flood Networks (nota: estos puertos son los documentados para Trin00; el TFN original se controla por ICMP Echo Reply y no coincide con filtros de puerto): tcp port 27665 or udp port 31335 or udp
port 27444
- Stacheldraht: tcp port 16660 or tcp port 65000 (Corregido: "Stacheldraft")
- Shaft: tcp port 20432 or udp port 20433 or udp port 18753

Captura de consulta ANY a hotmail.com
udp port 53 and udp[21:4]=0x686f746d and udp[25:4]=0x61696c03 and udp[29:2]=0x636f and udp[33:2]=255
(El nombre empieza en udp[20] con la longitud de etiqueta 0x07 y termina en udp[32] con el 0x00 final, así que el QTYPE queda en udp[33:2]; 255 = ANY. Sin esa última condición el filtro captura cualquier consulta y cualquier respuesta sobre hotmail.com, porque la sección de pregunta se repite en la respuesta. Para quedarse sólo con consultas añadir udp[10]&0x80=0, bit QR. Sólo se compara la primera pregunta y sólo si el nombre no está comprimido.)

Captura de consulta DNS Server Fail
udp src port 53 and udp[11:1]&0x0f=2
(RCODE 2 = SERVFAIL. La versión anterior, udp[11:1]=0x82, exige además RA=1 y deja pasar respuestas SERVFAIL sin ese bit.)

Captura de consulta ANY a windowsupdate.com
udp port 53 and udp[21:4]=0x77696e64 and udp[25:4]=0x6f777375 and udp[29:4]=0x70646174 and udp[33:4]=0x6503636f and udp[39:2]=255
(Aquí el nombre ocupa udp[20]..udp[38], por lo que el QTYPE está en udp[39:2]; aplican las mismas observaciones que para hotmail.com.)