Packet Analysis & Network Scanning
1. Packet Structure and Analysis
1.1 TCP vs. UDP
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the two key players in the transport layer of the Internet protocol suite. As a pentester, understanding these protocols is vital because they determine how data travels between systems and reveal potential vulnerabilities in the way services listen for incoming connections.
- Reliability and Connection Orientation
  - TCP is a connection-oriented protocol. It establishes a formal connection (the “TCP handshake”) between the client and the server before any data is exchanged. Because of this, TCP ensures reliability via sequence numbers and acknowledgment (ACK) packets. If packets are lost, TCP detects the loss and resends them.
  - UDP is a connectionless protocol. It sends datagrams (packets) without performing a handshake or guaranteeing delivery. It does not track lost packets or ensure packet order. This makes UDP faster in many scenarios but less reliable if packet loss occurs.
- Speed and Overhead
  - TCP comes with higher overhead because of its connection maintenance, retransmissions, flow control, and error checking. It is generally slower, which matters for applications where speed is critical but reliability is not.
  - UDP has lower overhead. It does not spend time establishing a connection or handling retransmissions, so it tends to be faster. This lack of overhead is why real-time applications like video streaming or online gaming often use UDP.
- Typical Use Cases
  - TCP is typically used by protocols like HTTP, HTTPS, SSH, FTP, and other applications where data integrity matters more than speed.
  - UDP is widely used by protocols like DNS, DHCP, VoIP (Voice over IP), and streaming services, where speed and low latency are more important than absolute reliability.
By knowing the characteristics of TCP and UDP, a pentester can predict how a target service behaves under certain scan types, how to craft packets for stealth, and which vulnerabilities might exist (for example, packet amplification attacks are more common in UDP services).
1.2 Packet Headers
An Internet Protocol (IP) packet traveling across the network carries multiple layers of headers. As a pentester, these headers tell you where the data is coming from, where it is going, and how it is being handled.
- IP Headers
  - Source IP: The originating IP address of the packet.
  - Destination IP: The target IP address of the packet.
  - TTL (Time to Live): A value that decreases by one each time the packet traverses a router. If the TTL reaches zero, the packet is dropped. Pentesters sometimes use TTL to guess the approximate number of hops to a target or to evade simple detection rules.
- TCP Headers
  - Sequence Number: Keeps track of the position of data within a stream. This is essential to ensure that all data segments arrive and can be reassembled correctly.
  - Acknowledgment Number: Indicates the next sequence number the sender is expecting to receive. This mechanism helps ensure reliability.
  - Flags: Control bits in the header such as SYN (synchronize), ACK (acknowledge), RST (reset), FIN (finish), and others. These flags enable or disable certain features of TCP connections. For instance, a packet with only the SYN flag set starts a new TCP connection request.
- UDP Headers
  - Length: The total length of the UDP header and the data segment.
  - Checksum: Basic error-detection mechanism for the UDP header and data. While UDP is not connection-oriented, it does have a minimal level of integrity checking.
Understanding these headers is crucial for analyzing traffic. Knowledge of headers lets you see how malicious actors might craft or manipulate packets—such as forging source IPs or custom flags—to bypass intrusion detection systems (IDS) or firewalls.
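The header fields listed above, decoded from raw bytes: this is an added example, not code from the original page, written in Python with only the standard library so it runs without root or a capture file. It parses the IPv4 header (source, destination, TTL, protocol), the TCP header (ports, sequence and acknowledgment numbers, flags) and the UDP header (ports, length, checksum), and verifies the IPv4 header checksum so a corrupted or hand-edited header shows up immediately. The two sample packets (a bare SYN to port 80 and a DNS-style datagram) are constructed in the block with build_ipv4(); the addresses and port numbers are made up for the demo.

```python
"""Decode IPv4, TCP and UDP headers from raw bytes using only the standard library.

Added example, not part of the original page: it pulls out the fields the
text lists (source/destination IP, TTL, sequence and acknowledgment numbers,
TCP flags, UDP length and checksum) and verifies the IPv4 header checksum.
The sample packets are constructed by hand with build_ipv4(); no capture is read.
"""
import struct
from ipaddress import IPv4Address

# Flag bits in the low-order bits of the TCP header's 14th byte
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Return the IPv4 fields that matter for analysis, plus the transport payload."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes (20 without options)
    return {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,                   # 6 = TCP, 17 = UDP
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        # Summing a valid header including its checksum field yields 0
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; options (if any) are skipped via data offset."""
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit],
        "window": window, "payload": segment[data_offset:],
    }


def parse_udp(datagram: bytes) -> dict:
    """Decode the 8-byte UDP header; length covers header plus data."""
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": datagram[8:length]}


def parse_packet(packet: bytes) -> dict:
    """Dispatch on the IP protocol number, as Wireshark's dissector chain would."""
    ip = parse_ipv4(packet)
    if ip["protocol"] == 6:
        ip["tcp"] = parse_tcp(ip["payload"])
    elif ip["protocol"] == 17:
        ip["udp"] = parse_udp(ip["payload"])
    return ip


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 packet (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


# Constructed sample 1: a bare SYN from 192.168.1.10:40000 to 10.0.0.5:80 (TTL 64)
SYN_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 64240, 0, 0)
SAMPLE_TCP = build_ipv4("192.168.1.10", "10.0.0.5", 64, 6, SYN_SEGMENT)

# Constructed sample 2: a 12-byte DNS-style query to the local resolver (TTL 128)
DNS_PAYLOAD = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
UDP_DATAGRAM = struct.pack("!HHHH", 53000, 53, 8 + len(DNS_PAYLOAD), 0) + DNS_PAYLOAD
SAMPLE_UDP = build_ipv4("192.168.1.10", "192.168.1.1", 128, 17, UDP_DATAGRAM)

if __name__ == "__main__":
    for pkt in (SAMPLE_TCP, SAMPLE_UDP):
        decoded = parse_packet(pkt)
        print({k: v for k, v in decoded.items() if k != "payload"})
```

Feeding the raw bytes of a frame captured with tcpdump -w (after stripping the 14-byte Ethernet header) into parse_packet() gives the same view Wireshark shows in its packet-details pane; flipping a single TTL byte makes checksum_ok go false, which is the kind of inconsistency an IDS uses to spot hand-crafted packets.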
1.3 Hands-On with Wireshark or tcpdump
Hands-on experience with packet capture tools is invaluable in pentesting. Wireshark (with a GUI) and tcpdump (command-line) are industry-standard tools.
- Capturing Live Traffic
  - Wireshark: Open Wireshark and select an active network interface (e.g., eth0 or wlan0). Start a live capture, and Wireshark displays packet data in real time.
  - tcpdump: On a command line, run tcpdump -i eth0 (replace eth0 with your interface name). You’ll see a stream of captured packets.
- Filtering Captures
  - Wireshark: Use display filters like tcp.port == 80 to see only packets on TCP port 80 (HTTP), or ip.src == 192.168.1.10 to see only traffic from a specific IP address.
  - tcpdump: Use capture filters on the command line, for instance tcpdump -i eth0 'tcp port 80'. This displays only TCP traffic on port 80.
- Interpreting Packet Details for Pentesting Insights
  - Look at the sequence numbers in TCP and see if there is any anomaly (e.g., suspicious resets or out-of-order segments).
  - Check the DNS queries and responses to see what domains are being resolved.
  - Identify potential open ports or unusual traffic patterns that might indicate an attack or vulnerability.
Collecting and analyzing live traffic will help you see exactly what is happening on the wire, enabling you to detect suspicious behavior, identify misconfigurations, and plan more targeted tests.
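The filtering and handshake reading described above, as an added example that is not code from the original page: a small Python module that evaluates a subset of Wireshark display-filter syntax (field == value clauses joined with &&, using Wireshark's field names) against a packet summary, then locates the SYN, SYN/ACK, ACK exchange by its sequence numbers and flags any RST for which the capture holds no matching SYN, the "suspicious resets" the text tells you to look for. PACKETS is a constructed summary of what Wireshark or tcpdump would list while a browser loads one page (a DNS lookup, a handshake to port 80, the first request and one stray reset); the evaluator is my own, not Wireshark's.

```python
"""Apply Wireshark-style display filters to a capture summary and read the TCP handshake.

Added example, not part of the original page. PACKETS is a constructed summary
(not a real trace). Only a subset of display-filter syntax is implemented:
field == value clauses joined with &&.
"""

PACKETS = [  # constructed sample capture
    {"ts": 0.000, "proto": "udp", "src": "192.168.1.10", "dst": "192.168.1.1",
     "sport": 53000, "dport": 53, "info": "DNS query example.test"},
    {"ts": 0.012, "proto": "udp", "src": "192.168.1.1", "dst": "192.168.1.10",
     "sport": 53, "dport": 53000, "info": "DNS response 10.0.0.5"},
    {"ts": 0.015, "proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5",
     "sport": 40000, "dport": 80, "flags": {"SYN"}, "seq": 1000, "ack": 0},
    {"ts": 0.030, "proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10",
     "sport": 80, "dport": 40000, "flags": {"SYN", "ACK"}, "seq": 5000, "ack": 1001},
    {"ts": 0.031, "proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5",
     "sport": 40000, "dport": 80, "flags": {"ACK"}, "seq": 1001, "ack": 5001},
    {"ts": 0.032, "proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5",
     "sport": 40000, "dport": 80, "flags": {"PSH", "ACK"}, "seq": 1001, "ack": 5001},
    {"ts": 0.500, "proto": "tcp", "src": "10.0.0.99", "dst": "192.168.1.10",
     "sport": 443, "dport": 40512, "flags": {"RST"}, "seq": 0, "ack": 0},
]


def _field(pkt, name):
    """Resolve a Wireshark-style field name against one packet summary (None if N/A)."""
    proto = pkt["proto"]
    if name == "ip.src":
        return pkt["src"]
    if name == "ip.dst":
        return pkt["dst"]
    if name == proto + ".srcport":
        return pkt["sport"]
    if name == proto + ".dstport":
        return pkt["dport"]
    if name == proto + ".port":                      # either side, as in Wireshark
        return {pkt["sport"], pkt["dport"]}
    if proto == "tcp" and name.startswith("tcp.flags."):
        return name.rsplit(".", 1)[1].upper() in pkt["flags"]
    return None


def matches(pkt, expression):
    """True when every 'field == value' clause (joined with &&) holds for pkt."""
    for clause in expression.split("&&"):
        name, _, value = clause.partition("==")
        actual, value = _field(pkt, name.strip()), value.strip()
        if actual is None:
            return False                             # field does not apply to this packet
        if isinstance(actual, set):
            if int(value) not in actual:
                return False
        elif isinstance(actual, bool):
            if actual != (value == "1"):
                return False
        elif str(actual) != value:
            return False
    return True


def display_filter(packets, expression):
    return [p for p in packets if matches(p, expression)]


def find_handshakes(packets):
    """Pair each bare SYN with its SYN/ACK and final ACK using the sequence numbers."""
    tcp = [p for p in packets if p["proto"] == "tcp"]
    results = []
    for syn in (p for p in tcp if p["flags"] == {"SYN"}):
        client, server = (syn["src"], syn["sport"]), (syn["dst"], syn["dport"])
        synack = next((p for p in tcp if p["flags"] == {"SYN", "ACK"}
                       and (p["src"], p["sport"]) == server
                       and (p["dst"], p["dport"]) == client
                       and p["ack"] == syn["seq"] + 1), None)
        ack = synack and next((p for p in tcp if "ACK" in p["flags"] and "SYN" not in p["flags"]
                               and (p["src"], p["sport"]) == client
                               and (p["dst"], p["dport"]) == server
                               and p["ack"] == synack["seq"] + 1), None)
        results.append({"client": client, "server": server, "complete": bool(synack and ack)})
    return results


def unsolicited_resets(packets):
    """RSTs on a 4-tuple the capture never saw a SYN for: the kind of anomaly worth a look."""
    syn_tuples = {(p["src"], p["sport"], p["dst"], p["dport"])
                  for p in packets if p["proto"] == "tcp" and "SYN" in p["flags"]}
    out = []
    for p in packets:
        if p["proto"] == "tcp" and "RST" in p["flags"]:
            fwd = (p["src"], p["sport"], p["dst"], p["dport"])
            rev = (p["dst"], p["dport"], p["src"], p["sport"])
            if fwd not in syn_tuples and rev not in syn_tuples:
                out.append(p)
    return out


if __name__ == "__main__":
    print(len(display_filter(PACKETS, "tcp.port == 80")), "packets on TCP port 80")
    print(find_handshakes(PACKETS), [p["src"] for p in unsolicited_resets(PACKETS)])
```

The handshake matcher is strict on purpose: the SYN/ACK must acknowledge the client's sequence number plus one, and the final ACK must acknowledge the server's plus one. A "handshake" that fails that check in a real capture is either retransmission noise or something crafted, and either way deserves the closer look the text recommends.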
2. Introduction to Network Scanning
2.1 Why Network Scanning Is Crucial
Network scanning is often one of the first activities in a penetration test because it reveals how a network is organized and identifies potential entry points.
- Identifying Open Ports and Services
  - Every open port on a device represents a potential communication channel. If an old or misconfigured service is listening on an open port, that service could be an entry point for an attacker.
  - By mapping which ports are open, you can often guess what type of services or operating systems are in use, which then informs deeper testing.
- Uncovering Potential Attack Surfaces
  - Different services might run different software versions. Outdated versions of software can have well-known exploits.
  - Even if the software is up to date, misconfiguration can leave a service vulnerable. For example, an FTP server might allow anonymous login if not configured correctly.
2.2 Scanning Strategies (Conceptual)
Scan strategies range from simple to sophisticated. Understanding them helps you choose the right tool for each scenario and interpret scan results more accurately.
- Stealth Scans (SYN Scans)
  - A SYN scan sends a TCP SYN packet to a target port without completing the handshake. If the port is open, the target sends back a SYN/ACK; if it is closed, it often sends an RST (reset).
  - Because the TCP handshake is never fully completed, this can sometimes bypass certain logging or detection systems, making it less obvious than a full connect scan.
- ACK Scans
  - ACK scans send a TCP packet with the ACK flag set to see how the host responds.
  - These scans do not tell you whether a port is open or closed in the traditional sense, but they can reveal whether the port is “unfiltered” (no firewall rules) or “filtered” (blocked by a firewall).
- Other Common Scan Types
  - FIN Scans: Send a packet with the FIN flag set, which is unexpected when there is no existing connection. An open port might ignore it, whereas a closed port might send an RST.
  - NULL Scans: Send a packet with no flags set at all. Similar logic applies: a closed port often generates an RST.
  - Xmas Scans: Send a packet with the FIN, URG, and PSH flags set—like a lit-up Christmas tree. The response, or lack thereof, can sometimes bypass certain firewalls or IDS rules.
Knowing how these scans work helps you pick a method that balances stealth and information-gathering needs. For instance, in a heavily monitored environment, you might want to use stealth scans to reduce detection.
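The same scan types seen from the defender's side, as an added example (not code from the original page): a Python detector that reads tcpdump's default TCP line format and labels each probe by its flag string (Flags [S] is a bare SYN, [.] a bare ACK, [F] FIN, [FPU] the FIN/PSH/URG combination of an Xmas scan, [none] a NULL probe). The rule has two parts. NULL, FIN and Xmas packets never begin a legitimate connection, so a single one is enough to alert. A bare SYN or ACK is normal traffic on its own, so those only alert when one source touches many distinct ports on one host inside a short window. SAMPLE_LINES is constructed for the demo (a six-port SYN sweep, one Xmas and one NULL probe, and an ordinary browser handshake that must not trigger); the window and threshold values are assumptions to tune per environment.

```python
"""Flag port-scan probes in tcpdump output: a detector's view of the scan types above.

Added example, not part of the original page. SAMPLE_LINES is constructed in
tcpdump's default TCP line format; the window/threshold defaults are assumptions.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

# tcpdump flag string -> probe type; anything else ("S.", "P.", "F.") is ordinary traffic
PROBE_TYPES = {"S": "SYN", ".": "ACK", "F": "FIN", "none": "NULL", "FPU": "Xmas"}
ONE_PACKET_IS_ENOUGH = {"FIN", "NULL", "Xmas"}   # never start a legitimate connection

SAMPLE_LINES = """\
12:00:01.000000 IP 10.0.0.99.54321 > 192.168.1.10.21: Flags [S], seq 1, win 1024, length 0
12:00:01.001000 IP 10.0.0.99.54321 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.002000 IP 10.0.0.99.54321 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
12:00:01.003000 IP 10.0.0.99.54321 > 192.168.1.10.25: Flags [S], seq 1, win 1024, length 0
12:00:01.004000 IP 10.0.0.99.54321 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
12:00:01.004500 IP 192.168.1.10.80 > 10.0.0.99.54321: Flags [S.], seq 7, ack 2, win 64240, length 0
12:00:01.005000 IP 10.0.0.99.54321 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
12:00:04.000000 IP 10.0.0.99.54322 > 192.168.1.10.8080: Flags [FPU], seq 1, win 1024, length 0
12:00:04.100000 IP 10.0.0.99.54323 > 192.168.1.10.3306: Flags [none], win 1024, length 0
12:00:30.000000 IP 192.168.1.20.40000 > 10.0.0.5.80: Flags [S], seq 100, win 64240, length 0
12:00:30.020000 IP 10.0.0.5.80 > 192.168.1.20.40000: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:30.021000 IP 192.168.1.20.40000 > 10.0.0.5.80: Flags [.], ack 201, win 502, length 0
""".splitlines()


def parse_line(line):
    """Return a dict for a TCP line, or None for lines in another format (ARP, UDP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    hh, mm, ss = d["ts"].split(":")
    d["ts"] = int(hh) * 3600 + int(mm) * 60 + float(ss)   # seconds since midnight
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["probe"] = PROBE_TYPES.get(d["flags"])                # None for ordinary traffic
    return d


def detect_scans(lines, window=10.0, threshold=5):
    """Return one alert per (source, destination, probe type) that looks like a scan."""
    groups = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p["probe"]:
            groups[(p["src"], p["dst"], p["probe"])].append(p)

    alerts = []
    for (src, dst, probe), events in sorted(groups.items()):
        events.sort(key=lambda e: e["ts"])
        if probe in ONE_PACKET_IS_ENOUGH:
            alerts.append({"src": src, "dst": dst, "type": probe,
                           "ports": len({e["dport"] for e in events})})
            continue
        # Sliding window: how many distinct ports did this pair hit within `window` seconds?
        for i, first in enumerate(events):
            ports = {e["dport"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "type": probe, "ports": len(ports)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LINES):
        print(f"{alert['type']:<5} probe(s) from {alert['src']} to {alert['dst']}: "
              f"{alert['ports']} distinct port(s)")
```

Run against real output from tcpdump -n (numeric addresses, so the line format matches), the SYN sweep from 10.0.0.99 is caught by breadth across ports, while the single Xmas and NULL probes are caught by their flag combination alone; the ordinary handshake from 192.168.1.20 produces nothing. That asymmetry is exactly why the text calls a SYN scan "stealthy" and a NULL/FIN/Xmas scan something that "can sometimes bypass" rules: the former hides in normal-looking packets, the latter relies on the rules not inspecting flag combinations at all.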
2.3 Tools and Techniques
Several tools exist to automate the scanning process. While these tools can be used maliciously by attackers, they are also indispensable in legitimate pentesting.
- High-Level Overview of Popular Tools
  - Nmap: The most well-known scanning tool. It can do SYN scans, ACK scans, version detection, OS fingerprinting, and more. Nmap homepage
  - Masscan: Known for its speed and capable of scanning the entire Internet in a relatively short amount of time. Useful for broad reconnaissance. Masscan on GitHub
- Interpreting Scan Results in a Penetration Testing Context
  - Open: The port responds and is listening. This means a service is active.
  - Closed: The port is reachable at the network level, but there is no application listening.
  - Filtered: A firewall or other device is blocking the probe, so you cannot determine whether the port is open or closed.
  - Banner Grabbing: Many scanning tools allow banner grabbing, which collects basic information about the service, often including the version number. This is critical for identifying known vulnerabilities.
-
Recommended Learning Path
- Investigate Packets (Module 1)
  - Hands-On Labs:
    - Spend time on Wireshark. Perform a capture while you load a website in your browser. Observe the TCP handshake—SYN, SYN/ACK, ACK—and note the source and destination IPs. Wireshark Download
    - Experiment with tcpdump filters to see just the HTTP traffic. Then switch to a secure site (HTTPS) and note the difference in what you can observe once the payload is encrypted.
  - Why It Matters: A deep understanding of packet structure helps you recognize abnormal traffic, possible attacks, or misconfigurations. Skilled pentesters learn to “think in packets” because that is how data moves under the hood.
- Study Scanning Methods (Module 2)
  - Nmap Basics:
    - Install Nmap:
      - On Windows: download the installer (Nmap Download), run it and follow the installation prompts.
      - On Linux (CentOS/Fedora): sudo dnf install nmap
      - On Linux (Ubuntu/Debian): sudo apt-get install nmap
    - Try a simple command, such as:
      - Basic Scan: nmap <target_IP_address> to check the target machine's connectivity status and open ports.
      - Port Scanning: nmap -p <port_number> <target_IP_address> to learn the state of a specific port on the target machine.
      - Scanning Service and Version: nmap -sV <target_IP_address> to learn the service details on the target machine.
      - Scanning Operating System: nmap -O <target_IP_address> to learn the OS on the target machine.
      - Scanning All Devices on a Network: nmap -sP <network_IP_range> to discover connected devices in the network segment (-sP is the legacy spelling of the ping-scan option -sn).
      - Verbose Output: nmap -v <target_IP_address> for more detailed output of the scanning process.
      - TCP SYN Scan (Stealth Scan): nmap -sS <target_IP_address> to scan the target using a half-open SYN scan.
      - UDP Scan: nmap -sU <target_IP_address>. UDP scanning works by sending a UDP packet to each port on the target IP address.
      - Nmap Help: nmap -h
    - Look at how Nmap categorizes ports as open, closed, or filtered. Note the difference in your results when scanning the same range with a full connect scan (-sT) versus a SYN scan (-sS).
  - Interpreting Results:
    - Practice reading and translating scan output into actionable insights. For instance, if you see 22/tcp open ssh, you might investigate the SSH version to check for vulnerabilities.
    - If you see that the port state is filtered, it means you are hitting a firewall or some packet-filtering device, and you might consider using a different technique such as ACK scanning to figure out the filtering rules.
  - Why It Matters: Network scanning is a pentester’s roadmap. It shows you what services are out there to potentially exploit. Skilled scanning helps you be efficient and stealthy, minimizing your noise on the network while maximizing the information gained.
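The "translate scan output into actionable insights" step above, as an added example that is not code from the original page: a Python parser for the port table in Nmap's normal output (the layout nmap -sV prints: a host line, a "Not shown" line, then PORT / STATE / SERVICE / VERSION columns). It groups ports by state, lists the open services that carry a version string so they can be checked against known-vulnerable releases, singles out open ports Nmap could not fingerprint, and marks filtered and open|filtered ports for the ACK-scan follow-up the text suggests (Nmap's -sA). SAMPLE_REPORT is a constructed excerpt; the host, services and version strings are invented for the demo and are not real scan results.

```python
"""Turn Nmap's normal-output port table into a structured summary.

Added example, not part of the original page. SAMPLE_REPORT is a constructed
excerpt in the layout of `nmap -sV` output; its contents are invented.
"""
import re

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>\S+)")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
                     r"(?P<service>\S+)(?:\s+(?P<version>.+))?$")

SAMPLE_REPORT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0021s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE         SERVICE    VERSION
22/tcp   open          ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open          http       nginx 1.18.0
443/tcp  filtered      https
3306/tcp open          mysql      MySQL 5.7.33
8080/tcp open|filtered http-proxy
"""


def parse_nmap_report(text):
    """Parse one host's report into {"host", "not_shown", "ports": [...]}."""
    report = {"host": None, "not_shown": {}, "ports": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report["host"] = m.group("host")
        elif m := NOT_SHOWN_RE.match(line):
            report["not_shown"][m.group("state")] = int(m.group("count"))
        elif m := PORT_RE.match(line):
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["version"] = (entry["version"] or "").strip() or None
            report["ports"].append(entry)
    return report


def summarize(report):
    """Group ports by state and decide what each one calls for next."""
    counts = {}
    for p in report["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    counts.update(report["not_shown"])    # e.g. the 995 closed ports Nmap folded away
    return {
        "host": report["host"],
        "counts": counts,
        # open ports with a version string: compare against known-vulnerable releases
        "versioned": [(p["port"], p["service"], p["version"])
                      for p in report["ports"] if p["state"] == "open" and p["version"]],
        # open ports Nmap could not fingerprint: banner-grab or probe by hand
        "unknown_version": [p["port"] for p in report["ports"]
                            if p["state"] == "open" and not p["version"]],
        # filtered / open|filtered: a packet filter is in the way; an ACK scan (-sA)
        # helps map its rules, as the text suggests
        "follow_up": {p["port"]: "ACK scan (-sA) to map filtering rules"
                      for p in report["ports"] if "filtered" in p["state"]},
    }


if __name__ == "__main__":
    summary = summarize(parse_nmap_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Keeping the parsed table per host is the "stay organized" habit from the tips below in machine-readable form: diffing two summaries of the same host shows which ports and versions changed between scans, which is far more reliable than comparing screenshots.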
Additional Tips and Insights
- Stay Organized: When scanning multiple hosts, it’s easy to lose track of what you’ve found. Keep logs, screen captures, or notes on each host, including open ports, service versions, and any anomalies noticed.
- Ethical Considerations: Always get explicit permission before scanning and capturing traffic on a network you do not own. Unauthorized scanning can be seen as malicious and may lead to legal consequences.
- Defensive Perspective: While learning these techniques offensively, also think about how defenders detect and block them. This dual perspective makes you a stronger pentester because you can adapt your approach to evade defensive measures.
- Iterative Approach: Scanning and packet analysis are not a one-and-done deal. You’ll often capture traffic, notice something suspicious, refine your filters, scan again, and so on. This iterative cycle is typical in real-world pentests.
Conclusion
Mastering Networking Basics for Pentesters—specifically packet structure and network scanning—lays an indispensable foundation for your pentesting journey. By understanding how TCP and UDP packets are crafted, what headers look like, and how to observe them with Wireshark or tcpdump, you gain the insight needed to identify weak points in network defenses. Furthermore, learning the different scanning strategies, from SYN scans to ACK scans and beyond, empowers you to map and assess networks effectively. Each open port or filtered response tells a story about the host’s security posture, guiding your next steps in the test.
As you progress, remember that good pentesters are lifelong learners. Networks evolve, defense technologies improve, and new vulnerabilities appear. The practices you build now—familiarity with packets, comfort with scanning tools, and systematic note-taking—will remain relevant throughout your career, even as the landscape changes.
Keep exploring, keep testing, and keep honing your skills. With consistent practice and ethical diligence, you’ll develop the intuition and expertise that make for a top-notch pentester.
Test Your Knowledge
Which of the following is true about TCP compared to UDP?
In an IP header, which field decreases by 1 every time the packet crosses a router?
Which of these statements about SYN scans is most accurate?
If Nmap shows a port in the “filtered” state, what is the best explanation?
In a packet capture using Wireshark or tcpdump, you observe that an attacker has set FIN, PSH, and URG flags on a single TCP packet (an Xmas scan). What is the primary reason an attacker might use this scan type?