CND (312-38) Network Defense Simulation
Network Scenario
The organization's perimeter firewall has logged an unusual volume of TCP connection attempts from an external IP (203.0.113.42) targeting the DMZ web server. John, the network administrator, suspects an active reconnaissance phase—specifically, TCP OS fingerprinting using a tool like Nmap.
The attacker is likely sending packets with unusual combinations of TCP flags (like Null scans or Xmas scans) and specific TCP options (like varying MSS values) to trigger OS-specific stack responses.
Traffic & Logs
Note: Attackers use these anomalies because different Operating Systems (Linux vs. Windows vs. BSD) handle non-standard TCP packets in unique, identifiable ways.
Question
John is a network administrator and is monitoring his network traffic with the help of Wireshark. He suspects that someone from outside is making a TCP OS fingerprinting attempt on his organization's network. Which of the following Wireshark filter(s) will he use to locate the TCP OS fingerprinting attempt? (Choose all that apply.)
Fingerprinting involves looking for non-standard packet structures. Look for "Null" flags, "Xmas" flags, and Maximum Segment Size (MSS) values that differ from the standard 1460 bytes used in Ethernet.
Expert Analysis
1. What is happening in the network: An external entity is conducting "Active Fingerprinting." Unlike passive fingerprinting (which only observes normal traffic), active fingerprinting sends crafted packets to solicit responses whose details (RST or silence, initial window size, option ordering) reveal the target's OS family and often its version.
2. Identify attack or behavior: The traffic patterns show Null Scans (no flags set) and Xmas Scans (FIN, PSH, and URG flags set). These are classic reconnaissance techniques used to bypass simple firewalls and identify the OS based on whether it sends a RST packet or ignores the probe.
3. Why correct answers are correct:
- A (tcp.flags==0x00): Filters for Null packets, i.e. segments with no flag bits set. Legitimate TCP traffic always carries at least one flag (SYN, ACK, FIN or RST), so a zero flags word only comes from a crafted probe.
- C (tcp.flags==0x2b): Filters for a Xmas-style flag combination. Wireshark's tcp.flags bits are FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10 and URG=0x20, so 0x2b = 0x01 + 0x02 + 0x08 + 0x20 = FIN+SYN+PSH+URG. Nmap's -sX Xmas scan sets only FIN+PSH+URG (0x29); 0x2b additionally sets SYN, and SYN together with FIN is an illegal combination that no compliant stack sends on its own. It is the signature of Nmap's OS-detection T3 probe (SYN, FIN, URG and PSH set, window 256), which is why this value is treated as the fingerprinting filter here.
- D (tcp.options.mss_val<1460): Attackers often manipulate the MSS option. 1460 is the standard value for Ethernet (MTU 1500 minus 20 bytes of IP header and 20 bytes of TCP header); Nmap's OS-detection probes advertise a deliberately small MSS of 265, so a value well below 1460 from an external source is a fingerprinting hallmark. Hosts behind tunnels or PPPoE links legitimately advertise slightly smaller values (1452, 1440), so review the matches rather than alerting on them blindly.
4. Why others are wrong:
- B (tcp.options.wscale_val==20): Window scaling is a TCP option whose shift count does vary between OS stacks, but RFC 7323 caps the shift at 14, so legitimate hosts send values between 0 and 14 and a single hard-coded value such as 20 is neither normal traffic nor a recognised probe signature. It does not isolate fingerprinting traffic the way the flag and MSS filters do. Note also that current Wireshark releases expose this field as tcp.options.wscale.shift; tcp.options.wscale_val is the older field name used in the question.
5. Defensive action: Configure the firewall or IPS (Snort/Suricata) to drop packets with invalid flag combinations; in rule syntax the flags keyword expresses these (flags:0; for a null probe, flags:SF; for the SYN+FIN combination). Block the source IP (203.0.113.42) temporarily, and check the logs for what followed the reconnaissance: OS fingerprinting is preparatory, so look for exploit attempts or targeted service probes against the DMZ web server from the same source.
- Null Scan (0x00): No bits set. If the OS follows RFC 793, it will send a RST if the port is closed and nothing if it's open (except Windows, which sends RST regardless).
- Xmas Scan: "Lights the packet up like a Christmas tree." Typically FIN, URG, and PSH.
- TCP Options: OS stacks vary in how they order options (NOP, MSS, WS, SACK) or what default values they use for the initial Window Size.
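The following script is an added example for this simulation, not part of the original page or of Wireshark itself. It decodes raw TCP headers with the standard library, parses the MSS and window-scale options, and applies the display filters from the question as predicates, so you can see exactly which bytes make tcp.flags==0x00, tcp.flags==0x2b and tcp.options.mss_val<1460 match. The segments it builds are constructed test data: a normal SYN, and probes modelled on Nmap's OS-detection T2 (null flags, window 128) and T3 (SYN+FIN+PSH+URG, window 256) probes with their MSS 265 and window scale 10 options, plus a plain -sX Xmas probe. The filter names and helper functions are the example's own.

```python
"""Decode raw TCP segments and apply the OS-fingerprinting display filters
from the analysis (null flags, 0x29/0x2b Xmas-style flags, MSS < 1460).
Standard library only; all segments below are constructed, not captured."""
import struct

# tcp.flags bit values as Wireshark shows them: the low 12 bits of the
# data-offset/flags word (8 classic flags, NS at 0x100, 3 reserved bits).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK",
              URG: "URG", ECE: "ECE", CWR: "CWR", NS: "NS"}

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WSCALE = 0, 1, 2, 3


def parse_tcp(segment: bytes) -> dict:
    """Return ports, flags, window, MSS and window-scale shift from a raw TCP segment.

    Option parsing stops at EOL or at a malformed length, which is exactly
    the kind of input an active fingerprinter may send."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    info = {"sport": sport, "dport": dport, "flags": off_flags & 0x0FFF,
            "window": window, "mss": None, "wscale_shift": None}
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                      # kind byte with no length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                      # malformed option, stop parsing
        body = opts[i + 2:i + length]
        if kind == TCPOPT_MSS and length == 4:
            info["mss"] = struct.unpack("!H", body)[0]
        elif kind == TCPOPT_WSCALE and length == 3:
            info["wscale_shift"] = body[0]
        i += length
    return info


def flag_names(flags: int) -> str:
    """Human-readable flag list in Wireshark's bit order, e.g. 'FIN+SYN+PSH+URG'."""
    return "+".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


# The display filters from the question, as predicates over parse_tcp() output.
FILTERS = {
    "tcp.flags==0x000": lambda p: p["flags"] == 0x000,                   # Null scan (A)
    "tcp.flags==0x029": lambda p: p["flags"] == FIN | PSH | URG,         # Nmap -sX Xmas
    "tcp.flags==0x02b": lambda p: p["flags"] == FIN | SYN | PSH | URG,   # SYN+FIN probe (C)
    "tcp.options.mss_val<1460": lambda p: p["mss"] is not None and p["mss"] < 1460,  # (D)
}


def matching_filters(segment: bytes) -> list:
    """Names of the filters this segment would match in Wireshark."""
    info = parse_tcp(segment)
    return [name for name, pred in FILTERS.items() if pred(info)]


def build_tcp(sport: int, dport: int, flags: int, window: int, options: bytes = b"") -> bytes:
    """Build a raw TCP header with the given flags and options (constructed test data)."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 4-byte boundary with EOL
    data_offset = 5 + len(options) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (data_offset << 12) | (flags & 0x0FFF), window, 0, 0)
    return hdr + options


def mss_opt(value: int) -> bytes:
    return struct.pack("!BBH", TCPOPT_MSS, 4, value)


def wscale_opt(shift: int) -> bytes:
    return struct.pack("!BBB", TCPOPT_WSCALE, 3, shift)


# Constructed segments: a normal SYN, then probes modelled on Nmap's OS-detection
# T2 (null flags) and T3 (SYN+FIN+PSH+URG) probes, which carry WScale 10, NOP, MSS 265.
NORMAL_SYN = build_tcp(50000, 443, SYN, 64240, mss_opt(1460) + wscale_opt(7))
NULL_PROBE = build_tcp(54321, 80, 0, 128, wscale_opt(10) + b"\x01" + mss_opt(265))
T3_PROBE = build_tcp(54322, 80, FIN | SYN | PSH | URG, 256, wscale_opt(10) + b"\x01" + mss_opt(265))
XMAS_PROBE = build_tcp(54323, 80, FIN | PSH | URG, 1024)

if __name__ == "__main__":
    for name, seg in [("normal SYN", NORMAL_SYN), ("null probe", NULL_PROBE),
                      ("T3 probe", T3_PROBE), ("Xmas probe", XMAS_PROBE)]:
        p = parse_tcp(seg)
        print(f"{name:11s} flags=0x{p['flags']:03x} ({flag_names(p['flags'])}) "
              f"mss={p['mss']} wscale={p['wscale_shift']} -> {matching_filters(seg)}")
```

Running it shows the normal SYN matching nothing, the null probe matching both the 0x000 flag filter and the MSS filter, the T3-style probe matching 0x02b and the MSS filter, and the plain Xmas probe matching only 0x029. That last line is the practical caveat: a filter for 0x2b alone misses an Nmap -sX scan, so combine tcp.flags==0x29 with tcp.flags==0x2b (or use tcp.flags.syn==1 && tcp.flags.fin==1 for the illegal pairing) when hunting for fingerprinting.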