Method and system for detecting a vulnerability in a network
First Claim
1. A method of detecting a vulnerability of a network, comprising:
sending a first set of test packets to a remote host on the network;
receiving a first set of reflexive packets from the remote host in response to the first set of test packets, at least part of the first set of reflexive packets including header information that is unique to an operating system;
inferring the operating system;
sending a second set of test packets to the remote host;
receiving a second set of reflexive packets from the remote host in response to the second set of test packets, at least part of the second set of reflexive packets including header information that is unique to a service; and
inferring the service;
identifying a vulnerability of the network based on information obtained from the steps of identifying an operating system and identifying a service,
wherein the first set of test packets includes:
- a SYN packet with a false flag in the TCP option header;
- a fragmented UDP packet with a malformed header (any header inconsistency is sufficient), where the packet is 8K in size;
- FIN packets of a selected variable size, or a FIN packet without the ACK or SYN flag properly set; and
- a generic, well-formed ICMP ECHO request packet;
- a generic, well-formed TCP header set to 1024 bytes in size;
- a packet requesting an ICMP timestamp;
- a packet with the min/max segment size set to a selected variable value; and
- a UDP packet with the fragment bit set;
- a TCP packet with the header and options set incorrectly;
- a well-formed ICMP packet;
- a fragmented TCP or UDP packet;
- a packet with an empty TCP window or a window set to zero;
- a generic TCP packet with 8K of random data; and
- a SYN packet with the ACK and RST flags set.
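From the defender's side, the probe mix enumerated in claim 1 is itself a detectable signature: a single malformed packet is noise, but several distinct probe types aimed at one host from one source is a fingerprint run. The following is an added example, not code from the patent or any product it describes; it classifies already-decoded packet headers (constructed dicts, not captured traffic) against the claim's probe types and flags source/destination pairs that exercise several of them. The field names (`proto`, `flags`, `window`, `more_fragments`, and so on) are assumptions of this example.

```python
from collections import defaultdict

def classify_probe(pkt):
    """Return which claim-1 probe a decoded packet resembles, or None."""
    proto = pkt.get("proto")
    flags = set(pkt.get("flags", ()))
    if proto == "tcp":
        if {"SYN", "ACK", "RST"} <= flags:
            return "syn_ack_rst"            # illegal flag combination
        if "FIN" in flags and not flags & {"ACK", "SYN"}:
            return "bare_fin"               # FIN outside any live session
        if "SYN" in flags and pkt.get("window", 1) == 0:
            return "zero_window_syn"
        if pkt.get("bad_options"):
            return "bad_tcp_options"        # header/options set incorrectly
        if pkt.get("payload_len", 0) >= 8192:
            return "tcp_8k_payload"
    elif proto == "udp":
        fragmented = pkt.get("more_fragments") or pkt.get("frag_offset", 0) > 0
        if fragmented and (pkt.get("total_len", 0) >= 8192 or pkt.get("bad_header")):
            return "frag_udp_8k_malformed"
        if fragmented:
            return "frag_udp"
    elif proto == "icmp" and pkt.get("icmp_type") == 13:
        return "icmp_timestamp"             # ICMP timestamp request
    return None

def detect_fingerprint_scans(packets, min_distinct=3):
    """Return {(src, dst): [probe labels]} for pairs showing at least
    min_distinct different probe types within the supplied packets."""
    seen = defaultdict(set)
    for pkt in packets:
        label = classify_probe(pkt)
        if label:
            seen[(pkt["src"], pkt["dst"])].add(label)
    return {pair: sorted(labels) for pair, labels in seen.items()
            if len(labels) >= min_distinct}

# Constructed sample traffic (not captured data): one scanner, one normal client.
SAMPLE_PACKETS = [
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "flags": ("SYN", "ACK", "RST")},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "flags": ("FIN",)},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "flags": ("SYN",), "window": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "udp", "more_fragments": True, "total_len": 8192},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "icmp", "icmp_type": 13},
    {"src": "10.0.0.7", "dst": "10.0.0.5", "proto": "tcp", "flags": ("SYN",), "window": 65535},
]

if __name__ == "__main__":
    print(detect_fingerprint_scans(SAMPLE_PACKETS))
```

The threshold `min_distinct` trades false positives (one odd packet from a buggy stack) against missed slow scans; tune it per environment.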
Abstract
A system and method in accordance with the invention reliably and non-intrusively identifies various conditions of a network. In particular, an embodiment of the invention can identify an operating system, including version and patch level, and a service, including version and patch level, of a remote host on the network. Using this information, an embodiment of the invention can then reliably identify a vulnerability condition of the network. In some embodiments, the operating system and service information can be used to identify a trojan application, unlicensed software use, security policy violations, or even infer vulnerabilities that are yet unknown.
6 Claims
2. A method of examining a network, including:
identifying an operating system of a remote host, including a version and a patch level of the operating system, with a first set of packets, the first set of packets comprising at least an operating system packet to determine the operating system, an operating system version packet to determine the operating system version based on the determined operating system, and an operating system patch level packet to determine the operating system patch level based on the determined operating system version;
identifying a service of the remote host, including a version and a patch level of the service, with a second set of packets based on the identified operating system, the second set of packets comprising at least a service packet to determine the service, a service version packet to determine the service version based on the determined service, and a service patch level packet to determine the service patch level based on the determined service version; and
identifying a vulnerability of the network based on information obtained from the steps of identifying an operating system and identifying a service.
Specification