TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.

Slides:



Advertisements
Similar presentations
TCP/IP Christopher Zacky. lolwut Decimal Numbers.
Advertisements

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
CCNA – Network Fundamentals
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Configuring a Router with RIP Basic Configuration and Show Commands.
1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.
EEC-484/584 Computer Networks Lecture 15 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
source router Destination IP packet IP packet fragments Reassembly Required Fragments Created.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
Lecture 23: Network Primer 7/15/2003 CSCE 590 Summer 2003.
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
Communication Protocols III Tenth Meeting. Connections in TCP A wants to send to B. What is the packet next move? A travels through hub and bridge to.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
ECE Prof. John A. Copeland fax Office: Klaus 3362.
SCSC 555 Frank Li.  Port scanning  Port-scanning tools  Ping sweeps 2.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
Port Scanning 0x470~0x480 Presenter SangDuk Seo 1.
Sniffing and Spoofing. Spoofing  Fraudulent authentication one machine as another  ARP spoofing  IP spoofing  DNS spoofing  Web spoofing.
TCP : Transmission Control Protocol Computer Network System Sirak Kaewjamnong.
Introduction to Sockstress A TCP Socket Stress Testing Framework Presented at the SEC-T Security Conference Presented by: Jack C. Louis –Senior Security.
Transmission Control Protocol TCP. Transport layer function.
TCP1 Transmission Control Protocol (TCP). TCP2 Outline Transmission Control Protocol.
© Introduction to Internetworking – Alex Kooijman 04/04/2000 Introduction to internetworking Part Two.
Transmission Control Protocol
CSE 461 Section. Let’s learn things first! Joke Later!
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
Lecture 22 Network Security CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Hesham El-Rewini.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 25 November 16, 2004.
Connection Establishment and Termination. Tcpdump tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept.
Slide #1 CIT 380: Securing Computer Systems TCP/IP.
1 Figure 3-13: Internet Protocol (IP) IP Addresses and Security  IP address spoofing: Sending a message with a false IP address (Figure 3-17)  Gives.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
or call for office visit,
© 2002, Cisco Systems, Inc. All rights reserved..
Transport Layer1 TCP Connection Management Recall: TCP sender, receiver establish “connection” before exchanging data segments r initialize TCP variables:
Data Communications and Networks Chapter 6 – IP, UDP and TCP ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
Cisco I Introduction to Networks Semester 1 Chapter 7 JEOPADY.
TCP Handshake NW Analysis Class. What happens in 3-way handshake Client tells server it wants connection Server acknowledges the client’s connection Server.
COMP2322 Lab 6 TCP Steven Lee April 1, TCP Transmission Control Protocol Transport layer protocol User Datagram Protocol (UDP) is another one 2.
Two Transport Protocols Available Transmission Control Protocol (TCP) User Datagram Protocol (UDP) Provides unreliable transfer Requires minimal – Overhead.
Port Scanning James Tate II
COMP2322 Lab 6 TCP Steven Lee Mar 29, 2017.
or call for office visit, or call Kathy Cheek,
Hping2.
or call for office visit,
Transport Layer.
TCP/IP Internetworking
Process-to-Process Delivery
© 2003, Cisco Systems, Inc. All rights reserved.
TCP/IP Internetworking
Introduction to Networking
Figure 3-23: Transmission Control Protocol (TCP) (Study Figure)
TRANSMISSION CONTROL PROTOCOL
Transport Layer 9/22/2019.
TCP Connection Management
Presentation transcript:

TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom

Agenda Background on TCP ip handshakes Background on traditional scanning ID numbers and their prediction Spoofed scanning in theory and practice. The code and examples Demo Q/A

Background on TCP handshakes Definitions Tcp header Traditional 3 way handshake

Definitions An open connection between two computers communicating by TCP/IP is called a socket and is defined by: Source IP number Source Port number Destination IP number Destination Port number Initial source SEQ number Initial destination SEQ number AN ID # that is increased for each packet

TCP packet header 16-bit source port number16-bit destination port number 32-bit sequence number 32-bit acknowledgement number lengthunusedflags16-bit window size 16-bit TCP checksum16-bit urgent offset Options (if any) Data (if any)

Traditional TCP/IP handshake targetattacker syn Src ip,Dst ip Src prt, Dst Prt Syn = in seq# Ack = NULL Flags = S Src ID = src ID + 1

Traditional TCP/IP handshake targetattacker syn Src ip,Dst ip Src prt, Dst Prt Syn = src seq# Ack = NULL Flags = S Syn / Ack Src ip,Dst ip Src prt, Dst Prt Syn = Dst seq# Ack = src seq# +1 Flags = Dst ID = Dst ID + 1

Traditional TCP/IP handshake targetattacker syn Src ip,Dst ip Src prt, Dst Prt Syn = src seq# Ack = dst seq# +1 Flags = A Src ID = src ID + 1 Syn / Ack Ack

Establishing a socket AB SYN (seq a ) SYN/ACK (seq b /ack= seq a +1) ACK (ack= seq b +1)

Traditional port scanning

targetattacker syn Syn / Ack Ack

targetattacker syn Syn / Ack Traditional stealth scanning 1

Traditional stealth scanning 2 targetattacker syn Syn / Ack Rst

Sequence numbers Are in place to provide easy packet reassembly. Increments each time a packet is sent. Various incrementation schemes exist

ID flag  Are in place to identify each tcp session  Is also in some cases used for packet reassembly  The id counter is increased every time a packet is sent  This is valid far all packets including reset packets

ID flag prediction  Most unix boxes increments the ID flag by a random or seudo random number.  Up till today id numbers has not been known to bee security critical.  Windows 95 boxes tend to increment id# by 1  Windows 2000 boxes seems to increment id# by 254  This due to reversed byte ordering of the id# in theese operating systems.

Spoofed scanning in theory By constantly polling a decoy host for id number increments we can se If the scanned target host has sent it syn/ack or reset packets. By analyzing this we will know whether a port on the scanned host is open or not This is done totally blind from the scanned host.

Spoofed scanning in theory Since we know a win box will increase the id# by sending a packet we can by constantly probing the host se how many packets it has sent between our polls This is done my monitoring the ID# increment

Spoofed scanning in theory If a port is open on a scanned host the server will respond with a syn/ack If a port is closed on the scanned host it will respond with a rst

Spoofed scanning in theory If a host receives a syn ack from a unknown source it will send a rst packet back If a host receives a rst packet from a unknown source it will NOT send a packet back

Spooed scanning in practice Or how it all fits together

Introducing our players targetattacker Spoof host

Why do we need three of them targetattacker Spoof host unknowing.com 3vil.org

Phase one (sync the id# of spoof) targetattacker Spoof host unknowing.com 3vil.org Syn:80

Phase one (sync the id# of spoof) targetattacker Spoof host unknowing.com 3vil.org Syn/ack

Why did we do that  Attacker now knows the spoofs initial ID#

Phase2 (spoofing the source) targetattacker Spoof host Syn src = Dst =

Phase 3 (fooling the respons) targetattacker Spoof host Syn/Ack src = Dst =

Phase 3 (fooling the respons) targetattacker Spoof host Rst src == Dst =

Phase 4 (probing the spoof host) targetattacker Spoof host Syn:80

Phase 4 (probing the spoof host) targetattacker Spoof host Syn:80 Syn/ack

Case port open Adding the ID counters

Phase one (sync the id# of spoof) targetattacker unknowing.com 3vil.org Syn:80 Spoof host ID =

Phase one (sync the id# of spoof) targetattacker unknowing.com 3vil.org Syn/ack Spoof host ID =

Phase2 (spoofing the source) targetattacker Spoof host ID = Syn src = Dst =

Phase 3 (fooling the respons) targetattacker Syn/Ack src = Dst = Spoof host ID =

Phase 3 (fooling the respons) targetattacker Rst src == Dst = Spoof host ID =

Phase 4 (probing the spoof host) targetattacker Syn:80 Spoof host ID =

Phase 4 (probing the spoof host) targetattacker Syn:80 Syn/ack Spoof host ID =

Case port closed Adding the ID counters

Phase one (sync the id# of spoof) targetattacker unknowing.com 3vil.org Syn:80 Spoof host ID =

Phase one (sync the id# of spoof) targetattacker unknowing.com 3vil.org Syn/ack Spoof host ID =

Phase2 (spoofing the source) targetattacker Spoof host ID = Syn src = Dst =

Phase 3 (fooling the respons) targetattacker Rst src = Dst = Spoof host ID =

Phase 4 (probing the spoof host) targetattacker Syn:80 Spoof host ID =

Phase 4 (probing the spoof host) targetattacker Syn:80 Syn/ack Spoof host ID =

Summary By constantly polling a decoy host for id number increments we can se If the scanned target host has sent it syn/ack or reset packets. By analysing this we will know whether a port on the scanned host is open or not This is done totally blind from the scanned host.

The basic technique and its flaws If the poll host is active it will increase the id# for each connection. This will result in false possitives. Theese false positives can be minimized by sending multiple packets for each port. Then calculating the increase The port will only show up true if the increase is > (#packets_sent*255)/2

Phase2 (spoofing the source) targetattacker Spoof host ID = (Syn src = Dst = ) * 20

Phase 3 (fooling the respons) targetattacker Syn /Ack src = Dst = Spoof host ID=

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.