Download presentation
Presentation is loading. Please wait.
Published byJemimah Barnett Modified over 9 years ago
1
Port Scanning 0x470~0x480 Presenter SangDuk Seo 1
2
Motivation 2
3
3 192.168.11.12 / 24 Network Address = ZIP- CODE Host Address = Office Address What is Port ?
4
Motivation 4 Port = Windows 192.168.11.12 :80 / 24 THIS IS PORT Scanning
5
What is Port Scanning? 5 Way of figuring out which ports are listening and accepting connections. Port scanning can find vulnerabilities in Server NMAP – Most popular open source port-scanning tools. nmap [-main option] [-sub option] [main option] sT – Full connection sS – Syn half sA – Ack Scan sI- Idle Scan D – Decoy Scan sU – UDP Scan sN – NULL Scan sX – Xmas Scan sF – FIN Scan d –show detail [sub option] sV - Identify Port application O – Identify OS oA - Save result p - Select Target [result] Open Filtered – cannot access port (firewall) Closed
6
Full Connection Scanning 6 Trying to open TCP connections to every possible port on the target system – Effective but noisy and detectable Attacke r Victim Open on target Attacke r Victim Closed on target
7
Full Connection Scanning 7 Nmap -sT 192.168.42.72
8
Stealth SYN Scan 8 Half- Open Scan - It doesn’t actually open a full TCP connection. RST packet is sent to tear down the connection to prevent the service from accidentally being DoSed. Attacke r Victim Open on target RST Attacke r Victim Closed on target
9
Stealth SYN Scan 9 Nmap -sS
10
FIN, X-mas, NULL Scan 10 These all involve sending a nonsensical packet to every port on the target system. If the port is closed and the implementation follows protocol (RFC 793), an RST packet will be sent Attacke r Victim Open on target Attacke r Victim Closed on target Nothing
11
FIN, X-mas, NULL Scan 11 Nmap –sF Nmap –sX Nmap -sN Failed
12
FIN, X-mas, NULL Scan add on -d Option 12 Failed
13
Spoofing Decoys 13 Spoofs connections from various decoy IP addresses in between each real port-scanning connection Spoofed decoy addresses must use real IP addresses of live hosts - the target may be accidentally SYN flooded.
14
Spoofing Decoys 14 Nmap –D
15
Idle Scanning 15 Scan a target using spoofed packets from an idle host, by observing changes in the idle host Find a usable idle host that is not sending or receiving any other network traffic TCP implementation that produces predictable IP IDs that change by a known increment with each packet. IP IDs are meant to be unique per packet per session, and they are commonly incremented by 1 or 254 (depending on byte ordering) on Windows 95 and 2000 Recent Linux kernel, OpenBSD, and Windows Vista using randomize the IP ID -> It didn’t Work NOW
16
Idle Scanning 16 1.Get the current IP ID 2.Identify the increment of IP ID 3.Send a spoofed SYN packet with the idle host’s IP address to a port on the target machine ID = ID+1 if the idle host isn't truly idle, the results will be skewed
17
Idle Scanning 17 Nmap -sI
18
Proactive Defense (Shroud) – Close Port 18 Close Ports what we don’t use fuser -n tcp [port], kill -9 [pid] iptables -A INPUT -p udp --dport 1234 -j DROP
19
Proactive Defense (Shroud) – NO RST 19 FIN, Null, and X-mas scans can be prevented by a simple kernel modification If the kernel never sends reset packets, these scans will turn up nothing Return; YOU HAVE TO recompile kernel
20
Proactive Defense (Shroud) – NO RST 20 Attacke r Victim Open on target Attacke r Victim Closed on target Nothing
21
Proactive Defense (Shroud) 21
22
Proactive Defense (Shroud) – Full & Half Scan 22 Make sea of false positives. –Attacker can’t find what port is really open. Source -> Pretend to Destination Destination -> Return to Source Pretend all Ports are OPEN
23
Proactive Defense (Shroud) – Full & Half Scan 23 Make sea of false positives.
24
Proactive Defense (Shroud) 24 Sometimes it did not work.. http://www.certcc.or.kr/tools/Psionic_Portsentry.html
25
Reach Out and Hack Someone 25 There is no code to limit the length. Ref) http://maj3sty.tistory.com/1026http://maj3sty.tistory.com/1026
26
Analysis with GDB 26 Compile with –g option to debug Run and find tinyweb’s PID Use GDB and Attach to the process after it’s already running
27
Why Doing like that? 27 Tinyweb requires root privileges, so the debugger must be run as root (Application that using 1~1024 port requires root privileges) Using sudo or running with root’s environment will change the stack The addresses seen in the debugger’s run of the binary won’t match the addresses when it’s running normally Sudo gdb./tinyweb Grep Pid
28
Analysis with GDB 28 Break We know this function has Vulnerability
29
Analysis with GDB 29 Breaking We will insert shell code there Let’s Find that Return Address
30
Analysis with GDB 30 0 Return = 0xbfff7b(4 + 8) = c Request’s Buffer Space = 540byte +200 for Avoid Buffer Start Point 0xbffff668 is return Address
31
Almost Only Counts with Hand Grenades 31 Change RetADDR Vim./tinyweb_exploit.c
32
Almost Only Counts with Hand Grenades 32 Attacker’s Terminal NOP sled Shell Code Victim’s Terminal We aren’t at the console, So this won’t do us any good!
33
Port-Binding Shellcode 33 Count Words Cut Address Add “/x “ and delete null Space Shell code for Binding 31337 Port
34
Port-Binding Shellcode 34 works like that cat program but over the network
35
Port-Binding Shellcode 35 Count words NOP Sled Rest / Return ADDR Size
36
Port-Binding Shellcode
37
QnA 37
38
38
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.