TCP Sorcery
Post on 15-May-2015
Barry Irwin, Security and Networks Research Group, Department of Computer Science, Rhodes University
TCP SORCERY A TALE OF UNINTENDED HAPPENINGS IN A HIDDEN W0RLD
ABOUT ME
Head up the “Security & Network Research Group” within the Rhodes University CS Department
Interested in: Packet Wrangling, Passive Monitoring, Collaborative Defense, VizSec
Contacts: b.irwin@ru.ac.za @barryirwin
365 DAYS LATER....
Conficker burst on the world...... 21/11/2008
HOW WE GOT HERE
Intro: Network Telescope Research. The quandary: Active vs Passive Traffic
What's the difference? Why care?
The Protocols: ICMP is trivial (well defined in specs). TCP is not too difficult (brute force all combos). UDP is a pain (needs protocol / L7 decodes).
TCP FUNDAMENTAL
Hi, My name is TCP
TCP State Tests: How do we determine what is active vs passive traffic? Write an empirical test.
What's most important is how things respond to combos of the TCP flags. RFC 793 and Stevens don't define all the actions.
Six Flags • URG • ACK • PSH • RST • SYN • FIN
TCP Fuzzing: Flags give us 2^6 combinations == 64 options. The fuzzer iterates through these. Tested against different targets: Linux 2.6 Kernel, FreeBSD 6.4/7.1, Windows Server 2003 + patches, Cisco Switch (IOS 12.x). Both open and closed ports tested.
512 responses recorded using tcpdump: 64 states * 4 targets * two ports (open/closed).
FUZZING RESULTS
What we found… Of the 64 possible responses:
Only 50% were of any interest (across the board). RST flags are no fun: they generate no response. ‘X-mas tree’ packets garner no response either.
Of the remainder: 16 combinations only produce an RST packet (this is what we expect). Responses are the same for open and closed ports. Some flag combos produced different responses.
SINGLE PACKET OS CHECK
So what's your Genus? We have shown it is possible to determine the remote OS family using a single packet probe.
SYN,FIN / SYN,FIN,PSH / SYN,FIN,URG / SYN,FIN,URG,PSH
Give the same distinctive results for open ports:
Linux 2.6: 6 [SYN,ACK] datagrams
FreeBSD: 4 [SYN,ACK] datagrams
Windows 2003: 3 [SYN,ACK] datagrams
Cisco IOS: [SYN,ACK] [RST] datagrams
Closed ports give [RST,ACK]
SINGLE PACKET OS CHECK
Unix Family Differentiation? Linux/FreeBSD can also be differentiated from other IP stack implementations using an additional single packet probe.
No Flags / FIN / URG / PSH / FIN,PSH,URG
Give the same distinctive results for open ports: open ports give no response on FreeBSD/Linux; Windows and IOS both reply with [RST,ACK].
Closed ports give [RST,ACK]
MAKING MISCHIEF
Seen any tiny blue guys around? Using what we have seen we can build a little amplification attack.
Linux and some other target:
Attacker sends a TCP packet with a SYN,FIN variation to a Linux target. The source address is forged to be the victim. TARGET generates 6 datagrams back for every one received. VICTIM receives 6 SYN,ACK packets. VICTIM responds with 6 RST packets.
Values vary with FreeBSD (8x) and Windows (6x). This is a VERY crude attack, mostly useful for noisemaking. Not about to be the next Smurf(ette).
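Added example, not code from the talk: a small Python classifier that buckets each of the 64 flag combinations by the behaviour reported in the fuzzing and single-packet-check slides, plus a defender-side check that scans packet records for the SYN,FIN reflection pattern just described and maps the size of a host's own SYN,ACK burst to the OS table above. It sends nothing; it assumes the ‘X-mas tree’ packet is all six flags lit, generalises the SYN,FIN and no-flags/FIN families to every subset with or without URG/PSH, and the packet records and addresses are constructed.

```python
"""Bucket TCP flag combinations by the behaviour described in the talk and spot the
SYN,FIN reflection pattern in packet records.  Nothing here sends packets."""

# TCP flag bits in RFC 793 header order.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAGS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}
ALL_SIX = 0x3F  # assumption: the talk's "X-mas tree" packet is all six flags lit

def names(bits):
    """Human-readable flag list for one of the 64 combinations."""
    return ",".join(n for n, b in FLAGS.items() if bits & b) or "none"

def classify(bits):
    """Bucket one combination; the two probe families generalise the talk's lists."""
    if bits == ALL_SIX:
        return "xmas-tree"       # no reply from any tested stack
    if bits & RST:
        return "rst-set"         # RST-bearing probes get no reply
    if bits & (SYN | FIN) == SYN | FIN and not bits & ACK:
        return "syn-fin-probe"   # per-OS burst of SYN,ACK on an open port
    if not bits & (SYN | ACK):
        return "null-fin-probe"  # silent on Linux/FreeBSD, [RST,ACK] on Windows/IOS
    return "other"

# SYN,ACK datagrams an open port returns for one SYN,FIN probe (the talk's table);
# Cisco IOS sends a single SYN,ACK followed by a RST.
SYNACK_BURST = {6: "Linux 2.6", 4: "FreeBSD", 3: "Windows 2003", 1: "Cisco IOS"}

def reflection_events(packets, me):
    """Find inbound SYN,FIN probes that `me` answered with a run of SYN,ACK.
    Returns (probe source, burst size, OS family the burst matches); a spoofed
    probe source means `me` is being used as a reflector against that address."""
    events = []
    for i, p in enumerate(packets):
        if p["dst"] != me or classify(p["flags"]) != "syn-fin-probe":
            continue
        burst = 0
        for q in packets[i + 1:]:
            if q["src"] == me and q["dst"] == p["src"] and q["flags"] == SYN | ACK:
                burst += 1
            else:
                break
        if burst:
            events.append((p["src"], burst, SYNACK_BURST.get(burst, "unknown")))
    return events

# Constructed records: one spoofed SYN,FIN probe reaches 10.0.0.5 (a Linux-like
# host), which replies six times; the spoofed victim answers with a RST.
SAMPLE = ([{"src": "192.0.2.9", "dst": "10.0.0.5", "flags": SYN | FIN}]
          + [{"src": "10.0.0.5", "dst": "192.0.2.9", "flags": SYN | ACK}] * 6
          + [{"src": "192.0.2.9", "dst": "10.0.0.5", "flags": RST}])

if __name__ == "__main__":
    for src, burst, family in reflection_events(SAMPLE, "10.0.0.5"):
        print(f"probe from {src}: {burst}x SYN,ACK reflected -> looks like {family}")
```

On a real capture the same walk over (src, dst, flags) tuples from tcpdump output will show a host's own SYN,ACK bursts towards addresses that never opened a connection.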
MAKING MISCHIEF
No way did I scan that host. What we have seen is that certain flag combinations can elicit an active response from a target, which in turn can activate yet another (although passive) response.
Given access to a network choke point, switch, shared media etc., one can coerce a target into scanning a 3rd party with some level of success.
Possible uses are: shifting blame, IDS evasion, exploiting ‘allow friends’ firewall rules.
CONCLUSION
So what? NMAP has been fingerprinting for a while: active, multi-packet probe; more accurate, but noisy.
Sideband/reflective scanning can be of use: covert ops, reflectively scanning your own network.
Obfuscation/noise generation: 12x traffic multiplier. It's a packet-count smokescreen; small probability of this being realised as bandwidth consumption.
QUESTIONS?
Contacts: b.irwin@ru.ac.za @barryirwin