
SAK 5514 Examining Embedded Protocol Header Fields


Presentation Transcript


  1. SAK 5514 Examining Embedded Protocol Header Fields

  2. Introduction: TCPdump and TCP. What is TCPdump? • A practical analysis tool for analysing network traffic data. • A UNIX tool used to gather data from the network, decipher the bits, and display the output in a semi-coherent fashion.

  3. TCPdump and TCP, cont… What is TCP (Transmission Control Protocol)? • One of the core protocols of the Internet protocol suite. • A set of rules (protocols) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. • Oversees the exchange of data and knows when there is a possible problem.

  4. TCP Header

  5. Ports (TCP Header Fields). Port numbers are generally allocated by:
  0 -- not used
  1-255 -- reserved ports for well-known services
  256-1023 -- other reserved ports
  1024-65535 -- user-defined server ports

  6. Ports cont… • Port header in detail (field: width in bits):
  Source port, destination port: 16, 16 - identify the applications at the ends of the connection
  Sequence: 32 - indicates the 1st data octet in this segment
  Acknowledgment: 32 - next expected sequence number, valid only when the ACK bit (residing in the flags) is set
  Data offset: 4 - offset in 32-bit words; tells the receiver where user data begins
  Reserved: 6 - not used
  Window: 16 - advertises the amount of buffer space this node has allocated
  Checksum: 16 - 16-bit 1's complement of the pseudo-header, TCP header and data
  Urgent pointer: 16 - byte position of data that should be processed first
  Options - variable-length option, e.g. MSS (max segment size) tells destination node

  7. What does a line convey?
  01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
  Timestamp: 01:46:28.808262
  This is an IP packet: IP
  Source host name: danjo.CS.Berkeley.EDU
  Source port number (22): ssh
  Destination host name: adsl-69-228-230-7.dsl.pltn13.pacbell.net
  Destination port number: 2481
  TCP specific information: . 2513546054:2513547434(1380) ack 1268355216 win 12816

  8. TCP Checksum • Covers the embedded header and the respective data for TCP, UDP, and ICMP. • These are end-to-end checksums calculated by the source. • The TCP checksum has been chosen here to represent the embedded protocol checksums.

  9. Pseudo-header (Figure: TCP checksum pseudo-header fields.)

  10. Why is the pseudo-header necessary? • To validate that IP has: • not accidentally accepted a datagram destined for another host • not accidentally tried to give TCP a datagram that is for another protocol • Some fields from the IP header are included in the pseudo-header checksum computation to help protect against errant corruption that occurs in transit.

  11. How does it work? (Figure: Pseudo-header checksum protection.)

  12. Pseudo-header checksum protection – flow chart (using TCP as the embedded protocol)
  Sending host: destination IP 1.2.3.4 is used in the TCP checksum computation.
  Router: the IP layer somehow corrupts the destination IP to 1.2.3.5. The IP checksum is valid, so the packet continues on its way.
  The packet arrives at the wrong destination, IP 1.2.3.5 (assume it exists). The IP layer validates the IP checksum.
  Transport layer: TCP uses the pseudo-header fields in the checksum validation, with IP 1.2.3.5 as the destination, and this does not match the packet's actual TCP pseudo-header checksum (computed with IP 1.2.3.4 as the destination IP in the pseudo-header).
  Packet discarded. Reason: the embedded protocol checksum does not match the checksum computed by the destination host.
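The flow chart above, worked through as an added Python example (not code from the original presentation): the sender computes the TCP checksum with 1.2.3.4 in the pseudo-header, a router corrupts the destination to 1.2.3.5 and recomputes the IP checksum, so the IP layer at the wrong host accepts the datagram while the TCP pseudo-header check rejects it. The source address 10.0.0.9, the ports and the payload are constructed values.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # Source IP, destination IP, zero byte, protocol number (6 = TCP), TCP segment length
    return struct.pack("!4s4sBBH", IPv4Address(src).packed, IPv4Address(dst).packed, 0, 6, tcp_len)

def build_tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte header (data offset 5), SYN flag set, checksum field zeroed while computing it
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    csum = inet_checksum(tcp_pseudo_header(src, dst, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_ip_header(src: str, dst: str, total_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def ip_checksum_ok(ip_hdr: bytes) -> bool:
    return inet_checksum(ip_hdr) == 0        # a header carrying a correct checksum sums to zero

def tcp_checksum_ok(ip_hdr: bytes, segment: bytes) -> bool:
    # The receiving host rebuilds the pseudo-header from the IP header it actually received
    src, dst = str(IPv4Address(ip_hdr[12:16])), str(IPv4Address(ip_hdr[16:20]))
    return inet_checksum(tcp_pseudo_header(src, dst, len(segment)) + segment) == 0

def simulate_corruption() -> tuple:
    """Replays the slide's scenario: destination 1.2.3.4 corrupted to 1.2.3.5 in transit."""
    src, payload = "10.0.0.9", b"GET / HTTP/1.0\r\n"         # constructed values
    seg = build_tcp_segment(src, "1.2.3.4", 40000, 80, payload)
    good = build_ip_header(src, "1.2.3.4", 20 + len(seg))
    assert ip_checksum_ok(good) and tcp_checksum_ok(good, seg)
    # The router's IP layer corrupts the destination and recomputes the IP checksum, so the
    # IP checksum at 1.2.3.5 is valid, but the TCP pseudo-header no longer matches the segment.
    bad = build_ip_header(src, "1.2.3.5", 20 + len(seg))
    return ip_checksum_ok(bad), tcp_checksum_ok(bad, seg)

if __name__ == "__main__":
    print(simulate_corruption())   # (True, False)
```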

  13. TCP Sequence Numbers
  Type: a mechanism to account for data being sent and received; used to uniquely identify the beginning byte of each TCP segment that is sent.
  Functions: to keep track of all the TCP data that is sent and received in a TCP stream.
  Condition: should not be repeated unless there is a retry of the same connection.
  Important components: initial sequence number (ISN), synchronize sequence numbers (SYN), Nmap.

  14. Acknowledgement Numbers • The method that TCP uses to ensure that data is received. • Acknowledgement flag and acknowledgement number = validation that the receiving host did indeed get the data. • Acknowledgement number = the next expected TCP sequence number it should receive; must be greater than 0.

  15. TCP Flags • Indicate the function of a given TCP connection or session. • There are different valid combinations. • Different OSes and TCP/IP stacks respond differently to mutant flag settings. • E.g. the SYN, FIN, RST, ACK, PUSH and URG flags.

  16. TCP Corruption • It is not necessarily an indication of malicious behavior. • Packets can get corrupted; it is possible for TCP flags to be unnaturally set after some kind of corruption in the TCP portion of the packet. • One way to verify packet corruption is to manually compute the checksum of the received packet on the sensor. • E.g. the specified TCP header length is greater than the actual TCP segment length.

  17. ECN Flag Bits • Explicit Congestion Notification flags. • Different OSes and TCP stacks would respond uniquely when these bits were set. • The two high-order bits of the TCP flag byte were formerly known as the reserved bits.

  18. ECN Flag Bits (Cont’) • E.g. if the ECN-echo bit (high-order bit) is set, TCP reduces the rate at which it is sending data.

  19. Operating System Fingerprinting • Remote OS scans • E.g. Windows 98, Sparky, Linux. • The technique of sending a mutant flag combination to a listening Windows port: the Windows host listens on this port and responds with an acknowledgement. • Difficult to distinguish between malicious code and a TCP stack problem.

  20. Why Retransmissions? • The destination host does not respond because it might not exist. • The destination host might be sitting behind some kind of packet-filtering device that blocks the connection inbound and silently drops it without informing the sending host. • A router attempts to deliver an ICMP message about the destination host being unreachable.

  21. Retransmitting a lost segment

  22. Using Retransmissions Against a Hostile Host — LaBrea Tarpit Version 1 • Written by Tom Liston originally to “slow down worms” • A program that creates a tarpit or, as some have called it, a “sticky honeypot” • LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. • The program answers connection attempts in such a way that the machine at the other end gets "stuck", sometimes for a very long time.

  23. How does it work?
  ARP request for unassigned IP 192.168.143.236:
  18:34:32.757821 arp who-has 192.168.143.236 tell 192.168.143.1
  18:34:35.743528 arp who-has 192.168.143.236 tell 192.168.143.1
  After 3 seconds and no ARP reply, the LaBrea host fakes a reply:
  18:34:35.743591 arp reply 192.168.143.236 (0:0:f:ff:ff:ff) is-at 0:0:f:ff:ff:ff
  • Watches for ARP packets with no replies • Impersonates unused IP addresses by sending forged ARP replies • Responds to ICMP ping requests • Responds to TCP SYN packets with SYN+ACK and a ‘custom’ window size • Responds to TCP SYN+ACK with RST

  24. TCP WINDOW SIZE • The TCP window size is the method employed by a receiving host to inform the sending host of the current buffer size for data sent on that connection. • This is a flow control mechanism, because it is dynamic.

  25. • The window size becomes smaller for all data that has been received but not yet processed by the receiving host. • If the receiving buffer ever becomes full, the window size becomes 0. • After the receiving host has processed some of the data in the buffer, it sends a window size update to the sending host to inform it to resume sending data.

  26. • Flow control for TCP sessions is mostly done by the receiving host by use of the window size. • Initial window sizes are used by nmap to determine the operating system. • Different TCP/IP stacks select different initial window sizes, which is used to help fingerprint the operating system.

  27. LaBrea Version 2 • The new version of LaBrea uses the persist timer to tarpit the attacker for an indefinite amount of time. • It works exactly like the previous version of LaBrea up through the three-way handshake. • LaBrea reacts to the sender's data with an acknowledgement, but with a window size of 0.

  28. • It doesn't increase the window size via a window update, forcing the scanner to send a window probe. • The LaBrea host responds to the window probe, but again advertises the window size as 0. • This pattern of window probe and a response of a window size of 0 continues indefinitely. • This tarpits the attacker into a persistent connection with the LaBrea host if there is no intervention.

  29. UDP • UDP is a much less complicated protocol compared to TCP. • UDP does not make any guarantees that data will be delivered and leaves this function to applications to handle.

  30. PORTS • UDP port fields are two separate 16-bit fields in the UDP header—one for source and another for destination • The valid range of values is between 1 and 65535; the use of port 0 is typically a signature of unusual activity

  31. UDP PORT SCANNING • To connect to a destination host, an ephemeral/short-lived port is typically selected in the range of ports greater than 1023. • UDP doesn't respond to an initial connection with any positive feedback. • But a live host responds with a negative response, ICMP "port unreachable", to a non-listening UDP port.

  32. • This is how scanners determine if the UDP port is listening or not. • This is another, more stealthy, way to scan for live hosts, assuming the site does not block outbound ICMP error messages. • Nmap scans the UDP ports many times to try to deal with the case of dropped packets.

  33. • If one packet is dropped and the network is not under duress or having problems, chances are one of the repeated packets will not be dropped. • And once again, nmap is intelligent enough to know that the lack of any response is more likely an indication of filtering of some sort by the destination site than it is of all UDP ports listening.

  34. UDP LENGTH FIELD • The UDP length is the number of bytes found in the UDP header plus the number of bytes found in the UDP payload. • The minimum value of the UDP length is 8 bytes. • The maximum theoretical byte length of an IP datagram is 65535.

  35. • Given this, and that the IP header is a minimum of 20 bytes long, the theoretical maximum UDP length value is 65515. • The TCP/IP stack of a given operating system, as implemented in the kernel, might limit the length of the UDP datagram.
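The header sanity checks the slides describe (slide 16: TCP header length greater than the segment; slide 30: UDP port 0; slides 34-35: UDP length below 8, above 65515, or disagreeing with the IP length), as an added Python example that is not part of the original presentation. The sample packets, their 10.0.0.x addresses and ports are constructed; IP checksums are left at zero because this check does not look at them.

```python
import struct

IP_MAX_LEN = 65535             # theoretical maximum IPv4 datagram length (slide 34)
UDP_MAX_LEN = IP_MAX_LEN - 20  # 65515: what remains after a minimum 20-byte IP header (slide 35)

def check_embedded_header(packet: bytes) -> list:
    """Sanity-check the TCP or UDP header embedded in one IPv4 packet; returns a list of findings."""
    findings = []
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    segment = packet[ihl:total_len]             # the embedded protocol's header plus its payload
    if proto == 6:                              # TCP
        if len(segment) < 20:
            return findings + ["TCP segment shorter than the 20-byte minimum header"]
        data_offset = (segment[12] >> 4) * 4    # header length in bytes from the 4-bit data offset
        if data_offset > len(segment):
            findings.append(f"TCP header length {data_offset} > segment length {len(segment)} (corruption sign)")
    elif proto == 17:                           # UDP
        sport, dport, udp_len = struct.unpack("!HHH", segment[:6])
        if 0 in (sport, dport):
            findings.append(f"UDP port 0 in use ({sport} -> {dport}): signature of unusual activity")
        if udp_len < 8 or udp_len > UDP_MAX_LEN:
            findings.append(f"UDP length {udp_len} outside the valid range 8..{UDP_MAX_LEN}")
        if udp_len != len(segment):
            findings.append(f"UDP length {udp_len} disagrees with IP payload length {len(segment)}")
    return findings

def ipv4(proto: int, payload: bytes) -> bytes:
    # Constructed IPv4 header (checksum left zero; it is not validated here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

# Constructed sample packets, one per case discussed on the slides
SAMPLES = {
    "udp_ok":         ipv4(17, struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x00" * 4),
    "udp_port0":      ipv4(17, struct.pack("!HHHH", 0, 53, 8, 0)),
    "udp_bad_len":    ipv4(17, struct.pack("!HHHH", 40000, 53, 65535, 0)),
    "tcp_bad_offset": ipv4(6, struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 15 << 4, 0x02, 8192, 0, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, check_embedded_header(pkt) or "ok")
```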

  36. ICMP – Internet Control Message Protocol • Notifies the sender when something goes wrong in the transmission of a packet. • Provided within IP; generates error messages to help the IP layer. • Does not guarantee delivery of the message, so its structure and fields are straightforward.

  37. ICMP Header • Type: the relevant ICMP message • Code: more detailed information • Checksum: covers the ICMP header/data

  38. Type & Code

  39. Identification & Sequence numbers

  40. Ping – ICMP echo request/reply • Ping sends an ICMP echo request to the remote host, which then returns an ICMP echo reply to the sender • All TCP/IP nodes are supposed to implement ICMP and respond to ICMP echo

  41. Ping example
  PING sparky (1.1.1.100) from 1.1.1.5 : 56(84) bytes of data.
  64 bytes from 1.1.1.100: icmp_seq=0 ttl=255 time=0.8 ms
  64 bytes from 1.1.1.100: icmp_seq=1 ttl=255 time=0.9 ms
  64 bytes from 1.1.1.100: icmp_seq=2 ttl=255 time=7.3 ms
  16:33:07.400700 verbo > sparky: icmp: echo request
  4500 0054 038d 0000 4001 bed1 0101 0105 0101 0164 0800 9e12 c402 0000 0391 8439 1d1d 0600 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819
  16:33:07.401479 sparky > verbo: icmp: echo reply (DF)
  4500 0054 7146 4000 ff01 5217 0101 0164 0101 0105 0000 a612 c402 0000 0391 8439 1d1d 0600 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819

  42. Misuse of ICMP Identification and Sequence Numbers • ICMP identifier and sequence number fields are chosen to signal exploit traffic to the receiving host • The DDoS tool known as Stacheldraht: the ICMP identifier value of 667 was used to initiate connections between handler and agent hosts in an ICMP echo reply. The ICMP identifier value of 666 was used to respond from agent to handler with another ICMP echo reply.
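Reading the identifier and sequence fields from slide 41's echo request and applying slide 42's Stacheldraht signature (echo replies with identifier 667 or 666), as an added Python example that is not part of the original presentation. The request bytes are the hex printed on slide 41 (truncated there at the capture's snap length, so checksums are not verified); the echo reply carrying identifier 667 and its 10.x.x.x addresses are constructed.

```python
import struct

# Echo request from slide 41's tcpdump -x output (verbo 1.1.1.5 -> sparky 1.1.1.100), as printed there
SLIDE_ECHO_REQUEST = bytes.fromhex(
    "4500 0054 038d 0000 4001 bed1 0101 0105 0101 0164 0800 9e12 c402 0000 "
    "0391 8439 1d1d 0600 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819")

ECHO_REPLY, ECHO_REQUEST = 0, 8
# Slide 42: Stacheldraht signals over ICMP echo replies using fixed identifier values
STACHELDRAHT_IDS = {667: "handler -> agent", 666: "agent -> handler"}

def parse_icmp(packet: bytes) -> dict:
    """Pull the ICMP type, code, identifier and sequence number out of an IPv4 packet."""
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    ihl = (packet[0] & 0x0F) * 4
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"src": dotted(packet[12:16]), "dst": dotted(packet[16:20]),
            "type": icmp_type, "code": code, "id": ident, "seq": seq}

def classify(packet: bytes) -> str:
    """Flag echo replies whose identifier matches the Stacheldraht handler/agent values."""
    p = parse_icmp(packet)
    if p["type"] == ECHO_REPLY and p["id"] in STACHELDRAHT_IDS:
        return f"stacheldraht {STACHELDRAHT_IDS[p['id']]} ({p['src']} -> {p['dst']})"
    return "normal"

def make_echo(icmp_type: int, ident: int, seq: int, src: bytes, dst: bytes) -> bytes:
    # Constructed IPv4 + ICMP packet for testing; checksums left zero (not verified here)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, src, dst)
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

# Constructed: an echo reply carrying identifier 667, as a handler would send to an agent
CONSTRUCTED_HANDLER_REPLY = make_echo(ECHO_REPLY, 667, 1, bytes([10, 9, 8, 7]), bytes([10, 1, 2, 3]))

if __name__ == "__main__":
    print(parse_icmp(SLIDE_ECHO_REQUEST))
    print(classify(SLIDE_ECHO_REQUEST), classify(CONSTRUCTED_HANDLER_REPLY))
```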

  43. Summary
  • TCP: stateful communication (session, reliable); the busiest of the protocol headers
  • UDP: stateless communication (no session, less reliable, fast); ports can be scanned using nmap
  • ICMP: diagnostic (dangerous?); provides a mechanism for reporting failures
  • Some of the fields can be used for invasion or insertion attacks, as we saw demonstrated with the TCP checksum example.

  44. The End Thank you!
