1 / 51

TRUE Blind ip spoofed portscanning

TRUE Blind ip spoofed portscanning. Thomas Olofsson C.T.O Defcom . Agenda. Background on TCP ip handshakes Background on traditional scanning ID numbers and their prediction Spoofed scanning in theory and practice. The code and examples Demo Q/A. Background on TCP handshakes.

dara
Download Presentation

TRUE Blind ip spoofed portscanning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom

  2. Agenda • Background on TCP ip handshakes • Background on traditional scanning • ID numbers and their prediction • Spoofed scanning in theory and practice. • The code and examples • Demo • Q/A

  3. Background on TCP handshakes • Definitions • Tcp header • Traditional 3 way handshake

  4. Definitions • An open connection between two computers communicating by TCP/IP is called a socket and is defined by: • Source IP number • Source Port number • Destination IP number • Destination Port number • Initial source SEQ number • Initial destination SEQ number • AN ID # that is increased for each packet 2.6.1.1

  5. TCP packet header 16-bit source port number 16-bit destination port number 32-bit sequence number 32-bit acknowledgement number length unused flags 16-bit window size 16-bit TCP checksum 16-bit urgent offset Options (if any) Data (if any)

  6. Traditional TCP/IP handshake Src ip,Dst ip Src prt, Dst Prt Syn = in seq# Ack = NULL Flags = S Src ID = src ID + 1 syn attacker target

  7. Traditional TCP/IP handshake Src ip,Dst ip Src prt, Dst Prt Syn = src seq# Ack = NULL Flags = S Src ip,Dst ip Src prt, Dst Prt Syn = Dst seq# Ack = src seq# +1 Flags = Dst ID = Dst ID + 1 syn Syn / Ack attacker target

  8. Traditional TCP/IP handshake syn Src ip,Dst ip Src prt, Dst Prt Syn = src seq# Ack = dst seq# +1 Flags = A Src ID = src ID + 1 Syn / Ack Ack attacker target

  9. Establishinga socket A B SYN (seqa) SYN/ACK (seqb/ack= seqa+1) ACK (ack= seqb+1)

  10. Traditional port scanning

  11. Traditional port scanning syn Syn / Ack Ack attacker target

  12. Traditional stealth scanning 1 syn Syn / Ack attacker target

  13. Traditional stealth scanning 2 syn Syn / Ack Rst attacker target

  14. Sequence numbers Are in place to provide easy packet reassembly. Increments each time a packet is sent. Various incrementation schemes exist

  15. ID flag • Are in place to identify each tcp session • Is also in some cases used for packet reassembly • The id counter is increased every time a packet is sent • This is valid far all packets including reset packets

  16. ID flag prediction • Most unix boxes increments the ID flag by a random or seudo random number. • Up till today id numbers has not been known to bee security critical. • Windows 95 boxes tend to increment id# by 1 • Windows 2000 boxes seems to increment id# by 254 • This due to reversed byte ordering of the id# in theese operating systems.

  17. Spoofed scanning in theory • By constantly polling a decoy host for id number increments we can se If the scanned target host has sent it syn/ack or reset packets. • By analyzing this we will know whether a port on the scanned host is open or not • This is done totally blind from the scanned host.

  18. Spoofed scanning in theory • Since we know a win box will increase the id# by sending a packet we can by constantly probing the host se how many packets it has sent between our polls • This is done my monitoring the ID# increment

  19. Spoofed scanning in theory • If a port is open on a scanned host the server will respond with a syn/ack • If a port is closed on the scanned host it will respond with a rst

  20. Spoofed scanning in theory If a host receives a syn ack from a unknown source it will send a rst packet back If a host receives a rst packet from a unknown source it will NOT send a packet back

  21. Spooed scanning in practice Or how it all fits together

  22. Introducing our players Spoof host 172.0.0.1 attacker target 10.0.0.1 192.0.0.1

  23. Why do we need three of them Spoof host www.anycompany.com:80 attacker target unknowing.com 3vil.org

  24. Phase one (sync the id# of spoof) Spoof host www.anycompany.com:80 Syn:80 attacker target unknowing.com 3vil.org

  25. Phase one (sync the id# of spoof) Spoof host www.anycompany.com:80 Syn/ack attacker target unknowing.com 3vil.org

  26. Why did we do that • Attacker now knows the spoofs initial ID#

  27. Phase2 (spoofing the source) Spoof host 172.0.0.1 Syn src = 172.0.0.1 Dst = 192.0.0.1 attacker target 10.0.0.1 192.0.0.1

  28. Phase 3 (fooling the respons) Spoof host 172.0.0.1 Syn/Ack src = 192.0.0.1 Dst = 172.0.0.1 attacker target 10.0.0.1 192.0.0.1

  29. Phase 3 (fooling the respons) Spoof host 172.0.0.1 Rst src == 172.0.0.1 Dst = 192.0.0.1 attacker target 10.0.0.1 192.0.0.1

  30. Phase 4 (probing the spoof host) Spoof host 172.0.0.1 Syn:80 attacker target 10.0.0.1 192.0.0.1

  31. Phase 4 (probing the spoof host) Spoof host 172.0.0.1 Syn:80 Syn/ack attacker target 10.0.0.1 192.0.0.1

  32. Case port open Adding the ID counters

  33. Phase one (sync the id# of spoof) Spoof host ID =0 172.0.0.1 Syn:80 attacker target unknowing.com 3vil.org

  34. Phase one (sync the id# of spoof) Spoof host ID =1 172.0.0.1 Syn/ack attacker target unknowing.com 3vil.org

  35. Phase2 (spoofing the source) Spoof host ID =1 172.0.0.1 Syn src = 172.0.0.1 Dst = 192.0.0.1 attacker target 10.0.0.1 192.0.0.1

  36. Phase 3 (fooling the respons) Spoof host ID =1 172.0.0.1 Syn/Ack src = 192.0.0.1 Dst = 172.0.0.1 attacker target 10.0.0.1 192.0.0.1

  37. Phase 3 (fooling the respons) Spoof host ID =2 172.0.0.1 Rst src == 172.0.0.1 Dst = 192.0.0.1 attacker target 10.0.0.1 192.0.0.1

  38. Phase 4 (probing the spoof host) Spoof host ID =2 172.0.0.1 Syn:80 attacker target 10.0.0.1 192.0.0.1

  39. Phase 4 (probing the spoof host) Spoof host ID =3 172.0.0.1 Syn:80 Syn/ack attacker target 10.0.0.1 192.0.0.1

  40. Case port closed Adding the ID counters

  41. Phase one (sync the id# of spoof) Spoof host ID =0 172.0.0.1 Syn:80 attacker target unknowing.com 3vil.org

  42. Phase one (sync the id# of spoof) Spoof host ID =1 172.0.0.1 Syn/ack attacker target unknowing.com 3vil.org

  43. Phase2 (spoofing the source) Spoof host ID =1 172.0.0.1 Syn src = 172.0.0.1 Dst = 192.0.0.1 attacker target 10.0.0.1 192.0.0.1

  44. Phase 3 (fooling the respons) Spoof host ID =1 172.0.0.1 Rst src = 192.0.0.1 Dst = 172.0.0.1 attacker target 10.0.0.1 192.0.0.1

  45. Phase 4 (probing the spoof host) Spoof host ID =1 172.0.0.1 Syn:80 attacker target 10.0.0.1 192.0.0.1

  46. Phase 4 (probing the spoof host) Spoof host ID =2 172.0.0.1 Syn:80 Syn/ack attacker target 10.0.0.1 192.0.0.1

  47. Summary • By constantly polling a decoy host for id number increments we can se If the scanned target host has sent it syn/ack or reset packets. • By analysing this we will know whether a port on the scanned host is open or not • This is done totally blind from the scanned host.

  48. The basic technique and its flaws • If the poll host is active it will increase the id# for each connection. • This will result in false possitives. • Theese false positives can be minimized by sending multiple packets for each port. • Then calculating the increase • The port will only show up true if the increase is > (#packets_sent*255)/2

  49. Phase2 (spoofing the source) Spoof host ID =1 172.0.0.1 (Syn src = 172.0.0.1 Dst = 192.0.0.1) * 20 attacker target 10.0.0.1 192.0.0.1

  50. Phase 3 (fooling the respons) Spoof host ID=1+20 172.0.0.1 Syn /Ack src = 192.0.0.1 Dst = 172.0.0.1 attacker target 10.0.0.1 192.0.0.1

More Related