Fun with TCP Packets
ZACON 2009
Andrew MacPherson
TCP/IP Packet Fun – ZAcon 2009
• 31337 h4><z0r
• Mastermind
• Evil Genius
• Hippy
• Coder
• Degree in Information Science
• Tech Support -> Webdev -> Paterva
• @Paterva: work on Maltego related stuff (local/server transforms); built the Mesh (Firefox plugin)
• Interesting because: old stuff, still applicable
• Not new, just scattered:
  ○ Portscanners: scanrand, Unicornscan
  ○ DoS: Slowloris

• Scapy: packet crafting tool, used here as both sender and listener
• TCP handshake: SYN / SYN-ACK / ACK
• Portscan: we send a SYN and look at what comes back
  ○ Filtered (no response)
  ○ Open (got back a SYN/ACK)
  ○ Closed (RST)

• We can send packets really fast
• A TCP SYN packet is ~54 bytes on the wire (14 Ethernet + 20 IP + 20 TCP) = 432 bits
• 4 Mbit/s (4194304 bits) can send ~9.7K SYN packets per second (in theory)
• We can monitor responses as per the previous slide
• Means we can scan 65k ports in around 6 seconds
• Packet loss: so we want to put in some delays
• RST packets getting in the way: firewall them! (Our own kernel has no socket for a hand-crafted SYN, so it answers every SYN/ACK with a RST and tears down the connection we want to watch; drop outbound RSTs from the scanning port.)

• Unicornscan, scanrand, etc. already work this way

• Traceroute: send out all TTLs at once (no waiting for each hop)
• Know when to stop?
• Tracing to multiple hosts at once: put the hop count in the payload so each reply can be matched back to its probe
• Why is it cool to traceroute to blocks?
  ○ See routing (is the entire block in the same place?)
  ○ Load balancing (trace 3 times and compare)
  ○ Geolocation

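The SYN-scan and traceroute slides above, carried through in code. This is an added example, not the talk's own Scapy scripts: it hand-builds the 40-byte IP+TCP SYN a raw scanner sends (54 bytes once the NIC adds Ethernet framing), classifies the reply the way the portscan slide does, and sends every TTL at once with the hop count repeated in the TCP sequence number. The seq number rather than the payload is used on purpose: an ICMP Time Exceeded quotes only the offending IP header plus the next 8 bytes (RFC 792), which for TCP is ports and seq, so anything further into the packet is not echoed back. A SYN/ACK or RST from the target itself acks seq+1, which also identifies the probe and tells us when to stop. All addresses are RFC 5737 documentation ranges and every reply is constructed locally; nothing is put on the wire, and the helper names are mine.

```python
"""Hand-built SYN probes, reply classification and all-TTLs-at-once tracing.

Added example (not the talk's code). Replies are constructed in-script;
nothing is sent. Addresses are RFC 5737 documentation ranges.
"""
import socket
import struct

ETH_FRAMING = 14                      # added by the NIC: 14 + 20 + 20 = 54 bytes on the wire
SYN, RST, ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when run over a correctly checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """20-byte IPv4 header (no options) with checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(src, dst, sport, dport, flags, seq=0, ack=0, ttl=64, ident=0):
    """IP + 20-byte TCP header, no options, no payload (the scanner's SYN)."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(seg)))
    seg = seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]
    return ipv4(src, dst, socket.IPPROTO_TCP, seg, ttl, ident)


def icmp_error(router, us, offending, icmp_type=11, code=0):
    """Router's ICMP error (11 = Time Exceeded, 3 = Unreachable) quoting the
    offending IP header plus the next 8 bytes, as RFC 792 specifies."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4(router, us, socket.IPPROTO_ICMP, body, ttl=255)


def syn_rate(link_bits_per_s, wire_bytes=ETH_FRAMING + 40):
    """Theoretical SYNs per second: 4 Mbit/s at 54 bytes per frame is 9709."""
    return link_bits_per_s // (wire_bytes * 8)


def classify(reply):
    """Port state from the reply to one SYN (None means nothing came back)."""
    if reply is None:
        return "filtered"
    ihl = (reply[0] & 0x0F) * 4
    if reply[9] == socket.IPPROTO_ICMP:
        return "filtered"                 # unreachable/prohibited from a filter in the path
    if reply[9] == socket.IPPROTO_TCP:
        flags = reply[ihl + 13]
        if flags & SYN and flags & ACK:
            return "open"
        if flags & RST:
            return "closed"
    return "unknown"


def trace_probes(src, dst, dport, max_ttl):
    """Every TTL in one burst; the TTL is repeated in seq (and IP ID) so replies
    for several targets in flight still map back to their hop."""
    return [tcp(src, dst, 40000 + t, dport, SYN, seq=t, ttl=t, ident=t)
            for t in range(1, max_ttl + 1)]


def hop_from_reply(reply):
    """(sender, hop, reached). Time Exceeded: hop is the quoted seq. SYN/ACK or
    RST from the target: it acks seq+1, so hop = ack-1 and the trace can stop."""
    ihl = (reply[0] & 0x0F) * 4
    sender = socket.inet_ntoa(reply[12:16])
    if reply[9] == socket.IPPROTO_ICMP and reply[ihl] == 11:
        inner = reply[ihl + 8:]
        off = (inner[0] & 0x0F) * 4 + 4   # quoted TCP: sport, dport, then seq
        return sender, struct.unpack("!I", inner[off:off + 4])[0], False
    if reply[9] == socket.IPPROTO_TCP:
        return sender, struct.unpack("!I", reply[ihl + 8:ihl + 12])[0] - 1, True
    return sender, None, False


def assemble_path(replies):
    """Routers ordered by hop, cut at the lowest TTL that reached the target."""
    path, end = {}, None
    for r in replies:
        sender, hop, reached = hop_from_reply(r)
        if hop is None:
            continue
        if reached:
            end = hop if end is None else min(end, hop)
        else:
            path[hop] = sender
    return {h: s for h, s in sorted(path.items()) if end is None or h < end}, end


US, TARGET = "192.0.2.10", "198.51.100.7"


def sample_trace():
    """Constructed replies to a 6-TTL burst: routers expire probes 1 and 2,
    probes 3..6 all reach the target, which answers each with a SYN/ACK."""
    probes = trace_probes(US, TARGET, 80, 6)
    replies = [icmp_error("203.0.113.1", US, probes[0]),
               icmp_error("203.0.113.2", US, probes[1])]
    for t in range(3, 7):
        replies.append(tcp(TARGET, US, 80, 40000 + t, SYN | ACK, seq=0x1234, ack=t + 1))
    return assemble_path(replies)


if __name__ == "__main__":
    print(syn_rate(4 * 1024 * 1024), "SYN/s at 4 Mbit/s")
    print(sample_trace())
```

To send these for real you would write the bytes to a raw socket (root required) and sniff the replies with a second socket or pcap handle, with the local firewall dropping the RSTs your kernel would otherwise emit, exactly as the speed slide warns.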
• Single port, full connection: ACK the SYN/ACK, complete the handshake
• Target has a stack full of connections; we have... nothing?
• Different from a SYN flood: we can't spoof our IP address (we have to see the SYN/ACK to ACK it)
• ~400 packets for Apache
• Welcome to DoS

• Full connections get torn down: we need to convince the stack we are still speaking to it. Drip, drip, drip.
• Use apps that run on the protocols:
  ○ SMTP (the DATA segment of a mail)
  ○ HTTP (POST with Content-Length: 99999?) - Slowloris
  ○ FTP (PUT)
  ○ Others? Anything we can send data to
• Means we need to track seq + ack numbers ourselves

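The two DoS slides above, as an added simulation that is not the talk's code. It models both points at once: a raw-packet client has no kernel socket, so `RawClient` keeps its own snd/rcv sequence numbers through the handshake and every dripped segment, and a toy `SlowServer` assigns one worker per completed handshake and resets any connection that stays quiet longer than its read timeout. Dripping one header line at a time, slower than the request is ever completed but faster than the timeout, keeps every worker tied up for the whole run; sending slower than the timeout gets the connections reset. The server is a model of the behaviour described on the slides (worker pool, read timeout), not Apache or any real daemon, and all names, timings and the `random.seed` are my choices.

```python
"""Full-handshake hold plus slow drip, with seq/ack tracked by hand.

Added simulation (not the talk's code). Toy server, toy timings; nothing is
sent on the wire.
"""
import random
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    ack: int
    flags: str                    # "S", "SA", "A", "PA", "R"
    data: bytes = b""


class RawClient:
    """Per-connection state a raw sender must track because the kernel won't."""

    def __init__(self, isn):
        self.snd_nxt = isn        # next sequence number we will use
        self.rcv_nxt = None       # next byte we expect; known after SYN/ACK
        self.state = "CLOSED"

    def syn(self):
        seg = Segment(self.snd_nxt, 0, "S")
        self.snd_nxt += 1         # a SYN occupies one sequence number
        self.state = "SYN_SENT"
        return seg

    def on_synack(self, seg):
        if self.state != "SYN_SENT" or seg.flags != "SA" or seg.ack != self.snd_nxt:
            raise ValueError("SYN/ACK does not match our SYN")
        self.rcv_nxt = seg.seq + 1
        self.state = "ESTABLISHED"
        return Segment(self.snd_nxt, self.rcv_nxt, "A")   # third packet: full connection, no local state

    def send(self, data):
        seg = Segment(self.snd_nxt, self.rcv_nxt, "PA", data)
        self.snd_nxt += len(data)                          # advance only by payload bytes
        return seg

    def on_segment(self, seg):
        if seg.flags == "R":
            self.state = "CLOSED"
        elif seg.seq == self.rcv_nxt:
            self.rcv_nxt += len(seg.data)                  # server data must be acked in our next segment


class SlowServer:
    """Toy front end: one worker per established connection, reset when idle."""

    def __init__(self, workers, read_timeout):
        self.free, self.read_timeout = workers, read_timeout
        self.half, self.conns = {}, {}        # port -> (snd_nxt, rcv_nxt) / [rcv_nxt, snd_nxt, last_seen, buf]
        self.resets = self.dropped = 0

    def on_syn(self, port, seg):
        isn = random.getrandbits(32)
        self.half[port] = (isn + 1, seg.seq + 1)
        return Segment(isn, seg.seq + 1, "SA")

    def on_ack(self, now, port, seg):
        snd_nxt, rcv_nxt = self.half.pop(port)
        if seg.ack != snd_nxt or seg.seq != rcv_nxt:
            return False
        if self.free == 0:                    # worker pool exhausted: later handshakes get nothing
            self.dropped += 1
            return False
        self.free -= 1
        self.conns[port] = [rcv_nxt, snd_nxt, now, b""]
        return True

    def on_data(self, now, port, seg):
        c = self.conns.get(port)
        if c is None or seg.seq != c[0]:
            return None
        c[0] += len(seg.data); c[2] = now; c[3] += seg.data
        if b"\r\n\r\n" in c[3]:               # a complete request frees the worker; the drip never sends it
            del self.conns[port]; self.free += 1
        return Segment(c[1], c[0], "A")

    def tick(self, now):
        for port, c in list(self.conns.items()):
            if now - c[2] > self.read_timeout:
                del self.conns[port]; self.free += 1; self.resets += 1
                yield port, Segment(c[1], c[0], "R")


def drip(seconds, interval, read_timeout, workers, clients):
    """Open `clients` connections and send one header line every `interval`
    seconds, never the blank line; report what the server holds at the end."""
    random.seed(7)                            # repeatable constructed run
    server, live = SlowServer(workers, read_timeout), {}
    for port in range(50000, 50000 + clients):
        cl = RawClient(random.getrandbits(32))
        if server.on_ack(0, port, cl.on_synack(server.on_syn(port, cl.syn()))):
            live[port] = cl
    for now in range(seconds + 1):
        for port, rst in server.tick(now):
            live[port].on_segment(rst)
        if now % interval:
            continue
        for port, cl in live.items():
            if cl.state != "ESTABLISHED":
                continue
            line = b"POST /up HTTP/1.1\r\nContent-Length: 99999\r\n" if now == 0 else b"X-a: %d\r\n" % now
            ack = server.on_data(now, port, cl.send(line))
            if ack:
                cl.on_segment(ack)
    consistent = all(server.conns[p][0] == cl.snd_nxt for p, cl in live.items() if p in server.conns)
    return {"busy": workers - server.free, "resets": server.resets,
            "dropped": server.dropped, "consistent": consistent}


if __name__ == "__main__":
    print(drip(seconds=60, interval=5, read_timeout=10, workers=4, clients=4))
```

The `consistent` flag is the seq/ack bookkeeping check: after the run, the server's next expected byte on every surviving connection equals the client's own `snd_nxt`, which is what a raw sender has to get right on every segment or the stack discards it.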
• !!WARNING!! South African space: transparent proxies :O :O :O (a transparent proxy answers your port-80 SYNs itself, so what you measure is the proxy, not the target)
• Defences: firewalls in front of applications, limit connections per client, limit time per request

• The tech is NOT new; it's scattered, but still applicable
• Why is there not more of this going on? Botnets, online protests, competition
• Go further: packets = network = what others see. Smokescreen networks?