2. • Degree in Information Science
• Tech Support -> Webdev -> Paterva
• @Paterva:
• Work on Maltego related stuff (local/server) transforms
• Built the Mesh (firefox plugin)
• Labels scattered around the slide: 31337 h4><z0r, Mastermind, Evil Genius, Hippy, Coder
• Interesting Because:
• Old stuff
• Still Applicable
• Not new – just scattered
• Portscanners
• Scanrand, Unicorn
• DOS
• Slowloris
TCP/IP Packet Fun – ZAcon 2009
3. • Scapy
• Packet crafting tool
• Sender
• Listener
• TCP Handshake
• Syn/SynAck/Ack
• Portscan
• We send a SYN
• Filtered (no response)
• Open (got back SynAck)
• Closed (RST)
4. We can send packets really fast
A SYN TCP packet is ~54 bytes = 432 bits
4 Mbit/s (4194304 bits) can send 9.7K SYN packets per second (in theory)
We can monitor responses as per the previous slide
Means we can scan 65k ports in around 6s
Packet loss – so we want to put in some delays
RST packets getting in the way
Firewall 'em!
5. Unicorn, like scanrand, etc.
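Seen from the monitored host, the sweep on slides 3 and 4 looks like one source sending bare SYNs to hundreds of distinct ports in a fraction of a second and never ACKing the SYN/ACKs it gets back. The detector below is an added example written for this page, not code from the talk or from Scapy, Scanrand or Unicornscan. The `Pkt` record type and the `SAMPLE` capture are constructed for the example; the flag letters follow Scapy's notation ("S", "SA", "A", "PA", "R").

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One inbound TCP packet as a sensor might log it (constructed record type)."""
    t: float      # seconds since capture start
    src: str      # client address
    dport: int    # destination port on the monitored host
    flags: str    # TCP flag letters in Scapy's notation: "S", "SA", "A", "PA", "R"


# Constructed sample capture. 10.0.0.9 sends bare SYNs to 300 ports in 0.3 s and never
# ACKs any SYN/ACK (the sweep from slide 4); 10.0.0.7 completes a normal handshake and
# then sends data on port 80.
SAMPLE = (
    [Pkt(0.001 * i, "10.0.0.9", 1 + i, "S") for i in range(300)]
    + [Pkt(0.50, "10.0.0.7", 80, "S"),
       Pkt(0.51, "10.0.0.7", 80, "A"),
       Pkt(0.52, "10.0.0.7", 80, "PA")]
)


def detect_syn_sweeps(packets, window=1.0, min_ports=50):
    """Return {src: distinct ports} for sources whose half-open SYNs (a SYN with no
    later ACK from the same source to that port) reach min_ports distinct ports
    inside any sliding window of `window` seconds."""
    syns = defaultdict(list)
    acked = defaultdict(set)
    for p in packets:
        if p.flags == "S":
            syns[p.src].append((p.t, p.dport))
        elif "A" in p.flags:
            acked[p.src].add(p.dport)

    alerts = {}
    for src, events in syns.items():
        # Keep only SYNs to ports this source never followed up with an ACK.
        events = sorted((t, port) for t, port in events if port not in acked[src])
        in_window = Counter()   # port -> number of SYNs currently inside the window
        left = 0
        best = 0
        for t, port in events:
            in_window[port] += 1
            # Slide packets older than `window` out of the left edge.
            while t - events[left][0] > window:
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(detect_syn_sweeps(SAMPLE))   # {'10.0.0.9': 300}
```

The thresholds are the tuning knobs: a scanner that adds the delays slide 4 mentions spreads its SYNs over a longer window, so a sensor that only looks at one-second windows trades sensitivity for fewer false positives on busy clients.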
6. Traceroute
Sending out all TTLs at once (no wait)
Know when to stop?
Tracing to multiple hosts at once
Put the hopcount in the payload
Why is it cool to traceroute to blocks?
See routing protocols (is the entire block not all in the same place?)
Load balancing (3 times)
Geo Location
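When every TTL goes out at once and the hop count rides in the probe payload, the replies come back in any order and the quoted payload, not the arrival order, says where each router sits. The code below is an added example for this page, not the speaker's tool: it reconstructs paths from a constructed set of replies, stops a path at the first reply from the target itself, flags hops where repeated probes met different routers (the slide's "load balancing, 3 times"), and reports where the paths to two addresses in the same block diverge. The `REPLIES` tuples and their addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed replies to a parallel traceroute in which every TTL was sent at once and
# each probe carried its hop count in the payload, so the quoted payload in the ICMP
# reply tells us which hop the responder sits at. Tuple: (responder, probed dst, hop, kind).
# kind "exceeded" = ICMP time-exceeded from a router, "reached" = reply from the target.
REPLIES = [
    ("192.0.2.5", "198.51.100.10", 2, "exceeded"),     # arrives before hop 1's replies
    ("192.0.2.1", "198.51.100.10", 1, "exceeded"),
    ("192.0.2.1", "198.51.100.10", 1, "exceeded"),
    ("192.0.2.6", "198.51.100.10", 2, "exceeded"),
    ("192.0.2.1", "198.51.100.10", 1, "exceeded"),
    ("192.0.2.5", "198.51.100.10", 2, "exceeded"),
    ("198.51.100.10", "198.51.100.10", 4, "reached"),  # TTLs past the target also get answered
    ("198.51.100.10", "198.51.100.10", 3, "reached"),
    ("192.0.2.1", "198.51.100.20", 1, "exceeded"),
    ("192.0.2.9", "198.51.100.20", 2, "exceeded"),
    ("198.51.100.20", "198.51.100.20", 3, "reached"),
]


def build_paths(replies):
    """Return {dst: [responders at hop 1, responders at hop 2, ...]}.
    The hop count recovered from the payload places each reply; the path stops at
    the lowest hop at which the destination itself answered ("know when to stop")."""
    routers = defaultdict(lambda: defaultdict(set))
    reached = {}
    for responder, dst, hop, kind in replies:
        if kind == "reached":
            reached[dst] = min(hop, reached.get(dst, hop))
        else:
            routers[dst][hop].add(responder)
    paths = {}
    for dst in set(routers) | set(reached):
        last = reached.get(dst)
        stop = last - 1 if last else max(routers[dst], default=0)
        path = [sorted(routers[dst].get(h, ())) for h in range(1, stop + 1)]
        if last:
            path.append([dst])
        paths[dst] = path
    return paths


def load_balanced_hops(paths):
    """Hops (1-based) where more than one router answered: repeated probes landed
    on different next hops. Only destinations with such a hop are listed."""
    return {dst: [i for i, hop in enumerate(path, 1) if len(hop) > 1]
            for dst, path in paths.items() if any(len(hop) > 1 for hop in path)}


def divergence_hop(paths, a, b):
    """First hop (1-based) at which the paths to two addresses differ, or None if one
    path is a prefix of the other. Two addresses from one block that diverge early
    are not being routed to the same place."""
    for i, (ha, hb) in enumerate(zip(paths[a], paths[b]), 1):
        if ha != hb:
            return i
    return None


if __name__ == "__main__":
    paths = build_paths(REPLIES)
    print(paths)
    print(load_balanced_hops(paths))                              # {'198.51.100.10': [2]}
    print(divergence_hop(paths, "198.51.100.10", "198.51.100.20"))  # 2
```

A hop with an empty responder list means no time-exceeded reply came back for that TTL, which is the packet-loss case the deck's scanning slide also runs into; a real implementation would re-send just those TTLs rather than the whole set.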
9. Single Port
Full connection – Ack the SynAck – complete the handshake
Target has a stack full of connections, we have… nothing?
Different from a SynFlood
Can't spoof our IP address
~ 400 packets for Apache
Welcome to DoS
11. Full connections get torn down
Need to convince the stack we are still speaking to it! Drip, drip, drip.
Use apps that run on protocols
○ SMTP (DATA segment of mail)
○ HTTP (POST – content length 99999?)
Slowloris
○ FTP (PUT)
○ Others?
Anything that we can send data to
Means we need to track seq + ack numbers
14. !!WARNING!!
South African Space
Transparent Proxies :O :O :O
Firewalls in front of applications
Limit connections per client
Time per request
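Slides 9, 11 and 14 together describe the defender's problem: the attacker's connections are real (no spoofing), the stack tears them down unless bytes keep dripping in, and the two counters that actually stop it are connections per client and time per request. The example below is added for this page and is not the speaker's code or any server's implementation; it runs both limits over a constructed connection table and, for contrast, shows why an idle timeout keyed on last activity (the check most servers apply first) misses the dripping client. The `Conn` record, `NOW` and `TABLE` are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    """One accepted TCP connection as a server's connection table might hold it (constructed)."""
    client: str
    opened_at: float     # when the handshake completed (seconds)
    last_data_at: float  # last time the client sent any application bytes
    bytes_sent: int      # application bytes received so far
    complete: bool       # has a full request been received on this connection?


NOW = 1000.0

# Constructed table. 10.0.0.9 holds 40 connections opened about two minutes ago and
# sends a few bytes every 10 s without ever finishing a request (slide 11's drip).
# 10.0.0.7 has one fresh request and one finished keep-alive connection idle for 90 s.
TABLE = (
    [Conn("10.0.0.9", NOW - 120 - i, NOW - 10, 60 + i, False) for i in range(40)]
    + [Conn("10.0.0.7", NOW - 1, NOW - 1, 512, True),
       Conn("10.0.0.7", NOW - 90, NOW - 90, 700, True)]
)


def idle_timeout_candidates(conns, now, idle_secs=30.0):
    """Indices an idle timeout keyed on last activity would close. The dripping
    client defeats this by sending a byte now and then, while the legitimate
    finished keep-alive connection is the one that gets cut."""
    return [i for i, c in enumerate(conns) if now - c.last_data_at > idle_secs]


def enforce_limits(conns, now, max_per_client=20, max_request_secs=30.0):
    """Apply the two slide-14 limits. Returns (clients over the per-client cap with
    their counts, indices of connections whose request has been open longer than the
    cap). The time limit runs from opened_at, so trickling bytes does not reset it."""
    per_client = Counter(c.client for c in conns)
    over_limit = {c: n for c, n in per_client.items() if n > max_per_client}
    stale = [i for i, c in enumerate(conns)
             if not c.complete and now - c.opened_at > max_request_secs]
    return over_limit, stale


if __name__ == "__main__":
    print(idle_timeout_candidates(TABLE, NOW))   # [41]: the wrong connection
    over, stale = enforce_limits(TABLE, NOW)
    print(over, len(stale))                      # {'10.0.0.9': 40} 40
```

The per-client cap is the coarse control (it also caps a transparent proxy's aggregate, which is the warning on this slide: everyone behind that proxy shares one source address), while the request-age limit catches a client that stays under the cap but never finishes anything.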
15. Tech is NOT new, it's scattered but still applicable
Why is there not more of this going on?
Botnets
Online protests
Competition
Go further, packets = network = what others see, smokescreen networks?