ZACON 2009


Andrew MacPherson
Fun with TCP Packets
Andrew MacPherson
Zacon 2009
http://www.zacon.org.za/Archives/2009/slides/

Published in: Technology

  1. ZACON 2009
     Andrew MacPherson
  2. •  Degree in Information Science
     •  Tech Support -> Webdev -> Paterva
     •  @Paterva:
          •  Work on Maltego related stuff (local/server) transforms
          •  Built the Mesh (firefox plugin)
     •  31337 h4><z0r
     •  Mastermind
     •  Evil Genius
     •  Hippy
     •  Coder
     •  Interesting Because:
          •  Old stuff
          •  Still Applicable
          •  Not new – just scattered
     •  Portscanners
          •  Scanrand, Unicorn
     •  DOS
          •  Slowloris
     TCP/IP Packet Fun – ZAcon 2009
  3. •  Scapy
          •  Packet crafting tool
          •  Sender
          •  Listener
     •  TCP Handshake
          •  Syn/SynAck/Ack
     •  Portscan
          •  We send a SYN
          •  Filtered (no response)
          •  Open (got back SynAck)
          •  Closed (RST)
  4. •  We can send packets really fast
          •  SYN TCP packet is =~ 54 Bytes = 432 bits
          •  4Mbit/s (4194304 bits) can send 9.7K Syn packets per second (theory)
     •  We can monitor responses as per previous slide
     •  Means we can scan 65k ports in around 6s
     •  Packet loss – so we want to put in some delays
     •  RST packets getting in the way
          •  Firewall em!
  5. •  Unicorn, like scanrand, etc.
  6. •  Traceroute
     •  Sending out all TTLs at once (no wait)
          •  Know when to stop?
     •  Tracing to multiple hosts at once
          •  Put the hopcount in the payload
     •  Why is it cool to traceroute to blocks?
          •  See routing protocols (entire block is not all in the same place?)
          •  Load balancing (3 times)
          •  Geo Location
  7. (no slide text)
  8. •  Single Port
     •  Full connection – Ack the SynAck – Complete the handshake
     •  Target has stack full of connection, we have…. Nothing?
     •  Different from a SynFlood
          •  Can't spoof our IP Address
     •  ~ 400 packets for Apache
     •  Welcome to DoS
  9. (no slide text)
  10. •  Full connections get torn down
      •  Need to convince the stack we are still speaking to it! Drip, Drip, Drip.
      •  Use apps that run on protocols
           ○  SMTP (DATA seg of mail)
           ○  HTTP (POST – content length 99999?)
                •  Slowloris
           ○  FTP (PUT)
           ○  Others?
      •  Anything that we can send data to
      •  Means we need to track seq + ack numbers
  11. (no slide text)
  12. (no slide text)
  13. •  !!WARNING!!
      •  South African Space
           •  Transparent Proxies :O :O :O
      •  Firewalls in front of applications
      •  Limit connections per client
      •  Time per request
  14. •  Tech is NOT new, it's scattered but still applicable
      •  Why is there not more of this going on?
           •  Botnets
           •  Online protests
           •  Competition
      •  Go further, packets = network = what others see, smokescreen networks?
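
The two mitigations listed on slide 13 (limit connections per client, time per request), sketched as an added example that is not part of the original slides. The class name `ConnectionGuard`, both limit values and the addresses are assumptions, and the traffic in `simulate()` is constructed.

```python
"""Per-client connection cap plus per-request time budget (constructed example)."""
from collections import defaultdict


class ConnectionGuard:
    def __init__(self, max_per_client=20, request_budget_s=10.0):
        # Both limits are assumed policy values, not taken from the slides.
        self.max_per_client = max_per_client
        self.request_budget_s = request_budget_s
        self.open_by_client = defaultdict(set)   # client -> open connection ids
        self.pending = {}                        # conn id -> (client, time opened)

    def on_open(self, client, conn_id, now):
        """Admit a completed handshake unless the client is already at its cap."""
        if len(self.open_by_client[client]) >= self.max_per_client:
            return False
        self.open_by_client[client].add(conn_id)
        self.pending[conn_id] = (client, now)
        return True

    def on_request_complete(self, conn_id):
        """A full request arrived, so the connection is no longer on the clock."""
        self.pending.pop(conn_id, None)

    def on_close(self, conn_id, client):
        self.open_by_client[client].discard(conn_id)
        self.pending.pop(conn_id, None)

    def reap(self, now):
        """Close connections whose request is still incomplete past the budget.

        The clock starts at connection open and is not reset by partial data,
        so a peer that keeps dripping bytes is still cut off.
        """
        stale = [(cid, c) for cid, (c, t0) in self.pending.items()
                 if now - t0 > self.request_budget_s]
        for cid, client in stale:
            self.on_close(cid, client)
        return [cid for cid, _ in stale]


def simulate():
    """Constructed traffic: one client holding connections open, one normal client."""
    guard = ConnectionGuard()
    slow, normal = "198.51.100.7", "203.0.113.20"   # documentation addresses
    admitted = sum(guard.on_open(slow, f"s{i}", now=0.0) for i in range(400))
    guard.on_open(normal, "n1", now=1.0)
    guard.on_request_complete("n1")                 # normal request finishes at once
    reaped = guard.reap(now=11.0)
    return admitted, sorted(guard.open_by_client[normal]), len(reaped)
```

The budget is measured from connection open rather than from the last byte received, which is what stops the drip behaviour described on slide 10 from keeping a slot alive.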