TCP Sorcery


Barry Irwin
ZaCon 2009

  1. TCP SORCERY: A TALE OF UNINTENDED HAPPENINGS IN A HIDDEN W0RLD
     Barry Irwin, Security and Networks Research Group, Department of Computer Science, Rhodes University
  2. ABOUT ME
  3. ABOUT ME
     Head up the “Security & Network Research Group” within the Rhodes University CS Department.
     Interested in: packet wrangling, passive monitoring, collaborative defense, VizSec.
     Contact: @barryirwin
  4. 365 DAYS LATER....
     Conficker burst on the world...... 21/11/2008
  5. HOW WE GOT HERE
     Intro: network telescope research.
     The quandary: active vs passive traffic. What's the difference? Why care?
     The protocols:
     •  ICMP is trivial: well defined in the specs.
     •  TCP is not too difficult: brute-force all flag combinations.
     •  UDP is a pain: needs protocol / L7 decodes.
  6. TCP FUNDAMENTALS
     Hi, my name is TCP
  7. TCP FUNDAMENTALS
     Hi, my name is TCP
  8. TCP STATE TESTS
     How do we determine what is active vs passive traffic? Write an empirical test.
     What matters most is how stacks respond to combinations of the TCP flags; RFC 793 and Stevens don't define the action for every combination.
     Six flags:
     •  URG
     •  ACK
     •  PSH
     •  RST
     •  SYN
     •  FIN
  9. TCP FUZZING
     Six flags give 2^6 == 64 combinations; the fuzzer iterates through all of them.
     Tested against different targets:
     •  Linux 2.6 kernel
     •  FreeBSD 6.4/7.1
     •  Windows Server 2003 + patches
     •  Cisco switch (IOS 12.x)
     Both open and closed ports tested.
     512 responses recorded using tcpdump: 64 flag states * 4 targets * 2 ports (open/closed).
  10. FUZZING RESULTS
     What we found.....
     Of the 64 possible probes, only 50% were of any interest (across the board):
     •  Probes with RST set are no fun: they generate no response.
     •  'X-mas tree' packets garner no response either.
     Of the remainder:
     •  16 combinations only produce a RST packet. This is what we expect, and the response is the same for open and closed ports.
     •  Some flag combinations produced different responses.
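The 64-case flag sweep described on slides 8 to 10, as an added example; this is not the talk's own fuzzer, which is not on the page. It enumerates every value of the six-bit flag field, builds a bare 20-byte IPv4 TCP header for each with a valid pseudo-header checksum, and leaves sending to the caller (a raw socket needs root and a lab target). The addresses (192.0.2.x, documentation space) and ports are placeholders, and "no options, 20-byte header" is an assumption of the example.

```python
"""Enumerate all 64 TCP flag combinations and build raw probe segments.

Added example, not the talk's tool. Assumed: IPv4, no TCP options, a
20-byte header, checksum over the RFC 793 pseudo-header. Addresses and
ports below are placeholders.
"""
import socket
import struct

# The six flag bits of the TCP header flag byte (offset 13), low bit first.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_names(bits):
    """Decode a flag byte into the names of the set flags, e.g. 0x03 -> ['FIN', 'SYN']."""
    return [name for name, bit in FLAG_BITS.items() if bits & bit]


def all_flag_combinations():
    """The 2**6 == 64 values the fuzzer iterates: 0 (no flags) up to 63 (all six set)."""
    return range(1 << len(FLAG_BITS))


def checksum(data):
    """Ones'-complement sum of 16-bit big-endian words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length (RFC 793 section 3.1)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_length)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """Return a 20-byte TCP header carrying the given flag bits and a valid checksum."""
    data_offset = 5 << 4                    # five 32-bit words, no options
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset, flags, window, 0, 0)   # checksum field zero for now
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment):
    """True when the segment's checksum verifies: pseudo-header + segment sums to zero."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def build_probe_set(src_ip, dst_ip, sport, dport):
    """One probe per flag combination, keyed by the flag value: the fuzzer's 64 cases."""
    return {f: build_tcp_segment(src_ip, dst_ip, sport, dport, f)
            for f in all_flag_combinations()}


if __name__ == "__main__":
    # Placeholder endpoints; sending would need socket(AF_INET, SOCK_RAW, IPPROTO_TCP) as root.
    probes = build_probe_set("192.0.2.1", "192.0.2.2", 40000, 80)
    for flags, seg in sorted(probes.items()):
        print("%2d %-24s %s" % (flags, ",".join(flag_names(flags)) or "(none)", seg.hex()))
```

Run as a script it lists the 64 probes with their flag names and hex; to replay the talk's experiment, send each probe at an open and a closed port on each target and record the replies with tcpdump, as slide 9 describes.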
  11. SINGLE PACKET OS CHECK
     So what's your genus?
     We have shown it is possible to determine the remote OS family using a single-packet probe.
     The probes SYN,FIN / SYN,FIN,PSH / SYN,FIN,URG / SYN,FIN,URG,PSH all give the same distinctive results for open ports:
     •  Linux 2.6: 6 [SYN,ACK] datagrams
     •  FreeBSD: 4 [SYN,ACK] datagrams
     •  Windows 2003: 3 [SYN,ACK] datagrams
     •  Cisco IOS: [SYN,ACK] then [RST]
     Closed ports give [RST,ACK].
  12. SINGLE PACKET OS CHECK
     Unix family differentiation?
     Linux/FreeBSD can also be told apart from the other IP stack implementations with one additional single-packet probe. No flags / FIN / URG / PSH / FIN,PSH,URG all give the same distinctive results for open ports:
     •  Open ports give no response on FreeBSD/Linux (the RFC 793 behaviour: a segment with no SYN, RST or ACK arriving at a listening port is silently dropped).
     •  Windows and IOS both reply with [RST,ACK].
     Closed ports give [RST,ACK].
  13. MAKING MISCHIEF
     Seen any tiny blue guys around?
     Using what we have seen we can build a little amplification attack with Linux (or another stack) as the reflector:
     •  Attacker sends a TCP packet with a SYN,FIN variation to a Linux target, with the source address forged to be the victim.
     •  The TARGET generates 6 datagrams back for every one received.
     •  The VICTIM receives 6 [SYN,ACK] packets and responds with 6 RST packets.
     Counting both legs, that is 12 packets on the wire per spoofed probe; the values vary with FreeBSD (8x) and Windows (6x).
     This is a VERY crude attack, mostly useful for noise-making. Not about to be the next Smurf(ette).
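The response tables on slides 11 and 12 and the amplification count on slide 13, turned into a decision procedure as an added example; this is not the author's code, and the classification rules are exactly the page's own (SYN/ACK count per OS for the SYN,FIN family of probes; silence versus [RST,ACK] for the no-SYN family). The replies it parses are assumed to be bare 20-byte TCP headers with link and IP layers already stripped, and the sample captures in the script are constructed, not recorded traffic.

```python
"""Classify single-packet probe replies per the talk's tables (added example).

Assumed input: a list of raw 20-byte TCP headers captured in reply to one
probe at an OPEN port, with lower layers stripped. The sample replies
built by make_reply() are constructed for illustration.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Slide 11: [SYN,ACK] segments seen per SYN,FIN-style probe to an open port.
SYNACK_COUNTS = {6: "Linux 2.6", 4: "FreeBSD", 3: "Windows 2003"}


def reply_flags(segment):
    """Flag byte of a raw TCP header (offset 13)."""
    return segment[13]


def is_synfin_probe(flags):
    """SYN and FIN set, optionally PSH/URG, never ACK or RST (slide 11's four variants)."""
    return flags & (SYN | FIN) == (SYN | FIN) and not flags & (ACK | RST)


def is_nosyn_probe(flags):
    """No flags, or any subset of FIN/PSH/URG, with SYN, ACK and RST all clear (slide 12)."""
    return not flags & (SYN | ACK | RST)


def classify_open_port(probe_flags, replies):
    """Map the probe type plus the observed replies to an OS family as the slides do."""
    flags = [reply_flags(r) for r in replies]
    synacks = sum(1 for f in flags if f & (SYN | ACK) == (SYN | ACK) and not f & RST)
    rsts = sum(1 for f in flags if f & RST)
    if is_synfin_probe(probe_flags):
        if synacks and rsts:                # IOS: one [SYN,ACK] then a bare [RST]
            return "Cisco IOS"
        return SYNACK_COUNTS.get(synacks, "unknown")
    if is_nosyn_probe(probe_flags):
        if not flags:                       # RFC 793 stacks drop it silently
            return "Linux/FreeBSD"
        if rsts:                            # Windows and IOS answer [RST,ACK]
            return "Windows/IOS"
        return "unknown"
    raise ValueError("not one of the talk's single-packet probes")


def amplification_factor(synacks):
    """Packets on the wire per spoofed probe (slide 13): each [SYN,ACK] at the
    victim draws one RST back, so the reflector's count is doubled."""
    return 2 * synacks


def make_reply(flags, sport=80, dport=40000):
    """Constructed 20-byte reply header for the examples below; checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


if __name__ == "__main__":
    captures = {                             # constructed captures, one per target
        "linux":   (SYN | FIN,             [make_reply(SYN | ACK)] * 6),
        "freebsd": (SYN | FIN | PSH | URG, [make_reply(SYN | ACK)] * 4),
        "windows": (SYN | FIN,             [make_reply(SYN | ACK)] * 3),
        "ios":     (SYN | FIN,             [make_reply(SYN | ACK), make_reply(RST)]),
        "null-probe, silent":  (0,               []),
        "null-probe, rst/ack": (FIN | PSH | URG, [make_reply(RST | ACK)]),
    }
    for label, (probe, replies) in captures.items():
        synacks = sum(1 for r in replies if reply_flags(r) & (SYN | ACK) == (SYN | ACK))
        print("%-22s -> %-13s (%d packets per spoofed probe)"
              % (label, classify_open_port(probe, replies), amplification_factor(synacks)))
```

The null-flag probe only separates the two groups the slides name, so in practice it is sent after a SYN,FIN probe has already narrowed the family; a stack that answers neither as expected falls into "unknown" rather than being forced into a row of the table.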
  14. MAKING MISCHIEF
     No way did I scan that host.
     What we have seen is that certain flag combinations can elicit an active response from a target, which in turn can trigger yet another (although passive) response from whoever the forged source address points at.
     Given access to a network choke point, switch, shared media etc., one can coerce a target into scanning a third party with some level of success.
     Possible uses:
     •  Shifting blame
     •  IDS evasion
     •  Exploiting 'allow friends' firewall rules
  15. CONCLUSION
     So what?
     Nmap has been fingerprinting for a while: active, multi-packet probes; more accurate, but noisy.
     Sideband/reflective scanning can be of use:
     •  Covert ops
     •  Reflectively scanning your own network
     •  Obfuscation/noise generation: a 12x traffic multiplier is a packet-count smokescreen, with only a small probability of it being realised as bandwidth consumption.
  16. QUESTIONS?
     Contact: @barryirwin