
Homuncd: TCP With Spoofed IPs






Presentation Transcript


  1. Homuncd: TCP With Spoofed IPs Lurene A Grenier Seth Hinze

  2. Why? • Anonymity! • Long Term • Short Term

  3. Long Term Anonymity • What Ian Goldberg calls “Unlinkable Anonymity.” • Hide your identity from the owners of your target. • Spoofing Activities with LTA as a goal: • SYN Flooding • Reconnaissance

  4. Short Term Anonymity • Maintain independence of activity • Conceal the continuity • Simple concept, hard to explain • Spoofing activities with STA as a goal: • Homuncd

  5. Why Is This Interesting? • TCP creates a virtual stream • 3-Way handshake • TCP sequence numbers

  6. SYN Floods • Simple to execute. • Send many SYNs to target host in quick succession with spoofed IPs. • Target allocates buffer in kernel space, which stays allocated until time out.
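The kernel-buffer problem on this slide is what SYN cookies were designed to remove: instead of allocating state on the SYN, the server encodes a keyed MAC of the 4-tuple and a coarse timestamp into the initial sequence number and only allocates when a client proves it saw the SYN/ACK. The sketch below is an added illustration, not code from the talk; the secret key, the 5-bit slot / 27-bit MAC split of the ISN, the 64-second slot and the accepted age are assumptions chosen for the demo.

```python
"""SYN cookies: surviving a spoofed SYN flood without per-SYN kernel state.

Added illustration for the slide above, not part of the original talk.  The
secret key, the 5-bit/27-bit ISN split, the 64-second time slot and the
accepted age are assumptions chosen for the demo; real stacks differ in detail.
"""
import hashlib
import hmac
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]              # (src_ip, src_port, dst_ip, dst_port)

SECRET = b"constructed-demo-key-rotate-at-boot"  # assumption: random per boot
COUNTER_BITS = 5                              # top bits of the ISN: coarse time slot
MAC_BITS = 32 - COUNTER_BITS                  # remaining bits: truncated MAC
MAC_MASK = (1 << MAC_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1
SLOT_SECONDS = 64                             # one counter tick per 64 s
MAX_AGE_SLOTS = 2                             # cookies older than this are stale


def _slot(now: int) -> int:
    return (now // SLOT_SECONDS) & COUNTER_MASK


def _mac(flow: Flow, slot: int) -> int:
    """Truncated HMAC binding the cookie to the 4-tuple and the time slot."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(flow: Flow, now: int) -> int:
    """ISN sent in the SYN/ACK.  Nothing is stored: the ISN *is* the state."""
    slot = _slot(now)
    return (slot << MAC_BITS) | _mac(flow, slot)


def verify_cookie(flow: Flow, ack_number: int, now: int) -> bool:
    """Check the final ACK of the handshake.  The client acknowledges ISN+1,
    so the cookie is ack_number-1.  A spoofed source never sees the SYN/ACK
    and therefore cannot produce a valid ACK."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    slot = cookie >> MAC_BITS
    age = (_slot(now) - slot) & COUNTER_MASK
    if age > MAX_AGE_SLOTS:
        return False                          # stale or bogus time slot
    expected = _mac(flow, slot).to_bytes(4, "big")
    got = (cookie & MAC_MASK).to_bytes(4, "big")
    return hmac.compare_digest(expected, got)


class StatelessListener:
    """Listening socket that allocates a connection record only after a
    valid third-handshake ACK, so a flood of spoofed SYNs costs it nothing
    but CPU for the HMACs."""

    def __init__(self) -> None:
        self.established: Dict[Flow, int] = {}

    def on_syn(self, flow: Flow, now: int) -> int:
        return make_cookie(flow, now)         # reply with SYN/ACK, store nothing

    def on_ack(self, flow: Flow, ack_number: int, now: int) -> bool:
        if not verify_cookie(flow, ack_number, now):
            return False
        self.established[flow] = now          # first and only allocation
        return True


def demo() -> Tuple[int, bool]:
    """10,000 spoofed SYNs (constructed addresses in 203.0.113.0/24) followed
    by one honest client.  Returns (connections allocated, honest client ok)."""
    listener = StatelessListener()
    now = 1_700_000_000
    for i in range(10_000):
        spoofed: Flow = (f"203.0.113.{i % 254 + 1}", 40_000 + i, "198.51.100.10", 80)
        listener.on_syn(spoofed, now)         # no ACK ever comes back for these
    honest: Flow = ("192.0.2.7", 51_515, "198.51.100.10", 80)
    isn = listener.on_syn(honest, now)
    ok = listener.on_ack(honest, (isn + 1) & 0xFFFFFFFF, now + 1)
    return len(listener.established), ok


if __name__ == "__main__":
    print(demo())
```

The trade-off the demo hides is that a cookie-only server cannot remember TCP options negotiated in the SYN (window scale, SACK), which is why real stacks fall back to cookies only once the backlog fills rather than using them for every connection.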

  7. Reconnaissance with Spoofed IPs • 3 basic recon methods • Spoofed IPs as Misinformation • Port Scanning by IP Seq Number Observation • Port Scanning by Indirect Observation

  8. Spoofed IPs as Misinformation • Scan from 100 random used IPs and your own. • All must be checked to determine actual scanner. • Ex: -D option in nmap

  9. IP Sequence Number Observation [Diagram: three steps between attacker A, zombie Z and target T. Step 1: A sends an echo to Z and reads the response. Step 2: A sends a spoofed SYN from Z to T; T's response (traffic unknown to A) goes to Z. Step 3: A sends another echo to Z and reads the response.]

  10. IP Seq # (Cont.) • Port is Open: T->Z: SYN/ACK; Z->T: RST (IP Sequence Number of Z +1) • Port is Closed: T->Z: RST (IP Sequence Number of Z unchanged)
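The observation on slides 9 and 10 only works because the zombie hands out IP IDs from one global counter that every outgoing packet increments. The model below is an added illustration, not code from the talk: it plays the three-step observation against an in-memory model of Z's IP layer (no packets are sent) and reports whether a given IP-ID policy makes the host usable as a zombie. The two policy names, the starting counter, the trial count and the 90 % threshold are assumptions; the point it demonstrates is that a randomized (or simply busy) host gives the observer no signal, which is the property a defender wants from the hosts in their range.

```python
"""Why a predictable IP ID makes a host usable as a 'zombie' in the probe on
slide 10, and why a randomized IP ID does not.  Added model for illustration,
not part of the original talk; everything runs against an in-memory model of
the zombie's IP layer, no packets are sent.  The policy names, the starting
counter, the trial count and the 90 % threshold are assumptions."""
import random
from typing import Optional


class ZombieStack:
    """Model of Z's IP layer.  The only property that matters is how the IP ID
    of each outgoing packet is chosen.  `background` is the number of unrelated
    packets Z happens to send between two probes (the 'unknown traffic' on the
    slide 9 diagram)."""

    def __init__(self, policy: str = "sequential", background: int = 0, seed: int = 0):
        if policy not in ("sequential", "random"):
            raise ValueError(policy)
        self.policy = policy
        self.background = background
        self._counter = 1000                      # assumed starting IP ID
        self._rng = random.Random(seed)

    def emit(self) -> int:
        """IP ID of the next packet Z sends."""
        if self.policy == "sequential":
            self._counter = (self._counter + 1) & 0xFFFF
            return self._counter
        return self._rng.randrange(1 << 16)       # per-packet random IP ID

    def unrelated_traffic(self) -> None:
        for _ in range(self.background):
            self.emit()

    def receive(self, segment: str) -> Optional[int]:
        """Z's reaction to an unsolicited segment from T: a SYN/ACK for a
        connection Z never opened is answered with a RST (costs one IP ID);
        a RST is silently dropped (slide 10)."""
        return self.emit() if segment == "SYN/ACK" else None


def infer_from_ip_ids(z: ZombieStack, port_open: bool) -> str:
    """The three-step observation from slides 9/10, played against the model."""
    before = z.emit()                             # step 1: echo Z, read IP ID
    z.unrelated_traffic()
    z.receive("SYN/ACK" if port_open else "RST")  # step 2: T's reply lands on Z
    z.unrelated_traffic()
    after = z.emit()                              # step 3: echo Z again
    delta = (after - before) & 0xFFFF
    if delta == 1:
        return "closed"
    if delta == 2:
        return "open"
    return "unknown"


def inference_accuracy(policy: str, background: int = 0, trials: int = 200) -> float:
    """Fraction of trials in which the IP-ID delta yields the correct verdict."""
    z = ZombieStack(policy, background)
    rng = random.Random(42)                       # fixed seed: deterministic run
    correct = 0
    for _ in range(trials):
        truth = rng.random() < 0.5
        verdict = infer_from_ip_ids(z, truth)
        if verdict == ("open" if truth else "closed"):
            correct += 1
    return correct / trials


def usable_as_zombie(policy: str, background: int = 0) -> bool:
    """Assessment a defender can run against a host's IP-ID policy: the host
    is a liability if the observation is reliable (accurate in >90 % of trials)."""
    return inference_accuracy(policy, background) > 0.9


if __name__ == "__main__":
    for policy, bg in (("sequential", 0), ("sequential", 3), ("random", 0)):
        print(policy, bg, usable_as_zombie(policy, bg))
```

With `sequential` and no other traffic the delta is exactly 1 or 2 every time; three unrelated packets per interval already push it to 7 or 8 and the verdict becomes "unknown", which is why the technique needs an idle host. With `random` the delta carries no information at all, so randomized or per-destination IP IDs are the fix on the zombie side.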

  11. Indirect Observation • The basis of Homuncd • Requires ability to “sniff” packets sent to Zombie. • SYN w/ spoofed IP sent to Target - responses sniffed.

  12. Maintaining TCP Connections • What if the Zombie doesn’t exist? • No responses are returned • What if the Zombie is on a sniffable portion of the network? • We can see all responses to the Zombie • What if we were to respond for the Zombie? • We could maintain a TCP connection for a non-existent machine

  13. Using Firewalls as Zombies • Firewalled ports return nothing when queried. (No RST sent from closed ports) • Attacks can be spoofed from machines with “personal firewalls” • Firewalled machine is liable for your malicious activities.

  14. Who uses a personal firewall? • Soon? • Everybody. • Windows XP SP2 is shipped with the firewall on by default. • You can steal music, hack websites, and DoS large companies, all on someone else’s conscience

  15. Why would we want to do this? • Create non-existent honeypots. • Simulate an attack by a real botnet for testing purposes • Maintain LTA for malicious TCP activity. • Brute-force accounts without alerting IDSs. • Hack the Gibson.

  16. Limitations • Spoofable IP range determined by the traffic we can sniff. • Range can be expanded with ARP spoofing. • HomuncBots are easily detected • To prevent this, an entire virtual TCP/IP stack must be implemented.

  17. Honeyd - Homunc’s Big Brother • Honeyd implements virtual machines with the purpose of responding to connections • Supports several mechanisms to circumvent the detection limitation. • Not subject to the range limitation due to its use.

  18. Honeyd (cont.) • Allows for system impersonation • TCP personality can be learned from nmap fingerprints. • Personalities can also be edited by hand • Services can be impersonated, or proxied to other machines

  19. Honeyd (cont.) Honeyd is by far a more complicated and flexible tool than Homuncd, but it lacks important features necessary for attack; the usage is different. Honeyd, however, is the perfect example of TCP with spoofed IPs.

  20. Protecting your Network • Honeyd can protect your network from housing Homuncd zombies • Use up free IP space before an unauthorized user can • Simply know which IPs are valid, and terminate traffic from others.

  21. Protection (cont.) • What if I’m the target? • Don’t profile attacks by IP • Search for other patterns • Sorted Password lists • Use IP seq numbers against the attacker
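Slides 20 and 21 give two defensive rules: know which addresses in your own range are real and treat the rest as suspect, and hunt brute force by account rather than by source IP, because a Homuncd-style attacker rotates through spoofed sources so per-IP thresholds never fire. The script below is an added example implementing both checks over a constructed log; it is not code from the talk, and the network 192.0.2.0/24, the allocated addresses, the log format and the thresholds are all constructed for the demo.

```python
"""Two checks for the advice on slides 20 and 21: (a) flag traffic from
addresses in our own range that are not allocated to any real host (a
Homuncd-style zombie), and (b) look for brute force by account rather than by
source IP.  Added example, not part of the original talk; the network, the
allocated addresses and the log format below are constructed for the demo."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterator, List, NamedTuple, Tuple

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")          # constructed
ALLOCATED = {ipaddress.ip_address(a)                      # real hosts we know about
             for a in ("192.0.2.10", "192.0.2.11", "192.0.2.20", "192.0.2.254")}

# Constructed connection/auth log: "<epoch> <src_ip> <dst_ip>:<port> <event> [account]"
SAMPLE_LOG = """\
1700000001 192.0.2.10 198.51.100.5:22 auth_fail alice
1700000002 192.0.2.77 198.51.100.5:22 auth_fail alice
1700000003 192.0.2.78 198.51.100.5:22 auth_fail alice
1700000004 192.0.2.79 198.51.100.5:22 auth_fail alice
1700000005 192.0.2.80 198.51.100.5:22 auth_fail alice
1700000006 192.0.2.11 198.51.100.5:443 connect
1700000007 203.0.113.9 198.51.100.5:22 auth_fail bob
1700000090 192.0.2.20 198.51.100.5:22 auth_ok carol
"""


class Event(NamedTuple):
    ts: int
    src: ipaddress.IPv4Address
    dst: str
    port: int
    kind: str
    account: str


def parse_log(text: str) -> Iterator[Event]:
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                                      # skip blank/malformed lines
        ts, src, dst_port, kind = parts[:4]
        dst, port = dst_port.rsplit(":", 1)
        account = parts[4] if len(parts) > 4 else ""
        yield Event(int(ts), ipaddress.ip_address(src), dst, int(port), kind, account)


def unallocated_local_sources(events: List[Event]) -> List[str]:
    """Slide 20: we know which of our IPs are valid; anything else claiming to
    be inside LOCAL_NET is either misconfigured or a spoofed zombie."""
    suspects = {e.src for e in events if e.src in LOCAL_NET and e.src not in ALLOCATED}
    return [str(ip) for ip in sorted(suspects)]


def distributed_auth_failures(events: List[Event], window: int = 60,
                              min_sources: int = 4) -> Dict[str, int]:
    """Slide 21: do not profile by IP.  Group failures by *account* and count
    distinct sources inside a sliding window; an attacker cycling through
    spoofed sources never trips a per-IP threshold but shows up here."""
    by_account: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "auth_fail":
            by_account[e.account].append(e)
    flagged: Dict[str, int] = {}
    for account, fails in by_account.items():
        fails.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(fails):                 # window anchored at each failure
            srcs = {e.src for e in fails[i:] if e.ts - start.ts <= window}
            best = max(best, len(srcs))
        if best >= min_sources:
            flagged[account] = best
    return flagged


def run(text: str = SAMPLE_LOG) -> Tuple[List[str], Dict[str, int]]:
    events = list(parse_log(text))
    return unallocated_local_sources(events), distributed_auth_failures(events)


if __name__ == "__main__":
    suspects, flagged = run()
    print("unallocated local sources:", suspects)
    print("accounts under distributed brute force:", flagged)
```

Both checks need nothing beyond an up-to-date allocation list and connection or auth logs; the first is also the "use up free IP space" advice turned into an alert, and a honeyd instance occupying the unallocated addresses would turn those suspects into connections it can terminate.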

  22. Basic References • “Honeyd - Network Rhapsody for you” http://www.citi.umich.edu/u/provos/honeyd/ • “Low-Level Enumeration With TCP/IP” http://www.securityfocus.com/guest/24226 • “Reconnaissance Techniques using Spoofed IP Addresses” http://www.sans.org/resources/idfaq/spoofed_ip.php

  23. Thanks To… • Niels Provos… for his blessing on the honeyd info • CITI… for rocking hardcore • Martin Murray… for keeping me warm on cold nights

  24. Any Questions?
