true blind ip spoofed portscanning l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
TRUE Blind ip spoofed portscanning PowerPoint Presentation
Download Presentation
TRUE Blind ip spoofed portscanning

Loading in 2 Seconds...

play fullscreen
1 / 51

TRUE Blind ip spoofed portscanning - PowerPoint PPT Presentation


  • 174 Views
  • Uploaded on

TRUE Blind ip spoofed portscanning. Thomas Olofsson C.T.O Defcom . Agenda. Background on TCP ip handshakes Background on traditional scanning ID numbers and their prediction Spoofed scanning in theory and practice. The code and examples Demo Q/A. Background on TCP handshakes.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

TRUE Blind ip spoofed portscanning


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
true blind ip spoofed portscanning

TRUE Blind ip spoofed portscanning

Thomas Olofsson

C.T.O

Defcom

agenda
Agenda
  • Background on TCP ip handshakes
  • Background on traditional scanning
  • ID numbers and their prediction
  • Spoofed scanning in theory and practice.
  • The code and examples
  • Demo
  • Q/A
background on tcp handshakes
Background on TCP handshakes
  • Definitions
  • Tcp header
  • Traditional 3 way handshake
definitions
Definitions
  • An open connection between two computers communicating by TCP/IP is called a socket and is defined by:
  • Source IP number
  • Source Port number
  • Destination IP number
  • Destination Port number
  • Initial source SEQ number
  • Initial destination SEQ number
  • AN ID # that is increased for each packet

2.6.1.1

tcp packet header
TCP packet header

16-bit source port number

16-bit destination port number

32-bit sequence number

32-bit acknowledgement number

length

unused

flags

16-bit window size

16-bit TCP checksum

16-bit urgent offset

Options (if any)

Data (if any)

traditional tcp ip handshake
Traditional TCP/IP handshake

Src ip,Dst ip

Src prt, Dst Prt

Syn = in seq#

Ack = NULL

Flags = S

Src ID = src ID + 1

syn

attacker

target

traditional tcp ip handshake7
Traditional TCP/IP handshake

Src ip,Dst ip

Src prt, Dst Prt

Syn = src seq#

Ack = NULL

Flags = S

Src ip,Dst ip

Src prt, Dst Prt

Syn = Dst seq#

Ack = src seq# +1

Flags =

Dst ID = Dst ID + 1

syn

Syn / Ack

attacker

target

traditional tcp ip handshake8
Traditional TCP/IP handshake

syn

Src ip,Dst ip

Src prt, Dst Prt

Syn = src seq#

Ack = dst seq# +1

Flags = A

Src ID = src ID + 1

Syn / Ack

Ack

attacker

target

establishing a socket
Establishinga socket

A

B

SYN (seqa)

SYN/ACK (seqb/ack= seqa+1)

ACK (ack= seqb+1)

traditional port scanning11
Traditional port scanning

syn

Syn / Ack

Ack

attacker

target

traditional stealth scanning 1
Traditional stealth scanning 1

syn

Syn / Ack

attacker

target

traditional stealth scanning 2
Traditional stealth scanning 2

syn

Syn / Ack

Rst

attacker

target

sequence numbers
Sequence numbers

Are in place to provide easy packet reassembly.

Increments each time a packet is sent.

Various incrementation schemes exist

id flag
ID flag
  • Are in place to identify each tcp session
  • Is also in some cases used for packet reassembly
  • The id counter is increased every time a packet is sent
  • This is valid far all packets including reset packets
id flag prediction
ID flag prediction
  • Most unix boxes increments the ID flag by a random or seudo random number.
  • Up till today id numbers has not been known to bee security critical.
  • Windows 95 boxes tend to increment id# by 1
  • Windows 2000 boxes seems to increment id# by 254
  • This due to reversed byte ordering of the id# in theese operating systems.
spoofed scanning in theory
Spoofed scanning in theory
  • By constantly polling a decoy host for id number increments we can se If the scanned target host has sent it syn/ack or reset packets.
  • By analyzing this we will know whether a port on the scanned host is open or not
  • This is done totally blind from the scanned host.
spoofed scanning in theory18
Spoofed scanning in theory
  • Since we know a win box will increase the id# by sending a packet we can by constantly probing the host se how many packets it has sent between our polls
  • This is done my monitoring the ID# increment
spoofed scanning in theory19
Spoofed scanning in theory
  • If a port is open on a scanned host the server will respond with a syn/ack
  • If a port is closed on the scanned host it will respond with a rst
spoofed scanning in theory20
Spoofed scanning in theory

If a host receives a syn ack from a unknown source it will send a rst packet back

If a host receives a rst packet from a unknown source it will NOT send a packet back

spooed scanning in practice
Spooed scanning in practice

Or how it all fits together

introducing our players
Introducing our players

Spoof host

172.0.0.1

attacker

target

10.0.0.1

192.0.0.1

why do we need three of them
Why do we need three of them

Spoof host

www.anycompany.com:80

attacker

target

unknowing.com

3vil.org

phase one sync the id of spoof
Phase one (sync the id# of spoof)

Spoof host

www.anycompany.com:80

Syn:80

attacker

target

unknowing.com

3vil.org

phase one sync the id of spoof25
Phase one (sync the id# of spoof)

Spoof host

www.anycompany.com:80

Syn/ack

attacker

target

unknowing.com

3vil.org

why did we do that
Why did we do that
  • Attacker now knows the spoofs initial ID#
phase2 spoofing the source
Phase2 (spoofing the source)

Spoof host

172.0.0.1

Syn src = 172.0.0.1 Dst = 192.0.0.1

attacker

target

10.0.0.1

192.0.0.1

phase 3 fooling the respons
Phase 3 (fooling the respons)

Spoof host

172.0.0.1

Syn/Ack src = 192.0.0.1 Dst = 172.0.0.1

attacker

target

10.0.0.1

192.0.0.1

phase 3 fooling the respons29
Phase 3 (fooling the respons)

Spoof host

172.0.0.1

Rst src == 172.0.0.1 Dst = 192.0.0.1

attacker

target

10.0.0.1

192.0.0.1

phase 4 probing the spoof host
Phase 4 (probing the spoof host)

Spoof host

172.0.0.1

Syn:80

attacker

target

10.0.0.1

192.0.0.1

phase 4 probing the spoof host31
Phase 4 (probing the spoof host)

Spoof host

172.0.0.1

Syn:80

Syn/ack

attacker

target

10.0.0.1

192.0.0.1

case port open
Case port open

Adding the ID counters

phase one sync the id of spoof33
Phase one (sync the id# of spoof)

Spoof host ID =0

172.0.0.1

Syn:80

attacker

target

unknowing.com

3vil.org

phase one sync the id of spoof34
Phase one (sync the id# of spoof)

Spoof host ID =1

172.0.0.1

Syn/ack

attacker

target

unknowing.com

3vil.org

phase2 spoofing the source35
Phase2 (spoofing the source)

Spoof host ID =1

172.0.0.1

Syn src = 172.0.0.1 Dst = 192.0.0.1

attacker

target

10.0.0.1

192.0.0.1

phase 3 fooling the respons36
Phase 3 (fooling the respons)

Spoof host ID =1

172.0.0.1

Syn/Ack src = 192.0.0.1 Dst = 172.0.0.1

attacker

target

10.0.0.1

192.0.0.1

phase 3 fooling the respons37
Phase 3 (fooling the respons)

Spoof host ID =2

172.0.0.1

Rst src == 172.0.0.1 Dst = 192.0.0.1

attacker

target

10.0.0.1

192.0.0.1

phase 4 probing the spoof host38
Phase 4 (probing the spoof host)

Spoof host ID =2

172.0.0.1

Syn:80

attacker

target

10.0.0.1

192.0.0.1

phase 4 probing the spoof host39
Phase 4 (probing the spoof host)

Spoof host ID =3

172.0.0.1

Syn:80

Syn/ack

attacker

target

10.0.0.1

192.0.0.1

case port closed
Case port closed

Adding the ID counters

phase one sync the id of spoof41
Phase one (sync the id# of spoof)

Spoof host ID =0

172.0.0.1

Syn:80

attacker

target

unknowing.com

3vil.org

phase one sync the id of spoof42
Phase one (sync the id# of spoof)

Spoof host ID =1

172.0.0.1

Syn/ack

attacker

target

unknowing.com

3vil.org

phase2 spoofing the source43
Phase2 (spoofing the source)

Spoof host ID =1

172.0.0.1

Syn src = 172.0.0.1 Dst = 192.0.0.1

attacker

target

10.0.0.1

192.0.0.1

phase 3 fooling the respons44
Phase 3 (fooling the respons)

Spoof host ID =1

172.0.0.1

Rst src = 192.0.0.1 Dst = 172.0.0.1

attacker

target

10.0.0.1

192.0.0.1

phase 4 probing the spoof host45
Phase 4 (probing the spoof host)

Spoof host ID =1

172.0.0.1

Syn:80

attacker

target

10.0.0.1

192.0.0.1

phase 4 probing the spoof host46
Phase 4 (probing the spoof host)

Spoof host ID =2

172.0.0.1

Syn:80

Syn/ack

attacker

target

10.0.0.1

192.0.0.1

summary
Summary
  • By constantly polling a decoy host for id number increments we can se If the scanned target host has sent it syn/ack or reset packets.
  • By analysing this we will know whether a port on the scanned host is open or not
  • This is done totally blind from the scanned host.
the basic technique and its flaws
The basic technique and its flaws
  • If the poll host is active it will increase the id# for each connection.
  • This will result in false possitives.
  • Theese false positives can be minimized by sending multiple packets for each port.
  • Then calculating the increase
  • The port will only show up true if the increase is > (#packets_sent*255)/2
phase2 spoofing the source49
Phase2 (spoofing the source)

Spoof host ID =1

172.0.0.1

(Syn src = 172.0.0.1 Dst = 192.0.0.1) * 20

attacker

target

10.0.0.1

192.0.0.1

phase 3 fooling the respons50
Phase 3 (fooling the respons)

Spoof host ID=1+20

172.0.0.1

Syn /Ack src = 192.0.0.1 Dst = 172.0.0.1

attacker

target

10.0.0.1

192.0.0.1