ZACON 2009 Andrew MacPherson

Fun with TCP Packets


Andrew MacPherson, ZACON 2009. Slides: http://www.zacon.org.za/Archives/2009/slides/


Page 1: Fun with TCP Packets

ZACON 2009

Andrew MacPherson

Page 2: Fun with TCP Packets

TCP/IP Packet Fun – ZAcon 2009

•  31337 h4><z0r
•  Mastermind
•  Evil Genius
•  Hippy
•  Coder

•  Degree in Information Science
•  Tech Support -> Webdev -> Paterva
•  @Paterva:
  ○  Work on Maltego related stuff (local/server transforms)
  ○  Built the Mesh (Firefox plugin)
•  Interesting because:
  ○  Old stuff
  ○  Still applicable
  ○  Not new – just scattered
•  Portscanners
  ○  Scanrand, Unicorn
•  DoS
  ○  Slowloris

Page 3: Fun with TCP Packets


•  Scapy
  ○  Packet crafting tool
  ○  Sender
  ○  Listener
•  TCP Handshake
  ○  SYN / SYN-ACK / ACK
•  Portscan
  ○  We send a SYN
  ○  Filtered (no response)
  ○  Open (got back SYN-ACK)
  ○  Closed (RST)

Page 4: Fun with TCP Packets


•  We can send packets really fast
•  SYN TCP packet is ~54 bytes = 432 bits
•  4 Mbit/s (4194304 bits) can send 9.7K SYN packets per second (theory)
•  We can monitor responses as per previous slide
•  Means we can scan 65k ports in around 6s
•  Packet loss – so we want to put in some delays
•  RST packets getting in the way
  ○  Firewall 'em!

Page 5: Fun with TCP Packets


•  Unicorn, like scanrand, etc.

Page 6: Fun with TCP Packets


•  Traceroute
  ○  Sending out all TTLs at once (no wait)
  ○  Know when to stop?
  ○  Tracing to multiple hosts at once
  ○  Put the hop count in the payload
•  Why is it cool to traceroute to blocks?
  ○  See routing protocols (entire block is not all in the same place?)
  ○  Load balancing (3 times)
  ○  Geolocation

Page 7: Fun with TCP Packets


Page 8: Fun with TCP Packets
Page 9: Fun with TCP Packets


•  Single port
•  Full connection – ACK the SYN-ACK – complete the handshake
•  Target has a stack full of connections, we have… nothing?
•  Different from a SYN flood
  ○  Can't spoof our IP address
•  ~400 packets for Apache
•  Welcome to DoS

Page 10: Fun with TCP Packets


Page 11: Fun with TCP Packets


•  Full connections get torn down
•  Need to convince the stack we are still speaking to it! Drip, drip, drip.
•  Use apps that run on protocols
  ○  SMTP (DATA segment of mail)
  ○  HTTP (POST – Content-Length 99999?)
  ○  Slowloris
  ○  FTP (PUT)
  ○  Others?
•  Anything that we can send data to
•  Means we need to track seq + ack numbers

Page 12: Fun with TCP Packets


Page 13: Fun with TCP Packets


Page 14: Fun with TCP Packets


•  !!WARNING!! South African Space
•  Transparent proxies :O :O :O
•  Firewalls in front of applications
  ○  Limit connections per client
  ○  Time per request
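The two limits on this slide are exactly what catches the drip pattern from the earlier slide (a POST announcing a huge Content-Length and then trickling bytes to keep the connection alive). Below is an added example, not from the talk or its slides, of the check a front-end firewall or proxy would run over its connection table; the connection records, thresholds and TEST-NET addresses are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    """One open client connection as a server or proxy would track it."""
    client: str
    opened_at: float    # seconds since epoch when the handshake completed
    declared_len: int   # Content-Length the client announced for its body
    received: int       # body bytes actually received so far

# Assumed thresholds of the kind a front-end firewall would enforce.
MAX_CONNS_PER_CLIENT = 10
MAX_REQUEST_SECONDS = 30.0

def flag_slow_drip(conns, now, max_conns=MAX_CONNS_PER_CLIENT,
                   max_secs=MAX_REQUEST_SECONDS):
    """Return {client: [reasons]} for clients tripping either limit."""
    by_client = defaultdict(list)
    for c in conns:
        by_client[c.client].append(c)
    flagged = {}
    for client, cs in by_client.items():
        reasons = []
        if len(cs) > max_conns:
            reasons.append(f"{len(cs)} concurrent connections (limit {max_conns})")
        # A request whose announced body has still not arrived after max_secs
        # is the drip pattern: the stack is kept believing data is coming.
        stalled = [c for c in cs
                   if now - c.opened_at > max_secs and c.received < c.declared_len]
        if stalled:
            reasons.append(f"{len(stalled)} requests open > {max_secs:.0f}s "
                           f"with body incomplete")
        if reasons:
            flagged[client] = reasons
    return flagged

def sample_connection_table(now):
    """Constructed sample data (TEST-NET addresses), not captured traffic."""
    conns = []
    # Dripping client: 12 connections opened two minutes ago, each announcing
    # a 99999-byte POST body but having delivered only a few dozen bytes.
    for i in range(12):
        conns.append(Conn("203.0.113.7", now - 120.0, 99999, 40 + i))
    # Ordinary client: two short POSTs, bodies fully received.
    conns.append(Conn("198.51.100.4", now - 2.0, 512, 512))
    conns.append(Conn("198.51.100.4", now - 1.0, 128, 128))
    return conns

if __name__ == "__main__":
    now = 1_700_000_000.0
    for client, reasons in flag_slow_drip(sample_connection_table(now), now).items():
        print(client, "->", "; ".join(reasons))
```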

Page 15: Fun with TCP Packets


•  Tech is NOT new, it's scattered but still applicable
•  Why is there not more of this going on?
  ○  Botnets
  ○  Online protests
  ○  Competition
•  Go further: packets = network = what others see, smokescreen networks?