Fun with TCP Packets

Andrew MacPherson
Zacon 2009


2.
  - Degree in Information Science
  - Tech Support -> Webdev -> Paterva
  - 31337 h4><z0r
  - Mastermind
  - @Paterva: Evil Genius
  - Work on Maltego related stuff (local/server transforms)
  - Hippy
  - Built the Mesh (Firefox plugin)
  - Coder

  Interesting because:
  - Old stuff, still applicable
  - Not new, just scattered
  - Portscanners: Scanrand, Unicorn
  - DoS: Slowloris

TCP/IP Packet Fun, ZAcon 2009

3. Scapy
  - Packet crafting tool
  - Sender
  - Listener
  TCP handshake: SYN / SYN-ACK / ACK
  Portscan:
  - We send a SYN
  - Filtered (no response)
  - Open (got back a SYN-ACK)
  - Closed (RST)

4. We can send packets really fast
  - A TCP SYN packet is ~54 bytes = 432 bits
  - At 4 Mbit/s (4194304 bits) we can send 9.7K SYN packets per second (theory)
  - We can monitor responses as per the previous slide
  - Means we can scan 65k ports in around 6s
  - Packet loss, so we want to put in some delays
  - RST packets getting in the way? Firewall 'em!

5. Unicorn, like Scanrand, etc.

6. Traceroute
  - Sending out all TTLs at once (no wait)
  - Know when to stop?
  - Tracing to multiple hosts at once
  - Put the hop count in the payload
  - Why is it cool to traceroute to blocks?
    - See routing protocols (entire block is not all in the same place?)
    - Load balancing (3 times)
    - Geo location

7. (no text on slide)

8. Single port, full connection
  - ACK the SYN-ACK
  - Complete the handshake
  - Target has a stack full of connections; we have... nothing?
  - Different from a SYN flood
  - Can't spoof our IP address
  - ~400 packets for Apache
  - Welcome to DoS

9. (no text on slide)

10. Full connections get torn down
  - Need to convince the stack we are still speaking to it! Drip, drip, drip.
  - Use apps that run on protocols:
    - SMTP (DATA segment of mail)
    - HTTP (POST content length 99999?) Slowloris
    - FTP (PUT)
    - Others? Anything that we can send data to
  - Means we need to track seq + ack numbers

11. (no text on slide)

12. (no text on slide)

13. !!WARNING!! South African Space
  - Transparent proxies :O :O :O
  - Firewalls in front of applications
  - Limit connections per client
  - Time per request

14. Tech is NOT new, it's scattered but still applicable
  - Why is there not more of this going on?
  - Botnets
  - Online protests
  - Competition
  - Go further: packets = network = what others see. Smokescreen networks?
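Slide 13's two countermeasures (limit connections per client, time per request) applied to the "drip, drip, drip" pattern from slide 10, as an added example that is not part of the original deck. It runs over a constructed connection snapshot, and the limits and the byte-rate threshold are assumed policy values, not figures from the slides.

```python
"""Flag clients over a per-client connection limit and connections that have
outlived a request time budget while delivering almost no data (slow drip)."""
from collections import defaultdict

# Constructed sample snapshot, one server-side connection per line:
# "<client_ip> <client_port> <state> <age_seconds> <bytes_received>"
SNAPSHOT = """\
198.51.100.7 40001 ESTABLISHED 95 41
198.51.100.7 40002 ESTABLISHED 93 38
198.51.100.7 40003 ESTABLISHED 90 40
198.51.100.7 40004 ESTABLISHED 88 39
203.0.113.9 51000 ESTABLISHED 2 1450
203.0.113.9 51001 ESTABLISHED 1 980
192.0.2.5 33000 ESTABLISHED 120 65000
"""

MAX_CONNS_PER_CLIENT = 3      # assumed policy values, not from the slides
MAX_REQUEST_SECONDS = 60
MIN_BYTES_PER_SECOND = 10.0   # below this, a long-lived connection is dripping


def parse_snapshot(text):
    """Turn the snapshot text into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        ip, port, state, age, rx = line.split()
        conns.append({"ip": ip, "port": int(port), "state": state,
                      "age": int(age), "rx": int(rx)})
    return conns


def find_violations(conns):
    """Return (clients over the connection limit, dripping connections)."""
    per_client = defaultdict(int)
    for c in conns:
        if c["state"] == "ESTABLISHED":
            per_client[c["ip"]] += 1
    over_limit = sorted(ip for ip, n in per_client.items()
                        if n > MAX_CONNS_PER_CLIENT)
    # Open past the request budget yet barely sending anything: that is the
    # kept-alive full connection from slide 10, not a slow but honest upload.
    dripping = [(c["ip"], c["port"]) for c in conns
                if c["age"] > MAX_REQUEST_SECONDS
                and c["rx"] / c["age"] < MIN_BYTES_PER_SECOND]
    return over_limit, dripping


if __name__ == "__main__":
    print(find_violations(parse_snapshot(SNAPSHOT)))
```

The large, fast transfer from 192.0.2.5 is old but not flagged, which is the point of testing bytes per second rather than age alone.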