Information Networking Security and Assurance Lab
National Chung Cheng University

Anti-hacker Tool Kit: CH13 Port Redirection
Jared
04/03/31

Agenda
- Introduction
- Datapipe
- FPipe
- Case Study: Port Hopping
- Case Study: Packet Filters, Ports, and Problems
- Conclusion
- Reference

Introduction
- Port
  - For a packet to reach its destination, it must have a destination IP address and a destination port.
  - TCP/IP allows 16-bit port numbers.
- Well-known port number: 0~1023
  - The Well Known Ports are controlled and assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
- Registered port number: 1024~65535
  - The Registered Ports are not controlled by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.
    ms-sql-s 1433/tcp Microsoft-SQL-Server
    ms-sql-s 1433/udp Microsoft-SQL-Server

netstat

datapipe
- A port redirection tool passes TCP/IP traffic received by the tool on one port to another port to which the tool points.
- Port redirection is protocol ignorant
- Neither a client nor a server

datapipe

protocol ignorant

FPipe
- By Foundstone
- Implements port redirection techniques natively in Windows
- Adds User Datagram Protocol (UDP) and outbound source port number support, which datapipe lacks

FPipe (cont.)

Case Study: Port Hopping
- Local Redirection
- Client Redirection
- Dual Redirection

Case Study: Port Hopping
- Local Redirection
    C:\>fpipe -l 22 -r 3389 localhost
    $./datapipe localhost

Case Study: Port Hopping (cont.)
- Client Redirection
  - IIS server running on port 7070
    C:\>fpipe.exe -l 80 -r
    C:\>spork localhost
  - “spork” is IIS exploit code written to run against port 80

Case Study: Port Hopping (cont.)
- Dual Redirection (diagram labels: A, B, C, D)
    C:\>fpipe -l 1433 -r 80
    $./datapipe

Case Study: Packet Filters, Ports, and Problems
- Basic packet filters allow or deny traffic based on IP addresses and port numbers.
  - Linux’s ipchains and Cisco routers
  - Source IP address
  - Source port
  - Destination IP address
  - Destination port
- Source-port problems
  - FTP data connection
  - DNS
- Use FPipe’s outbound source port option (-s)
    C:\>fpipe -l 3389 -r 3389 -s

Case Study: Packet Filters, Ports, and Problems (cont.)
- Blocking Port Redirection
  - Host security
    - command-line access
    - Patch, configure, verify
  - Ingress filters
    - “DENY ALL”
  - Egress filters
    - Web server

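Added example (not part of the original slides): a small model of a first-match, stateless packet filter, showing why a rule that allows traffic on source port alone (the FTP data and DNS cases above) also admits a connection to port 3389, and how a default-deny rule set closes it. The `Rule` class, the rule sets and the function names are constructed for illustration and are not ipchains or Cisco syntax; IP address fields are left out.

```python
# Added example: a toy first-match, stateless packet filter (constructed model,
# not ipchains or Cisco ACL syntax). IP address fields are omitted for brevity.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "any port"

@dataclass(frozen=True)
class Rule:
    action: str                 # "ALLOW" or "DENY"
    src_port: PortRange = None
    dst_port: PortRange = None

def _matches(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def decide(rules: List[Rule], src_port: int, dst_port: int, default: str = "DENY") -> str:
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if _matches(rule.src_port, src_port) and _matches(rule.dst_port, dst_port):
            return rule.action
    return default

def source_port_only_allows(rules: List[Rule]) -> List[Rule]:
    """Audit check: ALLOW rules keyed on source port with no destination constraint."""
    return [r for r in rules
            if r.action == "ALLOW" and r.src_port is not None and r.dst_port is None]

# Constructed rule sets. WEAK trusts "reply" traffic by source port alone.
WEAK = [
    Rule("ALLOW", dst_port=(80, 80)),    # public web server
    Rule("ALLOW", src_port=(20, 20)),    # FTP data connections
    Rule("ALLOW", src_port=(53, 53)),    # DNS
]
# HARDENED names the permitted service and lets default DENY handle the rest.
# Assumption: FTP data and DNS replies are admitted by stateful connection
# tracking, which this stateless model does not represent.
HARDENED = [
    Rule("ALLOW", dst_port=(80, 80)),
]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name,
              "src=20 dst=3389 ->", decide(rules, 20, 3389),
              "| src=40000 dst=3389 ->", decide(rules, 40000, 3389),
              "| flagged:", len(source_port_only_allows(rules)))
```
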
Conclusion
- Ports are used in the TCP to name the ends of logical connections.
- The port redirection tool is neither a client nor a server. It functions as a conduit for TCP/IP connections, not an end point.
- A firewall or router access control list should be defined in as much detail as possible.

Reference
- DATAPIPE: htdocs/datapipe.c
- Foundstone
- RFC 1700, ASSIGNED NUMBERS