Presentation is loading. Please wait.

Presentation is loading. Please wait.

TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom.

Published byConnor Bowerman Modified over 9 years ago

Similar presentations

Presentation on theme: "TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom."— Presentation transcript:

1 TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom

2 Agenda Background on TCP ip handshakes Background on traditional scanning ID numbers and their prediction Spoofed scanning in theory and practice. The code and examples Demo Q/A

3 Background on TCP handshakes Definitions Tcp header Traditional 3 way handshake

4 Definitions An open connection between two computers communicating by TCP/IP is called a socket and is defined by: Source IP number Source Port number Destination IP number Destination Port number Initial source SEQ number Initial destination SEQ number AN ID # that is increased for each packet 2.6.1.1

5 TCP packet header 16-bit source port number16-bit destination port number 32-bit sequence number 32-bit acknowledgement number lengthunusedflags16-bit window size 16-bit TCP checksum16-bit urgent offset Options (if any) Data (if any)

6 Traditional TCP/IP handshake targetattacker syn Src ip,Dst ip Src prt, Dst Prt Syn = in seq# Ack = NULL Flags = S Src ID = src ID + 1

7 Traditional TCP/IP handshake targetattacker syn Src ip,Dst ip Src prt, Dst Prt Syn = src seq# Ack = NULL Flags = S Syn / Ack Src ip,Dst ip Src prt, Dst Prt Syn = Dst seq# Ack = src seq# +1 Flags = Dst ID = Dst ID + 1

8 Traditional TCP/IP handshake targetattacker syn Src ip,Dst ip Src prt, Dst Prt Syn = src seq# Ack = dst seq# +1 Flags = A Src ID = src ID + 1 Syn / Ack Ack

9 Establishing a socket AB SYN (seq a ) SYN/ACK (seq b /ack= seq a +1) ACK (ack= seq b +1)

10 Traditional port scanning

11 targetattacker syn Syn / Ack Ack

12 targetattacker syn Syn / Ack Traditional stealth scanning 1

13 Traditional stealth scanning 2 targetattacker syn Syn / Ack Rst

14 Sequence numbers Are in place to provide easy packet reassembly. Increments each time a packet is sent. Various incrementation schemes exist

15 ID flag  Are in place to identify each tcp session  Is also in some cases used for packet reassembly  The id counter is increased every time a packet is sent  This is valid far all packets including reset packets

16 ID flag prediction  Most unix boxes increments the ID flag by a random or seudo random number.  Up till today id numbers has not been known to bee security critical.  Windows 95 boxes tend to increment id# by 1  Windows 2000 boxes seems to increment id# by 254  This due to reversed byte ordering of the id# in theese operating systems.

17 Spoofed scanning in theory By constantly polling a decoy host for id number increments we can se If the scanned target host has sent it syn/ack or reset packets. By analyzing this we will know whether a port on the scanned host is open or not This is done totally blind from the scanned host.

18 Spoofed scanning in theory Since we know a win box will increase the id# by sending a packet we can by constantly probing the host se how many packets it has sent between our polls This is done my monitoring the ID# increment

19 Spoofed scanning in theory If a port is open on a scanned host the server will respond with a syn/ack If a port is closed on the scanned host it will respond with a rst

20 Spoofed scanning in theory If a host receives a syn ack from a unknown source it will send a rst packet back If a host receives a rst packet from a unknown source it will NOT send a packet back

21 Spooed scanning in practice Or how it all fits together

22 Introducing our players targetattacker Spoof host 10.0.0.1192.0.0.1 172.0.0.1

23 Why do we need three of them targetattacker Spoof host www.anycompany.com:80 unknowing.com 3vil.org

24 Phase one (sync the id# of spoof) targetattacker Spoof host www.anycompany.com:80 unknowing.com 3vil.org Syn:80

25 Phase one (sync the id# of spoof) targetattacker Spoof host www.anycompany.com:80 unknowing.com 3vil.org Syn/ack

26 Why did we do that  Attacker now knows the spoofs initial ID#

27 Phase2 (spoofing the source) targetattacker Spoof host 10.0.0.1192.0.0.1 172.0.0.1 Syn src = 172.0.0.1 Dst = 192.0.0.1

28 Phase 3 (fooling the respons) targetattacker Spoof host 10.0.0.1192.0.0.1 172.0.0.1 Syn/Ack src = 192.0.0.1 Dst = 172.0.0.1

29 Phase 3 (fooling the respons) targetattacker Spoof host 10.0.0.1192.0.0.1 172.0.0.1 Rst src == 172.0.0.1 Dst = 192.0.0.1

30 Phase 4 (probing the spoof host) targetattacker Spoof host 10.0.0.1192.0.0.1 172.0.0.1 Syn:80

31 Phase 4 (probing the spoof host) targetattacker Spoof host 10.0.0.1192.0.0.1 172.0.0.1 Syn:80 Syn/ack

32 Case port open Adding the ID counters

33 Phase one (sync the id# of spoof) targetattacker unknowing.com 3vil.org Syn:80 Spoof host ID =0 172.0.0.1

34 Phase one (sync the id# of spoof) targetattacker unknowing.com 3vil.org Syn/ack Spoof host ID =1 172.0.0.1

35 Phase2 (spoofing the source) targetattacker Spoof host ID =1 10.0.0.1192.0.0.1 172.0.0.1 Syn src = 172.0.0.1 Dst = 192.0.0.1

36 Phase 3 (fooling the respons) targetattacker 10.0.0.1192.0.0.1 Syn/Ack src = 192.0.0.1 Dst = 172.0.0.1 Spoof host ID =1 172.0.0.1

37 Phase 3 (fooling the respons) targetattacker 10.0.0.1192.0.0.1 Rst src == 172.0.0.1 Dst = 192.0.0.1 Spoof host ID =2 172.0.0.1

38 Phase 4 (probing the spoof host) targetattacker 10.0.0.1192.0.0.1 Syn:80 Spoof host ID =2 172.0.0.1

39 Phase 4 (probing the spoof host) targetattacker 10.0.0.1192.0.0.1 Syn:80 Syn/ack Spoof host ID =3 172.0.0.1

40 Case port closed Adding the ID counters

41 Phase one (sync the id# of spoof) targetattacker unknowing.com 3vil.org Syn:80 Spoof host ID =0 172.0.0.1

42 Phase one (sync the id# of spoof) targetattacker unknowing.com 3vil.org Syn/ack Spoof host ID =1 172.0.0.1

43 Phase2 (spoofing the source) targetattacker Spoof host ID =1 10.0.0.1192.0.0.1 172.0.0.1 Syn src = 172.0.0.1 Dst = 192.0.0.1

44 Phase 3 (fooling the respons) targetattacker 10.0.0.1192.0.0.1 Rst src = 192.0.0.1 Dst = 172.0.0.1 Spoof host ID =1 172.0.0.1

45 Phase 4 (probing the spoof host) targetattacker 10.0.0.1192.0.0.1 Syn:80 Spoof host ID =1 172.0.0.1

46 Phase 4 (probing the spoof host) targetattacker 10.0.0.1192.0.0.1 Syn:80 Syn/ack Spoof host ID =2 172.0.0.1

47 Summary By constantly polling a decoy host for id number increments we can se If the scanned target host has sent it syn/ack or reset packets. By analysing this we will know whether a port on the scanned host is open or not This is done totally blind from the scanned host.

48 The basic technique and its flaws If the poll host is active it will increase the id# for each connection. This will result in false possitives. Theese false positives can be minimized by sending multiple packets for each port. Then calculating the increase The port will only show up true if the increase is > (#packets_sent*255)/2

49 Phase2 (spoofing the source) targetattacker Spoof host ID =1 10.0.0.1192.0.0.1 172.0.0.1 (Syn src = 172.0.0.1 Dst = 192.0.0.1) * 20

50 Phase 3 (fooling the respons) targetattacker 10.0.0.1192.0.0.1 Syn /Ack src = 192.0.0.1 Dst = 172.0.0.1 Spoof host ID=1+20 172.0.0.1

51

Download ppt "TRUE Blind ip spoofed portscanning Thomas Olofsson C.T.O Defcom."

Similar presentations

TCP/IP Christopher Zacky. lolwut Decimal Numbers.

TCP/IP Christopher Zacky. lolwut Decimal Numbers.
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
CCNA – Network Fundamentals

CCNA – Network Fundamentals
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.

CIS 193A – Lesson13 Attack and Defense. CIS 193A – Lesson13 Focus Question Describe how Nmap, psad, and iptables work together for playing out attack.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Configuring a Router with RIP Basic Configuration and Show Commands.

Configuring a Router with RIP Basic Configuration and Show Commands.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.

Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.

TCP segment structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr.
EEC-484/584 Computer Networks Lecture 15 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 15 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
source router Destination IP packet IP packet fragments Reassembly Required Fragments Created.

source router Destination IP packet IP packet fragments Reassembly Required Fragments Created.

Similar presentations

Ads by Google