Port Scanning 0x470~0x480 Presenter SangDuk Seo 1.


1 Port Scanning 0x470~0x480. Presenter: SangDuk Seo

2 Motivation

3 What is a Port? 192.168.11.12/24: the network address is like a ZIP code, the host address is like an office address.

4 Motivation: a port is like a window of that office. 192.168.11.12:80 (on the /24 network). Finding out which windows are open is port scanning.

5 What is Port Scanning? A way of figuring out which ports are listening and accepting connections. Port scanning can find vulnerabilities in a server. NMAP is the most popular open-source port-scanning tool.
nmap [-main option] [-sub option]
[main option]
sT – full connection scan
sS – SYN (half-open) scan
sA – ACK scan
sI – idle scan
D – decoy scan
sU – UDP scan
sN – NULL scan
sX – Xmas scan
sF – FIN scan
d – show detail (debugging output)
[sub option]
sV – identify the application on the port
O – identify the OS
oA – save the result
p – select target ports
[result]
Open
Filtered – cannot access the port (firewall)
Closed

6 Full Connection Scanning: trying to open TCP connections to every possible port on the target system. Effective, but noisy and detectable. [Diagram: attacker/victim packet exchange for an open port and for a closed port on the target]

7 Full Connection Scanning: nmap -sT 192.168.42.72

8 Stealth SYN Scan (half-open scan): it doesn't actually open a full TCP connection. An RST packet is sent to tear down the connection, to prevent the service from accidentally being DoSed. [Diagram: attacker/victim packet exchange, with an RST, for an open port and for a closed port on the target]

9 Stealth SYN Scan: nmap -sS

10 FIN, X-mas, NULL Scan: these all involve sending a nonsensical packet to every port on the target system. If the port is closed and the implementation follows the protocol (RFC 793), an RST packet will be sent; if the port is open, nothing comes back. [Diagram: attacker/victim packet exchange for an open port (no reply) and for a closed port (RST) on the target]

11 FIN, X-mas, NULL Scan: nmap -sF, nmap -sX, nmap -sN. Failed.

12 FIN, X-mas, NULL Scan with the -d option added: failed.
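The three probe types above (plus bare SYNs) are easy to recognise on the receiving side from their TCP flag bits alone, which is how a host or IDS can notice them even when the kernel never answers. The following detector is an added example, not code from the slides; it classifies constructed packet records (not real capture data) by flag pattern and reports sources that hit many distinct ports with the same probe type. The record fields and the threshold are assumptions of this example.

```python
# Added example (not from the slides): classify TCP probes by flag pattern and
# report sources that sweep many ports with the same probe. The packet records
# below are constructed for the example, not taken from a real capture.
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag patterns the slides describe: -sN (no flags), -sF (FIN only),
# -sX (FIN+PSH+URG "Xmas"), and -sS / -sT (a bare SYN opening a handshake).
PROBE_PATTERNS = {
    0: "NULL",
    FIN: "FIN",
    FIN | PSH | URG: "XMAS",
    SYN: "SYN",
}

def classify_probe(flags):
    """Return the scan type a packet's TCP flags suggest, or None for ordinary traffic."""
    return PROBE_PATTERNS.get(flags)

def detect_scans(packets, port_threshold=10):
    """Group probes by (source, probe type); keep groups touching >= port_threshold distinct ports.

    A single SYN is normal traffic, so the distinct-port threshold is what
    separates a sweep from a client that simply connects to one service.
    """
    touched = defaultdict(set)
    for pkt in packets:
        probe = classify_probe(pkt["flags"])
        if probe is None:
            continue
        touched[(pkt["src"], probe)].add(pkt["dport"])
    return {key: sorted(ports) for key, ports in touched.items()
            if len(ports) >= port_threshold}

# Constructed sample: one Xmas sweep, one SYN sweep, and a normal client
# that opens many connections to port 80 only (must not be reported).
SAMPLE_PACKETS = (
    [{"src": "10.0.0.5", "dport": p, "flags": FIN | PSH | URG} for p in range(1, 21)]
    + [{"src": "10.0.0.9", "dport": p, "flags": SYN} for p in range(20, 35)]
    + [{"src": "10.0.0.7", "dport": 80, "flags": SYN} for _ in range(30)]
    + [{"src": "10.0.0.7", "dport": 80, "flags": ACK} for _ in range(30)]
)

if __name__ == "__main__":
    for (src, probe), ports in sorted(detect_scans(SAMPLE_PACKETS).items()):
        print(f"{src}: {probe} scan against {len(ports)} ports ({ports[0]}-{ports[-1]})")
```

Because the classification looks only at the inbound flags, it still fires on a target whose kernel has been modified to send no RST, and on systems that do not follow RFC 793 for FIN/NULL/Xmas probes.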

13 Spoofing Decoys: spoofs connections from various decoy IP addresses in between each real port-scanning connection. Spoofed decoy addresses must use real IP addresses of live hosts; otherwise the target may be accidentally SYN flooded.

14 Spoofing Decoys: nmap -D

15 Idle Scanning: scan a target using spoofed packets from an idle host, by observing changes in the idle host. You need a usable idle host that is not sending or receiving any other network traffic, with a TCP implementation that produces predictable IP IDs that change by a known increment with each packet. IP IDs are meant to be unique per packet per session, and they are commonly incremented by 1 or 254 (depending on byte ordering) on Windows 95 and 2000. Recent Linux kernels, OpenBSD, and Windows Vista randomize the IP ID, so it doesn't work now.

16 Idle Scanning:
1. Get the current IP ID.
2. Identify the increment of the IP ID.
3. Send a spoofed SYN packet with the idle host's IP address to a port on the target machine; ID = ID + 1.
If the idle host isn't truly idle, the results will be skewed.

17 Idle Scanning: nmap -sI

18 Proactive Defense (Shroud) – Close Port: close the ports we don't use. fuser -n tcp [port], kill -9 [pid]; iptables -A INPUT -p udp --dport 1234 -j DROP

19 Proactive Defense (Shroud) – NO RST: FIN, NULL, and X-mas scans can be prevented by a simple kernel modification. If the kernel never sends reset packets, these scans will turn up nothing: insert an early return; in the kernel's reset-sending code. You have to recompile the kernel.

20 Proactive Defense (Shroud) – NO RST. [Diagram: attacker/victim packet exchange; with no RST, both an open and a closed port on the target return nothing]

21 Proactive Defense (Shroud)

22 Proactive Defense (Shroud) – Full & Half Scan: make a sea of false positives, so the attacker can't tell which port is really open. The source pretends to the destination, the destination returns to the source; pretend all ports are OPEN.

23 Proactive Defense (Shroud) – Full & Half Scan: make a sea of false positives.

24 Proactive Defense (Shroud): sometimes it did not work. http://www.certcc.or.kr/tools/Psionic_Portsentry.html

25 Reach Out and Hack Someone: there is no code to limit the length. Ref) http://maj3sty.tistory.com/1026

26 Analysis with GDB: compile with the -g option to debug. Run tinyweb and find its PID, then use GDB to attach to the process after it's already running.

27 Why do it like that? Tinyweb requires root privileges, so the debugger must be run as root (an application using ports 1~1024 requires root privileges). Using sudo or running with root's environment will change the stack, so the addresses seen in the debugger's run of the binary won't match the addresses when it's running normally. sudo gdb ./tinyweb; grep the PID.

28 Analysis with GDB: set a breakpoint. We know this function has the vulnerability.

29 Analysis with GDB: at the breakpoint. We will insert the shellcode there; let's find the return address.

30 Analysis with GDB: Return = 0xbfff7b4 + 8 = 0xbfff7bc (last digit 4 + 8 = c). The request's buffer space = 540 bytes, +200 to avoid the buffer start point. 0xbffff668 is the return address.

31 Almost Only Counts with Hand Grenades: change RetADDR. vim ./tinyweb_exploit.c

32 Almost Only Counts with Hand Grenades. Attacker's terminal: NOP sled, shellcode. Victim's terminal: we aren't at the console, so this won't do us any good!

33 Port-Binding Shellcode: count the words, cut the addresses, add "\x" and delete the null spaces. Shellcode for binding port 31337.

34 Port-Binding Shellcode: works like the cat program, but over the network.

35 Port-Binding Shellcode: count the words; NOP sled; rest / return address size.

36 Port-Binding Shellcode

37 QnA


