Fun with TCP Packets
DESCRIPTION
Andrew MacPherson, ZaCon 2009, http://www.zacon.org.za/Archives/2009/slides/
TRANSCRIPT
Slide 1
ZACON 2009
Andrew MacPherson
Slide 2
TCP/IP Packet Fun – ZAcon 2009
• 31337 h4><z0r
• Mastermind
• Evil Genius
• Hippy
• Coder
• Degree in Information Science
• Tech Support -> Webdev -> Paterva
• @Paterva:
  ○ Work on Maltego related stuff (local/server transforms)
  ○ Built the Mesh (Firefox plugin)
• Interesting because:
  ○ Old stuff
  ○ Still applicable
  ○ Not new – just scattered
• Portscanners: Scanrand, Unicorn
• DoS: Slowloris
Slide 3
• Scapy
  ○ Packet crafting tool
  ○ Sender
  ○ Listener
• TCP handshake
  ○ Syn/SynAck/Ack
• Portscan
  ○ We send a SYN
  ○ Filtered (no response)
  ○ Open (got back SynAck)
  ○ Closed (RST)
Slide 4
• We can send packets really fast
• A SYN TCP packet is ~54 bytes = 432 bits
• 4 Mbit/s (4194304 bits) can send 9.7K SYN packets per second (theory)
• We can monitor responses as per previous slide
• Means we can scan 65k ports in around 6s
• Packet loss – so we want to put in some delays
• RST packets getting in the way – firewall em!
Slide 5
Unicorn, like scanrand, etc.
Slide 6
• Traceroute
  ○ Sending out all TTLs at once (no wait)
  ○ Know when to stop?
  ○ Tracing to multiple hosts at once
  ○ Put the hopcount in the payload
• Why is it cool to traceroute to blocks?
  ○ See routing protocols (entire block is not all in the same place?)
  ○ Load balancing (3 times)
  ○ Geo location
Slide 7 (image only)
Slide 8 (image only)
Slide 9
• Single port
• Full connection – Ack the SynAck – complete the handshake
• Target has a stack full of connections, we have… nothing?
• Different from a SynFlood – can't spoof our IP address
• ~400 packets for Apache
• Welcome to DoS
Slide 10 (image only)
Slide 11
• Full connections get torn down
• Need to convince the stack we are still speaking to it! Drip, drip, drip.
• Use apps that run on protocols
  ○ SMTP (DATA segment of mail)
  ○ HTTP (POST – content length 99999?) – Slowloris
  ○ FTP (PUT)
  ○ Others?
• Anything that we can send data to
• Means we need to track seq + ack numbers
Slide 12 (image only)
Slide 13 (image only)
Slide 14
!!WARNING!! South African space
• Transparent proxies :O :O :O
• Firewalls in front of applications
  ○ Limit connections per client
  ○ Time per request
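The two controls on this slide, a per-client connection cap and a time budget per request, as an added defender-side example that is not code from the talk. The `Conn` record, the thresholds and the sample connections are constructed assumptions for illustration; a real front-end firewall would feed it from its own connection table.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client: str       # client IP (constructed sample values below)
    opened_at: float  # epoch seconds when the handshake completed
    bytes_in: int     # application bytes received so far
    complete: bool    # True once a full request has arrived


def flag_slow_drip(conns, now, max_per_client=20, max_request_secs=30.0,
                   min_bytes_per_sec=50.0):
    """Return {client: reason} for clients the firewall should throttle.

    Rule 1 is 'limit connections per client'; rule 2 is 'time per request':
    an incomplete request older than max_request_secs whose average byte
    rate is below min_bytes_per_sec is the drip, drip, drip pattern.
    Thresholds are illustrative assumptions, not values from the talk.
    """
    per_client = defaultdict(list)
    for c in conns:
        per_client[c.client].append(c)

    flagged = {}
    for client, cs in per_client.items():
        if len(cs) > max_per_client:
            flagged[client] = f"too many connections ({len(cs)})"
            continue
        for c in cs:
            age = now - c.opened_at
            if c.complete or age <= max_request_secs:
                continue  # finished, or still inside its time budget
            rate = c.bytes_in / age
            if rate < min_bytes_per_sec:
                flagged[client] = f"incomplete request open {age:.0f}s at {rate:.1f} B/s"
                break
    return flagged


# Constructed sample: one normal client, one dripper, one connection hog.
SAMPLE = ([Conn("10.0.0.5", 990.0, 4096, True)]
          + [Conn("10.0.0.9", 800.0 + i, 120, False) for i in range(5)]
          + [Conn("10.0.0.7", 990.0 + i * 0.1, 0, False) for i in range(25)])

if __name__ == "__main__":
    for client, why in flag_slow_drip(SAMPLE, now=1000.0).items():
        print(client, "->", why)
```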
Slide 15
• Tech is NOT new, it's scattered but still applicable
• Why is there not more of this going on?
  ○ Botnets
  ○ Online protests
  ○ Competition
• Go further: packets = network = what others see, smokescreen networks?