Barry Irwin ZaCon 2009 http://www.zacon.org.za/Archives/2009/slides/

1. TCP SORCERY
A TALE OF UNINTENDED HAPPENINGS IN A HIDDEN W0RLD
Barry Irwin
Security and Networks Research Group
Department of Computer Science
Rhodes University

2. ABOUT ME

3. ABOUT ME
Head up the “Security & Network Research Group” within the Rhodes
University CS Department
Interested in:
Packet Wrangling
Passive Monitoring
Collaborative Defense
VizSec
Contacts:
b.irwin@ru.ac.za
@barryirwin

4. 365 DAYS LATER....
Conficker burst on the world...... 21/11/2008

5. HOW WE GOT HERE
Intro
Network Telescope Research
The quandry -- Active vs Passive Traffic
Whats the difference?
Why care?
The Protocols
ICMP is trivial
Well defined in specs
TCP is not too difficult
Brute force all combos
UDP is a pain
Needs protocol /L7 decodes

6. TCP FUNDAMENTAL
Hi, My name is TCP

7. TCP FUNDAMENTAL
Hi, My name is TCP

8. TCP State Tests
How do we Determine what is active vs passive traffic ?
Write an empirical test
Whats most important is how things respond to combos of the TCP flags.
RFC793 && Stevens don’t define all the actions
Six Flags
• URG
• ACK
• PSH
• RST
• SYN
• FIN

9. TCPFuzzing
Flags give us 26 Combinations == 64 options
Fuzzer iterates though these.
Tested against different targets
 Linux 2.6 Kernel
 FreeBSD 6.4/7.1
 Windows Server 2003 +patches
 Cisco Switch (IOS 12.x)
Both Open and closed ports tested
512 Responses Recorded using TCPdump
64 States * 4 targets * two ports (open/closed)

10. FUZZING RESULTS
What we Found…..
Of the 64 possible responses
Only 50% were of any interest (across the board)
RST flags are no fun – the generate no response
‘X-mas tree ’ packets garner no response either
Of the Remainder:
16 Combinations only produce RST packet
This is what we expect
Responses the same for Open and Closed ports
Some flag combos produced different reponses

11. SINGLE PACKET OS CHECK
So whats your Genus ?
We have shown it is possible to determine the Remote OS family using a
single packet probe
SYN,FIN
SYN, FIN, PSH
SYN, FIN, URG
SYN, FIN, URG,PSH
Give the same distinctive results for Open Ports:
Linux 2.6
6 [ SYN,ACK ] datagrams
FreeBSD
4 [ SYN,ACK ] datagrams
Windows 2003
3 [ SYN,ACK ] datagrams
Cisco IOS
[ SYN,ACK ] [RST] datagrams
Closed ports give [RST, ACK]

12. SINGLE PACKET OS CHECK
Unix Family Differentiation ?
Linux/FreeBSD can also be differentiated from other IP Stack
implementations using an Additional Single packet Probe
No Flags
FIN
URG
PSH
FIN, PSH, URG
Give the same distinctive results for Open Ports:
Open ports give nor response on FreeBSD/Lunux
Windows and IOS both reply with [RST, ACK]
Closed ports give [RST, ACK]

13. MAKING MISCHIEF
Seen any Tiny blue guys around ?
Using what have seen we can build a little amplification attack
Linux and some other target:
Attacker sends a TCP packet with a SYN,FIN variation to a linux target
Source Address is forged to be Victim
TARGET generated 6 datagrams back for every one received.
VICTIM receives 6 SYN,ACK packets
VICTIM responds with 6 RST packets
Values vary with FreeBSD (8x) and Windows (6x)
This is a VERY crude attack
Mostly useful for noisemaking
Not about to be the next Smurf(ette)

14. MAKING MISCHIEF
No way did I scan that host
What we have seen is that that certain Flag combinations can elicit and active
response form a target which in turn can activate yet another (although
passive) reponse.
Given access to a Network Choke point, switch, shared media etc
One can coerce a target into scanning a 3rd party with some level of success
Possible uses are:
Shifing blame
IDS evasion
Exploiting ‘allow friends’ Firewall rules

15. CONCLUSION
So What ?
NMAP has been fingerprinting for a while
Active, multi pkt probe
More Accurate, but noisy
Sideband/Reflective scanning can be of use:
Covert OPS
Reflectively scanning your own Network
Obfustication/Noise Generation
12x traffic multiplier
It’s a Packet Count smokescreen
Small probability of this able to be realised to a Bandwidth
consumption

16. QUESTIONS ?
Contacts:
b.irwin@ru.ac.za
@barryirwin