SAK 5514 Examining Embedded Protocol Header Fields


Introduction: TCPdump and TCP

What is TCPdump?

• Practical analysis tool to analyze network traffic data

• A UNIX tool used to gather data from the network, decipher the bits, and display the output in a semi-coherent fashion.

TCPdump and TCP, cont…

What is TCP (Transmission Control Protocol)?

• One of the core protocols of the Internet protocol suite.

• A set of rules (protocols) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet.

• Oversees the exchange of data and knows when there is a possible problem.

TCP Header

IP header (20 bytes) | TCP header (20 bytes) | TCP data

 0                    15 16                   31
+----------------------+----------------------+
| Source Port Number   | Destination Port No. |
+----------------------+----------------------+
|         Sequence number (32 bits)           |
+---------------------------------------------+
|      Acknowledgement number (32 bits)       |
+------+--------+------+----------------------+
|header|   0    |Flags |     window size      |
|length|        |      |                      |
+------+--------+------+----------------------+
|     TCP checksum     |    urgent pointer    |
+----------------------+----------------------+
|              Options (if any)               |
+---------------------------------------------+
|                    DATA                     |
+---------------------------------------------+

The TCP header is 20 bytes without options.

Ports

TCP Header Fields: port numbers are generally allocated by range:

• 0 -- not used

• 1-255 -- reserved ports for well-known services

• 256-1023 -- other reserved ports

• 1024-65535 -- user-defined server ports

Ports cont…

• TCP header fields in detail:

– Source, destination port (16, 16 bits) - identify the applications at the ends of the connection

– Sequence (32) - indicates the 1st data octet in this segment

– Acknowledgment (32) - the next expected sequence number; valid only when the ACK bit (in the flags) is set

– Data offset (4) - offset in 32-bit words; tells the receiver where user data begins

– Reserved (6) - not used

– Window (16) - advertises the amount of buffer space this node has allocated

– Checksum (16) - 16-bit 1's complement of pseudo-header, TCP header and data

– Urgent pointer (16) - byte position of data that should be processed first

– Options - variable-length options, e.g. MSS (max segment size) tells the destination node

What does a line convey?

01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816

• 01:46:28.808262 - timestamp

• IP - this is an IP packet

• danjo.CS.Berkeley.EDU.ssh - source host name and source port number (22)

• adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 - destination host name and destination port number

• . 2513546054:2513547434(1380) ack 1268355216 win 12816 - TCP-specific information

TCP Checksum

• Covers the embedded header and its data for TCP, UDP and ICMP.

• These are end-to-end checksums calculated by the source host.

• TCP has been chosen here to represent the embedded protocol checksums.

Pseudo-header

Figure: TCP checksum pseudo-header fields.

Why is the pseudo-header necessary???

• To validate IP, i.e. to check that IP has

– not accidentally accepted a datagram destined for another host

– not accidentally tried to give TCP a datagram that is for another protocol

– some fields from the IP header are included in the pseudo-header checksum computation to help protect against errant corruption that occurs in transit.

Figure: Pseudo-header checksum protection.

How does it work???

(Pseudo-header checksum protection – flow chart, using TCP as the embedded protocol)

• Host: sends a packet with destination IP 1.2.3.4, which is used in the TCP checksum computation.

• Router: the IP layer somehow corrupts the destination IP to 1.2.3.5. The IP checksum is valid, so the packet continues on its way.

• Wrong destination: the packet arrives at IP 1.2.3.5 (assume such a host exists). Its IP layer validates the IP checksum, which passes.

• Transport layer: TCP uses the pseudo-header fields in the checksum validation. Computing with IP 1.2.3.5 as the destination does not match the packet's actual TCP checksum, which was computed with IP 1.2.3.4 as the destination IP in the pseudo-header.

• Packet discarded. Discard reason: the embedded protocol checksum does not match the checksum computed by the destination host.
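The flow chart above, as an added example in Python (not code from the slides): the checksum arithmetic, the 12-byte pseudo-header, and what the IP and TCP layers at the wrong host each conclude. The addresses, ports and payload are constructed. It assumes the router rewrote the destination before computing the outgoing IP header checksum (routers recompute it at every hop because the TTL changes), which is why the IP-layer check still passes while the TCP check fails.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum shared by the IP, TCP, UDP and ICMP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """Pseudo-header fields: source IP, destination IP, zero byte, protocol, TCP length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, proto, length)


def build_ip_header(src_ip: str, dst_ip: str, payload_len: int) -> bytes:
    """20-byte IPv4 header (protocol 6 = TCP) with its own header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                      payload: bytes) -> bytes:
    """TCP header (no options) + payload; the checksum covers pseudo-header + header + data."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, 6, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_checksum_valid(ip_header: bytes) -> bool:
    """IP layer check: summing a header that includes its checksum must give 0xFFFF."""
    return ones_complement_sum(ip_header) == 0xFFFF


def tcp_checksum_valid(ip_header: bytes, segment: bytes) -> bool:
    """Transport layer check: the receiver rebuilds the pseudo-header from the IP
    header it actually received, so a corrupted destination address is caught here."""
    src = socket.inet_ntoa(ip_header[12:16])
    dst = socket.inet_ntoa(ip_header[16:20])
    return ones_complement_sum(pseudo_header(src, dst, 6, len(segment)) + segment) == 0xFFFF


def receiver_checks(delivered_dst: str) -> tuple:
    """The host builds a segment for 1.2.3.4 (constructed addresses); the IP header
    that arrives carries `delivered_dst`. Returns (ip_valid, tcp_valid)."""
    seg = build_tcp_segment("10.0.0.1", "1.2.3.4", 2481, 22, 1000, 2000, 0x10, 12816, b"hello")
    ip_hdr = build_ip_header("10.0.0.1", delivered_dst, len(seg))  # router's (re)computed header
    return ip_checksum_valid(ip_hdr), tcp_checksum_valid(ip_hdr, seg)


if __name__ == "__main__":
    print("intact packet:   ip_ok, tcp_ok =", receiver_checks("1.2.3.4"))
    print("corrupted dest:  ip_ok, tcp_ok =", receiver_checks("1.2.3.5"))
```

The intact packet passes both checks; the packet whose destination was rewritten to 1.2.3.5 still has a valid IP header checksum but fails the TCP checksum, which is exactly why the pseudo-header includes the IP addresses.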

TCP Sequence Numbers

• A mechanism to account for data being sent and received

• Used to uniquely identify the beginning byte of each TCP segment that is sent

• To keep track of all the TCP data that is sent and received in a TCP stream

Type: Initial sequence number (ISN)

Functions: Synchronize sequence numbers (SYN)

Condition: Should not be repeated unless there is a retry of the same connection.

Important components: Nmap

Synchronize sequence numbers (SYN)

Acknowledgement Numbers

• The method TCP uses to ensure that data is received.

• Acknowledgement flag and acknowledgement number = validation that the receiving host did indeed get the data.

• Acknowledgement number = the next expected TCP sequence number it should receive; it must be greater than 0.
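An added example (not from the slides) tying the tcpdump line from the "What does a line convey?" slide to the sequence and acknowledgement rules above: it parses old-style tcpdump TCP lines and walks a short exchange, checking that each `seq:end(len)` range is self-consistent and that every ACK equals the next byte the peer is due to send (a SYN consumes one sequence number, data consumes `len` bytes). The handshake lines with the hostnames `client` and `server` are constructed; the data line is the slide's own.

```python
import re

# The slide's own tcpdump line ("." = no flags in the old tcpdump notation)
PAGE_LINE = ("01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > "
             "adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . "
             "2513546054:2513547434(1380) ack 1268355216 win 12816")

# Constructed lines: the handshake that the slide's data segment would follow.
HANDSHAKE_AND_DATA = [
    "01:46:28.800000 IP client.2481 > server.ssh: S 1268355215:1268355215(0) win 65535",
    "01:46:28.801000 IP server.ssh > client.2481: S 2513546053:2513546053(0) ack 1268355216 win 12816",
    "01:46:28.802000 IP client.2481 > server.ssh: . ack 2513546054 win 65535",
    "01:46:28.808262 IP server.ssh > client.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816",
    "01:46:28.810000 IP client.2481 > server.ssh: . ack 2513547434 win 65535",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s:]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"(?P<flags>[.SPFRUWE]+)"                       # ".", S, P, F, R, U, W, E
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"  # first:last(bytes), absent on pure ACKs
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)


def parse_tcpdump_line(line: str) -> dict:
    """Split one tcpdump TCP line into timestamp, endpoints, flags and TCP numbers."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    rec = m.groupdict()
    for key in ("seq", "end", "len", "ack", "win"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def follow_stream(lines) -> list:
    """Check every ACK against what the peer has sent so far.  Returns the problems found."""
    next_seq = {}          # (host, port) -> sequence number the peer should ack next
    problems = []
    for line in lines:
        rec = parse_tcpdump_line(line)
        me = (rec["src"], rec["sport"])
        peer = (rec["dst"], rec["dport"])
        if rec["seq"] is not None:
            if rec["end"] - rec["seq"] != rec["len"]:
                problems.append("%s: range %d:%d does not hold %d bytes"
                                % (line, rec["seq"], rec["end"], rec["len"]))
            # SYN and FIN each occupy one sequence number even though they carry no data
            consumed = rec["len"] + ("S" in rec["flags"]) + ("F" in rec["flags"])
            next_seq[me] = rec["seq"] + consumed
        if rec["ack"] is not None and peer in next_seq and rec["ack"] != next_seq[peer]:
            problems.append("%s: acks %d but peer's next byte is %d"
                            % (line, rec["ack"], next_seq[peer]))
    return problems


if __name__ == "__main__":
    rec = parse_tcpdump_line(PAGE_LINE)
    print("segment carries bytes %d..%d, receiver should ack %d" % (rec["seq"], rec["end"] - 1, rec["end"]))
    print("problems in exchange:", follow_stream(HANDSHAKE_AND_DATA) or "none")
```

For the slide's line the parser reports that the segment carries 1380 bytes starting at 2513546054, so a correct acknowledgement from the far end is 2513547434; an ACK with any other value shows up in the `follow_stream` problem list.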

TCP Flags

• Indicate the function of a given TCP connection or session.

• Different valid combinations.

• Different OSes and TCP/IP stacks respond differently to mutant flag settings.

• Eg: SYN, FIN, RST, ACK, PUSH, URG flags.

TCP Corruption

• It is not necessarily an indication of malicious behavior.

• Packets can get corrupted; it is possible for TCP flags to be unnaturally set after some kind of corruption in the TCP portion of the packet.

• One way to verify packet corruption is to manually compute the checksum of the received packet on the sensor.

• Eg: the specified TCP header length is greater than the actual TCP segment length.
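An added example (not from the slides) of the kind of sanity check a sensor applies to a received TCP segment before trusting its flags: it decodes the 20-byte header, compares the data offset with the number of bytes actually received (the slide's example of a header length larger than the segment), and reports flag combinations that no legitimate stack emits. The segments fed to it are constructed with a small helper, `make_segment`, which is not a real tool.

```python
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def make_segment(flags: int, data_offset: int = 5, ack: int = 1, urgent: int = 0,
                 payload: bytes = b"") -> bytes:
    """Constructed TCP header (+ payload): ports, sequence and window are fixed dummies."""
    hdr = struct.pack("!HHIIBBHHH", 2481, 22, 1000, ack, data_offset << 4, flags, 12816, 0, urgent)
    return hdr + payload


def flag_names(flags: int) -> set:
    return {name for name, bit in FLAG_BITS.items() if flags & bit}


def check_tcp_segment(segment: bytes) -> list:
    """Return the reasons a sensor should distrust this segment (empty list = looks sane)."""
    if len(segment) < 20:
        return ["segment shorter than the 20-byte minimum TCP header"]
    _, _, _, ack, off_res, flags, _, _, urgent = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4          # data offset is in 32-bit words
    names = flag_names(flags)
    findings = []
    if header_len < 20:
        findings.append("data offset gives a %d-byte header, below the 20-byte minimum" % header_len)
    if header_len > len(segment):
        findings.append("data offset claims a %d-byte header but only %d bytes were received"
                        % (header_len, len(segment)))
    if not names:
        findings.append("no flags set")
    if {"SYN", "FIN"} <= names:
        findings.append("SYN and FIN set together")
    if {"SYN", "RST"} <= names:
        findings.append("SYN and RST set together")
    if not names & {"SYN", "RST", "ACK"}:
        findings.append("neither SYN, RST nor ACK set")
    if "ACK" in names and ack == 0:
        findings.append("ACK set but acknowledgement number is 0")
    if "URG" not in names and urgent != 0:
        findings.append("urgent pointer set without URG")
    return findings


if __name__ == "__main__":
    samples = {
        "normal data segment": make_segment(FLAG_BITS["ACK"] | FLAG_BITS["PSH"], payload=b"data"),
        "SYN+FIN":             make_segment(FLAG_BITS["SYN"] | FLAG_BITS["FIN"], ack=0),
        "header longer than segment": make_segment(FLAG_BITS["ACK"], data_offset=15),
        "null segment":        make_segment(0),
    }
    for label, seg in samples.items():
        print("%-28s %s" % (label, check_tcp_segment(seg) or "ok"))
```

A finding from this check is a reason to recompute the checksum, as the slide suggests, before deciding whether the oddity is line corruption or a crafted probe: corrupted segments usually fail the checksum, crafted ones usually pass it.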

ECN Flag Bits

• Explicit Congestion Notification flags.

• Different OSes and TCP stacks respond uniquely when these bits are set.

• The two high-order bits of the TCP flags byte were formerly known as the reserved bits.

ECN Flag Bits (Cont’)

• Eg: if TCP sets the ECN-echo bit (high-order bit), the sender should reduce the rate at which it is sending data.

Operating System Fingerprinting

• Remote OS scans

• Eg: Windows 98, Sparky, Linux.

• The technique of sending a mutant flag combination to a Windows port.

• A Windows host listening on this port responds with an acknowledgement.

• It is difficult to distinguish between malicious code and a TCP stack problem.

Why Retransmissions?

• The destination host does not respond because it might not exist.

• The destination host might be sitting behind some kind of packet-filtering device that blocks the connection inbound and silently drops it without informing the sending host.

• A router attempts to deliver an ICMP message about the destination host being unreachable.

Retransmit a lost segment

Using Retransmissions Against a Hostile Host — LaBrea Tarpit Version 1

LaBrea the Tar pit

• Written by Tom Liston originally to “slow down worms”

• A program that creates a tarpit or, as some have called it, a “sticky honeypot”

• LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts.

• The program answers connection attempts in such a way that the machine at the other end gets "stuck", sometimes for a very long time.

How does it work???

ARP request for unassigned IP 192.168.143.236

18:34:32.757821 arp who-has 192.168.143.236 tell 192.168.143.1

18:34:35.743528 arp who-has 192.168.143.236 tell 192.168.143.1

After 3 seconds and no ARP reply, LaBrea host fakes reply

18:34:35.743591 arp reply 192.168.143.236 (0:0:f:ff:ff:ff) is-at 0:0:f:ff:ff:ff

• Watches for ARP packets with no replies

• Impersonates unused IP addresses by sending forged ARP replies

• Responds to ICMP ping requests

• Responds to TCP SYN packets with SYN+ACK and a ‘custom’ window size

• Responds to TCP SYN+ACK with RST

TCP WINDOW SIZE

• The TCP window size is the method employed by a receiving host to inform the sending host of the current buffer size for data sent for that connection.

• This is a flow control mechanism because it is dynamic.

• The window size becomes smaller for all data that has been received, but not yet processed by the receiving host

• If the receiving buffer ever becomes full, the window size becomes 0.

• After the receiving host has processed some of the data in the buffer, it sends a window size update to the sending host to inform it to resume sending data.

• Flow of control for TCP sessions is mostly done by the receiving host by use of the window size.

• Initial window sizes are used by nmap to determine the operating system.

• Different TCP/IP stacks select different initial window sizes, which is used to help fingerprint the operating system.

LA BREA VERSION 2

• The new version of LaBrea uses the persist timer to tarpit the attacker for an indefinite amount of time

• It works exactly like the previous version of LaBrea up through the three-way handshake.

• LaBrea reacts to the sender's data with an acknowledgement, but with a window size of 0.

• It doesn't increase the window size via a window update, forcing the scanner to send a window probe.

• The LaBrea host responds to the window probe, but again advertises the window size as 0.

• This pattern of window probe and a response of a window size of 0 continues indefinitely.

• This tarpits the attacker into a persistent connection with the LaBrea host if there is no intervention.
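An added example (not LaBrea's code, and not from the slides) that models the window mechanism from the TCP WINDOW SIZE slide and the LaBrea version 2 behaviour just described: a sender that never exceeds the advertised window and falls back to persist-timer window probes on a zero window, a normal receiver whose window reopens as its application reads, and a tarpit receiver that acknowledges everything with window 0. Buffer sizes, the MSS and the probe limit are constructed values; `max_probes` exists only so the tarpit case terminates, since a real stack keeps probing.

```python
class Receiver:
    """A normal TCP receiver: the window it advertises is the free space in its buffer."""

    def __init__(self, buffer_size: int, read_rate: int):
        self.buffer_size = buffer_size
        self.read_rate = read_rate      # bytes the application drains between window probes
        self.buffered = 0

    def window(self) -> int:
        return self.buffer_size - self.buffered

    def on_data(self, nbytes: int) -> int:
        """Data arrives and is buffered; the ACK advertises the space that is left."""
        self.buffered += nbytes
        return self.window()

    def on_probe(self) -> int:
        """A window probe arrives; the application has read some data meanwhile,
        so the reply (a window update) reopens the window."""
        self.buffered = max(0, self.buffered - self.read_rate)
        return self.window()


class Tarpit:
    """LaBrea version 2 as the slide describes it: a custom window in the SYN+ACK,
    then every data segment and every window probe is answered with window 0."""

    def __init__(self, initial_window: int):
        self.initial_window = initial_window
        self.probes_answered = 0

    def window(self) -> int:
        return self.initial_window

    def on_data(self, nbytes: int) -> int:
        return 0                        # ack the data, advertise nothing

    def on_probe(self) -> int:
        self.probes_answered += 1
        return 0                        # the window never reopens


def send_stream(receiver, total: int, mss: int, max_probes: int) -> tuple:
    """Sender side: never send more than the advertised window; on a zero window
    start the persist timer and send window probes. Returns (bytes_sent, probes, stuck)."""
    sent = probes = 0
    window = receiver.window()          # learned from the SYN+ACK
    while sent < total:
        if window == 0:
            if probes == max_probes:    # give up so the demo terminates
                return sent, probes, True
            probes += 1
            window = receiver.on_probe()
            continue
        chunk = min(mss, window, total - sent)
        window = receiver.on_data(chunk)
        sent += chunk
    return sent, probes, False


if __name__ == "__main__":
    print("normal receiver:", send_stream(Receiver(buffer_size=4096, read_rate=2048), 10000, 1380, 50))
    print("tarpit:         ", send_stream(Tarpit(initial_window=10), 10000, 1380, 50))
```

Against the normal receiver the sender completes after a few zero-window pauses; against the tarpit it gets 10 bytes through and then spends every remaining round on probes that are each answered with window 0. From a monitoring point of view, a connection whose only traffic is a long run of one-byte probes and zero-window ACKs is the signature of this exchange.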

UDP

• UDP is a much less complicated protocol compared to TCP.

• UDP does not make any guarantees that data will be delivered and leaves this function to applications to handle.

PORTS

• UDP port fields are two separate 16-bit fields in the UDP header—one for source and another for destination.

• The valid range of values is between 1 and 65535; the use of port 0 is typically a signature of unusual activity.

UDP PORT SCANNING

• To connect to a destination host, an ephemeral/short-lived port is typically selected in the range of ports greater than 1023.

• UDP doesn't respond to an initial connection with any positive feedback.

• But a live host responds with a negative response of ICMP "port unreachable" to a non-listening UDP port.

• This is how scanners determine if the UDP port is listening or not.

• This is another more stealthy way to scan for live hosts, assuming the site does not block outbound ICMP error messages.

• Nmap scans the UDP ports many times to try to deal with the case of dropped packets.

• If one packet is dropped and the network is not under duress or having problems, chances are one of the repeated packets will not be dropped.

• And once again, nmap is intelligent enough to know that the lack of any response is more likely an indication of filtering of some sort by the destination site than it is of all UDP ports listening.

UDP LENGTH FIELD

• UDP length is the number of bytes in the UDP header plus the number of bytes in the UDP payload.

• The minimum value for the UDP length is 8 bytes.

• The maximum theoretical byte length of an IP datagram is 65535.

• Given this, and that the IP header is a minimum of 20 bytes long, the theoretical maximum UDP length value is 65515.

• The TCP/IP stack of a given operating system, as implemented in the kernel, might limit the length of the UDP datagram further.
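An added example (not from the slides) that applies the PORTS and UDP LENGTH FIELD rules to a raw IPv4+UDP packet: it flags port 0, a UDP length below 8 or above 65515, and a UDP length that disagrees with the IP total length minus the IP header. The packets are constructed by `build_ip_udp`, a helper written for this example whose `udp_len` argument lets a wrong length be planted; its checksums are left at zero.

```python
import struct

UDP_MAX_LENGTH = 65535 - 20   # largest IP datagram minus the minimum IP header = 65515


def build_ip_udp(sport: int, dport: int, payload: bytes, udp_len: int = None) -> bytes:
    """Constructed IPv4+UDP packet (10.0.0.1 -> 10.0.0.2); udp_len may be forced wrong."""
    if udp_len is None:
        udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4B4B", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     10, 0, 0, 1, 10, 0, 0, 2)
    return ip + udp


def check_udp_datagram(packet: bytes) -> list:
    """Cross-check the UDP header of a raw IPv4 packet; returns the anomalies found."""
    findings = []
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:
        return ["not a UDP datagram (IP protocol %d)" % packet[9]]
    udp = packet[ihl:]
    if len(udp) < 8:
        return ["fewer than 8 UDP header bytes present"]
    sport, dport, udp_len, _checksum = struct.unpack("!HHHH", udp[:8])
    if sport == 0 or dport == 0:
        findings.append("port 0 in use (source %d, destination %d)" % (sport, dport))
    if udp_len < 8:
        findings.append("UDP length %d is below the 8-byte header minimum" % udp_len)
    elif udp_len > UDP_MAX_LENGTH:
        findings.append("UDP length %d exceeds the theoretical maximum %d" % (udp_len, UDP_MAX_LENGTH))
    if udp_len != total_len - ihl:
        findings.append("UDP length %d disagrees with IP total length %d minus %d-byte IP header"
                        % (udp_len, total_len, ihl))
    return findings


if __name__ == "__main__":
    cases = {
        "well-formed DNS query": build_ip_udp(40000, 53, b"q" * 20),
        "source port 0":         build_ip_udp(0, 53, b"x"),
        "length below 8":        build_ip_udp(40000, 53, b"x", udp_len=4),
        "length 65535":          build_ip_udp(40000, 53, b"x", udp_len=65535),
    }
    for label, pkt in cases.items():
        print("%-22s %s" % (label, check_udp_datagram(pkt) or "ok"))
```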

ICMP – Internet Control Message Protocol

– Notifies the sender when something goes wrong in the transmission of a packet.

– Provided within IP; generates error messages to help the IP layers.

– Does not guarantee delivery of the message, so its structure and fields are straightforward.

ICMP Header

• Type: which ICMP message this is

• Code: more detailed information

• Checksum: covers the ICMP header and data

Type & Code

Identification & Sequence numbers

Ping – ICMP echo request/reply

• Ping sends an ICMP echo request to the remote host, which then returns an ICMP echo reply to the sender.

• Every TCP/IP node is supposed to implement ICMP and respond to ICMP echo.

Ping example

PING sparky (1.1.1.100) from 1.1.1.5 : 56(84) bytes of data.
64 bytes from 1.1.1.100: icmp_seq=0 ttl=255 time=0.8 ms
64 bytes from 1.1.1.100: icmp_seq=1 ttl=255 time=0.9 ms
64 bytes from 1.1.1.100: icmp_seq=2 ttl=255 time=7.3 ms

16:33:07.400700 verbo > sparky: icmp: echo request
4500 0054 038d 0000 4001 bed1 0101 0105
0101 0164 0800 9e12 c402 0000 0391 8439
1d1d 0600 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819

16:33:07.401479 sparky > verbo: icmp: echo reply (DF)
4500 0054 7146 4000 ff01 5217 0101 0164
0101 0105 0000 a612 c402 0000 0391 8439
1d1d 0600 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819

Misuse of ICMP Identification and Sequence Numbers

• ICMP identifier and sequence number fields can be chosen to signal exploit traffic to the receiving host.

• DDoS tool known as Stacheldraht:

the ICMP identifier value of 667 was used to initiate connections between handler and agent hosts in an ICMP echo reply. The ICMP identifier value of 666 was used to respond from agent to handler with another ICMP echo reply.

Summary

• TCP

– Stateful communication (session, reliable)

– Busiest of the protocol headers

• UDP

– Stateless communication (no session, less reliable, fast)

– Ports can be scanned using nmap

• ICMP

– Diagnostic (dangerous?)

– Provides a mechanism for reporting failures

• Some of the fields can be used for evasion or insertion attacks, as we saw demonstrated with the TCP checksum example.

The End

Thank you!