Training Security EMEA - II pptx

Slide 1: Security Training II – Network Hacking
Renaud BIDOU, Security Consultant EMEA
Intelligent Application Switching

Slide 2: Agenda – Part I : Identification
• Basic Identification
  • Port Scanning
  • OS fingerprinting & Application scanning
• Advanced Identification
  • Stealth operations
  • Inline systems detection

Slide 3: Agenda – Part II : Bypassing
• Security policy bypassing
  • Fragmentation tricks
  • ISN prediction & Spoofing
• Evading detection
  • Bouncing

Slide 4: Agenda – Part III : DoS
• Denial of Service
  • Floods
  • Protocol anomalies
• Leveraging the DoS
  • Reflection
  • DDoS & Worms

Slide 6: Basic Identification

Slide 7: Port Scanning

Slide 8 (PORTS): About port scanning
• What is port scanning for?
  • Identify running applications → HTTP : 80, SMTP : 25 etc.
  • Identify OS → TCP 135+139+445 = Windows 2k/XP/2003
  • Identify applications → TCP 264+18264 = CHKP VPN
• Quick and dirty
  • Scan 100s of ports in a short time
  • Easily detected
  • Targeted

Slide 9 (PORTS): Scanning TCP Ports
• 3-way handshake based (SYN / SYN-ACK / ACK)
  • Connect method – full TCP connection :
    • established ok → open
    • received RST → closed
    • no answer to first SYN → filtered
  • Half-scan – send SYN only :
    • received SYN-ACK → open
    • received RST → closed
    • no answer to first SYN → filtered

Slide 10 (PORTS): Scanning TCP Ports
• Anomaly based
  • FIN Scan : FIN outside of an established session
    • RFC : RST on open AND closed ports
    • BSD based stacks : RST only on closed ports (90% of actual IP stacks)
  • FIN Scan variants
    • X-mas tree : all TCP flags set
    • Rely on TCP window size (0 → closed, !0 → open)
• Drawbacks
  • Not very reliable : packet may be lost, filtered port seen as open
  • Takes a lot of time, as it is based on the attacker stack timeout

Slide 11 (PORTS): Scanning UDP Ports
• Only one method
  • Packet sent on UDP ports
    • ICMP Port unreachable → closed
    • no response → open
• Drawbacks
  • Same as FIN scan
    • Not very reliable : packet may be lost, filtered port seen as open
    • Takes a lot of time, as it is based on the attacker stack timeout

[...]

Slide (PORTS): Hands-on
• Tools
  • Unix / Windows : nmap
    # nmap -sS -p22,443 10.0.0.1
    # nmap -sU -p161 10.0.0.1
  • Windows : superscan
• Practice
  • Find FTP servers on the 192.168.202.0/24 network
  • Identify open ports on 10.0.0.105 or 10.0.0.106
  • Any idea...

[...] application must be identified
• What works with Apache won't work on IIS
• The version is also important
  • What works with Apache 1.3.22 won't work on Apache 2.0.40
  • Versions can reveal if the application is patched or not
• Some applications may run on non standard ports
  • Common for intranet web servers
  • Remote management applications for security
  • Banners may have been changed

[...] (STEALTH) Blame the goat

Slide 30: Inline detection

Slide 31 (Inline): Playing with the IP Stack
• Inline security system
  • May act as a proxy at different levels
    • L2 : for layer 3 equipments (firewall-like)
    • L3 : mainly NAT
    • L4 : SYN cookies, stateful inspection
    • L7 : application proxies
  • Should behave like the proxied IP stack / application
• Detection...

Slide 12: OS Fingerprinting & Application Scanning

Slide 13 (OS): Banners and commands
• Banners
    # telnet 10.0.0.1
    Fedora Core release 1 (Yarrow)
    Kernel 2.4.22-1.2115.nptlsmp on an i686
    login:
• From commands
    # nc 10.0.0.1 80
    HEAD / HTTP/1.1
    …
    Date: Tue, 30 Nov 2004 18:19:27 GMT
    Server: Apache/2.0.47 (Fedora)

Slide 14 (OS): OS Fingerprinting [...]
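The port states on the TCP/UDP scanning slides are defined by what the scanner gets back; seen from the defender's side, the "Easily detected" remark and the deck's later Discretion slide (automated triggers based on packets per second, beaten by going slow) lead to the detection logic below. This is an added example, not part of the training material: the log format, addresses, sources and thresholds are constructed.

```python
from collections import defaultdict
# Constructed log lines (not from the slides): "seconds src dst dport flags".
# 10.0.0.50 half-scans six ports in 50 ms, 10.0.0.51 probes the same six ports
# one per minute, 10.0.0.60 is a normal client re-opening port 80.
LOG = """\
0.00 10.0.0.50 10.0.0.1 22 S
0.01 10.0.0.50 10.0.0.1 25 S
0.02 10.0.0.50 10.0.0.1 80 S
0.03 10.0.0.50 10.0.0.1 135 S
0.04 10.0.0.50 10.0.0.1 445 S
0.05 10.0.0.50 10.0.0.1 18264 S
0.00 10.0.0.51 10.0.0.1 22 S
60.0 10.0.0.51 10.0.0.1 25 S
120.0 10.0.0.51 10.0.0.1 80 S
180.0 10.0.0.51 10.0.0.1 135 S
240.0 10.0.0.51 10.0.0.1 445 S
300.0 10.0.0.51 10.0.0.1 18264 S
1.0 10.0.0.60 10.0.0.1 80 S
2.0 10.0.0.60 10.0.0.1 80 S
"""

def parse(log):
    """Return (ts, src, dport) for each SYN-only line, sorted by time."""
    rows = []
    for line in log.splitlines():
        ts, src, _dst, dport, flags = line.split()
        if flags == "S":           # half-scan probes and normal connection opens
            rows.append((float(ts), src, int(dport)))
    return sorted(rows)

def triggered_sources(log, window, min_ports):
    """Sources that touch >= min_ports distinct ports inside any `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dport in parse(log):
        per_src[src].append((ts, dport))
    hits = set()
    for src, events in per_src.items():
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits.add(src)
                break
    return hits

def rate_trigger(log):
    """Automated trigger from the Discretion slide: packets per second. Catches
    only the fast scan; a scan padded with delays stays under it."""
    return triggered_sources(log, window=1.0, min_ports=5)

def slow_trigger(log):
    """Distinct ports per source over ten minutes: catches the slow scan too,
    while the repeat client on port 80 stays below the threshold."""
    return triggered_sources(log, window=600.0, min_ports=5)
```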
[...] may have been changed

Slide 17 (APPS): Problems with applications
• Three points to analyze
  • Type of application : SSH, HTTP, POP3, IMAP etc.
  • Nature of application : Apache, IIS etc.
  • Version of application
• Each application has a specific behavior
  • At most one unique method for identifying type, nature and version
  • A lot of research is necessary to find the way to [...]

[...] application scanner based on specific broadcast packets
• httprint : HTTP server identification tool
  • Based on fingerprints
  • Works under Windows with a GUI!

Slide 20 (OS & APPS): Hands-On
• Identify by different ways
  • OS on 10.0.0.10(1|2|3|4)
  • Apps on 10.0.0.10(5|6)
  • OS and Apps on 192.168.202.21

Slide 21: Advanced identification

[...] lost in the flood of fake systems

Slide 26 (STEALTH): Discretion
• Fooling triggers
  • Automated triggers
    • Based on a ratio : number of suspicious packets / s
    • Just have to go slow
    • -delay option on nmap
  • Human triggers
    • Based on visual detection in logs
    • One packet from time to time with ≠ IP should be ok

Slide 27 (STEALTH): Blame the goat
• The IPID
  • [...]

[...] existing fingerprint is found then OS is identified

Slide 15 (OS): OS Fingerprinting
• TCP based techniques
  • ISN generation algorithm
  • Initial TCP window size
  • TCP options
  • TCP SYN-ACK retransmit delay
  → Tools : nmap, chronOS
• ICMP based techniques
  • ICMP error message echoing (size + integrity)
  • DF bit echoing in error or reply messages
  • IP ID and TTL values in ICMP messages [...]

[...] them to save CPU
  • L4 checksums are not calculated
• Bad L4 checksum
  • IP stack : packet silently dropped
  • Inline systems : packet analyzed
• Obvious attack with bad L4 checksum
  • REJECTED by an inline security device → can be identified

Slide 33 (Inline): NAT
• NATs are L3/4 devices
  • They perform routing
  • They appear on traceroute output
• The RFC says
  • TTL must not be decreased [...]
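The bad-L4-checksum slide makes the point that a real IP stack silently drops such a packet, while an inline device that skips checksum validation to save CPU inspects it and, by rejecting an obvious attack, reveals its presence. The example below is added here and is not part of the training: it computes and verifies the TCP checksum over the IPv4 pseudo-header and applies the stack-faithful policy (verify first, drop silently on mismatch, only then inspect); the addresses, ports and the SYN+FIN flag check are constructed assumptions.

```python
import struct

SRC_IP = bytes([10, 0, 0, 50])   # constructed addresses, not from the slides
DST_IP = bytes([10, 0, 0, 1])

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by IP/TCP/UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, 0, proto 6, length) + segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """With the checksum field in place, the complemented sum of everything is 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0

def build_tcp_header(sport: int, dport: int, flags: int, fix_checksum: bool = True) -> bytes:
    """Minimal 20-byte TCP header (seq 1, ack 0, data offset 5, window 65535)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    if fix_checksum:                        # bytes 16-17 hold the checksum
        hdr = hdr[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, hdr)) + hdr[18:]
    return hdr

def inline_decision(segment: bytes) -> str:
    """Stack-faithful policy for an inline device: a bad L4 checksum is dropped
    silently, as the protected host's stack would do, *before* any inspection,
    so the device never reveals itself by rejecting a packet the host ignores."""
    if not tcp_checksum_ok(SRC_IP, DST_IP, segment):
        return "drop-silently"
    flags = segment[13]
    if flags & 0x03 == 0x03:                # FIN and SYN together (X-mas style anomaly)
        return "reject"
    return "inspect"

if __name__ == "__main__":
    print(inline_decision(build_tcp_header(40000, 80, 0x02)))          # inspect
    print(inline_decision(build_tcp_header(40000, 80, 0x3F)))          # reject
    print(inline_decision(build_tcp_header(40000, 80, 0x3F, False)))   # drop-silently
```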

Posted: 15/03/2014, 17:20