tcp/ip and its vunlerabilities
Results 1 to 4 of 4

Thread: tcp/ip and its vunlerabilities

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    135

    tcp/ip and its vunlerabilities

    tcp/ip and its weaknesses and vulnerabilites by peter shipley
    email : shipley@dis.org
    +1 510 849 22 30 ( i think thats his phone number ) it was on the tut
    but remember u need adobe acrobat reader for this ... well not THIS but the tut if u want me to send u the tut
    THIS IS TAKEN FROM A FILE BUT ITS PARAPHARASED SO ITS 50/50 MY OWN STUFF =) not copy and pasted =)

    when you connect to the internet you need these basics
    a modem , a phone line, and an internet service provider (ISP!), you probably have heard that term before (msn is a lousy ISP so is AOL) ISP's provide lots of different serivces E.I: emaail,web page , stress (the stress thing is humor)


    that was pretty basic now going on to some what specifics

    you are probably wondering but how does all the information get dilvered to the right source?
    well i will tell u in my next tut but lets learn about tcp/ip haha


    tcp/ip is a *protocol, and a protocol is a language
    tcp/ip is a set of protocols that was invented by a team of researches "centered" around ARPAnet
    tcp/ip allows two computers to share resouces, but both of the computers must agree on sharing them otherwise, you know (im assuming u know)

    as time progressed our beloved ARPAnet became the internet!

    why do we need tcp/ip?

    ok well we need tcp/ip because it allows us to communicate and share and pass on info to other computers and such! oh and services too dont forget that!
    ~*examples*~ : ftp - file transfer protocol ... basically .. has a friend of yours ever sent u anything thru email or instant messager? well thats ftp

    WWW - World Wide Web this is web pages , like www.google.com (great search engine), porn sites ( jk =P )

    SMTP - thats email , stuff like hotmail or msn mail or aol mail

    remote login access- that one is pretty easy

    HOW THE PROTOCOLS CAME TOGETHER!

    Ok theres 7 layers



    layer 7: application layer |application layer|
    layer 4: transport layer |TCP UDP|
    LAYER 3: network layer |IP ICMP|
    layer 2: data link layer |ethernet protocol)
    layer 1: physical layer 10BT-AUI-ATM

    each one of those layers is built up from the supporting protocol layers

    that was the OSI model

    layer 7: application layer -----> programs and applications
    layer 4: transport layer -----> Data flow and delivery
    LAYER 3: network layer -----> virtual path adressing
    layer 2: data link layer -----> protocol used on layer one
    layer 1: physical layer -----> ethernet wire

    Each layers security is built from the supporting rpotocols


    TCP THREE WAY HANDSHAKE!

    TCP relies on the three way handshake when establishing a connection
    ok this basically makes sure that both parties (sides) whatever floats ur boat , agree that a connection has been established and that its ok for data to be transmitted reliably!

    the three way handshake guarantees that both parties are ready to exchange whatever data that needs to be exchanged and it allows both parties to agree on on a initial sequence number synch. and data window size

    NORMAL CONNECTION FAILURE!

    there is obviously more than one way for a tcp/ip connection to fail =(

    the most common is for a connction to be reset or rejected by the recieving or answering host
    ^^ ^^^^^^^^^most commonly done by the recieving answering system

    heres a quote form the tut ( in fear on messing up i will quote)
    in some cases if there is a IP filtering router btween the client/originating host and the server/recieving host, the filtering router will filter - block the SYN and sent a RST or ICMP unreachable messate or sometimes just drop the SYN ( blackhole) andsend nothing back. this is a drop vs. reject

    ok next item
    Apache 1.1.1

    you can get a directory listing of a web server even if there is an index.html file there

    on a browser request the URL:
    http://www.server.com///////////////...//////////////[many]///////

    you should get a listing of the files instead of the contents of the index.html file

    Apache 1.1.1 (without cookies) not the cookies u eat go to jargon and look up cookies if u dont already know it

    a buffer overflow condition exists in the cookie processing code of the server and that can be exploited to get a shell or run commands on as the server userid.

    FTP ( file transfer protocol) Bounce attack

    if u manipulqate the ftp daemon ( not to be confused with deamon , if u do not know daemon please go to jargon) that supports the PASV command it is possible to get a third party one way connections thru the ftp host

    this can be used to transfer data anpnymously or slip past application firewalls ( NOT RECOOMMENDED!) or remotely portscan

    moving on to Normal FTP connection

    1. u can establish a connection to the servers FTP port from a high numbered port to port 21 on the server
    Login/passowrd are sent over this connection

    2. whne the cient or orginating host wants to get a file that opens and local port (high port) a msg to the server t oconnect that port and trasmit the requested data

    FTP bounce Attack

    the best fix for thisis to upgrade your ftp daemon ( did u look up daemon? u should have!)

    some firewalls which filter command and contect can block this attack but it is not adised to rely on this security strategy

    Ping flooding

    it is DOS (denial of service) attack invilding flooding the victims with IP traffic this taking away or descreasin the remote site;s availbale bandwidth

    this allows an attacked to inhibit network connectivitu to the target network
    remember kids high-bandwidth beats low bandwidth *lol*
    spoofable , thus easy to hide source

    awe heres something sad :

    DDps Attacks
    *similar to "smurf" attacks
    *attacker does NOT have to be online ( connected to internet) but can be!
    *they are nearly impossible to defend against
    *best defense is not to be a "tool"

    TCP port scanning

    this is a term that refers to the way of sequentially connectiong to IP ports and finding out if there is a daemon running on that port

    moving on

    Ip Fragmentation the tcp /ip protocol standar shoukd does support the ability to fragment a Ip packets into smaller packets

    this accomodates the ip transmission over congested networks or with nets smaller MTU sizes <- that was quoted

    next stop is IP fragmentation flooding

    okay well any tcp/ip implm. has to deal with gramented packets of some sort , so a DOS attack can be done by sending random IP frags. to a system os then the system will buffer these grags. and it waits for the other IP or TCP fags to arrive to put toge ther the packets but the joining frag never arives! so then this will cause a system to run low on memory and CPU resources! bummer eh? =(

    side note : both IP and tcp packets can be framented , the protocol supports this

    ip fragmentation :

    on a healthy good running networking the IP fragmentation is really rare

    <quote> filter fragments at the router level (1% / 5%) of sites have problems connecting
    RFC 1858 (solution?)
    See also RFCs 791 and 815



    Ip sequences prediction
    most OSs now reandomize their squence numbers to thwart prediction

    this attack can be prevented with ip filtering to inhibit ip spoofing <- also a quote

    crypto login authenticatuon sys. will inhibit the establishment oflogin sessions



    Sniffers / Data Interception
    Sniffing is a term thats used to describe an evesdropping on a networkin, its really commond for many black hats to install a sniffer on a system ( dont ask me to explan how ) to get info so collect at anothe time

    stats : 85-95 % of internet attacks are sniffer based
    if u think this is not big deal listen to this these are the services affected by sniffers :
    telnet
    rlogin
    pop/IMAP
    http/WWW
    ftp
    SMTP
    SNMP
    rpe/NFS
    these are just a few , u can count on theres more services affected

    so you are wondering... how do i protect myself? well let me tell ya! the best way is a "smart" hub or "switch"
    whne ever its possible for u to remove support for prmiscous mode from the kernel DO IT!

    antisniff is a prog that can detect most sniffers remotely on a local network

    moooooving on

    on a local ethernet networking commucation relies on each ethernet interface having a special mac adress ( a property of a ethernet interface card) the 'table' systen maintains that maps MAC adresses to a system up adress is reffered to as ARP table <- that was a quote

    u should know this : on the ethernet level its possible to inset erroneuos info into a sys's arpc cache , why? becase as i told u before each layers security is based on the preceding protocol and ethernet is at the bottom

    it permits ppl to impersonate any machine on a LAN ( local area network)
    and many DOS attacks are possible cuz like i said before the security level isnt too great
    also there is a possiblityof intercept and redirect ethernet communications

    DNS is domain name system and its one of the internet fundamental building blocks ... very important =) dns privides a distributes host info data base ysed to the mapping of host names and IP adresses and their inverse mapping


    NORMAL dns RESOLUTION

    ok this seems exprensive right? but its really efficuebt once u add the concept of cashing

    there for DNS server doesnt have to send a query to "." or learn where the heck .com is located , etc, u know what im getting at!

    but alas the vulnerability of DNS is the cache , when someone inserts erroneous info int othe servers cache they can redirect network connections also they can block the acess to remote sites .. another bummer

    ok well that conludes our tour ladies and gentlemen please gather all your belongings , get the heck off my tcp/ip bus! lol

    if u want info on where i got this info u can PM me or get ur booty on IRC and ask me for this tutorial, i suggest you do because there are many things i left out because i thought it wasnt necessary and there are many purdy pictures =) this was called

    tcp/ip and its weaknesses and vulnerabilites by peter shipley email : shipley@dis.org
    +1 510 849 22 30 ( i think thats his phone number ) it was on the tut
    but remember u need adobe acrobat reader for this

    -jan

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Posts
    112
    All in all there is a lot of good information here although I am sure you are paraphasing most of this information because some of it isn't quite right. Let me point out two. First TCP/IP is NOT a 7 Layer Protocol stack it is a 4 Layer stack. The 7 layer stack you are refering to is the OSI Model and it is just that a model for networking, (too much information to go in here) TCP/IP is composed of four layers.

    Network Layer = Physical and Data Link layers of the OSI Model
    Internet Layer = Network Layer of the OSI Model
    Transport Layer = Transport Layer of the OSI Model
    Applciation LAyer= Session. Presentation, and Application Layers of the OSI Model

    Check your information

    Also. using a "Smart" hub WILL NOT prevent sniffing. A HUB period is a layer one device and is only concerned about the signal strength and does not do any filtering based upon AMC addressing as a SWITCH would do. A "SMART" Hub only has some managment build into it.

    Again check if you like...

    p41di3
    My other Computer is a 4000 node Beowulf Custer

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Hum, much of this is outdated...
    Apache 1.1.1 is waaaayyy outdated: we're up to 1.3.26
    FTP bounce attack is based on quite old ftpd servers too...
    Ping flooding is old news too..

    Also, the best way to protect against sniffing IS NOT a switch (if you understood your part about arp-poisoning, you'd know that you that) the switch can be fooled to redirect to the wrong host. Many switches will also revert to broadcasting when flooded...
    The only safe way to protect against sniffing is ENCRYPTION. SSH, SSL, TLS, IPSec are your friends...

    This is a little to recycled to my taste...

    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4
    Senior Member
    Join Date
    May 2002
    Posts
    135
    i never said it was the tcp/ip model , i said it was the osi model later im sorry if it isnt up to your standards at least im trying , throw me a friggin bone here ( not literally)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides