
Thread: tcp/ip and its vulnerabilities

#1 (Senior Member, joined May 2002, 135 posts)

tcp/ip and its vulnerabilities

"TCP/IP and its weaknesses and vulnerabilities" by Peter Shipley
email: shipley@dis.org
+1 510 849 22 30 (I think that's his phone number; it was on the tut)
But remember, you need Adobe Acrobat Reader for this ... well, not THIS, but the tut, if you want me to send you the tut.
THIS IS TAKEN FROM A FILE BUT IT'S PARAPHRASED, SO IT'S 50/50 MY OWN STUFF =) not copy and pasted =)

When you connect to the internet you need these basics:
a modem, a phone line, and an internet service provider (ISP!). You have probably heard that term before (MSN is a lousy ISP, so is AOL). ISPs provide lots of different services, i.e. email, web pages, stress (the stress thing is humor).


That was pretty basic; now on to somewhat more specifics.

You are probably wondering: but how does all the information get delivered to the right source?
Well, I will tell you in my next tut, but let's learn about tcp/ip, haha.


tcp/ip is a *protocol, and a protocol is a language.
tcp/ip is a set of protocols that was invented by a team of researchers "centered" around ARPAnet.
tcp/ip allows two computers to share resources, but both of the computers must agree on sharing them; otherwise, you know (I'm assuming you know).

As time progressed, our beloved ARPAnet became the internet!

Why do we need tcp/ip?

OK, well, we need tcp/ip because it allows us to communicate and share and pass on info to other computers and such! Oh, and services too, don't forget that!
~*examples*~: FTP - file transfer protocol ... basically ... has a friend of yours ever sent you anything through email or instant messenger? Well, that's FTP.

WWW - World Wide Web. This is web pages, like www.google.com (great search engine), porn sites (jk =P)

SMTP - that's email, stuff like Hotmail or MSN mail or AOL mail.

Remote login access - that one is pretty easy.

HOW THE PROTOCOLS CAME TOGETHER!

OK, there are 7 layers:

layer 7: application layer | application layer |
layer 4: transport layer   | TCP, UDP |
layer 3: network layer     | IP, ICMP |
layer 2: data link layer   | ethernet protocol |
layer 1: physical layer    | 10BT, AUI, ATM |

Each one of those layers is built up from the supporting protocol layers.

That was the OSI model.

layer 7: application layer -----> programs and applications
layer 4: transport layer   -----> data flow and delivery
layer 3: network layer     -----> virtual path addressing
layer 2: data link layer   -----> protocol used on layer one
layer 1: physical layer    -----> ethernet wire

Each layer's security is built from the supporting protocols.


TCP THREE-WAY HANDSHAKE!

TCP relies on the three-way handshake when establishing a connection.
OK, this basically makes sure that both parties (sides), whatever floats your boat, agree that a connection has been established and that it's OK for data to be transmitted reliably!

The three-way handshake guarantees that both parties are ready to exchange whatever data needs to be exchanged, and it allows both parties to agree on an initial sequence number sync and data window size.

NORMAL CONNECTION FAILURE!

There is obviously more than one way for a tcp/ip connection to fail =(

The most common is for a connection to be reset or rejected by the receiving or answering host (most commonly done by the receiving/answering system).

Here's a quote from the tut (in fear of messing up, I will quote):
"In some cases, if there is an IP filtering router between the client/originating host and the server/receiving host, the filtering router will filter/block the SYN and send a RST or ICMP unreachable message, or sometimes just drop the SYN (blackhole) and send nothing back. This is drop vs. reject."

OK, next item.
Apache 1.1.1

You can get a directory listing of a web server even if there is an index.html file there.

On a browser, request the URL:
http://www.server.com///////////////...//////////////[many]///////

You should get a listing of the files instead of the contents of the index.html file.

Apache 1.1.1 (without cookies) - not the cookies you eat; go to Jargon and look up cookies if you don't already know it.

A buffer overflow condition exists in the cookie processing code of the server, and that can be exploited to get a shell or run commands as the server userid.

FTP (file transfer protocol) bounce attack

If you manipulate the FTP daemon (not to be confused with demon; if you do not know daemon, please go to Jargon) that supports the PASV command, it is possible to get third-party one-way connections through the FTP host.

This can be used to transfer data anonymously, or slip past application firewalls (NOT RECOMMENDED!), or remotely port scan.

Moving on to a normal FTP connection:

1. You establish a connection to the server's FTP port, from a high-numbered port to port 21 on the server.
Login/password are sent over this connection.

2. When the client or originating host wants to get a file, it opens a local port (high port) and sends a message to the server to connect to that port and transmit the requested data.

FTP bounce attack

The best fix for this is to upgrade your FTP daemon (did you look up daemon? You should have!).

Some firewalls which filter command and content can block this attack, but it is not advised to rely on this security strategy.

Ping flooding

It is a DOS (denial of service) attack involving flooding the victim with IP traffic, thus taking away or decreasing the remote site's available bandwidth.

This allows an attacker to inhibit network connectivity to the target network.
Remember kids, high bandwidth beats low bandwidth *lol*
Spoofable, thus easy to hide the source.

Aw, here's something sad:

DDoS attacks
* similar to "smurf" attacks
* attacker does NOT have to be online (connected to the internet) but can be!
* they are nearly impossible to defend against
* best defense is not to be a "tool"

TCP port scanning

This is a term that refers to the way of sequentially connecting to IP ports and finding out if there is a daemon running on that port.

Moving on.

IP fragmentation: the tcp/ip protocol standard does support the ability to fragment IP packets into smaller packets.

"This accommodates IP transmission over congested networks or nets with smaller MTU sizes" <- that was quoted.

Next stop is IP fragmentation flooding.

OK, well, any tcp/ip implementation has to deal with fragmented packets of some sort, so a DOS attack can be done by sending random IP fragments to a system. The system will buffer these fragments and wait for the other IP or TCP fragments to arrive to put the packets together, but the joining fragment never arrives! So this will cause a system to run low on memory and CPU resources! Bummer, eh? =(

Side note: both IP and TCP packets can be fragmented; the protocol supports this.

IP fragmentation:

On a healthy, good-running network, IP fragmentation is really rare.

<quote> Filter fragments at the router level (1% / 5% of sites have problems connecting).
RFC 1858 (solution?)
See also RFCs 791 and 815.



IP sequence prediction
Most OSs now randomize their sequence numbers to thwart prediction.

"This attack can be prevented with IP filtering to inhibit IP spoofing" <- also a quote.

Crypto login authentication systems will inhibit the establishment of login sessions.



Sniffers / Data Interception
Sniffing is a term that's used to describe eavesdropping on a network. It's really common for many black hats to install a sniffer on a system (don't ask me to explain how) to get info to collect at another time.

Stats: 85-95% of internet attacks are sniffer based.
If you think this is no big deal, listen to this. These are the services affected by sniffers:
telnet
rlogin
POP/IMAP
HTTP/WWW
FTP
SMTP
SNMP
RPC/NFS
These are just a few; you can count on there being more services affected.

So you are wondering... how do I protect myself? Well, let me tell ya! The best way is a "smart" hub or "switch".
Whenever it's possible for you to remove support for promiscuous mode from the kernel, DO IT!

AntiSniff is a program that can detect most sniffers remotely on a local network.

Moooooving on.

"On a local ethernet network, communication relies on each ethernet interface having a special MAC address (a property of an ethernet interface card). The 'table' the system maintains that maps MAC addresses to a system's IP address is referred to as the ARP table" <- that was a quote.

You should know this: on the ethernet level it's possible to insert erroneous info into a system's ARP cache. Why? Because, as I told you before, each layer's security is based on the preceding protocol, and ethernet is at the bottom.

It permits people to impersonate any machine on a LAN (local area network),
and many DOS attacks are possible, because, like I said before, the security level isn't too great.
Also there is the possibility of intercepting and redirecting ethernet communications.

DNS is the Domain Name System, and it's one of the internet's fundamental building blocks ... very important =). DNS provides a distributed host info database used for the mapping of host names and IP addresses and their inverse mapping.

NORMAL DNS RESOLUTION

OK, this seems expensive, right? But it's really efficient once you add the concept of caching.

Therefore the DNS server doesn't have to send a query to "." or learn where the heck .com is located, etc. You know what I'm getting at!

But alas, the vulnerability of DNS is the cache. When someone inserts erroneous info into the server's cache, they can redirect network connections; also they can block access to remote sites .. another bummer.

OK, well, that concludes our tour, ladies and gentlemen. Please gather all your belongings and get the heck off my tcp/ip bus! lol

If you want info on where I got this info, you can PM me or get your booty on IRC and ask me for this tutorial. I suggest you do, because there are many things I left out because I thought they weren't necessary, and there are many purdy pictures =). This was called:

"TCP/IP and its weaknesses and vulnerabilities" by Peter Shipley, email: shipley@dis.org
+1 510 849 22 30 (I think that's his phone number; it was on the tut)
But remember, you need Adobe Acrobat Reader for this.

-jan
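The post's "TCP three-way handshake" and "IP sequence prediction" sections describe an attack without showing the exchange. The following is an added example (not part of the post, and not Peter Shipley's material): a small simulation of a server completing the handshake, an honest client, and a blind attacker who spoofs a trusted address and has to guess the server's initial sequence number (ISN) because the SYN-ACK never reaches him. The server's "increment" policy (a fixed step of 64000 per connection) is an assumed simplification of the old predictable schemes; the "random" policy stands for what the post says most OSs now do. Everything here is constructed; no packets are sent.

```python
"""Model of the TCP three-way handshake and a blind ISN-prediction (IP spoofing)
attack against it. Constructed simulation; addresses and the ISN step are made up."""
import random
from dataclasses import dataclass

STEP = 64000      # assumed per-connection ISN increment of the predictable server


@dataclass
class Segment:
    src: str
    dst: str
    flags: str    # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class Server:
    """One listening TCP port. isn_policy is "increment" (predictable) or "random"."""

    def __init__(self, ip, isn_policy):
        self.ip, self.isn_policy = ip, isn_policy
        self.last_isn = 0
        self.half_open = {}      # peer ip -> (our ISN, peer ISN) once a SYN-ACK was sent
        self.established = []    # peers whose handshake completed

    def next_isn(self):
        if self.isn_policy == "increment":
            self.last_isn = (self.last_isn + STEP) % 2**32
            return self.last_isn
        return random.getrandbits(32)

    def receive(self, seg):
        """Process one segment; return the reply segment, "ESTABLISHED", or None."""
        if seg.flags == "SYN":
            isn = self.next_isn()
            self.half_open[seg.src] = (isn, seg.seq)
            return Segment(self.ip, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.src not in self.half_open:
            return None                    # no handshake in progress with this peer
        our_isn, peer_isn = self.half_open.pop(seg.src)
        if seg.flags == "RST":
            return None                    # peer aborted; nothing is sent in reply
        if seg.flags == "ACK" and seg.ack == our_isn + 1 and seg.seq == peer_isn + 1:
            self.established.append(seg.src)
            return "ESTABLISHED"
        return Segment(self.ip, seg.src, "RST")   # ACK with the wrong numbers: reset


def honest_handshake(server, client_ip, client_isn=1000):
    """The normal exchange: SYN, SYN-ACK, ACK, with the numbers copied from the SYN-ACK."""
    synack = server.receive(Segment(client_ip, server.ip, "SYN", seq=client_isn))
    ack = Segment(client_ip, server.ip, "ACK", seq=synack.ack, ack=synack.seq + 1)
    return server.receive(ack) == "ESTABLISHED"


def blind_spoof(server, attacker_ip, trusted_ip, trusted_host_silenced=True):
    """The attacker (attacker_ip) tries to open a connection as trusted_ip without ever
    seeing the server's SYN-ACK, which is routed to the real trusted host."""
    # 1. Two legitimate probes from the attacker's own address show how the ISN moves.
    a = server.receive(Segment(attacker_ip, server.ip, "SYN", seq=1)).seq
    b = server.receive(Segment(attacker_ip, server.ip, "SYN", seq=1)).seq
    delta = (b - a) % 2**32
    predicted_isn = (b + delta) % 2**32    # extrapolated guess for the next connection
    # 2. Spoofed SYN "from" the trusted host; the SYN-ACK is never seen by the attacker.
    server.receive(Segment(trusted_ip, server.ip, "SYN", seq=5000))
    # 3. If the trusted host is up, it gets an unsolicited SYN-ACK and answers with RST,
    #    which tears the half-open connection down; the attacker must silence it first.
    if not trusted_host_silenced:
        server.receive(Segment(trusted_ip, server.ip, "RST"))
    # 4. Blind ACK carrying the predicted ISN.
    reply = server.receive(Segment(trusted_ip, server.ip, "ACK",
                                   seq=5001, ack=predicted_isn + 1))
    return reply == "ESTABLISHED"


if __name__ == "__main__":
    for policy in ("increment", "random"):
        srv = Server("10.0.0.1", policy)
        print(policy, "honest:", honest_handshake(srv, "10.0.0.7"),
              "blind spoof:", blind_spoof(srv, "10.0.0.66", "10.0.0.7"))
```

Against the "increment" server the blind ACK lands on exactly the right number and the spoofed connection is "established" even though the attacker never saw a single reply; against the "random" server the extrapolated guess is wrong (the chance of hitting a 32-bit random ISN is 1 in 2^32) and the server answers with RST. The `trusted_host_silenced=False` path shows the other precondition: a live trusted host would reset the half-open connection itself, which is why this attack is paired with a denial of service against it. The filtering the post quotes (dropping packets that claim an inside source address at the border) removes the spoofed SYN in step 2 before any of this matters.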

#2 (Senior Member, joined Jul 2002, 112 posts)
All in all there is a lot of good information here, although I am sure you are paraphrasing most of this information, because some of it isn't quite right. Let me point out two. First, TCP/IP is NOT a 7-layer protocol stack; it is a 4-layer stack. The 7-layer stack you are referring to is the OSI model, and it is just that, a model for networking (too much information to go into here). TCP/IP is composed of four layers.

Network Layer = Physical and Data Link layers of the OSI Model
Internet Layer = Network Layer of the OSI Model
Transport Layer = Transport Layer of the OSI Model
Application Layer = Session, Presentation, and Application Layers of the OSI Model

    Check your information

Also, using a "Smart" hub WILL NOT prevent sniffing. A HUB, period, is a layer one device and is only concerned about the signal strength; it does not do any filtering based upon MAC addressing as a SWITCH would do. A "SMART" hub only has some management built into it.

    Again check if you like...

    p41di3
My other Computer is a 4000 node Beowulf Cluster

#3 (Senior Member, joined Sep 2001, 1,027 posts)
Hum, much of this is outdated...
Apache 1.1.1 is waaaayyy outdated: we're up to 1.3.26.
The FTP bounce attack is based on quite old ftpd servers too...
Ping flooding is old news too..

Also, the best way to protect against sniffing IS NOT a switch (if you understood your part about ARP poisoning, you'd know that): the switch can be fooled into redirecting to the wrong host. Many switches will also revert to broadcasting when flooded...
The only safe way to protect against sniffing is ENCRYPTION. SSH, SSL, TLS, IPSec are your friends...

This is a little too recycled for my taste...

    Ammo
    Credit travels up, blame travels down -- The Boss
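Post #1's ARP section says erroneous entries can be inserted into a system's ARP cache, and post #3 uses that to argue a switch does not stop sniffing. As an added example that belongs to neither poster, here is a small model of a switched LAN in which the switch forwards frames by MAC address correctly and it is the victim's ARP cache that is poisoned, sending its gateway traffic to the attacker's NIC. It also models two host-side mitigations and the limit of the weaker one. The hosts, MAC addresses and the LAN table are constructed for the example.

```python
"""Model of ARP cache poisoning on a switched LAN plus two host-side defenses.
Constructed simulation: the addresses, hosts and LAN table below are made up."""
from dataclasses import dataclass

GW_IP, GW_MAC = "10.0.0.1", "00:00:5e:00:53:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "00:00:5e:00:53:05"
ATTACKER_MAC = "00:00:5e:00:53:66"
# What the switch knows: which NIC (MAC) sits on which port. The switch forwards a frame
# to whatever MAC the sender put on it; it is the sender's ARP cache that picks the MAC.
LAN = {GW_MAC: "gateway", VICTIM_MAC: "victim", ATTACKER_MAC: "attacker"}


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str


class Host:
    def __init__(self, ip, mac, static=None, accept_unsolicited=True):
        self.ip, self.mac = ip, mac
        self.cache = dict(static or {})      # ip -> mac
        self.static = set(self.cache)        # entries that replies may never overwrite
        self.pending = set()                 # ips we currently have an ARP request out for
        self.accept_unsolicited = accept_unsolicited

    def arp_request(self, ip):
        self.pending.add(ip)                 # broadcast "who has ip?" (not modelled further)

    def on_reply(self, reply):
        """Return how the reply was handled; the cache changes only on 'cached'."""
        if reply.sender_ip in self.static:
            return "ignored-static"
        if reply.sender_ip not in self.pending and not self.accept_unsolicited:
            return "ignored-unsolicited"
        self.pending.discard(reply.sender_ip)
        self.cache[reply.sender_ip] = reply.sender_mac
        return "cached"

    def deliver(self, dst_ip):
        """Name of the host that actually receives a frame this host sends to dst_ip."""
        return LAN.get(self.cache.get(dst_ip))


def poison(victim, target_ip, attacker_mac=ATTACKER_MAC):
    """Attacker sends a forged reply claiming 'target_ip is at attacker_mac'."""
    return victim.on_reply(ArpReply(target_ip, attacker_mac))


def resolve_gateway(host):
    """Legitimate resolution: the host asks, the real gateway answers."""
    host.arp_request(GW_IP)
    return host.on_reply(ArpReply(GW_IP, GW_MAC))


def run_scenarios():
    out = {}
    # 1. Default host: any reply, solicited or not, overwrites the cache.
    h = Host(VICTIM_IP, VICTIM_MAC)
    resolve_gateway(h)
    out["default_before"] = h.deliver(GW_IP)
    poison(h, GW_IP)
    out["default_after"] = h.deliver(GW_IP)     # gateway-bound frames reach the attacker
    # 2. Static entry for the gateway: the forged reply is ignored.
    s = Host(VICTIM_IP, VICTIM_MAC, static={GW_IP: GW_MAC})
    out["static_verdict"] = poison(s, GW_IP)
    out["static_after"] = s.deliver(GW_IP)
    # 3. Rejecting unsolicited replies blocks the lazy attack ...
    u = Host(VICTIM_IP, VICTIM_MAC, accept_unsolicited=False)
    resolve_gateway(u)
    out["unsolicited_verdict"] = poison(u, GW_IP)
    out["unsolicited_after"] = u.deliver(GW_IP)
    # ... but not a race: when the entry expires the host asks again, and the first
    # reply to arrive (the attacker's, if it beats the real gateway) is accepted.
    u.arp_request(GW_IP)
    out["race_verdict"] = poison(u, GW_IP)
    out["race_after"] = u.deliver(GW_IP)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:20} {value}")
```

Scenario 1 is the interception post #3 refers to: the switch is doing its job, but the victim now addresses its frames to the attacker's MAC, who can read them and forward them on to the real gateway. Static entries (scenario 2) hold but do not scale past a few critical hosts, and "ignore unsolicited replies" (scenario 3) only narrows the window to the moment the cache entry is refreshed, which is why the thread's conclusion, encrypting the session itself, is the defense that does not depend on the LAN behaving.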

#4 (Senior Member, joined May 2002, 135 posts)
I never said it was the tcp/ip model; I said it was the OSI model later. I'm sorry if it isn't up to your standards; at least I'm trying. Throw me a friggin' bone here (not literally).
