July 10th, 2002, 10:48 PM
#1
tcp/ip and its vulnerabilities
tcp/ip and its weaknesses and vulnerabilities by peter shipley
email : shipley@dis.org
+1 510 849 22 30 ( i think thats his phone number ) it was on the tut
but remember u need adobe acrobat reader for this ... well not THIS but the tut if u want me to send u the tut
THIS IS TAKEN FROM A FILE BUT ITS PARAPHRASED SO ITS 50/50 MY OWN STUFF =) not copy and pasted =)
when you connect to the internet you need these basics
a modem, a phone line, and an internet service provider (ISP!), you probably have heard that term before (msn is a lousy ISP so is AOL) ISP's provide lots of different services e.g.: email, web page, stress (the stress thing is humor)
that was pretty basic now going on to somewhat specifics
you are probably wondering but how does all the information get delivered to the right source?
well i will tell u in my next tut but lets learn about tcp/ip haha
tcp/ip is a *protocol, and a protocol is a language
tcp/ip is a set of protocols that was invented by a team of researchers "centered" around ARPAnet
tcp/ip allows two computers to share resources, but both of the computers must agree on sharing them otherwise, you know (im assuming u know)
as time progressed our beloved ARPAnet became the internet!
why do we need tcp/ip?
ok well we need tcp/ip because it allows us to communicate and share and pass on info to other computers and such! oh and services too dont forget that!
~*examples*~ : ftp - file transfer protocol ... basically .. has a friend of yours ever sent u anything thru email or instant messenger? well thats ftp
WWW - World Wide Web this is web pages , like www.google.com (great search engine), porn sites ( jk =P )
SMTP - thats email , stuff like hotmail or msn mail or aol mail
remote login access- that one is pretty easy
HOW THE PROTOCOLS CAME TOGETHER!
Ok there's 7 layers
layer 7: application layer |application layer|
layer 4: transport layer |TCP UDP|
LAYER 3: network layer |IP ICMP|
layer 2: data link layer |ethernet protocol|
layer 1: physical layer 10BT-AUI-ATM
each one of those layers is built up from the supporting protocol layers
that was the OSI model
layer 7: application layer -----> programs and applications
layer 4: transport layer -----> Data flow and delivery
LAYER 3: network layer -----> virtual path addressing
layer 2: data link layer -----> protocol used on layer one
layer 1: physical layer -----> ethernet wire
Each layer's security is built from the supporting protocols
TCP THREE WAY HANDSHAKE!
TCP relies on the three way handshake when establishing a connection
ok this basically makes sure that both parties (sides) whatever floats ur boat , agree that a connection has been established and that its ok for data to be transmitted reliably!
the three way handshake guarantees that both parties are ready to exchange whatever data that needs to be exchanged and it allows both parties to agree on an initial sequence number sync and data window size
NORMAL CONNECTION FAILURE!
there is obviously more than one way for a tcp/ip connection to fail =(
the most common is for a connection to be reset or rejected by the receiving or answering host
^^ most commonly done by the receiving/answering system
heres a quote from the tut ( in fear of messing up i will quote)
in some cases if there is an IP filtering router between the client/originating host and the server/receiving host, the filtering router will filter - block the SYN and send a RST or ICMP unreachable message or sometimes just drop the SYN ( blackhole) and send nothing back. this is a drop vs. reject
ok next item
Apache 1.1.1
you can get a directory listing of a web server even if there is an index.html file there
on a browser request the URL:
http://www.server.com///////////////...//////////////[many]///////
you should get a listing of the files instead of the contents of the index.html file
Apache 1.1.1 (without cookies) not the cookies u eat go to jargon and look up cookies if u dont already know it
a buffer overflow condition exists in the cookie processing code of the server and that can be exploited to get a shell or run commands as the server userid.
FTP ( file transfer protocol) Bounce attack
if u manipulate the ftp daemon ( not to be confused with demon , if u do not know daemon please go to jargon) that supports the PASV command it is possible to get third party one way connections thru the ftp host
this can be used to transfer data anonymously or slip past application firewalls ( NOT RECOMMENDED!) or remotely portscan
moving on to Normal FTP connection
1. u can establish a connection to the server's FTP port from a high numbered port to port 21 on the server
Login/password are sent over this connection
2. when the client or originating host wants to get a file it opens a local port (high port) and sends a msg to the server to connect to that port and transmit the requested data
FTP bounce Attack
the best fix for this is to upgrade your ftp daemon ( did u look up daemon? u should have!)
some firewalls which filter command and content can block this attack but it is not advised to rely on this security strategy
Ping flooding
it is a DOS (denial of service) attack involving flooding the victim with IP traffic, thus taking away or decreasing the remote site's available bandwidth
this allows an attacker to inhibit network connectivity to the target network
remember kids high-bandwidth beats low bandwidth *lol*
spoofable , thus easy to hide source
awe heres something sad :
DDoS Attacks
*similar to "smurf" attacks
*attacker does NOT have to be online ( connected to internet) but can be!
*they are nearly impossible to defend against
*best defense is not to be a "tool"
TCP port scanning
this is a term that refers to the way of sequentially connecting to IP ports and finding out if there is a daemon running on that port
moving on
IP Fragmentation: the tcp/ip protocol standard does support the ability to fragment IP packets into smaller packets
this accommodates IP transmission over congested networks or over nets with smaller MTU sizes <- that was quoted
next stop is IP fragmentation flooding
okay well any tcp/ip implm. has to deal with fragmented packets of some sort , so a DOS attack can be done by sending random IP frags. to a system, so then the system will buffer these frags. and it waits for the other IP or TCP frags to arrive to put together the packets but the joining frag never arrives! so then this will cause a system to run low on memory and CPU resources! bummer eh? =(
side note : both IP and tcp packets can be fragmented , the protocol supports this
ip fragmentation :
on a healthy, good running network IP fragmentation is really rare
<quote> filter fragments at the router level (1% / 5%) of sites have problems connecting
RFC 1858 (solution?)
See also RFCs 791 and 815
IP sequence prediction
most OSs now randomize their sequence numbers to thwart prediction
this attack can be prevented with ip filtering to inhibit ip spoofing <- also a quote
crypto login authentication sys. will inhibit the establishment of login sessions
Sniffers / Data Interception
Sniffing is a term that's used to describe eavesdropping on a network, its really common for many black hats to install a sniffer on a system ( dont ask me to explain how ) to get info to collect at another time
stats : 85-95 % of internet attacks are sniffer based
if u think this is not big deal listen to this these are the services affected by sniffers :
telnet
rlogin
pop/IMAP
http/WWW
ftp
SMTP
SNMP
rpc/NFS
these are just a few , u can count on there's more services affected
so you are wondering... how do i protect myself? well let me tell ya! the best way is a "smart" hub or "switch"
whenever its possible for u to remove support for promiscuous mode from the kernel DO IT!
antisniff is a prog that can detect most sniffers remotely on a local network
moooooving on
on a local ethernet network communication relies on each ethernet interface having a special mac address ( a property of an ethernet interface card) the 'table' a system maintains that maps MAC addresses to a system's IP address is referred to as the ARP table <- that was a quote
u should know this : on the ethernet level its possible to insert erroneous info into a sys's arp cache , why? because as i told u before each layer's security is based on the preceding protocol and ethernet is at the bottom
it permits ppl to impersonate any machine on a LAN ( local area network)
and many DOS attacks are possible cuz like i said before the security level isnt too great
also there is a possibility of intercepting and redirecting ethernet communications
DNS is domain name system and its one of the internet's fundamental building blocks ... very important =) dns provides a distributed host info database used for the mapping of host names and IP addresses and their inverse mapping
NORMAL dns RESOLUTION
ok this seems expensive right? but its really efficient once u add the concept of caching
therefore the DNS server doesnt have to send a query to "." or learn where the heck .com is located , etc, u know what im getting at!
but alas the vulnerability of DNS is the cache , when someone inserts erroneous info into the server's cache they can redirect network connections also they can block the access to remote sites .. another bummer
ok well that concludes our tour ladies and gentlemen please gather all your belongings , get the heck off my tcp/ip bus! lol
if u want info on where i got this info u can PM me or get ur booty on IRC and ask me for this tutorial, i suggest you do because there are many things i left out because i thought it wasnt necessary and there are many purdy pictures =) this was called
tcp/ip and its weaknesses and vulnerabilities by peter shipley email : shipley@dis.org
+1 510 849 22 30 ( i think thats his phone number ) it was on the tut
but remember u need adobe acrobat reader for this
-jan
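The three-way handshake and the "drop vs. reject" failure modes described in the post, as an added example that is not part of the original post or of Shipley's tutorial. It is a constructed model of the exchange (no real sockets): the client sends a SYN with a randomized ISN and window, a filtering router in front of the server either forwards it, answers with a RST, answers with ICMP unreachable, or blackholes it, and the server answers SYN-ACK only if a daemon is listening. Names, policy strings and window sizes are assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Segment:
    """Just the TCP header fields the handshake needs (a constructed model, not a packet parser)."""
    src: str
    dst: str
    flags: frozenset
    seq: int = 0
    ack: int = 0
    window: int = 0

def isn():  # initial sequence number; modern stacks randomize it to thwart prediction
    return secrets.randbelow(2 ** 32)

def filtering_router(seg, policy):
    """IP filter in front of the server: allow / reject (RST) / icmp (unreachable) / drop (blackhole)."""
    if policy == "allow" or "SYN" not in seg.flags:
        return "forward", seg
    if policy == "reject":
        return "reply", Segment(seg.dst, seg.src, frozenset({"RST"}))
    if policy == "icmp":
        return "reply", "ICMP_UNREACHABLE"
    return "silence", None  # drop: nothing is sent back

def server_answer(syn, listening):
    """SYN-ACK when a daemon is on the port, otherwise the host resets the attempt."""
    if not listening:
        return Segment(syn.dst, syn.src, frozenset({"RST"}), ack=syn.seq + 1)
    return Segment(syn.dst, syn.src, frozenset({"SYN", "ACK"}), seq=isn(), ack=syn.seq + 1, window=8192)

def connect(policy="allow", listening=True, retries=3):
    """Run the handshake; returns (outcome, segments seen on the wire)."""
    trace, syn = [], Segment("client", "server", frozenset({"SYN"}), seq=isn(), window=65535)
    for _ in range(retries):
        trace.append(syn)
        verdict, reply = filtering_router(syn, policy)
        if verdict == "silence":
            continue  # client times out and retransmits the same SYN
        if verdict == "reply":
            trace.append(reply)
            return ("RESET" if isinstance(reply, Segment) else reply), trace
        answer = server_answer(syn, listening)
        trace.append(answer)
        if "RST" in answer.flags:
            return "RESET", trace
        trace.append(Segment("client", "server", frozenset({"ACK"}), seq=syn.seq + 1, ack=answer.seq + 1, window=syn.window))
        return "ESTABLISHED", trace  # both sides now agree on ISNs and window sizes
    return "TIMEOUT", trace  # blackholed: the client gives up after its retries
```

Note how a reject (RST or ICMP) fails in one round trip while a drop costs the client every retry, which is why the quoted tutorial distinguishes the two.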
July 10th, 2002, 11:04 PM
#2
Senior Member
All in all there is a lot of good information here although I am sure you are paraphrasing most of this information because some of it isn't quite right. Let me point out two. First TCP/IP is NOT a 7 Layer Protocol stack it is a 4 Layer stack. The 7 layer stack you are referring to is the OSI Model and it is just that a model for networking, (too much information to go in here) TCP/IP is composed of four layers.
Network Layer = Physical and Data Link layers of the OSI Model
Internet Layer = Network Layer of the OSI Model
Transport Layer = Transport Layer of the OSI Model
Application Layer = Session, Presentation, and Application Layers of the OSI Model
Check your information
Also, using a "Smart" hub WILL NOT prevent sniffing. A HUB period is a layer one device and is only concerned about the signal strength and does not do any filtering based upon MAC addressing as a SWITCH would do. A "SMART" Hub only has some management built into it.
Again check if you like...
p41di3
My other Computer is a 4000 node Beowulf Custer
July 11th, 2002, 12:41 AM
#3
Hum, much of this is outdated...
Apache 1.1.1 is waaaayyy outdated: we're up to 1.3.26
FTP bounce attack is based on quite old ftpd servers too...
Ping flooding is old news too..
Also, the best way to protect against sniffing IS NOT a switch (if you understood your part about arp-poisoning, you'd know that) the switch can be fooled to redirect to the wrong host. Many switches will also revert to broadcasting when flooded...
The only safe way to protect against sniffing is ENCRYPTION. SSH, SSL, TLS, IPSec are your friends...
This is a little too recycled to my taste...
Ammo
Credit travels up, blame travels down -- The Boss
July 11th, 2002, 12:54 AM
#4
i never said it was the tcp/ip model , i said it was the osi model later im sorry if it isnt up to your standards at least im trying , throw me a friggin bone here ( not literally)