Transcript Anti-hacker Tool Kit: CH13 Port Redirection Jared 04/03/31
Information Networking Security and Assurance Lab National Chung Cheng University
Agenda
Introduction
Datapipe
FPipe
Case Study: Port Hopping
Case Study: Packet Filters, Ports, and Problems
Conclusion
Reference
Introduction
Port
For a packet to reach its destination, it must have a destination IP address and a destination port.
TCP/IP allows 16-bit port numbers.
Well-known port numbers: 0~1023
The Well Known Ports are controlled and assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
Registered port numbers: 1024~65535
The Registered Ports are not controlled by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.
ms-sql-s 1433/tcp Microsoft-SQL-Server
ms-sql-s 1433/udp Microsoft-SQL-Server
netstat
datapipe
A port redirection tool passes TCP/IP traffic received by the tool on one port to another port to which the tool points.
Port redirection is protocol ignorant
Neither a client nor a server
datapipe
protocol ignorant
FPipe
By Foundstone
Implements port redirection techniques natively in Windows
Adds User Datagram Protocol (UDP) and outbound source port number support, which datapipe lacks
FPipe (cont.)
Case Study: Port Hopping
Local Redirection
Client Redirection
Dual Redirection
Case Study: Port Hopping
Local Redirection
C:\>fpipe -l 22 -r 3389 localhost
$ ./datapipe localhost 3389 33
Case Study: Port Hopping (cont.)
Client Redirection
“spork” is IIS exploit code written to run against port 80
IIS server running on port 7070
spork
C:\>fpipe.exe -l 80 -r 7070 www.target.com
C:\>spork localhost
Case Study: Port Hopping (cont.)
Dual Redirection
[Diagram: hosts A, B, C, D]
C:\>fpipe -l 1433 -r 80
Case Study: Packet Filters, Ports, and Problems
Basic packet filters allow or deny traffic based on IP addresses and port numbers.
Linux’s ipchains and Cisco routers
Source IP address
Source port
Destination IP address
Destination port
Source-port problems
ftp data connection
DNS
Use FPipe’s outbound source port option (-s)
C:\>fpipe -l 3389 -r 3389 -s 20 192.168.0.116
Case Study: Packet Filters, Ports, and Problems (cont.)
Blocking Port Redirection
Host security
command-line access
Patch, configure, verify
Ingress filters
“DENY ALL”
Egress filters
Web server
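The source-port problem from this case study, as an added example that is not part of the original slides: a stateless first-match packet filter is modelled in Python and checked for which source ports let an arbitrary outside host reach 192.168.0.116:3389, first with rules that trust source port 20 or 53 alone, then with rules defined in more detail. The rule format, the outside address 203.0.113.5 and the server addresses 198.51.100.10 and 198.51.100.53 are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = range(0, 65536)
HIGH = range(1024, 65536)

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network (CIDR)
    sport: range  # source port range
    dst: str      # destination network (CIDR)
    dport: range  # destination port range

def decide(rules, src, sport, dst, dport):
    """Stateless evaluation: first matching rule wins, default is DENY ALL."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and sport in r.sport
                and ip_address(dst) in ip_network(r.dst) and dport in r.dport):
            return r.action
    return "deny"

def admitted_source_ports(rules, dst, dport, outside="203.0.113.5"):
    """Source ports that let an arbitrary outside host reach dst:dport."""
    # Probe the low end of every restricted source-port range named in an
    # allow rule, plus one ordinary ephemeral port (40000) as a control.
    probes = {r.sport.start for r in rules
              if r.action == "allow" and len(r.sport) < len(ANY)} | {40000}
    return sorted(p for p in probes
                  if decide(rules, outside, p, dst, dport) == "allow")

LAN = "192.168.0.0/24"
# Constructed weak rule set: reply traffic is recognised by source port alone.
WEAK = [
    Rule("allow", "0.0.0.0/0", range(20, 21), LAN, HIGH),  # FTP data
    Rule("allow", "0.0.0.0/0", range(53, 54), LAN, HIGH),  # DNS replies
]
# Constructed tightened rule set: the service port is denied first, and each
# source-port rule names the one server expected to send that traffic.
TIGHT = [
    Rule("deny", "0.0.0.0/0", ANY, LAN, range(3389, 3390)),
    Rule("allow", "198.51.100.10/32", range(20, 21), LAN, HIGH),
    Rule("allow", "198.51.100.53/32", range(53, 54), LAN, HIGH),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("tight", TIGHT)):
        print(name, admitted_source_ports(rules, "192.168.0.116", 3389))
```

The model ignores protocol and connection state on purpose, since that is the limitation of the basic packet filters the slide describes.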
Conclusion
Ports are used in the TCP to name the ends of logical connections.
The port redirection tool is neither a client nor a server. It functions as a conduit for TCP/IP connections, not an end point.
A firewall or router access control list should be defined in as much detail as possible.
Reference
DATAPIPE http://cvs.sourceforge.net/viewcvs.py/synce/htdocs/datapipe.c
Foundstone http://www.foundstone.com/
RFC 1700 ASSIGNED NUMBERS http://www.ietf.org/rfc/rfc1700.txt?number=1700