Anti-hacker Tool Kit: CH13 Port Redirection Jared 04/03/31


Information Networking Security and Assurance Lab National Chung Cheng University


Agenda

Introduction

Datapipe

FPipe

Case Study: Port Hopping

Case Study: Packet Filters, Ports, and Problems

Conclusion

Reference


Introduction

Port

- For a packet to reach its destination, it must have a destination IP address and a destination port.
- TCP/IP allows 16-bit port numbers.
- Well-known port number: 0~1023
  - The Well Known Ports are controlled and assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
- Registered port number: 1024~65535
  - The Registered Ports are not controlled by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users.
  - ms-sql-s 1433/tcp Microsoft-SQL-Server
  - ms-sql-s 1433/udp Microsoft-SQL-Server

netstat


datapipe

A port redirection tool passes TCP/IP traffic received by the tool on one port to another port to which the tool points.

Port redirection is protocol ignorant

Neither a client nor a server


datapipe


protocol ignorant


FPipe

FPipe

- By Foundstone
- Implements port redirection techniques natively in Windows
- Adds User Datagram Protocol (UDP) and outbound source port number support, which datapipe lacks

FPipe (cont.)


Case Study: Port Hopping

Local Redirection

Client Redirection

Dual Redirection


Case Study: Port Hopping

Local Redirection

  C:\>fpipe -l 22 -r 3389 localhost
  $ ./datapipe localhost 3389 33

Case Study: Port Hopping (cont.)

Client Redirection

“spork” is IIS exploit code written to run against port 80; the target IIS server is running on port 7070.

  C:\>fpipe.exe -l 80 -r 7070 www.target.com
  C:\>spork localhost

Case Study: Port Hopping (cont.)

Dual Redirection

(Diagram: hosts A, B, C and D)

  C:\>fpipe -l 1433 -r 80
  $ ./datapipe 80 1433


Case Study: Packet Filters, Ports, and Problems

Basic packet filters allow or deny traffic based on IP addresses and port numbers.

- Linux’s ipchains and Cisco routers
  - Source IP address
  - Source port
  - Destination IP address
  - Destination port

Source-port problems

- FTP data connection
- DNS

Use FPipe’s outbound source port option (-s)

  C:\>fpipe -l 3389 -r 3389 -s 20 192.168.0.116

Case Study: Packet Filters, Ports, and Problems (cont.)

Blocking Port Redirection

- Host security
  - command-line access
  - Patch, configure, verify
- Ingress filters
  - “DENY ALL”
- Egress filters
  - Web server

Conclusion

Ports are used in the TCP to name the ends of logical connections.

The port redirection tool is neither a client nor a server. It functions as a conduit for TCP/IP connections, not an end point.

A firewall or router access control list should be defined in as much detail as possible.
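An added example (not from the original slides) of the source-port problem from the packet filter case study: a first-match stateless filter evaluated with a rule that trusts source port 20, beside a rule that pins all four fields. The filter model, the FTP server address, the client subnet and the sample packets are constructed assumptions; only 192.168.0.116 and port 3389 come from the slides.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET, ANY_PORT = "0.0.0.0/0", range(0, 65536)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str = ANY_NET
    sport: range = ANY_PORT
    dst: str = ANY_NET
    dport: range = ANY_PORT

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and p.sport in self.sport
                and ip_address(p.dst) in ip_network(self.dst)
                and p.dport in self.dport)

def decide(rules, packet):
    """First matching rule wins; no match falls through to "DENY ALL"."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"

# Weak inbound ACL: trusts anything that claims source port 20 (FTP data).
WEAK = [Rule("allow", sport=range(20, 21))]

# Detailed inbound ACL: source IP, source port, destination IP and
# destination port are all pinned (assumed FTP server and client subnet).
HARDENED = [Rule("allow", src="203.0.113.10/32", sport=range(20, 21),
                 dst="192.168.1.0/24", dport=range(1024, 65536))]

# Constructed packets: redirected traffic sent with source port 20, and a
# genuine active-mode FTP data connection to a client workstation.
REDIRECTED = Packet("198.51.100.7", 20, "192.168.0.116", 3389)
FTP_DATA = Packet("203.0.113.10", 20, "192.168.1.25", 50000)

if __name__ == "__main__":
    for name, acl in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, decide(acl, REDIRECTED), decide(acl, FTP_DATA))
```

Even the detailed rule cannot tell whether a client actually requested the data connection; that check needs a stateful filter that tracks the FTP control session.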


Reference

DATAPIPE http://cvs.sourceforge.net/viewcvs.py/synce/htdocs/datapipe.c

Foundstone http://www.foundstone.com/

RFC 1700 ASSIGNED NUMBERS http://www.ietf.org/rfc/rfc1700.txt?number=1700