[an error occurred while processing this directive] [an error occurred while processing this directive]
[an error occurred while processing this directive] [an error occurred while processing this directive]
;) Packet-Securitydot com
[an error occurred while processing this directive] [an error occurred while processing this directive]

Papers By Bagarre:

  • Intro to PGP
  • Chris Snell give a good explaination of what Pretty Good Privacy is and how it works.

  • Intro to Pseudo Code
  • A good read on the basics of pseudo code and program management.

  • I'd rather be fragging
  • Bypassing those Linksys boxes, some ACLs and tons of other fun stuff.

  • The Art of Wardialing
  • A lost art? Not worth exploring? I think not.

  • deny, Deny, DENY
  • If you didn't say it could come in, it shouldn't. This will be a discussion on router ACLs and the construction of a DMZ.

  • OPP Other People's Passwords
  • How do you get your users to use good passwords? How important is it?

  • The Enemy Within
  • Do you trust your users? Should you? The internal threat is real and needs to be addressed with written policy, permissions and well planned grouping.

  • Who's Watching Who?
  • The intruder is no doubt looking at your traffic. You should too. How will you know what's not normal if you've never seen your normal traffic on the wire?

      [an error occurred while processing this directive]
    [an error occurred while processing this directive]
    [an error occurred while processing this directive]
    I'd Rather be Fragging
    By: Bagarre
    [an error occurred while processing this directive]
    Loading Document
    If the page does not load, click here.
    [an error occurred while processing this directive] [an error occurred while processing this directive] IP Packet Fragmentation: The act of breaking up large packets into smaller pieces in order to be transmitted over a small network path.

    Reference: RFC-791

      Packet fragmentation is a method built into the IP header to allow large data packets to traverse networks that can't handle the original packet. In today's networks, packet fragmentation is all but forgotten about. The capability is still there however, due to the quality and speed of networks, it's not needed. The method of IP fragmentation is kind of like this:

       Imagine you just finished a 32-page letter to your mom. It's a long letter but you find an envelope that you can fit the entire letter into. You take it to your local Post Office and the Post Master tells you that they can't deliver the letter because it's too big. It just wont fit in their delivery truck (It's the US Postal Service, give me a break here). The Post Master tells you that the biggest package he can accept is 5 pages long and you will have to 'fragment' your letter accordingly. You pull out the letter (data) from the old envelope (IP Header) and divide it into fragments no bigger than 5 pages. That gives us six five page fragments and one two page fragment. You didn't number the pages! You decide to label each of the new envelopes according to where they fit in the big package (Offsets). The first fragment goes at space zero or the beginning. The second fragment goes at space five, third at space ten, fourth at space fifteen and so on. This way, once your mom gets all the fragments, she can re-assemble them into the original letter. [an error occurred while processing this directive] [an error occurred while processing this directive]

       This seems like a good idea until the Post Master tells you that, the next Post Office down the road can only accept letter that are half a page. If he fragments the letter as well, all of your 'offsets' will be useless! Hmm. To be safe, you decide to divide the entire letter into ten word increments and 'use this as your new offset scale. This way, so long as no one tries to break the letter any smaller than 10 words, they can use the same fragmentation and offset scheme as you and, your mom will be able to re-assemble the letter with ease (Although, I doubt she would be happy about getting a 32 page letter in ten word increments.) So that your mom knows when she has all the fragments, you mark each letter saying there are more fragments to come and then the last letter (or fragment) says, "No more fragments."

       The new envelope 'offsets' would not be the number of ten word groups it contained but, rather where the first word of the envelope should be placed from the first word of the entire letter. IE: The contents of this envelope should be placed at the 1023rd ten-word group space from the beginning of the letter. Sound like a complicated way to do business? For a person, it is. For a computer, it's rather fast. The computer doesn't have to count into the data; it doesn't have to keep track of how many packets it's received (IP has no way of counting packet sequence) and the destination computer doesn't have to care about how many times a packet was broken up or fragmented enroute. The draw back is, the sender has no control over how the packet is fragmented. If any of the fragments are lost enroute, the destination computer (Mom) has to ask the sending computer to resent the entire letter (packet). The only protection is to set the packet as "Don't Fragment". If the packet must be fragmented by a computer along the way, the packet is dropped and a message sent back to the sender saying, "I can't send this without fragmentation." [an error occurred while processing this directive] [an error occurred while processing this directive]

    Now For Some Fun ;)

       For some bizarre reason, the Post Office that handles mail for your Mom screens all letters! (Again, US Postal Service) They are constantly going thru mail looking at the first 50 ten word blocks for very specific strings of words. They aren't too smart about it though. They have a list of paragraphs they look for and they need to match exactly. Unfortunately, the secret stuff you are sending you mom MUST be within the first 50 or so blocks and they MUST be worded exactly. To get around this, you fragment your letters into pieces smaller than the whole of what they are looking for. When your Mom puts it all back together, she has whatever paragraph the Post Office was looking for but, they are none the wiser!

       Well, the guys as the Post Office got wind of this and decided they should do something about it. They are already pretty busy scanning all of these letters so; a quick fix is to only reassemble the first few fragments until they can see enough of the packet to know what's going on. This works pretty good. Until we get a little more creative...

       Remember all that talk about packet fragmentation earlier? Here is where we put it to work for us. What would happen if we wrote the letter so that the first few fragments were harmless conversation (to fool the Post Office) and then later, we send another packet with the offset of zero to over write that piece of the conversation? The Post Office is only assembling enough of the package to read the first 50 blocks but your mom will re-assemble the whole package using the packet with the 'spoofed' offset. Pretty cute huh? That is why IP packet fragmentation is so useful! Every once in a while, you'll come across a Post Office (Firewall/Router) that will de-fragment the entire packet but, there are not man companies that can afford this type of horse power. [an error occurred while processing this directive] [an error occurred while processing this directive]

    How can we use this in the real world?

       IDS systems and Firewalls try to match the data inside an IP packet with a specific set of definitions the same way Anti-Virus software tries to match strings in files. If it finds one of these strings, it pops a warning of a certain type of attack. If it doesn't find a string match, it sits dumb and quiet. If the packets are fragmented smaller than the string they are looking for, they wont see it! Some of the newer IDSs will de-fragment some of the packet or others will just pop warnings of a possible fragmented attack.

       Another way to employ packet offset spoofing is to get past router ACLs and those pesky Linksys personal router boxes. This is more to evade TCP/UDP filters by using IP fragmentation to re-write the TCP header. On fragmentation, everything past the IP header can be fragmented and re-written with spoofed packets. Each new fragment gets it's own IP header but, the TCP or UDP header is split up and thus, subject to creative over-writing So...

       Say you find a computer behind a router that only allows port 80 inbound to that computer. This is very common. A good set of ACLs should only allow port 80 to your web-server for normal traffic (http) and 443 for secure web-server (https). That web server may also be listening on another port that is not accessible from outside the firewall. Let's say, it's a Windows box and is listening on port 139 for user logons, IPC, File and Print shares. With a normal packet, you can't get to port 139 because the firewall will drop the packet. So, we fragment... [an error occurred while processing this directive] [an error occurred while processing this directive]

       We fabricate a packet to exploit vulnerability on port 139. Then, we fragment the packet into little pieces. Once it's fragmented, we replace the destination port field with port 80 because, it's allowed thru the firewall. Next, we set the last fragment to "More fragments" and fabricate a new 'Last Fragment' packet. This new fragmented packet is very small and only contains the new destination port and has an offset to over write the old destination port. When the firewall receives this packet, it will see a destination port of 80 and allow the fragment (and all following fragments) thru to the web-server. The web-server will do nothing with the fragments until it has all the pieces and reconstructs the packet. As it's reconstructing the packet, it receives the fabricated packet with the 'spoofed' offset and sticks it in the appropriate place, thus changing the destination port. The fully constructed packet it directed, not to port 80 but to port 139 and your exploit is launched.

       A very simple use of this is to send canned packets thru in order to port scan a computer behind a firewall however, with enough skill you can actually accomplish full TCP connections to blocked ports! One thing to remember though, in today's world, legitimate packet fragmentation in incredibly rare. So rare that, any fragments on a network should be cause for alarm. [an error occurred while processing this directive] [an error occurred while processing this directive]

       Fixes:

    Now that we know how fragmentation can be used for evil. How do we keep evil packets out of our networks?

    1. Drop all fragmented packets. Sounds a little harsh but it does work rather well. Before it gets to your IDS or even into your network, just set your outer router to drop the packets. There will be a few people in the world that this might inconvenience but, in reality, the only people it will piss off is the intruders.
    2. Block ephemeral ports at the router. If you are blocking port 139 as a destination port, block it as a source port as well. In fact, I'd say block all source ports from 1024 and below unless specifically needed (port 80 from web server needs to be allowed as an ephemeral port). This should be used in conjunction with number one because it is possible to DOS a computer with a single packet to a specific port. This procedure will also stop some types of reverse tunneling backdoors.
    3. Monitor your logs! Look at your networks. Fragmented packets do not belong on a modern network. If you see one (or a piece of one) after you've blocked them, be alarmed and find out How, Where and Why it got in.

      -Bagarre
    [an error occurred while processing this directive] [an error occurred while processing this directive]

    Loading Document
    If the page does not load, click here.

    Google Packet-Security.com
    [an error occurred while processing this directive]
    [an error occurred while processing this directive]