IP attacks
How does a packet travel?
Application -> transport layer (UDP or TCP) -> network layer (IP) -> pick the interface card -> data link layer (ARP resolves the destination MAC address to find where to send it)
IP header(IPV4 as example)
Version: 4
Header Length: the header size in bytes divided by 4
Each row is 32 bits = 4 bytes; the basic header has 5 rows, so 4*5 = 20 bytes in total. Then 20/4 gives header length = 5: the field really counts the number of 32-bit rows.
Protocol: identifies the upper-layer protocol by number (for example 17 is UDP). It is an 8-bit field inside the header and takes no space in the data part.
Data part
UDP: the UDP header has to be in the first fragment, where it takes 8 bytes of the data part.
So the first fragment's data part is really (8 + payload).
First fragment: IP/UDP/payload
The second fragment's data part does not carry the UDP header; setting the protocol field in the IP header to 17 is enough to say it is UDP.
Other fragments: IP/payload
If one fragment is missing, the packet cannot be reassembled and will not be shown; the fragments that did arrive stay in the buffer.
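As an added example (not part of the original notes), the following parser decodes the IPv4 header fields discussed above from raw bytes: the version nibble, the header length in 32-bit rows, the protocol number, the MF/DF flags and the 13-bit fragment offset in 8-byte units. It also shows that only the fragment at offset 0 carries the UDP header. Both sample packets are constructed by hand for this example; the addresses and ports mirror the scapy script later in the notes.

```python
import struct

# Constructed sample packets (not captured from a real network): a first
# fragment (IP/UDP/payload) and a second fragment (IP/payload) of one datagram.
FIRST_FRAGMENT = bytes([
    0x45, 0x00, 0x00, 0x24,  # version 4, IHL 5 (5 * 4 = 20 header bytes), TOS, total length 36
    0x03, 0xE9, 0x20, 0x00,  # identification 1001, flags 001 (MF set), fragment offset 0
    0x40, 0x11, 0x00, 0x00,  # TTL 64, protocol 17 (UDP), header checksum left as 0
    10, 0, 2, 9,             # source 10.0.2.9
    10, 0, 2, 6,             # destination 10.0.2.6
    0x1B, 0x9E, 0x23, 0x82,  # UDP source port 7070, destination port 9090
    0x00, 0x14, 0x00, 0x00,  # UDP length 20 (8 + 8 + 4, the whole datagram), checksum 0 (none)
]) + b"AAAAAAAA"             # 8 payload bytes, so the next offset is (8 + 8) / 8 = 2

SECOND_FRAGMENT = bytes([
    0x45, 0x00, 0x00, 0x18,  # total length 24: 20-byte header + 4 payload bytes
    0x03, 0xE9, 0x00, 0x02,  # same identification, MF clear, offset 2 (= 16 bytes)
    0x40, 0x11, 0x00, 0x00,  # protocol 17 again: the only thing that says "UDP" here
    10, 0, 2, 9,
    10, 0, 2, 6,
]) + b"BBBB"


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (field layout per RFC 791)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _chksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl_words = ver_ihl & 0x0F            # header length in 32-bit words (rows)
    if version != 4 or ihl_words < 5:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version,
        "ihl_words": ihl_words,
        "header_len": ihl_words * 4,      # bytes: 5 rows * 4 bytes = 20
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),  # Don't Fragment bit
        "mf": bool(flags_frag & 0x2000),  # More Fragments bit
        "frag_offset_units": flags_frag & 0x1FFF,        # 13-bit field, in 8-byte units
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,                # 17 = UDP, 6 = TCP, 1 = ICMP
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def fragment_layout(packet: bytes) -> dict:
    """Show what follows the IP header: the UDP header appears only in the
    fragment at offset 0; later fragments carry bare payload bytes."""
    hdr = parse_ipv4_header(packet)
    start = hdr["header_len"]
    if hdr["protocol"] == 17 and hdr["frag_offset_units"] == 0:
        sport, dport, udp_len, udp_chksum = struct.unpack("!HHHH", packet[start:start + 8])
        return {"layout": "IP/UDP/payload", "sport": sport, "dport": dport,
                "udp_len": udp_len, "udp_chksum": udp_chksum,
                "payload": packet[start + 8:hdr["total_len"]]}
    return {"layout": "IP/payload", "payload": packet[start:hdr["total_len"]]}


if __name__ == "__main__":
    for pkt in (FIRST_FRAGMENT, SECOND_FRAGMENT):
        print(parse_ipv4_header(pkt))
        print(fragment_layout(pkt))
```

Note that the UDP length field in the first fragment covers the whole reassembled datagram, not just the bytes in that fragment, which is why the scapy script later sets udp.len to 8 plus all three payloads.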
Ping of death attack
Can you create an IP packet larger than 65536 bytes?
In real life this cannot happen, but if we set the offset on purpose it can, and it may cause a buffer overflow or other problems.
How it works: set the last fragment's offset to 65536-8 (we have to leave at least one offset unit, 8 bytes, for the last fragment's payload). The offset says where this fragment's payload begins, so if we set its length to 1000 the reassembled packet exceeds 65536. The total data payload is 65536-8+1000-20, where 20 is the header. The offset field counts in units of 8 bytes, so the byte offset has to be divided by 8.
Teardrop attack
Can you create some abnormal condition using offset and payload size?
Yes
Overlapping.
When the second fragment lies entirely inside the first, the length computed as T2-T1 is negative, which as an unsigned value is a huge number. The computer crashes.
Can you use a small amount of bandwidth to tie up a significant amount of a target machine's resources?
Send only the first and last fragments; the target allocates lots of buffer space for the fragments in between, which never arrive.
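The three conditions above (oversized reassembly, overlapping fragments, and fragment sets that never complete) are exactly what a reassembler should check before it trusts a set of fragments. The following checker is an added example written for these notes, not code from the original page: it takes fragments of one datagram as (offset in 8-byte units, payload length, MF) tuples and reports each problem. The four fragment sets are constructed; the "normal" one matches the three-fragment scapy example later in the notes, and the ping-of-death set places its last fragment at byte 65536-8 as described above.

```python
MAX_IP_DATAGRAM = 65535   # largest total length the 16-bit IPv4 length field can express


def check_fragments(fragments, header_len=20):
    """fragments: iterable of (offset_units, payload_len, more_fragments) for one
    datagram (same IP id). Returns the findings a reassembler should raise before
    trusting the set, plus whether the set can be reassembled at all."""
    findings = []
    seen = []                                  # (start, end, mf) in bytes, sorted by offset
    for off_units, length, mf in sorted(fragments):
        start, end = off_units * 8, off_units * 8 + length
        if header_len + end > MAX_IP_DATAGRAM:                     # ping of death
            findings.append(f"oversize: fragment at byte {start} ends at {end}; "
                            f"reassembled datagram would be {header_len + end} bytes")
        if mf and length % 8:                                      # every non-final fragment is 8-aligned
            findings.append(f"bad length: non-final fragment at {start} carries {length} bytes, "
                            f"not a multiple of 8")
        for s, e, _ in seen:
            if start < e and s < end:                              # teardrop: byte ranges intersect
                findings.append(f"overlap: [{start},{end}) overlaps [{s},{e})")
        seen.append((start, end, mf))

    # Completeness: fragments must tile [0, total) with no gaps, and exactly one
    # fragment, the highest one, may have MF = 0. Anything else stays in the buffer.
    complete = bool(seen)
    expected = 0
    for start, end, _ in seen:
        if start > expected:
            findings.append(f"gap: bytes [{expected},{start}) never arrived")
            complete = False
        elif start < expected:
            complete = False
        expected = max(expected, end)
    finals = [f for f in seen if not f[2]]
    if not seen or len(finals) != 1 or finals[0] != seen[-1]:
        complete = False
    return {"complete": complete, "findings": findings,
            "total_len": header_len + expected}


# Constructed fragment sets, as (offset_units, payload_len, MF):
NORMAL = [(0, 40, True), (5, 32, True), (9, 32, False)]   # UDP header + 32, then 32, then 32
PING_OF_DEATH = [(0, 40, True), (8191, 1000, False)]      # 8191 * 8 = 65528 = 65536 - 8
TEARDROP = [(0, 40, True), (1, 16, False)]                # second fragment sits inside the first
INCOMPLETE = [(0, 40, True), (9, 32, False)]              # middle fragment never sent


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping of death", PING_OF_DEATH),
                        ("teardrop", TEARDROP), ("incomplete", INCOMPLETE)):
        print(name, check_fragments(frags))
```

The gap finding is what distinguishes the resource-exhaustion case from a datagram that is simply still in flight: a reassembler cannot tell the two apart from one look, which is why it must bound both the number of pending fragment sets and how long each one is held.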
ICMP redirect message (MITM)
Turn on redirect mode.
Send a spoofed packet that contains the ICMP redirect information.
Format: (ip/icmp/ip2/UDP()). ip carries the real source and destination IP; ip2 is the embedded header inside the redirect message, carrying the source and destination IP that the redirect tells the host about.
Result: every packet for a specific local network or host gets sent to the attacker.
Can you launch ICMP redirect from remote computer ?
No. If we pretend to be the gateway and send a redirect for another network, it does not pass the reverse path filter: the interface the packet arrives on is not the interface the route back to its source would use, so it is dropped.
Can you use ICMP redirect attacks to redirect to a remote computer?
No. The new gateway would be on a remote network, not on the same local network, so the redirect is not accepted.
ICMP smurf
IP directed broadcast
Victim: 1.2.3.4
Spoof the victim's address as the source of an ICMP broadcast; every computer replies to the victim and crashes it.
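Whether a host honours ICMP redirects, applies reverse path filtering, or answers pings sent to a broadcast address is decided by kernel settings. As an added example (not part of the original notes), the following audit parses `sysctl -a`-style output and lists every setting that leaves the host exposed to the redirect and smurf behaviour described above. The sysctl keys are the real Linux names; the sample output is constructed for this example and does not come from any real machine.

```python
# Linux kernel settings behind the behaviour in these notes, with the values a
# hardened host should have (a set, because more than one value can be acceptable).
HARDENED = {
    "net.ipv4.conf.all.accept_redirects": {"0"},      # do not honour ICMP redirects
    "net.ipv4.conf.default.accept_redirects": {"0"},  # same for interfaces added later
    "net.ipv4.conf.all.secure_redirects": {"0"},      # not even redirects from a known gateway
    "net.ipv4.conf.all.send_redirects": {"0"},        # do not emit redirects ourselves
    "net.ipv4.conf.all.rp_filter": {"1", "2"},        # reverse path filter: 1 strict, 2 loose
    "net.ipv4.icmp_echo_ignore_broadcasts": {"1"},    # do not answer pings to a broadcast address
}

# Constructed sample of `sysctl -a` output: a host that accepts redirects and
# has the reverse path filter switched off.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
"""


def parse_sysctl(text):
    """Turn 'key = value' lines (the format printed by `sysctl -a`) into a dict."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_icmp_settings(settings):
    """Return one (key, current, acceptable_values) tuple per setting that is weak or missing."""
    findings = []
    for key, acceptable in HARDENED.items():
        current = settings.get(key, "<missing>")
        if current not in acceptable:
            findings.append((key, current, sorted(acceptable)))
    return findings


if __name__ == "__main__":
    for key, current, acceptable in audit_icmp_settings(parse_sysctl(SAMPLE_SYSCTL_OUTPUT)):
        print(f"{key} = {current}  (expected one of {acceptable})")
```

On a real host, feed it the output of `sysctl -a` instead of the constructed sample. The rp_filter line is the setting behind the "reverse path filter" answer in the redirect questions that follow: with it off, a packet that arrives on an interface other than the one the route back to its source uses is no longer dropped.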
IP fragment
The IP header has a flags field with an MF (more fragments) bit: 1 means more fragments follow, 0 means no more. Only the last fragment has MF = 0. Only the first fragment carries the UDP header with the source port, destination port and checksum.
Every fragment has its own IP header with the source IP and destination IP.
Use scapy to send fragmented IP packets.
On the receiver (10.0.2.6), listen for the reassembled UDP datagram: nc -lu 9090
#!/usr/bin/python3
from scapy.all import IP, UDP, send

ID = 1001             # same IP identification on every fragment so the receiver groups them
payload = b"A" * 32   # the payload carried by each fragment (32 bytes)

######################################
## First fragment: IP/UDP/payload
######################################
# Only the first fragment carries the UDP header. Its length field covers the
# whole reassembled datagram: 8-byte UDP header + three 32-byte payloads.
udp = UDP(sport=7070, dport=9090)
udp.len = 8 + 32 + 32 + 32
ip = IP(src="10.0.2.9", dst="10.0.2.6")
ip.id = ID
ip.frag = 0          # offset 0 (the field is in 8-byte units)
ip.flags = 1         # MF = 1: more fragments follow
pkt = ip/udp/payload
pkt[UDP].chksum = 0  # 0 means "no checksum", so the receiver does not verify it
send(pkt, verbose=0)

##### Second fragment: IP/payload #####
# No UDP header here; proto = 17 in the IP header is all that marks it as UDP.
# Offset 5 = (8 + 32) / 8, the number of data bytes carried by the first fragment.
ip = IP(src="10.0.2.9", dst="10.0.2.6")
ip.id = ID
ip.frag = 5
ip.proto = 17
ip.flags = 1         # MF = 1: still more to come
pkt = ip/payload
send(pkt, verbose=0)

##### Third (last) fragment: IP/payload #####
# Offset 9 = (8 + 32 + 32) / 8; MF = 0 marks the final fragment.
ip = IP(src="10.0.2.9", dst="10.0.2.6")
ip.id = ID
ip.frag = 9
ip.proto = 17
ip.flags = 0         # MF = 0: last fragment, reassembly can complete
pkt = ip/payload
send(pkt, verbose=0)