Skip to main content

Welcome to Mark Baggett - In Depth Defense

I am the course Author of SANS SEC573 Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.




TCP Fragment Evasion

Originally posted on http://pauldotcom.com/2009/08/tcp-frament-evasion-attacks.html

By: Mark Baggett

I recently read a very good article on tuning Snort's Stream5 preprocessor to avoid "TCP Fragment Overlap" attacks. It's a great article, but the wording confused me. I thought to myself, "TCP Fragments, that must be a mistake. The TCP Header doesn't have a 'more fragments bit', a 'fragment offset' or anything to support fragmentation. How can there be any TCP fragments?"   Typically when we talk about fragmentation attacks we think about Layer 3 attacks. Attackers manipulate the IP packet headers to pull off various insertion and evasion attacks. Examples of layer3 attacks include overlapping fragment attacks and temporal evasion (host reassembly timeout evasion). These attacks are explained pretty well in an article titled "Evading NIDS, revisited".

So what is TCP or Layer 4 "fragmentation"? Really, its overlapping or retransmitted datagrams with the same TCP Sequence number. To demonstrate the concept I fired up a virtual machine running Backtrack 3. I ran a netcat listener on my host (nc -l -p 9000) and used a netcat client in backtrack to connect to it. I fired up wireshark to watch the packets and I transfered the text "This is a test of the emergency broadcast system. If it were an actual emergency" between the two hosts. This is what Wireshark captured.

Figure #1

TCPFragmentation1.jpg



View image


Perfect. Exactly what we would expect. Since my packet doesn't exceed the MTU of the established TCP connection a single packet is transfered to the client with a single acknowledgment in return.  If it had exceeded the MTU it still wouldn't have fragmented. It would have sent more than one datagram, each with its own unique IP ID.


Then I created a fragroute configuration file with one line in it:

tcp_seg 16



This will cause fragroute to break the packets down so that they can only carry 16 bytes of TCP traffic. I start fragroute (fragroute -f ~/myfrag.conf 192.168.100.12) and transfer the same text between the hosts...

Figure #2



TCPFragmentation2.jpg


View image

Fragroute works as expected and breaks the packets down such that only 16 bits of data can be transfered in each packet. Each packet sequence number increases by the number of bytes transmitted. Sequence numbers increase in order. Also, notice that each packet has its own unique IP ID field. There is NO FRAGMENTATION. The "More Fragments bit" isn't set.   The fragment offset isn't set. No fragments. Instead, fragroute is transferring packets as if the MTU of the segment is only enough for 16 TCP bytes.



So now lets do some "tcp fragmentation overlaps". I change my fragroute.conf file to say this:



tcp_seg 16 new



This will cause fragroute to transmit frames with overlapping sequence numbers.   This attack takes advantage of the fact that the TCP layer doesn't pass data up the stack to the application until it has acknowledged the data and that packets are acknowledged in sequential order.    So if we skip datagram #3  and transmit datagrams #4, #5 and #6, duplicates of #4 and overlaps of #5 and #6 then the TCP stack needs to hold datagrams #4,#5 and #6 (as long as they are within the window size) and figure out what to do with duplicates/overlaps once it receives fragment #3.

To see this in action I fire up fragroute and retransmit the text "This is a test of the emergency broadcast system. If it were an actual emergency"  

Figure #3

TCPFragmentation3.jpg

View image



Lets look at it in the fragroute packets in figure#3.   The first two datagrams (#1 and #2) are garbage.  Their payload is random junk.  Then fragroute transmits good data in packets 4 and 5.  The payload here is the end of our payload "If this had been an actual emergency."  After the 4th packet the receiving host begins screaming to the transmitting client "HEY DUDE,  ACK 2933750986.  I didn't get that one yet".   The receiving TCP stack is complaining about not receiving the first datagram.    Then fragroute sends 2 packets with 32 TCP bytes in each.  These two datagrams include the  FIRST datagram (Notice packet #10 has the lowest sequence number and the embedded text payload).  Parts of these two packets overlap packets 1 and 2. Packet #9 overlaps 16 bytes of packet #2.  16 bytes of packet #10 overlap packet #1.  If the TCP reassembly engine favors NEW packets then it will reassemble the text as expected.  If the IDS reassembles the packets favoring the OLD packets then we can bypass the IPS. If we were drawing analogies to layer three fragment attacks holding the low sequence number datagrams is equivalent to setting the "more fragments bit" and the sequence number is the equivalent to the fragment offset. So how to fix this?  The attacks aren't new.  Snort has the STREAM5 preprocessor.  Just be sure that you tune STREAM5 just like your FRAG3 preprocessor.  

References



Snort's Stream5 and TCP overlapping fragments An article by Richard Bejtlich that sparked my interest in this topic. Its a very good article with more explanation on tuning the snort preprocessor.

Popular posts from this blog

SRUM-DUMP and SRUM_DUMP_CSV Ported to Python 3

SRUM_DUMP and SRUM_DUMP_CSV have been ported to Python3 and are available for download from the PYTHON3 branch of my github page.

https://github.com/MarkBaggett/srum-dump/tree/python3

In moving to Python3 I also updated the modules that I depend upon to parse and create XLSX files and access the ESE database that contains the SRUM data.  I hope that this will fix the issue that some users have experienced with SRUDB.dat files that create very large spreadsheets.  If it does not please let me know and continue to use SRUM_DUMP_CSV.EXE to avoid the XLSX problem.

In moving to Python3 you will find the process to be faster.

If you would like to run the tools from source instructions for doing so are in the README on the github page.

Awesome Keyboard Tricks - Clevo/Sager Backlight control from Powershell

I'm back on Windows.   After 8 years on a Macintosh I just couldn't go another day with ONLY 16GB of RAM.   I priced it out and for the cost of a top of the line MacBook I could get a tricked out PC with 32GB of ram and 2.5 TB or hard drive space (1.5 of it being SSD).   So I made the switch.  To get a top performing laptop I ended up buying a gaming machine from xoticpc.com.   The model is Sager NP9752 (Clevo P750ZM).    I have to say I like it quite a bit.    One of the features I was curious about was the "Programmable backlit keyboard".   With it you can set your keyboard backlight to various colors and light movement patterns.    Now, when I hear "programmable" I think APIs.   I was a little disappointed to find out there weren't any documented APIs that I could use to control the keyboard.    Your only choice is to use their built in tool to configure the lights on the keyboard.   That stinks.  I want to be able to change key colors automatically …

Use Python and Scapy to Easily Do Full Duplex Stream Reassembly!

Check out this blog on how to get scapy to do full packet reassembly in just a few lines of Python code.

https://pen-testing.sans.org/blog/2017/10/13/scapy-full-duplex-stream-reassembly


New tool Freq_sort.py

I read an article on Fireeye's website the other day where they used Machine Learning to eliminate a lot of the noise that comes out of tools like strings.  It's pretty interesting and looks like it would save me some time when looking through malware.

https://www.fireeye.com/blog/threat-research/2019/05/learning-to-rank-strings-output-for-speedier-malware-analysis.html

I wondered how effective freq.py scores would be in helping to eliminate the noise.  45 minutes and 29 lines of Python code later I have something that looks like it works.  Check out freq_sort.py.

Before freq_sort.py here is the output of strings on a piece of malware:

student@573:~/freq$ strings -n 6 malware.exe | head -n 20
!This program cannot be run in DOS mode.
e!Rich
`.rdata
@.data
.pdata
@.gfids
@.rsrc
@.reloc
\$0u"H
L$ SVWH
K SVWH
|$ H;_
<bt%<xt!<Zt
|$ AVH
l$ VWAV
L$ SUVWH
UVWATAUAVAWH
0A_A^A]A\_^]
UVWATAUAVAWH
@A_A^A]A\_^]

After freq_sort.py the useful stings quickly bubble to the top.  Its not perfect but th…

FREQ and FREQ-SERVER UPDATE

While sitting in SANS SEC511 I listened to @sethmisenar lament the difficulty in using existing tools to detect DGA (Dynamically Generation Algorithm) hostnames used by malware. There are lots of AI based tools out there that do this but some are rather complex. I thought I could quickly write a tool that would work. In about 30 minutes I threw together some old code I had lying around from a SQL Inction tool I worked on and I had a working proof of concept. freq.py was born and it worked pretty well. A year later @securitymapper had me wrap it in a web interface so he could query it from a SIM and then the tool took off. It turns out to be a pretty effective technique and gained some popularity and wide use! This is a rewrite of the tool that incorporates some lessons learned and performance enhancments.
Improvements: -Only one table is required for case sensitve or insensitive lookups. The tables are all case sensitive. You can turn off and on case sensitivity and the .probability l…