In the example above, the host 192.168.42.88 is a Windows XP machine
running an OpenSSH server on port 22 via Cygwin. The tcpdump output below
shows the spoofed SYN packets flooding the host from apparently random
IP addresses. While the program is running, legitimate connections cannot
be made to this port.
reader@hacking:~/booksrc $ sudo tcpdump -i eth0 -nl -c 15 "host 192.168.42.88"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:08:16.334498 IP 121.213.150.59.4584 > 192.168.42.88.22: S 751659999:751659999(0) win 14609
17:08:16.346907 IP 158.78.184.110.40565 > 192.168.42.88.22: S 139725579:139725579(0) win 64357
17:08:16.358491 IP 53.245.19.50.36638 > 192.168.42.88.22: S 322318966:322318966(0) win 43747
17:08:16.370492 IP 91.109.238.11.4814 > 192.168.42.88.22: S 685911671:685911671(0) win 62957
17:08:16.382492 IP 52.132.214.97.45099 > 192.168.42.88.22: S 71363071:71363071(0) win 30490
17:08:16.394909 IP 120.112.199.34.19452 > 192.168.42.88.22: S 1420507902:1420507902(0) win 53397
17:08:16.406491 IP 60.9.221.120.21573 > 192.168.42.88.22: S 2144342837:2144342837(0) win 10594
17:08:16.418494 IP 137.101.201.0.54665 > 192.168.42.88.22: S 1185734766:1185734766(0) win 57243
17:08:16.430497 IP 188.5.248.61.8409 > 192.168.42.88.22: S 1825734966:1825734966(0) win 43454
17:08:16.442911 IP 44.71.67.65.60484 > 192.168.42.88.22: S 1042470133:1042470133(0) win 7087
17:08:16.454489 IP 218.66.249.126.27982 > 192.168.42.88.22: S 1767717206:1767717206(0) win 50156
17:08:16.466493 IP 131.238.172.7.15390 > 192.168.42.88.22: S 2127701542:2127701542(0) win 23682
17:08:16.478497 IP 130.246.104.88.48221 > 192.168.42.88.22: S 2069757602:2069757602(0) win 4767
17:08:16.490908 IP 140.187.48.68.9179 > 192.168.42.88.22: S 1429854465:1429854465(0) win 2092
17:08:16.502498 IP 33.172.101.123.44358 > 192.168.42.88.22: S 1524034954:1524034954(0) win 26970
15 packets captured
30 packets received by filter
0 packets dropped by kernel
reader@hacking:~/booksrc $ ssh -v 192.168.42.88
OpenSSH_4.3p2, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.42.88 [192.168.42.88] port 22.
debug1: connect to address 192.168.42.88 port 22: Connection refused
ssh: connect to host 192.168.42.88 port 22: Connection refused
reader@hacking:~/booksrc $
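Added example (not part of the original text): a small Python script that reads tcpdump -n output, one packet per line as tcpdump emits it, and flags the pattern visible in the capture above, a fast burst of SYN-only packets to a single port from almost entirely distinct source addresses. The function names, the three thresholds, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump -n line, old ("S 1:1(0) win ...") or new ("Flags [S], seq ...") style.
PKT = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (?:Flags \[)?([A-Z.]+)\]?,? (.*)$")

def bare_syns(lines):
    """Yield (time_s, src_ip, dst_ip, dst_port) for SYN packets that carry no ACK."""
    for line in lines:
        m = PKT.match(line.strip())
        if not m:
            continue  # banner lines, non-TCP traffic, wrapped fragments
        h, mi, s, src, dst, dport, flags, rest = m.groups()
        if flags == "S" and " ack " not in " " + rest:
            yield int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(dport)

def find_syn_floods(lines, min_syns=10, min_rate=20.0, min_unique=0.8):
    """Flag dst:port pairs hit by fast bare SYNs from mostly distinct sources.
    The three thresholds are illustrative assumptions; tune them per service."""
    seen = defaultdict(list)
    for t, src, dst, dport in bare_syns(lines):
        seen[(dst, dport)].append((t, src))
    findings = []
    for (dst, dport), pkts in seen.items():
        times = [t for t, _ in pkts]
        span = max(times) - min(times)
        rate = len(pkts) / span if span > 0 else float("inf")
        unique = len({src for _, src in pkts}) / len(pkts)
        if len(pkts) >= min_syns and rate >= min_rate and unique >= min_unique:
            findings.append({"target": f"{dst}:{dport}", "syns": len(pkts),
                             "rate_per_s": round(rate, 1), "unique_src_ratio": unique})
    return findings

# Constructed sample (not captured traffic): 12 SYNs from 12 sources, one handshake.
SAMPLE = [f"17:08:16.{i * 12000:06d} IP 10.{i}.{i * 7 % 256}.{i + 1}.{4000 + i} > "
          f"192.168.42.88.22: S {i}:{i}(0) win 14609" for i in range(1, 13)]
SAMPLE += [
    "17:08:20.000000 IP 192.168.42.5.51000 > 192.168.42.88.80: S 1:1(0) win 5840",
    "17:08:20.000300 IP 192.168.42.88.80 > 192.168.42.5.51000: S 9:9(0) ack 2 win 5840",
    "17:08:20.000600 IP 192.168.42.5.51000 > 192.168.42.88.80: . ack 1 win 5840",
]

if __name__ == "__main__":
    for finding in find_syn_floods(SAMPLE):
        print(finding)
```

The distinct-source ratio is what separates this pattern from one busy client reconnecting quickly: twelve SYNs from a single address at the same rate are not flagged.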
Some operating systems (for example, Linux) use a technique called
syncookies to try to prevent SYN flood attacks. The TCP stack using syncookies
adjusts the initial acknowledgment number for the responding SYN/ACK
packet using a value based on host details and time (to prevent replay attacks).