Wednesday, June 30, 2010

How TCP SynCookies Work?

So far, TCP Syn-Cookies is only available in Linux (some are turned on by default). Below is an interesting quirk of TCP Syncookies of how it works.

>>> From IDS/IPS Evasion with SynCookies
I will start off by covering the relevant parts of syncookies. There are many types of Denial of service attack, but the most powerful are low rate DoS attacks; attacks that need very little of the attackers resources, but cause major disruption to the attacked host or network. 
One such attack was the SYN flood attack. The attacker would spoof thousands of packets from fake hosts. Since the destination would half-open a connection for each of these, its resources would soon be overwhelmed with these faked connections, and it would then stop acting as it should (either by rejecting new connections, or dropping old ones, or even crashing outright). 
Some clever folks devised TCP Syncookies to combat this problem. Whenever a SYN was received, the connection was not opened by the destination. Instead, it SYN-ACK’d using a ‘magic’ sequence number that it calculated. The calculation involved the IP Source, Destination, TCP Source port and Destination port, along with an unknown random bit of data that only the server would know. No entry was added to the servers table, so its resources would stay free. When the client would ACK, it would increase the sequence number by one. The server would see this ack, and would do the same math it did before to create its magic sequence number, and subtract one from the received number. 
Since the number is only based on the IP, Port, and random number, the numbers should be identical, even though it would not remember the original connection. If the two matched, it would open the connection. Since the magic number was effectively unguessable to the client, this would make it impossible for an attacker to flood the server with a low rate SYN flood attack.

Monday, June 28, 2010

Spot Crafted Packet in PCAP

An excellent article about detecting crafted packets: Fitting in:
If you ever see a packet flying by on your network that has a SYN flag set and does not have a TCP options Maximum Segment Size (MSS) – you can be fairly certain that it was crafted. And, if it was crafted – it probably is for some nefarious purposes. There are other TCP options too that can be included, but most current well-known TCP/IP stacks list the MSS as the first of the TCP options in the TCP header. However, Solaris stacks do not follow this convention and may present some false positives if you include this check.
Another unusual condition that may be a reflection of a crafted packet or a poorly written TCP/IP stack is where a client SYN packet has a non-zero acknowledgement value. After all, the client has received nothing to acknowledge.
To filter (SYN and !MSS) with tcpdump:
tcp[13] & 2 != 0 and ((tcp[12]/16 == 5) or (tcp[12]/16 > 5 and tcp[20] != 02))
  • 'tcp[13] & 2 !=0' looks for the SYN flag set
  • 'tcp[12]/16 ==5' looks for a TCP header length of 5. This is fairly convoluted because the value for the TCP header length is found in the high-order nibble so we must first divide by 16 to make it more logical (at least for me). Now, a TCP header length of 5 (32-bit words) means a conventional 20-byte TCP header with no options.
  • There can still be TCP options, yet no MSS. The rest of the "and" clause examines that by finding TCP options where the TCP header length is greater than 5, and assumes that the MSS value appears first in the 20th byte offset of the TCP header with a value of 02.
To filter (SYN and !MSS) with Wireshark (display filter) :
!(tcp.options.mss) && (tcp.flags.syn == 1)

To find bogus packet with Wireshark (display filter):
tcp.flags.syn == 0 && (tcp.options.mss || tcp.options.wscale || tcp.options.sack)

To filter (SYN and non-zero ACK ) with tcpdump:
tcp[13] = 2 and tcp[8:4] > 0
To filter (SYN and non-zero ACK ) with tcpdump:
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp[8:4] > 0

Thursday, June 10, 2010

Remote Desktop Connection from Linux

During the pentest,  we may sometime need to perform rdp to a Windows server. This can be done using "rdesktop" command. Here is how I do it with my backtrack.

rdesktop -E -z -g 90% [Windows Server IP address]


  • -E : disable encryption from client to server (to speed up the connection).
  • -z : enable rdp compression
  • -g 90% :  desktop geometry at 90% of your current monitor.

Wednesday, June 02, 2010

Dell Express Service Code

Dell service tag format is either 7 or 5 characters. Dell Express Service Code format is either 8/10/11 digits. Both service tags and express service codes are directly related. Given one type, the other can be computed.


Dell's service tag numbers are alpha-numeric sequences used as serial numbers for the equipment they sell. They are helpful when getting support, but must be converted to numerical sequences called Express Service Codes when using Dell's automated phone help. This allows purchasers to more easily key them in on a standard touch-tone pad.

Dell computers include a little converter program that allows users to convert alpha-numeric "service tags" into number-only "Express Service Codes" when dialing in to the support line.


Service Tag is a base-36 integer (composed of digits [0-9A-Z]).  Once you have the Service Tag, you can calculate express service code yourself. Express Service Code is base-10 decimal integer of Service Tag. Dell uses express service code mainly for their support call-routing. When you call dell support, their automated call-routing system may ask you to enter express service code, which you can easily enter in your telephone, as it is just a bunch of numbers, instead of characters.


Use the following online tools to find express service code from service tag and vice-versa.

Tuesday, June 01, 2010

Dell Service Tag

If you are running Linux, the following command will show you the service tag:

root@bt:/etc# dmidecode -s system-serial-number
ABCDE1S

root@bt:/etc# dmidecode --type 1
# dmidecode 2.9
SMBIOS 2.4 present.

Handle 0x0100, DMI type 1, 27 bytes
System Information
        Manufacturer: Dell Inc.
        Product Name: Latitude D620
        Version: Not Specified
        Serial Number: ABCDE1S
        Wake-up Type: Power Switch
        SKU Number: Not Specified
        Family:
If you are using Windows, use this command:

C:\>wmic bios get serialnumber
SerialNumber
ABCDEF1

C:\>wmic csproduct get vendor,name,identifyingnumber
IdentifyingNumber    Name                Vendor
ABCDEF1              PowerEdge 2950      Dell Inc.