Fragmentation occurs when IP must send a datagram that is larger than the maximum transmission unit (MTU) of the link it has to cross. The datagram is split into smaller packets (fragments), each carrying its own IP header, and the destination host reassembles them into the original datagram. This is a normal and necessary process. All fragments of one datagram share the same Identification (IPID) value, and each one is marked with a length, an offset and a more-fragments bit.
Length = total length of the fragment (its IP header plus the slice of payload it carries)
Offset = distance of this fragment's payload from the beginning of the original datagram's payload (the header carries it in units of 8 bytes; the diagrams below show it in bytes)
More bit = tells the receiver whether further fragments follow. 1 means another fragment of the same set is coming; 0 marks the last fragment of the set.
Original datagram: IPID = 043C, Length = 3,600, Offset = 0

Fragmented (Normal)
| More = 1 | Len = 1,000 | Offset = 0     |
| More = 1 | Len = 1,000 | Offset = 1,000 |
| More = 1 | Len = 1,000 | Offset = 2,000 |
| More = 0 | Len = 600   | Offset = 3,000 |
Normally each fragment begins exactly where the previous one ended, as above. When the offsets are manipulated so that fragments overlap (shown below), a receiver that does not handle the overlap carefully can compute a wrong length for the overlapping piece, typically a negative value that is then used as a huge unsigned copy length, and crash. The teardrop attack is the classic example: its second fragment has an offset that falls inside the first fragment, and in 1997 it crashed Windows 95, Windows NT 4.0 and Linux kernels older than 2.0.32. Fragments can also be manipulated the other way, leaving a gap between them so the datagram can never be completed; the receiver then holds the partial datagram in its reassembly buffer until the reassembly timer expires, which ties up memory for the duration.
Overlapping Fragment Attack
| More = 1 | Len = 1,000 | Offset = 0     |
| More = 1 | Len = 1,000 | Offset = 500   |
| More = 0 | Len = 1,000 | Offset = 1,500 |
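The reassembly checks described above, as an added example that is not part of the original page: it builds header-only IPv4 fragments with the page's IPID (043C), decodes the 8-byte-unit offset and the More bit from the raw header, and then walks the fragments in offset order to tell a normal set from an overlapping or gapped one. It also models the signed length a careless reassembler computes when trimming an overlap, which is what teardrop exploited. The packets, offsets and addresses are constructed for the demonstration; because the page's overlap diagram uses offsets 500 and 1,500, which cannot be encoded in 8-byte units, the raw-packet version uses 496 and 1,496 instead (the check itself is also run on the page's byte values directly).

```python
"""Model of IPv4 fragment reassembly checks (normal / overlap / gap).
Added example, not from the original page; all packets are constructed."""
import struct
from typing import List, Tuple

Fragment = Tuple[int, int, bool]  # (payload offset in bytes, payload length, more-fragments bit)

MF_FLAG = 0x2000      # "More Fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, carried in 8-byte units


def build_ipv4_header(ident: int, offset: int, payload_len: int, more: bool) -> bytes:
    """Build a minimal 20-byte IPv4 header for a fragment (payload bytes omitted,
    checksum left zero).  Wire offsets are in 8-byte units, so offset must be a multiple of 8."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (MF_FLAG if more else 0) | (offset // 8)
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, ident, flags_frag,
                       64, 17, 0,                       # TTL, protocol (UDP), checksum
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed src/dst


def parse_fragment(pkt: bytes) -> Tuple[int, Fragment]:
    """Extract (ident, (offset_bytes, payload_len, more)) from a raw IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & OFFSET_MASK) * 8
    more = bool(flags_frag & MF_FLAG)
    return ident, (offset, total_len - ihl, more)


def check_reassembly(frags: List[Fragment]) -> Tuple[str, int]:
    """Walk the fragments in offset order and report the first anomaly.
    Returns ('ok', payload length), ('overlap', offset), ('gap', offset),
    ('malformed', offset) when a final fragment is followed by more data,
    or ('incomplete', bytes seen) when no final fragment ever arrives."""
    ordered = sorted(frags, key=lambda f: f[0])
    expected = 0  # byte position the next fragment must start at
    for i, (off, length, more) in enumerate(ordered):
        if off < expected:
            return "overlap", off
        if off > expected:
            return "gap", off
        expected = off + length
        if not more:
            return ("ok", expected) if i == len(ordered) - 1 else ("malformed", off)
    return "incomplete", expected


def naive_trim_length(prev_end: int, off: int, length: int) -> int:
    """Signed length a careless reassembler computes when trimming an overlapping
    fragment (end of the new fragment minus the end of data already held).
    Teardrop sent a fragment lying entirely inside the previous one so that this
    went negative and was then used as an unsigned copy length."""
    return off + length - prev_end


def classify_packets(packets: List[bytes]) -> Tuple[str, int]:
    """Parse raw packets that must share one IPID and classify the fragment set."""
    parsed = [parse_fragment(p) for p in packets]
    if len({ident for ident, _ in parsed}) != 1:
        raise ValueError("packets belong to different datagrams")
    return check_reassembly([frag for _, frag in parsed])


# Constructed sample sets mirroring the page's diagrams (IPID 0x043C).
NORMAL = [build_ipv4_header(0x043C, 0, 1000, True),
          build_ipv4_header(0x043C, 1000, 1000, True),
          build_ipv4_header(0x043C, 2000, 1000, True),
          build_ipv4_header(0x043C, 3000, 600, False)]
# The page's overlap diagram uses 500 and 1,500; 496 and 1,496 are the nearest
# offsets encodable in 8-byte units.
OVERLAP = [build_ipv4_header(0x043C, 0, 1000, True),
           build_ipv4_header(0x043C, 496, 1000, True),
           build_ipv4_header(0x043C, 1496, 1000, False)]
GAPPED = [build_ipv4_header(0x043C, 0, 1000, True),
          build_ipv4_header(0x043C, 2000, 600, False)]

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL), ("overlap", OVERLAP), ("gap", GAPPED)):
        print(name, classify_packets(pkts))
    # Classic teardrop shape: a 4-byte second fragment at offset 24, inside a 36-byte first one.
    print("teardrop trim length:", naive_trim_length(36, 24, 4))
```

A real reassembler additionally has to bound how many incomplete datagrams it keeps and for how long; the "gap" verdict here is where that resource limit would apply.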
Needless to say, I was inspired by an article on Windows Security, which did a test using Windows 2000, to try my own test with Windows XP using NTFS. Now I have decided to test it using Windows 2003. Below are my findings and screen-by-screen snapshots (thumbnails are shown; click them to see a larger picture that opens in a new window):
ADS test using Windows 2003
1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 4/3/2003 8:00AM and the size is 113KB.
Here is a listing in DOS that shows the directory with the copied calc.exe file.
2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory with another Windows program (Notepad - c:\windows\notepad.exe).
Notice the size of the calc program did not change, but the timestamp (last modified time and date stamp) DID change.
3. Next, I executed the new ADS notepad.exe using the standard command start.
On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program in the command line.
4. By using CTRL + ALT + DELETE to get the Task Manager, I noticed that my test varied a bit. In the task manager, I could clearly see that calc.exe was running (which I had executed at the command prompt) but, unlike the simple demonstration using Windows 2000, Windows 2003 displayed the calc.exe name and ADS command, much like Windows XP.
This is where I must stop and note that, depending on the version of Windows used, things can be displayed slightly differently.
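The four steps above as one runnable sequence, written here as an added example and not the author's own commands (the page does not give the exact commands typed). It assumes Windows PowerShell 3.0 or later (for the -Stream parameters), an NTFS volume, and C:\adstest as the test directory; the stream is written with cmd's type redirection, which accepts the file:stream syntax directly. It ends with the check a practitioner wants today: listing every file in a directory that carries a stream other than the normal :$DATA contents.

```powershell
# Added example: reproduces the ADS test above on a current Windows host.
# Assumptions: Windows PowerShell 3.0+, NTFS volume, test directory C:\adstest.
$dir = 'C:\adstest'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Step 1: copy calc.exe into the test directory and record size and last-write time.
$target = Join-Path $dir 'calc.exe'
Copy-Item "$env:SystemRoot\System32\calc.exe" $target -Force
$before = Get-Item $target
'Before: {0} bytes, modified {1}' -f $before.Length, $before.LastWriteTime

# Step 2: attach notepad.exe to calc.exe as an alternate data stream named notepad.exe.
$stream = "${target}:notepad.exe"
cmd /c "type %SystemRoot%\notepad.exe > `"$stream`""
$after = Get-Item $target
'After:  {0} bytes, modified {1}' -f $after.Length, $after.LastWriteTime
# Length covers only the unnamed ($DATA) stream, so the size is unchanged,
# while LastWriteTime moves because the file's set of streams was modified.

# Every stream attached to the file; the :$DATA entry is the normal contents.
Get-Item $target -Stream * | Select-Object Stream, Length

# Step 3 on the page launched the stream with: start .\calc.exe:notepad.exe
# That worked on Windows XP/2003; current Windows versions refuse to create a
# process directly from a stream path, so no launch is attempted here.

# Step 4 equivalent for a defender: sweep a directory for hidden streams.
Get-ChildItem $dir -File -Recurse |
    ForEach-Object { Get-Item $_.FullName -Stream * } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# Same listing from cmd (Vista and later): dir /r C:\adstest

# Clean up: drop only the hidden stream and leave calc.exe itself intact.
Remove-Item $target -Stream notepad.exe
```

Copying calc.exe elsewhere (for example to a FAT-formatted USB stick) silently drops the extra stream, which is why the sweep has to run on the NTFS volume where the file lives.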
I am a Computer and Network Technician. I love what I do for a living, as my work is also my hobby.
All of the technical information from the original Aleeya.net site became this site - GirlGeekette dotNet - and the remaining became what is now known as Aleeya dotNet. This site is where I store all of my notes related to computers and Technology so I may share it with others.