Did you know about the Xmas attack?
In this blog post, we are going to give short light on the Christmas tree attack. It is a type of attack where a specially crafted TCP packet is sent to the target device. This attack is used as a reconnaissance technique to grab information about various operating systems. The attack involves the setting of some TCP flags bit on which is normally not seen. Christmas tree packets are also known as kamikaze packets and lamp test segments. Now we will begin with a short overview of the different flags of a TCP packet.
A TCP packet contains many flags.
1) Synchronization: This flag is sent when establishing a three-way handshake.
2) Acknowledgment: This flag is used to acknowledge the successful receipt of the packets.
3) Fin flag: This flag is used to finish the connections created using the SYN flag.
4) Reset: This flag is set to indicate the reset of the connection.
5) Urgent pointer: This flag is used to indicate to abort other segments so that the given segment is given priority.
6) Push: This flag is used to inform the receiving host to push data to the application immediately.
Out of all these flags, in an X-mas attack, a specially crafted TCP packet where Urgent, Push and Fin flags turned on are sent. In a normal situation the combination of these flags with bits turned on is not sent. Upon sending such packets the target devices may respond differently. As different OS may react differently it can be used for OS fingerprinting, port state, and other information. Once the attacker gets the information he can look for potential loopholes and vulnerabilities in the network.
Now, we will analyze what this packet looks like. We can write a custom code that crafts the required TCP packet but for now, we will use a popular Nmap scanner and capture the traffic with Wireshark to see what the packet looks like.
sudo nmap -sX 192.168.1.1
As we can see only three FIN, PSH, and URG bits are turned on and other flags SYN, ACK, and RST are turned off. It is lit up like a Christmas tree. Hence the name Christmas tree attack.
We can compare the above screenshot with another flag section of a TCP packet where there is an ACK flag set 1 for normal traffic.
RFC 793 says that any out of state flag sent to an open port is discarded, whereas segments with out of state flag sent to the closed ports should be handled with RST in response.
So, the idea here is to send such specially crafted packets to different ports of the target device. If the ports are opened then the packets will be ignored. If the ports are closed then an RST will be sent back. This way we can identify open and closed ports in the target device. However, if the target device does not conform to the RFC the target device may behave differently. In certain cases, it might lead to a DOS attack. In fact, a large number of Xmas packets can be sent to cause a denial of service attack as the routers require more processing.
Intrusion detection systems, when configured properly, can find such attacks easily. If such attacks are detected network professionals should respond quickly as the presence of such attacks indicates active reconnaissance of the network.
The following IP table rules can be set to protect the system from this attack.
iptables -A INPUT -p tcp — tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp — tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp — tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp — tcp-flags SYN,RST SYN,RST -j DROP
References :
https://nmap.org/book/scan-methods-null-fin-xmas-scan.html
https://www.plixer.com/blog/understanding-xmas-scans/
https://www.professormesser.com/security-plus/sy0-401/christmas-tree-attack-2/
https://linuxhint.com/nmap_xmas_scan/
Visit :
https://blog.cryptogennepal.com
https://infosec.cryptogennepal.com