Around The Globe ATG.WORLD

Visit our sister website :

http://www.atg.world/

This is a social network for enthusiasts just like us. No Junk! Only meaningful conversations with the people who share the same enthusiasm as us.

Friday, July 31, 2009

SMURF Attack

A smurf attack abuses IP directed broadcast. A packet sent to the broadcast address of a network (192.0.2.255 for 192.0.2.0/24, say) is delivered to every host on that network, and every host that receives an ICMP echo request answers it. A network whose border router forwards such directed broadcasts arriving from outside is called a smurf amplifier; the "smurf" technique uses these amplifiers to paralyse a target with reply traffic.

The scenario of such an attack is as follows:

  • the attacking machine sends ICMP echo requests whose source address is forged to be the victim's (i.e. the IP address of the target machine) to the directed broadcast address of one or more amplifier networks.
  • the border router of each amplifier network passes the request onto the LAN as a broadcast, so every machine on it receives one.
  • every machine on that network sends an echo reply to the forged source address, that is, directly to the target machine; the amplifier network keeps no record of who really sent the request.
So each request of a few dozen bytes is multiplied by the number of hosts on the amplifier network, and when the attacking machine sends requests to several amplifiers located on different networks, the replies from all of those hosts converge on the target machine's link.

Denial-of-service by SMURF

In this way the bulk of the attacker's work involves finding a list of amplifier networks (networks whose routers still forward directed broadcasts) and forging the source address so that the replies go to the target machine. The defences follow directly: routers should not forward directed broadcasts (the default since RFC 2644; on Cisco IOS, no ip directed-broadcast on each interface), hosts can be set to ignore echo requests sent to broadcast addresses, and networks should drop packets leaving them with source addresses they do not own (BCP 38), which stops the spoofing at its origin.
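A detection-side example (added here; not part of the original post) of the pattern described above: a victim receiving ICMP echo replies from many hosts it never pinged. The ICMP records are constructed for the example, and the thresholds (20 distinct sources within 2 seconds) are assumptions to tune for a real network:

```python
from collections import defaultdict

# Constructed ICMP records for the example: (src, dst, icmp_type, time_in_seconds).
# Type 8 is echo request, type 0 is echo reply. This is not captured traffic.
SAMPLE_ICMP = [
    ("192.0.2.10", "198.51.100.5", 8, 0.0),   # the victim pings one host normally
    ("198.51.100.5", "192.0.2.10", 0, 0.1),   # and gets a single solicited reply
] + [
    # 40 echo replies from hosts on one /24 arrive at 192.0.2.10 within a second,
    # although 192.0.2.10 never sent any of them a request: the smurf pattern.
    (f"203.0.113.{i}", "192.0.2.10", 0, 5.0 + i * 0.02) for i in range(1, 41)
]


def smurf_suspects(records, window=2.0, min_sources=20):
    """Return {victim: set_of_amplifier_hosts} for every destination that receives
    echo replies from at least `min_sources` distinct hosts within `window` seconds
    without having sent those hosts an echo request."""
    requests_sent = defaultdict(set)           # host -> destinations it pinged
    for src, dst, icmp_type, _ in records:
        if icmp_type == 8:
            requests_sent[src].add(dst)

    unsolicited = defaultdict(list)            # victim -> [(time, replying host)]
    for src, dst, icmp_type, ts in records:
        if icmp_type == 0 and src not in requests_sent[dst]:
            unsolicited[dst].append((ts, src))

    suspects = {}
    for victim, events in unsolicited.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):           # sliding time window over the replies
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            sources = {host for _, host in events[lo:hi + 1]}
            if len(sources) >= min_sources:
                suspects.setdefault(victim, set()).update(sources)
    return suspects


if __name__ == "__main__":
    for victim, amplifiers in smurf_suspects(SAMPLE_ICMP).items():
        print(f"{victim}: {len(amplifiers)} unsolicited echo-reply sources")
```

A legitimate burst of replies to a host's own ping sweep is excluded because its requests are seen first; if the capture point cannot see the victim's outbound requests (a host behind NAT, for instance), the request side has to be captured as well or the check will raise false alarms.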

Thursday, July 30, 2009

SYN FLOOD

Prerequisite: to understand a SYN flood completely, you must understand the TCP three-way handshake (SYN, SYN/ACK, ACK).

A SYN packet tells a server that a client wants a new connection. The server then allocates memory for the half-open connection (an entry in its SYN backlog), sends back a SYN/ACK, and waits for the client's ACK to complete the handshake and start sending data. By sending large numbers of SYN packets with spoofed source addresses that never answer, an attacker can fill the backlog with half-open connections that sit there waiting for an ACK that will never arrive. Once the backlog is full, the server drops SYNs from legitimate clients, so they cannot connect. This effectively denies the service.

Key point: SYN floods exploit the design of TCP itself, so there is no complete defense against this attack, only partial ones. Servers can be configured with a larger backlog and a shorter wait before a half-open connection is discarded. Routers and firewalls can filter out some of the spoofed SYN packets, and source-address filtering at the network edge (BCP 38) stops the spoofing at its origin. Finally, techniques such as "SYN cookies" keep no state for the SYN at all: the server encodes the connection details in its initial sequence number, and only a client whose ACK returns the right number gets a connection allocated, which is how good SYNs are told apart from bad ones (on Linux: sysctl net.ipv4.tcp_syncookies=1).


SYN Flood. The attacker sends several packets but does not send the "ACK" back to the server. The connections are hence half-opened and consuming server resources. Alice, a legitimate user, tries to connect but the server refuses to open a connection resulting in a denial of service.


The CERT advisory on SYN flooding includes an up-to-date list of the vendors who have patches for this attack. All server systems are vulnerable unless patched if traffic from the Internet (or any hostile network) is permitted to reach them.
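The SYN cookie idea from the key point above, as an added worked example (not code from the original page or from any real TCP stack). The 32-bit layout follows the scheme Linux uses (time slot, MSS index, keyed hash), but the secret, the MSS table and the slot length are assumptions made for the example:

```python
import hmac
import hashlib

# Assumption: a real stack draws this at random per boot; a constant keeps the example reproducible.
SERVER_SECRET = b"example-syn-cookie-secret"
# MSS values that fit in the 3 bits reserved for them (Linux keeps a similar small table).
MSS_TABLE = (536, 1300, 1440, 1460)
SLOT_SECONDS = 64        # coarse time counter: one slot is 64 s
MAX_AGE_SLOTS = 2        # cookies older than this are rejected


def _mac24(src, dst, sport, dport, slot):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = f"{src}|{dst}|{sport}|{dport}|{slot}".encode()
    return int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, now):
    """Initial sequence number to put in the SYN/ACK; nothing is stored for the SYN.
    Layout (32 bits): [5 bits time slot][3 bits MSS index][24 bits MAC]."""
    slot = (int(now) // SLOT_SECONDS) % 32
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i                         # largest table entry not exceeding the offer
    return (slot << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, slot)


def verify_ack(ack_number, src, dst, sport, dport, now):
    """Called when a bare ACK arrives for a connection the server holds no state for.
    Returns the negotiated MSS if the ACK carries a valid, fresh cookie, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    current = (int(now) // SLOT_SECONDS) % 32
    if (current - slot) % 32 > MAX_AGE_SLOTS:
        return None                             # stale (or replayed) cookie
    if (cookie & 0xFFFFFF) != _mac24(src, dst, sport, dport, slot):
        return None                             # forged, or a different 4-tuple
    return MSS_TABLE[mss_idx]
```

The price of storing nothing is that only what fits in 32 bits survives: the MSS comes back from the table, but other options from the SYN (window scaling, SACK) are lost unless the TCP timestamp option carries them, which is why real stacks switch cookies on only once the backlog is under pressure.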

How a DoS attack works - Behind the Scenes


There are two main approaches to denying a service:


a FLOODING ATTACK, sending a vast number of seemingly legitimate messages.
&
a VULNERABILITY ATTACK, exploiting a vulnerability present on the target


FLOODING ATTACK :
Flooding or Bandwidth attacks are attempts to consume resources, such as network bandwidth or equipment throughput. High-data-volume attacks can consume all available bandwidth between an ISP and your site. The link fills up, and legitimate traffic slows down. Timeouts may occur, causing retransmission, generating even more traffic.

Flooding attacks work by sending a vast number of messages whose processing requires the server to allocate some key resource at the target. Once the server allocates its key resource to the attack, legitimate users cannot receive service. The crucial feature of flooding attacks is that their strength lies in the volume, so the flow of traffic must be so large as to consume the target's resources. If the attacker engages more than one machine to send out the attack traffic, then it is known as a DDoS attack.
Techniques : SYN Flood, Smurf, Fraggle


VULNERABILITY ATTACKS : Malicious messages by the attacker represent an unexpected input that the application programmer did not foresee. The messages cause the target application to go into an infinite loop; to severely slow down, crash, freeze, or reboot a machine; or to consume a vast amount of memory and deny service to legitimate users.
Techniques : teardrop, land, ping of death, Naptha

Denial of Service (DOS) Attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. During a Denial of Service (DoS) attack, a hacker renders a system unusable or significantly slows the system by over-loading resources or preventing legitimate users from accessing the system. This denial-of-service effect is achieved by sending messages to the target that interfere with its operation, and make it hang, crash, reboot, or do useless work.

The goal of DoS or DDoS isn't to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.
A DoS attack may do the following:
  • Flood a network with traffic, thereby preventing legitimate network traffic.
  • Disrupt connections between two machines, thereby preventing access to a service.
  • Prevent a particular individual from accessing a service.
  • Disrupt service to a specific system or person.

Both DoS and DDoS attacks are hard to handle. Defenses (firewalls, IDS, closed ports, patches updated) that work well against many other kinds of attacks are not necessarily effective against denial of service. The attack can consist of traffic that the firewall finds acceptable, probably because it bears a close resemblance to legitimate traffic. Since the DoS attack merely needs to exhaust resources, it can work on any port left open. Attackers can perform DoS attacks on machines that have no vulnerabilities, so patches to close vulnerabilities may not help.

Techniques : SYN Flood, Smurf, teardrop, land, ping of death
Tools : SSPing, Land Exploit, Smurf, Syn Flood, Jolt2, WinNuke, Targa



Sunday, July 19, 2009

Secret Keys - A description

We all know how the lock on a door works. There are a series of small round bars called tumblers that, when lined up correctly, drop out of the way, removing the obstruction, so you can turn the key and open the door. But, just because you know how a door lock works does not mean that you can find the right key. It takes a lot of time and trouble to find the correct key.

Similarly,

Talented people can reverse-engineer software that uses an algorithm and learn its inner workings. If that is true, how do you keep the data safe when everyone knows how it is done? The answer is the key. The key is a secret string of bits (in practice a random byte string, often written in hex; a password is not itself a key but something a key is derived from) used as an input to the encryption algorithm. This is Kerckhoffs's principle: the algorithm can be public, only the key must be secret. If you can keep the key unknown and unknowable, that goes a very long way towards keeping the data safe from prying eyes.

LONGER KEY IS BETTER

For keys to be secure, they must be long enough that trying every possible key is infeasible: a 128-bit key has 2^128 possibilities against 2^56 for a 56-bit (DES) key, and 56-bit keys have been brute-forced in practice (the EFF's purpose-built DES cracker did it in 1998). Longer keys are generally much harder to crack, provided the algorithm has no shortcut faster than brute force. Look at it this way: of two house keys, one with a handful of cuts and one with many more, which do you think would be safer to use?

Symmetric Algorithms

Symmetric algorithms use one key to encrypt data and the same key to decrypt it.
Your front door key is symmetric: you use the same key to lock and to unlock your door. The secret to the security of your front door is that you have the key with you and you don't give a copy to anyone else. If you do trust someone else with the key, it will be an exact copy of yours, and that person can then lock and unlock just as you can. The hard part of symmetric cryptography is exactly that step: getting a copy of the key to the other party without anyone else seeing it.

Common symmetric algorithms:
  • DES (56-bit key; obsolete, brute-forceable)
  • Triple DES (DES applied three times; deprecated)
  • IDEA (128-bit key)
  • AES (128-, 192- or 256-bit keys; the current standard)

Wednesday, July 15, 2009

CRYPTOGRAPHY

Cryptography is the practice and study of hiding information.

Related Terms :
Plaintext: the original, unencrypted data (it doesn't have to be text)
Encrypt: scrambling data with an algorithm and a key so that it is unrecognisable
Decrypt: unscrambling it back to its original form
Cipher: the encryption algorithm itself
Secret key: a secret string of bits (a random byte string in practice, not a memorable word) used as an input to the encryption algorithm. The algorithm produces a different output depending on the key in use. Keys let you scramble and unscramble data. Just as the same key opens and closes a door lock, in symmetric encryption the same secret key must be used at the sender's end to encrypt and at the receiver's end to decrypt. (More in the Secret Keys post above.)

Ciphertext: the scrambled, unrecognisable message produced as output. It depends on the plaintext and the secret key: for a given message, two different keys produce two different ciphertexts, and with a sound cipher the ciphertext reveals nothing useful about the plaintext to anyone without the key.

Do read this WIKIPEDIA entry on Cryptography.
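An added example, not code from the original posts, that covers both the symmetric-key description in the Secret Keys post above and the terms defined here: a stream cipher built only from the Python standard library (HMAC-SHA256 run in counter mode as the keystream). The construction is for illustration of how plaintext, key, nonce and ciphertext relate; it is not an authenticated cipher, so in practice use AES-GCM from a real library. The keys, message and nonce are constructed for the example:

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream(key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter), one 32-byte block per counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext, nonce=None):
    """Ciphertext = nonce || (plaintext XOR keystream). The nonce is public but must never
    repeat under the same key; a fresh random one is drawn unless the caller supplies it."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    """Same key, same nonce, same keystream, XOR again: that is what makes the cipher symmetric."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def brute_force(blob, known_prefix, key_bits):
    """Try every key of `key_bits` bits until the decryption starts with `known_prefix`.
    Feasible only for toy key sizes: the loop doubles for every extra bit of key."""
    nbytes = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        if decrypt(key, blob).startswith(known_prefix):
            return key
    return None
```

Decryption with the wrong key does not fail, it produces garbage: a sound cipher gives no hint whether a key is right, which is why the brute-force search needs some known plaintext to recognise success. brute_force over 12 or 16 bits finishes in well under a second; at 56 bits the same loop is the work the EFF machine did in days, and at 128 bits it is out of reach, which is the whole point of the LONGER KEY IS BETTER section.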

Saturday, July 11, 2009

SNIFFING : How it Works

This section explains how a sniffer grabs all the traffic on a network segment, and what it does with it.

  • On a shared-medium network (a hub, or Wi-Fi) every interface on the segment has access to all of the data that travels on the medium. On a switched network the switch forwards each frame only to the port that owns the destination MAC address, so a sniffer there sees broadcast traffic and its own traffic unless it uses a mirror (SPAN) port or a trick such as ARP spoofing.
  • Each network interface has a unique hardware-layer address (MAC address) and normally accepts only frames addressed to its MAC address, plus frames broadcast on the network.
  • The broadcast nature of shared media networks affects network performance and reliability so greatly that networking professionals use a network analyzer, or sniffer, to troubleshoot problems.
  • In the hands of an experienced system administrator, a sniffer is an invaluable aid in determining why a network is behaving (or misbehaving) the way it is.
  • A sniffer puts a network interface in promiscuous mode so that the sniffer can monitor each data packet on the network segment.
  • With an analyzer, you can determine how much of the traffic is due to which network protocols, which hosts are the source of most of the traffic, and which hosts are the destination of most of the traffic.
  • You can also examine data traveling between a particular pair of hosts and categorize it by protocol and store it for later analysis offline.
  • Most commercial network sniffers are rather expensive, costing thousands of dollars. When you examine these closely, you notice that they are nothing more than a portable computer with an Ethernet card and some special software. The only item that differentiates a sniffer from an ordinary computer is software.
  • It is easy to download shareware and freeware sniffing software.
  • The easy availability of this software also means that malicious computer users with access to a network can capture all the data flowing through the network.
  • The sniffer can capture all the data for a short period of time or selected portions of the data for a fairly long period of time.

SNIFFING : Low Level Protocol Information

The information that network protocols exchange between computers includes the hardware addresses of local network interfaces, the IP addresses of remote network interfaces, IP routing information, and the sequence numbers assigned to bytes on a TCP connection. A sniffer can capture all of it. With this kind of information an attacker can turn a passive attack into an active one with far greater potential for damage (TCP session hijacking, for example, needs exactly those sequence numbers).

SNIFFING : Private Data

Loss of privacy is also common in e-mail transactions. Many e-mail messages have been publicized without the permission of the sender or receiver. It is not at all uncommon for e-mail to contain confidential business information or personal information. Even routine memos can be embarrassing when they fall into the wrong hands.

The most famous instance is the Iran-Contra affair, in which President Reagan's Secretary of Defense, Caspar Weinberger, was indicted (and pardoned before trial). A crucial piece of evidence was backup tapes of the PROFS e-mail system used in the White House. That e-mail was not intercepted in transit, but in a typical networked system it could have been.

SNIFFING : Financial Account Numbers

Most users are uneasy about sending financial account numbers, such as credit card numbers and checking account numbers, over the Internet. The privacy of each user’s credit card numbers is important.

A business that runs electronic transactions is presumably careful about its own security, so the highest risk comes from the user's own local network, the segment on which passwords and card numbers are typed.

However, much larger potential losses exist for businesses that conduct electronic funds transfer or electronic document interchange over a computer network. These transactions involve the transmission of account numbers that a sniffer could pick up; the thief could then transfer funds into his or her own account or order goods paid for by a corporate account.

SNIFFING PASSWORDS


Theft of a password is one of the most damaging things that can happen to a company or a person. Typical users type a password at least once a day, and data is often thought of as secure simply because access to it requires one. Users may guard a password carefully, never sharing it and never writing it down, and still lose it on the wire.

When a user logs in over a protocol that carries credentials in the clear (Telnet, FTP, POP3, IMAP or HTTP basic authentication), the system sends every character of the password across the network, where any Ethernet sniffer can read it. End users do not realise how easily these passwords can be found by someone using a simple and common piece of software. The remedy is to move such logins onto encrypted protocols (SSH in place of Telnet, TLS for mail and web), so that a sniffer sees only ciphertext.
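An added example (not from the original posts) that ties the How it Works list and the password post together: a minimal sniffer in Python that decodes Ethernet/IPv4/TCP/UDP frames, produces the per-protocol and per-host counts a network analyzer shows an administrator, and pulls USER/PASS out of cleartext FTP the way a malicious user would. The frames are constructed in the code; the live_capture function shows the Linux raw-socket and promiscuous-mode call sequence but is not executed here (it needs root):

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_ip, dst_ip, sport, dport, payload, proto=6):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame for the example (not captured data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    if proto == 6:   # TCP: data offset 5 words, flags PSH|ACK, checksum left at zero
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers; returns a dict, or None for non-IPv4 frames."""
    if frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    rec = {
        "proto": ip[9],
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "payload": b"",
    }
    l4 = ip[ihl:]
    if rec["proto"] == 6:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[(l4[12] >> 4) * 4:]      # skip the TCP header (data offset)
    elif rec["proto"] == 17:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[8:]
    return rec


def summarize(frames):
    """What the administrator's analyzer reports: traffic by protocol, by source and by destination."""
    by_proto, by_src, by_dst = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_frame, frames)):
        by_proto[PROTO_NAMES.get(rec["proto"], str(rec["proto"]))] += 1
        by_src[rec["src"]] += 1
        by_dst[rec["dst"]] += 1
    return by_proto, by_src, by_dst


def harvest_ftp_logins(frames):
    """What the attacker's sniffer does: pull USER/PASS lines out of FTP control traffic (port 21)."""
    creds = []
    for rec in filter(None, map(parse_frame, frames)):
        if rec["proto"] == 6 and rec.get("dport") == 21:
            line = rec["payload"].decode("ascii", "replace").strip()
            if line.upper().startswith(("USER ", "PASS ")):
                creds.append((rec["src"], rec["dst"], line))
    return creds


def live_capture(iface, count):
    """Linux only, needs root, not run in this example: open a raw packet socket, switch the
    interface to promiscuous mode (SIOCGIFFLAGS/SIOCSIFFLAGS with IFF_PROMISC) and read frames."""
    import fcntl
    import socket
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    ifr = struct.pack("16sH14s", iface.encode(), 0, b"\0" * 14)
    flags = struct.unpack("16sH14s", fcntl.ioctl(s, 0x8913, ifr))[1]
    fcntl.ioctl(s, 0x8914, struct.pack("16sH14s", iface.encode(), flags | 0x100, b"\0" * 14))
    return [s.recv(65535) for _ in range(count)]


# Constructed sample: an FTP login, an HTTP request and a DNS query on one LAN segment.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 50000, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 50000, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 21, 50000, b"230 Login successful.\r\n"),
    build_frame("10.0.0.7", "10.0.0.9", 50001, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 50002, 53, b"\x00\x01", proto=17),
]
```

The same parse_frame feeds both the administrator's summary and the attacker's credential harvest, which is the point of the original list: the hardware is the same, only the intent differs. Checksums are left at zero in the constructed frames because nothing here transmits them.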

SNIFFING : HOW IT THREATENS SECURITY

Sniffing data from a network leads to loss of privacy for several kinds of information that must stay private if a network is to be secure. These kinds of information are covered in the posts above: low-level protocol information, private data, financial account numbers, and passwords.

Friday, July 10, 2009

SNIFFER

SNIFFING is the use of a network interface to receive data not intended for the machine in which the interface resides.
  • Network analyzers or SNIFFERS monitor network data. A sniffer is a piece of software that captures the traffic on a network.
  • Sniffers usually act as network probes or "snoops" -- examining network traffic but NOT intercepting or altering it.
  • Most sniffers decode TCP/IP by default; Wireshark has dissectors for hundreds of other protocols as well.
  • A network analyzer or SNIFFER helps network administrators diagnose a variety of obscure problems that may not be visible on any one particular host.
  • A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming.
  • WIRESHARK is the most popular network sniffer.

Devices that incorporate sniffing are useful and necessary. However, their very existence implies that a malicious person could use such a device or modify an existing machine to snoop on network traffic. Sniffing programs could be used to gather passwords, read inter-machine e-mail, and examine client-server database records in transit. Besides these high-level data, low-level information might be used to mount an active attack on data in another computer system. For more information : SNIFFING : HOW IT THREATENS SECURITY

Thursday, July 9, 2009

OPERATING SYSTEM (OS) DETECTION

Operating system detection is a technique for determining which operating system is running on a target host, so that the attacker can then go after the vulnerabilities specific to it.
  • Each vendor implements the TCP/IP stack in its own way, so a stack responds to unusual probes in a recognisable way, and the pattern of responses identifies the OS (nmap's -O option sends such probes and compares the answers with its fingerprint database).
  • The same query sent to different operating systems produces different responses, and those differences are what let us enumerate information about the operating system.
  • Some operating systems run particular services on certain ports, so the set of open ports is a hint. Example: ports 135, 137-139 and 445 open together strongly suggest a Windows host (445 arrived with Windows 2000), although a Unix host running Samba shows some of the same ports, so a port-based guess needs confirming with stack fingerprinting or service banners.
You now have an idea how OS detection works. Let's study OS DETECTION STRATEGIES in detail.

TOOLS : NMap, CHECKOS
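An added example, not from the original post and not nmap's implementation, of the reasoning described above: round the observed TTL up to its likely starting value to get a hop count, then score each candidate against a fingerprint table. The table and its window values are constructed for illustration; a real tool uses many more probe fields and thousands of fingerprints:

```python
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Constructed fingerprint table for illustration only (real tools ship thousands of entries
# and probe many more fields): initial TTL, Don't Fragment bit, SYN/ACK window size, and
# ports that are typically open on that kind of host.
FINGERPRINTS = {
    "linux-like":   {"ttl": 64,  "df": True, "win": 29200, "ports": {22}},
    "windows-like": {"ttl": 128, "df": True, "win": 8192,  "ports": {135, 139, 445}},
    "bsd-like":     {"ttl": 64,  "df": True, "win": 65535, "ports": {22}},
}
# Assumed weights: the window size is the most distinctive signal, the DF bit the least.
WEIGHTS = {"ttl": 2, "df": 1, "win": 3, "ports": 2}


def initial_ttl(observed_ttl):
    """Round the TTL seen in a reply up to the nearest common starting value; the
    difference is the number of routers the packet crossed on the way to us."""
    for base in COMMON_INITIAL_TTLS:
        if observed_ttl <= base:
            return base, base - observed_ttl
    return 255, 255 - observed_ttl


def guess_os(observed_ttl, df, win, open_ports):
    """Weighted match of the observed signals against each fingerprint.
    Returns (label, score, hops); label is "inconclusive" when the best two tie."""
    ttl0, hops = initial_ttl(observed_ttl)
    sample = {"ttl": ttl0, "df": df, "win": win, "ports": set(open_ports)}
    scores = {}
    for label, fp in FINGERPRINTS.items():
        score = 0
        for field, weight in WEIGHTS.items():
            if field == "ports":
                if fp["ports"] & sample["ports"]:     # any expected port seen open
                    score += weight
            elif fp[field] == sample[field]:
                score += weight
        scores[label] = score
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return "inconclusive", ranked[0][1], hops
    return ranked[0][0], ranked[0][1], hops
```

The tie rule matters more than the table: a TTL of 64 with the DF bit set is shared by Linux and the BSDs, so without a distinctive window size or port the honest answer is "don't know", and that is what a tool should report rather than guessing.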

Tuesday, July 7, 2009

NETWORK ENUMERATION

Enumeration helps identify a user account or system account for potential use in hacking the target system.
  • It isn't necessary to find a system administrator account to start with, because a low-privilege account can often be escalated to more access than it was originally granted.
  • Enumeration involves active connections to systems and directed queries.
  • The type of information enumerated by intruders:
    * Network resources and shares
    * Users and groups
    * Applications and banners

Monday, July 6, 2009

NULL SCAN

The NULL scan unsets ALL flags in the TCP header: ACK, FIN, RST, SYN, URG and PSH are all clear.
If the port is OPEN, the server stays silent:
client -> NULL (no flags)
server -> -
If the port is CLOSED, an RST packet is returned:
client -> NULL (no flags)
server -> RST
Like the FIN scan below, this relies on RFC 793 behaviour; stacks that answer RST regardless of port state (Windows among them) make every port look closed.

FIN Scan

This works much like the SYN | ACK scan, with inverse mapping used to determine open or closed ports. The basis is that closed ports are required to reply to the probe packet with an RST, while open ports must ignore it.
client -> FIN
server -> -
No reply from the server indicates an open port: the server's operating system silently dropped the incoming FIN packet addressed to the service on that port.
The opposite is the RST reply when a closed port is reached. Since no service is bound to that port, a FIN provokes a reset (RST) response from the server.
client -> FIN
server -> RST
The scan does not exploit a bug; it relies on the RFC 793 rule, implemented in the BSD networking code that many stacks descend from, that a closed port answers any non-RST segment with an RST while a listening port silently drops a segment carrying neither SYN nor ACK. Stacks that do not follow the RFC, Microsoft Windows and Cisco IOS among them, answer RST to every FIN probe, so against them every port looks closed. Even on compliant stacks the positive result is only "open or filtered", because a firewall dropping the probe looks exactly like an open port.

SYN | ACK Scan

A SYN | ACK probe sent to a closed port elicits an RST. The original idea behind this scan was that an open port would stay silent, because TCP requires a bare SYN to initiate a connection. RFC 793 says otherwise: a listening port must also answer any segment carrying ACK with an RST, so on a compliant stack open and closed ports both return RST. What the probe really reveals is whether a stateful filter sits in front of the port (no reply means the probe was dropped), which is how nmap's ACK scan (-sA) maps firewall rules rather than open ports.
This scan produces many false positives: a probe dropped by a filtering device, lost to congestion, or timed out looks the same as an "open" port, so a missing reply proves little about the port itself.

The server ignores the SYN | ACK packet sent to an OPEN PORT.
client -> SYN | ACK
server -> -

Advantages : fast, avoids basic IDS/firewalls, avoids TCP three-way handshake
Disadvantages: less reliable (false positives)

STEALTH SCANNING

The definition of a "stealth" scan has varied over recent years from what Chris Klaus, author of a paper titled "Stealth Scanning: Bypassing Firewalls/SATAN Detectors", delineated. Originally the term was used to describe a technique that avoided IDS and logging, now known as "half-open" scanning.
However, nowadays stealth is considered to be any scan that is concerned with a few of the following:
* setting individual flags (ACK, FIN, RST, .. )
* NULL flags set
* All flags set
* bypassing filters, firewalls, routers
* appearing as casual network traffic
* varied packet dispersal rates

IP ID Header or "DUMB" scanning

The IP ID header scanning technique was discovered by antirez, who described its technical details in a post to Bugtraq. It is built on the SYN scan method, but uses a third-party host as the apparent source, so the target never sees the attacker's address.

SILENT or DUMB HOST : is a server that sends and receives little to no traffic at all, hence the characteristic name endowed upon it. Locating one of these hosts requires much effort and host sweeping itself, and is probably more trouble than what it is worth.

Involved in this scenario are three hosts:
* A -> attackers host
* B -> dumb host
* C -> target host
Let's examine this cycle.
* Host A sends a series of pings to Host B and watches the ID field of the IP header in the replies. An idle host increments the ID by exactly 1 for each packet it sends, so consecutive replies show id=+1.
60 bytes from BBB.BBB.BBB.BBB: seq=1 ttl=64 id=+1 win=0 time=96 ms
60 bytes from BBB.BBB.BBB.BBB: seq=2 ttl=64 id=+1 win=0 time=88 ms
60 bytes from BBB.BBB.BBB.BBB: seq=3 ttl=64 id=+1 win=0 time=92 ms
* Host A sends a spoofed SYN packet to Host C using the source address of Host B. The remote port is any arbitrary port (1-65535) that the attacker wishes to test for open/closed responses. Host C will reply to Host B with one of two standard responses:
-> SYNACK response indicates an open LISTENING port. Host B will then reply with an RST bit flagged in the packet (automated by kernel).
-> RSTACK will indicate a NON-LISTENING port, (a standard SYN scan method reply), and Host B will ignore that packet and send nothing in reply.

Now, how does Host A learn what Host C sent to Host B?
Assuming the port was open on the target, the series of pings that Host A kept sending in parallel while the spoofed SYN packets went out holds the answer.

Analyzing the ID field in these PING responses, one would notice a higher ID increment.
60 bytes from BBB.BBB.BBB.BBB: seq=25 ttl=64 id=+1 win=0 time=92 ms
60 bytes from BBB.BBB.BBB.BBB: seq=26 ttl=64 id=+3 win=0 time=80 ms
60 bytes from BBB.BBB.BBB.BBB: seq=27 ttl=64 id=+2 win=0 time=83 ms

Notice the second and third packets ID responses contain values greater than 1, hence an open port was located. Any further increment of more than 1 is indicative of an open port in Host B's responses, during this period.

Originally the increment was 1, but because Host A sent a spoofed SYN to an open port, Host C answered Host B with SYN|ACK, and Host B, which never sent a SYN, answered that with an RST. Sending the RST consumed one IP ID on Host B, so the next ping reply to Host A carries a higher ID, as expected.
On the other hand, a closed port state on Host C would not require Host B to send anything, so the ID field in the PING response would not be incremented at all.
60 bytes from BBB.BBB.BBB.BBB: seq=30 ttl=64 id=+1 win=0 time=90 ms
60 bytes from BBB.BBB.BBB.BBB: seq=31 ttl=64 id=+1 win=0 time=88 ms
60 bytes from BBB.BBB.BBB.BBB: seq=32 ttl=64 id=+1 win=0 time=87 ms

Once again this is why a "dumb" host is required: its own incoming and outgoing traffic must be minimal so that every extra increment can be attributed to the scan. Two caveats from practice: modern operating systems randomise the IP ID, set it to zero, or keep a separate counter per destination, so suitable zombies are rare today (printers and other embedded devices are the usual candidates), and nmap's -sI option automates the whole procedure, including the test of whether a candidate zombie's IP ID sequence is predictable.
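The A/B/C exchange above, as an added simulation (not from the original post, and not nmap's implementation): toy hosts that share one IP ID counter per host and answer SYN, SYN|ACK and echo requests the way the text describes. Host names, ports and the background-traffic knob are made up for the example:

```python
class Host:
    """Toy TCP/IP stack: one IP ID counter shared by everything the host sends, plus the
    RFC 793 replies that matter for the idle scan."""

    def __init__(self, name, open_ports=(), ipid_start=1000):
        self.name = name
        self.open_ports = set(open_ports)
        self.ipid = ipid_start
        self.inbox = []

    def send(self, dst, flags, **fields):
        self.ipid += 1                            # every packet emitted consumes one IP ID
        dst.receive(dict(src=self, flags=flags, ipid=self.ipid, **fields))

    def receive(self, pkt):
        self.inbox.append(pkt)
        flags, src = pkt["flags"], pkt["src"]
        if flags == "SYN":                        # SYN/ACK if listening, RST/ACK otherwise
            reply = "SYN|ACK" if pkt["dport"] in self.open_ports else "RST|ACK"
            self.send(src, reply, dport=pkt["sport"])
        elif flags == "SYN|ACK":                  # unsolicited SYN/ACK: answer with RST
            self.send(src, "RST")
        elif flags == "ECHO":                     # ICMP echo request: echo reply
            self.send(src, "ECHO_REPLY")
        # RST, RST|ACK and ECHO_REPLY are absorbed without a reply


def probe_ipid(attacker, zombie):
    """Ping the zombie and read the IP ID of its reply."""
    attacker.send(zombie, "ECHO")
    return attacker.inbox[-1]["ipid"]


def idle_scan(attacker, zombie, target, port, background_packets=0):
    """Classify `port` on `target` using only the zombie's IP ID counter.
    `background_packets` simulates traffic a not-so-idle zombie sends on its own meanwhile."""
    before = probe_ipid(attacker, zombie)
    # Spoofed SYN: the attacker writes the zombie's address as the source, so the
    # target's reply (SYN/ACK or RST/ACK) goes to the zombie, never to the attacker.
    target.receive(dict(src=zombie, flags="SYN", ipid=0, dport=port, sport=40000))
    for _ in range(background_packets):
        zombie.send(attacker, "RST")              # unrelated traffic from a busy zombie
    after = probe_ipid(attacker, zombie)
    delta = after - before                        # 1: only our echo reply; 2: plus the RST to the target
    return {1: "closed|filtered", 2: "open"}.get(delta, "inconclusive")
```

The verdict for a silent result is "closed|filtered" rather than "closed": a firewall dropping the spoofed SYN leaves the zombie's counter just as untouched as a closed port does, which is the same ambiguity the FIN and NULL scans have, mirrored.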

SYN SCAN

The implementation of this scan method is similar to a full TCP connect() three way handshake except instead of sending ACK responses we immediately tear down the connection.
client -> SYN
server -> SYN | ACK
client -> RST
This example shows the target port was open, since the server responded with SYN | ACK. The RST is kernel-generated: the scanning client need not craft another packet, because its TCP/IP stack automatically resets a SYN/ACK for a connection it never asked for (the raw-socket SYN created no connection state). Conversely, a closed port responds with RST | ACK.
client -> SYN
server -> RST | ACK

As such, this scan often goes unlogged by connection-based logging, since the handshake never completes and the application never sees a connection, and it gives reliable results for open/closed port recognition.

As shown, the RST | ACK combination indicates a non-listening port. This technique has become easy for many IDSs to detect, because a large number of denial-of-service tools work by flooding a target with exactly such SYN packets, so signatures for bursts of SYNs are common.

Packet-level intrusion detection systems and loggers such as Snort, Courtney and iplog can log these half-open scans. TCP wrappers cannot: it only sees connections the kernel has fully accepted. The SYN method was first described (in the Chris Klaus paper mentioned above) as a way to slip past the SATAN detectors of the time, which watched for the complete connections that SATAN's scanner made.

Advantages : fast, reliable, avoids basic IDS, avoids TCP three-way handshake

Disadvantages: require root privileges, rulesets block many SYN scan attempts
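An added model (not from the original posts) of the reply rules that all four scans in these posts depend on: RFC 793's LISTEN and CLOSED state behaviour, the non-compliant "RST to everything" behaviour of Windows-style stacks, and a filter that drops probes. The port numbers are made up; the scanner-side verdicts match what nmap reports for -sS, -sN, -sF and -sA:

```python
PROBES = {
    "SYN":     frozenset({"SYN"}),
    "NULL":    frozenset(),
    "FIN":     frozenset({"FIN"}),
    "SYN|ACK": frozenset({"SYN", "ACK"}),
}


def stack_reply(probe_flags, port_open, rfc_compliant=True, filtered=False):
    """Flags of the reply a target sends to one probe, or None for silence.
    rfc_compliant=True follows RFC 793 (LISTEN and CLOSED state rules);
    rfc_compliant=False models stacks such as Windows and Cisco IOS that answer RST to any
    probe on an open port that is not a SYN. filtered=True models a firewall dropping the probe."""
    f = frozenset(probe_flags)
    if filtered or "RST" in f:
        return None                                   # dropped; RST segments are never answered
    if not port_open:                                 # CLOSED: RST, with ACK unless the probe had ACK
        return frozenset({"RST"}) if "ACK" in f else frozenset({"RST", "ACK"})
    if "ACK" in f:                                    # LISTEN: any ACK is answered with RST
        return frozenset({"RST"})
    if "SYN" in f:                                    # LISTEN + SYN: second step of the handshake
        return frozenset({"SYN", "ACK"})              # (the scanner then sends RST, never ACK)
    if rfc_compliant:                                 # NULL/FIN on a listening port: silently dropped
        return None
    return frozenset({"RST", "ACK"})                  # non-compliant stack: RST as if closed


def classify(scan, reply):
    """How the scanner interprets the reply for each technique."""
    if scan == "SYN":                                 # direct mapping: SYN/ACK means listening
        if reply == {"SYN", "ACK"}:
            return "open"
        return "closed" if reply else "filtered"
    if scan in ("NULL", "FIN"):                       # inverse mapping: silence is the positive signal
        return "closed" if reply else "open|filtered"
    if scan == "SYN|ACK":                             # RST from open and closed alike: only tells
        return "unfiltered" if reply else "filtered"  # whether a stateful filter is in the way
    raise ValueError(scan)


def run_scan(scan, open_ports, ports, rfc_compliant=True, filtered=frozenset()):
    """Scan `ports` on a simulated host and return {port: verdict}."""
    results = {}
    for port in ports:
        reply = stack_reply(PROBES[scan], port in open_ports, rfc_compliant, port in filtered)
        results[port] = classify(scan, reply)
    return results
```

Running the same port list through all four scans against a compliant and a non-compliant host makes the trade-offs in the posts concrete: the SYN scan is the only one that separates open from closed everywhere, FIN and NULL scans report every port closed on a Windows-style stack, and the SYN|ACK probe never distinguishes open from closed at all.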