Thursday, 22 December 2011

JPG,JPEG,JPE File associations fixes


 JPG,JPEG,JPE File associations fixes

This reg file will restore the default file associations.



1. Copy the following (everything in the box) into notepdad.


QUOTE
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.jpe]
"PerceivedType"="image"
@="jpegfile"
"Content Type"="image/jpeg"

[HKEY_CLASSES_ROOT\.jpe\OpenWithProgids]
"jpegfile"=hex(0):

[HKEY_CLASSES_ROOT\.jpe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.jpeg]
"PerceivedType"="image"
@="jpegfile"
"Content Type"="image/jpeg"

[HKEY_CLASSES_ROOT\.jpeg\jpegfile]

[HKEY_CLASSES_ROOT\.jpeg\jpegfile\ShellNew]

[HKEY_CLASSES_ROOT\.jpeg\OpenWithProgids]
"jpegfile"=hex(0):

[HKEY_CLASSES_ROOT\.jpeg\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\.jpg]
"PerceivedType"="image"
@="jpegfile"
"Content Type"="image/jpeg"

[HKEY_CLASSES_ROOT\.jpg\jpegfile]

[HKEY_CLASSES_ROOT\.jpg\jpegfile\ShellNew]

[HKEY_CLASSES_ROOT\.jpg\OpenWithProgids]
"jpegfile"=hex(0):




2. Save the file as xp_jpg_jpe_jpeg_file_assoc_fix.reg
3. Double click the file to import into your registry.

NOTE: If your anti-virus software warns you of a "malicious" script, this is normal if you have "Script Safe" or similar technology enabled.

Posted by at No comments:

IP ADDRESS STRUCTURE:


Every station on a PSN (packet switched network) that is based on the TCP/IP
protocol (your computer is one, for example. Yes, we're referring to a host
that is connected to the net) must have an IP address, so it can be identified,
and information can be relayed and routed to it in an orderly fashion.



An IP address consists of a 32 bit logical address. The address is divided
into two fields:



1) The network address:


Assigned by InterNIC (Internet Network Information Center).
In fact most ISPs (internet service providers) purchase a number of addresses
and assign them individually.



2) The host address:


An address that identifies the single nodes throughout the network. It can be assigned
by the network manager, by using protocols for it such as DHCP, or the workstation itself.



[The IP networking protocol is a logically routed protocol, meaning that address 192.43.54.2
will be on the same physical wire as address 192.43.54.3 (of course this is not always true. It depends on the

subnet mask of the network, but all of that can fill a text of its own)


IP address structure:


   ---.---.---.---

   ^                ^
   |                  |
network    |    host

Every " --- " = 8 bits.
The first bits ===> network address
The last bits  ===> host address.
with 8 bits you can present from 0-255 . (binary=(2 to the power of 8)-1)

Example:
11000010.01011010.00011111.01001010 (binary)
194.90.31.74 (decimal)
IP address CLASSES :
We can classify IP addreses to 5 groups. You can distinguish them by comparing the "High Order" bits (the first four bits on the
left of the address):

type  | model  | target   | MSB |addr.range     |bit number | max.stations|
        |             | groups |          |                     |net./hosts   |                    |
------|--------|--------|-----|--------------|----------|-------------|
 A   |N.h.h.h | ALL         |  0      | 1.0.0.0      |   24/7   | 16,777,214  |
       |            | ACCEPT |          |    to           |             |                     |
       |            | HUGE     |           | 127.0.0.0 |              |                    |
       |            | CORPS   |           |                 |              |                    |
-----------------------------------------------------------------------
      |N.N.h.h | TO ALL | 10  | 128.1.00     | 16/14    | 65,543      |
 B   |             | LARGE  |       |    to             |              |                  |
      |              | CORPS |       | 191.254.00 |              |                  |
-----------------------------------------------------------------------
     |N.N.N.h |TO ALOT | 110 | 192.0.1.0        | 8/22     |  254        |
 C |               |OF            |        |    to                 |             |                |
     |               |SMALL    |        | 223.225.254   |             |                |
     |               |CORPS    |        |                        |             |                |
-----------------------------------------------------------------------
D    | NONE   |MULTI-CA |1110 | 224.0.0.0           | NOT FOR |   UNKNOWN   |
       |               |ST ADDR.   |         |     to                   | USUAL     |                            |
       |               |RFC-1112   |         |239.255.255.255| USE           |                            |
-----------------------------------------------------------------------
E    | NOT FOR |EXPERIME |1,1,1,1| 240.0.0.0                |NOT FOR|  NOT FOR USE|
      |  USE          |NTAL         |            |   to                          |USE          |                           |
      |                   |ADDR.        |            |254.255.255.255     |                 |                           |
-----------------------------------------------------------------------

N=NETWORK , h=HOST .



Notice the address range 127.X.X.X.
These addresses are assigned to internal use to the network device, and are
used as an application tool only. For example: 127.0.0.1, the most common one,
is called the loopback address - everything sent here goes directly back to
you, without even traveling out on the wire.
Also, some IPs are reserved for VPNs - Virtual Private Networks. These are
local area networks over wide area networks that use the Internet Protocol to
communicate, and each computer inside the network is assigned with an IP
address. So, suppose a certain computer wants to send a data packet to
another host on the network with the IP 'x', but there's also another host on
the Internet that has the same IP - what happens now? So this is why you
cannot use these and other forms of reserved IPs on the Internet.

EXTRA:

Distinguishing different groups:

You have to compare the first byte on the left in the address as follows:




Type |    First byte   | MSB
         |    in decimal  |
----------------------------
A    | 1-127            | 0
----------------------------
B    | 128-191        | 10
----------------------------
C    | 192-223        | 110
----------------------------
D    | 224-239        | 1110
----------------------------
E    | 240-254        | 1111
----------------------------


NOTES: Yes, we know, we've left A LOT of things unexplained in this text.
With time, we will write more tutorials to cover these and other subjects. So
in the meantime, I suggest that you go to http://blacksun.box.sk, find the
tutorials page and see if there's anything else that's interesting to you.
And remember - we also have a message board, so if you have any questions,
feel free to post them there.


weird shit (newbie note):

1) Multicast: (copied from RFC 1112)
  IP multicasting is the transmission of an IP datagram to a "host
  group", a set of zero or more hosts identified by a single IP
  destination address.  A multicast datagram is delivered to all
  members of its destination host group with the same "best-efforts"
  reliability as regular unicast IP datagrams, i.e., the datagram is
  not guaranteed to arrive intact at all members of the destination
  group or in the same order relative to other datagrams.

  The membership of a host group is dynamic; that is, hosts may join
  and leave groups at any time.  There is no restriction on the
  location or number of members in a host group.  A host may be a
  member of more than one group at a time.  A host need not be a member
  of a group to send datagrams to it.

  A host group may be permanent or transient.  A permanent group has a
  well-known, administratively assigned IP address.  It is the address,
  not the membership of the group, that is permanent; at any time a
  permanent group may have any number of members, even zero.  Those IP
  multicast addresses that are not reserved for permanent groups are
  available for dynamic assignment to transient groups which exist only
  as long as they have members.

  Internetwork forwarding of IP multicast datagrams(ip packets)is handled by
  "multicast routers" which may be co-resident with, or separate from,
  internet gateways.  A host transmits an IP multicast datagram as a
  local network multicast which reaches all immediately-neighboring
  members of the destination host group.  If the datagram has an IP
  time-to-live greater than 1, the multicast router(s) attached to the
  local network take responsibility for forwarding it towards all other
  networks that have members of the destination group.  On those other
  member networks that are reachable within the IP time-to-live, an
  attached multicast router completes delivery by transmitting the
  datagram(ip packet) as a local multicast.

  *if you donot understand the above do not worry, it is complicated and dry
  but reread it and read it again get a dictionary if it helps.
  Hacking is not easy.

2) MSB: Most Significent Bit:
  In set numbers the first number on the left is the most important because it
  holds the highest value as opposed to the LSB=> least significent bit, it
  always holds the the smallest value.
Posted by at No comments:

Improve Your Dial-up Modem Performance


ou can't assume that just because you connected at a speed like 48.3KBps that you will stay there.
Today's modems automatically fall back to a lower speed if the line noise is too high to maintain a faster connection,
 but sometimes they fall back too soon or too far.

Here's how to do it:


Click Start the button.
Select Settings.
Click Control Panel.
Double-click on the Modems icon.
Select your modem.
Click the Properties button.
Click the Connections tab.
Click the Advanced button.
In the "Extra settings" field, type S36=7
Click OK to save your settings.


This will force your modem to try to stay connected at high speeds in two different ways before dropping back to an asynchronous mode
with auto speed buffering.
Posted by at No comments:

How to Forge Email with Windows XP Telnet


Want a computer you can telnet into and mess around with, and not get into trouble no matter what you do to it? I've set up my
techbroker.com (206.61.52.33) with user xyz, password guest for you to play with. Here's how to forge email to xyz@techbroker.com using
telnet. Start with the command:
C:\>telnet techbroker.com 25
Connecting To Techbroker.com
220 <techbroker.com> Service ready
Now you type in who you want the message to appear to come from:
helo santa@techbroker.com
Techbroker.com will answer:
250 <techbroker.com> host ready
Next type in your mail from address:
mail from:santa@techbroker.com
250 Requested mail action okay, completed
Your next command:
rcpt to:xyz@techbroker.com
250 Requested mail action okay, completed
Your next command:
data
354 Start main input; end with <CRLF>.<CRLF>
Newbie note: <CRLF> just means hit return. In case you can't see that little period between the <CRLF>s, what you do to end composing your email is to hit enter, type a period, then hit enter again.
Anyhow, try typing:
This is a test.
.
250 Requested mail action okay, completed
quit
221 <techbroker.com> Service closing transmission channel
Connection to host lost.
Using techbroker's mail server, even if you enable full headers, the
message we just composed looks like:
Status: R
X-status: N
This is a test.
That's a pretty pathetic forged email, huh? No "from", no date.
However, you can make your headers better by using a trick with the data command. After you give it, you can insert as many headers as you choose. The trick is easier to show than explain:
220 <techbroker.com> Service ready
helo santa@northpole.org
250 <techbroker.com> host ready
mail from:santa@northpole.com
250 Requested mail action okay, completed
rcpt to:<script language="JavaScript"><!-- var name = "cmeinel"; var domain = "techbroker.com"; document.write('<a href=\"mailto:' + name + '@' + domain + '\">'); document.write(name + '@' + domain + '</a>'); // --></script>
250 Requested mail action okay, completed
data
354 Start main input; end with <CRLF>.<CRLF>
from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
.
250 Requested mail action okay, completed
quit
221 <techbroker.com> Service closing transmission channel
Connection to host lost.
The message then looks like:
from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
The trick is to start each line you want in the headers with one word
followed by a colon, and the a line followed by "return". As soon as
you write a line that doesn't begin this way, the rest of what you
type goes into the body of the email.
Notice that the santa@northpole.com from the "mail from:" command didn't show up in the header. Some mail servers would show both "from" addresses.
You can forge email on techbroker.com within one strict limitation.
Your email has to go to someone at techbroker.com. If you can find any way to send email to someone outside techbroker, let us know, because you will have broken our security, muhahaha! Don't worry, you have my permission.
Next, you can read the email you forge on techbroker.com via telnet:
C:\>telnet techbroker.com 110
+OK <30961.5910984301@techbroker.com> service ready
Give this command:
user xyz
+OK user is known
Then type in this:
pass test
+OK mail drop has 2 message(s)
retr 1
+OK message follows
This is a test.
If you want to know all possible commands, give this command:
help
+OK help list follows
USER user
PASS password
STAT
LIST [message]
RETR message
DELE message
NOOP
RSET
QUIT
APOP user md5
TOP message lines
UIDL [message]
HELP
Unless you use a weird online provider like AOL, you can use these
same tricks to send and receive your own email. Or you can forge email to a friend by telnetting to his or her online provider's email
sending computer(s).
Posted by at No comments:

How to Telnet with Windows XP


The queen of hacker commands is telnet. To get Windows help for
telnet, in the cmd.exe window give the command:
C:\>telnet /?
Here's what you will get:
telnet [-a][-e escape char][-f log file][-l user][-t term][host
[port]]
-a Attempt automatic logon. Same as -l option except uses
the currently logged on user's name.
-e Escape character to enter telnet client prompt.
-f File name for client side logging
-l Specifies the user name to log in with on the remote system.
Requires that the remote system support the TELNET ENVIRON
option.
-t Specifies terminal type.
Supported term types are vt100, vt52, ansi and vtnt only.
host Specifies the hostname or IP address of the remote computer
to connect to.
port Specifies a port number or service name.
****************
Newbie note: what is a port on a computer? A computer port is sort of like a seaport. It's where things can go in and/or out of a computer. Some ports are easy to understand, like keyboard, monitor, printer and modem. Other ports are virtual, meaning that they are created by software. When that modem port of yours (or LAN or ISDN or DSL) is connected to the Internet, your computer has the ability to open or close any of over 65,000 different virtual ports, and has the ability to connect to any of these on another computer - if it is running that port, and if a firewall doesn?t block it.
****************
****************
Newbie note: How do you address a computer over the Internet? There are two ways: by number or by name.
****************
The simplest use of telnet is to log into a remote computer. Give the
command:
C:/>telnet targetcomputer.com (substituting the name of the computer you want to telnet into for targetcomputer.com)
If this computer is set up to let people log into accounts, you may
get the message:
login:
Type your user name here, making sure to be exact. You can't swap between lower case and capital letters. For example, user name Guest is not the same as guest.
****************
Newbie note: Lots of people email me asking how to learn what their user name and password are. Stop laughing, darn it, they really do. If you don't know your user name and password, that means whoever runs that computer didn't give you an account and doesn't want you to log on.
****************
Then comes the message:
Password:
Again, be exact in typing in your password.
What if this doesn't work?
Every day people write to me complaining they can't telnet. That is
usually because they try to telnet into a computer, or a port on a
computer that is set up to refuse telnet connections. Here's what it
might look like when a computer refuses a telnet connection:
C:\ >telnet 10.0.0.3
Connecting To 10.0.0.3...Could not open connection to the host, on port 23. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Or you might see:
C:\ >telnet techbroker.com
Connecting To techbroker.com...Could not open connection to the host, on port 23.
No connection could be made because the target machine actively
refused it.
If you just give the telnet command without giving a port number, it
will automatically try to connect on port 23, which sometimes runs a
telnet server.
**************
Newbie note: your Windows computer has a telnet client program,
meaning it will let you telnet out of it. However you have to install
a telnet server before anyone can telnet into port 23 on your
computer.
*************
If telnet failed to connect, possibly the computer you were trying to
telnet into was down or just plain no longer in existence. Maybe the
people who run that computer don't want you to telnet into it.
How to Telnet into a Shell Account
Even though you can't telnet into an account inside some computer, often you can get some information back or get that computer to do something interesting for you. Yes, you can get a telnet connection to succeed -without doing anything illegal --against almost any computer, even if you don't have permission to log in. There are many legal things you can do to many randomly chosen computers with telnet. For example:
C:/telnet freeshell.org 22
SSH-1.99-OpenSSH_3.4p1
That tells us the target computer is running an SSH server, which enables encrypted connections between computers. If you want to SSH into an account there, you can get a shell account for free at
<http://freeshell.org/> . You can get a free SSH client program from
<http://winfiles.com/> .
One reason most hackers have shell accounts on Internet servers is because you can meet the real hackers there. When you've logged in, give the command w or who. That gives a list of user names. You can talk to other users with tht talk command. Another fun thing, if your shell account allows it, is to give the command
ps -auxww
It might tell you what commands and processes other users are running. Ask other users what they are doing and they might teach you something. Just be careful not to be a pest!
***************
You can get punched in the nose warning: Your online provider might kick you off for making telnet probes of other computers. The solution is to get a local online provider and make friends with the people who run it, and convince them you are just doing harmless, legal explorations.
*************
Sometimes a port is running an interesting program, but a firewall won't let you in. For example, 10.0.0.3, a computer on my local area network, runs an email sending program, (sendmail working together with Postfix, and using Kmail to compose emails). I can use it from an account inside 10.0.0.3 to send emails with headers that hide from where I send things.
If I try to telnet to this email program from outside this computer,
here's what happens:
C:\>telnet 10.0.0.3 25
Connecting To 10.0.0.3...Could not open connection to the host, on
port 25.
No connection could be made because the target machine actively
refused it.
However, if I log into an account on 10.0.0.3 and then telnet from
inside to port 25, here's what I get:
Last login: Fri Oct 18 13:56:58 2002 from 10.0.0.1
Have a lot of fun...
cmeinel@test-box:~> telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1... [Carolyn's note: 127.0.0.1 is the numerical
address meaning localhost, the same computer you are logged into]
Connected to localhost.
Escape character is '^]'.
220 test-box.local ESMTP Postfix
The reason I keep this port 25 hidden behind a firewall is to keep
people from using it to try to break in or to forge email. Now the
ubergeniuses reading this will start to make fun of me because no
Internet address that begins with 10. is reachable from the Internet.
However, sometimes I place this "test-box" computer online with a
static Internet address, meaning whenever it is on the Internet, it
always has the same numerical address. I'm not going to tell you what its Internet address is because I don't want anyone messing with it. I just want to mess with other people's computers with it, muhahaha. That's also why I always keep my Internet address from showing up in the headers of my emails.
***************
Newbie note: What is all this about headers? It's stuff at the
beginning of an email that may - or may not - tell you a lot about
where it came from and when. To see full headers, in Outlook click
view -> full headers. In Eudora, click the "Blah blah blah" icon.
****************

Posted by at No comments:

The Magic of DOS


In this guide you will learn how to telnet <beginninea.shtml>, forge email, <beginnineb.shtml> use
nslookup <beginninec.shtml> and netcat <beginnined.shtml> with Windows XP.
So you have the newest, glitziest, "Fisher Price" version of Windows: XP. How can you use XP in a way that sets you apart from the boring millions of ordinary users?
****************
Luser Alert: Anyone who thinks this GTMHH will reveal how to blow up people's TV sets and steal Sandra Bullock's email is going to find out that I won't tell them how.
****************
The key to doing amazing things with XP is as simple as D O S. Yes, that's right, DOS as in MS-DOS, as in MicroSoft Disk Operating System. Windows XP (as well as NT and 2000) comes with two versions of DOS. Command.com is an old DOS version. Various versions of command.com come with Windows 95, 98, SE, ME, Window 3, and DOS only operating systems.
The other DOS, which comes only with the XP, 2000 and NT operating systems, is cmd.exe. Usually cmd.exe is better than command.com because it is easier to use, has more commands, and in some ways resembles the bash shell in Linux and other Unix-type operating systems. For example, you can repeat a command by using the up arrow until you back up to the desired command. Unlike bash, however, your DOS command history is erased whenever you shut down cmd.exe. The reason XP has both versions of DOS is that sometimes a program that won?t run right in cmd.exe will work in command.com
****************
Flame Alert: Some readers are throwing fits because I dared to compare DOS to bash. I can compare cmd.exe to bash if I want to. Nanny nanny nah nah.
****************
DOS is your number one Windows gateway to the Internet, and the open sesame to local area networks. From DOS, without needing to download a single hacker program, you can do amazingly sophisticated explorations and even break into poorly defended computers.
****************
You can go to jail warning: Breaking into computers is against the law if you do not have permission to do so from the owner of that computer. For example, if your friend gives you permission to break into her Hotmail account, that won't protect you because Microsoft owns Hotmail and they will never give you permission.
****************
****************
You can get expelled warning: Some kids have been kicked out of school just for bringing up a DOS prompt on a computer. Be sure to get a teacher's WRITTEN permission before demonstrating that you can hack on a school computer.
****************
So how do you turn on DOS?
Click All Programs -> Accessories -> Command Prompt
That runs cmd.exe. You should see a black screen with white text on it, saying something like this:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>
Your first step is to find out what commands you can run in DOS. If you type "help" at the DOS prompt, it gives you a long list of commands. However, this list leaves out all the commands hackers love to use. Here are some of those left out hacker commands.
TCP/IP commands:
telnet
netstat
nslookup
tracert
ping
ftp
NetBIOS commands (just some examples):
nbtstat
net use
net view
net localgroup
TCP/IP stands for transmission control protocol/Internet protocol. As you can guess by the name, TCP/IP is the protocol under which the Internet runs. along with user datagram protocol (UDP). So when you are connected to the Internet, you can try these commands against other Internet computers. Most local area networks also use TCP/IP.
NetBIOS (Net Basic Input/Output System) protocol is another way to communicate between computers. This is often used by Windows computers, and by Unix/Linux type computers running Samba. You can often use NetBIOS commands over the Internet (being carried inside of, so to speak, TCP/IP). In many cases, however, NetBIOS commands will be blocked by firewalls. Also, not many Internet computers run NetBIOS because it is so easy to break in using them. We will cover NetBIOS commands in the next Guide to XP Hacking.
***************************

Posted by at No comments:

Tuesday, 13 December 2011

eBook on Web Design in a Nutshell

Posted by at No comments:

Monday, 12 December 2011

Know More About Secure Sockets Layer (SSL)



Secure Sockets Layer (SSL) is the most widely used technology for providing a secure communication between the web client and the web server. Most of us are familiar with many sites such as Gmail, Yahoo etc. using https protocol in their login pages. When we see this, we may wonder what’s the difference between http and https. In simple words HTTP protocol is used for standard communication between the Web server and the client. HTTPS is used for a SECURE communication.

What exactly is Secure Communication ?

Suppose there exists two communication parties A (client) and B (server).
Working of HTTP
When A sends a message to B, the message is sent as a plain text in an unencrypted manner. This is acceptable in normal situations where the messages exchanged are not confidential. But imagine a situation where A sends a PASSWORD to B. In this case, the password is also sent as a plain text. This has a serious security problem because, if an intruder (hacker) can gain unauthorised access to the ongoing communication between A and B , he can see the PASSWORDS since they remain unencrypted. This scenario is illustrated using the following figure



Now lets see the working of HTTPS
When A sends a PASSWORD (say “mypass“) to B, the message is sent in an encrypted format. The encrypted message is decrypted on B’s side. So even if the Hacker gains an unauthorised access to the ongoing communication between A and B he gets only the encrypted password (“xz54p6kd“) and not the original password. This is shown below

How is HTTPS implemented ?

HTTPS is implemented using Secure Sockets Layer (SSL).A website can implement HTTPS by purchasing an SSL Certificate. Secure Sockets Layer (SSL) technology protects a Web site and makes it easy for the Web site visitors to trust it. It has the following uses
  1. An SSL Certificate enables encryption of sensitive information during online transactions.
  2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
  3. A Certificate Authority verifies the identity of the certificate owner when it is issued.
How Encryption Works ?
Each SSL Certificate consists of a Public key and a Private key. The public key is used to encrypt the information and the private key is used to decrypt it. When your browser connects to a secure domain, the server sends a Public key to the browser to perform the encryption. The public key is made available to every one but the private key(used for decryption) is kept secret. So during a secure communication, the browser encrypts the message using the public key and sends it to the server. The message is decrypted on the server side using the Private key(Secret key).
How to identify a Secure Connection ?
In Internet Explorer, you will see a lock icon  in the Security Status bar. The Security Status bar is located on the right side of the Address bar.You can click the lock to view the identity of the website.
In high-security browsers, the authenticated organization name is prominently displayed and the address bar turns GREEN when an Extended Validation SSL Certificate is detected. If the information does not match or the certificate has expired, the browser displays an error message or warning and the status bar may turn RED.
So the bottom line is, whenever you perform an online transaction such as Credit card payment, Bank login or Email login always ensure that you have a secure communication. A secure communication is a must in these situations.Otherwise there are chances of Phishing using a Fake login Page.


Posted by at No comments:

Hacker's secret eBook...




____________________

Posted by at No comments:

php ebook for absolute beginner

Posted by at No comments:

Wednesday, 7 December 2011

An Introduction to Denial of Service

  
===================================                    
=INTRODUCTION TO DENIAL OF SERVICE=
===================================


.A. INTRODUCTION
.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
.A.2.1. INTRODUCTION
.A.2.2. SUB-CULTURAL STATUS
.A.2.3. TO GAIN ACCESS
.A.2.4. REVENGE
.A.2.5. POLITICAL REASONS
.A.2.6. ECONOMICAL REASONS
.A.2.7. NASTINESS
.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?


.B. SOME BASIC TARGETS FOR AN ATTACK
.B.1. SWAP SPACE
.B.2. BANDWIDTH
.B.3. KERNEL TABLES
.B.4. RAM
.B.5. DISKS
.B.6. CACHES
.B.7. INETD


.C. ATTACKING FROM THE OUTSIDE
.C.1. TAKING ADVANTAGE OF FINGER
.C.2. UDP AND SUNOS 4.1.3.
.C.3. FREEZING UP X-WINDOWS
.C.4. MALICIOUS USE OF UDP SERVICES
    .C.5. ATTACKING WITH LYNX CLIENTS
.C.6. MALICIOUS USE OF telnet
.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
.C.8. HOW TO DISABLE ACCOUNTS
.C.9. LINUX AND TCP TIME, DAYTIME
.C.10. HOW TO DISABLE SERVICES
.C.11. PARAGON OS BETA R1.4
.C.12. NOVELLS NETWARE FTP
.C.13. ICMP REDIRECT ATTACKS
.C.14. BROADCAST STORMS
.C.15. EMAIL BOMBING AND SPAMMING
.C.16. TIME AND KERBEROS
.C.17. THE DOT DOT BUG
.C.18. SUNOS KERNEL PANIC
.C.19. HOSTILE APPLETS
.C.20. VIRUS
.C.21. ANONYMOUS FTP ABUSE
.C.22. SYN FLOODING
.C.23. PING FLOODING
.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
.C.26. FLEXlm
.C.27. BOOTING WITH TRIVIAL FTP


.D. ATTACKING FROM THE INSIDE
.D.1. KERNEL PANIC UNDER SOLARIS 2.3
.D.2. CRASHING THE X-SERVER
.D.3. FILLING UP THE HARD DISK
.D.4. MALICIOUS USE OF eval
.D.5. MALICIOUS USE OF fork()
.D.6. CREATING FILES THAT IS HARD TO REMOVE
.D.7. DIRECTORY NAME LOOKUPCACHE
.D.8. CSH ATTACK
.D.9. CREATING FILES IN /tmp
.D.10. USING RESOLV_HOST_CONF
.D.11. SUN 4.X AND BACKGROUND JOBS
.D.12. CRASHING DG/UX WITH ULIMIT 
.D.13. NETTUNE AND HP-UX
.D.14. SOLARIS 2.X AND NFS
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X


.E. DUMPING CORE
.E.1. SHORT COMMENT
.E.2. MALICIOUS USE OF NETSCAPE
.E.3. CORE DUMPED UNDER WUFTPD
.E.4. ld UNDER SOLARIS/X86


.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
.F.1. BASIC SECURITY PROTECTION
.F.1.1. INTRODUCTION
.F.1.2. PORT SCANNING
.F.1.3. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.4. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.5. EXTRA SECURITY SYSTEMS





------------


.A. INTRODUCTION
~~~~~~~~~~~~~~~~


.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------


Denial of service is about without permission knocking off
services, for example through crashing the whole system. This
kind of attacks are easy to launch and it is hard to protect
a system against them. The basic problem is that Unix
assumes that users on the system or on other systems will be
well behaved. 


.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
---------------------------------------

.A.2.1. INTRODUCTION
--------------------


Why would someone crash a system? I can think of several reasons
that I have presentated more precisely in a section for each reason,
but for short:


.1. Sub-cultural status.
.2. To gain access.
.3. Revenge.
.4. Political reasons.
.5. Economical reasons.
.6. Nastiness.


I think that number one and six are the more common today, but that
number four and five will be the more common ones in the future.


.A.2.2. SUB-CULTURAL STATUS
---------------------------


After all information about syn flooding a bunch of such attacks
were launched around Sweden. The very most of these attacks were
not a part of a IP-spoof attack, it was "only" a denial of service
attack. Why? 


I think that hackers attack systems as a sub-cultural pseudo career
and I think that many denial of service attacks, and here in the
example syn flooding, were performed for these reasons. I also think
that many hackers begin their carrer with denial of service attacks.


.A.2.3. TO GAIN ACCESS
----------------------


Sometimes could a denial of service attack be a part of an attack to
gain access at a system. At the moment I can think of these reasons
and specific holes:


.1. Some older X-lock versions could be crashed with a 
method from the denial of service family leaving the system
open. Physical access was needed to use the work space after.


.2. Syn flooding could be a part of a IP-spoof attack method.


.3. Some program systems could have holes under the startup, 
that could be used to gain root, for example SSH (secure shell).


.4. Under an attack it could be usable to crash other machines
in the network or to deny certain persons the ability to access 
the system.  


.5. Also could a system being booted sometimes be subverted,
especially rarp-boots. If we know which port the machine listen
to (69 could be a good guess) under the boot we can send false
packets to it and almost totally control the boot.


.A.2.4. REVENGE
---------------


A denial of service attack could be a part of a revenge against a user
or an administrator.


.A.2.5. POLITICAL REASONS
-------------------------


Sooner or later will new or old organizations understand the potential
of destroying computer systems and find tools to do it.


For example imaginate the Bank A loaning company B money to build a
factory threating the environment. The organization C therefor crash A:s
computer system, maybe with help from an employee. The attack could cost
A a great deal of money if the timing is right.


.A.2.6. ECONOMICAL REASONS
--------------------------


Imaginate the small company A moving into a business totally dominated by
company B. A and B customers make the orders by computers and depends
heavily on that the order is done in a specific time (A and B could be
stock trading companies). If A and B can't perform the order the customers
lose money and change company.


As a part of a business strategy A pays a computer expert a sum of money to
get him to crash B:s computer systems a number of times. A year later A
is the dominating company.


.A.2.7. NASTINESS
-----------------


I know a person that found a workstation where the user had forgotten to
logout. He sat down and wrote a program that made a kill -9 -1 at a
random time at least 30 minutes after the login time and placed a call to
the program from the profile file. That is nastiness.


.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?
---------------------------------------------


This is a hard question to answer and I don't think that it will
give anything to compare different Unix platforms. You can't say that
one Unix is more secure against denial of service, it is all up to the
administrator.


A comparison between Windows 95 and NT on one side and Unix on the
other could however be interesting.


Unix systems are much more complex and have hundreds of built in programs,
services... This always open up many ways to crash the system from
the inside.


In the normal Windows NT and 95 network were is few ways to crash
the system. Although were is methods that always will work.


That gives us that no big different between Microsoft and Unix can
be seen regardning the inside attacks. But there is a couple of
points left:


- Unix have much more tools and programs to discover an
attack and monitoring the users. To watch what another user
is up to under windows is very hard.


- The average Unix administrator probably also have much more
experience than the average Microsoft administrator.


The two last points gives that Unix is more secure against inside
denial of service attacks.


A comparison between Microsoft and Unix regarding outside attacks
are much more difficult. However I would like to say that the average
Microsoft system on the Internet are more secure against outside
attacks, because they normally have much less services.


.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


.B.1. SWAP SPACE
----------------


Most systems have several hundred Mbytes of swap space to 
service client requests. The swap space is typical used
for forked child processes which have a short life time.
The swap space will therefore almost never in a normal
cause be used heavily. A denial of service could be based 
on a method that tries to fill up the swap space.


.B.2. BANDWIDTH
---------------


If the bandwidth is to high the network will be useless. Most
denial of service attack influence the bandwidth in some way.


.B.3. KERNEL TABLES
-------------------


It is trivial to overflow the kernel tables which will cause
serious problems on the system. Systems with write through
caches and small write buffers is especially sensitive.


Kernel memory allocation is also a target that is sensitive.
The kernel have a kernelmap limit, if the system reach this
limit it can not allocate more kernel memory and must be rebooted.
The kernel memory is not only used for RAM, CPU:s, screens and so
on, it it also used for ordinaries processes. Meaning that any system
can be crashed and with a mean (or in some sense good) algorithm pretty
fast.


For Solaris 2.X it is measured and reported with the sar command
how much kernel memory the system is using, but for SunOS 4.X there
is no such command. Meaning that under SunOS 4.X you don't even can
get a warning. If you do use Solaris you should write sar -k 1 to
get the information. netstat -k can also be used and shows how much
memory the kernel have allocated in the subpaging.

.B.4. RAM
---------


A denial of service attack that allocates a large amount of RAM
can make a great deal of problems. NFS and mail servers are 
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack at 
a NFS server is trivial. The normal NFS client will do a 
great deal of caching, but a NFS client can be anything 
including the program you wrote yourself...


.B.5. DISKS
-----------


A classic attack is to fill up the hard disk, but an attack at
the disks can be so much more. For example can an overloaded disk
be misused in many ways.


.B.6. CACHES
-------------


A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.


These caches are found on Solaris 2.X:


Directory name lookup cache: Associates the name of a file with a vnode.


Inode cache: Cache information read from disk in case it is needed
again.


Rnode cache: Holds information about the NFS filesystem.


Buffer cache: Cache inode indirect blocks and cylinders to realed disk
I/O.


.B.7. INETD
-----------


Well once inetd crashed all other services running through inetd no
longer will work.




.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------


Most fingerd installations support redirections to an other host.


Ex:


$finger @system.two.com@system.one.com


finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
who is fingering. So this method can be used for hiding, but also
for a very dirty denial of service attack. Lock at this:


$ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack


All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and
the result is high bandwidth, short free memory and a hard disk with
less free space, due to all child processes (compare with .D.5.).


The solution is to install a fingerd which don't support redirections,
for example GNU finger. You could also turn the finger service off,
but I think that is just a bit to much.


.C.2. UDP AND SUNOS 4.1.3.
--------------------------


SunOS 4.1.3. is known to boot if a packet with incorrect information
in the header is sent to it. This is the cause if the ip_options
indicate a wrong size of the packet.


The solution is to install the proper patch.


.C.3. FREEZING UP X-WINDOWS
---------------------------


If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025. In most cases 6000) could that
be used to freeze up the X-Windows system. This can be made with
multiple telnet connections to the port or with a program which
sends multiple XOpenDisplay() to the port.


The same thing can happen to Motif or Open Windows.


The solution is to deny connections to the X-Windows port.


.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------


It is simple to get UDP services (echo, time, daytime, chargen) to 
loop, due to trivial IP-spoofing. The effect can be high bandwidth 
that causes the network to become useless. In the example the header 
claim that the packet came from 127.0.0.1 (loopback) and the target 
is the echo port at system.we.attack. As far as system.we.attack knows 
is 127.0.0.1 system.we.attack and the loop has been establish. 


Ex:


from-IP=127.0.0.1
to-IP=system.we.attack
Packet type:UDP
from UDP port 7
to UDP port 7


Note that the name system.we.attack looks like a DNS-name, but the
target should always be represented by the IP-number.


Quoted from proberts@clark.net (Paul D. Robertson) comment on
comp.security.firewalls on matter of "Introduction to denial of service"

" A great deal of systems don't put loopback on the wire, and simply
emulate it.  Therefore, this attack will only effect that machine 
in some cases.  It's much better to use the address of a different 
machine on the same network.  Again, the default services should 
be disabled in inetd.conf.  Other than some hacks for mainframe IP 
stacks that don't support ICMP, the echo service isn't used by many 
legitimate programs, and TCP echo should be used instead of UDP 
where it is necessary. "


.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------


A World Wide Web server will fork an httpd process as a respond
to a request from a client, typical Netscape or Mosaic. The process
lasts for less than one second and the load will therefore never
show up if someone uses ps. In most causes it is therefore very
safe to launch a denial of service attack that makes use of 
multiple W3 clients, typical lynx clients. But note that the netstat
command could be used to detect the attack (thanks to Paul D. Robertson).


Some httpd:s (for example http-gw) will have problems besides the normal
high bandwidth, low memory... And the attack can in those causes get
the server to loop (compare with .C.6.)


.C.6. MALICIOUS USE OF telnet
-----------------------------


Study this little script:


Ex:


while : ; do
telnet system.we.attack &
done


An attack using this script might eat some bandwidth, but it is
nothing compared to the finger method or most other methods. Well
the point is that some pretty common firewalls and httpd:s thinks
that the attack is a loop and turn them self down, until the
administrator sends kill -HUP. 


This is a simple high risk vulnerability that should be checked
and if present fixed.


.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
-----------------------------------------------


If the attacker makes a telnet connections to the Solaris 2.4 host and
quits using:


Ex:


Control-}
quit


then will inetd keep going "forever". Well a couple of hundred...


The solution is to install the proper patch.


.C.8. HOW TO DISABLE ACCOUNTS
-----------------------------


Some systems disable an account after N number of bad logins, or waits
N seconds. You can use this feature to lock out specific users from
the system.


.C.9. LINUX AND TCP TIME, DAYTIME
----------------------------------


Inetd under Linux is known to crash if to many SYN packets sends to
daytime (port 13) and/or time (port 37).


The solution is to install the proper patch.


.C.10. HOW TO DISABLE SERVICES
------------------------------


Most Unix systems disable a service after N sessions have been
open in a given time. Well most systems have a reasonable default
(lets say 800 - 1000), but not some SunOS systems that have the
default set to 48...


The solutions is to set the number to something reasonable.


.C.11. PARAGON OS BETA R1.4
---------------------------


If someone redirects an ICMP (Internet Control Message Protocol) packet
to a paragon OS beta R1.4 will the machine freeze up and must be
rebooted. An ICMP redirect tells the system to override routing
tables. Routers use this to tell the host that it is sending
to the wrong router. 


The solution is to install the proper patch.


.C.12. NOVELLS NETWARE FTP
--------------------------


Novells Netware FTP server is known to get short of memory if multiple
ftp sessions connects to it.


.C.13. ICMP REDIRECT ATTACKS
----------------------------


Gateways uses ICMP redirect to tell the system to override routing
tables, that is telling the system to take a better way. To be able
to misuse ICMP redirection we must know an existing connection
(well we could make one for ourself, but there is not much use for that). 
If we have found a connection we can send a route that
loses it connectivity or we could send false messages to the host
if the connection we have found don't use cryptation.  


Ex: (false messages to send)


DESTINATION UNREACHABLE 
TIME TO LIVE EXCEEDED
PARAMETER PROBLEM
PACKET TOO BIG


The effect of such messages is a reset of the connection.


The solution could be to turn ICMP redirects off, not much proper use
of the service.


.C.14. BROADCAST STORMS
-----------------------


This is a very popular method in networks there all of the hosts are
acting as gateways. 


There are many versions of the attack, but the basic method is to 
send a lot of packets to all hosts in the network with a destination 
that don't exist. Each host will try to forward each packet so 
the packets will bounce around for a long time. And if new packets 
keep coming the network will soon be in trouble.


Services that can be misused as tools in this kind of attack is for
example ping, finger and sendmail. But most services can be misused
in some way or another.


.C.15. EMAIL BOMBING AND SPAMMING
---------------------------------


In a email bombing attack the attacker will repeatedly send identical
email messages to an address. The effect on the target is high bandwidth,
a hard disk with less space and so on... Email spamming is about sending
mail to all (or rather many) of the users of a system. The point of
using spamming instead of bombing is that some users will try to
send a replay and if the address is false will the mail bounce back. In
that cause have one mail transformed to three mails. The effect on the
bandwidth is obvious.


There is no way to prevent email bombing or spamming. However have
a look at CERT:s paper "Email bombing and spamming".


.C.16. TIME AND KERBEROS
------------------------


If not the the source and target machine is closely aligned will the
ticket be rejected, that means that if not the protocol that set the 
time is protected it will be possible to set a kerberos server of
function.


.C.17. THE DOT DOT BUG
----------------------


Windows NT file sharing system is vulnerable to the under Windows 95
famous dot dot bug (dot dot like ..). Meaning that anyone can crash
the system. If someone sends a "DIR ..\" to the workstation will a
STOP messages appear on the screen on the Windows NT computer. Note that
it applies to version 3.50 and 3.51 for both workstation and server
version.


The solution is to install the proper patch.


.C.18. SUNOS KERNEL PANIC
-------------------------


Some SunOS systems (running TIS?) will get a kernel panic if a
getsockopt() is done after that a connection has been reset.


The solution could be to install Sun patch 100804.


.C.19. HOSTILE APPLETS
----------------------


A hostile applet is any applet that attempts to use your system
in an inappropriate manner. The problems in the java language
could be sorted in two main groups:


1) Problems due to bugs.
2) Problems due to features in the language.


In group one we have for example the java bytecode verifier bug, which
makes is possible for an applet to execute any command that the user
can execute. Meaning that all the attack methods described in .D.X. 
could be executed through an applet. The java bytecode verifier bug
was discovered in late March 1996 and no patch have yet been available
(correct me if I'am wrong!!!).


Note that two other bugs could be found in group one, but they
are both fixed in Netscape 2.01 and JDK 1.0.1.


Group two are more interesting and one large problem found is the
fact that java can connect to the ports. Meaning that all the methods
described in .C.X. can be performed by an applet. More information
and examples could be found at address:

http://www.math.gatech.edu/~mladue/HostileArticle.html


If you need a high level of security you should use some sort of
firewall for protection against java. As a user you could have
java disable. 


.C.20. VIRUS
------------


Computer virus is written for the purpose of spreading and
destroying systems. Virus is still the most common and famous
denial of service attack method.


It is a misunderstanding that virus writing is hard. If you know
assembly language and have source code for a couple of virus it
is easy. Several automatic toolkits for virus construction could
also be found, for example:

* Genvir.
* VCS (Virus Construction Set).
* VCL (Virus Construction Laboratory).
* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
* IVP (Instant Virus Production Kit).
* G2 (G Squared).


PS-MPC and VCL is known to be the best and can help the novice programmer
to learn how to write virus.


An automatic tool called MtE could also be found. MtE will transform
virus to a polymorphic virus. The polymorphic engine of MtE is well
known and should easily be catch by any scanner.


.C.21. ANONYMOUS FTP ABUSE
--------------------------


If an anonymous FTP archive have a writable area it could be misused
for a denial of service attack similar with with .D.3. That is we can
fill up the hard disk.


Also can a host get temporarily unusable by massive numbers of
FTP requests.


For more information on how to protect an anonymous FTP site could
CERT:s "Anonymous FTP Abuses" be a good start.


.C.22. SYN FLOODING
-------------------


Both 2600 and Phrack have posted information about the syn flooding attack.
2600 have also posted exploit code for the attack. 


As we know the syn packet is used in the 3-way handshake. The syn flooding
attack is based on an incomplete handshake. That is the attacker host
will send a flood of syn packet but will not respond with an ACK packet.
The TCP/IP stack will wait a certain amount of time before dropping
the connection, a syn flooding attack will therefore keep the syn_received 
connection queue of the target machine filled.


The syn flooding attack is very hot and it is easy to find more information
about it, for example:


[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
Article by Christopher Klaus, including a "solution". 

[.2.] http://jya.com/floodd.txt
2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane


[.3.] http://www.fc.net/phrack/files/p48/p48-14.html
IP-spoofing Demystified by daemon9 / route / infinity
      for Phrack Magazine


.C.23. PING FLOODING
--------------------


I haven't tested how big the impact of a ping flooding attack is, but
it might be quite big.


Under Unix we could try something like: ping -s host
to send 64 bytes packets. 


If you have Windows 95, click the start button, select RUN, then type
in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions.


.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
----------------------------------------------------------


If someone can ping your machine from a Windows 95 machine he or she might
reboot or freeze your machine. The attacker simply writes:


ping -l 65510 address.to.the.machine


And the machine will freeze or reboot.


Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux (crash).
AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash).
OSF/1, 3.2C, Solaris 2.4 x86 (reboot).


.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
--------------------------------------------------


The subnet mask reply message is used under the reboot, but some
hosts are known to accept the message any time without any check.
If so all communication to or from the host us turned off, it's dead.


The host should not accept the message any time but under the reboot.


.C.26. FLEXlm
-------------


Any host running FLEXlm can get the FLEXlm license manager daemon
on any network to shutdown using the FLEXlm lmdown command.


# lmdown -c /etc/licence.dat
lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.


Shutting down FLEXlm on nodes: xxx
Are you sure? [y/n]: y
Shut down node xxx
#


.C.27. BOOTING WITH TRIVIAL FTP
-------------------------------


To boot diskless workstations one often use trivial ftp with rarp or
bootp. If not protected an attacker can use tftp to boot the host.




.D. ATTACKING FROM THE INSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


.D.1. KERNEL PANIC UNDER SOLARIS 2.3
------------------------------------


Solaris 2.3 will get a kernel panic if this
is executed:


EX:

$ndd /dev/udp udp_status


The solution is to install the proper patch.


.D.2. CRASHING THE X-SERVER
---------------------------


If stickybit is not set in /tmp then can the file /tmp/.x11-unix/x0
be removed and the x-server will crash.


Ex:


$ rm /tmp/.x11-unix/x0


.D.3. FILLING UP THE HARD DISK
-----------------------------


If your hard disk space is not limited by a quota or if you can use
/tmp then it`s possible for you to fill up the file system.


Ex:


while : ;
mkdir .xxx
cd .xxx
done


.D.4. MALICIOUS USE OF eval
---------------------------


Some older systems will crash if eval '\!\!' is executed in the
C-shell.


Ex:

% eval '\!\!'

.D.5. MALICIOUS USE OF fork() 
-----------------------------


If someone executes this C++ program the result will result in a crash
on most systems.


Ex:

#include <sys/types.h>
#include <unistd.h>
#include <iostream.h>

main()
{
int x;
while(x=0;x<1000000;x++)
{
system("uptime");
fork();
}
}


You can use any command you want, but uptime is nice
because it shows the workload.


To get a bigger and very ugly attack you should however replace uptime
(or fork them both) with sync. This is very bad.


If you are real mean you could also fork a child process for
every child process and we will get an exponential increase of
workload. 


There is no good way to stop this attack and
similar attacks. A solution could be to place a limit
on time of execution and size of processes.


.D.6. CREATING FILES THAT IS HARD TO REMOVE
-------------------------------------------


Well all files can be removed, but here is some ideas:


Ex.I.


$ cat > -xxx
^C
$ ls
-xxx
$ rm -xxx
rm: illegal option -- x
rm: illegal option -- x
rm: illegal option -- x
usage: rm [-fiRr] file ...
$


Ex.II.


$ touch xxx!
$ rm xxx!
rm: remove xxx! (yes/no)? y
$ touch xxxxxxxxx!
$ rm xxxxxxxxx!
bash: !": event not found
$


(You see the size do count!)


Other well know methods is files with odd characters or spaces
in the name. 


These methods could be used in combination with ".D.3 FILLING UP THE
HARDDISK". If you do want to remove these files you must use some sort
of script or a graphical interface like OpenWindow:s File
Manager. You can also try to use: rm ./<filename>. It should work for
the first example if you have a shell.


.D.7. DIRECTORY NAME LOOKUPCACHE
--------------------------------


Directory name lookupcache (DNLC) is used whenever a file is opened.
DNLC associates the name of the file to a vnode. But DNLC can only
operate on files with names that has less than N characters (for SunOS 4.x
up to 14 character, for Solaris 2.x up 30 characters). This means
that it's dead easy to launch a pretty discreet denial of service attack.


Create lets say 20 directories (for a start) and put 10 empty files in
every directory. Let every name have over 30 characters and execute a
script that makes a lot of ls -al on the directories.


If the impact is not big enough you should create more files or launch
more processes.

.D.8. CSH ATTACK
----------------


Just start this under /bin/csh (after proper modification) 
and the load level will get very high (that is 100% of the cpu time) 
in a very short time. 


Ex:


|I /bin/csh
nodename : **************b


.D.9. CREATING FILES IN /tmp
----------------------------


Many programs creates files in /tmp, but are unable to deal with the problem
if the file already exist. In some cases this could be used for a
denial of service attack.


.D.10. USING RESOLV_HOST_CONF
-----------------------------


Some systems have a little security hole in the way they use the
RESOLV_HOST_CONF variable. That is we can put things in it and
through ping access confidential data like /etc/shadow or
crash the system. Most systems will crash if /proc/kcore is 
read in the variable and access through ping.


Ex:

$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf


.D.11. SUN 4.X AND BACKGROUND JOBS
----------------------------------


Thanks to Mr David Honig <honig@amada.net> for the following:


" Put the string "a&" in a file called "a" and perform "chmod +x a".
Running "a" will quickly disable a Sun 4.x machine, even disallowing
(counter to specs) root login as the kernel process table fills."


" The cute thing is the size of the 
script, and how few keystrokes it takes to bring down a Sun
as a regular user."


.D.12. CRASHING DG/UX WITH ULIMIT 
---------------------------------


ulimit is used to set a limit on the system resources available to the 
shell. If ulimit 0 is called before /etc/passwd, under DG/UX, will the 
passwd file be set to zero.


.D.13. NETTUNE AND HP-UX
------------------------


/usr/contrib/bin/nettune is SETUID root on HP-UX meaning
that any user can reset all ICMP, IP and TCP kernel
parameters, for example the following parameters:


- arp_killcomplete 
- arp_killincomplete
- arp_unicast 
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart 
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl 
- udp_newbcastenable 
- udp_pmtu
- tcp_pmtu
- tcp_random_seq


The solution could be to set the proper permission on 
/sbin/mount_union:


#chmod u-s /sbin/mount_union


.D.14. SOLARIS 2.X AND NFS
--------------------------


If a process is writing over NFS and the user goes over the disk
quota will the process go into an infinite loop.


.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
--------------------------------------------------


By executing a sequence of mount_union commands any user
can cause a system reload on all FreeBSD version 2.X before
1996-05-18.


$ mkdir a
$ mkdir b
$ mount_union ~/a ~/b
$ mount_union -b ~/a ~/b


The solution could be to set the proper permission on 
/sbin/mount_union:


#chmod u-s /sbin/mount_union


.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X
----------------------------------------------------


Executing the trap_mon instruction from user mode can cause
a kernel panic or a window underflow watchdog reset under
SunOS 4.1.x, sun4c architecture.




.E. DUMPING CORE
~~~~~~~~~~~~~~~~


.E.1. SHORT COMMENT
-------------------


The core dumps things don't really belongs in this paper but I have
put them here anyway.


.E.2. MALICIOUS USE OF NETSCAPE
-------------------------------


Under Netscape 1.1N this link will result in a segmentation fault and a
core dump.


Ex:


<a name="http://xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx...>


.E.3. CORE DUMPED UNDER WUFTPD
------------------------------


A core dumped could be created under wuftp with two different
methods:


(1) Then pasv is given (user not logged in (ftp -n)). Almost all
versions of BSD:s ftpd.
(2) More than 100 arguments is given with any executable
command. Presents in all versions of BSD:sd ftpd.


.E.4. ld UNDER SOLARIS/X86
--------------------------


Under Solaris 2.4/X86 ld dumps core if given with the -s option.




.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


.F.1. BASIC SECURITY PROTECTION
-------------------------------


.F.1.1. INTRODUCTION
--------------------


You can not make your system totally secured against denial of service
attacks but for attacks from the outside you can do a lot. I put this
work list together and hope that it can be of some use. 


.F.1.2. SECURITY PATCHES
------------------------


Always install the proper security patches. As for patch numbers
I don't want to put them out, but that doesn't matter because you
anyway want to check that you have all security patches installed,
so get a list and check! Also note that patches change over time and
that a solution suggested in security bulletins (i.e. CERT) often
is somewhat temporary.


.F.1.3. PORT SCANNING
---------------------


Check which services you have. Don't check with the manual
or some configuration file, instead scan the ports with sprobe
or some other port scanner. Actual you should do this regualy to see
that anyone don't have installed a service that you don't want on
the system (could for example be service used for a pirate site).


Disable every service that you don't need, could for example be rexd,
fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen,
tftp, exec, ufs, daytime, time... Any combination of echo, time, daytime
and chargen is possible to get to loop. There is however no need
to turn discard off. The discard service will just read a packet
and discard it, so if you turn off it you will get more sensitive to
denial of service and not the opposite.


Actual can services be found on many systems that can be used for
denial of service and brute force hacking without any logging. For
example Stock rexec never logs anything. Most popd:s also don't log 
anything


.F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
---------------------------------------------------------


Check that attacks described in this paper and look at the
solution. Some attacks you should perform yourself to see if they
apply to your system, for example:


- Freezing up X-Windows.
- Malicious use of telnet.
- How to disable services.
- SunOS kernel panic.
- Attacking with lynx clients.
- Crashing systems with ping from Windows 95 machines.

That is stress test your system with several services and look at
the effect.


Note that Solaris 2.4 and later have a limit on the number of ICMP
error messages (1 per 500 ms I think) that can cause problems then
you test your system for some of the holes described in this paper.
But you can easy solve this problem by executing this line:


$ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0
                                                            
.F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
--------------------------------------------------------


Check the inside attacks, although it is always possibly to crash
the system from the inside you don't want it to be to easy. Also
have several of the attacks applications besides denial of service,
for example:


- Crashing the X-Server: If stickybit is not set in /tmp
a number of attacks to gain
access can be performed.


- Using resolv_host_conf: Could be used to expose
confidential data like
/etc/shadow.


- Core dumped under wuftpd: Could be used to extract
password-strings.


If I don't have put out a solution I might have recommended son other paper.
If not I don't know of a paper with a solution I feel that I can recommend.
You should in these causes check with your company.


.F.1.6. EXTRA SECURITY SYSTEMS
------------------------------


Also think about if you should install some extra security systems.
The basic that you always should install is a logdaemon  and a wrapper.
A firewall could also be very good, but expensive. Free tools that can
be found on the Internet is for example:


TYPE: NAME: URL:


LOGDAEMON NETLOG ftp://net.tamu.edu/pub/security/TAMU
WRAPPER TCP WRAPPERS ftp://cert.org/pub/tools/tcp_wrappers
FIREWALL TIS ftp://ftp.tis.com/pub/firewalls/toolkit


Note that you should be very careful if building your own firewall with
TIS or you might open up new and very bad security holes, but it is a very
good security packer if you have some basic knowledge.


It is also very good to replace services that you need, for example telnet,
rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be
found at URL: 


ftp://ftp.cs.hut.fi/pub/ssh


The addresses I have put out are the central sites for distributing
and I don't think that you should use any other except for CERT.


For a long list on free general security tools I recommend:
"FAQ: Computer Security Frequently Asked Questions".


.F.1.7. MONITORING SECURITY
---------------------------


Also monitor security regular, for example through examining system log
files, history files... Even in a system without any extra security systems
could several tools be found for monitoring, for example: 


- uptime
- showmount
- ps
- netstat
- finger
Posted by at No comments:
Subscribe to: Comments (Atom)