LOKI

By now, you may be wondering: "Are similar tools available for the Unix operating systems?" The answer is yes. The first, and oldest, remote-control tool for Unix is called Loki. Loki is the Norse god of mischief, an apt name for this tool.

When Loki first appeared, everyone allowed ICMP traffic in and out of their networks, because the protocol exists so that machines can exchange control and diagnostic messages with one another. Loki was created to exploit that permissive filtering: it lets an attacker control a victim server remotely without ever logging in to it.

Loki can be found on most security sites, such as http://www.packetstormsecurity.org. It has been written for and ported to many Unix operating systems, including Linux, Solaris, and FreeBSD. In short, Loki works by encapsulating the commands to be executed on the victim machine within ICMP Ping (echo) traffic between the client and the server.

The encapsulation takes place in the payload of the ICMP Echo Request and Echo Reply packets (the payload is the optional data field that follows the ICMP header), and in the standard version of Loki the commands are carried in clear text. This leaves several signatures that a defender can look for:

  • Payload size. A normal ping carries a small, fixed amount of data, so ICMP echo traffic with unusually large packets is the first signature of Loki. Note that alternate versions of Loki hide the contents with XOR obfuscation or Blowfish encryption; that conceals what is being said, not how much.

  • A static ICMP sequence number. The channel is unusual in that the sequence number never changes: it carries the TAG number of the channel, a value the attacker chooses when Loki is compiled. A normal ping increments the sequence number with every request, so a constant one is the second signature.

  • Replies without requests, and an unbalanced request/reply count. Loki sends ICMP Echo Replies that no Echo Request preceded, which violates the request/reply pairing the ICMP echo specification describes; this is the third signature. Depending on the commands the intruder executes, there may also be significantly more ICMP requests than replies, whereas in normal use of ping every request is answered by exactly one reply.
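These signatures live in the ICMP header and in packet counts, so they can be checked mechanically. The following is an added example written for this page, not code from the book or from Loki itself: it parses raw IPv4/ICMP echo packets and flags a host pair when it sees oversized payloads, a sequence number that never changes (the TAG), replies that no request solicited, a request/reply count that is not one-to-one, and, for the unencrypted version only, clear-text commands or output. The packets it runs on are constructed inline, not a real capture; the attacker and victim addresses, the ICMP identifier, the TAG value 0xF001, and the size and packet-count thresholds are assumptions chosen for the demonstration. Only the last check depends on a readable payload, so the XOR and Blowfish variants mentioned above still trip the other four.

```python
# Added example: Loki-style ICMP covert-channel detector. Not the book's or
# Loki's code; sample packets are constructed, thresholds are assumptions.
import socket
import string
import struct
from collections import defaultdict

ICMP_ECHOREPLY, ICMP_ECHO = 0, 8
MAX_PING_PAYLOAD, MIN_PKTS_FOR_STATIC_SEQ = 64, 4  # assumptions: stock ping data is 32-56 bytes
PRINTABLE = set(string.printable.encode())


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(src, dst, icmp_type, ident, seq, payload):
    """Construct one IPv4 packet carrying an ICMP Echo Request/Reply (sample data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_echo(pkt: bytes):
    """Return the fields of an IPv4/ICMP echo packet with a valid checksum, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if typ not in (ICMP_ECHO, ICMP_ECHOREPLY) or inet_checksum(icmp) != 0:
        return None
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "type": typ, "id": ident, "seq": seq, "payload": icmp[8:]}


def looks_clear_text(payload: bytes) -> bool:
    """Commands and their output are mostly printable and contain line breaks;
    the newline test keeps Windows ping's all-letters payload from matching."""
    return (len(payload) >= 8 and b"\n" in payload
            and sum(b in PRINTABLE for b in payload) / len(payload) > 0.9)


def detect_loki(packets):
    """Group echo traffic per host pair; return {pair: [reasons]} for suspect pairs."""
    flows = defaultdict(list)
    for pkt in packets:                      # packets must be in capture order
        p = parse_echo(pkt)
        if p:
            flows[tuple(sorted((p["src"], p["dst"])))].append(p)
    findings = {}
    for pair, pkts in flows.items():
        reasons = []
        if any(len(p["payload"]) > MAX_PING_PAYLOAD for p in pkts):
            reasons.append("oversized payload")
        if len(pkts) >= MIN_PKTS_FOR_STATIC_SEQ and len({p["seq"] for p in pkts}) == 1:
            reasons.append("static sequence number (possible TAG)")
        # A reply is solicited only while a request with the same id/seq is unanswered.
        outstanding, unsolicited = defaultdict(int), 0
        for p in pkts:
            key = (p["id"], p["seq"])
            if p["type"] == ICMP_ECHO:
                outstanding[key] += 1
            elif outstanding[key]:
                outstanding[key] -= 1
            else:
                unsolicited += 1
        if unsolicited:
            reasons.append("%d unsolicited echo replies" % unsolicited)
        n_req = sum(p["type"] == ICMP_ECHO for p in pkts)
        if n_req != len(pkts) - n_req:
            reasons.append("request/reply count not 1:1 (%d/%d)" % (n_req, len(pkts) - n_req))
        if any(looks_clear_text(p["payload"]) for p in pkts):
            reasons.append("clear-text payload with line breaks")
        if reasons:
            findings[pair] = reasons
    return findings


def sample_traffic():
    """Constructed capture: a normal 4-packet ping exchange, then a Loki channel."""
    pkts = []
    ping_data = bytes(8) + bytes(range(0x10, 0x40))   # Linux-style 56-byte ping data
    for seq in range(1, 5):
        pkts.append(build_echo("10.0.0.5", "10.0.0.9", ICMP_ECHO, 0x1234, seq, ping_data))
        pkts.append(build_echo("10.0.0.9", "10.0.0.5", ICMP_ECHOREPLY, 0x1234, seq, ping_data))
    atk, vic, tag = "192.168.0.50", "192.168.0.101", 0xF001   # assumed attacker, victim, TAG
    listing = (b"drwxrwxrwt  8 root root 4096 .\n"
               b"-rw-r--r--  1 nobody nobody 0 .X0-lock\n") * 6   # fake command output
    req = lambda cmd: build_echo(atk, vic, ICMP_ECHO, 0xBEEF, tag, cmd)
    rep = lambda out: build_echo(vic, atk, ICMP_ECHOREPLY, 0xBEEF, tag, out)
    pkts += [req(b"ls -la /tmp\n"), rep(listing), rep(listing), rep(listing),
             req(b"ifconfig\n"), rep(listing)]
    return pkts


if __name__ == "__main__":
    print(detect_loki(sample_traffic()))
```

Run it as a script to print the findings for the sample capture; the normal ping pair produces none, the Loki pair trips all five checks. To use it on real traffic, feed it the IPv4 packets from a capture in arrival order, since the unsolicited-reply check depends on seeing the request before its reply.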

Implementation

Loki is compiled with the make command. If you download version 2 and want to build it on the newer Red Hat Linux distributions, the following patches must be applied first:

 diff Loki.orig/Makefile Loki/Makefile 37c37 < DEBUG                   =   -DDEBUG --- > DEBUG                   =   #-DDEBUG diff Loki.orig/loki.h Loki/loki.h 36c36,38 < #include <linux/icmp.h> --- > #define ICMP_ECHO          8 > #define ICMP_ECHOREPLY          0 > //#include <linux/icmp.h> 38c40 < #include <linux/signal.h> --- > #include <signal.h> 
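Review bot: in the loki.h hunk (36c36,38), hard-coding ICMP_ECHO 8 and ICMP_ECHOREPLY 0 in place of <linux/icmp.h> gives the right RFC 792 values, but the portable fix is to include <netinet/ip_icmp.h>, which defines both constants and avoids pulling a kernel header into user space; if the defines stay, wrap them in #ifndef guards so a later include of the system header does not redefine them.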
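Review bot: the Makefile hunk (37c37) comments out -DDEBUG, which changes the build configuration rather than fixing a portability problem; the patch should state why the debug build fails on the newer distributions, or leave the DEBUG line alone, so readers do not lose the daemon's diagnostic output without knowing it.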

After the tool has been compiled, run the lokid program on the victim machine (the server side); it forks into the background. The client, run on the attacker's machine, is started like so:

 attacker# ./loki -d <victim's IP address>

The loki prompt appears. Anything typed here is executed as if it had been typed at a shell prompt on the victim machine. The next screenshot shows the victim's IP address (192.168.0.101), obtained by running ifconfig through the Loki interface.

Several caveats to Loki deserve mentioning:

  • The Loki daemon confines you to the /tmp directory by default. You can escape this directory, but only by modifying the source code.

  • Compile Loki statically if you intend to upload the binary to a server that has no compiler or that has different versions of the shared (dynamic-link) libraries, that is, whenever you will not be compiling the source code on the victim server itself.

  • As seen in Figure 10-6, which shows the traffic captured with Ethereal (Ethereal is discussed in detail in Chapter 16), the ICMP packets carry the data between the server and the client. By default this data is not encrypted, but encryption can be turned on at build time: uncomment the appropriate CRYPTO_TYPE line in the Makefile to use XOR obfuscation or Blowfish encryption.


Figure 10-6: Loki and traffic captured with Ethereal


Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006