Exploiting Network Protocols


Today, most exploits use network services, since most systems are accessed over the network. There are hundreds of network services from which hackers can choose to attack.

The internet daemon, inetd , controls some of the processes that communicate over the network. The internet daemon listens to each port and when a connection is identified, it passes control of the socket to the associated program.

A hacker can add a back door into a system by adding a line in /etc/inetd.conf that will attach a shell with root privileges to a specific socket. The line can be like this:

 hack  stream  tcp  nowait  root /bin/csh csh -i 

This direct approach is probably too visible to be used by any real hacker. It is more likely that a hacker will replace one of the programs that is already configured in inetd.conf with an alternate program or just enable programs that are normally disabled, such as rexd .

The rexd server has a serious security design flaw. User authentication is done in the client and not in the server. The rexd daemon relies on the on command, its client, for any user authentication. A simple C program can send a request to the rexd server and supply any command and any user ID, and rexd will happily execute the command. This would allow a hacker to write a program that acts as a client to the rexd daemon and bypasses all authentication. Running rexd is like having no passwords at all.
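The checks a defender would want to run over inetd.conf follow directly from the two paragraphs above: an entry that binds a shell to a socket, an enabled high-risk service such as rexd, and a service name that is not part of the expected baseline. The script below is an added example, not code from the book; the sample configuration is constructed, and the sets of high-risk services, shell names and baseline services are assumptions chosen for illustration.

```python
"""Audit an inetd.conf for the risky entries this chapter describes.

Added example, not code from "Halting the Hacker". The sample
configuration is constructed; the service and shell lists are assumptions.
"""

# Constructed sample: two ordinary wrapped services, a disabled rexd line,
# an enabled rexd line, and a back-door entry like the one in the text.
SAMPLE_INETD_CONF = """\
# service  type    proto    wait    user  program             args
ftp        stream  tcp      nowait  root  /usr/sbin/tcpd      in.ftpd -l
telnet     stream  tcp      nowait  root  /usr/sbin/tcpd      in.telnetd
#rexd/1    stream  rpc/tcp  wait    root  /usr/sbin/rpc.rexd  rexd
rexd/1     stream  rpc/tcp  wait    root  /usr/sbin/rpc.rexd  rexd
hack       stream  tcp      nowait  root  /bin/csh            csh -i
"""

# Assumptions for the audit: services that should never be enabled,
# names of interactive shells, and a baseline of expected service names.
HIGH_RISK_SERVICES = {"rexd", "rexec", "rsh", "rlogin"}
SHELLS = {"sh", "csh", "ksh", "bash", "tcsh", "zsh"}
BASELINE_SERVICES = {"ftp", "telnet", "rexd", "finger", "talk"}
MIN_FIELDS = 6  # service, type, proto, wait, user, program (args optional)


def parse_inetd_conf(text):
    """Return enabled entries as dicts; comments, blanks and short lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < MIN_FIELDS:
            continue
        entries.append({
            "line": lineno,
            "service": fields[0].split("/")[0],  # "rexd/1" -> "rexd"
            "user": fields[4],
            "program": fields[5],
            "args": fields[6:],
        })
    return entries


def audit_inetd_conf(text):
    """Return (line, service, reason) tuples for every risky enabled entry."""
    findings = []
    for e in parse_inetd_conf(text):
        prog = e["program"].rsplit("/", 1)[-1]
        argv0 = e["args"][0] if e["args"] else ""
        if e["service"] in HIGH_RISK_SERVICES:
            findings.append((e["line"], e["service"], "high-risk service enabled"))
        if prog in SHELLS or argv0 in SHELLS:
            findings.append((e["line"], e["service"], "shell bound directly to a socket"))
        if e["service"] not in BASELINE_SERVICES:
            findings.append((e["line"], e["service"], "service not in baseline"))
    return findings


if __name__ == "__main__":
    for line, service, reason in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"line {line}: {service}: {reason}")
```

On the constructed sample the audit reports the enabled rexd line and the csh back door; the commented-out rexd line is correctly ignored. Comparing the parsed entries against a copy of inetd.conf taken at install time would also catch the quieter substitution the text mentions, where an existing entry's program path is changed.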

E-mail Spoofing

The e-mail spoof is one of the most trivial of all spoofs. SMTP, the simple mail transfer protocol, consists of simple ASCII commands. These commands can be easily input manually by using a telnet connection to the system's SMTP port. E-mail forgery does not require access or authorizations that have to be obtained improperly.

 telnet victim.com smtp 

Once connected, the hacker can type the mail protocol commands directly to the port. Naming someone else in the mail "From:" command will make the mail appear to have been sent by that user. This technique can be used to send mail to other systems by entering a "To:" command that names another system. Careful examination of the mail header will usually indicate where the spoof has come from.

If the spoofed e-mail originates from a compromised system, then even the ident protocol, RFC 1413, cannot be trusted to return correct information from the compromised system.
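The "careful examination of the mail header" above amounts to reading the Received headers, which each relay prepends as it handles the message, and comparing the earliest hop with what the client-supplied From: line claims. The script below is an added example, not the book's code; the message, the host names and the addresses are constructed (example.com, example.net and example.org hosts). It also reflects the caveat in the previous paragraph: only the Received lines added by relays you trust are reliable, since a compromised or hostile origin can write whatever it likes into the headers it sends.

```python
"""Trace the relay chain in a mail header and compare it to the From: line.

Added example, not code from "Halting the Hacker". The message below is
constructed; the host names and addresses are documentation values.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: From: claims alice@example.com, but the earliest
# Received header shows the message entering the mail system from example.net.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby mx.example.org with ESMTP id abc123
\tfor <bob@example.org>; Mon, 1 Jan 2001 10:00:02 -0000
Received: from dialup17.example.net (dialup17.example.net [198.51.100.17])
\tby mail.example.org with SMTP id xyz789; Mon, 1 Jan 2001 10:00:00 -0000
From: Alice <alice@example.com>
To: bob@example.org
Subject: test

hello
"""

# "from <host> ... by <host>" inside a (possibly folded) Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def relay_chain(raw):
    """Return (from_host, by_host) hops, earliest hop first.

    Each relay prepends its own Received header, so the last one in the
    header block is the first hop the message is known to have taken. Only
    the hops added by your own relays can be trusted; earlier ones may be
    forged by the sender.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    hops.reverse()
    return hops


def sender_domain(raw):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def origin_matches_from(raw):
    """True if the earliest known relay lies in the domain From: claims."""
    hops = relay_chain(raw)
    domain = sender_domain(raw)
    if not hops or not domain:
        return False
    origin_host = hops[0][0].lower()
    return origin_host == domain or origin_host.endswith("." + domain)


if __name__ == "__main__":
    for from_host, by_host in relay_chain(SAMPLE_MESSAGE):
        print(f"{from_host} -> {by_host}")
    print("From: domain:", sender_domain(SAMPLE_MESSAGE))
    print("origin consistent with From:", origin_matches_from(SAMPLE_MESSAGE))
```

For the constructed message the chain reads dialup17.example.net -> mail.example.org -> mx.example.org while From: claims example.com, so the check fails; the same message with an example.net sender passes. The check is a triage aid, not proof: a legitimate user sending through a third-party relay also produces a mismatch, and a forged Received line placed below the genuine ones can point the chain anywhere.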

Several state legislatures began trying to regulate commercial e-mail as early as 1997. At least 18 states have enacted or are working on legislation that would impose stiff penalties on commercial e-mailers who engage in unsavory tactics. More states are writing their own legislation, complete with pricey penalties for violating the law. Many states' laws require that the sender's contact information not be falsified and allow damages to be recovered. In Rhode Island, damages can be as high as $500 per message, up to $25,000 per day, and spammers can also be liable to the state, with fines of up to $5,000 and imprisonment up to five years. [41]

[41] Cave, Damien, "States Outlaw Spam," Salon.com, 19 April 2000

IP Spoofing

Internet Protocol (IP) spoofing is the act of sending packets with source addresses other than the actual address of the originating host. These "spoofed" packets can have addresses that are unassigned or addresses that belong to another host.

The Internet Protocol (IP) was first designed when the Internet was a much smaller and friendlier place. Authentication was not a feature that was considered necessary and was not added into the protocol until the development of IPSec and it will still take many years before IPSec is widely utilized.

Currently there is no way to stop IP spoofing. The best we can do is to protect ourselves against attacks that attempt to spoof our own addresses and stop our network from being the source of such attacks.

To stop a network from being the source of such an attack, the border routers should be configured to drop any packet exiting the internal network with a source address that does not belong to the internal network.

  • Source Routing - Source routing is a feature of IP that allows the packet to define the path that the return packet should take to find its way back to the source host. This feature is virtually never used by legitimate applications since the Internet utilizes dynamic routing protocols to optimize the traffic. However, it is often used by attackers who use IP spoofing to get packets returned, unless the attacker is either on the same network as the spoofed address or reliably along the path between the spoofed source and destination hosts. Since there is little legitimate use for source routing, it should be disabled on all hosts and routers, and routers should be configured to drop any packet that contains a source route.

  • Network Flooding - Network flooding is the process of creating more network traffic than the network is able to process, thereby making the network unavailable to legitimate traffic, and the hosts that require that network to communicate unreachable. The large number of packets received by the host often overwhelm the system resources before they overload the network. Every packet received by the system consumes memory and computational power to determine its disposition.

  • SYN Flooding - SYN floods send a large number of spoofed TCP connection requests. These requests utilize data structures in the target machine which consume memory and kernel resources and may cause legitimate connections to be denied.

    This exploit was published, complete with source code, in two hacker publications. Shortly thereafter, numerous SYN flooding attacks ensued, including an attack against the Internet access provider PANIX.

    There have been a number of different solutions implemented to remedy this problem. Consult your vendor to get the appropriate patch.

  • Smurf - The "smurf" attack uses forged ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. There are three parties in these attacks: the attacker, the intermediary, and the victim. The intermediary can be victimized by suffering the same types of problems that the "victim" does in these attacks.

    The intermediary receives an ICMP echo request packet directed to the IP broadcast address of its network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back to the spoofed source address in the forged packet, which is the attacker's intended victim. The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine. The victim is subjected to network congestion that could potentially make the network unusable.

    Attackers have developed automated tools that enable them to send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim. Attackers have also developed tools to look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can then subsequently be used as intermediaries in attacks.

    To prevent your site from being used as an intermediary in this attack, you must disable IP-directed broadcasts at your router (which will deny IP broadcast traffic onto your network from other networks) and configure your systems to prevent the machine from responding to ICMP packets sent to IP broadcast addresses.

    In almost all cases, IP-directed broadcast functionality is not needed.
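The router configuration the IP spoofing section recommends comes down to a handful of rules: drop packets leaving the site whose source address is not internal, drop packets entering the site that claim an internal source, drop anything carrying a source route, and drop traffic from outside addressed to an internal directed-broadcast address. The following is an added example, not code from the book or any router vendor: it models those rules in Python so they can be checked against constructed packets before being translated into a real access list. The internal prefixes (documentation ranges) and the sample packets are made up, and the packet is a plain dict rather than a parsed IP header.

```python
"""Anti-spoofing border filter, modelled as a policy check.

Added example, not code from "Halting the Hacker". The internal prefixes
and the sample packets are constructed; a packet is a dict with the keys
src, dst, direction ('egress' leaves the site, 'ingress' enters it) and
source_route (True if the IP header carries a source route option).
"""
import ipaddress

# Assumption: the site's internal address space (documentation prefixes).
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_internal(addr):
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr):
    """True if addr is the broadcast address of one of the site's prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(pkt):
    """Return (verdict, reason); rules are evaluated in order, first match wins."""
    if pkt.get("source_route"):
        return "drop", "source-routed packet"
    if pkt["direction"] == "egress" and not is_internal(pkt["src"]):
        return "drop", "egress packet with non-internal source (spoofed)"
    if pkt["direction"] == "ingress" and is_internal(pkt["src"]):
        return "drop", "ingress packet claiming an internal source (spoofed)"
    if pkt["direction"] == "ingress" and is_directed_broadcast(pkt["dst"]):
        return "drop", "directed broadcast from outside (smurf intermediary)"
    return "accept", "policy allows"


# Constructed packets covering each rule and one legitimate flow in each direction.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "direction": "egress"},
    {"src": "203.0.113.9", "dst": "203.0.113.5", "direction": "egress"},
    {"src": "203.0.113.5", "dst": "192.0.2.255", "direction": "ingress"},
    {"src": "192.0.2.10", "dst": "192.0.2.20", "direction": "ingress"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "direction": "ingress", "source_route": True},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "direction": "ingress"},
]


def apply_policy(packets):
    """Return a (src, dst, direction, verdict) row per packet."""
    return [(p["src"], p["dst"], p["direction"], filter_packet(p)[0]) for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = filter_packet(p)
        print(f"{p['direction']:7} {p['src']:>14} -> {p['dst']:<14} {verdict:6} {reason}")
```

Rule order matters: the source-route check runs first because a source-routed packet is dropped regardless of its addresses, and the ingress anti-spoof rule runs before the directed-broadcast rule so that a spoofed packet aimed at a broadcast address is reported under the more specific reason. On a real router the same four rules become inbound and outbound access-list entries on the external interface plus the vendor's equivalent of disabling source routing and directed broadcasts.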

System Flooding

System flooding is the process of consuming a resource or resources on a system until the system is unable to do useful work. The resources consumed can be general resources, such as memory, storage, or computation, or, more often, specific resources, such as buffers or queues, that fill up. In many cases, system flooding will result in the system hanging or failing completely.

Mass-mailings

Mail flooding has become a very popular attack. Mail messages containing viruses can exploit powerful e-mail clients which provide powerful scripting languages and address books. These attacks generally forward infected mail messages to individuals from the address book. When the macro capability allows mail to be sent without user interaction, these attacks can overwhelm networks and mail servers.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210