Learn Ethical Hacking Tools Free Hacking Tricks How To Hack Hacking Passwords & Email Hacking

• Sniffers monitor network data.

• A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming.

• Sniffers usually act as network probes or "snoops" -- examining network traffic but not intercepting or altering it.

• Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other protocols and at lower levels such as the Ethernet frame.

Sniffers are also the engines for other programs. Network Intrusion Detection Systems (NIDS) use sniffers to match packets against a rule-set designed to flag anything malicious or strange. Network utilization and monitoring programs often use sniffers to gather data necessary for metrics and analysis. It is to be noted that sniffers do not intercept or alter the data it captures.

The most common way of networking computers is through Ethernet. The Ethernet protocol works by broadcasting packets to all hosts on the network, with the packet header containing the MAC address of the machine that is meant to receive the packet. All others are supposed to ignore it. A NIC (Network Interface Card, also known as Ethernet card) that is accepting all packets, regardless of the intended machine is said to be in promiscuous mode. A sniffer is a program that sets the desired NIC into promiscuous mode.

Before we can explore how some sniffing tools are used by attackers towards malicious ends, let us examine what enables the tool to work. However, on a LAN, several PCs share a common connection to the Internet. The devices that come into play here include hubs, switches and routers among others.

A switch performs the layer 2 or Data-Link layer function. That is, it simply looks at each packet or data unit and determines from a physical address (the "MAC address") which device a data unit is intended for and switches it out toward that device. A hub is a place of convergence where data arrives from one or more directions and is forwarded out in one or more other directions. The distinction seems to be that the hub is the place where data comes together and the switch is what determines how and where data is forwarded from the place where data comes together.

If the network is not switched, the traffic destined for any machine on a segment is broadcast to every machine on that segment. This means that a computer actually sees the data traveling to and from each of its neighbors, but ignores it, unless otherwise instructed.

The sniffer program works by asking a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to them. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is promiscuous, (a status that requires administrative or root privileges) a machine can see all the data transmitted on its segment. The program then begins to constantly read all information entering the PC through the network card. A sniffer can therefore peel away the layers of encapsulation and decode the relevant information stored within. This includes information such as source computer, destination computer, targeted port number, payload etc - in short, every piece of information exchanged between two computers.

• Users of computer networks unwittingly disclose sensitive information about themselves through the use of insecure software, and protocols.

• Standard implementations of widely adopted protocols such as Windows file sharing (CIFS/SMB), telnet, POP3, HTTP and FTP transmit login passwords in clear text, exposing an extremely large segment of the internet population to sniffing-related attacks.

A sniffer can easily be customized to capture specific traffic like telnet sessions or e-mail. Once network traffic has been captured, an attacker can swiftly extract sensitive information such as logins, passwords and the text of messages to extend their attack. The disturbing part of the entire process is that users may remain clueless about the leakage of information until they are visibly compromised. This is because sniffers cause no damage or disturbance to a network environment.

Data is transmitted in the binary form over the network. Packet sniffers capture binary data passing through the network, and most of them decode this data into a human readable form. Another feature supported by popular sniffers is protocol analysis. This makes it even easier for attackers, as they can target specific protocols in accordance with their intent.

On most sniffers there is a varying degree of the analysis that takes place. This may be simple analysis involving just breaking down the information packet. Others are more complex involving detailed information contained in the packet (i.e., highlights a password for a service). We will explore some sniffers in this module and see the functionality offered by them.

It must be borne in mind that sniffer have beneficial applications as well. In fact, majority of them were designed for legitimate purposes. However, like double edged swords, the end sought by their means lies in the mind of the user.

• Reverse WWW shell allows an attacker to access a machine on your internal network from the outside.

• The attacker must install a simple trojan program on a machine in your network, the Reverse WWW shell server.

• On a regular basis, usually 60 seconds, the internal server will try to access the external master system to pick up commands.

• If the attacker has typed something into the master system, this command is retrieved and executed on the internal system.

• Reverse WWW shell uses standard http protocol.

• It looks like internal agent is browsing the web.

This Trojan can work through any firewall which allows users to access the Internet. It is the reverse of a straight HTTP tunnel. The program is run on the internal host, which spawns a child every day at a special time. The child program appears as a user to the firewall, which in turn allows it to access the Internet. However, this child program executes a local shell and connects to the web server owned by the attacker on the internet through a legitimate looking http request and sends it 'ready' signal. The legitimate looking answer of the web server owned by the attacker is in reality the commands the child will execute on its machine's local shell. All traffic will be converted into a Base64 like structure and given as a value for a cgi-string to prevent caching.

Example of a connection:

• Slave

  GET /cgi-bin/order?M5mAejTgZdgYOdgIOoBgFfVYTgjFLdgxEdbiHe7krj HTTP/1.0 

• Master replies with

  g5mAlfbknz 

For instance, The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "Is" command from the hacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER if needed; the child is spawned because if the shell hangs for whatever reason the attacker can check and fix it the next day.

In case the administrator sees connects to the attacker's server and connects to it himself he will just see a broken web server because there's a Token (Password) in the encoded cgi GET request; WWW Proxies (e.g. squid) are supported; program masks it's name in the process listing. The programs are reasonably small with the master and slave program just one 260-lines perl file Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it is time that the slave tries to connect.

Sample of Reverse Http Shell:

                Http                         Http  |Internal|—------------>|PROXY|-->|FIREWALL|<---------->|Attacker|   SLAVE                                                  MASTER 

• Most commercial ant-virus products can automatically scan and detect backdoor programs before they can cause damage (Eg. before accessing a floppy, running exe or downloading mail)

• An inexpensive tool called Cleaner (http://www.moosoft.com/cleanet.html) can identify and eradicate 1000 types of backdoor programs and trojans.

• Educate your users not to install applications downloaded from the internet and e-mail attachments.

The first line of defense is to educate users regarding the dangers of installing applications downloaded from the Internet and to take great caution if they have to open any mail attachment.

The second line of defense can be antivirus products that are capable of recognizing Trojan signatures. Ensure that these updates are regularly applied over the network.

The third line of defense comes from keeping application version updated by following security patches and vulnerability announcements.

An inexpensive tool called Cleaner (http://www.moosoft.com/cleanet.html) can identify and eradicate 1000 types of backdoor programs and Trojans. Some of the other anti-Trojan software is:

• TDS-3 (http://tds.diamondcs.com.au)

• Hacker Eliminator (http://www.lockdown2000.com)

• TFAK5 (http://www.snake-basket.de/tfak/TFAK5.zip)

• Trojan Remover (http://www.simplysup.com/tremover/details.html)

• Pest Patrol (http://www.safersite.com/)

• Anti-Trojan (http://www.anti-trojan.net)

• Tauscan (http://www.agnitum.com/products/tausean)

• The Cleaner (http://www.moosoft.com)

• PC Door Guard (http://www.trojanclinic.com/pdg.html)

• Trojan Hunter (http://www.mischel.dhs.org/trojanhunter.jsp)

• LogMonitor (http://www.logmon.bitrix.ru/logmon/eng/)

• Covert Channels are methods in which an attacker can hide the data in a protocol that is undetectable.

• Covert Channels rely on techniques called tunneling, which allows one protocol to be carried over another protocol.

• ICMP tunneling is a method of using ICMP echo-request and echo-reply as a carrier of any payload an attacker may wish to use, in an attempt to stealthily access, or control a compromised system.

The ICMP types we are concerned with are type ox8 and type 0x8. ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type 0x8 indicates an ICMP _ECHO (the query). The normal course of action is for a type 0x8 to elicit a type 0x0 response from a listening server. (Normally, this server is actually the OS kernel of the target host. Most ICMP traffic is, by default, handled by the kernel). This is what the ping program does.

The concept of ICMP Tunneling involves arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets and using them to carry the payload.

Therefore, as a matter of consequence, covert channels are impossible to detect and deter using a system's normal (read: unmodified) security policy. In theory, almost any process or bit of data can be a covert channel. In practice, it is usually quite difficult to elicit meaningful data from most covert channels in a timely fashion.

This makes it an attractive mode of transmission for a Trojan. The attacker can use the covert channel and install the backdoor on the target machine.

The concept of ICMP Tunneling is simple: arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. This exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. They simply pass them, drop them, or return them. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. We can encapsulate (tunnel) any information we want.

(www.phrack.com)

• Loki was written by daemon9 to provide shell access over ICMP making it much more difficult to detect than TCP or UDP based backdoors.

• As far as the network is concerned, a series of ICMP packets are shot back and forth: Ping, Pong-response. As far as the attacker is concerned, commands can be typed into the loki client and executed on the server.

Although the payload of ICMP packet is often timing information, there is no check by any device as to the content of the data. So, as it turns out, this amount of data can also be arbitrary in content as well. Therein lies the covert channel. A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange. Therefore, covert channels are impossible to detect and deter using a system's normal security policy.

Loki exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. It can be used as a backdoor into a system by providing a covert method of getting commands executed on a target machine. The LOKI packet with a forged source IP address will arrive at the target (and will elicit a legitimate ICMP_ECHOREPLY, which will travel to the spoofed host, and will be subsequently dropped silently) and can contain the 4-byte IP address of the desired target of the Loki response packets, as well as 51-bytes of malevolent data.

The important aspect of Loki is that routers, firewalls, packet-filters, dual-homed hosts all can serve as conduits for Loki. A surplus of ICMP_ECHOREPLY packets with a garbled payload can be ready indication the channel is in use. The standalone Loki server program can be easily detected. However, if the attacker can keep traffic on the channel down to a minimum, and was to hide the Loki server inside the kernel, detection is almost impossible.

• Configure your firewall to block ICMP incoming and outgoing echo packets.

• Blocking ICMP will disable ping request and may cause inconvenience to users.

• So you need to carefully decide on security Vs convenience.

• Loki also has the option to run over UDP port 53 (DNS queries and responses.)

■ Disable external ICMP_ECHO traffic entirely. This does have serious implications to normal network management since it does affect network communication management within the local segment. However, this can be configured to allow internal ping traffic and disable packets coming from the outside.

■ Disable ICMP_ECHO_REPLY traffic on a Cisco router. Security implications make this a prudent choice.

■ Ensure that the routers are configured to not send ICMP_UNREACHABLE error packets to hosts that do not respond to ARPs.

• How does an attacker get BO2K or any trojan installed on the victim's computer? Answer: Using Wrappers

• A wrapper attaches a given EXE application (such as games or orifice application) to the BO2K executable.

• The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs BO2K and then runs the wrapped application.

• The user only sees the latter application.

The attacker can place several executables to one executable as well. These wrappers may also support functions like running one file in the background while another one is running on the desktop.

Technically speaking though, wrappers can be considered to be another type of software "glueware" that is used to attach together other software components. A wrapper encapsulates a single data source to make it usable in a more convenient fashion than the original unwrapped source.

Users can be tricked into installing Trojan horses by being enticed or frightened. For example, a Trojan horse might arrive in email described as a computer game. When the user receives the mail, they may be enticed by the description of the game to install it. Although it may in fact be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker.

Graffiti.exe is an example of a legitimate file that can be used to drop the Trojan into the target system. This program runs as soon as windows boots up and on execution keep the user distracted for a given period of time by running on the desktop.

http://homepage.ntlworld.com/chawmp/elitewrap/

• Elite Wrap is an advanced EXE wrapper for Windows 95/98/2K/NT used for SFX archiving and secretly installing and running programs.

• With EliteWrap one can create a setup program that would extract files to a directory and execute programs or batch files to display help, copy files, etc.

Icon Plus is a conversion program for translating icons between various formats. Icon Plus now can read and save Windows XP icons. Icon Plus can also be worked at from the command prompt. This kind of application can be used by an attacker to disguise his malicious code or Trojan so that users are tricked into executing it.

There are numerous icon libraries available on the Internet that allows a user to change icons to suit various operating systems by aping their look and feel.

Tool: Restorator

The relevance of discussing this tool here arises from its ability to modify the user interface of any Windows 32-bit program and thus create UCA's. The user can view, extract, and change images, icons, text, dialogs, sounds, videos, menus and much more.

• When you place a CD in your CD-ROM drive, it automatically starts with some set up interface. An Autorun.inf file that is placed on such CD's is responsible for this action which would look like this:

   [autorun]  open=setup.exe  icon=setup.exe 

• Therefore it is quite possible that while running the real setup program a trojan could be run very easily.

• Turn off the Auto-Start functionality by doing the following:

  Start button-> Settings-> Control Panel-> System-> Device Manager-> CDROM-> Properties -> Settings 

The Autorun.inf file that is placed on such CD's can be configured to execute the Trojan. This makes it possible to infect a machine while running the real setup program. It looks like this:

[autorun]  Open= setup.exe  Icon= setup.exe 

Countermeasure is to stop auto start functionality by doing the following:

Start Button-> Settings-> Control Panel-> System-> Device Manager-> CDROM->Properties- > Settings 

Turn off the reference to Auto Insert Notification

• It is a companion virus that can spread over the network.

• It also has a "backdoor" that will enable a remote user to connect to and control the computer using port 7597.

• It may have originally been sent out by email.

• Rename notepad to note.com

• Modifies the registry key:

  HKLM\software\Microsoft\Windows\Current Version\Run 

http://ntsecurity.nu/toolbox/tini

• It is a very tiny trojan program which is only 3 kb and programmed in assembly language. It takes minimal bandwidth to get on victim's computer and takes small disk space.

• Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier for a victim system to detect by scanning for port 7777.

• From a tini client you can telnet to tini server at port 7777

• Outbound or inbound connections, TCP or UDP, to or from any ports

• Ability to use any local source port

• Ability to use any locally-configured network source address

• Built-in port-scanning capabilities, with randomizer

• Built-in loose source-routing capability

The attacker uses the client to send command through TCP or SPX to the victim listening on a pre defined port.

Donald Dick uses default port either 23476 or 23477

Donald Dick is a tool that enables a user to control another computer over a network.

It uses a client server architecture with the server residing on the victim's computer.

• SubSeven is a backdoor program that enables others to gain full access to Windows 9x systems through network connection.

• The program consists of three different components : Client (SubSeven.exe), Server (Server.exe) and a Server configuration utility (EditServer.exe).

• The client is a GUI used to connect to server through a network or internet connection.

It is a RAT (Remote Administration Tool) that provides more options for attack than other Trojans like Back Orifice or NetBus. The SubSeven Trojan is consists of three programs: the SubSeven server, client and server editor. It has a DDoS potential and like other Trojans, SubSeven can be used as perfectly benign remote administration program.

The server must be run on the target computer to allow the attacker's computer to connect to the machine and have total access to it. The server editor (EditServer Program) helps configure the infection characteristics. This allows the hacker to specify whether the compromised system should send an email or ICQ notification to the attacker when the target is online, whether the program should "melt server after installation" and which ports the attacker can use to connect to the server. Once installed, SubSeven's friendly user-interface allows the attacker to easily monitor a victim's keystrokes, watch a computer's web cam, take screen shots, eavesdrop through the computer's microphone, control the mouse pointer, read and write files, and sniff traffic off the victim's local network.

Back Orifice accounts for highest number of infestations on Microsoft computers.

The BO2K server code is only 100KB. The client program is 500KB.

Once installed on a victim PC or server machine, BO2K gives the attacker complete control of the system.

BO2K has stealth capabilities, it will not show up on the task list and runs completely in hidden mode.

B02K is an almost complete rewrite of the original Back Orifice. By default, B02K comes with the capability to talk over TCP as well as UDP, and supports strong encryption through plug-ins. It has added functionality in the areas of file transfer and registry handling. It has hacking features, such as dumping certain cached passwords. It can be configured to be stealthy.

Like other Trojans, Back Orifice is a client/server application which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text based or GUI client can be run on any Microsoft Windows machine.

The B02K server installed without any plugins is ~100K and leaves a small footprint. The client software is ~500K. The whole suite will fit on a single 1.44MB floppy disk. B02K 1.0 will currently run on Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, and Windows XP systems. All of the various parts of the BO2K suite have been tested and found to be working on all of these platforms. It only runs on Intel platforms at the moment.

• BO2K functionality can be extended using BO plug-ins.

• BOPeep (Complete remote control snap in)

• Encryption (Encrypts the data sent between the BO2K GUI and the server)

• BOSOCK32 (Provides stealth capabilities by using ICMP instead of TCP UDP)

• STCPIO (Provides encrypted flow control between the GUI and the server, making the traffic more difficult to detect on the network)

NetBus consists of two parts: a client-program ("netbus.exe") and a server-program often named: "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses the TCP/UDP-Port # "12345" which can't be altered. From the version 1.70 and higher the port be configured. If it is installed by a "game" called "whackamole" (file name is: "whackjob.zip" (contains the NetBus 1.53 server) its name is "explore.exe". There is also a file called whackjob17.zip, which installs the server of NetBus 1.70 and uses the port 12631. Additionally it is password protected (PW: "ecoli"). The NetBus Server is installed by "game.exe" during the setup routine; the name of the server actually is "explore.exe" located in the windows directory.

To start the server automatically, there is an entry in the registry at: "\HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Run" normally used with the option "/nomsg". If this entry is deleted, the server won't be started with windows.

The NetBus server is about 4 times as large as the Back Orifice server, and generally less "stealthy." Unlike BO, NetBus is not designed to attach virus-like to legitimate files or applications.

Like BO, the NetBus server can have practically any filename. The usual way it is installed is through simple deception; the program is sent to the victim, or offered on a website, and falsely represented as something it is not. Occasionally it may be included in a setup package for a legitimate application and executed in the process of that setup.

The unsuspecting victim runs the program either directly or by way of the application used as camouflage, and it immediately installs itself and begins to offer access to intruders.

NetBus will always reveal its presence by way of an open port, viewable with netstat.exe. Because of this, many intruders delete netstat.exe from the victim's hard drive immediately upon gaining access. Creating a copy or two of netstat using other names is a good precaution against its loss. A regular check for the presence of netstat.exe, including the file's size and date, is advisable and is one means of spotting intrusions. Attackers may use BO as a means of installing Netbus on the target system. This is because NetBus is sophisticated yet easy to use.

Once access is gained, the intruder will often install other backdoors, ftp or http daemons which open victim's drive(s) to access or he may enable resource sharing on the Net connection

The v1.53 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.

NetBus v1.53 is not extremely stealthy, but it is certainly functional and effective.

This utility also has the ability to scan "Class C" addresses by adding "+Number of ports" to the end of the target address. Example: 255.255.255.1+254 will scan 255.255.255.1 through 255.

By default, the v1.6o server is named Patch.exe. It may be renamed. Its size is 4 61K (472,576 bytes). When this program is run, it remains where it is and nothing appears to happen. Unlike v1.53, it can then be deleted uneventfully. However, it is functional. It copies itself to the Windows directory, extracts from within itself a file called KeyHook.dll and activates both programs.

Run without added parameters, v1.6o is persistent; that is, it will execute on its own when the computer is restarted. It makes changes to the Registry; it creates the keys

HKEY_CURRENT_USER\PATCH, where PATCH is the filename before the extension; and by default, it places a value in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Version 1.60, like v1.53, also creates the Registry keys

HKEY_CURRENT_USER\NETBUS; and HKEY_CURRENT_USER\NETBUS\Settings and places basically the same series of values in the Settings key.

The v1.60 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.

Among the new features are greatly expanded file-handling capabilities, an interactive message dialog, password setting and other server controls, and new ways to tamper with the keyboard. Most of its tricks are evident from this console display.

Netbus 1.7 was released to the public on 11/14/98. It is basically the same program as version 1.6, but with an ultra-fast port scanner, capable of redirecting data to another host and port, option to configure the server-exe with some options, like TCP-port and mail notification, ability redirect I/O from console applications to a specified TCP-port and restricting access to only a few IP-numbers.

By default, the v1.70 server is named Patch.exe. It may be renamed. Its default size is 483K (494,592 bytes). With configuration added, its size increases, usually by a couple of hundred bytes. By default, the v1.70 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number. It can however be readily configured to use any other virtual port from 1 to 65534. The port configuration can be pre-set by the sender, and/or it can be changed from remote. It will also open the next-numbered port in sequence, which it apparently uses for responses to the client.

NetBus 2.0 Pro", (often just called "NetBus 2.0") the latest version of this well known backdoor program has been released after Spector took over Netbus. Therefore the new version is a shareware and needs remote user's permission for installation. However, hackers have released variations such as Retail_10.exe which fakes the incomplete patch of ICQ. Instead it installs the "NetBus 2.0 Server" in the invisible and auto starting mode. It even deletes the data logged by the server.