

Friday, June 19, 2009

Next Topic: Denial of Service attacks

Friends, from tomorrow onwards we will look at various aspects of Denial of Service attacks. The discussion will cover topics such as:
  • What is a Denial of Service Attack?

  • What is a Distributed Denial of Service Attack?

  • Why are they difficult to protect against?

  • Types of denial of service attacks

  • Tools for running DOS attacks

  • Tools for running DDOS attacks

  • Denial of Service Countermeasures

It's Real

On February 6th, 2000, the Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, eBay (EBAY), Amazon.com (AMZN), and CNN (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off.

(Business Week Online, 12 February 2000)

What became obvious over the hours was the victimization of the site by a distributed denial of service attack from hundreds of geographically dispersed Internet-connected machines sending millions of request-for-service packets. This resulted in an operational problem that eventually left the organization incapable of serving its legitimate customers.

According to the Yankee Group, the estimated cost of the above-mentioned attack totaled $1.2 billion cumulatively, and the attack on Amazon alone cost between $200,000 and $300,000 per hour. The loss in terms of customer goodwill, corporate reputation and public trust is likely to have been greater, given the mainstream media coverage these attacks received because of their sheer scale and high-profile victims. The first DoS attack was recorded way back in 1988 and was instrumental in the setting up of the CERT Coordination Center. The February 2000 attack was not the last either, despite law enforcement agencies scooping up a 15-year-old Canadian teenager, who went by the alias "Mafia boy" and who had reportedly launched the attacks using a DDoS tool called Tribe Flood Network 2000.

Major DDoS attacks still make the news. In January 2001, Microsoft became the victim of such an attack. Microsoft's primary Web site and associated MSN sites, such as the online travel site Expedia.com, the auto sales site CarPoint, and the Microsoft email service Hotmail, were inaccessible for several hours. The Code Red worm, targeting the White House in the stillborn second phase of its attack, amassed 359,000 machines worldwide in just 14 hours. Even CERT was not spared: in May 2000, a DDoS was launched against it, resulting in losses that totaled $100,000.

What is a Denial Of Service Attack?

  • A denial of service attack (DOS) is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the resources, so that no one can access it.

  • If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack.

Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic, that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests, that all available operating system resources are consumed and the computer can no longer process legitimate user requests.

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include

  • attempts to "flood" a network, thereby preventing legitimate network traffic

  • attempts to disrupt connections between two machines, thereby preventing access to a service

  • attempts to prevent a particular individual from accessing a service

  • attempts to disrupt service to a specific system or person


Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, but the denial of service may be part of a larger attack. Illegitimate use of resources may also result in denial of service. For example, an intruder may use an anonymous FTP area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic.

A denial of service attack can also destroy programming and files in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss. However, these attacks can cost the target person or company a great deal of time and money.

Types of denial of service attacks
  • There are several general categories of DoS attacks.

  • Popularly, the attacks are divided into three classes:

    • bandwidth attacks,

    • protocol attacks, and

    • logic attacks.

DoS attacks exploit the asymmetric nature of certain types of network traffic. One attack method seeks to cause the target to use more resources processing traffic than the attacker does sending the traffic.

---Regards,
Amarjit Singh

Sniffers - Summary

Summary
  • A sniffer is a piece of software that captures the traffic flowing into and out of a computer attached to a network.

  • A sniffer attack is commonly used to grab logins and passwords that are traveling around on the network.

  • Sniffing can be active or passive.

  • Popular attack methods include the man in the middle attack and session hijacking.

  • On switched networks, MAC flooding and ARP spoofing are carried out.


---Regards,
Amarjit Singh

DNS Sniffing and Spoofing

  • DNS Spoofing is said to have occurred when a DNS entry points to another IP instead of the legitimate IP address.

  • When an attacker wants to poison a DNS cache, he will use a faulty DNS - which can be his own domain running a hacked DNS server. The DNS server is termed as hacked because the IP address records are manipulated to suit the attacker's needs.

Concept

DNS Spoofing is said to have occurred when a DNS entry points to another IP instead of the legitimate IP address. Let us see how this is done.

Typically, a DNS Server contains the records only for the machines of the domain it has authority over. If it has to answer queries about machines outside its domain, it has to send a request to the other DNS Server which handles these machines. As frequent communication is not practical, the DNS server keeps a cache and stores in it all the replies returned by other DNS servers.

When an attacker wants to poison a DNS cache, he will use a faulty DNS - which can be his own domain running a hacked DNS server. The DNS server is termed as hacked because the IP address records are manipulated to suit the attacker's needs.

Attack Methods

The attack methodology goes like this. The attacker sends a request to the target DNS Server asking it to resolve www.attacker.com (attacker's domain). As the target DNS does not have the pointing record in its cache, it seeks the answer from the responsible name server (which is the attacker's DNS server). While replying to the target DNS server, the hacked DNS server transfers all the records, including the manipulated records, to the target server. This process is called zone transfer. The DNS server is poisoned as long as the cache is not cleared or updated. This way, the attacker can make some records point to spoofed addresses or even remain silent and let all the traffic pass through his server.

Countermeasures

Countermeasures include implementing anti-spoofing rules on the network's border routers. This can be as simple as not allowing anything out with a source IP address that does not belong to the network, or anything in with a source IP address that does belong to the network.

The next level of protection can reside on the access routers. This could also be used in order to prevent IP spoofing at its most common source. While these filters can be sometimes tricky when it comes to combining dynamic IP and 'multi-POP' static IP routing, if implemented well, these filters can completely prevent IP spoofing that originates from an access network.
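The two border rules described above (egress: drop outbound packets whose source is not ours; ingress: drop inbound packets whose source claims to be ours) expressed as a small Python filter. This is an added illustration, not code from the original post; the prefix 203.0.113.0/24 is assumed to be the network's own address space, and the martian ranges are an addition a practitioner would normally include on the inbound side.

```python
import ipaddress

# Constructed assumption: the address block this network is responsible for.
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Ranges that should never appear as a source on the public side of the border
# (private, loopback, "this network"). Listed explicitly rather than via
# ip_address.is_private so the check is obvious to the reader.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def is_local(src: str) -> bool:
    """True if src belongs to one of the network's own prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in LOCAL_PREFIXES)


def is_martian(src: str) -> bool:
    """True if src falls in a range that cannot legitimately arrive from the Internet."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MARTIANS)


def border_filter(direction: str, src: str) -> str:
    """Decide 'permit' or 'drop' for a packet crossing the border router.

    direction: 'out' = leaving the network, 'in' = arriving from the Internet.
    Egress rule: outbound packets must carry one of our own source addresses.
    Ingress rule: inbound packets must not claim one of our own source
    addresses, and must not come from a martian range either.
    """
    local = is_local(src)
    if direction == "out":
        return "permit" if local else "drop"
    if direction == "in":
        return "drop" if local or is_martian(src) else "permit"
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(packets):
    """Run the filter over (direction, source) pairs; returns the decisions."""
    return [(d, s, border_filter(d, s)) for d, s in packets]


if __name__ == "__main__":
    # Constructed sample traffic, one packet per rule.
    sample = [
        ("out", "203.0.113.5"),    # our host talking out: permit
        ("out", "198.51.100.7"),   # inside host spoofing a foreign source: drop
        ("in", "198.51.100.7"),    # ordinary Internet traffic: permit
        ("in", "203.0.113.5"),     # outsider claiming our address: drop
        ("in", "10.0.0.1"),        # private-range source from the Internet: drop
    ]
    for d, s, verdict in apply_filter(sample):
        print(f"{d:3} {s:15} -> {verdict}")
```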

WinDNSSpoof
  • This tool is a simple DNS ID Spoofer for Windows 9x/2K.

  • In order to use it you must be able to sniff traffic of the computer being attacked.

  • Usage: wds -h

    Example: wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b

This is a simple tool for spoofing the DNS ID on Windows 9x/2K. To use it, the user must be able to sniff the traffic of the computer being attacked. However, it does not work in a switched network, as a switched network requires ARP cache poisoning tools like winarp_sk or winarp_mim.

A personal firewall must be configured to block outgoing traffic to UDP destination port 53 in order to ensure that the DNS server does not answer before WinDNSSpoof does. WinDNSSpoof then takes care of spoofing only those packets that are required, while the rest are allowed to go through. This is made possible by specifying the MAC address of the DNS server, or of the default gateway in case the DNS server is in another network.

Usage: wds -h

Example: wds -n www.targetsite.com -i 216.239.39.101 -g 00-00-39-5c-45-3b

---Regards,
Amarjit Singh

Sniffers - Tool and Softwares: Network Sniffers

SMAC is a Windows MAC address modifying utility that allows users to change the MAC address of most Network Interface Cards (NICs) on Windows 2000, XP, and 2003 Server systems, irrespective of whether the manufacturers of the cards permit the change. It must be noted that SMAC does not burn a new address into the hardware; the new MAC address the user sets persists across reboots.

SMAC has 2 modes of operation: [WBEM ON] and [WBEM OFF]. If the "Windows Management Instrumentation (WMI)" service is running, it will be running on [WBEM ON] mode. Otherwise, it is on [WBEM OFF] mode. The [WBEM ON] mode shows more information. The tool also allows the user to log and track SMAC activities.

SMAC takes advantage of the NdisReadNetworkAddress function in the Microsoft Device Driver Development Kit (DDK). NdisReadNetworkAddress(...) is called by the network adapter driver to obtain a user-specified MAC address from the registry. After the driver confirms that there is a valid MAC address specified in the registry key, it programs that MAC address into its hardware registers to override the burnt-in MAC address.

SMAC was originally designed as a security testing tool for MAC address authorization and authentication systems, Intrusion Detection Systems, and MAC address based software licensing. When changing a MAC address, the user must ensure that they assign MAC addresses according to the IANA Number Assignments database.

Mac Changer
  • MAC changer is a Linux utility for setting a specific MAC address for a network interface.

  • It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor.

  • The user can also set a MAC of the same kind (e.g.: wireless card).

  • It offers a choice of vendor MAC list (more than 6200 items) to choose from.

MAC changer is a Linux utility for setting a specific MAC address for a network interface. It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor. The user can also set a MAC of the same kind (e.g.: wireless card). It offers a choice of vendor MAC list (more than 6200 items) to choose from. The latest version is 1.3 and it offers more than 35 wireless cards as well.

Usage Examples:

# macchanger eth1

Current MAC: 00:40:96:43:ef:9c [wireless] (Cisco/Aironet 4800/340)

Faked MAC: 00:40:96:43:ef:9d [wireless] (Cisco/Aironet 4800/340)

# macchanger -A eth1

Current MAC: 00:40:96:43:39:a6 [wireless] (Cisco/Aironet 4800/340)

Faked MAC: 00:10:5a:1e:06:93 (3Com, Fast Etherlink XL in a Gateway 2000)


Iris is an advanced data and network traffic analyzer, a "sniffer", that collects, stores, organizes and reports all data traffic on the network. Iris has advanced integrated technology that allows it to reconstruct network traffic, all with a push of a button.

Iris can reconstruct raw data in packets and turn it into complete HTTP, SMTP and POP3 sessions in their original format. The user can view both outgoing and incoming email messages, web browsing sessions, instant messenger exchanges, non-encrypted web-based email and FTP transfers. Using this, the user can set up automated screens to monitor the Web-browsing patterns of the network. With Iris, the user is able to read the actual text of an email - as well as any attachments - exactly as it was sent. Iris will reconstruct the actual html pages that network users have visited and even simulate cookies for entry into password-protected websites.

Iris provides a large variety of statistical measurements such as pie charts and bar graphs, and provides information on protocol distribution, top hosts, packet-size distribution and bandwidth usage. Iris' Packet Editor gives the ability to create custom or spoofed packets and to send them across the Internet, to specific ports or addresses, or repeatedly across the network. Iris has a fast packet injector that handles up to 9000 packets per second.

Iris can be easily configured to only capture specific data through any combination of packet filters. Packet filters can be based on the hardware or protocol layer, any number of keywords, MAC or IP address, source and destination port, custom data, and size of the packets.


NetIntercept from Sandstorm Enterprises belongs to the category of Network Forensics Analysis Tools (NFAT) that is gaining popularity these days. Using a network forensics tool a user can spy on people's email, learn passwords, determine Web pages viewed, and even spy on the contents of a person's shopping cart. The tremendous power these forensic tools have over today's networks makes them subject to abuse. The difference from an ordinary sniffer is in the range and depth of network monitoring: these tools can be used for full content network monitoring, not just filters.

NetIntercept 1.2 captures LAN traffic using a standard Ethernet interface card placed in promiscuous mode and a modified UNIX kernel. The capture subsystem runs continuously, whether or not the GUI is active. NetIntercept performs stream reconstruction on demand. When the user selects a range of captured network traffic to analyze, NetIntercept assembles those packets into network connection data streams. The reconstructed streams are then presented to the NetIntercept analysis subsystem for identification and analysis. Once TCP streams are reconstructed and parsed, some of the objects that they contain need to be stored for long periods of time. Examples of such objects are web pages, files transferred by FTP, and e-mail attachments.

Besides controlling data capture and analysis, the GUI offers sophisticated search criteria. A user can find one or many network connections according to the time of day, source or destination hardware or Internet address, source or destination TCP or UDP port name or number, username associated with the connection, electronic mail sender, recipient(s) or subject header, file name or World Wide Web URI associated with the transfer, or specific protocols or content types recognized in the connection's contents. Once a connection has been identified, the user can drill down to view the search criteria extracted from it.

---Regards,
Amarjit Singh

Macof, MailSnarf, URLSnarf, WebSpy

Macof floods the local network with random MAC addresses, causing some switches to fail open in repeating mode, and thereby facilitates sniffing.

Mailsnarf is capable of capturing and outputting SMTP mail traffic that is sniffed on the network.
urlsnarf is a neat tool for monitoring Web traffic.
Webspy allows the user to see all the web pages visited by the victim.
Each of the tools included in the dsniff distribution has some unique function. In general, the tools dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy are used to passively monitor a vulnerable shared network. By overloading the switch, a hacker could have access to all the data passing through the switch.

Tools
One tool for doing this is called "macof". dsniff's macof generates random MAC addresses, exhausting the switch's memory. It is capable of generating 155,000 MAC entries on a switch per minute. Some switches then revert to acting like a hub.
The whole process of sniffing another's mail becomes an easy task with mailsnarf. Once the attacker has access to the target subnet, he can use mailsnarf to capture mail traffic that passes through the network subnet or Ethernet switch.

Mailsnarf makes it possible to save the messages in standard mail format, so that the attacker can use just about any e-mail client to read what is captured as easily as he can read mail from his inbox. Mailsnarf reassembles and displays e-mail traffic in a legible manner, thus enabling the attacker to read other users' e-mail in real time.
urlsnarf is a tool for monitoring Web traffic. urlsnarf grabs all the HTTP requests from the captured network traffic and outputs the results in the Common Log Format (CLF), as used by Web servers such as Apache or IIS.
The only drawback of urlsnarf is that at present, it is hard coded to monitor TCP ports 80 (clear-text HTTP), 3128 (MS-proxy), and 8080 (generic/squid proxy). HTTP traffic going to other TCP ports is ignored. Because urlsnarf generates output as CLF log lines, the output can be piped to any log analysis program that uses CLF Web server logs.

The webspy package (webspy.exe) is a hacking tool. Running webspy 111.111.111.111 makes the program intercept all HTTP traffic to and from the IP address 111.111.111.111 and pass it off to a local browser. This will open Netscape or IE, and the traffic sent to the attacker's browser will match that of the target. He can then follow targets around as they surf the net. However, Webspy won't follow targets over SSL connections or reveal information entered into form fields (like passwords).

Man in the Middle Attack

Attack Methods

How does an attacker exploit this vulnerability using a tool such as dsniff? The attacker will use webmitm and sshmitm tools from the dsniff package for attacking HTTPS or SSH.

Attackers position themselves between two systems and actively participate in the connection to gather data. The attacker may also run the dnsspoof program configured to send false DNS information so that a DNS query for a given website will resolve to the attacker's IP address. Then the attacker will activate the webmitm program so that it transparently proxies all HTTP and HTTPS traffic it receives.

The dnsspoof program detects DNS requests for www.website.com and redirects the client to the attacker's machine. The ARP table convinces the victim's machine that it is indeed talking to the intended web server. The victim's browser starts to establish a secure connection.

All messages for establishing the SSL connection are sent to webmitm running on the attacker's machine. webmitm acts as an SSL proxy, establishing two SSL connections: one from the victim to the attacker's machine and the other from the attacker's machine to the actual web server. When establishing the SSL session between the victim machine and the attacker machine, webmitm will send the attacker's own certificate.

The victim's browser will notice that the certificate is not signed by a trusted Certificate Authority and show a message to the user asking the user whether to accept this un-trusted certificate or not. The normal tendency is to accept it, thinking it is some error message.

---Regards,
Amarjit Singh

bX-572dn8 Blog Posting Error

Hi friends, today while posting I saw an error. Screenshot attached below. I clicked back and reposted it and it was done. Can anyone tell me please why this error occurs?




---Regards,
Amarjit Singh

ARP Spoofing & Sniffing HTTPS and SSH


A possible way to sniff information would be to control an ARP table of a computer. ARP spoofing involves changing the MAC to IP address entries, causing traffic to be redirected from the legitimate system to an unauthorized system of the attacker's choice.

This is achieved by sending out a forged ARP packet to the target system, telling it that its default gateway has changed to the attacker's system. This way, whenever the target system sends traffic on the network, it will send it to the attacker's system first, which then forwards the packet on to its original destination as if nothing ever happened.

Attack Methods

Let us take a closer look at the attack methodology. There are switches that are not foiled by MAC flooding. These switches stop storing new MAC addresses once their memory reaches a given limit. In this scenario, an attacker can use DSniff's tool called arpspoof. arpspoof allows an attacker to manipulate ARP traffic on a LAN by redefining the ARP table.

Usually, such attempts are preceded by the scanning and enumeration phases where the attacker draws up a map of the network and discovers the network topology. Looking at the network topology the attacker can decipher the IP address of the default router for the LAN. He then sets up the attack by configuring the IP layer of the attacker's machine to forward any packet it receives from the LAN to the IP address of the default router (IP forwarding). The next step in the attack is sending the fake ARP replies to the victim's machine.

This ARP reply changes the victim's ARP table by remapping the default router's IP address (layer 3) to the attacker's own MAC address (layer 2). The victim machine sends its data to what it thinks is the default router, but unknowingly addresses it to the attacker's MAC address.

The attacker sniffs the information using any kind of sniffing tool. The attacker's machine will promptly forward the victim's traffic to default router on the LAN. Upon reaching the default router the traffic is transmitted to the outside world. The attacker is now sniffing in a switched environment.


Sniffing HTTPS and SSH
  • An SSL connection uses a session key to encrypt all data sent by server and client.

  • SSH is based on the public key encryption idea.

  • With SSH a session key is transmitted in an encrypted fashion using a public key stored on the server.

  • As such, these protocols - SSL and SSH are sound from a security standpoint. The problem however lies in the basis of these protocols - namely trust certificates and public keys.

One of the precautionary measures advocated to check information leakage by sniffing is to use a secure protocol. While the S's in HTTPS, SSL and SSH stand for secure, the underlying basis of this is a trust relationship between public keys.

When an HTTPS connection is established, the server sends a certificate which the browser verifies. This certificate is like a digital driver's license identifying the Web server - that, it is indeed who it claims to be. This is endorsed by a certification authority by placing its digital signature on the certificate.

The browser on its part verifies the signature on the certificate to ensure that it is authentic and to verify server's identity. If the certificate was signed by a trusted Certificate Authority, an SSL connection will be established. Now, an SSL connection uses a session key to encrypt all data sent by server and client.

On the other hand, SSH does not support digital certificates though it is based on the public key cryptography. With SSH, a session key is transmitted in an encrypted fashion using a public key stored on the server. As such, these protocols SSL and SSH are sound from a security standpoint. The problem however lies in the basis of these protocols, namely trust certificates and public keys.

For SSL, if a web server sends the browser a certificate and if the browser does not recognize the certificate, it will prompt the user for his consent/approval to accept the certificate. For SSH the user will be warned that server's public key has changed. Nevertheless, he will still be permitted to establish connection to the server, thereby exposing him to attacks. Let us see how dsniff can be used by crackers to exploit this aspect.

---Regards,
Amarjit Singh

Active Sniffing and Passive Sniffing

Passive Sniffing

A packet sniffer is seldom the only tool used for an attack. This is because a sniffer can work only in a common collision domain. A common collision domain is a network segment that is not switched or bridged (i.e. connected through a hub). Any traffic that is not switched or bridged on a network segment can be seen by all machines on that segment. As sniffers gather packets at the Data Link Layer, they can potentially grab all the packets on the LAN of the machine running the sniffer program.

This is because a network built on a hub is a broadcast medium shared by all systems on the LAN. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. If an attacker runs a sniffer on one system on the LAN, he can gather data sent to and from any other system on the LAN. The majority of sniffer tools are ideally suited to sniff data in a hub environment. These tools are called passive sniffers as they passively wait for the data to be sent and capture it. They are efficient in silently gathering the data from the LAN.

Note

In passive sniffing, the intruder gets access to the network by any of the following methods.

  • By compromising the physical security. An example of this can be the intruder walking into the building with his laptop and capturing data by plugging in to access the network.

  • Using a Trojan horse. Many Trojans have sniffing capability built into them. For instance, the Back Orifice server has a plugin known as "Butt Trumpet". Butt Trumpet will send the attacker an email when the server has been installed. Once the attacker knows that the victim's machine has been compromised, the attacker can then install a packet sniffer and use it.

Active Sniffing


One countermeasure against passive sniffing is to replace the network hub with a switch. Unlike a hub based network, switched ethernet does not broadcast all information to all systems on the LAN. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target.

In other words, the main difference between a switch and hub is that while a hub has no mapping, and thus broadcasts line data to every port on the device, a switch looks at the MAC address associated with each frame passing through it and sends the data to the required connection on the switch.

The switch thereby limits the data that a passive sniffer can gather. If there is a passive sniffer activated on a switched LAN, the sniffer will only be able to see data going to and from one machine - i.e. the system on which it is installed.

However, it must be noted that the development of switched networks was driven by the need for more bandwidth, and not for the need of more secure networks. Since the evolution was not driven by security needs, there are ways to circumvent this network posture and sniff the traffic.

So how does an attacker sniff on a switched LAN? The sniffers for a switched LAN actively inject traffic into the LAN to enable sniffing of the traffic. Hence the term 'active sniffing'. Some of the methods used in the attack include ARP Spoofing, MAC Flooding and MAC Duplicating etc.

EtherFlood
  • EtherFlood floods a switched network with Ethernet frames with random hardware addresses.

  • The effect on some switches is that they start sending all traffic out on all ports so that the attacker is able to sniff all traffic on the network.

In a switched network, the ARP table ensures that IP addresses are mapped to MAC addresses. However, this does not stop sniffing, as we see in ARP Spoofing. One way to sniff in a switched network is to convert the functionality of a switch to that of a hub.

In other words, to make a switch change its default directed output to the broadcast method. One way of accomplishing this is to foil the switch by flooding the network with too many frames. When this happens, some switches become unable to perform the IP to MAC mappings and then "fail out" to broadcasting.

Tools

EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so that sniffing of the switched network traffic is possible.
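The two switched-network tricks above (ARP spoofing of the default gateway, and MAC flooding that pushes a switch into fail-open mode) both leave a footprint that a monitoring port can see. The following Python, added here and not part of the original post, runs two such checks over a constructed capture: a port showing an abnormal number of distinct source MACs in one second, and an ARP packet that binds the gateway's IP to a MAC other than the trusted one. The gateway address, the port numbers and the MACs are all constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    """One frame as seen on a switch monitoring port (constructed record)."""
    ts: float                              # arrival time in seconds
    port: int                              # switch port the frame came in on
    src_mac: str                           # Ethernet source address
    arp_sender_ip: Optional[str] = None    # for ARP: the IP the sender claims
    arp_sender_mac: Optional[str] = None   # for ARP: the MAC the sender claims


def detect_mac_flood(frames, window=1.0, threshold=100):
    """Return (port, distinct_macs) for every port/window bucket in which more
    than `threshold` different source MACs were seen. A normal access port
    carries a handful of MACs; a flood produces thousands per minute."""
    seen = defaultdict(set)               # (port, bucket) -> source MACs
    for f in frames:
        seen[(f.port, int(f.ts // window))].add(f.src_mac)
    return sorted((port, len(macs)) for (port, _), macs in seen.items()
                  if len(macs) > threshold)


def detect_arp_rebinding(frames, trusted):
    """Return alerts for ARP packets that map a protected IP (e.g. the default
    gateway) to a MAC different from the one recorded in `trusted` (ip -> mac).
    Each alert is (ts, port, ip, expected_mac, claimed_mac)."""
    alerts = []
    for f in frames:
        if f.arp_sender_ip in trusted and f.arp_sender_mac != trusted[f.arp_sender_ip]:
            alerts.append((f.ts, f.port, f.arp_sender_ip,
                           trusted[f.arp_sender_ip], f.arp_sender_mac))
    return alerts


# Constructed values: the LAN's default gateway and its known-good MAC.
GATEWAY_IP = "192.168.2.1"
GATEWAY_MAC = "00:11:22:33:44:55"
TRUSTED = {GATEWAY_IP: GATEWAY_MAC}


def constructed_capture():
    """A small synthetic capture: normal traffic, then a MAC flood on port 3,
    then an ARP packet from port 2 claiming to be the gateway."""
    frames = [
        Frame(0.10, 1, "00:40:96:43:ef:9c"),
        Frame(0.20, 24, GATEWAY_MAC, GATEWAY_IP, GATEWAY_MAC),   # genuine gateway ARP
        Frame(0.30, 2, "00:10:5a:1e:06:93"),
    ]
    # 300 frames in half a second, each with a fresh locally-administered MAC.
    for i in range(300):
        frames.append(Frame(1.0 + i / 600, 3, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"))
    # Port 2 now claims the gateway IP with its own MAC (the ARP spoof).
    frames.append(Frame(2.50, 2, "00:10:5a:1e:06:93", GATEWAY_IP, "00:10:5a:1e:06:93"))
    return frames


if __name__ == "__main__":
    capture = constructed_capture()
    for port, n in detect_mac_flood(capture):
        print(f"MAC flood: port {port} saw {n} distinct source MACs in one second")
    for ts, port, ip, want, got in detect_arp_rebinding(capture, TRUSTED):
        print(f"ARP rebinding at t={ts}: port {port} claims {ip} is {got}, expected {want}")
```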


dsniff
  • dsniff is a collection of tools for network auditing and penetration testing.

  • dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

  • arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching).

  • sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

Written by Dug Song, this collection of tools (bundled with the main dsniff utility) has certain unique functionality. However, they can be categorized as having similar baseline functionality. In general, the tools dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy can be used to sniff on a compromised host behind a firewall and look for interesting content.

These tools can be put to good use by network administrators or be used to obtain sensitive information such as login information that is sent in the clear or is weakly encrypted. These tools can also auto detect various messaging protocols (about 30 are included) when dsniff is launched with the "-m" option.

urlsnarf is capable of intercepting all HTTP requests from the network it is deployed on and formatting them into the Common Log Format (CLF) used by MS IIS and Apache. This makes it possible to conduct a log analysis by using suitable programs to interpret the results obtained from urlsnarf. urlsnarf is hard-coded to listen on port 80 (where clear-text HTTP resides) as well as ports 3128 (MS-proxy) and 8080 (generic proxy).
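Because the output is CLF, the same log lines can be analysed by a defender as easily as by an attacker. This added Python (not code from the original post or from dsniff) parses constructed CLF lines of the kind the urlsnarf sections above describe, counts requests per destination host, and lists clear-text POSTs, which is where form-submitted passwords would be exposed to a sniffer. The sample log is constructed; the status and size columns are "-" because a request-side sniffer has no response to record.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Common Log Format (combined variant: referer and
# user-agent appended). The last line is deliberately malformed.
SAMPLE_LOG = """\
192.168.2.24 - - [19/Jun/2009:20:50:00 +0530] "GET http://www.example.com/login HTTP/1.1" - - "-" "Mozilla/5.0"
192.168.2.28 - - [19/Jun/2009:20:50:03 +0530] "POST http://www.example.com/login HTTP/1.1" - - "http://www.example.com/login" "Mozilla/5.0"
192.168.2.24 - - [19/Jun/2009:20:50:07 +0530] "GET http://mail.example.net/inbox HTTP/1.1" - - "-" "Mozilla/5.0"
this line is not in CLF and must be skipped
"""

CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]*)" (?P<status>\S+) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def _num(field):
    """CLF prints '-' for an absent numeric field."""
    return None if field == "-" else int(field)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = _num(rec["status"])
    rec["size"] = _num(rec["size"])
    # urlsnarf-style lines carry absolute URLs; Apache-style ones carry paths,
    # in which case there is no host in the URL and we fall back to "-".
    rec["host"] = urlsplit(rec["url"]).hostname or "-"
    return rec


def parse_clf_lines(text):
    """Parse a whole log, silently skipping non-CLF lines."""
    records = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is not None:
            records.append(rec)
    return records


def top_hosts(records):
    """Requests per destination host, as a plain dict."""
    return dict(Counter(r["host"] for r in records))


def cleartext_posts(records):
    """URLs of POST requests sent over plain HTTP: form data in the clear."""
    return [r["url"] for r in records
            if r["method"] == "POST" and r["url"].startswith("http://")]


if __name__ == "__main__":
    recs = parse_clf_lines(SAMPLE_LOG)
    print("requests per host:", top_hosts(recs))
    print("clear-text POSTs:", cleartext_posts(recs))
```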

arpspoof, dnsspoof, and macof work on the interception of switched network traffic that is usually unavailable to a sniffer program due to the segment switching that occurs at the ISO layer 2 level. sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

---Regards,
Amarjit Singh

Sniffers - Tool and Softwares: Network Sniffers - 6

Tool: Windump
  • WinDump is the porting to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX.

WinDump is the porting to the Windows platform of tcpdump, the most prolific network sniffer/analyzer for UNIX. Porting is currently based on version 3.5.2. WinDump is fully compatible with tcpdump and can be used to watch and diagnose network traffic according to various complex rules.

WinDump is simple to use and works at the command prompt. The syntax used in our screenshot is Windump -n -S -vv. The -n option tells Windump to display IP addresses instead of host names. The -S option makes it show the actual TCP sequence numbers; if this option is omitted, relative numbers are shown instead. The -vv option makes the output more verbose, adding fields such as time to live and IP ID number to the sniffed information.

Let's take a closer look at how WinDump records various types of packets. Here's a TCP example, which shows a data packet with the PUSH and ACK flags set. First, we have the WinDump log entry for the packet. Immediately after it is the same entry, but with an explanation added for each field:

20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)

The above entry can be deciphered as 20:50:00.037087 [timestamp] IP [protocol header follows] (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 [source IP:port] > 64.12.24.42.5190: [destination IP:port] P [push flag] [tcp sum ok] 157351:157357 [sequence numbers] (6) [bytes of data] ack 2475757024 [acknowledgement and sequence number] win 8767 [window size] (DF) [don't fragment set]

The next example is UDP.

20:50:11.190427 [timestamp] IP [protocol header follows] (tos 0x0, ttl 128, id 6071, len 160) 192.168.2.28.3010 [source IP:port] > 192.168.2.1.1900: [destination IP:port] udp [protocol] 132

ICMP log entry looks as given below.

20:50:11.968384 [timestamp] IP [protocol header follows] (tos 0x0, ttl 128, id 8964, len 60) 192.168.2.132 [source IP] > 192.168.2.1: [destination IP] icmp [protocol type] 40: [Time to live] echo request seq 43783 [sequence number]

Finally, WinDump will also capture ARP requests and replies.

20:50:37.333222 [timestamp] arp [protocol] who-has 192.168.2.1 [destination IP] tell 192.168.2.118 [source IP]

20:50:37.333997 [timestamp] arp [protocol] reply 192.168.2.1 [destination IP] is-at 0:a0:c5:4b:52:fc [MAC address]
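Reading these entries by hand is fine for a handful of packets; for a whole capture the field positions are regular enough to parse. The following added example (not part of WinDump or tcpdump; the regular expressions and record keys are my own, and the sample lines are the page's four entries with their bracketed annotations removed) turns each entry shape shown above into a structured record.

```python
"""Parse the text lines tcpdump/WinDump print into structured records.
Added example, not part of WinDump; the regular expressions cover the four
entry shapes shown above (TCP, UDP, ICMP, ARP) as tcpdump 3.x prints them."""
import re

# The page's four entries with the bracketed annotations stripped out.
SAMPLE_LINES = [
    "20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)",
    "20:50:11.190427 IP (tos 0x0, ttl 128, id 6071, len 160) 192.168.2.28.3010 > 192.168.2.1.1900: udp 132",
    "20:50:11.968384 IP (tos 0x0, ttl 128, id 8964, len 60) 192.168.2.132 > 192.168.2.1: icmp 40: echo request seq 43783",
    "20:50:37.333222 arp who-has 192.168.2.1 tell 192.168.2.118",
    "20:50:37.333997 arp reply 192.168.2.1 is-at 0:a0:c5:4b:52:fc",
]

TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+)"
IP_HDR = re.compile(
    TS + r" IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<ip_id>\d+), "
    r"len (?P<ip_len>\d+)\) (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$"
)
ARP_LINE = re.compile(TS + r" arp (?P<rest>.*)$")
TCP_REST = re.compile(
    r"^(?P<flags>[A-Z.]+) \[tcp sum ok\] (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<data_len>\d+)\) "
    r"ack (?P<ack>\d+) win (?P<win>\d+)(?: \((?P<ip_flags>[A-Z]+)\))?"
)
UDP_REST = re.compile(r"^udp (?P<udp_len>\d+)$")
ICMP_REST = re.compile(r"^icmp (?P<icmp_len>\d+): (?P<detail>.*)$")
ARP_WHO = re.compile(r"^who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)$")
ARP_REPLY = re.compile(r"^reply (?P<sender>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]+)$")


def split_endpoint(endpoint):
    """'192.168.2.24.1036' -> ('192.168.2.24', 1036): tcpdump appends the port
    as a fifth dotted field."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict describing one tcpdump line, or raise ValueError."""
    m = ARP_LINE.match(line)
    if m:
        rec = {"ts": m.group("ts"), "proto": "arp"}
        who = ARP_WHO.match(m.group("rest"))
        if who:
            rec.update(op="request", target_ip=who.group("target"), sender_ip=who.group("sender"))
            return rec
        rep = ARP_REPLY.match(m.group("rest"))
        if rep:
            rec.update(op="reply", sender_ip=rep.group("sender"), sender_mac=rep.group("mac"))
            return rec
        raise ValueError(f"unrecognised ARP line: {line}")

    m = IP_HDR.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line}")
    rec = {
        "ts": m.group("ts"),
        "tos": int(m.group("tos"), 16),
        "ttl": int(m.group("ttl")),
        "ip_id": int(m.group("ip_id")),
        "ip_len": int(m.group("ip_len")),
    }
    rest = m.group("rest")
    t = TCP_REST.match(rest)
    if t:
        rec["proto"] = "tcp"
        rec["src"], rec["sport"] = split_endpoint(m.group("src"))
        rec["dst"], rec["dport"] = split_endpoint(m.group("dst"))
        rec["flags"] = t.group("flags")
        rec["seq"] = (int(t.group("seq_start")), int(t.group("seq_end")))
        rec["data_len"] = int(t.group("data_len"))
        rec["ack"] = int(t.group("ack"))
        rec["win"] = int(t.group("win"))
        rec["df"] = t.group("ip_flags") == "DF"
        return rec
    u = UDP_REST.match(rest)
    if u:
        rec["proto"] = "udp"
        rec["src"], rec["sport"] = split_endpoint(m.group("src"))
        rec["dst"], rec["dport"] = split_endpoint(m.group("dst"))
        rec["udp_len"] = int(u.group("udp_len"))  # UDP payload length in bytes
        return rec
    i = ICMP_REST.match(rest)
    if i:
        rec["proto"] = "icmp"
        rec["src"], rec["dst"] = m.group("src"), m.group("dst")
        # tcpdump prints the ICMP message length (IP len minus the 20-byte header) here
        rec["icmp_len"] = int(i.group("icmp_len"))
        rec["detail"] = i.group("detail")
        return rec
    raise ValueError(f"unrecognised transport: {line}")


def parse_all(lines):
    return [parse_line(line) for line in lines]
```

Once the entries are records, the checks an administrator actually wants (which hosts talk to which ports, unusual TTLs, ARP replies for the gateway from an unexpected MAC) become simple filters over a list rather than eyeball work; the cross-checks built into the sample (UDP 132 = IP length 160 minus 28 bytes of headers, ICMP 40 = 60 minus 20) are a quick way to confirm the parser read the right fields.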

---Regards,
Amarjit Singh

Sniffers - Tool and Softwares: Network Sniffers - 5

There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system.

  • Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console.

  • Packet logger mode logs the packets to the disk.

  • Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.

The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by the author Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching.

Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the foreign host. In our lab, we start using Snort as a packet sniffer and a packet analyzer. Apart from running in a promiscuous mode, we will also see how it will help us log interesting IPs. Using Snort as a packet sniffer and packet analyzer is an easy process. The man pages are very helpful.

From the command prompt we set Snort to display the sniffed and analyzed packets verbosely. For example, the command below captures all packets belonging to the class C internal range 192.168.20.*.

C:\>snort -v -d -e -i eth0 -h 192.168.20.0/24 -l log

  • The '-v' switch produces verbose output.

  • The '-d' switch dumps the decoded application-layer data.

  • The '-e' switch shows the decoded Ethernet headers.

  • The '-i' switch specifies the interface to be monitored.

  • The '-h' switch specifies the home network whose packets are to be captured.

  • The '-l' switch tells Snort to write the captured packets to disk under the given log directory.

The packets are captured in hex format by default (this can be changed to binary -b) and sorted by IP address to facilitate easy mapping and decoding of data.

06/22-16:36:44.959860 0:C1:26:E:AF:10 -> 0:A0:C5:4B:52:FC type:0x800 len:0x4D

192.168.2.96:1629 -> 203.124.250.69:53 UDP TTL:128 TOS:0x0 ID:38429 IpLen:20 DgmLen:63

Len: 43

00 02 01 00 00 01 00 00 00 00 00 00 03 77 77 77 ............www

09 61 69 72 6C 69 6E 65 72 73 03 6E 65 74 00 00 .airliners.net..

01 00 01 ...
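The hex dump above is a complete DNS query, and decoding it by hand shows what Snort's '-d' output actually contains. The following added example (not part of Snort; the function names and the QTYPES table are my own) converts the dump lines back into bytes and parses the DNS header and question section according to RFC 1035.

```python
"""Decode the DNS query that the Snort dump above captured.  Added example,
not part of Snort: it turns Snort's hex columns back into bytes and parses the
DNS header and question section by hand."""
import struct

# The three dump lines from the page (hex columns plus Snort's ASCII column).
SNORT_DUMP = """\
00 02 01 00 00 01 00 00 00 00 00 00 03 77 77 77 ............www
09 61 69 72 6C 69 6E 65 72 73 03 6E 65 74 00 00 .airliners.net..
01 00 01 ...
"""

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump):
    """Take the up-to-16 hex tokens per line and stop at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for token in line.split()[:16]:
            if len(token) == 2 and set(token) <= HEX_DIGITS:
                out.append(int(token, 16))
            else:
                break
    return bytes(out)


def parse_name(data, offset):
    """Read a DNS name (length-prefixed labels, RFC 1035), following a
    compression pointer if one appears.  Returns (name, offset_after)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            pointer = ((length & 0x3F) << 8) | data[offset]
            offset += 1
            suffix, _ = parse_name(data, pointer)
            labels.append(suffix)
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def decode_dns(data):
    """Parse the 12-byte header and the question section of a DNS message."""
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", data[:12])
    msg = {
        "id": ident,
        "is_response": bool(flags & 0x8000),   # QR bit
        "opcode": (flags >> 11) & 0xF,
        "recursion_desired": bool(flags & 0x0100),
        "counts": (qdcount, ancount, nscount, arcount),
        "questions": [],
    }
    offset = 12
    for _ in range(qdcount):
        name, offset = parse_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        msg["questions"].append({
            "name": name,
            "type": QTYPES.get(qtype, qtype),
            "class": "IN" if qclass == 1 else qclass,
        })
    return msg


if __name__ == "__main__":
    print(decode_dns(hexdump_to_bytes(SNORT_DUMP)))
```

The result is a standard query (QR = 0, opcode 0, recursion desired) with ID 2 asking for the A record of www.airliners.net, and the 35 decoded bytes match the dump header exactly: Len: 43 for UDP minus its 8-byte header. Feeding the same decoder the answer packet would be the first step of the kind of DNS monitoring that catches the spoofed replies dnsspoof generates.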

---Regards,
Amarjit Singh

Sniffers - Tool: Ethereal : Network Sniffers - 4

Ethereal is a free network protocol analyzer for UNIX and Windows. It allows the user to examine data from a live network or from a capture file on disk. Interactive browsing of the captured data, viewing summary and detailed information for each packet are part of the basic functionality of the sniffer. Ethereal has several powerful features, including a display filter language and the ability to view the reconstructed stream of a TCP session.

Recent versions of Ethereal have included many enhancements to the interface. Live data can be read from Ethernet, FDDI, PPP, Token-Ring, IEEE 802.11, Classical IP over ATM, and loopback interfaces (at least on some platforms; not all of those types are supported on all platforms). Let us take a closer look. We run Ethereal over the LAN (which is not switched) and take a look at the captured data. We sort by the protocol and notice a POP session.

Ethereal lets us follow the entire conversation as shown in the screenshot below.

We are able to reconstruct the client-server conversation, displayed in two different colors. From the reassembled packets we can make out the e-mail service provider, the user name and the password. That is not all: we were also able to pick a chat thread out of the thousands of packets that passed by in those two minutes.
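What "follow the conversation" does under the hood is put each direction's TCP segments back in sequence-number order, dropping retransmitted bytes. The following added example (not code from Ethereal; the segments, host name and account are constructed, and the function names are my own) does that reassembly and then audits the result the way an administrator would, reporting that a POP3 login crossed the wire in the clear without repeating the password.

```python
"""Reconstruct both directions of a TCP conversation from captured segments,
the way Ethereal's "Follow TCP Stream" does, and flag a POP3 login that crossed
the wire in the clear.  Added example, not code from Ethereal; the packets,
host name and account below are constructed."""
import re

# Constructed capture: (direction, tcp_sequence_number, payload).  Segments are
# listed out of order and one client segment is retransmitted, which is what a
# real capture of a lossy link looks like.
SAMPLE_SEGMENTS = [
    ("server", 1000, b"+OK POP3 mail.example.com ready\r\n"),
    ("client", 5000, b"USER alice@example.com\r\n"),
    ("server", 1033, b"+OK\r\n"),
    ("client", 5044, b"STAT\r\n"),                # captured before the PASS line
    ("client", 5024, b"PASS correct-horse\r\n"),
    ("client", 5024, b"PASS correct-horse\r\n"),  # retransmission
    ("server", 1038, b"+OK Logged in.\r\n"),
]

USER_RE = re.compile(rb"^USER (\S+)\r?$", re.M)
PASS_RE = re.compile(rb"^PASS (\S+)\r?$", re.M)


def reassemble(segments):
    """Order each direction's segments by sequence number, drop retransmitted
    or overlapping bytes, and return ({direction: bytes}, gaps).  A hole left
    by a segment the sniffer missed is reported in gaps as
    (direction, expected_seq, actual_seq) rather than silently skipped."""
    by_dir = {}
    for direction, seq, payload in segments:
        by_dir.setdefault(direction, []).append((seq, payload))
    streams, gaps = {}, []
    for direction, segs in by_dir.items():
        segs.sort(key=lambda s: s[0])
        buf = bytearray()
        expected = segs[0][0]
        for seq, payload in segs:
            if seq > expected:
                gaps.append((direction, expected, seq))
                expected = seq
            elif seq < expected:
                payload = payload[expected - seq:]  # already have these bytes
            buf += payload
            expected += len(payload)
        streams[direction] = bytes(buf)
    return streams, gaps


def audit_pop3(streams):
    """Report whether a cleartext POP3 login was observed.  The password is
    deliberately not returned: the finding is that it was visible at all."""
    client = streams.get("client", b"")
    server = streams.get("server", b"")
    user = USER_RE.search(client)
    password = PASS_RE.search(client)
    return {
        "user": user.group(1).decode("ascii") if user else None,
        "password_in_clear": password is not None,
        "login_succeeded": b"+OK Logged in" in server,
    }


if __name__ == "__main__":
    streams, gaps = reassemble(SAMPLE_SEGMENTS)
    print(audit_pop3(streams), "gaps:", gaps)
```

A positive finding from this audit is the argument for moving users to POP3 over TLS (or at least APOP); running the same check against IMAP's LOGIN or HTTP Basic authentication needs only a different pair of regular expressions.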

---Regards,
Amarjit Singh

Sunday, June 14, 2009

Sniffers - An Introduction : Network Sniffers - 3

Introduction to Packet Sniffing

From Tony Bradley, CISSP, MCSE2k, MCSA, A+

It's a cruel irony in information security that many of the features that make using computers easier or more efficient and the tools used to protect and secure the network can also be used to exploit and compromise the same computers and networks. This is the case with packet sniffing.

A packet sniffer, sometimes referred to as a network monitor or network analyzer, can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic. Using the information captured by the packet sniffer an administrator can identify erroneous packets and use the data to pinpoint bottlenecks and help maintain efficient network data transmission.

In its simple form a packet sniffer simply captures all of the packets of data that pass through a given network interface.

Typically, the packet sniffer would only capture packets that were intended for the machine in question. However, if placed into promiscuous mode, the packet sniffer is also capable of capturing ALL packets traversing the network regardless of destination.

By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is generally transmitted in clear text which means that the information would be viewable by analyzing the packets being transmitted.

A packet sniffer can only capture packet information within a given subnet. So, it's not possible for a malicious attacker to place a packet sniffer on their home ISP network and capture network traffic from inside your corporate network (although there are ways that exist to more or less "hijack" services running on your internal network to effectively perform packet sniffing from a remote location). In order to do so, the packet sniffer needs to be running on a computer that is inside the corporate network as well. However, if one machine on the internal network becomes compromised through a Trojan or other security breach, the intruder could run a packet sniffer from that machine and use the captured username and password information to compromise other machines on the network.

Detecting rogue packet sniffers on your network is not an easy task. By its very nature the packet sniffer is passive. It simply captures the packets that are traveling to the network interface it is monitoring. That means there is generally no signature or erroneous traffic to look for that would identify a machine running a packet sniffer. There are ways to identify network interfaces on your network that are running in promiscuous mode though and this might be used as a means for locating rogue packet sniffers.

If you are one of the good guys and you need to maintain and monitor a network, I recommend you become familiar with network monitors or packet sniffers such as Ethereal. Learn what types of information can be discerned from the captured data and how you can put it to use to keep your network running smoothly. But, also be aware that users on your network may be running rogue packet sniffers, either experimenting out of curiosity or with malicious intent, and that you should do what you can to make sure this does not happen.

---Regards,
Amarjit Singh
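The article above says there are ways to identify interfaces running in promiscuous mode but does not show one. The host-local check is straightforward on Linux, where the kernel exposes each interface's flag word in /sys/class/net/<interface>/flags and `ip link` prints the same flags by name. The following added example (not from the article; the sample flag values and `ip link` output are constructed, and the function names are my own) checks both sources for the IFF_PROMISC bit.

```python
"""Find network interfaces that are in promiscuous mode, the host-local check
the article alludes to.  Added example, not from the article; on Linux the
kernel exposes each interface's flag word in /sys/class/net/<if>/flags, and
`ip link` prints the same flags by name."""
import os

IFF_PROMISC = 0x100  # bit from <linux/if.h>; set when a sniffer asks for all frames

# Constructed samples: eth1 is the only interface sniffing.
SAMPLE_SYSFS_FLAGS = {
    "lo": "0x9\n",       # UP | LOOPBACK
    "eth0": "0x1003\n",  # UP | BROADCAST | MULTICAST
    "eth1": "0x1103\n",  # UP | BROADCAST | PROMISC | MULTICAST
}
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:c1:26:0e:af:10 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:a0:c5:4b:52:fc brd ff:ff:ff:ff:ff:ff
"""


def is_promisc(flags_word):
    """True when the IFF_PROMISC bit is set in an interface flag word."""
    return bool(flags_word & IFF_PROMISC)


def promisc_from_sysfs(flag_texts):
    """flag_texts: {ifname: contents of /sys/class/net/<ifname>/flags}."""
    return sorted(name for name, text in flag_texts.items()
                  if is_promisc(int(text.strip(), 16)))


def promisc_from_ip_link(output):
    """Parse `ip link` output; the flag names sit between < and > on the
    numbered interface header lines."""
    found = []
    for line in output.splitlines():
        if line[:1].isdigit() and "<" in line and ">" in line:
            name = line.split(":")[1].strip().split("@")[0]  # 'veth0@if5' -> 'veth0'
            flags = line[line.index("<") + 1:line.index(">")].split(",")
            if "PROMISC" in flags:
                found.append(name)
    return sorted(found)


def read_sysfs_flags(root="/sys/class/net"):
    """Collect the live flag files on a Linux host; empty dict elsewhere."""
    texts = {}
    if not os.path.isdir(root):
        return texts
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                texts[name] = fh.read()
        except OSError:
            continue
    return texts


if __name__ == "__main__":
    live = promisc_from_sysfs(read_sysfs_flags())
    print("promiscuous interfaces on this host:", live or "none")
```

This only answers the question for a host you can log in to and whose kernel you still trust; an intruder with root on the sniffing machine can hide the flag. The off-host complement is the behavioural test the article hints at: a frame addressed to a MAC that does not exist but carrying a real IP is answered only by a host whose interface accepted it in promiscuous mode.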