
Friday, July 3, 2009

Common Types of Social Engineering

Social engineering can be broken into two types: human-based and computer-based.

  1. Human-based social engineering refers to person-to-person interaction to retrieve the desired information.

  2. Computer-based social engineering refers to using computer software that attempts to retrieve the desired information.

Human-based social engineering involves human interaction in one manner or another. Computer-based social engineering depends on software to carry out the task at hand.

The Gartner Group notes six human behaviors that produce a positive response to social engineering. Corroborate these with the traits discussed in module one of the course.

Reciprocation

Someone is given a "token" and feels compelled to take action.

You buy the wheel of cheese when given a free sample.

Consistency

Certain behavior patterns are consistent from person to person.

If you ask a question and wait, people will be compelled to fill the pause.

Social Validation

Someone is compelled to do what everyone else is doing.

Stop in the middle of a busy street and look up; people will eventually stop and do the same.

Liking

People tend to say yes to those they like, and also to attractive people.

Attractive models are used in advertising.

Authority

People tend to listen and heed the advice of those in a position of authority.

"Four out of five doctors recommend...."

Scarcity

If something is in low supply, it becomes more "precious" and, therefore, more appealing.

Furbies or the Sony PlayStation 2.

Source: Gartner Research


---Regards,
Amarjit Singh

Social Engineering: Art of Manipulation

Objective
  • What is Social Engineering?

  • Common Types of Attacks

  • Social Engineering by Phone

  • Dumpster Diving

  • Online Social Engineering

  • Reverse Social Engineering

  • Policies and Procedures

  • Employee Education

What is Social Engineering?
  • Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.

  • Companies with authentication processes, firewalls, virtual private networks and network monitoring software are still wide open to attacks.

  • An employee may unwittingly give away key information in an email, by answering questions over the phone with someone they don't know, or even by talking about a project with co-workers at a local pub after hours.

It is said that security is only as strong as its weakest link. Social engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action. It need not be restricted to corporate networks alone. It does not matter if enterprises have invested in high-end infrastructure and security solutions such as complex authentication processes, firewalls, VPNs and network monitoring software. None of these devices or security measures is effective if an employee unwittingly gives away key information in an email, by answering questions over the phone with a stranger or new acquaintance, or even by bragging about a project with co-workers at a local pub after hours.

Most often, people are not even aware of the security lapse made by them, albeit inadvertently. Attackers take special interest in developing social engineering skills and can be so proficient that their victims would not even realize that they have been scammed. Despite having security policies in place within the organization, they are compromised because this aspect of attack preys on the human impulse to be kind and helpful.

Attackers are always looking for new ways to access information. They make sure they know the perimeter and the people on it (security guards, receptionists and help desk workers) so they can exploit human oversight. People have been conditioned not to be overtly suspicious, and they associate certain behavior and appearance with known entities. For instance, on seeing a man dressed in brown stacking a whole bunch of boxes on a cart, people will hold the door open because they think he is the delivery man.

Some companies list employees by title and give their phone number and email address on the corporate Web site. Alternatively, a corporation may put advertisements in the paper for high-tech workers trained on Oracle databases or UNIX servers. These little bits of information help attackers know what kind of system they are tackling. This overlaps with the reconnaissance phase.

Art of Manipulation
  • Social Engineering includes acquisition of sensitive information or inappropriate access privileges by an outsider, based upon building of inappropriate trust relationships with outsiders.

  • The goal of a social engineer is to trick someone into providing valuable information or access to that information.

  • It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.

Social engineering is the art and science of getting people to comply with an attacker's wishes. It is not a form of mind control, and it does not allow the attacker to get people to perform tasks wildly outside of their normal behavior. Above all, it is not foolproof. Yet this is one way most attackers get a foot into the corporation. There are two terms that are of interest here.

  • Social engineering is hacker jargon for getting needed information from a person rather than breaking into a system.

  • Psychological subversion is the term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.

Let us look at a sample scenario.

Attacker: "Good morning Ma'am, I am Bob; I would like to speak with Ms. Alice"

Alice: "Hello, I am Alice"

Attacker: "Good morning Ma'am, I am calling from the data center, I am sorry I am calling you so early..."

Alice: "Uh, data center office, well, I was having breakfast, but it doesn't matter"

Attacker: "I was able to call you because of the personal data form you filled when creating your account."

Alice: "My pers.. oh, yes"

Attacker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users' mail. Since you are a remote user, we are clearing your problems first."

Alice: "A crash? Is my mail lost?"

Attacker: "Oh no, Ma'am, we can restore it. But, since we are data center employees, and we are not allowed to mess with the corporate office user's mail, we need your password; otherwise we cannot take any action" (first try, probably unsuccessful)

Alice: "Er, my password? Well..."

Attacker: "Yes, I know, you have read on the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance." (effort to gain victim's trust)

Attacker: "Your username is AliceDxb, isn't it? Corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the datacenter. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else, well, we will forget it." (smiling)

Alice: "Well, it's not so secret (also smiling! It's amazing...), my password is xxxxxx"

Attacker: "Thank you very much, Ma'am. We will restore your mail in a few minutes"

Alice: "But no mail is lost, is it?"

Attacker: "Absolutely, Ma'am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the Intranet"

Alice: "Thanks"

Attacker: "Goodbye"

Human Weakness
  • People are usually the weakest link in the security chain.

  • A successful defense depends on having good policies in place and educating employees to follow the policies.

  • Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.

Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered-down computers are vulnerable.

Anyone with access to any part of the system, physically or electronically, is a potential security risk. Any information that can be gained may be used to social-engineer further information. This means that even people not considered part of a security policy can be used to cause a security breach. Security professionals are constantly being told that security through obscurity is very weak security; in the case of social engineering it is no security at all. It is impossible to obscure the fact that humans use the system or that they can influence it.

Several methods can be used to steer an individual towards completing a desired task. The first and most obvious is simply a direct request, in which the individual is asked to complete the task outright. Although it is the least likely to succeed, this is the easiest and most straightforward method: the individual knows exactly what is wanted of them. The second is to create a contrived situation of which the victim is simply a part. With factors other than just the request to consider, the individual concerned is far more likely to be persuaded, because the attacker can create reasons for compliance other than purely personal ones. This involves far more work for the attacker, and almost certainly requires gaining extensive knowledge of the 'target'. It does not mean the situation need not be based in fact: the fewer untruths, the better the chances of success.

One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sysadmins tend to excel in, especially when it comes to facts relating to their field.


Tuesday, June 30, 2009

Denial of Service Attacks: Summary

Summary
  • Denial of Service is a very commonly used attack methodology.

  • Distributed Denial Of Service using a multiplicity of Zombie machines is an often seen attack methodology.

  • There are various tools available for attackers to perpetrate DOS attacks.

  • Protection against DOS is difficult due to the very nature of the attacks.

  • Different scanning tools are available to aid detection and plugging of the vulnerabilities that lead to DoS.


Use Scanning Tools: Denial of Service Attacks

There are several tools available that can detect whether a system is being used as a DDoS server. The following tools can detect TFN2K, Trinoo and Stacheldraht.

  1. Find_ddos

    (http://ftp.cert.org.tw/tools/Security_Scanner/find_ddos/)

  2. SARA

    (http://www.cromwell-intl.com/security/468-netaudit.html)

  3. DDoSPing v2.0

    (http://is-it-true.org/pt/ptips19.shtml)

  4. RID

    (http://staff.washington.edu/dittrich/misc/ddos/)

  5. Zombie Zapper

    (http://razor.bindview.com/tools/zombiezapper_form.shtml)

Find_DDoS

The tool find_ddos is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system.

The tool will detect several known denial-of-service attack tools by looking at all 32-bit ELF format files in a given directory tree, and comparing the files' strings and symbol table against a set of known "fingerprints" for TFN and trinoo tools. If a file is a close enough match to one of these fingerprints, it is identified as that tool. The tool will optionally make a copy of all files that are found to match. If it finds a match in a running process, it will also grab a core image of the process for subsequent analysis. Any matches that are found are also examined for embedded IP addresses. All results are either displayed on the user's terminal or stored in a log file.

The tool also looks for files named ".sr", "...", "mservers", and optionally makes a copy of them for later analysis. (These are common names for files that contain a list of blowfish-encrypted IP addresses. The blowfish encryption key can be found by examining the binary.)

The distributed denial-of-service tools that are detected by the tool are:

  • mstream master

  • mstream server

  • stacheldraht client

  • stacheldraht daemon

  • stacheldraht master

  • tfn-rush client

  • tfn client

  • tfn daemon

  • tfn2k client

  • tfn2k daemon

  • trinoo daemon

  • trinoo master

The tool must be run as root. Its syntax is:

./find_ddos [-g grabdir] [-l logfile] [-p] [-v] [-V] [-x exclude1] [scandir]
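The scan find_ddos performs, written out as an added example for this page rather than the tool's own code: walk a tree, keep 32-bit ELF files by their header (not their name), extract printable strings the way strings(1) does, match them against a marker table, and pull embedded IP addresses out of any match; the list-file names the page mentions are reported too. The marker table is a constructed placeholder built from strings this page quotes for Stacheldraht, not find_ddos's real fingerprint database, and the sample tree is constructed inside the script.

```python
"""find_ddos-style fingerprint scan (added example; not the find_ddos code)."""
import os
import re
import tempfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1                  # e_ident[EI_CLASS] == 1 marks a 32-bit ELF object

# Constructed placeholder fingerprints: name -> (marker strings, how many must be present)
FINGERPRINTS = {
    "stacheldraht-like": ({"sicken", "skillz", "ficken", "spoofworks"}, 2),
}
SUSPECT_NAMES = {".sr", "...", "mservers"}   # encrypted IP-list file names named on the page

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")                    # strings(1) default: 4+ printable bytes
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def is_elf32(data: bytes) -> bool:
    return len(data) > 4 and data[:4] == ELF_MAGIC and data[4] == ELFCLASS32


def printable_strings(data: bytes) -> set:
    return {m.decode("ascii") for m in STRING_RE.findall(data)}


def embedded_ips(data: bytes) -> list:
    """Dotted quads with every octet <= 255, de-duplicated and sorted."""
    return sorted({m.decode() for m in IPV4_RE.findall(data)
                   if all(int(o) <= 255 for o in m.split(b"."))})


def fingerprint(data: bytes):
    """Name of the first fingerprint whose marker threshold the file meets, else None."""
    strings = printable_strings(data)
    for name, (markers, needed) in FINGERPRINTS.items():
        if len(markers & strings) >= needed:
            return name
    return None


def scan_tree(root: str) -> list:
    """Return (path, label, ips) triples for suspicious files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn in SUSPECT_NAMES:
                hits.append((path, "suspect-filename", []))
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                      # unreadable file: skip it, keep scanning
            if not is_elf32(data):
                continue                      # text, scripts and 64-bit objects are out of scope
            label = fingerprint(data)
            if label:
                hits.append((path, label, embedded_ips(data)))
    return hits


def demo() -> dict:
    """Scan a constructed sample tree; returns {relative path: (label, ips)}."""
    with tempfile.TemporaryDirectory() as root:
        elf32_header = ELF_MAGIC + bytes([ELFCLASS32]) + b"\x01\x01" + b"\x00" * 9
        samples = {
            # constructed suspect binary: ELF32 header, two marker strings and an embedded IP
            "td": elf32_header + b"\x00sicken\x00skillz\x00192.0.2.10\x00",
            # benign 32-bit ELF carrying no markers
            "hello": elf32_header + b"\x00Hello, world\x00",
            # a text file with the same words must not match: it is not an ELF object
            "notes.txt": b"sicken skillz ficken",
            # list-file name the page says the tool looks for
            "tmp/.sr": b"\x00" * 16,
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return {os.path.relpath(p, root): (label, ips) for p, label, ips in scan_tree(root)}


if __name__ == "__main__":
    for rel, (label, ips) in sorted(demo().items()):
        print(f"{rel}: {label} {ips}")
```

Matching on strings alone is deliberately loose, which is why a threshold of several markers is required per fingerprint; a real deployment would add the symbol-table comparison the page describes and copy matching files aside for analysis.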

SARA

SARA (Security Auditor's Research Assistant), a derivative of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the HTTP protocol (e.g. Mosaic, Netscape).

primary_target(s) can specify a:

  • host (e.g., www.microsoft.com)

  • range (e.g., 192.168.0.12-192.168.0.223)

  • subnet (e.g., 192.168.0.0/23)

When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface. When primary_target(s) are specified on the command line, SARA collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network. SARA can generate reports of hosts by type, service, vulnerability and by trust relationship.
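A parser for the three primary_target forms listed above, added here as an example and not SARA's own code. It expands each form to the concrete addresses a scanner would probe, refuses reversed or malformed input, and caps the expansion so that a mistyped prefix cannot turn into millions of targets; the 65536-address cap and the en dash handling are this example's assumptions, not SARA's rules.

```python
"""Expand SARA-style primary_target specifications (added example; not SARA's code)."""
import ipaddress
import re

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*$")
DEFAULT_MAX = 65536   # assumption: refuse anything larger than a /16 unless the caller raises it


def expand_target(spec: str, max_hosts: int = DEFAULT_MAX) -> list:
    """Return the list of addresses (or the single host name) a spec denotes."""
    spec = spec.strip().replace("\u2013", "-")      # accept the en dash some editors insert
    if "/" in spec:                                 # subnet, e.g. 192.168.0.0/23
        net = ipaddress.ip_network(spec, strict=False)
        if net.num_addresses > max_hosts:
            raise ValueError(f"{spec}: {net.num_addresses} addresses exceed the limit of {max_hosts}")
        return [str(a) for a in net]                # every address: SARA probes each host in the network
    if spec and spec[0].isdigit() and "-" in spec:  # range, e.g. 192.168.0.12-192.168.0.223
        lo_s, hi_s = (part.strip() for part in spec.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if hi < lo:
            raise ValueError(f"{spec}: range end precedes range start")
        count = int(hi) - int(lo) + 1
        if count > max_hosts:
            raise ValueError(f"{spec}: {count} addresses exceed the limit of {max_hosts}")
        return [str(ipaddress.ip_address(int(lo) + i)) for i in range(count)]
    try:
        return [str(ipaddress.ip_address(spec))]    # a single address
    except ValueError:
        pass
    if HOSTNAME_RE.match(spec):                     # a host name; resolution is left to the scanner
        return [spec.lower()]
    raise ValueError(f"{spec}: not a host, range or subnet")


def expand_targets(specs, max_hosts: int = DEFAULT_MAX) -> list:
    """Expand several specs, de-duplicating while keeping first-seen order."""
    seen, out = set(), []
    for spec in specs:
        for target in expand_target(spec, max_hosts):
            if target not in seen:
                seen.add(target)
                out.append(target)
    return out


def rejects(spec: str) -> bool:
    """True when the spec is refused; exposes the error paths to callers and tests."""
    try:
        expand_target(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for s in ("www.microsoft.com", "192.168.0.12-192.168.0.223", "192.168.0.0/23"):
        print(s, "->", len(expand_target(s)), "target(s)")
```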

---

DDoSPing

This is a tool that explores another system and looks for vulnerabilities. DDoSPing is a remote network scanner for the most common DDoS programs. It can detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings, although configuration of each program type is possible from the tool's configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controllable rate to a user-defined range of addresses.

---

RID

RID (remote intrusion detector) is a tool programmed in C that is a highly configurable packet snooper and generator. It works by sending out packets defined in the config.txt file, then listening for appropriate replies.

RID can detect any remote software that elicits a predefined response to a given set of packets. Examples are:

  • The Trinoo distributed denial of service attack client.

  • The Tribal flood network distributed denial of service attack client.

  • The StachelDraht distributed denial of service attack client.

This list is not exhaustive: the tool is highly configurable to suit specific needs. RID is not a vulnerability assessment tool. It is also not a network intrusion detection system, in the sense that it does not run continually to monitor your network.

Example (sample config file):

  start AgentStacheldraht
      send icmp type=0 id=668 data=""
      recv icmp type=0 id=669 data="sicken" nmatch=2
  end AgentStacheldraht

---

Zombie Zapper
Zombie Zapper works against Trinoo, TFN, Stacheldraht, Troj_Trinoo (the Windows port of Trinoo), and Shaft. Assuming that the default passwords have not been changed, the user can simply send the same commands that an attacker would use to stop the flood. On Trinoo and Troj_Trinoo this stops the daemon entirely (although Trinoo is typically set to be restarted by cron, and Troj_Trinoo will restart after the zombie Windows computer is rebooted); on TFN, Stacheldraht, and Shaft only the flooding stops. This has the advantage of telling the daemon to stop flooding without stopping the daemon, allowing a little more time for tracking down where the daemons are and, more importantly, how they got there in the first place. All of this depends on the default passwords still being in place.


Common IDS Systems

Shareware:

  1. Snort

  2. Shadow

  3. Courtney

Commercial:

  1. ISS RealSecure

  2. Axent NetProwler

  3. Cisco Secure IDS (NetRanger)

  4. Network Flight Recorder

  5. Network Security Wizard's Dragon

An Intrusion Detection System (IDS) is a defense system that detects hostile activities in a network. The aim is to detect, and possibly prevent, activities that may compromise system security, or a hacking attempt in progress, including the reconnaissance and data collection phases that involve, for example, port scans.

One key feature of intrusion detection systems is their ability to provide a view of unusual activity, issue alerts notifying administrators, and/or block a suspected connection. In addition, IDS tools are capable of distinguishing between insider attacks (originating from the organization's own employees or customers) and external ones (attacks and the threat posed by hackers).

Once an intrusion has been detected, the IDS issues alerts notifying administrators of the fact. The next step is undertaken either by the administrators or by the IDS itself, using additional countermeasures (specific block functions to terminate sessions, backup systems, routing connections to a system trap, legal infrastructure, etc.) in line with the organization's security policy.

There are two kinds of DDoS-generated traffic: control traffic (between the DDoS client and servers) and flood traffic (between the DDoS servers and the DDoS victim).

Anomaly 0: This is not real DDoS traffic, but it can be a viable method of determining the origin of DDoS attacks. As observed by RFP, an attacker will have to resolve his victim's hostname before a DDoS attack. BIND name servers are capable of recording these requests: you can either send the server a WINCH signal with 'kill' or specify query logging in the BIND configuration. A single PTR-type query before an attack indicates the request was made from the attacker's host; a great load of PTR-type queries for a DDoS victim before an attack indicates that the flood servers have been fed a host name and each server was resolving the hostname for itself.

Anomaly 1: The amount of bandwidth exceeds the maximum threshold that normal traffic for the site is expected to generate. Alternatively, the threshold can be measured per address in the traffic. These are clear signs of flood traffic, and ACL rules can be implemented on the backbone routers to detect these signs and filter the traffic.

Anomaly 2: Oversized ICMP and UDP packets. Stateful UDP sessions normally use small UDP packets, with a payload of not more than 10 bytes. Normal ICMP messages don't exceed 64 to 128 bytes. Packets that are considerably bigger are suspected of containing control traffic, mostly the encrypted target(s) and other options for the DDoS server. Once (non-decoy) control traffic is spotted, the location of one of the DDoS servers is revealed, as the destination IP address is not spoofed in control traffic.

Anomaly 3: TCP packets (and UDP packets) that are not part of a connection. The stealthiest DDoS tools use random protocols, including connection-oriented protocols, to send data over non-connection-oriented channels. Stateful firewalls or link-state routing can discover these packets. Additionally, packets that indicate connection requests to destination ports above 1024, on which no known service is registered and running, are highly suspicious.

Anomaly 4: Packet payload contains ONLY alphanumeric characters (e.g. no spaces, punctuation or control characters). This can be a sign that the packet payload is BASE64-encoded and therefore contains only base64 characters. TFN2K sends such packets in its control traffic. A TFN2K (and TFN2K derivative) specific pattern is a string of repeating A's (AAAA...) in the payload, since the buffer size is padded by the encryption routine. If BASE64 encoding is not used and the payload contains binary encrypted traffic, the A's will instead be trailing binary \0's.

Anomaly 5: Packet payload contains ONLY binary, high-bit characters. While this can be a binary file transfer (traffic on ports 20, 21, 80, etc. must be excluded if this rule is applied), especially when contained in packets that are not part of valid stateful traffic, it is suspected of being non-base64-encoded but encrypted control traffic transmitted in the packet payload.
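The payload rules of anomalies 2, 4 and 5, as an added example that is not code from any tool named on this page: it parses raw IPv4/ICMP/UDP/TCP packets and labels each one. The size thresholds and the excluded bulk ports are the page's figures; MIN_PAYLOAD and PAD_RUN are this example's assumptions, and the packets are constructed inside the script. Note the small-dns-query sample: the page's 10-byte UDP limit flags an ordinary DNS query, so that threshold has to be tuned to the network before the rule goes into an IDS.

```python
"""Anomaly 2/4/5 payload heuristics over constructed packets (added example)."""
import struct

ICMP_MAX_BYTES = 128       # page: normal ICMP messages don't exceed 64 to 128 bytes
UDP_PAYLOAD_MAX = 10       # page: stateful UDP sessions carry payloads of at most 10 bytes
BULK_PORTS = {20, 21, 80}  # page: exclude file-transfer ports from the high-bit rule
MIN_PAYLOAD = 16           # assumption: tiny payloads such as "OK" must not trip rule 4
PAD_RUN = 8                # assumption: this many trailing A's or NULs counts as padding
BASE64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 header parse: protocol, total length, addresses and layer-4 bytes."""
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "total_len": total_len, "l4": pkt[ihl:total_len],
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def classify(pkt: bytes) -> list:
    """Return the anomaly labels that apply to one packet (empty list: nothing odd)."""
    ip = parse_ipv4(pkt)
    l4, findings = ip["l4"], []
    sport = dport = None
    if ip["proto"] == IPPROTO_ICMP:
        payload = l4[8:]
        if ip["total_len"] > ICMP_MAX_BYTES:
            findings.append("anomaly2:oversized-icmp")
    elif ip["proto"] == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
        if len(payload) > UDP_PAYLOAD_MAX:
            findings.append("anomaly2:oversized-udp")
    elif ip["proto"] == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]          # data offset is the high nibble of byte 12
    else:
        return findings
    if len(payload) >= MIN_PAYLOAD:
        if all(b in BASE64_ALPHABET for b in payload):
            findings.append("anomaly4:base64-only-payload")
            if payload.endswith(b"A" * PAD_RUN):
                findings.append("anomaly4:tfn2k-style-A-padding")
        else:
            if payload.endswith(b"\x00" * PAD_RUN):
                findings.append("anomaly4:trailing-nul-padding")
            if not ({sport, dport} & BULK_PORTS) and all(b >= 0x80 for b in payload):
                findings.append("anomaly5:high-bit-only-payload")
    return findings


# --- constructed packets (no checksums, no options) for offline use ---------------
def build_ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + l4


def build_icmp(itype: int, ident: int, seq: int, data: bytes) -> bytes:
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + data


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport: int, dport: int, data: bytes, flags: int = 0x18) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + data


A, B = "192.0.2.10", "198.51.100.20"
HIGH_BIT = bytes(range(0x80, 0x98))                     # 24 bytes, all with the high bit set
SAMPLE_PACKETS = {
    "ping-reply":      build_ipv4(IPPROTO_ICMP, A, B, build_icmp(0, 0x1234, 1, bytes(range(56)))),
    "big-icmp-base64": build_ipv4(IPPROTO_ICMP, A, B, build_icmp(0, 0x1234, 0, b"Zm9v" * 40 + b"A" * 16)),
    "small-dns-query": build_ipv4(IPPROTO_UDP, A, B, build_udp(53123, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    "udp-high-bit":    build_ipv4(IPPROTO_UDP, A, B, build_udp(40000, 31337, HIGH_BIT)),
    "ftp-data-binary": build_ipv4(IPPROTO_TCP, A, B, build_tcp(20, 40001, HIGH_BIT)),
    "tcp-high-bit":    build_ipv4(IPPROTO_TCP, A, B, build_tcp(40002, 31337, HIGH_BIT)),
    "icmp-nul-padded": build_ipv4(IPPROTO_ICMP, A, B, build_icmp(0, 7, 0, b"\x8a\x11\x3f\x90\x07\x55\xee\x21" + b"\x00" * 24)),
}


def classify_samples() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, labels in classify_samples().items():
        print(f"{name:16s} {labels or 'clean'}")
```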


Preventing the DDoS

  • Keep the network secure

  • Install IDS (Intrusion Detection System)

  • Use scanning tools

  • Run zombie tools

IDS pattern-matching technologies have a database of signatures. When the IDS finds packets that match a given pattern, it sets off an alarm.

Important things to do as a current or potential victim of packet-flooding Denial of Service attacks are given below:

The bandwidth used in DDoS attacks is important; therefore there should be proper coordination with the ISP, and between the ISP and its upstream providers. To prevent SYN flooding attacks, set up the TCP intercept feature; details can be found at http://www.cisco.com. Block the UDP and ICMP messages that are not required by the network: in particular, permitting outgoing ICMP unreachable messages could multiply the impact of a packet-flooding attack. Deny all traffic that is not explicitly needed for the servers you run. Adopt multi-homing as a best practice.

If attacked, start countermeasures as soon as possible. The response should be to determine the origins of spoofed DoS attacks, and this should be done quickly, as the router entries that allow traffic backtracking expire shortly after the flood is halted. Stay updated: check exploit databases, for example at securityfocus.com or packetstorm.com, to make sure that the versions of server software in use are not known to be vulnerable. Learn enough about how the system and server software operate, and review the configuration and the security measures applied frequently. Set up a system that generates cryptographic signatures of all binary and other trusted system files, and compare those files against the signatures periodically. Storing the actual checksums on a different machine or on removable media, to which a remote attacker cannot have access, is strongly recommended. If you detect an attack emerging from your networks or hosts, or if you are contacted because of one, you must immediately shut down the systems involved, or at least disconnect them from any network. If such attacks are being run from your hosts, it means that the attacker has almost full control of the machines. They should be analyzed and then reinstalled.


Preventing DoS Attacks

You could do the following things to minimize the DoS attack:

  1. Effective robust design

  2. Bandwidth limitations

  3. Keep systems patched

  4. Run the least amount of services

  5. Allow only necessary traffic

  6. Block IP addresses

Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a DoS attack entirely.

DoS and DDoS attacks, in combination with malicious code implantation, are easy to launch but difficult to stop completely. Given the nature of TCP/IP and programming issues that are often overlooked, the current Internet is still vulnerable to various forms of DoS and DDoS attacks. As with many other security issues, there is no "silver bullet" solution.

  • Timely application of patches and system updates, especially to potentially exposed machines. For example, update and maintain a current build of BIND on DNS servers.

  • Deployment of only strictly necessary network services

  • Intrusion detection systems

  • Firewalls

  • Anti-virus software

  • Good password policies

  • Use of Tripwire or other similar tools to detect changes in configuration information or other important files

  • Paying heed to "Top 20" vulnerability lists provided by the information security community and evaluating these risks against one's environment

  • Establishment and maintenance of regular backup schedules and policies

  • As a network is only as secure as its weakest link, protection of mobile and remote machines with personal firewall/intrusion detection software
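The checksum baseline recommended earlier for trusted system files, and the Tripwire-style change detection in the list above, as an added example that is neither Tripwire's code nor any tool from this page. It records the SHA-256 digest, size and permission bits of every regular file under a root, writes that baseline as plain JSON so it can be kept on removable media or another host as the page advises, and on verification reports what was modified, added, removed or re-permissioned; the sample tree and the tampering are constructed inside the script.

```python
"""Checksum baseline for trusted files (added example; not Tripwire or any page tool)."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map of relative path -> {sha256, size, mode} for every regular file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                       # symlinks, sockets and devices are not hashed here
            files[os.path.relpath(path, root)] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return {"root": os.path.abspath(root), "files": files}


def verify_baseline(root: str, baseline: dict) -> dict:
    """Compare the tree under root with a saved baseline; a file can be both modified and re-permissioned."""
    before, after = baseline["files"], build_baseline(root)["files"]
    report = {"modified": [], "added": [], "removed": [], "mode_changed": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            report["removed"].append(rel)
        elif rel not in before:
            report["added"].append(rel)
        else:
            if before[rel]["sha256"] != after[rel]["sha256"]:
                report["modified"].append(rel)
            if before[rel]["mode"] != after[rel]["mode"]:
                report["mode_changed"].append(rel)
    return report


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return the verification report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as media:
        def put(rel: str, data: bytes, mode: int = 0o644) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        put("bin/ls", b"constructed ls binary v1")
        put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o600)
        put("etc/hosts", b"127.0.0.1 localhost\n")
        store = os.path.join(media, "baseline.json")          # stands in for removable media
        save_baseline(build_baseline(root), store)
        # simulated tampering after the baseline was taken
        put("bin/ls", b"constructed ls binary, replaced")      # contents changed, mode unchanged
        put("bin/td", b"constructed dropped binary")           # new file appears
        os.remove(os.path.join(root, "etc", "hosts"))          # file disappears
        os.chmod(os.path.join(root, "etc", "passwd"), 0o644)   # permissions loosened
        return verify_baseline(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a clean boot medium where possible: if the host's own hashing binaries are replaced, a baseline check run on the compromised host can be made to lie.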

Mitigating DoS or DDoS attacks requires good network design, so that the point of entry or gateway can be controlled. To mitigate new attacks, it is essential to have filtering capability based on packet header and content within the network or at the critical gateways, in order to filter malicious traffic in response to such attacks while waiting for a permanent fix from suppliers to be applied to the devices. Applying all known patches and fixes to all devices in the network to prevent known attacks is necessary. Finally, it is important to have the relevant provisions in policy and legislation addressing DoS and DDoS, to ensure effective cooperation between service providers and law enforcement agencies.


Tribe Flood Network: Tools Trinoo, TFN2K & Stacheldraht

TFN
  • Could be thought of as 'son of trinoo'

  • Improved on some of the weaknesses of trinoo by adding different types of attacks that could be mounted against the victim site.

  • Structured like trinoo with attackers, clients (masters) and daemons.

  • Initial system compromise allows the TFN programs to be installed.

Tribe Flood Network, like trinoo, uses a master program to communicate with attack agents located across multiple networks. TFN launches coordinated Denial of Service Attacks that are especially difficult to counter as it can generate multiple types of attacks and it can generate packets with spoofed source IP addresses. Some of the attacks that can be launched by TFN include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast. The basic characteristics of and suggested defense strategies against the TFN DDoS attack follow.

  • To initiate TFN, the attacker accesses the master program and sends it the IP address of one or more targets. The master program proceeds to communicate with all of the agent programs, instructing them to initiate the attack.

    • Communications between TFN master programs and agent programs use ICMP echo reply packets, where the actual instruction to be carried out is embedded in the 16-bit ID field in binary format. The use of ICMP (Internet Control Message Protocol) makes packet protocol filtering possible.

      • TFN agents can be defeated by configuring your router or intrusion detection system to disallow all ICMP echo and echo reply packets onto your network. However, this will break all internet programs (such as "ping") that utilize these functions.

    • The TFN master program reads a list of IP addresses containing the locations of the agent programs. This list of addresses may be encrypted, using "Blowfish" encryption.

      • If it is not encrypted, then the agents can be identified from the list.

    • The TFN agent programs have been found on systems with the filename td and the master programs with the name tfn. They can be positively identified by running the UNIX strings command.

      • TFN agents do not check where the ICMP echo reply packets come from. Therefore, it is possible to forge ICMP packets to flush out these processes.

TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks, as well as providing an "on demand" root shell bound to a TCP port. The TFN network is made up of a tribe client program ("tribe.c") and the tribe daemon ("td.c"). The attacker(s) control one or more clients, each of which can control many daemons. The daemons are all instructed to coordinate a packet based attack against one or more victim systems by the client. Remote control of a TFN network is accomplished via command line execution of the client program, which can be accomplished using any of a number of connection methods (e.g., remote shell bound to a TCP port, UDP based client/server remote shells, ICMP based client/server shells such as LOKI, SSH terminal sessions, or normal "telnet" TCP terminal sessions.)

No password is required to run the client, although it is necessary to have the list of daemons at hand in an "iplist" file. Communication from the TFN client to daemons is accomplished via ICMP_ECHOREPLY packets. There is no TCP or UDP based communication between the client and daemons at all.

While the client is not password protected, per se, each "command" to the daemons is sent in the form of a 16 bit binary number in the id field of an ICMP_ECHOREPLY packet. (The sequence number is a constant 0x0000, which would make it look like the response to the initial packet sent out by the "ping" command.)

The values of these numbers, as well as macros that change the name of the running process as seen by ps(1), are defined in the file "config.h". As with trinoo, the method used to install the client/daemon is the same as for installing any program on a UNIX system, with all the standard options for concealing the programs and files.

Both the client and the daemon must be run as root, as they both open an AF_INET socket in SOCK_RAW mode. The client program requires the iplist to be available. Recent installations of TFN daemons have included strings indicating that the author is adding (or has added) Blowfish encryption of the iplist file. This will make the task of determining the daemons much harder.

Detecting trinoo/TFN related attacks: Several conventional attacks are known to be related to trinoo/TFN compromises. Machines that are compromised using the following list of attacks should be checked for trinoo/TFN daemons:

  • rpc.ttdbserver

  • amd

  • rpc.cmsd

  • rpc.mountd

  • rpc.statd

Hacking Tool: TFN2K

http://packetstorm.security.com/distributed

  • TFN2K is a DDOS program which runs in distributed mode. There are two parts to the program: client and server.

  • The server (also known as zombies) runs on a machine in listening mode and waits for commands from the client.

    Running the server: # td

    Running the client: # tn -h 23.4.56.4 -c8 -i 56.3.4.5

This command starts an attack from 23.4.56.4 against the victim's computer 56.3.4.5.

The TFN2K distributed denial of service system consists of a client/server architecture.

The Client: The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded.

The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.

The Master Server: The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server has no default password; the password is chosen by the user at compile time.

Attack Methods

The Attack: The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.

TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port. TFN2K runs on Linux, Solaris, and Windows platforms.

Hacking Tool: Stacheldraht

  • Stacheldraht combines the features of TFN and Trinoo but adds an encryption layer between daemons.

  • Stacheldraht uses TCP and ICMP on the following ports:

    • Client to Handler: 16660 TCP

    • Handler to and from agents: 65000 ICMP

Stacheldraht consists of three parts: the master server, client, and agent programs.

The Client:

The client is used to connect to the master server on port 16660 or port 60001. Packet contents are Blowfish-encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

The Master Server: The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client.

The Agent: The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.

The Attack: Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.

Stacheldraht (German for "barbed wire") combines features of the "trinoo" distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents.

One of the weaknesses of TFN was that the attacker's connection to the master(s) that control the network was in clear-text form, and was subject to standard TCP attacks (session hijacking, RST sniping, etc.). Stacheldraht deals with this by adding an encrypting "telnet alike" (stacheldraht term) client. The attacker(s) control one or more handlers using encrypting clients. Each handler can control many agents (up to 1000 agents). The agents are all instructed by the handler to coordinate a packet-based attack against one or more victim systems.

Unlike trinoo, which uses UDP for communication between handlers and agents, or the original Tribe Flood Network, which uses ICMP for communication between the handler and agents, stacheldraht uses TCP and ICMP. Client to handler(s): 16660/tcp and Handler to/from agent(s): 65000/tcp, ICMP_ECHOREPLY. Remote control of a stacheldraht network is accomplished using a simple client that uses symmetric key encryption for communication between itself and the handler.

After connecting to the handler using the client program, the attacker is prompted for a password. This password (default "sicken") is a standard crypt() encrypted password, which is then Blowfish encrypted using the passphrase "authentication" before being sent over the network to the handler. One feature of stacheldraht not shared by trinoo or TFN is the ability to upgrade the agents on demand. This feature employs the Berkeley "rcp" command (514/tcp), using a stolen account at some site as a cache. On demand, all agents are instructed to delete the current program image, go out and get a new copy (either Linux- or Solaris-specific binary) from a site/account using "rcp", start running this new image with "nohup", and then exit.

When each agent starts up, it attempts to read a master server configuration file to learn which handler(s) may control it. This file is a list of IP addresses, encrypted using Blowfish, with a passphrase of "randomsucks". Failing to find a configuration file, there are one or more default handler IP addresses compiled into the program. Once the agent has determined a list of potential handlers, it then starts at the beginning of the list of handlers and sends an ICMP_ECHOREPLY packet with an ID field containing the value 666 and data field containing the string "skillz". If the master gets this packet, it sends back an ICMP_ECHOREPLY packet with an ID field containing the value 667 and data field containing the string "ficken".

In addition to finding an active handler, the agent performs a test to see if the network on which the agent is running allows packets to exit with forged source addresses. It does this by sending out an ICMP ECHO packet with a forged IP address of "3.3.3.3", an ID of 666, and the IP address of the agent system (obtained by getting the hostname, then resolving this to an IP address) in the data field of the ICMP packet.

If the master receives this packet, it replies to the IP address embedded in the packet with an ICMP_ECHOREPLY packet containing an ID of 1000 and the word "spoofworks" in the data field. If the agent receives this packet, it sets a spoof_level of zero (can spoof all 32 bits of IP address). If it times out before receiving a spoof reply packet, it sets a spoof_level of 3 (can only spoof the final octet).
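As an added example (not code from the post or from Stacheldraht itself), the following Python flags the agent/handler ICMP heartbeat described above on a captured ICMP message, using the ID values and data strings the text lists; the sample packets it checks are constructed in the block.

```python
# Added example (not code from the post or from Stacheldraht itself): flag the
# handler/agent ICMP "heartbeat" described above by its ID field (666, 667, 1000)
# and data string ("skillz", "ficken", "spoofworks"); the sample packets are
# constructed here with build_echo_reply().
import struct

# ICMP ID -> (direction as given in the text, expected leading data string)
SIGNATURES = {
    666: ("agent -> handler", b"skillz"),
    667: ("handler -> agent", b"ficken"),
    1000: ("handler -> agent spoof-test reply", b"spoofworks"),
}

def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (0 if already valid)."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_reply(icmp_id: int, seq: int, data: bytes) -> bytes:
    """Build an ICMP type 0 (echo reply) message; used only to construct samples."""
    header = struct.pack("!BBHHH", 0, 0, 0, icmp_id, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", 0, 0, csum, icmp_id, seq) + data

def classify_icmp(msg: bytes):
    """Return a description if msg is a Stacheldraht heartbeat, else None."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:   # truncated or corrupted capture
        return None
    icmp_type, _code, _csum, icmp_id, _seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type == 8 and icmp_id == 666:
        # Weaker indicator: the agent's spoof test is an echo *request* with ID 666
        # and its own address in the data field (any ping with ID 666 also matches).
        return "possible stacheldraht agent spoof test (echo request, id=666)"
    if icmp_type != 0:                             # the heartbeat rides on echo replies
        return None
    sig = SIGNATURES.get(icmp_id)
    if sig is None or not msg[8:].startswith(sig[1]):
        return None
    return f"stacheldraht {sig[0]} (id={icmp_id}, data={sig[1].decode()!r})"

def scan(packets):
    """Return (index, description) for every packet that matches."""
    hits = []
    for i, pkt in enumerate(packets):
        desc = classify_icmp(pkt)
        if desc:
            hits.append((i, desc))
    return hits

# Constructed samples: three heartbeat packets and one ordinary ping reply.
SAMPLE_PACKETS = [
    build_echo_reply(666, 0, b"skillz\x00"),
    build_echo_reply(667, 0, b"ficken\x00"),
    build_echo_reply(1000, 0, b"spoofworks\x00"),
    build_echo_reply(0x1234, 7, b"abcdefghijklmnop"),   # normal ping reply
]
```

Feed it the ICMP portion of captured packets (after the IP header); a hit on 666/"skillz" from an inside host is an agent looking for its handler.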

---Regards,
Amarjit Singh

Tools for running DDOS Attacks

The main tools for running DDOS attacks are:

  1. Trinoo

  2. TFN

  3. Stacheldraht

  4. Shaft

  5. TFN2K

  6. mstream

  • Trinoo

    • UDP packet flood attack

    • No source address forgery

    • Some bugs, but full control features

  • TFN

    • Some bugs, limited control features

    • UDP packet flood attack ("trinoo emulation")

    • TCP SYN flood attack

    • ICMP Echo flood attack

    • Smurf attack

    • Either randomizes all 32 bits of IP source address, or just the last 8 bits

  • TFN2K

    • Same attacks as TFN, but can randomly do them all at once

    • Encryption added to improve security of the DDoS network

    • Control traffic uses UDP/TCP/ICMP

    • Same source address forgery features as TFN

  • Stacheldraht/StacheldrahtV4

    • Some bugs, full control features

    • Same basic attacks as TFN

    • Same source address forgery features as TFN/TFN2K

  • Stacheldraht v2.666

    • Fewer bugs than original

    • Same basic attacks as Stacheldraht

    • Adds TCP ACK flood attack

    • Adds TCP NUL (no flags) flood attack

    • Adds Smurf attack with pre-compiled list of 16,702 amplifiers

    • Same source address forgery features as stacheldraht/TFN/TFN2K

  • shaft

    • Some bugs, but full control features

    • Adds statistics

    • UDP flood attack

    • TCP SYN flood attack

    • ICMP flood attack

    • Randomize all three attacks

  • mstream

    • Many bugs, with very limited control features

    • TCP ACK flood (very efficient)

    • Randomizes all 32 bits of IP address


DDOS - Attack Sequence

  • All of the DDOS tools follow this sequence.

  • Mass-intrusion Phase - automated tools identify potential systems with weaknesses; then root compromise them and install the DDOS software on them. These are the primary victims.

  • DDOS Attack Phase - The compromised systems are used to run massive DOS against a victim site.

There is an initial mass-intrusion phase, in which automated tools are used to remotely root compromise large numbers of systems (several hundred to several thousand) and the distributed denial of service agents are installed on these compromised systems. These are the primary victims (of system compromise). None of these distributed denial of service tools has any features that facilitate compromising systems, and the groups who wrote them hold those automated intrusion tools closely.

The mass-intrusion phase is followed by the actual denial of service attack phase, in which these compromised systems which constitute the handlers and agents of the distributed attack network are used to wage massive denial of service attacks against one or more sites. These are secondary victims (of denial of service).

Trinoo
  • Trinoo (TrinOO) was the first DDOS tool to be discovered.

  • Found in the wild (binary form) on Solaris 2.x systems compromised by a buffer overrun bug in RPC services: statd, cmsd, ttdbserverd.

  • Trinoo daemons were UDP based, password protected remote command shells running on compromised systems.

DDOS Structure

  • The attacker controls one or more master servers by password protected remote command shells.

  • The master systems control multiple daemon systems. Trinoo calls the daemons "Beast" hosts.

  • Daemons fire packets at the target specified by the attacker.


A typical installation might go something like this.

A stolen account is set up as a repository for pre-compiled versions of scanning tools, attack (i.e. buffer overrun exploit) tools, root kits and sniffers, trinoo daemon and master programs, lists of vulnerable hosts and previously compromised hosts, etc. This would normally be a large system with many users, one with little administrative oversight, and on a high-bandwidth connection for rapid file transfer.

A scan is performed of large ranges of network blocks to identify potential targets. Targets would include systems running various services known to have remotely exploitable buffer overflow security bugs, such as wu-ftpd, RPC services for "cmsd", "statd", "ttdbserverd", "amd", etc. Operating systems being targeted appear to be primarily Sun Solaris 2.x and Linux (due to the ready availability of network sniffers and "root kits" for concealing back doors, etc.), but stolen accounts on any architecture can be used for caching tools and log files.

A list of vulnerable systems is then used to create a script that performs the exploit, sets up a command shell running under the root account that listens on a TCP port (commonly 1524/tcp, the "ingreslock" service port), and connects to this port to confirm the success of the exploit. In some cases, an electronic mail message is sent to an account at a free web based email service to confirm which systems have been compromised. The result is a list of "owned" systems ready for setting up back doors, sniffers, or the trinoo daemons or masters.

From this list of compromised systems, subsets with the desired architecture are chosen for the trinoo network. Pre-compiled binaries of the trinoo daemon are created and stored on a stolen account somewhere on the Internet.

A script is then run which takes this list of "owned" systems and produces yet another script to automate the installation process, running each installation in the background for maximum multitasking. Even more subtle ways of having trinoo daemons/masters lie in wait for execution at a given time are easy to envision (e.g., UDP or ICMP based client/server shells, such as LOKI, programs that wake up periodically and open a listening TCP or UDP port, etc.)

The result of this automation is the ability for attackers to set up the denial of service network, on widely dispersed systems whose true owners don't even know are out of their control, in a very short time frame.

Optionally, a "root kit" is installed on the system to hide the presence of programs, files, and network connections. This is more important on the master system, since these systems are key to the trinoo network. (It should be noted that in many cases, masters have been set up on Internet Service Providers' primary name server hosts, which would normally have extremely high packet traffic and large numbers of TCP and UDP connections, which would effectively hide any trinoo related traffic or activity, and would likely not be detected. The fact that these are primary name servers would also tend to make the owners less likely to take the system off the Internet when reports begin to come in about suspected denial of service related activity.)

Root kits would also be used on systems running sniffers that, along with programs like "hunt" (TCP/IP session hijacking tool) are used to burrow further into other networks directly, rather than through remote buffer overrun exploits (e.g., to find sites to set up new file repositories, etc.)

Hacking Tool: Trinoo
  • Trinoo is a DDOS attack tool. It uses the following ports:

    Attacker to master: 27665/tcp

    Master to daemon: 27444/udp

    Daemon to master: 31335/udp

  • Daemons reside on the systems that launch the attack, and masters control the daemon systems.

  • Since Trinoo uses TCP, it can be easily detected and disabled.


The trinoo distributed denial-of-service system consists of 3 parts:

The Client: The client is not part of the trinoo package. The telnet or Netcat program is used to connect to port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target. (The master and broadcast are described later in this section.)

The Master: The master is contained in the file master.c in the trinoo package. While running, it waits for UDP packets going to port 31335. These packets are registration packets from the "broadcast." It also waits for connections to TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master is run, it displays a "?" prompt, waiting for a password. The password is "gOrave".

The Broadcast (or Beast): The broadcast is the code in trinoo that performs the actual flooding. It is ns.c in the trinoo package. When the broadcast is compiled, the IP addresses of the masters that can control it are hardcoded into the program. When the broadcast starts, a UDP packet containing the data "*HELLO*" is sent to port 31335 of each master IP. This packet registers the broadcast with the master. An attacker can then connect to the master and use the daemons to send a UDP flood.

There are six commands that a client can send to the master to cause the master to communicate with the broadcast. A master sending commands to a broadcast sends a UDP packet to port 27444 of the broadcast. The default password between the master and the broadcast daemon is "l44adsl". These are the six commands the client sends to the master:

- mtimer:

Sets a timer to DoS a target. The master sends a "bbb" command to the broadcast. This packet looks like: "bbb l44adsl 300" when observed on the network.

- dos:

Performs a Denial of Service attack on a machine. The attack used is explained below. The dos command sends an "aaa" command to the broadcast. This packet looks like: "aaa l44adsl 10.1.1.1" when observed on the network.

- mdie:

Kills all broadcasts. An attacker cannot use this command when connected to the master unless an additional password is known (the password is unknown as of this writing), but an attacker can send their own UDP packet with the master-broadcast password ("l44adsl") to kill each of the broadcasts. The master then sends a "d1e" command to the broadcast daemon. This packet looks like: "d1e l44adsl" when observed on the network.

- mping:

Pings all broadcasts. The master sends a "png" command to each broadcast, and the broadcast returns with a "PONG" packet sent to UDP port 31335 of the master. When this packet is transmitted from the master to the broadcast daemon, it looks like: "png l44adsl".

- mdos:

This command performs a Denial of Service attack on a list of machines. The master sends a "xyz" command to each broadcast. The packet looks like "xyz l44adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:".

- msize:

This command sets the size of the UDP packets to use when performing a Denial of Service attack on a target. It is undocumented in the master's online help system. The master sends a "rsz" command to the broadcast daemon, and the packet looks like "rsz l44adsl 300".

The DoS attack that trinoo broadcasts use is a UDP flood. Trinoo sends a large number of UDP packets containing 4 data bytes (all zeros) and coming from one source port to random destination ports on the target host. The target host returns ICMP Port Unreachable messages. The target host slows down because it is busy processing the UDP packets, and at this point, there will be little or no network bandwidth left.

There is no reliable way to tell the difference between a trinoo flood and a UDP port scan, because it is not possible to determine if someone is monitoring the ICMP messages.
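While the flood itself is hard to tell from a port scan, the master/daemon control traffic described above is distinctive. As an added example (not code from the post or from the trinoo package), this Python classifies UDP datagrams by the ports, wire commands and default password quoted in the text; the sample datagrams it checks are constructed in the block.

```python
# Added example (not code from the post or the trinoo package): classify UDP
# datagrams as trinoo control traffic using the ports, wire commands and default
# password quoted in the text. The sample datagrams at the bottom are constructed.
import re
from dataclasses import dataclass, field
from typing import Optional

MASTER_TO_DAEMON_PORT = 27444   # UDP: master -> daemon commands
DAEMON_TO_MASTER_PORT = 31335   # UDP: daemon -> master registration / PONG
DEFAULT_DAEMON_PASSWORD = "l44adsl"
# Wire command -> client command that produces it, as listed in the text.
DAEMON_COMMANDS = {"aaa": "dos", "bbb": "mtimer", "d1e": "mdie",
                   "png": "mping", "xyz": "mdos", "rsz": "msize"}
CMD_RE = re.compile(r"^([a-z0-9]{3}) (\S+)(?: (.*))?$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class Finding:
    kind: str                                  # e.g. "trinoo master command aaa (dos)"
    default_password: Optional[bool] = None    # None for daemon -> master traffic
    targets: list = field(default_factory=list)

def classify_udp(dst_port: int, payload: bytes) -> Optional[Finding]:
    """Return a Finding if the datagram looks like trinoo control traffic, else None."""
    text = payload.rstrip(b"\x00").decode("ascii", errors="replace")
    if dst_port == DAEMON_TO_MASTER_PORT:
        if text == "*HELLO*":
            return Finding("trinoo daemon registration (*HELLO*)")
        if text == "PONG":
            return Finding("trinoo daemon PONG reply")
        return None
    if dst_port != MASTER_TO_DAEMON_PORT:
        return None
    m = CMD_RE.match(text)
    if not m or m.group(1) not in DAEMON_COMMANDS:
        return None
    cmd, password, args = m.groups()
    # aaa carries one target; xyz carries a colon-separated list such as
    # "123:10.1.1.1:10.1.1.2:10.1.1.3:", so keep only fields that are IPv4 addresses.
    targets = [f for f in (args or "").split(":") if IPV4_RE.match(f)]
    # The daemon password is fixed at compile time, so trinoo-shaped traffic with a
    # different password is still worth reporting; record which case was seen.
    return Finding(f"trinoo master command {cmd} ({DAEMON_COMMANDS[cmd]})",
                   password == DEFAULT_DAEMON_PASSWORD, targets)

def scan(datagrams):
    """datagrams: iterable of (dst_port, payload) pairs; returns findings in order."""
    return [f for f in (classify_udp(p, d) for p, d in datagrams) if f]

# Constructed samples modelled on the packet strings quoted in the text.
SAMPLE_DATAGRAMS = [
    (31335, b"*HELLO*"),
    (27444, b"bbb l44adsl 300"),
    (27444, b"aaa l44adsl 10.1.1.1"),
    (27444, b"xyz l44adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:"),
    (27444, b"png l44adsl"),
    (31335, b"PONG"),
    (27444, b"aaa changedpw 10.9.9.9"),   # daemon recompiled with another password
    (53, b"aaa l44adsl 10.1.1.1"),        # wrong port: not trinoo control traffic
]
```

A "*HELLO*" to 31335/udp leaving your network, or any "aaa"/"xyz" command arriving on 27444/udp, identifies the daemon host directly, which the flood traffic alone cannot.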

