Wednesday, March 17, 2010

Denial of Service attacks : Hacking Tool

                                               Hacking Tool: SSPing



  • SSPing is a DoS tool.

  • SSPing program sends the victim's computer a series of highly fragmented, oversized ICMP data packets.

  • The computer receiving the data packets lock when it tries to put the fragments together.

  • The result is a memory overflow which in turn causes the machine to stop responding.

  • Affects Win 95/NT and Mac OS
SSPING is a program that can freeze any computer connected to the Internet or on a network running Windows 95, Windows NT, and older versions of the Mac OS that are not behind a firewall that blocks ICMP (Internet Control Message Protocol) data packets. The SSPING program sends the victim's computer a series of highly fragmented, oversized ICMP data packets over the connection. The computer receiving the data packets locks when it tries to put the fragments together. Usually, the attacker only needs to send a few packets, locking the victim's computer instantaneously. When the victim restarts his or her computer, the connection with the attacker is lost and the attacker remains anonymous.
Jolt is a program, which effectively freezes some Windows 95 or Windows NT machines. It is based on old code, which freezes old SysV and Posix implementations. Jolt works by sending a series of spoofed & highly fragmented ICMP packets to the target, which then tries to reassemble the received fragments. As a result, of Jolt Windows 95/NT ceases to function altogether.
This will affect unpatched Windows 95, Memphis and Windows NT machines, which are not behind a firewall that blocks ICMP packets. This will also affect old MacOS machines, and it is possible it is also useful against old SysV/POSIX implementations.

Hacking Tool: Land Exploit


  • Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and source addresses are the same and port numbers are the same.

  • When an attacker wants to attack a machine using the land exploit, he sends a packet in which the source/destination ports are the same.

  • Most machines will crash or hang because they do not know how to handle it.

The Land Exploit Denial of Service attack works by sending a spoofed packet with the SYN flag - used in a "handshake" between a client and a host - set from a host to any port that is open and listening. If the packet is programmed to have the same destination and source IP address, when it is sent to a machine, via IP spoofing, the transmission can fool the machine into thinking it is sending itself a message, which, depending on the operating system, will crash the machine.
After receiving spoofed connection request (SYN) packets over TCP/IP, a computer running Windows 95 or Windows NT may begin to operate slowly. After about one minute, Windows returns to normal operation. Variations of this attack can cause any Windows PC to stop responding. (hang)
This behavior occurs due to "Land Attack." Land Attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packets to itself. Windows 95 and Windows NT operate slowly while the host computer tries to respond to itself.
Hacking Tool: Smurf


  • Smurf is a DoS attack involving forged ICMP packets sent to a broadcast address.

  • Attackers spoof the source address on ICMP echo requests and sending them to an IP broadcast address. This causes every machine on the broadcast network to receive the reply and respond back to the source address that was forged by the attacker.

    1. An attacker starts a forged ICMP packet-source address with broadcast as the destination.

    2. All the machines on the segment receives the broadcast and replies to the forged source address.

    3. This results in DoS due to high network traffic.
Smurf is a simple yet effective DDoS attack technique that takes advantage of the ICMP (Internet Control Message Protocol). ICMP is normally used on the internet for error handling and for passing control messages. One of its capabilities is to contact a host to see if it is "up" by sending an "echo request" packet. The common "ping" program uses this functionality. Smurf is installed on a computer using a stolen account, and then continuously "pings" one or more networks of computers using a forged source address. This causes all the computers to respond to a different computer than actually sent the packet. The forged source address, which is the actual target of the attack, is then overwhelmed by response traffic. The computer networks that respond to the forged ("spoofed") packet serve as unwitting accomplices to the attack.
The "smurf" attack, named after its exploit program, is one in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet.
The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf". There are two parties who are hurt by this attack... the intermediary (broadcast) devices--let's call them "amplifiers", and the spoofed address target, or the "victim". The victim is the target of a large amount of traffic that the amplifiers generate.
Let's look at a scenario to see the nature of this attack. Assume a co-location switched network with 250 hosts, and that the attacker has a T1. The attacker sends, say, a 234b/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site". These ping packets hit the bounce site's broadcast network of 250 hosts; each of them takes the packet and responds to it, creating 250 ping replies out-bound. If you multiply the bandwidth, 58.5 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets). The perpetrators of these attacks rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.
In the case of the smurf or fraggle attack, each host which supports this behavior on a broadcast LAN will happily reply with an ICMP or UDP (smurf or fraggle, respectively) echo-reply packet toward the spoofed source address, the victim. The amount of bandwidth and packets per second (pps) that can be generated by this attack is quite large. Many hosts cannot process this many packets per second; many hosts are connected to 10 Mbps Ethernet LANs where more traffic than wire speed is sent. Therefore, the ability to drop these packets at the network border, or even before it flows down the ingress pipes, is desired.

SYN Flood


  • SYN attack floods a targeted system with a series of SYN packets.

  • Each packet causes the targeted system to issue a SYN-ACK response, while the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.

  • SYN-ACKs are moved of the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake

  • Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

Concept
The connectionless TCP attack does not complete the three-way handshake initiated by the originator. Thus, often the packet is crafted with nonexistent (spoofed) source IP. For a connectionless TCP attack, it is more difficult to filter since the source address is not necessarily the original source IP of the packet. When the host fails to find the source IP, it will wait until it times out. The most effective way of stopping such attacks is by applying rate limit. Rate limit is a method of setting threshold to an acceptable number of packets to be processed by the computer.

Concept
One of the most common attacks that will appear on many Intruder Detection System alerts is TCP SYN flood alerts. TCP SYN flood attacks are instigated by crafting packets from spoofed or non-existent source address and generating a high number of half-open connections. Because each connection opened must be processed to its completion (to complete the handshake or eventual timeout), the system is pinned down to perform these tasks. This problem is inherent in any network or operating system running full-fledged TCP/IP design and something that is not easily rectified.

Countermeasure
Network Ingress filtering can also prevent their downstream networks from injecting packets with faked or "spoofed" addressed into the Internet. Although it may not stop the attack, it will make identifying the source host easier and terminate it immediately. RFC 2267 [1] provides more information on Ingress Filtering.
In the TCP/IP protocol, a three-way handshake takes place as a service is connected to. First in a SYN packet from the client, with which the service responses with a SYN-ACK. Finally, the client responds to the SYN-ACK and the conversation is considered started.
A SYN Flood attack is when the client does not response to the SYN-ACK, tying up the service until the service times out, and continues to send SYN packets. The source address of the client is forged to a non-existent host, and as long as the SYN packets are sent faster than the timeout rate of the TCP stack waiting for the time out, the resources of the service will be tied up.
This is a simplified version of what exactly happens. During a SYN flood attack, the attacker sends a large number of SYN packets alone, without the corresponding ACK packet response to the victim's SYN/ACK packets. The victim's connections table rapidly fills with incomplete connections, crowding out the legitimate traffic. Because the rate of attacking SYN packets usually far exceeds that of normal traffic, even when a table entry eventually is cleared out, another attacking SYN packet rather than a legitimate connection will fill it.
But because SYN packets are a necessary part of legitimate traffic, they cannot be filtered out altogether. Second, SYN packets are relatively small, so an attacker can send large numbers of packets using relatively low-bandwidth Internet connections. Finally, because the attacker does not need to receive any data from the victim, the attacker can place random source IP addresses in the attacking packets to camouflage the actual source of the attack, and make filtering all but impossible.
The basic purpose of a SYN flood is to use up all new network connections at a site and thus prevent legal users from being able to connect. TCP connections are made by first sending a request to connect with an ID in it. The receiving connection sends out an acknowledgment saying it's ready and then the sending system is supposed to send an acknowledgment that the connection has been made. The SYN (Synchronize sequence Number) packet is the first of these and contains the ID the receiver is supposed to reply to. If a fake ID is in that packet then the receiving system never gets a connection acknowledgment. Eventually, the connection will time out and that incoming channel on the receiver will become available again for another request. A SYN flood sends so many such requests that all incoming connections be continuously tied up waiting for acknowledgments that never come. This makes the server generally unavailable to legal users (unless one happens to sneak in just at the moment one of the tied-up connections times out).

Hacking Tool: WinNuke


  • WinNuke works by sending a packet with "Out of band" data to port 139 of the target host. First off, port 139 is the NetBIOS port and does not accept packets unless the flag OOB is set in incoming packet.

  • The OOB stands for Out Of Band. When the victim's machine accepts this packet, it causes the computer to crash a blue screen.

  • Because the program accepting the packets does not know how to appropriately handle Out Of Band data, it crashes.
A "blue bomb" (also known as "WinNuke") is a technique for causing the Windows operating system of someone you are communicating with to crash or suddenly terminate. The "blue bomb" is actually an out-of-band network packet containing information that the operating system cannot process. This condition causes the operating system to "crash" or terminate prematurely. The operating system can usually be restarted without any permanent damage other than possible loss of unsaved data when you crashed.
The blue bomb derives its name from the effect it sometimes causes on the display as the operating system is terminating - a white-on-blue error screen that is commonly known as blue screen of death. Blue bombs are sometimes sent by multi-player game participants who are about to lose or users of Internet Relay Chat (IRC) who are making a final comment. This is known as "nuking" someone. A commonly used program for causing the blue bomb is WinNuke. Many Internet service providers are filtering out the packets so they do not reach users.
The WinNuke attack sends OOB (Out-of-Band) data to an IP address of a Windows machine connected to a network and/or Internet. Usually, the WinNuke program connects via port 139, but other ports are vulnerable if they are open. When a Windows machine receives the out-of-band data, it is unable to handle it and exhibits odd behavior, ranging from a lost Internet connection to a system crash (resulting in the infamous Blue Screen of Death).
WinNuke is practically an outdated attack. All the new Windows versions are immune to WinNuke.

Hacking Tool: Jolt2


  • Jolt2 enables users across different networks to send IP fragment-driven denial of service attacks against NT/2000 by making victim's machine utilize 100% of its CPU when it attempts to process the illegal packets.
    c: \> jolt2 1.2.3.4 -p 80 4.5.6.7 

  • The above command launches the attack from the attacker's machine with a spoofed IP address of 1.2.3.4 against the IP address 4.5.6.7

  • The victim's machine CPU resources reach 100% causing the machine to lock up.
Sending large numbers of identical fragmented IP packets to a Windows 2000 or NT4 host may cause the target to lock-up for the duration of the attack. The CPU utilization on the target goes to 100% for the duration of the attack. This causes both the UI and network interfaces to lock up.
Jolt2 enables users across different networks to send IP fragment-driven denial of service attacks against NT/2000 by making victim's machine utilize 100% of its CPU when it attempts to process the illegal packets.
Usage:
c: \> jolt2 1.2.3.4 -p 80 4.5.6.7 
The above command launches the attack from the attacker's machine with a spoofed IP address of 1.2.3.4 against the IP address 4.5.6.7
The victim's machine CPU resources reach 100% causing the machine to lock up.

Hacking Tool: Bubonic.c


  • Bubonic.c is a DOS exploit that can be run against Windows 2000 machines.

  • It works by randomly sending TCP packets with random settings with the goal of increasing the load of the machine, so that it eventually crashes.
    c: \> bubonic 12.23.23.2 10.0.0.1 100 
Bubonic.c is a denial of service program written against Windows 2000 machines and certain versions of Linux. It has been noted to work against certain versions of Linux. The denial of service works by randomly sending TCP packets with random settings, etc. This in turn brings the load up causing the box to crash with error code: STOP 0x00000041 (0x00001000, 0x00001279, 0x000042A, 0x00000001) MUST_SUCCEED_POOL_EMPTY
Hacking Tool: Targa


  • Targa is a program that can be used to run 8 different Denial Of Service attacks.

  • The attacker has the option to either launch individual attacks or to try all the attacks until it is successful.

  • Targa is a very powerful program and can do a lot of damage to a company's network.

Targa, written by a German hacker known as Mixter, combines several tools specifically devised to attack machines that run Microsoft Windows. The potency of these tools can be increased further by using them to attack a target machine from several compromised computers at once. However, this requires the attacker to log on to each computer in turn to initiate the attack.
Targa is a free software packet available in the Internet. Targa contains many of the most well known protocol or Operating System based DoS attacks. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Mainly, the Targa packet is intended to be used in Linux or BSD Unix computers. Target platforms can be any possible Operating System. However, the attacks do not have an impact on all Operating Systems.
The attacks that can be done with the Targa kit:

  • Jolt by Jeff W. Roberson (modified by Mixter for overdrop effect) - discussed separately

  • Land by m3lt - discussed separately

  • Winnuke by _eci - discussed separately

  • Nestea by humble and ttol - Nestea exploits the "off by one IP header" bug in the Linux IP packet fragmentation code. Nestea crashes Linux 2.0.33 and earlier and some Windows versions. A new and improved version of the Nestea Linux IP fragmentation is available

  • Syndrop by PineKoan - Syndrop is a mixture of teardrop and a TCP SYN flooding attack. Affected platforms are Linux and Windows 95/NT.

  • Teardrop by route|daemon9 - This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle be divided into fragments. The fragment packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.



  • This bug has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. However, though non-destructive, this bug could cause possible problems if you have unsaved data in an open application when you are attacked, causing you to lose the data. There are fixes against Teardrop.




  • Bonk by route |daemon9 & klepto - Bonk is based on teardrop.c. Bonk crashes Windows 95 and NT operating systems. Boink is an improved version of bonk.c. Boink allows UDP port ranges and can possibly crash a patched Windows 95/NT machine. NewTear is another variant of teardrop.c, which is slightly different from bonk.c. Mainly they do the same thing just in different ways. Small changes in the code may have significant changes in the results, as you can see below.




  • NewTear by route | daemon9 - NewTear is another variant of teardrop.c



  • 0 comments:

    Post a Comment