Hacking Tool: SSPing
- SSPing is a DoS tool.
- The SSPing program sends the victim's computer a series of highly fragmented, oversized ICMP data packets.
- The computer receiving the data packets locks up when it tries to put the fragments together.
- The result is a memory overflow, which in turn causes the machine to stop responding.
- Affects Windows 95/NT and Mac OS.
SSPING is a program that can freeze any computer connected to the Internet or to a network and running Windows 95, Windows NT, or an older version of the Mac OS, if it is not behind a firewall that blocks ICMP (Internet Control Message Protocol) data packets. The SSPING program sends the victim's computer a series of highly fragmented, oversized ICMP data packets over the connection. The computer receiving the data packets locks when it tries to put the fragments together. Usually, the attacker only needs to send a few packets, locking the victim's computer instantaneously. When the victim restarts his or her computer, the connection with the attacker is lost and the attacker remains anonymous.

Jolt is a program which effectively freezes some Windows 95 or Windows NT machines. It is based on old code which freezes old SysV and POSIX implementations. Jolt works by sending a series of spoofed and highly fragmented ICMP packets to the target, which then tries to reassemble the received fragments. As a result of Jolt, Windows 95/NT ceases to function altogether.

This will affect unpatched Windows 95, Memphis and Windows NT machines which are not behind a firewall that blocks ICMP packets. It will also affect old Mac OS machines, and it may also work against old SysV/POSIX implementations.
Hacking Tool: Land

- The Land exploit is a DoS attack in which a program sends a TCP SYN packet whose source and destination addresses are the same and whose source and destination port numbers are the same.
- When an attacker wants to attack a machine using the Land exploit, he sends a packet in which the source and destination ports are the same.
- Most machines will crash or hang because they do not know how to handle it.

The Land exploit Denial of Service attack works by sending a spoofed packet with the SYN flag (used in the "handshake" between a client and a host) set, from a host to any port that is open and listening. If the packet is crafted to have the same destination and source IP address, then when it is sent to a machine via IP spoofing, the transmission can fool the machine into thinking it is sending itself a message, which, depending on the operating system, will crash the machine.

After receiving spoofed connection request (SYN) packets over TCP/IP, a computer running Windows 95 or Windows NT may begin to operate slowly. After about one minute, Windows returns to normal operation. Variations of this attack can cause any Windows PC to stop responding (hang).

This behavior occurs due to the "Land attack". The Land attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packets to itself. Windows 95 and Windows NT operate slowly while the host computer tries to respond to itself.
Hacking Tool: Smurf

- Smurf is a DoS attack involving forged ICMP packets sent to a broadcast address.
- Attackers spoof the source address on ICMP echo requests and send them to an IP broadcast address. This causes every machine on the broadcast network to receive the request and send its reply to the source address that was forged by the attacker.
- An attacker sends a forged-source ICMP packet with a broadcast address as the destination.
- All the machines on the segment receive the broadcast and reply to the forged source address.
- This results in DoS due to high network traffic.

Smurf is a simple yet effective DDoS attack technique that takes advantage of ICMP (Internet Control Message Protocol). ICMP is normally used on the Internet for error handling and for passing control messages. One of its capabilities is to contact a host to see if it is "up" by sending an "echo request" packet. The common "ping" program uses this functionality. Smurf is installed on a computer using a stolen account, and then continuously "pings" one or more networks of computers using a forged source address. This causes all the computers to respond to a different computer than the one that actually sent the packet. The forged source address, which is the actual target of the attack, is then overwhelmed by response traffic. The computer networks that respond to the forged ("spoofed") packet serve as unwitting accomplices to the attack.

The "smurf" attack, named after its exploit program, is one in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP-broadcast-to-layer-2-broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each packet.

The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple rewrite of "smurf". There are two parties who are hurt by this attack: the intermediary (broadcast) devices, let's call them "amplifiers", and the spoofed-address target, or the "victim". The victim is the target of a large amount of traffic that the amplifiers generate.

Let's look at a scenario to see the nature of this attack. Assume a co-location switched network with 250 hosts, and that the attacker has a T1. The attacker sends, say, a 234 Kb/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site". These ping packets hit the bounce site's broadcast network of 250 hosts; each of them takes the packet and responds to it, creating 250 ping replies outbound. If you multiply the bandwidth, 58.5 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets). The perpetrators of these attacks rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.

In the case of the smurf or fraggle attack, each host which supports this behavior on a broadcast LAN will happily reply with an ICMP or UDP (smurf or fraggle, respectively) echo-reply packet toward the spoofed source address, the victim. The amount of bandwidth and packets per second (pps) that can be generated by this attack is quite large. Many hosts cannot process this many packets per second; many hosts are connected to 10 Mbps Ethernet LANs, where more traffic than wire speed is sent. Therefore, the ability to drop these packets at the network border, or even before they flow down the ingress pipes, is desired.
Hacking Tool: SYN Flood

- A SYN attack floods a targeted system with a series of SYN packets.
- Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses in what is known as a backlog queue.
- SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake.
- Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable to legitimate users.

Concept: The connectionless TCP attack does not complete the three-way handshake initiated by the originator. Thus, the packet is often crafted with a nonexistent (spoofed) source IP. A connectionless TCP attack is more difficult to filter, since the source address is not necessarily the original source IP of the packet. When the host fails to find the source IP, it will wait until it times out. The most effective way of stopping such attacks is by applying a rate limit. A rate limit is a method of setting a threshold for the acceptable number of packets to be processed by the computer.

Concept: One of the most common attacks that will appear on many Intrusion Detection System alerts is the TCP SYN flood alert. TCP SYN flood attacks are instigated by crafting packets from spoofed or non-existent source addresses and generating a high number of half-open connections. Because each connection opened must be processed to its completion (to complete the handshake or eventual timeout), the system is pinned down performing these tasks. This problem is inherent in any network or operating system running a full-fledged TCP/IP design, and it is not easily rectified.

Countermeasure: Network ingress filtering can also prevent downstream networks from injecting packets with faked or "spoofed" addresses into the Internet. Although it may not stop the attack, it will make identifying the source host easier so that it can be terminated immediately. RFC 2267 [1] provides more information on ingress filtering.

In the TCP/IP protocol, a three-way handshake takes place when a service is connected to. First comes a SYN packet from the client, to which the service responds with a SYN-ACK. Finally, the client responds to the SYN-ACK and the conversation is considered started.

A SYN flood attack is when the client does not respond to the SYN-ACK, tying up the service until the service times out, and continues to send SYN packets. The source address of the client is forged to a non-existent host, and as long as the SYN packets are sent faster than the timeout rate of the TCP stack waiting for the time out, the resources of the service will be tied up.

This is a simplified version of what exactly happens. During a SYN flood attack, the attacker sends a large number of SYN packets alone, without the corresponding ACK packet response to the victim's SYN/ACK packets. The victim's connection table rapidly fills with incomplete connections, crowding out the legitimate traffic. Because the rate of attacking SYN packets usually far exceeds that of normal traffic, even when a table entry eventually is cleared out, another attacking SYN packet rather than a legitimate connection will fill it.

First, because SYN packets are a necessary part of legitimate traffic, they cannot be filtered out altogether. Second, SYN packets are relatively small, so an attacker can send large numbers of packets using relatively low-bandwidth Internet connections. Finally, because the attacker does not need to receive any data from the victim, the attacker can place random source IP addresses in the attacking packets to camouflage the actual source of the attack, and make filtering all but impossible.

The basic purpose of a SYN flood is to use up all new network connections at a site and thus prevent legitimate users from being able to connect. TCP connections are made by first sending a request to connect with an ID in it. The receiving system sends out an acknowledgment saying it is ready, and then the sending system is supposed to send an acknowledgment that the connection has been made. The SYN (Synchronize Sequence Number) packet is the first of these and contains the ID the receiver is supposed to reply to. If a fake ID is in that packet, then the receiving system never gets a connection acknowledgment. Eventually, the connection will time out and that incoming channel on the receiver will become available again for another request. A SYN flood sends so many such requests that all incoming connections are continuously tied up waiting for acknowledgments that never come. This makes the server generally unavailable to legitimate users (unless one happens to sneak in just at the moment one of the tied-up connections times out).
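To make the backlog-queue mechanics described above concrete, here is an added Python model of a SYN backlog under flood conditions. It is an illustration written for these notes, not code from the original page or from any tool the page describes. It models the three behaviours the text names: an entry occupies a queue slot from SYN-ACK until the ACK arrives, the internal timer eventually clears stale entries, and a full queue ignores new SYNs. The per-source limit is the rate-limit countermeasure from the "Concept" paragraph. The queue capacity, timeout, source addresses and traffic pattern are all constructed values chosen to make the effect visible.

```python
"""Model of a TCP SYN backlog queue under a SYN flood, with the two countermeasures
the notes name: the half-open timeout and a per-source rate limit.

Added illustration, not code from the original notes or the tools they describe.
Queue sizes, timeouts, addresses and the traffic below are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class SynBacklog:
    capacity: int            # slots in the backlog queue (half-open connections)
    syn_timeout: float       # seconds a half-open entry lives before the timer clears it
    per_source_limit: int    # max half-open entries per source IP; 0 disables the limit
    pending: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry time
    dropped: int = 0         # SYNs ignored because the queue was full
    rate_limited: int = 0    # SYNs refused by the per-source threshold

    def _expire(self, now):
        # The internal timer: entries whose SYN-ACK was never ACKed leave the queue
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def on_syn(self, src, sport, now):
        """Handle an incoming SYN at time `now`; returns what the stack did with it."""
        self._expire(now)
        if self.per_source_limit and (
                sum(1 for s, _ in self.pending if s == src) >= self.per_source_limit):
            self.rate_limited += 1
            return "rate-limited"
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return "dropped"           # queue full: the system ignores the SYN
        self.pending[(src, sport)] = now + self.syn_timeout   # SYN-ACK sent, entry queued
        return "queued"

    def on_ack(self, src, sport, now):
        """Third handshake step: the ACK frees the slot. Returns True if a slot was freed."""
        self._expire(now)
        return self.pending.pop((src, sport), None) is not None


def simulate(capacity=16, syn_timeout=60.0, per_source_limit=0):
    """Constructed traffic: 40 SYNs from four spoofed sources that never ACK,
    one every 100 ms, then one legitimate client at t = 5 s.
    Returns (outcome for the legitimate client, the backlog object)."""
    backlog = SynBacklog(capacity, syn_timeout, per_source_limit)
    for i in range(40):
        backlog.on_syn(f"198.51.100.{i % 4}", 40000 + i, now=i * 0.1)
    outcome = backlog.on_syn("203.0.113.5", 51000, now=5.0)
    return outcome, backlog


if __name__ == "__main__":
    for kwargs in ({}, {"per_source_limit": 2}, {"syn_timeout": 1.0}):
        outcome, b = simulate(**kwargs)
        print(f"{kwargs or 'defaults'}: legitimate client {outcome}, "
              f"{len(b.pending)} half-open, {b.dropped} dropped, {b.rate_limited} rate-limited")
```

With the defaults the sixteen slots fill within two seconds and the legitimate client is dropped; with a per-source limit of two, each spoofed address holds only two slots and the client gets through; with a short timeout, stale entries expire before the queue ever fills. The model also shows why the limit helps less against a flood that spreads its spoofed sources widely, which is why the notes pair it with ingress filtering.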
Hacking Tool: WinNuke

- WinNuke works by sending a packet with "out of band" data to port 139 of the target host. Port 139 is the NetBIOS port and does not accept packets unless the OOB flag is set in the incoming packet.
- OOB stands for Out Of Band. When the victim's machine accepts this packet, it causes the computer to crash with a blue screen.
- Because the program accepting the packets does not know how to appropriately handle out-of-band data, it crashes.

A "blue bomb" (also known as "WinNuke") is a technique for causing the Windows operating system of someone you are communicating with to crash or suddenly terminate. The "blue bomb" is actually an out-of-band network packet containing information that the operating system cannot process. This condition causes the operating system to "crash" or terminate prematurely. The operating system can usually be restarted without any permanent damage other than the possible loss of unsaved data from the crash.

The blue bomb derives its name from the effect it sometimes causes on the display as the operating system is terminating: a white-on-blue error screen that is commonly known as the blue screen of death. Blue bombs are sometimes sent by multi-player game participants who are about to lose, or by users of Internet Relay Chat (IRC) who are making a final comment. This is known as "nuking" someone. A commonly used program for causing the blue bomb is WinNuke. Many Internet service providers are filtering out the packets so they do not reach users.

The WinNuke attack sends OOB (Out-of-Band) data to an IP address of a Windows machine connected to a network and/or the Internet. Usually, the WinNuke program connects via port 139, but other ports are vulnerable if they are open. When a Windows machine receives the out-of-band data, it is unable to handle it and exhibits odd behavior, ranging from a lost Internet connection to a system crash (resulting in the infamous Blue Screen of Death).

WinNuke is essentially an outdated attack. All the newer Windows versions are immune to WinNuke.
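The Land, Smurf/Fraggle and WinNuke patterns described on this page are each recognisable from a single packet header, which is why border routers and IDS rules filter them per packet. The following added Python example (written for these notes, not code from the original page or from any of the tools it describes) applies those signature checks to decoded header summaries. Packets are plain dicts, the protected subnets (192.0.2.0/24 and 198.51.100.0/25) are constructed, and "OOB data" is modelled as the TCP URG flag, which is how out-of-band data is carried in TCP.

```python
"""Per-packet signature checks for the Land, Smurf/Fraggle and WinNuke patterns,
as a border sensor or IDS rule would apply them.

Added illustration, not code from the original notes or the tools they describe.
Packets are dicts of decoded header fields; subnets and sample traffic are constructed.
"""
import ipaddress

# Constructed: subnets behind this sensor. Their directed-broadcast addresses are
# the "amplifier" destinations a smurf or fraggle packet is aimed at.
PROTECTED_SUBNETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
BROADCAST_ADDRESSES = {net.broadcast_address for net in PROTECTED_SUBNETS} | {
    ipaddress.ip_address("255.255.255.255")}

ICMP_ECHO_REQUEST = 8   # ICMP type sent by ping
UDP_ECHO_PORT = 7       # UDP echo service abused by fraggle
NETBIOS_SESSION = 139   # port WinNuke targets


def classify(pkt):
    """Return the list of DoS signatures one packet summary matches (empty if none)."""
    proto = pkt["proto"]
    flags = set(pkt.get("flags", ()))
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    labels = []
    # Land: a SYN whose source and destination address AND port are identical
    if proto == "tcp" and "SYN" in flags and src == dst and pkt["sport"] == pkt["dport"]:
        labels.append("land")
    # Smurf: ICMP echo request aimed at a broadcast address (the source is the real victim)
    if proto == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST and dst in BROADCAST_ADDRESSES:
        labels.append("smurf")
    # Fraggle: the UDP-echo variant of the same amplification pattern
    if proto == "udp" and pkt["dport"] == UDP_ECHO_PORT and dst in BROADCAST_ADDRESSES:
        labels.append("fraggle")
    # WinNuke: out-of-band (TCP URG) data sent to the NetBIOS session port
    if proto == "tcp" and pkt["dport"] == NETBIOS_SESSION and "URG" in flags:
        labels.append("winnuke")
    return labels


def scan(packets):
    """Run classify() over a packet list; returns {index: labels} for matches only."""
    hits = {}
    for i, pkt in enumerate(packets):
        labels = classify(pkt)
        if labels:
            hits[i] = labels
    return hits


# Constructed sample traffic: one ordinary connection attempt, then one packet per pattern
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.10", "sport": 51000, "dport": 80,
     "flags": ("SYN",)},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139,
     "flags": ("SYN",)},
    {"proto": "icmp", "src": "203.0.113.7", "dst": "192.0.2.255", "icmp_type": 8},
    {"proto": "udp", "src": "203.0.113.7", "dst": "198.51.100.127", "sport": 7, "dport": 7},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.10", "sport": 51001, "dport": 139,
     "flags": ("ACK", "PSH", "URG")},
]

if __name__ == "__main__":
    for i, labels in scan(SAMPLE_PACKETS).items():
        print(f"packet {i}: {', '.join(labels)}")
```

The smurf rule only fires for echo requests to the configured broadcast addresses, so ordinary pings to hosts inside those subnets pass; that is the same distinction a router makes when directed broadcasts are disabled, which removes the "amplifier" role entirely.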
Hacking Tool: Jolt2

- Jolt2 enables users across different networks to send IP fragment-driven denial of service attacks against NT/2000 by making the victim's machine utilize 100% of its CPU when it attempts to process the illegal packets.
- Usage: c:\> jolt2 1.2.3.4 -p 80 4.5.6.7
- The above command launches the attack from the attacker's machine with a spoofed IP address of 1.2.3.4 against the IP address 4.5.6.7.
- The victim's machine's CPU resources reach 100%, causing the machine to lock up.

Sending large numbers of identical fragmented IP packets to a Windows 2000 or NT4 host may cause the target to lock up for the duration of the attack. The CPU utilization on the target goes to 100% for the duration of the attack. This causes both the UI and network interfaces to lock up.
Hacking Tool: Bubonic

- Bubonic.c is a DoS exploit that can be run against Windows 2000 machines.
- It works by randomly sending TCP packets with random settings, with the goal of increasing the load on the machine so that it eventually crashes.
- Usage: c:\> bubonic 12.23.23.2 10.0.0.1 100

Bubonic.c is a denial of service program written against Windows 2000 machines and certain versions of Linux. It has been noted to work against certain versions of Linux. The denial of service works by randomly sending TCP packets with random settings. This in turn brings the load up, causing the box to crash with error code STOP 0x00000041 (0x00001000, 0x00001279, 0x000042A, 0x00000001) MUST_SUCCEED_POOL_EMPTY.
Hacking Tool: Targa

- Targa is a program that can be used to run 8 different Denial of Service attacks.
- The attacker has the option either to launch individual attacks or to try all the attacks until one is successful.
- Targa is a very powerful program and can do a lot of damage to a company's network.

Targa, written by a German hacker known as Mixter, combines several tools specifically devised to attack machines that run Microsoft Windows. The potency of these tools can be increased further by using them to attack a target machine from several compromised computers at once. However, this requires the attacker to log on to each computer in turn to initiate the attack.

Targa is a free software package available on the Internet. Targa contains many of the most well-known protocol- or operating-system-based DoS attacks. The attacker must be logged in with root permissions, since most of the attacks use IP spoofing, which requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Mainly, the Targa package is intended to be used on Linux or BSD Unix computers. Target platforms can be any possible operating system. However, the attacks do not have an impact on all operating systems.

The attacks that can be done with the Targa kit:

- Jolt by Jeff W. Roberson (modified by Mixter for overdrop effect) - discussed separately
- Land by m3lt - discussed separately
- Winnuke by _eci - discussed separately
- Nestea by humble and ttol - Nestea exploits the "off by one IP header" bug in the Linux IP packet fragmentation code. Nestea crashes Linux 2.0.33 and earlier and some Windows versions. A new and improved version of the Nestea Linux IP fragmentation exploit is available.
- Syndrop by PineKoan - Syndrop is a mixture of teardrop and a TCP SYN flooding attack. Affected platforms are Linux and Windows 95/NT.
- Teardrop by route|daemon9 - This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment carries an offset from the beginning of the original packet, which enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash. This bug has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. However, though non-destructive, this bug could cause problems if you have unsaved data in an open application when you are attacked, causing you to lose the data. There are fixes against Teardrop.
- Bonk by route|daemon9 & klepto - Bonk is based on teardrop.c. Bonk crashes Windows 95 and NT operating systems. Boink is an improved version of bonk.c. Boink allows UDP port ranges and can possibly crash a patched Windows 95/NT machine. NewTear is another variant of teardrop.c, which is slightly different from bonk.c. Mainly they do the same thing, just in different ways. Small changes in the code may have significant effects on the results, as you can see below.
- NewTear by route|daemon9 - NewTear is another variant of teardrop.c
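Three of the tools on this page abuse IP fragment reassembly in different ways: SSPing and Jolt make the reassembled datagram larger than IP allows, Teardrop, Bonk and NewTear send a later fragment whose offset lands inside an earlier one, and Jolt2 repeats one identical fragment until the CPU is saturated. A receiving stack (or an inline sensor) can reject all three with a few checks on the fragment header before any buffer is touched. The following added Python example, written for these notes and not taken from the original page or from any of those tools, performs those checks on decoded fragment headers; fragments are dicts, and the addresses and sample fragments are constructed.

```python
"""Stateful IPv4 fragment checks for the three fragment abuses on this page:
oversized reassembly (SSPing/Jolt), overlapping offsets (Teardrop, Bonk, NewTear),
and a flood of identical fragments (Jolt2).

Added illustration, not code from the original notes or the tools they describe.
A fragment is a dict of decoded header fields; sample fragments are constructed.
"""
MAX_DATAGRAM = 65535   # largest IPv4 datagram: data reassembled beyond this is illegal


class FragmentValidator:
    def __init__(self, repeat_threshold=100):
        self.ranges = {}        # reassembly key -> list of (start, end) byte ranges seen
        self.repeats = {}       # (key, start, end) -> how many times that exact fragment arrived
        self.repeat_threshold = repeat_threshold   # legitimate retransmits stay well below this

    def check(self, frag):
        """Examine one fragment; returns the findings it triggers (empty list if clean)."""
        # Fragments of one datagram share source, destination, IP ID and protocol
        key = (frag["src"], frag["dst"], frag["id"], frag["proto"])
        start = frag["frag_offset"] * 8          # the header field counts 8-byte units
        end = start + frag["length"]             # byte after this fragment's last payload byte
        findings = []
        if end > MAX_DATAGRAM:
            findings.append("oversized")          # reassembly buffer would overflow
        seen = self.ranges.setdefault(key, [])
        exact_repeat = (start, end) in seen
        if not exact_repeat:
            # Overlap: this fragment claims bytes an earlier fragment already claimed
            if any(start < e and s < end for s, e in seen):
                findings.append("overlap")
            seen.append((start, end))
        count = self.repeats.get((key, start, end), 0) + 1
        self.repeats[(key, start, end)] = count
        if count == self.repeat_threshold:
            findings.append("repeated-fragment")  # identical fragment hammering one datagram
        return findings


def scan(fragments, repeat_threshold=100):
    """Run one validator over a fragment list; returns {index: findings} for hits only."""
    validator = FragmentValidator(repeat_threshold)
    hits = {}
    for i, frag in enumerate(fragments):
        findings = validator.check(frag)
        if findings:
            hits[i] = findings
    return hits


def make_frag(id_, offset, length, src="203.0.113.5", dst="192.0.2.10", proto=1):
    """Build a constructed fragment header summary (proto 1 = ICMP)."""
    return {"src": src, "dst": dst, "id": id_, "proto": proto,
            "frag_offset": offset, "length": length}


# Constructed samples: a normal two-piece datagram, a Teardrop-style overlap,
# an oversized last fragment, and one tiny fragment repeated
SAMPLE_FRAGMENTS = (
    [make_frag(1, 0, 1480), make_frag(1, 185, 20)]    # clean: second piece starts at byte 1480
    + [make_frag(2, 0, 36), make_frag(2, 3, 4)]       # overlap: second piece starts at byte 24
    + [make_frag(3, 8189, 40)]                        # oversized: 65512 + 40 > 65535
    + [make_frag(4, 8190, 9)] * 3                     # repeated identical fragment
)

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_FRAGMENTS, repeat_threshold=3).items():
        print(f"fragment {i}: {', '.join(findings)}")
```

The repeat threshold is the one tunable that matters operationally: ordinary retransmissions do produce a few duplicate fragments, so the count has to be high enough that only a sustained stream of the same fragment, as Jolt2 sends, crosses it.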